Migrate TREK 3 to NestJS + React 19 (shared Zod contracts) (#1087)

* Migrate TREK 3 to NestJS + React 19 with a shared Zod contract layer Brownfield strangler migration of the backend onto NestJS modules (auth, trips, days, places, assignments, packing, todo, budget, reservations, collab, files, photos, journey, share, settings, backup, oidc, oauth, admin, atlas, vacay, weather, airports, maps, categories, tags, notifications, system-notices) served through a per-prefix dispatcher, keeping the existing SQLite/better-sqlite3 DB and JWT httpOnly cookie auth, with behavioural parity for every route. Client: React 19 upgrade, "page = wiring container + data hook" pattern across all pages, per-domain Zustand stores bound to @trek/shared contracts, and decomposition of the large components (DayPlanSidebar, PackingListPanel, CollabNotes, FileManager, MemoriesPanel, PlacesSidebar, CollabChat, SystemNoticeModal, BudgetPanel, PlaceFormModal, ...) into focused render units backed by in-file hooks. Apply the shared global request pipeline (helmet/CSP, CORS, HSTS, forced HTTPS, the global MFA policy and request logging) to the NestJS instance as well, so a migrated route is protected identically to the legacy fallback rather than bypassing it. * Finish the NestJS migration — drop the legacy Express app NestJS now serves the whole surface: every /api domain plus the platform routes (uploads, /mcp, the OAuth/MCP SDK + /.well-known metadata and the production SPA fallback). Removed server/src/app.ts, all of server/src/routes/* and the strangler dispatcher; index.ts and the integration suite share a single buildApp() bootstrap so prod and tests can't drift. - Platform/transport routes extracted to nest/platform/platform.routes.ts and mounted before app.init() — Nest's router answers an unmatched request with a 404, so a route registered after init is never reached. The SPA fallback is a NotFoundException filter and the catch-all uses a RegExp (Express 5's path-to-regexp rejects a bare '*'). - New modules: memories (/api/integrations/memories — the Journey gallery's Immich/Synology proxy), addons (GET /api/addons) and the cross-trip GET /api/reservations/upcoming. - TrekExceptionFilter reproduces the old multer / err.statusCode handling so upload rejections keep their 400/413 { error } body and non-ASCII filenames survive (defParamCharset). - addTripToJourney and the MCP get_journey_share_link tool gained the trip-access check they were missing. - Re-pointed the 34 integration tests + the websocket test onto the Nest app; removed the now-meaningless Express-vs-Nest parity tests and a few orphaned client components. * Restore the reset-password rate limit and fix copyTrip reservation links Two correctness/security gaps the NestJS migration introduced: - POST /api/auth/reset-password lost its per-IP rate limiter. Restore it (5 attempts / 15 min on a dedicated bucket, same as the old resetLimiter) so reset tokens can't be brute-forced unthrottled. Covered by AUTH-019. - copyTripById did not copy reservations.end_day_id (a day reference — now remapped through dayMap like day_id) or needs_review, so a duplicated trip lost multi-day transport end-day links and reset the review flag. * Clean up dead code, dedupe helpers, fix the reset-password contract - Remove server exports orphaned by the Express removal: the immich album-link helpers, seven route-only service exports, getFileByIdFull; de-export internal-only helpers (utcSuffix). - De-duplicate verifyTripAccess (9 identical copies -> services/tripAccess.ts) and avatarUrl (3 -> services/avatarUrl.ts); name the bcrypt cost (BCRYPT_COST) and the email regex (EMAIL_REGEX). Public API unchanged. - resetPasswordRequestSchema declared `password`, but the client sends and the service reads `new_password` — rename it so the contract matches and the client types resolve. - Make ATLAS-013 deterministic: stub the admin-1 GeoJSON download instead of fetching ~4600 features from GitHub during the test (it hung the suite). * Make the client typecheck runnable (vitest/vite ambient types) The client had no `typecheck` script and tsc couldn't even start (the baseUrl deprecation errored out, same as server/shared already silence). Add `ignoreDeprecations: "6.0"` to match the other workspaces, a `typecheck` npm script, and a src/vite-env.d.ts referencing vite/client + vitest/globals so tsc knows the test globals (describe/it/expect/vi). This turns ~3600 phantom "Cannot find name" errors into a real, measurable count (~590 actual type errors remain, to be worked down). Type-only; no runtime change. * Derive client domain types from the shared schema contracts Add entity/response Zod schemas to @trek/shared (place, trip, assignment, day, budget, packing, reservation), each matched against the producing server service, and re-export them from client types.ts instead of the hand-written duplicates that had drifted (name/title, amount/total_price, owner_id/user_id, cover_url/cover_image, ...). Updates the call sites and test fixtures the corrected types surfaced; type-only, no runtime behaviour change. * chore(db): log swallowed errors in addon-disable migration + guard against destructive migrations The migration that disables the legacy "memories" addon swallowed any error in an empty catch, as did ~30 other catch blocks in the migration runner (column adds, the journey rebuild, index probes). Replace each silent catch with the existing console.warn('[migrations] ...') log so failures are visible. Control flow is unchanged: every step stays non-fatal, nothing new is thrown. Add a static guardrail test that scans the migration source and fails when a new destructive statement (DROP TABLE / DROP COLUMN / TRUNCATE / DELETE FROM / ALTER ... DROP) appears outside a reviewed allowlist, and when an empty/silent catch block is reintroduced. The existing destructive statements are all legitimate table rebuilds or bounded cleanups and are recorded in the allowlist with a reason. * Re-check SSRF on every redirect hop when resolving short links Replace the one-shot checkSsrf + fetch(redirect:'follow') in the maps and place short-link resolvers with safeFetchFollow, which follows redirects manually and re-runs checkSsrf against the DNS-pinned IP of each hop (max 5). A redirect to an internal/loopback address is now blocked even when the initial URL is public, while legitimate cross-host redirects (goo.gl -> maps.google.com) still resolve. * Reject WebSocket tokens minted before a password change Stamp the user's password_version onto the ephemeral ws token and verify it on connect, closing the socket (4001) when it no longer matches, so a token issued before a password reset can't be replayed. Tokens minted without a version are treated as version 0, matching the JWT pv-claim semantics. * fix(i18n): guard locale key parity and finish the OAuth consent page strings Every non-en locale now exposes the exact same flat key set as en. Keys that had drifted out of sync are backfilled with the English source value (tagged en-fallback) so t() resolves a real string instead of relying on the silent runtime fallback; no existing translation was touched and no key was removed. Add a parity test that imports each aggregated locale bundle and asserts its key set matches en, with a diagnostic listing of any missing/extra keys. This complements the file-level check in shared/scripts by guarding the merged export the app actually serves. Finish internationalising OAuthAuthorizePage: the ~15 remaining hardcoded English chrome strings now go through oauth.authorize.* keys (English source in en, en-fallback placeholders elsewhere). Markup and behaviour are unchanged. * Add semantic theme color tokens to Tailwind Map the CSS theme variables from src/index.css (:root light / .dark dark) to named Tailwind utilities — bg-surface, text-content, border-edge, bg-accent and their variants. This gives components a Tailwind-native target for the theme colors so we can replace inline `style={{ ... 'var(--...)' }}` with utility classes without changing the rendered values. * Surface silent store failures to the user and validate API responses in dev Reservation toggle, todo/packing toggle and budget reorder were swallowing API errors after rolling back, so the user saw the change silently snap back with no explanation. Route those failures through the existing toast channel (new store/notify.ts bridges to window.__addToast, the same channel SystemNoticeBanner uses); the reservation toggle re-throws so ReservationsPanel's own translated toast finally fires. Also wire the existing parseInDev/checkInDev response validation into the maps and notification-test endpoints to catch contract drift in dev. * Migrate static theme inline styles to Tailwind utilities and extract page sub-components Replace the static, color-only inline `style={{ ... 'var(--bg-primary)' ... }}` props with the new semantic Tailwind utilities (bg-surface, text-content, border-edge, ...) wherever the result is byte-identical; dynamic/conditional theme styles and hardcoded status colors are left inline. Extract the Atlas country-search autocomplete, the Admin update banner, and two Journey dialogs into their own presentational components to shrink the oversized page files, keeping behaviour and markup identical. * Remove the unrouted photos page and its dead photo components PhotosPage was never wired into the router and its usePhotos hook read a tripStore photos slice that was never implemented; the Photos gallery, lightbox and upload components were only reachable through it. Per-trip photos now live in the Journey gallery (Immich/Synology). Removed the dead page, hook and components — the live Journey PhotoLightbox is a separate component and stays. * Resolve the remaining client type errors and the trip.title navbar bug Drive the client typecheck to zero without any/ts-ignore: convert the tripId route param to a number once at the page boundary so it matches the numeric props and store actions it feeds, fix trip.name -> trip.title (the wire field is title, so the old read rendered blank in the files/offline views), and tighten the scattered handler-arity, DOM-cast and untyped-payload sites. No runtime behaviour change. * Convert the remaining dynamic and hardcoded inline styles to Tailwind utilities Second styling pass over the components and pages: move conditional theme colors into className ternaries (bg-accent / bg-surface-hover etc.), turn reused CSSProperties constants into className constants, and express static hardcoded hex/rgba colors as Tailwind arbitrary values so the exact rendered colour is preserved. Truly dynamic styling (computed geometry, gradients, multi-part shadows, data-driven colours, the undefined --sidebar/--nav layout vars) stays inline as it cannot be expressed as a static class. Updated three component tests that asserted the old inline active-state styles to assert the equivalent utility class instead. Verified: client typecheck 0, full client suite green, and a live light/dark render check in the dev server confirms the semantic theme tokens resolve correctly (the earlier 'transparent popups' were a stale dev server that pre-dated the tailwind.config token addition, not a code issue). * Add eslint flat-config for client and server and gate typecheck, lint and pages in CI client and server had lint scripts but no eslint config (only shared was linted in CI). Add flat configs mirroring shared's stack (js + typescript-eslint recommended + eslint-config-prettier) plus the client's react-hooks/react-refresh plugins. Pre-existing patterns in this never-linted code (explicit any, require() in the CommonJS server, empty catches, exhaustive-deps) are set to 'warn' rather than 'error' so the gate passes at 0 errors without a repo-wide reformat — these can be ratcheted to errors over time. Wire blocking typecheck + lint + lint:pages steps into the client and server CI jobs (now that both typechecks are clean) and promote the server typecheck from informational to blocking. * Decompose the remaining God Components into hooks, helpers and sub-components FE6: split the oversized page and panel components into thin layout shells plus colocated use<Component> hooks, .constants.ts, .helpers.ts (with tests) and presentational sub-components, following the established 'logic in a hook, render in slices' pattern. Behaviour, markup, classes and effect order are unchanged. Largest reductions: PackingListPanel 1598->42, FileManager 1055->36, AdminPage 1525->167, BudgetPanel 1266->146, JourneyDetailPage 2822->547, PlacesSidebar 945->66, CollabChat 861->106, CollabNotes 1417->532. DayPlanSidebar's drag-and-drop render body was left intact (ref-identity sensitive) and only its toolbar/modals/constants were extracted. * Fix duplicate React keys in the file-assign place list When a place is assigned to the same day more than once it appeared twice in a day's list, so the place-button key={p.id} collided and React warned about duplicate keys. Key by place id + render index so siblings stay unique. Pre-existing in the old FileManager; behaviour unchanged. * Format the shared package and drop an unused import to satisfy the lint gate The i18n and schema changes added code that wasn't prettier-formatted, and place.schema.ts imported categorySchema without using it. Run prettier over shared and remove the import so 'npm run lint' + 'format:check' pass. * Install all workspaces in the server CI job so SWC's native binary is present The server vitest config transforms via unplugin-swc, which needs @swc/core's platform-specific native binary. A workspace-scoped 'npm ci --workspace server' skips that optional dependency, so vitest failed to load the config on the Linux runner. Use a full 'npm ci'. * Re-resolve dependencies with npm install in the server CI job for SWC Full 'npm ci' still skipped @swc/core's Linux native binary because the committed lockfile was generated on Windows and lacks the Linux optional-dep install metadata. 'npm install' re-resolves and fetches the platform-matching binary, which the server's unplugin-swc transform needs to load vitest.config.ts. * Install @swc/core's Linux binary explicitly in the server CI job Neither npm ci nor npm install fetched @swc/core-linux-x64-gnu on the Linux runner because the lockfile was generated on Windows and lacks the Linux optional-dep metadata. Add a step that installs the matching @swc/core-linux-x64-gnu version (no-save, no-lockfile) so unplugin-swc can load the server's vitest config. * Use legacy-peer-deps when installing the SWC Linux binary in CI The explicit @swc/core-linux-x64-gnu install re-resolved the tree and hit the pre-existing lucide-react/react-19 peer conflict that the lockfile was generated around. Add --legacy-peer-deps so the step matches the project's resolution and installs the binary. * Keep the lockfile when installing the SWC binary so other deps stay pinned Dropping --no-package-lock made npm re-resolve the whole tree and upgrade eslint, whose newer recommended config flagged no-useless-assignment as an error in the server lint step. Keep the lockfile so only @swc/core-linux-x64-gnu is added and every other dependency (incl. eslint) stays at its locked version.
2026-06-21 06:11:45 +00:00 · 2026-05-31 21:10:00 +02:00
parent 6d2dd37414
commit 20791a29a7
721 changed files with 44416 additions and 31919 deletions
@@ -0,0 +1,67 @@
+import {
+  adminUserCreateRequestSchema,
+  adminPermissionsRequestSchema,
+  adminInviteCreateRequestSchema,
+  adminFeatureToggleRequestSchema,
+} from './admin.schema';
+
+import { describe, it, expect } from 'vitest';
+
+describe('adminUserCreateRequestSchema', () => {
+  it('requires an email; role limited to user/admin', () => {
+    expect(
+      adminUserCreateRequestSchema.safeParse({
+        email: 'a@b.c',
+        password: 'p',
+        role: 'admin',
+      }).success,
+    ).toBe(true);
+    expect(
+      adminUserCreateRequestSchema.safeParse({ email: 'a@b.c' }).success,
+    ).toBe(true);
+    expect(
+      adminUserCreateRequestSchema.safeParse({ password: 'p' }).success,
+    ).toBe(false);
+    expect(
+      adminUserCreateRequestSchema.safeParse({ email: 'a@b.c', role: 'root' })
+        .success,
+    ).toBe(false);
+  });
+});
+
+describe('adminPermissionsRequestSchema', () => {
+  it('requires a permissions record', () => {
+    expect(
+      adminPermissionsRequestSchema.safeParse({
+        permissions: { trip_edit: { user: true } },
+      }).success,
+    ).toBe(true);
+    expect(adminPermissionsRequestSchema.safeParse({}).success).toBe(false);
+  });
+});
+
+describe('adminInviteCreateRequestSchema', () => {
+  it('accepts optional uses/expiry/role', () => {
+    expect(
+      adminInviteCreateRequestSchema.safeParse({
+        max_uses: 5,
+        expires_in_days: 7,
+      }).success,
+    ).toBe(true);
+    expect(adminInviteCreateRequestSchema.safeParse({}).success).toBe(true);
+    expect(
+      adminInviteCreateRequestSchema.safeParse({ role: 'root' }).success,
+    ).toBe(false);
+  });
+});
+
+describe('adminFeatureToggleRequestSchema', () => {
+  it('requires a boolean enabled', () => {
+    expect(
+      adminFeatureToggleRequestSchema.safeParse({ enabled: true }).success,
+    ).toBe(true);
+    expect(
+      adminFeatureToggleRequestSchema.safeParse({ enabled: 'yes' }).success,
+    ).toBe(false);
+  });
+});
@@ -0,0 +1,42 @@
+import { z } from 'zod';
+
+/**
+ * Admin API contract for /api/admin (admin-only).
+ *
+ * The admin service validates most bodies itself (returning {error,status}), so
+ * these schemas pin the well-defined ones: user create/update, the permission
+ * matrix, invites and the boolean feature toggles. Free-form bodies (OIDC
+ * settings, addon config, default user settings) stay with the service.
+ */
+export const adminUserCreateRequestSchema = z.object({
+  email: z.string(),
+  password: z.string().optional(),
+  username: z.string().optional(),
+  role: z.enum(['user', 'admin']).optional(),
+});
+export type AdminUserCreateRequest = z.infer<
+  typeof adminUserCreateRequestSchema
+>;
+
+export const adminPermissionsRequestSchema = z.object({
+  permissions: z.record(z.string(), z.unknown()),
+});
+export type AdminPermissionsRequest = z.infer<
+  typeof adminPermissionsRequestSchema
+>;
+
+export const adminInviteCreateRequestSchema = z.object({
+  max_uses: z.number().optional(),
+  expires_in_days: z.number().optional(),
+  role: z.enum(['user', 'admin']).optional(),
+});
+export type AdminInviteCreateRequest = z.infer<
+  typeof adminInviteCreateRequestSchema
+>;
+
+export const adminFeatureToggleRequestSchema = z.object({
+  enabled: z.boolean(),
+});
+export type AdminFeatureToggleRequest = z.infer<
+  typeof adminFeatureToggleRequestSchema
+>;
@@ -0,0 +1,41 @@
+import { airportSchema, airportSearchQuerySchema } from './airport.schema';
+
+import { describe, it, expect } from 'vitest';
+
+describe('airportSchema', () => {
+  it('accepts a full airport record', () => {
+    const parsed = airportSchema.parse({
+      iata: 'BER',
+      icao: 'EDDB',
+      name: 'Berlin Brandenburg',
+      city: 'Berlin',
+      country: 'DE',
+      lat: 52.36,
+      lng: 13.5,
+      tz: 'Europe/Berlin',
+    });
+    expect(parsed.iata).toBe('BER');
+  });
+
+  it('allows a null icao (smaller fields can be missing one)', () => {
+    expect(
+      airportSchema.safeParse({
+        iata: 'XXX',
+        icao: null,
+        name: 'Test',
+        city: 'Test',
+        country: 'DE',
+        lat: 0,
+        lng: 0,
+        tz: 'UTC',
+      }).success,
+    ).toBe(true);
+  });
+});
+
+describe('airportSearchQuerySchema', () => {
+  it('treats the query as optional (the route answers [] when absent)', () => {
+    expect(airportSearchQuerySchema.parse({})).toEqual({});
+    expect(airportSearchQuerySchema.parse({ q: 'ber' })).toEqual({ q: 'ber' });
+  });
+});
@@ -0,0 +1,37 @@
+import { z } from 'zod';
+
+/**
+ * Airport API contract — single source of truth for the /api/airports endpoints.
+ *
+ * The legacy Express route (server/src/routes/airports.ts) exposes a typeahead
+ * search and a single-airport lookup by IATA code, both backed by an in-memory
+ * dataset (server/src/services/airportService.ts). The route treats the query as
+ * an opaque string and returns an empty array when it is absent, so the search
+ * query mirrors that: an optional string, no coercion.
+ *
+ * The bespoke 404 `{ error: 'Airport not found' }` body is reproduced in the
+ * controller, not derived from this schema, so the response stays byte-identical
+ * to Express.
+ */
+
+/** A single airport record as served by the dataset (matches Airport in airportService). */
+export const airportSchema = z.object({
+  iata: z.string(),
+  icao: z.string().nullable(),
+  name: z.string(),
+  city: z.string(),
+  country: z.string(),
+  lat: z.number(),
+  lng: z.number(),
+  tz: z.string(),
+});
+export type Airport = z.infer<typeof airportSchema>;
+
+/**
+ * Search query. `q` is optional — the route answers with `[]` when it is missing
+ * or empty rather than 400ing, so presence is handled in the controller.
+ */
+export const airportSearchQuerySchema = z.object({
+  q: z.string().optional(),
+});
+export type AirportSearchQuery = z.infer<typeof airportSearchQuerySchema>;
@@ -0,0 +1,45 @@
+import {
+  assignmentCreateRequestSchema,
+  assignmentMoveRequestSchema,
+  assignmentParticipantsRequestSchema,
+} from './assignment.schema';
+
+import { describe, it, expect } from 'vitest';
+
+describe('assignmentCreateRequestSchema', () => {
+  it('requires a place_id; notes optional/nullable', () => {
+    expect(
+      assignmentCreateRequestSchema.safeParse({ place_id: 2 }).success,
+    ).toBe(true);
+    expect(
+      assignmentCreateRequestSchema.safeParse({ place_id: '2', notes: null })
+        .success,
+    ).toBe(true);
+    expect(assignmentCreateRequestSchema.safeParse({}).success).toBe(false);
+  });
+});
+
+describe('assignmentMoveRequestSchema', () => {
+  it('requires new_day_id; order_index optional', () => {
+    expect(
+      assignmentMoveRequestSchema.safeParse({ new_day_id: 4 }).success,
+    ).toBe(true);
+    expect(
+      assignmentMoveRequestSchema.safeParse({ new_day_id: 4, order_index: 0 })
+        .success,
+    ).toBe(true);
+    expect(assignmentMoveRequestSchema.safeParse({}).success).toBe(false);
+  });
+});
+
+describe('assignmentParticipantsRequestSchema', () => {
+  it('requires a numeric user_ids array', () => {
+    expect(
+      assignmentParticipantsRequestSchema.safeParse({ user_ids: [1, 2] })
+        .success,
+    ).toBe(true);
+    expect(
+      assignmentParticipantsRequestSchema.safeParse({ user_ids: 'no' }).success,
+    ).toBe(false);
+  });
+});
@@ -0,0 +1,80 @@
+import { assignmentPlaceSchema } from '../place/place.schema';
+
+import { z } from 'zod';
+
+/**
+ * Assignment API contract — single source of truth for the place↔day itinerary
+ * endpoints under /api/trips/:tripId/days/:dayId/assignments and
+ * /api/trips/:tripId/assignments/:id/*.
+ *
+ * Trip-scoped; mutations use the 'day_edit' permission. The legacy route
+ * (server/src/routes/assignments.ts, mounted on /api) wraps assignmentService.
+ * Assignment rows carry joined place data and are kept open in responses; the
+ * request schemas + the bespoke 404/400 controller messages pin the rest.
+ */
+
+/**
+ * Assignment participant embedded on an assignment
+ * (server/src/services/queryHelpers.ts -> loadParticipantsByAssignmentIds).
+ */
+export const assignmentParticipantSchema = z.object({
+  user_id: z.number(),
+  username: z.string(),
+  avatar: z.string().nullable().optional(),
+});
+export type AssignmentParticipant = z.infer<typeof assignmentParticipantSchema>;
+
+/**
+ * Assignment entity as returned by the day/assignment endpoints
+ * (server/src/services/queryHelpers.ts -> formatAssignmentWithPlace, and
+ * assignmentService.getAssignmentWithPlace). The embedded `place` is the trimmed
+ * assignment-place projection, NOT the full place pool entity. `assignment_time`
+ * /`assignment_end_time` carry the per-assignment override times.
+ */
+export const assignmentSchema = z.object({
+  id: z.number(),
+  day_id: z.number(),
+  place_id: z.number(),
+  order_index: z.number(),
+  notes: z.string().nullable().optional(),
+  assignment_time: z.string().nullable().optional(),
+  assignment_end_time: z.string().nullable().optional(),
+  participants: z.array(assignmentParticipantSchema).optional(),
+  created_at: z.string().optional(),
+  place: assignmentPlaceSchema,
+});
+export type Assignment = z.infer<typeof assignmentSchema>;
+
+export const assignmentCreateRequestSchema = z.object({
+  place_id: z.union([z.number(), z.string()]),
+  notes: z.string().nullable().optional(),
+});
+export type AssignmentCreateRequest = z.infer<
+  typeof assignmentCreateRequestSchema
+>;
+
+export const assignmentReorderRequestSchema = z.object({
+  orderedIds: z.array(z.number()),
+});
+export type AssignmentReorderRequest = z.infer<
+  typeof assignmentReorderRequestSchema
+>;
+
+export const assignmentMoveRequestSchema = z.object({
+  new_day_id: z.union([z.number(), z.string()]),
+  order_index: z.number().optional(),
+});
+export type AssignmentMoveRequest = z.infer<typeof assignmentMoveRequestSchema>;
+
+export const assignmentTimeRequestSchema = z.object({
+  place_time: z.string().nullable().optional(),
+  end_time: z.string().nullable().optional(),
+});
+export type AssignmentTimeRequest = z.infer<typeof assignmentTimeRequestSchema>;
+
+export const assignmentParticipantsRequestSchema = z.object({
+  user_ids: z.array(z.number()),
+});
+export type AssignmentParticipantsRequest = z.infer<
+  typeof assignmentParticipantsRequestSchema
+>;
@@ -0,0 +1,54 @@
+import {
+  markRegionRequestSchema,
+  createBucketItemRequestSchema,
+  regionGeoSchema,
+} from './atlas.schema';
+
+import { describe, it, expect } from 'vitest';
+
+describe('markRegionRequestSchema', () => {
+  it('requires both name and country_code', () => {
+    expect(
+      markRegionRequestSchema.safeParse({ name: 'Bavaria', country_code: 'DE' })
+        .success,
+    ).toBe(true);
+    expect(markRegionRequestSchema.safeParse({ name: 'Bavaria' }).success).toBe(
+      false,
+    );
+  });
+});
+
+describe('createBucketItemRequestSchema', () => {
+  it('requires a name; coordinates and metadata optional/nullable', () => {
+    expect(
+      createBucketItemRequestSchema.safeParse({ name: 'Tokyo' }).success,
+    ).toBe(true);
+    expect(
+      createBucketItemRequestSchema.safeParse({
+        name: 'Tokyo',
+        lat: 35,
+        lng: 139,
+        country_code: null,
+      }).success,
+    ).toBe(true);
+    expect(createBucketItemRequestSchema.safeParse({}).success).toBe(false);
+  });
+});
+
+describe('regionGeoSchema', () => {
+  it('accepts a FeatureCollection with opaque features', () => {
+    expect(
+      regionGeoSchema.safeParse({ type: 'FeatureCollection', features: [] })
+        .success,
+    ).toBe(true);
+    expect(
+      regionGeoSchema.safeParse({
+        type: 'FeatureCollection',
+        features: [{ anything: true }],
+      }).success,
+    ).toBe(true);
+    expect(
+      regionGeoSchema.safeParse({ type: 'Other', features: [] }).success,
+    ).toBe(false);
+  });
+});
@@ -0,0 +1,61 @@
+import { z } from 'zod';
+
+/**
+ * Atlas API contract — single source of truth for the /api/addons/atlas endpoints
+ * (visited countries/regions, region GeoJSON, and the travel bucket list).
+ *
+ * Parity note: unlike the journey addon, the legacy atlas route is NOT gated by
+ * an addon-enabled check (app.ts mounts it without one), so the migration does
+ * not add a gate either — adding one would be a breaking 404.
+ *
+ * Stats, visited-regions and GeoJSON are wide, externally-derived shapes kept as
+ * open records; the request schemas and the bespoke 400/404 controller messages
+ * pin the parts the client depends on.
+ */
+
+const open = z.record(z.string(), z.unknown());
+
+export const markRegionRequestSchema = z.object({
+  name: z.string().min(1),
+  country_code: z.string().min(1),
+});
+export type MarkRegionRequest = z.infer<typeof markRegionRequestSchema>;
+
+export const createBucketItemRequestSchema = z.object({
+  name: z.string().min(1),
+  lat: z.number().nullable().optional(),
+  lng: z.number().nullable().optional(),
+  country_code: z.string().nullable().optional(),
+  notes: z.string().nullable().optional(),
+  target_date: z.string().nullable().optional(),
+});
+export type CreateBucketItemRequest = z.infer<
+  typeof createBucketItemRequestSchema
+>;
+
+export const updateBucketItemRequestSchema = z.object({
+  name: z.string().optional(),
+  notes: z.string().optional(),
+  lat: z.number().nullable().optional(),
+  lng: z.number().nullable().optional(),
+  country_code: z.string().nullable().optional(),
+  target_date: z.string().nullable().optional(),
+});
+export type UpdateBucketItemRequest = z.infer<
+  typeof updateBucketItemRequestSchema
+>;
+
+/** A bucket-list item row (DB-shaped; kept open). */
+export const bucketItemSchema = open;
+
+export const bucketListResponseSchema = z.object({
+  items: z.array(bucketItemSchema),
+});
+export type BucketListResponse = z.infer<typeof bucketListResponseSchema>;
+
+/** GeoJSON FeatureCollection (kept open — provider-derived geometry). */
+export const regionGeoSchema = z.object({
+  type: z.literal('FeatureCollection'),
+  features: z.array(z.unknown()),
+});
+export type RegionGeo = z.infer<typeof regionGeoSchema>;
@@ -0,0 +1,92 @@
+import {
+  registerRequestSchema,
+  loginRequestSchema,
+  forgotPasswordRequestSchema,
+  resetPasswordRequestSchema,
+  changePasswordRequestSchema,
+  mfaVerifyLoginRequestSchema,
+  mfaEnableRequestSchema,
+  mcpTokenCreateRequestSchema,
+} from './auth.schema';
+
+import { describe, it, expect } from 'vitest';
+
+describe('registerRequestSchema', () => {
+  it('requires email + password; username/invite optional', () => {
+    expect(
+      registerRequestSchema.safeParse({ email: 'a@b.c', password: 'pw' })
+        .success,
+    ).toBe(true);
+    expect(
+      registerRequestSchema.safeParse({
+        email: 'a@b.c',
+        password: 'pw',
+        invite_token: 't',
+      }).success,
+    ).toBe(true);
+    expect(registerRequestSchema.safeParse({ email: 'a@b.c' }).success).toBe(
+      false,
+    );
+  });
+});
+
+describe('loginRequestSchema', () => {
+  it('requires email + password', () => {
+    expect(
+      loginRequestSchema.safeParse({ email: 'a@b.c', password: 'pw' }).success,
+    ).toBe(true);
+    expect(loginRequestSchema.safeParse({ email: 'a@b.c' }).success).toBe(
+      false,
+    );
+  });
+});
+
+describe('forgot/reset/change password schemas', () => {
+  it('validate their required fields', () => {
+    expect(
+      forgotPasswordRequestSchema.safeParse({ email: 'a@b.c' }).success,
+    ).toBe(true);
+    expect(
+      resetPasswordRequestSchema.safeParse({ token: 't', new_password: 'pw' })
+        .success,
+    ).toBe(true);
+    expect(
+      resetPasswordRequestSchema.safeParse({
+        token: 't',
+        new_password: 'pw',
+        mfa_code: '123456',
+      }).success,
+    ).toBe(true);
+    expect(
+      resetPasswordRequestSchema.safeParse({ new_password: 'pw' }).success,
+    ).toBe(false);
+    expect(
+      changePasswordRequestSchema.safeParse({
+        current_password: 'a',
+        new_password: 'b',
+      }).success,
+    ).toBe(true);
+    expect(
+      changePasswordRequestSchema.safeParse({ new_password: 'b' }).success,
+    ).toBe(false);
+  });
+});
+
+describe('mfa + mcp-token schemas', () => {
+  it('validate their fields', () => {
+    expect(
+      mfaVerifyLoginRequestSchema.safeParse({ mfa_token: 't', code: '123456' })
+        .success,
+    ).toBe(true);
+    expect(
+      mfaVerifyLoginRequestSchema.safeParse({ mfa_token: 't' }).success,
+    ).toBe(false);
+    expect(mfaEnableRequestSchema.safeParse({ code: '123456' }).success).toBe(
+      true,
+    );
+    expect(mcpTokenCreateRequestSchema.safeParse({ name: 'CLI' }).success).toBe(
+      true,
+    );
+    expect(mcpTokenCreateRequestSchema.safeParse({}).success).toBe(true);
+  });
+});
@@ -0,0 +1,59 @@
+import { z } from 'zod';
+
+/**
+ * Auth API contract for /api/auth.
+ *
+ * The auth service does the heavy credential/MFA validation internally (and
+ * returns its own {error,status}); these schemas pin the well-defined request
+ * bodies the public + account endpoints accept. Login/reset can branch to an
+ * MFA step, so password fields stay permissive where the service owns the rules.
+ */
+export const registerRequestSchema = z.object({
+  email: z.string(),
+  password: z.string(),
+  username: z.string().optional(),
+  invite_token: z.string().optional(),
+});
+export type RegisterRequest = z.infer<typeof registerRequestSchema>;
+
+export const loginRequestSchema = z.object({
+  email: z.string(),
+  password: z.string(),
+});
+export type LoginRequest = z.infer<typeof loginRequestSchema>;
+
+export const forgotPasswordRequestSchema = z.object({
+  email: z.string(),
+});
+export type ForgotPasswordRequest = z.infer<typeof forgotPasswordRequestSchema>;
+
+export const resetPasswordRequestSchema = z.object({
+  token: z.string(),
+  // The client sends `new_password` and the service reads `body.new_password`;
+  // the field was misnamed `password` here, which broke the client's typing.
+  new_password: z.string(),
+  mfa_code: z.string().optional(),
+});
+export type ResetPasswordRequest = z.infer<typeof resetPasswordRequestSchema>;
+
+export const changePasswordRequestSchema = z.object({
+  current_password: z.string(),
+  new_password: z.string(),
+});
+export type ChangePasswordRequest = z.infer<typeof changePasswordRequestSchema>;
+
+export const mfaVerifyLoginRequestSchema = z.object({
+  mfa_token: z.string(),
+  code: z.string(),
+});
+export type MfaVerifyLoginRequest = z.infer<typeof mfaVerifyLoginRequestSchema>;
+
+export const mfaEnableRequestSchema = z.object({
+  code: z.string(),
+});
+export type MfaEnableRequest = z.infer<typeof mfaEnableRequestSchema>;
+
+export const mcpTokenCreateRequestSchema = z.object({
+  name: z.string().optional(),
+});
+export type McpTokenCreateRequest = z.infer<typeof mcpTokenCreateRequestSchema>;
@@ -0,0 +1,26 @@
+import { autoBackupSettingsRequestSchema } from './backup.schema';
+
+import { describe, it, expect } from 'vitest';
+
+describe('autoBackupSettingsRequestSchema', () => {
+  it('accepts the known toggles and stays permissive for extras', () => {
+    expect(
+      autoBackupSettingsRequestSchema.safeParse({
+        enabled: true,
+        interval: 'daily',
+        keep_days: 7,
+      }).success,
+    ).toBe(true);
+    expect(
+      autoBackupSettingsRequestSchema.safeParse({ enabled: false, foo: 'bar' })
+        .success,
+    ).toBe(true);
+    expect(autoBackupSettingsRequestSchema.safeParse({}).success).toBe(true);
+  });
+
+  it('rejects a non-boolean enabled', () => {
+    expect(
+      autoBackupSettingsRequestSchema.safeParse({ enabled: 'yes' }).success,
+    ).toBe(false);
+  });
+});
@@ -0,0 +1,21 @@
+import { z } from 'zod';
+
+/**
+ * Backup API contract (admin-only) for /api/backup.
+ *
+ * The auto-backup settings body is normalised server-side by the backup
+ * service (parseAutoBackupBody), so this schema only pins the well-known toggle
+ * fields and stays permissive (passthrough) for the rest. Create/restore/delete
+ * carry no JSON body; their inputs are the :filename path param + the upload.
+ */
+export const autoBackupSettingsRequestSchema = z
+  .object({
+    enabled: z.boolean().optional(),
+    interval: z.string().optional(),
+    keep_days: z.union([z.string(), z.number()]).optional(),
+    time: z.string().optional(),
+  })
+  .passthrough();
+export type AutoBackupSettingsRequest = z.infer<
+  typeof autoBackupSettingsRequestSchema
+>;
@@ -0,0 +1,58 @@
+import {
+  budgetCreateItemRequestSchema,
+  budgetUpdateMembersRequestSchema,
+  budgetToggleMemberPaidRequestSchema,
+  budgetReorderItemsRequestSchema,
+} from './budget.schema';
+
+import { describe, it, expect } from 'vitest';
+
+describe('budgetCreateItemRequestSchema', () => {
+  it('requires a name; money/meta fields optional + nullable', () => {
+    expect(
+      budgetCreateItemRequestSchema.safeParse({ name: 'Hotel' }).success,
+    ).toBe(true);
+    expect(
+      budgetCreateItemRequestSchema.safeParse({
+        name: 'Hotel',
+        total_price: 200,
+        persons: null,
+      }).success,
+    ).toBe(true);
+    expect(budgetCreateItemRequestSchema.safeParse({}).success).toBe(false);
+  });
+});
+
+describe('budgetUpdateMembersRequestSchema', () => {
+  it('requires a numeric user_ids array', () => {
+    expect(
+      budgetUpdateMembersRequestSchema.safeParse({ user_ids: [1, 2] }).success,
+    ).toBe(true);
+    expect(
+      budgetUpdateMembersRequestSchema.safeParse({ user_ids: 'no' }).success,
+    ).toBe(false);
+  });
+});
+
+describe('budgetToggleMemberPaidRequestSchema', () => {
+  it('requires a boolean paid', () => {
+    expect(
+      budgetToggleMemberPaidRequestSchema.safeParse({ paid: true }).success,
+    ).toBe(true);
+    expect(
+      budgetToggleMemberPaidRequestSchema.safeParse({ paid: 'yes' }).success,
+    ).toBe(false);
+  });
+});
+
+describe('budgetReorderItemsRequestSchema', () => {
+  it('requires numeric ids', () => {
+    expect(
+      budgetReorderItemsRequestSchema.safeParse({ orderedIds: [3, 1, 2] })
+        .success,
+    ).toBe(true);
+    expect(
+      budgetReorderItemsRequestSchema.safeParse({ orderedIds: ['a'] }).success,
+    ).toBe(false);
+  });
+});
@@ -0,0 +1,106 @@
+import { z } from 'zod';
+
+/**
+ * Budget API contract — single source of truth for the /api/trips/:tripId/budget
+ * endpoints (expense items, per-member splits, paid toggles, settlement).
+ *
+ * Trip-scoped: every endpoint verifies trip access (404 "Trip not found") and
+ * mutations check the 'budget_edit' permission (403 "No permission"). The legacy
+ * route (server/src/routes/budget.ts) wraps services/budgetService.ts; rows are
+ * DB-shaped and kept open. Mutations broadcast over WebSocket with the forwarded
+ * X-Socket-Id. Updating a linked item's total_price also syncs the price into the
+ * linked reservation's metadata (and broadcasts reservation:updated).
+ */
+
+/**
+ * Budget item member as embedded on a budget item
+ * (server/src/services/budgetService.ts -> loadItemMembers). `paid` is the raw
+ * SQLite INTEGER (0/1); `avatar_url` is the resolved avatar (avatarUrl()).
+ */
+export const budgetItemMemberSchema = z.object({
+  user_id: z.number(),
+  paid: z.number(),
+  username: z.string(),
+  avatar_url: z.string().nullable().optional(),
+  avatar: z.string().nullable().optional(),
+  budget_item_id: z.number().optional(),
+});
+export type BudgetItemMember = z.infer<typeof budgetItemMemberSchema>;
+
+/**
+ * Budget item entity as returned by the budget list/create/update endpoints
+ * (server/src/services/budgetService.ts). Columns of the `budget_items` table
+ * plus the embedded `members` array. total_price is SQLite REAL.
+ */
+export const budgetItemSchema = z.object({
+  id: z.number(),
+  trip_id: z.number(),
+  category: z.string(),
+  name: z.string(),
+  total_price: z.number(),
+  persons: z.number().nullable().optional(),
+  days: z.number().nullable().optional(),
+  note: z.string().nullable().optional(),
+  reservation_id: z.number().nullable().optional(),
+  paid_by_user_id: z.number().nullable().optional(),
+  expense_date: z.string().nullable().optional(),
+  sort_order: z.number().optional(),
+  created_at: z.string().optional(),
+  members: z.array(budgetItemMemberSchema).optional(),
+});
+export type BudgetItem = z.infer<typeof budgetItemSchema>;
+
+export const budgetCreateItemRequestSchema = z.object({
+  name: z.string().min(1),
+  category: z.string().optional(),
+  total_price: z.number().optional(),
+  persons: z.number().nullable().optional(),
+  days: z.number().nullable().optional(),
+  note: z.string().nullable().optional(),
+  expense_date: z.string().nullable().optional(),
+});
+export type BudgetCreateItemRequest = z.infer<
+  typeof budgetCreateItemRequestSchema
+>;
+
+/** Update accepts the same fields plus total_price changes; all optional. */
+export const budgetUpdateItemRequestSchema = z.object({
+  name: z.string().optional(),
+  category: z.string().optional(),
+  total_price: z.number().optional(),
+  persons: z.number().nullable().optional(),
+  days: z.number().nullable().optional(),
+  note: z.string().nullable().optional(),
+  expense_date: z.string().nullable().optional(),
+});
+export type BudgetUpdateItemRequest = z.infer<
+  typeof budgetUpdateItemRequestSchema
+>;
+
+export const budgetUpdateMembersRequestSchema = z.object({
+  user_ids: z.array(z.number()),
+});
+export type BudgetUpdateMembersRequest = z.infer<
+  typeof budgetUpdateMembersRequestSchema
+>;
+
+export const budgetToggleMemberPaidRequestSchema = z.object({
+  paid: z.boolean(),
+});
+export type BudgetToggleMemberPaidRequest = z.infer<
+  typeof budgetToggleMemberPaidRequestSchema
+>;
+
+export const budgetReorderItemsRequestSchema = z.object({
+  orderedIds: z.array(z.number()),
+});
+export type BudgetReorderItemsRequest = z.infer<
+  typeof budgetReorderItemsRequestSchema
+>;
+
+export const budgetReorderCategoriesRequestSchema = z.object({
+  orderedCategories: z.array(z.string()),
+});
+export type BudgetReorderCategoriesRequest = z.infer<
+  typeof budgetReorderCategoriesRequestSchema
+>;
@@ -0,0 +1,41 @@
+import {
+  categorySchema,
+  createCategoryRequestSchema,
+  updateCategoryRequestSchema,
+} from './category.schema';
+
+import { describe, it, expect } from 'vitest';
+
+describe('categorySchema', () => {
+  it('accepts a full category', () => {
+    expect(
+      categorySchema.safeParse({
+        id: 1,
+        name: 'Food',
+        color: '#fff',
+        icon: '🍔',
+      }).success,
+    ).toBe(true);
+  });
+});
+
+describe('createCategoryRequestSchema', () => {
+  it('requires a non-empty name; colour and icon are optional', () => {
+    expect(
+      createCategoryRequestSchema.safeParse({ name: 'Food' }).success,
+    ).toBe(true);
+    expect(createCategoryRequestSchema.safeParse({ name: '' }).success).toBe(
+      false,
+    );
+    expect(createCategoryRequestSchema.safeParse({}).success).toBe(false);
+  });
+});
+
+describe('updateCategoryRequestSchema', () => {
+  it('allows every field to be omitted (the service COALESCEs)', () => {
+    expect(updateCategoryRequestSchema.safeParse({}).success).toBe(true);
+    expect(
+      updateCategoryRequestSchema.safeParse({ color: '#000' }).success,
+    ).toBe(true);
+  });
+});
@@ -0,0 +1,43 @@
+import { z } from 'zod';
+
+/**
+ * Category API contract — single source of truth for the /api/categories endpoints.
+ *
+ * Categories are the place-category palette (also the admin "Personalization"
+ * surface). Reading is open to any authenticated user; create/update/delete are
+ * admin-only. The legacy route (server/src/routes/categories.ts) wraps
+ * services/categoryService.ts 1:1.
+ *
+ * The bespoke 400 ("Category name is required") and 404 ("Category not found")
+ * messages are reproduced in the controller so the bodies stay byte-identical.
+ */
+
+export const categorySchema = z.object({
+  id: z.number(),
+  name: z.string(),
+  color: z.string(),
+  icon: z.string(),
+  user_id: z.number().nullable().optional(),
+  created_at: z.string().optional(),
+});
+export type Category = z.infer<typeof categorySchema>;
+
+export const createCategoryRequestSchema = z.object({
+  name: z.string().min(1),
+  color: z.string().optional(),
+  icon: z.string().optional(),
+});
+export type CreateCategoryRequest = z.infer<typeof createCategoryRequestSchema>;
+
+/** All fields optional — the service COALESCEs each against the stored value. */
+export const updateCategoryRequestSchema = z.object({
+  name: z.string().optional(),
+  color: z.string().optional(),
+  icon: z.string().optional(),
+});
+export type UpdateCategoryRequest = z.infer<typeof updateCategoryRequestSchema>;
+
+export const categoryListResponseSchema = z.object({
+  categories: z.array(categorySchema),
+});
+export type CategoryListResponse = z.infer<typeof categoryListResponseSchema>;
@@ -0,0 +1,83 @@
+import {
+  collabNoteCreateRequestSchema,
+  collabPollCreateRequestSchema,
+  collabPollVoteRequestSchema,
+  collabMessageCreateRequestSchema,
+  collabReactionRequestSchema,
+} from './collab.schema';
+
+import { describe, it, expect } from 'vitest';
+
+describe('collabNoteCreateRequestSchema', () => {
+  it('requires a non-empty title; the rest is optional', () => {
+    expect(
+      collabNoteCreateRequestSchema.safeParse({ title: 'Idea' }).success,
+    ).toBe(true);
+    expect(collabNoteCreateRequestSchema.safeParse({ title: '' }).success).toBe(
+      false,
+    );
+    expect(collabNoteCreateRequestSchema.safeParse({}).success).toBe(false);
+  });
+});
+
+describe('collabPollCreateRequestSchema', () => {
+  it('requires a question and at least two options', () => {
+    expect(
+      collabPollCreateRequestSchema.safeParse({
+        question: 'Where?',
+        options: ['A', 'B'],
+      }).success,
+    ).toBe(true);
+    expect(
+      collabPollCreateRequestSchema.safeParse({
+        question: 'Where?',
+        options: ['A'],
+      }).success,
+    ).toBe(false);
+    expect(
+      collabPollCreateRequestSchema.safeParse({ options: ['A', 'B'] }).success,
+    ).toBe(false);
+  });
+});
+
+describe('collabPollVoteRequestSchema', () => {
+  it('requires a numeric option_index', () => {
+    expect(
+      collabPollVoteRequestSchema.safeParse({ option_index: 0 }).success,
+    ).toBe(true);
+    expect(
+      collabPollVoteRequestSchema.safeParse({ option_index: 'a' }).success,
+    ).toBe(false);
+  });
+});
+
+describe('collabMessageCreateRequestSchema', () => {
+  it('requires text, caps it at 5000, allows a nullable reply_to', () => {
+    expect(
+      collabMessageCreateRequestSchema.safeParse({ text: 'hi', reply_to: null })
+        .success,
+    ).toBe(true);
+    expect(
+      collabMessageCreateRequestSchema.safeParse({ text: 'hi', reply_to: 4 })
+        .success,
+    ).toBe(true);
+    expect(
+      collabMessageCreateRequestSchema.safeParse({ text: '' }).success,
+    ).toBe(false);
+    expect(
+      collabMessageCreateRequestSchema.safeParse({ text: 'x'.repeat(5001) })
+        .success,
+    ).toBe(false);
+  });
+});
+
+describe('collabReactionRequestSchema', () => {
+  it('requires a non-empty emoji', () => {
+    expect(collabReactionRequestSchema.safeParse({ emoji: '👍' }).success).toBe(
+      true,
+    );
+    expect(collabReactionRequestSchema.safeParse({ emoji: '' }).success).toBe(
+      false,
+    );
+  });
+});
@@ -0,0 +1,64 @@
+import { z } from 'zod';
+
+/**
+ * Collab API contract — single source of truth for the /api/trips/:tripId/collab
+ * endpoints (shared notes + file attachments, decision polls, group chat with
+ * reactions, link previews).
+ *
+ * Trip-scoped; mutations use 'collab_edit' (file uploads use 'file_upload'). The
+ * legacy route (server/src/routes/collab.ts) wraps collabService and broadcasts
+ * over WebSocket + fires chat/note notifications. Rows are wide and kept open;
+ * the request schemas + the bespoke 400/403/404 controller messages pin the rest.
+ */
+
+export const collabNoteCreateRequestSchema = z.object({
+  title: z.string().min(1),
+  content: z.string().optional(),
+  category: z.string().optional(),
+  color: z.string().optional(),
+  website: z.string().optional(),
+});
+export type CollabNoteCreateRequest = z.infer<
+  typeof collabNoteCreateRequestSchema
+>;
+
+export const collabNoteUpdateRequestSchema = z.object({
+  title: z.string().optional(),
+  content: z.string().optional(),
+  category: z.string().optional(),
+  color: z.string().optional(),
+  pinned: z.union([z.boolean(), z.number()]).optional(),
+  website: z.string().optional(),
+});
+export type CollabNoteUpdateRequest = z.infer<
+  typeof collabNoteUpdateRequestSchema
+>;
+
+export const collabPollCreateRequestSchema = z.object({
+  question: z.string().min(1),
+  options: z.array(z.unknown()).min(2),
+  multiple: z.boolean().optional(),
+  multiple_choice: z.boolean().optional(),
+  deadline: z.string().optional(),
+});
+export type CollabPollCreateRequest = z.infer<
+  typeof collabPollCreateRequestSchema
+>;
+
+export const collabPollVoteRequestSchema = z.object({
+  option_index: z.number(),
+});
+export type CollabPollVoteRequest = z.infer<typeof collabPollVoteRequestSchema>;
+
+export const collabMessageCreateRequestSchema = z.object({
+  text: z.string().min(1).max(5000),
+  reply_to: z.number().nullable().optional(),
+});
+export type CollabMessageCreateRequest = z.infer<
+  typeof collabMessageCreateRequestSchema
+>;
+
+export const collabReactionRequestSchema = z.object({
+  emoji: z.string().min(1),
+});
+export type CollabReactionRequest = z.infer<typeof collabReactionRequestSchema>;
@@ -0,0 +1,14 @@
+import { z } from 'zod';
+
+/**
+ * Public config contract — the unauthenticated /api/config endpoint.
+ *
+ * This is the only public (non-authenticated) endpoint in the L2 bundle: the
+ * login page reads it before a user signs in to pick the initial language. The
+ * legacy route (server/src/routes/publicConfig.ts) returns just the server's
+ * configured default language, so the response is intentionally minimal.
+ */
+export const publicConfigSchema = z.object({
+  defaultLanguage: z.string(),
+});
+export type PublicConfig = z.infer<typeof publicConfigSchema>;
@@ -0,0 +1,49 @@
+import {
+  dayCreateRequestSchema,
+  dayNoteCreateRequestSchema,
+  dayNoteUpdateRequestSchema,
+} from './day.schema';
+
+import { describe, it, expect } from 'vitest';
+
+describe('dayCreateRequestSchema', () => {
+  it('accepts an optional date + notes', () => {
+    expect(dayCreateRequestSchema.safeParse({}).success).toBe(true);
+    expect(
+      dayCreateRequestSchema.safeParse({ date: '2026-07-01', notes: 'n' })
+        .success,
+    ).toBe(true);
+  });
+});
+
+describe('dayNoteCreateRequestSchema', () => {
+  it('requires non-empty text capped at 500, time capped at 150', () => {
+    expect(
+      dayNoteCreateRequestSchema.safeParse({ text: 'Lunch' }).success,
+    ).toBe(true);
+    expect(dayNoteCreateRequestSchema.safeParse({ text: '' }).success).toBe(
+      false,
+    );
+    expect(
+      dayNoteCreateRequestSchema.safeParse({ text: 'x'.repeat(501) }).success,
+    ).toBe(false);
+    expect(
+      dayNoteCreateRequestSchema.safeParse({
+        text: 'ok',
+        time: 'y'.repeat(151),
+      }).success,
+    ).toBe(false);
+  });
+});
+
+describe('dayNoteUpdateRequestSchema', () => {
+  it('allows omitting text and caps the lengths', () => {
+    expect(dayNoteUpdateRequestSchema.safeParse({}).success).toBe(true);
+    expect(dayNoteUpdateRequestSchema.safeParse({ icon: '🍽️' }).success).toBe(
+      true,
+    );
+    expect(
+      dayNoteUpdateRequestSchema.safeParse({ text: 'x'.repeat(501) }).success,
+    ).toBe(false);
+  });
+});
@@ -0,0 +1,75 @@
+import { assignmentSchema } from '../assignment/assignment.schema';
+
+import { z } from 'zod';
+
+/**
+ * Day + day-note API contract — single source of truth for the
+ * /api/trips/:tripId/days and /api/trips/:tripId/days/:dayId/notes endpoints.
+ *
+ * Trip-scoped, both gated by the 'day_edit' permission. The legacy routes
+ * (server/src/routes/days.ts + routes/dayNotes.ts) wrap dayService /
+ * dayNoteService. Day rows (with their assignments) are wide and DB-derived, so
+ * list responses stay open. Day notes cap text at 500 and time at 150 chars
+ * (the legacy validateStringLengths middleware) — reproduced in the controller.
+ */
+
+/**
+ * Day note entity (server day_notes table / dayNoteService). `sort_order` is
+ * SQLite REAL; `icon` defaults to a note emoji.
+ */
+export const dayNoteSchema = z.object({
+  id: z.number(),
+  day_id: z.number(),
+  trip_id: z.number().optional(),
+  text: z.string(),
+  time: z.string().nullable().optional(),
+  icon: z.string().nullable().optional(),
+  sort_order: z.number().optional(),
+  created_at: z.string().optional(),
+});
+export type DayNote = z.infer<typeof dayNoteSchema>;
+
+/**
+ * Day entity as returned by the day list/get endpoints
+ * (server/src/services/dayService.ts -> listDays). Columns of the `days` table
+ * plus the embedded `assignments` and `notes_items` arrays.
+ */
+export const daySchema = z.object({
+  id: z.number(),
+  trip_id: z.number(),
+  day_number: z.number().optional(),
+  date: z.string().nullable().optional(),
+  title: z.string().nullable().optional(),
+  notes: z.string().nullable().optional(),
+  assignments: z.array(assignmentSchema).optional(),
+  notes_items: z.array(dayNoteSchema).optional(),
+});
+export type Day = z.infer<typeof daySchema>;
+
+export const dayCreateRequestSchema = z.object({
+  date: z.string().optional(),
+  notes: z.string().optional(),
+});
+export type DayCreateRequest = z.infer<typeof dayCreateRequestSchema>;
+
+export const dayUpdateRequestSchema = z.object({
+  notes: z.string().optional(),
+  title: z.string().nullable().optional(),
+});
+export type DayUpdateRequest = z.infer<typeof dayUpdateRequestSchema>;
+
+export const dayNoteCreateRequestSchema = z.object({
+  text: z.string().min(1).max(500),
+  time: z.string().max(150).optional(),
+  icon: z.string().optional(),
+  sort_order: z.number().optional(),
+});
+export type DayNoteCreateRequest = z.infer<typeof dayNoteCreateRequestSchema>;
+
+export const dayNoteUpdateRequestSchema = z.object({
+  text: z.string().max(500).optional(),
+  time: z.string().max(150).optional(),
+  icon: z.string().optional(),
+  sort_order: z.number().optional(),
+});
+export type DayNoteUpdateRequest = z.infer<typeof dayNoteUpdateRequestSchema>;
@@ -0,0 +1,42 @@
+import {
+  fileUpdateRequestSchema,
+  fileLinkRequestSchema,
+  photoVariantSchema,
+} from './file.schema';
+
+import { describe, it, expect } from 'vitest';
+
+describe('fileUpdateRequestSchema', () => {
+  it('accepts optional metadata, nullable ids, an empty body', () => {
+    expect(
+      fileUpdateRequestSchema.safeParse({ description: 'doc', place_id: 3 })
+        .success,
+    ).toBe(true);
+    expect(
+      fileUpdateRequestSchema.safeParse({ place_id: null, reservation_id: '7' })
+        .success,
+    ).toBe(true);
+    expect(fileUpdateRequestSchema.safeParse({}).success).toBe(true);
+  });
+});
+
+describe('fileLinkRequestSchema', () => {
+  it('accepts any subset of reservation/assignment/place ids', () => {
+    expect(fileLinkRequestSchema.safeParse({ reservation_id: 1 }).success).toBe(
+      true,
+    );
+    expect(
+      fileLinkRequestSchema.safeParse({ assignment_id: '2', place_id: null })
+        .success,
+    ).toBe(true);
+    expect(fileLinkRequestSchema.safeParse({}).success).toBe(true);
+  });
+});
+
+describe('photoVariantSchema', () => {
+  it('only allows thumbnail or original', () => {
+    expect(photoVariantSchema.safeParse('thumbnail').success).toBe(true);
+    expect(photoVariantSchema.safeParse('original').success).toBe(true);
+    expect(photoVariantSchema.safeParse('full').success).toBe(false);
+  });
+});
@@ -0,0 +1,33 @@
+import { z } from 'zod';
+
+/**
+ * File + photo API contract.
+ *
+ * Files live under /api/trips/:tripId/files (upload, metadata, star, trash,
+ * reservation links, authenticated download). Photos live under /api/photos
+ * (thumbnail/original streaming + info) and are global, not trip-scoped.
+ *
+ * Uploads are multipart/form-data so the file itself isn't modelled here; these
+ * schemas pin the JSON-ish metadata fields that ride along or come as request
+ * bodies. The bespoke 400/403/404 controller messages pin the rest.
+ */
+
+const nullableIdField = z.union([z.string(), z.number()]).nullable().optional();
+
+export const fileUpdateRequestSchema = z.object({
+  description: z.string().optional(),
+  place_id: nullableIdField,
+  reservation_id: nullableIdField,
+});
+export type FileUpdateRequest = z.infer<typeof fileUpdateRequestSchema>;
+
+export const fileLinkRequestSchema = z.object({
+  reservation_id: nullableIdField,
+  assignment_id: nullableIdField,
+  place_id: nullableIdField,
+});
+export type FileLinkRequest = z.infer<typeof fileLinkRequestSchema>;
+
+/** Variants the photo streaming endpoints accept. */
+export const photoVariantSchema = z.enum(['thumbnail', 'original']);
+export type PhotoVariant = z.infer<typeof photoVariantSchema>;
@@ -315,5 +315,31 @@ const admin: TranslationStrings = {
    'يعمل TREK الخاص بك في Docker. للتحديث إلى {version}، نفّذ الأوامر التالية على الخادم:',
  'admin.update.reloadHint': 'يرجى إعادة تحميل الصفحة بعد بضع ثوانٍ.',
  'admin.tabs.permissions': 'الصلاحيات',
+  'admin.notifications.webhook': 'Webhook', // en-fallback
+  'admin.notifications.ntfy': 'Ntfy', // en-fallback
+  'admin.notifications.emailPanel.title': 'Email (SMTP)', // en-fallback
+  'admin.notifications.webhookPanel.title': 'Webhook', // en-fallback
+  'admin.notifications.inappPanel.title': 'In-App', // en-fallback
+  'admin.notifications.adminNtfyPanel.serverPlaceholder': 'https://ntfy.sh', // en-fallback
+  'admin.notifications.adminNtfyPanel.topicPlaceholder': 'trek-admin-alerts', // en-fallback
+  'admin.authMethods': 'Authentication Methods', // en-fallback
+  'admin.passwordLogin': 'Password Login', // en-fallback
+  'admin.passwordLoginHint': 'Allow users to sign in with email and password', // en-fallback
+  'admin.passwordRegistration': 'Password Registration', // en-fallback
+  'admin.passwordRegistrationHint':
+    'Allow new users to register with email and password', // en-fallback
+  'admin.oidcLogin': 'SSO Login', // en-fallback
+  'admin.oidcLoginHint': 'Allow users to sign in with SSO', // en-fallback
+  'admin.oidcRegistration': 'SSO Auto-Provisioning', // en-fallback
+  'admin.oidcRegistrationHint':
+    'Automatically create accounts for new SSO users', // en-fallback
+  'admin.envOverrideHint':
+    'Password login settings are controlled by the OIDC_ONLY environment variable and cannot be changed here.', // en-fallback
+  'admin.lockoutWarning': 'At least one login method must remain enabled', // en-fallback
+  'admin.addons.catalog.mcp.name': 'MCP', // en-fallback
+  'admin.tabs.github': 'GitHub', // en-fallback
+  'admin.addons.catalog.journey.name': 'Journey', // en-fallback
+  'admin.addons.catalog.journey.description':
+    'Trip tracking & travel journal with check-ins, photos, and daily stories', // en-fallback
 };
 export default admin;
@@ -71,5 +71,6 @@ const backup: TranslationStrings = {
  'backup.restoreTip':
    'نصيحة: أنشئ نسخة احتياطية للحالة الحالية قبل الاستعادة.',
  'backup.restoreConfirm': 'نعم، استعادة',
+  'backup.auto.envLocked': 'Docker', // en-fallback
 };
 export default backup;
@@ -68,5 +68,6 @@ const collab: TranslationStrings = {
  'collab.polls.options': 'الخيارات',
  'collab.polls.delete': 'حذف',
  'collab.polls.closedSection': 'مغلق',
+  'collab.notes.websitePlaceholder': 'https://...', // en-fallback
 };
 export default collab;
@@ -47,5 +47,8 @@ const common: TranslationStrings = {
  'common.collapse': 'طي',
  'common.copy': 'نسخ',
  'common.copied': 'تم النسخ',
+  'common.justNow': 'just now', // en-fallback
+  'common.hoursAgo': '{count}h ago', // en-fallback
+  'common.daysAgo': '{count}d ago', // en-fallback
 };
 export default common;
@@ -34,5 +34,13 @@ const dayplan: TranslationStrings = {
  'dayplan.pendingRes': 'قيد الانتظار',
  'dayplan.pdfTooltip': 'تصدير خطة اليوم بصيغة PDF',
  'dayplan.pdfError': 'فشل تصدير PDF',
+  'dayplan.expandAll': 'Expand all days', // en-fallback
+  'dayplan.collapseAll': 'Collapse all days', // en-fallback
+  'dayplan.pdf': 'PDF', // en-fallback
+  'dayplan.mobile.addPlace': 'Add Place', // en-fallback
+  'dayplan.mobile.searchPlaces': 'Search places...', // en-fallback
+  'dayplan.mobile.allAssigned': 'All places assigned', // en-fallback
+  'dayplan.mobile.noMatch': 'No match', // en-fallback
+  'dayplan.mobile.createNew': 'Create new place', // en-fallback
 };
 export default dayplan;
@@ -52,5 +52,193 @@ const journey: TranslationStrings = {
  'journey.picker.noAlbums': 'لم يتم العثور على ألبومات',
  'journey.picker.selectDate': 'اختر تاريخ',
  'journey.picker.search': 'بحث',
+  'journey.title': 'Journey', // en-fallback
+  'journey.subtitle': 'Track your travels as they happen', // en-fallback
+  'journey.new': 'New Journey', // en-fallback
+  'journey.create': 'Create', // en-fallback
+  'journey.titlePlaceholder': 'Where are you going?', // en-fallback
+  'journey.empty': 'No journeys yet', // en-fallback
+  'journey.emptyHint': 'Start documenting your next trip', // en-fallback
+  'journey.deleted': 'Journey deleted', // en-fallback
+  'journey.createError': 'Could not create journey', // en-fallback
+  'journey.deleteError': 'Could not delete journey', // en-fallback
+  'journey.deleteConfirmTitle': 'Delete', // en-fallback
+  'journey.deleteConfirmMessage': 'Delete "{title}"? This cannot be undone.', // en-fallback
+  'journey.deleteConfirmGeneric': 'Are you sure you want to delete this?', // en-fallback
+  'journey.notFound': 'Journey not found', // en-fallback
+  'journey.photos': 'Photos', // en-fallback
+  'journey.timelineEmpty': 'No stops yet', // en-fallback
+  'journey.timelineEmptyHint':
+    'Add a check-in or write a journal entry to get started', // en-fallback
+  'journey.status.draft': 'Draft', // en-fallback
+  'journey.status.active': 'Active', // en-fallback
+  'journey.status.completed': 'Completed', // en-fallback
+  'journey.status.upcoming': 'Upcoming', // en-fallback
+  'journey.checkin.add': 'Check in', // en-fallback
+  'journey.checkin.namePlaceholder': 'Location name', // en-fallback
+  'journey.checkin.notesPlaceholder': 'Notes (optional)', // en-fallback
+  'journey.checkin.save': 'Save', // en-fallback
+  'journey.checkin.error': 'Could not save check-in', // en-fallback
+  'journey.entry.add': 'Journal', // en-fallback
+  'journey.entry.edit': 'Edit entry', // en-fallback
+  'journey.entry.titlePlaceholder': 'Title (optional)', // en-fallback
+  'journey.entry.bodyPlaceholder': 'What happened today?', // en-fallback
+  'journey.entry.save': 'Save', // en-fallback
+  'journey.entry.error': 'Could not save entry', // en-fallback
+  'journey.photo.add': 'Photo', // en-fallback
+  'journey.photo.uploadError': 'Upload failed', // en-fallback
+  'journey.share.share': 'Share', // en-fallback
+  'journey.share.public': 'Public', // en-fallback
+  'journey.share.linkCopied': 'Public link copied', // en-fallback
+  'journey.share.disabled': 'Public sharing disabled', // en-fallback
+  'journey.editor.titlePlaceholder': 'Give this moment a name...', // en-fallback
+  'journey.editor.bodyPlaceholder': 'Tell the story of this day...', // en-fallback
+  'journey.editor.placePlaceholder': 'Location (optional)', // en-fallback
+  'journey.editor.tagsPlaceholder':
+    'Tags: hidden gem, best meal, must revisit...', // en-fallback
+  'journey.visibility.private': 'Private', // en-fallback
+  'journey.visibility.shared': 'Shared', // en-fallback
+  'journey.visibility.public': 'Public', // en-fallback
+  'journey.emptyState.title': 'Your story starts here', // en-fallback
+  'journey.emptyState.subtitle':
+    'Check in at a place or write your first journal entry', // en-fallback
+  'journey.frontpage.subtitle':
+    "Turn your trips into stories you'll never forget", // en-fallback
+  'journey.frontpage.createJourney': 'Create Journey', // en-fallback
+  'journey.frontpage.activeJourney': 'Active Journey', // en-fallback
+  'journey.frontpage.allJourneys': 'All Journeys', // en-fallback
+  'journey.frontpage.journeys': 'journeys', // en-fallback
+  'journey.frontpage.createNew': 'Create a new Journey', // en-fallback
+  'journey.frontpage.createNewSub':
+    'Pick trips, write stories, share your adventures', // en-fallback
+  'journey.frontpage.live': 'Live', // en-fallback
+  'journey.frontpage.synced': 'Synced', // en-fallback
+  'journey.frontpage.continueWriting': 'Continue writing', // en-fallback
+  'journey.frontpage.updated': 'Updated {time}', // en-fallback
+  'journey.frontpage.suggestionLabel': 'Trip just ended', // en-fallback
+  'journey.frontpage.suggestionText':
+    'Turn <strong>{title}</strong> into a Journey', // en-fallback
+  'journey.frontpage.dismiss': 'Dismiss', // en-fallback
+  'journey.frontpage.journeyName': 'Journey Name', // en-fallback
+  'journey.frontpage.namePlaceholder': 'e.g. Southeast Asia 2026', // en-fallback
+  'journey.frontpage.selectTrips': 'Select Trips', // en-fallback
+  'journey.frontpage.tripsSelected': 'trips selected', // en-fallback
+  'journey.frontpage.trips': 'trips', // en-fallback
+  'journey.frontpage.placesImported': 'places will be imported', // en-fallback
+  'journey.frontpage.places': 'places', // en-fallback
+  'journey.detail.syncedWithTrips': 'Synced with Trips', // en-fallback
+  'journey.detail.addEntry': 'Add Entry', // en-fallback
+  'journey.detail.newEntry': 'New Entry', // en-fallback
+  'journey.detail.editEntry': 'Edit Entry', // en-fallback
+  'journey.detail.noEntries': 'No entries yet', // en-fallback
+  'journey.detail.noEntriesHint':
+    'Add a trip to get started with skeleton entries', // en-fallback
+  'journey.detail.noPhotos': 'No photos yet', // en-fallback
+  'journey.detail.noPhotosHint':
+    'Upload photos to entries or browse your Immich/Synology library', // en-fallback
+  'journey.detail.journeyTab': 'Journey', // en-fallback
+  'journey.detail.journeyStats': 'Journey Stats', // en-fallback
+  'journey.detail.syncedTrips': 'Synced Trips', // en-fallback
+  'journey.detail.noTripsLinked': 'No trips linked yet', // en-fallback
+  'journey.detail.contributors': 'Contributors', // en-fallback
+  'journey.detail.readMore': 'Read more', // en-fallback
+  'journey.detail.prosCons': 'Pros & Cons', // en-fallback
+  'journey.stats.days': 'Days', // en-fallback
+  'journey.stats.cities': 'Cities', // en-fallback
+  'journey.stats.entries': 'Entries', // en-fallback
+  'journey.stats.photos': 'Photos', // en-fallback
+  'journey.stats.places': 'Places', // en-fallback
+  'journey.verdict.lovedIt': 'Loved it', // en-fallback
+  'journey.verdict.couldBeBetter': 'Could be better', // en-fallback
+  'journey.synced.places': 'places', // en-fallback
+  'journey.synced.synced': 'synced', // en-fallback
+  'journey.editor.allPhotosAdded': 'All photos already added', // en-fallback
+  'journey.editor.writeStory': 'Write your story...', // en-fallback
+  'journey.editor.prosCons': 'Pros & Cons', // en-fallback
+  'journey.editor.pros': 'Pros', // en-fallback
+  'journey.editor.cons': 'Cons', // en-fallback
+  'journey.editor.proPlaceholder': 'Something great...', // en-fallback
+  'journey.editor.conPlaceholder': 'Not so great...', // en-fallback
+  'journey.editor.date': 'Date', // en-fallback
+  'journey.editor.location': 'Location', // en-fallback
+  'journey.editor.searchLocation': 'Search location...', // en-fallback
+  'journey.editor.mood': 'Mood', // en-fallback
+  'journey.editor.weather': 'Weather', // en-fallback
+  'journey.editor.photoFirst': '1st', // en-fallback
+  'journey.mood.amazing': 'Amazing', // en-fallback
+  'journey.mood.good': 'Good', // en-fallback
+  'journey.mood.neutral': 'Neutral', // en-fallback
+  'journey.mood.rough': 'Rough', // en-fallback
+  'journey.weather.sunny': 'Sunny', // en-fallback
+  'journey.weather.partly': 'Partly cloudy', // en-fallback
+  'journey.weather.cloudy': 'Cloudy', // en-fallback
+  'journey.weather.rainy': 'Rainy', // en-fallback
+  'journey.weather.stormy': 'Stormy', // en-fallback
+  'journey.weather.cold': 'Snowy', // en-fallback
+  'journey.trips.linkTrip': 'Link Trip', // en-fallback
+  'journey.trips.searchTrip': 'Search Trip', // en-fallback
+  'journey.trips.searchPlaceholder': 'Trip name or destination...', // en-fallback
+  'journey.trips.noTripsAvailable': 'No trips available', // en-fallback
+  'journey.trips.link': 'Link', // en-fallback
+  'journey.trips.tripLinked': 'Trip linked', // en-fallback
+  'journey.trips.linkFailed': 'Failed to link trip', // en-fallback
+  'journey.trips.addTrip': 'Add Trip', // en-fallback
+  'journey.trips.unlinkTrip': 'Unlink Trip', // en-fallback
+  'journey.trips.unlinkMessage':
+    'Unlink "{title}"? All synced entries and photos from this trip will be permanently deleted. This cannot be undone.', // en-fallback
+  'journey.trips.unlink': 'Unlink', // en-fallback
+  'journey.trips.tripUnlinked': 'Trip unlinked', // en-fallback
+  'journey.trips.unlinkFailed': 'Failed to unlink trip', // en-fallback
+  'journey.trips.noTripsLinkedSettings': 'No trips linked', // en-fallback
+  'journey.contributors.invite': 'Invite Contributor', // en-fallback
+  'journey.contributors.searchUser': 'Search User', // en-fallback
+  'journey.contributors.searchPlaceholder': 'Username or email...', // en-fallback
+  'journey.contributors.noUsers': 'No users found', // en-fallback
+  'journey.contributors.role': 'Role', // en-fallback
+  'journey.contributors.added': 'Contributor added', // en-fallback
+  'journey.contributors.addFailed': 'Failed to add contributor', // en-fallback
+  'journey.contributors.remove': 'Remove contributor', // en-fallback
+  'journey.contributors.removeConfirm': 'Remove {username} from this journey?', // en-fallback
+  'journey.contributors.removed': 'Contributor removed', // en-fallback
+  'journey.contributors.removeFailed': 'Failed to remove contributor', // en-fallback
+  'journey.share.publicShare': 'Public Share', // en-fallback
+  'journey.share.createLink': 'Create share link', // en-fallback
+  'journey.share.linkCreated': 'Share link created', // en-fallback
+  'journey.share.createFailed': 'Failed to create link', // en-fallback
+  'journey.share.timeline': 'Timeline', // en-fallback
+  'journey.share.gallery': 'Gallery', // en-fallback
+  'journey.share.map': 'Map', // en-fallback
+  'journey.share.removeLink': 'Remove share link', // en-fallback
+  'journey.share.linkDeleted': 'Share link deleted', // en-fallback
+  'journey.share.deleteFailed': 'Failed to delete', // en-fallback
+  'journey.share.updateFailed': 'Failed to update', // en-fallback
+  'journey.settings.title': 'Journey Settings', // en-fallback
+  'journey.settings.coverImage': 'Cover Image', // en-fallback
+  'journey.settings.changeCover': 'Change cover', // en-fallback
+  'journey.settings.addCover': 'Add cover image', // en-fallback
+  'journey.settings.name': 'Name', // en-fallback
+  'journey.settings.subtitle': 'Subtitle', // en-fallback
+  'journey.settings.subtitlePlaceholder': 'e.g. Thailand, Vietnam & Cambodia', // en-fallback
+  'journey.settings.delete': 'Delete', // en-fallback
+  'journey.settings.deleteJourney': 'Delete Journey', // en-fallback
+  'journey.settings.deleteMessage':
+    'Delete "{title}"? All entries and photos will be lost.', // en-fallback
+  'journey.settings.saved': 'Settings saved', // en-fallback
+  'journey.settings.saveFailed': 'Failed to save', // en-fallback
+  'journey.settings.coverUpdated': 'Cover updated', // en-fallback
+  'journey.settings.coverFailed': 'Upload failed', // en-fallback
+  'journey.public.notFound': 'Not Found', // en-fallback
+  'journey.public.notFoundMessage':
+    "This journey doesn't exist or the link has expired.", // en-fallback
+  'journey.public.readOnly': 'Read-only · Public Journey', // en-fallback
+  'journey.public.tagline': 'Travel Resource & Exploration Kit', // en-fallback
+  'journey.public.sharedVia': 'Shared via', // en-fallback
+  'journey.public.madeWith': 'Made with', // en-fallback
+  'journey.pdf.journeyBook': 'Journey Book', // en-fallback
+  'journey.pdf.madeWith': 'Made with TREK', // en-fallback
+  'journey.pdf.day': 'Day', // en-fallback
+  'journey.pdf.theEnd': 'The End', // en-fallback
+  'journey.pdf.saveAsPdf': 'Save as PDF', // en-fallback
+  'journey.pdf.pages': 'pages', // en-fallback
 };
 export default journey;
@@ -87,5 +87,6 @@ const login: TranslationStrings = {
  'login.resetPasswordInvalidLinkBody':
    'هذا الرابط مفقود أو تالف. اطلب رابطًا جديدًا للمتابعة.',
  'login.resetPasswordFailed': 'فشلت إعادة التعيين. ربما انتهت صلاحية الرابط.',
+  'login.emailPlaceholder': 'your@email.com', // en-fallback
 };
 export default login;
@@ -89,5 +89,31 @@ const oauth: TranslationStrings = {
  'oauth.scope.journey:share.label': 'إدارة روابط مذكرات السفر',
  'oauth.scope.journey:share.description':
    'إنشاء روابط مشاركة عامة لمذكرات السفر وتحديثها وإلغاؤها',
+  'oauth.scope.group.atlas': 'Atlas', // en-fallback
+  'oauth.scope.group.geo': 'Geo', // en-fallback
+  'oauth.authorize.authorizing': 'Authorizing…', // en-fallback
+  'oauth.authorize.loading': 'Loading…', // en-fallback
+  'oauth.authorize.errorTitle': 'Authorization Error', // en-fallback
+  'oauth.authorize.loginTitle': 'Sign in to continue', // en-fallback
+  'oauth.authorize.loginDescription':
+    '{client} wants access to your TREK account. Please sign in first.', // en-fallback
+  'oauth.authorize.loginButton': 'Sign in to TREK', // en-fallback
+  'oauth.authorize.requestLabel': 'Authorization Request', // en-fallback
+  'oauth.authorize.requestDescription':
+    'This application is requesting access to your TREK account.', // en-fallback
+  'oauth.authorize.trustNote':
+    'Only grant access to applications you trust. Your data stays on your server.', // en-fallback
+  'oauth.authorize.selectScope': 'Select at least one scope', // en-fallback
+  'oauth.authorize.approveOneScope': 'Approve ({count} scope)', // en-fallback
+  'oauth.authorize.approveManyScopes': 'Approve ({count} scopes)', // en-fallback
+  'oauth.authorize.approveAccess': 'Approve Access', // en-fallback
+  'oauth.authorize.deny': 'Deny', // en-fallback
+  'oauth.authorize.choosePermissions': 'Choose which permissions to grant', // en-fallback
+  'oauth.authorize.permissionsRequested': 'Permissions requested', // en-fallback
+  'oauth.authorize.alwaysIncluded': 'Always included', // en-fallback
+  'oauth.authorize.alwaysTool.listTrips':
+    'List your trips so the AI can discover trip IDs', // en-fallback
+  'oauth.authorize.alwaysTool.getTripSummary':
+    'Read a trip overview needed to use any other tool', // en-fallback
 };
 export default oauth;
@@ -270,5 +270,23 @@ const settings: TranslationStrings = {
  'settings.mfa.toastEnabled': 'تم تفعيل المصادقة الثنائية',
  'settings.mfa.toastDisabled': 'تم تعطيل المصادقة الثنائية',
  'settings.mfa.demoBlocked': 'غير متاح في الوضع التجريبي',
+  'settings.tabs.offline': 'Offline', // en-fallback
+  'settings.mapTemplatePlaceholder':
+    'https://{s}.tile.openstreetmap.org/{z}/{x}/{y}.png', // en-fallback
+  'settings.notificationPreferences.email': 'Email', // en-fallback
+  'settings.notificationPreferences.webhook': 'Webhook', // en-fallback
+  'settings.notificationPreferences.inapp': 'In-App', // en-fallback
+  'settings.notificationPreferences.ntfy': 'Ntfy', // en-fallback
+  'settings.webhookUrl.placeholder': 'https://discord.com/api/webhooks/...', // en-fallback
+  'settings.ntfyUrl.topicPlaceholder': 'my-trek-alerts', // en-fallback
+  'settings.ntfyUrl.serverPlaceholder': 'https://ntfy.sh', // en-fallback
+  'settings.oauth.modal.redirectUrisPlaceholder':
+    'https://your-app.com/callback\nhttps://your-app.com/auth', // en-fallback
+  'settings.about.supporter.tier.noReturnTicket': 'No Return Ticket', // en-fallback
+  'settings.about.supporter.tier.lostLuggageVip': 'Lost Luggage VIP', // en-fallback
+  'settings.about.supporter.tier.businessClassDreamer':
+    'Business Class Dreamer', // en-fallback
+  'settings.about.supporter.tier.budgetTraveller': 'Budget Traveller', // en-fallback
+  'settings.about.supporter.tier.hostelBunkmate': 'Hostel Bunkmate', // en-fallback
 };
 export default settings;
@@ -47,5 +47,8 @@ const system_notice: TranslationStrings = {
  'system_notice.pager.next': 'الإشعار التالي',
  'system_notice.pager.goto': 'الانتقال إلى الإشعار {n}',
  'system_notice.pager.position': 'الإشعار {current} من {total}',
+  'system_notice.dev_test_modal.title': '[Dev] Test notice', // en-fallback
+  'system_notice.dev_test_modal.body': 'This is a dev-only test notice.', // en-fallback
+  'system_notice.pager.counter': '{current} / {total}', // en-fallback
 };
 export default system_notice;
@@ -42,5 +42,7 @@ const dayplan: TranslationStrings = {
  'dayplan.mobile.allAssigned': 'Todos os lugares atribuídos',
  'dayplan.mobile.noMatch': 'Sem correspondência',
  'dayplan.mobile.createNew': 'Criar novo lugar',
+  'dayplan.expandAll': 'Expand all days', // en-fallback
+  'dayplan.collapseAll': 'Collapse all days', // en-fallback
 };
 export default dayplan;
@@ -236,5 +236,10 @@ const journey: TranslationStrings = {
  'journey.picker.noAlbums': 'Nenhum álbum encontrado',
  'journey.picker.selectDate': 'Selecionar data',
  'journey.picker.search': 'Pesquisar',
+  'journey.detail.journeyTab': 'Journey', // en-fallback
+  'journey.contributors.remove': 'Remove contributor', // en-fallback
+  'journey.contributors.removeConfirm': 'Remove {username} from this journey?', // en-fallback
+  'journey.contributors.removed': 'Contributor removed', // en-fallback
+  'journey.contributors.removeFailed': 'Failed to remove contributor', // en-fallback
 };
 export default journey;
@@ -94,5 +94,29 @@ const oauth: TranslationStrings = {
  'oauth.scope.journey:share.label': 'Gerenciar links de jornadas',
  'oauth.scope.journey:share.description':
    'Criar, atualizar e revogar links de compartilhamento públicos para jornadas',
+  'oauth.authorize.authorizing': 'Authorizing…', // en-fallback
+  'oauth.authorize.loading': 'Loading…', // en-fallback
+  'oauth.authorize.errorTitle': 'Authorization Error', // en-fallback
+  'oauth.authorize.loginTitle': 'Sign in to continue', // en-fallback
+  'oauth.authorize.loginDescription':
+    '{client} wants access to your TREK account. Please sign in first.', // en-fallback
+  'oauth.authorize.loginButton': 'Sign in to TREK', // en-fallback
+  'oauth.authorize.requestLabel': 'Authorization Request', // en-fallback
+  'oauth.authorize.requestDescription':
+    'This application is requesting access to your TREK account.', // en-fallback
+  'oauth.authorize.trustNote':
+    'Only grant access to applications you trust. Your data stays on your server.', // en-fallback
+  'oauth.authorize.selectScope': 'Select at least one scope', // en-fallback
+  'oauth.authorize.approveOneScope': 'Approve ({count} scope)', // en-fallback
+  'oauth.authorize.approveManyScopes': 'Approve ({count} scopes)', // en-fallback
+  'oauth.authorize.approveAccess': 'Approve Access', // en-fallback
+  'oauth.authorize.deny': 'Deny', // en-fallback
+  'oauth.authorize.choosePermissions': 'Choose which permissions to grant', // en-fallback
+  'oauth.authorize.permissionsRequested': 'Permissions requested', // en-fallback
+  'oauth.authorize.alwaysIncluded': 'Always included', // en-fallback
+  'oauth.authorize.alwaysTool.listTrips':
+    'List your trips so the AI can discover trip IDs', // en-fallback
+  'oauth.authorize.alwaysTool.getTripSummary':
+    'Read a trip overview needed to use any other tool', // en-fallback
 };
 export default oauth;
@@ -42,5 +42,7 @@ const dayplan: TranslationStrings = {
  'dayplan.mobile.allAssigned': 'Všechna místa přiřazena',
  'dayplan.mobile.noMatch': 'Žádná shoda',
  'dayplan.mobile.createNew': 'Vytvořit nové místo',
+  'dayplan.expandAll': 'Expand all days', // en-fallback
+  'dayplan.collapseAll': 'Collapse all days', // en-fallback
 };
 export default dayplan;
@@ -235,5 +235,10 @@ const journey: TranslationStrings = {
  'journey.picker.noAlbums': 'Žádná alba nenalezena',
  'journey.picker.selectDate': 'Vyberte datum',
  'journey.picker.search': 'Hledat',
+  'journey.detail.journeyTab': 'Journey', // en-fallback
+  'journey.contributors.remove': 'Remove contributor', // en-fallback
+  'journey.contributors.removeConfirm': 'Remove {username} from this journey?', // en-fallback
+  'journey.contributors.removed': 'Contributor removed', // en-fallback
+  'journey.contributors.removeFailed': 'Failed to remove contributor', // en-fallback
 };
 export default journey;
@@ -94,5 +94,29 @@ const oauth: TranslationStrings = {
  'oauth.scope.journey:share.label': 'Spravovat odkazy na cestovní deníky',
  'oauth.scope.journey:share.description':
    'Vytvářet, aktualizovat a rušit veřejné sdílené odkazy na cestovní deníky',
+  'oauth.authorize.authorizing': 'Authorizing…', // en-fallback
+  'oauth.authorize.loading': 'Loading…', // en-fallback
+  'oauth.authorize.errorTitle': 'Authorization Error', // en-fallback
+  'oauth.authorize.loginTitle': 'Sign in to continue', // en-fallback
+  'oauth.authorize.loginDescription':
+    '{client} wants access to your TREK account. Please sign in first.', // en-fallback
+  'oauth.authorize.loginButton': 'Sign in to TREK', // en-fallback
+  'oauth.authorize.requestLabel': 'Authorization Request', // en-fallback
+  'oauth.authorize.requestDescription':
+    'This application is requesting access to your TREK account.', // en-fallback
+  'oauth.authorize.trustNote':
+    'Only grant access to applications you trust. Your data stays on your server.', // en-fallback
+  'oauth.authorize.selectScope': 'Select at least one scope', // en-fallback
+  'oauth.authorize.approveOneScope': 'Approve ({count} scope)', // en-fallback
+  'oauth.authorize.approveManyScopes': 'Approve ({count} scopes)', // en-fallback
+  'oauth.authorize.approveAccess': 'Approve Access', // en-fallback
+  'oauth.authorize.deny': 'Deny', // en-fallback
+  'oauth.authorize.choosePermissions': 'Choose which permissions to grant', // en-fallback
+  'oauth.authorize.permissionsRequested': 'Permissions requested', // en-fallback
+  'oauth.authorize.alwaysIncluded': 'Always included', // en-fallback
+  'oauth.authorize.alwaysTool.listTrips':
+    'List your trips so the AI can discover trip IDs', // en-fallback
+  'oauth.authorize.alwaysTool.getTripSummary':
+    'Read a trip overview needed to use any other tool', // en-fallback
 };
 export default oauth;
@@ -242,5 +242,6 @@ const journey: TranslationStrings = {
  'journey.picker.noAlbums': 'Keine Alben gefunden',
  'journey.picker.selectDate': 'Datum wählen',
  'journey.picker.search': 'Suchen',
+  'journey.detail.journeyTab': 'Journey', // en-fallback
 };
 export default journey;
@@ -95,5 +95,29 @@ const oauth: TranslationStrings = {
  'oauth.scope.journey:share.label': 'Journey-Links verwalten',
  'oauth.scope.journey:share.description':
    'Öffentliche Freigabelinks für Journeys erstellen, aktualisieren und widerrufen',
+  'oauth.authorize.authorizing': 'Authorizing…', // en-fallback
+  'oauth.authorize.loading': 'Loading…', // en-fallback
+  'oauth.authorize.errorTitle': 'Authorization Error', // en-fallback
+  'oauth.authorize.loginTitle': 'Sign in to continue', // en-fallback
+  'oauth.authorize.loginDescription':
+    '{client} wants access to your TREK account. Please sign in first.', // en-fallback
+  'oauth.authorize.loginButton': 'Sign in to TREK', // en-fallback
+  'oauth.authorize.requestLabel': 'Authorization Request', // en-fallback
+  'oauth.authorize.requestDescription':
+    'This application is requesting access to your TREK account.', // en-fallback
+  'oauth.authorize.trustNote':
+    'Only grant access to applications you trust. Your data stays on your server.', // en-fallback
+  'oauth.authorize.selectScope': 'Select at least one scope', // en-fallback
+  'oauth.authorize.approveOneScope': 'Approve ({count} scope)', // en-fallback
+  'oauth.authorize.approveManyScopes': 'Approve ({count} scopes)', // en-fallback
+  'oauth.authorize.approveAccess': 'Approve Access', // en-fallback
+  'oauth.authorize.deny': 'Deny', // en-fallback
+  'oauth.authorize.choosePermissions': 'Choose which permissions to grant', // en-fallback
+  'oauth.authorize.permissionsRequested': 'Permissions requested', // en-fallback
+  'oauth.authorize.alwaysIncluded': 'Always included', // en-fallback
+  'oauth.authorize.alwaysTool.listTrips':
+    'List your trips so the AI can discover trip IDs', // en-fallback
+  'oauth.authorize.alwaysTool.getTripSummary':
+    'Read a trip overview needed to use any other tool', // en-fallback
 };
 export default oauth;
@@ -95,5 +95,29 @@ const oauth: TranslationStrings = {
  'oauth.scope.journey:share.label': 'Manage journey links',
  'oauth.scope.journey:share.description':
    'Create, update, and revoke public share links for journeys',
+  'oauth.authorize.authorizing': 'Authorizing…',
+  'oauth.authorize.loading': 'Loading…',
+  'oauth.authorize.errorTitle': 'Authorization Error',
+  'oauth.authorize.loginTitle': 'Sign in to continue',
+  'oauth.authorize.loginDescription':
+    '{client} wants access to your TREK account. Please sign in first.',
+  'oauth.authorize.loginButton': 'Sign in to TREK',
+  'oauth.authorize.requestLabel': 'Authorization Request',
+  'oauth.authorize.requestDescription':
+    'This application is requesting access to your TREK account.',
+  'oauth.authorize.trustNote':
+    'Only grant access to applications you trust. Your data stays on your server.',
+  'oauth.authorize.selectScope': 'Select at least one scope',
+  'oauth.authorize.approveOneScope': 'Approve ({count} scope)',
+  'oauth.authorize.approveManyScopes': 'Approve ({count} scopes)',
+  'oauth.authorize.approveAccess': 'Approve Access',
+  'oauth.authorize.deny': 'Deny',
+  'oauth.authorize.choosePermissions': 'Choose which permissions to grant',
+  'oauth.authorize.permissionsRequested': 'Permissions requested',
+  'oauth.authorize.alwaysIncluded': 'Always included',
+  'oauth.authorize.alwaysTool.listTrips':
+    'List your trips so the AI can discover trip IDs',
+  'oauth.authorize.alwaysTool.getTripSummary':
+    'Read a trip overview needed to use any other tool',
 };
 export default oauth;
@@ -146,7 +146,8 @@ const dashboard: TranslationStrings = {
  'dashboard.confirm.copy.willCopy': 'Se copiará',
  'dashboard.confirm.copy.will1': 'Días, lugares y asignaciones por día',
  'dashboard.confirm.copy.will2': 'Alojamientos y reservas',
-  'dashboard.confirm.copy.will3': 'Partidas de presupuesto y orden de categorías',
+  'dashboard.confirm.copy.will3':
+    'Partidas de presupuesto y orden de categorías',
  'dashboard.confirm.copy.will4': 'Listas de equipaje (sin marcar)',
  'dashboard.confirm.copy.will5': 'Tareas (sin asignar ni marcar)',
  'dashboard.confirm.copy.will6': 'Notas del día',
@@ -42,5 +42,7 @@ const dayplan: TranslationStrings = {
  'dayplan.mobile.allAssigned': 'Todos los lugares asignados',
  'dayplan.mobile.noMatch': 'Sin coincidencias',
  'dayplan.mobile.createNew': 'Crear nuevo lugar',
+  'dayplan.expandAll': 'Expand all days', // en-fallback
+  'dayplan.collapseAll': 'Collapse all days', // en-fallback
 };
 export default dayplan;
@@ -236,5 +236,10 @@ const journey: TranslationStrings = {
  'journey.picker.noAlbums': 'No se encontraron álbumes',
  'journey.picker.selectDate': 'Seleccionar fecha',
  'journey.picker.search': 'Buscar',
+  'journey.detail.journeyTab': 'Journey', // en-fallback
+  'journey.contributors.remove': 'Remove contributor', // en-fallback
+  'journey.contributors.removeConfirm': 'Remove {username} from this journey?', // en-fallback
+  'journey.contributors.removed': 'Contributor removed', // en-fallback
+  'journey.contributors.removeFailed': 'Failed to remove contributor', // en-fallback
 };
 export default journey;
@@ -94,5 +94,29 @@ const oauth: TranslationStrings = {
  'oauth.scope.journey:share.label': 'Gestionar enlaces de travesías',
  'oauth.scope.journey:share.description':
    'Crear, actualizar y revocar enlaces públicos de compartir para travesías',
+  'oauth.authorize.authorizing': 'Authorizing…', // en-fallback
+  'oauth.authorize.loading': 'Loading…', // en-fallback
+  'oauth.authorize.errorTitle': 'Authorization Error', // en-fallback
+  'oauth.authorize.loginTitle': 'Sign in to continue', // en-fallback
+  'oauth.authorize.loginDescription':
+    '{client} wants access to your TREK account. Please sign in first.', // en-fallback
+  'oauth.authorize.loginButton': 'Sign in to TREK', // en-fallback
+  'oauth.authorize.requestLabel': 'Authorization Request', // en-fallback
+  'oauth.authorize.requestDescription':
+    'This application is requesting access to your TREK account.', // en-fallback
+  'oauth.authorize.trustNote':
+    'Only grant access to applications you trust. Your data stays on your server.', // en-fallback
+  'oauth.authorize.selectScope': 'Select at least one scope', // en-fallback
+  'oauth.authorize.approveOneScope': 'Approve ({count} scope)', // en-fallback
+  'oauth.authorize.approveManyScopes': 'Approve ({count} scopes)', // en-fallback
+  'oauth.authorize.approveAccess': 'Approve Access', // en-fallback
+  'oauth.authorize.deny': 'Deny', // en-fallback
+  'oauth.authorize.choosePermissions': 'Choose which permissions to grant', // en-fallback
+  'oauth.authorize.permissionsRequested': 'Permissions requested', // en-fallback
+  'oauth.authorize.alwaysIncluded': 'Always included', // en-fallback
+  'oauth.authorize.alwaysTool.listTrips':
+    'List your trips so the AI can discover trip IDs', // en-fallback
+  'oauth.authorize.alwaysTool.getTripSummary':
+    'Read a trip overview needed to use any other tool', // en-fallback
 };
 export default oauth;
@@ -5,6 +5,7 @@ import de from '../de/externalNotifications';
 import en from '../en/externalNotifications';
 import es from '../es/externalNotifications';
 import fr from '../fr/externalNotifications';
+import gr from '../gr/externalNotifications';
 import hu from '../hu/externalNotifications';
 import id from '../id/externalNotifications';
 import it from '../it/externalNotifications';
@@ -47,6 +48,7 @@ const LOCALES = {
  ja,
  ko,
  uk,
+  gr,
 } satisfies Record<string, NotificationLocale>;

 export const EMAIL_I18N: Record<string, EmailStrings> = Object.fromEntries(
@@ -109,7 +109,7 @@ const dashboard: TranslationStrings = {
  'dashboard.mobile.currencyConverter': 'Convertisseur de devises',
  'dashboard.filter.planned': 'Planifiés',
  'dashboard.hero.badgeLive': 'EN DIRECT',
-  'dashboard.hero.badgeToday': 'DÉBUTE AUJOURD\'HUI',
+  'dashboard.hero.badgeToday': "DÉBUTE AUJOURD'HUI",
  'dashboard.hero.badgeTomorrow': 'DEMAIN',
  'dashboard.hero.badgeNext': 'À SUIVRE',
  'dashboard.hero.badgeRecent': 'RÉCENT',
@@ -135,16 +135,17 @@ const dashboard: TranslationStrings = {
  'dashboard.atlas.acrossAllTrips': 'sur tous les voyages',
  'dashboard.atlas.distanceFlown': 'Distance parcourue en avion',
  'dashboard.atlas.kmUnit': 'km',
-  'dashboard.atlas.aroundEquator': '≈ {count}× le tour de l\'équateur',
+  'dashboard.atlas.aroundEquator': "≈ {count}× le tour de l'équateur",
  'dashboard.card.idea': 'Idée',
  'dashboard.card.buddyOne': 'Compagnon',
  'dashboard.fx.from': 'De',
  'dashboard.fx.to': 'Vers',
  'dashboard.fx.unavailable': 'Taux indisponible',
  'dashboard.tz.searchPlaceholder': 'Rechercher un fuseau horaire…',
-  'dashboard.tz.empty': 'Pas encore d\'autres fuseaux horaires — ajoutez-en un avec +',
+  'dashboard.tz.empty':
+    "Pas encore d'autres fuseaux horaires — ajoutez-en un avec +",
  'dashboard.upcoming.title': 'Prochaines réservations',
-  'dashboard.upcoming.empty': 'Rien de réservé pour l\'instant.',
+  'dashboard.upcoming.empty': "Rien de réservé pour l'instant.",
  'dashboard.confirm.copy.title': 'Copier ce voyage ?',
  'dashboard.confirm.copy.willCopy': 'Sera copié',
  'dashboard.confirm.copy.will1': 'Jours, lieux et affectations par jour',
@@ -159,7 +160,7 @@ const dashboard: TranslationStrings = {
  'dashboard.confirm.copy.wont3': 'Fichiers et photos',
  'dashboard.confirm.copy.wont4': 'Jetons de partage',
  'dashboard.confirm.copy.confirm': 'Copier le voyage',
-  'dashboard.aria.toggleView': 'Changer d\'affichage',
+  'dashboard.aria.toggleView': "Changer d'affichage",
  'dashboard.aria.filter': 'Filtrer',
  'dashboard.aria.duplicate': 'Dupliquer',
  'dashboard.aria.refreshRates': 'Actualiser les taux',
@@ -42,5 +42,7 @@ const dayplan: TranslationStrings = {
  'dayplan.mobile.allAssigned': 'Tous les lieux attribués',
  'dayplan.mobile.noMatch': 'Aucun résultat',
  'dayplan.mobile.createNew': 'Créer un nouveau lieu',
+  'dayplan.expandAll': 'Expand all days', // en-fallback
+  'dayplan.collapseAll': 'Collapse all days', // en-fallback
 };
 export default dayplan;
@@ -237,5 +237,10 @@ const journey: TranslationStrings = {
  'journey.picker.noAlbums': 'Aucun album trouvé',
  'journey.picker.selectDate': 'Sélectionner une date',
  'journey.picker.search': 'Rechercher',
+  'journey.detail.journeyTab': 'Journey', // en-fallback
+  'journey.contributors.remove': 'Remove contributor', // en-fallback
+  'journey.contributors.removeConfirm': 'Remove {username} from this journey?', // en-fallback
+  'journey.contributors.removed': 'Contributor removed', // en-fallback
+  'journey.contributors.removeFailed': 'Failed to remove contributor', // en-fallback
 };
 export default journey;
@@ -95,5 +95,29 @@ const oauth: TranslationStrings = {
  'oauth.scope.journey:share.label': 'Gérer les liens de journaux de voyage',
  'oauth.scope.journey:share.description':
    'Créer, modifier et révoquer des liens de partage publics pour les journaux de voyage',
+  'oauth.authorize.authorizing': 'Authorizing…', // en-fallback
+  'oauth.authorize.loading': 'Loading…', // en-fallback
+  'oauth.authorize.errorTitle': 'Authorization Error', // en-fallback
+  'oauth.authorize.loginTitle': 'Sign in to continue', // en-fallback
+  'oauth.authorize.loginDescription':
+    '{client} wants access to your TREK account. Please sign in first.', // en-fallback
+  'oauth.authorize.loginButton': 'Sign in to TREK', // en-fallback
+  'oauth.authorize.requestLabel': 'Authorization Request', // en-fallback
+  'oauth.authorize.requestDescription':
+    'This application is requesting access to your TREK account.', // en-fallback
+  'oauth.authorize.trustNote':
+    'Only grant access to applications you trust. Your data stays on your server.', // en-fallback
+  'oauth.authorize.selectScope': 'Select at least one scope', // en-fallback
+  'oauth.authorize.approveOneScope': 'Approve ({count} scope)', // en-fallback
+  'oauth.authorize.approveManyScopes': 'Approve ({count} scopes)', // en-fallback
+  'oauth.authorize.approveAccess': 'Approve Access', // en-fallback
+  'oauth.authorize.deny': 'Deny', // en-fallback
+  'oauth.authorize.choosePermissions': 'Choose which permissions to grant', // en-fallback
+  'oauth.authorize.permissionsRequested': 'Permissions requested', // en-fallback
+  'oauth.authorize.alwaysIncluded': 'Always included', // en-fallback
+  'oauth.authorize.alwaysTool.listTrips':
+    'List your trips so the AI can discover trip IDs', // en-fallback
+  'oauth.authorize.alwaysTool.getTripSummary':
+    'Read a trip overview needed to use any other tool', // en-fallback
 };
 export default oauth;
@@ -120,5 +120,51 @@ const dashboard: TranslationStrings = {
  'dashboard.mobile.inMonths': 'Σε {count} μήνες',
  'dashboard.mobile.completed': 'Ολοκληρώθηκε',
  'dashboard.mobile.currencyConverter': 'Μετατροπέας Νομισμάτων',
+  'dashboard.newTripSub': 'Plan a new trip from scratch', // en-fallback
+  'dashboard.filter.planned': 'Planned', // en-fallback
+  'dashboard.hero.badgeLive': 'LIVE NOW', // en-fallback
+  'dashboard.hero.badgeToday': 'STARTS TODAY', // en-fallback
+  'dashboard.hero.badgeTomorrow': 'TOMORROW', // en-fallback
+  'dashboard.hero.badgeNext': 'UP NEXT', // en-fallback
+  'dashboard.hero.badgeRecent': 'RECENT', // en-fallback
+  'dashboard.hero.tripDates': 'Trip dates', // en-fallback
+  'dashboard.hero.noDates': 'No dates set', // en-fallback
+  'dashboard.hero.travelerOne': '{count} traveler', // en-fallback
+  'dashboard.hero.travelerMany': '{count} travelers', // en-fallback
+  'dashboard.hero.destinationOne': '{count} destination', // en-fallback
+  'dashboard.hero.destinationMany': '{count} destinations', // en-fallback
+  'dashboard.hero.dayUnitOne': 'day', // en-fallback
+  'dashboard.hero.dayUnitMany': 'days', // en-fallback
+  'dashboard.hero.dayLeft': 'Day left', // en-fallback
+  'dashboard.hero.daysLeft': 'Days left', // en-fallback
+  'dashboard.hero.lastDay': 'Last day', // en-fallback
+  'dashboard.hero.untilStart': 'Until start', // en-fallback
+  'dashboard.hero.startsIn': 'Trip starts in', // en-fallback
+  'dashboard.atlas.countriesVisited': 'Atlas · Countries visited', // en-fallback
+  'dashboard.atlas.ofTotal': 'of {total}', // en-fallback
+  'dashboard.atlas.tripsTotal': 'Trips total', // en-fallback
+  'dashboard.atlas.placesMapped': '{count} places mapped', // en-fallback
+  'dashboard.atlas.daysTraveled': 'Days traveled', // en-fallback
+  'dashboard.atlas.daysUnit': 'days', // en-fallback
+  'dashboard.atlas.acrossAllTrips': 'across all trips', // en-fallback
+  'dashboard.atlas.distanceFlown': 'Distance flown', // en-fallback
+  'dashboard.atlas.kmUnit': 'km', // en-fallback
+  'dashboard.atlas.aroundEquator': '≈ {count}× around the equator', // en-fallback
+  'dashboard.card.idea': 'Idea', // en-fallback
+  'dashboard.card.buddyOne': 'Buddy', // en-fallback
+  'dashboard.fx.from': 'From', // en-fallback
+  'dashboard.fx.to': 'To', // en-fallback
+  'dashboard.fx.unavailable': 'Rate unavailable', // en-fallback
+  'dashboard.tz.searchPlaceholder': 'Search timezone…', // en-fallback
+  'dashboard.tz.empty': 'No other timezones yet — add one with +', // en-fallback
+  'dashboard.upcoming.title': 'Upcoming reservations', // en-fallback
+  'dashboard.upcoming.empty': 'Nothing booked yet.', // en-fallback
+  'dashboard.aria.toggleView': 'Toggle view', // en-fallback
+  'dashboard.aria.filter': 'Filter', // en-fallback
+  'dashboard.aria.duplicate': 'Duplicate', // en-fallback
+  'dashboard.aria.refreshRates': 'Refresh rates', // en-fallback
+  'dashboard.aria.swapCurrencies': 'Swap currencies', // en-fallback
+  'dashboard.aria.addTimezone': 'Add timezone', // en-fallback
+  'dashboard.aria.removeTimezone': 'Remove {city}', // en-fallback
 };
 export default dashboard;
@@ -0,0 +1,64 @@
+import type { NotificationLocale } from '../externalNotifications/types';
+
+const gr: NotificationLocale = {
+  email: {
+    footer:
+      'Λάβατε αυτό το μήνυμα επειδή έχετε ενεργοποιήσει τις ειδοποιήσεις στο TREK.',
+    manage: 'Διαχείριση προτιμήσεων στις Ρυθμίσεις',
+    madeWith: 'Δημιουργήθηκε με',
+    openTrek: 'Άνοιγμα TREK',
+  },
+  events: {
+    trip_invite: (p) => ({
+      title: `Πρόσκληση ταξιδιού: "${p.trip}"`,
+      body: `Ο/Η ${p.actor} προσκάλεσε ${p.invitee || 'ένα μέλος'} στο ταξίδι "${p.trip}".`,
+    }),
+    booking_change: (p) => ({
+      title: `Νέα κράτηση: ${p.booking}`,
+      body: `Ο/Η ${p.actor} πρόσθεσε μια νέα κράτηση "${p.booking}" (${p.type}) στο "${p.trip}".`,
+    }),
+    trip_reminder: (p) => ({
+      title: `Υπενθύμιση ταξιδιού: ${p.trip}`,
+      body: `Το ταξίδι σας "${p.trip}" πλησιάζει!`,
+    }),
+    todo_due: (p) => ({
+      title: `Εκκρεμότητα προς εκτέλεση: ${p.todo}`,
+      body: `Η εκκρεμότητα "${p.todo}" στο "${p.trip}" λήγει στις ${p.due}.`,
+    }),
+    vacay_invite: (p) => ({
+      title: 'Πρόσκληση συγχώνευσης διακοπών',
+      body: `Ο/Η ${p.actor} σας προσκάλεσε να συγχωνεύσετε τα σχέδια διακοπών σας. Ανοίξτε το TREK για να αποδεχτείτε ή να απορρίψετε.`,
+    }),
+    photos_shared: (p) => ({
+      title: `${p.count} φωτογραφίες κοινοποιήθηκαν`,
+      body: `Ο/Η ${p.actor} κοινοποίησε ${p.count} φωτογραφία/ες στο "${p.trip}".`,
+    }),
+    collab_message: (p) => ({
+      title: `Νέο μήνυμα στο "${p.trip}"`,
+      body: `${p.actor}: ${p.preview}`,
+    }),
+    packing_tagged: (p) => ({
+      title: `Λίστα συσκευασίας: ${p.category}`,
+      body: `Ο/Η ${p.actor} σας ανέθεσε στην κατηγορία "${p.category}" της λίστας συσκευασίας στο "${p.trip}".`,
+    }),
+    version_available: (p) => ({
+      title: 'Νέα έκδοση TREK διαθέσιμη',
+      body: `Η έκδοση TREK ${p.version} είναι τώρα διαθέσιμη. Επισκεφθείτε τον πίνακα διαχείρισης για να ενημερώσετε.`,
+    }),
+    synology_session_cleared: () => ({
+      title: 'Η σύνδεση Synology τερματίστηκε',
+      body: 'Ο λογαριασμός σας Synology ή το URL άλλαξε. Έχετε αποσυνδεθεί από το Synology Photos.',
+    }),
+  },
+  passwordReset: {
+    subject: 'Επαναφορά κωδικού πρόσβασης',
+    greeting: 'Γεια σας',
+    body: 'Λάβαμε ένα αίτημα επαναφοράς του κωδικού πρόσβασης για τον λογαριασμό σας στο TREK. Κάντε κλικ στο παρακάτω κουμπί για να ορίσετε νέο κωδικό πρόσβασης.',
+    ctaIntro: 'Επαναφορά κωδικού',
+    expiry: 'Αυτός ο σύνδεσμος λήγει σε 60 λεπτά.',
+    ignore:
+      'Εάν δεν ζητήσατε αυτή την αλλαγή, μπορείτε να αγνοήσετε αυτό το μήνυμα — ο κωδικός σας δεν θα αλλάξει.',
+  },
+};
+
+export default gr;
@@ -95,5 +95,29 @@ const oauth: TranslationStrings = {
  'oauth.scope.journey:share.label': 'Διαχείριση συνδέσμων ταξιδιών',
  'oauth.scope.journey:share.description':
    'Δημιουργία, ενημέρωση και ανάκληση δημόσιων συνδέσμων κοινής χρήσης για ταξίδια',
+  'oauth.authorize.authorizing': 'Authorizing…', // en-fallback
+  'oauth.authorize.loading': 'Loading…', // en-fallback
+  'oauth.authorize.errorTitle': 'Authorization Error', // en-fallback
+  'oauth.authorize.loginTitle': 'Sign in to continue', // en-fallback
+  'oauth.authorize.loginDescription':
+    '{client} wants access to your TREK account. Please sign in first.', // en-fallback
+  'oauth.authorize.loginButton': 'Sign in to TREK', // en-fallback
+  'oauth.authorize.requestLabel': 'Authorization Request', // en-fallback
+  'oauth.authorize.requestDescription':
+    'This application is requesting access to your TREK account.', // en-fallback
+  'oauth.authorize.trustNote':
+    'Only grant access to applications you trust. Your data stays on your server.', // en-fallback
+  'oauth.authorize.selectScope': 'Select at least one scope', // en-fallback
+  'oauth.authorize.approveOneScope': 'Approve ({count} scope)', // en-fallback
+  'oauth.authorize.approveManyScopes': 'Approve ({count} scopes)', // en-fallback
+  'oauth.authorize.approveAccess': 'Approve Access', // en-fallback
+  'oauth.authorize.deny': 'Deny', // en-fallback
+  'oauth.authorize.choosePermissions': 'Choose which permissions to grant', // en-fallback
+  'oauth.authorize.permissionsRequested': 'Permissions requested', // en-fallback
+  'oauth.authorize.alwaysIncluded': 'Always included', // en-fallback
+  'oauth.authorize.alwaysTool.listTrips':
+    'List your trips so the AI can discover trip IDs', // en-fallback
+  'oauth.authorize.alwaysTool.getTripSummary':
+    'Read a trip overview needed to use any other tool', // en-fallback
 };
 export default oauth;
@@ -62,7 +62,6 @@ const settings: TranslationStrings = {
  'settings.language': 'Γλώσσα',
  'settings.temperature': 'Μονάδα Θερμοκρασίας',
  'settings.timeFormat': 'Μορφή Ώρας',
-  'settings.routeCalculation': 'Υπολογισμός Διαδρομής',
  'settings.bookingLabels': 'Ετικέτες διαδρομής κρατήσεων',
  'settings.bookingLabelsHint':
    'Εμφάνιση ονομάτων σταθμών / αεροδρομίων στον χάρτη. Όταν είναι απενεργοποιημένο, εμφανίζεται μόνο το εικονίδιο.',
@@ -42,5 +42,7 @@ const dayplan: TranslationStrings = {
  'dayplan.mobile.allAssigned': 'Minden helyszín kiosztva',
  'dayplan.mobile.noMatch': 'Nincs találat',
  'dayplan.mobile.createNew': 'Új helyszín létrehozása',
+  'dayplan.expandAll': 'Expand all days', // en-fallback
+  'dayplan.collapseAll': 'Collapse all days', // en-fallback
 };
 export default dayplan;
@@ -236,5 +236,10 @@ const journey: TranslationStrings = {
  'journey.picker.noAlbums': 'Nem található album',
  'journey.picker.selectDate': 'Dátum választása',
  'journey.picker.search': 'Keresés',
+  'journey.detail.journeyTab': 'Journey', // en-fallback
+  'journey.contributors.remove': 'Remove contributor', // en-fallback
+  'journey.contributors.removeConfirm': 'Remove {username} from this journey?', // en-fallback
+  'journey.contributors.removed': 'Contributor removed', // en-fallback
+  'journey.contributors.removeFailed': 'Failed to remove contributor', // en-fallback
 };
 export default journey;
@@ -95,5 +95,29 @@ const oauth: TranslationStrings = {
  'oauth.scope.journey:share.label': 'Útinapló-linkek kezelése',
  'oauth.scope.journey:share.description':
    'Nyilvános megosztási linkek létrehozása, frissítése és visszavonása útinaplókhoz',
+  'oauth.authorize.authorizing': 'Authorizing…', // en-fallback
+  'oauth.authorize.loading': 'Loading…', // en-fallback
+  'oauth.authorize.errorTitle': 'Authorization Error', // en-fallback
+  'oauth.authorize.loginTitle': 'Sign in to continue', // en-fallback
+  'oauth.authorize.loginDescription':
+    '{client} wants access to your TREK account. Please sign in first.', // en-fallback
+  'oauth.authorize.loginButton': 'Sign in to TREK', // en-fallback
+  'oauth.authorize.requestLabel': 'Authorization Request', // en-fallback
+  'oauth.authorize.requestDescription':
+    'This application is requesting access to your TREK account.', // en-fallback
+  'oauth.authorize.trustNote':
+    'Only grant access to applications you trust. Your data stays on your server.', // en-fallback
+  'oauth.authorize.selectScope': 'Select at least one scope', // en-fallback
+  'oauth.authorize.approveOneScope': 'Approve ({count} scope)', // en-fallback
+  'oauth.authorize.approveManyScopes': 'Approve ({count} scopes)', // en-fallback
+  'oauth.authorize.approveAccess': 'Approve Access', // en-fallback
+  'oauth.authorize.deny': 'Deny', // en-fallback
+  'oauth.authorize.choosePermissions': 'Choose which permissions to grant', // en-fallback
+  'oauth.authorize.permissionsRequested': 'Permissions requested', // en-fallback
+  'oauth.authorize.alwaysIncluded': 'Always included', // en-fallback
+  'oauth.authorize.alwaysTool.listTrips':
+    'List your trips so the AI can discover trip IDs', // en-fallback
+  'oauth.authorize.alwaysTool.getTripSummary':
+    'Read a trip overview needed to use any other tool', // en-fallback
 };
 export default oauth;
@@ -0,0 +1,33 @@
+// @ts-expect-error — plain .mjs script with no .d.ts; import as JS module.
+import { checkParity } from '../../scripts/i18n-parity.mjs';
+
+import { describe, it, expect } from 'vitest';
+
+/**
+ * Enforces the file-set contract for the i18n migration: every non-en locale
+ * dir must contain the exact same domain files as en/.
+ *
+ * Key-set drift is intentionally NOT enforced here — translation work happens
+ * gradually and gating CI on every newly-added EN key would block feature
+ * merges. The CLI script still prints the key-drift report so translators can
+ * see what they owe; only file-level drift is a structural bug.
+ */
+describe('i18n parity', () => {
+  it('every locale has the same domain files as en', () => {
+    const report = checkParity();
+    expect(report.fileDrift).toEqual([]);
+  });
+
+  it('reports key drift as data (not enforced, used by the CLI tool)', () => {
+    const report = checkParity();
+    // We do not assert here — translation drift is expected and acceptable.
+    // The shape check just confirms the report contract for tooling consumers.
+    expect(Array.isArray(report.keyDrift)).toBe(true);
+    for (const entry of report.keyDrift) {
+      expect(typeof entry.locale).toBe('string');
+      expect(typeof entry.file).toBe('string');
+      expect(Array.isArray(entry.missing)).toBe(true);
+      expect(Array.isArray(entry.extra)).toBe(true);
+    }
+  });
+});
@@ -42,5 +42,7 @@ const dayplan: TranslationStrings = {
  'dayplan.mobile.allAssigned': 'Semua tempat sudah ditugaskan',
  'dayplan.mobile.noMatch': 'Tidak ditemukan',
  'dayplan.mobile.createNew': 'Buat tempat baru',
+  'dayplan.expandAll': 'Expand all days', // en-fallback
+  'dayplan.collapseAll': 'Collapse all days', // en-fallback
 };
 export default dayplan;
@@ -237,5 +237,10 @@ const journey: TranslationStrings = {
  'journey.picker.noAlbums': 'Tidak ada album ditemukan',
  'journey.picker.selectDate': 'Pilih tanggal',
  'journey.picker.search': 'Cari',
+  'journey.detail.journeyTab': 'Journey', // en-fallback
+  'journey.contributors.remove': 'Remove contributor', // en-fallback
+  'journey.contributors.removeConfirm': 'Remove {username} from this journey?', // en-fallback
+  'journey.contributors.removed': 'Contributor removed', // en-fallback
+  'journey.contributors.removeFailed': 'Failed to remove contributor', // en-fallback
 };
 export default journey;
@@ -95,5 +95,29 @@ const oauth: TranslationStrings = {
  'oauth.scope.journey:share.label': 'Kelola tautan Journey',
  'oauth.scope.journey:share.description':
    'Buat, perbarui, dan cabut tautan berbagi publik untuk Journey',
+  'oauth.authorize.authorizing': 'Authorizing…', // en-fallback
+  'oauth.authorize.loading': 'Loading…', // en-fallback
+  'oauth.authorize.errorTitle': 'Authorization Error', // en-fallback
+  'oauth.authorize.loginTitle': 'Sign in to continue', // en-fallback
+  'oauth.authorize.loginDescription':
+    '{client} wants access to your TREK account. Please sign in first.', // en-fallback
+  'oauth.authorize.loginButton': 'Sign in to TREK', // en-fallback
+  'oauth.authorize.requestLabel': 'Authorization Request', // en-fallback
+  'oauth.authorize.requestDescription':
+    'This application is requesting access to your TREK account.', // en-fallback
+  'oauth.authorize.trustNote':
+    'Only grant access to applications you trust. Your data stays on your server.', // en-fallback
+  'oauth.authorize.selectScope': 'Select at least one scope', // en-fallback
+  'oauth.authorize.approveOneScope': 'Approve ({count} scope)', // en-fallback
+  'oauth.authorize.approveManyScopes': 'Approve ({count} scopes)', // en-fallback
+  'oauth.authorize.approveAccess': 'Approve Access', // en-fallback
+  'oauth.authorize.deny': 'Deny', // en-fallback
+  'oauth.authorize.choosePermissions': 'Choose which permissions to grant', // en-fallback
+  'oauth.authorize.permissionsRequested': 'Permissions requested', // en-fallback
+  'oauth.authorize.alwaysIncluded': 'Always included', // en-fallback
+  'oauth.authorize.alwaysTool.listTrips':
+    'List your trips so the AI can discover trip IDs', // en-fallback
+  'oauth.authorize.alwaysTool.getTripSummary':
+    'Read a trip overview needed to use any other tool', // en-fallback
 };
 export default oauth;
@@ -124,7 +124,7 @@ const dashboard: TranslationStrings = {
  'dashboard.hero.dayLeft': 'Giorno rimasto',
  'dashboard.hero.daysLeft': 'Giorni rimasti',
  'dashboard.hero.lastDay': 'Ultimo giorno',
-  'dashboard.hero.untilStart': 'All\'inizio',
+  'dashboard.hero.untilStart': "All'inizio",
  'dashboard.hero.startsIn': 'Si parte tra',
  'dashboard.atlas.countriesVisited': 'Atlas · Paesi visitati',
  'dashboard.atlas.ofTotal': 'di {total}',
@@ -135,14 +135,15 @@ const dashboard: TranslationStrings = {
  'dashboard.atlas.acrossAllTrips': 'su tutti i viaggi',
  'dashboard.atlas.distanceFlown': 'Distanza in volo',
  'dashboard.atlas.kmUnit': 'km',
-  'dashboard.atlas.aroundEquator': '≈ {count}× intorno all\'equatore',
+  'dashboard.atlas.aroundEquator': "≈ {count}× intorno all'equatore",
  'dashboard.card.idea': 'Idea',
  'dashboard.card.buddyOne': 'Compagno',
  'dashboard.fx.from': 'Da',
  'dashboard.fx.to': 'A',
  'dashboard.fx.unavailable': 'Tasso non disponibile',
  'dashboard.tz.searchPlaceholder': 'Cerca fuso orario…',
-  'dashboard.tz.empty': 'Ancora nessun altro fuso orario — aggiungine uno con +',
+  'dashboard.tz.empty':
+    'Ancora nessun altro fuso orario — aggiungine uno con +',
  'dashboard.upcoming.title': 'Prossime prenotazioni',
  'dashboard.upcoming.empty': 'Niente ancora prenotato.',
  'dashboard.confirm.copy.title': 'Copiare questo viaggio?',
@@ -42,5 +42,7 @@ const dayplan: TranslationStrings = {
  'dayplan.mobile.allAssigned': 'Tutti i luoghi assegnati',
  'dayplan.mobile.noMatch': 'Nessun risultato',
  'dayplan.mobile.createNew': 'Crea nuovo luogo',
+  'dayplan.expandAll': 'Expand all days', // en-fallback
+  'dayplan.collapseAll': 'Collapse all days', // en-fallback
 };
 export default dayplan;
@@ -236,5 +236,10 @@ const journey: TranslationStrings = {
  'journey.picker.noAlbums': 'Nessun album trovato',
  'journey.picker.selectDate': 'Seleziona data',
  'journey.picker.search': 'Cerca',
+  'journey.detail.journeyTab': 'Journey', // en-fallback
+  'journey.contributors.remove': 'Remove contributor', // en-fallback
+  'journey.contributors.removeConfirm': 'Remove {username} from this journey?', // en-fallback
+  'journey.contributors.removed': 'Contributor removed', // en-fallback
+  'journey.contributors.removeFailed': 'Failed to remove contributor', // en-fallback
 };
 export default journey;
@@ -95,5 +95,29 @@ const oauth: TranslationStrings = {
  'oauth.scope.journey:share.label': 'Gestisci link diari di viaggio',
  'oauth.scope.journey:share.description':
    'Crea, aggiorna e revoca link di condivisione pubblici per i diari di viaggio',
+  'oauth.authorize.authorizing': 'Authorizing…', // en-fallback
+  'oauth.authorize.loading': 'Loading…', // en-fallback
+  'oauth.authorize.errorTitle': 'Authorization Error', // en-fallback
+  'oauth.authorize.loginTitle': 'Sign in to continue', // en-fallback
+  'oauth.authorize.loginDescription':
+    '{client} wants access to your TREK account. Please sign in first.', // en-fallback
+  'oauth.authorize.loginButton': 'Sign in to TREK', // en-fallback
+  'oauth.authorize.requestLabel': 'Authorization Request', // en-fallback
+  'oauth.authorize.requestDescription':
+    'This application is requesting access to your TREK account.', // en-fallback
+  'oauth.authorize.trustNote':
+    'Only grant access to applications you trust. Your data stays on your server.', // en-fallback
+  'oauth.authorize.selectScope': 'Select at least one scope', // en-fallback
+  'oauth.authorize.approveOneScope': 'Approve ({count} scope)', // en-fallback
+  'oauth.authorize.approveManyScopes': 'Approve ({count} scopes)', // en-fallback
+  'oauth.authorize.approveAccess': 'Approve Access', // en-fallback
+  'oauth.authorize.deny': 'Deny', // en-fallback
+  'oauth.authorize.choosePermissions': 'Choose which permissions to grant', // en-fallback
+  'oauth.authorize.permissionsRequested': 'Permissions requested', // en-fallback
+  'oauth.authorize.alwaysIncluded': 'Always included', // en-fallback
+  'oauth.authorize.alwaysTool.listTrips':
+    'List your trips so the AI can discover trip IDs', // en-fallback
+  'oauth.authorize.alwaysTool.getTripSummary':
+    'Read a trip overview needed to use any other tool', // en-fallback
 };
 export default oauth;
@@ -79,5 +79,29 @@ const oauth: TranslationStrings = {
  'oauth.scope.journey:write.description': '日記やエントリーの作成・編集・削除',
  'oauth.scope.journey:share.label': '日記共有を管理',
  'oauth.scope.journey:share.description': '公開共有リンクの作成・更新・無効化',
+  'oauth.authorize.authorizing': 'Authorizing…', // en-fallback
+  'oauth.authorize.loading': 'Loading…', // en-fallback
+  'oauth.authorize.errorTitle': 'Authorization Error', // en-fallback
+  'oauth.authorize.loginTitle': 'Sign in to continue', // en-fallback
+  'oauth.authorize.loginDescription':
+    '{client} wants access to your TREK account. Please sign in first.', // en-fallback
+  'oauth.authorize.loginButton': 'Sign in to TREK', // en-fallback
+  'oauth.authorize.requestLabel': 'Authorization Request', // en-fallback
+  'oauth.authorize.requestDescription':
+    'This application is requesting access to your TREK account.', // en-fallback
+  'oauth.authorize.trustNote':
+    'Only grant access to applications you trust. Your data stays on your server.', // en-fallback
+  'oauth.authorize.selectScope': 'Select at least one scope', // en-fallback
+  'oauth.authorize.approveOneScope': 'Approve ({count} scope)', // en-fallback
+  'oauth.authorize.approveManyScopes': 'Approve ({count} scopes)', // en-fallback
+  'oauth.authorize.approveAccess': 'Approve Access', // en-fallback
+  'oauth.authorize.deny': 'Deny', // en-fallback
+  'oauth.authorize.choosePermissions': 'Choose which permissions to grant', // en-fallback
+  'oauth.authorize.permissionsRequested': 'Permissions requested', // en-fallback
+  'oauth.authorize.alwaysIncluded': 'Always included', // en-fallback
+  'oauth.authorize.alwaysTool.listTrips':
+    'List your trips so the AI can discover trip IDs', // en-fallback
+  'oauth.authorize.alwaysTool.getTripSummary':
+    'Read a trip overview needed to use any other tool', // en-fallback
 };
 export default oauth;
@@ -83,5 +83,29 @@ const oauth: TranslationStrings = {
  'oauth.scope.journey:share.label': 'Journey 링크 관리',
  'oauth.scope.journey:share.description':
    'Journey의 공개 공유 링크 만들기, 업데이트, 취소',
+  'oauth.authorize.authorizing': 'Authorizing…', // en-fallback
+  'oauth.authorize.loading': 'Loading…', // en-fallback
+  'oauth.authorize.errorTitle': 'Authorization Error', // en-fallback
+  'oauth.authorize.loginTitle': 'Sign in to continue', // en-fallback
+  'oauth.authorize.loginDescription':
+    '{client} wants access to your TREK account. Please sign in first.', // en-fallback
+  'oauth.authorize.loginButton': 'Sign in to TREK', // en-fallback
+  'oauth.authorize.requestLabel': 'Authorization Request', // en-fallback
+  'oauth.authorize.requestDescription':
+    'This application is requesting access to your TREK account.', // en-fallback
+  'oauth.authorize.trustNote':
+    'Only grant access to applications you trust. Your data stays on your server.', // en-fallback
+  'oauth.authorize.selectScope': 'Select at least one scope', // en-fallback
+  'oauth.authorize.approveOneScope': 'Approve ({count} scope)', // en-fallback
+  'oauth.authorize.approveManyScopes': 'Approve ({count} scopes)', // en-fallback
+  'oauth.authorize.approveAccess': 'Approve Access', // en-fallback
+  'oauth.authorize.deny': 'Deny', // en-fallback
+  'oauth.authorize.choosePermissions': 'Choose which permissions to grant', // en-fallback
+  'oauth.authorize.permissionsRequested': 'Permissions requested', // en-fallback
+  'oauth.authorize.alwaysIncluded': 'Always included', // en-fallback
+  'oauth.authorize.alwaysTool.listTrips':
+    'List your trips so the AI can discover trip IDs', // en-fallback
+  'oauth.authorize.alwaysTool.getTripSummary':
+    'Read a trip overview needed to use any other tool', // en-fallback
 };
 export default oauth;
@@ -153,14 +153,14 @@ const dashboard: TranslationStrings = {
  'dashboard.confirm.copy.wontCopy': 'Wordt niet gekopieerd',
  'dashboard.confirm.copy.wont1': 'Medewerkers & ledentoewijzingen',
  'dashboard.confirm.copy.wont2': 'Gedeelde notities, peilingen & berichten',
-  'dashboard.confirm.copy.wont3': 'Bestanden & foto\'s',
+  'dashboard.confirm.copy.wont3': "Bestanden & foto's",
  'dashboard.confirm.copy.wont4': 'Deeltokens',
  'dashboard.confirm.copy.confirm': 'Reis kopiëren',
  'dashboard.aria.toggleView': 'Weergave wisselen',
  'dashboard.aria.filter': 'Filter',
  'dashboard.aria.duplicate': 'Dupliceren',
  'dashboard.aria.refreshRates': 'Koersen vernieuwen',
-  'dashboard.aria.swapCurrencies': 'Valuta\'s omwisselen',
+  'dashboard.aria.swapCurrencies': "Valuta's omwisselen",
  'dashboard.aria.addTimezone': 'Tijdzone toevoegen',
  'dashboard.aria.removeTimezone': '{city} verwijderen',
 };
@@ -42,5 +42,7 @@ const dayplan: TranslationStrings = {
  'dayplan.mobile.allAssigned': 'Alle plaatsen toegewezen',
  'dayplan.mobile.noMatch': 'Geen resultaat',
  'dayplan.mobile.createNew': 'Nieuwe plaats aanmaken',
+  'dayplan.expandAll': 'Expand all days', // en-fallback
+  'dayplan.collapseAll': 'Collapse all days', // en-fallback
 };
 export default dayplan;
@@ -236,5 +236,10 @@ const journey: TranslationStrings = {
  'journey.picker.noAlbums': 'Geen albums gevonden',
  'journey.picker.selectDate': 'Selecteer datum',
  'journey.picker.search': 'Zoeken',
+  'journey.detail.journeyTab': 'Journey', // en-fallback
+  'journey.contributors.remove': 'Remove contributor', // en-fallback
+  'journey.contributors.removeConfirm': 'Remove {username} from this journey?', // en-fallback
+  'journey.contributors.removed': 'Contributor removed', // en-fallback
+  'journey.contributors.removeFailed': 'Failed to remove contributor', // en-fallback
 };
 export default journey;
@@ -95,5 +95,29 @@ const oauth: TranslationStrings = {
  'oauth.scope.journey:share.label': 'Reisverslag-links beheren',
  'oauth.scope.journey:share.description':
    'Publieke deellinks voor reisverslagen aanmaken, bijwerken en intrekken',
+  'oauth.authorize.authorizing': 'Authorizing…', // en-fallback
+  'oauth.authorize.loading': 'Loading…', // en-fallback
+  'oauth.authorize.errorTitle': 'Authorization Error', // en-fallback
+  'oauth.authorize.loginTitle': 'Sign in to continue', // en-fallback
+  'oauth.authorize.loginDescription':
+    '{client} wants access to your TREK account. Please sign in first.', // en-fallback
+  'oauth.authorize.loginButton': 'Sign in to TREK', // en-fallback
+  'oauth.authorize.requestLabel': 'Authorization Request', // en-fallback
+  'oauth.authorize.requestDescription':
+    'This application is requesting access to your TREK account.', // en-fallback
+  'oauth.authorize.trustNote':
+    'Only grant access to applications you trust. Your data stays on your server.', // en-fallback
+  'oauth.authorize.selectScope': 'Select at least one scope', // en-fallback
+  'oauth.authorize.approveOneScope': 'Approve ({count} scope)', // en-fallback
+  'oauth.authorize.approveManyScopes': 'Approve ({count} scopes)', // en-fallback
+  'oauth.authorize.approveAccess': 'Approve Access', // en-fallback
+  'oauth.authorize.deny': 'Deny', // en-fallback
+  'oauth.authorize.choosePermissions': 'Choose which permissions to grant', // en-fallback
+  'oauth.authorize.permissionsRequested': 'Permissions requested', // en-fallback
+  'oauth.authorize.alwaysIncluded': 'Always included', // en-fallback
+  'oauth.authorize.alwaysTool.listTrips':
+    'List your trips so the AI can discover trip IDs', // en-fallback
+  'oauth.authorize.alwaysTool.getTripSummary':
+    'Read a trip overview needed to use any other tool', // en-fallback
 };
 export default oauth;
@@ -42,5 +42,7 @@ const dayplan: TranslationStrings = {
  'dayplan.mobile.allAssigned': 'Wszystkie miejsca przypisane',
  'dayplan.mobile.noMatch': 'Brak wyników',
  'dayplan.mobile.createNew': 'Utwórz nowe miejsce',
+  'dayplan.expandAll': 'Expand all days', // en-fallback
+  'dayplan.collapseAll': 'Collapse all days', // en-fallback
 };
 export default dayplan;
@@ -235,5 +235,10 @@ const journey: TranslationStrings = {
  'journey.picker.noAlbums': 'Nie znaleziono albumów',
  'journey.picker.selectDate': 'Wybierz datę',
  'journey.picker.search': 'Szukaj',
+  'journey.detail.journeyTab': 'Journey', // en-fallback
+  'journey.contributors.remove': 'Remove contributor', // en-fallback
+  'journey.contributors.removeConfirm': 'Remove {username} from this journey?', // en-fallback
+  'journey.contributors.removed': 'Contributor removed', // en-fallback
+  'journey.contributors.removeFailed': 'Failed to remove contributor', // en-fallback
 };
 export default journey;
@@ -95,5 +95,29 @@ const oauth: TranslationStrings = {
  'oauth.scope.journey:share.label': 'Zarządzaj linkami dzienników podróży',
  'oauth.scope.journey:share.description':
    'Twórz, aktualizuj i unieważniaj publiczne linki udostępniania dzienników podróży',
+  'oauth.authorize.authorizing': 'Authorizing…', // en-fallback
+  'oauth.authorize.loading': 'Loading…', // en-fallback
+  'oauth.authorize.errorTitle': 'Authorization Error', // en-fallback
+  'oauth.authorize.loginTitle': 'Sign in to continue', // en-fallback
+  'oauth.authorize.loginDescription':
+    '{client} wants access to your TREK account. Please sign in first.', // en-fallback
+  'oauth.authorize.loginButton': 'Sign in to TREK', // en-fallback
+  'oauth.authorize.requestLabel': 'Authorization Request', // en-fallback
+  'oauth.authorize.requestDescription':
+    'This application is requesting access to your TREK account.', // en-fallback
+  'oauth.authorize.trustNote':
+    'Only grant access to applications you trust. Your data stays on your server.', // en-fallback
+  'oauth.authorize.selectScope': 'Select at least one scope', // en-fallback
+  'oauth.authorize.approveOneScope': 'Approve ({count} scope)', // en-fallback
+  'oauth.authorize.approveManyScopes': 'Approve ({count} scopes)', // en-fallback
+  'oauth.authorize.approveAccess': 'Approve Access', // en-fallback
+  'oauth.authorize.deny': 'Deny', // en-fallback
+  'oauth.authorize.choosePermissions': 'Choose which permissions to grant', // en-fallback
+  'oauth.authorize.permissionsRequested': 'Permissions requested', // en-fallback
+  'oauth.authorize.alwaysIncluded': 'Always included', // en-fallback
+  'oauth.authorize.alwaysTool.listTrips':
+    'List your trips so the AI can discover trip IDs', // en-fallback
+  'oauth.authorize.alwaysTool.getTripSummary':
+    'Read a trip overview needed to use any other tool', // en-fallback
 };
 export default oauth;
@@ -42,5 +42,7 @@ const dayplan: TranslationStrings = {
  'dayplan.mobile.allAssigned': 'Все места распределены',
  'dayplan.mobile.noMatch': 'Нет совпадений',
  'dayplan.mobile.createNew': 'Создать новое место',
+  'dayplan.expandAll': 'Expand all days', // en-fallback
+  'dayplan.collapseAll': 'Collapse all days', // en-fallback
 };
 export default dayplan;
@@ -236,5 +236,10 @@ const journey: TranslationStrings = {
  'journey.picker.noAlbums': 'Альбомы не найдены',
  'journey.picker.selectDate': 'Выберите дату',
  'journey.picker.search': 'Поиск',
+  'journey.detail.journeyTab': 'Journey', // en-fallback
+  'journey.contributors.remove': 'Remove contributor', // en-fallback
+  'journey.contributors.removeConfirm': 'Remove {username} from this journey?', // en-fallback
+  'journey.contributors.removed': 'Contributor removed', // en-fallback
+  'journey.contributors.removeFailed': 'Failed to remove contributor', // en-fallback
 };
 export default journey;
@@ -95,5 +95,29 @@ const oauth: TranslationStrings = {
  'oauth.scope.journey:share.label': 'Управление ссылками на путешествия',
  'oauth.scope.journey:share.description':
    'Создание, обновление и отзыв публичных ссылок для путешествий',
+  'oauth.authorize.authorizing': 'Authorizing…', // en-fallback
+  'oauth.authorize.loading': 'Loading…', // en-fallback
+  'oauth.authorize.errorTitle': 'Authorization Error', // en-fallback
+  'oauth.authorize.loginTitle': 'Sign in to continue', // en-fallback
+  'oauth.authorize.loginDescription':
+    '{client} wants access to your TREK account. Please sign in first.', // en-fallback
+  'oauth.authorize.loginButton': 'Sign in to TREK', // en-fallback
+  'oauth.authorize.requestLabel': 'Authorization Request', // en-fallback
+  'oauth.authorize.requestDescription':
+    'This application is requesting access to your TREK account.', // en-fallback
+  'oauth.authorize.trustNote':
+    'Only grant access to applications you trust. Your data stays on your server.', // en-fallback
+  'oauth.authorize.selectScope': 'Select at least one scope', // en-fallback
+  'oauth.authorize.approveOneScope': 'Approve ({count} scope)', // en-fallback
+  'oauth.authorize.approveManyScopes': 'Approve ({count} scopes)', // en-fallback
+  'oauth.authorize.approveAccess': 'Approve Access', // en-fallback
+  'oauth.authorize.deny': 'Deny', // en-fallback
+  'oauth.authorize.choosePermissions': 'Choose which permissions to grant', // en-fallback
+  'oauth.authorize.permissionsRequested': 'Permissions requested', // en-fallback
+  'oauth.authorize.alwaysIncluded': 'Always included', // en-fallback
+  'oauth.authorize.alwaysTool.listTrips':
+    'List your trips so the AI can discover trip IDs', // en-fallback
+  'oauth.authorize.alwaysTool.getTripSummary':
+    'Read a trip overview needed to use any other tool', // en-fallback
 };
 export default oauth;
@@ -95,5 +95,29 @@ const oauth: TranslationStrings = {
  'oauth.scope.journey:share.label': 'Journey bağlantılarını yönet',
  'oauth.scope.journey:share.description':
    "Journey'ler için herkese açık paylaşım bağlantıları oluştur, güncelle ve iptal et",
+  'oauth.authorize.authorizing': 'Authorizing…', // en-fallback
+  'oauth.authorize.loading': 'Loading…', // en-fallback
+  'oauth.authorize.errorTitle': 'Authorization Error', // en-fallback
+  'oauth.authorize.loginTitle': 'Sign in to continue', // en-fallback
+  'oauth.authorize.loginDescription':
+    '{client} wants access to your TREK account. Please sign in first.', // en-fallback
+  'oauth.authorize.loginButton': 'Sign in to TREK', // en-fallback
+  'oauth.authorize.requestLabel': 'Authorization Request', // en-fallback
+  'oauth.authorize.requestDescription':
+    'This application is requesting access to your TREK account.', // en-fallback
+  'oauth.authorize.trustNote':
+    'Only grant access to applications you trust. Your data stays on your server.', // en-fallback
+  'oauth.authorize.selectScope': 'Select at least one scope', // en-fallback
+  'oauth.authorize.approveOneScope': 'Approve ({count} scope)', // en-fallback
+  'oauth.authorize.approveManyScopes': 'Approve ({count} scopes)', // en-fallback
+  'oauth.authorize.approveAccess': 'Approve Access', // en-fallback
+  'oauth.authorize.deny': 'Deny', // en-fallback
+  'oauth.authorize.choosePermissions': 'Choose which permissions to grant', // en-fallback
+  'oauth.authorize.permissionsRequested': 'Permissions requested', // en-fallback
+  'oauth.authorize.alwaysIncluded': 'Always included', // en-fallback
+  'oauth.authorize.alwaysTool.listTrips':
+    'List your trips so the AI can discover trip IDs', // en-fallback
+  'oauth.authorize.alwaysTool.getTripSummary':
+    'Read a trip overview needed to use any other tool', // en-fallback
 };
 export default oauth;
@@ -153,7 +153,8 @@ const dashboard: TranslationStrings = {
  'dashboard.fx.to': 'У',
  'dashboard.fx.unavailable': 'Курс недоступний',
  'dashboard.tz.searchPlaceholder': 'Пошук часового поясу…',
-  'dashboard.tz.empty': 'Інших часових поясів поки немає — додайте за допомогою +',
+  'dashboard.tz.empty':
+    'Інших часових поясів поки немає — додайте за допомогою +',
  'dashboard.upcoming.title': 'Найближчі бронювання',
  'dashboard.upcoming.empty': 'Поки нічого не заброньовано.',
  'dashboard.aria.toggleView': 'Перемкнути вигляд',
@@ -95,5 +95,29 @@ const oauth: TranslationStrings = {
  'oauth.scope.journey:share.label': 'Керування посиланнями на подорожі',
  'oauth.scope.journey:share.description':
    'Створення, оновлення і відкликання публічних посилань на подорожі',
+  'oauth.authorize.authorizing': 'Authorizing…', // en-fallback
+  'oauth.authorize.loading': 'Loading…', // en-fallback
+  'oauth.authorize.errorTitle': 'Authorization Error', // en-fallback
+  'oauth.authorize.loginTitle': 'Sign in to continue', // en-fallback
+  'oauth.authorize.loginDescription':
+    '{client} wants access to your TREK account. Please sign in first.', // en-fallback
+  'oauth.authorize.loginButton': 'Sign in to TREK', // en-fallback
+  'oauth.authorize.requestLabel': 'Authorization Request', // en-fallback
+  'oauth.authorize.requestDescription':
+    'This application is requesting access to your TREK account.', // en-fallback
+  'oauth.authorize.trustNote':
+    'Only grant access to applications you trust. Your data stays on your server.', // en-fallback
+  'oauth.authorize.selectScope': 'Select at least one scope', // en-fallback
+  'oauth.authorize.approveOneScope': 'Approve ({count} scope)', // en-fallback
+  'oauth.authorize.approveManyScopes': 'Approve ({count} scopes)', // en-fallback
+  'oauth.authorize.approveAccess': 'Approve Access', // en-fallback
+  'oauth.authorize.deny': 'Deny', // en-fallback
+  'oauth.authorize.choosePermissions': 'Choose which permissions to grant', // en-fallback
+  'oauth.authorize.permissionsRequested': 'Permissions requested', // en-fallback
+  'oauth.authorize.alwaysIncluded': 'Always included', // en-fallback
+  'oauth.authorize.alwaysTool.listTrips':
+    'List your trips so the AI can discover trip IDs', // en-fallback
+  'oauth.authorize.alwaysTool.getTripSummary':
+    'Read a trip overview needed to use any other tool', // en-fallback
 };
 export default oauth;
@@ -37,5 +37,7 @@ const dayplan: TranslationStrings = {
  'dayplan.mobile.allAssigned': '所有地點已分配',
  'dayplan.mobile.noMatch': '無匹配',
  'dayplan.mobile.createNew': '建立新地點',
+  'dayplan.expandAll': 'Expand all days', // en-fallback
+  'dayplan.collapseAll': 'Collapse all days', // en-fallback
 };
 export default dayplan;
@@ -225,5 +225,10 @@ const journey: TranslationStrings = {
  'journey.picker.noAlbums': '未找到相簿',
  'journey.picker.selectDate': '選擇日期',
  'journey.picker.search': '搜尋',
+  'journey.detail.journeyTab': 'Journey', // en-fallback
+  'journey.contributors.remove': 'Remove contributor', // en-fallback
+  'journey.contributors.removeConfirm': 'Remove {username} from this journey?', // en-fallback
+  'journey.contributors.removed': 'Contributor removed', // en-fallback
+  'journey.contributors.removeFailed': 'Failed to remove contributor', // en-fallback
 };
 export default journey;
@@ -73,5 +73,29 @@ const oauth: TranslationStrings = {
  'oauth.scope.journey:write.description': '建立、更新及刪除旅程及其條目',
  'oauth.scope.journey:share.label': '管理旅程連結',
  'oauth.scope.journey:share.description': '建立、更新及撤銷旅程的公開分享連結',
+  'oauth.authorize.authorizing': 'Authorizing…', // en-fallback
+  'oauth.authorize.loading': 'Loading…', // en-fallback
+  'oauth.authorize.errorTitle': 'Authorization Error', // en-fallback
+  'oauth.authorize.loginTitle': 'Sign in to continue', // en-fallback
+  'oauth.authorize.loginDescription':
+    '{client} wants access to your TREK account. Please sign in first.', // en-fallback
+  'oauth.authorize.loginButton': 'Sign in to TREK', // en-fallback
+  'oauth.authorize.requestLabel': 'Authorization Request', // en-fallback
+  'oauth.authorize.requestDescription':
+    'This application is requesting access to your TREK account.', // en-fallback
+  'oauth.authorize.trustNote':
+    'Only grant access to applications you trust. Your data stays on your server.', // en-fallback
+  'oauth.authorize.selectScope': 'Select at least one scope', // en-fallback
+  'oauth.authorize.approveOneScope': 'Approve ({count} scope)', // en-fallback
+  'oauth.authorize.approveManyScopes': 'Approve ({count} scopes)', // en-fallback
+  'oauth.authorize.approveAccess': 'Approve Access', // en-fallback
+  'oauth.authorize.deny': 'Deny', // en-fallback
+  'oauth.authorize.choosePermissions': 'Choose which permissions to grant', // en-fallback
+  'oauth.authorize.permissionsRequested': 'Permissions requested', // en-fallback
+  'oauth.authorize.alwaysIncluded': 'Always included', // en-fallback
+  'oauth.authorize.alwaysTool.listTrips':
+    'List your trips so the AI can discover trip IDs', // en-fallback
+  'oauth.authorize.alwaysTool.getTripSummary':
+    'Read a trip overview needed to use any other tool', // en-fallback
 };
 export default oauth;
@@ -37,5 +37,7 @@ const dayplan: TranslationStrings = {
  'dayplan.mobile.allAssigned': '所有地点已分配',
  'dayplan.mobile.noMatch': '无匹配',
  'dayplan.mobile.createNew': '创建新地点',
+  'dayplan.expandAll': 'Expand all days', // en-fallback
+  'dayplan.collapseAll': 'Collapse all days', // en-fallback
 };
 export default dayplan;
@@ -225,5 +225,10 @@ const journey: TranslationStrings = {
  'journey.picker.noAlbums': '未找到相册',
  'journey.picker.selectDate': '选择日期',
  'journey.picker.search': '搜索',
+  'journey.detail.journeyTab': 'Journey', // en-fallback
+  'journey.contributors.remove': 'Remove contributor', // en-fallback
+  'journey.contributors.removeConfirm': 'Remove {username} from this journey?', // en-fallback
+  'journey.contributors.removed': 'Contributor removed', // en-fallback
+  'journey.contributors.removeFailed': 'Failed to remove contributor', // en-fallback
 };
 export default journey;
@@ -73,5 +73,29 @@ const oauth: TranslationStrings = {
  'oauth.scope.journey:write.description': '创建、更新和删除旅程及其条目',
  'oauth.scope.journey:share.label': '管理旅程链接',
  'oauth.scope.journey:share.description': '创建、更新和撤销旅程的公开分享链接',
+  'oauth.authorize.authorizing': 'Authorizing…', // en-fallback
+  'oauth.authorize.loading': 'Loading…', // en-fallback
+  'oauth.authorize.errorTitle': 'Authorization Error', // en-fallback
+  'oauth.authorize.loginTitle': 'Sign in to continue', // en-fallback
+  'oauth.authorize.loginDescription':
+    '{client} wants access to your TREK account. Please sign in first.', // en-fallback
+  'oauth.authorize.loginButton': 'Sign in to TREK', // en-fallback
+  'oauth.authorize.requestLabel': 'Authorization Request', // en-fallback
+  'oauth.authorize.requestDescription':
+    'This application is requesting access to your TREK account.', // en-fallback
+  'oauth.authorize.trustNote':
+    'Only grant access to applications you trust. Your data stays on your server.', // en-fallback
+  'oauth.authorize.selectScope': 'Select at least one scope', // en-fallback
+  'oauth.authorize.approveOneScope': 'Approve ({count} scope)', // en-fallback
+  'oauth.authorize.approveManyScopes': 'Approve ({count} scopes)', // en-fallback
+  'oauth.authorize.approveAccess': 'Approve Access', // en-fallback
+  'oauth.authorize.deny': 'Deny', // en-fallback
+  'oauth.authorize.choosePermissions': 'Choose which permissions to grant', // en-fallback
+  'oauth.authorize.permissionsRequested': 'Permissions requested', // en-fallback
+  'oauth.authorize.alwaysIncluded': 'Always included', // en-fallback
+  'oauth.authorize.alwaysTool.listTrips':
+    'List your trips so the AI can discover trip IDs', // en-fallback
+  'oauth.authorize.alwaysTool.getTripSummary':
+    'Read a trip overview needed to use any other tool', // en-fallback
 };
 export default oauth;
@@ -13,6 +13,37 @@ export * from './common/pagination.schema';

 // Domain contracts
 export * from './weather/weather.schema';
+export * from './airport/airport.schema';
+export * from './config/config.schema';
+export * from './system-notice/system-notice.schema';
+export * from './maps/maps.schema';
+export * from './category/category.schema';
+export * from './tag/tag.schema';
+export * from './notification/notification.schema';
+export * from './atlas/atlas.schema';
+export * from './vacay/vacay.schema';
+export * from './packing/packing.schema';
+export * from './todo/todo.schema';
+export * from './budget/budget.schema';
+export * from './reservation/reservation.schema';
+export * from './day/day.schema';
+export * from './assignment/assignment.schema';
+export * from './place/place.schema';
+export * from './trip/trip.schema';
+export * from './collab/collab.schema';
+export * from './file/file.schema';
+export * from './journey/journey.schema';
+export * from './share/share.schema';
+export * from './settings/settings.schema';
+export * from './backup/backup.schema';
+export * from './auth/auth.schema';
+export * from './oidc/oidc.schema';
+export * from './oauth/oauth.schema';
+export * from './admin/admin.schema';
+
+// Sanitisation helpers — used by the client today, scoped here so the server
+// has them ready if rich-text input ever ships.
+export * from './sanitize/sanitize';

 // i18n registry (language list + pure helpers — no locale data)
 export * from './i18n/languages';
@@ -0,0 +1,98 @@
+import {
+  journeyCreateRequestSchema,
+  journeyAddTripRequestSchema,
+  journeyReorderEntriesRequestSchema,
+  journeyContributorRequestSchema,
+  journeyProviderPhotosRequestSchema,
+  journeyShareLinkRequestSchema,
+} from './journey.schema';
+
+import { describe, it, expect } from 'vitest';
+
+describe('journeyCreateRequestSchema', () => {
+  it('requires a title; subtitle + trip_ids optional', () => {
+    expect(
+      journeyCreateRequestSchema.safeParse({ title: 'Trip of a lifetime' })
+        .success,
+    ).toBe(true);
+    expect(
+      journeyCreateRequestSchema.safeParse({ title: 'X', trip_ids: [1, '2'] })
+        .success,
+    ).toBe(true);
+    expect(
+      journeyCreateRequestSchema.safeParse({ subtitle: 'no title' }).success,
+    ).toBe(false);
+  });
+});
+
+describe('journeyAddTripRequestSchema', () => {
+  it('requires a trip_id (string or number)', () => {
+    expect(journeyAddTripRequestSchema.safeParse({ trip_id: 5 }).success).toBe(
+      true,
+    );
+    expect(
+      journeyAddTripRequestSchema.safeParse({ trip_id: '5' }).success,
+    ).toBe(true);
+    expect(journeyAddTripRequestSchema.safeParse({}).success).toBe(false);
+  });
+});
+
+describe('journeyReorderEntriesRequestSchema', () => {
+  it('requires a non-empty orderedIds array', () => {
+    expect(
+      journeyReorderEntriesRequestSchema.safeParse({ orderedIds: [3, 1, 2] })
+        .success,
+    ).toBe(true);
+    expect(
+      journeyReorderEntriesRequestSchema.safeParse({ orderedIds: [] }).success,
+    ).toBe(false);
+  });
+});
+
+describe('journeyContributorRequestSchema', () => {
+  it('requires user_id; role limited to editor/viewer', () => {
+    expect(
+      journeyContributorRequestSchema.safeParse({ user_id: 2 }).success,
+    ).toBe(true);
+    expect(
+      journeyContributorRequestSchema.safeParse({ user_id: 2, role: 'editor' })
+        .success,
+    ).toBe(true);
+    expect(
+      journeyContributorRequestSchema.safeParse({ user_id: 2, role: 'admin' })
+        .success,
+    ).toBe(false);
+  });
+});
+
+describe('journeyProviderPhotosRequestSchema', () => {
+  it('requires a provider; accepts single asset_id or a batch', () => {
+    expect(
+      journeyProviderPhotosRequestSchema.safeParse({
+        provider: 'immich',
+        asset_id: 'a1',
+      }).success,
+    ).toBe(true);
+    expect(
+      journeyProviderPhotosRequestSchema.safeParse({
+        provider: 'immich',
+        asset_ids: ['a1', 'a2'],
+      }).success,
+    ).toBe(true);
+    expect(
+      journeyProviderPhotosRequestSchema.safeParse({ asset_id: 'a1' }).success,
+    ).toBe(false);
+  });
+});
+
+describe('journeyShareLinkRequestSchema', () => {
+  it('accepts optional share toggles', () => {
+    expect(
+      journeyShareLinkRequestSchema.safeParse({
+        share_timeline: true,
+        share_gallery: false,
+      }).success,
+    ).toBe(true);
+    expect(journeyShareLinkRequestSchema.safeParse({}).success).toBe(true);
+  });
+});
@@ -0,0 +1,61 @@
+import { z } from 'zod';
+
+/**
+ * Journey API contract — cross-trip travel narrative (journeys, dated entries,
+ * a photo gallery with provider mirroring, contributors, per-user preferences
+ * and public share links).
+ *
+ * Authenticated routes live under /api/journeys (gated by the Journey addon);
+ * the public read/photo-proxy routes live under /api/public/journey and are
+ * share-token validated. Access control lives inside journeyService (it returns
+ * null/false → the controller maps to 403/404), so these schemas pin the
+ * well-defined request bodies; entry create/update stay open-ended (forwarded
+ * to the service) and the bespoke 400/403/404 messages pin the rest.
+ */
+
+export const journeyCreateRequestSchema = z.object({
+  title: z.string().min(1),
+  subtitle: z.string().optional(),
+  trip_ids: z.array(z.union([z.string(), z.number()])).optional(),
+});
+export type JourneyCreateRequest = z.infer<typeof journeyCreateRequestSchema>;
+
+export const journeyAddTripRequestSchema = z.object({
+  trip_id: z.union([z.string(), z.number()]),
+});
+export type JourneyAddTripRequest = z.infer<typeof journeyAddTripRequestSchema>;
+
+export const journeyReorderEntriesRequestSchema = z.object({
+  orderedIds: z.array(z.union([z.string(), z.number()])).min(1),
+});
+export type JourneyReorderEntriesRequest = z.infer<
+  typeof journeyReorderEntriesRequestSchema
+>;
+
+export const journeyContributorRequestSchema = z.object({
+  user_id: z.union([z.string(), z.number()]),
+  role: z.enum(['editor', 'viewer']).optional(),
+});
+export type JourneyContributorRequest = z.infer<
+  typeof journeyContributorRequestSchema
+>;
+
+export const journeyProviderPhotosRequestSchema = z.object({
+  provider: z.string().min(1),
+  asset_id: z.string().optional(),
+  asset_ids: z.array(z.union([z.string(), z.number()])).optional(),
+  caption: z.string().optional(),
+  passphrase: z.string().optional(),
+});
+export type JourneyProviderPhotosRequest = z.infer<
+  typeof journeyProviderPhotosRequestSchema
+>;
+
+export const journeyShareLinkRequestSchema = z.object({
+  share_timeline: z.boolean().optional(),
+  share_gallery: z.boolean().optional(),
+  share_map: z.boolean().optional(),
+});
+export type JourneyShareLinkRequest = z.infer<
+  typeof journeyShareLinkRequestSchema
+>;
@@ -0,0 +1,62 @@
+import {
+  mapsSearchRequestSchema,
+  mapsAutocompleteRequestSchema,
+  mapsReverseQuerySchema,
+  mapsResolveUrlRequestSchema,
+} from './maps.schema';
+
+import { describe, it, expect } from 'vitest';
+
+describe('mapsSearchRequestSchema', () => {
+  it('requires a non-empty query', () => {
+    expect(mapsSearchRequestSchema.safeParse({ query: 'berlin' }).success).toBe(
+      true,
+    );
+    expect(mapsSearchRequestSchema.safeParse({ query: '' }).success).toBe(
+      false,
+    );
+    expect(mapsSearchRequestSchema.safeParse({}).success).toBe(false);
+  });
+});
+
+describe('mapsAutocompleteRequestSchema', () => {
+  it('caps input at 200 chars and allows an optional locationBias', () => {
+    expect(
+      mapsAutocompleteRequestSchema.safeParse({ input: 'be' }).success,
+    ).toBe(true);
+    expect(
+      mapsAutocompleteRequestSchema.safeParse({ input: 'x'.repeat(201) })
+        .success,
+    ).toBe(false);
+    expect(
+      mapsAutocompleteRequestSchema.safeParse({
+        input: 'be',
+        locationBias: { low: { lat: 1, lng: 2 }, high: { lat: 3, lng: 4 } },
+      }).success,
+    ).toBe(true);
+  });
+});
+
+describe('mapsReverseQuerySchema', () => {
+  it('requires lat and lng as strings (the route parses them downstream)', () => {
+    expect(
+      mapsReverseQuerySchema.safeParse({ lat: '52.5', lng: '13.4' }).success,
+    ).toBe(true);
+    expect(mapsReverseQuerySchema.safeParse({ lat: '52.5' }).success).toBe(
+      false,
+    );
+  });
+});
+
+describe('mapsResolveUrlRequestSchema', () => {
+  it('requires a non-empty url', () => {
+    expect(
+      mapsResolveUrlRequestSchema.safeParse({
+        url: 'https://maps.app.goo.gl/x',
+      }).success,
+    ).toBe(true);
+    expect(mapsResolveUrlRequestSchema.safeParse({ url: '' }).success).toBe(
+      false,
+    );
+  });
+});
@@ -0,0 +1,94 @@
+import { z } from 'zod';
+
+/**
+ * Maps / geo API contract — single source of truth for the /api/maps endpoints.
+ *
+ * The legacy Express route (server/src/routes/maps.ts) is a thin layer over
+ * services/mapsService.ts, which talks to Nominatim/Overpass (and optionally
+ * Google Places when a key is configured) and applies the SSRF guard on every
+ * outbound URL. The place objects these return are provider-shaped and vary by
+ * source, so the response schemas keep them as open records — the contract pins
+ * down the request shapes and the stable envelope fields, not the provider blobs.
+ *
+ * The bespoke 400 validation messages and the per-endpoint kill-switch responses
+ * are reproduced in the controller, not derived from these schemas, so the bodies
+ * stay byte-identical to Express.
+ */
+
+const latLng = z.object({ lat: z.number(), lng: z.number() });
+
+export const mapsSearchRequestSchema = z.object({
+  query: z.string().min(1),
+});
+export type MapsSearchRequest = z.infer<typeof mapsSearchRequestSchema>;
+
+export const mapsAutocompleteRequestSchema = z.object({
+  input: z.string().min(1).max(200),
+  lang: z.string().optional(),
+  locationBias: z.object({ low: latLng, high: latLng }).optional(),
+});
+export type MapsAutocompleteRequest = z.infer<
+  typeof mapsAutocompleteRequestSchema
+>;
+
+export const mapsReverseQuerySchema = z.object({
+  lat: z.string().min(1),
+  lng: z.string().min(1),
+  lang: z.string().optional(),
+});
+export type MapsReverseQuery = z.infer<typeof mapsReverseQuerySchema>;
+
+export const mapsResolveUrlRequestSchema = z.object({
+  url: z.string().min(1),
+});
+export type MapsResolveUrlRequest = z.infer<typeof mapsResolveUrlRequestSchema>;
+
+/** Provider-shaped place blob (Google/OSM fields differ); kept open by design. */
+const placeRecord = z.record(z.string(), z.unknown());
+
+export const mapsSearchResultSchema = z.object({
+  places: z.array(placeRecord),
+  source: z.string(),
+});
+export type MapsSearchResult = z.infer<typeof mapsSearchResultSchema>;
+
+export const mapsAutocompleteSuggestionSchema = z.object({
+  placeId: z.string(),
+  mainText: z.string(),
+  secondaryText: z.string(),
+});
+export const mapsAutocompleteResultSchema = z.object({
+  suggestions: z.array(mapsAutocompleteSuggestionSchema),
+  source: z.string(),
+});
+export type MapsAutocompleteResult = z.infer<
+  typeof mapsAutocompleteResultSchema
+>;
+
+export const mapsPlaceDetailsResultSchema = z.object({
+  place: placeRecord.nullable(),
+  disabled: z.boolean().optional(),
+});
+export type MapsPlaceDetailsResult = z.infer<
+  typeof mapsPlaceDetailsResultSchema
+>;
+
+export const mapsPlacePhotoResultSchema = z.object({
+  photoUrl: z.string().nullable(),
+  attribution: z.string().nullable().optional(),
+});
+export type MapsPlacePhotoResult = z.infer<typeof mapsPlacePhotoResultSchema>;
+
+export const mapsReverseResultSchema = z.object({
+  name: z.string().nullable(),
+  address: z.string().nullable(),
+});
+export type MapsReverseResult = z.infer<typeof mapsReverseResultSchema>;
+
+export const mapsResolveUrlResultSchema = z.object({
+  lat: z.number(),
+  lng: z.number(),
+  name: z.string().nullable(),
+  address: z.string().nullable(),
+});
+export type MapsResolveUrlResult = z.infer<typeof mapsResolveUrlResultSchema>;
@@ -0,0 +1,59 @@
+import {
+  preferencesUpdateRequestSchema,
+  notificationRespondRequestSchema,
+  channelTestResultSchema,
+  inAppListResultSchema,
+} from './notification.schema';
+
+import { describe, it, expect } from 'vitest';
+
+describe('preferencesUpdateRequestSchema', () => {
+  it('accepts a nested event/channel/enabled matrix', () => {
+    expect(
+      preferencesUpdateRequestSchema.safeParse({
+        trip_invite: { inapp: true, email: false },
+      }).success,
+    ).toBe(true);
+    expect(
+      preferencesUpdateRequestSchema.safeParse({
+        trip_invite: { inapp: 'yes' },
+      }).success,
+    ).toBe(false);
+  });
+});
+
+describe('notificationRespondRequestSchema', () => {
+  it('only accepts positive/negative', () => {
+    expect(
+      notificationRespondRequestSchema.safeParse({ response: 'positive' })
+        .success,
+    ).toBe(true);
+    expect(
+      notificationRespondRequestSchema.safeParse({ response: 'maybe' }).success,
+    ).toBe(false);
+  });
+});
+
+describe('channelTestResultSchema', () => {
+  it('accepts a success result and an error result', () => {
+    expect(channelTestResultSchema.safeParse({ success: true }).success).toBe(
+      true,
+    );
+    expect(
+      channelTestResultSchema.safeParse({ success: false, error: 'SMTP down' })
+        .success,
+    ).toBe(true);
+  });
+});
+
+describe('inAppListResultSchema', () => {
+  it('accepts the list envelope with open notification rows', () => {
+    expect(
+      inAppListResultSchema.safeParse({
+        notifications: [{ id: 1, type: 'info', anything: 'goes' }],
+        total: 1,
+        unread_count: 0,
+      }).success,
+    ).toBe(true);
+  });
+});
@@ -0,0 +1,61 @@
+import { z } from 'zod';
+
+/**
+ * Notification API contract — single source of truth for the /api/notifications
+ * endpoints (channel-preference matrix, channel test pings, and in-app
+ * notifications).
+ *
+ * The notification row and the preferences matrix are wide, DB- and
+ * registry-derived shapes; the response schemas keep them as open records and
+ * pin the stable envelope fields, while the request schemas and the bespoke
+ * 400/403/404 controller messages capture the parts the client depends on.
+ * Real-time delivery happens over the existing WebSocket path inside the
+ * services and is untouched by this contract.
+ */
+
+/** Channel preference matrix update: { eventType: { channel: enabled } }. */
+export const preferencesUpdateRequestSchema = z.record(
+  z.string(),
+  z.record(z.string(), z.boolean()),
+);
+export type PreferencesUpdateRequest = z.infer<
+  typeof preferencesUpdateRequestSchema
+>;
+
+export const testSmtpRequestSchema = z.object({ email: z.string().optional() });
+export const testWebhookRequestSchema = z.object({
+  url: z.string().optional(),
+});
+export const testNtfyRequestSchema = z.object({
+  topic: z.string().optional(),
+  server: z.string().optional(),
+  token: z.string().optional(),
+});
+
+/** Result of a channel test ping. */
+export const channelTestResultSchema = z.object({
+  success: z.boolean(),
+  error: z.string().optional(),
+});
+export type ChannelTestResult = z.infer<typeof channelTestResultSchema>;
+
+/** Respond to a boolean (yes/no) notification. */
+export const notificationRespondRequestSchema = z.object({
+  response: z.enum(['positive', 'negative']),
+});
+export type NotificationRespondRequest = z.infer<
+  typeof notificationRespondRequestSchema
+>;
+
+/** A single in-app notification row (DB-shaped; kept open). */
+export const notificationRowSchema = z.record(z.string(), z.unknown());
+
+export const inAppListResultSchema = z.object({
+  notifications: z.array(notificationRowSchema),
+  total: z.number(),
+  unread_count: z.number(),
+});
+export type InAppListResult = z.infer<typeof inAppListResultSchema>;
+
+export const unreadCountResultSchema = z.object({ count: z.number() });
+export type UnreadCountResult = z.infer<typeof unreadCountResultSchema>;
@@ -0,0 +1,71 @@
+import {
+  oauthTokenRequestSchema,
+  oauthConsentRequestSchema,
+  oauthClientCreateRequestSchema,
+} from './oauth.schema';
+
+import { describe, it, expect } from 'vitest';
+
+describe('oauthTokenRequestSchema', () => {
+  it('is permissive across grant types and passes extras through', () => {
+    expect(
+      oauthTokenRequestSchema.safeParse({
+        grant_type: 'authorization_code',
+        client_id: 'c',
+        code: 'x',
+        redirect_uri: 'u',
+        code_verifier: 'v',
+      }).success,
+    ).toBe(true);
+    expect(
+      oauthTokenRequestSchema.safeParse({
+        grant_type: 'client_credentials',
+        client_id: 'c',
+        client_secret: 's',
+        scope: 'a b',
+      }).success,
+    ).toBe(true);
+    expect(oauthTokenRequestSchema.safeParse({}).success).toBe(true);
+  });
+});
+
+describe('oauthConsentRequestSchema', () => {
+  it('requires the PKCE consent fields + approved flag', () => {
+    expect(
+      oauthConsentRequestSchema.safeParse({
+        client_id: 'c',
+        redirect_uri: 'u',
+        scope: 's',
+        code_challenge: 'cc',
+        code_challenge_method: 'S256',
+        approved: true,
+      }).success,
+    ).toBe(true);
+    expect(
+      oauthConsentRequestSchema.safeParse({
+        client_id: 'c',
+        redirect_uri: 'u',
+        scope: 's',
+        code_challenge: 'cc',
+        code_challenge_method: 'S256',
+      }).success,
+    ).toBe(false);
+  });
+});
+
+describe('oauthClientCreateRequestSchema', () => {
+  it('requires name + allowed_scopes', () => {
+    expect(
+      oauthClientCreateRequestSchema.safeParse({
+        name: 'CLI',
+        allowed_scopes: ['trips:read'],
+      }).success,
+    ).toBe(true);
+    expect(
+      oauthClientCreateRequestSchema.safeParse({ name: 'CLI' }).success,
+    ).toBe(false);
+    expect(
+      oauthClientCreateRequestSchema.safeParse({ allowed_scopes: [] }).success,
+    ).toBe(false);
+  });
+});
@@ -0,0 +1,46 @@
+import { z } from 'zod';
+
+/**
+ * OAuth 2.1 server contract for /oauth/* (public) + /api/oauth/* (SPA).
+ *
+ * The token endpoint accepts JSON or form-encoded bodies across three grant
+ * types, so its body stays permissive (the service enforces grant-specific
+ * rules + the RFC error codes). These schemas pin the consent submit and the
+ * client-create body the SPA sends.
+ */
+export const oauthTokenRequestSchema = z
+  .object({
+    grant_type: z.string().optional(),
+    client_id: z.string().optional(),
+    client_secret: z.string().optional(),
+    code: z.string().optional(),
+    redirect_uri: z.string().optional(),
+    code_verifier: z.string().optional(),
+    refresh_token: z.string().optional(),
+    scope: z.string().optional(),
+    resource: z.string().optional(),
+  })
+  .passthrough();
+export type OauthTokenRequest = z.infer<typeof oauthTokenRequestSchema>;
+
+export const oauthConsentRequestSchema = z.object({
+  client_id: z.string(),
+  redirect_uri: z.string(),
+  scope: z.string(),
+  state: z.string().optional(),
+  code_challenge: z.string(),
+  code_challenge_method: z.string(),
+  approved: z.boolean(),
+  resource: z.string().optional(),
+});
+export type OauthConsentRequest = z.infer<typeof oauthConsentRequestSchema>;
+
+export const oauthClientCreateRequestSchema = z.object({
+  name: z.string().min(1),
+  redirect_uris: z.array(z.string()).optional(),
+  allowed_scopes: z.array(z.string()),
+  allows_client_credentials: z.boolean().optional(),
+});
+export type OauthClientCreateRequest = z.infer<
+  typeof oauthClientCreateRequestSchema
+>;
@@ -0,0 +1,25 @@
+import {
+  oidcCallbackQuerySchema,
+  oidcExchangeQuerySchema,
+} from './oidc.schema';
+
+import { describe, it, expect } from 'vitest';
+
+describe('oidcCallbackQuerySchema', () => {
+  it('accepts code+state, an error, or nothing (all optional)', () => {
+    expect(
+      oidcCallbackQuerySchema.safeParse({ code: 'c', state: 's' }).success,
+    ).toBe(true);
+    expect(
+      oidcCallbackQuerySchema.safeParse({ error: 'access_denied' }).success,
+    ).toBe(true);
+    expect(oidcCallbackQuerySchema.safeParse({}).success).toBe(true);
+  });
+});
+
+describe('oidcExchangeQuerySchema', () => {
+  it('requires a code', () => {
+    expect(oidcExchangeQuerySchema.safeParse({ code: 'c' }).success).toBe(true);
+    expect(oidcExchangeQuerySchema.safeParse({}).success).toBe(false);
+  });
+});
@@ -0,0 +1,21 @@
+import { z } from 'zod';
+
+/**
+ * OIDC SSO contract for /api/auth/oidc.
+ *
+ * The flow is redirect-based and carries no request bodies — inputs arrive as
+ * query params (the provider callback's code/state/error, the optional invite on
+ * /login, and the auth-code on /exchange). These schemas pin those query shapes;
+ * the cryptographic verification + provisioning live in the OIDC service.
+ */
+export const oidcCallbackQuerySchema = z.object({
+  code: z.string().optional(),
+  state: z.string().optional(),
+  error: z.string().optional(),
+});
+export type OidcCallbackQuery = z.infer<typeof oidcCallbackQuerySchema>;
+
+export const oidcExchangeQuerySchema = z.object({
+  code: z.string(),
+});
+export type OidcExchangeQuery = z.infer<typeof oidcExchangeQuerySchema>;
@@ -0,0 +1,56 @@
+import {
+  packingCreateItemRequestSchema,
+  packingImportRequestSchema,
+  packingCreateBagRequestSchema,
+  packingSaveTemplateRequestSchema,
+} from './packing.schema';
+
+import { describe, it, expect } from 'vitest';
+
+describe('packingCreateItemRequestSchema', () => {
+  it('requires a non-empty name; category/checked optional', () => {
+    expect(
+      packingCreateItemRequestSchema.safeParse({ name: 'Socks' }).success,
+    ).toBe(true);
+    expect(
+      packingCreateItemRequestSchema.safeParse({
+        name: 'Socks',
+        category: 'Clothes',
+        checked: true,
+      }).success,
+    ).toBe(true);
+    expect(packingCreateItemRequestSchema.safeParse({ name: '' }).success).toBe(
+      false,
+    );
+  });
+});
+
+describe('packingImportRequestSchema', () => {
+  it('accepts an array of open item rows', () => {
+    expect(
+      packingImportRequestSchema.safeParse({
+        items: [{ name: 'a' }, { name: 'b', anything: 1 }],
+      }).success,
+    ).toBe(true);
+  });
+});
+
+describe('packingCreateBagRequestSchema', () => {
+  it('requires a name', () => {
+    expect(
+      packingCreateBagRequestSchema.safeParse({ name: 'Carry-on' }).success,
+    ).toBe(true);
+    expect(packingCreateBagRequestSchema.safeParse({}).success).toBe(false);
+  });
+});
+
+describe('packingSaveTemplateRequestSchema', () => {
+  it('requires a name', () => {
+    expect(
+      packingSaveTemplateRequestSchema.safeParse({ name: 'Summer' }).success,
+    ).toBe(true);
+    expect(
+      packingSaveTemplateRequestSchema.safeParse({ name: '' }).success,
+    ).toBe(false);
+  });
+});
@@ -0,0 +1,134 @@
+import { z } from 'zod';
+
+/**
+ * Packing API contract — single source of truth for the
+ * /api/trips/:tripId/packing endpoints (items, bags, templates, assignees).
+ *
+ * Trip-scoped: every endpoint verifies trip access (404 "Trip not found") and
+ * mutations additionally check the 'packing_edit' permission (403 "No
+ * permission"). The legacy route (server/src/routes/packing.ts) wraps
+ * services/packingService.ts; rows are DB-shaped and kept as open records here.
+ * Mutations broadcast over WebSocket using the forwarded X-Socket-Id.
+ */
+
+const open = z.record(z.string(), z.unknown());
+
+/**
+ * Packing item entity as returned by the packing endpoints
+ * (server/src/services/packingService.ts -> SELECT * FROM packing_items).
+ * `checked` is the raw SQLite INTEGER (0/1). Columns match the packing_items
+ * table (see server DB): weight_grams/bag_id are nullable, quantity defaults 1.
+ */
+export const packingItemSchema = z.object({
+  id: z.number(),
+  trip_id: z.number(),
+  name: z.string(),
+  checked: z.number(),
+  category: z.string().nullable().optional(),
+  sort_order: z.number(),
+  weight_grams: z.number().nullable().optional(),
+  bag_id: z.number().nullable().optional(),
+  quantity: z.number().optional(),
+  created_at: z.string().optional(),
+});
+export type PackingItem = z.infer<typeof packingItemSchema>;
+
+/**
+ * Packing bag member embedded on a bag (server packingService -> listBags).
+ * `avatar` is the resolved avatar URL.
+ */
+export const packingBagMemberSchema = z.object({
+  user_id: z.number(),
+  username: z.string(),
+  avatar: z.string().nullable().optional(),
+});
+export type PackingBagMember = z.infer<typeof packingBagMemberSchema>;
+
+/**
+ * Packing bag entity (server packingService -> listBags). Columns of the
+ * packing_bags table plus the embedded `members` array (and the optional
+ * `assigned_username` join present on updateBag).
+ */
+export const packingBagSchema = z.object({
+  id: z.number(),
+  trip_id: z.number(),
+  name: z.string(),
+  color: z.string(),
+  weight_limit_grams: z.number().nullable().optional(),
+  sort_order: z.number(),
+  user_id: z.number().nullable().optional(),
+  assigned_username: z.string().nullable().optional(),
+  created_at: z.string().optional(),
+  members: z.array(packingBagMemberSchema).optional(),
+});
+export type PackingBag = z.infer<typeof packingBagSchema>;
+
+export const packingCreateItemRequestSchema = z.object({
+  name: z.string().min(1),
+  category: z.string().optional(),
+  checked: z.boolean().optional(),
+});
+export type PackingCreateItemRequest = z.infer<
+  typeof packingCreateItemRequestSchema
+>;
+
+export const packingUpdateItemRequestSchema = z.object({
+  name: z.string().optional(),
+  checked: z.boolean().optional(),
+  category: z.string().optional(),
+  weight_grams: z.number().nullable().optional(),
+  bag_id: z.number().nullable().optional(),
+  quantity: z.number().optional(),
+});
+export type PackingUpdateItemRequest = z.infer<
+  typeof packingUpdateItemRequestSchema
+>;
+
+export const packingImportRequestSchema = z.object({
+  items: z.array(open),
+});
+export type PackingImportRequest = z.infer<typeof packingImportRequestSchema>;
+
+export const packingReorderRequestSchema = z.object({
+  orderedIds: z.array(z.number()),
+});
+export type PackingReorderRequest = z.infer<typeof packingReorderRequestSchema>;
+
+export const packingCreateBagRequestSchema = z.object({
+  name: z.string().min(1),
+  color: z.string().optional(),
+});
+export type PackingCreateBagRequest = z.infer<
+  typeof packingCreateBagRequestSchema
+>;
+
+export const packingUpdateBagRequestSchema = z.object({
+  name: z.string().optional(),
+  color: z.string().optional(),
+  weight_limit_grams: z.number().nullable().optional(),
+  user_id: z.number().nullable().optional(),
+});
+export type PackingUpdateBagRequest = z.infer<
+  typeof packingUpdateBagRequestSchema
+>;
+
+export const packingBagMembersRequestSchema = z.object({
+  user_ids: z.array(z.number()),
+});
+export type PackingBagMembersRequest = z.infer<
+  typeof packingBagMembersRequestSchema
+>;
+
+export const packingSaveTemplateRequestSchema = z.object({
+  name: z.string().min(1),
+});
+export type PackingSaveTemplateRequest = z.infer<
+  typeof packingSaveTemplateRequestSchema
+>;
+
+export const packingCategoryAssigneesRequestSchema = z.object({
+  user_ids: z.array(z.number()),
+});
+export type PackingCategoryAssigneesRequest = z.infer<
+  typeof packingCategoryAssigneesRequestSchema
+>;
--- a/Show More
+++ b/Show More