feat: email notifications, webhook support, ICS export — closes #110

Email Notifications:
- SMTP configuration in Admin > Settings (host, port, user, pass, from)
- App URL setting for email CTA links
- Webhook URL support (Discord, Slack, custom)
- Test email button with SMTP validation
- Beautiful HTML email template with TREK logo, slogan, red heart footer
- All notification texts translated in 8 languages (en/de/fr/es/nl/ru/zh/ar)
- Emails sent in each user's language preference

Notification Events:
- Trip invitation (member added)
- Booking created (new reservation)
- Vacay fusion invite
- Photos shared (Immich)
- Collab chat message
- Packing list category assignment

User Notification Preferences:
- Per-user toggle for each event type in Settings
- Addon-aware: Vacay/Collab/Photos toggles hidden when addon disabled
- Webhook opt-in per user

ICS Calendar Export:
- Download button next to PDF in day plan header
- Exports trip dates + all reservations with details
- Compatible with Google Calendar, Apple Calendar, Outlook

Technical:
- Nodemailer for SMTP
- notification_preferences DB table with per-event columns
- GET/PUT /auth/app-settings for admin config persistence
- POST /notifications/test-smtp for validation
- Dynamic imports for non-blocking notification sends

server/src/routes/auth.ts

@@ -515,17 +515,33 @@ router.get('/validate-keys', authenticate, async (req: Request, res: Response) =
   res.json(result);
 });
 
+const ADMIN_SETTINGS_KEYS = ['allow_registration', 'allowed_file_types', 'smtp_host', 'smtp_port', 'smtp_user', 'smtp_pass', 'smtp_from', 'notification_webhook_url', 'app_url'];
+
+router.get('/app-settings', authenticate, (req: Request, res: Response) => {
+  const authReq = req as AuthRequest;
+  const user = db.prepare('SELECT role FROM users WHERE id = ?').get(authReq.user.id) as { role: string } | undefined;
+  if (user?.role !== 'admin') return res.status(403).json({ error: 'Admin access required' });
+
+  const result: Record<string, string> = {};
+  for (const key of ADMIN_SETTINGS_KEYS) {
+    const row = db.prepare("SELECT value FROM app_settings WHERE key = ?").get(key) as { value: string } | undefined;
+    if (row) result[key] = key === 'smtp_pass' ? '••••••••' : row.value;
+  }
+  res.json(result);
+});
+
 router.put('/app-settings', authenticate, (req: Request, res: Response) => {
   const authReq = req as AuthRequest;
   const user = db.prepare('SELECT role FROM users WHERE id = ?').get(authReq.user.id) as { role: string } | undefined;
   if (user?.role !== 'admin') return res.status(403).json({ error: 'Admin access required' });
 
-  const { allow_registration, allowed_file_types } = req.body;
-  if (allow_registration !== undefined) {
-    db.prepare("INSERT OR REPLACE INTO app_settings (key, value) VALUES ('allow_registration', ?)").run(String(allow_registration));
-  }
-  if (allowed_file_types !== undefined) {
-    db.prepare("INSERT OR REPLACE INTO app_settings (key, value) VALUES ('allowed_file_types', ?)").run(String(allowed_file_types));
+  for (const key of ADMIN_SETTINGS_KEYS) {
+    if (req.body[key] !== undefined) {
+      const val = String(req.body[key]);
+      // Don't save masked password
+      if (key === 'smtp_pass' && val === '••••••••') continue;
+      db.prepare("INSERT OR REPLACE INTO app_settings (key, value) VALUES (?, ?)").run(key, val);
+    }
   }
   res.json({ success: true });
 });

server/src/routes/collab.ts

@@ -419,6 +419,13 @@ router.post('/messages', authenticate, validateStringLengths({ text: 5000 }), (r
   const formatted = formatMessage(message);
   res.status(201).json({ message: formatted });
   broadcast(tripId, 'collab:message:created', { message: formatted }, req.headers['x-socket-id'] as string);
+
+  // Notify trip members about new chat message
+  import('../services/notifications').then(({ notifyTripMembers }) => {
+    const tripInfo = db.prepare('SELECT title FROM trips WHERE id = ?').get(tripId) as { title: string } | undefined;
+    const preview = text.trim().length > 80 ? text.trim().substring(0, 80) + '...' : text.trim();
+    notifyTripMembers(Number(tripId), authReq.user.id, 'collab_message', { trip: tripInfo?.title || 'Untitled', actor: authReq.user.username, preview }).catch(() => {});
+  });
 });
 
 router.post('/messages/:id/react', authenticate, (req: Request, res: Response) => {

server/src/routes/immich.ts

@@ -155,6 +155,14 @@ router.post('/trips/:tripId/photos', authenticate, (req: Request, res: Response)
 
   res.json({ success: true, added });
   broadcast(tripId, 'memories:updated', { userId: authReq.user.id }, req.headers['x-socket-id'] as string);
+
+  // Notify trip members about shared photos
+  if (shared && added > 0) {
+    import('../services/notifications').then(({ notifyTripMembers }) => {
+      const tripInfo = db.prepare('SELECT title FROM trips WHERE id = ?').get(tripId) as { title: string } | undefined;
+      notifyTripMembers(Number(tripId), authReq.user.id, 'photos_shared', { trip: tripInfo?.title || 'Untitled', actor: authReq.user.username, count: String(added) }).catch(() => {});
+    });
+  }
 });
 
 // Remove a photo from a trip (own photos only)

server/src/routes/notifications.ts

@@ -0,0 +1,58 @@
+import express, { Request, Response } from 'express';
+import { db } from '../db/database';
+import { authenticate } from '../middleware/auth';
+import { AuthRequest } from '../types';
+import { testSmtp } from '../services/notifications';
+
+const router = express.Router();
+
+// Get user's notification preferences
+router.get('/preferences', authenticate, (req: Request, res: Response) => {
+  const authReq = req as AuthRequest;
+  let prefs = db.prepare('SELECT * FROM notification_preferences WHERE user_id = ?').get(authReq.user.id);
+  if (!prefs) {
+    db.prepare('INSERT INTO notification_preferences (user_id) VALUES (?)').run(authReq.user.id);
+    prefs = db.prepare('SELECT * FROM notification_preferences WHERE user_id = ?').get(authReq.user.id);
+  }
+  res.json({ preferences: prefs });
+});
+
+// Update user's notification preferences
+router.put('/preferences', authenticate, (req: Request, res: Response) => {
+  const authReq = req as AuthRequest;
+  const { notify_trip_invite, notify_booking_change, notify_trip_reminder, notify_webhook } = req.body;
+
+  // Ensure row exists
+  const existing = db.prepare('SELECT id FROM notification_preferences WHERE user_id = ?').get(authReq.user.id);
+  if (!existing) {
+    db.prepare('INSERT INTO notification_preferences (user_id) VALUES (?)').run(authReq.user.id);
+  }
+
+  db.prepare(`UPDATE notification_preferences SET
+    notify_trip_invite = COALESCE(?, notify_trip_invite),
+    notify_booking_change = COALESCE(?, notify_booking_change),
+    notify_trip_reminder = COALESCE(?, notify_trip_reminder),
+    notify_webhook = COALESCE(?, notify_webhook)
+    WHERE user_id = ?`).run(
+    notify_trip_invite !== undefined ? (notify_trip_invite ? 1 : 0) : null,
+    notify_booking_change !== undefined ? (notify_booking_change ? 1 : 0) : null,
+    notify_trip_reminder !== undefined ? (notify_trip_reminder ? 1 : 0) : null,
+    notify_webhook !== undefined ? (notify_webhook ? 1 : 0) : null,
+    authReq.user.id
+  );
+
+  const prefs = db.prepare('SELECT * FROM notification_preferences WHERE user_id = ?').get(authReq.user.id);
+  res.json({ preferences: prefs });
+});
+
+// Admin: test SMTP configuration
+router.post('/test-smtp', authenticate, async (req: Request, res: Response) => {
+  const authReq = req as AuthRequest;
+  if (authReq.user.role !== 'admin') return res.status(403).json({ error: 'Admin only' });
+
+  const { email } = req.body;
+  const result = await testSmtp(email || authReq.user.email);
+  res.json(result);
+});
+
+export default router;

server/src/routes/packing.ts

@@ -278,6 +278,18 @@ router.put('/category-assignees/:categoryName', authenticate, (req: Request, res
 
   res.json({ assignees: rows });
   broadcast(tripId, 'packing:assignees', { category: cat, assignees: rows }, req.headers['x-socket-id'] as string);
+
+  // Notify newly assigned users
+  if (Array.isArray(user_ids) && user_ids.length > 0) {
+    import('../services/notifications').then(({ notify }) => {
+      const tripInfo = db.prepare('SELECT title FROM trips WHERE id = ?').get(tripId) as { title: string } | undefined;
+      for (const uid of user_ids) {
+        if (uid !== authReq.user.id) {
+          notify({ userId: uid, event: 'packing_tagged', params: { trip: tripInfo?.title || 'Untitled', actor: authReq.user.username, category: cat } }).catch(() => {});
+        }
+      }
+    });
+  }
 });
 
 router.put('/reorder', authenticate, (req: Request, res: Response) => {

server/src/routes/reservations.ts

@@ -101,6 +101,12 @@ router.post('/', authenticate, (req: Request, res: Response) => {
 
   res.status(201).json({ reservation });
   broadcast(tripId, 'reservation:created', { reservation }, req.headers['x-socket-id'] as string);
+
+  // Notify trip members about new booking
+  import('../services/notifications').then(({ notifyTripMembers }) => {
+    const tripInfo = db.prepare('SELECT title FROM trips WHERE id = ?').get(tripId) as { title: string } | undefined;
+    notifyTripMembers(Number(tripId), authReq.user.id, 'booking_change', { trip: tripInfo?.title || 'Untitled', actor: authReq.user.username, booking: title, type: type || 'booking' }).catch(() => {});
+  });
 });
 
 // Batch update day_plan_position for multiple reservations (must be before /:id)

server/src/routes/trips.ts

@@ -284,6 +284,12 @@ router.post('/:id/members', authenticate, (req: Request, res: Response) => {
 
   db.prepare('INSERT INTO trip_members (trip_id, user_id, invited_by) VALUES (?, ?, ?)').run(req.params.id, target.id, authReq.user.id);
 
+  // Notify invited user
+  const tripInfo = db.prepare('SELECT title FROM trips WHERE id = ?').get(req.params.id) as { title: string } | undefined;
+  import('../services/notifications').then(({ notify }) => {
+    notify({ userId: target.id, event: 'trip_invite', params: { trip: tripInfo?.title || 'Untitled', actor: authReq.user.username } }).catch(() => {});
+  });
+
   res.status(201).json({ member: { ...target, role: 'member', avatar_url: target.avatar ? `/uploads/avatars/${target.avatar}` : null } });
 });
 
@@ -301,4 +307,69 @@ router.delete('/:id/members/:userId', authenticate, (req: Request, res: Response
   res.json({ success: true });
 });
 
+// ICS calendar export
+router.get('/:id/export.ics', authenticate, (req: Request, res: Response) => {
+  const authReq = req as AuthRequest;
+  if (!canAccessTrip(req.params.id, authReq.user.id))
+    return res.status(404).json({ error: 'Trip not found' });
+
+  const trip = db.prepare('SELECT * FROM trips WHERE id = ?').get(req.params.id) as any;
+  if (!trip) return res.status(404).json({ error: 'Trip not found' });
+
+  const days = db.prepare('SELECT * FROM days WHERE trip_id = ? ORDER BY day_number ASC').all(req.params.id) as any[];
+  const reservations = db.prepare('SELECT * FROM reservations WHERE trip_id = ?').all(req.params.id) as any[];
+
+  const esc = (s: string) => s.replace(/[\\;,\n]/g, m => m === '\n' ? '\\n' : '\\' + m);
+  const fmtDate = (d: string) => d.replace(/-/g, '');
+  const fmtDateTime = (d: string) => d.replace(/[-:]/g, '').replace('T', 'T') + (d.includes('T') ? '00' : '');
+  const uid = (id: number, type: string) => `trek-${type}-${id}@trek`;
+
+  let ics = 'BEGIN:VCALENDAR\r\nVERSION:2.0\r\nPRODID:-//TREK//Travel Planner//EN\r\nCALSCALE:GREGORIAN\r\nMETHOD:PUBLISH\r\n';
+  ics += `X-WR-CALNAME:${esc(trip.title || 'TREK Trip')}\r\n`;
+
+  // Trip as all-day event
+  if (trip.start_date && trip.end_date) {
+    const endNext = new Date(trip.end_date + 'T00:00:00');
+    endNext.setDate(endNext.getDate() + 1);
+    const endStr = endNext.toISOString().split('T')[0].replace(/-/g, '');
+    ics += `BEGIN:VEVENT\r\nUID:${uid(trip.id, 'trip')}\r\nDTSTART;VALUE=DATE:${fmtDate(trip.start_date)}\r\nDTEND;VALUE=DATE:${endStr}\r\nSUMMARY:${esc(trip.title || 'Trip')}\r\n`;
+    if (trip.description) ics += `DESCRIPTION:${esc(trip.description)}\r\n`;
+    ics += `END:VEVENT\r\n`;
+  }
+
+  // Reservations as events
+  for (const r of reservations) {
+    if (!r.reservation_time) continue;
+    const hasTime = r.reservation_time.includes('T');
+    const meta = r.metadata ? (typeof r.metadata === 'string' ? JSON.parse(r.metadata) : r.metadata) : {};
+
+    ics += `BEGIN:VEVENT\r\nUID:${uid(r.id, 'res')}\r\n`;
+    if (hasTime) {
+      ics += `DTSTART:${fmtDateTime(r.reservation_time)}\r\n`;
+      if (r.reservation_end_time) ics += `DTEND:${fmtDateTime(r.reservation_end_time)}\r\n`;
+    } else {
+      ics += `DTSTART;VALUE=DATE:${fmtDate(r.reservation_time)}\r\n`;
+    }
+    ics += `SUMMARY:${esc(r.title)}\r\n`;
+
+    let desc = r.type ? `Type: ${r.type}` : '';
+    if (r.confirmation_number) desc += `\\nConfirmation: ${r.confirmation_number}`;
+    if (meta.airline) desc += `\\nAirline: ${meta.airline}`;
+    if (meta.flight_number) desc += `\\nFlight: ${meta.flight_number}`;
+    if (meta.departure_airport) desc += `\\nFrom: ${meta.departure_airport}`;
+    if (meta.arrival_airport) desc += `\\nTo: ${meta.arrival_airport}`;
+    if (meta.train_number) desc += `\\nTrain: ${meta.train_number}`;
+    if (r.notes) desc += `\\n${r.notes}`;
+    if (desc) ics += `DESCRIPTION:${desc}\r\n`;
+    if (r.location) ics += `LOCATION:${esc(r.location)}\r\n`;
+    ics += `END:VEVENT\r\n`;
+  }
+
+  ics += 'END:VCALENDAR\r\n';
+
+  res.setHeader('Content-Type', 'text/calendar; charset=utf-8');
+  res.setHeader('Content-Disposition', `attachment; filename="${esc(trip.title || 'trek-trip')}.ics"`);
+  res.send(ics);
+});
+
 export default router;

server/src/routes/vacay.ts

@@ -349,6 +349,11 @@ router.post('/invite', (req: Request, res: Response) => {
     });
   } catch { /* websocket not available */ }
 
+  // Notify invited user
+  import('../services/notifications').then(({ notify }) => {
+    notify({ userId: user_id, event: 'vacay_invite', params: { actor: authReq.user.username } }).catch(() => {});
+  });
+
   res.json({ success: true });
 });