feat(costs): rework Budget into Costs — Splitwise-style, multi-currency, mobile (#1106)

* fix(journey): authorize reads of the journey share link

GET /api/journeys/:id/share-link now requires journey access (canAccessJourney),
matching the create/delete share-link routes and the get_journey_share_link MCP
tool. Returns no link when the caller lacks access to the journey.

* feat(costs): rework Budget into Costs — Splitwise-style, multi-currency, mobile

Renames the Budget addon to "Costs" (UI only) and reworks it into a Tricount/
Splitwise-style cost tracker: multiple payers per expense, equal split across
chosen members, settle-up with persisted history + undo, 12 fixed categories,
per-expense currency with live FX conversion to a user-set display currency
(Settings -> Display), and locale-correct money formatting. Adds a desktop and a
dedicated mobile layout. A migration backfills existing budget items (single
payer, split members, currency). Closes #551 (per-expense currency).

Also switches the app font to self-hosted Poppins (Geist for secondary subtext),
replacing the Google Fonts CDN dependency.

* fix(costs): neutral dashboard dark palette + liquid glass, full page width, entry-count badge

- Dark mode used a warm oklch palette that read brownish; switch to the
  neutral zinc tokens used by the dashboard (#121215 bg, #f4f4f5 ink) and add a
  subtle backdrop-blur glass on cards.
- Costs now uses the full available page width on desktop instead of a 1280px cap.
- Render the expense count next to the Expenses title as a badge.
- Adapt budget/journey unit tests to the new payer-based settlement model and the
  Costs rename (category default 'other', Costs tab/CostsPanel).

* fix(costs): drop the entry-count badge, always show row edit/delete actions

Removes the count badge next to the Expenses title and makes the per-row
edit/delete actions permanently visible (no longer hover-only) on desktop too.

* feat(costs): currency-native money formatting, custom select/date, rename addon to Costs

- Format every amount in its own currency convention (symbol position, grouping
  and decimal separators) regardless of app language, via a currency->locale map
  (EUR -> '12,00 €', USD -> '$12.00', JPY -> '¥12', ...). Previously Intl used the
  app locale, so EUR showed the symbol in front under an English UI.
- Use TREK's CustomSelect (searchable, with symbols) and CustomDatePicker in the
  add/edit expense modal instead of the native <select>/<input type=date>.
- Rename the 'Budget Planner' add-on to 'Costs' in the admin list (display only;
  id/tables/permissions/MCP stay 'budget') via seed + a migration for existing DBs.

* feat(auth): configurable session duration via SESSION_DURATION

Adds a SESSION_DURATION env var (ms-style strings: 1h, 7d, 30d, ...) controlling
how long a session stays valid before re-login. It drives both the trek_session
JWT exp claim and the cookie maxAge from one source, so they never drift. Invalid
values warn at startup and fall back to the default (24h — unchanged). The MFA
challenge token and MCP OAuth tokens keep their own TTL.

Implements the request from discussion #946. Documented in the env-var wiki page,
.env.example and docker-compose.yml.

server/src/nest/budget/budget.controller.ts

@@ -8,6 +8,7 @@ import {
   Param,
   Post,
   Put,
+  Query,
   UseGuards,
 } from '@nestjs/common';
 import type { User } from '../../types';
@@ -57,9 +58,56 @@ export class BudgetController {
   }
 
   @Get('settlement')
-  settlement(@CurrentUser() user: User, @Param('tripId') tripId: string) {
+  settlement(
+    @CurrentUser() user: User,
+    @Param('tripId') tripId: string,
+    @Query('base') base?: string,
+  ) {
+    const trip = this.requireTrip(tripId, user);
+    return this.budget.settlement(tripId, base, (trip as { currency?: string }).currency || 'EUR');
+  }
+
+  @Get('settlements')
+  listSettlements(@CurrentUser() user: User, @Param('tripId') tripId: string) {
     this.requireTrip(tripId, user);
-    return this.budget.settlement(tripId);
+    return { settlements: this.budget.listSettlements(tripId) };
+  }
+
+  @Post('settlements')
+  createSettlement(
+    @CurrentUser() user: User,
+    @Param('tripId') tripId: string,
+    @Body() body: { from_user_id?: number; to_user_id?: number; amount?: number },
+    @Headers('x-socket-id') socketId?: string,
+  ) {
+    const trip = this.requireTrip(tripId, user);
+    this.requireEdit(trip, user);
+    if (body.from_user_id == null || body.to_user_id == null || body.amount == null) {
+      throw new HttpException({ error: 'from_user_id, to_user_id and amount are required' }, 400);
+    }
+    const settlement = this.budget.createSettlement(
+      tripId,
+      { from_user_id: body.from_user_id, to_user_id: body.to_user_id, amount: body.amount },
+      user.id,
+    );
+    this.budget.broadcast(tripId, 'budget:settlement-created', { settlement }, socketId);
+    return { settlement };
+  }
+
+  @Delete('settlements/:settlementId')
+  deleteSettlement(
+    @CurrentUser() user: User,
+    @Param('tripId') tripId: string,
+    @Param('settlementId') settlementId: string,
+    @Headers('x-socket-id') socketId?: string,
+  ) {
+    const trip = this.requireTrip(tripId, user);
+    this.requireEdit(trip, user);
+    if (!this.budget.deleteSettlement(settlementId, tripId)) {
+      throw new HttpException({ error: 'Settlement not found' }, 404);
+    }
+    this.budget.broadcast(tripId, 'budget:settlement-deleted', { settlementId: Number(settlementId) }, socketId);
+    return { success: true };
   }
 
   @Post()
@@ -149,6 +197,27 @@ export class BudgetController {
     return { members: result.members, item: result.item };
   }
 
+  @Put(':id/payers')
+  setPayers(
+    @CurrentUser() user: User,
+    @Param('tripId') tripId: string,
+    @Param('id') id: string,
+    @Body('payers') payers: unknown,
+    @Headers('x-socket-id') socketId?: string,
+  ) {
+    const trip = this.requireTrip(tripId, user);
+    this.requireEdit(trip, user);
+    if (!Array.isArray(payers)) {
+      throw new HttpException({ error: 'payers must be an array' }, 400);
+    }
+    const item = this.budget.setPayers(id, tripId, payers as { user_id: number; amount: number }[]);
+    if (!item) {
+      throw new HttpException({ error: 'Budget item not found' }, 404);
+    }
+    this.budget.broadcast(tripId, 'budget:updated', { item }, socketId);
+    return { item };
+  }
+
   @Put(':id/members/:userId/paid')
   toggleMemberPaid(
     @CurrentUser() user: User,

server/src/nest/budget/budget.service.ts

@@ -4,6 +4,7 @@ import { broadcast } from '../../websocket';
 import { checkPermission } from '../../services/permissions';
 import type { User } from '../../types';
 import * as svc from '../../services/budgetService';
+import { getRates } from '../../services/exchangeRateService';
 
 type Trip = NonNullable<ReturnType<typeof svc.verifyTripAccess>>;
 
@@ -34,8 +35,10 @@ export class BudgetService {
     return svc.getPerPersonSummary(tripId);
   }
 
-  settlement(tripId: string) {
-    return svc.calculateSettlement(tripId);
+  async settlement(tripId: string, base: string | undefined, tripCurrency: string) {
+    const effectiveBase = (base || tripCurrency || 'EUR').toUpperCase();
+    const rates = await getRates(effectiveBase);
+    return svc.calculateSettlement(tripId, { base: effectiveBase, rates, tripCurrency });
   }
 
   create(tripId: string, data: Parameters<typeof svc.createBudgetItem>[1]) {
@@ -58,6 +61,22 @@ export class BudgetService {
     return svc.toggleMemberPaid(id, userId, paid);
   }
 
+  setPayers(id: string, tripId: string, payers: { user_id: number; amount: number }[]) {
+    return svc.setItemPayers(id, tripId, payers);
+  }
+
+  listSettlements(tripId: string) {
+    return svc.listSettlements(tripId);
+  }
+
+  createSettlement(tripId: string, data: { from_user_id: number; to_user_id: number; amount: number }, userId: number) {
+    return svc.createSettlement(tripId, data, userId);
+  }
+
+  deleteSettlement(id: string, tripId: string): boolean {
+    return svc.deleteSettlement(id, tripId);
+  }
+
   reorderItems(tripId: string, orderedIds: number[]): void {
     svc.reorderBudgetItems(tripId, orderedIds);
   }

server/src/nest/journey/journey.controller.ts

@@ -392,7 +392,7 @@ export class JourneyController {
   // ── Share Link ──────────────────────────────────────────────────────────
   @Get(':id/share-link')
   getShareLink(@CurrentUser() user: User, @Param('id') id: string) {
-    return { link: this.journey.getJourneyShareLink(Number(id)) };
+    return { link: this.journey.getJourneyShareLink(Number(id), user.id) };
   }
 
   @Post(':id/share-link')

server/src/nest/journey/journey.service.ts

@@ -61,7 +61,13 @@ export class JourneyService {
   removeContributor(id: number, userId: number, targetUserId: number) { return svc.removeContributor(id, userId, targetUserId); }
 
   // Share links
-  getJourneyShareLink(id: number) { return share.getJourneyShareLink(id); }
+  // Authorization: only someone with access to the journey may read its public
+  // share token — same access model as create/delete here and the
+  // get_journey_share_link MCP tool.
+  getJourneyShareLink(id: number, userId: number) {
+    if (!svc.canAccessJourney(id, userId)) return null;
+    return share.getJourneyShareLink(id);
+  }
   createOrUpdateJourneyShareLink(id: number, userId: number, data: Parameters<typeof share.createOrUpdateJourneyShareLink>[2]) { return share.createOrUpdateJourneyShareLink(id, userId, data); }
   deleteJourneyShareLink(id: number, userId: number) { return share.deleteJourneyShareLink(id, userId); }