chore: release v0.1.1.23

Erweitert die Backup- und Restore-Skripte um die Möglichkeit, Staging-Umgebungen zu unterstützen. Fügt die Option `-dest stage` hinzu, um spezifische Konfigurationen für Staging zu verwenden, einschließlich separater Docker-Compose-Dateien und Datenbankcontainer. Dokumentation aktualisiert, um manuelle Tests und Umgebungsvariablen für Staging zu reflektieren.

README.md

@@ -258,6 +258,8 @@ Standard-Ziel Prod: `root@10.0.0.25:/opt/kapteins-daagbok` — per `REMOTE_HOST`
 
 Auf dem Server müssen `.env` u. a. `POSTGRES_PASSWORD`, `RP_ID`, `ORIGIN` (`https://kapteins-daagbok.eu`), `SESSION_SECRET` (≥ 32 Zeichen), `TRUST_PROXY` (NPM, z. B. `172.16.10.10` oder `1`) und bei Push `VAPID_*` enthalten. Optional `NTFY_*` für Feedback. Nach Schema-Änderungen: `npx prisma db push` im Backend-Container.
 
+Prod-Deploy legt vor dem Update automatisch ein Server-Backup an (DB, `.env`, Compose, App-Code). Tägliches Cron-Backup und Restore: [docs/deployment/backup.md](docs/deployment/backup.md).
+
 Hinter **Nginx Proxy Manager**: [docs/deployment/npm-security.md](docs/deployment/npm-security.md).
 
 ### Staging
@@ -277,6 +279,7 @@ Standard-Ziel Staging: `root@10.0.0.27:/opt/kapteins-daagbok-staging` — per `R
 | [docs/deployment/npm-security.md](docs/deployment/npm-security.md) | NPM, TLS, `trust proxy`, Security-Header |
 | [docs/deployment/predeploy.md](docs/deployment/predeploy.md) | Pre-Deploy-Checks ohne CI |
 | [docs/deployment/postgres-password.md](docs/deployment/postgres-password.md) | PostgreSQL-Passwort rotieren / App-Rolle |
+| [docs/deployment/backup.md](docs/deployment/backup.md) | Server-Backup, Crontab, Restore (Prod) |
 | [docs/deployment/staging.md](docs/deployment/staging.md) | Staging-VM, Deploy, `.env` |
 | [docs/plausible-events.md](docs/plausible-events.md) | Custom Events für Plausible Analytics |
 | [docs/push-notifications-plan.md](docs/push-notifications-plan.md) | Web Push: Architektur, API, Testplan |

VERSION

@@ -1 +1 @@
-0.1.1.20
+0.1.1.24

client/src/App.css

@@ -3237,9 +3237,9 @@ html.theme-cupertino .events-scroll-container {
   left: 0;
   right: 0;
   bottom: 0;
-  background: rgba(11, 12, 16, 0.75);
+  background: rgba(11, 12, 16, 0.45);
-  backdrop-filter: blur(10px);
+  backdrop-filter: var(--app-backdrop);
-  -webkit-backdrop-filter: blur(10px);
+  -webkit-backdrop-filter: var(--app-backdrop);
   display: flex;
   align-items: center;
   justify-content: center;
@@ -3247,13 +3247,15 @@ html.theme-cupertino .events-scroll-container {
 }
 
 .custom-dialog-card {
-  background: rgba(15, 23, 42, 0.85);
+  background: var(--app-surface-hover, var(--app-surface));
-  border: 1px solid rgba(255, 255, 255, 0.08);
+  backdrop-filter: var(--app-backdrop);
-  border-radius: 16px;
+  -webkit-backdrop-filter: var(--app-backdrop);
+  border: 1px solid var(--app-border-subtle);
+  border-radius: var(--app-radius-card, 16px);
   padding: 28px;
   width: 90%;
   max-width: 420px;
-  box-shadow: 0 25px 50px -12px rgba(0, 0, 0, 0.6);
+  box-shadow: var(--app-shadow);
   text-align: center;
   display: flex;
   flex-direction: column;
@@ -3263,7 +3265,7 @@ html.theme-cupertino .events-scroll-container {
 .custom-dialog-title {
   font-size: 19px;
   font-weight: 700;
-  color: #fbbf24;
+  color: var(--app-accent-light);
   margin: 0 0 14px 0;
   text-transform: uppercase;
   letter-spacing: 0.5px;
@@ -3271,7 +3273,7 @@ html.theme-cupertino .events-scroll-container {
 
 .custom-dialog-message {
   font-size: 15px;
-  color: #e2e8f0;
+  color: var(--app-text);
   line-height: 1.5;
   margin: 0 0 24px 0;
   white-space: pre-line;

client/src/components/CreatorAvatar.tsx

@@ -45,12 +45,39 @@ export default function CreatorAvatar({
   let photo: string | null = null
   let role = ''
 
-  if (creatorId && crewSnapshotsById && crewSnapshotsById[creatorId]) {
+  if (creatorId && crewSnapshotsById) {
-    const snap = crewSnapshotsById[creatorId]
+    let snap: PersonSnapshot | undefined = crewSnapshotsById[creatorId]
+
+    // Fallback: If not found directly by key, search by role or name or active user
+    if (!snap) {
+      if (creatorId === 'skipper') {
+        snap = Object.values(crewSnapshotsById).find((s) => s.role === 'skipper')
+      } else {
+        // Try to match name case-insensitively
+        snap = Object.values(crewSnapshotsById).find(
+          (s) => (s.name || '').trim().toLowerCase() === creatorId.trim().toLowerCase()
+        )
+
+        // Try to match active username/userid to the skipper snapshot
+        if (!snap) {
+          const activeUsername = localStorage.getItem('active_username')
+          const activeUserId = localStorage.getItem('active_userid')
+          if (
+            (activeUsername && creatorId.toLowerCase() === activeUsername.toLowerCase()) ||
+            (activeUserId && creatorId === activeUserId)
+          ) {
+            snap = Object.values(crewSnapshotsById).find((s) => s.role === 'skipper')
+          }
+        }
+      }
+    }
+
+    if (snap) {
       name = snap.name || ''
       photo = snap.photo || null
       role = snap.role || ''
     }
+  }
 
   // Fallback to active username if owner or no crew pool matches
   if (!name) {

client/src/components/EventRemarksCell.tsx

@@ -1,24 +1,97 @@
+import { useState, useEffect } from 'react'
 import { useTranslation } from 'react-i18next'
+import { Mic, Loader2 } from 'lucide-react'
 import type { LogEventPayload } from '../utils/logEntryPayload.js'
 import { parseLiveVoiceRemark } from '../utils/liveEventCodes.js'
 import { formatEventSummary } from '../utils/formatEventSummary.js'
 import VoiceMemoPlayer, { type PreloadedVoiceMemo } from './VoiceMemoPlayer.tsx'
+import { useDialog } from './ModalDialog.tsx'
+import { updateVoiceMemoTranscript } from '../services/voiceAttachments.js'
+import { PlausibleEvents, trackPlausibleEvent } from '../services/analytics.js'
+import { getAiAuthorized } from '../services/userPreferences.js'
 
 interface EventRemarksCellProps {
   event: LogEventPayload
   logbookId: string
   voiceMemoLookup?: Map<string, PreloadedVoiceMemo>
+  readOnly?: boolean
 }
 
 export default function EventRemarksCell({
   event,
   logbookId,
-  voiceMemoLookup
+  voiceMemoLookup,
+  readOnly = false
 }: EventRemarksCellProps) {
   const { t } = useTranslation()
+  const { showAlert } = useDialog()
   const voiceId = parseLiveVoiceRemark(event.remarks.trim())
   const preloaded = voiceId ? voiceMemoLookup?.get(voiceId) : undefined
 
+  const [transcribing, setTranscribing] = useState(false)
+  const [isOnline, setIsOnline] = useState(navigator.onLine)
+
+  useEffect(() => {
+    const handleOnline = () => setIsOnline(true)
+    const handleOffline = () => setIsOnline(false)
+    window.addEventListener('online', handleOnline)
+    window.addEventListener('offline', handleOffline)
+    return () => {
+      window.removeEventListener('online', handleOnline)
+      window.removeEventListener('offline', handleOffline)
+    }
+  }, [])
+
+  const handleTranscribe = async (e: React.MouseEvent) => {
+    e.preventDefault()
+    e.stopPropagation()
+    if (transcribing || !preloaded?.audio || !voiceId) return
+    if (!getAiAuthorized()) {
+      void showAlert(
+        t('profile.ai_unauthorized_alert_desc'),
+        t('profile.ai_unauthorized_alert_title')
+      )
+      return
+    }
+    setTranscribing(true)
+    const controller = new AbortController()
+    const timeoutId = setTimeout(() => controller.abort(), 15000)
+    try {
+      const res = await fetch('/api/ai/transcribe', {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json'
+        },
+        body: JSON.stringify({ audioDataUrl: preloaded.audio }),
+        signal: controller.signal
+      })
+      clearTimeout(timeoutId)
+      if (!res.ok) {
+        throw new Error(`Server returned status ${res.status}`)
+      }
+      const data = await res.json()
+      const text = (data.text || '').trim()
+      if (!text) {
+        throw new Error('Transcription returned empty text')
+      }
+      await updateVoiceMemoTranscript(logbookId, voiceId, text)
+      trackPlausibleEvent(PlausibleEvents.VOICE_MEMO_TRANSCRIBED, {
+        status: 'success',
+        mode: 'manual'
+      })
+    } catch (err) {
+      clearTimeout(timeoutId)
+      console.error('[EventRemarksCell] Transcription failed:', err)
+      trackPlausibleEvent(PlausibleEvents.VOICE_MEMO_TRANSCRIBED, {
+        status: 'failed',
+        mode: 'manual'
+      })
+      void showAlert(t('logs.live_voice_transcribe_failed'), t('logs.live_voice_btn'))
+    } finally {
+      setTranscribing(false)
+    }
+  }
+
   let summary = formatEventSummary(event, t)
   if (voiceId && preloaded?.caption) {
     summary = t('logs.live_voice_entry', { caption: preloaded.caption })
@@ -28,12 +101,39 @@ export default function EventRemarksCell({
     <div className={`event-remarks-cell${voiceId ? ' event-remarks-cell--voice' : ''}`}>
       <span>{summary}</span>
       {voiceId && (
+        <div style={{ display: 'inline-flex', alignItems: 'center', flexWrap: 'wrap', gap: '8px', marginTop: '4px' }}>
           <VoiceMemoPlayer
             audioId={voiceId}
             logbookId={logbookId}
             preloaded={preloaded}
             compact
           />
+          {!readOnly && preloaded && preloaded.transcribed === false && isOnline && (
+            <button
+              type="button"
+              className="btn-icon-text link-sec"
+              style={{
+                fontSize: '0.8rem',
+                padding: '2px 6px',
+                height: 'auto',
+                display: 'inline-flex',
+                alignItems: 'center',
+                gap: '4px',
+                margin: 0
+              }}
+              onClick={handleTranscribe}
+              disabled={transcribing}
+              title={t('logs.live_voice_transcribe_action')}
+            >
+              {transcribing ? (
+                <Loader2 size={12} className="spin" />
+              ) : (
+                <Mic size={12} />
+              )}
+              {transcribing ? t('logs.live_voice_transcribing') : t('logs.live_voice_transcribe_action')}
+            </button>
+          )}
+        </div>
       )}
     </div>
   )

client/src/components/LiveLogView.tsx

@@ -22,6 +22,7 @@ import {
   Zap
 } from 'lucide-react'
 import { PlausibleEvents, trackPlausibleEvent } from '../services/analytics.js'
+import { getAiAuthorized } from '../services/userPreferences.js'
 import {
   appendQuickEvent as apiAppendQuickEvent,
   appendQuickEvents as apiAppendQuickEvents,
@@ -31,7 +32,6 @@ import {
   removeLastEvent
 } from '../services/quickEventLog.js'
 import CreatorAvatar from './CreatorAvatar.tsx'
-import { formatEventSummary } from '../utils/formatEventSummary.js'
 import {
   getLastAutoPositionMs,
   getLastLoggedPositionWithin,
@@ -43,7 +43,6 @@ import {
   liveFuelRemark,
   livePhotoRemark,
   liveVoiceRemark,
-  parseLiveVoiceRemark,
   livePrecipRemark,
   liveSailsRemark,
   liveSogRemark,
@@ -80,7 +79,7 @@ import CourseDialInput from './CourseDialInput.tsx'
 import GpsSignalHint from './GpsSignalHint.tsx'
 import LiveCameraCapture from './LiveCameraCapture.tsx'
 import LiveVoiceCapture from './LiveVoiceCapture.tsx'
-import VoiceMemoPlayer from './VoiceMemoPlayer.tsx'
+import EventRemarksCell from './EventRemarksCell.tsx'
 import { saveEntryPhoto, deleteEntryPhoto } from '../services/photoAttachments.js'
 import { saveEntryVoiceMemo, deleteEntryVoiceMemo } from '../services/voiceAttachments.js'
 import { blobToCompressedJpegDataUrl } from '../utils/imageCompress.js'
@@ -713,14 +712,28 @@ export default function LiveLogView({
             { analyticsSource: 'live_log' }
           )
         } catch (err) {
-          if (err instanceof WeatherApiError && err.code === 'OFFLINE') {
+          if (err instanceof WeatherApiError) {
+            if (err.code === 'OFFLINE') {
               void showAlert(t('logs.weather_offline'), t('logs.live_weather_owm_btn'))
               return
             }
-          if (err instanceof WeatherApiError && err.code === 'NO_KEY') {
+            if (err.code === 'NO_KEY') {
               void showAlert(t('settings.no_key'), t('logs.live_weather_owm_btn'))
               return
             }
+            if (err.code === 'UNAUTHORIZED') {
+              void showAlert(t('settings.weather_unauthorized'), t('logs.live_weather_owm_btn'))
+              return
+            }
+            if (err.code === 'NOT_FOUND') {
+              void showAlert(t('settings.weather_not_found'), t('logs.live_weather_owm_btn'))
+              return
+            }
+            if (err.code === 'BAD_REQUEST') {
+              void showAlert(t('settings.weather_bad_request'), t('logs.live_weather_owm_btn'))
+              return
+            }
+          }
           console.error('Live log OWM weather failed:', err)
           void showAlert(t('settings.weather_error'), t('logs.live_weather_owm_btn'))
           return
@@ -822,13 +835,50 @@ export default function LiveLogView({
     void (async () => {
       try {
         const audioDataUrl = await blobToAudioDataUrl(blob)
+        const authorized = getAiAuthorized()
+        let transcriptionText = ''
+        let transcribed = true
+        let transcriptionError = false
+
+        if (authorized) {
+          try {
+            const controller = new AbortController()
+            const timeoutId = setTimeout(() => controller.abort(), 4000)
+
+            const res = await fetch('/api/ai/transcribe', {
+              method: 'POST',
+              headers: { 'Content-Type': 'application/json' },
+              body: JSON.stringify({ audioDataUrl }),
+              signal: controller.signal
+            })
+            clearTimeout(timeoutId)
+            if (!res.ok) throw new Error(`Status ${res.status}`)
+            const data = await res.json()
+            transcriptionText = (data.text || '').trim()
+          } catch (err) {
+            console.warn('[LiveLogView] Automatic transcription failed or timed out:', err)
+            transcriptionError = true
+            transcribed = false
+          }
+        } else {
+          transcribed = false
+        }
+
+        let finalCaption = caption
+        if (transcriptionText) {
+          finalCaption = caption
+            ? `${caption}\n(Transkript: ${transcriptionText})`
+            : transcriptionText
+        }
+
         const voiceId = await saveEntryVoiceMemo({
           logbookId,
           entryId,
           audioDataUrl,
           mimeType,
           durationSec,
-          caption,
+          caption: finalCaption,
+          transcribed,
           analyticsContext: 'live_log'
         })
         await appendQuickEvent(logbookId, entryId, {
@@ -840,6 +890,23 @@ export default function LiveLogView({
         setVoiceCaption('')
         showUndo('voice')
         trackPlausibleEvent(PlausibleEvents.LIVE_LOG_EVENT_LOGGED, { action: 'voice' })
+        if (transcriptionError) {
+          trackPlausibleEvent(PlausibleEvents.VOICE_MEMO_TRANSCRIBED, {
+            status: 'failed',
+            mode: 'auto'
+          })
+          void showAlert(t('logs.live_voice_transcribe_failed'), t('logs.live_voice_btn'))
+        } else if (authorized) {
+          trackPlausibleEvent(PlausibleEvents.VOICE_MEMO_TRANSCRIBED, {
+            status: 'success',
+            mode: 'auto'
+          })
+        } else {
+          void showAlert(
+            t('profile.ai_unauthorized_alert_desc'),
+            t('profile.ai_unauthorized_alert_title')
+          )
+        }
       } catch (err: unknown) {
         console.error('Live log voice save failed:', err)
         const msg = err instanceof Error && err.message === 'VOICE_MEMO_TOO_LARGE'
@@ -1211,12 +1278,6 @@ export default function LiveLogView({
           ) : (
             <ol className="live-log-stream">
               {events.map((event, index) => {
-                const voiceId = parseLiveVoiceRemark(event.remarks.trim())
-                const voicePreloaded = voiceId ? voiceMemoLookup.get(voiceId) : undefined
-                let summary = formatEventSummary(event, t)
-                if (voiceId && voicePreloaded?.caption) {
-                  summary = t('logs.live_voice_entry', { caption: voicePreloaded.caption })
-                }
                 return (
                   <li key={`${event.time}-${index}`} className="live-log-entry">
                     <time className="live-log-time">{event.time}</time>
@@ -1226,15 +1287,12 @@ export default function LiveLogView({
                       size={24}
                     />
                     <div className="live-log-summary-block">
-                      <span className="live-log-summary">{summary}</span>
+                      <EventRemarksCell
-                      {voiceId && (
+                        event={event}
-                        <VoiceMemoPlayer
-                          audioId={voiceId}
                         logbookId={logbookId}
-                          preloaded={voicePreloaded}
+                        voiceMemoLookup={voiceMemoLookup}
-                          compact
+                        readOnly={false}
                       />
-                      )}
                     </div>
                   </li>
                 )

client/src/components/LogEntryEditor.tsx

@@ -50,6 +50,7 @@ import {
   TravelDaySummaryApiError
 } from '../services/aiSummary.js'
 import { tryDecryptEntryPayload } from '../services/quickEventLog.js'
+import { getAiAuthorized } from '../services/userPreferences.js'
 import {
   getDecryptedTrack,
   saveUploadedTrack,
@@ -1178,14 +1179,28 @@ export default function LogEntryEditor({
 
       showAlert(t('settings.weather_success'))
     } catch (err) {
-      if (err instanceof WeatherApiError && err.code === 'OFFLINE') {
+      if (err instanceof WeatherApiError) {
+        if (err.code === 'OFFLINE') {
           showAlert(t('logs.weather_offline'))
           return
         }
-      if (err instanceof WeatherApiError && err.code === 'NO_KEY') {
+        if (err.code === 'NO_KEY') {
           showAlert(t('settings.no_key'))
           return
         }
+        if (err.code === 'UNAUTHORIZED') {
+          showAlert(t('settings.weather_unauthorized'))
+          return
+        }
+        if (err.code === 'NOT_FOUND') {
+          showAlert(t('settings.weather_not_found'))
+          return
+        }
+        if (err.code === 'BAD_REQUEST') {
+          showAlert(t('settings.weather_bad_request'))
+          return
+        }
+      }
       console.error('Weather prefilling failed:', err)
       showAlert(t('settings.weather_error'))
     } finally {
@@ -1195,6 +1210,13 @@ export default function LogEntryEditor({
 
   const handleGenerateAiSummary = async () => {
     if (!canSignSkipper || readOnly || aiSummaryLoading) return
+    if (!getAiAuthorized()) {
+      void showAlert(
+        t('profile.ai_unauthorized_alert_desc'),
+        t('profile.ai_unauthorized_alert_title')
+      )
+      return
+    }
     if (!isOnline) {
       setAiSummaryError(t('logs.ai_summary_offline'))
       return
@@ -1895,6 +1917,7 @@ export default function LogEntryEditor({
                           event={ev}
                           logbookId={logbookId}
                           voiceMemoLookup={voiceMemoLookup}
+                          readOnly={readOnly}
                         />
                       </td>
                       {!readOnly && (

client/src/components/UserProfilePreferences.tsx

@@ -1,6 +1,6 @@
 import { useState } from 'react'
 import { useTranslation } from 'react-i18next'
-import { Compass, Palette, Save, Check, Cloud } from 'lucide-react'
+import { Compass, Palette, Save, Check, Cloud, Brain } from 'lucide-react'
 import ThemedSelect from './ThemedSelect.tsx'
 import PushNotificationSettings from './PushNotificationSettings.tsx'
 import PwaInstallPrompt from './PwaInstallPrompt.tsx'
@@ -13,7 +13,9 @@ import {
   getThemePreference,
   setColorSchemePreference,
   setOwmApiKey,
-  setThemePreference
+  setThemePreference,
+  getAiAuthorized,
+  setAiAuthorized
 } from '../services/userPreferences.js'
 
 interface UserProfilePreferencesProps {
@@ -28,6 +30,7 @@ export default function UserProfilePreferences({ userId }: UserProfilePreference
   const [colorScheme, setColorScheme] = useState(() => getColorSchemePreference(userId))
   const [savingOwm, setSavingOwm] = useState(false)
   const [owmSaved, setOwmSaved] = useState(false)
+  const [aiAuthorized, setAiAuthorizedState] = useState(() => getAiAuthorized(userId))
 
   const persistAppearance = (nextTheme: string, nextColorScheme: string) => {
     setThemePreference(userId, nextTheme)
@@ -58,6 +61,12 @@ export default function UserProfilePreferences({ userId }: UserProfilePreference
     window.setTimeout(() => setOwmSaved(false), 3000)
   }
 
+  const handleAiToggle = (e: React.ChangeEvent<HTMLInputElement>) => {
+    const nextVal = e.target.checked
+    setAiAuthorizedState(nextVal)
+    setAiAuthorized(userId, nextVal)
+  }
+
   return (
     <>
       <section className="member-editor-card glass">
@@ -152,6 +161,42 @@ export default function UserProfilePreferences({ userId }: UserProfilePreference
         </form>
       </section>
 
+      <section className="member-editor-card glass">
+        <div className="profile-section-header">
+          <Brain size={20} style={{ color: 'var(--app-accent-light)' }} />
+          <h3 style={{ margin: 0, color: 'var(--app-accent-light)', fontSize: '16px' }}>
+            {t('profile.ai_title')}
+          </h3>
+        </div>
+        <p className="text-muted" style={{ fontSize: '13.5px', lineHeight: '145%', margin: '0 0 12px 0' }}>
+          {t('profile.ai_desc')}
+        </p>
+        <p className="text-muted" style={{ fontSize: '13px', lineHeight: '145%', margin: '0 0 16px 0', whiteSpace: 'pre-line' }}>
+          {t('profile.ai_help')}
+        </p>
+
+        <label
+          className="switch-label"
+          style={{
+            display: 'flex',
+            alignItems: 'center',
+            gap: '10px',
+            cursor: 'pointer',
+            fontSize: '14px',
+            color: '#f1f5f9'
+          }}
+        >
+          <input
+            id="profile-ai-authorize"
+            type="checkbox"
+            checked={aiAuthorized}
+            onChange={handleAiToggle}
+            style={{ width: '18px', height: '18px', cursor: 'pointer' }}
+          />
+          <span>{t('profile.ai_enable_label')}</span>
+        </label>
+      </section>
+
       <PushNotificationSettings />
       <PwaInstallPrompt variant="inline" />
     </>

client/src/components/VoiceMemoPlayer.tsx

@@ -11,6 +11,7 @@ export interface PreloadedVoiceMemo {
   mimeType?: string
   durationSec?: number
   caption?: string
+  transcribed?: boolean
 }
 
 interface VoiceMemoPlayerProps {

client/src/hooks/useEntryVoiceMemos.ts

@@ -48,7 +48,8 @@ export function useEntryVoiceMemos(
             audio: String(decrypted.audio),
             mimeType: decrypted.mimeType ? String(decrypted.mimeType) : undefined,
             durationSec: typeof decrypted.durationSec === 'number' ? decrypted.durationSec : undefined,
-            caption: decrypted.caption ? String(decrypted.caption) : ''
+            caption: decrypted.caption ? String(decrypted.caption) : '',
+            transcribed: decrypted.transcribed !== false
           })
         } catch {
           // skip corrupt memo

client/src/i18n/locales/da.json

@@ -297,6 +297,9 @@
       "live_voice_entry_plain": "Stemmenotat",
       "live_voice_caption_label": "Billedtekst (valgfrit)",
       "live_voice_caption_placeholder": "f.eks. radiokontakt med havnemester",
+      "live_voice_transcribe_action": "Transkribere",
+      "live_voice_transcribing": "Transkriberer…",
+      "live_voice_transcribe_failed": "Stemmebesked gemt, men transkribering mislykkedes.",
       "live_undo_voice_hint": "Stemmenotat gemt",
       "live_comment_btn": "Kommentar",
       "live_comment_placeholder": "Indtast tekst…",
@@ -669,6 +672,12 @@
       "integrations_title": "Integrationer",
       "owm_key": "OpenWeatherMap API-nøgle",
       "owm_help": "Valgfrit: egen OpenWeatherMap API-nøgle. Hvis der ikke er nogen indtastning, bruges nøglen på serversiden fra operatørkonfigurationen.",
+      "ai_title": "AI-funktioner og privatliv",
+      "ai_desc": "Autoriser integrationer af kunstig intelligens for dine logbøger.",
+      "ai_help": "Aktivering af AI-funktioner giver appen mulighed for at opsummere dine rejsedage og transkribere optagede stemmememoer. For at behandle disse anmodninger sendes rå stemmedata og rejselogfiler sikkert løbende til OpenRouter. Der gemmes ingen data permanent af AI-modellen.\n\nDisse cloud-ressourcer koster penge at køre. Hvis du kan lide at bruge dem, bedes du overveje at støtte projektet frivilligt med en donation via Ko-fi-linket i footeren for at holde dem gratis og bæredygtige for alle.",
+      "ai_enable_label": "Aktiver transkribering og resuméer af rejsedage",
+      "ai_unauthorized_alert_title": "AI-funktioner er ikke autoriseret",
+      "ai_unauthorized_alert_desc": "For at bruge transkribering eller rejsedagsresuméer skal du autorisere dataoverførslen til OpenRouter i din brugerprofil under 'AI-funktioner og privatliv'.",
       "prefs_save": "Gemme",
       "prefs_saving": "Vil blive reddet...",
       "prefs_saved": "Gemt",
@@ -790,6 +799,9 @@
       "no_key": "Ingen OpenWeatherMap API-nøgle tilgængelig. Gem din egen nøgle i brugerprofilen, eller kontakt operatøren.",
       "weather_success": "Vejrdata hentet med succes!",
       "weather_error": "Hentning af vejrdata mislykkedes. Tjek API-nøglen og forbindelsen.",
+      "weather_unauthorized": "Hentning af vejrdata mislykkedes. API-nøglen er ugyldig eller ikke autoriseret.",
+      "weather_not_found": "Hentning af vejrdata mislykkedes. Den angivne placering eller koordinater blev ikke fundet.",
+      "weather_bad_request": "Hentning af vejrdata mislykkedes. Ingen placering eller GPS-position blev angivet.",
       "weather_date_mismatch": "Vejrdata kan kun hentes for i dag ({{today}}). Dette logbogsindlæg er dateret {{date}}.",
       "gps_error": "Indtast en placering, eller find GPS-koordinaterne.",
       "share_title": "Del logbog (skrivebeskyttet)",

client/src/i18n/locales/de.json

@@ -297,6 +297,9 @@
       "live_voice_entry_plain": "Sprachnotiz",
       "live_voice_caption_label": "Beschriftung (optional)",
       "live_voice_caption_placeholder": "z. B. Funkverkehr mit Hafenmeister",
+      "live_voice_transcribe_action": "Transkribieren",
+      "live_voice_transcribing": "Transkribiere...",
+      "live_voice_transcribe_failed": "Sprachmemo gespeichert, aber Transkription fehlgeschlagen.",
       "live_undo_voice_hint": "Sprachnotiz gespeichert",
       "live_comment_btn": "Kommentar",
       "live_comment_placeholder": "Freitext eingeben…",
@@ -669,6 +672,12 @@
       "integrations_title": "Integrationen",
       "owm_key": "OpenWeatherMap API-Schlüssel",
       "owm_help": "Optional: eigener OpenWeatherMap-API-Schlüssel. Ohne Eintrag wird der serverseitige Schlüssel aus der Betreiber-Konfiguration verwendet.",
+      "ai_title": "KI-Funktionen & Datenschutz",
+      "ai_desc": "Autorisiere die Nutzung von künstlicher Intelligenz (lokale/Cloud-Integrationen) für deine Logbücher.",
+      "ai_help": "Die Aktivierung ermöglicht es, Reiseberichte automatisch zusammenzufassen und Sprachnotizen zu transkribieren. Zur Verarbeitung werden Sprachaufnahmen und Logbucheinträge verschlüsselt an OpenRouter übertragen. Die Daten werden dort nicht dauerhaft gespeichert.\n\nDa der Betrieb dieser Cloud-Ressourcen Kosten verursacht, freuen wir uns über eine freiwillige Unterstützung über den Ko-fi-Spenden-Link im Footer, um diese Funktionen dauerhaft für alle kostenlos anbieten zu können.",
+      "ai_enable_label": "Transkribierung und Tageszusammenfassungen aktivieren",
+      "ai_unauthorized_alert_title": "KI-Funktionen nicht autorisiert",
+      "ai_unauthorized_alert_desc": "Um Sprachnotizen zu transkribieren oder Reiseberichte zusammenzufassen, musst du der Datenübermittlung an OpenRouter in deinem Benutzerprofil unter 'KI-Funktionen & Datenschutz' zustimmen.",
       "prefs_save": "Speichern",
       "prefs_saving": "Wird gespeichert…",
       "prefs_saved": "Gespeichert",
@@ -790,6 +799,9 @@
       "no_key": "Kein OpenWeatherMap-API-Schlüssel verfügbar. Hinterlege einen eigenen Schlüssel im Benutzerprofil oder kontaktiere den Betreiber.",
       "weather_success": "Wetterdaten erfolgreich abgerufen!",
       "weather_error": "Wetterdatenabruf fehlgeschlagen. Überprüfe den API-Schlüssel und die Verbindung.",
+      "weather_unauthorized": "Wetterdatenabruf fehlgeschlagen. Der API-Schlüssel ist ungültig oder nicht autorisiert.",
+      "weather_not_found": "Wetterdatenabruf fehlgeschlagen. Der angegebene Ort oder die Koordinaten wurden nicht gefunden.",
+      "weather_bad_request": "Wetterdatenabruf fehlgeschlagen. Es wurde kein Ort und keine GPS-Position angegeben.",
       "weather_date_mismatch": "Wetterdaten können nur für den heutigen Tag ({{today}}) abgerufen werden. Dieser Logbucheintrag ist auf den {{date}} datiert.",
       "gps_error": "Bitte gib einen Ort an oder ermittle die GPS-Koordinaten.",
       "share_title": "Logbuch teilen (Schreibgeschützt)",

client/src/i18n/locales/en.json

@@ -297,6 +297,9 @@
       "live_voice_entry_plain": "Voice memo",
       "live_voice_caption_label": "Caption (optional)",
       "live_voice_caption_placeholder": "e.g. radio call with harbour master",
+      "live_voice_transcribe_action": "Transcribe",
+      "live_voice_transcribing": "Transcribing…",
+      "live_voice_transcribe_failed": "Voice memo saved, but transcription failed.",
       "live_undo_voice_hint": "Voice memo saved",
       "live_comment_btn": "Comment",
       "live_comment_placeholder": "Enter text…",
@@ -669,6 +672,12 @@
       "integrations_title": "Integrations",
       "owm_key": "OpenWeatherMap API key",
       "owm_help": "Optional: your own OpenWeatherMap API key. If left empty, the operator-configured server key is used.",
+      "ai_title": "AI Features & Privacy",
+      "ai_desc": "Authorize artificial intelligence integrations for your logbooks.",
+      "ai_help": "Enabling AI features allows the app to summarize travel days and transcribe recorded voice memos. To process these requests, raw voice data and travel logs are sent securely on-the-fly to OpenRouter. No data is stored permanently by the AI model.\n\nThese cloud resources cost money to run; if you enjoy using them, please consider supporting the project voluntarily with a donation via the Ko-fi link in the footer to keep them free and sustainable for everyone.",
+      "ai_enable_label": "Enable transcription and travel day summaries",
+      "ai_unauthorized_alert_title": "AI Features Not Authorized",
+      "ai_unauthorized_alert_desc": "To use transcription or travel day summaries, please authorize the data transmission to OpenRouter in your User Profile under 'AI Features & Privacy'.",
       "prefs_save": "Save",
       "prefs_saving": "Saving…",
       "prefs_saved": "Saved",
@@ -790,6 +799,9 @@
       "no_key": "No OpenWeatherMap API key available. Add your own key in your user profile or contact the operator.",
       "weather_success": "Weather details fetched successfully!",
       "weather_error": "Failed to fetch weather. Check your API key and connection.",
+      "weather_unauthorized": "Failed to fetch weather. The API key is invalid or unauthorized.",
+      "weather_not_found": "Failed to fetch weather. The specified location or coordinates were not found.",
+      "weather_bad_request": "Failed to fetch weather. No location or GPS position was specified.",
       "weather_date_mismatch": "Weather data can only be fetched for today ({{today}}). This logbook entry is dated {{date}}.",
       "gps_error": "Please enter a location or fetch GPS coordinates first.",
       "share_title": "Share Logbook (Read-Only)",

client/src/i18n/locales/nb.json

@@ -297,6 +297,9 @@
       "live_voice_entry_plain": "Talemelding",
       "live_voice_caption_label": "Bildetekst (valgfritt)",
       "live_voice_caption_placeholder": "f.eks. radiokontakt med havnesjef",
+      "live_voice_transcribe_action": "Transkribere",
+      "live_voice_transcribing": "Transkriberer…",
+      "live_voice_transcribe_failed": "Taleopptak lagret, men transkribering mislyktes.",
       "live_undo_voice_hint": "Talemelding lagret",
       "live_comment_btn": "Kommentar",
       "live_comment_placeholder": "Skriv inn tekst…",
@@ -669,6 +672,12 @@
       "integrations_title": "Integrasjoner",
       "owm_key": "OpenWeatherMap API-nøkkel",
       "owm_help": "Valgfritt: egen OpenWeatherMap API-nøkkel. Hvis ingen oppføring er gjort, brukes serverside-nøkkelen fra operatørkonfigurasjonen.",
+      "ai_title": "KI-funksjoner og personvern",
+      "ai_desc": "Autoriser integrasjoner av kunstig intelligens for loggbøkene dine.",
+      "ai_help": "Aktivering av KI-funksjoner gjør det mulig for appen å oppsummere reisedagene dine og transkribere innspilte talememoer. For å behandle disse forespørslene sendes rå stemmedata og reiselogger sikkert løpende til OpenRouter. Ingen data lagres permanent av KI-modellen.\n\nDisse nettskyressursene koster penger å drifte. Hvis du har glede av å bruke dem, kan du vurdere å støtte prosjektet frivillig med en donasjon via Ko-fi-lenken i bunnteksten for å holde dem gratis og bærekraftige for alle.",
+      "ai_enable_label": "Aktiver transkribering og oppsummeringer av reisedager",
+      "ai_unauthorized_alert_title": "KI-funktionen er ikke autorisert",
+      "ai_unauthorized_alert_desc": "For å bruke transkribering eller reisedagsoppsummeringer, må du autorisere dataoverføringen til OpenRouter i brukerprofilen din under 'KI-funksjoner og personvern'.",
       "prefs_save": "Spar",
       "prefs_saving": "...vil bli reddet...",
       "prefs_saved": "Reddet",
@@ -790,6 +799,9 @@
       "no_key": "Ingen OpenWeatherMap API-nøkkel tilgjengelig. Lagre din egen nøkkel i brukerprofilen, eller kontakt operatøren.",
       "weather_success": "Værdata vellykket hentet!",
       "weather_error": "Henting av værdata mislyktes. Kontroller API-nøkkelen og tilkoblingen.",
+      "weather_unauthorized": "Henting av værdata mislyktes. API-nøkkelen er ugyldig eller ikke autorisert.",
+      "weather_not_found": "Henting av værdata mislyktes. Den angitte posisjonen eller koordinatene ble ikke funnet.",
+      "weather_bad_request": "Henting av værdata mislyktes. Ingen posisjon eller GPS-koordinater ble angitt.",
       "weather_date_mismatch": "Værdata kan bare hentes ut for i dag ({{today}}). Denne loggbokoppføringen er datert {{date}}.",
       "gps_error": "Vennligst skriv inn en posisjon eller finn GPS-koordinatene.",
       "share_title": "Del loggbok (skrivebeskyttet)",

client/src/i18n/locales/sv.json

@@ -297,6 +297,9 @@
       "live_voice_entry_plain": "Röstanteckning",
       "live_voice_caption_label": "Bildtext (valfritt)",
       "live_voice_caption_placeholder": "t.ex. radiokontakt med hamnmästare",
+      "live_voice_transcribe_action": "Transkribera",
+      "live_voice_transcribing": "Transkriberar…",
+      "live_voice_transcribe_failed": "Röstanteckning sparad, men transkribering misslyckades.",
       "live_undo_voice_hint": "Röstanteckning sparad",
       "live_comment_btn": "Kommentar",
       "live_comment_placeholder": "Ange text…",
@@ -669,6 +672,12 @@
       "integrations_title": "Integrationer",
       "owm_key": "OpenWeatherMap API-nyckel",
       "owm_help": "Valfritt: egen OpenWeatherMap API-nyckel. Om inget anges används nyckeln på serversidan från operatörskonfigurationen.",
+      "ai_title": "AI-funktioner och integritet",
+      "ai_desc": "Auktorisera integrationer av artificiell intelligens för dina loggböcker.",
+      "ai_help": "Genom at aktivera AI-funktioner kan appen sammanfatta dina rejsdagar och transkribera röstmemon. För att bearbeta dessa förfrågningar skickas röstdata och rejsloggar säkert och tillfälligt till OpenRouter. Inga data sparas permanent av AI-modellen.\n\nDessa molnresurser kostar pengar att driva. Om du gillar att använda dem, överväg att frivilligt stödja projektet med en donation via Ko-fi-länken i sidfoten för att hålla dem gratis och hållbara för alla.",
+      "ai_enable_label": "Aktivera transkribering och sammanfattningar av rejsdagar",
+      "ai_unauthorized_alert_title": "AI-funktioner är inte auktoriserade",
+      "ai_unauthorized_alert_desc": "För att använda transkribering eller rejsdagsöversikter måste du auktorisera dataöverföringen till OpenRouter i din användarprofil under 'AI-funktioner och integritet'.",
       "prefs_save": "Spara",
       "prefs_saving": "Kommer att sparas...",
       "prefs_saved": "Sparade",
@@ -790,6 +799,9 @@
       "no_key": "Ingen OpenWeatherMap API-nyckel tillgänglig. Spara din egen nyckel i användarprofilen eller kontakta operatören.",
       "weather_success": "Väderdata har hämtats framgångsrikt!",
       "weather_error": "Hämtning av väderdata misslyckades. Kontrollera API-nyckeln och anslutningen.",
+      "weather_unauthorized": "Hämtning av väderdata misslyckades. API-nyckeln är ogiltig eller inte auktoriserad.",
+      "weather_not_found": "Hämtning av väderdata misslyckades. Den angivna platsen eller koordinaterna hittades inte.",
+      "weather_bad_request": "Hämtning av väderdata misslyckades. Ingen plats eller GPS-position angavs.",
       "weather_date_mismatch": "Väderdata kan endast hämtas för idag ({{today}}). Denna loggbokspost är daterad {{date}}.",
       "gps_error": "Ange en plats eller bestäm GPS-koordinaterna.",
       "share_title": "Aktieloggbok (skrivskyddad)",

client/src/services/analytics.ts

@@ -42,6 +42,7 @@ export const PlausibleEvents = {
   LIVE_LOG_OPENED: 'Live Log Opened',
   LIVE_LOG_EVENT_LOGGED: 'Live Log Event Logged',
   VOICE_MEMO_UPLOADED: 'Voice Memo Uploaded',
+  VOICE_MEMO_TRANSCRIBED: 'Voice Memo Transcribed',
   OWM_WEATHER_FETCHED: 'OWM Weather Fetched',
   AI_SUMMARY_GENERATED: 'AI Summary Generated',
   PWA_BOOT_WATCHDOG_SOFT: 'PWA Boot Watchdog Soft',

client/src/services/userPreferences.test.ts

@@ -6,7 +6,9 @@ import {
   getThemePreference,
   setColorSchemePreference,
   setOwmApiKey,
-  setThemePreference
+  setThemePreference,
+  getAiAuthorized,
+  setAiAuthorized
 } from './userPreferences.js'
 
 const USER_ID = 'test-user-123'
@@ -58,4 +60,13 @@ describe('userPreferences', () => {
     expect(getThemePreference(USER_ID)).toBe('ocean')
     expect(getColorSchemePreference(USER_ID)).toBe('light')
   })
+
+  it('stores AI authorization preference per user', () => {
+    localStorage.setItem('active_userid', USER_ID)
+    expect(getAiAuthorized()).toBe(false)
+    setAiAuthorized(USER_ID, true)
+    expect(getAiAuthorized()).toBe(true)
+    expect(getAiAuthorized(USER_ID)).toBe(true)
+    expect(getAiAuthorized('other-user')).toBe(false)
+  })
 })

client/src/services/userPreferences.ts

@@ -89,3 +89,20 @@ export function setOwmApiKey(userId: string, value: string): void {
     localStorage.removeItem(owmKey(userId))
   }
 }
+
+function aiAuthorizedKey(userId: string): string {
+  return `user_pref_ai_authorized_${userId}`
+}
+
+export function getAiAuthorized(userId?: string | null): boolean {
+  const id = resolveUserId(userId)
+  if (id) {
+    return localStorage.getItem(aiAuthorizedKey(id)) === 'true'
+  }
+  return false
+}
+
+export function setAiAuthorized(userId: string, value: boolean): void {
+  localStorage.setItem(aiAuthorizedKey(userId), String(value))
+}
+

client/src/services/voiceAttachments.ts

@@ -1,7 +1,7 @@
 import { db } from './db.js'
 import { getActiveMasterKey } from './auth.js'
 import { getLogbookKey } from './logbookKeys.js'
-import { encryptJson } from './crypto.js'
+import { encryptJson, decryptJson } from './crypto.js'
 import { syncLogbook } from './sync.js'
 import { PlausibleEvents, trackPlausibleEvent } from './analytics.js'
 
@@ -18,6 +18,7 @@ export async function saveEntryVoiceMemo(options: {
   mimeType: string
   durationSec: number
   caption?: string
+  transcribed?: boolean
   analyticsContext?: string
 }): Promise<string> {
   const {
@@ -27,6 +28,7 @@ export async function saveEntryVoiceMemo(options: {
     mimeType,
     durationSec,
     caption = '',
+    transcribed = true,
     analyticsContext = 'logbook'
   } = options
   const masterKey = await getEncryptionKey(logbookId)
@@ -35,7 +37,8 @@ export async function saveEntryVoiceMemo(options: {
     audio: audioDataUrl,
     mimeType,
     durationSec,
-    caption: caption.trim()
+    caption: caption.trim(),
+    transcribed: !!transcribed
   }
 
   const encrypted = await encryptJson(voicePayload, masterKey)
@@ -98,3 +101,55 @@ export async function removeLastVoiceMemoForEntry(
   await deleteEntryVoiceMemo(logbookId, lastId)
   return lastId
 }
+
+/** Updates an existing voice memo payload with a new transcript and sets transcribed: true. */
+export async function updateVoiceMemoTranscript(
+  logbookId: string,
+  voiceId: string,
+  transcript: string
+): Promise<void> {
+  const masterKey = await getEncryptionKey(logbookId)
+  const record = await db.voiceMemos.get(voiceId)
+  if (!record) throw new Error('Voice memo not found')
+
+  const decrypted = await decryptJson(record.encryptedData, record.iv, record.tag, masterKey)
+  if (!decrypted) throw new Error('Failed to decrypt voice memo')
+
+  const manualCaption = decrypted.caption ? String(decrypted.caption).trim() : ''
+  const finalCaption = manualCaption
+    ? `${manualCaption}\n(Transkript: ${transcript.trim()})`
+    : transcript.trim()
+
+  const updatedPayload = {
+    ...decrypted,
+    caption: finalCaption,
+    transcribed: true
+  }
+
+  const encrypted = await encryptJson(updatedPayload, masterKey)
+  const now = new Date().toISOString()
+
+  await db.voiceMemos.put({
+    ...record,
+    encryptedData: encrypted.ciphertext,
+    iv: encrypted.iv,
+    tag: encrypted.tag,
+    updatedAt: now
+  })
+
+  await db.syncQueue.put({
+    action: 'update',
+    type: 'voiceMemo',
+    payloadId: voiceId,
+    logbookId,
+    data: JSON.stringify({
+      encryptedData: encrypted.ciphertext,
+      iv: encrypted.iv,
+      tag: encrypted.tag,
+      entryId: record.entryId
+    }),
+    updatedAt: now
+  })
+
+  syncLogbook(logbookId).catch((err) => console.warn('Background sync failed:', err))
+}

client/src/services/weather.test.ts

@@ -69,4 +69,51 @@ describe('fetchOpenWeatherCurrent', () => {
 
     expect(trackPlausibleEvent).not.toHaveBeenCalled()
   })
+
+  it('throws UNAUTHORIZED when status is 401', async () => {
+    apiFetch.mockResolvedValue({
+      ok: false,
+      status: 401,
+      json: async () => ({ error: 'Unauthorized' })
+    })
+
+    const { fetchOpenWeatherCurrent, WeatherApiError } = await import('./weather.js')
+    const err = await fetchOpenWeatherCurrent({ lat: '54', lon: '10' }).catch((e) => e)
+    expect(err).toBeInstanceOf(WeatherApiError)
+    expect((err as any).code).toBe('UNAUTHORIZED')
+  })
+
+  it('throws NOT_FOUND when status is 404', async () => {
+    apiFetch.mockResolvedValue({
+      ok: false,
+      status: 404,
+      json: async () => ({ error: 'Not Found' })
+    })
+
+    const { fetchOpenWeatherCurrent, WeatherApiError } = await import('./weather.js')
+    const err = await fetchOpenWeatherCurrent({ lat: '54', lon: '10' }).catch((e) => e)
+    expect(err).toBeInstanceOf(WeatherApiError)
+    expect((err as any).code).toBe('NOT_FOUND')
+  })
+
+  it('throws BAD_REQUEST when status is 400', async () => {
+    apiFetch.mockResolvedValue({
+      ok: false,
+      status: 400,
+      json: async () => ({ error: 'Bad Request' })
+    })
+
+    const { fetchOpenWeatherCurrent, WeatherApiError } = await import('./weather.js')
+    const err = await fetchOpenWeatherCurrent({ lat: '54', lon: '10' }).catch((e) => e)
+    expect(err).toBeInstanceOf(WeatherApiError)
+    expect((err as any).code).toBe('BAD_REQUEST')
+  })
+
+  it('throws BAD_REQUEST when coordinates or query are missing', async () => {
+    const { fetchOpenWeatherCurrent, WeatherApiError } = await import('./weather.js')
+    const err = await fetchOpenWeatherCurrent({}).catch((e) => e)
+    expect(err).toBeInstanceOf(WeatherApiError)
+    expect((err as any).code).toBe('BAD_REQUEST')
+    expect(apiFetch).not.toHaveBeenCalled()
+  })
 })

client/src/services/weather.ts

@@ -7,9 +7,12 @@ import {
 } from './analytics.js'
 
 export class WeatherApiError extends Error {
-  code: 'NO_KEY' | 'OFFLINE' | 'REQUEST_FAILED'
+  code: 'NO_KEY' | 'OFFLINE' | 'REQUEST_FAILED' | 'UNAUTHORIZED' | 'NOT_FOUND' | 'BAD_REQUEST'
 
-  constructor(message: string, code: 'NO_KEY' | 'OFFLINE' | 'REQUEST_FAILED' = 'REQUEST_FAILED') {
+  constructor(
+    message: string,
+    code: 'NO_KEY' | 'OFFLINE' | 'REQUEST_FAILED' | 'UNAUTHORIZED' | 'NOT_FOUND' | 'BAD_REQUEST' = 'REQUEST_FAILED'
+  ) {
     super(message)
     this.name = 'WeatherApiError'
     this.code = code
@@ -38,7 +41,7 @@ export async function fetchOpenWeatherCurrent(
   } else if (params.q?.trim()) {
     searchParams.set('q', params.q.trim())
   } else {
-    throw new WeatherApiError('lat/lon or location query required')
+    throw new WeatherApiError('lat/lon or location query required', 'BAD_REQUEST')
   }
 
   const userKey = getOwmApiKeyForActiveUser().trim()
@@ -65,6 +68,15 @@ export async function fetchOpenWeatherCurrent(
   if (res.status === 503) {
     throw new WeatherApiError('No OpenWeatherMap API key configured', 'NO_KEY')
   }
+  if (res.status === 401) {
+    throw new WeatherApiError('Invalid OpenWeatherMap API key', 'UNAUTHORIZED')
+  }
+  if (res.status === 404) {
+    throw new WeatherApiError('Location or coordinates not found', 'NOT_FOUND')
+  }
+  if (res.status === 400) {
+    throw new WeatherApiError('Invalid or missing location parameters', 'BAD_REQUEST')
+  }
 
   const data = await res.json()
   if (!res.ok) {

docs/deployment/backup.md

@@ -0,0 +1,111 @@
+# Server-Backup (Produktion)
+
+Automatische und manuelle Sicherung von PostgreSQL, `.env`, `docker-compose.yml` und App-Code (Git-Archiv) auf der Prod-VM.
+
+**Staging:** Kein automatisches Backup — Daten sind bewusst wegwerfbar. Deploy via `update-remotes.sh -dest stage` legt kein Backup an. Zum manuellen Testen auf Staging: `-dest stage` (oder Auto-Fallback, wenn nur `daagbox-staging-db` läuft).
+
+## Was wird gesichert?
+
+| Inhalt | Beschreibung |
+|--------|--------------|
+| `database.sql.gz` | `pg_dump` aus dem laufenden DB-Container |
+| `.env` | Server-Secrets (Sessions, DB-Passwort, VAPID, …) |
+| `docker-compose.yml` | Aktive Compose-Datei |
+| `app.tar.gz` | `git archive HEAD` — Code-Snapshot |
+| `manifest.json` | Timestamp, Git-Tag, SHA, Grund (`cron` / `pre-deploy` / `manual`) |
+
+Backups liegen in `/var/backups/kapteins-daagbok/` (mode 700, root-only). Es werden **maximal 5** Archive aufbewahrt.
+
+## Einmalige Einrichtung (Prod-Server)
+
+```bash
+ssh root@10.0.0.25
+mkdir -p /var/backups/kapteins-daagbok
+chmod 700 /var/backups/kapteins-daagbok
+cd /opt/kapteins-daagbok
+git pull
+chmod +x scripts/backup.sh scripts/restore-backup.sh
+./scripts/backup.sh --reason manual
+```
+
+## Manuell sichern
+
+```bash
+cd /opt/kapteins-daagbok
+./scripts/backup.sh
+./scripts/backup.sh --reason manual --dry-run   # Vorschau ohne Schreiben
+```
+
+### Staging (manueller Test)
+
+```bash
+cd /opt/kapteins-daagbok-staging
+./scripts/backup.sh -dest stage --reason manual
+# oder: Auto-Fallback, wenn nur daagbox-staging-db läuft
+./scripts/backup.sh --reason manual
+```
+
+## Crontab (unbeaufsichtigt)
+
+Beispiel: [`scripts/crontab.prod.example`](../../scripts/crontab.prod.example)
+
+```bash
+crontab -e
+# Zeile einfügen:
+0 3 * * * cd /opt/kapteins-daagbok && ./scripts/backup.sh --reason cron >> /var/log/kapteins-backup.log 2>&1
+```
+
+## Pre-Deploy-Backup
+
+Bei `./scripts/update-remotes.sh -dest prod` wird **vor** dem Git-Sync auf dem Server automatisch ein Backup mit Tag `v{VERSION}-predeploy` erstellt. Schlägt das Backup fehl, wird das Deploy abgebrochen.
+
+Staging-Deploys (`-dest stage`) erstellen **kein** Backup.
+
+## Wiederherstellen
+
+Verfügbare Backups anzeigen:
+
+```bash
+./scripts/restore-backup.sh --list
+```
+
+Vollständige Wiederherstellung (DB + `.env`, optional Git-Tag checkout):
+
+```bash
+./scripts/restore-backup.sh --restore /var/backups/kapteins-daagbok/kapteins-daagbok_YYYYMMDD-HHMMSS_vX.Y.Z.tar.gz
+```
+
+Nur Datenbank:
+
+```bash
+./scripts/restore-backup.sh --restore PATH --db-only
+```
+
+Nur `.env`:
+
+```bash
+./scripts/restore-backup.sh --restore PATH --env-only
+```
+
+Ohne Rückfragen (Notfall):
+
+```bash
+./scripts/restore-backup.sh --restore PATH --full --yes
+```
+
+## Vor Passwort-Rotation
+
+Vor [`rotate-postgres-password.sh`](../../scripts/rotate-postgres-password.sh) ein Backup anlegen — siehe auch [postgres-password.md](postgres-password.md):
+
+```bash
+./scripts/backup.sh --reason manual
+```
+
+## Umgebungsvariablen
+
+| Variable | Prod (default) | Staging (`-dest stage`) |
+|----------|----------------|-------------------------|
+| `COMPOSE_FILE` | `docker-compose.yml` | `docker-compose.staging.yml` |
+| `DB_CONTAINER` | `daagbox-prod-db` | `daagbox-staging-db` |
+| `BACKUP_DIR` | `/var/backups/kapteins-daagbok` | gleich |
+| `RETENTION` | `5` | `5` |

docs/deployment/postgres-password.md

@@ -8,7 +8,7 @@
 
 ## Empfohlene Schritte
 
-1. **Backup/Snapshot** (hast du laut Vorgabe).
+1. **Backup/Snapshot** — auf dem Server: `./scripts/backup.sh --reason manual` (Details: [backup.md](backup.md)).
 2. Auf dem Server im Repo:
    ```bash
    cd /opt/kapteins-daagbok

docs/plausible-events.md

@@ -47,6 +47,7 @@ Das Script wird über `plausible-bootstrap.js` geladen; `data-domain` ist der ak
 | CSV Shared | CSV über Web Share API geteilt (`LogEntriesList.tsx`) | — |
 | Photo Uploaded | Foto hochgeladen (`photoAttachments.ts`, `PhotoCapture.tsx`, `CrewForm.tsx`) | `context`: `logbook` \| `live_log` \| `crew`, bei Crew zusätzlich `role`: `skipper` \| `crew` |
 | Voice Memo Uploaded | Sprachnotiz gespeichert (`voiceAttachments.ts`) | `context`: `logbook` \| `live_log` |
+| Voice Memo Transcribed | Sprachmemo transkribiert (`LiveLogView.tsx`, `EventRemarksCell.tsx`) | `status`: `success` \| `failed`, `mode`: `auto` (beim Speichern) \| `manual` (nachträglich) |
 | OWM Weather Fetched | Erfolgreicher OpenWeatherMap-API-Abruf (`weather.ts`, zentral nach HTTP 200) | `source`: siehe [OWM-Quellen](#owm-quellen) |
 | AI Summary Generated | Erfolgreiche KI-Zusammenfassung eines Reisetags (`aiSummary.ts`) | — |
 | Backup Exported | Backup-Datei heruntergeladen (`LogbookBackupPanel.tsx`, v2 ZIP) | `entries`, `photos`, `voiceMemos`, `bytes` (Anzahlen/Größe, keine Inhalte) |
@@ -161,6 +162,7 @@ trackPlausibleEvent(PlausibleEvents.LANGUAGE_CHANGED, { from: 'de', to: 'da' })
 trackPlausibleEvent(PlausibleEvents.LIVE_LOG_EVENT_LOGGED, { action: 'course' })
 trackPlausibleEvent(PlausibleEvents.PHOTO_UPLOADED, { context: 'live_log' })
 trackPlausibleEvent(PlausibleEvents.VOICE_MEMO_UPLOADED, { context: 'live_log' })
+trackPlausibleEvent(PlausibleEvents.VOICE_MEMO_TRANSCRIBED, { status: 'success', mode: 'auto' })
 trackPlausibleEvent(PlausibleEvents.OWM_WEATHER_FETCHED, { source: 'live_log' })
 trackPlausibleEvent(PlausibleEvents.NMEA_UPLOADED, { lines: 1200, candidates: 8, duplicate: false, has_position: true })
 trackPlausibleEvent(PlausibleEvents.NMEA_IMPORTED, { mode: 'both', events: 6, track: true })

scripts/backup.sh

@@ -0,0 +1,255 @@
+#!/usr/bin/env bash
+# Create a local backup of PostgreSQL, .env, docker-compose and app (git archive).
+#
+# Run on the server in repo root (/opt/kapteins-daagbok on production).
+#
+# Usage:
+#   ./scripts/backup.sh
+#   ./scripts/backup.sh -dest stage              # Staging-Container (daagbox-staging-db)
+#   ./scripts/backup.sh --reason cron
+#   ./scripts/backup.sh --reason pre-deploy --tag v0.1.1.20
+#   ./scripts/backup.sh --dry-run
+#
+# Environment overrides:
+#   BACKUP_DIR, COMPOSE_FILE, DB_CONTAINER, RETENTION, ENV_FILE
+set -euo pipefail
+
+BACKUP_DIR="${BACKUP_DIR:-/var/backups/kapteins-daagbok}"
+ENV_FILE="${ENV_FILE:-.env}"
+RETENTION="${RETENTION:-5}"
+DEST="prod"
+REASON="manual"
+EXPLICIT_TAG=""
+DRY_RUN=0
+COMPOSE_FILE=""
+DB_CONTAINER=""
+
+apply_dest_config() {
+  local dest="$1"
+  local force="${2:-0}"
+  if [[ "$dest" == "stage" ]]; then
+    if [[ "$force" == "1" || -z "${COMPOSE_FILE}" ]]; then
+      COMPOSE_FILE="docker-compose.staging.yml"
+    fi
+    if [[ "$force" == "1" || -z "${DB_CONTAINER}" ]]; then
+      DB_CONTAINER="daagbox-staging-db"
+    fi
+  else
+    if [[ "$force" == "1" || -z "${COMPOSE_FILE}" ]]; then
+      COMPOSE_FILE="docker-compose.yml"
+    fi
+    if [[ "$force" == "1" || -z "${DB_CONTAINER}" ]]; then
+      DB_CONTAINER="daagbox-prod-db"
+    fi
+  fi
+}
+
+usage() {
+  sed -n '2,14p' "$0"
+  echo ""
+  echo "Options:"
+  echo "  -dest prod|stage                  Target environment (default: prod)"
+  echo "  --reason cron|pre-deploy|manual   Backup trigger (default: manual)"
+  echo "  --tag TAG                         Git tag label (e.g. v0.1.1.20 for pre-deploy)"
+  echo "  --dry-run                         Show actions without writing backup"
+  echo "  -h, --help                        Show this help"
+}
+
+while [ $# -gt 0 ]; do
+  case "$1" in
+    -dest)
+      DEST="${2:?-dest requires an argument}"
+      shift 2
+      ;;
+    -dest=*)
+      DEST="${1#*=}"
+      shift
+      ;;
+    --reason)
+      REASON="${2:?--reason requires an argument}"
+      shift 2
+      ;;
+    --tag)
+      EXPLICIT_TAG="${2:?--tag requires an argument}"
+      shift 2
+      ;;
+    --dry-run)
+      DRY_RUN=1
+      shift
+      ;;
+    -h|--help)
+      usage
+      exit 0
+      ;;
+    *)
+      echo "Unknown option: $1" >&2
+      usage >&2
+      exit 1
+      ;;
+  esac
+done
+
+case "$DEST" in
+  prod|stage) ;;
+  *)
+    echo "Error: invalid -dest '$DEST' (use prod or stage)" >&2
+    exit 1
+    ;;
+esac
+
+apply_dest_config "$DEST"
+
+case "$REASON" in
+  cron|pre-deploy|manual) ;;
+  *)
+    echo "Error: invalid --reason '$REASON' (use cron, pre-deploy, or manual)" >&2
+    exit 1
+    ;;
+esac
+
+if [ ! -f "$COMPOSE_FILE" ]; then
+  echo "Error: $COMPOSE_FILE not found" >&2
+  exit 1
+fi
+
+TIMESTAMP="$(date +%Y%m%d-%H%M%S)"
+GIT_SHA="$(git rev-parse HEAD 2>/dev/null || echo unknown)"
+GIT_TAG="$EXPLICIT_TAG"
+if [ -z "$GIT_TAG" ]; then
+  GIT_TAG="$(git describe --tags --exact-match HEAD 2>/dev/null || true)"
+fi
+if [ -z "$GIT_TAG" ] && [ -f VERSION ]; then
+  GIT_TAG="v$(tr -d '[:space:]' < VERSION)"
+fi
+if [ -z "$GIT_TAG" ]; then
+  GIT_TAG="unknown"
+fi
+
+APP_VERSION="$(tr -d '[:space:]' < VERSION 2>/dev/null || echo unknown)"
+TAG_SLUG="${GIT_TAG}"
+if [ "$REASON" = "pre-deploy" ]; then
+  TAG_SLUG="${GIT_TAG}-predeploy"
+fi
+TAG_SLUG="${TAG_SLUG//\//-}"
+
+ARCHIVE_NAME="kapteins-daagbok_${TIMESTAMP}_${TAG_SLUG}.tar.gz"
+ARCHIVE_PATH="${BACKUP_DIR}/${ARCHIVE_NAME}"
+
+echo "Backup: reason=$REASON tag=$GIT_TAG sha=${GIT_SHA:0:8} → $ARCHIVE_PATH"
+
+if [ "$DRY_RUN" -eq 1 ]; then
+  echo "[dry-run] Would dump database from $DB_CONTAINER"
+  echo "[dry-run] Would copy $ENV_FILE and $COMPOSE_FILE"
+  echo "[dry-run] Would create git archive"
+  echo "[dry-run] Would write manifest and pack to $ARCHIVE_PATH"
+  echo "[dry-run] Would apply retention (keep $RETENTION)"
+  exit 0
+fi
+
+if [ ! -f "$ENV_FILE" ]; then
+  echo "Error: $ENV_FILE not found (run from repo root)" >&2
+  exit 1
+fi
+
+# shellcheck disable=SC1090
+set -a
+source "$ENV_FILE"
+set +a
+
+POSTGRES_USER="${POSTGRES_USER:-postgres}"
+POSTGRES_DB="${POSTGRES_DB:-daagbox}"
+
+if [ -z "${POSTGRES_PASSWORD:-}" ]; then
+  echo "Error: POSTGRES_PASSWORD not set in $ENV_FILE" >&2
+  exit 1
+fi
+
+if ! docker inspect "$DB_CONTAINER" >/dev/null 2>&1; then
+  if [[ "$DEST" == "prod" ]] && docker inspect daagbox-staging-db >/dev/null 2>&1; then
+    echo "Note: $DB_CONTAINER not found — falling back to staging (daagbox-staging-db). Use -dest stage explicitly."
+    apply_dest_config stage 1
+    DEST="stage"
+  else
+    echo "Error: DB container '$DB_CONTAINER' not found" >&2
+    exit 1
+  fi
+fi
+
+if [ "$(docker inspect -f '{{.State.Running}}' "$DB_CONTAINER")" != "true" ]; then
+  echo "Error: DB container '$DB_CONTAINER' is not running" >&2
+  exit 1
+fi
+
+mkdir -p "$BACKUP_DIR"
+chmod 700 "$BACKUP_DIR"
+
+WORK_DIR="$(mktemp -d)"
+cleanup() {
+  rm -rf "$WORK_DIR"
+}
+trap cleanup EXIT
+
+echo "Dumping PostgreSQL ($POSTGRES_DB)..."
+export PGPASSWORD="$POSTGRES_PASSWORD"
+if ! docker exec -e PGPASSWORD="$POSTGRES_PASSWORD" "$DB_CONTAINER" \
+  pg_dump -U "$POSTGRES_USER" -d "$POSTGRES_DB" --no-owner --no-acl \
+  | gzip > "$WORK_DIR/database.sql.gz"; then
+  echo "Error: pg_dump failed" >&2
+  exit 1
+fi
+unset PGPASSWORD
+
+cp "$ENV_FILE" "$WORK_DIR/.env"
+chmod 600 "$WORK_DIR/.env"
+cp "$COMPOSE_FILE" "$WORK_DIR/docker-compose.yml"
+
+echo "Creating app snapshot (git archive)..."
+if git archive --format=tar HEAD | gzip > "$WORK_DIR/app.tar.gz"; then
+  :
+else
+  echo "Warning: git archive failed — backup continues without app.tar.gz" >&2
+  rm -f "$WORK_DIR/app.tar.gz"
+fi
+
+python3 - "$WORK_DIR/manifest.json" <<PY
+import json
+import socket
+import sys
+from datetime import datetime, timezone
+
+manifest = {
+    "timestamp": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
+    "local_timestamp": "${TIMESTAMP}",
+    "destination": "${DEST}",
+    "reason": "${REASON}",
+    "git_tag": "${GIT_TAG}",
+    "git_sha": "${GIT_SHA}",
+    "app_version": "${APP_VERSION}",
+    "compose_file": "${COMPOSE_FILE}",
+    "db_container": "${DB_CONTAINER}",
+    "postgres_db": "${POSTGRES_DB}",
+    "hostname": socket.gethostname(),
+    "archive_name": "${ARCHIVE_NAME}",
+}
+with open(sys.argv[1], "w", encoding="utf-8") as f:
+    json.dump(manifest, f, indent=2)
+    f.write("\n")
+PY
+
+echo "Packing backup archive..."
+tar -czf "$ARCHIVE_PATH" -C "$WORK_DIR" \
+  manifest.json database.sql.gz .env docker-compose.yml \
+  $( [ -f "$WORK_DIR/app.tar.gz" ] && echo app.tar.gz )
+chmod 600 "$ARCHIVE_PATH"
+
+echo "Applying retention (keep last $RETENTION backups)..."
+mapfile -t ALL_BACKUPS < <(ls -1t "$BACKUP_DIR"/kapteins-daagbok_*.tar.gz 2>/dev/null || true)
+if [ "${#ALL_BACKUPS[@]}" -gt "$RETENTION" ]; then
+  for ((i = RETENTION; i < ${#ALL_BACKUPS[@]}; i++)); do
+    echo "Removing old backup: ${ALL_BACKUPS[$i]}"
+    rm -f "${ALL_BACKUPS[$i]}"
+  done
+fi
+
+echo "Backup complete: $ARCHIVE_PATH"
+echo "$ARCHIVE_PATH"

scripts/crontab.prod.example

@@ -0,0 +1,11 @@
+# Kapteins Daagbok — Production backup cron (install on 10.0.0.25)
+#
+# Install:
+#   crontab -e
+#   (paste the line below)
+#
+# Ensure log directory exists:
+#   touch /var/log/kapteins-backup.log && chmod 600 /var/log/kapteins-backup.log
+
+# Daily backup at 03:00 UTC — keeps last 5 in /var/backups/kapteins-daagbok/
+0 3 * * * cd /opt/kapteins-daagbok && ./scripts/backup.sh --reason cron >> /var/log/kapteins-backup.log 2>&1

scripts/restore-backup.sh

@@ -0,0 +1,345 @@
+#!/usr/bin/env bash
+# Restore server backup created by scripts/backup.sh
+#
+# Usage:
+#   ./scripts/restore-backup.sh --list
+#   ./scripts/restore-backup.sh -dest stage --restore PATH
+#   ./scripts/restore-backup.sh --restore /var/backups/kapteins-daagbok/kapteins-daagbok_....tar.gz
+#
+# Environment overrides:
+#   BACKUP_DIR, COMPOSE_FILE, DB_CONTAINER, BACKEND_CONTAINER, ENV_FILE
+set -euo pipefail
+
+BACKUP_DIR="${BACKUP_DIR:-/var/backups/kapteins-daagbok}"
+ENV_FILE="${ENV_FILE:-.env}"
+MAX_WAIT=90
+DEST="prod"
+COMPOSE_FILE=""
+DB_CONTAINER=""
+BACKEND_CONTAINER=""
+
+apply_dest_config() {
+  local dest="$1"
+  local force="${2:-0}"
+  if [[ "$dest" == "stage" ]]; then
+    if [[ "$force" == "1" || -z "${COMPOSE_FILE}" ]]; then
+      COMPOSE_FILE="docker-compose.staging.yml"
+    fi
+    if [[ "$force" == "1" || -z "${DB_CONTAINER}" ]]; then
+      DB_CONTAINER="daagbox-staging-db"
+    fi
+    if [[ "$force" == "1" || -z "${BACKEND_CONTAINER}" ]]; then
+      BACKEND_CONTAINER="daagbox-staging-backend"
+    fi
+  else
+    if [[ "$force" == "1" || -z "${COMPOSE_FILE}" ]]; then
+      COMPOSE_FILE="docker-compose.yml"
+    fi
+    if [[ "$force" == "1" || -z "${DB_CONTAINER}" ]]; then
+      DB_CONTAINER="daagbox-prod-db"
+    fi
+    if [[ "$force" == "1" || -z "${BACKEND_CONTAINER}" ]]; then
+      BACKEND_CONTAINER="daagbox-prod-backend"
+    fi
+  fi
+}
+
+MODE="full"
+RESTORE_PATH=""
+LIST=0
+ASSUME_YES=0
+
+usage() {
+  sed -n '2,10p' "$0"
+  echo ""
+  echo "Options:"
+  echo "  -dest prod|stage                  Target environment (default: prod)"
+  echo "  --list                            List available backups"
+  echo "  --restore PATH                    Backup archive to restore"
+  echo "  --full                            Restore DB + .env (default)"
+  echo "  --db-only                         Restore database only"
+  echo "  --env-only                        Restore .env only"
+  echo "  --yes                             Skip confirmation prompts"
+  echo "  -h, --help                        Show this help"
+}
+
+confirm() {
+  local prompt="$1"
+  if [ "$ASSUME_YES" -eq 1 ]; then
+    return 0
+  fi
+  read -r -p "$prompt [y/N] " answer
+  [[ "$answer" =~ ^[yY]$ ]]
+}
+
+while [ $# -gt 0 ]; do
+  case "$1" in
+    -dest)
+      DEST="${2:?-dest requires an argument}"
+      shift 2
+      ;;
+    -dest=*)
+      DEST="${1#*=}"
+      shift
+      ;;
+    --list)
+      LIST=1
+      shift
+      ;;
+    --restore)
+      RESTORE_PATH="${2:?--restore requires a path}"
+      shift 2
+      ;;
+    --full)
+      MODE="full"
+      shift
+      ;;
+    --db-only)
+      MODE="db-only"
+      shift
+      ;;
+    --env-only)
+      MODE="env-only"
+      shift
+      ;;
+    --yes)
+      ASSUME_YES=1
+      shift
+      ;;
+    -h|--help)
+      usage
+      exit 0
+      ;;
+    *)
+      echo "Unknown option: $1" >&2
+      usage >&2
+      exit 1
+      ;;
+  esac
+done
+
+case "$DEST" in
+  prod|stage) ;;
+  *)
+    echo "Error: invalid -dest '$DEST' (use prod or stage)" >&2
+    exit 1
+    ;;
+esac
+
+apply_dest_config "$DEST"
+
+list_backups() {
+  if [ ! -d "$BACKUP_DIR" ]; then
+    echo "No backup directory: $BACKUP_DIR"
+    return 0
+  fi
+
+  local found=0
+  while IFS= read -r archive; do
+    found=1
+    echo "=== $archive ==="
+    tar -xOf "$archive" manifest.json 2>/dev/null | python3 -m json.tool 2>/dev/null || echo "(no manifest)"
+    echo ""
+  done < <(ls -1t "$BACKUP_DIR"/kapteins-daagbok_*.tar.gz 2>/dev/null || true)
+
+  if [ "$found" -eq 0 ]; then
+    echo "No backups found in $BACKUP_DIR"
+  fi
+}
+
+if [ "$LIST" -eq 1 ]; then
+  list_backups
+  exit 0
+fi
+
+if [ -z "$RESTORE_PATH" ]; then
+  echo "Error: --restore PATH or --list required" >&2
+  usage >&2
+  exit 1
+fi
+
+if [ ! -f "$RESTORE_PATH" ]; then
+  echo "Error: backup archive not found: $RESTORE_PATH" >&2
+  exit 1
+fi
+
+WORK_DIR="$(mktemp -d)"
+cleanup() {
+  rm -rf "$WORK_DIR"
+}
+trap cleanup EXIT
+
+echo "Extracting $RESTORE_PATH..."
+tar -xzf "$RESTORE_PATH" -C "$WORK_DIR"
+
+if [ ! -f "$WORK_DIR/manifest.json" ]; then
+  echo "Error: manifest.json missing in backup archive" >&2
+  exit 1
+fi
+
+MANIFEST="$WORK_DIR/manifest.json"
+echo "Backup manifest:"
+python3 -m json.tool "$MANIFEST"
+echo ""
+
+read_manifest_field() {
+  python3 -c "import json; print(json.load(open('$MANIFEST')).get('$1', '') or '')"
+}
+
+MANIFEST_COMPOSE="$(read_manifest_field compose_file)"
+MANIFEST_DB="$(read_manifest_field db_container)"
+MANIFEST_DEST="$(read_manifest_field destination)"
+
+if [ -n "$MANIFEST_COMPOSE" ]; then
+  COMPOSE_FILE="$MANIFEST_COMPOSE"
+fi
+if [ -n "$MANIFEST_DB" ]; then
+  DB_CONTAINER="$MANIFEST_DB"
+fi
+if [ -n "$MANIFEST_DEST" ]; then
+  if [[ "$MANIFEST_DEST" == "stage" ]]; then
+    BACKEND_CONTAINER="${BACKEND_CONTAINER:-daagbox-staging-backend}"
+  else
+    BACKEND_CONTAINER="${BACKEND_CONTAINER:-daagbox-prod-backend}"
+  fi
+fi
+
+if ! docker inspect "$DB_CONTAINER" >/dev/null 2>&1; then
+  if [[ "$DEST" == "prod" ]] && docker inspect daagbox-staging-db >/dev/null 2>&1; then
+    echo "Note: $DB_CONTAINER not found — falling back to staging (daagbox-staging-db). Use -dest stage explicitly."
+    apply_dest_config stage 1
+    DEST="stage"
+  else
+    echo "Error: DB container '$DB_CONTAINER' not found" >&2
+    exit 1
+  fi
+fi
+
+GIT_TAG="$(read_manifest_field git_tag)"
+GIT_SHA="$(read_manifest_field git_sha)"
+BACKUP_TS="$(read_manifest_field local_timestamp)"
+
+if ! confirm "Restore backup from $BACKUP_TS (tag: $GIT_TAG)? Mode: $MODE"; then
+  echo "Aborted."
+  exit 1
+fi
+
+restore_env() {
+  if [ ! -f "$WORK_DIR/.env" ]; then
+    echo "Error: .env missing in backup archive" >&2
+    exit 1
+  fi
+
+  if [ -f "$ENV_FILE" ]; then
+    BAK="${ENV_FILE}.bak-restore.$(date +%Y%m%d-%H%M%S)"
+    cp "$ENV_FILE" "$BAK"
+    echo "Current $ENV_FILE saved to $BAK"
+  fi
+
+  cp "$WORK_DIR/.env" "$ENV_FILE"
+  chmod 600 "$ENV_FILE"
+  echo "Restored $ENV_FILE"
+}
+
+restore_db() {
+  if [ ! -f "$WORK_DIR/database.sql.gz" ]; then
+    echo "Error: database.sql.gz missing in backup archive" >&2
+    exit 1
+  fi
+
+  if [ ! -f "$ENV_FILE" ]; then
+    echo "Error: $ENV_FILE required for database restore" >&2
+    exit 1
+  fi
+
+  # shellcheck disable=SC1090
+  set -a
+  source "$ENV_FILE"
+  set +a
+
+  POSTGRES_USER="${POSTGRES_USER:-postgres}"
+  POSTGRES_DB="${POSTGRES_DB:-daagbox}"
+
+  if [ -z "${POSTGRES_PASSWORD:-}" ]; then
+    echo "Error: POSTGRES_PASSWORD not set in $ENV_FILE" >&2
+    exit 1
+  fi
+
+  if ! docker inspect "$DB_CONTAINER" >/dev/null 2>&1; then
+    echo "Error: DB container '$DB_CONTAINER' not found" >&2
+    exit 1
+  fi
+
+  echo "Stopping backend before database restore..."
+  docker compose -f "$COMPOSE_FILE" stop backend || true
+
+  echo "Resetting public schema..."
+  export PGPASSWORD="$POSTGRES_PASSWORD"
+  docker exec -e PGPASSWORD="$POSTGRES_PASSWORD" "$DB_CONTAINER" \
+    psql -U "$POSTGRES_USER" -d "$POSTGRES_DB" -v ON_ERROR_STOP=1 <<SQL
+DROP SCHEMA IF EXISTS public CASCADE;
+CREATE SCHEMA public;
+GRANT ALL ON SCHEMA public TO "${POSTGRES_USER}";
+GRANT ALL ON SCHEMA public TO public;
+SQL
+
+  echo "Importing database dump..."
+  gunzip -c "$WORK_DIR/database.sql.gz" | docker exec -i -e PGPASSWORD="$POSTGRES_PASSWORD" "$DB_CONTAINER" \
+    psql -U "$POSTGRES_USER" -d "$POSTGRES_DB" -v ON_ERROR_STOP=1
+  unset PGPASSWORD
+
+  echo "Database restore complete."
+}
+
+wait_for_healthy() {
+  echo "Starting stack and waiting for health..."
+  docker compose -f "$COMPOSE_FILE" up -d
+
+  local counter=0
+  while [ "$counter" -lt "$MAX_WAIT" ]; do
+    local status
+    status="$(docker inspect --format='{{if .State.Health}}{{.State.Health.Status}}{{end}}' "$BACKEND_CONTAINER" 2>/dev/null || true)"
+    if [ "$status" = "healthy" ]; then
+      echo "Backend is healthy."
+      return 0
+    fi
+    if curl -sf "http://127.0.0.1/api/health" | grep -q '"status":"ok"'; then
+      echo "API health check OK."
+      return 0
+    fi
+    sleep 1
+    counter=$((counter + 1))
+    printf "."
+  done
+  echo ""
+  echo "Warning: backend did not become healthy in time." >&2
+  return 1
+}
+
+case "$MODE" in
+  env-only)
+    restore_env
+    ;;
+  db-only)
+    restore_db
+    wait_for_healthy || exit 1
+    ;;
+  full)
+    restore_env
+    restore_db
+    wait_for_healthy || exit 1
+    if [ -f "$WORK_DIR/app.tar.gz" ] && [ "$GIT_TAG" != "unknown" ]; then
+      if confirm "Checkout app code at tag $GIT_TAG? (git fetch + checkout)"; then
+        git fetch --tags origin
+        git checkout "$GIT_TAG"
+        echo "Checked out $GIT_TAG"
+      fi
+    fi
+    ;;
+  *)
+    echo "Error: unknown mode $MODE" >&2
+    exit 1
+    ;;
+esac
+
+echo "Restore finished (mode: $MODE, tag: $GIT_TAG, sha: ${GIT_SHA:0:8})."

scripts/update-remotes.sh

@@ -16,6 +16,8 @@ Environment overrides (optional):
   DEPLOY_BRANCH (stage only, default: master)
   SKIP_PREDEPLOY_CHECK=1
 
+Local repo must be clean and match origin before deploy (git fetch + compare HEAD).
+
 Examples:
   $(basename "$0") -dest prod
   $(basename "$0") -dest stage
@@ -158,6 +160,66 @@ ensure_clean_git_tree() {
   git commit -m "$commit_message"
 }
 
+ensure_local_sync_with_origin() {
+  local branch="$1"
+  local local_sha origin_sha current_branch
+
+  if [ -z "$branch" ]; then
+    echo "Error: deploy branch is not set." >&2
+    exit 1
+  fi
+
+  if [ -n "$(git status --porcelain)" ]; then
+    echo "Error: Working tree is not clean. Commit or stash changes before deploying." >&2
+    git status --short
+    exit 1
+  fi
+
+  current_branch="$(git branch --show-current)"
+  if [ -z "$current_branch" ]; then
+    echo "Error: Detached HEAD — checkout branch '$branch' before deploying." >&2
+    exit 1
+  fi
+
+  if [ "$current_branch" != "$branch" ]; then
+    echo "Error: On branch '$current_branch', expected '$branch'." >&2
+    exit 1
+  fi
+
+  echo "Syncing with origin..."
+  git fetch --tags origin
+  if [ $? -ne 0 ]; then
+    echo "Error: git fetch origin failed." >&2
+    exit 1
+  fi
+
+  if ! git rev-parse --verify "origin/${branch}" >/dev/null 2>&1; then
+    echo "Error: origin/${branch} does not exist." >&2
+    exit 1
+  fi
+
+  local_sha="$(git rev-parse HEAD)"
+  origin_sha="$(git rev-parse "origin/${branch}")"
+
+  if [ "$local_sha" = "$origin_sha" ]; then
+    echo "Local branch '$branch' matches origin/${branch} ($(git rev-parse --short HEAD))."
+    return 0
+  fi
+
+  echo "Error: Local '$branch' is not in sync with origin/${branch}." >&2
+  echo "  local:  $(git rev-parse --short HEAD) $(git log -1 --format='%s' HEAD)" >&2
+  echo "  origin: $(git rev-parse --short "origin/${branch}") $(git log -1 --format='%s' "origin/${branch}")" >&2
+
+  if git merge-base --is-ancestor "$local_sha" "origin/${branch}" 2>/dev/null; then
+    echo "Hint: run 'git pull' to fast-forward." >&2
+  elif git merge-base --is-ancestor "origin/${branch}" "$local_sha" 2>/dev/null; then
+    echo "Hint: run 'git push origin ${branch}' before deploying." >&2
+  else
+    echo "Hint: branches have diverged — reconcile manually before deploying." >&2
+  fi
+  exit 1
+}
+
 prepare_release() {
   local current_version release_version next_version tag_name
 
@@ -199,7 +261,9 @@ prepare_release() {
 
 if [[ "$DEST" == "prod" ]]; then
   prepare_release
+  ensure_local_sync_with_origin "$(git branch --show-current)"
 else
+  ensure_local_sync_with_origin "$DEPLOY_BRANCH"
   APP_VERSION="$(read_current_version)"
 fi
 
@@ -227,7 +291,7 @@ MAX_WAIT="$4"
 APP_URL="$5"
 APP_VERSION="$6"
 DEST="$7"
-DEPLOY_BRANCH="$8"
+DEPLOY_BRANCH="${8:-}"
 
 cd "$REMOTE_DIR" || { echo "Error: Remote directory '$REMOTE_DIR' not found."; exit 1; }
 
@@ -235,6 +299,18 @@ if ! git diff-index --quiet HEAD -- || [ -n "$(git status --porcelain)" ]; then
   echo "Warning: Local changes on deployment host will be discarded."
 fi
 
+if [[ "$DEST" == "prod" ]]; then
+  echo "Creating pre-deploy backup..."
+  if [ -x "./scripts/backup.sh" ]; then
+    if ! ./scripts/backup.sh --reason pre-deploy --tag "v${APP_VERSION}"; then
+      echo "Error: Pre-deploy backup failed. Aborting update."
+      exit 1
+    fi
+  else
+    echo "Warning: scripts/backup.sh not found or not executable — skipping backup."
+  fi
+fi
+
 if [[ "$DEST" == "stage" ]]; then
   echo "Syncing repository from origin/${DEPLOY_BRANCH}..."
   git fetch origin

server/src/api.smoke.test.ts

@@ -59,4 +59,12 @@ describe('API smoke', () => {
     expect(res.status).toBe(401)
     expect(res.body.error).toMatch(/Unauthorized/i)
   })
+
+  it('POST /api/ai/transcribe requires session', async () => {
+    const res = await request(app)
+      .post('/api/ai/transcribe')
+      .send({ audioDataUrl: 'data:audio/webm;base64,abcdef' })
+    expect(res.status).toBe(401)
+    expect(res.body.error).toMatch(/Unauthorized/i)
+  })
 })

server/src/routes/ai.ts

@@ -3,7 +3,6 @@ import { prisma } from '../db.js'
 import { requireUser } from '../middleware/auth.js'
 
 const router = Router()
-
 const MAX_ATTEMPTS_PER_ENTRY = 3
 const DEFAULT_MODEL = 'anthropic/claude-3.5-haiku'
 const OPENROUTER_URL = 'https://openrouter.ai/api/v1/chat/completions'
@@ -230,4 +229,78 @@ router.post('/summary', async (req: any, res) => {
   }
 })
 
+router.post('/transcribe', async (req: any, res) => {
+  try {
+    const { audioDataUrl } = req.body ?? {}
+    if (!audioDataUrl || typeof audioDataUrl !== 'string') {
+      return res.status(400).json({ error: 'audioDataUrl is required' })
+    }
+
+    const match = audioDataUrl.match(/^data:(.+);base64,(.+)$/)
+    if (!match) {
+      return res.status(400).json({ error: 'Invalid audio data URL format' })
+    }
+
+    const [, fullMimeType, base64Data] = match
+    const mimeType = fullMimeType.split(';')[0]
+
+    let ext = 'webm'
+    if (mimeType.includes('mp4')) ext = 'mp4'
+    else if (mimeType.includes('ogg')) ext = 'ogg'
+    else if (mimeType.includes('wav')) ext = 'wav'
+
+    const apiKey = resolveOpenRouterApiKey()
+    if (!apiKey) {
+      console.warn('[server] OpenRouter API key not configured, transcription unavailable')
+      return res.status(503).json({ error: 'Transcription service not configured' })
+    }
+
+    console.log(`[server] Forwarding ASR request to OpenRouter (${ext}, ${base64Data.length} chars)`)
+
+    const controller = new AbortController()
+    const timeoutId = setTimeout(() => controller.abort(), 30000)
+
+    try {
+      const openRouterRes = await fetch('https://openrouter.ai/api/v1/audio/transcriptions', {
+        method: 'POST',
+        headers: {
+          'Authorization': `Bearer ${apiKey}`,
+          'Content-Type': 'application/json'
+        },
+        body: JSON.stringify({
+          model: 'openai/whisper-large-v3-turbo',
+          input_audio: {
+            data: base64Data,
+            format: ext
+          }
+        }),
+        signal: controller.signal
+      })
+
+      if (!openRouterRes.ok) {
+        const errorText = await openRouterRes.text().catch(() => '')
+        console.error(`[server] OpenRouter ASR error response (status=${openRouterRes.status}):`, errorText)
+        throw new Error(`OpenRouter returned status ${openRouterRes.status}`)
+      }
+
+      const data: any = await openRouterRes.json()
+      const text = (data?.text || '').trim()
+
+      console.log(`[server] OpenRouter ASR completed successfully: "${text}"`)
+      return res.json({ text })
+    } catch (error: unknown) {
+      if (error instanceof Error && error.name === 'AbortError') {
+        console.error('[server] OpenRouter ASR request timed out')
+        return res.status(504).json({ error: 'Transcription request timed out' })
+      }
+      throw error
+    } finally {
+      clearTimeout(timeoutId)
+    }
+  } catch (error: unknown) {
+    console.error('ASR transcription failed:', error)
+    return res.status(503).json({ error: 'Transcription service unavailable' })
+  }
+})
+
 export default router