feat: Add comprehensive sandbox mode, public API system, and platform support

This commit adds major features for sandbox isolation, public API access, and platform support ticketing.

## Sandbox Mode
- Add sandbox mode toggle for businesses to test features without affecting live data
- Implement schema-based isolation for tenant data (appointments, resources, services)
- Add is_sandbox field filtering for shared models (customers, staff, tickets)
- Create sandbox middleware to detect and set sandbox mode from cookies
- Add sandbox context and hooks for React frontend
- Display sandbox banner when in test mode
- Auto-reload page when switching between live/test modes
- Prevent platform support tickets from being created in sandbox mode

## Public API System
- Full REST API for external integrations with businesses
- API token management with sandbox/live token separation
- Test tokens (ss_test_*) show full plaintext for easy testing
- Live tokens (ss_live_*) are hashed and secure
- Security validation prevents live token plaintext storage
- Comprehensive test suite for token security
- Rate limiting and throttling per token
- Webhook support for real-time event notifications
- Scoped permissions system (read/write per resource type)
- API documentation page with interactive examples
- Token revocation with confirmation modal

## Platform Support
- Dedicated support page for businesses to contact SmoothSchedule
- View all platform support tickets in one place
- Create new support tickets with simplified interface
- Reply to existing tickets with conversation history
- Platform tickets have no admin controls (no priority/category/assignee/status)
- Internal notes hidden for platform tickets (business can't see them)
- Quick help section with links to guides and API docs
- Sandbox warning prevents ticket creation in test mode
- Business ticketing retains full admin controls (priority, assignment, internal notes)

## UI/UX Improvements
- Add notification dropdown with real-time updates
- Staff permissions UI for ticket access control
- Help dropdown in sidebar with Platform Guide, Ticketing Help, API Docs, and Support
- Update sidebar "Contact Support" to "Support" with message icon
- Fix navigation links to use React Router instead of anchor tags
- Remove unused language translations (Japanese, Portuguese, Chinese)

## Technical Details
- Sandbox middleware sets request.sandbox_mode from cookies
- ViewSets filter data by is_sandbox field
- API authentication via custom token auth class
- WebSocket support for real-time ticket updates
- Migration for sandbox fields on User, Tenant, and Ticket models
- Comprehensive documentation in SANDBOX_MODE_IMPLEMENTATION.md

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

frontend/src/components/StaffPermissions.tsx

@@ -0,0 +1,202 @@
+import React from 'react';
+import { useTranslation } from 'react-i18next';
+
+export interface PermissionConfig {
+  key: string;
+  labelKey: string;
+  labelDefault: string;
+  hintKey: string;
+  hintDefault: string;
+  defaultValue: boolean;
+  roles: ('manager' | 'staff')[];
+}
+
+// Define all available permissions in one place
+export const PERMISSION_CONFIGS: PermissionConfig[] = [
+  // Manager-only permissions
+  {
+    key: 'can_invite_staff',
+    labelKey: 'staff.canInviteStaff',
+    labelDefault: 'Can invite new staff members',
+    hintKey: 'staff.canInviteStaffHint',
+    hintDefault: 'Allow this manager to send invitations to new staff members',
+    defaultValue: false,
+    roles: ['manager'],
+  },
+  {
+    key: 'can_manage_resources',
+    labelKey: 'staff.canManageResources',
+    labelDefault: 'Can manage resources',
+    hintKey: 'staff.canManageResourcesHint',
+    hintDefault: 'Create, edit, and delete bookable resources',
+    defaultValue: true,
+    roles: ['manager'],
+  },
+  {
+    key: 'can_manage_services',
+    labelKey: 'staff.canManageServices',
+    labelDefault: 'Can manage services',
+    hintKey: 'staff.canManageServicesHint',
+    hintDefault: 'Create, edit, and delete service offerings',
+    defaultValue: true,
+    roles: ['manager'],
+  },
+  {
+    key: 'can_view_reports',
+    labelKey: 'staff.canViewReports',
+    labelDefault: 'Can view reports',
+    hintKey: 'staff.canViewReportsHint',
+    hintDefault: 'Access business analytics and financial reports',
+    defaultValue: true,
+    roles: ['manager'],
+  },
+  {
+    key: 'can_access_settings',
+    labelKey: 'staff.canAccessSettings',
+    labelDefault: 'Can access business settings',
+    hintKey: 'staff.canAccessSettingsHint',
+    hintDefault: 'Modify business profile, branding, and configuration',
+    defaultValue: false,
+    roles: ['manager'],
+  },
+  {
+    key: 'can_refund_payments',
+    labelKey: 'staff.canRefundPayments',
+    labelDefault: 'Can refund payments',
+    hintKey: 'staff.canRefundPaymentsHint',
+    hintDefault: 'Process refunds for customer payments',
+    defaultValue: false,
+    roles: ['manager'],
+  },
+  // Staff-only permissions
+  {
+    key: 'can_view_all_schedules',
+    labelKey: 'staff.canViewAllSchedules',
+    labelDefault: 'Can view all schedules',
+    hintKey: 'staff.canViewAllSchedulesHint',
+    hintDefault: 'View schedules of other staff members (otherwise only their own)',
+    defaultValue: false,
+    roles: ['staff'],
+  },
+  {
+    key: 'can_manage_own_appointments',
+    labelKey: 'staff.canManageOwnAppointments',
+    labelDefault: 'Can manage own appointments',
+    hintKey: 'staff.canManageOwnAppointmentsHint',
+    hintDefault: 'Create, reschedule, and cancel their own appointments',
+    defaultValue: true,
+    roles: ['staff'],
+  },
+  // Shared permissions (both manager and staff)
+  {
+    key: 'can_access_tickets',
+    labelKey: 'staff.canAccessTickets',
+    labelDefault: 'Can access support tickets',
+    hintKey: 'staff.canAccessTicketsHint',
+    hintDefault: 'View and manage customer support tickets',
+    defaultValue: true, // Default for managers; staff will override to false
+    roles: ['manager', 'staff'],
+  },
+];
+
+// Get default permissions for a role
+export const getDefaultPermissions = (role: 'manager' | 'staff'): Record<string, boolean> => {
+  const defaults: Record<string, boolean> = {};
+  PERMISSION_CONFIGS.forEach((config) => {
+    if (config.roles.includes(role)) {
+      // Staff members have ticket access disabled by default
+      if (role === 'staff' && config.key === 'can_access_tickets') {
+        defaults[config.key] = false;
+      } else {
+        defaults[config.key] = config.defaultValue;
+      }
+    }
+  });
+  return defaults;
+};
+
+interface StaffPermissionsProps {
+  role: 'manager' | 'staff';
+  permissions: Record<string, boolean>;
+  onChange: (permissions: Record<string, boolean>) => void;
+  variant?: 'invite' | 'edit';
+}
+
+const StaffPermissions: React.FC<StaffPermissionsProps> = ({
+  role,
+  permissions,
+  onChange,
+  variant = 'edit',
+}) => {
+  const { t } = useTranslation();
+
+  // Filter permissions for this role
+  const rolePermissions = PERMISSION_CONFIGS.filter((config) =>
+    config.roles.includes(role)
+  );
+
+  const handleToggle = (key: string, checked: boolean) => {
+    onChange({ ...permissions, [key]: checked });
+  };
+
+  // Get the current value, falling back to default
+  const getValue = (config: PermissionConfig): boolean => {
+    if (permissions[config.key] !== undefined) {
+      return permissions[config.key];
+    }
+    // Staff have ticket access disabled by default
+    if (role === 'staff' && config.key === 'can_access_tickets') {
+      return false;
+    }
+    return config.defaultValue;
+  };
+
+  // Different styling for manager vs staff permissions
+  const isManagerPermission = (config: PermissionConfig) =>
+    config.roles.includes('manager') && !config.roles.includes('staff');
+
+  const getPermissionStyle = (config: PermissionConfig) => {
+    if (isManagerPermission(config) || role === 'manager') {
+      return 'bg-blue-50 dark:bg-blue-900/20 border-blue-200 dark:border-blue-800 hover:bg-blue-100 dark:hover:bg-blue-900/30';
+    }
+    return 'bg-gray-50 dark:bg-gray-700/50 border-gray-200 dark:border-gray-600 hover:bg-gray-100 dark:hover:bg-gray-700';
+  };
+
+  if (rolePermissions.length === 0) {
+    return null;
+  }
+
+  return (
+    <div className="space-y-3">
+      <h4 className="text-sm font-semibold text-gray-700 dark:text-gray-300">
+        {role === 'manager'
+          ? t('staff.managerPermissions', 'Manager Permissions')
+          : t('staff.staffPermissions', 'Staff Permissions')}
+      </h4>
+
+      {rolePermissions.map((config) => (
+        <label
+          key={config.key}
+          className={`flex items-start gap-3 p-3 rounded-lg border cursor-pointer transition-colors ${getPermissionStyle(config)}`}
+        >
+          <input
+            type="checkbox"
+            checked={getValue(config)}
+            onChange={(e) => handleToggle(config.key, e.target.checked)}
+            className="w-4 h-4 mt-0.5 rounded border-gray-300 text-brand-600 focus:ring-brand-500"
+          />
+          <div>
+            <span className="text-sm font-medium text-gray-900 dark:text-white">
+              {t(config.labelKey, config.labelDefault)}
+            </span>
+            <p className="text-xs text-gray-500 dark:text-gray-400 mt-0.5">
+              {t(config.hintKey, config.hintDefault)}
+            </p>
+          </div>
+        </label>
+      ))}
+    </div>
+  );
+};
+
+export default StaffPermissions;