chore: bump version to 2.9.8 [skip ci]

Bidirectional substring matching in isVisitedFeature caused unrelated
regions to be highlighted as visited (e.g. selecting Nordrhein-Westfalen
also marked Nord France due to "nord" being a substring match).

Replace the fuzzy loop with an additional exact check against the Natural
Earth name_en property to cover English-vs-native name mismatches.
Also fix Nominatim field priority to prefer state over county so
reverse-geocoded places resolve to the correct admin-1 level.

Adds integration tests ATLAS-009 through ATLAS-011 covering mark/unmark
region endpoints and user isolation.

Fixes #446

README.md

@@ -161,6 +161,7 @@ services:
       # - ADMIN_EMAIL=admin@trek.local # Initial admin e-mail — only used on first boot when no users exist
       # - ADMIN_PASSWORD=changeme      # Initial admin password — only used on first boot when no users exist
       # - MCP_RATE_LIMIT=60 # Max MCP API requests per user per minute (default: 60)
+      # - MCP_MAX_SESSION_PER_USER=5 # Max concurrent MCP sessions per user (default: 5)
     volumes:
       - ./data:/app/data
       - ./uploads:/app/uploads
@@ -303,6 +304,7 @@ trek.yourdomain.com {
 | **Other** | | |
 | `DEMO_MODE` | Enable demo mode (hourly data resets) | `false` |
 | `MCP_RATE_LIMIT` | Max MCP API requests per user per minute | `60` |
+| `MCP_MAX_SESSION_PER_USER` | Max concurrent MCP sessions per user | `5` |
 
 ## Optional API Keys
 

chart/values.yaml

@@ -53,6 +53,8 @@ env:
   # Enable demo mode (hourly data resets).
   # MCP_RATE_LIMIT: "60"
   # Max MCP API requests per user per minute. Defaults to 60.
+  # MCP_MAX_SESSION_PER_USER: "5"
+  # Max concurrent MCP sessions per user. Defaults to 5.
 
 
 # Secret environment variables stored in a Kubernetes Secret.

client/package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "trek-client",
-  "version": "2.9.6",
+  "version": "2.9.8",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "trek-client",
-      "version": "2.9.6",
+      "version": "2.9.8",
       "dependencies": {
         "@react-pdf/renderer": "^4.3.2",
         "axios": "^1.6.7",

client/package.json

@@ -1,6 +1,6 @@
 {
   "name": "trek-client",
-  "version": "2.9.6",
+  "version": "2.9.8",
   "private": true,
   "type": "module",
   "scripts": {

client/src/pages/AtlasPage.tsx

@@ -480,15 +480,13 @@ export default function AtlasPage(): React.ReactElement {
       }
     }
 
-    // Match feature by ISO code OR region name
+    // Match feature by ISO code OR region name (native or English)
     const isVisitedFeature = (f: any) => {
       if (visitedRegionCodes.has(f.properties?.iso_3166_2)) return true
       const name = (f.properties?.name || '').toLowerCase()
       if (visitedRegionNames.has(name)) return true
-      // Fuzzy: check if any visited name is contained in feature name or vice versa
-      for (const vn of visitedRegionNames) {
-        if (name.includes(vn) || vn.includes(name)) return true
-      }
+      const nameEn = (f.properties?.name_en || '').toLowerCase()
+      if (nameEn && visitedRegionNames.has(nameEn)) return true
       return false
     }
 
@@ -535,15 +533,16 @@ export default function AtlasPage(): React.ReactElement {
       },
       onEachFeature: (feature, layer) => {
         const regionName = feature?.properties?.name || ''
+        const regionNameEn = feature?.properties?.name_en || ''
         const countryName = feature?.properties?.admin || ''
         const regionCode = feature?.properties?.iso_3166_2 || ''
         const countryA2 = (feature?.properties?.iso_a2 || '').toUpperCase()
         const visited = isVisitedFeature(feature)
-        const count = regionPlaceCounts[regionCode] || regionPlaceCounts[regionName.toLowerCase()] || 0
+        const count = regionPlaceCounts[regionCode] || regionPlaceCounts[regionName.toLowerCase()] || regionPlaceCounts[regionNameEn.toLowerCase()] || 0
         layer.on('click', () => {
           if (!countryA2) return
           if (visited) {
-            const regionEntry = visitedRegions[countryA2]?.find(r => r.code === regionCode)
+            const regionEntry = visitedRegions[countryA2]?.find(r => r.code === regionCode || r.name.toLowerCase() === regionNameEn.toLowerCase())
             if (regionEntry?.manuallyMarked) {
               setConfirmActionRef.current({
                 type: 'unmark-region',

docker-compose.yml

@@ -39,6 +39,7 @@ services:
 #      - ADMIN_EMAIL=admin@trek.local # Initial admin e-mail — only used on first boot when no users exist
 #      - ADMIN_PASSWORD=changeme      # Initial admin password — only used on first boot when no users exist
 #      - MCP_RATE_LIMIT=60 # Max MCP API requests per user per minute (default: 60)
+#      - MCP_MAX_SESSION_PER_USER=5 # Max concurrent MCP sessions per user (default: 5)
     volumes:
       - ./data:/app/data
       - ./uploads:/app/uploads

server/.env.example

@@ -29,6 +29,7 @@ OIDC_SCOPE=openid email profile # Fully overrides the default. Add extra scopes
 DEMO_MODE=false # Demo mode - resets data hourly
 
 # MCP_RATE_LIMIT=60 # Max MCP API requests per user per minute (default: 60)
+# MCP_MAX_SESSION_PER_USER=5 # Max concurrent MCP sessions per user (default: 5)
 
 # Initial admin account — only used on first boot when no users exist yet.
 # If both are set the admin account is created with these credentials.

server/package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "trek-server",
-  "version": "2.9.6",
+  "version": "2.9.8",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "trek-server",
-      "version": "2.9.6",
+      "version": "2.9.8",
       "dependencies": {
         "@modelcontextprotocol/sdk": "^1.28.0",
         "archiver": "^6.0.1",

server/package.json

@@ -1,6 +1,6 @@
 {
   "name": "trek-server",
-  "version": "2.9.6",
+  "version": "2.9.8",
   "main": "src/index.ts",
   "scripts": {
     "start": "node --import tsx src/index.ts",

server/src/mcp/index.ts

@@ -18,7 +18,8 @@ interface McpSession {
 const sessions = new Map<string, McpSession>();
 
 const SESSION_TTL_MS = 60 * 60 * 1000; // 1 hour
-const MAX_SESSIONS_PER_USER = 5;
+const sessionParsed = Number.parseInt(process.env.MCP_MAX_SESSION_PER_USER ?? "");
+const MAX_SESSIONS_PER_USER = Number.isFinite(sessionParsed) && sessionParsed > 0 ? sessionParsed : 5;
 const RATE_LIMIT_WINDOW_MS = 60 * 1000; // 1 minute
 const parsed = Number.parseInt(process.env.MCP_RATE_LIMIT ?? "");
 const RATE_LIMIT_MAX = Number.isFinite(parsed) && parsed > 0 ? parsed : 60; // requests per minute per user

server/src/services/atlasService.ts

@@ -421,7 +421,7 @@ async function reverseGeocodeRegion(lat: number, lng: number): Promise<RegionInf
     if (regionCode && /^[A-Z]{2}-\d+[A-Z]$/i.test(regionCode)) {
       regionCode = regionCode.replace(/[A-Z]$/i, '');
     }
-    const regionName = data.address?.county || data.address?.state || data.address?.province || data.address?.region || data.address?.city || null;
+    const regionName = data.address?.state || data.address?.province || data.address?.region || data.address?.county || data.address?.city || null;
     if (!countryCode || !regionName) { regionCache.set(key, null); return null; }
     const info: RegionInfo = {
       country_code: countryCode,

server/tests/integration/atlas.test.ts

@@ -202,3 +202,184 @@ describe('Bucket list', () => {
     expect(res.status).toBe(404);
   });
 });
+
+describe('Mark/unmark region', () => {
+  it('ATLAS-009 — POST /region/:code/mark marks a region as visited', async () => {
+    const { user } = createUser(testDb);
+
+    const res = await request(app)
+      .post('/api/addons/atlas/region/DE-NW/mark')
+      .set('Cookie', authCookie(user.id))
+      .send({ name: 'Nordrhein-Westfalen', country_code: 'DE' });
+
+    expect(res.status).toBe(200);
+    expect(res.body.success).toBe(true);
+  });
+
+  it('ATLAS-009 — POST /region/:code/mark without name returns 400', async () => {
+    const { user } = createUser(testDb);
+
+    const res = await request(app)
+      .post('/api/addons/atlas/region/DE-NW/mark')
+      .set('Cookie', authCookie(user.id))
+      .send({ country_code: 'DE' });
+
+    expect(res.status).toBe(400);
+  });
+
+  it('ATLAS-009 — POST /region/:code/mark without country_code returns 400', async () => {
+    const { user } = createUser(testDb);
+
+    const res = await request(app)
+      .post('/api/addons/atlas/region/DE-NW/mark')
+      .set('Cookie', authCookie(user.id))
+      .send({ name: 'Nordrhein-Westfalen' });
+
+    expect(res.status).toBe(400);
+  });
+
+  it('ATLAS-009 — marking a region also auto-marks the parent country', async () => {
+    const { user } = createUser(testDb);
+
+    await request(app)
+      .post('/api/addons/atlas/region/DE-NW/mark')
+      .set('Cookie', authCookie(user.id))
+      .send({ name: 'Nordrhein-Westfalen', country_code: 'DE' });
+
+    const stats = await request(app)
+      .get('/api/addons/atlas/stats')
+      .set('Cookie', authCookie(user.id));
+
+    const codes = (stats.body.countries as any[]).map((c: any) => c.code);
+    expect(codes).toContain('DE');
+  });
+
+  it('ATLAS-009 — marking the same region twice is idempotent', async () => {
+    const { user } = createUser(testDb);
+
+    await request(app)
+      .post('/api/addons/atlas/region/DE-NW/mark')
+      .set('Cookie', authCookie(user.id))
+      .send({ name: 'Nordrhein-Westfalen', country_code: 'DE' });
+
+    const res = await request(app)
+      .post('/api/addons/atlas/region/DE-NW/mark')
+      .set('Cookie', authCookie(user.id))
+      .send({ name: 'Nordrhein-Westfalen', country_code: 'DE' });
+
+    expect(res.status).toBe(200);
+  });
+
+  it('ATLAS-010 — GET /regions returns marked regions grouped by country', async () => {
+    const { user } = createUser(testDb);
+
+    await request(app)
+      .post('/api/addons/atlas/region/DE-NW/mark')
+      .set('Cookie', authCookie(user.id))
+      .send({ name: 'Nordrhein-Westfalen', country_code: 'DE' });
+
+    await request(app)
+      .post('/api/addons/atlas/region/DE-BY/mark')
+      .set('Cookie', authCookie(user.id))
+      .send({ name: 'Bayern', country_code: 'DE' });
+
+    const res = await request(app)
+      .get('/api/addons/atlas/regions')
+      .set('Cookie', authCookie(user.id));
+
+    expect(res.status).toBe(200);
+    expect(res.body).toHaveProperty('regions');
+    const deRegions = res.body.regions['DE'] as any[];
+    expect(deRegions).toBeDefined();
+    const codes = deRegions.map((r: any) => r.code);
+    expect(codes).toContain('DE-NW');
+    expect(codes).toContain('DE-BY');
+  });
+
+  it('ATLAS-011 — DELETE /region/:code/mark unmarks a region', async () => {
+    const { user } = createUser(testDb);
+
+    await request(app)
+      .post('/api/addons/atlas/region/DE-NW/mark')
+      .set('Cookie', authCookie(user.id))
+      .send({ name: 'Nordrhein-Westfalen', country_code: 'DE' });
+
+    const del = await request(app)
+      .delete('/api/addons/atlas/region/DE-NW/mark')
+      .set('Cookie', authCookie(user.id));
+
+    expect(del.status).toBe(200);
+    expect(del.body.success).toBe(true);
+
+    const res = await request(app)
+      .get('/api/addons/atlas/regions')
+      .set('Cookie', authCookie(user.id));
+
+    const deRegions = res.body.regions['DE'] as any[] | undefined;
+    const codes = (deRegions || []).map((r: any) => r.code);
+    expect(codes).not.toContain('DE-NW');
+  });
+
+  it('ATLAS-011 — unmark last region in country also unmarks the parent country', async () => {
+    const { user } = createUser(testDb);
+
+    await request(app)
+      .post('/api/addons/atlas/region/DE-NW/mark')
+      .set('Cookie', authCookie(user.id))
+      .send({ name: 'Nordrhein-Westfalen', country_code: 'DE' });
+
+    await request(app)
+      .delete('/api/addons/atlas/region/DE-NW/mark')
+      .set('Cookie', authCookie(user.id));
+
+    const stats = await request(app)
+      .get('/api/addons/atlas/stats')
+      .set('Cookie', authCookie(user.id));
+
+    const codes = (stats.body.countries as any[]).map((c: any) => c.code);
+    expect(codes).not.toContain('DE');
+  });
+
+  it('ATLAS-011 — unmark one region keeps country when another region remains', async () => {
+    const { user } = createUser(testDb);
+
+    await request(app)
+      .post('/api/addons/atlas/region/DE-NW/mark')
+      .set('Cookie', authCookie(user.id))
+      .send({ name: 'Nordrhein-Westfalen', country_code: 'DE' });
+
+    await request(app)
+      .post('/api/addons/atlas/region/DE-BY/mark')
+      .set('Cookie', authCookie(user.id))
+      .send({ name: 'Bayern', country_code: 'DE' });
+
+    await request(app)
+      .delete('/api/addons/atlas/region/DE-NW/mark')
+      .set('Cookie', authCookie(user.id));
+
+    const stats = await request(app)
+      .get('/api/addons/atlas/stats')
+      .set('Cookie', authCookie(user.id));
+
+    const codes = (stats.body.countries as any[]).map((c: any) => c.code);
+    expect(codes).toContain('DE');
+  });
+
+  it('ATLAS-011 — regions are isolated between users', async () => {
+    const { user: user1 } = createUser(testDb);
+    const { user: user2 } = createUser(testDb);
+
+    await request(app)
+      .post('/api/addons/atlas/region/DE-NW/mark')
+      .set('Cookie', authCookie(user1.id))
+      .send({ name: 'Nordrhein-Westfalen', country_code: 'DE' });
+
+    const res = await request(app)
+      .get('/api/addons/atlas/regions')
+      .set('Cookie', authCookie(user2.id));
+
+    expect(res.status).toBe(200);
+    const deRegions = res.body.regions['DE'] as any[] | undefined;
+    expect(deRegions).toBeUndefined();
+  });
+});

unraid-template.xml

@@ -58,4 +58,5 @@
   <!-- Other -->
   <Config Name="DEMO_MODE" Target="DEMO_MODE" Default="false" Mode="" Description="Enable demo mode (resets all data hourly). Not intended for regular use." Type="Variable" Display="advanced" Required="false" Mask="false">false</Config>
   <Config Name="MCP_RATE_LIMIT" Target="MCP_RATE_LIMIT" Default="60" Mode="" Description="Max MCP API requests per user per minute." Type="Variable" Display="advanced" Required="false" Mask="false">60</Config>
+  <Config Name="MCP_MAX_SESSION_PER_USER" Target="MCP_MAX_SESSION_PER_USER" Default="5" Mode="" Description="Max concurrent MCP sessions per user." Type="Variable" Display="advanced" Required="false" Mask="false">5</Config>
 </Container>