feat(costs): create an expense from a booking, fix editing total-only items

Replace the inline price + budget-category fields in the Transport and Reservation booking modals with a "Create expense" flow: the modal saves the booking, then opens the full Costs editor prefilled (name + category mapped from the booking type) and linked to the reservation. A booking with a linked expense shows it inline with edit / remove. Also fix the Costs editor so an expense with a recorded total but no payers (transport-derived or pre-rework items) opens with its amount, lets you set the currency, and saves - it previously showed 0 everywhere and could not be saved. Legacy / localized categories now map to the fixed keys, and changing a booking's type keeps its linked expense category in sync (unless it was manually set). - shared: reservation_id on budget create, typeToCostCategory helper, i18n keys - server: createBudgetItem stores reservation_id; keep total_price for payerless items; a booking update no longer wipes its linked expense and syncs the category on type change - client: shared BookingCostsSection, exported ExpenseModal with prefill and an editable total, page-level save-then-open wiring
feat(backup): make the upload size limit configurable
2026-06-19 13:21:46 +00:00 · 2026-06-17 22:11:56 +02:00 · 2026-06-17 21:00:36 +02:00 · 2026-06-17 21:00:19 +02:00 · 2026-06-17 21:00:04 +02:00 · 2026-06-17 15:23:54 +02:00
180 changed files with 14116 additions and 3624 deletions
@@ -34,4 +34,5 @@ jobs:
          command: cves
          image: trek:scan
          only-severities: critical,high
+          only-fixed: true
          exit-code: true
@@ -1,3 +1,10 @@
+# ── Stage 0: gosu ────────────────────────────────────────────────────────────
+# Rebuild gosu with a current Go toolchain so the runtime image ships no stale
+# Go stdlib (Debian's apt gosu is built with an old Go that trips CVE scanners).
+# The binary and its runtime behaviour are identical to the apt package.
+FROM golang:1.25-alpine AS gosu-build
+RUN CGO_ENABLED=0 GOBIN=/out go install github.com/tianon/gosu@latest
+
 # ── Stage 1: shared ──────────────────────────────────────────────────────────
 FROM node:24-alpine AS shared-builder
 WORKDIR /app
@@ -44,7 +51,7 @@ COPY server/package.json ./server/
 #   amd64 — static binary from KDE CDN (glibc 2.17+; wget stays for healthcheck)
 #   arm64 — apt package (KDE publishes no arm64 static binary)
 RUN apt-get update && \
-    apt-get install -y --no-install-recommends tzdata dumb-init gosu wget ca-certificates python3 build-essential && \
+    apt-get install -y --no-install-recommends tzdata dumb-init wget ca-certificates python3 build-essential && \
    npm ci --workspace=server --omit=dev && \
    ARCH=$(dpkg --print-architecture) && \
    if [ "$ARCH" = "amd64" ]; then \
@@ -60,6 +67,9 @@ RUN apt-get update && \
    apt-get autoremove -y && \
    rm -rf /var/lib/apt/lists/* /usr/local/lib/node_modules/npm /usr/local/bin/npm /usr/local/bin/npx

+# gosu rebuilt with a current Go toolchain (stage 0) — used by CMD to drop to node.
+COPY --from=gosu-build /out/gosu /usr/local/bin/gosu
+
 ENV XDG_CACHE_HOME=/tmp/kf6-cache
 # Prevent Qt from probing for a display in headless containers.
 ENV QT_QPA_PLATFORM=offscreen
@@ -75,6 +85,10 @@ COPY --from=server-builder /app/server/dist ./server/dist
 COPY --from=server-builder /app/server/assets ./server/assets
 # tsconfig-paths/register reads this at runtime to resolve MCP SDK paths.
 COPY server/tsconfig.json ./server/
+# Encryption-key rotation is run on demand via tsx (a prod dep) straight from the
+# raw .ts source — it never enters dist, so it must be copied in explicitly or
+# `node --import tsx scripts/migrate-encryption.ts` fails with module-not-found.
+COPY server/scripts/migrate-encryption.ts ./server/scripts/migrate-encryption.ts
 COPY --from=shared-builder /app/shared/dist ./shared/dist
 COPY --from=client-builder /app/client/dist ./server/public
 COPY --from=client-builder /app/client/public/fonts ./server/public/fonts
@@ -95,5 +109,8 @@ HEALTHCHECK --interval=30s --timeout=5s --start-period=15s --retries=3 \
  CMD wget -qO- http://localhost:3000/api/health || exit 1

 ENTRYPOINT ["dumb-init", "--"]
+# Preflight: if the app code is missing, a volume was almost certainly mounted
+# over /app (it hides the image's node_modules + dist). Fail with actionable
+# guidance instead of a cryptic "Cannot find module 'tsconfig-paths/register'".
 # cd into server/ so tsconfig-paths/register finds tsconfig.json and ../node_modules resolves correctly.
-CMD ["sh", "-c", "chown -R node:node /app/data /app/uploads 2>/dev/null || true; cd /app/server && exec gosu node node --require tsconfig-paths/register dist/index.js"]
+CMD ["sh", "-c", "if [ ! -f /app/server/dist/index.js ] || [ ! -d /app/node_modules/tsconfig-paths ]; then echo 'FATAL: TREK application files are missing from the image.'; echo 'A volume is likely mounted over /app, which hides the app code.'; echo 'Mount ONLY your data and uploads dirs: -v ./data:/app/data -v ./uploads:/app/uploads'; echo 'Do NOT mount a volume at /app. See the Troubleshooting section of the README.'; exit 1; fi; chown -R node:node /app/data /app/uploads 2>/dev/null || true; cd /app/server && exec gosu node node --require tsconfig-paths/register dist/index.js"]
@@ -51,10 +51,10 @@ A self-hosted, real-time collaborative travel planner — with maps, budgets, pa
  <a href="docs/screenshots/dashboard.png"><img src="docs/screenshots/dashboard.png" alt="Dashboard" width="49%" /></a>
  <a href="docs/screenshots/trip-planner.png"><img src="docs/screenshots/trip-planner.png" alt="Trip planner with 3D map" width="49%" /></a>
  <a href="docs/screenshots/journey.png"><img src="docs/screenshots/journey.png" alt="Journey journal" width="49%" /></a>
-  <a href="docs/screenshots/budget.png"><img src="docs/screenshots/budget.png" alt="Budget tracker" width="49%" /></a>
+  <a href="docs/screenshots/budget.png"><img src="docs/screenshots/budget.png" alt="Costs · expense splitting" width="49%" /></a>
  <a href="docs/screenshots/atlas.png"><img src="docs/screenshots/atlas.png" alt="Atlas · visited countries" width="49%" /></a>
  <a href="docs/screenshots/vacay.png"><img src="docs/screenshots/vacay.png" alt="Vacay planner" width="49%" /></a>
-  <a href="docs/screenshots/trip-iceland.png"><img src="docs/screenshots/trip-iceland.png" alt="Iceland Ring Road" width="49%" /></a>
+  <a href="docs/screenshots/trip-iceland.png"><img src="docs/screenshots/trip-iceland.png" alt="Trip planner · day plan and route" width="49%" /></a>
  <a href="docs/screenshots/admin.png"><img src="docs/screenshots/admin.png" alt="Admin panel" width="49%" /></a>
 </div>

@@ -79,6 +79,7 @@ A self-hosted, real-time collaborative travel planner — with maps, budgets, pa
 - **Drag & drop planner** — organise places into day plans with reordering and cross-day moves
 - **Interactive map** — Leaflet or Mapbox GL with 3D buildings, terrain, photo markers, clustering, route visualization
 - **Place search** — Google Places (photos, ratings, hours) or OpenStreetMap (free, no API key)
+- **Place import** — shared Google Maps / Naver Maps lists, plus GPX and KML/KMZ/GeoJSON map files
 - **Day notes** — timestamped, icon-tagged notes with drag-and-drop reordering
 - **Route optimisation** — auto-sort places and export to Google Maps
 - **Weather forecasts** — 16-day via Open-Meteo (no key) + historical climate fallback
@@ -90,7 +91,7 @@ A self-hosted, real-time collaborative travel planner — with maps, budgets, pa
 #### 🧳 Travel management

 - **Reservations** — flights, accommodations, restaurants with status, confirmation numbers, files; import from booking confirmation emails and PDFs ([KDE Itinerary](https://invent.kde.org/pim/kitinerary))
- **Budget tracking** — category-based expenses with pie chart, per-person / per-day splits, multi-currency
+- **Costs** — track and split trip expenses (Splitwise-style): per-person / per-day breakdowns, settle-up, multi-currency
 - **Packing lists** — categories, templates, user assignment, progress tracking
 - **Bag tracking** — optional weight tracking with iOS-style distribution
 - **Document manager** — attach docs, tickets, PDFs to trips / places / reservations (≤ 50 MB each)
@@ -108,6 +109,7 @@ A self-hosted, real-time collaborative travel planner — with maps, budgets, pa
 - **Invite links** — one-time or reusable links with expiry
 - **SSO (OIDC)** — Google, Apple, Authentik, Keycloak, or any OIDC provider
 - **2FA** — TOTP + backup codes
+- **Passkeys** — passwordless WebAuthn login (fingerprint / face / PIN / security key), admin-toggleable
 - **Collab suite** — group chat, shared notes, polls, day check-ins

 </td>
@@ -128,13 +130,13 @@ A self-hosted, real-time collaborative travel planner — with maps, budgets, pa
 #### 🧩 Addons (admin-toggleable)

 - **Lists** — packing lists + to-dos with templates, member assignments, optional bag tracking
- **Budget** — expense tracker with splits, pie chart, multi-currency
+- **Costs** — expense tracker with splits and settle-up (who owes whom), multi-currency
 - **Documents** — file attachments on trips, places, and reservations
 - **Collab** — chat, notes, polls, day-by-day attendance
 - **Vacay** — personal vacation planner with calendar, 100+ country holidays, carry-over tracking
 - **Atlas** — world map of visited countries, bucket list, travel stats, streak tracking, liquid-glass UI
 - **Journey** — magazine-style travel journal with entries, photos (Immich/Synology), maps, moods
- **Naver List Import** — one-click import from shared Naver Maps lists
+- **AirTrail** — connect a self-hosted AirTrail instance to import and sync flights into reservations
 - **MCP** — expose TREK to AI assistants via OAuth 2.1

 </td>
@@ -156,8 +158,9 @@ A self-hosted, real-time collaborative travel planner — with maps, budgets, pa
 #### ⚙️ Admin & customisation

 - **Dashboard views** — card grid or compact list · **Dark mode** — full theme with matching status bar
- **15 languages** — EN, DE, ES, FR, IT, NL, HU, RU, ZH, ZH-TW, PL, CS, AR (RTL), BR, ID
+- **20 languages** — EN, DE, ES, FR, IT, NL, HU, RU, ZH, ZH-TW, PL, CS, AR (RTL), BR, ID, TR, JA, KO, UK, GR
 - **Admin panel** — users, invites, packing templates, categories, addons, API keys, backups, GitHub history
+- **Notifications** — per-user preferences across email (SMTP), webhook, ntfy, and an in-app notification center
 - **Auto-backups** — scheduled with configurable retention · **Units** — °C/°F, 12h/24h, map tile sources, default coordinates

 </td>
@@ -191,9 +194,9 @@ Open `http://localhost:3000`. On first boot TREK seeds an admin account — if y
 <div align="center">

 ![Node.js](https://img.shields.io/badge/Node.js_22-339933?style=flat-square&logo=node.js&logoColor=white)
-![Express](https://img.shields.io/badge/Express-000000?style=flat-square&logo=express&logoColor=white)
+![NestJS](https://img.shields.io/badge/NestJS_11-E0234E?style=flat-square&logo=nestjs&logoColor=white)
 ![SQLite](https://img.shields.io/badge/SQLite-003B57?style=flat-square&logo=sqlite&logoColor=white)
-![React](https://img.shields.io/badge/React_18-61DAFB?style=flat-square&logo=react&logoColor=black)
+![React](https://img.shields.io/badge/React_19-61DAFB?style=flat-square&logo=react&logoColor=black)
 ![Vite](https://img.shields.io/badge/Vite-646CFF?style=flat-square&logo=vite&logoColor=white)
 ![TypeScript](https://img.shields.io/badge/TypeScript-3178C6?style=flat-square&logo=typescript&logoColor=white)
 ![Tailwind](https://img.shields.io/badge/Tailwind-06B6D4?style=flat-square&logo=tailwindcss&logoColor=white)
@@ -202,7 +205,7 @@ Open `http://localhost:3000`. On first boot TREK seeds an admin account — if y

 </div>

-Real-time sync via WebSocket (`ws`). State with Zustand. Auth via JWT + OAuth 2.1 + OIDC + TOTP MFA. Weather via Open-Meteo (no key required). Maps with Leaflet and Mapbox GL.
+Real-time sync via WebSocket (`ws`). Backend on NestJS 11. State with Zustand. Auth via JWT + OAuth 2.1 + OIDC + Passkeys (WebAuthn) + TOTP MFA. Weather via Open-Meteo (no key required). Maps with Leaflet and Mapbox GL.

 <br />

@@ -263,7 +266,7 @@ Then:
 docker compose up -d
 ```

-**HTTPS notes:** `FORCE_HTTPS=true` is optional — it adds a 301 redirect, HSTS, CSP upgrade-insecure-requests, and forces the `secure` cookie flag. Only use it behind a TLS-terminating reverse proxy. `TRUST_PROXY=1` tells Express how many proxies sit in front so real client IPs and `X-Forwarded-Proto` work.
+**HTTPS notes:** `FORCE_HTTPS=true` is optional — it adds a 301 redirect, HSTS, CSP upgrade-insecure-requests, and forces the `secure` cookie flag. Only use it behind a TLS-terminating reverse proxy. `TRUST_PROXY=1` tells the server how many proxies sit in front so real client IPs and `X-Forwarded-Proto` work.

 </details>

@@ -311,6 +314,9 @@ docker run -d --name trek -p 3000:3000 -v ./data:/app/data -v ./uploads:/app/upl

 Your data stays in the mounted `data` and `uploads` volumes — updates never touch it.

+> [!IMPORTANT]
+> Mount **only** the data and uploads directories — `-v ./data:/app/data -v ./uploads:/app/uploads`. **Never mount a volume at `/app`.** Doing so hides the application code shipped in the image and the container fails to start with `Cannot find module 'tsconfig-paths/register'`. If you previously mounted `/app`, switch to the two mounts above; your data in `data/` and `uploads/` is preserved.
+
 <h3>Rotating the Encryption Key</h3>

 If you need to rotate `ENCRYPTION_KEY` (e.g. upgrading from a version that derived encryption from `JWT_SECRET`):
@@ -397,12 +403,14 @@ Caddy handles TLS and WebSockets automatically.
 | `ENCRYPTION_KEY` | At-rest encryption key for stored secrets (API keys, MFA, SMTP, OIDC). Recommended: generate with `openssl rand -hex 32`. If unset, falls back to `data/.jwt_secret` (existing installs) or auto-generates a key (fresh installs). | Auto |
 | `TZ` | Timezone for logs, reminders and cron jobs (e.g. `Europe/Berlin`) | `UTC` |
 | `LOG_LEVEL` | `info` = concise user actions, `debug` = verbose details | `info` |
-| `DEFAULT_LANGUAGE` | Default language on the login page for users with no saved preference. Browser/OS language is auto-detected first; this is the fallback. Supported: `de`, `en`, `es`, `fr`, `hu`, `nl`, `br`, `cs`, `pl`, `ru`, `zh`, `zh-TW`, `it`, `ar` | `en` |
+| `DEFAULT_LANGUAGE` | Default language on the login page for users with no saved preference. Browser/OS language is auto-detected first; this is the fallback. Supported: `de`, `en`, `es`, `fr`, `hu`, `nl`, `br`, `cs`, `pl`, `ru`, `zh`, `zh-TW`, `it`, `ar`, `id`, `tr`, `ja`, `ko`, `uk`, `gr` | `en` |
 | `ALLOWED_ORIGINS` | Comma-separated origins for CORS and email links | same-origin |
 | `FORCE_HTTPS` | Optional. When `true`: 301-redirects HTTP to HTTPS, sends HSTS, adds CSP `upgrade-insecure-requests`, forces the session cookie `secure` flag. Useful behind a TLS-terminating reverse proxy. Requires `TRUST_PROXY`. | `false` |
 | `HSTS_INCLUDE_SUBDOMAINS` | When `true`: adds the `includeSubDomains` directive to the HSTS header, extending HTTPS enforcement to all subdomains. Only effective when HSTS is active (`FORCE_HTTPS=true` or `NODE_ENV=production`). Leave `false` if you run other services on sibling subdomains over plain HTTP. | `false` |
 | `COOKIE_SECURE` | Controls the `secure` flag on the `trek_session` cookie. Auto-derived: on when `NODE_ENV=production` or `FORCE_HTTPS=true`. Escape hatch: set `false` to allow session cookies over plain HTTP. Not recommended in production. | auto |
-| `TRUST_PROXY` | Number of trusted reverse proxies. Tells Express to read client IP from `X-Forwarded-For` and protocol from `X-Forwarded-Proto`. Defaults to `1` in production; off in dev unless set. | `1` |
+| `SESSION_DURATION` | How long a login session stays valid when **"Remember me" is unchecked** (the default): sets the `trek_session` JWT `exp` and issues a browser-session cookie (cleared when the browser closes). Accepts `ms`-style strings: `1h`, `12h`, `7d`, `30d`, `90d`. Invalid values warn at startup and fall back to the default. | `24h` |
+| `SESSION_DURATION_REMEMBER` | Session length when **"Remember me" is ticked** at login: a longer-lived JWT plus a persistent `trek_session` cookie that survives browser restarts. Same format and startup-fallback behaviour as `SESSION_DURATION`. | `30d` |
+| `TRUST_PROXY` | Number of trusted reverse proxies. Tells the server to read client IP from `X-Forwarded-For` and protocol from `X-Forwarded-Proto`. Defaults to `1` in production; off in dev unless set. | `1` |
 | `ALLOW_INTERNAL_NETWORK` | Allow outbound requests to private/RFC-1918 IPs (e.g. Immich on your LAN). Loopback and link-local addresses remain blocked. | `false` |
 | `APP_URL` | Public base URL of this instance (e.g. `https://trek.example.com`). Required when OIDC is enabled; used as base for email notification links. | — |
 | **OIDC / SSO** | | |
@@ -1,5 +1,5 @@
 apiVersion: v2
 name: trek
-version: 3.0.22
+version: 3.1.0
 description: Minimal Helm chart for TREK app
-appVersion: "3.0.22"
+appVersion: "3.1.0"
@@ -28,6 +28,12 @@ data:
  {{- if .Values.env.COOKIE_SECURE }}
  COOKIE_SECURE: {{ .Values.env.COOKIE_SECURE | quote }}
  {{- end }}
+  {{- if .Values.env.SESSION_DURATION }}
+  SESSION_DURATION: {{ .Values.env.SESSION_DURATION | quote }}
+  {{- end }}
+  {{- if .Values.env.SESSION_DURATION_REMEMBER }}
+  SESSION_DURATION_REMEMBER: {{ .Values.env.SESSION_DURATION_REMEMBER | quote }}
+  {{- end }}
  {{- if .Values.env.TRUST_PROXY }}
  TRUST_PROXY: {{ .Values.env.TRUST_PROXY | quote }}
  {{- end }}
@@ -34,6 +34,10 @@ env:
  # When "true": adds includeSubDomains to the HSTS header. Only effective when HSTS is active. Leave "false" if sibling subdomains still run over plain HTTP.
  # COOKIE_SECURE: "true"
  # Auto-derived (true in production or when FORCE_HTTPS=true). Set "false" to force cookies over plain HTTP. Not recommended for production.
+  # SESSION_DURATION: "24h"
+  # How long a login session stays valid when "Remember me" is unchecked (the default): trek_session JWT exp + a browser-session cookie. Accepts 1h, 12h, 7d, 30d, 90d. Defaults to 24h.
+  # SESSION_DURATION_REMEMBER: "30d"
+  # Session length when "Remember me" is ticked: a longer-lived JWT + persistent cookie that survives browser restarts. Same format as SESSION_DURATION. Defaults to 30d.
  # TRUST_PROXY: "1"
  # Trusted proxy hops for X-Forwarded-For/X-Forwarded-Proto. Defaults to 1 in production. Must be set for FORCE_HTTPS to work.
  # ALLOW_INTERNAL_NETWORK: "false"
@@ -1,6 +1,6 @@
 {
  "name": "@trek/client",
-  "version": "3.0.22",
+  "version": "3.1.0",
  "private": true,
  "type": "module",
  "scripts": {
@@ -58,11 +58,12 @@
    "@testing-library/user-event": "^14.6.1",
    "@trivago/prettier-plugin-sort-imports": "^6.0.2",
    "@types/leaflet": "^1.9.8",
+    "@types/node": "^25.9.3",
    "@types/react": "^19.2.15",
    "@types/react-dom": "^19.2.3",
    "@types/react-window": "^1.8.8",
-    "@vitejs/plugin-react": "^4.2.1",
-    "@vitest/coverage-v8": "^3.2.4",
+    "@vitejs/plugin-react": "^6.0.2",
+    "@vitest/coverage-v8": "^4.1.9",
    "autoprefixer": "^10.4.18",
    "eslint": "^10.2.1",
    "eslint-config-flat-gitignore": "^2.3.0",
@@ -80,8 +81,8 @@
    "tailwindcss": "^3.4.1",
    "typescript": "^6.0.2",
    "typescript-eslint": "^8.58.2",
-    "vite": "^5.1.4",
-    "vite-plugin-pwa": "^0.21.0",
-    "vitest": "^3.2.4"
+    "vite": "^8.0.16",
+    "vite-plugin-pwa": "^1.3.0",
+    "vitest": "^4.1.9"
  }
 }
@@ -662,8 +662,15 @@ function SettleHistory({ settlements, fmt, Avatar, name, onUndo, canEdit }: {
 }

 // ── Add / edit expense modal ───────────────────────────────────────────────
-function ExpenseModal({ tripId, base, people, me, editing, onClose, onSaved }: {
-  tripId: number; base: string; people: TripMember[]; me: number; editing: BudgetItem | null; onClose: () => void; onSaved: () => void
+export interface ExpensePrefill {
+  name?: string
+  category?: string
+  amount?: number
+  reservationId?: number
+}
+
+export function ExpenseModal({ tripId, base, people, me, editing, prefill, onClose, onSaved }: {
+  tripId: number; base: string; people: TripMember[]; me: number; editing: BudgetItem | null; prefill?: ExpensePrefill; onClose: () => void; onSaved: () => void
 }) {
  const { t, locale } = useTranslation()
  const toast = useToast()
@@ -671,8 +678,8 @@ function ExpenseModal({ tripId, base, people, me, editing, onClose, onSaved }: {
  const { convert } = useExchangeRates(base)
  const sym = (c: string) => SYMBOLS[c] || (c + ' ')

-  const [name, setName] = useState(editing?.name || '')
-  const [cat, setCat] = useState<string>(editing ? catMeta(editing.category).key : 'food')
+  const [name, setName] = useState(editing?.name || prefill?.name || '')
+  const [cat, setCat] = useState<string>(editing ? catMeta(editing.category).key : (prefill?.category || 'food'))
  const [currency, setCurrency] = useState((editing?.currency || base).toUpperCase())
  const [day, setDay] = useState(editing?.expense_date || new Date().toISOString().slice(0, 10))
  const [payers, setPayers] = useState<Record<number, string>>(() => {
@@ -680,13 +687,23 @@ function ExpenseModal({ tripId, base, people, me, editing, onClose, onSaved }: {
    for (const p of editing?.payers || []) m[p.user_id] = String(p.amount)
    return m
  })
+  // Standalone total for "recorded amount, nobody has paid yet" expenses (created
+  // from a booking, or pre-rework items). Used only while no per-person amount is
+  // entered; once a payer has an amount, the total derives from the payers.
+  const [amount, setAmount] = useState<string>(() => {
+    if (editing && !(editing.payers && editing.payers.length > 0)) return editing.total_price ? String(editing.total_price) : ''
+    if (prefill?.amount != null) return String(prefill.amount)
+    return ''
+  })
  const [split, setSplit] = useState<Set<number>>(() =>
    editing ? new Set((editing.members || []).map(m => m.user_id)) : new Set(people.map(p => p.id)))
  const [saving, setSaving] = useState(false)

  const payersTotal = Object.values(payers).reduce((a, v) => a + (parseFloat(v) || 0), 0)
-  const each = split.size > 0 ? payersTotal / split.size : 0
-  const valid = name.trim().length > 0 && split.size > 0 && payersTotal > 0
+  const hasPayers = payersTotal > 0
+  const total = hasPayers ? payersTotal : (parseFloat(amount) || 0)
+  const each = split.size > 0 ? total / split.size : 0
+  const valid = name.trim().length > 0 && total > 0 && (hasPayers ? split.size > 0 : true)

  const save = async () => {
    if (!valid) return
@@ -699,6 +716,11 @@ function ExpenseModal({ tripId, base, people, me, editing, onClose, onSaved }: {
      currency,
      payers: payerList, member_ids: [...split],
      expense_date: day || null,
+      // No per-person amounts: record the typed total directly (the server keeps
+      // it instead of deriving 0 from the empty payer list).
+      ...(payerList.length === 0 ? { total_price: parseFloat(amount) || 0 } : {}),
+      // Link a freshly-created expense to its booking (create-from-booking flow).
+      ...(!editing && prefill?.reservationId ? { reservation_id: prefill.reservationId } : {}),
    }
    try {
      if (editing) await updateBudgetItem(tripId, editing.id, data)
@@ -728,7 +750,13 @@ function ExpenseModal({ tripId, base, people, me, editing, onClose, onSaved }: {
          <label className={labelCls}>{t('costs.totalAmount')}</label>
          <div className="bg-surface-input border border-edge" style={{ height: FIELD_H, boxSizing: 'border-box', display: 'flex', alignItems: 'center', borderRadius: 10, padding: '0 12px' }}>
            <span className="text-content-faint" style={{ fontSize: 15 }}>{sym(currency)}</span>
-            <span className="text-content" style={{ flex: 1, fontSize: 15, fontWeight: 600, paddingLeft: 6 }}>{payersTotal.toFixed(2)}</span>
+            {hasPayers ? (
+              <span className="text-content" style={{ flex: 1, fontSize: 15, fontWeight: 600, paddingLeft: 6 }}>{payersTotal.toFixed(2)}</span>
+            ) : (
+              <input type="number" inputMode="decimal" min="0" step="0.01" placeholder="0.00" value={amount}
+                onChange={e => setAmount(e.target.value)}
+                className="text-content" style={{ flex: 1, border: 0, background: 'none', outline: 'none', fontSize: 15, fontWeight: 600, paddingLeft: 6, width: '100%' }} />
+            )}
          </div>
        </div>
        <div style={{ display: 'grid', gridTemplateColumns: '1fr 1fr', gap: 10 }}>
@@ -744,11 +772,11 @@ function ExpenseModal({ tripId, base, people, me, editing, onClose, onSaved }: {
          </div>
        </div>

-        {currency !== base && payersTotal > 0 && (
+        {currency !== base && total > 0 && (
          <div className="bg-surface-secondary border border-edge text-content-muted" style={{ borderRadius: 10, padding: '10px 12px', fontSize: 12.5, display: 'flex', alignItems: 'center', gap: 8, flexWrap: 'wrap' }}>
-            <span>{formatMoney(payersTotal, currency, locale)}</span>
+            <span>{formatMoney(total, currency, locale)}</span>
            <span className="text-content-faint">≈</span>
-            <span className="text-content" style={{ fontWeight: 600 }}>{formatMoney(convert(payersTotal, currency), base, locale)}</span>
+            <span className="text-content" style={{ fontWeight: 600 }}>{formatMoney(convert(total, currency), base, locale)}</span>
            <span className="text-content-faint">· {t('costs.liveRate')}</span>
          </div>
        )}
@@ -32,8 +32,32 @@ export const COST_CAT_META: Record<CostCategory, CostCategoryMeta> = {

 export const COST_CATEGORY_LIST: CostCategoryMeta[] = COST_CATEGORIES.map(k => COST_CAT_META[k])

-/** Map any stored category (incl. legacy free-text values) to a known meta. */
-export function catMeta(cat: string | null | undefined): CostCategoryMeta {
-  if (cat && cat in COST_CAT_META) return COST_CAT_META[cat as CostCategory]
-  return COST_CAT_META.other
+/**
+ * Legacy / English free-text categories (and reservation type labels) mapped to
+ * the fixed keys. Bookings used to store labels like "Flight"/"Train"/"Other",
+ * which never matched the lowercase keys and fell through to `other`.
+ */
+const LEGACY_CATEGORY_MAP: Record<string, CostCategory> = {
+  flight: 'flights', flights: 'flights', plane: 'flights', flug: 'flights',
+  train: 'transport', bus: 'transport', car: 'transport', 'car rental': 'transport',
+  ferry: 'transport', boat: 'transport', taxi: 'transport', transfer: 'transport',
+  transport: 'transport', transportation: 'transport',
+  hotel: 'accommodation', accommodation: 'accommodation', lodging: 'accommodation', hostel: 'accommodation',
+  restaurant: 'food', food: 'food', dining: 'food', meal: 'food', meals: 'food',
+  grocery: 'groceries', groceries: 'groceries',
+  activity: 'activities', activities: 'activities',
+  sightseeing: 'sightseeing', sights: 'sightseeing',
+  shop: 'shopping', shopping: 'shopping',
+  fee: 'fees', fees: 'fees',
+  health: 'health', medical: 'health',
+  tip: 'tips', tips: 'tips',
+  other: 'other', misc: 'other',
+}
+
+/** Map any stored category (incl. legacy/localized free-text values) to a known meta. */
+export function catMeta(cat: string | null | undefined): CostCategoryMeta {
+  if (!cat) return COST_CAT_META.other
+  if (cat in COST_CAT_META) return COST_CAT_META[cat as CostCategory]
+  const mapped = LEGACY_CATEGORY_MAP[cat.trim().toLowerCase()]
+  return mapped ? COST_CAT_META[mapped] : COST_CAT_META.other
 }
@@ -1,6 +1,6 @@
 // FE-COMP-MDTOOLBAR-001 to FE-COMP-MDTOOLBAR-006

-import { describe, it, expect, vi, beforeEach } from 'vitest';
+import { describe, it, expect, vi, beforeEach, type Mock } from 'vitest';
 import { render, screen, fireEvent } from '../../../tests/helpers/render';
 import MarkdownToolbar from './MarkdownToolbar';
 import React from 'react';
@@ -16,10 +16,10 @@ function createTextareaRef(value = '', selectionStart = 0, selectionEnd = 0) {
 }

 describe('MarkdownToolbar', () => {
-  let onUpdate: ReturnType<typeof vi.fn>;
+  let onUpdate: Mock<(value: string) => void>;

  beforeEach(() => {
-    onUpdate = vi.fn();
+    onUpdate = vi.fn<(value: string) => void>();
  });

  it('FE-COMP-MDTOOLBAR-001: renders all 8 toolbar buttons', () => {
@@ -31,21 +31,29 @@ const glMap = vi.hoisted(() => ({
 vi.mock('mapbox-gl', () => ({
  default: {
    accessToken: '',
-    Map: vi.fn(() => glMap),
-    Marker: vi.fn(() => ({
-      setLngLat: vi.fn().mockReturnThis(),
-      addTo: vi.fn().mockReturnThis(),
-      remove: vi.fn(),
-      getElement: vi.fn(() => document.createElement('div')),
-    })),
-    LngLatBounds: vi.fn(() => ({ extend: vi.fn().mockReturnThis() })),
+    Map: vi.fn(function () {
+      return glMap
+    }),
+    Marker: vi.fn(function () {
+      return {
+        setLngLat: vi.fn().mockReturnThis(),
+        addTo: vi.fn().mockReturnThis(),
+        remove: vi.fn(),
+        getElement: vi.fn(() => document.createElement('div')),
+      }
+    }),
+    LngLatBounds: vi.fn(function () {
+      return { extend: vi.fn().mockReturnThis() }
+    }),
    NavigationControl: vi.fn(),
-    Popup: vi.fn(() => ({
-      setLngLat: vi.fn().mockReturnThis(),
-      setHTML: vi.fn().mockReturnThis(),
-      addTo: vi.fn().mockReturnThis(),
-      remove: vi.fn(),
-    })),
+    Popup: vi.fn(function () {
+      return {
+        setLngLat: vi.fn().mockReturnThis(),
+        setHTML: vi.fn().mockReturnThis(),
+        addTo: vi.fn().mockReturnThis(),
+        remove: vi.fn(),
+      }
+    }),
  },
 }))
 vi.mock('mapbox-gl/dist/mapbox-gl.css', () => ({}))
@@ -63,7 +71,9 @@ vi.mock('./locationMarkerMapbox', () => ({
 }))

 vi.mock('./reservationsMapbox', () => ({
-  ReservationMapboxOverlay: vi.fn().mockImplementation(() => ({ update: vi.fn() })),
+  ReservationMapboxOverlay: vi.fn(function () {
+    return { update: vi.fn() }
+  }),
 }))

 vi.mock('../../hooks/useGeolocation', () => ({
@@ -84,6 +84,22 @@ const transportReservation = {
  metadata: JSON.stringify({ airline: 'Air Italia', flight_number: 'AI123', departure_airport: 'CDG', arrival_airport: 'FCO' }),
 } as any

+const multiLegFlight = {
+  id: 401,
+  title: 'Flight to Tokyo',
+  type: 'flight',
+  day_id: 10,
+  reservation_time: '2025-06-01T08:00:00',
+  confirmation_number: 'XYZ789',
+  metadata: JSON.stringify({
+    legs: [
+      { from: 'FRA', to: 'BER', airline: 'Lufthansa', flight_number: 'LH1' },
+      { from: 'BER', to: 'HND', airline: 'Lufthansa', flight_number: 'LH2' },
+    ],
+    departure_airport: 'FRA', arrival_airport: 'HND', airline: 'Lufthansa', flight_number: 'LH1',
+  }),
+} as any
+
 const richArgs = {
  trip: { id: 10, title: 'Italy Trip', description: 'Summer adventure', cover_image: '/uploads/cover.jpg' } as any,
  days: [dayWithPlaces],
@@ -196,6 +212,16 @@ describe('downloadTripPDF', () => {
    const iframe = getIframe()
    expect(iframe!.srcdoc).toContain('Flight to Rome')
    expect(iframe!.srcdoc).toContain('ABC123')
+    // Single-leg flight keeps its full-route subtitle.
+    expect(iframe!.srcdoc).toContain('Air Italia · AI123 · CDG → FCO')
+  })
+
+  it('FE-COMP-TRIPPDF-013b: renders every flight number for a multi-leg flight', async () => {
+    await downloadTripPDF({ ...richArgs, reservations: [multiLegFlight] })
+    const iframe = getIframe()
+    // One subtitle line per leg, each with its own flight number and segment route.
+    expect(iframe!.srcdoc).toContain('Lufthansa · LH1 · FRA → BER')
+    expect(iframe!.srcdoc).toContain('Lufthansa · LH2 · BER → HND')
  })

  it('FE-COMP-TRIPPDF-014: renders cover image when trip has cover_image', async () => {
@@ -6,6 +6,7 @@ import { accommodationsApi, mapsApi } from '../../api/client'
 import type { Trip, Day, Place, Category, AssignmentsMap, DayNote } from '../../types'
 import { isDayInAccommodationRange, getDayOrder } from '../../utils/dayOrder'
 import { splitReservationDateTime } from '../../utils/formatters'
+import { getFlightLegs } from '../../utils/flightLegs'

 function renderLucideIcon(icon:LucideIcon, props = {}) {
  if (!_renderToStaticMarkup) return ''
@@ -215,17 +216,30 @@ export async function downloadTripPDF({ trip, days, places, assignments, categor
            const icon = reservationIconSvg(r.type)
            const color = RESERVATION_COLOR_MAP[r.type] || '#3b82f6'
            let subtitle = ''
+            // Flights render one subtitle line per leg (see below); everything else is a single line.
+            let subtitleLines: string[] = []
            if (r.type === 'flight') {
-              // Full route over all waypoints (FRA → BER → HND), falling back to the
-              // flat metadata pair for legacy single-leg flights without endpoints.
-              const stops = (r.endpoints || []).slice().sort((a, b) => (a.sequence ?? 0) - (b.sequence ?? 0)).map(e => e.code || e.name)
-              const route = stops.length >= 2 ? stops.join(' → ') : (meta.departure_airport && meta.arrival_airport ? `${meta.departure_airport} → ${meta.arrival_airport}` : '')
-              subtitle = [meta.airline, meta.flight_number, route].filter(Boolean).join(' · ')
+              const legs = getFlightLegs(r)
+              if (legs.length > 1) {
+                // Multi-leg: one line per leg so every flight number + segment route is shown.
+                subtitleLines = legs.map(l =>
+                  [l.airline, l.flight_number,
+                   (l.from || l.to) ? [l.from, l.to].filter(Boolean).join(' → ') : '']
+                    .filter(Boolean).join(' · '))
+                  .filter(Boolean)
+              } else {
+                // Single-leg: full route over all waypoints (FRA → BER → HND), falling back to the
+                // flat metadata pair for legacy single-leg flights without endpoints.
+                const stops = (r.endpoints || []).slice().sort((a, b) => (a.sequence ?? 0) - (b.sequence ?? 0)).map(e => e.code || e.name)
+                const route = stops.length >= 2 ? stops.join(' → ') : (meta.departure_airport && meta.arrival_airport ? `${meta.departure_airport} → ${meta.arrival_airport}` : '')
+                subtitle = [meta.airline, meta.flight_number, route].filter(Boolean).join(' · ')
+              }
            }
            else if (r.type === 'train') subtitle = [meta.train_number, meta.platform ? `Gl. ${meta.platform}` : '', meta.seat ? `Seat ${meta.seat}` : ''].filter(Boolean).join(' · ')
            else if (r.type === 'restaurant') subtitle = [meta.party_size ? `${meta.party_size} guests` : ''].filter(Boolean).join(' · ')
            else if (r.type === 'event') subtitle = [meta.venue].filter(Boolean).join(' · ')
            else if (r.type === 'tour') subtitle = [meta.operator].filter(Boolean).join(' · ')
+            if (subtitleLines.length === 0 && subtitle) subtitleLines = [subtitle]
            const locationLine = r.location || meta.location || ''
            const phase = pdfGetSpanPhase(r, day.id)
            const spanLabel = pdfGetSpanLabel(r, phase)
@@ -238,7 +252,7 @@ export async function downloadTripPDF({ trip, days, places, assignments, categor
                <span class="note-icon">${icon}</span>
                <div class="note-body">
                  <div class="note-text" style="font-weight: 600;">${titleHtml}${time ? ` <span style="color:#6b7280;font-weight:400;font-size:10px;">${time}</span>` : ''}</div>
-                  ${subtitle ? `<div class="note-time">${escHtml(subtitle)}</div>` : ''}
+                  ${subtitleLines.filter(Boolean).map(s => `<div class="note-time">${escHtml(s)}</div>`).join('')}
                  ${locationLine ? `<div class="note-time">${escHtml(locationLine)}</div>` : ''}
                  ${r.confirmation_number ? `<div class="note-time" style="font-size:9px;">Code: ${escHtml(r.confirmation_number)}</div>` : ''}
                </div>
@@ -0,0 +1,61 @@
+import { Plus, Pencil, Trash2 } from 'lucide-react'
+import { useTripStore } from '../../store/tripStore'
+import { useSettingsStore } from '../../store/settingsStore'
+import { useTranslation } from '../../i18n'
+import { formatMoney } from '../../utils/formatters'
+import { catMeta } from '../Budget/costsCategories'
+import type { BudgetItem } from '../../types'
+
+/**
+ * The Costs block inside a booking modal. Replaces the old inline price + budget
+ * category fields: when no expense is linked yet it offers a "create expense"
+ * button (the modal saves the booking first, then opens the full Costs editor);
+ * once linked it shows the expense with edit / remove actions.
+ */
+export function BookingCostsSection({ reservationId, onCreate, onEdit, onRemove }: {
+  reservationId: number | null
+  onCreate: () => void
+  onEdit: (item: BudgetItem) => void
+  onRemove: (item: BudgetItem) => void
+}) {
+  const { t, locale } = useTranslation()
+  const budgetItems = useTripStore(s => s.budgetItems)
+  const trip = useTripStore(s => s.trip)
+  const displayCurrency = useSettingsStore(s => s.settings.default_currency)
+  const base = (displayCurrency || trip?.currency || 'EUR').toUpperCase()
+  const linked = reservationId ? budgetItems.find(i => i.reservation_id === reservationId) : null
+
+  const labelCls = 'block text-[11px] font-semibold uppercase tracking-[0.08em] text-content-faint mb-[6px]'
+
+  if (linked) {
+    const meta = catMeta(linked.category)
+    const Icon = meta.Icon
+    return (
+      <div>
+        <label className={labelCls}>{t('reservations.linkedExpense')}</label>
+        <div className="bg-surface-secondary border border-edge" style={{ display: 'flex', alignItems: 'center', gap: 10, padding: '10px 12px', borderRadius: 10 }}>
+          <span style={{ width: 26, height: 26, borderRadius: 7, display: 'grid', placeItems: 'center', background: meta.color + '22', color: meta.color, flexShrink: 0 }}><Icon size={14} /></span>
+          <div style={{ flex: 1, minWidth: 0 }}>
+            <div className="text-content" style={{ fontSize: 14, fontWeight: 600, overflow: 'hidden', textOverflow: 'ellipsis', whiteSpace: 'nowrap' }}>{linked.name}</div>
+            <div className="text-content-faint" style={{ fontSize: 12 }}>{t(meta.labelKey)}</div>
+          </div>
+          <span className="text-content" style={{ fontSize: 14, fontWeight: 700, flexShrink: 0 }}>{formatMoney(linked.total_price, linked.currency || base, locale)}</span>
+          <button type="button" onClick={() => onEdit(linked)} title={t('common.edit')} className="text-content-muted border border-edge bg-surface-card" style={{ display: 'inline-flex', padding: 7, borderRadius: 8, cursor: 'pointer' }}><Pencil size={13} /></button>
+          <button type="button" onClick={() => onRemove(linked)} title={t('reservations.removeExpense')} className="text-content-muted border border-edge bg-surface-card" style={{ display: 'inline-flex', padding: 7, borderRadius: 8, cursor: 'pointer' }}><Trash2 size={13} /></button>
+        </div>
+      </div>
+    )
+  }
+
+  return (
+    <div>
+      <label className={labelCls}>{t('reservations.costsLabel')}</label>
+      <button type="button" onClick={onCreate}
+        className="bg-surface-secondary border border-edge text-content"
+        style={{ width: '100%', display: 'flex', alignItems: 'center', justifyContent: 'center', gap: 8, padding: '11px 13px', borderRadius: 10, fontSize: 13.5, fontWeight: 600, cursor: 'pointer', fontFamily: 'inherit' }}>
+        <Plus size={15} /> {t('reservations.createExpense')}
+      </button>
+      <div className="text-content-faint" style={{ fontSize: 11, marginTop: 6 }}>{t('reservations.createExpenseHint')}</div>
+    </div>
+  )
+}
@@ -0,0 +1,11 @@
+import type { BudgetItem } from '../../types'
+
+/**
+ * A request from a booking modal to open the Costs expense editor — either to
+ * edit the already-linked expense, or to create a new one prefilled from the
+ * booking (the modal saves the booking first so `reservationId` is known).
+ */
+export interface BookingExpenseRequest {
+  editItem?: BudgetItem
+  prefill?: { reservationId?: number; name?: string; category?: string; amount?: number }
+}
@@ -18,16 +18,16 @@ import { useTripStore } from '../../store/tripStore'
 import { useCanDo } from '../../store/permissionsStore'
 import { useSettingsStore } from '../../store/settingsStore'
 import { useTranslation } from '../../i18n'
-import { isDayInAccommodationRange, getAccommodationAnchors } from '../../utils/dayOrder'
+import { isDayInAccommodationRange, getAccommodationAnchors, getDayBookendHotels } from '../../utils/dayOrder'
 import {
-  TRANSPORT_TYPES, parseTimeToMinutes, getSpanPhase, getDisplayTimeForDay,
+  TRANSPORT_TYPES, parseTimeToMinutes, getSpanPhase, getDisplayTimeForDay, getTransportRouteEndpoints,
  getTransportForDay as _getTransportForDay, getMergedItems as _getMergedItems,
  type MergedItem,
 } from '../../utils/dayMerge'
 import { formatDate, formatTime, dayTotalCost, splitReservationDateTime } from '../../utils/formatters'
 import { useDayNotes } from '../../hooks/useDayNotes'
 import { RES_ICONS, getNoteIcon } from './DayPlanSidebar.constants'
-import { RouteConnector } from './DayPlanSidebarRouteConnector'
+import { RouteConnector, HotelRouteConnector } from './DayPlanSidebarRouteConnector'
 import { MobileAddPlaceButton } from './DayPlanSidebarMobileAddPlaceButton'
 import { DayPlanSidebarToolbar } from './DayPlanSidebarToolbar'
 import { DayPlanSidebarNoteModal } from './DayPlanSidebarNoteModal'
@@ -152,6 +152,8 @@ function useDayPlanSidebar(props: DayPlanSidebarProps) {
  const [isCalculating, setIsCalculating] = useState(false)
  const [routeInfo, setRouteInfo] = useState(null)
  const [routeLegs, setRouteLegs] = useState<Record<number, RouteSegment>>({})
+  const [hotelLegs, setHotelLegs] = useState<{ top?: { seg: RouteSegment; name: string }; bottom?: { seg: RouteSegment; name: string } }>({})
+  const optimizeFromAccommodation = useSettingsStore(s => s.settings.optimize_from_accommodation)
  const legsAbortRef = useRef<AbortController | null>(null)
  const [draggingId, setDraggingId] = useState(null)
  const [lockedIds, setLockedIds] = useState(new Set())
@@ -379,12 +381,8 @@ function useDayPlanSidebar(props: DayPlanSidebarProps) {
  // the start place's assignment id. Shares RouteCalculator's cache with the map.
  useEffect(() => {
    if (legsAbortRef.current) legsAbortRef.current.abort()
-    if (!selectedDayId || !routeShown) { setRouteLegs({}); return }
+    if (!selectedDayId || !routeShown) { setRouteLegs({}); setHotelLegs({}); return }
    const merged = mergedItemsMap[selectedDayId] || []
-    const epLoc = (r: any, role: 'from' | 'to'): { lat: number; lng: number } | null => {
-      const e = (r.endpoints || []).find((x: any) => x.role === role)
-      return e && e.lat != null && e.lng != null ? { lat: e.lat, lng: e.lng } : null
-    }
    const runs: { id: number; lat: number; lng: number }[][] = []
    let cur: { id: number; lat: number; lng: number }[] = []
    for (const it of merged) {
@@ -392,7 +390,7 @@ function useDayPlanSidebar(props: DayPlanSidebarProps) {
        cur.push({ id: it.data.id, lat: it.data.place.lat, lng: it.data.place.lng })
      } else if (it.type === 'transport') {
        const r = it.data
-        const from = epLoc(r, 'from'), to = epLoc(r, 'to')
+        const { from, to } = getTransportRouteEndpoints(r, selectedDayId)
        if (from || to) {
          // Located transport: route to its departure point, break the run (the
          // flight/train itself isn't driven), and let its arrival start the next.
@@ -408,7 +406,32 @@ function useDayPlanSidebar(props: DayPlanSidebarProps) {
      }
    }
    if (cur.length >= 2) runs.push(cur)
-    if (runs.length === 0) { setRouteLegs({}); return }
+
+    // Hotel bookend legs: the drive from the day's accommodation to the first located
+    // waypoint of the day (morning) and from the last one back to it (evening). Only when
+    // the "optimize from accommodation" setting is on and the day has a hotel.
+    const day = days.find(d => d.id === selectedDayId)
+    const { morning: startHotel, evening: endHotel } =
+      day && optimizeFromAccommodation !== false ? getDayBookendHotels(day, days, accommodations) : {}
+    const hotelName = (a: Accommodation) => (a as any).place_name || (a as any).reservation_title || ''
+    // Waypoints include transport endpoints (a car return, a taxi/train arrival), so the hotel
+    // legs connect even when the day starts or ends with a booking rather than a place.
+    const wayPts: { lat: number; lng: number }[] = []
+    for (const it of merged) {
+      if (it.type === 'place' && it.data.place?.lat && it.data.place?.lng) {
+        wayPts.push({ lat: it.data.place.lat, lng: it.data.place.lng })
+      } else if (it.type === 'transport') {
+        const { from, to } = getTransportRouteEndpoints(it.data, selectedDayId)
+        if (from) wayPts.push({ lat: from.lat, lng: from.lng })
+        if (to) wayPts.push({ lat: to.lat, lng: to.lng })
+      }
+    }
+    const firstWay = wayPts[0]
+    const lastWay = wayPts[wayPts.length - 1]
+    const wantTop = !!(startHotel && firstWay)
+    const wantBottom = !!(endHotel && lastWay)
+
+    if (runs.length === 0 && !wantTop && !wantBottom) { setRouteLegs({}); setHotelLegs({}); return }

    const controller = new AbortController()
    legsAbortRef.current = controller
@@ -422,9 +445,27 @@ function useDayPlanSidebar(props: DayPlanSidebarProps) {
          if (err instanceof Error && err.name === 'AbortError') return
        }
      }
-      if (!controller.signal.aborted) setRouteLegs(map)
+
+      // One extra cached OSRM call per bookend; shares RouteCalculator's cache.
+      const legBetween = async (a: { lat: number; lng: number }, b: { lat: number; lng: number }): Promise<RouteSegment | undefined> => {
+        try {
+          const r = await calculateRouteWithLegs([a, b], { signal: controller.signal, profile: routeProfile })
+          return r.legs[0]
+        } catch { return undefined }
+      }
+      const hotel: { top?: { seg: RouteSegment; name: string }; bottom?: { seg: RouteSegment; name: string } } = {}
+      if (wantTop) {
+        const seg = await legBetween({ lat: startHotel!.place_lat as number, lng: startHotel!.place_lng as number }, { lat: firstWay.lat, lng: firstWay.lng })
+        if (seg) hotel.top = { seg, name: hotelName(startHotel!) }
+      }
+      if (wantBottom) {
+        const seg = await legBetween({ lat: lastWay.lat, lng: lastWay.lng }, { lat: endHotel!.place_lat as number, lng: endHotel!.place_lng as number })
+        if (seg) hotel.bottom = { seg, name: hotelName(endHotel!) }
+      }
+
+      if (!controller.signal.aborted) { setRouteLegs(map); setHotelLegs(hotel) }
    })()
-  }, [selectedDayId, routeShown, routeProfile, mergedItemsMap])
+  }, [selectedDayId, routeShown, routeProfile, mergedItemsMap, accommodations, days, optimizeFromAccommodation])

  const openAddNote = (dayId, e) => {
    e?.stopPropagation()
@@ -938,6 +979,8 @@ function useDayPlanSidebar(props: DayPlanSidebarProps) {
    setRouteInfo,
    routeLegs,
    setRouteLegs,
+    hotelLegs,
+    setHotelLegs,
    legsAbortRef,
    draggingId,
    setDraggingId,
@@ -1085,6 +1128,8 @@ const DayPlanSidebar = React.memo(function DayPlanSidebar(props: DayPlanSidebarP
    setRouteInfo,
    routeLegs,
    setRouteLegs,
+    hotelLegs,
+    setHotelLegs,
    legsAbortRef,
    draggingId,
    setDraggingId,
@@ -1427,6 +1472,9 @@ const DayPlanSidebar = React.memo(function DayPlanSidebar(props: DayPlanSidebarP
                      handleMergedDrop(day.id, 'note', Number(noteId), lastItem.type, lastItem.data.id, true)
                  }}
                >
+                  {isSelected && hotelLegs.top && (
+                    <HotelRouteConnector seg={hotelLegs.top.seg} name={hotelLegs.top.name} profile={routeProfile} placement="top" />
+                  )}
                  {merged.length === 0 && !dayNoteUi ? (
                    <div
                      onDragOver={e => { e.preventDefault(); if (dragOverDayId !== day.id) setDragOverDayId(day.id) }}
@@ -2057,6 +2105,9 @@ const DayPlanSidebar = React.memo(function DayPlanSidebar(props: DayPlanSidebarP
                      )
                    })
                  )}
+                  {isSelected && hotelLegs.bottom && (
+                    <HotelRouteConnector seg={hotelLegs.bottom.seg} name={hotelLegs.bottom.name} profile={routeProfile} placement="bottom" />
+                  )}
                  {/* Drop-Zone am Listenende — immer vorhanden als Drop-Target */}
                  <div
                    style={{ minHeight: 12, padding: '2px 8px' }}
@@ -1,4 +1,4 @@
-import { Car, Footprints } from 'lucide-react'
+import { Car, Footprints, Hotel } from 'lucide-react'
 import type { RouteSegment } from '../../types'

 /** Slim travel-time connector shown between two consecutive located stops in a day. */
@@ -19,3 +19,60 @@ export function RouteConnector({ seg, profile }: { seg: RouteSegment; profile: '
    </div>
  )
 }
+
+/**
+ * The hotel's bookend legs for a day: a two-line connector naming the day's
+ * accommodation with the drive to/from it. Rendered above the first place (the
+ * morning departure from the hotel) and below the last place (the evening return),
+ * when the "optimize from accommodation" setting is on and the day has a hotel.
+ */
+export function HotelRouteConnector({
+  seg,
+  profile,
+  name,
+  placement,
+}: {
+  seg: RouteSegment
+  profile: 'driving' | 'walking'
+  name: string
+  placement: 'top' | 'bottom'
+}) {
+  const driving = profile === 'driving'
+  const Icon = driving ? Car : Footprints
+  const line = { flex: 1, height: 1, minHeight: 1, alignSelf: 'center', background: 'var(--border-primary)' }
+  const hotelRow = (
+    <div style={{ display: 'flex', alignItems: 'center', justifyContent: 'center', gap: 5, padding: '0 14px', minWidth: 0 }}>
+      <Hotel size={12} strokeWidth={1.8} style={{ flexShrink: 0, color: 'var(--text-muted)' }} />
+      <span style={{ fontSize: 11, fontWeight: 600, color: 'var(--text-muted)', overflow: 'hidden', textOverflow: 'ellipsis', whiteSpace: 'nowrap', lineHeight: 1.2 }}>
+        {name}
+      </span>
+    </div>
+  )
+  const travelRow = (
+    <div style={{ display: 'flex', alignItems: 'center', gap: 8, padding: '3px 14px', fontSize: 10.5, color: 'var(--text-faint)', lineHeight: 1.2 }}>
+      <div style={line} />
+      <div style={{ display: 'flex', alignItems: 'center', gap: 4, flexShrink: 0 }}>
+        <Icon size={11} strokeWidth={2} />
+        <span>{seg.durationText ?? (driving ? seg.drivingText : seg.walkingText)}</span>
+        <span style={{ opacity: 0.4 }}>·</span>
+        <span>{seg.distanceText}</span>
+      </div>
+      <div style={line} />
+    </div>
+  )
+  return (
+    <div style={{ display: 'flex', flexDirection: 'column', gap: 3, padding: placement === 'top' ? '2px 0 6px' : '6px 0 2px' }}>
+      {placement === 'top' ? (
+        <>
+          {hotelRow}
+          {travelRow}
+        </>
+      ) : (
+        <>
+          {travelRow}
+          {hotelRow}
+        </>
+      )}
+    </div>
+  )
+}
@@ -253,6 +253,101 @@ describe('PlaceFormModal', () => {
    delete window.__addToast;
  });

+  // ── Autocomplete suggestion click (#1192) ─────────────────────────────────────
+  // Selecting a dropdown suggestion does a second `details` lookup which is fragile
+  // (details kill-switch, an overloaded OSM Overpass mirror, upstream errors). When
+  // it yields no usable place the modal must fall back to the reliable text search
+  // instead of dead-ending on "Place search failed".
+
+  async function openSuggestion(user: ReturnType<typeof userEvent.setup>) {
+    const searchInput = screen.getByPlaceholderText('Search places...');
+    await user.type(searchInput, 'Eiffel');
+    // Debounced autocomplete (300ms) then the dropdown renders the suggestion.
+    return screen.findByText('Paris, France');
+  }
+
+  it('FE-PLANNER-PLACEFORM-021b: suggestion click falls back to search when details fails', async () => {
+    const addToast = vi.fn();
+    window.__addToast = addToast;
+    const user = userEvent.setup();
+    server.use(
+      http.post('/api/maps/autocomplete', () =>
+        HttpResponse.json({
+          suggestions: [{ placeId: 'node:123', mainText: 'Eiffel Tower', secondaryText: 'Paris, France' }],
+          source: 'nominatim',
+        }),
+      ),
+      // details rejects (e.g. proxy 504 from a hung Overpass mirror)
+      http.get('/api/maps/details/:placeId', () => HttpResponse.json({ error: 'boom' }, { status: 500 })),
+      http.post('/api/maps/search', () =>
+        HttpResponse.json({
+          places: [{ name: 'Eiffel Tower', address: 'Paris, France', lat: '48.8584', lng: '2.2945' }],
+          source: 'openstreetmap',
+        }),
+      ),
+    );
+
+    render(<PlaceFormModal {...defaultProps} />);
+    const suggestion = await openSuggestion(user);
+    await user.click(suggestion);
+
+    // Form is populated from the search fallback, and no error toast is shown.
+    expect(await screen.findByDisplayValue('48.8584')).toBeInTheDocument();
+    expect(screen.getByDisplayValue('2.2945')).toBeInTheDocument();
+    expect(addToast).not.toHaveBeenCalledWith(expect.anything(), 'error', expect.anything());
+    delete window.__addToast;
+  });
+
+  it('FE-PLANNER-PLACEFORM-021c: suggestion click falls back when details is disabled (place: null)', async () => {
+    const user = userEvent.setup();
+    server.use(
+      http.post('/api/maps/autocomplete', () =>
+        HttpResponse.json({
+          suggestions: [{ placeId: 'node:123', mainText: 'Eiffel Tower', secondaryText: 'Paris, France' }],
+          source: 'nominatim',
+        }),
+      ),
+      http.get('/api/maps/details/:placeId', () => HttpResponse.json({ place: null, disabled: true })),
+      http.post('/api/maps/search', () =>
+        HttpResponse.json({
+          places: [{ name: 'Eiffel Tower', address: 'Paris, France', lat: '48.8584', lng: '2.2945' }],
+          source: 'openstreetmap',
+        }),
+      ),
+    );
+
+    render(<PlaceFormModal {...defaultProps} />);
+    const suggestion = await openSuggestion(user);
+    await user.click(suggestion);
+
+    expect(await screen.findByDisplayValue('48.8584')).toBeInTheDocument();
+  });
+
+  it('FE-PLANNER-PLACEFORM-021d: suggestion click shows error only when the fallback also finds nothing', async () => {
+    const addToast = vi.fn();
+    window.__addToast = addToast;
+    const user = userEvent.setup();
+    server.use(
+      http.post('/api/maps/autocomplete', () =>
+        HttpResponse.json({
+          suggestions: [{ placeId: 'node:123', mainText: 'Eiffel Tower', secondaryText: 'Paris, France' }],
+          source: 'nominatim',
+        }),
+      ),
+      http.get('/api/maps/details/:placeId', () => HttpResponse.json({ place: null, disabled: true })),
+      http.post('/api/maps/search', () => HttpResponse.json({ places: [], source: 'openstreetmap' })),
+    );
+
+    render(<PlaceFormModal {...defaultProps} />);
+    const suggestion = await openSuggestion(user);
+    await user.click(suggestion);
+
+    await waitFor(() => {
+      expect(addToast).toHaveBeenCalledWith('Place search failed.', 'error', undefined);
+    });
+    delete window.__addToast;
+  });
+
  it('FE-PLANNER-PLACEFORM-022: hasMapsKey=false shows OSM active message', () => {
    // hasMapsKey is false by default in beforeEach
    render(<PlaceFormModal {...defaultProps} />);
@@ -249,15 +249,34 @@ function usePlaceFormModal(props: PlaceFormModalProps) {
    setForm(prev => ({ ...prev, name: suggestion.mainText }))
    setIsSearchingMaps(true)
    try {
-      const result = await mapsApi.details(suggestion.placeId, language)
-      if (result.place) {
-        handleSelectMapsResult(result.place)
+      // The details lookup is a fragile second hop — it can fail when the
+      // details kill-switch is off, when the OSM Overpass mirror is overloaded,
+      // or on any upstream error. Treat a missing/coordinate-less place as a
+      // miss and fall back to the reliable text-search path the search button
+      // uses (its results already carry coordinates), so dropdown items stay
+      // clickable instead of dead-ending on "Place search failed". (#1192)
+      let place: Record<string, unknown> | null = null
+      try {
+        const result = await mapsApi.details(suggestion.placeId, language)
+        if (result.place && result.place.lat != null && result.place.lng != null) {
+          place = result.place
+        }
+      } catch (err) {
+        console.error('Failed to fetch place details:', err)
+      }
+      if (!place) {
+        const query = [suggestion.mainText, suggestion.secondaryText].filter(Boolean).join(', ')
+        const search = await mapsApi.search(query, language)
+        place = search.places?.[0] ?? null
+      }
+      if (place) {
+        handleSelectMapsResult(place)
      } else {
        setMapsSearch(previousSearch)
        toast.error(t('places.mapsSearchError'))
      }
    } catch (err) {
-      console.error('Failed to fetch place details:', err)
+      console.error('Place suggestion lookup failed:', err)
      setMapsSearch(previousSearch)
      toast.error(getApiErrorMessage(err, t('places.mapsSearchError')))
    } finally {
@@ -647,5 +647,43 @@ describe('PlaceInspector', () => {
    expect(screen.queryByText('Participants')).toBeNull();
  });

+  // ── Scroll / overflow (issue #1195) ──────────────────────────────────────
+
+  it('FE-PLANNER-INSPECTOR-046: content area is a bounded flex scroll region', () => {
+    const longText = 'Lorem ipsum dolor sit amet. '.repeat(200);
+    const p = buildPlace({ id: 200, description: longText, notes: longText } as any);
+    render(<PlaceInspector {...defaultProps} place={p} />);
+    const scroll = screen.getByTestId('inspector-scroll') as HTMLElement;
+    expect(scroll.style.overflowY).toBe('auto');
+    expect(scroll.style.minHeight).toBe('0px');
+    // flex must allow the region to shrink/grow within the capped card
+    expect(scroll.style.flex).not.toBe('');
+    expect(scroll.style.flex).not.toBe('0 0 auto');
+  });
+
+  it('FE-PLANNER-INSPECTOR-047: long unbroken description wraps instead of clipping horizontally', () => {
+    const longWord = 'https://example.com/' + 'a'.repeat(300);
+    const p = buildPlace({ id: 201, description: longWord } as any);
+    const { container } = render(<PlaceInspector {...defaultProps} place={p} />);
+    const descDiv = container.querySelector('.collab-note-md') as HTMLElement;
+    expect(descDiv).toBeTruthy();
+    expect(descDiv.style.overflowWrap).toBe('anywhere');
+    expect(descDiv.style.wordBreak).toBe('break-word');
+  });
+
+  it('FE-PLANNER-INSPECTOR-048: description/notes do not shrink so the card scrolls instead of clipping', () => {
+    const longText = 'Lorem ipsum dolor sit amet. '.repeat(200);
+    const p = buildPlace({ id: 202, description: longText, notes: longText } as any);
+    const { container } = render(<PlaceInspector {...defaultProps} place={p} />);
+    const notes = Array.from(container.querySelectorAll('.collab-note-md')) as HTMLElement[];
+    // Both description and notes containers must keep their natural height
+    // (flex-shrink: 0) — otherwise they compress inside the flex column and
+    // overflow:hidden clips the text with no scroll (issue #1195).
+    expect(notes.length).toBe(2);
+    for (const el of notes) {
+      expect(el.style.flexShrink).toBe('0');
+    }
+  });
+
 });

@@ -217,7 +217,7 @@ export default function PlaceInspector({
          locale={locale} timeFormat={timeFormat} onClose={onClose} />

        {/* Content — scrollable */}
-        <div style={{ overflowY: 'auto', padding: '12px 16px', display: 'flex', flexDirection: 'column', gap: 10 }}>
+        <div data-testid="inspector-scroll" style={{ flex: '1 1 auto', minHeight: 0, overflowY: 'auto', WebkitOverflowScrolling: 'touch', overscrollBehavior: 'contain', padding: '12px 16px', display: 'flex', flexDirection: 'column', gap: 10 }}>

          {/* Info-Chips — hidden on mobile, shown on desktop */}
          <div className="hidden sm:flex" style={{ flexWrap: 'wrap', gap: 6, alignItems: 'center' }}>
@@ -253,14 +253,14 @@ export default function PlaceInspector({

          {/* Description / Summary */}
          {(place.description || googleDetails?.summary) && (
-            <div className="collab-note-md bg-surface-hover text-content-muted" style={{ borderRadius: 10, overflow: 'hidden', fontSize: 12, lineHeight: '1.5', padding: '8px 12px' }}>
+            <div className="collab-note-md bg-surface-hover text-content-muted" style={{ borderRadius: 10, overflow: 'hidden', flexShrink: 0, fontSize: 12, lineHeight: '1.5', padding: '8px 12px', wordBreak: 'break-word', overflowWrap: 'anywhere' }}>
              <Markdown remarkPlugins={[remarkGfm, remarkBreaks]}>{place.description || googleDetails?.summary || ''}</Markdown>
            </div>
          )}

          {/* Notes */}
          {place.notes && (
-            <div className="collab-note-md bg-surface-hover text-content-muted" style={{ borderRadius: 10, overflow: 'hidden', fontSize: 12, lineHeight: '1.5', padding: '8px 12px', wordBreak: 'break-word', overflowWrap: 'anywhere' }}>
+            <div className="collab-note-md bg-surface-hover text-content-muted" style={{ borderRadius: 10, overflow: 'hidden', flexShrink: 0, fontSize: 12, lineHeight: '1.5', padding: '8px 12px', wordBreak: 'break-word', overflowWrap: 'anywhere' }}>
              <Markdown remarkPlugins={[remarkGfm, remarkBreaks]}>{place.notes}</Markdown>
            </div>
          )}
@@ -279,7 +279,7 @@ export default function PlaceInspector({
        </div>

        {/* Footer actions */}
-        <div className="border-t border-edge-faint" style={{ padding: '10px 16px', display: 'flex', gap: 6, alignItems: 'center', flexWrap: 'wrap' }}>
+        <div className="border-t border-edge-faint" style={{ padding: '10px 16px', display: 'flex', gap: 6, alignItems: 'center', flexWrap: 'wrap', flexShrink: 0 }}>
          {selectedDayId && (
            assignmentInDay ? (
              <ActionButton onClick={() => onRemoveAssignment(selectedDayId, assignmentInDay.id)} variant="ghost" icon={<Minus size={13} />}
@@ -497,7 +497,7 @@ function ParticipantsBox({ tripMembers, participantIds, allJoined, onSetParticip
 function PlaceInspectorHeader({ openNow, place, category, t, editingName, nameInputRef, nameValue, setNameValue,
  commitNameEdit, handleNameKeyDown, startNameEdit, onUpdatePlace, locale, timeFormat, onClose }: any) {
  return (
-        <div style={{ display: 'flex', alignItems: 'center', gap: openNow !== null ? 26 : 14, padding: openNow !== null ? '18px 16px 14px 28px' : '18px 16px 14px', borderBottom: '1px solid var(--border-faint)' }}>
+        <div style={{ display: 'flex', alignItems: 'center', gap: openNow !== null ? 26 : 14, padding: openNow !== null ? '18px 16px 14px 28px' : '18px 16px 14px', borderBottom: '1px solid var(--border-faint)', flexShrink: 0 }}>
          {/* Avatar with open/closed ring + tag */}
          <div style={{ position: 'relative', flexShrink: 0, marginBottom: openNow !== null ? 8 : 0 }}>
            <div style={{
@@ -343,56 +343,51 @@ describe('ReservationModal', () => {

  // ── Budget addon ─────────────────────────────────────────────────────────────

-  it('FE-PLANNER-RESMODAL-024: budget section visible when budget addon is enabled', () => {
+  it('FE-PLANNER-RESMODAL-024: costs section (create expense) visible when budget addon is enabled', () => {
    seedStore(useAddonStore, {
      addons: [{ id: 'budget', name: 'Budget', type: 'budget', icon: '', enabled: true }],
      loaded: true,
    });
    render(<ReservationModal {...defaultProps} />);
-    expect(screen.getByText(/^Price$/i)).toBeInTheDocument();
-    expect(screen.getByText(/Budget category/i)).toBeInTheDocument();
+    expect(screen.getByRole('button', { name: /Create expense/i })).toBeInTheDocument();
  });

-  it('FE-PLANNER-RESMODAL-025: budget price input accepts valid decimal', async () => {
+  it('FE-PLANNER-RESMODAL-025: create-expense saves the booking (no create_budget_entry) then opens the Costs editor', async () => {
    seedStore(useAddonStore, {
      addons: [{ id: 'budget', name: 'Budget', type: 'budget', icon: '', enabled: true }],
      loaded: true,
    });
-    render(<ReservationModal {...defaultProps} />);
-    const priceInput = screen.getByPlaceholderText('0.00');
-    await userEvent.type(priceInput, '99.99');
-    expect((priceInput as HTMLInputElement).value).toBe('99.99');
-  });
-
-  it('FE-PLANNER-RESMODAL-026: budget hint shown when price > 0', async () => {
-    seedStore(useAddonStore, {
-      addons: [{ id: 'budget', name: 'Budget', type: 'budget', icon: '', enabled: true }],
-      loaded: true,
-    });
-    render(<ReservationModal {...defaultProps} />);
-    const priceInput = screen.getByPlaceholderText('0.00');
-    await userEvent.type(priceInput, '50');
-    expect(screen.getByText(/budget entry will be created/i)).toBeInTheDocument();
-  });
-
-  it('FE-PLANNER-RESMODAL-027: budget fields included in onSave when price is set', async () => {
-    seedStore(useAddonStore, {
-      addons: [{ id: 'budget', name: 'Budget', type: 'budget', icon: '', enabled: true }],
-      loaded: true,
-    });
-    const onSave = vi.fn().mockResolvedValue(undefined);
-    render(<ReservationModal {...defaultProps} onSave={onSave} />);
+    const onSave = vi.fn().mockResolvedValue({ id: 55 });
+    const onOpenExpense = vi.fn();
+    render(<ReservationModal {...defaultProps} onSave={onSave} onOpenExpense={onOpenExpense} />);

    await userEvent.type(screen.getByPlaceholderText(/e\.g\. Lufthansa/i), 'Hotel Paris');
-    await userEvent.type(screen.getByPlaceholderText('0.00'), '120');
-    await userEvent.click(screen.getByRole('button', { name: /^Add$/i }));
+    await userEvent.click(screen.getByRole('button', { name: /Create expense/i }));

    await waitFor(() => expect(onSave).toHaveBeenCalled());
-    expect(onSave).toHaveBeenCalledWith(
-      expect.objectContaining({ create_budget_entry: expect.objectContaining({ total_price: 120 }) })
+    expect(onSave).not.toHaveBeenCalledWith(expect.objectContaining({ create_budget_entry: expect.anything() }));
+    await waitFor(() =>
+      expect(onOpenExpense).toHaveBeenCalledWith(
+        expect.objectContaining({ prefill: expect.objectContaining({ reservationId: 55 }) })
+      )
    );
  });

+  it('FE-PLANNER-RESMODAL-026: linked expense summary shown for a booking with a linked cost', () => {
+    seedStore(useAddonStore, {
+      addons: [{ id: 'budget', name: 'Budget', type: 'budget', icon: '', enabled: true }],
+      loaded: true,
+    });
+    seedStore(useTripStore, {
+      trip: buildTrip({ id: 1 }),
+      budgetItems: [
+        { id: 7, trip_id: 1, name: 'Hotel deposit', total_price: 120, currency: 'EUR', category: 'accommodation', reservation_id: 9, members: [], payers: [], persons: 1, expense_date: null, paid_by_user_id: null },
+      ],
+    });
+    render(<ReservationModal {...defaultProps} reservation={buildReservation({ id: 9, type: 'hotel', title: 'Hotel Paris' })} />);
+    expect(screen.getByText('Hotel deposit')).toBeInTheDocument();
+  });
+
  // ── File upload ───────────────────────────────────────────────────────────────

  it('FE-PLANNER-RESMODAL-028: pending file added for new reservation on file input change', async () => {
@@ -599,22 +594,6 @@ describe('ReservationModal', () => {
    expect(filePickerItem).toBeInTheDocument();
  });

-  it('FE-PLANNER-RESMODAL-044: budget category dropdown options include existing categories', () => {
-    seedStore(useAddonStore, {
-      addons: [{ id: 'budget', name: 'Budget', type: 'budget', icon: '', enabled: true }],
-      loaded: true,
-    });
-    seedStore(useTripStore, {
-      trip: buildTrip({ id: 1 }),
-      budgetItems: [
-        { id: 1, trip_id: 1, name: 'Flight ticket', total_price: 300, category: 'Transport', paid_by_user_id: null, persons: 1, members: [], expense_date: null },
-      ],
-    });
-    render(<ReservationModal {...defaultProps} />);
-    // Budget section is visible
-    expect(screen.getByText(/Budget category/i)).toBeInTheDocument();
-  });
-
  it('FE-PLANNER-RESMODAL-045: tour type shows time pickers', async () => {
    render(<ReservationModal {...defaultProps} />);
    await userEvent.click(screen.getByRole('button', { name: /^Tour$/i }));
@@ -632,31 +611,6 @@ describe('ReservationModal', () => {
    await waitFor(() => expect(onSave).toHaveBeenCalledWith(expect.objectContaining({ type: 'other' })));
  });

-  it('FE-PLANNER-RESMODAL-047: clicking budget category select changes the value', async () => {
-    seedStore(useAddonStore, {
-      addons: [{ id: 'budget', name: 'Budget', type: 'budget', icon: '', enabled: true }],
-      loaded: true,
-    });
-    seedStore(useTripStore, {
-      trip: buildTrip({ id: 1 }),
-      budgetItems: [
-        { id: 1, trip_id: 1, name: 'Ticket', total_price: 100, category: 'Transport', paid_by_user_id: null, persons: 1, members: [], expense_date: null },
-      ],
-    });
-    render(<ReservationModal {...defaultProps} />);
-
-    // Open the budget category CustomSelect (shows placeholder "Auto (from booking type)")
-    const budgetCategoryBtn = screen.getByText(/Auto \(from booking type\)/i).closest('button')!;
-    await userEvent.click(budgetCategoryBtn);
-
-    // Click the "Transport" category option
-    await waitFor(() => expect(screen.getByText('Transport')).toBeInTheDocument());
-    await userEvent.click(screen.getByText('Transport'));
-
-    // The select should now show "Transport"
-    expect(screen.getByText('Transport')).toBeInTheDocument();
-  });
-
  it('FE-PLANNER-RESMODAL-048: clicking attach file button triggers file input', async () => {
    render(<ReservationModal {...defaultProps} />);
    const attachBtn = screen.getByRole('button', { name: /Attach file/i });
@@ -11,7 +11,10 @@ import { useTranslation } from '../../i18n'
 import { CustomDatePicker } from '../shared/CustomDateTimePicker'
 import CustomTimePicker from '../shared/CustomTimePicker'
 import { openFile } from '../../utils/fileDownload'
-import type { Day, Place, Reservation, TripFile, AssignmentsMap, Accommodation } from '../../types'
+import type { Day, Place, Reservation, TripFile, AssignmentsMap, Accommodation, BudgetItem } from '../../types'
+import { BookingCostsSection } from './BookingCostsSection'
+import type { BookingExpenseRequest } from './BookingCostsSection.types'
+import { typeToCostCategory } from '@trek/shared'

 const TYPE_OPTIONS = [
  { value: 'hotel',      labelKey: 'reservations.type.hotel',      Icon: Hotel },
@@ -60,9 +63,10 @@ interface ReservationModalProps {
  onFileDelete: (fileId: number) => Promise<void>
  accommodations?: Accommodation[]
  defaultAssignmentId?: number | null
+  onOpenExpense?: (req: BookingExpenseRequest) => void
 }

-export function ReservationModal({ isOpen, onClose, onSave, reservation, days, places, assignments, selectedDayId, files = [], onFileUpload, onFileDelete, accommodations = [], defaultAssignmentId = null }: ReservationModalProps) {
+export function ReservationModal({ isOpen, onClose, onSave, reservation, days, places, assignments, selectedDayId, files = [], onFileUpload, onFileDelete, accommodations = [], defaultAssignmentId = null, onOpenExpense }: ReservationModalProps) {
  const { id: tripId } = useParams<{ id: string }>()
  const loadFiles = useTripStore(s => s.loadFiles)
  const toast = useToast()
@@ -70,18 +74,14 @@ export function ReservationModal({ isOpen, onClose, onSave, reservation, days, p
  const fileInputRef = useRef(null)

  const isBudgetEnabled = useAddonStore(s => s.isEnabled('budget'))
-  const budgetItems = useTripStore(s => s.budgetItems)
-  const budgetCategories = useMemo(() => {
-    const cats = new Set<string>()
-    budgetItems.forEach(i => { if (i.category) cats.add(i.category) })
-    return Array.from(cats).sort()
-  }, [budgetItems])
+  const deleteBudgetItem = useTripStore(s => s.deleteBudgetItem)
+  // Set right before submit when the user clicked create/edit expense (see TransportModal).
+  const expenseIntentRef = useRef<{ editItem?: BudgetItem; create?: boolean } | null>(null)

  const [form, setForm] = useState({
    title: '', type: 'other', status: 'pending',
    reservation_time: '', reservation_end_time: '', end_date: '', location: '', confirmation_number: '',
    notes: '', assignment_id: '' as string | number, accommodation_id: '' as string | number,
-    price: '', budget_category: '',
    meta_check_in_time: '', meta_check_in_end_time: '', meta_check_out_time: '',
    hotel_place_id: '' as string | number, hotel_start_day: '' as string | number, hotel_end_day: '' as string | number,
  })
@@ -127,15 +127,12 @@ export function ReservationModal({ isOpen, onClose, onSave, reservation, days, p
        hotel_place_id: (() => { const acc = accommodations.find(a => a.id == reservation.accommodation_id); return acc?.place_id || '' })(),
        hotel_start_day: (() => { const acc = accommodations.find(a => a.id == reservation.accommodation_id); return acc?.start_day_id || '' })(),
        hotel_end_day: (() => { const acc = accommodations.find(a => a.id == reservation.accommodation_id); return acc?.end_day_id || '' })(),
-        price: meta.price || '',
-        budget_category: (meta.budget_category && budgetItems.some(i => i.category === meta.budget_category)) ? meta.budget_category : '',
      })
    } else {
      setForm({
        title: '', type: 'other', status: 'pending',
        reservation_time: '', reservation_end_time: '', end_date: '', location: '', confirmation_number: '',
        notes: '', assignment_id: defaultAssignmentId ?? '', accommodation_id: '',
-        price: '', budget_category: '',
        meta_check_in_time: '', meta_check_in_end_time: '', meta_check_out_time: '',
        hotel_place_id: '', hotel_start_day: '', hotel_end_day: '',
      })
@@ -167,8 +164,8 @@ export function ReservationModal({ isOpen, onClose, onSave, reservation, days, p
    return endFull <= startFull
  })()

-  const handleSubmit = async (e) => {
-    e.preventDefault()
+  const handleSubmit = async (e?: { preventDefault?: () => void }) => {
+    e?.preventDefault?.()
    if (!form.title.trim()) return
    if (isEndBeforeStart) { toast.error(t('reservations.validation.endBeforeStart')); return }
    setIsSaving(true)
@@ -185,11 +182,6 @@ export function ReservationModal({ isOpen, onClose, onSave, reservation, days, p
      } else if (form.reservation_end_time && form.reservation_time) {
        combinedEndTime = `${form.reservation_time.split('T')[0]}T${form.reservation_end_time}`
      }
-      if (isBudgetEnabled) {
-        if (form.price) metadata.price = form.price
-        if (form.budget_category) metadata.budget_category = form.budget_category
-      }
-
      const saveData: Record<string, any> & { title: string } = {
        title: form.title, type: form.type, status: form.status,
        reservation_time: form.type === 'hotel' ? null : (form.reservation_time || null),
@@ -202,11 +194,6 @@ export function ReservationModal({ isOpen, onClose, onSave, reservation, days, p
        endpoints: [],
        needs_review: false,
      }
-      if (isBudgetEnabled) {
-        saveData.create_budget_entry = form.price && parseFloat(form.price) > 0
-          ? { total_price: parseFloat(form.price), category: form.budget_category || t(`reservations.type.${form.type}`) || 'Other' }
-          : { total_price: 0 }
-      }
      if (form.type === 'hotel' && form.hotel_start_day && form.hotel_end_day) {
        saveData.create_accommodation = {
          place_id: form.hotel_place_id || null,
@@ -228,11 +215,25 @@ export function ReservationModal({ isOpen, onClose, onSave, reservation, days, p
          await onFileUpload(fd)
        }
      }
+      // Open the Costs editor for the saved booking when the user asked to
+      // create/edit its linked expense (gated on saved?.id).
+      const intent = expenseIntentRef.current
+      expenseIntentRef.current = null
+      if (intent && onOpenExpense && saved?.id) {
+        if (intent.editItem) onOpenExpense({ editItem: intent.editItem })
+        else onOpenExpense({ prefill: { reservationId: saved.id, name: form.title, category: typeToCostCategory(form.type) } })
+      }
    } finally {
      setIsSaving(false)
    }
  }

+  const handleCreateExpense = () => { expenseIntentRef.current = { create: true }; handleSubmit() }
+  const handleEditExpense = (item: BudgetItem) => { expenseIntentRef.current = { editItem: item }; handleSubmit() }
+  const handleRemoveExpense = async (item: BudgetItem) => {
+    try { await deleteBudgetItem(Number(tripId), item.id) } catch { toast.error(t('common.unknownError')) }
+  }
+
  const handleFileChange = async (e) => {
    const file = (e.target as HTMLInputElement).files?.[0]
    if (!file) return
@@ -610,38 +611,14 @@ export function ReservationModal({ isOpen, onClose, onSave, reservation, days, p
          </div>
        </div>

-        {/* Price + Budget Category */}
+        {/* Costs — create / view the expense linked to this booking */}
        {isBudgetEnabled && (
-          <>
-            <div style={{ display: 'flex', gap: 8 }}>
-              <div style={{ flex: 1, minWidth: 0 }}>
-                <label className={labelClass}>{t('reservations.price')}</label>
-                <input type="text" inputMode="decimal" value={form.price}
-                  onChange={e => { const v = e.target.value; if (v === '' || /^\d*[.,]?\d{0,2}$/.test(v)) set('price', v.replace(',', '.')) }}
-                  onPaste={e => { e.preventDefault(); let txt = e.clipboardData.getData('text').trim().replace(/[^\d.,-]/g, ''); const lc = txt.lastIndexOf(','), ld = txt.lastIndexOf('.'), dp = Math.max(lc, ld); if (dp > -1) { txt = txt.substring(0, dp).replace(/[.,]/g, '') + '.' + txt.substring(dp + 1) } else { txt = txt.replace(/[.,]/g, '') } set('price', txt) }}
-                  placeholder="0.00"
-                  className={inputClass} />
-              </div>
-              <div style={{ flex: 1, minWidth: 0 }}>
-                <label className={labelClass}>{t('reservations.budgetCategory')}</label>
-                <CustomSelect
-                  value={form.budget_category}
-                  onChange={v => set('budget_category', v)}
-                  options={[
-                    { value: '', label: t('reservations.budgetCategoryAuto') },
-                    ...budgetCategories.map(c => ({ value: c, label: c })),
-                  ]}
-                  placeholder={t('reservations.budgetCategoryAuto')}
-                  size="sm"
-                />
-              </div>
-            </div>
-            {form.price && parseFloat(form.price) > 0 && (
-              <div className="text-content-faint" style={{ fontSize: 11, marginTop: -4 }}>
-                {t('reservations.budgetHint')}
-              </div>
-            )}
-          </>
+          <BookingCostsSection
+            reservationId={reservation?.id ?? null}
+            onCreate={handleCreateExpense}
+            onEdit={handleEditExpense}
+            onRemove={handleRemoveExpense}
+          />
        )}

      </form>
@@ -132,34 +132,37 @@ describe('TransportModal', () => {

  // ── Budget addon ─────────────────────────────────────────────────────────────

-  it('FE-PLANNER-TRANSMODAL-011: budget section visible when addon is enabled', () => {
+  it('FE-PLANNER-TRANSMODAL-011: costs section (create expense) visible when budget addon is enabled', () => {
    seedStore(useAddonStore, {
      addons: [{ id: 'budget', name: 'Budget', type: 'budget', icon: '', enabled: true }],
      loaded: true,
    });
    render(<TransportModal {...defaultProps} />);
-    expect(screen.getByText(/^Price$/i)).toBeInTheDocument();
-    expect(screen.getByText(/Budget category/i)).toBeInTheDocument();
+    expect(screen.getByRole('button', { name: /Create expense/i })).toBeInTheDocument();
  });

-  it('FE-PLANNER-TRANSMODAL-012: budget section not shown when addon is disabled', () => {
+  it('FE-PLANNER-TRANSMODAL-012: costs section not shown when budget addon is disabled', () => {
    render(<TransportModal {...defaultProps} />);
-    expect(screen.queryByPlaceholderText('0.00')).not.toBeInTheDocument();
+    expect(screen.queryByRole('button', { name: /Create expense/i })).not.toBeInTheDocument();
  });

-  it('FE-PLANNER-TRANSMODAL-013: budget fields included in onSave when price is set', async () => {
+  it('FE-PLANNER-TRANSMODAL-013: create-expense saves the booking (no create_budget_entry) then opens the Costs editor', async () => {
    seedStore(useAddonStore, {
      addons: [{ id: 'budget', name: 'Budget', type: 'budget', icon: '', enabled: true }],
      loaded: true,
    });
-    const onSave = vi.fn().mockResolvedValue(undefined);
-    render(<TransportModal {...defaultProps} onSave={onSave} />);
+    const onSave = vi.fn().mockResolvedValue({ id: 42 });
+    const onOpenExpense = vi.fn();
+    render(<TransportModal {...defaultProps} onSave={onSave} onOpenExpense={onOpenExpense} />);
    await userEvent.type(screen.getByPlaceholderText(/e\.g\. Lufthansa/i), 'ICE Train');
-    await userEvent.type(screen.getByPlaceholderText('0.00'), '85');
-    await userEvent.click(screen.getByRole('button', { name: /^Add$/i }));
+    await userEvent.click(screen.getByRole('button', { name: /Create expense/i }));
    await waitFor(() => expect(onSave).toHaveBeenCalled());
-    expect(onSave).toHaveBeenCalledWith(
-      expect.objectContaining({ create_budget_entry: expect.objectContaining({ total_price: 85 }) })
+    // The legacy auto-budget mechanism is gone; the expense is created via the editor instead.
+    expect(onSave).not.toHaveBeenCalledWith(expect.objectContaining({ create_budget_entry: expect.anything() }));
+    await waitFor(() =>
+      expect(onOpenExpense).toHaveBeenCalledWith(
+        expect.objectContaining({ prefill: expect.objectContaining({ reservationId: 42 }) })
+      )
    );
  });

@@ -1,4 +1,4 @@
-import { useState, useEffect, useMemo, useRef } from 'react'
+import { useState, useEffect, useRef } from 'react'
 import { useParams } from 'react-router-dom'
 import { Plane, Train, Car, Ship, Bus, Sailboat, Bike, CarTaxiFront, Route, Paperclip, FileText, X, ExternalLink, Link2, Plus, Trash2 } from 'lucide-react'
 import Modal from '../shared/Modal'
@@ -13,8 +13,11 @@ import { useAddonStore } from '../../store/addonStore'
 import { formatDate, splitReservationDateTime } from '../../utils/formatters'
 import { openFile } from '../../utils/fileDownload'
 import apiClient from '../../api/client'
-import type { Day, Reservation, ReservationEndpoint, TripFile } from '../../types'
+import type { Day, Reservation, ReservationEndpoint, TripFile, BudgetItem } from '../../types'
 import { parseReservationMetadata, orderedEndpoints } from '../../utils/flightLegs'
+import { BookingCostsSection } from './BookingCostsSection'
+import type { BookingExpenseRequest } from './BookingCostsSection.types'
+import { typeToCostCategory } from '@trek/shared'

 const TRANSPORT_TYPES = ['flight', 'train', 'bus', 'car', 'taxi', 'bicycle', 'cruise', 'ferry', 'transport_other'] as const
 type TransportType = typeof TRANSPORT_TYPES[number]
@@ -105,8 +108,6 @@ const defaultForm = {
  arrival_time: '',
  confirmation_number: '',
  notes: '',
-  price: '',
-  budget_category: '',
  meta_airline: '',
  meta_flight_number: '',
  meta_train_number: '',
@@ -124,20 +125,20 @@ interface TransportModalProps {
  files?: TripFile[]
  onFileUpload?: (fd: FormData) => Promise<unknown>
  onFileDelete?: (fileId: number) => Promise<void>
+  onOpenExpense?: (req: BookingExpenseRequest) => void
 }

-export function TransportModal({ isOpen, onClose, onSave, reservation, days, selectedDayId, files = [], onFileUpload, onFileDelete }: TransportModalProps) {
+export function TransportModal({ isOpen, onClose, onSave, reservation, days, selectedDayId, files = [], onFileUpload, onFileDelete, onOpenExpense }: TransportModalProps) {
  const { t, locale } = useTranslation()
  const toast = useToast()
  const isBudgetEnabled = useAddonStore(s => s.isEnabled('budget'))
  const budgetItems = useTripStore(s => s.budgetItems)
+  const deleteBudgetItem = useTripStore(s => s.deleteBudgetItem)
  const loadFiles = useTripStore(s => s.loadFiles)
-  const budgetCategories = useMemo(() => {
-    const cats = new Set<string>()
-    budgetItems.forEach(i => { if (i.category) cats.add(i.category) })
-    return Array.from(cats).sort()
-  }, [budgetItems])
  const { id: tripId } = useParams<{ id: string }>()
+  // Set right before submitting when the user clicked "create/edit expense", so
+  // the post-save handler knows to open the Costs editor for the saved booking.
+  const expenseIntentRef = useRef<{ editItem?: BudgetItem; create?: boolean } | null>(null)
  const [form, setForm] = useState({ ...defaultForm })
  const [isSaving, setIsSaving] = useState(false)
  const [fromPick, setFromPick] = useState<EndpointPick>({})
@@ -177,8 +178,6 @@ export function TransportModal({ isOpen, onClose, onSave, reservation, days, sel
        meta_train_number: meta.train_number || '',
        meta_platform: meta.platform || '',
        meta_seat: meta.seat || '',
-        price: meta.price || '',
-        budget_category: (meta.budget_category && budgetItems.some(i => i.category === meta.budget_category)) ? meta.budget_category : '',
      })
      if (type === 'flight') {
        const orderedEps = orderedEndpoints(reservation)
@@ -229,8 +228,8 @@ export function TransportModal({ isOpen, onClose, onSave, reservation, days, sel

  const set = (field: string, value: any) => setForm(prev => ({ ...prev, [field]: value }))

-  const handleSubmit = async (e: React.FormEvent) => {
-    e.preventDefault()
+  const handleSubmit = async (e?: React.FormEvent) => {
+    e?.preventDefault()
    if (!form.title.trim()) return
    setIsSaving(true)
    try {
@@ -289,11 +288,6 @@ export function TransportModal({ isOpen, onClose, onSave, reservation, days, sel
        if (form.meta_platform) metadata.platform = form.meta_platform
        if (form.meta_seat) metadata.seat = form.meta_seat
      }
-      if (isBudgetEnabled) {
-        if (form.price) metadata.price = form.price
-        if (form.budget_category) metadata.budget_category = form.budget_category
-      }
-
      const startDate = startDay?.date ?? null
      const endDate = (endDay ?? startDay)?.date ?? null
      const endpoints: ReturnType<typeof endpointFromAirport>[] = []
@@ -334,11 +328,6 @@ export function TransportModal({ isOpen, onClose, onSave, reservation, days, sel
        endpoints,
        needs_review: false,
      }
-      if (isBudgetEnabled) {
-        (payload as any).create_budget_entry = form.price && parseFloat(form.price) > 0
-          ? { total_price: parseFloat(form.price), category: form.budget_category || t(`reservations.type.${form.type}`) || 'Other' }
-          : { total_price: 0 }
-      }
      const saved = await onSave(payload)
      if (!reservation?.id && saved?.id && pendingFiles.length > 0 && onFileUpload) {
        for (const file of pendingFiles) {
@@ -349,6 +338,14 @@ export function TransportModal({ isOpen, onClose, onSave, reservation, days, sel
          await onFileUpload(fd)
        }
      }
+      // The user asked to create/edit the linked expense — open the Costs editor
+      // for the now-saved booking. Gated on saved?.id so a failed save doesn't.
+      const intent = expenseIntentRef.current
+      expenseIntentRef.current = null
+      if (intent && onOpenExpense && saved?.id) {
+        if (intent.editItem) onOpenExpense({ editItem: intent.editItem })
+        else onOpenExpense({ prefill: { reservationId: saved.id, name: form.title, category: typeToCostCategory(form.type) } })
+      }
    } catch (err: unknown) {
      toast.error(err instanceof Error ? err.message : t('common.unknownError'))
    } finally {
@@ -356,6 +353,12 @@ export function TransportModal({ isOpen, onClose, onSave, reservation, days, sel
    }
  }

+  const handleCreateExpense = () => { expenseIntentRef.current = { create: true }; handleSubmit() }
+  const handleEditExpense = (item: BudgetItem) => { expenseIntentRef.current = { editItem: item }; handleSubmit() }
+  const handleRemoveExpense = async (item: BudgetItem) => {
+    try { await deleteBudgetItem(Number(tripId), item.id) } catch { toast.error(t('common.unknownError')) }
+  }
+
  const handleFileChange = async (e: React.ChangeEvent<HTMLInputElement>) => {
    const file = e.target.files?.[0]
    if (!file) return
@@ -712,38 +715,14 @@ export function TransportModal({ isOpen, onClose, onSave, reservation, days, sel
          </div>
        </div>

-        {/* Price + Budget Category */}
+        {/* Costs — create / view the expense linked to this booking */}
        {isBudgetEnabled && (
-          <>
-            <div style={{ display: 'flex', gap: 8 }}>
-              <div style={{ flex: 1, minWidth: 0 }}>
-                <label className={labelClass}>{t('reservations.price')}</label>
-                <input type="text" inputMode="decimal" value={form.price}
-                  onChange={e => { const v = e.target.value; if (v === '' || /^\d*[.,]?\d{0,2}$/.test(v)) set('price', v.replace(',', '.')) }}
-                  onPaste={e => { e.preventDefault(); let txt = e.clipboardData.getData('text').trim().replace(/[^\d.,-]/g, ''); const lc = txt.lastIndexOf(','), ld = txt.lastIndexOf('.'), dp = Math.max(lc, ld); if (dp > -1) { txt = txt.substring(0, dp).replace(/[.,]/g, '') + '.' + txt.substring(dp + 1) } else { txt = txt.replace(/[.,]/g, '') } set('price', txt) }}
-                  placeholder="0.00"
-                  className={inputClass} />
-              </div>
-              <div style={{ flex: 1, minWidth: 0 }}>
-                <label className={labelClass}>{t('reservations.budgetCategory')}</label>
-                <CustomSelect
-                  value={form.budget_category}
-                  onChange={v => set('budget_category', v)}
-                  options={[
-                    { value: '', label: t('reservations.budgetCategoryAuto') },
-                    ...budgetCategories.map(c => ({ value: c, label: c })),
-                  ]}
-                  placeholder={t('reservations.budgetCategoryAuto')}
-                  size="sm"
-                />
-              </div>
-            </div>
-            {form.price && parseFloat(form.price) > 0 && (
-              <div className="text-content-faint" style={{ fontSize: 11, marginTop: -4 }}>
-                {t('reservations.budgetHint')}
-              </div>
-            )}
-          </>
+          <BookingCostsSection
+            reservationId={reservation?.id ?? null}
+            onCreate={handleCreateExpense}
+            onEdit={handleEditExpense}
+            onRemove={handleRemoveExpense}
+          />
        )}

      </form>
@@ -1,8 +1,8 @@
 import React from 'react'

-export default function ToggleSwitch({ on, onToggle }: { on: boolean; onToggle: () => void }) {
+export default function ToggleSwitch({ on, onToggle, label }: { on: boolean; onToggle: () => void; label?: string }) {
  return (
-    <button type="button" onClick={onToggle}
+    <button type="button" onClick={onToggle} aria-pressed={on} aria-label={label}
      style={{
        position: 'relative', width: 44, height: 24, minWidth: 44, flexShrink: 0,
        borderRadius: 12, border: 'none', padding: 0, cursor: 'pointer',
@@ -288,4 +288,26 @@ describe('TripFormModal', () => {
    await user.click(submitBtn.closest('button')!);
    await waitFor(() => expect(screen.getByText('Saving...')).toBeInTheDocument());
  });
+
+  it('FE-COMP-TRIPFORM-029: clearing the day count leaves the field empty (no snap to 1)', () => {
+    render(<TripFormModal {...defaultProps} trip={null} />);
+    const dayInput = document.querySelector('input[max="365"]') as HTMLInputElement;
+    expect(dayInput).toBeInTheDocument();
+    expect(dayInput.value).toBe('7');
+    fireEvent.change(dayInput, { target: { value: '' } });
+    expect(dayInput.value).toBe('');
+  });
+
+  it('FE-COMP-TRIPFORM-030: empty day count blocks submit with an error', async () => {
+    const user = userEvent.setup();
+    const onSave = vi.fn();
+    render(<TripFormModal {...defaultProps} trip={null} onSave={onSave} />);
+    await user.type(screen.getByPlaceholderText(/Summer in Japan/i), 'No-date Trip');
+    const dayInput = document.querySelector('input[max="365"]') as HTMLInputElement;
+    fireEvent.change(dayInput, { target: { value: '' } });
+    const submitBtn = screen.getAllByText('Create New Trip').find(el => el.closest('button'))!;
+    await user.click(submitBtn.closest('button')!);
+    await screen.findByText('Number of days is required');
+    expect(onSave).not.toHaveBeenCalled();
+  });
 });
@@ -40,7 +40,7 @@ export default function TripFormModal({ isOpen, onClose, onSave, trip, onCoverUp
    start_date: '',
    end_date: '',
    reminder_days: 0 as number,
-    day_count: 7,
+    day_count: 7 as number | '',
  })
  const [customReminder, setCustomReminder] = useState(false)
  const [error, setError] = useState('')
@@ -100,6 +100,12 @@ export default function TripFormModal({ isOpen, onClose, onSave, trip, onCoverUp
    if (formData.start_date && formData.end_date && new Date(formData.end_date) < new Date(formData.start_date)) {
      setError(t('dashboard.endDateError')); return
    }
+    if (!formData.start_date && !formData.end_date) {
+      const dc = Number(formData.day_count)
+      if (formData.day_count === '' || !Number.isInteger(dc) || dc < 1 || dc > 365) {
+        setError(t('dashboard.dayCountRequired')); return
+      }
+    }
    setIsLoading(true)
    try {
      const result = await onSave({
@@ -108,7 +114,7 @@ export default function TripFormModal({ isOpen, onClose, onSave, trip, onCoverUp
        start_date: formData.start_date || null,
        end_date: formData.end_date || null,
        reminder_days: formData.reminder_days,
-        ...(!formData.start_date && !formData.end_date ? { day_count: formData.day_count } : {}),
+        ...(!formData.start_date && !formData.end_date ? { day_count: Number(formData.day_count) } : {}),
      })
      const createdTrip = result ? result.trip : undefined
      // Add selected members for newly created trips
@@ -320,7 +326,12 @@ export default function TripFormModal({ isOpen, onClose, onSave, trip, onCoverUp
              {t('dashboard.dayCount')}
            </label>
            <input type="number" min={1} max={365} value={formData.day_count}
-              onChange={e => update('day_count', Math.max(1, Math.min(365, Number(e.target.value) || 1)))}
+              onChange={e => {
+                const raw = e.target.value
+                if (raw === '') { update('day_count', ''); return }
+                const n = Math.floor(Number(raw))
+                if (Number.isFinite(n)) update('day_count', Math.min(365, Math.max(1, n)))
+              }}
              className={inputCls} />
            <p className="text-xs text-slate-400 mt-1.5">{t('dashboard.dayCountHint')}</p>
          </div>
@@ -69,7 +69,7 @@ export default function VacayCalendar() {

  return (
    <div>
-      <div className="grid grid-cols-1 sm:grid-cols-2 lg:grid-cols-3 xl:grid-cols-4 gap-3 pb-14">
+      <div className="grid grid-cols-1 sm:grid-cols-2 lg:grid-cols-3 xl:grid-cols-4 gap-3" style={{ paddingBottom: 'calc(var(--bottom-nav-h, 0px) + 80px)' }}>
        {Array.from({ length: 12 }, (_, i) => (
          <VacayMonthCard
            key={i}
@@ -89,8 +89,8 @@ export default function VacayCalendar() {
        ))}
      </div>

-      {/* Floating toolbar */}
-      <div className="sticky bottom-3 sm:bottom-4 mt-3 sm:mt-4 flex items-center justify-center z-30 px-2">
+      {/* Floating toolbar — lift above the mobile bottom nav (z-60). On desktop --bottom-nav-h is 0px. */}
+      <div className="sticky mt-3 sm:mt-4 flex items-center justify-center px-2" style={{ bottom: 'calc(var(--bottom-nav-h, 0px) + 12px)', zIndex: 61 }}>
        <div className="flex items-center gap-1.5 sm:gap-2 px-2 sm:px-3 py-1.5 sm:py-2 rounded-xl border bg-surface-card border-edge" style={{ boxShadow: '0 8px 32px rgba(0,0,0,0.12)' }}>
          <button
            onClick={() => setCompanyMode(false)}
@@ -2,7 +2,7 @@ import { useCallback, useEffect, useState } from 'react'

 /**
 * Live FX rates for the Costs panel, used to convert every amount into the user's
- * display currency. Fetches exchangerate-api.com (no key, already CSP-allowlisted
+ * display currency. Fetches api.frankfurter.dev (no key, already CSP-allowlisted
 * for the dashboard widget) for the given base and caches per base in memory +
 * localStorage for a few hours. rates[X] = units of X per 1 base, so an amount in
 * currency C converts to base as `amount / rates[C]`.
@@ -33,14 +33,19 @@ export function useExchangeRates(base: string) {
    if (cached) setRates(cached.rates)
    if (cached && Date.now() - cached.ts < TTL_MS) return
    let cancelled = false
-    fetch(`https://api.exchangerate-api.com/v4/latest/${encodeURIComponent(upper)}`)
+    fetch(`https://api.frankfurter.dev/v2/rates?base=${encodeURIComponent(upper)}`)
      .then(r => r.json())
-      .then((d: { rates?: Record<string, number> }) => {
-        if (cancelled || !d?.rates) return
-        const entry = { rates: d.rates, ts: Date.now() }
+      .then((d: Array<{ quote?: string; rate?: number }>) => {
+        if (cancelled || !Array.isArray(d)) return
+        // Frankfurter omits the base's own self-rate, so seed it with `base = 1`.
+        const rates: Record<string, number> = { [upper]: 1 }
+        for (const r of d) {
+          if (r && typeof r.quote === 'string' && typeof r.rate === 'number') rates[r.quote] = r.rate
+        }
+        const entry = { rates, ts: Date.now() }
        mem.set(upper, entry)
        try { localStorage.setItem('trek_fx_' + upper, JSON.stringify(entry)) } catch { /* ignore */ }
-        setRates(d.rates)
+        setRates(rates)
      })
      .catch(() => { /* offline → keep cached/identity */ })
    return () => { cancelled = true }
@@ -1,6 +1,7 @@
 import { useState, useCallback, useRef, useEffect, useMemo } from 'react'
 import { useTripStore } from '../store/tripStore'
 import { calculateRouteWithLegs } from '../components/Map/RouteCalculator'
+import { getTransportRouteEndpoints } from '../utils/dayMerge'
 import type { TripStoreState } from '../store/tripStore'
 import type { RouteSegment, RouteResult } from '../types'

@@ -53,12 +54,6 @@ export function useRouteCalculation(tripStore: TripStoreState, selectedDayId: nu
      return pos != null
    })

-    // The departure/arrival coordinate of a transport, if its endpoints carry one.
-    const epLoc = (r: any, role: 'from' | 'to'): { lat: number; lng: number } | null => {
-      const e = (r.endpoints || []).find((x: any) => x.role === role)
-      return e && e.lat != null && e.lng != null ? { lat: e.lat, lng: e.lng } : null
-    }
-
    // Build a unified list of places + transports sorted by effective position.
    type Entry =
      | { kind: 'place'; lat: number; lng: number; pos: number }
@@ -67,12 +62,15 @@ export function useRouteCalculation(tripStore: TripStoreState, selectedDayId: nu
      ...da.filter(a => a.place?.lat && a.place?.lng).map(a => ({
        kind: 'place' as const, lat: a.place.lat!, lng: a.place.lng!, pos: a.order_index,
      })),
-      ...dayTransports.map(r => ({
-        kind: 'transport' as const,
-        from: epLoc(r, 'from'),
-        to: epLoc(r, 'to'),
-        pos: (r.day_positions?.[dayId] ?? r.day_positions?.[String(dayId)] ?? r.day_plan_position) as number,
-      })),
+      ...dayTransports.map(r => {
+        const { from, to } = getTransportRouteEndpoints(r, dayId)
+        return {
+          kind: 'transport' as const,
+          from,
+          to,
+          pos: (r.day_positions?.[dayId] ?? r.day_positions?.[String(dayId)] ?? r.day_plan_position) as number,
+        }
+      }),
    ].sort((a, b) => a.pos - b.pos)

    // Group located places into driving runs.
@@ -20,8 +20,11 @@ beforeEach(() => {
  } as any);
  // Intercept CurrencyWidget's external fetch so it resolves before teardown
  server.use(
-    http.get('https://api.exchangerate-api.com/v4/latest/:currency', () => {
-      return HttpResponse.json({ rates: { USD: 1.08, EUR: 1, CHF: 0.97 } });
+    http.get('https://api.frankfurter.dev/v2/rates', () => {
+      return HttpResponse.json([
+        { date: '2026-06-16', base: 'EUR', quote: 'USD', rate: 1.08 },
+        { date: '2026-06-16', base: 'EUR', quote: 'CHF', rate: 0.97 },
+      ]);
    }),
  );
 });
@@ -18,6 +18,8 @@ import {
  Plane, Hotel, Utensils, Clock, RefreshCw, ArrowRightLeft, Calendar,
  LayoutGrid, List, Ticket, X,
 } from 'lucide-react'
+import { formatTime, splitReservationDateTime } from '../utils/formatters'
+import { useSettingsStore } from '../store/settingsStore'
 import '../styles/dashboard.css'

 const GRADIENTS = [
@@ -461,9 +463,15 @@ function CurrencyTool(): React.ReactElement {
  const [rates, setRates] = useState<Record<string, number> | null>(null)

  const fetchRate = React.useCallback(() => {
-    fetch(`https://api.exchangerate-api.com/v4/latest/${from}`)
+    fetch(`https://api.frankfurter.dev/v2/rates?base=${from}`)
      .then(r => r.json())
-      .then(d => setRates(d.rates ?? null))
+      .then((d: Array<{ quote: string; rate: number }>) => {
+        if (!Array.isArray(d)) { setRates(null); return }
+        // Frankfurter omits the base's own self-rate; seed it so `from` stays selectable.
+        const map: Record<string, number> = { [from]: 1 }
+        for (const r of d) map[r.quote] = r.rate
+        setRates(map)
+      })
      .catch(() => setRates(null))
  }, [from])

@@ -596,6 +604,7 @@ function UpcomingTool({ items, locale, onOpen }: {
  items: UpcomingReservation[]; locale: string; onOpen: (tripId: number) => void
 }): React.ReactElement {
  const { t } = useTranslation()
+  const timeFormat = useSettingsStore(s => s.settings.time_format)
  return (
    <div className="tool">
      <div className="tool-head">
@@ -606,10 +615,13 @@ function UpcomingTool({ items, locale, onOpen }: {
      ) : (
        <div className="upc-list">
          {items.map(r => {
-            const when = r.reservation_time || (r.day_date ? r.day_date + 'T00:00:00' : null)
-            const d = when ? new Date(when) : null
-            const dateStr = d ? splitDate(d.toISOString().slice(0, 10), locale) : null
-            const timeStr = r.reservation_time ? new Date(r.reservation_time).toLocaleTimeString(locale, { hour: '2-digit', minute: '2-digit' }) : null
+            // Read the date/time straight from the stored string parts. Going through
+            // new Date(...).toISOString() reinterprets the naive local time as UTC and
+            // can roll the displayed day forward/back in non-UTC timezones.
+            const parsed = splitReservationDateTime(r.reservation_time)
+            const datePart = parsed.date || r.day_date || null
+            const dateStr = datePart ? splitDate(datePart, locale) : null
+            const timeStr = parsed.time ? formatTime(parsed.time, locale, timeFormat) : null
            const typeClass = RES_TYPE_CLASS[r.type] || 'other'
            return (
              <div className="upc-item" key={r.id} onClick={() => onOpen(r.trip_id)}>
@@ -103,6 +103,38 @@ describe('LoginPage', () => {
    });
  });

+  describe('FE-PAGE-LOGIN-007: Remember me sends remember_me to the API', () => {
+    it('renders an off toggle and forwards remember_me: true when toggled on', async () => {
+      let capturedBody: Record<string, unknown> | null = null;
+      server.use(
+        http.post('/api/auth/login', async ({ request }) => {
+          capturedBody = (await request.json()) as Record<string, unknown>;
+          return HttpResponse.json({ user: { id: 1, username: 'test', email: 'test@example.com', role: 'user' } });
+        }),
+      );
+
+      const user = userEvent.setup();
+      render(<LoginPage />);
+
+      await waitFor(() => {
+        expect(screen.getByPlaceholderText(EMAIL_PLACEHOLDER)).toBeInTheDocument();
+      });
+
+      const toggle = screen.getByRole('button', { name: /remember me/i });
+      expect(toggle).toHaveAttribute('aria-pressed', 'false');
+
+      await user.type(screen.getByPlaceholderText(EMAIL_PLACEHOLDER), 'user@example.com');
+      await user.type(screen.getByPlaceholderText(PASSWORD_PLACEHOLDER), 'password123');
+      await user.click(toggle);
+      expect(toggle).toHaveAttribute('aria-pressed', 'true');
+      await user.click(screen.getByRole('button', { name: /sign in/i }));
+
+      await waitFor(() => {
+        expect(capturedBody).toEqual(expect.objectContaining({ remember_me: true }));
+      });
+    });
+  });
+
  describe('FE-PAGE-LOGIN-005: Registration toggle visible', () => {
    it('shows a Register button to switch to registration mode', async () => {
      // Default appConfig has allow_registration: true, has_users: true
@@ -2,6 +2,7 @@ import React from 'react'
 import { SUPPORTED_LANGUAGES, useTranslation } from '../i18n'
 import { Plane, Eye, EyeOff, Mail, Lock, MapPin, Calendar, Package, User, Globe, Zap, Users, Wallet, Map, CheckSquare, BookMarked, FolderOpen, Route, Shield, KeyRound, ChevronDown, Fingerprint } from 'lucide-react'
 import { useLogin } from './login/useLogin'
+import ToggleSwitch from '../components/Settings/ToggleSwitch'

 export default function LoginPage(): React.ReactElement {
  const { t, language } = useTranslation()
@@ -9,7 +10,7 @@ export default function LoginPage(): React.ReactElement {
  const {
    navigate,
    mode, setMode,
-    username, setUsername, email, setEmail, password, setPassword, showPassword, setShowPassword,
+    username, setUsername, email, setEmail, password, setPassword, rememberMe, setRememberMe, showPassword, setShowPassword,
    isLoading, error, setError, appConfig, inviteToken,
    langDropdownOpen, setLangDropdownOpen, setLanguageLocal,
    showTakeoff, mfaStep, setMfaStep, mfaToken, setMfaToken, mfaCode, setMfaCode,
@@ -572,7 +573,16 @@ export default function LoginPage(): React.ReactElement {
                  </button>
                </div>
                {mode === 'login' && (
-                  <div style={{ textAlign: 'right', marginTop: 6 }}>
+                  <div style={{ display: 'flex', alignItems: 'center', justifyContent: 'space-between', gap: 12, marginTop: 8 }}>
+                    <div style={{ display: 'flex', alignItems: 'center', gap: 8 }}>
+                      <ToggleSwitch on={rememberMe} onToggle={() => setRememberMe(!rememberMe)} label={t('login.rememberMe')} />
+                      <span
+                        onClick={() => setRememberMe(!rememberMe)}
+                        style={{ cursor: 'pointer', color: '#374151', fontSize: 12.5, fontWeight: 500, userSelect: 'none' }}
+                      >
+                        {t('login.rememberMe')}
+                      </span>
+                    </div>
                    <button type="button" onClick={() => navigate('/forgot-password')} style={{
                      background: 'none', border: 'none', cursor: 'pointer', padding: 0,
                      color: '#6b7280', fontSize: 12.5, fontWeight: 500, fontFamily: 'inherit',
@@ -405,4 +405,79 @@ describe('SharedTripPage', () => {
      });
    });
  });
+
+  describe('FE-PAGE-SHARED-017: Multi-leg flight shows each leg in the Day Plan', () => {
+    const day = { id: 101, trip_id: 1, day_number: 1, date: '2026-07-01', title: 'Day One', notes: null };
+    const multiLegFlight = {
+      id: 9, trip_id: 1, title: 'Flight', type: 'flight', status: 'confirmed',
+      day_id: 101, end_day_id: 101,
+      reservation_time: '2026-07-01T08:00:00', reservation_end_time: '2026-07-01T20:00:00',
+      metadata: JSON.stringify({
+        legs: [
+          { from: 'FRA', to: 'BER', airline: 'Lufthansa', flight_number: 'LH1', dep_day_id: 101, dep_time: '08:00', arr_day_id: 101, arr_time: '09:00' },
+          { from: 'BER', to: 'HND', airline: 'Lufthansa', flight_number: 'LH2', dep_day_id: 101, dep_time: '10:00', arr_day_id: 101, arr_time: '20:00' },
+        ],
+        departure_airport: 'FRA', arrival_airport: 'HND', airline: 'Lufthansa', flight_number: 'LH1',
+      }),
+    };
+
+    function serveMultiLeg(token: string) {
+      server.use(
+        http.get('/api/shared/:token', ({ params }) => {
+          if (params.token !== token) return;
+          return HttpResponse.json({
+            trip: { id: 1, title: 'Shared Paris Trip', start_date: '2026-07-01', end_date: '2026-07-05' },
+            days: [day],
+            assignments: {},
+            dayNotes: {},
+            places: [],
+            reservations: [multiLegFlight],
+            accommodations: [],
+            packing: [],
+            budget: [],
+            categories: [],
+            permissions: { share_bookings: true, share_packing: false, share_budget: false, share_collab: false },
+            collab: [],
+          });
+        }),
+      );
+    }
+
+    it('renders each leg with its own route, not the overall start/end', async () => {
+      serveMultiLeg('multileg-token');
+      renderSharedTrip('multileg-token');
+
+      await waitFor(() => {
+        expect(screen.getByText('Shared Paris Trip')).toBeInTheDocument();
+      });
+
+      // Expand the day to reveal the timeline
+      fireEvent.click(screen.getByText('Day One'));
+
+      await waitFor(() => {
+        expect(screen.getByText(/FRA → BER/)).toBeInTheDocument();
+      });
+      // Second leg shows its OWN route + flight number (the bug showed the overall route here)
+      expect(screen.getByText(/BER → HND/)).toBeInTheDocument();
+      expect(screen.getByText(/LH2/)).toBeInTheDocument();
+      // The overall start→end must NOT appear on any leg
+      expect(screen.queryByText(/FRA → HND/)).toBeNull();
+    });
+
+    it('lists each leg flight number in the Bookings tab', async () => {
+      serveMultiLeg('multileg-bookings-token');
+      renderSharedTrip('multileg-bookings-token');
+
+      await waitFor(() => {
+        expect(screen.getByText('Shared Paris Trip')).toBeInTheDocument();
+      });
+
+      fireEvent.click(screen.getByRole('button', { name: /bookings/i }));
+
+      await waitFor(() => {
+        expect(screen.getByText(/LH1/)).toBeInTheDocument();
+      });
+      expect(screen.getByText(/LH2/)).toBeInTheDocument();
+    });
+  });
 });
@@ -11,6 +11,7 @@ import { renderToStaticMarkup } from 'react-dom/server'
 import { Clock, MapPin, FileText, Train, Plane, Bus, Car, Ship, Ticket, Hotel, Map, Luggage, Wallet, MessageCircle } from 'lucide-react'
 import { isDayInAccommodationRange } from '../utils/dayOrder'
 import { getTransportForDay, getMergedItems } from '../utils/dayMerge'
+import { getFlightLegs } from '../utils/flightLegs'
 import { splitReservationDateTime } from '../utils/formatters'

 const TRANSPORT_ICONS = { flight: Plane, train: Train, bus: Bus, car: Car, cruise: Ship }
@@ -214,16 +215,24 @@ export default function SharedTripPage() {
                        const TIcon = TRANSPORT_ICONS[r.type] || Ticket
                        const meta = typeof r.metadata === 'string' ? JSON.parse(r.metadata || '{}') : (r.metadata || {})
                        const time = splitReservationDateTime(r.reservation_time).time ?? ''
+                        const endTime = splitReservationDateTime(r.reservation_end_time).time ?? ''
                        let sub = ''
-                        if (r.type === 'flight') sub = [meta.airline, meta.flight_number, meta.departure_airport && meta.arrival_airport ? `${meta.departure_airport} → ${meta.arrival_airport}` : ''].filter(Boolean).join(' · ')
+                        if (r.type === 'flight') {
+                          if (r.__leg) {
+                            // One leg of a multi-leg flight — show this segment's own route/flight number.
+                            sub = [r.__leg.airline, r.__leg.flight_number, (r.__leg.from || r.__leg.to) ? [r.__leg.from, r.__leg.to].filter(Boolean).join(' → ') : ''].filter(Boolean).join(' · ')
+                          } else {
+                            sub = [meta.airline, meta.flight_number, meta.departure_airport && meta.arrival_airport ? `${meta.departure_airport} → ${meta.arrival_airport}` : ''].filter(Boolean).join(' · ')
+                          }
+                        }
                        else if (r.type === 'train') sub = [meta.train_number, meta.platform ? `Gl. ${meta.platform}` : ''].filter(Boolean).join(' · ')
                        return (
-                          <div key={`t-${r.id}`} className="bg-[rgba(59,130,246,0.06)]" style={{ display: 'flex', alignItems: 'center', gap: 8, padding: '6px 8px', borderRadius: 6, border: '1px solid rgba(59,130,246,0.15)' }}>
+                          <div key={r.__leg ? `t-${r.id}-leg${r.__leg.index}` : `t-${r.id}`} className="bg-[rgba(59,130,246,0.06)]" style={{ display: 'flex', alignItems: 'center', gap: 8, padding: '6px 8px', borderRadius: 6, border: '1px solid rgba(59,130,246,0.15)' }}>
                            <div className="bg-[rgba(59,130,246,0.12)]" style={{ width: 24, height: 24, borderRadius: '50%', display: 'flex', alignItems: 'center', justifyContent: 'center', flexShrink: 0 }}>
                              <TIcon size={12} color="#3b82f6" />
                            </div>
                            <div style={{ flex: 1, minWidth: 0 }}>
-                              <div className="text-[#111827]" style={{ fontSize: 12, fontWeight: 500 }}>{r.title}{time ? ` · ${time}` : ''}</div>
+                              <div className="text-[#111827]" style={{ fontSize: 12, fontWeight: 500 }}>{r.title}{time ? ` · ${time}${endTime ? `–${endTime}` : ''}` : ''}</div>
                              {sub && <div className="text-[#6b7280]" style={{ fontSize: 10 }}>{sub}</div>}
                            </div>
                          </div>
@@ -284,7 +293,11 @@ export default function SharedTripPage() {
                      {date && <span>{date}</span>}
                      {time && <span>{time}</span>}
                      {r.location && <span>{r.location}</span>}
-                      {meta.airline && <span>{meta.airline} {meta.flight_number || ''}</span>}
+                      {r.type === 'flight'
+                        ? getFlightLegs(r).map((leg, i) => (
+                            <span key={i}>{[leg.airline, leg.flight_number, (leg.from || leg.to) ? [leg.from, leg.to].filter(Boolean).join(' → ') : ''].filter(Boolean).join(' ')}</span>
+                          ))
+                        : meta.airline && <span>{meta.airline} {meta.flight_number || ''}</span>}
                      {meta.train_number && <span>{meta.train_number}</span>}
                    </div>
                  </div>
@@ -25,7 +25,9 @@ import PackingListPanel from '../components/Packing/PackingListPanel'
 import ApplyTemplateButton from '../components/Packing/ApplyTemplateButton'
 import TodoListPanel from '../components/Todo/TodoListPanel'
 import FileManager from '../components/Files/FileManager'
-import CostsPanel from '../components/Budget/CostsPanel'
+import CostsPanel, { ExpenseModal, type ExpensePrefill } from '../components/Budget/CostsPanel'
+import type { BookingExpenseRequest } from '../components/Planner/BookingCostsSection.types'
+import type { BudgetItem } from '../types'
 import CollabPanel from '../components/Collab/CollabPanel'
 import Navbar from '../components/Layout/Navbar'
 import { useToast } from '../components/shared/Toast'
@@ -212,6 +214,18 @@ export default function TripPlannerPage(): React.ReactElement | null {
  const [glMap, setGlMap] = useState<import('mapbox-gl').Map | null>(null)
  const poiPillEnabled = useSettingsStore(s => s.settings.map_poi_pill_enabled) !== false

+  // Costs expense editor opened from a booking modal (save-then-open). Lives at the
+  // page level so it has tripMembers / base currency / current user available.
+  const meId = useAuthStore(s => s.user?.id ?? -1)
+  const displayCurrency = useSettingsStore(s => s.settings.default_currency)
+  const costsBase = (displayCurrency || trip?.currency || 'EUR').toUpperCase()
+  const loadBudgetItems = useTripStore(s => s.loadBudgetItems)
+  const [bookingExpense, setBookingExpense] = useState<{ editing: BudgetItem | null; prefill?: ExpensePrefill } | null>(null)
+  const openBookingExpense = (req: BookingExpenseRequest) => {
+    if (req.editItem) setBookingExpense({ editing: req.editItem })
+    else if (req.prefill) setBookingExpense({ editing: null, prefill: req.prefill })
+  }
+
  if (isLoading || !splashDone) {
    return (
      <div className="bg-surface" style={{
@@ -636,6 +650,8 @@ export default function TripPlannerPage(): React.ReactElement | null {
              assignments={assignments}
              files={files}
              onAdd={() => { setEditingTransport(null); setShowTransportModal(true) }}
+              onImport={() => setShowBookingImport(true)}
+              bookingImportAvailable={bookingImportAvailable}
              onAirTrailImport={() => setShowAirTrailImport(true)}
              airTrailAvailable={airTrailAvailable}
              onEdit={(r) => { setEditingTransport(r); setShowTransportModal(true) }}
@@ -704,8 +720,20 @@ export default function TripPlannerPage(): React.ReactElement | null {
      <PlaceFormModal isOpen={showPlaceForm} onClose={() => { setShowPlaceForm(false); setEditingPlace(null); setEditingAssignmentId(null); setPrefillCoords(null) }} onSave={handleSavePlace} place={editingPlace} prefillCoords={prefillCoords} assignmentId={editingAssignmentId} dayAssignments={editingAssignmentId ? Object.values(assignments).flat() : []} tripId={tripId} categories={categories} onCategoryCreated={cat => tripActions.addCategory?.(cat)} />
      <TripFormModal isOpen={showTripForm} onClose={() => setShowTripForm(false)} onSave={async (data) => { await tripActions.updateTrip(tripId, data); toast.success(t('trip.toast.tripUpdated')) }} trip={trip} />
      <TripMembersModal isOpen={showMembersModal} onClose={() => setShowMembersModal(false)} tripId={tripId} tripTitle={trip?.title} />
-      <ReservationModal isOpen={showReservationModal} onClose={() => { setShowReservationModal(false); setEditingReservation(null); setBookingForAssignmentId(null) }} onSave={handleSaveReservation} reservation={editingReservation} days={days} places={places} assignments={assignments} selectedDayId={selectedDayId} files={files} onFileUpload={canUploadFiles ? (fd) => tripActions.addFile(tripId, fd) : undefined} onFileDelete={(id) => tripActions.deleteFile(tripId, id)} accommodations={tripAccommodations} defaultAssignmentId={bookingForAssignmentId} />
-      {showTransportModal && <TransportModal isOpen={showTransportModal} onClose={() => { setShowTransportModal(false); setEditingTransport(null); setTransportModalDayId(null) }} onSave={handleSaveTransport} reservation={editingTransport} days={days} selectedDayId={transportModalDayId} files={files} onFileUpload={canUploadFiles ? (fd) => tripActions.addFile(tripId, fd) : undefined} onFileDelete={(id) => tripActions.deleteFile(tripId, id)} />}
+      <ReservationModal isOpen={showReservationModal} onClose={() => { setShowReservationModal(false); setEditingReservation(null); setBookingForAssignmentId(null) }} onSave={handleSaveReservation} reservation={editingReservation} days={days} places={places} assignments={assignments} selectedDayId={selectedDayId} files={files} onFileUpload={canUploadFiles ? (fd) => tripActions.addFile(tripId, fd) : undefined} onFileDelete={(id) => tripActions.deleteFile(tripId, id)} accommodations={tripAccommodations} defaultAssignmentId={bookingForAssignmentId} onOpenExpense={openBookingExpense} />
+      {showTransportModal && <TransportModal isOpen={showTransportModal} onClose={() => { setShowTransportModal(false); setEditingTransport(null); setTransportModalDayId(null) }} onSave={handleSaveTransport} reservation={editingTransport} days={days} selectedDayId={transportModalDayId} files={files} onFileUpload={canUploadFiles ? (fd) => tripActions.addFile(tripId, fd) : undefined} onFileDelete={(id) => tripActions.deleteFile(tripId, id)} onOpenExpense={openBookingExpense} />}
+      {bookingExpense && (
+        <ExpenseModal
+          tripId={tripId}
+          base={costsBase}
+          people={tripMembers}
+          me={meId}
+          editing={bookingExpense.editing}
+          prefill={bookingExpense.prefill}
+          onClose={() => setBookingExpense(null)}
+          onSaved={() => { setBookingExpense(null); loadBudgetItems(tripId) }}
+        />
+      )}
      <BookingImportModal isOpen={showBookingImport} onClose={() => setShowBookingImport(false)} tripId={tripId} pushUndo={pushUndo} />
      <AirTrailImportModal isOpen={showAirTrailImport} onClose={() => setShowAirTrailImport(false)} tripId={tripId} pushUndo={pushUndo} />
      <ConfirmDialog
@@ -340,7 +340,10 @@ export function useAtlas() {
              </div>
            </div>`
          layer.bindTooltip(tooltipHtml, {
-            sticky: false, permanent: false, className: 'atlas-tooltip', direction: 'top', offset: [0, -10], opacity: 1
+            // sticky so the tooltip tracks the cursor; non-sticky anchors it at the feature's
+            // bounds centre, which for countries with overseas territories (e.g. France) lands
+            // far out in the ocean instead of over the area being hovered.
+            sticky: true, permanent: false, className: 'atlas-tooltip', direction: 'top', offset: [0, -10], opacity: 1
          })
          layer.on('click', () => {
            if (c.placeCount === 0 && c.tripCount === 0) {
@@ -363,7 +366,7 @@ export function useAtlas() {
            country_layer_by_a2_ref.current[countryCode] = layer
            const name = feature.properties?.NAME || feature.properties?.ADMIN || resolveName(countryCode)
            layer.bindTooltip(`<div style="font-size:12px;font-weight:600">${name}</div>`, {
-              sticky: false, className: 'atlas-tooltip', direction: 'top', offset: [0, -10], opacity: 1
+              sticky: true, className: 'atlas-tooltip', direction: 'top', offset: [0, -10], opacity: 1
            })
            layer.on('click', () => handleMarkCountry(countryCode, name))
            layer.on('mouseover', (e) => {
@@ -552,6 +555,20 @@ export function useAtlas() {
    } catch (e ) {
      console.error('Error fitting bounds', e)
     }
+
+    // Mirror the map-click behaviour so an already-visited country can be removed
+    // straight from search. Tiny countries (Vatican City, Singapore) are hard to
+    // hit on the map, so search was the only way in — but it always opened the
+    // "Mark / Bucket" dialog with no Remove option.
+    const visited = data?.countries.find(c => c.code === country_code)
+    if (visited) {
+      if (visited.placeCount === 0 && visited.tripCount === 0) {
+        handleUnmarkCountry(country_code)
+      } else {
+        loadCountryDetailRef.current(country_code)
+      }
+      return
+    }
    setConfirmAction({ type: 'choose', code: country_code, name: country_label })
  }

@@ -37,6 +37,7 @@ export function useLogin() {
  const [username, setUsername] = useState<string>('')
  const [email, setEmail] = useState<string>('')
  const [password, setPassword] = useState<string>('')
+  const [rememberMe, setRememberMe] = useState<boolean>(false)
  const [showPassword, setShowPassword] = useState<boolean>(false)
  const [isLoading, setIsLoading] = useState<boolean>(false)
  const [error, setError] = useState<string>('')
@@ -242,7 +243,7 @@ export function useLogin() {
          setIsLoading(false)
          return
        }
-        const mfaResult = await completeMfaLogin(mfaToken, mfaCode)
+        const mfaResult = await completeMfaLogin(mfaToken, mfaCode, rememberMe)
        if ('user' in mfaResult && mfaResult.user?.must_change_password) {
          setSavedLoginPassword(password)
          setPasswordChangeStep(true)
@@ -258,7 +259,7 @@ export function useLogin() {
        if (password.length < 8) { setError(t('login.passwordMinLength')); setIsLoading(false); return }
        await register(username, email, password, inviteToken || undefined)
      } else {
-        const result = await login(email, password)
+        const result = await login(email, password, rememberMe)
        if ('mfa_required' in result && result.mfa_required && 'mfa_token' in result) {
          setMfaToken(result.mfa_token)
          setMfaStep(true)
@@ -289,7 +290,7 @@ export function useLogin() {
  return {
    navigate,
    mode, setMode,
-    username, setUsername, email, setEmail, password, setPassword, showPassword, setShowPassword,
+    username, setUsername, email, setEmail, password, setPassword, rememberMe, setRememberMe, showPassword, setShowPassword,
    isLoading, error, setError, appConfig, inviteToken,
    langDropdownOpen, setLangDropdownOpen, setLanguageLocal,
    showTakeoff, mfaStep, setMfaStep, mfaToken, setMfaToken, mfaCode, setMfaCode,
@@ -39,8 +39,8 @@ interface AuthState {
  placesAutocompleteEnabled: boolean
  placesDetailsEnabled: boolean

-  login: (email: string, password: string) => Promise<LoginResult>
-  completeMfaLogin: (mfaToken: string, code: string) => Promise<AuthResponse>
+  login: (email: string, password: string, rememberMe?: boolean) => Promise<LoginResult>
+  completeMfaLogin: (mfaToken: string, code: string, rememberMe?: boolean) => Promise<AuthResponse>
  register: (username: string, email: string, password: string, invite_token?: string) => Promise<AuthResponse>
  logout: () => Promise<void>
  /** Pass `{ silent: true }` to refresh the user without toggling global isLoading (avoids unmounting protected routes). */
@@ -99,11 +99,11 @@ export const useAuthStore = create<AuthState>()(
  placesAutocompleteEnabled: true,
  placesDetailsEnabled: true,

-  login: async (email: string, password: string) => {
+  login: async (email: string, password: string, rememberMe?: boolean) => {
    authSequence++
    set({ isLoading: true, error: null })
    try {
-      const data = await authApi.login({ email, password }) as AuthResponse & { mfa_required?: boolean; mfa_token?: string }
+      const data = await authApi.login({ email, password, remember_me: rememberMe }) as AuthResponse & { mfa_required?: boolean; mfa_token?: string }
      if (data.mfa_required && data.mfa_token) {
        set({ isLoading: false, error: null })
        return { mfa_required: true as const, mfa_token: data.mfa_token }
@@ -128,11 +128,11 @@ export const useAuthStore = create<AuthState>()(
    }
  },

-  completeMfaLogin: async (mfaToken: string, code: string) => {
+  completeMfaLogin: async (mfaToken: string, code: string, rememberMe?: boolean) => {
    authSequence++
    set({ isLoading: true, error: null })
    try {
-      const data = await authApi.verifyMfaLogin({ mfa_token: mfaToken, code: code.replace(/\s/g, '') })
+      const data = await authApi.verifyMfaLogin({ mfa_token: mfaToken, code: code.replace(/\s/g, ''), remember_me: rememberMe })
      set({
        user: data.user,
        isAuthenticated: true,
@@ -1,5 +1,5 @@
 import { describe, it, expect } from 'vitest'
-import { parseTimeToMinutes, getSpanPhase, getDisplayTimeForDay, getTransportForDay, getMergedItems } from './dayMerge'
+import { parseTimeToMinutes, getSpanPhase, getTransportRouteEndpoints, getDisplayTimeForDay, getTransportForDay, getMergedItems } from './dayMerge'

 describe('parseTimeToMinutes', () => {
  it('parses HH:MM string', () => {
@@ -34,6 +34,38 @@ describe('getSpanPhase', () => {
  })
 })

+describe('getTransportRouteEndpoints', () => {
+  const pickup = { role: 'from', lat: 48.1, lng: 11.5 }
+  const dropoff = { role: 'to', lat: 52.5, lng: 13.4 }
+  // A car rental spanning day 1 (pickup) through day 3 (drop-off).
+  const rental = { day_id: 1, end_day_id: 3, endpoints: [pickup, dropoff] }
+
+  it('routes to the pickup only on the start day of a multi-day rental', () => {
+    expect(getTransportRouteEndpoints(rental, 1)).toEqual({ from: { lat: 48.1, lng: 11.5 }, to: null })
+  })
+
+  it('routes from the drop-off only on the end day', () => {
+    expect(getTransportRouteEndpoints(rental, 3)).toEqual({ from: null, to: { lat: 52.5, lng: 13.4 } })
+  })
+
+  it('adds no waypoints on the days in between (regression for #1210)', () => {
+    expect(getTransportRouteEndpoints(rental, 2)).toEqual({ from: null, to: null })
+  })
+
+  it('uses both endpoints for a single-day transport', () => {
+    const sameDay = { day_id: 1, end_day_id: 1, endpoints: [pickup, dropoff] }
+    expect(getTransportRouteEndpoints(sameDay, 1)).toEqual({
+      from: { lat: 48.1, lng: 11.5 },
+      to: { lat: 52.5, lng: 13.4 },
+    })
+  })
+
+  it('returns nulls when the endpoints carry no coordinates', () => {
+    const noCoords = { day_id: 1, end_day_id: 1, endpoints: [{ role: 'from' }, { role: 'to' }] }
+    expect(getTransportRouteEndpoints(noCoords, 1)).toEqual({ from: null, to: null })
+  })
+})
+
 describe('getDisplayTimeForDay', () => {
  const r = { day_id: 1, end_day_id: 3, reservation_time: '2025-01-01T09:00:00', reservation_end_time: '2025-01-03T14:00:00' }

@@ -29,6 +29,33 @@ export function getSpanPhase(
  return 'middle'
 }

+/**
+ * The route waypoints a transport contributes on a given day, respecting multi-day spans.
+ * A car rental (or any reservation whose span covers several days) is only routed to on its
+ * pickup day (the departure endpoint) and from on its drop-off day (the arrival endpoint) — on
+ * the days in between you simply hold the vehicle, so it adds no waypoints and must not pull the
+ * route to those points. Single-day transports contribute both endpoints.
+ */
+export function getTransportRouteEndpoints(
+  r: any,
+  dayId: number
+): { from: { lat: number; lng: number } | null; to: { lat: number; lng: number } | null } {
+  const ep = (role: 'from' | 'to'): { lat: number; lng: number } | null => {
+    const e = (r.endpoints || []).find((x: any) => x.role === role)
+    return e && e.lat != null && e.lng != null ? { lat: e.lat, lng: e.lng } : null
+  }
+  switch (getSpanPhase(r, dayId)) {
+    case 'start':
+      return { from: ep('from'), to: null }
+    case 'end':
+      return { from: null, to: ep('to') }
+    case 'middle':
+      return { from: null, to: null }
+    default:
+      return { from: ep('from'), to: ep('to') }
+  }
+}
+
 export function getDisplayTimeForDay(
  r: { day_id?: number | null; end_day_id?: number | null; reservation_time?: string | null; reservation_end_time?: string | null },
  dayId: number
@@ -1,6 +1,6 @@
 import { describe, it, expect } from 'vitest'
 import type { Day, Accommodation } from '../types'
-import { getDayOrder, isDayInAccommodationRange, getAccommodationAnchors } from './dayOrder'
+import { getDayOrder, isDayInAccommodationRange, getAccommodationAnchors, getDayBookendHotels } from './dayOrder'

 const days = [
  { id: 10, day_number: 1 },
@@ -70,4 +70,51 @@ describe('getAccommodationAnchors', () => {
    const accs = [hotel({ start_day_id: 10, end_day_id: 30, place_lat: null, place_lng: null })]
    expect(getAccommodationAnchors(days[1], days, accs)).toEqual({})
  })
+
+  it('keeps morning/evening correct on a transfer day when the morning stay runs long (#887)', () => {
+    const accs = [
+      hotel({ start_day_id: 10, end_day_id: 30, place_lat: 1, place_lng: 1 }), // slept here, checks out later
+      hotel({ start_day_id: 20, end_day_id: 30, place_lat: 9, place_lng: 9 }), // check-in today
+    ]
+    expect(getAccommodationAnchors(days[1], days, accs)).toEqual({
+      start: { lat: 1, lng: 1 },
+      end: { lat: 9, lng: 9 },
+    })
+  })
+})
+
+describe('getDayBookendHotels', () => {
+  it('returns nothing when the day has no accommodation', () => {
+    expect(getDayBookendHotels(days[1], days, [])).toEqual({})
+  })
+
+  it('bookends both ends with the single hotel on a normal stay day', () => {
+    const h = hotel({ start_day_id: 10, end_day_id: 30 })
+    const { morning, evening } = getDayBookendHotels(days[1], days, [h])
+    expect(morning).toBe(h)
+    expect(evening).toBe(h)
+  })
+
+  it('uses the checked-out hotel in the morning and the checked-in hotel in the evening on a transfer day', () => {
+    const out = hotel({ start_day_id: 10, end_day_id: 20, place_lat: 1, place_lng: 1 })
+    const into = hotel({ start_day_id: 20, end_day_id: 30, place_lat: 9, place_lng: 9 })
+    const { morning, evening } = getDayBookendHotels(days[1], days, [out, into])
+    expect(morning).toBe(out)
+    expect(evening).toBe(into)
+  })
+
+  it('still picks the slept-in hotel for the morning when its stay does not end on the transfer day (#887)', () => {
+    // The morning hotel runs long (checks out day 3) so it is not flagged as "checks out today";
+    // the old "ends today" rule collapsed both bookends onto the arriving hotel.
+    const stayed = hotel({ start_day_id: 10, end_day_id: 30, place_lat: 1, place_lng: 1 })
+    const into = hotel({ start_day_id: 20, end_day_id: 30, place_lat: 9, place_lng: 9 })
+    const { morning, evening } = getDayBookendHotels(days[1], days, [stayed, into])
+    expect(morning).toBe(stayed)
+    expect(evening).toBe(into)
+  })
+
+  it('ignores accommodations without coordinates', () => {
+    const h = hotel({ place_lat: null, place_lng: null })
+    expect(getDayBookendHotels(days[1], days, [h])).toEqual({})
+  })
 })
@@ -3,6 +3,36 @@ import type { Day, Accommodation, RouteAnchors } from '../types'
 export const getDayOrder = (day: Day, days: Day[]): number =>
  day.day_number ?? days.indexOf(day)

+// The two hotels that bookend a day: the one you woke up in (morning) and the one you sleep in
+// tonight (evening). On a transfer day these differ; on any other day both are the single hotel.
+// The morning hotel is keyed off "checked in on an earlier day and still in range" (i.e. you slept
+// there) rather than "checks out today", so it stays correct when an overlapping or long stay does
+// not end exactly on the transfer day.
+export const getDayBookendHotels = (
+  day: Day,
+  days: Day[],
+  accommodations: Accommodation[],
+): { morning?: Accommodation; evening?: Accommodation } => {
+  const inRange = accommodations.filter(a =>
+    a.place_lat != null && a.place_lng != null &&
+    isDayInAccommodationRange(day, a.start_day_id, a.end_day_id, days),
+  )
+  if (inRange.length === 0) return {}
+
+  const dayOrd = getDayOrder(day, days)
+  const orderOf = (id: number) => {
+    const d = days.find(x => x.id === id)
+    return d ? getDayOrder(d, days) : dayOrd
+  }
+  const checkIn = inRange.find(a => a.start_day_id === day.id) // the hotel you arrive at tonight
+  const sleptHere = inRange.find(a => orderOf(a.start_day_id) < dayOrd) // the hotel you woke up in
+
+  return {
+    morning: sleptHere ?? checkIn ?? inRange[0],
+    evening: checkIn ?? sleptHere ?? inRange[0],
+  }
+}
+
 // Derives route anchors from the accommodation(s) active on a day. A single hotel is the day's home
 // base, so the route is a loop that starts and ends there. A transfer day — checking out of one hotel
 // and into another — instead runs from the morning hotel to the evening one.
@@ -11,22 +41,12 @@ export const getAccommodationAnchors = (
  days: Day[],
  accommodations: Accommodation[],
 ): RouteAnchors => {
-  const located = accommodations.filter(a =>
-    a.place_lat != null && a.place_lng != null &&
-    isDayInAccommodationRange(day, a.start_day_id, a.end_day_id, days),
-  )
-  if (located.length === 0) return {}
-
-  const toAnchor = (a: Accommodation) => ({ lat: a.place_lat as number, lng: a.place_lng as number })
-
-  const checkOut = located.find(a => a.end_day_id === day.id) // the hotel you leave this morning
-  const checkIn = located.find(a => a.start_day_id === day.id) // the hotel you arrive at tonight
-  if (checkOut && checkIn && checkOut !== checkIn) {
-    return { start: toAnchor(checkOut), end: toAnchor(checkIn) }
+  const { morning, evening } = getDayBookendHotels(day, days, accommodations)
+  if (!morning || !evening) return {}
+  return {
+    start: { lat: morning.place_lat as number, lng: morning.place_lng as number },
+    end: { lat: evening.place_lat as number, lng: evening.place_lng as number },
  }
-
-  const hotel = toAnchor(located[0])
-  return { start: hotel, end: hotel }
 }

 export const isDayInAccommodationRange = (
@@ -1,3 +1,4 @@
+/// <reference types="node" />
 import { describe, it, expect, beforeEach, vi } from 'vitest';
 import { http, HttpResponse } from 'msw';
 import { server } from '../../helpers/msw/server';
@@ -23,6 +23,7 @@ services:
      - LOG_LEVEL=${LOG_LEVEL:-info} # info = concise user actions; debug = verbose admin-level details
 #      - DEFAULT_LANGUAGE=en # Default language on the login page for users with no saved preference. Browser/OS language is auto-detected first; this is the fallback. Supported: de, en, es, fr, hu, nl, br, cs, pl, ru, zh, zh-TW, it, ar
 #      - SESSION_DURATION=30d # How long users stay logged in (trek_session JWT + cookie maxAge). Accepts: 1h | 12h | 7d | 30d | 90d. Default: 24h
+#      - SESSION_DURATION_REMEMBER=30d # Session length when "Remember me" is ticked at login: longer-lived JWT + persistent cookie that survives browser restarts. Same format as SESSION_DURATION. Default: 30d
      - ALLOWED_ORIGINS=${ALLOWED_ORIGINS:-} # Comma-separated origins for CORS and email notification links
 #      - FORCE_HTTPS=true # Optional. Enables HTTPS redirect, HSTS, CSP upgrade-insecure-requests, and secure cookies behind a TLS proxy
 #      - HSTS_INCLUDE_SUBDOMAINS=false # When true: adds includeSubDomains to the HSTS header. Only effective when HSTS is active. Leave false if sibling subdomains still run over plain HTTP.
@@ -1,7 +1,7 @@
 {
  "name": "@trek/root",
  "private": true,
-  "version": "3.0.22",
+  "version": "3.1.0",
  "workspaces": [
    "client",
    "server",
@@ -25,7 +25,7 @@
    "format:check": "npm run format:check --workspace=shared && npm run format:check --workspace=server && npm run format:check --workspace=client"
  },
  "devDependencies": {
-    "concurrently": "^9.2.1"
+    "concurrently": "^10.0.3"
  },
  "comment:overrides": "Force a single React 19 across the workspace so the test renderer (@testing-library/react) and the app share one react-dom.",
  "overrides": {
@@ -33,9 +33,9 @@
    "react-dom": "19.2.6"
  },
  "optionalDependencies": {
-    "@rollup/rollup-linux-x64-musl": "4.60.4",
-    "@rollup/rollup-linux-arm64-musl": "4.60.4",
-    "@img/sharp-linuxmusl-x64": "0.33.5",
-    "@img/sharp-linuxmusl-arm64": "0.33.5"
+    "@rollup/rollup-linux-x64-musl": "4.62.0",
+    "@rollup/rollup-linux-arm64-musl": "4.62.0",
+    "@img/sharp-linuxmusl-x64": "0.35.1",
+    "@img/sharp-linuxmusl-arm64": "0.35.1"
  }
-}
+}
@@ -9,6 +9,7 @@ NODE_ENV=development # development = development mode; production = production m
 TZ=UTC # Timezone for logs, reminders and scheduled tasks (e.g. Europe/Berlin)
 # DEFAULT_LANGUAGE=en # Default language on the login page for users with no saved preference (default: en)
 # SESSION_DURATION=30d # How long users stay logged in — sets the trek_session JWT exp + cookie maxAge. Accepts 1h, 12h, 7d, 30d, 90d. Default: 24h
+# SESSION_DURATION_REMEMBER=30d # Session length when "Remember me" is ticked at login — longer-lived JWT + persistent cookie that survives browser restarts. Same format as SESSION_DURATION. Default: 30d
 # Supported values: de, en, es, fr, hu, nl, br, cs, pl, ru, zh, zh-TW, it, ar
 # Note: browser/OS language is detected automatically first; this is the fallback when no match is found.
 LOG_LEVEL=info # info = concise user actions; debug = verbose admin-level details
@@ -34,6 +35,8 @@ OIDC_SCOPE=openid email profile # Fully overrides the default. Add extra scopes

 DEMO_MODE=false # Demo mode - resets data hourly

+# BACKUP_UPLOAD_LIMIT_MB=500 # Max size (MB) of a backup archive you can upload when restoring. Raise it if your backup exceeds 500 MB. If you sit behind a reverse proxy, raise its upload limit too (e.g. nginx client_max_body_size).
+
 # MCP_RATE_LIMIT=300 # Max MCP API requests per user per minute (default: 300)
 # MCP_MAX_SESSION_PER_USER=20 # Max concurrent MCP sessions per user (default: 20)

@@ -1,6 +1,6 @@
 {
  "name": "@trek/server",
-  "version": "3.0.22",
+  "version": "3.1.0",
  "main": "src/index.ts",
  "scripts": {
    "start": "node --require tsconfig-paths/register dist/index.js",
@@ -21,13 +21,12 @@
    "test:coverage": "vitest run --coverage"
  },
  "dependencies": {
-    "@trek/shared": "*",
-    "tsconfig-paths": "^4.2.0",
    "@modelcontextprotocol/sdk": "^1.28.0",
    "@nestjs/common": "^11.1.24",
    "@nestjs/core": "^11.1.24",
    "@nestjs/platform-express": "^11.1.24",
    "@simplewebauthn/server": "^13.1.2",
+    "@trek/shared": "*",
    "archiver": "^6.0.1",
    "bcryptjs": "^2.4.3",
    "better-sqlite3": "^12.8.0",
@@ -47,6 +46,7 @@
    "reflect-metadata": "^0.2.2",
    "rxjs": "^7.8.2",
    "semver": "^7.7.4",
+    "tsconfig-paths": "^4.2.0",
    "tsx": "^4.21.0",
    "typescript": "^6.0.2",
    "undici": "^7.0.0",
@@ -67,16 +67,9 @@
  },
  "devDependencies": {
    "@eslint/js": "^10.0.1",
-    "@trivago/prettier-plugin-sort-imports": "^6.0.2",
-    "eslint-config-prettier": "^10.0.1",
-    "eslint-plugin-prettier": "^5.2.2",
-    "prettier": "^3.8.3",
-    "prettier-plugin-organize-imports": "^4.3.0",
-    "eslint": "^9.18.0",
-    "eslint-config-flat-gitignore": "^2.3.0",
-    "typescript-eslint": "^8.58.2",
    "@nestjs/testing": "^11.1.24",
    "@swc/core": "^1.15.40",
+    "@trivago/prettier-plugin-sort-imports": "^6.0.2",
    "@types/archiver": "^7.0.0",
    "@types/bcryptjs": "^2.4.6",
    "@types/better-sqlite3": "^7.6.13",
@@ -94,11 +87,19 @@
    "@types/unzipper": "^0.10.11",
    "@types/uuid": "^10.0.0",
    "@types/ws": "^8.18.1",
-    "@vitest/coverage-v8": "^3.2.4",
+    "@vitest/coverage-istanbul": "^4.1.9",
+    "@vitest/coverage-v8": "^4.1.9",
+    "eslint": "^9.18.0",
+    "eslint-config-flat-gitignore": "^2.3.0",
+    "eslint-config-prettier": "^10.0.1",
+    "eslint-plugin-prettier": "^5.2.2",
    "nodemon": "^3.1.0",
+    "prettier": "^3.8.3",
+    "prettier-plugin-organize-imports": "^4.3.0",
    "supertest": "^7.2.2",
+    "typescript-eslint": "^8.58.2",
    "tz-lookup": "^6.1.25",
    "unplugin-swc": "^1.5.9",
-    "vitest": "^3.2.4"
+    "vitest": "^4.1.9"
  }
 }
@@ -136,3 +136,21 @@ export const SESSION_DURATION = parsedSessionMs == null ? DEFAULT_SESSION_DURATI
 export const SESSION_DURATION_MS = parsedSessionMs ?? parseDurationMs(DEFAULT_SESSION_DURATION)!;
 /** Session length in seconds — passed to `jwt.sign({ expiresIn })` (number = seconds). */
 export const SESSION_DURATION_SECONDS = Math.floor(SESSION_DURATION_MS / 1000);
+
+// SESSION_DURATION_REMEMBER is the session length used when the user ticks
+// "Remember me" on the login form: a longer-lived JWT `exp` claim plus a
+// persistent `trek_session` cookie `maxAge`. An unticked login keeps
+// SESSION_DURATION and a browser-session cookie (no `maxAge`). Same ms-style
+// format and fallback behavior as SESSION_DURATION.
+const DEFAULT_SESSION_DURATION_REMEMBER = '30d';
+const rawRememberDuration = process.env.SESSION_DURATION_REMEMBER?.trim() || DEFAULT_SESSION_DURATION_REMEMBER;
+const parsedRememberMs = parseDurationMs(rawRememberDuration);
+if (parsedRememberMs == null) {
+  console.warn(`SESSION_DURATION_REMEMBER="${rawRememberDuration}" is not a valid duration (use e.g. 7d, 30d, 90d). Falling back to "${DEFAULT_SESSION_DURATION_REMEMBER}".`);
+}
+/** Human-readable "remember me" session length actually in effect (for logs/diagnostics). */
+export const SESSION_DURATION_REMEMBER = parsedRememberMs == null ? DEFAULT_SESSION_DURATION_REMEMBER : rawRememberDuration;
+/** "Remember me" session length in milliseconds — used for the persistent cookie `maxAge`. */
+export const SESSION_DURATION_REMEMBER_MS = parsedRememberMs ?? parseDurationMs(DEFAULT_SESSION_DURATION_REMEMBER)!;
+/** "Remember me" session length in seconds — passed to `jwt.sign({ expiresIn })`. */
+export const SESSION_DURATION_REMEMBER_SECONDS = Math.floor(SESSION_DURATION_REMEMBER_MS / 1000);
@@ -18,6 +18,11 @@ function seedAdminAccount(db: Database.Database): void {
    const userCount = (db.prepare('SELECT COUNT(*) as count FROM users').get() as { count: number }).count;
    if (userCount > 0) return;

+    // Demo mode seeds its own admin (admin@trek.app, username 'admin') right after this.
+    // Creating a first-run admin here would grab username 'admin' first and make the demo
+    // seeder fail on the UNIQUE(username) constraint, leaving the demo user uncreated.
+    if (process.env.DEMO_MODE?.toLowerCase() === 'true') return;
+
    if (isOidcOnlyConfigured()) {
      console.log('');
      console.log('╔══════════════════════════════════════════════╗');
@@ -96,7 +96,7 @@ export function applyGlobalMiddleware(
          "https://en.wikipedia.org", "https://commons.wikimedia.org",
          "https://*.basemaps.cartocdn.com", "https://*.tile.openstreetmap.org",
          "https://unpkg.com", "https://open-meteo.com", "https://api.open-meteo.com",
-          "https://geocoding-api.open-meteo.com", "https://api.exchangerate-api.com",
+          "https://geocoding-api.open-meteo.com", "https://api.frankfurter.dev",
          "https://router.project-osrm.org/route/v1/", "https://routing.openstreetmap.de/",
          "https://api.mapbox.com", "https://*.tiles.mapbox.com", "https://events.mapbox.com"
        ],
@@ -87,7 +87,7 @@ export class AuthPublicController {
    if (result.mfa_required) {
      return { mfa_required: true, mfa_token: result.mfa_token };
    }
-    this.auth.setAuthCookie(res, result.token!, req);
+    this.auth.setAuthCookie(res, result.token!, req, result.remember);
    return { token: result.token, user: result.user };
  }

@@ -146,7 +146,7 @@ export class AuthPublicController {
      throw new HttpException({ error: result.error }, result.status!);
    }
    writeAudit({ userId: result.auditUserId!, action: 'user.login', ip: getClientIp(req), details: { mfa: true } });
-    this.auth.setAuthCookie(res, result.token!, req);
+    this.auth.setAuthCookie(res, result.token!, req, result.remember);
    return { token: result.token, user: result.user };
  }

@@ -14,7 +14,7 @@ import type { User } from '../../types';
@Injectable()
 export class AuthService {
  // Cookie
-  setAuthCookie(res: Response, token: string, req: Request) { setAuthCookie(res, token, req); }
+  setAuthCookie(res: Response, token: string, req: Request, remember?: boolean) { setAuthCookie(res, token, req, remember); }
  clearAuthCookie(res: Response, req: Request) { clearAuthCookie(res, req); }

  // Reset-email delivery (canonical app URL, never request headers)
@@ -114,7 +114,7 @@ export class BudgetController {
  create(
    @CurrentUser() user: User,
    @Param('tripId') tripId: string,
-    @Body() body: { name?: string; category?: string; total_price?: number; persons?: number | null; days?: number | null; note?: string | null; expense_date?: string | null },
+    @Body() body: { name?: string; category?: string; total_price?: number; persons?: number | null; days?: number | null; note?: string | null; expense_date?: string | null; reservation_id?: number },
    @Headers('x-socket-id') socketId?: string,
  ) {
    const trip = this.requireTrip(tripId, user);
@@ -5,6 +5,7 @@ import { checkPermission } from '../../services/permissions';
 import type { User } from '../../types';
 import * as svc from '../../services/reservationService';
 import { createBudgetItem, updateBudgetItem, deleteBudgetItem, linkBudgetItemToReservation } from '../../services/budgetService';
+import { typeToCostCategory } from '@trek/shared';

 type Trip = NonNullable<ReturnType<typeof svc.verifyTripAccess>>;
 type BudgetEntry = { total_price?: number; category?: string } | undefined;
@@ -77,30 +78,51 @@ export class ReservationsService {

  /** PUT side effect: drop the linked budget item when the price is cleared, else create/update it. */
  syncBudgetOnUpdate(tripId: string, id: string, title: string, type: string | undefined, currentTitle: string, currentType: string | undefined, entry: BudgetEntry, socketId: string | undefined): void {
-    if (!entry || !entry.total_price) {
+    // When the booking type changes, keep a linked expense's category in sync —
+    // but only if it still carries the auto-derived category (so a manual pick in
+    // the Costs editor is preserved). Runs regardless of create_budget_entry.
+    if (type && currentType && type !== currentType) {
+      const linked = db.prepare('SELECT id, category FROM budget_items WHERE trip_id = ? AND reservation_id = ?').get(tripId, id) as { id: number; category: string } | undefined;
+      if (linked) {
+        const oldCat = typeToCostCategory(currentType);
+        const newCat = typeToCostCategory(type);
+        if (oldCat !== newCat && linked.category === oldCat) {
+          const updated = updateBudgetItem(linked.id, tripId, { category: newCat });
+          broadcast(tripId, 'budget:updated', { item: updated }, socketId);
+        }
+      }
+    }
+
+    // No budget entry on the payload — the booking edit isn't touching its linked
+    // expense, so leave any linked item alone. Expenses are managed from the
+    // booking's Costs section / the Costs tab, not by re-saving the booking.
+    if (!entry) return;
+
+    if (!(Number(entry.total_price) > 0)) {
+      // Explicit clear (total_price 0/empty) — drop the linked item.
      const linked = db.prepare('SELECT id FROM budget_items WHERE trip_id = ? AND reservation_id = ?').get(tripId, id) as { id: number } | undefined;
      if (linked) {
        deleteBudgetItem(linked.id, tripId);
        broadcast(tripId, 'budget:deleted', { itemId: linked.id }, socketId);
      }
+      return;
    }
-    if (entry && Number(entry.total_price) > 0) {
-      try {
-        const itemName = title || currentTitle;
-        const category = entry.category || type || currentType || 'Other';
-        const existing = db.prepare('SELECT id FROM budget_items WHERE trip_id = ? AND reservation_id = ?').get(tripId, id) as { id: number } | undefined;
-        if (existing) {
-          const updated = updateBudgetItem(existing.id, tripId, { name: itemName, category, total_price: entry.total_price });
-          broadcast(tripId, 'budget:updated', { item: updated }, socketId);
-        } else {
-          const item = createBudgetItem(tripId, { name: itemName, category, total_price: entry.total_price });
-          db.prepare('UPDATE budget_items SET reservation_id = ? WHERE id = ?').run(id, item.id);
-          item.reservation_id = Number(id);
-          broadcast(tripId, 'budget:created', { item }, socketId);
-        }
-      } catch (err) {
-        console.error('[reservations] Failed to create/update budget entry:', err);
+
+    try {
+      const itemName = title || currentTitle;
+      const category = entry.category || type || currentType || 'Other';
+      const existing = db.prepare('SELECT id FROM budget_items WHERE trip_id = ? AND reservation_id = ?').get(tripId, id) as { id: number } | undefined;
+      if (existing) {
+        const updated = updateBudgetItem(existing.id, tripId, { name: itemName, category, total_price: entry.total_price });
+        broadcast(tripId, 'budget:updated', { item: updated }, socketId);
+      } else {
+        const item = createBudgetItem(tripId, { name: itemName, category, total_price: entry.total_price });
+        db.prepare('UPDATE budget_items SET reservation_id = ? WHERE id = ?').run(id, item.id);
+        item.reservation_id = Number(id);
+        broadcast(tripId, 'budget:created', { item }, socketId);
      }
+    } catch (err) {
+      console.error('[reservations] Failed to create/update budget entry:', err);
    }
  }

@@ -1,10 +1,9 @@
+import { ADDON_IDS } from '../../addons';
 import { db } from '../../db/database';
-import { logError, logInfo } from '../auditLog';
 import { broadcast } from '../../websocket';
 import { isAddonEnabled } from '../adminService';
-import { ADDON_IDS } from '../../addons';
+import { logError, logInfo } from '../auditLog';
 import { getReservation, getReservationWithJoins, updateReservation } from '../reservationService';
-import { getAirtrailCredentials } from './airtrailService';
 import {
  AirtrailAuthError,
  AirtrailCreds,
@@ -15,6 +14,7 @@ import {
  saveFlight,
 } from './airtrailClient';
 import { canonicalHash, mapFlightToReservation } from './airtrailMapper';
+import { getAirtrailCredentials } from './airtrailService';

 /** Global on/off: the addon must be enabled and sync not explicitly turned off. */
 export function syncGloballyEnabled(): boolean {
@@ -59,7 +59,7 @@ async function syncOwner(uid: number): Promise<number> {
    if (err instanceof AirtrailAuthError) logError(`AirTrail sync: invalid API key for user ${uid}`);
    return 0;
  }
-  const byId = new Map(flights.map(f => [String(f.id), f]));
+  const byId = new Map(flights.map((f) => [String(f.id), f]));

  const linked = db
    .prepare(
@@ -145,15 +145,15 @@ function splitLocal(dt: string | null | undefined): { date: string | null; time:
 }

 function buildSavePayload(reservation: any, existing: AirtrailFlightRaw): AirtrailSavePayload | null {
-  let meta: Record<string, any> = {};
+  let meta: Record<string, any>;
  try {
    meta = reservation.metadata ? JSON.parse(reservation.metadata) : {};
  } catch {
    meta = {};
  }
  const endpoints: any[] = reservation.endpoints || [];
-  const fromEp = endpoints.find(e => e.role === 'from');
-  const toEp = endpoints.find(e => e.role === 'to');
+  const fromEp = endpoints.find((e) => e.role === 'from');
+  const toEp = endpoints.find((e) => e.role === 'to');
  const fromCode = fromEp?.code || existing.from?.iata || existing.from?.icao || null;
  const toCode = toEp?.code || existing.to?.iata || existing.to?.icao || null;
  if (!fromCode || !toCode) return null;
@@ -164,7 +164,7 @@ function buildSavePayload(reservation: any, existing: AirtrailFlightRaw): Airtra

  // Preserve the existing seat manifest (an update replaces all seats); fall back
  // to the key-owner placeholder so AirTrail attributes it to the connecting user.
-  const seats = (existing.seats ?? []).map(s => ({
+  const seats = (existing.seats ?? []).map((s) => ({
    userId: s.userId,
    guestName: s.guestName,
    seat: s.seat,
@@ -179,7 +179,7 @@ function buildSavePayload(reservation: any, existing: AirtrailFlightRaw): Airtra
  // a userId), leaving any co-passenger seats untouched.
  const seatNumber = typeof meta.seat === 'string' && meta.seat.trim() ? meta.seat.trim() : null;
  if (seatNumber) {
-    const ownSeat = seats.find(s => s.userId) ?? seats[0];
+    const ownSeat = seats.find((s) => s.userId) ?? seats[0];
    if (ownSeat) ownSeat.seatNumber = seatNumber;
  }

@@ -7,7 +7,7 @@ import { authenticator } from 'otplib';
 import QRCode from 'qrcode';
 import { randomBytes, createHash } from 'crypto';
 import { db } from '../db/database';
-import { JWT_SECRET, SESSION_DURATION_SECONDS } from '../config';
+import { JWT_SECRET, SESSION_DURATION_SECONDS, SESSION_DURATION_REMEMBER_SECONDS } from '../config';
 import { validatePassword } from './passwordPolicy';
 import { encryptMfaSecret, decryptMfaSecret } from './mfaCrypto';
 import { getAllPermissions } from './permissions';
@@ -181,14 +181,17 @@ export function isOidcOnlyMode(): boolean {
  return !resolveAuthToggles().password_login;
 }

-export function generateToken(user: { id: number | bigint; password_version?: number }) {
+export function generateToken(user: { id: number | bigint; password_version?: number }, rememberMe = false) {
  const pv = typeof user.password_version === 'number'
    ? user.password_version
    : ((db.prepare('SELECT password_version FROM users WHERE id = ?').get(user.id) as { password_version?: number } | undefined)?.password_version ?? 0);
+  // "Remember me" extends the JWT lifetime to match the persistent cookie maxAge;
+  // the cookie service decides session-vs-persistent off the same flag.
+  const expiresIn = rememberMe ? SESSION_DURATION_REMEMBER_SECONDS : SESSION_DURATION_SECONDS;
  return jwt.sign(
    { id: user.id, pv },
    JWT_SECRET,
-    { expiresIn: SESSION_DURATION_SECONDS, algorithm: 'HS256' }
+    { expiresIn, algorithm: 'HS256' }
  );
 }

@@ -443,6 +446,7 @@ export function registerUser(body: {
 export function loginUser(body: {
  email?: string;
  password?: string;
+  remember_me?: boolean;
 }): {
  error?: string;
  status?: number;
@@ -450,6 +454,7 @@ export function loginUser(body: {
  user?: Record<string, unknown>;
  mfa_required?: boolean;
  mfa_token?: string;
+  remember?: boolean;
  auditUserId?: number | null;
  auditAction?: string;
  auditDetails?: Record<string, unknown>;
@@ -458,7 +463,8 @@ export function loginUser(body: {
    return { error: 'Password authentication is disabled. Please sign in with SSO.', status: 403 };
  }

-  const { email, password } = body;
+  const { email, password, remember_me } = body;
+  const remember = remember_me === true;
  if (!email || !password) {
    return { error: 'Email and password are required', status: 400 };
  }
@@ -500,12 +506,13 @@ export function loginUser(body: {
  }

  db.prepare('UPDATE users SET last_login = CURRENT_TIMESTAMP, login_count = login_count + 1 WHERE id = ?').run(user.id);
-  const token = generateToken(user);
+  const token = generateToken(user, remember);
  const userSafe = stripUserForClient(user) as Record<string, unknown>;

  return {
    token,
    user: { ...userSafe, avatar_url: avatarUrl(user) },
+    remember,
    auditUserId: Number(user.id),
    auditAction: 'user.login',
    auditDetails: { email },
@@ -1066,14 +1073,17 @@ export function disableMfa(
 export function verifyMfaLogin(body: {
  mfa_token?: string;
  code?: string;
+  remember_me?: boolean;
 }): {
  error?: string;
  status?: number;
  token?: string;
  user?: Record<string, unknown>;
+  remember?: boolean;
  auditUserId?: number;
 } {
-  const { mfa_token, code } = body;
+  const { mfa_token, code, remember_me } = body;
+  const remember = remember_me === true;
  if (!mfa_token || !code) {
    return { error: 'Verification token and code are required', status: 400 };
  }
@@ -1104,11 +1114,12 @@ export function verifyMfaLogin(body: {
      );
    }
    db.prepare('UPDATE users SET last_login = CURRENT_TIMESTAMP, login_count = login_count + 1 WHERE id = ?').run(user.id);
-    const sessionToken = generateToken(user);
+    const sessionToken = generateToken(user, remember);
    const userSafe = stripUserForClient(user) as Record<string, unknown>;
    return {
      token: sessionToken,
      user: { ...userSafe, avatar_url: avatarUrl(user) },
+      remember,
      auditUserId: Number(user.id),
    };
  } catch {
@@ -15,7 +15,21 @@ const dataDir = path.join(__dirname, '../../data');
 const backupsDir = path.join(dataDir, 'backups');
 const uploadsDir = path.join(__dirname, '../../uploads');

-export const MAX_BACKUP_UPLOAD_SIZE = 500 * 1024 * 1024; // 500 MB compressed
+// Compressed upload cap for restore archives. Defaults to 500 MB, raisable via
+// BACKUP_UPLOAD_LIMIT_MB for instances whose backups (uploads/ included) grow
+// past that. Invalid values warn and fall back to the default.
+const DEFAULT_BACKUP_UPLOAD_LIMIT_MB = 500;
+const rawBackupUploadLimit = process.env.BACKUP_UPLOAD_LIMIT_MB?.trim();
+let backupUploadLimitMb = DEFAULT_BACKUP_UPLOAD_LIMIT_MB;
+if (rawBackupUploadLimit) {
+  const parsed = Number(rawBackupUploadLimit);
+  if (Number.isFinite(parsed) && parsed > 0) {
+    backupUploadLimitMb = parsed;
+  } else {
+    console.warn(`BACKUP_UPLOAD_LIMIT_MB="${rawBackupUploadLimit}" is not a positive number. Falling back to ${DEFAULT_BACKUP_UPLOAD_LIMIT_MB} MB.`);
+  }
+}
+export const MAX_BACKUP_UPLOAD_SIZE = backupUploadLimitMb * 1024 * 1024; // compressed
 // Upper bound on the TOTAL decompressed size of a restore archive (the upload
 // limit only caps the compressed bytes). Generous enough for any real backup.
 export const MAX_BACKUP_DECOMPRESSED_SIZE = 5 * 1024 * 1024 * 1024; // 5 GB
@@ -155,6 +169,17 @@ export async function createBackup(): Promise<BackupInfo> {
        archive.file(dbPath, { name: 'travel.db' });
      }

+      // Bundle the at-rest encryption key so the backup is self-contained: the
+      // DB stores secrets (API keys, MFA, SMTP/OIDC) encrypted with this key, so
+      // a restore onto a different install would otherwise be unable to decrypt
+      // them. NOTE: this makes the backup file as sensitive as the key itself —
+      // store/transfer it securely. Skipped when ENCRYPTION_KEY is provided via
+      // env, since in that case the file is not the source of truth.
+      const encKeyPath = path.join(dataDir, '.encryption_key');
+      if (!process.env.ENCRYPTION_KEY && fs.existsSync(encKeyPath)) {
+        archive.file(encKeyPath, { name: '.encryption_key' });
+      }
+
      if (fs.existsSync(uploadsDir)) {
        // Exclude the place-photo and trek-memory caches: both are re-derivable
        // (re-fetched on demand, keyed on stable ids) and would otherwise dominate
@@ -252,6 +277,16 @@ export async function restoreFromZip(zipPath: string): Promise<RestoreResult> {
      }
      fs.copyFileSync(extractedDb, dbDest);

+      // Restore the bundled at-rest encryption key (if the archive carries one)
+      // so the restored DB's encrypted secrets can be decrypted. Only the file
+      // is swapped here; the in-memory key was read at startup, so a restart is
+      // required for it to take effect (and an explicit ENCRYPTION_KEY env var
+      // still overrides the file).
+      const extractedEncKey = path.join(extractDir, '.encryption_key');
+      if (fs.existsSync(extractedEncKey)) {
+        fs.copyFileSync(extractedEncKey, path.join(dataDir, '.encryption_key'));
+      }
+
      const extractedUploads = path.join(extractDir, 'uploads');
      if (fs.existsSync(extractedUploads)) {
        for (const sub of fs.readdirSync(uploadsDir)) {
@@ -262,7 +297,12 @@ export async function restoreFromZip(zipPath: string): Promise<RestoreResult> {
            }
          }
        }
-        fs.cpSync(extractedUploads, uploadsDir, { recursive: true, force: true });
+        // Copy into the real directory behind uploadsDir. In Docker, uploadsDir
+        // (/app/server/uploads) is a symlink to the mounted /app/uploads volume;
+        // cpSync(dereference:false) would otherwise try to overwrite the symlink
+        // node with a directory and throw ERR_FS_CP_DIR_TO_NON_DIR. realpathSync
+        // is a no-op when uploadsDir is a plain directory (dev/non-Docker).
+        fs.cpSync(extractedUploads, fs.realpathSync(uploadsDir), { recursive: true, force: true });
      }
    } finally {
      // Reopening the DB must always run (even if the copy above threw) so the
@@ -105,6 +105,7 @@ export function createBudgetItem(
    currency?: string | null; exchange_rate?: number;
    payers?: { user_id: number; amount: number }[]; member_ids?: number[];
    persons?: number | null; days?: number | null; note?: string | null; expense_date?: string | null;
+    reservation_id?: number | null;
  },
 ) {
  const maxOrder = db.prepare(
@@ -128,7 +129,7 @@ export function createBudgetItem(
  const total = data.payers && data.payers.length > 0 ? payerTotal : (data.total_price || 0);

  const result = db.prepare(
-    'INSERT INTO budget_items (trip_id, category, name, total_price, currency, exchange_rate, persons, days, note, sort_order, expense_date) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)'
+    'INSERT INTO budget_items (trip_id, category, name, total_price, currency, exchange_rate, persons, days, note, sort_order, expense_date, reservation_id) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)'
  ).run(
    tripId,
    cat,
@@ -141,6 +142,7 @@ export function createBudgetItem(
    data.note || null,
    sortOrder,
    data.expense_date || null,
+    data.reservation_id != null ? data.reservation_id : null,
  );

  const itemId = result.lastInsertRowid as number;
@@ -208,7 +210,15 @@ export function updateBudgetItem(
  );

  // Optional inline payer/member replacement (the edit modal saves all at once).
-  if (data.payers !== undefined) writeItemPayers(id, data.payers);
+  if (data.payers !== undefined) {
+    writeItemPayers(id, data.payers);
+    // writeItemPayers derives total_price from the payer sum (0 for no payers).
+    // A "recorded total, nobody assigned" expense clears payers but still carries
+    // an explicit total_price — re-apply it so it isn't clobbered to 0.
+    if (data.payers.length === 0 && data.total_price !== undefined) {
+      db.prepare('UPDATE budget_items SET total_price = ? WHERE id = ?').run(data.total_price, id);
+    }
+  }
  if (data.member_ids !== undefined) {
    db.prepare('DELETE FROM budget_item_members WHERE budget_item_id = ?').run(id);
    const insert = db.prepare('INSERT OR IGNORE INTO budget_item_members (budget_item_id, user_id, paid) VALUES (?, ?, 0)');
@@ -229,12 +229,17 @@ export function getPollWithVotes(pollId: number | bigint | string) {
    WHERE v.poll_id = ?
  `).all(pollId) as PollVoteRow[];

-  const formattedOptions = options.map((label: string | { label: string }, idx: number) => ({
-    label: typeof label === 'string' ? label : label.label || label,
-    voters: votes
-      .filter(v => v.option_index === idx)
-      .map(v => ({ id: v.user_id, user_id: v.user_id, username: v.username, avatar: v.avatar, avatar_url: avatarUrl(v) })),
-  }));
+  const formattedOptions = options.map((label: string | { label: string }, idx: number) => {
+    const text = typeof label === 'string' ? label : label.label || label;
+    return {
+      // The client renders `opt.text`; keep `label` too for any other consumer.
+      text,
+      label: text,
+      voters: votes
+        .filter(v => v.option_index === idx)
+        .map(v => ({ id: v.user_id, user_id: v.user_id, username: v.username, avatar: v.avatar, avatar_url: avatarUrl(v) })),
+    };
+  });

  return {
    ...poll,
@@ -1,8 +1,17 @@
 import { Request, Response } from 'express';
-import { SESSION_DURATION_MS } from '../config';
+import { SESSION_DURATION_MS, SESSION_DURATION_REMEMBER_MS } from '../config';

 const COOKIE_NAME = 'trek_session';

+/**
+ * Controls the cookie lifetime for a login:
+ *  - `undefined` → persistent `maxAge: SESSION_DURATION_MS` (the historical
+ *    default, used by register/demo and anything that doesn't opt in).
+ *  - `true`  → persistent `maxAge: SESSION_DURATION_REMEMBER_MS` ("Remember me").
+ *  - `false` → no `maxAge` — a browser-session cookie cleared on browser close.
+ */
+export type RememberOption = boolean | undefined;
+
 /**
 * Decide whether the session cookie should carry the `Secure` flag.
 *
@@ -18,27 +27,35 @@ const COOKIE_NAME = 'trek_session';
 * on the outermost hop, the cookie is `Secure`. `COOKIE_SECURE=false`
 * remains the explicit escape hatch for plain-HTTP LAN testing.
 */
-export function cookieOptions(clear = false, req?: Request) {
+export function cookieOptions(clear = false, req?: Request, remember?: RememberOption) {
  if (process.env.COOKIE_SECURE?.toLowerCase() === 'false') {
-    return buildOptions(clear, false);
+    return buildOptions(clear, false, remember);
  }
  const envSecure = process.env.NODE_ENV?.toLowerCase() === 'production' || process.env.FORCE_HTTPS?.toLowerCase() === 'true';
  const requestSecure = req?.secure === true;
-  return buildOptions(clear, envSecure || requestSecure);
+  return buildOptions(clear, envSecure || requestSecure, remember);
 }

-function buildOptions(clear: boolean, secure: boolean) {
+function resolveMaxAge(remember: RememberOption): { maxAge: number } | Record<string, never> {
+  // false → session cookie (omit maxAge); true → the longer "remember me"
+  // window; undefined → the historical default. Each maxAge matches the JWT exp.
+  if (remember === false) return {};
+  if (remember === true) return { maxAge: SESSION_DURATION_REMEMBER_MS };
+  return { maxAge: SESSION_DURATION_MS };
+}
+
+function buildOptions(clear: boolean, secure: boolean, remember?: RememberOption) {
  return {
    httpOnly: true,
    secure,
    sameSite: 'lax' as const,
    path: '/',
-    ...(clear ? {} : { maxAge: SESSION_DURATION_MS }), // matches the JWT expiry (SESSION_DURATION)
+    ...(clear ? {} : resolveMaxAge(remember)),
  };
 }

-export function setAuthCookie(res: Response, token: string, req?: Request): void {
-  res.cookie(COOKIE_NAME, token, cookieOptions(false, req));
+export function setAuthCookie(res: Response, token: string, req?: Request, remember?: RememberOption): void {
+  res.cookie(COOKIE_NAME, token, cookieOptions(false, req, remember));
 }

 export function clearAuthCookie(res: Response, req?: Request): void {
@@ -1,7 +1,7 @@
 /**
 * Live exchange rates for the Costs/Budget money conversion.
 *
- * Fetches from exchangerate-api.com (no key, already CSP-allowlisted for the
+ * Fetches from api.frankfurter.dev (no key, already CSP-allowlisted for the
 * dashboard widget) and caches per base currency in-memory for a few hours so a
 * settlement request never hammers the upstream. Rates are "units of X per 1
 * base", so an amount in currency C converts to base as `amount / rates[C]`.
@@ -17,10 +17,17 @@ const inflight = new Map<string, Promise<Record<string, number> | null>>();

 async function fetchRates(base: string): Promise<Record<string, number> | null> {
  try {
-    const res = await fetch(`https://api.exchangerate-api.com/v4/latest/${encodeURIComponent(base)}`);
+    const res = await fetch(`https://api.frankfurter.dev/v2/rates?base=${encodeURIComponent(base)}`);
    if (!res.ok) return null;
-    const data = (await res.json()) as { rates?: Record<string, number> };
-    return data.rates && typeof data.rates === 'object' ? data.rates : null;
+    // Frankfurter returns an array of { date, base, quote, rate } and omits the
+    // base's own self-rate, so seed the map with `base = 1` then index by quote.
+    const data = (await res.json()) as Array<{ quote?: string; rate?: number }>;
+    if (!Array.isArray(data)) return null;
+    const rates: Record<string, number> = { [base.toUpperCase()]: 1 };
+    for (const r of data) {
+      if (r && typeof r.quote === 'string' && typeof r.rate === 'number') rates[r.quote] = r.rate;
+    }
+    return Object.keys(rates).length > 1 ? rates : null;
  } catch {
    return null;
  }
@@ -417,8 +417,10 @@ export function findOrCreateUser(
  const bcrypt = require('bcryptjs');
  const hash = bcrypt.hashSync(randomPass, 10);

-  // Username: sanitize and avoid collisions
-  let username = name.replace(/[^a-zA-Z0-9_-]/g, '').substring(0, 30) || 'user';
+  // Username: sanitize and avoid collisions. Keep dots — they are valid in
+  // usernames (see the ^[a-zA-Z0-9_.-]+$ validation in authService) and common
+  // in OIDC name claims like "first.last".
+  let username = name.replace(/[^a-zA-Z0-9_.-]/g, '').substring(0, 30) || 'user';
  const existing = db.prepare('SELECT id FROM users WHERE LOWER(username) = LOWER(?)').get(username);
  if (existing) username = `${username}_${Date.now() % 10000}`;

@@ -1,9 +1,10 @@
-import path from 'node:path';
+import { db } from '../db/database';
+
+import { Jimp, JimpMime } from 'jimp';
+import crypto from 'node:crypto';
 import fs from 'node:fs';
 import fsPromises from 'node:fs/promises';
-import crypto from 'node:crypto';
-import { Jimp, JimpMime } from 'jimp';
-import { db } from '../db/database';
+import path from 'node:path';

 // Overridable for tests (mirrors the TREK_DB_FILE seam) so the suite never touches
 // the real uploads tree.
@@ -26,7 +27,9 @@ const knownOnDisk = new Set<string>();
 // Ensure upload dir exists once at startup — avoids sync FS calls inside put() on every write.
 try {
  fs.mkdirSync(GOOGLE_PHOTO_DIR, { recursive: true });
-} catch { /* already exists */ }
+} catch {
+  /* already exists */
+}

 function filePath(placeId: string): string {
  // Hash to avoid filename collisions — coords:lat:lng pseudo-IDs contain characters that
@@ -46,9 +49,9 @@ interface CachedPhoto {
 }

 export function get(placeId: string): CachedPhoto | null {
-  const row = db.prepare(
-    'SELECT attribution FROM google_place_photo_meta WHERE place_id = ? AND error_at IS NULL'
-  ).get(placeId) as { attribution: string | null } | undefined;
+  const row = db
+    .prepare('SELECT attribution FROM google_place_photo_meta WHERE place_id = ? AND error_at IS NULL')
+    .get(placeId) as { attribution: string | null } | undefined;

  if (!row) return null;

@@ -68,9 +71,9 @@ export function get(placeId: string): CachedPhoto | null {
 }

 export function getErrored(placeId: string): boolean {
-  const row = db.prepare(
-    'SELECT error_at FROM google_place_photo_meta WHERE place_id = ? AND error_at IS NOT NULL'
-  ).get(placeId) as { error_at: number } | undefined;
+  const row = db
+    .prepare('SELECT error_at FROM google_place_photo_meta WHERE place_id = ? AND error_at IS NOT NULL')
+    .get(placeId) as { error_at: number } | undefined;

  if (!row) return false;
  return Date.now() - row.error_at < ERROR_TTL;
@@ -79,7 +82,7 @@ export function getErrored(placeId: string): boolean {
 export function markError(placeId: string): void {
  knownOnDisk.delete(placeId);
  db.prepare(
-    'INSERT OR REPLACE INTO google_place_photo_meta (place_id, attribution, fetched_at, error_at) VALUES (?, NULL, ?, ?)'
+    'INSERT OR REPLACE INTO google_place_photo_meta (place_id, attribution, fetched_at, error_at) VALUES (?, NULL, ?, ?)',
  ).run(placeId, Date.now(), Date.now());
 }

@@ -109,21 +112,28 @@ export async function put(placeId: string, bytes: Buffer, attribution: string |
  knownOnDisk.add(placeId);

  db.prepare(
-    'INSERT OR REPLACE INTO google_place_photo_meta (place_id, attribution, fetched_at, error_at) VALUES (?, ?, ?, NULL)'
+    'INSERT OR REPLACE INTO google_place_photo_meta (place_id, attribution, fetched_at, error_at) VALUES (?, ?, ?, NULL)',
  ).run(placeId, attribution, Date.now());

  return { photoUrl: proxyUrl(placeId), filePath: fp, attribution };
 }

-export function getInFlight(placeId: string): Promise<{ filePath: string; attribution: string | null } | null> | undefined {
+export function getInFlight(
+  placeId: string,
+): Promise<{ filePath: string; attribution: string | null } | null> | undefined {
  return inFlight.get(placeId);
 }

-export function setInFlight(placeId: string, promise: Promise<{ filePath: string; attribution: string | null } | null>): void {
+export function setInFlight(
+  placeId: string,
+  promise: Promise<{ filePath: string; attribution: string | null } | null>,
+): void {
  inFlight.set(placeId, promise);
  promise
    .finally(() => inFlight.delete(placeId))
-    .catch(() => { /* awaiter logs; this .catch only prevents unhandledRejection */ });
+    .catch(() => {
+      /* awaiter logs; this .catch only prevents unhandledRejection */
+    });
 }

 export function serveFilePath(placeId: string): string | null {
@@ -138,14 +148,18 @@ export function serveFilePath(placeId: string): string | null {
 // Google place_id (the dedup key) or by the stable proxy URL stored in image_url
 // (covers coords: pseudo-ids, which never have a google_place_id).
 function isReferenced(placeId: string): boolean {
-  const row = db.prepare(
-    'SELECT 1 FROM places WHERE google_place_id = ? OR image_url = ? LIMIT 1'
-  ).get(placeId, proxyUrl(placeId));
+  const row = db
+    .prepare('SELECT 1 FROM places WHERE google_place_id = ? OR image_url = ? LIMIT 1')
+    .get(placeId, proxyUrl(placeId));
  return !!row;
 }

 function deleteEntry(placeId: string): void {
-  try { fs.unlinkSync(filePath(placeId)); } catch { /* already gone */ }
+  try {
+    fs.unlinkSync(filePath(placeId));
+  } catch {
+    /* already gone */
+  }
  db.prepare('DELETE FROM google_place_photo_meta WHERE place_id = ?').run(placeId);
  knownOnDisk.delete(placeId);
 }
@@ -175,11 +189,20 @@ export function sweepOrphans(): number {

  // Pass 2: files on disk that no surviving meta row maps to (e.g. left over from a
  // crash between writeFile and the DB upsert, or a meta row deleted out-of-band).
-  let entries: string[] = [];
-  try { entries = fs.readdirSync(GOOGLE_PHOTO_DIR); } catch { entries = []; }
+  let entries: string[];
+  try {
+    entries = fs.readdirSync(GOOGLE_PHOTO_DIR);
+  } catch {
+    entries = [];
+  }
  for (const entry of entries) {
    if (!entry.endsWith('.jpg') || keepFiles.has(entry)) continue;
-    try { fs.unlinkSync(path.join(GOOGLE_PHOTO_DIR, entry)); removed++; } catch { /* race */ }
+    try {
+      fs.unlinkSync(path.join(GOOGLE_PHOTO_DIR, entry));
+      removed++;
+    } catch {
+      /* race */
+    }
  }

  return removed;
@@ -16,11 +16,11 @@ function isAlwaysBlocked(ip: string): boolean {
  const addr = ip.startsWith('[') ? ip.slice(1, -1) : ip;

  // Loopback
-  if (addr.startsWith("127.") || addr === '::1') return true;
+  if (addr.startsWith('127.') || addr === '::1') return true;
  // Unspecified
-  if (addr.startsWith("0.")) return true;
+  if (addr.startsWith('0.')) return true;
  // Link-local / cloud metadata
-  if (addr.startsWith("169.254.") || /^fe80:/i.test(addr)) return true;
+  if (addr.startsWith('169.254.') || /^fe80:/i.test(addr)) return true;
  // IPv4-mapped loopback / link-local: ::ffff:127.x.x.x, ::ffff:169.254.x.x
  if (/^::ffff:127\./i.test(addr) || /^::ffff:169\.254\./i.test(addr)) return true;

@@ -32,9 +32,9 @@ function isPrivateNetwork(ip: string): boolean {
  const addr = ip.startsWith('[') ? ip.slice(1, -1) : ip;

  // RFC-1918 private ranges
-  if (addr.startsWith("10.")) return true;
+  if (addr.startsWith('10.')) return true;
  if (/^172\.(1[6-9]|2\d|3[01])\./.test(addr)) return true;
-  if (addr.startsWith("192.168.")) return true;
+  if (addr.startsWith('192.168.')) return true;
  // CGNAT / Tailscale shared address space (100.64.0.0/10)
  if (/^100\.(6[4-9]|[7-9]\d|1[01]\d|12[0-7])\./.test(addr)) return true;
  // IPv6 ULA (fc00::/7)
@@ -71,8 +71,9 @@ export async function checkSsrf(rawUrl: string, bypassInternalIpAllowed: boolean
  try {
    const result = await dns.lookup(hostname);
    resolvedIp = result.address;
-  } catch {
-    return { allowed: false, isPrivate: false, error: 'Could not resolve hostname' };
+  } catch (error_) {
+    const code = error_ instanceof Error && 'code' in error_ ? String(error_.code) : 'unknown';
+    return { allowed: false, isPrivate: false, error: `Could not resolve hostname (${code})` };
  }

  if (isAlwaysBlocked(resolvedIp)) {
@@ -90,7 +91,8 @@ export async function checkSsrf(rawUrl: string, bypassInternalIpAllowed: boolean
        allowed: false,
        isPrivate: true,
        resolvedIp,
-        error: 'Requests to private/internal network addresses are not allowed. Set ALLOW_INTERNAL_NETWORK=true to permit this for self-hosted setups.',
+        error:
+          'Requests to private/internal network addresses are not allowed. Set ALLOW_INTERNAL_NETWORK=true to permit this for self-hosted setups.',
      };
    }
    return { allowed: true, isPrivate: true, resolvedIp };
@@ -187,7 +189,7 @@ export async function safeFetchFollow(
    // (2xx/4xx/5xx, or a 3xx with no Location) is the final response.
    const status = typeof response.status === 'number' ? response.status : 0;
    const isRedirectStatus = status >= 300 && status < 400;
-    const location = isRedirectStatus ? response.headers?.get('location') ?? null : null;
+    const location = isRedirectStatus ? (response.headers?.get('location') ?? null) : null;
    if (!location) {
      return response;
    }
@@ -98,6 +98,28 @@ describe('Auth e2e (real auth guard + real cookie service + temp SQLite)', () =>
    expect(setCookie.some((c) => c.startsWith('trek_session=') && /HttpOnly/i.test(c))).toBe(true);
  }, 10000);

+  it('POST /login with remember_me sets a persistent cookie (Max-Age present)', async () => {
+    authSvc.loginUser.mockReturnValue({ token: 'jwt.token.value', user: { id: 1 }, remember: true });
+    const res = await request(server).post('/api/auth/login').send({ email: 'u@example.test', password: 'pw', remember_me: true });
+    expect(res.status).toBe(200);
+    const setCookie = res.headers['set-cookie'] as unknown as string[];
+    const cookie = setCookie.find((c) => c.startsWith('trek_session='))!;
+    expect(cookie).toMatch(/Max-Age=\d+/i);
+    // 30d default — well above the 24h (86400s) non-remember window.
+    const maxAge = Number(/Max-Age=(\d+)/i.exec(cookie)?.[1]);
+    expect(maxAge).toBeGreaterThan(86_400);
+  }, 10000);
+
+  it('POST /login without remember_me sets a session cookie (no Max-Age)', async () => {
+    authSvc.loginUser.mockReturnValue({ token: 'jwt.token.value', user: { id: 1 }, remember: false });
+    const res = await request(server).post('/api/auth/login').send({ email: 'u@example.test', password: 'pw' });
+    expect(res.status).toBe(200);
+    const setCookie = res.headers['set-cookie'] as unknown as string[];
+    const cookie = setCookie.find((c) => c.startsWith('trek_session='))!;
+    expect(cookie).not.toMatch(/Max-Age/i);
+    expect(cookie).not.toMatch(/Expires/i);
+  }, 10000);
+
  it('POST /logout clears the session cookie', async () => {
    const res = await request(server).post('/api/auth/logout');
    expect(res.status).toBe(200);
@@ -382,7 +382,7 @@ describe('Reservation budget entry integration', () => {
    expect(items[0].total_price).toBe(150);
  });

-  it('RESV-014 — PUT without create_budget_entry removes existing linked budget item', async () => {
+  it('RESV-014 — PUT without create_budget_entry keeps the existing linked budget item', async () => {
    const { user } = createUser(testDb);
    const trip = createTrip(testDb, user.id);

@@ -398,24 +398,98 @@ describe('Reservation budget entry integration', () => {
    expect(createRes.status).toBe(201);
    const resvId = createRes.body.reservation.id;

-    // Verify budget item exists
    const before = testDb
      .prepare('SELECT id FROM budget_items WHERE trip_id = ? AND reservation_id = ?')
      .get(trip.id, resvId);
    expect(before).toBeDefined();

-    // Update without create_budget_entry — should delete the linked budget item
+    // Update WITHOUT create_budget_entry — the booking edit must NOT touch its
+    // linked expense (expenses are managed from the Costs section now).
    const updateRes = await request(app)
      .put(`/api/trips/${trip.id}/reservations/${resvId}`)
      .set('Cookie', authCookie(user.id))
      .send({ title: 'Taxi Updated' });
    expect(updateRes.status).toBe(200);

+    const after = testDb
+      .prepare('SELECT id FROM budget_items WHERE trip_id = ? AND reservation_id = ?')
+      .get(trip.id, resvId);
+    expect(after).toBeDefined();
+  });
+
+  it('RESV-014b — PUT with create_budget_entry total_price 0 removes the linked budget item', async () => {
+    const { user } = createUser(testDb);
+    const trip = createTrip(testDb, user.id);
+
+    const createRes = await request(app)
+      .post(`/api/trips/${trip.id}/reservations`)
+      .set('Cookie', authCookie(user.id))
+      .send({
+        title: 'Taxi',
+        type: 'transport',
+        create_budget_entry: { total_price: 50, category: 'Transport' },
+      });
+    expect(createRes.status).toBe(201);
+    const resvId = createRes.body.reservation.id;
+
+    // Explicit clear (total_price 0) still removes the linked item.
+    const updateRes = await request(app)
+      .put(`/api/trips/${trip.id}/reservations/${resvId}`)
+      .set('Cookie', authCookie(user.id))
+      .send({ title: 'Taxi', create_budget_entry: { total_price: 0 } });
+    expect(updateRes.status).toBe(200);
+
    const after = testDb
      .prepare('SELECT id FROM budget_items WHERE trip_id = ? AND reservation_id = ?')
      .get(trip.id, resvId);
    expect(after).toBeUndefined();
  });
+
+  it('RESV-014c — changing the booking type updates the linked expense category', async () => {
+    const { user } = createUser(testDb);
+    const trip = createTrip(testDb, user.id);
+
+    const createRes = await request(app)
+      .post(`/api/trips/${trip.id}/reservations`)
+      .set('Cookie', authCookie(user.id))
+      .send({ title: 'Booking', type: 'other', create_budget_entry: { total_price: 50, category: 'other' } });
+    const resvId = createRes.body.reservation.id;
+
+    // Change the type other -> hotel (no create_budget_entry).
+    await request(app)
+      .put(`/api/trips/${trip.id}/reservations/${resvId}`)
+      .set('Cookie', authCookie(user.id))
+      .send({ title: 'Booking', type: 'hotel' });
+
+    const item = testDb
+      .prepare('SELECT category FROM budget_items WHERE trip_id = ? AND reservation_id = ?')
+      .get(trip.id, resvId) as { category: string };
+    expect(item.category).toBe('accommodation');
+  });
+
+  it('RESV-014d — a manually-picked expense category survives a booking type change', async () => {
+    const { user } = createUser(testDb);
+    const trip = createTrip(testDb, user.id);
+
+    const createRes = await request(app)
+      .post(`/api/trips/${trip.id}/reservations`)
+      .set('Cookie', authCookie(user.id))
+      .send({ title: 'Booking', type: 'other', create_budget_entry: { total_price: 50, category: 'other' } });
+    const resvId = createRes.body.reservation.id;
+
+    // Simulate a manual category pick in the Costs editor.
+    testDb.prepare('UPDATE budget_items SET category = ? WHERE trip_id = ? AND reservation_id = ?').run('fees', trip.id, resvId);
+
+    await request(app)
+      .put(`/api/trips/${trip.id}/reservations/${resvId}`)
+      .set('Cookie', authCookie(user.id))
+      .send({ title: 'Booking', type: 'hotel' });
+
+    const item = testDb
+      .prepare('SELECT category FROM budget_items WHERE trip_id = ? AND reservation_id = ?')
+      .get(trip.id, resvId) as { category: string };
+    expect(item.category).toBe('fees');
+  });
 });

 describe('Reservation accommodation delete', () => {
@@ -0,0 +1,26 @@
+import { describe, it, expect, vi } from 'vitest';
+import { AddonsController } from '../../../src/nest/addons/addons.controller';
+import type { AddonsService } from '../../../src/nest/addons/addons.service';
+
+function makeService(overrides: Partial<AddonsService> = {}): AddonsService {
+  return {
+    list: vi.fn().mockReturnValue({ collabFeatures: {}, bagTracking: false, addons: [] }),
+    ...overrides,
+  } as unknown as AddonsService;
+}
+
+describe('AddonsController (parity with the legacy GET /api/addons route)', () => {
+  it('GET / delegates straight to the service and returns its feed', () => {
+    const feed = {
+      collabFeatures: { comments: true },
+      bagTracking: true,
+      addons: [{ id: 'atlas', name: 'Atlas', type: 'page', icon: 'globe', enabled: true }],
+    };
+    const list = vi.fn().mockReturnValue(feed);
+    const svc = makeService({ list } as Partial<AddonsService>);
+
+    expect(new AddonsController(svc).list()).toBe(feed);
+    expect(list).toHaveBeenCalledTimes(1);
+    expect(list).toHaveBeenCalledWith();
+  });
+});
@@ -0,0 +1,232 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+
+// Three distinct prepare(...).all() reads (addons, photo_providers, photo_provider_fields).
+// A single shared statement is reused, so .all() is fed result sets in call order.
+const { dbMock } = vi.hoisted(() => {
+  const stmt = { get: vi.fn(), all: vi.fn(() => []), run: vi.fn() };
+  return { dbMock: { prepare: vi.fn(() => stmt), _stmt: stmt } };
+});
+vi.mock('../../../src/db/database', () => ({ db: dbMock, closeDb: () => {}, reinitialize: () => {} }));
+
+const { getBagTracking, getCollabFeatures } = vi.hoisted(() => ({
+  getBagTracking: vi.fn(() => ({ enabled: false })),
+  getCollabFeatures: vi.fn(() => ({})),
+}));
+vi.mock('../../../src/services/adminService', () => ({ getBagTracking, getCollabFeatures }));
+
+const { getPhotoProviderConfig } = vi.hoisted(() => ({ getPhotoProviderConfig: vi.fn(() => ({})) }));
+vi.mock('../../../src/services/memories/helpersService', () => ({ getPhotoProviderConfig }));
+
+import { AddonsService } from '../../../src/nest/addons/addons.service';
+
+function svc() {
+  return new AddonsService();
+}
+
+// Feed the three reads in order: addons, providers, fields.
+function feedReads(addons: unknown[], providers: unknown[], fields: unknown[]) {
+  dbMock._stmt.all
+    .mockReturnValueOnce(addons)
+    .mockReturnValueOnce(providers)
+    .mockReturnValueOnce(fields);
+}
+
+beforeEach(() => {
+  vi.clearAllMocks();
+  dbMock._stmt.all.mockReturnValue([]);
+  getCollabFeatures.mockReturnValue({});
+  getBagTracking.mockReturnValue({ enabled: false });
+  getPhotoProviderConfig.mockReturnValue({});
+});
+
+describe('AddonsService.list', () => {
+  it('returns the collab features and the bag-tracking flag from the admin service', () => {
+    getCollabFeatures.mockReturnValue({ comments: true });
+    getBagTracking.mockReturnValue({ enabled: true });
+    feedReads([], [], []);
+
+    const res = svc().list();
+    expect(res.collabFeatures).toEqual({ comments: true });
+    expect(res.bagTracking).toBe(true);
+    expect(res.addons).toEqual([]);
+  });
+
+  it('coerces the addon enabled column to a boolean (both 1 and 0)', () => {
+    feedReads(
+      [
+        { id: 'atlas', name: 'Atlas', type: 'page', icon: 'globe', enabled: 1 },
+        { id: 'vacay', name: 'Vacay', type: 'page', icon: 'sun', enabled: 0 },
+      ],
+      [],
+      [],
+    );
+
+    const res = svc().list();
+    expect(res.addons).toEqual([
+      { id: 'atlas', name: 'Atlas', type: 'page', icon: 'globe', enabled: true },
+      { id: 'vacay', name: 'Vacay', type: 'page', icon: 'sun', enabled: false },
+    ]);
+  });
+
+  it('maps a photo provider with no fields to an empty fields array (the || [] fallback)', () => {
+    feedReads(
+      [],
+      [{ id: 'immich', name: 'Immich', icon: 'image', enabled: 1, sort_order: 0 }],
+      [],
+    );
+    getPhotoProviderConfig.mockReturnValue({ baseUrl: 'http://x' });
+
+    const res = svc().list();
+    expect(res.addons).toEqual([
+      {
+        id: 'immich',
+        name: 'Immich',
+        type: 'photo_provider',
+        icon: 'image',
+        enabled: true,
+        config: { baseUrl: 'http://x' },
+        fields: [],
+      },
+    ]);
+    expect(getPhotoProviderConfig).toHaveBeenCalledWith('immich');
+  });
+
+  it('coerces a disabled photo provider enabled flag to false', () => {
+    feedReads(
+      [],
+      [{ id: 'synology', name: 'Synology', icon: 'image', enabled: 0, sort_order: 1 }],
+      [],
+    );
+
+    const res = svc().list();
+    expect((res.addons[0] as { enabled: boolean }).enabled).toBe(false);
+  });
+
+  it('groups multiple fields under their provider and keeps insertion order', () => {
+    feedReads(
+      [],
+      [{ id: 'immich', name: 'Immich', icon: 'image', enabled: 1, sort_order: 0 }],
+      [
+        {
+          provider_id: 'immich',
+          field_key: 'url',
+          label: 'URL',
+          input_type: 'text',
+          placeholder: 'https://',
+          hint: 'Base URL',
+          required: 1,
+          secret: 0,
+          settings_key: 'immich_url',
+          payload_key: 'url',
+          sort_order: 0,
+        },
+        // Second field for the SAME provider exercises the `get(...) || []` truthy branch.
+        {
+          provider_id: 'immich',
+          field_key: 'token',
+          label: 'Token',
+          input_type: 'password',
+          placeholder: null,
+          hint: null,
+          required: 0,
+          secret: 1,
+          settings_key: null,
+          payload_key: null,
+          sort_order: 1,
+        },
+      ],
+    );
+
+    const res = svc().list();
+    const provider = res.addons[0] as { fields: Array<Record<string, unknown>> };
+    expect(provider.fields).toEqual([
+      {
+        key: 'url',
+        label: 'URL',
+        input_type: 'text',
+        placeholder: 'https://',
+        hint: 'Base URL',
+        required: true,
+        secret: false,
+        settings_key: 'immich_url',
+        payload_key: 'url',
+        sort_order: 0,
+      },
+      {
+        key: 'token',
+        label: 'Token',
+        input_type: 'password',
+        placeholder: '',
+        hint: null,
+        required: false,
+        secret: true,
+        settings_key: null,
+        payload_key: null,
+        sort_order: 1,
+      },
+    ]);
+  });
+
+  it('falls back placeholder→"", hint→null, settings/payload keys→null when columns are missing/empty', () => {
+    feedReads(
+      [],
+      [{ id: 'p', name: 'P', icon: 'i', enabled: 1, sort_order: 0 }],
+      [
+        {
+          provider_id: 'p',
+          field_key: 'k',
+          label: 'L',
+          input_type: 'text',
+          // placeholder/hint/settings_key/payload_key omitted entirely (undefined)
+          required: 0,
+          secret: 0,
+          sort_order: 0,
+        },
+      ],
+    );
+
+    const res = svc().list();
+    const field = (res.addons[0] as { fields: Array<Record<string, unknown>> }).fields[0];
+    expect(field).toMatchObject({
+      placeholder: '',
+      hint: null,
+      settings_key: null,
+      payload_key: null,
+    });
+  });
+
+  it('keeps fields belonging to other providers out of a provider with none of its own', () => {
+    // A field exists, but for a DIFFERENT provider than the one returned — exercises
+    // the `fieldsByProvider.get(p.id) || []` fallback while the map is non-empty.
+    feedReads(
+      [],
+      [{ id: 'has-none', name: 'X', icon: 'i', enabled: 1, sort_order: 0 }],
+      [
+        {
+          provider_id: 'other',
+          field_key: 'k',
+          label: 'L',
+          input_type: 'text',
+          required: 0,
+          secret: 0,
+          sort_order: 0,
+        },
+      ],
+    );
+
+    const res = svc().list();
+    expect((res.addons[0] as { fields: unknown[] }).fields).toEqual([]);
+  });
+
+  it('concatenates regular addons before the photo providers', () => {
+    feedReads(
+      [{ id: 'atlas', name: 'Atlas', type: 'page', icon: 'globe', enabled: 1 }],
+      [{ id: 'immich', name: 'Immich', icon: 'image', enabled: 1, sort_order: 0 }],
+      [],
+    );
+
+    const res = svc().list();
+    expect(res.addons.map((a) => (a as { id: string }).id)).toEqual(['atlas', 'immich']);
+    expect((res.addons[1] as { type: string }).type).toBe('photo_provider');
+  });
+});
@@ -8,6 +8,7 @@ vi.mock('../../../src/services/notificationService', () => ({ send: vi.fn().mock
 import { AdminController } from '../../../src/nest/admin/admin.controller';
 import type { AdminService } from '../../../src/nest/admin/admin.service';
 import { writeAudit } from '../../../src/services/auditLog';
+import { send as sendNotification } from '../../../src/services/notificationService';
 import type { User } from '../../../src/types';

 const user = { id: 1, role: 'admin', email: 'admin@example.test' } as User;
@@ -121,6 +122,114 @@ describe('AdminController addons + sessions + jwt + defaults', () => {
  });
 });

+describe('AdminController error envelope fallbacks', () => {
+  it('ok() defaults to 400 when the error envelope omits a status', () => {
+    expect(thrown(() => new AdminController(svc({ createUser: vi.fn().mockReturnValue({ error: 'boom' }) } as Partial<AdminService>)).createUser(user, {}, req))).toEqual({ status: 400, body: { error: 'boom' } });
+  });
+
+  it('updateOidc defaults to 400 when the service error omits a status', () => {
+    expect(thrown(() => new AdminController(svc({ updateOidcSettings: vi.fn().mockReturnValue({ error: 'nope' }) } as Partial<AdminService>)).updateOidc(user, {}, req))).toEqual({ status: 400, body: { error: 'nope' } });
+  });
+
+  it('updateOidc audits issuer_set=false when no issuer is supplied', () => {
+    expect(new AdminController(svc({ updateOidcSettings: vi.fn().mockReturnValue({}) } as Partial<AdminService>)).updateOidc(user, {}, req)).toEqual({ success: true });
+    expect(writeAudit).toHaveBeenCalledWith(expect.objectContaining({ action: 'admin.oidc_update', details: { issuer_set: false } }));
+  });
+});
+
+describe('AdminController read-only getters', () => {
+  it('return service values verbatim', () => {
+    expect(new AdminController(svc({ resetUserPasskeys: vi.fn().mockReturnValue({ email: 'a@b.c', deleted: 2 }) } as Partial<AdminService>)).resetUserPasskeys(user, '4', req)).toEqual({ success: true, deleted: 2 });
+    expect(new AdminController(svc({ getStats: vi.fn().mockReturnValue({ users: 3 }) } as Partial<AdminService>)).stats()).toEqual({ users: 3 });
+    expect(new AdminController(svc({ getPermissions: vi.fn().mockReturnValue({ a: 1 }) } as Partial<AdminService>)).permissions()).toEqual({ a: 1 });
+    expect(new AdminController(svc({ getAuditLog: vi.fn().mockReturnValue({ entries: [] }) } as Partial<AdminService>)).auditLog({})).toEqual({ entries: [] });
+    expect(new AdminController(svc({ getOidcSettings: vi.fn().mockReturnValue({ issuer: 'x' }) } as Partial<AdminService>)).getOidc()).toEqual({ issuer: 'x' });
+    expect(new AdminController(svc({ checkVersion: vi.fn().mockResolvedValue({ current: '1' }) } as Partial<AdminService>)).versionCheck()).resolves.toEqual({ current: '1' });
+    expect(new AdminController(svc({ getPreferencesMatrix: vi.fn().mockReturnValue({ rows: [] }) } as Partial<AdminService>)).getNotificationPrefs(user)).toEqual({ rows: [] });
+    expect(new AdminController(svc({ listInvites: vi.fn().mockReturnValue([{ id: 1 }]) } as Partial<AdminService>)).listInvites()).toEqual({ invites: [{ id: 1 }] });
+    expect(new AdminController(svc({ getBagTracking: vi.fn().mockReturnValue({ enabled: false }) } as Partial<AdminService>)).getBagTracking()).toEqual({ enabled: false });
+    expect(new AdminController(svc({ getPlacesPhotos: vi.fn().mockReturnValue({ enabled: true }) } as Partial<AdminService>)).getPlacesPhotos()).toEqual({ enabled: true });
+    expect(new AdminController(svc({ getPlacesAutocomplete: vi.fn().mockReturnValue({ enabled: true }) } as Partial<AdminService>)).getPlacesAutocomplete()).toEqual({ enabled: true });
+    expect(new AdminController(svc({ getPlacesDetails: vi.fn().mockReturnValue({ enabled: true }) } as Partial<AdminService>)).getPlacesDetails()).toEqual({ enabled: true });
+    expect(new AdminController(svc({ getCollabFeatures: vi.fn().mockReturnValue({ chat: false }) } as Partial<AdminService>)).getCollabFeatures()).toEqual({ chat: false });
+    expect(new AdminController(svc({ listPackingTemplates: vi.fn().mockReturnValue([{ id: 1 }]) } as Partial<AdminService>)).listPackingTemplates()).toEqual({ templates: [{ id: 1 }] });
+    expect(new AdminController(svc({ listAddons: vi.fn().mockReturnValue([{ id: 'mcp' }]) } as Partial<AdminService>)).listAddons()).toEqual({ addons: [{ id: 'mcp' }] });
+    expect(new AdminController(svc({ listMcpTokens: vi.fn().mockReturnValue([{ id: 1 }]) } as Partial<AdminService>)).listMcpTokens()).toEqual({ tokens: [{ id: 1 }] });
+    expect(new AdminController(svc({ listOAuthSessions: vi.fn().mockReturnValue([{ id: 1 }]) } as Partial<AdminService>)).listOAuthSessions()).toEqual({ sessions: [{ id: 1 }] });
+    expect(new AdminController(svc({ getAdminUserDefaults: vi.fn().mockReturnValue({ theme: 'dark' }) } as Partial<AdminService>)).getDefaultUserSettings()).toEqual({ theme: 'dark' });
+  });
+
+  it('setNotificationPrefs persists then returns the refreshed matrix', () => {
+    const setAdminPreferences = vi.fn();
+    const c = new AdminController(svc({ setAdminPreferences, getPreferencesMatrix: vi.fn().mockReturnValue({ rows: [1] }) } as Partial<AdminService>));
+    expect(c.setNotificationPrefs(user, { x: 1 })).toEqual({ rows: [1] });
+    expect(setAdminPreferences).toHaveBeenCalledWith(user.id, { x: 1 });
+  });
+
+  it('githubReleases falls back to default paging when no query is given', async () => {
+    const getGithubReleases = vi.fn().mockResolvedValue([{ tag: 'v1' }]);
+    const c = new AdminController(svc({ getGithubReleases } as Partial<AdminService>));
+    await expect(c.githubReleases()).resolves.toEqual([{ tag: 'v1' }]);
+    expect(getGithubReleases).toHaveBeenCalledWith('10', '1');
+    await c.githubReleases('5', '2');
+    expect(getGithubReleases).toHaveBeenLastCalledWith('5', '2');
+  });
+});
+
+describe('AdminController feature toggles + audit', () => {
+  it('bag-tracking updates and audits', () => {
+    const c = new AdminController(svc({ updateBagTracking: vi.fn().mockReturnValue({ enabled: true }) } as Partial<AdminService>));
+    expect(c.updateBagTracking(user, { enabled: true }, req)).toEqual({ enabled: true });
+    expect(writeAudit).toHaveBeenCalledWith(expect.objectContaining({ action: 'admin.bag_tracking' }));
+  });
+
+  it('places-autocomplete: 400 on a non-boolean, else updates + audits', () => {
+    expect(thrown(() => new AdminController(svc()).updatePlacesAutocomplete(user, { enabled: 'yes' }, req))).toEqual({ status: 400, body: { error: 'enabled must be a boolean' } });
+    expect(new AdminController(svc({ updatePlacesAutocomplete: vi.fn().mockReturnValue({ enabled: false }) } as Partial<AdminService>)).updatePlacesAutocomplete(user, { enabled: false }, req)).toEqual({ enabled: false });
+  });
+
+  it('places-details: 400 on a non-boolean, else updates + audits', () => {
+    expect(thrown(() => new AdminController(svc()).updatePlacesDetails(user, { enabled: 1 }, req))).toEqual({ status: 400, body: { error: 'enabled must be a boolean' } });
+    expect(new AdminController(svc({ updatePlacesDetails: vi.fn().mockReturnValue({ enabled: true }) } as Partial<AdminService>)).updatePlacesDetails(user, { enabled: true }, req)).toEqual({ enabled: true });
+  });
+});
+
+describe('AdminController packing template sub-routes', () => {
+  it('update/delete templates, categories and items map errors + return success', () => {
+    expect(new AdminController(svc({ updatePackingTemplate: vi.fn().mockReturnValue({ id: 3 }) } as Partial<AdminService>)).updatePackingTemplate('3', {})).toEqual({ id: 3 });
+    expect(new AdminController(svc({ createTemplateCategory: vi.fn().mockReturnValue({ id: 4 }) } as Partial<AdminService>)).createTemplateCategory('3', { name: 'Tops' })).toEqual({ id: 4 });
+    expect(new AdminController(svc({ updateTemplateCategory: vi.fn().mockReturnValue({ id: 4 }) } as Partial<AdminService>)).updateTemplateCategory('3', '4', {})).toEqual({ id: 4 });
+    expect(new AdminController(svc({ deleteTemplateCategory: vi.fn().mockReturnValue({}) } as Partial<AdminService>)).deleteTemplateCategory('3', '4')).toEqual({ success: true });
+    expect(new AdminController(svc({ updateTemplateItem: vi.fn().mockReturnValue({ id: 7 }) } as Partial<AdminService>)).updateTemplateItem('7', {})).toEqual({ id: 7 });
+    expect(new AdminController(svc({ deleteTemplateItem: vi.fn().mockReturnValue({}) } as Partial<AdminService>)).deleteTemplateItem('7')).toEqual({ success: true });
+    expect(thrown(() => new AdminController(svc({ deleteTemplateItem: vi.fn().mockReturnValue({ error: 'gone', status: 404 }) } as Partial<AdminService>)).deleteTemplateItem('9'))).toEqual({ status: 404, body: { error: 'gone' } });
+  });
+});
+
+describe('AdminController tokens + sessions', () => {
+  it('mcp token + oauth session deletes return success and map errors', () => {
+    expect(new AdminController(svc({ deleteMcpToken: vi.fn().mockReturnValue({}) } as Partial<AdminService>)).deleteMcpToken('2')).toEqual({ success: true });
+    expect(thrown(() => new AdminController(svc({ deleteMcpToken: vi.fn().mockReturnValue({ error: 'no token', status: 404 }) } as Partial<AdminService>)).deleteMcpToken('9'))).toEqual({ status: 404, body: { error: 'no token' } });
+    expect(thrown(() => new AdminController(svc({ revokeOAuthSession: vi.fn().mockReturnValue({ error: 'no session', status: 404 }) } as Partial<AdminService>)).revokeOAuthSession(user, '9', req))).toEqual({ status: 404, body: { error: 'no session' } });
+  });
+});
+
+describe('AdminController default-user-settings error path', () => {
+  it('400 with an Error message when setAdminUserDefaults throws an Error', () => {
+    const c = new AdminController(svc({ setAdminUserDefaults: vi.fn(() => { throw new Error('bad default'); }) } as Partial<AdminService>));
+    expect(thrown(() => c.setDefaultUserSettings(user, { theme: 'x' }, req))).toEqual({ status: 400, body: { error: 'bad default' } });
+  });
+
+  it('400 stringifies a non-Error throw', () => {
+    const c = new AdminController(svc({ setAdminUserDefaults: vi.fn(() => { throw 'plain string'; }) } as Partial<AdminService>));
+    expect(thrown(() => c.setDefaultUserSettings(user, { theme: 'x' }, req))).toEqual({ status: 400, body: { error: 'plain string' } });
+  });
+
+  it('400 when the body is null', () => {
+    expect(thrown(() => new AdminController(svc()).setDefaultUserSettings(user, null, req))).toEqual({ status: 400, body: { error: 'Object body required' } });
+  });
+});
+
 describe('AdminController dev test-notification', () => {
  it('404 outside development', async () => {
    delete process.env.NODE_ENV;
@@ -132,4 +241,23 @@ describe('AdminController dev test-notification', () => {
    const res = await new AdminController(svc()).devTestNotification(user, { event: 'trip_reminder' });
    expect(res).toEqual({ success: true });
  });
+
+  it('applies notification defaults when the body is empty', async () => {
+    process.env.NODE_ENV = 'development';
+    const res = await new AdminController(svc()).devTestNotification(user, {});
+    expect(res).toEqual({ success: true });
+    expect(sendNotification).toHaveBeenCalledWith(expect.objectContaining({ event: 'trip_reminder', scope: 'user', targetId: user.id }));
+  });
+
+  it('maps an Error from the notification service to 400', async () => {
+    process.env.NODE_ENV = 'development';
+    (sendNotification as unknown as ReturnType<typeof vi.fn>).mockRejectedValueOnce(new Error('send failed'));
+    await expect(new AdminController(svc()).devTestNotification(user, { event: 'trip_reminder' })).rejects.toMatchObject({ response: { error: 'send failed' } });
+  });
+
+  it('stringifies a non-Error notification failure to 400', async () => {
+    process.env.NODE_ENV = 'development';
+    (sendNotification as unknown as ReturnType<typeof vi.fn>).mockRejectedValueOnce('weird');
+    await expect(new AdminController(svc()).devTestNotification(user, { event: 'trip_reminder' })).rejects.toMatchObject({ response: { error: 'weird' } });
+  });
 });
@@ -1,26 +1,264 @@
-import { describe, it, expect } from 'vitest';
+import { describe, it, expect, vi, beforeEach } from 'vitest';
 import { HttpException } from '@nestjs/common';
+import type { Request } from 'express';
+
+vi.mock('../../../src/middleware/auth', () => ({ extractToken: vi.fn(), verifyJwtAndLoadUser: vi.fn() }));
+vi.mock('../../../src/services/authService', () => ({ resolveAuthToggles: vi.fn() }));
+vi.mock('../../../src/services/cookie', () => ({ setAuthCookie: vi.fn() }));
+vi.mock('../../../src/services/auditLog', () => ({ writeAudit: vi.fn(), getClientIp: vi.fn(() => '1.2.3.4') }));
+vi.mock('../../../src/services/passkeyService', () => ({
+  passkeyRegisterOptions: vi.fn(),
+  passkeyRegisterVerify: vi.fn(),
+  passkeyLoginOptions: vi.fn(),
+  passkeyLoginVerify: vi.fn(),
+  listPasskeys: vi.fn(),
+  renamePasskey: vi.fn(),
+  deletePasskey: vi.fn(),
+}));
+
 import { JwtAuthGuard } from '../../../src/nest/auth/jwt-auth.guard';
+import { CookieAuthGuard } from '../../../src/nest/auth/cookie-auth.guard';
+import { OptionalJwtGuard } from '../../../src/nest/auth/optional-jwt.guard';
+import { AdminGuard } from '../../../src/nest/auth/admin.guard';
+import { PasskeyEnabledGuard } from '../../../src/nest/auth/passkey-enabled.guard';
+import { PasskeyController } from '../../../src/nest/auth/passkey.controller';
+import { RateLimitService } from '../../../src/nest/auth/rate-limit.service';
+import { CurrentUser } from '../../../src/nest/auth/current-user.decorator';
+import { extractToken, verifyJwtAndLoadUser } from '../../../src/middleware/auth';
+import { resolveAuthToggles } from '../../../src/services/authService';
+import { setAuthCookie } from '../../../src/services/cookie';
+import { writeAudit } from '../../../src/services/auditLog';
+import * as passkey from '../../../src/services/passkeyService';
+import type { User } from '../../../src/types';
+
+const user = { id: 1, username: 'u', role: 'user', email: 'u@example.test' } as User;

 function context(req: unknown) {
  return { switchToHttp: () => ({ getRequest: () => req }) } as never;
 }
+function thrown(fn: () => unknown): { status: number; body: unknown } {
+  try { fn(); } catch (err) {
+    expect(err).toBeInstanceOf(HttpException);
+    const e = err as HttpException;
+    return { status: e.getStatus(), body: e.getResponse() };
+  }
+  throw new Error('expected throw');
+}
+async function thrownAsync(fn: () => Promise<unknown>): Promise<{ status: number; body: unknown }> {
+  try { await fn(); } catch (err) {
+    expect(err).toBeInstanceOf(HttpException);
+    const e = err as HttpException;
+    return { status: e.getStatus(), body: e.getResponse() };
+  }
+  throw new Error('expected throw');
+}
+
+beforeEach(() => vi.clearAllMocks());

 describe('JwtAuthGuard', () => {
  const guard = new JwtAuthGuard();

  it('rejects with the legacy 401 { error, code } when no token is present', () => {
-    let thrown: unknown;
-    try {
-      guard.canActivate(context({ headers: {}, cookies: {} }));
-    } catch (e) {
-      thrown = e;
-    }
-    expect(thrown).toBeInstanceOf(HttpException);
-    expect((thrown as HttpException).getStatus()).toBe(401);
-    expect((thrown as HttpException).getResponse()).toEqual({
-      error: 'Access token required',
-      code: 'AUTH_REQUIRED',
+    vi.mocked(extractToken).mockReturnValue(null);
+    expect(thrown(() => guard.canActivate(context({ headers: {}, cookies: {} })))).toEqual({
+      status: 401,
+      body: { error: 'Access token required', code: 'AUTH_REQUIRED' },
    });
  });
+
+  it('rejects an invalid/expired token (verify returns null)', () => {
+    vi.mocked(extractToken).mockReturnValue('tok');
+    vi.mocked(verifyJwtAndLoadUser).mockReturnValue(null);
+    expect(thrown(() => guard.canActivate(context({ headers: {} })))).toEqual({
+      status: 401,
+      body: { error: 'Invalid or expired token', code: 'AUTH_REQUIRED' },
+    });
+  });
+
+  it('attaches the loaded user and allows a valid token through', () => {
+    const req: Record<string, unknown> = { headers: {} };
+    vi.mocked(extractToken).mockReturnValue('tok');
+    vi.mocked(verifyJwtAndLoadUser).mockReturnValue(user);
+    expect(guard.canActivate(context(req))).toBe(true);
+    expect(req.user).toBe(user);
+  });
+});
+
+describe('CookieAuthGuard', () => {
+  const guard = new CookieAuthGuard();
+
+  it('401s when the trek_session cookie is missing', () => {
+    expect(thrown(() => guard.canActivate(context({ cookies: {} })))).toEqual({
+      status: 401,
+      body: { error: 'Cookie session required for this endpoint', code: 'COOKIE_AUTH_REQUIRED' },
+    });
+    // and when there is no cookies object at all
+    expect(thrown(() => guard.canActivate(context({})))).toEqual({
+      status: 401,
+      body: { error: 'Cookie session required for this endpoint', code: 'COOKIE_AUTH_REQUIRED' },
+    });
+  });
+
+  it('401s when the cookie token fails verification', () => {
+    vi.mocked(verifyJwtAndLoadUser).mockReturnValue(null);
+    expect(thrown(() => guard.canActivate(context({ cookies: { trek_session: 'tok' } })))).toEqual({
+      status: 401,
+      body: { error: 'Invalid or expired session', code: 'AUTH_REQUIRED' },
+    });
+  });
+
+  it('attaches the user and allows a valid cookie session through', () => {
+    const req: Record<string, unknown> = { cookies: { trek_session: 'tok' } };
+    vi.mocked(verifyJwtAndLoadUser).mockReturnValue(user);
+    expect(guard.canActivate(context(req))).toBe(true);
+    expect(req.user).toBe(user);
+  });
+});
+
+describe('OptionalJwtGuard', () => {
+  const guard = new OptionalJwtGuard();
+
+  it('always allows; sets req.user to null when no token', () => {
+    const req: Record<string, unknown> = { headers: {} };
+    vi.mocked(extractToken).mockReturnValue(null);
+    expect(guard.canActivate(context(req))).toBe(true);
+    expect(req.user).toBeNull();
+    expect(verifyJwtAndLoadUser).not.toHaveBeenCalled();
+  });
+
+  it('sets req.user to null when a token verifies to nothing', () => {
+    const req: Record<string, unknown> = { headers: {} };
+    vi.mocked(extractToken).mockReturnValue('tok');
+    vi.mocked(verifyJwtAndLoadUser).mockReturnValue(null);
+    expect(guard.canActivate(context(req))).toBe(true);
+    expect(req.user).toBeNull();
+  });
+
+  it('populates req.user from a valid token', () => {
+    const req: Record<string, unknown> = { headers: {} };
+    vi.mocked(extractToken).mockReturnValue('tok');
+    vi.mocked(verifyJwtAndLoadUser).mockReturnValue(user);
+    expect(guard.canActivate(context(req))).toBe(true);
+    expect(req.user).toBe(user);
+  });
+});
+
+describe('AdminGuard', () => {
+  const guard = new AdminGuard();
+
+  it('403s for anonymous and for a non-admin role', () => {
+    expect(thrown(() => guard.canActivate(context({})))).toEqual({ status: 403, body: { error: 'Admin access required' } });
+    expect(thrown(() => guard.canActivate(context({ user: { role: 'user' } })))).toEqual({ status: 403, body: { error: 'Admin access required' } });
+  });
+
+  it('allows an admin through', () => {
+    expect(guard.canActivate(context({ user: { role: 'admin' } }))).toBe(true);
+  });
+});
+
+describe('PasskeyEnabledGuard', () => {
+  const guard = new PasskeyEnabledGuard();
+
+  it('404s when passkey_login is off', () => {
+    vi.mocked(resolveAuthToggles).mockReturnValue({ passkey_login: false } as ReturnType<typeof resolveAuthToggles>);
+    expect(thrown(() => guard.canActivate())).toEqual({ status: 404, body: { error: 'Passkey login is not enabled' } });
+  });
+
+  it('allows when passkey_login is on', () => {
+    vi.mocked(resolveAuthToggles).mockReturnValue({ passkey_login: true } as ReturnType<typeof resolveAuthToggles>);
+    expect(guard.canActivate()).toBe(true);
+  });
+});
+
+describe('CurrentUser decorator', () => {
+  // Apply the decorator to a throwaway handler so Nest stores the param factory in
+  // route metadata, then invoke that factory exactly as the framework would.
+  function paramFactory(): (data: unknown, ctx: unknown) => User | undefined {
+    class Target { handler(_u: User) {} }
+    (CurrentUser() as ParameterDecorator)(Target.prototype, 'handler', 0);
+    const meta = Reflect.getMetadata('__routeArguments__', Target, 'handler') as Record<string, { factory: (data: unknown, ctx: unknown) => User | undefined }>;
+    return Object.values(meta)[0].factory;
+  }
+
+  it('resolves the authenticated user from the request', () => {
+    expect(paramFactory()(undefined, context({ user }))).toBe(user);
+  });
+
+  it('returns undefined when no user is attached', () => {
+    expect(paramFactory()(undefined, context({}))).toBeUndefined();
+  });
+});
+
+describe('PasskeyController', () => {
+  const req = { ip: '9.9.9.9' } as Request;
+  const res = {} as never;
+  function rl(): RateLimitService { return new RateLimitService(); }
+
+  it('register/options maps a service error, else returns the options', async () => {
+    vi.mocked(passkey.passkeyRegisterOptions).mockResolvedValue({ error: 'Incorrect password', status: 401 });
+    expect(await thrownAsync(() => new PasskeyController(rl()).registerOptions(user, { password: 'x' }, req))).toEqual({ status: 401, body: { error: 'Incorrect password' } });
+    vi.mocked(passkey.passkeyRegisterOptions).mockResolvedValue({ options: { challenge: 'c' } as never });
+    expect(await new PasskeyController(rl()).registerOptions(user, { password: 'p' }, req)).toEqual({ challenge: 'c' });
+  });
+
+  it('register/verify maps a service error, else audits and returns the credential', async () => {
+    vi.mocked(passkey.passkeyRegisterVerify).mockResolvedValue({ error: 'Verification failed', status: 400 } as never);
+    expect(await thrownAsync(() => new PasskeyController(rl()).registerVerify(user, {}, req))).toEqual({ status: 400, body: { error: 'Verification failed' } });
+    vi.mocked(passkey.passkeyRegisterVerify).mockResolvedValue({ credential: { id: 'cr' } } as never);
+    expect(await new PasskeyController(rl()).registerVerify(user, {}, req)).toEqual({ success: true, credential: { id: 'cr' } });
+    expect(writeAudit).toHaveBeenCalledWith(expect.objectContaining({ action: 'user.passkey_register' }));
+  });
+
+  it('login/options maps a service error, else returns the options', async () => {
+    vi.mocked(passkey.passkeyLoginOptions).mockResolvedValue({ error: 'Not configured', status: 503 } as never);
+    expect(await thrownAsync(() => new PasskeyController(rl()).loginOptions(req))).toEqual({ status: 503, body: { error: 'Not configured' } });
+    vi.mocked(passkey.passkeyLoginOptions).mockResolvedValue({ options: { challenge: 'd' } } as never);
+    expect(await new PasskeyController(rl()).loginOptions(req)).toEqual({ challenge: 'd' });
+  });
+
+  it('login/verify audits a failure then maps the error, padding latency', async () => {
+    vi.mocked(passkey.passkeyLoginVerify).mockResolvedValue({ error: 'No match', status: 401, auditAction: 'user.login_fail', auditUserId: null } as never);
+    expect(await thrownAsync(() => new PasskeyController(rl()).loginVerify({}, req, res))).toEqual({ status: 401, body: { error: 'No match' } });
+    expect(writeAudit).toHaveBeenCalledWith(expect.objectContaining({ action: 'user.login_fail' }));
+  }, 10000);
+
+  it('login/verify sets the session cookie and audits login on success', async () => {
+    vi.mocked(passkey.passkeyLoginVerify).mockResolvedValue({ token: 'tk', user, auditUserId: 1 } as never);
+    expect(await new PasskeyController(rl()).loginVerify({}, req, res)).toEqual({ token: 'tk', user });
+    expect(setAuthCookie).toHaveBeenCalledWith(res, 'tk', req);
+    expect(writeAudit).toHaveBeenCalledWith(expect.objectContaining({ action: 'user.login', details: { method: 'passkey' } }));
+  }, 10000);
+
+  it('credentials: list, rename (error + success), delete (error + success)', () => {
+    vi.mocked(passkey.listPasskeys).mockReturnValue([{ id: 'a' }]);
+    expect(new PasskeyController(rl()).list(user)).toEqual({ credentials: [{ id: 'a' }] });
+
+    vi.mocked(passkey.renamePasskey).mockReturnValue({ error: 'Not found', status: 404 });
+    expect(thrown(() => new PasskeyController(rl()).rename(user, 'cid', { name: 'x' }))).toEqual({ status: 404, body: { error: 'Not found' } });
+    vi.mocked(passkey.renamePasskey).mockReturnValue({ success: true });
+    expect(new PasskeyController(rl()).rename(user, 'cid', { name: 'x' })).toEqual({ success: true });
+
+    vi.mocked(passkey.deletePasskey).mockReturnValue({ error: 'Incorrect password', status: 401 });
+    expect(thrown(() => new PasskeyController(rl()).remove(user, 'cid', { password: 'x' }, req))).toEqual({ status: 401, body: { error: 'Incorrect password' } });
+    vi.mocked(passkey.deletePasskey).mockReturnValue({ success: true });
+    expect(new PasskeyController(rl()).remove(user, 'cid', { password: 'p' }, req)).toEqual({ success: true });
+    expect(writeAudit).toHaveBeenCalledWith(expect.objectContaining({ action: 'user.passkey_delete' }));
+  });
+
+  it('throttles registration and login ceremonies once the bucket is exhausted', async () => {
+    const s = new RateLimitService();
+    const now = Date.now();
+    for (let i = 0; i < 5; i++) s.check('mfa', '9.9.9.9', 5, 15 * 60 * 1000, now);
+    expect(await thrownAsync(() => new PasskeyController(s).registerOptions(user, {}, req))).toEqual({ status: 429, body: { error: 'Too many attempts. Please try again later.' } });
+
+    const s2 = new RateLimitService();
+    for (let i = 0; i < 10; i++) s2.check('login', '9.9.9.9', 10, 15 * 60 * 1000, now);
+    expect(await thrownAsync(() => new PasskeyController(s2).loginOptions(req))).toEqual({ status: 429, body: { error: 'Too many attempts. Please try again later.' } });
+  });
+
+  it('falls back to the "unknown" rate-limit key when req.ip is absent', async () => {
+    vi.mocked(passkey.passkeyLoginOptions).mockResolvedValue({ options: { challenge: 'z' } } as never);
+    const noIp = {} as Request;
+    expect(await new PasskeyController(rl()).loginOptions(noIp)).toEqual({ challenge: 'z' });
+  });
 });
@@ -51,6 +51,18 @@ describe('RateLimitService', () => {
    expect(s.check('mfa', 'ip', 2, 1000, 20)).toBe(true);     // different bucket
    expect(s.check('login', 'ip', 2, 1000, 2000)).toBe(true); // window elapsed -> reset
  });
+
+  it('reset clears a single named bucket, and reset() clears all of them', () => {
+    const s = rl();
+    s.check('login', 'ip', 1, 1000, 0); // login bucket now at its cap
+    s.check('mfa', 'ip', 1, 1000, 0);   // mfa bucket now at its cap
+    expect(s.check('login', 'ip', 1, 1000, 0)).toBe(false);
+    s.reset('login'); // only the login bucket
+    expect(s.check('login', 'ip', 1, 1000, 0)).toBe(true);
+    expect(s.check('mfa', 'ip', 1, 1000, 0)).toBe(false); // mfa untouched
+    s.reset(); // everything
+    expect(s.check('mfa', 'ip', 1, 1000, 0)).toBe(true);
+  });
 });

 describe('AuthPublicController', () => {
@@ -82,9 +94,10 @@ describe('AuthPublicController', () => {
    const setAuthCookie = vi.fn();
    const mfa = new AuthPublicController(asvc({ loginUser: vi.fn().mockReturnValue({ mfa_required: true, mfa_token: 'mt' }) } as Partial<AuthService>), rl());
    expect(await mfa.login({}, req, res)).toEqual({ mfa_required: true, mfa_token: 'mt' });
-    const ok = new AuthPublicController(asvc({ loginUser: vi.fn().mockReturnValue({ token: 'tk', user }), setAuthCookie } as Partial<AuthService>), rl());
+    const ok = new AuthPublicController(asvc({ loginUser: vi.fn().mockReturnValue({ token: 'tk', user, remember: true }), setAuthCookie } as Partial<AuthService>), rl());
    expect(await ok.login({}, req, res)).toEqual({ token: 'tk', user });
-    expect(setAuthCookie).toHaveBeenCalled();
+    // The "remember me" flag from the service rides through to the cookie service.
+    expect(setAuthCookie).toHaveBeenCalledWith(res, 'tk', req, true);
    const bad = new AuthPublicController(asvc({ loginUser: vi.fn().mockReturnValue({ error: 'Bad creds', status: 401, auditAction: 'user.login_fail' }) } as Partial<AuthService>), rl());
    expect(await thrownAsync(() => bad.login({}, req, res))).toEqual({ status: 401, body: { error: 'Bad creds' } });
  }, 10000);
@@ -103,6 +116,71 @@ describe('AuthPublicController', () => {
    expect(new AuthPublicController(asvc({ resetPassword: vi.fn().mockReturnValue({ userId: 1 }) } as Partial<AuthService>), rl()).resetPassword({}, req)).toEqual({ success: true });
  });

+  it('app-config forwards the optional user (present and absent)', () => {
+    const getAppConfig = vi.fn().mockReturnValue({ version: '3' });
+    const c = new AuthPublicController(asvc({ getAppConfig } as Partial<AuthService>), rl());
+    expect(c.appConfig({ user } as unknown as Request)).toEqual({ version: '3' });
+    expect(getAppConfig).toHaveBeenLastCalledWith(user);
+    expect(c.appConfig({} as Request)).toEqual({ version: '3' });
+    expect(getAppConfig).toHaveBeenLastCalledWith(undefined);
+  });
+
+  it('invite maps a service error', () => {
+    const c = new AuthPublicController(asvc({ validateInviteToken: vi.fn().mockReturnValue({ error: 'Expired', status: 410 }) } as Partial<AuthService>), rl());
+    expect(thrown(() => c.invite('tok', req))).toEqual({ status: 410, body: { error: 'Expired' } });
+  });
+
+  it('login takes the mfa-required branch and never sets a cookie', async () => {
+    const setAuthCookie = vi.fn();
+    const c = new AuthPublicController(asvc({ loginUser: vi.fn().mockReturnValue({ mfa_required: true, mfa_token: 'mt', auditAction: 'user.login_mfa' }), setAuthCookie } as Partial<AuthService>), rl());
+    expect(await c.login({}, req, res)).toEqual({ mfa_required: true, mfa_token: 'mt' });
+    expect(setAuthCookie).not.toHaveBeenCalled();
+    expect(writeAudit).toHaveBeenCalledWith(expect.objectContaining({ action: 'user.login_mfa' }));
+  }, 10000);
+
+  it('forgot-password: non-issued reason and a delivery failure both still return ok', async () => {
+    // Non-issued (unknown email / throttled): audits the reason, no email sent.
+    const sendNever = vi.fn();
+    const skip = new AuthPublicController(asvc({ requestPasswordReset: vi.fn().mockReturnValue({ reason: 'not_found', userId: null }), sendPasswordResetEmail: sendNever } as Partial<AuthService>), rl());
+    expect(await skip.forgotPassword({ email: 'x@y.z' }, req)).toEqual({ ok: true });
+    expect(sendNever).not.toHaveBeenCalled();
+    expect(writeAudit).toHaveBeenCalledWith(expect.objectContaining({ action: 'user.password_reset_request', details: { reason: 'not_found' } }));
+    // Issued but the mailer throws: swallowed, audited as failed, still ok.
+    const boom = vi.fn().mockRejectedValue(new Error('smtp'));
+    const fail = new AuthPublicController(asvc({ requestPasswordReset: vi.fn().mockReturnValue({ reason: 'issued', tokenForDelivery: 'rt', userEmail: 'a@b.c', userId: 1 }), sendPasswordResetEmail: boom } as Partial<AuthService>), rl());
+    expect(await fail.forgotPassword({ email: 'a@b.c' }, req)).toEqual({ ok: true });
+    expect(writeAudit).toHaveBeenCalledWith(expect.objectContaining({ details: { delivered: 'failed' } }));
+  }, 10000);
+
+  it('forgot-password ignores a non-string email body', async () => {
+    const requestPasswordReset = vi.fn().mockReturnValue({ reason: 'not_found', userId: null });
+    const c = new AuthPublicController(asvc({ requestPasswordReset } as Partial<AuthService>), rl());
+    expect(await c.forgotPassword({ email: 42 } as { email?: unknown }, req)).toEqual({ ok: true });
+    expect(requestPasswordReset).toHaveBeenCalledWith('', expect.any(String));
+  }, 10000);
+
+  it('reset-password 429 once the dedicated reset bucket is exhausted', () => {
+    const s = rl();
+    const now = Date.now();
+    for (let i = 0; i < 5; i++) s.check('reset', '9.9.9.9', 5, 15 * 60 * 1000, now);
+    const c = new AuthPublicController(asvc({ resetPassword: vi.fn() } as Partial<AuthService>), s);
+    expect(thrown(() => c.resetPassword({}, req))).toEqual({ status: 429, body: { error: 'Too many attempts. Please try again later.' } });
+  });
+
+  it('mfa/verify-login maps a service error', () => {
+    const c = new AuthPublicController(asvc({ verifyMfaLogin: vi.fn().mockReturnValue({ error: 'Bad code', status: 401 }) } as Partial<AuthService>), rl());
+    expect(thrown(() => c.verifyMfaLogin({}, req, res))).toEqual({ status: 401, body: { error: 'Bad code' } });
+  });
+
+  it('demo-login + register + invite throw 429 when the login bucket is exhausted', () => {
+    const s = rl();
+    const now = Date.now();
+    for (let i = 0; i < 10; i++) s.check('login', '9.9.9.9', 10, 15 * 60 * 1000, now);
+    const c = new AuthPublicController(asvc({ registerUser: vi.fn(), validateInviteToken: vi.fn() } as Partial<AuthService>), s);
+    expect(thrown(() => c.register({}, req, res))).toEqual({ status: 429, body: { error: 'Too many attempts. Please try again later.' } });
+    expect(thrown(() => c.invite('t', req))).toEqual({ status: 429, body: { error: 'Too many attempts. Please try again later.' } });
+  });
+
  it('mfa/verify-login sets cookie + audits; logout clears cookie', () => {
    const setAuthCookie = vi.fn();
    const c = new AuthPublicController(asvc({ verifyMfaLogin: vi.fn().mockReturnValue({ token: 'tk', user, auditUserId: 1 }), setAuthCookie } as Partial<AuthService>), rl());
@@ -166,4 +244,88 @@ describe('AuthController (authenticated)', () => {
    const c = new AuthController(asvc({ changePassword: vi.fn() } as Partial<AuthService>), s);
    expect(thrown(() => c.changePassword(user, {}, req))).toEqual({ status: 429, body: { error: 'Too many attempts. Please try again later.' } });
  });
+
+  it('change-password refreshes this device cookie when the service returns a token', () => {
+    const setAuthCookie = vi.fn();
+    const c = new AuthController(asvc({ changePassword: vi.fn().mockReturnValue({ token: 'tk2' }), setAuthCookie } as Partial<AuthService>), rl());
+    expect(c.changePassword(user, {}, req, res)).toEqual({ success: true });
+    expect(setAuthCookie).toHaveBeenCalledWith(res, 'tk2', req);
+  });
+
+  it('delete-account maps error, else audits and succeeds', () => {
+    expect(thrown(() => new AuthController(asvc({ deleteAccount: vi.fn().mockReturnValue({ error: 'Last admin', status: 403 }) } as Partial<AuthService>), rl()).deleteAccount(user, req))).toEqual({ status: 403, body: { error: 'Last admin' } });
+    expect(new AuthController(asvc({ deleteAccount: vi.fn().mockReturnValue({}) } as Partial<AuthService>), rl()).deleteAccount(user, req)).toEqual({ success: true });
+    expect(writeAudit).toHaveBeenCalledWith(expect.objectContaining({ action: 'user.account_delete' }));
+  });
+
+  it('maps-key + api-keys pass straight through to the service', () => {
+    const updateMapsKey = vi.fn().mockReturnValue({ success: true });
+    expect(new AuthController(asvc({ updateMapsKey } as Partial<AuthService>), rl()).mapsKey(user, { maps_api_key: 'k' })).toEqual({ success: true });
+    expect(updateMapsKey).toHaveBeenCalledWith(1, 'k');
+    const updateApiKeys = vi.fn().mockReturnValue({ ok: 1 });
+    expect(new AuthController(asvc({ updateApiKeys } as Partial<AuthService>), rl()).apiKeys(user, { a: 1 })).toEqual({ ok: 1 });
+  });
+
+  it('update-settings + get-settings map errors, else return their payloads', () => {
+    expect(thrown(() => new AuthController(asvc({ updateSettings: vi.fn().mockReturnValue({ error: 'Bad', status: 400 }) } as Partial<AuthService>), rl()).updateSettings(user, {}))).toEqual({ status: 400, body: { error: 'Bad' } });
+    expect(new AuthController(asvc({ updateSettings: vi.fn().mockReturnValue({ success: true, user: { id: 1 } }) } as Partial<AuthService>), rl()).updateSettings(user, {})).toEqual({ success: true, user: { id: 1 } });
+    expect(thrown(() => new AuthController(asvc({ getSettings: vi.fn().mockReturnValue({ error: 'Nope', status: 404 }) } as Partial<AuthService>), rl()).getSettings(user))).toEqual({ status: 404, body: { error: 'Nope' } });
+    expect(new AuthController(asvc({ getSettings: vi.fn().mockReturnValue({ settings: { theme: 'dark' } }) } as Partial<AuthService>), rl()).getSettings(user)).toEqual({ settings: { theme: 'dark' } });
+  });
+
+  it('delete-avatar + users + travel-stats delegate to the service', async () => {
+    const deleteAvatar = vi.fn().mockResolvedValue({ removed: true });
+    expect(await new AuthController(asvc({ deleteAvatar } as Partial<AuthService>), rl()).deleteAvatar(user)).toEqual({ removed: true });
+    const listUsers = vi.fn().mockReturnValue([{ id: 1 }]);
+    expect(new AuthController(asvc({ listUsers } as Partial<AuthService>), rl()).users(user)).toEqual({ users: [{ id: 1 }] });
+    expect(listUsers).toHaveBeenCalledWith(1);
+    const getTravelStats = vi.fn().mockReturnValue({ countries: 3 });
+    expect(new AuthController(asvc({ getTravelStats } as Partial<AuthService>), rl()).travelStats(user)).toEqual({ countries: 3 });
+  });
+
+  it('validate-keys maps error, else returns the maps/weather payload', async () => {
+    expect(await thrownAsync(() => new AuthController(asvc({ validateKeys: vi.fn().mockResolvedValue({ error: 'fail', status: 502 }) } as Partial<AuthService>), rl()).validateKeys(user))).toEqual({ status: 502, body: { error: 'fail' } });
+    const ok = new AuthController(asvc({ validateKeys: vi.fn().mockResolvedValue({ maps: true, weather: false, maps_details: { ok: 1 } }) } as Partial<AuthService>), rl());
+    expect(await ok.validateKeys(user)).toEqual({ maps: true, weather: false, maps_details: { ok: 1 } });
+  });
+
+  it('app-settings get maps error, else returns data; put maps error, else audits', () => {
+    expect(thrown(() => new AuthController(asvc({ getAppSettings: vi.fn().mockReturnValue({ error: 'denied', status: 403 }) } as Partial<AuthService>), rl()).getAppSettings(user))).toEqual({ status: 403, body: { error: 'denied' } });
+    expect(new AuthController(asvc({ getAppSettings: vi.fn().mockReturnValue({ data: { x: 1 } }) } as Partial<AuthService>), rl()).getAppSettings(user)).toEqual({ x: 1 });
+    expect(thrown(() => new AuthController(asvc({ updateAppSettings: vi.fn().mockReturnValue({ error: 'bad', status: 400 }) } as Partial<AuthService>), rl()).updateAppSettings(user, {}, req))).toEqual({ status: 400, body: { error: 'bad' } });
+    expect(new AuthController(asvc({ updateAppSettings: vi.fn().mockReturnValue({ auditSummary: 's', auditDebugDetails: 'd' }) } as Partial<AuthService>), rl()).updateAppSettings(user, {}, req)).toEqual({ success: true });
+    expect(writeAudit).toHaveBeenCalledWith(expect.objectContaining({ action: 'settings.app_update' }));
+  });
+
+  it('mfa/setup maps a service error before ever awaiting the QR promise', async () => {
+    const c = new AuthController(asvc({ setupMfa: vi.fn().mockReturnValue({ error: 'already on', status: 409 }) } as Partial<AuthService>), rl());
+    expect(await thrownAsync(() => c.mfaSetup(user))).toEqual({ status: 409, body: { error: 'already on' } });
+  });
+
+  it('mfa/enable + mfa/disable map errors', () => {
+    expect(thrown(() => new AuthController(asvc({ enableMfa: vi.fn().mockReturnValue({ error: 'Invalid code', status: 400 }) } as Partial<AuthService>), rl()).mfaEnable(user, { code: 'x' }, req))).toEqual({ status: 400, body: { error: 'Invalid code' } });
+    expect(thrown(() => new AuthController(asvc({ disableMfa: vi.fn().mockReturnValue({ error: 'Wrong', status: 401 }) } as Partial<AuthService>), rl()).mfaDisable(user, {}, req))).toEqual({ status: 401, body: { error: 'Wrong' } });
+    const ok = new AuthController(asvc({ disableMfa: vi.fn().mockReturnValue({ mfa_enabled: false }) } as Partial<AuthService>), rl());
+    expect(ok.mfaDisable(user, {}, req)).toEqual({ success: true, mfa_enabled: false });
+    expect(writeAudit).toHaveBeenCalledWith(expect.objectContaining({ action: 'user.mfa_disable' }));
+  });
+
+  it('mcp-tokens list + create error + delete error/success', () => {
+    expect(new AuthController(asvc({ listMcpTokens: vi.fn().mockReturnValue([{ id: 't' }]) } as Partial<AuthService>), rl()).listMcpTokens(user)).toEqual({ tokens: [{ id: 't' }] });
+    expect(thrown(() => new AuthController(asvc({ createMcpToken: vi.fn().mockReturnValue({ error: 'Name taken', status: 409 }) } as Partial<AuthService>), rl()).createMcpToken(user, { name: 'x' }, req))).toEqual({ status: 409, body: { error: 'Name taken' } });
+    expect(thrown(() => new AuthController(asvc({ deleteMcpToken: vi.fn().mockReturnValue({ error: 'Not found', status: 404 }) } as Partial<AuthService>), rl()).deleteMcpToken(user, 'tid'))).toEqual({ status: 404, body: { error: 'Not found' } });
+    expect(new AuthController(asvc({ deleteMcpToken: vi.fn().mockReturnValue({}) } as Partial<AuthService>), rl()).deleteMcpToken(user, 'tid')).toEqual({ success: true });
+  });
+
+  it('ws-token maps error, else returns the token', () => {
+    expect(thrown(() => new AuthController(asvc({ createWsToken: vi.fn().mockReturnValue({ error: 'down', status: 503 }) } as Partial<AuthService>), rl()).wsToken(user))).toEqual({ status: 503, body: { error: 'down' } });
+    expect(new AuthController(asvc({ createWsToken: vi.fn().mockReturnValue({ token: 'ws' }) } as Partial<AuthService>), rl()).wsToken(user)).toEqual({ token: 'ws' });
+  });
+
+  it('avatar saves when not in demo mode (env present but email is not a demo email)', async () => {
+    process.env.DEMO_MODE = 'true';
+    vi.mocked(isDemoEmail).mockReturnValue(false);
+    const saveAvatar = vi.fn().mockResolvedValue({ avatar: '/b.png' });
+    expect(await new AuthController(asvc({ saveAvatar } as Partial<AuthService>), rl()).avatar(user, { filename: 'b.png' } as Express.Multer.File)).toEqual({ avatar: '/b.png' });
+  });
 });
@@ -3,13 +3,31 @@ import { HttpException } from '@nestjs/common';
 import type { Request, Response } from 'express';

 vi.mock('../../../src/services/auditLog', () => ({ writeAudit: vi.fn(), getClientIp: vi.fn(() => '1.2.3.4') }));
-// The controller imports the tmp-dir + size cap at module load.
-vi.mock('../../../src/services/backupService', () => ({ getUploadTmpDir: () => '/tmp', MAX_BACKUP_UPLOAD_SIZE: 1024 }));
+// The controller imports the tmp-dir + size cap at module load. The thin
+// BackupService wrapper forwards every call straight into this module, so the
+// mock also stubs the delegated functions for the wrapper tests below.
+vi.mock('../../../src/services/backupService', () => ({
+  getUploadTmpDir: () => '/tmp',
+  MAX_BACKUP_UPLOAD_SIZE: 1024,
+  BACKUP_RATE_WINDOW: 3600000,
+  listBackups: vi.fn().mockReturnValue([{ filename: 'svc.zip' }]),
+  createBackup: vi.fn().mockResolvedValue({ filename: 'svc.zip', size: 5 }),
+  restoreFromZip: vi.fn().mockResolvedValue({ success: true }),
+  getAutoSettings: vi.fn().mockReturnValue({ settings: { enabled: false }, timezone: 'UTC' }),
+  updateAutoSettings: vi.fn().mockReturnValue({ enabled: true, interval: 'daily', keep_days: 7 }),
+  deleteBackup: vi.fn(),
+  isValidBackupFilename: vi.fn().mockReturnValue(true),
+  backupFilePath: vi.fn().mockReturnValue('/data/backups/svc.zip'),
+  backupFileExists: vi.fn().mockReturnValue(true),
+  checkRateLimit: vi.fn().mockReturnValue(true),
+}));

 import { BackupController } from '../../../src/nest/backup/backup.controller';
+import { BackupService as RealBackupService } from '../../../src/nest/backup/backup.service';
 import { AdminGuard } from '../../../src/nest/auth/admin.guard';
 import type { BackupService } from '../../../src/nest/backup/backup.service';
 import { writeAudit } from '../../../src/services/auditLog';
+import * as backupSvc from '../../../src/services/backupService';
 import type { User } from '../../../src/types';

 const user = { id: 1, role: 'admin', email: 'a@example.test' } as User;
@@ -86,12 +104,17 @@ describe('BackupController', () => {

  it('POST /restore maps the service status, else audits', async () => {
    expect(await thrownAsync(() => new BackupController(svc({ isValidBackupFilename: vi.fn().mockReturnValue(false) })).restore(user, 'x', req))).toEqual({ status: 400, body: { error: 'Invalid filename' } });
+    expect(await thrownAsync(() => new BackupController(svc({ backupFileExists: vi.fn().mockReturnValue(false) })).restore(user, 'x.zip', req))).toEqual({ status: 404, body: { error: 'Backup not found' } });
    expect(await thrownAsync(() => new BackupController(svc({ restoreFromZip: vi.fn().mockResolvedValue({ success: false, status: 422, error: 'bad zip' }) } as Partial<BackupService>)).restore(user, 'x.zip', req))).toEqual({ status: 422, body: { error: 'bad zip' } });
    const res = await new BackupController(svc({ restoreFromZip: vi.fn().mockResolvedValue({ success: true }) } as Partial<BackupService>)).restore(user, 'x.zip', req);
    expect(res).toEqual({ success: true });
    expect(writeAudit).toHaveBeenCalledWith(expect.objectContaining({ action: 'backup.restore', resource: 'x.zip' }));
  });

+  it('POST /restore falls back to status 400 when the service omits one', async () => {
+    expect(await thrownAsync(() => new BackupController(svc({ restoreFromZip: vi.fn().mockResolvedValue({ success: false, error: 'nope' }) } as Partial<BackupService>)).restore(user, 'x.zip', req))).toEqual({ status: 400, body: { error: 'nope' } });
+  });
+
  it('POST /upload-restore 400 without a file, cleans up the tmp file', async () => {
    expect(await thrownAsync(() => new BackupController(svc()).uploadRestore(user, undefined, req))).toEqual({ status: 400, body: { error: 'No file uploaded' } });
  });
@@ -108,6 +131,14 @@ describe('BackupController', () => {
    expect(await thrownAsync(() => new BackupController(svc({ restoreFromZip: vi.fn().mockResolvedValue({ success: false, status: 422, error: 'bad' }) } as Partial<BackupService>)).uploadRestore(user, file, req))).toEqual({ status: 422, body: { error: 'bad' } });
  });

+  it('POST /upload-restore falls back to a default name and maps unexpected errors to 500', async () => {
+    const file = { path: '/tmp/does-not-exist-xyz.zip', originalname: '' } as Express.Multer.File;
+    expect(await thrownAsync(() => new BackupController(svc({ restoreFromZip: vi.fn().mockRejectedValue(new Error('boom')) } as Partial<BackupService>)).uploadRestore(user, file, req))).toEqual({ status: 500, body: { error: 'Error restoring backup' } });
+    const ok = { path: '/tmp/does-not-exist-xyz.zip', originalname: '' } as Express.Multer.File;
+    await new BackupController(svc({ restoreFromZip: vi.fn().mockResolvedValue({ success: true }) } as Partial<BackupService>)).uploadRestore(user, ok, req);
+    expect(writeAudit).toHaveBeenCalledWith(expect.objectContaining({ action: 'backup.upload_restore', resource: 'upload.zip' }));
+  });
+
  it('maps unexpected service errors to 500 (create, restore, auto-settings)', async () => {
    vi.spyOn(console, 'error').mockImplementation(() => {});
    expect(await thrownAsync(() => new BackupController(svc({ createBackup: vi.fn().mockRejectedValue(new Error('disk')) } as Partial<BackupService>)).create(user, req))).toEqual({ status: 500, body: { error: 'Error creating backup' } });
@@ -123,6 +154,20 @@ describe('BackupController', () => {
    expect(r.body).toEqual({ error: 'Could not save auto-backup settings', detail: 'parse fail' });
  });

+  it('PUT /auto-settings hides the detail in production and stringifies non-Error throws', () => {
+    vi.spyOn(console, 'error').mockImplementation(() => {});
+    process.env.NODE_ENV = 'production';
+    const r = thrown(() => new BackupController(svc({ updateAutoSettings: vi.fn(() => { throw 'plain string'; }) } as Partial<BackupService>)).updateAutoSettings(user, {}, req));
+    expect(r.status).toBe(500);
+    expect(r.body).toEqual({ error: 'Could not save auto-backup settings', detail: undefined });
+  });
+
+  it('PUT /auto-settings tolerates a missing body', () => {
+    const updateAutoSettings = vi.fn().mockReturnValue({ enabled: false, interval: 'weekly', keep_days: 30 });
+    new BackupController(svc({ updateAutoSettings } as Partial<BackupService>)).updateAutoSettings(user, undefined as unknown as Record<string, unknown>, req);
+    expect(updateAutoSettings).toHaveBeenCalledWith({});
+  });
+
  it('GET/PUT /auto-settings', () => {
    expect(new BackupController(svc({ getAutoSettings: vi.fn().mockReturnValue({ settings: { enabled: true }, timezone: 'UTC' }) } as Partial<BackupService>)).autoSettings()).toEqual({ settings: { enabled: true }, timezone: 'UTC' });
    const res = new BackupController(svc({ updateAutoSettings: vi.fn().mockReturnValue({ enabled: true, interval: 'daily', keep_days: 7 }) } as Partial<BackupService>)).updateAutoSettings(user, { enabled: true }, req);
@@ -138,3 +183,50 @@ describe('BackupController', () => {
    expect(deleteBackup).toHaveBeenCalledWith('x.zip');
  });
 });
+
+describe('BackupService (wrapper)', () => {
+  const wrapper = new RealBackupService();
+
+  it('forwards every call straight to the legacy backup service', async () => {
+    expect(wrapper.listBackups()).toEqual([{ filename: 'svc.zip' }]);
+    expect(backupSvc.listBackups).toHaveBeenCalled();
+
+    await expect(wrapper.createBackup()).resolves.toEqual({ filename: 'svc.zip', size: 5 });
+    expect(backupSvc.createBackup).toHaveBeenCalled();
+
+    await expect(wrapper.restoreFromZip('/tmp/a.zip')).resolves.toEqual({ success: true });
+    expect(backupSvc.restoreFromZip).toHaveBeenCalledWith('/tmp/a.zip');
+
+    expect(wrapper.getAutoSettings()).toEqual({ settings: { enabled: false }, timezone: 'UTC' });
+    expect(backupSvc.getAutoSettings).toHaveBeenCalled();
+
+    expect(wrapper.updateAutoSettings({ enabled: true })).toEqual({ enabled: true, interval: 'daily', keep_days: 7 });
+    expect(backupSvc.updateAutoSettings).toHaveBeenCalledWith({ enabled: true });
+
+    wrapper.deleteBackup('svc.zip');
+    expect(backupSvc.deleteBackup).toHaveBeenCalledWith('svc.zip');
+
+    expect(wrapper.isValidBackupFilename('svc.zip')).toBe(true);
+    expect(backupSvc.isValidBackupFilename).toHaveBeenCalledWith('svc.zip');
+
+    expect(wrapper.backupFilePath('svc.zip')).toBe('/data/backups/svc.zip');
+    expect(backupSvc.backupFilePath).toHaveBeenCalledWith('svc.zip');
+
+    expect(wrapper.backupFileExists('svc.zip')).toBe(true);
+    expect(backupSvc.backupFileExists).toHaveBeenCalledWith('svc.zip');
+
+    expect(wrapper.checkRateLimit('ip', 3, 1000)).toBe(true);
+    expect(backupSvc.checkRateLimit).toHaveBeenCalledWith('ip', 3, 1000);
+  });
+
+  it('exposes the legacy rate window', () => {
+    expect(wrapper.rateWindow).toBe(backupSvc.BACKUP_RATE_WINDOW);
+  });
+});
+
+describe('BackupModule', () => {
+  it('wires the controller and service together', async () => {
+    const { BackupModule } = await import('../../../src/nest/backup/backup.module');
+    expect(new BackupModule()).toBeInstanceOf(BackupModule);
+  });
+});
@@ -42,12 +42,75 @@ describe('BudgetController (parity with the legacy /api/trips/:tripId/budget rou
  });

  it('GET /summary/per-person + /settlement delegate', () => {
+    const settlement = vi.fn().mockReturnValue({ transfers: [] });
    const svc = makeService({
      perPersonSummary: vi.fn().mockReturnValue([{ userId: 1, owes: 10 }]),
-      settlement: vi.fn().mockReturnValue({ transfers: [] }),
+      settlement,
    } as Partial<BudgetService>);
    expect(new BudgetController(svc).perPerson(user, '5')).toEqual({ summary: [{ userId: 1, owes: 10 }] });
    expect(new BudgetController(svc).settlement(user, '5')).toEqual({ transfers: [] });
+    expect(settlement).toHaveBeenLastCalledWith('5', undefined, 'EUR');
+  });
+
+  it('GET /settlement forwards the base query and the trip currency', () => {
+    const settlement = vi.fn().mockReturnValue({ transfers: [] });
+    const svc = makeService({
+      verifyTripAccess: vi.fn().mockReturnValue({ id: 5, user_id: 1, currency: 'USD' }),
+      settlement,
+    } as Partial<BudgetService>);
+    new BudgetController(svc).settlement(user, '5', 'GBP');
+    expect(settlement).toHaveBeenCalledWith('5', 'GBP', 'USD');
+  });
+
+  describe('settlements ledger', () => {
+    it('GET /settlements lists', () => {
+      const svc = makeService({ listSettlements: vi.fn().mockReturnValue([{ id: 1 }]) } as Partial<BudgetService>);
+      expect(new BudgetController(svc).listSettlements(user, '5')).toEqual({ settlements: [{ id: 1 }] });
+    });
+
+    it('POST /settlements 403 without budget_edit', () => {
+      const svc = makeService({ canEdit: vi.fn().mockReturnValue(false) });
+      expect(thrown(() => new BudgetController(svc).createSettlement(user, '5', { from_user_id: 1, to_user_id: 2, amount: 10 }))).toEqual({
+        status: 403, body: { error: 'No permission' },
+      });
+    });
+
+    it('POST /settlements 400 when a field is missing', () => {
+      const svc = makeService();
+      expect(thrown(() => new BudgetController(svc).createSettlement(user, '5', { from_user_id: 1, to_user_id: 2 }))).toEqual({
+        status: 400, body: { error: 'from_user_id, to_user_id and amount are required' },
+      });
+      expect(thrown(() => new BudgetController(svc).createSettlement(user, '5', { from_user_id: 1, amount: 5 }))).toEqual({
+        status: 400, body: { error: 'from_user_id, to_user_id and amount are required' },
+      });
+      expect(thrown(() => new BudgetController(svc).createSettlement(user, '5', { to_user_id: 2, amount: 5 }))).toEqual({
+        status: 400, body: { error: 'from_user_id, to_user_id and amount are required' },
+      });
+    });
+
+    it('POST /settlements creates and broadcasts (amount 0 is allowed)', () => {
+      const createSettlement = vi.fn().mockReturnValue({ id: 3, amount: 0 });
+      const broadcast = vi.fn();
+      const svc = makeService({ createSettlement, broadcast } as Partial<BudgetService>);
+      const res = new BudgetController(svc).createSettlement(user, '5', { from_user_id: 1, to_user_id: 2, amount: 0 }, 'sock');
+      expect(res).toEqual({ settlement: { id: 3, amount: 0 } });
+      expect(createSettlement).toHaveBeenCalledWith('5', { from_user_id: 1, to_user_id: 2, amount: 0 }, user.id);
+      expect(broadcast).toHaveBeenCalledWith('5', 'budget:settlement-created', { settlement: { id: 3, amount: 0 } }, 'sock');
+    });
+
+    it('DELETE /settlements/:id 404 when missing', () => {
+      const svc = makeService({ deleteSettlement: vi.fn().mockReturnValue(false) } as Partial<BudgetService>);
+      expect(thrown(() => new BudgetController(svc).deleteSettlement(user, '5', '7'))).toEqual({
+        status: 404, body: { error: 'Settlement not found' },
+      });
+    });
+
+    it('DELETE /settlements/:id success broadcasts the numeric id', () => {
+      const broadcast = vi.fn();
+      const svc = makeService({ deleteSettlement: vi.fn().mockReturnValue(true), broadcast } as Partial<BudgetService>);
+      expect(new BudgetController(svc).deleteSettlement(user, '5', '7', 'sock')).toEqual({ success: true });
+      expect(broadcast).toHaveBeenCalledWith('5', 'budget:settlement-deleted', { settlementId: 7 }, 'sock');
+    });
  });

  describe('POST /', () => {
@@ -124,6 +187,31 @@ describe('BudgetController (parity with the legacy /api/trips/:tripId/budget rou
    });
  });

+  describe('PUT /:id/payers', () => {
+    it('400 when payers is not an array', () => {
+      expect(thrown(() => new BudgetController(makeService()).setPayers(user, '5', '9', 'nope'))).toEqual({
+        status: 400, body: { error: 'payers must be an array' },
+      });
+    });
+
+    it('404 when the item is missing', () => {
+      const svc = makeService({ setPayers: vi.fn().mockReturnValue(null) } as Partial<BudgetService>);
+      expect(thrown(() => new BudgetController(svc).setPayers(user, '5', '9', [{ user_id: 2, amount: 10 }]))).toEqual({
+        status: 404, body: { error: 'Budget item not found' },
+      });
+    });
+
+    it('sets payers and broadcasts budget:updated', () => {
+      const setPayers = vi.fn().mockReturnValue({ id: 9, payers: [{ user_id: 2, amount: 10 }] });
+      const broadcast = vi.fn();
+      const svc = makeService({ setPayers, broadcast } as Partial<BudgetService>);
+      const res = new BudgetController(svc).setPayers(user, '5', '9', [{ user_id: 2, amount: 10 }], 'sock');
+      expect(res).toEqual({ item: { id: 9, payers: [{ user_id: 2, amount: 10 }] } });
+      expect(setPayers).toHaveBeenCalledWith('9', '5', [{ user_id: 2, amount: 10 }]);
+      expect(broadcast).toHaveBeenCalledWith('5', 'budget:updated', { item: { id: 9, payers: [{ user_id: 2, amount: 10 }] } }, 'sock');
+    });
+  });
+
  it('PUT /:id/members/:userId/paid toggles + broadcasts normalised paid flag', () => {
    const toggleMemberPaid = vi.fn().mockReturnValue({ user_id: 2, paid: 1 });
    const broadcast = vi.fn();
@@ -132,6 +220,14 @@ describe('BudgetController (parity with the legacy /api/trips/:tripId/budget rou
    expect(broadcast).toHaveBeenCalledWith('5', 'budget:member-paid-updated', { itemId: 9, userId: 2, paid: 1 }, 'sock');
  });

+  it('PUT /:id/members/:userId/paid broadcasts paid: 0 when toggled off', () => {
+    const toggleMemberPaid = vi.fn().mockReturnValue({ user_id: 2, paid: 0 });
+    const broadcast = vi.fn();
+    const svc = makeService({ toggleMemberPaid, broadcast } as Partial<BudgetService>);
+    new BudgetController(svc).toggleMemberPaid(user, '5', '9', '2', false, 'sock');
+    expect(broadcast).toHaveBeenCalledWith('5', 'budget:member-paid-updated', { itemId: 9, userId: 2, paid: 0 }, 'sock');
+  });
+
  it('DELETE /:id 404 when missing, success otherwise', () => {
    const missing = makeService({ remove: vi.fn().mockReturnValue(false) } as Partial<BudgetService>);
    expect(thrown(() => new BudgetController(missing).remove(user, '5', '9'))).toEqual({
@@ -0,0 +1,165 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+
+// Mock the data + side-effect dependencies the wrapper reaches into directly.
+const { dbMock } = vi.hoisted(() => {
+  const stmt = { get: vi.fn(), all: vi.fn(() => []), run: vi.fn() };
+  return { dbMock: { prepare: vi.fn(() => stmt), _stmt: stmt } };
+});
+vi.mock('../../../src/db/database', () => ({ db: dbMock, closeDb: () => {}, reinitialize: () => {} }));
+
+const { broadcast } = vi.hoisted(() => ({ broadcast: vi.fn() }));
+vi.mock('../../../src/websocket', () => ({ broadcast }));
+
+const { checkPermission } = vi.hoisted(() => ({ checkPermission: vi.fn(() => true) }));
+vi.mock('../../../src/services/permissions', () => ({ checkPermission }));
+
+const { getRates } = vi.hoisted(() => ({ getRates: vi.fn() }));
+vi.mock('../../../src/services/exchangeRateService', () => ({ getRates }));
+
+const { budget } = vi.hoisted(() => ({
+  budget: {
+    verifyTripAccess: vi.fn(),
+    listBudgetItems: vi.fn(),
+    getPerPersonSummary: vi.fn(),
+    calculateSettlement: vi.fn(),
+    createBudgetItem: vi.fn(),
+    updateBudgetItem: vi.fn(),
+    deleteBudgetItem: vi.fn(),
+    updateMembers: vi.fn(),
+    toggleMemberPaid: vi.fn(),
+    setItemPayers: vi.fn(),
+    listSettlements: vi.fn(),
+    createSettlement: vi.fn(),
+    deleteSettlement: vi.fn(),
+    reorderBudgetItems: vi.fn(),
+    reorderBudgetCategories: vi.fn(),
+  },
+}));
+vi.mock('../../../src/services/budgetService', () => budget);
+
+import { BudgetService } from '../../../src/nest/budget/budget.service';
+
+function svc() {
+  return new BudgetService();
+}
+
+beforeEach(() => {
+  vi.clearAllMocks();
+  vi.spyOn(console, 'error').mockImplementation(() => {});
+});
+
+describe('BudgetService', () => {
+  it('verifyTripAccess delegates to the legacy service', () => {
+    budget.verifyTripAccess.mockReturnValue({ id: 5, user_id: 2 });
+    expect(svc().verifyTripAccess('5', 2)).toEqual({ id: 5, user_id: 2 });
+    expect(budget.verifyTripAccess).toHaveBeenCalledWith('5', 2);
+  });
+
+  it('canEdit forwards the ownership flag when the user owns the trip', () => {
+    checkPermission.mockReturnValue(true);
+    expect(svc().canEdit({ user_id: 1 } as never, { id: 1, role: 'user' } as never)).toBe(true);
+    expect(checkPermission).toHaveBeenCalledWith('budget_edit', 'user', 1, 1, false);
+  });
+
+  it('canEdit marks the user as a guest when they do not own the trip', () => {
+    checkPermission.mockReturnValue(false);
+    expect(svc().canEdit({ user_id: 2 } as never, { id: 1, role: 'user' } as never)).toBe(false);
+    expect(checkPermission).toHaveBeenCalledWith('budget_edit', 'user', 2, 1, true);
+  });
+
+  it('broadcast forwards to the websocket helper', () => {
+    svc().broadcast('5', 'budget:created', { item: { id: 1 } }, 'sock');
+    expect(broadcast).toHaveBeenCalledWith('5', 'budget:created', { item: { id: 1 } }, 'sock');
+  });
+
+  it('list / perPersonSummary delegate', () => {
+    budget.listBudgetItems.mockReturnValue([{ id: 1 }]);
+    expect(svc().list('5')).toEqual([{ id: 1 }]);
+    budget.getPerPersonSummary.mockReturnValue([{ userId: 1 }]);
+    expect(svc().perPersonSummary('5')).toEqual([{ userId: 1 }]);
+  });
+
+  describe('settlement', () => {
+    it('upper-cases the explicit base and forwards the rates', async () => {
+      getRates.mockResolvedValue({ USD: 1.1 });
+      budget.calculateSettlement.mockReturnValue({ transfers: [] });
+      await svc().settlement('5', 'usd', 'EUR');
+      expect(getRates).toHaveBeenCalledWith('USD');
+      expect(budget.calculateSettlement).toHaveBeenCalledWith('5', { base: 'USD', rates: { USD: 1.1 }, tripCurrency: 'EUR' });
+    });
+
+    it('falls back to the trip currency when no base is given', async () => {
+      getRates.mockResolvedValue(null);
+      await svc().settlement('5', undefined, 'gbp');
+      expect(getRates).toHaveBeenCalledWith('GBP');
+      expect(budget.calculateSettlement).toHaveBeenCalledWith('5', { base: 'GBP', rates: null, tripCurrency: 'gbp' });
+    });
+
+    it('falls back to EUR when neither base nor trip currency is present', async () => {
+      getRates.mockResolvedValue(null);
+      await svc().settlement('5', undefined, '');
+      expect(getRates).toHaveBeenCalledWith('EUR');
+      expect(budget.calculateSettlement).toHaveBeenCalledWith('5', { base: 'EUR', rates: null, tripCurrency: '' });
+    });
+  });
+
+  it('create / update / remove / members / paid / payers delegate', () => {
+    svc().create('5', { name: 'Hotel' } as never);
+    expect(budget.createBudgetItem).toHaveBeenCalledWith('5', { name: 'Hotel' });
+    svc().update('9', '5', { name: 'X' });
+    expect(budget.updateBudgetItem).toHaveBeenCalledWith('9', '5', { name: 'X' });
+    svc().remove('9', '5');
+    expect(budget.deleteBudgetItem).toHaveBeenCalledWith('9', '5');
+    svc().updateMembers('9', '5', [2, 3]);
+    expect(budget.updateMembers).toHaveBeenCalledWith('9', '5', [2, 3]);
+    svc().toggleMemberPaid('9', '5', '2', true);
+    expect(budget.toggleMemberPaid).toHaveBeenCalledWith('9', '5', '2', true);
+    svc().setPayers('9', '5', [{ user_id: 2, amount: 10 }]);
+    expect(budget.setItemPayers).toHaveBeenCalledWith('9', '5', [{ user_id: 2, amount: 10 }]);
+  });
+
+  it('settlement ledger + reorder delegate', () => {
+    svc().listSettlements('5');
+    expect(budget.listSettlements).toHaveBeenCalledWith('5');
+    svc().createSettlement('5', { from_user_id: 1, to_user_id: 2, amount: 10 }, 3);
+    expect(budget.createSettlement).toHaveBeenCalledWith('5', { from_user_id: 1, to_user_id: 2, amount: 10 }, 3);
+    svc().deleteSettlement('7', '5');
+    expect(budget.deleteSettlement).toHaveBeenCalledWith('7', '5');
+    svc().reorderItems('5', [3, 1]);
+    expect(budget.reorderBudgetItems).toHaveBeenCalledWith('5', [3, 1]);
+    svc().reorderCategories('5', ['food', 'fun']);
+    expect(budget.reorderBudgetCategories).toHaveBeenCalledWith('5', ['food', 'fun']);
+  });
+
+  describe('syncReservationPrice', () => {
+    it('returns early when the reservation is not found', () => {
+      dbMock._stmt.get.mockReturnValueOnce(undefined);
+      svc().syncReservationPrice('5', 42, 250, 'sock');
+      expect(dbMock._stmt.run).not.toHaveBeenCalled();
+      expect(broadcast).not.toHaveBeenCalled();
+    });
+
+    it('merges into existing metadata and broadcasts reservation:updated', () => {
+      dbMock._stmt.get
+        .mockReturnValueOnce({ id: 42, metadata: '{"vendor":"ACME"}' }) // lookup
+        .mockReturnValueOnce({ id: 42, metadata: '{"vendor":"ACME","price":"250"}' }); // reload
+      svc().syncReservationPrice('5', 42, 250, 'sock');
+      const writtenMeta = JSON.parse(dbMock._stmt.run.mock.calls[0][0] as string);
+      expect(writtenMeta).toEqual({ vendor: 'ACME', price: '250' });
+      expect(broadcast).toHaveBeenCalledWith('5', 'reservation:updated', { reservation: { id: 42, metadata: '{"vendor":"ACME","price":"250"}' } }, 'sock');
+    });
+
+    it('starts from an empty object when the reservation has no metadata', () => {
+      dbMock._stmt.get.mockReturnValueOnce({ id: 42, metadata: null }).mockReturnValueOnce({ id: 42 });
+      svc().syncReservationPrice('5', 42, 99, undefined);
+      const writtenMeta = JSON.parse(dbMock._stmt.run.mock.calls[0][0] as string);
+      expect(writtenMeta).toEqual({ price: '99' });
+    });
+
+    it('swallows errors so a sync failure never breaks the budget update', () => {
+      dbMock.prepare.mockImplementationOnce(() => { throw new Error('db gone'); });
+      expect(() => svc().syncReservationPrice('5', 42, 250, 'sock')).not.toThrow();
+      expect(broadcast).not.toHaveBeenCalled();
+    });
+  });
+});
@@ -2,6 +2,7 @@ import { describe, it, expect, vi } from 'vitest';
 import { HttpException } from '@nestjs/common';
 import { DaysController } from '../../../src/nest/days/days.controller';
 import { DayNotesController } from '../../../src/nest/days/day-notes.controller';
+import { DayReorderError } from '../../../src/services/dayService';
 import type { DaysService } from '../../../src/nest/days/days.service';
 import type { DayNotesService } from '../../../src/nest/days/day-notes.service';
 import type { User } from '../../../src/types';
@@ -44,6 +45,63 @@ describe('DaysController (parity with the legacy /api/trips/:tripId/days route)'
    expect(broadcast).toHaveBeenCalledWith('5', 'day:created', { day: { id: 9 } }, 'sock');
  });

+  it('POST / 404 when the trip is not accessible', () => {
+    const svc = daysSvc({ verifyTripAccess: vi.fn().mockReturnValue(null) });
+    expect(thrown(() => new DaysController(svc).create(user, '5', {}))).toEqual({ status: 404, body: { error: 'Trip not found' } });
+  });
+
+  it('POST / with a position inserts + broadcasts day:reordered', () => {
+    const insert = vi.fn().mockReturnValue({ id: 12 }); const create = vi.fn(); const broadcast = vi.fn();
+    const svc = daysSvc({ insert, create, broadcast } as Partial<DaysService>);
+    expect(new DaysController(svc).create(user, '5', { position: 0 }, 'sock')).toEqual({ day: { id: 12 } });
+    expect(insert).toHaveBeenCalledWith('5', 0);
+    expect(create).not.toHaveBeenCalled();
+    expect(broadcast).toHaveBeenCalledWith('5', 'day:reordered', { day: { id: 12 } }, 'sock');
+  });
+
+  describe('PUT /reorder', () => {
+    it('404 when the trip is not accessible', () => {
+      const svc = daysSvc({ verifyTripAccess: vi.fn().mockReturnValue(undefined) });
+      expect(thrown(() => new DaysController(svc).reorder(user, '5', { orderedIds: [1, 2] }))).toEqual({ status: 404, body: { error: 'Trip not found' } });
+    });
+
+    it('403 without day_edit', () => {
+      const svc = daysSvc({ canEdit: vi.fn().mockReturnValue(false) });
+      expect(thrown(() => new DaysController(svc).reorder(user, '5', { orderedIds: [1, 2] }))).toEqual({ status: 403, body: { error: 'No permission' } });
+    });
+
+    it('400 when orderedIds is missing', () => {
+      expect(thrown(() => new DaysController(daysSvc()).reorder(user, '5', {}))).toEqual({ status: 400, body: { error: 'orderedIds must be an array' } });
+    });
+
+    it('400 when orderedIds is not an array', () => {
+      expect(thrown(() => new DaysController(daysSvc()).reorder(user, '5', { orderedIds: 'nope' as never }))).toEqual({ status: 400, body: { error: 'orderedIds must be an array' } });
+    });
+
+    it('maps a DayReorderError to 400 with its message', () => {
+      const reorder = vi.fn(() => { throw new DayReorderError('orderedIds must be a permutation of the trip day ids.'); });
+      const svc = daysSvc({ reorder } as Partial<DaysService>);
+      expect(thrown(() => new DaysController(svc).reorder(user, '5', { orderedIds: [9] }))).toEqual({
+        status: 400, body: { error: 'orderedIds must be a permutation of the trip day ids.' },
+      });
+    });
+
+    it('rethrows a non-DayReorderError unchanged', () => {
+      const boom = new Error('db is down');
+      const reorder = vi.fn(() => { throw boom; });
+      const svc = daysSvc({ reorder } as Partial<DaysService>);
+      expect(() => new DaysController(svc).reorder(user, '5', { orderedIds: [1, 2] })).toThrow(boom);
+    });
+
+    it('reorders and broadcasts day:reordered', () => {
+      const reorder = vi.fn(); const broadcast = vi.fn();
+      const svc = daysSvc({ reorder, broadcast } as Partial<DaysService>);
+      expect(new DaysController(svc).reorder(user, '5', { orderedIds: [2, 1] }, 'sock')).toEqual({ success: true });
+      expect(reorder).toHaveBeenCalledWith('5', [2, 1]);
+      expect(broadcast).toHaveBeenCalledWith('5', 'day:reordered', { orderedIds: [2, 1] }, 'sock');
+    });
+  });
+
  it('PUT /:id 404 when the day is missing, else updates', () => {
    expect(thrown(() => new DaysController(daysSvc({ getDay: vi.fn().mockReturnValue(undefined) } as Partial<DaysService>)).update(user, '5', '9', {}))).toEqual({ status: 404, body: { error: 'Day not found' } });
    const update = vi.fn().mockReturnValue({ id: 9, title: 'T' });
@@ -1,5 +1,6 @@
 import { describe, it, expect, vi } from 'vitest';
 import { HttpException } from '@nestjs/common';
+import { MulterError } from 'multer';
 import { TrekExceptionFilter } from '../../../src/nest/common/trek-exception.filter';

 function mockHost() {
@@ -31,4 +32,89 @@ describe('TrekExceptionFilter', () => {
    expect(res.status).toHaveBeenCalledWith(500);
    expect(res.json).toHaveBeenCalledWith({ error: 'Internal server error' });
  });
+
+  it('maps a multer LIMIT_FILE_SIZE error to 413 with the multer message', () => {
+    const { res, host } = mockHost();
+    filter.catch(new MulterError('LIMIT_FILE_SIZE', 'avatar'), host);
+    expect(res.status).toHaveBeenCalledWith(413);
+    expect(res.json).toHaveBeenCalledWith({ error: 'File too large' });
+  });
+
+  it('maps any other multer error to 400 with the multer message', () => {
+    const { res, host } = mockHost();
+    const err = new MulterError('LIMIT_UNEXPECTED_FILE', 'avatar');
+    filter.catch(err, host);
+    expect(res.status).toHaveBeenCalledWith(400);
+    expect(res.json).toHaveBeenCalledWith({ error: err.message });
+  });
+
+  it('normalises a Nest-shaped { statusCode, message, error } body to { error }', () => {
+    const { res, host } = mockHost();
+    filter.catch(new HttpException({ statusCode: 400, message: 'Validation failed', error: 'Bad Request' }, 400), host);
+    expect(res.status).toHaveBeenCalledWith(400);
+    expect(res.json).toHaveBeenCalledWith({ error: 'Validation failed' });
+  });
+
+  it('joins an array message into a single string', () => {
+    const { res, host } = mockHost();
+    filter.catch(new HttpException({ message: ['too short', 'required'] }, 400), host);
+    expect(res.status).toHaveBeenCalledWith(400);
+    expect(res.json).toHaveBeenCalledWith({ error: 'too short, required' });
+  });
+
+  it('falls back to obj.error when an object body has no message', () => {
+    const { res, host } = mockHost();
+    filter.catch(new HttpException({ statusCode: 400, error: 'Bad Request' }, 400), host);
+    expect(res.status).toHaveBeenCalledWith(400);
+    expect(res.json).toHaveBeenCalledWith({ error: 'Bad Request' });
+  });
+
+  it("uses 'Error' when an object body carries neither message nor error", () => {
+    const { res, host } = mockHost();
+    filter.catch(new HttpException({ statusCode: 400 }, 400), host);
+    expect(res.status).toHaveBeenCalledWith(400);
+    expect(res.json).toHaveBeenCalledWith({ error: 'Error' });
+  });
+
+  it('hides 5xx object-body details behind Internal server error', () => {
+    const { res, host } = mockHost();
+    filter.catch(new HttpException({ message: 'secret stack detail' }, 503), host);
+    expect(res.status).toHaveBeenCalledWith(503);
+    expect(res.json).toHaveBeenCalledWith({ error: 'Internal server error' });
+  });
+
+  it('maps a plain error with statusCode to that status (4xx exposes message)', () => {
+    const { res, host } = mockHost();
+    filter.catch({ statusCode: 400, message: 'Only images are allowed' }, host);
+    expect(res.status).toHaveBeenCalledWith(400);
+    expect(res.json).toHaveBeenCalledWith({ error: 'Only images are allowed' });
+  });
+
+  it('honours a plain error status field when statusCode is absent', () => {
+    const { res, host } = mockHost();
+    filter.catch({ status: 404, message: 'Not here' }, host);
+    expect(res.status).toHaveBeenCalledWith(404);
+    expect(res.json).toHaveBeenCalledWith({ error: 'Not here' });
+  });
+
+  it("uses 'Error' for a 4xx plain error with no message", () => {
+    const { res, host } = mockHost();
+    filter.catch({ statusCode: 422 }, host);
+    expect(res.status).toHaveBeenCalledWith(422);
+    expect(res.json).toHaveBeenCalledWith({ error: 'Error' });
+  });
+
+  it('hides a 5xx string-body HttpException behind Internal server error', () => {
+    const { res, host } = mockHost();
+    filter.catch(new HttpException('database exploded', 500), host);
+    expect(res.status).toHaveBeenCalledWith(500);
+    expect(res.json).toHaveBeenCalledWith({ error: 'Internal server error' });
+  });
+
+  it('treats a null exception as a 500', () => {
+    const { res, host } = mockHost();
+    filter.catch(null, host);
+    expect(res.status).toHaveBeenCalledWith(500);
+    expect(res.json).toHaveBeenCalledWith({ error: 'Internal server error' });
+  });
 });
@@ -1,6 +1,9 @@
 import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
 import { HttpException } from '@nestjs/common';
 import type { Request, Response } from 'express';
+import os from 'os';
+import path from 'path';
+import fs from 'fs';

 vi.mock('../../../src/services/demo', () => ({ isDemoEmail: vi.fn(() => false) }));

@@ -123,6 +126,19 @@ describe('FilesController (parity with the legacy /api/trips/:tripId/files route
    const s = fsvc({ getFileLinks: vi.fn().mockReturnValue([{ id: 1 }]) } as Partial<FilesService>);
    expect(new FilesController(s).links(user, '5', '9')).toEqual({ links: [{ id: 1 }] });
  });
+
+  it('the trash + link routes all reject without file_delete / file_edit', async () => {
+    const denied = () => fsvc({ can: vi.fn().mockReturnValue(false) });
+    await expect(new FilesController(denied()).permanent(user, '5', '9')).rejects.toMatchObject({ status: 403 });
+    expect(thrown(() => new FilesController(denied()).restore(user, '5', '9'))).toEqual({ status: 403, body: { error: 'No permission' } });
+    expect(thrown(() => new FilesController(denied()).link(user, '5', '9', {}))).toEqual({ status: 403, body: { error: 'No permission' } });
+    expect(thrown(() => new FilesController(denied()).unlink(user, '5', '9', '3'))).toEqual({ status: 403, body: { error: 'No permission' } });
+  });
+
+  it('GET /:id/links 404 without trip access', () => {
+    const s = fsvc({ verifyTripAccess: vi.fn().mockReturnValue(undefined) });
+    expect(thrown(() => new FilesController(s).links(user, '5', '9'))).toEqual({ status: 404, body: { error: 'Trip not found' } });
+  });
 });

 describe('FilesDownloadController', () => {
@@ -147,6 +163,62 @@ describe('FilesDownloadController', () => {
    expect(thrown(() => new FilesDownloadController(dsvc({ getFileById: vi.fn().mockReturnValue(undefined) })).download(req, res, '5', '9'))).toEqual({ status: 404, body: { error: 'File not found' } });
    expect(thrown(() => new FilesDownloadController(dsvc({ resolveFilePath: vi.fn().mockReturnValue({ resolved: '/x', safe: false }) })).download(req, res, '5', '9'))).toEqual({ status: 403, body: { error: 'Forbidden' } });
  });
+
+  it('404 when the safe path is gone from disk', () => {
+    const missing = path.join(os.tmpdir(), `trek-no-such-${Date.now()}.pdf`);
+    const s = dsvc({ resolveFilePath: vi.fn().mockReturnValue({ resolved: missing, safe: true }) });
+    expect(thrown(() => new FilesDownloadController(s).download(req, res, '5', '9'))).toEqual({ status: 404, body: { error: 'File not found' } });
+  });
+
+  it('streams a regular file via sendFile with an explicit root', () => {
+    const real = path.join(os.tmpdir(), `trek-dl-${Date.now()}.pdf`);
+    fs.writeFileSync(real, 'x');
+    try {
+      const sendFile = vi.fn();
+      const localRes = { setHeader: vi.fn(), sendFile } as unknown as Response;
+      const s = dsvc({ resolveFilePath: vi.fn().mockReturnValue({ resolved: real, safe: true }) });
+      new FilesDownloadController(s).download(req, localRes, '5', '9');
+      expect(sendFile).toHaveBeenCalledWith(path.basename(real), { root: path.dirname(real) });
+      expect(localRes.setHeader).not.toHaveBeenCalled();
+    } finally {
+      fs.unlinkSync(real);
+    }
+  });
+
+  it('serves a .pkpass inline with the Wallet MIME type and the original name', () => {
+    const real = path.join(os.tmpdir(), `trek-pass-${Date.now()}.pkpass`);
+    fs.writeFileSync(real, 'x');
+    try {
+      const setHeader = vi.fn();
+      const localRes = { setHeader, sendFile: vi.fn() } as unknown as Response;
+      const s = dsvc({
+        getFileById: vi.fn().mockReturnValue({ filename: 'pass.pkpass', original_name: 'BoardingPass.pkpass' }),
+        resolveFilePath: vi.fn().mockReturnValue({ resolved: real, safe: true }),
+      });
+      new FilesDownloadController(s).download(req, localRes, '5', '9');
+      expect(setHeader).toHaveBeenCalledWith('Content-Type', 'application/vnd.apple.pkpass');
+      expect(setHeader).toHaveBeenCalledWith('Content-Disposition', 'inline; filename="BoardingPass.pkpass"');
+    } finally {
+      fs.unlinkSync(real);
+    }
+  });
+
+  it('falls back to the resolved basename when a .pkpass has no original name', () => {
+    const real = path.join(os.tmpdir(), `trek-pass-${Date.now()}.pkpass`);
+    fs.writeFileSync(real, 'x');
+    try {
+      const setHeader = vi.fn();
+      const localRes = { setHeader, sendFile: vi.fn() } as unknown as Response;
+      const s = dsvc({
+        getFileById: vi.fn().mockReturnValue({ filename: 'pass.pkpass', original_name: null }),
+        resolveFilePath: vi.fn().mockReturnValue({ resolved: real, safe: true }),
+      });
+      new FilesDownloadController(s).download(req, localRes, '5', '9');
+      expect(setHeader).toHaveBeenCalledWith('Content-Disposition', `inline; filename="${path.basename(real)}"`);
+    } finally {
+      fs.unlinkSync(real);
+    }
+  });
 });

 describe('PhotosController', () => {
@@ -0,0 +1,134 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+import type { Request } from 'express';
+
+// Mock the side-effect dependencies the wrapper reaches into directly.
+const { broadcast } = vi.hoisted(() => ({ broadcast: vi.fn() }));
+vi.mock('../../../src/websocket', () => ({ broadcast }));
+
+const { checkPermission } = vi.hoisted(() => ({ checkPermission: vi.fn(() => true) }));
+vi.mock('../../../src/services/permissions', () => ({ checkPermission }));
+
+const { svc } = vi.hoisted(() => ({
+  svc: {
+    verifyTripAccess: vi.fn(),
+    authenticateDownload: vi.fn(),
+    resolveFilePath: vi.fn(),
+    listFiles: vi.fn(),
+    getFileById: vi.fn(),
+    getDeletedFile: vi.fn(),
+    createFile: vi.fn(),
+    updateFile: vi.fn(),
+    toggleStarred: vi.fn(),
+    softDeleteFile: vi.fn(),
+    restoreFile: vi.fn(),
+    permanentDeleteFile: vi.fn(),
+    emptyTrash: vi.fn(),
+    createFileLink: vi.fn(),
+    deleteFileLink: vi.fn(),
+    getFileLinks: vi.fn(),
+  },
+}));
+vi.mock('../../../src/services/fileService', () => svc);
+
+import { FilesService } from '../../../src/nest/files/files.service';
+import type { User } from '../../../src/types';
+
+function service() {
+  return new FilesService();
+}
+
+beforeEach(() => vi.clearAllMocks());
+
+describe('FilesService (thin wrapper around the legacy fileService)', () => {
+  it('verifyTripAccess delegates to the legacy service', () => {
+    svc.verifyTripAccess.mockReturnValue({ id: 5, user_id: 2 });
+    expect(service().verifyTripAccess('5', 2)).toEqual({ id: 5, user_id: 2 });
+    expect(svc.verifyTripAccess).toHaveBeenCalledWith('5', 2);
+  });
+
+  it('can forwards the ownership flag when the user owns the trip', () => {
+    checkPermission.mockReturnValue(true);
+    const user = { id: 1, role: 'user' } as User;
+    expect(service().can('file_edit', { user_id: 1 } as never, user)).toBe(true);
+    expect(checkPermission).toHaveBeenCalledWith('file_edit', 'user', 1, 1, false);
+  });
+
+  it('can marks the user as a guest when they do not own the trip', () => {
+    checkPermission.mockReturnValue(false);
+    const user = { id: 1, role: 'user' } as User;
+    expect(service().can('file_upload', { user_id: 2 } as never, user)).toBe(false);
+    expect(checkPermission).toHaveBeenCalledWith('file_upload', 'user', 2, 1, true);
+  });
+
+  it('broadcast forwards to the websocket helper', () => {
+    service().broadcast('5', 'file:created', { file: { id: 1 } }, 'sock');
+    expect(broadcast).toHaveBeenCalledWith('5', 'file:created', { file: { id: 1 } }, 'sock');
+  });
+
+  it('authenticateDownload / resolveFilePath delegate', () => {
+    const req = { headers: {} } as Request;
+    svc.authenticateDownload.mockReturnValue({ userId: 7 });
+    expect(service().authenticateDownload(req)).toEqual({ userId: 7 });
+    expect(svc.authenticateDownload).toHaveBeenCalledWith(req);
+
+    svc.resolveFilePath.mockReturnValue({ resolved: '/a/b.pdf', safe: true });
+    expect(service().resolveFilePath('b.pdf')).toEqual({ resolved: '/a/b.pdf', safe: true });
+    expect(svc.resolveFilePath).toHaveBeenCalledWith('b.pdf');
+  });
+
+  it('the read helpers delegate', () => {
+    svc.listFiles.mockReturnValue([{ id: 1 }]);
+    expect(service().listFiles('5', true)).toEqual([{ id: 1 }]);
+    expect(svc.listFiles).toHaveBeenCalledWith('5', true);
+
+    svc.getFileById.mockReturnValue({ id: 9 });
+    expect(service().getFileById('9', '5')).toEqual({ id: 9 });
+    expect(svc.getFileById).toHaveBeenCalledWith('9', '5');
+
+    svc.getDeletedFile.mockReturnValue({ id: 9 });
+    expect(service().getDeletedFile('9', '5')).toEqual({ id: 9 });
+    expect(svc.getDeletedFile).toHaveBeenCalledWith('9', '5');
+
+    svc.getFileLinks.mockReturnValue([{ id: 1 }]);
+    expect(service().getFileLinks('9')).toEqual([{ id: 1 }]);
+    expect(svc.getFileLinks).toHaveBeenCalledWith('9');
+  });
+
+  it('the mutating helpers delegate', () => {
+    const file = { filename: 'a.pdf' } as Express.Multer.File;
+    svc.createFile.mockReturnValue({ id: 9 });
+    expect(service().createFile('5', file, 1, { description: 'd' })).toEqual({ id: 9 });
+    expect(svc.createFile).toHaveBeenCalledWith('5', file, 1, { description: 'd' });
+
+    svc.updateFile.mockReturnValue({ id: 9 });
+    const current = { id: 9 } as never;
+    expect(service().updateFile('9', current, { description: 'x' })).toEqual({ id: 9 });
+    expect(svc.updateFile).toHaveBeenCalledWith('9', current, { description: 'x' });
+
+    svc.toggleStarred.mockReturnValue({ id: 9, starred: 1 });
+    expect(service().toggleStarred('9', 0)).toEqual({ id: 9, starred: 1 });
+    expect(svc.toggleStarred).toHaveBeenCalledWith('9', 0);
+
+    service().softDeleteFile('9');
+    expect(svc.softDeleteFile).toHaveBeenCalledWith('9');
+
+    svc.restoreFile.mockReturnValue({ id: 9 });
+    expect(service().restoreFile('9')).toEqual({ id: 9 });
+    expect(svc.restoreFile).toHaveBeenCalledWith('9');
+
+    const trashed = { id: 9 } as never;
+    service().permanentDeleteFile(trashed);
+    expect(svc.permanentDeleteFile).toHaveBeenCalledWith(trashed);
+
+    svc.emptyTrash.mockReturnValue(3);
+    expect(service().emptyTrash('5')).toBe(3);
+    expect(svc.emptyTrash).toHaveBeenCalledWith('5');
+
+    svc.createFileLink.mockReturnValue([{ id: 1 }]);
+    expect(service().createFileLink('9', { reservation_id: 2 })).toEqual([{ id: 1 }]);
+    expect(svc.createFileLink).toHaveBeenCalledWith('9', { reservation_id: 2 });
+
+    service().deleteFileLink('3', '9');
+    expect(svc.deleteFileLink).toHaveBeenCalledWith('3', '9');
+  });
+});
@@ -0,0 +1,65 @@
+import { describe, it, expect, vi } from 'vitest';
+import { HealthController } from '../../../src/nest/health/health.controller';
+import { HealthService } from '../../../src/nest/health/health.service';
+import { DatabaseService } from '../../../src/nest/database/database.service';
+import type { User } from '../../../src/types';
+
+const user = { id: 1, role: 'user', email: 'u@example.test' } as User;
+
+function makeService(overrides: Partial<HealthService> = {}): HealthService {
+  return {
+    info: vi.fn().mockReturnValue({ runtime: 'nestjs', diInjected: true, userCount: 0 }),
+    ...overrides,
+  } as unknown as HealthService;
+}
+
+describe('HealthController (foundation smoke endpoints under /api/_nest)', () => {
+  it('GET /health merges ok:true with the service info', () => {
+    const svc = makeService({
+      info: vi.fn().mockReturnValue({ runtime: 'nestjs', diInjected: true, userCount: 7 }),
+    });
+    expect(new HealthController(svc).getHealth()).toEqual({
+      ok: true,
+      runtime: 'nestjs',
+      diInjected: true,
+      userCount: 7,
+    });
+  });
+
+  it('GET /me returns the authenticated user as-is', () => {
+    const svc = makeService();
+    expect(new HealthController(svc).me(user)).toBe(user);
+  });
+
+  it('POST /echo wraps the validated body', () => {
+    const svc = makeService();
+    expect(new HealthController(svc).echo({ name: 'Maurice' })).toEqual({
+      youSent: { name: 'Maurice' },
+    });
+  });
+});
+
+describe('HealthService.info (shared SQLite connection proof)', () => {
+  function makeDb(get: () => unknown): DatabaseService {
+    return { get: vi.fn(get) } as unknown as DatabaseService;
+  }
+
+  it('returns the real user count when the row resolves', () => {
+    const service = new HealthService(makeDb(() => ({ n: 42 })));
+    expect(service.info()).toEqual({
+      runtime: 'nestjs',
+      diInjected: true,
+      userCount: 42,
+    });
+  });
+
+  it('falls back to null when the row is undefined', () => {
+    const service = new HealthService(makeDb(() => undefined));
+    expect(service.info().userCount).toBeNull();
+  });
+
+  it('falls back to null when the count column is null', () => {
+    const service = new HealthService(makeDb(() => ({ n: null })));
+    expect(service.info().userCount).toBeNull();
+  });
+});
@@ -144,4 +144,54 @@ describe('IdempotencyInterceptor (parity with the legacy applyIdempotency middle
    res.json({ error: 'bad' });
    expect(run).not.toHaveBeenCalled();
  });
+
+  it('does not cache a body that exceeds the 256 KiB cap', async () => {
+    const run = vi.fn();
+    const db = makeDb({ get: vi.fn().mockReturnValue(undefined), run });
+    const res = makeRes();
+    const big = { blob: 'x'.repeat(300 * 1024) };
+    const h = handler(big);
+    await lastValueFrom(
+      new IdempotencyInterceptor(db).intercept(
+        ctx({ method: 'POST', headers: { 'x-idempotency-key': 'k' }, path: '/api/categories', user: { id: 1 } }, res),
+        h,
+      ),
+    );
+    res.statusCode = 200;
+    res.json(big);
+    expect(run).not.toHaveBeenCalled();
+  });
+
+  it('swallows a storage failure so the response still succeeds', async () => {
+    const run = vi.fn(() => {
+      throw new Error('db is locked');
+    });
+    const db = makeDb({ get: vi.fn().mockReturnValue(undefined), run });
+    const res = makeRes();
+    const h = handler({ ok: true });
+    await lastValueFrom(
+      new IdempotencyInterceptor(db).intercept(
+        ctx({ method: 'POST', headers: { 'x-idempotency-key': 'k' }, path: '/api/categories', user: { id: 1 } }, res),
+        h,
+      ),
+    );
+    res.statusCode = 201;
+    const returned = res.json({ ok: true });
+    expect(run).toHaveBeenCalledTimes(1);
+    expect(returned).toEqual({ ok: true });
+  });
+
+  it('treats a PATCH as a mutating method', async () => {
+    const db = makeDb({ get: vi.fn().mockReturnValue(undefined), run: vi.fn() });
+    const res = makeRes();
+    const h = handler('done');
+    await lastValueFrom(
+      new IdempotencyInterceptor(db).intercept(
+        ctx({ method: 'PATCH', headers: { 'x-idempotency-key': 'k' }, path: '/api/categories/1', user: { id: 1 } }, res),
+        h,
+      ),
+    );
+    expect(db.get).toHaveBeenCalled();
+    expect(h.handle).toHaveBeenCalled();
+  });
 });
@@ -76,6 +76,8 @@ describe('JourneyController', () => {
    const c = new JourneyController(svc({ linkPhotoToEntry } as Partial<JourneyService>));
    expect(c.linkPhoto(user, '3', { photo_id: 5 })).toEqual({ id: 5 });
    expect(linkPhotoToEntry).toHaveBeenCalledWith(3, 5, 1);
+    // accepts the canonical journey_photo_id, 403 when the service refuses
+    expect(thrown(() => new JourneyController(svc({ linkPhotoToEntry: vi.fn().mockReturnValue(null) } as Partial<JourneyService>)).linkPhoto(user, '3', { journey_photo_id: 9 }))).toEqual({ status: 403, body: { error: 'Not allowed' } });
  });

  it('unlink photo (204) maps 404; delete photo 404 then unlinks file', () => {
@@ -143,6 +145,113 @@ describe('JourneyController', () => {
    await new JourneyController(noOptIn).uploadEntryPhotos(user, '3', [{ filename: 'b.jpg', originalname: 'b.jpg' } as Express.Multer.File], {});
    expect(uploadToImmich).toHaveBeenCalledTimes(1); // only the opted-in upload above
  });
+
+  it('entry photo upload: 400 no files, 403 when nothing added, swallows immich errors and empty ids', async () => {
+    expect(await thrownAsync(() => new JourneyController(svc()).uploadEntryPhotos(user, '3', undefined, {}))).toEqual({ status: 400, body: { error: 'No files uploaded' } });
+    expect(await thrownAsync(() => new JourneyController(svc({ addPhoto: vi.fn().mockReturnValue(null) } as Partial<JourneyService>)).uploadEntryPhotos(user, '3', [{ filename: 'a.jpg', originalname: 'a.jpg' } as Express.Multer.File], {}))).toEqual({ status: 403, body: { error: 'Not allowed' } });
+
+    // opted in but the immich upload throws → best-effort, the local photo still wins
+    const setPhotoProvider = vi.fn();
+    const blowsUp = svc({ addPhoto: vi.fn().mockReturnValue({ id: 8 }), immichAutoUploadEnabled: vi.fn().mockReturnValue(true), uploadToImmich: vi.fn().mockRejectedValue(new Error('immich down')), setPhotoProvider } as Partial<JourneyService>);
+    expect(await new JourneyController(blowsUp).uploadEntryPhotos(user, '3', [{ filename: 'a.jpg', originalname: 'a.jpg' } as Express.Multer.File], { caption: 'c' })).toEqual({ photos: [{ id: 8 }] });
+    expect(setPhotoProvider).not.toHaveBeenCalled();
+
+    // opted in but immich returns a falsy id → no provider stamping
+    const noId = svc({ addPhoto: vi.fn().mockReturnValue({ id: 9 }), immichAutoUploadEnabled: vi.fn().mockReturnValue(true), uploadToImmich: vi.fn().mockResolvedValue(''), setPhotoProvider } as Partial<JourneyService>);
+    expect(await new JourneyController(noId).uploadEntryPhotos(user, '3', [{ filename: 'a.jpg', originalname: 'a.jpg' } as Express.Multer.File], {})).toEqual({ photos: [{ id: 9 }] });
+  });
+
+  it('provider-photos batch passes the passphrase through when present', () => {
+    const addProviderPhoto = vi.fn().mockReturnValue({ id: 1 });
+    new JourneyController(svc({ addProviderPhoto } as Partial<JourneyService>)).providerPhotos(user, '3', { provider: 'immich', asset_ids: ['a'], caption: 'cap', passphrase: 'secret' });
+    expect(addProviderPhoto).toHaveBeenCalledWith(3, 1, 'immich', 'a', 'cap', 'secret');
+    // single-photo success path
+    expect(new JourneyController(svc({ addProviderPhoto: vi.fn().mockReturnValue({ id: 2 }) } as Partial<JourneyService>)).providerPhotos(user, '3', { provider: 'immich', asset_id: 'a' })).toEqual({ id: 2 });
+  });
+
+  it('PATCH photos: 404 then returns the updated photo', () => {
+    expect(thrown(() => new JourneyController(svc({ updatePhoto: vi.fn().mockReturnValue(null) } as Partial<JourneyService>)).updatePhoto(user, '7', { caption: 'x' }))).toEqual({ status: 404, body: { error: 'Photo not found' } });
+    expect(new JourneyController(svc({ updatePhoto: vi.fn().mockReturnValue({ id: 7 }) } as Partial<JourneyService>)).updatePhoto(user, '7', { caption: 'x' })).toEqual({ id: 7 });
+  });
+
+  it('DELETE photo unlinks the file when a path exists', () => {
+    const unlinkSpy = vi.spyOn(fs, 'unlinkSync').mockImplementation(() => undefined);
+    try {
+      expect(new JourneyController(svc({ deletePhoto: vi.fn().mockReturnValue({ id: 7, file_path: 'journey/a.jpg' }) } as Partial<JourneyService>)).deletePhoto(user, '7')).toEqual({ success: true });
+      expect(unlinkSpy).toHaveBeenCalledTimes(1);
+      // a vanished file is swallowed
+      unlinkSpy.mockImplementationOnce(() => { throw new Error('ENOENT'); });
+      expect(new JourneyController(svc({ deletePhoto: vi.fn().mockReturnValue({ id: 8, file_path: 'journey/b.jpg' }) } as Partial<JourneyService>)).deletePhoto(user, '8')).toEqual({ success: true });
+    } finally {
+      unlinkSpy.mockRestore();
+    }
+  });
+
+  it('gallery provider-photos: batch (with passphrase), single 400/403, success', () => {
+    const addProviderPhotoToGallery = vi.fn().mockReturnValue({ id: 1 });
+    const batch = new JourneyController(svc({ addProviderPhotoToGallery } as Partial<JourneyService>));
+    expect(batch.galleryProviderPhotos(user, '9', { provider: 'immich', asset_ids: ['a', 'b'], passphrase: 'pw' })).toEqual({ photos: [{ id: 1 }, { id: 1 }], added: 2 });
+    expect(addProviderPhotoToGallery).toHaveBeenCalledWith(9, 1, 'immich', 'a', undefined, 'pw');
+    expect(thrown(() => new JourneyController(svc()).galleryProviderPhotos(user, '9', { provider: 'immich' }))).toEqual({ status: 400, body: { error: 'provider and asset_id required' } });
+    expect(thrown(() => new JourneyController(svc({ addProviderPhotoToGallery: vi.fn().mockReturnValue(null) } as Partial<JourneyService>)).galleryProviderPhotos(user, '9', { provider: 'immich', asset_id: 'a' }))).toEqual({ status: 403, body: { error: 'Not allowed or duplicate' } });
+    expect(new JourneyController(svc({ addProviderPhotoToGallery: vi.fn().mockReturnValue({ id: 3 }) } as Partial<JourneyService>)).galleryProviderPhotos(user, '9', { provider: 'immich', asset_id: 'a' })).toEqual({ id: 3 });
+  });
+
+  it('DELETE gallery photo: 404, then unlinks the file when present', () => {
+    expect(thrown(() => new JourneyController(svc({ deleteGalleryPhoto: vi.fn().mockReturnValue(null) } as Partial<JourneyService>)).deleteGalleryPhoto(user, '7'))).toEqual({ status: 404, body: { error: 'Photo not found or not allowed' } });
+    // no file_path → nothing to unlink, returns void
+    expect(new JourneyController(svc({ deleteGalleryPhoto: vi.fn().mockReturnValue({ id: 7, file_path: null }) } as Partial<JourneyService>)).deleteGalleryPhoto(user, '7')).toBeUndefined();
+    const unlinkSpy = vi.spyOn(fs, 'unlinkSync').mockImplementation(() => undefined);
+    try {
+      new JourneyController(svc({ deleteGalleryPhoto: vi.fn().mockReturnValue({ id: 8, file_path: 'journey/g.jpg' }) } as Partial<JourneyService>)).deleteGalleryPhoto(user, '8');
+      expect(unlinkSpy).toHaveBeenCalledTimes(1);
+      unlinkSpy.mockImplementationOnce(() => { throw new Error('ENOENT'); });
+      expect(new JourneyController(svc({ deleteGalleryPhoto: vi.fn().mockReturnValue({ id: 9, file_path: 'journey/h.jpg' }) } as Partial<JourneyService>)).deleteGalleryPhoto(user, '9')).toBeUndefined();
+    } finally {
+      unlinkSpy.mockRestore();
+    }
+  });
+
+  it('PATCH /:id returns the updated journey on success', () => {
+    expect(new JourneyController(svc({ updateJourney: vi.fn().mockReturnValue({ id: 9 }) } as Partial<JourneyService>)).update(user, '9', { title: 'x' })).toEqual({ id: 9 });
+  });
+
+  it('cover upload: 400 without file, 404 when the journey is gone, else returns the journey', () => {
+    expect(thrown(() => new JourneyController(svc()).cover(user, '9', undefined))).toEqual({ status: 400, body: { error: 'No file uploaded' } });
+    expect(thrown(() => new JourneyController(svc({ updateJourney: vi.fn().mockReturnValue(null) } as Partial<JourneyService>)).cover(user, '9', { filename: 'c.jpg' } as Express.Multer.File))).toEqual({ status: 404, body: { error: 'Journey not found' } });
+    const updateJourney = vi.fn().mockReturnValue({ id: 9, cover_image: 'journey/c.jpg' });
+    expect(new JourneyController(svc({ updateJourney } as Partial<JourneyService>)).cover(user, '9', { filename: 'c.jpg' } as Express.Multer.File)).toEqual({ id: 9, cover_image: 'journey/c.jpg' });
+    expect(updateJourney).toHaveBeenCalledWith(9, 1, { cover_image: 'journey/c.jpg' });
+  });
+
+  it('DELETE /:id and trips/contributors success paths', () => {
+    expect(new JourneyController(svc({ deleteJourney: vi.fn().mockReturnValue(true) } as Partial<JourneyService>)).remove(user, '9')).toEqual({ success: true });
+    expect(new JourneyController(svc({ removeTripFromJourney: vi.fn().mockReturnValue(true) } as Partial<JourneyService>)).removeTrip(user, '9', '2')).toEqual({ success: true });
+    expect(new JourneyController(svc({ updateContributorRole: vi.fn().mockReturnValue(true) } as Partial<JourneyService>)).updateContributor(user, '9', '2', { role: 'editor' })).toEqual({ success: true });
+    expect(new JourneyController(svc({ removeContributor: vi.fn().mockReturnValue(true) } as Partial<JourneyService>)).removeContributor(user, '9', '2')).toEqual({ success: true });
+  });
+
+  it('addContributor defaults the role to viewer when omitted', () => {
+    const addContributor = vi.fn().mockReturnValue(true);
+    new JourneyController(svc({ addContributor } as Partial<JourneyService>)).addContributor(user, '9', { user_id: 2 });
+    expect(addContributor).toHaveBeenCalledWith(9, 1, 2, 'viewer');
+  });
+
+  it('createEntry returns the entry when the journey exists', () => {
+    expect(new JourneyController(svc({ createEntry: vi.fn().mockReturnValue({ id: 4 }) } as Partial<JourneyService>)).createEntry(user, '9', { entry_date: '2026-01-01' })).toEqual({ id: 4 });
+  });
+
+  it('reorderEntries succeeds for a numeric array', () => {
+    expect(new JourneyController(svc({ reorderEntries: vi.fn().mockReturnValue(true) } as Partial<JourneyService>)).reorderEntries(user, '9', { orderedIds: [3, 1, 2] })).toEqual({ success: true });
+  });
+
+  it('preferences returns the result on success', () => {
+    expect(new JourneyController(svc({ updateJourneyPreferences: vi.fn().mockReturnValue({ ok: true }) } as Partial<JourneyService>)).preferences(user, '9', { theme: 'dark' })).toEqual({ ok: true });
+  });
+
+  it('deleteShareLink returns success when removed', () => {
+    expect(new JourneyController(svc({ deleteJourneyShareLink: vi.fn().mockReturnValue(true) } as Partial<JourneyService>)).deleteShareLink(user, '9')).toEqual({ success: true });
+  });
 });

 describe('JourneyPublicController', () => {
@@ -167,6 +276,45 @@ describe('JourneyPublicController', () => {
    expect(streamImmichAsset).toHaveBeenCalledWith({}, 5, 'a1', 'original', 5);
  });

+  it('photo proxy streams thumbnails too', async () => {
+    const streamPhoto = vi.fn().mockResolvedValue(undefined);
+    const s = svc({ validateShareTokenForPhoto: vi.fn().mockReturnValue({ ownerId: 3 }), streamPhoto } as Partial<JourneyService>);
+    await new JourneyPublicController(s).photo('tok', '7', 'thumbnail', {} as Response);
+    expect(streamPhoto).toHaveBeenCalledWith({}, 3, 7, 'thumbnail');
+  });
+
+  it('legacy photo proxy: synology streams, and a failure becomes a 404 json', async () => {
+    const streamSynologyAsset = vi.fn().mockResolvedValue(undefined);
+    const s = svc({ validateShareTokenForAsset: vi.fn().mockReturnValue({ ownerId: 5 }), streamSynologyAsset } as Partial<JourneyService>);
+    await new JourneyPublicController(s).legacyPhoto('tok', 'synology', 'a1', '2', 'thumbnail', {} as Response);
+    expect(streamSynologyAsset).toHaveBeenCalledWith({}, 5, 5, 'a1', 'thumbnail');
+
+    const status = vi.fn().mockReturnThis();
+    const json = vi.fn();
+    const res = { status, json } as unknown as Response;
+    const failing = svc({ validateShareTokenForAsset: vi.fn().mockReturnValue({ ownerId: 0 }), streamSynologyAsset: vi.fn().mockRejectedValue(new Error('no synology')) } as Partial<JourneyService>);
+    await new JourneyPublicController(failing).legacyPhoto('tok', 'synology', 'a1', '6', 'original', res);
+    expect(status).toHaveBeenCalledWith(404);
+    expect(json).toHaveBeenCalledWith({ error: 'Provider not supported' });
+  });
+
+  it('legacy photo proxy: falls back to the path ownerId when the token has none', async () => {
+    const streamImmichAsset = vi.fn().mockResolvedValue(undefined);
+    const s = svc({ validateShareTokenForAsset: vi.fn().mockReturnValue({ ownerId: 0 }), streamImmichAsset } as Partial<JourneyService>);
+    await new JourneyPublicController(s).legacyPhoto('tok', 'immich', 'a1', '8', 'original', {} as Response);
+    expect(streamImmichAsset).toHaveBeenCalledWith({}, 8, 'a1', 'original', 8);
+  });
+
+  it('legacy photo proxy: local provider 404s when the resolved file does not exist', async () => {
+    const existsSpy = vi.spyOn(fs, 'existsSync').mockReturnValue(false);
+    try {
+      const s = svc({ validateShareTokenForAsset: vi.fn().mockReturnValue({ ownerId: 5 }) } as Partial<JourneyService>);
+      expect(await thrownAsync(() => new JourneyPublicController(s).legacyPhoto('tok', 'local', 'gone.jpg', '2', 'thumbnail', {} as Response))).toEqual({ status: 404, body: { error: 'Not found' } });
+    } finally {
+      existsSpy.mockRestore();
+    }
+  });
+
  it('legacy photo proxy: local provider cannot escape uploads/journey via a traversal asset id', async () => {
    // Pretend any path exists so we can inspect exactly what would be served.
    const existsSpy = vi.spyOn(fs, 'existsSync').mockReturnValue(true);
@@ -50,12 +50,67 @@ describe('MapsController (parity with the legacy /api/maps route)', () => {
      expect(search).toHaveBeenCalledWith(3, 'berlin', 'de', undefined);
    });

+    it('400 on a malformed locationBias (non-finite lat/lng)', async () => {
+      const search = vi.fn();
+      const bad = { lat: NaN, lng: 2 };
+      expect(await thrown(() => makeController({ search }).search(user, 'x', 'de', bad))).toEqual({
+        status: 400, body: { error: 'Invalid locationBias: lat and lng must be finite numbers' },
+      });
+      expect(search).not.toHaveBeenCalled();
+    });
+
+    it('forwards a valid locationBias to the service', async () => {
+      const search = vi.fn().mockResolvedValue({ places: [], source: 'osm' });
+      const bias = { lat: 1, lng: 2, radius: 5000 };
+      await makeController({ search }).search(user, 'x', 'de', bias);
+      expect(search).toHaveBeenCalledWith(3, 'x', 'de', bias);
+    });
+
    it('maps a service error to its status + message', async () => {
      const search = vi.fn().mockRejectedValue(withError(429, 'Rate limited'));
      expect(await thrown(() => makeController({ search }).search(user, 'x'))).toEqual({
        status: 429, body: { error: 'Rate limited' },
      });
    });
+
+    it('defaults a non-Error rejection to 500 + the fallback message', async () => {
+      const search = vi.fn().mockRejectedValue('boom');
+      expect(await thrown(() => makeController({ search }).search(user, 'x'))).toEqual({
+        status: 500, body: { error: 'Search error' },
+      });
+    });
+  });
+
+  describe('GET /pois', () => {
+    it('400 when category is missing', async () => {
+      const pois = vi.fn();
+      expect(await thrown(() => makeController({ pois }).pois(undefined, '1', '2', '3', '4'))).toEqual({
+        status: 400, body: { error: 'A category is required' },
+      });
+      expect(pois).not.toHaveBeenCalled();
+    });
+
+    it('400 when the bbox has a non-finite value', async () => {
+      const pois = vi.fn();
+      expect(await thrown(() => makeController({ pois }).pois('cafe', 'x', '2', '3', '4'))).toEqual({
+        status: 400, body: { error: 'A valid bbox (south, west, north, east) is required' },
+      });
+      expect(pois).not.toHaveBeenCalled();
+    });
+
+    it('delegates a valid request with a parsed numeric bbox', async () => {
+      const pois = vi.fn().mockResolvedValue({ places: [] });
+      const res = await makeController({ pois }).pois('cafe', '1', '2', '3', '4');
+      expect(res).toEqual({ places: [] });
+      expect(pois).toHaveBeenCalledWith('cafe', { south: 1, west: 2, north: 3, east: 4 });
+    });
+
+    it('maps a service error, defaulting to 500', async () => {
+      const pois = vi.fn().mockRejectedValue(new Error('Overpass down'));
+      expect(await thrown(() => makeController({ pois }).pois('cafe', '1', '2', '3', '4'))).toEqual({
+        status: 500, body: { error: 'Overpass down' },
+      });
+    });
  });

  describe('POST /autocomplete', () => {
@@ -87,12 +142,28 @@ describe('MapsController (parity with the legacy /api/maps route)', () => {
      });
    });

+    it('400 when locationBias is missing the high corner', async () => {
+      const c = makeController({ autocompleteDisabled: () => false });
+      const bad = { low: { lat: 1, lng: 2 } } as never;
+      expect(await thrown(() => c.autocomplete(user, 'be', undefined, bad))).toEqual({
+        status: 400, body: { error: 'Invalid locationBias: low and high must have finite lat and lng' },
+      });
+    });
+
    it('delegates a valid request', async () => {
      const autocomplete = vi.fn().mockResolvedValue({ suggestions: [], source: 'osm' });
      const bias = { low: { lat: 1, lng: 2 }, high: { lat: 3, lng: 4 } };
      await makeController({ autocompleteDisabled: () => false, autocomplete }).autocomplete(user, 'be', 'en', bias);
      expect(autocomplete).toHaveBeenCalledWith(3, 'be', 'en', bias);
    });
+
+    it('maps a service error', async () => {
+      const autocomplete = vi.fn().mockRejectedValue(withError(503, 'Upstream down'));
+      const c = makeController({ autocompleteDisabled: () => false, autocomplete });
+      expect(await thrown(() => c.autocomplete(user, 'be'))).toEqual({
+        status: 503, body: { error: 'Upstream down' },
+      });
+    });
  });

  describe('GET /details/:placeId', () => {
@@ -138,12 +209,30 @@ describe('MapsController (parity with the legacy /api/maps route)', () => {
      expect(photo).toHaveBeenCalledWith(3, 'coords:1,2', 1, 2, 'Spot');
    });

-    it('maps a service error', async () => {
+    it('maps a 4xx service error', async () => {
      const photo = vi.fn().mockRejectedValue(withError(404, 'No photo available'));
      expect(await thrown(() => makeController({ photosDisabled: () => false, photo }).placePhoto(user, 'p1', '1', '2'))).toEqual({
        status: 404, body: { error: 'No photo available' },
      });
    });
+
+    it('logs and maps a 5xx service error', async () => {
+      const photo = vi.fn().mockRejectedValue(withError(502, 'Upstream failed'));
+      expect(await thrown(() => makeController({ photosDisabled: () => false, photo }).placePhoto(user, 'p1', '1', '2'))).toEqual({
+        status: 502, body: { error: 'Upstream failed' },
+      });
+      expect(console.error).toHaveBeenCalledWith('Place photo error:', expect.any(Error));
+    });
+
+    it('defaults a status-less error to 500 and parses NaN coords', async () => {
+      const photo = vi.fn().mockRejectedValue(new Error('Error fetching photo'));
+      expect(await thrown(() => makeController({ photosDisabled: () => false, photo }).placePhoto(user, 'p1'))).toEqual({
+        status: 500, body: { error: 'Error fetching photo' },
+      });
+      const [, , lat, lng] = photo.mock.calls[0];
+      expect(Number.isNaN(lat)).toBe(true);
+      expect(Number.isNaN(lng)).toBe(true);
+    });
  });

  describe('GET /place-photo/:placeId/bytes', () => {
@@ -190,6 +279,18 @@ describe('MapsController (parity with the legacy /api/maps route)', () => {
      expect(res.status).toHaveBeenCalledWith(404);
      expect(res.json).toHaveBeenCalledWith({ error: 'Photo not cached' });
    });
+
+    it('does not re-send a 404 when the stream errors after headers were flushed', () => {
+      let onError: () => void = () => {};
+      const stream = { on: vi.fn((ev: string, cb: () => void) => { if (ev === 'error') onError = cb; return stream; }), pipe: vi.fn() };
+      createReadStream.mockReturnValue(stream);
+      const res = makeRes();
+      (res as { headersSent: boolean }).headersSent = true;
+      makeController({ photoBytesPath: () => '/cache/p1.jpg' }).placePhotoBytes('p1', res);
+      onError();
+      expect(res.status).not.toHaveBeenCalled();
+      expect(res.json).not.toHaveBeenCalled();
+    });
  });

  describe('GET /reverse', () => {
@@ -220,11 +321,39 @@ describe('MapsController (parity with the legacy /api/maps route)', () => {
      expect(await makeController({ resolveUrl }).resolveUrl('https://maps.app.goo.gl/x')).toEqual({ lat: 1, lng: 2, name: null, address: null });
    });

+    it('400 when url is not a string', async () => {
+      expect(await thrown(() => makeController({}).resolveUrl(42 as unknown as string))).toEqual({
+        status: 400, body: { error: 'URL is required' },
+      });
+    });
+
    it('maps a service error, defaulting to 400', async () => {
      const resolveUrl = vi.fn().mockRejectedValue(new Error('Failed to resolve URL'));
      expect(await thrown(() => makeController({ resolveUrl }).resolveUrl('bad'))).toEqual({
        status: 400, body: { error: 'Failed to resolve URL' },
      });
    });
+
+    it('honours an explicit status on the thrown error', async () => {
+      const resolveUrl = vi.fn().mockRejectedValue(withError(422, 'Unsupported link'));
+      expect(await thrown(() => makeController({ resolveUrl }).resolveUrl('bad'))).toEqual({
+        status: 422, body: { error: 'Unsupported link' },
+      });
+    });
+
+    it('falls back to the default message when a non-Error is thrown', async () => {
+      const resolveUrl = vi.fn().mockRejectedValue('nope');
+      expect(await thrown(() => makeController({ resolveUrl }).resolveUrl('bad'))).toEqual({
+        status: 400, body: { error: 'Failed to resolve URL' },
+      });
+    });
+  });
+
+  describe('GET /reverse', () => {
+    it('forwards lang through to the service', async () => {
+      const reverse = vi.fn().mockResolvedValue({ name: null, address: null });
+      await makeController({ reverse }).reverse('1', '2', 'fr');
+      expect(reverse).toHaveBeenCalledWith('1', '2', 'fr');
+    });
  });
 });
@@ -0,0 +1,131 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+
+const { maps } = vi.hoisted(() => ({
+  maps: {
+    searchPlaces: vi.fn(),
+    autocompletePlaces: vi.fn(),
+    getPlaceDetails: vi.fn(),
+    getPlaceDetailsExpanded: vi.fn(),
+    getPlacePhoto: vi.fn(),
+    reverseGeocode: vi.fn(),
+    resolveGoogleMapsUrl: vi.fn(),
+    searchOverpassPois: vi.fn(),
+  },
+}));
+vi.mock('../../../src/services/mapsService', () => maps);
+
+const { serveFilePath } = vi.hoisted(() => ({ serveFilePath: vi.fn() }));
+vi.mock('../../../src/services/placePhotoCache', () => ({ serveFilePath }));
+
+import { MapsService } from '../../../src/nest/maps/maps.service';
+import type { DatabaseService } from '../../../src/nest/database/database.service';
+
+/** A DatabaseService stub whose get() returns the row the test wants. */
+function makeDb(row?: { value: string }) {
+  const get = vi.fn(() => row);
+  const db = { get } as unknown as DatabaseService;
+  return { db, get };
+}
+
+function svc(row?: { value: string }) {
+  return new MapsService(makeDb(row).db);
+}
+
+beforeEach(() => vi.clearAllMocks());
+
+describe('MapsService', () => {
+  describe('kill-switch settings reads', () => {
+    it('reports a switch disabled when the stored value is exactly "false"', () => {
+      expect(svc({ value: 'false' }).autocompleteDisabled()).toBe(true);
+      expect(svc({ value: 'false' }).detailsDisabled()).toBe(true);
+      expect(svc({ value: 'false' }).photosDisabled()).toBe(true);
+    });
+
+    it('reports enabled when the value is "true"', () => {
+      expect(svc({ value: 'true' }).autocompleteDisabled()).toBe(false);
+      expect(svc({ value: 'true' }).detailsDisabled()).toBe(false);
+      expect(svc({ value: 'true' }).photosDisabled()).toBe(false);
+    });
+
+    it('reports enabled when the setting row is absent', () => {
+      expect(svc(undefined).autocompleteDisabled()).toBe(false);
+      expect(svc(undefined).detailsDisabled()).toBe(false);
+      expect(svc(undefined).photosDisabled()).toBe(false);
+    });
+
+    it('queries the matching app_settings key', () => {
+      const { db, get } = makeDb({ value: 'true' });
+      const s = new MapsService(db);
+      s.autocompleteDisabled();
+      expect(get).toHaveBeenCalledWith(expect.stringContaining('app_settings'), 'places_autocomplete_enabled');
+      s.detailsDisabled();
+      expect(get).toHaveBeenCalledWith(expect.any(String), 'places_details_enabled');
+      s.photosDisabled();
+      expect(get).toHaveBeenCalledWith(expect.any(String), 'places_photos_enabled');
+    });
+  });
+
+  describe('delegation to the legacy maps service', () => {
+    it('search forwards userId, query, lang and bias', () => {
+      maps.searchPlaces.mockResolvedValue({ places: [], source: 'osm' });
+      const bias = { lat: 1, lng: 2, radius: 5 };
+      svc().search(3, 'berlin', 'de', bias);
+      expect(maps.searchPlaces).toHaveBeenCalledWith(3, 'berlin', 'de', bias);
+    });
+
+    it('search works without optional args', () => {
+      svc().search(3, 'berlin');
+      expect(maps.searchPlaces).toHaveBeenCalledWith(3, 'berlin', undefined, undefined);
+    });
+
+    it('autocomplete forwards through', () => {
+      const bias = { low: { lat: 1, lng: 2 }, high: { lat: 3, lng: 4 } };
+      svc().autocomplete(3, 'be', 'en', bias);
+      expect(maps.autocompletePlaces).toHaveBeenCalledWith(3, 'be', 'en', bias);
+    });
+
+    it('details forwards through', () => {
+      svc().details(3, 'p1', 'de');
+      expect(maps.getPlaceDetails).toHaveBeenCalledWith(3, 'p1', 'de');
+    });
+
+    it('detailsExpanded forwards refresh through', () => {
+      svc().detailsExpanded(3, 'p1', 'de', true);
+      expect(maps.getPlaceDetailsExpanded).toHaveBeenCalledWith(3, 'p1', 'de', true);
+    });
+
+    it('photo forwards coords and name through', () => {
+      svc().photo(3, 'p1', 1.5, 2.5, 'Spot');
+      expect(maps.getPlacePhoto).toHaveBeenCalledWith(3, 'p1', 1.5, 2.5, 'Spot');
+    });
+
+    it('reverse forwards through', () => {
+      svc().reverse('1', '2', 'de');
+      expect(maps.reverseGeocode).toHaveBeenCalledWith('1', '2', 'de');
+    });
+
+    it('resolveUrl forwards through', () => {
+      svc().resolveUrl('https://maps.app.goo.gl/x');
+      expect(maps.resolveGoogleMapsUrl).toHaveBeenCalledWith('https://maps.app.goo.gl/x');
+    });
+
+    it('pois forwards category and bbox through', () => {
+      const bbox = { south: 1, west: 2, north: 3, east: 4 };
+      svc().pois('cafe', bbox);
+      expect(maps.searchOverpassPois).toHaveBeenCalledWith('cafe', bbox);
+    });
+  });
+
+  describe('photoBytesPath', () => {
+    it('returns the cached file path from placePhotoCache', () => {
+      serveFilePath.mockReturnValue('/cache/p1.jpg');
+      expect(svc().photoBytesPath('p1')).toBe('/cache/p1.jpg');
+      expect(serveFilePath).toHaveBeenCalledWith('p1');
+    });
+
+    it('returns null when nothing is cached', () => {
+      serveFilePath.mockReturnValue(null);
+      expect(svc().photoBytesPath('p1')).toBeNull();
+    });
+  });
+});
@@ -0,0 +1,748 @@
+import { describe, it, expect, vi } from 'vitest';
+import type { Response } from 'express';
+import type { Request } from 'express';
+import { UnifiedMemoriesController } from '../../../src/nest/memories/unified.controller';
+import { ImmichMemoriesController } from '../../../src/nest/memories/immich.controller';
+import { SynologyMemoriesController } from '../../../src/nest/memories/synology.controller';
+import type { MemoriesService } from '../../../src/nest/memories/memories.service';
+import type { User } from '../../../src/types';
+
+const { getClientIp } = vi.hoisted(() => ({ getClientIp: vi.fn(() => '1.2.3.4') }));
+vi.mock('../../../src/services/auditLog', () => ({ getClientIp }));
+
+const user = { id: 7, role: 'user', email: 'u@example.test' } as User;
+
+function makeService(overrides: Partial<MemoriesService> = {}): MemoriesService {
+  return { ...overrides } as unknown as MemoriesService;
+}
+
+type MockRes = Response & {
+  status: ReturnType<typeof vi.fn>;
+  json: ReturnType<typeof vi.fn>;
+  statusCode: number;
+};
+
+function makeRes(): MockRes {
+  const res = {
+    statusCode: 200,
+    status: vi.fn(function (this: unknown, c: number) {
+      (res as { statusCode: number }).statusCode = c;
+      return res;
+    }),
+    json: vi.fn(function () {
+      return res;
+    }),
+  };
+  return res as unknown as MockRes;
+}
+
+// ─────────────────────────────────────────────────────────────────────────────
+describe('UnifiedMemoriesController (parity with /api/integrations/memories/unified)', () => {
+  describe('GET /trips/:tripId/photos', () => {
+    it('returns the photos on success', () => {
+      const svc = makeService({ listTripPhotos: vi.fn().mockReturnValue({ data: [{ id: 1 }] }) });
+      const res = makeRes();
+      new UnifiedMemoriesController(svc).listPhotos(user, '5', res);
+      expect(svc.listTripPhotos).toHaveBeenCalledWith('5', 7);
+      expect(res.json).toHaveBeenCalledWith({ photos: [{ id: 1 }] });
+      expect(res.status).not.toHaveBeenCalled();
+    });
+
+    it('maps the error envelope to its status + message', () => {
+      const svc = makeService({ listTripPhotos: vi.fn().mockReturnValue({ error: { status: 404, message: 'Trip not found' } }) });
+      const res = makeRes();
+      new UnifiedMemoriesController(svc).listPhotos(user, '5', res);
+      expect(res.status).toHaveBeenCalledWith(404);
+      expect(res.json).toHaveBeenCalledWith({ error: 'Trip not found' });
+    });
+  });
+
+  describe('POST /trips/:tripId/photos', () => {
+    it('defaults shared to true and selections to [] when both are absent', async () => {
+      const addTripPhotos = vi.fn().mockResolvedValue({ data: { added: 3 } });
+      const svc = makeService({ addTripPhotos });
+      const res = makeRes();
+      await new UnifiedMemoriesController(svc).addPhotos(user, '5', {}, 'sock', res);
+      expect(addTripPhotos).toHaveBeenCalledWith('5', 7, true, [], 'sock');
+      expect(res.json).toHaveBeenCalledWith({ success: true, added: 3 });
+    });
+
+    it('coerces a falsy shared flag and forwards an array of selections', async () => {
+      const addTripPhotos = vi.fn().mockResolvedValue({ data: { added: 0 } });
+      const svc = makeService({ addTripPhotos });
+      const selections = [{ provider: 'immich', asset_ids: ['a'] }];
+      await new UnifiedMemoriesController(svc).addPhotos(user, '5', { shared: 0, selections }, 'sock', makeRes());
+      expect(addTripPhotos).toHaveBeenCalledWith('5', 7, false, selections, 'sock');
+    });
+
+    it('ignores a non-array selections payload', async () => {
+      const addTripPhotos = vi.fn().mockResolvedValue({ data: { added: 0 } });
+      const svc = makeService({ addTripPhotos });
+      await new UnifiedMemoriesController(svc).addPhotos(user, '5', { selections: 'nope', shared: true }, 'sock', makeRes());
+      expect(addTripPhotos).toHaveBeenCalledWith('5', 7, true, [], 'sock');
+    });
+
+    it('maps the error envelope', async () => {
+      const svc = makeService({ addTripPhotos: vi.fn().mockResolvedValue({ error: { status: 403, message: 'No access' } }) });
+      const res = makeRes();
+      await new UnifiedMemoriesController(svc).addPhotos(user, '5', {}, 'sock', res);
+      expect(res.status).toHaveBeenCalledWith(403);
+      expect(res.json).toHaveBeenCalledWith({ error: 'No access' });
+    });
+  });
+
+  describe('PUT /trips/:tripId/photos/sharing', () => {
+    it('coerces photo_id to a number and forwards shared', async () => {
+      const setTripPhotoSharing = vi.fn().mockResolvedValue({ data: {} });
+      const svc = makeService({ setTripPhotoSharing });
+      const res = makeRes();
+      await new UnifiedMemoriesController(svc).setSharing(user, '5', { photo_id: '9', shared: true }, res);
+      expect(setTripPhotoSharing).toHaveBeenCalledWith('5', 7, 9, true);
+      expect(res.json).toHaveBeenCalledWith({ success: true });
+    });
+
+    it('maps the error envelope', async () => {
+      const svc = makeService({ setTripPhotoSharing: vi.fn().mockResolvedValue({ error: { status: 404, message: 'Photo not found' } }) });
+      const res = makeRes();
+      await new UnifiedMemoriesController(svc).setSharing(user, '5', { photo_id: '9', shared: false }, res);
+      expect(res.status).toHaveBeenCalledWith(404);
+      expect(res.json).toHaveBeenCalledWith({ error: 'Photo not found' });
+    });
+  });
+
+  describe('DELETE /trips/:tripId/photos', () => {
+    it('removes the photo on success', () => {
+      const removeTripPhoto = vi.fn().mockReturnValue({ data: {} });
+      const svc = makeService({ removeTripPhoto });
+      const res = makeRes();
+      new UnifiedMemoriesController(svc).removePhoto(user, '5', { photo_id: 11 }, res);
+      expect(removeTripPhoto).toHaveBeenCalledWith('5', 7, 11);
+      expect(res.json).toHaveBeenCalledWith({ success: true });
+    });
+
+    it('maps the error envelope', () => {
+      const svc = makeService({ removeTripPhoto: vi.fn().mockReturnValue({ error: { status: 404, message: 'Photo not found' } }) });
+      const res = makeRes();
+      new UnifiedMemoriesController(svc).removePhoto(user, '5', { photo_id: 11 }, res);
+      expect(res.status).toHaveBeenCalledWith(404);
+      expect(res.json).toHaveBeenCalledWith({ error: 'Photo not found' });
+    });
+  });
+
+  describe('GET /trips/:tripId/album-links', () => {
+    it('returns the links on success', () => {
+      const svc = makeService({ listTripAlbumLinks: vi.fn().mockReturnValue({ data: [{ id: 'l1' }] }) });
+      const res = makeRes();
+      new UnifiedMemoriesController(svc).listAlbumLinks(user, '5', res);
+      expect(res.json).toHaveBeenCalledWith({ links: [{ id: 'l1' }] });
+    });
+
+    it('maps the error envelope', () => {
+      const svc = makeService({ listTripAlbumLinks: vi.fn().mockReturnValue({ error: { status: 404, message: 'Trip not found' } }) });
+      const res = makeRes();
+      new UnifiedMemoriesController(svc).listAlbumLinks(user, '5', res);
+      expect(res.status).toHaveBeenCalledWith(404);
+      expect(res.json).toHaveBeenCalledWith({ error: 'Trip not found' });
+    });
+  });
+
+  describe('POST /trips/:tripId/album-links', () => {
+    it('forwards a coerced passphrase when present', () => {
+      const createTripAlbumLink = vi.fn().mockReturnValue({ data: {} });
+      const svc = makeService({ createTripAlbumLink });
+      const res = makeRes();
+      new UnifiedMemoriesController(svc).createAlbumLink(
+        user,
+        '5',
+        { provider: 'synologyphotos', album_id: 'a1', album_name: 'Trip', passphrase: 123 },
+        res,
+      );
+      expect(createTripAlbumLink).toHaveBeenCalledWith('5', 7, 'synologyphotos', 'a1', 'Trip', '123');
+      expect(res.json).toHaveBeenCalledWith({ success: true });
+    });
+
+    it('passes undefined when the passphrase is absent or empty', () => {
+      const createTripAlbumLink = vi.fn().mockReturnValue({ data: {} });
+      const svc = makeService({ createTripAlbumLink });
+      new UnifiedMemoriesController(svc).createAlbumLink(user, '5', { provider: 'immich', album_id: 'a1', album_name: 'Trip', passphrase: '' }, makeRes());
+      expect(createTripAlbumLink).toHaveBeenCalledWith('5', 7, 'immich', 'a1', 'Trip', undefined);
+    });
+
+    it('maps the error envelope', () => {
+      const svc = makeService({ createTripAlbumLink: vi.fn().mockReturnValue({ error: { status: 400, message: 'Invalid provider' } }) });
+      const res = makeRes();
+      new UnifiedMemoriesController(svc).createAlbumLink(user, '5', {}, res);
+      expect(res.status).toHaveBeenCalledWith(400);
+      expect(res.json).toHaveBeenCalledWith({ error: 'Invalid provider' });
+    });
+  });
+
+  describe('DELETE /trips/:tripId/album-links/:linkId', () => {
+    it('removes the link on success', () => {
+      const removeAlbumLink = vi.fn().mockReturnValue({ data: {} });
+      const svc = makeService({ removeAlbumLink });
+      const res = makeRes();
+      new UnifiedMemoriesController(svc).removeAlbumLink(user, '5', 'l1', res);
+      expect(removeAlbumLink).toHaveBeenCalledWith('5', 'l1', 7);
+      expect(res.json).toHaveBeenCalledWith({ success: true });
+    });
+
+    it('maps the error envelope', () => {
+      const svc = makeService({ removeAlbumLink: vi.fn().mockReturnValue({ error: { status: 404, message: 'Link not found' } }) });
+      const res = makeRes();
+      new UnifiedMemoriesController(svc).removeAlbumLink(user, '5', 'l1', res);
+      expect(res.status).toHaveBeenCalledWith(404);
+      expect(res.json).toHaveBeenCalledWith({ error: 'Link not found' });
+    });
+  });
+});
+
+// ─────────────────────────────────────────────────────────────────────────────
+describe('ImmichMemoriesController (parity with /api/integrations/memories/immich)', () => {
+  describe('GET /settings', () => {
+    it('delegates to the service', () => {
+      const immichGetConnectionSettings = vi.fn().mockReturnValue({ immich_url: 'u' });
+      const svc = makeService({ immichGetConnectionSettings });
+      expect(new ImmichMemoriesController(svc).getSettings(user)).toEqual({ immich_url: 'u' });
+      expect(immichGetConnectionSettings).toHaveBeenCalledWith(7);
+    });
+  });
+
+  describe('PUT /settings', () => {
+    const req = {} as Request;
+
+    it('400 when the save fails', async () => {
+      const svc = makeService({ immichSaveSettings: vi.fn().mockResolvedValue({ success: false, error: 'Bad URL' }) });
+      const res = makeRes();
+      await new ImmichMemoriesController(svc).putSettings(user, { immich_url: 'x', immich_api_key: 'k' }, req, res);
+      expect(res.status).toHaveBeenCalledWith(400);
+      expect(res.json).toHaveBeenCalledWith({ error: 'Bad URL' });
+    });
+
+    it('applies auto_upload when it is a boolean and returns success', async () => {
+      const immichSaveSettings = vi.fn().mockResolvedValue({ success: true });
+      const immichSetAutoUpload = vi.fn();
+      const svc = makeService({ immichSaveSettings, immichSetAutoUpload });
+      const res = makeRes();
+      await new ImmichMemoriesController(svc).putSettings(user, { immich_url: 'x', immich_api_key: 'k', auto_upload: true }, req, res);
+      expect(immichSaveSettings).toHaveBeenCalledWith(7, 'x', 'k', '1.2.3.4');
+      expect(immichSetAutoUpload).toHaveBeenCalledWith(7, true);
+      expect(res.json).toHaveBeenCalledWith({ success: true });
+    });
+
+    it('skips auto_upload when it is not a boolean', async () => {
+      const immichSaveSettings = vi.fn().mockResolvedValue({ success: true });
+      const immichSetAutoUpload = vi.fn();
+      const svc = makeService({ immichSaveSettings, immichSetAutoUpload });
+      await new ImmichMemoriesController(svc).putSettings(user, { auto_upload: 'yes' as unknown as boolean }, req, makeRes());
+      expect(immichSetAutoUpload).not.toHaveBeenCalled();
+    });
+
+    it('returns the warning when the save carries one', async () => {
+      const svc = makeService({ immichSaveSettings: vi.fn().mockResolvedValue({ success: true, warning: 'Unverified TLS' }) });
+      const res = makeRes();
+      await new ImmichMemoriesController(svc).putSettings(user, {}, req, res);
+      expect(res.json).toHaveBeenCalledWith({ success: true, warning: 'Unverified TLS' });
+    });
+  });
+
+  describe('GET /status', () => {
+    it('delegates to the service', async () => {
+      const svc = makeService({ immichGetConnectionStatus: vi.fn().mockResolvedValue({ connected: true }) });
+      await expect(new ImmichMemoriesController(svc).getStatus(user)).resolves.toEqual({ connected: true });
+    });
+  });
+
+  describe('POST /test', () => {
+    it('short-circuits to a 200 envelope when url is missing', async () => {
+      const immichTestConnection = vi.fn();
+      const svc = makeService({ immichTestConnection });
+      expect(await new ImmichMemoriesController(svc).test({ immich_api_key: 'k' })).toEqual({ connected: false, error: 'URL and API key required' });
+      expect(immichTestConnection).not.toHaveBeenCalled();
+    });
+
+    it('short-circuits when the api key is missing', async () => {
+      const immichTestConnection = vi.fn();
+      const svc = makeService({ immichTestConnection });
+      expect(await new ImmichMemoriesController(svc).test({ immich_url: 'u' })).toEqual({ connected: false, error: 'URL and API key required' });
+      expect(immichTestConnection).not.toHaveBeenCalled();
+    });
+
+    it('delegates when both are present', async () => {
+      const immichTestConnection = vi.fn().mockResolvedValue({ connected: true });
+      const svc = makeService({ immichTestConnection });
+      expect(await new ImmichMemoriesController(svc).test({ immich_url: 'u', immich_api_key: 'k' })).toEqual({ connected: true });
+      expect(immichTestConnection).toHaveBeenCalledWith('u', 'k');
+    });
+  });
+
+  describe('GET /browse', () => {
+    it('returns the buckets on success', async () => {
+      const svc = makeService({ immichBrowseTimeline: vi.fn().mockResolvedValue({ buckets: [{ id: 'b' }] }) });
+      const res = makeRes();
+      await new ImmichMemoriesController(svc).browse(user, res);
+      expect(res.json).toHaveBeenCalledWith({ buckets: [{ id: 'b' }] });
+    });
+
+    it('maps the error with its status', async () => {
+      const svc = makeService({ immichBrowseTimeline: vi.fn().mockResolvedValue({ error: 'Not connected', status: 412 }) });
+      const res = makeRes();
+      await new ImmichMemoriesController(svc).browse(user, res);
+      expect(res.status).toHaveBeenCalledWith(412);
+      expect(res.json).toHaveBeenCalledWith({ error: 'Not connected' });
+    });
+  });
+
+  describe('POST /search', () => {
+    it('clamps page to >=1 and size to <=200 and defaults both', async () => {
+      const immichSearchPhotos = vi.fn().mockResolvedValue({ assets: [{ id: 'a' }], hasMore: true });
+      const svc = makeService({ immichSearchPhotos });
+      const res = makeRes();
+      await new ImmichMemoriesController(svc).search(user, { from: 'f', to: 't' }, res);
+      expect(immichSearchPhotos).toHaveBeenCalledWith(7, 'f', 't', 1, 50);
+      expect(res.json).toHaveBeenCalledWith({ assets: [{ id: 'a' }], hasMore: true });
+    });
+
+    it('floors a sub-1 page to 1 and caps an oversized size at 200', async () => {
+      const immichSearchPhotos = vi.fn().mockResolvedValue({});
+      const svc = makeService({ immichSearchPhotos });
+      await new ImmichMemoriesController(svc).search(user, { page: 0, size: 9999 }, makeRes());
+      expect(immichSearchPhotos).toHaveBeenCalledWith(7, undefined, undefined, 1, 200);
+    });
+
+    it('honours an explicit page and size within range', async () => {
+      const immichSearchPhotos = vi.fn().mockResolvedValue({});
+      const svc = makeService({ immichSearchPhotos });
+      await new ImmichMemoriesController(svc).search(user, { page: 3, size: 25 }, makeRes());
+      expect(immichSearchPhotos).toHaveBeenCalledWith(7, undefined, undefined, 3, 25);
+    });
+
+    it('defaults assets to [] and hasMore to false when omitted', async () => {
+      const svc = makeService({ immichSearchPhotos: vi.fn().mockResolvedValue({}) });
+      const res = makeRes();
+      await new ImmichMemoriesController(svc).search(user, {}, res);
+      expect(res.json).toHaveBeenCalledWith({ assets: [], hasMore: false });
+    });
+
+    it('maps the error envelope', async () => {
+      const svc = makeService({ immichSearchPhotos: vi.fn().mockResolvedValue({ error: 'down', status: 502 }) });
+      const res = makeRes();
+      await new ImmichMemoriesController(svc).search(user, {}, res);
+      expect(res.status).toHaveBeenCalledWith(502);
+      expect(res.json).toHaveBeenCalledWith({ error: 'down' });
+    });
+  });
+
+  describe('GET /assets/:tripId/:assetId/:ownerId/info', () => {
+    it('400 on an invalid asset id', async () => {
+      const immichIsValidAssetId = vi.fn().mockReturnValue(false);
+      const svc = makeService({ immichIsValidAssetId });
+      const res = makeRes();
+      await new ImmichMemoriesController(svc).assetInfo(user, '5', 'bad', '2', res);
+      expect(res.status).toHaveBeenCalledWith(400);
+      expect(res.json).toHaveBeenCalledWith({ error: 'Invalid asset ID' });
+    });
+
+    it('403 when access is denied', async () => {
+      const svc = makeService({
+        immichIsValidAssetId: vi.fn().mockReturnValue(true),
+        canAccessUserPhoto: vi.fn().mockReturnValue(false),
+      });
+      const res = makeRes();
+      await new ImmichMemoriesController(svc).assetInfo(user, '5', 'a', '2', res);
+      expect(svc.canAccessUserPhoto).toHaveBeenCalledWith(7, 2, '5', 'a', 'immich');
+      expect(res.status).toHaveBeenCalledWith(403);
+      expect(res.json).toHaveBeenCalledWith({ error: 'Forbidden' });
+    });
+
+    it('maps a service error after the guards pass', async () => {
+      const svc = makeService({
+        immichIsValidAssetId: vi.fn().mockReturnValue(true),
+        canAccessUserPhoto: vi.fn().mockReturnValue(true),
+        immichGetAssetInfo: vi.fn().mockResolvedValue({ error: 'Asset gone', status: 404 }),
+      });
+      const res = makeRes();
+      await new ImmichMemoriesController(svc).assetInfo(user, '5', 'a', '2', res);
+      expect(res.status).toHaveBeenCalledWith(404);
+      expect(res.json).toHaveBeenCalledWith({ error: 'Asset gone' });
+    });
+
+    it('returns the asset data on success', async () => {
+      const svc = makeService({
+        immichIsValidAssetId: vi.fn().mockReturnValue(true),
+        canAccessUserPhoto: vi.fn().mockReturnValue(true),
+        immichGetAssetInfo: vi.fn().mockResolvedValue({ data: { id: 'a', takenAt: 't' } }),
+      });
+      const res = makeRes();
+      await new ImmichMemoriesController(svc).assetInfo(user, '5', 'a', '2', res);
+      expect(res.json).toHaveBeenCalledWith({ id: 'a', takenAt: 't' });
+    });
+  });
+
+  describe('GET /assets/.../thumbnail + /original', () => {
+    it('thumbnail: 400 on invalid id', async () => {
+      const svc = makeService({ immichIsValidAssetId: vi.fn().mockReturnValue(false) });
+      const res = makeRes();
+      await new ImmichMemoriesController(svc).assetThumbnail(user, '5', 'bad', '2', res);
+      expect(res.status).toHaveBeenCalledWith(400);
+    });
+
+    it('thumbnail: 403 when access denied', async () => {
+      const svc = makeService({
+        immichIsValidAssetId: vi.fn().mockReturnValue(true),
+        canAccessUserPhoto: vi.fn().mockReturnValue(false),
+      });
+      const res = makeRes();
+      await new ImmichMemoriesController(svc).assetThumbnail(user, '5', 'a', '2', res);
+      expect(res.status).toHaveBeenCalledWith(403);
+    });
+
+    it('thumbnail: streams with kind=thumbnail when allowed', async () => {
+      const immichStreamAsset = vi.fn().mockResolvedValue(undefined);
+      const svc = makeService({
+        immichIsValidAssetId: vi.fn().mockReturnValue(true),
+        canAccessUserPhoto: vi.fn().mockReturnValue(true),
+        immichStreamAsset,
+      });
+      const res = makeRes();
+      await new ImmichMemoriesController(svc).assetThumbnail(user, '5', 'a', '2', res);
+      expect(immichStreamAsset).toHaveBeenCalledWith(res, 7, 'a', 'thumbnail', 2);
+    });
+
+    it('original: 400 on invalid id', async () => {
+      const svc = makeService({ immichIsValidAssetId: vi.fn().mockReturnValue(false) });
+      const res = makeRes();
+      await new ImmichMemoriesController(svc).assetOriginal(user, '5', 'bad', '2', res);
+      expect(res.status).toHaveBeenCalledWith(400);
+    });
+
+    it('original: 403 when access denied', async () => {
+      const svc = makeService({
+        immichIsValidAssetId: vi.fn().mockReturnValue(true),
+        canAccessUserPhoto: vi.fn().mockReturnValue(false),
+      });
+      const res = makeRes();
+      await new ImmichMemoriesController(svc).assetOriginal(user, '5', 'a', '2', res);
+      expect(res.status).toHaveBeenCalledWith(403);
+    });
+
+    it('original: streams with kind=original when allowed', async () => {
+      const immichStreamAsset = vi.fn().mockResolvedValue(undefined);
+      const svc = makeService({
+        immichIsValidAssetId: vi.fn().mockReturnValue(true),
+        canAccessUserPhoto: vi.fn().mockReturnValue(true),
+        immichStreamAsset,
+      });
+      const res = makeRes();
+      await new ImmichMemoriesController(svc).assetOriginal(user, '5', 'a', '2', res);
+      expect(immichStreamAsset).toHaveBeenCalledWith(res, 7, 'a', 'original', 2);
+    });
+  });
+
+  describe('GET /albums + /albums/:albumId/photos', () => {
+    it('albums: returns the list on success', async () => {
+      const svc = makeService({ immichListAlbums: vi.fn().mockResolvedValue({ albums: [{ id: 'a' }] }) });
+      const res = makeRes();
+      await new ImmichMemoriesController(svc).albums(user, res);
+      expect(res.json).toHaveBeenCalledWith({ albums: [{ id: 'a' }] });
+    });
+
+    it('albums: maps the error envelope', async () => {
+      const svc = makeService({ immichListAlbums: vi.fn().mockResolvedValue({ error: 'nope', status: 500 }) });
+      const res = makeRes();
+      await new ImmichMemoriesController(svc).albums(user, res);
+      expect(res.status).toHaveBeenCalledWith(500);
+      expect(res.json).toHaveBeenCalledWith({ error: 'nope' });
+    });
+
+    it('albumPhotos: returns the assets on success', async () => {
+      const svc = makeService({ immichGetAlbumPhotos: vi.fn().mockResolvedValue({ assets: [{ id: 'p' }] }) });
+      const res = makeRes();
+      await new ImmichMemoriesController(svc).albumPhotos(user, 'al1', res);
+      expect(svc.immichGetAlbumPhotos).toHaveBeenCalledWith(7, 'al1');
+      expect(res.json).toHaveBeenCalledWith({ assets: [{ id: 'p' }] });
+    });
+
+    it('albumPhotos: maps the error envelope', async () => {
+      const svc = makeService({ immichGetAlbumPhotos: vi.fn().mockResolvedValue({ error: 'gone', status: 404 }) });
+      const res = makeRes();
+      await new ImmichMemoriesController(svc).albumPhotos(user, 'al1', res);
+      expect(res.status).toHaveBeenCalledWith(404);
+      expect(res.json).toHaveBeenCalledWith({ error: 'gone' });
+    });
+  });
+
+  describe('POST /trips/:tripId/album-links/:linkId/sync', () => {
+    it('maps the error envelope without broadcasting', async () => {
+      const broadcast = vi.fn();
+      const svc = makeService({ immichSyncAlbumAssets: vi.fn().mockResolvedValue({ error: 'Link gone', status: 404 }), broadcast });
+      const res = makeRes();
+      await new ImmichMemoriesController(svc).sync(user, '5', 'l1', 'sock', res);
+      expect(res.status).toHaveBeenCalledWith(404);
+      expect(res.json).toHaveBeenCalledWith({ error: 'Link gone' });
+      expect(broadcast).not.toHaveBeenCalled();
+    });
+
+    it('broadcasts when at least one asset was added', async () => {
+      const broadcast = vi.fn();
+      const svc = makeService({ immichSyncAlbumAssets: vi.fn().mockResolvedValue({ added: 2, total: 10 }), broadcast });
+      const res = makeRes();
+      await new ImmichMemoriesController(svc).sync(user, '5', 'l1', 'sock', res);
+      expect(res.json).toHaveBeenCalledWith({ success: true, added: 2, total: 10 });
+      expect(broadcast).toHaveBeenCalledWith('5', 'memories:updated', { userId: 7 }, 'sock');
+    });
+
+    it('does not broadcast when nothing was added', async () => {
+      const broadcast = vi.fn();
+      const svc = makeService({ immichSyncAlbumAssets: vi.fn().mockResolvedValue({ added: 0, total: 10 }), broadcast });
+      const res = makeRes();
+      await new ImmichMemoriesController(svc).sync(user, '5', 'l1', 'sock', res);
+      expect(res.json).toHaveBeenCalledWith({ success: true, added: 0, total: 10 });
+      expect(broadcast).not.toHaveBeenCalled();
+    });
+  });
+});
+
+// ─────────────────────────────────────────────────────────────────────────────
+describe('SynologyMemoriesController (parity with /api/integrations/memories/synologyphotos)', () => {
+  describe('GET /settings + /status', () => {
+    it('settings: returns the data on success', async () => {
+      const svc = makeService({ synologyGetSettings: vi.fn().mockResolvedValue({ success: true, data: { synology_url: 'u' } }) });
+      const res = makeRes();
+      await new SynologyMemoriesController(svc).getSettings(user, res);
+      expect(res.json).toHaveBeenCalledWith({ synology_url: 'u' });
+    });
+
+    it('settings: maps the error envelope', async () => {
+      const svc = makeService({ synologyGetSettings: vi.fn().mockResolvedValue({ success: false, error: { status: 500, message: 'DB error' } }) });
+      const res = makeRes();
+      await new SynologyMemoriesController(svc).getSettings(user, res);
+      expect(res.status).toHaveBeenCalledWith(500);
+      expect(res.json).toHaveBeenCalledWith({ error: 'DB error' });
+    });
+
+    it('status: delegates', async () => {
+      const svc = makeService({ synologyGetStatus: vi.fn().mockResolvedValue({ success: true, data: { connected: true } }) });
+      const res = makeRes();
+      await new SynologyMemoriesController(svc).getStatus(user, res);
+      expect(res.json).toHaveBeenCalledWith({ connected: true });
+    });
+  });
+
+  describe('PUT /settings', () => {
+    it('400 when the url is missing', async () => {
+      const synologyUpdateSettings = vi.fn();
+      const svc = makeService({ synologyUpdateSettings });
+      const res = makeRes();
+      await new SynologyMemoriesController(svc).putSettings(user, { synology_username: 'admin' }, res);
+      expect(res.status).toHaveBeenCalledWith(400);
+      expect(res.json).toHaveBeenCalledWith({ error: 'URL and username are required' });
+      expect(synologyUpdateSettings).not.toHaveBeenCalled();
+    });
+
+    it('400 when the username is missing', async () => {
+      const synologyUpdateSettings = vi.fn();
+      const svc = makeService({ synologyUpdateSettings });
+      const res = makeRes();
+      await new SynologyMemoriesController(svc).putSettings(user, { synology_url: 'http://nas' }, res);
+      expect(res.status).toHaveBeenCalledWith(400);
+      expect(synologyUpdateSettings).not.toHaveBeenCalled();
+    });
+
+    it('delegates with trimmed values and the boolean skip-ssl flag (true keyword)', async () => {
+      const synologyUpdateSettings = vi.fn().mockResolvedValue({ success: true, data: {} });
+      const svc = makeService({ synologyUpdateSettings });
+      const res = makeRes();
+      await new SynologyMemoriesController(
+        svc,
+      ).putSettings(user, { synology_url: '  http://nas  ', synology_username: ' admin ', synology_password: ' pw ', synology_skip_ssl: 'true' }, res);
+      expect(synologyUpdateSettings).toHaveBeenCalledWith(7, 'http://nas', 'admin', 'pw', true);
+      expect(res.json).toHaveBeenCalledWith({});
+    });
+
+    it('treats a literal-true skip-ssl flag as true and other values as false', async () => {
+      const synologyUpdateSettings = vi.fn().mockResolvedValue({ success: true, data: {} });
+      const svc = makeService({ synologyUpdateSettings });
+      await new SynologyMemoriesController(svc).putSettings(user, { synology_url: 'u', synology_username: 'a', synology_skip_ssl: true }, makeRes());
+      expect(synologyUpdateSettings).toHaveBeenCalledWith(7, 'u', 'a', '', true);
+
+      const svc2 = makeService({ synologyUpdateSettings: vi.fn().mockResolvedValue({ success: true, data: {} }) });
+      await new SynologyMemoriesController(svc2).putSettings(user, { synology_url: 'u', synology_username: 'a', synology_skip_ssl: 'no' }, makeRes());
+      expect(svc2.synologyUpdateSettings).toHaveBeenCalledWith(7, 'u', 'a', '', false);
+    });
+  });
+
+  describe('POST /test', () => {
+    it('reports a single missing field with "is required"', async () => {
+      const synologyTestConnection = vi.fn();
+      const svc = makeService({ synologyTestConnection });
+      const res = makeRes();
+      await new SynologyMemoriesController(svc).test(user, { synology_url: 'u', synology_username: 'a' }, res);
+      expect(res.json).toHaveBeenCalledWith({ connected: false, error: 'Password is required' });
+      expect(synologyTestConnection).not.toHaveBeenCalled();
+    });
+
+    it('reports multiple missing fields with "are required"', async () => {
+      const svc = makeService({ synologyTestConnection: vi.fn() });
+      const res = makeRes();
+      await new SynologyMemoriesController(svc).test(user, {}, res);
+      expect(res.json).toHaveBeenCalledWith({ connected: false, error: 'URL, Username, Password are required' });
+    });
+
+    it('delegates when every field is present (otp + skip-ssl forwarded)', async () => {
+      const synologyTestConnection = vi.fn().mockResolvedValue({ success: true, data: { connected: true } });
+      const svc = makeService({ synologyTestConnection });
+      const res = makeRes();
+      await new SynologyMemoriesController(
+        svc,
+      ).test(user, { synology_url: 'u', synology_username: 'a', synology_password: 'p', synology_otp: '123', synology_skip_ssl: true }, res);
+      expect(synologyTestConnection).toHaveBeenCalledWith(7, 'u', 'a', 'p', '123', true);
+      expect(res.json).toHaveBeenCalledWith({ connected: true });
+    });
+  });
+
+  describe('GET /albums + /albums/:albumId/photos', () => {
+    it('albums: delegates', async () => {
+      const svc = makeService({ synologyListAlbums: vi.fn().mockResolvedValue({ success: true, data: { albums: [] } }) });
+      const res = makeRes();
+      await new SynologyMemoriesController(svc).albums(user, res);
+      expect(res.json).toHaveBeenCalledWith({ albums: [] });
+    });
+
+    it('albumPhotos: forwards a coerced passphrase when present', async () => {
+      const synologyGetAlbumPhotos = vi.fn().mockResolvedValue({ success: true, data: { assets: [] } });
+      const svc = makeService({ synologyGetAlbumPhotos });
+      const res = makeRes();
+      await new SynologyMemoriesController(svc).albumPhotos(user, 'al1', 'secret', res);
+      expect(synologyGetAlbumPhotos).toHaveBeenCalledWith(7, 'al1', 'secret');
+      expect(res.json).toHaveBeenCalledWith({ assets: [] });
+    });
+
+    it('albumPhotos: passes undefined when the passphrase query is absent', async () => {
+      const synologyGetAlbumPhotos = vi.fn().mockResolvedValue({ success: true, data: { assets: [] } });
+      const svc = makeService({ synologyGetAlbumPhotos });
+      await new SynologyMemoriesController(svc).albumPhotos(user, 'al1', undefined, makeRes());
+      expect(synologyGetAlbumPhotos).toHaveBeenCalledWith(7, 'al1', undefined);
+    });
+  });
+
+  describe('POST /trips/:tripId/album-links/:linkId/sync', () => {
+    it('delegates and unwraps the success envelope', async () => {
+      const synologySyncAlbumLink = vi.fn().mockResolvedValue({ success: true, data: { added: 1, total: 2 } });
+      const svc = makeService({ synologySyncAlbumLink });
+      const res = makeRes();
+      await new SynologyMemoriesController(svc).sync(user, '5', 'l1', 'sock', res);
+      expect(synologySyncAlbumLink).toHaveBeenCalledWith(7, '5', 'l1', 'sock');
+      expect(res.json).toHaveBeenCalledWith({ added: 1, total: 2 });
+    });
+  });
+
+  describe('POST /search', () => {
+    it('uses the default offset/limit when nothing is provided', async () => {
+      const synologySearchPhotos = vi.fn().mockResolvedValue({ success: true, data: { assets: [] } });
+      const svc = makeService({ synologySearchPhotos });
+      await new SynologyMemoriesController(svc).search(user, {}, makeRes());
+      expect(synologySearchPhotos).toHaveBeenCalledWith(7, undefined, undefined, 0, 100);
+    });
+
+    it('forwards from/to and uses size as the limit when size > 0', async () => {
+      const synologySearchPhotos = vi.fn().mockResolvedValue({ success: true, data: { assets: [] } });
+      const svc = makeService({ synologySearchPhotos });
+      await new SynologyMemoriesController(svc).search(user, { from: '2024-01-01', to: '2024-02-01', size: 30 }, makeRes());
+      expect(synologySearchPhotos).toHaveBeenCalledWith(7, '2024-01-01', '2024-02-01', 0, 30);
+    });
+
+    it('derives the offset from a 1-based page using the limit', async () => {
+      const synologySearchPhotos = vi.fn().mockResolvedValue({ success: true, data: { assets: [] } });
+      const svc = makeService({ synologySearchPhotos });
+      await new SynologyMemoriesController(svc).search(user, { page: 3, limit: 20 }, makeRes());
+      // page-1 = 2, offset = 2 * 20 = 40
+      expect(synologySearchPhotos).toHaveBeenCalledWith(7, undefined, undefined, 40, 20);
+    });
+
+    it('keeps the explicit offset when page resolves to <= 0', async () => {
+      const synologySearchPhotos = vi.fn().mockResolvedValue({ success: true, data: { assets: [] } });
+      const svc = makeService({ synologySearchPhotos });
+      await new SynologyMemoriesController(svc).search(user, { page: 1, offset: 5, limit: 10 }, makeRes());
+      expect(synologySearchPhotos).toHaveBeenCalledWith(7, undefined, undefined, 5, 10);
+    });
+
+    it('falls back to defaults when numeric fields are non-finite', async () => {
+      const synologySearchPhotos = vi.fn().mockResolvedValue({ success: true, data: { assets: [] } });
+      const svc = makeService({ synologySearchPhotos });
+      await new SynologyMemoriesController(svc).search(user, { offset: 'x', limit: 'y', page: 'z', size: 'q' }, makeRes());
+      expect(synologySearchPhotos).toHaveBeenCalledWith(7, undefined, undefined, 0, 100);
+    });
+  });
+
+  describe('GET /assets/:tripId/:photoId/:ownerId/info', () => {
+    it('403 when access is denied', async () => {
+      const svc = makeService({ canAccessUserPhoto: vi.fn().mockReturnValue(false) });
+      const res = makeRes();
+      await new SynologyMemoriesController(svc).assetInfo(user, '5', 'p1', '2', undefined, res);
+      expect(svc.canAccessUserPhoto).toHaveBeenCalledWith(7, 2, '5', 'p1', 'synologyphotos');
+      expect(res.status).toHaveBeenCalledWith(403);
+      expect(res.json).toHaveBeenCalledWith({ error: "You don't have access to this photo" });
+    });
+
+    it('delegates with the coerced passphrase when access is granted', async () => {
+      const synologyGetAssetInfo = vi.fn().mockResolvedValue({ success: true, data: { id: 'p1' } });
+      const svc = makeService({ canAccessUserPhoto: vi.fn().mockReturnValue(true), synologyGetAssetInfo });
+      const res = makeRes();
+      await new SynologyMemoriesController(svc).assetInfo(user, '5', 'p1', '2', 'secret', res);
+      expect(synologyGetAssetInfo).toHaveBeenCalledWith(7, 'p1', 2, 'secret');
+      expect(res.json).toHaveBeenCalledWith({ id: 'p1' });
+    });
+
+    it('passes undefined passphrase when the query is absent', async () => {
+      const synologyGetAssetInfo = vi.fn().mockResolvedValue({ success: true, data: { id: 'p1' } });
+      const svc = makeService({ canAccessUserPhoto: vi.fn().mockReturnValue(true), synologyGetAssetInfo });
+      await new SynologyMemoriesController(svc).assetInfo(user, '5', 'p1', '2', undefined, makeRes());
+      expect(synologyGetAssetInfo).toHaveBeenCalledWith(7, 'p1', 2, undefined);
+    });
+  });
+
+  describe('GET /assets/:tripId/:photoId/:ownerId/:kind', () => {
+    it('400 on an invalid kind', async () => {
+      const synologyStreamAsset = vi.fn();
+      const svc = makeService({ synologyStreamAsset });
+      const res = makeRes();
+      await new SynologyMemoriesController(svc).asset(user, '5', 'p1', '2', 'preview', undefined, undefined, res);
+      expect(res.status).toHaveBeenCalledWith(400);
+      expect(res.json).toHaveBeenCalledWith({ error: 'Invalid asset kind' });
+      expect(synologyStreamAsset).not.toHaveBeenCalled();
+    });
+
+    it('403 when access is denied for a valid kind', async () => {
+      const svc = makeService({ canAccessUserPhoto: vi.fn().mockReturnValue(false) });
+      const res = makeRes();
+      await new SynologyMemoriesController(svc).asset(user, '5', 'p1', '2', 'thumbnail', undefined, undefined, res);
+      expect(res.status).toHaveBeenCalledWith(403);
+      expect(res.json).toHaveBeenCalledWith({ error: "You don't have access to this photo" });
+    });
+
+    it('streams a thumbnail, defaulting size to "sm" when omitted', async () => {
+      const synologyStreamAsset = vi.fn().mockResolvedValue(undefined);
+      const svc = makeService({ canAccessUserPhoto: vi.fn().mockReturnValue(true), synologyStreamAsset });
+      const res = makeRes();
+      await new SynologyMemoriesController(svc).asset(user, '5', 'p1', '2', 'thumbnail', undefined, undefined, res);
+      expect(synologyStreamAsset).toHaveBeenCalledWith(res, 7, 2, 'p1', 'thumbnail', 'sm', undefined);
+    });
+
+    it('keeps a whitelisted size and forwards the passphrase for an original', async () => {
+      const synologyStreamAsset = vi.fn().mockResolvedValue(undefined);
+      const svc = makeService({ canAccessUserPhoto: vi.fn().mockReturnValue(true), synologyStreamAsset });
+      const res = makeRes();
+      await new SynologyMemoriesController(svc).asset(user, '5', 'p1', '2', 'original', 'xl', 'secret', res);
+      expect(synologyStreamAsset).toHaveBeenCalledWith(res, 7, 2, 'p1', 'original', 'xl', 'secret');
+    });
+
+    it('coerces a non-whitelisted size back to "sm"', async () => {
+      const synologyStreamAsset = vi.fn().mockResolvedValue(undefined);
+      const svc = makeService({ canAccessUserPhoto: vi.fn().mockReturnValue(true), synologyStreamAsset });
+      const res = makeRes();
+      await new SynologyMemoriesController(svc).asset(user, '5', 'p1', '2', 'thumbnail', 'huge', undefined, res);
+      expect(synologyStreamAsset).toHaveBeenCalledWith(res, 7, 2, 'p1', 'thumbnail', 'sm', undefined);
+    });
+  });
+});
@@ -0,0 +1,195 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+
+// The MemoriesService is a thin pass-through over the legacy services/memories/*
+// helpers. Mock each legacy module so we can assert the wrapper forwards every
+// argument unchanged (and exercise the optional-param call sites).
+
+const unified = vi.hoisted(() => ({
+  listTripPhotos: vi.fn(() => ({ data: [] })),
+  listTripAlbumLinks: vi.fn(() => ({ data: [] })),
+  createTripAlbumLink: vi.fn(() => ({ data: {} })),
+  removeAlbumLink: vi.fn(() => ({ data: {} })),
+  addTripPhotos: vi.fn(async () => ({ data: { added: 0 } })),
+  removeTripPhoto: vi.fn(() => ({ data: {} })),
+  setTripPhotoSharing: vi.fn(async () => ({ data: {} })),
+}));
+vi.mock('../../../src/services/memories/unifiedService', () => unified);
+
+const immich = vi.hoisted(() => ({
+  getConnectionSettings: vi.fn(() => ({})),
+  saveImmichSettings: vi.fn(async () => ({ success: true })),
+  setImmichAutoUpload: vi.fn(),
+  testConnection: vi.fn(async () => ({ connected: true })),
+  getConnectionStatus: vi.fn(async () => ({ connected: true })),
+  browseTimeline: vi.fn(async () => ({ buckets: [] })),
+  searchPhotos: vi.fn(async () => ({ assets: [] })),
+  streamImmichAsset: vi.fn(async () => undefined),
+  listAlbums: vi.fn(async () => ({ albums: [] })),
+  getAlbumPhotos: vi.fn(async () => ({ assets: [] })),
+  syncAlbumAssets: vi.fn(async () => ({ added: 0, total: 0 })),
+  getAssetInfo: vi.fn(async () => ({ data: {} })),
+  isValidAssetId: vi.fn(() => true),
+}));
+vi.mock('../../../src/services/memories/immichService', () => immich);
+
+const synology = vi.hoisted(() => ({
+  getSynologySettings: vi.fn(async () => ({ success: true, data: {} })),
+  updateSynologySettings: vi.fn(async () => ({ success: true, data: {} })),
+  getSynologyStatus: vi.fn(async () => ({ success: true, data: {} })),
+  testSynologyConnection: vi.fn(async () => ({ success: true, data: {} })),
+  listSynologyAlbums: vi.fn(async () => ({ success: true, data: {} })),
+  getSynologyAlbumPhotos: vi.fn(async () => ({ success: true, data: {} })),
+  syncSynologyAlbumLink: vi.fn(async () => ({ success: true, data: {} })),
+  searchSynologyPhotos: vi.fn(async () => ({ success: true, data: {} })),
+  getSynologyAssetInfo: vi.fn(async () => ({ success: true, data: {} })),
+  streamSynologyAsset: vi.fn(async () => undefined),
+}));
+vi.mock('../../../src/services/memories/synologyService', () => synology);
+
+const helpers = vi.hoisted(() => ({ canAccessUserPhoto: vi.fn(() => true) }));
+vi.mock('../../../src/services/memories/helpersService', () => helpers);
+
+const ws = vi.hoisted(() => ({ broadcast: vi.fn() }));
+vi.mock('../../../src/websocket', () => ws);
+
+import { MemoriesService } from '../../../src/nest/memories/memories.service';
+
+const res = {} as import('express').Response;
+
+describe('MemoriesService (delegation wrapper over services/memories/*)', () => {
+  let svc: MemoriesService;
+
+  beforeEach(() => {
+    vi.clearAllMocks();
+    svc = new MemoriesService();
+  });
+
+  it('access check + broadcast forward verbatim', () => {
+    helpers.canAccessUserPhoto.mockReturnValue(false);
+    expect(svc.canAccessUserPhoto(1, 2, '5', 'a', 'immich')).toBe(false);
+    expect(helpers.canAccessUserPhoto).toHaveBeenCalledWith(1, 2, '5', 'a', 'immich');
+
+    svc.broadcast('5', 'memories:updated', { userId: 1 }, 'sock');
+    expect(ws.broadcast).toHaveBeenCalledWith('5', 'memories:updated', { userId: 1 }, 'sock');
+  });
+
+  it('broadcast forwards an absent socket id as undefined', () => {
+    svc.broadcast('5', 'memories:updated', { userId: 1 });
+    expect(ws.broadcast).toHaveBeenCalledWith('5', 'memories:updated', { userId: 1 }, undefined);
+  });
+
+  it('unified methods delegate', async () => {
+    svc.listTripPhotos('5', 7);
+    expect(unified.listTripPhotos).toHaveBeenCalledWith('5', 7);
+
+    const selections = [{ provider: 'immich', asset_ids: ['a'] }];
+    await svc.addTripPhotos('5', 7, true, selections, 'sock');
+    expect(unified.addTripPhotos).toHaveBeenCalledWith('5', 7, true, selections, 'sock');
+
+    await svc.setTripPhotoSharing('5', 7, 9, false);
+    expect(unified.setTripPhotoSharing).toHaveBeenCalledWith('5', 7, 9, false);
+
+    svc.removeTripPhoto('5', 7, 9);
+    expect(unified.removeTripPhoto).toHaveBeenCalledWith('5', 7, 9);
+
+    svc.listTripAlbumLinks('5', 7);
+    expect(unified.listTripAlbumLinks).toHaveBeenCalledWith('5', 7);
+
+    svc.removeAlbumLink('5', 'l1', 7);
+    expect(unified.removeAlbumLink).toHaveBeenCalledWith('5', 'l1', 7);
+  });
+
+  it('createTripAlbumLink forwards a passphrase when present and omits it when absent', () => {
+    svc.createTripAlbumLink('5', 7, 'immich', 'a1', 'Trip', 'secret');
+    expect(unified.createTripAlbumLink).toHaveBeenCalledWith('5', 7, 'immich', 'a1', 'Trip', 'secret');
+
+    svc.createTripAlbumLink('5', 7, 'immich', 'a1', 'Trip');
+    expect(unified.createTripAlbumLink).toHaveBeenLastCalledWith('5', 7, 'immich', 'a1', 'Trip', undefined);
+  });
+
+  it('immich methods delegate', async () => {
+    svc.immichGetConnectionSettings(7);
+    expect(immich.getConnectionSettings).toHaveBeenCalledWith(7);
+
+    await svc.immichSaveSettings(7, 'u', 'k', '1.2.3.4');
+    expect(immich.saveImmichSettings).toHaveBeenCalledWith(7, 'u', 'k', '1.2.3.4');
+
+    svc.immichSetAutoUpload(7, true);
+    expect(immich.setImmichAutoUpload).toHaveBeenCalledWith(7, true);
+
+    await svc.immichGetConnectionStatus(7);
+    expect(immich.getConnectionStatus).toHaveBeenCalledWith(7);
+
+    await svc.immichTestConnection('u', 'k');
+    expect(immich.testConnection).toHaveBeenCalledWith('u', 'k');
+
+    await svc.immichBrowseTimeline(7);
+    expect(immich.browseTimeline).toHaveBeenCalledWith(7);
+
+    await svc.immichSearchPhotos(7, 'f', 't', 2, 50);
+    expect(immich.searchPhotos).toHaveBeenCalledWith(7, 'f', 't', 2, 50);
+
+    expect(svc.immichIsValidAssetId('abc')).toBe(true);
+    expect(immich.isValidAssetId).toHaveBeenCalledWith('abc');
+
+    await svc.immichGetAssetInfo(7, 'a', 2);
+    expect(immich.getAssetInfo).toHaveBeenCalledWith(7, 'a', 2);
+
+    await svc.immichStreamAsset(res, 7, 'a', 'thumbnail', 2);
+    expect(immich.streamImmichAsset).toHaveBeenCalledWith(res, 7, 'a', 'thumbnail', 2);
+
+    await svc.immichListAlbums(7);
+    expect(immich.listAlbums).toHaveBeenCalledWith(7);
+
+    await svc.immichGetAlbumPhotos(7, 'al1');
+    expect(immich.getAlbumPhotos).toHaveBeenCalledWith(7, 'al1');
+
+    await svc.immichSyncAlbumAssets('5', 'l1', 7, 'sock');
+    expect(immich.syncAlbumAssets).toHaveBeenCalledWith('5', 'l1', 7, 'sock');
+  });
+
+  it('synology methods delegate', async () => {
+    await svc.synologyGetSettings(7);
+    expect(synology.getSynologySettings).toHaveBeenCalledWith(7);
+
+    await svc.synologyUpdateSettings(7, 'u', 'a', 'p', true);
+    expect(synology.updateSynologySettings).toHaveBeenCalledWith(7, 'u', 'a', 'p', true);
+
+    await svc.synologyGetStatus(7);
+    expect(synology.getSynologyStatus).toHaveBeenCalledWith(7);
+
+    await svc.synologyTestConnection(7, 'u', 'a', 'p', '123', false);
+    expect(synology.testSynologyConnection).toHaveBeenCalledWith(7, 'u', 'a', 'p', '123', false);
+
+    await svc.synologyListAlbums(7);
+    expect(synology.listSynologyAlbums).toHaveBeenCalledWith(7);
+
+    await svc.synologySyncAlbumLink(7, '5', 'l1', 'sock');
+    expect(synology.syncSynologyAlbumLink).toHaveBeenCalledWith(7, '5', 'l1', 'sock');
+
+    await svc.synologySearchPhotos(7, 'f', 't', 0, 100);
+    expect(synology.searchSynologyPhotos).toHaveBeenCalledWith(7, 'f', 't', 0, 100);
+  });
+
+  it('synology album-photos forwards a passphrase when present and omits it when absent', async () => {
+    await svc.synologyGetAlbumPhotos(7, 'al1', 'secret');
+    expect(synology.getSynologyAlbumPhotos).toHaveBeenCalledWith(7, 'al1', 'secret');
+
+    await svc.synologyGetAlbumPhotos(7, 'al1');
+    expect(synology.getSynologyAlbumPhotos).toHaveBeenLastCalledWith(7, 'al1', undefined);
+  });
+
+  it('synology asset-info + stream forward a passphrase when present and omit it when absent', async () => {
+    await svc.synologyGetAssetInfo(7, 'p1', 2, 'secret');
+    expect(synology.getSynologyAssetInfo).toHaveBeenCalledWith(7, 'p1', 2, 'secret');
+
+    await svc.synologyGetAssetInfo(7, 'p1', 2);
+    expect(synology.getSynologyAssetInfo).toHaveBeenLastCalledWith(7, 'p1', 2, undefined);
+
+    await svc.synologyStreamAsset(res, 7, 2, 'p1', 'thumbnail', 'sm', 'secret');
+    expect(synology.streamSynologyAsset).toHaveBeenCalledWith(res, 7, 2, 'p1', 'thumbnail', 'sm', 'secret');
+
+    await svc.synologyStreamAsset(res, 7, 2, 'p1', 'original', 'xl');
+    expect(synology.streamSynologyAsset).toHaveBeenLastCalledWith(res, 7, 2, 'p1', 'original', 'xl', undefined);
+  });
+});
@@ -4,6 +4,9 @@ import type { Request, Response } from 'express';

 vi.mock('../../../src/services/auditLog', () => ({ writeAudit: vi.fn(), getClientIp: vi.fn(() => '1.2.3.4'), logWarn: vi.fn() }));

+import { getClientIp } from '../../../src/services/auditLog';
+const getClientIpMock = vi.mocked(getClientIp);
+
 import { OauthPublicController } from '../../../src/nest/oauth/oauth-public.controller';
 import { OauthApiController } from '../../../src/nest/oauth/oauth-api.controller';
 import { RateLimitService } from '../../../src/nest/auth/rate-limit.service';
@@ -142,6 +145,95 @@ describe('OauthPublicController /token', () => {
    new OauthPublicController(osvc(), s).token(reqWith({ client_id: 'c' }), res);
    expect(res.statusCode).toBe(429);
  });
+
+  it('falls back to {} when the body is not an object', () => {
+    const res = makeRes();
+    new OauthPublicController(osvc(), rl()).token({ ip: '7.7.7.7', body: 'not-an-object' } as unknown as Request, res);
+    // no client_id in the {} fallback -> 401
+    expect(res.statusCode).toBe(401);
+    expect(res.body).toEqual({ error: 'invalid_client', error_description: 'client_id is required' });
+  });
+
+  it('authorization_code: invalid client secret writes an audit + 401', () => {
+    const res = makeRes();
+    new OauthPublicController(osvc({
+      consumeAuthCode: vi.fn().mockReturnValue({ clientId: 'c', redirectUri: 'u', userId: 1, scopes: ['s'], codeChallenge: 'cc', resource: null }),
+      authenticateClient: vi.fn().mockReturnValue(null),
+    }), rl()).token(reqWith({ grant_type: 'authorization_code', client_id: 'c', code: 'x', redirect_uri: 'u', code_verifier: 'v' }), res);
+    expect(res.statusCode).toBe(401);
+    expect(res.body).toEqual({ error: 'invalid_client', error_description: 'Invalid client credentials' });
+  });
+
+  it('refresh_token: invalid_client maps to its specific 401 message', () => {
+    const res = makeRes();
+    new OauthPublicController(osvc({ refreshTokens: vi.fn().mockReturnValue({ error: 'invalid_client', status: 401 }) }), rl())
+      .token(reqWith({ grant_type: 'refresh_token', client_id: 'c', refresh_token: 'rt' }), res);
+    expect(res.statusCode).toBe(401);
+    expect(res.body).toEqual({ error: 'invalid_client', error_description: 'Invalid client credentials' });
+  });
+
+  it('refresh_token: defaults the status to 400 when the service omits it', () => {
+    const res = makeRes();
+    new OauthPublicController(osvc({ refreshTokens: vi.fn().mockReturnValue({ error: 'invalid_grant' }) }), rl())
+      .token(reqWith({ grant_type: 'refresh_token', client_id: 'c', refresh_token: 'rt' }), res);
+    expect(res.statusCode).toBe(400);
+  });
+
+  it('client_credentials: 401 when the client cannot be authenticated', () => {
+    const res = makeRes();
+    new OauthPublicController(osvc({ authenticateClient: vi.fn().mockReturnValue(null) }), rl())
+      .token(reqWith({ grant_type: 'client_credentials', client_id: 'c', client_secret: 's' }), res);
+    expect(res.statusCode).toBe(401);
+    expect(res.body).toEqual({ error: 'invalid_client', error_description: 'Invalid client credentials' });
+  });
+
+  it('client_credentials: honours a valid requested scope subset', () => {
+    const res = makeRes();
+    const issueClientCredentialsToken = vi.fn().mockReturnValue({ access_token: 'cc_at' });
+    new OauthPublicController(osvc({
+      authenticateClient: vi.fn().mockReturnValue({ is_public: false, user_id: 1, allows_client_credentials: true, allowed_scopes: '["a","b"]' }),
+      issueClientCredentialsToken,
+    }), rl()).token(reqWith({ grant_type: 'client_credentials', client_id: 'c', client_secret: 's', scope: 'a' }), res);
+    expect(res.body).toEqual({ access_token: 'cc_at' });
+    expect(issueClientCredentialsToken).toHaveBeenCalledWith('c', 1, ['a'], expect.any(String));
+  });
+
+  it('client_credentials: derives the audience from an explicit resource', () => {
+    const res = makeRes();
+    const issueClientCredentialsToken = vi.fn().mockReturnValue({ access_token: 'cc_at' });
+    new OauthPublicController(osvc({
+      authenticateClient: vi.fn().mockReturnValue({ is_public: false, user_id: 1, allows_client_credentials: true, allowed_scopes: '["a"]' }),
+      issueClientCredentialsToken,
+    }), rl()).token(reqWith({ grant_type: 'client_credentials', client_id: 'c', client_secret: 's', resource: 'https://aud/' }), res);
+    // trailing slashes are trimmed, not the mcpSafeUrl fallback
+    expect(issueClientCredentialsToken).toHaveBeenCalledWith('c', 1, ['a'], 'https://aud');
+  });
+
+  it('logs a dash for a missing ip on the authorization_code client-auth failure', () => {
+    getClientIpMock.mockReturnValueOnce(undefined);
+    const res = makeRes();
+    new OauthPublicController(osvc({
+      consumeAuthCode: vi.fn().mockReturnValue({ clientId: 'c', redirectUri: 'u', userId: 1, scopes: ['s'], codeChallenge: 'cc', resource: null }),
+      authenticateClient: vi.fn().mockReturnValue(null),
+    }), rl()).token(reqWith({ grant_type: 'authorization_code', client_id: 'c', code: 'x', redirect_uri: 'u', code_verifier: 'v' }), res);
+    expect(res.statusCode).toBe(401);
+  });
+
+  it('logs a dash for a missing ip on the refresh invalid_client failure', () => {
+    getClientIpMock.mockReturnValueOnce(undefined);
+    const res = makeRes();
+    new OauthPublicController(osvc({ refreshTokens: vi.fn().mockReturnValue({ error: 'invalid_client', status: 401 }) }), rl())
+      .token(reqWith({ grant_type: 'refresh_token', client_id: 'c', refresh_token: 'rt' }), res);
+    expect(res.statusCode).toBe(401);
+  });
+
+  it('logs a dash for a missing ip on the client_credentials auth failure', () => {
+    getClientIpMock.mockReturnValueOnce(undefined);
+    const res = makeRes();
+    new OauthPublicController(osvc({ authenticateClient: vi.fn().mockReturnValue(null) }), rl())
+      .token(reqWith({ grant_type: 'client_credentials', client_id: 'c', client_secret: 's' }), res);
+    expect(res.statusCode).toBe(401);
+  });
 });

 describe('OauthPublicController /userinfo + /revoke', () => {
@@ -155,6 +247,21 @@ describe('OauthPublicController /userinfo + /revoke', () => {
    expect(r2.body).toEqual({ sub: '1', email: 'a@b.c', email_verified: true, preferred_username: 'u' });
  });

+  it('userinfo: 404 empty when MCP is disabled', () => {
+    const res = makeRes();
+    new OauthPublicController(osvc({ mcpEnabled: vi.fn().mockReturnValue(false) }), rl()).userinfo('Bearer tok', res);
+    expect(res.statusCode).toBe(404);
+    expect(res.ended).toBe(true);
+  });
+
+  it('userinfo: 401 with the error challenge when the token is unknown', () => {
+    const res = makeRes();
+    new OauthPublicController(osvc({ getUserByAccessToken: vi.fn().mockReturnValue(null) }), rl()).userinfo('Bearer tok', res);
+    expect(res.statusCode).toBe(401);
+    expect(res.headers['WWW-Authenticate']).toBe('Bearer realm="TREK MCP", error="invalid_token"');
+    expect(res.body).toEqual({ error: 'invalid_token' });
+  });
+
  it('revoke: 400 without token/client, always 200 once authenticated', () => {
    const r1 = makeRes();
    new OauthPublicController(osvc(), rl()).revoke({ ip: '1', body: { client_id: 'c' } } as Request, r1);
@@ -166,6 +273,45 @@ describe('OauthPublicController /userinfo + /revoke', () => {
    expect(r2.body).toEqual({});
    expect(revokeToken).toHaveBeenCalled();
  });
+
+  it('revoke: 404 empty when MCP is disabled', () => {
+    const res = makeRes();
+    new OauthPublicController(osvc({ mcpEnabled: vi.fn().mockReturnValue(false) }), rl()).revoke({ ip: '1', body: {} } as Request, res);
+    expect(res.statusCode).toBe(404);
+    expect(res.ended).toBe(true);
+  });
+
+  it('revoke: 429 when the per-ip bucket is exhausted', () => {
+    const s = rl();
+    for (let i = 0; i < 10; i++) s.check('oauth_revoke', '1', 10, 60000, Date.now());
+    const res = makeRes();
+    new OauthPublicController(osvc(), s).revoke({ ip: '1', body: { token: 't', client_id: 'c' } } as Request, res);
+    expect(res.statusCode).toBe(429);
+  });
+
+  it('revoke: falls back to a default ip key and {} body when both are missing', () => {
+    const res = makeRes();
+    new OauthPublicController(osvc({ authenticateClient: vi.fn().mockReturnValue({ id: 'c' }), revokeToken: vi.fn() }), rl())
+      .revoke({ body: undefined } as unknown as Request, res);
+    // body fell back to {} -> token/client missing -> 400
+    expect(res.statusCode).toBe(400);
+  });
+
+  it('revoke: 401 when the client credentials are invalid', () => {
+    const res = makeRes();
+    new OauthPublicController(osvc({ authenticateClient: vi.fn().mockReturnValue(null) }), rl())
+      .revoke({ ip: '1', body: { token: 't', client_id: 'c' } } as Request, res);
+    expect(res.statusCode).toBe(401);
+    expect(res.body).toEqual({ error: 'invalid_client', error_description: 'Invalid client credentials' });
+  });
+
+  it('revoke: logs a dash for a missing ip on the invalid-client failure', () => {
+    getClientIpMock.mockReturnValueOnce(undefined);
+    const res = makeRes();
+    new OauthPublicController(osvc({ authenticateClient: vi.fn().mockReturnValue(null) }), rl())
+      .revoke({ ip: '1', body: { token: 't', client_id: 'c' } } as Request, res);
+    expect(res.statusCode).toBe(401);
+  });
 });

 describe('OauthApiController', () => {
@@ -215,4 +361,66 @@ describe('OauthApiController', () => {
    expect(thrown(() => new OauthApiController(osvc({ validateAuthorizeRequest: vi.fn().mockReturnValue({ valid: false, error: 'invalid_scope', error_description: 'bad' }) }), rl()).authorize(user, { client_id: 'c', redirect_uri: 'https://cb', scope: 's', code_challenge: 'cc', code_challenge_method: 'S256', approved: true }, req))).toEqual({ status: 400, body: { error: 'invalid_scope', error_description: 'bad' } });
    expect(thrown(() => new OauthApiController(osvc({ validateAuthorizeRequest: vi.fn().mockReturnValue({ valid: true, scopes: ['s'], resource: null }), saveConsent: vi.fn(), createAuthCode: vi.fn().mockReturnValue(null) }), rl()).authorize(user, { client_id: 'c', redirect_uri: 'https://cb', scope: 's', code_challenge: 'cc', code_challenge_method: 'S256', approved: true }, req))).toEqual({ status: 503, body: { error: 'server_error', error_description: 'Authorization server is temporarily unavailable' } });
  });
+
+  it('validate: 429 when the per-ip bucket is exhausted', () => {
+    const s = rl();
+    for (let i = 0; i < 30; i++) s.check('oauth_validate', '1.2.3.4', 30, 60000, Date.now());
+    const res = makeRes2();
+    expect(thrown(() => new OauthApiController(osvc(), s).validate({ ...req } as Request, {}, res))).toEqual({
+      status: 429,
+      body: { error: 'too_many_requests', error_description: 'Too many attempts. Please try again later.' },
+    });
+  });
+
+  it('validate: falls back to the "unknown" rate-limit key when req.ip is absent', () => {
+    const res = makeRes2();
+    const out = new OauthApiController(osvc({ validateAuthorizeRequest: vi.fn().mockReturnValue({ valid: true }) }), rl())
+      .validate({ user: undefined } as unknown as Request, {}, res);
+    expect(out).toEqual({ valid: true, loginRequired: true });
+  });
+
+  it('validate: forwards the resource + returns the raw result for a logged-in user', () => {
+    const res = makeRes2();
+    const validateAuthorizeRequest = vi.fn().mockReturnValue({ valid: true, scopes: ['s'] });
+    const out = new OauthApiController(osvc({ validateAuthorizeRequest }), rl())
+      .validate({ ...req, user: { id: 9 } } as unknown as Request, { resource: 'https://r' }, res);
+    expect(out).toEqual({ valid: true, scopes: ['s'] });
+    expect(validateAuthorizeRequest).toHaveBeenCalledWith(expect.objectContaining({ resource: 'https://r' }), 9);
+  });
+
+  it('authorize: 403 when MCP is disabled', () => {
+    expect(thrown(() => new OauthApiController(osvc({ mcpEnabled: vi.fn().mockReturnValue(false) }), rl())
+      .authorize(user, { client_id: 'c', redirect_uri: 'https://cb', scope: 's', code_challenge: 'cc', code_challenge_method: 'S256', approved: false }, req)))
+      .toEqual({ status: 403, body: { error: 'MCP is not enabled' } });
+  });
+
+  it('authorize: carries the state through both the denied and approved redirects', () => {
+    const denied = new OauthApiController(osvc(), rl()).authorize(user, { client_id: 'c', redirect_uri: 'https://cb', scope: 's', state: 'xyz', code_challenge: 'cc', code_challenge_method: 'S256', approved: false }, req);
+    expect((denied as { redirect: string }).redirect).toContain('state=xyz');
+
+    const svc = osvc({ validateAuthorizeRequest: vi.fn().mockReturnValue({ valid: true, scopes: ['s'], resource: 'https://aud' }), saveConsent: vi.fn(), createAuthCode: vi.fn().mockReturnValue('the_code') });
+    const ok = new OauthApiController(svc, rl()).authorize(user, { client_id: 'c', redirect_uri: 'https://cb', scope: 's', state: 'xyz', code_challenge: 'cc', code_challenge_method: 'S256', approved: true }, req);
+    expect((ok as { redirect: string }).redirect).toContain('code=the_code');
+    expect((ok as { redirect: string }).redirect).toContain('state=xyz');
+  });
+
+  it('client/session errors default the status to 400 when the service omits it', () => {
+    expect(thrown(() => new OauthApiController(osvc({ createOAuthClient: vi.fn().mockReturnValue({ error: 'bad' }) }), rl()).createClient(user, { name: 'X', allowed_scopes: ['a'] }, req)))
+      .toEqual({ status: 400, body: { error: 'bad' } });
+    expect(thrown(() => new OauthApiController(osvc({ rotateOAuthClientSecret: vi.fn().mockReturnValue({ error: 'bad' }) }), rl()).rotateClient(user, 'c1', req)))
+      .toEqual({ status: 400, body: { error: 'bad' } });
+    expect(thrown(() => new OauthApiController(osvc({ deleteOAuthClient: vi.fn().mockReturnValue({ error: 'not_found', status: 404 }) }), rl()).deleteClient(user, 'c1', req)))
+      .toEqual({ status: 404, body: { error: 'not_found' } });
+    expect(thrown(() => new OauthApiController(osvc({ deleteOAuthClient: vi.fn().mockReturnValue({ error: 'bad' }) }), rl()).deleteClient(user, 'c1', req)))
+      .toEqual({ status: 400, body: { error: 'bad' } });
+    expect(thrown(() => new OauthApiController(osvc({ revokeSession: vi.fn().mockReturnValue({ error: 'not_found', status: 404 }) }), rl()).revokeSession(user, '1', req)))
+      .toEqual({ status: 404, body: { error: 'not_found' } });
+    expect(thrown(() => new OauthApiController(osvc({ revokeSession: vi.fn().mockReturnValue({ error: 'bad' }) }), rl()).revokeSession(user, '1', req)))
+      .toEqual({ status: 400, body: { error: 'bad' } });
+  });
+
+  it('sessions: 403 when MCP is off on the list', () => {
+    expect(thrown(() => new OauthApiController(osvc({ mcpEnabled: vi.fn().mockReturnValue(false) }), rl()).listSessions(user)))
+      .toEqual({ status: 403, body: { error: 'MCP is not enabled' } });
+  });
 });
@@ -0,0 +1,172 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+
+// The Nest service is a thin wrapper that forwards to the legacy oauthService
+// plus the addon/notification helpers. Mock those and assert the delegation.
+const { oauth } = vi.hoisted(() => ({
+  oauth: {
+    consumeAuthCode: vi.fn(),
+    authenticateClient: vi.fn(),
+    verifyPKCE: vi.fn(),
+    issueTokens: vi.fn(),
+    issueClientCredentialsToken: vi.fn(),
+    refreshTokens: vi.fn(),
+    revokeToken: vi.fn(),
+    getUserByAccessToken: vi.fn(),
+    validateAuthorizeRequest: vi.fn(),
+    saveConsent: vi.fn(),
+    createAuthCode: vi.fn(),
+    listOAuthClients: vi.fn(),
+    createOAuthClient: vi.fn(),
+    rotateOAuthClientSecret: vi.fn(),
+    deleteOAuthClient: vi.fn(),
+    listOAuthSessions: vi.fn(),
+    revokeSession: vi.fn(),
+  },
+}));
+vi.mock('../../../src/services/oauthService', () => oauth);
+
+const { isAddonEnabled } = vi.hoisted(() => ({ isAddonEnabled: vi.fn() }));
+vi.mock('../../../src/services/adminService', () => ({ isAddonEnabled }));
+
+const { getMcpSafeUrl } = vi.hoisted(() => ({ getMcpSafeUrl: vi.fn() }));
+vi.mock('../../../src/services/notifications', () => ({ getMcpSafeUrl }));
+
+import { OauthService } from '../../../src/nest/oauth/oauth.service';
+import { ADDON_IDS } from '../../../src/addons';
+
+function svc() { return new OauthService(); }
+
+beforeEach(() => vi.clearAllMocks());
+
+describe('OauthService', () => {
+  it('mcpEnabled checks the MCP addon flag', () => {
+    isAddonEnabled.mockReturnValue(true);
+    expect(svc().mcpEnabled()).toBe(true);
+    expect(isAddonEnabled).toHaveBeenCalledWith(ADDON_IDS.MCP);
+    isAddonEnabled.mockReturnValue(false);
+    expect(svc().mcpEnabled()).toBe(false);
+  });
+
+  it('mcpSafeUrl forwards to the notifications helper', () => {
+    getMcpSafeUrl.mockReturnValue('https://safe');
+    expect(svc().mcpSafeUrl()).toBe('https://safe');
+    expect(getMcpSafeUrl).toHaveBeenCalled();
+  });
+
+  it('consumeAuthCode delegates', () => {
+    oauth.consumeAuthCode.mockReturnValue({ clientId: 'c' });
+    expect(svc().consumeAuthCode('code')).toEqual({ clientId: 'c' });
+    expect(oauth.consumeAuthCode).toHaveBeenCalledWith('code');
+  });
+
+  it('authenticateClient delegates with both args', () => {
+    oauth.authenticateClient.mockReturnValue({ id: 'c' });
+    expect(svc().authenticateClient('c', 'secret')).toEqual({ id: 'c' });
+    expect(oauth.authenticateClient).toHaveBeenCalledWith('c', 'secret');
+  });
+
+  it('verifyPKCE delegates', () => {
+    oauth.verifyPKCE.mockReturnValue(true);
+    expect(svc().verifyPKCE('v', 'ch')).toBe(true);
+    expect(oauth.verifyPKCE).toHaveBeenCalledWith('v', 'ch');
+  });
+
+  it('issueTokens forwards the full argument list', () => {
+    oauth.issueTokens.mockReturnValue({ access_token: 'at' });
+    expect(svc().issueTokens('c', 1, ['s'], null, 'aud')).toEqual({ access_token: 'at' });
+    expect(oauth.issueTokens).toHaveBeenCalledWith('c', 1, ['s'], null, 'aud');
+  });
+
+  it('issueClientCredentialsToken forwards the full argument list', () => {
+    oauth.issueClientCredentialsToken.mockReturnValue({ access_token: 'cc' });
+    expect(svc().issueClientCredentialsToken('c', 1, ['s'], 'aud')).toEqual({ access_token: 'cc' });
+    expect(oauth.issueClientCredentialsToken).toHaveBeenCalledWith('c', 1, ['s'], 'aud');
+  });
+
+  it('refreshTokens forwards the full argument list', () => {
+    oauth.refreshTokens.mockReturnValue({ tokens: { access_token: 'new' } });
+    expect(svc().refreshTokens('rt', 'c', 's', '1.2.3.4')).toEqual({ tokens: { access_token: 'new' } });
+    expect(oauth.refreshTokens).toHaveBeenCalledWith('rt', 'c', 's', '1.2.3.4');
+  });
+
+  it('revokeToken forwards the full argument list', () => {
+    svc().revokeToken('t', 'c', undefined, '1.2.3.4');
+    expect(oauth.revokeToken).toHaveBeenCalledWith('t', 'c', undefined, '1.2.3.4');
+  });
+
+  it('getUserByAccessToken delegates', () => {
+    oauth.getUserByAccessToken.mockReturnValue({ user: { id: 1 } });
+    expect(svc().getUserByAccessToken('tok')).toEqual({ user: { id: 1 } });
+    expect(oauth.getUserByAccessToken).toHaveBeenCalledWith('tok');
+  });
+
+  it('validateAuthorizeRequest delegates with the user id', () => {
+    oauth.validateAuthorizeRequest.mockReturnValue({ valid: true });
+    const params = { response_type: 'code' } as never;
+    expect(svc().validateAuthorizeRequest(params, 5)).toEqual({ valid: true });
+    expect(oauth.validateAuthorizeRequest).toHaveBeenCalledWith(params, 5);
+  });
+
+  it('saveConsent forwards the full argument list', () => {
+    svc().saveConsent('c', 1, ['s'], '1.2.3.4');
+    expect(oauth.saveConsent).toHaveBeenCalledWith('c', 1, ['s'], '1.2.3.4');
+  });
+
+  it('createAuthCode forwards the params object', () => {
+    oauth.createAuthCode.mockReturnValue('the_code');
+    const p = { clientId: 'c', userId: 1, redirectUri: 'u', scopes: ['s'], resource: null, codeChallenge: 'cc', codeChallengeMethod: 'S256' } as const;
+    expect(svc().createAuthCode(p)).toBe('the_code');
+    expect(oauth.createAuthCode).toHaveBeenCalledWith(p);
+  });
+
+  it('listOAuthClients delegates', () => {
+    oauth.listOAuthClients.mockReturnValue([{ id: 'c1' }]);
+    expect(svc().listOAuthClients(1)).toEqual([{ id: 'c1' }]);
+    expect(oauth.listOAuthClients).toHaveBeenCalledWith(1);
+  });
+
+  it('createOAuthClient forwards the full argument list', () => {
+    oauth.createOAuthClient.mockReturnValue({ client_id: 'c1' });
+    expect(svc().createOAuthClient(1, 'CLI', ['https://cb'], ['a'], '1.2.3.4', { allowsClientCredentials: true })).toEqual({ client_id: 'c1' });
+    expect(oauth.createOAuthClient).toHaveBeenCalledWith(1, 'CLI', ['https://cb'], ['a'], '1.2.3.4', { allowsClientCredentials: true });
+  });
+
+  it('rotateOAuthClientSecret delegates', () => {
+    oauth.rotateOAuthClientSecret.mockReturnValue({ client_secret: 'new' });
+    expect(svc().rotateOAuthClientSecret(1, 'c1', '1.2.3.4')).toEqual({ client_secret: 'new' });
+    expect(oauth.rotateOAuthClientSecret).toHaveBeenCalledWith(1, 'c1', '1.2.3.4');
+  });
+
+  it('deleteOAuthClient delegates', () => {
+    oauth.deleteOAuthClient.mockReturnValue({});
+    expect(svc().deleteOAuthClient(1, 'c1', '1.2.3.4')).toEqual({});
+    expect(oauth.deleteOAuthClient).toHaveBeenCalledWith(1, 'c1', '1.2.3.4');
+  });
+
+  it('listOAuthSessions delegates', () => {
+    oauth.listOAuthSessions.mockReturnValue([{ id: 1 }]);
+    expect(svc().listOAuthSessions(1)).toEqual([{ id: 1 }]);
+    expect(oauth.listOAuthSessions).toHaveBeenCalledWith(1);
+  });
+
+  it('revokeSession delegates', () => {
+    oauth.revokeSession.mockReturnValue({});
+    expect(svc().revokeSession(1, 7, '1.2.3.4')).toEqual({});
+    expect(oauth.revokeSession).toHaveBeenCalledWith(1, 7, '1.2.3.4');
+  });
+});
+
+describe('OauthModule', () => {
+  it('wires the public + api controllers and the providers', async () => {
+    const { OauthModule } = await import('../../../src/nest/oauth/oauth.module');
+    const { OauthPublicController } = await import('../../../src/nest/oauth/oauth-public.controller');
+    const { OauthApiController } = await import('../../../src/nest/oauth/oauth-api.controller');
+    const { OauthService: Svc } = await import('../../../src/nest/oauth/oauth.service');
+    const { RateLimitService } = await import('../../../src/nest/auth/rate-limit.service');
+
+    const controllers = Reflect.getMetadata('controllers', OauthModule);
+    const providers = Reflect.getMetadata('providers', OauthModule);
+    expect(controllers).toEqual([OauthPublicController, OauthApiController]);
+    expect(providers).toEqual([Svc, RateLimitService]);
+  });
+});
@@ -71,6 +71,59 @@ describe('OidcController /login', () => {
    expect(res.redirectedTo).toContain('code_challenge=cc');
    expect(res.redirectedTo).toContain('code_challenge_method=S256');
  });
+
+  it('400 when a non-HTTPS issuer is used in production', async () => {
+    process.env.NODE_ENV = 'production';
+    const res = makeRes();
+    await new OidcController(svc({ getOidcConfig: vi.fn().mockReturnValue({ issuer: 'http://idp', clientId: 'c', clientSecret: 's', discoveryUrl: null }) })).login(req, res);
+    expect(res.statusCode).toBe(400);
+    expect(res.body).toEqual({ error: 'OIDC issuer must use HTTPS in production' });
+  });
+
+  it('allows a non-HTTPS issuer outside production', async () => {
+    process.env.NODE_ENV = 'development';
+    const res = makeRes();
+    await new OidcController(svc({ getOidcConfig: vi.fn().mockReturnValue({ issuer: 'http://idp', clientId: 'c', clientSecret: 's', discoveryUrl: null }) })).login(req, res);
+    expect(res.redirect).toHaveBeenCalled();
+  });
+
+  it('500 when APP_URL is not configured', async () => {
+    const res = makeRes();
+    await new OidcController(svc({ getAppUrl: vi.fn().mockReturnValue('') })).login(req, res);
+    expect(res.statusCode).toBe(500);
+    expect(res.body).toEqual({ error: 'APP_URL is not configured. OIDC cannot be used.' });
+  });
+
+  it('passes the invite token from the query into createState', async () => {
+    const res = makeRes();
+    const createState = vi.fn().mockReturnValue({ state: 'st', codeChallenge: 'cc' });
+    const reqInvite = { query: { invite: 'tok123' }, headers: {} } as unknown as Request;
+    await new OidcController(svc({ createState })).login(reqInvite, res);
+    expect(createState).toHaveBeenCalledWith('https://app/api/auth/oidc/callback', 'tok123');
+  });
+
+  it('trims a trailing slash off APP_URL when building the redirect uri', async () => {
+    const res = makeRes();
+    const createState = vi.fn().mockReturnValue({ state: 'st', codeChallenge: 'cc' });
+    await new OidcController(svc({ getAppUrl: vi.fn().mockReturnValue('https://app///'), createState })).login(req, res);
+    expect(createState).toHaveBeenCalledWith('https://app/api/auth/oidc/callback', undefined);
+  });
+
+  it('500 when discovery throws', async () => {
+    vi.spyOn(console, 'error').mockImplementation(() => {});
+    const res = makeRes();
+    await new OidcController(svc({ discover: vi.fn().mockRejectedValue(new Error('boom')) })).login(req, res);
+    expect(res.statusCode).toBe(500);
+    expect(res.body).toEqual({ error: 'OIDC login failed' });
+  });
+
+  it('500 logs a non-Error rejection without crashing', async () => {
+    const spy = vi.spyOn(console, 'error').mockImplementation(() => {});
+    const res = makeRes();
+    await new OidcController(svc({ discover: vi.fn().mockRejectedValue('plain string') })).login(req, res);
+    expect(res.statusCode).toBe(500);
+    expect(spy).toHaveBeenCalledWith('[OIDC] Login error:', 'plain string');
+  });
 });

 describe('OidcController /callback', () => {
@@ -131,6 +184,145 @@ describe('OidcController /callback', () => {
    await c.callback('c', 's', undefined, reqCb('s'), res);
    expect(res.redirectedTo).toBe('https://app/login?oidc_error=subject_mismatch');
  });
+
+  it('redirects invalid_state when there is no bound state cookie at all', async () => {
+    const res = makeRes();
+    const reqNoCookie = { query: {}, headers: {}, cookies: {} } as unknown as Request;
+    await new OidcController(svc()).callback('c', 's', undefined, reqNoCookie, res);
+    expect(res.redirectedTo).toBe('https://app/login?oidc_error=invalid_state');
+  });
+
+  it('tolerates a request with no cookies object', async () => {
+    const res = makeRes();
+    const reqNoCookies = { query: {}, headers: {} } as unknown as Request;
+    await new OidcController(svc()).callback('c', 's', undefined, reqNoCookies, res);
+    expect(res.redirectedTo).toBe('https://app/login?oidc_error=invalid_state');
+  });
+
+  it('redirects not_configured when the config disappears mid-flow', async () => {
+    const res = makeRes();
+    await new OidcController(svc({ getOidcConfig: vi.fn().mockReturnValue(null) })).callback('c', 's', undefined, reqCb('s'), res);
+    expect(res.redirectedTo).toBe('https://app/login?oidc_error=not_configured');
+  });
+
+  it('redirects issuer_not_https when a non-HTTPS issuer is used in production', async () => {
+    process.env.NODE_ENV = 'production';
+    const res = makeRes();
+    await new OidcController(svc({ getOidcConfig: vi.fn().mockReturnValue({ issuer: 'http://idp', clientId: 'c', clientSecret: 's', discoveryUrl: null }) })).callback('c', 's', undefined, reqCb('s'), res);
+    expect(res.redirectedTo).toBe('https://app/login?oidc_error=issuer_not_https');
+  });
+
+  it('redirects token_failed when the token exchange is not ok', async () => {
+    vi.spyOn(console, 'error').mockImplementation(() => {});
+    const res = makeRes();
+    await new OidcController(svc({ exchangeCodeForToken: vi.fn().mockResolvedValue({ _ok: false, _status: 401 }) })).callback('c', 's', undefined, reqCb('s'), res);
+    expect(res.redirectedTo).toBe('https://app/login?oidc_error=token_failed');
+  });
+
+  it('redirects token_failed when the access token is missing', async () => {
+    vi.spyOn(console, 'error').mockImplementation(() => {});
+    const res = makeRes();
+    await new OidcController(svc({ exchangeCodeForToken: vi.fn().mockResolvedValue({ _ok: true }) })).callback('c', 's', undefined, reqCb('s'), res);
+    expect(res.redirectedTo).toBe('https://app/login?oidc_error=token_failed');
+  });
+
+  it('redirects id_token_invalid when verification fails with a reason', async () => {
+    vi.spyOn(console, 'error').mockImplementation(() => {});
+    const res = makeRes();
+    await new OidcController(svc({
+      exchangeCodeForToken: vi.fn().mockResolvedValue({ _ok: true, access_token: 'at', id_token: 'it' }),
+      verifyIdToken: vi.fn().mockResolvedValue({ ok: false, error: 'bad_signature' }),
+    })).callback('c', 's', undefined, reqCb('s'), res);
+    expect(res.redirectedTo).toBe('https://app/login?oidc_error=id_token_invalid');
+  });
+
+  it('redirects id_token_invalid when verification fails without an error field', async () => {
+    vi.spyOn(console, 'error').mockImplementation(() => {});
+    const res = makeRes();
+    await new OidcController(svc({
+      exchangeCodeForToken: vi.fn().mockResolvedValue({ _ok: true, access_token: 'at', id_token: 'it' }),
+      verifyIdToken: vi.fn().mockResolvedValue({ ok: false }),
+    })).callback('c', 's', undefined, reqCb('s'), res);
+    expect(res.redirectedTo).toBe('https://app/login?oidc_error=id_token_invalid');
+  });
+
+  it('falls back to config.issuer when the discovery doc has no issuer', async () => {
+    const verifyIdToken = vi.fn().mockResolvedValue({ ok: true, claims: { sub: 'u1' } });
+    const res = makeRes();
+    await new OidcController(svc({
+      discover: vi.fn().mockResolvedValue({ authorization_endpoint: 'https://idp/auth', userinfo_endpoint: 'https://idp/ui' }),
+      exchangeCodeForToken: vi.fn().mockResolvedValue({ _ok: true, access_token: 'at', id_token: 'it' }),
+      verifyIdToken,
+      getUserInfo: vi.fn().mockResolvedValue({ email: 'a@b.c', sub: 'u1' }),
+      findOrCreateUser: vi.fn().mockReturnValue({ user: { id: 1 } }),
+    })).callback('c', 's', undefined, reqCb('s'), res);
+    // doc.issuer absent → (doc.issuer ?? '') is '' → falls back to config.issuer
+    expect(verifyIdToken).toHaveBeenCalledWith('it', expect.anything(), 'c', 'https://idp');
+    expect(res.redirectedTo).toBe('https://app/login?oidc_code=ac');
+  });
+
+  it('strips trailing slashes off the discovery doc issuer before verifying', async () => {
+    const verifyIdToken = vi.fn().mockResolvedValue({ ok: true, claims: { sub: 'u1' } });
+    const res = makeRes();
+    await new OidcController(svc({
+      discover: vi.fn().mockResolvedValue({ authorization_endpoint: 'https://idp/auth', userinfo_endpoint: 'https://idp/ui', issuer: 'https://idp/' }),
+      exchangeCodeForToken: vi.fn().mockResolvedValue({ _ok: true, access_token: 'at', id_token: 'it' }),
+      verifyIdToken,
+      getUserInfo: vi.fn().mockResolvedValue({ email: 'a@b.c', sub: 'u1' }),
+      findOrCreateUser: vi.fn().mockReturnValue({ user: { id: 1 } }),
+    })).callback('c', 's', undefined, reqCb('s'), res);
+    expect(verifyIdToken).toHaveBeenCalledWith('it', expect.anything(), 'c', 'https://idp');
+  });
+
+  it('redirects no_email when the userinfo has no email', async () => {
+    const res = makeRes();
+    await new OidcController(svc({
+      exchangeCodeForToken: vi.fn().mockResolvedValue({ _ok: true, access_token: 'at', id_token: 'it' }),
+      verifyIdToken: vi.fn().mockResolvedValue({ ok: true, claims: { sub: 'u1' } }),
+      getUserInfo: vi.fn().mockResolvedValue({ sub: 'u1' }),
+    })).callback('c', 's', undefined, reqCb('s'), res);
+    expect(res.redirectedTo).toBe('https://app/login?oidc_error=no_email');
+  });
+
+  it('accepts when userinfo omits sub (no cross-check to run)', async () => {
+    const res = makeRes();
+    await new OidcController(svc({
+      exchangeCodeForToken: vi.fn().mockResolvedValue({ _ok: true, access_token: 'at', id_token: 'it' }),
+      verifyIdToken: vi.fn().mockResolvedValue({ ok: true, claims: { sub: 'u1' } }),
+      getUserInfo: vi.fn().mockResolvedValue({ email: 'a@b.c' }),
+      findOrCreateUser: vi.fn().mockReturnValue({ user: { id: 1 } }),
+    })).callback('c', 's', undefined, reqCb('s'), res);
+    expect(res.redirectedTo).toBe('https://app/login?oidc_code=ac');
+  });
+
+  it('accepts when the id_token claims have a non-string sub (cross-check skipped)', async () => {
+    const res = makeRes();
+    await new OidcController(svc({
+      exchangeCodeForToken: vi.fn().mockResolvedValue({ _ok: true, access_token: 'at', id_token: 'it' }),
+      verifyIdToken: vi.fn().mockResolvedValue({ ok: true, claims: { sub: 12345 } }),
+      getUserInfo: vi.fn().mockResolvedValue({ email: 'a@b.c', sub: 'something-else' }),
+      findOrCreateUser: vi.fn().mockReturnValue({ user: { id: 1 } }),
+    })).callback('c', 's', undefined, reqCb('s'), res);
+    expect(res.redirectedTo).toBe('https://app/login?oidc_code=ac');
+  });
+
+  it('surfaces a findOrCreateUser provisioning error', async () => {
+    const res = makeRes();
+    await new OidcController(svc({
+      exchangeCodeForToken: vi.fn().mockResolvedValue({ _ok: true, access_token: 'at', id_token: 'it' }),
+      verifyIdToken: vi.fn().mockResolvedValue({ ok: true, claims: { sub: 'u1' } }),
+      getUserInfo: vi.fn().mockResolvedValue({ email: 'a@b.c', sub: 'u1' }),
+      findOrCreateUser: vi.fn().mockReturnValue({ error: 'registration_disabled' }),
+    })).callback('c', 's', undefined, reqCb('s'), res);
+    expect(res.redirectedTo).toBe('https://app/login?oidc_error=registration_disabled');
+  });
+
+  it('redirects server_error when the flow throws', async () => {
+    vi.spyOn(console, 'error').mockImplementation(() => {});
+    const res = makeRes();
+    await new OidcController(svc({ discover: vi.fn().mockRejectedValue(new Error('network down')) })).callback('c', 's', undefined, reqCb('s'), res);
+    expect(res.redirectedTo).toBe('https://app/login?oidc_error=server_error');
+  });
 });

 describe('OidcController /exchange', () => {
@@ -0,0 +1,158 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+import type { Request, Response } from 'express';
+
+// The Nest service is a thin pass-through to the legacy OIDC helpers plus a few
+// adjacent service modules. Mock each one and assert the wrapper forwards every
+// argument and returns whatever the legacy function hands back.
+const { oidc } = vi.hoisted(() => ({
+  oidc: {
+    getOidcConfig: vi.fn(),
+    discover: vi.fn(),
+    createState: vi.fn(),
+    consumeState: vi.fn(),
+    exchangeCodeForToken: vi.fn(),
+    verifyIdToken: vi.fn(),
+    getUserInfo: vi.fn(),
+    findOrCreateUser: vi.fn(),
+    touchLastLogin: vi.fn(),
+    generateToken: vi.fn(),
+    createAuthCode: vi.fn(),
+    consumeAuthCode: vi.fn(),
+    frontendUrl: vi.fn(),
+  },
+}));
+vi.mock('../../../src/services/oidcService', () => oidc);
+
+const { getAppUrl } = vi.hoisted(() => ({ getAppUrl: vi.fn() }));
+vi.mock('../../../src/services/notifications', () => ({ getAppUrl }));
+
+const { resolveAuthToggles } = vi.hoisted(() => ({ resolveAuthToggles: vi.fn() }));
+vi.mock('../../../src/services/authService', () => ({ resolveAuthToggles }));
+
+const { setAuthCookie } = vi.hoisted(() => ({ setAuthCookie: vi.fn() }));
+vi.mock('../../../src/services/cookie', () => ({ setAuthCookie }));
+
+import { OidcService } from '../../../src/nest/oidc/oidc.service';
+
+let s: OidcService;
+beforeEach(() => {
+  vi.clearAllMocks();
+  s = new OidcService();
+});
+
+describe('OidcService', () => {
+  it('oidcLoginEnabled reads the resolved auth toggle', () => {
+    resolveAuthToggles.mockReturnValue({ oidc_login: true });
+    expect(s.oidcLoginEnabled()).toBe(true);
+    resolveAuthToggles.mockReturnValue({ oidc_login: false });
+    expect(s.oidcLoginEnabled()).toBe(false);
+  });
+
+  it('getOidcConfig delegates to the legacy helper', () => {
+    const cfg = { issuer: 'https://idp' };
+    oidc.getOidcConfig.mockReturnValue(cfg);
+    expect(s.getOidcConfig()).toBe(cfg);
+  });
+
+  it('getAppUrl delegates to notifications.getAppUrl', () => {
+    getAppUrl.mockReturnValue('https://app');
+    expect(s.getAppUrl()).toBe('https://app');
+  });
+
+  it('discover forwards the issuer and discovery url', () => {
+    const doc = { authorization_endpoint: 'https://idp/auth' };
+    oidc.discover.mockReturnValue(doc);
+    expect(s.discover('https://idp', 'https://idp/.well-known')).toBe(doc);
+    expect(oidc.discover).toHaveBeenCalledWith('https://idp', 'https://idp/.well-known');
+  });
+
+  it('discover works without a discovery url', () => {
+    oidc.discover.mockReturnValue('doc');
+    expect(s.discover('https://idp')).toBe('doc');
+    expect(oidc.discover).toHaveBeenCalledWith('https://idp', undefined);
+  });
+
+  it('createState forwards the redirect uri and invite token', () => {
+    const st = { state: 'st', codeChallenge: 'cc' };
+    oidc.createState.mockReturnValue(st);
+    expect(s.createState('https://app/cb', 'inv')).toBe(st);
+    expect(oidc.createState).toHaveBeenCalledWith('https://app/cb', 'inv');
+  });
+
+  it('createState works without an invite token', () => {
+    oidc.createState.mockReturnValue({ state: 'st', codeChallenge: 'cc' });
+    s.createState('https://app/cb');
+    expect(oidc.createState).toHaveBeenCalledWith('https://app/cb', undefined);
+  });
+
+  it('consumeState forwards the state', () => {
+    oidc.consumeState.mockReturnValue({ redirectUri: 'r', codeVerifier: 'v' });
+    expect(s.consumeState('st')).toEqual({ redirectUri: 'r', codeVerifier: 'v' });
+    expect(oidc.consumeState).toHaveBeenCalledWith('st');
+  });
+
+  it('exchangeCodeForToken spreads all arguments through', () => {
+    oidc.exchangeCodeForToken.mockReturnValue({ _ok: true });
+    const doc = { token_endpoint: 'https://idp/token' } as never;
+    expect(s.exchangeCodeForToken(doc, 'code', 'redir', 'cid', 'secret', 'verifier')).toEqual({ _ok: true });
+    expect(oidc.exchangeCodeForToken).toHaveBeenCalledWith(doc, 'code', 'redir', 'cid', 'secret', 'verifier');
+  });
+
+  it('verifyIdToken spreads all arguments through', () => {
+    oidc.verifyIdToken.mockReturnValue({ ok: true });
+    const doc = { issuer: 'https://idp' } as never;
+    expect(s.verifyIdToken('id_token', doc, 'cid', 'https://idp')).toEqual({ ok: true });
+    expect(oidc.verifyIdToken).toHaveBeenCalledWith('id_token', doc, 'cid', 'https://idp');
+  });
+
+  it('getUserInfo forwards the endpoint and access token', () => {
+    oidc.getUserInfo.mockReturnValue({ email: 'a@b.c' });
+    expect(s.getUserInfo('https://idp/ui', 'at')).toEqual({ email: 'a@b.c' });
+    expect(oidc.getUserInfo).toHaveBeenCalledWith('https://idp/ui', 'at');
+  });
+
+  it('findOrCreateUser spreads all arguments through', () => {
+    const result = { user: { id: 1 } };
+    oidc.findOrCreateUser.mockReturnValue(result);
+    const info = { email: 'a@b.c' } as never;
+    const cfg = { issuer: 'https://idp' } as never;
+    expect(s.findOrCreateUser(info, cfg, 'inv')).toBe(result);
+    expect(oidc.findOrCreateUser).toHaveBeenCalledWith(info, cfg, 'inv');
+  });
+
+  it('touchLastLogin forwards the user id', () => {
+    s.touchLastLogin(42);
+    expect(oidc.touchLastLogin).toHaveBeenCalledWith(42);
+  });
+
+  it('generateToken forwards the user', () => {
+    oidc.generateToken.mockReturnValue('jwt');
+    expect(s.generateToken({ id: 7 })).toBe('jwt');
+    expect(oidc.generateToken).toHaveBeenCalledWith({ id: 7 });
+  });
+
+  it('createAuthCode forwards the token', () => {
+    oidc.createAuthCode.mockReturnValue('ac');
+    expect(s.createAuthCode('jwt')).toBe('ac');
+    expect(oidc.createAuthCode).toHaveBeenCalledWith('jwt');
+  });
+
+  it('consumeAuthCode forwards the code', () => {
+    oidc.consumeAuthCode.mockReturnValue({ token: 'jwt' });
+    expect(s.consumeAuthCode('ac')).toEqual({ token: 'jwt' });
+    expect(oidc.consumeAuthCode).toHaveBeenCalledWith('ac');
+  });
+
+  it('frontendUrl forwards the path', () => {
+    oidc.frontendUrl.mockReturnValue('https://app/login');
+    expect(s.frontendUrl('/login')).toBe('https://app/login');
+    expect(oidc.frontendUrl).toHaveBeenCalledWith('/login');
+  });
+
+  it('setAuthCookie forwards res, token and req to the cookie helper', () => {
+    const res = {} as Response;
+    const req = {} as Request;
+    s.setAuthCookie(res, 'jwt', req);
+    expect(setAuthCookie).toHaveBeenCalledWith(res, 'jwt', req);
+  });
+});
@@ -67,14 +67,35 @@ describe('PackingController (parity with the legacy /api/trips/:tripId/packing r
    });
  });

+  it('GET / lists items for the trip (success path)', () => {
+    const listItems = vi.fn().mockReturnValue([{ id: 1 }, { id: 2 }]);
+    const svc = makeService({ listItems } as Partial<PackingService>);
+    expect(new PackingController(svc).list(user, '5')).toEqual({ items: [{ id: 1 }, { id: 2 }] });
+    expect(listItems).toHaveBeenCalledWith('5');
+  });
+
  describe('POST /import', () => {
-    it('400 when items is not a non-empty array', () => {
+    it('400 when items is not a non-empty array (empty array)', () => {
      const svc = makeService();
      expect(thrown(() => new PackingController(svc).importItems(user, '5', []))).toEqual({
        status: 400, body: { error: 'items must be a non-empty array' },
      });
    });

+    it('400 when items is not an array at all (non-array branch)', () => {
+      const svc = makeService();
+      expect(thrown(() => new PackingController(svc).importItems(user, '5', 'nope'))).toEqual({
+        status: 400, body: { error: 'items must be a non-empty array' },
+      });
+    });
+
+    it('403 without packing_edit permission', () => {
+      const svc = makeService({ canEdit: vi.fn().mockReturnValue(false) });
+      expect(thrown(() => new PackingController(svc).importItems(user, '5', [{ name: 'a' }]))).toEqual({
+        status: 403, body: { error: 'No permission' },
+      });
+    });
+
    it('imports and broadcasts per item', () => {
      const bulkImport = vi.fn().mockReturnValue([{ id: 1 }, { id: 2 }]);
      const broadcast = vi.fn();
@@ -103,7 +124,46 @@ describe('PackingController (parity with the legacy /api/trips/:tripId/packing r
    });
  });

+  describe('PUT /reorder', () => {
+    it('reorders the items and reports success', () => {
+      const reorderItems = vi.fn();
+      const svc = makeService({ reorderItems } as Partial<PackingService>);
+      expect(new PackingController(svc).reorder(user, '5', [3, 1, 2])).toEqual({ success: true });
+      expect(reorderItems).toHaveBeenCalledWith('5', [3, 1, 2]);
+    });
+
+    it('403 without packing_edit permission', () => {
+      const svc = makeService({ canEdit: vi.fn().mockReturnValue(false) });
+      expect(thrown(() => new PackingController(svc).reorder(user, '5', [1]))).toEqual({
+        status: 403, body: { error: 'No permission' },
+      });
+    });
+  });
+
+  describe('DELETE /:id (remove)', () => {
+    it('404 when the item is missing', () => {
+      const svc = makeService({ deleteItem: vi.fn().mockReturnValue(false) } as Partial<PackingService>);
+      expect(thrown(() => new PackingController(svc).remove(user, '5', '9'))).toEqual({
+        status: 404, body: { error: 'Item not found' },
+      });
+    });
+
+    it('deletes the item and broadcasts', () => {
+      const deleteItem = vi.fn().mockReturnValue(true);
+      const broadcast = vi.fn();
+      const svc = makeService({ deleteItem, broadcast } as Partial<PackingService>);
+      expect(new PackingController(svc).remove(user, '5', '9', 'sock')).toEqual({ success: true });
+      expect(broadcast).toHaveBeenCalledWith('5', 'packing:deleted', { itemId: 9 }, 'sock');
+    });
+  });
+
  describe('bags', () => {
+    it('GET /bags lists bags for the trip', () => {
+      const listBags = vi.fn().mockReturnValue([{ id: 3, name: 'Carry-on' }]);
+      const svc = makeService({ listBags } as Partial<PackingService>);
+      expect(new PackingController(svc).listBags(user, '5')).toEqual({ bags: [{ id: 3, name: 'Carry-on' }] });
+    });
+
    it('400 on bag create with blank name', () => {
      const svc = makeService();
      expect(thrown(() => new PackingController(svc).createBag(user, '5', { name: '  ' }))).toEqual({
@@ -111,12 +171,77 @@ describe('PackingController (parity with the legacy /api/trips/:tripId/packing r
      });
    });

+    it('400 on bag create with no name at all (optional-chain short-circuit)', () => {
+      const svc = makeService();
+      expect(thrown(() => new PackingController(svc).createBag(user, '5', {}))).toEqual({
+        status: 400, body: { error: 'Name is required' },
+      });
+    });
+
+    it('creates a bag and broadcasts', () => {
+      const createBag = vi.fn().mockReturnValue({ id: 3, name: 'Carry-on' });
+      const broadcast = vi.fn();
+      const svc = makeService({ createBag, broadcast } as Partial<PackingService>);
+      expect(new PackingController(svc).createBag(user, '5', { name: 'Carry-on', color: '#fff' }, 'sock')).toEqual({
+        bag: { id: 3, name: 'Carry-on' },
+      });
+      expect(broadcast).toHaveBeenCalledWith('5', 'packing:bag-created', { bag: { id: 3, name: 'Carry-on' } }, 'sock');
+    });
+
    it('404 on bag update when missing', () => {
      const svc = makeService({ updateBag: vi.fn().mockReturnValue(null) } as Partial<PackingService>);
      expect(thrown(() => new PackingController(svc).updateBag(user, '5', '3', { name: 'X' }))).toEqual({
        status: 404, body: { error: 'Bag not found' },
      });
    });
+
+    it('updates a bag, forwards changed keys and broadcasts', () => {
+      const updateBag = vi.fn().mockReturnValue({ id: 3, name: 'X' });
+      const broadcast = vi.fn();
+      const svc = makeService({ updateBag, broadcast } as Partial<PackingService>);
+      new PackingController(svc).updateBag(user, '5', '3', { name: 'X', color: '#000' }, 'sock');
+      expect(updateBag).toHaveBeenCalledWith('5', '3', expect.objectContaining({ name: 'X', color: '#000' }), ['name', 'color']);
+      expect(broadcast).toHaveBeenCalledWith('5', 'packing:bag-updated', { bag: { id: 3, name: 'X' } }, 'sock');
+    });
+
+    it('404 on bag delete when missing', () => {
+      const svc = makeService({ deleteBag: vi.fn().mockReturnValue(false) } as Partial<PackingService>);
+      expect(thrown(() => new PackingController(svc).deleteBag(user, '5', '3'))).toEqual({
+        status: 404, body: { error: 'Bag not found' },
+      });
+    });
+
+    it('deletes a bag and broadcasts', () => {
+      const deleteBag = vi.fn().mockReturnValue(true);
+      const broadcast = vi.fn();
+      const svc = makeService({ deleteBag, broadcast } as Partial<PackingService>);
+      expect(new PackingController(svc).deleteBag(user, '5', '3', 'sock')).toEqual({ success: true });
+      expect(broadcast).toHaveBeenCalledWith('5', 'packing:bag-deleted', { bagId: 3 }, 'sock');
+    });
+
+    it('404 on set-members when the bag is missing', () => {
+      const svc = makeService({ setBagMembers: vi.fn().mockReturnValue(null) } as Partial<PackingService>);
+      expect(thrown(() => new PackingController(svc).setBagMembers(user, '5', '3', [1, 2]))).toEqual({
+        status: 404, body: { error: 'Bag not found' },
+      });
+    });
+
+    it('sets bag members and broadcasts (array branch)', () => {
+      const setBagMembers = vi.fn().mockReturnValue([{ user_id: 1 }, { user_id: 2 }]);
+      const broadcast = vi.fn();
+      const svc = makeService({ setBagMembers, broadcast } as Partial<PackingService>);
+      const res = new PackingController(svc).setBagMembers(user, '5', '3', [1, 2], 'sock');
+      expect(res).toEqual({ members: [{ user_id: 1 }, { user_id: 2 }] });
+      expect(setBagMembers).toHaveBeenCalledWith('5', '3', [1, 2]);
+      expect(broadcast).toHaveBeenCalledWith('5', 'packing:bag-members-updated', { bagId: 3, members: [{ user_id: 1 }, { user_id: 2 }] }, 'sock');
+    });
+
+    it('coerces non-array members to an empty list (ternary else branch)', () => {
+      const setBagMembers = vi.fn().mockReturnValue([]);
+      const svc = makeService({ setBagMembers } as Partial<PackingService>);
+      new PackingController(svc).setBagMembers(user, '5', '3', 'not-an-array');
+      expect(setBagMembers).toHaveBeenCalledWith('5', '3', []);
+    });
  });

  describe('templates', () => {
@@ -135,6 +260,33 @@ describe('PackingController (parity with the legacy /api/trips/:tripId/packing r
      });
    });

+    it('applies a template, broadcasts the added items and reports the count', () => {
+      const applyTemplate = vi.fn().mockReturnValue([{ id: 1 }, { id: 2 }, { id: 3 }]);
+      const broadcast = vi.fn();
+      const svc = makeService({ applyTemplate, broadcast } as Partial<PackingService>);
+      const res = new PackingController(svc).applyTemplate(user, '5', 't1', 'sock');
+      expect(res).toEqual({ items: [{ id: 1 }, { id: 2 }, { id: 3 }], count: 3 });
+      expect(broadcast).toHaveBeenCalledWith('5', 'packing:template-applied', { items: [{ id: 1 }, { id: 2 }, { id: 3 }] }, 'sock');
+    });
+
+    it('400 when an admin saves a template with no name (whitespace)', () => {
+      const saveAsTemplate = vi.fn();
+      const svc = makeService({ saveAsTemplate } as Partial<PackingService>);
+      expect(thrown(() => new PackingController(svc).saveAsTemplate(admin, '5', '   '))).toEqual({
+        status: 400, body: { error: 'Template name is required' },
+      });
+      expect(saveAsTemplate).not.toHaveBeenCalled();
+    });
+
+    it('400 when an admin saves a template with no name at all (optional-chain)', () => {
+      const saveAsTemplate = vi.fn();
+      const svc = makeService({ saveAsTemplate } as Partial<PackingService>);
+      expect(thrown(() => new PackingController(svc).saveAsTemplate(admin, '5'))).toEqual({
+        status: 400, body: { error: 'Template name is required' },
+      });
+      expect(saveAsTemplate).not.toHaveBeenCalled();
+    });
+
    it('403 when a non-admin tries to save a template', () => {
      const saveAsTemplate = vi.fn();
      const svc = makeService({ saveAsTemplate } as Partial<PackingService>);
@@ -162,6 +314,24 @@ describe('PackingController (parity with the legacy /api/trips/:tripId/packing r
  });

  describe('category assignees', () => {
+    it('GET /category-assignees returns the assignee list for an accessible trip', () => {
+      const getCategoryAssignees = vi.fn().mockReturnValue([{ category: 'Clothes', user_id: 2 }]);
+      const svc = makeService({ getCategoryAssignees } as Partial<PackingService>);
+      expect(new PackingController(svc).categoryAssignees(user, '5')).toEqual({
+        assignees: [{ category: 'Clothes', user_id: 2 }],
+      });
+      expect(getCategoryAssignees).toHaveBeenCalledWith('5');
+    });
+
+    it('decodes the URI-encoded category name before forwarding', () => {
+      const updateCategoryAssignees = vi.fn().mockReturnValue([]);
+      const broadcast = vi.fn();
+      const notifyTagged = vi.fn();
+      const svc = makeService({ updateCategoryAssignees, broadcast, notifyTagged } as Partial<PackingService>);
+      new PackingController(svc).updateCategoryAssignees(user, '5', 'Toys%20%26%20Games', [2]);
+      expect(updateCategoryAssignees).toHaveBeenCalledWith('5', 'Toys & Games', [2]);
+    });
+
    it('updates assignees, broadcasts and fires the tag notification', () => {
      const updateCategoryAssignees = vi.fn().mockReturnValue([{ user_id: 2 }]);
      const broadcast = vi.fn();
@@ -16,12 +16,15 @@ const { pk } = vi.hoisted(() => ({
  pk: {
    verifyTripAccess: vi.fn(), listItems: vi.fn(), createItem: vi.fn(), updateItem: vi.fn(), deleteItem: vi.fn(),
    bulkImport: vi.fn(), listBags: vi.fn(), createBag: vi.fn(), updateBag: vi.fn(), deleteBag: vi.fn(),
-    applyTemplate: vi.fn(), saveAsTemplate: vi.fn(), setBagMembers: vi.fn(), getCategoryAssignees: vi.fn(),
+    listTemplates: vi.fn(), applyTemplate: vi.fn(), saveAsTemplate: vi.fn(), setBagMembers: vi.fn(), getCategoryAssignees: vi.fn(),
    updateCategoryAssignees: vi.fn(), reorderItems: vi.fn(),
  },
 }));
 vi.mock('../../../src/services/packingService', () => pk);

+const { send } = vi.hoisted(() => ({ send: vi.fn(() => Promise.resolve()) }));
+vi.mock('../../../src/services/notificationService', () => ({ send }));
+
 import { PackingService } from '../../../src/nest/packing/packing.service';

 function svc() {
@@ -55,6 +58,7 @@ describe('PackingService (wrapper delegation + helpers)', () => {
    s.updateBag('5', '2', { name: 'B' } as never, ['name']); expect(pk.updateBag).toHaveBeenCalledWith('5', '2', { name: 'B' }, ['name']);
    s.deleteBag('5', '2'); expect(pk.deleteBag).toHaveBeenCalledWith('5', '2');
    s.setBagMembers('5', '2', [1, 2]); expect(pk.setBagMembers).toHaveBeenCalledWith('5', '2', [1, 2]);
+    s.listTemplates(); expect(pk.listTemplates).toHaveBeenCalled();
    s.applyTemplate('5', 't1'); expect(pk.applyTemplate).toHaveBeenCalledWith('5', 't1');
    s.saveAsTemplate('5', 1, 'Tpl'); expect(pk.saveAsTemplate).toHaveBeenCalledWith('5', 1, 'Tpl');
    s.getCategoryAssignees('5'); expect(pk.getCategoryAssignees).toHaveBeenCalledWith('5');
@@ -71,5 +75,31 @@ describe('PackingService (wrapper delegation + helpers)', () => {
    it('fires the notification when users are tagged (fire-and-forget, no throw)', () => {
      expect(() => svc().notifyTagged('5', { id: 1, email: 'a@b.c' } as never, 'Clothes', [2, 3])).not.toThrow();
    });
+
+    it('queries the trip title and dispatches the notification with the resolved title', async () => {
+      dbMock._stmt.get.mockReturnValue({ title: 'Iceland 2026' });
+      svc().notifyTagged('5', { id: 1, email: 'a@b.c' } as never, 'Clothes', [2, 3]);
+      // Flush the dynamic import().then microtask chain.
+      await new Promise((resolve) => setTimeout(resolve, 0));
+      expect(dbMock.prepare).toHaveBeenCalledWith('SELECT title FROM trips WHERE id = ?');
+      expect(send).toHaveBeenCalledWith(
+        expect.objectContaining({
+          event: 'packing_tagged',
+          actorId: 1,
+          scope: 'trip',
+          targetId: 5,
+          params: expect.objectContaining({ trip: 'Iceland 2026', actor: 'a@b.c', category: 'Clothes', tripId: '5' }),
+        }),
+      );
+    });
+
+    it('falls back to "Untitled" when the trip row is missing (?? / default branch)', async () => {
+      dbMock._stmt.get.mockReturnValue(undefined);
+      svc().notifyTagged('5', { id: 1, email: 'a@b.c' } as never, 'Clothes', [2]);
+      await new Promise((resolve) => setTimeout(resolve, 0));
+      expect(send).toHaveBeenCalledWith(
+        expect.objectContaining({ params: expect.objectContaining({ trip: 'Untitled' }) }),
+      );
+    });
  });
 });
--- a/Show More
+++ b/Show More