feat(weather): migrate /api/weather to the NestJS pilot module (L1) (#1053)

First strangler migration (L1): /api/weather is served by a NestJS module.

- @trek/shared/weather Zod contract; Nest controller byte-identical to the legacy Express route (paths, query params, status codes, { error } bodies, lang default, ApiError/500 passthrough). Service reuses getWeather/getDetailedWeather (+ shared cache; MCP tools unchanged).
- Strangler routes /api/weather to Nest by default; the legacy Express route + its migration-time parity test were decommissioned in this PR.
- Frontend (FE2): weatherApi typed against the @trek/shared WeatherResult contract.
- Harness: reusable Nest-vs-Express parity harness, e2e harness (temp SQLite + seed/cookie helpers, real JwtAuthGuard), src/nest coverage gate raised to >=80%, src/nest test guide.
- Verified end-to-end on a prod mirror (dev1): 401/400/200 via Nest with real Open-Meteo data, Express route gone.

server/tests/e2e/harness.ts

@@ -0,0 +1,65 @@
+import Database from 'better-sqlite3';
+import jwt from 'jsonwebtoken';
+import { JWT_SECRET } from '../../src/config';
+
+/**
+ * Shared e2e harness for migrated Nest modules.
+ *
+ * Gives each module e2e test a throwaway in-memory SQLite db (the same shape the
+ * shared connection exposes), a seed helper for demo data, and a session-cookie
+ * signer that produces tokens the REAL JwtAuthGuard accepts — so e2e tests cover
+ * the actual auth path end-to-end, not a stubbed guard.
+ *
+ * Wire it in a test with `vi.mock('../../src/db/database', () => ({ db, ... }))`
+ * using the db returned here, then build the Nest app under test.
+ */
+
+export interface SeededUser {
+  id: number;
+  username: string;
+  email: string;
+  role: 'user' | 'admin';
+  password_version: number;
+}
+
+/** Fresh in-memory db with the minimal `users` table the auth guard reads. */
+export function createTempDb(): Database.Database {
+  const db = new Database(':memory:');
+  db.exec('PRAGMA journal_mode = WAL');
+  db.exec('PRAGMA foreign_keys = ON');
+  db.exec(`
+    CREATE TABLE users (
+      id INTEGER PRIMARY KEY AUTOINCREMENT,
+      username TEXT NOT NULL,
+      email TEXT NOT NULL UNIQUE,
+      role TEXT NOT NULL DEFAULT 'user',
+      password_version INTEGER NOT NULL DEFAULT 0
+    );
+  `);
+  return db;
+}
+
+/** Insert a demo user and return its row. */
+export function seedUser(db: Database.Database, overrides: Partial<SeededUser> = {}): SeededUser {
+  const user: SeededUser = {
+    id: overrides.id ?? 1,
+    username: overrides.username ?? 'e2e-user',
+    email: overrides.email ?? 'e2e@example.test',
+    role: overrides.role ?? 'user',
+    password_version: overrides.password_version ?? 0,
+  };
+  db.prepare(
+    'INSERT INTO users (id, username, email, role, password_version) VALUES (?, ?, ?, ?, ?)',
+  ).run(user.id, user.username, user.email, user.role, user.password_version);
+  return user;
+}
+
+/** Sign a `trek_session` token the real guard will accept (matching JWT_SECRET + pv). */
+export function signSession(userId: number, passwordVersion = 0): string {
+  return jwt.sign({ id: userId, pv: passwordVersion }, JWT_SECRET, { algorithm: 'HS256' });
+}
+
+/** Convenience: the Cookie header value for a signed session. */
+export function sessionCookie(userId: number, passwordVersion = 0): string {
+  return `trek_session=${signSession(userId, passwordVersion)}`;
+}

server/tests/e2e/weather.e2e.test.ts

@@ -0,0 +1,88 @@
+/**
+ * Weather module e2e — exercises the migrated /api/weather endpoints through the
+ * real JwtAuthGuard against a temp SQLite db (seeded via the shared harness).
+ * The weather service is mocked so no real Open-Meteo calls happen.
+ */
+import { describe, it, expect, beforeAll, afterAll, vi } from 'vitest';
+import request from 'supertest';
+import cookieParser from 'cookie-parser';
+import type { Server } from 'http';
+import { Test } from '@nestjs/testing';
+import { createTempDb, seedUser, sessionCookie } from './harness';
+
+const { db } = vi.hoisted(() => {
+  // eslint-disable-next-line @typescript-eslint/no-require-imports
+  const Database = require('better-sqlite3');
+  const tmp = new Database(':memory:');
+  tmp.exec('PRAGMA journal_mode = WAL');
+  tmp.exec(`CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT, username TEXT NOT NULL,
+    email TEXT NOT NULL UNIQUE, role TEXT NOT NULL DEFAULT 'user', password_version INTEGER NOT NULL DEFAULT 0);`);
+  return { db: tmp };
+});
+
+vi.mock('../../src/db/database', () => ({ db, closeDb: () => {}, reinitialize: () => {} }));
+
+const { mockGet, mockGetDetailed } = vi.hoisted(() => ({ mockGet: vi.fn(), mockGetDetailed: vi.fn() }));
+vi.mock('../../src/services/weatherService', async (importActual) => {
+  const actual = await importActual<typeof import('../../src/services/weatherService')>();
+  return { ...actual, getWeather: mockGet, getDetailedWeather: mockGetDetailed };
+});
+
+import { WeatherModule } from '../../src/nest/weather/weather.module';
+import { TrekExceptionFilter } from '../../src/nest/common/trek-exception.filter';
+
+describe('Weather e2e (real auth guard + temp SQLite)', () => {
+  let server: Server;
+  let app: Awaited<ReturnType<typeof build>>;
+
+  async function build() {
+    const moduleRef = await Test.createTestingModule({ imports: [WeatherModule] }).compile();
+    const nest = moduleRef.createNestApplication();
+    nest.use(cookieParser());
+    nest.useGlobalFilters(new TrekExceptionFilter());
+    await nest.init();
+    return nest;
+  }
+
+  beforeAll(async () => {
+    seedUser(db as never, { id: 1 });
+    app = await build();
+    server = app.getHttpServer();
+    mockGet.mockResolvedValue({ temp: 21, main: 'Clear', description: 'Klar', type: 'current' });
+    mockGetDetailed.mockResolvedValue({ temp: 20, main: 'Rain', description: 'Regen', type: 'forecast', hourly: [] });
+  });
+
+  afterAll(async () => {
+    await app.close();
+  });
+
+  it('401 { error, code } without a session cookie', async () => {
+    const res = await request(server).get('/api/weather').query({ lat: '1', lng: '2' });
+    expect(res.status).toBe(401);
+    expect(res.body).toEqual({ error: 'Access token required', code: 'AUTH_REQUIRED' });
+  });
+
+  it('401 with an invalid token', async () => {
+    const res = await request(server).get('/api/weather').set('Cookie', 'trek_session=not-a-jwt').query({ lat: '1', lng: '2' });
+    expect(res.status).toBe(401);
+    expect(res.body).toEqual({ error: 'Invalid or expired token', code: 'AUTH_REQUIRED' });
+  });
+
+  it('400 when authenticated but lat/lng missing', async () => {
+    const res = await request(server).get('/api/weather').set('Cookie', sessionCookie(1)).query({ lng: '2' });
+    expect(res.status).toBe(400);
+    expect(res.body).toEqual({ error: 'Latitude and longitude are required' });
+  });
+
+  it('200 with a valid session cookie', async () => {
+    const res = await request(server).get('/api/weather').set('Cookie', sessionCookie(1)).query({ lat: '52.5', lng: '13.4' });
+    expect(res.status).toBe(200);
+    expect(res.body).toMatchObject({ temp: 21, main: 'Clear', type: 'current' });
+  });
+
+  it('200 on /detailed with a valid session cookie', async () => {
+    const res = await request(server).get('/api/weather/detailed').set('Cookie', sessionCookie(1)).query({ lat: '1', lng: '2', date: '2026-07-01' });
+    expect(res.status).toBe(200);
+    expect(res.body).toMatchObject({ type: 'forecast' });
+  });
+});