* feat(maps): add an OSM POI search endpoint (category within a viewport)
New /api/maps/pois queries OpenStreetMap via Overpass for places of a category
(restaurants, cafes, hotels, sights, …) inside a bounding box. OSM-only by design
— it never calls Google, even when a Google key is configured.
* feat(map): explore nearby places on the trip map (OSM category pill)
A floating, icon-only pill over the planner map lets you toggle a POI category and
see those OpenStreetMap places in the current view; clicking a marker opens the
add-place form pre-filled (name, address, website, phone). Single-select with a
'search this area' action after the map moves. Renders on both the Leaflet and
Mapbox maps, and can be turned off in settings (discussion #841).
* fix(planner): anchor timed places when optimising and route transports by location
- The day optimiser no longer reshuffles places that have a set time — they stay
anchored to their time, like locked places.
- The route now uses a transport's departure/arrival location as a waypoint when it
has one (e.g. a flight's airport), instead of breaking the route at every booking;
transports without a location are ignored for routing but still show their leg's
distance/duration under the booking.
* feat(admin): instance-wide Mapbox defaults in default user settings
Admins can set a shared Mapbox token (plus style, 3D and quality) as instance
defaults, so the whole instance can use Mapbox without each user pasting their own
key. Users without their own value inherit it via the existing admin-defaults
merge; the shared token is stored encrypted (discussion #920).
* feat(auth): passkey (WebAuthn) login — server endpoints, schema + admin toggle
Add @simplewebauthn/server registration and primary (discoverable) login ceremonies under /api/auth/passkey, a webauthn_credentials + single-use webauthn_challenges schema (migration), the instance-wide passkey_login toggle (default off) enforced before auth by a guard, and require_mfa satisfaction via a verified passkey. RP ID/origin come only from server config (webauthn_rp_id/origins -> APP_URL), never request headers.
* feat(auth): passkey enrolment, login button + admin settings UI
PasskeysSection in account settings (add/rename/remove with a current-password step-up), a 'Sign in with a passkey' button on the login page, the admin enable + RP-ID/origins controls, and a per-user admin reset action.
* i18n(auth): passkey strings across all locales
Add login/settings/admin passkey keys to en and all 19 translated locales.
Maurice