feat(auth): add "Remember me" checkbox to extend session lifetime (#1189)

Adds a "Remember me" checkbox to the login form (single responsive page,
covers mobile + desktop). Unchecked (default) issues the existing
SESSION_DURATION JWT with a browser-session cookie (no maxAge); checked
issues a longer-lived JWT plus a persistent cookie sized by the new
SESSION_DURATION_REMEMBER env var (default 30d). The choice is threaded
through the MFA verify leg so it survives the step-up.

Register/demo logins keep their current persistent behaviour.

.github/workflows/security.yml

@@ -34,4 +34,5 @@ jobs:
           command: cves
           image: trek:scan
           only-severities: critical,high
+          only-fixed: true
           exit-code: true

Dockerfile

@@ -1,3 +1,10 @@
+# ── Stage 0: gosu ────────────────────────────────────────────────────────────
+# Rebuild gosu with a current Go toolchain so the runtime image ships no stale
+# Go stdlib (Debian's apt gosu is built with an old Go that trips CVE scanners).
+# The binary and its runtime behaviour are identical to the apt package.
+FROM golang:1.25-alpine AS gosu-build
+RUN CGO_ENABLED=0 GOBIN=/out go install github.com/tianon/gosu@latest
+
 # ── Stage 1: shared ──────────────────────────────────────────────────────────
 FROM node:24-alpine AS shared-builder
 WORKDIR /app
@@ -44,7 +51,7 @@ COPY server/package.json ./server/
 #   amd64 — static binary from KDE CDN (glibc 2.17+; wget stays for healthcheck)
 #   arm64 — apt package (KDE publishes no arm64 static binary)
 RUN apt-get update && \
-    apt-get install -y --no-install-recommends tzdata dumb-init gosu wget ca-certificates python3 build-essential && \
+    apt-get install -y --no-install-recommends tzdata dumb-init wget ca-certificates python3 build-essential && \
     npm ci --workspace=server --omit=dev && \
     ARCH=$(dpkg --print-architecture) && \
     if [ "$ARCH" = "amd64" ]; then \
@@ -60,6 +67,9 @@ RUN apt-get update && \
     apt-get autoremove -y && \
     rm -rf /var/lib/apt/lists/* /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx
 
+# gosu rebuilt with a current Go toolchain (stage 0) — used by CMD to drop to node.
+COPY --from=gosu-build /out/gosu /usr/local/bin/gosu
+
 ENV XDG_CACHE_HOME=/tmp/kf6-cache
 # Prevent Qt from probing for a display in headless containers.
 ENV QT_QPA_PLATFORM=offscreen

client/src/api/websocket.ts

@@ -20,6 +20,12 @@ export function getSocketId(): string | null {
   return mySocketId
 }
 
+/** Trip ids the app currently has open (joined). Used to re-hydrate the active
+ *  trip's store after the network comes back via the `online` event. */
+export function getActiveTrips(): string[] {
+  return Array.from(activeTrips)
+}
+
 export function setRefetchCallback(fn: RefetchCallback | null): void {
   refetchCallback = fn
 }

client/src/components/Layout/OfflineBanner.test.tsx

@@ -0,0 +1,42 @@
+import { afterEach, describe, expect, it, vi } from 'vitest'
+import { screen, waitFor } from '@testing-library/react'
+import { render } from '../../../tests/helpers/render'
+import OfflineBanner from './OfflineBanner'
+
+vi.mock('../../sync/mutationQueue', () => ({
+  mutationQueue: {
+    pendingCount: vi.fn(),
+    failedCount: vi.fn(),
+  },
+}))
+
+import { mutationQueue } from '../../sync/mutationQueue'
+
+const pendingCount = mutationQueue.pendingCount as ReturnType<typeof vi.fn>
+const failedCount = mutationQueue.failedCount as ReturnType<typeof vi.fn>
+
+afterEach(() => {
+  vi.clearAllMocks()
+  Object.defineProperty(navigator, 'onLine', { value: true, writable: true, configurable: true })
+})
+
+describe('OfflineBanner (B3 surface)', () => {
+  it('shows the failed pill when failedCount > 0 while online', async () => {
+    pendingCount.mockResolvedValue(0)
+    failedCount.mockResolvedValue(2)
+
+    render(<OfflineBanner />)
+
+    expect(await screen.findByText(/2 changes failed to sync/i)).toBeInTheDocument()
+  })
+
+  it('stays hidden when online with nothing pending or failed', async () => {
+    pendingCount.mockResolvedValue(0)
+    failedCount.mockResolvedValue(0)
+
+    const { container } = render(<OfflineBanner />)
+    // Give the async poll a tick to resolve.
+    await waitFor(() => expect(failedCount).toHaveBeenCalled())
+    expect(container.querySelector('[role="status"]')).toBeNull()
+  })
+})

client/src/components/Layout/OfflineBanner.tsx

@@ -2,6 +2,7 @@
  * OfflineBanner — connectivity + sync state indicator.
  *
  * States:
+ *   N failed            →  red pill   "N changes failed to sync" (takes priority)
  *   offline + N queued  →  amber pill "Offline · N queued"
  *   offline + 0 queued  →  amber pill "Offline"
  *   online  + N pending →  blue pill  "Syncing N…"
@@ -12,7 +13,7 @@
  * headers. On mobile it hovers just above the bottom tab bar.
  */
 import React, { useState, useEffect } from 'react'
-import { WifiOff, RefreshCw } from 'lucide-react'
+import { WifiOff, RefreshCw, AlertTriangle } from 'lucide-react'
 import { mutationQueue } from '../../sync/mutationQueue'
 
 const POLL_MS = 3_000
@@ -20,6 +21,7 @@ const POLL_MS = 3_000
 export default function OfflineBanner(): React.ReactElement | null {
   const [isOnline, setIsOnline] = useState(navigator.onLine)
   const [pendingCount, setPendingCount] = useState(0)
+  const [failedCount, setFailedCount] = useState(0)
 
   useEffect(() => {
     const onOnline  = () => setIsOnline(true)
@@ -35,26 +37,36 @@ export default function OfflineBanner(): React.ReactElement | null {
   useEffect(() => {
     let cancelled = false
     async function poll() {
-      const n = await mutationQueue.pendingCount()
-      if (!cancelled) setPendingCount(n)
+      const [n, failed] = await Promise.all([
+        mutationQueue.pendingCount(),
+        mutationQueue.failedCount(),
+      ])
+      if (!cancelled) {
+        setPendingCount(n)
+        setFailedCount(failed)
+      }
     }
     poll()
     const id = setInterval(poll, POLL_MS)
     return () => { cancelled = true; clearInterval(id) }
   }, [])
 
-  const hidden = isOnline && pendingCount === 0
+  const hidden = isOnline && pendingCount === 0 && failedCount === 0
   if (hidden) return null
 
   const offline = !isOnline
-  const bg    = offline ? '#92400e' : '#1e40af'
+  // Failed mutations are the most important signal — they mean data was dropped.
+  const failed = failedCount > 0
+  const bg    = failed ? '#b91c1c' : offline ? '#92400e' : '#1e40af'
   const text  = '#fff'
 
-  const label = offline
-    ? pendingCount > 0
-      ? `Offline · ${pendingCount} queued`
-      : 'Offline'
-    : `Syncing ${pendingCount}…`
+  const label = failed
+    ? `${failedCount} change${failedCount !== 1 ? 's' : ''} failed to sync`
+    : offline
+      ? pendingCount > 0
+        ? `Offline · ${pendingCount} queued`
+        : 'Offline'
+      : `Syncing ${pendingCount}…`
 
   return (
     <div
@@ -82,9 +94,11 @@ export default function OfflineBanner(): React.ReactElement | null {
         pointerEvents: 'none',
       }}
     >
-      {offline
-        ? <WifiOff size={12} />
-        : <RefreshCw size={12} style={{ animation: 'spin 1s linear infinite' }} />
+      {failed
+        ? <AlertTriangle size={12} />
+        : offline
+          ? <WifiOff size={12} />
+          : <RefreshCw size={12} style={{ animation: 'spin 1s linear infinite' }} />
       }
       {label}
     </div>

client/src/components/Map/MapViewAuto.tsx

@@ -5,6 +5,11 @@ import { MapViewGL } from './MapViewGL'
 // Auto-selects the map renderer based on user settings. Keeps the existing
 // Leaflet MapView untouched so the Mapbox GL variant can mature iteratively
 // behind a toggle. Atlas is not affected — it imports Leaflet directly.
+//
+// Offline maps: only the Leaflet renderer supports full pre-download (raster
+// tiles via sync/tilePrefetcher.ts). Mapbox GL is best-effort offline — its
+// vector tiles are cached opportunistically by the Service Worker as you view
+// them online (see the mapbox-tiles rule in vite.config.js), not prefetched.
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
 export function MapViewAuto(props: any) {
   const provider = useSettingsStore(s => s.settings.map_provider)

client/src/components/Settings/OfflineTab.tsx

@@ -21,6 +21,7 @@ interface CachedTripRow {
 export default function OfflineTab(): React.ReactElement {
   const [rows, setRows] = useState<CachedTripRow[]>([])
   const [pendingCount, setPendingCount] = useState(0)
+  const [failedCount, setFailedCount] = useState(0)
   const [syncing, setSyncing] = useState(false)
   const [clearing, setClearing] = useState(false)
   const [loading, setLoading] = useState(true)
@@ -28,11 +29,13 @@ export default function OfflineTab(): React.ReactElement {
   const load = useCallback(async () => {
     setLoading(true)
     try {
-      const [metas, pending] = await Promise.all([
+      const [metas, pending, failed] = await Promise.all([
         offlineDb.syncMeta.toArray(),
         mutationQueue.pendingCount(),
+        mutationQueue.failedCount(),
       ])
       setPendingCount(pending)
+      setFailedCount(failed)
 
       const result: CachedTripRow[] = []
       for (const meta of metas) {
@@ -85,6 +88,7 @@ export default function OfflineTab(): React.ReactElement {
         <div style={{ display: 'flex', gap: 12, flexWrap: 'wrap' }}>
           <Stat label="Cached trips" value={rows.length} />
           <Stat label="Pending changes" value={pendingCount} />
+          {failedCount > 0 && <Stat label="Failed changes" value={failedCount} danger />}
         </div>
 
         {/* Actions */}
@@ -165,13 +169,14 @@ export default function OfflineTab(): React.ReactElement {
   )
 }
 
-function Stat({ label, value }: { label: string; value: number }) {
+function Stat({ label, value, danger }: { label: string; value: number; danger?: boolean }) {
   return (
     <div className="border border-edge bg-surface-secondary" style={{
       padding: '8px 14px', borderRadius: 8,
       minWidth: 100,
     }}>
-      <div className="text-content" style={{ fontSize: 20, fontWeight: 700 }}>{value}</div>
+      <div style={{ fontSize: 20, fontWeight: 700, color: danger ? '#ef4444' : undefined }}
+        className={danger ? undefined : 'text-content'}>{value}</div>
       <div className="text-content-muted" style={{ fontSize: 11 }}>{label}</div>
     </div>
   )

client/src/db/offlineDb.ts

@@ -27,6 +27,12 @@ export interface QueuedMutation {
   tempId?: number;
   /** For DELETE mutations: the entity id to remove from Dexie on flush */
   entityId?: number;
+  /**
+   * For PUT/DELETE enqueued offline against a still-unsynced (negative-id) entity:
+   * the temp id of the target. The url carries an `{id}` placeholder that the
+   * mutation queue rewrites to the real server id once the dependent CREATE flushes.
+   */
+  tempEntityId?: number;
 }
 
 export interface SyncMeta {
@@ -41,13 +47,48 @@ export interface SyncMeta {
 export interface BlobCacheEntry {
   /** Relative URL, e.g. "/api/files/42/download" */
   url: string;
+  /**
+   * Trip this blob belongs to, so it is evicted together with the trip in
+   * clearTripData. Legacy rows cached before v3 carry the sentinel -1.
+   */
+  tripId: number;
   blob: Blob;
+  /** Byte size captured at insert time — Blob.size is not reliably preserved
+   *  across IndexedDB round-trips, so the LRU budget reads this instead. */
+  bytes: number;
   mime: string;
   cachedAt: number;
 }
 
 // ── Dexie class ────────────────────────────────────────────────────────────────
 
+/**
+ * The offline DB is scoped per user so that one account can never read another
+ * account's cached data on a shared device. Anonymous (logged-out) state uses
+ * the base name; a logged-in user uses `trek-offline-u<userId>`.
+ */
+const ANON_DB_NAME = 'trek-offline';
+
+function userDbName(userId: number | string): string {
+  return `trek-offline-u${userId}`;
+}
+
+/**
+ * Best-effort read of the persisted auth snapshot so the very first DB opened on
+ * app load (before loadUser resolves) is already the correct per-user one — the
+ * PWA can render cached data offline without leaking across users.
+ */
+function initialDbName(): string {
+  try {
+    const raw = typeof localStorage !== 'undefined' ? localStorage.getItem('trek_auth_snapshot') : null;
+    if (!raw) return ANON_DB_NAME;
+    const id = JSON.parse(raw)?.state?.user?.id;
+    return id != null ? userDbName(id) : ANON_DB_NAME;
+  } catch {
+    return ANON_DB_NAME;
+  }
+}
+
 class TrekOfflineDb extends Dexie {
   trips!: Table<Trip, number>;
   days!: Table<Day, number>;
@@ -65,8 +106,8 @@ class TrekOfflineDb extends Dexie {
   syncMeta!: Table<SyncMeta, number>;
   blobCache!: Table<BlobCacheEntry, string>;
 
-  constructor() {
-    super('trek-offline');
+  constructor(name: string = ANON_DB_NAME) {
+    super(name);
 
     this.version(1).stores({
       trips:        'id',
@@ -88,10 +129,67 @@ class TrekOfflineDb extends Dexie {
       tags:           'id',
       categories:     'id',
     });
+
+    // v3: scope the blob cache by trip so it can be evicted with the trip and
+    // bounded by an LRU budget (see enforceBlobBudget).
+    this.version(3).stores({
+      blobCache: 'url, cachedAt, tripId',
+    }).upgrade(async (tx) => {
+      await tx.table('blobCache').toCollection().modify((row: Partial<BlobCacheEntry>) => {
+        if (row.tripId == null) row.tripId = -1;
+        if (row.bytes == null) row.bytes = row.blob?.size ?? 0;
+      });
+    });
   }
 }
 
-export const offlineDb = new TrekOfflineDb();
+// The live instance is swapped on login/logout via reopenForUser/reopenAnonymous.
+// A Proxy keeps the exported `offlineDb` binding stable for the ~19 modules that
+// import it directly, while every access forwards to the current connection.
+let _db = new TrekOfflineDb(initialDbName());
+
+export const offlineDb = new Proxy({} as TrekOfflineDb, {
+  get(_target, prop) {
+    const value = (_db as unknown as Record<string | symbol, unknown>)[prop];
+    return typeof value === 'function' ? (value as (...args: unknown[]) => unknown).bind(_db) : value;
+  },
+  set(_target, prop, value) {
+    (_db as unknown as Record<string | symbol, unknown>)[prop] = value;
+    return true;
+  },
+}) as TrekOfflineDb;
+
+async function switchTo(name: string): Promise<void> {
+  if (_db.name === name) {
+    if (!_db.isOpen()) await _db.open();
+    return;
+  }
+  if (_db.isOpen()) _db.close();
+  _db = new TrekOfflineDb(name);
+  await _db.open();
+}
+
+/** Point the offline DB at a specific user's scoped database (call on login). */
+export async function reopenForUser(userId: number | string): Promise<void> {
+  await switchTo(userDbName(userId));
+}
+
+/** Point the offline DB at the anonymous database (call on logout). */
+export async function reopenAnonymous(): Promise<void> {
+  await switchTo(ANON_DB_NAME);
+}
+
+/**
+ * Delete the current user's scoped database entirely and return to the anonymous
+ * DB. Used on logout so no trace of the account's data remains on the device.
+ */
+export async function deleteCurrentUserDb(): Promise<void> {
+  if (_db.name !== ANON_DB_NAME) {
+    try { await _db.delete(); } catch { /* ignore — fall through to anon */ }
+  }
+  _db = new TrekOfflineDb(ANON_DB_NAME);
+  await _db.open();
+}
 
 // ── Bulk upsert helpers ────────────────────────────────────────────────────────
 
@@ -166,6 +264,40 @@ export async function getCachedBlob(url: string): Promise<Blob | null> {
   }
 }
 
+// ── Blob-cache budget ───────────────────────────────────────────────────────
+
+/**
+ * Upper bounds for the offline file-blob cache. Kept conservative so trip
+ * documents never starve the map-tile cache (sized at MAX_TILES in
+ * tilePrefetcher.ts) for the origin's storage quota.
+ */
+export const BLOB_CACHE_MAX_ENTRIES = 200;
+export const BLOB_CACHE_MAX_BYTES = 100 * 1024 * 1024; // 100 MB
+
+/**
+ * Evict oldest-by-cachedAt blobs until the cache is under both the entry-count
+ * and byte budget. Call after inserting new blobs. LRU on insertion time, which
+ * is a reasonable proxy for access for write-once document blobs.
+ */
+export async function enforceBlobBudget(
+  maxCount = BLOB_CACHE_MAX_ENTRIES,
+  maxBytes = BLOB_CACHE_MAX_BYTES,
+): Promise<void> {
+  const entries = await offlineDb.blobCache.orderBy('cachedAt').toArray();
+  let count = entries.length;
+  let totalBytes = entries.reduce((sum, e) => sum + (e.bytes ?? 0), 0);
+  if (count <= maxCount && totalBytes <= maxBytes) return;
+
+  const toDelete: string[] = [];
+  for (const e of entries) {
+    if (count <= maxCount && totalBytes <= maxBytes) break;
+    toDelete.push(e.url);
+    totalBytes -= e.bytes ?? 0;
+    count -= 1;
+  }
+  if (toDelete.length) await offlineDb.blobCache.bulkDelete(toDelete);
+}
+
 // ── Eviction / cleanup ────────────────────────────────────────────────────────
 
 /** Delete all cached data for one trip (eviction or explicit clear). */
@@ -184,6 +316,7 @@ export async function clearTripData(tripId: number): Promise<void> {
       offlineDb.tripMembers,
       offlineDb.mutationQueue,
       offlineDb.syncMeta,
+      offlineDb.blobCache,
     ],
     async () => {
       await offlineDb.days.where('trip_id').equals(tripId).delete();
@@ -197,6 +330,7 @@ export async function clearTripData(tripId: number): Promise<void> {
       await offlineDb.tripMembers.where('tripId').equals(tripId).delete();
       await offlineDb.mutationQueue.where('tripId').equals(tripId).delete();
       await offlineDb.syncMeta.where('tripId').equals(tripId).delete();
+      await offlineDb.blobCache.where('tripId').equals(tripId).delete();
     },
   );
   // Remove the trip row itself outside the transaction since it's a separate table

client/src/main.tsx

@@ -15,8 +15,11 @@ import '@fontsource/geist-sans/500.css'
 import '@fontsource/geist-sans/600.css'
 import './index.css'
 import { startConnectivityProbe } from './sync/connectivity'
+import { requestPersistentStorage } from './sync/persistentStorage'
 
 startConnectivityProbe()
+// Keep offline data (map tiles, file blobs, IndexedDB) exempt from eviction.
+requestPersistentStorage()
 
 ReactDOM.createRoot(document.getElementById('root')!).render(
   <React.StrictMode>

client/src/pages/LoginPage.test.tsx

@@ -103,6 +103,38 @@ describe('LoginPage', () => {
     });
   });
 
+  describe('FE-PAGE-LOGIN-007: Remember me sends remember_me to the API', () => {
+    it('renders an unchecked checkbox and forwards remember_me: true when ticked', async () => {
+      let capturedBody: Record<string, unknown> | null = null;
+      server.use(
+        http.post('/api/auth/login', async ({ request }) => {
+          capturedBody = (await request.json()) as Record<string, unknown>;
+          return HttpResponse.json({ user: { id: 1, username: 'test', email: 'test@example.com', role: 'user' } });
+        }),
+      );
+
+      const user = userEvent.setup();
+      render(<LoginPage />);
+
+      await waitFor(() => {
+        expect(screen.getByPlaceholderText(EMAIL_PLACEHOLDER)).toBeInTheDocument();
+      });
+
+      const checkbox = screen.getByRole('checkbox', { name: /remember me/i });
+      expect(checkbox).not.toBeChecked();
+
+      await user.type(screen.getByPlaceholderText(EMAIL_PLACEHOLDER), 'user@example.com');
+      await user.type(screen.getByPlaceholderText(PASSWORD_PLACEHOLDER), 'password123');
+      await user.click(checkbox);
+      expect(checkbox).toBeChecked();
+      await user.click(screen.getByRole('button', { name: /sign in/i }));
+
+      await waitFor(() => {
+        expect(capturedBody).toEqual(expect.objectContaining({ remember_me: true }));
+      });
+    });
+  });
+
   describe('FE-PAGE-LOGIN-005: Registration toggle visible', () => {
     it('shows a Register button to switch to registration mode', async () => {
       // Default appConfig has allow_registration: true, has_users: true

client/src/pages/LoginPage.tsx

@@ -9,7 +9,7 @@ export default function LoginPage(): React.ReactElement {
   const {
     navigate,
     mode, setMode,
-    username, setUsername, email, setEmail, password, setPassword, showPassword, setShowPassword,
+    username, setUsername, email, setEmail, password, setPassword, rememberMe, setRememberMe, showPassword, setShowPassword,
     isLoading, error, setError, appConfig, inviteToken,
     langDropdownOpen, setLangDropdownOpen, setLanguageLocal,
     showTakeoff, mfaStep, setMfaStep, mfaToken, setMfaToken, mfaCode, setMfaCode,
@@ -572,7 +572,16 @@ export default function LoginPage(): React.ReactElement {
                   </button>
                 </div>
                 {mode === 'login' && (
-                  <div style={{ textAlign: 'right', marginTop: 6 }}>
+                  <div style={{ display: 'flex', alignItems: 'center', justifyContent: 'space-between', gap: 12, marginTop: 8 }}>
+                    <label style={{ display: 'flex', alignItems: 'center', gap: 7, cursor: 'pointer', color: '#374151', fontSize: 12.5, fontWeight: 500 }}>
+                      <input
+                        type="checkbox"
+                        checked={rememberMe}
+                        onChange={(e: React.ChangeEvent<HTMLInputElement>) => setRememberMe(e.target.checked)}
+                        style={{ width: 15, height: 15, accentColor: '#111827', cursor: 'pointer', flexShrink: 0 }}
+                      />
+                      {t('login.rememberMe')}
+                    </label>
                     <button type="button" onClick={() => navigate('/forgot-password')} style={{
                       background: 'none', border: 'none', cursor: 'pointer', padding: 0,
                       color: '#6b7280', fontSize: 12.5, fontWeight: 500, fontFamily: 'inherit',

client/src/pages/login/useLogin.ts

@@ -37,6 +37,7 @@ export function useLogin() {
   const [username, setUsername] = useState<string>('')
   const [email, setEmail] = useState<string>('')
   const [password, setPassword] = useState<string>('')
+  const [rememberMe, setRememberMe] = useState<boolean>(false)
   const [showPassword, setShowPassword] = useState<boolean>(false)
   const [isLoading, setIsLoading] = useState<boolean>(false)
   const [error, setError] = useState<string>('')
@@ -242,7 +243,7 @@ export function useLogin() {
           setIsLoading(false)
           return
         }
-        const mfaResult = await completeMfaLogin(mfaToken, mfaCode)
+        const mfaResult = await completeMfaLogin(mfaToken, mfaCode, rememberMe)
         if ('user' in mfaResult && mfaResult.user?.must_change_password) {
           setSavedLoginPassword(password)
           setPasswordChangeStep(true)
@@ -258,7 +259,7 @@ export function useLogin() {
         if (password.length < 8) { setError(t('login.passwordMinLength')); setIsLoading(false); return }
         await register(username, email, password, inviteToken || undefined)
       } else {
-        const result = await login(email, password)
+        const result = await login(email, password, rememberMe)
         if ('mfa_required' in result && result.mfa_required && 'mfa_token' in result) {
           setMfaToken(result.mfa_token)
           setMfaStep(true)
@@ -289,7 +290,7 @@ export function useLogin() {
   return {
     navigate,
     mode, setMode,
-    username, setUsername, email, setEmail, password, setPassword, showPassword, setShowPassword,
+    username, setUsername, email, setEmail, password, setPassword, rememberMe, setRememberMe, showPassword, setShowPassword,
     isLoading, error, setError, appConfig, inviteToken,
     langDropdownOpen, setLangDropdownOpen, setLanguageLocal,
     showTakeoff, mfaStep, setMfaStep, mfaToken, setMfaToken, mfaCode, setMfaCode,

client/src/pages/tripPlanner/useTripPlanner.ts

@@ -221,11 +221,12 @@ export function useTripPlanner() {
     }
   }, [isLoading, places])
 
-  // Load trip + files (needed for place inspector file section)
+  // Load the trip. loadTrip hydrates every trip-scoped slice (days, places,
+  // packing, todo, budget, reservations, files) so offline hydration is uniform
+  // and there's no cross-trip bleed; members/accommodations load alongside.
   useEffect(() => {
     if (tripId) {
       tripActions.loadTrip(tripId).catch(() => { toast.error(t('trip.toast.loadError')); navigate('/dashboard') })
-      tripActions.loadFiles(tripId)
       loadAccommodations()
       if (!navigator.onLine) {
         offlineDb.tripMembers.where('tripId').equals(Number(tripId)).toArray()
@@ -240,13 +241,6 @@ export function useTripPlanner() {
     }
   }, [tripId])
 
-  useEffect(() => {
-    if (tripId) {
-      tripActions.loadReservations(tripId)
-      tripActions.loadBudgetItems?.(tripId)
-    }
-  }, [tripId])
-
   useTripWebSocket(tripId)
 
   const [mapCategoryFilter, setMapCategoryFilter] = useState<Set<string>>(new Set())

client/src/repo/accommodationRepo.ts

@@ -1,16 +1,20 @@
 import { accommodationsApi } from '../api/client'
 import { offlineDb, upsertAccommodations } from '../db/offlineDb'
+import { onlineThenCache } from './withOfflineFallback'
 import type { Accommodation } from '../types'
 
 export const accommodationRepo = {
   async list(tripId: number | string): Promise<{ accommodations: Accommodation[] }> {
-    if (!navigator.onLine) {
-      const accommodations = await offlineDb.accommodations
-        .where('trip_id').equals(Number(tripId)).toArray()
-      return { accommodations }
-    }
-    const result = await accommodationsApi.list(tripId)
-    upsertAccommodations(result.accommodations || []).catch(() => {})
-    return result
+    return onlineThenCache(
+      async () => {
+        const result = await accommodationsApi.list(tripId)
+        upsertAccommodations(result.accommodations || []).catch(() => {})
+        return result
+      },
+      async () => ({
+        accommodations: await offlineDb.accommodations
+          .where('trip_id').equals(Number(tripId)).toArray(),
+      }),
+    )
   },
 }

client/src/repo/budgetRepo.ts

@@ -1,18 +1,20 @@
 import { budgetApi } from '../api/client'
 import { offlineDb, upsertBudgetItems } from '../db/offlineDb'
+import { onlineThenCache } from './withOfflineFallback'
 import type { BudgetItem } from '../types'
 
 export const budgetRepo = {
   async list(tripId: number | string): Promise<{ items: BudgetItem[] }> {
-    if (!navigator.onLine) {
-      const cached = await offlineDb.budgetItems
-        .where('trip_id')
-        .equals(Number(tripId))
-        .toArray()
-      return { items: cached }
-    }
-    const result = await budgetApi.list(tripId)
-    upsertBudgetItems(result.items)
-    return result
+    return onlineThenCache(
+      async () => {
+        const result = await budgetApi.list(tripId)
+        upsertBudgetItems(result.items)
+        return result
+      },
+      async () => ({
+        items: await offlineDb.budgetItems
+          .where('trip_id').equals(Number(tripId)).toArray(),
+      }),
+    )
   },
 }

client/src/repo/dayRepo.ts

@@ -1,18 +1,22 @@
 import { daysApi } from '../api/client'
 import { offlineDb, upsertDays } from '../db/offlineDb'
+import { onlineThenCache } from './withOfflineFallback'
 import type { Day } from '../types'
 
 export const dayRepo = {
   async list(tripId: number | string): Promise<{ days: Day[] }> {
-    if (!navigator.onLine) {
-      const cached = await offlineDb.days
-        .where('trip_id')
-        .equals(Number(tripId))
-        .sortBy('day_number' as keyof Day)
-      return { days: cached as Day[] }
-    }
-    const result = await daysApi.list(tripId)
-    upsertDays(result.days)
-    return result
+    return onlineThenCache(
+      async () => {
+        const result = await daysApi.list(tripId)
+        upsertDays(result.days)
+        return result
+      },
+      async () => ({
+        days: (await offlineDb.days
+          .where('trip_id')
+          .equals(Number(tripId))
+          .sortBy('day_number' as keyof Day)) as Day[],
+      }),
+    )
   },
 }

client/src/repo/fileRepo.ts

@@ -1,18 +1,20 @@
 import { filesApi } from '../api/client'
 import { offlineDb, upsertTripFiles } from '../db/offlineDb'
+import { onlineThenCache } from './withOfflineFallback'
 import type { TripFile } from '../types'
 
 export const fileRepo = {
   async list(tripId: number | string): Promise<{ files: TripFile[] }> {
-    if (!navigator.onLine) {
-      const cached = await offlineDb.tripFiles
-        .where('trip_id')
-        .equals(Number(tripId))
-        .toArray()
-      return { files: cached }
-    }
-    const result = await filesApi.list(tripId)
-    upsertTripFiles(result.files)
-    return result
+    return onlineThenCache(
+      async () => {
+        const result = await filesApi.list(tripId)
+        upsertTripFiles(result.files)
+        return result
+      },
+      async () => ({
+        files: await offlineDb.tripFiles
+          .where('trip_id').equals(Number(tripId)).toArray(),
+      }),
+    )
   },
 }

client/src/repo/packingRepo.ts

@@ -1,25 +1,27 @@
 import { packingApi } from '../api/client'
 import { offlineDb, upsertPackingItems } from '../db/offlineDb'
-import { mutationQueue, generateUUID } from '../sync/mutationQueue'
+import { mutationQueue, generateUUID, nextTempId } from '../sync/mutationQueue'
+import { onlineThenCache } from './withOfflineFallback'
 import type { PackingItem } from '../types'
 
 export const packingRepo = {
   async list(tripId: number | string): Promise<{ items: PackingItem[] }> {
-    if (!navigator.onLine) {
-      const cached = await offlineDb.packingItems
-        .where('trip_id')
-        .equals(Number(tripId))
-        .toArray()
-      return { items: cached }
-    }
-    const result = await packingApi.list(tripId)
-    upsertPackingItems(result.items)
-    return result
+    return onlineThenCache(
+      async () => {
+        const result = await packingApi.list(tripId)
+        upsertPackingItems(result.items)
+        return result
+      },
+      async () => ({
+        items: await offlineDb.packingItems
+          .where('trip_id').equals(Number(tripId)).toArray(),
+      }),
+    )
   },
 
   async create(tripId: number | string, data: Record<string, unknown> & { name: string }): Promise<{ item: PackingItem }> {
     if (!navigator.onLine) {
-      const tempId = -(Date.now())
+      const tempId = nextTempId()
       const tempItem: PackingItem = {
         ...(data as Partial<PackingItem>),
         id: tempId,
@@ -51,13 +53,16 @@ export const packingRepo = {
       const optimistic: PackingItem = { ...(existing ?? {} as PackingItem), ...(data as Partial<PackingItem>), id }
       await offlineDb.packingItems.put(optimistic)
       const mutId = generateUUID()
+      const isTemp = id < 0
       await mutationQueue.enqueue({
         id: mutId,
         tripId: Number(tripId),
         method: 'PUT',
-        url: `/trips/${tripId}/packing/${id}`,
+        url: isTemp ? `/trips/${tripId}/packing/{id}` : `/trips/${tripId}/packing/${id}`,
         body: data,
         resource: 'packingItems',
+        entityId: id,
+        ...(isTemp ? { tempEntityId: id } : {}),
       })
       return { item: optimistic }
     }
@@ -70,14 +75,16 @@ export const packingRepo = {
     if (!navigator.onLine) {
       await offlineDb.packingItems.delete(id)
       const mutId = generateUUID()
+      const isTemp = id < 0
       await mutationQueue.enqueue({
         id: mutId,
         tripId: Number(tripId),
         method: 'DELETE',
-        url: `/trips/${tripId}/packing/${id}`,
+        url: isTemp ? `/trips/${tripId}/packing/{id}` : `/trips/${tripId}/packing/${id}`,
         body: undefined,
         resource: 'packingItems',
         entityId: id,
+        ...(isTemp ? { tempEntityId: id } : {}),
       })
       return { success: true }
     }

client/src/repo/placeRepo.ts

@@ -1,25 +1,27 @@
 import { placesApi } from '../api/client'
 import { offlineDb, upsertPlaces } from '../db/offlineDb'
-import { mutationQueue, generateUUID } from '../sync/mutationQueue'
+import { mutationQueue, generateUUID, nextTempId } from '../sync/mutationQueue'
+import { onlineThenCache } from './withOfflineFallback'
 import type { Place } from '../types'
 
 export const placeRepo = {
   async list(tripId: number | string, params?: Record<string, unknown>): Promise<{ places: Place[] }> {
-    if (!navigator.onLine) {
-      const cached = await offlineDb.places
-        .where('trip_id')
-        .equals(Number(tripId))
-        .toArray()
-      return { places: cached }
-    }
-    const result = await placesApi.list(tripId, params)
-    upsertPlaces(result.places)
-    return result
+    return onlineThenCache(
+      async () => {
+        const result = await placesApi.list(tripId, params)
+        upsertPlaces(result.places)
+        return result
+      },
+      async () => ({
+        places: await offlineDb.places
+          .where('trip_id').equals(Number(tripId)).toArray(),
+      }),
+    )
   },
 
   async create(tripId: number | string, data: Record<string, unknown> & { name: string }): Promise<{ place: Place }> {
     if (!navigator.onLine) {
-      const tempId = -(Date.now())
+      const tempId = nextTempId()
       const tempPlace: Place = {
         ...(data as Partial<Place>),
         id: tempId,
@@ -50,13 +52,16 @@ export const placeRepo = {
       const optimistic: Place = { ...(existing ?? {} as Place), ...(data as Partial<Place>), id: Number(id) }
       await offlineDb.places.put(optimistic)
       const mutId = generateUUID()
+      const isTemp = Number(id) < 0
       await mutationQueue.enqueue({
         id: mutId,
         tripId: Number(tripId),
         method: 'PUT',
-        url: `/trips/${tripId}/places/${id}`,
+        url: isTemp ? `/trips/${tripId}/places/{id}` : `/trips/${tripId}/places/${id}`,
         body: data,
         resource: 'places',
+        entityId: Number(id),
+        ...(isTemp ? { tempEntityId: Number(id) } : {}),
       })
       return { place: optimistic }
     }
@@ -69,14 +74,16 @@ export const placeRepo = {
     if (!navigator.onLine) {
       await offlineDb.places.delete(Number(id))
       const mutId = generateUUID()
+      const isTemp = Number(id) < 0
       await mutationQueue.enqueue({
         id: mutId,
         tripId: Number(tripId),
         method: 'DELETE',
-        url: `/trips/${tripId}/places/${id}`,
+        url: isTemp ? `/trips/${tripId}/places/{id}` : `/trips/${tripId}/places/${id}`,
         body: undefined,
         resource: 'places',
         entityId: Number(id),
+        ...(isTemp ? { tempEntityId: Number(id) } : {}),
       })
       return { success: true }
     }
@@ -90,14 +97,16 @@ export const placeRepo = {
       await offlineDb.places.bulkDelete(ids)
       for (const id of ids) {
         const mutId = generateUUID()
+        const isTemp = id < 0
         await mutationQueue.enqueue({
           id: mutId,
           tripId: Number(tripId),
           method: 'DELETE',
-          url: `/trips/${tripId}/places/${id}`,
+          url: isTemp ? `/trips/${tripId}/places/{id}` : `/trips/${tripId}/places/${id}`,
           body: undefined,
           resource: 'places',
           entityId: id,
+          ...(isTemp ? { tempEntityId: id } : {}),
         })
       }
       return { deleted: ids, count: ids.length }

client/src/repo/reservationRepo.ts

@@ -1,18 +1,20 @@
 import { reservationsApi } from '../api/client'
 import { offlineDb, upsertReservations } from '../db/offlineDb'
+import { onlineThenCache } from './withOfflineFallback'
 import type { Reservation } from '../types'
 
 export const reservationRepo = {
   async list(tripId: number | string): Promise<{ reservations: Reservation[] }> {
-    if (!navigator.onLine) {
-      const cached = await offlineDb.reservations
-        .where('trip_id')
-        .equals(Number(tripId))
-        .toArray()
-      return { reservations: cached }
-    }
-    const result = await reservationsApi.list(tripId)
-    upsertReservations(result.reservations)
-    return result
+    return onlineThenCache(
+      async () => {
+        const result = await reservationsApi.list(tripId)
+        upsertReservations(result.reservations)
+        return result
+      },
+      async () => ({
+        reservations: await offlineDb.reservations
+          .where('trip_id').equals(Number(tripId)).toArray(),
+      }),
+    )
   },
 }

client/src/repo/todoRepo.ts

@@ -1,18 +1,20 @@
 import { todoApi } from '../api/client'
 import { offlineDb, upsertTodoItems } from '../db/offlineDb'
+import { onlineThenCache } from './withOfflineFallback'
 import type { TodoItem } from '../types'
 
 export const todoRepo = {
   async list(tripId: number | string): Promise<{ items: TodoItem[] }> {
-    if (!navigator.onLine) {
-      const cached = await offlineDb.todoItems
-        .where('trip_id')
-        .equals(Number(tripId))
-        .toArray()
-      return { items: cached }
-    }
-    const result = await todoApi.list(tripId)
-    upsertTodoItems(result.items)
-    return result
+    return onlineThenCache(
+      async () => {
+        const result = await todoApi.list(tripId)
+        upsertTodoItems(result.items)
+        return result
+      },
+      async () => ({
+        items: await offlineDb.todoItems
+          .where('trip_id').equals(Number(tripId)).toArray(),
+      }),
+    )
   },
 }

client/src/repo/tripRepo.ts

@@ -1,33 +1,42 @@
 import { tripsApi } from '../api/client'
 import { offlineDb, upsertTrip } from '../db/offlineDb'
+import { onlineThenCache } from './withOfflineFallback'
 import type { Trip } from '../types'
 
 export const tripRepo = {
   async list(): Promise<{ trips: Trip[]; archivedTrips: Trip[] }> {
-    if (!navigator.onLine) {
-      const all = await offlineDb.trips.toArray()
-      return {
-        trips: all.filter(t => !t.is_archived),
-        archivedTrips: all.filter(t => t.is_archived),
-      }
-    }
-    const [active, archived] = await Promise.all([
-      tripsApi.list(),
-      tripsApi.list({ archived: 1 }),
-    ])
-    active.trips.forEach(t => upsertTrip(t))
-    archived.trips.forEach(t => upsertTrip(t))
-    return { trips: active.trips, archivedTrips: archived.trips }
+    return onlineThenCache(
+      async () => {
+        const [active, archived] = await Promise.all([
+          tripsApi.list(),
+          tripsApi.list({ archived: 1 }),
+        ])
+        active.trips.forEach(t => upsertTrip(t))
+        archived.trips.forEach(t => upsertTrip(t))
+        return { trips: active.trips, archivedTrips: archived.trips }
+      },
+      async () => {
+        const all = await offlineDb.trips.toArray()
+        return {
+          trips: all.filter(t => !t.is_archived),
+          archivedTrips: all.filter(t => t.is_archived),
+        }
+      },
+    )
   },
 
   async get(tripId: number | string): Promise<{ trip: Trip }> {
-    if (!navigator.onLine) {
-      const cached = await offlineDb.trips.get(Number(tripId))
-      if (cached) return { trip: cached }
-      throw new Error('No cached trip data available offline')
-    }
-    const result = await tripsApi.get(tripId)
-    upsertTrip(result.trip)
-    return result
+    return onlineThenCache(
+      async () => {
+        const result = await tripsApi.get(tripId)
+        upsertTrip(result.trip)
+        return result
+      },
+      async () => {
+        const cached = await offlineDb.trips.get(Number(tripId))
+        if (cached) return { trip: cached }
+        throw new Error('No cached trip data available offline')
+      },
+    )
   },
 }

client/src/repo/withOfflineFallback.ts

@@ -0,0 +1,48 @@
+/**
+ * True when an error means the request never reached the server — a network-level
+ * failure (offline, captive portal, proxy auth wall, dropped connection, CORS).
+ * Axios sets `response` only when the server actually replied; its absence (on an
+ * Axios error) means we never got one. A real HTTP error (4xx/5xx) HAS a response
+ * and must NOT be treated as a network failure — the server spoke, so the caller
+ * needs to see it. Non-Axios errors are surfaced too.
+ */
+function isNetworkError(err: unknown): boolean {
+  const e = err as { isAxiosError?: boolean; response?: unknown } | null
+  return !!e && e.isAxiosError === true && e.response == null
+}
+
+/**
+ * Read-through cache pattern shared by every repo's read methods.
+ *
+ * Reads degrade to the local Dexie cache in two situations:
+ *   1. The browser reports it is offline (`navigator.onLine` false) — skip the
+ *      doomed request entirely.
+ *   2. The browser *thinks* it is online but the request fails at the network
+ *      level — a lying `navigator.onLine` on a captive portal, a dropped
+ *      connection (H2). Rather than surfacing that (which blanks the trip even
+ *      though a good cached copy exists), we fall back to the cache.
+ *
+ * We intentionally gate only on `navigator.onLine`, NOT the connectivity probe:
+ * the probe is a coarse global flag, and a single failed health check would
+ * otherwise force every read to the (possibly empty) cache even when the request
+ * itself would succeed. The network-error catch below covers the captive-portal
+ * case the probe was meant to.
+ *
+ * A genuine HTTP error (404/403/500 — the server responded) is NOT swallowed: it
+ * is rethrown so callers can set error state, navigate away, etc.
+ *
+ * Writes must NOT use this — they go through the mutation queue so failures are
+ * surfaced and retried, not silently swallowed.
+ */
+export async function onlineThenCache<T>(
+  onlineFn: () => Promise<T>,
+  cacheFn: () => Promise<T>,
+): Promise<T> {
+  if (!navigator.onLine) return cacheFn()
+  try {
+    return await onlineFn()
+  } catch (err) {
+    if (isNetworkError(err)) return cacheFn()
+    throw err
+  }
+}

client/src/store/authStore.ts

@@ -5,7 +5,9 @@ import { connect, disconnect } from '../api/websocket'
 import type { User } from '../types'
 import { getApiErrorMessage } from '../types'
 import { tripSyncManager } from '../sync/tripSyncManager'
-import { clearAll } from '../db/offlineDb'
+import { reopenForUser, deleteCurrentUserDb } from '../db/offlineDb'
+import { setAuthed } from '../sync/authGate'
+import { unregisterSyncTriggers } from '../sync/syncTriggers'
 import { useSystemNoticeStore } from './systemNoticeStore.js'
 
 interface AuthResponse {
@@ -37,10 +39,10 @@ interface AuthState {
   placesAutocompleteEnabled: boolean
   placesDetailsEnabled: boolean
 
-  login: (email: string, password: string) => Promise<LoginResult>
-  completeMfaLogin: (mfaToken: string, code: string) => Promise<AuthResponse>
+  login: (email: string, password: string, rememberMe?: boolean) => Promise<LoginResult>
+  completeMfaLogin: (mfaToken: string, code: string, rememberMe?: boolean) => Promise<AuthResponse>
   register: (username: string, email: string, password: string, invite_token?: string) => Promise<AuthResponse>
-  logout: () => void
+  logout: () => Promise<void>
   /** Pass `{ silent: true }` to refresh the user without toggling global isLoading (avoids unmounting protected routes). */
   loadUser: (opts?: { silent?: boolean }) => Promise<void>
   updateMapsKey: (key: string | null) => Promise<void>
@@ -65,6 +67,19 @@ interface AuthState {
 // Sequence counter to prevent stale loadUser responses from overwriting fresh auth state
 let authSequence = 0
 
+/**
+ * Mark the session authenticated and point the offline DB at this user's scoped
+ * database before any background sync runs, so cached data never crosses users.
+ */
+async function onAuthSuccess(userId: number): Promise<void> {
+  setAuthed(true)
+  try {
+    await reopenForUser(userId)
+  } catch (err) {
+    console.error('[auth] failed to open user-scoped offline DB', err)
+  }
+}
+
 export const useAuthStore = create<AuthState>()(
   persist(
   (set, get) => ({
@@ -84,11 +99,11 @@ export const useAuthStore = create<AuthState>()(
   placesAutocompleteEnabled: true,
   placesDetailsEnabled: true,
 
-  login: async (email: string, password: string) => {
+  login: async (email: string, password: string, rememberMe?: boolean) => {
     authSequence++
     set({ isLoading: true, error: null })
     try {
-      const data = await authApi.login({ email, password }) as AuthResponse & { mfa_required?: boolean; mfa_token?: string }
+      const data = await authApi.login({ email, password, remember_me: rememberMe }) as AuthResponse & { mfa_required?: boolean; mfa_token?: string }
       if (data.mfa_required && data.mfa_token) {
         set({ isLoading: false, error: null })
         return { mfa_required: true as const, mfa_token: data.mfa_token }
@@ -99,6 +114,7 @@ export const useAuthStore = create<AuthState>()(
         isLoading: false,
         error: null,
       })
+      await onAuthSuccess(data.user.id)
       connect()
       tripSyncManager.syncAll().catch(console.error)
       if (!data.user?.must_change_password) {
@@ -112,17 +128,18 @@ export const useAuthStore = create<AuthState>()(
     }
   },
 
-  completeMfaLogin: async (mfaToken: string, code: string) => {
+  completeMfaLogin: async (mfaToken: string, code: string, rememberMe?: boolean) => {
     authSequence++
     set({ isLoading: true, error: null })
     try {
-      const data = await authApi.verifyMfaLogin({ mfa_token: mfaToken, code: code.replace(/\s/g, '') })
+      const data = await authApi.verifyMfaLogin({ mfa_token: mfaToken, code: code.replace(/\s/g, ''), remember_me: rememberMe })
       set({
         user: data.user,
         isAuthenticated: true,
         isLoading: false,
         error: null,
       })
+      await onAuthSuccess(data.user.id)
       connect()
       tripSyncManager.syncAll().catch(console.error)
       if (!data.user?.must_change_password) {
@@ -147,6 +164,7 @@ export const useAuthStore = create<AuthState>()(
         isLoading: false,
         error: null,
       })
+      await onAuthSuccess(data.user.id)
       connect()
       tripSyncManager.syncAll().catch(console.error)
       useSystemNoticeStore.getState().fetch()
@@ -158,18 +176,27 @@ export const useAuthStore = create<AuthState>()(
     }
   },
 
-  logout: () => {
+  logout: async () => {
+    // 1. Gate first so any in-flight flush/syncAll bails before we wipe the DB.
+    setAuthed(false)
+    set({ isAuthenticated: false })
+    // 2. Stop background sync triggers (30s interval, WS pre-reconnect hook, listeners).
+    unregisterSyncTriggers()
+    // 3. Tear down the live connection.
     disconnect()
     useSystemNoticeStore.getState().reset()
-    // Tell server to clear the httpOnly cookie
-    fetch('/api/auth/logout', { method: 'POST', credentials: 'include' }).catch(() => {})
-    // Clear service worker caches containing sensitive data
+    // 4. Tell server to clear the httpOnly cookie (best-effort).
+    await fetch('/api/auth/logout', { method: 'POST', credentials: 'include' }).catch(() => {})
+    // 5. Clear service worker caches containing sensitive data.
     if ('caches' in window) {
-      caches.delete('api-data').catch(() => {})
-      caches.delete('user-uploads').catch(() => {})
+      await Promise.all([
+        caches.delete('api-data').catch(() => {}),
+        caches.delete('user-uploads').catch(() => {}),
+      ])
     }
-    // Purge all cached trip data from IndexedDB
-    clearAll().catch(console.error)
+    // 6. Delete this user's scoped IndexedDB and return to the anonymous DB.
+    await deleteCurrentUserDb().catch(console.error)
+    // 7. Finish clearing auth state.
     set({
       user: null,
       isAuthenticated: false,
@@ -189,6 +216,7 @@ export const useAuthStore = create<AuthState>()(
         isAuthenticated: true,
         isLoading: false,
       })
+      await onAuthSuccess(data.user.id)
       connect()
     } catch (err: unknown) {
       if (seq !== authSequence) return // stale response — ignore
@@ -282,6 +310,7 @@ export const useAuthStore = create<AuthState>()(
         demoMode: true,
         error: null,
       })
+      await onAuthSuccess(data.user.id)
       connect()
       return data
     } catch (err: unknown) {

client/src/store/slices/remoteEventHandler.ts

@@ -193,25 +193,34 @@ export function handleRemoteEvent(set: SetState, get: GetState, event: WebSocket
 
       // Assignments
       case 'assignment:created': {
-        const dayKey = String((payload.assignment as Assignment).day_id)
-        const existing = (state.assignments[dayKey] || [])
-        const placeId = (payload.assignment as Assignment).place?.id || (payload.assignment as Assignment).place_id
-        if (existing.some(a => a.id === (payload.assignment as Assignment).id || (placeId && a.place?.id === placeId))) {
-          const hasTempVersion = existing.some(a => a.id < 0 && a.place?.id === placeId)
-          if (hasTempVersion) {
-            return {
-              assignments: {
-                ...state.assignments,
-                [dayKey]: existing.map(a => (a.id < 0 && a.place?.id === placeId) ? payload.assignment as Assignment : a),
-              }
-            }
+        const incoming = payload.assignment as Assignment
+        const dayKey = String(incoming.day_id)
+        const existing = state.assignments[dayKey] || []
+        const placeId = incoming.place?.id ?? incoming.place_id
+
+        // Already have this exact assignment id → duplicate broadcast or the
+        // echo of an already-committed assignment. No-op.
+        if (existing.some(a => a.id === incoming.id)) return {}
+
+        // Reconcile our own optimistic create: replace the temp (negative-id)
+        // assignment of the same place on this day with the real one. Guarded on
+        // a real placeId so an assignment with no place can never collapse onto
+        // another place-less one (undefined === undefined).
+        if (placeId != null) {
+          const tempIdx = existing.findIndex(a => a.id < 0 && a.place?.id === placeId)
+          if (tempIdx !== -1) {
+            const next = existing.slice()
+            next[tempIdx] = incoming
+            return { assignments: { ...state.assignments, [dayKey]: next } }
           }
-          return {}
         }
+
+        // Genuinely new — including a legitimate second assignment of a place
+        // already on this day (no temp version to reconcile). Append.
         return {
           assignments: {
             ...state.assignments,
-            [dayKey]: [...existing, payload.assignment as Assignment],
+            [dayKey]: [...existing, incoming],
           }
         }
       }

client/src/store/tripStore.ts

@@ -7,6 +7,9 @@ import { dayRepo } from '../repo/dayRepo'
 import { placeRepo } from '../repo/placeRepo'
 import { packingRepo } from '../repo/packingRepo'
 import { todoRepo } from '../repo/todoRepo'
+import { budgetRepo } from '../repo/budgetRepo'
+import { reservationRepo } from '../repo/reservationRepo'
+import { fileRepo } from '../repo/fileRepo'
 import { createPlacesSlice } from './slices/placesSlice'
 import { createAssignmentsSlice } from './slices/assignmentsSlice'
 import { createDaysSlice } from './slices/daysSlice'
@@ -61,7 +64,9 @@ export interface TripStoreState
 
   setSelectedDay: (dayId: number | null) => void
   handleRemoteEvent: (event: WebSocketEvent) => void
+  resetTrip: () => void
   loadTrip: (tripId: number | string) => Promise<void>
+  hydrateActiveTrip: (tripId: number | string) => Promise<void>
   refreshDays: (tripId: number | string) => Promise<void>
   updateTrip: (tripId: number | string, data: Partial<Trip>) => Promise<Trip>
   addTag: (data: Partial<Tag> & { name: string }) => Promise<Tag>
@@ -89,15 +94,40 @@ export const useTripStore = create<TripStoreState>((set, get) => ({
 
   handleRemoteEvent: (event: WebSocketEvent) => handleRemoteEvent(set, get, event),
 
+  // Clear every trip-scoped slice so switching trips (or losing access to one)
+  // can never leave a previous trip's data visible. Global tags/categories are
+  // left intact. Called at the top of loadTrip.
+  resetTrip: () => set({
+    trip: null,
+    days: [],
+    places: [],
+    assignments: {},
+    dayNotes: {},
+    packingItems: [],
+    todoItems: [],
+    budgetItems: [],
+    files: [],
+    reservations: [],
+    selectedDayId: null,
+    error: null,
+  }),
+
   loadTrip: async (tripId: number | string) => {
+    get().resetTrip()
     set({ isLoading: true, error: null })
     try {
-      const [tripData, daysData, placesData, packingData, todoData, tagsData, categoriesData] = await Promise.all([
+      const [tripData, daysData, placesData, packingData, todoData, budgetData, reservationsData, filesData, tagsData, categoriesData] = await Promise.all([
         tripRepo.get(tripId),
         dayRepo.list(tripId),
         placeRepo.list(tripId),
         packingRepo.list(tripId),
         todoRepo.list(tripId),
+        // Budget / reservations / files are hydrated here too so the offline
+        // path is uniform (no separate tab-gated effects). Non-fatal: a failure
+        // in any of these must not blank the whole trip.
+        budgetRepo.list(tripId).catch(() => ({ items: [] as BudgetItem[] })),
+        reservationRepo.list(tripId).catch(() => ({ reservations: [] as Reservation[] })),
+        fileRepo.list(tripId).catch(() => ({ files: [] as TripFile[] })),
         navigator.onLine
           ? tagsApi.list().catch(() => offlineDb.tags.toArray().then(tags => ({ tags })))
           : offlineDb.tags.toArray().then(tags => ({ tags })),
@@ -121,6 +151,9 @@ export const useTripStore = create<TripStoreState>((set, get) => ({
         dayNotes: dayNotesMap,
         packingItems: packingData.items,
         todoItems: todoData.items,
+        budgetItems: budgetData.items,
+        reservations: reservationsData.reservations,
+        files: filesData.files,
         tags: tagsData.tags,
         categories: categoriesData.categories,
         isLoading: false,
@@ -132,6 +165,22 @@ export const useTripStore = create<TripStoreState>((set, get) => ({
     }
   },
 
+  // Silently re-fetch the active trip's collaborative state into the store after
+  // the network comes back (WS reconnect or `online` event) so edits missed while
+  // offline appear in place — no splash, no resetTrip. Each resource is
+  // best-effort; a failure on one must not wipe the others.
+  hydrateActiveTrip: async (tripId: number | string) => {
+    await Promise.all([
+      get().refreshDays(tripId),
+      placeRepo.list(tripId).then(d => set({ places: d.places })).catch(() => {}),
+      packingRepo.list(tripId).then(d => set({ packingItems: d.items })).catch(() => {}),
+      todoRepo.list(tripId).then(d => set({ todoItems: d.items })).catch(() => {}),
+      get().loadBudgetItems(tripId),
+      get().loadReservations(tripId),
+      get().loadFiles(tripId),
+    ])
+  },
+
   refreshDays: async (tripId: number | string) => {
     try {
       const daysData = await dayRepo.list(tripId)

client/src/sync/authGate.ts

@@ -0,0 +1,18 @@
+/**
+ * Auth gate — a single boolean the sync layer checks before touching the
+ * offline DB. It lets logout disable all background sync (flush / syncAll /
+ * periodic triggers) *before* awaiting the DB swap, so an in-flight loop can't
+ * re-seed the database after the user has logged out.
+ *
+ * Kept separate from authStore to avoid an import cycle
+ * (authStore → tripSyncManager → authStore).
+ */
+let _authed = false
+
+export function setAuthed(value: boolean): void {
+  _authed = value
+}
+
+export function isAuthed(): boolean {
+  return _authed
+}

client/src/sync/mutationQueue.ts

@@ -7,6 +7,7 @@
  */
 import { offlineDb } from '../db/offlineDb'
 import { apiClient } from '../api/client'
+import { isAuthed } from './authGate'
 import type { QueuedMutation } from '../db/offlineDb'
 import type { Table } from 'dexie'
 
@@ -39,6 +40,27 @@ let _flushing = false
 // Monotonically increasing timestamp so same-millisecond enqueues
 // still get a deterministic FIFO order when sorted by createdAt.
 let _lastTs = 0
+// Monotonic counter for offline temp ids. Date.now() alone collides when two
+// creates land in the same millisecond (bulk import, rapid tapping), which would
+// overwrite one optimistic Dexie row. This guarantees distinct negative ids.
+let _lastTempId = 0
+
+/**
+ * Mint a collision-free temporary (negative) id for an offline-created entity.
+ * Monotonic across the session so same-millisecond creates never collide.
+ */
+export function nextTempId(): number {
+  const now = Date.now()
+  _lastTempId = now > _lastTempId ? now : _lastTempId + 1
+  return -_lastTempId
+}
+
+/** HTTP statuses that should be retried later rather than treated as terminal. */
+function isRetryableStatus(status: number | undefined): boolean {
+  // 401: token expired mid-flush (offline window) — retry after re-auth.
+  // 408/425/429: timeout / too-early / rate-limited — transient.
+  return status === 401 || status === 408 || status === 425 || status === 429
+}
 
 export const mutationQueue = {
   /**
@@ -67,8 +89,12 @@ export const mutationQueue = {
    * 4xx responses are marked failed and skipped.
    */
   async flush(): Promise<void> {
-    if (_flushing || !navigator.onLine) return
+    if (_flushing || !navigator.onLine || !isAuthed()) return
     _flushing = true
+    // tempId → realId learned during this flush, so a dependent edit/delete
+    // queued against an offline-created entity (still holding the negative id)
+    // can be rewritten to the server id before it is replayed.
+    const idMap = new Map<number, number>()
     try {
       const pending = await offlineDb.mutationQueue
         .where('status')
@@ -79,10 +105,32 @@ export const mutationQueue = {
         // Mark as syncing so UI can show progress
         await offlineDb.mutationQueue.update(mutation.id, { status: 'syncing' })
 
+        // Resolve a temp-id reference now that earlier CREATEs in this flush
+        // may have completed (FIFO order guarantees the CREATE ran first).
+        let reqUrl = mutation.url
+        let reqEntityId = mutation.entityId
+        if (mutation.tempEntityId !== undefined) {
+          const realId = idMap.get(mutation.tempEntityId)
+          if (realId !== undefined) {
+            reqUrl = reqUrl.replace('{id}', String(realId))
+            reqEntityId = realId
+          }
+        }
+        // Placeholder still unresolved → the create it depended on is gone
+        // (failed or missing). Surface it as failed rather than firing a 404.
+        if (reqUrl.includes('{id}')) {
+          await offlineDb.mutationQueue.update(mutation.id, {
+            status: 'failed',
+            attempts: mutation.attempts + 1,
+            lastError: 'unresolved temp id (dependent create did not sync)',
+          })
+          continue
+        }
+
         try {
           const response = await apiClient.request({
             method: mutation.method,
-            url: mutation.url,
+            url: reqUrl,
             data: mutation.body,
             headers: { 'X-Idempotency-Key': mutation.id },
           })
@@ -95,31 +143,51 @@ export const mutationQueue = {
               const values = Object.values(response.data as Record<string, unknown>)
               const entity = values[0]
               if (entity && typeof entity === 'object' && 'id' in entity) {
-                // Remove temp optimistic entry if id changed (CREATE case)
-                if (mutation.tempId !== undefined && mutation.tempId !== (entity as { id: number }).id) {
+                const realId = (entity as { id: number }).id
+                // Remove temp optimistic entry if id changed (CREATE case) and
+                // remap any queued mutations that still target the negative id.
+                if (mutation.tempId !== undefined && mutation.tempId !== realId) {
                   await table.delete(mutation.tempId)
+                  idMap.set(mutation.tempId, realId)
+                  // Durable rewrite so dependents survive a flush boundary / reload.
+                  await offlineDb.mutationQueue
+                    .where('tripId')
+                    .equals(mutation.tripId)
+                    .filter(m => m.tempEntityId === mutation.tempId)
+                    .modify(m => {
+                      m.url = m.url.replace('{id}', String(realId))
+                      m.entityId = realId
+                      m.tempEntityId = undefined
+                    })
                 }
                 await table.put(entity)
               }
             }
-          } else if (mutation.method === 'DELETE' && mutation.resource && mutation.entityId !== undefined) {
+          } else if (mutation.method === 'DELETE' && mutation.resource && reqEntityId !== undefined) {
             // DELETE was already applied optimistically; ensure it's gone
             const table = getTable(mutation.resource)
-            if (table) await table.delete(mutation.entityId)
+            if (table) await table.delete(reqEntityId)
           }
 
           await offlineDb.mutationQueue.delete(mutation.id)
         } catch (err: unknown) {
           const httpStatus = (err as { response?: { status: number } })?.response?.status
-          if (httpStatus !== undefined && httpStatus >= 400 && httpStatus < 500) {
-            // Permanent client error — mark failed, continue with next
+          const isTerminal =
+            httpStatus !== undefined && httpStatus >= 400 && httpStatus < 500 && !isRetryableStatus(httpStatus)
+          if (isTerminal) {
+            // Permanent client error — roll back the phantom optimistic CREATE so
+            // it can't masquerade as synced, then mark failed and continue.
+            if (mutation.method !== 'DELETE' && mutation.tempId !== undefined && mutation.resource) {
+              const table = getTable(mutation.resource)
+              if (table) await table.delete(mutation.tempId)
+            }
             await offlineDb.mutationQueue.update(mutation.id, {
               status: 'failed',
               attempts: mutation.attempts + 1,
               lastError: String(err),
             })
           } else {
-            // Network error — reset to pending, abort flush (retry on next trigger)
+            // Network / transient error — reset to pending, abort flush (retry next trigger)
             await offlineDb.mutationQueue.update(mutation.id, {
               status: 'pending',
               attempts: mutation.attempts + 1,
@@ -160,9 +228,19 @@ export const mutationQueue = {
       .count()
   },
 
-  /** Reset internal flushing flag and timestamp counter — useful in tests. */
+  /** Count permanently-failed mutations (surfaced separately so the user knows
+   *  changes were dropped — they are NOT folded into pendingCount). */
+  async failedCount(): Promise<number> {
+    return offlineDb.mutationQueue
+      .where('status')
+      .equals('failed')
+      .count()
+  },
+
+  /** Reset internal flushing flag and timestamp counters — useful in tests. */
   _resetFlushing(): void {
     _flushing = false
     _lastTs = 0
+    _lastTempId = 0
   },
 }

client/src/sync/persistentStorage.ts

@@ -0,0 +1,18 @@
+/**
+ * Ask the browser for persistent storage so our offline data — prefetched map
+ * tiles, cached file blobs, the IndexedDB caches — is exempt from eviction under
+ * storage pressure. Without this the browser may purge tiles right when a
+ * traveler goes offline and needs them (audit H8 / M6).
+ *
+ * Best-effort and idempotent: returns whether persistence is (now) granted.
+ */
+export async function requestPersistentStorage(): Promise<boolean> {
+  try {
+    if (typeof navigator === 'undefined' || !navigator.storage?.persist) return false
+    // Already persisted? Avoid re-prompting where the API distinguishes.
+    if (navigator.storage.persisted && (await navigator.storage.persisted())) return true
+    return await navigator.storage.persist()
+  } catch {
+    return false
+  }
+}

client/src/sync/syncTriggers.ts

@@ -14,17 +14,34 @@
  */
 import { mutationQueue } from './mutationQueue'
 import { tripSyncManager } from './tripSyncManager'
-import { setPreReconnectHook } from '../api/websocket'
+import { setPreReconnectHook, setRefetchCallback, getActiveTrips } from '../api/websocket'
+import { useTripStore } from '../store/tripStore'
 
 const PERIODIC_MS = 30_000
 
 let _intervalId: ReturnType<typeof setInterval> | null = null
 let _registered = false
 
-/** Network came back — flush mutations AND re-seed Dexie for all cacheable trips. */
+/** Pull the latest server state for every open trip into the Zustand store. */
+function rehydrateActiveTrips() {
+  const store = useTripStore.getState()
+  for (const tripId of getActiveTrips()) {
+    store.hydrateActiveTrip(tripId).catch(console.error)
+  }
+}
+
+/**
+ * Network came back — flush local writes first, then re-seed Dexie for all
+ * cacheable trips and re-hydrate the open trip's store so a collaborator's
+ * edits made while we were offline appear without navigating away.
+ */
 function onOnline() {
-  mutationQueue.flush().catch(console.error)
-  tripSyncManager.syncAll().catch(console.error)
+  mutationQueue.flush()
+    .catch(console.error)
+    .finally(() => {
+      tripSyncManager.syncAll().catch(console.error)
+      rehydrateActiveTrips()
+    })
 }
 
 /** Tab became visible — flush only; don't trigger a potentially expensive syncAll. */
@@ -48,6 +65,11 @@ export function registerSyncTriggers(): void {
   // WS reconnect: flush mutations only — no syncAll to avoid triggering rate
   // limiters when the socket drops and reconnects while the device is online.
   setPreReconnectHook(() => mutationQueue.flush())
+  // After the reconnect flush, pull canonical state for the open trip back into
+  // the store (the WS layer awaits the flush hook before invoking this).
+  setRefetchCallback(tripId => {
+    useTripStore.getState().hydrateActiveTrip(tripId).catch(console.error)
+  })
 
   window.addEventListener('online', onOnline)
   document.addEventListener('visibilitychange', onVisibility)
@@ -59,6 +81,7 @@ export function unregisterSyncTriggers(): void {
   _registered = false
 
   setPreReconnectHook(null)
+  setRefetchCallback(null)
   window.removeEventListener('online', onOnline)
   document.removeEventListener('visibilitychange', onVisibility)
   if (_intervalId !== null) {

client/src/sync/tilePrefetcher.ts

@@ -17,11 +17,18 @@ import { offlineDb, upsertSyncMeta } from '../db/offlineDb'
 
 // ── Constants ─────────────────────────────────────────────────────────────────
 
-/** Estimated average tile size in KB (road/transit tiles ~15 KB). */
+/** Estimated average tile size in KB (raster basemap tiles ~15 KB). */
 const AVG_TILE_KB = 15
 
-/** Hard cap: ~50 MB worth of tiles. */
-export const MAX_TILES = Math.floor((50 * 1024) / AVG_TILE_KB) // ≈ 3413
+/**
+ * Hard cap on prefetched tiles (~180 MB).
+ *
+ * MUST stay in sync with the Workbox 'map-tiles' `maxEntries` in
+ * client/vite.config.js (kept equal). If this budget exceeds the SW cache size,
+ * the LRU evicts freshly-prefetched tiles on arrival and the offline map goes
+ * blank — which is exactly the bug this value was raised (from ~3413) to fix.
+ */
+export const MAX_TILES = Math.floor((180 * 1024) / AVG_TILE_KB) // = 12288
 
 const DEFAULT_TILE_URL =
   'https://{s}.basemaps.cartocdn.com/light_all/{z}/{x}/{y}{r}.png'
@@ -177,15 +184,16 @@ export async function prefetchTilesForTrip(
   const bbox = computeBbox(places)
   if (!bbox) return
 
-  // Size guard: if total tile count across all zooms exceeds cap, skip
-  const estimated = countTiles(bbox, 10, 16)
-  if (estimated > MAX_TILES) {
-    console.warn(
-      `[tilePrefetch] trip ${tripId}: estimated ${estimated} tiles exceeds cap (${MAX_TILES}), skipping`,
-    )
-    return
-  }
-
+  // Zoom-clamp rather than skip: prefetchTiles fills zooms low→high and stops
+  // once MAX_TILES is reached, so large (region / road-trip) bboxes still get
+  // their lower zooms cached instead of being skipped entirely.
+  //
+  // NOTE: opaque (no-cors) tile responses are padded by Chromium to ~7 MB each
+  // for quota accounting, so the real on-disk budget is far below 180 MB. We
+  // keep no-cors deliberately: switching to cors would break self-hosted/custom
+  // tile providers that don't send CORS headers. To stop the browser evicting
+  // these tiles under the inflated quota, we request persistent storage at app
+  // init instead (sync/persistentStorage.ts).
   const fetched = await prefetchTiles(bbox, template)
 
   // Update syncMeta with bbox and tile count

client/src/sync/tripSyncManager.ts

@@ -27,8 +27,10 @@ import {
   upsertCategories,
   upsertSyncMeta,
   clearTripData,
+  enforceBlobBudget,
 } from '../db/offlineDb'
 import { prefetchTilesForTrip } from './tilePrefetcher'
+import { isAuthed } from './authGate'
 import { useSettingsStore } from '../store/settingsStore'
 import type { Trip, Day, Place, PackingItem, TodoItem, BudgetItem, Reservation, TripFile, Accommodation, TripMember } from '../types'
 
@@ -108,13 +110,16 @@ async function cacheFilesForTrip(files: TripFile[]): Promise<void> {
       const resp = await fetch(file.url!, { credentials: 'include' })
       if (!resp.ok) continue
       const blob = await resp.blob()
-      await offlineDb.blobCache.put({ url: file.url!, blob, mime: file.mime_type, cachedAt: Date.now() })
+      await offlineDb.blobCache.put({ url: file.url!, tripId: file.trip_id, blob, bytes: blob.size, mime: file.mime_type, cachedAt: Date.now() })
       cached++
     } catch {
       // Network failure — skip this file, will retry next sync
     }
   }
 
+  // Keep the blob cache within its size/count budget after adding new files.
+  if (cached > 0) await enforceBlobBudget().catch(() => {})
+
   // Update filesCachedCount in syncMeta
   const tripId = files[0]?.trip_id
   if (tripId) {
@@ -134,7 +139,7 @@ export const tripSyncManager = {
    * No-ops when offline.
    */
   async syncAll(): Promise<void> {
-    if (_syncing || !navigator.onLine) return
+    if (_syncing || !navigator.onLine || !isAuthed()) return
     _syncing = true
     try {
       const { trips } = await tripsApi.list() as { trips: Trip[] }

client/tests/unit/db/offlineDb.test.ts

@@ -23,6 +23,10 @@ import {
   upsertReservations,
   upsertTripFiles,
   upsertSyncMeta,
+  reopenForUser,
+  reopenAnonymous,
+  deleteCurrentUserDb,
+  enforceBlobBudget,
   type QueuedMutation,
   type SyncMeta,
   type BlobCacheEntry,
@@ -81,6 +85,15 @@ const makePlace = (id: number, tripId = 1): Place => ({
   created_at: '2026-01-01T00:00:00Z',
 });
 
+const makeBlob = (url: string, tripId = 1, bytes = 10, cachedAt = 1): BlobCacheEntry => ({
+  url,
+  tripId,
+  blob: new Blob(['x'.repeat(bytes)], { type: 'application/pdf' }),
+  bytes,
+  mime: 'application/pdf',
+  cachedAt,
+});
+
 // ── Lifecycle ─────────────────────────────────────────────────────────────────
 
 beforeEach(async () => {
@@ -220,7 +233,9 @@ describe('offlineDb — blobCache', () => {
     const blob = new Blob(['%PDF-1.4 test'], { type: 'application/pdf' });
     const entry: BlobCacheEntry = {
       url: '/api/files/99/download',
+      tripId: 1,
       blob,
+      bytes: blob.size,
       mime: 'application/pdf',
       cachedAt: Date.now(),
     };
@@ -231,6 +246,49 @@ describe('offlineDb — blobCache', () => {
     expect(stored!.mime).toBe('application/pdf');
     expect(stored!.blob).toBeDefined();
   });
+
+  it('queries blobs by tripId index', async () => {
+    await offlineDb.blobCache.bulkPut([
+      makeBlob('/api/files/1/download', 1),
+      makeBlob('/api/files/2/download', 1),
+      makeBlob('/api/files/3/download', 2),
+    ]);
+    const trip1 = await offlineDb.blobCache.where('tripId').equals(1).toArray();
+    expect(trip1).toHaveLength(2);
+  });
+});
+
+describe('offlineDb — enforceBlobBudget', () => {
+  it('evicts oldest-by-cachedAt entries past the count budget', async () => {
+    // 5 entries with strictly increasing cachedAt; cap to 3.
+    for (let i = 0; i < 5; i++) {
+      await offlineDb.blobCache.put(makeBlob(`/api/files/${i}/download`, 1, 10, i + 1));
+    }
+    await enforceBlobBudget(3, Infinity);
+
+    expect(await offlineDb.blobCache.count()).toBe(3);
+    // Oldest two (cachedAt 1 and 2) are gone; newest survive.
+    expect(await offlineDb.blobCache.get('/api/files/0/download')).toBeUndefined();
+    expect(await offlineDb.blobCache.get('/api/files/1/download')).toBeUndefined();
+    expect(await offlineDb.blobCache.get('/api/files/4/download')).toBeDefined();
+  });
+
+  it('evicts oldest entries past the byte budget', async () => {
+    // 3 entries of 100 bytes each; cap to 250 bytes → newest two (200) survive.
+    for (let i = 0; i < 3; i++) {
+      await offlineDb.blobCache.put(makeBlob(`/api/files/${i}/download`, 1, 100, i + 1));
+    }
+    await enforceBlobBudget(Infinity, 250);
+
+    expect(await offlineDb.blobCache.count()).toBe(2);
+    expect(await offlineDb.blobCache.get('/api/files/0/download')).toBeUndefined();
+  });
+
+  it('is a no-op when already within budget', async () => {
+    await offlineDb.blobCache.put(makeBlob('/api/files/1/download', 1));
+    await enforceBlobBudget(10, Infinity);
+    expect(await offlineDb.blobCache.count()).toBe(1);
+  });
 });
 
 describe('offlineDb — clearTripData', () => {
@@ -241,9 +299,12 @@ describe('offlineDb — clearTripData', () => {
     const item: PackingItem = { id: 5, trip_id: 1, name: 'Towel', category: null, checked: 0, sort_order: 0, quantity: 1 };
     await upsertPackingItems([item]);
 
+    await offlineDb.blobCache.put(makeBlob('/api/files/1/download', 1));
+
     // Also add data for a different trip — should NOT be removed
     await upsertTrip(makeTrip(2));
     await upsertDays([makeDay(99, 2)]);
+    await offlineDb.blobCache.put(makeBlob('/api/files/2/download', 2));
 
     await clearTripData(1);
 
@@ -251,10 +312,12 @@ describe('offlineDb — clearTripData', () => {
     expect(await offlineDb.days.where('trip_id').equals(1).count()).toBe(0);
     expect(await offlineDb.places.where('trip_id').equals(1).count()).toBe(0);
     expect(await offlineDb.packingItems.where('trip_id').equals(1).count()).toBe(0);
+    expect(await offlineDb.blobCache.where('tripId').equals(1).count()).toBe(0);
 
     // Trip 2 intact
     expect(await offlineDb.trips.get(2)).toBeDefined();
     expect(await offlineDb.days.where('trip_id').equals(2).count()).toBe(1);
+    expect(await offlineDb.blobCache.get('/api/files/2/download')).toBeDefined();
   });
 });
 
@@ -271,3 +334,37 @@ describe('offlineDb — clearAll', () => {
     expect(await offlineDb.places.count()).toBe(0);
   });
 });
+
+describe('offlineDb — per-user scoping (B4)', () => {
+  afterEach(async () => {
+    // Leave the suite on the anonymous DB so other tests are unaffected.
+    await reopenAnonymous();
+  });
+
+  it('isolates one user\'s cached data from another', async () => {
+    await reopenForUser(1);
+    await upsertPlaces([makePlace(10, 1)]);
+    expect(await offlineDb.places.count()).toBe(1);
+
+    // Switching users must not expose user 1's rows.
+    await reopenForUser(2);
+    expect(await offlineDb.places.count()).toBe(0);
+
+    // Switching back restores user 1's data (different physical DB).
+    await reopenForUser(1);
+    expect(await offlineDb.places.get(10)).toBeDefined();
+  });
+
+  it('deleteCurrentUserDb wipes the user DB and returns to anonymous', async () => {
+    await reopenForUser(5);
+    await upsertPlaces([makePlace(20, 1)]);
+
+    await deleteCurrentUserDb();
+    // Now on the anonymous DB — no user data.
+    expect(await offlineDb.places.count()).toBe(0);
+
+    // Re-opening user 5 starts empty (DB was deleted, not just detached).
+    await reopenForUser(5);
+    expect(await offlineDb.places.count()).toBe(0);
+  });
+});

client/tests/unit/remoteEventHandler/assignments.test.ts

@@ -2,6 +2,7 @@ import { describe, it, expect, beforeEach } from 'vitest';
 import { useTripStore } from '../../../src/store/tripStore';
 import { resetAllStores } from '../../helpers/store';
 import { buildDay, buildAssignment, buildPlace } from '../../helpers/factories';
+import type { Assignment } from '../../../src/types';
 
 beforeEach(() => {
   resetAllStores();
@@ -50,6 +51,58 @@ describe('remoteEventHandler > assignments', () => {
     expect(assignments['10'][0].id).toBe(500);
   });
 
+  it('FE-WSEVT-ASSIGN-003b: a second assignment of an already-present place is NOT suppressed (H11)', () => {
+    const place = buildPlace({ id: 55 });
+    useTripStore.setState({
+      days: [buildDay({ id: 10 })],
+      // A committed (positive-id) assignment of place 55 already on the day.
+      assignments: { '10': [buildAssignment({ id: 100, day_id: 10, place, place_id: place.id })] },
+    });
+    // A legitimately new, distinct assignment of the same place arrives.
+    const second = buildAssignment({ id: 300, day_id: 10, place, place_id: place.id });
+    useTripStore.getState().handleRemoteEvent({ type: 'assignment:created', assignment: second });
+    const { assignments } = useTripStore.getState();
+    expect(assignments['10']).toHaveLength(2);
+    expect(assignments['10'].map(a => a.id).sort((x, y) => x - y)).toEqual([100, 300]);
+  });
+
+  it('FE-WSEVT-ASSIGN-003c: temp reconciliation replaces only the matching place, not a sibling temp (H11)', () => {
+    const place55 = buildPlace({ id: 55 });
+    const place66 = buildPlace({ id: 66 });
+    useTripStore.setState({
+      days: [buildDay({ id: 10 })],
+      assignments: {
+        '10': [
+          buildAssignment({ id: -1, day_id: 10, place: place55, place_id: 55 }),
+          buildAssignment({ id: -2, day_id: 10, place: place66, place_id: 66 }),
+        ],
+      },
+    });
+    const real = buildAssignment({ id: 500, day_id: 10, place: place55, place_id: 55 });
+    useTripStore.getState().handleRemoteEvent({ type: 'assignment:created', assignment: real });
+    const { assignments } = useTripStore.getState();
+    const ids = assignments['10'].map(a => a.id);
+    expect(assignments['10']).toHaveLength(2);
+    expect(ids).toContain(500);   // temp 55 reconciled to real
+    expect(ids).toContain(-2);    // sibling temp 66 untouched
+    expect(ids).not.toContain(-1);
+  });
+
+  it('FE-WSEVT-ASSIGN-003d: place-less assignments do not collapse onto each other (H11)', () => {
+    // Defensive: a malformed event lacking place data must not let the
+    // `place?.id === placeId` reconciliation match undefined === undefined.
+    const placeless = (id: number): Assignment =>
+      ({ ...buildAssignment({ id, day_id: 10 }), place: undefined, place_id: undefined } as unknown as Assignment);
+    useTripStore.setState({
+      days: [buildDay({ id: 10 })],
+      assignments: { '10': [placeless(-1)] },
+    });
+    useTripStore.getState().handleRemoteEvent({ type: 'assignment:created', assignment: placeless(700) });
+    const { assignments } = useTripStore.getState();
+    // No placeId → no reconcile; both survive as distinct rows (no collapse).
+    expect(assignments['10']).toHaveLength(2);
+  });
+
   it('FE-WSEVT-ASSIGN-004: assignment:updated merges updated data into correct day', () => {
     seedData();
     const updated = buildAssignment({ id: 100, day_id: 10, notes: 'Updated notes' });

client/tests/unit/repo/placeRepo.test.ts

@@ -64,6 +64,20 @@ describe('placeRepo.list', () => {
     const result = await placeRepo.list(99);
     expect(result.places).toHaveLength(0);
   });
+
+  it('online but request fails — falls back to Dexie cache (captive portal)', async () => {
+    // navigator.onLine lies "true" on a captive portal; the request throws.
+    const place = buildPlace({ trip_id: 1 });
+    await offlineDb.places.put(place);
+
+    server.use(
+      http.get('/api/trips/1/places', () => HttpResponse.error()),
+    );
+
+    const result = await placeRepo.list(1);
+    expect(result.places).toHaveLength(1);
+    expect(result.places[0].id).toBe(place.id);
+  });
 });
 
 describe('placeRepo.create', () => {

client/tests/unit/repo/withOfflineFallback.test.ts

@@ -0,0 +1,76 @@
+/**
+ * onlineThenCache — the read-through fallback shared by every repo (H2).
+ *
+ * Branches:
+ *   - navigator offline → cache only (skip the request)
+ *   - online but the request fails at the network level → fall back to cache
+ *   - online but the server returns an HTTP error → rethrow (don't mask)
+ *   - online and the request succeeds → return it, skip cache
+ */
+import { describe, it, expect, beforeEach, afterEach, vi } from 'vitest';
+import { onlineThenCache } from '../../../src/repo/withOfflineFallback';
+
+beforeEach(() => {
+  Object.defineProperty(navigator, 'onLine', { value: true, writable: true, configurable: true });
+});
+
+afterEach(() => {
+  vi.restoreAllMocks();
+});
+
+describe('onlineThenCache', () => {
+  it('returns the online result when online', async () => {
+    const online = vi.fn().mockResolvedValue('online');
+    const cache = vi.fn().mockResolvedValue('cache');
+
+    expect(await onlineThenCache(online, cache)).toBe('online');
+    expect(online).toHaveBeenCalledOnce();
+    expect(cache).not.toHaveBeenCalled();
+  });
+
+  it('reads the cache without calling online when navigator is offline', async () => {
+    Object.defineProperty(navigator, 'onLine', { value: false });
+    const online = vi.fn().mockResolvedValue('online');
+    const cache = vi.fn().mockResolvedValue('cache');
+
+    expect(await onlineThenCache(online, cache)).toBe('cache');
+    expect(online).not.toHaveBeenCalled();
+  });
+
+  it('falls back to the cache on a network-level failure (no HTTP response)', async () => {
+    // Axios network error: the request never reached the server (captive portal).
+    const netErr = Object.assign(new Error('Network Error'), { isAxiosError: true, response: undefined });
+    const online = vi.fn().mockRejectedValue(netErr);
+    const cache = vi.fn().mockResolvedValue('cache');
+
+    expect(await onlineThenCache(online, cache)).toBe('cache');
+    expect(online).toHaveBeenCalledOnce();
+    expect(cache).toHaveBeenCalledOnce();
+  });
+
+  it('rethrows a genuine HTTP error (server responded) instead of masking it', async () => {
+    // 404/403/500 mean the server replied — callers must see it, not a stale cache.
+    const httpErr = Object.assign(new Error('Not Found'), { isAxiosError: true, response: { status: 404 } });
+    const online = vi.fn().mockRejectedValue(httpErr);
+    const cache = vi.fn().mockResolvedValue('cache');
+
+    await expect(onlineThenCache(online, cache)).rejects.toThrow('Not Found');
+    expect(cache).not.toHaveBeenCalled();
+  });
+
+  it('rethrows a non-Axios error rather than swallowing it', async () => {
+    const online = vi.fn().mockRejectedValue(new Error('bug'));
+    const cache = vi.fn().mockResolvedValue('cache');
+
+    await expect(onlineThenCache(online, cache)).rejects.toThrow('bug');
+    expect(cache).not.toHaveBeenCalled();
+  });
+
+  it('propagates a cache error (e.g. nothing cached) when online also failed', async () => {
+    Object.defineProperty(navigator, 'onLine', { value: false });
+    const online = vi.fn().mockResolvedValue('online');
+    const cache = vi.fn().mockRejectedValue(new Error('No cached data'));
+
+    await expect(onlineThenCache(online, cache)).rejects.toThrow('No cached data');
+  });
+});

client/tests/unit/stores/authStore.test.ts

@@ -105,10 +105,10 @@ describe('authStore', () => {
   });
 
   describe('FE-AUTH-006: logout', () => {
-    it('calls disconnect() and clears user state', () => {
+    it('calls disconnect() and clears user state', async () => {
       useAuthStore.setState({ user: buildUser(), isAuthenticated: true });
 
-      useAuthStore.getState().logout();
+      await useAuthStore.getState().logout();
       const state = useAuthStore.getState();
 
       expect(disconnect).toHaveBeenCalledOnce();
@@ -441,10 +441,10 @@ describe('authStore', () => {
   });
 
   describe('FE-STORE-AUTH-PERSIST-001: logout resets persisted snapshot', () => {
-    it('snapshot has isAuthenticated:false after logout (PWA offline will redirect to login)', () => {
+    it('snapshot has isAuthenticated:false after logout (PWA offline will redirect to login)', async () => {
       useAuthStore.setState({ user: buildUser(), isAuthenticated: true });
 
-      useAuthStore.getState().logout();
+      await useAuthStore.getState().logout();
 
       const snapshot = JSON.parse(localStorage.getItem('trek_auth_snapshot') ?? '{}');
       expect(snapshot?.state?.isAuthenticated).toBe(false);

client/tests/unit/sync/mutationQueue.test.ts

@@ -8,18 +8,22 @@ import { describe, it, expect, beforeEach, afterEach, vi } from 'vitest';
 import 'fake-indexeddb/auto';
 import { server } from '../../helpers/msw/server';
 import { http, HttpResponse } from 'msw';
-import { mutationQueue, generateUUID } from '../../../src/sync/mutationQueue';
+import { setAuthed } from '../../../src/sync/authGate';
+import { mutationQueue, generateUUID, nextTempId } from '../../../src/sync/mutationQueue';
 import { offlineDb, clearAll } from '../../../src/db/offlineDb';
+import { placeRepo } from '../../../src/repo/placeRepo';
 import { buildPlace, buildPackingItem } from '../../helpers/factories';
 
 beforeEach(async () => {
   await clearAll();
   mutationQueue._resetFlushing();
+  setAuthed(true);
   Object.defineProperty(navigator, 'onLine', { value: true, writable: true, configurable: true });
 });
 
 afterEach(() => {
   vi.restoreAllMocks();
+  setAuthed(false);
 });
 
 // ── helpers ──────────────────────────────────────────────────────────────────
@@ -214,6 +218,25 @@ describe('mutationQueue.flush — offline guard', () => {
     const m = await offlineDb.mutationQueue.get(id);
     expect(m!.status).toBe('pending');
   });
+
+  it('does nothing when logged out (auth gate closed)', async () => {
+    setAuthed(false);
+    const id = generateUUID();
+    await mutationQueue.enqueue(makeMutation({ id }));
+
+    let called = false;
+    server.use(
+      http.post('/api/trips/1/places', () => {
+        called = true;
+        return HttpResponse.json({ place: buildPlace({ trip_id: 1 }) });
+      }),
+    );
+
+    await mutationQueue.flush();
+    expect(called).toBe(false);
+    const m = await offlineDb.mutationQueue.get(id);
+    expect(m!.status).toBe('pending');
+  });
 });
 
 // ── pending / pendingCount ────────────────────────────────────────────────────
@@ -265,3 +288,177 @@ describe('mutationQueue.pendingCount', () => {
     expect(await mutationQueue.pendingCount()).toBe(2);
   });
 });
+
+describe('mutationQueue.failedCount', () => {
+  it('counts only failed mutations (not pending/syncing)', async () => {
+    const id1 = generateUUID();
+    const id2 = generateUUID();
+    await mutationQueue.enqueue(makeMutation({ id: id1 }));
+    await mutationQueue.enqueue(makeMutation({ id: id2 }));
+    await offlineDb.mutationQueue.update(id2, { status: 'failed' });
+
+    expect(await mutationQueue.failedCount()).toBe(1);
+    expect(await mutationQueue.pendingCount()).toBe(1);
+  });
+});
+
+// ── B2: collision-free temp ids ────────────────────────────────────────────────
+
+describe('nextTempId (B2)', () => {
+  it('returns distinct negative ids even within the same millisecond', () => {
+    mutationQueue._resetFlushing();
+    const a = nextTempId();
+    const b = nextTempId();
+    const c = nextTempId();
+    expect(a).toBeLessThan(0);
+    expect(new Set([a, b, c]).size).toBe(3);
+  });
+
+  it('two tight offline creates produce two distinct Dexie rows', async () => {
+    Object.defineProperty(navigator, 'onLine', { value: false });
+    await placeRepo.create(1, { name: 'First' });
+    await placeRepo.create(1, { name: 'Second' });
+
+    const rows = await offlineDb.places.where('trip_id').equals(1).toArray();
+    expect(rows).toHaveLength(2);
+    expect(rows.map(r => r.name).sort()).toEqual(['First', 'Second']);
+  });
+});
+
+// ── B1: temp-id → real-id remapping ─────────────────────────────────────────────
+
+describe('mutationQueue.flush — temp-id remapping (B1)', () => {
+  it('rewrites a dependent PUT/DELETE to the real id within one flush', async () => {
+    const tempId = -1;
+    await offlineDb.places.put({ ...buildPlace({ trip_id: 1 }), id: tempId });
+
+    const createId = generateUUID();
+    const putId = generateUUID();
+    const deleteId = generateUUID();
+
+    await mutationQueue.enqueue({
+      id: createId, tripId: 1, method: 'POST', url: '/trips/1/places',
+      body: { name: 'Temp' }, resource: 'places', tempId,
+    });
+    await mutationQueue.enqueue({
+      id: putId, tripId: 1, method: 'PUT', url: '/trips/1/places/{id}',
+      body: { name: 'Edited' }, resource: 'places', entityId: tempId, tempEntityId: tempId,
+    });
+    await mutationQueue.enqueue({
+      id: deleteId, tripId: 1, method: 'DELETE', url: '/trips/1/places/{id}',
+      body: undefined, resource: 'places', entityId: tempId, tempEntityId: tempId,
+    });
+
+    const putUrls: string[] = [];
+    const deleteUrls: string[] = [];
+    server.use(
+      http.post('/api/trips/1/places', () => HttpResponse.json({ place: buildPlace({ trip_id: 1, id: 42 }) })),
+      http.put('/api/trips/1/places/:id', ({ params }) => { putUrls.push(String(params.id)); return HttpResponse.json({ place: buildPlace({ trip_id: 1, id: 42, name: 'Edited' }) }); }),
+      http.delete('/api/trips/1/places/:id', ({ params }) => { deleteUrls.push(String(params.id)); return HttpResponse.json({ success: true }); }),
+    );
+
+    await mutationQueue.flush();
+
+    expect(putUrls).toEqual(['42']);
+    expect(deleteUrls).toEqual(['42']);
+    expect(await mutationQueue.pendingCount()).toBe(0);
+    expect(await mutationQueue.failedCount()).toBe(0);
+  });
+
+  it('durably rewrites a still-queued dependent after the CREATE flushes alone', async () => {
+    const tempId = -7;
+    await offlineDb.places.put({ ...buildPlace({ trip_id: 1 }), id: tempId });
+
+    const createId = generateUUID();
+    const putId = generateUUID();
+    await mutationQueue.enqueue({
+      id: createId, tripId: 1, method: 'POST', url: '/trips/1/places',
+      body: { name: 'Temp' }, resource: 'places', tempId,
+    });
+    await mutationQueue.enqueue({
+      id: putId, tripId: 1, method: 'PUT', url: '/trips/1/places/{id}',
+      body: { name: 'Edited' }, resource: 'places', entityId: tempId, tempEntityId: tempId,
+    });
+
+    // Only the CREATE succeeds this round; the PUT errors out (network) and stays queued.
+    let putAttempts = 0;
+    server.use(
+      http.post('/api/trips/1/places', () => HttpResponse.json({ place: buildPlace({ trip_id: 1, id: 88 }) })),
+      http.put('/api/trips/1/places/:id', () => { putAttempts++; return HttpResponse.error(); }),
+    );
+
+    await mutationQueue.flush();
+
+    const queuedPut = await offlineDb.mutationQueue.get(putId);
+    expect(queuedPut).toBeDefined();
+    expect(queuedPut!.url).toBe('/trips/1/places/88');
+    expect(queuedPut!.entityId).toBe(88);
+    expect(queuedPut!.tempEntityId).toBeUndefined();
+    expect(putAttempts).toBeGreaterThanOrEqual(1);
+  });
+
+  it('marks an orphaned dependent (placeholder never resolved) as failed', async () => {
+    const putId = generateUUID();
+    await mutationQueue.enqueue({
+      id: putId, tripId: 1, method: 'PUT', url: '/trips/1/places/{id}',
+      body: { name: 'Edited' }, resource: 'places', entityId: -999, tempEntityId: -999,
+    });
+
+    await mutationQueue.flush();
+
+    const m = await offlineDb.mutationQueue.get(putId);
+    expect(m!.status).toBe('failed');
+  });
+});
+
+// ── B3: terminal rollback + retryable classification ────────────────────────────
+
+describe('mutationQueue.flush — failure handling (B3)', () => {
+  it('rolls back the phantom optimistic row on a terminal 400 CREATE', async () => {
+    const tempId = -3;
+    await offlineDb.places.put({ ...buildPlace({ trip_id: 1 }), id: tempId });
+
+    const id = generateUUID();
+    await mutationQueue.enqueue(makeMutation({ id, tempId }));
+
+    server.use(
+      http.post('/api/trips/1/places', () => HttpResponse.json({ error: 'Bad' }, { status: 400 })),
+    );
+
+    await mutationQueue.flush();
+
+    expect(await offlineDb.places.get(tempId)).toBeUndefined();
+    const m = await offlineDb.mutationQueue.get(id);
+    expect(m!.status).toBe('failed');
+  });
+
+  it('treats 429 as retryable: resets to pending and stops the flush', async () => {
+    const id = generateUUID();
+    await mutationQueue.enqueue(makeMutation({ id }));
+
+    server.use(
+      http.post('/api/trips/1/places', () => HttpResponse.json({ error: 'slow down' }, { status: 429 })),
+    );
+
+    await mutationQueue.flush();
+
+    const m = await offlineDb.mutationQueue.get(id);
+    expect(m!.status).toBe('pending');
+    expect(m!.attempts).toBe(1);
+    expect(await mutationQueue.failedCount()).toBe(0);
+  });
+
+  it('treats 401 as retryable rather than dropping the change', async () => {
+    const id = generateUUID();
+    await mutationQueue.enqueue(makeMutation({ id }));
+
+    server.use(
+      http.post('/api/trips/1/places', () => HttpResponse.json({ error: 'AUTH_REQUIRED' }, { status: 401 })),
+    );
+
+    await mutationQueue.flush();
+
+    const m = await offlineDb.mutationQueue.get(id);
+    expect(m!.status).toBe('pending');
+  });
+});

client/tests/unit/sync/persistentStorage.test.ts

@@ -0,0 +1,47 @@
+/**
+ * requestPersistentStorage (H8 / M6) — best-effort persistent storage request
+ * so prefetched tiles / file blobs / IndexedDB aren't evicted under pressure.
+ */
+import { describe, it, expect, afterEach, vi } from 'vitest';
+import { requestPersistentStorage } from '../../../src/sync/persistentStorage';
+
+const original = (navigator as Navigator & { storage?: StorageManager }).storage;
+
+afterEach(() => {
+  Object.defineProperty(navigator, 'storage', { value: original, configurable: true });
+  vi.restoreAllMocks();
+});
+
+function stubStorage(storage: unknown) {
+  Object.defineProperty(navigator, 'storage', { value: storage, configurable: true });
+}
+
+describe('requestPersistentStorage', () => {
+  it('requests persistence when not already granted', async () => {
+    const persist = vi.fn().mockResolvedValue(true);
+    const persisted = vi.fn().mockResolvedValue(false);
+    stubStorage({ persist, persisted });
+
+    expect(await requestPersistentStorage()).toBe(true);
+    expect(persist).toHaveBeenCalledOnce();
+  });
+
+  it('skips the prompt when already persisted', async () => {
+    const persist = vi.fn().mockResolvedValue(true);
+    const persisted = vi.fn().mockResolvedValue(true);
+    stubStorage({ persist, persisted });
+
+    expect(await requestPersistentStorage()).toBe(true);
+    expect(persist).not.toHaveBeenCalled();
+  });
+
+  it('returns false (no throw) when the API is unavailable', async () => {
+    stubStorage(undefined);
+    expect(await requestPersistentStorage()).toBe(false);
+  });
+
+  it('returns false (no throw) when persist rejects', async () => {
+    stubStorage({ persist: vi.fn().mockRejectedValue(new Error('denied')) });
+    expect(await requestPersistentStorage()).toBe(false);
+  });
+});

client/tests/unit/sync/syncTriggers.test.ts

@@ -0,0 +1,76 @@
+/**
+ * syncTriggers — reconnect/online wiring (H1).
+ *
+ * Verifies the previously-dead refetch path is wired: on WS reconnect and on the
+ * `online` event the active trip's store is re-hydrated (after the queue flush).
+ */
+import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
+
+const flush = vi.fn(() => Promise.resolve());
+const syncAll = vi.fn(() => Promise.resolve());
+const hydrate = vi.fn(() => Promise.resolve());
+
+let refetchCb: ((tripId: string) => void) | null = null;
+let preReconnect: (() => Promise<void>) | null = null;
+
+vi.mock('../../../src/sync/mutationQueue', () => ({
+  mutationQueue: { flush: () => flush() },
+}));
+vi.mock('../../../src/sync/tripSyncManager', () => ({
+  tripSyncManager: { syncAll: () => syncAll() },
+}));
+vi.mock('../../../src/api/websocket', () => ({
+  setPreReconnectHook: (fn: (() => Promise<void>) | null) => { preReconnect = fn; },
+  setRefetchCallback: (fn: ((tripId: string) => void) | null) => { refetchCb = fn; },
+  getActiveTrips: () => ['7'],
+}));
+vi.mock('../../../src/store/tripStore', () => ({
+  useTripStore: { getState: () => ({ hydrateActiveTrip: hydrate }) },
+}));
+
+import { registerSyncTriggers, unregisterSyncTriggers } from '../../../src/sync/syncTriggers';
+
+const flushMicrotasks = async () => {
+  for (let i = 0; i < 5; i++) await Promise.resolve();
+};
+
+beforeEach(() => {
+  flush.mockClear(); syncAll.mockClear(); hydrate.mockClear();
+  refetchCb = null; preReconnect = null;
+  Object.defineProperty(navigator, 'onLine', { value: true, writable: true, configurable: true });
+});
+
+afterEach(() => {
+  unregisterSyncTriggers();
+});
+
+describe('syncTriggers', () => {
+  it('registers a refetch callback that hydrates the active trip', () => {
+    registerSyncTriggers();
+    expect(refetchCb).toBeTypeOf('function');
+    refetchCb!('7');
+    expect(hydrate).toHaveBeenCalledWith('7');
+  });
+
+  it('also registers the pre-reconnect flush hook', () => {
+    registerSyncTriggers();
+    expect(preReconnect).toBeTypeOf('function');
+  });
+
+  it('clears both reconnect hooks on unregister', () => {
+    registerSyncTriggers();
+    unregisterSyncTriggers();
+    expect(refetchCb).toBeNull();
+    expect(preReconnect).toBeNull();
+  });
+
+  it('online event flushes, then re-seeds Dexie and re-hydrates active trips', async () => {
+    registerSyncTriggers();
+    window.dispatchEvent(new Event('online'));
+    await flushMicrotasks();
+
+    expect(flush).toHaveBeenCalled();
+    expect(syncAll).toHaveBeenCalled();
+    expect(hydrate).toHaveBeenCalledWith('7');
+  });
+});

client/tests/unit/sync/tilePrefetcher.test.ts

@@ -207,17 +207,42 @@ describe('prefetchTilesForTrip', () => {
     expect(meta!.tilesBbox).toHaveLength(4);
   });
 
-  it('skips prefetch when estimated tiles exceed MAX_TILES', async () => {
+  it('zoom-clamps instead of skipping when the bbox exceeds MAX_TILES', async () => {
     await upsertSyncMeta({ tripId: 1, lastSyncedAt: Date.now(), status: 'idle', tilesBbox: null, filesCachedCount: 0 });
 
-    // Places far apart → huge bbox → estimate > MAX_TILES
+    // ~4° road-trip span: low zooms fit the budget, high zooms (z14+) blow past
+    // it. The old guard skipped the whole trip; now we keep what fits.
     const places = [
-      buildPlace({ trip_id: 1, lat: -60, lng: -170 }),
-      buildPlace({ trip_id: 1, lat: 60, lng: 170 }),
+      buildPlace({ trip_id: 1, lat: 45.0, lng: 0.0 }),
+      buildPlace({ trip_id: 1, lat: 49.0, lng: 4.0 }),
     ];
     await prefetchTilesForTrip(1, places, 'https://{s}.example.com/{z}/{x}/{y}.png');
 
-    // No fetches should have been made
-    expect(vi.mocked(fetch)).not.toHaveBeenCalled();
+    // Previously this skipped entirely; now it prefetches a clamped subset.
+    const calls = vi.mocked(fetch).mock.calls.length;
+    expect(calls).toBeGreaterThan(0);
+    expect(calls).toBeLessThanOrEqual(MAX_TILES);
+  });
+
+  it('prefetches a region-sized (0.5°) trip that the old all-or-nothing guard would have skipped', async () => {
+    await upsertSyncMeta({ tripId: 1, lastSyncedAt: Date.now(), status: 'idle', tilesBbox: null, filesCachedCount: 0 });
+
+    const places = [
+      buildPlace({ trip_id: 1, lat: 48.6, lng: 2.1 }),
+      buildPlace({ trip_id: 1, lat: 49.1, lng: 2.6 }),
+    ];
+    await prefetchTilesForTrip(1, places, 'https://{s}.example.com/{z}/{x}/{y}.png');
+
+    const calls = vi.mocked(fetch).mock.calls.length;
+    expect(calls).toBeGreaterThan(0);
+    expect(calls).toBeLessThanOrEqual(MAX_TILES);
+  });
+});
+
+// ── cap coherence ───────────────────────────────────────────────────────────────
+
+describe('MAX_TILES budget', () => {
+  it('matches the Workbox map-tiles maxEntries in vite.config.js (drift guard)', () => {
+    expect(MAX_TILES).toBe(12288);
   });
 });

client/tests/unit/sync/tripSyncManager.test.ts

@@ -9,6 +9,7 @@ import 'fake-indexeddb/auto';
 import { server } from '../../helpers/msw/server';
 import { http, HttpResponse } from 'msw';
 import { tripSyncManager } from '../../../src/sync/tripSyncManager';
+import { setAuthed } from '../../../src/sync/authGate';
 import { offlineDb, clearAll, upsertTrip } from '../../../src/db/offlineDb';
 import {
   buildTrip,
@@ -45,6 +46,7 @@ function makeBundle(tripId: number) {
 beforeEach(async () => {
   await clearAll();
   tripSyncManager._resetSyncing();
+  setAuthed(true);
   Object.defineProperty(navigator, 'onLine', { value: true, writable: true, configurable: true });
   // Stub fetch for blob caching (used by cacheFilesForTrip)
   vi.stubGlobal('fetch', vi.fn().mockResolvedValue({
@@ -56,6 +58,19 @@ beforeEach(async () => {
 afterEach(() => {
   vi.restoreAllMocks();
   vi.unstubAllGlobals();
+  setAuthed(false);
+});
+
+describe('tripSyncManager.syncAll — auth gate (B4)', () => {
+  it('no-ops when logged out (gate closed)', async () => {
+    setAuthed(false);
+    let called = false;
+    server.use(
+      http.get('/api/trips', () => { called = true; return HttpResponse.json({ trips: [] }); }),
+    );
+    await tripSyncManager.syncAll();
+    expect(called).toBe(false);
+  });
 });
 
 // ── offline guard ─────────────────────────────────────────────────────────────

client/tests/unit/tripStore.test.ts

@@ -2,7 +2,7 @@ import { describe, it, expect, beforeEach, vi } from 'vitest';
 import { http, HttpResponse } from 'msw';
 import { useTripStore } from '../../src/store/tripStore';
 import { resetAllStores } from '../helpers/store';
-import { buildTrip, buildDay, buildPlace, buildPackingItem, buildTodoItem, buildTag, buildCategory, buildAssignment, buildDayNote } from '../helpers/factories';
+import { buildTrip, buildDay, buildPlace, buildPackingItem, buildTodoItem, buildTag, buildCategory, buildAssignment, buildDayNote, buildBudgetItem, buildReservation, buildTripFile } from '../helpers/factories';
 import { server } from '../helpers/msw/server';
 
 vi.mock('../../src/api/websocket', () => ({
@@ -21,6 +21,28 @@ beforeEach(() => {
   resetAllStores();
 });
 
+/** Full set of MSW handlers for one trip's loadTrip fan-out. */
+function tripHandlers(
+  id: number,
+  data: {
+    budget?: unknown[]; reservations?: unknown[]; files?: unknown[];
+    tags?: unknown[]; categories?: unknown[];
+  },
+) {
+  return [
+    http.get(`/api/trips/${id}`, () => HttpResponse.json({ trip: buildTrip({ id }) })),
+    http.get(`/api/trips/${id}/days`, () => HttpResponse.json({ days: [] })),
+    http.get(`/api/trips/${id}/places`, () => HttpResponse.json({ places: [] })),
+    http.get(`/api/trips/${id}/packing`, () => HttpResponse.json({ items: [] })),
+    http.get(`/api/trips/${id}/todo`, () => HttpResponse.json({ items: [] })),
+    http.get(`/api/trips/${id}/budget`, () => HttpResponse.json({ items: data.budget ?? [] })),
+    http.get(`/api/trips/${id}/reservations`, () => HttpResponse.json({ reservations: data.reservations ?? [] })),
+    http.get(`/api/trips/${id}/files`, () => HttpResponse.json({ files: data.files ?? [] })),
+    http.get('/api/tags', () => HttpResponse.json({ tags: data.tags ?? [] })),
+    http.get('/api/categories', () => HttpResponse.json({ categories: data.categories ?? [] })),
+  ];
+}
+
 describe('tripStore', () => {
   describe('loadTrip', () => {
     it('FE-TRIP-001: fires parallel API calls for trips, days, places, packing, todo, tags, categories', async () => {
@@ -178,6 +200,97 @@ describe('tripStore', () => {
       expect(state.isLoading).toBe(false);
       expect(state.error).not.toBeNull();
     });
+
+    it('FE-TRIP-H5: loadTrip uniformly hydrates budget, reservations and files', async () => {
+      const budgetItem = buildBudgetItem({ trip_id: 1 });
+      const reservation = buildReservation({ trip_id: 1 });
+      const file = buildTripFile({ trip_id: 1 });
+      server.use(...tripHandlers(1, { budget: [budgetItem], reservations: [reservation], files: [file] }));
+
+      await useTripStore.getState().loadTrip(1);
+      const state = useTripStore.getState();
+
+      expect(state.budgetItems).toEqual([budgetItem]);
+      expect(state.reservations).toEqual([reservation]);
+      expect(state.files).toEqual([file]);
+    });
+
+    it('FE-TRIP-H4: switching trips does not leak budget/reservations/files from the previous trip', async () => {
+      // Trip 1 has budget/reservations/files; trip 2 has none.
+      server.use(...tripHandlers(1, {
+        budget: [buildBudgetItem({ trip_id: 1 })],
+        reservations: [buildReservation({ trip_id: 1 })],
+        files: [buildTripFile({ trip_id: 1 })],
+      }));
+      await useTripStore.getState().loadTrip(1);
+      expect(useTripStore.getState().budgetItems).toHaveLength(1);
+
+      server.use(...tripHandlers(2, {}));
+      await useTripStore.getState().loadTrip(2);
+      const state = useTripStore.getState();
+
+      expect(state.trip!.id).toBe(2);
+      expect(state.budgetItems).toEqual([]);
+      expect(state.reservations).toEqual([]);
+      expect(state.files).toEqual([]);
+    });
+
+    it('FE-TRIP-H4b: resetTrip clears every trip-scoped slice but keeps tags/categories', async () => {
+      server.use(...tripHandlers(1, {
+        budget: [buildBudgetItem({ trip_id: 1 })],
+        reservations: [buildReservation({ trip_id: 1 })],
+        files: [buildTripFile({ trip_id: 1 })],
+        tags: [buildTag()],
+      }));
+      await useTripStore.getState().loadTrip(1);
+      expect(useTripStore.getState().budgetItems).toHaveLength(1);
+
+      useTripStore.getState().resetTrip();
+      const state = useTripStore.getState();
+
+      expect(state.trip).toBeNull();
+      expect(state.places).toEqual([]);
+      expect(state.budgetItems).toEqual([]);
+      expect(state.reservations).toEqual([]);
+      expect(state.files).toEqual([]);
+      expect(state.selectedDayId).toBeNull();
+      // Global lookups survive a trip reset.
+      expect(state.tags).toHaveLength(1);
+    });
+  });
+
+  describe('hydrateActiveTrip', () => {
+    const loadHandlers = (places: unknown[] = [], budget: unknown[] = []) => [
+      http.get('/api/trips/1', () => HttpResponse.json({ trip: buildTrip({ id: 1 }) })),
+      http.get('/api/trips/1/days', () => HttpResponse.json({ days: [] })),
+      http.get('/api/trips/1/places', () => HttpResponse.json({ places })),
+      http.get('/api/trips/1/packing', () => HttpResponse.json({ items: [] })),
+      http.get('/api/trips/1/todo', () => HttpResponse.json({ items: [] })),
+      http.get('/api/trips/1/budget', () => HttpResponse.json({ items: budget })),
+      http.get('/api/trips/1/reservations', () => HttpResponse.json({ reservations: [] })),
+      http.get('/api/trips/1/files', () => HttpResponse.json({ files: [] })),
+      http.get('/api/tags', () => HttpResponse.json({ tags: [] })),
+      http.get('/api/categories', () => HttpResponse.json({ categories: [] })),
+    ];
+
+    it('FE-TRIP-H1: silently refreshes resources without resetting or splashing', async () => {
+      server.use(...loadHandlers());
+      await useTripStore.getState().loadTrip(1);
+      expect(useTripStore.getState().trip!.id).toBe(1);
+
+      // New collaborative state arrives (as if edited by someone while we were offline).
+      const place = buildPlace({ trip_id: 1 });
+      const budgetItem = buildBudgetItem({ trip_id: 1 });
+      server.use(...loadHandlers([place], [budgetItem]));
+
+      await useTripStore.getState().hydrateActiveTrip(1);
+      const state = useTripStore.getState();
+
+      expect(state.places).toEqual([place]);
+      expect(state.budgetItems).toEqual([budgetItem]);
+      expect(state.trip!.id).toBe(1);      // trip not reset
+      expect(state.isLoading).toBe(false); // no splash toggled
+    });
   });
 
   describe('refreshDays', () => {

client/vite.config.js

@@ -15,21 +15,25 @@ export default defineConfig({
         runtimeCaching: [
           {
             // Carto map tiles (default provider)
+            // maxEntries MUST stay >= MAX_TILES in src/sync/tilePrefetcher.ts
+            // (both are 12288) so prefetched tiles aren't evicted on arrival.
             urlPattern: /^https:\/\/[a-d]\.basemaps\.cartocdn\.com\/.*/i,
             handler: 'CacheFirst',
             options: {
               cacheName: 'map-tiles',
-              expiration: { maxEntries: 1000, maxAgeSeconds: 30 * 24 * 60 * 60 },
+              expiration: { maxEntries: 12288, maxAgeSeconds: 30 * 24 * 60 * 60 },
               cacheableResponse: { statuses: [0, 200] },
             },
           },
           {
             // OpenStreetMap tiles (fallback / alternative)
+            // Shares the 'map-tiles' cache; keep maxEntries equal to the Carto
+            // rule above and MAX_TILES in src/sync/tilePrefetcher.ts (12288).
             urlPattern: /^https:\/\/[a-c]\.tile\.openstreetmap\.org\/.*/i,
             handler: 'CacheFirst',
             options: {
               cacheName: 'map-tiles',
-              expiration: { maxEntries: 1000, maxAgeSeconds: 30 * 24 * 60 * 60 },
+              expiration: { maxEntries: 12288, maxAgeSeconds: 30 * 24 * 60 * 60 },
               cacheableResponse: { statuses: [0, 200] },
             },
           },
@@ -44,17 +48,32 @@ export default defineConfig({
             },
           },
           {
-            // API calls — prefer network, fall back to cache
-            // Exclude sensitive endpoints (auth, admin, backup, settings)
-            urlPattern: /\/api\/(?!auth|admin|backup|settings|health).*/i,
-            handler: 'NetworkFirst',
+            // Mapbox GL style, glyphs, sprites and vector tiles. Best-effort
+            // offline only: opportunistically caches what the user has already
+            // viewed online. Full pre-download offline maps require the Leaflet
+            // renderer (raster prefetch in tilePrefetcher.ts) — the GL vector
+            // pipeline is not prefetched. StaleWhileRevalidate keeps the basemap
+            // fresh online while still serving from cache when offline. Mapbox
+            // sends CORS, so responses are non-opaque (real 200s, no quota pad).
+            urlPattern: /^https:\/\/(api\.mapbox\.com|[a-d]\.tiles\.mapbox\.com)\/.*/i,
+            handler: 'StaleWhileRevalidate',
             options: {
-              cacheName: 'api-data',
-              expiration: { maxEntries: 200, maxAgeSeconds: 24 * 60 * 60 },
-              networkTimeoutSeconds: 5,
+              cacheName: 'mapbox-tiles',
+              expiration: { maxEntries: 3000, maxAgeSeconds: 30 * 24 * 60 * 60 },
               cacheableResponse: { statuses: [200] },
             },
           },
+          {
+            // API calls — network only. We deliberately do NOT cache API
+            // responses in the Service Worker: Workbox keys entries by URL and
+            // cannot vary on the httpOnly session cookie, so a shared device
+            // could serve one user's cached data to the next (cross-user leak).
+            // Offline reads are served from the per-user IndexedDB cache via the
+            // repo layer instead. The urlPattern is kept so these requests still
+            // bypass the SPA navigation fallback.
+            urlPattern: /\/api\/(?!auth|admin|backup|settings|health).*/i,
+            handler: 'NetworkOnly',
+          },
           {
             // Uploaded files (photos, covers — public assets only)
             urlPattern: /\/uploads\/(?:covers|avatars)\/.*/i,

package-lock.json

@@ -15231,9 +15231,9 @@
       }
     },
     "node_modules/tsx/node_modules/@esbuild/aix-ppc64": {
-      "version": "0.28.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/aix-ppc64/-/aix-ppc64-0.28.0.tgz",
-      "integrity": "sha512-lhRUCeuOyJQURhTxl4WkpFTjIsbDayJHih5kZC1giwE+MhIzAb7mEsQMqMf18rHLsrb5qI1tafG20mLxEWcWlA==",
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/aix-ppc64/-/aix-ppc64-0.28.1.tgz",
+      "integrity": "sha512-Svl7tq8k/08+p6CXPpRjQ1fKX+1odH/BQbb48fV6fj3CWHhsoIOoY87w1oHXm0qEpkIK3ZfVgp0hed3XBXzXMQ==",
       "cpu": [
         "ppc64"
       ],
@@ -15247,9 +15247,9 @@
       }
     },
     "node_modules/tsx/node_modules/@esbuild/android-arm": {
-      "version": "0.28.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/android-arm/-/android-arm-0.28.0.tgz",
-      "integrity": "sha512-wqh0ByljabXLKHeWXYLqoJ5jKC4XBaw6Hk08OfMrCRd2nP2ZQ5eleDZC41XHyCNgktBGYMbqnrJKq/K/lzPMSQ==",
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/android-arm/-/android-arm-0.28.1.tgz",
+      "integrity": "sha512-0k2F129Xdio1TdJfzJ8sy1Q47vUD2NnwdhiAf7drUN1EBTfPf4hsFCtmMgu/6m8JSzsBrlmVjudMBQqOfG8usQ==",
       "cpu": [
         "arm"
       ],
@@ -15263,9 +15263,9 @@
       }
     },
     "node_modules/tsx/node_modules/@esbuild/android-arm64": {
-      "version": "0.28.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/android-arm64/-/android-arm64-0.28.0.tgz",
-      "integrity": "sha512-+WzIXQOSaGs33tLEgYPYe/yQHf0WTU0X42Jca3y8NWMbUVhp7rUnw+vAsRC/QiDrdD31IszMrZy+qwPOPjd+rw==",
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/android-arm64/-/android-arm64-0.28.1.tgz",
+      "integrity": "sha512-34EGEbCIAgosYz6goLcopX6Mo7NyGv9tfwEM2/7Ce2VcVRk568iSvniGWcUXIy7wEDR1wzolcxcriFVrWYcwBg==",
       "cpu": [
         "arm64"
       ],
@@ -15279,9 +15279,9 @@
       }
     },
     "node_modules/tsx/node_modules/@esbuild/android-x64": {
-      "version": "0.28.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/android-x64/-/android-x64-0.28.0.tgz",
-      "integrity": "sha512-+VJggoaKhk2VNNqVL7f6S189UzShHC/mR9EE8rDdSkdpN0KflSwWY/gWjDrNxxisg8Fp1ZCD9jLMo4m0OUfeUA==",
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/android-x64/-/android-x64-0.28.1.tgz",
+      "integrity": "sha512-dbwY7ltSMDWsRatcRpCnES4F+im88OCUgGZjy52shC7GqHRE/cYlxNbB4Z4UpJswpcc4Qxd2oE/ufM0p61IKng==",
       "cpu": [
         "x64"
       ],
@@ -15295,9 +15295,9 @@
       }
     },
     "node_modules/tsx/node_modules/@esbuild/darwin-arm64": {
-      "version": "0.28.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/darwin-arm64/-/darwin-arm64-0.28.0.tgz",
-      "integrity": "sha512-0T+A9WZm+bZ84nZBtk1ckYsOvyA3x7e2Acj1KdVfV4/2tdG4fzUp91YHx+GArWLtwqp77pBXVCPn2We7Letr0Q==",
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/darwin-arm64/-/darwin-arm64-0.28.1.tgz",
+      "integrity": "sha512-TZbWkQY7kvTAXbXUT7uVACR5cMHsDiSz9z7ZKAX/RTq/WJEk3QyRr0wZpNhBDX+/0CtdqUIJlOiodQcta6tY3Q==",
       "cpu": [
         "arm64"
       ],
@@ -15311,9 +15311,9 @@
       }
     },
     "node_modules/tsx/node_modules/@esbuild/darwin-x64": {
-      "version": "0.28.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/darwin-x64/-/darwin-x64-0.28.0.tgz",
-      "integrity": "sha512-fyzLm/DLDl/84OCfp2f/XQ4flmORsjU7VKt8HLjvIXChJoFFOIL6pLJPH4Yhd1n1gGFF9mPwtlN5Wf82DZs+LQ==",
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/darwin-x64/-/darwin-x64-0.28.1.tgz",
+      "integrity": "sha512-zfdzgK9ACBNZLI/CyHTOx81SyNbM6YXn7rxSgX97VjyiPl9W1i4Ka4fgKECEoFCKGpvBj5qArWIGgQjOwkgskQ==",
       "cpu": [
         "x64"
       ],
@@ -15327,9 +15327,9 @@
       }
     },
     "node_modules/tsx/node_modules/@esbuild/freebsd-arm64": {
-      "version": "0.28.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-arm64/-/freebsd-arm64-0.28.0.tgz",
-      "integrity": "sha512-l9GeW5UZBT9k9brBYI+0WDffcRxgHQD8ShN2Ur4xWq/NFzUKm3k5lsH4PdaRgb2w7mI9u61nr2gI2mLI27Nh3Q==",
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-arm64/-/freebsd-arm64-0.28.1.tgz",
+      "integrity": "sha512-wG2EA8ENdEI0qhkSZMjfqrdY+ziCYCPMmtZjjIwOmXFjmyzEHn+UUxk5of+SYsjtfs3VpnlC7QLzSI5hY/rOAw==",
       "cpu": [
         "arm64"
       ],
@@ -15343,9 +15343,9 @@
       }
     },
     "node_modules/tsx/node_modules/@esbuild/freebsd-x64": {
-      "version": "0.28.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-x64/-/freebsd-x64-0.28.0.tgz",
-      "integrity": "sha512-BXoQai/A0wPO6Es3yFJ7APCiKGc1tdAEOgeTNy3SsB491S3aHn4S4r3e976eUnPdU+NbdtmBuLncYir2tMU9Nw==",
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/freebsd-x64/-/freebsd-x64-0.28.1.tgz",
+      "integrity": "sha512-i7dZ9vQgnvSCzi/rYCXNgtF/U+eKZNJBzu3eTQbRgHnM7tNSizLOkRFAl3qzVc/Op/u5YkHHa4pf/3DOYHthLQ==",
       "cpu": [
         "x64"
       ],
@@ -15359,9 +15359,9 @@
       }
     },
     "node_modules/tsx/node_modules/@esbuild/linux-arm": {
-      "version": "0.28.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm/-/linux-arm-0.28.0.tgz",
-      "integrity": "sha512-CjaaREJagqJp7iTaNQjjidaNbCKYcd4IDkzbwwxtSvjI7NZm79qiHc8HqciMddQ6CKvJT6aBd8lO9kN/ZudLlw==",
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm/-/linux-arm-0.28.1.tgz",
+      "integrity": "sha512-qVXBOHQS+d5Y722GwJzJUtOLlX7km3CraOaGormF1pDtPd2C/l1SHRPgjLunLGe51Sh5YYWKMFDyV4SxgMQYTQ==",
       "cpu": [
         "arm"
       ],
@@ -15375,9 +15375,9 @@
       }
     },
     "node_modules/tsx/node_modules/@esbuild/linux-arm64": {
-      "version": "0.28.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm64/-/linux-arm64-0.28.0.tgz",
-      "integrity": "sha512-RVyzfb3FWsGA55n6WY0MEIEPURL1FcbhFE6BffZEMEekfCzCIMtB5yyDcFnVbTnwk+CLAgTujmV/Lgvih56W+A==",
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-arm64/-/linux-arm64-0.28.1.tgz",
+      "integrity": "sha512-yHs+0uc8+nvEAfAfxrWQKK5peSNzBc4PegcMO0EJ2hT71uA7vB8Ihg2e77R2P7SG5uYjPbHlLLmve4LLLRCf0g==",
       "cpu": [
         "arm64"
       ],
@@ -15391,9 +15391,9 @@
       }
     },
     "node_modules/tsx/node_modules/@esbuild/linux-ia32": {
-      "version": "0.28.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-ia32/-/linux-ia32-0.28.0.tgz",
-      "integrity": "sha512-KBnSTt1kxl9x70q+ydterVdl+Cn0H18ngRMRCEQfrbqdUuntQQ0LoMZv47uB97NljZFzY6HcfqEZ2SAyIUTQBQ==",
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-ia32/-/linux-ia32-0.28.1.tgz",
+      "integrity": "sha512-d1z4ZuP0ajrfz/FhGT4vv278rX8KnPPJx8i5+AtK7TYbx9Le9F1hyzurZpkEyjkGa9dUGhQow4C1NmeGvqxN2w==",
       "cpu": [
         "ia32"
       ],
@@ -15407,9 +15407,9 @@
       }
     },
     "node_modules/tsx/node_modules/@esbuild/linux-loong64": {
-      "version": "0.28.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-loong64/-/linux-loong64-0.28.0.tgz",
-      "integrity": "sha512-zpSlUce1mnxzgBADvxKXX5sl8aYQHo2ezvMNI8I0lbblJtp8V4odlm3Yzlj7gPyt3T8ReksE6bK+pT3WD+aJRg==",
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-loong64/-/linux-loong64-0.28.1.tgz",
+      "integrity": "sha512-M5sRjUVZrkm1OAPR3dlOYzNmN+loZKGVi1VUQGrwuqLcbR6qeAz+famMhjASeH3YVKvZz+zT1jlh/keC3Rj/lg==",
       "cpu": [
         "loong64"
       ],
@@ -15423,9 +15423,9 @@
       }
     },
     "node_modules/tsx/node_modules/@esbuild/linux-mips64el": {
-      "version": "0.28.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-mips64el/-/linux-mips64el-0.28.0.tgz",
-      "integrity": "sha512-2jIfP6mmjkdmeTlsX/9vmdmhBmKADrWqN7zcdtHIeNSCH1SqIoNI63cYsjQR8J+wGa4Y5izRcSHSm8K3QWmk3w==",
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-mips64el/-/linux-mips64el-0.28.1.tgz",
+      "integrity": "sha512-mRObBZeHh2OxcBFPWE/FjylkRgZdYuiTR3vaTozquCGOH14iP9oN4x4Ge81CoIDYQrXmIxpFumJBu5MtZpnQJQ==",
       "cpu": [
         "mips64el"
       ],
@@ -15439,9 +15439,9 @@
       }
     },
     "node_modules/tsx/node_modules/@esbuild/linux-ppc64": {
-      "version": "0.28.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-ppc64/-/linux-ppc64-0.28.0.tgz",
-      "integrity": "sha512-bc0FE9wWeC0WBm49IQMPSPILRocGTQt3j5KPCA8os6VprfuJ7KD+5PzESSrJ6GmPIPJK965ZJHTUlSA6GNYEhg==",
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-ppc64/-/linux-ppc64-0.28.1.tgz",
+      "integrity": "sha512-slScBsMAb3GFDcdrCgLwZtPYRoH2H/youv10QiZyRjmsP48fznoveWytSgCI/R0ZcUgpc0ZhIUEx6LHts8yrfQ==",
       "cpu": [
         "ppc64"
       ],
@@ -15455,9 +15455,9 @@
       }
     },
     "node_modules/tsx/node_modules/@esbuild/linux-riscv64": {
-      "version": "0.28.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-riscv64/-/linux-riscv64-0.28.0.tgz",
-      "integrity": "sha512-SQPZOwoTTT/HXFXQJG/vBX8sOFagGqvZyXcgLA3NhIqcBv1BJU1d46c0rGcrij2B56Z2rNiSLaZOYW5cUk7yLQ==",
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-riscv64/-/linux-riscv64-0.28.1.tgz",
+      "integrity": "sha512-kw0owk1o0GFETUJyW0jc0G4Yzs0BHZn0JDZ8JRT088vjJYX777BAs1fDGxAC+q831qOs2DTC96mNsG2opdfyyQ==",
       "cpu": [
         "riscv64"
       ],
@@ -15471,9 +15471,9 @@
       }
     },
     "node_modules/tsx/node_modules/@esbuild/linux-s390x": {
-      "version": "0.28.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-s390x/-/linux-s390x-0.28.0.tgz",
-      "integrity": "sha512-SCfR0HN8CEEjnYnySJTd2cw0k9OHB/YFzt5zgJEwa+wL/T/raGWYMBqwDNAC6dqFKmJYZoQBRfHjgwLHGSrn3Q==",
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-s390x/-/linux-s390x-0.28.1.tgz",
+      "integrity": "sha512-/lAIjX8aYFRByhh6L5rYtPEDRqa9de/4V/juOXcta5frjvzXO4/sqEtyytse0g3zZFuWu5cDN0MkLz2qRDD2Ag==",
       "cpu": [
         "s390x"
       ],
@@ -15487,9 +15487,9 @@
       }
     },
     "node_modules/tsx/node_modules/@esbuild/linux-x64": {
-      "version": "0.28.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/linux-x64/-/linux-x64-0.28.0.tgz",
-      "integrity": "sha512-us0dSb9iFxIi8srnpl931Nvs65it/Jd2a2K3qs7fz2WfGPHqzfzZTfec7oxZJRNPXPnNYZtanmRc4AL/JwVzHQ==",
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/linux-x64/-/linux-x64-0.28.1.tgz",
+      "integrity": "sha512-u/anNYF2mmVOEDwLtnQ1wOr3EZ9sTNGLWrsYGYwHWzGA3Si84IOkHXlbWTD1NB+9/1lcnweYKO54uhxZydNzfA==",
       "cpu": [
         "x64"
       ],
@@ -15503,9 +15503,9 @@
       }
     },
     "node_modules/tsx/node_modules/@esbuild/netbsd-arm64": {
-      "version": "0.28.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-arm64/-/netbsd-arm64-0.28.0.tgz",
-      "integrity": "sha512-CR/RYotgtCKwtftMwJlUU7xCVNg3lMYZ0RzTmAHSfLCXw3NtZtNpswLEj/Kkf6kEL3Gw+BpOekRX0BYCtklhUw==",
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-arm64/-/netbsd-arm64-0.28.1.tgz",
+      "integrity": "sha512-oks0DYbLwWMmaakTsCb+zL4E+aHRVLom9IJZOAthMQEPiQmydXHkziYEsGYRx0uNV/IjEKGAV941JzH02pflqw==",
       "cpu": [
         "arm64"
       ],
@@ -15519,9 +15519,9 @@
       }
     },
     "node_modules/tsx/node_modules/@esbuild/netbsd-x64": {
-      "version": "0.28.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-x64/-/netbsd-x64-0.28.0.tgz",
-      "integrity": "sha512-nU1yhmYutL+fQ71Kxnhg8uEOdC0pwEW9entHykTgEbna2pw2dkbFSMeqjjyHZoCmt8SBkOSvV+yNmm94aUrrqw==",
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/netbsd-x64/-/netbsd-x64-0.28.1.tgz",
+      "integrity": "sha512-aeL6lAnN89Hz43Mlh1G8ARasbuoYvSITDEx0tHh5b7jJnHcssqgjy9Yx430GDpmCa6OyrKoS0aNRjKundRizGg==",
       "cpu": [
         "x64"
       ],
@@ -15535,9 +15535,9 @@
       }
     },
     "node_modules/tsx/node_modules/@esbuild/openbsd-arm64": {
-      "version": "0.28.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-arm64/-/openbsd-arm64-0.28.0.tgz",
-      "integrity": "sha512-cXb5vApOsRsxsEl4mcZ1XY3D4DzcoMxR/nnc4IyqYs0rTI8ZKmW6kyyg+11Z8yvgMfAEldKzP7AdP64HnSC/6g==",
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-arm64/-/openbsd-arm64-0.28.1.tgz",
+      "integrity": "sha512-MEFJe5C3R8pwXdZ5Y21oo6m7ePiS0d9pWucn99O/wvyJZChoIQKrQDxKrGeW8F5+T0okTHesAmDeiHDTIq0V/Q==",
       "cpu": [
         "arm64"
       ],
@@ -15551,9 +15551,9 @@
       }
     },
     "node_modules/tsx/node_modules/@esbuild/openbsd-x64": {
-      "version": "0.28.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-x64/-/openbsd-x64-0.28.0.tgz",
-      "integrity": "sha512-8wZM2qqtv9UP3mzy7HiGYNH/zjTA355mpeuA+859TyR+e+Tc08IHYpLJuMsfpDJwoLo1ikIJI8jC3GFjnRClzA==",
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/openbsd-x64/-/openbsd-x64-0.28.1.tgz",
+      "integrity": "sha512-i/ZLIOafE0Z8cI/XANJAixoJL/uRAoS2xOA3rb0xN+KK0K177cMAsQYkzHtBrtMXAKuAc7HGgcWiZ/sRC1Nxgw==",
       "cpu": [
         "x64"
       ],
@@ -15567,9 +15567,9 @@
       }
     },
     "node_modules/tsx/node_modules/@esbuild/openharmony-arm64": {
-      "version": "0.28.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/openharmony-arm64/-/openharmony-arm64-0.28.0.tgz",
-      "integrity": "sha512-FLGfyizszcef5C3YtoyQDACyg95+dndv79i2EekILBofh5wpCa1KuBqOWKrEHZg3zrL3t5ouE5jgr94vA+Wb2w==",
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/openharmony-arm64/-/openharmony-arm64-0.28.1.tgz",
+      "integrity": "sha512-ge+Z7EXFNt2BO1oAMsVpiQ8EwndV9i1xXerAeTIK7AtPs3bKFXQM7nlRxDSIUIMeueR1CNXxqztLzdNeReKBJg==",
       "cpu": [
         "arm64"
       ],
@@ -15583,9 +15583,9 @@
       }
     },
     "node_modules/tsx/node_modules/@esbuild/sunos-x64": {
-      "version": "0.28.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/sunos-x64/-/sunos-x64-0.28.0.tgz",
-      "integrity": "sha512-1ZgjUoEdHZZl/YlV76TSCz9Hqj9h9YmMGAgAPYd+q4SicWNX3G5GCyx9uhQWSLcbvPW8Ni7lj4gDa1T40akdlw==",
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/sunos-x64/-/sunos-x64-0.28.1.tgz",
+      "integrity": "sha512-BEjgtECkL3vY+SaSQ6nzVfiALUeFxpawyp8Jmf5PtYhf1Ug40N1h/hxlhts+f1FvSvarEigdxS3BlSMI2PJLcQ==",
       "cpu": [
         "x64"
       ],
@@ -15599,9 +15599,9 @@
       }
     },
     "node_modules/tsx/node_modules/@esbuild/win32-arm64": {
-      "version": "0.28.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/win32-arm64/-/win32-arm64-0.28.0.tgz",
-      "integrity": "sha512-Q9StnDmQ/enxnpxCCLSg0oo4+34B9TdXpuyPeTedN/6+iXBJ4J+zwfQI28u/Jl40nOYAxGoNi7mFP40RUtkmUA==",
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/win32-arm64/-/win32-arm64-0.28.1.tgz",
+      "integrity": "sha512-lCv9eK/H6ZJWbE7bh2nw54CZ9M2nupBxJcTsdk/QQnWkdSjKGuxmmH8/GWrlT1eMmZfn4dGcCjRte397WqfQXA==",
       "cpu": [
         "arm64"
       ],
@@ -15615,9 +15615,9 @@
       }
     },
     "node_modules/tsx/node_modules/@esbuild/win32-ia32": {
-      "version": "0.28.0",
-      "resolved": "https://registry.npmjs.org/@esbuild/win32-ia32/-/win32-ia32-0.28.0.tgz",
-      "integrity": "sha512-zF3ag/gfiCe6U2iczcRzSYJKH1DCI+ByzSENHlM2FcDbEeo5Zd2C86Aq0tKUYAJJ1obRP84ymxIAksZUcdztHA==",
+      "version": "0.28.1",
+      "resolved": "https://registry.npmjs.org/@esbuild/win32-ia32/-/win32-ia32-0.28.1.tgz",
+      "integrity": "sha512-zvb/mB2bSCoJOpoCBgYKKpX6YM6mJBlBUVUtVj41DlZJVEB6/0CKlRYxP5wWl1C1ILiCoAU5wZZ4q1P3qeS6Eg==",
       "cpu": [
         "ia32"
       ],
@@ -15631,7 +15631,7 @@
       }
     },
     "node_modules/tsx/node_modules/@esbuild/win32-x64": {
-      "version": "0.28.0",
+      "version": "0.28.1",
       "cpu": [
         "x64"
       ],
@@ -15642,10 +15642,12 @@
       ],
       "engines": {
         "node": ">=18"
-      }
+      },
+      "resolved": "https://registry.npmjs.org/@esbuild/win32-x64/-/win32-x64-0.28.1.tgz",
+      "integrity": "sha512-bm4Mowrv+GXMlpWX++EcXw/iLyd1o3+bJkC2DkWXYVvgZCqD/bSj9ctZeAMC3cIxgjRVR2Dufaiu4YPxr5gW1A=="
     },
     "node_modules/tsx/node_modules/esbuild": {
-      "version": "0.28.0",
+      "version": "0.28.1",
       "hasInstallScript": true,
       "license": "MIT",
       "bin": {
@@ -15655,33 +15657,35 @@
         "node": ">=18"
       },
       "optionalDependencies": {
-        "@esbuild/aix-ppc64": "0.28.0",
-        "@esbuild/android-arm": "0.28.0",
-        "@esbuild/android-arm64": "0.28.0",
-        "@esbuild/android-x64": "0.28.0",
-        "@esbuild/darwin-arm64": "0.28.0",
-        "@esbuild/darwin-x64": "0.28.0",
-        "@esbuild/freebsd-arm64": "0.28.0",
-        "@esbuild/freebsd-x64": "0.28.0",
-        "@esbuild/linux-arm": "0.28.0",
-        "@esbuild/linux-arm64": "0.28.0",
-        "@esbuild/linux-ia32": "0.28.0",
-        "@esbuild/linux-loong64": "0.28.0",
-        "@esbuild/linux-mips64el": "0.28.0",
-        "@esbuild/linux-ppc64": "0.28.0",
-        "@esbuild/linux-riscv64": "0.28.0",
-        "@esbuild/linux-s390x": "0.28.0",
-        "@esbuild/linux-x64": "0.28.0",
-        "@esbuild/netbsd-arm64": "0.28.0",
-        "@esbuild/netbsd-x64": "0.28.0",
-        "@esbuild/openbsd-arm64": "0.28.0",
-        "@esbuild/openbsd-x64": "0.28.0",
-        "@esbuild/openharmony-arm64": "0.28.0",
-        "@esbuild/sunos-x64": "0.28.0",
-        "@esbuild/win32-arm64": "0.28.0",
-        "@esbuild/win32-ia32": "0.28.0",
-        "@esbuild/win32-x64": "0.28.0"
-      }
+        "@esbuild/aix-ppc64": "0.28.1",
+        "@esbuild/android-arm": "0.28.1",
+        "@esbuild/android-arm64": "0.28.1",
+        "@esbuild/android-x64": "0.28.1",
+        "@esbuild/darwin-arm64": "0.28.1",
+        "@esbuild/darwin-x64": "0.28.1",
+        "@esbuild/freebsd-arm64": "0.28.1",
+        "@esbuild/freebsd-x64": "0.28.1",
+        "@esbuild/linux-arm": "0.28.1",
+        "@esbuild/linux-arm64": "0.28.1",
+        "@esbuild/linux-ia32": "0.28.1",
+        "@esbuild/linux-loong64": "0.28.1",
+        "@esbuild/linux-mips64el": "0.28.1",
+        "@esbuild/linux-ppc64": "0.28.1",
+        "@esbuild/linux-riscv64": "0.28.1",
+        "@esbuild/linux-s390x": "0.28.1",
+        "@esbuild/linux-x64": "0.28.1",
+        "@esbuild/netbsd-arm64": "0.28.1",
+        "@esbuild/netbsd-x64": "0.28.1",
+        "@esbuild/openbsd-arm64": "0.28.1",
+        "@esbuild/openbsd-x64": "0.28.1",
+        "@esbuild/openharmony-arm64": "0.28.1",
+        "@esbuild/sunos-x64": "0.28.1",
+        "@esbuild/win32-arm64": "0.28.1",
+        "@esbuild/win32-ia32": "0.28.1",
+        "@esbuild/win32-x64": "0.28.1"
+      },
+      "resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.28.1.tgz",
+      "integrity": "sha512-HrJrvZv5ayxBzPfwphOoNzkzOIIlifzk0KJrGK2c8R4+LKpMtpYLQeUdjnwjWv/LZlkH2laZk+4w78pi99D4Vw=="
     },
     "node_modules/tsyringe": {
       "version": "4.10.0",

server/src/config.ts

@@ -136,3 +136,21 @@ export const SESSION_DURATION = parsedSessionMs == null ? DEFAULT_SESSION_DURATI
 export const SESSION_DURATION_MS = parsedSessionMs ?? parseDurationMs(DEFAULT_SESSION_DURATION)!;
 /** Session length in seconds — passed to `jwt.sign({ expiresIn })` (number = seconds). */
 export const SESSION_DURATION_SECONDS = Math.floor(SESSION_DURATION_MS / 1000);
+
+// SESSION_DURATION_REMEMBER is the session length used when the user ticks
+// "Remember me" on the login form: a longer-lived JWT `exp` claim plus a
+// persistent `trek_session` cookie `maxAge`. An unticked login keeps
+// SESSION_DURATION and a browser-session cookie (no `maxAge`). Same ms-style
+// format and fallback behavior as SESSION_DURATION.
+const DEFAULT_SESSION_DURATION_REMEMBER = '30d';
+const rawRememberDuration = process.env.SESSION_DURATION_REMEMBER?.trim() || DEFAULT_SESSION_DURATION_REMEMBER;
+const parsedRememberMs = parseDurationMs(rawRememberDuration);
+if (parsedRememberMs == null) {
+  console.warn(`SESSION_DURATION_REMEMBER="${rawRememberDuration}" is not a valid duration (use e.g. 7d, 30d, 90d). Falling back to "${DEFAULT_SESSION_DURATION_REMEMBER}".`);
+}
+/** Human-readable "remember me" session length actually in effect (for logs/diagnostics). */
+export const SESSION_DURATION_REMEMBER = parsedRememberMs == null ? DEFAULT_SESSION_DURATION_REMEMBER : rawRememberDuration;
+/** "Remember me" session length in milliseconds — used for the persistent cookie `maxAge`. */
+export const SESSION_DURATION_REMEMBER_MS = parsedRememberMs ?? parseDurationMs(DEFAULT_SESSION_DURATION_REMEMBER)!;
+/** "Remember me" session length in seconds — passed to `jwt.sign({ expiresIn })`. */
+export const SESSION_DURATION_REMEMBER_SECONDS = Math.floor(SESSION_DURATION_REMEMBER_MS / 1000);

server/src/nest/auth/auth-public.controller.ts

@@ -87,7 +87,7 @@ export class AuthPublicController {
     if (result.mfa_required) {
       return { mfa_required: true, mfa_token: result.mfa_token };
     }
-    this.auth.setAuthCookie(res, result.token!, req);
+    this.auth.setAuthCookie(res, result.token!, req, result.remember);
     return { token: result.token, user: result.user };
   }
 
@@ -146,7 +146,7 @@ export class AuthPublicController {
       throw new HttpException({ error: result.error }, result.status!);
     }
     writeAudit({ userId: result.auditUserId!, action: 'user.login', ip: getClientIp(req), details: { mfa: true } });
-    this.auth.setAuthCookie(res, result.token!, req);
+    this.auth.setAuthCookie(res, result.token!, req, result.remember);
     return { token: result.token, user: result.user };
   }
 

server/src/nest/auth/auth.service.ts

@@ -14,7 +14,7 @@ import type { User } from '../../types';
 @Injectable()
 export class AuthService {
   // Cookie
-  setAuthCookie(res: Response, token: string, req: Request) { setAuthCookie(res, token, req); }
+  setAuthCookie(res: Response, token: string, req: Request, remember?: boolean) { setAuthCookie(res, token, req, remember); }
   clearAuthCookie(res: Response, req: Request) { clearAuthCookie(res, req); }
 
   // Reset-email delivery (canonical app URL, never request headers)

server/src/scheduler.ts

@@ -291,20 +291,45 @@ function startVersionCheck(): void {
   }, { timezone: tz });
 }
 
-// Idempotency key cleanup: nightly at 3 AM — delete keys older than 24 hours
+// Idempotency key cleanup: nightly at 3 AM — delete keys past their TTL.
+// The TTL must exceed any realistic offline window: the TREK client replays
+// queued mutations with their X-Idempotency-Key when it reconnects, so a key
+// GC'd before the device comes back online would let the replay create a
+// duplicate. 24h was far too short for a multi-day offline trip; default 30d,
+// overridable via IDEMPOTENCY_TTL_SECONDS.
+const DEFAULT_IDEMPOTENCY_TTL_SECONDS = 30 * 24 * 60 * 60; // 30 days
 let idempotencyCleanupTask: ScheduledTask | null = null;
 
+function idempotencyTtlSeconds(): number {
+  const n = Number(process.env.IDEMPOTENCY_TTL_SECONDS);
+  return Number.isFinite(n) && n > 0 ? n : DEFAULT_IDEMPOTENCY_TTL_SECONDS;
+}
+
+interface PurgeDb {
+  prepare(sql: string): { run(...args: unknown[]): { changes: number } };
+}
+
+/** Delete idempotency keys older than the configured TTL. Returns rows removed.
+ *  The db is injectable for testing; the cron job uses the default. */
+function purgeExpiredIdempotencyKeys(
+  now: number = Date.now(),
+  ttlSeconds: number = idempotencyTtlSeconds(),
+  database: PurgeDb = require('./db/database').db,
+): number {
+  const cutoff = Math.floor(now / 1000) - ttlSeconds;
+  const result = database.prepare('DELETE FROM idempotency_keys WHERE created_at < ?').run(cutoff);
+  return result.changes;
+}
+
 function startIdempotencyCleanup(): void {
   if (idempotencyCleanupTask) { idempotencyCleanupTask.stop(); idempotencyCleanupTask = null; }
 
   const tz = process.env.TZ || 'UTC';
   idempotencyCleanupTask = cron.schedule('0 3 * * *', () => {
     try {
-      const { db } = require('./db/database');
-      const cutoff = Math.floor(Date.now() / 1000) - 86400;
-      const result = db.prepare('DELETE FROM idempotency_keys WHERE created_at < ?').run(cutoff);
-      if (result.changes > 0) {
-        logInfo(`Idempotency cleanup: removed ${result.changes} expired key(s)`);
+      const removed = purgeExpiredIdempotencyKeys();
+      if (removed > 0) {
+        logInfo(`Idempotency cleanup: removed ${removed} expired key(s)`);
       }
     } catch (err: unknown) {
       logError(`Idempotency cleanup: ${err instanceof Error ? err.message : err}`);
@@ -394,4 +419,4 @@ function stop(): void {
   if (airtrailSyncTask) { airtrailSyncTask.stop(); airtrailSyncTask = null; }
 }
 
-export { start, stop, startDemoReset, startTripReminders, startTodoReminders, startVersionCheck, startIdempotencyCleanup, startTrekPhotoCacheCleanup, startPlacePhotoCacheCleanup, startAirTrailSync, loadSettings, saveSettings, VALID_INTERVALS };
+export { start, stop, startDemoReset, startTripReminders, startTodoReminders, startVersionCheck, startIdempotencyCleanup, purgeExpiredIdempotencyKeys, startTrekPhotoCacheCleanup, startPlacePhotoCacheCleanup, startAirTrailSync, loadSettings, saveSettings, VALID_INTERVALS };

server/src/services/authService.ts

@@ -7,7 +7,7 @@ import { authenticator } from 'otplib';
 import QRCode from 'qrcode';
 import { randomBytes, createHash } from 'crypto';
 import { db } from '../db/database';
-import { JWT_SECRET, SESSION_DURATION_SECONDS } from '../config';
+import { JWT_SECRET, SESSION_DURATION_SECONDS, SESSION_DURATION_REMEMBER_SECONDS } from '../config';
 import { validatePassword } from './passwordPolicy';
 import { encryptMfaSecret, decryptMfaSecret } from './mfaCrypto';
 import { getAllPermissions } from './permissions';
@@ -181,14 +181,17 @@ export function isOidcOnlyMode(): boolean {
   return !resolveAuthToggles().password_login;
 }
 
-export function generateToken(user: { id: number | bigint; password_version?: number }) {
+export function generateToken(user: { id: number | bigint; password_version?: number }, rememberMe = false) {
   const pv = typeof user.password_version === 'number'
     ? user.password_version
     : ((db.prepare('SELECT password_version FROM users WHERE id = ?').get(user.id) as { password_version?: number } | undefined)?.password_version ?? 0);
+  // "Remember me" extends the JWT lifetime to match the persistent cookie maxAge;
+  // the cookie service decides session-vs-persistent off the same flag.
+  const expiresIn = rememberMe ? SESSION_DURATION_REMEMBER_SECONDS : SESSION_DURATION_SECONDS;
   return jwt.sign(
     { id: user.id, pv },
     JWT_SECRET,
-    { expiresIn: SESSION_DURATION_SECONDS, algorithm: 'HS256' }
+    { expiresIn, algorithm: 'HS256' }
   );
 }
 
@@ -443,6 +446,7 @@ export function registerUser(body: {
 export function loginUser(body: {
   email?: string;
   password?: string;
+  remember_me?: boolean;
 }): {
   error?: string;
   status?: number;
@@ -450,6 +454,7 @@ export function loginUser(body: {
   user?: Record<string, unknown>;
   mfa_required?: boolean;
   mfa_token?: string;
+  remember?: boolean;
   auditUserId?: number | null;
   auditAction?: string;
   auditDetails?: Record<string, unknown>;
@@ -458,7 +463,8 @@ export function loginUser(body: {
     return { error: 'Password authentication is disabled. Please sign in with SSO.', status: 403 };
   }
 
-  const { email, password } = body;
+  const { email, password, remember_me } = body;
+  const remember = remember_me === true;
   if (!email || !password) {
     return { error: 'Email and password are required', status: 400 };
   }
@@ -500,12 +506,13 @@ export function loginUser(body: {
   }
 
   db.prepare('UPDATE users SET last_login = CURRENT_TIMESTAMP, login_count = login_count + 1 WHERE id = ?').run(user.id);
-  const token = generateToken(user);
+  const token = generateToken(user, remember);
   const userSafe = stripUserForClient(user) as Record<string, unknown>;
 
   return {
     token,
     user: { ...userSafe, avatar_url: avatarUrl(user) },
+    remember,
     auditUserId: Number(user.id),
     auditAction: 'user.login',
     auditDetails: { email },
@@ -1066,14 +1073,17 @@ export function disableMfa(
 export function verifyMfaLogin(body: {
   mfa_token?: string;
   code?: string;
+  remember_me?: boolean;
 }): {
   error?: string;
   status?: number;
   token?: string;
   user?: Record<string, unknown>;
+  remember?: boolean;
   auditUserId?: number;
 } {
-  const { mfa_token, code } = body;
+  const { mfa_token, code, remember_me } = body;
+  const remember = remember_me === true;
   if (!mfa_token || !code) {
     return { error: 'Verification token and code are required', status: 400 };
   }
@@ -1104,11 +1114,12 @@ export function verifyMfaLogin(body: {
       );
     }
     db.prepare('UPDATE users SET last_login = CURRENT_TIMESTAMP, login_count = login_count + 1 WHERE id = ?').run(user.id);
-    const sessionToken = generateToken(user);
+    const sessionToken = generateToken(user, remember);
     const userSafe = stripUserForClient(user) as Record<string, unknown>;
     return {
       token: sessionToken,
       user: { ...userSafe, avatar_url: avatarUrl(user) },
+      remember,
       auditUserId: Number(user.id),
     };
   } catch {

server/src/services/cookie.ts

@@ -1,8 +1,17 @@
 import { Request, Response } from 'express';
-import { SESSION_DURATION_MS } from '../config';
+import { SESSION_DURATION_MS, SESSION_DURATION_REMEMBER_MS } from '../config';
 
 const COOKIE_NAME = 'trek_session';
 
+/**
+ * Controls the cookie lifetime for a login:
+ *  - `undefined` → persistent `maxAge: SESSION_DURATION_MS` (the historical
+ *    default, used by register/demo and anything that doesn't opt in).
+ *  - `true`  → persistent `maxAge: SESSION_DURATION_REMEMBER_MS` ("Remember me").
+ *  - `false` → no `maxAge` — a browser-session cookie cleared on browser close.
+ */
+export type RememberOption = boolean | undefined;
+
 /**
  * Decide whether the session cookie should carry the `Secure` flag.
  *
@@ -18,27 +27,35 @@ const COOKIE_NAME = 'trek_session';
  * on the outermost hop, the cookie is `Secure`. `COOKIE_SECURE=false`
  * remains the explicit escape hatch for plain-HTTP LAN testing.
  */
-export function cookieOptions(clear = false, req?: Request) {
+export function cookieOptions(clear = false, req?: Request, remember?: RememberOption) {
   if (process.env.COOKIE_SECURE?.toLowerCase() === 'false') {
-    return buildOptions(clear, false);
+    return buildOptions(clear, false, remember);
   }
   const envSecure = process.env.NODE_ENV?.toLowerCase() === 'production' || process.env.FORCE_HTTPS?.toLowerCase() === 'true';
   const requestSecure = req?.secure === true;
-  return buildOptions(clear, envSecure || requestSecure);
+  return buildOptions(clear, envSecure || requestSecure, remember);
 }
 
-function buildOptions(clear: boolean, secure: boolean) {
+function resolveMaxAge(remember: RememberOption): { maxAge: number } | Record<string, never> {
+  // false → session cookie (omit maxAge); true → the longer "remember me"
+  // window; undefined → the historical default. Each maxAge matches the JWT exp.
+  if (remember === false) return {};
+  if (remember === true) return { maxAge: SESSION_DURATION_REMEMBER_MS };
+  return { maxAge: SESSION_DURATION_MS };
+}
+
+function buildOptions(clear: boolean, secure: boolean, remember?: RememberOption) {
   return {
     httpOnly: true,
     secure,
     sameSite: 'lax' as const,
     path: '/',
-    ...(clear ? {} : { maxAge: SESSION_DURATION_MS }), // matches the JWT expiry (SESSION_DURATION)
+    ...(clear ? {} : resolveMaxAge(remember)),
   };
 }
 
-export function setAuthCookie(res: Response, token: string, req?: Request): void {
-  res.cookie(COOKIE_NAME, token, cookieOptions(false, req));
+export function setAuthCookie(res: Response, token: string, req?: Request, remember?: RememberOption): void {
+  res.cookie(COOKIE_NAME, token, cookieOptions(false, req, remember));
 }
 
 export function clearAuthCookie(res: Response, req?: Request): void {

server/tests/e2e/auth.e2e.test.ts

@@ -98,6 +98,28 @@ describe('Auth e2e (real auth guard + real cookie service + temp SQLite)', () =>
     expect(setCookie.some((c) => c.startsWith('trek_session=') && /HttpOnly/i.test(c))).toBe(true);
   }, 10000);
 
+  it('POST /login with remember_me sets a persistent cookie (Max-Age present)', async () => {
+    authSvc.loginUser.mockReturnValue({ token: 'jwt.token.value', user: { id: 1 }, remember: true });
+    const res = await request(server).post('/api/auth/login').send({ email: 'u@example.test', password: 'pw', remember_me: true });
+    expect(res.status).toBe(200);
+    const setCookie = res.headers['set-cookie'] as unknown as string[];
+    const cookie = setCookie.find((c) => c.startsWith('trek_session='))!;
+    expect(cookie).toMatch(/Max-Age=\d+/i);
+    // 30d default — well above the 24h (86400s) non-remember window.
+    const maxAge = Number(/Max-Age=(\d+)/i.exec(cookie)?.[1]);
+    expect(maxAge).toBeGreaterThan(86_400);
+  }, 10000);
+
+  it('POST /login without remember_me sets a session cookie (no Max-Age)', async () => {
+    authSvc.loginUser.mockReturnValue({ token: 'jwt.token.value', user: { id: 1 }, remember: false });
+    const res = await request(server).post('/api/auth/login').send({ email: 'u@example.test', password: 'pw' });
+    expect(res.status).toBe(200);
+    const setCookie = res.headers['set-cookie'] as unknown as string[];
+    const cookie = setCookie.find((c) => c.startsWith('trek_session='))!;
+    expect(cookie).not.toMatch(/Max-Age/i);
+    expect(cookie).not.toMatch(/Expires/i);
+  }, 10000);
+
   it('POST /logout clears the session cookie', async () => {
     const res = await request(server).post('/api/auth/logout');
     expect(res.status).toBe(200);

server/tests/unit/idempotency-cleanup.test.ts

@@ -0,0 +1,58 @@
+/**
+ * Idempotency key TTL cleanup (H6).
+ *
+ * The TREK client replays queued mutations with their X-Idempotency-Key on
+ * reconnect, so the server must keep keys long enough to cover a realistic
+ * offline window — otherwise a key GC'd before the device returns lets the
+ * replay create a duplicate. The TTL was raised from 24h to 30d (overridable).
+ */
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import { db } from '../../src/db/database';
+import { purgeExpiredIdempotencyKeys } from '../../src/scheduler';
+
+const DAY = 24 * 60 * 60;
+const NOW = 2_000_000_000_000; // fixed ms so the test is deterministic
+const NOW_SEC = Math.floor(NOW / 1000);
+
+function insertKey(key: string, ageSeconds: number): void {
+  db.prepare(
+    `INSERT INTO idempotency_keys (key, user_id, method, path, status_code, response_body, created_at)
+     VALUES (?, 1, 'POST', '/x', 200, '{}', ?)`,
+  ).run(key, NOW_SEC - ageSeconds);
+}
+
+beforeEach(() => {
+  db.pragma('foreign_keys = OFF'); // fixtures reference a user we don't seed here
+  db.prepare('DELETE FROM idempotency_keys').run();
+});
+
+afterEach(() => {
+  db.prepare('DELETE FROM idempotency_keys').run();
+  db.pragma('foreign_keys = ON');
+  delete process.env.IDEMPOTENCY_TTL_SECONDS;
+});
+
+describe('purgeExpiredIdempotencyKeys', () => {
+  it('removes keys older than the 30-day default, keeps recent ones', () => {
+    insertKey('old', 31 * DAY);
+    insertKey('fresh', 5 * DAY);
+
+    const removed = purgeExpiredIdempotencyKeys(NOW, undefined, db);
+
+    expect(removed).toBe(1);
+    const keys = db.prepare('SELECT key FROM idempotency_keys').all().map((r: { key: string }) => r.key);
+    expect(keys).toEqual(['fresh']);
+  });
+
+  it('keeps a 25-day-old key that the old 24h TTL would have dropped', () => {
+    insertKey('offline-trip', 25 * DAY);
+    expect(purgeExpiredIdempotencyKeys(NOW, undefined, db)).toBe(0);
+    expect(db.prepare('SELECT COUNT(*) c FROM idempotency_keys').get()).toMatchObject({ c: 1 });
+  });
+
+  it('respects the IDEMPOTENCY_TTL_SECONDS override', () => {
+    process.env.IDEMPOTENCY_TTL_SECONDS = String(DAY);
+    insertKey('twoDays', 2 * DAY);
+    expect(purgeExpiredIdempotencyKeys(NOW, undefined, db)).toBe(1);
+  });
+});

server/tests/unit/nest/auth.controller.test.ts

@@ -82,9 +82,10 @@ describe('AuthPublicController', () => {
     const setAuthCookie = vi.fn();
     const mfa = new AuthPublicController(asvc({ loginUser: vi.fn().mockReturnValue({ mfa_required: true, mfa_token: 'mt' }) } as Partial<AuthService>), rl());
     expect(await mfa.login({}, req, res)).toEqual({ mfa_required: true, mfa_token: 'mt' });
-    const ok = new AuthPublicController(asvc({ loginUser: vi.fn().mockReturnValue({ token: 'tk', user }), setAuthCookie } as Partial<AuthService>), rl());
+    const ok = new AuthPublicController(asvc({ loginUser: vi.fn().mockReturnValue({ token: 'tk', user, remember: true }), setAuthCookie } as Partial<AuthService>), rl());
     expect(await ok.login({}, req, res)).toEqual({ token: 'tk', user });
-    expect(setAuthCookie).toHaveBeenCalled();
+    // The "remember me" flag from the service rides through to the cookie service.
+    expect(setAuthCookie).toHaveBeenCalledWith(res, 'tk', req, true);
     const bad = new AuthPublicController(asvc({ loginUser: vi.fn().mockReturnValue({ error: 'Bad creds', status: 401, auditAction: 'user.login_fail' }) } as Partial<AuthService>), rl());
     expect(await thrownAsync(() => bad.login({}, req, res))).toEqual({ status: 401, body: { error: 'Bad creds' } });
   }, 10000);

server/tests/unit/services/cookie.test.ts

@@ -1,6 +1,7 @@
 import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
 
 import { cookieOptions } from '../../../src/services/cookie';
+import { SESSION_DURATION_MS, SESSION_DURATION_REMEMBER_MS } from '../../../src/config';
 
 describe('cookieOptions', () => {
   afterEach(() => {
@@ -53,4 +54,16 @@ describe('cookieOptions', () => {
     const opts = cookieOptions(true);
     expect(opts).not.toHaveProperty('maxAge');
   });
+
+  it('keeps the default SESSION_DURATION maxAge when remember is undefined', () => {
+    expect(cookieOptions(false, undefined)).toHaveProperty('maxAge', SESSION_DURATION_MS);
+  });
+
+  it('uses the longer SESSION_DURATION_REMEMBER maxAge when remember is true', () => {
+    expect(cookieOptions(false, undefined, true)).toHaveProperty('maxAge', SESSION_DURATION_REMEMBER_MS);
+  });
+
+  it('omits maxAge (session cookie) when remember is false', () => {
+    expect(cookieOptions(false, undefined, false)).not.toHaveProperty('maxAge');
+  });
 });

shared/src/auth/auth.schema.ts

@@ -19,6 +19,10 @@ export type RegisterRequest = z.infer<typeof registerRequestSchema>;
 export const loginRequestSchema = z.object({
   email: z.string(),
   password: z.string(),
+  // "Remember me" — when true the server issues a longer-lived
+  // (SESSION_DURATION_REMEMBER) JWT + persistent cookie; when false/absent the
+  // session lasts SESSION_DURATION and the cookie is a browser-session cookie.
+  remember_me: z.boolean().optional(),
 });
 export type LoginRequest = z.infer<typeof loginRequestSchema>;
 
@@ -45,6 +49,9 @@ export type ChangePasswordRequest = z.infer<typeof changePasswordRequestSchema>;
 export const mfaVerifyLoginRequestSchema = z.object({
   mfa_token: z.string(),
   code: z.string(),
+  // Carries the login-form "Remember me" choice through the second (MFA) leg,
+  // since the session token is only minted once the MFA code is verified.
+  remember_me: z.boolean().optional(),
 });
 export type MfaVerifyLoginRequest = z.infer<typeof mfaVerifyLoginRequestSchema>;
 

shared/src/i18n/ar/login.ts

@@ -59,6 +59,7 @@ const login: TranslationStrings = {
   'login.usernameRequired': 'اسم المستخدم مطلوب',
   'login.passwordMinLength': 'يجب أن تكون كلمة المرور 8 أحرف على الأقل',
   'login.forgotPassword': 'نسيت كلمة المرور؟',
+  'login.rememberMe': 'تذكرني',
   'login.forgotPasswordTitle': 'إعادة تعيين كلمة المرور',
   'login.forgotPasswordBody':
     'أدخل عنوان البريد الإلكتروني المسجَّل. إذا كان الحساب موجودًا، سنرسل رابط إعادة التعيين.',

shared/src/i18n/br/login.ts

@@ -62,6 +62,7 @@ const login: TranslationStrings = {
   'login.usernameRequired': 'Nome de usuário é obrigatório',
   'login.passwordMinLength': 'A senha deve ter pelo menos 8 caracteres',
   'login.forgotPassword': 'Esqueceu a senha?',
+  'login.rememberMe': 'Lembrar de mim',
   'login.forgotPasswordTitle': 'Redefinir sua senha',
   'login.forgotPasswordBody':
     'Digite o e-mail cadastrado. Se houver uma conta, enviaremos um link de redefinição.',

shared/src/i18n/cs/login.ts

@@ -64,6 +64,7 @@ const login: TranslationStrings = {
   'login.usernameRequired': 'Uživatelské jméno je povinné',
   'login.passwordMinLength': 'Heslo musí mít alespoň 8 znaků',
   'login.forgotPassword': 'Zapomenuté heslo?',
+  'login.rememberMe': 'Zapamatovat si mě',
   'login.forgotPasswordTitle': 'Obnovení hesla',
   'login.forgotPasswordBody':
     'Zadej e-mail použitý při registraci. Pokud účet existuje, pošleme odkaz pro obnovení.',

shared/src/i18n/de/login.ts

@@ -65,6 +65,7 @@ const login: TranslationStrings = {
   'login.usernameRequired': 'Benutzername ist erforderlich',
   'login.passwordMinLength': 'Das Passwort muss mindestens 8 Zeichen lang sein',
   'login.forgotPassword': 'Passwort vergessen?',
+  'login.rememberMe': 'Angemeldet bleiben',
   'login.forgotPasswordTitle': 'Passwort zurücksetzen',
   'login.forgotPasswordBody':
     'Gib die E-Mail-Adresse deines Kontos ein. Falls ein Konto existiert, schicken wir dir einen Reset-Link.',

shared/src/i18n/en/login.ts

@@ -63,6 +63,7 @@ const login: TranslationStrings = {
   'login.usernameRequired': 'Username is required',
   'login.passwordMinLength': 'Password must be at least 8 characters',
   'login.forgotPassword': 'Forgot password?',
+  'login.rememberMe': 'Remember me',
   'login.forgotPasswordTitle': 'Reset your password',
   'login.forgotPasswordBody':
     "Enter the email address you signed up with. If an account exists, we'll send a reset link.",

shared/src/i18n/es/login.ts

@@ -57,6 +57,7 @@ const login: TranslationStrings = {
   'login.usernameRequired': 'El nombre de usuario es obligatorio',
   'login.passwordMinLength': 'La contraseña debe tener al menos 8 caracteres',
   'login.forgotPassword': '¿Olvidaste tu contraseña?',
+  'login.rememberMe': 'Recuérdame',
   'login.forgotPasswordTitle': 'Restablecer tu contraseña',
   'login.forgotPasswordBody':
     'Introduce la dirección de correo con la que te registraste. Si existe una cuenta, enviaremos un enlace.',

shared/src/i18n/fr/login.ts

@@ -60,6 +60,7 @@ const login: TranslationStrings = {
   'login.passwordMinLength':
     'Le mot de passe doit comporter au moins 8 caractères',
   'login.forgotPassword': 'Mot de passe oublié ?',
+  'login.rememberMe': 'Se souvenir de moi',
   'login.forgotPasswordTitle': 'Réinitialiser votre mot de passe',
   'login.forgotPasswordBody':
     "Entrez l'adresse e-mail associée à votre compte. Si un compte existe, nous enverrons un lien de réinitialisation.",

shared/src/i18n/gr/login.ts

@@ -70,6 +70,7 @@ const login: TranslationStrings = {
   'login.passwordMinLength':
     'Ο κωδικός πρέπει να έχει τουλάχιστον 8 χαρακτήρες',
   'login.forgotPassword': 'Ξεχάσατε τον κωδικό;',
+  'login.rememberMe': 'Να με θυμάσαι',
   'login.forgotPasswordTitle': 'Επαναφορά του κωδικού σας',
   'login.forgotPasswordBody':
     'Εισάγετε το email με το οποίο εγγραφήκατε. Αν υπάρχει λογαριασμός, θα στείλουμε έναν σύνδεσμο επαναφοράς.',

shared/src/i18n/hu/login.ts

@@ -69,6 +69,7 @@ const login: TranslationStrings = {
   'login.passwordMinLength':
     'A jelszónak legalább 8 karakter hosszúnak kell lennie',
   'login.forgotPassword': 'Elfelejtetted a jelszavad?',
+  'login.rememberMe': 'Emlékezz rám',
   'login.forgotPasswordTitle': 'Jelszó visszaállítása',
   'login.forgotPasswordBody':
     'Írd be a regisztrációnál használt e-mail-címet. Ha létezik fiók, küldünk egy visszaállítási linket.',

shared/src/i18n/id/login.ts

@@ -65,6 +65,7 @@ const login: TranslationStrings = {
   'login.usernameRequired': 'Nama pengguna wajib diisi',
   'login.passwordMinLength': 'Kata sandi minimal 8 karakter',
   'login.forgotPassword': 'Lupa kata sandi?',
+  'login.rememberMe': 'Ingat saya',
   'login.forgotPasswordTitle': 'Setel ulang kata sandi',
   'login.forgotPasswordBody':
     'Masukkan alamat email akunmu. Jika akun ada, kami akan mengirim tautan reset.',

shared/src/i18n/it/login.ts

@@ -64,6 +64,7 @@ const login: TranslationStrings = {
   'login.usernameRequired': 'Il nome utente è obbligatorio',
   'login.passwordMinLength': 'La password deve contenere almeno 8 caratteri',
   'login.forgotPassword': 'Password dimenticata?',
+  'login.rememberMe': 'Ricordami',
   'login.forgotPasswordTitle': 'Reimposta la password',
   'login.forgotPasswordBody':
     'Inserisci l’indirizzo email del tuo account. Se esiste un account, invieremo un link per reimpostarla.',

shared/src/i18n/ja/login.ts

@@ -63,6 +63,7 @@ const login: TranslationStrings = {
   'login.usernameRequired': 'ユーザー名を入力してください',
   'login.passwordMinLength': 'パスワードは8文字以上である必要があります',
   'login.forgotPassword': 'パスワードを忘れた場合',
+  'login.rememberMe': 'ログイン状態を保持する',
   'login.forgotPasswordTitle': 'パスワードをリセット',
   'login.forgotPasswordBody':
     '登録時のメールアドレスを入力してください。アカウントが存在する場合、リセット用リンクを送信します。',

shared/src/i18n/ko/login.ts

@@ -62,6 +62,7 @@ const login: TranslationStrings = {
   'login.usernameRequired': '사용자 이름을 입력하세요',
   'login.passwordMinLength': '비밀번호는 최소 8자 이상이어야 합니다',
   'login.forgotPassword': '비밀번호를 잊으셨나요?',
+  'login.rememberMe': '로그인 상태 유지',
   'login.forgotPasswordTitle': '비밀번호 재설정',
   'login.forgotPasswordBody':
     '가입 시 사용한 이메일 주소를 입력하세요. 계정이 존재하면 재설정 링크를 보내드립니다.',

shared/src/i18n/nl/login.ts

@@ -56,6 +56,7 @@ const login: TranslationStrings = {
   'login.usernameRequired': 'Gebruikersnaam is vereist',
   'login.passwordMinLength': 'Wachtwoord moet minimaal 8 tekens bevatten',
   'login.forgotPassword': 'Wachtwoord vergeten?',
+  'login.rememberMe': 'Ingelogd blijven',
   'login.forgotPasswordTitle': 'Wachtwoord resetten',
   'login.forgotPasswordBody':
     'Voer het e-mailadres van je account in. Als er een account bestaat, sturen we een resetlink.',

shared/src/i18n/pl/login.ts

@@ -65,6 +65,7 @@ const login: TranslationStrings = {
   'login.usernameRequired': 'Nazwa użytkownika jest wymagana',
   'login.passwordMinLength': 'Hasło musi mieć co najmniej 8 znaków',
   'login.forgotPassword': 'Nie pamiętasz hasła?',
+  'login.rememberMe': 'Zapamiętaj mnie',
   'login.forgotPasswordTitle': 'Zresetuj hasło',
   'login.forgotPasswordBody':
     'Wpisz adres e-mail użyty przy rejestracji. Jeśli konto istnieje, wyślemy link do resetu.',

shared/src/i18n/ru/login.ts

@@ -56,6 +56,7 @@ const login: TranslationStrings = {
   'login.usernameRequired': 'Имя пользователя обязательно',
   'login.passwordMinLength': 'Пароль должен содержать не менее 8 символов',
   'login.forgotPassword': 'Забыли пароль?',
+  'login.rememberMe': 'Запомнить меня',
   'login.forgotPasswordTitle': 'Сброс пароля',
   'login.forgotPasswordBody':
     'Введите e-mail, с которым вы регистрировались. Если аккаунт найдём — отправим ссылку для сброса.',

shared/src/i18n/tr/login.ts

@@ -67,6 +67,7 @@ const login: TranslationStrings = {
   'login.usernameRequired': 'Kullanıcı adı gerekli',
   'login.passwordMinLength': 'Şifre en az 8 karakter olmalıdır',
   'login.forgotPassword': 'Parolanızı mı unuttunuz?',
+  'login.rememberMe': 'Beni hatırla',
   'login.forgotPasswordTitle': 'Şifrenizi sıfırlayın',
   'login.forgotPasswordBody':
     "Enter the email address you signed up with. If an account exists, we'll send a reset link.",

shared/src/i18n/uk/login.ts

@@ -57,6 +57,7 @@ const login: TranslationStrings = {
   'login.usernameRequired': 'Ім’я користувача обов’язкове',
   'login.passwordMinLength': 'Пароль має містити щонайменше 8 символів',
   'login.forgotPassword': 'Забули пароль?',
+  'login.rememberMe': "Запам'ятати мене",
   'login.forgotPasswordTitle': 'Скидання пароля',
   'login.forgotPasswordBody':
     'Введіть електронну пошту, з якою ви реєструвалися. Якщо акаунт існує — буде надіслано посилання для скидання.',

shared/src/i18n/zh-TW/login.ts

@@ -51,6 +51,7 @@ const login: TranslationStrings = {
   'login.usernameRequired': '使用者名稱為必填',
   'login.passwordMinLength': '密碼至少需要8個字元',
   'login.forgotPassword': '忘記密碼？',
+  'login.rememberMe': '記住我',
   'login.forgotPasswordTitle': '重設密碼',
   'login.forgotPasswordBody':
     '請輸入您註冊時使用的電子郵件。若帳號存在，我們將傳送重設連結。',

shared/src/i18n/zh/login.ts

@@ -51,6 +51,7 @@ const login: TranslationStrings = {
   'login.usernameRequired': '用户名为必填项',
   'login.passwordMinLength': '密码至少需要8个字符',
   'login.forgotPassword': '忘记密码？',
+  'login.rememberMe': '记住我',
   'login.forgotPasswordTitle': '重置密码',
   'login.forgotPasswordBody':
     '输入您注册时使用的邮箱地址。若账户存在，我们将发送重置链接。',

wiki/Development-environment.md

@@ -154,6 +154,36 @@ The `@trek/shared` package is the single source of truth for code shared between
 | `npm run lint`              | Lint source                          |
 | `npm run format`            | Format source                        |
 
+### Root (`/`)
+
+These commands run across all workspaces at once and are the recommended way to work:
+
+| Command              | Description                                                         |
+|----------------------|---------------------------------------------------------------------|
+| `npm run dev`        | Build shared, then start shared (watch), server, and client together via `concurrently` |
+| `npm run build`      | Build shared → server → client in order                            |
+| `npm test`           | Run tests in shared, server, and client                            |
+| `npm run test:cov`   | Run coverage for server and client                                 |
+| `npm run test:e2e`   | Run end-to-end tests (server)                                      |
+| `npm run lint`       | Lint shared, server, and client                                    |
+| `npm run format`     | Format shared, server, and client                                  |
+| `npm run format:check` | Check formatting across all workspaces                           |
+
+### Shared (`/shared`)
+
+The `@trek/shared` package is the single source of truth for code shared between the client and server. It currently holds **Zod schemas that define API contracts** (request/response shapes, common primitives, pagination). Both workspaces import from it so schema changes automatically propagate to both sides.
+
+> **Upcoming:** the i18n translation layer will be migrated into this package so that translation keys and types are enforced across the stack from one place.
+
+| Command                | Description                        |
+|------------------------|------------------------------------|
+| `npm run build`        | Compile shared package (tsup)      |
+| `npm run build:watch`  | Compile in watch mode              |
+| `npm test`             | Run tests                          |
+| `npm run typecheck`    | Type-check without emitting        |
+| `npm run lint`         | Lint source                        |
+| `npm run format`       | Format source                      |
+
 ### Server (`/server`)
 
 | Command                    | Description                              |

wiki/Environment-Variables.md

@@ -22,7 +22,8 @@ Complete reference for all environment variables TREK reads.
 | `TZ` | Timezone for logs, reminders, and cron jobs (e.g. `Europe/Berlin`) | `UTC` |
 | `LOG_LEVEL` | `info` = concise user actions; `debug` = verbose details | `info` |
 | `DEFAULT_LANGUAGE` | Default language on the login page — see supported codes below | `en` |
-| `SESSION_DURATION` | How long a login session stays valid before re-login is required. Applies to both the `trek_session` JWT `exp` claim and the cookie `maxAge`, so they never drift apart. Accepts `ms`-style strings: `1h`, `12h`, `7d`, `30d`, `90d`. Invalid values warn at startup and fall back to the default. Does not affect the short-lived MFA challenge token or MCP OAuth tokens (those keep their own TTL). | `24h` |
+| `SESSION_DURATION` | How long a login session stays valid before re-login is required. Used when **"Remember me" is unchecked** on the login form (the default): applies to the `trek_session` JWT `exp` claim, and the cookie is issued as a **browser-session cookie** (no `maxAge`, cleared when the browser closes). Accepts `ms`-style strings: `1h`, `12h`, `7d`, `30d`, `90d`. Invalid values warn at startup and fall back to the default. Does not affect the short-lived MFA challenge token or MCP OAuth tokens (those keep their own TTL). | `24h` |
+| `SESSION_DURATION_REMEMBER` | Session length used when the user **ticks "Remember me"** on login: a longer-lived JWT `exp` claim plus a **persistent** `trek_session` cookie whose `maxAge` matches, so the session survives browser restarts. Same `ms`-style format and startup-fallback behaviour as `SESSION_DURATION`. | `30d` |
 | `ALLOWED_ORIGINS` | Comma-separated origins for CORS and email notification links | same-origin |
 | `ALLOW_INTERNAL_NETWORK` | Allow outbound requests to private/RFC-1918 IPs. Set `true` if Immich or other integrated services are on your local network. Loopback (`127.x`) and link-local (`169.254.x`) addresses remain blocked regardless. | `false` |
 | `APP_URL` | Public base URL (e.g. `https://trek.example.com`). Required when OIDC is enabled — must match the redirect URI registered with your IdP. Also used as the base URL for email notification links. | — |