Bug fixes - April 27th 2026 (#907)

* fix: clean up dangling FK references before deleting a user Resolves FOREIGN KEY constraint failed (500) on DELETE /api/admin/users/:id and DELETE /api/auth/me when the target user had rows in trip_members.invited_by, share_tokens.created_by, budget_items.paid_by_user_id, journeys.user_id, journey_entries.author_id, journey_contributors.user_id, or journey_share_tokens.created_by — none of which had ON DELETE clauses. Introduces deleteUserCompletely() in userCleanupService.ts which wraps all cleanup and the final DELETE FROM users in a single transaction. Both adminService.deleteUser and authService.deleteAccount now call it instead of the bare DELETE. Tests ADMIN-005b and AUTH-040 cover all reference types including notification sender/recipient and notice dismissals. * test: extend FK deletion tests to cover journeys, files, and photos ADMIN-005b and AUTH-040 now also seed and assert: - owned journey with entries (cascade-deleted via journeys.user_id cleanup) - trip_files.uploaded_by (SET NULL — file survives, attribution cleared) - trek_photos.owner_id (SET NULL — photo record survives, owner cleared) - trip_photos.user_id (CASCADE — photo association removed) * test: extend user deletion tests to cover all FK relationships ADMIN-005b and AUTH-040 now seed and assert every user FK relationship: CASCADE (row deleted): trips, trip_members, tags, mcp_tokens, oauth_tokens, oauth_consents, vacay_plans, vacay_plan_members, bucket_list, visited_countries, visited_regions, packing_templates, invite_tokens, collab_notes, settings, password_reset_tokens, notification_channel_preferences SET NULL (row survives, column nulled): categories, todo_items.assigned_user_id, packing_bags, audit_log Caught and fixed: notification_preferences was dropped in migration 72; correct table is notification_channel_preferences. * fix: preserve URL hash and OIDC redirect target through login flow - Include location.hash in redirect param at all three producer sites (ProtectedRoute, axios 401 interceptor, OAuthAuthorizePage) so hash fragments survive the login bounce - Stash redirectTarget in sessionStorage before any OIDC provider redirect and restore it after the code exchange, since the IdP strips the original ?redirect= param during the roundtrip - Clear sessionStorage on OIDC error to avoid stale state - Add tests covering sessionStorage stash on mount, navigate to saved redirect after OIDC exchange, fallback to /dashboard, and cleanup on error * fix: use day position instead of ID for accommodation date range clamping Math.min/Math.max over raw day IDs breaks the start/end picker when a trip's day IDs are non-monotonic relative to day_number (normal after repeated generateDays extend/shrink cycles). Replaced with findIndex lookups so clamping is always based on positional order. Closes #889 * fix: normalize env var comparisons to be case-insensitive All NODE_ENV, DEMO_MODE, OIDC_ONLY, FORCE_HTTPS, COOKIE_SECURE, and ALLOW_INTERNAL_NETWORK checks now use .toLowerCase() so values like 'Production' or 'True' behave identically to their lowercase forms. Also adds APP_VERSION to the startup banner. * fix: delete surplus days when shortening a trip When shrinking a trip's date range, surplus days are now deleted along with their assignments, notes, and accommodations (cascade). Places remain in the trip pool; reservations keep their day reference nulled by the existing ON DELETE SET NULL constraint (issue #909). Updates TRIP-SVC-011 to reflect the new behaviour; adds TRIP-SVC-016 as a regression test for the empty-day case. * fix: auto-backup retention deletes itself and manual backups on Docker Two bugs in cleanupOldBackups: 1. Filter was .endsWith('.zip') — swept manual backup-*.zip files too. Now restricted to auto-backup-* prefix. 2. Age was derived from stat.birthtimeMs, which is 0 on overlayfs (Docker default), making every backup appear epoch-old and get deleted immediately. Age is now parsed from the filename timestamp and falls back to mtimeMs (reliable on overlayfs). Also converts inline require('./services/auditLog') calls to a static import throughout scheduler.ts, and adds 8 unit tests covering the fixed retention logic including the overlayfs regression case. * test: update TRIP-024 to match delete behavior on trip shrink * feat: add bypass-branch-check label to skip branch enforcement
2026-06-19 13:21:46 +00:00 · 2026-04-28 05:17:20 +02:00
parent ca832e8d88
commit 1f5deeba6c
32 changed files with 937 additions and 106 deletions
@@ -53,7 +53,7 @@ export function createApp(): express.Application {
  const app = express();

  // Trust first proxy (nginx/Docker) for correct req.ip
-  if (process.env.NODE_ENV === 'production' || process.env.TRUST_PROXY) {
+  if (process.env.NODE_ENV?.toLowerCase() === 'production' || process.env.TRUST_PROXY) {
    app.set('trust proxy', Number.parseInt(process.env.TRUST_PROXY) || 1);
  }

@@ -67,13 +67,13 @@ export function createApp(): express.Application {
      if (!origin || allowedOrigins.includes(origin)) callback(null, true);
      else callback(new Error('Not allowed by CORS'));
    };
-  } else if (process.env.NODE_ENV === 'production') {
+  } else if (process.env.NODE_ENV?.toLowerCase() === 'production') {
    corsOrigin = false;
  } else {
    corsOrigin = true;
  }

-  const shouldForceHttps = process.env.FORCE_HTTPS === 'true';
+  const shouldForceHttps = process.env.FORCE_HTTPS?.toLowerCase() === 'true';
  // HSTS is worth enabling any time we're serving production traffic,
  // not only when FORCE_HTTPS is set. Self-hosters behind Traefik /
  // Caddy / Cloudflare Tunnel typically leave FORCE_HTTPS unset (the
@@ -105,7 +105,7 @@ export const ENCRYPTION_KEY = _encryptionKey;
 // Must stay in sync with client/src/i18n/supportedLanguages.ts (canonical source).
 // Kept duplicated here because server and client are separate npm packages.
 const SUPPORTED_LANG_CODES = ['de', 'en', 'es', 'fr', 'hu', 'nl', 'br', 'cs', 'pl', 'ru', 'zh', 'zh-TW', 'it', 'ar'];
-const rawDefaultLang = process.env.DEFAULT_LANGUAGE || 'en';
+const rawDefaultLang = process.env.DEFAULT_LANGUAGE?.toLowerCase() || 'en';
 if (!SUPPORTED_LANG_CODES.includes(rawDefaultLang)) {
  console.warn(`DEFAULT_LANGUAGE="${rawDefaultLang}" is not supported. Falling back to "en". Supported: ${SUPPORTED_LANG_CODES.join(', ')}`);
 }
@@ -47,7 +47,7 @@ const db = new Proxy({} as Database.Database, {
  },
 });

-if (process.env.DEMO_MODE === 'true') {
+if (process.env.DEMO_MODE?.toLowerCase() === 'true') {
  try {
    const { seedDemoData } = require('../demo/demo-seed');
    seedDemoData(_db);
@@ -6,7 +6,7 @@ import crypto from 'crypto';
 // are only relevant after the first user exists; at that point seeds have already
 // finished and skip via the userCount > 0 guard above.
 function isOidcOnlyConfigured(): boolean {
-  if (process.env.OIDC_ONLY !== 'true') return false;
+  if (process.env.OIDC_ONLY?.toLowerCase() !== 'true') return false;
  return !!(process.env.OIDC_ISSUER && process.env.OIDC_CLIENT_ID);
 }

@@ -29,8 +29,9 @@ const server = app.listen(PORT, () => {
  const banner = [
    '──────────────────────────────────────',
    '  TREK API started',
+    `  Version      ${process.env.APP_VERSION}`,
    `  Port:        ${PORT}`,
-    `  Environment: ${process.env.NODE_ENV || 'development'}`,
+    `  Environment: ${process.env.NODE_ENV?.toLowerCase() || 'development'}`,
    `  Timezone:    ${tz}`,
    `  Origins:     ${origins}`,
    `  Log level:   ${LOG_LVL}`,
@@ -40,8 +41,8 @@ const server = app.listen(PORT, () => {
    '──────────────────────────────────────',
  ];
  banner.forEach(l => console.log(l));
-  if (process.env.DEMO_MODE === 'true') sLogInfo('Demo mode: ENABLED');
-  if (process.env.DEMO_MODE === 'true' && process.env.NODE_ENV === 'production') {
+  if (process.env.DEMO_MODE?.toLowerCase() === 'true') sLogInfo('Demo mode: ENABLED');
+  if (process.env.DEMO_MODE?.toLowerCase() === 'true' && process.env.NODE_ENV?.toLowerCase() === 'production') {
    sLogWarn('SECURITY WARNING: DEMO_MODE is enabled in production!');
  }
  scheduler.start();
@@ -105,7 +105,7 @@ const adminOnly = (req: Request, res: Response, next: NextFunction): void => {

 const demoUploadBlock = (req: Request, res: Response, next: NextFunction): void => {
  const authReq = req as AuthRequest;
-  if (process.env.DEMO_MODE === 'true' && isDemoEmail(authReq.user?.email)) {
+  if (process.env.DEMO_MODE?.toLowerCase() === 'true' && isDemoEmail(authReq.user?.email)) {
    res.status(403).json({ error: 'Uploads are disabled in demo mode. Self-host TREK for full functionality.' });
    return;
  }
@@ -68,7 +68,7 @@ export function enforceGlobalMfaPolicy(req: Request, res: Response, next: NextFu
    return;
  }

-  if (process.env.DEMO_MODE === 'true' && verified.email && DEMO_EMAILS.has(verified.email)) {
+  if (process.env.DEMO_MODE?.toLowerCase() === 'true' && verified.email && DEMO_EMAILS.has(verified.email)) {
    next();
    return;
  }
@@ -449,7 +449,7 @@ router.put('/default-user-settings', (req: Request, res: Response) => {
 });

 // ── Dev-only: test notification endpoints ──────────────────────────────────────
-if (process.env.NODE_ENV === 'development') {
+if (process.env.NODE_ENV?.toLowerCase() === 'development') {
  const { send } = require('../services/notificationService');

  router.post('/dev/test-notification', async (req: Request, res: Response) => {
@@ -168,7 +168,7 @@ router.put('/auto-settings', (req: Request, res: Response) => {
    const msg = err instanceof Error ? err.message : String(err);
    res.status(500).json({
      error: 'Could not save auto-backup settings',
-      detail: process.env.NODE_ENV !== 'production' ? msg : undefined,
+      detail: process.env.NODE_ENV?.toLowerCase() !== 'production' ? msg : undefined,
    });
  }
 });
@@ -30,7 +30,7 @@ router.get('/login', async (req: Request, res: Response) => {
  const config = getOidcConfig();
  if (!config) return res.status(400).json({ error: 'OIDC not configured' });

-  if (config.issuer && !config.issuer.startsWith('https://') && process.env.NODE_ENV === 'production') {
+  if (config.issuer && !config.issuer.startsWith('https://') && process.env.NODE_ENV?.toLowerCase() === 'production') {
    return res.status(400).json({ error: 'OIDC issuer must use HTTPS in production' });
  }

@@ -85,7 +85,7 @@ router.get('/callback', async (req: Request, res: Response) => {
  const config = getOidcConfig();
  if (!config) return res.redirect(frontendUrl('/login?oidc_error=not_configured'));

-  if (config.issuer && !config.issuer.startsWith('https://') && process.env.NODE_ENV === 'production') {
+  if (config.issuer && !config.issuer.startsWith('https://') && process.env.NODE_ENV?.toLowerCase() === 'production') {
    return res.redirect(frontendUrl('/login?oidc_error=issuer_not_https'));
  }

@@ -2,6 +2,7 @@ import cron, { type ScheduledTask } from 'node-cron';
 import archiver from 'archiver';
 import path from 'node:path';
 import fs from 'node:fs';
+import { logInfo, logError } from './services/auditLog';

 const dataDir = path.join(__dirname, '../data');
 const backupsDir = path.join(dataDir, 'backups');
@@ -79,11 +80,9 @@ async function runBackup(): Promise<void> {
      if (fs.existsSync(uploadsDir)) archive.directory(uploadsDir, 'uploads');
      archive.finalize();
    });
-    const { logInfo: li } = require('./services/auditLog');
-    li(`Auto-Backup created: ${filename}`);
+    logInfo(`Auto-Backup created: ${filename}`);
  } catch (err: unknown) {
-    const { logError: le } = require('./services/auditLog');
-    le(`Auto-Backup: ${err instanceof Error ? err.message : err}`);
+    logError(`Auto-Backup: ${err instanceof Error ? err.message : err}`);
    if (fs.existsSync(outputPath)) fs.unlinkSync(outputPath);
    return;
  }
@@ -94,23 +93,28 @@ async function runBackup(): Promise<void> {
  }
 }

-function cleanupOldBackups(keepDays: number): void {
+function autoBackupTimestampMs(filename: string): number | null {
+  // auto-backup-2026-04-27T00-00-00.zip → 2026-04-27T00:00:00
+  const stamp = filename.slice('auto-backup-'.length, -'.zip'.length);
+  const iso = stamp.replace(/T(\d{2})-(\d{2})-(\d{2})$/, 'T$1:$2:$3');
+  const ms = Date.parse(iso);
+  return Number.isNaN(ms) ? null : ms;
+}
+
+export function cleanupOldBackups(keepDays: number, now: number = Date.now()): void {
  try {
-    const MS_PER_DAY = 24 * 60 * 60 * 1000;
-    const cutoff = Date.now() - keepDays * MS_PER_DAY;
-    const files = fs.readdirSync(backupsDir).filter(f => f.endsWith('.zip'));
+    const cutoff = now - keepDays * 24 * 60 * 60 * 1000;
+    const files = fs.readdirSync(backupsDir).filter(f => f.startsWith('auto-backup-') && f.endsWith('.zip'));
    for (const file of files) {
      const filePath = path.join(backupsDir, file);
-      const stat = fs.statSync(filePath);
-      if (stat.birthtimeMs < cutoff) {
+      const ageMs = autoBackupTimestampMs(file) ?? fs.statSync(filePath).mtimeMs;
+      if (ageMs < cutoff) {
        fs.unlinkSync(filePath);
-        const { logInfo: li } = require('./services/auditLog');
-        li(`Auto-Backup old backup deleted: ${file}`);
+        logInfo(`Auto-Backup old backup deleted: ${file}`);
      }
    }
  } catch (err: unknown) {
-    const { logError: le } = require('./services/auditLog');
-    le(`Auto-Backup cleanup: ${err instanceof Error ? err.message : err}`);
+    logError(`Auto-Backup cleanup: ${err instanceof Error ? err.message : err}`);
  }
 }

@@ -122,16 +126,14 @@ function start(): void {

  const settings = loadSettings();
  if (!settings.enabled) {
-    const { logInfo: li } = require('./services/auditLog');
-    li('Auto-Backup disabled');
+    logInfo('Auto-Backup disabled');
    return;
  }

  const expression = buildCronExpression(settings);
  const tz = process.env.TZ || 'UTC';
  currentTask = cron.schedule(expression, runBackup, { timezone: tz });
-  const { logInfo: li2 } = require('./services/auditLog');
-  li2(`Auto-Backup scheduled: ${settings.interval} (${expression}), tz: ${tz}, retention: ${settings.keep_days === 0 ? 'forever' : settings.keep_days + ' days'}`);
+  logInfo(`Auto-Backup scheduled: ${settings.interval} (${expression}), tz: ${tz}, retention: ${settings.keep_days === 0 ? 'forever' : settings.keep_days + ' days'}`);
 }

 // Demo mode: hourly reset of demo user data
@@ -139,19 +141,17 @@ let demoTask: ScheduledTask | null = null;

 function startDemoReset(): void {
  if (demoTask) { demoTask.stop(); demoTask = null; }
-  if (process.env.DEMO_MODE !== 'true') return;
+  if (process.env.DEMO_MODE?.toLowerCase() !== 'true') return;

  demoTask = cron.schedule('0 * * * *', () => {
    try {
      const { resetDemoUser } = require('./demo/demo-reset');
      resetDemoUser();
    } catch (err: unknown) {
-      const { logError: le } = require('./services/auditLog');
-      le(`Demo reset: ${err instanceof Error ? err.message : err}`);
+      logError(`Demo reset: ${err instanceof Error ? err.message : err}`);
    }
  });
-  const { logInfo: li3 } = require('./services/auditLog');
-  li3('Demo hourly reset scheduled');
+  logInfo('Demo hourly reset scheduled');
 }

 // Trip reminders: daily check at 9 AM local time for trips starting tomorrow
@@ -167,14 +167,12 @@ function startTripReminders(): void {
    const channelsRaw = getSetting('notification_channels') || getSetting('notification_channel') || 'none';
    const activeChannels = channelsRaw === 'none' ? [] : channelsRaw.split(',').map((c: string) => c.trim());
    if (!reminderEnabled) {
-      const { logInfo: li } = require('./services/auditLog');
-      li('Trip reminders: disabled in settings');
+      logInfo('Trip reminders: disabled in settings');
      return;
    }

    const tripCount = (db.prepare('SELECT COUNT(*) as c FROM trips WHERE reminder_days > 0 AND start_date IS NOT NULL').get() as { c: number }).c;
-    const { logInfo: liSetup } = require('./services/auditLog');
-    liSetup(`Trip reminders: enabled via [${activeChannels.join(',')}]${tripCount > 0 ? `, ${tripCount} trip(s) with active reminders` : ''}`);
+    logInfo(`Trip reminders: enabled via [${activeChannels.join(',')}]${tripCount > 0 ? `, ${tripCount} trip(s) with active reminders` : ''}`);
  } catch {
    return;
  }
@@ -196,13 +194,11 @@ function startTripReminders(): void {
        await send({ event: 'trip_reminder', actorId: null, scope: 'trip', targetId: trip.id, params: { trip: trip.title, tripId: String(trip.id) } }).catch(() => {});
      }

-      const { logInfo: li } = require('./services/auditLog');
      if (trips.length > 0) {
-        li(`Trip reminders sent for ${trips.length} trip(s): ${trips.map(t => `"${t.title}" (${t.reminder_days}d)`).join(', ')}`);
+        logInfo(`Trip reminders sent for ${trips.length} trip(s): ${trips.map(t => `"${t.title}" (${t.reminder_days}d)`).join(', ')}`);
      }
    } catch (err: unknown) {
-      const { logError: le } = require('./services/auditLog');
-      le(`Trip reminder check failed: ${err instanceof Error ? err.message : err}`);
+      logError(`Trip reminder check failed: ${err instanceof Error ? err.message : err}`);
    }
  }, { timezone: tz });
 }
@@ -222,12 +218,10 @@ function startTodoReminders(): void {
  const getSetting = (key: string) => (db.prepare('SELECT value FROM app_settings WHERE key = ?').get(key) as { value: string } | undefined)?.value;
  const enabled = getSetting('notify_todo_due') !== 'false';
  if (!enabled) {
-    const { logInfo: li } = require('./services/auditLog');
-    li('Todo due reminders: disabled in settings');
+    logInfo('Todo due reminders: disabled in settings');
    return;
  }
-  const { logInfo: liSetup } = require('./services/auditLog');
-  liSetup(`Todo due reminders: enabled (lead ${TODO_REMINDER_LEAD_DAYS}d)`);
+  logInfo(`Todo due reminders: enabled (lead ${TODO_REMINDER_LEAD_DAYS}d)`);

  const tz = process.env.TZ || 'UTC';
  todoReminderTask = cron.schedule('0 9 * * *', async () => {
@@ -271,13 +265,11 @@ function startTodoReminders(): void {
        db.prepare('UPDATE todo_items SET reminded_at = CURRENT_TIMESTAMP WHERE id = ?').run(todo.id);
      }

-      const { logInfo: li } = require('./services/auditLog');
      if (todos.length > 0) {
-        li(`Todo reminders sent for ${todos.length} item(s)`);
+        logInfo(`Todo reminders sent for ${todos.length} item(s)`);
      }
    } catch (err: unknown) {
-      const { logError: le } = require('./services/auditLog');
-      le(`Todo reminder check failed: ${err instanceof Error ? err.message : err}`);
+      logError(`Todo reminder check failed: ${err instanceof Error ? err.message : err}`);
    }
  }, { timezone: tz });
 }
@@ -294,8 +286,7 @@ function startVersionCheck(): void {
      const { checkAndNotifyVersion } = require('./services/adminService');
      await checkAndNotifyVersion();
    } catch (err: unknown) {
-      const { logError: le } = require('./services/auditLog');
-      le(`Version check: ${err instanceof Error ? err.message : err}`);
+      logError(`Version check: ${err instanceof Error ? err.message : err}`);
    }
  }, { timezone: tz });
 }
@@ -313,12 +304,10 @@ function startIdempotencyCleanup(): void {
      const cutoff = Math.floor(Date.now() / 1000) - 86400;
      const result = db.prepare('DELETE FROM idempotency_keys WHERE created_at < ?').run(cutoff);
      if (result.changes > 0) {
-        const { logInfo: li } = require('./services/auditLog');
-        li(`Idempotency cleanup: removed ${result.changes} expired key(s)`);
+        logInfo(`Idempotency cleanup: removed ${result.changes} expired key(s)`);
      }
    } catch (err: unknown) {
-      const { logError: le } = require('./services/auditLog');
-      le(`Idempotency cleanup: ${err instanceof Error ? err.message : err}`);
+      logError(`Idempotency cleanup: ${err instanceof Error ? err.message : err}`);
    }
  }, { timezone: tz });
 }
@@ -340,8 +329,7 @@ function startTrekPhotoCacheCleanup(): void {
      const { sweepExpired } = require('./services/memories/trekPhotoCache');
      sweepExpired();
    } catch (err: unknown) {
-      const { logError: le } = require('./services/auditLog');
-      le(`Trek photo cache cleanup: ${err instanceof Error ? err.message : err}`);
+      logError(`Trek photo cache cleanup: ${err instanceof Error ? err.message : err}`);
    }
  });
 }
@@ -8,6 +8,7 @@ import { updateJwtSecret } from '../config';
 import { maybe_encrypt_api_key, decrypt_api_key } from './apiKeyCrypto';
 import { getAllPermissions, savePermissions as savePerms, PERMISSION_ACTIONS } from './permissions';
 import { revokeUserSessions, revokeUserSessionsForClient } from '../mcp';
+import { deleteUserCompletely } from './userCleanupService';
 import { validatePassword } from './passwordPolicy';
 import { getPhotoProviderConfig } from './memories/helpersService';
 import { send as sendNotification } from './notificationService';
@@ -170,7 +171,7 @@ export function deleteUser(id: string, currentUserId: number) {
  const userToDel = db.prepare('SELECT id, email FROM users WHERE id = ?').get(id) as { id: number; email: string } | undefined;
  if (!userToDel) return { error: 'User not found', status: 404 };

-  db.prepare('DELETE FROM users WHERE id = ?').run(id);
+  deleteUserCompletely(userToDel.id);
  return { email: userToDel.email };
 }

@@ -287,7 +288,7 @@ export function updateOidcSettings(data: {
 // ── Demo Baseline ──────────────────────────────────────────────────────────

 export function saveDemoBaseline(): { error?: string; status?: number; message?: string } {
-  if (process.env.DEMO_MODE !== 'true') {
+  if (process.env.DEMO_MODE?.toLowerCase() !== 'true') {
    return { error: 'Not found', status: 404 };
  }
  try {
@@ -15,6 +15,7 @@ import { decrypt_api_key, maybe_encrypt_api_key, encrypt_api_key } from './apiKe
 import { createEphemeralToken } from './ephemeralTokens';
 import { revokeUserSessions } from '../mcp';
 import { startTripReminders } from '../scheduler';
+import { deleteUserCompletely } from './userCleanupService';
 import { verifyJwtAndLoadUser } from '../middleware/auth';
 import { User } from '../types';
 import { DEMO_EMAIL_PRIMARY, isDemoEmail } from './demo';
@@ -130,7 +131,7 @@ export function resolveAuthToggles(): {
      oidc_login: get('oidc_login') !== 'false',
      oidc_registration: get('oidc_registration') !== 'false',
    };
-    if (process.env.OIDC_ONLY === 'true') {
+    if (process.env.OIDC_ONLY?.toLowerCase() === 'true') {
      result.password_login = false;
      result.password_registration = false;
    }
@@ -138,7 +139,7 @@ export function resolveAuthToggles(): {
  }

  // Legacy fallback
-  const oidcOnlyEnabled = process.env.OIDC_ONLY === 'true' || get('oidc_only') === 'true';
+  const oidcOnlyEnabled = process.env.OIDC_ONLY?.toLowerCase() === 'true' || get('oidc_only') === 'true';
  const oidcConfigured = !!(
    (process.env.OIDC_ISSUER || get('oidc_issuer')) &&
    (process.env.OIDC_CLIENT_ID || get('oidc_client_id'))
@@ -252,7 +253,7 @@ export function getPendingMfaSecret(userId: number): string | null {

 export function getAppConfig(authenticatedUser: { id: number } | null) {
  const userCount = (db.prepare('SELECT COUNT(*) as count FROM users').get() as { count: number }).count;
-  const isDemo = process.env.DEMO_MODE === 'true';
+  const isDemo = process.env.DEMO_MODE?.toLowerCase() === 'true';
  const toggles = resolveAuthToggles();
  const version: string = process.env.APP_VERSION ?? require('../../package.json').version;
  const hasGoogleKey = !!db.prepare("SELECT maps_api_key FROM users WHERE role = 'admin' AND maps_api_key IS NOT NULL AND maps_api_key != '' LIMIT 1").get();
@@ -527,7 +528,7 @@ export function deleteAccount(userId: number, userEmail: string, userRole: strin
      return { error: 'Cannot delete the last admin account', status: 400 };
    }
  }
-  db.prepare('DELETE FROM users WHERE id = ?').run(userId);
+  deleteUserCompletely(userId);
  return { success: true };
 }

@@ -18,10 +18,10 @@ const COOKIE_NAME = 'trek_session';
 * remains the explicit escape hatch for plain-HTTP LAN testing.
 */
 export function cookieOptions(clear = false, req?: Request) {
-  if (process.env.COOKIE_SECURE === 'false') {
+  if (process.env.COOKIE_SECURE?.toLowerCase() === 'false') {
    return buildOptions(clear, false);
  }
-  const envSecure = process.env.NODE_ENV === 'production' || process.env.FORCE_HTTPS === 'true';
+  const envSecure = process.env.NODE_ENV?.toLowerCase() === 'production' || process.env.FORCE_HTTPS?.toLowerCase() === 'true';
  const requestSecure = req?.secure === true;
  return buildOptions(clear, envSecure || requestSecure);
 }
@@ -170,7 +170,7 @@ export async function send(payload: NotificationPayload): Promise<void> {
  const configEntry = EVENT_NOTIFICATION_CONFIG[event];
  if (!configEntry) {
    logDebug(`notificationService.send: unknown event type "${event}", using fallback`);
-    if (process.env.NODE_ENV === 'development' && actorId != null) {
+    if (process.env.NODE_ENV?.toLowerCase() === 'development' && actorId != null) {
      const devSender = (db.prepare('SELECT username, avatar FROM users WHERE id = ?').get(actorId) as { username: string; avatar: string | null } | undefined) ?? null;
      createNotificationForRecipient({
        type: 'simple',
@@ -117,10 +117,11 @@ export function generateDays(tripId: number | bigint | string, startDate: string
    }
  }

-  // Overflow dated days (trip shrunk): convert to dateless instead of deleting
-  const nullify = db.prepare('UPDATE days SET date = NULL, day_number = ? WHERE id = ?');
+  // Overflow dated days (trip shrunk): delete them (issue #909).
+  // Cascade removes their assignments, notes, and accommodations.
+  const del = db.prepare('DELETE FROM days WHERE id = ?');
  for (let i = targetDates.length; i < dated.length; i++) {
-    nullify.run(targetDates.length + (i - targetDates.length) + 1, dated[i].id);
+    del.run(dated[i].id);
  }

  // Any remaining unused dateless days: keep as dateless, just renumber.
@@ -0,0 +1,21 @@
+import { db } from '../db/database';
+
+function cleanupUserReferences(userId: number): void {
+  db.prepare('UPDATE trip_members SET invited_by = NULL WHERE invited_by = ?').run(userId);
+  db.prepare('UPDATE budget_items SET paid_by_user_id = NULL WHERE paid_by_user_id = ?').run(userId);
+  db.prepare('DELETE FROM share_tokens WHERE created_by = ?').run(userId);
+  db.prepare('DELETE FROM journey_share_tokens WHERE created_by = ?').run(userId);
+  // Owned journeys cascade-delete their entries/contributors/share_tokens/photos via journey_id FKs
+  db.prepare('DELETE FROM journeys WHERE user_id = ?').run(userId);
+  // Entries authored on other users' journeys (not covered by the cascade above)
+  db.prepare('DELETE FROM journey_entries WHERE author_id = ?').run(userId);
+  db.prepare('DELETE FROM journey_contributors WHERE user_id = ?').run(userId);
+}
+
+export function deleteUserCompletely(userId: number): void {
+  const tx = db.transaction((id: number) => {
+    cleanupUserReferences(id);
+    db.prepare('DELETE FROM users WHERE id = ?').run(id);
+  });
+  tx(userId);
+}
@@ -1,7 +1,7 @@
 import dns from 'node:dns/promises';
 import { Agent } from 'undici';

-const ALLOW_INTERNAL_NETWORK = process.env.ALLOW_INTERNAL_NETWORK === 'true';
+const ALLOW_INTERNAL_NETWORK = process.env.ALLOW_INTERNAL_NETWORK?.toLowerCase() === 'true';

 export interface SsrfResult {
  allowed: boolean;
@@ -41,7 +41,7 @@ import { createApp } from '../../src/app';
 import { createTables } from '../../src/db/schema';
 import { runMigrations } from '../../src/db/migrations';
 import { resetTestDb } from '../helpers/test-db';
-import { createUser, createAdmin, createInviteToken } from '../helpers/factories';
+import { createUser, createAdmin, createInviteToken, createTrip, createBudgetItem, createJourney, createJourneyEntry, addJourneyContributor, addTripPhoto, createCategory, createTag, createTodoItem, createMcpToken, createBucketListItem, createVisitedCountry, createCollabNote, addTripMember } from '../helpers/factories';
 import { authCookie } from '../helpers/auth';
 import { loginAttempts, mfaAttempts } from '../../src/routes/auth';

@@ -148,6 +148,216 @@ describe('Admin user management', () => {
    expect(deleted).toBeUndefined();
  });

+  it('ADMIN-005b — DELETE /admin/users/:id succeeds when user has FK references', async () => {
+    const { user: admin } = createAdmin(testDb);
+    const { user: target } = createUser(testDb);
+    const { user: otherUser } = createUser(testDb);
+    const { user: thirdUser } = createUser(testDb);
+
+    // trip_members.invited_by: target invited thirdUser to otherUser's trip
+    // (trip survives deletion; only invited_by should become NULL)
+    const otherTrip = createTrip(testDb, otherUser.id);
+    testDb.prepare('INSERT INTO trip_members (trip_id, user_id, invited_by) VALUES (?, ?, ?)').run(otherTrip.id, thirdUser.id, target.id);
+
+    // share_tokens.created_by: target created a share token for otherUser's trip
+    testDb.prepare("INSERT INTO share_tokens (trip_id, token, created_by) VALUES (?, 'tok-admin-test', ?)").run(otherTrip.id, target.id);
+
+    // budget_items.paid_by_user_id: target paid for an expense on otherUser's trip
+    const budgetItem = createBudgetItem(testDb, otherTrip.id);
+    testDb.prepare('UPDATE budget_items SET paid_by_user_id = ? WHERE id = ?').run(target.id, budgetItem.id);
+
+    // journey_contributors: target is a contributor on otherUser's journey
+    const otherJourney = createJourney(testDb, otherUser.id);
+    addJourneyContributor(testDb, otherJourney.id, target.id);
+
+    // journey_entries: target authored an entry on otherUser's journey
+    createJourneyEntry(testDb, otherJourney.id, target.id);
+
+    // journey_share_tokens: target created a share token for otherUser's journey
+    testDb.prepare("INSERT INTO journey_share_tokens (journey_id, token, created_by) VALUES (?, 'jst-admin-test', ?)").run(otherJourney.id, target.id);
+
+    // notifications.sender_id (SET NULL): target sent a notification to otherUser
+    const sentNotif = testDb.prepare(
+      "INSERT INTO notifications (type, scope, target, sender_id, recipient_id, title_key, text_key) VALUES ('simple', 'trip', ?, ?, ?, 'k', 'k')"
+    ).run(otherTrip.id, target.id, otherUser.id);
+    // notifications.recipient_id (CASCADE): otherUser sent a notification to target
+    testDb.prepare(
+      "INSERT INTO notifications (type, scope, target, sender_id, recipient_id, title_key, text_key) VALUES ('simple', 'trip', ?, ?, ?, 'k', 'k')"
+    ).run(otherTrip.id, otherUser.id, target.id);
+
+    // user_notice_dismissals (CASCADE): target dismissed a notice
+    testDb.prepare(
+      "INSERT INTO user_notice_dismissals (user_id, notice_id, dismissed_at) VALUES (?, 'test-notice', ?)"
+    ).run(target.id, Date.now());
+
+    // owned journey: target owns a journey with an entry (cascade-deletes on journey deletion)
+    const ownedJourney = createJourney(testDb, target.id);
+    createJourneyEntry(testDb, ownedJourney.id, target.id);
+
+    // trip_files.uploaded_by (SET NULL): target uploaded a file to otherUser's trip
+    const fileRow = testDb.prepare(
+      "INSERT INTO trip_files (trip_id, filename, original_name, uploaded_by) VALUES (?, 'f.pdf', 'file.pdf', ?)"
+    ).run(otherTrip.id, target.id);
+
+    // trek_photos.owner_id (SET NULL): target owns a photo in the central registry
+    const trekPhotoRow = testDb.prepare(
+      "INSERT INTO trek_photos (provider, asset_id, owner_id) VALUES ('immich', 'asset-admin-test', ?)"
+    ).run(target.id);
+
+    // trip_photos.user_id (CASCADE): target added a photo to otherUser's trip
+    addTripPhoto(testDb, otherTrip.id, target.id, 'asset-tp-admin', 'immich');
+
+    // trips.user_id (CASCADE): target owns a trip
+    const ownedTrip = createTrip(testDb, target.id);
+
+    // trip_members.user_id (CASCADE): target is a member of otherUser's trip
+    addTripMember(testDb, otherTrip.id, target.id);
+
+    // categories.user_id (SET NULL): target created a category
+    const userCategory = createCategory(testDb, { user_id: target.id });
+
+    // tags.user_id (CASCADE): target created a tag
+    const userTag = createTag(testDb, target.id);
+
+    // todo_items.assigned_user_id (SET NULL): target is assigned to a todo on otherUser's trip
+    const todoItem = createTodoItem(testDb, otherTrip.id);
+    testDb.prepare('UPDATE todo_items SET assigned_user_id = ? WHERE id = ?').run(target.id, todoItem.id);
+
+    // packing_bags.user_id (SET NULL): target owns a packing bag on otherUser's trip
+    const packBagRow = testDb.prepare(
+      "INSERT INTO packing_bags (trip_id, name, color, user_id) VALUES (?, 'Bag', '#ff0000', ?)"
+    ).run(otherTrip.id, target.id);
+
+    // mcp_tokens.user_id (CASCADE): target has an MCP API token
+    createMcpToken(testDb, target.id);
+
+    // oauth_tokens/consents.user_id (CASCADE): target has tokens from otherUser's OAuth client
+    testDb.prepare(
+      "INSERT INTO oauth_clients (id, user_id, name, client_id, client_secret_hash) VALUES ('cl-admin-test', ?, 'App', 'cid-admin-test', 'h')"
+    ).run(otherUser.id);
+    testDb.prepare(
+      "INSERT INTO oauth_tokens (client_id, user_id, access_token_hash, refresh_token_hash, access_token_expires_at, refresh_token_expires_at) VALUES ('cid-admin-test', ?, 'ath-admin', 'rth-admin', datetime('now','+1 hour'), datetime('now','+30 days'))"
+    ).run(target.id);
+    testDb.prepare(
+      "INSERT INTO oauth_consents (client_id, user_id) VALUES ('cid-admin-test', ?)"
+    ).run(target.id);
+
+    // vacay_plans.owner_id (CASCADE): target owns a vacation plan
+    const vacayPlanRow = testDb.prepare("INSERT INTO vacay_plans (owner_id) VALUES (?)").run(target.id);
+
+    // vacay_plan_members.user_id (CASCADE): target is a member of otherUser's vacay plan
+    const otherVacayPlanRow = testDb.prepare("INSERT INTO vacay_plans (owner_id) VALUES (?)").run(otherUser.id);
+    testDb.prepare("INSERT INTO vacay_plan_members (plan_id, user_id) VALUES (?, ?)").run(otherVacayPlanRow.lastInsertRowid, target.id);
+
+    // bucket_list.user_id (CASCADE): target has a bucket list item
+    createBucketListItem(testDb, target.id);
+
+    // visited_countries.user_id (CASCADE): target has visited a country
+    createVisitedCountry(testDb, target.id, 'JP');
+
+    // visited_regions.user_id (CASCADE): target has visited a region
+    testDb.prepare(
+      "INSERT INTO visited_regions (user_id, region_code, region_name, country_code) VALUES (?, 'JP-13', 'Tokyo', 'JP')"
+    ).run(target.id);
+
+    // packing_templates.created_by (CASCADE): target created a packing template
+    const packTemplateRow = testDb.prepare(
+      "INSERT INTO packing_templates (name, created_by) VALUES ('My Template', ?)"
+    ).run(target.id);
+
+    // invite_tokens.created_by (CASCADE): target created an invite token
+    createInviteToken(testDb, { created_by: target.id });
+
+    // collab_notes.user_id (CASCADE): target authored a collab note on otherUser's trip
+    createCollabNote(testDb, otherTrip.id, target.id);
+
+    // settings.user_id (CASCADE): target has a user setting
+    testDb.prepare("INSERT INTO settings (user_id, key, value) VALUES (?, 'theme', 'dark')").run(target.id);
+
+    // password_reset_tokens.user_id (CASCADE): target has a pending password reset
+    testDb.prepare(
+      "INSERT INTO password_reset_tokens (user_id, token_hash, expires_at) VALUES (?, 'prt-hash-admin', datetime('now','+1 hour'))"
+    ).run(target.id);
+
+    // audit_log.user_id (SET NULL): target performed an audited action
+    const auditRow = testDb.prepare(
+      "INSERT INTO audit_log (user_id, action, ip) VALUES (?, 'test.action', '127.0.0.1')"
+    ).run(target.id);
+
+    // notification_channel_preferences.user_id (CASCADE): target has notification preferences
+    testDb.prepare("INSERT OR IGNORE INTO notification_channel_preferences (user_id, event_type, channel) VALUES (?, 'trip_invite', 'email')").run(target.id);
+
+    const res = await request(app)
+      .delete(`/api/admin/users/${target.id}`)
+      .set('Cookie', authCookie(admin.id));
+    expect(res.status).toBe(200);
+    expect(res.body.success).toBe(true);
+
+    expect(testDb.prepare('SELECT id FROM users WHERE id = ?').get(target.id)).toBeUndefined();
+    // trip_members row survives but invited_by is now NULL
+    expect((testDb.prepare('SELECT invited_by FROM trip_members WHERE trip_id = ? AND user_id = ?').get(otherTrip.id, thirdUser.id) as any).invited_by).toBeNull();
+    expect(testDb.prepare('SELECT id FROM share_tokens WHERE created_by = ?').get(target.id)).toBeUndefined();
+    expect((testDb.prepare('SELECT paid_by_user_id FROM budget_items WHERE id = ?').get(budgetItem.id) as any).paid_by_user_id).toBeNull();
+    expect(testDb.prepare('SELECT user_id FROM journey_contributors WHERE journey_id = ? AND user_id = ?').get(otherJourney.id, target.id)).toBeUndefined();
+    expect(testDb.prepare('SELECT id FROM journey_entries WHERE author_id = ?').get(target.id)).toBeUndefined();
+    expect(testDb.prepare('SELECT id FROM journey_share_tokens WHERE created_by = ?').get(target.id)).toBeUndefined();
+    // sent notification survives but sender_id becomes NULL
+    expect((testDb.prepare('SELECT sender_id FROM notifications WHERE id = ?').get(sentNotif.lastInsertRowid) as any).sender_id).toBeNull();
+    // received notification is cascade-deleted
+    expect(testDb.prepare('SELECT id FROM notifications WHERE recipient_id = ?').get(target.id)).toBeUndefined();
+    // notice dismissals are cascade-deleted
+    expect(testDb.prepare("SELECT user_id FROM user_notice_dismissals WHERE user_id = ? AND notice_id = 'test-notice'").get(target.id)).toBeUndefined();
+    // owned journey and its entries are cascade-deleted
+    expect(testDb.prepare('SELECT id FROM journeys WHERE user_id = ?').get(target.id)).toBeUndefined();
+    expect(testDb.prepare('SELECT id FROM journey_entries WHERE journey_id = ?').get(ownedJourney.id)).toBeUndefined();
+    // uploaded file survives but uploaded_by is now NULL
+    expect((testDb.prepare('SELECT uploaded_by FROM trip_files WHERE id = ?').get(fileRow.lastInsertRowid) as any).uploaded_by).toBeNull();
+    // trek_photos row survives but owner_id is now NULL
+    expect((testDb.prepare('SELECT owner_id FROM trek_photos WHERE id = ?').get(trekPhotoRow.lastInsertRowid) as any).owner_id).toBeNull();
+    // trip_photos row for target is cascade-deleted
+    expect(testDb.prepare("SELECT id FROM trip_photos WHERE trip_id = ? AND user_id = ?").get(otherTrip.id, target.id)).toBeUndefined();
+    // owned trip is cascade-deleted
+    expect(testDb.prepare('SELECT id FROM trips WHERE id = ?').get(ownedTrip.id)).toBeUndefined();
+    // trip membership on others' trips is removed
+    expect(testDb.prepare('SELECT id FROM trip_members WHERE trip_id = ? AND user_id = ?').get(otherTrip.id, target.id)).toBeUndefined();
+    // category survives but user_id is NULL
+    expect((testDb.prepare('SELECT user_id FROM categories WHERE id = ?').get(userCategory.id) as any).user_id).toBeNull();
+    // tag is deleted
+    expect(testDb.prepare('SELECT id FROM tags WHERE id = ?').get(userTag.id)).toBeUndefined();
+    // todo assigned_user_id is NULL
+    expect((testDb.prepare('SELECT assigned_user_id FROM todo_items WHERE id = ?').get(todoItem.id) as any).assigned_user_id).toBeNull();
+    // packing bag survives but user_id is NULL
+    expect((testDb.prepare('SELECT user_id FROM packing_bags WHERE id = ?').get(packBagRow.lastInsertRowid) as any).user_id).toBeNull();
+    // MCP tokens are deleted
+    expect(testDb.prepare('SELECT id FROM mcp_tokens WHERE user_id = ?').get(target.id)).toBeUndefined();
+    // OAuth tokens and consents are deleted
+    expect(testDb.prepare('SELECT id FROM oauth_tokens WHERE user_id = ?').get(target.id)).toBeUndefined();
+    expect(testDb.prepare('SELECT id FROM oauth_consents WHERE user_id = ?').get(target.id)).toBeUndefined();
+    // owned vacay plan is deleted
+    expect(testDb.prepare('SELECT id FROM vacay_plans WHERE id = ?').get(vacayPlanRow.lastInsertRowid)).toBeUndefined();
+    // vacay plan membership on others' plans is removed
+    expect(testDb.prepare('SELECT id FROM vacay_plan_members WHERE plan_id = ? AND user_id = ?').get(otherVacayPlanRow.lastInsertRowid, target.id)).toBeUndefined();
+    // bucket list items are deleted
+    expect(testDb.prepare('SELECT id FROM bucket_list WHERE user_id = ?').get(target.id)).toBeUndefined();
+    // travel history is deleted
+    expect(testDb.prepare('SELECT user_id FROM visited_countries WHERE user_id = ? AND country_code = ?').get(target.id, 'JP')).toBeUndefined();
+    expect(testDb.prepare('SELECT id FROM visited_regions WHERE user_id = ?').get(target.id)).toBeUndefined();
+    // packing template is deleted
+    expect(testDb.prepare('SELECT id FROM packing_templates WHERE id = ?').get(packTemplateRow.lastInsertRowid)).toBeUndefined();
+    // invite tokens created by target are deleted
+    expect(testDb.prepare('SELECT id FROM invite_tokens WHERE created_by = ?').get(target.id)).toBeUndefined();
+    // collab content is deleted
+    expect(testDb.prepare('SELECT id FROM collab_notes WHERE user_id = ? AND trip_id = ?').get(target.id, otherTrip.id)).toBeUndefined();
+    // user settings are deleted
+    expect(testDb.prepare("SELECT id FROM settings WHERE user_id = ?").get(target.id)).toBeUndefined();
+    // password reset tokens are deleted
+    expect(testDb.prepare('SELECT id FROM password_reset_tokens WHERE user_id = ?').get(target.id)).toBeUndefined();
+    // audit log entry survives but user_id is NULL
+    expect((testDb.prepare('SELECT user_id FROM audit_log WHERE id = ?').get(auditRow.lastInsertRowid) as any).user_id).toBeNull();
+    // notification channel preferences are deleted
+    expect(testDb.prepare("SELECT user_id FROM notification_channel_preferences WHERE user_id = ? AND event_type = 'trip_invite'").get(target.id)).toBeUndefined();
+  });
+
  it('ADMIN-006 — admin cannot delete their own account', async () => {
    const { user: admin } = createAdmin(testDb);

@@ -52,7 +52,7 @@ import { createApp } from '../../src/app';
 import { createTables } from '../../src/db/schema';
 import { runMigrations } from '../../src/db/migrations';
 import { resetTestDb } from '../helpers/test-db';
-import { createUser, createAdmin, createUserWithMfa, createInviteToken } from '../helpers/factories';
+import { createUser, createAdmin, createUserWithMfa, createInviteToken, createTrip, createBudgetItem, createJourney, createJourneyEntry, addJourneyContributor, addTripPhoto, createCategory, createTag, createTodoItem, createMcpToken, createBucketListItem, createVisitedCountry, createCollabNote, addTripMember } from '../helpers/factories';
 import { authCookie, authHeader } from '../helpers/auth';
 import { loginAttempts, mfaAttempts } from '../../src/routes/auth';

@@ -509,6 +509,225 @@ describe('Extended auth scenarios', () => {
  });
 });

+// ─────────────────────────────────────────────────────────────────────────────
+// Account deletion
+// ─────────────────────────────────────────────────────────────────────────────
+
+describe('Account deletion', () => {
+  it('AUTH-040 — DELETE /auth/me succeeds when user has FK references', async () => {
+    const { user: admin } = createAdmin(testDb);
+    const { user: target } = createUser(testDb);
+    const { user: otherUser } = createUser(testDb);
+    const { user: thirdUser } = createUser(testDb);
+
+    // trip_members.invited_by: target invited thirdUser to otherUser's trip
+    // (trip survives deletion; only invited_by should become NULL)
+    const otherTrip = createTrip(testDb, otherUser.id);
+    testDb.prepare('INSERT INTO trip_members (trip_id, user_id, invited_by) VALUES (?, ?, ?)').run(otherTrip.id, thirdUser.id, target.id);
+
+    // share_tokens.created_by: target created a share token for otherUser's trip
+    testDb.prepare("INSERT INTO share_tokens (trip_id, token, created_by) VALUES (?, 'tok-auth-test', ?)").run(otherTrip.id, target.id);
+
+    // budget_items.paid_by_user_id: target paid for an expense on otherUser's trip
+    const budgetItem = createBudgetItem(testDb, otherTrip.id);
+    testDb.prepare('UPDATE budget_items SET paid_by_user_id = ? WHERE id = ?').run(target.id, budgetItem.id);
+
+    // journey_contributors: target is a contributor on otherUser's journey
+    const otherJourney = createJourney(testDb, otherUser.id);
+    addJourneyContributor(testDb, otherJourney.id, target.id);
+
+    // journey_entries: target authored an entry on otherUser's journey
+    createJourneyEntry(testDb, otherJourney.id, target.id);
+
+    // journey_share_tokens: target created a share token for otherUser's journey
+    testDb.prepare("INSERT INTO journey_share_tokens (journey_id, token, created_by) VALUES (?, 'jst-auth-test', ?)").run(otherJourney.id, target.id);
+
+    // notifications.sender_id (SET NULL): target sent a notification to otherUser
+    const sentNotif = testDb.prepare(
+      "INSERT INTO notifications (type, scope, target, sender_id, recipient_id, title_key, text_key) VALUES ('simple', 'trip', ?, ?, ?, 'k', 'k')"
+    ).run(otherTrip.id, target.id, otherUser.id);
+    // notifications.recipient_id (CASCADE): otherUser sent a notification to target
+    testDb.prepare(
+      "INSERT INTO notifications (type, scope, target, sender_id, recipient_id, title_key, text_key) VALUES ('simple', 'trip', ?, ?, ?, 'k', 'k')"
+    ).run(otherTrip.id, otherUser.id, target.id);
+
+    // user_notice_dismissals (CASCADE): target dismissed a notice
+    testDb.prepare(
+      "INSERT INTO user_notice_dismissals (user_id, notice_id, dismissed_at) VALUES (?, 'test-notice', ?)"
+    ).run(target.id, Date.now());
+
+    // owned journey: target owns a journey with an entry (cascade-deletes on journey deletion)
+    const ownedJourney = createJourney(testDb, target.id);
+    createJourneyEntry(testDb, ownedJourney.id, target.id);
+
+    // trip_files.uploaded_by (SET NULL): target uploaded a file to otherUser's trip
+    const fileRow = testDb.prepare(
+      "INSERT INTO trip_files (trip_id, filename, original_name, uploaded_by) VALUES (?, 'f.pdf', 'file.pdf', ?)"
+    ).run(otherTrip.id, target.id);
+
+    // trek_photos.owner_id (SET NULL): target owns a photo in the central registry
+    const trekPhotoRow = testDb.prepare(
+      "INSERT INTO trek_photos (provider, asset_id, owner_id) VALUES ('immich', 'asset-auth-test', ?)"
+    ).run(target.id);
+
+    // trip_photos.user_id (CASCADE): target added a photo to otherUser's trip
+    addTripPhoto(testDb, otherTrip.id, target.id, 'asset-tp-auth', 'immich');
+
+    // trips.user_id (CASCADE): target owns a trip
+    const ownedTrip = createTrip(testDb, target.id);
+
+    // trip_members.user_id (CASCADE): target is a member of otherUser's trip
+    addTripMember(testDb, otherTrip.id, target.id);
+
+    // categories.user_id (SET NULL): target created a category
+    const userCategory = createCategory(testDb, { user_id: target.id });
+
+    // tags.user_id (CASCADE): target created a tag
+    const userTag = createTag(testDb, target.id);
+
+    // todo_items.assigned_user_id (SET NULL): target is assigned to a todo on otherUser's trip
+    const todoItem = createTodoItem(testDb, otherTrip.id);
+    testDb.prepare('UPDATE todo_items SET assigned_user_id = ? WHERE id = ?').run(target.id, todoItem.id);
+
+    // packing_bags.user_id (SET NULL): target owns a packing bag on otherUser's trip
+    const packBagRow = testDb.prepare(
+      "INSERT INTO packing_bags (trip_id, name, color, user_id) VALUES (?, 'Bag', '#ff0000', ?)"
+    ).run(otherTrip.id, target.id);
+
+    // mcp_tokens.user_id (CASCADE): target has an MCP API token
+    createMcpToken(testDb, target.id);
+
+    // oauth_tokens/consents.user_id (CASCADE): target has tokens from otherUser's OAuth client
+    testDb.prepare(
+      "INSERT INTO oauth_clients (id, user_id, name, client_id, client_secret_hash) VALUES ('cl-auth-test', ?, 'App', 'cid-auth-test', 'h')"
+    ).run(otherUser.id);
+    testDb.prepare(
+      "INSERT INTO oauth_tokens (client_id, user_id, access_token_hash, refresh_token_hash, access_token_expires_at, refresh_token_expires_at) VALUES ('cid-auth-test', ?, 'ath-auth', 'rth-auth', datetime('now','+1 hour'), datetime('now','+30 days'))"
+    ).run(target.id);
+    testDb.prepare(
+      "INSERT INTO oauth_consents (client_id, user_id) VALUES ('cid-auth-test', ?)"
+    ).run(target.id);
+
+    // vacay_plans.owner_id (CASCADE): target owns a vacation plan
+    const vacayPlanRow = testDb.prepare("INSERT INTO vacay_plans (owner_id) VALUES (?)").run(target.id);
+
+    // vacay_plan_members.user_id (CASCADE): target is a member of otherUser's vacay plan
+    const otherVacayPlanRow = testDb.prepare("INSERT INTO vacay_plans (owner_id) VALUES (?)").run(otherUser.id);
+    testDb.prepare("INSERT INTO vacay_plan_members (plan_id, user_id) VALUES (?, ?)").run(otherVacayPlanRow.lastInsertRowid, target.id);
+
+    // bucket_list.user_id (CASCADE): target has a bucket list item
+    createBucketListItem(testDb, target.id);
+
+    // visited_countries.user_id (CASCADE): target has visited a country
+    createVisitedCountry(testDb, target.id, 'JP');
+
+    // visited_regions.user_id (CASCADE): target has visited a region
+    testDb.prepare(
+      "INSERT INTO visited_regions (user_id, region_code, region_name, country_code) VALUES (?, 'JP-13', 'Tokyo', 'JP')"
+    ).run(target.id);
+
+    // packing_templates.created_by (CASCADE): target created a packing template
+    const packTemplateRow = testDb.prepare(
+      "INSERT INTO packing_templates (name, created_by) VALUES ('My Template', ?)"
+    ).run(target.id);
+
+    // invite_tokens.created_by (CASCADE): target created an invite token
+    createInviteToken(testDb, { created_by: target.id });
+
+    // collab_notes.user_id (CASCADE): target authored a collab note on otherUser's trip
+    createCollabNote(testDb, otherTrip.id, target.id);
+
+    // settings.user_id (CASCADE): target has a user setting
+    testDb.prepare("INSERT INTO settings (user_id, key, value) VALUES (?, 'theme', 'dark')").run(target.id);
+
+    // password_reset_tokens.user_id (CASCADE): target has a pending password reset
+    testDb.prepare(
+      "INSERT INTO password_reset_tokens (user_id, token_hash, expires_at) VALUES (?, 'prt-hash-auth', datetime('now','+1 hour'))"
+    ).run(target.id);
+
+    // audit_log.user_id (SET NULL): target performed an audited action
+    const auditRow = testDb.prepare(
+      "INSERT INTO audit_log (user_id, action, ip) VALUES (?, 'test.action', '127.0.0.1')"
+    ).run(target.id);
+
+    // notification_channel_preferences.user_id (CASCADE): target has notification preferences
+    testDb.prepare("INSERT OR IGNORE INTO notification_channel_preferences (user_id, event_type, channel) VALUES (?, 'trip_invite', 'email')").run(target.id);
+
+    // admin exists to ensure target (non-admin user) passes the last-admin guard
+    void admin;
+
+    const res = await request(app)
+      .delete('/api/auth/me')
+      .set('Cookie', authCookie(target.id));
+    expect(res.status).toBe(200);
+    expect(res.body.success).toBe(true);
+
+    expect(testDb.prepare('SELECT id FROM users WHERE id = ?').get(target.id)).toBeUndefined();
+    // trip_members row survives but invited_by is now NULL
+    expect((testDb.prepare('SELECT invited_by FROM trip_members WHERE trip_id = ? AND user_id = ?').get(otherTrip.id, thirdUser.id) as any).invited_by).toBeNull();
+    expect(testDb.prepare('SELECT id FROM share_tokens WHERE created_by = ?').get(target.id)).toBeUndefined();
+    expect((testDb.prepare('SELECT paid_by_user_id FROM budget_items WHERE id = ?').get(budgetItem.id) as any).paid_by_user_id).toBeNull();
+    expect(testDb.prepare('SELECT user_id FROM journey_contributors WHERE journey_id = ? AND user_id = ?').get(otherJourney.id, target.id)).toBeUndefined();
+    expect(testDb.prepare('SELECT id FROM journey_entries WHERE author_id = ?').get(target.id)).toBeUndefined();
+    expect(testDb.prepare('SELECT id FROM journey_share_tokens WHERE created_by = ?').get(target.id)).toBeUndefined();
+    // sent notification survives but sender_id becomes NULL
+    expect((testDb.prepare('SELECT sender_id FROM notifications WHERE id = ?').get(sentNotif.lastInsertRowid) as any).sender_id).toBeNull();
+    // received notification is cascade-deleted
+    expect(testDb.prepare('SELECT id FROM notifications WHERE recipient_id = ?').get(target.id)).toBeUndefined();
+    // notice dismissals are cascade-deleted
+    expect(testDb.prepare("SELECT user_id FROM user_notice_dismissals WHERE user_id = ? AND notice_id = 'test-notice'").get(target.id)).toBeUndefined();
+    // owned journey and its entries are cascade-deleted
+    expect(testDb.prepare('SELECT id FROM journeys WHERE user_id = ?').get(target.id)).toBeUndefined();
+    expect(testDb.prepare('SELECT id FROM journey_entries WHERE journey_id = ?').get(ownedJourney.id)).toBeUndefined();
+    // uploaded file survives but uploaded_by is now NULL
+    expect((testDb.prepare('SELECT uploaded_by FROM trip_files WHERE id = ?').get(fileRow.lastInsertRowid) as any).uploaded_by).toBeNull();
+    // trek_photos row survives but owner_id is now NULL
+    expect((testDb.prepare('SELECT owner_id FROM trek_photos WHERE id = ?').get(trekPhotoRow.lastInsertRowid) as any).owner_id).toBeNull();
+    // trip_photos row for target is cascade-deleted
+    expect(testDb.prepare("SELECT id FROM trip_photos WHERE trip_id = ? AND user_id = ?").get(otherTrip.id, target.id)).toBeUndefined();
+    // owned trip is cascade-deleted
+    expect(testDb.prepare('SELECT id FROM trips WHERE id = ?').get(ownedTrip.id)).toBeUndefined();
+    // trip membership on others' trips is removed
+    expect(testDb.prepare('SELECT id FROM trip_members WHERE trip_id = ? AND user_id = ?').get(otherTrip.id, target.id)).toBeUndefined();
+    // category survives but user_id is NULL
+    expect((testDb.prepare('SELECT user_id FROM categories WHERE id = ?').get(userCategory.id) as any).user_id).toBeNull();
+    // tag is deleted
+    expect(testDb.prepare('SELECT id FROM tags WHERE id = ?').get(userTag.id)).toBeUndefined();
+    // todo assigned_user_id is NULL
+    expect((testDb.prepare('SELECT assigned_user_id FROM todo_items WHERE id = ?').get(todoItem.id) as any).assigned_user_id).toBeNull();
+    // packing bag survives but user_id is NULL
+    expect((testDb.prepare('SELECT user_id FROM packing_bags WHERE id = ?').get(packBagRow.lastInsertRowid) as any).user_id).toBeNull();
+    // MCP tokens are deleted
+    expect(testDb.prepare('SELECT id FROM mcp_tokens WHERE user_id = ?').get(target.id)).toBeUndefined();
+    // OAuth tokens and consents are deleted
+    expect(testDb.prepare('SELECT id FROM oauth_tokens WHERE user_id = ?').get(target.id)).toBeUndefined();
+    expect(testDb.prepare('SELECT id FROM oauth_consents WHERE user_id = ?').get(target.id)).toBeUndefined();
+    // owned vacay plan is deleted
+    expect(testDb.prepare('SELECT id FROM vacay_plans WHERE id = ?').get(vacayPlanRow.lastInsertRowid)).toBeUndefined();
+    // vacay plan membership on others' plans is removed
+    expect(testDb.prepare('SELECT id FROM vacay_plan_members WHERE plan_id = ? AND user_id = ?').get(otherVacayPlanRow.lastInsertRowid, target.id)).toBeUndefined();
+    // bucket list items are deleted
+    expect(testDb.prepare('SELECT id FROM bucket_list WHERE user_id = ?').get(target.id)).toBeUndefined();
+    // travel history is deleted
+    expect(testDb.prepare('SELECT user_id FROM visited_countries WHERE user_id = ? AND country_code = ?').get(target.id, 'JP')).toBeUndefined();
+    expect(testDb.prepare('SELECT id FROM visited_regions WHERE user_id = ?').get(target.id)).toBeUndefined();
+    // packing template is deleted
+    expect(testDb.prepare('SELECT id FROM packing_templates WHERE id = ?').get(packTemplateRow.lastInsertRowid)).toBeUndefined();
+    // invite tokens created by target are deleted
+    expect(testDb.prepare('SELECT id FROM invite_tokens WHERE created_by = ?').get(target.id)).toBeUndefined();
+    // collab content is deleted
+    expect(testDb.prepare('SELECT id FROM collab_notes WHERE user_id = ? AND trip_id = ?').get(target.id, otherTrip.id)).toBeUndefined();
+    // user settings are deleted
+    expect(testDb.prepare("SELECT id FROM settings WHERE user_id = ?").get(target.id)).toBeUndefined();
+    // password reset tokens are deleted
+    expect(testDb.prepare('SELECT id FROM password_reset_tokens WHERE user_id = ?').get(target.id)).toBeUndefined();
+    // audit log entry survives but user_id is NULL
+    expect((testDb.prepare('SELECT user_id FROM audit_log WHERE id = ?').get(auditRow.lastInsertRowid) as any).user_id).toBeNull();
+    // notification channel preferences are deleted
+    expect(testDb.prepare("SELECT user_id FROM notification_channel_preferences WHERE user_id = ? AND event_type = 'trip_invite'").get(target.id)).toBeUndefined();
+  });
+});
+
 // ─────────────────────────────────────────────────────────────────────────────
 // Rate limiting (AUTH-004, AUTH-018) — placed last
 // ─────────────────────────────────────────────────────────────────────────────
@@ -463,7 +463,7 @@ describe('Update trip', () => {
    expect(notesAfter!.day_id).toBe(daysAfter[1].id);
  });

-  it('TRIP-024 — Shrinking trip date range keeps overflow days as dateless with content intact', async () => {
+  it('TRIP-024 — Shrinking trip date range deletes overflow days and their content', async () => {
    const { user } = createUser(testDb);
    const trip = createTrip(testDb, user.id, { start_date: '2026-09-01', end_date: '2026-09-05' });

@@ -481,13 +481,12 @@ describe('Update trip', () => {
    expect(res.status).toBe(200);

    const daysAfter = testDb.prepare('SELECT * FROM days WHERE trip_id = ? ORDER BY day_number').all(trip.id) as { id: number; date: string | null }[];
-    expect(daysAfter).toHaveLength(5);
-    expect(daysAfter.filter(d => d.date !== null)).toHaveLength(3);
-    expect(daysAfter.filter(d => d.date === null)).toHaveLength(2);
+    expect(daysAfter).toHaveLength(3);
+    expect(daysAfter.every(d => d.date !== null)).toBe(true);

-    // Overflow assignments survived
+    // Overflow days and their assignments deleted
    const all = testDb.prepare('SELECT * FROM day_assignments WHERE id IN (?, ?)').all(a4.id, a5.id) as { id: number }[];
-    expect(all).toHaveLength(2);
+    expect(all).toHaveLength(0);
  });
 });

@@ -1,4 +1,4 @@
-import { describe, it, expect, vi } from 'vitest';
+import { describe, it, expect, vi, beforeEach } from 'vitest';

 // Prevent node-cron from scheduling anything at import time
 vi.mock('node-cron', () => ({
@@ -17,6 +17,7 @@ vi.mock('node:fs', () => ({
    writeFileSync: vi.fn(),
    readdirSync: vi.fn(() => []),
    statSync: vi.fn(() => ({ mtime: new Date(), size: 0 })),
+    unlinkSync: vi.fn(),
    createWriteStream: vi.fn(() => ({ on: vi.fn(), pipe: vi.fn() })),
  },
  existsSync: vi.fn(() => false),
@@ -25,14 +26,20 @@ vi.mock('node:fs', () => ({
  writeFileSync: vi.fn(),
  readdirSync: vi.fn(() => []),
  statSync: vi.fn(() => ({ mtime: new Date(), size: 0 })),
+  unlinkSync: vi.fn(),
  createWriteStream: vi.fn(() => ({ on: vi.fn(), pipe: vi.fn() })),
 }));
 vi.mock('../../../src/db/database', () => ({
  db: { prepare: () => ({ all: vi.fn(() => []), get: vi.fn(), run: vi.fn() }) },
 }));
 vi.mock('../../../src/config', () => ({ JWT_SECRET: 'test-secret', ENCRYPTION_KEY: '0'.repeat(64) }));
+vi.mock('../../src/services/auditLog', () => ({
+  logInfo: vi.fn(),
+  logError: vi.fn(),
+}));

-import { buildCronExpression } from '../../src/scheduler';
+import fs from 'node:fs';
+import { buildCronExpression, cleanupOldBackups } from '../../src/scheduler';

 interface BackupSettings {
  enabled: boolean;
@@ -130,3 +137,82 @@ describe('buildCronExpression', () => {
    });
  });
 });
+
+describe('cleanupOldBackups', () => {
+  const DAY = 24 * 60 * 60 * 1000;
+  const NOW = new Date('2026-04-27T02:00:00Z').getTime();
+
+  function isoFilename(daysAgo: number, prefix: 'auto-backup' | 'backup' = 'auto-backup'): string {
+    const d = new Date(NOW - daysAgo * DAY);
+    const stamp = d.toISOString().replace(/[:.]/g, '-').slice(0, 19);
+    return `${prefix}-${stamp}.zip`;
+  }
+
+  beforeEach(() => {
+    vi.mocked(fs.readdirSync).mockReset();
+    vi.mocked(fs.statSync).mockReset();
+    vi.mocked(fs.unlinkSync as ReturnType<typeof vi.fn>).mockReset();
+    (vi.mocked(fs.statSync) as ReturnType<typeof vi.fn>).mockReturnValue({ mtime: new Date(), mtimeMs: NOW, birthtimeMs: NOW, size: 0 });
+  });
+
+  it('never deletes manual backup-*.zip files regardless of age', () => {
+    const manual = isoFilename(365 * 5, 'backup');
+    const auto = isoFilename(0);
+    vi.mocked(fs.readdirSync).mockReturnValue([manual, auto] as unknown as string[]);
+    cleanupOldBackups(7, NOW);
+    const deleted = (vi.mocked(fs.unlinkSync as ReturnType<typeof vi.fn>)).mock.calls.map((c: unknown[]) => c[0] as string);
+    expect(deleted.some((p: string) => p.includes(manual))).toBe(false);
+  });
+
+  it('keeps auto-backups newer than retention', () => {
+    const recent = isoFilename(3);
+    vi.mocked(fs.readdirSync).mockReturnValue([recent] as unknown as string[]);
+    cleanupOldBackups(7, NOW);
+    expect(vi.mocked(fs.unlinkSync as ReturnType<typeof vi.fn>)).not.toHaveBeenCalled();
+  });
+
+  it('deletes auto-backups older than retention', () => {
+    const old = isoFilename(30);
+    vi.mocked(fs.readdirSync).mockReturnValue([old] as unknown as string[]);
+    cleanupOldBackups(7, NOW);
+    expect(vi.mocked(fs.unlinkSync as ReturnType<typeof vi.fn>)).toHaveBeenCalledOnce();
+    const [calledPath] = (vi.mocked(fs.unlinkSync as ReturnType<typeof vi.fn>)).mock.calls[0] as string[];
+    expect(calledPath).toContain(old);
+  });
+
+  it('overlayfs regression: birthtimeMs=0 does not delete a same-day backup', () => {
+    const fresh = isoFilename(0);
+    vi.mocked(fs.readdirSync).mockReturnValue([fresh] as unknown as string[]);
+    (vi.mocked(fs.statSync) as ReturnType<typeof vi.fn>).mockReturnValue({ birthtimeMs: 0, mtimeMs: NOW, mtime: new Date(NOW), size: 100 });
+    cleanupOldBackups(7, NOW);
+    expect(vi.mocked(fs.unlinkSync as ReturnType<typeof vi.fn>)).not.toHaveBeenCalled();
+  });
+
+  it('malformed filename falls back to mtimeMs: keeps recent file', () => {
+    vi.mocked(fs.readdirSync).mockReturnValue(['auto-backup-garbage.zip'] as unknown as string[]);
+    (vi.mocked(fs.statSync) as ReturnType<typeof vi.fn>).mockReturnValue({ birthtimeMs: 0, mtimeMs: NOW - 1 * DAY, mtime: new Date(NOW - 1 * DAY), size: 0 });
+    cleanupOldBackups(7, NOW);
+    expect(vi.mocked(fs.unlinkSync as ReturnType<typeof vi.fn>)).not.toHaveBeenCalled();
+  });
+
+  it('malformed filename falls back to mtimeMs: deletes stale file', () => {
+    vi.mocked(fs.readdirSync).mockReturnValue(['auto-backup-garbage.zip'] as unknown as string[]);
+    (vi.mocked(fs.statSync) as ReturnType<typeof vi.fn>).mockReturnValue({ birthtimeMs: 0, mtimeMs: NOW - 30 * DAY, mtime: new Date(NOW - 30 * DAY), size: 0 });
+    cleanupOldBackups(7, NOW);
+    expect(vi.mocked(fs.unlinkSync as ReturnType<typeof vi.fn>)).toHaveBeenCalledOnce();
+  });
+
+  it('ignores non-zip files and does not crash', () => {
+    const old = isoFilename(30);
+    vi.mocked(fs.readdirSync).mockReturnValue([old, 'notes.txt'] as unknown as string[]);
+    cleanupOldBackups(7, NOW);
+    const calls = (vi.mocked(fs.unlinkSync as ReturnType<typeof vi.fn>)).mock.calls as string[][];
+    expect(calls.every(([p]: string[]) => !p.includes('notes.txt'))).toBe(true);
+    expect(calls.length).toBe(1);
+  });
+
+  it('swallows readdirSync errors without throwing', () => {
+    vi.mocked(fs.readdirSync).mockImplementation(() => { throw new Error('ENOENT'); });
+    expect(() => cleanupOldBackups(7, NOW)).not.toThrow();
+  });
+});
@@ -96,33 +96,37 @@ describe('generateDays', () => {
    expect(getNotes(day2.id)[0].id).toBe(note.id);
  });

-  it('TRIP-SVC-011: shrinking range converts overflow days to dateless, preserves their assignments', () => {
+  it('TRIP-SVC-011: shrinking range deletes overflow days and their assignments (issue #909)', () => {
    const { user } = createUser(testDb);
    const trip = createTrip(testDb, user.id, { start_date: '2025-07-01', end_date: '2025-07-05' });
    const daysBefore = getDays(trip.id);
    expect(daysBefore).toHaveLength(5);

    const place = createPlace(testDb, trip.id);
-    // Assign places to days 4 and 5 (will become overflow)
-    const a4 = createDayAssignment(testDb, daysBefore[3].id, place.id);
-    const a5 = createDayAssignment(testDb, daysBefore[4].id, place.id);
+    createDayAssignment(testDb, daysBefore[3].id, place.id);
+    createDayAssignment(testDb, daysBefore[4].id, place.id);

-    // Shrink from 5 to 3 days
+    // Shrink from 5 to 3 days — surplus days and their content are removed
    generateDays(trip.id, '2025-07-01', '2025-07-03');

    const daysAfter = getDays(trip.id);
-    expect(daysAfter).toHaveLength(5); // no rows deleted
+    expect(daysAfter).toHaveLength(3);
+    expect(daysAfter.map(d => d.date)).toEqual(['2025-07-01', '2025-07-02', '2025-07-03']);
+  });

-    const dated = daysAfter.filter(d => d.date !== null);
-    const dateless = daysAfter.filter(d => d.date === null);
-    expect(dated).toHaveLength(3);
-    expect(dateless).toHaveLength(2);
+  it('TRIP-SVC-016: shrinking range deletes empty overflow days (issue #909)', () => {
+    const { user } = createUser(testDb);
+    const trip = createTrip(testDb, user.id, { start_date: '2025-07-01', end_date: '2025-07-07' });
+    expect(getDays(trip.id)).toHaveLength(7);

-    // Overflow days still have their assignments
-    expect(getAssignments(dateless[0].id)).toHaveLength(1);
-    expect(getAssignments(dateless[0].id)[0].id).toBe(a4.id);
-    expect(getAssignments(dateless[1].id)).toHaveLength(1);
-    expect(getAssignments(dateless[1].id)[0].id).toBe(a5.id);
+    // Shrink 7 → 5; days 6 and 7 have no content
+    generateDays(trip.id, '2025-07-01', '2025-07-05');
+
+    const daysAfter = getDays(trip.id);
+    expect(daysAfter).toHaveLength(5);
+    expect(daysAfter.map(d => d.date)).toEqual([
+      '2025-07-01', '2025-07-02', '2025-07-03', '2025-07-04', '2025-07-05',
+    ]);
  });

  it('TRIP-SVC-012: growing range keeps existing day content and appends new empty days', () => {