chore: bump version to 3.0.8 [skip ci]

* fix(packing): resolve avatar URL path in bag and category assignees (#854)

packingService was returning raw avatar filenames from the DB instead of
the full /uploads/avatars/<filename> path, causing broken profile images
for users with uploaded avatars.

* fix(budget): use Map.get() to fix category rename no-op (#855)

* fix(security): relax Referrer-Policy and document HSTS_INCLUDE_SUBDOMAINS (#862) (#863)

- Change Helmet default from no-referrer to strict-origin-when-cross-origin
  so browsers send the origin on cross-origin requests, allowing Google Maps
  API key restrictions by HTTP referrer to work correctly
- Document HSTS_INCLUDE_SUBDOMAINS in all deployment artifacts:
  .env.example, docker-compose.yml, README.md, unraid-template.xml,
  charts/values.yaml, charts/configmap.yaml, wiki/Environment-Variables.md

* fix(planner): prefetch budget items on trip page mount (#864)

Loads budgetItems alongside reservations when TripPlannerPage mounts so
the Budget category dropdown in ReservationModal and TransportModal shows
pre-existing categories on first open, regardless of whether the Budget
tab has been visited.

Closes #861

* fix(reservations): prevent Invalid Date when end time is set without end date (#866)

When reservation_end_time held a bare time string ("HH:MM"), fmtDate()
produced Invalid Date on the reservation card.

- Modal: when end date is blank but end time is filled, construct a
  same-day ISO datetime using the start date (prevents time-only strings
  from ever being persisted)
- Panel: derive endDatePart via regex so date-only end values ("YYYY-MM-DD")
  still show the multi-day range, while bare time strings are skipped and
  handled correctly by the existing time column logic

Closes #860

* fix(planner): format reservation end time instead of rendering raw ISO string (#867)

Closes #859

* fix(planner): wire Route toggle into mobile day sidebar (#850) (#868)

The per-booking Route icon was missing on mobile because the mobile
DayPlanSidebar invocation in TripPlannerPage didn't pass
visibleConnectionIds or onToggleConnection. Mobile PWA users couldn't
activate reservation map overlays without forcing desktop mode.

Also corrects the Map-Features wiki: fixes the setting name
("Booking route labels" not "Show connection labels"), documents the
route_calculation requirement for travel-time pills, and explains that
overlays are off by default and must be toggled per reservation.

TRADEMARKS.md

@@ -1,121 +0,0 @@
-# Trademark Policy
-
-## Introduction
-
-This is the TREK project's policy for the use of our trademarks. While TREK is
-available under the GNU Affero General Public License v3.0 (AGPL-3.0), that
-license does not include a license to use our trademarks.
-
-This policy describes how you may use our trademarks. Our goal is to strike a
-balance between: 1) our need to ensure that our trademarks remain reliable
-indicators of the software we release; and 2) our community members' desire to
-be full participants in the TREK project.
-
-## Our trademarks
-
-This policy covers the name "TREK" as well as any associated logos, trade dress,
-goodwill, or designs (our "Marks").
-
-## In general
-
-Whenever you use our Marks, you must always do so in a way that does not mislead
-anyone about exactly who is the source of the software. For example, you cannot
-say you are distributing TREK when you're distributing a modified version of it,
-because people would think they would be getting the same software that they
-can get directly from us when they aren't. You also cannot use our Marks on
-your website in a way that suggests that your website is an official TREK
-website or that we endorse your website. But, if true, you can say you like
-TREK, that you participate in the TREK community, that you are providing an
-unmodified version of TREK, or that you wrote a guide describing how to use
-TREK.
-
-This fundamental requirement, that it is always clear to people what they are
-getting and from whom, is reflected throughout this policy. It should also
-serve as your guide if you are not sure about how you are using the Marks.
-
-In addition:
-
-* You may not use or register, in whole or in part, the Marks as part of your
-  own trademark, service mark, domain name, company name, trade name, product
-  name or service name.
-* Trademark law does not allow your use of names or trademarks that are too
-  similar to ours. You therefore may not use an obvious variation of any of our
-  Marks or any phonetic equivalent, foreign language equivalent, takeoff, or
-  abbreviation for a similar or compatible product or service.
-* You agree that you will not acquire any rights in the Marks and that any
-  goodwill generated by your use of the Marks and participation in our
-  community inures solely to our benefit.
-
-## Distribution of unmodified source code or unmodified executable code we have compiled
-
-When you redistribute an unmodified copy of TREK, you are not changing the
-quality or nature of it. Therefore, you may retain the Marks we have placed on
-the software to identify your redistribution. This kind of use only applies if
-you are redistributing an official TREK distribution that has not been changed
-in any way.
-
-## Distribution of executable code that you have compiled, or modified code
-
-You may use the word mark "TREK", but not any TREK logos, to truthfully
-describe the origin of the software that you are providing, that is, that the
-code you are distributing is a modification of TREK. You may say, for example,
-that "this software is derived from the source code for TREK."
-
-Of course, you can place your own trademarks or logos on versions of the
-software to which you have made substantive modifications, because by modifying
-the software, you have become the origin of that exact version. In that case,
-you should not use our Marks.
-
-However, you may use our Marks for the distribution of code (source or
-executable) on the condition that any executable is built from an official TREK
-source code release and that any modifications are limited to switching on or
-off features already included in the software, translations into other
-languages, and incorporating minor bug-fix patches. Use of our Marks on any
-further modification is not permitted.
-
-## Mobile wrappers, hosted instances, and forks
-
-The following clarifications apply specifically to common ways TREK is
-redistributed:
-
-* **Self-hosted instances of unmodified TREK.** You may refer to your instance
-  as "a TREK instance" or "running TREK." You may not name the service itself
-  in a way that suggests it is the official TREK ("TREK Cloud," "TREK
-  Official," etc.).
-* **Mobile wrappers (WebView shells, Capacitor apps, native apps) pointing at
-  TREK.** You may describe your app as "a mobile client for TREK" or "for use
-  with TREK." You may not publish it on app stores under the name "TREK" or a
-  confusingly similar name, and you may not use the TREK logo as the app icon
-  unless your wrapper distributes only an unmodified, official TREK instance
-  and you have obtained permission.
-* **Forks of the TREK source code.** Forks that diverge from upstream must use
-  a different name. You may state that your fork is "based on TREK" or "a fork
-  of TREK," but the project name itself must be your own.
-
-## Statements about your software's relation to TREK
-
-You may use the word mark, but not TREK logos, to truthfully describe the
-relationship between your software and ours. The word mark "TREK" should be
-used after a verb or preposition that describes the relationship between your
-software and ours. So you may say, for example, "Bob's app for TREK" but may
-not say "Bob's TREK app." Some other examples that may work for you are:
-
-* [Your software] uses TREK
-* [Your software] is powered by TREK
-* [Your software] runs on TREK
-* [Your software] for use with TREK
-* [Your software] for TREK
-
-## Questions and permission requests
-
-If you are not sure whether your intended use of the Marks is permitted under
-this policy, or if you would like to request explicit permission for a use that
-is not covered, please open an issue on the TREK GitHub repository or contact
-the maintainers directly.
-
----
-
-These guidelines are based on the
-[Model Trademark Guidelines](http://www.modeltrademarkguidelines.org), used
-under a
-[Creative Commons Attribution 3.0 Unported license](https://creativecommons.org/licenses/by/3.0/deed.en_US).

charts/trek/Chart.yaml

@@ -1,5 +1,5 @@
 apiVersion: v2
 name: trek
-version: 3.0.9
+version: 3.0.8
 description: Minimal Helm chart for TREK app
-appVersion: "3.0.9"
+appVersion: "3.0.8"

client/package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "trek-client",
-  "version": "3.0.9",
+  "version": "3.0.8",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "trek-client",
-      "version": "3.0.9",
+      "version": "3.0.8",
       "dependencies": {
         "@react-pdf/renderer": "^4.3.2",
         "axios": "^1.6.7",
@@ -8907,9 +8907,9 @@
       }
     },
     "node_modules/postcss": {
-      "version": "8.5.10",
-      "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.10.tgz",
-      "integrity": "sha512-pMMHxBOZKFU6HgAZ4eyGnwXF/EvPGGqUr0MnZ5+99485wwW41kW91A4LOGxSHhgugZmSChL5AlElNdwlNgcnLQ==",
+      "version": "8.5.9",
+      "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.9.tgz",
+      "integrity": "sha512-7a70Nsot+EMX9fFU3064K/kdHWZqGVY+BADLyXc8Dfv+mTLLVl6JzJpPaCZ2kQL9gIJvKXSLMHhqdRRjwQeFtw==",
       "dev": true,
       "funding": [
         {

client/package.json

@@ -1,6 +1,6 @@
 {
   "name": "trek-client",
-  "version": "3.0.9",
+  "version": "3.0.8",
   "private": true,
   "type": "module",
   "scripts": {

client/src/components/Layout/DemoBanner.tsx

@@ -266,22 +266,17 @@ export default function DemoBanner(): React.ReactElement | null {
 
   return (
     <div style={{
-      position: 'fixed', inset: 0, zIndex: 99999,
+      position: 'fixed', inset: 0, zIndex: 9999,
       background: 'rgba(0,0,0,0.6)', backdropFilter: 'blur(8px)',
       display: 'flex', alignItems: 'center', justifyContent: 'center',
-      paddingTop: 'max(16px, env(safe-area-inset-top))',
-      paddingBottom: 'max(16px, calc(env(safe-area-inset-bottom) + 80px))',
-      paddingLeft: 16, paddingRight: 16,
-      overflow: 'auto',
+      padding: 16, overflow: 'auto',
       fontFamily: "-apple-system, BlinkMacSystemFont, 'SF Pro Text', system-ui, sans-serif",
     }} onClick={() => setDismissed(true)}>
       <div style={{
-        background: 'white', borderRadius: 20, padding: '28px 24px 0',
+        background: 'white', borderRadius: 20, padding: '28px 24px 20px',
         maxWidth: 480, width: '100%',
         boxShadow: '0 20px 60px rgba(0,0,0,0.3)',
-        maxHeight: 'min(90vh, calc(100dvh - 96px))',
-        overflow: 'auto',
-        display: 'flex', flexDirection: 'column',
+        maxHeight: '90vh', overflow: 'auto',
       }} onClick={(e: React.MouseEvent<HTMLDivElement>) => e.stopPropagation()}>
 
         {/* Header */}
@@ -372,10 +367,8 @@ export default function DemoBanner(): React.ReactElement | null {
 
         {/* Footer */}
         <div style={{
-          padding: '14px 0 20px', borderTop: '1px solid #e5e7eb',
+          paddingTop: 14, borderTop: '1px solid #e5e7eb',
           display: 'flex', alignItems: 'center', justifyContent: 'space-between',
-          position: 'sticky', bottom: 0, background: 'white',
-          marginTop: 'auto',
         }}>
           <div style={{ display: 'flex', alignItems: 'center', gap: 6, fontSize: 11, color: '#9ca3af' }}>
             <Github size={13} />

server/package.json

@@ -1,6 +1,6 @@
 {
   "name": "trek-server",
-  "version": "3.0.9",
+  "version": "3.0.8",
   "main": "src/index.ts",
   "scripts": {
     "start": "node --import tsx src/index.ts",
@@ -23,7 +23,6 @@
     "express": "^4.18.3",
     "fast-xml-parser": "^5.5.10",
     "helmet": "^8.1.0",
-    "jimp": "^1.6.1",
     "jsonwebtoken": "^9.0.2",
     "multer": "^2.1.1",
     "node-cron": "^4.2.1",
@@ -31,6 +30,7 @@
     "otplib": "^12.0.1",
     "qrcode": "^1.5.4",
     "semver": "^7.7.4",
+    "sharp": "^0.34.5",
     "tsx": "^4.21.0",
     "typescript": "^6.0.2",
     "undici": "^7.0.0",

server/src/services/memories/thumbnailService.ts

@@ -1,9 +1,7 @@
-import { Jimp } from 'jimp'
+import sharp from 'sharp'
 import path from 'path'
 import fs from 'fs/promises'
 import crypto from 'crypto'
-import { isAddonEnabled } from '../adminService'
-import { ADDON_IDS } from '../../addons'
 
 const THUMB_MAX = 800
 const THUMB_QUALITY = 80
@@ -12,14 +10,12 @@ export async function ensureLocalThumbnail(
   uploadsRoot: string,
   originalRelPath: string,
 ): Promise<{ thumbnailRelPath: string; width: number; height: number } | null> {
-  if (!isAddonEnabled(ADDON_IDS.JOURNEY)) return null
-
   const originalAbs = path.join(uploadsRoot, originalRelPath)
   try { await fs.access(originalAbs) } catch { return null }
 
   // Deterministic name so concurrent requests don't race on the same photo.
   const hash = crypto.createHash('sha1').update(originalRelPath).digest('hex').slice(0, 16)
-  const thumbRel = `journey/thumbs/${hash}.jpg`
+  const thumbRel = `journey/thumbs/${hash}.webp`
   const thumbAbs = path.join(uploadsRoot, thumbRel)
 
   try {
@@ -28,21 +24,18 @@ export async function ensureLocalThumbnail(
       fs.stat(thumbAbs).catch(() => null),
     ])
     if (dstStat && dstStat.mtimeMs >= srcStat.mtimeMs) {
-      const img = await Jimp.read(thumbAbs)
-      return { thumbnailRelPath: thumbRel, width: img.bitmap.width, height: img.bitmap.height }
+      const meta = await sharp(thumbAbs).metadata()
+      return { thumbnailRelPath: thumbRel, width: meta.width ?? 0, height: meta.height ?? 0 }
     }
 
     await fs.mkdir(path.dirname(thumbAbs), { recursive: true })
-
-    // Jimp auto-applies EXIF orientation on read, matching sharp's .rotate() behavior.
-    const img = await Jimp.read(originalAbs)
-    const { width: w, height: h } = img.bitmap
-    if (w > THUMB_MAX || h > THUMB_MAX) {
-      img.scaleToFit({ w: THUMB_MAX, h: THUMB_MAX })
-    }
-    await img.write(thumbAbs as `${string}.jpg`, { quality: THUMB_QUALITY })
-
-    return { thumbnailRelPath: thumbRel, width: img.bitmap.width, height: img.bitmap.height }
+    await sharp(originalAbs)
+      .rotate()
+      .resize({ width: THUMB_MAX, height: THUMB_MAX, fit: 'inside', withoutEnlargement: true })
+      .webp({ quality: THUMB_QUALITY })
+      .toFile(thumbAbs)
+    const meta = await sharp(thumbAbs).metadata()
+    return { thumbnailRelPath: thumbRel, width: meta.width ?? 0, height: meta.height ?? 0 }
   } catch {
     // Unsupported format, corrupt file, etc. — fall back to original in caller.
     return null

server/src/services/reservationService.ts

@@ -61,24 +61,16 @@ function resolveDayIdFromTime(
   return row?.id ?? null;
 }
 
-function saveEndpoints(reservationId: number, endpoints: EndpointInput[]): void {
-  // Bind the transaction lazily on each call. Binding at module load time
-  // captures the DB connection that was open then, which becomes invalid
-  // after demo-reset / restore-from-backup closes and reinitialises the
-  // connection — every later endpoint save would throw
-  // "The database connection is not open".
-  const tx = db.transaction((rid: number, eps: EndpointInput[]) => {
-    db.prepare('DELETE FROM reservation_endpoints WHERE reservation_id = ?').run(rid);
-    const insert = db.prepare(`
-      INSERT INTO reservation_endpoints (reservation_id, role, sequence, name, code, lat, lng, timezone, local_time, local_date)
-      VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
-    `);
-    eps.forEach((e, i) => {
-      insert.run(rid, e.role, e.sequence ?? i, e.name, e.code ?? null, e.lat, e.lng, e.timezone ?? null, e.local_time ?? null, e.local_date ?? null);
-    });
+const saveEndpoints = db.transaction((reservationId: number, endpoints: EndpointInput[]) => {
+  db.prepare('DELETE FROM reservation_endpoints WHERE reservation_id = ?').run(reservationId);
+  const insert = db.prepare(`
+    INSERT INTO reservation_endpoints (reservation_id, role, sequence, name, code, lat, lng, timezone, local_time, local_date)
+    VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+  `);
+  endpoints.forEach((e, i) => {
+    insert.run(reservationId, e.role, e.sequence ?? i, e.name, e.code ?? null, e.lat, e.lng, e.timezone ?? null, e.local_time ?? null, e.local_date ?? null);
   });
-  tx(reservationId, endpoints);
-}
+});
 
 export function listReservations(tripId: string | number) {
   const reservations = db.prepare(`

wiki/Photo-Providers.md

@@ -29,25 +29,10 @@ Go to **Settings → Integrations → Photo Providers**. Each enabled provider s
 |-------|----------|-------|
 | Server URL | Yes | Full URL of your Immich instance, e.g. `https://immich.example.com` |
 | API Key | Yes | Stored encrypted; never returned to the browser after saving |
-| Mirror journey photos to Immich on upload | No | Checkbox; when enabled, photos you upload in TREK are also pushed to your Immich library |
+| Auto-upload to Immich | No | Checkbox; when enabled, photos you upload in TREK are also pushed to your Immich library |
 
 Enter the full URL of your Immich instance and an Immich API key. The API key is stored encrypted on the TREK server and is never returned to the browser after it is saved.
 
-#### Required API key permissions
-
-When generating the API key in Immich (**Account Settings → API Keys**), grant only the scopes TREK actually uses:
-
-| Permission | Why TREK needs it |
-|------------|-------------------|
-| `user.read` | Verify the API key and identify the connected account |
-| `timeline.read` | Browse photos by date |
-| `asset.read` | Read photo metadata and search results |
-| `asset.view` | Load thumbnails and preview images |
-| `album.read` | List owned + shared albums and their contents |
-| `asset.upload` | *Only if you enable "Mirror journey photos to Immich on upload"* — push TREK uploads back to your library |
-
-TREK never modifies or deletes anything in Immich, so no `update`, `delete`, or admin scopes are needed.
-
 ### Synology Photos
 
 | Field | Required | Notes |
@@ -58,17 +43,6 @@ TREK never modifies or deletes anything in Immich, so no `update`, `delete`, or
 | OTP code | No | One-time password for 2FA; only needed on first connection or when re-authenticating |
 | Skip SSL verification | No | Checkbox; disable TLS certificate validation for self-signed certificates |
 
-#### Required DSM account permissions
-
-Synology Photos doesn't use API keys — TREK signs in with a regular DSM user account. To minimize blast radius, create a **dedicated low-privilege DSM user** for TREK rather than reusing your admin account:
-
-- A standard (non-admin) DSM user account is sufficient.
-- The account must have access to the **Synology Photos** package (DSM → **Control Panel → User & Group → [user] → Applications**, allow Synology Photos).
-- The account must be able to log in to DSM (not disabled, not IP-blocked).
-- Network access to DSM (typically port `5000` HTTP / `5001` HTTPS, or your reverse-proxy host).
-- 2FA is supported — enter the OTP at first connection; TREK stores the resulting device token so you won't be re-prompted on subsequent saves.
-- Read-only access is enough — TREK only lists albums, lists items, runs searches, and fetches thumbnails. It never writes, uploads, or deletes.
-
 ---
 
 ## Testing the connection

wiki/Troubleshooting.md

@@ -223,23 +223,6 @@ If `ALLOWED_ORIGINS` is not set, TREK allows all origins (development default).
 
 ---
 
-## MCP OAuth flow does not initiate / "Connect" redirects but authentication never starts
-
-**Cause:** TREK builds the OAuth 2.1 redirect URI from `APP_URL`. If `APP_URL` is not set, the authorization URL is constructed from a localhost fallback that external clients (Claude.ai, Claude Desktop) cannot reach, so the OAuth handshake never completes.
-
-**Fix:** Set `APP_URL` to the public URL of your instance:
-
-```yaml
-environment:
-  - APP_URL=https://trek.example.com
-```
-
-Restart the container after adding the variable. Once set, clicking **Connect** in the MCP client should redirect to your TREK instance and complete the OAuth flow normally.
-
-> **Note:** `APP_URL` is required for any MCP OAuth integration. Without it, the authorization endpoint resolves to `http://localhost:<PORT>`, which is unreachable from external MCP clients.
-
----
-
 ## MCP integration: "Too many requests" or "Session limit reached"
 
 **Cause:** Each user is limited to 300 MCP requests per minute and 20 concurrent sessions by default. Exceeding either limit returns a `429` response.