Trek_CN/wiki/_Sidebar.md

110 lines
3.3 KiB
Markdown
Raw Normal View History

## Getting Started
- [[Home]]
- [[Quick Start|Quick-Start]]
- [[Install: Docker|Install-Docker]]
- [[Install: Docker Compose|Install-Docker-Compose]]
- [[Install: Helm|Install-Helm]]
- [[Install: Proxmox VE (LXC)|Install-Proxmox]]
- [[Install: Unraid|Install-Unraid]]
- [[Install: Portainer|Install-Portainer]]
- [[Reverse Proxy|Reverse-Proxy]]
- [[Environment Variables|Environment-Variables]]
- [[Updating]]
## Account & Auth
- [[Login and Registration|Login-and-Registration]]
- [[OIDC SSO|OIDC-SSO]]
- [[Two-Factor Authentication|Two-Factor-Authentication]]
- [[Password Reset|Password-Reset]]
- [[User Settings|User-Settings]]
- [[Display Settings|Display-Settings]]
- [[Map Settings|Map-Settings]]
- [[Notifications]]
- [[Offline Mode and PWA|Offline-Mode-and-PWA]]
- [[Languages]]
## Planning Trips
- [[My Trips Dashboard|My-Trips-Dashboard]]
- [[Creating a Trip|Creating-a-Trip]]
- [[Trip Members and Sharing|Trip-Members-and-Sharing]]
- [[Trip Planner Overview|Trip-Planner-Overview]]
- [[Places and Search|Places-and-Search]]
- [[Day Plans and Notes|Day-Plans-and-Notes]]
- [[Map Features|Map-Features]]
- [[Route Optimization|Route-Optimization]]
- [[Weather Forecasts|Weather-Forecasts]]
## Travel Management
- [[Reservations and Bookings|Reservations-and-Bookings]]
3.2.0 (#1426) * docs(wiki): document the snap Docker + no-new-privileges startup failure * fix(setup): warn when ADMIN_EMAIL/ADMIN_PASSWORD are ignored, ship reset-admin The first-run seeder only applies ADMIN_EMAIL/ADMIN_PASSWORD on an empty database and then silently ignores them. People add the vars after the first boot, or pull a fresh image without clearing ./data, restart, and cannot log in with no hint why (#1339). The default is a generated password (not the .env.example placeholder), printed once in the first-run box. Now: warn loudly when the vars are set but a user already exists, and warn on a partial (one-of-two) config instead of quietly falling back. Also ship the reset-admin recovery script in the image -- it was never COPYed in despite the wiki referencing it. node server/reset-admin.js resets/creates admin@trek.local with a generated password (RESET_ADMIN_EMAIL/RESET_ADMIN_PASSWORD overridable), picks a free username so it cannot trip UNIQUE(username), and sets must_change_password. * feat(extract): extract data using LLM * fix(extract): auto-run the AI fallback when the addon is enabled Booking import only fell back to the LLM when each user flipped an 'always retry with AI' toggle, so by default files kitinerary returned nothing for just failed. Run the fallback automatically whenever the AI Parsing addon is on (fallback-on-empty); drop the now-redundant per-user toggle and its setting. * fix(extract): make AI imports reliable and fast on local models client: the import call inherited the global 8s axios timeout and aborted long LLM extractions even though the server finished it; remove the timeout. server: raise the OpenAI-compatible LLM timeout 60s->180s (a cold Ollama model can take ~45s to first token). server: cap extracted text to 8000 chars before the LLM - multi-page T&C tails (30k+ chars) overflowed the context window, truncating the relevant head and making CPU inference crawl; booking details sit at the top. * feat(extract): fill transport/booking fields, geocode endpoints, assign days - rental car: request+map dropoffLocation, emit pickup->return from/to endpoints, set a location string (G1/G2/G3). - geocode endpoints (stations/stops/terminals/rental desks) on confirm via Nominatim; mapper now emits coordless named endpoints and confirm persists only the geocoded ones (G6). - assign every dated booking to the nearest trip day so it still shows when slightly out of range, and keep hotel accommodation from vanishing when a check date misses (G5/G10). - fix bus mislabelled as train + add bus_number metadata (G7/G8), flag malformed boats (G9), accept root start/end time for events (G11). - raise the local-LLM timeout to 300s for CPU-only Ollama. * perf(extract): cap LLM input at 4000 chars for CPU-only speed On a GPU-less host the model's prompt-eval time scales with input length and dominates total latency. Booking details sit at the top of a confirmation, so capping the extracted text at 4000 chars (was 8000) roughly halves extraction time (~50s warm for a capable local 7B model) with no loss of fields on real hotel/rental confirmations. Tunable if a long multi-segment itinerary needs more. * feat(extract): capture seat, class, platform, price + event venue contact Request and map root-level seat/class/platform and a total price/currency into reservation metadata (shown on the card; price reuses the existing label). Read both the root and reservationFor and tolerate common field-name aliases (priceAmount, priceCurrencyISO4217Code, fareClass, ...) since models name these inconsistently. Also capture event/attraction venue telephone + url onto the auto-created place, matching lodging/restaurant. * feat(extract): create a linked cost from the booking price on import When a confirmation carries a total price, record it as a real expense linked to the reservation (in the matching Costs category) instead of leaving the amount in metadata only. Gated on the Costs addon. * fix(extract): refresh accommodations after a booking import A freshly imported hotel links to an accommodation that lives outside the trip store, so loadTrip alone left the reservation edit modal with blank place/date fields. Reload the accommodations list once the import finishes. * feat(extract): drive NuExtract with its native template NuExtract isn't an instruct model — fed a plain chat prompt it just echoes the schema back. Detect a NuExtract model by id and talk to it the way the model cards document: the JSON template inlined in a single user message, no system prompt, no json_schema, temperature 0. Its flat result is mapped back to the same KiReservation shape the rest of the pipeline already uses, so nothing downstream changes; every other model keeps the generic prompt. Money is taken as a verbatim string and parsed locally (German "1.580,22 €" otherwise comes back as 1.49772), a rental car's pickup/return ride the from/to fields so a stray form label doesn't become the location, and a lodging with no name falls back to its address instead of being dropped. * fix(admin): tidy the AI parsing settings and recommend the 2B model The provider picker is the shared CustomSelect now and the form is split into clear sections rather than a flat stack of inputs. NuExtract 2.0 2B is the recommended default — fastest on a CPU-only host and MIT licensed; the 4B carries a non-commercial licence, so it's no longer flagged as recommended. * feat(import): review each parsed booking before it's saved Instead of writing parsed items straight to the trip, the import opens the normal edit modal pre-filled for each one, so you can check and fix it before saving — useful when a model guesses a wrong date or address. Hotels gained an editable address field; on save an existing place is matched by name, otherwise the reviewed address is geocoded and a new place is created. * feat(extract): drive local parsing through a layered extraction router The single-shot prompt was unreliable on multi-leg flights and longer documents, and slow on a CPU host. For the local provider, run a small router instead: - deterministic vendor templates first, with no model call at all - exactly one grammar-enforced call per document via Ollama's native `format` (flights as a flat array of legs, everything else as one flat reservation, the type picked from keywords or a union schema) - booking-wide fields (booking reference, total price, the overnight arrival day) filled deterministically from the text afterwards, and dates coerced to ISO so a natural-language date can't slip through Recommend qwen2.5 in the AI-parsing settings instead of NuExtract. * feat(import): parse bookings in the background with a progress widget Parsing a booking can take a while on a CPU host, so don't hold the upload modal open for it. The async import endpoint returns a job id right away; the parse runs server-side (one at a time per user) and pushes progress over the user's WebSocket, and a small widget in the bottom corner tracks it while the user keeps navigating and editing. A finished job opens the per-item review from the widget. * fix(import): create linked costs and accommodations from reviewed bookings Reviewing an imported booking saves it through the normal reservation form, which dropped the parsed price (so no linked cost was created) and only created the accommodation when both nights matched a trip day. Carry the parsed price into a linked cost on save, and create the accommodation from whichever day the check-in/out dates resolve to. * feat(extract): add Expedia and rental-broker booking templates Pull the hotel/rental fields these vendors print in a stable text layout (name, address, stay/pickup dates, price, reference) deterministically, so the import stops depending on the local model for them. Handles German long/abbreviated months and English dates incl. 12-hour and comma forms. * fix(extract): backfill booking code/total and harden the reference match Apply the deterministic confirmation-code and total fill to vendor-template results too (not just model output), and require the captured reference to contain a digit so a bare 'Confirmation'/'Reference' label no longer grabs the next prose word. * fix(import): keep the parse-progress widget across a reload Persist the background-import tasks (id/trip/status only) and re-fetch each job's status on mount, so a parse still running when the page reloads keeps its widget instead of vanishing; expired jobs (404) are dropped and a restored 'done' task re-fetches its items. * fix(reservations): skip un-geocoded endpoints instead of failing the save reservation_endpoints.lat/lng are NOT NULL, so saving a reviewed transport whose pick-up/return couldn't be geocoded threw a 500 and lost the whole booking (dates, linked cost). Skip those rows; the dates still persist on reservation_time/reservation_end_time. * fix(import): resolve an imported transport's day from its parsed dates A reviewed transport (e.g. a rental car) arrived with only its parsed pick-up/return dates and no day_id, so the modal kept just the time and saved a bare "HH:MM" with no date. Resolve start/end day from the parsed dates (exact match, else nearest trip day) so the booking lands on the right days. * fix(import): refresh costs after a booking review so imported expenses appear without a reload Imported bookings auto-create their linked budget items server-side, but the saving client suppresses its own budget:created echo, so the Costs list stayed stale until a manual reload. Reload the budget items when the review session ends. * refactor(extract): dedupe currency/day helpers, drop redundant casts, support JPY vouchers Code-audit clean-ups: share one normCurrency between the router and the templates, lift the duplicated nearest-day resolver into formatters.resolveDayId, drop two needless as-unknown-as casts at the fillBookingWideFields call sites, restore routeExtraction's doc comment, and give the broker template readable names. Plus recognise ¥/JPY and fall back to a standalone symbol amount, so a Klook-style voucher whose price sits far from any label still yields a cost. * feat(import): attach the parsed source document to each booking Keep the uploaded files on the background task and hand them to the review flow, so each reviewed booking pre-fills its Files with the document it was parsed from (uploaded with the booking on save). The two modals also adopt the shared resolveDayId helper. * fix(extract): disable model thinking for grammar-constrained extraction Hybrid/reasoning models (Qwen3 and similar) default to emitting reasoning tokens, which collide with Ollama's format-grammar constraint — on CPU this produced null/unparseable output and blew the latency budget (qwen3:8b: null or 300s timeouts vs ~20s with thinking off). Send think:false on the /api/chat call; Ollama ignores it for non-thinking models (verified on qwen2.5:7b), so it's safe and unlocks the stronger Qwen3 family. * feat(extract): recommend Qwen3-8B as the local extraction model A/B against the prior default (qwen2.5:7b) on CPU showed Qwen3-8B is both faster and more accurate on tricky/multilingual booking docs (correct Airbnb year+price, correct DisneySea admission date), once thinking is disabled — which the router now does. Feature it as the recommended pull, keep qwen2.5:7b as the fallback. * refactor(extract): drop vendor templates, let the model drive with deterministic backfill Now that a capable instruct model (Qwen3-8B, thinking off) reads name/address/dates/legs reliably across formats, the per-vendor template short-circuit distorted more than it fixed: brittle on layout variations and overriding the better model output. Remove the template layer; the model extracts the structure and Schicht 2 backfills the confirmation/total and takes the currency from the document's own symbol (correcting model misreads like ¥→$). Per-type prompts now also ask for address and price/currency. * fix(extract): require the hotel address and ask for the rental company After dropping the vendor templates, the model skipped the (often unlabeled) Expedia-style hotel address — making address a required schema field forces it to emit the street-address line, restoring the booking's location/place. Also hint the rental company so a car booking gets a real title instead of the generic fallback. * fix(import): refresh costs immediately after an imported booking is saved The saving client gets no budget:created echo (X-Socket-Id) and the create response omits the linked budget item, so the booking's Costs section and the Costs tab stayed stale until a manual reload. Reload the budget items right after a create that carried a budget entry. * perf(extract): cap single-booking text tighter; require rental company A long single-booking PDF (e.g. an 11-page rental voucher) spent ~200s on CPU prompt-eval at the 16k cap, though its data sits in the first ~2k. Cap non-flight docs at 6k (flights keep 16k for all legs). Also make the rental operator a required field so the car gets a real title. * fix(import): preview the parsed cost as linked in the review modal During the per-item import review the booking isn't saved yet, so the Costs section showed an empty 'Create expense' even though a linked cost will be created on save. Show the parsed price (amount + category) as the pending linked expense so the user can verify it up front. Reuses existing i18n keys. * fix(import): persist source files in IndexedDB so attach survives a reload The source document was only kept in memory on the background task, so a page reload during the (now always-LLM ~25s) parse lost it and the booking saved without its file. Store the uploaded files in IndexedDB keyed by job id; the review loads them from there when the in-memory copy is gone, and a 1h TTL prunes abandoned imports. * chore(extract): recommend only Qwen3-8B (drop Qwen2.5 from the curated list) Qwen3-8B is the identified default; the prior Qwen2.5 entries are no longer needed in the pull list. * feat(settings): let users set their own AI parsing model Adds an "AI parsing" section under Settings -> Integrations where a user can choose the LLM provider, model, base URL, API key and multimodal option used for booking extraction. This per-user config applies when an admin has not configured an instance-wide model. Reuses the existing encrypted user settings: the API key is stored encrypted, never prefilled, and a blank field keeps the stored one. Adds settings.aiParsing.* across all 20 locales. * fix(settings): show the Integrations tab when only AI parsing is enabled hasIntegrations gated the tab on memories/mcp/airtrail only, so a user with just the llm_parsing addon enabled saw no Integrations tab and could not reach the AI parsing config. Include llmEnabled in the gate. * feat(settings): use the shared custom dropdown for the AI parsing provider Swap the native select for CustomSelect so the provider picker matches the rest of the app's styling (dark mode, portal dropdown). * refactor(planner): move the import-review bridge effect into the page hook TripPlannerPage held a useEffect (the background-import → review bridge), which trips the page-pattern check (pages must stay wiring containers). Move the effect and its store/IndexedDB wiring into useTripPlanner where the rest of the import-review state already lives. * test(llm-parse): cover the extraction router, client factory and import jobs The new LLM extraction router shipped with little branch coverage, dropping src/nest below the 80% gate. Add unit tests for routeExtraction (flights/single/union/error paths, deterministic booking-wide fill), the native Ollama format client, the provider factory, the local-router service path with its type-aware text cap, the flat->schema.org mapper's remaining reservation types, and the background import-jobs runner. Also remove the now-unused validate.ts (only its FlatLike type was still referenced; moved to flat-schemas). * test(setup): stub websocket addListener/removeListener in the global mock BackgroundTasksWidget (mounted globally in App) subscribes via addListener/removeListener from api/websocket, but the global test mock didn't export them, so every test that renders <App/> threw on mount. Add the two stubs. (Surfaced now that the page-pattern check passes and the client test step actually runs.) * fix(i18n): add Swedish translations for the AI booking-import settings The Swedish (sv) locale landed on dev (#1325) after this branch added the AI-parsing settings/reservation keys to the other locales, so sv was missing them — strict i18n key parity failed after rebasing onto dev. Adds the 3 reservations.import.* and 17 settings.aiParsing/aiAlwaysRetry keys in sv. * fix(extract): don't let the day-clamp fallback break reservation resync (#1288) This branch added a clamp-to-nearest-day fallback to resolveDayIdFromTime so an imported booking whose exact date has no day row still lands on a day. After rebasing onto dev, that collided with #1288's resyncReservationDays, which relies on the original "null when no exact day" semantics to leave a booking whose date now falls outside the range untouched — instead it snapped to an edge day (TRIP-SVC-019 failed: expected day_id kept, got the clamped one). Make clampToNearest an opt-in parameter (default true, preserving the import behaviour for create/update) and have resyncReservationDays pass false, so out-of-range bookings keep their day_id. Full server suite green (4082). * Added focus to search places in placeFormModal * fix(airtrail): import departure/arrival times for manually-entered flights (#1336) The mapper read only `departureScheduled`/`arrivalScheduled`, but those columns are optional in AirTrail and stay null for manually-entered flights — where `departure`/`arrival` are the only times set. So the import dropped the departure clock (date-only) and the whole arrival (no date, no time), exactly as reported. AirTrail's own rule is "use departure if available, otherwise fall back to departureScheduled". Mirror that: prefer the scheduled instant, fall back to the primary departure/arrival, in mapFlightToReservation, normalizeFlight, and the sync hash. Hashing the resolved instant means flights already imported without a scheduled time re-sync once and pick up their clock automatically; flights that do have scheduled times are unaffected (no spurious re-sync). Tests: 3 new mapper cases (fallback mapping, picker preview, hash tracking); two existing cases that asserted the scheduled-only behaviour updated to the "neither time set" case. Full server suite green (4085). * fix(pwa): stop unregistering the service worker on offline boot (#1346) Opening the installed PWA offline showed Chrome's "no internet" page instead of the cached app. On boot the axios response interceptor reacts to a failed request with no response by probing /api/health; the probe collapsed "genuinely offline" and "edge-proxy auth wall" into a single reachable=false, so the interceptor unregistered the service worker and reloaded — straight into a dead network. navigator.onLine is true on mobile while offline, so the existing guard didn't help. This also defeated the offline data layer (withOfflineFallback, authStore's offline branch), which runs later in the chain. Fix: connectivity.probe() now returns a discriminated state ('online' | 'offline' | 'proxy-wall'). A fetch that throws, or navigator.onLine false, is 'offline'; a cross-origin redirect (CF Access, via redirect:'manual' → opaqueredirect) or an HTML auth wall (Pangolin) is 'proxy-wall'. The interceptor only tears down the SW on 'proxy-wall'; on plain offline it lets the request reject so the cached shell + IndexedDB serve the app. CF Access / Pangolin reauth still works — the proxy always presents a reachable redirect or HTML wall, which the probe now detects positively. Regression dates to v3.0.16 (#964), surfaced by the 3.1.0 rewrite. Tests: 6 new connectivity cases (offline/online/proxy-wall discrimination); client tsc clean, full client suite green (2850). * fix(map): keep the mobile GPS button above the day-detail panel (#1348) On mobile the location (GPS) FAB sat at bottom: calc(var(--bottom-nav-h) + 12px), which only clears the bottom nav. When a day is selected, DayDetailPanel slides up over the map from bottom: navh+20 and spans nearly full width at z-index 10000, covering the button's band — so the button was hidden behind it. DayDetailPanel now publishes its live measured height to a root CSS var --day-panel-h (ResizeObserver, reset to 0 on unmount), and both map renderers lift the button above the panel when it's open, reusing the hasDayDetail prop they already receive: hasDayDetail ? calc(var(--bottom-nav-h) + 20px + var(--day-panel-h) + 12px) : calc(var(--bottom-nav-h) + 12px) Applied to both the Leaflet (MapView) and GL (MapViewGL) renderers. When the panel closes, hasDayDetail is false and the offset falls back to the bottom-nav value. Desktop is unaffected — the button is mobile-only. Tests: new DayDetailPanel case asserting --day-panel-h is published and reset on unmount; client tsc clean, full client suite green (2851). * feat(mobile): make the bottom-nav "+" context-aware per trip tab (#1349) On mobile the bottom-nav "+" always created a new place (except on the Costs tab, where it added an expense). It now matches the active trip tab: Bookings adds a reservation, Transports adds a transport, Costs adds an expense, and everything else (Plan, plus tabs that have no create modal — Lists / Files / Collab) keeps adding a place. Follows the existing ?create=<intent> pattern: BottomNav.useCreateAction emits the per-tab intent, and useTripPlanner consumes create=reservation|transport to open the booking / transport modals (both already mounted at page level). Place and expense were already wired; this just extends the mapping. Tests: 4 new BottomNav cases (plan/bookings/transports/costs → correct intent + navigate target); client tsc clean, full client suite green (2855). Implements mauriceboe/TREK#1349 * [+] Unsplash * [+] i18n * feat(trips): download chosen Unsplash covers into uploads (#1277) Previously a selected Unsplash photo was stored as a remote images.unsplash.com hot-link, so covers broke offline and on link rot. The trip PUT handler now fetches the picked image through the SSRF guard and saves it under uploads/covers, rewriting cover_image to the local path (502 if the download fails). Also debounces the cover search so a slow earlier request can no longer overwrite newer results, drops a dead userId parameter, and reverts an unrelated vite proxy change. * test(trips): cover the Unsplash cover download and search-race guard (#1277) Adds unit coverage for saveUnsplashCover (host check, content-type and size limits, download failure), the searchUnsplashPhotos error and success paths, and the PUT handler internalising a hot-link. Updates the existing PUT tests for the now-async handler. * fix(docker): keep server/reset-admin.js in the build context (#1339) The Dockerfile copies server/reset-admin.js (the admin recovery script), but .dockerignore also listed it, so it was stripped from the build context and the image build failed with a not-found error. Drop the ignore entry so the COPY resolves again. * fix(llm): stop the browser autofilling the LLM base URL (#1301) The AI-parsing base URL and model inputs had no autoComplete, so a browser password manager could drop the saved login email into the base URL field. In the admin addon config onBlur then fired a model lookup against e.g. "admin@trek.local", which the server rejected with 400. Mark the base URL and model inputs as type=url / autoComplete=off in both the admin addon config and the per-user connection section. * feat(appearance): add per-user appearance config contract Shared AppearanceConfig (color scheme, accent, transparency, per-tier type scale, density, reduce-motion and per-device dashboard widgets) stored as one JSON blob under the existing settings key. normalizeAppearance never throws, so a malformed/partial/future blob degrades to the neutral default and can never reach the DOM. No DB migration; the default reproduces today's look exactly. * feat(appearance): token-driven theme engine with schemes and FOUC-safe boot applyAppearance is the single writer of styling to the DOM (the .dark class plus data-scheme/-no-transparency/-density/-reduce-motion and the custom-accent/type-scale CSS vars). An external pre-paint /theme-boot.js replays a cached snapshot before first paint and complies with the production CSP (script-src 'self'), fixing the long-standing theme FOUC. Adds seven color schemes (incl. a true high-contrast that raises neutral contrast), a custom accent with auto-derived legible text, an extended token layer (accent variants, status/shadow/overlay/inverse), a scheme-gated legacy accent bridge, and a transparency-off layer. The default scheme sets no attributes, so existing users are unaffected. * feat(settings): appearance settings tab New Appearance tab with color mode (moved out of Display), color-scheme swatches, a custom accent picker with a live WCAG contrast hint, transparency and reduce-motion toggles, density, a global text-size slider with advanced per-tier controls, and per-device dashboard widget toggles. Edits preview live and commit on a short debounce. i18n keys added across all locales, translated for German. * feat(dashboard): per-device widget visibility with layout reflow Dashboard widgets (currency, timezones, upcoming reservations, atlas and the stat tiles) can be shown or hidden independently on desktop and mobile from the appearance settings. The stat grid spreads its visible tiles to full width, and disabling the right sidebar collapses the layout to a single centered column. * chore(appearance): add theme:lint guard for hardcoded styles A theme:lint script (modeled on i18n:parity) flags new inline color/fontSize literals and arbitrary-hex Tailwind classes that bypass the design tokens, so future code stays themeable. Map/PDF surfaces are exempt. The token taxonomy and the six theming rules are documented in src/theme/README.md. * fix(appearance): scale inline px font sizes so text-size reaches all content The global text-size control only set the root font-size, which scales rem-based text (navbar, menus) but not the dense inline px sizes used across the trip planner, budget, journey and panels — so place titles and addresses stayed fixed. applyAppearance now also exposes the factor as --fs-scale-text, and a codemod wraps inline numeric fontSize in calc(<px> * var(--fs-scale-text, 1)) across components and pages (map popups and PDF excluded). Sizes are byte-identical at 100%; the control now visibly resizes the actual content. * fix(appearance): clearer widget settings, density hint, solid surfaces with transparency off Dashboard widget settings are grouped by where they sit on the dashboard (below the hero / right sidebar / bottom of page); the right-sidebar master toggle now nests its individual widgets and greys them out when the sidebar is off, instead of a confusing flat list mixing the master with its children. Density gains an explanatory hint plus a real compact spacing effect. Transparency-off also solidifies the Atlas glass panels and tooltip, Leaflet zoom controls and GL popups — class-based surfaces via CSS, the Atlas inline panels via a noTransparency flag. * fix(appearance): keep i18n key parity and update the scaled-emoji test Add the new appearance settings keys (widget group titles, sidebar/density hints) to every locale so the strict key-parity check passes, and update the single-emoji chat test to expect the now-scalable calc() font size. * feat(appearance): granular per-size text scaling with live preview The text-size control now adjusts each size class (Large / Medium / Normal / Small) independently as well as all-at-once. Inline px sizes are mapped to a class by their value, so the per-class sliders reach real content; each class variable = global factor x its per-class factor (no double-scaling with the root font-size that handles rem text). The settings UI gains a live preview that resizes as you drag, and the four size sliders sit behind a clear toggle. * feat(appearance): show per-size text controls inline with examples The four size-class sliders (Large/Medium/Normal/Small) are now always visible instead of behind a disclosure, each with a live sample rendered at that size and an example of what it affects (e.g. Normal = place names/descriptions, Small = addresses/labels). * fix(appearance): shorten the Auto color-mode label to 'Auto' on mobile * fix(appearance): make the dashboard hero boarding-pass solid with transparency off * feat(appearance): mark the Readability section as experimental Transparency-off, density and per-size typography are best-effort while the token migration is ongoing, so the section carries an Experimental badge. Adds the i18n key across all locales. * chore(about): remove the monthly supporters section * refactor(settings): rename the Display tab to General and group its settings The Display tab became a catch-all once theming moved to its own Appearance tab, and its 'Display' label no longer fit. It is now 'General' (Allgemein) and split into 'Language & region' and 'Travel & map' sections. Tab labels and the new section titles are added across all locales. * refactor(admin): group the admin sidebar tabs into sections The admin sidebar had 11 flat tabs. PageSidebar now supports optional group headings (backward-compatible; the Settings sidebar stays flat), and the admin tabs are grouped into Users, Configuration, Integrations and Maintenance. Group labels added across all locales. * feat(help): embed the TREK wiki as an in-app help centre Add a Help section (profile menu, /help) that renders the GitHub wiki inside TREK. /api/help fetches the wiki markdown — the nav from _Sidebar.md, pages, and proxied images — from GitHub and caches it (1h TTL, serves stale on outage), so it auto-syncs on wiki edits with no redeploy and the client never calls GitHub directly. The page is styled to match TREK with a section sidebar, search and react-markdown; wiki [[links]] are rewritten to in-app routes and HTML-comment placeholders are stripped. Page state lives in a useHelp() hook per the page pattern. Adds nav.help and a help namespace across all locales. * feat(auth): explain the plain-HTTP secure-cookie gotcha on login When the server issues a Secure session cookie but the request arrived over plain HTTP (the common LAN install over http://ip:3000), the browser drops the cookie and the next request dead-ends on a bare "Access token required" — the top source of avoidable install issues. The login response now flags this exact case and the login page shows a localized box explaining the fix (use HTTPS, or set COOKIE_SECURE=false) with a link to the Troubleshooting guide. It only triggers in the real failure case, never for correct HTTPS setups. * feat(costs): Splitwise-like cost splitting Add per-payer and per-member custom split amounts with Equally, Custom and Ticket split modes on top of the existing equal split, keep legacy "paid by" expenses working, and document the modes in the Budget Tracking wiki page. * feat(i18n): add Vietnamese translations * chore(i18n): sync Vietnamese with latest dev keys Add the keys dev gained since this PR opened so the new vi locale keeps full parity: the help namespace (wiki help center), settings appearance options, costs split modes, dashboard Unsplash cover search, the insecure-cookie login hint, nav.help and the admin group labels. * feat(helm): Add existingClaim variable for custom PVC usage. * fix(helm): emptyDir is used as a fallback when persistence is disabled. * docs(helm): clean up existingClaim notes Strip stray zero-width characters from the persistence docs, move the PVC note out of the ENCRYPTION_KEY usage block into its own Persistence section in NOTES.txt, and document that persistence.enabled=false falls back to an ephemeral emptyDir. * feat(feeds): subscribable ICS calendar feeds for trips Adds TripIt-style live calendar subscriptions alongside the existing one-time .ics download. A trip (or all of a user's trips) exposes a secret, revocable feed URL that Google/Apple/Outlook poll to stay in sync. - Public read endpoints GET /api/feed/trip/:token.ics and /api/feed/user/:token.ics (no auth — the secret token is the credential), reusing the existing exportICS() generator and adding REFRESH-INTERVAL / X-PUBLISHED-TTL hints. - JWT-guarded token endpoints to generate (lazy, idempotent) and regenerate/revoke per-trip and per-user feed tokens; tokens stored in nullable feed_token columns. - All-trips feed excludes archived trips and trips ended >90 days ago. - UI: ICS toolbar button becomes a Download/Subscribe menu; modal offers one-click "Add to Google Calendar" (render?cid=webcal://) and a webcal:// link for Apple/Outlook, plus copy-link fallbacks. All-trips feed reachable from dashboard. - Feed base URL read from the existing APP_URL env var. Purely additive: new endpoints + two nullable columns, no breaking changes. Tests: server/tests/e2e/feeds.e2e.test.ts covers lazy token generate + idempotency, regenerate-invalidates-old, 401/404 auth+access, public feed content-type + hint injection, unknown-token 404, and the archived/>90-day all-trips exclusion. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * harden calendar feeds: absolute URLs, real disable, folding, schema sync - Resolve feed URLs against the request host when APP_URL is unset, so the webcal:// / Add-to-Google links work on a default install (not just behind a configured reverse proxy). - Give the public link a real off switch: POST enables, PUT rotates, DELETE clears the token (feed_token = NULL). The subscribe dialog no longer mints a token just from being opened — the user opts in explicitly. - Fold ICS content lines at 75 octets (UTF-8 safe) in exportICS, so download and feed both stay RFC 5545-compliant for long/non-ASCII summaries. - Extract VEVENTs by structural line scan instead of a lazy END:VEVENT regex that user text could truncate. - URL-encode the Google Calendar cid; mirror feed_token into schema.ts. - Collapse the duplicated all-trips modal into the shared IcsSubscribeModal. * feat(mcp): add bulk_update_places tool Apply the same field values to many places in one call instead of one update_place per place — e.g. re-categorising 80 POIs at once. Adds the updatePlacesMany service (one transaction, trip-scoped, partial patch built on updatePlace) and the bulk_update_places MCP tool with the usual demo/access/place_edit guards and a place:updated broadcast per place. * feat(dashboard): show the year on trip dates from other years Trip dates only showed month + day, so trips from other years were ambiguous (#1323). Dashboard cards and the boarding-pass hero now include the year, and so does the shared formatDate (planner day headers etc.) — but only when it isn't the current year, so this year's trips stay compact. Order and punctuation follow the locale (EN "Sep 10, 2026", DE "10. Sep 2026"). * feat(places): bulk "change category" from the selection toolbar Closes the UI half of #1168: in the Places selection mode, a new tag button before delete opens a category picker that applies one category (or "No category") to every selected place in a single request. Adds a REST /places/bulk-update endpoint reusing updatePlacesMany, an offline-aware repo + store action that patches both the place pool and the day-assignment projections, undo grouped by each place's prior category, and the i18n keys across all locales. * feat(map): include the day's route in the map fit (#1128) Selecting a day already fits the map to that day's destinations; this also folds the route polyline into the bounds. BoundsController fits the destinations immediately, then re-fits once — when the day's route finishes computing asynchronously — to destinations + the full route, so a route that bulges past its stops (a detour or ferry) stays in view. One-shot per day selection, so later route-profile toggles don't re-zoom. * feat(offline): detect update conflicts on the server for places and packing Update handlers accept an optional X-Base-Updated-At token and reject a stale overwrite with 409, returning the current server row. An absent token keeps the existing last-write-wins behaviour, so older clients are unaffected. packing_items gains an updated_at column (migration + stamped on every insert) so it can take part in conflict detection too. * feat(offline): force-offline mode, selective sync and a conflict queue A force-offline override routes every read to the cache and every write to the queue; preparing for offline downloads trip data, documents and map tiles up front and waits for them to finish. Map tiles and individual trips can be left out of the cache. Queued edits carry the version they were based on so the queue can surface server conflicts for a keep-mine / keep-theirs decision; chained offline edits to one entity no longer conflict with each other, and evicting a trip preserves its unsynced writes. * feat(offline): Settings -> Offline controls and a status banner The Offline tab gains a force-offline switch, a prepare-for-offline download with progress, per-trip and map-tile storage toggles, and a conflict resolver with a default strategy. The floating status pill now reflects forced-offline and unresolved conflicts. * i18n(offline): offline settings strings across all locales * docs(wiki): document force-offline, selective storage and conflicts * feat(video): media_type discriminator + local gallery video upload (server) trek_photos gains a media_type column (migration) so the registry can hold video as well as images. A new POST :id/gallery/video endpoint accepts a video plus a client-captured poster (500 MB cap, video MIME/extension allowlist), stores the poster as the thumbnail, and the photo stream serves the poster for the thumbnail kind and the raw file (HTTP Range) for the original — without running the image thumbnailer on video bytes. * feat(video): play local gallery videos in the journey gallery Picking a video in the journey gallery now captures a poster frame + duration in the browser and uploads the raw clip; the grid shows the poster with a play badge and the lightbox plays it with a native video player (HTTP Range seeking). Images keep their existing HEIC-normalised path. No server-side transcoding. Server media_type work was committed separately. * feat(video): use Plyr for the gallery video player Swaps the bare <video> element for a Plyr-wrapped player so playback controls match a consistent, cleaner skin. The instance is created per source and destroyed on unmount, so the lightbox stops playback when you navigate away. * feat(video): link and stream Immich videos in the journey gallery Immich timeline and album listings no longer filter out videos; each asset now carries its media type, which the provider picker forwards when linking. A linked video streams through Immich's transcoded /video/playback endpoint, and the asset proxy forwards the viewer's Range header (and passes 206/Content-Range back) so the player can seek. Synology video stays excluded until its stream API is verified. Adds media_type/media_types to the provider-photos request contract. * test(photos): assert the forwarded Range arg on the original stream Follow-up to the Range-aware photo proxy. * feat(video): upload and play videos in the trip file manager The file manager (which already attaches files to a place/activity) now accepts video uploads up to the larger video cap — other types stay at the document limit — and the lightbox plays them with the Plyr player over the plain same-origin download URL, so cookie auth and HTTP Range both work. Videos are excluded from the offline blob prefetch so one clip can't evict a trip's documents. * fix(video): harden upload handling and fix video playback edge cases Security: the gallery-video poster is now always stored as .jpg instead of the client-supplied extension, so a poster declared image/* but named x.html / x.js can't be written with that extension and served inline same-origin; local gallery files are also served with X-Content-Type-Options: nosniff. Robustness: rejected/unauthorised uploads no longer orphan their bytes on disk (the gallery-video and file-manager handlers unlink before throwing); the file-manager per-type size cap is keyed on the extension like the filter, so a real video labelled application/octet-stream isn't wrongly rejected. UX: the file-manager thumbnail strip shows a play placeholder for video instead of a broken image; shared (public) journeys now return media_type and play videos with a play badge; and a poster-less video shows a neutral tile instead of a broken thumbnail. * test(video): update gallery accept selector + complete fileService mocks The gallery upload input now accepts image/*,video/* — update the two JourneyDetailPage selectors that matched the old value. The files/journey e2e suites mock fileService and were missing the new MAX_VIDEO_SIZE / isVideoExtension / isVideoMime exports, which broke module load. * test(video): cover the new upload-handler branches Add controller tests for the gallery-video route (success / no-video / not-allowed / cleanup-on-reject), the per-asset media_types loops (gallery + entry, batch + single), and the file-manager per-type cap + unlink-on-rejection — restoring branch coverage on src/nest above the 80% gate. * feat(bookings): add a dedicated URL field to reservations (#935) Bookings get a first-class url column (migration) instead of users pasting links into notes. It's editable in the booking modal and rendered as a clickable link on the reservation card. The reservation request schemas are open passthroughs, so only the entity schema + service SQL enumerate it. * feat(files): render uploaded Markdown files inline (#1345) Markdown (.md/.markdown) is now an allowed upload type and opens in a rendered preview in the file manager instead of just downloading. Reuses the existing react-markdown stack with rehype-sanitize (these are untrusted uploads, so output is sanitized) and detects markdown by extension first since browsers send unreliable MIME for .md. * feat(lists): reorder packing/to-do lists and private packing items (#969, #858) Add drag-to-reorder to the packing and to-do lists, mirroring the budget panel's native HTML5 drag pattern. A drag within a filtered/grouped view is mapped back onto the global order so untouched items keep their place, and the order persists optimistically via the existing reorder endpoints. Packing items can now be marked private (#858): a private item is visible only to its owner. createItem/bulkImport stamp the owner, listItems filters by the viewer, and the WebSocket broadcasts are scoped to the owner so a private item never reaches another member's screen — including the public/private toggle transitions. Owners get a lock toggle and a private indicator on their items. * feat(trips): transfer trip ownership to a member (#973) Add POST /api/trips/:id/transfer so the owner can hand a trip to one of its existing members. The swap runs in a transaction: the new owner takes trips.user_id and the former owner is kept on as a regular member, so nobody loses access. The endpoint is owner-only, writes a trip.transfer_ownership audit entry and broadcasts the refreshed trip. The members modal gains a "Make owner" action, shown only to the current owner. * i18n: translate the booking link field across all locales (#935) Fan out reservations.urlLabel / reservations.urlPlaceholder to the remaining locales so the dedicated booking URL field is localised everywhere. * fix(packing): drop the always-true guard in the row drag handler (#969) The onDragOver guard `drag.isDragging || true` is a constant condition (eslint no-constant-condition). The handler is already gated by canDrag, so run the drag-over logic directly, matching the to-do row. * feat(trips): guest members for accountless participants (#1362, #1291) Add "guest" trip participants — people without a Trek account who can still be assigned to costs, packing, to-dos and day-plan activities. A guest is a credential-less users row (is_guest=1) joined into trip_members, so it is assignable everywhere a real member is, with the cost-splitting, settlement, packing and assignment paths working unchanged. Guests are firewalled from everything account-related: they can never sign in (password, OIDC and reset lookups skip them), never appear in the global user directory, the member-add picker or admin user management, are never resolved as notification recipients, can't be invited to another trip, and can't be made owner. The trip owner manages guests from the share dialog in a dedicated, clearly-labelled section (add / rename / remove), and guests carry a "Guest" badge wherever members are picked. All 22 locales stay in parity. * feat(packing): three-tier sharing — personal, shared-with-people, common pool (#858) Rework the private-packing flag into a full sharing model. Every item is now Common (the group pool — where all existing items live, so nothing breaks), Personal (private to its owner) or Shared with specific people (it shows up on those travelers' own lists, marked "by <bringer>"). is_private discriminates restricted from common; a new packing_item_recipients table holds who a shared item covers, and packing_item_contributors records "I can bring that too" pledges on Common items. The panel gains a Gemeinsam / Meine Liste view switch, each item a sharing control (owner sets the tier + the people it covers), and Common items can be co-brought or cloned onto your personal list. Visibility is enforced server-side in listItems and the WebSocket broadcasts are scoped to exactly who can see an item across every tier transition. All 22 locales stay in parity. * style(packing): small gap between the list and the luggage sidebar divider The luggage sidebar's left border sat flush against the right-hand category card. Add a little left margin so the divider has minimal breathing room. * feat(map): group GL place markers into clusters on zoom-out (#1385) MapLibre/Mapbox showed every place as its own rich HTML marker with no grouping when zoomed out, unlike the Leaflet map. Feed the place points through a clustered GeoJSON source: clustered points render as a dark count bubble (click to zoom in and expand) while the rich HTML photo markers are only drawn for the points the source reports as unclustered. Always on, matching the Leaflet MarkerClusterGroup. * fix(map): match the GL place hover tooltip to the Leaflet map (#1385) The MapLibre/Mapbox hover showed an anchored popup with a large photo thumbnail, completely unlike the Leaflet map's slim, cursor-following name/category/address card. Drop the anchored photo popup for places and render the same cursor-following overlay the Leaflet map uses (no photo, matching fonts/padding/shadow), so the two maps hover identically. * feat(collections): backend for the Overall Places addon (#1081) Adds the Collections addon backend: a server-wide-per-user library of saved places, independent of any trip, with multiple named lists, an idea/want/visited status, and Vacay-style fusion invitations to share a list with other users. - Data: collection / collection_members / collection_places / collection_place_tags tables (+ migration and baseline schema). Saved places carry the owner plus a nullable saved_by so a member deleting their account can't drop shared content. - Service: list + place CRUD with owner-or-accepted-member visibility, dedup, status, save-from-trip and copy-to-trip (reusing the trip copy column list), and the full fusion-invitation state machine mirrored from vacay (send / accept / decline / cancel / leave) with a websocket broadcast and an invite notification. Deleting a list snapshots its members and notifies them. - NestJS module + addon guard (404 before auth), registered in the app module. - Widens the place photo cache reference check to count collection places so the nightly sweep no longer evicts photos a saved place still uses. - collection_invite notification wired across all 22 locales. * feat(collections): /collections page, entry points and i18n (#1081) Adds the client side of the Collections addon: - A distinct /collections page (Atlas pattern, page/hook split) gated behind the addon: a multi-list rail, a Grid (default) / List / Map view switch, the idea/want/visited status with a one-tap badge, search and status filters, and considered empty states. Store + hook + model + websocket wiring; the place detail reuses the trip place inspector via a mode guard. - Entry points: a "Save to Collection" button next to Open-in-Google-Maps in the place inspector (and the two sidebar context menus), a "Copy to trip" modal, and a desktop-only two-column add-place picker (mobile keeps the single-column form). - The collection namespace and the new keys across all 22 locales. * feat(collections): fusion sharing UI + dashboard widget + per-user toggle (#1081) - ShareCollectionModal: the owner manages a list's members and invites users (available-users picker → invite, cancel pending); a member can leave a shared list. The incoming accept/decline surface stays in the lists rail. A Share button is added to the collections header for owners (and members, to reach Leave). - CollectionsWidget: a dashboard glass card after the currency widget showing the saved count and the most recent saved places, double-gated by the admin addon and a new per-user appearance flag. - Appearance: a 'collections' dashboard-widget flag (desktop + mobile defaults) wired into the appearance settings, surviving normalize. - Sharing + settings strings across all 22 locales (parity strict passes). * feat(collections): redesign the page on the dashboard glass language (#1081) Rebuilds the /collections page from the functional placeholder into the dashboard's glass visual language (light + dark): - A colour-washed hero per list: eyebrow + member avatars, big title, and stat chips (All / Idea / Want / Visited) that double as the status filter. - A sticky glass list rail (owned + shared + invites) with a mobile drawer. - Gradient/photo cover place cards modelled on the trip cards, via a new rectangular PlaceCover (photoService-backed, gradient fallback) + a shared gradients util. List and map views restyled to match. - Status pill rendered as a role=button span so it survives the .trek-dash button reset and can nest inside the card; the share member-count badge is now owner-only. - New hero eyebrow strings across all locales. * feat(collections): list+map split, taller rail, list-menu popover fix (#1081) - List view splits into a scrollable list + a sticky map on wide screens; clicking a place pans/highlights it on the map (single selectedPlaceId, no inspector over the map). Narrow screens keep the single-column list. - Keep the list rail at least as tall as the hero (measure the hero via a small useElementSize hook and feed its height as the rail's min-height). - List row kebab menu: portal the menu/colour popover to the body so the rail's overflow + backdrop-filter can't clip it ("renders only in the module"), and fade the place count on hover so the kebab stops overlapping it. * feat(collections): list+map default, map-only toggle, deselect + tooltip fixes (#1081) - Drop the grid/tile view. The list view is now the default and, on wide screens, a list + persistent map split; a top-left control on the map collapses the list to a full-width map (and back), animating smoothly (the map stays mounted and is nudged to re-layout during the transition). The place search moves onto the map (top-right); mobile keeps a list/map toggle. - Let a place be deselected again: clicking it once more, clicking the map background, or picking another all toggle the selection (collections map now wires onMapClick). - Fix the stuck hover tooltip: selecting a place swaps its marker's DOM node so the browser never fires mouseout/mouseleave, orphaning the fixed-position tooltip (it hung on screen and drifted with scroll). Both map stacks now clear the hover on selection change and on scroll. - Remove CollectionGrid + PlaceCover; add hero eyebrow + map control strings. * feat(collections): list details, place detail sheet, add-place, fusion kick (#1081) Dashboard widget (B): the collections tool now shows the user's LISTS as compact colour-washed badges (cover image tinted with the list colour, or a gradient) that jump to the list — one list() call, no N+1. List details (C): lists gain a description, a custom cover image (uploaded to /uploads/covers, tinted with the list colour in the hero) and links. A shared ListEditorModal handles both create and edit; the hero shows the description + link chips. New `links` JSON column on collections + collection_places (migration 151) with parse/serialize in the service; a POST :id/cover upload endpoint mirroring trips; cover-file cleanup path-confined locally. Place detail (D): clicking a place opens a bottom sheet (no backdrop, so the map stays visible) — status cycle, copy-to-trip, remove, and an edit mode with a markdown description + links editor (collectionsApi.updatePlace, now wired via a store action). A "+" next to the search adds a place to the list via the maps search. Fusion + fixes (E): the owner can now remove an accepted member (kick) — new removeMember service/route/store + a button in ShareCollectionModal, with a collections:removed WS bounce. findMembership no longer matches on name alone (coordinate proximity required, killing "Starbucks everywhere" false positives). loadCollection swallows a 403/404 after a leave/remove so the URL sync can't throw uncaught. Grid remnants gone; the map select toggle moved onto the map. New strings across all 22 locales; i18n parity strict passes. * fix(collections): review follow-ups on the B–E work (#1081) - Block the list-cover upload in demo mode (mirror the trips cover endpoint). - Restrict list/place links to http(s) (schema) and normalise scheme-less URLs to https:// on save, so a bare "booking.com" no longer resolves as a relative SPA route (and javascript:/data: hrefs are rejected). - Place detail: surface save errors with a toast instead of silently swallowing a 400 and leaving the sheet stuck in edit mode. - List editor: don't create a duplicate list when a retry follows a cover-upload failure (reuse the created id); revoke the cover preview object URL. - Map controls: one top bar (left toggle/select, right add/search) so they can't overlap on a narrow split map — the search shrinks instead. - Dashboard list badge: full-opacity colour wash so the name stays legible over bright covers. * fix(collections): detail-sheet, edit-refresh, map + rail polish (#1081) - Editing a place (status, description, title, …) no longer reloads the view or closes the detail: the WS echo now refreshes via loadCollection, which keeps the current selection + select-mode instead of setActive resetting them. - Place detail: docks over the list column on the desktop split (measured rect) instead of centred over the map, and the card is now opaque (was too see-through). - Map: click a marker in full-map view to drop back to the split; picking a place scrolls its list row into view; the select toggle is disabled in full-map view; the floating controls are one non-overlapping top bar and less transparent. - Hero: drop the New-list button (it's already in the rail). - Rail: the kebab is always visible (easy to hit); menu is Edit + Delete only (colour moved into the editor); "Rename" → "Edit". - Add-place: pick a result, then set description (markdown) / links / status before saving, all in one step. - Share modal: member roster as cards with clearer role badges + a count. * feat(collections): detail redesign + categories, close-on-map, highlight fix (#1081) - Rebuild the place detail as a clean, opaque, sectioned sheet (cover → meta → status segment → description → links) with a proper footer action bar — the loose "white lower half" is gone. - Assign a place to a central (admin-defined) category, both in the detail edit and when adding a place; categories are fetched once for the page. - Add-place now sets category + description (markdown) + links + status in the same step, closer to the trip's place form. - Switching to the full-map view now closes the (list-docked) detail. - Fix the selected-row highlight: it was clipped by the column's overflow — use an inset ring and only clip during the map-collapse animation; a picked row now scrolls into view above the detail sheet. - New category strings across all 22 locales. * feat(collections): filters, add-place popup, category badges, map-click hardening (#1081) - Map: markers no longer rebuild on every unrelated re-render (memoised the mappable list + only update the hero size when it really changes), the floating controls bar is click-through except its buttons, and the collection map runs with the hover tooltip off. Together these stop a marker click from landing on a mid-rebuild element / the tooltip so the pick actually registers. - Filters moved out of the hero into a compact status + category dropdown row above the places (custom dropdowns); the hero no longer carries the stat chips. - Add-place is a single popup now: search fills the location, and name / status / category / description / links are all editable together before saving. - Category shown as a badge top-left on the detail cover and next to the status in each list row (divided by a hairline). - Slimmer hero: shorter, tighter spacing, links tucked into the eyebrow row instead of their own line. * feat(collections): hero edit/share row, place photos, edit-echo fix, wider page (#1081) - Editing a place (category, status, …) no longer reloads the view: the mutating client's own socket is now excluded from the WS broadcast (x-socket-id threaded through save/update/status/delete + list update/cover), so the optimistic update stands on its own instead of being chased by an echoed refetch. - Detail sheet pulls a higher-res cover photo from the maps provider when the place has no image of its own (the avatar thumbnail was too low-res). - Hero: Share moved onto the title row (no more empty top band) with an Edit button beside it; editing/deleting a list now happens there. The list rail drops its per-row kebab entirely (and with it the janky open animation). - The list editor can delete the collection from its footer (owner only). - Wider, screen-relative page (max-width min(2100px, 95vw)). - List rows: the place avatar no longer shrinks when the address is long. * fix(collections): copy-to-trip labels + Unsplash cover search (#1081) - Copy-to-trip modal showed blank rows: trips are keyed by `title`, not `name`, so nothing rendered. Read `title` and add the trip's date range under it. - List editor gains an Unsplash cover search (same source as trip creation) next to the upload button; picking a photo sets it as the list cover. - Add-place result rows: pin keeps a hard min width so a long address can't squeeze it. * fix(collections): stop the address pin from shrinking on long addresses (#1081) The little map pin in front of a place's address sits in a flex row with the address text but had no flex-shrink guard, so a long address squeezed the icon smaller. Pin the SVG to its size. * fix(collections): white screen when editing a place (undefined in places) (#1081) updatePlace wrote `res.place` into the places list, but the endpoint returns the updated place directly (not wrapped in { place }, unlike savePlace) — so an `undefined` slipped into the list and the category-filter's presentCategories() crashed on `undefined.category_id`, blanking the whole page. The WS echo used to mask it by refetching; excluding the editor's own socket exposed it. - Read the updated place directly and guard against a falsy response. - Fix the api return types to match (updatePlace/setStatus return the place). - Harden filterPlaces / statusCounts / presentCategories / mappablePlaces against a stray undefined entry so a single bad row can never white-screen the page. * feat(collections): select toolbar — select-all, move/duplicate to another list (#1081) - The select toggle now sits at the right of the filter row (same height as the status/category dropdowns) instead of the top toolbar. - Select mode gains a "select all / deselect all" toggle and shows even with nothing selected yet. - Selected places can be moved or duplicated into another of your lists via a target-list picker (move re-points collection_id; duplicate re-saves the place data, carrying description / category / notes / etc.). - New strings across all 22 locales. * style(dashboard): accent follows the user's theme instead of a fixed orange (#1081) The .trek-dash scope (dashboard, collections, vacay, atlas) hardcoded an orange accent, ignoring the appearance theme. Drop the override so --accent inherits the theme tokens (index.css): monochrome black/white by default, coloured per data-scheme / custom accent. --accent-ink/-soft now map onto --accent-on/-subtle, and accent-filled elements use --accent-text for legible text on any scheme. Category colours are set explicitly per element and stay untouched. * fix(collections): saved-places picker height + list filter, all-saved first-load (#1081) - Trip "Saved places" picker: drop the fixed 360px cap so the list fills the panel instead of stopping half-way, and add list + status filter dropdowns (filter by which collection the place is saved in). - "All saved" showed nothing on first open: setActive(ALL_SAVED) unioned the lists from the store, but on first load those aren't fetched yet (loadAll still running). Load them first when empty so the union isn't blank. * test(collections): unit-test the nest controller (branch coverage) (#1081) The collections nest module had no controller test, dragging src/nest/** branch coverage below the 80% gate. Cover the controller's branches: reorder/deleteMany payload validation, owner-gated invite/cancel/remove/available-users, invite + accept error surfacing, the cover demo-mode + no-file guards, and the x-socket-id forwarding on the mutating endpoints. * fix(collections): mobile polish — touch targets, safe-areas, overflow (#1081) From a mobile UX audit of the collections page: - Detail sheet: the read-mode footer no longer clips "Remove from list" (it wraps, drops the growing spacer) and clears the home indicator (safe-area padding, 84dvh instead of 84vh). - Bigger touch targets on phones (≥40px): view toggle, filter dropdowns, select-bar buttons, detail close/actions, drawer rail rows, and the interactive status badge (enlarged tap area via a pseudo-element, look unchanged). - Select action bar breaks its bulk actions onto their own line instead of stranding them behind a growing spacer. - Lists drawer honours device safe-areas and gets an explicit close button. - Page honours the top safe-area and goes full-width on phones (drop the 95vw cap); filter popovers cap their width so long category names don't overflow. - Add-place: Cancel/Add pinned in the modal footer (reachable without scrolling), status pills wrap. - Drop dead hero mobile CSS left over from the hero refactor. * feat(collections): per-member permission roles on shared lists (#1081) The owner now assigns each member a role — viewer (read + copy-to-trip only), editor (default: add + edit places) or admin (full incl. delete). The owner is always full. Existing members default to editor via migration 152, so nothing regresses. - Server: role column on collection_members (migration 152 + schema); roleOf + assertCanEdit (save/update/status/list-meta) + assertCanDelete (delete) layered on assertAccess; sendInvite takes a role; new setMemberRole (owner-only) + POST members/role; members payload carries each role. - Client: Share modal gains a role picker on invite and a per-member role select for the owner (read-only role badge for others); the page hides add / edit / status / move / delete for roles that can't perform them (server still enforces). - Roles in all 22 locales; service + controller tests for the new gating. * feat(collections): bulk-add selected trip places to a list (#1081) Add a "Save to collection" action to the trip place list's selection bar (next to bulk category + delete): it opens a list picker and copies every selected place into the chosen list in one request, instead of one-by-one from each place. - Server: saveFromTripPlaces (one access check + one WS notify), POST places/from-trip-many; dedups by name/coords, skips missing ids, honours force. - Client: saveFromTripMany api + SaveTripPlacesToListModal; the selection-bar button is gated on the collections addon being enabled. - Copy count / skipped-duplicates toast; strings in all 22 locales. - Service + controller tests for the bulk path. * style(collections): custom dropdown for the permission role pickers (#1081) Swap the two native <select> role pickers in the share modal (invite + per-member) for the app's CustomSelect (portal dropdown, size sm) so they match the rest of the UI instead of the browser's native control. * style(collections): widen the share modal (#1081) * test(collections): client component tests + select in All saved, off the map (#1081) - Add client tests for the new collections UI (80 tests): collectionsModel (incl. the undefined-entry guards that fix the white-screen regression), StatusBadge, CollectionFilterBar, CollectionList, CollectionPlaceDetail (permission gating), MoveToListModal. - Offer the select toggle in "All saved" too (server enforces per-place rights). - Drop the now-duplicate select button from the map controls (it lives in the filter row). * docs(wiki): add Collections addon page (#1081) New wiki/Collections.md in the style of the other addon pages (lists, status, categories, adding/bulk-adding places, place detail, filters + bulk actions, fusion sharing with member roles, dashboard widget). Add it to the Addons overview table + the sidebar navigation. * feat(date-picker): add month/year drill-down navigation and keyboard input trigger - Add three-level calendar view (days → months → years) via clickable header label, allowing fast navigation to distant dates without repeated arrow clicks - Replace double-click text input affordance with a visible keyboard icon button; compact/borderless variants show the icon in the calendar footer - Pre-fill text input with locale-aware numeric date (DD.MM.YYYY) when a value is already selected - Add aria-label and aria-pressed to all interactive calendar elements for screen reader support - Update existing tests to reflect new two-button trigger layout - Add FE-COMP-DATEPICKER-018 through 027 covering drill-down view transitions, prev/next behaviour per view, aria-pressed state, and keyboard icon trigger * fix(date-picker): locale-aware keyboard input parsing and i18n control labels - Replace fixed-order date parser with locale-aware implementation using Intl.DateTimeFormat.formatToParts to detect field order; adds swap fallback for unambiguous inputs (day > 12) to handle locale mismatches gracefully - Pre-fill keyboard input with locale-formatted numeric date (e.g. 14.06.2026) instead of raw ISO value - Replace all hardcoded English aria-labels and titles with t() calls; add new keys under common.datepicker.* namespace across all locale files - Update FE-COMP-DATEPICKER-013 to use unambiguous day value (> 12) to avoid locale-dependent test failures * fix(date-picker): add missing locale file and fix let-to-const lint error - Add missing common.datepicker.* keys to overlooked locale file - Change reassigned `let` to `const` where value is not mutated to satisfy lint rules * chore(i18n): backfill datepicker keys for sv + vi locales added on dev * fix: back-merge v3.1.4 hotfixes into dev (#1371) Port the three main-only fixes onto dev's (post-rewrite) architecture: - fix(backups): prevent recursion when the backup path sits inside the backed-up dir - fix(share): convert budget items to the viewer's base currency instead of a flat EUR - fix(files): surface the descriptive server error for unsupported upload types (#1363) Cherry-picked from 819aa793 on main; the SharedTripPage and useTripPlanner conflicts were resolved to keep dev's font-scaling and full import set while taking the fixes' currency conversion and translateApiError wiring. * fix: resolve a batch of reported bugs (planner, budget, atlas, bookings, mobile) - #1394 planner: two transports on one day no longer draw a phantom airport→airport road route between them (a run is only a drive when it holds a real place); mirrored in the map hook and the sidebar's leg list, with a regression test. - #1392 planner: the per-day Route button now points the selection at the tapped day before toggling, so on mobile it computes that day's route instead of the previously selected one, and only the selected day's button reads as active. - #1372 planner: the "open in Google Maps" route now includes the day's hotel bookends, matching the drawn map route. - #1375 planner: a multi-day accommodation no longer thrashes the plan scroll — the auto-scroll lock keys on the selection identity, not the per-day row. - #1377 planner: the reset-orientation compass is now shown on small screens too. - #1382 budget: settlement nets in the trip's canonical currency and converts to the display currency once, so balances no longer drift with live FX and no phantom third-party micro-flows appear (identity, hence unchanged, when they're the same). - #1366 atlas: countries reached only by a transport booking (no lodging/place) now count as visited, on both the dashboard and the Atlas page. - #1383 bookings: a hotel linked to an accommodation shows only its day-range, not a duplicate stamped date row, and the range stays correct after an edit. - #1353 bookings: any non-hotel reservation can now link an existing trip place/activity. - #1390 i18n: fix the Polish word for "buddies" (Towarzysze → Współpodróżnicy). - #1265 planner: drag-and-drop of places now works on touch devices via a polyfill. * feat(planner): add an "Open in OpenStreetMap" button to the place inspector Next to the existing "Open in Google Maps" action, add an OpenStreetMap button that opens the place on openstreetmap.org (a marker at its coordinates, or a name search when it has none) — the same map source TREK already renders, and a jumping-off point for OSM-based apps like OrganicMaps / CoMaps. Requested in discussion #880. Strings across all 22 locales; a unit test for the URL builder. * feat(planner): shorten the map-open button labels to "Google Maps" / "OpenStreetMap" * feat(planner): show a day's route distances inline on mobile Seeing the driving/walking distances between a day's places on mobile meant tapping the day (which closes the plan sheet), reopening it, then tapping Route. Now the per-day Route button in the mobile footer toggles that day's leg distances in place, so the sheet stays open and you get the distances between places without selecting the day first. The leg computation runs for every route-toggled day instead of only the selected one, and the leg/hotel-bookend maps are nested per day so several toggled days can't overwrite each other's segments. Desktop is unchanged. Discussion #1374 * feat(oidc): use the picture claim as avatar when none is uploaded When a user signs in via OIDC and hasn't uploaded a custom avatar, their `picture` claim is now used as their avatar. The users.avatar column holds either an uploaded file name or an absolute https URL from the claim, and a single resolver on each side (server avatarUrl, client avatarSrc) renders both. An uploaded avatar always wins and is never overwritten; the picture refreshes on each login otherwise. Only https URLs are stored, matching the image CSP. All the scattered /uploads/avatars/ builders now go through the resolvers, which also fixes collection member avatars that were rendering a bare file name. Discussion #1399 * feat(trips): trip invite links + optional trip binding on admin invites Trip invite links (#1143): each trip can have one rotating invite link in its Share panel. An existing, logged-in user who opens /join/<token> is added to the trip as a member; an anonymous visitor is sent to the login page and returned to the invite afterwards — there is no registration from this link. Reading, rotating or disabling the link all require the share_manage permission. Admin invite trip binding (#1402): the admin create-invite dialog can now bind a registration invite to a trip. Someone who registers via that link is auto-added to the trip as a member (password and OIDC paths), inside the same atomic step that consumes the invite. Adds a trip_invite_tokens table and a nullable invite_tokens.trip_id, a shared owner-safe/idempotent add-by-id helper, the manage + join endpoints, the JoinTripPage and Share-panel section, the admin trip picker, and the new i18n keys across every locale. Wiki updated. Discussion #1143 * fix(join): extract JoinTripPage state into a useJoinTrip hook The page container held useState/useEffect directly, tripping the CI page-pattern check. Move the token preview + accept logic into a co-located useJoinTrip() hook; the page is now a thin presentational shell. * feat(costs): filter expenses by category and by a single day Adds two filter dropdowns next to the Search Expenses field (height-matched to it): one filters by expense category, the other narrows to a single day. Selecting a day shows a prominent summary banner with that day's total, and hides the now-redundant per-day header. Both filters work on the desktop and mobile layouts and compose with the existing search + all/mine/owed filters. New i18n keys (costs.filter.allCategories / allDays, costs.expensesCount) across every locale. * fix(admin): use TREK's CustomSelect for the invite trip picker The "add to trip" dropdown in the admin create-invite dialog was a native <select>; swap it for the shared CustomSelect so it matches the rest of the UI (searchable once there are many trips). * feat(planner): public transit routing via Transitous (#1065) Each day header gets a transit button (replacing the rename pencil, which moved next to the day name in the day detail panel). It opens a route search backed by Transitous/MOTIS — free, open data, no paid provider: from/to stop search with the day's own places as quick picks, depart/arrive time, mode filters (train, subway, tram, bus, ferry, cable car) and ranking by best route, fewer transfers or less walking. Results show local times, duration, transfers, walking time and line badges in their official colors, with a stop-by-stop breakdown per connection. Adding a connection saves it as a regular transport reservation — typed by its dominant leg, timed from the itinerary's wall-clock departure/arrival converted to station-local time (tz-lookup), with the origin, transfer stops and destination as endpoints and the compact legs in metadata.transit. It slots into the day timeline by time and inherits editing, deletion and drag-reordering from the existing transport machinery; the transport detail view renders the full itinerary. Re-saving a transit transport through the edit modal preserves the stored itinerary while the route is unchanged. The server proxies the Transitous API (JWT-guarded, rate-limited, identifying User-Agent, short response cache, strict mode whitelist); TRANSIT_API_URL lets self-hosters use their own MOTIS instance. New i18n keys in every locale, wiki page updated. Discussion #1065 * fix(build): declare tz-lookup as a client dependency It was present in the lockfile but undeclared, so the local install had it while the Docker client build (npm ci --workspace=client) did not. * test(maps): add buildUserAgent to the mapsService mock transitService imports it at module load, and the full-app integration boot now pulls the transit module in — the factory mock lacked the export. * feat(planner): make transit journeys first-class entries (#1065) A saved transit route is now its own reservation type instead of piggybacking on train/bus: it gets a tram icon and its own color everywhere, and the day timeline renders the itinerary inline — line badges in their official colors with walk segments, plus the transfer count and walking time — instead of a generic transport row. Clicking the row opens the itinerary view (journey summary, stop-by-stop legs with times, platforms, headsigns and operators) rather than the edit form; editing stays reachable from an Edit action inside that view. The transit type is registered across the timeline merge, transport modal, reservations panel, file manager, map overlays and detail panels, with a translated type label in every locale. * feat(planner): integrate transit into the transport system as Automated mode The add-transport dialog gains a Manual/Automated switch: Automated embeds the public-transit search (day picker + from/to + modes + preferences + results) right in the dialog, and the day header's tram button opens it directly in that mode. The standalone search modal is gone. Saved journeys get their own roomy journey view — the stop-by-stop itinerary (times, platforms, lines, headsigns, operators) together with the editable booking fields, delete, and a "Change route" action that re-runs the search pre-seeded with the journey's origin/destination and replaces the itinerary on save. The generic transport form no longer opens for transit entries, from the timeline or from the Transports tab, where journeys now sit in their own "Automated public transit" section with their line badges on the card. New i18n keys in every locale; wiki updated. * feat(planner): polish the transit journey UI and fix its tab placement Transit entries were classified as bookings by the planner's transport-type list and landed in the Bookings tab — they now sit in the Transports tab's own section, rendered as proper journey cards (tram icon, arrow title, leg chips, journey stats) instead of the generic booking card. The journey modal got a redesign: the title renames inline in the header with an icon arrow, the stats become three full-width tiles (duration / transfers / walking, each with an icon), status and booking-code fields are gone, and notes take the full width with a markdown write/preview toggle. The Automated search mode gains a proper header (icon, hint, day picker) and the day-plan row now shows walks with their minutes inside the chip sequence (🚶 3 › U2 › 🚶 3) instead of a detached direct/walk summary. "A → B" titles render with an arrow icon everywhere. The Transports tab's add button is simply "Transport" now that the dialog covers both modes. * test(nav): the bottom-nav add button is labelled Transport now * feat(planner): markdown toolbar for journey notes + calmer transit search form The journey notes gain a proper markdown toolbar (bold, italic, strike, heading, list, checklist, link, code) that wraps the selection or prefixes the current lines. The transit search options settle into one calm card: depart/arrive + time + date and the ranking preference share the top row, the mode filters and the search button share the bottom row, with the mode chips restyled from heavy filled pills to quiet toggles. The day-plan row drops the transfer count — the leg chips already tell the story. * feat(planner): badge meta rows + inline itinerary expansion for transit Dot-joined meta text becomes quiet badge chips everywhere transit facts are listed: the journey modal's per-leg line (time, duration, stops, headsign with an arrow icon, operator de-emphasised), the search results' leg details, and the Transports-tab journey card (day, date, time span, duration — the transfer count is gone from the card). The day-plan transit row swaps the map-connections toggle for an expander: the chevron folds the stop-by-stop itinerary out right inside the timeline — times, line badges, stations with platform and stop counts — sized for the sidebar. * feat(planner): walk legs as centred dividers + journey-card note line Walk segments in the journey modal and the day-plan inline itinerary collapse from two lines into a single centred divider — dashed rules left and right, the walk in the middle (foot icon, destination, minutes). Leg meta badges sit tighter under their titles. The Transports-tab journey card shows a dimmed first-line note preview, and the journey modal now reads the reservation from the live store, so an update is visible the moment the entry reopens. * feat(map): draw transit journeys along their real rail and bus alignments MOTIS leg geometry (encoded polylines) now travels through the proxy and is stored per leg, so both map renderers draw the journey along the actual tracks instead of a straight line: colored cores in each line's GTFS color over a white casing, walks as dotted grey connectors. Transit journeys are always visible on the map — they are part of the plan itself, not an opt-in overlay — and the day route already anchors to their stations, so the journey slots into the route computation end to end. Entries saved before this keep the straight-line fallback. Also: stronger dashes on the walk dividers, notes open rendered (preview tab) when present, and MOTIS's START/END placeholders are replaced with the places the user actually picked. * fix(planner): elegant walk-divider hairlines + proven notes preview The walk dividers switch from dashed borders to 1px hairlines that fade towards the outer edges — strongest next to the walk text. A regression test pins the journey modal opening existing notes on the rendered markdown preview rather than the raw text. * fix(map): transit polish — earlier label collapse, route-toggle coupling, md note preview Station badges on transit journeys collapse to icon dots much earlier when zooming out (label threshold 900px instead of 400). The drawn transit paths now ride the day-route toggle: turning the route off hides them too, since they are part of the computed route. The journey card's note preview renders its first line as inline markdown instead of raw asterisks. * fix(settings): booking route labels default to off The map endpoint labels only render when the user explicitly enables them; an unset preference now means hidden, matching the calmer default the transit paths brought to the map. * style(settings): TREK-styled text-size sliders The appearance tab's native range inputs become proper TREK sliders: a thin pill track filled up to the current value in the accent color, with a soft round thumb that scales slightly on hover/drag. * fix(planner): mobile layouts for the transit popups The journey modal and the transit search now lay out properly on phones: from/to stack vertically with the swap rotated between them, the ranking segment and search button go full width, the day picker in the automated header spans the row, the three stat tiles compress to centred mini tiles, the itinerary tightens its gutters, and the footer wraps with an icon-only delete. Desktop is unchanged. * fix(planner): tighter mobile transit search + vertical journey itinerary * fix(planner): wrap-safe mobile itinerary text — platform below the stop, minutes-first walks * feat(plugins): plugin system scaffold — registry tables + admin panel First slice of the plugin system. Lays down the data model and a read-only admin surface; nothing executes yet. - Migration 155: plugins, plugin_meta_migrations, plugin_error_log and plugin_settings_fields tables. Plugin data will live in a per-plugin sqlite file under /plugins-data, never in these tables. - New Nest module server/src/nest/plugins with GET /api/admin/plugins (admin-gated, returns the installed list + the runtime-enabled flag). - TREK_PLUGINS_ENABLED kill switch (config.pluginsEnabled), off by default. - Admin → Plugins tab with a read-only panel: installed list, status badges, and a clear banner when the runtime is disabled by server config. - i18n keys for the tab and panel across all locales. Install, activation, the isolated runtime and the registry browser follow in later slices. * feat(plugins): isolated per-plugin runtime + capability RPC (M1) Every plugin now runs in its own forked child process with a scrubbed env (no JWT_SECRET, no db path, nothing inherited). It talks to TREK only over a JSON-RPC channel, and the host's capability router registers ONLY the methods a plugin's granted permissions unlock — so an ungranted call is unreachable, not merely refused. The plugin's own data lives in a separate sqlite file it can never open directly; core reads (trips/users) go through membership-checked, column-projected host methods; ws broadcasts are force-namespaced. - protocol/envelope: the wire types + method→permission map (pure, shared by host and the isolated child) - host/rpc-host: the capability router = the enforcement point (dispatch, BAD_PARAMS / PERMISSION_DENIED / RESOURCE_FORBIDDEN / UNKNOWN_METHOD) - host/plugin-data: the per-plugin sqlite file (db:own), guarded against ATTACH/PRAGMA escape, idempotent migrations - host/create-rpc-host: wires the router to the real db/websocket (host-only) - runtime/plugin-sdk + plugin-host-entry: the child bootstrap + definePlugin ctx; turns each ctx call into an RPC, never imports a privileged module - supervisor: spawn on activate, heartbeat/reap, crash backoff + auto-disable, graceful shutdown — a plugin crash/OOM/hang can never reach the Nest loop - paths: code/data layout, dist-vs-tsx child entry resolution Nothing is wired into activation yet (that's the next slice); exercised by unit tests for the router/sdk/data and an integration test that forks a real child. * feat(plugins): activation, HTTP route proxy + instance settings (M2) Wires the isolated runtime into TREK. Admins can now activate a plugin from the panel and its HTTP routes work end to end, still behind the kill switch. - PluginRuntimeService owns the supervisor: activate spawns the child with its granted permissions + decrypted instance config, deactivate kills it, status and errors are persisted to the plugins / plugin_error_log tables, and active plugins are booted on startup (OnModuleInit). - Bidirectional RPC: the child now handles host→child invokes (routes/jobs) and reports its declared routes on load; the supervisor gained invoke()/routesOf(). - /api/plugins/:id/* proxy controller — a single static route that matches the plugin's declared routes, enforces per-route auth (auth:false routes are public for OAuth callbacks/webhooks), forwards only a whitelisted request view (never the session cookie), and strips unsafe response headers. - Admin endpoints: POST :id/activate, POST :id/deactivate, GET/PUT :id/config — instance settings with secret fields encrypted (apiKeyCrypto) and masked. - Kill switch moved to its own module so it never collides with test config mocks. Photo/calendar hook consumers are deferred to a later slice. * feat(plugins): sandboxed page/widget frames + trekBridge (M3) Plugins can now render UI. Page plugins appear as a nav entry and open a full-page sandboxed iframe; the frame talks to TREK only over the postMessage bridge. - Server serves plugin client assets at /plugin-frame/:id/* with a strict path guard and a locked-down, per-plugin CSP (default-src none; connect-src limited to declared outbound hosts; sandbox WITHOUT allow-same-origin -> opaque origin, so the frame can't read the session cookie or the parent DOM). Global CSP frameSrc relaxed from 'none' to 'self' for exactly these frames. - GET /api/plugins feed lists active plugins for the client. - Client: pluginStore + PluginFrame (the trekBridge host) authenticates every inbound message by SENDER WINDOW IDENTITY (event.source), not by a claimed id or origin; pushes context (theme/locale/tripId/userId), validates navigation, renders notifications as text, resizes widgets, and proxies trek:invoke to the plugin's own routes host-side (session cookie stays with the host). - Page route /plugins/:id + Navbar nav injection for page plugins. Dashboard widget slot and the trek:request core-data bridge are deferred to a later slice. * feat(plugins): secure installer — manifest, discovery, safe extract/fetch/scan (M4) Plugins placed on the /plugins volume are now discovered, validated and registered as inactive, ready to activate. - manifest.ts: strict trek-plugin.json validation (id/version/type, known permissions only, egress required with http:outbound, native modules rejected). - discovery.ts: scans the volume on startup + on demand (POST /api/admin/plugins/ rescan), upserts rows INACTIVE, refreshes settings-field descriptors, and never downgrades or wipes an already-installed plugin's status / grants / config. Invalid or native-carrying plugins are skipped and logged. - Activation now grants the DECLARED permissions (the consent gate) and persists them before spawning. - install/ utilities for the registry installer (M5), each independently tested: - safe-fetch: host allowlist (GitHub only) + private-IP refusal + manual redirect following + size cap + sha256 (constant-time compare). - safe-extract: zip/tar-slip-safe extraction with its own minimal tar.gz + zip readers; rejects traversal, absolute paths, symlinks, oversized/too-many entries, and unsupported formats. - native-scan: refuses .node / binding.gyp / prebuilds, never follows symlinks. * feat(plugins): TREK-side registry — browse + one-click install (M5) Connects TREK to the static GitHub registry (mauriceboe/TREK-Plugins). The registry repo + CI gates were already live; this is the server side. - registry.service: fetches the single aggregated dist/index.json (never per-plugin GitHub API calls — the HACS rate-limit lesson), caches it 30 min, soft-fails to a stale/empty registry, and installs a pinned version through the M4 pipeline: safe download -> sha256 verify -> slip-safe extract -> manifest re-validate -> native re-scan -> atomic move -> discover (inactive), recording repo/commit/sha provenance. Handles the codeload {repo}-{sha}/ wrapper directory. - Admin endpoints: GET /api/admin/plugins/registry (browse metadata) and POST /api/admin/plugins/install { id, version }. Install never executes code; activation stays a separate, deliberate step. * feat(plugins): trek-plugin-sdk package — types, mock host, scaffolder, validator (M6) The author-facing SDK, a standalone dependency-free package (not wired into the app workspaces, so it can't affect the app build). - definePlugin + the full plugin type surface (PluginContext, PluginRoute, PluginJob, PhotoProvider, CalendarSource) mirroring what the isolated runtime injects; PLUGIN_API_VERSION. - createMockHost (trek-plugin-sdk/testing): a PluginContext that enforces the SAME permission model + membership checks, so authors can unit-test that their plugin degrades gracefully — no running TREK needed. - validateManifest: the exact rules the registry CI runs, so a local pass predicts a CI pass. - CLIs: create-trek-plugin (scaffolds a working plugin + README + starter iframe) and trek-plugin validate (manifest + README sanity). Consolidating the server loader to import this shared validator is a follow-up. * docs(plugins): plugin wiki + reference plugin (M7) - Wiki pages (sync to the GitHub wiki on push to main): Plugins overview + trust model, Plugin Development (SDK, definePlugin, ctx, routes/jobs, the client bridge, testing with the mock host), Plugin Permissions reference, and Publishing (registry PR + CI gates + provenance). Linked from the sidebar. - Reference plugin plugin-sdk/examples/trip-countdown: a complete, minimal- permission widget (reads trip data through ctx, renders in the sandboxed iframe via the bridge, filled-in README). Validated in the SDK test suite so it passes the exact gate authors face. * feat(plugins): lifecycle polish — uninstall, error log, egress guard, widget slot (M8) - Uninstall with data disposition: POST /api/admin/plugins/:id/uninstall kills the plugin, removes its code + DB metadata, and (deleteData) drops its data dir, error log and per-user settings. - Error log: GET/DELETE /api/admin/plugins/:id/errors — the plugin's own crash / request-failure log, surfaced in the admin panel. - Egress guard: the isolated child wraps global fetch and refuses any outbound host not in the plugin's declared egress[]; with none declared, all outbound is blocked. Process-level defense in depth (the container runtime enforces it at the network layer in v2). - Admin → Plugins is now actionable: activate / deactivate / uninstall, a registry browser (install), and per-plugin error log. i18n across all locales. - Dashboard widget slot: active widget plugins render as sandboxed cards. The trek:request core-data bridge + photo/calendar hook consumers remain follow-ups. * docs(plugins): clarify the fork-and-PR publishing flow * fix(plugins): allow GitHub's rotating release-asset host in the installer GitHub 302-redirects release-asset downloads to a rotating *.githubusercontent.com host (objects / github-releases / release-assets). The SSRF allowlist only had objects.githubusercontent.com, so installs failed with 'host not allowlisted'. Allow the whole *.githubusercontent.com suffix (plus github.com/codeload); the private-IP check remains the SSRF backstop. * fix(plugins): allow inline scripts in the sandboxed frame + fix server lint error - Plugin frame CSP: the frame runs at an opaque origin (sandbox without allow-same-origin), so script-src 'self' matches nothing and the widget's own script never runs (stuck on 'Loading…'). Allow 'unsafe-inline' — the sandbox, not this directive, is the isolation boundary, and the plugin author controls the frame code either way. - Fix a no-constant-binary-expression eslint error in registry.test.ts that was failing the server lint:check (eslint .) in CI. * fix(plugins): exclude /plugin-frame/ from the service-worker navigate fallback The PWA service worker's navigateFallback served the SPA shell for any navigation not on its denylist. /plugin-frame/ wasn't listed, so the SW intercepted the sandboxed opaque-origin plugin iframe navigation, which Chrome reports as 'Unsafe attempt to load URL … from frame with URL …'. Denylist it so plugin frames are served straight from the network. * feat(plugins): pass the dashboard's spotlight trip id to widget plugins Widget plugins now receive the current (spotlight) trip id in their bridge context, so a widget like Trip Countdown can show a real countdown instead of the empty state. * fix(plugins): trips.getById returns the actual trip row, not the access check canAccessTrip only returns { id, user_id } (it's a membership check), but the rpc-host's trips.getById returned it verbatim — so plugins saw a trip with no title/start_date/etc. Fetch the real row after the access check. Also fix the reference plugin to read t.title (the trips column is 'title', not 'name'). * feat(plugins): persist enable-intent across restarts + redesign admin page The deactivation-on-deploy bug: `status` conflated the admin's ON/OFF intent with runtime health, so a boot crash flipped status to 'error' and the plugin never rebooted after the next deploy. Migration 156 adds an `enabled` flag (admin intent) separate from `status` (runtime health); boot now retries every enabled plugin regardless of last status, and a crash no longer erases the intent. Admin → Plugins redesign: - ON/OFF is a ToggleSwitch bound to `enabled`; runtime health shows separately as a coloured status dot, with the last error inline when it crashed. - "Update → vX" badge when the registry has a newer version (one click updates and reactivates). - Reviewed/unreviewed trust badges, cleaner cards, nicer empty state, registry browser marks already-installed plugins. i18n across all locales. * fix(plugins): backfill enabled for any plugin not explicitly deactivated status at migration time can be error/stopped/starting after a crash or shutdown, not just 'active' — so backfill enabled=1 for everything except 'inactive' (the only status deactivate() sets). * feat(plugins): hero widget slot + Koffi reference plugin Widget plugins can now declare capabilities.widget.slot 'hero' to render as a transparent, click-through overlay sitting on the boarding-pass bar's top edge (migration 157 persists capabilities; manifest validation server+SDK, feed exposes the slot, dashboard mounts hero frames above the pass). Sidebar stays the default slot. Replaces the trip-countdown example with Koffi, the TREK mascot: an animated suitcase with a 14-state behavior engine driven by real trip data — walking, waving, napping, trolley rolls, passport-stamp stickers, a split-flap luggage- tag countdown under 7 days, and sunglasses while the trip runs. Validated by the SDK suite like any author plugin; published as mauriceboe/trek-plugin-koffi in the registry. Migrations 156/157 follow the idempotent ALTER pattern (the reconciliation test re-runs everything from v135, so duplicate-column must stay non-fatal). * feat(plugins): richer admin panel + registry detail view Admin list: flush-left header like Addons, type/reviewed badges, runtime health as a dot on the icon tile (text badge only for problem states), description + source-repo link on installed cards, manifest icon. Browse: cards show the plugin screenshot (docs/screenshot.png at the pinned commit) and open a detail dialog fed by GET /api/admin/plugins/registry/:id — live-manifest permissions in plain language, egress hosts, setup preview, repo/homepage links. Manifest fetched server-side through safeDownload at the reviewed commit, cached per plugin for 30 min and only when a detail opens. Also fixes the update flow (restart the running child around the install, keep the admin's enabled intent instead of force-activating disabled plugins), guards the icon lookup against Object.prototype names, reserves ids that would shadow static admin routes, stops negative-caching failed manifest fetches, and makes the version compare prerelease-safe. * i18n: localize the plugins admin section across all locales The admin.plugins block was still English filler in most locales; translate it everywhere and add the new detail-view keys in all 22 languages. * feat(plugins): denser browse grid + prominent install-risk disclaimer Four cards per row on desktop with tighter card padding, and a full-width warning banner above the browse grid: installs are at the admin's own risk, a prior quick review does not rule out harmful content, inspect a plugin yourself when in doubt — TREK accepts no responsibility. All 22 locales. * feat(plugins): sandbox hardening — OS permission model, egress choke point, bound acting user, author signatures Closes the four gaps the security review surfaced: - OS permission model on the prod plugin child (Node --permission with fs-read scoped to the compiled server dir + the plugin's own code dir, no fs-write/child_process/worker/native). A plugin can no longer read trek.db or the .jwt_secret/.encryption_key files, nor shell out — the direct-fs and RCE escapes that bypassed the RPC layer. Opt-out via TREK_PLUGIN_PERMISSIONS=off. - Egress guard extended from fetch to the net.Socket connect choke point, so node:http/https/net/tls obey the declared-egress allowlist too (no declared egress = no outbound). Under the permission model there is no clean escape to an unwrapped runtime. Kernel/network-namespace containment remains the container step. - Trip reads are membership-checked against the acting user the HOST binds from the authenticated invocation, not an asUserId the plugin supplies; a job/onLoad (no user) can't read user-scoped trips. - Optional minisign (Ed25519) author signatures verified offline, TOFU-pinned (migration 158). Unsigned plugins install on sha256 alone; a signed plugin can't silently drop its signature or swap its author key. Server suite green (permission-model activation verified against the Koffi reference plugin on dev1). * fix(plugins): make the permission-model child load from the real plugin path The prod data dir is a symlink (server/data -> volume), so resolving the plugin under it tripped the permission model, and Node's module-type lookup walked up into the (denied) data dir. Fork the child from the plugin's realpath and drop a {"type":"commonjs"} package.json at its root so resolution stops there — trek.db and the secret files stay unreadable, verified against Koffi. * test(plugins): cover pluginRealCodeDir fallback + ensurePluginModuleType * feat(plugins): zero-config L1 hardening — SSRF egress, RSS reaper, capability audit, no popups Security that ships from the install itself, no self-hoster setup: - Egress SSRF/rebinding backstop: the net.Socket connect guard now RESOLVES the destination and refuses private/loopback/link-local/metadata/CGNAT/ULA addresses, pinning the resolved IP (a declared host that re-resolves to an internal address is blocked). Pure policy in egress-policy.ts + tests. TREK_PLUGIN_ALLOW_PRIVATE_EGRESS=on opts back into internal targets. - RSS memory reaper: the supervisor now kills a child that blows a real RSS ceiling (TREK_PLUGIN_MAX_RSS_MB, default 300) — --max-old-space-size only bounds the V8 heap, so Buffers could OOM the box under it. - Hash-chained capability audit log (migration 159): every core-data / broadcast call is recorded at the RPC boundary with the host-bound acting user and a per-plugin hash chain, so wide grants stay attributable + tamper-evident. Admin endpoint GET /api/admin/plugins/:id/audit. - Drop allow-popups from the plugin frame (sandbox + CSP): window.open ignores connect-src, so it was an egress/phishing bypass. Server suite 207 green, client + migration reconciliation green. * fix(plugins): close the UDP + DNS egress hole in the network guard The egress guard only wrapped fetch and net.Socket.connect, so TCP and HTTP were contained but two channels stayed wide open: a plugin could send data out over UDP (node:dgram) or tunnel it inside DNS queries (dns.resolveTxt & friends) to any host it never declared. Neither goes through net.Socket.connect, so the allowlist never saw them. Wrap both now against the same declared-host allowlist: - dgram send/connect: the explicit destination is allowlisted and private-IP-checked like a TCP connect (a null address keeps the connected/localhost default, which the connect wrapper already vetted). - the dns resolver family (module fns, dns.promises, Resolver.prototype): a forward lookup for an undeclared name is refused, which kills DNS tunnelling even when no socket is ever opened. A plugin with no declared egress now really has no way out. * feat(plugins): re-consent gate when an update wants new permissions Updating a plugin used to just reinstall and reactivate, which silently granted whatever the new version declared — so a plugin could quietly widen its own rights on the next release. Route updates through a new server-side update() that diffs the new version's declared permissions against what the admin already granted: - nothing new -> the plugin is restarted transparently on the new code. - new permissions or a new outbound host -> the new code is installed but the plugin is left OFF, and the delta is handed back so the admin has to approve it before it turns on. Install runs first, so a failed download/signature check leaves the running plugin untouched. The client shows the delta in a consent dialog and only then activates. An update can never widen a plugin behind your back. * feat(plugins): honest security info in the admin panel + update consent UI Reworks how the plugins panel talks about safety, since the old copy oversold it. Drops the "install at your own risk" banner and the generic trust note, and replaces them with: - a collapsible security section that lays out plainly how a plugin is contained, what the permissions actually mean (a hard limit on what a plugin CAN do, not a promise of what it does), where the limits are, and what a hostile plugin could do at worst. - a short note on what "Reviewed" means: a maintainer scanned it for malware each version, not for quality — not a guarantee it's harmless. - the consent dialog for the update flow: when an update asks for rights you never granted, it lists the new permissions and outbound hosts and makes you approve before the plugin turns back on. Full copy in all 22 locales. * feat(plugins): redesign the admin plugins page — search, filters, cleaner cards The panel was cramped and hard to scan. Rebuilt it as a proper management surface: - A segmented Installed/Discover switch with counts, and a real toolbar: search, filter by type, filter by status (active/off/update/error), and sort (name/recent/updates first). - An "N updates available · Update all" bar. - Installed rows are tidied up: a single health dot on the icon tile instead of a wall of badges, and capability chips underneath that show what each plugin can actually reach at a glance (reads your trips, dashboard widget, the hosts it talks to) — the reach is now visible without opening anything. Update, toggle and a ⋯ menu (restart, errors, source, uninstall) sit on the right. - The registry browser is now an App-Store-style card grid: screenshot with the plugin's icon chip, a reviewed badge, consistent heights. - The detail dialog gained "What it can access", "Connects to" and a details grid (version, size, requires, reviewed). To feed the capability chips, the installed list now returns each plugin's declared permissions and capabilities. New copy is in all 22 locales. * feat(plugins): make the plugins admin page work on small screens The redesign was built desktop-first. On a phone the toolbar wrapped into a mess and the rows were too cramped. Reworked the responsive behaviour: - The toolbar stacks on mobile — tabs + rescan on top, full-width search, then a right-aligned filter row — and collapses back into one row on sm+ (via display:contents), so the desktop layout is unchanged. Filter buttons drop their label on mobile and lead with an icon; their menus are capped to the viewport width so they never push the page sideways. - Installed rows use tighter spacing on mobile and the update button shrinks to just its icon (full label from sm up). - Horizontal padding, the discover grid and the detail dialog all get mobile-friendly spacing. * fix(plugins): make the detail dialog screenshot fill the full width aspect-[16/9] together with max-h-64 made the browser shrink the image width to keep the ratio once the height was capped, leaving a grey strip on the right. Drop the max-height so the header image spans the dialog. * feat(plugin-sdk): one-command publishing — pack, entry, release Publishing a plugin meant hand-building the zip, running shasum + stat, resolving the tag's commit, and hand-writing the whole registry entry. The SDK does all of it now: - `trek-plugin pack` builds plugin.zip in the exact layout the installer reads (own tiny zip writer, so the SDK stays dependency-free and the format can't drift from the reader), enforces the same native-binary and size rules, and prints the sha256 + size. docs/ is left out — the store fetches the screenshot from the repo, so it doesn't belong in the install artifact (Koffi's went from 943 KB to 15 KB). - `trek-plugin entry` emits the ready-to-PR registry entry from the manifest + the packed zip + the git tag: commitSha (deref'd), downloadUrl, sha256, size, and minTrekVersion derived from the manifest's trek range. `--merge` prepends a new version onto an existing entry for updates. - `trek-plugin release` chains pack → gh release → entry. Also: the scaffold now points the README at docs/screenshot.png (the path the store actually fetches, was screenshot-1.png) with a size hint, and stops hard-coding an MIT license — a plugin is the author's own code under their own license. Round-tripped against the real server extractor; 18 tests. * docs(plugins): rewrite the plugin wiki against the current code + tooling The plugin wiki had drifted from the app and the SDK. Rewrote all four pages, verifying every command, permission, field, path and UI behaviour against source: - Plugins: activation is a toggle (no separate consent screen); install is the Discover tab (no "Browse plugins" button); you review permissions in the detail modal before installing; documents update + re-consent, the ⋯ menu, toolbar filters, capability chips and the health dot. - Plugin-Development: full manifest reference; ws:broadcast:trip/:user (there is no ws:broadcast:*); onLoad + onUnload; the trek:error bridge message and full context payload; trips.* only work in a route handler; asUserId is accepted-but-ignored; integration hooks are declared but not yet wired. - Plugin-Permissions: db:own also covers db.migrate; a host must appear as both an http:outbound:<host> permission and an egress[] entry or it's silently blocked; bare vs per-host outbound. - Plugin-Publishing: the new one-command flow (validate → pack → release → entry), size is a required entry field, signing reconciled with the schema, no reserved namespaces, and the --merge update path. * chore(plugin-sdk): make it npm-publishable so `npx` resolves for authors The docs told authors to run `npx create-trek-plugin` / `npx trek-plugin`, but nothing published under those names, so npx couldn't resolve them. - Ship one package, `trek-plugin-sdk`, with a bin that matches the package name (`trek-plugin-sdk`) so `npx trek-plugin-sdk <command>` resolves with zero install. The dispatcher gained a `create` subcommand, so every step (create/validate/pack/entry/release) runs through that one entry point. The short `trek-plugin` / `create-trek-plugin` bins still work once installed. - Package hardening for publish: repository+directory (monorepo subdir), homepage/bugs/author/engines, publishConfig public, a prepublishOnly that builds + tests, and a LICENSE file. - A publish workflow: pushing a `plugin-sdk-v*` tag builds and publishes with the NPM_TOKEN repo secret. - Docs (SDK README + the four wiki pages) now use `npx trek-plugin-sdk <cmd>`, the invocation that actually resolves. * feat(plugin-sdk): dev server, preflight, auto-PR submit, signing, wizard Round out the author experience so the loop is create -> dev -> release/submit without hand-work or a round-trip through registry review. - `dev`: run a plugin locally with a real request loop and hot reload — no full TREK. Injects a ctx that enforces the manifest's granted permissions (an ungranted call throws, so you catch a missing grant), backs db:own with a real SQLite file (node:sqlite), serves routes under /api and page/widget UI at /ui, and reloads on save. Dependency-free (node:http + built-ins). - `preflight`: run the registry CI checks locally over the network (tag->commit, manifest parity, artifact sha256/size, native scan, README quality gate) so a green run predicts a green CI. - `submit`: fork TREK-Plugins, branch off current main, write/merge the entry, push, and open the PR — the last manual publishing step, automated. - `keygen`/`sign` + `--sign` on entry/release/submit: dependency-free Ed25519 author signatures over the artifact bytes, verified 1:1 against the server's TOFU check. Fills authorPublicKey + signature and guards against a key change. - `create` gains an interactive wizard (id/type/author/permissions) and flags. - README + Development/Publishing/Permissions wikis document the new flow. 24 tests pass (sign round-trips through a server-shaped verifier; zip reader; scaffold options; entry signing + key-change guard). * feat(plugin-sdk): one-command `publish` (pack → release → preflight → PR) Collapses the release into a single command: pack the artifact, tag + create the GitHub release, run the registry CI checks locally (preflight), and open the registry PR — stopping before it submits if preflight would fail, so a broken entry never becomes a doomed PR. `--sign` signs it; `--no-preflight` skips the gate. The individual pack/release/preflight/submit commands still exist. README + the Development/Publishing/Permissions wikis lead with `publish` now. * fix(plugins): security hardening from the PR #1415 audit Remediates the findings from the adversarial audit (threat model: malicious plugin author + malicious artifact). Highlights: Critical - proxy: force nosniff + Content-Disposition: attachment on every proxied reply and drop location/content-disposition + non-2xx from the passthrough, so a plugin can't serve an HTML document at TREK's origin (sandbox-escape → account takeover) or an open redirect. High - db:own runs synchronously in the host: cap the plugin DB (max_page_count) and row-cap query() via iterate() so a recursive CTE / huge blob can't stall the event loop, OOM, or exhaust the shared volume. - supervisor: measure child RSS host-side (/proc/<pid>/statm) instead of trusting the spoofable heartbeat; add an activation timeout so a stuck onLoad can't hang activate() or peg a core unreaped. - safe-extract: enforce entry-count + cumulative-size limits INSIDE readZip before inflating (decompression-bomb OOM). - re-consent: activate() never widens granted permissions without explicit consent (409 CONSENT_REQUIRED); the row toggle + "Update All" route through the consent dialog, which now queues instead of overwriting. Medium/low - egress: gate dgram hostnames through the IP-vetting resolver; block the low-level socket escape (process.binding) + lock the wrapped prototypes; canonicalize IPv6 in isBlockedIp (hex-mapped/compressed metadata); reject degenerate `*.` / whole-TLD / spaced outbound hosts in the manifest + CSP. - ws:broadcast is membership-gated to the acting user's trips / own connections; users.getById is scoped to users the acting user can see (no enumeration). - safe-fetch streams + aborts at the byte cap (chunked codeload OOM); isPrivateIp reuses the canonicalizing check. - native-scan throws instead of silently passing past its entry cap. - SDK: dev serves binary assets as raw buffers + handles EADDRINUSE; manifest validator gains the reserved-id + outbound-host checks; wikis corrected. Tests updated for the new membership-gated behaviour + regression tests added (IPv6 canonicalization, wildcard hardening, outbound-host validation, ws/user scoping). 234 plugin tests + 24 SDK tests green. * fix(plugins): close the 4 PARTIAL findings + regressions from the fix-verify pass A second adversarial pass over the first remediation found four findings only partially closed and five issues the fixes themselves introduced. This closes them: Partial → closed - re-consent gate keyed on `granted.length > 0`, so a plugin first activated with ZERO permissions (granted '[]') was treated as never-consented and a later widening was granted silently. Now discovery marks a never-consented plugin with granted_permissions '' and activate() gates on "ever consented" (any non-empty string, including '[]'). - db:own DoS: block WITH RECURSIVE outright (the one construct that spins the synchronous host unboundedly regardless of the size/row caps, via query OR exec). - dgram: also wrap `new dgram.Socket(...)` (bypassed createSocket) to inject the IP-vetting lookup, and lock createSocket/Socket. - frame self-navigation: documented as a bounded best-effort mitigation (inherent to sandboxed iframes; exposure is the plugin's own routes + already-held context, never the httpOnly cookie). Regressions introduced by the first pass → fixed - proxy: only real redirects (301/302/303/307/308) are gated, to a RELATIVE in-app Location (supports OAuth-callback bounce, blocks open redirect); 300/304 pass through; attachment only on non-redirects. - supervisor: measure RSS via /proc/<pid>/status VmRSS (page-size independent); activation-timeout awaits kill() before disposing the db handle. - manifest HOST_RE: allow single-label hosts (self-hoster sibling services) while keeping wildcards multi-label; mirrored in the SDK + frame CSP filter. Regression tests added (re-consent incl. the '[]' case, WITH RECURSIVE + row cap, single-label host). 236 plugin tests + 24 SDK tests green. * docs: refresh README screenshots (8) + swap the second trip shot for Collections Replaces all eight README gallery screenshots with current-UI captures and swaps docs/screenshots/trip-iceland.png for collections.png (saved place lists). * fix(plugin-sdk): make require('trek-plugin-sdk') actually resolve everywhere A freshly scaffolded plugin could not load anywhere: the npm package is ESM-only (no require condition in its exports map), so the scaffold's require('trek-plugin-sdk') threw ERR_PACKAGE_PATH_NOT_EXPORTED under `trek-plugin dev` - and the runtime injection the wiki promised for the plugin child never existed, so a packed plugin (node_modules stripped) crashed with MODULE_NOT_FOUND after a real install. - plugin child: inject a frozen {definePlugin, PLUGIN_API_VERSION} shim for require('trek-plugin-sdk'); subpaths fail with a pointed error - trek-plugin dev: inject the exact same shim, so a fresh scaffold runs with zero npm install and dev parity with production holds - npm package: ship a real CommonJS build (dist/cjs + require export conditions) so the installed package also requires cleanly on Node 18+ - create: scaffold a package.json (type commonjs, SDK as devDependency, npx scripts); print resolvable `npx trek-plugin-sdk ...` hints - wiki: package.json in the scaffold tree + publishing checklist, and document the zero-install dev flow * fix(plugins): tolerate a UTF-8 BOM in trek-plugin.json Windows editors love to prepend a BOM, and a bare JSON.parse then dies with an "Unexpected token" pointing at an invisible character - in the SDK CLIs (dev/validate/entry/submit) and, worse, server-side: a BOM in an author repo travels through pack into the artifact and fails discovery and registry install. Strip it at every manifest/JSON read (readJsonFile in the SDK, parseJsonText in the installer). * fix(plugin-sdk): dev db binds an args array like the real host, and a failed onLoad stops the routes * ci(plugin-sdk): publish on Node 22; skip the dev-db bind test without node:sqlite * docs(wiki): document AI booking import, guest members and packing sharing Fill the gaps left after the 3.2.0 feature work: - add an AI Booking Import page for the AI Parsing addon (providers, admin/per-user config, model pull, the review-before-save flow) and link it from Reservations & Bookings and the sidebar - document guest members on Trip Members and Sharing (owner-only, what they can be assigned to, and the sign-in/notification/visibility limits) - document the three packing sharing tiers and co-bringing on Packing Lists - add TRANSIT_API_URL and the plugin variables to Environment Variables, and correct the language list to 22 (add Swedish and Vietnamese) - list the airtrail and llm_parsing addons in the Addons overview * feat(plugins): enable the plugin system by default The runtime and the Admin -> Plugins panel are now available out of the box; TREK_PLUGINS_ENABLED becomes an opt-out (set it to false to switch the whole system off). Installed plugins are still registered inactive and have to be activated one by one, so no third-party code runs until an admin turns a specific plugin on. Update the kill-switch default test and the plugin/env-var wiki pages to match. * fix(costs): KGS is selectable as default/expense currency (#1400) * fix(map): render date-line-crossing routes as one continuous arc (#1411) The great-circle sampler normalizes longitudes to [-180,180], so a transpacific leg jumped +-360 between neighbours and got split into two polylines pinned to opposite map edges. Unwrap the longitudes instead (shared flightGeodesy module for both renderers): Leaflet additionally draws a +-360-shifted copy so both halves show in the standard view, GL maps repeat world copies themselves. * fix(map): clear the hover card on marker click and camera moves (#1404) Clicking an off-center place recenters the map under a stationary cursor, so mouseout/mouseleave never fires and the hover card sticks. Clear it on marker click and on movestart, and suppress re-shows while the camera is animating (marker rebuilds re-fire mouseenter mid-pan). feat(map): long-press + plain right-click add-place on GL maps (#1398) The GL providers only bound middle-click, so mobile had no way to add a place at a position (and Macs have no middle button). Add a 600ms touch long-press with move tolerance and the map contextmenu event - both GL libs suppress it while the right-button rotate/pitch drag is active, so the gesture keeps winning. * fix(mcp): keep SSE streams alive and stop invalidating sessions on unrelated saves (#1414) Three separate causes for the reconnect-per-tool-call pain: - no keep-alive on the standalone GET stream, so reverse proxies with idle timeouts (nginx default 60s) killed it between calls - send an SSE comment ping every 25s (MCP_SSE_KEEPALIVE, 0 = off) and count an open stream as session activity - the session TTL was hard-coded - MCP_SESSION_TTL (seconds, clamped to 24h) now works as the issue expected - every addon save invalidated ALL sessions: config-only saves, photo provider toggles and addons with no MCP surface included. Only a real enabled-flip of an MCP-relevant addon (or an actual collab-feature change) tears sessions down now. * feat(api): OpenAPI/Swagger docs at /api/docs behind TREK_API_DOCS_ENABLED (#1412) Swagger UI + raw spec (/api/docs-json, -yaml) over all controllers, with a bearer button that works with a plain session JWT. Off by default - the spec enumerates the whole surface incl. admin routes, so exposing it is an explicit self-hoster decision (same kill-switch pattern as TREK_PLUGINS_ENABLED). Request bodies come from the Zod schemas the routes already validate with: an enricher walks every controller, finds whole-body ZodValidationPipe params and lifts their schema into the document via zod v4's native z.toJSONSchema - nothing is annotated twice, and any route that gains a Zod pipe is documented automatically. * fix(map,mcp): review follow-ups for the issue-fix batch - mapbox-gl (unlike maplibre) still emits the map contextmenu after a right-button rotate/pitch drag on Windows - guard it with the pressed position so ending a rotate can't open the Add-Place form (#1398) - a long-press whose fire was deduped (or that never yields a click) no longer leaves suppressNextClick armed to swallow a later real tap - MCP_SSE_KEEPALIVE=0 keeps the open-stream-counts-as-activity guarantee: the touch interval survives, only the pings stop (#1414) - swagger-ui-dist ships @scarf/scarf install-time analytics - disabled via scarfSettings in the root package.json, TREK sends no telemetry - Budget wiki currency list: 47 incl. KGS (#1400) * feat(map): real road routes for car/bus/taxi/bicycle bookings instead of straight lines Road-based transport bookings drew an as-the-crow-flies line; only transit journeys (Transitous) showed the real path. A shared useTransportRoutes hook now fetches the OSRM road geometry (driving for car/bus/taxi, cycling for bicycle) — reusing the day-route router and its cache — and both renderers draw it in place of the straight arc, falling back to the straight line until it loads or if routing fails. Trains/other keep their straight line (not road-routable); a 2000 km sanity cap avoids hammering the public router on cross-continent quirks. * feat(transport): multi-leg train bookings (#1150) Long train trips are usually several trains under one booking. Trains now get the same multi-leg editor flights have: an ordered chain of stations (station search instead of the airport picker) with a per-leg train number + platform, saved as from/stop/to endpoints + metadata.legs — mirroring the flight leg contract, so the map draws the whole chain and the day plan splits it into one row per leg (drag/reorder/position persistence come for free from the shared __leg machinery). A single-leg train saves exactly as before (flat metadata, no legs), and the flat train-fields block is gone in favour of the per-leg inputs. Day sidebar, shared trip view and the PDF render each train leg like a flight leg. * feat(collections): per-collection custom labels Each list can now define its own labels (e.g. Berlin, Hamburg, Ostsee in a "Germany 2026" list) and organise its places by them: - manage labels (create / rename / recolor / delete) from a label manager - assign labels to a place from its detail sheet, or to many places at once from the selection toolbar - filter the place list AND the map by label (multi-select, any-match) Labels are scoped to a collection and shared by all its members. Managing and assigning labels needs edit rights; filtering is available to everyone. Moving a place to another list drops its labels, since they belong to the source list. * test(collections): pass the required labels prop in CollectionPlaceDetail test The per-collection labels feature (a5522e99) made `labels` a required prop and renders `labels.filter(...)`, but the test's props cast to Omit<DetailProps,'t'> hid the missing prop, so `labels` was undefined at runtime and crashed the whole suite (Cannot read properties of undefined reading 'filter'). Pass labels: [] like categories. * docs(wiki): document collection labels, multi-leg trains and road-route overlays - Collections: add a Custom labels section (manage / assign / filter), note the label filter + bulk assign, and the view-vs-edit permission split - Transport: rewrite the train fields as the multi-leg route editor, correct the transport type list (nine types) and the map/day-plan behaviour - Map Features: car/bus/taxi/bicycle overlays follow real roads; multi-leg trains draw their full station chain; date-line routes render as one continuous arc --------- Co-authored-by: jubnl <jgunther021@gmail.com> Co-authored-by: jufy111 <jeffturner93@gmail.com> Co-authored-by: Azalea <noreply@aza.moe> Co-authored-by: Zorth Thorch <jasper_goens@hotmail.com> Co-authored-by: leeduc <lee.duc55@gmail.com> Co-authored-by: yael-tramier <tramier.yael@gmail.com> Co-authored-by: michael-bohr <mjbohr@gmail.com> Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com> Co-authored-by: Gio Cettuzzi <gio.cettuzzi@gmail.com> Co-authored-by: mauriceboe <mauriceboe@users.noreply.github.com> Co-authored-by: jubnl <66769052+jubnl@users.noreply.github.com>
2026-07-05 07:13:04 +08:00
- [[AI Booking Import|AI-Booking-Import]]
- [[Transport: Flights, Trains, Cars|Transport-Flights-Trains-Cars]]
- [[Accommodations]]
- [[Budget Tracking|Budget-Tracking]]
- [[Packing Lists|Packing-Lists]]
- [[Packing Templates|Packing-Templates]]
- [[Todos and Tasks|Todos-and-Tasks]]
- [[Documents and Files|Documents-and-Files]]
- [[Tags and Categories|Tags-and-Categories]]
## Photos & Media
- [[Photo Providers|Photo-Providers]]
- [[PDF Export|PDF-Export]]
## Collaboration
- [[Real-Time Collaboration|Real-Time-Collaboration]]
- [[Collab Chat|Collab-Chat]]
- [[Collab Notes|Collab-Notes]]
- [[Collab Polls|Collab-Polls]]
- [[What's Next Widget|Whats-Next-Widget]]
- [[Public Share Links|Public-Share-Links]]
- [[Invite Links|Invite-Links]]
## Addons
- [[Addons Overview|Addons-Overview]]
- [[Vacay]]
- [[Atlas]]
- [[Journey Journal|Journey-Journal]]
3.2.0 (#1426) * docs(wiki): document the snap Docker + no-new-privileges startup failure * fix(setup): warn when ADMIN_EMAIL/ADMIN_PASSWORD are ignored, ship reset-admin The first-run seeder only applies ADMIN_EMAIL/ADMIN_PASSWORD on an empty database and then silently ignores them. People add the vars after the first boot, or pull a fresh image without clearing ./data, restart, and cannot log in with no hint why (#1339). The default is a generated password (not the .env.example placeholder), printed once in the first-run box. Now: warn loudly when the vars are set but a user already exists, and warn on a partial (one-of-two) config instead of quietly falling back. Also ship the reset-admin recovery script in the image -- it was never COPYed in despite the wiki referencing it. node server/reset-admin.js resets/creates admin@trek.local with a generated password (RESET_ADMIN_EMAIL/RESET_ADMIN_PASSWORD overridable), picks a free username so it cannot trip UNIQUE(username), and sets must_change_password. * feat(extract): extract data using LLM * fix(extract): auto-run the AI fallback when the addon is enabled Booking import only fell back to the LLM when each user flipped an 'always retry with AI' toggle, so by default files kitinerary returned nothing for just failed. Run the fallback automatically whenever the AI Parsing addon is on (fallback-on-empty); drop the now-redundant per-user toggle and its setting. * fix(extract): make AI imports reliable and fast on local models client: the import call inherited the global 8s axios timeout and aborted long LLM extractions even though the server finished it; remove the timeout. server: raise the OpenAI-compatible LLM timeout 60s->180s (a cold Ollama model can take ~45s to first token). server: cap extracted text to 8000 chars before the LLM - multi-page T&C tails (30k+ chars) overflowed the context window, truncating the relevant head and making CPU inference crawl; booking details sit at the top. * feat(extract): fill transport/booking fields, geocode endpoints, assign days - rental car: request+map dropoffLocation, emit pickup->return from/to endpoints, set a location string (G1/G2/G3). - geocode endpoints (stations/stops/terminals/rental desks) on confirm via Nominatim; mapper now emits coordless named endpoints and confirm persists only the geocoded ones (G6). - assign every dated booking to the nearest trip day so it still shows when slightly out of range, and keep hotel accommodation from vanishing when a check date misses (G5/G10). - fix bus mislabelled as train + add bus_number metadata (G7/G8), flag malformed boats (G9), accept root start/end time for events (G11). - raise the local-LLM timeout to 300s for CPU-only Ollama. * perf(extract): cap LLM input at 4000 chars for CPU-only speed On a GPU-less host the model's prompt-eval time scales with input length and dominates total latency. Booking details sit at the top of a confirmation, so capping the extracted text at 4000 chars (was 8000) roughly halves extraction time (~50s warm for a capable local 7B model) with no loss of fields on real hotel/rental confirmations. Tunable if a long multi-segment itinerary needs more. * feat(extract): capture seat, class, platform, price + event venue contact Request and map root-level seat/class/platform and a total price/currency into reservation metadata (shown on the card; price reuses the existing label). Read both the root and reservationFor and tolerate common field-name aliases (priceAmount, priceCurrencyISO4217Code, fareClass, ...) since models name these inconsistently. Also capture event/attraction venue telephone + url onto the auto-created place, matching lodging/restaurant. * feat(extract): create a linked cost from the booking price on import When a confirmation carries a total price, record it as a real expense linked to the reservation (in the matching Costs category) instead of leaving the amount in metadata only. Gated on the Costs addon. * fix(extract): refresh accommodations after a booking import A freshly imported hotel links to an accommodation that lives outside the trip store, so loadTrip alone left the reservation edit modal with blank place/date fields. Reload the accommodations list once the import finishes. * feat(extract): drive NuExtract with its native template NuExtract isn't an instruct model — fed a plain chat prompt it just echoes the schema back. Detect a NuExtract model by id and talk to it the way the model cards document: the JSON template inlined in a single user message, no system prompt, no json_schema, temperature 0. Its flat result is mapped back to the same KiReservation shape the rest of the pipeline already uses, so nothing downstream changes; every other model keeps the generic prompt. Money is taken as a verbatim string and parsed locally (German "1.580,22 €" otherwise comes back as 1.49772), a rental car's pickup/return ride the from/to fields so a stray form label doesn't become the location, and a lodging with no name falls back to its address instead of being dropped. * fix(admin): tidy the AI parsing settings and recommend the 2B model The provider picker is the shared CustomSelect now and the form is split into clear sections rather than a flat stack of inputs. NuExtract 2.0 2B is the recommended default — fastest on a CPU-only host and MIT licensed; the 4B carries a non-commercial licence, so it's no longer flagged as recommended. * feat(import): review each parsed booking before it's saved Instead of writing parsed items straight to the trip, the import opens the normal edit modal pre-filled for each one, so you can check and fix it before saving — useful when a model guesses a wrong date or address. Hotels gained an editable address field; on save an existing place is matched by name, otherwise the reviewed address is geocoded and a new place is created. * feat(extract): drive local parsing through a layered extraction router The single-shot prompt was unreliable on multi-leg flights and longer documents, and slow on a CPU host. For the local provider, run a small router instead: - deterministic vendor templates first, with no model call at all - exactly one grammar-enforced call per document via Ollama's native `format` (flights as a flat array of legs, everything else as one flat reservation, the type picked from keywords or a union schema) - booking-wide fields (booking reference, total price, the overnight arrival day) filled deterministically from the text afterwards, and dates coerced to ISO so a natural-language date can't slip through Recommend qwen2.5 in the AI-parsing settings instead of NuExtract. * feat(import): parse bookings in the background with a progress widget Parsing a booking can take a while on a CPU host, so don't hold the upload modal open for it. The async import endpoint returns a job id right away; the parse runs server-side (one at a time per user) and pushes progress over the user's WebSocket, and a small widget in the bottom corner tracks it while the user keeps navigating and editing. A finished job opens the per-item review from the widget. * fix(import): create linked costs and accommodations from reviewed bookings Reviewing an imported booking saves it through the normal reservation form, which dropped the parsed price (so no linked cost was created) and only created the accommodation when both nights matched a trip day. Carry the parsed price into a linked cost on save, and create the accommodation from whichever day the check-in/out dates resolve to. * feat(extract): add Expedia and rental-broker booking templates Pull the hotel/rental fields these vendors print in a stable text layout (name, address, stay/pickup dates, price, reference) deterministically, so the import stops depending on the local model for them. Handles German long/abbreviated months and English dates incl. 12-hour and comma forms. * fix(extract): backfill booking code/total and harden the reference match Apply the deterministic confirmation-code and total fill to vendor-template results too (not just model output), and require the captured reference to contain a digit so a bare 'Confirmation'/'Reference' label no longer grabs the next prose word. * fix(import): keep the parse-progress widget across a reload Persist the background-import tasks (id/trip/status only) and re-fetch each job's status on mount, so a parse still running when the page reloads keeps its widget instead of vanishing; expired jobs (404) are dropped and a restored 'done' task re-fetches its items. * fix(reservations): skip un-geocoded endpoints instead of failing the save reservation_endpoints.lat/lng are NOT NULL, so saving a reviewed transport whose pick-up/return couldn't be geocoded threw a 500 and lost the whole booking (dates, linked cost). Skip those rows; the dates still persist on reservation_time/reservation_end_time. * fix(import): resolve an imported transport's day from its parsed dates A reviewed transport (e.g. a rental car) arrived with only its parsed pick-up/return dates and no day_id, so the modal kept just the time and saved a bare "HH:MM" with no date. Resolve start/end day from the parsed dates (exact match, else nearest trip day) so the booking lands on the right days. * fix(import): refresh costs after a booking review so imported expenses appear without a reload Imported bookings auto-create their linked budget items server-side, but the saving client suppresses its own budget:created echo, so the Costs list stayed stale until a manual reload. Reload the budget items when the review session ends. * refactor(extract): dedupe currency/day helpers, drop redundant casts, support JPY vouchers Code-audit clean-ups: share one normCurrency between the router and the templates, lift the duplicated nearest-day resolver into formatters.resolveDayId, drop two needless as-unknown-as casts at the fillBookingWideFields call sites, restore routeExtraction's doc comment, and give the broker template readable names. Plus recognise ¥/JPY and fall back to a standalone symbol amount, so a Klook-style voucher whose price sits far from any label still yields a cost. * feat(import): attach the parsed source document to each booking Keep the uploaded files on the background task and hand them to the review flow, so each reviewed booking pre-fills its Files with the document it was parsed from (uploaded with the booking on save). The two modals also adopt the shared resolveDayId helper. * fix(extract): disable model thinking for grammar-constrained extraction Hybrid/reasoning models (Qwen3 and similar) default to emitting reasoning tokens, which collide with Ollama's format-grammar constraint — on CPU this produced null/unparseable output and blew the latency budget (qwen3:8b: null or 300s timeouts vs ~20s with thinking off). Send think:false on the /api/chat call; Ollama ignores it for non-thinking models (verified on qwen2.5:7b), so it's safe and unlocks the stronger Qwen3 family. * feat(extract): recommend Qwen3-8B as the local extraction model A/B against the prior default (qwen2.5:7b) on CPU showed Qwen3-8B is both faster and more accurate on tricky/multilingual booking docs (correct Airbnb year+price, correct DisneySea admission date), once thinking is disabled — which the router now does. Feature it as the recommended pull, keep qwen2.5:7b as the fallback. * refactor(extract): drop vendor templates, let the model drive with deterministic backfill Now that a capable instruct model (Qwen3-8B, thinking off) reads name/address/dates/legs reliably across formats, the per-vendor template short-circuit distorted more than it fixed: brittle on layout variations and overriding the better model output. Remove the template layer; the model extracts the structure and Schicht 2 backfills the confirmation/total and takes the currency from the document's own symbol (correcting model misreads like ¥→$). Per-type prompts now also ask for address and price/currency. * fix(extract): require the hotel address and ask for the rental company After dropping the vendor templates, the model skipped the (often unlabeled) Expedia-style hotel address — making address a required schema field forces it to emit the street-address line, restoring the booking's location/place. Also hint the rental company so a car booking gets a real title instead of the generic fallback. * fix(import): refresh costs immediately after an imported booking is saved The saving client gets no budget:created echo (X-Socket-Id) and the create response omits the linked budget item, so the booking's Costs section and the Costs tab stayed stale until a manual reload. Reload the budget items right after a create that carried a budget entry. * perf(extract): cap single-booking text tighter; require rental company A long single-booking PDF (e.g. an 11-page rental voucher) spent ~200s on CPU prompt-eval at the 16k cap, though its data sits in the first ~2k. Cap non-flight docs at 6k (flights keep 16k for all legs). Also make the rental operator a required field so the car gets a real title. * fix(import): preview the parsed cost as linked in the review modal During the per-item import review the booking isn't saved yet, so the Costs section showed an empty 'Create expense' even though a linked cost will be created on save. Show the parsed price (amount + category) as the pending linked expense so the user can verify it up front. Reuses existing i18n keys. * fix(import): persist source files in IndexedDB so attach survives a reload The source document was only kept in memory on the background task, so a page reload during the (now always-LLM ~25s) parse lost it and the booking saved without its file. Store the uploaded files in IndexedDB keyed by job id; the review loads them from there when the in-memory copy is gone, and a 1h TTL prunes abandoned imports. * chore(extract): recommend only Qwen3-8B (drop Qwen2.5 from the curated list) Qwen3-8B is the identified default; the prior Qwen2.5 entries are no longer needed in the pull list. * feat(settings): let users set their own AI parsing model Adds an "AI parsing" section under Settings -> Integrations where a user can choose the LLM provider, model, base URL, API key and multimodal option used for booking extraction. This per-user config applies when an admin has not configured an instance-wide model. Reuses the existing encrypted user settings: the API key is stored encrypted, never prefilled, and a blank field keeps the stored one. Adds settings.aiParsing.* across all 20 locales. * fix(settings): show the Integrations tab when only AI parsing is enabled hasIntegrations gated the tab on memories/mcp/airtrail only, so a user with just the llm_parsing addon enabled saw no Integrations tab and could not reach the AI parsing config. Include llmEnabled in the gate. * feat(settings): use the shared custom dropdown for the AI parsing provider Swap the native select for CustomSelect so the provider picker matches the rest of the app's styling (dark mode, portal dropdown). * refactor(planner): move the import-review bridge effect into the page hook TripPlannerPage held a useEffect (the background-import → review bridge), which trips the page-pattern check (pages must stay wiring containers). Move the effect and its store/IndexedDB wiring into useTripPlanner where the rest of the import-review state already lives. * test(llm-parse): cover the extraction router, client factory and import jobs The new LLM extraction router shipped with little branch coverage, dropping src/nest below the 80% gate. Add unit tests for routeExtraction (flights/single/union/error paths, deterministic booking-wide fill), the native Ollama format client, the provider factory, the local-router service path with its type-aware text cap, the flat->schema.org mapper's remaining reservation types, and the background import-jobs runner. Also remove the now-unused validate.ts (only its FlatLike type was still referenced; moved to flat-schemas). * test(setup): stub websocket addListener/removeListener in the global mock BackgroundTasksWidget (mounted globally in App) subscribes via addListener/removeListener from api/websocket, but the global test mock didn't export them, so every test that renders <App/> threw on mount. Add the two stubs. (Surfaced now that the page-pattern check passes and the client test step actually runs.) * fix(i18n): add Swedish translations for the AI booking-import settings The Swedish (sv) locale landed on dev (#1325) after this branch added the AI-parsing settings/reservation keys to the other locales, so sv was missing them — strict i18n key parity failed after rebasing onto dev. Adds the 3 reservations.import.* and 17 settings.aiParsing/aiAlwaysRetry keys in sv. * fix(extract): don't let the day-clamp fallback break reservation resync (#1288) This branch added a clamp-to-nearest-day fallback to resolveDayIdFromTime so an imported booking whose exact date has no day row still lands on a day. After rebasing onto dev, that collided with #1288's resyncReservationDays, which relies on the original "null when no exact day" semantics to leave a booking whose date now falls outside the range untouched — instead it snapped to an edge day (TRIP-SVC-019 failed: expected day_id kept, got the clamped one). Make clampToNearest an opt-in parameter (default true, preserving the import behaviour for create/update) and have resyncReservationDays pass false, so out-of-range bookings keep their day_id. Full server suite green (4082). * Added focus to search places in placeFormModal * fix(airtrail): import departure/arrival times for manually-entered flights (#1336) The mapper read only `departureScheduled`/`arrivalScheduled`, but those columns are optional in AirTrail and stay null for manually-entered flights — where `departure`/`arrival` are the only times set. So the import dropped the departure clock (date-only) and the whole arrival (no date, no time), exactly as reported. AirTrail's own rule is "use departure if available, otherwise fall back to departureScheduled". Mirror that: prefer the scheduled instant, fall back to the primary departure/arrival, in mapFlightToReservation, normalizeFlight, and the sync hash. Hashing the resolved instant means flights already imported without a scheduled time re-sync once and pick up their clock automatically; flights that do have scheduled times are unaffected (no spurious re-sync). Tests: 3 new mapper cases (fallback mapping, picker preview, hash tracking); two existing cases that asserted the scheduled-only behaviour updated to the "neither time set" case. Full server suite green (4085). * fix(pwa): stop unregistering the service worker on offline boot (#1346) Opening the installed PWA offline showed Chrome's "no internet" page instead of the cached app. On boot the axios response interceptor reacts to a failed request with no response by probing /api/health; the probe collapsed "genuinely offline" and "edge-proxy auth wall" into a single reachable=false, so the interceptor unregistered the service worker and reloaded — straight into a dead network. navigator.onLine is true on mobile while offline, so the existing guard didn't help. This also defeated the offline data layer (withOfflineFallback, authStore's offline branch), which runs later in the chain. Fix: connectivity.probe() now returns a discriminated state ('online' | 'offline' | 'proxy-wall'). A fetch that throws, or navigator.onLine false, is 'offline'; a cross-origin redirect (CF Access, via redirect:'manual' → opaqueredirect) or an HTML auth wall (Pangolin) is 'proxy-wall'. The interceptor only tears down the SW on 'proxy-wall'; on plain offline it lets the request reject so the cached shell + IndexedDB serve the app. CF Access / Pangolin reauth still works — the proxy always presents a reachable redirect or HTML wall, which the probe now detects positively. Regression dates to v3.0.16 (#964), surfaced by the 3.1.0 rewrite. Tests: 6 new connectivity cases (offline/online/proxy-wall discrimination); client tsc clean, full client suite green (2850). * fix(map): keep the mobile GPS button above the day-detail panel (#1348) On mobile the location (GPS) FAB sat at bottom: calc(var(--bottom-nav-h) + 12px), which only clears the bottom nav. When a day is selected, DayDetailPanel slides up over the map from bottom: navh+20 and spans nearly full width at z-index 10000, covering the button's band — so the button was hidden behind it. DayDetailPanel now publishes its live measured height to a root CSS var --day-panel-h (ResizeObserver, reset to 0 on unmount), and both map renderers lift the button above the panel when it's open, reusing the hasDayDetail prop they already receive: hasDayDetail ? calc(var(--bottom-nav-h) + 20px + var(--day-panel-h) + 12px) : calc(var(--bottom-nav-h) + 12px) Applied to both the Leaflet (MapView) and GL (MapViewGL) renderers. When the panel closes, hasDayDetail is false and the offset falls back to the bottom-nav value. Desktop is unaffected — the button is mobile-only. Tests: new DayDetailPanel case asserting --day-panel-h is published and reset on unmount; client tsc clean, full client suite green (2851). * feat(mobile): make the bottom-nav "+" context-aware per trip tab (#1349) On mobile the bottom-nav "+" always created a new place (except on the Costs tab, where it added an expense). It now matches the active trip tab: Bookings adds a reservation, Transports adds a transport, Costs adds an expense, and everything else (Plan, plus tabs that have no create modal — Lists / Files / Collab) keeps adding a place. Follows the existing ?create=<intent> pattern: BottomNav.useCreateAction emits the per-tab intent, and useTripPlanner consumes create=reservation|transport to open the booking / transport modals (both already mounted at page level). Place and expense were already wired; this just extends the mapping. Tests: 4 new BottomNav cases (plan/bookings/transports/costs → correct intent + navigate target); client tsc clean, full client suite green (2855). Implements mauriceboe/TREK#1349 * [+] Unsplash * [+] i18n * feat(trips): download chosen Unsplash covers into uploads (#1277) Previously a selected Unsplash photo was stored as a remote images.unsplash.com hot-link, so covers broke offline and on link rot. The trip PUT handler now fetches the picked image through the SSRF guard and saves it under uploads/covers, rewriting cover_image to the local path (502 if the download fails). Also debounces the cover search so a slow earlier request can no longer overwrite newer results, drops a dead userId parameter, and reverts an unrelated vite proxy change. * test(trips): cover the Unsplash cover download and search-race guard (#1277) Adds unit coverage for saveUnsplashCover (host check, content-type and size limits, download failure), the searchUnsplashPhotos error and success paths, and the PUT handler internalising a hot-link. Updates the existing PUT tests for the now-async handler. * fix(docker): keep server/reset-admin.js in the build context (#1339) The Dockerfile copies server/reset-admin.js (the admin recovery script), but .dockerignore also listed it, so it was stripped from the build context and the image build failed with a not-found error. Drop the ignore entry so the COPY resolves again. * fix(llm): stop the browser autofilling the LLM base URL (#1301) The AI-parsing base URL and model inputs had no autoComplete, so a browser password manager could drop the saved login email into the base URL field. In the admin addon config onBlur then fired a model lookup against e.g. "admin@trek.local", which the server rejected with 400. Mark the base URL and model inputs as type=url / autoComplete=off in both the admin addon config and the per-user connection section. * feat(appearance): add per-user appearance config contract Shared AppearanceConfig (color scheme, accent, transparency, per-tier type scale, density, reduce-motion and per-device dashboard widgets) stored as one JSON blob under the existing settings key. normalizeAppearance never throws, so a malformed/partial/future blob degrades to the neutral default and can never reach the DOM. No DB migration; the default reproduces today's look exactly. * feat(appearance): token-driven theme engine with schemes and FOUC-safe boot applyAppearance is the single writer of styling to the DOM (the .dark class plus data-scheme/-no-transparency/-density/-reduce-motion and the custom-accent/type-scale CSS vars). An external pre-paint /theme-boot.js replays a cached snapshot before first paint and complies with the production CSP (script-src 'self'), fixing the long-standing theme FOUC. Adds seven color schemes (incl. a true high-contrast that raises neutral contrast), a custom accent with auto-derived legible text, an extended token layer (accent variants, status/shadow/overlay/inverse), a scheme-gated legacy accent bridge, and a transparency-off layer. The default scheme sets no attributes, so existing users are unaffected. * feat(settings): appearance settings tab New Appearance tab with color mode (moved out of Display), color-scheme swatches, a custom accent picker with a live WCAG contrast hint, transparency and reduce-motion toggles, density, a global text-size slider with advanced per-tier controls, and per-device dashboard widget toggles. Edits preview live and commit on a short debounce. i18n keys added across all locales, translated for German. * feat(dashboard): per-device widget visibility with layout reflow Dashboard widgets (currency, timezones, upcoming reservations, atlas and the stat tiles) can be shown or hidden independently on desktop and mobile from the appearance settings. The stat grid spreads its visible tiles to full width, and disabling the right sidebar collapses the layout to a single centered column. * chore(appearance): add theme:lint guard for hardcoded styles A theme:lint script (modeled on i18n:parity) flags new inline color/fontSize literals and arbitrary-hex Tailwind classes that bypass the design tokens, so future code stays themeable. Map/PDF surfaces are exempt. The token taxonomy and the six theming rules are documented in src/theme/README.md. * fix(appearance): scale inline px font sizes so text-size reaches all content The global text-size control only set the root font-size, which scales rem-based text (navbar, menus) but not the dense inline px sizes used across the trip planner, budget, journey and panels — so place titles and addresses stayed fixed. applyAppearance now also exposes the factor as --fs-scale-text, and a codemod wraps inline numeric fontSize in calc(<px> * var(--fs-scale-text, 1)) across components and pages (map popups and PDF excluded). Sizes are byte-identical at 100%; the control now visibly resizes the actual content. * fix(appearance): clearer widget settings, density hint, solid surfaces with transparency off Dashboard widget settings are grouped by where they sit on the dashboard (below the hero / right sidebar / bottom of page); the right-sidebar master toggle now nests its individual widgets and greys them out when the sidebar is off, instead of a confusing flat list mixing the master with its children. Density gains an explanatory hint plus a real compact spacing effect. Transparency-off also solidifies the Atlas glass panels and tooltip, Leaflet zoom controls and GL popups — class-based surfaces via CSS, the Atlas inline panels via a noTransparency flag. * fix(appearance): keep i18n key parity and update the scaled-emoji test Add the new appearance settings keys (widget group titles, sidebar/density hints) to every locale so the strict key-parity check passes, and update the single-emoji chat test to expect the now-scalable calc() font size. * feat(appearance): granular per-size text scaling with live preview The text-size control now adjusts each size class (Large / Medium / Normal / Small) independently as well as all-at-once. Inline px sizes are mapped to a class by their value, so the per-class sliders reach real content; each class variable = global factor x its per-class factor (no double-scaling with the root font-size that handles rem text). The settings UI gains a live preview that resizes as you drag, and the four size sliders sit behind a clear toggle. * feat(appearance): show per-size text controls inline with examples The four size-class sliders (Large/Medium/Normal/Small) are now always visible instead of behind a disclosure, each with a live sample rendered at that size and an example of what it affects (e.g. Normal = place names/descriptions, Small = addresses/labels). * fix(appearance): shorten the Auto color-mode label to 'Auto' on mobile * fix(appearance): make the dashboard hero boarding-pass solid with transparency off * feat(appearance): mark the Readability section as experimental Transparency-off, density and per-size typography are best-effort while the token migration is ongoing, so the section carries an Experimental badge. Adds the i18n key across all locales. * chore(about): remove the monthly supporters section * refactor(settings): rename the Display tab to General and group its settings The Display tab became a catch-all once theming moved to its own Appearance tab, and its 'Display' label no longer fit. It is now 'General' (Allgemein) and split into 'Language & region' and 'Travel & map' sections. Tab labels and the new section titles are added across all locales. * refactor(admin): group the admin sidebar tabs into sections The admin sidebar had 11 flat tabs. PageSidebar now supports optional group headings (backward-compatible; the Settings sidebar stays flat), and the admin tabs are grouped into Users, Configuration, Integrations and Maintenance. Group labels added across all locales. * feat(help): embed the TREK wiki as an in-app help centre Add a Help section (profile menu, /help) that renders the GitHub wiki inside TREK. /api/help fetches the wiki markdown — the nav from _Sidebar.md, pages, and proxied images — from GitHub and caches it (1h TTL, serves stale on outage), so it auto-syncs on wiki edits with no redeploy and the client never calls GitHub directly. The page is styled to match TREK with a section sidebar, search and react-markdown; wiki [[links]] are rewritten to in-app routes and HTML-comment placeholders are stripped. Page state lives in a useHelp() hook per the page pattern. Adds nav.help and a help namespace across all locales. * feat(auth): explain the plain-HTTP secure-cookie gotcha on login When the server issues a Secure session cookie but the request arrived over plain HTTP (the common LAN install over http://ip:3000), the browser drops the cookie and the next request dead-ends on a bare "Access token required" — the top source of avoidable install issues. The login response now flags this exact case and the login page shows a localized box explaining the fix (use HTTPS, or set COOKIE_SECURE=false) with a link to the Troubleshooting guide. It only triggers in the real failure case, never for correct HTTPS setups. * feat(costs): Splitwise-like cost splitting Add per-payer and per-member custom split amounts with Equally, Custom and Ticket split modes on top of the existing equal split, keep legacy "paid by" expenses working, and document the modes in the Budget Tracking wiki page. * feat(i18n): add Vietnamese translations * chore(i18n): sync Vietnamese with latest dev keys Add the keys dev gained since this PR opened so the new vi locale keeps full parity: the help namespace (wiki help center), settings appearance options, costs split modes, dashboard Unsplash cover search, the insecure-cookie login hint, nav.help and the admin group labels. * feat(helm): Add existingClaim variable for custom PVC usage. * fix(helm): emptyDir is used as a fallback when persistence is disabled. * docs(helm): clean up existingClaim notes Strip stray zero-width characters from the persistence docs, move the PVC note out of the ENCRYPTION_KEY usage block into its own Persistence section in NOTES.txt, and document that persistence.enabled=false falls back to an ephemeral emptyDir. * feat(feeds): subscribable ICS calendar feeds for trips Adds TripIt-style live calendar subscriptions alongside the existing one-time .ics download. A trip (or all of a user's trips) exposes a secret, revocable feed URL that Google/Apple/Outlook poll to stay in sync. - Public read endpoints GET /api/feed/trip/:token.ics and /api/feed/user/:token.ics (no auth — the secret token is the credential), reusing the existing exportICS() generator and adding REFRESH-INTERVAL / X-PUBLISHED-TTL hints. - JWT-guarded token endpoints to generate (lazy, idempotent) and regenerate/revoke per-trip and per-user feed tokens; tokens stored in nullable feed_token columns. - All-trips feed excludes archived trips and trips ended >90 days ago. - UI: ICS toolbar button becomes a Download/Subscribe menu; modal offers one-click "Add to Google Calendar" (render?cid=webcal://) and a webcal:// link for Apple/Outlook, plus copy-link fallbacks. All-trips feed reachable from dashboard. - Feed base URL read from the existing APP_URL env var. Purely additive: new endpoints + two nullable columns, no breaking changes. Tests: server/tests/e2e/feeds.e2e.test.ts covers lazy token generate + idempotency, regenerate-invalidates-old, 401/404 auth+access, public feed content-type + hint injection, unknown-token 404, and the archived/>90-day all-trips exclusion. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * harden calendar feeds: absolute URLs, real disable, folding, schema sync - Resolve feed URLs against the request host when APP_URL is unset, so the webcal:// / Add-to-Google links work on a default install (not just behind a configured reverse proxy). - Give the public link a real off switch: POST enables, PUT rotates, DELETE clears the token (feed_token = NULL). The subscribe dialog no longer mints a token just from being opened — the user opts in explicitly. - Fold ICS content lines at 75 octets (UTF-8 safe) in exportICS, so download and feed both stay RFC 5545-compliant for long/non-ASCII summaries. - Extract VEVENTs by structural line scan instead of a lazy END:VEVENT regex that user text could truncate. - URL-encode the Google Calendar cid; mirror feed_token into schema.ts. - Collapse the duplicated all-trips modal into the shared IcsSubscribeModal. * feat(mcp): add bulk_update_places tool Apply the same field values to many places in one call instead of one update_place per place — e.g. re-categorising 80 POIs at once. Adds the updatePlacesMany service (one transaction, trip-scoped, partial patch built on updatePlace) and the bulk_update_places MCP tool with the usual demo/access/place_edit guards and a place:updated broadcast per place. * feat(dashboard): show the year on trip dates from other years Trip dates only showed month + day, so trips from other years were ambiguous (#1323). Dashboard cards and the boarding-pass hero now include the year, and so does the shared formatDate (planner day headers etc.) — but only when it isn't the current year, so this year's trips stay compact. Order and punctuation follow the locale (EN "Sep 10, 2026", DE "10. Sep 2026"). * feat(places): bulk "change category" from the selection toolbar Closes the UI half of #1168: in the Places selection mode, a new tag button before delete opens a category picker that applies one category (or "No category") to every selected place in a single request. Adds a REST /places/bulk-update endpoint reusing updatePlacesMany, an offline-aware repo + store action that patches both the place pool and the day-assignment projections, undo grouped by each place's prior category, and the i18n keys across all locales. * feat(map): include the day's route in the map fit (#1128) Selecting a day already fits the map to that day's destinations; this also folds the route polyline into the bounds. BoundsController fits the destinations immediately, then re-fits once — when the day's route finishes computing asynchronously — to destinations + the full route, so a route that bulges past its stops (a detour or ferry) stays in view. One-shot per day selection, so later route-profile toggles don't re-zoom. * feat(offline): detect update conflicts on the server for places and packing Update handlers accept an optional X-Base-Updated-At token and reject a stale overwrite with 409, returning the current server row. An absent token keeps the existing last-write-wins behaviour, so older clients are unaffected. packing_items gains an updated_at column (migration + stamped on every insert) so it can take part in conflict detection too. * feat(offline): force-offline mode, selective sync and a conflict queue A force-offline override routes every read to the cache and every write to the queue; preparing for offline downloads trip data, documents and map tiles up front and waits for them to finish. Map tiles and individual trips can be left out of the cache. Queued edits carry the version they were based on so the queue can surface server conflicts for a keep-mine / keep-theirs decision; chained offline edits to one entity no longer conflict with each other, and evicting a trip preserves its unsynced writes. * feat(offline): Settings -> Offline controls and a status banner The Offline tab gains a force-offline switch, a prepare-for-offline download with progress, per-trip and map-tile storage toggles, and a conflict resolver with a default strategy. The floating status pill now reflects forced-offline and unresolved conflicts. * i18n(offline): offline settings strings across all locales * docs(wiki): document force-offline, selective storage and conflicts * feat(video): media_type discriminator + local gallery video upload (server) trek_photos gains a media_type column (migration) so the registry can hold video as well as images. A new POST :id/gallery/video endpoint accepts a video plus a client-captured poster (500 MB cap, video MIME/extension allowlist), stores the poster as the thumbnail, and the photo stream serves the poster for the thumbnail kind and the raw file (HTTP Range) for the original — without running the image thumbnailer on video bytes. * feat(video): play local gallery videos in the journey gallery Picking a video in the journey gallery now captures a poster frame + duration in the browser and uploads the raw clip; the grid shows the poster with a play badge and the lightbox plays it with a native video player (HTTP Range seeking). Images keep their existing HEIC-normalised path. No server-side transcoding. Server media_type work was committed separately. * feat(video): use Plyr for the gallery video player Swaps the bare <video> element for a Plyr-wrapped player so playback controls match a consistent, cleaner skin. The instance is created per source and destroyed on unmount, so the lightbox stops playback when you navigate away. * feat(video): link and stream Immich videos in the journey gallery Immich timeline and album listings no longer filter out videos; each asset now carries its media type, which the provider picker forwards when linking. A linked video streams through Immich's transcoded /video/playback endpoint, and the asset proxy forwards the viewer's Range header (and passes 206/Content-Range back) so the player can seek. Synology video stays excluded until its stream API is verified. Adds media_type/media_types to the provider-photos request contract. * test(photos): assert the forwarded Range arg on the original stream Follow-up to the Range-aware photo proxy. * feat(video): upload and play videos in the trip file manager The file manager (which already attaches files to a place/activity) now accepts video uploads up to the larger video cap — other types stay at the document limit — and the lightbox plays them with the Plyr player over the plain same-origin download URL, so cookie auth and HTTP Range both work. Videos are excluded from the offline blob prefetch so one clip can't evict a trip's documents. * fix(video): harden upload handling and fix video playback edge cases Security: the gallery-video poster is now always stored as .jpg instead of the client-supplied extension, so a poster declared image/* but named x.html / x.js can't be written with that extension and served inline same-origin; local gallery files are also served with X-Content-Type-Options: nosniff. Robustness: rejected/unauthorised uploads no longer orphan their bytes on disk (the gallery-video and file-manager handlers unlink before throwing); the file-manager per-type size cap is keyed on the extension like the filter, so a real video labelled application/octet-stream isn't wrongly rejected. UX: the file-manager thumbnail strip shows a play placeholder for video instead of a broken image; shared (public) journeys now return media_type and play videos with a play badge; and a poster-less video shows a neutral tile instead of a broken thumbnail. * test(video): update gallery accept selector + complete fileService mocks The gallery upload input now accepts image/*,video/* — update the two JourneyDetailPage selectors that matched the old value. The files/journey e2e suites mock fileService and were missing the new MAX_VIDEO_SIZE / isVideoExtension / isVideoMime exports, which broke module load. * test(video): cover the new upload-handler branches Add controller tests for the gallery-video route (success / no-video / not-allowed / cleanup-on-reject), the per-asset media_types loops (gallery + entry, batch + single), and the file-manager per-type cap + unlink-on-rejection — restoring branch coverage on src/nest above the 80% gate. * feat(bookings): add a dedicated URL field to reservations (#935) Bookings get a first-class url column (migration) instead of users pasting links into notes. It's editable in the booking modal and rendered as a clickable link on the reservation card. The reservation request schemas are open passthroughs, so only the entity schema + service SQL enumerate it. * feat(files): render uploaded Markdown files inline (#1345) Markdown (.md/.markdown) is now an allowed upload type and opens in a rendered preview in the file manager instead of just downloading. Reuses the existing react-markdown stack with rehype-sanitize (these are untrusted uploads, so output is sanitized) and detects markdown by extension first since browsers send unreliable MIME for .md. * feat(lists): reorder packing/to-do lists and private packing items (#969, #858) Add drag-to-reorder to the packing and to-do lists, mirroring the budget panel's native HTML5 drag pattern. A drag within a filtered/grouped view is mapped back onto the global order so untouched items keep their place, and the order persists optimistically via the existing reorder endpoints. Packing items can now be marked private (#858): a private item is visible only to its owner. createItem/bulkImport stamp the owner, listItems filters by the viewer, and the WebSocket broadcasts are scoped to the owner so a private item never reaches another member's screen — including the public/private toggle transitions. Owners get a lock toggle and a private indicator on their items. * feat(trips): transfer trip ownership to a member (#973) Add POST /api/trips/:id/transfer so the owner can hand a trip to one of its existing members. The swap runs in a transaction: the new owner takes trips.user_id and the former owner is kept on as a regular member, so nobody loses access. The endpoint is owner-only, writes a trip.transfer_ownership audit entry and broadcasts the refreshed trip. The members modal gains a "Make owner" action, shown only to the current owner. * i18n: translate the booking link field across all locales (#935) Fan out reservations.urlLabel / reservations.urlPlaceholder to the remaining locales so the dedicated booking URL field is localised everywhere. * fix(packing): drop the always-true guard in the row drag handler (#969) The onDragOver guard `drag.isDragging || true` is a constant condition (eslint no-constant-condition). The handler is already gated by canDrag, so run the drag-over logic directly, matching the to-do row. * feat(trips): guest members for accountless participants (#1362, #1291) Add "guest" trip participants — people without a Trek account who can still be assigned to costs, packing, to-dos and day-plan activities. A guest is a credential-less users row (is_guest=1) joined into trip_members, so it is assignable everywhere a real member is, with the cost-splitting, settlement, packing and assignment paths working unchanged. Guests are firewalled from everything account-related: they can never sign in (password, OIDC and reset lookups skip them), never appear in the global user directory, the member-add picker or admin user management, are never resolved as notification recipients, can't be invited to another trip, and can't be made owner. The trip owner manages guests from the share dialog in a dedicated, clearly-labelled section (add / rename / remove), and guests carry a "Guest" badge wherever members are picked. All 22 locales stay in parity. * feat(packing): three-tier sharing — personal, shared-with-people, common pool (#858) Rework the private-packing flag into a full sharing model. Every item is now Common (the group pool — where all existing items live, so nothing breaks), Personal (private to its owner) or Shared with specific people (it shows up on those travelers' own lists, marked "by <bringer>"). is_private discriminates restricted from common; a new packing_item_recipients table holds who a shared item covers, and packing_item_contributors records "I can bring that too" pledges on Common items. The panel gains a Gemeinsam / Meine Liste view switch, each item a sharing control (owner sets the tier + the people it covers), and Common items can be co-brought or cloned onto your personal list. Visibility is enforced server-side in listItems and the WebSocket broadcasts are scoped to exactly who can see an item across every tier transition. All 22 locales stay in parity. * style(packing): small gap between the list and the luggage sidebar divider The luggage sidebar's left border sat flush against the right-hand category card. Add a little left margin so the divider has minimal breathing room. * feat(map): group GL place markers into clusters on zoom-out (#1385) MapLibre/Mapbox showed every place as its own rich HTML marker with no grouping when zoomed out, unlike the Leaflet map. Feed the place points through a clustered GeoJSON source: clustered points render as a dark count bubble (click to zoom in and expand) while the rich HTML photo markers are only drawn for the points the source reports as unclustered. Always on, matching the Leaflet MarkerClusterGroup. * fix(map): match the GL place hover tooltip to the Leaflet map (#1385) The MapLibre/Mapbox hover showed an anchored popup with a large photo thumbnail, completely unlike the Leaflet map's slim, cursor-following name/category/address card. Drop the anchored photo popup for places and render the same cursor-following overlay the Leaflet map uses (no photo, matching fonts/padding/shadow), so the two maps hover identically. * feat(collections): backend for the Overall Places addon (#1081) Adds the Collections addon backend: a server-wide-per-user library of saved places, independent of any trip, with multiple named lists, an idea/want/visited status, and Vacay-style fusion invitations to share a list with other users. - Data: collection / collection_members / collection_places / collection_place_tags tables (+ migration and baseline schema). Saved places carry the owner plus a nullable saved_by so a member deleting their account can't drop shared content. - Service: list + place CRUD with owner-or-accepted-member visibility, dedup, status, save-from-trip and copy-to-trip (reusing the trip copy column list), and the full fusion-invitation state machine mirrored from vacay (send / accept / decline / cancel / leave) with a websocket broadcast and an invite notification. Deleting a list snapshots its members and notifies them. - NestJS module + addon guard (404 before auth), registered in the app module. - Widens the place photo cache reference check to count collection places so the nightly sweep no longer evicts photos a saved place still uses. - collection_invite notification wired across all 22 locales. * feat(collections): /collections page, entry points and i18n (#1081) Adds the client side of the Collections addon: - A distinct /collections page (Atlas pattern, page/hook split) gated behind the addon: a multi-list rail, a Grid (default) / List / Map view switch, the idea/want/visited status with a one-tap badge, search and status filters, and considered empty states. Store + hook + model + websocket wiring; the place detail reuses the trip place inspector via a mode guard. - Entry points: a "Save to Collection" button next to Open-in-Google-Maps in the place inspector (and the two sidebar context menus), a "Copy to trip" modal, and a desktop-only two-column add-place picker (mobile keeps the single-column form). - The collection namespace and the new keys across all 22 locales. * feat(collections): fusion sharing UI + dashboard widget + per-user toggle (#1081) - ShareCollectionModal: the owner manages a list's members and invites users (available-users picker → invite, cancel pending); a member can leave a shared list. The incoming accept/decline surface stays in the lists rail. A Share button is added to the collections header for owners (and members, to reach Leave). - CollectionsWidget: a dashboard glass card after the currency widget showing the saved count and the most recent saved places, double-gated by the admin addon and a new per-user appearance flag. - Appearance: a 'collections' dashboard-widget flag (desktop + mobile defaults) wired into the appearance settings, surviving normalize. - Sharing + settings strings across all 22 locales (parity strict passes). * feat(collections): redesign the page on the dashboard glass language (#1081) Rebuilds the /collections page from the functional placeholder into the dashboard's glass visual language (light + dark): - A colour-washed hero per list: eyebrow + member avatars, big title, and stat chips (All / Idea / Want / Visited) that double as the status filter. - A sticky glass list rail (owned + shared + invites) with a mobile drawer. - Gradient/photo cover place cards modelled on the trip cards, via a new rectangular PlaceCover (photoService-backed, gradient fallback) + a shared gradients util. List and map views restyled to match. - Status pill rendered as a role=button span so it survives the .trek-dash button reset and can nest inside the card; the share member-count badge is now owner-only. - New hero eyebrow strings across all locales. * feat(collections): list+map split, taller rail, list-menu popover fix (#1081) - List view splits into a scrollable list + a sticky map on wide screens; clicking a place pans/highlights it on the map (single selectedPlaceId, no inspector over the map). Narrow screens keep the single-column list. - Keep the list rail at least as tall as the hero (measure the hero via a small useElementSize hook and feed its height as the rail's min-height). - List row kebab menu: portal the menu/colour popover to the body so the rail's overflow + backdrop-filter can't clip it ("renders only in the module"), and fade the place count on hover so the kebab stops overlapping it. * feat(collections): list+map default, map-only toggle, deselect + tooltip fixes (#1081) - Drop the grid/tile view. The list view is now the default and, on wide screens, a list + persistent map split; a top-left control on the map collapses the list to a full-width map (and back), animating smoothly (the map stays mounted and is nudged to re-layout during the transition). The place search moves onto the map (top-right); mobile keeps a list/map toggle. - Let a place be deselected again: clicking it once more, clicking the map background, or picking another all toggle the selection (collections map now wires onMapClick). - Fix the stuck hover tooltip: selecting a place swaps its marker's DOM node so the browser never fires mouseout/mouseleave, orphaning the fixed-position tooltip (it hung on screen and drifted with scroll). Both map stacks now clear the hover on selection change and on scroll. - Remove CollectionGrid + PlaceCover; add hero eyebrow + map control strings. * feat(collections): list details, place detail sheet, add-place, fusion kick (#1081) Dashboard widget (B): the collections tool now shows the user's LISTS as compact colour-washed badges (cover image tinted with the list colour, or a gradient) that jump to the list — one list() call, no N+1. List details (C): lists gain a description, a custom cover image (uploaded to /uploads/covers, tinted with the list colour in the hero) and links. A shared ListEditorModal handles both create and edit; the hero shows the description + link chips. New `links` JSON column on collections + collection_places (migration 151) with parse/serialize in the service; a POST :id/cover upload endpoint mirroring trips; cover-file cleanup path-confined locally. Place detail (D): clicking a place opens a bottom sheet (no backdrop, so the map stays visible) — status cycle, copy-to-trip, remove, and an edit mode with a markdown description + links editor (collectionsApi.updatePlace, now wired via a store action). A "+" next to the search adds a place to the list via the maps search. Fusion + fixes (E): the owner can now remove an accepted member (kick) — new removeMember service/route/store + a button in ShareCollectionModal, with a collections:removed WS bounce. findMembership no longer matches on name alone (coordinate proximity required, killing "Starbucks everywhere" false positives). loadCollection swallows a 403/404 after a leave/remove so the URL sync can't throw uncaught. Grid remnants gone; the map select toggle moved onto the map. New strings across all 22 locales; i18n parity strict passes. * fix(collections): review follow-ups on the B–E work (#1081) - Block the list-cover upload in demo mode (mirror the trips cover endpoint). - Restrict list/place links to http(s) (schema) and normalise scheme-less URLs to https:// on save, so a bare "booking.com" no longer resolves as a relative SPA route (and javascript:/data: hrefs are rejected). - Place detail: surface save errors with a toast instead of silently swallowing a 400 and leaving the sheet stuck in edit mode. - List editor: don't create a duplicate list when a retry follows a cover-upload failure (reuse the created id); revoke the cover preview object URL. - Map controls: one top bar (left toggle/select, right add/search) so they can't overlap on a narrow split map — the search shrinks instead. - Dashboard list badge: full-opacity colour wash so the name stays legible over bright covers. * fix(collections): detail-sheet, edit-refresh, map + rail polish (#1081) - Editing a place (status, description, title, …) no longer reloads the view or closes the detail: the WS echo now refreshes via loadCollection, which keeps the current selection + select-mode instead of setActive resetting them. - Place detail: docks over the list column on the desktop split (measured rect) instead of centred over the map, and the card is now opaque (was too see-through). - Map: click a marker in full-map view to drop back to the split; picking a place scrolls its list row into view; the select toggle is disabled in full-map view; the floating controls are one non-overlapping top bar and less transparent. - Hero: drop the New-list button (it's already in the rail). - Rail: the kebab is always visible (easy to hit); menu is Edit + Delete only (colour moved into the editor); "Rename" → "Edit". - Add-place: pick a result, then set description (markdown) / links / status before saving, all in one step. - Share modal: member roster as cards with clearer role badges + a count. * feat(collections): detail redesign + categories, close-on-map, highlight fix (#1081) - Rebuild the place detail as a clean, opaque, sectioned sheet (cover → meta → status segment → description → links) with a proper footer action bar — the loose "white lower half" is gone. - Assign a place to a central (admin-defined) category, both in the detail edit and when adding a place; categories are fetched once for the page. - Add-place now sets category + description (markdown) + links + status in the same step, closer to the trip's place form. - Switching to the full-map view now closes the (list-docked) detail. - Fix the selected-row highlight: it was clipped by the column's overflow — use an inset ring and only clip during the map-collapse animation; a picked row now scrolls into view above the detail sheet. - New category strings across all 22 locales. * feat(collections): filters, add-place popup, category badges, map-click hardening (#1081) - Map: markers no longer rebuild on every unrelated re-render (memoised the mappable list + only update the hero size when it really changes), the floating controls bar is click-through except its buttons, and the collection map runs with the hover tooltip off. Together these stop a marker click from landing on a mid-rebuild element / the tooltip so the pick actually registers. - Filters moved out of the hero into a compact status + category dropdown row above the places (custom dropdowns); the hero no longer carries the stat chips. - Add-place is a single popup now: search fills the location, and name / status / category / description / links are all editable together before saving. - Category shown as a badge top-left on the detail cover and next to the status in each list row (divided by a hairline). - Slimmer hero: shorter, tighter spacing, links tucked into the eyebrow row instead of their own line. * feat(collections): hero edit/share row, place photos, edit-echo fix, wider page (#1081) - Editing a place (category, status, …) no longer reloads the view: the mutating client's own socket is now excluded from the WS broadcast (x-socket-id threaded through save/update/status/delete + list update/cover), so the optimistic update stands on its own instead of being chased by an echoed refetch. - Detail sheet pulls a higher-res cover photo from the maps provider when the place has no image of its own (the avatar thumbnail was too low-res). - Hero: Share moved onto the title row (no more empty top band) with an Edit button beside it; editing/deleting a list now happens there. The list rail drops its per-row kebab entirely (and with it the janky open animation). - The list editor can delete the collection from its footer (owner only). - Wider, screen-relative page (max-width min(2100px, 95vw)). - List rows: the place avatar no longer shrinks when the address is long. * fix(collections): copy-to-trip labels + Unsplash cover search (#1081) - Copy-to-trip modal showed blank rows: trips are keyed by `title`, not `name`, so nothing rendered. Read `title` and add the trip's date range under it. - List editor gains an Unsplash cover search (same source as trip creation) next to the upload button; picking a photo sets it as the list cover. - Add-place result rows: pin keeps a hard min width so a long address can't squeeze it. * fix(collections): stop the address pin from shrinking on long addresses (#1081) The little map pin in front of a place's address sits in a flex row with the address text but had no flex-shrink guard, so a long address squeezed the icon smaller. Pin the SVG to its size. * fix(collections): white screen when editing a place (undefined in places) (#1081) updatePlace wrote `res.place` into the places list, but the endpoint returns the updated place directly (not wrapped in { place }, unlike savePlace) — so an `undefined` slipped into the list and the category-filter's presentCategories() crashed on `undefined.category_id`, blanking the whole page. The WS echo used to mask it by refetching; excluding the editor's own socket exposed it. - Read the updated place directly and guard against a falsy response. - Fix the api return types to match (updatePlace/setStatus return the place). - Harden filterPlaces / statusCounts / presentCategories / mappablePlaces against a stray undefined entry so a single bad row can never white-screen the page. * feat(collections): select toolbar — select-all, move/duplicate to another list (#1081) - The select toggle now sits at the right of the filter row (same height as the status/category dropdowns) instead of the top toolbar. - Select mode gains a "select all / deselect all" toggle and shows even with nothing selected yet. - Selected places can be moved or duplicated into another of your lists via a target-list picker (move re-points collection_id; duplicate re-saves the place data, carrying description / category / notes / etc.). - New strings across all 22 locales. * style(dashboard): accent follows the user's theme instead of a fixed orange (#1081) The .trek-dash scope (dashboard, collections, vacay, atlas) hardcoded an orange accent, ignoring the appearance theme. Drop the override so --accent inherits the theme tokens (index.css): monochrome black/white by default, coloured per data-scheme / custom accent. --accent-ink/-soft now map onto --accent-on/-subtle, and accent-filled elements use --accent-text for legible text on any scheme. Category colours are set explicitly per element and stay untouched. * fix(collections): saved-places picker height + list filter, all-saved first-load (#1081) - Trip "Saved places" picker: drop the fixed 360px cap so the list fills the panel instead of stopping half-way, and add list + status filter dropdowns (filter by which collection the place is saved in). - "All saved" showed nothing on first open: setActive(ALL_SAVED) unioned the lists from the store, but on first load those aren't fetched yet (loadAll still running). Load them first when empty so the union isn't blank. * test(collections): unit-test the nest controller (branch coverage) (#1081) The collections nest module had no controller test, dragging src/nest/** branch coverage below the 80% gate. Cover the controller's branches: reorder/deleteMany payload validation, owner-gated invite/cancel/remove/available-users, invite + accept error surfacing, the cover demo-mode + no-file guards, and the x-socket-id forwarding on the mutating endpoints. * fix(collections): mobile polish — touch targets, safe-areas, overflow (#1081) From a mobile UX audit of the collections page: - Detail sheet: the read-mode footer no longer clips "Remove from list" (it wraps, drops the growing spacer) and clears the home indicator (safe-area padding, 84dvh instead of 84vh). - Bigger touch targets on phones (≥40px): view toggle, filter dropdowns, select-bar buttons, detail close/actions, drawer rail rows, and the interactive status badge (enlarged tap area via a pseudo-element, look unchanged). - Select action bar breaks its bulk actions onto their own line instead of stranding them behind a growing spacer. - Lists drawer honours device safe-areas and gets an explicit close button. - Page honours the top safe-area and goes full-width on phones (drop the 95vw cap); filter popovers cap their width so long category names don't overflow. - Add-place: Cancel/Add pinned in the modal footer (reachable without scrolling), status pills wrap. - Drop dead hero mobile CSS left over from the hero refactor. * feat(collections): per-member permission roles on shared lists (#1081) The owner now assigns each member a role — viewer (read + copy-to-trip only), editor (default: add + edit places) or admin (full incl. delete). The owner is always full. Existing members default to editor via migration 152, so nothing regresses. - Server: role column on collection_members (migration 152 + schema); roleOf + assertCanEdit (save/update/status/list-meta) + assertCanDelete (delete) layered on assertAccess; sendInvite takes a role; new setMemberRole (owner-only) + POST members/role; members payload carries each role. - Client: Share modal gains a role picker on invite and a per-member role select for the owner (read-only role badge for others); the page hides add / edit / status / move / delete for roles that can't perform them (server still enforces). - Roles in all 22 locales; service + controller tests for the new gating. * feat(collections): bulk-add selected trip places to a list (#1081) Add a "Save to collection" action to the trip place list's selection bar (next to bulk category + delete): it opens a list picker and copies every selected place into the chosen list in one request, instead of one-by-one from each place. - Server: saveFromTripPlaces (one access check + one WS notify), POST places/from-trip-many; dedups by name/coords, skips missing ids, honours force. - Client: saveFromTripMany api + SaveTripPlacesToListModal; the selection-bar button is gated on the collections addon being enabled. - Copy count / skipped-duplicates toast; strings in all 22 locales. - Service + controller tests for the bulk path. * style(collections): custom dropdown for the permission role pickers (#1081) Swap the two native <select> role pickers in the share modal (invite + per-member) for the app's CustomSelect (portal dropdown, size sm) so they match the rest of the UI instead of the browser's native control. * style(collections): widen the share modal (#1081) * test(collections): client component tests + select in All saved, off the map (#1081) - Add client tests for the new collections UI (80 tests): collectionsModel (incl. the undefined-entry guards that fix the white-screen regression), StatusBadge, CollectionFilterBar, CollectionList, CollectionPlaceDetail (permission gating), MoveToListModal. - Offer the select toggle in "All saved" too (server enforces per-place rights). - Drop the now-duplicate select button from the map controls (it lives in the filter row). * docs(wiki): add Collections addon page (#1081) New wiki/Collections.md in the style of the other addon pages (lists, status, categories, adding/bulk-adding places, place detail, filters + bulk actions, fusion sharing with member roles, dashboard widget). Add it to the Addons overview table + the sidebar navigation. * feat(date-picker): add month/year drill-down navigation and keyboard input trigger - Add three-level calendar view (days → months → years) via clickable header label, allowing fast navigation to distant dates without repeated arrow clicks - Replace double-click text input affordance with a visible keyboard icon button; compact/borderless variants show the icon in the calendar footer - Pre-fill text input with locale-aware numeric date (DD.MM.YYYY) when a value is already selected - Add aria-label and aria-pressed to all interactive calendar elements for screen reader support - Update existing tests to reflect new two-button trigger layout - Add FE-COMP-DATEPICKER-018 through 027 covering drill-down view transitions, prev/next behaviour per view, aria-pressed state, and keyboard icon trigger * fix(date-picker): locale-aware keyboard input parsing and i18n control labels - Replace fixed-order date parser with locale-aware implementation using Intl.DateTimeFormat.formatToParts to detect field order; adds swap fallback for unambiguous inputs (day > 12) to handle locale mismatches gracefully - Pre-fill keyboard input with locale-formatted numeric date (e.g. 14.06.2026) instead of raw ISO value - Replace all hardcoded English aria-labels and titles with t() calls; add new keys under common.datepicker.* namespace across all locale files - Update FE-COMP-DATEPICKER-013 to use unambiguous day value (> 12) to avoid locale-dependent test failures * fix(date-picker): add missing locale file and fix let-to-const lint error - Add missing common.datepicker.* keys to overlooked locale file - Change reassigned `let` to `const` where value is not mutated to satisfy lint rules * chore(i18n): backfill datepicker keys for sv + vi locales added on dev * fix: back-merge v3.1.4 hotfixes into dev (#1371) Port the three main-only fixes onto dev's (post-rewrite) architecture: - fix(backups): prevent recursion when the backup path sits inside the backed-up dir - fix(share): convert budget items to the viewer's base currency instead of a flat EUR - fix(files): surface the descriptive server error for unsupported upload types (#1363) Cherry-picked from 819aa793 on main; the SharedTripPage and useTripPlanner conflicts were resolved to keep dev's font-scaling and full import set while taking the fixes' currency conversion and translateApiError wiring. * fix: resolve a batch of reported bugs (planner, budget, atlas, bookings, mobile) - #1394 planner: two transports on one day no longer draw a phantom airport→airport road route between them (a run is only a drive when it holds a real place); mirrored in the map hook and the sidebar's leg list, with a regression test. - #1392 planner: the per-day Route button now points the selection at the tapped day before toggling, so on mobile it computes that day's route instead of the previously selected one, and only the selected day's button reads as active. - #1372 planner: the "open in Google Maps" route now includes the day's hotel bookends, matching the drawn map route. - #1375 planner: a multi-day accommodation no longer thrashes the plan scroll — the auto-scroll lock keys on the selection identity, not the per-day row. - #1377 planner: the reset-orientation compass is now shown on small screens too. - #1382 budget: settlement nets in the trip's canonical currency and converts to the display currency once, so balances no longer drift with live FX and no phantom third-party micro-flows appear (identity, hence unchanged, when they're the same). - #1366 atlas: countries reached only by a transport booking (no lodging/place) now count as visited, on both the dashboard and the Atlas page. - #1383 bookings: a hotel linked to an accommodation shows only its day-range, not a duplicate stamped date row, and the range stays correct after an edit. - #1353 bookings: any non-hotel reservation can now link an existing trip place/activity. - #1390 i18n: fix the Polish word for "buddies" (Towarzysze → Współpodróżnicy). - #1265 planner: drag-and-drop of places now works on touch devices via a polyfill. * feat(planner): add an "Open in OpenStreetMap" button to the place inspector Next to the existing "Open in Google Maps" action, add an OpenStreetMap button that opens the place on openstreetmap.org (a marker at its coordinates, or a name search when it has none) — the same map source TREK already renders, and a jumping-off point for OSM-based apps like OrganicMaps / CoMaps. Requested in discussion #880. Strings across all 22 locales; a unit test for the URL builder. * feat(planner): shorten the map-open button labels to "Google Maps" / "OpenStreetMap" * feat(planner): show a day's route distances inline on mobile Seeing the driving/walking distances between a day's places on mobile meant tapping the day (which closes the plan sheet), reopening it, then tapping Route. Now the per-day Route button in the mobile footer toggles that day's leg distances in place, so the sheet stays open and you get the distances between places without selecting the day first. The leg computation runs for every route-toggled day instead of only the selected one, and the leg/hotel-bookend maps are nested per day so several toggled days can't overwrite each other's segments. Desktop is unchanged. Discussion #1374 * feat(oidc): use the picture claim as avatar when none is uploaded When a user signs in via OIDC and hasn't uploaded a custom avatar, their `picture` claim is now used as their avatar. The users.avatar column holds either an uploaded file name or an absolute https URL from the claim, and a single resolver on each side (server avatarUrl, client avatarSrc) renders both. An uploaded avatar always wins and is never overwritten; the picture refreshes on each login otherwise. Only https URLs are stored, matching the image CSP. All the scattered /uploads/avatars/ builders now go through the resolvers, which also fixes collection member avatars that were rendering a bare file name. Discussion #1399 * feat(trips): trip invite links + optional trip binding on admin invites Trip invite links (#1143): each trip can have one rotating invite link in its Share panel. An existing, logged-in user who opens /join/<token> is added to the trip as a member; an anonymous visitor is sent to the login page and returned to the invite afterwards — there is no registration from this link. Reading, rotating or disabling the link all require the share_manage permission. Admin invite trip binding (#1402): the admin create-invite dialog can now bind a registration invite to a trip. Someone who registers via that link is auto-added to the trip as a member (password and OIDC paths), inside the same atomic step that consumes the invite. Adds a trip_invite_tokens table and a nullable invite_tokens.trip_id, a shared owner-safe/idempotent add-by-id helper, the manage + join endpoints, the JoinTripPage and Share-panel section, the admin trip picker, and the new i18n keys across every locale. Wiki updated. Discussion #1143 * fix(join): extract JoinTripPage state into a useJoinTrip hook The page container held useState/useEffect directly, tripping the CI page-pattern check. Move the token preview + accept logic into a co-located useJoinTrip() hook; the page is now a thin presentational shell. * feat(costs): filter expenses by category and by a single day Adds two filter dropdowns next to the Search Expenses field (height-matched to it): one filters by expense category, the other narrows to a single day. Selecting a day shows a prominent summary banner with that day's total, and hides the now-redundant per-day header. Both filters work on the desktop and mobile layouts and compose with the existing search + all/mine/owed filters. New i18n keys (costs.filter.allCategories / allDays, costs.expensesCount) across every locale. * fix(admin): use TREK's CustomSelect for the invite trip picker The "add to trip" dropdown in the admin create-invite dialog was a native <select>; swap it for the shared CustomSelect so it matches the rest of the UI (searchable once there are many trips). * feat(planner): public transit routing via Transitous (#1065) Each day header gets a transit button (replacing the rename pencil, which moved next to the day name in the day detail panel). It opens a route search backed by Transitous/MOTIS — free, open data, no paid provider: from/to stop search with the day's own places as quick picks, depart/arrive time, mode filters (train, subway, tram, bus, ferry, cable car) and ranking by best route, fewer transfers or less walking. Results show local times, duration, transfers, walking time and line badges in their official colors, with a stop-by-stop breakdown per connection. Adding a connection saves it as a regular transport reservation — typed by its dominant leg, timed from the itinerary's wall-clock departure/arrival converted to station-local time (tz-lookup), with the origin, transfer stops and destination as endpoints and the compact legs in metadata.transit. It slots into the day timeline by time and inherits editing, deletion and drag-reordering from the existing transport machinery; the transport detail view renders the full itinerary. Re-saving a transit transport through the edit modal preserves the stored itinerary while the route is unchanged. The server proxies the Transitous API (JWT-guarded, rate-limited, identifying User-Agent, short response cache, strict mode whitelist); TRANSIT_API_URL lets self-hosters use their own MOTIS instance. New i18n keys in every locale, wiki page updated. Discussion #1065 * fix(build): declare tz-lookup as a client dependency It was present in the lockfile but undeclared, so the local install had it while the Docker client build (npm ci --workspace=client) did not. * test(maps): add buildUserAgent to the mapsService mock transitService imports it at module load, and the full-app integration boot now pulls the transit module in — the factory mock lacked the export. * feat(planner): make transit journeys first-class entries (#1065) A saved transit route is now its own reservation type instead of piggybacking on train/bus: it gets a tram icon and its own color everywhere, and the day timeline renders the itinerary inline — line badges in their official colors with walk segments, plus the transfer count and walking time — instead of a generic transport row. Clicking the row opens the itinerary view (journey summary, stop-by-stop legs with times, platforms, headsigns and operators) rather than the edit form; editing stays reachable from an Edit action inside that view. The transit type is registered across the timeline merge, transport modal, reservations panel, file manager, map overlays and detail panels, with a translated type label in every locale. * feat(planner): integrate transit into the transport system as Automated mode The add-transport dialog gains a Manual/Automated switch: Automated embeds the public-transit search (day picker + from/to + modes + preferences + results) right in the dialog, and the day header's tram button opens it directly in that mode. The standalone search modal is gone. Saved journeys get their own roomy journey view — the stop-by-stop itinerary (times, platforms, lines, headsigns, operators) together with the editable booking fields, delete, and a "Change route" action that re-runs the search pre-seeded with the journey's origin/destination and replaces the itinerary on save. The generic transport form no longer opens for transit entries, from the timeline or from the Transports tab, where journeys now sit in their own "Automated public transit" section with their line badges on the card. New i18n keys in every locale; wiki updated. * feat(planner): polish the transit journey UI and fix its tab placement Transit entries were classified as bookings by the planner's transport-type list and landed in the Bookings tab — they now sit in the Transports tab's own section, rendered as proper journey cards (tram icon, arrow title, leg chips, journey stats) instead of the generic booking card. The journey modal got a redesign: the title renames inline in the header with an icon arrow, the stats become three full-width tiles (duration / transfers / walking, each with an icon), status and booking-code fields are gone, and notes take the full width with a markdown write/preview toggle. The Automated search mode gains a proper header (icon, hint, day picker) and the day-plan row now shows walks with their minutes inside the chip sequence (🚶 3 › U2 › 🚶 3) instead of a detached direct/walk summary. "A → B" titles render with an arrow icon everywhere. The Transports tab's add button is simply "Transport" now that the dialog covers both modes. * test(nav): the bottom-nav add button is labelled Transport now * feat(planner): markdown toolbar for journey notes + calmer transit search form The journey notes gain a proper markdown toolbar (bold, italic, strike, heading, list, checklist, link, code) that wraps the selection or prefixes the current lines. The transit search options settle into one calm card: depart/arrive + time + date and the ranking preference share the top row, the mode filters and the search button share the bottom row, with the mode chips restyled from heavy filled pills to quiet toggles. The day-plan row drops the transfer count — the leg chips already tell the story. * feat(planner): badge meta rows + inline itinerary expansion for transit Dot-joined meta text becomes quiet badge chips everywhere transit facts are listed: the journey modal's per-leg line (time, duration, stops, headsign with an arrow icon, operator de-emphasised), the search results' leg details, and the Transports-tab journey card (day, date, time span, duration — the transfer count is gone from the card). The day-plan transit row swaps the map-connections toggle for an expander: the chevron folds the stop-by-stop itinerary out right inside the timeline — times, line badges, stations with platform and stop counts — sized for the sidebar. * feat(planner): walk legs as centred dividers + journey-card note line Walk segments in the journey modal and the day-plan inline itinerary collapse from two lines into a single centred divider — dashed rules left and right, the walk in the middle (foot icon, destination, minutes). Leg meta badges sit tighter under their titles. The Transports-tab journey card shows a dimmed first-line note preview, and the journey modal now reads the reservation from the live store, so an update is visible the moment the entry reopens. * feat(map): draw transit journeys along their real rail and bus alignments MOTIS leg geometry (encoded polylines) now travels through the proxy and is stored per leg, so both map renderers draw the journey along the actual tracks instead of a straight line: colored cores in each line's GTFS color over a white casing, walks as dotted grey connectors. Transit journeys are always visible on the map — they are part of the plan itself, not an opt-in overlay — and the day route already anchors to their stations, so the journey slots into the route computation end to end. Entries saved before this keep the straight-line fallback. Also: stronger dashes on the walk dividers, notes open rendered (preview tab) when present, and MOTIS's START/END placeholders are replaced with the places the user actually picked. * fix(planner): elegant walk-divider hairlines + proven notes preview The walk dividers switch from dashed borders to 1px hairlines that fade towards the outer edges — strongest next to the walk text. A regression test pins the journey modal opening existing notes on the rendered markdown preview rather than the raw text. * fix(map): transit polish — earlier label collapse, route-toggle coupling, md note preview Station badges on transit journeys collapse to icon dots much earlier when zooming out (label threshold 900px instead of 400). The drawn transit paths now ride the day-route toggle: turning the route off hides them too, since they are part of the computed route. The journey card's note preview renders its first line as inline markdown instead of raw asterisks. * fix(settings): booking route labels default to off The map endpoint labels only render when the user explicitly enables them; an unset preference now means hidden, matching the calmer default the transit paths brought to the map. * style(settings): TREK-styled text-size sliders The appearance tab's native range inputs become proper TREK sliders: a thin pill track filled up to the current value in the accent color, with a soft round thumb that scales slightly on hover/drag. * fix(planner): mobile layouts for the transit popups The journey modal and the transit search now lay out properly on phones: from/to stack vertically with the swap rotated between them, the ranking segment and search button go full width, the day picker in the automated header spans the row, the three stat tiles compress to centred mini tiles, the itinerary tightens its gutters, and the footer wraps with an icon-only delete. Desktop is unchanged. * fix(planner): tighter mobile transit search + vertical journey itinerary * fix(planner): wrap-safe mobile itinerary text — platform below the stop, minutes-first walks * feat(plugins): plugin system scaffold — registry tables + admin panel First slice of the plugin system. Lays down the data model and a read-only admin surface; nothing executes yet. - Migration 155: plugins, plugin_meta_migrations, plugin_error_log and plugin_settings_fields tables. Plugin data will live in a per-plugin sqlite file under /plugins-data, never in these tables. - New Nest module server/src/nest/plugins with GET /api/admin/plugins (admin-gated, returns the installed list + the runtime-enabled flag). - TREK_PLUGINS_ENABLED kill switch (config.pluginsEnabled), off by default. - Admin → Plugins tab with a read-only panel: installed list, status badges, and a clear banner when the runtime is disabled by server config. - i18n keys for the tab and panel across all locales. Install, activation, the isolated runtime and the registry browser follow in later slices. * feat(plugins): isolated per-plugin runtime + capability RPC (M1) Every plugin now runs in its own forked child process with a scrubbed env (no JWT_SECRET, no db path, nothing inherited). It talks to TREK only over a JSON-RPC channel, and the host's capability router registers ONLY the methods a plugin's granted permissions unlock — so an ungranted call is unreachable, not merely refused. The plugin's own data lives in a separate sqlite file it can never open directly; core reads (trips/users) go through membership-checked, column-projected host methods; ws broadcasts are force-namespaced. - protocol/envelope: the wire types + method→permission map (pure, shared by host and the isolated child) - host/rpc-host: the capability router = the enforcement point (dispatch, BAD_PARAMS / PERMISSION_DENIED / RESOURCE_FORBIDDEN / UNKNOWN_METHOD) - host/plugin-data: the per-plugin sqlite file (db:own), guarded against ATTACH/PRAGMA escape, idempotent migrations - host/create-rpc-host: wires the router to the real db/websocket (host-only) - runtime/plugin-sdk + plugin-host-entry: the child bootstrap + definePlugin ctx; turns each ctx call into an RPC, never imports a privileged module - supervisor: spawn on activate, heartbeat/reap, crash backoff + auto-disable, graceful shutdown — a plugin crash/OOM/hang can never reach the Nest loop - paths: code/data layout, dist-vs-tsx child entry resolution Nothing is wired into activation yet (that's the next slice); exercised by unit tests for the router/sdk/data and an integration test that forks a real child. * feat(plugins): activation, HTTP route proxy + instance settings (M2) Wires the isolated runtime into TREK. Admins can now activate a plugin from the panel and its HTTP routes work end to end, still behind the kill switch. - PluginRuntimeService owns the supervisor: activate spawns the child with its granted permissions + decrypted instance config, deactivate kills it, status and errors are persisted to the plugins / plugin_error_log tables, and active plugins are booted on startup (OnModuleInit). - Bidirectional RPC: the child now handles host→child invokes (routes/jobs) and reports its declared routes on load; the supervisor gained invoke()/routesOf(). - /api/plugins/:id/* proxy controller — a single static route that matches the plugin's declared routes, enforces per-route auth (auth:false routes are public for OAuth callbacks/webhooks), forwards only a whitelisted request view (never the session cookie), and strips unsafe response headers. - Admin endpoints: POST :id/activate, POST :id/deactivate, GET/PUT :id/config — instance settings with secret fields encrypted (apiKeyCrypto) and masked. - Kill switch moved to its own module so it never collides with test config mocks. Photo/calendar hook consumers are deferred to a later slice. * feat(plugins): sandboxed page/widget frames + trekBridge (M3) Plugins can now render UI. Page plugins appear as a nav entry and open a full-page sandboxed iframe; the frame talks to TREK only over the postMessage bridge. - Server serves plugin client assets at /plugin-frame/:id/* with a strict path guard and a locked-down, per-plugin CSP (default-src none; connect-src limited to declared outbound hosts; sandbox WITHOUT allow-same-origin -> opaque origin, so the frame can't read the session cookie or the parent DOM). Global CSP frameSrc relaxed from 'none' to 'self' for exactly these frames. - GET /api/plugins feed lists active plugins for the client. - Client: pluginStore + PluginFrame (the trekBridge host) authenticates every inbound message by SENDER WINDOW IDENTITY (event.source), not by a claimed id or origin; pushes context (theme/locale/tripId/userId), validates navigation, renders notifications as text, resizes widgets, and proxies trek:invoke to the plugin's own routes host-side (session cookie stays with the host). - Page route /plugins/:id + Navbar nav injection for page plugins. Dashboard widget slot and the trek:request core-data bridge are deferred to a later slice. * feat(plugins): secure installer — manifest, discovery, safe extract/fetch/scan (M4) Plugins placed on the /plugins volume are now discovered, validated and registered as inactive, ready to activate. - manifest.ts: strict trek-plugin.json validation (id/version/type, known permissions only, egress required with http:outbound, native modules rejected). - discovery.ts: scans the volume on startup + on demand (POST /api/admin/plugins/ rescan), upserts rows INACTIVE, refreshes settings-field descriptors, and never downgrades or wipes an already-installed plugin's status / grants / config. Invalid or native-carrying plugins are skipped and logged. - Activation now grants the DECLARED permissions (the consent gate) and persists them before spawning. - install/ utilities for the registry installer (M5), each independently tested: - safe-fetch: host allowlist (GitHub only) + private-IP refusal + manual redirect following + size cap + sha256 (constant-time compare). - safe-extract: zip/tar-slip-safe extraction with its own minimal tar.gz + zip readers; rejects traversal, absolute paths, symlinks, oversized/too-many entries, and unsupported formats. - native-scan: refuses .node / binding.gyp / prebuilds, never follows symlinks. * feat(plugins): TREK-side registry — browse + one-click install (M5) Connects TREK to the static GitHub registry (mauriceboe/TREK-Plugins). The registry repo + CI gates were already live; this is the server side. - registry.service: fetches the single aggregated dist/index.json (never per-plugin GitHub API calls — the HACS rate-limit lesson), caches it 30 min, soft-fails to a stale/empty registry, and installs a pinned version through the M4 pipeline: safe download -> sha256 verify -> slip-safe extract -> manifest re-validate -> native re-scan -> atomic move -> discover (inactive), recording repo/commit/sha provenance. Handles the codeload {repo}-{sha}/ wrapper directory. - Admin endpoints: GET /api/admin/plugins/registry (browse metadata) and POST /api/admin/plugins/install { id, version }. Install never executes code; activation stays a separate, deliberate step. * feat(plugins): trek-plugin-sdk package — types, mock host, scaffolder, validator (M6) The author-facing SDK, a standalone dependency-free package (not wired into the app workspaces, so it can't affect the app build). - definePlugin + the full plugin type surface (PluginContext, PluginRoute, PluginJob, PhotoProvider, CalendarSource) mirroring what the isolated runtime injects; PLUGIN_API_VERSION. - createMockHost (trek-plugin-sdk/testing): a PluginContext that enforces the SAME permission model + membership checks, so authors can unit-test that their plugin degrades gracefully — no running TREK needed. - validateManifest: the exact rules the registry CI runs, so a local pass predicts a CI pass. - CLIs: create-trek-plugin (scaffolds a working plugin + README + starter iframe) and trek-plugin validate (manifest + README sanity). Consolidating the server loader to import this shared validator is a follow-up. * docs(plugins): plugin wiki + reference plugin (M7) - Wiki pages (sync to the GitHub wiki on push to main): Plugins overview + trust model, Plugin Development (SDK, definePlugin, ctx, routes/jobs, the client bridge, testing with the mock host), Plugin Permissions reference, and Publishing (registry PR + CI gates + provenance). Linked from the sidebar. - Reference plugin plugin-sdk/examples/trip-countdown: a complete, minimal- permission widget (reads trip data through ctx, renders in the sandboxed iframe via the bridge, filled-in README). Validated in the SDK test suite so it passes the exact gate authors face. * feat(plugins): lifecycle polish — uninstall, error log, egress guard, widget slot (M8) - Uninstall with data disposition: POST /api/admin/plugins/:id/uninstall kills the plugin, removes its code + DB metadata, and (deleteData) drops its data dir, error log and per-user settings. - Error log: GET/DELETE /api/admin/plugins/:id/errors — the plugin's own crash / request-failure log, surfaced in the admin panel. - Egress guard: the isolated child wraps global fetch and refuses any outbound host not in the plugin's declared egress[]; with none declared, all outbound is blocked. Process-level defense in depth (the container runtime enforces it at the network layer in v2). - Admin → Plugins is now actionable: activate / deactivate / uninstall, a registry browser (install), and per-plugin error log. i18n across all locales. - Dashboard widget slot: active widget plugins render as sandboxed cards. The trek:request core-data bridge + photo/calendar hook consumers remain follow-ups. * docs(plugins): clarify the fork-and-PR publishing flow * fix(plugins): allow GitHub's rotating release-asset host in the installer GitHub 302-redirects release-asset downloads to a rotating *.githubusercontent.com host (objects / github-releases / release-assets). The SSRF allowlist only had objects.githubusercontent.com, so installs failed with 'host not allowlisted'. Allow the whole *.githubusercontent.com suffix (plus github.com/codeload); the private-IP check remains the SSRF backstop. * fix(plugins): allow inline scripts in the sandboxed frame + fix server lint error - Plugin frame CSP: the frame runs at an opaque origin (sandbox without allow-same-origin), so script-src 'self' matches nothing and the widget's own script never runs (stuck on 'Loading…'). Allow 'unsafe-inline' — the sandbox, not this directive, is the isolation boundary, and the plugin author controls the frame code either way. - Fix a no-constant-binary-expression eslint error in registry.test.ts that was failing the server lint:check (eslint .) in CI. * fix(plugins): exclude /plugin-frame/ from the service-worker navigate fallback The PWA service worker's navigateFallback served the SPA shell for any navigation not on its denylist. /plugin-frame/ wasn't listed, so the SW intercepted the sandboxed opaque-origin plugin iframe navigation, which Chrome reports as 'Unsafe attempt to load URL … from frame with URL …'. Denylist it so plugin frames are served straight from the network. * feat(plugins): pass the dashboard's spotlight trip id to widget plugins Widget plugins now receive the current (spotlight) trip id in their bridge context, so a widget like Trip Countdown can show a real countdown instead of the empty state. * fix(plugins): trips.getById returns the actual trip row, not the access check canAccessTrip only returns { id, user_id } (it's a membership check), but the rpc-host's trips.getById returned it verbatim — so plugins saw a trip with no title/start_date/etc. Fetch the real row after the access check. Also fix the reference plugin to read t.title (the trips column is 'title', not 'name'). * feat(plugins): persist enable-intent across restarts + redesign admin page The deactivation-on-deploy bug: `status` conflated the admin's ON/OFF intent with runtime health, so a boot crash flipped status to 'error' and the plugin never rebooted after the next deploy. Migration 156 adds an `enabled` flag (admin intent) separate from `status` (runtime health); boot now retries every enabled plugin regardless of last status, and a crash no longer erases the intent. Admin → Plugins redesign: - ON/OFF is a ToggleSwitch bound to `enabled`; runtime health shows separately as a coloured status dot, with the last error inline when it crashed. - "Update → vX" badge when the registry has a newer version (one click updates and reactivates). - Reviewed/unreviewed trust badges, cleaner cards, nicer empty state, registry browser marks already-installed plugins. i18n across all locales. * fix(plugins): backfill enabled for any plugin not explicitly deactivated status at migration time can be error/stopped/starting after a crash or shutdown, not just 'active' — so backfill enabled=1 for everything except 'inactive' (the only status deactivate() sets). * feat(plugins): hero widget slot + Koffi reference plugin Widget plugins can now declare capabilities.widget.slot 'hero' to render as a transparent, click-through overlay sitting on the boarding-pass bar's top edge (migration 157 persists capabilities; manifest validation server+SDK, feed exposes the slot, dashboard mounts hero frames above the pass). Sidebar stays the default slot. Replaces the trip-countdown example with Koffi, the TREK mascot: an animated suitcase with a 14-state behavior engine driven by real trip data — walking, waving, napping, trolley rolls, passport-stamp stickers, a split-flap luggage- tag countdown under 7 days, and sunglasses while the trip runs. Validated by the SDK suite like any author plugin; published as mauriceboe/trek-plugin-koffi in the registry. Migrations 156/157 follow the idempotent ALTER pattern (the reconciliation test re-runs everything from v135, so duplicate-column must stay non-fatal). * feat(plugins): richer admin panel + registry detail view Admin list: flush-left header like Addons, type/reviewed badges, runtime health as a dot on the icon tile (text badge only for problem states), description + source-repo link on installed cards, manifest icon. Browse: cards show the plugin screenshot (docs/screenshot.png at the pinned commit) and open a detail dialog fed by GET /api/admin/plugins/registry/:id — live-manifest permissions in plain language, egress hosts, setup preview, repo/homepage links. Manifest fetched server-side through safeDownload at the reviewed commit, cached per plugin for 30 min and only when a detail opens. Also fixes the update flow (restart the running child around the install, keep the admin's enabled intent instead of force-activating disabled plugins), guards the icon lookup against Object.prototype names, reserves ids that would shadow static admin routes, stops negative-caching failed manifest fetches, and makes the version compare prerelease-safe. * i18n: localize the plugins admin section across all locales The admin.plugins block was still English filler in most locales; translate it everywhere and add the new detail-view keys in all 22 languages. * feat(plugins): denser browse grid + prominent install-risk disclaimer Four cards per row on desktop with tighter card padding, and a full-width warning banner above the browse grid: installs are at the admin's own risk, a prior quick review does not rule out harmful content, inspect a plugin yourself when in doubt — TREK accepts no responsibility. All 22 locales. * feat(plugins): sandbox hardening — OS permission model, egress choke point, bound acting user, author signatures Closes the four gaps the security review surfaced: - OS permission model on the prod plugin child (Node --permission with fs-read scoped to the compiled server dir + the plugin's own code dir, no fs-write/child_process/worker/native). A plugin can no longer read trek.db or the .jwt_secret/.encryption_key files, nor shell out — the direct-fs and RCE escapes that bypassed the RPC layer. Opt-out via TREK_PLUGIN_PERMISSIONS=off. - Egress guard extended from fetch to the net.Socket connect choke point, so node:http/https/net/tls obey the declared-egress allowlist too (no declared egress = no outbound). Under the permission model there is no clean escape to an unwrapped runtime. Kernel/network-namespace containment remains the container step. - Trip reads are membership-checked against the acting user the HOST binds from the authenticated invocation, not an asUserId the plugin supplies; a job/onLoad (no user) can't read user-scoped trips. - Optional minisign (Ed25519) author signatures verified offline, TOFU-pinned (migration 158). Unsigned plugins install on sha256 alone; a signed plugin can't silently drop its signature or swap its author key. Server suite green (permission-model activation verified against the Koffi reference plugin on dev1). * fix(plugins): make the permission-model child load from the real plugin path The prod data dir is a symlink (server/data -> volume), so resolving the plugin under it tripped the permission model, and Node's module-type lookup walked up into the (denied) data dir. Fork the child from the plugin's realpath and drop a {"type":"commonjs"} package.json at its root so resolution stops there — trek.db and the secret files stay unreadable, verified against Koffi. * test(plugins): cover pluginRealCodeDir fallback + ensurePluginModuleType * feat(plugins): zero-config L1 hardening — SSRF egress, RSS reaper, capability audit, no popups Security that ships from the install itself, no self-hoster setup: - Egress SSRF/rebinding backstop: the net.Socket connect guard now RESOLVES the destination and refuses private/loopback/link-local/metadata/CGNAT/ULA addresses, pinning the resolved IP (a declared host that re-resolves to an internal address is blocked). Pure policy in egress-policy.ts + tests. TREK_PLUGIN_ALLOW_PRIVATE_EGRESS=on opts back into internal targets. - RSS memory reaper: the supervisor now kills a child that blows a real RSS ceiling (TREK_PLUGIN_MAX_RSS_MB, default 300) — --max-old-space-size only bounds the V8 heap, so Buffers could OOM the box under it. - Hash-chained capability audit log (migration 159): every core-data / broadcast call is recorded at the RPC boundary with the host-bound acting user and a per-plugin hash chain, so wide grants stay attributable + tamper-evident. Admin endpoint GET /api/admin/plugins/:id/audit. - Drop allow-popups from the plugin frame (sandbox + CSP): window.open ignores connect-src, so it was an egress/phishing bypass. Server suite 207 green, client + migration reconciliation green. * fix(plugins): close the UDP + DNS egress hole in the network guard The egress guard only wrapped fetch and net.Socket.connect, so TCP and HTTP were contained but two channels stayed wide open: a plugin could send data out over UDP (node:dgram) or tunnel it inside DNS queries (dns.resolveTxt & friends) to any host it never declared. Neither goes through net.Socket.connect, so the allowlist never saw them. Wrap both now against the same declared-host allowlist: - dgram send/connect: the explicit destination is allowlisted and private-IP-checked like a TCP connect (a null address keeps the connected/localhost default, which the connect wrapper already vetted). - the dns resolver family (module fns, dns.promises, Resolver.prototype): a forward lookup for an undeclared name is refused, which kills DNS tunnelling even when no socket is ever opened. A plugin with no declared egress now really has no way out. * feat(plugins): re-consent gate when an update wants new permissions Updating a plugin used to just reinstall and reactivate, which silently granted whatever the new version declared — so a plugin could quietly widen its own rights on the next release. Route updates through a new server-side update() that diffs the new version's declared permissions against what the admin already granted: - nothing new -> the plugin is restarted transparently on the new code. - new permissions or a new outbound host -> the new code is installed but the plugin is left OFF, and the delta is handed back so the admin has to approve it before it turns on. Install runs first, so a failed download/signature check leaves the running plugin untouched. The client shows the delta in a consent dialog and only then activates. An update can never widen a plugin behind your back. * feat(plugins): honest security info in the admin panel + update consent UI Reworks how the plugins panel talks about safety, since the old copy oversold it. Drops the "install at your own risk" banner and the generic trust note, and replaces them with: - a collapsible security section that lays out plainly how a plugin is contained, what the permissions actually mean (a hard limit on what a plugin CAN do, not a promise of what it does), where the limits are, and what a hostile plugin could do at worst. - a short note on what "Reviewed" means: a maintainer scanned it for malware each version, not for quality — not a guarantee it's harmless. - the consent dialog for the update flow: when an update asks for rights you never granted, it lists the new permissions and outbound hosts and makes you approve before the plugin turns back on. Full copy in all 22 locales. * feat(plugins): redesign the admin plugins page — search, filters, cleaner cards The panel was cramped and hard to scan. Rebuilt it as a proper management surface: - A segmented Installed/Discover switch with counts, and a real toolbar: search, filter by type, filter by status (active/off/update/error), and sort (name/recent/updates first). - An "N updates available · Update all" bar. - Installed rows are tidied up: a single health dot on the icon tile instead of a wall of badges, and capability chips underneath that show what each plugin can actually reach at a glance (reads your trips, dashboard widget, the hosts it talks to) — the reach is now visible without opening anything. Update, toggle and a ⋯ menu (restart, errors, source, uninstall) sit on the right. - The registry browser is now an App-Store-style card grid: screenshot with the plugin's icon chip, a reviewed badge, consistent heights. - The detail dialog gained "What it can access", "Connects to" and a details grid (version, size, requires, reviewed). To feed the capability chips, the installed list now returns each plugin's declared permissions and capabilities. New copy is in all 22 locales. * feat(plugins): make the plugins admin page work on small screens The redesign was built desktop-first. On a phone the toolbar wrapped into a mess and the rows were too cramped. Reworked the responsive behaviour: - The toolbar stacks on mobile — tabs + rescan on top, full-width search, then a right-aligned filter row — and collapses back into one row on sm+ (via display:contents), so the desktop layout is unchanged. Filter buttons drop their label on mobile and lead with an icon; their menus are capped to the viewport width so they never push the page sideways. - Installed rows use tighter spacing on mobile and the update button shrinks to just its icon (full label from sm up). - Horizontal padding, the discover grid and the detail dialog all get mobile-friendly spacing. * fix(plugins): make the detail dialog screenshot fill the full width aspect-[16/9] together with max-h-64 made the browser shrink the image width to keep the ratio once the height was capped, leaving a grey strip on the right. Drop the max-height so the header image spans the dialog. * feat(plugin-sdk): one-command publishing — pack, entry, release Publishing a plugin meant hand-building the zip, running shasum + stat, resolving the tag's commit, and hand-writing the whole registry entry. The SDK does all of it now: - `trek-plugin pack` builds plugin.zip in the exact layout the installer reads (own tiny zip writer, so the SDK stays dependency-free and the format can't drift from the reader), enforces the same native-binary and size rules, and prints the sha256 + size. docs/ is left out — the store fetches the screenshot from the repo, so it doesn't belong in the install artifact (Koffi's went from 943 KB to 15 KB). - `trek-plugin entry` emits the ready-to-PR registry entry from the manifest + the packed zip + the git tag: commitSha (deref'd), downloadUrl, sha256, size, and minTrekVersion derived from the manifest's trek range. `--merge` prepends a new version onto an existing entry for updates. - `trek-plugin release` chains pack → gh release → entry. Also: the scaffold now points the README at docs/screenshot.png (the path the store actually fetches, was screenshot-1.png) with a size hint, and stops hard-coding an MIT license — a plugin is the author's own code under their own license. Round-tripped against the real server extractor; 18 tests. * docs(plugins): rewrite the plugin wiki against the current code + tooling The plugin wiki had drifted from the app and the SDK. Rewrote all four pages, verifying every command, permission, field, path and UI behaviour against source: - Plugins: activation is a toggle (no separate consent screen); install is the Discover tab (no "Browse plugins" button); you review permissions in the detail modal before installing; documents update + re-consent, the ⋯ menu, toolbar filters, capability chips and the health dot. - Plugin-Development: full manifest reference; ws:broadcast:trip/:user (there is no ws:broadcast:*); onLoad + onUnload; the trek:error bridge message and full context payload; trips.* only work in a route handler; asUserId is accepted-but-ignored; integration hooks are declared but not yet wired. - Plugin-Permissions: db:own also covers db.migrate; a host must appear as both an http:outbound:<host> permission and an egress[] entry or it's silently blocked; bare vs per-host outbound. - Plugin-Publishing: the new one-command flow (validate → pack → release → entry), size is a required entry field, signing reconciled with the schema, no reserved namespaces, and the --merge update path. * chore(plugin-sdk): make it npm-publishable so `npx` resolves for authors The docs told authors to run `npx create-trek-plugin` / `npx trek-plugin`, but nothing published under those names, so npx couldn't resolve them. - Ship one package, `trek-plugin-sdk`, with a bin that matches the package name (`trek-plugin-sdk`) so `npx trek-plugin-sdk <command>` resolves with zero install. The dispatcher gained a `create` subcommand, so every step (create/validate/pack/entry/release) runs through that one entry point. The short `trek-plugin` / `create-trek-plugin` bins still work once installed. - Package hardening for publish: repository+directory (monorepo subdir), homepage/bugs/author/engines, publishConfig public, a prepublishOnly that builds + tests, and a LICENSE file. - A publish workflow: pushing a `plugin-sdk-v*` tag builds and publishes with the NPM_TOKEN repo secret. - Docs (SDK README + the four wiki pages) now use `npx trek-plugin-sdk <cmd>`, the invocation that actually resolves. * feat(plugin-sdk): dev server, preflight, auto-PR submit, signing, wizard Round out the author experience so the loop is create -> dev -> release/submit without hand-work or a round-trip through registry review. - `dev`: run a plugin locally with a real request loop and hot reload — no full TREK. Injects a ctx that enforces the manifest's granted permissions (an ungranted call throws, so you catch a missing grant), backs db:own with a real SQLite file (node:sqlite), serves routes under /api and page/widget UI at /ui, and reloads on save. Dependency-free (node:http + built-ins). - `preflight`: run the registry CI checks locally over the network (tag->commit, manifest parity, artifact sha256/size, native scan, README quality gate) so a green run predicts a green CI. - `submit`: fork TREK-Plugins, branch off current main, write/merge the entry, push, and open the PR — the last manual publishing step, automated. - `keygen`/`sign` + `--sign` on entry/release/submit: dependency-free Ed25519 author signatures over the artifact bytes, verified 1:1 against the server's TOFU check. Fills authorPublicKey + signature and guards against a key change. - `create` gains an interactive wizard (id/type/author/permissions) and flags. - README + Development/Publishing/Permissions wikis document the new flow. 24 tests pass (sign round-trips through a server-shaped verifier; zip reader; scaffold options; entry signing + key-change guard). * feat(plugin-sdk): one-command `publish` (pack → release → preflight → PR) Collapses the release into a single command: pack the artifact, tag + create the GitHub release, run the registry CI checks locally (preflight), and open the registry PR — stopping before it submits if preflight would fail, so a broken entry never becomes a doomed PR. `--sign` signs it; `--no-preflight` skips the gate. The individual pack/release/preflight/submit commands still exist. README + the Development/Publishing/Permissions wikis lead with `publish` now. * fix(plugins): security hardening from the PR #1415 audit Remediates the findings from the adversarial audit (threat model: malicious plugin author + malicious artifact). Highlights: Critical - proxy: force nosniff + Content-Disposition: attachment on every proxied reply and drop location/content-disposition + non-2xx from the passthrough, so a plugin can't serve an HTML document at TREK's origin (sandbox-escape → account takeover) or an open redirect. High - db:own runs synchronously in the host: cap the plugin DB (max_page_count) and row-cap query() via iterate() so a recursive CTE / huge blob can't stall the event loop, OOM, or exhaust the shared volume. - supervisor: measure child RSS host-side (/proc/<pid>/statm) instead of trusting the spoofable heartbeat; add an activation timeout so a stuck onLoad can't hang activate() or peg a core unreaped. - safe-extract: enforce entry-count + cumulative-size limits INSIDE readZip before inflating (decompression-bomb OOM). - re-consent: activate() never widens granted permissions without explicit consent (409 CONSENT_REQUIRED); the row toggle + "Update All" route through the consent dialog, which now queues instead of overwriting. Medium/low - egress: gate dgram hostnames through the IP-vetting resolver; block the low-level socket escape (process.binding) + lock the wrapped prototypes; canonicalize IPv6 in isBlockedIp (hex-mapped/compressed metadata); reject degenerate `*.` / whole-TLD / spaced outbound hosts in the manifest + CSP. - ws:broadcast is membership-gated to the acting user's trips / own connections; users.getById is scoped to users the acting user can see (no enumeration). - safe-fetch streams + aborts at the byte cap (chunked codeload OOM); isPrivateIp reuses the canonicalizing check. - native-scan throws instead of silently passing past its entry cap. - SDK: dev serves binary assets as raw buffers + handles EADDRINUSE; manifest validator gains the reserved-id + outbound-host checks; wikis corrected. Tests updated for the new membership-gated behaviour + regression tests added (IPv6 canonicalization, wildcard hardening, outbound-host validation, ws/user scoping). 234 plugin tests + 24 SDK tests green. * fix(plugins): close the 4 PARTIAL findings + regressions from the fix-verify pass A second adversarial pass over the first remediation found four findings only partially closed and five issues the fixes themselves introduced. This closes them: Partial → closed - re-consent gate keyed on `granted.length > 0`, so a plugin first activated with ZERO permissions (granted '[]') was treated as never-consented and a later widening was granted silently. Now discovery marks a never-consented plugin with granted_permissions '' and activate() gates on "ever consented" (any non-empty string, including '[]'). - db:own DoS: block WITH RECURSIVE outright (the one construct that spins the synchronous host unboundedly regardless of the size/row caps, via query OR exec). - dgram: also wrap `new dgram.Socket(...)` (bypassed createSocket) to inject the IP-vetting lookup, and lock createSocket/Socket. - frame self-navigation: documented as a bounded best-effort mitigation (inherent to sandboxed iframes; exposure is the plugin's own routes + already-held context, never the httpOnly cookie). Regressions introduced by the first pass → fixed - proxy: only real redirects (301/302/303/307/308) are gated, to a RELATIVE in-app Location (supports OAuth-callback bounce, blocks open redirect); 300/304 pass through; attachment only on non-redirects. - supervisor: measure RSS via /proc/<pid>/status VmRSS (page-size independent); activation-timeout awaits kill() before disposing the db handle. - manifest HOST_RE: allow single-label hosts (self-hoster sibling services) while keeping wildcards multi-label; mirrored in the SDK + frame CSP filter. Regression tests added (re-consent incl. the '[]' case, WITH RECURSIVE + row cap, single-label host). 236 plugin tests + 24 SDK tests green. * docs: refresh README screenshots (8) + swap the second trip shot for Collections Replaces all eight README gallery screenshots with current-UI captures and swaps docs/screenshots/trip-iceland.png for collections.png (saved place lists). * fix(plugin-sdk): make require('trek-plugin-sdk') actually resolve everywhere A freshly scaffolded plugin could not load anywhere: the npm package is ESM-only (no require condition in its exports map), so the scaffold's require('trek-plugin-sdk') threw ERR_PACKAGE_PATH_NOT_EXPORTED under `trek-plugin dev` - and the runtime injection the wiki promised for the plugin child never existed, so a packed plugin (node_modules stripped) crashed with MODULE_NOT_FOUND after a real install. - plugin child: inject a frozen {definePlugin, PLUGIN_API_VERSION} shim for require('trek-plugin-sdk'); subpaths fail with a pointed error - trek-plugin dev: inject the exact same shim, so a fresh scaffold runs with zero npm install and dev parity with production holds - npm package: ship a real CommonJS build (dist/cjs + require export conditions) so the installed package also requires cleanly on Node 18+ - create: scaffold a package.json (type commonjs, SDK as devDependency, npx scripts); print resolvable `npx trek-plugin-sdk ...` hints - wiki: package.json in the scaffold tree + publishing checklist, and document the zero-install dev flow * fix(plugins): tolerate a UTF-8 BOM in trek-plugin.json Windows editors love to prepend a BOM, and a bare JSON.parse then dies with an "Unexpected token" pointing at an invisible character - in the SDK CLIs (dev/validate/entry/submit) and, worse, server-side: a BOM in an author repo travels through pack into the artifact and fails discovery and registry install. Strip it at every manifest/JSON read (readJsonFile in the SDK, parseJsonText in the installer). * fix(plugin-sdk): dev db binds an args array like the real host, and a failed onLoad stops the routes * ci(plugin-sdk): publish on Node 22; skip the dev-db bind test without node:sqlite * docs(wiki): document AI booking import, guest members and packing sharing Fill the gaps left after the 3.2.0 feature work: - add an AI Booking Import page for the AI Parsing addon (providers, admin/per-user config, model pull, the review-before-save flow) and link it from Reservations & Bookings and the sidebar - document guest members on Trip Members and Sharing (owner-only, what they can be assigned to, and the sign-in/notification/visibility limits) - document the three packing sharing tiers and co-bringing on Packing Lists - add TRANSIT_API_URL and the plugin variables to Environment Variables, and correct the language list to 22 (add Swedish and Vietnamese) - list the airtrail and llm_parsing addons in the Addons overview * feat(plugins): enable the plugin system by default The runtime and the Admin -> Plugins panel are now available out of the box; TREK_PLUGINS_ENABLED becomes an opt-out (set it to false to switch the whole system off). Installed plugins are still registered inactive and have to be activated one by one, so no third-party code runs until an admin turns a specific plugin on. Update the kill-switch default test and the plugin/env-var wiki pages to match. * fix(costs): KGS is selectable as default/expense currency (#1400) * fix(map): render date-line-crossing routes as one continuous arc (#1411) The great-circle sampler normalizes longitudes to [-180,180], so a transpacific leg jumped +-360 between neighbours and got split into two polylines pinned to opposite map edges. Unwrap the longitudes instead (shared flightGeodesy module for both renderers): Leaflet additionally draws a +-360-shifted copy so both halves show in the standard view, GL maps repeat world copies themselves. * fix(map): clear the hover card on marker click and camera moves (#1404) Clicking an off-center place recenters the map under a stationary cursor, so mouseout/mouseleave never fires and the hover card sticks. Clear it on marker click and on movestart, and suppress re-shows while the camera is animating (marker rebuilds re-fire mouseenter mid-pan). feat(map): long-press + plain right-click add-place on GL maps (#1398) The GL providers only bound middle-click, so mobile had no way to add a place at a position (and Macs have no middle button). Add a 600ms touch long-press with move tolerance and the map contextmenu event - both GL libs suppress it while the right-button rotate/pitch drag is active, so the gesture keeps winning. * fix(mcp): keep SSE streams alive and stop invalidating sessions on unrelated saves (#1414) Three separate causes for the reconnect-per-tool-call pain: - no keep-alive on the standalone GET stream, so reverse proxies with idle timeouts (nginx default 60s) killed it between calls - send an SSE comment ping every 25s (MCP_SSE_KEEPALIVE, 0 = off) and count an open stream as session activity - the session TTL was hard-coded - MCP_SESSION_TTL (seconds, clamped to 24h) now works as the issue expected - every addon save invalidated ALL sessions: config-only saves, photo provider toggles and addons with no MCP surface included. Only a real enabled-flip of an MCP-relevant addon (or an actual collab-feature change) tears sessions down now. * feat(api): OpenAPI/Swagger docs at /api/docs behind TREK_API_DOCS_ENABLED (#1412) Swagger UI + raw spec (/api/docs-json, -yaml) over all controllers, with a bearer button that works with a plain session JWT. Off by default - the spec enumerates the whole surface incl. admin routes, so exposing it is an explicit self-hoster decision (same kill-switch pattern as TREK_PLUGINS_ENABLED). Request bodies come from the Zod schemas the routes already validate with: an enricher walks every controller, finds whole-body ZodValidationPipe params and lifts their schema into the document via zod v4's native z.toJSONSchema - nothing is annotated twice, and any route that gains a Zod pipe is documented automatically. * fix(map,mcp): review follow-ups for the issue-fix batch - mapbox-gl (unlike maplibre) still emits the map contextmenu after a right-button rotate/pitch drag on Windows - guard it with the pressed position so ending a rotate can't open the Add-Place form (#1398) - a long-press whose fire was deduped (or that never yields a click) no longer leaves suppressNextClick armed to swallow a later real tap - MCP_SSE_KEEPALIVE=0 keeps the open-stream-counts-as-activity guarantee: the touch interval survives, only the pings stop (#1414) - swagger-ui-dist ships @scarf/scarf install-time analytics - disabled via scarfSettings in the root package.json, TREK sends no telemetry - Budget wiki currency list: 47 incl. KGS (#1400) * feat(map): real road routes for car/bus/taxi/bicycle bookings instead of straight lines Road-based transport bookings drew an as-the-crow-flies line; only transit journeys (Transitous) showed the real path. A shared useTransportRoutes hook now fetches the OSRM road geometry (driving for car/bus/taxi, cycling for bicycle) — reusing the day-route router and its cache — and both renderers draw it in place of the straight arc, falling back to the straight line until it loads or if routing fails. Trains/other keep their straight line (not road-routable); a 2000 km sanity cap avoids hammering the public router on cross-continent quirks. * feat(transport): multi-leg train bookings (#1150) Long train trips are usually several trains under one booking. Trains now get the same multi-leg editor flights have: an ordered chain of stations (station search instead of the airport picker) with a per-leg train number + platform, saved as from/stop/to endpoints + metadata.legs — mirroring the flight leg contract, so the map draws the whole chain and the day plan splits it into one row per leg (drag/reorder/position persistence come for free from the shared __leg machinery). A single-leg train saves exactly as before (flat metadata, no legs), and the flat train-fields block is gone in favour of the per-leg inputs. Day sidebar, shared trip view and the PDF render each train leg like a flight leg. * feat(collections): per-collection custom labels Each list can now define its own labels (e.g. Berlin, Hamburg, Ostsee in a "Germany 2026" list) and organise its places by them: - manage labels (create / rename / recolor / delete) from a label manager - assign labels to a place from its detail sheet, or to many places at once from the selection toolbar - filter the place list AND the map by label (multi-select, any-match) Labels are scoped to a collection and shared by all its members. Managing and assigning labels needs edit rights; filtering is available to everyone. Moving a place to another list drops its labels, since they belong to the source list. * test(collections): pass the required labels prop in CollectionPlaceDetail test The per-collection labels feature (a5522e99) made `labels` a required prop and renders `labels.filter(...)`, but the test's props cast to Omit<DetailProps,'t'> hid the missing prop, so `labels` was undefined at runtime and crashed the whole suite (Cannot read properties of undefined reading 'filter'). Pass labels: [] like categories. * docs(wiki): document collection labels, multi-leg trains and road-route overlays - Collections: add a Custom labels section (manage / assign / filter), note the label filter + bulk assign, and the view-vs-edit permission split - Transport: rewrite the train fields as the multi-leg route editor, correct the transport type list (nine types) and the map/day-plan behaviour - Map Features: car/bus/taxi/bicycle overlays follow real roads; multi-leg trains draw their full station chain; date-line routes render as one continuous arc --------- Co-authored-by: jubnl <jgunther021@gmail.com> Co-authored-by: jufy111 <jeffturner93@gmail.com> Co-authored-by: Azalea <noreply@aza.moe> Co-authored-by: Zorth Thorch <jasper_goens@hotmail.com> Co-authored-by: leeduc <lee.duc55@gmail.com> Co-authored-by: yael-tramier <tramier.yael@gmail.com> Co-authored-by: michael-bohr <mjbohr@gmail.com> Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com> Co-authored-by: Gio Cettuzzi <gio.cettuzzi@gmail.com> Co-authored-by: mauriceboe <mauriceboe@users.noreply.github.com> Co-authored-by: jubnl <66769052+jubnl@users.noreply.github.com>
2026-07-05 07:13:04 +08:00
- [[Collections]]
- [[Dashboard Widgets|Dashboard-Widgets]]
3.2.0 (#1426) * docs(wiki): document the snap Docker + no-new-privileges startup failure * fix(setup): warn when ADMIN_EMAIL/ADMIN_PASSWORD are ignored, ship reset-admin The first-run seeder only applies ADMIN_EMAIL/ADMIN_PASSWORD on an empty database and then silently ignores them. People add the vars after the first boot, or pull a fresh image without clearing ./data, restart, and cannot log in with no hint why (#1339). The default is a generated password (not the .env.example placeholder), printed once in the first-run box. Now: warn loudly when the vars are set but a user already exists, and warn on a partial (one-of-two) config instead of quietly falling back. Also ship the reset-admin recovery script in the image -- it was never COPYed in despite the wiki referencing it. node server/reset-admin.js resets/creates admin@trek.local with a generated password (RESET_ADMIN_EMAIL/RESET_ADMIN_PASSWORD overridable), picks a free username so it cannot trip UNIQUE(username), and sets must_change_password. * feat(extract): extract data using LLM * fix(extract): auto-run the AI fallback when the addon is enabled Booking import only fell back to the LLM when each user flipped an 'always retry with AI' toggle, so by default files kitinerary returned nothing for just failed. Run the fallback automatically whenever the AI Parsing addon is on (fallback-on-empty); drop the now-redundant per-user toggle and its setting. * fix(extract): make AI imports reliable and fast on local models client: the import call inherited the global 8s axios timeout and aborted long LLM extractions even though the server finished it; remove the timeout. server: raise the OpenAI-compatible LLM timeout 60s->180s (a cold Ollama model can take ~45s to first token). server: cap extracted text to 8000 chars before the LLM - multi-page T&C tails (30k+ chars) overflowed the context window, truncating the relevant head and making CPU inference crawl; booking details sit at the top. * feat(extract): fill transport/booking fields, geocode endpoints, assign days - rental car: request+map dropoffLocation, emit pickup->return from/to endpoints, set a location string (G1/G2/G3). - geocode endpoints (stations/stops/terminals/rental desks) on confirm via Nominatim; mapper now emits coordless named endpoints and confirm persists only the geocoded ones (G6). - assign every dated booking to the nearest trip day so it still shows when slightly out of range, and keep hotel accommodation from vanishing when a check date misses (G5/G10). - fix bus mislabelled as train + add bus_number metadata (G7/G8), flag malformed boats (G9), accept root start/end time for events (G11). - raise the local-LLM timeout to 300s for CPU-only Ollama. * perf(extract): cap LLM input at 4000 chars for CPU-only speed On a GPU-less host the model's prompt-eval time scales with input length and dominates total latency. Booking details sit at the top of a confirmation, so capping the extracted text at 4000 chars (was 8000) roughly halves extraction time (~50s warm for a capable local 7B model) with no loss of fields on real hotel/rental confirmations. Tunable if a long multi-segment itinerary needs more. * feat(extract): capture seat, class, platform, price + event venue contact Request and map root-level seat/class/platform and a total price/currency into reservation metadata (shown on the card; price reuses the existing label). Read both the root and reservationFor and tolerate common field-name aliases (priceAmount, priceCurrencyISO4217Code, fareClass, ...) since models name these inconsistently. Also capture event/attraction venue telephone + url onto the auto-created place, matching lodging/restaurant. * feat(extract): create a linked cost from the booking price on import When a confirmation carries a total price, record it as a real expense linked to the reservation (in the matching Costs category) instead of leaving the amount in metadata only. Gated on the Costs addon. * fix(extract): refresh accommodations after a booking import A freshly imported hotel links to an accommodation that lives outside the trip store, so loadTrip alone left the reservation edit modal with blank place/date fields. Reload the accommodations list once the import finishes. * feat(extract): drive NuExtract with its native template NuExtract isn't an instruct model — fed a plain chat prompt it just echoes the schema back. Detect a NuExtract model by id and talk to it the way the model cards document: the JSON template inlined in a single user message, no system prompt, no json_schema, temperature 0. Its flat result is mapped back to the same KiReservation shape the rest of the pipeline already uses, so nothing downstream changes; every other model keeps the generic prompt. Money is taken as a verbatim string and parsed locally (German "1.580,22 €" otherwise comes back as 1.49772), a rental car's pickup/return ride the from/to fields so a stray form label doesn't become the location, and a lodging with no name falls back to its address instead of being dropped. * fix(admin): tidy the AI parsing settings and recommend the 2B model The provider picker is the shared CustomSelect now and the form is split into clear sections rather than a flat stack of inputs. NuExtract 2.0 2B is the recommended default — fastest on a CPU-only host and MIT licensed; the 4B carries a non-commercial licence, so it's no longer flagged as recommended. * feat(import): review each parsed booking before it's saved Instead of writing parsed items straight to the trip, the import opens the normal edit modal pre-filled for each one, so you can check and fix it before saving — useful when a model guesses a wrong date or address. Hotels gained an editable address field; on save an existing place is matched by name, otherwise the reviewed address is geocoded and a new place is created. * feat(extract): drive local parsing through a layered extraction router The single-shot prompt was unreliable on multi-leg flights and longer documents, and slow on a CPU host. For the local provider, run a small router instead: - deterministic vendor templates first, with no model call at all - exactly one grammar-enforced call per document via Ollama's native `format` (flights as a flat array of legs, everything else as one flat reservation, the type picked from keywords or a union schema) - booking-wide fields (booking reference, total price, the overnight arrival day) filled deterministically from the text afterwards, and dates coerced to ISO so a natural-language date can't slip through Recommend qwen2.5 in the AI-parsing settings instead of NuExtract. * feat(import): parse bookings in the background with a progress widget Parsing a booking can take a while on a CPU host, so don't hold the upload modal open for it. The async import endpoint returns a job id right away; the parse runs server-side (one at a time per user) and pushes progress over the user's WebSocket, and a small widget in the bottom corner tracks it while the user keeps navigating and editing. A finished job opens the per-item review from the widget. * fix(import): create linked costs and accommodations from reviewed bookings Reviewing an imported booking saves it through the normal reservation form, which dropped the parsed price (so no linked cost was created) and only created the accommodation when both nights matched a trip day. Carry the parsed price into a linked cost on save, and create the accommodation from whichever day the check-in/out dates resolve to. * feat(extract): add Expedia and rental-broker booking templates Pull the hotel/rental fields these vendors print in a stable text layout (name, address, stay/pickup dates, price, reference) deterministically, so the import stops depending on the local model for them. Handles German long/abbreviated months and English dates incl. 12-hour and comma forms. * fix(extract): backfill booking code/total and harden the reference match Apply the deterministic confirmation-code and total fill to vendor-template results too (not just model output), and require the captured reference to contain a digit so a bare 'Confirmation'/'Reference' label no longer grabs the next prose word. * fix(import): keep the parse-progress widget across a reload Persist the background-import tasks (id/trip/status only) and re-fetch each job's status on mount, so a parse still running when the page reloads keeps its widget instead of vanishing; expired jobs (404) are dropped and a restored 'done' task re-fetches its items. * fix(reservations): skip un-geocoded endpoints instead of failing the save reservation_endpoints.lat/lng are NOT NULL, so saving a reviewed transport whose pick-up/return couldn't be geocoded threw a 500 and lost the whole booking (dates, linked cost). Skip those rows; the dates still persist on reservation_time/reservation_end_time. * fix(import): resolve an imported transport's day from its parsed dates A reviewed transport (e.g. a rental car) arrived with only its parsed pick-up/return dates and no day_id, so the modal kept just the time and saved a bare "HH:MM" with no date. Resolve start/end day from the parsed dates (exact match, else nearest trip day) so the booking lands on the right days. * fix(import): refresh costs after a booking review so imported expenses appear without a reload Imported bookings auto-create their linked budget items server-side, but the saving client suppresses its own budget:created echo, so the Costs list stayed stale until a manual reload. Reload the budget items when the review session ends. * refactor(extract): dedupe currency/day helpers, drop redundant casts, support JPY vouchers Code-audit clean-ups: share one normCurrency between the router and the templates, lift the duplicated nearest-day resolver into formatters.resolveDayId, drop two needless as-unknown-as casts at the fillBookingWideFields call sites, restore routeExtraction's doc comment, and give the broker template readable names. Plus recognise ¥/JPY and fall back to a standalone symbol amount, so a Klook-style voucher whose price sits far from any label still yields a cost. * feat(import): attach the parsed source document to each booking Keep the uploaded files on the background task and hand them to the review flow, so each reviewed booking pre-fills its Files with the document it was parsed from (uploaded with the booking on save). The two modals also adopt the shared resolveDayId helper. * fix(extract): disable model thinking for grammar-constrained extraction Hybrid/reasoning models (Qwen3 and similar) default to emitting reasoning tokens, which collide with Ollama's format-grammar constraint — on CPU this produced null/unparseable output and blew the latency budget (qwen3:8b: null or 300s timeouts vs ~20s with thinking off). Send think:false on the /api/chat call; Ollama ignores it for non-thinking models (verified on qwen2.5:7b), so it's safe and unlocks the stronger Qwen3 family. * feat(extract): recommend Qwen3-8B as the local extraction model A/B against the prior default (qwen2.5:7b) on CPU showed Qwen3-8B is both faster and more accurate on tricky/multilingual booking docs (correct Airbnb year+price, correct DisneySea admission date), once thinking is disabled — which the router now does. Feature it as the recommended pull, keep qwen2.5:7b as the fallback. * refactor(extract): drop vendor templates, let the model drive with deterministic backfill Now that a capable instruct model (Qwen3-8B, thinking off) reads name/address/dates/legs reliably across formats, the per-vendor template short-circuit distorted more than it fixed: brittle on layout variations and overriding the better model output. Remove the template layer; the model extracts the structure and Schicht 2 backfills the confirmation/total and takes the currency from the document's own symbol (correcting model misreads like ¥→$). Per-type prompts now also ask for address and price/currency. * fix(extract): require the hotel address and ask for the rental company After dropping the vendor templates, the model skipped the (often unlabeled) Expedia-style hotel address — making address a required schema field forces it to emit the street-address line, restoring the booking's location/place. Also hint the rental company so a car booking gets a real title instead of the generic fallback. * fix(import): refresh costs immediately after an imported booking is saved The saving client gets no budget:created echo (X-Socket-Id) and the create response omits the linked budget item, so the booking's Costs section and the Costs tab stayed stale until a manual reload. Reload the budget items right after a create that carried a budget entry. * perf(extract): cap single-booking text tighter; require rental company A long single-booking PDF (e.g. an 11-page rental voucher) spent ~200s on CPU prompt-eval at the 16k cap, though its data sits in the first ~2k. Cap non-flight docs at 6k (flights keep 16k for all legs). Also make the rental operator a required field so the car gets a real title. * fix(import): preview the parsed cost as linked in the review modal During the per-item import review the booking isn't saved yet, so the Costs section showed an empty 'Create expense' even though a linked cost will be created on save. Show the parsed price (amount + category) as the pending linked expense so the user can verify it up front. Reuses existing i18n keys. * fix(import): persist source files in IndexedDB so attach survives a reload The source document was only kept in memory on the background task, so a page reload during the (now always-LLM ~25s) parse lost it and the booking saved without its file. Store the uploaded files in IndexedDB keyed by job id; the review loads them from there when the in-memory copy is gone, and a 1h TTL prunes abandoned imports. * chore(extract): recommend only Qwen3-8B (drop Qwen2.5 from the curated list) Qwen3-8B is the identified default; the prior Qwen2.5 entries are no longer needed in the pull list. * feat(settings): let users set their own AI parsing model Adds an "AI parsing" section under Settings -> Integrations where a user can choose the LLM provider, model, base URL, API key and multimodal option used for booking extraction. This per-user config applies when an admin has not configured an instance-wide model. Reuses the existing encrypted user settings: the API key is stored encrypted, never prefilled, and a blank field keeps the stored one. Adds settings.aiParsing.* across all 20 locales. * fix(settings): show the Integrations tab when only AI parsing is enabled hasIntegrations gated the tab on memories/mcp/airtrail only, so a user with just the llm_parsing addon enabled saw no Integrations tab and could not reach the AI parsing config. Include llmEnabled in the gate. * feat(settings): use the shared custom dropdown for the AI parsing provider Swap the native select for CustomSelect so the provider picker matches the rest of the app's styling (dark mode, portal dropdown). * refactor(planner): move the import-review bridge effect into the page hook TripPlannerPage held a useEffect (the background-import → review bridge), which trips the page-pattern check (pages must stay wiring containers). Move the effect and its store/IndexedDB wiring into useTripPlanner where the rest of the import-review state already lives. * test(llm-parse): cover the extraction router, client factory and import jobs The new LLM extraction router shipped with little branch coverage, dropping src/nest below the 80% gate. Add unit tests for routeExtraction (flights/single/union/error paths, deterministic booking-wide fill), the native Ollama format client, the provider factory, the local-router service path with its type-aware text cap, the flat->schema.org mapper's remaining reservation types, and the background import-jobs runner. Also remove the now-unused validate.ts (only its FlatLike type was still referenced; moved to flat-schemas). * test(setup): stub websocket addListener/removeListener in the global mock BackgroundTasksWidget (mounted globally in App) subscribes via addListener/removeListener from api/websocket, but the global test mock didn't export them, so every test that renders <App/> threw on mount. Add the two stubs. (Surfaced now that the page-pattern check passes and the client test step actually runs.) * fix(i18n): add Swedish translations for the AI booking-import settings The Swedish (sv) locale landed on dev (#1325) after this branch added the AI-parsing settings/reservation keys to the other locales, so sv was missing them — strict i18n key parity failed after rebasing onto dev. Adds the 3 reservations.import.* and 17 settings.aiParsing/aiAlwaysRetry keys in sv. * fix(extract): don't let the day-clamp fallback break reservation resync (#1288) This branch added a clamp-to-nearest-day fallback to resolveDayIdFromTime so an imported booking whose exact date has no day row still lands on a day. After rebasing onto dev, that collided with #1288's resyncReservationDays, which relies on the original "null when no exact day" semantics to leave a booking whose date now falls outside the range untouched — instead it snapped to an edge day (TRIP-SVC-019 failed: expected day_id kept, got the clamped one). Make clampToNearest an opt-in parameter (default true, preserving the import behaviour for create/update) and have resyncReservationDays pass false, so out-of-range bookings keep their day_id. Full server suite green (4082). * Added focus to search places in placeFormModal * fix(airtrail): import departure/arrival times for manually-entered flights (#1336) The mapper read only `departureScheduled`/`arrivalScheduled`, but those columns are optional in AirTrail and stay null for manually-entered flights — where `departure`/`arrival` are the only times set. So the import dropped the departure clock (date-only) and the whole arrival (no date, no time), exactly as reported. AirTrail's own rule is "use departure if available, otherwise fall back to departureScheduled". Mirror that: prefer the scheduled instant, fall back to the primary departure/arrival, in mapFlightToReservation, normalizeFlight, and the sync hash. Hashing the resolved instant means flights already imported without a scheduled time re-sync once and pick up their clock automatically; flights that do have scheduled times are unaffected (no spurious re-sync). Tests: 3 new mapper cases (fallback mapping, picker preview, hash tracking); two existing cases that asserted the scheduled-only behaviour updated to the "neither time set" case. Full server suite green (4085). * fix(pwa): stop unregistering the service worker on offline boot (#1346) Opening the installed PWA offline showed Chrome's "no internet" page instead of the cached app. On boot the axios response interceptor reacts to a failed request with no response by probing /api/health; the probe collapsed "genuinely offline" and "edge-proxy auth wall" into a single reachable=false, so the interceptor unregistered the service worker and reloaded — straight into a dead network. navigator.onLine is true on mobile while offline, so the existing guard didn't help. This also defeated the offline data layer (withOfflineFallback, authStore's offline branch), which runs later in the chain. Fix: connectivity.probe() now returns a discriminated state ('online' | 'offline' | 'proxy-wall'). A fetch that throws, or navigator.onLine false, is 'offline'; a cross-origin redirect (CF Access, via redirect:'manual' → opaqueredirect) or an HTML auth wall (Pangolin) is 'proxy-wall'. The interceptor only tears down the SW on 'proxy-wall'; on plain offline it lets the request reject so the cached shell + IndexedDB serve the app. CF Access / Pangolin reauth still works — the proxy always presents a reachable redirect or HTML wall, which the probe now detects positively. Regression dates to v3.0.16 (#964), surfaced by the 3.1.0 rewrite. Tests: 6 new connectivity cases (offline/online/proxy-wall discrimination); client tsc clean, full client suite green (2850). * fix(map): keep the mobile GPS button above the day-detail panel (#1348) On mobile the location (GPS) FAB sat at bottom: calc(var(--bottom-nav-h) + 12px), which only clears the bottom nav. When a day is selected, DayDetailPanel slides up over the map from bottom: navh+20 and spans nearly full width at z-index 10000, covering the button's band — so the button was hidden behind it. DayDetailPanel now publishes its live measured height to a root CSS var --day-panel-h (ResizeObserver, reset to 0 on unmount), and both map renderers lift the button above the panel when it's open, reusing the hasDayDetail prop they already receive: hasDayDetail ? calc(var(--bottom-nav-h) + 20px + var(--day-panel-h) + 12px) : calc(var(--bottom-nav-h) + 12px) Applied to both the Leaflet (MapView) and GL (MapViewGL) renderers. When the panel closes, hasDayDetail is false and the offset falls back to the bottom-nav value. Desktop is unaffected — the button is mobile-only. Tests: new DayDetailPanel case asserting --day-panel-h is published and reset on unmount; client tsc clean, full client suite green (2851). * feat(mobile): make the bottom-nav "+" context-aware per trip tab (#1349) On mobile the bottom-nav "+" always created a new place (except on the Costs tab, where it added an expense). It now matches the active trip tab: Bookings adds a reservation, Transports adds a transport, Costs adds an expense, and everything else (Plan, plus tabs that have no create modal — Lists / Files / Collab) keeps adding a place. Follows the existing ?create=<intent> pattern: BottomNav.useCreateAction emits the per-tab intent, and useTripPlanner consumes create=reservation|transport to open the booking / transport modals (both already mounted at page level). Place and expense were already wired; this just extends the mapping. Tests: 4 new BottomNav cases (plan/bookings/transports/costs → correct intent + navigate target); client tsc clean, full client suite green (2855). Implements mauriceboe/TREK#1349 * [+] Unsplash * [+] i18n * feat(trips): download chosen Unsplash covers into uploads (#1277) Previously a selected Unsplash photo was stored as a remote images.unsplash.com hot-link, so covers broke offline and on link rot. The trip PUT handler now fetches the picked image through the SSRF guard and saves it under uploads/covers, rewriting cover_image to the local path (502 if the download fails). Also debounces the cover search so a slow earlier request can no longer overwrite newer results, drops a dead userId parameter, and reverts an unrelated vite proxy change. * test(trips): cover the Unsplash cover download and search-race guard (#1277) Adds unit coverage for saveUnsplashCover (host check, content-type and size limits, download failure), the searchUnsplashPhotos error and success paths, and the PUT handler internalising a hot-link. Updates the existing PUT tests for the now-async handler. * fix(docker): keep server/reset-admin.js in the build context (#1339) The Dockerfile copies server/reset-admin.js (the admin recovery script), but .dockerignore also listed it, so it was stripped from the build context and the image build failed with a not-found error. Drop the ignore entry so the COPY resolves again. * fix(llm): stop the browser autofilling the LLM base URL (#1301) The AI-parsing base URL and model inputs had no autoComplete, so a browser password manager could drop the saved login email into the base URL field. In the admin addon config onBlur then fired a model lookup against e.g. "admin@trek.local", which the server rejected with 400. Mark the base URL and model inputs as type=url / autoComplete=off in both the admin addon config and the per-user connection section. * feat(appearance): add per-user appearance config contract Shared AppearanceConfig (color scheme, accent, transparency, per-tier type scale, density, reduce-motion and per-device dashboard widgets) stored as one JSON blob under the existing settings key. normalizeAppearance never throws, so a malformed/partial/future blob degrades to the neutral default and can never reach the DOM. No DB migration; the default reproduces today's look exactly. * feat(appearance): token-driven theme engine with schemes and FOUC-safe boot applyAppearance is the single writer of styling to the DOM (the .dark class plus data-scheme/-no-transparency/-density/-reduce-motion and the custom-accent/type-scale CSS vars). An external pre-paint /theme-boot.js replays a cached snapshot before first paint and complies with the production CSP (script-src 'self'), fixing the long-standing theme FOUC. Adds seven color schemes (incl. a true high-contrast that raises neutral contrast), a custom accent with auto-derived legible text, an extended token layer (accent variants, status/shadow/overlay/inverse), a scheme-gated legacy accent bridge, and a transparency-off layer. The default scheme sets no attributes, so existing users are unaffected. * feat(settings): appearance settings tab New Appearance tab with color mode (moved out of Display), color-scheme swatches, a custom accent picker with a live WCAG contrast hint, transparency and reduce-motion toggles, density, a global text-size slider with advanced per-tier controls, and per-device dashboard widget toggles. Edits preview live and commit on a short debounce. i18n keys added across all locales, translated for German. * feat(dashboard): per-device widget visibility with layout reflow Dashboard widgets (currency, timezones, upcoming reservations, atlas and the stat tiles) can be shown or hidden independently on desktop and mobile from the appearance settings. The stat grid spreads its visible tiles to full width, and disabling the right sidebar collapses the layout to a single centered column. * chore(appearance): add theme:lint guard for hardcoded styles A theme:lint script (modeled on i18n:parity) flags new inline color/fontSize literals and arbitrary-hex Tailwind classes that bypass the design tokens, so future code stays themeable. Map/PDF surfaces are exempt. The token taxonomy and the six theming rules are documented in src/theme/README.md. * fix(appearance): scale inline px font sizes so text-size reaches all content The global text-size control only set the root font-size, which scales rem-based text (navbar, menus) but not the dense inline px sizes used across the trip planner, budget, journey and panels — so place titles and addresses stayed fixed. applyAppearance now also exposes the factor as --fs-scale-text, and a codemod wraps inline numeric fontSize in calc(<px> * var(--fs-scale-text, 1)) across components and pages (map popups and PDF excluded). Sizes are byte-identical at 100%; the control now visibly resizes the actual content. * fix(appearance): clearer widget settings, density hint, solid surfaces with transparency off Dashboard widget settings are grouped by where they sit on the dashboard (below the hero / right sidebar / bottom of page); the right-sidebar master toggle now nests its individual widgets and greys them out when the sidebar is off, instead of a confusing flat list mixing the master with its children. Density gains an explanatory hint plus a real compact spacing effect. Transparency-off also solidifies the Atlas glass panels and tooltip, Leaflet zoom controls and GL popups — class-based surfaces via CSS, the Atlas inline panels via a noTransparency flag. * fix(appearance): keep i18n key parity and update the scaled-emoji test Add the new appearance settings keys (widget group titles, sidebar/density hints) to every locale so the strict key-parity check passes, and update the single-emoji chat test to expect the now-scalable calc() font size. * feat(appearance): granular per-size text scaling with live preview The text-size control now adjusts each size class (Large / Medium / Normal / Small) independently as well as all-at-once. Inline px sizes are mapped to a class by their value, so the per-class sliders reach real content; each class variable = global factor x its per-class factor (no double-scaling with the root font-size that handles rem text). The settings UI gains a live preview that resizes as you drag, and the four size sliders sit behind a clear toggle. * feat(appearance): show per-size text controls inline with examples The four size-class sliders (Large/Medium/Normal/Small) are now always visible instead of behind a disclosure, each with a live sample rendered at that size and an example of what it affects (e.g. Normal = place names/descriptions, Small = addresses/labels). * fix(appearance): shorten the Auto color-mode label to 'Auto' on mobile * fix(appearance): make the dashboard hero boarding-pass solid with transparency off * feat(appearance): mark the Readability section as experimental Transparency-off, density and per-size typography are best-effort while the token migration is ongoing, so the section carries an Experimental badge. Adds the i18n key across all locales. * chore(about): remove the monthly supporters section * refactor(settings): rename the Display tab to General and group its settings The Display tab became a catch-all once theming moved to its own Appearance tab, and its 'Display' label no longer fit. It is now 'General' (Allgemein) and split into 'Language & region' and 'Travel & map' sections. Tab labels and the new section titles are added across all locales. * refactor(admin): group the admin sidebar tabs into sections The admin sidebar had 11 flat tabs. PageSidebar now supports optional group headings (backward-compatible; the Settings sidebar stays flat), and the admin tabs are grouped into Users, Configuration, Integrations and Maintenance. Group labels added across all locales. * feat(help): embed the TREK wiki as an in-app help centre Add a Help section (profile menu, /help) that renders the GitHub wiki inside TREK. /api/help fetches the wiki markdown — the nav from _Sidebar.md, pages, and proxied images — from GitHub and caches it (1h TTL, serves stale on outage), so it auto-syncs on wiki edits with no redeploy and the client never calls GitHub directly. The page is styled to match TREK with a section sidebar, search and react-markdown; wiki [[links]] are rewritten to in-app routes and HTML-comment placeholders are stripped. Page state lives in a useHelp() hook per the page pattern. Adds nav.help and a help namespace across all locales. * feat(auth): explain the plain-HTTP secure-cookie gotcha on login When the server issues a Secure session cookie but the request arrived over plain HTTP (the common LAN install over http://ip:3000), the browser drops the cookie and the next request dead-ends on a bare "Access token required" — the top source of avoidable install issues. The login response now flags this exact case and the login page shows a localized box explaining the fix (use HTTPS, or set COOKIE_SECURE=false) with a link to the Troubleshooting guide. It only triggers in the real failure case, never for correct HTTPS setups. * feat(costs): Splitwise-like cost splitting Add per-payer and per-member custom split amounts with Equally, Custom and Ticket split modes on top of the existing equal split, keep legacy "paid by" expenses working, and document the modes in the Budget Tracking wiki page. * feat(i18n): add Vietnamese translations * chore(i18n): sync Vietnamese with latest dev keys Add the keys dev gained since this PR opened so the new vi locale keeps full parity: the help namespace (wiki help center), settings appearance options, costs split modes, dashboard Unsplash cover search, the insecure-cookie login hint, nav.help and the admin group labels. * feat(helm): Add existingClaim variable for custom PVC usage. * fix(helm): emptyDir is used as a fallback when persistence is disabled. * docs(helm): clean up existingClaim notes Strip stray zero-width characters from the persistence docs, move the PVC note out of the ENCRYPTION_KEY usage block into its own Persistence section in NOTES.txt, and document that persistence.enabled=false falls back to an ephemeral emptyDir. * feat(feeds): subscribable ICS calendar feeds for trips Adds TripIt-style live calendar subscriptions alongside the existing one-time .ics download. A trip (or all of a user's trips) exposes a secret, revocable feed URL that Google/Apple/Outlook poll to stay in sync. - Public read endpoints GET /api/feed/trip/:token.ics and /api/feed/user/:token.ics (no auth — the secret token is the credential), reusing the existing exportICS() generator and adding REFRESH-INTERVAL / X-PUBLISHED-TTL hints. - JWT-guarded token endpoints to generate (lazy, idempotent) and regenerate/revoke per-trip and per-user feed tokens; tokens stored in nullable feed_token columns. - All-trips feed excludes archived trips and trips ended >90 days ago. - UI: ICS toolbar button becomes a Download/Subscribe menu; modal offers one-click "Add to Google Calendar" (render?cid=webcal://) and a webcal:// link for Apple/Outlook, plus copy-link fallbacks. All-trips feed reachable from dashboard. - Feed base URL read from the existing APP_URL env var. Purely additive: new endpoints + two nullable columns, no breaking changes. Tests: server/tests/e2e/feeds.e2e.test.ts covers lazy token generate + idempotency, regenerate-invalidates-old, 401/404 auth+access, public feed content-type + hint injection, unknown-token 404, and the archived/>90-day all-trips exclusion. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * harden calendar feeds: absolute URLs, real disable, folding, schema sync - Resolve feed URLs against the request host when APP_URL is unset, so the webcal:// / Add-to-Google links work on a default install (not just behind a configured reverse proxy). - Give the public link a real off switch: POST enables, PUT rotates, DELETE clears the token (feed_token = NULL). The subscribe dialog no longer mints a token just from being opened — the user opts in explicitly. - Fold ICS content lines at 75 octets (UTF-8 safe) in exportICS, so download and feed both stay RFC 5545-compliant for long/non-ASCII summaries. - Extract VEVENTs by structural line scan instead of a lazy END:VEVENT regex that user text could truncate. - URL-encode the Google Calendar cid; mirror feed_token into schema.ts. - Collapse the duplicated all-trips modal into the shared IcsSubscribeModal. * feat(mcp): add bulk_update_places tool Apply the same field values to many places in one call instead of one update_place per place — e.g. re-categorising 80 POIs at once. Adds the updatePlacesMany service (one transaction, trip-scoped, partial patch built on updatePlace) and the bulk_update_places MCP tool with the usual demo/access/place_edit guards and a place:updated broadcast per place. * feat(dashboard): show the year on trip dates from other years Trip dates only showed month + day, so trips from other years were ambiguous (#1323). Dashboard cards and the boarding-pass hero now include the year, and so does the shared formatDate (planner day headers etc.) — but only when it isn't the current year, so this year's trips stay compact. Order and punctuation follow the locale (EN "Sep 10, 2026", DE "10. Sep 2026"). * feat(places): bulk "change category" from the selection toolbar Closes the UI half of #1168: in the Places selection mode, a new tag button before delete opens a category picker that applies one category (or "No category") to every selected place in a single request. Adds a REST /places/bulk-update endpoint reusing updatePlacesMany, an offline-aware repo + store action that patches both the place pool and the day-assignment projections, undo grouped by each place's prior category, and the i18n keys across all locales. * feat(map): include the day's route in the map fit (#1128) Selecting a day already fits the map to that day's destinations; this also folds the route polyline into the bounds. BoundsController fits the destinations immediately, then re-fits once — when the day's route finishes computing asynchronously — to destinations + the full route, so a route that bulges past its stops (a detour or ferry) stays in view. One-shot per day selection, so later route-profile toggles don't re-zoom. * feat(offline): detect update conflicts on the server for places and packing Update handlers accept an optional X-Base-Updated-At token and reject a stale overwrite with 409, returning the current server row. An absent token keeps the existing last-write-wins behaviour, so older clients are unaffected. packing_items gains an updated_at column (migration + stamped on every insert) so it can take part in conflict detection too. * feat(offline): force-offline mode, selective sync and a conflict queue A force-offline override routes every read to the cache and every write to the queue; preparing for offline downloads trip data, documents and map tiles up front and waits for them to finish. Map tiles and individual trips can be left out of the cache. Queued edits carry the version they were based on so the queue can surface server conflicts for a keep-mine / keep-theirs decision; chained offline edits to one entity no longer conflict with each other, and evicting a trip preserves its unsynced writes. * feat(offline): Settings -> Offline controls and a status banner The Offline tab gains a force-offline switch, a prepare-for-offline download with progress, per-trip and map-tile storage toggles, and a conflict resolver with a default strategy. The floating status pill now reflects forced-offline and unresolved conflicts. * i18n(offline): offline settings strings across all locales * docs(wiki): document force-offline, selective storage and conflicts * feat(video): media_type discriminator + local gallery video upload (server) trek_photos gains a media_type column (migration) so the registry can hold video as well as images. A new POST :id/gallery/video endpoint accepts a video plus a client-captured poster (500 MB cap, video MIME/extension allowlist), stores the poster as the thumbnail, and the photo stream serves the poster for the thumbnail kind and the raw file (HTTP Range) for the original — without running the image thumbnailer on video bytes. * feat(video): play local gallery videos in the journey gallery Picking a video in the journey gallery now captures a poster frame + duration in the browser and uploads the raw clip; the grid shows the poster with a play badge and the lightbox plays it with a native video player (HTTP Range seeking). Images keep their existing HEIC-normalised path. No server-side transcoding. Server media_type work was committed separately. * feat(video): use Plyr for the gallery video player Swaps the bare <video> element for a Plyr-wrapped player so playback controls match a consistent, cleaner skin. The instance is created per source and destroyed on unmount, so the lightbox stops playback when you navigate away. * feat(video): link and stream Immich videos in the journey gallery Immich timeline and album listings no longer filter out videos; each asset now carries its media type, which the provider picker forwards when linking. A linked video streams through Immich's transcoded /video/playback endpoint, and the asset proxy forwards the viewer's Range header (and passes 206/Content-Range back) so the player can seek. Synology video stays excluded until its stream API is verified. Adds media_type/media_types to the provider-photos request contract. * test(photos): assert the forwarded Range arg on the original stream Follow-up to the Range-aware photo proxy. * feat(video): upload and play videos in the trip file manager The file manager (which already attaches files to a place/activity) now accepts video uploads up to the larger video cap — other types stay at the document limit — and the lightbox plays them with the Plyr player over the plain same-origin download URL, so cookie auth and HTTP Range both work. Videos are excluded from the offline blob prefetch so one clip can't evict a trip's documents. * fix(video): harden upload handling and fix video playback edge cases Security: the gallery-video poster is now always stored as .jpg instead of the client-supplied extension, so a poster declared image/* but named x.html / x.js can't be written with that extension and served inline same-origin; local gallery files are also served with X-Content-Type-Options: nosniff. Robustness: rejected/unauthorised uploads no longer orphan their bytes on disk (the gallery-video and file-manager handlers unlink before throwing); the file-manager per-type size cap is keyed on the extension like the filter, so a real video labelled application/octet-stream isn't wrongly rejected. UX: the file-manager thumbnail strip shows a play placeholder for video instead of a broken image; shared (public) journeys now return media_type and play videos with a play badge; and a poster-less video shows a neutral tile instead of a broken thumbnail. * test(video): update gallery accept selector + complete fileService mocks The gallery upload input now accepts image/*,video/* — update the two JourneyDetailPage selectors that matched the old value. The files/journey e2e suites mock fileService and were missing the new MAX_VIDEO_SIZE / isVideoExtension / isVideoMime exports, which broke module load. * test(video): cover the new upload-handler branches Add controller tests for the gallery-video route (success / no-video / not-allowed / cleanup-on-reject), the per-asset media_types loops (gallery + entry, batch + single), and the file-manager per-type cap + unlink-on-rejection — restoring branch coverage on src/nest above the 80% gate. * feat(bookings): add a dedicated URL field to reservations (#935) Bookings get a first-class url column (migration) instead of users pasting links into notes. It's editable in the booking modal and rendered as a clickable link on the reservation card. The reservation request schemas are open passthroughs, so only the entity schema + service SQL enumerate it. * feat(files): render uploaded Markdown files inline (#1345) Markdown (.md/.markdown) is now an allowed upload type and opens in a rendered preview in the file manager instead of just downloading. Reuses the existing react-markdown stack with rehype-sanitize (these are untrusted uploads, so output is sanitized) and detects markdown by extension first since browsers send unreliable MIME for .md. * feat(lists): reorder packing/to-do lists and private packing items (#969, #858) Add drag-to-reorder to the packing and to-do lists, mirroring the budget panel's native HTML5 drag pattern. A drag within a filtered/grouped view is mapped back onto the global order so untouched items keep their place, and the order persists optimistically via the existing reorder endpoints. Packing items can now be marked private (#858): a private item is visible only to its owner. createItem/bulkImport stamp the owner, listItems filters by the viewer, and the WebSocket broadcasts are scoped to the owner so a private item never reaches another member's screen — including the public/private toggle transitions. Owners get a lock toggle and a private indicator on their items. * feat(trips): transfer trip ownership to a member (#973) Add POST /api/trips/:id/transfer so the owner can hand a trip to one of its existing members. The swap runs in a transaction: the new owner takes trips.user_id and the former owner is kept on as a regular member, so nobody loses access. The endpoint is owner-only, writes a trip.transfer_ownership audit entry and broadcasts the refreshed trip. The members modal gains a "Make owner" action, shown only to the current owner. * i18n: translate the booking link field across all locales (#935) Fan out reservations.urlLabel / reservations.urlPlaceholder to the remaining locales so the dedicated booking URL field is localised everywhere. * fix(packing): drop the always-true guard in the row drag handler (#969) The onDragOver guard `drag.isDragging || true` is a constant condition (eslint no-constant-condition). The handler is already gated by canDrag, so run the drag-over logic directly, matching the to-do row. * feat(trips): guest members for accountless participants (#1362, #1291) Add "guest" trip participants — people without a Trek account who can still be assigned to costs, packing, to-dos and day-plan activities. A guest is a credential-less users row (is_guest=1) joined into trip_members, so it is assignable everywhere a real member is, with the cost-splitting, settlement, packing and assignment paths working unchanged. Guests are firewalled from everything account-related: they can never sign in (password, OIDC and reset lookups skip them), never appear in the global user directory, the member-add picker or admin user management, are never resolved as notification recipients, can't be invited to another trip, and can't be made owner. The trip owner manages guests from the share dialog in a dedicated, clearly-labelled section (add / rename / remove), and guests carry a "Guest" badge wherever members are picked. All 22 locales stay in parity. * feat(packing): three-tier sharing — personal, shared-with-people, common pool (#858) Rework the private-packing flag into a full sharing model. Every item is now Common (the group pool — where all existing items live, so nothing breaks), Personal (private to its owner) or Shared with specific people (it shows up on those travelers' own lists, marked "by <bringer>"). is_private discriminates restricted from common; a new packing_item_recipients table holds who a shared item covers, and packing_item_contributors records "I can bring that too" pledges on Common items. The panel gains a Gemeinsam / Meine Liste view switch, each item a sharing control (owner sets the tier + the people it covers), and Common items can be co-brought or cloned onto your personal list. Visibility is enforced server-side in listItems and the WebSocket broadcasts are scoped to exactly who can see an item across every tier transition. All 22 locales stay in parity. * style(packing): small gap between the list and the luggage sidebar divider The luggage sidebar's left border sat flush against the right-hand category card. Add a little left margin so the divider has minimal breathing room. * feat(map): group GL place markers into clusters on zoom-out (#1385) MapLibre/Mapbox showed every place as its own rich HTML marker with no grouping when zoomed out, unlike the Leaflet map. Feed the place points through a clustered GeoJSON source: clustered points render as a dark count bubble (click to zoom in and expand) while the rich HTML photo markers are only drawn for the points the source reports as unclustered. Always on, matching the Leaflet MarkerClusterGroup. * fix(map): match the GL place hover tooltip to the Leaflet map (#1385) The MapLibre/Mapbox hover showed an anchored popup with a large photo thumbnail, completely unlike the Leaflet map's slim, cursor-following name/category/address card. Drop the anchored photo popup for places and render the same cursor-following overlay the Leaflet map uses (no photo, matching fonts/padding/shadow), so the two maps hover identically. * feat(collections): backend for the Overall Places addon (#1081) Adds the Collections addon backend: a server-wide-per-user library of saved places, independent of any trip, with multiple named lists, an idea/want/visited status, and Vacay-style fusion invitations to share a list with other users. - Data: collection / collection_members / collection_places / collection_place_tags tables (+ migration and baseline schema). Saved places carry the owner plus a nullable saved_by so a member deleting their account can't drop shared content. - Service: list + place CRUD with owner-or-accepted-member visibility, dedup, status, save-from-trip and copy-to-trip (reusing the trip copy column list), and the full fusion-invitation state machine mirrored from vacay (send / accept / decline / cancel / leave) with a websocket broadcast and an invite notification. Deleting a list snapshots its members and notifies them. - NestJS module + addon guard (404 before auth), registered in the app module. - Widens the place photo cache reference check to count collection places so the nightly sweep no longer evicts photos a saved place still uses. - collection_invite notification wired across all 22 locales. * feat(collections): /collections page, entry points and i18n (#1081) Adds the client side of the Collections addon: - A distinct /collections page (Atlas pattern, page/hook split) gated behind the addon: a multi-list rail, a Grid (default) / List / Map view switch, the idea/want/visited status with a one-tap badge, search and status filters, and considered empty states. Store + hook + model + websocket wiring; the place detail reuses the trip place inspector via a mode guard. - Entry points: a "Save to Collection" button next to Open-in-Google-Maps in the place inspector (and the two sidebar context menus), a "Copy to trip" modal, and a desktop-only two-column add-place picker (mobile keeps the single-column form). - The collection namespace and the new keys across all 22 locales. * feat(collections): fusion sharing UI + dashboard widget + per-user toggle (#1081) - ShareCollectionModal: the owner manages a list's members and invites users (available-users picker → invite, cancel pending); a member can leave a shared list. The incoming accept/decline surface stays in the lists rail. A Share button is added to the collections header for owners (and members, to reach Leave). - CollectionsWidget: a dashboard glass card after the currency widget showing the saved count and the most recent saved places, double-gated by the admin addon and a new per-user appearance flag. - Appearance: a 'collections' dashboard-widget flag (desktop + mobile defaults) wired into the appearance settings, surviving normalize. - Sharing + settings strings across all 22 locales (parity strict passes). * feat(collections): redesign the page on the dashboard glass language (#1081) Rebuilds the /collections page from the functional placeholder into the dashboard's glass visual language (light + dark): - A colour-washed hero per list: eyebrow + member avatars, big title, and stat chips (All / Idea / Want / Visited) that double as the status filter. - A sticky glass list rail (owned + shared + invites) with a mobile drawer. - Gradient/photo cover place cards modelled on the trip cards, via a new rectangular PlaceCover (photoService-backed, gradient fallback) + a shared gradients util. List and map views restyled to match. - Status pill rendered as a role=button span so it survives the .trek-dash button reset and can nest inside the card; the share member-count badge is now owner-only. - New hero eyebrow strings across all locales. * feat(collections): list+map split, taller rail, list-menu popover fix (#1081) - List view splits into a scrollable list + a sticky map on wide screens; clicking a place pans/highlights it on the map (single selectedPlaceId, no inspector over the map). Narrow screens keep the single-column list. - Keep the list rail at least as tall as the hero (measure the hero via a small useElementSize hook and feed its height as the rail's min-height). - List row kebab menu: portal the menu/colour popover to the body so the rail's overflow + backdrop-filter can't clip it ("renders only in the module"), and fade the place count on hover so the kebab stops overlapping it. * feat(collections): list+map default, map-only toggle, deselect + tooltip fixes (#1081) - Drop the grid/tile view. The list view is now the default and, on wide screens, a list + persistent map split; a top-left control on the map collapses the list to a full-width map (and back), animating smoothly (the map stays mounted and is nudged to re-layout during the transition). The place search moves onto the map (top-right); mobile keeps a list/map toggle. - Let a place be deselected again: clicking it once more, clicking the map background, or picking another all toggle the selection (collections map now wires onMapClick). - Fix the stuck hover tooltip: selecting a place swaps its marker's DOM node so the browser never fires mouseout/mouseleave, orphaning the fixed-position tooltip (it hung on screen and drifted with scroll). Both map stacks now clear the hover on selection change and on scroll. - Remove CollectionGrid + PlaceCover; add hero eyebrow + map control strings. * feat(collections): list details, place detail sheet, add-place, fusion kick (#1081) Dashboard widget (B): the collections tool now shows the user's LISTS as compact colour-washed badges (cover image tinted with the list colour, or a gradient) that jump to the list — one list() call, no N+1. List details (C): lists gain a description, a custom cover image (uploaded to /uploads/covers, tinted with the list colour in the hero) and links. A shared ListEditorModal handles both create and edit; the hero shows the description + link chips. New `links` JSON column on collections + collection_places (migration 151) with parse/serialize in the service; a POST :id/cover upload endpoint mirroring trips; cover-file cleanup path-confined locally. Place detail (D): clicking a place opens a bottom sheet (no backdrop, so the map stays visible) — status cycle, copy-to-trip, remove, and an edit mode with a markdown description + links editor (collectionsApi.updatePlace, now wired via a store action). A "+" next to the search adds a place to the list via the maps search. Fusion + fixes (E): the owner can now remove an accepted member (kick) — new removeMember service/route/store + a button in ShareCollectionModal, with a collections:removed WS bounce. findMembership no longer matches on name alone (coordinate proximity required, killing "Starbucks everywhere" false positives). loadCollection swallows a 403/404 after a leave/remove so the URL sync can't throw uncaught. Grid remnants gone; the map select toggle moved onto the map. New strings across all 22 locales; i18n parity strict passes. * fix(collections): review follow-ups on the B–E work (#1081) - Block the list-cover upload in demo mode (mirror the trips cover endpoint). - Restrict list/place links to http(s) (schema) and normalise scheme-less URLs to https:// on save, so a bare "booking.com" no longer resolves as a relative SPA route (and javascript:/data: hrefs are rejected). - Place detail: surface save errors with a toast instead of silently swallowing a 400 and leaving the sheet stuck in edit mode. - List editor: don't create a duplicate list when a retry follows a cover-upload failure (reuse the created id); revoke the cover preview object URL. - Map controls: one top bar (left toggle/select, right add/search) so they can't overlap on a narrow split map — the search shrinks instead. - Dashboard list badge: full-opacity colour wash so the name stays legible over bright covers. * fix(collections): detail-sheet, edit-refresh, map + rail polish (#1081) - Editing a place (status, description, title, …) no longer reloads the view or closes the detail: the WS echo now refreshes via loadCollection, which keeps the current selection + select-mode instead of setActive resetting them. - Place detail: docks over the list column on the desktop split (measured rect) instead of centred over the map, and the card is now opaque (was too see-through). - Map: click a marker in full-map view to drop back to the split; picking a place scrolls its list row into view; the select toggle is disabled in full-map view; the floating controls are one non-overlapping top bar and less transparent. - Hero: drop the New-list button (it's already in the rail). - Rail: the kebab is always visible (easy to hit); menu is Edit + Delete only (colour moved into the editor); "Rename" → "Edit". - Add-place: pick a result, then set description (markdown) / links / status before saving, all in one step. - Share modal: member roster as cards with clearer role badges + a count. * feat(collections): detail redesign + categories, close-on-map, highlight fix (#1081) - Rebuild the place detail as a clean, opaque, sectioned sheet (cover → meta → status segment → description → links) with a proper footer action bar — the loose "white lower half" is gone. - Assign a place to a central (admin-defined) category, both in the detail edit and when adding a place; categories are fetched once for the page. - Add-place now sets category + description (markdown) + links + status in the same step, closer to the trip's place form. - Switching to the full-map view now closes the (list-docked) detail. - Fix the selected-row highlight: it was clipped by the column's overflow — use an inset ring and only clip during the map-collapse animation; a picked row now scrolls into view above the detail sheet. - New category strings across all 22 locales. * feat(collections): filters, add-place popup, category badges, map-click hardening (#1081) - Map: markers no longer rebuild on every unrelated re-render (memoised the mappable list + only update the hero size when it really changes), the floating controls bar is click-through except its buttons, and the collection map runs with the hover tooltip off. Together these stop a marker click from landing on a mid-rebuild element / the tooltip so the pick actually registers. - Filters moved out of the hero into a compact status + category dropdown row above the places (custom dropdowns); the hero no longer carries the stat chips. - Add-place is a single popup now: search fills the location, and name / status / category / description / links are all editable together before saving. - Category shown as a badge top-left on the detail cover and next to the status in each list row (divided by a hairline). - Slimmer hero: shorter, tighter spacing, links tucked into the eyebrow row instead of their own line. * feat(collections): hero edit/share row, place photos, edit-echo fix, wider page (#1081) - Editing a place (category, status, …) no longer reloads the view: the mutating client's own socket is now excluded from the WS broadcast (x-socket-id threaded through save/update/status/delete + list update/cover), so the optimistic update stands on its own instead of being chased by an echoed refetch. - Detail sheet pulls a higher-res cover photo from the maps provider when the place has no image of its own (the avatar thumbnail was too low-res). - Hero: Share moved onto the title row (no more empty top band) with an Edit button beside it; editing/deleting a list now happens there. The list rail drops its per-row kebab entirely (and with it the janky open animation). - The list editor can delete the collection from its footer (owner only). - Wider, screen-relative page (max-width min(2100px, 95vw)). - List rows: the place avatar no longer shrinks when the address is long. * fix(collections): copy-to-trip labels + Unsplash cover search (#1081) - Copy-to-trip modal showed blank rows: trips are keyed by `title`, not `name`, so nothing rendered. Read `title` and add the trip's date range under it. - List editor gains an Unsplash cover search (same source as trip creation) next to the upload button; picking a photo sets it as the list cover. - Add-place result rows: pin keeps a hard min width so a long address can't squeeze it. * fix(collections): stop the address pin from shrinking on long addresses (#1081) The little map pin in front of a place's address sits in a flex row with the address text but had no flex-shrink guard, so a long address squeezed the icon smaller. Pin the SVG to its size. * fix(collections): white screen when editing a place (undefined in places) (#1081) updatePlace wrote `res.place` into the places list, but the endpoint returns the updated place directly (not wrapped in { place }, unlike savePlace) — so an `undefined` slipped into the list and the category-filter's presentCategories() crashed on `undefined.category_id`, blanking the whole page. The WS echo used to mask it by refetching; excluding the editor's own socket exposed it. - Read the updated place directly and guard against a falsy response. - Fix the api return types to match (updatePlace/setStatus return the place). - Harden filterPlaces / statusCounts / presentCategories / mappablePlaces against a stray undefined entry so a single bad row can never white-screen the page. * feat(collections): select toolbar — select-all, move/duplicate to another list (#1081) - The select toggle now sits at the right of the filter row (same height as the status/category dropdowns) instead of the top toolbar. - Select mode gains a "select all / deselect all" toggle and shows even with nothing selected yet. - Selected places can be moved or duplicated into another of your lists via a target-list picker (move re-points collection_id; duplicate re-saves the place data, carrying description / category / notes / etc.). - New strings across all 22 locales. * style(dashboard): accent follows the user's theme instead of a fixed orange (#1081) The .trek-dash scope (dashboard, collections, vacay, atlas) hardcoded an orange accent, ignoring the appearance theme. Drop the override so --accent inherits the theme tokens (index.css): monochrome black/white by default, coloured per data-scheme / custom accent. --accent-ink/-soft now map onto --accent-on/-subtle, and accent-filled elements use --accent-text for legible text on any scheme. Category colours are set explicitly per element and stay untouched. * fix(collections): saved-places picker height + list filter, all-saved first-load (#1081) - Trip "Saved places" picker: drop the fixed 360px cap so the list fills the panel instead of stopping half-way, and add list + status filter dropdowns (filter by which collection the place is saved in). - "All saved" showed nothing on first open: setActive(ALL_SAVED) unioned the lists from the store, but on first load those aren't fetched yet (loadAll still running). Load them first when empty so the union isn't blank. * test(collections): unit-test the nest controller (branch coverage) (#1081) The collections nest module had no controller test, dragging src/nest/** branch coverage below the 80% gate. Cover the controller's branches: reorder/deleteMany payload validation, owner-gated invite/cancel/remove/available-users, invite + accept error surfacing, the cover demo-mode + no-file guards, and the x-socket-id forwarding on the mutating endpoints. * fix(collections): mobile polish — touch targets, safe-areas, overflow (#1081) From a mobile UX audit of the collections page: - Detail sheet: the read-mode footer no longer clips "Remove from list" (it wraps, drops the growing spacer) and clears the home indicator (safe-area padding, 84dvh instead of 84vh). - Bigger touch targets on phones (≥40px): view toggle, filter dropdowns, select-bar buttons, detail close/actions, drawer rail rows, and the interactive status badge (enlarged tap area via a pseudo-element, look unchanged). - Select action bar breaks its bulk actions onto their own line instead of stranding them behind a growing spacer. - Lists drawer honours device safe-areas and gets an explicit close button. - Page honours the top safe-area and goes full-width on phones (drop the 95vw cap); filter popovers cap their width so long category names don't overflow. - Add-place: Cancel/Add pinned in the modal footer (reachable without scrolling), status pills wrap. - Drop dead hero mobile CSS left over from the hero refactor. * feat(collections): per-member permission roles on shared lists (#1081) The owner now assigns each member a role — viewer (read + copy-to-trip only), editor (default: add + edit places) or admin (full incl. delete). The owner is always full. Existing members default to editor via migration 152, so nothing regresses. - Server: role column on collection_members (migration 152 + schema); roleOf + assertCanEdit (save/update/status/list-meta) + assertCanDelete (delete) layered on assertAccess; sendInvite takes a role; new setMemberRole (owner-only) + POST members/role; members payload carries each role. - Client: Share modal gains a role picker on invite and a per-member role select for the owner (read-only role badge for others); the page hides add / edit / status / move / delete for roles that can't perform them (server still enforces). - Roles in all 22 locales; service + controller tests for the new gating. * feat(collections): bulk-add selected trip places to a list (#1081) Add a "Save to collection" action to the trip place list's selection bar (next to bulk category + delete): it opens a list picker and copies every selected place into the chosen list in one request, instead of one-by-one from each place. - Server: saveFromTripPlaces (one access check + one WS notify), POST places/from-trip-many; dedups by name/coords, skips missing ids, honours force. - Client: saveFromTripMany api + SaveTripPlacesToListModal; the selection-bar button is gated on the collections addon being enabled. - Copy count / skipped-duplicates toast; strings in all 22 locales. - Service + controller tests for the bulk path. * style(collections): custom dropdown for the permission role pickers (#1081) Swap the two native <select> role pickers in the share modal (invite + per-member) for the app's CustomSelect (portal dropdown, size sm) so they match the rest of the UI instead of the browser's native control. * style(collections): widen the share modal (#1081) * test(collections): client component tests + select in All saved, off the map (#1081) - Add client tests for the new collections UI (80 tests): collectionsModel (incl. the undefined-entry guards that fix the white-screen regression), StatusBadge, CollectionFilterBar, CollectionList, CollectionPlaceDetail (permission gating), MoveToListModal. - Offer the select toggle in "All saved" too (server enforces per-place rights). - Drop the now-duplicate select button from the map controls (it lives in the filter row). * docs(wiki): add Collections addon page (#1081) New wiki/Collections.md in the style of the other addon pages (lists, status, categories, adding/bulk-adding places, place detail, filters + bulk actions, fusion sharing with member roles, dashboard widget). Add it to the Addons overview table + the sidebar navigation. * feat(date-picker): add month/year drill-down navigation and keyboard input trigger - Add three-level calendar view (days → months → years) via clickable header label, allowing fast navigation to distant dates without repeated arrow clicks - Replace double-click text input affordance with a visible keyboard icon button; compact/borderless variants show the icon in the calendar footer - Pre-fill text input with locale-aware numeric date (DD.MM.YYYY) when a value is already selected - Add aria-label and aria-pressed to all interactive calendar elements for screen reader support - Update existing tests to reflect new two-button trigger layout - Add FE-COMP-DATEPICKER-018 through 027 covering drill-down view transitions, prev/next behaviour per view, aria-pressed state, and keyboard icon trigger * fix(date-picker): locale-aware keyboard input parsing and i18n control labels - Replace fixed-order date parser with locale-aware implementation using Intl.DateTimeFormat.formatToParts to detect field order; adds swap fallback for unambiguous inputs (day > 12) to handle locale mismatches gracefully - Pre-fill keyboard input with locale-formatted numeric date (e.g. 14.06.2026) instead of raw ISO value - Replace all hardcoded English aria-labels and titles with t() calls; add new keys under common.datepicker.* namespace across all locale files - Update FE-COMP-DATEPICKER-013 to use unambiguous day value (> 12) to avoid locale-dependent test failures * fix(date-picker): add missing locale file and fix let-to-const lint error - Add missing common.datepicker.* keys to overlooked locale file - Change reassigned `let` to `const` where value is not mutated to satisfy lint rules * chore(i18n): backfill datepicker keys for sv + vi locales added on dev * fix: back-merge v3.1.4 hotfixes into dev (#1371) Port the three main-only fixes onto dev's (post-rewrite) architecture: - fix(backups): prevent recursion when the backup path sits inside the backed-up dir - fix(share): convert budget items to the viewer's base currency instead of a flat EUR - fix(files): surface the descriptive server error for unsupported upload types (#1363) Cherry-picked from 819aa793 on main; the SharedTripPage and useTripPlanner conflicts were resolved to keep dev's font-scaling and full import set while taking the fixes' currency conversion and translateApiError wiring. * fix: resolve a batch of reported bugs (planner, budget, atlas, bookings, mobile) - #1394 planner: two transports on one day no longer draw a phantom airport→airport road route between them (a run is only a drive when it holds a real place); mirrored in the map hook and the sidebar's leg list, with a regression test. - #1392 planner: the per-day Route button now points the selection at the tapped day before toggling, so on mobile it computes that day's route instead of the previously selected one, and only the selected day's button reads as active. - #1372 planner: the "open in Google Maps" route now includes the day's hotel bookends, matching the drawn map route. - #1375 planner: a multi-day accommodation no longer thrashes the plan scroll — the auto-scroll lock keys on the selection identity, not the per-day row. - #1377 planner: the reset-orientation compass is now shown on small screens too. - #1382 budget: settlement nets in the trip's canonical currency and converts to the display currency once, so balances no longer drift with live FX and no phantom third-party micro-flows appear (identity, hence unchanged, when they're the same). - #1366 atlas: countries reached only by a transport booking (no lodging/place) now count as visited, on both the dashboard and the Atlas page. - #1383 bookings: a hotel linked to an accommodation shows only its day-range, not a duplicate stamped date row, and the range stays correct after an edit. - #1353 bookings: any non-hotel reservation can now link an existing trip place/activity. - #1390 i18n: fix the Polish word for "buddies" (Towarzysze → Współpodróżnicy). - #1265 planner: drag-and-drop of places now works on touch devices via a polyfill. * feat(planner): add an "Open in OpenStreetMap" button to the place inspector Next to the existing "Open in Google Maps" action, add an OpenStreetMap button that opens the place on openstreetmap.org (a marker at its coordinates, or a name search when it has none) — the same map source TREK already renders, and a jumping-off point for OSM-based apps like OrganicMaps / CoMaps. Requested in discussion #880. Strings across all 22 locales; a unit test for the URL builder. * feat(planner): shorten the map-open button labels to "Google Maps" / "OpenStreetMap" * feat(planner): show a day's route distances inline on mobile Seeing the driving/walking distances between a day's places on mobile meant tapping the day (which closes the plan sheet), reopening it, then tapping Route. Now the per-day Route button in the mobile footer toggles that day's leg distances in place, so the sheet stays open and you get the distances between places without selecting the day first. The leg computation runs for every route-toggled day instead of only the selected one, and the leg/hotel-bookend maps are nested per day so several toggled days can't overwrite each other's segments. Desktop is unchanged. Discussion #1374 * feat(oidc): use the picture claim as avatar when none is uploaded When a user signs in via OIDC and hasn't uploaded a custom avatar, their `picture` claim is now used as their avatar. The users.avatar column holds either an uploaded file name or an absolute https URL from the claim, and a single resolver on each side (server avatarUrl, client avatarSrc) renders both. An uploaded avatar always wins and is never overwritten; the picture refreshes on each login otherwise. Only https URLs are stored, matching the image CSP. All the scattered /uploads/avatars/ builders now go through the resolvers, which also fixes collection member avatars that were rendering a bare file name. Discussion #1399 * feat(trips): trip invite links + optional trip binding on admin invites Trip invite links (#1143): each trip can have one rotating invite link in its Share panel. An existing, logged-in user who opens /join/<token> is added to the trip as a member; an anonymous visitor is sent to the login page and returned to the invite afterwards — there is no registration from this link. Reading, rotating or disabling the link all require the share_manage permission. Admin invite trip binding (#1402): the admin create-invite dialog can now bind a registration invite to a trip. Someone who registers via that link is auto-added to the trip as a member (password and OIDC paths), inside the same atomic step that consumes the invite. Adds a trip_invite_tokens table and a nullable invite_tokens.trip_id, a shared owner-safe/idempotent add-by-id helper, the manage + join endpoints, the JoinTripPage and Share-panel section, the admin trip picker, and the new i18n keys across every locale. Wiki updated. Discussion #1143 * fix(join): extract JoinTripPage state into a useJoinTrip hook The page container held useState/useEffect directly, tripping the CI page-pattern check. Move the token preview + accept logic into a co-located useJoinTrip() hook; the page is now a thin presentational shell. * feat(costs): filter expenses by category and by a single day Adds two filter dropdowns next to the Search Expenses field (height-matched to it): one filters by expense category, the other narrows to a single day. Selecting a day shows a prominent summary banner with that day's total, and hides the now-redundant per-day header. Both filters work on the desktop and mobile layouts and compose with the existing search + all/mine/owed filters. New i18n keys (costs.filter.allCategories / allDays, costs.expensesCount) across every locale. * fix(admin): use TREK's CustomSelect for the invite trip picker The "add to trip" dropdown in the admin create-invite dialog was a native <select>; swap it for the shared CustomSelect so it matches the rest of the UI (searchable once there are many trips). * feat(planner): public transit routing via Transitous (#1065) Each day header gets a transit button (replacing the rename pencil, which moved next to the day name in the day detail panel). It opens a route search backed by Transitous/MOTIS — free, open data, no paid provider: from/to stop search with the day's own places as quick picks, depart/arrive time, mode filters (train, subway, tram, bus, ferry, cable car) and ranking by best route, fewer transfers or less walking. Results show local times, duration, transfers, walking time and line badges in their official colors, with a stop-by-stop breakdown per connection. Adding a connection saves it as a regular transport reservation — typed by its dominant leg, timed from the itinerary's wall-clock departure/arrival converted to station-local time (tz-lookup), with the origin, transfer stops and destination as endpoints and the compact legs in metadata.transit. It slots into the day timeline by time and inherits editing, deletion and drag-reordering from the existing transport machinery; the transport detail view renders the full itinerary. Re-saving a transit transport through the edit modal preserves the stored itinerary while the route is unchanged. The server proxies the Transitous API (JWT-guarded, rate-limited, identifying User-Agent, short response cache, strict mode whitelist); TRANSIT_API_URL lets self-hosters use their own MOTIS instance. New i18n keys in every locale, wiki page updated. Discussion #1065 * fix(build): declare tz-lookup as a client dependency It was present in the lockfile but undeclared, so the local install had it while the Docker client build (npm ci --workspace=client) did not. * test(maps): add buildUserAgent to the mapsService mock transitService imports it at module load, and the full-app integration boot now pulls the transit module in — the factory mock lacked the export. * feat(planner): make transit journeys first-class entries (#1065) A saved transit route is now its own reservation type instead of piggybacking on train/bus: it gets a tram icon and its own color everywhere, and the day timeline renders the itinerary inline — line badges in their official colors with walk segments, plus the transfer count and walking time — instead of a generic transport row. Clicking the row opens the itinerary view (journey summary, stop-by-stop legs with times, platforms, headsigns and operators) rather than the edit form; editing stays reachable from an Edit action inside that view. The transit type is registered across the timeline merge, transport modal, reservations panel, file manager, map overlays and detail panels, with a translated type label in every locale. * feat(planner): integrate transit into the transport system as Automated mode The add-transport dialog gains a Manual/Automated switch: Automated embeds the public-transit search (day picker + from/to + modes + preferences + results) right in the dialog, and the day header's tram button opens it directly in that mode. The standalone search modal is gone. Saved journeys get their own roomy journey view — the stop-by-stop itinerary (times, platforms, lines, headsigns, operators) together with the editable booking fields, delete, and a "Change route" action that re-runs the search pre-seeded with the journey's origin/destination and replaces the itinerary on save. The generic transport form no longer opens for transit entries, from the timeline or from the Transports tab, where journeys now sit in their own "Automated public transit" section with their line badges on the card. New i18n keys in every locale; wiki updated. * feat(planner): polish the transit journey UI and fix its tab placement Transit entries were classified as bookings by the planner's transport-type list and landed in the Bookings tab — they now sit in the Transports tab's own section, rendered as proper journey cards (tram icon, arrow title, leg chips, journey stats) instead of the generic booking card. The journey modal got a redesign: the title renames inline in the header with an icon arrow, the stats become three full-width tiles (duration / transfers / walking, each with an icon), status and booking-code fields are gone, and notes take the full width with a markdown write/preview toggle. The Automated search mode gains a proper header (icon, hint, day picker) and the day-plan row now shows walks with their minutes inside the chip sequence (🚶 3 › U2 › 🚶 3) instead of a detached direct/walk summary. "A → B" titles render with an arrow icon everywhere. The Transports tab's add button is simply "Transport" now that the dialog covers both modes. * test(nav): the bottom-nav add button is labelled Transport now * feat(planner): markdown toolbar for journey notes + calmer transit search form The journey notes gain a proper markdown toolbar (bold, italic, strike, heading, list, checklist, link, code) that wraps the selection or prefixes the current lines. The transit search options settle into one calm card: depart/arrive + time + date and the ranking preference share the top row, the mode filters and the search button share the bottom row, with the mode chips restyled from heavy filled pills to quiet toggles. The day-plan row drops the transfer count — the leg chips already tell the story. * feat(planner): badge meta rows + inline itinerary expansion for transit Dot-joined meta text becomes quiet badge chips everywhere transit facts are listed: the journey modal's per-leg line (time, duration, stops, headsign with an arrow icon, operator de-emphasised), the search results' leg details, and the Transports-tab journey card (day, date, time span, duration — the transfer count is gone from the card). The day-plan transit row swaps the map-connections toggle for an expander: the chevron folds the stop-by-stop itinerary out right inside the timeline — times, line badges, stations with platform and stop counts — sized for the sidebar. * feat(planner): walk legs as centred dividers + journey-card note line Walk segments in the journey modal and the day-plan inline itinerary collapse from two lines into a single centred divider — dashed rules left and right, the walk in the middle (foot icon, destination, minutes). Leg meta badges sit tighter under their titles. The Transports-tab journey card shows a dimmed first-line note preview, and the journey modal now reads the reservation from the live store, so an update is visible the moment the entry reopens. * feat(map): draw transit journeys along their real rail and bus alignments MOTIS leg geometry (encoded polylines) now travels through the proxy and is stored per leg, so both map renderers draw the journey along the actual tracks instead of a straight line: colored cores in each line's GTFS color over a white casing, walks as dotted grey connectors. Transit journeys are always visible on the map — they are part of the plan itself, not an opt-in overlay — and the day route already anchors to their stations, so the journey slots into the route computation end to end. Entries saved before this keep the straight-line fallback. Also: stronger dashes on the walk dividers, notes open rendered (preview tab) when present, and MOTIS's START/END placeholders are replaced with the places the user actually picked. * fix(planner): elegant walk-divider hairlines + proven notes preview The walk dividers switch from dashed borders to 1px hairlines that fade towards the outer edges — strongest next to the walk text. A regression test pins the journey modal opening existing notes on the rendered markdown preview rather than the raw text. * fix(map): transit polish — earlier label collapse, route-toggle coupling, md note preview Station badges on transit journeys collapse to icon dots much earlier when zooming out (label threshold 900px instead of 400). The drawn transit paths now ride the day-route toggle: turning the route off hides them too, since they are part of the computed route. The journey card's note preview renders its first line as inline markdown instead of raw asterisks. * fix(settings): booking route labels default to off The map endpoint labels only render when the user explicitly enables them; an unset preference now means hidden, matching the calmer default the transit paths brought to the map. * style(settings): TREK-styled text-size sliders The appearance tab's native range inputs become proper TREK sliders: a thin pill track filled up to the current value in the accent color, with a soft round thumb that scales slightly on hover/drag. * fix(planner): mobile layouts for the transit popups The journey modal and the transit search now lay out properly on phones: from/to stack vertically with the swap rotated between them, the ranking segment and search button go full width, the day picker in the automated header spans the row, the three stat tiles compress to centred mini tiles, the itinerary tightens its gutters, and the footer wraps with an icon-only delete. Desktop is unchanged. * fix(planner): tighter mobile transit search + vertical journey itinerary * fix(planner): wrap-safe mobile itinerary text — platform below the stop, minutes-first walks * feat(plugins): plugin system scaffold — registry tables + admin panel First slice of the plugin system. Lays down the data model and a read-only admin surface; nothing executes yet. - Migration 155: plugins, plugin_meta_migrations, plugin_error_log and plugin_settings_fields tables. Plugin data will live in a per-plugin sqlite file under /plugins-data, never in these tables. - New Nest module server/src/nest/plugins with GET /api/admin/plugins (admin-gated, returns the installed list + the runtime-enabled flag). - TREK_PLUGINS_ENABLED kill switch (config.pluginsEnabled), off by default. - Admin → Plugins tab with a read-only panel: installed list, status badges, and a clear banner when the runtime is disabled by server config. - i18n keys for the tab and panel across all locales. Install, activation, the isolated runtime and the registry browser follow in later slices. * feat(plugins): isolated per-plugin runtime + capability RPC (M1) Every plugin now runs in its own forked child process with a scrubbed env (no JWT_SECRET, no db path, nothing inherited). It talks to TREK only over a JSON-RPC channel, and the host's capability router registers ONLY the methods a plugin's granted permissions unlock — so an ungranted call is unreachable, not merely refused. The plugin's own data lives in a separate sqlite file it can never open directly; core reads (trips/users) go through membership-checked, column-projected host methods; ws broadcasts are force-namespaced. - protocol/envelope: the wire types + method→permission map (pure, shared by host and the isolated child) - host/rpc-host: the capability router = the enforcement point (dispatch, BAD_PARAMS / PERMISSION_DENIED / RESOURCE_FORBIDDEN / UNKNOWN_METHOD) - host/plugin-data: the per-plugin sqlite file (db:own), guarded against ATTACH/PRAGMA escape, idempotent migrations - host/create-rpc-host: wires the router to the real db/websocket (host-only) - runtime/plugin-sdk + plugin-host-entry: the child bootstrap + definePlugin ctx; turns each ctx call into an RPC, never imports a privileged module - supervisor: spawn on activate, heartbeat/reap, crash backoff + auto-disable, graceful shutdown — a plugin crash/OOM/hang can never reach the Nest loop - paths: code/data layout, dist-vs-tsx child entry resolution Nothing is wired into activation yet (that's the next slice); exercised by unit tests for the router/sdk/data and an integration test that forks a real child. * feat(plugins): activation, HTTP route proxy + instance settings (M2) Wires the isolated runtime into TREK. Admins can now activate a plugin from the panel and its HTTP routes work end to end, still behind the kill switch. - PluginRuntimeService owns the supervisor: activate spawns the child with its granted permissions + decrypted instance config, deactivate kills it, status and errors are persisted to the plugins / plugin_error_log tables, and active plugins are booted on startup (OnModuleInit). - Bidirectional RPC: the child now handles host→child invokes (routes/jobs) and reports its declared routes on load; the supervisor gained invoke()/routesOf(). - /api/plugins/:id/* proxy controller — a single static route that matches the plugin's declared routes, enforces per-route auth (auth:false routes are public for OAuth callbacks/webhooks), forwards only a whitelisted request view (never the session cookie), and strips unsafe response headers. - Admin endpoints: POST :id/activate, POST :id/deactivate, GET/PUT :id/config — instance settings with secret fields encrypted (apiKeyCrypto) and masked. - Kill switch moved to its own module so it never collides with test config mocks. Photo/calendar hook consumers are deferred to a later slice. * feat(plugins): sandboxed page/widget frames + trekBridge (M3) Plugins can now render UI. Page plugins appear as a nav entry and open a full-page sandboxed iframe; the frame talks to TREK only over the postMessage bridge. - Server serves plugin client assets at /plugin-frame/:id/* with a strict path guard and a locked-down, per-plugin CSP (default-src none; connect-src limited to declared outbound hosts; sandbox WITHOUT allow-same-origin -> opaque origin, so the frame can't read the session cookie or the parent DOM). Global CSP frameSrc relaxed from 'none' to 'self' for exactly these frames. - GET /api/plugins feed lists active plugins for the client. - Client: pluginStore + PluginFrame (the trekBridge host) authenticates every inbound message by SENDER WINDOW IDENTITY (event.source), not by a claimed id or origin; pushes context (theme/locale/tripId/userId), validates navigation, renders notifications as text, resizes widgets, and proxies trek:invoke to the plugin's own routes host-side (session cookie stays with the host). - Page route /plugins/:id + Navbar nav injection for page plugins. Dashboard widget slot and the trek:request core-data bridge are deferred to a later slice. * feat(plugins): secure installer — manifest, discovery, safe extract/fetch/scan (M4) Plugins placed on the /plugins volume are now discovered, validated and registered as inactive, ready to activate. - manifest.ts: strict trek-plugin.json validation (id/version/type, known permissions only, egress required with http:outbound, native modules rejected). - discovery.ts: scans the volume on startup + on demand (POST /api/admin/plugins/ rescan), upserts rows INACTIVE, refreshes settings-field descriptors, and never downgrades or wipes an already-installed plugin's status / grants / config. Invalid or native-carrying plugins are skipped and logged. - Activation now grants the DECLARED permissions (the consent gate) and persists them before spawning. - install/ utilities for the registry installer (M5), each independently tested: - safe-fetch: host allowlist (GitHub only) + private-IP refusal + manual redirect following + size cap + sha256 (constant-time compare). - safe-extract: zip/tar-slip-safe extraction with its own minimal tar.gz + zip readers; rejects traversal, absolute paths, symlinks, oversized/too-many entries, and unsupported formats. - native-scan: refuses .node / binding.gyp / prebuilds, never follows symlinks. * feat(plugins): TREK-side registry — browse + one-click install (M5) Connects TREK to the static GitHub registry (mauriceboe/TREK-Plugins). The registry repo + CI gates were already live; this is the server side. - registry.service: fetches the single aggregated dist/index.json (never per-plugin GitHub API calls — the HACS rate-limit lesson), caches it 30 min, soft-fails to a stale/empty registry, and installs a pinned version through the M4 pipeline: safe download -> sha256 verify -> slip-safe extract -> manifest re-validate -> native re-scan -> atomic move -> discover (inactive), recording repo/commit/sha provenance. Handles the codeload {repo}-{sha}/ wrapper directory. - Admin endpoints: GET /api/admin/plugins/registry (browse metadata) and POST /api/admin/plugins/install { id, version }. Install never executes code; activation stays a separate, deliberate step. * feat(plugins): trek-plugin-sdk package — types, mock host, scaffolder, validator (M6) The author-facing SDK, a standalone dependency-free package (not wired into the app workspaces, so it can't affect the app build). - definePlugin + the full plugin type surface (PluginContext, PluginRoute, PluginJob, PhotoProvider, CalendarSource) mirroring what the isolated runtime injects; PLUGIN_API_VERSION. - createMockHost (trek-plugin-sdk/testing): a PluginContext that enforces the SAME permission model + membership checks, so authors can unit-test that their plugin degrades gracefully — no running TREK needed. - validateManifest: the exact rules the registry CI runs, so a local pass predicts a CI pass. - CLIs: create-trek-plugin (scaffolds a working plugin + README + starter iframe) and trek-plugin validate (manifest + README sanity). Consolidating the server loader to import this shared validator is a follow-up. * docs(plugins): plugin wiki + reference plugin (M7) - Wiki pages (sync to the GitHub wiki on push to main): Plugins overview + trust model, Plugin Development (SDK, definePlugin, ctx, routes/jobs, the client bridge, testing with the mock host), Plugin Permissions reference, and Publishing (registry PR + CI gates + provenance). Linked from the sidebar. - Reference plugin plugin-sdk/examples/trip-countdown: a complete, minimal- permission widget (reads trip data through ctx, renders in the sandboxed iframe via the bridge, filled-in README). Validated in the SDK test suite so it passes the exact gate authors face. * feat(plugins): lifecycle polish — uninstall, error log, egress guard, widget slot (M8) - Uninstall with data disposition: POST /api/admin/plugins/:id/uninstall kills the plugin, removes its code + DB metadata, and (deleteData) drops its data dir, error log and per-user settings. - Error log: GET/DELETE /api/admin/plugins/:id/errors — the plugin's own crash / request-failure log, surfaced in the admin panel. - Egress guard: the isolated child wraps global fetch and refuses any outbound host not in the plugin's declared egress[]; with none declared, all outbound is blocked. Process-level defense in depth (the container runtime enforces it at the network layer in v2). - Admin → Plugins is now actionable: activate / deactivate / uninstall, a registry browser (install), and per-plugin error log. i18n across all locales. - Dashboard widget slot: active widget plugins render as sandboxed cards. The trek:request core-data bridge + photo/calendar hook consumers remain follow-ups. * docs(plugins): clarify the fork-and-PR publishing flow * fix(plugins): allow GitHub's rotating release-asset host in the installer GitHub 302-redirects release-asset downloads to a rotating *.githubusercontent.com host (objects / github-releases / release-assets). The SSRF allowlist only had objects.githubusercontent.com, so installs failed with 'host not allowlisted'. Allow the whole *.githubusercontent.com suffix (plus github.com/codeload); the private-IP check remains the SSRF backstop. * fix(plugins): allow inline scripts in the sandboxed frame + fix server lint error - Plugin frame CSP: the frame runs at an opaque origin (sandbox without allow-same-origin), so script-src 'self' matches nothing and the widget's own script never runs (stuck on 'Loading…'). Allow 'unsafe-inline' — the sandbox, not this directive, is the isolation boundary, and the plugin author controls the frame code either way. - Fix a no-constant-binary-expression eslint error in registry.test.ts that was failing the server lint:check (eslint .) in CI. * fix(plugins): exclude /plugin-frame/ from the service-worker navigate fallback The PWA service worker's navigateFallback served the SPA shell for any navigation not on its denylist. /plugin-frame/ wasn't listed, so the SW intercepted the sandboxed opaque-origin plugin iframe navigation, which Chrome reports as 'Unsafe attempt to load URL … from frame with URL …'. Denylist it so plugin frames are served straight from the network. * feat(plugins): pass the dashboard's spotlight trip id to widget plugins Widget plugins now receive the current (spotlight) trip id in their bridge context, so a widget like Trip Countdown can show a real countdown instead of the empty state. * fix(plugins): trips.getById returns the actual trip row, not the access check canAccessTrip only returns { id, user_id } (it's a membership check), but the rpc-host's trips.getById returned it verbatim — so plugins saw a trip with no title/start_date/etc. Fetch the real row after the access check. Also fix the reference plugin to read t.title (the trips column is 'title', not 'name'). * feat(plugins): persist enable-intent across restarts + redesign admin page The deactivation-on-deploy bug: `status` conflated the admin's ON/OFF intent with runtime health, so a boot crash flipped status to 'error' and the plugin never rebooted after the next deploy. Migration 156 adds an `enabled` flag (admin intent) separate from `status` (runtime health); boot now retries every enabled plugin regardless of last status, and a crash no longer erases the intent. Admin → Plugins redesign: - ON/OFF is a ToggleSwitch bound to `enabled`; runtime health shows separately as a coloured status dot, with the last error inline when it crashed. - "Update → vX" badge when the registry has a newer version (one click updates and reactivates). - Reviewed/unreviewed trust badges, cleaner cards, nicer empty state, registry browser marks already-installed plugins. i18n across all locales. * fix(plugins): backfill enabled for any plugin not explicitly deactivated status at migration time can be error/stopped/starting after a crash or shutdown, not just 'active' — so backfill enabled=1 for everything except 'inactive' (the only status deactivate() sets). * feat(plugins): hero widget slot + Koffi reference plugin Widget plugins can now declare capabilities.widget.slot 'hero' to render as a transparent, click-through overlay sitting on the boarding-pass bar's top edge (migration 157 persists capabilities; manifest validation server+SDK, feed exposes the slot, dashboard mounts hero frames above the pass). Sidebar stays the default slot. Replaces the trip-countdown example with Koffi, the TREK mascot: an animated suitcase with a 14-state behavior engine driven by real trip data — walking, waving, napping, trolley rolls, passport-stamp stickers, a split-flap luggage- tag countdown under 7 days, and sunglasses while the trip runs. Validated by the SDK suite like any author plugin; published as mauriceboe/trek-plugin-koffi in the registry. Migrations 156/157 follow the idempotent ALTER pattern (the reconciliation test re-runs everything from v135, so duplicate-column must stay non-fatal). * feat(plugins): richer admin panel + registry detail view Admin list: flush-left header like Addons, type/reviewed badges, runtime health as a dot on the icon tile (text badge only for problem states), description + source-repo link on installed cards, manifest icon. Browse: cards show the plugin screenshot (docs/screenshot.png at the pinned commit) and open a detail dialog fed by GET /api/admin/plugins/registry/:id — live-manifest permissions in plain language, egress hosts, setup preview, repo/homepage links. Manifest fetched server-side through safeDownload at the reviewed commit, cached per plugin for 30 min and only when a detail opens. Also fixes the update flow (restart the running child around the install, keep the admin's enabled intent instead of force-activating disabled plugins), guards the icon lookup against Object.prototype names, reserves ids that would shadow static admin routes, stops negative-caching failed manifest fetches, and makes the version compare prerelease-safe. * i18n: localize the plugins admin section across all locales The admin.plugins block was still English filler in most locales; translate it everywhere and add the new detail-view keys in all 22 languages. * feat(plugins): denser browse grid + prominent install-risk disclaimer Four cards per row on desktop with tighter card padding, and a full-width warning banner above the browse grid: installs are at the admin's own risk, a prior quick review does not rule out harmful content, inspect a plugin yourself when in doubt — TREK accepts no responsibility. All 22 locales. * feat(plugins): sandbox hardening — OS permission model, egress choke point, bound acting user, author signatures Closes the four gaps the security review surfaced: - OS permission model on the prod plugin child (Node --permission with fs-read scoped to the compiled server dir + the plugin's own code dir, no fs-write/child_process/worker/native). A plugin can no longer read trek.db or the .jwt_secret/.encryption_key files, nor shell out — the direct-fs and RCE escapes that bypassed the RPC layer. Opt-out via TREK_PLUGIN_PERMISSIONS=off. - Egress guard extended from fetch to the net.Socket connect choke point, so node:http/https/net/tls obey the declared-egress allowlist too (no declared egress = no outbound). Under the permission model there is no clean escape to an unwrapped runtime. Kernel/network-namespace containment remains the container step. - Trip reads are membership-checked against the acting user the HOST binds from the authenticated invocation, not an asUserId the plugin supplies; a job/onLoad (no user) can't read user-scoped trips. - Optional minisign (Ed25519) author signatures verified offline, TOFU-pinned (migration 158). Unsigned plugins install on sha256 alone; a signed plugin can't silently drop its signature or swap its author key. Server suite green (permission-model activation verified against the Koffi reference plugin on dev1). * fix(plugins): make the permission-model child load from the real plugin path The prod data dir is a symlink (server/data -> volume), so resolving the plugin under it tripped the permission model, and Node's module-type lookup walked up into the (denied) data dir. Fork the child from the plugin's realpath and drop a {"type":"commonjs"} package.json at its root so resolution stops there — trek.db and the secret files stay unreadable, verified against Koffi. * test(plugins): cover pluginRealCodeDir fallback + ensurePluginModuleType * feat(plugins): zero-config L1 hardening — SSRF egress, RSS reaper, capability audit, no popups Security that ships from the install itself, no self-hoster setup: - Egress SSRF/rebinding backstop: the net.Socket connect guard now RESOLVES the destination and refuses private/loopback/link-local/metadata/CGNAT/ULA addresses, pinning the resolved IP (a declared host that re-resolves to an internal address is blocked). Pure policy in egress-policy.ts + tests. TREK_PLUGIN_ALLOW_PRIVATE_EGRESS=on opts back into internal targets. - RSS memory reaper: the supervisor now kills a child that blows a real RSS ceiling (TREK_PLUGIN_MAX_RSS_MB, default 300) — --max-old-space-size only bounds the V8 heap, so Buffers could OOM the box under it. - Hash-chained capability audit log (migration 159): every core-data / broadcast call is recorded at the RPC boundary with the host-bound acting user and a per-plugin hash chain, so wide grants stay attributable + tamper-evident. Admin endpoint GET /api/admin/plugins/:id/audit. - Drop allow-popups from the plugin frame (sandbox + CSP): window.open ignores connect-src, so it was an egress/phishing bypass. Server suite 207 green, client + migration reconciliation green. * fix(plugins): close the UDP + DNS egress hole in the network guard The egress guard only wrapped fetch and net.Socket.connect, so TCP and HTTP were contained but two channels stayed wide open: a plugin could send data out over UDP (node:dgram) or tunnel it inside DNS queries (dns.resolveTxt & friends) to any host it never declared. Neither goes through net.Socket.connect, so the allowlist never saw them. Wrap both now against the same declared-host allowlist: - dgram send/connect: the explicit destination is allowlisted and private-IP-checked like a TCP connect (a null address keeps the connected/localhost default, which the connect wrapper already vetted). - the dns resolver family (module fns, dns.promises, Resolver.prototype): a forward lookup for an undeclared name is refused, which kills DNS tunnelling even when no socket is ever opened. A plugin with no declared egress now really has no way out. * feat(plugins): re-consent gate when an update wants new permissions Updating a plugin used to just reinstall and reactivate, which silently granted whatever the new version declared — so a plugin could quietly widen its own rights on the next release. Route updates through a new server-side update() that diffs the new version's declared permissions against what the admin already granted: - nothing new -> the plugin is restarted transparently on the new code. - new permissions or a new outbound host -> the new code is installed but the plugin is left OFF, and the delta is handed back so the admin has to approve it before it turns on. Install runs first, so a failed download/signature check leaves the running plugin untouched. The client shows the delta in a consent dialog and only then activates. An update can never widen a plugin behind your back. * feat(plugins): honest security info in the admin panel + update consent UI Reworks how the plugins panel talks about safety, since the old copy oversold it. Drops the "install at your own risk" banner and the generic trust note, and replaces them with: - a collapsible security section that lays out plainly how a plugin is contained, what the permissions actually mean (a hard limit on what a plugin CAN do, not a promise of what it does), where the limits are, and what a hostile plugin could do at worst. - a short note on what "Reviewed" means: a maintainer scanned it for malware each version, not for quality — not a guarantee it's harmless. - the consent dialog for the update flow: when an update asks for rights you never granted, it lists the new permissions and outbound hosts and makes you approve before the plugin turns back on. Full copy in all 22 locales. * feat(plugins): redesign the admin plugins page — search, filters, cleaner cards The panel was cramped and hard to scan. Rebuilt it as a proper management surface: - A segmented Installed/Discover switch with counts, and a real toolbar: search, filter by type, filter by status (active/off/update/error), and sort (name/recent/updates first). - An "N updates available · Update all" bar. - Installed rows are tidied up: a single health dot on the icon tile instead of a wall of badges, and capability chips underneath that show what each plugin can actually reach at a glance (reads your trips, dashboard widget, the hosts it talks to) — the reach is now visible without opening anything. Update, toggle and a ⋯ menu (restart, errors, source, uninstall) sit on the right. - The registry browser is now an App-Store-style card grid: screenshot with the plugin's icon chip, a reviewed badge, consistent heights. - The detail dialog gained "What it can access", "Connects to" and a details grid (version, size, requires, reviewed). To feed the capability chips, the installed list now returns each plugin's declared permissions and capabilities. New copy is in all 22 locales. * feat(plugins): make the plugins admin page work on small screens The redesign was built desktop-first. On a phone the toolbar wrapped into a mess and the rows were too cramped. Reworked the responsive behaviour: - The toolbar stacks on mobile — tabs + rescan on top, full-width search, then a right-aligned filter row — and collapses back into one row on sm+ (via display:contents), so the desktop layout is unchanged. Filter buttons drop their label on mobile and lead with an icon; their menus are capped to the viewport width so they never push the page sideways. - Installed rows use tighter spacing on mobile and the update button shrinks to just its icon (full label from sm up). - Horizontal padding, the discover grid and the detail dialog all get mobile-friendly spacing. * fix(plugins): make the detail dialog screenshot fill the full width aspect-[16/9] together with max-h-64 made the browser shrink the image width to keep the ratio once the height was capped, leaving a grey strip on the right. Drop the max-height so the header image spans the dialog. * feat(plugin-sdk): one-command publishing — pack, entry, release Publishing a plugin meant hand-building the zip, running shasum + stat, resolving the tag's commit, and hand-writing the whole registry entry. The SDK does all of it now: - `trek-plugin pack` builds plugin.zip in the exact layout the installer reads (own tiny zip writer, so the SDK stays dependency-free and the format can't drift from the reader), enforces the same native-binary and size rules, and prints the sha256 + size. docs/ is left out — the store fetches the screenshot from the repo, so it doesn't belong in the install artifact (Koffi's went from 943 KB to 15 KB). - `trek-plugin entry` emits the ready-to-PR registry entry from the manifest + the packed zip + the git tag: commitSha (deref'd), downloadUrl, sha256, size, and minTrekVersion derived from the manifest's trek range. `--merge` prepends a new version onto an existing entry for updates. - `trek-plugin release` chains pack → gh release → entry. Also: the scaffold now points the README at docs/screenshot.png (the path the store actually fetches, was screenshot-1.png) with a size hint, and stops hard-coding an MIT license — a plugin is the author's own code under their own license. Round-tripped against the real server extractor; 18 tests. * docs(plugins): rewrite the plugin wiki against the current code + tooling The plugin wiki had drifted from the app and the SDK. Rewrote all four pages, verifying every command, permission, field, path and UI behaviour against source: - Plugins: activation is a toggle (no separate consent screen); install is the Discover tab (no "Browse plugins" button); you review permissions in the detail modal before installing; documents update + re-consent, the ⋯ menu, toolbar filters, capability chips and the health dot. - Plugin-Development: full manifest reference; ws:broadcast:trip/:user (there is no ws:broadcast:*); onLoad + onUnload; the trek:error bridge message and full context payload; trips.* only work in a route handler; asUserId is accepted-but-ignored; integration hooks are declared but not yet wired. - Plugin-Permissions: db:own also covers db.migrate; a host must appear as both an http:outbound:<host> permission and an egress[] entry or it's silently blocked; bare vs per-host outbound. - Plugin-Publishing: the new one-command flow (validate → pack → release → entry), size is a required entry field, signing reconciled with the schema, no reserved namespaces, and the --merge update path. * chore(plugin-sdk): make it npm-publishable so `npx` resolves for authors The docs told authors to run `npx create-trek-plugin` / `npx trek-plugin`, but nothing published under those names, so npx couldn't resolve them. - Ship one package, `trek-plugin-sdk`, with a bin that matches the package name (`trek-plugin-sdk`) so `npx trek-plugin-sdk <command>` resolves with zero install. The dispatcher gained a `create` subcommand, so every step (create/validate/pack/entry/release) runs through that one entry point. The short `trek-plugin` / `create-trek-plugin` bins still work once installed. - Package hardening for publish: repository+directory (monorepo subdir), homepage/bugs/author/engines, publishConfig public, a prepublishOnly that builds + tests, and a LICENSE file. - A publish workflow: pushing a `plugin-sdk-v*` tag builds and publishes with the NPM_TOKEN repo secret. - Docs (SDK README + the four wiki pages) now use `npx trek-plugin-sdk <cmd>`, the invocation that actually resolves. * feat(plugin-sdk): dev server, preflight, auto-PR submit, signing, wizard Round out the author experience so the loop is create -> dev -> release/submit without hand-work or a round-trip through registry review. - `dev`: run a plugin locally with a real request loop and hot reload — no full TREK. Injects a ctx that enforces the manifest's granted permissions (an ungranted call throws, so you catch a missing grant), backs db:own with a real SQLite file (node:sqlite), serves routes under /api and page/widget UI at /ui, and reloads on save. Dependency-free (node:http + built-ins). - `preflight`: run the registry CI checks locally over the network (tag->commit, manifest parity, artifact sha256/size, native scan, README quality gate) so a green run predicts a green CI. - `submit`: fork TREK-Plugins, branch off current main, write/merge the entry, push, and open the PR — the last manual publishing step, automated. - `keygen`/`sign` + `--sign` on entry/release/submit: dependency-free Ed25519 author signatures over the artifact bytes, verified 1:1 against the server's TOFU check. Fills authorPublicKey + signature and guards against a key change. - `create` gains an interactive wizard (id/type/author/permissions) and flags. - README + Development/Publishing/Permissions wikis document the new flow. 24 tests pass (sign round-trips through a server-shaped verifier; zip reader; scaffold options; entry signing + key-change guard). * feat(plugin-sdk): one-command `publish` (pack → release → preflight → PR) Collapses the release into a single command: pack the artifact, tag + create the GitHub release, run the registry CI checks locally (preflight), and open the registry PR — stopping before it submits if preflight would fail, so a broken entry never becomes a doomed PR. `--sign` signs it; `--no-preflight` skips the gate. The individual pack/release/preflight/submit commands still exist. README + the Development/Publishing/Permissions wikis lead with `publish` now. * fix(plugins): security hardening from the PR #1415 audit Remediates the findings from the adversarial audit (threat model: malicious plugin author + malicious artifact). Highlights: Critical - proxy: force nosniff + Content-Disposition: attachment on every proxied reply and drop location/content-disposition + non-2xx from the passthrough, so a plugin can't serve an HTML document at TREK's origin (sandbox-escape → account takeover) or an open redirect. High - db:own runs synchronously in the host: cap the plugin DB (max_page_count) and row-cap query() via iterate() so a recursive CTE / huge blob can't stall the event loop, OOM, or exhaust the shared volume. - supervisor: measure child RSS host-side (/proc/<pid>/statm) instead of trusting the spoofable heartbeat; add an activation timeout so a stuck onLoad can't hang activate() or peg a core unreaped. - safe-extract: enforce entry-count + cumulative-size limits INSIDE readZip before inflating (decompression-bomb OOM). - re-consent: activate() never widens granted permissions without explicit consent (409 CONSENT_REQUIRED); the row toggle + "Update All" route through the consent dialog, which now queues instead of overwriting. Medium/low - egress: gate dgram hostnames through the IP-vetting resolver; block the low-level socket escape (process.binding) + lock the wrapped prototypes; canonicalize IPv6 in isBlockedIp (hex-mapped/compressed metadata); reject degenerate `*.` / whole-TLD / spaced outbound hosts in the manifest + CSP. - ws:broadcast is membership-gated to the acting user's trips / own connections; users.getById is scoped to users the acting user can see (no enumeration). - safe-fetch streams + aborts at the byte cap (chunked codeload OOM); isPrivateIp reuses the canonicalizing check. - native-scan throws instead of silently passing past its entry cap. - SDK: dev serves binary assets as raw buffers + handles EADDRINUSE; manifest validator gains the reserved-id + outbound-host checks; wikis corrected. Tests updated for the new membership-gated behaviour + regression tests added (IPv6 canonicalization, wildcard hardening, outbound-host validation, ws/user scoping). 234 plugin tests + 24 SDK tests green. * fix(plugins): close the 4 PARTIAL findings + regressions from the fix-verify pass A second adversarial pass over the first remediation found four findings only partially closed and five issues the fixes themselves introduced. This closes them: Partial → closed - re-consent gate keyed on `granted.length > 0`, so a plugin first activated with ZERO permissions (granted '[]') was treated as never-consented and a later widening was granted silently. Now discovery marks a never-consented plugin with granted_permissions '' and activate() gates on "ever consented" (any non-empty string, including '[]'). - db:own DoS: block WITH RECURSIVE outright (the one construct that spins the synchronous host unboundedly regardless of the size/row caps, via query OR exec). - dgram: also wrap `new dgram.Socket(...)` (bypassed createSocket) to inject the IP-vetting lookup, and lock createSocket/Socket. - frame self-navigation: documented as a bounded best-effort mitigation (inherent to sandboxed iframes; exposure is the plugin's own routes + already-held context, never the httpOnly cookie). Regressions introduced by the first pass → fixed - proxy: only real redirects (301/302/303/307/308) are gated, to a RELATIVE in-app Location (supports OAuth-callback bounce, blocks open redirect); 300/304 pass through; attachment only on non-redirects. - supervisor: measure RSS via /proc/<pid>/status VmRSS (page-size independent); activation-timeout awaits kill() before disposing the db handle. - manifest HOST_RE: allow single-label hosts (self-hoster sibling services) while keeping wildcards multi-label; mirrored in the SDK + frame CSP filter. Regression tests added (re-consent incl. the '[]' case, WITH RECURSIVE + row cap, single-label host). 236 plugin tests + 24 SDK tests green. * docs: refresh README screenshots (8) + swap the second trip shot for Collections Replaces all eight README gallery screenshots with current-UI captures and swaps docs/screenshots/trip-iceland.png for collections.png (saved place lists). * fix(plugin-sdk): make require('trek-plugin-sdk') actually resolve everywhere A freshly scaffolded plugin could not load anywhere: the npm package is ESM-only (no require condition in its exports map), so the scaffold's require('trek-plugin-sdk') threw ERR_PACKAGE_PATH_NOT_EXPORTED under `trek-plugin dev` - and the runtime injection the wiki promised for the plugin child never existed, so a packed plugin (node_modules stripped) crashed with MODULE_NOT_FOUND after a real install. - plugin child: inject a frozen {definePlugin, PLUGIN_API_VERSION} shim for require('trek-plugin-sdk'); subpaths fail with a pointed error - trek-plugin dev: inject the exact same shim, so a fresh scaffold runs with zero npm install and dev parity with production holds - npm package: ship a real CommonJS build (dist/cjs + require export conditions) so the installed package also requires cleanly on Node 18+ - create: scaffold a package.json (type commonjs, SDK as devDependency, npx scripts); print resolvable `npx trek-plugin-sdk ...` hints - wiki: package.json in the scaffold tree + publishing checklist, and document the zero-install dev flow * fix(plugins): tolerate a UTF-8 BOM in trek-plugin.json Windows editors love to prepend a BOM, and a bare JSON.parse then dies with an "Unexpected token" pointing at an invisible character - in the SDK CLIs (dev/validate/entry/submit) and, worse, server-side: a BOM in an author repo travels through pack into the artifact and fails discovery and registry install. Strip it at every manifest/JSON read (readJsonFile in the SDK, parseJsonText in the installer). * fix(plugin-sdk): dev db binds an args array like the real host, and a failed onLoad stops the routes * ci(plugin-sdk): publish on Node 22; skip the dev-db bind test without node:sqlite * docs(wiki): document AI booking import, guest members and packing sharing Fill the gaps left after the 3.2.0 feature work: - add an AI Booking Import page for the AI Parsing addon (providers, admin/per-user config, model pull, the review-before-save flow) and link it from Reservations & Bookings and the sidebar - document guest members on Trip Members and Sharing (owner-only, what they can be assigned to, and the sign-in/notification/visibility limits) - document the three packing sharing tiers and co-bringing on Packing Lists - add TRANSIT_API_URL and the plugin variables to Environment Variables, and correct the language list to 22 (add Swedish and Vietnamese) - list the airtrail and llm_parsing addons in the Addons overview * feat(plugins): enable the plugin system by default The runtime and the Admin -> Plugins panel are now available out of the box; TREK_PLUGINS_ENABLED becomes an opt-out (set it to false to switch the whole system off). Installed plugins are still registered inactive and have to be activated one by one, so no third-party code runs until an admin turns a specific plugin on. Update the kill-switch default test and the plugin/env-var wiki pages to match. * fix(costs): KGS is selectable as default/expense currency (#1400) * fix(map): render date-line-crossing routes as one continuous arc (#1411) The great-circle sampler normalizes longitudes to [-180,180], so a transpacific leg jumped +-360 between neighbours and got split into two polylines pinned to opposite map edges. Unwrap the longitudes instead (shared flightGeodesy module for both renderers): Leaflet additionally draws a +-360-shifted copy so both halves show in the standard view, GL maps repeat world copies themselves. * fix(map): clear the hover card on marker click and camera moves (#1404) Clicking an off-center place recenters the map under a stationary cursor, so mouseout/mouseleave never fires and the hover card sticks. Clear it on marker click and on movestart, and suppress re-shows while the camera is animating (marker rebuilds re-fire mouseenter mid-pan). feat(map): long-press + plain right-click add-place on GL maps (#1398) The GL providers only bound middle-click, so mobile had no way to add a place at a position (and Macs have no middle button). Add a 600ms touch long-press with move tolerance and the map contextmenu event - both GL libs suppress it while the right-button rotate/pitch drag is active, so the gesture keeps winning. * fix(mcp): keep SSE streams alive and stop invalidating sessions on unrelated saves (#1414) Three separate causes for the reconnect-per-tool-call pain: - no keep-alive on the standalone GET stream, so reverse proxies with idle timeouts (nginx default 60s) killed it between calls - send an SSE comment ping every 25s (MCP_SSE_KEEPALIVE, 0 = off) and count an open stream as session activity - the session TTL was hard-coded - MCP_SESSION_TTL (seconds, clamped to 24h) now works as the issue expected - every addon save invalidated ALL sessions: config-only saves, photo provider toggles and addons with no MCP surface included. Only a real enabled-flip of an MCP-relevant addon (or an actual collab-feature change) tears sessions down now. * feat(api): OpenAPI/Swagger docs at /api/docs behind TREK_API_DOCS_ENABLED (#1412) Swagger UI + raw spec (/api/docs-json, -yaml) over all controllers, with a bearer button that works with a plain session JWT. Off by default - the spec enumerates the whole surface incl. admin routes, so exposing it is an explicit self-hoster decision (same kill-switch pattern as TREK_PLUGINS_ENABLED). Request bodies come from the Zod schemas the routes already validate with: an enricher walks every controller, finds whole-body ZodValidationPipe params and lifts their schema into the document via zod v4's native z.toJSONSchema - nothing is annotated twice, and any route that gains a Zod pipe is documented automatically. * fix(map,mcp): review follow-ups for the issue-fix batch - mapbox-gl (unlike maplibre) still emits the map contextmenu after a right-button rotate/pitch drag on Windows - guard it with the pressed position so ending a rotate can't open the Add-Place form (#1398) - a long-press whose fire was deduped (or that never yields a click) no longer leaves suppressNextClick armed to swallow a later real tap - MCP_SSE_KEEPALIVE=0 keeps the open-stream-counts-as-activity guarantee: the touch interval survives, only the pings stop (#1414) - swagger-ui-dist ships @scarf/scarf install-time analytics - disabled via scarfSettings in the root package.json, TREK sends no telemetry - Budget wiki currency list: 47 incl. KGS (#1400) * feat(map): real road routes for car/bus/taxi/bicycle bookings instead of straight lines Road-based transport bookings drew an as-the-crow-flies line; only transit journeys (Transitous) showed the real path. A shared useTransportRoutes hook now fetches the OSRM road geometry (driving for car/bus/taxi, cycling for bicycle) — reusing the day-route router and its cache — and both renderers draw it in place of the straight arc, falling back to the straight line until it loads or if routing fails. Trains/other keep their straight line (not road-routable); a 2000 km sanity cap avoids hammering the public router on cross-continent quirks. * feat(transport): multi-leg train bookings (#1150) Long train trips are usually several trains under one booking. Trains now get the same multi-leg editor flights have: an ordered chain of stations (station search instead of the airport picker) with a per-leg train number + platform, saved as from/stop/to endpoints + metadata.legs — mirroring the flight leg contract, so the map draws the whole chain and the day plan splits it into one row per leg (drag/reorder/position persistence come for free from the shared __leg machinery). A single-leg train saves exactly as before (flat metadata, no legs), and the flat train-fields block is gone in favour of the per-leg inputs. Day sidebar, shared trip view and the PDF render each train leg like a flight leg. * feat(collections): per-collection custom labels Each list can now define its own labels (e.g. Berlin, Hamburg, Ostsee in a "Germany 2026" list) and organise its places by them: - manage labels (create / rename / recolor / delete) from a label manager - assign labels to a place from its detail sheet, or to many places at once from the selection toolbar - filter the place list AND the map by label (multi-select, any-match) Labels are scoped to a collection and shared by all its members. Managing and assigning labels needs edit rights; filtering is available to everyone. Moving a place to another list drops its labels, since they belong to the source list. * test(collections): pass the required labels prop in CollectionPlaceDetail test The per-collection labels feature (a5522e99) made `labels` a required prop and renders `labels.filter(...)`, but the test's props cast to Omit<DetailProps,'t'> hid the missing prop, so `labels` was undefined at runtime and crashed the whole suite (Cannot read properties of undefined reading 'filter'). Pass labels: [] like categories. * docs(wiki): document collection labels, multi-leg trains and road-route overlays - Collections: add a Custom labels section (manage / assign / filter), note the label filter + bulk assign, and the view-vs-edit permission split - Transport: rewrite the train fields as the multi-leg route editor, correct the transport type list (nine types) and the map/day-plan behaviour - Map Features: car/bus/taxi/bicycle overlays follow real roads; multi-leg trains draw their full station chain; date-line routes render as one continuous arc --------- Co-authored-by: jubnl <jgunther021@gmail.com> Co-authored-by: jufy111 <jeffturner93@gmail.com> Co-authored-by: Azalea <noreply@aza.moe> Co-authored-by: Zorth Thorch <jasper_goens@hotmail.com> Co-authored-by: leeduc <lee.duc55@gmail.com> Co-authored-by: yael-tramier <tramier.yael@gmail.com> Co-authored-by: michael-bohr <mjbohr@gmail.com> Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com> Co-authored-by: Gio Cettuzzi <gio.cettuzzi@gmail.com> Co-authored-by: mauriceboe <mauriceboe@users.noreply.github.com> Co-authored-by: jubnl <66769052+jubnl@users.noreply.github.com>
2026-07-05 07:13:04 +08:00
## Plugins
- [[Plugins Overview|Plugins]]
- [[Plugin Development|Plugin-Development]]
3.2.1 (#1433) * fix(plugins): prevent arbitrary api access * fix(planner): disable drag & drop on mobile so the places list scrolls (#1432) On touch devices the draggable rows hijack the scroll gesture, so dragging to scroll started an HTML5 drag and popped up the file-import overlay instead of scrolling. Gate the draggable rows and the sidebar file-drop handlers on !isMobile across the places sidebar and the day plan (places, transports, notes), and hide the grip handle — the arrow reorder buttons take over there. * fix(inspector): make the remove-from-day button icon-only on mobile * fix(collections): show the save picker above the mobile place detail * fix(plugins): seal IPC parent/child for good * test(inspector): match the icon-only remove-from-day button * feat(sdk): switch plain ts for clack/prompts interactive session * feat(plugins): force-refresh the registry from the rescan button The registry is cached for 30 min server-side and GitHub serves it with a 5-min CDN cache, so a freshly published plugin could take up to ~35 min to appear. The rescan/reload button now force-pulls the registry: it bypasses the in-memory cache and appends a cache-buster + no-cache headers to beat the CDN, and refreshes the browse grid immediately. * feat(sdk): bump plugin version * fix(stored settings): prevent local storage drop when update not successful * feat(plugins): sideload plugins by uploading a .zip Adds an admin "Upload plugin" button + drag-and-drop to the plugins panel for installing a plugin archive directly — handy for testing a build before it goes to the registry. It reuses the registry install pipeline (slip/bomb-safe extract, strict manifest validation, native-binary scan) via a new POST /admin/plugins/upload, and only skips the registry sha256/signature checks that a sideload can't have. Sideloaded plugins are flagged (source "local:upload", a "Sideloaded" badge, no GitHub link, no auto-update) and always land INACTIVE — replacing a running or active plugin stops it and clears the active flag first, so new code never runs without a fresh activation + permission consent. * fix(planner): keep the day-plan collapse state after fully closing the page The expanded/collapsed days were stored in sessionStorage, which survives a reload but is wiped when the tab or window is closed — so every fresh open re-expanded all days, which is tedious to re-collapse on long (10+ day) trips. Store it in localStorage instead so a collapsed layout sticks until it's changed. * fix(i18n): correct Vietnamese translation of 'Disabled' (#1438) 'Tàn tật' means physically handicapped/disabled-person, not the off/disabled state of a toggle. Replace with 'Tắt' (off), matching the existing 'admin.plugins.stateOff' translation. Affects admin.notifications.none and admin.addons.disabled. * add the code of conduct * fix(plugins): let widgets follow the in-app dark-mode toggle The plugin frame is sandboxed at an opaque origin (no parent DOM access) and we only sent the context — including the theme — once, on trek:ready. So toggling dark mode in TREK left already-mounted widgets on the old theme until a reload. Watch the <html> `dark` class and re-post the context when it flips; plugins already re-apply the theme on trek:context. * fix(plugins): deliver widget context on load so the theme is right on first paint * fix(plugins): give widget cards the native glassy look and auto-height Widget plugins rendered in a plain card with a fixed 180px body, so they looked foreign next to the glassy dashboard tools and taller widgets had their controls clipped. Mirror the native `.tool` surface (glass background/border/blur, uppercase title) and let the body grow to the height the widget reports over trek:resize. * feat(plugins): add read/rwite costs * feat(plugin): better readme/index.js * feat(plugin): better readme/index.js * feat(plugins): hand widgets TREK's theme tokens, formats and display identity Extends trek:context with a non-secret `tokens` map (TREK's resolved CSS design tokens for the current theme), `formats` (currency/date/units/timezone) and a `user` display object (name/avatar/isAdmin — never the email, role only as a boolean). Re-sent on every theme toggle. A widget can now apply the tokens and match the host exactly, in both themes and under a custom appearance, instead of hard-coding a palette that drifts — so plugins feel native, not bolted-on. * feat(plugins): hand plugins the full palette and appearance state The theme context only carried a ~19-token subset read off <html> and only followed the dark-mode toggle. Widen it to the whole global (:root/.dark) palette — surfaces, text, borders, the accent family, semantic + soft fills, shadows, radii and fonts — so a plugin tracks the user's chosen accent scheme, custom accent and high-contrast live, not just light/dark. Also send an `appearance` block (scheme, density, reduced-motion, no-transparency) mirrored from the attributes applyAppearance writes on <html>, and re-post the context whenever any of those actually change (a small signature dedupes unrelated mutations) so plugins restyle in step with the app. * feat(plugins): ship a design kit so plugin UIs look native A plugin's UI is a sandboxed, opaque-origin iframe that can't load TREK's stylesheet — so authors had to re-derive the whole look by hand, and most didn't. Ship it instead: a token-driven stylesheet (glass, hover, buttons, inputs, chips, rows) that consumes the tokens the host already sends and swaps light/dark, plus a small bootstrap that applies those tokens, mirrors the appearance flags, auto-reports the frame height and exposes a `window.trek` helper over the existing bridge. Both are plain strings meant to be inlined (the CSP forbids external assets for an opaque frame); `injectTrekUi` expands a `<!-- trek:ui -->` marker. No new capability — only a native look. * feat(plugins): deliver the design kit — native scaffold + inline on dev/pack A new page/widget scaffolds a native, glassy starter that talks over window.trek. The source keeps a single `<!-- trek:ui -->` line; `dev` (when it serves /ui) and `pack` (as the file enters the archive) expand it into the inlined kit — so the file stays a one-line opt-in and a rebuild always ships the current kit. Existing plugins opt in the same way, by dropping the marker. * feat(plugins): faithful themed host preview in dev `dev` served the plugin UI raw at /ui — top-level, with no host — so the theme, context and bridge never fired and authors couldn't see the design kit render. Add /preview: it embeds /ui in a sandboxed opaque-origin iframe (exactly TREK's isolation) and plays the host — posts trek:context with a theme/accent/appearance toggle, proxies trek:invoke to your /api routes as the dev user, and surfaces resize/notify/navigate. /ui stays as the raw doc for debugging. * docs(plugins): document the design kit, window.trek and the token contract Rewrite the client section of the Plugin Development wiki kit-first: the `<!-- trek:ui -->` marker, the component classes, the `window.trek` bridge, the `/preview` host preview, the full `trek:context` payload (now the whole palette plus an `appearance` block) and how to apply tokens by hand. Add a "Build a native UI" section + the new exports to the SDK README. * feat(budget): add 'Outstanding amount' card * fix(translations): finish translating new keys * feat(plugins): trip-page plugins — a plugin tab inside every trip Adds a `trip-page` plugin type whose sandboxed iframe mounts as a tab in the trip planner (Plan / Transports / … / <plugin>), scoped to the open trip, with no dashboard nav entry. This is the most-asked planner-extension request from discussion #1429 (a plugin that lives in the trip, e.g. SimMesg20's budget planner). It reuses PluginFrame and the existing tab system — the frame already receives the current tripId over trek:context — so there is no bridge or security change: only the manifest type enum (server + SDK), the client feed classification (pluginStore.tripPages), and one render branch in the planner. The SDK scaffolds it with `create --type trip-page`. * fix(apple wallet): support for .pkpasses * feat(plugins): permission-gated write APIs for the planner (#1429) Plugins can now WRITE core planner data, not just read it, through curated, membership-checked methods — so downstream features can live in plugins instead of long-lived core patches. Four new scopes: db:write:places (create/update/delete places), db:write:days (days), db:write:itinerary (assign/unassign a place on a day) and db:write:trips (update trip fields). Each ctx method mirrors costs.create: it validates the input against the SAME @trek/shared schema the web app uses, binds the acting user host-side (a job/onLoad has none, so its writes are refused), checks trip access AND the app's edit permission (place_edit / day_edit / trip_edit), delegates to the real services, broadcasts the same events so open sessions update live, and records the write in the tamper-evident capability audit. No new route, no sandbox or CSP change — the isolation boundary is unchanged; a plugin can only change what its user could change by hand. Consent UI + permission labels in all 22 locales, SDK types + mock host, and the wikis are updated. * docs(plugin): ensure wiki correctness * feat(plugins): plugin metadata on core entities — db:meta (#1429) Plugins can now attach their OWN namespaced key/value data to a trip, place or day without forking the core schema (#1429, request 2). New `db:meta` scope + `ctx.meta.get/set/list/delete`. Storage is one plugin_entity_metadata table (migration 161) keyed (plugin_id, entity_type, entity_id, key) — a plugin only ever sees its own rows. Every call is membership-checked: the entity must belong to a trip the host-bound acting user can access. Quotas guard the shared volume (≤64KB per value, ≤100 keys per entity); rows are purged on uninstall-with-delete-data and recorded in the capability audit. SDK types + mock host, a consent chip + labels in all 22 locales, and the wikis. No new route, no sandbox change. * feat(plugins): place-detail plugin slot in the trip planner (#1429) A widget plugin can declare `capabilities.widget.slot: 'place-detail'` to mount its sandboxed frame inside the trip planner's place-detail panel, scoped to the open place — the frame receives the `placeId` in trek:context alongside the tripId. This is the UI half of the place-detail-providers ask (reviews/ratings/popular times shown on a place). It reuses the existing widget mechanism: PluginFrame gains an optional placeId, the feed/store learn the new slot, and PlaceInspector renders the slot at the foot of its body in trip mode. Admin chip + label in all 22 locales, wiki updated. No sandbox or permission change. * fix(plugins): green the server tests + harden the new capability surface The in-memory uninstall fixture was missing the new plugin_entity_metadata table, so uninstall's DELETE threw "no such table" and failed the server test job. Add the table to the fixture schema. Self-review hardening of the write/metadata surface: - trips.update now reproduces the web UI's per-field gate: is_archived needs trip_archive and cover_image needs trip_cover_upload, not just trip_edit — so a member who may only edit can't archive or re-cover a trip. - Plugin metadata WRITES now also require the entity's edit permission (place_edit/day_edit/trip_edit), not just trip access, so a read-only member can't overwrite or delete metadata another user created. Reads stay access-gated. - Cap the metadata key length (<=256 chars) alongside the value/count quotas — the key was attacker-controlled and uncapped, defeating the disk-DoS guard. * test(plugins): cover the new write/metadata deps to hold the coverage gate The new create-rpc-host write + metadata deps were untested, dropping the src/nest branch coverage below the 80% gate. Add a seeded in-memory core db plus mocked core services to exercise every dep end-to-end: places/days/itinerary create/update/delete + not-found paths, trips.update with the archive/cover per-field gates and the Validation/NotFound/unknown-error mapping, metadata CRUD + key/value/count caps + access checks, the costs deps, and users.getById scoping. Plus rpc-host cases for meta writes on place/day and a no-acting-user refusal. Tests only — no production code change. * fix(costs): freeze FX on every cost + settlement write path (#1445) Settled foreign-currency costs kept re-opening with a few-cent residual when live rates drifted. The #1335 freeze only ran on the REST create/ update path, so two gaps remained: - Foreign-currency items created via MCP create_budget_item or booking- import bypassed the freeze and stored exchange_rate = 1, so settlement re-converted them with live rates. Promote freezeForeignRate into the shared budgetService and call it from every write path. - Settle-up transfers were stored currency-less and re-converted with live rates on each recompute. Add currency + exchange_rate to budget_settlements (migration), freeze the display-currency rate at settle time, and convert with it in calculateSettlement. Legacy rows (currency = NULL / rate = 1) keep live-rate behaviour until re-edited. Also expose guarded cost update/delete to plugins: costs.update and costs.delete under db:write:costs, gated exactly like costs.create (addon + trip access + the acting user's budget_edit permission). updateCost reuses BudgetService.update so a plugin write re-freezes the FX rate too; both broadcast the same budget:updated / budget:deleted events the REST controller emits. Wired through the host, the runtime SDK context and the published trek-plugin-sdk (types + mock host). * feat(plugins): provider hooks — placeDetailProvider, wired (#1429) Turn "hooks" from a declared-but-dead surface into a real host→plugin capability. Add an invoke.hook branch to the child + a supervisor hook registry (providersOf) + PluginRuntimeService.invokeHook, reusing the existing invoke transport and its timeout (a short 5s deadline so a slow provider can't delay a response; a job/onLoad has no user, host-bound as ever). Also fixes a real bug: the in-repo runtime SDK copy was missing the `hooks` field entirely and could not even parse a plugin that declared one — synced it with the published SDK. The first wired hook is placeDetailProvider: a plugin returns extra rows ({label,value?,url?}) for a place, and TREK renders them natively at the foot of the place-detail panel. Consumer is a new, additive, fail-safe endpoint GET /api/place-details/:placeId (membership-checked; any provider that errors or times out is simply skipped — it never breaks the panel). New hook:place-detail- provider scope + consent chip in all 22 locales. SDK types (both copies), a controller test, and the wiki. photoProvider/calendarSource stay reserved but the transport now exists for them. No sandbox or CSP change. * fix(files): handle pkpass in booking uploads and files-tab open (#1447, #1448) Both bugs were client-only; the server already allows .pkpass and serves it as application/vnd.apple.pkpass. #1448: the reservation/transport attachment inputs hard-coded an accept list that omitted pkpass, so macOS grayed it out. Add .pkpass/.pkpasses (+ wallet MIME types) to the accept attribute in both modals. #1447: the files-tab open path routed every non-media/non-markdown file into the in-app PDF preview object. Add isWalletPass() and route wallet passes through the shared blob openFile helper (as bookings already do), which downloads them so the OS hands them to Apple Wallet. * feat(plugins): validation/warning contributions via warningProvider hook (#1429) Second wired provider hook, reusing the invoke.hook infra from the last commit. A plugin implements warningProvider.getWarnings(tripId, ctx) → {level, message, dayId?, placeId?}[] to flag problems on a trip (overpacked day, place closed on its planned date, missing booking, …). TREK surfaces them as a non-blocking overlay banner at the top of the trip planner (the wrapper ignores pointer events so it never covers the map/panels; only the pills are interactive). Consumer is a new additive, fail-safe endpoint GET /api/trip-warnings/:tripId (membership-checked; a provider that errors or times out contributes nothing and never blocks the planner). New hook:trip-warning-provider scope + consent chip in all 22 locales, SDK types (both copies), a controller test, and the wiki. This is the validation half of the scheduling+validation block; feeding durations/travel times back into core recalculation stays out (it would touch core planner computation — deliberately deferred to keep the no-breaking-changes guarantee). * fix(plugins): enforce the hook:* grant on provider dispatch (#1429 audit) The adversarial audit of the #1429 additions found one real (medium) gap: the hook:* permission was never enforced at runtime. providersOf() selected provider plugins purely by the hooks their CODE declares (sup.hooks, reported by the child as Object.keys(def.hooks)) and never intersected that with sup.granted — so a plugin that merely implemented placeDetailProvider/warningProvider got wired in as a provider even when the admin never consented to hook:place-detail-provider / hook:trip-warning-provider. The downstream capability router still held (the hook's ctx can only do what the plugin's OTHER grants allow), but a plugin could obtain an auto-triggered, user-bound execution context on a passive UI browse without the hook being consented — a consent-integrity gap that contradicts the documented invariant. Gate it host-side: a hookName→permission map, and providersOf now returns a plugin only if it is active, implements the hook, AND holds the matching hook:* grant. An unmapped hook resolves to nobody. invokeHook additionally re-checks membership in providersOf (defense-in-depth against a direct caller). Unit test proves the grant/implements/active intersection. * docs(plugins): add the Plugin Cookbook + a trip-doctor example (#1429 eco) Fosters plugin authoring by turning the new #1429 capabilities into copy-paste recipes. New wiki page Plugin-Cookbook (read a trip, write to the itinerary, tag an entity with metadata, contribute native place details, raise trip warnings, broadcast, match the TREK look) linked in the sidebar, plus a complete runnable example — trip-doctor — a hooks-only plugin that showcases warningProvider + placeDetailProvider + ctx.meta with zero UI of its own. Manifest validates against the SDK. Docs/example only; no product code. * fix(collections): don't reset saved-place status to 'idea' on edit (#1437) The update schema reused collectionStatusSchema, whose .default('idea') survives .optional() — so a PATCH that omits status had 'idea' injected by the validation pipe and written to the DB, clobbering 'want'/'visited'. Strip the default on the update field with .removeDefault(), keeping the .catch guard. Add a shared schema regression test and an e2e round-trip. * docs(plugin): ensure plugin scopes are the same everywhere * feat(plugins): read scopes for packing + files (#1429 eco) Extend the read side of the capability model beyond trips/costs: db:read:packing → ctx.packing.list(tripId) and db:read:files → ctx.files.list(tripId). Both mirror the existing trip reads exactly — the host membership-checks the trip against the invocation's user (tripRead) before delegating to the same packingService/ fileService the REST paths use (so bags/assignees hydrate and trash is excluded), and each is a separate scope (packing doesn't unlock files). ctx types in both SDK copies + mock-host, consent labels + cap chips in all 22 locales, rpc-host + create-rpc-host tests, and the wiki (perm table + cookbook recipe). * feat(plugins): core event subscriptions (#1429 eco) A plugin can react to core activity by declaring events: [{ on, handler }] + the events:subscribe grant. websocket.broadcast announces every CORE trip event (name + tripId ONLY, never the payload) through a tiny dependency-free relay (plugin-event-sink); the runtime registers a sink in onModuleInit and the supervisor fans each event out to subscribed, granted, active plugins via a fire-and-forget invoke.event on a short timeout — so a slow subscriber can never block a core write. Safety by construction: handlers run with NO user (like a job) so trip reads are refused — they react to the fact, using the plugin's own ctx.db/ws/outbound; the grant is enforced host-side (deliverEvent checks events:subscribe); plugin:* re- broadcasts are never delivered back, so handlers can't loop; and only the event name + tripId cross the boundary. SDK types (both copies), consent label + cap chip in all 22 locales, supervisor gating + broadcast-tap tests, and the wiki + cookbook. The relay lives in its own module (not websocket) so it doesn't drag `ws` into the runtime and tests that mock ./websocket don't strip the sink. * feat(plugin-sdk): typed ctx returns + native trek.ui DOM helpers (#1429 eco) Two author-DX wins, SDK-only. Typed reads/writes: ctx.trips.getById/getPlaces/getReservations, packing.list, files.list, costs.*, places/days/itinerary writes and users.getById now return proper entity types (Trip, Place, Day, Reservation, PackingItem, TripFile, BudgetItem, Assignment, User) instead of unknown — real autocomplete for authors. Only `id` is guaranteed and every shape keeps an index signature, so it mirrors the raw DB row honestly (no column hidden, no false guarantees). mock-host matches. Native UI helpers: window.trek now carries `trek.ui` — a tiny bundler-free DOM builder (el/button/card/chip/input/mount) that emits the kit's trek-* classes, so a widget builds themed UI with no CSS and no build step. Ships inlined via the same <!-- trek:ui --> marker. Wiki updated. * fix(plugins): scope packing.list to the acting user's #858 visibility (eco audit) The final eco audit found one real (medium) gap: the db:read:packing delegate called packingService.listItems(tripId) with NO userId, which takes the UNFILTERED branch and returns every member's private (is_private=1) packing items — leaking another member's personal/surprise-gift items to a plugin the normal UI/REST hides them from. The handler had the host-bound acting user but dropped it when delegating. Thread it through: tripRead now hands the membership-checked userId to the read callback, packing.list forwards it to listPackingItems(tripId, userId), and the service applies its three-tier #858 filter — a plugin now sees exactly what its user sees. files.list is unaffected (no per-user file visibility). Tests assert the user is passed. The other three audited surfaces (event subscriptions, trek.ui, and the regression sweep of the capability boundary) were clean. * security(plugins): prevent open redirect * fix(plugins): resolve PR #1433 full-audit findings (code + tests) The comprehensive PR audit confirmed 21 findings; this fixes the code/test ones I own: - ctx.users.getById was DEAD: the runtime SDK omitted the _inv tag, so actingUser never bound and every call hit RESOURCE_FORBIDDEN. Add _inv (the test had codified the bug — corrected). - Plugin place writes bypassed the REST STRING_LIMITS (a 100k-char name the web app rejects). Mirror the caps (name 200 / description 2000 / address 500 / notes 2000). - packing.list / files.list were missing from the capability audit log while every other core read is audited — add them to isAuditable + auditResource. - SDK lockstep: CalendarSource.getEvents drifted (published Date vs runtime string); the host->plugin boundary is JSON, so align both to string. - Admin panel didn't know the new trip-page plugin type (unlocalised badge, missing filter) — add it to KNOWN_TYPES + the type filter + a 22-locale label. - Tests for previously-uncovered paths: the child-side invoke.hook/invoke.event dispatch (real fork, hook + event + non-matching-subscription), and invokeHook's defense-in-depth grant re-check. Julien's settlement-FX-refreeze finding is his budget code (flagged, not touched). * docs(plugins): correct the wiki against the shipped capability surface (#1433 audit) Fixes the 11 doc findings from the PR audit — every corrected claim was cross-checked against the code: - Plugin-Development: CSP connect-src is built from granted http:outbound:<host>, not egress[]; dropped the stale "costs.create is the first and only core mutation"; documented costs.update/delete + ctx.packing/ctx.files; the manifest permission table gained the six missing scopes (db:write:places/days/itinerary/trips, db:meta, hook:trip-warning-provider); the widget slot table gained place-detail. - Plugin-Cookbook: days.create no longer passes a title the schema drops; broadcastToUser uses the real (userId, event, data) signature; fixed the broken #the-trek-ui-design-kit anchor and noted window.trek.ui. - Plugin-Permissions: added db:read:packing, db:read:files and events:subscribe; the provider hooks are implemented in `hooks: {...}` on the definition, not on ctx. * fix(unsplash) allow api key usage * fix(guests): scope guest display names per-trip, not globally (#1446) A guest is a per-trip person, but their name lived in the globally UNIQUE users.username, so uniqueGuestUsername() auto-renamed a second "Jake" (on any other trip) to "Jake 2". Add a non-unique users.display_name: a guest now stores the human name there and gets a uuid-based username that is never shown, and every member view (members list, day-assignment participants, budget members/payers, packing recipients/contributors/bags/assignees) COALESCEs display_name over username. Rename updates display_name with no dedup. Real users are unchanged (display_name NULL → COALESCE falls through to username). Migration adds the nullable column; existing guests keep their current username via the COALESCE fallback. This also unblocks ctx.users.getById (the audit's #4 fix), whose projection selects display_name. Tests: two "Jake" guests on two trips both keep the name; the two codified-the-old-behaviour guest tests corrected. * fix(costs): don't re-freeze a settlement's FX rate on an unrelated edit (#1445) The full audit found that updateSettlement called freezeForeignRate without the "currency unchanged" guard the item path has, so any edit of a foreign-currency settlement (e.g. correcting from/to) re-fetched the LIVE rate and overwrote the frozen one — re-opening an already-balanced position with a small residual, the exact drift #1445 was meant to prevent. freezeForeignRate's unchanged-check was item-centric (it queried budget_items), which a settlement (a different table) can't use. Give it an explicit existingCurrency param; updateSettlement now reads the settlement's stored currency and passes it, so an edit that doesn't change the currency keeps the frozen rate (the service UPDATE already preserves exchange_rate when it's left unset). Tests cover both: unchanged currency keeps the rate, a real currency change re-freezes. * feat(plugins): add inter plugin dependency support and addon dependency support * feat(plugins): add inter plugin dependency support and addon dependency support * docs(plugins) inter dependencies --------- Co-authored-by: Maurice <mauriceboe@icloud.com> Co-authored-by: trongbinhnguyen <43725147+trongbinh15@users.noreply.github.com>
2026-07-06 06:27:42 +08:00
- [[Plugin Cookbook|Plugin-Cookbook]]
3.2.0 (#1426) * docs(wiki): document the snap Docker + no-new-privileges startup failure * fix(setup): warn when ADMIN_EMAIL/ADMIN_PASSWORD are ignored, ship reset-admin The first-run seeder only applies ADMIN_EMAIL/ADMIN_PASSWORD on an empty database and then silently ignores them. People add the vars after the first boot, or pull a fresh image without clearing ./data, restart, and cannot log in with no hint why (#1339). The default is a generated password (not the .env.example placeholder), printed once in the first-run box. Now: warn loudly when the vars are set but a user already exists, and warn on a partial (one-of-two) config instead of quietly falling back. Also ship the reset-admin recovery script in the image -- it was never COPYed in despite the wiki referencing it. node server/reset-admin.js resets/creates admin@trek.local with a generated password (RESET_ADMIN_EMAIL/RESET_ADMIN_PASSWORD overridable), picks a free username so it cannot trip UNIQUE(username), and sets must_change_password. * feat(extract): extract data using LLM * fix(extract): auto-run the AI fallback when the addon is enabled Booking import only fell back to the LLM when each user flipped an 'always retry with AI' toggle, so by default files kitinerary returned nothing for just failed. Run the fallback automatically whenever the AI Parsing addon is on (fallback-on-empty); drop the now-redundant per-user toggle and its setting. * fix(extract): make AI imports reliable and fast on local models client: the import call inherited the global 8s axios timeout and aborted long LLM extractions even though the server finished it; remove the timeout. server: raise the OpenAI-compatible LLM timeout 60s->180s (a cold Ollama model can take ~45s to first token). server: cap extracted text to 8000 chars before the LLM - multi-page T&C tails (30k+ chars) overflowed the context window, truncating the relevant head and making CPU inference crawl; booking details sit at the top. * feat(extract): fill transport/booking fields, geocode endpoints, assign days - rental car: request+map dropoffLocation, emit pickup->return from/to endpoints, set a location string (G1/G2/G3). - geocode endpoints (stations/stops/terminals/rental desks) on confirm via Nominatim; mapper now emits coordless named endpoints and confirm persists only the geocoded ones (G6). - assign every dated booking to the nearest trip day so it still shows when slightly out of range, and keep hotel accommodation from vanishing when a check date misses (G5/G10). - fix bus mislabelled as train + add bus_number metadata (G7/G8), flag malformed boats (G9), accept root start/end time for events (G11). - raise the local-LLM timeout to 300s for CPU-only Ollama. * perf(extract): cap LLM input at 4000 chars for CPU-only speed On a GPU-less host the model's prompt-eval time scales with input length and dominates total latency. Booking details sit at the top of a confirmation, so capping the extracted text at 4000 chars (was 8000) roughly halves extraction time (~50s warm for a capable local 7B model) with no loss of fields on real hotel/rental confirmations. Tunable if a long multi-segment itinerary needs more. * feat(extract): capture seat, class, platform, price + event venue contact Request and map root-level seat/class/platform and a total price/currency into reservation metadata (shown on the card; price reuses the existing label). Read both the root and reservationFor and tolerate common field-name aliases (priceAmount, priceCurrencyISO4217Code, fareClass, ...) since models name these inconsistently. Also capture event/attraction venue telephone + url onto the auto-created place, matching lodging/restaurant. * feat(extract): create a linked cost from the booking price on import When a confirmation carries a total price, record it as a real expense linked to the reservation (in the matching Costs category) instead of leaving the amount in metadata only. Gated on the Costs addon. * fix(extract): refresh accommodations after a booking import A freshly imported hotel links to an accommodation that lives outside the trip store, so loadTrip alone left the reservation edit modal with blank place/date fields. Reload the accommodations list once the import finishes. * feat(extract): drive NuExtract with its native template NuExtract isn't an instruct model — fed a plain chat prompt it just echoes the schema back. Detect a NuExtract model by id and talk to it the way the model cards document: the JSON template inlined in a single user message, no system prompt, no json_schema, temperature 0. Its flat result is mapped back to the same KiReservation shape the rest of the pipeline already uses, so nothing downstream changes; every other model keeps the generic prompt. Money is taken as a verbatim string and parsed locally (German "1.580,22 €" otherwise comes back as 1.49772), a rental car's pickup/return ride the from/to fields so a stray form label doesn't become the location, and a lodging with no name falls back to its address instead of being dropped. * fix(admin): tidy the AI parsing settings and recommend the 2B model The provider picker is the shared CustomSelect now and the form is split into clear sections rather than a flat stack of inputs. NuExtract 2.0 2B is the recommended default — fastest on a CPU-only host and MIT licensed; the 4B carries a non-commercial licence, so it's no longer flagged as recommended. * feat(import): review each parsed booking before it's saved Instead of writing parsed items straight to the trip, the import opens the normal edit modal pre-filled for each one, so you can check and fix it before saving — useful when a model guesses a wrong date or address. Hotels gained an editable address field; on save an existing place is matched by name, otherwise the reviewed address is geocoded and a new place is created. * feat(extract): drive local parsing through a layered extraction router The single-shot prompt was unreliable on multi-leg flights and longer documents, and slow on a CPU host. For the local provider, run a small router instead: - deterministic vendor templates first, with no model call at all - exactly one grammar-enforced call per document via Ollama's native `format` (flights as a flat array of legs, everything else as one flat reservation, the type picked from keywords or a union schema) - booking-wide fields (booking reference, total price, the overnight arrival day) filled deterministically from the text afterwards, and dates coerced to ISO so a natural-language date can't slip through Recommend qwen2.5 in the AI-parsing settings instead of NuExtract. * feat(import): parse bookings in the background with a progress widget Parsing a booking can take a while on a CPU host, so don't hold the upload modal open for it. The async import endpoint returns a job id right away; the parse runs server-side (one at a time per user) and pushes progress over the user's WebSocket, and a small widget in the bottom corner tracks it while the user keeps navigating and editing. A finished job opens the per-item review from the widget. * fix(import): create linked costs and accommodations from reviewed bookings Reviewing an imported booking saves it through the normal reservation form, which dropped the parsed price (so no linked cost was created) and only created the accommodation when both nights matched a trip day. Carry the parsed price into a linked cost on save, and create the accommodation from whichever day the check-in/out dates resolve to. * feat(extract): add Expedia and rental-broker booking templates Pull the hotel/rental fields these vendors print in a stable text layout (name, address, stay/pickup dates, price, reference) deterministically, so the import stops depending on the local model for them. Handles German long/abbreviated months and English dates incl. 12-hour and comma forms. * fix(extract): backfill booking code/total and harden the reference match Apply the deterministic confirmation-code and total fill to vendor-template results too (not just model output), and require the captured reference to contain a digit so a bare 'Confirmation'/'Reference' label no longer grabs the next prose word. * fix(import): keep the parse-progress widget across a reload Persist the background-import tasks (id/trip/status only) and re-fetch each job's status on mount, so a parse still running when the page reloads keeps its widget instead of vanishing; expired jobs (404) are dropped and a restored 'done' task re-fetches its items. * fix(reservations): skip un-geocoded endpoints instead of failing the save reservation_endpoints.lat/lng are NOT NULL, so saving a reviewed transport whose pick-up/return couldn't be geocoded threw a 500 and lost the whole booking (dates, linked cost). Skip those rows; the dates still persist on reservation_time/reservation_end_time. * fix(import): resolve an imported transport's day from its parsed dates A reviewed transport (e.g. a rental car) arrived with only its parsed pick-up/return dates and no day_id, so the modal kept just the time and saved a bare "HH:MM" with no date. Resolve start/end day from the parsed dates (exact match, else nearest trip day) so the booking lands on the right days. * fix(import): refresh costs after a booking review so imported expenses appear without a reload Imported bookings auto-create their linked budget items server-side, but the saving client suppresses its own budget:created echo, so the Costs list stayed stale until a manual reload. Reload the budget items when the review session ends. * refactor(extract): dedupe currency/day helpers, drop redundant casts, support JPY vouchers Code-audit clean-ups: share one normCurrency between the router and the templates, lift the duplicated nearest-day resolver into formatters.resolveDayId, drop two needless as-unknown-as casts at the fillBookingWideFields call sites, restore routeExtraction's doc comment, and give the broker template readable names. Plus recognise ¥/JPY and fall back to a standalone symbol amount, so a Klook-style voucher whose price sits far from any label still yields a cost. * feat(import): attach the parsed source document to each booking Keep the uploaded files on the background task and hand them to the review flow, so each reviewed booking pre-fills its Files with the document it was parsed from (uploaded with the booking on save). The two modals also adopt the shared resolveDayId helper. * fix(extract): disable model thinking for grammar-constrained extraction Hybrid/reasoning models (Qwen3 and similar) default to emitting reasoning tokens, which collide with Ollama's format-grammar constraint — on CPU this produced null/unparseable output and blew the latency budget (qwen3:8b: null or 300s timeouts vs ~20s with thinking off). Send think:false on the /api/chat call; Ollama ignores it for non-thinking models (verified on qwen2.5:7b), so it's safe and unlocks the stronger Qwen3 family. * feat(extract): recommend Qwen3-8B as the local extraction model A/B against the prior default (qwen2.5:7b) on CPU showed Qwen3-8B is both faster and more accurate on tricky/multilingual booking docs (correct Airbnb year+price, correct DisneySea admission date), once thinking is disabled — which the router now does. Feature it as the recommended pull, keep qwen2.5:7b as the fallback. * refactor(extract): drop vendor templates, let the model drive with deterministic backfill Now that a capable instruct model (Qwen3-8B, thinking off) reads name/address/dates/legs reliably across formats, the per-vendor template short-circuit distorted more than it fixed: brittle on layout variations and overriding the better model output. Remove the template layer; the model extracts the structure and Schicht 2 backfills the confirmation/total and takes the currency from the document's own symbol (correcting model misreads like ¥→$). Per-type prompts now also ask for address and price/currency. * fix(extract): require the hotel address and ask for the rental company After dropping the vendor templates, the model skipped the (often unlabeled) Expedia-style hotel address — making address a required schema field forces it to emit the street-address line, restoring the booking's location/place. Also hint the rental company so a car booking gets a real title instead of the generic fallback. * fix(import): refresh costs immediately after an imported booking is saved The saving client gets no budget:created echo (X-Socket-Id) and the create response omits the linked budget item, so the booking's Costs section and the Costs tab stayed stale until a manual reload. Reload the budget items right after a create that carried a budget entry. * perf(extract): cap single-booking text tighter; require rental company A long single-booking PDF (e.g. an 11-page rental voucher) spent ~200s on CPU prompt-eval at the 16k cap, though its data sits in the first ~2k. Cap non-flight docs at 6k (flights keep 16k for all legs). Also make the rental operator a required field so the car gets a real title. * fix(import): preview the parsed cost as linked in the review modal During the per-item import review the booking isn't saved yet, so the Costs section showed an empty 'Create expense' even though a linked cost will be created on save. Show the parsed price (amount + category) as the pending linked expense so the user can verify it up front. Reuses existing i18n keys. * fix(import): persist source files in IndexedDB so attach survives a reload The source document was only kept in memory on the background task, so a page reload during the (now always-LLM ~25s) parse lost it and the booking saved without its file. Store the uploaded files in IndexedDB keyed by job id; the review loads them from there when the in-memory copy is gone, and a 1h TTL prunes abandoned imports. * chore(extract): recommend only Qwen3-8B (drop Qwen2.5 from the curated list) Qwen3-8B is the identified default; the prior Qwen2.5 entries are no longer needed in the pull list. * feat(settings): let users set their own AI parsing model Adds an "AI parsing" section under Settings -> Integrations where a user can choose the LLM provider, model, base URL, API key and multimodal option used for booking extraction. This per-user config applies when an admin has not configured an instance-wide model. Reuses the existing encrypted user settings: the API key is stored encrypted, never prefilled, and a blank field keeps the stored one. Adds settings.aiParsing.* across all 20 locales. * fix(settings): show the Integrations tab when only AI parsing is enabled hasIntegrations gated the tab on memories/mcp/airtrail only, so a user with just the llm_parsing addon enabled saw no Integrations tab and could not reach the AI parsing config. Include llmEnabled in the gate. * feat(settings): use the shared custom dropdown for the AI parsing provider Swap the native select for CustomSelect so the provider picker matches the rest of the app's styling (dark mode, portal dropdown). * refactor(planner): move the import-review bridge effect into the page hook TripPlannerPage held a useEffect (the background-import → review bridge), which trips the page-pattern check (pages must stay wiring containers). Move the effect and its store/IndexedDB wiring into useTripPlanner where the rest of the import-review state already lives. * test(llm-parse): cover the extraction router, client factory and import jobs The new LLM extraction router shipped with little branch coverage, dropping src/nest below the 80% gate. Add unit tests for routeExtraction (flights/single/union/error paths, deterministic booking-wide fill), the native Ollama format client, the provider factory, the local-router service path with its type-aware text cap, the flat->schema.org mapper's remaining reservation types, and the background import-jobs runner. Also remove the now-unused validate.ts (only its FlatLike type was still referenced; moved to flat-schemas). * test(setup): stub websocket addListener/removeListener in the global mock BackgroundTasksWidget (mounted globally in App) subscribes via addListener/removeListener from api/websocket, but the global test mock didn't export them, so every test that renders <App/> threw on mount. Add the two stubs. (Surfaced now that the page-pattern check passes and the client test step actually runs.) * fix(i18n): add Swedish translations for the AI booking-import settings The Swedish (sv) locale landed on dev (#1325) after this branch added the AI-parsing settings/reservation keys to the other locales, so sv was missing them — strict i18n key parity failed after rebasing onto dev. Adds the 3 reservations.import.* and 17 settings.aiParsing/aiAlwaysRetry keys in sv. * fix(extract): don't let the day-clamp fallback break reservation resync (#1288) This branch added a clamp-to-nearest-day fallback to resolveDayIdFromTime so an imported booking whose exact date has no day row still lands on a day. After rebasing onto dev, that collided with #1288's resyncReservationDays, which relies on the original "null when no exact day" semantics to leave a booking whose date now falls outside the range untouched — instead it snapped to an edge day (TRIP-SVC-019 failed: expected day_id kept, got the clamped one). Make clampToNearest an opt-in parameter (default true, preserving the import behaviour for create/update) and have resyncReservationDays pass false, so out-of-range bookings keep their day_id. Full server suite green (4082). * Added focus to search places in placeFormModal * fix(airtrail): import departure/arrival times for manually-entered flights (#1336) The mapper read only `departureScheduled`/`arrivalScheduled`, but those columns are optional in AirTrail and stay null for manually-entered flights — where `departure`/`arrival` are the only times set. So the import dropped the departure clock (date-only) and the whole arrival (no date, no time), exactly as reported. AirTrail's own rule is "use departure if available, otherwise fall back to departureScheduled". Mirror that: prefer the scheduled instant, fall back to the primary departure/arrival, in mapFlightToReservation, normalizeFlight, and the sync hash. Hashing the resolved instant means flights already imported without a scheduled time re-sync once and pick up their clock automatically; flights that do have scheduled times are unaffected (no spurious re-sync). Tests: 3 new mapper cases (fallback mapping, picker preview, hash tracking); two existing cases that asserted the scheduled-only behaviour updated to the "neither time set" case. Full server suite green (4085). * fix(pwa): stop unregistering the service worker on offline boot (#1346) Opening the installed PWA offline showed Chrome's "no internet" page instead of the cached app. On boot the axios response interceptor reacts to a failed request with no response by probing /api/health; the probe collapsed "genuinely offline" and "edge-proxy auth wall" into a single reachable=false, so the interceptor unregistered the service worker and reloaded — straight into a dead network. navigator.onLine is true on mobile while offline, so the existing guard didn't help. This also defeated the offline data layer (withOfflineFallback, authStore's offline branch), which runs later in the chain. Fix: connectivity.probe() now returns a discriminated state ('online' | 'offline' | 'proxy-wall'). A fetch that throws, or navigator.onLine false, is 'offline'; a cross-origin redirect (CF Access, via redirect:'manual' → opaqueredirect) or an HTML auth wall (Pangolin) is 'proxy-wall'. The interceptor only tears down the SW on 'proxy-wall'; on plain offline it lets the request reject so the cached shell + IndexedDB serve the app. CF Access / Pangolin reauth still works — the proxy always presents a reachable redirect or HTML wall, which the probe now detects positively. Regression dates to v3.0.16 (#964), surfaced by the 3.1.0 rewrite. Tests: 6 new connectivity cases (offline/online/proxy-wall discrimination); client tsc clean, full client suite green (2850). * fix(map): keep the mobile GPS button above the day-detail panel (#1348) On mobile the location (GPS) FAB sat at bottom: calc(var(--bottom-nav-h) + 12px), which only clears the bottom nav. When a day is selected, DayDetailPanel slides up over the map from bottom: navh+20 and spans nearly full width at z-index 10000, covering the button's band — so the button was hidden behind it. DayDetailPanel now publishes its live measured height to a root CSS var --day-panel-h (ResizeObserver, reset to 0 on unmount), and both map renderers lift the button above the panel when it's open, reusing the hasDayDetail prop they already receive: hasDayDetail ? calc(var(--bottom-nav-h) + 20px + var(--day-panel-h) + 12px) : calc(var(--bottom-nav-h) + 12px) Applied to both the Leaflet (MapView) and GL (MapViewGL) renderers. When the panel closes, hasDayDetail is false and the offset falls back to the bottom-nav value. Desktop is unaffected — the button is mobile-only. Tests: new DayDetailPanel case asserting --day-panel-h is published and reset on unmount; client tsc clean, full client suite green (2851). * feat(mobile): make the bottom-nav "+" context-aware per trip tab (#1349) On mobile the bottom-nav "+" always created a new place (except on the Costs tab, where it added an expense). It now matches the active trip tab: Bookings adds a reservation, Transports adds a transport, Costs adds an expense, and everything else (Plan, plus tabs that have no create modal — Lists / Files / Collab) keeps adding a place. Follows the existing ?create=<intent> pattern: BottomNav.useCreateAction emits the per-tab intent, and useTripPlanner consumes create=reservation|transport to open the booking / transport modals (both already mounted at page level). Place and expense were already wired; this just extends the mapping. Tests: 4 new BottomNav cases (plan/bookings/transports/costs → correct intent + navigate target); client tsc clean, full client suite green (2855). Implements mauriceboe/TREK#1349 * [+] Unsplash * [+] i18n * feat(trips): download chosen Unsplash covers into uploads (#1277) Previously a selected Unsplash photo was stored as a remote images.unsplash.com hot-link, so covers broke offline and on link rot. The trip PUT handler now fetches the picked image through the SSRF guard and saves it under uploads/covers, rewriting cover_image to the local path (502 if the download fails). Also debounces the cover search so a slow earlier request can no longer overwrite newer results, drops a dead userId parameter, and reverts an unrelated vite proxy change. * test(trips): cover the Unsplash cover download and search-race guard (#1277) Adds unit coverage for saveUnsplashCover (host check, content-type and size limits, download failure), the searchUnsplashPhotos error and success paths, and the PUT handler internalising a hot-link. Updates the existing PUT tests for the now-async handler. * fix(docker): keep server/reset-admin.js in the build context (#1339) The Dockerfile copies server/reset-admin.js (the admin recovery script), but .dockerignore also listed it, so it was stripped from the build context and the image build failed with a not-found error. Drop the ignore entry so the COPY resolves again. * fix(llm): stop the browser autofilling the LLM base URL (#1301) The AI-parsing base URL and model inputs had no autoComplete, so a browser password manager could drop the saved login email into the base URL field. In the admin addon config onBlur then fired a model lookup against e.g. "admin@trek.local", which the server rejected with 400. Mark the base URL and model inputs as type=url / autoComplete=off in both the admin addon config and the per-user connection section. * feat(appearance): add per-user appearance config contract Shared AppearanceConfig (color scheme, accent, transparency, per-tier type scale, density, reduce-motion and per-device dashboard widgets) stored as one JSON blob under the existing settings key. normalizeAppearance never throws, so a malformed/partial/future blob degrades to the neutral default and can never reach the DOM. No DB migration; the default reproduces today's look exactly. * feat(appearance): token-driven theme engine with schemes and FOUC-safe boot applyAppearance is the single writer of styling to the DOM (the .dark class plus data-scheme/-no-transparency/-density/-reduce-motion and the custom-accent/type-scale CSS vars). An external pre-paint /theme-boot.js replays a cached snapshot before first paint and complies with the production CSP (script-src 'self'), fixing the long-standing theme FOUC. Adds seven color schemes (incl. a true high-contrast that raises neutral contrast), a custom accent with auto-derived legible text, an extended token layer (accent variants, status/shadow/overlay/inverse), a scheme-gated legacy accent bridge, and a transparency-off layer. The default scheme sets no attributes, so existing users are unaffected. * feat(settings): appearance settings tab New Appearance tab with color mode (moved out of Display), color-scheme swatches, a custom accent picker with a live WCAG contrast hint, transparency and reduce-motion toggles, density, a global text-size slider with advanced per-tier controls, and per-device dashboard widget toggles. Edits preview live and commit on a short debounce. i18n keys added across all locales, translated for German. * feat(dashboard): per-device widget visibility with layout reflow Dashboard widgets (currency, timezones, upcoming reservations, atlas and the stat tiles) can be shown or hidden independently on desktop and mobile from the appearance settings. The stat grid spreads its visible tiles to full width, and disabling the right sidebar collapses the layout to a single centered column. * chore(appearance): add theme:lint guard for hardcoded styles A theme:lint script (modeled on i18n:parity) flags new inline color/fontSize literals and arbitrary-hex Tailwind classes that bypass the design tokens, so future code stays themeable. Map/PDF surfaces are exempt. The token taxonomy and the six theming rules are documented in src/theme/README.md. * fix(appearance): scale inline px font sizes so text-size reaches all content The global text-size control only set the root font-size, which scales rem-based text (navbar, menus) but not the dense inline px sizes used across the trip planner, budget, journey and panels — so place titles and addresses stayed fixed. applyAppearance now also exposes the factor as --fs-scale-text, and a codemod wraps inline numeric fontSize in calc(<px> * var(--fs-scale-text, 1)) across components and pages (map popups and PDF excluded). Sizes are byte-identical at 100%; the control now visibly resizes the actual content. * fix(appearance): clearer widget settings, density hint, solid surfaces with transparency off Dashboard widget settings are grouped by where they sit on the dashboard (below the hero / right sidebar / bottom of page); the right-sidebar master toggle now nests its individual widgets and greys them out when the sidebar is off, instead of a confusing flat list mixing the master with its children. Density gains an explanatory hint plus a real compact spacing effect. Transparency-off also solidifies the Atlas glass panels and tooltip, Leaflet zoom controls and GL popups — class-based surfaces via CSS, the Atlas inline panels via a noTransparency flag. * fix(appearance): keep i18n key parity and update the scaled-emoji test Add the new appearance settings keys (widget group titles, sidebar/density hints) to every locale so the strict key-parity check passes, and update the single-emoji chat test to expect the now-scalable calc() font size. * feat(appearance): granular per-size text scaling with live preview The text-size control now adjusts each size class (Large / Medium / Normal / Small) independently as well as all-at-once. Inline px sizes are mapped to a class by their value, so the per-class sliders reach real content; each class variable = global factor x its per-class factor (no double-scaling with the root font-size that handles rem text). The settings UI gains a live preview that resizes as you drag, and the four size sliders sit behind a clear toggle. * feat(appearance): show per-size text controls inline with examples The four size-class sliders (Large/Medium/Normal/Small) are now always visible instead of behind a disclosure, each with a live sample rendered at that size and an example of what it affects (e.g. Normal = place names/descriptions, Small = addresses/labels). * fix(appearance): shorten the Auto color-mode label to 'Auto' on mobile * fix(appearance): make the dashboard hero boarding-pass solid with transparency off * feat(appearance): mark the Readability section as experimental Transparency-off, density and per-size typography are best-effort while the token migration is ongoing, so the section carries an Experimental badge. Adds the i18n key across all locales. * chore(about): remove the monthly supporters section * refactor(settings): rename the Display tab to General and group its settings The Display tab became a catch-all once theming moved to its own Appearance tab, and its 'Display' label no longer fit. It is now 'General' (Allgemein) and split into 'Language & region' and 'Travel & map' sections. Tab labels and the new section titles are added across all locales. * refactor(admin): group the admin sidebar tabs into sections The admin sidebar had 11 flat tabs. PageSidebar now supports optional group headings (backward-compatible; the Settings sidebar stays flat), and the admin tabs are grouped into Users, Configuration, Integrations and Maintenance. Group labels added across all locales. * feat(help): embed the TREK wiki as an in-app help centre Add a Help section (profile menu, /help) that renders the GitHub wiki inside TREK. /api/help fetches the wiki markdown — the nav from _Sidebar.md, pages, and proxied images — from GitHub and caches it (1h TTL, serves stale on outage), so it auto-syncs on wiki edits with no redeploy and the client never calls GitHub directly. The page is styled to match TREK with a section sidebar, search and react-markdown; wiki [[links]] are rewritten to in-app routes and HTML-comment placeholders are stripped. Page state lives in a useHelp() hook per the page pattern. Adds nav.help and a help namespace across all locales. * feat(auth): explain the plain-HTTP secure-cookie gotcha on login When the server issues a Secure session cookie but the request arrived over plain HTTP (the common LAN install over http://ip:3000), the browser drops the cookie and the next request dead-ends on a bare "Access token required" — the top source of avoidable install issues. The login response now flags this exact case and the login page shows a localized box explaining the fix (use HTTPS, or set COOKIE_SECURE=false) with a link to the Troubleshooting guide. It only triggers in the real failure case, never for correct HTTPS setups. * feat(costs): Splitwise-like cost splitting Add per-payer and per-member custom split amounts with Equally, Custom and Ticket split modes on top of the existing equal split, keep legacy "paid by" expenses working, and document the modes in the Budget Tracking wiki page. * feat(i18n): add Vietnamese translations * chore(i18n): sync Vietnamese with latest dev keys Add the keys dev gained since this PR opened so the new vi locale keeps full parity: the help namespace (wiki help center), settings appearance options, costs split modes, dashboard Unsplash cover search, the insecure-cookie login hint, nav.help and the admin group labels. * feat(helm): Add existingClaim variable for custom PVC usage. * fix(helm): emptyDir is used as a fallback when persistence is disabled. * docs(helm): clean up existingClaim notes Strip stray zero-width characters from the persistence docs, move the PVC note out of the ENCRYPTION_KEY usage block into its own Persistence section in NOTES.txt, and document that persistence.enabled=false falls back to an ephemeral emptyDir. * feat(feeds): subscribable ICS calendar feeds for trips Adds TripIt-style live calendar subscriptions alongside the existing one-time .ics download. A trip (or all of a user's trips) exposes a secret, revocable feed URL that Google/Apple/Outlook poll to stay in sync. - Public read endpoints GET /api/feed/trip/:token.ics and /api/feed/user/:token.ics (no auth — the secret token is the credential), reusing the existing exportICS() generator and adding REFRESH-INTERVAL / X-PUBLISHED-TTL hints. - JWT-guarded token endpoints to generate (lazy, idempotent) and regenerate/revoke per-trip and per-user feed tokens; tokens stored in nullable feed_token columns. - All-trips feed excludes archived trips and trips ended >90 days ago. - UI: ICS toolbar button becomes a Download/Subscribe menu; modal offers one-click "Add to Google Calendar" (render?cid=webcal://) and a webcal:// link for Apple/Outlook, plus copy-link fallbacks. All-trips feed reachable from dashboard. - Feed base URL read from the existing APP_URL env var. Purely additive: new endpoints + two nullable columns, no breaking changes. Tests: server/tests/e2e/feeds.e2e.test.ts covers lazy token generate + idempotency, regenerate-invalidates-old, 401/404 auth+access, public feed content-type + hint injection, unknown-token 404, and the archived/>90-day all-trips exclusion. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> * harden calendar feeds: absolute URLs, real disable, folding, schema sync - Resolve feed URLs against the request host when APP_URL is unset, so the webcal:// / Add-to-Google links work on a default install (not just behind a configured reverse proxy). - Give the public link a real off switch: POST enables, PUT rotates, DELETE clears the token (feed_token = NULL). The subscribe dialog no longer mints a token just from being opened — the user opts in explicitly. - Fold ICS content lines at 75 octets (UTF-8 safe) in exportICS, so download and feed both stay RFC 5545-compliant for long/non-ASCII summaries. - Extract VEVENTs by structural line scan instead of a lazy END:VEVENT regex that user text could truncate. - URL-encode the Google Calendar cid; mirror feed_token into schema.ts. - Collapse the duplicated all-trips modal into the shared IcsSubscribeModal. * feat(mcp): add bulk_update_places tool Apply the same field values to many places in one call instead of one update_place per place — e.g. re-categorising 80 POIs at once. Adds the updatePlacesMany service (one transaction, trip-scoped, partial patch built on updatePlace) and the bulk_update_places MCP tool with the usual demo/access/place_edit guards and a place:updated broadcast per place. * feat(dashboard): show the year on trip dates from other years Trip dates only showed month + day, so trips from other years were ambiguous (#1323). Dashboard cards and the boarding-pass hero now include the year, and so does the shared formatDate (planner day headers etc.) — but only when it isn't the current year, so this year's trips stay compact. Order and punctuation follow the locale (EN "Sep 10, 2026", DE "10. Sep 2026"). * feat(places): bulk "change category" from the selection toolbar Closes the UI half of #1168: in the Places selection mode, a new tag button before delete opens a category picker that applies one category (or "No category") to every selected place in a single request. Adds a REST /places/bulk-update endpoint reusing updatePlacesMany, an offline-aware repo + store action that patches both the place pool and the day-assignment projections, undo grouped by each place's prior category, and the i18n keys across all locales. * feat(map): include the day's route in the map fit (#1128) Selecting a day already fits the map to that day's destinations; this also folds the route polyline into the bounds. BoundsController fits the destinations immediately, then re-fits once — when the day's route finishes computing asynchronously — to destinations + the full route, so a route that bulges past its stops (a detour or ferry) stays in view. One-shot per day selection, so later route-profile toggles don't re-zoom. * feat(offline): detect update conflicts on the server for places and packing Update handlers accept an optional X-Base-Updated-At token and reject a stale overwrite with 409, returning the current server row. An absent token keeps the existing last-write-wins behaviour, so older clients are unaffected. packing_items gains an updated_at column (migration + stamped on every insert) so it can take part in conflict detection too. * feat(offline): force-offline mode, selective sync and a conflict queue A force-offline override routes every read to the cache and every write to the queue; preparing for offline downloads trip data, documents and map tiles up front and waits for them to finish. Map tiles and individual trips can be left out of the cache. Queued edits carry the version they were based on so the queue can surface server conflicts for a keep-mine / keep-theirs decision; chained offline edits to one entity no longer conflict with each other, and evicting a trip preserves its unsynced writes. * feat(offline): Settings -> Offline controls and a status banner The Offline tab gains a force-offline switch, a prepare-for-offline download with progress, per-trip and map-tile storage toggles, and a conflict resolver with a default strategy. The floating status pill now reflects forced-offline and unresolved conflicts. * i18n(offline): offline settings strings across all locales * docs(wiki): document force-offline, selective storage and conflicts * feat(video): media_type discriminator + local gallery video upload (server) trek_photos gains a media_type column (migration) so the registry can hold video as well as images. A new POST :id/gallery/video endpoint accepts a video plus a client-captured poster (500 MB cap, video MIME/extension allowlist), stores the poster as the thumbnail, and the photo stream serves the poster for the thumbnail kind and the raw file (HTTP Range) for the original — without running the image thumbnailer on video bytes. * feat(video): play local gallery videos in the journey gallery Picking a video in the journey gallery now captures a poster frame + duration in the browser and uploads the raw clip; the grid shows the poster with a play badge and the lightbox plays it with a native video player (HTTP Range seeking). Images keep their existing HEIC-normalised path. No server-side transcoding. Server media_type work was committed separately. * feat(video): use Plyr for the gallery video player Swaps the bare <video> element for a Plyr-wrapped player so playback controls match a consistent, cleaner skin. The instance is created per source and destroyed on unmount, so the lightbox stops playback when you navigate away. * feat(video): link and stream Immich videos in the journey gallery Immich timeline and album listings no longer filter out videos; each asset now carries its media type, which the provider picker forwards when linking. A linked video streams through Immich's transcoded /video/playback endpoint, and the asset proxy forwards the viewer's Range header (and passes 206/Content-Range back) so the player can seek. Synology video stays excluded until its stream API is verified. Adds media_type/media_types to the provider-photos request contract. * test(photos): assert the forwarded Range arg on the original stream Follow-up to the Range-aware photo proxy. * feat(video): upload and play videos in the trip file manager The file manager (which already attaches files to a place/activity) now accepts video uploads up to the larger video cap — other types stay at the document limit — and the lightbox plays them with the Plyr player over the plain same-origin download URL, so cookie auth and HTTP Range both work. Videos are excluded from the offline blob prefetch so one clip can't evict a trip's documents. * fix(video): harden upload handling and fix video playback edge cases Security: the gallery-video poster is now always stored as .jpg instead of the client-supplied extension, so a poster declared image/* but named x.html / x.js can't be written with that extension and served inline same-origin; local gallery files are also served with X-Content-Type-Options: nosniff. Robustness: rejected/unauthorised uploads no longer orphan their bytes on disk (the gallery-video and file-manager handlers unlink before throwing); the file-manager per-type size cap is keyed on the extension like the filter, so a real video labelled application/octet-stream isn't wrongly rejected. UX: the file-manager thumbnail strip shows a play placeholder for video instead of a broken image; shared (public) journeys now return media_type and play videos with a play badge; and a poster-less video shows a neutral tile instead of a broken thumbnail. * test(video): update gallery accept selector + complete fileService mocks The gallery upload input now accepts image/*,video/* — update the two JourneyDetailPage selectors that matched the old value. The files/journey e2e suites mock fileService and were missing the new MAX_VIDEO_SIZE / isVideoExtension / isVideoMime exports, which broke module load. * test(video): cover the new upload-handler branches Add controller tests for the gallery-video route (success / no-video / not-allowed / cleanup-on-reject), the per-asset media_types loops (gallery + entry, batch + single), and the file-manager per-type cap + unlink-on-rejection — restoring branch coverage on src/nest above the 80% gate. * feat(bookings): add a dedicated URL field to reservations (#935) Bookings get a first-class url column (migration) instead of users pasting links into notes. It's editable in the booking modal and rendered as a clickable link on the reservation card. The reservation request schemas are open passthroughs, so only the entity schema + service SQL enumerate it. * feat(files): render uploaded Markdown files inline (#1345) Markdown (.md/.markdown) is now an allowed upload type and opens in a rendered preview in the file manager instead of just downloading. Reuses the existing react-markdown stack with rehype-sanitize (these are untrusted uploads, so output is sanitized) and detects markdown by extension first since browsers send unreliable MIME for .md. * feat(lists): reorder packing/to-do lists and private packing items (#969, #858) Add drag-to-reorder to the packing and to-do lists, mirroring the budget panel's native HTML5 drag pattern. A drag within a filtered/grouped view is mapped back onto the global order so untouched items keep their place, and the order persists optimistically via the existing reorder endpoints. Packing items can now be marked private (#858): a private item is visible only to its owner. createItem/bulkImport stamp the owner, listItems filters by the viewer, and the WebSocket broadcasts are scoped to the owner so a private item never reaches another member's screen — including the public/private toggle transitions. Owners get a lock toggle and a private indicator on their items. * feat(trips): transfer trip ownership to a member (#973) Add POST /api/trips/:id/transfer so the owner can hand a trip to one of its existing members. The swap runs in a transaction: the new owner takes trips.user_id and the former owner is kept on as a regular member, so nobody loses access. The endpoint is owner-only, writes a trip.transfer_ownership audit entry and broadcasts the refreshed trip. The members modal gains a "Make owner" action, shown only to the current owner. * i18n: translate the booking link field across all locales (#935) Fan out reservations.urlLabel / reservations.urlPlaceholder to the remaining locales so the dedicated booking URL field is localised everywhere. * fix(packing): drop the always-true guard in the row drag handler (#969) The onDragOver guard `drag.isDragging || true` is a constant condition (eslint no-constant-condition). The handler is already gated by canDrag, so run the drag-over logic directly, matching the to-do row. * feat(trips): guest members for accountless participants (#1362, #1291) Add "guest" trip participants — people without a Trek account who can still be assigned to costs, packing, to-dos and day-plan activities. A guest is a credential-less users row (is_guest=1) joined into trip_members, so it is assignable everywhere a real member is, with the cost-splitting, settlement, packing and assignment paths working unchanged. Guests are firewalled from everything account-related: they can never sign in (password, OIDC and reset lookups skip them), never appear in the global user directory, the member-add picker or admin user management, are never resolved as notification recipients, can't be invited to another trip, and can't be made owner. The trip owner manages guests from the share dialog in a dedicated, clearly-labelled section (add / rename / remove), and guests carry a "Guest" badge wherever members are picked. All 22 locales stay in parity. * feat(packing): three-tier sharing — personal, shared-with-people, common pool (#858) Rework the private-packing flag into a full sharing model. Every item is now Common (the group pool — where all existing items live, so nothing breaks), Personal (private to its owner) or Shared with specific people (it shows up on those travelers' own lists, marked "by <bringer>"). is_private discriminates restricted from common; a new packing_item_recipients table holds who a shared item covers, and packing_item_contributors records "I can bring that too" pledges on Common items. The panel gains a Gemeinsam / Meine Liste view switch, each item a sharing control (owner sets the tier + the people it covers), and Common items can be co-brought or cloned onto your personal list. Visibility is enforced server-side in listItems and the WebSocket broadcasts are scoped to exactly who can see an item across every tier transition. All 22 locales stay in parity. * style(packing): small gap between the list and the luggage sidebar divider The luggage sidebar's left border sat flush against the right-hand category card. Add a little left margin so the divider has minimal breathing room. * feat(map): group GL place markers into clusters on zoom-out (#1385) MapLibre/Mapbox showed every place as its own rich HTML marker with no grouping when zoomed out, unlike the Leaflet map. Feed the place points through a clustered GeoJSON source: clustered points render as a dark count bubble (click to zoom in and expand) while the rich HTML photo markers are only drawn for the points the source reports as unclustered. Always on, matching the Leaflet MarkerClusterGroup. * fix(map): match the GL place hover tooltip to the Leaflet map (#1385) The MapLibre/Mapbox hover showed an anchored popup with a large photo thumbnail, completely unlike the Leaflet map's slim, cursor-following name/category/address card. Drop the anchored photo popup for places and render the same cursor-following overlay the Leaflet map uses (no photo, matching fonts/padding/shadow), so the two maps hover identically. * feat(collections): backend for the Overall Places addon (#1081) Adds the Collections addon backend: a server-wide-per-user library of saved places, independent of any trip, with multiple named lists, an idea/want/visited status, and Vacay-style fusion invitations to share a list with other users. - Data: collection / collection_members / collection_places / collection_place_tags tables (+ migration and baseline schema). Saved places carry the owner plus a nullable saved_by so a member deleting their account can't drop shared content. - Service: list + place CRUD with owner-or-accepted-member visibility, dedup, status, save-from-trip and copy-to-trip (reusing the trip copy column list), and the full fusion-invitation state machine mirrored from vacay (send / accept / decline / cancel / leave) with a websocket broadcast and an invite notification. Deleting a list snapshots its members and notifies them. - NestJS module + addon guard (404 before auth), registered in the app module. - Widens the place photo cache reference check to count collection places so the nightly sweep no longer evicts photos a saved place still uses. - collection_invite notification wired across all 22 locales. * feat(collections): /collections page, entry points and i18n (#1081) Adds the client side of the Collections addon: - A distinct /collections page (Atlas pattern, page/hook split) gated behind the addon: a multi-list rail, a Grid (default) / List / Map view switch, the idea/want/visited status with a one-tap badge, search and status filters, and considered empty states. Store + hook + model + websocket wiring; the place detail reuses the trip place inspector via a mode guard. - Entry points: a "Save to Collection" button next to Open-in-Google-Maps in the place inspector (and the two sidebar context menus), a "Copy to trip" modal, and a desktop-only two-column add-place picker (mobile keeps the single-column form). - The collection namespace and the new keys across all 22 locales. * feat(collections): fusion sharing UI + dashboard widget + per-user toggle (#1081) - ShareCollectionModal: the owner manages a list's members and invites users (available-users picker → invite, cancel pending); a member can leave a shared list. The incoming accept/decline surface stays in the lists rail. A Share button is added to the collections header for owners (and members, to reach Leave). - CollectionsWidget: a dashboard glass card after the currency widget showing the saved count and the most recent saved places, double-gated by the admin addon and a new per-user appearance flag. - Appearance: a 'collections' dashboard-widget flag (desktop + mobile defaults) wired into the appearance settings, surviving normalize. - Sharing + settings strings across all 22 locales (parity strict passes). * feat(collections): redesign the page on the dashboard glass language (#1081) Rebuilds the /collections page from the functional placeholder into the dashboard's glass visual language (light + dark): - A colour-washed hero per list: eyebrow + member avatars, big title, and stat chips (All / Idea / Want / Visited) that double as the status filter. - A sticky glass list rail (owned + shared + invites) with a mobile drawer. - Gradient/photo cover place cards modelled on the trip cards, via a new rectangular PlaceCover (photoService-backed, gradient fallback) + a shared gradients util. List and map views restyled to match. - Status pill rendered as a role=button span so it survives the .trek-dash button reset and can nest inside the card; the share member-count badge is now owner-only. - New hero eyebrow strings across all locales. * feat(collections): list+map split, taller rail, list-menu popover fix (#1081) - List view splits into a scrollable list + a sticky map on wide screens; clicking a place pans/highlights it on the map (single selectedPlaceId, no inspector over the map). Narrow screens keep the single-column list. - Keep the list rail at least as tall as the hero (measure the hero via a small useElementSize hook and feed its height as the rail's min-height). - List row kebab menu: portal the menu/colour popover to the body so the rail's overflow + backdrop-filter can't clip it ("renders only in the module"), and fade the place count on hover so the kebab stops overlapping it. * feat(collections): list+map default, map-only toggle, deselect + tooltip fixes (#1081) - Drop the grid/tile view. The list view is now the default and, on wide screens, a list + persistent map split; a top-left control on the map collapses the list to a full-width map (and back), animating smoothly (the map stays mounted and is nudged to re-layout during the transition). The place search moves onto the map (top-right); mobile keeps a list/map toggle. - Let a place be deselected again: clicking it once more, clicking the map background, or picking another all toggle the selection (collections map now wires onMapClick). - Fix the stuck hover tooltip: selecting a place swaps its marker's DOM node so the browser never fires mouseout/mouseleave, orphaning the fixed-position tooltip (it hung on screen and drifted with scroll). Both map stacks now clear the hover on selection change and on scroll. - Remove CollectionGrid + PlaceCover; add hero eyebrow + map control strings. * feat(collections): list details, place detail sheet, add-place, fusion kick (#1081) Dashboard widget (B): the collections tool now shows the user's LISTS as compact colour-washed badges (cover image tinted with the list colour, or a gradient) that jump to the list — one list() call, no N+1. List details (C): lists gain a description, a custom cover image (uploaded to /uploads/covers, tinted with the list colour in the hero) and links. A shared ListEditorModal handles both create and edit; the hero shows the description + link chips. New `links` JSON column on collections + collection_places (migration 151) with parse/serialize in the service; a POST :id/cover upload endpoint mirroring trips; cover-file cleanup path-confined locally. Place detail (D): clicking a place opens a bottom sheet (no backdrop, so the map stays visible) — status cycle, copy-to-trip, remove, and an edit mode with a markdown description + links editor (collectionsApi.updatePlace, now wired via a store action). A "+" next to the search adds a place to the list via the maps search. Fusion + fixes (E): the owner can now remove an accepted member (kick) — new removeMember service/route/store + a button in ShareCollectionModal, with a collections:removed WS bounce. findMembership no longer matches on name alone (coordinate proximity required, killing "Starbucks everywhere" false positives). loadCollection swallows a 403/404 after a leave/remove so the URL sync can't throw uncaught. Grid remnants gone; the map select toggle moved onto the map. New strings across all 22 locales; i18n parity strict passes. * fix(collections): review follow-ups on the B–E work (#1081) - Block the list-cover upload in demo mode (mirror the trips cover endpoint). - Restrict list/place links to http(s) (schema) and normalise scheme-less URLs to https:// on save, so a bare "booking.com" no longer resolves as a relative SPA route (and javascript:/data: hrefs are rejected). - Place detail: surface save errors with a toast instead of silently swallowing a 400 and leaving the sheet stuck in edit mode. - List editor: don't create a duplicate list when a retry follows a cover-upload failure (reuse the created id); revoke the cover preview object URL. - Map controls: one top bar (left toggle/select, right add/search) so they can't overlap on a narrow split map — the search shrinks instead. - Dashboard list badge: full-opacity colour wash so the name stays legible over bright covers. * fix(collections): detail-sheet, edit-refresh, map + rail polish (#1081) - Editing a place (status, description, title, …) no longer reloads the view or closes the detail: the WS echo now refreshes via loadCollection, which keeps the current selection + select-mode instead of setActive resetting them. - Place detail: docks over the list column on the desktop split (measured rect) instead of centred over the map, and the card is now opaque (was too see-through). - Map: click a marker in full-map view to drop back to the split; picking a place scrolls its list row into view; the select toggle is disabled in full-map view; the floating controls are one non-overlapping top bar and less transparent. - Hero: drop the New-list button (it's already in the rail). - Rail: the kebab is always visible (easy to hit); menu is Edit + Delete only (colour moved into the editor); "Rename" → "Edit". - Add-place: pick a result, then set description (markdown) / links / status before saving, all in one step. - Share modal: member roster as cards with clearer role badges + a count. * feat(collections): detail redesign + categories, close-on-map, highlight fix (#1081) - Rebuild the place detail as a clean, opaque, sectioned sheet (cover → meta → status segment → description → links) with a proper footer action bar — the loose "white lower half" is gone. - Assign a place to a central (admin-defined) category, both in the detail edit and when adding a place; categories are fetched once for the page. - Add-place now sets category + description (markdown) + links + status in the same step, closer to the trip's place form. - Switching to the full-map view now closes the (list-docked) detail. - Fix the selected-row highlight: it was clipped by the column's overflow — use an inset ring and only clip during the map-collapse animation; a picked row now scrolls into view above the detail sheet. - New category strings across all 22 locales. * feat(collections): filters, add-place popup, category badges, map-click hardening (#1081) - Map: markers no longer rebuild on every unrelated re-render (memoised the mappable list + only update the hero size when it really changes), the floating controls bar is click-through except its buttons, and the collection map runs with the hover tooltip off. Together these stop a marker click from landing on a mid-rebuild element / the tooltip so the pick actually registers. - Filters moved out of the hero into a compact status + category dropdown row above the places (custom dropdowns); the hero no longer carries the stat chips. - Add-place is a single popup now: search fills the location, and name / status / category / description / links are all editable together before saving. - Category shown as a badge top-left on the detail cover and next to the status in each list row (divided by a hairline). - Slimmer hero: shorter, tighter spacing, links tucked into the eyebrow row instead of their own line. * feat(collections): hero edit/share row, place photos, edit-echo fix, wider page (#1081) - Editing a place (category, status, …) no longer reloads the view: the mutating client's own socket is now excluded from the WS broadcast (x-socket-id threaded through save/update/status/delete + list update/cover), so the optimistic update stands on its own instead of being chased by an echoed refetch. - Detail sheet pulls a higher-res cover photo from the maps provider when the place has no image of its own (the avatar thumbnail was too low-res). - Hero: Share moved onto the title row (no more empty top band) with an Edit button beside it; editing/deleting a list now happens there. The list rail drops its per-row kebab entirely (and with it the janky open animation). - The list editor can delete the collection from its footer (owner only). - Wider, screen-relative page (max-width min(2100px, 95vw)). - List rows: the place avatar no longer shrinks when the address is long. * fix(collections): copy-to-trip labels + Unsplash cover search (#1081) - Copy-to-trip modal showed blank rows: trips are keyed by `title`, not `name`, so nothing rendered. Read `title` and add the trip's date range under it. - List editor gains an Unsplash cover search (same source as trip creation) next to the upload button; picking a photo sets it as the list cover. - Add-place result rows: pin keeps a hard min width so a long address can't squeeze it. * fix(collections): stop the address pin from shrinking on long addresses (#1081) The little map pin in front of a place's address sits in a flex row with the address text but had no flex-shrink guard, so a long address squeezed the icon smaller. Pin the SVG to its size. * fix(collections): white screen when editing a place (undefined in places) (#1081) updatePlace wrote `res.place` into the places list, but the endpoint returns the updated place directly (not wrapped in { place }, unlike savePlace) — so an `undefined` slipped into the list and the category-filter's presentCategories() crashed on `undefined.category_id`, blanking the whole page. The WS echo used to mask it by refetching; excluding the editor's own socket exposed it. - Read the updated place directly and guard against a falsy response. - Fix the api return types to match (updatePlace/setStatus return the place). - Harden filterPlaces / statusCounts / presentCategories / mappablePlaces against a stray undefined entry so a single bad row can never white-screen the page. * feat(collections): select toolbar — select-all, move/duplicate to another list (#1081) - The select toggle now sits at the right of the filter row (same height as the status/category dropdowns) instead of the top toolbar. - Select mode gains a "select all / deselect all" toggle and shows even with nothing selected yet. - Selected places can be moved or duplicated into another of your lists via a target-list picker (move re-points collection_id; duplicate re-saves the place data, carrying description / category / notes / etc.). - New strings across all 22 locales. * style(dashboard): accent follows the user's theme instead of a fixed orange (#1081) The .trek-dash scope (dashboard, collections, vacay, atlas) hardcoded an orange accent, ignoring the appearance theme. Drop the override so --accent inherits the theme tokens (index.css): monochrome black/white by default, coloured per data-scheme / custom accent. --accent-ink/-soft now map onto --accent-on/-subtle, and accent-filled elements use --accent-text for legible text on any scheme. Category colours are set explicitly per element and stay untouched. * fix(collections): saved-places picker height + list filter, all-saved first-load (#1081) - Trip "Saved places" picker: drop the fixed 360px cap so the list fills the panel instead of stopping half-way, and add list + status filter dropdowns (filter by which collection the place is saved in). - "All saved" showed nothing on first open: setActive(ALL_SAVED) unioned the lists from the store, but on first load those aren't fetched yet (loadAll still running). Load them first when empty so the union isn't blank. * test(collections): unit-test the nest controller (branch coverage) (#1081) The collections nest module had no controller test, dragging src/nest/** branch coverage below the 80% gate. Cover the controller's branches: reorder/deleteMany payload validation, owner-gated invite/cancel/remove/available-users, invite + accept error surfacing, the cover demo-mode + no-file guards, and the x-socket-id forwarding on the mutating endpoints. * fix(collections): mobile polish — touch targets, safe-areas, overflow (#1081) From a mobile UX audit of the collections page: - Detail sheet: the read-mode footer no longer clips "Remove from list" (it wraps, drops the growing spacer) and clears the home indicator (safe-area padding, 84dvh instead of 84vh). - Bigger touch targets on phones (≥40px): view toggle, filter dropdowns, select-bar buttons, detail close/actions, drawer rail rows, and the interactive status badge (enlarged tap area via a pseudo-element, look unchanged). - Select action bar breaks its bulk actions onto their own line instead of stranding them behind a growing spacer. - Lists drawer honours device safe-areas and gets an explicit close button. - Page honours the top safe-area and goes full-width on phones (drop the 95vw cap); filter popovers cap their width so long category names don't overflow. - Add-place: Cancel/Add pinned in the modal footer (reachable without scrolling), status pills wrap. - Drop dead hero mobile CSS left over from the hero refactor. * feat(collections): per-member permission roles on shared lists (#1081) The owner now assigns each member a role — viewer (read + copy-to-trip only), editor (default: add + edit places) or admin (full incl. delete). The owner is always full. Existing members default to editor via migration 152, so nothing regresses. - Server: role column on collection_members (migration 152 + schema); roleOf + assertCanEdit (save/update/status/list-meta) + assertCanDelete (delete) layered on assertAccess; sendInvite takes a role; new setMemberRole (owner-only) + POST members/role; members payload carries each role. - Client: Share modal gains a role picker on invite and a per-member role select for the owner (read-only role badge for others); the page hides add / edit / status / move / delete for roles that can't perform them (server still enforces). - Roles in all 22 locales; service + controller tests for the new gating. * feat(collections): bulk-add selected trip places to a list (#1081) Add a "Save to collection" action to the trip place list's selection bar (next to bulk category + delete): it opens a list picker and copies every selected place into the chosen list in one request, instead of one-by-one from each place. - Server: saveFromTripPlaces (one access check + one WS notify), POST places/from-trip-many; dedups by name/coords, skips missing ids, honours force. - Client: saveFromTripMany api + SaveTripPlacesToListModal; the selection-bar button is gated on the collections addon being enabled. - Copy count / skipped-duplicates toast; strings in all 22 locales. - Service + controller tests for the bulk path. * style(collections): custom dropdown for the permission role pickers (#1081) Swap the two native <select> role pickers in the share modal (invite + per-member) for the app's CustomSelect (portal dropdown, size sm) so they match the rest of the UI instead of the browser's native control. * style(collections): widen the share modal (#1081) * test(collections): client component tests + select in All saved, off the map (#1081) - Add client tests for the new collections UI (80 tests): collectionsModel (incl. the undefined-entry guards that fix the white-screen regression), StatusBadge, CollectionFilterBar, CollectionList, CollectionPlaceDetail (permission gating), MoveToListModal. - Offer the select toggle in "All saved" too (server enforces per-place rights). - Drop the now-duplicate select button from the map controls (it lives in the filter row). * docs(wiki): add Collections addon page (#1081) New wiki/Collections.md in the style of the other addon pages (lists, status, categories, adding/bulk-adding places, place detail, filters + bulk actions, fusion sharing with member roles, dashboard widget). Add it to the Addons overview table + the sidebar navigation. * feat(date-picker): add month/year drill-down navigation and keyboard input trigger - Add three-level calendar view (days → months → years) via clickable header label, allowing fast navigation to distant dates without repeated arrow clicks - Replace double-click text input affordance with a visible keyboard icon button; compact/borderless variants show the icon in the calendar footer - Pre-fill text input with locale-aware numeric date (DD.MM.YYYY) when a value is already selected - Add aria-label and aria-pressed to all interactive calendar elements for screen reader support - Update existing tests to reflect new two-button trigger layout - Add FE-COMP-DATEPICKER-018 through 027 covering drill-down view transitions, prev/next behaviour per view, aria-pressed state, and keyboard icon trigger * fix(date-picker): locale-aware keyboard input parsing and i18n control labels - Replace fixed-order date parser with locale-aware implementation using Intl.DateTimeFormat.formatToParts to detect field order; adds swap fallback for unambiguous inputs (day > 12) to handle locale mismatches gracefully - Pre-fill keyboard input with locale-formatted numeric date (e.g. 14.06.2026) instead of raw ISO value - Replace all hardcoded English aria-labels and titles with t() calls; add new keys under common.datepicker.* namespace across all locale files - Update FE-COMP-DATEPICKER-013 to use unambiguous day value (> 12) to avoid locale-dependent test failures * fix(date-picker): add missing locale file and fix let-to-const lint error - Add missing common.datepicker.* keys to overlooked locale file - Change reassigned `let` to `const` where value is not mutated to satisfy lint rules * chore(i18n): backfill datepicker keys for sv + vi locales added on dev * fix: back-merge v3.1.4 hotfixes into dev (#1371) Port the three main-only fixes onto dev's (post-rewrite) architecture: - fix(backups): prevent recursion when the backup path sits inside the backed-up dir - fix(share): convert budget items to the viewer's base currency instead of a flat EUR - fix(files): surface the descriptive server error for unsupported upload types (#1363) Cherry-picked from 819aa793 on main; the SharedTripPage and useTripPlanner conflicts were resolved to keep dev's font-scaling and full import set while taking the fixes' currency conversion and translateApiError wiring. * fix: resolve a batch of reported bugs (planner, budget, atlas, bookings, mobile) - #1394 planner: two transports on one day no longer draw a phantom airport→airport road route between them (a run is only a drive when it holds a real place); mirrored in the map hook and the sidebar's leg list, with a regression test. - #1392 planner: the per-day Route button now points the selection at the tapped day before toggling, so on mobile it computes that day's route instead of the previously selected one, and only the selected day's button reads as active. - #1372 planner: the "open in Google Maps" route now includes the day's hotel bookends, matching the drawn map route. - #1375 planner: a multi-day accommodation no longer thrashes the plan scroll — the auto-scroll lock keys on the selection identity, not the per-day row. - #1377 planner: the reset-orientation compass is now shown on small screens too. - #1382 budget: settlement nets in the trip's canonical currency and converts to the display currency once, so balances no longer drift with live FX and no phantom third-party micro-flows appear (identity, hence unchanged, when they're the same). - #1366 atlas: countries reached only by a transport booking (no lodging/place) now count as visited, on both the dashboard and the Atlas page. - #1383 bookings: a hotel linked to an accommodation shows only its day-range, not a duplicate stamped date row, and the range stays correct after an edit. - #1353 bookings: any non-hotel reservation can now link an existing trip place/activity. - #1390 i18n: fix the Polish word for "buddies" (Towarzysze → Współpodróżnicy). - #1265 planner: drag-and-drop of places now works on touch devices via a polyfill. * feat(planner): add an "Open in OpenStreetMap" button to the place inspector Next to the existing "Open in Google Maps" action, add an OpenStreetMap button that opens the place on openstreetmap.org (a marker at its coordinates, or a name search when it has none) — the same map source TREK already renders, and a jumping-off point for OSM-based apps like OrganicMaps / CoMaps. Requested in discussion #880. Strings across all 22 locales; a unit test for the URL builder. * feat(planner): shorten the map-open button labels to "Google Maps" / "OpenStreetMap" * feat(planner): show a day's route distances inline on mobile Seeing the driving/walking distances between a day's places on mobile meant tapping the day (which closes the plan sheet), reopening it, then tapping Route. Now the per-day Route button in the mobile footer toggles that day's leg distances in place, so the sheet stays open and you get the distances between places without selecting the day first. The leg computation runs for every route-toggled day instead of only the selected one, and the leg/hotel-bookend maps are nested per day so several toggled days can't overwrite each other's segments. Desktop is unchanged. Discussion #1374 * feat(oidc): use the picture claim as avatar when none is uploaded When a user signs in via OIDC and hasn't uploaded a custom avatar, their `picture` claim is now used as their avatar. The users.avatar column holds either an uploaded file name or an absolute https URL from the claim, and a single resolver on each side (server avatarUrl, client avatarSrc) renders both. An uploaded avatar always wins and is never overwritten; the picture refreshes on each login otherwise. Only https URLs are stored, matching the image CSP. All the scattered /uploads/avatars/ builders now go through the resolvers, which also fixes collection member avatars that were rendering a bare file name. Discussion #1399 * feat(trips): trip invite links + optional trip binding on admin invites Trip invite links (#1143): each trip can have one rotating invite link in its Share panel. An existing, logged-in user who opens /join/<token> is added to the trip as a member; an anonymous visitor is sent to the login page and returned to the invite afterwards — there is no registration from this link. Reading, rotating or disabling the link all require the share_manage permission. Admin invite trip binding (#1402): the admin create-invite dialog can now bind a registration invite to a trip. Someone who registers via that link is auto-added to the trip as a member (password and OIDC paths), inside the same atomic step that consumes the invite. Adds a trip_invite_tokens table and a nullable invite_tokens.trip_id, a shared owner-safe/idempotent add-by-id helper, the manage + join endpoints, the JoinTripPage and Share-panel section, the admin trip picker, and the new i18n keys across every locale. Wiki updated. Discussion #1143 * fix(join): extract JoinTripPage state into a useJoinTrip hook The page container held useState/useEffect directly, tripping the CI page-pattern check. Move the token preview + accept logic into a co-located useJoinTrip() hook; the page is now a thin presentational shell. * feat(costs): filter expenses by category and by a single day Adds two filter dropdowns next to the Search Expenses field (height-matched to it): one filters by expense category, the other narrows to a single day. Selecting a day shows a prominent summary banner with that day's total, and hides the now-redundant per-day header. Both filters work on the desktop and mobile layouts and compose with the existing search + all/mine/owed filters. New i18n keys (costs.filter.allCategories / allDays, costs.expensesCount) across every locale. * fix(admin): use TREK's CustomSelect for the invite trip picker The "add to trip" dropdown in the admin create-invite dialog was a native <select>; swap it for the shared CustomSelect so it matches the rest of the UI (searchable once there are many trips). * feat(planner): public transit routing via Transitous (#1065) Each day header gets a transit button (replacing the rename pencil, which moved next to the day name in the day detail panel). It opens a route search backed by Transitous/MOTIS — free, open data, no paid provider: from/to stop search with the day's own places as quick picks, depart/arrive time, mode filters (train, subway, tram, bus, ferry, cable car) and ranking by best route, fewer transfers or less walking. Results show local times, duration, transfers, walking time and line badges in their official colors, with a stop-by-stop breakdown per connection. Adding a connection saves it as a regular transport reservation — typed by its dominant leg, timed from the itinerary's wall-clock departure/arrival converted to station-local time (tz-lookup), with the origin, transfer stops and destination as endpoints and the compact legs in metadata.transit. It slots into the day timeline by time and inherits editing, deletion and drag-reordering from the existing transport machinery; the transport detail view renders the full itinerary. Re-saving a transit transport through the edit modal preserves the stored itinerary while the route is unchanged. The server proxies the Transitous API (JWT-guarded, rate-limited, identifying User-Agent, short response cache, strict mode whitelist); TRANSIT_API_URL lets self-hosters use their own MOTIS instance. New i18n keys in every locale, wiki page updated. Discussion #1065 * fix(build): declare tz-lookup as a client dependency It was present in the lockfile but undeclared, so the local install had it while the Docker client build (npm ci --workspace=client) did not. * test(maps): add buildUserAgent to the mapsService mock transitService imports it at module load, and the full-app integration boot now pulls the transit module in — the factory mock lacked the export. * feat(planner): make transit journeys first-class entries (#1065) A saved transit route is now its own reservation type instead of piggybacking on train/bus: it gets a tram icon and its own color everywhere, and the day timeline renders the itinerary inline — line badges in their official colors with walk segments, plus the transfer count and walking time — instead of a generic transport row. Clicking the row opens the itinerary view (journey summary, stop-by-stop legs with times, platforms, headsigns and operators) rather than the edit form; editing stays reachable from an Edit action inside that view. The transit type is registered across the timeline merge, transport modal, reservations panel, file manager, map overlays and detail panels, with a translated type label in every locale. * feat(planner): integrate transit into the transport system as Automated mode The add-transport dialog gains a Manual/Automated switch: Automated embeds the public-transit search (day picker + from/to + modes + preferences + results) right in the dialog, and the day header's tram button opens it directly in that mode. The standalone search modal is gone. Saved journeys get their own roomy journey view — the stop-by-stop itinerary (times, platforms, lines, headsigns, operators) together with the editable booking fields, delete, and a "Change route" action that re-runs the search pre-seeded with the journey's origin/destination and replaces the itinerary on save. The generic transport form no longer opens for transit entries, from the timeline or from the Transports tab, where journeys now sit in their own "Automated public transit" section with their line badges on the card. New i18n keys in every locale; wiki updated. * feat(planner): polish the transit journey UI and fix its tab placement Transit entries were classified as bookings by the planner's transport-type list and landed in the Bookings tab — they now sit in the Transports tab's own section, rendered as proper journey cards (tram icon, arrow title, leg chips, journey stats) instead of the generic booking card. The journey modal got a redesign: the title renames inline in the header with an icon arrow, the stats become three full-width tiles (duration / transfers / walking, each with an icon), status and booking-code fields are gone, and notes take the full width with a markdown write/preview toggle. The Automated search mode gains a proper header (icon, hint, day picker) and the day-plan row now shows walks with their minutes inside the chip sequence (🚶 3 › U2 › 🚶 3) instead of a detached direct/walk summary. "A → B" titles render with an arrow icon everywhere. The Transports tab's add button is simply "Transport" now that the dialog covers both modes. * test(nav): the bottom-nav add button is labelled Transport now * feat(planner): markdown toolbar for journey notes + calmer transit search form The journey notes gain a proper markdown toolbar (bold, italic, strike, heading, list, checklist, link, code) that wraps the selection or prefixes the current lines. The transit search options settle into one calm card: depart/arrive + time + date and the ranking preference share the top row, the mode filters and the search button share the bottom row, with the mode chips restyled from heavy filled pills to quiet toggles. The day-plan row drops the transfer count — the leg chips already tell the story. * feat(planner): badge meta rows + inline itinerary expansion for transit Dot-joined meta text becomes quiet badge chips everywhere transit facts are listed: the journey modal's per-leg line (time, duration, stops, headsign with an arrow icon, operator de-emphasised), the search results' leg details, and the Transports-tab journey card (day, date, time span, duration — the transfer count is gone from the card). The day-plan transit row swaps the map-connections toggle for an expander: the chevron folds the stop-by-stop itinerary out right inside the timeline — times, line badges, stations with platform and stop counts — sized for the sidebar. * feat(planner): walk legs as centred dividers + journey-card note line Walk segments in the journey modal and the day-plan inline itinerary collapse from two lines into a single centred divider — dashed rules left and right, the walk in the middle (foot icon, destination, minutes). Leg meta badges sit tighter under their titles. The Transports-tab journey card shows a dimmed first-line note preview, and the journey modal now reads the reservation from the live store, so an update is visible the moment the entry reopens. * feat(map): draw transit journeys along their real rail and bus alignments MOTIS leg geometry (encoded polylines) now travels through the proxy and is stored per leg, so both map renderers draw the journey along the actual tracks instead of a straight line: colored cores in each line's GTFS color over a white casing, walks as dotted grey connectors. Transit journeys are always visible on the map — they are part of the plan itself, not an opt-in overlay — and the day route already anchors to their stations, so the journey slots into the route computation end to end. Entries saved before this keep the straight-line fallback. Also: stronger dashes on the walk dividers, notes open rendered (preview tab) when present, and MOTIS's START/END placeholders are replaced with the places the user actually picked. * fix(planner): elegant walk-divider hairlines + proven notes preview The walk dividers switch from dashed borders to 1px hairlines that fade towards the outer edges — strongest next to the walk text. A regression test pins the journey modal opening existing notes on the rendered markdown preview rather than the raw text. * fix(map): transit polish — earlier label collapse, route-toggle coupling, md note preview Station badges on transit journeys collapse to icon dots much earlier when zooming out (label threshold 900px instead of 400). The drawn transit paths now ride the day-route toggle: turning the route off hides them too, since they are part of the computed route. The journey card's note preview renders its first line as inline markdown instead of raw asterisks. * fix(settings): booking route labels default to off The map endpoint labels only render when the user explicitly enables them; an unset preference now means hidden, matching the calmer default the transit paths brought to the map. * style(settings): TREK-styled text-size sliders The appearance tab's native range inputs become proper TREK sliders: a thin pill track filled up to the current value in the accent color, with a soft round thumb that scales slightly on hover/drag. * fix(planner): mobile layouts for the transit popups The journey modal and the transit search now lay out properly on phones: from/to stack vertically with the swap rotated between them, the ranking segment and search button go full width, the day picker in the automated header spans the row, the three stat tiles compress to centred mini tiles, the itinerary tightens its gutters, and the footer wraps with an icon-only delete. Desktop is unchanged. * fix(planner): tighter mobile transit search + vertical journey itinerary * fix(planner): wrap-safe mobile itinerary text — platform below the stop, minutes-first walks * feat(plugins): plugin system scaffold — registry tables + admin panel First slice of the plugin system. Lays down the data model and a read-only admin surface; nothing executes yet. - Migration 155: plugins, plugin_meta_migrations, plugin_error_log and plugin_settings_fields tables. Plugin data will live in a per-plugin sqlite file under /plugins-data, never in these tables. - New Nest module server/src/nest/plugins with GET /api/admin/plugins (admin-gated, returns the installed list + the runtime-enabled flag). - TREK_PLUGINS_ENABLED kill switch (config.pluginsEnabled), off by default. - Admin → Plugins tab with a read-only panel: installed list, status badges, and a clear banner when the runtime is disabled by server config. - i18n keys for the tab and panel across all locales. Install, activation, the isolated runtime and the registry browser follow in later slices. * feat(plugins): isolated per-plugin runtime + capability RPC (M1) Every plugin now runs in its own forked child process with a scrubbed env (no JWT_SECRET, no db path, nothing inherited). It talks to TREK only over a JSON-RPC channel, and the host's capability router registers ONLY the methods a plugin's granted permissions unlock — so an ungranted call is unreachable, not merely refused. The plugin's own data lives in a separate sqlite file it can never open directly; core reads (trips/users) go through membership-checked, column-projected host methods; ws broadcasts are force-namespaced. - protocol/envelope: the wire types + method→permission map (pure, shared by host and the isolated child) - host/rpc-host: the capability router = the enforcement point (dispatch, BAD_PARAMS / PERMISSION_DENIED / RESOURCE_FORBIDDEN / UNKNOWN_METHOD) - host/plugin-data: the per-plugin sqlite file (db:own), guarded against ATTACH/PRAGMA escape, idempotent migrations - host/create-rpc-host: wires the router to the real db/websocket (host-only) - runtime/plugin-sdk + plugin-host-entry: the child bootstrap + definePlugin ctx; turns each ctx call into an RPC, never imports a privileged module - supervisor: spawn on activate, heartbeat/reap, crash backoff + auto-disable, graceful shutdown — a plugin crash/OOM/hang can never reach the Nest loop - paths: code/data layout, dist-vs-tsx child entry resolution Nothing is wired into activation yet (that's the next slice); exercised by unit tests for the router/sdk/data and an integration test that forks a real child. * feat(plugins): activation, HTTP route proxy + instance settings (M2) Wires the isolated runtime into TREK. Admins can now activate a plugin from the panel and its HTTP routes work end to end, still behind the kill switch. - PluginRuntimeService owns the supervisor: activate spawns the child with its granted permissions + decrypted instance config, deactivate kills it, status and errors are persisted to the plugins / plugin_error_log tables, and active plugins are booted on startup (OnModuleInit). - Bidirectional RPC: the child now handles host→child invokes (routes/jobs) and reports its declared routes on load; the supervisor gained invoke()/routesOf(). - /api/plugins/:id/* proxy controller — a single static route that matches the plugin's declared routes, enforces per-route auth (auth:false routes are public for OAuth callbacks/webhooks), forwards only a whitelisted request view (never the session cookie), and strips unsafe response headers. - Admin endpoints: POST :id/activate, POST :id/deactivate, GET/PUT :id/config — instance settings with secret fields encrypted (apiKeyCrypto) and masked. - Kill switch moved to its own module so it never collides with test config mocks. Photo/calendar hook consumers are deferred to a later slice. * feat(plugins): sandboxed page/widget frames + trekBridge (M3) Plugins can now render UI. Page plugins appear as a nav entry and open a full-page sandboxed iframe; the frame talks to TREK only over the postMessage bridge. - Server serves plugin client assets at /plugin-frame/:id/* with a strict path guard and a locked-down, per-plugin CSP (default-src none; connect-src limited to declared outbound hosts; sandbox WITHOUT allow-same-origin -> opaque origin, so the frame can't read the session cookie or the parent DOM). Global CSP frameSrc relaxed from 'none' to 'self' for exactly these frames. - GET /api/plugins feed lists active plugins for the client. - Client: pluginStore + PluginFrame (the trekBridge host) authenticates every inbound message by SENDER WINDOW IDENTITY (event.source), not by a claimed id or origin; pushes context (theme/locale/tripId/userId), validates navigation, renders notifications as text, resizes widgets, and proxies trek:invoke to the plugin's own routes host-side (session cookie stays with the host). - Page route /plugins/:id + Navbar nav injection for page plugins. Dashboard widget slot and the trek:request core-data bridge are deferred to a later slice. * feat(plugins): secure installer — manifest, discovery, safe extract/fetch/scan (M4) Plugins placed on the /plugins volume are now discovered, validated and registered as inactive, ready to activate. - manifest.ts: strict trek-plugin.json validation (id/version/type, known permissions only, egress required with http:outbound, native modules rejected). - discovery.ts: scans the volume on startup + on demand (POST /api/admin/plugins/ rescan), upserts rows INACTIVE, refreshes settings-field descriptors, and never downgrades or wipes an already-installed plugin's status / grants / config. Invalid or native-carrying plugins are skipped and logged. - Activation now grants the DECLARED permissions (the consent gate) and persists them before spawning. - install/ utilities for the registry installer (M5), each independently tested: - safe-fetch: host allowlist (GitHub only) + private-IP refusal + manual redirect following + size cap + sha256 (constant-time compare). - safe-extract: zip/tar-slip-safe extraction with its own minimal tar.gz + zip readers; rejects traversal, absolute paths, symlinks, oversized/too-many entries, and unsupported formats. - native-scan: refuses .node / binding.gyp / prebuilds, never follows symlinks. * feat(plugins): TREK-side registry — browse + one-click install (M5) Connects TREK to the static GitHub registry (mauriceboe/TREK-Plugins). The registry repo + CI gates were already live; this is the server side. - registry.service: fetches the single aggregated dist/index.json (never per-plugin GitHub API calls — the HACS rate-limit lesson), caches it 30 min, soft-fails to a stale/empty registry, and installs a pinned version through the M4 pipeline: safe download -> sha256 verify -> slip-safe extract -> manifest re-validate -> native re-scan -> atomic move -> discover (inactive), recording repo/commit/sha provenance. Handles the codeload {repo}-{sha}/ wrapper directory. - Admin endpoints: GET /api/admin/plugins/registry (browse metadata) and POST /api/admin/plugins/install { id, version }. Install never executes code; activation stays a separate, deliberate step. * feat(plugins): trek-plugin-sdk package — types, mock host, scaffolder, validator (M6) The author-facing SDK, a standalone dependency-free package (not wired into the app workspaces, so it can't affect the app build). - definePlugin + the full plugin type surface (PluginContext, PluginRoute, PluginJob, PhotoProvider, CalendarSource) mirroring what the isolated runtime injects; PLUGIN_API_VERSION. - createMockHost (trek-plugin-sdk/testing): a PluginContext that enforces the SAME permission model + membership checks, so authors can unit-test that their plugin degrades gracefully — no running TREK needed. - validateManifest: the exact rules the registry CI runs, so a local pass predicts a CI pass. - CLIs: create-trek-plugin (scaffolds a working plugin + README + starter iframe) and trek-plugin validate (manifest + README sanity). Consolidating the server loader to import this shared validator is a follow-up. * docs(plugins): plugin wiki + reference plugin (M7) - Wiki pages (sync to the GitHub wiki on push to main): Plugins overview + trust model, Plugin Development (SDK, definePlugin, ctx, routes/jobs, the client bridge, testing with the mock host), Plugin Permissions reference, and Publishing (registry PR + CI gates + provenance). Linked from the sidebar. - Reference plugin plugin-sdk/examples/trip-countdown: a complete, minimal- permission widget (reads trip data through ctx, renders in the sandboxed iframe via the bridge, filled-in README). Validated in the SDK test suite so it passes the exact gate authors face. * feat(plugins): lifecycle polish — uninstall, error log, egress guard, widget slot (M8) - Uninstall with data disposition: POST /api/admin/plugins/:id/uninstall kills the plugin, removes its code + DB metadata, and (deleteData) drops its data dir, error log and per-user settings. - Error log: GET/DELETE /api/admin/plugins/:id/errors — the plugin's own crash / request-failure log, surfaced in the admin panel. - Egress guard: the isolated child wraps global fetch and refuses any outbound host not in the plugin's declared egress[]; with none declared, all outbound is blocked. Process-level defense in depth (the container runtime enforces it at the network layer in v2). - Admin → Plugins is now actionable: activate / deactivate / uninstall, a registry browser (install), and per-plugin error log. i18n across all locales. - Dashboard widget slot: active widget plugins render as sandboxed cards. The trek:request core-data bridge + photo/calendar hook consumers remain follow-ups. * docs(plugins): clarify the fork-and-PR publishing flow * fix(plugins): allow GitHub's rotating release-asset host in the installer GitHub 302-redirects release-asset downloads to a rotating *.githubusercontent.com host (objects / github-releases / release-assets). The SSRF allowlist only had objects.githubusercontent.com, so installs failed with 'host not allowlisted'. Allow the whole *.githubusercontent.com suffix (plus github.com/codeload); the private-IP check remains the SSRF backstop. * fix(plugins): allow inline scripts in the sandboxed frame + fix server lint error - Plugin frame CSP: the frame runs at an opaque origin (sandbox without allow-same-origin), so script-src 'self' matches nothing and the widget's own script never runs (stuck on 'Loading…'). Allow 'unsafe-inline' — the sandbox, not this directive, is the isolation boundary, and the plugin author controls the frame code either way. - Fix a no-constant-binary-expression eslint error in registry.test.ts that was failing the server lint:check (eslint .) in CI. * fix(plugins): exclude /plugin-frame/ from the service-worker navigate fallback The PWA service worker's navigateFallback served the SPA shell for any navigation not on its denylist. /plugin-frame/ wasn't listed, so the SW intercepted the sandboxed opaque-origin plugin iframe navigation, which Chrome reports as 'Unsafe attempt to load URL … from frame with URL …'. Denylist it so plugin frames are served straight from the network. * feat(plugins): pass the dashboard's spotlight trip id to widget plugins Widget plugins now receive the current (spotlight) trip id in their bridge context, so a widget like Trip Countdown can show a real countdown instead of the empty state. * fix(plugins): trips.getById returns the actual trip row, not the access check canAccessTrip only returns { id, user_id } (it's a membership check), but the rpc-host's trips.getById returned it verbatim — so plugins saw a trip with no title/start_date/etc. Fetch the real row after the access check. Also fix the reference plugin to read t.title (the trips column is 'title', not 'name'). * feat(plugins): persist enable-intent across restarts + redesign admin page The deactivation-on-deploy bug: `status` conflated the admin's ON/OFF intent with runtime health, so a boot crash flipped status to 'error' and the plugin never rebooted after the next deploy. Migration 156 adds an `enabled` flag (admin intent) separate from `status` (runtime health); boot now retries every enabled plugin regardless of last status, and a crash no longer erases the intent. Admin → Plugins redesign: - ON/OFF is a ToggleSwitch bound to `enabled`; runtime health shows separately as a coloured status dot, with the last error inline when it crashed. - "Update → vX" badge when the registry has a newer version (one click updates and reactivates). - Reviewed/unreviewed trust badges, cleaner cards, nicer empty state, registry browser marks already-installed plugins. i18n across all locales. * fix(plugins): backfill enabled for any plugin not explicitly deactivated status at migration time can be error/stopped/starting after a crash or shutdown, not just 'active' — so backfill enabled=1 for everything except 'inactive' (the only status deactivate() sets). * feat(plugins): hero widget slot + Koffi reference plugin Widget plugins can now declare capabilities.widget.slot 'hero' to render as a transparent, click-through overlay sitting on the boarding-pass bar's top edge (migration 157 persists capabilities; manifest validation server+SDK, feed exposes the slot, dashboard mounts hero frames above the pass). Sidebar stays the default slot. Replaces the trip-countdown example with Koffi, the TREK mascot: an animated suitcase with a 14-state behavior engine driven by real trip data — walking, waving, napping, trolley rolls, passport-stamp stickers, a split-flap luggage- tag countdown under 7 days, and sunglasses while the trip runs. Validated by the SDK suite like any author plugin; published as mauriceboe/trek-plugin-koffi in the registry. Migrations 156/157 follow the idempotent ALTER pattern (the reconciliation test re-runs everything from v135, so duplicate-column must stay non-fatal). * feat(plugins): richer admin panel + registry detail view Admin list: flush-left header like Addons, type/reviewed badges, runtime health as a dot on the icon tile (text badge only for problem states), description + source-repo link on installed cards, manifest icon. Browse: cards show the plugin screenshot (docs/screenshot.png at the pinned commit) and open a detail dialog fed by GET /api/admin/plugins/registry/:id — live-manifest permissions in plain language, egress hosts, setup preview, repo/homepage links. Manifest fetched server-side through safeDownload at the reviewed commit, cached per plugin for 30 min and only when a detail opens. Also fixes the update flow (restart the running child around the install, keep the admin's enabled intent instead of force-activating disabled plugins), guards the icon lookup against Object.prototype names, reserves ids that would shadow static admin routes, stops negative-caching failed manifest fetches, and makes the version compare prerelease-safe. * i18n: localize the plugins admin section across all locales The admin.plugins block was still English filler in most locales; translate it everywhere and add the new detail-view keys in all 22 languages. * feat(plugins): denser browse grid + prominent install-risk disclaimer Four cards per row on desktop with tighter card padding, and a full-width warning banner above the browse grid: installs are at the admin's own risk, a prior quick review does not rule out harmful content, inspect a plugin yourself when in doubt — TREK accepts no responsibility. All 22 locales. * feat(plugins): sandbox hardening — OS permission model, egress choke point, bound acting user, author signatures Closes the four gaps the security review surfaced: - OS permission model on the prod plugin child (Node --permission with fs-read scoped to the compiled server dir + the plugin's own code dir, no fs-write/child_process/worker/native). A plugin can no longer read trek.db or the .jwt_secret/.encryption_key files, nor shell out — the direct-fs and RCE escapes that bypassed the RPC layer. Opt-out via TREK_PLUGIN_PERMISSIONS=off. - Egress guard extended from fetch to the net.Socket connect choke point, so node:http/https/net/tls obey the declared-egress allowlist too (no declared egress = no outbound). Under the permission model there is no clean escape to an unwrapped runtime. Kernel/network-namespace containment remains the container step. - Trip reads are membership-checked against the acting user the HOST binds from the authenticated invocation, not an asUserId the plugin supplies; a job/onLoad (no user) can't read user-scoped trips. - Optional minisign (Ed25519) author signatures verified offline, TOFU-pinned (migration 158). Unsigned plugins install on sha256 alone; a signed plugin can't silently drop its signature or swap its author key. Server suite green (permission-model activation verified against the Koffi reference plugin on dev1). * fix(plugins): make the permission-model child load from the real plugin path The prod data dir is a symlink (server/data -> volume), so resolving the plugin under it tripped the permission model, and Node's module-type lookup walked up into the (denied) data dir. Fork the child from the plugin's realpath and drop a {"type":"commonjs"} package.json at its root so resolution stops there — trek.db and the secret files stay unreadable, verified against Koffi. * test(plugins): cover pluginRealCodeDir fallback + ensurePluginModuleType * feat(plugins): zero-config L1 hardening — SSRF egress, RSS reaper, capability audit, no popups Security that ships from the install itself, no self-hoster setup: - Egress SSRF/rebinding backstop: the net.Socket connect guard now RESOLVES the destination and refuses private/loopback/link-local/metadata/CGNAT/ULA addresses, pinning the resolved IP (a declared host that re-resolves to an internal address is blocked). Pure policy in egress-policy.ts + tests. TREK_PLUGIN_ALLOW_PRIVATE_EGRESS=on opts back into internal targets. - RSS memory reaper: the supervisor now kills a child that blows a real RSS ceiling (TREK_PLUGIN_MAX_RSS_MB, default 300) — --max-old-space-size only bounds the V8 heap, so Buffers could OOM the box under it. - Hash-chained capability audit log (migration 159): every core-data / broadcast call is recorded at the RPC boundary with the host-bound acting user and a per-plugin hash chain, so wide grants stay attributable + tamper-evident. Admin endpoint GET /api/admin/plugins/:id/audit. - Drop allow-popups from the plugin frame (sandbox + CSP): window.open ignores connect-src, so it was an egress/phishing bypass. Server suite 207 green, client + migration reconciliation green. * fix(plugins): close the UDP + DNS egress hole in the network guard The egress guard only wrapped fetch and net.Socket.connect, so TCP and HTTP were contained but two channels stayed wide open: a plugin could send data out over UDP (node:dgram) or tunnel it inside DNS queries (dns.resolveTxt & friends) to any host it never declared. Neither goes through net.Socket.connect, so the allowlist never saw them. Wrap both now against the same declared-host allowlist: - dgram send/connect: the explicit destination is allowlisted and private-IP-checked like a TCP connect (a null address keeps the connected/localhost default, which the connect wrapper already vetted). - the dns resolver family (module fns, dns.promises, Resolver.prototype): a forward lookup for an undeclared name is refused, which kills DNS tunnelling even when no socket is ever opened. A plugin with no declared egress now really has no way out. * feat(plugins): re-consent gate when an update wants new permissions Updating a plugin used to just reinstall and reactivate, which silently granted whatever the new version declared — so a plugin could quietly widen its own rights on the next release. Route updates through a new server-side update() that diffs the new version's declared permissions against what the admin already granted: - nothing new -> the plugin is restarted transparently on the new code. - new permissions or a new outbound host -> the new code is installed but the plugin is left OFF, and the delta is handed back so the admin has to approve it before it turns on. Install runs first, so a failed download/signature check leaves the running plugin untouched. The client shows the delta in a consent dialog and only then activates. An update can never widen a plugin behind your back. * feat(plugins): honest security info in the admin panel + update consent UI Reworks how the plugins panel talks about safety, since the old copy oversold it. Drops the "install at your own risk" banner and the generic trust note, and replaces them with: - a collapsible security section that lays out plainly how a plugin is contained, what the permissions actually mean (a hard limit on what a plugin CAN do, not a promise of what it does), where the limits are, and what a hostile plugin could do at worst. - a short note on what "Reviewed" means: a maintainer scanned it for malware each version, not for quality — not a guarantee it's harmless. - the consent dialog for the update flow: when an update asks for rights you never granted, it lists the new permissions and outbound hosts and makes you approve before the plugin turns back on. Full copy in all 22 locales. * feat(plugins): redesign the admin plugins page — search, filters, cleaner cards The panel was cramped and hard to scan. Rebuilt it as a proper management surface: - A segmented Installed/Discover switch with counts, and a real toolbar: search, filter by type, filter by status (active/off/update/error), and sort (name/recent/updates first). - An "N updates available · Update all" bar. - Installed rows are tidied up: a single health dot on the icon tile instead of a wall of badges, and capability chips underneath that show what each plugin can actually reach at a glance (reads your trips, dashboard widget, the hosts it talks to) — the reach is now visible without opening anything. Update, toggle and a ⋯ menu (restart, errors, source, uninstall) sit on the right. - The registry browser is now an App-Store-style card grid: screenshot with the plugin's icon chip, a reviewed badge, consistent heights. - The detail dialog gained "What it can access", "Connects to" and a details grid (version, size, requires, reviewed). To feed the capability chips, the installed list now returns each plugin's declared permissions and capabilities. New copy is in all 22 locales. * feat(plugins): make the plugins admin page work on small screens The redesign was built desktop-first. On a phone the toolbar wrapped into a mess and the rows were too cramped. Reworked the responsive behaviour: - The toolbar stacks on mobile — tabs + rescan on top, full-width search, then a right-aligned filter row — and collapses back into one row on sm+ (via display:contents), so the desktop layout is unchanged. Filter buttons drop their label on mobile and lead with an icon; their menus are capped to the viewport width so they never push the page sideways. - Installed rows use tighter spacing on mobile and the update button shrinks to just its icon (full label from sm up). - Horizontal padding, the discover grid and the detail dialog all get mobile-friendly spacing. * fix(plugins): make the detail dialog screenshot fill the full width aspect-[16/9] together with max-h-64 made the browser shrink the image width to keep the ratio once the height was capped, leaving a grey strip on the right. Drop the max-height so the header image spans the dialog. * feat(plugin-sdk): one-command publishing — pack, entry, release Publishing a plugin meant hand-building the zip, running shasum + stat, resolving the tag's commit, and hand-writing the whole registry entry. The SDK does all of it now: - `trek-plugin pack` builds plugin.zip in the exact layout the installer reads (own tiny zip writer, so the SDK stays dependency-free and the format can't drift from the reader), enforces the same native-binary and size rules, and prints the sha256 + size. docs/ is left out — the store fetches the screenshot from the repo, so it doesn't belong in the install artifact (Koffi's went from 943 KB to 15 KB). - `trek-plugin entry` emits the ready-to-PR registry entry from the manifest + the packed zip + the git tag: commitSha (deref'd), downloadUrl, sha256, size, and minTrekVersion derived from the manifest's trek range. `--merge` prepends a new version onto an existing entry for updates. - `trek-plugin release` chains pack → gh release → entry. Also: the scaffold now points the README at docs/screenshot.png (the path the store actually fetches, was screenshot-1.png) with a size hint, and stops hard-coding an MIT license — a plugin is the author's own code under their own license. Round-tripped against the real server extractor; 18 tests. * docs(plugins): rewrite the plugin wiki against the current code + tooling The plugin wiki had drifted from the app and the SDK. Rewrote all four pages, verifying every command, permission, field, path and UI behaviour against source: - Plugins: activation is a toggle (no separate consent screen); install is the Discover tab (no "Browse plugins" button); you review permissions in the detail modal before installing; documents update + re-consent, the ⋯ menu, toolbar filters, capability chips and the health dot. - Plugin-Development: full manifest reference; ws:broadcast:trip/:user (there is no ws:broadcast:*); onLoad + onUnload; the trek:error bridge message and full context payload; trips.* only work in a route handler; asUserId is accepted-but-ignored; integration hooks are declared but not yet wired. - Plugin-Permissions: db:own also covers db.migrate; a host must appear as both an http:outbound:<host> permission and an egress[] entry or it's silently blocked; bare vs per-host outbound. - Plugin-Publishing: the new one-command flow (validate → pack → release → entry), size is a required entry field, signing reconciled with the schema, no reserved namespaces, and the --merge update path. * chore(plugin-sdk): make it npm-publishable so `npx` resolves for authors The docs told authors to run `npx create-trek-plugin` / `npx trek-plugin`, but nothing published under those names, so npx couldn't resolve them. - Ship one package, `trek-plugin-sdk`, with a bin that matches the package name (`trek-plugin-sdk`) so `npx trek-plugin-sdk <command>` resolves with zero install. The dispatcher gained a `create` subcommand, so every step (create/validate/pack/entry/release) runs through that one entry point. The short `trek-plugin` / `create-trek-plugin` bins still work once installed. - Package hardening for publish: repository+directory (monorepo subdir), homepage/bugs/author/engines, publishConfig public, a prepublishOnly that builds + tests, and a LICENSE file. - A publish workflow: pushing a `plugin-sdk-v*` tag builds and publishes with the NPM_TOKEN repo secret. - Docs (SDK README + the four wiki pages) now use `npx trek-plugin-sdk <cmd>`, the invocation that actually resolves. * feat(plugin-sdk): dev server, preflight, auto-PR submit, signing, wizard Round out the author experience so the loop is create -> dev -> release/submit without hand-work or a round-trip through registry review. - `dev`: run a plugin locally with a real request loop and hot reload — no full TREK. Injects a ctx that enforces the manifest's granted permissions (an ungranted call throws, so you catch a missing grant), backs db:own with a real SQLite file (node:sqlite), serves routes under /api and page/widget UI at /ui, and reloads on save. Dependency-free (node:http + built-ins). - `preflight`: run the registry CI checks locally over the network (tag->commit, manifest parity, artifact sha256/size, native scan, README quality gate) so a green run predicts a green CI. - `submit`: fork TREK-Plugins, branch off current main, write/merge the entry, push, and open the PR — the last manual publishing step, automated. - `keygen`/`sign` + `--sign` on entry/release/submit: dependency-free Ed25519 author signatures over the artifact bytes, verified 1:1 against the server's TOFU check. Fills authorPublicKey + signature and guards against a key change. - `create` gains an interactive wizard (id/type/author/permissions) and flags. - README + Development/Publishing/Permissions wikis document the new flow. 24 tests pass (sign round-trips through a server-shaped verifier; zip reader; scaffold options; entry signing + key-change guard). * feat(plugin-sdk): one-command `publish` (pack → release → preflight → PR) Collapses the release into a single command: pack the artifact, tag + create the GitHub release, run the registry CI checks locally (preflight), and open the registry PR — stopping before it submits if preflight would fail, so a broken entry never becomes a doomed PR. `--sign` signs it; `--no-preflight` skips the gate. The individual pack/release/preflight/submit commands still exist. README + the Development/Publishing/Permissions wikis lead with `publish` now. * fix(plugins): security hardening from the PR #1415 audit Remediates the findings from the adversarial audit (threat model: malicious plugin author + malicious artifact). Highlights: Critical - proxy: force nosniff + Content-Disposition: attachment on every proxied reply and drop location/content-disposition + non-2xx from the passthrough, so a plugin can't serve an HTML document at TREK's origin (sandbox-escape → account takeover) or an open redirect. High - db:own runs synchronously in the host: cap the plugin DB (max_page_count) and row-cap query() via iterate() so a recursive CTE / huge blob can't stall the event loop, OOM, or exhaust the shared volume. - supervisor: measure child RSS host-side (/proc/<pid>/statm) instead of trusting the spoofable heartbeat; add an activation timeout so a stuck onLoad can't hang activate() or peg a core unreaped. - safe-extract: enforce entry-count + cumulative-size limits INSIDE readZip before inflating (decompression-bomb OOM). - re-consent: activate() never widens granted permissions without explicit consent (409 CONSENT_REQUIRED); the row toggle + "Update All" route through the consent dialog, which now queues instead of overwriting. Medium/low - egress: gate dgram hostnames through the IP-vetting resolver; block the low-level socket escape (process.binding) + lock the wrapped prototypes; canonicalize IPv6 in isBlockedIp (hex-mapped/compressed metadata); reject degenerate `*.` / whole-TLD / spaced outbound hosts in the manifest + CSP. - ws:broadcast is membership-gated to the acting user's trips / own connections; users.getById is scoped to users the acting user can see (no enumeration). - safe-fetch streams + aborts at the byte cap (chunked codeload OOM); isPrivateIp reuses the canonicalizing check. - native-scan throws instead of silently passing past its entry cap. - SDK: dev serves binary assets as raw buffers + handles EADDRINUSE; manifest validator gains the reserved-id + outbound-host checks; wikis corrected. Tests updated for the new membership-gated behaviour + regression tests added (IPv6 canonicalization, wildcard hardening, outbound-host validation, ws/user scoping). 234 plugin tests + 24 SDK tests green. * fix(plugins): close the 4 PARTIAL findings + regressions from the fix-verify pass A second adversarial pass over the first remediation found four findings only partially closed and five issues the fixes themselves introduced. This closes them: Partial → closed - re-consent gate keyed on `granted.length > 0`, so a plugin first activated with ZERO permissions (granted '[]') was treated as never-consented and a later widening was granted silently. Now discovery marks a never-consented plugin with granted_permissions '' and activate() gates on "ever consented" (any non-empty string, including '[]'). - db:own DoS: block WITH RECURSIVE outright (the one construct that spins the synchronous host unboundedly regardless of the size/row caps, via query OR exec). - dgram: also wrap `new dgram.Socket(...)` (bypassed createSocket) to inject the IP-vetting lookup, and lock createSocket/Socket. - frame self-navigation: documented as a bounded best-effort mitigation (inherent to sandboxed iframes; exposure is the plugin's own routes + already-held context, never the httpOnly cookie). Regressions introduced by the first pass → fixed - proxy: only real redirects (301/302/303/307/308) are gated, to a RELATIVE in-app Location (supports OAuth-callback bounce, blocks open redirect); 300/304 pass through; attachment only on non-redirects. - supervisor: measure RSS via /proc/<pid>/status VmRSS (page-size independent); activation-timeout awaits kill() before disposing the db handle. - manifest HOST_RE: allow single-label hosts (self-hoster sibling services) while keeping wildcards multi-label; mirrored in the SDK + frame CSP filter. Regression tests added (re-consent incl. the '[]' case, WITH RECURSIVE + row cap, single-label host). 236 plugin tests + 24 SDK tests green. * docs: refresh README screenshots (8) + swap the second trip shot for Collections Replaces all eight README gallery screenshots with current-UI captures and swaps docs/screenshots/trip-iceland.png for collections.png (saved place lists). * fix(plugin-sdk): make require('trek-plugin-sdk') actually resolve everywhere A freshly scaffolded plugin could not load anywhere: the npm package is ESM-only (no require condition in its exports map), so the scaffold's require('trek-plugin-sdk') threw ERR_PACKAGE_PATH_NOT_EXPORTED under `trek-plugin dev` - and the runtime injection the wiki promised for the plugin child never existed, so a packed plugin (node_modules stripped) crashed with MODULE_NOT_FOUND after a real install. - plugin child: inject a frozen {definePlugin, PLUGIN_API_VERSION} shim for require('trek-plugin-sdk'); subpaths fail with a pointed error - trek-plugin dev: inject the exact same shim, so a fresh scaffold runs with zero npm install and dev parity with production holds - npm package: ship a real CommonJS build (dist/cjs + require export conditions) so the installed package also requires cleanly on Node 18+ - create: scaffold a package.json (type commonjs, SDK as devDependency, npx scripts); print resolvable `npx trek-plugin-sdk ...` hints - wiki: package.json in the scaffold tree + publishing checklist, and document the zero-install dev flow * fix(plugins): tolerate a UTF-8 BOM in trek-plugin.json Windows editors love to prepend a BOM, and a bare JSON.parse then dies with an "Unexpected token" pointing at an invisible character - in the SDK CLIs (dev/validate/entry/submit) and, worse, server-side: a BOM in an author repo travels through pack into the artifact and fails discovery and registry install. Strip it at every manifest/JSON read (readJsonFile in the SDK, parseJsonText in the installer). * fix(plugin-sdk): dev db binds an args array like the real host, and a failed onLoad stops the routes * ci(plugin-sdk): publish on Node 22; skip the dev-db bind test without node:sqlite * docs(wiki): document AI booking import, guest members and packing sharing Fill the gaps left after the 3.2.0 feature work: - add an AI Booking Import page for the AI Parsing addon (providers, admin/per-user config, model pull, the review-before-save flow) and link it from Reservations & Bookings and the sidebar - document guest members on Trip Members and Sharing (owner-only, what they can be assigned to, and the sign-in/notification/visibility limits) - document the three packing sharing tiers and co-bringing on Packing Lists - add TRANSIT_API_URL and the plugin variables to Environment Variables, and correct the language list to 22 (add Swedish and Vietnamese) - list the airtrail and llm_parsing addons in the Addons overview * feat(plugins): enable the plugin system by default The runtime and the Admin -> Plugins panel are now available out of the box; TREK_PLUGINS_ENABLED becomes an opt-out (set it to false to switch the whole system off). Installed plugins are still registered inactive and have to be activated one by one, so no third-party code runs until an admin turns a specific plugin on. Update the kill-switch default test and the plugin/env-var wiki pages to match. * fix(costs): KGS is selectable as default/expense currency (#1400) * fix(map): render date-line-crossing routes as one continuous arc (#1411) The great-circle sampler normalizes longitudes to [-180,180], so a transpacific leg jumped +-360 between neighbours and got split into two polylines pinned to opposite map edges. Unwrap the longitudes instead (shared flightGeodesy module for both renderers): Leaflet additionally draws a +-360-shifted copy so both halves show in the standard view, GL maps repeat world copies themselves. * fix(map): clear the hover card on marker click and camera moves (#1404) Clicking an off-center place recenters the map under a stationary cursor, so mouseout/mouseleave never fires and the hover card sticks. Clear it on marker click and on movestart, and suppress re-shows while the camera is animating (marker rebuilds re-fire mouseenter mid-pan). feat(map): long-press + plain right-click add-place on GL maps (#1398) The GL providers only bound middle-click, so mobile had no way to add a place at a position (and Macs have no middle button). Add a 600ms touch long-press with move tolerance and the map contextmenu event - both GL libs suppress it while the right-button rotate/pitch drag is active, so the gesture keeps winning. * fix(mcp): keep SSE streams alive and stop invalidating sessions on unrelated saves (#1414) Three separate causes for the reconnect-per-tool-call pain: - no keep-alive on the standalone GET stream, so reverse proxies with idle timeouts (nginx default 60s) killed it between calls - send an SSE comment ping every 25s (MCP_SSE_KEEPALIVE, 0 = off) and count an open stream as session activity - the session TTL was hard-coded - MCP_SESSION_TTL (seconds, clamped to 24h) now works as the issue expected - every addon save invalidated ALL sessions: config-only saves, photo provider toggles and addons with no MCP surface included. Only a real enabled-flip of an MCP-relevant addon (or an actual collab-feature change) tears sessions down now. * feat(api): OpenAPI/Swagger docs at /api/docs behind TREK_API_DOCS_ENABLED (#1412) Swagger UI + raw spec (/api/docs-json, -yaml) over all controllers, with a bearer button that works with a plain session JWT. Off by default - the spec enumerates the whole surface incl. admin routes, so exposing it is an explicit self-hoster decision (same kill-switch pattern as TREK_PLUGINS_ENABLED). Request bodies come from the Zod schemas the routes already validate with: an enricher walks every controller, finds whole-body ZodValidationPipe params and lifts their schema into the document via zod v4's native z.toJSONSchema - nothing is annotated twice, and any route that gains a Zod pipe is documented automatically. * fix(map,mcp): review follow-ups for the issue-fix batch - mapbox-gl (unlike maplibre) still emits the map contextmenu after a right-button rotate/pitch drag on Windows - guard it with the pressed position so ending a rotate can't open the Add-Place form (#1398) - a long-press whose fire was deduped (or that never yields a click) no longer leaves suppressNextClick armed to swallow a later real tap - MCP_SSE_KEEPALIVE=0 keeps the open-stream-counts-as-activity guarantee: the touch interval survives, only the pings stop (#1414) - swagger-ui-dist ships @scarf/scarf install-time analytics - disabled via scarfSettings in the root package.json, TREK sends no telemetry - Budget wiki currency list: 47 incl. KGS (#1400) * feat(map): real road routes for car/bus/taxi/bicycle bookings instead of straight lines Road-based transport bookings drew an as-the-crow-flies line; only transit journeys (Transitous) showed the real path. A shared useTransportRoutes hook now fetches the OSRM road geometry (driving for car/bus/taxi, cycling for bicycle) — reusing the day-route router and its cache — and both renderers draw it in place of the straight arc, falling back to the straight line until it loads or if routing fails. Trains/other keep their straight line (not road-routable); a 2000 km sanity cap avoids hammering the public router on cross-continent quirks. * feat(transport): multi-leg train bookings (#1150) Long train trips are usually several trains under one booking. Trains now get the same multi-leg editor flights have: an ordered chain of stations (station search instead of the airport picker) with a per-leg train number + platform, saved as from/stop/to endpoints + metadata.legs — mirroring the flight leg contract, so the map draws the whole chain and the day plan splits it into one row per leg (drag/reorder/position persistence come for free from the shared __leg machinery). A single-leg train saves exactly as before (flat metadata, no legs), and the flat train-fields block is gone in favour of the per-leg inputs. Day sidebar, shared trip view and the PDF render each train leg like a flight leg. * feat(collections): per-collection custom labels Each list can now define its own labels (e.g. Berlin, Hamburg, Ostsee in a "Germany 2026" list) and organise its places by them: - manage labels (create / rename / recolor / delete) from a label manager - assign labels to a place from its detail sheet, or to many places at once from the selection toolbar - filter the place list AND the map by label (multi-select, any-match) Labels are scoped to a collection and shared by all its members. Managing and assigning labels needs edit rights; filtering is available to everyone. Moving a place to another list drops its labels, since they belong to the source list. * test(collections): pass the required labels prop in CollectionPlaceDetail test The per-collection labels feature (a5522e99) made `labels` a required prop and renders `labels.filter(...)`, but the test's props cast to Omit<DetailProps,'t'> hid the missing prop, so `labels` was undefined at runtime and crashed the whole suite (Cannot read properties of undefined reading 'filter'). Pass labels: [] like categories. * docs(wiki): document collection labels, multi-leg trains and road-route overlays - Collections: add a Custom labels section (manage / assign / filter), note the label filter + bulk assign, and the view-vs-edit permission split - Transport: rewrite the train fields as the multi-leg route editor, correct the transport type list (nine types) and the map/day-plan behaviour - Map Features: car/bus/taxi/bicycle overlays follow real roads; multi-leg trains draw their full station chain; date-line routes render as one continuous arc --------- Co-authored-by: jubnl <jgunther021@gmail.com> Co-authored-by: jufy111 <jeffturner93@gmail.com> Co-authored-by: Azalea <noreply@aza.moe> Co-authored-by: Zorth Thorch <jasper_goens@hotmail.com> Co-authored-by: leeduc <lee.duc55@gmail.com> Co-authored-by: yael-tramier <tramier.yael@gmail.com> Co-authored-by: michael-bohr <mjbohr@gmail.com> Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com> Co-authored-by: Gio Cettuzzi <gio.cettuzzi@gmail.com> Co-authored-by: mauriceboe <mauriceboe@users.noreply.github.com> Co-authored-by: jubnl <66769052+jubnl@users.noreply.github.com>
2026-07-05 07:13:04 +08:00
- [[Plugin Permissions|Plugin-Permissions]]
- [[Publishing a Plugin|Plugin-Publishing]]
## AI / MCP
- [[MCP Overview|MCP-Overview]]
- [[MCP Setup|MCP-Setup]]
- [[MCP Scopes|MCP-Scopes]]
- [[MCP Tools and Resources|MCP-Tools-and-Resources]]
- [[MCP Addon Tools|MCP-Addon-Tools]]
- [[MCP Prompts|MCP-Prompts]]
## Admin Panel
- [[Admin Panel Overview|Admin-Panel-Overview]]
- [[Admin: Users and Invites|Admin-Users-and-Invites]]
- [[Admin: Addons|Admin-Addons]]
- [[Admin: Categories|Admin-Categories]]
- [[Admin: Packing Templates|Admin-Packing-Templates]]
- [[Admin: Permissions|Admin-Permissions]]
- [[Admin: MCP Tokens|Admin-MCP-Tokens]]
- [[Admin: GitHub Releases|Admin-GitHub-Releases]]
## Operations
- [[Backups]]
- [[Demo Mode|Demo-Mode]]
- [[Encryption Key Rotation|Encryption-Key-Rotation]]
- [[Internal Network Access|Internal-Network-Access]]
- [[Audit Log|Audit-Log]]
- [[Security Hardening|Security-Hardening]]
## Help
- [[FAQ]]
- [[Troubleshooting]]
## Contributing
- [[Contributing]]
- [[Development Environment|Development-environment]]