feat: public read-only share links with permissions — closes #79

Share links:
- Generate a public link in the trip share modal
- Choose what to share: Map & Plan, Bookings, Packing, Budget, Chat
- Permissions enforced server-side
- Delete link to revoke access instantly

Shared trip page (/shared/:token):
- Read-only view with TREK logo, cover image, trip details
- Tabbed navigation with Lucide icons (responsive on mobile)
- Interactive map with auto-fit bounds per day
- Day plan, Bookings, Packing, Budget, Chat views
- Language picker, TREK branding footer

Technical:
- share_tokens DB table with per-field permissions
- Public GET /shared/:token endpoint (no auth)
- Two-column share modal (max-w-5xl)

server/src/index.ts

@@ -81,6 +81,7 @@ app.use(express.urlencoded({ extended: true }));
 
 // Avatars are public (shown on login, sharing screens)
 app.use('/uploads/avatars', express.static(path.join(__dirname, '../uploads/avatars')));
+app.use('/uploads/covers', express.static(path.join(__dirname, '../uploads/covers')));
 
 // All other uploads require authentication
 app.get('/uploads/:type/:filename', (req: Request, res: Response) => {
@@ -163,6 +164,9 @@ app.use('/api/backup', backupRoutes);
 import notificationRoutes from './routes/notifications';
 app.use('/api/notifications', notificationRoutes);
 
+import shareRoutes from './routes/share';
+app.use('/api', shareRoutes);
+
 // Serve static files in production
 if (process.env.NODE_ENV === 'production') {
   const publicPath = path.join(__dirname, '../public');