Pint

Added password reset prompt
Last one (I hope)
2026-05-09 12:20:45 +01:00 · 2026-05-09 12:20:40 +01:00 · 2026-05-08 15:59:37 +01:00 · 2026-05-08 15:59:00 +01:00 · 2026-05-08 15:56:03 +01:00 · 2026-05-08 15:55:48 +01:00
1572 changed files with 171138 additions and 7937 deletions
@@ -4262,6 +4262,15 @@
      "contributions": [
        "code"
      ]
+    },
+    {
+      "login": "Husky-Devel",
+      "name": "Peter Gallwas",
+      "avatar_url": "https://avatars.githubusercontent.com/u/75509373?v=4",
+      "profile": "https://www.husky.nz",
+      "contributions": [
+        "code"
+      ]
    }
  ]
 }
@@ -90,7 +90,16 @@ IMAGE_LIB=gd

 # --------------------------------------------
 # OPTIONAL: BACKUP SETTINGS
-# --------------------------------------------
+# Backup filesystem configuration
+# - BACKUP_FILESYSTEM_DRIVER: Driver to use (local, s3, etc.)
+#   Default: local (backward compatible)
+#   Set to s3 to use S3 for backups (requires PRIVATE_AWS_* credentials)
+# - BACKUP_FILESYSTEM_ROOT: Root path/prefix
+#   For local driver: leave commented for default to storage_path("app")
+#   For S3 driver: empty string = bucket root, or specify prefix like "backups/"
+#--------------------------------------------
+BACKUP_FILESYSTEM_DRIVER=local
+#BACKUP_FILESYSTEM_ROOT=
 MAIL_BACKUP_NOTIFICATION_DRIVER=null
 MAIL_BACKUP_NOTIFICATION_ADDRESS=null
 BACKUP_ENV=true
@@ -1,6 +1,7 @@
 # GitHub Copilot Custom Instructions for Snipe-IT

-These instructions guide Copilot to generate code that aligns with modern Laravel 11 standards, PHP 8.2/8.4 features, software engineering principles, and industry best practices to improve software quality, maintainability, and security.
+These instructions guide Copilot to generate code that aligns with modern Laravel 12 standards, PHP 8.2/8.4 features,
+software engineering principles, and industry best practices to improve software quality, maintainability, and security.

 ## ✅ General Coding Standards

@@ -22,7 +23,7 @@ These instructions guide Copilot to generate code that aligns with modern Larave
 - Adopt **final classes** where extension is not intended.
 - Use **Named Arguments** for improved clarity when calling functions with multiple parameters.

-## ✅ Laravel 11 Project Structure & Conventions
+## ✅ Laravel 12 Project Structure & Conventions

 - Follow the official Laravel project structure:
    - `app/Http/Controllers` - Controllers
@@ -32,6 +33,7 @@ These instructions guide Copilot to generate code that aligns with modern Larave
    - `app/Enums` - Enums
    - `app/Actions` - Single-responsibility action classes
    - `app/Policies` - Authorization logic
+  - `app/Models/Builders` - Query scoping logic

 - Controllers must:
    - Use dependency injection.
@@ -28,6 +28,7 @@ jobs:
          - "8.2"
          - "8.3"
          - "8.4"
+          - "8.5"

    name: PHP ${{ matrix.php-version }}

@@ -24,6 +24,7 @@ jobs:
          - "8.2"
          - "8.3"
          - "8.4"
+          - "8.5"


    name: PHP ${{ matrix.php-version }}
@@ -15,7 +15,7 @@ jobs:
      fail-fast: false
      matrix:
        php-version:
-          - "8.3"
+          - "8.5"

    name: PHP ${{ matrix.php-version }}

@@ -69,7 +69,7 @@ Thanks goes to all of these wonderful people ([emoji key](https://github.com/ken
 | [<img src="https://avatars.githubusercontent.com/u/10965027?v=4" width="110px;"/><br /><sub>Ellie</sub>](https://leafedfox.xyz/)<br />[💻](https://github.com/snipe/snipe-it/commits?author=LeafedFox "Code") | [<img src="https://avatars.githubusercontent.com/u/20960555?v=4" width="110px;"/><br /><sub>GA Stamper</sub>](https://github.com/gastamper)<br />[💻](https://github.com/snipe/snipe-it/commits?author=gastamper "Code") | [<img src="https://avatars.githubusercontent.com/u/206553556?v=4" width="110px;"/><br /><sub>Guillaume Lefranc</sub>](https://github.com/gl-pup)<br />[💻](https://github.com/snipe/snipe-it/commits?author=gl-pup "Code") | [<img src="https://avatars.githubusercontent.com/u/733892?v=4" width="110px;"/><br /><sub>Hajo Möller</sub>](https://github.com/dasjoe)<br />[💻](https://github.com/snipe/snipe-it/commits?author=dasjoe "Code") | [<img src="https://avatars.githubusercontent.com/u/3420063?v=4" width="110px;"/><br /><sub>Istvan Basa</sub>](https://github.com/pottom)<br />[💻](https://github.com/snipe/snipe-it/commits?author=pottom "Code") | [<img src="https://avatars.githubusercontent.com/u/810824?v=4" width="110px;"/><br /><sub>JJ Asghar</sub>](https://jjasghar.github.io/)<br />[💻](https://github.com/snipe/snipe-it/commits?author=jjasghar "Code") | [<img src="https://avatars.githubusercontent.com/u/40404495?v=4" width="110px;"/><br /><sub>James E. Msenga</sub>](https://github.com/JemCdo)<br />[💻](https://github.com/snipe/snipe-it/commits?author=JemCdo "Code") |
 | [<img src="https://avatars.githubusercontent.com/u/6865786?v=4" width="110px;"/><br /><sub>Jan Felix Wiebe</sub>](https://github.com/jfwiebe)<br />[💻](https://github.com/snipe/snipe-it/commits?author=jfwiebe "Code") | [<img src="https://avatars.githubusercontent.com/u/43412008?v=4" width="110px;"/><br /><sub>Jo Drexl</sub>](https://www.nfon.com/)<br />[💻](https://github.com/snipe/snipe-it/commits?author=drexljo "Code") | [<img src="https://avatars.githubusercontent.com/u/4807843?v=4" width="110px;"/><br /><sub>Austin Sasko</sub>](https://github.com/austinsasko)<br />[💻](https://github.com/snipe/snipe-it/commits?author=austinsasko "Code") | [<img src="https://avatars.githubusercontent.com/u/4875039?v=4" width="110px;"/><br /><sub>Jasson</sub>](http://jassoncordones.github.io)<br />[💻](https://github.com/snipe/snipe-it/commits?author=JassonCordones "Code") | [<img src="https://avatars.githubusercontent.com/u/76069640?v=4" width="110px;"/><br /><sub>Okean</sub>](https://github.com/Tinyblargon)<br />[💻](https://github.com/snipe/snipe-it/commits?author=Tinyblargon "Code") | [<img src="https://avatars.githubusercontent.com/u/6515064?v=4" width="110px;"/><br /><sub>Alejandro Medrano</sub>](https://www.lst.tfo.upm.es/alejandro-medrano/)<br />[💻](https://github.com/snipe/snipe-it/commits?author=amedranogil "Code") | [<img src="https://avatars.githubusercontent.com/u/58696401?v=4" width="110px;"/><br /><sub>Lukas Kraic</sub>](https://github.com/lukaskraic)<br />[💻](https://github.com/snipe/snipe-it/commits?author=lukaskraic "Code") |
 | [<img src="https://avatars.githubusercontent.com/u/1571724?v=4" width="110px;"/><br /><sub>Герхард PICCORO Lenz McKAY </sub>](https://github-readme-stats.vercel.app/api?username=mckaygerhard)<br />[💻](https://github.com/snipe/snipe-it/commits?author=mckaygerhard "Code") | [<img src="https://avatars.githubusercontent.com/u/15015119?v=4" width="110px;"/><br /><sub>Johannes Pollitt</sub>](https://github.com/FlorestanII)<br />[💻](https://github.com/snipe/snipe-it/commits?author=FlorestanII "Code") | [<img src="https://avatars.githubusercontent.com/u/14185442?v=4" width="110px;"/><br /><sub>Michael Strobel</sub>](https://strobelm.de)<br />[💻](https://github.com/snipe/snipe-it/commits?author=strobelm "Code") | [<img src="https://avatars.githubusercontent.com/u/634790?v=4" width="110px;"/><br /><sub>Nicky West</sub>](http://nickwest.me)<br />[💻](https://github.com/snipe/snipe-it/commits?author=nickwest "Code") | [<img src="https://avatars.githubusercontent.com/u/1347327?v=4" width="110px;"/><br /><sub>akaspeh1</sub>](https://github.com/akaspeh1)<br />[💻](https://github.com/snipe/snipe-it/commits?author=akaspeh1 "Code") | [<img src="https://avatars.githubusercontent.com/u/2880129?v=4" width="110px;"/><br /><sub>Sebastian Marsching</sub>](http://sebastian.marsching.com/)<br />[💻](https://github.com/snipe/snipe-it/commits?author=smarsching "Code") | [<img src="https://avatars.githubusercontent.com/u/40658372?v=4" width="110px;"/><br /><sub>Mo</sub>](https://github.com/mohammad-ahmadi1)<br />[💻](https://github.com/snipe/snipe-it/commits?author=mohammad-ahmadi1 "Code") |
-| [<img src="https://avatars.githubusercontent.com/u/20994684?v=4" width="110px;"/><br /><sub>Owen V. Hayes</sub>](https://github.com/MarvelousAnything)<br />[💻](https://github.com/snipe/snipe-it/commits?author=MarvelousAnything "Code") |
+| [<img src="https://avatars.githubusercontent.com/u/20994684?v=4" width="110px;"/><br /><sub>Owen V. Hayes</sub>](https://github.com/MarvelousAnything)<br />[💻](https://github.com/snipe/snipe-it/commits?author=MarvelousAnything "Code") | [<img src="https://avatars.githubusercontent.com/u/75509373?v=4" width="110px;"/><br /><sub>Peter Gallwas</sub>](https://www.husky.nz)<br />[💻](https://github.com/snipe/snipe-it/commits?author=Husky-Devel "Code") |
 <!-- ALL-CONTRIBUTORS-LIST:END -->

 This project follows the [all-contributors](https://github.com/kentcdodds/all-contributors) specification. Contributions of any kind welcome!
@@ -10,9 +10,9 @@ however there are times when library dependencies and/or PHP/MySQL dependencies
 make it impossible to backport security fixes on older versions. 

 | Version | Supported          |
-|---------| ------------------ |
+|---------|--------------------|
 | 8.x     | :white_check_mark: |
-| 7.x     | :white_check_mark: |
+| 7.x     | :x:                |
 | 6.x     | :x:                |
 | 5.1.x   | :x:                |
 | 5.0.x   | :x:                |
@@ -24,7 +24,18 @@ make it impossible to backport security fixes on older versions.
 Security vulnerabilities should be sent to security@snipeitapp.com. You can typically expect a 
 response within two business days, and we typically have fixes out in under a week from the initial disclosure.

-This obviously varies based on the severity of the  security issue and the difficulty in remediation, 
-but those have historically been the timelines we worm around.
+This obviously varies based on the severity of the security issue and the difficulty in remediation, but those have
+historically been the timelines we work around.
+
+We do ask that you do not disclose the vulnerability publicly until we have had a chance to address it and tag a release
+so that we can protect our users, and we will work
+with you to coordinate a public disclosure once we have a fix out. We will also work with you to ensure that you receive
+appropriate credit for the discovery of the vulnerability, if you would like to be credited. (Please provide a GitHub
+username or other information if you would like to be credited, and please let us know if you would like to remain
+anonymous.)
+
+For responsible disclosure, we ask that you give us at least __90 days__ to address the issue before disclosing it
+publicly,
+but we will work with you if you need to disclose it sooner than that.

 For a full breakdown of our security policies, please see https://snipeitapp.com/security.
@@ -0,0 +1,109 @@
+<?php
+
+namespace App\Actions\Breadcrumbs;
+
+use App\Models\Accessory;
+use App\Models\Asset;
+use App\Models\CheckoutAcceptance;
+use App\Models\Consumable;
+use App\Models\License;
+use App\Models\LicenseSeat;
+use App\Models\User;
+use Tabuna\Breadcrumbs\Trail;
+
+final class BuildAcceptanceBreadcrumbs
+{
+    public static function forAcceptance(Trail $trail, CheckoutAcceptance|int|string $acceptance): void
+    {
+        $acceptance = self::resolveAcceptance($acceptance);
+        $trail->parent('home');
+
+        if (! $acceptance instanceof CheckoutAcceptance) {
+            self::appendProfileContext($trail);
+
+            return;
+        }
+
+        if (! self::isSignInPlaceFlow($acceptance)) {
+            self::appendProfileContext($trail);
+            $trail->push(trans('general.accept_item'), route('account.accept.item', $acceptance));
+
+            return;
+        }
+
+        self::appendCheckoutFlowContext($trail, $acceptance);
+        $trail->push(self::buildSignInPlaceLabel($acceptance));
+    }
+
+    private static function resolveAcceptance(CheckoutAcceptance|int|string $acceptance): ?CheckoutAcceptance
+    {
+        if ($acceptance instanceof CheckoutAcceptance) {
+            return $acceptance;
+        }
+
+        if (is_numeric($acceptance)) {
+            return CheckoutAcceptance::find((int) $acceptance);
+        }
+
+        return null;
+    }
+
+    private static function isSignInPlaceFlow(CheckoutAcceptance $acceptance): bool
+    {
+        return (int) session('sign_in_place_acceptance_id') === (int) $acceptance->id;
+    }
+
+    private static function appendProfileContext(Trail $trail): void
+    {
+        $trail->push(trans('general.profile'), route('account'));
+        $trail->push(trans('general.accept_items'), route('account.accept'));
+    }
+
+    private static function appendCheckoutFlowContext(Trail $trail, CheckoutAcceptance $acceptance): void
+    {
+        $checkoutable = $acceptance->checkoutable;
+
+        if ($checkoutable instanceof Asset) {
+            $trail->push(trans('general.assets'), route('hardware.index'));
+            $trail->push($checkoutable->display_name ?? trans('general.asset'), route('hardware.show', $checkoutable));
+            $trail->push(trans('general.checkout'));
+
+            return;
+        }
+
+        if ($checkoutable instanceof LicenseSeat) {
+            $license = $checkoutable->license;
+
+            if ($license instanceof License) {
+                $trail->push(trans('general.licenses'), route('licenses.index'));
+                $trail->push($license->display_name ?? trans('general.license'), route('licenses.show', $license));
+                $trail->push(trans('general.checkout'));
+            }
+
+            return;
+        }
+
+        if ($checkoutable instanceof Consumable) {
+            $trail->push(trans('general.consumables'), route('consumables.index'));
+            $trail->push($checkoutable->display_name ?? trans('general.consumable'), route('consumables.show', $checkoutable));
+            $trail->push(trans('general.checkout'));
+
+            return;
+        }
+
+        if ($checkoutable instanceof Accessory) {
+            $trail->push(trans('general.accessories'), route('accessories.index'));
+            $trail->push($checkoutable->display_name ?? trans('general.accessory'), route('accessories.show', $checkoutable));
+            $trail->push(trans('general.checkout'));
+        }
+    }
+
+    private static function buildSignInPlaceLabel(CheckoutAcceptance $acceptance): string
+    {
+        if ($acceptance->assignedTo instanceof User) {
+            return sprintf('%s for %s', trans('general.sign_in_place'), $acceptance->assignedTo->display_name);
+        }
+
+        return trans('general.sign_in_place');
+    }
+}
@@ -19,7 +19,7 @@ class LdapSync extends Command
     *
     * @var string
     */
-    protected $signature = 'snipeit:ldap-sync {--location=} {--location_id=*} {--base_dn=} {--filter=} {--summary} {--json_summary}';
+    protected $signature = 'snipeit:ldap-sync {--location=} {--location_id=*} {--base_dn=} {--filter=} {--delete} {--summary} {--json_summary}';

    /**
     * The console command description.
@@ -94,6 +94,7 @@ class LdapSync extends Command
        }

        $summary = [];
+        $seen_ldap_usernames = [];

        try {

@@ -274,8 +275,14 @@ class LdapSync extends Command
                'name' => $item['department'],
            ]);

-            $user = User::where('username', $item['username'])->first();
+            $user = User::withTrashed()->where('username', $item['username'])->first();
+            if (! empty($item['username'])) {
+                $seen_ldap_usernames[] = $item['username'];
+            }
            if ($user) {
+                if ($user->trashed()) {
+                    $user->restore();
+                }
                // Updating an existing user.
                $item['createorupdate'] = 'updated';
            } else {
@@ -490,6 +497,41 @@ class LdapSync extends Command
            array_push($summary, $item);
        }

+        // Optionally soft-delete LDAP-imported users that are no longer present in LDAP.
+        // users with assests etc. are not deletable and skipped
+        if ($this->option('delete')) {
+            $missing_ldap_users = User::where('ldap_import', 1);
+            $missing_ldap_users = $missing_ldap_users->whereNotIn('username', $seen_ldap_usernames);
+            $missing_ldap_users = $missing_ldap_users->get();
+
+            foreach ($missing_ldap_users as $missing_user) {
+                $is_deletable = $this->isUserDeletable($missing_user);
+
+                $missing_item = [
+                    'id' => $missing_user->id,
+                    'username' => $missing_user->username,
+                    'firstname' => $missing_user->first_name,
+                    'lastname' => $missing_user->last_name,
+                    'email' => $missing_user->email,
+                    'createorupdate' => 'skipped',
+                    'status' => 'info',
+                    'deletable' => $is_deletable,
+                    'note' => $is_deletable ? 'missing from LDAP' : 'missing from LDAP, but not deletable',
+                ];
+
+                if ($is_deletable) {
+                    $missing_user->delete();
+                    $missing_item['createorupdate'] = 'deleted';
+                    $missing_item['status'] = 'success';
+                    $missing_item['note'] = 'deleted_missing_from_ldap';
+                }
+
+                $summary[] = $missing_item;
+            }
+        }
+
+
+
        if ($this->option('summary')) {
            for ($x = 0; $x < count($summary); $x++) {
                if ($summary[$x]['status'] == 'error') {
@@ -505,4 +547,23 @@ class LdapSync extends Command
            return $summary;
        }
    }
+
+    /**
+     * Checks if the user is deletable without gate check
+     * 
+     * A user is considered deletable if they have no associated assets, accessories, licenses, consumables, managed users, or managed locations.
+     * 
+     * @param User $user The user to check
+     * 
+     * @return bool True if the user is deletable, false otherwise
+     */
+    private function isUserDeletable(User $user): bool
+    {
+        return (($user->assets_count ?? $user->assets()->count()) === 0)
+            && (($user->accessories_count ?? $user->accessories()->count()) === 0)
+            && (($user->licenses_count ?? $user->licenses()->count()) === 0)
+            && (($user->consumables_count ?? $user->consumables()->count()) === 0)
+            && (($user->manages_users_count ?? $user->managesUsers()->count()) === 0)
+            && (($user->manages_locations_count ?? $user->managedLocations()->count()) === 0);
+    }
 }
@@ -15,7 +15,9 @@ class PurgeEulaPDFs extends Command
     * @var string
     */
    protected $signature = 'snipeit:purge-eula-pdfs  
-                            {--older-than-days= : The number of days we should delete before } 
+                            {--older-than-days= : The number of days we should delete before }
+                            {--company-id= : Only purge acceptances for users in this company}
+                            {--only-deleted-users : Only purge acceptances for deleted users, including soft-deleted or missing users}
                            {--force : Skip the interactive yes/no prompt for confirmation}
                            {--dryrun : Show the records that would be deleted but don\'t update the database or delete files from disk}
                            {--with-output : Display the results in a table in your console}';
@@ -55,7 +57,34 @@ class PurgeEulaPDFs extends Command
            $this->info('This script is being run with the --dryrun option. No files or records will be deleted.');

        }
-        $acceptances = CheckoutAcceptance::HasFiles()->where('updated_at', '<', $interval_date)->with('assignedTo')->get();
+        $companyId = $this->option('company-id');
+        $query = CheckoutAcceptance::HasFiles()->where('updated_at', '<', $interval_date)
+            ->with([
+                'assignedTo' => function ($query) {
+                    $query->withTrashed();
+                },
+            ]);
+
+        if ($this->option('only-deleted-users')) {
+            $query->where(function ($query) use ($companyId) {
+                $query->whereHas('assignedTo', function ($q) use ($companyId) {
+                    $q->withTrashed()->whereNotNull('deleted_at');
+
+                    if ($companyId) {
+                        $q->where('company_id', $companyId);
+                    }
+                });
+
+                $query->orWhereDoesntHave('assignedTo');
+            });
+        } else {
+            if ($companyId) {
+                $query->whereHas('assignedTo', function ($query) use ($companyId) {
+                    $query->withTrashed()->where('company_id', $companyId);
+                });
+            }
+        }
+        $acceptances = $query->get();

        if (! $this->option('force')) {
            if ($this->confirm("\n****************************************************\nTHIS WILL DELETE ALL OF THE SIGNATURES AND EULA PDF FILES SINCE $interval_date. \nThere is NO undo! \n****************************************************\n\nDo you wish to continue? No backsies! [y|N]")) {
@@ -456,7 +456,11 @@ class RestoreFromBackup extends Command
        if (! file_exists($mysql_binary)) {
            return $this->error("mysql tool at: '$mysql_binary' does not exist, cannot restore. Please edit DB_DUMP_PATH in your .env to point to a directory that contains the mysqldump and mysql binary");
        }
-        $proc_results = proc_open("$mysql_binary -h ".escapeshellarg(config('database.connections.mysql.host')).' -u '.escapeshellarg(config('database.connections.mysql.username')).' '.escapeshellarg(config('database.connections.mysql.database')), // yanked -p since we pass via ENV
+        $proc_results = proc_open("$mysql_binary -h " .
+            escapeshellarg(config('database.connections.mysql.host')) .
+            ' -u ' . escapeshellarg(config('database.connections.mysql.username')) . ' ' .
+            ' -P ' . escapeshellarg(config('database.connections.mysql.port')) . ' ' .
+            escapeshellarg(config('database.connections.mysql.database')), // yanked -p since we pass via ENV
            [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['pipe', 'w']],
            $pipes,
            null,
@@ -0,0 +1,92 @@
+<?php
+
+namespace App\Console\Commands;
+
+use App\Models\Asset;
+use Illuminate\Console\Command;
+use Illuminate\Support\MessageBag;
+
+class ValidateAssets extends Command
+{
+    /**
+     * The name and signature of the console command.
+     *
+     * @var string
+     */
+    protected $signature = 'snipeit:validate-assets {--all : Display the valid assets in your table output as well} ';
+
+    /**
+     * The console command description.
+     *
+     * @var string
+     */
+    protected $description = 'This runs through the list of assets and checks for any validation errors that would prevent it from being updated or checked in or out. ';
+
+    /**
+     * Execute the console command.
+     */
+    public function handle()
+    {
+        $showAll = (bool) $this->option('all');
+
+        $assets = Asset::query()
+            ->whereNull('deleted_at')
+            ->with('model')
+            ->orderBy('assets.created_at', 'desc')
+            ->get();
+
+        if (! $showAll) {
+            $this->info('Run this command with the --all option to see the full list in the console.');
+        }
+
+        $rows = $assets
+            ->filter(fn (Asset $asset) => $showAll || ! $asset->isValid())
+            ->map(fn (Asset $asset) => [
+                trans('general.id') => $asset->id,
+                trans('admin/hardware/form.tag') => $asset->asset_tag,
+                trans('admin/hardware/form.serial') => $asset->serial ?? '',
+                trans('admin/hardware/form.model') => $asset->model?->name ?? '',
+                trans('general.model_no') => $asset->model?->model_number ?? '',
+                trans('general.error') => $asset->isValid() ? '√ valid' : $this->formatValidationErrors($asset),
+            ])
+            ->values()
+            ->all();
+
+        $this->table(
+            [
+                trans('general.id'),
+                trans('admin/hardware/form.tag'),
+                trans('admin/hardware/form.serial'),
+                trans('admin/hardware/form.model'),
+                trans('general.model_no'),
+                trans('general.error'),
+            ],
+            $rows
+        );
+
+        return self::SUCCESS;
+    }
+
+    private function formatValidationErrors(Asset $asset): string
+    {
+        $errors = $asset->getErrors();
+        $messages = [];
+
+        if ($errors instanceof MessageBag) {
+            $messages = $errors->all();
+        } elseif (is_array($errors)) {
+            $messages = $errors;
+        } else {
+            $messages = [(string) $errors];
+        }
+
+        $prefixedMessages = collect($messages)
+            ->map(fn ($message) => trim((string) $message))
+            ->filter()
+            ->map(fn (string $message) => str_starts_with($message, '✘') ? $message : '✘ '.$message)
+            ->values()
+            ->all();
+
+        return implode(PHP_EOL, $prefixedMessages);
+    }
+}
@@ -13,6 +13,7 @@ enum ActionType: string
    // Assets/Accessories/Components/Licenses/Consumables
    case Checkout = 'checkout';
    case CheckinFrom = 'checkin from';
+    case ForceCheckin = 'force checkin';
    case Requested = 'requested';
    case RequestCanceled = 'request canceled';
    case Accepted = 'accepted';
@@ -23,6 +24,8 @@ enum ActionType: string
    // Users
    case TwoFactorReset = '2FA reset';
    case Merged = 'merged';
+    case TokenRevoked = 'token revoked';
+    case TokenUnrevoked = 'token unrevoked';

    // Licenses
    case DeleteSeats = 'delete seats';
@@ -22,12 +22,14 @@ class CheckoutableCheckedOut

    public int $quantity;

+    public bool $signInPlace;
+
    /**
     * Create a new event instance.
     *
     * @return void
     */
-    public function __construct($checkoutable, $checkedOutTo, User $checkedOutBy, $note, $originalValues = [], $quantity = 1)
+    public function __construct($checkoutable, $checkedOutTo, User $checkedOutBy, $note, $originalValues = [], $quantity = 1, bool $signInPlace = false)
    {
        $this->checkoutable = $checkoutable;
        $this->checkedOutTo = $checkedOutTo;
@@ -35,5 +37,6 @@ class CheckoutableCheckedOut
        $this->note = $note;
        $this->originalValues = $originalValues;
        $this->quantity = $quantity;
+        $this->signInPlace = $signInPlace;
    }
 }
@@ -201,7 +201,7 @@ class Handler extends ExceptionHandler
    protected function unauthenticated($request, AuthenticationException $exception)
    {
        if ($request->expectsJson()) {
-            return response()->json(['error' => 'Unauthorized or unauthenticated.'], 401);
+            return response()->json(['error' => trans('general.unauthorized')], 401);
        }

        return redirect()->guest('login');
@@ -1629,10 +1629,20 @@ class Helper

        // return to assignment target
        if ($redirect_option == 'target') {
+            $userId = $request->assigned_user ?? $checkedInFrom;
+            $locationId = $request->assigned_location ?? $checkedInFrom;
+            $assetId = $request->assigned_asset ?? $checkedInFrom;
+
            return match ($checkout_to_type) {
-                'user' => redirect()->route('users.show', $request->assigned_user ?? $checkedInFrom),
-                'location' => redirect()->route('locations.show', $request->assigned_location ?? $checkedInFrom),
-                'asset' => redirect()->route('hardware.show', $request->assigned_asset ?? $checkedInFrom),
+                'user' => $userId
+                    ? redirect()->route('users.show', $userId)
+                    : redirect()->route('users.index'),
+                'location' => $locationId
+                    ? redirect()->route('locations.show', $locationId)
+                    : redirect()->route('locations.index'),
+                'asset' => $assetId
+                    ? redirect()->route('hardware.show', $assetId)
+                    : redirect()->route('hardware.index'),
            };
        }

@@ -9,6 +9,7 @@ use App\Http\Controllers\Controller;
 use App\Http\Requests\AccessoryCheckoutRequest;
 use App\Models\Accessory;
 use App\Models\AccessoryCheckout;
+use App\Models\CheckoutAcceptance;
 use App\Models\User;
 use Carbon\Carbon;
 use Illuminate\Contracts\View\View;
@@ -88,12 +89,53 @@ class AccessoryCheckoutController extends Controller
            $request->input('note'),
            [],
            $accessory->checkout_qty,
+            $request->boolean('sign_in_place'),
        ));

        $request->request->add(['checkout_to_type' => request('checkout_to_type')]);
        $request->request->add(['assigned_to' => $target->id]);

-        session()->put(['redirect_option' => $request->input('redirect_option'), 'checkout_to_type' => $request->input('checkout_to_type')]);
+        session()->put([
+            'redirect_option' => $request->input('redirect_option'),
+            'checkout_to_type' => $request->input('checkout_to_type'),
+            'sign_in_place' => $request->boolean('sign_in_place'),
+        ]);
+
+        // When sign_in_place is requested for a user checkout, redirect to the
+        // acceptance/signature page so the user can sign in person.
+        if ($request->boolean('sign_in_place') && ! in_array($request->input('checkout_to_type'), ['asset', 'location'], true)) {
+            $targetUser = User::find($target->id);
+
+            if (! $targetUser instanceof User) {
+                return redirect()->route('accessories.checkout.show', $accessory)
+                    ->with('error', trans('admin/accessories/message.checkout.user_does_not_exist'));
+            }
+
+            $acceptance = CheckoutAcceptance::where('checkoutable_type', Accessory::class)
+                ->where('checkoutable_id', $accessory->id)
+                ->where('assigned_to_id', $targetUser->id)
+                ->pending()
+                ->latest()
+                ->first();
+
+            // If requireAcceptance() is false the listener won't have created one; create it now.
+            if (! $acceptance) {
+                $acceptance = new CheckoutAcceptance;
+                $acceptance->checkoutable()->associate($accessory);
+                $acceptance->assignedTo()->associate($targetUser);
+                $acceptance->qty = $accessory->checkout_qty;
+                $acceptance->save();
+            }
+
+            session([
+                'sign_in_place_acceptance_id' => $acceptance->id,
+                'sign_in_place_item_id' => $accessory->id,
+                'sign_in_place_resource_type' => 'Accessories',
+            ]);
+
+            return redirect()->route('account.accept.item', $acceptance->id)
+                ->with('success', trans('admin/accessories/message.checkout.success'));
+        }

        // Redirect to the new accessory page
        return Helper::getRedirectOption($request, $accessory->id, 'Accessories')
@@ -7,8 +7,14 @@ use App\Events\CheckoutDeclined;
 use App\Helpers\Helper;
 use App\Http\Controllers\Controller;
 use App\Mail\CheckoutAcceptanceResponseMail;
+use App\Models\Accessory;
+use App\Models\Actionlog;
+use App\Models\Asset;
 use App\Models\CheckoutAcceptance;
 use App\Models\Company;
+use App\Models\Consumable;
+use App\Models\License;
+use App\Models\LicenseSeat;
 use App\Models\Setting;
 use App\Models\User;
 use App\Notifications\AcceptanceItemAcceptedNotification;
@@ -40,19 +46,32 @@ class AcceptanceController extends Controller
     *
     * @param  int  $id
     */
-    public function create($id): View|RedirectResponse
+    public function create(Request $request, $id): View|RedirectResponse
    {
+        $currentUser = auth()->user();
+
+        if (! $currentUser instanceof User) {
+            abort(403, trans('general.insufficient_permissions'));
+        }
+
        $acceptance = CheckoutAcceptance::find($id);

-        if (is_null($acceptance)) {
+        if (! $acceptance) {
            return redirect()->route('account.accept')->with('error', trans('admin/hardware/message.does_not_exist'));
        }

        if (! $acceptance->isPending()) {
+            if ($this->isStaleSignInPlaceAdminAttempt($acceptance, $currentUser)) {
+                return $this->redirectToIntendedSignInPlaceDestination($request, $acceptance)
+                    ->with('warning', trans('admin/users/message.error.asset_already_accepted'));
+            }
+
            return redirect()->route('account.accept')->with('error', trans('admin/users/message.error.asset_already_accepted'));
        }

-        if (! $acceptance->isCheckedOutTo(auth()->user())) {
+        $isSignInPlaceAdminFlow = $this->isSignInPlaceAdminFlow($acceptance);
+
+        if (! $acceptance->isCheckedOutTo($currentUser) && (! $isSignInPlaceAdminFlow)) {
            return redirect()->route('account.accept')->with('error', trans('admin/users/message.error.incorrect_user_accepted'));
        }

@@ -60,7 +79,10 @@ class AcceptanceController extends Controller
            return redirect()->route('account.accept')->with('error', trans('general.error_user_company'));
        }

-        return view('account/accept.create', compact('acceptance'));
+        $checkedOutAt = Helper::getFormattedDateObject($acceptance->created_at, 'datetime', false);
+        $checkedOutBy = $this->resolveCheckoutActorName($acceptance);
+
+        return view('account/accept.create', compact('acceptance', 'isSignInPlaceAdminFlow', 'checkedOutAt', 'checkedOutBy'));
    }

    /**
@@ -70,20 +92,36 @@ class AcceptanceController extends Controller
     */
    public function store(Request $request, $id): RedirectResponse
    {
+        $currentUser = auth()->user();

-        if (! $acceptance = CheckoutAcceptance::find($id)) {
+        if (! $currentUser instanceof User) {
+            abort(403, trans('general.insufficient_permissions'));
+        }
+
+        $acceptance = CheckoutAcceptance::find($id);
+
+        if (! $acceptance) {
            return redirect()->route('account.accept')->with('error', trans('admin/hardware/message.does_not_exist'));
        }

-        $assigned_user = User::find($acceptance->assigned_to_id);
+        $assignedUser = User::find($acceptance->assigned_to_id);
        $settings = Setting::getSettings();
+        $requiresSignature = (string) $settings->require_accept_signature === '1';
        $sig_filename = '';
+        $encodedSignatureImage = null;

        if (! $acceptance->isPending()) {
+            if ($this->isStaleSignInPlaceAdminAttempt($acceptance, $currentUser)) {
+                return $this->redirectToIntendedSignInPlaceDestination($request, $acceptance)
+                    ->with('warning', trans('admin/users/message.error.asset_already_accepted'));
+            }
+
            return redirect()->route('account.accept')->with('error', trans('admin/users/message.error.asset_already_accepted'));
        }

-        if (! $acceptance->isCheckedOutTo(auth()->user())) {
+        $isSignInPlaceAdminFlow = $this->isSignInPlaceAdminFlow($acceptance);
+
+        if (! $acceptance->isCheckedOutTo($currentUser) && (! $isSignInPlaceAdminFlow)) {
            return redirect()->route('account.accept')->with('error', trans('admin/users/message.error.incorrect_user_accepted'));
        }

@@ -112,14 +150,25 @@ class AcceptanceController extends Controller
        $item = $acceptance->checkoutable_type::find($acceptance->checkoutable_id);

        // If signatures are required, make sure we have one
-        if (Setting::getSettings()->require_accept_signature == '1') {
+        if ($requiresSignature) {

            // The item was accepted, check for a signature
            if ($request->filled('signature_output')) {
                $sig_filename = 'siglog-'.Str::uuid().'-'.date('Y-m-d-his').'.png';
-                $data_uri = $request->input('signature_output');
-                $encoded_image = explode(',', $data_uri);
-                $decoded_image = base64_decode($encoded_image[1]);
+                $dataUri = (string) $request->input('signature_output');
+                $encodedSignatureImage = Str::contains($dataUri, ',')
+                    ? Str::after($dataUri, ',')
+                    : $dataUri;
+
+                $decoded_image = base64_decode($encodedSignatureImage, true);
+
+                if ($decoded_image === false) {
+                    return redirect()->back()->with('error', trans('general.shitty_browser'));
+                }
+
+                $decoded_image = $this->flattenSignatureBackgroundToWhite($decoded_image);
+                $encodedSignatureImage = base64_encode($decoded_image);
+
                Storage::put('private_uploads/signatures/'.$sig_filename, (string) $decoded_image);

                // No image data is present, kick them back.
@@ -133,7 +182,7 @@ class AcceptanceController extends Controller
        // This is needed for TCPDF to properly embed the image if it's a png and the cache isn't writable
        $encoded_logo = null;
        if (($settings->acceptance_pdf_logo) && (Storage::disk('public')->exists($settings->acceptance_pdf_logo))) {
-            $encoded_logo = base64_encode(file_get_contents(public_path().'/uploads/'.$settings->acceptance_pdf_logo));
+            $encoded_logo = base64_encode(file_get_contents(public_path().'/uploads/'.basename($settings->acceptance_pdf_logo)));
        }

        // Get the data array ready for the notifications and PDF generation
@@ -148,18 +197,42 @@ class AcceptanceController extends Controller
            'check_out_date' => Helper::getFormattedDateObject($acceptance->created_at, 'datetime', false),
            'accepted_date' => Helper::getFormattedDateObject(now()->format('Y-m-d H:i:s'), 'datetime', false),
            'declined_date' => Helper::getFormattedDateObject(now()->format('Y-m-d H:i:s'), 'datetime', false),
-            'assigned_to' => $assigned_user->display_name,
-            'email' => $assigned_user->email,
-            'employee_num' => $assigned_user->employee_num,
+            'assigned_to' => $assignedUser->display_name,
+            'email' => $assignedUser->email,
+            'employee_num' => $assignedUser->employee_num,
            'site_name' => $settings->site_name,
            'company_name' => $item->company?->name ?? $settings->site_name,
-            'signature' => (($sig_filename && array_key_exists('1', $encoded_image))) ? $encoded_image[1] : null,
+            'signature' => ($sig_filename !== '') ? $encodedSignatureImage : null,
            'logo' => ($encoded_logo) ?? null,
            'date_settings' => $settings->date_display_format,
            'qty' => $acceptance->qty ?? 1,
        ];

-        if ($request->input('asset_acceptance') == 'accepted') {
+        // Include asset custom fields that are explicitly allowed in outbound emails/PDFs.
+        if ($item instanceof Asset && $item->model && $item->model->fieldset) {
+            $customFields = [];
+            $fields = $item->model->fieldset->fields
+                ->where('show_in_email', true)
+                ->where('field_encrypted', false);
+
+            foreach ($fields as $field) {
+                $dbColumn = $field->db_column;
+                $value = $item->{$dbColumn};
+
+                if (! is_null($value) && $value !== '') {
+                    $customFields[] = [
+                        'label' => $field->name,
+                        'value' => $value,
+                    ];
+                }
+            }
+
+            if (! empty($customFields)) {
+                $data['custom_fields'] = $customFields;
+            }
+        }
+
+        if ($request->input('asset_acceptance') === 'accepted') {

            $pdf_filename = 'accepted-'.$acceptance->checkoutable_id.'-'.$acceptance->display_checkoutable_type.'-eula-'.date('Y-m-d-h-i-s').'.pdf';

@@ -171,12 +244,12 @@ class AcceptanceController extends Controller
            $acceptance->accept($sig_filename, $item->getEula(), $pdf_filename, $request->input('note'));

            // Send the PDF to the signing user
-            if (($request->input('send_copy') == '1') && ($assigned_user->email != '')) {
+            if (($request->input('send_copy') === '1') && ($assignedUser->email !== '')) {

                // Add the attachment for the signing user into the $data array
                $data['file'] = $pdf_filename;
                try {
-                    $assigned_user->notify((new AcceptanceItemAcceptedToUserNotification($data))->locale($assigned_user->locale));
+                    $assignedUser->notify((new AcceptanceItemAcceptedToUserNotification($data))->locale($assignedUser->locale));
                } catch (Exception $e) {
                    Log::warning($e);
                }
@@ -215,7 +288,7 @@ class AcceptanceController extends Controller
                        $recipient,
                        $request->input('asset_acceptance') === 'accepted',
                    ));
-                    Log::debug('Send email notification sucess on checkout acceptance response.');
+                    Log::debug('Send email notification success on checkout acceptance response.');
                }
            } catch (Exception $e) {
                Log::error($e->getMessage());
@@ -223,7 +296,163 @@ class AcceptanceController extends Controller
            }
        }

+        if ($isSignInPlaceAdminFlow) {
+            $request->request->add(['assigned_user' => $assignedUser?->id]);
+
+            $redirect = Helper::getRedirectOption(
+                $request,
+                session('sign_in_place_item_id'),
+                session('sign_in_place_resource_type'),
+            );
+
+            session()->forget([
+                'sign_in_place_acceptance_id',
+                'sign_in_place_item_id',
+                'sign_in_place_resource_type',
+            ]);
+
+            return $redirect->with('success', $return_msg);
+        }
+
        return redirect()->to('account/accept')->with('success', $return_msg);

    }
+
+    private function isSignInPlaceAdminFlow(CheckoutAcceptance $acceptance): bool
+    {
+        $currentUser = auth()->user();
+
+        return ((int) session('sign_in_place_acceptance_id') === (int) $acceptance->id)
+            && ($currentUser?->can('checkout', $acceptance->checkoutable));
+    }
+
+    private function resolveCheckoutActorName(CheckoutAcceptance $acceptance): ?string
+    {
+        [$itemType, $itemId] = $this->resolveCheckoutLogItem($acceptance);
+
+        $checkoutLog = Actionlog::query()
+            ->where('action_type', 'checkout')
+            ->where('item_type', $itemType)
+            ->where('item_id', $itemId)
+            ->where('target_type', User::class)
+            ->where('target_id', $acceptance->assigned_to_id)
+            ->where('created_at', '<=', $acceptance->created_at->copy()->addMinutes(5))
+            ->latest('id')
+            ->first();
+
+        return $checkoutLog?->adminuser?->display_name;
+    }
+
+    /**
+     * Action logs normalize license seat checkouts to the parent license.
+     *
+     * @return array{0: class-string, 1: int}
+     */
+    private function resolveCheckoutLogItem(CheckoutAcceptance $acceptance): array
+    {
+        $checkoutable = $acceptance->checkoutable;
+
+        if ($checkoutable instanceof LicenseSeat) {
+            return [License::class, (int) $checkoutable->license_id];
+        }
+
+        return [$acceptance->checkoutable_type, (int) $acceptance->checkoutable_id];
+    }
+
+    private function isStaleSignInPlaceAdminAttempt(CheckoutAcceptance $acceptance, User $currentUser): bool
+    {
+        $redirectOption = session('redirect_option');
+        $checkoutToType = session('checkout_to_type');
+
+        if (session('sign_in_place') !== true) {
+            return false;
+        }
+
+        if ($redirectOption === null) {
+            return false;
+        }
+
+        if ($redirectOption === 'target' && $checkoutToType === 'user' && empty($acceptance->assigned_to_id)) {
+            return false;
+        }
+
+        return ! $acceptance->isCheckedOutTo($currentUser)
+            && $currentUser->can('checkout', $acceptance->checkoutable)
+            && ($checkoutToType === 'user');
+    }
+
+    private function redirectToIntendedSignInPlaceDestination(Request $request, CheckoutAcceptance $acceptance): RedirectResponse
+    {
+        if (empty($acceptance->assigned_to_id)) {
+            return redirect()->route('account.accept');
+        }
+
+        [$itemId, $resourceType] = $this->resolveRedirectTarget($acceptance);
+
+        $request->request->add(['assigned_user' => $acceptance->assigned_to_id]);
+
+        return Helper::getRedirectOption($request, $itemId, $resourceType);
+    }
+
+    /**
+     * @return array{0: int, 1: string}
+     */
+    private function resolveRedirectTarget(CheckoutAcceptance $acceptance): array
+    {
+        $checkoutable = $acceptance->checkoutable;
+
+        if ($checkoutable instanceof Asset) {
+            return [(int) $checkoutable->id, 'Assets'];
+        }
+
+        if ($checkoutable instanceof Accessory) {
+            return [(int) $checkoutable->id, 'Accessories'];
+        }
+
+        if ($checkoutable instanceof Consumable) {
+            return [(int) $checkoutable->id, 'Consumables'];
+        }
+
+        if ($checkoutable instanceof LicenseSeat) {
+            return [(int) $checkoutable->license_id, 'Licenses'];
+        }
+
+        return [(int) $acceptance->checkoutable_id, session('sign_in_place_resource_type', 'Assets')];
+    }
+
+    private function flattenSignatureBackgroundToWhite(string $signatureBinary): string
+    {
+        if (! function_exists('imagecreatefromstring') || ! function_exists('imagecreatetruecolor')) {
+            return $signatureBinary;
+        }
+
+        $source = @imagecreatefromstring($signatureBinary);
+
+        if ($source === false) {
+            return $signatureBinary;
+        }
+
+        $width = imagesx($source);
+        $height = imagesy($source);
+        $flattened = imagecreatetruecolor($width, $height);
+
+        if ($flattened === false) {
+            imagedestroy($source);
+
+            return $signatureBinary;
+        }
+
+        $white = imagecolorallocate($flattened, 255, 255, 255);
+        imagefilledrectangle($flattened, 0, 0, $width, $height, $white);
+        imagecopy($flattened, $source, 0, 0, 0, 0, $width, $height);
+
+        ob_start();
+        imagepng($flattened);
+        $output = ob_get_clean();
+
+        imagedestroy($source);
+        imagedestroy($flattened);
+
+        return is_string($output) ? $output : $signatureBinary;
+    }
 }
@@ -15,6 +15,8 @@ class ActionlogController extends Controller
 {
    public function displaySig($filename): RedirectResponse|Response|bool
    {
+        $filename = basename((string) $filename);
+
        // PHP doesn't let you handle file not found errors well with
        // file_get_contents, so we set the error reporting for just this class
        error_reporting(0);
@@ -44,6 +46,7 @@ class ActionlogController extends Controller

    public function getStoredEula($filename): Response|BinaryFileResponse|RedirectResponse
    {
+        $filename = basename((string) $filename);

        if ($actionlog = Actionlog::where('filename', $filename)->with('user')->with('target')->firstOrFail()) {

@@ -14,6 +14,7 @@ use App\Http\Transformers\ActionlogsTransformer;
 use App\Http\Transformers\SelectlistTransformer;
 use App\Models\Accessory;
 use App\Models\AccessoryCheckout;
+use App\Models\Company;
 use App\Models\User;
 use Carbon\Carbon;
 use Illuminate\Http\JsonResponse;
@@ -84,23 +85,23 @@ class AccessoriesController extends Controller
        }

        if ($request->filled('category_id')) {
-            $accessories->where('category_id', '=', $request->input('category_id'));
+            $accessories->where('accessories.category_id', '=', $request->input('category_id'));
        }

        if ($request->filled('manufacturer_id')) {
-            $accessories->where('manufacturer_id', '=', $request->input('manufacturer_id'));
+            $accessories->where('accessories.manufacturer_id', '=', $request->input('manufacturer_id'));
        }

        if ($request->filled('supplier_id')) {
-            $accessories->where('supplier_id', '=', $request->input('supplier_id'));
+            $accessories->where('accessories.supplier_id', '=', $request->input('supplier_id'));
        }

        if ($request->filled('location_id')) {
-            $accessories->where('location_id', '=', $request->input('location_id'));
+            $accessories->where('accessories.location_id', '=', $request->input('location_id'));
        }

        if ($request->filled('notes')) {
-            $accessories->where('notes', '=', $request->input('notes'));
+            $accessories->where('accessories.notes', '=', $request->input('notes'));
        }

        // Make sure the offset and limit are actually integers and do not exceed system limits
@@ -155,6 +156,7 @@ class AccessoriesController extends Controller
    {
        $accessory = new Accessory;
        $accessory->fill($request->all());
+        $accessory->company_id = Company::getIdForCurrentUser($request->input('company_id'));
        $accessory = $request->handleImages($accessory);

        if ($accessory->save()) {
@@ -248,6 +250,7 @@ class AccessoriesController extends Controller
        $this->authorize('update', Accessory::class);
        $accessory = Accessory::findOrFail($id);
        $accessory->fill($request->all());
+        $accessory->company_id = Company::getIdForCurrentUser($request->input('company_id'));
        $accessory = $request->handleImages($accessory);

        if ($accessory->save()) {
@@ -405,11 +408,11 @@ class AccessoriesController extends Controller
    public function history(Request $request, Accessory $accessory): JsonResponse|array
    {
        $this->authorize('history', $accessory);
-        $history = $accessory->getHistory($request);
-        $total = $accessory->getHistory($request)->count();
+        $historyQuery = $accessory->getHistory($request);
+        $total = (clone $historyQuery)->count();
        $offset = ($request->input('offset') > $total) ? $total : app('api_offset_value');
        $limit = app('api_limit_value');
-        $history = $history->skip($offset)->take($limit)->get();
+        $history = (clone $historyQuery)->skip($offset)->take($limit)->get();

        return response()->json((new ActionlogsTransformer)->transformActionlogs($history, $total), 200, ['Content-Type' => 'application/json;charset=utf8'], JSON_UNESCAPED_UNICODE);
    }
@@ -343,11 +343,11 @@ class AssetModelsController extends Controller
    public function history(Request $request, AssetModel $model): JsonResponse|array
    {
        $this->authorize('history', $model);
-        $history = $model->getHistory($request);
-        $total = $model->getHistory($request)->count();
+        $historyQuery = $model->getHistory($request);
+        $total = (clone $historyQuery)->count();
        $offset = ($request->input('offset') > $total) ? $total : app('api_offset_value');
        $limit = app('api_limit_value');
-        $history = $history->skip($offset)->take($limit)->get();
+        $history = (clone $historyQuery)->skip($offset)->take($limit)->get();

        return response()->json((new ActionlogsTransformer)->transformActionlogs($history, $total), 200, ['Content-Type' => 'application/json;charset=utf8'], JSON_UNESCAPED_UNICODE);
    }
@@ -39,6 +39,7 @@ use Illuminate\Support\Facades\Gate;
 use Illuminate\Support\Facades\Log;
 use Illuminate\Support\Facades\Route;
 use Illuminate\Support\Facades\Storage;
+use Illuminate\Support\Str;

 /**
 * This class controls all actions related to assets for
@@ -219,10 +220,18 @@ class AssetsController extends Controller

        // This is used by the sidenav, mostly

-        // We switched from using query scopes here because of a Laravel bug
-        // related to fulltext searches on complex queries.
-        // I am sad. :(
-        switch ($request->input('status_type')) {
+        // This bit here accounts for folks actually using the formerly-known-as status like we previously used in the sidenav
+        // to return a list of all assets with the status *type* of Deployed, etc. The inuput field used to be "status" (which was consistent
+        // with the relation rename, but it broke the sidebar. This should handle both use cases in the event that someone didn't update
+        // their API integration code
+        $status_type_key = null;
+        if ($request->filled('status_type')) {
+            $status_type_key = $request->input('status_type');
+        } elseif ($request->filled('status')) {
+            $status_type_key = $request->input('status');
+        }
+
+        switch ($status_type_key) {
            case 'Deleted':
                $assets->onlyTrashed();
                break;
@@ -953,6 +962,11 @@ class AssetsController extends Controller
            $asset->status_id = $request->input('status_id');
        }

+        // Preserve existing requestable state unless API caller explicitly includes the field.
+        if ($request->has('requestable')) {
+            $asset->requestable = $request->boolean('requestable');
+        }
+
        if (! isset($target)) {
            return response()->json(Helper::formatStandardApiResponse('error', $error_payload, 'Checkout target for asset '.e($asset->asset_tag).' is invalid - '.$error_payload['target_type'].' does not exist.'));
        }
@@ -1053,6 +1067,12 @@ class AssetsController extends Controller
            });

        if ($asset->save()) {
+
+            // Update the location of any child assets
+            Asset::where('assigned_type', Asset::class)
+                ->where('assigned_to', $asset->id)
+                ->update(['location_id' => $asset->location_id]);
+
            event(new CheckoutableCheckedIn($asset, $target, auth()->user(), $request->input('note'), $checkin_at, $originalValues));

            return response()->json(Helper::formatStandardApiResponse('success', [
@@ -1109,11 +1129,23 @@ class AssetsController extends Controller
            $dt = Carbon::now()->addMonths($settings->audit_interval)->toDateString();
        }

-        // Allow the asset tag to be passed in the payload (legacy method)
-        if ($request->filled('asset_tag')) {
+        $audit_by_field = $request->input('audit_by_field', 'asset_tag');
+        $audit_key = $request->input('audit_key', null);
+
+        // If they have selected to scan by serial, use that
+        if (($settings->unique_serial == '1') && ($audit_by_field == 'serial') && ($audit_key)) {
+            $asset = Asset::where('serial', '=', trim($audit_key))->first();
+
+            // If they have selected by asset tag, use that
+        } elseif (($audit_by_field == 'asset_tag') && ($audit_key)) {
+            $asset = Asset::where('asset_tag', '=', trim($audit_key))->first();
+
+            // Allow the asset tag to be passed in the payload (legacy method)
+        } elseif ($request->filled('asset_tag')) {
            $asset = Asset::where('asset_tag', '=', $request->input('asset_tag'))->first();
        }

+        // If none of the above were selected, fall back to the route-model-binding
        if ($asset) {

            $originalValues = $asset->getRawOriginal();
@@ -1135,8 +1167,10 @@ class AssetsController extends Controller
            // Set up the payload for re-display in the API response
            $payload = [
                'id' => $asset->id,
-                'asset_tag' => $asset->asset_tag,
-                'note' => e($request->input('note')),
+                'asset_tag' => e($asset->asset_tag),
+                'audit_by_field' => e(Str::headline($audit_by_field)),
+                'audit_key' => e($audit_key),
+                'note' => $request->filled('note') ? e($request->input('note')) : null,
                'status_label' => e($asset->status?->display_name),
                'status_type' => $asset->status?->getStatuslabelType(),
                'next_audit_date' => Helper::getFormattedDateObject($asset->next_audit_date),
@@ -1177,7 +1211,7 @@ class AssetsController extends Controller

            // Validate the rest of the data before we turn off the event dispatcher
            if ($asset->isInvalid()) {
-                return response()->json(Helper::formatStandardApiResponse('error', ['asset_tag' => $asset->asset_tag], $asset->getErrors()));
+                return response()->json(Helper::formatStandardApiResponse('error', $payload, $asset->getErrors()));
            }

            /**
@@ -1210,8 +1244,13 @@ class AssetsController extends Controller

        }

+        $fail_payload = [
+            'audit_by_field' => e(Str::headline($audit_by_field)),
+            'audit_key' => e($audit_key),
+        ];
+
        // No matching asset for the asset tag that was passed.
-        return response()->json(Helper::formatStandardApiResponse('error', null, trans('admin/hardware/message.does_not_exist')), 200);
+        return response()->json(Helper::formatStandardApiResponse('error', $fail_payload, trans('admin/hardware/message.does_not_exist')), 200);

    }

@@ -1411,7 +1450,7 @@ class AssetsController extends Controller
                $label = new Label;

                if (! $label) {
-                    throw new \Exception('Label object could not be created');
+                    throw new \Exception(trans('admin/labels/message.label_not_created'));
                }

                // Configure label with assets and settings
@@ -1432,7 +1471,7 @@ class AssetsController extends Controller

                // Verify PDF was generated successfully
                if (empty($pdf_content)) {
-                    throw new \Exception('PDF content is empty');
+                    throw new \Exception(trans('admin/labels/message.use_new_label_engine_for_api'));
                }

                $encoded_content = base64_encode($pdf_content);
@@ -1460,11 +1499,11 @@ class AssetsController extends Controller
    public function history(Request $request, Asset $asset): JsonResponse|array
    {
        $this->authorize('history', $asset);
-        $history = $asset->getHistory($request);
-        $total = $asset->getHistory($request)->count();
+        $historyQuery = $asset->getHistory($request);
+        $total = (clone $historyQuery)->count();
        $offset = ($request->input('offset') > $total) ? $total : app('api_offset_value');
        $limit = app('api_limit_value');
-        $history = $history->skip($offset)->take($limit)->get();
+        $history = (clone $historyQuery)->skip($offset)->take($limit)->get();

        return response()->json((new ActionlogsTransformer)->transformActionlogs($history, $total), 200, ['Content-Type' => 'application/json;charset=utf8'], JSON_UNESCAPED_UNICODE);
    }
@@ -129,6 +129,11 @@ class CategoriesController extends Controller
            case 'created_by':
                $categories = $categories->OrderByCreatedBy($order);
                break;
+                // This is annoying, since it's not a real relationship, which is what we usually use these switches for, but
+                // we call the field has_eula, not eula_text, so there won't be a matching field
+            case 'has_eula':
+                $categories = $categories->orderBy('eula_text', $order);
+                break;
            default:
                $categories = $categories->orderBy($column_sort, $order);
                break;
@@ -9,8 +9,8 @@ use App\Http\Requests\ImageUploadRequest;
 use App\Http\Transformers\ActionlogsTransformer;
 use App\Http\Transformers\ComponentsTransformer;
 use App\Models\Asset;
+use App\Models\Company;
 use App\Models\Component;
-use App\Models\ComponentAssignment;
 use Carbon\Carbon;
 use Illuminate\Database\Query\Builder;
 use Illuminate\Http\JsonResponse;
@@ -80,7 +80,7 @@ class ComponentsController extends Controller
        }

        if ($request->filled('name')) {
-            $components->where('name', '=', $request->input('name'));
+            $components->where('components.name', '=', $request->input('name'));
        }

        if ($request->filled('company_id')) {
@@ -92,27 +92,27 @@ class ComponentsController extends Controller
        }

        if ($request->filled('category_id')) {
-            $components->where('category_id', '=', $request->input('category_id'));
+            $components->where('components.category_id', '=', $request->input('category_id'));
        }

        if ($request->filled('supplier_id')) {
-            $components->where('supplier_id', '=', $request->input('supplier_id'));
+            $components->where('components.supplier_id', '=', $request->input('supplier_id'));
        }

        if ($request->filled('manufacturer_id')) {
-            $components->where('manufacturer_id', '=', $request->input('manufacturer_id'));
+            $components->where('components.manufacturer_id', '=', $request->input('manufacturer_id'));
        }

        if ($request->filled('model_number')) {
-            $components->where('model_number', '=', $request->input('model_number'));
+            $components->where('components.model_number', '=', $request->input('model_number'));
        }

        if ($request->filled('location_id')) {
-            $components->where('location_id', '=', $request->input('location_id'));
+            $components->where('components.location_id', '=', $request->input('location_id'));
        }

        if ($request->filled('notes')) {
-            $components->where('notes', '=', $request->input('notes'));
+            $components->where('components.notes', '=', $request->input('notes'));
        }

        // Make sure the offset and limit are actually integers and do not exceed system limits
@@ -166,6 +166,7 @@ class ComponentsController extends Controller
        $this->authorize('create', Component::class);
        $component = new Component;
        $component->fill($request->all());
+        $component->company_id = Company::getIdForCurrentUser($request->input('company_id'));
        $component = $request->handleImages($component);

        if ($component->save()) {
@@ -206,6 +207,7 @@ class ComponentsController extends Controller
        $this->authorize('update', Component::class);
        $component = Component::findOrFail($id);
        $component->fill($request->all());
+        $component->company_id = Company::getIdForCurrentUser($request->input('company_id'));
        $component = $request->handleImages($component);

        if ($component->save()) {
@@ -252,13 +254,11 @@ class ComponentsController extends Controller
    {
        $this->authorize('view', Asset::class);

-        $component_checkouts = ComponentAssignment::where('component_id', $component->id)->with('adminuser')->with('assets');
-
        $offset = request('offset', 0);
        $limit = $request->input('limit', 50);

        if ($request->filled('search')) {
-            $assets = $component_checkouts->assets()
+            $assets = $component->assets()
                ->where(function ($query) use ($request) {
                    $search_str = '%'.$request->input('search').'%';
                    $query->where('name', 'like', $search_str)
@@ -391,11 +391,11 @@ class ComponentsController extends Controller
    public function history(Request $request, Component $component): JsonResponse|array
    {
        $this->authorize('history', $component);
-        $history = $component->getHistory($request);
-        $total = $component->getHistory($request)->count();
+        $historyQuery = $component->getHistory($request);
+        $total = (clone $historyQuery)->count();
        $offset = ($request->input('offset') > $total) ? $total : app('api_offset_value');
        $limit = app('api_limit_value');
-        $history = $history->skip($offset)->take($limit)->get();
+        $history = (clone $historyQuery)->skip($offset)->take($limit)->get();

        return response()->json((new ActionlogsTransformer)->transformActionlogs($history, $total), 200, ['Content-Type' => 'application/json;charset=utf8'], JSON_UNESCAPED_UNICODE);
    }
@@ -67,7 +67,7 @@ class ConsumablesController extends Controller
        }

        if ($request->filled('name')) {
-            $consumables->where('name', '=', $request->input('name'));
+            $consumables->where('consumables.name', '=', $request->input('name'));
        }

        if ($request->filled('company_id')) {
@@ -79,27 +79,27 @@ class ConsumablesController extends Controller
        }

        if ($request->filled('category_id')) {
-            $consumables->where('category_id', '=', $request->input('category_id'));
+            $consumables->where('consumables.category_id', '=', $request->input('category_id'));
        }

        if ($request->filled('model_number')) {
-            $consumables->where('model_number', '=', $request->input('model_number'));
+            $consumables->where('consumables.model_number', '=', $request->input('model_number'));
        }

        if ($request->filled('manufacturer_id')) {
-            $consumables->where('manufacturer_id', '=', $request->input('manufacturer_id'));
+            $consumables->where('consumables.manufacturer_id', '=', $request->input('manufacturer_id'));
        }

        if ($request->filled('supplier_id')) {
-            $consumables->where('supplier_id', '=', $request->input('supplier_id'));
+            $consumables->where('consumables.supplier_id', '=', $request->input('supplier_id'));
        }

        if ($request->filled('location_id')) {
-            $consumables->where('location_id', '=', $request->input('location_id'));
+            $consumables->where('consumables.location_id', '=', $request->input('location_id'));
        }

        if ($request->filled('notes')) {
-            $consumables->where('notes', '=', $request->input('notes'));
+            $consumables->where('consumables.notes', '=', $request->input('notes'));
        }

        // Make sure the offset and limit are actually integers and do not exceed system limits
@@ -155,6 +155,7 @@ class ConsumablesController extends Controller
        $this->authorize('create', Consumable::class);
        $consumable = new Consumable;
        $consumable->fill($request->all());
+        $consumable->company_id = Company::getIdForCurrentUser($request->input('company_id'));
        $consumable = $request->handleImages($consumable);

        if ($consumable->save()) {
@@ -194,6 +195,7 @@ class ConsumablesController extends Controller
        $this->authorize('update', Consumable::class);
        $consumable = Consumable::findOrFail($id);
        $consumable->fill($request->all());
+        $consumable->company_id = Company::getIdForCurrentUser($request->input('company_id'));
        $consumable = $request->handleImages($consumable);

        if ($consumable->save()) {
@@ -361,11 +363,11 @@ class ConsumablesController extends Controller
    public function history(Request $request, Consumable $consumable): JsonResponse|array
    {
        $this->authorize('history', $consumable);
-        $history = $consumable->getHistory($request);
-        $total = $consumable->getHistory($request)->count();
+        $historyQuery = $consumable->getHistory($request);
+        $total = (clone $historyQuery)->count();
        $offset = ($request->input('offset') > $total) ? $total : app('api_offset_value');
        $limit = app('api_limit_value');
-        $history = $history->skip($offset)->take($limit)->get();
+        $history = (clone $historyQuery)->skip($offset)->take($limit)->get();

        return response()->json((new ActionlogsTransformer)->transformActionlogs($history, $total), 200, ['Content-Type' => 'application/json;charset=utf8'], JSON_UNESCAPED_UNICODE);
    }
@@ -9,6 +9,7 @@ use App\Http\Requests\ImageUploadRequest;
 use App\Http\Requests\StoreDepartmentRequest;
 use App\Http\Transformers\DepartmentsTransformer;
 use App\Http\Transformers\SelectlistTransformer;
+use App\Models\Company;
 use App\Models\Department;
 use Illuminate\Http\JsonResponse;
 use Illuminate\Http\Request;
@@ -50,23 +51,23 @@ class DepartmentsController extends Controller
        }

        if ($request->filled('name')) {
-            $departments->where('name', '=', $request->input('name'));
+            $departments->where('departments.name', '=', $request->input('name'));
        }

        if ($request->filled('company_id')) {
-            $departments->where('company_id', '=', $request->input('company_id'));
+            $departments->where('departments.company_id', '=', $request->input('company_id'));
        }

        if ($request->filled('manager_id')) {
-            $departments->where('manager_id', '=', $request->input('manager_id'));
+            $departments->where('departments.manager_id', '=', $request->input('manager_id'));
        }

        if ($request->filled('location_id')) {
-            $departments->where('location_id', '=', $request->input('location_id'));
+            $departments->where('departments.location_id', '=', $request->input('location_id'));
        }

        if ($request->filled('tag_color')) {
-            $departments->where('tag_color', '=', $request->input('departments.tag_color'));
+            $departments->where('departments.tag_color', '=', $request->input('tag_color'));
        }

        // Make sure the offset and limit are actually integers and do not exceed system limits
@@ -111,6 +112,7 @@ class DepartmentsController extends Controller
    {
        $department = new Department;
        $department->fill($request->validated());
+        $department->company_id = Company::getIdForCurrentUser($request->input('company_id'));
        $department = $request->handleImages($department);

        $department->created_by = auth()->id();
@@ -155,6 +157,7 @@ class DepartmentsController extends Controller
        $this->authorize('update', Department::class);
        $department = Department::findOrFail($id);
        $department->fill($request->all());
+        $department->company_id = Company::getIdForCurrentUser($request->input('company_id'));
        $department = $request->handleImages($department);

        if ($department->save()) {
@@ -8,6 +8,7 @@ use App\Http\Requests\FilterRequest;
 use App\Http\Transformers\ActionlogsTransformer;
 use App\Http\Transformers\LicensesTransformer;
 use App\Http\Transformers\SelectlistTransformer;
+use App\Models\Company;
 use App\Models\License;
 use App\Models\Setting;
 use Illuminate\Http\JsonResponse;
@@ -179,6 +180,7 @@ class LicensesController extends Controller
        $this->authorize('create', License::class);
        $license = new License;
        $license->fill($request->all());
+        $license->company_id = Company::getIdForCurrentUser($request->input('company_id'));

        if ($license->save()) {
            return response()->json(Helper::formatStandardApiResponse('success', $license, trans('admin/licenses/message.create.success')));
@@ -219,6 +221,7 @@ class LicensesController extends Controller

        $license = License::findOrFail($id);
        $license->fill($request->all());
+        $license->company_id = Company::getIdForCurrentUser($request->input('company_id'));

        if ($license->save()) {
            return response()->json(Helper::formatStandardApiResponse('success', $license, trans('admin/licenses/message.update.success')));
@@ -282,11 +285,11 @@ class LicensesController extends Controller
    public function history(Request $request, License $license): JsonResponse|array
    {
        $this->authorize('history', $license);
-        $history = $license->getHistory($request);
-        $total = $license->getHistory($request)->count();
+        $historyQuery = $license->getHistory($request);
+        $total = (clone $historyQuery)->count();
        $offset = ($request->input('offset') > $total) ? $total : app('api_offset_value');
        $limit = app('api_limit_value');
-        $history = $history->skip($offset)->take($limit)->get();
+        $history = (clone $historyQuery)->skip($offset)->take($limit)->get();

        return response()->json((new ActionlogsTransformer)->transformActionlogs($history, $total), 200, ['Content-Type' => 'application/json;charset=utf8'], JSON_UNESCAPED_UNICODE);
    }
@@ -462,11 +462,11 @@ class LocationsController extends Controller
    public function history(Request $request, Location $location): JsonResponse|array
    {
        $this->authorize('history', $location);
-        $history = $location->getHistory($request);
-        $total = $location->getHistory($request)->count();
+        $historyQuery = $location->getHistory($request);
+        $total = (clone $historyQuery)->count();
        $offset = ($request->input('offset') > $total) ? $total : app('api_offset_value');
        $limit = app('api_limit_value');
-        $history = $history->skip($offset)->take($limit)->get();
+        $history = (clone $historyQuery)->skip($offset)->take($limit)->get();

        return response()->json((new ActionlogsTransformer)->transformActionlogs($history, $total), 200, ['Content-Type' => 'application/json;charset=utf8'], JSON_UNESCAPED_UNICODE);
    }
@@ -257,14 +257,12 @@ class MaintenancesController extends Controller

    public function history(Request $request, Maintenance $maintenance): JsonResponse|array
    {
-        $this->authorize('view', Asset::class);
-        $asset = $maintenance->asset;
-        $this->authorize('history', $asset);
-        $history = $maintenance->getHistory($request);
-        $total = $maintenance->getHistory($request)->count();
+        $this->authorize('history', $maintenance);
+        $historyQuery = $maintenance->getHistory($request);
+        $total = (clone $historyQuery)->count();
        $offset = ($request->input('offset') > $total) ? $total : app('api_offset_value');
        $limit = app('api_limit_value');
-        $history = $history->skip($offset)->take($limit)->get();
+        $history = (clone $historyQuery)->skip($offset)->take($limit)->get();

        return response()->json((new ActionlogsTransformer)->transformActionlogs($history, $total), 200, ['Content-Type' => 'application/json;charset=utf8'], JSON_UNESCAPED_UNICODE);
    }
@@ -162,6 +162,13 @@ class SettingsController extends Controller
    public function ajaxTestEmail(): JsonResponse
    {
        if (! config('app.lock_passwords')) {
+
+            if (config('mail.reply_to.address') == '') {
+                Log::debug('MAIL_REPLYTO_ADDR not set in env. Skipping mail test.');
+
+                return response()->json(['message' => trans('admin/settings/general.mail_test_no_email')], 403);
+            }
+
            try {
                Notification::send(Setting::first(), new MailTest);
                Log::debug('Attempting to sending to '.config('mail.reply_to.address'));
@@ -286,6 +293,11 @@ class SettingsController extends Controller
     */
    public function downloadBackup($file): JsonResponse|BinaryFileResponse
    {
+        $file = $this->sanitizeBackupFilename($file);
+
+        if ($file === null) {
+            return response()->json(Helper::formatStandardApiResponse('error', null, trans('general.file_not_found')), 404);
+        }

        $path = storage_path('app/backups');

@@ -329,4 +341,21 @@ class SettingsController extends Controller
        }

    }
+
+    private function sanitizeBackupFilename(mixed $filename): ?string
+    {
+        $filename = trim((string) $filename);
+
+        if ($filename === '' || str_contains($filename, "\0")) {
+            return null;
+        }
+
+        $sanitized = basename($filename);
+
+        if (($sanitized === '') || ($sanitized === '.') || ($sanitized === '..')) {
+            return null;
+        }
+
+        return ($sanitized === $filename) ? $sanitized : null;
+    }
 }
@@ -808,21 +808,27 @@ class UsersController extends Controller
            try {
                $user = User::find($request->input('id'));
                $this->authorize('update', $user);
-                $user->two_factor_secret = null;
-                $user->two_factor_enrolled = 0;
-                $user->saveQuietly();

-                // Log the reset
-                $logaction = new Actionlog;
-                $logaction->target_type = User::class;
-                $logaction->target_id = $user->id;
-                $logaction->item_type = User::class;
-                $logaction->item_id = $user->id;
-                $logaction->created_at = date('Y-m-d H:i:s');
-                $logaction->created_by = auth()->id();
-                $logaction->logaction('2FA reset');
+                if (auth()->user()->can('canEditAuthFields', $user) && auth()->user()->can('editableOnDemo')) {

-                return response()->json(['message' => trans('admin/settings/general.two_factor_reset_success')], 200);
+                    $user->two_factor_secret = null;
+                    $user->two_factor_enrolled = 0;
+                    $user->saveQuietly();
+
+                    // Log the reset
+                    $logaction = new Actionlog;
+                    $logaction->target_type = User::class;
+                    $logaction->target_id = $user->id;
+                    $logaction->item_type = User::class;
+                    $logaction->item_id = $user->id;
+                    $logaction->created_at = date('Y-m-d H:i:s');
+                    $logaction->created_by = auth()->id();
+                    $logaction->logaction('2FA reset');
+
+                    return response()->json(['message' => trans('admin/settings/general.two_factor_reset_success')], 200);
+                }
+
+                return response()->json(['message' => trans('general.unauthorized')], 500);
            } catch (\Exception $e) {
                return response()->json(['message' => trans('admin/settings/general.two_factor_reset_error')], 500);
            }
@@ -939,11 +945,11 @@ class UsersController extends Controller
    public function history(Request $request, User $user): JsonResponse|array
    {
        $this->authorize('history', $user);
-        $history = $user->getHistory($request);
-        $total = $user->getHistory($request)->count();
+        $historyQuery = $user->getHistory($request);
+        $total = (clone $historyQuery)->count();
        $offset = ($request->input('offset') > $total) ? $total : app('api_offset_value');
        $limit = app('api_limit_value');
-        $history = $history->skip($offset)->take($limit)->get();
+        $history = (clone $historyQuery)->skip($offset)->take($limit)->get();

        return response()->json((new ActionlogsTransformer)->transformActionlogs($history, $total), 200, ['Content-Type' => 'application/json;charset=utf8'], JSON_UNESCAPED_UNICODE);
    }
@@ -10,6 +10,7 @@ use App\Http\Traits\MigratesLegacyAssetLocations;
 use App\Models\Asset;
 use App\Models\CheckoutAcceptance;
 use App\Models\LicenseSeat;
+use App\Models\Statuslabel;
 use Illuminate\Contracts\View\View;
 use Illuminate\Database\Eloquent\Builder;
 use Illuminate\Http\RedirectResponse;
@@ -56,9 +57,16 @@ class AssetCheckinController extends Controller
            default => trans('admin/hardware/form.redirect_to_type', ['type' => trans('general.user')]),
        };

+        $deployableStatusIds = array_map('intval', array_keys(Helper::deployableStatusLabelList()));
+        $selectedStatusId = old('status_id');
+        $showRequestableToggle = is_numeric($selectedStatusId)
+            && in_array((int) $selectedStatusId, $deployableStatusIds, true);
+
        return view('hardware/checkin', compact('asset', 'target_option'))
            ->with('item', $asset)
            ->with('statusLabel_list', Helper::statusLabelList())
+            ->with('deployable_status_ids', $deployableStatusIds)
+            ->with('show_requestable_toggle', $showRequestableToggle)
            ->with('backto', $backto)
            ->with('table_name', 'Assets');
    }
@@ -107,6 +115,19 @@ class AssetCheckinController extends Controller
            $asset->status_id = e($request->input('status_id'));
        }

+        $selectedStatusId = $request->filled('status_id')
+            ? (int) $request->input('status_id')
+            : (int) $asset->status_id;
+
+        $isDeployableStatus = Statuslabel::query()
+            ->whereKey($selectedStatusId)
+            ->where('deployable', 1)
+            ->exists();
+
+        if ($request->boolean('set_requestable') && $isDeployableStatus) {
+            $asset->requestable = true;
+        }
+
        // Add any custom fields that should be included in the checkout
        $asset->customFieldsForCheckinCheckout('display_checkin');

@@ -154,6 +175,10 @@ class AssetCheckinController extends Controller
        $asset->customFieldsForCheckinCheckout('display_checkin');

        if ($asset->save()) {
+            // Update the location of any child assets
+            Asset::where('assigned_type', Asset::class)
+                ->where('assigned_to', $asset->id)
+                ->update(['location_id' => $asset->location_id]);

            event(new CheckoutableCheckedIn($asset, $target, auth()->user(), $request->input('note'), $checkin_at, $originalValues));

@@ -164,4 +189,34 @@ class AssetCheckinController extends Controller
        // Redirect to the asset management page with error
        return redirect()->route('hardware.index')->with('error', trans('admin/hardware/message.checkin.error').$asset->getErrors());
    }
+
+    /**
+     * This would only be used if the target is actually hard-deleted
+     * and literally does not exist in the database anymore. This will null out the assigned_to
+     * and assigned_type fields, but will not trigger any events or do any of the other things that a
+     * normal checkin would do, since the target itself is now invalid.
+     */
+    public function forceCheckin(Asset $asset)
+    {
+
+        $this->authorize('checkin', $asset);
+
+        if (! $asset->hasOrphanedAssignment()) {
+            return redirect()->route('hardware.show', $asset->id)
+                ->with('error', trans('admin/hardware/message.checkin.force_checkin_not_orphaned'));
+        }
+
+        $asset->assigned_to = null;
+        $asset->assigned_type = null;
+
+        if ($asset->save()) {
+            $asset->logForceCheckin();
+
+            return redirect()->route('hardware.show', $asset->id)
+                ->with('success', trans('admin/hardware/message.checkin.force_checkin_orphaned_success'));
+        }
+
+        return redirect()->route('hardware.show', $asset->id)
+            ->with('error', trans('admin/hardware/message.checkin.force_checkin_error'));
+    }
 }
@@ -8,7 +8,9 @@ use App\Http\Controllers\CheckInOutRequest;
 use App\Http\Controllers\Controller;
 use App\Http\Requests\AssetCheckoutRequest;
 use App\Models\Asset;
+use App\Models\CheckoutAcceptance;
 use App\Models\Setting;
+use App\Models\User;
 use Illuminate\Contracts\View\View;
 use Illuminate\Database\Eloquent\ModelNotFoundException;
 use Illuminate\Http\RedirectResponse;
@@ -101,6 +103,10 @@ class AssetCheckoutController extends Controller
                $asset->status_id = $request->input('status_id');
            }

+            if ($request->boolean('set_not_requestable')) {
+                $asset->requestable = false;
+            }
+
            if (! empty($asset->licenseseats->all())) {
                if (request('checkout_to_type') == 'user') {
                    foreach ($asset->licenseseats as $seat) {
@@ -122,9 +128,43 @@ class AssetCheckoutController extends Controller
                }
            }

-            session()->put(['redirect_option' => $request->input('redirect_option'), 'checkout_to_type' => $request->input('checkout_to_type')]);
+            session()->put([
+                'redirect_option' => $request->input('redirect_option'),
+                'checkout_to_type' => $request->input('checkout_to_type'),
+                'sign_in_place' => $request->boolean('sign_in_place'),
+            ]);
+
+            if ($asset->checkOut($target, $admin, $checkout_at, $expected_checkin, $request->input('note'), $request->input('name'), null, $request->boolean('sign_in_place'))) {
+
+                // When sign_in_place is requested and the target is a user, redirect to the
+                // acceptance/signature page so the user can sign in person. The signature is
+                // attributed to the target user, not the admin.
+                if ($request->boolean('sign_in_place') && $target instanceof User) {
+                    $acceptance = CheckoutAcceptance::where('checkoutable_type', Asset::class)
+                        ->where('checkoutable_id', $asset->id)
+                        ->where('assigned_to_id', $target->id)
+                        ->pending()
+                        ->latest()
+                        ->first();
+
+                    // If requireAcceptance() is false the listener won't have created one; create it now.
+                    if (! $acceptance) {
+                        $acceptance = new CheckoutAcceptance;
+                        $acceptance->checkoutable()->associate($asset);
+                        $acceptance->assignedTo()->associate($target);
+                        $acceptance->save();
+                    }
+
+                    session([
+                        'sign_in_place_acceptance_id' => $acceptance->id,
+                        'sign_in_place_item_id' => $asset->id,
+                        'sign_in_place_resource_type' => 'Assets',
+                    ]);
+
+                    return redirect()->route('account.accept.item', $acceptance->id)
+                        ->with('success', trans('admin/hardware/message.checkout.success'));
+                }

-            if ($asset->checkOut($target, $admin, $checkout_at, $expected_checkin, $request->input('note'), $request->input('name'))) {
                return Helper::getRedirectOption($request, $asset->id, 'Assets')
                    ->with('success', trans('admin/hardware/message.checkout.success'));
            }
@@ -66,7 +66,8 @@ class AssetsController extends Controller
    public function index(Request $request): View
    {
        $this->authorize('index', Asset::class);
-        $company = Company::find($request->input('company_id'));
+        $companyId = $request->input('company_id');
+        $company = is_scalar($companyId) ? Company::find($companyId) : null;

        return view('hardware/index')->with('company', $company);
    }
@@ -360,8 +361,23 @@ class AssetsController extends Controller
                'url' => route('qr_code/hardware', $asset),
            ];

+            $total_maintenance_cost = $asset->maintenances?->sum('cost');
+            $total_asset_cost = ($asset->assignedAssets()?->AssetsForShow()) ? $asset->assignedAssets()?->AssetsForShow()?->sum('purchase_cost') : 0;
+            $total_license_cost = ($asset->licenses) ? $asset->licenses->sum('purchase_cost') : 0;
+            $total_accessory_cost = ($asset->accessories) ? $asset->accessories()->sum('purchase_cost') : 0;
+            $total_component_cost = ($asset->components) ? $asset->components->sum('calculated_purchase_cost') : 0;
+
+            $total_cost_for_asset = $asset->purchase_cost + $total_maintenance_cost + $total_asset_cost + $total_license_cost + $total_accessory_cost + $total_component_cost;
+
            return view('hardware/view', compact('asset', 'qr_code', 'settings'))
-                ->with('use_currency', $use_currency)->with('audit_log', $audit_log);
+                ->with('total_maintenance_cost', $total_maintenance_cost)
+                ->with('total_asset_cost', $total_asset_cost)
+                ->with('total_license_cost', $total_license_cost)
+                ->with('total_accessory_cost', $total_accessory_cost)
+                ->with('total_component_cost', $total_component_cost)
+                ->with('total_cost_for_asset', $total_cost_for_asset)
+                ->with('use_currency', $use_currency)
+                ->with('audit_log', $audit_log);
        }

        return redirect()->route('hardware.index')->with('error', trans('admin/hardware/message.does_not_exist'));
@@ -716,6 +716,10 @@ class BulkAssetsController extends Controller
                        $asset->status_id = $request->input('status_id');
                    }

+                    if ($request->boolean('set_not_requestable')) {
+                        $asset->requestable = false;
+                    }
+
                    $checkout_success = $asset->checkOut($target, $admin, $checkout_at, $expected_checkin, e($request->input('note')), $asset->name, null);

                    // TODO - I think this logic is duplicated in the checkOut method?
@@ -106,15 +106,21 @@ class LoginController extends Controller
        if ($saml->isEnabled() && ! empty($samlData)) {

            try {
+
                $user = $saml->samlLogin($samlData);
                $notValidAfter = new \Carbon\Carbon(@$samlData['assertionNotOnOrAfter']);
                if (\Carbon::now()->greaterThanOrEqualTo($notValidAfter)) {
                    abort(400, 'Expired SAML Assertion');
                }
-                if (SamlNonce::where('nonce', @$samlData['nonce'])->count() > 0) {
-                    abort(400, 'Assertion has already been used');
+                try {
+                    SamlNonce::create([
+                        'nonce' => $samlData['nonce'],
+                        'not_valid_after' => $notValidAfter,
+                    ]);
+                } catch (\Exception $e) {
+                    \Log::error($e);
+                    abort(400, 'Assertion has already been used.');
                }
-                Log::debug('okay, fine, this is a new nonce then. Good for you.');
                if (! is_null($user)) {
                    Auth::login($user);
                } else {
@@ -128,10 +134,6 @@ class LoginController extends Controller
                    $user->last_login = \Carbon::now();
                    $user->saveQuietly();
                }
-                $s = new SamlNonce;
-                $s->nonce = @$samlData['nonce'];
-                $s->not_valid_after = $notValidAfter;
-                $s->save();

            } catch (\Exception $e) {
                Log::debug('There was an error authenticating the SAML user: '.$e->getMessage());
@@ -433,7 +435,7 @@ class LoginController extends Controller
            $user->saveQuietly();
            $request->session()->put('2fa_authed', $user->id);

-            return redirect()->route('home')->with('success', trans('auth/message.signin.success'));
+            return redirect()->intended()->with('success', trans('auth/message.signin.success'));
        }

        return redirect()->route('two-factor')->with('error', trans('auth/message.two_factor.invalid_code'));
@@ -74,8 +74,7 @@ class SamlController extends Controller
    public function login(Request $request)
    {
        $auth = $this->saml->getAuth();
-        $ssoUrl = $auth->login(null, [], false, false, false, false);
-
+        $ssoUrl = $auth->login(session()->get('url.intended'), [], false, false, false, false);
        return redirect()->away($ssoUrl);
    }

@@ -96,6 +95,7 @@ class SamlController extends Controller
        $saml = $this->saml;
        $auth = $saml->getAuth();
        $saml_exception = false;
+        session()->put('url.intended', $request->post('RelayState'));
        try {
            $auth->processResponse();
        } catch (\Exception $e) {
@@ -5,6 +5,7 @@ namespace App\Http\Controllers\Consumables;
 use App\Events\CheckoutableCheckedOut;
 use App\Helpers\Helper;
 use App\Http\Controllers\Controller;
+use App\Models\CheckoutAcceptance;
 use App\Models\Consumable;
 use App\Models\User;
 use Illuminate\Auth\Access\AuthorizationException;
@@ -116,12 +117,46 @@ class ConsumableCheckoutController extends Controller
            $request->input('note'),
            [],
            $consumable->checkout_qty,
+            $request->boolean('sign_in_place'),
        ));

        $request->request->add(['checkout_to_type' => 'user']);
        $request->request->add(['assigned_user' => $user->id]);

-        session()->put(['redirect_option' => $request->input('redirect_option'), 'checkout_to_type' => $request->input('checkout_to_type')]);
+        session()->put([
+            'redirect_option' => $request->input('redirect_option'),
+            'checkout_to_type' => $request->input('checkout_to_type'),
+            'sign_in_place' => $request->boolean('sign_in_place'),
+        ]);
+
+        // When sign_in_place is requested, redirect to the acceptance/signature page
+        // so the user can sign in person. The signature is attributed to the target user.
+        if ($request->boolean('sign_in_place')) {
+            $acceptance = CheckoutAcceptance::where('checkoutable_type', Consumable::class)
+                ->where('checkoutable_id', $consumable->id)
+                ->where('assigned_to_id', $user->id)
+                ->pending()
+                ->latest()
+                ->first();
+
+            // If requireAcceptance() is false the listener won't have created one; create it now.
+            if (! $acceptance) {
+                $acceptance = new CheckoutAcceptance;
+                $acceptance->checkoutable()->associate($consumable);
+                $acceptance->assignedTo()->associate($user);
+                $acceptance->qty = $quantity;
+                $acceptance->save();
+            }
+
+            session([
+                'sign_in_place_acceptance_id' => $acceptance->id,
+                'sign_in_place_item_id' => $consumable->id,
+                'sign_in_place_resource_type' => 'Consumables',
+            ]);
+
+            return redirect()->route('account.accept.item', $acceptance->id)
+                ->with('success', trans('admin/consumables/message.checkout.success'));
+        }

        // Redirect to the new consumable page
        return Helper::getRedirectOption($request, $consumable->id, 'Consumables')
@@ -7,6 +7,7 @@ use App\Helpers\Helper;
 use App\Http\Controllers\Controller;
 use App\Http\Requests\LicenseCheckoutRequest;
 use App\Models\Asset;
+use App\Models\CheckoutAcceptance;
 use App\Models\License;
 use App\Models\LicenseSeat;
 use App\Models\User;
@@ -101,17 +102,53 @@ class LicenseCheckoutController extends Controller
            session()->put(['checkout_to_type' => 'asset']);
            $checkoutTarget = $this->checkoutToAsset($licenseSeat);
            $request->request->add(['assigned_asset' => $checkoutTarget->id]);
-            session()->put(['redirect_option' => $request->input('redirect_option'), 'checkout_to_type' => 'asset']);
+            session()->put([
+                'redirect_option' => $request->input('redirect_option'),
+                'checkout_to_type' => 'asset',
+                'sign_in_place' => $request->boolean('sign_in_place'),
+            ]);

        } elseif ($request->filled('assigned_to')) {
            session()->put(['checkout_to_type' => 'user']);
            $checkoutTarget = $this->checkoutToUser($licenseSeat);
            $request->request->add(['assigned_user' => $checkoutTarget->id]);
-            session()->put(['redirect_option' => $request->input('redirect_option'), 'checkout_to_type' => 'user']);
+            session()->put([
+                'redirect_option' => $request->input('redirect_option'),
+                'checkout_to_type' => 'user',
+                'sign_in_place' => $request->boolean('sign_in_place'),
+            ]);
        }

        if ($checkoutTarget) {

+            // When sign_in_place is requested and the target is a user, redirect to the
+            // acceptance/signature page so the user can sign in person.
+            if ($request->boolean('sign_in_place') && $checkoutTarget instanceof User) {
+                $acceptance = CheckoutAcceptance::where('checkoutable_type', LicenseSeat::class)
+                    ->where('checkoutable_id', $licenseSeat->id)
+                    ->where('assigned_to_id', $checkoutTarget->id)
+                    ->pending()
+                    ->latest()
+                    ->first();
+
+                // If requireAcceptance() is false the listener won't have created one; create it now.
+                if (! $acceptance) {
+                    $acceptance = new CheckoutAcceptance;
+                    $acceptance->checkoutable()->associate($licenseSeat);
+                    $acceptance->assignedTo()->associate($checkoutTarget);
+                    $acceptance->save();
+                }
+
+                session([
+                    'sign_in_place_acceptance_id' => $acceptance->id,
+                    'sign_in_place_item_id' => $license->id,
+                    'sign_in_place_resource_type' => 'Licenses',
+                ]);
+
+                return redirect()->route('account.accept.item', $acceptance->id)
+                    ->with('success', trans('admin/licenses/message.checkout.success'));
+            }
+
            return Helper::getRedirectOption($request, $license->id, 'Licenses')
                ->with('success', trans('admin/licenses/message.checkout.success'));
        }
@@ -150,7 +187,7 @@ class LicenseCheckoutController extends Controller
            $licenseSeat->assigned_to = $target->assigned_to;
        }
        if ($licenseSeat->save()) {
-            event(new CheckoutableCheckedOut($licenseSeat, $target, auth()->user(), request('notes')));
+            event(new CheckoutableCheckedOut($licenseSeat, $target, auth()->user(), request('notes'), [], 1, request()->boolean('sign_in_place')));

            return $target;
        }
@@ -167,7 +204,7 @@ class LicenseCheckoutController extends Controller
        $licenseSeat->assigned_to = request('assigned_to');

        if ($licenseSeat->save()) {
-            event(new CheckoutableCheckedOut($licenseSeat, $target, auth()->user(), request('notes')));
+            event(new CheckoutableCheckedOut($licenseSeat, $target, auth()->user(), request('notes'), [], 1, request()->boolean('sign_in_place')));

            return $target;
        }
@@ -3,12 +3,15 @@
 namespace App\Http\Controllers;

 use App\Http\Requests\ImageUploadRequest;
+use App\Http\Requests\UploadFileRequest;
 use App\Models\Asset;
 use App\Models\Maintenance;
 use Carbon\Carbon;
 use Illuminate\Contracts\View\View;
 use Illuminate\Http\RedirectResponse;
 use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Storage;
+use Illuminate\Support\Facades\Validator;

 /**
 * This controller handles all actions related to Asset Maintenance for
@@ -72,6 +75,7 @@ class MaintenancesController extends Controller
    public function store(ImageUploadRequest $request): RedirectResponse
    {
        $this->authorize('update', Asset::class);
+        $this->validateUploadedFiles($request);

        $assets = Asset::whereIn('id', $request->input('selected_assets'))->get();

@@ -102,12 +106,14 @@ class MaintenancesController extends Controller
                $maintenance->asset_maintenance_time = (int) $completionDate->diffInDays($startDate, true);
            }

-            $maintenance = $request->handleImages($maintenance);
+            $request->handleImages($maintenance);

            // Was the asset maintenance created?
            if (! $maintenance->save()) {
                return redirect()->back()->withInput()->withErrors($maintenance->getErrors());
            }
+
+            $this->storeUploadedFiles($request, $maintenance);
        }

        return redirect()->route('maintenances.index')
@@ -156,6 +162,7 @@ class MaintenancesController extends Controller
    {
        $this->authorize('update', Asset::class);
        $this->authorize('update', $maintenance->asset);
+        $this->validateUploadedFiles($request);

        $maintenance->supplier_id = $request->input('supplier_id');
        $maintenance->is_warranty = $request->input('is_warranty', 0);
@@ -184,9 +191,11 @@ class MaintenancesController extends Controller
            $completionDate = Carbon::parse($maintenance->completion_date);
            $maintenance->asset_maintenance_time = (int) $completionDate->diffInDays($startDate, true);
        }
-        $maintenance = $request->handleImages($maintenance);
+        $request->handleImages($maintenance);

        if ($maintenance->save()) {
+            $this->storeUploadedFiles($request, $maintenance);
+
            return redirect()->route('maintenances.index')
                ->with('success', trans('admin/maintenances/message.edit.success'));
        }
@@ -194,6 +203,56 @@ class MaintenancesController extends Controller
        return redirect()->back()->withInput()->withErrors($maintenance->getErrors());
    }

+    /**
+     * Stores any generic file uploads submitted from the maintenance form.
+     */
+    private function storeUploadedFiles(ImageUploadRequest $request, Maintenance $maintenance): void
+    {
+        if (! $request->hasFile('file')) {
+            return;
+        }
+
+        $objectType = 'maintenances';
+        $storagePath = self::$map_storage_path[$objectType];
+
+        if (! Storage::exists($storagePath)) {
+            Storage::makeDirectory($storagePath, 775);
+        }
+
+        $uploadFileRequest = app(UploadFileRequest::class);
+
+        foreach ((array) $request->file('file') as $file) {
+            if (! $file) {
+                continue;
+            }
+
+            $fileName = $uploadFileRequest->handleFile(
+                $storagePath,
+                self::$map_file_prefix[$objectType].'-'.$maintenance->id,
+                $file
+            );
+
+            $maintenance->logUpload($fileName, $request->input('file_notes'));
+        }
+    }
+
+    /**
+     * Validate generic file uploads with the shared UploadFileRequest rules.
+     */
+    private function validateUploadedFiles(ImageUploadRequest $request): void
+    {
+        if (! $request->hasFile('file')) {
+            return;
+        }
+
+        $uploadFileRequest = app(UploadFileRequest::class);
+
+        Validator::make(
+            array_merge($request->all(), ['file' => $request->file('file')]),
+            $uploadFileRequest->rules()
+        )->validate();
+    }
+
    /**
     *  Delete an asset maintenance
     *
@@ -251,6 +251,7 @@ class ProfileController extends Controller

    public function getStoredEula($filename): Response|BinaryFileResponse|RedirectResponse
    {
+        $filename = basename((string) $filename);

        $logentry = Actionlog::where('filename', $filename)->first();

@@ -32,6 +32,7 @@ use Illuminate\Http\RedirectResponse;
 use Illuminate\Http\Request;
 use Illuminate\Http\Response;
 use Illuminate\Mail\Mailable;
+use Illuminate\Support\Facades\Gate;
 use Illuminate\Support\Facades\Log;
 use Illuminate\Support\Facades\Mail;
 use League\Csv\EscapeFormula;
@@ -797,6 +798,14 @@ class ReportsController extends Controller
                $assets->onlyTrashed();
            }

+            if ($request->input('assignment_status') === 'assigned') {
+                $assets->whereNotNull('assets.assigned_to');
+            }
+
+            if ($request->input('assignment_status') === 'unassigned') {
+                $assets->whereNull('assets.assigned_to');
+            }
+
            $assets->orderBy('assets.id', 'ASC')->chunk(500, function ($assets) use ($handle, $customfields, $request) {

                $executionTime = microtime(true) - $_SERVER['REQUEST_TIME_FLOAT'];
@@ -917,7 +926,7 @@ class ReportsController extends Controller

                    if ($request->filled('user_company')) {
                        if ($asset->checkedOutToUser()) {
-                            $row[] = ($asset->assignedto->company) ? $asset->assignedto->company->display_name : '';
+                            $row[] = ($asset->assignedto?->company) ? $asset->assignedto?->company?->display_name : '';
                        } else {
                            $row[] = ''; // Empty string if unassigned
                        }
@@ -1070,7 +1079,13 @@ class ReportsController extends Controller
                    foreach ($customfields as $customfield) {
                        $column_name = $customfield->db_column_name();
                        if ($request->filled($customfield->db_column_name())) {
-                            $row[] = $asset->$column_name;
+                            $value = $asset->$column_name;
+
+                            if (($customfield->field_encrypted == '1') && Gate::allows('assets.view.encrypted_custom_fields')) {
+                                $value = Helper::gracefulDecrypt($customfield, $value);
+                            }
+
+                            $row[] = $value;
                        }
                    }

@@ -2,6 +2,7 @@

 namespace App\Http\Controllers;

+use App\Enums\ActionType;
 use App\Helpers\Helper;
 use App\Helpers\StorageHelper;
 use App\Http\Requests\ImageUploadRequest;
@@ -11,6 +12,7 @@ use App\Http\Requests\StoreLdapSettings;
 use App\Http\Requests\StoreLocalizationSettings;
 use App\Http\Requests\StoreNotificationSettings;
 use App\Http\Requests\StoreSecuritySettings;
+use App\Models\Actionlog;
 use App\Models\Asset;
 use App\Models\CustomField;
 use App\Models\Group;
@@ -870,6 +872,11 @@ class SettingsController extends Controller
    public function downloadFile($filename = null): RedirectResponse|BinaryFileResponse
    {
        $path = 'app/backups';
+        $filename = basename((string) $filename);
+
+        if ($this->hasInvalidBackupFilename($filename)) {
+            return redirect()->route('settings.backups.index')->with('error', trans('admin/settings/message.backup.file_not_found'));
+        }

        if (! config('app.lock_passwords')) {
            if (Storage::exists($path.'/'.$filename)) {
@@ -895,6 +902,12 @@ class SettingsController extends Controller
     */
    public function deleteFile($filename = null): RedirectResponse
    {
+        $filename = basename((string) $filename);
+
+        if ($this->hasInvalidBackupFilename($filename)) {
+            return redirect()->route('settings.backups.index')->with('error', trans('admin/settings/message.backup.file_not_found'));
+        }
+
        if (config('app.allow_backup_delete') == 'true') {

            if (! config('app.lock_passwords')) {
@@ -969,6 +982,11 @@ class SettingsController extends Controller
     */
    public function postRestore(Request $request, $filename = null): RedirectResponse
    {
+        $filename = basename((string) $filename);
+
+        if ($this->hasInvalidBackupFilename($filename)) {
+            return redirect()->route('settings.backups.index')->with('error', trans('admin/settings/message.backup.file_not_found'));
+        }

        if (! config('app.lock_passwords')) {
            $path = 'app/backups';
@@ -1118,7 +1136,86 @@ class SettingsController extends Controller
     */
    public function api(): View
    {
-        return view('settings.api');
+        $personalAccessTokenCount = DB::table('oauth_access_tokens')
+            ->join('oauth_clients', 'oauth_access_tokens.client_id', '=', 'oauth_clients.id')
+            ->where('oauth_clients.personal_access_client', true)
+            ->count();
+
+        return view('settings.api', [
+            'personalAccessTokenCount' => $personalAccessTokenCount,
+        ]);
+    }
+
+    /**
+     * Revoke a personal access token from the admin OAuth settings page.
+     */
+    public function revokePersonalAccessToken(string $token): RedirectResponse
+    {
+        $tokenRow = DB::table('oauth_access_tokens')
+            ->join('oauth_clients', 'oauth_access_tokens.client_id', '=', 'oauth_clients.id')
+            ->where('oauth_access_tokens.id', $token)
+            ->where('oauth_clients.personal_access_client', true)
+            ->select(['oauth_access_tokens.id', 'oauth_access_tokens.user_id'])
+            ->first();
+
+        if ($tokenRow === null) {
+            return redirect()
+                ->to(route('settings.oauth.index').'#personal-access-tokens')
+                ->with('error', trans('admin/settings/message.oauth.token_not_found'));
+        }
+
+        DB::table('oauth_access_tokens')
+            ->where('id', $tokenRow->id)
+            ->update(['revoked' => true]);
+
+        $logaction = new Actionlog;
+        $logaction->item_type = User::class;
+        $logaction->item_id = $tokenRow->user_id;
+        $logaction->target_type = User::class;
+        $logaction->target_id = $tokenRow->user_id;
+        $logaction->created_by = auth()->id();
+        // $logaction->note = 'Token ID: ' . $tokenRow->id;
+        $logaction->logaction(ActionType::TokenRevoked);
+
+        return redirect()
+            ->to(route('settings.oauth.index').'#personal-access-tokens')
+            ->with('success', trans('admin/settings/message.oauth.token_revoked'));
+    }
+
+    /**
+     * Unrevoke a personal access token from the admin OAuth settings page.
+     */
+    public function unrevokePersonalAccessToken(string $token): RedirectResponse
+    {
+        $tokenRow = DB::table('oauth_access_tokens')
+            ->join('oauth_clients', 'oauth_access_tokens.client_id', '=', 'oauth_clients.id')
+            ->where('oauth_access_tokens.id', $token)
+            ->where('oauth_clients.personal_access_client', true)
+            ->select(['oauth_access_tokens.id', 'oauth_access_tokens.user_id'])
+            ->first();
+
+        if ($tokenRow === null) {
+            return redirect()
+                ->to(route('settings.oauth.index').'#personal-access-tokens')
+                ->with('error', trans('admin/settings/message.oauth.token_not_found'));
+        }
+
+        DB::table('oauth_access_tokens')
+            ->where('id', $tokenRow->id)
+            ->update(['revoked' => false]);
+
+        $logaction = new Actionlog;
+        $logaction->item_type = User::class;
+        $logaction->item_id = $tokenRow->user_id;
+        $logaction->target_type = User::class;
+        $logaction->target_id = $tokenRow->user_id;
+        $logaction->created_by = auth()->id();
+        // $logaction->note = 'Token ID: ' . $tokenRow->id;
+        $logaction->logaction(ActionType::TokenUnrevoked);
+
+        return redirect()
+            ->to(route('settings.oauth.index').'#personal-access-tokens')
+            ->with('success', trans('admin/settings/message.oauth.token_unrevoked'));
    }

    /**
@@ -1155,4 +1252,62 @@ class SettingsController extends Controller
    {
        return view('settings.logins');
    }
+
+    /**
+     * Revoke an OAuth client from the admin OAuth settings page.
+     */
+    public function revokeOAuthClient(string $client): RedirectResponse
+    {
+        $oauthClient = DB::table('oauth_clients')
+            ->where('id', $client)
+            ->first();
+
+        if ($oauthClient === null) {
+            return redirect()
+                ->to(route('settings.oauth.index').'#oauth-clients')
+                ->with('error', trans('admin/settings/message.oauth.client_not_found'));
+        }
+
+        DB::table('oauth_clients')
+            ->where('id', $client)
+            ->update(['revoked' => true]);
+
+        return redirect()
+            ->to(route('settings.oauth.index').'#oauth-clients')
+            ->with('success', trans('admin/settings/message.oauth.client_revoked'));
+    }
+
+    /**
+     * Unrevoke an OAuth client from the admin OAuth settings page.
+     */
+    public function unrevokeOAuthClient(string $client): RedirectResponse
+    {
+        $oauthClient = DB::table('oauth_clients')
+            ->where('id', $client)
+            ->first();
+
+        if ($oauthClient === null) {
+            return redirect()
+                ->to(route('settings.oauth.index').'#oauth-clients')
+                ->with('error', trans('admin/settings/message.oauth.client_not_found'));
+        }
+
+        DB::table('oauth_clients')
+            ->where('id', $client)
+            ->update(['revoked' => false]);
+
+        return redirect()
+            ->to(route('settings.oauth.index').'#oauth-clients')
+            ->with('success', trans('admin/settings/message.oauth.client_unrevoked'));
+    }
+
+    private function hasInvalidBackupFilename(string $filename): bool
+    {
+        if ($filename === '' || $filename === '.' || $filename === '..') {
+            return true;
+        }
+
+        // Reject path separators in case a crafted value survives route decoding.
+        return str_contains($filename, '/') || str_contains($filename, '\\');
+    }
 }
@@ -17,13 +17,17 @@ class StorageProxyController extends Controller
     */
    public function show(string $path): Response|StreamedResponse
    {
+        if ($this->hasPathTraversalSegments($path)) {
+            abort(404);
+        }
+
        $disk = Storage::disk('public');

        // The S3 adapter includes the disk's root prefix in generated URLs,
        // but Flysystem also prepends it internally on every operation.
        // Strip it here to avoid double-prefixing.
        $root = trim(config('filesystems.disks.public.root', ''), '/');
-        if ($root !== '' && str_starts_with($path, $root . '/')) {
+        if ($root !== '' && str_starts_with($path, $root.'/')) {
            $path = substr($path, strlen($root) + 1);
        }

@@ -33,12 +37,12 @@ class StorageProxyController extends Controller

        $mimeType = $disk->mimeType($path) ?: 'application/octet-stream';
        $lastModified = $disk->lastModified($path);
-        $etag = md5($path . $lastModified);
+        $etag = md5($path.$lastModified);
        $size = $disk->size($path);

        if ($this->isNotModified($etag, $lastModified)) {
            return response('', 304)
-                ->header('ETag', '"' . $etag . '"')
+                ->header('ETag', '"'.$etag.'"')
                ->header('Cache-Control', 'public, max-age=86400');
        }

@@ -51,8 +55,8 @@ class StorageProxyController extends Controller
        }, 200, [
            'Content-Type' => $mimeType,
            'Content-Length' => $size,
-            'ETag' => '"' . $etag . '"',
-            'Last-Modified' => gmdate('D, d M Y H:i:s', $lastModified) . ' GMT',
+            'ETag' => '"'.$etag.'"',
+            'Last-Modified' => gmdate('D, d M Y H:i:s', $lastModified).' GMT',
            'Cache-Control' => 'public, max-age=86400',
        ]);
    }
@@ -60,7 +64,7 @@ class StorageProxyController extends Controller
    private function isNotModified(string $etag, int $lastModified): bool
    {
        $requestEtag = request()->header('If-None-Match');
-        if ($requestEtag && $requestEtag === '"' . $etag . '"') {
+        if ($requestEtag && $requestEtag === '"'.$etag.'"') {
            return true;
        }

@@ -71,4 +75,16 @@ class StorageProxyController extends Controller

        return false;
    }
+
+    private function hasPathTraversalSegments(string $path): bool
+    {
+        $normalizedPath = str_replace('\\', '/', $path);
+
+        return str_contains($normalizedPath, "\0")
+            || str_starts_with($normalizedPath, '/')
+            || str_contains($normalizedPath, '../')
+            || str_contains($normalizedPath, '/..')
+            || str_ends_with($normalizedPath, '/..')
+            || $normalizedPath === '..';
+    }
 }
@@ -362,7 +362,9 @@ class BulkUsersController extends Controller
            $logAction->target_id = $item->assigned_to;
            $logAction->target_type = User::class;
            $logAction->created_by = auth()->id();
-            $logAction->note = 'Bulk checkin items';
+            $logAction->action_date = now();
+            $logAction->created_at = now();
+            $logAction->note = 'Bulk checkin items on user bulk edit/delete';
            $logAction->logaction('checkin from');
        }
    }
@@ -376,7 +378,9 @@ class BulkUsersController extends Controller
            $logAction->target_id = $accessoryUserRow->assigned_to;
            $logAction->target_type = User::class;
            $logAction->created_by = auth()->id();
-            $logAction->note = 'Bulk checkin items';
+            $logAction->created_at = now();
+            $logAction->action_date = now();
+            $logAction->note = 'Bulk checkin accessory on user bulk edit/delete';
            $logAction->logaction('checkin from');
        }
    }
@@ -9,8 +9,10 @@ use App\Http\Controllers\Controller;
 use App\Http\Requests\DeleteUserRequest;
 use App\Http\Requests\ImageUploadRequest;
 use App\Http\Requests\SaveUserRequest;
+use App\Mail\UnacceptedAssetReminderMail;
 use App\Models\Actionlog;
 use App\Models\Asset;
+use App\Models\CheckoutAcceptance;
 use App\Models\Company;
 use App\Models\Group;
 use App\Models\Setting;
@@ -22,6 +24,7 @@ use Illuminate\Contracts\View\View;
 use Illuminate\Http\RedirectResponse;
 use Illuminate\Http\Request;
 use Illuminate\Support\Facades\Log;
+use Illuminate\Support\Facades\Mail;
 use Illuminate\Support\Facades\Password;
 use Symfony\Component\HttpFoundation\StreamedResponse;

@@ -436,6 +439,7 @@ class UsersController extends Controller
            'accessories',
            'licenses',
            'userloc',
+            'groups',
        ])
            ->withTrashed()
            ->find($user->id);
@@ -446,6 +450,7 @@ class UsersController extends Controller
        return view('users/view', [
            'user' => $user,
            'settings' => Setting::getSettings(),
+            'effectivePermissionsBySection' => $user->getEffectivePermissionsBySection(),
        ]);
    }

@@ -700,6 +705,48 @@ class UsersController extends Controller

    }

+    /**
+     * Resend pending acceptance reminder email for a specific user.
+     */
+    public function resendAcceptanceReminder(User $user): RedirectResponse
+    {
+        $this->authorize('view', $user);
+
+        if (empty($user->email)) {
+            return redirect()->back()->with('error', trans('admin/users/message.user_has_no_email'));
+        }
+
+        if ($user->activated == '0') {
+            return redirect()->back()->with('error', trans('admin/users/message.not_activated'));
+        }
+
+        $pendingItems = $user->getAssignedItemsWithPendingAcceptance();
+
+        if ($pendingItems->isEmpty()) {
+            return redirect()->back()->with('warning', trans('admin/users/message.error.no_pending_acceptances'));
+        }
+
+        $firstAcceptance = CheckoutAcceptance::query()
+            ->forUser($user)
+            ->pending()
+            ->with('assignedTo')
+            ->first();
+
+        if (! $firstAcceptance) {
+            return redirect()->back()->with('warning', trans('admin/users/message.error.no_pending_acceptances'));
+        }
+
+        $mailable = new UnacceptedAssetReminderMail($firstAcceptance, $pendingItems->count());
+
+        if (! empty($user->locale)) {
+            $mailable->locale($user->locale);
+        }
+
+        Mail::to($user->email)->send($mailable);
+
+        return redirect()->back()->with('success', trans_choice('admin/users/message.success.acceptance_reminder_sent', $pendingItems->count(), ['count' => $pendingItems->count()]));
+    }
+
    /**
     * Send individual password reset email
     *
@@ -11,6 +11,7 @@ use App\Http\Middleware\CheckLocale;
 use App\Http\Middleware\CheckPermissions;
 use App\Http\Middleware\CheckUserIsActivated;
 use App\Http\Middleware\EncryptCookies;
+use App\Http\Middleware\LogAuthedUserHeader;
 use App\Http\Middleware\NoSessionStore;
 use App\Http\Middleware\PreventBackHistory;
 use App\Http\Middleware\RedirectIfAuthenticated;
@@ -82,6 +83,7 @@ class Kernel extends HttpKernel
        'api' => [
            'auth:api',
            CheckLocale::class,
+            LogAuthedUserHeader::class,
            SubstituteBindings::class,
        ],

@@ -46,6 +46,7 @@ class CheckForTwoFactor
                    return $next($request);
                }

+                redirect()->setIntendedUrl(url()->full()); // save the 'current' URL so we can send the user back to it?
                // Otherwise make sure they're enrolled and show them the 2FA code screen
                if ((auth()->user()->two_factor_secret != '') && (auth()->user()->two_factor_enrolled == '1')) {
                    return redirect()->route('two-factor')->with('info', trans('auth/message.two_factor.enter_two_factor_code'));
@@ -0,0 +1,29 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use Closure;
+use Illuminate\Http\Request;
+
+class LogAuthedUserHeader
+{
+    /**
+     * Handle an incoming request.
+     *
+     * @param  Request  $request
+     * @return mixed
+     */
+    public function handle($request, Closure $next)
+    {
+
+        $response = $next($request);
+
+        if ((config('app.authorized_user_header') === true) && ($request->bearerToken() != '')) {
+            $response->headers->set('X-API-User-ID', auth()?->id());
+            $response->headers->set('X-API-Token-Name', $request->user()?->token()?->name);
+            $response->headers->set('X-API-Token-ID', $request->user()?->token()?->id);
+        }
+
+        return $response;
+    }
+}
@@ -25,7 +25,9 @@ class AssetCheckinRequest extends Request
    {
        $settings = Setting::getSettings();

-        $rules = [];
+        $rules = [
+            'set_requestable' => 'nullable|boolean',
+        ];

        if ($settings->require_checkinout_notes) {
            $rules['note'] = 'string|required';
@@ -39,6 +39,8 @@ class AssetCheckoutRequest extends Request
                'nullable',
                'date',
            ],
+            'requestable' => 'nullable|boolean',
+            'set_not_requestable' => 'nullable|boolean',
        ];

        if ($settings->require_checkinout_notes) {
@@ -29,6 +29,7 @@ class CustomAssetReportRequest extends Request
    public function rules()
    {
        return [
+            'assignment_status' => 'nullable|in:all,assigned,unassigned',
            'purchase_start' => 'date|date_format:Y-m-d|nullable',
            'purchase_end' => 'date|date_format:Y-m-d|nullable',
            'purchase_cost_end' => 'numeric|nullable|gte:purchase_cost_start',
@@ -57,6 +57,7 @@ class ImageUploadRequest extends Request
         * had it once to allow encoded image uploads.
         */
        return [
+            'avatar' => 'auto',
            'image' => 'auto',
            'image_source' => 'auto',
        ];
@@ -192,8 +192,8 @@ class AssetsTransformer
                        'pivot_id' => $component->pivot->id,
                        'name' => e($component->name),
                        'qty' => $component->pivot->assigned_qty,
-                        'price_cost' => $component->purchase_cost,
-                        'purchase_total' => $component->purchase_cost * $component->pivot->assigned_qty,
+                        'purchase_cost' => $component->purchase_cost,
+                        'purchase_total' => $component->calculated_purchase_cost,
                        'checkout_date' => Helper::getFormattedDateObject($component->pivot->created_at, 'datetime'),

                    ];
@@ -403,9 +403,10 @@ class AssetsTransformer
            $array[] = [
                'assigned_pivot_id' => $component_checkout->id,
                'name' => [
-                    'id' => $component_checkout->component->id,
-                    'name' => e($component_checkout->component->display_name),
+                    'id' => $component_checkout->component?->id,
+                    'name' => e($component_checkout->component?->display_name),
                    'type' => 'component',
+                    'deleted_at' => $component_checkout->component?->deleted_at,
                ],
                'assigned_qty' => $component_checkout->assigned_qty,
                'note' => ($component_checkout->note) ? e($component_checkout->note) : null,
@@ -414,7 +415,10 @@ class AssetsTransformer
                    'id' => (int) $component_checkout->adminuser->id,
                    'name' => e($component_checkout->adminuser->display_name),
                ] : null,
-                'available_actions' => ['checkin' => Gate::allows('checkin', Component::class)],
+                'available_actions' => [
+                    'checkin' => (($component_checkout->component?->deleted_at == '') && Gate::allows('checkin', Component::class)),
+                    'view' => (($component_checkout->component?->deleted_at == '') && Gate::allows('view', Component::class)),
+                ],
            ];
        }

@@ -51,7 +51,7 @@ class CategoriesTransformer
                'name' => e($category->name),
                'image' => ($category->image) ? Storage::disk('public')->url('categories/'.e($category->image)) : null,
                'category_type' => Helper::categoryTypeList($category->category_type),
-                'has_eula' => ($category->getEula() ? true : false),
+                'has_eula' => ($category->eula_text) ? true : false,
                'use_default_eula' => ($category->use_default_eula == '1' ? true : false),
                'eula' => ($category->getEula()),
                'checkin_email' => ($category->checkin_email == '1'),
@@ -6,6 +6,7 @@ use App\Helpers\Helper;
 use App\Helpers\StorageHelper;
 use App\Models\Actionlog;
 use Illuminate\Database\Eloquent\Collection;
+use Illuminate\Database\Eloquent\SoftDeletes;
 use Illuminate\Support\Facades\Gate;
 use Illuminate\Support\Facades\Storage;

@@ -24,6 +25,17 @@ class UploadedFilesTransformer
    public function transformFile(Actionlog $file)
    {
        $snipeModel = $file->item_type;
+        $item = null;
+
+        if (is_string($snipeModel) && class_exists($snipeModel)) {
+            $itemQuery = $snipeModel::query();
+
+            if (in_array(SoftDeletes::class, class_uses_recursive($snipeModel), true)) {
+                $itemQuery->withTrashed();
+            }
+
+            $item = $itemQuery->find($file->item_id);
+        }

        $array = [
            'id' => (int) $file->id,
@@ -49,7 +61,7 @@ class UploadedFilesTransformer
        ];

        $permissions_array['available_actions'] = [
-            'delete' => (Gate::allows('update', $snipeModel) && ($file->deleted_at == '')),
+            'delete' => (Gate::allows('update', $item ?? $snipeModel) && ($file->deleted_at == '')),
        ];

        $array += $permissions_array;
@@ -34,12 +34,14 @@ use App\Notifications\CheckoutLicenseSeatNotification;
 use Exception;
 use GuzzleHttp\Exception\ClientException;
 use Illuminate\Database\Eloquent\Model;
+use Illuminate\Notifications\Notification as BaseNotification;
 use Illuminate\Support\Facades\Context;
 use Illuminate\Support\Facades\Log;
 use Illuminate\Support\Facades\Mail;
 use Illuminate\Support\Facades\Notification;
 use Illuminate\Support\Str;
 use Osama\LaravelTeamsNotification\TeamsNotification;
+
 class CheckoutableListener
 {
    private array $skipNotificationsFor = [
@@ -80,6 +82,11 @@ class CheckoutableListener
        $shouldSendEmailToAlertAddress = $this->shouldSendEmailToAlertAddress($acceptance);
        $shouldSendWebhookNotification = $this->shouldSendWebhookNotification();

+        if ($this->shouldSkipInitialAcceptanceEmail($event, $acceptance)) {
+            $shouldSendEmailToUser = false;
+            $shouldSendEmailToAlertAddress = false;
+        }
+
        if (! $shouldSendEmailToUser && ! $shouldSendEmailToAlertAddress && ! $shouldSendWebhookNotification) {
            return;
        }
@@ -120,12 +127,12 @@ class CheckoutableListener
        if ($shouldSendWebhookNotification) {
            try {
                if ($this->newMicrosoftTeamsWebhookEnabled()) {
-                    $message = $this->getCheckoutNotification($event)->toMicrosoftTeams();
+                    $message = $this->getCheckoutNotification($event, $acceptance, true)->toMicrosoftTeams();
                    $notification = new TeamsNotification(Setting::getSettings()->webhook_endpoint);
                    $notification->success()->sendMessage($message[0], $message[1]);  // Send the message to Microsoft Teams
                } else {
                    Notification::route($this->webhookSelected(), Setting::getSettings()->webhook_endpoint)
-                        ->notify($this->getCheckoutNotification($event, $acceptance));
+                        ->notify($this->getCheckoutNotification($event, $acceptance, true));
                }
            } catch (ClientException $e) {
                $status = $e->getResponse()->getStatusCode();
@@ -227,12 +234,12 @@ class CheckoutableListener
            // Send Webhook notification
            try {
                if ($this->newMicrosoftTeamsWebhookEnabled()) {
-                    $message = $this->getCheckinNotification($event)->toMicrosoftTeams();
+                    $message = $this->getCheckinNotification($event, true)->toMicrosoftTeams();
                    $notification = new TeamsNotification(Setting::getSettings()->webhook_endpoint);
                    $notification->success()->sendMessage($message[0], $message[1]); // Send the message to Microsoft Teams
                } else {
                    Notification::route($this->webhookSelected(), Setting::getSettings()->webhook_endpoint)
-                        ->notify($this->getCheckinNotification($event));
+                        ->notify($this->getCheckinNotification($event, true));
                }
            } catch (ClientException $e) {
                $status = $e->getResponse()->getStatusCode();
@@ -306,12 +313,12 @@ class CheckoutableListener
     * @param  CheckoutableCheckedIn  $event
     * @return Notification
     */
-    private function getCheckinNotification($event)
+    private function getCheckinNotification($event, bool $refreshCheckoutable = false): BaseNotification
    {
-
        $notificationClass = null;
+        $checkoutable = $this->getCheckoutableForNotification($event->checkoutable, $refreshCheckoutable);

-        switch (get_class($event->checkoutable)) {
+        switch (get_class($checkoutable)) {
            case Accessory::class:
                $notificationClass = CheckinAccessoryNotification::class;
                break;
@@ -328,7 +335,7 @@ class CheckoutableListener

        Log::debug('Notification class: '.$notificationClass);

-        return new $notificationClass($event->checkoutable, $event->checkedOutTo, $event->checkedInBy, $event->note);
+        return new $notificationClass($checkoutable, $event->checkedOutTo, $event->checkedInBy, $event->note);
    }

    /**
@@ -338,11 +345,12 @@ class CheckoutableListener
     * @param  CheckoutAcceptance|null  $acceptance
     * @return Notification
     */
-    private function getCheckoutNotification($event, $acceptance = null)
+    private function getCheckoutNotification($event, $acceptance = null, bool $refreshCheckoutable = false): BaseNotification
    {
        $notificationClass = null;
+        $checkoutable = $this->getCheckoutableForNotification($event->checkoutable, $refreshCheckoutable);

-        switch (get_class($event->checkoutable)) {
+        switch (get_class($checkoutable)) {
            case Accessory::class:
                $notificationClass = CheckoutAccessoryNotification::class;
                break;
@@ -360,7 +368,16 @@ class CheckoutableListener
                break;
        }

-        return new $notificationClass($event->checkoutable, $event->checkedOutTo, $event->checkedOutBy, $acceptance, $event->note);
+        return new $notificationClass($checkoutable, $event->checkedOutTo, $event->checkedOutBy, $acceptance, $event->note);
+    }
+
+    private function getCheckoutableForNotification(Model $checkoutable, bool $shouldRefresh): Model
+    {
+        if (! $shouldRefresh) {
+            return $checkoutable;
+        }
+
+        return $checkoutable->fresh() ?? $checkoutable;
    }

    private function getCheckoutMailType($event, $acceptance)
@@ -480,6 +497,15 @@ class CheckoutableListener
        return false;
    }

+    private function shouldSkipInitialAcceptanceEmail(CheckoutableCheckedOut $event, ?CheckoutAcceptance $acceptance): bool
+    {
+        if (! $event->signInPlace) {
+            return false;
+        }
+
+        return ($acceptance instanceof CheckoutAcceptance) || ! empty($event->checkoutable->getEula());
+    }
+
    private function shouldSendEmailToAlertAddress($acceptance = null): bool
    {
        if (Context::get('action') === 'bulk_asset_checkout') {
@@ -135,14 +135,18 @@ class CheckoutablesCheckedOutInBulkListener
        return false;
    }

-    private function getNotifiableUser(CheckoutablesCheckedOutInBulk $event): ?Model
+    private function getNotifiableUser(CheckoutablesCheckedOutInBulk $event): ?User
    {
        $target = $event->target;

        if ($target instanceof Asset) {
            $target->load('assignedTo');

-            return $target->assignedto;
+            if ($target->assigned instanceof User) {
+                return $target->assigned;
+            }
+
+            return null;
        }

        if ($target instanceof Location) {
@@ -0,0 +1,40 @@
+<?php
+
+namespace App\Livewire;
+
+use Illuminate\Support\Facades\DB;
+use Livewire\Component;
+
+/**
+ * Livewire component for the admin-facing User API Tokens (Personal Access Tokens) table.
+ * Displays all personal access tokens across all users, used on the Settings > OAuth page.
+ */
+class AdminPersonalAccessTokens extends Component
+{
+    public function render()
+    {
+        $tokens = DB::table('oauth_access_tokens')
+            ->join('oauth_clients', 'oauth_access_tokens.client_id', '=', 'oauth_clients.id')
+            ->leftJoin('users', 'oauth_access_tokens.user_id', '=', 'users.id')
+            ->where('oauth_clients.personal_access_client', true)
+            ->select([
+                'oauth_access_tokens.id',
+                'oauth_access_tokens.name',
+                'oauth_access_tokens.revoked',
+                'oauth_access_tokens.created_at',
+                'oauth_access_tokens.expires_at',
+                'oauth_access_tokens.user_id as token_user_id',
+                'oauth_clients.name as client_name',
+                'users.id as existing_user_id',
+                'users.username as username',
+                'users.display_name as display_name',
+                'users.deleted_at as user_deleted_at',
+            ])
+            ->orderByDesc('oauth_access_tokens.created_at')
+            ->get();
+
+        return view('livewire.admin-personal-access-tokens', [
+            'tokens' => $tokens,
+        ]);
+    }
+}
@@ -2,6 +2,7 @@

 namespace App\Livewire;

+use App\Models\Setting;
 use Livewire\Attributes\Computed;
 use Livewire\Component;

@@ -45,4 +46,10 @@ class CategoryEditForm extends Component
    {
        return (bool) $this->useDefaultEula;
    }
+
+    #[Computed]
+    public function isGlobalSignatureRequired(): bool
+    {
+        return (string) Setting::getSettings()->require_accept_signature === '1';
+    }
 }
@@ -639,6 +639,10 @@ class Importer extends Component
                'color code',
                trans('general.tag_color'),
            ],
+            'checkout_class' => [
+                'checkout type',
+                'checkout class',
+            ],
        ];

        $this->columnOptions[''] = $this->getColumns(''); // blank mode? I don't know what this is supposed to mean
@@ -2,14 +2,16 @@

 namespace App\Livewire;

+use Illuminate\Support\Facades\DB;
 use Illuminate\Support\Facades\Log;
 use Laravel\Passport\Client;
 use Laravel\Passport\ClientRepository;
-use Laravel\Passport\TokenRepository;
 use Livewire\Component;

 class OauthClients extends Component
 {
+    public string $section = 'all';
+
    public $name;

    public $redirect;
@@ -22,11 +24,77 @@ class OauthClients extends Component

    public $authorizationError;

+    public function mount(?string $section = null): void
+    {
+        if ($section !== null) {
+            $this->section = $section;
+        }
+    }
+
+    public function showOauthClients(): bool
+    {
+        return in_array($this->section, ['all', 'oauth-clients'], true);
+    }
+
+    public function showAuthorizedApplications(): bool
+    {
+        return in_array($this->section, ['all', 'authorized-applications'], true);
+    }
+
    public function render()
    {
+        $clients = collect();
+        if ($this->showOauthClients()) {
+            $clients = Client::query()
+                ->orderByDesc('created_at')
+                ->get();
+
+            if ($clients->isNotEmpty()) {
+                $tokenCountsByClientId = DB::table('oauth_access_tokens')
+                    ->whereIn('client_id', $clients->pluck('id')->all())
+                    ->selectRaw('client_id, COUNT(*) as token_count')
+                    ->groupBy('client_id')
+                    ->pluck('token_count', 'client_id');
+
+                $clients->each(function ($client) use ($tokenCountsByClientId): void {
+                    $client->setAttribute('associated_token_count', (int) ($tokenCountsByClientId[$client->id] ?? 0));
+                });
+            }
+        }
+
+        $authorizedApplications = collect();
+        if ($this->showAuthorizedApplications()) {
+            $authorizedTokenSummary = DB::table('oauth_access_tokens as tokens')
+                ->where('tokens.revoked', false)
+                ->selectRaw('tokens.client_id')
+                ->selectRaw('MAX(tokens.scopes) as scopes')
+                ->selectRaw('MAX(tokens.created_at) as created_at')
+                ->selectRaw('MAX(tokens.expires_at) as expires_at')
+                ->groupBy('tokens.client_id');
+
+            $authorizedApplications = DB::table('oauth_clients as clients')
+                ->joinSub($authorizedTokenSummary, 'token_summary', function ($join) {
+                    $join->on('clients.id', '=', 'token_summary.client_id');
+                })
+                ->leftJoin('users as creators', 'clients.user_id', '=', 'creators.id')
+                ->select([
+                    'clients.id as client_id',
+                    'clients.name as client_name',
+                    'clients.user_id as client_owner_id',
+                    'creators.display_name as client_owner_display_name',
+                    'creators.username as client_owner_username',
+                    'creators.deleted_at as client_owner_deleted_at',
+                    'token_summary.scopes',
+                    'token_summary.created_at',
+                    'token_summary.expires_at',
+                ])
+                ->orderByDesc('token_summary.created_at')
+                ->get();
+        }
+
        return view('livewire.oauth-clients', [
-            'clients' => app(ClientRepository::class)->activeForUser(auth()->id()),
-            'authorized_tokens' => app(TokenRepository::class)->forUser(auth()->id())->where('revoked', false),
+            'clients' => $clients,
+            'authorizedApplications' => $authorizedApplications,
        ]);
    }

@@ -43,6 +111,7 @@ class OauthClients extends Component
            $this->redirect,
        );

+        session()->flash('success', trans('admin/settings/message.oauth.client_created'));
        $this->dispatch('clientCreated');
    }

@@ -50,22 +119,27 @@ class OauthClients extends Component
    {
        // test for safety
        // ->delete must be of type Client - thus the model binding
-        if ($clientId->user_id == auth()->id()) {
+        if ((auth()->user()?->isSuperUser()) || ($clientId->user_id == auth()->id())) {
            app(ClientRepository::class)->delete($clientId);
+            session()->flash('success', trans('admin/settings/message.oauth.client_deleted'));
        } else {
            Log::warning('User '.auth()->id().' attempted to delete client '.$clientId->id.' which belongs to user '.$clientId->created_by);
-            $this->authorizationError = 'You are not authorized to delete this client.';
+            $this->authorizationError = trans('admin/settings/message.oauth.client_delete_denied');
        }
    }

-    public function deleteToken($tokenId): void
+    public function deleteAuthorizedApplication(int $clientId): void
    {
-        $token = app(TokenRepository::class)->find($tokenId);
-        if ($token->created_by == auth()->id()) {
-            app(TokenRepository::class)->revokeAccessToken($tokenId);
+        $revokedTokenCount = DB::table('oauth_access_tokens')
+            ->where('client_id', $clientId)
+            ->where('revoked', false)
+            ->update(['revoked' => true]);
+
+        if ($revokedTokenCount > 0) {
+            session()->flash('success', trans('admin/settings/message.oauth.token_deleted'));
        } else {
-            Log::warning('User '.auth()->id().' attempted to delete token '.$tokenId.' which belongs to user '.$token->created_by);
-            $this->authorizationError = 'You are not authorized to delete this token.';
+            Log::warning('User '.auth()->id().' attempted to revoke authorized application client '.$clientId.' without matching active tokens.');
+            $this->authorizationError = trans('admin/settings/message.oauth.token_delete_denied');
        }
    }

@@ -91,9 +165,10 @@ class OauthClients extends Component
            $client->name = $this->editName;
            $client->redirect = $this->editRedirect;
            $client->save();
+            session()->flash('success', trans('admin/settings/message.oauth.client_updated'));
        } else {
            Log::warning('User '.auth()->id().' attempted to edit client '.$editClientId->id.' which belongs to user '.$client->created_by);
-            $this->authorizationError = 'You are not authorized to edit this client.';
+            $this->authorizationError = trans('admin/settings/message.oauth.client_edit_denied');
        }

        $this->dispatch('clientUpdated');
@@ -58,10 +58,26 @@ class CheckinAssetMail extends BaseMailable
    {
        $this->item->load('status');
        $fields = [];
+        $customFields = [];

        // Check if the item has custom fields associated with it
        if (($this->item->model) && ($this->item->model->fieldset)) {
            $fields = $this->item->model->fieldset->fields;
+
+            foreach ($fields as $field) {
+                if (! $field->show_in_email || $field->field_encrypted == '1') {
+                    continue;
+                }
+
+                $value = $this->item->{$field->db_column_name()};
+
+                if (! is_null($value) && $value !== '') {
+                    $customFields[] = [
+                        'label' => $field->name,
+                        'value' => $value,
+                    ];
+                }
+            }
        }

        return new Content(
@@ -73,6 +89,7 @@ class CheckinAssetMail extends BaseMailable
                'note' => $this->note,
                'target' => $this->target,
                'fields' => $fields,
+                'custom_fields' => $customFields,
                'expected_checkin' => $this->expected_checkin,
            ],
        );
@@ -75,6 +75,7 @@ class CheckoutAssetMail extends BaseMailable
        $eula = method_exists($this->item, 'getEula') ? $this->item->getEula() : '';
        $req_accept = $this->requiresAcceptance();
        $fields = [];
+        $customFields = [];
        $name = null;

        if ($this->target instanceof User) {
@@ -88,6 +89,21 @@ class CheckoutAssetMail extends BaseMailable
        // Check if the item has custom fields associated with it
        if (($this->item->model) && ($this->item->model->fieldset)) {
            $fields = $this->item->model->fieldset->fields;
+
+            foreach ($fields as $field) {
+                if (! $field->show_in_email || $field->field_encrypted == '1') {
+                    continue;
+                }
+
+                $value = $this->item->{$field->db_column_name()};
+
+                if (! is_null($value) && $value !== '') {
+                    $customFields[] = [
+                        'label' => $field->name,
+                        'value' => $value,
+                    ];
+                }
+            }
        }

        $accept_url = is_null($this->acceptance) ? null : route('account.accept.item', $this->acceptance);
@@ -101,6 +117,7 @@ class CheckoutAssetMail extends BaseMailable
                'note' => $this->note,
                'target' => $name,
                'fields' => $fields,
+                'custom_fields' => $customFields,
                'eula' => $eula,
                'req_accept' => $req_accept,
                'accept_url' => $accept_url,
@@ -0,0 +1,45 @@
+<?php
+
+namespace App\Mcp\Prompts;
+
+use Laravel\Mcp\Request;
+use Laravel\Mcp\Response;
+use Laravel\Mcp\Server\Attributes\Description;
+use Laravel\Mcp\Server\Attributes\Name;
+use Laravel\Mcp\Server\Attributes\Title;
+use Laravel\Mcp\Server\Prompts\Argument;
+
+#[Name('audit_location')]
+#[Title('Audit Location')]
+#[Description('Review all assets at a location, flag overdue audits and status anomalies')]
+class AuditLocationPrompt extends SnipePrompt
+{
+    public function handle(Request $request): Response
+    {
+        $location = $request->get('location');
+
+        $prompt = <<<TEXT
+        You are conducting an asset audit for location: {$location}.
+
+        Please complete the following steps using the available tools:
+
+        1. Find the location record for "{$location}" (search by name if needed).
+        2. List all assets currently assigned to or located at that location.
+        3. Identify any assets with overdue audit dates (next_audit_date is in the past).
+        4. Flag any assets with unexpected status labels (e.g. archived, pending, or out-for-repair assets that appear to still be at this location).
+        5. Note any assets that have been at this location longer than expected without a check-in or audit event.
+        6. Produce a summary report with: total asset count, assets requiring audit, assets with status anomalies, and any recommended actions.
+
+        Present the findings clearly so they can be acted on or exported.
+        TEXT;
+
+        return Response::text(trim($prompt).$this->localeInstruction());
+    }
+
+    public function arguments(): array
+    {
+        return [
+            new Argument('location', 'Name or ID of the location to audit', required: true),
+        ];
+    }
+}
@@ -0,0 +1,54 @@
+<?php
+
+namespace App\Mcp\Prompts;
+
+use Laravel\Mcp\Request;
+use Laravel\Mcp\Response;
+use Laravel\Mcp\Server\Attributes\Description;
+use Laravel\Mcp\Server\Attributes\Name;
+use Laravel\Mcp\Server\Attributes\Title;
+use Laravel\Mcp\Server\Prompts\Argument;
+
+#[Name('end_of_life_review')]
+#[Title('End of Life Review')]
+#[Description('Identify assets that have passed their EOL date or are fully depreciated, and recommend disposition actions')]
+class EndOfLifeReviewPrompt extends SnipePrompt
+{
+    public function handle(Request $request): Response
+    {
+        $department = $request->get('department');
+        $category = $request->get('category');
+
+        $scope = collect([
+            $department ? "department: {$department}" : null,
+            $category ? "category: {$category}" : null,
+        ])->filter()->implode(' and ');
+
+        $scopeLine = $scope
+            ? "Limit the review to assets in {$scope}."
+            : 'Review assets across the entire organisation.';
+
+        $prompt = <<<TEXT
+        You are conducting an end-of-life and depreciation review. {$scopeLine}
+
+        Please complete the following steps using the available tools:
+
+        1. List assets that have passed their asset_eol_date (end-of-life date is in the past).
+        2. List assets that are fully depreciated based on their depreciation schedule and purchase date.
+        3. For each identified asset, show: asset tag, name, model, assigned user or location, EOL date, purchase date, and current status.
+        4. Group findings by category for easier review.
+        5. Recommend disposition for each group: retire and replace, redeploy to a lower-demand role, send for repair, or archive.
+        6. Provide a cost summary if purchase cost data is available — total value of end-of-life assets.
+        TEXT;
+
+        return Response::text(trim($prompt).$this->localeInstruction());
+    }
+
+    public function arguments(): array
+    {
+        return [
+            new Argument('department', 'Limit review to a specific department', required: false),
+            new Argument('category', 'Limit review to a specific asset category', required: false),
+        ];
+    }
+}
@@ -0,0 +1,43 @@
+<?php
+
+namespace App\Mcp\Prompts;
+
+use Laravel\Mcp\Request;
+use Laravel\Mcp\Response;
+use Laravel\Mcp\Server\Attributes\Description;
+use Laravel\Mcp\Server\Attributes\Name;
+use Laravel\Mcp\Server\Attributes\Title;
+use Laravel\Mcp\Server\Prompts\Argument;
+
+#[Name('expiring_licenses')]
+#[Title('Expiring Licenses')]
+#[Description('Review license seat usage and flag licenses expiring within a given number of days')]
+class ExpiringLicensesPrompt extends SnipePrompt
+{
+    public function handle(Request $request): Response
+    {
+        $days = (int) ($request->get('days', 30));
+
+        $prompt = <<<TEXT
+        You are reviewing software license health across the organisation. Focus on licenses expiring within {$days} days.
+
+        Please complete the following steps using the available tools:
+
+        1. List all licenses in the system.
+        2. Identify licenses whose expiration date falls within the next {$days} days.
+        3. For each expiring license, show: license name, total seats, seats in use, seats free, and the expiration date.
+        4. Flag any licenses that are over-deployed (more seats checked out than purchased).
+        5. Flag any licenses that are under-used (many free seats that may indicate unused subscriptions worth cancelling).
+        6. Produce a prioritised action list: renewals needed urgently, over-deployments to resolve, and possible cancellations.
+        TEXT;
+
+        return Response::text(trim($prompt).$this->localeInstruction());
+    }
+
+    public function arguments(): array
+    {
+        return [
+            new Argument('days', 'Number of days ahead to check for expiring licenses (default: 30)', required: false),
+        ];
+    }
+}
@@ -0,0 +1,56 @@
+<?php
+
+namespace App\Mcp\Prompts;
+
+use Laravel\Mcp\Request;
+use Laravel\Mcp\Response;
+use Laravel\Mcp\Server\Attributes\Description;
+use Laravel\Mcp\Server\Attributes\Name;
+use Laravel\Mcp\Server\Attributes\Title;
+use Laravel\Mcp\Server\Prompts\Argument;
+
+#[Name('find_available_asset')]
+#[Title('Find Available Asset')]
+#[Description('Find an undeployed asset by category or model and optionally check it out to a user')]
+class FindAvailableAssetPrompt extends SnipePrompt
+{
+    public function handle(Request $request): Response
+    {
+        $category = $request->get('category');
+        $model = $request->get('model');
+        $assignTo = $request->get('assign_to');
+
+        $assetDescription = collect([
+            $category ? "category: {$category}" : null,
+            $model ? "model: {$model}" : null,
+        ])->filter()->implode(' / ');
+
+        $assignLine = $assignTo
+            ? "If a suitable asset is found, check it out to the user: {$assignTo}."
+            : 'Ask whether the found asset should be checked out to a specific user before proceeding.';
+
+        $prompt = <<<TEXT
+        You need to find an available (undeployed) asset matching {$assetDescription}.
+
+        Please complete the following steps using the available tools:
+
+        1. Search for assets with a Ready-to-Deploy status that match the requested {$assetDescription}.
+        2. If multiple options are available, list them with their asset tags, serial numbers, and any relevant details so the best one can be selected.
+        3. {$assignLine}
+        4. Confirm the final asset tag, serial number, and checkout status once complete.
+
+        If no available assets match, report what was found and suggest alternatives (different models in the same category, or assets currently out for repair that may return soon).
+        TEXT;
+
+        return Response::text(trim($prompt).$this->localeInstruction());
+    }
+
+    public function arguments(): array
+    {
+        return [
+            new Argument('category', 'Asset category to search (e.g. Laptop, Monitor)', required: false),
+            new Argument('model', 'Specific model name to search for', required: false),
+            new Argument('assign_to', 'Username to check the asset out to once found', required: false),
+        ];
+    }
+}
@@ -0,0 +1,54 @@
+<?php
+
+namespace App\Mcp\Prompts;
+
+use Laravel\Mcp\Request;
+use Laravel\Mcp\Response;
+use Laravel\Mcp\Server\Attributes\Description;
+use Laravel\Mcp\Server\Attributes\Name;
+use Laravel\Mcp\Server\Attributes\Title;
+use Laravel\Mcp\Server\Prompts\Argument;
+
+#[Name('inventory_summary')]
+#[Title('Inventory Summary')]
+#[Description('Produce a high-level inventory count by category, broken down by deployment status')]
+class InventorySummaryPrompt extends SnipePrompt
+{
+    public function handle(Request $request): Response
+    {
+        $location = $request->get('location');
+        $department = $request->get('department');
+
+        $scope = collect([
+            $location ? "location: {$location}" : null,
+            $department ? "department: {$department}" : null,
+        ])->filter()->implode(' and ');
+
+        $scopeLine = $scope
+            ? "Scope the report to {$scope}."
+            : 'Report across the entire organisation.';
+
+        $prompt = <<<TEXT
+        You are generating an inventory summary report. {$scopeLine}
+
+        Please complete the following steps using the available tools:
+
+        1. List assets (filtered by the scope above if provided) and tally counts by status: Deployed, Ready to Deploy, Archived, Pending, Out for Repair.
+        2. Break the deployed count down by asset category (laptops, monitors, phones, etc.).
+        3. List the top 5 models by total quantity.
+        4. Show total purchase value of the inventory if cost data is available.
+        5. Highlight any categories with zero available (Ready to Deploy) assets — potential stock-out risk.
+        6. Present the results as a concise executive summary with a supporting breakdown table.
+        TEXT;
+
+        return Response::text(trim($prompt).$this->localeInstruction());
+    }
+
+    public function arguments(): array
+    {
+        return [
+            new Argument('location', 'Limit report to a specific location', required: false),
+            new Argument('department', 'Limit report to a specific department', required: false),
+        ];
+    }
+}
@@ -0,0 +1,45 @@
+<?php
+
+namespace App\Mcp\Prompts;
+
+use Laravel\Mcp\Request;
+use Laravel\Mcp\Response;
+use Laravel\Mcp\Server\Attributes\Description;
+use Laravel\Mcp\Server\Attributes\Name;
+use Laravel\Mcp\Server\Attributes\Title;
+use Laravel\Mcp\Server\Prompts\Argument;
+
+#[Name('offboard_employee')]
+#[Title('Offboard Employee')]
+#[Description('Guide through checking in all equipment and licenses from a departing employee and deactivating their account')]
+class OffboardEmployeePrompt extends SnipePrompt
+{
+    public function handle(Request $request): Response
+    {
+        $username = $request->get('username');
+
+        $prompt = <<<TEXT
+        You are helping offboard a departing employee with username: {$username}.
+
+        Please complete the following offboarding steps using the available tools:
+
+        1. Look up the user account for {$username} and display a summary of everything currently assigned to them (assets, licenses, accessories, consumables).
+        2. Check in all assigned assets from this user.
+        3. Check in all assigned accessories from this user.
+        4. Revoke or check in any license seats assigned to this user.
+        5. Deactivate the user account.
+        6. Provide a final summary of all items that were checked in and confirm the account has been deactivated.
+
+        If any items cannot be checked in automatically, flag them for manual follow-up.
+        TEXT;
+
+        return Response::text(trim($prompt).$this->localeInstruction());
+    }
+
+    public function arguments(): array
+    {
+        return [
+            new Argument('username', 'Username of the departing employee', required: true),
+        ];
+    }
+}
@@ -0,0 +1,64 @@
+<?php
+
+namespace App\Mcp\Prompts;
+
+use Laravel\Mcp\Request;
+use Laravel\Mcp\Response;
+use Laravel\Mcp\Server\Attributes\Description;
+use Laravel\Mcp\Server\Attributes\Name;
+use Laravel\Mcp\Server\Attributes\Title;
+use Laravel\Mcp\Server\Prompts\Argument;
+
+#[Name('onboard_employee')]
+#[Title('Onboard Employee')]
+#[Description('Guide through creating a new employee account and assigning appropriate equipment and licenses')]
+class OnboardEmployeePrompt extends SnipePrompt
+{
+    public function handle(Request $request): Response
+    {
+        $firstName = $request->get('first_name');
+        $lastName = $request->get('last_name');
+        $department = $request->get('department');
+        $location = $request->get('location');
+        $title = $request->get('title');
+
+        $fullName = trim("{$firstName} {$lastName}");
+
+        $context = collect([
+            $department ? "Department: {$department}" : null,
+            $location ? "Location: {$location}" : null,
+            $title ? "Job title: {$title}" : null,
+        ])->filter()->implode("\n");
+
+        $prompt = <<<TEXT
+        You are helping onboard a new employee.
+
+        Employee details:
+        - First name: {$firstName}
+        - Last name: {$lastName}
+        {$context}
+
+        Please complete the following onboarding steps using the available tools:
+
+        1. Create a new user account using first_name "{$firstName}" and last_name "{$lastName}" along with the details provided above. Ask for any missing required fields (username and, optionally, email address) before proceeding. Do not ask for a password — one will be set automatically.
+        2. If the new account has an email address, ask whether you should send them a password reset link so they can set their own password. Use send_password_reset if the answer is yes.
+        3. Search for available (undeployed) assets suitable for their role — typically a laptop and any other standard equipment for their department or location.
+        4. Check out the selected assets to the new user.
+        5. Check whether any software license seats are available that should be assigned (e.g. productivity suites, VPN, etc.) and assign them.
+        6. Summarise what was set up: the user account created, whether a password reset email was sent, assets checked out, and licenses assigned.
+        TEXT;
+
+        return Response::text(trim($prompt).$this->localeInstruction());
+    }
+
+    public function arguments(): array
+    {
+        return [
+            new Argument('first_name', 'First name of the new employee', required: true),
+            new Argument('last_name', 'Last name of the new employee', required: false),
+            new Argument('department', 'Department the employee will join', required: false),
+            new Argument('location', 'Primary office location', required: false),
+            new Argument('title', 'Job title', required: false),
+        ];
+    }
+}
@@ -0,0 +1,24 @@
+<?php
+
+namespace App\Mcp\Prompts;
+
+use Laravel\Mcp\Server\Prompt;
+
+abstract class SnipePrompt extends Prompt
+{
+    /**
+     * Returns a trailing instruction telling the model which language to respond in,
+     * derived from the authenticated user's locale setting. Returns an empty string
+     * for English locales so the prompt text is unchanged for the majority of users.
+     */
+    protected function localeInstruction(): string
+    {
+        $locale = auth()->user()?->locale ?? app()->getLocale();
+
+        if (str_starts_with($locale, 'en')) {
+            return '';
+        }
+
+        return "\n\nPlease respond in the language that corresponds to locale: {$locale}.";
+    }
+}
@@ -0,0 +1,44 @@
+<?php
+
+namespace App\Mcp\Prompts;
+
+use Laravel\Mcp\Request;
+use Laravel\Mcp\Response;
+use Laravel\Mcp\Server\Attributes\Description;
+use Laravel\Mcp\Server\Attributes\Name;
+use Laravel\Mcp\Server\Attributes\Title;
+use Laravel\Mcp\Server\Prompts\Argument;
+
+#[Name('user_inventory')]
+#[Title('User Inventory')]
+#[Description('List everything currently assigned to a specific user across all asset types')]
+class UserInventoryPrompt extends SnipePrompt
+{
+    public function handle(Request $request): Response
+    {
+        $username = $request->get('username');
+
+        $prompt = <<<TEXT
+        You are pulling a complete inventory of everything assigned to the user: {$username}.
+
+        Please complete the following steps using the available tools:
+
+        1. Look up the user account for {$username} and display their basic info (name, department, location, job title).
+        2. List all assets currently checked out to this user (asset tag, name, model, serial, status).
+        3. List all accessories checked out to this user.
+        4. List all license seats assigned to this user.
+        5. List any consumables that have been checked out to this user.
+        6. Calculate the total purchase value of all assigned assets if cost data is available.
+        7. Present a clean summary grouped by item type, suitable for sharing with a manager or for an audit.
+        TEXT;
+
+        return Response::text(trim($prompt).$this->localeInstruction());
+    }
+
+    public function arguments(): array
+    {
+        return [
+            new Argument('username', 'Username of the user to review', required: true),
+        ];
+    }
+}
@@ -0,0 +1,42 @@
+<?php
+
+namespace App\Mcp\Prompts;
+
+use Laravel\Mcp\Request;
+use Laravel\Mcp\Response;
+use Laravel\Mcp\Server\Attributes\Description;
+use Laravel\Mcp\Server\Attributes\Name;
+use Laravel\Mcp\Server\Attributes\Title;
+use Laravel\Mcp\Server\Prompts\Argument;
+
+#[Name('warranty_expiring')]
+#[Title('Warranty Expiring')]
+#[Description('List assets whose warranty expires within a given number of days')]
+class WarrantyExpiringPrompt extends SnipePrompt
+{
+    public function handle(Request $request): Response
+    {
+        $days = (int) ($request->get('days', 90));
+
+        $prompt = <<<TEXT
+        You are reviewing assets whose warranty is expiring soon. Focus on assets expiring within {$days} days.
+
+        Please complete the following steps using the available tools:
+
+        1. List assets and filter for those whose warranty expiration date (calculated from purchase_date + warranty_months) falls within the next {$days} days.
+        2. For each asset, show: asset tag, name, model, assigned user or location, purchase date, warranty months, and calculated warranty end date.
+        3. Group by urgency: expiring within 30 days, 31–60 days, and 61–{$days} days.
+        4. Flag any assets that are deployed to critical roles or users where warranty coverage is especially important.
+        5. Recommend actions: extend warranty, schedule replacement, or note as acceptable risk.
+        TEXT;
+
+        return Response::text(trim($prompt).$this->localeInstruction());
+    }
+
+    public function arguments(): array
+    {
+        return [
+            new Argument('days', 'Number of days ahead to check for warranty expiry (default: 90)', required: false),
+        ];
+    }
+}
@@ -0,0 +1,275 @@
+<?php
+
+namespace App\Mcp\Servers;
+
+use App\Mcp\Prompts\AuditLocationPrompt;
+use App\Mcp\Prompts\EndOfLifeReviewPrompt;
+use App\Mcp\Prompts\ExpiringLicensesPrompt;
+use App\Mcp\Prompts\FindAvailableAssetPrompt;
+use App\Mcp\Prompts\InventorySummaryPrompt;
+use App\Mcp\Prompts\OffboardEmployeePrompt;
+use App\Mcp\Prompts\OnboardEmployeePrompt;
+use App\Mcp\Prompts\UserInventoryPrompt;
+use App\Mcp\Prompts\WarrantyExpiringPrompt;
+use App\Mcp\Tools\AddAssetNoteTool;
+use App\Mcp\Tools\AuditAssetTool;
+use App\Mcp\Tools\CheckinAccessoryTool;
+use App\Mcp\Tools\CheckinAssetTool;
+use App\Mcp\Tools\CheckinComponentTool;
+use App\Mcp\Tools\CheckinLicenseTool;
+use App\Mcp\Tools\CheckoutAccessoryTool;
+use App\Mcp\Tools\CheckoutAssetTool;
+use App\Mcp\Tools\CheckoutComponentTool;
+use App\Mcp\Tools\CheckoutConsumableTool;
+use App\Mcp\Tools\CheckoutLicenseTool;
+use App\Mcp\Tools\CreateAccessoryTool;
+use App\Mcp\Tools\CreateAssetModelTool;
+use App\Mcp\Tools\CreateAssetTool;
+use App\Mcp\Tools\CreateCategoryTool;
+use App\Mcp\Tools\CreateCompanyTool;
+use App\Mcp\Tools\CreateComponentTool;
+use App\Mcp\Tools\CreateConsumableTool;
+use App\Mcp\Tools\CreateDepartmentTool;
+use App\Mcp\Tools\CreateDepreciationTool;
+use App\Mcp\Tools\CreateGroupTool;
+use App\Mcp\Tools\CreateLicenseTool;
+use App\Mcp\Tools\CreateLocationTool;
+use App\Mcp\Tools\CreateMaintenanceTool;
+use App\Mcp\Tools\CreateManufacturerTool;
+use App\Mcp\Tools\CreateStatusLabelTool;
+use App\Mcp\Tools\CreateSupplierTool;
+use App\Mcp\Tools\CreateUserTool;
+use App\Mcp\Tools\DeleteAccessoryTool;
+use App\Mcp\Tools\DeleteAssetModelTool;
+use App\Mcp\Tools\DeleteAssetTool;
+use App\Mcp\Tools\DeleteCategoryTool;
+use App\Mcp\Tools\DeleteCompanyTool;
+use App\Mcp\Tools\DeleteComponentTool;
+use App\Mcp\Tools\DeleteConsumableTool;
+use App\Mcp\Tools\DeleteDepartmentTool;
+use App\Mcp\Tools\DeleteDepreciationTool;
+use App\Mcp\Tools\DeleteGroupTool;
+use App\Mcp\Tools\DeleteLicenseTool;
+use App\Mcp\Tools\DeleteLocationTool;
+use App\Mcp\Tools\DeleteManufacturerTool;
+use App\Mcp\Tools\DeleteStatusLabelTool;
+use App\Mcp\Tools\DeleteSupplierTool;
+use App\Mcp\Tools\DeleteUserTool;
+use App\Mcp\Tools\GetActivityLogTool;
+use App\Mcp\Tools\GetCurrentUserTool;
+use App\Mcp\Tools\GetUserAssetsTool;
+use App\Mcp\Tools\ListAssetModelsTool;
+use App\Mcp\Tools\ListAssetNotesTool;
+use App\Mcp\Tools\ListAssetsTool;
+use App\Mcp\Tools\ListCategoriesTool;
+use App\Mcp\Tools\ListCompaniesTool;
+use App\Mcp\Tools\ListConsumablesTool;
+use App\Mcp\Tools\ListDepreciationsTool;
+use App\Mcp\Tools\ListGroupsTool;
+use App\Mcp\Tools\ListHistoryTool;
+use App\Mcp\Tools\ListLicensesTool;
+use App\Mcp\Tools\ListLocationsTool;
+use App\Mcp\Tools\ListMaintenancesTool;
+use App\Mcp\Tools\ListManufacturersTool;
+use App\Mcp\Tools\ListStatusLabelsTool;
+use App\Mcp\Tools\ListSuppliersTool;
+use App\Mcp\Tools\ListUploadsTool;
+use App\Mcp\Tools\ListUsersTool;
+use App\Mcp\Tools\Reset2FATool;
+use App\Mcp\Tools\RestoreAssetTool;
+use App\Mcp\Tools\RestoreUserTool;
+use App\Mcp\Tools\SendPasswordResetTool;
+use App\Mcp\Tools\ShowAssetModelTool;
+use App\Mcp\Tools\ShowAssetTool;
+use App\Mcp\Tools\ShowCategoryTool;
+use App\Mcp\Tools\ShowCompanyTool;
+use App\Mcp\Tools\ShowConsumableTool;
+use App\Mcp\Tools\ShowDepreciationTool;
+use App\Mcp\Tools\ShowGroupTool;
+use App\Mcp\Tools\ShowLicenseTool;
+use App\Mcp\Tools\ShowLocationTool;
+use App\Mcp\Tools\ShowManufacturerTool;
+use App\Mcp\Tools\ShowStatusLabelTool;
+use App\Mcp\Tools\ShowSupplierTool;
+use App\Mcp\Tools\ShowUserTool;
+use App\Mcp\Tools\UpdateAccessoryTool;
+use App\Mcp\Tools\UpdateAssetModelTool;
+use App\Mcp\Tools\UpdateAssetTool;
+use App\Mcp\Tools\UpdateCategoryTool;
+use App\Mcp\Tools\UpdateCompanyTool;
+use App\Mcp\Tools\UpdateComponentTool;
+use App\Mcp\Tools\UpdateConsumableTool;
+use App\Mcp\Tools\UpdateDepartmentTool;
+use App\Mcp\Tools\UpdateDepreciationTool;
+use App\Mcp\Tools\UpdateGroupTool;
+use App\Mcp\Tools\UpdateLicenseTool;
+use App\Mcp\Tools\UpdateLocationTool;
+use App\Mcp\Tools\UpdateManufacturerTool;
+use App\Mcp\Tools\UpdateProfileTool;
+use App\Mcp\Tools\UpdateStatusLabelTool;
+use App\Mcp\Tools\UpdateSupplierTool;
+use App\Mcp\Tools\UpdateUserTool;
+use Laravel\Mcp\Server;
+use Laravel\Mcp\Server\Attributes\Instructions;
+use Laravel\Mcp\Server\Attributes\Name;
+use Laravel\Mcp\Server\Attributes\Version;
+
+#[Name('Snipe-IT MCP Server')]
+#[Version('0.0.1')]
+#[Instructions('This server allows you to interact with the Snipe-IT asset management database. You can list, view, check out, and check in assets.')]
+class SnipeMCPServer extends Server
+{
+    protected array $tools = [
+        // Assets
+        ShowAssetTool::class,
+        ListAssetsTool::class,
+        CreateAssetTool::class,
+        UpdateAssetTool::class,
+        DeleteAssetTool::class,
+        RestoreAssetTool::class,
+        CheckoutAssetTool::class,
+        CheckinAssetTool::class,
+        AuditAssetTool::class,
+        AddAssetNoteTool::class,
+        ListAssetNotesTool::class,
+
+        // Cross-type tools
+        ListUploadsTool::class,
+        ListHistoryTool::class,
+
+        // Users
+        ListUsersTool::class,
+        ShowUserTool::class,
+        CreateUserTool::class,
+        UpdateUserTool::class,
+        DeleteUserTool::class,
+        RestoreUserTool::class,
+        GetCurrentUserTool::class,
+        UpdateProfileTool::class,
+        GetUserAssetsTool::class,
+        Reset2FATool::class,
+        SendPasswordResetTool::class,
+
+        // Accessories
+        CreateAccessoryTool::class,
+        UpdateAccessoryTool::class,
+        DeleteAccessoryTool::class,
+        CheckoutAccessoryTool::class,
+        CheckinAccessoryTool::class,
+
+        // Components
+        CreateComponentTool::class,
+        UpdateComponentTool::class,
+        DeleteComponentTool::class,
+        CheckoutComponentTool::class,
+        CheckinComponentTool::class,
+
+        // Consumables
+        ListConsumablesTool::class,
+        ShowConsumableTool::class,
+        CreateConsumableTool::class,
+        UpdateConsumableTool::class,
+        DeleteConsumableTool::class,
+        CheckoutConsumableTool::class,
+
+        // Licenses
+        ListLicensesTool::class,
+        ShowLicenseTool::class,
+        CreateLicenseTool::class,
+        UpdateLicenseTool::class,
+        DeleteLicenseTool::class,
+        CheckoutLicenseTool::class,
+        CheckinLicenseTool::class,
+
+        // Departments
+        CreateDepartmentTool::class,
+        UpdateDepartmentTool::class,
+        DeleteDepartmentTool::class,
+
+        // Companies
+        ListCompaniesTool::class,
+        ShowCompanyTool::class,
+        CreateCompanyTool::class,
+        UpdateCompanyTool::class,
+        DeleteCompanyTool::class,
+
+        // Categories
+        ListCategoriesTool::class,
+        ShowCategoryTool::class,
+        CreateCategoryTool::class,
+        UpdateCategoryTool::class,
+        DeleteCategoryTool::class,
+
+        // Manufacturers
+        ListManufacturersTool::class,
+        ShowManufacturerTool::class,
+        CreateManufacturerTool::class,
+        UpdateManufacturerTool::class,
+        DeleteManufacturerTool::class,
+
+        // Suppliers
+        ListSuppliersTool::class,
+        ShowSupplierTool::class,
+        CreateSupplierTool::class,
+        UpdateSupplierTool::class,
+        DeleteSupplierTool::class,
+
+        // Status Labels
+        ListStatusLabelsTool::class,
+        ShowStatusLabelTool::class,
+        CreateStatusLabelTool::class,
+        UpdateStatusLabelTool::class,
+        DeleteStatusLabelTool::class,
+
+        // Locations
+        ListLocationsTool::class,
+        ShowLocationTool::class,
+        CreateLocationTool::class,
+        UpdateLocationTool::class,
+        DeleteLocationTool::class,
+
+        // Asset Models
+        ListAssetModelsTool::class,
+        ShowAssetModelTool::class,
+        CreateAssetModelTool::class,
+        UpdateAssetModelTool::class,
+        DeleteAssetModelTool::class,
+
+        // Depreciations
+        ListDepreciationsTool::class,
+        ShowDepreciationTool::class,
+        CreateDepreciationTool::class,
+        UpdateDepreciationTool::class,
+        DeleteDepreciationTool::class,
+
+        // Groups
+        ListGroupsTool::class,
+        ShowGroupTool::class,
+        CreateGroupTool::class,
+        UpdateGroupTool::class,
+        DeleteGroupTool::class,
+
+        // Maintenance
+        ListMaintenancesTool::class,
+        CreateMaintenanceTool::class,
+
+        // Activity Log
+        GetActivityLogTool::class,
+    ];
+
+    protected array $resources = [
+        //
+    ];
+
+    protected array $prompts = [
+        OnboardEmployeePrompt::class,
+        OffboardEmployeePrompt::class,
+        AuditLocationPrompt::class,
+        FindAvailableAssetPrompt::class,
+        ExpiringLicensesPrompt::class,
+        EndOfLifeReviewPrompt::class,
+        WarrantyExpiringPrompt::class,
+        InventorySummaryPrompt::class,
+        UserInventoryPrompt::class,
+    ];
+}
@@ -0,0 +1,97 @@
+<?php
+
+namespace App\Mcp\Tools;
+
+use App\Models\Actionlog;
+use App\Models\Asset;
+use Illuminate\Contracts\JsonSchema\JsonSchema;
+use Illuminate\Support\Facades\Gate;
+use Laravel\Mcp\Request;
+use Laravel\Mcp\Response;
+use Laravel\Mcp\ResponseFactory;
+use Laravel\Mcp\Server\Attributes\Description;
+use Laravel\Mcp\Server\Attributes\Name;
+use Laravel\Mcp\Server\Attributes\Title;
+use Laravel\Mcp\Server\Tool;
+
+#[Name('add_asset_note')]
+#[Title('Add Asset Note')]
+#[Description('Add a manual note to a Snipe-IT asset identified by asset tag, serial number, or numeric ID')]
+class AddAssetNoteTool extends Tool
+{
+    public function handle(Request $request): ResponseFactory
+    {
+        $request->validate([
+            'asset_tag' => 'nullable|string|max:100',
+            'serial' => 'nullable|string|max:255',
+            'id' => 'nullable|integer',
+            'note' => 'required|string|max:50000',
+        ]);
+
+        $asset = $this->resolveAsset($request);
+
+        if (! $asset) {
+            return Response::make(Response::error(trans('mcp.asset_not_found')));
+        }
+
+        if (! Gate::allows('update', $asset)) {
+            return Response::make(Response::error(trans('mcp.unauthorized')));
+        }
+
+        $logaction = new Actionlog;
+        $logaction->item_type = Asset::class;
+        $logaction->item_id = $asset->id;
+        $logaction->note = $request->get('note');
+        $logaction->created_by = auth()->id();
+
+        if ($logaction->logaction('note added')) {
+            return Response::make(
+                Response::text(trans('mcp.note_added_to_asset', ['asset_tag' => $asset->asset_tag]))
+            )->withStructuredContent([
+                'success' => true,
+                'message' => trans('mcp.note_added_successfully'),
+                'asset_tag' => $asset->asset_tag,
+                'asset_id' => $asset->id,
+                'note' => $logaction->note,
+            ]);
+        }
+
+        return Response::make(Response::error(trans('mcp.note_save_failed')));
+    }
+
+    private function resolveAsset(Request $request): ?Asset
+    {
+        if ($request->filled('asset_tag')) {
+            return Asset::where('asset_tag', $request->get('asset_tag'))->first();
+        }
+        if ($request->filled('serial')) {
+            return Asset::where('serial', $request->get('serial'))->first();
+        }
+        if ($request->filled('id')) {
+            return Asset::find($request->get('id'));
+        }
+
+        return null;
+    }
+
+    public function schema(JsonSchema $schema): array
+    {
+        return [
+            'asset_tag' => $schema->string()->description('Asset tag of the asset'),
+            'serial' => $schema->string()->description('Serial number of the asset'),
+            'id' => $schema->number()->description('Numeric ID of the asset'),
+            'note' => $schema->string()->description('Note text to add to the asset'),
+        ];
+    }
+
+    public function outputSchema(JsonSchema $schema): array
+    {
+        return [
+            'success' => $schema->boolean()->description('True if the note was saved'),
+            'message' => $schema->string()->description('Human-readable result message')->required(),
+            'asset_tag' => $schema->string()->description('Asset tag of the asset'),
+            'asset_id' => $schema->number()->description('Numeric ID of the asset'),
+            'note' => $schema->string()->description('The note that was saved'),
+        ];
+    }
+}
@@ -0,0 +1,120 @@
+<?php
+
+namespace App\Mcp\Tools;
+
+use App\Models\Asset;
+use App\Models\Setting;
+use Carbon\Carbon;
+use Illuminate\Contracts\JsonSchema\JsonSchema;
+use Illuminate\Support\Facades\Gate;
+use Laravel\Mcp\Request;
+use Laravel\Mcp\Response;
+use Laravel\Mcp\ResponseFactory;
+use Laravel\Mcp\Server\Attributes\Description;
+use Laravel\Mcp\Server\Attributes\Name;
+use Laravel\Mcp\Server\Attributes\Title;
+use Laravel\Mcp\Server\Tool;
+
+#[Name('audit_asset')]
+#[Title('Audit Asset')]
+#[Description('Record an audit for a Snipe-IT asset, updating the last audit date and optionally the location')]
+class AuditAssetTool extends Tool
+{
+    public function handle(Request $request): ResponseFactory
+    {
+        $request->validate([
+            'asset_tag' => 'nullable|max:100',
+            'serial' => 'nullable|string|max:255',
+            'id' => 'nullable|integer',
+            'note' => 'nullable|string|max:1000',
+            'location_id' => 'nullable|integer|exists:locations,id',
+            'next_audit_date' => 'nullable|date',
+        ]);
+
+        $asset = $this->resolveAsset($request);
+
+        if (! $asset) {
+            return Response::make(Response::error(trans('mcp.asset_not_found')));
+        }
+
+        if (! Gate::allows('audit', $asset)) {
+            return Response::make(Response::error(trans('mcp.unauthorized')));
+        }
+
+        $originalValues = $asset->getRawOriginal();
+        $settings = Setting::getSettings();
+
+        $asset->last_audit_date = date('Y-m-d H:i:s');
+
+        if ($request->filled('next_audit_date')) {
+            $asset->next_audit_date = $request->get('next_audit_date');
+        } elseif (! is_null($settings->audit_interval)) {
+            $asset->next_audit_date = Carbon::now()->addMonths($settings->audit_interval)->toDateString();
+        }
+
+        if ($request->filled('location_id')) {
+            $asset->location_id = $request->get('location_id');
+        }
+
+        // Bypass the observer to avoid logging a spurious asset-update entry
+        // alongside the audit log entry created by logAudit() below
+        $asset->unsetEventDispatcher();
+
+        if ($asset->isValid() && $asset->save()) {
+            $asset->logAudit($request->get('note'), $request->get('location_id'), null, $originalValues);
+
+            return Response::make(
+                Response::text(trans('mcp.asset_audited', ['asset_tag' => $asset->asset_tag]))
+            )->withStructuredContent([
+                'success' => true,
+                'message' => trans('mcp.asset_audited', ['asset_tag' => $asset->asset_tag]),
+                'asset_tag' => $asset->asset_tag,
+                'last_audit_date' => $asset->last_audit_date,
+                'next_audit_date' => $asset->next_audit_date,
+                'location' => $asset->location?->name,
+            ]);
+        }
+
+        return Response::make(Response::error(trans('mcp.audit_failed', ['error' => $asset->getErrors()->first()])));
+    }
+
+    private function resolveAsset(Request $request): ?Asset
+    {
+        if ($request->filled('asset_tag')) {
+            return Asset::where('asset_tag', $request->get('asset_tag'))->with('location')->first();
+        }
+        if ($request->filled('serial')) {
+            return Asset::where('serial', $request->get('serial'))->with('location')->first();
+        }
+        if ($request->filled('id')) {
+            return Asset::with('location')->find($request->get('id'));
+        }
+
+        return null;
+    }
+
+    public function schema(JsonSchema $schema): array
+    {
+        return [
+            'asset_tag' => $schema->string()->description('Asset tag of the asset to audit'),
+            'serial' => $schema->string()->description('Serial number of the asset to audit'),
+            'id' => $schema->number()->description('Numeric ID of the asset to audit'),
+            'note' => $schema->string()->description('Optional audit note'),
+            'location_id' => $schema->number()->description('Location ID where the asset was found (also updates the asset location)'),
+            'next_audit_date' => $schema->string()->description('Override the next audit date (YYYY-MM-DD); defaults to now plus the audit_interval from settings'),
+        ];
+    }
+
+    public function outputSchema(JsonSchema $schema): array
+    {
+        return [
+            'success' => $schema->boolean()->description('True if the audit succeeded'),
+            'error' => $schema->boolean()->description('True if the audit failed'),
+            'message' => $schema->string()->description('Human-readable result message')->required(),
+            'asset_tag' => $schema->string()->description('Asset tag of the audited asset'),
+            'last_audit_date' => $schema->string()->description('Timestamp of the audit just recorded'),
+            'next_audit_date' => $schema->string()->description('Date of the next scheduled audit'),
+            'location' => $schema->string()->description('Location name where the asset was found'),
+        ];
+    }
+}
@@ -0,0 +1,82 @@
+<?php
+
+namespace App\Mcp\Tools;
+
+use App\Models\Accessory;
+use App\Models\AccessoryCheckout;
+use Illuminate\Contracts\JsonSchema\JsonSchema;
+use Illuminate\Support\Facades\Gate;
+use Laravel\Mcp\Request;
+use Laravel\Mcp\Response;
+use Laravel\Mcp\ResponseFactory;
+use Laravel\Mcp\Server\Attributes\Description;
+use Laravel\Mcp\Server\Attributes\Name;
+use Laravel\Mcp\Server\Attributes\Title;
+use Laravel\Mcp\Server\Tool;
+
+#[Name('checkin_accessory')]
+#[Title('Checkin Accessory')]
+#[Description('Check in a Snipe-IT accessory checkout record by its checkout ID')]
+class CheckinAccessoryTool extends Tool
+{
+    public function handle(Request $request): ResponseFactory
+    {
+        $request->validate([
+            'checkout_id' => 'required|integer',
+            'note' => 'nullable|string|max:65535',
+        ]);
+
+        $checkout = AccessoryCheckout::find($request->get('checkout_id'));
+
+        if (! $checkout) {
+            return Response::make(Response::error(trans('mcp.accessory_checkout_not_found')));
+        }
+
+        $accessory = Accessory::find($checkout->accessory_id);
+
+        if (! $accessory) {
+            return Response::make(Response::error(trans('mcp.accessory_not_found')));
+        }
+
+        if (! Gate::allows('checkin', $accessory)) {
+            return Response::make(Response::error(trans('mcp.unauthorized')));
+        }
+
+        $target = $checkout->assigned_type && $checkout->assigned_to
+            ? $checkout->assigned_type::find($checkout->assigned_to)
+            : null;
+
+        $accessory->logCheckin($target, $request->get('note'));
+
+        if ($checkout->delete()) {
+            return Response::make(
+                Response::text(trans('mcp.accessory_checked_in', ['name' => $accessory->name]))
+            )->withStructuredContent([
+                'success' => true,
+                'message' => trans('mcp.accessory_checked_in', ['name' => $accessory->name]),
+                'accessory_id' => $accessory->id,
+                'accessory_name' => $accessory->name,
+            ]);
+        }
+
+        return Response::make(Response::error(trans('mcp.checkin_failed')));
+    }
+
+    public function schema(JsonSchema $schema): array
+    {
+        return [
+            'checkout_id' => $schema->number()->description('ID of the checkout record to check in (returned by checkout_accessory)'),
+            'note' => $schema->string()->description('Optional checkin note'),
+        ];
+    }
+
+    public function outputSchema(JsonSchema $schema): array
+    {
+        return [
+            'success' => $schema->boolean()->description('True if the checkin succeeded'),
+            'message' => $schema->string()->description('Human-readable result message')->required(),
+            'accessory_id' => $schema->number()->description('Numeric ID of the accessory'),
+            'accessory_name' => $schema->string()->description('Name of the accessory'),
+        ];
+    }
+}
@@ -0,0 +1,110 @@
+<?php
+
+namespace App\Mcp\Tools;
+
+use App\Events\CheckoutableCheckedIn;
+use App\Models\Asset;
+use Illuminate\Contracts\JsonSchema\JsonSchema;
+use Illuminate\Support\Facades\Gate;
+use Laravel\Mcp\Request;
+use Laravel\Mcp\Response;
+use Laravel\Mcp\ResponseFactory;
+use Laravel\Mcp\Server\Attributes\Description;
+use Laravel\Mcp\Server\Attributes\Name;
+use Laravel\Mcp\Server\Attributes\Title;
+use Laravel\Mcp\Server\Tool;
+
+#[Name('checkin_asset')]
+#[Title('Check In Asset')]
+#[Description('Check a currently checked-out Snipe-IT asset back in')]
+class CheckinAssetTool extends Tool
+{
+    public function handle(Request $request): ResponseFactory
+    {
+        $request->validate([
+            'asset_tag' => 'nullable|max:100',
+            'id' => 'nullable|integer',
+            'note' => 'nullable|string|max:1000',
+        ]);
+
+        $asset = $this->resolveAsset($request);
+
+        if (! $asset) {
+            return Response::make(Response::error(trans('mcp.asset_not_found')));
+        }
+
+        if (! Gate::allows('checkin', $asset)) {
+            return Response::make(Response::error(trans('mcp.unauthorized')));
+        }
+
+        $target = $asset->assignedTo;
+
+        if (is_null($target)) {
+            return Response::make(Response::error(trans('mcp.asset_not_checked_out', ['asset_tag' => $asset->asset_tag])));
+        }
+
+        $originalValues = $asset->getRawOriginal();
+        $checkinAt = date('Y-m-d H:i:s');
+
+        $asset->expected_checkin = null;
+        $asset->last_checkin = now();
+        $asset->assignedTo()->disassociate($asset);
+        $asset->accepted = null;
+        $asset->location_id = $asset->rtd_location_id;
+
+        if ($asset->save()) {
+            event(new CheckoutableCheckedIn($asset, $target, auth()->user(), $request->get('note'), $checkinAt, $originalValues));
+
+            return Response::make(
+                Response::text(trans('mcp.asset_checked_in', ['asset_tag' => $asset->asset_tag]))
+            )->withStructuredContent([
+                'success' => true,
+                'message' => trans('mcp.asset_checked_in', ['asset_tag' => $asset->asset_tag]),
+                'asset_tag' => $asset->asset_tag,
+                'model' => $asset->model?->name,
+                'location' => $asset->location?->name,
+            ]);
+        }
+
+        return Response::make(Response::error(trans('mcp.checkin_failed_error', ['error' => $asset->getErrors()->first()])));
+    }
+
+    private function resolveAsset(Request $request): ?Asset
+    {
+        if ($request->filled('asset_tag')) {
+            return Asset::where('asset_tag', $request->get('asset_tag'))
+                ->with('model', 'location')
+                ->first();
+        }
+
+        if ($request->filled('id')) {
+            return Asset::with('model', 'location')->find($request->get('id'));
+        }
+
+        return null;
+    }
+
+    public function schema(JsonSchema $schema): array
+    {
+        return [
+            'asset_tag' => $schema->string()
+                ->description('Asset tag of the asset to check in'),
+            'id' => $schema->number()
+                ->description('Numeric ID of the asset to check in'),
+            'note' => $schema->string()
+                ->description('Optional note to attach to this checkin'),
+        ];
+    }
+
+    public function outputSchema(JsonSchema $schema): array
+    {
+        return [
+            'success' => $schema->string()->description('True if the checkin succeeded'),
+            'error' => $schema->string()->description('True if the checkin failed'),
+            'message' => $schema->string()->description('Human-readable result message')->required(),
+            'asset_tag' => $schema->string()->description('Asset tag of the checked-in asset'),
+            'model' => $schema->string()->description('Model name of the checked-in asset'),
+            'location' => $schema->string()->description('Location the asset returned to'),
+        ];
+    }
+}
@@ -0,0 +1,102 @@
+<?php
+
+namespace App\Mcp\Tools;
+
+use App\Events\CheckoutableCheckedIn;
+use App\Models\Asset;
+use App\Models\Component;
+use Carbon\Carbon;
+use Illuminate\Contracts\JsonSchema\JsonSchema;
+use Illuminate\Support\Facades\DB;
+use Illuminate\Support\Facades\Gate;
+use Laravel\Mcp\Request;
+use Laravel\Mcp\Response;
+use Laravel\Mcp\ResponseFactory;
+use Laravel\Mcp\Server\Attributes\Description;
+use Laravel\Mcp\Server\Attributes\Name;
+use Laravel\Mcp\Server\Attributes\Title;
+use Laravel\Mcp\Server\Tool;
+
+#[Name('checkin_component')]
+#[Title('Checkin Component')]
+#[Description('Check in one or more units of a Snipe-IT component from an asset using the checkout record ID')]
+class CheckinComponentTool extends Tool
+{
+    public function handle(Request $request): ResponseFactory
+    {
+        $request->validate([
+            'component_asset_id' => 'required|integer',
+            'checkin_qty' => 'nullable|integer|min:1',
+            'note' => 'nullable|string|max:65535',
+        ]);
+
+        $componentAsset = DB::table('components_assets')->find($request->get('component_asset_id'));
+
+        if (! $componentAsset) {
+            return Response::make(Response::error(trans('mcp.component_checkout_not_found')));
+        }
+
+        $component = Component::find($componentAsset->component_id);
+
+        if (! $component) {
+            return Response::make(Response::error(trans('mcp.component_not_found')));
+        }
+
+        if (! Gate::allows('checkin', $component)) {
+            return Response::make(Response::error(trans('mcp.unauthorized')));
+        }
+
+        $maxCheckin = $componentAsset->assigned_qty ?? 1;
+        $checkinQty = (int) $request->get('checkin_qty', $maxCheckin);
+
+        if ($checkinQty > $maxCheckin) {
+            return Response::make(Response::error(
+                'Checkin quantity ('.$checkinQty.') exceeds assigned quantity ('.$maxCheckin.')'
+            ));
+        }
+
+        $remaining = $maxCheckin - $checkinQty;
+
+        if ($remaining === 0) {
+            DB::table('components_assets')->where('id', $componentAsset->id)->delete();
+        } else {
+            DB::table('components_assets')->where('id', $componentAsset->id)->update(['assigned_qty' => $remaining]);
+        }
+
+        $asset = Asset::find($componentAsset->asset_id);
+
+        event(new CheckoutableCheckedIn($component, $asset, auth()->user(), $request->get('note'), Carbon::now()));
+
+        return Response::make(
+            Response::text(trans('mcp.component_checked_in', ['name' => $component->name]))
+        )->withStructuredContent([
+            'success' => true,
+            'message' => trans('mcp.component_checked_in', ['name' => $component->name]),
+            'component_id' => $component->id,
+            'component_name' => $component->name,
+            'checkin_qty' => $checkinQty,
+            'qty_still_checked_out' => $remaining,
+        ]);
+    }
+
+    public function schema(JsonSchema $schema): array
+    {
+        return [
+            'component_asset_id' => $schema->number()->description('ID of the checkout record to check in (returned by checkout_component)'),
+            'checkin_qty' => $schema->number()->description('Number of units to check in (default: all assigned units)'),
+            'note' => $schema->string()->description('Optional checkin note'),
+        ];
+    }
+
+    public function outputSchema(JsonSchema $schema): array
+    {
+        return [
+            'success' => $schema->boolean()->description('True if the checkin succeeded'),
+            'message' => $schema->string()->description('Human-readable result message')->required(),
+            'component_id' => $schema->number()->description('Numeric ID of the component'),
+            'component_name' => $schema->string()->description('Name of the component'),
+            'checkin_qty' => $schema->number()->description('Number of units checked in'),
+            'qty_still_checked_out' => $schema->number()->description('Units remaining checked out on this record (0 means fully returned)'),
+        ];
+    }
+}
@@ -0,0 +1,105 @@
+<?php
+
+namespace App\Mcp\Tools;
+
+use App\Events\CheckoutableCheckedIn;
+use App\Models\Asset;
+use App\Models\License;
+use App\Models\LicenseSeat;
+use App\Models\User;
+use Illuminate\Contracts\JsonSchema\JsonSchema;
+use Illuminate\Support\Facades\Gate;
+use Laravel\Mcp\Request;
+use Laravel\Mcp\Response;
+use Laravel\Mcp\ResponseFactory;
+use Laravel\Mcp\Server\Attributes\Description;
+use Laravel\Mcp\Server\Attributes\Name;
+use Laravel\Mcp\Server\Attributes\Title;
+use Laravel\Mcp\Server\Tool;
+
+#[Name('checkin_license')]
+#[Title('Checkin License')]
+#[Description('Check in a Snipe-IT license seat by its seat ID, returning it to the available pool')]
+class CheckinLicenseTool extends Tool
+{
+    public function handle(Request $request): ResponseFactory
+    {
+        $request->validate([
+            'seat_id' => 'required|integer',
+            'note' => 'nullable|string|max:65535',
+        ]);
+
+        $seat = LicenseSeat::with('license')->find($request->get('seat_id'));
+
+        if (! $seat) {
+            return Response::make(Response::error(trans('mcp.license_seat_not_found')));
+        }
+
+        if (is_null($seat->assigned_to) && is_null($seat->asset_id)) {
+            return Response::make(Response::error(trans('mcp.seat_not_checked_out')));
+        }
+
+        $license = $seat->license;
+
+        if (! $license) {
+            return Response::make(Response::error(trans('mcp.license_not_found')));
+        }
+
+        // License checkin uses the checkout gate (matching application behavior)
+        if (! Gate::allows('checkout', $license)) {
+            return Response::make(Response::error(trans('mcp.unauthorized')));
+        }
+
+        $returnTo = null;
+        if ($seat->assigned_to) {
+            $returnTo = User::withTrashed()->find($seat->assigned_to);
+        } elseif ($seat->asset_id) {
+            $returnTo = Asset::find($seat->asset_id);
+        }
+
+        $note = $request->get('note');
+
+        $seat->assigned_to = null;
+        $seat->asset_id = null;
+        $seat->notes = $note;
+
+        if (! $license->reassignable) {
+            $seat->unreassignable_seat = true;
+        }
+
+        if ($seat->save()) {
+            event(new CheckoutableCheckedIn($seat, $returnTo, auth()->user(), $note));
+
+            return Response::make(
+                Response::text(trans('mcp.license_seat_checked_in', ['id' => $seat->id]))
+            )->withStructuredContent([
+                'success' => true,
+                'message' => trans('mcp.license_seat_checked_in', ['id' => $seat->id]),
+                'seat_id' => $seat->id,
+                'license_id' => $license->id,
+                'license_name' => $license->name,
+            ]);
+        }
+
+        return Response::make(Response::error(trans('mcp.checkin_failed')));
+    }
+
+    public function schema(JsonSchema $schema): array
+    {
+        return [
+            'seat_id' => $schema->number()->description('ID of the license seat to check in (returned by checkout_license)'),
+            'note' => $schema->string()->description('Optional checkin note'),
+        ];
+    }
+
+    public function outputSchema(JsonSchema $schema): array
+    {
+        return [
+            'success' => $schema->boolean()->description('True if the checkin succeeded'),
+            'message' => $schema->string()->description('Human-readable result message')->required(),
+            'seat_id' => $schema->number()->description('ID of the seat that was checked in'),
+            'license_id' => $schema->number()->description('Numeric ID of the license'),
+            'license_name' => $schema->string()->description('Name of the license'),
+        ];
+    }
+}
@@ -0,0 +1,134 @@
+<?php
+
+namespace App\Mcp\Tools;
+
+use App\Events\CheckoutableCheckedOut;
+use App\Models\Accessory;
+use App\Models\AccessoryCheckout;
+use App\Models\Asset;
+use App\Models\Location;
+use App\Models\User;
+use Carbon\Carbon;
+use Illuminate\Contracts\JsonSchema\JsonSchema;
+use Illuminate\Support\Facades\Gate;
+use Laravel\Mcp\Request;
+use Laravel\Mcp\Response;
+use Laravel\Mcp\ResponseFactory;
+use Laravel\Mcp\Server\Attributes\Description;
+use Laravel\Mcp\Server\Attributes\Name;
+use Laravel\Mcp\Server\Attributes\Title;
+use Laravel\Mcp\Server\Tool;
+
+#[Name('checkout_accessory')]
+#[Title('Checkout Accessory')]
+#[Description('Check out a Snipe-IT accessory to a user, location, or asset')]
+class CheckoutAccessoryTool extends Tool
+{
+    public function handle(Request $request): ResponseFactory
+    {
+        $request->validate([
+            'id' => 'nullable|integer',
+            'name' => 'nullable|string|max:255',
+            'checkout_to_type' => 'required|in:user,location,asset',
+            'assigned_user' => 'nullable|integer',
+            'assigned_location' => 'nullable|integer',
+            'assigned_asset' => 'nullable|integer',
+            'note' => 'nullable|string|max:65535',
+        ]);
+
+        $accessory = $this->resolveAccessory($request);
+
+        if (! $accessory) {
+            return Response::make(Response::error(trans('mcp.accessory_not_found')));
+        }
+
+        if (! Gate::allows('checkout', $accessory)) {
+            return Response::make(Response::error(trans('mcp.unauthorized')));
+        }
+
+        if ($accessory->numRemaining() < 1) {
+            return Response::make(Response::error(trans('mcp.no_units_available')));
+        }
+
+        $checkoutType = $request->get('checkout_to_type');
+
+        $target = match ($checkoutType) {
+            'user' => User::find($request->get('assigned_user')),
+            'location' => Location::find($request->get('assigned_location')),
+            'asset' => Asset::find($request->get('assigned_asset')),
+        };
+
+        if (! $target) {
+            return Response::make(Response::error(trans('mcp.checkout_target_not_found', ['type' => $checkoutType])));
+        }
+
+        $checkout = new AccessoryCheckout([
+            'accessory_id' => $accessory->id,
+            'created_at' => Carbon::now(),
+            'assigned_to' => $target->id,
+            'assigned_type' => $target::class,
+            'note' => $request->get('note'),
+        ]);
+        $checkout->created_by = auth()->id();
+        $checkout->save();
+
+        event(new CheckoutableCheckedOut(
+            $accessory,
+            $target,
+            auth()->user(),
+            $request->get('note'),
+            [],
+            1,
+        ));
+
+        return Response::make(
+            Response::text(trans('mcp.accessory_checked_out', ['name' => $accessory->name]))
+        )->withStructuredContent([
+            'success' => true,
+            'message' => trans('mcp.accessory_checked_out', ['name' => $accessory->name]),
+            'accessory_id' => $accessory->id,
+            'accessory_name' => $accessory->name,
+            'checkout_id' => $checkout->id,
+            'checked_out_to_type' => $checkoutType,
+            'checked_out_to_id' => $target->id,
+        ]);
+    }
+
+    private function resolveAccessory(Request $request): ?Accessory
+    {
+        if ($request->filled('id')) {
+            return Accessory::withCount('checkouts as checkouts_count')->find($request->get('id'));
+        }
+        if ($request->filled('name')) {
+            return Accessory::withCount('checkouts as checkouts_count')->where('name', $request->get('name'))->first();
+        }
+
+        return null;
+    }
+
+    public function schema(JsonSchema $schema): array
+    {
+        return [
+            'id' => $schema->number()->description('Numeric ID of the accessory to check out'),
+            'name' => $schema->string()->description('Name of the accessory to check out'),
+            'checkout_to_type' => $schema->string()->description('Target type: user, location, or asset (required)'),
+            'assigned_user' => $schema->number()->description('User ID to check out to'),
+            'assigned_location' => $schema->number()->description('Location ID to check out to'),
+            'assigned_asset' => $schema->number()->description('Asset ID to check out to'),
+            'note' => $schema->string()->description('Optional checkout note'),
+        ];
+    }
+
+    public function outputSchema(JsonSchema $schema): array
+    {
+        return [
+            'success' => $schema->boolean()->description('True if the checkout succeeded'),
+            'message' => $schema->string()->description('Human-readable result message')->required(),
+            'accessory_id' => $schema->number()->description('Numeric ID of the accessory'),
+            'accessory_name' => $schema->string()->description('Name of the accessory'),
+            'checkout_id' => $schema->number()->description('ID of the checkout record (use this for checkin)'),
+            'checked_out_to_type' => $schema->string()->description('Type of target: user, location, or asset'),
+            'checked_out_to_id' => $schema->number()->description('ID of the target'),
+        ];
+    }
+}
@@ -0,0 +1,145 @@
+<?php
+
+namespace App\Mcp\Tools;
+
+use App\Models\Asset;
+use App\Models\Location;
+use App\Models\User;
+use Illuminate\Contracts\JsonSchema\JsonSchema;
+use Illuminate\Support\Facades\Gate;
+use Laravel\Mcp\Request;
+use Laravel\Mcp\Response;
+use Laravel\Mcp\ResponseFactory;
+use Laravel\Mcp\Server\Attributes\Description;
+use Laravel\Mcp\Server\Attributes\Name;
+use Laravel\Mcp\Server\Attributes\Title;
+use Laravel\Mcp\Server\Tool;
+
+#[Name('checkout_asset')]
+#[Title('Checkout Asset')]
+#[Description('Check out a Snipe-IT asset to a user, location, or another asset')]
+class CheckoutAssetTool extends Tool
+{
+    public function handle(Request $request): ResponseFactory
+    {
+        $request->validate([
+            'asset_tag' => 'nullable|max:100',
+            'id' => 'nullable|integer',
+            'checkout_to_type' => 'required|string|in:user,location,asset',
+            'assigned_user' => 'nullable|integer',
+            'assigned_location' => 'nullable|integer',
+            'assigned_asset' => 'nullable|integer',
+            'note' => 'nullable|string|max:1000',
+            'checkout_at' => 'nullable|date',
+            'expected_checkin' => 'nullable|date',
+        ]);
+
+        $asset = $this->resolveAsset($request);
+
+        if (! $asset) {
+            return Response::make(Response::error(trans('mcp.asset_not_found')));
+        }
+
+        if (! Gate::allows('checkout', $asset)) {
+            return Response::make(Response::error(trans('mcp.unauthorized')));
+        }
+
+        if (! $asset->availableForCheckout()) {
+            return Response::make(Response::error(trans('mcp.asset_not_available', ['asset_tag' => $asset->asset_tag])));
+        }
+
+        $checkoutType = $request->get('checkout_to_type');
+        $target = null;
+
+        if ($checkoutType === 'user') {
+            $target = User::find($request->get('assigned_user'));
+            if ($target) {
+                $asset->location_id = $target->location_id ?? $asset->location_id;
+            }
+        } elseif ($checkoutType === 'location') {
+            $target = Location::find($request->get('assigned_location'));
+            if ($target) {
+                $asset->location_id = $target->id;
+            }
+        } elseif ($checkoutType === 'asset') {
+            $target = Asset::where('id', '!=', $asset->id)->find($request->get('assigned_asset'));
+            if ($target) {
+                $asset->location_id = $target->location_id ?? $asset->location_id;
+            }
+        }
+
+        if (! $target) {
+            return Response::make(Response::error(trans('mcp.checkout_target_not_found', ['type' => $checkoutType])));
+        }
+
+        $checkoutAt = $request->filled('checkout_at') ? $request->get('checkout_at') : date('Y-m-d H:i:s');
+        $expectedCheckin = $request->filled('expected_checkin') ? $request->get('expected_checkin') : null;
+        $note = $request->filled('note') ? $request->get('note') : null;
+
+        if ($asset->checkOut($target, auth()->user(), $checkoutAt, $expectedCheckin, $note, $asset->name, $asset->location_id)) {
+            return Response::make(
+                Response::text(trans('mcp.asset_checked_out', ['asset_tag' => $asset->asset_tag]))
+            )->withStructuredContent([
+                'success' => true,
+                'message' => trans('mcp.asset_checked_out', ['asset_tag' => $asset->asset_tag]),
+                'asset_tag' => $asset->asset_tag,
+                'checked_out_to_type' => $checkoutType,
+                'checked_out_to_id' => $target->id,
+            ]);
+        }
+
+        return Response::make(Response::error(trans('mcp.checkout_failed')));
+    }
+
+    private function resolveAsset(Request $request): ?Asset
+    {
+        if ($request->filled('asset_tag')) {
+            return Asset::where('asset_tag', $request->get('asset_tag'))
+                ->with('status')
+                ->first();
+        }
+
+        if ($request->filled('id')) {
+            return Asset::with('status')->find($request->get('id'));
+        }
+
+        return null;
+    }
+
+    public function schema(JsonSchema $schema): array
+    {
+        return [
+            'asset_tag' => $schema->string()
+                ->description('Asset tag of the asset to check out'),
+            'id' => $schema->number()
+                ->description('Numeric ID of the asset to check out'),
+            'checkout_to_type' => $schema->string()
+                ->description('What to check the asset out to: user, location, or asset')
+                ->required(),
+            'assigned_user' => $schema->number()
+                ->description('ID of the user to check the asset out to (when checkout_to_type is user)'),
+            'assigned_location' => $schema->number()
+                ->description('ID of the location to check the asset out to (when checkout_to_type is location)'),
+            'assigned_asset' => $schema->number()
+                ->description('ID of the asset to check the asset out to (when checkout_to_type is asset)'),
+            'note' => $schema->string()
+                ->description('Optional note to attach to this checkout'),
+            'checkout_at' => $schema->string()
+                ->description('Checkout date/time (defaults to now, format: YYYY-MM-DD)'),
+            'expected_checkin' => $schema->string()
+                ->description('Expected checkin date (format: YYYY-MM-DD)'),
+        ];
+    }
+
+    public function outputSchema(JsonSchema $schema): array
+    {
+        return [
+            'success' => $schema->string()->description('True if the checkout succeeded'),
+            'error' => $schema->string()->description('True if the checkout failed'),
+            'message' => $schema->string()->description('Human-readable result message')->required(),
+            'asset_tag' => $schema->string()->description('Asset tag of the checked-out asset'),
+            'checked_out_to_type' => $schema->string()->description('Type of entity the asset was checked out to'),
+            'checked_out_to_id' => $schema->number()->description('ID of the entity the asset was checked out to'),
+        ];
+    }
+}
@@ -0,0 +1,121 @@
+<?php
+
+namespace App\Mcp\Tools;
+
+use App\Models\Asset;
+use App\Models\Component;
+use Carbon\Carbon;
+use Illuminate\Contracts\JsonSchema\JsonSchema;
+use Illuminate\Support\Facades\Gate;
+use Illuminate\Validation\ValidationException;
+use Laravel\Mcp\Request;
+use Laravel\Mcp\Response;
+use Laravel\Mcp\ResponseFactory;
+use Laravel\Mcp\Server\Attributes\Description;
+use Laravel\Mcp\Server\Attributes\Name;
+use Laravel\Mcp\Server\Attributes\Title;
+use Laravel\Mcp\Server\Tool;
+
+#[Name('checkout_component')]
+#[Title('Checkout Component')]
+#[Description('Check out one or more units of a Snipe-IT component to an asset')]
+class CheckoutComponentTool extends Tool
+{
+    public function handle(Request $request): ResponseFactory
+    {
+        try {
+            $request->validate([
+                'id' => 'nullable|integer',
+                'name' => 'nullable|string|max:191',
+                'asset_id' => 'required|integer|exists:assets,id',
+                'assigned_qty' => 'nullable|integer|min:1',
+                'note' => 'nullable|string|max:65535',
+            ]);
+        } catch (ValidationException $e) {
+            return Response::make(Response::error($e->validator->errors()->first()));
+        }
+
+        $component = $this->resolveComponent($request);
+
+        if (! $component) {
+            return Response::make(Response::error(trans('mcp.component_not_found')));
+        }
+
+        if (! Gate::allows('checkout', $component)) {
+            return Response::make(Response::error(trans('mcp.unauthorized')));
+        }
+
+        $qty = (int) $request->get('assigned_qty', 1);
+
+        if ($component->numRemaining() < $qty) {
+            return Response::make(Response::error(
+                'Not enough units available. Requested: '.$qty.', remaining: '.$component->numRemaining()
+            ));
+        }
+
+        $asset = Asset::find($request->get('asset_id'));
+
+        $component->assets()->attach($component->id, [
+            'component_id' => $component->id,
+            'created_at' => Carbon::now(),
+            'assigned_qty' => $qty,
+            'created_by' => auth()->id(),
+            'asset_id' => $asset->id,
+            'note' => $request->get('note'),
+        ]);
+
+        $pivotId = $component->assets()->wherePivot('asset_id', $asset->id)->latest('components_assets.created_at')->first()?->pivot->id;
+
+        $component->logCheckout($request->get('note'), $asset, null, [], $qty);
+
+        return Response::make(
+            Response::text(trans('mcp.component_checked_out', ['name' => $component->name, 'asset_tag' => $asset->asset_tag]))
+        )->withStructuredContent([
+            'success' => true,
+            'message' => trans('mcp.component_checked_out', ['name' => $component->name, 'asset_tag' => $asset->asset_tag]),
+            'component_id' => $component->id,
+            'component_name' => $component->name,
+            'asset_id' => $asset->id,
+            'asset_tag' => $asset->asset_tag,
+            'assigned_qty' => $qty,
+            'component_asset_id' => $pivotId,
+        ]);
+    }
+
+    private function resolveComponent(Request $request): ?Component
+    {
+        if ($request->filled('id')) {
+            return Component::find($request->get('id'));
+        }
+        if ($request->filled('name')) {
+            return Component::where('name', $request->get('name'))->first();
+        }
+
+        return null;
+    }
+
+    public function schema(JsonSchema $schema): array
+    {
+        return [
+            'id' => $schema->number()->description('Numeric ID of the component to check out'),
+            'name' => $schema->string()->description('Name of the component to check out'),
+            'asset_id' => $schema->number()->description('Asset ID to check the component out to (required)'),
+            'assigned_qty' => $schema->number()->description('Number of units to check out (default: 1)'),
+            'note' => $schema->string()->description('Optional checkout note'),
+        ];
+    }
+
+    public function outputSchema(JsonSchema $schema): array
+    {
+        return [
+            'success' => $schema->boolean()->description('True if the checkout succeeded'),
+            'message' => $schema->string()->description('Human-readable result message')->required(),
+            'component_id' => $schema->number()->description('Numeric ID of the component'),
+            'component_name' => $schema->string()->description('Name of the component'),
+            'asset_id' => $schema->number()->description('ID of the asset checked out to'),
+            'asset_tag' => $schema->string()->description('Asset tag of the asset checked out to'),
+            'assigned_qty' => $schema->number()->description('Number of units checked out'),
+            'component_asset_id' => $schema->number()->description('ID of the checkout record (use this for checkin)'),
+        ];
+    }
+}
@@ -0,0 +1,113 @@
+<?php
+
+namespace App\Mcp\Tools;
+
+use App\Events\CheckoutableCheckedOut;
+use App\Models\Consumable;
+use App\Models\User;
+use Illuminate\Contracts\JsonSchema\JsonSchema;
+use Illuminate\Support\Facades\Gate;
+use Laravel\Mcp\Request;
+use Laravel\Mcp\Response;
+use Laravel\Mcp\ResponseFactory;
+use Laravel\Mcp\Server\Attributes\Description;
+use Laravel\Mcp\Server\Attributes\Name;
+use Laravel\Mcp\Server\Attributes\Title;
+use Laravel\Mcp\Server\Tool;
+
+#[Name('checkout_consumable')]
+#[Title('Checkout Consumable')]
+#[Description('Check out a Snipe-IT consumable to a user')]
+class CheckoutConsumableTool extends Tool
+{
+    public function handle(Request $request): ResponseFactory
+    {
+        $request->validate([
+            'id' => 'nullable|integer',
+            'name' => 'nullable|string|max:255',
+            'assigned_to' => 'required|integer',
+            'note' => 'nullable|string|max:65535',
+        ]);
+
+        $consumable = $this->resolveConsumable($request);
+
+        if (! $consumable) {
+            return Response::make(Response::error(trans('mcp.consumable_not_found')));
+        }
+
+        if (! Gate::allows('checkout', $consumable)) {
+            return Response::make(Response::error(trans('mcp.unauthorized')));
+        }
+
+        if ($consumable->numRemaining() <= 0) {
+            return Response::make(Response::error(trans('mcp.no_units_remaining')));
+        }
+
+        $user = User::find($request->get('assigned_to'));
+
+        if (! $user) {
+            return Response::make(Response::error(trans('mcp.user_not_found')));
+        }
+
+        $consumable->users()->attach($consumable->id, [
+            'consumable_id' => $consumable->id,
+            'created_by' => auth()->id(),
+            'assigned_to' => $user->id,
+            'note' => $request->get('note'),
+        ]);
+
+        event(new CheckoutableCheckedOut(
+            $consumable,
+            $user,
+            auth()->user(),
+            $request->get('note'),
+            [],
+            1,
+        ));
+
+        return Response::make(
+            Response::text(trans('mcp.consumable_checked_out', ['name' => $consumable->name, 'username' => $user->username]))
+        )->withStructuredContent([
+            'success' => true,
+            'message' => trans('mcp.consumable_checked_out', ['name' => $consumable->name, 'username' => $user->username]),
+            'consumable_id' => $consumable->id,
+            'consumable_name' => $consumable->name,
+            'assigned_to_id' => $user->id,
+            'assigned_to_username' => $user->username,
+        ]);
+    }
+
+    private function resolveConsumable(Request $request): ?Consumable
+    {
+        if ($request->filled('id')) {
+            return Consumable::find($request->get('id'));
+        }
+        if ($request->filled('name')) {
+            return Consumable::where('name', $request->get('name'))->first();
+        }
+
+        return null;
+    }
+
+    public function schema(JsonSchema $schema): array
+    {
+        return [
+            'id' => $schema->number()->description('Numeric ID of the consumable to check out'),
+            'name' => $schema->string()->description('Name of the consumable to check out'),
+            'assigned_to' => $schema->number()->description('User ID to check out to (required)'),
+            'note' => $schema->string()->description('Optional checkout note'),
+        ];
+    }
+
+    public function outputSchema(JsonSchema $schema): array
+    {
+        return [
+            'success' => $schema->boolean()->description('True if the checkout succeeded'),
+            'message' => $schema->string()->description('Human-readable result message')->required(),
+            'consumable_id' => $schema->number()->description('Numeric ID of the consumable'),
+            'consumable_name' => $schema->string()->description('Name of the consumable'),
+            'assigned_to_id' => $schema->number()->description('ID of the user the consumable was checked out to'),
+            'assigned_to_username' => $schema->string()->description('Username of the user the consumable was checked out to'),
+        ];
+    }
+}
@@ -0,0 +1,149 @@
+<?php
+
+namespace App\Mcp\Tools;
+
+use App\Events\CheckoutableCheckedOut;
+use App\Models\Asset;
+use App\Models\License;
+use App\Models\User;
+use Illuminate\Contracts\JsonSchema\JsonSchema;
+use Illuminate\Support\Facades\Gate;
+use Laravel\Mcp\Request;
+use Laravel\Mcp\Response;
+use Laravel\Mcp\ResponseFactory;
+use Laravel\Mcp\Server\Attributes\Description;
+use Laravel\Mcp\Server\Attributes\Name;
+use Laravel\Mcp\Server\Attributes\Title;
+use Laravel\Mcp\Server\Tool;
+
+#[Name('checkout_license')]
+#[Title('Checkout License')]
+#[Description('Check out an available license seat to a user or asset')]
+class CheckoutLicenseTool extends Tool
+{
+    public function handle(Request $request): ResponseFactory
+    {
+        $request->validate([
+            'id' => 'nullable|integer',
+            'name' => 'nullable|string|max:255',
+            'assigned_to' => 'nullable|integer',
+            'asset_id' => 'nullable|integer',
+            'note' => 'nullable|string|max:65535',
+        ]);
+
+        $license = $this->resolveLicense($request);
+
+        if (! $license) {
+            return Response::make(Response::error(trans('mcp.license_not_found')));
+        }
+
+        if (! Gate::allows('checkout', $license)) {
+            return Response::make(Response::error(trans('mcp.unauthorized')));
+        }
+
+        if ($license->numRemaining() < 1) {
+            return Response::make(Response::error(trans('mcp.no_available_seats')));
+        }
+
+        if (! $request->filled('assigned_to') && ! $request->filled('asset_id')) {
+            return Response::make(Response::error(trans('mcp.provide_user_or_asset')));
+        }
+
+        $seat = $license->freeSeat();
+
+        if (! $seat) {
+            return Response::make(Response::error(trans('mcp.no_free_seat')));
+        }
+
+        $note = $request->get('note');
+
+        if ($request->filled('assigned_to')) {
+            $target = User::find($request->get('assigned_to'));
+            if (! $target) {
+                return Response::make(Response::error(trans('mcp.user_not_found')));
+            }
+            $seat->assigned_to = $target->id;
+            $seat->notes = $note;
+
+            if ($seat->save()) {
+                event(new CheckoutableCheckedOut($seat, $target, auth()->user(), $note, [], 1));
+
+                return Response::make(
+                    Response::text(trans('mcp.license_seat_checked_out_user', ['username' => $target->username]))
+                )->withStructuredContent([
+                    'success' => true,
+                    'message' => trans('mcp.license_seat_checked_out_user', ['username' => $target->username]),
+                    'license_id' => $license->id,
+                    'license_name' => $license->name,
+                    'seat_id' => $seat->id,
+                    'assigned_to_type' => 'user',
+                    'assigned_to_id' => $target->id,
+                ]);
+            }
+        } elseif ($request->filled('asset_id')) {
+            $target = Asset::find($request->get('asset_id'));
+            if (! $target) {
+                return Response::make(Response::error(trans('mcp.asset_not_found')));
+            }
+            $seat->asset_id = $target->id;
+            if ($target->checkedOutToUser()) {
+                $seat->assigned_to = $target->assigned_to;
+            }
+            $seat->notes = $note;
+
+            if ($seat->save()) {
+                event(new CheckoutableCheckedOut($seat, $target, auth()->user(), $note, [], 1));
+
+                return Response::make(
+                    Response::text(trans('mcp.license_seat_checked_out_asset', ['asset_tag' => $target->asset_tag]))
+                )->withStructuredContent([
+                    'success' => true,
+                    'message' => trans('mcp.license_seat_checked_out_asset', ['asset_tag' => $target->asset_tag]),
+                    'license_id' => $license->id,
+                    'license_name' => $license->name,
+                    'seat_id' => $seat->id,
+                    'assigned_to_type' => 'asset',
+                    'assigned_to_id' => $target->id,
+                ]);
+            }
+        }
+
+        return Response::make(Response::error(trans('mcp.checkout_failed')));
+    }
+
+    private function resolveLicense(Request $request): ?License
+    {
+        if ($request->filled('id')) {
+            return License::find($request->get('id'));
+        }
+        if ($request->filled('name')) {
+            return License::where('name', $request->get('name'))->first();
+        }
+
+        return null;
+    }
+
+    public function schema(JsonSchema $schema): array
+    {
+        return [
+            'id' => $schema->number()->description('Numeric ID of the license to check out'),
+            'name' => $schema->string()->description('Name of the license to check out'),
+            'assigned_to' => $schema->number()->description('User ID to assign the seat to'),
+            'asset_id' => $schema->number()->description('Asset ID to assign the seat to'),
+            'note' => $schema->string()->description('Optional checkout note'),
+        ];
+    }
+
+    public function outputSchema(JsonSchema $schema): array
+    {
+        return [
+            'success' => $schema->boolean()->description('True if the checkout succeeded'),
+            'message' => $schema->string()->description('Human-readable result message')->required(),
+            'license_id' => $schema->number()->description('Numeric ID of the license'),
+            'license_name' => $schema->string()->description('Name of the license'),
+            'seat_id' => $schema->number()->description('ID of the seat record (use this for checkin)'),
+            'assigned_to_type' => $schema->string()->description('Type of entity checked out to: user or asset'),
+            'assigned_to_id' => $schema->number()->description('ID of the entity checked out to'),
+        ];
+    }
+}
@@ -0,0 +1,107 @@
+<?php
+
+namespace App\Mcp\Tools;
+
+use App\Models\Accessory;
+use App\Models\Company;
+use Illuminate\Contracts\JsonSchema\JsonSchema;
+use Illuminate\Support\Facades\Gate;
+use Illuminate\Validation\ValidationException;
+use Laravel\Mcp\Request;
+use Laravel\Mcp\Response;
+use Laravel\Mcp\ResponseFactory;
+use Laravel\Mcp\Server\Attributes\Description;
+use Laravel\Mcp\Server\Attributes\Name;
+use Laravel\Mcp\Server\Attributes\Title;
+use Laravel\Mcp\Server\Tool;
+
+#[Name('create_accessory')]
+#[Title('Create Accessory')]
+#[Description('Create a new Snipe-IT accessory')]
+class CreateAccessoryTool extends Tool
+{
+    public function handle(Request $request): ResponseFactory
+    {
+        if (! Gate::allows('create', Accessory::class)) {
+            return Response::make(Response::error(trans('mcp.unauthorized')));
+        }
+
+        try {
+            $request->validate([
+                'name' => 'required|string|max:255',
+                'category_id' => 'required|integer|exists:categories,id',
+                'qty' => 'nullable|integer|min:0',
+                'model_number' => 'nullable|string|max:255',
+                'manufacturer_id' => 'nullable|integer|exists:manufacturers,id',
+                'supplier_id' => 'nullable|integer|exists:suppliers,id',
+                'location_id' => 'nullable|integer|exists:locations,id',
+                'company_id' => 'nullable|integer|exists:companies,id',
+                'order_number' => 'nullable|string|max:255',
+                'purchase_cost' => 'nullable|numeric|min:0',
+                'purchase_date' => 'nullable|date_format:Y-m-d',
+                'min_amt' => 'nullable|integer|min:0',
+                'requestable' => 'nullable|boolean',
+                'notes' => 'nullable|string',
+            ]);
+        } catch (ValidationException $e) {
+            return Response::make(Response::error($e->validator->errors()->first()));
+        }
+
+        $accessory = new Accessory;
+        $accessory->fill($request->only([
+            'name', 'category_id', 'qty', 'model_number', 'manufacturer_id',
+            'supplier_id', 'location_id', 'order_number', 'purchase_cost',
+            'purchase_date', 'min_amt', 'requestable', 'notes',
+        ]));
+
+        $accessory->company_id = Company::getIdForCurrentUser($request->get('company_id'));
+        $accessory->created_by = auth()->id();
+
+        if ($accessory->save()) {
+            return Response::make(
+                Response::text(trans('mcp.accessory_created', ['name' => $accessory->name]))
+            )->withStructuredContent([
+                'success' => true,
+                'message' => trans('mcp.accessory_created', ['name' => $accessory->name]),
+                'id' => $accessory->id,
+                'name' => $accessory->name,
+                'qty' => $accessory->qty,
+                'category_id' => $accessory->category_id,
+            ]);
+        }
+
+        return Response::make(Response::error(trans('mcp.create_failed', ['error' => $accessory->getErrors()->first()])));
+    }
+
+    public function schema(JsonSchema $schema): array
+    {
+        return [
+            'name' => $schema->string()->description('Accessory name (required)'),
+            'category_id' => $schema->number()->description('Category ID — must be an accessory category (required)'),
+            'qty' => $schema->number()->description('Total quantity in stock'),
+            'model_number' => $schema->string()->description('Model number'),
+            'manufacturer_id' => $schema->number()->description('Manufacturer ID'),
+            'supplier_id' => $schema->number()->description('Supplier ID'),
+            'location_id' => $schema->number()->description('Location ID'),
+            'company_id' => $schema->number()->description('Company ID (defaults to the authenticated user\'s company)'),
+            'order_number' => $schema->string()->description('Order number'),
+            'purchase_cost' => $schema->number()->description('Purchase cost per unit'),
+            'purchase_date' => $schema->string()->description('Purchase date (YYYY-MM-DD)'),
+            'min_amt' => $schema->number()->description('Minimum quantity threshold for alerts'),
+            'requestable' => $schema->boolean()->description('Whether users can request this accessory'),
+            'notes' => $schema->string()->description('Notes'),
+        ];
+    }
+
+    public function outputSchema(JsonSchema $schema): array
+    {
+        return [
+            'success' => $schema->boolean()->description('True if the accessory was created'),
+            'message' => $schema->string()->description('Human-readable result message')->required(),
+            'id' => $schema->number()->description('Numeric ID of the new accessory'),
+            'name' => $schema->string()->description('Name of the new accessory'),
+            'qty' => $schema->number()->description('Total quantity'),
+            'category_id' => $schema->number()->description('Category ID'),
+        ];
+    }
+}
@@ -0,0 +1,97 @@
+<?php
+
+namespace App\Mcp\Tools;
+
+use App\Models\AssetModel;
+use Illuminate\Contracts\JsonSchema\JsonSchema;
+use Illuminate\Support\Facades\Gate;
+use Illuminate\Validation\ValidationException;
+use Laravel\Mcp\Request;
+use Laravel\Mcp\Response;
+use Laravel\Mcp\ResponseFactory;
+use Laravel\Mcp\Server\Attributes\Description;
+use Laravel\Mcp\Server\Attributes\Name;
+use Laravel\Mcp\Server\Attributes\Title;
+use Laravel\Mcp\Server\Tool;
+
+#[Name('create_asset_model')]
+#[Title('Create Asset Model')]
+#[Description('Create a new Snipe-IT asset model')]
+class CreateAssetModelTool extends Tool
+{
+    public function handle(Request $request): ResponseFactory
+    {
+        if (! Gate::allows('create', AssetModel::class)) {
+            return Response::make(Response::error(trans('mcp.unauthorized')));
+        }
+
+        try {
+            $request->validate([
+                'name' => 'required|string|max:255',
+                'category_id' => 'required|integer|exists:categories,id',
+                'model_number' => 'nullable|string|max:255',
+                'manufacturer_id' => 'nullable|integer|exists:manufacturers,id',
+                'depreciation_id' => 'nullable|integer|exists:depreciations,id',
+                'eol' => 'nullable|integer|min:0|max:240',
+                'min_amt' => 'nullable|integer|min:0',
+                'notes' => 'nullable|string',
+                'requestable' => 'nullable|boolean',
+                'require_serial' => 'nullable|boolean',
+            ]);
+        } catch (ValidationException $e) {
+            return Response::make(Response::error($e->validator->errors()->first()));
+        }
+
+        $assetModel = new AssetModel;
+        $assetModel->name = $request->get('name');
+        $assetModel->category_id = $request->get('category_id');
+        $assetModel->created_by = auth()->id();
+
+        foreach (['model_number', 'manufacturer_id', 'depreciation_id', 'eol', 'min_amt', 'notes', 'requestable', 'require_serial'] as $f) {
+            if ($request->filled($f)) {
+                $assetModel->{$f} = $request->get($f);
+            }
+        }
+
+        if ($assetModel->save()) {
+            return Response::make(
+                Response::text(trans('mcp.asset_model_created', ['name' => $assetModel->name]))
+            )->withStructuredContent([
+                'success' => true,
+                'message' => trans('mcp.asset_model_created', ['name' => $assetModel->name]),
+                'id' => $assetModel->id,
+                'name' => $assetModel->name,
+                'category_id' => $assetModel->category_id,
+            ]);
+        }
+
+        return Response::make(Response::error(trans('mcp.create_failed', ['error' => $assetModel->getErrors()->first()])));
+    }
+
+    public function schema(JsonSchema $schema): array
+    {
+        return [
+            'name' => $schema->string()->description('Asset model name (required)'),
+            'category_id' => $schema->number()->description('Category ID (required)'),
+            'model_number' => $schema->string()->description('Model number'),
+            'manufacturer_id' => $schema->number()->description('Manufacturer ID'),
+            'depreciation_id' => $schema->number()->description('Depreciation schedule ID'),
+            'eol' => $schema->number()->description('End of life in months (0-240)'),
+            'min_amt' => $schema->number()->description('Minimum quantity alert threshold'),
+            'notes' => $schema->string()->description('Notes'),
+            'requestable' => $schema->boolean()->description('Whether the model can be requested'),
+            'require_serial' => $schema->boolean()->description('Whether serial numbers are required'),
+        ];
+    }
+
+    public function outputSchema(JsonSchema $schema): array
+    {
+        return [
+            'success' => $schema->boolean()->description('True if the asset model was created'),
+            'message' => $schema->string()->description('Human-readable result message')->required(),
+            'id' => $schema->number()->description('Numeric ID of the new asset model'),
+            'name' => $schema->string()->description('Name of the new asset model'),
+            'category_id' => $schema->number()->description('Category ID of the new asset model'),
+        ];
+    }
+}
@@ -0,0 +1,108 @@
+<?php
+
+namespace App\Mcp\Tools;
+
+use App\Models\Asset;
+use Illuminate\Contracts\JsonSchema\JsonSchema;
+use Illuminate\Support\Facades\Gate;
+use Illuminate\Validation\ValidationException;
+use Laravel\Mcp\Request;
+use Laravel\Mcp\Response;
+use Laravel\Mcp\ResponseFactory;
+use Laravel\Mcp\Server\Attributes\Description;
+use Laravel\Mcp\Server\Attributes\Name;
+use Laravel\Mcp\Server\Attributes\Title;
+use Laravel\Mcp\Server\Tool;
+
+#[Name('create_asset')]
+#[Title('Create Asset')]
+#[Description('Create a new Snipe-IT asset')]
+class CreateAssetTool extends Tool
+{
+    public function handle(Request $request): ResponseFactory
+    {
+        if (! Gate::allows('create', Asset::class)) {
+            return Response::make(Response::error(trans('mcp.unauthorized')));
+        }
+
+        try {
+            $request->validate([
+                'model_id' => 'required|integer|exists:models,id',
+                'status_id' => 'required|integer|exists:status_labels,id',
+                'asset_tag' => 'required|string|max:255',
+                'name' => 'nullable|string|max:255',
+                'serial' => 'nullable|string',
+                'company_id' => 'nullable|integer',
+                'location_id' => 'nullable|integer|exists:locations,id',
+                'rtd_location_id' => 'nullable|integer|exists:locations,id',
+                'supplier_id' => 'nullable|integer|exists:suppliers,id',
+                'purchase_date' => 'nullable|date_format:Y-m-d',
+                'purchase_cost' => 'nullable|numeric',
+                'order_number' => 'nullable|string|max:191',
+                'warranty_months' => 'nullable|integer|min:0|max:240',
+                'requestable' => 'nullable|boolean',
+                'notes' => 'nullable|string|max:65535',
+            ]);
+        } catch (ValidationException $e) {
+            return Response::make(Response::error($e->validator->errors()->first()));
+        }
+
+        $asset = new Asset;
+        $asset->model_id = $request->get('model_id');
+        $asset->status_id = $request->get('status_id');
+        $asset->asset_tag = $request->get('asset_tag');
+        $asset->created_by = auth()->id();
+
+        foreach (['name', 'serial', 'company_id', 'location_id', 'rtd_location_id', 'supplier_id', 'purchase_date', 'purchase_cost', 'order_number', 'warranty_months', 'requestable', 'notes'] as $field) {
+            if ($request->filled($field)) {
+                $asset->{$field} = $request->get($field);
+            }
+        }
+
+        if ($asset->save()) {
+            return Response::make(
+                Response::text(trans('mcp.asset_created', ['asset_tag' => $asset->asset_tag]))
+            )->withStructuredContent([
+                'success' => true,
+                'message' => trans('mcp.asset_created', ['asset_tag' => $asset->asset_tag]),
+                'id' => $asset->id,
+                'asset_tag' => $asset->asset_tag,
+                'name' => $asset->name,
+            ]);
+        }
+
+        return Response::make(Response::error(trans('mcp.create_failed', ['error' => $asset->getErrors()->first()])));
+    }
+
+    public function schema(JsonSchema $schema): array
+    {
+        return [
+            'model_id' => $schema->number()->description('Asset model ID (required)'),
+            'status_id' => $schema->number()->description('Status label ID (required)'),
+            'asset_tag' => $schema->string()->description('Asset tag (required)'),
+            'name' => $schema->string()->description('Display name for the asset'),
+            'serial' => $schema->string()->description('Serial number'),
+            'company_id' => $schema->number()->description('Company ID'),
+            'location_id' => $schema->number()->description('Current location ID'),
+            'rtd_location_id' => $schema->number()->description('Default RTD location ID'),
+            'supplier_id' => $schema->number()->description('Supplier ID'),
+            'purchase_date' => $schema->string()->description('Purchase date (YYYY-MM-DD)'),
+            'purchase_cost' => $schema->number()->description('Purchase cost'),
+            'order_number' => $schema->string()->description('Order number'),
+            'warranty_months' => $schema->number()->description('Warranty length in months (0-240)'),
+            'requestable' => $schema->boolean()->description('Whether the asset is user-requestable'),
+            'notes' => $schema->string()->description('Notes'),
+        ];
+    }
+
+    public function outputSchema(JsonSchema $schema): array
+    {
+        return [
+            'success' => $schema->boolean()->description('True if the asset was created'),
+            'message' => $schema->string()->description('Human-readable result message')->required(),
+            'id' => $schema->number()->description('Numeric ID of the new asset'),
+            'asset_tag' => $schema->string()->description('Asset tag of the new asset'),
+            'name' => $schema->string()->description('Display name of the new asset'),
+        ];
+    }
+}
@@ -0,0 +1,89 @@
+<?php
+
+namespace App\Mcp\Tools;
+
+use App\Models\Category;
+use Illuminate\Contracts\JsonSchema\JsonSchema;
+use Illuminate\Support\Facades\Gate;
+use Illuminate\Validation\ValidationException;
+use Laravel\Mcp\Request;
+use Laravel\Mcp\Response;
+use Laravel\Mcp\ResponseFactory;
+use Laravel\Mcp\Server\Attributes\Description;
+use Laravel\Mcp\Server\Attributes\Name;
+use Laravel\Mcp\Server\Attributes\Title;
+use Laravel\Mcp\Server\Tool;
+
+#[Name('create_category')]
+#[Title('Create Category')]
+#[Description('Create a new Snipe-IT category')]
+class CreateCategoryTool extends Tool
+{
+    public function handle(Request $request): ResponseFactory
+    {
+        if (! Gate::allows('create', Category::class)) {
+            return Response::make(Response::error(trans('mcp.unauthorized')));
+        }
+
+        try {
+            $request->validate([
+                'name' => 'required|string|max:255',
+                'category_type' => 'required|string|in:asset,accessory,consumable,component,license',
+                'checkin_email' => 'nullable|boolean',
+                'require_acceptance' => 'nullable|boolean',
+                'use_default_eula' => 'nullable|boolean',
+                'notes' => 'nullable|string',
+            ]);
+        } catch (ValidationException $e) {
+            return Response::make(Response::error($e->validator->errors()->first()));
+        }
+
+        $category = new Category;
+        $category->name = $request->get('name');
+        $category->category_type = $request->get('category_type');
+        $category->created_by = auth()->id();
+
+        foreach (['checkin_email', 'require_acceptance', 'use_default_eula', 'notes'] as $field) {
+            if ($request->filled($field)) {
+                $category->{$field} = $request->get($field);
+            }
+        }
+
+        if ($category->save()) {
+            return Response::make(
+                Response::text(trans('mcp.category_created', ['name' => $category->name]))
+            )->withStructuredContent([
+                'success' => true,
+                'message' => trans('mcp.category_created', ['name' => $category->name]),
+                'id' => $category->id,
+                'name' => $category->name,
+                'category_type' => $category->category_type,
+            ]);
+        }
+
+        return Response::make(Response::error(trans('mcp.create_failed', ['error' => $category->getErrors()->first()])));
+    }
+
+    public function schema(JsonSchema $schema): array
+    {
+        return [
+            'name' => $schema->string()->description('Category name (required)'),
+            'category_type' => $schema->string()->description('Category type (required): asset, accessory, consumable, component, or license'),
+            'checkin_email' => $schema->boolean()->description('Send checkin email when items are checked in'),
+            'require_acceptance' => $schema->boolean()->description('Require user acceptance when checking out'),
+            'use_default_eula' => $schema->boolean()->description('Use the default EULA'),
+            'notes' => $schema->string()->description('Notes'),
+        ];
+    }
+
+    public function outputSchema(JsonSchema $schema): array
+    {
+        return [
+            'success' => $schema->boolean()->description('True if the category was created'),
+            'message' => $schema->string()->description('Human-readable result message')->required(),
+            'id' => $schema->number()->description('Numeric ID of the new category'),
+            'name' => $schema->string()->description('Name of the new category'),
+            'category_type' => $schema->string()->description('Type of the new category'),
+        ];
+    }
+}
@@ -0,0 +1,90 @@
+<?php
+
+namespace App\Mcp\Tools;
+
+use App\Models\Company;
+use Illuminate\Contracts\JsonSchema\JsonSchema;
+use Illuminate\Support\Facades\Gate;
+use Illuminate\Validation\ValidationException;
+use Laravel\Mcp\Request;
+use Laravel\Mcp\Response;
+use Laravel\Mcp\ResponseFactory;
+use Laravel\Mcp\Server\Attributes\Description;
+use Laravel\Mcp\Server\Attributes\Name;
+use Laravel\Mcp\Server\Attributes\Title;
+use Laravel\Mcp\Server\Tool;
+
+#[Name('create_company')]
+#[Title('Create Company')]
+#[Description('Create a new Snipe-IT company')]
+class CreateCompanyTool extends Tool
+{
+    public function handle(Request $request): ResponseFactory
+    {
+        if (! Gate::allows('create', Company::class)) {
+            return Response::make(Response::error(trans('mcp.unauthorized')));
+        }
+
+        try {
+            $request->validate([
+                'name' => 'required|string|max:255',
+                'phone' => 'nullable|string',
+                'fax' => 'nullable|string',
+                'email' => 'nullable|string',
+                'notes' => 'nullable|string',
+            ]);
+        } catch (ValidationException $e) {
+            return Response::make(Response::error($e->validator->errors()->first()));
+        }
+
+        $company = new Company;
+        $company->name = $request->get('name');
+        if ($request->filled('phone')) {
+            $company->phone = $request->get('phone');
+        }
+        if ($request->filled('fax')) {
+            $company->fax = $request->get('fax');
+        }
+        if ($request->filled('email')) {
+            $company->email = $request->get('email');
+        }
+        if ($request->filled('notes')) {
+            $company->notes = $request->get('notes');
+        }
+        $company->created_by = auth()->id();
+
+        if ($company->save()) {
+            return Response::make(
+                Response::text(trans('mcp.company_created', ['name' => $company->name]))
+            )->withStructuredContent([
+                'success' => true,
+                'message' => trans('mcp.company_created', ['name' => $company->name]),
+                'id' => $company->id,
+                'name' => $company->name,
+            ]);
+        }
+
+        return Response::make(Response::error(trans('mcp.create_failed', ['error' => $company->getErrors()->first()])));
+    }
+
+    public function schema(JsonSchema $schema): array
+    {
+        return [
+            'name' => $schema->string()->description('Company name (required)'),
+            'phone' => $schema->string()->description('Company phone number'),
+            'fax' => $schema->string()->description('Company fax number'),
+            'email' => $schema->string()->description('Company email address'),
+            'notes' => $schema->string()->description('Notes'),
+        ];
+    }
+
+    public function outputSchema(JsonSchema $schema): array
+    {
+        return [
+            'success' => $schema->boolean()->description('True if the company was created'),
+            'message' => $schema->string()->description('Human-readable result message')->required(),
+            'id' => $schema->number()->description('Numeric ID of the new company'),
+            'name' => $schema->string()->description('Name of the new company'),
+        ];
+    }
+}
@@ -0,0 +1,107 @@
+<?php
+
+namespace App\Mcp\Tools;
+
+use App\Models\Company;
+use App\Models\Component;
+use Illuminate\Contracts\JsonSchema\JsonSchema;
+use Illuminate\Support\Facades\Gate;
+use Illuminate\Validation\ValidationException;
+use Laravel\Mcp\Request;
+use Laravel\Mcp\Response;
+use Laravel\Mcp\ResponseFactory;
+use Laravel\Mcp\Server\Attributes\Description;
+use Laravel\Mcp\Server\Attributes\Name;
+use Laravel\Mcp\Server\Attributes\Title;
+use Laravel\Mcp\Server\Tool;
+
+#[Name('create_component')]
+#[Title('Create Component')]
+#[Description('Create a new Snipe-IT component')]
+class CreateComponentTool extends Tool
+{
+    public function handle(Request $request): ResponseFactory
+    {
+        if (! Gate::allows('create', Component::class)) {
+            return Response::make(Response::error(trans('mcp.unauthorized')));
+        }
+
+        try {
+            $request->validate([
+                'name' => 'required|string|max:191',
+                'category_id' => 'required|integer|exists:categories,id',
+                'qty' => 'required|integer|min:1',
+                'serial' => 'nullable|string|max:255',
+                'model_number' => 'nullable|string|max:255',
+                'manufacturer_id' => 'nullable|integer|exists:manufacturers,id',
+                'supplier_id' => 'nullable|integer|exists:suppliers,id',
+                'location_id' => 'nullable|integer|exists:locations,id',
+                'company_id' => 'nullable|integer|exists:companies,id',
+                'order_number' => 'nullable|string|max:255',
+                'purchase_cost' => 'nullable|numeric|min:0',
+                'purchase_date' => 'nullable|date_format:Y-m-d',
+                'min_amt' => 'nullable|integer|min:0',
+                'notes' => 'nullable|string',
+            ]);
+        } catch (ValidationException $e) {
+            return Response::make(Response::error($e->validator->errors()->first()));
+        }
+
+        $component = new Component;
+        $component->fill($request->only([
+            'name', 'category_id', 'qty', 'serial', 'model_number',
+            'manufacturer_id', 'supplier_id', 'location_id',
+            'order_number', 'purchase_cost', 'purchase_date', 'min_amt', 'notes',
+        ]));
+
+        $component->company_id = Company::getIdForCurrentUser($request->get('company_id'));
+        $component->created_by = auth()->id();
+
+        if ($component->save()) {
+            return Response::make(
+                Response::text(trans('mcp.component_created', ['name' => $component->name]))
+            )->withStructuredContent([
+                'success' => true,
+                'message' => trans('mcp.component_created', ['name' => $component->name]),
+                'id' => $component->id,
+                'name' => $component->name,
+                'qty' => $component->qty,
+                'category_id' => $component->category_id,
+            ]);
+        }
+
+        return Response::make(Response::error(trans('mcp.create_failed', ['error' => $component->getErrors()->first()])));
+    }
+
+    public function schema(JsonSchema $schema): array
+    {
+        return [
+            'name' => $schema->string()->description('Component name (required)'),
+            'category_id' => $schema->number()->description('Category ID — must be a component category (required)'),
+            'qty' => $schema->number()->description('Total quantity in stock (required, min 1)'),
+            'serial' => $schema->string()->description('Serial number'),
+            'model_number' => $schema->string()->description('Model number'),
+            'manufacturer_id' => $schema->number()->description('Manufacturer ID'),
+            'supplier_id' => $schema->number()->description('Supplier ID'),
+            'location_id' => $schema->number()->description('Location ID'),
+            'company_id' => $schema->number()->description('Company ID (defaults to the authenticated user\'s company)'),
+            'order_number' => $schema->string()->description('Order number'),
+            'purchase_cost' => $schema->number()->description('Purchase cost per unit'),
+            'purchase_date' => $schema->string()->description('Purchase date (YYYY-MM-DD)'),
+            'min_amt' => $schema->number()->description('Minimum quantity threshold for alerts'),
+            'notes' => $schema->string()->description('Notes'),
+        ];
+    }
+
+    public function outputSchema(JsonSchema $schema): array
+    {
+        return [
+            'success' => $schema->boolean()->description('True if the component was created'),
+            'message' => $schema->string()->description('Human-readable result message')->required(),
+            'id' => $schema->number()->description('Numeric ID of the new component'),
+            'name' => $schema->string()->description('Name of the new component'),
+            'qty' => $schema->number()->description('Total quantity'),
+            'category_id' => $schema->number()->description('Category ID'),
+        ];
+    }
+}
@@ -0,0 +1,106 @@
+<?php
+
+namespace App\Mcp\Tools;
+
+use App\Models\Consumable;
+use Illuminate\Contracts\JsonSchema\JsonSchema;
+use Illuminate\Support\Facades\Gate;
+use Illuminate\Validation\ValidationException;
+use Laravel\Mcp\Request;
+use Laravel\Mcp\Response;
+use Laravel\Mcp\ResponseFactory;
+use Laravel\Mcp\Server\Attributes\Description;
+use Laravel\Mcp\Server\Attributes\Name;
+use Laravel\Mcp\Server\Attributes\Title;
+use Laravel\Mcp\Server\Tool;
+
+#[Name('create_consumable')]
+#[Title('Create Consumable')]
+#[Description('Create a new Snipe-IT consumable')]
+class CreateConsumableTool extends Tool
+{
+    public function handle(Request $request): ResponseFactory
+    {
+        if (! Gate::allows('create', Consumable::class)) {
+            return Response::make(Response::error(trans('mcp.unauthorized')));
+        }
+
+        try {
+            $request->validate([
+                'name' => 'required|string|max:255',
+                'qty' => 'required|integer|min:0',
+                'category_id' => 'required|integer|exists:categories,id',
+                'company_id' => 'nullable|integer',
+                'location_id' => 'nullable|integer|exists:locations,id',
+                'manufacturer_id' => 'nullable|integer|exists:manufacturers,id',
+                'supplier_id' => 'nullable|integer|exists:suppliers,id',
+                'item_no' => 'nullable|string|max:255',
+                'order_number' => 'nullable|string|max:255',
+                'model_number' => 'nullable|string|max:255',
+                'purchase_cost' => 'nullable|numeric|min:0',
+                'purchase_date' => 'nullable|date_format:Y-m-d',
+                'min_amt' => 'nullable|integer|min:0',
+                'requestable' => 'nullable|boolean',
+                'notes' => 'nullable|string',
+            ]);
+        } catch (ValidationException $e) {
+            return Response::make(Response::error($e->validator->errors()->first()));
+        }
+
+        $consumable = new Consumable;
+        $consumable->fill($request->only([
+            'name', 'qty', 'category_id', 'company_id', 'location_id', 'manufacturer_id',
+            'supplier_id', 'item_no', 'order_number', 'model_number', 'purchase_cost',
+            'purchase_date', 'min_amt', 'requestable', 'notes',
+        ]));
+        $consumable->created_by = auth()->id();
+
+        if ($consumable->save()) {
+            return Response::make(
+                Response::text(trans('mcp.consumable_created', ['name' => $consumable->name]))
+            )->withStructuredContent([
+                'success' => true,
+                'message' => trans('mcp.consumable_created', ['name' => $consumable->name]),
+                'id' => $consumable->id,
+                'name' => $consumable->name,
+                'qty' => $consumable->qty,
+                'category_id' => $consumable->category_id,
+            ]);
+        }
+
+        return Response::make(Response::error(trans('mcp.create_failed', ['error' => $consumable->getErrors()->first()])));
+    }
+
+    public function schema(JsonSchema $schema): array
+    {
+        return [
+            'name' => $schema->string()->description('Consumable name (required)'),
+            'qty' => $schema->number()->description('Total quantity in stock (required)'),
+            'category_id' => $schema->number()->description('Category ID — must be a consumable category (required)'),
+            'company_id' => $schema->number()->description('Company ID'),
+            'location_id' => $schema->number()->description('Location ID'),
+            'manufacturer_id' => $schema->number()->description('Manufacturer ID'),
+            'supplier_id' => $schema->number()->description('Supplier ID'),
+            'item_no' => $schema->string()->description('Item number'),
+            'order_number' => $schema->string()->description('Order number'),
+            'model_number' => $schema->string()->description('Model number'),
+            'purchase_cost' => $schema->number()->description('Purchase cost per unit'),
+            'purchase_date' => $schema->string()->description('Purchase date (YYYY-MM-DD)'),
+            'min_amt' => $schema->number()->description('Minimum quantity threshold for alerts'),
+            'requestable' => $schema->boolean()->description('Whether users can request this consumable'),
+            'notes' => $schema->string()->description('Notes'),
+        ];
+    }
+
+    public function outputSchema(JsonSchema $schema): array
+    {
+        return [
+            'success' => $schema->boolean()->description('True if the consumable was created'),
+            'message' => $schema->string()->description('Human-readable result message')->required(),
+            'id' => $schema->number()->description('Numeric ID of the new consumable'),
+            'name' => $schema->string()->description('Name of the new consumable'),
+            'qty' => $schema->number()->description('Total quantity'),
+            'category_id' => $schema->number()->description('Category ID'),
+        ];
+    }
+}
@@ -0,0 +1,87 @@
+<?php
+
+namespace App\Mcp\Tools;
+
+use App\Models\Company;
+use App\Models\Department;
+use Illuminate\Contracts\JsonSchema\JsonSchema;
+use Illuminate\Support\Facades\Gate;
+use Illuminate\Validation\ValidationException;
+use Laravel\Mcp\Request;
+use Laravel\Mcp\Response;
+use Laravel\Mcp\ResponseFactory;
+use Laravel\Mcp\Server\Attributes\Description;
+use Laravel\Mcp\Server\Attributes\Name;
+use Laravel\Mcp\Server\Attributes\Title;
+use Laravel\Mcp\Server\Tool;
+
+#[Name('create_department')]
+#[Title('Create Department')]
+#[Description('Create a new Snipe-IT department')]
+class CreateDepartmentTool extends Tool
+{
+    public function handle(Request $request): ResponseFactory
+    {
+        if (! Gate::allows('create', Department::class)) {
+            return Response::make(Response::error(trans('mcp.unauthorized')));
+        }
+
+        try {
+            $request->validate([
+                'name' => 'required|string|max:255',
+                'location_id' => 'nullable|integer|exists:locations,id',
+                'company_id' => 'nullable|integer|exists:companies,id',
+                'manager_id' => 'nullable|integer|exists:users,id',
+                'phone' => 'nullable|string|max:255',
+                'fax' => 'nullable|string|max:255',
+                'notes' => 'nullable|string|max:255',
+            ]);
+        } catch (ValidationException $e) {
+            return Response::make(Response::error($e->validator->errors()->first()));
+        }
+
+        $department = new Department;
+        $department->fill($request->only([
+            'name', 'location_id', 'manager_id', 'phone', 'fax', 'notes',
+        ]));
+
+        $department->company_id = Company::getIdForCurrentUser($request->get('company_id'));
+        $department->created_by = auth()->id();
+
+        if ($department->save()) {
+            return Response::make(
+                Response::text(trans('mcp.department_created', ['name' => $department->name]))
+            )->withStructuredContent([
+                'success' => true,
+                'message' => trans('mcp.department_created', ['name' => $department->name]),
+                'id' => $department->id,
+                'name' => $department->name,
+            ]);
+        }
+
+        return Response::make(Response::error(trans('mcp.create_failed', ['error' => $department->getErrors()->first()])));
+    }
+
+    public function schema(JsonSchema $schema): array
+    {
+        return [
+            'name' => $schema->string()->description('Department name (required)'),
+            'location_id' => $schema->number()->description('Location ID'),
+            'company_id' => $schema->number()->description('Company ID (defaults to the authenticated user\'s company)'),
+            'manager_id' => $schema->number()->description('User ID of the department manager'),
+            'phone' => $schema->string()->description('Department phone number'),
+            'fax' => $schema->string()->description('Department fax number'),
+            'notes' => $schema->string()->description('Notes'),
+        ];
+    }
+
+    public function outputSchema(JsonSchema $schema): array
+    {
+        return [
+            'success' => $schema->boolean()->description('True if the department was created'),
+            'message' => $schema->string()->description('Human-readable result message')->required(),
+            'id' => $schema->number()->description('Numeric ID of the new department'),
+            'name' => $schema->string()->description('Name of the new department'),
+        ];
+    }
+}
@@ -0,0 +1,74 @@
+<?php
+
+namespace App\Mcp\Tools;
+
+use App\Models\Depreciation;
+use Illuminate\Contracts\JsonSchema\JsonSchema;
+use Illuminate\Support\Facades\Gate;
+use Illuminate\Validation\ValidationException;
+use Laravel\Mcp\Request;
+use Laravel\Mcp\Response;
+use Laravel\Mcp\ResponseFactory;
+use Laravel\Mcp\Server\Attributes\Description;
+use Laravel\Mcp\Server\Attributes\Name;
+use Laravel\Mcp\Server\Attributes\Title;
+use Laravel\Mcp\Server\Tool;
+
+#[Name('create_depreciation')]
+#[Title('Create Depreciation')]
+#[Description('Create a new Snipe-IT depreciation schedule')]
+class CreateDepreciationTool extends Tool
+{
+    public function handle(Request $request): ResponseFactory
+    {
+        if (! Gate::allows('create', Depreciation::class)) {
+            return Response::make(Response::error(trans('mcp.unauthorized')));
+        }
+
+        try {
+            $request->validate([
+                'name' => 'required|string|max:255',
+                'months' => 'required|integer|min:1|max:3600',
+            ]);
+        } catch (ValidationException $e) {
+            return Response::make(Response::error($e->validator->errors()->first()));
+        }
+
+        $depreciation = new Depreciation;
+        $depreciation->name = $request->get('name');
+        $depreciation->months = $request->get('months');
+
+        if ($depreciation->save()) {
+            return Response::make(
+                Response::text(trans('mcp.depreciation_created', ['name' => $depreciation->name]))
+            )->withStructuredContent([
+                'success' => true,
+                'message' => trans('mcp.depreciation_created', ['name' => $depreciation->name]),
+                'id' => $depreciation->id,
+                'name' => $depreciation->name,
+                'months' => $depreciation->months,
+            ]);
+        }
+
+        return Response::make(Response::error(trans('mcp.create_failed', ['error' => $depreciation->getErrors()->first()])));
+    }
+
+    public function schema(JsonSchema $schema): array
+    {
+        return [
+            'name' => $schema->string()->description('Depreciation name (required)'),
+            'months' => $schema->number()->description('Depreciation period in months (required, 1-3600)'),
+        ];
+    }
+
+    public function outputSchema(JsonSchema $schema): array
+    {
+        return [
+            'success' => $schema->boolean()->description('True if the depreciation was created'),
+            'message' => $schema->string()->description('Human-readable result message')->required(),
+            'id' => $schema->number()->description('Numeric ID of the new depreciation'),
+            'name' => $schema->string()->description('Name of the new depreciation'),
+            'months' => $schema->number()->description('Depreciation period in months'),
+        ];
+    }
+}
@@ -0,0 +1,130 @@
+<?php
+
+namespace App\Mcp\Tools;
+
+use App\Models\Group;
+use Illuminate\Contracts\JsonSchema\JsonSchema;
+use Illuminate\Support\Facades\Gate;
+use Illuminate\Validation\ValidationException;
+use Laravel\Mcp\Request;
+use Laravel\Mcp\Response;
+use Laravel\Mcp\ResponseFactory;
+use Laravel\Mcp\Server\Attributes\Description;
+use Laravel\Mcp\Server\Attributes\Name;
+use Laravel\Mcp\Server\Attributes\Title;
+use Laravel\Mcp\Server\Tool;
+
+#[Name('create_group')]
+#[Title('Create Group')]
+#[Description('Create a new Snipe-IT permission group. Requires superadmin. Permissions are a JSON object mapping permission keys to 1 (grant) or -1 (deny).')]
+class CreateGroupTool extends Tool
+{
+    public function handle(Request $request): ResponseFactory
+    {
+        if (! Gate::allows('superadmin')) {
+            return Response::make(Response::error(trans('mcp.unauthorized')));
+        }
+
+        try {
+            $request->validate([
+                'name' => 'required|string|max:255',
+                'permissions' => 'nullable|string',
+                'notes' => 'nullable|string',
+            ]);
+        } catch (ValidationException $e) {
+            return Response::make(Response::error($e->validator->errors()->first()));
+        }
+
+        $permissions = null;
+        if ($request->filled('permissions')) {
+            $result = $this->parseAndValidatePermissions($request->get('permissions'));
+            if (is_string($result)) {
+                return Response::make(Response::error($result));
+            }
+            $permissions = $result;
+        }
+
+        $group = new Group;
+        $group->name = $request->get('name');
+        if ($permissions !== null) {
+            $group->permissions = json_encode($permissions);
+        }
+        if ($request->filled('notes')) {
+            $group->notes = $request->get('notes');
+        }
+        $group->created_by = auth()->id();
+
+        if ($group->save()) {
+            return Response::make(
+                Response::text(trans('mcp.group_created', ['name' => $group->name]))
+            )->withStructuredContent([
+                'success' => true,
+                'message' => trans('mcp.group_created', ['name' => $group->name]),
+                'id' => $group->id,
+                'name' => $group->name,
+                'permissions' => $group->decodePermissions(),
+            ]);
+        }
+
+        return Response::make(Response::error(trans('mcp.create_failed', ['error' => $group->getErrors()->first()])));
+    }
+
+    /**
+     * Parse a JSON permissions string and validate all keys against config('permissions').
+     * Returns the decoded array on success, or an error string on failure.
+     */
+    private function parseAndValidatePermissions(string $raw): array|string
+    {
+        $decoded = json_decode($raw, true);
+        if (! is_array($decoded)) {
+            return trans('mcp.invalid_permissions_format');
+        }
+
+        $validKeys = collect(config('permissions'))
+            ->flatMap(fn ($perms) => collect($perms)->pluck('permission'))
+            ->unique()
+            ->flip()
+            ->all();
+
+        foreach (array_keys($decoded) as $key) {
+            if (! isset($validKeys[$key])) {
+                return trans('mcp.invalid_permission_key', ['key' => $key]);
+            }
+            if (! in_array((int) $decoded[$key], [1, -1], true)) {
+                return trans('mcp.invalid_permission_value', ['key' => $key]);
+            }
+        }
+
+        return array_map('intval', $decoded);
+    }
+
+    public function schema(JsonSchema $schema): array
+    {
+        return [
+            'name' => $schema->string()->description('Group name (required, must be unique)'),
+            'permissions' => $schema->string()->description(
+                'JSON object mapping permission keys to 1 (grant) or -1 (deny). '.
+                'Valid keys include: superuser, admin, import, reports.view, '.
+                'assets.view, assets.create, assets.edit, assets.delete, assets.checkout, assets.checkin, assets.audit, '.
+                'users.view, users.create, users.edit, users.delete, '.
+                'licenses.view, licenses.create, licenses.edit, licenses.delete, licenses.checkout, licenses.checkin, '.
+                'accessories.view, accessories.create, accessories.edit, accessories.delete, accessories.checkout, accessories.checkin, '.
+                'components.view, components.create, components.edit, components.delete, components.checkout, components.checkin, '.
+                'consumables.view, consumables.create, consumables.edit, consumables.delete, consumables.checkout, '.
+                'and many more. Example: {"assets.view":1,"assets.create":1,"assets.edit":-1}'
+            ),
+            'notes' => $schema->string()->description('Notes about the group'),
+        ];
+    }
+
+    public function outputSchema(JsonSchema $schema): array
+    {
+        return [
+            'success' => $schema->boolean()->description('True if the group was created'),
+            'message' => $schema->string()->description('Human-readable result message')->required(),
+            'id' => $schema->number()->description('Numeric ID of the new group'),
+            'name' => $schema->string()->description('Name of the new group'),
+            'permissions' => $schema->object()->description('Permissions set on the group'),
+        ];
+    }
+}
@@ -0,0 +1,119 @@
+<?php
+
+namespace App\Mcp\Tools;
+
+use App\Models\Company;
+use App\Models\License;
+use Illuminate\Contracts\JsonSchema\JsonSchema;
+use Illuminate\Support\Facades\Gate;
+use Illuminate\Validation\ValidationException;
+use Laravel\Mcp\Request;
+use Laravel\Mcp\Response;
+use Laravel\Mcp\ResponseFactory;
+use Laravel\Mcp\Server\Attributes\Description;
+use Laravel\Mcp\Server\Attributes\Name;
+use Laravel\Mcp\Server\Attributes\Title;
+use Laravel\Mcp\Server\Tool;
+
+#[Name('create_license')]
+#[Title('Create License')]
+#[Description('Create a new Snipe-IT software license')]
+class CreateLicenseTool extends Tool
+{
+    public function handle(Request $request): ResponseFactory
+    {
+        if (! Gate::allows('create', License::class)) {
+            return Response::make(Response::error(trans('mcp.unauthorized')));
+        }
+
+        try {
+            $request->validate([
+                'name' => 'required|string|max:255',
+                'seats' => 'required|integer|min:1',
+                'category_id' => 'required|integer|exists:categories,id',
+                'serial' => 'nullable|string|max:255',
+                'manufacturer_id' => 'nullable|integer|exists:manufacturers,id',
+                'supplier_id' => 'nullable|integer|exists:suppliers,id',
+                'company_id' => 'nullable|integer|exists:companies,id',
+                'purchase_date' => 'nullable|date_format:Y-m-d',
+                'purchase_cost' => 'nullable|numeric|min:0',
+                'purchase_order' => 'nullable|string|max:255',
+                'order_number' => 'nullable|string|max:255',
+                'expiration_date' => 'nullable|date_format:Y-m-d',
+                'termination_date' => 'nullable|date_format:Y-m-d',
+                'license_name' => 'nullable|string|max:255',
+                'license_email' => 'nullable|email|max:255',
+                'maintained' => 'nullable|boolean',
+                'reassignable' => 'nullable|boolean',
+                'notes' => 'nullable|string',
+                'min_amt' => 'nullable|integer|min:0',
+            ]);
+        } catch (ValidationException $e) {
+            return Response::make(Response::error($e->validator->errors()->first()));
+        }
+
+        $license = new License;
+        $license->fill($request->only([
+            'name', 'seats', 'category_id', 'serial', 'manufacturer_id',
+            'supplier_id', 'purchase_date', 'purchase_cost', 'purchase_order',
+            'order_number', 'expiration_date', 'termination_date',
+            'license_name', 'license_email', 'maintained', 'reassignable',
+            'notes', 'min_amt',
+        ]));
+
+        $license->company_id = Company::getIdForCurrentUser($request->get('company_id'));
+        $license->created_by = auth()->id();
+
+        if ($license->save()) {
+            return Response::make(
+                Response::text(trans('mcp.license_created', ['name' => $license->name]))
+            )->withStructuredContent([
+                'success' => true,
+                'message' => trans('mcp.license_created', ['name' => $license->name]),
+                'id' => $license->id,
+                'name' => $license->name,
+                'seats' => $license->seats,
+                'category_id' => $license->category_id,
+            ]);
+        }
+
+        return Response::make(Response::error(trans('mcp.create_failed', ['error' => $license->getErrors()->first()])));
+    }
+
+    public function schema(JsonSchema $schema): array
+    {
+        return [
+            'name' => $schema->string()->description('License name (required)'),
+            'seats' => $schema->number()->description('Number of seats (required, min 1)'),
+            'category_id' => $schema->number()->description('Category ID — must be a license category (required)'),
+            'serial' => $schema->string()->description('Product key / serial number'),
+            'manufacturer_id' => $schema->number()->description('Manufacturer ID'),
+            'supplier_id' => $schema->number()->description('Supplier ID'),
+            'company_id' => $schema->number()->description('Company ID (defaults to the authenticated user\'s company)'),
+            'purchase_date' => $schema->string()->description('Purchase date (YYYY-MM-DD)'),
+            'purchase_cost' => $schema->number()->description('Purchase cost'),
+            'purchase_order' => $schema->string()->description('Purchase order number'),
+            'order_number' => $schema->string()->description('Order number'),
+            'expiration_date' => $schema->string()->description('License expiration date (YYYY-MM-DD)'),
+            'termination_date' => $schema->string()->description('License termination date (YYYY-MM-DD)'),
+            'license_name' => $schema->string()->description('Name of the licensed user/organization'),
+            'license_email' => $schema->string()->description('Email of the licensed user/organization'),
+            'maintained' => $schema->boolean()->description('Whether the license is under maintenance'),
+            'reassignable' => $schema->boolean()->description('Whether seats can be reassigned after checkin'),
+            'notes' => $schema->string()->description('Notes'),
+            'min_amt' => $schema->number()->description('Minimum seat threshold for alerts'),
+        ];
+    }
+
+    public function outputSchema(JsonSchema $schema): array
+    {
+        return [
+            'success' => $schema->boolean()->description('True if the license was created'),
+            'message' => $schema->string()->description('Human-readable result message')->required(),
+            'id' => $schema->number()->description('Numeric ID of the new license'),
+            'name' => $schema->string()->description('Name of the new license'),
+            'seats' => $schema->number()->description('Total seat count'),
+            'category_id' => $schema->number()->description('Category ID'),
+        ];
+    }
+}
@@ -0,0 +1,97 @@
+<?php
+
+namespace App\Mcp\Tools;
+
+use App\Models\Location;
+use Illuminate\Contracts\JsonSchema\JsonSchema;
+use Illuminate\Support\Facades\Gate;
+use Illuminate\Validation\ValidationException;
+use Laravel\Mcp\Request;
+use Laravel\Mcp\Response;
+use Laravel\Mcp\ResponseFactory;
+use Laravel\Mcp\Server\Attributes\Description;
+use Laravel\Mcp\Server\Attributes\Name;
+use Laravel\Mcp\Server\Attributes\Title;
+use Laravel\Mcp\Server\Tool;
+
+#[Name('create_location')]
+#[Title('Create Location')]
+#[Description('Create a new Snipe-IT location')]
+class CreateLocationTool extends Tool
+{
+    public function handle(Request $request): ResponseFactory
+    {
+        if (! Gate::allows('create', Location::class)) {
+            return Response::make(Response::error(trans('mcp.unauthorized')));
+        }
+
+        try {
+            $request->validate([
+                'name' => 'required|string|max:255',
+                'address' => 'nullable|string',
+                'address2' => 'nullable|string',
+                'city' => 'nullable|string',
+                'state' => 'nullable|string',
+                'country' => 'nullable|string',
+                'zip' => 'nullable|string',
+                'phone' => 'nullable|string|max:255',
+                'fax' => 'nullable|string|max:255',
+                'currency' => 'nullable|string',
+                'parent_id' => 'nullable|integer|exists:locations,id',
+                'manager_id' => 'nullable|integer|exists:users,id',
+            ]);
+        } catch (ValidationException $e) {
+            return Response::make(Response::error($e->validator->errors()->first()));
+        }
+
+        $location = new Location;
+        $location->name = $request->get('name');
+
+        foreach (['address', 'address2', 'city', 'state', 'country', 'zip', 'phone', 'fax', 'currency', 'parent_id', 'manager_id'] as $field) {
+            if ($request->filled($field)) {
+                $location->{$field} = $request->get($field);
+            }
+        }
+
+        if ($location->save()) {
+            return Response::make(
+                Response::text(trans('mcp.location_created', ['name' => $location->name]))
+            )->withStructuredContent([
+                'success' => true,
+                'message' => trans('mcp.location_created', ['name' => $location->name]),
+                'id' => $location->id,
+                'name' => $location->name,
+            ]);
+        }
+
+        return Response::make(Response::error(trans('mcp.create_failed', ['error' => $location->getErrors()->first()])));
+    }
+
+    public function schema(JsonSchema $schema): array
+    {
+        return [
+            'name' => $schema->string()->description('Location name (required)'),
+            'address' => $schema->string()->description('Street address'),
+            'address2' => $schema->string()->description('Address line 2'),
+            'city' => $schema->string()->description('City'),
+            'state' => $schema->string()->description('State'),
+            'country' => $schema->string()->description('Country'),
+            'zip' => $schema->string()->description('Zip code'),
+            'phone' => $schema->string()->description('Phone number'),
+            'fax' => $schema->string()->description('Fax number'),
+            'currency' => $schema->string()->description('Currency code'),
+            'parent_id' => $schema->number()->description('Parent location ID'),
+            'manager_id' => $schema->number()->description('Manager user ID'),
+        ];
+    }
+
+    public function outputSchema(JsonSchema $schema): array
+    {
+        return [
+            'success' => $schema->boolean()->description('True if the location was created'),
+            'message' => $schema->string()->description('Human-readable result message')->required(),
+            'id' => $schema->number()->description('Numeric ID of the new location'),
+            'name' => $schema->string()->description('Name of the new location'),
+        ];
+    }
+}
--- a/Show More
+++ b/Show More