feat: Plan-based feature permissions and quota enforcement

Backend:
- Add HasQuota() permission factory for quota limits (resources, users, services, appointments, email templates, automated tasks)
- Add HasFeaturePermission() factory for feature-based permissions (SMS, masked calling, custom domains, white label, plugins, webhooks, calendar sync, analytics)
- Add has_feature() method to Tenant model for flexible permission checking
- Add new tenant permission fields: can_create_plugins, can_use_webhooks, can_use_calendar_sync, can_export_data
- Create Data Export API with CSV/JSON support for appointments, customers, resources, services
- Create Analytics API with dashboard, appointments, revenue endpoints
- Add calendar sync views and URL configuration

Frontend:
- Add usePlanFeatures hook for checking feature availability
- Add UpgradePrompt components (inline, banner, overlay variants)
- Add LockedSection wrapper and LockedButton for feature gating
- Update settings pages with permission checks

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

DATA_EXPORT_IMPLEMENTATION.md

@@ -0,0 +1,155 @@
+# Data Export API Implementation Summary
+
+## Overview
+
+Implemented a comprehensive data export feature for the SmoothSchedule Django backend that allows businesses to export their data in CSV and JSON formats. The feature is properly gated by subscription plan permissions.
+
+## Implementation Date
+December 2, 2025
+
+## Files Created/Modified
+
+### New Files Created
+
+1. **`/home/poduck/Desktop/smoothschedule2/smoothschedule/schedule/export_views.py`**
+   - Main export API implementation
+   - Contains `ExportViewSet` with 4 export endpoints
+   - Implements permission checking via `HasExportDataPermission`
+   - Supports both CSV and JSON formats
+   - ~450 lines of code
+
+2. **`/home/poduck/Desktop/smoothschedule2/smoothschedule/schedule/test_export.py`**
+   - Comprehensive test suite for export API
+   - Tests all endpoints, formats, filters
+   - Tests permission gating
+   - ~200 lines of test code
+
+3. **`/home/poduck/Desktop/smoothschedule2/smoothschedule/DATA_EXPORT_API.md`**
+   - Complete API documentation
+   - Request/response examples
+   - Query parameter documentation
+   - Error handling documentation
+   - ~300 lines of documentation
+
+4. **`/home/poduck/Desktop/smoothschedule2/test_export_api.py`**
+   - Standalone test script for manual API testing
+   - Can be run outside of Django test framework
+
+### Modified Files
+
+1. **`/home/poduck/Desktop/smoothschedule2/smoothschedule/schedule/urls.py`**
+   - Added import for `ExportViewSet`
+   - Registered export viewset with router
+
+2. **`/home/poduck/Desktop/smoothschedule2/smoothschedule/core/models.py`**
+   - Added `can_export_data` BooleanField to Tenant model
+   - Field defaults to `False` (permission must be explicitly granted)
+   - Field already had migration applied (0014_tenant_can_export_data_tenant_subscription_plan.py)
+
+## API Endpoints
+
+All endpoints are accessible at the base path `/export/` (not `/api/export/` since schedule URLs are at root level).
+
+### 1. Export Appointments
+- **URL**: `GET /export/appointments/`
+- **Query Params**: `format`, `start_date`, `end_date`, `status`
+- **Formats**: CSV, JSON
+- **Data**: Event/appointment information with customer and resource details
+
+### 2. Export Customers
+- **URL**: `GET /export/customers/`
+- **Query Params**: `format`, `status`
+- **Formats**: CSV, JSON
+- **Data**: Customer list with contact information
+
+### 3. Export Resources
+- **URL**: `GET /export/resources/`
+- **Query Params**: `format`, `is_active`
+- **Formats**: CSV, JSON
+- **Data**: Resource list (staff, rooms, equipment)
+
+### 4. Export Services
+- **URL**: `GET /export/services/`
+- **Query Params**: `format`, `is_active`
+- **Formats**: CSV, JSON
+- **Data**: Service catalog with pricing and duration
+
+## Security Features
+
+### Permission Gating
+- All endpoints check `tenant.can_export_data` permission
+- Returns 403 Forbidden if permission not granted
+- Clear error messages guide users to upgrade their subscription
+
+### Authentication
+- All endpoints require authentication (IsAuthenticated permission)
+- Returns 401 Unauthorized for unauthenticated requests
+
+### Data Isolation
+- Leverages django-tenants automatic schema isolation
+- Users can only export data from their own tenant
+- No risk of cross-tenant data leakage
+
+## Features
+
+### Format Support
+- **JSON**: Includes metadata (count, filters, export timestamp)
+- **CSV**: Clean, spreadsheet-ready format with proper headers
+- Both formats include Content-Disposition header for automatic downloads
+
+### Filtering
+- **Date Range**: Filter appointments by start_date and end_date
+- **Status**: Filter by active/inactive status for various entities
+- **Query Parameters**: Flexible, URL-based filtering
+
+### File Naming
+- Timestamped filenames for uniqueness
+- Format: `{data_type}_{YYYYMMDD}_{HHMMSS}.{format}`
+- Example: `appointments_20241202_103000.csv`
+
+## Testing
+
+Run unit tests with:
+```bash
+docker compose -f docker-compose.local.yml exec django python manage.py test schedule.test_export
+```
+
+## Integration
+
+### Enable Export for a Tenant
+
+```python
+# In Django shell or admin
+from core.models import Tenant
+
+tenant = Tenant.objects.get(schema_name='your_tenant')
+tenant.can_export_data = True
+tenant.save()
+```
+
+### Example API Calls
+
+```bash
+# JSON export
+curl -H "Authorization: Bearer YOUR_TOKEN" \
+  "http://lvh.me:8000/export/appointments/?format=json"
+
+# CSV export with date range
+curl -H "Authorization: Bearer YOUR_TOKEN" \
+  "http://lvh.me:8000/export/appointments/?format=csv&start_date=2024-01-01T00:00:00Z&end_date=2024-12-31T23:59:59Z"
+```
+
+## Production Checklist
+
+- [x] Permission gating implemented
+- [x] Authentication required
+- [x] Unit tests written
+- [x] Documentation created
+- [x] Database migration applied
+- [ ] Rate limiting configured
+- [ ] Frontend integration completed
+- [ ] Load testing performed
+
+---
+
+**Implementation completed successfully!** ✓