Merge branch 'dev' into pr-1029-tr

# Conflicts:
#	client/src/i18n/TranslationContext.tsx
#	client/src/i18n/supportedLanguages.ts

.github/workflows/test.yml

@@ -8,10 +8,33 @@ on:
     branches: [main, dev]
     paths:
       - 'server/**'
-      - '.github/workflows/test.yml'
       - 'client/**'
+      - 'shared/**'
+      - '.github/workflows/test.yml'
 
 jobs:
+  shared-contracts:
+    name: Shared Contracts (Zod)
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v6
+
+      - uses: actions/setup-node@v6
+        with:
+          node-version: 22
+          cache: npm
+          cache-dependency-path: shared/package-lock.json
+
+      - name: Install dependencies
+        run: cd shared && npm ci
+
+      - name: Typecheck
+        run: cd shared && npm run typecheck
+
+      - name: Run tests
+        run: cd shared && npm test
+
   server-tests:
     name: Server Tests
     runs-on: ubuntu-latest
@@ -28,6 +51,15 @@ jobs:
       - name: Install dependencies
         run: cd server && npm ci
 
+      - name: Build (tsc + tsc-alias -> dist)
+        run: cd server && npm run build
+
+      - name: Typecheck (informational)
+        # Legacy code still has pre-existing type errors; this surfaces them
+        # without blocking the migration. Ratchet to blocking once cleaned up.
+        continue-on-error: true
+        run: cd server && npm run typecheck
+
       - name: Run tests
         run: cd server && npm run test:coverage
 

.gitignore

@@ -3,6 +3,7 @@ node_modules/
 
 # Build output
 client/dist/
+server/dist/
 server/public/*
 !server/public/.gitkeep
 

.issue-scratch/release-draft-new.md

@@ -0,0 +1,524 @@
+<img width="5292" height="1404" alt="Release 2 9 0 (2)" src="https://github.com/user-attachments/assets/6ff67226-3535-444e-991f-0bc0352e22e7" />
+
+# TREK 3.0.0
+
+<video src="https://github.com/mauriceboe/trek-media/raw/main/.github/assets/TREK1.mp4" controls width="100%"></video>
+
+> **The biggest TREK release to date.** A new Journey addon turns your trips into rich travel journals. Mapbox GL joins Leaflet as a first-class renderer. MCP gets a full OAuth 2.1 authorization server. Offline-first PWA, self-service password reset, and a dashboard redesigned from the ground up. Fifteen languages, top to bottom.
+
+---
+
+## Breaking Changes
+
+### Photos moved from Trip Planner to Journey
+
+In previous versions, Immich and Synology Photos were integrated directly into the Trip Planner via a "Photos" tab. **This tab has been removed.** Photos are now part of the new **Journey addon**, which is purpose-built for documenting your travels with stories, photos, and maps.
+
+**What this means for you:**
+- **No photos are lost.** The previous integration was read-only — TREK never uploaded to or deleted from your Immich/Synology library. Your photos remain untouched in your photo provider.
+- **Previously linked trip photos are no longer displayed in the Trip Planner.** To view and organize your travel photos, enable the Journey addon (Settings > Addons) and create a Journey linked to your trip.
+- **Journey brings a much richer photo experience:** upload photos directly to TREK, browse and import from Immich/Synology with duplicate detection, reorder photos, view EXIF metadata, and export everything as a PDF photo book.
+
+### New Immich API Key Permissions Required
+
+Journey introduces **photo upload sync** — when you upload a photo to a Journey entry, TREK can optionally sync it to your Immich library. This requires an additional Immich API permission that was not needed before.
+
+**Previous versions required:**
+| Permission | Used for |
+|---|---|
+| `user.read` | Connection test |
+| `asset.read` | Browse photos by date, search |
+| `asset.view` | Stream thumbnails |
+| `asset.download` | Stream originals |
+| `album.read` | List and browse albums |
+| `timeline.read` | Browse timeline buckets |
+
+**New in 3.0.0 — additionally required:**
+| Permission | Used for |
+|---|---|
+| `asset.upload` | Sync uploaded Journey photos to Immich |
+
+> **How to update your Immich API key:** Go to your Immich instance > User Settings > API Keys. Edit your existing TREK key (or create a new one) and ensure `asset.upload` is enabled in addition to the existing permissions. If you don't plan to use Journey's upload sync, the old key will continue to work — the upload simply won't sync to Immich.
+
+**No changes needed for Synology Photos** — Synology uses session-based authentication which inherits the user's full permissions.
+
+### OIDC_ONLY deprecated
+
+The `OIDC_ONLY` environment variable is deprecated. Replace with `DISABLE_LOCAL_LOGIN=true` + `DISABLE_LOCAL_REGISTRATION=true` for equivalent behavior. The old variable still works but will be removed in a future release.
+
+---
+
+<img width="5292" height="1404" alt="Release 2 9 0 (3)" src="https://github.com/user-attachments/assets/76976c02-dd81-49ab-83f5-e2221d6b018b" />
+
+## Journey Addon — Travel Journal
+
+The headline feature of 3.0.0. Journey is a new global addon that transforms your trips into magazine-style travel stories.
+
+### Core
+- **5-table schema** — journeys, entries, photos, trips, contributors with full relational integrity
+- **Trip-to-Journey sync engine** — link one or more trips to a journey; skeleton entries and photos are synced automatically
+- **Timeline, Gallery, and Map views** — browse entries chronologically, as a photo grid, or on an interactive map with SVG pin markers
+- **Entry editor** — markdown toolbar, custom date picker, location search (Nominatim/Google Maps), mood (Amazing/Good/Neutral/Rough), weather (Sunny to Snowy), and Pros & Cons sections
+- **Entry reorder** — move-up / move-down arrows on each entry (desktop), skipped on skeleton suggestions
+- **Hide skeletons toggle** — per-contributor setting to focus on the written entries only
+
+### Photos
+- **Immich & Synology browser** — browse by trip dates, custom range, or album with duplicate detection
+- **Photo upload** — direct upload with drag-and-drop, reorder (Make 1st), and delete
+- **EXIF metadata** — displayed in lightbox for Immich photos
+- **Thumbnail to original fallback** — seamless resolution upgrade everywhere
+- **HEIC rendering fix** — serve fullsize thumbnail for original to fix HEIC rendering on non-Safari browsers
+- **Contributor photo access** — invited contributors can view all journey photos even without their own Immich/Synology connection (owner credentials are used for the proxy)
+- **Safari gallery picker fix** — repaired grid layout collapse on Safari (#717)
+
+### Sharing & Export
+- **Public share links** — token-based access with language picker, no login required
+- **Public photo proxy** — validates share token instead of auth for photo streaming
+- **Thumbnail size in public gallery** — grid loads thumbnails instead of originals, lightbox keeps originals (cuts bandwidth on shared links significantly)
+- **PDF photo book export** — Polarsteps-inspired layout with cover, day chapters, photo grids, and stories
+
+### Collaboration
+- **Contributors** — invite users as editors or viewers
+- **Trip linking/unlinking** — manage synced trips from Journey Settings and Desktop Sidebar
+- **Cover image** — upload or pick from journey photos
+
+### Frontend
+- **JourneyPage** — frontpage with hero card, active journey stats, trip suggestions ("Trip just ended — turn it into a Journey")
+- **JourneyDetailPage** — full timeline/gallery/map with inline entry editing
+- **JourneyPublicPage** — public share view with language picker and read-only timeline
+
+---
+
+## Mapbox GL as a First-Class Renderer
+
+Leaflet gets a sibling. Users can now switch the trip planner map to **Mapbox GL JS** for a proper 3D globe, terrain, and 3D buildings.
+
+- **Settings toggle** — choose between Leaflet and Mapbox GL in Settings > Map
+- **Globe projection** — smooth rotating globe when zoomed out, mercator when zoomed in
+- **3D terrain and buildings** — enabled on Standard and Satellite styles, with custom 3D buildings in dark/light mode
+- **Trip route, GPX geometries, place markers** — full feature parity with the Leaflet renderer
+- **Transport reservations overlay** — great-circle arcs for flights/cruises, straight lines for trains/cars, clickable endpoint badges with IATA codes, rotating mid-arc stats label for flights. Honours the per-booking "show route" toggle in DayPlanSidebar
+- **Auto-fit on load** — planner map zooms to the trip's places on initial render
+- **Booking route label toggle** — separate setting to hide IATA labels on endpoint markers
+- **Infrastructure** — WebAssembly allowed in CSP for Mapbox GL's 3D engine, PWA precache limit raised so the mapbox-gl bundle builds, Mapbox endpoints allowed in `connect-src` / `img-src`
+
+---
+
+## MCP: OAuth 2.1 & Granular Scopes
+
+MCP authentication has been completely rebuilt around the OAuth 2.1 specification.
+
+- **OAuth 2.1 authorization server** — full PKCE flow with authorization codes, access tokens, refresh tokens, and token rotation with replay detection
+- **Granular scopes** — 24 scopes across 11 groups (trips, places, atlas, packing, todos, budget, reservations, collab, notifications, vacay, geo/weather) with per-scope read/write/delete control
+- **Dynamic Client Registration (DCR)** — RFC 7591 endpoint at `POST /oauth/register`, with strict redirect_uri validation (HTTPS / loopback / reverse-DNS private-use schemes only; rejects `javascript:` / `data:` / `file:` / etc.)
+- **RFC 9728 Protected Resource Metadata** — `/.well-known/oauth-protected-resource` exposes the MCP endpoint's auth requirements for client auto-discovery
+- **RFC 8707 audience binding** — tokens are audience-bound to `<app_url>/mcp` by default and validated on every MCP request
+- **Consent screen** — user-facing scope selection with grouped permission display
+- **Admin panel** — OAuth sessions management in MCP Access panel with collapsible scope lists
+- **Per-client rate limiting** — configurable rate limits per OAuth client
+- **Addon gating** — MCP tools are only registered when their corresponding addon is enabled
+- **Compound tools** — single-call multi-step workflows (e.g. create day with places in one tool call, fetch full trip context) to reduce MCP round-trips
+- **Surface alignment** — MCP tool schemas and responses kept in sync with the current app state (fewer drifted fields, correct enum sets)
+- **Static token deprecation** — existing MCP tokens still work but surface deprecation notices; migration path to OAuth is documented
+- **Collab sub-feature gating** — MCP tools for chat/notes/polls respect the admin-level collab sub-feature toggles
+
+---
+
+## Self-Service Password Reset
+
+Users can now reset their own password without admin intervention.
+
+- **Email-based flow** — `/forgot-password` issues a single-use reset token delivered via SMTP (or logged to the server console if SMTP is not configured)
+- **MFA-aware** — if the user has MFA enabled, the reset endpoint additionally verifies a TOTP code or backup code before rotating the password
+- **Session invalidation** — resetting the password bumps `users.password_version`, which kicks every existing JWT, MCP static token, and OAuth bearer token for that user out in one shot
+- **Server-side URL building** — the reset link is built from `APP_URL` / `ALLOWED_ORIGINS`, not from request headers, so a spoofed `Host` / `Origin` cannot redirect the link to an attacker-controlled domain
+- **Rate limiting + audit** — per-IP rate limit on `/forgot-password`, all requests audited (including "no such user" so abuse is visible)
+
+---
+
+## Dashboard Redesign
+
+The dashboard has been rebuilt with a mobile-first design language.
+
+### Mobile
+- **Greeting header** — "Good morning, {username}" with notification bell and avatar
+- **Spotlight hero card** — the next upcoming or ongoing trip as a full-width hero with cover image, progress bar (for live trips), stats grid, and frosted-glass action buttons
+- **Quick Actions** — New Trip, Currency Converter, Timezone as icon cards
+- **Trip cards** — cover image with title overlay, status badge (In X days / Starts today / Ongoing / Completed), bottom stats (starts, duration, places, buddies)
+
+### Desktop
+- **Unified header toolbar** — the dashboard, planner, vacay, and journey now share the same toolbar style
+- **Unified card design** — desktop grid cards now match the mobile card style (cover + title overlay + stats)
+- **Hero card** — SpotlightCard with progress bar for ongoing trips, countdown for upcoming, stats grid
+- **Hover actions** — edit/copy/archive/delete buttons appear on hover as frosted-glass icons
+- **Status badges** — CircleCheck icon for completed trips, Clock for upcoming, pulsing dot for ongoing
+
+### Both
+- **BottomNav profile sheet** — slide-up sheet with user info, settings, admin, and logout
+- **Dark mode** — full dark mode support across all new components
+- **Shared PageSidebar** — Settings and Admin pages share a single sidebar component for layout consistency
+
+---
+
+## PWA Offline Mode
+
+TREK now works offline as a Progressive Web App with full data synchronization.
+
+- **IndexedDB (Dexie) storage** — trips, places, assignments, categories, tags, accommodations, reservations, budget items, packing items, files, and trip members cached locally
+- **Offline mutation queue** — changes made offline are queued with monotonic timestamps and replayed on reconnect (FIFO)
+- **Offline dashboard** — trip list loaded from Dexie when network is unavailable
+- **Offline trip planner** — full planner functionality with cached data
+- **Repo layer** — all data access routed through repository layer that falls back to offline storage
+- **Offline banner** — visible indicator with safe-area-inset support for iOS PWA
+- **Idempotency keys** — prevents duplicate mutations on replay, scoped by `(key, user_id, method, path)` so the same key on different endpoints can't leak cached bodies
+- **Offline document downloads** — document downloads work from the PWA cache when the network is unavailable
+
+---
+
+## Transport Reservations: Multi-Day + Map Visualization
+
+- **Multi-day transport reservations** — flights, trains, cruises, car rentals can span multiple days with a dedicated modal and automatic route segmentation across the affected days (#384, #587)
+- **Map visualization** — transport endpoints render on both Leaflet and Mapbox GL maps as clickable badges with IATA codes, great-circle arcs for flights/cruises, straight lines for trains/cars, and a rotating mid-arc stats label (IATA → IATA · distance · duration) on flights
+- **Per-booking route toggle** — each booking in DayPlanSidebar has a "Show booking routes" button; connections only render when toggled on
+- **Check-in time ranges** — hotel bookings now support a check-in window (e.g. "15:00 -- 22:00") with a new `check_in_end` field (#366)
+- **Cascaded delete** — deleting a reservation now cleans up related budget items, file links, and trip_items
+
+---
+
+## Reservations Redesign
+
+The reservations panel has been completely redesigned with a modern, unified layout.
+
+- **Unified toolbar** — title, type filter pills with count badges, and add button in one row with muted background
+- **Type filters** — multi-select filter buttons (Flight, Hotel, Restaurant, etc.) with per-type count badges, persisted in sessionStorage
+- **Responsive grid** — auto-fill layout with max 3 columns that fills full width
+- **Card redesign** — status + type badge in header, labeled fields in rounded boxes, hover shadow
+- **Mobile responsive** — filters hidden on mobile, booking code on separate row, weekday hidden in dates, reduced padding
+
+---
+
+## Apple Wallet pkpass Support
+
+- **.pkpass MIME type** — server correctly serves `application/vnd.apple.pkpass` with the right Content-Type
+- **Upload + download** — .pkpass files can be attached to bookings or places and opened directly in Apple Wallet on iOS
+
+---
+
+## Todo Due-Date Reminders
+
+- **Scheduler** — a new background scheduler scans todos with upcoming due dates and sends one reminder per item (default lead: 3 days)
+- **No spam** — `todo_items.reminded_at` prevents re-sending a reminder for the same item on subsequent scheduler runs
+- **Notification channel aware** — reminders respect the user's notification channel preferences (email, webhook, ntfy)
+
+---
+
+## Collab Sub-Feature Toggles
+
+Individual collab sections can now be toggled on/off from the admin addons page (#604).
+
+- **Admin UI** — sub-toggles for Chat, Notes, Polls, and What's Next under the Collab addon, with icons matching the collab panel tabs
+- **Dynamic desktop layout** — Chat always stays at fixed 380px width; remaining active panels share space equally
+- **Mobile** — disabled tabs are hidden from the tab bar
+- **API** — GET/PUT /admin/collab-features endpoints stored in app_settings
+
+---
+
+## Place Import: KMZ/KML + Naver Maps + Selective GPX
+
+Three ways to import places into your trips.
+
+### KMZ/KML Import
+- **Unified file import modal** — drag-and-drop or file picker for KML, KMZ, and GPX files
+- **KMZ unpacking** — extracts KML from ZIP archive with 50MB decompressed size limit
+- **Folder-to-category mapping** — KML folders are automatically matched to TREK categories
+- **Place deduplication** — skips places that already exist in the trip (by name + coordinates)
+
+### Naver Maps List Import
+- **Always enabled** — no longer requires addon toggle, available alongside Google Maps list import
+- **Shortlink resolution** — resolves naver.me shortlinks to full list URLs
+- **Pagination support** — handles large Naver Maps lists with automatic pagination
+
+### Selective GPX/KML Element Import
+- **Pick what to import** — import modal now lets you choose individual waypoints / tracks / folders instead of an all-or-nothing dump
+- **Performance** — larger files (thousands of points) parse and render without freezing the UI
+
+---
+
+## Search Autocomplete
+
+- **Real-time suggestions** — autocomplete suggestions appear as you type in the place search field
+- **Google Places API** — primary autocomplete provider with location bias
+- **Nominatim fallback** — free fallback when Google API key is not configured
+- **Bounding box bias** — search results biased to the current map viewport
+
+---
+
+## ntfy Notification Channel
+
+- **ntfy as first-class channel** — push notifications via any ntfy server (self-hosted or ntfy.sh)
+- **Admin configuration** — server URL and topic configuration in admin panel with clear token button
+- **Per-user opt-in** — users can enable/disable ntfy in their notification preferences
+- **Full i18n** — ntfy strings translated in all 15 languages
+
+---
+
+## Login & Language
+
+- **Language dropdown on login page** — users can select their preferred language before logging in
+- **Browser auto-detection** — language is automatically detected from browser settings on first visit
+- **DEFAULT_LANGUAGE env var** — configurable default language for the instance, documented across all deployment configs (Docker, Helm, Synology)
+
+---
+
+## Granular Auth Toggles
+
+- **OIDC_ONLY replaced** — split into `DISABLE_LOCAL_LOGIN`, `DISABLE_LOCAL_REGISTRATION`, and `DISABLE_PASSWORD_CHANGE` for fine-grained control over authentication methods
+- Allows mixed setups (e.g., OIDC + local admin account, or OIDC-only with no local registration)
+
+---
+
+## Synology Photos: OTP, SSL Skip & Session Management
+
+- **OTP support** — one-time password field for 2FA-enabled Synology NAS
+- **Skip SSL verification** — toggle for self-signed certificates
+- **Device ID persistence** — prevents repeated 2FA prompts
+- **Session-cleared notification** — routed through unified notification system
+- **Provider URL hint** — contextual help text for Synology URL format
+- **Thumbnail size bump** — default thumbnail size raised from `sm` (240 px) to `m` (320 px) so grids no longer look pixelated on retina
+- **Passphrase support** — shared-album links with passphrases work from the browse UI (#689)
+
+---
+
+## Atlas Improvements
+
+- **Scoped region matching** — region name matching is now scoped by country to prevent cross-country false matches
+- **Expanded country lookup tables** — more countries and regions recognized correctly, including A3 fallback for invalid ISO_A2 codes
+- **Nominatim rate limiting** — shared throttle prevents 429 errors, background region fill, fetch timeout
+- **Stadia Maps fix** — resolved 401 errors on journey and atlas maps
+
+---
+
+## i18n: Full 15-Language Coverage
+
+- **Indonesian added** — complete translation with full parity to English, bringing the total to 15 languages (EN, DE, FR, ES, IT, NL, PL, RU, ZH, ZH-TW, BR, CS, HU, AR, ID)
+- **Comprehensive audit** — every key translated natively, no English fallbacks
+- **OAuth scope labels** — all 24 scopes have localized names and descriptions
+- **Journey addon** — complete coverage for all journal, editor, sharing, and PDF export strings
+- **Mapbox GL settings** — localized labels for renderer toggle, style picker, 3D / quality switches
+- **Ellipsis standardization** — all ellipsis characters normalized to three dots (...)
+
+---
+
+## Vacay Improvements
+
+- **Trip indicator dots** — small blue dots on calendar days where trips are scheduled
+- **Configurable week start** — choose Monday or Sunday as first day of the week (#224)
+- **Holiday overlap** — vacations can now be placed on public holidays
+- **Today marker** — visual indicator for the current day in the calendar
+- **Unified toolbar** — same header style as planner/dashboard/journey
+- **Bottom padding fix** — toolbar no longer overlaps the last row (#533)
+
+---
+
+## iCal Export Improvements
+
+- **Day activities and notes** — iCal export now includes daily activities and notes, not just the trip dates (#375)
+
+---
+
+## Budget Improvements
+
+- **Drag-and-drop reorder** — budget categories and individual items can be reordered via drag-and-drop (#479)
+- **Category legend redesign** — prevents overflow on small screens (#564)
+- **Comma decimal support** — pasting numbers with comma separators works correctly
+- **Table alignment fix** — budget data rows and the "New Entry" row now share column widths (#759)
+
+---
+
+## Packing List Improvements
+
+- **Bulk import + template apply without full reload** — new items appear in place instead of triggering the trip loading screen (#760)
+- **Reservation link cleanup** — packing items linked to deleted reservations stay in the list without the dangling reference
+- **Bag tracking** — keep track of which items live in which bag, with optional weight tracking and per-bag totals
+
+---
+
+## Planner & UX Improvements
+
+- **Emil-style polish pass** — consistent transitions/animations across cards, hover states, and drawer sheets; shared components for toolbars and section headers
+- **Planner drag-and-drop jank fix** — dragging places across days is smooth again on long trips
+- **Unified toolbar header** — dashboard, planner, vacay, and journey share a single toolbar style for visual consistency
+- **Places sidebar polish** — filter counts, compact select UI, tooltip component, "No Category" / "Uncategorized" filter (#607)
+- **Dayplan toolbar polish** — cleaner alignment, weather archive fallback for past trips
+- **Unplanned filter sync** — unplanned filter properly syncs with map markers (#385)
+- **Place notes** — notes textarea in place edit form with proper display in inspector (#596)
+- **Place deduplication** — Google Maps list re-import skips existing places (#543)
+- **File download button** — all file views now include a download button
+- **Note modal** — no longer closes on outside click (#480)
+- **Google Maps links** — use place name + google_place_id for accurate links (#554)
+- **Packing list menu** — no longer cut off by overflow (#557)
+- **Trip date change** — preserving day content when date range changes
+- **PDF export** — render restaurant, event, tour, and other reservation types
+
+---
+
+## Admin Panel Improvements
+
+- **Collab sub-feature toggles** — individual toggles for Chat, Notes, Polls, What's Next
+- **Photo provider icons** — Immich and Synology Photos SVG brand icons in addon manager
+- **Bag tracking icon** — Luggage icon for the bag tracking sub-toggle
+- **Naver List Import** — now always enabled, removed from addon toggles
+- **Shared PageSidebar** — admin pages use the same sidebar layout as Settings
+
+---
+
+## Mobile Improvements
+
+- **Bottom nav fix** — prevent clipping of scrollable content and dialogs
+- **Journey mobile** — compact add-entry button, scrollable settings dialog, iOS PWA fixes, drop hero / inline tab-bar, eager map tiles, trimmed picker labels
+- **Dashboard mobile** — spotlight trip in hero, smaller badges, check icon for completed
+- **Bottom nav dark mode** — consistent dark mode styling
+- **Safe area support** — proper insets for iOS PWA
+
+---
+
+## Documentation & Wiki
+
+- **Full GitHub Wiki** — 74 pages covering setup, deployment, addon docs, troubleshooting, API reference, and MCP
+- **CI sync workflow** — `./wiki/**` in the main repo is auto-synced to the GitHub Wiki on push to `main`
+- **README redesign** — Apple-style hero with animated video, feature tiles, and a screenshot gallery; hero video hosted externally so the repo stays lightweight
+- **MCP compound tools doc** — `MCP.md` documents the compound / multi-step tools
+
+---
+
+## Security
+
+Fifth-pass internal audit. Critical + High + Medium findings addressed in one bundled PR:
+
+- **JWT password_version gate** — a single `verifyJwtAndLoadUser` helper is now used by every auth surface (web session, MCP bearer, file download token, photo route, MFA policy). A password reset bumps `password_version` and invalidates every outstanding session/token for the user in one shot.
+- **MFA policy via cookie** — `require_mfa` now applies to cookie-authenticated SPA sessions too (previously only the `Authorization` header was checked, so the whole SPA bypassed it).
+- **OIDC id_token verification** — full JWKS-based signature verification (iss, aud, exp, nbf) plus `userinfo.sub == id_token.sub` cross-check. `kid` match is strict — no fallback to an arbitrary key.
+- **OIDC invite redemption** — invite-token increment and user INSERT run in a single `db.transaction`; concurrent callbacks cannot double-redeem a single-use invite.
+- **OAuth 2.1 DCR** — redirect_uri allowlist rejects `javascript:` / `data:` / `vbscript:` / `file:` / `blob:` / `about:` / `chrome:` and requires private-use schemes to be reverse-DNS (RFC 8252 §7.1).
+- **OAuth audience binding** — `audience` defaults to the MCP endpoint when no `resource` parameter is sent, so new tokens always carry the correct audience claim.
+- **HSTS on in production** — `NODE_ENV=production` is enough to enable HSTS (previously required `FORCE_HTTPS=true`). `includeSubDomains` stays off by default to avoid breaking apex-domain setups; opt in with `HSTS_INCLUDE_SUBDOMAINS=true`.
+- **Cookie Secure behind proxies** — `trek_session` Secure flag is now derived from `req.secure` (Express's `trust proxy`-aware field), so instances behind Traefik / Caddy / Cloudflare Tunnel get Secure cookies without `FORCE_HTTPS`.
+- **Share-token expiry** — public share tokens default to 90-day TTL. Existing tokens stay NULL (no expiry) so already-distributed links keep working.
+- **Photo route scoping** — share tokens can only unlock photos that belong to the same trip as the token.
+- **Bcrypt MFA backup codes** — backup codes are now bcrypt-hashed at rest. Legacy SHA-256 codes keep working until the user regenerates.
+- **Demo-mode guards** — single `DEMO_EMAILS` registry fixes the drift where `demoUploadBlock` only matched the pre-rename `demo@nomad.app` string.
+- **Filesystem safety** — `permanentDeleteFile` / `emptyTrash` / avatar cleanup use async `fs.promises.rm({ force: true })` and only drop the DB row when the on-disk unlink actually succeeded.
+- **Idempotency store hardening** — key length capped at 128 chars, response bodies over 256 KiB not cached, primary key widened to `(key, user_id, method, path)` so the same key on a different endpoint does not replay an unrelated response.
+- **Permissions cache invalidation** — `restoreFromZip` now drops the permissions cache after a DB swap.
+- **Reset-URL source** — password-reset email URL is built from server-side `APP_URL` / `ALLOWED_ORIGINS`, never from request headers.
+- **Critical DB indexes** — added `trips(user_id)`, `trips(created_at DESC)`, `photos(day_id/place_id)`, `reservations(day_id)`, `share_tokens(token)` and conditional `day_accommodations` / `notifications` indexes.
+
+Upstream CVEs patched:
+
+- **hono** 4.12.9 to 4.12.12 — directory traversal (CVE-2026-39407, CVE-2026-39408), HTTP response splitting, improper input validation (CVE-2026-39410), IP restriction bypass (CVE-2026-39409)
+- **@hono/node-server** 1.19.11 to 1.19.13 — directory traversal (CVE-2026-39406)
+- **nodemailer** 8.0.4 to 8.0.5 — CRLF injection
+
+---
+
+## Bug Fixes
+
+- Fixed OIDC-only mode login/logout loop (#491)
+- Fixed dayplan duplicate reservation display, date off-by-one, and missing day_id on edit
+- Fixed booking date handling and file auth bugs
+- Fixed dayplan time-based auto-sort for places and free reorder for untimed
+- Fixed streaming response end on client disconnect during asset pipe
+- Fixed per-day transport positions for multi-day reservations
+- Fixed stale budget category reset when category no longer exists
+- Fixed trip redirect to plan tab when active tab addon is disabled
+- Fixed reservation price/budget field visibility when budget addon disabled
+- Fixed HEIC photo rendering on non-Safari browsers
+- Fixed CSP path matching for paths ending in /
+- Fixed avatar URLs in notifications, admin panel, and budget
+- Fixed budget member avatars lost after updating item fields
+- Fixed budget table column alignment broken by `display: flex` on `<td>` (#759)
+- Fixed collab notes line break preservation (#608)
+- Fixed weather archive date handling for future trips (#599)
+- Fixed duplicate skeleton entries for multi-day places (#606)
+- Fixed ghost Gallery / `[Trip Photos]` entries in journal timeline and public share (#764)
+- Fixed journey reorder arrows rendering on skeleton suggestions (#763)
+- Fixed journey map OSM tile warning (#627)
+- Fixed journey gallery picker grid collapse on Safari (#717)
+- Fixed content divider placement in journal entries (#624)
+- Fixed local photos wrong provider label (#625)
+- Fixed Synology pagination and album scroll leak (#644)
+- Fixed Stadia Maps 401 on journey and atlas maps (#640)
+- Fixed Nominatim User-Agent and error diagnostics
+- Fixed map tooltips, journey creation, and contributor avatars
+- Fixed notifications SMTP error surfacing, webhook button label, backup timestamp (#537)
+- Fixed stale accommodation_id on reservation update (#522)
+- Fixed hardcoded Immich in toast — now uses provider_name
+- Fixed MCP safeBroadcast recursive call bug
+- Fixed MCP Zod v4 `z.record()` API compatibility in transport tool schemas
+- Fixed Vite module preload polyfill CSP inline script violation
+- Fixed PWA offline session redirect and file download auth (#505, #541)
+- Fixed `FORCE_HTTPS` redirect applying to `/api/health`, breaking container health-checks
+- Fixed journey bugs reported by @roel-de-vries (#722–#736)
+
+---
+
+## Infrastructure
+
+- **Prerelease workflow** — automated prerelease pipeline with major version support, version propagation, and race/orphan tag protection
+- **Helm chart** — moved to `charts/trek/`, published via helm-publisher action to `gh-pages`, `appVersion` used as default image tag
+- **Docker** — workflow improvements, tag management cleanup, `server/data/airports.json` properly included in image after assets refactor
+- **CI** — contributor workflow automation, `npm audit` removal from install steps, manual trigger for prerelease, client test job added alongside server tests with split coverage artifacts
+
+---
+
+## Test Coverage
+
+- **Backend** — expanded to ~87% coverage with comprehensive tests for OAuth, MCP tools, addon gating, services, and session management
+- **Frontend** — expanded to ~82% coverage with tests for dashboard, planner, settings, admin panels, and component interactions
+- **Journey** — 89.5% new code coverage
+
+---
+
+## Contributors
+
+Thanks to everyone who contributed to this release:
+
+- @mauriceboe
+- @jubnl
+- @gravitysc
+- @luojiyin1987
+- @marco783
+- @isaiastavares
+- @tiquis0290
+- @xenocent
+- @gfrcsd
+- @roel-de-vries
+
+---
+
+## Stats
+
+| Metric | Value |
+|--------|-------|
+| Commits | 500+ |
+| Merged PRs | 130+ |
+| Files changed | 700+ |
+| Lines added | 120,000+ |
+| Contributors | 12+ |
+
+---
+
+## Upgrading
+
+```bash
+docker pull mauriceboe/trek:3.0.0
+docker compose up -d
+```
+
+Migrations run automatically on startup. No manual steps required.
+
+**Checklist:**
+1. Update your Immich API key to include `asset.upload` (optional, only needed for Journey upload sync)
+2. If using `OIDC_ONLY`, migrate to `DISABLE_LOCAL_LOGIN` + `DISABLE_LOCAL_REGISTRATION`
+3. Enable the Journey addon in Settings > Addons to start using the travel journal
+4. Try the Mapbox GL renderer in Settings > Map if you want 3D terrain and a proper globe view (requires a free Mapbox access token)

.issue-scratch/release-draft.md

@@ -0,0 +1,405 @@
+
+<img width="5292" height="1404" alt="Release 2 9 0 (2)" src="https://github.com/user-attachments/assets/6ff67226-3535-444e-991f-0bc0352e22e7" />
+
+# TREK 3.0.0
+
+> **This is the biggest TREK release to date.** Journey turns your trips into rich travel journals. MCP gets full OAuth 2.1 security. The dashboard has been redesigned for mobile-first. And every corner of the app now speaks 15 languages natively.
+
+---
+
+## Breaking Changes
+
+### Photos moved from Trip Planner to Journey
+
+In previous versions, Immich and Synology Photos were integrated directly into the Trip Planner via a "Photos" tab. **This tab has been removed.** Photos are now part of the new **Journey addon**, which is purpose-built for documenting your travels with stories, photos, and maps.
+
+**What this means for you:**
+- **No photos are lost.** The previous integration was read-only — TREK never uploaded to or deleted from your Immich/Synology library. Your photos remain untouched in your photo provider.
+- **Previously linked trip photos are no longer displayed in the Trip Planner.** To view and organize your travel photos, enable the Journey addon (Settings > Addons) and create a Journey linked to your trip.
+- **Journey brings a much richer photo experience:** upload photos directly to TREK, browse and import from Immich/Synology with duplicate detection, reorder photos, view EXIF metadata, and export everything as a PDF photo book.
+
+### New Immich API Key Permissions Required
+
+Journey introduces **photo upload sync** — when you upload a photo to a Journey entry, TREK can optionally sync it to your Immich library. This requires an additional Immich API permission that was not needed before.
+
+**Previous versions required:**
+| Permission | Used for |
+|---|---|
+| `user.read` | Connection test |
+| `asset.read` | Browse photos by date, search |
+| `asset.view` | Stream thumbnails |
+| `asset.download` | Stream originals |
+| `album.read` | List and browse albums |
+| `timeline.read` | Browse timeline buckets |
+
+**New in 3.0.0 — additionally required:**
+| Permission | Used for |
+|---|---|
+| `asset.upload` | Sync uploaded Journey photos to Immich |
+
+> **How to update your Immich API key:** Go to your Immich instance > User Settings > API Keys. Edit your existing TREK key (or create a new one) and ensure `asset.upload` is enabled in addition to the existing permissions. If you don't plan to use Journey's upload sync, the old key will continue to work — the upload simply won't sync to Immich.
+
+**No changes needed for Synology Photos** — Synology uses session-based authentication which inherits the user's full permissions.
+
+### OIDC_ONLY deprecated
+
+The `OIDC_ONLY` environment variable is deprecated. Replace with `DISABLE_LOCAL_LOGIN=true` + `DISABLE_LOCAL_REGISTRATION=true` for equivalent behavior. The old variable still works but will be removed in a future release.
+
+---
+<img width="5292" height="1404" alt="Release 2 9 0 (3)" src="https://github.com/user-attachments/assets/76976c02-dd81-49ab-83f5-e2221d6b018b" />
+
+## Journey Addon — Travel Journal
+
+The headline feature of 3.0.0. Journey is a new global addon that transforms your trips into magazine-style travel stories.
+
+### Core
+- **5-table schema** — journeys, entries, photos, trips, contributors with full relational integrity
+- **Trip-to-Journey sync engine** — link one or more trips to a journey; skeleton entries and photos are synced automatically
+- **Timeline, Gallery, and Map views** — browse entries chronologically, as a photo grid, or on an interactive map with SVG pin markers
+- **Entry editor** — markdown toolbar, custom date picker, location search (Nominatim/Google Maps), mood (Amazing/Good/Neutral/Rough), weather (Sunny to Snowy), and Pros & Cons sections
+
+### Photos
+- **Immich & Synology browser** — browse by trip dates, custom range, or album with duplicate detection
+- **Photo upload** — direct upload with drag-and-drop, reorder (Make 1st), and delete
+- **EXIF metadata** — displayed in lightbox for Immich photos
+- **Thumbnail to original fallback** — seamless resolution upgrade everywhere
+- **HEIC rendering fix** — serve fullsize thumbnail for original to fix HEIC rendering on non-Safari browsers
+- **Contributor photo access** — invited contributors can view all journey photos even without their own Immich/Synology connection (owner credentials are used for the proxy)
+
+### Sharing & Export
+- **Public share links** — token-based access with language picker, no login required
+- **Public photo proxy** — validates share token instead of auth for photo streaming
+- **PDF photo book export** — Polarsteps-inspired layout with cover, day chapters, photo grids, and stories
+
+### Collaboration
+- **Contributors** — invite users as editors or viewers
+- **Trip linking/unlinking** — manage synced trips from Journey Settings and Desktop Sidebar
+- **Cover image** — upload or pick from journey photos
+
+### Frontend
+- **JourneyPage** — frontpage with hero card, active journey stats, trip suggestions ("Trip just ended — turn it into a Journey")
+- **JourneyDetailPage** — full timeline/gallery/map with inline entry editing
+- **JourneyPublicPage** — public share view with language picker and read-only timeline
+
+---
+
+## MCP: OAuth 2.1 & Granular Scopes
+
+MCP authentication has been completely rebuilt around the OAuth 2.1 specification.
+
+- **OAuth 2.1 authorization server** — full PKCE flow with authorization codes, access tokens, refresh tokens, and token rotation with replay detection
+- **Granular scopes** — 24 scopes across 11 groups (trips, places, atlas, packing, todos, budget, reservations, collab, notifications, vacay, geo/weather) with per-scope read/write/delete control
+- **Dynamic Client Registration (DCR)** — RFC 7591 endpoint at POST /oauth/register for browser-initiated and public clients
+- **Consent screen** — user-facing scope selection with grouped permission display
+- **Admin panel** — OAuth sessions management in MCP Access panel with collapsible scope lists
+- **Per-client rate limiting** — configurable rate limits per OAuth client
+- **Addon gating** — MCP tools are only registered when their corresponding addon is enabled
+- **Static token deprecation** — existing MCP tokens still work but surface deprecation notices; migration path to OAuth is documented
+- **Security hardening** — Critical + High + Medium findings addressed (token storage, PKCE enforcement, scope validation)
+
+---
+
+## Dashboard Redesign
+
+The dashboard has been rebuilt with a mobile-first design language.
+
+### Mobile
+- **Greeting header** — "Good morning, {username}" with notification bell and avatar
+- **Spotlight hero card** — the next upcoming or ongoing trip as a full-width hero with cover image, progress bar (for live trips), stats grid, and frosted-glass action buttons
+- **Quick Actions** — New Trip, Currency Converter, Timezone as icon cards
+- **Trip cards** — cover image with title overlay, status badge (In X days / Starts today / Ongoing / Completed), bottom stats (starts, duration, places, buddies)
+
+### Desktop
+- **Unified card design** — desktop grid cards now match the mobile card style (cover + title overlay + stats)
+- **Hero card** — SpotlightCard with progress bar for ongoing trips, countdown for upcoming, stats grid
+- **Hover actions** — edit/copy/archive/delete buttons appear on hover as frosted-glass icons
+- **Status badges** — CircleCheck icon for completed trips, Clock for upcoming, pulsing dot for ongoing
+
+### Both
+- **BottomNav profile sheet** — slide-up sheet with user info, settings, admin, and logout
+- **Dark mode** — full dark mode support across all new components
+
+---
+
+## PWA Offline Mode
+
+TREK now works offline as a Progressive Web App with full data synchronization.
+
+- **IndexedDB (Dexie) storage** — trips, places, assignments, categories, tags, accommodations, reservations, budget items, packing items, files, and trip members cached locally
+- **Offline mutation queue** — changes made offline are queued with monotonic timestamps and replayed on reconnect (FIFO)
+- **Offline dashboard** — trip list loaded from Dexie when network is unavailable
+- **Offline trip planner** — full planner functionality with cached data
+- **Repo layer** — all data access routed through repository layer that falls back to offline storage
+- **Offline banner** — visible indicator with safe-area-inset support for iOS PWA
+- **Idempotency keys** — prevents duplicate mutations on replay (Migration 100)
+
+---
+
+## Reservations Redesign
+
+The reservations panel has been completely redesigned with a modern, unified layout.
+
+- **Unified toolbar** — title, type filter pills with count badges, and add button in one row with muted background
+- **Type filters** — multi-select filter buttons (Flight, Hotel, Restaurant, etc.) with per-type count badges, persisted in sessionStorage
+- **Responsive grid** — auto-fill layout with max 3 columns that fills full width
+- **Card redesign** — status + type badge in header, labeled fields in rounded boxes, hover shadow
+- **Check-in time ranges** — hotel bookings now support a check-in window (e.g. "15:00 -- 22:00") with a new check_in_end field (#366)
+- **Mobile responsive** — filters hidden on mobile, booking code on separate row, weekday hidden in dates, reduced padding
+
+---
+
+## Collab Sub-Feature Toggles
+
+Individual collab sections can now be toggled on/off from the admin addons page (#604).
+
+- **Admin UI** — sub-toggles for Chat, Notes, Polls, and What's Next under the Collab addon, with icons matching the collab panel tabs
+- **Dynamic desktop layout** — Chat always stays at fixed 380px width; remaining active panels share space equally
+- **Mobile** — disabled tabs are hidden from the tab bar
+- **API** — GET/PUT /admin/collab-features endpoints stored in app_settings
+
+---
+
+## Place Import: KMZ/KML & Naver Maps
+
+Two new ways to import places into your trips.
+
+### KMZ/KML Import
+- **Unified file import modal** — drag-and-drop or file picker for KML, KMZ, and GPX files
+- **KMZ unpacking** — extracts KML from ZIP archive with 50MB decompressed size limit
+- **Folder-to-category mapping** — KML folders are automatically matched to TREK categories
+- **Place deduplication** — skips places that already exist in the trip (by name + coordinates)
+
+### Naver Maps List Import
+- **Always enabled** — no longer requires addon toggle, available alongside Google Maps list import
+- **Shortlink resolution** — resolves naver.me shortlinks to full list URLs
+- **Pagination support** — handles large Naver Maps lists with automatic pagination
+
+---
+
+## Search Autocomplete
+
+- **Real-time suggestions** — autocomplete suggestions appear as you type in the place search field
+- **Google Places API** — primary autocomplete provider with location bias
+- **Nominatim fallback** — free fallback when Google API key is not configured
+- **Bounding box bias** — search results biased to the current map viewport
+
+---
+
+## ntfy Notification Channel
+
+- **ntfy as first-class channel** — push notifications via any ntfy server (self-hosted or ntfy.sh)
+- **Admin configuration** — server URL and topic configuration in admin panel with clear token button
+- **Per-user opt-in** — users can enable/disable ntfy in their notification preferences
+- **Full i18n** — ntfy strings translated in all 15 languages
+
+---
+
+## Login & Language
+
+- **Language dropdown on login page** — users can select their preferred language before logging in
+- **Browser auto-detection** — language is automatically detected from browser settings on first visit
+- **DEFAULT_LANGUAGE env var** — configurable default language for the instance, documented across all deployment configs (Docker, Helm, Synology)
+
+---
+
+## Granular Auth Toggles
+
+- **OIDC_ONLY replaced** — split into DISABLE_LOCAL_LOGIN, DISABLE_LOCAL_REGISTRATION, and DISABLE_PASSWORD_CHANGE for fine-grained control over authentication methods
+- Allows mixed setups (e.g., OIDC + local admin account, or OIDC-only with no local registration)
+
+---
+
+## Synology Photos: OTP, SSL Skip & Session Management
+
+- **OTP support** — one-time password field for 2FA-enabled Synology NAS
+- **Skip SSL verification** — toggle for self-signed certificates
+- **Device ID persistence** — prevents repeated 2FA prompts
+- **Session-cleared notification** — routed through unified notification system
+- **Provider URL hint** — contextual help text for Synology URL format
+
+---
+
+## Atlas Improvements
+
+- **Scoped region matching** — region name matching is now scoped by country to prevent cross-country false matches
+- **Expanded country lookup tables** — more countries and regions recognized correctly, including A3 fallback for invalid ISO_A2 codes
+- **Nominatim rate limiting** — shared throttle prevents 429 errors, background region fill, fetch timeout
+- **Stadia Maps fix** — resolved 401 errors on journey and atlas maps
+
+---
+
+## i18n: Full 15-Language Coverage
+
+- **Indonesian added** — complete translation with full parity to English, bringing the total to 15 languages (EN, DE, FR, ES, IT, NL, PL, RU, ZH, ZH-TW, BR, CS, HU, AR, ID)
+- **Comprehensive audit** — every key translated natively, no English fallbacks
+- **OAuth scope labels** — all 24 scopes have localized names and descriptions
+- **Journey addon** — complete coverage for all journal, editor, sharing, and PDF export strings
+- **Ellipsis standardization** — all ellipsis characters normalized to three dots (...)
+
+---
+
+## Vacay Improvements
+
+- **Trip indicator dots** — small blue dots on calendar days where trips are scheduled
+- **Configurable week start** — choose Monday or Sunday as first day of the week (#224)
+- **Holiday overlap** — vacations can now be placed on public holidays
+- **Today marker** — visual indicator for the current day in the calendar
+- **Bottom padding fix** — toolbar no longer overlaps the last row (#533)
+
+---
+
+## iCal Export Improvements
+
+- **Day activities and notes** — iCal export now includes daily activities and notes, not just the trip dates (#375)
+
+---
+
+## Budget Improvements
+
+- **Drag-and-drop reorder** — budget categories and individual items can be reordered via drag-and-drop (#479)
+- **Category legend redesign** — prevents overflow on small screens (#564)
+- **Comma decimal support** — pasting numbers with comma separators works correctly
+
+---
+
+## Planner & UX Improvements
+
+- **Collapsible day detail panel** — day detail panel can be collapsed/expanded in the planner
+- **Uncategorized filter** — "No Category" option in category dropdown to find places without a category (#607)
+- **Map multi-category filter** — filter syncs with map view for uncategorized places
+- **Unplanned filter sync** — unplanned filter properly syncs with map markers (#385)
+- **Place notes** — notes textarea in place edit form with proper display in inspector (#596)
+- **Place deduplication** — Google Maps list re-import skips existing places (#543)
+- **File download button** — all file views now include a download button
+- **Note modal** — no longer closes on outside click (#480)
+- **Google Maps links** — use place name + google_place_id for accurate links (#554)
+- **Packing list menu** — no longer cut off by overflow (#557)
+- **Trip date change** — preserving day content when date range changes
+- **PDF export** — render restaurant, event, tour, and other reservation types
+
+---
+
+## Admin Panel Improvements
+
+- **Collab sub-feature toggles** — individual toggles for Chat, Notes, Polls, What's Next
+- **Photo provider icons** — Immich and Synology Photos SVG brand icons in addon manager
+- **Bag tracking icon** — Luggage icon for the bag tracking sub-toggle
+- **Naver List Import** — now always enabled, removed from addon toggles
+
+---
+
+## Mobile Improvements
+
+- **Bottom nav fix** — prevent clipping of scrollable content and dialogs
+- **Journey mobile** — compact add-entry button, scrollable settings dialog, iOS PWA fixes
+- **Dashboard mobile** — spotlight trip in hero, smaller badges, check icon for completed
+- **Bottom nav dark mode** — consistent dark mode styling
+- **Safe area support** — proper insets for iOS PWA
+
+---
+
+## Test Coverage
+
+- **Backend** — expanded to ~87% coverage with comprehensive tests for OAuth, MCP tools, addon gating, services, and session management
+- **Frontend** — expanded to ~82% coverage with tests for dashboard, planner, settings, admin panels, and component interactions
+- **Journey** — 89.5% new code coverage
+- **CI** — client test job added alongside server tests with split coverage artifacts
+
+---
+
+## Bug Fixes
+
+- Fixed OIDC-only mode login/logout loop (#491)
+- Fixed dayplan duplicate reservation display, date off-by-one, and missing day_id on edit
+- Fixed booking date handling and file auth bugs
+- Fixed dayplan time-based auto-sort for places and free reorder for untimed
+- Fixed streaming response end on client disconnect during asset pipe
+- Fixed per-day transport positions for multi-day reservations
+- Fixed stale budget category reset when category no longer exists
+- Fixed trip redirect to plan tab when active tab addon is disabled
+- Fixed reservation price/budget field visibility when budget addon disabled
+- Fixed HEIC photo rendering on non-Safari browsers
+- Fixed CSP path matching for paths ending in /
+- Fixed avatar URLs in notifications, admin panel, and budget
+- Fixed budget member avatars lost after updating item fields
+- Fixed collab notes line break preservation (#608)
+- Fixed weather archive date handling for future trips (#599)
+- Fixed duplicate skeleton entries for multi-day places (#606)
+- Fixed ghost Gallery entries in journal timeline and public share
+- Fixed journey map OSM tile warning (#627)
+- Fixed content divider placement in journal entries (#624)
+- Fixed local photos wrong provider label (#625)
+- Fixed Synology pagination and album scroll leak (#644)
+- Fixed Stadia Maps 401 on journey and atlas maps (#640)
+- Fixed Nominatim User-Agent and error diagnostics
+- Fixed map tooltips, journey creation, and contributor avatars
+- Fixed notifications SMTP error surfacing, webhook button label, backup timestamp (#537)
+- Fixed stale accommodation_id on reservation update (#522)
+- Fixed hardcoded Immich in toast — now uses provider_name
+- Fixed MCP safeBroadcast recursive call bug
+- Fixed Vite module preload polyfill CSP inline script violation
+- Fixed PWA offline session redirect and file download auth (#505, #541)
+
+---
+
+## Security
+
+- **hono** 4.12.9 to 4.12.12 — fixes directory traversal (CVE-2026-39407, CVE-2026-39408), HTTP response splitting, improper input validation (CVE-2026-39410), and IP restriction bypass (CVE-2026-39409)
+- **@hono/node-server** 1.19.11 to 1.19.13 — fixes directory traversal (CVE-2026-39406)
+- **nodemailer** 8.0.4 to 8.0.5 — fixes CRLF injection
+- **OAuth 2.1 hardening** — token storage, PKCE enforcement, scope intersection validation
+- **Google Maps regex** — replaced too-permissive regex with safer utility function
+
+---
+
+## Infrastructure
+
+- **Prerelease workflow** — automated prerelease pipeline with major version support, version propagation, and race/orphan tag protection
+- **Helm chart** — moved to charts/trek/, published via helm-publisher action to gh-pages, appVersion used as default image tag
+- **Docker** — workflow improvements, tag management cleanup
+- **CI** — contributor workflow automation, npm audit removal from install steps, manual trigger for prerelease
+
+---
+
+## Contributors
+
+Thanks to everyone who contributed to this release:
+
+- @mauriceboe
+- @jubnl
+- @gravitysc
+- @luojiyin1987
+- @marco783
+- @isaiastavares
+- @tiquis0290
+- @xenocent
+- @gfrcsd
+
+---
+
+## Stats
+
+| Metric | Value |
+|--------|-------|
+| Commits | 280+ |
+| Merged PRs | 49 |
+| Files changed | 500+ |
+| Lines added | 108,000+ |
+| Contributors | 12 |
+
+---
+
+## Upgrading
+
+```bash
+docker pull mauriceboe/trek:3.0.0
+docker compose up -d
+```
+
+Migrations run automatically on startup. No manual steps required.
+
+**Checklist:**
+1. Update your Immich API key to include `asset.upload` (optional, only needed for Journey upload sync)
+2. If using `OIDC_ONLY`, migrate to `DISABLE_LOCAL_LOGIN` + `DISABLE_LOCAL_REGISTRATION`
+3. Enable the Journey addon in Settings > Addons to start using the travel journal
+

Dockerfile

@@ -6,7 +6,18 @@ RUN npm ci
 COPY client/ ./
 RUN npm run build
 
-# Stage 2: Production server
+# Stage 2: Build server (TypeScript -> dist via tsc + tsc-alias)
+# --ignore-scripts: tsc only transpiles, so we skip native builds (better-sqlite3)
+# here; the production stage builds the native module.
+FROM node:24-alpine AS server-builder
+WORKDIR /app
+COPY server/package*.json ./
+RUN npm ci --ignore-scripts
+COPY server/ ./
+RUN npm run build
+
+# Stage 3: Production server (runs the compiled JS — NestJS DI needs the
+# decorator metadata that tsc emits; the old tsx runtime did not).
 FROM node:24-alpine
 
 WORKDIR /app
@@ -19,12 +30,11 @@ RUN apk add --no-cache tzdata dumb-init su-exec python3 make g++ && \
     apk del python3 make g++ && \
     rm -rf /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx
 
-COPY server/ ./
+COPY --from=server-builder /app/dist ./dist
 COPY --from=client-builder /app/client/dist ./public
 COPY --from=client-builder /app/client/public/fonts ./public/fonts
 
-RUN rm -f package-lock.json && \
-    mkdir -p /app/data/logs /app/uploads/files /app/uploads/covers /app/uploads/avatars /app/uploads/photos && \
+RUN mkdir -p /app/data/logs /app/uploads/files /app/uploads/covers /app/uploads/avatars /app/uploads/photos && \
     mkdir -p /app/server && ln -s /app/uploads /app/server/uploads && ln -s /app/data /app/server/data && \
     chown -R node:node /app
 
@@ -39,4 +49,4 @@ HEALTHCHECK --interval=30s --timeout=5s --start-period=15s --retries=3 \
   CMD wget -qO- http://localhost:3000/api/health || exit 1
 
 ENTRYPOINT ["dumb-init", "--"]
-CMD ["sh", "-c", "chown -R node:node /app/data /app/uploads 2>/dev/null || true; exec su-exec node node --import tsx src/index.ts"]
+CMD ["sh", "-c", "chown -R node:node /app/data /app/uploads 2>/dev/null || true; exec su-exec node node dist/index.js"]

client/package-lock.json

@@ -28,6 +28,7 @@
         "remark-breaks": "^4.0.0",
         "remark-gfm": "^4.0.1",
         "topojson-client": "^3.1.0",
+        "zod": "^4.3.6",
         "zustand": "^4.5.2"
       },
       "devDependencies": {
@@ -2153,9 +2154,6 @@
         "arm"
       ],
       "dev": true,
-      "libc": [
-        "glibc"
-      ],
       "license": "LGPL-3.0-or-later",
       "optional": true,
       "os": [
@@ -2173,9 +2171,6 @@
         "arm64"
       ],
       "dev": true,
-      "libc": [
-        "glibc"
-      ],
       "license": "LGPL-3.0-or-later",
       "optional": true,
       "os": [
@@ -2193,9 +2188,6 @@
         "s390x"
       ],
       "dev": true,
-      "libc": [
-        "glibc"
-      ],
       "license": "LGPL-3.0-or-later",
       "optional": true,
       "os": [
@@ -2211,9 +2203,6 @@
         "x64"
       ],
       "dev": true,
-      "libc": [
-        "glibc"
-      ],
       "license": "LGPL-3.0-or-later",
       "optional": true,
       "os": [
@@ -2231,9 +2220,6 @@
         "arm64"
       ],
       "dev": true,
-      "libc": [
-        "musl"
-      ],
       "license": "LGPL-3.0-or-later",
       "optional": true,
       "os": [
@@ -2251,9 +2237,6 @@
         "x64"
       ],
       "dev": true,
-      "libc": [
-        "musl"
-      ],
       "license": "LGPL-3.0-or-later",
       "optional": true,
       "os": [
@@ -2271,9 +2254,6 @@
         "arm"
       ],
       "dev": true,
-      "libc": [
-        "glibc"
-      ],
       "license": "Apache-2.0",
       "optional": true,
       "os": [
@@ -2297,9 +2277,6 @@
         "arm64"
       ],
       "dev": true,
-      "libc": [
-        "glibc"
-      ],
       "license": "Apache-2.0",
       "optional": true,
       "os": [
@@ -2323,9 +2300,6 @@
         "s390x"
       ],
       "dev": true,
-      "libc": [
-        "glibc"
-      ],
       "license": "Apache-2.0",
       "optional": true,
       "os": [
@@ -2347,9 +2321,6 @@
         "x64"
       ],
       "dev": true,
-      "libc": [
-        "glibc"
-      ],
       "license": "Apache-2.0",
       "optional": true,
       "os": [
@@ -2373,9 +2344,6 @@
         "arm64"
       ],
       "dev": true,
-      "libc": [
-        "musl"
-      ],
       "license": "Apache-2.0",
       "optional": true,
       "os": [
@@ -2399,9 +2367,6 @@
         "x64"
       ],
       "dev": true,
-      "libc": [
-        "musl"
-      ],
       "license": "Apache-2.0",
       "optional": true,
       "os": [
@@ -3160,9 +3125,6 @@
         "arm"
       ],
       "dev": true,
-      "libc": [
-        "glibc"
-      ],
       "license": "MIT",
       "optional": true,
       "os": [
@@ -3177,9 +3139,6 @@
         "arm"
       ],
       "dev": true,
-      "libc": [
-        "musl"
-      ],
       "license": "MIT",
       "optional": true,
       "os": [
@@ -3194,9 +3153,6 @@
         "arm64"
       ],
       "dev": true,
-      "libc": [
-        "glibc"
-      ],
       "license": "MIT",
       "optional": true,
       "os": [
@@ -3211,9 +3167,6 @@
         "arm64"
       ],
       "dev": true,
-      "libc": [
-        "musl"
-      ],
       "license": "MIT",
       "optional": true,
       "os": [
@@ -3228,9 +3181,6 @@
         "loong64"
       ],
       "dev": true,
-      "libc": [
-        "glibc"
-      ],
       "license": "MIT",
       "optional": true,
       "os": [
@@ -3245,9 +3195,6 @@
         "loong64"
       ],
       "dev": true,
-      "libc": [
-        "musl"
-      ],
       "license": "MIT",
       "optional": true,
       "os": [
@@ -3262,9 +3209,6 @@
         "ppc64"
       ],
       "dev": true,
-      "libc": [
-        "glibc"
-      ],
       "license": "MIT",
       "optional": true,
       "os": [
@@ -3279,9 +3223,6 @@
         "ppc64"
       ],
       "dev": true,
-      "libc": [
-        "musl"
-      ],
       "license": "MIT",
       "optional": true,
       "os": [
@@ -3296,9 +3237,6 @@
         "riscv64"
       ],
       "dev": true,
-      "libc": [
-        "glibc"
-      ],
       "license": "MIT",
       "optional": true,
       "os": [
@@ -3313,9 +3251,6 @@
         "riscv64"
       ],
       "dev": true,
-      "libc": [
-        "musl"
-      ],
       "license": "MIT",
       "optional": true,
       "os": [
@@ -3330,9 +3265,6 @@
         "s390x"
       ],
       "dev": true,
-      "libc": [
-        "glibc"
-      ],
       "license": "MIT",
       "optional": true,
       "os": [
@@ -3345,9 +3277,6 @@
         "x64"
       ],
       "dev": true,
-      "libc": [
-        "glibc"
-      ],
       "license": "MIT",
       "optional": true,
       "os": [
@@ -3362,9 +3291,6 @@
         "x64"
       ],
       "dev": true,
-      "libc": [
-        "musl"
-      ],
       "license": "MIT",
       "optional": true,
       "os": [
@@ -11048,6 +10974,15 @@
       "version": "3.2.1",
       "license": "MIT"
     },
+    "node_modules/zod": {
+      "version": "4.4.3",
+      "resolved": "https://registry.npmjs.org/zod/-/zod-4.4.3.tgz",
+      "integrity": "sha512-ytENFjIJFl2UwYglde2jchW2Hwm4GJFLDiSXWdTrJQBIN9Fcyp7n4DhxJEiWNAJMV1/BqWfW/kkg71UDcHJyTQ==",
+      "license": "MIT",
+      "funding": {
+        "url": "https://github.com/sponsors/colinhacks"
+      }
+    },
     "node_modules/zustand": {
       "version": "4.5.7",
       "license": "MIT",

client/package.json

@@ -35,6 +35,7 @@
     "remark-breaks": "^4.0.0",
     "remark-gfm": "^4.0.1",
     "topojson-client": "^3.1.0",
+    "zod": "^4.3.6",
     "zustand": "^4.5.2"
   },
   "devDependencies": {

client/src/api/client.ts

@@ -1,4 +1,5 @@
 import axios, { AxiosInstance } from 'axios'
+import type { WeatherResult } from '@trek/shared'
 import { getSocketId } from './websocket'
 import { isReachable, probeNow } from '../sync/connectivity'
 import en from '../i18n/translations/en'
@@ -501,8 +502,8 @@ export const reservationsApi = {
 }
 
 export const weatherApi = {
-  get: (lat: number, lng: number, date: string) => apiClient.get('/weather', { params: { lat, lng, date } }).then(r => r.data),
-  getDetailed: (lat: number, lng: number, date: string, lang?: string) => apiClient.get('/weather/detailed', { params: { lat, lng, date, lang } }).then(r => r.data),
+  get: (lat: number, lng: number, date: string): Promise<WeatherResult> => apiClient.get('/weather', { params: { lat, lng, date } }).then(r => r.data),
+  getDetailed: (lat: number, lng: number, date: string, lang?: string): Promise<WeatherResult> => apiClient.get('/weather/detailed', { params: { lat, lng, date, lang } }).then(r => r.data),
 }
 
 export const configApi = {

client/src/components/Packing/PackingListPanel.test.tsx

@@ -8,7 +8,21 @@ import { useAuthStore } from '../../store/authStore';
 import { useTripStore } from '../../store/tripStore';
 import { resetAllStores, seedStore } from '../../../tests/helpers/store';
 import { buildUser, buildTrip, buildPackingItem } from '../../../tests/helpers/factories';
-import PackingListPanel from './PackingListPanel';
+import PackingListPanel, { itemWeight } from './PackingListPanel';
+
+describe('itemWeight (bag total weight calc)', () => {
+  it('FE-COMP-PACKING-030: multiplies unit weight by quantity', () => {
+    expect(itemWeight({ weight_grams: 120, quantity: 3 })).toBe(360);
+  });
+  it('FE-COMP-PACKING-031: defaults quantity to 1 when missing', () => {
+    expect(itemWeight({ weight_grams: 250 })).toBe(250);
+  });
+  it('FE-COMP-PACKING-032: contributes 0 when weight is missing or zero', () => {
+    expect(itemWeight({ quantity: 5 })).toBe(0);
+    expect(itemWeight({ weight_grams: 0, quantity: 5 })).toBe(0);
+    expect(itemWeight({})).toBe(0);
+  });
+});
 
 beforeEach(() => {
   resetAllStores();

client/src/components/Packing/PackingListPanel.tsx

@@ -69,6 +69,10 @@ function katColor(kat, allCategories) {
 
 interface PackingBag { id: number; trip_id: number; name: string; color: string; weight_limit_grams: number | null; user_id?: number | null; assigned_username?: string | null }
 
+/** Weight an item contributes to a total: unit weight times quantity (defaults: 0 g, qty 1). */
+export const itemWeight = (i: { weight_grams?: number | null; quantity?: number | null }): number =>
+  (i.weight_grams || 0) * (i.quantity || 1)
+
 // ── Bag Card ──────────────────────────────────────────────────────────────
 
 interface BagCardProps {
@@ -1311,8 +1315,8 @@ export default function PackingListPanel({ tripId, items, openImportSignal = 0,
 
           {bags.map(bag => {
             const bagItems = items.filter(i => i.bag_id === bag.id)
-            const totalWeight = bagItems.reduce((sum, i) => sum + (i.weight_grams || 0), 0)
-            const maxWeight = bag.weight_limit_grams || Math.max(...bags.map(b => items.filter(i => i.bag_id === b.id).reduce((s, i) => s + (i.weight_grams || 0), 0)), 1)
+            const totalWeight = bagItems.reduce((sum, i) => sum + itemWeight(i), 0)
+            const maxWeight = bag.weight_limit_grams || Math.max(...bags.map(b => items.filter(i => i.bag_id === b.id).reduce((s, i) => s + itemWeight(i), 0)), 1)
             const pct = Math.min(100, Math.round((totalWeight / maxWeight) * 100))
             return (
               <BagCard key={bag.id} bag={bag} bagItems={bagItems} totalWeight={totalWeight} pct={pct} tripId={tripId} tripMembers={tripMembers} canEdit={canEdit} onDelete={() => handleDeleteBag(bag.id)} onUpdate={handleUpdateBag} onSetMembers={handleSetBagMembers} t={t} compact />
@@ -1322,7 +1326,7 @@ export default function PackingListPanel({ tripId, items, openImportSignal = 0,
           {/* Unassigned */}
           {(() => {
             const unassigned = items.filter(i => !i.bag_id)
-            const unassignedWeight = unassigned.reduce((s, i) => s + (i.weight_grams || 0), 0)
+            const unassignedWeight = unassigned.reduce((s, i) => s + itemWeight(i), 0)
             if (unassigned.length === 0) return null
             return (
               <div style={{ marginBottom: 14, opacity: 0.6 }}>
@@ -1342,7 +1346,7 @@ export default function PackingListPanel({ tripId, items, openImportSignal = 0,
           <div style={{ borderTop: '1px solid var(--border-secondary)', paddingTop: 10, marginTop: 6 }}>
             <div style={{ display: 'flex', justifyContent: 'space-between', fontSize: 12, fontWeight: 700, color: 'var(--text-primary)' }}>
               <span>{t('packing.totalWeight')}</span>
-              <span>{(() => { const w = items.reduce((s, i) => s + (i.weight_grams || 0), 0); return w >= 1000 ? `${(w / 1000).toFixed(1)} kg` : `${w} g` })()}</span>
+              <span>{(() => { const w = items.reduce((s, i) => s + itemWeight(i), 0); return w >= 1000 ? `${(w / 1000).toFixed(1)} kg` : `${w} g` })()}</span>
             </div>
           </div>
 
@@ -1380,8 +1384,8 @@ export default function PackingListPanel({ tripId, items, openImportSignal = 0,
 
             {bags.map(bag => {
               const bagItems = items.filter(i => i.bag_id === bag.id)
-              const totalWeight = bagItems.reduce((sum, i) => sum + (i.weight_grams || 0), 0)
-              const maxWeight = Math.max(...bags.map(b => items.filter(i => i.bag_id === b.id).reduce((s, i) => s + (i.weight_grams || 0), 0)), 1)
+              const totalWeight = bagItems.reduce((sum, i) => sum + itemWeight(i), 0)
+              const maxWeight = Math.max(...bags.map(b => items.filter(i => i.bag_id === b.id).reduce((s, i) => s + itemWeight(i), 0)), 1)
               const pct = Math.min(100, Math.round((totalWeight / maxWeight) * 100))
               return (
                 <BagCard key={bag.id} bag={bag} bagItems={bagItems} totalWeight={totalWeight} pct={pct} tripId={tripId} tripMembers={tripMembers} canEdit={canEdit} onDelete={() => handleDeleteBag(bag.id)} onUpdate={handleUpdateBag} onSetMembers={handleSetBagMembers} t={t} />
@@ -1391,7 +1395,7 @@ export default function PackingListPanel({ tripId, items, openImportSignal = 0,
             {/* Unassigned */}
             {(() => {
               const unassigned = items.filter(i => !i.bag_id)
-              const unassignedWeight = unassigned.reduce((s, i) => s + (i.weight_grams || 0), 0)
+              const unassignedWeight = unassigned.reduce((s, i) => s + itemWeight(i), 0)
               if (unassigned.length === 0) return null
               return (
                 <div style={{ marginBottom: 16, opacity: 0.6 }}>
@@ -1411,7 +1415,7 @@ export default function PackingListPanel({ tripId, items, openImportSignal = 0,
             <div style={{ borderTop: '1px solid var(--border-secondary)', paddingTop: 12, marginTop: 8 }}>
               <div style={{ display: 'flex', justifyContent: 'space-between', fontSize: 14, fontWeight: 700, color: 'var(--text-primary)' }}>
                 <span>{t('packing.totalWeight')}</span>
-                <span>{(() => { const w = items.reduce((s, i) => s + (i.weight_grams || 0), 0); return w >= 1000 ? `${(w / 1000).toFixed(1)} kg` : `${w} g` })()}</span>
+                <span>{(() => { const w = items.reduce((s, i) => s + itemWeight(i), 0); return w >= 1000 ? `${(w / 1000).toFixed(1)} kg` : `${w} g` })()}</span>
               </div>
             </div>
 

client/src/i18n/TranslationContext.tsx

@@ -6,6 +6,7 @@ import es from './translations/es'
 import fr from './translations/fr'
 import hu from './translations/hu'
 import it from './translations/it'
+import tr from './translations/tr'
 import ru from './translations/ru'
 import zh from './translations/zh'
 import zhTw from './translations/zhTw'
@@ -15,6 +16,7 @@ import ar from './translations/ar'
 import br from './translations/br'
 import cs from './translations/cs'
 import pl from './translations/pl'
+import ja from './translations/ja'
 import { SUPPORTED_LANGUAGES, SupportedLanguageCode } from './supportedLanguages'
 
 export { SUPPORTED_LANGUAGES }
@@ -23,7 +25,7 @@ type TranslationStrings = Record<string, string | { name: string; category: stri
 
 // Keyed by SupportedLanguageCode so TypeScript enforces all languages have a translation.
 const translations: Record<SupportedLanguageCode, TranslationStrings> = {
-  de, en, es, fr, hu, it, ru, zh, 'zh-TW': zhTw, nl, id, ar, br, cs, pl,
+  de, en, es, fr, hu, it, tr, ru, zh, 'zh-TW': zhTw, nl, id, ar, br, cs, pl, ja,
 }
 
 // Derived from SUPPORTED_LANGUAGES — add new languages there, not here.
@@ -38,7 +40,7 @@ export function getLocaleForLanguage(language: string): string {
 
 export function getIntlLanguage(language: string): string {
   if (language === 'br') return 'pt-BR'
-  return ['de', 'es', 'fr', 'hu', 'it', 'ru', 'zh', 'zh-TW', 'nl', 'ar', 'cs', 'pl', 'id'].includes(language) ? language : 'en'
+  return ['de', 'es', 'fr', 'hu', 'it', 'tr', 'ru', 'zh', 'zh-TW', 'nl', 'ar', 'cs', 'pl', 'id', 'ja'].includes(language) ? language : 'en'
 }
 
 export function isRtlLanguage(language: string): boolean {

client/src/i18n/supportedLanguages.ts

@@ -12,8 +12,10 @@ export const SUPPORTED_LANGUAGES = [
   { value: 'zh',    label: '简体中文',              locale: 'zh-CN' },
   { value: 'zh-TW', label: '繁體中文',              locale: 'zh-TW' },
   { value: 'it',    label: 'Italiano',             locale: 'it-IT' },
+  { value: 'tr',    label: 'Türkçe',               locale: 'tr-TR' },
   { value: 'ar',    label: 'العربية',              locale: 'ar-SA' },
   { value: 'id',    label: 'Bahasa Indonesia',     locale: 'id-ID' },
+  { value: 'ja',    label: '日本語',                locale: 'ja-JP' },
 ] as const
 
 export type SupportedLanguageCode = typeof SUPPORTED_LANGUAGES[number]['value']

client/tests/unit/i18n/index.test.ts

@@ -91,8 +91,10 @@ describe('isRtlLanguage', () => {
 describe('SUPPORTED_LANGUAGES', () => {
   it('FE-COMP-I18N-009: contains expected entries with value/label shape', () => {
     expect(Array.isArray(SUPPORTED_LANGUAGES)).toBe(true)
-    expect(SUPPORTED_LANGUAGES).toHaveLength(15)
+    expect(SUPPORTED_LANGUAGES).toHaveLength(17)
     expect(SUPPORTED_LANGUAGES).toContainEqual(expect.objectContaining({ value: 'en', label: 'English' }))
+    expect(SUPPORTED_LANGUAGES).toContainEqual(expect.objectContaining({ value: 'tr', label: 'Türkçe' }))
+    expect(SUPPORTED_LANGUAGES).toContainEqual(expect.objectContaining({ value: 'ja', label: '日本語' }))
     expect(SUPPORTED_LANGUAGES).toContainEqual(expect.objectContaining({ value: 'ar', label: 'العربية' }))
   })
 })

client/tests/unit/shared-contract.test.ts

@@ -0,0 +1,10 @@
+import { describe, it, expect } from 'vitest';
+// Smoke test: proves the client toolchain (vite / vitest) resolves @trek/shared.
+import { idParamSchema, paginationQuerySchema } from '@trek/shared';
+
+describe('@trek/shared resolves in the client toolchain', () => {
+  it('imports and uses a shared schema', () => {
+    expect(idParamSchema.parse('7')).toBe(7);
+    expect(paginationQuerySchema.parse({})).toEqual({ page: 1, perPage: 50 });
+  });
+});

client/tsconfig.json

@@ -7,6 +7,11 @@
     "skipLibCheck": true,
     "moduleResolution": "bundler",
     "allowImportingTsExtensions": true,
+    "baseUrl": ".",
+    "paths": {
+      "@trek/shared": ["../shared/src/index.ts"],
+      "@trek/shared/*": ["../shared/src/*"]
+    },
     "isolatedModules": true,
     "moduleDetection": "force",
     "noEmit": true,

client/vite.config.js

@@ -1,6 +1,7 @@
 import { defineConfig } from 'vite'
 import react from '@vitejs/plugin-react'
 import { VitePWA } from 'vite-plugin-pwa'
+import { fileURLToPath } from 'node:url'
 
 export default defineConfig({
   plugins: [
@@ -88,6 +89,15 @@ export default defineConfig({
       },
     }),
   ],
+  resolve: {
+    alias: {
+      // @trek/shared — Zod contract package (dev: resolved to TS source).
+      '@trek/shared': fileURLToPath(new URL('../shared/src/index.ts', import.meta.url)),
+    },
+    // @trek/shared imports zod from its own source; it lives outside this root,
+    // so pin zod to the client's copy (one instance, resolvable from anywhere).
+    dedupe: ['zod'],
+  },
   build: {
     sourcemap: false,
     modulePreload: { polyfill: true },

client/vitest.config.ts

@@ -1,8 +1,19 @@
 import { defineConfig } from 'vitest/config';
 import react from '@vitejs/plugin-react';
+import { fileURLToPath } from 'node:url';
 
 export default defineConfig({
   plugins: [react()],
+  resolve: {
+    alias: {
+      // @trek/shared — Zod contract package (tests resolve it to TS source,
+      // mirroring the alias in vite.config.js used by the dev server / build).
+      '@trek/shared': fileURLToPath(new URL('../shared/src/index.ts', import.meta.url)),
+    },
+    // Mirror vite.config.js: keep a single zod instance resolvable from the
+    // shared source, which lives outside this project root.
+    dedupe: ['zod'],
+  },
   test: {
     root: '.',
     globals: true,

server/package.json

@@ -3,17 +3,25 @@
   "version": "3.0.22",
   "main": "src/index.ts",
   "scripts": {
-    "start": "node --import tsx src/index.ts",
-    "dev": "tsx watch src/index.ts",
+    "start": "node dist/index.js",
+    "dev": "node scripts/dev.mjs",
+    "build": "node scripts/build.mjs",
+    "start:prod": "node dist/index.js",
+    "typecheck": "tsc -p tsconfig.build.json --noEmit",
     "test": "vitest run",
     "test:watch": "vitest",
     "test:unit": "vitest run tests/unit",
     "test:integration": "vitest run tests/integration",
     "test:ws": "vitest run tests/websocket",
+    "test:parity": "vitest run tests/parity",
+    "test:e2e": "vitest run tests/e2e",
     "test:coverage": "vitest run --coverage"
   },
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.28.0",
+    "@nestjs/common": "^11.1.24",
+    "@nestjs/core": "^11.1.24",
+    "@nestjs/platform-express": "^11.1.24",
     "archiver": "^6.0.1",
     "bcryptjs": "^2.4.3",
     "better-sqlite3": "^12.8.0",
@@ -30,22 +38,30 @@
     "nodemailer": "^8.0.5",
     "otplib": "^12.0.1",
     "qrcode": "^1.5.4",
+    "reflect-metadata": "^0.2.2",
+    "rxjs": "^7.8.2",
     "semver": "^7.7.4",
     "tsx": "^4.21.0",
     "typescript": "^6.0.2",
     "undici": "^7.0.0",
     "unzipper": "^0.12.3",
     "uuid": "^14.0.0",
-    "ws": "^8.19.0",
+    "ws": "^8.21.0",
     "zod": "^4.3.6"
   },
   "overrides": {
     "hono": "^4.12.16",
     "@hono/node-server": "^1.19.13",
     "picomatch": "^4.0.4",
-    "ip-address": "^10.1.1"
+    "ip-address": "^10.1.1",
+    "multer": "^2.1.1",
+    "ws": "^8.21.0",
+    "qs": "^6.15.2",
+    "file-type": "^21.3.4"
   },
   "devDependencies": {
+    "@nestjs/testing": "^11.1.24",
+    "@swc/core": "^1.15.40",
     "@types/archiver": "^7.0.0",
     "@types/bcryptjs": "^2.4.6",
     "@types/better-sqlite3": "^7.6.13",
@@ -66,7 +82,9 @@
     "@vitest/coverage-v8": "^3.2.4",
     "nodemon": "^3.1.0",
     "supertest": "^7.2.2",
+    "tsc-alias": "^1.8.17",
     "tz-lookup": "^6.1.25",
+    "unplugin-swc": "^1.5.9",
     "vitest": "^3.2.4"
   }
 }

server/scripts/build.mjs

@@ -0,0 +1,14 @@
+import { execSync } from 'node:child_process';
+
+// tsc emits JS even with type errors (noEmitOnError:false), but still exits
+// non-zero to report them. We must run tsc-alias regardless, so run tsc in a
+// try/catch and always proceed to the path-rewrite step.
+// Type correctness is enforced separately via `npm run typecheck`.
+try {
+  execSync('tsc -p tsconfig.build.json', { stdio: 'inherit' });
+} catch {
+  console.warn('[build] tsc reported type errors — emitting anyway (gated by `npm run typecheck`).');
+}
+
+execSync('tsc-alias -p tsconfig.build.json', { stdio: 'inherit' });
+console.log('[build] dist ready (path aliases rewritten).');

server/scripts/dev.mjs

@@ -0,0 +1,22 @@
+import { execSync, spawn } from 'node:child_process';
+
+// Dev runtime for the co-hosted NestJS + legacy Express server.
+// NestJS DI needs decorator metadata, which the old tsx/esbuild runtime does not
+// emit — so dev runs the tsc build with watchers (same toolchain as prod `dist`).
+// Initial build first so `node --watch dist/index.js` has something to start.
+console.log('[dev] initial build...');
+execSync('node scripts/build.mjs', { stdio: 'inherit' });
+
+const watchers = [
+  ['npx', ['tsc', '-w', '-p', 'tsconfig.build.json', '--preserveWatchOutput']],
+  ['npx', ['tsc-alias', '-w', '-p', 'tsconfig.build.json']],
+  ['node', ['--watch', 'dist/index.js']],
+];
+
+const children = watchers.map(([cmd, args]) =>
+  spawn(cmd, args, { stdio: 'inherit', shell: true }),
+);
+
+const stop = () => { children.forEach((c) => { try { c.kill(); } catch {} }); process.exit(0); };
+process.on('SIGINT', stop);
+process.on('SIGTERM', stop);

server/src/app.ts

@@ -26,7 +26,6 @@ import airportsRoutes from './routes/airports';
 import filesRoutes from './routes/files';
 import reservationsRoutes from './routes/reservations';
 import dayNotesRoutes from './routes/dayNotes';
-import weatherRoutes from './routes/weather';
 import settingsRoutes from './routes/settings';
 import budgetRoutes from './routes/budget';
 import collabRoutes from './routes/collab';
@@ -361,7 +360,8 @@ export function createApp(): express.Application {
   app.use('/api/photos', photoRoutes);
   app.use('/api/maps', mapsRoutes);
   app.use('/api/airports', airportsRoutes);
-  app.use('/api/weather', weatherRoutes);
+  // /api/weather is served by the NestJS weather module (see src/nest/weather);
+  // the legacy Express route was decommissioned after the migration (L1).
   app.use('/api/settings', settingsRoutes);
   app.use('/api/system-notices', systemNoticesRoutes);
   app.use('/api/backup', backupRoutes);

server/src/index.ts

@@ -1,7 +1,16 @@
+import 'reflect-metadata';
 import 'dotenv/config';
 import path from 'node:path';
 import fs from 'node:fs';
+import http from 'node:http';
+import express from 'express';
+import cookieParser from 'cookie-parser';
+import { NestFactory } from '@nestjs/core';
+import { ExpressAdapter } from '@nestjs/platform-express';
+import type { INestApplication } from '@nestjs/common';
 import { createApp } from './app';
+import { AppModule } from './nest/app.module';
+import { getNestPrefixes, makeNestPathMatcher } from './nest/strangler';
 
 // Create upload and data directories on startup
 const uploadsDir = path.join(__dirname, '../uploads');
@@ -16,7 +25,10 @@ const tmpDir = path.join(__dirname, '../data/tmp');
   if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
 });
 
-const app = createApp();
+// Legacy Express app — unchanged. NestJS (its own Express 5 instance) is mounted
+// in front of it (strangler pattern): migrated route prefixes are served by Nest,
+// everything else falls through to this app via a fallback middleware.
+const legacyApp = createApp();
 
 import * as scheduler from './scheduler';
 import { getAppUrl, getMcpSafeUrl } from './services/notifications';
@@ -49,6 +61,11 @@ const onListen = () => {
     '──────────────────────────────────────',
   ];
   banner.forEach(l => console.log(l));
+  sLogInfo(
+    NEST_PREFIXES.length
+      ? `NestJS handling prefixes: ${NEST_PREFIXES.join(', ')} (override via NEST_PREFIXES)`
+      : 'NestJS prefixes: none — all routes served by the legacy Express app',
+  );
   if (process.env.APP_URL) {
     let parsedAppUrl: URL | null = null;
     try { parsedAppUrl = new URL(process.env.APP_URL); } catch { /* invalid */ }
@@ -84,9 +101,42 @@ const onListen = () => {
   });
 };
 
-const server = HOST
-  ? app.listen(PORT, HOST, onListen)
-  : app.listen(PORT, onListen);
+let server: http.Server;
+let nestApp: INestApplication;
+
+// Strangler toggle: prefixes served by Nest (env-overridable, instant rollback).
+const NEST_PREFIXES = getNestPrefixes();
+const isNestPath = makeNestPathMatcher(NEST_PREFIXES);
+
+async function bootstrap(): Promise<void> {
+  // Nest runs on its own Express instance (bodyParser off so request bodies reach
+  // the legacy app untouched — it has its own parsers; /mcp relies on raw body).
+  // Nest body parsing is safe here: the dispatcher only forwards migrated
+  // prefixes to this instance, so the legacy app (and raw-body routes like /mcp)
+  // is reached separately and never passes through Nest's parser.
+  nestApp = await NestFactory.create(AppModule, new ExpressAdapter());
+  // cookie-parser so the auth guard can read the existing `trek_session` cookie.
+  nestApp.use(cookieParser());
+  // (TrekExceptionFilter is registered globally via APP_FILTER in AppModule.)
+  await nestApp.init();
+  const nestInstance = nestApp.getHttpAdapter().getInstance();
+
+  // Top-level dispatcher: migrated prefixes -> Nest, everything else -> legacy
+  // Express (unchanged). Nest never sees non-migrated paths, so its 404 handler
+  // only applies within migrated prefixes.
+  const top = express();
+  top.use((req, res, next) => (isNestPath(req.path) ? nestInstance(req, res, next) : next()));
+  top.use(legacyApp);
+
+  server = http.createServer(top);
+  if (HOST) server.listen(PORT, HOST, onListen);
+  else server.listen(PORT, onListen);
+}
+
+bootstrap().catch((err) => {
+  console.error('Fatal: failed to bootstrap server', err);
+  process.exit(1);
+});
 
 // Graceful shutdown
 function shutdown(signal: string): void {
@@ -95,6 +145,7 @@ function shutdown(signal: string): void {
   sLogInfo(`${signal} received — shutting down gracefully...`);
   scheduler.stop();
   closeMcpSessions();
+  void nestApp?.close();
   server.close(() => {
     sLogInfo('HTTP server closed');
     const { closeDb } = require('./db/database');
@@ -111,4 +162,4 @@ function shutdown(signal: string): void {
 process.on('SIGTERM', () => shutdown('SIGTERM'));
 process.on('SIGINT', () => shutdown('SIGINT'));
 
-export default app;
+export default legacyApp;

server/src/nest/README.md

@@ -0,0 +1,58 @@
+# NestJS migration layer — module & test guide
+
+This folder holds the co-hosted NestJS app that incrementally strangles the legacy
+Express API (see the "Brownfield Rewrite" board). Until a prefix is migrated, the
+top-level dispatcher in `src/index.ts` routes it to the legacy app; migrated
+prefixes go to Nest. **Weather (`weather/`) is the reference implementation** — copy
+its shape when migrating a new domain.
+
+## Module layout (per domain)
+
+```
+shared/src/<domain>/<domain>.schema.ts(.spec.ts)   # Zod contract — single source of truth
+server/src/nest/<domain>/<domain>.service.ts        # business logic (ported 1:1 from the Express service)
+server/src/nest/<domain>/<domain>.controller.ts     # same routes/verbs/params/status codes as Express
+server/src/nest/<domain>/<domain>.module.ts         # registered in app.module.ts
+```
+
+Add the prefix to `DEFAULT_NEST_PREFIXES` in `strangler.ts` to route it to Nest
+(operators can override at runtime via the `NEST_PREFIXES` env var — instant
+rollback, no redeploy).
+
+## Parity is law
+
+A migrated route must be **byte-identical** for the client: same URL, method,
+query/body, HTTP status, `Set-Cookie`, and JSON body — including bespoke error
+strings. Where the legacy route returns a hand-written error (e.g. weather's
+`{ error: 'Latitude and longitude are required' }`), reproduce that exact body in
+the controller rather than relying on the generic `ZodValidationPipe` envelope.
+
+## How to write the tests
+
+Every module ships three kinds of tests; the coverage gate (`vitest.config.ts`,
+scoped to `src/nest/**`) requires ≥80%.
+
+1. **Service / controller unit spec** — `tests/unit/nest/<domain>.controller.test.ts`.
+   Instantiate the controller with a mocked service; assert status codes, the exact
+   `{ error }` bodies, and that inputs are forwarded correctly (defaults, coercion).
+   See `weather.controller.test.ts`.
+
+2. **Parity test** — `tests/parity/<domain>.parity.test.ts`. Mock the shared service
+   identically for both apps, then fire the same request at the Express route and the
+   Nest controller with the `expectParity()` harness (`tests/parity/parity.ts`) and
+   assert identical status + body. This is the gate before flipping the toggle.
+   See `weather.parity.test.ts`.
+
+3. **e2e** — `tests/e2e/<domain>.e2e.test.ts`. Boot the Nest module against a temp
+   in-memory SQLite db via the shared harness (`tests/e2e/harness.ts`:
+   `createTempDb`/`seedUser`/`sessionCookie`), exercising the **real** `JwtAuthGuard`
+   end-to-end (401 without cookie, 200 with a signed session). Mock external I/O
+   (HTTP/etc.). See `weather.e2e.test.ts`.
+
+## Definition of Done (per module)
+
+Contract in `@trek/shared` → service ported 1:1 → controller with identical routes →
+validation/error parity → unit + parity + e2e tests over the gate → prefix toggled to
+Nest → parity verified on the demo DB → **then** decommission the old Express
+route/service (separate step, after the toggle is confirmed in prod) → frontend points
+at the typed contract (Frontend Track).

server/src/nest/app.module.ts

@@ -0,0 +1,23 @@
+import { Module } from '@nestjs/common';
+import { APP_FILTER } from '@nestjs/core';
+import { DatabaseModule } from './database/database.module';
+import { HealthController } from './health/health.controller';
+import { HealthService } from './health/health.service';
+import { WeatherModule } from './weather/weather.module';
+import { TrekExceptionFilter } from './common/trek-exception.filter';
+
+/**
+ * Root NestJS module for the incremental migration. Domain modules
+ * (weather, notifications, ...) get registered here as they are migrated.
+ */
+@Module({
+  imports: [DatabaseModule, WeatherModule],
+  controllers: [HealthController],
+  providers: [
+    HealthService,
+    // Global error-envelope normaliser (DI-registered so it also catches
+    // framework-level exceptions like the not-found handler).
+    { provide: APP_FILTER, useClass: TrekExceptionFilter },
+  ],
+})
+export class AppModule {}

server/src/nest/auth/admin.guard.ts

@@ -0,0 +1,19 @@
+import { CanActivate, ExecutionContext, HttpException, Injectable } from '@nestjs/common';
+import type { Request } from 'express';
+import type { User } from '../../types';
+
+/**
+ * Mirrors the legacy `adminOnly` middleware: requires an authenticated admin.
+ * Use together with JwtAuthGuard (which populates req.user):
+ * `@UseGuards(JwtAuthGuard, AdminGuard)`.
+ */
+@Injectable()
+export class AdminGuard implements CanActivate {
+  canActivate(context: ExecutionContext): boolean {
+    const req = context.switchToHttp().getRequest<Request & { user?: User }>();
+    if (!req.user || req.user.role !== 'admin') {
+      throw new HttpException({ error: 'Admin access required' }, 403);
+    }
+    return true;
+  }
+}

server/src/nest/auth/current-user.decorator.ts

@@ -0,0 +1,12 @@
+import { createParamDecorator, ExecutionContext } from '@nestjs/common';
+import type { User } from '../../types';
+
+/**
+ * Resolves the authenticated user attached by JwtAuthGuard.
+ * Use on guarded handlers: `getThing(@CurrentUser() user: User) { ... }`.
+ */
+export const CurrentUser = createParamDecorator(
+  (_data: unknown, context: ExecutionContext): User | undefined => {
+    return context.switchToHttp().getRequest().user;
+  },
+);

server/src/nest/auth/jwt-auth.guard.ts

@@ -0,0 +1,28 @@
+import { CanActivate, ExecutionContext, HttpException, Injectable } from '@nestjs/common';
+import type { Request } from 'express';
+import { extractToken, verifyJwtAndLoadUser } from '../../middleware/auth';
+
+/**
+ * Validates TREK's existing JWT session — the same httpOnly `trek_session`
+ * cookie (or `Authorization: Bearer`) the legacy app uses. Reuses the canonical
+ * `verifyJwtAndLoadUser` so the secret, the password_version invalidation gate
+ * and the loaded user are IDENTICAL to the Express middleware. No new tokens.
+ *
+ * Error bodies match the legacy 401 shape exactly so the client is unaffected.
+ */
+@Injectable()
+export class JwtAuthGuard implements CanActivate {
+  canActivate(context: ExecutionContext): boolean {
+    const req = context.switchToHttp().getRequest<Request>();
+    const token = extractToken(req);
+    if (!token) {
+      throw new HttpException({ error: 'Access token required', code: 'AUTH_REQUIRED' }, 401);
+    }
+    const user = verifyJwtAndLoadUser(token);
+    if (!user) {
+      throw new HttpException({ error: 'Invalid or expired token', code: 'AUTH_REQUIRED' }, 401);
+    }
+    (req as Request & { user?: unknown }).user = user;
+    return true;
+  }
+}

server/src/nest/common/trek-exception.filter.ts

@@ -0,0 +1,42 @@
+import { ArgumentsHost, Catch, ExceptionFilter, HttpException } from '@nestjs/common';
+import type { Response } from 'express';
+
+/**
+ * Normalises every Nest exception to TREK's legacy error envelope so migrated
+ * routes are byte-identical for the client:
+ *   - 4xx -> { error: <message> }   (5xx -> { error: 'Internal server error' })
+ *   - exceptions already throwing { error, code? } (e.g. the auth guards) pass through
+ * This replaces Nest's default { statusCode, message, error } body, which the
+ * TREK client does not expect.
+ */
+@Catch()
+export class TrekExceptionFilter implements ExceptionFilter {
+  catch(exception: unknown, host: ArgumentsHost): void {
+    const res = host.switchToHttp().getResponse<Response>();
+
+    if (exception instanceof HttpException) {
+      const status = exception.getStatus();
+      const body = exception.getResponse();
+
+      // Already in TREK shape (e.g. guards throw { error, code }): pass through.
+      if (body && typeof body === 'object' && 'error' in (body as Record<string, unknown>)) {
+        res.status(status).json(body);
+        return;
+      }
+
+      const raw = typeof body === 'string' ? body : (body as { message?: unknown })?.message;
+      const message =
+        status < 500
+          ? Array.isArray(raw)
+            ? raw.join(', ')
+            : String(raw ?? 'Error')
+          : 'Internal server error';
+      res.status(status).json({ error: message });
+      return;
+    }
+
+    // Unknown/unhandled error — mirror the legacy 500 behaviour.
+    console.error('Unhandled error:', exception);
+    res.status(500).json({ error: 'Internal server error' });
+  }
+}

server/src/nest/common/zod-validation.pipe.ts

@@ -0,0 +1,26 @@
+import { ArgumentMetadata, HttpException, Injectable, PipeTransform } from '@nestjs/common';
+import type { ZodType } from 'zod';
+
+/**
+ * Validates an incoming @Body()/@Query() against a Zod schema (from @trek/shared)
+ * and returns the parsed, typed value. On failure it throws TREK's error envelope
+ * `{ error: string }` with status 400 — the same shape the legacy routes produce,
+ * so the client's error handling is unaffected.
+ *
+ * Usage: `@Body(new ZodValidationPipe(someSchema)) dto: Dto`.
+ */
+@Injectable()
+export class ZodValidationPipe implements PipeTransform {
+  constructor(private readonly schema: ZodType) {}
+
+  transform(value: unknown, _metadata: ArgumentMetadata): unknown {
+    const result = this.schema.safeParse(value);
+    if (!result.success) {
+      const message = result.error.issues
+        .map((i) => `${i.path.join('.') || 'body'}: ${i.message}`)
+        .join('; ');
+      throw new HttpException({ error: message }, 400);
+    }
+    return result.data;
+  }
+}

server/src/nest/database/database.module.ts

@@ -0,0 +1,13 @@
+import { Global, Module } from '@nestjs/common';
+import { DatabaseService } from './database.service';
+
+/**
+ * Global so every migrated module can inject DatabaseService without re-importing.
+ * Wraps the existing better-sqlite3 singleton (no new connection).
+ */
+@Global()
+@Module({
+  providers: [DatabaseService],
+  exports: [DatabaseService],
+})
+export class DatabaseModule {}

server/src/nest/database/database.service.ts

@@ -0,0 +1,39 @@
+import { Injectable } from '@nestjs/common';
+import type Database from 'better-sqlite3';
+import { db } from '../../db/database';
+
+/**
+ * Injectable wrapper around TREK's existing better-sqlite3 connection.
+ *
+ * `db` is a Proxy onto the singleton connection the legacy app already uses
+ * (WAL enabled), so Nest modules share the exact same connection — no second
+ * connection, no split state, single writer preserved.
+ */
+@Injectable()
+export class DatabaseService {
+  /** The shared better-sqlite3 connection (same singleton the legacy app uses). */
+  get connection(): Database.Database {
+    return db;
+  }
+
+  prepare(sql: string): Database.Statement {
+    return db.prepare(sql);
+  }
+
+  get<T = unknown>(sql: string, ...params: unknown[]): T | undefined {
+    return db.prepare(sql).get(...params) as T | undefined;
+  }
+
+  all<T = unknown>(sql: string, ...params: unknown[]): T[] {
+    return db.prepare(sql).all(...params) as T[];
+  }
+
+  run(sql: string, ...params: unknown[]): Database.RunResult {
+    return db.prepare(sql).run(...params);
+  }
+
+  /** Run `fn` inside a synchronous better-sqlite3 transaction. */
+  transaction<T>(fn: (conn: Database.Database) => T): T {
+    return db.transaction(() => fn(db))();
+  }
+}

server/src/nest/health/health.controller.ts

@@ -0,0 +1,41 @@
+import { Body, Controller, Get, Post, UseGuards } from '@nestjs/common';
+import { z } from 'zod';
+import type { User } from '../../types';
+import { HealthService } from './health.service';
+import { JwtAuthGuard } from '../auth/jwt-auth.guard';
+import { CurrentUser } from '../auth/current-user.decorator';
+import { ZodValidationPipe } from '../common/zod-validation.pipe';
+
+// Local demo schema (real domains import their schema from @trek/shared).
+const echoSchema = z.object({ name: z.string().min(1) });
+
+/**
+ * Foundation smoke endpoints for the co-hosted NestJS app.
+ * Proves: boot, routing, type-based DI, the shared SQLite connection, the
+ * JWT-cookie auth guard, and the Zod validation pipe + error-envelope parity.
+ *
+ * Lives under /api/_nest/* so it never collides with the legacy Express API.
+ */
+@Controller('api/_nest')
+export class HealthController {
+  constructor(private readonly healthService: HealthService) {}
+
+  @Get('health')
+  getHealth() {
+    return { ok: true, ...this.healthService.info() };
+  }
+
+  /** Guarded: returns the authenticated user, proving JwtAuthGuard + @CurrentUser. */
+  @Get('me')
+  @UseGuards(JwtAuthGuard)
+  me(@CurrentUser() user: User) {
+    return user;
+  }
+
+  /** Validated: proves the Zod pipe (400 + { error } on failure) and body parsing. */
+  @Post('echo')
+  @UseGuards(JwtAuthGuard)
+  echo(@Body(new ZodValidationPipe(echoSchema)) body: z.infer<typeof echoSchema>) {
+    return { youSent: body };
+  }
+}

server/src/nest/health/health.service.ts

@@ -0,0 +1,21 @@
+import { Injectable } from '@nestjs/common';
+import { DatabaseService } from '../database/database.service';
+
+/**
+ * Smoke service proving NestJS DI works under the chosen runtime AND that the
+ * injected DatabaseService talks to TREK's existing SQLite connection.
+ */
+@Injectable()
+export class HealthService {
+  constructor(private readonly database: DatabaseService) {}
+
+  info() {
+    const row = this.database.get<{ n: number }>('SELECT COUNT(*) AS n FROM users');
+    return {
+      runtime: 'nestjs',
+      diInjected: true,
+      // Proof the shared connection works: real row count from the existing DB.
+      userCount: row?.n ?? null,
+    };
+  }
+}

server/src/nest/strangler.ts

@@ -0,0 +1,24 @@
+/**
+ * Strangler toggle for the incremental NestJS migration.
+ *
+ * `getNestPrefixes()` returns the request path prefixes that NestJS handles;
+ * every other path falls through to the legacy Express app. The default is the
+ * set of prefixes whose Nest modules exist. Operators can override it at runtime
+ * via the `NEST_PREFIXES` env var (comma-separated) for instant Nest<->Express
+ * rollback — no redeploy, no code change. Setting `NEST_PREFIXES=` (empty) routes
+ * everything back to the legacy app.
+ */
+const DEFAULT_NEST_PREFIXES = ['/api/_nest', '/api/weather'];
+
+export function getNestPrefixes(): string[] {
+  const raw = process.env.NEST_PREFIXES;
+  if (raw !== undefined) {
+    return raw.split(',').map((s) => s.trim()).filter(Boolean);
+  }
+  return DEFAULT_NEST_PREFIXES;
+}
+
+/** Builds a matcher: true when `path` belongs to one of the migrated prefixes. */
+export function makeNestPathMatcher(prefixes: string[]): (path: string) => boolean {
+  return (path) => prefixes.some((prefix) => path === prefix || path.startsWith(prefix + '/'));
+}

server/src/nest/weather/weather.controller.ts

@@ -0,0 +1,66 @@
+import { Controller, Get, HttpException, Query, UseGuards } from '@nestjs/common';
+import type { WeatherResult } from '@trek/shared';
+import { WeatherService } from './weather.service';
+import { JwtAuthGuard } from '../auth/jwt-auth.guard';
+import { ApiError } from '../../services/weatherService';
+
+/**
+ * /api/weather — first migrated leaf module (the pilot).
+ *
+ * Behaviour is byte-identical to the legacy Express route (server/src/routes/
+ * weather.ts): same paths, query params, status codes and `{ error }` bodies.
+ *
+ * Parity note: the "X is required" 400s and the 500 fallback messages are bespoke
+ * strings, not the generic Zod-pipe envelope, so they are reproduced here exactly
+ * rather than derived from the schema. The Zod contract/types live in
+ * @trek/shared/weather and are used for typing; `lang` defaults to 'de' only when
+ * the param is absent, matching the Express destructuring default.
+ */
+@Controller('api/weather')
+@UseGuards(JwtAuthGuard)
+export class WeatherController {
+  constructor(private readonly weather: WeatherService) {}
+
+  @Get()
+  async getWeather(
+    @Query('lat') lat?: string,
+    @Query('lng') lng?: string,
+    @Query('date') date?: string,
+    @Query('lang') lang?: string,
+  ): Promise<WeatherResult> {
+    if (!lat || !lng) {
+      throw new HttpException({ error: 'Latitude and longitude are required' }, 400);
+    }
+    try {
+      return await this.weather.get(lat, lng, date, lang ?? 'de');
+    } catch (err: unknown) {
+      throw toHttp(err, 'Weather error:', 'Error fetching weather data');
+    }
+  }
+
+  @Get('detailed')
+  async getDetailed(
+    @Query('lat') lat?: string,
+    @Query('lng') lng?: string,
+    @Query('date') date?: string,
+    @Query('lang') lang?: string,
+  ): Promise<WeatherResult> {
+    if (!lat || !lng || !date) {
+      throw new HttpException({ error: 'Latitude, longitude, and date are required' }, 400);
+    }
+    try {
+      return await this.weather.getDetailed(lat, lng, date, lang ?? 'de');
+    } catch (err: unknown) {
+      throw toHttp(err, 'Detailed weather error:', 'Error fetching detailed weather data');
+    }
+  }
+}
+
+/** Maps a thrown error to the same status + `{ error }` body the Express route sent. */
+function toHttp(err: unknown, logPrefix: string, fallback: string): HttpException {
+  if (err instanceof ApiError) {
+    return new HttpException({ error: err.message }, err.status);
+  }
+  console.error(logPrefix, err);
+  return new HttpException({ error: fallback }, 500);
+}

server/src/nest/weather/weather.module.ts

@@ -0,0 +1,10 @@
+import { Module } from '@nestjs/common';
+import { WeatherController } from './weather.controller';
+import { WeatherService } from './weather.service';
+
+/** Weather domain (pilot leaf module). Registered in AppModule. */
+@Module({
+  controllers: [WeatherController],
+  providers: [WeatherService],
+})
+export class WeatherModule {}

server/src/nest/weather/weather.service.ts

@@ -0,0 +1,21 @@
+import { Injectable } from '@nestjs/common';
+import type { WeatherResult } from '@trek/shared';
+import { getWeather, getDetailedWeather } from '../../services/weatherService';
+
+/**
+ * Thin Nest wrapper around the existing weather service. It delegates to the
+ * exact same `getWeather` / `getDetailedWeather` functions the legacy route and
+ * the MCP tools use, so behaviour — including the shared in-memory cache and the
+ * Open-Meteo calls — is identical. No logic is duplicated; the upstream service
+ * stays the single source of truth (still consumed by the MCP weather tools).
+ */
+@Injectable()
+export class WeatherService {
+  get(lat: string, lng: string, date: string | undefined, lang: string): Promise<WeatherResult> {
+    return getWeather(lat, lng, date, lang) as Promise<WeatherResult>;
+  }
+
+  getDetailed(lat: string, lng: string, date: string, lang: string): Promise<WeatherResult> {
+    return getDetailedWeather(lat, lng, date, lang) as Promise<WeatherResult>;
+  }
+}

server/src/routes/weather.ts

@@ -1,45 +0,0 @@
-import express, { Request, Response } from 'express';
-import { authenticate } from '../middleware/auth';
-import { getWeather, getDetailedWeather, ApiError } from '../services/weatherService';
-
-const router = express.Router();
-
-router.get('/', authenticate, async (req: Request, res: Response) => {
-  const { lat, lng, date, lang = 'de' } = req.query as { lat: string; lng: string; date?: string; lang?: string };
-
-  if (!lat || !lng) {
-    return res.status(400).json({ error: 'Latitude and longitude are required' });
-  }
-
-  try {
-    const result = await getWeather(lat, lng, date, lang);
-    res.json(result);
-  } catch (err: unknown) {
-    if (err instanceof ApiError) {
-      return res.status(err.status).json({ error: err.message });
-    }
-    console.error('Weather error:', err);
-    res.status(500).json({ error: 'Error fetching weather data' });
-  }
-});
-
-router.get('/detailed', authenticate, async (req: Request, res: Response) => {
-  const { lat, lng, date, lang = 'de' } = req.query as { lat: string; lng: string; date: string; lang?: string };
-
-  if (!lat || !lng || !date) {
-    return res.status(400).json({ error: 'Latitude, longitude, and date are required' });
-  }
-
-  try {
-    const result = await getDetailedWeather(lat, lng, date, lang);
-    res.json(result);
-  } catch (err: unknown) {
-    if (err instanceof ApiError) {
-      return res.status(err.status).json({ error: err.message });
-    }
-    console.error('Detailed weather error:', err);
-    res.status(500).json({ error: 'Error fetching detailed weather data' });
-  }
-});
-
-export default router;

server/tests/e2e/harness.ts

@@ -0,0 +1,65 @@
+import Database from 'better-sqlite3';
+import jwt from 'jsonwebtoken';
+import { JWT_SECRET } from '../../src/config';
+
+/**
+ * Shared e2e harness for migrated Nest modules.
+ *
+ * Gives each module e2e test a throwaway in-memory SQLite db (the same shape the
+ * shared connection exposes), a seed helper for demo data, and a session-cookie
+ * signer that produces tokens the REAL JwtAuthGuard accepts — so e2e tests cover
+ * the actual auth path end-to-end, not a stubbed guard.
+ *
+ * Wire it in a test with `vi.mock('../../src/db/database', () => ({ db, ... }))`
+ * using the db returned here, then build the Nest app under test.
+ */
+
+export interface SeededUser {
+  id: number;
+  username: string;
+  email: string;
+  role: 'user' | 'admin';
+  password_version: number;
+}
+
+/** Fresh in-memory db with the minimal `users` table the auth guard reads. */
+export function createTempDb(): Database.Database {
+  const db = new Database(':memory:');
+  db.exec('PRAGMA journal_mode = WAL');
+  db.exec('PRAGMA foreign_keys = ON');
+  db.exec(`
+    CREATE TABLE users (
+      id INTEGER PRIMARY KEY AUTOINCREMENT,
+      username TEXT NOT NULL,
+      email TEXT NOT NULL UNIQUE,
+      role TEXT NOT NULL DEFAULT 'user',
+      password_version INTEGER NOT NULL DEFAULT 0
+    );
+  `);
+  return db;
+}
+
+/** Insert a demo user and return its row. */
+export function seedUser(db: Database.Database, overrides: Partial<SeededUser> = {}): SeededUser {
+  const user: SeededUser = {
+    id: overrides.id ?? 1,
+    username: overrides.username ?? 'e2e-user',
+    email: overrides.email ?? 'e2e@example.test',
+    role: overrides.role ?? 'user',
+    password_version: overrides.password_version ?? 0,
+  };
+  db.prepare(
+    'INSERT INTO users (id, username, email, role, password_version) VALUES (?, ?, ?, ?, ?)',
+  ).run(user.id, user.username, user.email, user.role, user.password_version);
+  return user;
+}
+
+/** Sign a `trek_session` token the real guard will accept (matching JWT_SECRET + pv). */
+export function signSession(userId: number, passwordVersion = 0): string {
+  return jwt.sign({ id: userId, pv: passwordVersion }, JWT_SECRET, { algorithm: 'HS256' });
+}
+
+/** Convenience: the Cookie header value for a signed session. */
+export function sessionCookie(userId: number, passwordVersion = 0): string {
+  return `trek_session=${signSession(userId, passwordVersion)}`;
+}

server/tests/e2e/weather.e2e.test.ts

@@ -0,0 +1,88 @@
+/**
+ * Weather module e2e — exercises the migrated /api/weather endpoints through the
+ * real JwtAuthGuard against a temp SQLite db (seeded via the shared harness).
+ * The weather service is mocked so no real Open-Meteo calls happen.
+ */
+import { describe, it, expect, beforeAll, afterAll, vi } from 'vitest';
+import request from 'supertest';
+import cookieParser from 'cookie-parser';
+import type { Server } from 'http';
+import { Test } from '@nestjs/testing';
+import { createTempDb, seedUser, sessionCookie } from './harness';
+
+const { db } = vi.hoisted(() => {
+  // eslint-disable-next-line @typescript-eslint/no-require-imports
+  const Database = require('better-sqlite3');
+  const tmp = new Database(':memory:');
+  tmp.exec('PRAGMA journal_mode = WAL');
+  tmp.exec(`CREATE TABLE users (id INTEGER PRIMARY KEY AUTOINCREMENT, username TEXT NOT NULL,
+    email TEXT NOT NULL UNIQUE, role TEXT NOT NULL DEFAULT 'user', password_version INTEGER NOT NULL DEFAULT 0);`);
+  return { db: tmp };
+});
+
+vi.mock('../../src/db/database', () => ({ db, closeDb: () => {}, reinitialize: () => {} }));
+
+const { mockGet, mockGetDetailed } = vi.hoisted(() => ({ mockGet: vi.fn(), mockGetDetailed: vi.fn() }));
+vi.mock('../../src/services/weatherService', async (importActual) => {
+  const actual = await importActual<typeof import('../../src/services/weatherService')>();
+  return { ...actual, getWeather: mockGet, getDetailedWeather: mockGetDetailed };
+});
+
+import { WeatherModule } from '../../src/nest/weather/weather.module';
+import { TrekExceptionFilter } from '../../src/nest/common/trek-exception.filter';
+
+describe('Weather e2e (real auth guard + temp SQLite)', () => {
+  let server: Server;
+  let app: Awaited<ReturnType<typeof build>>;
+
+  async function build() {
+    const moduleRef = await Test.createTestingModule({ imports: [WeatherModule] }).compile();
+    const nest = moduleRef.createNestApplication();
+    nest.use(cookieParser());
+    nest.useGlobalFilters(new TrekExceptionFilter());
+    await nest.init();
+    return nest;
+  }
+
+  beforeAll(async () => {
+    seedUser(db as never, { id: 1 });
+    app = await build();
+    server = app.getHttpServer();
+    mockGet.mockResolvedValue({ temp: 21, main: 'Clear', description: 'Klar', type: 'current' });
+    mockGetDetailed.mockResolvedValue({ temp: 20, main: 'Rain', description: 'Regen', type: 'forecast', hourly: [] });
+  });
+
+  afterAll(async () => {
+    await app.close();
+  });
+
+  it('401 { error, code } without a session cookie', async () => {
+    const res = await request(server).get('/api/weather').query({ lat: '1', lng: '2' });
+    expect(res.status).toBe(401);
+    expect(res.body).toEqual({ error: 'Access token required', code: 'AUTH_REQUIRED' });
+  });
+
+  it('401 with an invalid token', async () => {
+    const res = await request(server).get('/api/weather').set('Cookie', 'trek_session=not-a-jwt').query({ lat: '1', lng: '2' });
+    expect(res.status).toBe(401);
+    expect(res.body).toEqual({ error: 'Invalid or expired token', code: 'AUTH_REQUIRED' });
+  });
+
+  it('400 when authenticated but lat/lng missing', async () => {
+    const res = await request(server).get('/api/weather').set('Cookie', sessionCookie(1)).query({ lng: '2' });
+    expect(res.status).toBe(400);
+    expect(res.body).toEqual({ error: 'Latitude and longitude are required' });
+  });
+
+  it('200 with a valid session cookie', async () => {
+    const res = await request(server).get('/api/weather').set('Cookie', sessionCookie(1)).query({ lat: '52.5', lng: '13.4' });
+    expect(res.status).toBe(200);
+    expect(res.body).toMatchObject({ temp: 21, main: 'Clear', type: 'current' });
+  });
+
+  it('200 on /detailed with a valid session cookie', async () => {
+    const res = await request(server).get('/api/weather/detailed').set('Cookie', sessionCookie(1)).query({ lat: '1', lng: '2', date: '2026-07-01' });
+    expect(res.status).toBe(200);
+    expect(res.body).toMatchObject({ type: 'forecast' });
+  });
+});

server/tests/integration/weather.test.ts

@@ -1,262 +0,0 @@
-/**
- * Weather integration tests.
- * Covers WEATHER-001 to WEATHER-007.
- *
- * External API calls (Open-Meteo) are mocked via vi.mock.
- */
-import { describe, it, expect, vi, beforeAll, beforeEach, afterAll } from 'vitest';
-import request from 'supertest';
-import type { Application } from 'express';
-
-const { testDb, dbMock } = vi.hoisted(() => {
-  const Database = require('better-sqlite3');
-  const db = new Database(':memory:');
-  db.exec('PRAGMA journal_mode = WAL');
-  db.exec('PRAGMA foreign_keys = ON');
-  db.exec('PRAGMA busy_timeout = 5000');
-  const mock = {
-    db,
-    closeDb: () => {},
-    reinitialize: () => {},
-    getPlaceWithTags: (placeId: number) => {
-      const place: any = db.prepare(`SELECT p.*, c.name as category_name, c.color as category_color, c.icon as category_icon FROM places p LEFT JOIN categories c ON p.category_id = c.id WHERE p.id = ?`).get(placeId);
-      if (!place) return null;
-      const tags = db.prepare(`SELECT t.* FROM tags t JOIN place_tags pt ON t.id = pt.tag_id WHERE pt.place_id = ?`).all(placeId);
-      return { ...place, category: place.category_id ? { id: place.category_id, name: place.category_name, color: place.category_color, icon: place.category_icon } : null, tags };
-    },
-    canAccessTrip: (tripId: any, userId: number) =>
-      db.prepare(`SELECT t.id, t.user_id FROM trips t LEFT JOIN trip_members m ON m.trip_id = t.id AND m.user_id = ? WHERE t.id = ? AND (t.user_id = ? OR m.user_id IS NOT NULL)`).get(userId, tripId, userId),
-    isOwner: (tripId: any, userId: number) =>
-      !!db.prepare('SELECT id FROM trips WHERE id = ? AND user_id = ?').get(tripId, userId),
-  };
-  return { testDb: db, dbMock: mock };
-});
-
-vi.mock('../../src/db/database', () => dbMock);
-vi.mock('../../src/config', () => ({
-  JWT_SECRET: 'test-jwt-secret-for-trek-testing-only',
-  ENCRYPTION_KEY: 'a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6a7b8c9d0e1f2a3b4c5d6a7b8c9d0e1f2',
-  updateJwtSecret: () => {},
-}));
-
-// Prevent real HTTP calls to Open-Meteo
-vi.stubGlobal('fetch', vi.fn().mockResolvedValue({
-  ok: true,
-  json: () => Promise.resolve({
-    current: { temperature_2m: 22, weathercode: 1, windspeed_10m: 10, relativehumidity_2m: 60, precipitation: 0 },
-    daily: {
-      time: ['2025-06-01'],
-      temperature_2m_max: [25],
-      temperature_2m_min: [18],
-      weathercode: [1],
-      precipitation_sum: [0],
-      windspeed_10m_max: [15],
-      sunrise: ['2025-06-01T06:00'],
-      sunset: ['2025-06-01T21:00'],
-    },
-  }),
-}));
-
-import { createApp } from '../../src/app';
-import { createTables } from '../../src/db/schema';
-import { runMigrations } from '../../src/db/migrations';
-import { resetTestDb } from '../helpers/test-db';
-import { createUser } from '../helpers/factories';
-import { authCookie } from '../helpers/auth';
-import { loginAttempts, mfaAttempts } from '../../src/routes/auth';
-
-const app: Application = createApp();
-
-beforeAll(() => {
-  createTables(testDb);
-  runMigrations(testDb);
-});
-
-beforeEach(() => {
-  resetTestDb(testDb);
-  loginAttempts.clear();
-  mfaAttempts.clear();
-});
-
-afterAll(() => {
-  testDb.close();
-  vi.unstubAllGlobals();
-});
-
-describe('Weather validation', () => {
-  it('WEATHER-001 — GET /weather without lat/lng returns 400', async () => {
-    const { user } = createUser(testDb);
-
-    const res = await request(app)
-      .get('/api/weather')
-      .set('Cookie', authCookie(user.id));
-    expect(res.status).toBe(400);
-  });
-
-  it('WEATHER-001 — GET /weather without lng returns 400', async () => {
-    const { user } = createUser(testDb);
-
-    const res = await request(app)
-      .get('/api/weather?lat=48.8566')
-      .set('Cookie', authCookie(user.id));
-    expect(res.status).toBe(400);
-  });
-
-  it('WEATHER-005 — GET /weather/detailed without date returns 400', async () => {
-    const { user } = createUser(testDb);
-
-    const res = await request(app)
-      .get('/api/weather/detailed?lat=48.8566&lng=2.3522')
-      .set('Cookie', authCookie(user.id));
-    expect(res.status).toBe(400);
-  });
-
-  it('WEATHER-001 — GET /weather without auth returns 401', async () => {
-    const res = await request(app)
-      .get('/api/weather?lat=48.8566&lng=2.3522');
-    expect(res.status).toBe(401);
-  });
-});
-
-describe('Weather with mocked API', () => {
-  it('WEATHER-001 — GET /weather with lat/lng returns weather data', async () => {
-    const { user } = createUser(testDb);
-
-    const res = await request(app)
-      .get('/api/weather?lat=48.8566&lng=2.3522')
-      .set('Cookie', authCookie(user.id));
-    expect(res.status).toBe(200);
-    expect(res.body).toHaveProperty('temp');
-    expect(res.body).toHaveProperty('main');
-  });
-
-  it('WEATHER-002 — GET /weather?date=future returns forecast data', async () => {
-    const { user } = createUser(testDb);
-    const futureDate = new Date();
-    futureDate.setDate(futureDate.getDate() + 5);
-    const dateStr = futureDate.toISOString().slice(0, 10);
-
-    const res = await request(app)
-      .get(`/api/weather?lat=48.8566&lng=2.3522&date=${dateStr}`)
-      .set('Cookie', authCookie(user.id));
-    expect(res.status).toBe(200);
-    expect(res.body).toHaveProperty('temp');
-    expect(res.body).toHaveProperty('type');
-  });
-
-  it('WEATHER-006 — GET /weather accepts lang parameter', async () => {
-    const { user } = createUser(testDb);
-
-    const res = await request(app)
-      .get('/api/weather?lat=48.8566&lng=2.3522&lang=en')
-      .set('Cookie', authCookie(user.id));
-    expect(res.status).toBe(200);
-    expect(res.body).toHaveProperty('temp');
-  });
-
-  it('WEATHER-007 — GET /weather returns 500 on non-ok API response (ApiError path)', async () => {
-    const { user } = createUser(testDb);
-    // Use unique coords to avoid cache from previous tests
-    vi.mocked(global.fetch as any).mockResolvedValueOnce({
-      ok: false,
-      status: 503,
-      json: () => Promise.resolve({ error: true, reason: 'Service unavailable' }),
-    });
-    const futureDate = new Date();
-    futureDate.setDate(futureDate.getDate() + 3);
-    const dateStr = futureDate.toISOString().slice(0, 10);
-
-    const res = await request(app)
-      .get(`/api/weather?lat=55.0&lng=25.0&date=${dateStr}`)
-      .set('Cookie', authCookie(user.id));
-    expect(res.status).toBe(503);
-    expect(res.body).toHaveProperty('error');
-  });
-
-  it('WEATHER-008 — GET /weather returns 500 on network error (generic error path)', async () => {
-    const { user } = createUser(testDb);
-    vi.mocked(global.fetch as any).mockRejectedValueOnce(new Error('Network error'));
-    const futureDate = new Date();
-    futureDate.setDate(futureDate.getDate() + 4);
-    const dateStr = futureDate.toISOString().slice(0, 10);
-
-    const res = await request(app)
-      .get(`/api/weather?lat=56.0&lng=26.0&date=${dateStr}`)
-      .set('Cookie', authCookie(user.id));
-    expect(res.status).toBe(500);
-    expect(res.body).toHaveProperty('error');
-  });
-
-  it('WEATHER-009 — GET /weather/detailed returns detailed weather data', async () => {
-    const { user } = createUser(testDb);
-    const futureDate = new Date();
-    futureDate.setDate(futureDate.getDate() + 2);
-    const dateStr = futureDate.toISOString().slice(0, 10);
-
-    // Override mock with full detailed forecast response
-    vi.mocked(global.fetch as any).mockResolvedValueOnce({
-      ok: true,
-      json: () => Promise.resolve({
-        daily: {
-          time: [dateStr],
-          temperature_2m_max: [24],
-          temperature_2m_min: [16],
-          weathercode: [1],
-          precipitation_sum: [0],
-          windspeed_10m_max: [12],
-          sunrise: [`${dateStr}T06:00`],
-          sunset: [`${dateStr}T21:00`],
-          precipitation_probability_max: [10],
-        },
-        hourly: {
-          time: [`${dateStr}T12:00`],
-          temperature_2m: [20],
-          precipitation_probability: [5],
-          precipitation: [0],
-          weathercode: [1],
-          windspeed_10m: [10],
-          relativehumidity_2m: [55],
-        },
-      }),
-    });
-
-    const res = await request(app)
-      .get(`/api/weather/detailed?lat=50.0&lng=10.0&date=${dateStr}`)
-      .set('Cookie', authCookie(user.id));
-    expect(res.status).toBe(200);
-    expect(res.body).toHaveProperty('temp');
-    expect(res.body.type).toBe('forecast');
-  });
-
-  it('WEATHER-010 — GET /weather/detailed returns error status on ApiError', async () => {
-    const { user } = createUser(testDb);
-    vi.mocked(global.fetch as any).mockResolvedValueOnce({
-      ok: false,
-      status: 502,
-      json: () => Promise.resolve({ error: true, reason: 'Bad Gateway' }),
-    });
-    const futureDate = new Date();
-    futureDate.setDate(futureDate.getDate() + 6);
-    const dateStr = futureDate.toISOString().slice(0, 10);
-
-    const res = await request(app)
-      .get(`/api/weather/detailed?lat=57.0&lng=27.0&date=${dateStr}`)
-      .set('Cookie', authCookie(user.id));
-    expect(res.status).toBe(502);
-    expect(res.body).toHaveProperty('error');
-  });
-
-  it('WEATHER-011 — GET /weather/detailed returns 500 on network error', async () => {
-    const { user } = createUser(testDb);
-    vi.mocked(global.fetch as any).mockRejectedValueOnce(new Error('Network error'));
-    const futureDate = new Date();
-    futureDate.setDate(futureDate.getDate() + 7);
-    const dateStr = futureDate.toISOString().slice(0, 10);
-
-    const res = await request(app)
-      .get(`/api/weather/detailed?lat=58.0&lng=28.0&date=${dateStr}`)
-      .set('Cookie', authCookie(user.id));
-    expect(res.status).toBe(500);
-    expect(res.body).toHaveProperty('error');
-  });
-});

server/tests/parity/parity.ts

@@ -0,0 +1,39 @@
+import request from 'supertest';
+import { expect } from 'vitest';
+import type { Server } from 'http';
+
+export interface ParityRequest {
+  method?: 'get' | 'post' | 'put' | 'patch' | 'delete';
+  path: string;
+  query?: Record<string, string>;
+  body?: unknown;
+}
+
+/**
+ * Reusable Nest-vs-Express parity harness.
+ *
+ * Fires the same HTTP request at the legacy Express app and the migrated Nest app
+ * and asserts the response is client-identical — same status code and same JSON
+ * body. With the underlying service mocked identically for both, any difference is
+ * purely framework-layer (routing, validation, error envelope), which is exactly
+ * what a migration must not change. Use one assertion per migrated route/case.
+ */
+export async function expectParity(
+  expressServer: Server | Express.Application,
+  nestServer: Server,
+  req: ParityRequest,
+): Promise<void> {
+  const fire = (target: Server | Express.Application) => {
+    const method = req.method ?? 'get';
+    let r = request(target as never)[method](req.path);
+    if (req.query) r = r.query(req.query);
+    if (req.body !== undefined) r = r.send(req.body as object);
+    return r;
+  };
+
+  const [ex, ne] = await Promise.all([fire(expressServer), fire(nestServer)]);
+
+  const label = `${(req.method ?? 'GET').toUpperCase()} ${req.path}`;
+  expect(ne.status, `${label}: status mismatch`).toBe(ex.status);
+  expect(ne.body, `${label}: body mismatch`).toEqual(ex.body);
+}

server/tests/unit/nest/auth-guard.test.ts

@@ -0,0 +1,26 @@
+import { describe, it, expect } from 'vitest';
+import { HttpException } from '@nestjs/common';
+import { JwtAuthGuard } from '../../../src/nest/auth/jwt-auth.guard';
+
+function context(req: unknown) {
+  return { switchToHttp: () => ({ getRequest: () => req }) } as never;
+}
+
+describe('JwtAuthGuard', () => {
+  const guard = new JwtAuthGuard();
+
+  it('rejects with the legacy 401 { error, code } when no token is present', () => {
+    let thrown: unknown;
+    try {
+      guard.canActivate(context({ headers: {}, cookies: {} }));
+    } catch (e) {
+      thrown = e;
+    }
+    expect(thrown).toBeInstanceOf(HttpException);
+    expect((thrown as HttpException).getStatus()).toBe(401);
+    expect((thrown as HttpException).getResponse()).toEqual({
+      error: 'Access token required',
+      code: 'AUTH_REQUIRED',
+    });
+  });
+});

server/tests/unit/nest/database-service.test.ts

@@ -0,0 +1,36 @@
+/**
+ * DatabaseService — the shared better-sqlite3 provider (F3). Exercises every
+ * helper against the real connection so the typed query surface is covered.
+ */
+import { describe, it, expect } from 'vitest';
+import { DatabaseService } from '../../../src/nest/database/database.service';
+
+describe('DatabaseService (typed query helpers)', () => {
+  const svc = new DatabaseService();
+
+  it('exposes the shared connection', () => {
+    expect(typeof svc.connection.prepare).toBe('function');
+  });
+
+  it('prepare + get + all return rows from the live connection', () => {
+    expect(svc.prepare('SELECT 1 AS one').get()).toEqual({ one: 1 });
+    expect(svc.get('SELECT 2 AS two')).toEqual({ two: 2 });
+    expect(svc.all('SELECT 3 AS three')).toEqual([{ three: 3 }]);
+  });
+
+  it('run + transaction operate on a scratch table', () => {
+    svc.run('CREATE TEMP TABLE IF NOT EXISTS _dbsvc_test (n INTEGER)');
+    svc.run('DELETE FROM _dbsvc_test');
+
+    const info = svc.run('INSERT INTO _dbsvc_test (n) VALUES (?)', 41);
+    expect(info.changes).toBe(1);
+
+    const total = svc.transaction((conn) => {
+      conn.prepare('INSERT INTO _dbsvc_test (n) VALUES (?)').run(1);
+      return conn.prepare('SELECT SUM(n) AS s FROM _dbsvc_test').get() as { s: number };
+    });
+    expect(total.s).toBe(42);
+
+    svc.run('DROP TABLE _dbsvc_test');
+  });
+});

server/tests/unit/nest/exception-filter.test.ts

@@ -0,0 +1,34 @@
+import { describe, it, expect, vi } from 'vitest';
+import { HttpException } from '@nestjs/common';
+import { TrekExceptionFilter } from '../../../src/nest/common/trek-exception.filter';
+
+function mockHost() {
+  const res = { status: vi.fn().mockReturnThis(), json: vi.fn().mockReturnThis() };
+  const host = { switchToHttp: () => ({ getResponse: () => res }) } as never;
+  return { res, host };
+}
+
+describe('TrekExceptionFilter', () => {
+  const filter = new TrekExceptionFilter();
+
+  it('passes through { error, code } bodies (auth guards) unchanged', () => {
+    const { res, host } = mockHost();
+    filter.catch(new HttpException({ error: 'Access token required', code: 'AUTH_REQUIRED' }, 401), host);
+    expect(res.status).toHaveBeenCalledWith(401);
+    expect(res.json).toHaveBeenCalledWith({ error: 'Access token required', code: 'AUTH_REQUIRED' });
+  });
+
+  it('normalises a string HttpException to { error }', () => {
+    const { res, host } = mockHost();
+    filter.catch(new HttpException('Bad thing', 400), host);
+    expect(res.status).toHaveBeenCalledWith(400);
+    expect(res.json).toHaveBeenCalledWith({ error: 'Bad thing' });
+  });
+
+  it('maps unknown errors to 500 { error: Internal server error }', () => {
+    const { res, host } = mockHost();
+    filter.catch(new Error('boom'), host);
+    expect(res.status).toHaveBeenCalledWith(500);
+    expect(res.json).toHaveBeenCalledWith({ error: 'Internal server error' });
+  });
+});

server/tests/unit/nest/health.di.test.ts

@@ -0,0 +1,25 @@
+import { describe, it, expect } from 'vitest';
+import { Test } from '@nestjs/testing';
+import { HealthController } from '../../../src/nest/health/health.controller';
+import { HealthService } from '../../../src/nest/health/health.service';
+import { DatabaseService } from '../../../src/nest/database/database.service';
+
+describe('Nest dependency injection (vitest + swc)', () => {
+  it('injects HealthService + DatabaseService into HealthController by type', async () => {
+    const moduleRef = await Test.createTestingModule({
+      controllers: [HealthController],
+      providers: [
+        HealthService,
+        { provide: DatabaseService, useValue: { get: () => ({ n: 7 }) } },
+      ],
+    }).compile();
+
+    const controller = moduleRef.get(HealthController);
+    expect(controller.getHealth()).toEqual({
+      ok: true,
+      runtime: 'nestjs',
+      diInjected: true,
+      userCount: 7,
+    });
+  });
+});

server/tests/unit/nest/strangler.test.ts

@@ -0,0 +1,33 @@
+import { describe, it, expect, afterEach } from 'vitest';
+import { getNestPrefixes, makeNestPathMatcher } from '../../../src/nest/strangler';
+
+describe('strangler toggle', () => {
+  const original = process.env.NEST_PREFIXES;
+  afterEach(() => {
+    if (original === undefined) delete process.env.NEST_PREFIXES;
+    else process.env.NEST_PREFIXES = original;
+  });
+
+  it('defaults to the migrated prefixes (/api/_nest + /api/weather) when NEST_PREFIXES is unset', () => {
+    delete process.env.NEST_PREFIXES;
+    expect(getNestPrefixes()).toEqual(['/api/_nest', '/api/weather']);
+  });
+
+  it('parses NEST_PREFIXES (comma-separated, trimmed)', () => {
+    process.env.NEST_PREFIXES = '/api/weather, /api/airports';
+    expect(getNestPrefixes()).toEqual(['/api/weather', '/api/airports']);
+  });
+
+  it('treats an empty NEST_PREFIXES as "all routes on legacy"', () => {
+    process.env.NEST_PREFIXES = '';
+    expect(getNestPrefixes()).toEqual([]);
+  });
+
+  it('matches exact prefixes and subpaths but not lookalikes', () => {
+    const match = makeNestPathMatcher(['/api/_nest']);
+    expect(match('/api/_nest')).toBe(true);
+    expect(match('/api/_nest/health')).toBe(true);
+    expect(match('/api/_nestxyz')).toBe(false);
+    expect(match('/api/health')).toBe(false);
+  });
+});

server/tests/unit/nest/weather.controller.test.ts

@@ -0,0 +1,93 @@
+import { describe, it, expect, vi } from 'vitest';
+import { HttpException } from '@nestjs/common';
+import { WeatherController } from '../../../src/nest/weather/weather.controller';
+import { ApiError } from '../../../src/services/weatherService';
+import type { WeatherService } from '../../../src/nest/weather/weather.service';
+
+function makeController(svc: Partial<WeatherService>) {
+  return new WeatherController(svc as WeatherService);
+}
+
+/** Run `fn`, expecting it to throw an HttpException; return its { status, body }. */
+async function thrown(fn: () => Promise<unknown>): Promise<{ status: number; body: unknown }> {
+  try {
+    await fn();
+  } catch (err) {
+    expect(err).toBeInstanceOf(HttpException);
+    const e = err as HttpException;
+    return { status: e.getStatus(), body: e.getResponse() };
+  }
+  throw new Error('expected the handler to throw');
+}
+
+describe('WeatherController (parity with the legacy /api/weather route)', () => {
+  const sample = { temp: 21, main: 'Clear', description: 'Klar', type: 'current' };
+
+  describe('GET /api/weather', () => {
+    it('400 { error } with the exact legacy message when lat/lng missing', async () => {
+      const c = makeController({ get: vi.fn() });
+      expect(await thrown(() => c.getWeather(undefined, '13.4'))).toEqual({
+        status: 400,
+        body: { error: 'Latitude and longitude are required' },
+      });
+    });
+
+    it('returns the service result and defaults lang to "de" when absent', async () => {
+      const get = vi.fn().mockResolvedValue(sample);
+      const c = makeController({ get });
+      const res = await c.getWeather('52.5', '13.4', undefined, undefined);
+      expect(res).toEqual(sample);
+      expect(get).toHaveBeenCalledWith('52.5', '13.4', undefined, 'de');
+    });
+
+    it('passes an explicit lang and date through unchanged', async () => {
+      const get = vi.fn().mockResolvedValue(sample);
+      const c = makeController({ get });
+      await c.getWeather('1', '2', '2026-07-01', 'en');
+      expect(get).toHaveBeenCalledWith('1', '2', '2026-07-01', 'en');
+    });
+
+    it('maps an ApiError to its status + { error: message }', async () => {
+      const c = makeController({ get: vi.fn().mockRejectedValue(new ApiError(404, 'Open-Meteo API error')) });
+      expect(await thrown(() => c.getWeather('1', '2'))).toEqual({
+        status: 404,
+        body: { error: 'Open-Meteo API error' },
+      });
+    });
+
+    it('maps an unexpected error to the exact legacy 500 body', async () => {
+      vi.spyOn(console, 'error').mockImplementation(() => {});
+      const c = makeController({ get: vi.fn().mockRejectedValue(new Error('boom')) });
+      expect(await thrown(() => c.getWeather('1', '2'))).toEqual({
+        status: 500,
+        body: { error: 'Error fetching weather data' },
+      });
+    });
+  });
+
+  describe('GET /api/weather/detailed', () => {
+    it('400 { error } with the exact legacy message when date missing', async () => {
+      const c = makeController({ getDetailed: vi.fn() });
+      expect(await thrown(() => c.getDetailed('1', '2', undefined))).toEqual({
+        status: 400,
+        body: { error: 'Latitude, longitude, and date are required' },
+      });
+    });
+
+    it('returns the detailed result and defaults lang to "de"', async () => {
+      const getDetailed = vi.fn().mockResolvedValue(sample);
+      const c = makeController({ getDetailed });
+      await c.getDetailed('1', '2', '2026-07-01', undefined);
+      expect(getDetailed).toHaveBeenCalledWith('1', '2', '2026-07-01', 'de');
+    });
+
+    it('maps an unexpected error to the exact detailed 500 body', async () => {
+      vi.spyOn(console, 'error').mockImplementation(() => {});
+      const c = makeController({ getDetailed: vi.fn().mockRejectedValue(new Error('boom')) });
+      expect(await thrown(() => c.getDetailed('1', '2', '2026-07-01'))).toEqual({
+        status: 500,
+        body: { error: 'Error fetching detailed weather data' },
+      });
+    });
+  });
+});

server/tests/unit/nest/wiring.test.ts

@@ -0,0 +1,40 @@
+import { describe, it, expect } from 'vitest';
+import { HttpException } from '@nestjs/common';
+import { Test } from '@nestjs/testing';
+import { AppModule } from '../../../src/nest/app.module';
+import { HealthController } from '../../../src/nest/health/health.controller';
+import { DatabaseService } from '../../../src/nest/database/database.service';
+import { AdminGuard } from '../../../src/nest/auth/admin.guard';
+
+function ctx(user: unknown) {
+  return { switchToHttp: () => ({ getRequest: () => ({ user }) }) } as never;
+}
+
+describe('AppModule wiring', () => {
+  it('compiles with the global filter + DB provider and resolves the controller', async () => {
+    const moduleRef = await Test.createTestingModule({ imports: [AppModule] })
+      .overrideProvider(DatabaseService)
+      .useValue({ get: () => ({ n: 0 }) })
+      .compile();
+    expect(moduleRef.get(HealthController)).toBeInstanceOf(HealthController);
+  });
+});
+
+describe('AdminGuard', () => {
+  const guard = new AdminGuard();
+  it('allows admins', () => {
+    expect(guard.canActivate(ctx({ role: 'admin' }))).toBe(true);
+  });
+  it('blocks non-admins and anonymous with 403 { error }', () => {
+    expect(() => guard.canActivate(ctx({ role: 'user' }))).toThrow(HttpException);
+    expect(() => guard.canActivate(ctx(undefined))).toThrow(HttpException);
+  });
+});
+
+describe('DatabaseService (shared connection)', () => {
+  it('runs real queries against the existing SQLite connection', () => {
+    const svc = new DatabaseService();
+    expect(svc.get('SELECT 1 AS one')).toEqual({ one: 1 });
+    expect(svc.all('SELECT 1 AS one')).toEqual([{ one: 1 }]);
+  });
+});

server/tests/unit/nest/zod-pipe.test.ts

@@ -0,0 +1,25 @@
+import { describe, it, expect } from 'vitest';
+import { z } from 'zod';
+import { HttpException } from '@nestjs/common';
+import { ZodValidationPipe } from '../../../src/nest/common/zod-validation.pipe';
+
+describe('ZodValidationPipe', () => {
+  const pipe = new ZodValidationPipe(z.object({ name: z.string().min(1) }));
+  const meta = {} as never;
+
+  it('returns the parsed value for valid input', () => {
+    expect(pipe.transform({ name: 'x' }, meta)).toEqual({ name: 'x' });
+  });
+
+  it('throws TREK { error } envelope with status 400 on invalid input', () => {
+    let thrown: unknown;
+    try {
+      pipe.transform({ name: '' }, meta);
+    } catch (e) {
+      thrown = e;
+    }
+    expect(thrown).toBeInstanceOf(HttpException);
+    expect((thrown as HttpException).getStatus()).toBe(400);
+    expect((thrown as HttpException).getResponse()).toHaveProperty('error');
+  });
+});

server/tests/unit/shared-contract.test.ts

@@ -0,0 +1,10 @@
+import { describe, it, expect } from 'vitest';
+// Smoke test: proves the server toolchain (tsx / vitest) resolves @trek/shared.
+import { idParamSchema, paginationQuerySchema } from '@trek/shared';
+
+describe('@trek/shared resolves in the server toolchain', () => {
+  it('imports and uses a shared schema', () => {
+    expect(idParamSchema.parse('7')).toBe(7);
+    expect(paginationQuerySchema.parse({})).toEqual({ page: 1, perPage: 50 });
+  });
+});

server/tsconfig.build.json

@@ -0,0 +1,12 @@
+{
+  "extends": "./tsconfig.json",
+  "compilerOptions": {
+    "noEmit": false,
+    "noEmitOnError": false,
+    "outDir": "./dist",
+    "sourceMap": false,
+    "declaration": false
+  },
+  "include": ["src"],
+  "exclude": ["node_modules", "dist", "tests", "**/*.spec.ts", "**/*.test.ts"]
+}

server/tsconfig.json

@@ -3,6 +3,9 @@
     "target": "ES2022",
     "module": "commonjs",
     "lib": ["ES2022"],
+    "experimentalDecorators": true,
+    "emitDecoratorMetadata": true,
+    "baseUrl": ".",
     "outDir": "./dist",
     "rootDir": "./src",
     "strict": false,
@@ -19,16 +22,18 @@
     // (e.g. "./*": "./dist/esm/*") which TypeScript cannot resolve — it only strips .js suffixes.
     // These paths manually redirect to the CJS dist until the SDK fixes its exports map.
     "paths": {
-      "@modelcontextprotocol/sdk/server/mcp": ["./node_modules/@modelcontextprotocol/sdk/dist/cjs/server/mcp"],
-      "@modelcontextprotocol/sdk/server/streamableHttp": ["./node_modules/@modelcontextprotocol/sdk/dist/cjs/server/streamableHttp"],
-      "@modelcontextprotocol/sdk/server/auth/router": ["./node_modules/@modelcontextprotocol/sdk/dist/cjs/server/auth/router"],
-      "@modelcontextprotocol/sdk/server/auth/handlers/authorize": ["./node_modules/@modelcontextprotocol/sdk/dist/cjs/server/auth/handlers/authorize"],
-      "@modelcontextprotocol/sdk/server/auth/handlers/register": ["./node_modules/@modelcontextprotocol/sdk/dist/cjs/server/auth/handlers/register"],
-      "@modelcontextprotocol/sdk/server/auth/provider": ["./node_modules/@modelcontextprotocol/sdk/dist/cjs/server/auth/provider"],
-      "@modelcontextprotocol/sdk/server/auth/clients": ["./node_modules/@modelcontextprotocol/sdk/dist/cjs/server/auth/clients"],
-      "@modelcontextprotocol/sdk/server/auth/errors": ["./node_modules/@modelcontextprotocol/sdk/dist/cjs/server/auth/errors"],
-      "@modelcontextprotocol/sdk/server/auth/types": ["./node_modules/@modelcontextprotocol/sdk/dist/cjs/server/auth/types"],
-      "@modelcontextprotocol/sdk/shared/auth": ["./node_modules/@modelcontextprotocol/sdk/dist/cjs/shared/auth"]
+      "@trek/shared": ["../shared/src/index.ts"],
+      "@trek/shared/*": ["../shared/src/*"],
+      "@modelcontextprotocol/sdk/server/mcp": ["./node_modules/@modelcontextprotocol/sdk/dist/cjs/server/mcp.js"],
+      "@modelcontextprotocol/sdk/server/streamableHttp": ["./node_modules/@modelcontextprotocol/sdk/dist/cjs/server/streamableHttp.js"],
+      "@modelcontextprotocol/sdk/server/auth/router": ["./node_modules/@modelcontextprotocol/sdk/dist/cjs/server/auth/router.js"],
+      "@modelcontextprotocol/sdk/server/auth/handlers/authorize": ["./node_modules/@modelcontextprotocol/sdk/dist/cjs/server/auth/handlers/authorize.js"],
+      "@modelcontextprotocol/sdk/server/auth/handlers/register": ["./node_modules/@modelcontextprotocol/sdk/dist/cjs/server/auth/handlers/register.js"],
+      "@modelcontextprotocol/sdk/server/auth/provider": ["./node_modules/@modelcontextprotocol/sdk/dist/cjs/server/auth/provider.js"],
+      "@modelcontextprotocol/sdk/server/auth/clients": ["./node_modules/@modelcontextprotocol/sdk/dist/cjs/server/auth/clients.js"],
+      "@modelcontextprotocol/sdk/server/auth/errors": ["./node_modules/@modelcontextprotocol/sdk/dist/cjs/server/auth/errors.js"],
+      "@modelcontextprotocol/sdk/server/auth/types": ["./node_modules/@modelcontextprotocol/sdk/dist/cjs/server/auth/types.js"],
+      "@modelcontextprotocol/sdk/shared/auth": ["./node_modules/@modelcontextprotocol/sdk/dist/cjs/shared/auth.js"]
     }
   },
   "include": ["src"],

server/vitest.config.ts

@@ -1,6 +1,18 @@
 import { defineConfig } from 'vitest/config';
+import swc from 'unplugin-swc';
 
 export default defineConfig({
+  // SWC transform so NestJS decorator metadata is emitted in tests
+  // (vitest's default esbuild does not emit it -> type-based DI would break).
+  plugins: [
+    swc.vite({
+      jsc: {
+        parser: { syntax: 'typescript', decorators: true },
+        transform: { legacyDecorator: true, decoratorMetadata: true },
+        keepClassNames: true,
+      },
+    }),
+  ],
   test: {
     root: '.',
     include: ['tests/**/*.test.ts'],
@@ -16,10 +28,19 @@ export default defineConfig({
       reporter: ['lcov', 'text'],
       reportsDirectory: './coverage',
       include: ['src/**/*.ts'],
+      // Coverage gate scoped to the new NestJS code only — the legacy codebase
+      // is intentionally ungated. Raised to the DoD's >=80% bar once the first
+      // module (weather) landed; ratchet further as more modules are migrated.
+      thresholds: {
+        'src/nest/**/*.ts': { statements: 80, branches: 80, functions: 80, lines: 80 },
+      },
     },
   },
   resolve: {
     alias: {
+      // @trek/shared — Zod contract package (tests resolve it to TS source,
+      // mirroring the tsconfig `paths` the tsx runtime uses).
+      '@trek/shared': new URL('../shared/src/index.ts', import.meta.url).pathname,
       '@modelcontextprotocol/sdk/server/mcp': new URL(
           './node_modules/@modelcontextprotocol/sdk/dist/cjs/server/mcp.js',
           import.meta.url
@@ -37,5 +58,12 @@ export default defineConfig({
           import.meta.url
       ).pathname,
     },
+    // The server build emits @trek/shared next to its source (shared/src/*.js,
+    // needed by the prod dist via tsc-alias). Vite's default extension order
+    // prefers .js over .ts, so after a build the tests would load that compiled
+    // CJS instead of the source — and its `require('zod')` is unresolvable from
+    // the shared/ dir on CI (only server deps are installed there). Resolve .ts
+    // first so tests always run the source, whose zod import resolves via Vite.
+    extensions: ['.ts', '.mts', '.mjs', '.js', '.cts', '.cjs', '.tsx', '.jsx', '.json'],
   },
 });

shared/README.md

@@ -0,0 +1,32 @@
+# @trek/shared
+
+Single source of truth for TREK's API contracts, expressed as [Zod](https://zod.dev) schemas
+and consumed by **both** the server (request validation + inferred DTO types) and the client
+(typed requests/responses).
+
+This package is part of the incremental NestJS + React 19 migration
+(see the "Brownfield Rewrite" board). It is intentionally **dormant** until modules start
+importing it — adding it changes nothing for users.
+
+## Rules
+
+- **One folder per domain**: `src/<domain>/<domain>.schema.ts` (+ `.spec.ts`).
+- Domain-agnostic building blocks live in `src/common/`.
+- A route is only considered **migrated** once its contract lives here.
+- Schemas are the source of truth; server DTOs and client types are *inferred* from them
+  (`z.infer<typeof schema>`), never hand-duplicated.
+
+## Consumption (dev)
+
+Both apps resolve `@trek/shared` to this package's TypeScript source:
+
+- **Server** (`tsx`): via `paths` in `server/tsconfig.json`.
+- **Client** (`vite`): via `resolve.alias` in `client/vite.config.ts` (+ `paths` for the type-checker).
+
+> Production packaging (Docker / workspace wiring) is introduced in card **F2**, when the
+> server first depends on this package at runtime. Until then prod builds are untouched.
+
+## Not yet here
+
+The canonical **error envelope** is finalised in card **F5** (it must match TREK's current
+Express error responses byte-for-byte), so it is deliberately not invented in F1.

shared/package.json

@@ -0,0 +1,25 @@
+{
+  "name": "@trek/shared",
+  "version": "0.0.0",
+  "private": true,
+  "description": "Shared API contracts (Zod schemas) — single source of truth for TREK server and client.",
+  "type": "module",
+  "main": "./src/index.ts",
+  "types": "./src/index.ts",
+  "exports": {
+    ".": "./src/index.ts",
+    "./*": "./src/*.ts"
+  },
+  "scripts": {
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "typecheck": "tsc --noEmit"
+  },
+  "dependencies": {
+    "zod": "^4.3.6"
+  },
+  "devDependencies": {
+    "typescript": "^6.0.2",
+    "vitest": "^3.2.4"
+  }
+}

shared/src/common/pagination.schema.ts

@@ -0,0 +1,12 @@
+import { z } from 'zod';
+
+/**
+ * Generic pagination query helper. Individual endpoints opt in by extending
+ * this; it is NOT applied globally (many TREK list endpoints return full sets).
+ * Defaults are conservative and only used where a route already paginates.
+ */
+export const paginationQuerySchema = z.object({
+  page: z.coerce.number().int().min(1).default(1),
+  perPage: z.coerce.number().int().min(1).max(200).default(50),
+});
+export type PaginationQuery = z.infer<typeof paginationQuerySchema>;

shared/src/common/primitives.schema.spec.ts

@@ -0,0 +1,39 @@
+import { describe, it, expect } from 'vitest';
+import { idSchema, idParamSchema, nonEmptyString, isoDateTime } from './primitives.schema';
+import { paginationQuerySchema } from './pagination.schema';
+
+describe('@trek/shared primitives', () => {
+  it('idSchema accepts positive integers, rejects others', () => {
+    expect(idSchema.parse(1)).toBe(1);
+    expect(idSchema.safeParse(0).success).toBe(false);
+    expect(idSchema.safeParse(-3).success).toBe(false);
+    expect(idSchema.safeParse(1.5).success).toBe(false);
+  });
+
+  it('idParamSchema coerces string params to a positive int', () => {
+    expect(idParamSchema.parse('42')).toBe(42);
+    expect(idParamSchema.safeParse('abc').success).toBe(false);
+  });
+
+  it('nonEmptyString trims and rejects empty', () => {
+    expect(nonEmptyString.parse('  hi ')).toBe('hi');
+    expect(nonEmptyString.safeParse('   ').success).toBe(false);
+  });
+
+  it('isoDateTime accepts an ISO timestamp', () => {
+    expect(isoDateTime.safeParse('2026-05-25T08:38:14Z').success).toBe(true);
+    expect(isoDateTime.safeParse('not-a-date').success).toBe(false);
+  });
+});
+
+describe('@trek/shared pagination', () => {
+  it('applies defaults and coerces', () => {
+    expect(paginationQuerySchema.parse({})).toEqual({ page: 1, perPage: 50 });
+    expect(paginationQuerySchema.parse({ page: '2', perPage: '10' })).toEqual({ page: 2, perPage: 10 });
+  });
+
+  it('enforces bounds', () => {
+    expect(paginationQuerySchema.safeParse({ perPage: 0 }).success).toBe(false);
+    expect(paginationQuerySchema.safeParse({ perPage: 999 }).success).toBe(false);
+  });
+});

shared/src/common/primitives.schema.ts

@@ -0,0 +1,22 @@
+import { z } from 'zod';
+
+/**
+ * Primitive, domain-agnostic building blocks shared by every contract.
+ * Domain schemas (trips, places, ...) live in their own folders and reuse these.
+ */
+
+/** TREK uses auto-increment integer primary keys. */
+export const idSchema = z.number().int().positive();
+export type Id = z.infer<typeof idSchema>;
+
+/**
+ * Numeric id coming from a URL param / query string. Express hands these over
+ * as strings, so we coerce, then enforce a positive integer.
+ */
+export const idParamSchema = z.coerce.number().int().positive();
+
+/** Non-empty, trimmed string. */
+export const nonEmptyString = z.string().trim().min(1);
+
+/** ISO-8601 timestamp string (the shape TREK serialises dates as in JSON). */
+export const isoDateTime = z.string().datetime({ offset: true });

shared/src/index.ts

@@ -0,0 +1,15 @@
+/**
+ * @trek/shared — single source of truth for TREK's API contracts.
+ *
+ * Zod schemas defined here are consumed by BOTH the server (validation +
+ * inferred DTO types) and the client (typed requests/responses). A route is
+ * only considered "migrated" once its contract lives in this package.
+ *
+ * Layout: one folder per domain (e.g. src/trip/trip.schema.ts), plus the
+ * domain-agnostic primitives below. See the board card "Module blueprint".
+ */
+export * from './common/primitives.schema';
+export * from './common/pagination.schema';
+
+// Domain contracts
+export * from './weather/weather.schema';

shared/src/weather/weather.schema.spec.ts

@@ -0,0 +1,53 @@
+import { describe, it, expect } from 'vitest';
+import {
+  weatherQuerySchema,
+  detailedWeatherQuerySchema,
+  weatherResultSchema,
+} from './weather.schema';
+
+describe('weatherQuerySchema', () => {
+  it('accepts lat/lng and defaults lang to "de"', () => {
+    const parsed = weatherQuerySchema.parse({ lat: '52.5', lng: '13.4' });
+    expect(parsed).toEqual({ lat: '52.5', lng: '13.4', lang: 'de' });
+  });
+
+  it('keeps an explicit lang and optional date', () => {
+    const parsed = weatherQuerySchema.parse({ lat: '1', lng: '2', date: '2026-07-01', lang: 'en' });
+    expect(parsed.lang).toBe('en');
+    expect(parsed.date).toBe('2026-07-01');
+  });
+
+  it('rejects missing lat/lng', () => {
+    expect(weatherQuerySchema.safeParse({ lng: '13.4' }).success).toBe(false);
+    expect(weatherQuerySchema.safeParse({ lat: '', lng: '13.4' }).success).toBe(false);
+  });
+});
+
+describe('detailedWeatherQuerySchema', () => {
+  it('requires a date', () => {
+    expect(detailedWeatherQuerySchema.safeParse({ lat: '1', lng: '2' }).success).toBe(false);
+    expect(detailedWeatherQuerySchema.safeParse({ lat: '1', lng: '2', date: '2026-07-01' }).success).toBe(true);
+  });
+});
+
+describe('weatherResultSchema', () => {
+  it('accepts a minimal current-weather result', () => {
+    const r = weatherResultSchema.parse({ temp: 21, main: 'Clear', description: 'Klar', type: 'current' });
+    expect(r.temp).toBe(21);
+  });
+
+  it('accepts a detailed result with hourly entries and a no_forecast error', () => {
+    expect(
+      weatherResultSchema.safeParse({
+        temp: 0, main: '', description: '', type: '', error: 'no_forecast',
+      }).success,
+    ).toBe(true);
+    expect(
+      weatherResultSchema.safeParse({
+        temp: 18, main: 'Rain', description: 'Regen', type: 'forecast',
+        sunrise: '05:30', sunset: '21:10', precipitation_sum: 2.4,
+        hourly: [{ hour: 9, temp: 17, precipitation: 0.1, precipitation_probability: 20, main: 'Clouds', wind: 12, humidity: 80 }],
+      }).success,
+    ).toBe(true);
+  });
+});

shared/src/weather/weather.schema.ts

@@ -0,0 +1,60 @@
+import { z } from 'zod';
+
+/**
+ * Weather API contract — single source of truth for the /api/weather endpoints.
+ *
+ * The legacy Express routes treat lat/lng as opaque strings (they are parsed with
+ * parseFloat inside the service) and only check for presence, so the query schemas
+ * mirror that: non-empty strings, not coerced numbers. `lang` defaults to 'de',
+ * matching the Express default.
+ *
+ * The bespoke "X is required" 400 messages are reproduced in the controller, not
+ * derived from these schemas, so the error body stays byte-identical to Express.
+ */
+
+export const weatherQuerySchema = z.object({
+  lat: z.string().min(1),
+  lng: z.string().min(1),
+  date: z.string().min(1).optional(),
+  lang: z.string().min(1).default('de'),
+});
+export type WeatherQuery = z.infer<typeof weatherQuerySchema>;
+
+/** Detailed weather requires a date (the Express route 400s without it). */
+export const detailedWeatherQuerySchema = weatherQuerySchema.extend({
+  date: z.string().min(1),
+});
+export type DetailedWeatherQuery = z.infer<typeof detailedWeatherQuerySchema>;
+
+export const hourlyEntrySchema = z.object({
+  hour: z.number(),
+  temp: z.number(),
+  precipitation: z.number(),
+  precipitation_probability: z.number(),
+  main: z.string(),
+  wind: z.number(),
+  humidity: z.number(),
+});
+export type HourlyEntry = z.infer<typeof hourlyEntrySchema>;
+
+/**
+ * Weather response DTO. Fields are optional because the Express service emits
+ * different subsets depending on the request type (current / forecast / climate /
+ * detailed) and on error (`{ ..., error: 'no_forecast' }`).
+ */
+export const weatherResultSchema = z.object({
+  temp: z.number(),
+  temp_max: z.number().optional(),
+  temp_min: z.number().optional(),
+  main: z.string(),
+  description: z.string(),
+  type: z.string(),
+  sunrise: z.string().nullable().optional(),
+  sunset: z.string().nullable().optional(),
+  precipitation_sum: z.number().optional(),
+  precipitation_probability_max: z.number().optional(),
+  wind_max: z.number().optional(),
+  hourly: z.array(hourlyEntrySchema).optional(),
+  error: z.string().optional(),
+});
+export type WeatherResult = z.infer<typeof weatherResultSchema>;

shared/tsconfig.json

@@ -0,0 +1,16 @@
+{
+  "compilerOptions": {
+    "target": "ES2022",
+    "module": "ESNext",
+    "moduleResolution": "Bundler",
+    "lib": ["ES2022"],
+    "declaration": true,
+    "strict": true,
+    "noUncheckedIndexedAccess": true,
+    "esModuleInterop": true,
+    "skipLibCheck": true,
+    "forceConsistentCasingInFileNames": true,
+    "noEmit": true
+  },
+  "include": ["src"]
+}