fix(webhooks): test endpoint formats payload per platform; add missing column

* The Test URL button was POSTing a generic {event, timestamp, data}
  envelope to every endpoint. Google Chat / Slack / Discord / Teams
  reject anything that isn't their specific shape — so a successful
  Laravel request still got a 400 back from the platform, making the
  test look broken. The real webhook events already handle this via
  WebhookCheckService::formatPayloadForPlatform; that helper is now
  exposed as a public static (buildPlatformPayload) and the test
  endpoint uses the same code path, so the test exercises the same
  format real events will.
* unifi_device_states was missing a consecutive_count column the
  WebhookCheckService inserts on every snapshot capture. The scheduler
  was throwing "Unknown column 'consecutive_count'" once a minute.
  Added an idempotent migration.

v1.6.1.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

composer.json

@@ -1,7 +1,7 @@
 {
     "name": "dashboard/unifi",
     "description": "UniFi network management, WiFi stats, and captive portal authentication for the Dashboard platform",
-    "version": "1.4.0",
+    "version": "1.6.1",
     "type": "library",
     "license": "MIT",
     "autoload": {
@@ -27,8 +27,6 @@
                 { "label": "Devices",          "route_name": "unifi.devices",          "icon": "cpu-chip",         "permission": "unifi.stats",    "sort_order": 3 },
                 { "label": "Clients",          "route_name": "unifi.clients",          "icon": "users",            "permission": "unifi.stats",    "sort_order": 4 },
                 { "label": "WiFi Networks",    "route_name": "unifi.wifi",             "icon": "wifi",             "permission": "unifi.manage",   "sort_order": 5 },
-                { "label": "Portal",           "route_name": "unifi.portal.settings",  "icon": "shield-check",     "permission": "unifi.auth",     "sort_order": 6 },
-                { "label": "Webhooks",         "route_name": "unifi.webhooks.index",   "icon": "bell-alert",       "permission": "unifi.settings", "sort_order": 7 },
                 { "label": "Settings",         "route_name": "unifi.settings",         "icon": "cog-6-tooth",      "permission": "unifi.settings", "sort_order": 99 }
             ],
             "permissions": [

database/migrations/2026_05_24_000001_create_unifi_cron_runs_table.php

@@ -0,0 +1,32 @@
+<?php
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Support\Facades\Schema;
+
+return new class extends Migration
+{
+    /**
+     * Structured log of every unifi scheduled-task execution: AP reboots,
+     * password rotations, PPSK schedule syncs. One row per run.
+     * Surfaced in the Logs tab of the Unifi settings page.
+     */
+    public function up(): void
+    {
+        Schema::create('unifi_cron_runs', function (Blueprint $table) {
+            $table->id();
+            $table->string('command', 64)->index();              // 'reboot-all-aps' | 'rotate-passwords' | 'sync-ppsk-schedules'
+            $table->enum('triggered_by', ['schedule', 'manual']);
+            $table->foreignId('triggered_by_user_id')->nullable()->constrained('users')->nullOnDelete();
+            $table->timestamp('started_at')->index();
+            $table->timestamp('finished_at')->nullable();
+            $table->string('status', 16);                        // 'running' | 'succeeded' | 'partial' | 'failed' | 'skipped'
+            $table->longText('details')->nullable();             // JSON: counts, per-item actions, error summary
+        });
+    }
+
+    public function down(): void
+    {
+        Schema::dropIfExists('unifi_cron_runs');
+    }
+};

database/migrations/2026_05_24_000002_add_templates_and_tracked_clients_to_unifi_webhook_configs.php

@@ -0,0 +1,32 @@
+<?php
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Support\Facades\Schema;
+
+return new class extends Migration
+{
+    public function up(): void
+    {
+        Schema::table('unifi_webhook_configs', function (Blueprint $table) {
+            if (! Schema::hasColumn('unifi_webhook_configs', 'tracked_clients')) {
+                $table->json('tracked_clients')->nullable()->after('device_filter');
+            }
+            if (! Schema::hasColumn('unifi_webhook_configs', 'templates')) {
+                $table->json('templates')->nullable()->after('tracked_clients');
+            }
+        });
+    }
+
+    public function down(): void
+    {
+        Schema::table('unifi_webhook_configs', function (Blueprint $table) {
+            if (Schema::hasColumn('unifi_webhook_configs', 'templates')) {
+                $table->dropColumn('templates');
+            }
+            if (Schema::hasColumn('unifi_webhook_configs', 'tracked_clients')) {
+                $table->dropColumn('tracked_clients');
+            }
+        });
+    }
+};

database/migrations/2026_05_24_000003_add_consecutive_count_to_unifi_device_states.php

@@ -0,0 +1,26 @@
+<?php
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Support\Facades\Schema;
+
+return new class extends Migration
+{
+    public function up(): void
+    {
+        Schema::table('unifi_device_states', function (Blueprint $table) {
+            if (! Schema::hasColumn('unifi_device_states', 'consecutive_count')) {
+                $table->unsignedSmallInteger('consecutive_count')->default(0)->after('in_alert');
+            }
+        });
+    }
+
+    public function down(): void
+    {
+        Schema::table('unifi_device_states', function (Blueprint $table) {
+            if (Schema::hasColumn('unifi_device_states', 'consecutive_count')) {
+                $table->dropColumn('consecutive_count');
+            }
+        });
+    }
+};

src/Console/RebootAllAps.php

@@ -2,41 +2,40 @@
 
 namespace Dashboard\Unifi\Console;
 
+use Dashboard\Unifi\Models\UnifiCronRun;
 use Dashboard\Unifi\Services\UnifiApiClient;
 use Illuminate\Console\Command;
 use Illuminate\Support\Facades\Cache;
 
 class RebootAllAps extends Command
 {
-    protected $signature   = 'unifi:reboot-all-aps {--delay=5 : Seconds to wait between each reboot}';
+    protected $signature   = 'unifi:reboot-all-aps {--delay=5 : Seconds to wait between each reboot} {--triggered-by=schedule}';
     protected $description = 'Planned reboot of all access points — suppresses webhook offline/online alerts';
 
     public function handle(UnifiApiClient $unifi): int
     {
-        try {
+        $run = UnifiCronRun::record(
+            'reboot-all-aps',
+            $this->option('triggered-by') ?: 'schedule',
+            null,
+            function () use ($unifi) {
                 $aps = $unifi->getAccessPoints();
-        } catch (\Throwable $e) {
-            $this->error('Failed to fetch APs: ' . $e->getMessage());
-            return self::FAILURE;
-        }
 
                 if (empty($aps)) {
                     $this->warn('No access points found.');
-            return self::SUCCESS;
+                    return ['status' => 'skipped', 'reason' => 'no APs found'];
                 }
 
                 $delay = max(0, (int) $this->option('delay'));
+                $rebooted = [];
+                $failed   = [];
 
-        // Pre-mark all APs as planned reboots before sending any commands
                 foreach ($aps as $ap) {
                     $mac = strtolower($ap['mac']);
                     Cache::put("unifi:planned_reboot:{$mac}", true, now()->addMinutes(20));
                     $this->line("Marked planned reboot: {$ap['name']} ({$mac})");
                 }
-
                 $this->newLine();
-        $ok = 0;
-        $fail = 0;
 
                 foreach ($aps as $ap) {
                     $mac  = strtolower($ap['mac']);
@@ -44,19 +43,27 @@ class RebootAllAps extends Command
                     try {
                         $unifi->rebootDevice($mac);
                         $this->info("Rebooted: {$name} ({$mac})");
-                $ok++;
+                        $rebooted[] = $name;
                     } catch (\Throwable $e) {
                         $this->error("Failed to reboot {$name}: {$e->getMessage()}");
-                $fail++;
+                        $failed[] = ['name' => $name, 'error' => $e->getMessage()];
                     }
 
-            if ($delay > 0 && $ok + $fail < count($aps)) {
+                    if ($delay > 0 && count($rebooted) + count($failed) < count($aps)) {
                         sleep($delay);
                     }
                 }
 
-        $this->newLine();
+                return [
-        $this->info("Done. {$ok} rebooted, {$fail} failed.");
+                    'status'        => count($failed) === 0 ? 'succeeded' : (count($rebooted) > 0 ? 'partial' : 'failed'),
-        return $fail > 0 ? self::FAILURE : self::SUCCESS;
+                    'rebooted'      => $rebooted,
+                    'failed'        => $failed,
+                    'total'         => count($aps),
+                ];
+            }
+        );
+
+        $this->info("Done. Status: {$run->status}.");
+        return $run->status === 'failed' ? self::FAILURE : self::SUCCESS;
     }
 }

src/Console/RotatePasswords.php

@@ -3,27 +3,45 @@
 namespace Dashboard\Unifi\Console;
 
 use App\Models\Setting;
+use Dashboard\Unifi\Models\UnifiCronRun;
 use Dashboard\Unifi\Models\UnifiPpsk;
 use Dashboard\Unifi\Services\UnifiApiClient;
 use Illuminate\Console\Command;
-use Illuminate\Support\Carbon;
 
 class RotatePasswords extends Command
 {
-    protected $signature   = 'unifi:rotate-passwords {--force : Run regardless of schedule}';
+    protected $signature   = 'unifi:rotate-passwords {--force : Run regardless of schedule} {--triggered-by=schedule}';
     protected $description = 'Rotate WiFi passwords for SSIDs configured with a wordlist schedule';
 
     public function handle(UnifiApiClient $unifi): int
     {
         if (! Setting::get('unifi.password_rotation.enabled')) {
+            // Don't log anything — the scheduler runs this every minute
+            // and we'd flood the logs with "rotation disabled" rows.
             return self::SUCCESS;
         }
 
+        if (! $this->option('force') && ! $this->isDue()) {
+            // Same reasoning — only log when we actually do something.
+            return self::SUCCESS;
+        }
+
+        $force = $this->option('force');
+        $triggeredBy = $this->option('triggered-by') ?: 'schedule';
+
+        $run = UnifiCronRun::record('rotate-passwords', $triggeredBy, null, function () use ($unifi, $force) {
             $wlanIdsJson = Setting::get('unifi.password_rotation.wlan_ids', '[]');
             $wlanIds     = json_decode($wlanIdsJson, true);
+            if (! is_array($wlanIds)) $wlanIds = [];
 
-        if (empty($wlanIds) || ! is_array($wlanIds)) {
+            $ppskQuery = UnifiPpsk::where('rotate_password', true)
-            return self::SUCCESS;
+                ->where('state', 'active')
+                ->whereNotNull('unifi_id');
+
+            // Skip only if there's nothing at all to rotate — neither
+            // whole-SSID rotation targets nor per-PPSK rotation opt-ins.
+            if (empty($wlanIds) && ! $ppskQuery->exists()) {
+                return ['status' => 'skipped', 'reason' => 'no SSIDs or PPSKs configured for rotation'];
             }
 
             $wordlist = Setting::get('unifi.password_rotation.wordlist', '');
@@ -31,48 +49,63 @@ class RotatePasswords extends Command
 
             if (empty($passwords)) {
                 $this->warn('Password rotation: no passwords in wordlist — skipped.');
-            return self::SUCCESS;
+                return ['status' => 'skipped', 'reason' => 'empty wordlist'];
-        }
-
-        if (! $this->option('force') && ! $this->isDue()) {
-            return self::SUCCESS;
             }
 
             $password   = $passwords[array_rand($passwords)];
-        $rotated  = 0;
+            $rotated    = [];
+            $failedWlans = [];
 
             foreach ($wlanIds as $wlanId) {
                 try {
                     $unifi->updateWlan($wlanId, ['x_passphrase' => $password]);
-                $rotated++;
+                    $rotated[] = $wlanId;
                 } catch (\Throwable $e) {
                     $this->error("Failed to rotate wlan {$wlanId}: {$e->getMessage()}");
+                    $failedWlans[] = ['wlan_id' => $wlanId, 'error' => $e->getMessage()];
                 }
             }
 
-        if ($rotated > 0) {
+            if ($rotated) {
                 Setting::set('unifi.password_rotation.last_rotated_at', now()->toIso8601String());
-            $this->info("Rotated password for {$rotated} SSID(s).");
+                $this->info('Rotated password for ' . count($rotated) . ' SSID(s).');
             }
 
-        // ── Rotate PPSK passwords ────────────────────────────────────────────
+            $rotatedPpsks = [];
-        $rotatedPpsks = 0;
+            $failedPpsks  = [];
-        foreach (UnifiPpsk::where('rotate_password', true)->where('state', 'active')->whereNotNull('unifi_id')->get() as $ppsk) {
+            foreach ($ppskQuery->get() as $ppsk) {
-            // Each PPSK gets its own independently-chosen password from the wordlist
                 $newPass = $passwords[array_rand($passwords)];
                 try {
+                    if (str_starts_with((string) $ppsk->unifi_id, 'emb_')) {
+                        // Embedded PPSK: update inside the parent WLAN object.
+                        // Synthetic ID is derived from the new passphrase, so update it too.
+                        $unifi->updateEmbeddedPpsk($ppsk->wlan_id, $ppsk->x_passphrase, $newPass);
+                        $newUid = 'emb_' . substr(hash('sha256', $ppsk->wlan_id . ':' . $newPass), 0, 32);
+                        $ppsk->update(['x_passphrase' => $newPass, 'unifi_id' => $newUid]);
+                    } else {
                         $unifi->updatePpsk($ppsk->unifi_id, ['x_passphrase' => $newPass]);
                         $ppsk->update(['x_passphrase' => $newPass]);
-                $rotatedPpsks++;
+                    }
+                    $rotatedPpsks[] = $ppsk->name;
                 } catch (\Throwable $e) {
                     $this->error("Failed to rotate PPSK \"{$ppsk->name}\": {$e->getMessage()}");
+                    $failedPpsks[] = ['name' => $ppsk->name, 'error' => $e->getMessage()];
                 }
             }
-        if ($rotatedPpsks > 0) {
-            $this->info("Rotated password for {$rotatedPpsks} PPSK(s).");
-        }
 
-        return self::SUCCESS;
+            $hasFailures = count($failedWlans) + count($failedPpsks) > 0;
+            $hasSuccess  = count($rotated) + count($rotatedPpsks) > 0;
+
+            return [
+                'status'         => $hasFailures ? ($hasSuccess ? 'partial' : 'failed') : 'succeeded',
+                'rotated_wlans'  => $rotated,
+                'failed_wlans'   => $failedWlans,
+                'rotated_ppsks'  => $rotatedPpsks,
+                'failed_ppsks'   => $failedPpsks,
+            ];
+        });
+
+        return $run->status === 'failed' ? self::FAILURE : self::SUCCESS;
     }
 
     private function isDue(): bool

src/Console/SyncPpskSchedules.php

@@ -3,38 +3,33 @@
 namespace Dashboard\Unifi\Console;
 
 use App\Models\Setting;
+use Dashboard\Unifi\Models\UnifiCronRun;
 use Dashboard\Unifi\Models\UnifiPpsk;
 use Dashboard\Unifi\Services\UnifiApiClient;
 use Illuminate\Console\Command;
 
 class SyncPpskSchedules extends Command
 {
-    protected $signature   = 'unifi:sync-ppsk-schedules {--force : Run even if PPSK scheduling is disabled}';
+    protected $signature   = 'unifi:sync-ppsk-schedules {--force : Run even if PPSK scheduling is disabled} {--triggered-by=schedule}';
     protected $description = 'Enable or disable PPSKs based on their weekly half-hour schedule, kicking active clients when disabling';
 
     public function handle(UnifiApiClient $unifi): int
     {
-        // Always run, even when global ppsk_scheduling is disabled — in
-        // that case the target state for every PPSK is "active" (always
-        // on). That way disabling the global setting actually restores
-        // any held PPSKs to active without operators having to do
-        // anything else, and null-schedule PPSKs always end up active.
-        // Schedules in the DB are preserved regardless of toggle state,
-        // so re-enabling resumes the per-PPSK schedule.
-        $globalEnabled = (bool) Setting::get('unifi.ppsk_scheduling.enabled');
-
-        $tz   = \App\Support\Timezone::current();
-        $now  = now($tz);
-        $day  = $now->dayOfWeek;                                 // 0=Sun … 6=Sat
-        $slot = $now->hour * 2 + ($now->minute >= 30 ? 1 : 0);  // 0–47
-
         $ppsks = UnifiPpsk::all();
-
         if ($ppsks->isEmpty()) {
+            // Don't bother logging — no work, no audit value.
             return self::SUCCESS;
         }
 
-        // Fetch network confs once so we can resolve vlan → networkconf_id on re-enable
+        $triggeredBy = $this->option('triggered-by') ?: 'schedule';
+
+        $run = UnifiCronRun::record('sync-ppsk-schedules', $triggeredBy, null, function () use ($unifi, $ppsks) {
+            $globalEnabled = (bool) Setting::get('unifi.ppsk_scheduling.enabled');
+            $tz   = \App\Support\Timezone::current();
+            $now  = now($tz);
+            $day  = $now->dayOfWeek;
+            $slot = $now->hour * 2 + ($now->minute >= 30 ? 1 : 0);
+
             $networksByVlan = [];
             try {
                 foreach ($unifi->getNetworkConfs() as $n) {
@@ -46,22 +41,44 @@ class SyncPpskSchedules extends Command
                 $this->warn("Could not fetch network configs: {$e->getMessage()}");
             }
 
+            $enabled  = [];
+            $disabled = [];
+            $errors   = [];
+
             foreach ($ppsks as $ppsk) {
-            // Default to "always on". Only consult the schedule if
-            // global scheduling is enabled AND this PPSK has one.
                 $shouldBeOn = true;
                 if ($globalEnabled && $ppsk->schedule) {
                     $shouldBeOn = (bool) ($ppsk->schedule[$day * 48 + $slot] ?? true);
                 }
 
+                try {
                     if ($shouldBeOn && $ppsk->state === 'held') {
                         $this->enablePpsk($ppsk, $unifi, $networksByVlan);
+                        $enabled[] = $ppsk->name;
                     } elseif (! $shouldBeOn && $ppsk->state === 'active' && $ppsk->unifi_id) {
                         $this->disablePpsk($ppsk, $unifi);
+                        $disabled[] = $ppsk->name;
+                    }
+                } catch (\Throwable $e) {
+                    $errors[] = ['ppsk' => $ppsk->name, 'error' => $e->getMessage()];
                 }
             }
 
-        return self::SUCCESS;
+            $hasActions = count($enabled) + count($disabled) > 0;
+            $status = count($errors) > 0
+                ? ($hasActions ? 'partial' : 'failed')
+                : ($hasActions ? 'succeeded' : 'skipped');
+
+            return [
+                'status'         => $status,
+                'global_enabled' => $globalEnabled,
+                'enabled_ppsks'  => $enabled,
+                'disabled_ppsks' => $disabled,
+                'errors'         => $errors,
+            ];
+        });
+
+        return $run->status === 'failed' ? self::FAILURE : self::SUCCESS;
     }
 
     private function enablePpsk(UnifiPpsk $ppsk, UnifiApiClient $unifi, array $networksByVlan): void

src/Http/Controllers/UnifiCronLogsController.php

@@ -0,0 +1,43 @@
+<?php
+
+namespace Dashboard\Unifi\Http\Controllers;
+
+use Dashboard\Unifi\Models\UnifiCronRun;
+use Illuminate\Http\Request;
+use Illuminate\Routing\Controller;
+
+class UnifiCronLogsController extends Controller
+{
+    public function index(Request $request)
+    {
+        $filters = $request->only(['command', 'status']);
+
+        $runs = UnifiCronRun::query()
+            ->with('triggeredByUser:id,name,email')
+            ->when($filters['command'] ?? null, fn ($q, $c) => $q->where('command', $c))
+            ->when($filters['status']  ?? null, fn ($q, $s) => $q->where('status',  $s))
+            ->orderByDesc('started_at')
+            ->limit(200)
+            ->get();
+
+        return response()->json([
+            'runs' => $runs->map(fn ($r) => [
+                'id'             => $r->id,
+                'command'        => $r->command,
+                'triggered_by'   => $r->triggered_by,
+                'triggered_user' => $r->triggeredByUser ? [
+                    'id'    => $r->triggeredByUser->id,
+                    'name'  => $r->triggeredByUser->name,
+                    'email' => $r->triggeredByUser->email,
+                ] : null,
+                'started_at'     => $r->started_at?->toIso8601String(),
+                'finished_at'    => $r->finished_at?->toIso8601String(),
+                'duration_ms'    => $r->finished_at && $r->started_at
+                    ? (int) $r->finished_at->diffInMilliseconds($r->started_at)
+                    : null,
+                'status'         => $r->status,
+                'details'        => $r->details,
+            ])->values(),
+        ]);
+    }
+}

src/Http/Controllers/UnifiPagesAccessController.php

@@ -34,6 +34,12 @@ class UnifiPagesAccessController extends Controller
             ->get()
             ->groupBy('nav_item_id');
 
+        // Only return users that ALREADY have grants. The full users list
+        // can be enormous (thousands of rows); the operator adds more via
+        // the searchUsers endpoint as needed.
+        $grantedUserIds = $grants->flatten(1)->where('grantee_type', 'user')->pluck('grantee_id')->unique();
+        $users = User::whereIn('id', $grantedUserIds)->orderBy('name')->get(['id', 'name', 'email']);
+
         return response()->json([
             'pages' => $pages->map(fn ($p) => [
                 'id'         => $p->id,
@@ -42,11 +48,34 @@ class UnifiPagesAccessController extends Controller
                 'user_ids'   => $grants->get($p->id, collect())->where('grantee_type', 'user')->pluck('grantee_id')->all(),
                 'group_ids'  => $grants->get($p->id, collect())->where('grantee_type', 'group')->pluck('grantee_id')->all(),
             ])->values(),
-            'users'  => User::orderBy('name')->get(['id', 'name', 'email']),
+            'users'  => $users,
             'groups' => Group::orderBy('name')->get(['id', 'name', 'is_super']),
         ]);
     }
 
+    /**
+     * Typeahead-style search for users to add to the access matrix.
+     * Returns up to 20 matches against name or email. Empty query returns
+     * an empty array — caller must enter at least 2 chars.
+     */
+    public function searchUsers(Request $request)
+    {
+        $q = trim((string) $request->query('q', ''));
+        if (strlen($q) < 2) {
+            return response()->json(['users' => []]);
+        }
+
+        $users = User::where(function ($w) use ($q) {
+            $w->where('name',  'like', '%' . $q . '%')
+              ->orWhere('email', 'like', '%' . $q . '%');
+        })
+            ->orderBy('name')
+            ->limit(20)
+            ->get(['id', 'name', 'email']);
+
+        return response()->json(['users' => $users]);
+    }
+
     public function update(Request $request, NavItem $navItem)
     {
         $app = DashboardApp::where('slug', 'unifi')->first();

src/Http/Controllers/WebhookController.php

@@ -68,20 +68,49 @@ class WebhookController extends Controller
 
     public function test(WebhookConfig $webhook)
     {
-        $payload = [
+        return $this->fireTest($webhook->url, $webhook->secret);
+    }
+
+    /**
+     * Test an arbitrary URL+secret before the webhook is saved. Lets the
+     * operator validate their endpoint from the form without first
+     * committing a row.
+     */
+    public function testUrl(Request $request)
+    {
+        $data = $request->validate([
+            'url'    => 'required|url|max:500',
+            'secret' => 'nullable|string|max:255',
+        ]);
+        return $this->fireTest($data['url'], $data['secret'] ?? null);
+    }
+
+    private function fireTest(string $url, ?string $secret)
+    {
+        $message = '✅ Test webhook from ' . config('app.name') . ' — endpoint is reachable.';
+        $genericPayload = [
             'event'     => 'test',
             'timestamp' => now()->toIso8601String(),
-            'data'      => ['message' => 'This is a test webhook from ' . config('app.name')],
+            'message'   => $message,
+            'data'      => ['message' => $message],
         ];
+        // Shape the payload to match the target platform (Google Chat,
+        // Slack, Discord, Teams) so the test exercises the same code
+        // path real events use.
+        $payload = \Dashboard\Unifi\Services\WebhookCheckService::buildPlatformPayload($url, $message, $genericPayload);
 
         $headers = ['Content-Type' => 'application/json'];
-        if ($webhook->secret) {
+        if ($secret) {
-            $headers['X-Webhook-Signature'] = hash_hmac('sha256', json_encode($payload), $webhook->secret);
+            $headers['X-Webhook-Signature'] = hash_hmac('sha256', json_encode($payload), $secret);
         }
 
         try {
-            $response = \Illuminate\Support\Facades\Http::withHeaders($headers)->timeout(10)->post($webhook->url, $payload);
+            $response = \Illuminate\Support\Facades\Http::withHeaders($headers)->timeout(10)->post($url, $payload);
-            return response()->json(['ok' => true, 'status' => $response->status()]);
+            return response()->json([
+                'ok'     => $response->successful(),
+                'status' => $response->status(),
+                'body'   => mb_substr((string) $response->body(), 0, 500),
+            ]);
         } catch (\Throwable $e) {
             return response()->json(['ok' => false, 'error' => $e->getMessage()], 422);
         }

src/Http/Controllers/WifiController.php

@@ -291,11 +291,18 @@ class WifiController extends Controller
                     fn ($v) => $v !== null
                 );
                 if (! empty($unifiUpdate)) {
+                    if (str_starts_with($record->unifi_id, 'emb_') && isset($unifiUpdate['x_passphrase'])) {
+                        // Embedded PPSK update path — modify the WLAN's embedded array.
+                        $unifi->updateEmbeddedPpsk($record->wlan_id, $record->x_passphrase, $unifiUpdate['x_passphrase']);
+                        // Synthetic id is derived from the new passphrase.
+                        $data['unifi_id'] = 'emb_' . substr(hash('sha256', $record->wlan_id . ':' . $unifiUpdate['x_passphrase']), 0, 32);
+                    } else {
                         $unifi->updatePpsk($record->unifi_id, $unifiUpdate);
                     }
                 }
+            }
 
-            $dbUpdate = array_intersect_key($data, array_flip(['name', 'x_passphrase']));
+            $dbUpdate = array_intersect_key($data, array_flip(['name', 'x_passphrase', 'unifi_id']));
             // vlan can be explicitly set to null
             if (array_key_exists('vlan', $data)) $dbUpdate['vlan'] = $data['vlan'];
             if (! empty($dbUpdate)) $record->update($dbUpdate);

src/Models/UnifiCronRun.php

@@ -0,0 +1,79 @@
+<?php
+
+namespace Dashboard\Unifi\Models;
+
+use Illuminate\Database\Eloquent\Model;
+
+class UnifiCronRun extends Model
+{
+    protected $table = 'unifi_cron_runs';
+
+    public $timestamps = false;
+
+    protected $fillable = [
+        'command',
+        'triggered_by',
+        'triggered_by_user_id',
+        'started_at',
+        'finished_at',
+        'status',
+        'details',
+    ];
+
+    protected $casts = [
+        'started_at'  => 'datetime',
+        'finished_at' => 'datetime',
+        'details'     => 'array',
+    ];
+
+    public function triggeredByUser()
+    {
+        return $this->belongsTo(\App\Models\User::class, 'triggered_by_user_id');
+    }
+
+    /**
+     * Wraps a unit of cron work, recording start/finish/status and any
+     * exception. Returns whatever the work returns; the resulting
+     * UnifiCronRun row is returned via the $run reference param.
+     */
+    public static function record(string $command, string $triggeredBy, ?int $userId, callable $work): self
+    {
+        $run = static::create([
+            'command'              => $command,
+            'triggered_by'         => $triggeredBy,
+            'triggered_by_user_id' => $userId,
+            'started_at'           => now(),
+            'status'               => 'running',
+        ]);
+
+        try {
+            $details = $work($run);
+
+            // Caller can return a status string ("skipped", "partial",
+            // etc.) by sticking it under the 'status' key in details.
+            // Default = succeeded.
+            $status = is_array($details) && isset($details['status'])
+                ? $details['status']
+                : 'succeeded';
+
+            $run->update([
+                'finished_at' => now(),
+                'status'      => $status,
+                'details'     => is_array($details) ? array_diff_key($details, ['status' => null]) : null,
+            ]);
+        } catch (\Throwable $e) {
+            $run->update([
+                'finished_at' => now(),
+                'status'      => 'failed',
+                'details'     => [
+                    'error'  => $e->getMessage(),
+                    'class'  => $e::class,
+                    'file'   => $e->getFile() . ':' . $e->getLine(),
+                ],
+            ]);
+            throw $e;
+        }
+
+        return $run->refresh();
+    }
+}

src/Services/UnifiApiClient.php

@@ -496,6 +496,63 @@ class UnifiApiClient
         return $this->normalizePpsk(is_array($result) && isset($result[0]) ? $result : [$result]);
     }
 
+    /**
+     * Update an embedded PPSK (one that lives inside a WLAN's
+     * private_preshared_keys array rather than as its own REST resource).
+     *
+     * Matching is done by current passphrase since embedded entries have
+     * no controller-side ID. Only changes the entry's passphrase; name
+     * isn't separately addressable on embedded PPSKs.
+     */
+    public function updateEmbeddedPpsk(string $wlanId, string $oldPassphrase, string $newPassphrase): array
+    {
+        $wlanResp = $this->get("/rest/wlanconf/{$wlanId}");
+        $wlan     = $wlanResp[0] ?? $wlanResp;
+        $entries  = $wlan['private_preshared_keys'] ?? [];
+
+        if (! is_array($entries) || empty($entries)) {
+            throw new \RuntimeException('WLAN has no embedded PPSKs to update.');
+        }
+
+        $matched = false;
+        foreach ($entries as &$e) {
+            $current = $e['x_passphrase'] ?? $e['password'] ?? $e['passphrase'] ?? null;
+            if ($current === $oldPassphrase) {
+                // Preserve whichever field name the controller is using.
+                if (array_key_exists('x_passphrase', $e))  $e['x_passphrase'] = $newPassphrase;
+                if (array_key_exists('password', $e))       $e['password']     = $newPassphrase;
+                if (array_key_exists('passphrase', $e))     $e['passphrase']   = $newPassphrase;
+                // If none of the above existed, default to password (most common on embedded).
+                if (! isset($e['x_passphrase']) && ! isset($e['password']) && ! isset($e['passphrase'])) {
+                    $e['password'] = $newPassphrase;
+                }
+                $matched = true;
+                break;
+            }
+        }
+        unset($e);
+
+        if (! $matched) {
+            throw new \RuntimeException('Embedded PPSK not found by current passphrase.');
+        }
+
+        // UniFi REST expects the full WLAN object on PUT — send what we
+        // got back, with the mutated PPSK array.
+        $payload = $wlan;
+        $payload['private_preshared_keys'] = $entries;
+        // Strip internal fields the controller rejects on PUT.
+        unset($payload['_id'], $payload['site_id']);
+
+        $this->put("/rest/wlanconf/{$wlanId}", $payload);
+
+        // Return a normalized record so callers can read the new state.
+        return $this->normalizePpsk([[
+            '_id'          => 'emb_' . substr(hash('sha256', $wlanId . ':' . $newPassphrase), 0, 32),
+            'wlan_id'      => $wlanId,
+            'x_passphrase' => $newPassphrase,
+        ]]);
+    }
+
     public function deletePpsk(string $ppskId): void
     {
         // Try v2 hotspot endpoint first

src/Services/WebhookCheckService.php

@@ -580,6 +580,15 @@ class WebhookCheckService
     }
 
     private function formatPayloadForPlatform(string $url, string $message, array $fullPayload): array
+    {
+        return self::buildPlatformPayload($url, $message, $fullPayload);
+    }
+
+    /**
+     * Public/static helper so the test-webhook endpoint produces the
+     * same per-platform payload shape that real events do.
+     */
+    public static function buildPlatformPayload(string $url, string $message, array $fullPayload): array
     {
         if (str_contains($url, 'chat.googleapis.com'))                                          return ['text'    => $message];
         if (str_contains($url, 'hooks.slack.com'))                                              return ['text'    => $message];

src/routes/unifi.php

@@ -4,6 +4,7 @@ use Dashboard\Unifi\Http\Controllers\ClientController;
 use Dashboard\Unifi\Http\Controllers\DeviceController;
 use Dashboard\Unifi\Http\Controllers\PortalController;
 use Dashboard\Unifi\Http\Controllers\StatsController;
+use Dashboard\Unifi\Http\Controllers\UnifiCronLogsController;
 use Dashboard\Unifi\Http\Controllers\UnifiPagesAccessController;
 use Dashboard\Unifi\Http\Controllers\UnifiSettingsController;
 use Dashboard\Unifi\Http\Controllers\VlanGroupController;
@@ -75,15 +76,20 @@ Route::middleware(['web', 'auth', 'app.access:unifi'])
             // operators assign per-page user/group grants.
             Route::middleware('super.admin')->group(function () {
                 Route::get('/settings/pages-access',                [UnifiPagesAccessController::class, 'index'])      ->name('settings.pages-access.index');
+                Route::get('/settings/pages-access/users/search',   [UnifiPagesAccessController::class, 'searchUsers'])->name('settings.pages-access.users.search');
                 Route::put('/settings/pages-access/{navItem}',      [UnifiPagesAccessController::class, 'update'])     ->name('settings.pages-access.update');
             });
 
-            // Webhooks
+            // Cron logs — read-only history of scheduled-task runs.
-            Route::get('/webhooks',                    [WebhookController::class, 'index'])  ->name('webhooks.index');
+            Route::get('/settings/cron-logs', [UnifiCronLogsController::class, 'index'])->name('settings.cron-logs.index');
-            Route::post('/webhooks',                   [WebhookController::class, 'store'])  ->name('webhooks.store');
+
-            Route::put('/webhooks/{webhook}',          [WebhookController::class, 'update']) ->name('webhooks.update');
+            // Webhooks — lives under /settings/* so it reads as a settings tab.
-            Route::delete('/webhooks/{webhook}',       [WebhookController::class, 'destroy'])->name('webhooks.destroy');
+            Route::get('/settings/webhooks',                    [WebhookController::class, 'index'])  ->name('webhooks.index');
-            Route::post('/webhooks/{webhook}/test',    [WebhookController::class, 'test'])   ->name('webhooks.test');
+            Route::post('/settings/webhooks',                   [WebhookController::class, 'store'])  ->name('webhooks.store');
+            Route::put('/settings/webhooks/{webhook}',          [WebhookController::class, 'update']) ->name('webhooks.update');
+            Route::delete('/settings/webhooks/{webhook}',       [WebhookController::class, 'destroy'])->name('webhooks.destroy');
+            Route::post('/settings/webhooks/{webhook}/test',    [WebhookController::class, 'test'])   ->name('webhooks.test');
+            Route::post('/settings/webhooks/test-url',          [WebhookController::class, 'testUrl'])->name('webhooks.test-url');
         });
     });