Migrate TREK 3 to NestJS + React 19 with a shared Zod contract layer

Brownfield strangler migration of the backend onto NestJS modules
(auth, trips, days, places, assignments, packing, todo, budget,
reservations, collab, files, photos, journey, share, settings, backup,
oidc, oauth, admin, atlas, vacay, weather, airports, maps, categories,
tags, notifications, system-notices) served through a per-prefix
dispatcher, keeping the existing SQLite/better-sqlite3 DB and JWT
httpOnly cookie auth, with behavioural parity for every route.

Client: React 19 upgrade, "page = wiring container + data hook"
pattern across all pages, per-domain Zustand stores bound to
@trek/shared contracts, and decomposition of the large components
(DayPlanSidebar, PackingListPanel, CollabNotes, FileManager,
MemoriesPanel, PlacesSidebar, CollabChat, SystemNoticeModal,
BudgetPanel, PlaceFormModal, ...) into focused render units backed by
in-file hooks.

Apply the shared global request pipeline (helmet/CSP, CORS, HSTS,
forced HTTPS, the global MFA policy and request logging) to the NestJS
instance as well, so a migrated route is protected identically to the
legacy fallback rather than bypassing it.

client/e2e/auth.setup.ts

@@ -0,0 +1,42 @@
+import { test as setup, expect } from '@playwright/test'
+
+// Relative to the config dir (client/), matching `storageState` in
+// playwright.config.ts. Playwright runs from the client workspace root.
+const stateFile = 'e2e/.tmp/state.json'
+
+// Credentials match e2e/server-launch.mjs (ADMIN_EMAIL/ADMIN_PASSWORD). The
+// seeded admin is created with must_change_password=1, so the first login goes
+// through the forced change-password step before reaching the dashboard.
+const EMAIL = 'e2e@trek.local'
+const SEED_PW = 'E2eTest12345!'
+const NEW_PW = 'E2eChanged12345!'
+
+setup('authenticate the seeded admin (incl. forced password change)', async ({ page }) => {
+  await page.goto('/login')
+  await page.locator('input[type="email"]').fill(EMAIL)
+  await page.locator('input[type="password"]').fill(SEED_PW)
+  await page.locator('button[type="submit"]').click()
+
+  // must_change_password=1 → the change-password step renders two password
+  // fields (new + confirm). Selector-agnostic of the UI language.
+  const pw = page.locator('input[type="password"]')
+  await expect(pw).toHaveCount(2)
+  await pw.nth(0).fill(NEW_PW)
+  await pw.nth(1).fill(NEW_PW)
+  await page.locator('button[type="submit"]').click()
+
+  await page.waitForURL('**/dashboard', { timeout: 30_000 })
+
+  // Dismiss the first-run "Welcome to TREK" system-notice modal(s). It renders
+  // asynchronously (after the notices fetch), so wait for it before clicking.
+  // Dismissal is recorded server-side against this user, so clearing it here
+  // keeps it cleared for every authenticated flow in the run (shared test DB).
+  const ok = page.getByRole('button', { name: 'OK', exact: true })
+  await ok.waitFor({ state: 'visible', timeout: 10_000 }).catch(() => {})
+  for (let i = 0; i < 8 && (await ok.isVisible().catch(() => false)); i++) {
+    await ok.click()
+    await page.waitForTimeout(400)
+  }
+
+  await page.context().storageState({ path: stateFile })
+})

client/e2e/create-trip.spec.ts

@@ -0,0 +1,25 @@
+import { test, expect } from '@playwright/test'
+
+// Trip lifecycle (core): from the dashboard, open the new-trip modal, name the
+// trip, submit, and confirm it shows up on the dashboard. Exercises the whole
+// authenticated stack — dashboard → TripFormModal → POST /api/trips → store →
+// re-render — against the real backend + isolated test DB.
+test('create a trip and see it on the dashboard', async ({ page }) => {
+  await page.goto('/dashboard')
+
+  // The "+ New Trip" card is always rendered in the default (planned) filter.
+  await page.locator('.add-trip-card').click()
+
+  // Scope to the shared Modal (.modal-backdrop). Its form has no in-form submit
+  // button (the primary action lives in the footer), so click it explicitly
+  // rather than pressing Enter. The Create button is the slate primary button;
+  // Cancel is the bordered one.
+  const modal = page.locator('.modal-backdrop')
+  await expect(modal).toBeVisible()
+
+  const title = `E2E Trip ${Date.now()}`
+  await modal.locator('input[type="text"]').first().fill(title)
+  await modal.getByRole('button', { name: 'Create New Trip' }).click()
+
+  await expect(page.getByText(title).first()).toBeVisible({ timeout: 15_000 })
+})

client/e2e/dashboard.spec.ts

@@ -0,0 +1,10 @@
+import { test, expect } from '@playwright/test'
+
+// Authenticated smoke: the stored session lands on the dashboard and the
+// app chrome (navbar) renders instead of bouncing back to /login.
+test('authenticated session reaches the dashboard', async ({ page }) => {
+  await page.goto('/dashboard')
+  await expect(page).toHaveURL(/\/dashboard/)
+  // The shared Navbar shows the TREK brand once authenticated.
+  await expect(page.getByRole('img', { name: 'TREK' }).first()).toBeVisible()
+})

client/e2e/login.public.spec.ts

@@ -0,0 +1,8 @@
+import { test, expect } from '@playwright/test'
+
+// Infra smoke + first unauthenticated flow: the app boots, the backend is
+// reachable through the Vite proxy, and the login screen renders its form.
+test('login screen renders with a password field', async ({ page }) => {
+  await page.goto('/login')
+  await expect(page.locator('input[type="password"]')).toBeVisible()
+})

client/e2e/server-launch.mjs

@@ -0,0 +1,43 @@
+// Boots the TREK backend for the Playwright E2E run against a fresh, isolated
+// SQLite database. The DB file is deleted first so every run starts clean, then
+// the server's own startup seeds a known admin from ADMIN_EMAIL/ADMIN_PASSWORD.
+//
+// The server is built once and launched as a SINGLE node process (not the
+// watch-mode `npm run dev`, which spawns tsc -w + node --watch grandchildren
+// that survive Playwright's teardown and then linger on :3001 with stale DB
+// state). A single child is killed cleanly when Playwright tears the run down.
+import { rmSync } from 'node:fs'
+import { spawn, execSync } from 'node:child_process'
+import path from 'node:path'
+import { fileURLToPath } from 'node:url'
+
+const here = path.dirname(fileURLToPath(import.meta.url))
+const dbFile = path.join(here, '.tmp', 'e2e.db')
+const serverDir = path.join(here, '..', '..', 'server')
+
+for (const f of [dbFile, `${dbFile}-wal`, `${dbFile}-shm`]) {
+  try { rmSync(f, { force: true }) } catch {}
+}
+
+// Build once (no watcher) — the resulting process is a single killable node.
+execSync('node scripts/build.mjs', { cwd: serverDir, stdio: 'inherit' })
+
+const env = {
+  ...process.env,
+  TREK_DB_FILE: dbFile,
+  ADMIN_EMAIL: 'e2e@trek.local',
+  ADMIN_PASSWORD: 'E2eTest12345!',
+  PORT: '3001',
+  NODE_ENV: 'development',
+}
+
+const child = spawn(process.execPath, ['--require', 'tsconfig-paths/register', 'dist/index.js'], {
+  cwd: serverDir,
+  env,
+  stdio: 'inherit',
+})
+const stop = () => { try { child.kill() } catch {} }
+process.on('SIGINT', stop)
+process.on('SIGTERM', stop)
+process.on('exit', stop)
+child.on('exit', code => process.exit(code ?? 0))

client/e2e/trip-planner.spec.ts

@@ -0,0 +1,23 @@
+import { test, expect } from '@playwright/test'
+
+// Open a trip into the planner: create a trip, open it from the dashboard, and
+// confirm the trip planner (TripPlannerPage — the app's largest page) actually
+// mounts, proving the day-plan/map shell renders rather than crashing on load.
+test('open a trip and land in the planner with a map', async ({ page }) => {
+  await page.goto('/dashboard')
+
+  // Create a trip to open.
+  await page.locator('.add-trip-card').click()
+  const modal = page.locator('.modal-backdrop')
+  await expect(modal).toBeVisible()
+  const title = `E2E Planner ${Date.now()}`
+  await modal.locator('input[type="text"]').first().fill(title)
+  await modal.getByRole('button', { name: 'Create New Trip' }).click()
+
+  // Open it from the dashboard.
+  await page.getByText(title).first().click()
+
+  await expect(page).toHaveURL(/\/trips\/\d+/)
+  // The planner shows a Leaflet map once mounted (past the splash screen).
+  await expect(page.locator('.leaflet-container')).toBeVisible({ timeout: 20_000 })
+})