chore: release v0.1.1.23

Erweitert die Backup- und Restore-Skripte um die Möglichkeit, Staging-Umgebungen zu unterstützen. Fügt die Option `-dest stage` hinzu, um spezifische Konfigurationen für Staging zu verwenden, einschließlich separater Docker-Compose-Dateien und Datenbankcontainer. Dokumentation aktualisiert, um manuelle Tests und Umgebungsvariablen für Staging zu reflektieren.

.env.example

@@ -15,6 +15,11 @@ DeepLAPIKey=
 # Production (kapteins-daagbok.eu):
 #   RP_ID=kapteins-daagbok.eu
 #   ORIGIN=https://kapteins-daagbok.eu
+# Staging (staging.kapteins-daagbok.eu):
+#   RP_ID=staging.kapteins-daagbok.eu
+#   ORIGIN=https://staging.kapteins-daagbok.eu
+#   POSTGRES_DB=daagbox_staging
+#   NTFY_TOPIC=kapteins-daagbok-staging-feedback
 RP_ID=localhost
 # Must match the frontend URL exactly (Vite dev: http://localhost:5173; Docker: http://localhost)
 ORIGIN=http://localhost:5173
@@ -36,6 +41,10 @@ ORIGIN=http://localhost:5173
 # Generate: openssl rand -base64 48
 SESSION_SECRET=
 
+# Admin dashboard access — comma-separated list of User IDs (UUIDs)
+# Example: ADMIN_USER_IDS=11111111-2222-3333-4444-555555555555,22222222-3333-4444-5555-666666666666
+ADMIN_USER_IDS=
+
 # Web Push (VAPID) — generate with: npx web-push generate-vapid-keys
 # Public key may also be set on the client as VITE_VAPID_PUBLIC_KEY
 VAPID_PUBLIC_KEY=
@@ -47,3 +56,9 @@ VAPID_SUBJECT=mailto:support@kapteins-daagbok.eu
 NTFY_SERVER=https://ntfy.sh
 NTFY_TOPIC=kapteins-daagbok-feedback
 NTFY_TOKEN=tk_example_ntfy_access_token
+
+# Plausible Analytics (frontend container — see docs/plausible-events.md)
+# Production: PLAUSIBLE_ENABLED=true, data-domain = current hostname (kapteins-daagbok.eu)
+# Staging:    PLAUSIBLE_ENABLED=false (default in docker-compose.staging.yml)
+PLAUSIBLE_ENABLED=true
+PLAUSIBLE_HOST=https://plausible.elpatron.me

README.md

@@ -251,15 +251,27 @@ Produktions-Update auf den Server (konfigurierbar via Umgebungsvariablen). Führ
 
 
 ```bash
-./scripts/update-prod.sh
+./scripts/update-remotes.sh -dest prod
 ```
 
-Standard-Ziel: `root@10.0.0.25:/opt/kapteins-daagbok` — per `REMOTE_HOST`, `REMOTE_USER`, `REMOTE_DIR` überschreibbar.
+Standard-Ziel Prod: `root@10.0.0.25:/opt/kapteins-daagbok` — per `REMOTE_HOST`, `REMOTE_USER`, `REMOTE_DIR` überschreibbar.
 
 Auf dem Server müssen `.env` u. a. `POSTGRES_PASSWORD`, `RP_ID`, `ORIGIN` (`https://kapteins-daagbok.eu`), `SESSION_SECRET` (≥ 32 Zeichen), `TRUST_PROXY` (NPM, z. B. `172.16.10.10` oder `1`) und bei Push `VAPID_*` enthalten. Optional `NTFY_*` für Feedback. Nach Schema-Änderungen: `npx prisma db push` im Backend-Container.
 
+Prod-Deploy legt vor dem Update automatisch ein Server-Backup an (DB, `.env`, Compose, App-Code). Tägliches Cron-Backup und Restore: [docs/deployment/backup.md](docs/deployment/backup.md).
+
 Hinter **Nginx Proxy Manager**: [docs/deployment/npm-security.md](docs/deployment/npm-security.md).
 
+### Staging
+
+Testumgebung unter [staging.kapteins-daagbok.eu](https://staging.kapteins-daagbok.eu) — Deploy ohne Release-Tag:
+
+```bash
+./scripts/update-remotes.sh -dest stage
+```
+
+Standard-Ziel Staging: `root@10.0.0.27:/opt/kapteins-daagbok-staging` — per `REMOTE_HOST`, `REMOTE_DIR`, `DEPLOY_BRANCH` überschreibbar. Details: [docs/deployment/staging.md](docs/deployment/staging.md).
+
 ## Dokumentation
 
 | Dokument | Inhalt |
@@ -267,6 +279,8 @@ Hinter **Nginx Proxy Manager**: [docs/deployment/npm-security.md](docs/deploymen
 | [docs/deployment/npm-security.md](docs/deployment/npm-security.md) | NPM, TLS, `trust proxy`, Security-Header |
 | [docs/deployment/predeploy.md](docs/deployment/predeploy.md) | Pre-Deploy-Checks ohne CI |
 | [docs/deployment/postgres-password.md](docs/deployment/postgres-password.md) | PostgreSQL-Passwort rotieren / App-Rolle |
+| [docs/deployment/backup.md](docs/deployment/backup.md) | Server-Backup, Crontab, Restore (Prod) |
+| [docs/deployment/staging.md](docs/deployment/staging.md) | Staging-VM, Deploy, `.env` |
 | [docs/plausible-events.md](docs/plausible-events.md) | Custom Events für Plausible Analytics |
 | [docs/push-notifications-plan.md](docs/push-notifications-plan.md) | Web Push: Architektur, API, Testplan |
 | [docs/plan-compass-course-dial.md](docs/plan-compass-course-dial.md) | Kompass-Dial: UX- und Implementierungsplan |

VERSION

@@ -1 +1 @@
-0.1.1.3
+0.1.1.24

client/Dockerfile

@@ -18,15 +18,18 @@ RUN npm run build
 FROM nginx:1.25-alpine
 WORKDIR /usr/share/nginx/html
 
-# Copy custom Nginx configuration
-COPY client/nginx.conf /etc/nginx/conf.d/default.conf
+RUN apk add --no-cache gettext
+
+COPY client/nginx.conf.template /etc/nginx/templates/default.conf.template
+COPY client/docker-entrypoint.sh /docker-entrypoint.sh
+RUN chmod +x /docker-entrypoint.sh
 
 # Copy built assets from builder
 COPY --from=builder /app/dist .
 
-# Expose HTTP port
 EXPOSE 80
 
-# Health check to verify Nginx is actively running
 HEALTHCHECK --interval=30s --timeout=5s --start-period=3s --retries=3 \
-  CMD wget --no-verbose --tries=1 --spider http://localhost:80/ || exit 1
+  CMD wget --no-verbose --tries=1 --spider http://127.0.0.1:80/ || exit 1
+
+ENTRYPOINT ["/docker-entrypoint.sh"]

client/docker-entrypoint.sh

@@ -0,0 +1,26 @@
+#!/bin/sh
+set -eu
+
+PLAUSIBLE_ENABLED="${PLAUSIBLE_ENABLED:-true}"
+PLAUSIBLE_HOST="${PLAUSIBLE_HOST:-https://plausible.elpatron.me}"
+PLAUSIBLE_HOST="${PLAUSIBLE_HOST%/}"
+
+case "$(printf '%s' "$PLAUSIBLE_ENABLED" | tr '[:upper:]' '[:lower:]')" in
+  true|1|yes)
+    PLAUSIBLE_ENABLED_JSON=true
+    PLAUSIBLE_CSP=" ${PLAUSIBLE_HOST}"
+    ;;
+  *)
+    PLAUSIBLE_ENABLED_JSON=false
+    PLAUSIBLE_CSP=""
+    ;;
+esac
+
+export PLAUSIBLE_CSP
+envsubst '${PLAUSIBLE_CSP}' < /etc/nginx/templates/default.conf.template > /etc/nginx/conf.d/default.conf
+
+cat > /usr/share/nginx/html/runtime-config.json <<EOF
+{"plausibleEnabled":${PLAUSIBLE_ENABLED_JSON},"plausibleHost":"${PLAUSIBLE_HOST}"}
+EOF
+
+exec nginx -g 'daemon off;'

client/index.html

@@ -22,6 +22,7 @@
     <meta name="apple-mobile-web-app-title" content="Daagbok" />
     <meta name="theme-color" content="#0b0c10" />
     <script src="/appearance-bootstrap.js"></script>
+    <script src="/plausible-bootstrap.js"></script>
     <script src="/bootstrap-watchdog.js"></script>
     <link rel="apple-touch-icon" href="/logo.png" />
     <meta property="og:type" content="website" />
@@ -38,7 +39,6 @@
     <meta name="twitter:description" content="Kostenlos und werbefrei: sicheres, E2E-verschlüsseltes Logbuch für Skipper. Reisetage, GPS-Tracks, Crew- und Schiffsdaten – Passkey-Anmeldung und Offline-PWA." />
     <meta name="twitter:image" content="https://kapteins-daagbok.eu/logo.png" />
     <meta name="twitter:image:alt" content="Kapteins Daagbok Logo" />
-    <script defer data-domain="kapteins-daagbok.eu" src="https://plausible.elpatron.me/js/script.tagged-events.js"></script>
     <title>Kapteins Daagbok – Kostenloses digitales Yacht-Logbuch (werbefrei)</title>
   </head>
   <body>

client/nginx.conf

@@ -1,51 +1,2 @@
-server {
-    listen 80;
-    server_name localhost;
-    client_max_body_size 50M;
-
-    # Security headers (TLS/HSTS at NPM — see docs/deployment/npm-security.md)
-    add_header X-Content-Type-Options "nosniff" always;
-    add_header X-Frame-Options "SAMEORIGIN" always;
-    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
-    add_header Permissions-Policy "camera=(self), geolocation=(self), microphone=(self)" always;
-    add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://plausible.elpatron.me; connect-src 'self' https://plausible.elpatron.me; img-src 'self' data: blob: https://*.tile.openstreetmap.org; style-src 'self' 'unsafe-inline'; font-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self';" always;
-
-    # Service worker and app shell must revalidate so PWA updates are detected
-    location ~* ^/(sw\.js|workbox-.*\.js|manifest\.webmanifest|version\.json)$ {
-        root /usr/share/nginx/html;
-        add_header Cache-Control "no-cache, no-store, must-revalidate" always;
-        add_header X-Content-Type-Options "nosniff" always;
-        add_header X-Frame-Options "SAMEORIGIN" always;
-        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
-        add_header Permissions-Policy "camera=(self), geolocation=(self), microphone=(self)" always;
-        add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://plausible.elpatron.me; connect-src 'self' https://plausible.elpatron.me; img-src 'self' data: blob: https://*.tile.openstreetmap.org; style-src 'self' 'unsafe-inline'; font-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self';" always;
-    }
-
-    location = /index.html {
-        root /usr/share/nginx/html;
-        add_header Cache-Control "no-cache, must-revalidate" always;
-        add_header X-Content-Type-Options "nosniff" always;
-        add_header X-Frame-Options "SAMEORIGIN" always;
-        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
-        add_header Permissions-Policy "camera=(self), geolocation=(self), microphone=(self)" always;
-        add_header Content-Security-Policy "default-src 'self'; script-src 'self' https://plausible.elpatron.me; connect-src 'self' https://plausible.elpatron.me; img-src 'self' data: blob: https://*.tile.openstreetmap.org; style-src 'self' 'unsafe-inline'; font-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self';" always;
-    }
-
-    location / {
-        root /usr/share/nginx/html;
-        index index.html index.htm;
-        try_files $uri $uri/ /index.html;
-    }
-
-    location /api/ {
-        proxy_pass http://backend:5000/api/;
-        proxy_http_version 1.1;
-        proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection 'upgrade';
-        proxy_set_header Host $host;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
-        proxy_cache_bypass $http_upgrade;
-    }
-}
+# Generated at container start from PLAUSIBLE_* — see client/nginx.conf.template and docker-entrypoint.sh
+# Local Docker Compose uses the template via client/Dockerfile entrypoint.

client/nginx.conf.template

@@ -0,0 +1,51 @@
+server {
+    listen 80;
+    server_name localhost;
+    client_max_body_size 50M;
+
+    # Security headers (TLS/HSTS at NPM — see docs/deployment/npm-security.md)
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-Frame-Options "SAMEORIGIN" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Permissions-Policy "camera=(self), geolocation=(self), microphone=(self)" always;
+    add_header Content-Security-Policy "default-src 'self'; script-src 'self'${PLAUSIBLE_CSP}; connect-src 'self'${PLAUSIBLE_CSP}; img-src 'self' data: blob: https://*.tile.openstreetmap.org; media-src 'self' blob: data:; style-src 'self' 'unsafe-inline'; font-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self';" always;
+
+    # Service worker and app shell must revalidate so PWA updates are detected
+    location ~* ^/(sw\.js|workbox-.*\.js|manifest\.webmanifest|version\.json)$ {
+        root /usr/share/nginx/html;
+        add_header Cache-Control "no-cache, no-store, must-revalidate" always;
+        add_header X-Content-Type-Options "nosniff" always;
+        add_header X-Frame-Options "SAMEORIGIN" always;
+        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+        add_header Permissions-Policy "camera=(self), geolocation=(self), microphone=(self)" always;
+        add_header Content-Security-Policy "default-src 'self'; script-src 'self'${PLAUSIBLE_CSP}; connect-src 'self'${PLAUSIBLE_CSP}; img-src 'self' data: blob: https://*.tile.openstreetmap.org; media-src 'self' blob: data:; style-src 'self' 'unsafe-inline'; font-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self';" always;
+    }
+
+    location = /index.html {
+        root /usr/share/nginx/html;
+        add_header Cache-Control "no-cache, must-revalidate" always;
+        add_header X-Content-Type-Options "nosniff" always;
+        add_header X-Frame-Options "SAMEORIGIN" always;
+        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+        add_header Permissions-Policy "camera=(self), geolocation=(self), microphone=(self)" always;
+        add_header Content-Security-Policy "default-src 'self'; script-src 'self'${PLAUSIBLE_CSP}; connect-src 'self'${PLAUSIBLE_CSP}; img-src 'self' data: blob: https://*.tile.openstreetmap.org; media-src 'self' blob: data:; style-src 'self' 'unsafe-inline'; font-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self';" always;
+    }
+
+    location / {
+        root /usr/share/nginx/html;
+        index index.html index.htm;
+        try_files $uri $uri/ /index.html;
+    }
+
+    location /api/ {
+        proxy_pass http://backend:5000/api/;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection 'upgrade';
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_cache_bypass $http_upgrade;
+    }
+}

client/package.json

@@ -13,6 +13,7 @@
     "generate:flyer:png": "node ../scripts/generate-beta-flyer.mjs --png",
     "generate:flyer:all": "node ../scripts/generate-beta-flyer.mjs --all",
     "generate:flyer:setup": "playwright install chromium",
+    "generate:sharepic": "node ../scripts/generate-sharepic.mjs",
     "translate:locales": "node ../scripts/translate-locales.mjs",
     "translate:flyer": "node ../scripts/translate-flyer.mjs",
     "validate:i18n": "node ../scripts/validate-i18n-keys.mjs"

client/public/plausible-bootstrap.js

@@ -0,0 +1,25 @@
+/**
+ * Loads Plausible when enabled via /runtime-config.json (from .env in Docker / Vite dev).
+ * data-domain is always the current hostname (prod vs staging).
+ */
+(function () {
+  function load(cfg) {
+    if (!cfg || !cfg.plausibleEnabled || !cfg.plausibleHost) return
+    var host = String(cfg.plausibleHost).replace(/\/$/, '')
+    if (!host) return
+    var s = document.createElement('script')
+    s.defer = true
+    s.dataset.domain = window.location.hostname
+    s.src = host + '/js/script.tagged-events.js'
+    document.head.appendChild(s)
+  }
+
+  fetch('/runtime-config.json', { cache: 'no-store' })
+    .then(function (r) {
+      return r.ok ? r.json() : null
+    })
+    .then(load)
+    .catch(function () {
+      /* analytics optional */
+    })
+})()

client/src/App.css

@@ -36,6 +36,10 @@ code {
   min-height: 100svh;
   padding: 24px 16px calc(48px + env(safe-area-inset-bottom, 0px));
   box-sizing: border-box;
+  background-image: linear-gradient(rgba(15, 23, 42, 0.3), rgba(15, 23, 42, 0.5)), url('/login-bg.jpg');
+  background-size: cover;
+  background-position: center;
+  background-repeat: no-repeat;
 }
 
 /* Glassmorphism Auth Card */
@@ -3233,9 +3237,9 @@ html.theme-cupertino .events-scroll-container {
   left: 0;
   right: 0;
   bottom: 0;
-  background: rgba(11, 12, 16, 0.75);
-  backdrop-filter: blur(10px);
-  -webkit-backdrop-filter: blur(10px);
+  background: rgba(11, 12, 16, 0.45);
+  backdrop-filter: var(--app-backdrop);
+  -webkit-backdrop-filter: var(--app-backdrop);
   display: flex;
   align-items: center;
   justify-content: center;
@@ -3243,13 +3247,15 @@ html.theme-cupertino .events-scroll-container {
 }
 
 .custom-dialog-card {
-  background: rgba(15, 23, 42, 0.85);
-  border: 1px solid rgba(255, 255, 255, 0.08);
-  border-radius: 16px;
+  background: var(--app-surface-hover, var(--app-surface));
+  backdrop-filter: var(--app-backdrop);
+  -webkit-backdrop-filter: var(--app-backdrop);
+  border: 1px solid var(--app-border-subtle);
+  border-radius: var(--app-radius-card, 16px);
   padding: 28px;
   width: 90%;
   max-width: 420px;
-  box-shadow: 0 25px 50px -12px rgba(0, 0, 0, 0.6);
+  box-shadow: var(--app-shadow);
   text-align: center;
   display: flex;
   flex-direction: column;
@@ -3259,7 +3265,7 @@ html.theme-cupertino .events-scroll-container {
 .custom-dialog-title {
   font-size: 19px;
   font-weight: 700;
-  color: #fbbf24;
+  color: var(--app-accent-light);
   margin: 0 0 14px 0;
   text-transform: uppercase;
   letter-spacing: 0.5px;
@@ -3267,7 +3273,7 @@ html.theme-cupertino .events-scroll-container {
 
 .custom-dialog-message {
   font-size: 15px;
-  color: #e2e8f0;
+  color: var(--app-text);
   line-height: 1.5;
   margin: 0 0 24px 0;
   white-space: pre-line;
@@ -4915,6 +4921,177 @@ html.theme-cupertino .events-scroll-container {
   padding-bottom: 8px;
 }
 
+.admin-page {
+  width: 100%;
+  max-width: 1200px;
+  min-height: 100vh;
+  margin: 0 auto;
+  padding: 24px;
+  box-sizing: border-box;
+  color: var(--app-text);
+  display: flex;
+  flex-direction: column;
+  gap: 24px;
+}
+
+.admin-header {
+  display: flex;
+  align-items: flex-start;
+  justify-content: space-between;
+  gap: 16px;
+  padding-bottom: 16px;
+  border-bottom: 1px solid var(--app-header-border);
+}
+
+.admin-header-left {
+  display: flex;
+  align-items: flex-start;
+  gap: 20px;
+  min-width: 0;
+}
+
+.admin-title {
+  margin: 0;
+  font-size: 24px;
+  font-weight: 700;
+  background: var(--app-accent-gradient);
+  -webkit-background-clip: text;
+  background-clip: text;
+  -webkit-text-fill-color: transparent;
+}
+
+.admin-subtitle {
+  margin: 6px 0 0;
+  font-size: 14px;
+  color: var(--app-text-muted);
+}
+
+.admin-main {
+  display: flex;
+  flex-direction: column;
+  gap: 24px;
+  width: 100%;
+}
+
+.admin-kpi-grid {
+  margin-top: 0;
+  grid-template-columns: repeat(3, minmax(0, 1fr));
+}
+
+.admin-controls {
+  display: flex;
+  flex-wrap: wrap;
+  gap: 24px;
+  padding: 16px 20px;
+  border-radius: var(--app-radius-card);
+  border: 1px solid var(--app-border-subtle);
+  background: var(--app-surface);
+}
+
+.admin-control-group {
+  display: flex;
+  flex-direction: column;
+  gap: 10px;
+  min-width: 0;
+}
+
+.admin-control-label {
+  font-size: 13px;
+  font-weight: 600;
+  color: var(--app-text-muted);
+}
+
+.admin-control-buttons {
+  display: flex;
+  flex-wrap: wrap;
+  gap: 8px;
+}
+
+.admin-control-buttons .btn {
+  width: auto;
+  padding: 8px 16px;
+  font-size: 14px;
+}
+
+.admin-charts-grid {
+  display: grid;
+  grid-template-columns: repeat(auto-fit, minmax(min(100%, 320px), 1fr));
+  gap: 20px;
+}
+
+.dashboard-subtitle {
+  margin-top: 4px;
+  font-size: 14px;
+  color: var(--app-text-muted);
+}
+
+@media (max-width: 640px) {
+  .admin-page {
+    padding: 12px 12px 20px;
+    gap: 16px;
+    min-height: auto;
+  }
+
+  .admin-header {
+    padding-bottom: 12px;
+  }
+
+  .admin-header-left {
+    display: grid;
+    grid-template-columns: auto 1fr;
+    grid-template-rows: auto auto;
+    align-items: center;
+    column-gap: 10px;
+    row-gap: 2px;
+  }
+
+  .admin-header-left .btn-back {
+    grid-row: 1 / -1;
+    align-self: center;
+    padding: 6px 10px;
+    font-size: 13px;
+  }
+
+  .admin-title {
+    font-size: 18px;
+    line-height: 1.2;
+  }
+
+  .admin-subtitle {
+    font-size: 11px;
+    margin: 0;
+    line-height: 1.35;
+  }
+
+  .admin-main {
+    gap: 16px;
+  }
+
+  .admin-controls {
+    display: grid;
+    grid-template-columns: 1fr 1fr;
+    gap: 12px;
+    padding: 12px;
+  }
+
+  .admin-control-buttons {
+    gap: 6px;
+  }
+
+  .admin-control-label {
+    font-size: 11px;
+  }
+
+  .admin-control-buttons .btn {
+    padding: 6px 8px;
+    font-size: 12px;
+  }
+
+  .admin-charts-grid {
+    gap: 14px;
+  }
+}
+
 .stats-consumption-chart .stats-bar-column--grouped {
   display: inline-flex;
   white-space: normal;
@@ -5014,6 +5191,36 @@ html.theme-cupertino .events-scroll-container {
     grid-template-columns: 1fr;
   }
 
+  /* Admin dashboard: keep 2-column KPI grid on mobile (overrides rule above) */
+  .stats-kpi-grid.admin-kpi-grid {
+    grid-template-columns: repeat(2, minmax(0, 1fr));
+    gap: 10px;
+  }
+
+  .admin-kpi-grid .stats-kpi-card {
+    padding: 10px 12px;
+    gap: 8px;
+  }
+
+  .admin-kpi-grid .stats-kpi-icon {
+    margin-top: 0;
+  }
+
+  .admin-kpi-grid .stats-kpi-icon svg {
+    width: 18px;
+    height: 18px;
+  }
+
+  .admin-kpi-grid .stats-kpi-label {
+    font-size: 11px;
+    line-height: 1.25;
+    margin-bottom: 2px;
+  }
+
+  .admin-kpi-grid .stats-kpi-value {
+    font-size: 18px;
+  }
+
   .stats-kpi-value {
     font-size: 20px;
   }
@@ -5293,8 +5500,9 @@ html.theme-cupertino .events-scroll-container {
 /* PWA install prompt */
 .pwa-install-banner {
   position: fixed;
-  left: 16px;
-  right: 16px;
+  left: 0;
+  right: 0;
+  width: calc(100% - 32px);
   bottom: calc(36px + env(safe-area-inset-bottom, 0px));
   z-index: 1200;
   display: grid;
@@ -5457,8 +5665,9 @@ html.theme-cupertino .events-scroll-container {
 .pwa-update-banner {
   position: fixed;
   top: calc(12px + env(safe-area-inset-top, 0px));
-  left: 16px;
-  right: 16px;
+  left: 0;
+  right: 0;
+  width: calc(100% - 32px);
   z-index: 1300;
   display: grid;
   grid-template-columns: auto 1fr auto;
@@ -5581,6 +5790,12 @@ html.theme-cupertino .events-scroll-container {
   pointer-events: none;
 }
 
+@media (max-width: 768px) {
+  body:has(.app-bottom-nav) .app-version-footer {
+    display: none;
+  }
+}
+
 .app-version-footer a,
 .app-version-footer button {
   pointer-events: auto;
@@ -5630,6 +5845,48 @@ html.theme-cupertino .events-scroll-container {
   border-color: rgba(255, 94, 91, 0.32);
 }
 
+.mail-footer-badge {
+  display: inline-flex;
+  align-items: center;
+  gap: 4px;
+  padding: 2px 8px;
+  border-radius: 999px;
+  font-size: 13px;
+  font-weight: 500;
+  color: #94a3b8;
+  text-decoration: none;
+  background: rgba(56, 189, 248, 0.08);
+  border: 1px solid rgba(56, 189, 248, 0.18);
+  transition: color 0.15s ease, background 0.15s ease, border-color 0.15s ease;
+}
+
+.mail-footer-badge:hover {
+  color: #bae6fd;
+  background: rgba(56, 189, 248, 0.14);
+  border-color: rgba(56, 189, 248, 0.32);
+}
+
+.knorrlabs-footer-badge {
+  display: inline-flex;
+  align-items: center;
+  gap: 4px;
+  padding: 2px 8px;
+  border-radius: 999px;
+  font-size: 13px;
+  font-weight: 500;
+  color: #94a3b8;
+  text-decoration: none;
+  background: rgba(139, 92, 246, 0.08);
+  border: 1px solid rgba(139, 92, 246, 0.18);
+  transition: color 0.15s ease, background 0.15s ease, border-color 0.15s ease;
+}
+
+.knorrlabs-footer-badge:hover {
+  color: #ddd6fe;
+  background: rgba(139, 92, 246, 0.14);
+  border-color: rgba(139, 92, 246, 0.32);
+}
+
 .demo-badge {
   display: inline-flex;
   align-items: center;
@@ -5779,13 +6036,15 @@ html.theme-cupertino .events-scroll-container {
 .app-tour-root {
   position: fixed;
   inset: 0;
-  z-index: 10000;
+  /* Above .app-tour-target-active (10001) so tooltip/backdrop stay topmost */
+  z-index: 10010;
   pointer-events: none;
 }
 
 .app-tour-backdrop {
   position: absolute;
   inset: 0;
+  z-index: 1;
   background: rgba(2, 6, 23, 0.62);
   pointer-events: auto;
 }
@@ -5803,7 +6062,7 @@ html.theme-cupertino .events-scroll-container {
     0 0 32px rgba(56, 189, 248, 0.5),
     0 12px 40px rgba(0, 0, 0, 0.35);
   pointer-events: none;
-  z-index: 10001;
+  z-index: 2;
 }
 
 body.app-tour-active .app-tour-target-active {
@@ -5814,7 +6073,8 @@ body.app-tour-active .app-tour-target-active {
 
 .app-tour-tooltip {
   position: fixed;
-  z-index: 10002;
+  /* Layer above backdrop/spotlight inside .app-tour-root (not vs. root's 10010) */
+  z-index: 3;
   box-sizing: border-box;
   width: min(420px, calc(100vw - 32px));
   max-width: calc(100vw - 32px);

client/src/App.tsx

@@ -36,6 +36,7 @@ import { syncAppearancePrefs } from './services/appearancePrefs.js'
 import { startBackgroundSync, stopBackgroundSync, syncAllLogbooks, subscribeToSyncState } from './services/sync.js'
 import ReadOnlyViewer from './components/ReadOnlyViewer.tsx'
 import DemoViewer from './components/DemoViewer.tsx'
+import AdminDashboard from './admin/AdminDashboard.tsx'
 import PwaInstallPrompt from './components/PwaInstallPrompt.tsx'
 import PwaUpdatePrompt from './components/PwaUpdatePrompt.tsx'
 import AppFooter from './components/AppFooter.tsx'
@@ -49,6 +50,8 @@ import { Ship, LogOut, ChevronLeft, Users, FileText, Settings, Wifi, WifiOff, La
 import DisclaimerHeaderButton from './components/DisclaimerHeaderButton.tsx'
 import FeedbackHeaderButton from './components/FeedbackHeaderButton.tsx'
 import ProfileHeaderButton from './components/ProfileHeaderButton.tsx'
+import AdminHeaderButton from './components/AdminHeaderButton.tsx'
+import { checkAdminAccess } from './services/adminApi.js'
 import { useTranslation } from 'react-i18next'
 import { cycleAppLanguage } from './utils/i18nLanguages.js'
 import {
@@ -92,6 +95,10 @@ function App() {
 
   // Public demo mode (no account required)
   const [isDemoMode, setIsDemoMode] = useState(() => window.location.pathname === '/demo')
+  const [isAdminRoute, setIsAdminRoute] = useState(() => window.location.pathname.startsWith('/admin'))
+  const [isAdminUser, setIsAdminUser] = useState(false)
+  const [sessionChecked, setSessionChecked] = useState(false)
+  const [serverSessionActive, setServerSessionActive] = useState(false)
 
   const syncQueueCount = useLiveQuery(
     () => activeLogbookId ? db.syncQueue.where({ logbookId: activeLogbookId }).count() : db.syncQueue.count(),
@@ -160,14 +167,23 @@ function App() {
     })
   }, [])
 
+  const refreshAdminAccess = useCallback(async () => {
+    const isAdmin = await checkAdminAccess()
+    setIsAdminUser(isAdmin)
+  }, [])
+
   useEffect(() => {
-    if (!isAuthenticated) return
+    if (!isAuthenticated) {
+      setIsAdminUser(false)
+      return
+    }
     const userId = localStorage.getItem('active_userid')
     if (!userId) return
     void syncAppearancePrefs(userId)
     void migrateLegacyCrewToPoolIfNeeded().then(() => syncPersonPool())
     void migrateLegacyYachtsToPoolIfNeeded().then(() => syncVesselPool())
-  }, [isAuthenticated])
+    void refreshAdminAccess()
+  }, [isAuthenticated, refreshAdminAccess])
 
   useEffect(() => {
     const handleOnline = () => {
@@ -199,6 +215,13 @@ function App() {
     const hashParams = new URLSearchParams(window.location.hash.substring(1))
     const path = window.location.pathname
 
+    if (path.startsWith('/admin')) {
+      setIsAdminRoute(true)
+      return
+    }
+
+    setIsAdminRoute(false)
+
     if (path === '/demo') {
       setIsDemoMode(true)
       setIsViewerMode(false)
@@ -240,6 +263,7 @@ function App() {
 
   const clearAuthenticatedAppState = useCallback(() => {
     setIsAuthenticated(false)
+    setIsAdminUser(false)
     setActiveLogbookId(null)
     setActiveLogbookTitle(null)
     setShowUserProfile(false)
@@ -249,7 +273,7 @@ function App() {
 
   /** After PWA/bfcache resume, React state may still say "logged in" while the master key is gone. */
   const enforceUnlockedSession = useCallback(() => {
-    if (isViewerMode || isDemoMode || isAcceptingInvite) return
+    if (isViewerMode || isDemoMode || isAcceptingInvite || isAdminRoute) return
     // Require full local session (incl. userId) so API calls are not left headless.
     if (isAuthenticated && !hasUnlockedLocalSession()) {
       clearAuthenticatedAppState()
@@ -259,6 +283,7 @@ function App() {
     isViewerMode,
     isDemoMode,
     isAcceptingInvite,
+    isAdminRoute,
     clearAuthenticatedAppState
   ])
 
@@ -293,6 +318,8 @@ function App() {
         const session = await checkServerSession()
         if (cancelled) return
 
+        setServerSessionActive(session.authenticated)
+
         if (session.authenticated) {
           persistSessionUserId(session.userId)
         }
@@ -312,6 +339,10 @@ function App() {
         if (!cancelled) {
           console.warn('Session restore failed:', err)
         }
+      } finally {
+        if (!cancelled) {
+          setSessionChecked(true)
+        }
       }
     })()
 
@@ -333,6 +364,14 @@ function App() {
     setIsAcceptingInvite(false)
   }, [])
 
+  const openAdmin = useCallback(() => {
+    window.history.pushState({}, document.title, '/admin')
+    setIsAdminRoute(true)
+    setIsDemoMode(false)
+    setIsViewerMode(false)
+    setIsAcceptingInvite(false)
+  }, [])
+
   const selectLogbook = useCallback((id: string, title: string) => {
     setActiveLogbookId(id)
     setActiveLogbookTitle(title)
@@ -497,6 +536,7 @@ function App() {
     if (!(await confirmLeave())) return
     void logoutUser()
     setIsAuthenticated(false)
+    setIsAdminUser(false)
     setActiveLogbookId(null)
     setActiveLogbookTitle(null)
     setShowUserProfile(false)
@@ -524,6 +564,28 @@ function App() {
     syncRouteFromLocation()
   }
 
+  const handleBackFromAdmin = () => {
+    window.history.replaceState({}, document.title, '/')
+    setIsAdminRoute(false)
+    syncRouteFromLocation()
+  }
+
+  if (isAdminRoute) {
+    if (!isAuthenticated) {
+      return (
+        <div className="auth-screen">
+          <AuthOnboarding onAuthenticated={handleAuthenticated} onOpenDemo={openDemo} />
+        </div>
+      )
+    }
+
+    return (
+      <div style={{ display: 'contents' }}>
+        <AdminDashboard onBack={handleBackFromAdmin} />
+      </div>
+    )
+  }
+
   if (isDemoMode) {
     return (
       <div style={{ display: 'contents' }}>
@@ -564,7 +626,17 @@ function App() {
   if (!isAuthenticated) {
     return (
       <div className="auth-screen">
-        <AuthOnboarding onAuthenticated={handleAuthenticated} onOpenDemo={openDemo} />
+        {!sessionChecked ? (
+          <div className="auth-card glass">
+            <p className="dashboard-status-msg">{t('auth.restore_checking')}</p>
+          </div>
+        ) : (
+          <AuthOnboarding
+            restoreSession={serverSessionActive}
+            onAuthenticated={handleAuthenticated}
+            onOpenDemo={openDemo}
+          />
+        )}
       </div>
     )
   }
@@ -597,6 +669,7 @@ function App() {
           onSelectLogbook={selectLogbook}
           onLogout={handleLogout}
           onOpenProfile={() => setShowUserProfile(true)}
+          onOpenAdmin={isAdminUser ? openAdmin : undefined}
         />
       </div>
     )
@@ -647,6 +720,8 @@ function App() {
               <Languages size={18} />
             </button>
 
+            {isAdminUser && <AdminHeaderButton onClick={openAdmin} />}
+
             <ProfileHeaderButton onClick={() => setShowUserProfile(true)} />
 
             <DisclaimerHeaderButton />

client/src/admin/AdminDashboard.tsx

@@ -0,0 +1,240 @@
+import { useEffect, useState, type ReactNode } from 'react'
+import {
+  fetchAdminMe,
+  fetchAdminSummary,
+  fetchAdminTimeSeries,
+  type AdminSummary,
+  type AdminTimeSeriesResponse,
+  type AdminTimeBucket
+} from '../services/adminApi.js'
+import { BarChart2, Bookmark, ChevronLeft, Image, MapPin, Mic, Users } from 'lucide-react'
+
+function formatNumber(value: number): string {
+  return value.toLocaleString()
+}
+
+function KpiCard({
+  icon,
+  label,
+  value
+}: {
+  icon: ReactNode
+  label: string
+  value: number
+}) {
+  return (
+    <div className="stats-kpi-card glass">
+      <div className="stats-kpi-icon">{icon}</div>
+      <div className="stats-kpi-body">
+        <span className="stats-kpi-label">{label}</span>
+        <span className="stats-kpi-value">{formatNumber(value)}</span>
+      </div>
+    </div>
+  )
+}
+
+function TimeSeriesChart({
+  title,
+  seriesKey,
+  data
+}: {
+  title: string
+  seriesKey: string
+  data: AdminTimeSeriesResponse | null
+}) {
+  if (!data) {
+    return null
+  }
+
+  const metric = data.series.find((s) => s.metric === seriesKey)
+  if (!metric || metric.points.length === 0) {
+    return (
+      <div className="form-card glass">
+        <div className="form-header">
+          <BarChart2 className="form-icon" />
+          <h2>{title}</h2>
+        </div>
+        <p className="dashboard-status-msg">Keine Daten im gewählten Zeitraum.</p>
+      </div>
+    )
+  }
+
+  const max = metric.points.reduce((acc, p) => (p.count > acc ? p.count : acc), 0) || 1
+
+  return (
+    <div className="form-card glass">
+      <div className="form-header">
+        <BarChart2 className="form-icon" />
+        <h2>{title}</h2>
+      </div>
+      <div className="stats-bar-chart" role="img" aria-label={title}>
+        {metric.points.map((point) => {
+          const heightPct = Math.max(2, (point.count / max) * 100)
+          return (
+            <div key={point.date} className="stats-bar-column" title={`${point.date}: ${point.count}`}>
+              <span className="stats-bar-value">{point.count > 0 ? String(point.count) : ''}</span>
+              <div className="stats-bar-track">
+                <div className="stats-bar stats-bar--distance" style={{ height: `${heightPct}%` }} />
+              </div>
+              <span className="stats-bar-label">{point.date.slice(5)}</span>
+            </div>
+          )
+        })}
+      </div>
+    </div>
+  )
+}
+
+interface AdminDashboardProps {
+  onBack: () => void
+}
+
+export default function AdminDashboard({ onBack }: AdminDashboardProps) {
+  const [loading, setLoading] = useState(true)
+  const [error, setError] = useState<string | null>(null)
+  const [summary, setSummary] = useState<AdminSummary | null>(null)
+  const [timeSeries, setTimeSeries] = useState<AdminTimeSeriesResponse | null>(null)
+  const [bucket, setBucket] = useState<AdminTimeBucket>('day')
+  const [windowDays, setWindowDays] = useState(90)
+
+  useEffect(() => {
+    let cancelled = false
+
+    async function load() {
+      try {
+        setLoading(true)
+        setError(null)
+
+        await fetchAdminMe()
+        const [summaryRes, tsRes] = await Promise.all([
+          fetchAdminSummary(),
+          fetchAdminTimeSeries({ bucket, windowDays })
+        ])
+
+        if (!cancelled) {
+          setSummary(summaryRes)
+          setTimeSeries(tsRes)
+        }
+      } catch (err: unknown) {
+        if (!cancelled) {
+          const message =
+            err instanceof Error && err.message ? err.message : 'Fehler beim Laden des Admin-Dashboards'
+          setError(message)
+        }
+      } finally {
+        if (!cancelled) {
+          setLoading(false)
+        }
+      }
+    }
+
+    void load()
+
+    return () => {
+      cancelled = true
+    }
+  }, [bucket, windowDays])
+
+  if (loading && !summary) {
+    return (
+      <div className="admin-page">
+        <p className="dashboard-status-msg">Admin-Dashboard wird geladen…</p>
+      </div>
+    )
+  }
+
+  if (error) {
+    return (
+      <div className="admin-page">
+        <header className="admin-header">
+          <button type="button" className="btn-back" onClick={onBack}>
+            <ChevronLeft size={16} />
+            Zur App
+          </button>
+        </header>
+        <p className="dashboard-status-msg">{error}</p>
+      </div>
+    )
+  }
+
+  if (!summary) {
+    return (
+      <div className="admin-page">
+        <p className="dashboard-status-msg">Keine Admin-Daten verfügbar.</p>
+      </div>
+    )
+  }
+
+  return (
+    <div className="admin-page">
+      <header className="admin-header">
+        <div className="admin-header-left">
+          <button type="button" className="btn-back" onClick={onBack}>
+            <ChevronLeft size={16} />
+            Zur App
+          </button>
+          <div>
+            <h1 className="admin-title">Admin-Dashboard</h1>
+            <p className="admin-subtitle">
+              Übersicht über Nutzung und Wachstum von Kapteins Daagbok.
+            </p>
+          </div>
+        </div>
+      </header>
+
+      <main className="admin-main">
+        <section className="stats-kpi-grid admin-kpi-grid">
+          <KpiCard icon={<Users size={20} />} label="Registrierte Benutzer" value={summary.totalUsers} />
+          <KpiCard icon={<Bookmark size={20} />} label="Logbücher" value={summary.totalLogbooks} />
+          <KpiCard icon={<Image size={20} />} label="Fotos" value={summary.totalPhotos} />
+          <KpiCard icon={<Mic size={20} />} label="Sprachmemos" value={summary.totalVoiceMemos} />
+          <KpiCard icon={<MapPin size={20} />} label="GPS-Tracks" value={summary.totalGpsTracks} />
+          <KpiCard
+            icon={<BarChart2 size={20} />}
+            label="Einträge mit AI-Zusammenfassung"
+            value={summary.aiSummaryEntries}
+          />
+        </section>
+
+        <section className="admin-controls">
+          <div className="admin-control-group">
+            <span className="admin-control-label">Zeitraum</span>
+            <div className="admin-control-buttons">
+              {[30, 90, 365].map((days) => (
+                <button
+                  key={days}
+                  type="button"
+                  className={days === windowDays ? 'btn primary' : 'btn secondary'}
+                  onClick={() => setWindowDays(days)}
+                >
+                  {days} Tage
+                </button>
+              ))}
+            </div>
+          </div>
+          <div className="admin-control-group">
+            <span className="admin-control-label">Aggregation</span>
+            <div className="admin-control-buttons">
+              {(['day', 'week', 'month'] as AdminTimeBucket[]).map((b) => (
+                <button
+                  key={b}
+                  type="button"
+                  className={b === bucket ? 'btn primary' : 'btn secondary'}
+                  onClick={() => setBucket(b)}
+                >
+                  {b === 'day' ? 'Tag' : b === 'week' ? 'Woche' : 'Monat'}
+                </button>
+              ))}
+            </div>
+          </div>
+        </section>
+
+        <section className="admin-charts-grid">
+          <TimeSeriesChart title="Neue Benutzer" seriesKey="users_created" data={timeSeries} />
+          <TimeSeriesChart title="Neue Logbücher" seriesKey="logbooks_created" data={timeSeries} />
+          <TimeSeriesChart title="Foto-Aktivität" seriesKey="photos_updated" data={timeSeries} />
+        </section>
+      </main>
+    </div>
+  )
+}

client/src/components/AdminHeaderButton.tsx

@@ -0,0 +1,23 @@
+import { useTranslation } from 'react-i18next'
+import { LayoutDashboard } from 'lucide-react'
+
+interface AdminHeaderButtonProps {
+  onClick: () => void
+}
+
+export default function AdminHeaderButton({ onClick }: AdminHeaderButtonProps) {
+  const { t } = useTranslation()
+
+  return (
+    <button
+      type="button"
+      className="btn-icon skipper-badge"
+      onClick={onClick}
+      title={t('nav.admin')}
+      aria-label={t('nav.admin')}
+    >
+      <LayoutDashboard size={18} aria-hidden="true" />
+      <span className="skipper-badge__name">{t('nav.admin')}</span>
+    </button>
+  )
+}

client/src/components/AppFooter.tsx

@@ -1,4 +1,4 @@
-import { Coffee } from 'lucide-react'
+import { Coffee, Mail, Compass } from 'lucide-react'
 import { useTranslation } from 'react-i18next'
 import { PlausibleEvents, trackPlausibleEvent } from '../services/analytics.js'
 
@@ -15,17 +15,35 @@ export default function AppFooter() {
         ·
       </span>
       <span className="app-version-footer__copyright">
-        © 2026 KnorrLabs/
-        <a
-          href="mailto:elpatron+kd@mailbox.org"
-          onClick={() => trackPlausibleEvent(PlausibleEvents.FOOTER_LINK_CLICKED)}
-        >
-          Markus F.J. Busche
-        </a>
+        © 2026
       </span>
       <span className="app-version-footer__sep" aria-hidden="true">
         ·
       </span>
+      <a
+        className="knorrlabs-footer-badge"
+        href="https://dashy.elpatron.me/"
+        target="_blank"
+        rel="noopener noreferrer"
+        onClick={() => trackPlausibleEvent(PlausibleEvents.FOOTER_LINK_CLICKED)}
+      >
+        <Compass size={14} aria-hidden="true" />
+        <span>KnorrLabs</span>
+      </a>
+      <span className="app-version-footer__sep" aria-hidden="true">
+        ·
+      </span>
+      <a
+        className="mail-footer-badge"
+        href="mailto:moin@kapteins-daagbok.eu"
+        onClick={() => trackPlausibleEvent(PlausibleEvents.FOOTER_LINK_CLICKED)}
+      >
+        <Mail size={14} aria-hidden="true" />
+        <span>moin@kapteins-daagbok.eu</span>
+      </a>
+      <span className="app-version-footer__sep" aria-hidden="true">
+        ·
+      </span>
       <a
         className="kofi-footer-badge"
         href={KOFI_URL}

client/src/components/AuthOnboarding.tsx

@@ -1,4 +1,4 @@
-import React, { useState } from 'react'
+import React, { useEffect, useRef, useState } from 'react'
 import { useTranslation } from 'react-i18next'
 import { cycleAppLanguage, getNextLanguage } from '../utils/i18nLanguages.js'
 import {
@@ -12,7 +12,8 @@ import {
   getKnownUsernames,
   forgetUsername,
   hasUnlockedLocalSession,
-  logoutUser
+  logoutUser,
+  resolveRestoreUsername
 } from '../services/auth.js'
 import { KeyRound, ShieldAlert, Languages, HelpCircle, UserRound, X } from 'lucide-react'
 import RegistrationDisclaimer from './RegistrationDisclaimer.tsx'
@@ -27,9 +28,15 @@ import {
 interface AuthOnboardingProps {
   onAuthenticated: () => void
   onOpenDemo?: () => void
+  /** Server session cookie is valid but the in-memory master key was lost (e.g. after reload). */
+  restoreSession?: boolean
 }
 
-export default function AuthOnboarding({ onAuthenticated, onOpenDemo }: AuthOnboardingProps) {
+export default function AuthOnboarding({
+  onAuthenticated,
+  onOpenDemo,
+  restoreSession = false
+}: AuthOnboardingProps) {
   const { t, i18n } = useTranslation()
   const [username, setUsername] = useState('')
   const [loading, setLoading] = useState(false)
@@ -60,7 +67,10 @@ export default function AuthOnboarding({ onAuthenticated, onOpenDemo }: AuthOnbo
   const [isNewRegistration, setIsNewRegistration] = useState(false)
   const [showDisclaimer, setShowDisclaimer] = useState(false)
   const [showHelp, setShowHelp] = useState(false)
+  const [showStandardLogin, setShowStandardLogin] = useState(false)
+  const autoUnlockAttempted = useRef(false)
 
+  const isRestoreFlow = restoreSession && !showStandardLogin
   const passkeyHostOk = isPasskeyCompatibleLocation()
   const passkeyCompatibleUrl = passkeyHostOk ? null : toPasskeyCompatibleUrl(window.location.href)
 
@@ -144,6 +154,23 @@ export default function AuthOnboarding({ onAuthenticated, onOpenDemo }: AuthOnbo
     }
   }
 
+  useEffect(() => {
+    if (!isRestoreFlow || autoUnlockAttempted.current) return
+
+    const user = resolveRestoreUsername()
+    if (user && hasLocalPin(user)) {
+      autoUnlockAttempted.current = true
+      setUsername(user)
+      setShowPinLogin(true)
+      return
+    }
+
+    if (user && passkeyHostOk) {
+      autoUnlockAttempted.current = true
+      void handleLogin(user)
+    }
+  }, [isRestoreFlow, passkeyHostOk])
+
   const handleRecoverySubmit = async (e: React.FormEvent) => {
     e.preventDefault()
     if (!recoveryInput.trim() || !encryptedPayloads) return
@@ -347,10 +374,10 @@ export default function AuthOnboarding({ onAuthenticated, onOpenDemo }: AuthOnbo
       <div className="auth-card glass">
         <div className="auth-header">
           <KeyRound className="auth-icon accent" size={48} />
-          <h2>{t('auth.enter_pin_title')}</h2>
+          <h2>{isRestoreFlow ? t('auth.restore_title') : t('auth.enter_pin_title')}</h2>
         </div>
         <p className="recovery-warning">
-          {t('auth.enter_pin_warning')}
+          {isRestoreFlow ? t('auth.restore_pin_warning') : t('auth.enter_pin_warning')}
         </p>
 
         <form onSubmit={handlePinLoginSubmit} className="auth-form">
@@ -397,6 +424,12 @@ export default function AuthOnboarding({ onAuthenticated, onOpenDemo }: AuthOnbo
               type="button"
               className="btn secondary"
               onClick={() => {
+                if (isRestoreFlow) {
+                  setShowPinLogin(false)
+                  setPinLoginInput('')
+                  setError(null)
+                  return
+                }
                 void (async () => {
                   setShowPinLogin(false)
                   setPinLoginInput('')
@@ -480,6 +513,101 @@ export default function AuthOnboarding({ onAuthenticated, onOpenDemo }: AuthOnbo
     )
   }
 
+  // Render: Session restore (active server cookie, master key lost after reload)
+  if (isRestoreFlow) {
+    const restoreUser = resolveRestoreUsername()
+    const restoreKnownUsers = getKnownUsernames()
+
+    return (
+      <div className="auth-card glass">
+        <div className="auth-header">
+          <KeyRound className="auth-icon accent" size={48} />
+          <h2>{t('auth.restore_title')}</h2>
+        </div>
+        <p className="recovery-warning">{t('auth.restore_subtitle')}</p>
+
+        {loading && (
+          <p className="dashboard-status-msg" style={{ marginTop: '12px' }}>
+            {t('auth.restore_unlocking')}
+          </p>
+        )}
+
+        {error && <div className="auth-error">{error}</div>}
+
+        {!loading && (
+          <div className="auth-actions" style={{ flexDirection: 'column', gap: '10px', marginTop: '16px' }}>
+            {restoreUser && passkeyHostOk && (
+              <button
+                type="button"
+                className="btn primary"
+                onClick={() => handleLogin(restoreUser)}
+                style={{ width: '100%' }}
+              >
+                {t('auth.restore_with_passkey', { name: restoreUser })}
+              </button>
+            )}
+
+            {restoreUser && hasLocalPin(restoreUser) && (
+              <button
+                type="button"
+                className="btn secondary"
+                onClick={() => {
+                  setUsername(restoreUser)
+                  setShowPinLogin(true)
+                }}
+                style={{ width: '100%' }}
+              >
+                {t('auth.restore_with_pin')}
+              </button>
+            )}
+
+            {restoreKnownUsers.length > 1 && (
+              <div style={{ display: 'flex', flexDirection: 'column', gap: '8px', width: '100%' }}>
+                <span style={{ fontSize: '12px', color: '#64748b', textTransform: 'uppercase' }}>
+                  {t('auth.quick_login')}
+                </span>
+                <div style={{ display: 'flex', flexWrap: 'wrap', gap: '8px', width: '100%' }}>
+                  {restoreKnownUsers.map((name) => (
+                    <button
+                      key={name}
+                      type="button"
+                      onClick={() => {
+                        if (hasLocalPin(name)) {
+                          setUsername(name)
+                          setShowPinLogin(true)
+                        } else {
+                          void handleLogin(name)
+                        }
+                      }}
+                      disabled={loading}
+                      className="btn secondary"
+                      style={{ display: 'flex', alignItems: 'center', gap: '6px' }}
+                    >
+                      <UserRound size={16} />
+                      {name}
+                    </button>
+                  ))}
+                </div>
+              </div>
+            )}
+
+            <button
+              type="button"
+              className="btn secondary"
+              onClick={() => {
+                setShowStandardLogin(true)
+                setError(null)
+              }}
+              style={{ width: '100%' }}
+            >
+              {t('auth.restore_other_account')}
+            </button>
+          </div>
+        )}
+      </div>
+    )
+  }
+
   // Render 3: Standard Login / Registration options form
   return (
     <>

client/src/components/CreatorAvatar.tsx

@@ -0,0 +1,141 @@
+import React from 'react'
+
+interface PersonSnapshot {
+  name: string
+  photo?: string | null
+  role?: string
+}
+
+interface CreatorAvatarProps {
+  creatorId?: string
+  crewSnapshotsById?: Record<string, PersonSnapshot>
+  fallbackName?: string
+  size?: number
+}
+
+const colors = [
+  '#2563eb', // blue
+  '#059669', // emerald
+  '#d97706', // amber
+  '#dc2626', // red
+  '#7c3aed', // violet
+  '#db2777', // pink
+  '#0891b2', // cyan
+  '#4f46e5', // indigo
+  '#0f766e', // teal
+  '#9333ea', // purple
+]
+
+function getAvatarColor(name: string): string {
+  let hash = 0
+  for (let i = 0; i < name.length; i++) {
+    hash = name.charCodeAt(i) + ((hash << 5) - hash)
+  }
+  const index = Math.abs(hash) % colors.length
+  return colors[index]
+}
+
+export default function CreatorAvatar({
+  creatorId,
+  crewSnapshotsById,
+  fallbackName,
+  size = 28
+}: CreatorAvatarProps) {
+  let name = ''
+  let photo: string | null = null
+  let role = ''
+
+  if (creatorId && crewSnapshotsById) {
+    let snap: PersonSnapshot | undefined = crewSnapshotsById[creatorId]
+
+    // Fallback: If not found directly by key, search by role or name or active user
+    if (!snap) {
+      if (creatorId === 'skipper') {
+        snap = Object.values(crewSnapshotsById).find((s) => s.role === 'skipper')
+      } else {
+        // Try to match name case-insensitively
+        snap = Object.values(crewSnapshotsById).find(
+          (s) => (s.name || '').trim().toLowerCase() === creatorId.trim().toLowerCase()
+        )
+
+        // Try to match active username/userid to the skipper snapshot
+        if (!snap) {
+          const activeUsername = localStorage.getItem('active_username')
+          const activeUserId = localStorage.getItem('active_userid')
+          if (
+            (activeUsername && creatorId.toLowerCase() === activeUsername.toLowerCase()) ||
+            (activeUserId && creatorId === activeUserId)
+          ) {
+            snap = Object.values(crewSnapshotsById).find((s) => s.role === 'skipper')
+          }
+        }
+      }
+    }
+
+    if (snap) {
+      name = snap.name || ''
+      photo = snap.photo || null
+      role = snap.role || ''
+    }
+  }
+
+  // Fallback to active username if owner or no crew pool matches
+  if (!name) {
+    if (creatorId === 'skipper') {
+      name = fallbackName || localStorage.getItem('active_username') || 'Skipper'
+      role = 'skipper'
+    } else if (fallbackName) {
+      name = fallbackName
+    } else if (creatorId) {
+      // If creatorId is a username itself (fallback from LiveLogView)
+      name = creatorId
+    } else {
+      name = '?'
+    }
+  }
+
+  const initial = name ? name.trim().split(/\s+/)[0]?.charAt(0).toUpperCase() || '?' : '?'
+  const bgColor = name === '?' ? '#64748b' : getAvatarColor(name)
+
+  const style: React.CSSProperties = {
+    width: `${size}px`,
+    height: `${size}px`,
+    borderRadius: '50%',
+    display: 'inline-flex',
+    alignItems: 'center',
+    justifyContent: 'center',
+    fontSize: `${Math.round(size * 0.45)}px`,
+    fontWeight: 'bold',
+    color: '#ffffff',
+    backgroundColor: bgColor,
+    flexShrink: 0,
+    verticalAlign: 'middle',
+    overflow: 'hidden',
+    border: '1px solid rgba(255, 255, 255, 0.15)',
+    boxSizing: 'border-box'
+  }
+
+  const roleText = role ? (role === 'skipper' ? 'Skipper' : 'Crew') : ''
+  const tooltip = name + (roleText ? ` (${roleText})` : '')
+
+  if (photo) {
+    return (
+      <img
+        src={photo}
+        alt={name}
+        title={tooltip}
+        style={{
+          ...style,
+          objectFit: 'cover',
+          backgroundColor: 'transparent'
+        }}
+      />
+    )
+  }
+
+  return (
+    <div style={style} title={tooltip} className="creator-avatar-fallback">
+      {initial}
+    </div>
+  )
+}

client/src/components/EventRemarksCell.tsx

@@ -1,24 +1,97 @@
+import { useState, useEffect } from 'react'
 import { useTranslation } from 'react-i18next'
+import { Mic, Loader2 } from 'lucide-react'
 import type { LogEventPayload } from '../utils/logEntryPayload.js'
 import { parseLiveVoiceRemark } from '../utils/liveEventCodes.js'
 import { formatEventSummary } from '../utils/formatEventSummary.js'
 import VoiceMemoPlayer, { type PreloadedVoiceMemo } from './VoiceMemoPlayer.tsx'
+import { useDialog } from './ModalDialog.tsx'
+import { updateVoiceMemoTranscript } from '../services/voiceAttachments.js'
+import { PlausibleEvents, trackPlausibleEvent } from '../services/analytics.js'
+import { getAiAuthorized } from '../services/userPreferences.js'
 
 interface EventRemarksCellProps {
   event: LogEventPayload
   logbookId: string
   voiceMemoLookup?: Map<string, PreloadedVoiceMemo>
+  readOnly?: boolean
 }
 
 export default function EventRemarksCell({
   event,
   logbookId,
-  voiceMemoLookup
+  voiceMemoLookup,
+  readOnly = false
 }: EventRemarksCellProps) {
   const { t } = useTranslation()
+  const { showAlert } = useDialog()
   const voiceId = parseLiveVoiceRemark(event.remarks.trim())
   const preloaded = voiceId ? voiceMemoLookup?.get(voiceId) : undefined
 
+  const [transcribing, setTranscribing] = useState(false)
+  const [isOnline, setIsOnline] = useState(navigator.onLine)
+
+  useEffect(() => {
+    const handleOnline = () => setIsOnline(true)
+    const handleOffline = () => setIsOnline(false)
+    window.addEventListener('online', handleOnline)
+    window.addEventListener('offline', handleOffline)
+    return () => {
+      window.removeEventListener('online', handleOnline)
+      window.removeEventListener('offline', handleOffline)
+    }
+  }, [])
+
+  const handleTranscribe = async (e: React.MouseEvent) => {
+    e.preventDefault()
+    e.stopPropagation()
+    if (transcribing || !preloaded?.audio || !voiceId) return
+    if (!getAiAuthorized()) {
+      void showAlert(
+        t('profile.ai_unauthorized_alert_desc'),
+        t('profile.ai_unauthorized_alert_title')
+      )
+      return
+    }
+    setTranscribing(true)
+    const controller = new AbortController()
+    const timeoutId = setTimeout(() => controller.abort(), 15000)
+    try {
+      const res = await fetch('/api/ai/transcribe', {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json'
+        },
+        body: JSON.stringify({ audioDataUrl: preloaded.audio }),
+        signal: controller.signal
+      })
+      clearTimeout(timeoutId)
+      if (!res.ok) {
+        throw new Error(`Server returned status ${res.status}`)
+      }
+      const data = await res.json()
+      const text = (data.text || '').trim()
+      if (!text) {
+        throw new Error('Transcription returned empty text')
+      }
+      await updateVoiceMemoTranscript(logbookId, voiceId, text)
+      trackPlausibleEvent(PlausibleEvents.VOICE_MEMO_TRANSCRIBED, {
+        status: 'success',
+        mode: 'manual'
+      })
+    } catch (err) {
+      clearTimeout(timeoutId)
+      console.error('[EventRemarksCell] Transcription failed:', err)
+      trackPlausibleEvent(PlausibleEvents.VOICE_MEMO_TRANSCRIBED, {
+        status: 'failed',
+        mode: 'manual'
+      })
+      void showAlert(t('logs.live_voice_transcribe_failed'), t('logs.live_voice_btn'))
+    } finally {
+      setTranscribing(false)
+    }
+  }
+
   let summary = formatEventSummary(event, t)
   if (voiceId && preloaded?.caption) {
     summary = t('logs.live_voice_entry', { caption: preloaded.caption })
@@ -28,12 +101,39 @@ export default function EventRemarksCell({
     <div className={`event-remarks-cell${voiceId ? ' event-remarks-cell--voice' : ''}`}>
       <span>{summary}</span>
       {voiceId && (
-        <VoiceMemoPlayer
-          audioId={voiceId}
-          logbookId={logbookId}
-          preloaded={preloaded}
-          compact
-        />
+        <div style={{ display: 'inline-flex', alignItems: 'center', flexWrap: 'wrap', gap: '8px', marginTop: '4px' }}>
+          <VoiceMemoPlayer
+            audioId={voiceId}
+            logbookId={logbookId}
+            preloaded={preloaded}
+            compact
+          />
+          {!readOnly && preloaded && preloaded.transcribed === false && isOnline && (
+            <button
+              type="button"
+              className="btn-icon-text link-sec"
+              style={{
+                fontSize: '0.8rem',
+                padding: '2px 6px',
+                height: 'auto',
+                display: 'inline-flex',
+                alignItems: 'center',
+                gap: '4px',
+                margin: 0
+              }}
+              onClick={handleTranscribe}
+              disabled={transcribing}
+              title={t('logs.live_voice_transcribe_action')}
+            >
+              {transcribing ? (
+                <Loader2 size={12} className="spin" />
+              ) : (
+                <Mic size={12} />
+              )}
+              {transcribing ? t('logs.live_voice_transcribing') : t('logs.live_voice_transcribe_action')}
+            </button>
+          )}
+        </div>
       )}
     </div>
   )

client/src/components/LiveLogView.tsx

@@ -22,15 +22,16 @@ import {
   Zap
 } from 'lucide-react'
 import { PlausibleEvents, trackPlausibleEvent } from '../services/analytics.js'
+import { getAiAuthorized } from '../services/userPreferences.js'
 import {
-  appendQuickEvent,
-  appendQuickEvents,
-  appendTankRefill,
+  appendQuickEvent as apiAppendQuickEvent,
+  appendQuickEvents as apiAppendQuickEvents,
+  appendTankRefill as apiAppendTankRefill,
   findOrCreateTodayEntry,
   loadEntry,
   removeLastEvent
 } from '../services/quickEventLog.js'
-import { formatEventSummary } from '../utils/formatEventSummary.js'
+import CreatorAvatar from './CreatorAvatar.tsx'
 import {
   getLastAutoPositionMs,
   getLastLoggedPositionWithin,
@@ -42,7 +43,6 @@ import {
   liveFuelRemark,
   livePhotoRemark,
   liveVoiceRemark,
-  parseLiveVoiceRemark,
   livePrecipRemark,
   liveSailsRemark,
   liveSogRemark,
@@ -79,7 +79,7 @@ import CourseDialInput from './CourseDialInput.tsx'
 import GpsSignalHint from './GpsSignalHint.tsx'
 import LiveCameraCapture from './LiveCameraCapture.tsx'
 import LiveVoiceCapture from './LiveVoiceCapture.tsx'
-import VoiceMemoPlayer from './VoiceMemoPlayer.tsx'
+import EventRemarksCell from './EventRemarksCell.tsx'
 import { saveEntryPhoto, deleteEntryPhoto } from '../services/photoAttachments.js'
 import { saveEntryVoiceMemo, deleteEntryVoiceMemo } from '../services/voiceAttachments.js'
 import { blobToCompressedJpegDataUrl } from '../utils/imageCompress.js'
@@ -160,6 +160,24 @@ function gpsFailureAlertBody(
   return `${t(geolocationErrorI18nKey(reason))}\n\n${t('logs.live_position_manual_hint')}`
 }
 
+function findActiveCreatorId(
+  activeUsername: string | null,
+  crewSnapshotsById: Record<string, any>,
+  selectedSkipperId: string | null
+): string {
+  const username = (activeUsername || '').trim()
+  if (username) {
+    const matchEntry = Object.entries(crewSnapshotsById).find(
+      ([_, snap]) => (snap?.name || '').trim().toLowerCase() === username.toLowerCase()
+    )
+    if (matchEntry) {
+      return matchEntry[0]
+    }
+    return username
+  }
+  return selectedSkipperId || 'skipper'
+}
+
 export default function LiveLogView({
   logbookId,
   onOpenEditor,
@@ -173,6 +191,8 @@ export default function LiveLogView({
   const [dayOfTravel, setDayOfTravel] = useState('')
   const [date, setDate] = useState('')
   const [events, setEvents] = useState<LogEventPayload[]>([])
+  const [crewSnapshotsById, setCrewSnapshotsById] = useState<Record<string, any>>({})
+  const [selectedSkipperId, setSelectedSkipperId] = useState<string | null>(null)
   const [yachtSails, setYachtSails] = useState<string[]>([])
   const [loading, setLoading] = useState(true)
   const [busy, setBusy] = useState(false)
@@ -214,6 +234,51 @@ export default function LiveLogView({
   dateRef.current = date
   busyRef.current = busy
 
+  const getActiveCreatorId = useCallback(() => {
+    const activeUsername = localStorage.getItem('active_username')
+    return findActiveCreatorId(activeUsername, crewSnapshotsById, selectedSkipperId)
+  }, [crewSnapshotsById, selectedSkipperId])
+
+  const appendQuickEvent = useCallback((
+    logbookId: string,
+    entryId: string,
+    partialEvent: Partial<LogEventPayload>,
+    headerPatch?: { departure?: string; destination?: string }
+  ) => {
+    return apiAppendQuickEvent(
+      logbookId,
+      entryId,
+      { creatorId: getActiveCreatorId(), ...partialEvent },
+      headerPatch
+    )
+  }, [getActiveCreatorId])
+
+  const appendQuickEvents = useCallback((
+    logbookId: string,
+    entryId: string,
+    partialEvents: Partial<LogEventPayload>[]
+  ) => {
+    const creatorId = getActiveCreatorId()
+    const mapped = partialEvents.map((p) => ({ creatorId, ...p }))
+    return apiAppendQuickEvents(logbookId, entryId, mapped)
+  }, [getActiveCreatorId])
+
+  const appendTankRefill = useCallback((
+    logbookId: string,
+    entryId: string,
+    tank: 'fuel' | 'freshwater',
+    addLiters: number,
+    event: Partial<LogEventPayload>
+  ) => {
+    return apiAppendTankRefill(
+      logbookId,
+      entryId,
+      tank,
+      addLiters,
+      { creatorId: getActiveCreatorId(), ...event }
+    )
+  }, [getActiveCreatorId])
+
   const defaultSails = useMemo(
     () => (i18n.language === 'de'
       ? ['Großsegel', 'Genua', 'Fock', 'Spinnaker', 'Gennaker']
@@ -237,6 +302,8 @@ export default function LiveLogView({
     setDayOfTravel(String(loaded.data.dayOfTravel || ''))
     setDate(String(loaded.data.date || ''))
     setEvents(sortLogEventsByTime(entryEvents.map((e) => ({ ...e }))))
+    setCrewSnapshotsById((loaded.data.crewSnapshotsById as Record<string, any>) || {})
+    setSelectedSkipperId(typeof loaded.data.selectedSkipperId === 'string' ? loaded.data.selectedSkipperId : null)
   }, [])
 
   const refreshEntry = useCallback(async (id: string) => {
@@ -645,13 +712,27 @@ export default function LiveLogView({
             { analyticsSource: 'live_log' }
           )
         } catch (err) {
-          if (err instanceof WeatherApiError && err.code === 'OFFLINE') {
-            void showAlert(t('logs.weather_offline'), t('logs.live_weather_owm_btn'))
-            return
-          }
-          if (err instanceof WeatherApiError && err.code === 'NO_KEY') {
-            void showAlert(t('settings.no_key'), t('logs.live_weather_owm_btn'))
-            return
+          if (err instanceof WeatherApiError) {
+            if (err.code === 'OFFLINE') {
+              void showAlert(t('logs.weather_offline'), t('logs.live_weather_owm_btn'))
+              return
+            }
+            if (err.code === 'NO_KEY') {
+              void showAlert(t('settings.no_key'), t('logs.live_weather_owm_btn'))
+              return
+            }
+            if (err.code === 'UNAUTHORIZED') {
+              void showAlert(t('settings.weather_unauthorized'), t('logs.live_weather_owm_btn'))
+              return
+            }
+            if (err.code === 'NOT_FOUND') {
+              void showAlert(t('settings.weather_not_found'), t('logs.live_weather_owm_btn'))
+              return
+            }
+            if (err.code === 'BAD_REQUEST') {
+              void showAlert(t('settings.weather_bad_request'), t('logs.live_weather_owm_btn'))
+              return
+            }
           }
           console.error('Live log OWM weather failed:', err)
           void showAlert(t('settings.weather_error'), t('logs.live_weather_owm_btn'))
@@ -754,13 +835,50 @@ export default function LiveLogView({
     void (async () => {
       try {
         const audioDataUrl = await blobToAudioDataUrl(blob)
+        const authorized = getAiAuthorized()
+        let transcriptionText = ''
+        let transcribed = true
+        let transcriptionError = false
+
+        if (authorized) {
+          try {
+            const controller = new AbortController()
+            const timeoutId = setTimeout(() => controller.abort(), 4000)
+
+            const res = await fetch('/api/ai/transcribe', {
+              method: 'POST',
+              headers: { 'Content-Type': 'application/json' },
+              body: JSON.stringify({ audioDataUrl }),
+              signal: controller.signal
+            })
+            clearTimeout(timeoutId)
+            if (!res.ok) throw new Error(`Status ${res.status}`)
+            const data = await res.json()
+            transcriptionText = (data.text || '').trim()
+          } catch (err) {
+            console.warn('[LiveLogView] Automatic transcription failed or timed out:', err)
+            transcriptionError = true
+            transcribed = false
+          }
+        } else {
+          transcribed = false
+        }
+
+        let finalCaption = caption
+        if (transcriptionText) {
+          finalCaption = caption
+            ? `${caption}\n(Transkript: ${transcriptionText})`
+            : transcriptionText
+        }
+
         const voiceId = await saveEntryVoiceMemo({
           logbookId,
           entryId,
           audioDataUrl,
           mimeType,
           durationSec,
-          caption,
+          caption: finalCaption,
+          transcribed,
           analyticsContext: 'live_log'
         })
         await appendQuickEvent(logbookId, entryId, {
@@ -772,6 +890,23 @@ export default function LiveLogView({
         setVoiceCaption('')
         showUndo('voice')
         trackPlausibleEvent(PlausibleEvents.LIVE_LOG_EVENT_LOGGED, { action: 'voice' })
+        if (transcriptionError) {
+          trackPlausibleEvent(PlausibleEvents.VOICE_MEMO_TRANSCRIBED, {
+            status: 'failed',
+            mode: 'auto'
+          })
+          void showAlert(t('logs.live_voice_transcribe_failed'), t('logs.live_voice_btn'))
+        } else if (authorized) {
+          trackPlausibleEvent(PlausibleEvents.VOICE_MEMO_TRANSCRIBED, {
+            status: 'success',
+            mode: 'auto'
+          })
+        } else {
+          void showAlert(
+            t('profile.ai_unauthorized_alert_desc'),
+            t('profile.ai_unauthorized_alert_title')
+          )
+        }
       } catch (err: unknown) {
         console.error('Live log voice save failed:', err)
         const msg = err instanceof Error && err.message === 'VOICE_MEMO_TOO_LARGE'
@@ -1143,25 +1278,21 @@ export default function LiveLogView({
           ) : (
             <ol className="live-log-stream">
               {events.map((event, index) => {
-                const voiceId = parseLiveVoiceRemark(event.remarks.trim())
-                const voicePreloaded = voiceId ? voiceMemoLookup.get(voiceId) : undefined
-                let summary = formatEventSummary(event, t)
-                if (voiceId && voicePreloaded?.caption) {
-                  summary = t('logs.live_voice_entry', { caption: voicePreloaded.caption })
-                }
                 return (
                   <li key={`${event.time}-${index}`} className="live-log-entry">
                     <time className="live-log-time">{event.time}</time>
+                    <CreatorAvatar
+                      creatorId={event.creatorId}
+                      crewSnapshotsById={crewSnapshotsById}
+                      size={24}
+                    />
                     <div className="live-log-summary-block">
-                      <span className="live-log-summary">{summary}</span>
-                      {voiceId && (
-                        <VoiceMemoPlayer
-                          audioId={voiceId}
-                          logbookId={logbookId}
-                          preloaded={voicePreloaded}
-                          compact
-                        />
-                      )}
+                      <EventRemarksCell
+                        event={event}
+                        logbookId={logbookId}
+                        voiceMemoLookup={voiceMemoLookup}
+                        readOnly={false}
+                      />
                     </div>
                   </li>
                 )

client/src/components/LiveVoiceCapture.tsx

@@ -43,6 +43,53 @@ export default function LiveVoiceCapture({
   const [previewMime, setPreviewMime] = useState('audio/webm')
   const [previewDurationSec, setPreviewDurationSec] = useState(0)
   const [saving, setSaving] = useState(false)
+  const log = useCallback((msg: string) => {
+    console.log(`[VoiceDebug] ${msg}`)
+  }, [])
+
+  const previewAudioRef = useRef<HTMLAudioElement | null>(null)
+
+  useEffect(() => {
+    const el = previewAudioRef.current
+    if (!el) {
+      log('previewAudioRef is null')
+      return
+    }
+
+    log('Preview audio player loaded. readyState=' + el.readyState + ', duration=' + el.duration + ', src=' + el.src)
+
+    const handleLoadedMetadata = () => {
+      log('loadedmetadata event fired. readyState=' + el.readyState + ', duration=' + el.duration)
+      if (el.duration === Infinity || isNaN(el.duration) || el.duration === 0) {
+        log('Duration correction hack triggered (duration=' + el.duration + '). Seeking to 1e10...')
+        el.currentTime = 1e10
+        const onTimeUpdate = () => {
+          log('timeupdate event. currentTime=' + el.currentTime + ', duration=' + el.duration)
+          el.currentTime = 0
+          el.removeEventListener('timeupdate', onTimeUpdate)
+          log('currentTime reset to 0. Final duration=' + el.duration)
+        }
+        el.addEventListener('timeupdate', onTimeUpdate)
+      } else {
+        log('Duration correction skipped (duration is valid)')
+      }
+    }
+
+    if (el.readyState >= 1) {
+      log('readyState >= 1. Executing hack immediately...')
+      handleLoadedMetadata()
+    } else {
+      log('readyState = 0. Adding loadedmetadata event listener...')
+      el.addEventListener('loadedmetadata', handleLoadedMetadata)
+    }
+
+    log('Calling el.load() to force loading of the media resource...')
+    el.load()
+
+    return () => {
+      el.removeEventListener('loadedmetadata', handleLoadedMetadata)
+    }
+  }, [previewUrl, log])
 
   const stopStream = useCallback(() => {
     for (const track of streamRef.current?.getTracks() ?? []) {
@@ -115,22 +162,46 @@ export default function LiveVoiceCapture({
   const startRecording = async () => {
     setMicError(null)
     chunksRef.current = []
+    log('startRecording flow triggered')
     if (!navigator.mediaDevices?.getUserMedia) {
+      log('navigator.mediaDevices.getUserMedia is unavailable')
       setMicError(t('logs.live_voice_mic_denied'))
       return
     }
     try {
+      log('Requesting getUserMedia audio stream...')
       const stream = await navigator.mediaDevices.getUserMedia({ audio: true })
       streamRef.current = stream
+      log('Stream obtained successfully. active=' + stream.active)
+      stream.getTracks().forEach((track, i) => {
+        log(`Track ${i}: label="${track.label}" enabled=${track.enabled} readyState=${track.readyState} muted=${track.muted}`)
+      })
+
       const mimeType = pickMediaRecorderMimeType()
+      log('MIME type candidates support check:')
+      const MIME_CANDIDATES = [
+        'audio/webm;codecs=opus',
+        'audio/webm',
+        'audio/mp4',
+        'audio/ogg;codecs=opus'
+      ]
+      MIME_CANDIDATES.forEach(mime => {
+        log(` - ${mime}: ${MediaRecorder.isTypeSupported(mime) ? 'SUPPORTED' : 'UNSUPPORTED'}`)
+      })
+      log('Selected MIME from picker: ' + mimeType)
+
       const recorder = mimeType
         ? new MediaRecorder(stream, { mimeType })
         : new MediaRecorder(stream)
       mediaRecorderRef.current = recorder
       const resolvedMime = recorder.mimeType || mimeType || 'audio/webm'
+      log('MediaRecorder created. Resolved mime=' + resolvedMime)
 
       recorder.ondataavailable = (ev) => {
-        if (ev.data.size > 0) chunksRef.current.push(ev.data)
+        log(`ondataavailable event: data size=${ev.data?.size} bytes`)
+        if (ev.data && ev.data.size > 0) {
+          chunksRef.current.push(ev.data)
+        }
       }
 
       recorder.onstop = () => {
@@ -138,45 +209,67 @@ export default function LiveVoiceCapture({
           VOICE_MEMO_MAX_DURATION_SEC,
           Math.max(1, Math.round((Date.now() - startedAtRef.current) / 1000))
         )
-        const blob = new Blob(chunksRef.current, { type: resolvedMime })
-        chunksRef.current = []
-        stopStream()
-        try {
-          assertVoiceMemoBlobSize(blob)
-          finishRecording(blob, resolvedMime, durationSec)
-        } catch {
-          setMicError(t('logs.live_voice_too_large'))
-          setPhase('idle')
-        }
+        log(`onstop triggered. durationSec=${durationSec}. Wrapping in 50ms timeout...`)
+        setTimeout(() => {
+          log(`Creating Blob from ${chunksRef.current.length} chunks. Resolved mime=${resolvedMime}`)
+          const totalChunksSize = chunksRef.current.reduce((acc, chunk) => acc + chunk.size, 0)
+          log(`Total raw chunks size: ${totalChunksSize} bytes`)
+          const blob = new Blob(chunksRef.current, { type: resolvedMime })
+          chunksRef.current = []
+          stopStream()
+          log(`Blob finalized: size=${blob.size} bytes, type=${blob.type}`)
+          try {
+            assertVoiceMemoBlobSize(blob)
+            log('Blob size assertion passed. Calling finishRecording...')
+            finishRecording(blob, resolvedMime, durationSec)
+          } catch (err) {
+            log('Blob size assertion failed (too large)')
+            setMicError(t('logs.live_voice_too_large'))
+            setPhase('idle')
+          }
+        }, 50)
       }
 
-      recorder.onerror = () => {
+      recorder.onerror = (ev) => {
+        log('MediaRecorder onerror triggered: ' + JSON.stringify(ev))
         setMicError(t('logs.live_voice_record_failed'))
         resetAll()
       }
 
       startedAtRef.current = Date.now()
-      recorder.start(200)
+      log('Calling recorder.start()...')
+      recorder.start()
+      log('recorder.start() called. State=' + recorder.state)
       setPhase('recording')
       setElapsedSec(0)
       timerRef.current = window.setInterval(() => {
         const sec = Math.floor((Date.now() - startedAtRef.current) / 1000)
         setElapsedSec(sec)
         if (sec >= VOICE_MEMO_MAX_DURATION_SEC) {
+          log('Max duration reached. Stopping recording...')
           stopRecording()
         }
       }, 250)
-    } catch {
+    } catch (err: any) {
+      log('Error in startRecording try-catch block: ' + (err instanceof Error ? err.stack || err.message : String(err)))
       setMicError(t('logs.live_voice_mic_denied'))
       stopStream()
     }
   }
 
   const handleSave = async () => {
-    if (!previewBlob || saving || busy) return
+    if (!previewBlob || saving || busy) {
+      log('handleSave ignored. previewBlob=' + (previewBlob ? 'PRESENT' : 'NULL') + ' saving=' + saving + ' busy=' + busy)
+      return
+    }
+    log('handleSave triggered. Saving blob size=' + previewBlob.size + ' mime=' + previewMime + ' duration=' + previewDurationSec)
     setSaving(true)
     try {
-      onSave(previewBlob, previewMime, previewDurationSec)
+      log('Invoking onSave callback...')
+      await onSave(previewBlob, previewMime, previewDurationSec)
+      log('onSave callback successfully finished!')
+    } catch (err: any) {
+      log('Error during onSave execution: ' + (err instanceof Error ? err.stack || err.message : String(err)))
     } finally {
       setSaving(false)
     }
@@ -241,7 +334,7 @@ export default function LiveVoiceCapture({
 
         {phase === 'preview' && previewUrl && (
           <>
-            <audio className="voice-memo-player" controls src={previewUrl} preload="auto" />
+            <audio ref={previewAudioRef} className="voice-memo-player" controls src={previewUrl} preload="auto" />
             {onCaptionChange && (
               <label className="live-voice-caption-field">
                 <span>{t('logs.live_voice_caption_label')}</span>
@@ -278,6 +371,8 @@ export default function LiveVoiceCapture({
             </div>
           </>
         )}
+
+
       </div>
     </div>
   )

client/src/components/LogEntryEditor.tsx

@@ -11,6 +11,7 @@ import { downloadLogbookPagePdf } from '../services/pdfExport.js'
 import { FileText, Save, ChevronLeft, Check, Compass, Plus, Trash2, MapPin, CloudSun, Clock, Download, Upload, Pencil, X, ChevronDown, ChevronUp, Sparkles } from 'lucide-react'
 import PhotoCapture from './PhotoCapture.tsx'
 import EventRemarksCell from './EventRemarksCell.tsx'
+import CreatorAvatar from './CreatorAvatar.tsx'
 import { useEntryVoiceMemos } from '../hooks/useEntryVoiceMemos.js'
 import { parseLiveVoiceRemark } from '../utils/liveEventCodes.js'
 import { deleteEntryVoiceMemo } from '../services/voiceAttachments.js'
@@ -49,6 +50,7 @@ import {
   TravelDaySummaryApiError
 } from '../services/aiSummary.js'
 import { tryDecryptEntryPayload } from '../services/quickEventLog.js'
+import { getAiAuthorized } from '../services/userPreferences.js'
 import {
   getDecryptedTrack,
   saveUploadedTrack,
@@ -173,6 +175,24 @@ function fingerprintFromStoredEntry(decrypted: Record<string, unknown>): string
   })
 }
 
+function findActiveCreatorId(
+  activeUsername: string | null,
+  crewSnapshotsById: Record<string, any>,
+  selectedSkipperId: string | null
+): string {
+  const username = (activeUsername || '').trim()
+  if (username) {
+    const matchEntry = Object.entries(crewSnapshotsById).find(
+      ([_, snap]) => (snap?.name || '').trim().toLowerCase() === username.toLowerCase()
+    )
+    if (matchEntry) {
+      return matchEntry[0]
+    }
+    return username
+  }
+  return selectedSkipperId || 'skipper'
+}
+
 interface LogEntryEditorProps {
   entryId: string
   logbookId: string
@@ -418,8 +438,17 @@ export default function LogEntryEditor({
     })
   }, [buildPayloadForSigning, signSkipper, signCrew])
 
-  const buildEventFromForm = (): LogEvent =>
-    normalizeLogEvent({
+  const buildEventFromForm = (): LogEvent => {
+    let creatorId: string | undefined = undefined
+    if (editingEventIndex !== null && events[editingEventIndex]) {
+      creatorId = events[editingEventIndex].creatorId
+    }
+    if (!creatorId) {
+      const activeUsername = localStorage.getItem('active_username')
+      creatorId = findActiveCreatorId(activeUsername, entryCrew.crewSnapshotsById, entryCrew.selectedSkipperId)
+    }
+
+    return normalizeLogEvent({
       time: evTime,
       mgk: evMgk,
       rwk: evRwk,
@@ -436,8 +465,10 @@ export default function LogEntryEditor({
       distance: evDistance,
       gpsLat: evGpsLat,
       gpsLng: evGpsLng,
-      remarks: evRemarks
+      remarks: evRemarks,
+      creatorId
     })
+  }
 
   const applyEventFormToEvents = (eventData: LogEvent): LogEvent[] => {
     if (editingEventIndex !== null) {
@@ -1148,13 +1179,27 @@ export default function LogEntryEditor({
 
       showAlert(t('settings.weather_success'))
     } catch (err) {
-      if (err instanceof WeatherApiError && err.code === 'OFFLINE') {
-        showAlert(t('logs.weather_offline'))
-        return
-      }
-      if (err instanceof WeatherApiError && err.code === 'NO_KEY') {
-        showAlert(t('settings.no_key'))
-        return
+      if (err instanceof WeatherApiError) {
+        if (err.code === 'OFFLINE') {
+          showAlert(t('logs.weather_offline'))
+          return
+        }
+        if (err.code === 'NO_KEY') {
+          showAlert(t('settings.no_key'))
+          return
+        }
+        if (err.code === 'UNAUTHORIZED') {
+          showAlert(t('settings.weather_unauthorized'))
+          return
+        }
+        if (err.code === 'NOT_FOUND') {
+          showAlert(t('settings.weather_not_found'))
+          return
+        }
+        if (err.code === 'BAD_REQUEST') {
+          showAlert(t('settings.weather_bad_request'))
+          return
+        }
       }
       console.error('Weather prefilling failed:', err)
       showAlert(t('settings.weather_error'))
@@ -1165,6 +1210,13 @@ export default function LogEntryEditor({
 
   const handleGenerateAiSummary = async () => {
     if (!canSignSkipper || readOnly || aiSummaryLoading) return
+    if (!getAiAuthorized()) {
+      void showAlert(
+        t('profile.ai_unauthorized_alert_desc'),
+        t('profile.ai_unauthorized_alert_title')
+      )
+      return
+    }
     if (!isOnline) {
       setAiSummaryError(t('logs.ai_summary_offline'))
       return
@@ -1815,6 +1867,7 @@ export default function LogEntryEditor({
                 <thead>
                   <tr>
                     <th>{t('logs.event_time')}</th>
+                    <th>{t('logs.event_creator')}</th>
                     <th>{t('logs.event_mgk')}</th>
                     <th>{t('logs.event_rwk')}</th>
                     <th>{t('logs.event_wind_direction')}</th>
@@ -1831,6 +1884,13 @@ export default function LogEntryEditor({
                   {events.map((ev, idx) => (
                     <tr key={idx}>
                       <td className="font-mono">{ev.time}</td>
+                      <td style={{ textAlign: 'center', width: '40px', verticalAlign: 'middle' }}>
+                        <CreatorAvatar
+                          creatorId={ev.creatorId}
+                          crewSnapshotsById={entryCrew.crewSnapshotsById}
+                          size={24}
+                        />
+                      </td>
                       <td>{ev.mgk ? `${ev.mgk}°` : '—'}</td>
                       <td>{ev.rwk ? `${ev.rwk}°` : '—'}</td>
                       <td>{ev.windDirection || '—'}</td>
@@ -1857,6 +1917,7 @@ export default function LogEntryEditor({
                           event={ev}
                           logbookId={logbookId}
                           voiceMemoLookup={voiceMemoLookup}
+                          readOnly={readOnly}
                         />
                       </td>
                       {!readOnly && (

client/src/components/LogbookDashboard.tsx

@@ -15,11 +15,13 @@ import { BookOpen, Plus, Trash2, LogOut, Languages, RefreshCw, Ship, Wifi, WifiO
 import DisclaimerHeaderButton from './DisclaimerHeaderButton.tsx'
 import FeedbackHeaderButton from './FeedbackHeaderButton.tsx'
 import ProfileHeaderButton from './ProfileHeaderButton.tsx'
+import AdminHeaderButton from './AdminHeaderButton.tsx'
 
 interface LogbookDashboardProps {
   onSelectLogbook: (id: string, title: string) => void
   onLogout: () => void
   onOpenProfile: () => void
+  onOpenAdmin?: () => void
 }
 
 type LogbookSortKey = 'name' | 'date'
@@ -42,7 +44,7 @@ function sortLogbooks(
   return sorted
 }
 
-export default function LogbookDashboard({ onSelectLogbook, onLogout, onOpenProfile }: LogbookDashboardProps) {
+export default function LogbookDashboard({ onSelectLogbook, onLogout, onOpenProfile, onOpenAdmin }: LogbookDashboardProps) {
   const { t, i18n } = useTranslation()
   const { showConfirm } = useDialog()
   const [logbooks, setLogbooks] = useState<DecryptedLogbook[]>([])
@@ -388,6 +390,8 @@ export default function LogbookDashboard({ onSelectLogbook, onLogout, onOpenProf
 
           <ProfileHeaderButton onClick={onOpenProfile} />
 
+          {onOpenAdmin && <AdminHeaderButton onClick={onOpenAdmin} />}
+
           {/* Lang toggle */}
           <button className="btn-icon" onClick={toggleLanguage} title="Switch Language">
             <Languages size={18} />

client/src/components/UserProfilePreferences.tsx

@@ -1,6 +1,6 @@
 import { useState } from 'react'
 import { useTranslation } from 'react-i18next'
-import { Compass, Palette, Save, Check, Cloud } from 'lucide-react'
+import { Compass, Palette, Save, Check, Cloud, Brain } from 'lucide-react'
 import ThemedSelect from './ThemedSelect.tsx'
 import PushNotificationSettings from './PushNotificationSettings.tsx'
 import PwaInstallPrompt from './PwaInstallPrompt.tsx'
@@ -13,7 +13,9 @@ import {
   getThemePreference,
   setColorSchemePreference,
   setOwmApiKey,
-  setThemePreference
+  setThemePreference,
+  getAiAuthorized,
+  setAiAuthorized
 } from '../services/userPreferences.js'
 
 interface UserProfilePreferencesProps {
@@ -28,6 +30,7 @@ export default function UserProfilePreferences({ userId }: UserProfilePreference
   const [colorScheme, setColorScheme] = useState(() => getColorSchemePreference(userId))
   const [savingOwm, setSavingOwm] = useState(false)
   const [owmSaved, setOwmSaved] = useState(false)
+  const [aiAuthorized, setAiAuthorizedState] = useState(() => getAiAuthorized(userId))
 
   const persistAppearance = (nextTheme: string, nextColorScheme: string) => {
     setThemePreference(userId, nextTheme)
@@ -58,6 +61,12 @@ export default function UserProfilePreferences({ userId }: UserProfilePreference
     window.setTimeout(() => setOwmSaved(false), 3000)
   }
 
+  const handleAiToggle = (e: React.ChangeEvent<HTMLInputElement>) => {
+    const nextVal = e.target.checked
+    setAiAuthorizedState(nextVal)
+    setAiAuthorized(userId, nextVal)
+  }
+
   return (
     <>
       <section className="member-editor-card glass">
@@ -152,6 +161,42 @@ export default function UserProfilePreferences({ userId }: UserProfilePreference
         </form>
       </section>
 
+      <section className="member-editor-card glass">
+        <div className="profile-section-header">
+          <Brain size={20} style={{ color: 'var(--app-accent-light)' }} />
+          <h3 style={{ margin: 0, color: 'var(--app-accent-light)', fontSize: '16px' }}>
+            {t('profile.ai_title')}
+          </h3>
+        </div>
+        <p className="text-muted" style={{ fontSize: '13.5px', lineHeight: '145%', margin: '0 0 12px 0' }}>
+          {t('profile.ai_desc')}
+        </p>
+        <p className="text-muted" style={{ fontSize: '13px', lineHeight: '145%', margin: '0 0 16px 0', whiteSpace: 'pre-line' }}>
+          {t('profile.ai_help')}
+        </p>
+
+        <label
+          className="switch-label"
+          style={{
+            display: 'flex',
+            alignItems: 'center',
+            gap: '10px',
+            cursor: 'pointer',
+            fontSize: '14px',
+            color: '#f1f5f9'
+          }}
+        >
+          <input
+            id="profile-ai-authorize"
+            type="checkbox"
+            checked={aiAuthorized}
+            onChange={handleAiToggle}
+            style={{ width: '18px', height: '18px', cursor: 'pointer' }}
+          />
+          <span>{t('profile.ai_enable_label')}</span>
+        </label>
+      </section>
+
       <PushNotificationSettings />
       <PwaInstallPrompt variant="inline" />
     </>

client/src/components/VoiceMemoPlayer.tsx

@@ -1,4 +1,4 @@
-import { useEffect, useState } from 'react'
+import { useEffect, useState, useRef } from 'react'
 import { useTranslation } from 'react-i18next'
 import { db } from '../services/db.js'
 import { getActiveMasterKey } from '../services/auth.js'
@@ -11,6 +11,7 @@ export interface PreloadedVoiceMemo {
   mimeType?: string
   durationSec?: number
   caption?: string
+  transcribed?: boolean
 }
 
 interface VoiceMemoPlayerProps {
@@ -30,6 +31,38 @@ export default function VoiceMemoPlayer({
   const [src, setSrc] = useState<string | null>(preloaded?.audio ?? null)
   const [error, setError] = useState(false)
 
+  const audioRef = useRef<HTMLAudioElement | null>(null)
+
+  useEffect(() => {
+    const el = audioRef.current
+    if (!el) return
+
+    const handleLoadedMetadata = () => {
+      if (el.duration === Infinity || isNaN(el.duration) || el.duration === 0) {
+        el.currentTime = 1e10
+        const onTimeUpdate = () => {
+          el.currentTime = 0
+          el.removeEventListener('timeupdate', onTimeUpdate)
+        }
+        el.addEventListener('timeupdate', onTimeUpdate)
+      }
+    }
+
+    if (el.readyState >= 1) {
+      handleLoadedMetadata()
+    } else {
+      el.addEventListener('loadedmetadata', handleLoadedMetadata)
+    }
+
+    if (src) {
+      el.load()
+    }
+
+    return () => {
+      el.removeEventListener('loadedmetadata', handleLoadedMetadata)
+    }
+  }, [src])
+
   useEffect(() => {
     if (preloaded?.audio) {
       setSrc(preloaded.audio)
@@ -75,7 +108,7 @@ export default function VoiceMemoPlayer({
 
   return (
     <div className="voice-memo-player-shell">
-      <audio className={playerClass} controls preload="none" src={src} />
+      <audio ref={audioRef} className={playerClass} controls preload="metadata" src={src} />
     </div>
   )
 }

client/src/hooks/useEntryVoiceMemos.ts

@@ -48,7 +48,8 @@ export function useEntryVoiceMemos(
             audio: String(decrypted.audio),
             mimeType: decrypted.mimeType ? String(decrypted.mimeType) : undefined,
             durationSec: typeof decrypted.durationSec === 'number' ? decrypted.durationSec : undefined,
-            caption: decrypted.caption ? String(decrypted.caption) : ''
+            caption: decrypted.caption ? String(decrypted.caption) : '',
+            transcribed: decrypted.transcribed !== false
           })
         } catch {
           // skip corrupt memo

client/src/i18n/locales/da.json

@@ -43,7 +43,8 @@
       "deviation": "Tabel over distraktioner",
       "logs": "Indlæg i logbogen",
       "stats": "Statistik",
-      "settings": "Indstillinger"
+      "settings": "Indstillinger",
+      "admin": "Admin"
     },
     "auth": {
       "welcome": "Velkommen til Kapteins Daagbok.",
@@ -90,7 +91,15 @@
       "use_localhost_link": "Skift til localhost",
       "error_passkey_cancelled": "Passkey-login blev annulleret eller udløb. Prøv igen.",
       "error_invalid_rp_id": "Passkey-domæne matcher ikke (RP ID). Brug http://localhost:5173 med RP_ID=localhost i .env til lokal udvikling.",
-      "error_session_incomplete": "Login ufuldstændig. Log ind med passkey igen."
+      "error_session_incomplete": "Login ufuldstændig. Log ind med passkey igen.",
+      "restore_checking": "Tjekker session…",
+      "restore_title": "Gendan session",
+      "restore_subtitle": "Du er stadig logget ind. Lås din logbog op med passkey eller PIN.",
+      "restore_unlocking": "Låser op…",
+      "restore_with_passkey": "Lås op med passkey ({{name}})",
+      "restore_with_pin": "Lås op med PIN",
+      "restore_pin_warning": "Indtast din lokale PIN for at låse logbogen op efter genindlæsning.",
+      "restore_other_account": "Log ind med en anden konto"
     },
     "pwa": {
       "title": "Installer app",
@@ -288,6 +297,9 @@
       "live_voice_entry_plain": "Stemmenotat",
       "live_voice_caption_label": "Billedtekst (valgfrit)",
       "live_voice_caption_placeholder": "f.eks. radiokontakt med havnemester",
+      "live_voice_transcribe_action": "Transkribere",
+      "live_voice_transcribing": "Transkriberer…",
+      "live_voice_transcribe_failed": "Stemmebesked gemt, men transkribering mislykkedes.",
       "live_undo_voice_hint": "Stemmenotat gemt",
       "live_comment_btn": "Kommentar",
       "live_comment_placeholder": "Indtast tekst…",
@@ -344,6 +356,7 @@
       "carry_over_tanks_yes": "Tag over",
       "carry_over_tanks_no": "Start med 0",
       "event_title": "Kronologisk hændelseslog",
+      "event_creator": "Indtastet af",
       "no_events": "Der er endnu ikke indtastet nogen begivenheder for denne rejsedag.",
       "event_time": "Tidspunkt på dagen",
       "event_mgk": "MgK-kursus",
@@ -659,6 +672,12 @@
       "integrations_title": "Integrationer",
       "owm_key": "OpenWeatherMap API-nøgle",
       "owm_help": "Valgfrit: egen OpenWeatherMap API-nøgle. Hvis der ikke er nogen indtastning, bruges nøglen på serversiden fra operatørkonfigurationen.",
+      "ai_title": "AI-funktioner og privatliv",
+      "ai_desc": "Autoriser integrationer af kunstig intelligens for dine logbøger.",
+      "ai_help": "Aktivering af AI-funktioner giver appen mulighed for at opsummere dine rejsedage og transkribere optagede stemmememoer. For at behandle disse anmodninger sendes rå stemmedata og rejselogfiler sikkert løbende til OpenRouter. Der gemmes ingen data permanent af AI-modellen.\n\nDisse cloud-ressourcer koster penge at køre. Hvis du kan lide at bruge dem, bedes du overveje at støtte projektet frivilligt med en donation via Ko-fi-linket i footeren for at holde dem gratis og bæredygtige for alle.",
+      "ai_enable_label": "Aktiver transkribering og resuméer af rejsedage",
+      "ai_unauthorized_alert_title": "AI-funktioner er ikke autoriseret",
+      "ai_unauthorized_alert_desc": "For at bruge transkribering eller rejsedagsresuméer skal du autorisere dataoverførslen til OpenRouter i din brugerprofil under 'AI-funktioner og privatliv'.",
       "prefs_save": "Gemme",
       "prefs_saving": "Vil blive reddet...",
       "prefs_saved": "Gemt",
@@ -780,6 +799,9 @@
       "no_key": "Ingen OpenWeatherMap API-nøgle tilgængelig. Gem din egen nøgle i brugerprofilen, eller kontakt operatøren.",
       "weather_success": "Vejrdata hentet med succes!",
       "weather_error": "Hentning af vejrdata mislykkedes. Tjek API-nøglen og forbindelsen.",
+      "weather_unauthorized": "Hentning af vejrdata mislykkedes. API-nøglen er ugyldig eller ikke autoriseret.",
+      "weather_not_found": "Hentning af vejrdata mislykkedes. Den angivne placering eller koordinater blev ikke fundet.",
+      "weather_bad_request": "Hentning af vejrdata mislykkedes. Ingen placering eller GPS-position blev angivet.",
       "weather_date_mismatch": "Vejrdata kan kun hentes for i dag ({{today}}). Dette logbogsindlæg er dateret {{date}}.",
       "gps_error": "Indtast en placering, eller find GPS-koordinaterne.",
       "share_title": "Del logbog (skrivebeskyttet)",

client/src/i18n/locales/de.json

@@ -43,7 +43,8 @@
       "deviation": "Ablenkungstabelle",
       "logs": "Logbucheinträge",
       "stats": "Statistik",
-      "settings": "Einstellungen"
+      "settings": "Einstellungen",
+      "admin": "Admin"
     },
     "auth": {
       "welcome": "Willkommen bei Kapteins Daagbok",
@@ -90,7 +91,15 @@
       "use_localhost_link": "Zu localhost wechseln",
       "error_passkey_cancelled": "Passkey-Anmeldung abgebrochen oder abgelaufen. Bitte erneut versuchen.",
       "error_invalid_rp_id": "Passkey-Domain passt nicht (RP ID). Lokal nur http://localhost:5173 mit RP_ID=localhost in .env verwenden.",
-      "error_session_incomplete": "Anmeldung unvollständig. Bitte erneut mit Passkey anmelden."
+      "error_session_incomplete": "Anmeldung unvollständig. Bitte erneut mit Passkey anmelden.",
+      "restore_checking": "Session wird geprüft…",
+      "restore_title": "Session wiederherstellen",
+      "restore_subtitle": "Deine Anmeldung ist noch aktiv. Entsperre dein Logbuch mit Passkey oder PIN.",
+      "restore_unlocking": "Wird entsperrt…",
+      "restore_with_passkey": "Mit Passkey entsperren ({{name}})",
+      "restore_with_pin": "Mit PIN entsperren",
+      "restore_pin_warning": "Gib deine lokale PIN ein, um dein Logbuch nach dem Neuladen zu entsperren.",
+      "restore_other_account": "Anderer Account anmelden"
     },
     "pwa": {
       "title": "App installieren",
@@ -288,6 +297,9 @@
       "live_voice_entry_plain": "Sprachnotiz",
       "live_voice_caption_label": "Beschriftung (optional)",
       "live_voice_caption_placeholder": "z. B. Funkverkehr mit Hafenmeister",
+      "live_voice_transcribe_action": "Transkribieren",
+      "live_voice_transcribing": "Transkribiere...",
+      "live_voice_transcribe_failed": "Sprachmemo gespeichert, aber Transkription fehlgeschlagen.",
       "live_undo_voice_hint": "Sprachnotiz gespeichert",
       "live_comment_btn": "Kommentar",
       "live_comment_placeholder": "Freitext eingeben…",
@@ -344,6 +356,7 @@
       "carry_over_tanks_yes": "Übernehmen",
       "carry_over_tanks_no": "Mit 0 starten",
       "event_title": "Chronologisches Ereignisprotokoll",
+      "event_creator": "Eingetragen von",
       "no_events": "Noch keine Ereignisse für diesen Reisetag eingetragen.",
       "event_time": "Uhrzeit",
       "event_mgk": "MgK Kurs",
@@ -659,6 +672,12 @@
       "integrations_title": "Integrationen",
       "owm_key": "OpenWeatherMap API-Schlüssel",
       "owm_help": "Optional: eigener OpenWeatherMap-API-Schlüssel. Ohne Eintrag wird der serverseitige Schlüssel aus der Betreiber-Konfiguration verwendet.",
+      "ai_title": "KI-Funktionen & Datenschutz",
+      "ai_desc": "Autorisiere die Nutzung von künstlicher Intelligenz (lokale/Cloud-Integrationen) für deine Logbücher.",
+      "ai_help": "Die Aktivierung ermöglicht es, Reiseberichte automatisch zusammenzufassen und Sprachnotizen zu transkribieren. Zur Verarbeitung werden Sprachaufnahmen und Logbucheinträge verschlüsselt an OpenRouter übertragen. Die Daten werden dort nicht dauerhaft gespeichert.\n\nDa der Betrieb dieser Cloud-Ressourcen Kosten verursacht, freuen wir uns über eine freiwillige Unterstützung über den Ko-fi-Spenden-Link im Footer, um diese Funktionen dauerhaft für alle kostenlos anbieten zu können.",
+      "ai_enable_label": "Transkribierung und Tageszusammenfassungen aktivieren",
+      "ai_unauthorized_alert_title": "KI-Funktionen nicht autorisiert",
+      "ai_unauthorized_alert_desc": "Um Sprachnotizen zu transkribieren oder Reiseberichte zusammenzufassen, musst du der Datenübermittlung an OpenRouter in deinem Benutzerprofil unter 'KI-Funktionen & Datenschutz' zustimmen.",
       "prefs_save": "Speichern",
       "prefs_saving": "Wird gespeichert…",
       "prefs_saved": "Gespeichert",
@@ -780,6 +799,9 @@
       "no_key": "Kein OpenWeatherMap-API-Schlüssel verfügbar. Hinterlege einen eigenen Schlüssel im Benutzerprofil oder kontaktiere den Betreiber.",
       "weather_success": "Wetterdaten erfolgreich abgerufen!",
       "weather_error": "Wetterdatenabruf fehlgeschlagen. Überprüfe den API-Schlüssel und die Verbindung.",
+      "weather_unauthorized": "Wetterdatenabruf fehlgeschlagen. Der API-Schlüssel ist ungültig oder nicht autorisiert.",
+      "weather_not_found": "Wetterdatenabruf fehlgeschlagen. Der angegebene Ort oder die Koordinaten wurden nicht gefunden.",
+      "weather_bad_request": "Wetterdatenabruf fehlgeschlagen. Es wurde kein Ort und keine GPS-Position angegeben.",
       "weather_date_mismatch": "Wetterdaten können nur für den heutigen Tag ({{today}}) abgerufen werden. Dieser Logbucheintrag ist auf den {{date}} datiert.",
       "gps_error": "Bitte gib einen Ort an oder ermittle die GPS-Koordinaten.",
       "share_title": "Logbuch teilen (Schreibgeschützt)",

client/src/i18n/locales/en.json

@@ -43,7 +43,8 @@
       "deviation": "Deviation Table",
       "logs": "Logbook Entries",
       "stats": "Statistics",
-      "settings": "Settings"
+      "settings": "Settings",
+      "admin": "Admin"
     },
     "auth": {
       "welcome": "Welcome to Kapteins Daagbok",
@@ -90,7 +91,15 @@
       "use_localhost_link": "Switch to localhost",
       "error_passkey_cancelled": "Passkey sign-in was cancelled or timed out. Please try again.",
       "error_invalid_rp_id": "Passkey domain mismatch (RP ID). For local dev use http://localhost:5173 with RP_ID=localhost in .env.",
-      "error_session_incomplete": "Sign-in incomplete. Please sign in with your passkey again."
+      "error_session_incomplete": "Sign-in incomplete. Please sign in with your passkey again.",
+      "restore_checking": "Checking session…",
+      "restore_title": "Restore session",
+      "restore_subtitle": "You are still signed in. Unlock your logbook with passkey or PIN.",
+      "restore_unlocking": "Unlocking…",
+      "restore_with_passkey": "Unlock with passkey ({{name}})",
+      "restore_with_pin": "Unlock with PIN",
+      "restore_pin_warning": "Enter your local PIN to unlock your logbook after reload.",
+      "restore_other_account": "Sign in with another account"
     },
     "pwa": {
       "title": "Install app",
@@ -288,6 +297,9 @@
       "live_voice_entry_plain": "Voice memo",
       "live_voice_caption_label": "Caption (optional)",
       "live_voice_caption_placeholder": "e.g. radio call with harbour master",
+      "live_voice_transcribe_action": "Transcribe",
+      "live_voice_transcribing": "Transcribing…",
+      "live_voice_transcribe_failed": "Voice memo saved, but transcription failed.",
       "live_undo_voice_hint": "Voice memo saved",
       "live_comment_btn": "Comment",
       "live_comment_placeholder": "Enter text…",
@@ -344,6 +356,7 @@
       "carry_over_tanks_yes": "Carry over",
       "carry_over_tanks_no": "Start at 0",
       "event_title": "Chronological Event Logbook",
+      "event_creator": "Entered by",
       "no_events": "No events logged for this travel day yet.",
       "event_time": "Time",
       "event_mgk": "MgK Course",
@@ -659,6 +672,12 @@
       "integrations_title": "Integrations",
       "owm_key": "OpenWeatherMap API key",
       "owm_help": "Optional: your own OpenWeatherMap API key. If left empty, the operator-configured server key is used.",
+      "ai_title": "AI Features & Privacy",
+      "ai_desc": "Authorize artificial intelligence integrations for your logbooks.",
+      "ai_help": "Enabling AI features allows the app to summarize travel days and transcribe recorded voice memos. To process these requests, raw voice data and travel logs are sent securely on-the-fly to OpenRouter. No data is stored permanently by the AI model.\n\nThese cloud resources cost money to run; if you enjoy using them, please consider supporting the project voluntarily with a donation via the Ko-fi link in the footer to keep them free and sustainable for everyone.",
+      "ai_enable_label": "Enable transcription and travel day summaries",
+      "ai_unauthorized_alert_title": "AI Features Not Authorized",
+      "ai_unauthorized_alert_desc": "To use transcription or travel day summaries, please authorize the data transmission to OpenRouter in your User Profile under 'AI Features & Privacy'.",
       "prefs_save": "Save",
       "prefs_saving": "Saving…",
       "prefs_saved": "Saved",
@@ -780,6 +799,9 @@
       "no_key": "No OpenWeatherMap API key available. Add your own key in your user profile or contact the operator.",
       "weather_success": "Weather details fetched successfully!",
       "weather_error": "Failed to fetch weather. Check your API key and connection.",
+      "weather_unauthorized": "Failed to fetch weather. The API key is invalid or unauthorized.",
+      "weather_not_found": "Failed to fetch weather. The specified location or coordinates were not found.",
+      "weather_bad_request": "Failed to fetch weather. No location or GPS position was specified.",
       "weather_date_mismatch": "Weather data can only be fetched for today ({{today}}). This logbook entry is dated {{date}}.",
       "gps_error": "Please enter a location or fetch GPS coordinates first.",
       "share_title": "Share Logbook (Read-Only)",

client/src/i18n/locales/nb.json

@@ -43,7 +43,8 @@
       "deviation": "Tabell over distraksjoner",
       "logs": "Loggbokoppføringer",
       "stats": "Statistikk",
-      "settings": "Innstillinger"
+      "settings": "Innstillinger",
+      "admin": "Admin"
     },
     "auth": {
       "welcome": "Velkommen til Kapteins Daagbok",
@@ -90,7 +91,15 @@
       "use_localhost_link": "Bytt til localhost",
       "error_passkey_cancelled": "Passkey-innlogging ble avbrutt eller utløp. Prøv igjen.",
       "error_invalid_rp_id": "Passkey-domene stemmer ikke (RP ID). Bruk http://localhost:5173 med RP_ID=localhost i .env for lokal utvikling.",
-      "error_session_incomplete": "Innlogging ufullstendig. Logg inn med passkey igjen."
+      "error_session_incomplete": "Innlogging ufullstendig. Logg inn med passkey igjen.",
+      "restore_checking": "Sjekker økt…",
+      "restore_title": "Gjenopprett økt",
+      "restore_subtitle": "Du er fortsatt innlogget. Lås opp loggboken med passkey eller PIN.",
+      "restore_unlocking": "Låser opp…",
+      "restore_with_passkey": "Lås opp med passkey ({{name}})",
+      "restore_with_pin": "Lås opp med PIN",
+      "restore_pin_warning": "Skriv inn din lokale PIN for å låse opp loggboken etter omlasting.",
+      "restore_other_account": "Logg inn med en annen konto"
     },
     "pwa": {
       "title": "Installer app",
@@ -288,6 +297,9 @@
       "live_voice_entry_plain": "Talemelding",
       "live_voice_caption_label": "Bildetekst (valgfritt)",
       "live_voice_caption_placeholder": "f.eks. radiokontakt med havnesjef",
+      "live_voice_transcribe_action": "Transkribere",
+      "live_voice_transcribing": "Transkriberer…",
+      "live_voice_transcribe_failed": "Taleopptak lagret, men transkribering mislyktes.",
       "live_undo_voice_hint": "Talemelding lagret",
       "live_comment_btn": "Kommentar",
       "live_comment_placeholder": "Skriv inn tekst…",
@@ -344,6 +356,7 @@
       "carry_over_tanks_yes": "Ta over",
       "carry_over_tanks_no": "Begynn med 0",
       "event_title": "Kronologisk hendelseslogg",
+      "event_creator": "Registrert av",
       "no_events": "Ingen arrangementer lagt inn for denne reisedagen ennå.",
       "event_time": "Tid på døgnet",
       "event_mgk": "MgK-kurs",
@@ -659,6 +672,12 @@
       "integrations_title": "Integrasjoner",
       "owm_key": "OpenWeatherMap API-nøkkel",
       "owm_help": "Valgfritt: egen OpenWeatherMap API-nøkkel. Hvis ingen oppføring er gjort, brukes serverside-nøkkelen fra operatørkonfigurasjonen.",
+      "ai_title": "KI-funksjoner og personvern",
+      "ai_desc": "Autoriser integrasjoner av kunstig intelligens for loggbøkene dine.",
+      "ai_help": "Aktivering av KI-funksjoner gjør det mulig for appen å oppsummere reisedagene dine og transkribere innspilte talememoer. For å behandle disse forespørslene sendes rå stemmedata og reiselogger sikkert løpende til OpenRouter. Ingen data lagres permanent av KI-modellen.\n\nDisse nettskyressursene koster penger å drifte. Hvis du har glede av å bruke dem, kan du vurdere å støtte prosjektet frivillig med en donasjon via Ko-fi-lenken i bunnteksten for å holde dem gratis og bærekraftige for alle.",
+      "ai_enable_label": "Aktiver transkribering og oppsummeringer av reisedager",
+      "ai_unauthorized_alert_title": "KI-funktionen er ikke autorisert",
+      "ai_unauthorized_alert_desc": "For å bruke transkribering eller reisedagsoppsummeringer, må du autorisere dataoverføringen til OpenRouter i brukerprofilen din under 'KI-funksjoner og personvern'.",
       "prefs_save": "Spar",
       "prefs_saving": "...vil bli reddet...",
       "prefs_saved": "Reddet",
@@ -780,6 +799,9 @@
       "no_key": "Ingen OpenWeatherMap API-nøkkel tilgjengelig. Lagre din egen nøkkel i brukerprofilen, eller kontakt operatøren.",
       "weather_success": "Værdata vellykket hentet!",
       "weather_error": "Henting av værdata mislyktes. Kontroller API-nøkkelen og tilkoblingen.",
+      "weather_unauthorized": "Henting av værdata mislyktes. API-nøkkelen er ugyldig eller ikke autorisert.",
+      "weather_not_found": "Henting av værdata mislyktes. Den angitte posisjonen eller koordinatene ble ikke funnet.",
+      "weather_bad_request": "Henting av værdata mislyktes. Ingen posisjon eller GPS-koordinater ble angitt.",
       "weather_date_mismatch": "Værdata kan bare hentes ut for i dag ({{today}}). Denne loggbokoppføringen er datert {{date}}.",
       "gps_error": "Vennligst skriv inn en posisjon eller finn GPS-koordinatene.",
       "share_title": "Del loggbok (skrivebeskyttet)",

client/src/i18n/locales/sv.json

@@ -43,7 +43,8 @@
       "deviation": "Distraktionsbord",
       "logs": "Loggboksanteckningar",
       "stats": "Statistik",
-      "settings": "Inställningar"
+      "settings": "Inställningar",
+      "admin": "Admin"
     },
     "auth": {
       "welcome": "Välkommen till Kapteins Daagbok",
@@ -90,7 +91,15 @@
       "use_localhost_link": "Byt till localhost",
       "error_passkey_cancelled": "Passkey-inloggning avbröts eller gick ut. Försök igen.",
       "error_invalid_rp_id": "Passkey-domänen matchar inte (RP ID). Använd http://localhost:5173 med RP_ID=localhost i .env för lokal utveckling.",
-      "error_session_incomplete": "Inloggning ofullständig. Logga in med passkey igen."
+      "error_session_incomplete": "Inloggning ofullständig. Logga in med passkey igen.",
+      "restore_checking": "Kontrollerar session…",
+      "restore_title": "Återställ session",
+      "restore_subtitle": "Du är fortfarande inloggad. Lås upp din loggbok med passkey eller PIN.",
+      "restore_unlocking": "Låser upp…",
+      "restore_with_passkey": "Lås upp med passkey ({{name}})",
+      "restore_with_pin": "Lås upp med PIN",
+      "restore_pin_warning": "Ange din lokala PIN för att låsa upp loggboken efter omladdning.",
+      "restore_other_account": "Logga in med ett annat konto"
     },
     "pwa": {
       "title": "Installera app",
@@ -288,6 +297,9 @@
       "live_voice_entry_plain": "Röstanteckning",
       "live_voice_caption_label": "Bildtext (valfritt)",
       "live_voice_caption_placeholder": "t.ex. radiokontakt med hamnmästare",
+      "live_voice_transcribe_action": "Transkribera",
+      "live_voice_transcribing": "Transkriberar…",
+      "live_voice_transcribe_failed": "Röstanteckning sparad, men transkribering misslyckades.",
       "live_undo_voice_hint": "Röstanteckning sparad",
       "live_comment_btn": "Kommentar",
       "live_comment_placeholder": "Ange text…",
@@ -344,6 +356,7 @@
       "carry_over_tanks_yes": "Ta över",
       "carry_over_tanks_no": "Börja med 0",
       "event_title": "Kronologisk händelselogg",
+      "event_creator": "Registrerad av",
       "no_events": "Inga händelser inlagda för denna resdag ännu.",
       "event_time": "Tid på dygnet",
       "event_mgk": "MgK-kurs",
@@ -659,6 +672,12 @@
       "integrations_title": "Integrationer",
       "owm_key": "OpenWeatherMap API-nyckel",
       "owm_help": "Valfritt: egen OpenWeatherMap API-nyckel. Om inget anges används nyckeln på serversidan från operatörskonfigurationen.",
+      "ai_title": "AI-funktioner och integritet",
+      "ai_desc": "Auktorisera integrationer av artificiell intelligens för dina loggböcker.",
+      "ai_help": "Genom at aktivera AI-funktioner kan appen sammanfatta dina rejsdagar och transkribera röstmemon. För att bearbeta dessa förfrågningar skickas röstdata och rejsloggar säkert och tillfälligt till OpenRouter. Inga data sparas permanent av AI-modellen.\n\nDessa molnresurser kostar pengar att driva. Om du gillar att använda dem, överväg att frivilligt stödja projektet med en donation via Ko-fi-länken i sidfoten för att hålla dem gratis och hållbara för alla.",
+      "ai_enable_label": "Aktivera transkribering och sammanfattningar av rejsdagar",
+      "ai_unauthorized_alert_title": "AI-funktioner är inte auktoriserade",
+      "ai_unauthorized_alert_desc": "För att använda transkribering eller rejsdagsöversikter måste du auktorisera dataöverföringen till OpenRouter i din användarprofil under 'AI-funktioner och integritet'.",
       "prefs_save": "Spara",
       "prefs_saving": "Kommer att sparas...",
       "prefs_saved": "Sparade",
@@ -780,6 +799,9 @@
       "no_key": "Ingen OpenWeatherMap API-nyckel tillgänglig. Spara din egen nyckel i användarprofilen eller kontakta operatören.",
       "weather_success": "Väderdata har hämtats framgångsrikt!",
       "weather_error": "Hämtning av väderdata misslyckades. Kontrollera API-nyckeln och anslutningen.",
+      "weather_unauthorized": "Hämtning av väderdata misslyckades. API-nyckeln är ogiltig eller inte auktoriserad.",
+      "weather_not_found": "Hämtning av väderdata misslyckades. Den angivna platsen eller koordinaterna hittades inte.",
+      "weather_bad_request": "Hämtning av väderdata misslyckades. Ingen plats eller GPS-position angavs.",
       "weather_date_mismatch": "Väderdata kan endast hämtas för idag ({{today}}). Denna loggbokspost är daterad {{date}}.",
       "gps_error": "Ange en plats eller bestäm GPS-koordinaterna.",
       "share_title": "Aktieloggbok (skrivskyddad)",

client/src/services/adminApi.ts

@@ -0,0 +1,74 @@
+import { ApiError, apiJson } from './api.js'
+
+const ADMIN_BASE = '/api/admin'
+
+export interface AdminMe {
+  isAdmin: boolean
+  userId: string
+}
+
+export interface AdminSummary {
+  totalUsers: number
+  totalLogbooks: number
+  totalPhotos: number
+  totalVoiceMemos: number
+  totalGpsTracks: number
+  totalCollaborations: number
+  totalInvitations: number
+  aiSummaryEntries: number
+}
+
+export type AdminTimeBucket = 'day' | 'week' | 'month'
+
+export interface AdminTimeSeriesPoint {
+  date: string
+  count: number
+}
+
+export interface AdminTimeSeriesMetric {
+  metric: string
+  points: AdminTimeSeriesPoint[]
+}
+
+export interface AdminTimeSeriesResponse {
+  bucket: AdminTimeBucket
+  windowDays: number
+  series: AdminTimeSeriesMetric[]
+}
+
+export async function fetchAdminMe(): Promise<AdminMe> {
+  return await apiJson<AdminMe>(`${ADMIN_BASE}/me`)
+}
+
+/** Returns true only for users listed in server ADMIN_USER_IDS. */
+export async function checkAdminAccess(): Promise<boolean> {
+  try {
+    await fetchAdminMe()
+    return true
+  } catch (err) {
+    if (err instanceof ApiError && (err.status === 401 || err.status === 403)) {
+      return false
+    }
+    return false
+  }
+}
+
+export async function fetchAdminSummary(): Promise<AdminSummary> {
+  return await apiJson<AdminSummary>(`${ADMIN_BASE}/summary`)
+}
+
+export async function fetchAdminTimeSeries(
+  params: { bucket?: AdminTimeBucket; windowDays?: number } = {}
+): Promise<AdminTimeSeriesResponse> {
+  const search = new URLSearchParams()
+  if (params.bucket) {
+    search.set('bucket', params.bucket)
+  }
+  if (params.windowDays && Number.isFinite(params.windowDays)) {
+    search.set('window', String(params.windowDays))
+  }
+  const query = search.toString()
+  const url = query ? `${ADMIN_BASE}/timeseries?${query}` : `${ADMIN_BASE}/timeseries`
+  return await apiJson<AdminTimeSeriesResponse>(url)
+}
+

client/src/services/analytics.ts

@@ -42,6 +42,7 @@ export const PlausibleEvents = {
   LIVE_LOG_OPENED: 'Live Log Opened',
   LIVE_LOG_EVENT_LOGGED: 'Live Log Event Logged',
   VOICE_MEMO_UPLOADED: 'Voice Memo Uploaded',
+  VOICE_MEMO_TRANSCRIBED: 'Voice Memo Transcribed',
   OWM_WEATHER_FETCHED: 'OWM Weather Fetched',
   AI_SUMMARY_GENERATED: 'AI Summary Generated',
   PWA_BOOT_WATCHDOG_SOFT: 'PWA Boot Watchdog Soft',

client/src/services/auth.ts

@@ -64,6 +64,15 @@ export function persistSessionUserId(userId: string | undefined): void {
   }
 }
 
+/** Username to use when re-unlocking after reload (active account or sole remembered user). */
+export function resolveRestoreUsername(): string | null {
+  const stored = localStorage.getItem('active_username')
+  if (stored) return stored
+  const known = getKnownUsernames()
+  if (known.length === 1) return known[0]
+  return null
+}
+
 export async function reauthWithPasskey(): Promise<boolean> {
   const options = await apiJson<any>(`${API_BASE}/reauth-options`, {
     method: 'POST'

client/src/services/authSession.test.ts

@@ -2,6 +2,7 @@ import { beforeEach, describe, expect, it } from 'vitest'
 import {
   hasUnlockedLocalCrypto,
   hasUnlockedLocalSession,
+  resolveRestoreUsername,
   setActiveMasterKey
 } from './auth.js'
 
@@ -33,6 +34,28 @@ describe('local session unlock checks', () => {
   })
 })
 
+describe('resolveRestoreUsername', () => {
+  beforeEach(() => {
+    localStorage.clear()
+  })
+
+  it('prefers active_username from storage', () => {
+    localStorage.setItem('active_username', 'captain')
+    localStorage.setItem('daagbox_known_users', JSON.stringify(['other']))
+    expect(resolveRestoreUsername()).toBe('captain')
+  })
+
+  it('falls back to a single remembered user', () => {
+    localStorage.setItem('daagbox_known_users', JSON.stringify(['solo']))
+    expect(resolveRestoreUsername()).toBe('solo')
+  })
+
+  it('returns null when multiple users and no active username', () => {
+    localStorage.setItem('daagbox_known_users', JSON.stringify(['alpha', 'beta']))
+    expect(resolveRestoreUsername()).toBeNull()
+  })
+})
+
 describe('persistSessionUserId', () => {
   beforeEach(() => {
     localStorage.clear()

client/src/services/csvExport.ts

@@ -77,7 +77,7 @@ export async function exportLogbookToCsv(logbookId: string, preloadedData?: { ya
     'Date', 'Day of Travel', 'Departure Port', 'Destination Port', 'AI Summary',
     'Skipper Signature', 'Crew Signature',
     'Track Distance (nm)', 'Track Max Speed (kn)', 'Track Avg Speed (kn)', 'Motor Hours (h)',
-    'Event Time', 'MgK Course', 'RwK Course',
+    'Event Time', 'Event Creator', 'MgK Course', 'RwK Course',
     'Wind Dir', 'Wind Str', 'Barometer (hPa)', 'Sea State', 'Visibility',
     'Current', 'Heel Angle', 'Sails/Motor', 'Log (nm)', 'Distance (nm)',
     'Latitude', 'Longitude', 'Remarks',
@@ -122,6 +122,7 @@ export async function exportLogbookToCsv(logbookId: string, preloadedData?: { ya
     const greywaterLevel = entry.greywater?.level ?? '';
     const aiSummary = entry.aiSummary ?? '';
 
+    const crewSnapshots = (entry.crewSnapshotsById as Record<string, any>) || {};
     const eventsList = entry.events || [];
     if (eventsList.length === 0) {
       // Create one row even if there are no events for the day
@@ -129,7 +130,7 @@ export async function exportLogbookToCsv(logbookId: string, preloadedData?: { ya
         dateVal, travelDay, dep, dest, aiSummary,
         signS, signC,
         trackDist, trackMax, trackAvg, motorH,
-        '', '', '',
+        '', '', '', '',
         '', '', '', '', '',
         '', '', '', '', '',
         '', '', '',
@@ -142,11 +143,21 @@ export async function exportLogbookToCsv(logbookId: string, preloadedData?: { ya
       // Sort events chronologically by time
       const sortedEvents = sortLogEventsByTime(eventsList);
       for (const ev of sortedEvents) {
+        const creatorSnap = ev.creatorId ? crewSnapshots[ev.creatorId] : null;
+        let creatorName = '';
+        if (creatorSnap) {
+          creatorName = creatorSnap.name || '';
+        } else if (ev.creatorId === 'skipper') {
+          creatorName = 'Skipper';
+        } else if (ev.creatorId) {
+          creatorName = ev.creatorId;
+        }
+
         rows.push([
           dateVal, travelDay, dep, dest, aiSummary,
           signS, signC,
           trackDist, trackMax, trackAvg, motorH,
-          ev.time || '', ev.mgk || '', ev.rwk || '',
+          ev.time || '', creatorName, ev.mgk || '', ev.rwk || '',
           ev.windDirection || '', ev.windStrength || '', ev.windPressure || '', ev.seaState || '',
           ev.visibility || '',
           ev.current || '', ev.heel || '', ev.sailsOrMotor || '', ev.logReading || '', ev.distance || '',

client/src/services/pdfExport.ts

@@ -13,12 +13,13 @@ function formatPasskeySignDate(signedAt: string): string {
 }
 
 export async function generateLogbookPagePdf(logbookId: string, entryId: string, preloadedData?: { yacht: any; entry: any }): Promise<jsPDF> {
-  let yachtName = '', homePort = '', registration = '', callsign = '', atis = '', mmsi = '';
+  let yachtName = '', owner = '', homePort = '', registration = '', callsign = '', atis = '', mmsi = '';
   let entry: any = null;
 
   if (preloadedData) {
     const yacht = preloadedData.yacht || {};
     yachtName = yacht.name || '';
+    owner = yacht.owner || '';
     homePort = yacht.port || '';
     registration = yacht.registrationNumber || yacht.registration || '';
     callsign = yacht.callSign || '';
@@ -35,6 +36,7 @@ export async function generateLogbookPagePdf(logbookId: string, entryId: string,
     const yacht = await resolveVesselForLogbook(logbookId)
     if (yacht) {
       yachtName = yacht.name || ''
+      owner = yacht.owner || ''
       homePort = yacht.homePort || ''
       registration = yacht.registrationNumber || ''
       callsign = yacht.callSign || ''
@@ -74,24 +76,56 @@ export async function generateLogbookPagePdf(logbookId: string, entryId: string,
   doc.setFontSize(8.5);
   doc.setFont('Helvetica', 'normal');
   doc.text(`Yachtname: ${yachtName || '—'}`, 10, 21);
-  doc.text(`Heimathafen: ${homePort || '—'}`, 60, 21);
-  doc.text(`Kennzeichen: ${registration || '—'}`, 110, 21);
-  doc.text(`Rufzeichen: ${callsign || '—'}`, 160, 21);
-  doc.text(`ATIS: ${atis || '—'}`, 210, 21);
-  doc.text(`MMSI: ${mmsi || '—'}`, 250, 21);
+  doc.text(`Eigner: ${owner || '—'}`, 55, 21);
+  doc.text(`Heimathafen: ${homePort || '—'}`, 100, 21);
+  doc.text(`Kennzeichen: ${registration || '—'}`, 145, 21);
+  doc.text(`Rufzeichen: ${callsign || '—'}`, 190, 21);
+  doc.text(`ATIS: ${atis || '—'}`, 230, 21);
+  doc.text(`MMSI: ${mmsi || '—'}`, 260, 21);
 
-  doc.text(`Datum: ${entry.date || '—'}`, 10, 23);
-  doc.text(`Reisetag: ${entry.dayOfTravel || '—'}`, 60, 23);
-  doc.text(`Reise von (Departure): ${entry.departure || '—'}`, 110, 23);
-  doc.text(`nach (Destination): ${entry.destination || '—'}`, 200, 23);
+  doc.text(`Datum: ${entry.date || '—'}`, 10, 24);
+  doc.text(`Reisetag: ${entry.dayOfTravel || '—'}`, 60, 24);
+  doc.text(`Reise von (Departure): ${entry.departure || '—'}`, 110, 24);
+  doc.text(`nach (Destination): ${entry.destination || '—'}`, 200, 24);
 
+  // Format Crew names with initials
+  const crewSnapshots = (entry.crewSnapshotsById as Record<string, any>) || {}
+  const crewList: string[] = []
+  
+  if (entry.selectedSkipperId && crewSnapshots[entry.selectedSkipperId]) {
+    const name = crewSnapshots[entry.selectedSkipperId].name || 'Skipper'
+    const initial = name.trim().split(/\s+/)[0]?.charAt(0).toUpperCase() || 'S'
+    crewList.push(`${name} [${initial}] (Skipper)`)
+  } else if (crewSnapshots['skipper']) {
+    const name = crewSnapshots['skipper'].name || 'Skipper'
+    crewList.push(`${name} [S] (Skipper)`)
+  }
+  
+  if (Array.isArray(entry.selectedCrewIds)) {
+    for (const crewId of entry.selectedCrewIds) {
+      const snap = crewSnapshots[crewId]
+      if (snap) {
+        const name = snap.name || ''
+        const initial = name.trim().split(/\s+/)[0]?.charAt(0).toUpperCase() || '?'
+        crewList.push(`${name} [${initial}]`)
+      }
+    }
+  }
+
+  const crewText = crewList.length > 0 ? `Besatzung (Crew): ${crewList.join(', ')}` : ''
+
+  doc.setFont('Helvetica', 'normal');
   if (entry.trackDistanceNm) {
-    doc.setFont('Helvetica', 'normal');
     doc.text(
       `GPS-Track: ${entry.trackDistanceNm} sm · max. ${entry.trackSpeedMaxKn ?? '—'} kn · Ø ${entry.trackSpeedAvgKn ?? '—'} kn`,
       10,
       27
     );
+    if (crewText) {
+      doc.text(crewText, 140, 27);
+    }
+  } else if (crewText) {
+    doc.text(crewText, 10, 27);
   }
 
   // Divider line
@@ -175,8 +209,28 @@ export async function generateLogbookPagePdf(logbookId: string, entryId: string,
       doc.text(gps, writeX + 1, y + 4.2);
       writeX += colWidths[11];
 
+      const crewSnapshots = (entry.crewSnapshotsById as Record<string, any>) || {};
+      let initial = '';
+      if (ev.creatorId) {
+        const snap = crewSnapshots[ev.creatorId];
+        let name = '';
+        if (snap) {
+          name = snap.name || '';
+        } else if (ev.creatorId === 'skipper') {
+          name = 'Skipper';
+        } else {
+          name = ev.creatorId;
+        }
+        if (name) {
+          initial = name.trim().split(/\s+/)[0]?.charAt(0).toUpperCase() || '';
+        }
+      }
+
       // Clip remarks to fit within the 94mm bounds
-      const remarks = ev.remarks || '';
+      let remarks = ev.remarks || '';
+      if (initial) {
+        remarks = `[${initial}] ${remarks}`;
+      }
       const maxChars = 65;
       const clippedRemarks = remarks.length > maxChars ? remarks.substring(0, maxChars) + '...' : remarks;
       doc.text(clippedRemarks, writeX + 1, y + 4.2);

client/src/services/quickEventLog.ts

@@ -97,6 +97,14 @@ function buildEncryptedPayload(
     consumption: fuel.consumption ?? 0
   }
 
+  const entryCrew = data.selectedSkipperId
+    ? {
+        selectedSkipperId: String(data.selectedSkipperId),
+        selectedCrewIds: Array.isArray(data.selectedCrewIds) ? data.selectedCrewIds.map(String) : [],
+        crewSnapshotsById: (data.crewSnapshotsById as Record<string, any>) || {}
+      }
+    : undefined
+
   const payload = buildLogEntryPayload({
     date: String(data.date || ''),
     dayOfTravel: String(data.dayOfTravel || ''),
@@ -121,7 +129,8 @@ function buildEncryptedPayload(
       motorHoursRaw != null && motorHoursRaw !== ''
         ? parseFloat(String(motorHoursRaw))
         : undefined,
-    events: options.events
+    events: options.events,
+    entryCrew
   })
 
   const clear = options.clearSignatures

client/src/services/userPreferences.test.ts

@@ -6,7 +6,9 @@ import {
   getThemePreference,
   setColorSchemePreference,
   setOwmApiKey,
-  setThemePreference
+  setThemePreference,
+  getAiAuthorized,
+  setAiAuthorized
 } from './userPreferences.js'
 
 const USER_ID = 'test-user-123'
@@ -58,4 +60,13 @@ describe('userPreferences', () => {
     expect(getThemePreference(USER_ID)).toBe('ocean')
     expect(getColorSchemePreference(USER_ID)).toBe('light')
   })
+
+  it('stores AI authorization preference per user', () => {
+    localStorage.setItem('active_userid', USER_ID)
+    expect(getAiAuthorized()).toBe(false)
+    setAiAuthorized(USER_ID, true)
+    expect(getAiAuthorized()).toBe(true)
+    expect(getAiAuthorized(USER_ID)).toBe(true)
+    expect(getAiAuthorized('other-user')).toBe(false)
+  })
 })

client/src/services/userPreferences.ts

@@ -89,3 +89,20 @@ export function setOwmApiKey(userId: string, value: string): void {
     localStorage.removeItem(owmKey(userId))
   }
 }
+
+function aiAuthorizedKey(userId: string): string {
+  return `user_pref_ai_authorized_${userId}`
+}
+
+export function getAiAuthorized(userId?: string | null): boolean {
+  const id = resolveUserId(userId)
+  if (id) {
+    return localStorage.getItem(aiAuthorizedKey(id)) === 'true'
+  }
+  return false
+}
+
+export function setAiAuthorized(userId: string, value: boolean): void {
+  localStorage.setItem(aiAuthorizedKey(userId), String(value))
+}
+

client/src/services/voiceAttachments.ts

@@ -1,7 +1,7 @@
 import { db } from './db.js'
 import { getActiveMasterKey } from './auth.js'
 import { getLogbookKey } from './logbookKeys.js'
-import { encryptJson } from './crypto.js'
+import { encryptJson, decryptJson } from './crypto.js'
 import { syncLogbook } from './sync.js'
 import { PlausibleEvents, trackPlausibleEvent } from './analytics.js'
 
@@ -18,6 +18,7 @@ export async function saveEntryVoiceMemo(options: {
   mimeType: string
   durationSec: number
   caption?: string
+  transcribed?: boolean
   analyticsContext?: string
 }): Promise<string> {
   const {
@@ -27,6 +28,7 @@ export async function saveEntryVoiceMemo(options: {
     mimeType,
     durationSec,
     caption = '',
+    transcribed = true,
     analyticsContext = 'logbook'
   } = options
   const masterKey = await getEncryptionKey(logbookId)
@@ -35,7 +37,8 @@ export async function saveEntryVoiceMemo(options: {
     audio: audioDataUrl,
     mimeType,
     durationSec,
-    caption: caption.trim()
+    caption: caption.trim(),
+    transcribed: !!transcribed
   }
 
   const encrypted = await encryptJson(voicePayload, masterKey)
@@ -98,3 +101,55 @@ export async function removeLastVoiceMemoForEntry(
   await deleteEntryVoiceMemo(logbookId, lastId)
   return lastId
 }
+
+/** Updates an existing voice memo payload with a new transcript and sets transcribed: true. */
+export async function updateVoiceMemoTranscript(
+  logbookId: string,
+  voiceId: string,
+  transcript: string
+): Promise<void> {
+  const masterKey = await getEncryptionKey(logbookId)
+  const record = await db.voiceMemos.get(voiceId)
+  if (!record) throw new Error('Voice memo not found')
+
+  const decrypted = await decryptJson(record.encryptedData, record.iv, record.tag, masterKey)
+  if (!decrypted) throw new Error('Failed to decrypt voice memo')
+
+  const manualCaption = decrypted.caption ? String(decrypted.caption).trim() : ''
+  const finalCaption = manualCaption
+    ? `${manualCaption}\n(Transkript: ${transcript.trim()})`
+    : transcript.trim()
+
+  const updatedPayload = {
+    ...decrypted,
+    caption: finalCaption,
+    transcribed: true
+  }
+
+  const encrypted = await encryptJson(updatedPayload, masterKey)
+  const now = new Date().toISOString()
+
+  await db.voiceMemos.put({
+    ...record,
+    encryptedData: encrypted.ciphertext,
+    iv: encrypted.iv,
+    tag: encrypted.tag,
+    updatedAt: now
+  })
+
+  await db.syncQueue.put({
+    action: 'update',
+    type: 'voiceMemo',
+    payloadId: voiceId,
+    logbookId,
+    data: JSON.stringify({
+      encryptedData: encrypted.ciphertext,
+      iv: encrypted.iv,
+      tag: encrypted.tag,
+      entryId: record.entryId
+    }),
+    updatedAt: now
+  })
+
+  syncLogbook(logbookId).catch((err) => console.warn('Background sync failed:', err))
+}

client/src/services/weather.test.ts

@@ -69,4 +69,51 @@ describe('fetchOpenWeatherCurrent', () => {
 
     expect(trackPlausibleEvent).not.toHaveBeenCalled()
   })
+
+  it('throws UNAUTHORIZED when status is 401', async () => {
+    apiFetch.mockResolvedValue({
+      ok: false,
+      status: 401,
+      json: async () => ({ error: 'Unauthorized' })
+    })
+
+    const { fetchOpenWeatherCurrent, WeatherApiError } = await import('./weather.js')
+    const err = await fetchOpenWeatherCurrent({ lat: '54', lon: '10' }).catch((e) => e)
+    expect(err).toBeInstanceOf(WeatherApiError)
+    expect((err as any).code).toBe('UNAUTHORIZED')
+  })
+
+  it('throws NOT_FOUND when status is 404', async () => {
+    apiFetch.mockResolvedValue({
+      ok: false,
+      status: 404,
+      json: async () => ({ error: 'Not Found' })
+    })
+
+    const { fetchOpenWeatherCurrent, WeatherApiError } = await import('./weather.js')
+    const err = await fetchOpenWeatherCurrent({ lat: '54', lon: '10' }).catch((e) => e)
+    expect(err).toBeInstanceOf(WeatherApiError)
+    expect((err as any).code).toBe('NOT_FOUND')
+  })
+
+  it('throws BAD_REQUEST when status is 400', async () => {
+    apiFetch.mockResolvedValue({
+      ok: false,
+      status: 400,
+      json: async () => ({ error: 'Bad Request' })
+    })
+
+    const { fetchOpenWeatherCurrent, WeatherApiError } = await import('./weather.js')
+    const err = await fetchOpenWeatherCurrent({ lat: '54', lon: '10' }).catch((e) => e)
+    expect(err).toBeInstanceOf(WeatherApiError)
+    expect((err as any).code).toBe('BAD_REQUEST')
+  })
+
+  it('throws BAD_REQUEST when coordinates or query are missing', async () => {
+    const { fetchOpenWeatherCurrent, WeatherApiError } = await import('./weather.js')
+    const err = await fetchOpenWeatherCurrent({}).catch((e) => e)
+    expect(err).toBeInstanceOf(WeatherApiError)
+    expect((err as any).code).toBe('BAD_REQUEST')
+    expect(apiFetch).not.toHaveBeenCalled()
+  })
 })

client/src/services/weather.ts

@@ -7,9 +7,12 @@ import {
 } from './analytics.js'
 
 export class WeatherApiError extends Error {
-  code: 'NO_KEY' | 'OFFLINE' | 'REQUEST_FAILED'
+  code: 'NO_KEY' | 'OFFLINE' | 'REQUEST_FAILED' | 'UNAUTHORIZED' | 'NOT_FOUND' | 'BAD_REQUEST'
 
-  constructor(message: string, code: 'NO_KEY' | 'OFFLINE' | 'REQUEST_FAILED' = 'REQUEST_FAILED') {
+  constructor(
+    message: string,
+    code: 'NO_KEY' | 'OFFLINE' | 'REQUEST_FAILED' | 'UNAUTHORIZED' | 'NOT_FOUND' | 'BAD_REQUEST' = 'REQUEST_FAILED'
+  ) {
     super(message)
     this.name = 'WeatherApiError'
     this.code = code
@@ -38,7 +41,7 @@ export async function fetchOpenWeatherCurrent(
   } else if (params.q?.trim()) {
     searchParams.set('q', params.q.trim())
   } else {
-    throw new WeatherApiError('lat/lon or location query required')
+    throw new WeatherApiError('lat/lon or location query required', 'BAD_REQUEST')
   }
 
   const userKey = getOwmApiKeyForActiveUser().trim()
@@ -65,6 +68,15 @@ export async function fetchOpenWeatherCurrent(
   if (res.status === 503) {
     throw new WeatherApiError('No OpenWeatherMap API key configured', 'NO_KEY')
   }
+  if (res.status === 401) {
+    throw new WeatherApiError('Invalid OpenWeatherMap API key', 'UNAUTHORIZED')
+  }
+  if (res.status === 404) {
+    throw new WeatherApiError('Location or coordinates not found', 'NOT_FOUND')
+  }
+  if (res.status === 400) {
+    throw new WeatherApiError('Invalid or missing location parameters', 'BAD_REQUEST')
+  }
 
   const data = await res.json()
   if (!res.ok) {

client/src/utils/logEntryPayload.ts

@@ -22,6 +22,7 @@ export interface LogEventPayload {
   gpsLat: string
   gpsLng: string
   remarks: string
+  creatorId?: string
 }
 
 /** Calendar date YYYY-MM-DD in local timezone (matches logbook entry `date` field). */
@@ -85,7 +86,7 @@ export function joinTimeHHMM(hours: string, minutes: string): string {
 const LOG_EVENT_FIELDS: (keyof LogEventPayload)[] = [
   'time', 'mgk', 'rwk', 'windPressure', 'windDirection', 'windStrength', 'seaState',
   'visibility', 'weatherIcon', 'current', 'heel', 'sailsOrMotor', 'logReading', 'distance',
-  'gpsLat', 'gpsLng', 'remarks'
+  'gpsLat', 'gpsLng', 'remarks', 'creatorId'
 ]
 
 /** Normalize partial/legacy events so all fields are strings (safe for form + save). */
@@ -109,10 +110,11 @@ export function normalizeLogEvent(event: Partial<LogEventPayload> | Record<strin
     distance: '',
     gpsLat: '',
     gpsLng: '',
-    remarks: ''
+    remarks: '',
+    creatorId: e.creatorId ? String(e.creatorId).trim() : undefined
   }
   for (const key of LOG_EVENT_FIELDS) {
-    if (key === 'time' || key === 'mgk' || key === 'rwk' || key === 'windDirection') continue
+    if (key === 'time' || key === 'mgk' || key === 'rwk' || key === 'windDirection' || key === 'creatorId') continue
     normalized[key] = String(e[key] ?? '').trim()
   }
   return normalized
@@ -122,7 +124,7 @@ export function logEventsEqual(a: LogEventPayload, b: LogEventPayload): boolean
   return LOG_EVENT_FIELDS.every((key) => a[key] === b[key])
 }
 
-const LOG_EVENT_CONTENT_FIELDS = LOG_EVENT_FIELDS.filter((key) => key !== 'time')
+const LOG_EVENT_CONTENT_FIELDS = LOG_EVENT_FIELDS.filter((key) => key !== 'time' && key !== 'creatorId')
 
 /** Draft with only a time (or empty fields) — not an unsaved log entry change. */
 export function isLogEventDraftEmpty(event: LogEventPayload): boolean {

client/vite.config.ts

@@ -33,8 +33,36 @@ function versionJsonPlugin(version: string): Plugin {
   }
 }
 
+function readPlausibleConfig(): { plausibleEnabled: boolean; plausibleHost: string } {
+  const host = (process.env.PLAUSIBLE_HOST || 'https://plausible.elpatron.me').replace(/\/$/, '')
+  const flag = (process.env.PLAUSIBLE_ENABLED ?? 'true').trim().toLowerCase()
+  const plausibleEnabled = !['false', '0', 'no'].includes(flag)
+  return { plausibleEnabled, plausibleHost: host }
+}
+
+function runtimeConfigPlugin(): Plugin {
+  return {
+    name: 'runtime-config',
+    configureServer(server) {
+      server.middlewares.use((req, res, next) => {
+        if (req.url !== '/runtime-config.json') return next()
+        res.setHeader('Content-Type', 'application/json')
+        res.end(`${JSON.stringify(readPlausibleConfig())}\n`)
+      })
+    },
+    writeBundle(options) {
+      const outDir = options.dir ?? resolve(__dirname, 'dist')
+      writeFileSync(
+        resolve(outDir, 'runtime-config.json'),
+        `${JSON.stringify(readPlausibleConfig(), null, 2)}\n`
+      )
+    }
+  }
+}
+
 // https://vite.dev/config/
 export default defineConfig({
+  envDir: resolve(__dirname, '..'),
   test: {
     environment: 'happy-dom',
     include: ['src/**/*.test.ts']
@@ -59,6 +87,7 @@ export default defineConfig({
   plugins: [
     react(),
     versionJsonPlugin(readAppVersion()),
+    runtimeConfigPlugin(),
     VitePWA({
       strategies: 'injectManifest',
       srcDir: 'src',

docker-compose.staging.yml

@@ -0,0 +1,71 @@
+services:
+  db:
+    image: postgres:16-alpine
+    container_name: daagbox-staging-db
+    restart: always
+    environment:
+      POSTGRES_USER: ${POSTGRES_USER:-postgres}
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:?Set POSTGRES_PASSWORD in .env}
+      POSTGRES_DB: ${POSTGRES_DB:-daagbox_staging}
+    volumes:
+      - pgdata:/var/lib/postgresql/data
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U \"$$POSTGRES_USER\" -d \"$$POSTGRES_DB\""]
+      interval: 5s
+      timeout: 5s
+      retries: 5
+
+  backend:
+    build:
+      context: ./server
+      dockerfile: Dockerfile
+    container_name: daagbox-staging-backend
+    restart: always
+    environment:
+      PORT: 5000
+      DATABASE_URL: "postgresql://${POSTGRES_USER:-postgres}:${POSTGRES_PASSWORD}@db:5432/${POSTGRES_DB:-daagbox_staging}?schema=public"
+      RP_ID: ${RP_ID:-localhost}
+      ORIGIN: ${ORIGIN:-http://localhost}
+      TRUST_PROXY: ${TRUST_PROXY:-1}
+      VAPID_PUBLIC_KEY: ${VAPID_PUBLIC_KEY:-}
+      VAPID_PRIVATE_KEY: ${VAPID_PRIVATE_KEY:-}
+      VAPID_SUBJECT: ${VAPID_SUBJECT:-mailto:support@kapteins-daagbok.eu}
+      OpenWeatherMapAPIKey: ${OpenWeatherMapAPIKey:-}
+      OpenRouterAPIKey: ${OpenRouterAPIKey:-}
+      OpenRouterModel: ${OpenRouterModel:-anthropic/claude-3.5-haiku}
+      SESSION_SECRET: ${SESSION_SECRET:-}
+      ADMIN_USER_IDS: ${ADMIN_USER_IDS:-}
+      NTFY_SERVER: ${NTFY_SERVER:-https://ntfy.sh}
+      NTFY_TOPIC: ${NTFY_TOPIC:-}
+      NTFY_TOKEN: ${NTFY_TOKEN:-}
+    command: sh -c "npx prisma db push && node dist/index.js"
+    healthcheck:
+      test: ["CMD", "node", "-e", "const http = require('http'); http.get('http://localhost:5000/api/health', (res) => { process.exit(res.statusCode === 200 ? 0 : 1); }).on('error', () => process.exit(1));"]
+      interval: 15s
+      timeout: 5s
+      start_period: 60s
+      retries: 5
+    depends_on:
+      db:
+        condition: service_healthy
+
+  frontend:
+    build:
+      context: .
+      dockerfile: client/Dockerfile
+      args:
+        APP_VERSION: ${APP_VERSION:-0.1.0.0-dev}
+    container_name: daagbox-staging-frontend
+    restart: always
+    environment:
+      PLAUSIBLE_ENABLED: ${PLAUSIBLE_ENABLED:-false}
+      PLAUSIBLE_HOST: ${PLAUSIBLE_HOST:-https://plausible.elpatron.me}
+    ports:
+      - "80:80"
+    depends_on:
+      backend:
+        condition: service_healthy
+
+volumes:
+  pgdata:
+    name: daagbox-staging-pgdata

docker-compose.yml

@@ -35,10 +35,17 @@ services:
       OpenRouterAPIKey: ${OpenRouterAPIKey:-}
       OpenRouterModel: ${OpenRouterModel:-anthropic/claude-3.5-haiku}
       SESSION_SECRET: ${SESSION_SECRET:-}
+      ADMIN_USER_IDS: ${ADMIN_USER_IDS:-}
       NTFY_SERVER: ${NTFY_SERVER:-https://ntfy.sh}
       NTFY_TOPIC: ${NTFY_TOPIC:-}
       NTFY_TOKEN: ${NTFY_TOKEN:-}
     command: sh -c "npx prisma db push && node dist/index.js"
+    healthcheck:
+      test: ["CMD", "node", "-e", "const http = require('http'); http.get('http://localhost:5000/api/health', (res) => { process.exit(res.statusCode === 200 ? 0 : 1); }).on('error', () => process.exit(1));"]
+      interval: 15s
+      timeout: 5s
+      start_period: 60s
+      retries: 5
     depends_on:
       db:
         condition: service_healthy
@@ -51,6 +58,9 @@ services:
         APP_VERSION: ${APP_VERSION:-0.1.0.0-dev}
     container_name: daagbox-prod-frontend
     restart: always
+    environment:
+      PLAUSIBLE_ENABLED: ${PLAUSIBLE_ENABLED:-true}
+      PLAUSIBLE_HOST: ${PLAUSIBLE_HOST:-https://plausible.elpatron.me}
     ports:
       - "80:80"
     depends_on:

docs/deployment/backup.md

@@ -0,0 +1,111 @@
+# Server-Backup (Produktion)
+
+Automatische und manuelle Sicherung von PostgreSQL, `.env`, `docker-compose.yml` und App-Code (Git-Archiv) auf der Prod-VM.
+
+**Staging:** Kein automatisches Backup — Daten sind bewusst wegwerfbar. Deploy via `update-remotes.sh -dest stage` legt kein Backup an. Zum manuellen Testen auf Staging: `-dest stage` (oder Auto-Fallback, wenn nur `daagbox-staging-db` läuft).
+
+## Was wird gesichert?
+
+| Inhalt | Beschreibung |
+|--------|--------------|
+| `database.sql.gz` | `pg_dump` aus dem laufenden DB-Container |
+| `.env` | Server-Secrets (Sessions, DB-Passwort, VAPID, …) |
+| `docker-compose.yml` | Aktive Compose-Datei |
+| `app.tar.gz` | `git archive HEAD` — Code-Snapshot |
+| `manifest.json` | Timestamp, Git-Tag, SHA, Grund (`cron` / `pre-deploy` / `manual`) |
+
+Backups liegen in `/var/backups/kapteins-daagbok/` (mode 700, root-only). Es werden **maximal 5** Archive aufbewahrt.
+
+## Einmalige Einrichtung (Prod-Server)
+
+```bash
+ssh root@10.0.0.25
+mkdir -p /var/backups/kapteins-daagbok
+chmod 700 /var/backups/kapteins-daagbok
+cd /opt/kapteins-daagbok
+git pull
+chmod +x scripts/backup.sh scripts/restore-backup.sh
+./scripts/backup.sh --reason manual
+```
+
+## Manuell sichern
+
+```bash
+cd /opt/kapteins-daagbok
+./scripts/backup.sh
+./scripts/backup.sh --reason manual --dry-run   # Vorschau ohne Schreiben
+```
+
+### Staging (manueller Test)
+
+```bash
+cd /opt/kapteins-daagbok-staging
+./scripts/backup.sh -dest stage --reason manual
+# oder: Auto-Fallback, wenn nur daagbox-staging-db läuft
+./scripts/backup.sh --reason manual
+```
+
+## Crontab (unbeaufsichtigt)
+
+Beispiel: [`scripts/crontab.prod.example`](../../scripts/crontab.prod.example)
+
+```bash
+crontab -e
+# Zeile einfügen:
+0 3 * * * cd /opt/kapteins-daagbok && ./scripts/backup.sh --reason cron >> /var/log/kapteins-backup.log 2>&1
+```
+
+## Pre-Deploy-Backup
+
+Bei `./scripts/update-remotes.sh -dest prod` wird **vor** dem Git-Sync auf dem Server automatisch ein Backup mit Tag `v{VERSION}-predeploy` erstellt. Schlägt das Backup fehl, wird das Deploy abgebrochen.
+
+Staging-Deploys (`-dest stage`) erstellen **kein** Backup.
+
+## Wiederherstellen
+
+Verfügbare Backups anzeigen:
+
+```bash
+./scripts/restore-backup.sh --list
+```
+
+Vollständige Wiederherstellung (DB + `.env`, optional Git-Tag checkout):
+
+```bash
+./scripts/restore-backup.sh --restore /var/backups/kapteins-daagbok/kapteins-daagbok_YYYYMMDD-HHMMSS_vX.Y.Z.tar.gz
+```
+
+Nur Datenbank:
+
+```bash
+./scripts/restore-backup.sh --restore PATH --db-only
+```
+
+Nur `.env`:
+
+```bash
+./scripts/restore-backup.sh --restore PATH --env-only
+```
+
+Ohne Rückfragen (Notfall):
+
+```bash
+./scripts/restore-backup.sh --restore PATH --full --yes
+```
+
+## Vor Passwort-Rotation
+
+Vor [`rotate-postgres-password.sh`](../../scripts/rotate-postgres-password.sh) ein Backup anlegen — siehe auch [postgres-password.md](postgres-password.md):
+
+```bash
+./scripts/backup.sh --reason manual
+```
+
+## Umgebungsvariablen
+
+| Variable | Prod (default) | Staging (`-dest stage`) |
+|----------|----------------|-------------------------|
+| `COMPOSE_FILE` | `docker-compose.yml` | `docker-compose.staging.yml` |
+| `DB_CONTAINER` | `daagbox-prod-db` | `daagbox-staging-db` |
+| `BACKUP_DIR` | `/var/backups/kapteins-daagbok` | gleich |
+| `RETENTION` | `5` | `5` |

docs/deployment/npm-security.md

@@ -1,14 +1,14 @@
 # Deployment: Nginx Proxy Manager & Security (Sprint 1)
 
-Kapteins Daagbok läuft öffentlich unter **https://kapteins-daagbok.eu/** hinter **Nginx Proxy Manager** (NPM, z. B. `172.16.10.10`) mit Upstream auf den App-Stack (`172.16.10.110`).
+Kapteins Daagbok läuft öffentlich unter **https://kapteins-daagbok.eu/** (Produktion) und **https://staging.kapteins-daagbok.eu/** (Staging) hinter **Nginx Proxy Manager** (NPM, z. B. `172.16.10.10`) mit Upstream auf die App-VMs (`10.0.0.25` Prod, `10.0.0.27` Staging).
 
 ## NPM Proxy Host
 
 | Einstellung | Wert |
 |-------------|------|
-| Domain | `kapteins-daagbok.eu` |
+| Domain | `kapteins-daagbok.eu` / `staging.kapteins-daagbok.eu` |
 | Scheme | `https` |
-| Forward Hostname / IP | `172.16.10.110` (oder Container-Port auf dem Host) |
+| Forward Hostname / IP | `10.0.0.25` (Prod) / `10.0.0.27` (Staging) |
 | Forward Port | `80` (Frontend-Nginx) |
 | Websockets | an, falls genutzt |
 | Block Common Exploits | an |
@@ -40,13 +40,20 @@ TRUST_PROXY=1
 ## Security-Header
 
 - **HSTS, CSP (optional restriktiver):** können in NPM unter „Custom Headers“ oder im Advanced-Block gesetzt werden.
-- **Basis-Header** für statische Dateien setzt [`client/nginx.conf`](../../client/nginx.conf) (X-Content-Type-Options, X-Frame-Options, Referrer-Policy, CSP inkl. Plausible).
+- **Basis-Header** für statische Dateien setzt [`client/nginx.conf.template`](../../client/nginx.conf.template) via Container-Entrypoint (X-Content-Type-Options, X-Frame-Options, Referrer-Policy, CSP optional inkl. Plausible).
 
 ### Plausible Analytics
 
-Script-Host: `https://plausible.elpatron.me` — in CSP als `script-src` und `connect-src` erlaubt. Gemessene Site: `data-domain="kapteins-daagbok.eu"`.
+Konfiguration über `.env` (Frontend-Container):
 
-Optional später: `analytics.kapteins-daagbok.eu` als Alias auf dieselbe Plausible-Instanz.
+```env
+PLAUSIBLE_ENABLED=true
+PLAUSIBLE_HOST=https://plausible.elpatron.me
+```
+
+Staging-Default: `PLAUSIBLE_ENABLED=false` in [`docker-compose.staging.yml`](../../docker-compose.staging.yml).
+
+Script-Host wird in CSP (`script-src`, `connect-src`) nur bei `PLAUSIBLE_ENABLED=true` freigegeben. `data-domain` ist immer der aktuelle Hostname (Prod vs. Staging getrennt, wenn Staging aktiviert wird).
 
 ## Nach Deploy prüfen
 

docs/deployment/postgres-password.md

@@ -8,7 +8,7 @@
 
 ## Empfohlene Schritte
 
-1. **Backup/Snapshot** (hast du laut Vorgabe).
+1. **Backup/Snapshot** — auf dem Server: `./scripts/backup.sh --reason manual` (Details: [backup.md](backup.md)).
 2. Auf dem Server im Repo:
    ```bash
    cd /opt/kapteins-daagbok

docs/deployment/predeploy.md

@@ -31,12 +31,12 @@ cd server && npm test
 
 ## Nach erfolgreichem Check
 
-[`scripts/update-prod.sh`](../../scripts/update-prod.sh) führt `predeploy-check.sh` **automatisch** aus (nach Release-Vorbereitung, vor dem SSH-Deploy).
+[`scripts/update-remotes.sh`](../../scripts/update-remotes.sh) führt `predeploy-check.sh` **automatisch** aus (nach Release-Vorbereitung bei Prod, vor dem SSH-Deploy).
 
 ```bash
-./scripts/update-prod.sh
+./scripts/update-remotes.sh -dest prod
 ```
 
-Notfall ohne Checks (nur wenn nötig): `SKIP_PREDEPLOY_CHECK=1 ./scripts/update-prod.sh`
+Notfall ohne Checks (nur wenn nötig): `SKIP_PREDEPLOY_CHECK=1 ./scripts/update-remotes.sh -dest prod`
 
 Manuell auf dem Server: `git pull`, `docker compose build`, `docker compose up -d` (siehe [npm-security.md](npm-security.md)).

docs/deployment/staging.md

@@ -0,0 +1,106 @@
+# Staging-Umgebung
+
+Staging läuft auf **VM3** (`10.0.0.27`) unter **https://staging.kapteins-daagbok.eu/** — hinter Nginx Proxy Manager wie Produktion.
+
+## Unterschiede zu Produktion
+
+| | Staging | Produktion |
+|---|---------|------------|
+| Host | `10.0.0.27` | `10.0.0.25` |
+| Verzeichnis | `/opt/kapteins-daagbok-staging` | `/opt/kapteins-daagbok` |
+| Compose | `docker-compose.staging.yml` | `docker-compose.yml` |
+| Deploy-Skript | `./scripts/update-remotes.sh -dest stage` | `./scripts/update-remotes.sh -dest prod` |
+| Release-Tag | nein | ja (`v*`) |
+| Datenbank-Volume | `daagbox-staging-pgdata` | `daagbox-prod-pgdata` |
+
+Staging ist **vollständig isoliert**: eigene DB, Session-Secrets, Passkeys (`RP_ID=staging.kapteins-daagbok.eu`) und optional eigene VAPID-/Ntfy-Konfiguration.
+
+## Erstinstallation (VM3)
+
+```bash
+ssh root@10.0.0.27
+
+git clone https://gitea.elpatron.me/elpatron/kapteins-daagbok.git /opt/kapteins-daagbok-staging
+cd /opt/kapteins-daagbok-staging
+git checkout master
+
+# .env anlegen — Secrets neu generieren, nicht von Prod kopieren
+openssl rand -hex 24      # POSTGRES_PASSWORD
+openssl rand -base64 48   # SESSION_SECRET
+
+nano .env
+docker compose -f docker-compose.staging.yml up -d --build
+```
+
+### `.env` (Staging)
+
+```env
+ORIGIN=https://staging.kapteins-daagbok.eu
+RP_ID=staging.kapteins-daagbok.eu
+TRUST_PROXY=1
+
+POSTGRES_USER=postgres
+POSTGRES_PASSWORD=<generiert>
+POSTGRES_DB=daagbox_staging
+
+SESSION_SECRET=<generiert>
+
+NTFY_SERVER=https://ntfy.sh
+NTFY_TOPIC=kapteins-daagbok-staging-feedback
+
+# Analytics aus (Staging soll Prod-Statistik nicht verfälschen)
+PLAUSIBLE_ENABLED=false
+PLAUSIBLE_HOST=https://plausible.elpatron.me
+```
+
+Optional: `VAPID_*`, `OpenWeatherMapAPIKey`, `OpenRouterAPIKey`, `ADMIN_USER_IDS`, `NTFY_TOKEN`.
+
+## Deploy vom Entwicklungsrechner
+
+Führt `npm run check` aus, dann SSH-Deploy ohne Release-Tag:
+
+```bash
+./scripts/update-remotes.sh -dest stage
+```
+
+Konfiguration via Umgebungsvariablen:
+
+```bash
+REMOTE_HOST=10.0.0.27 \
+REMOTE_DIR=/opt/kapteins-daagbok-staging \
+DEPLOY_BRANCH=master \
+./scripts/update-remotes.sh -dest stage
+```
+
+Notfall ohne Checks: `SKIP_PREDEPLOY_CHECK=1 ./scripts/update-remotes.sh -dest stage`
+
+## NPM (VM1)
+
+| Einstellung | Wert |
+|-------------|------|
+| Domain | `staging.kapteins-daagbok.eu` |
+| Forward Hostname / IP | `10.0.0.27` |
+| Forward Port | `80` |
+| SSL | Let's Encrypt |
+
+Empfohlen: Custom Header `X-Robots-Tag: noindex, nofollow` (Staging nicht indexieren).
+
+Details zu Proxy-Headern und Security: [npm-security.md](npm-security.md).
+
+## Nach Deploy prüfen
+
+1. https://staging.kapteins-daagbok.eu/api/health — `status: ok`
+2. Neuen Test-Account registrieren (Prod-Passkeys funktionieren nicht auf Staging)
+3. Passkey Login
+4. Cookie `daagbok_session`: `Secure`, `HttpOnly`, `SameSite=Lax`
+
+## Daten zurücksetzen
+
+Staging-Daten sind wegwerfbar:
+
+```bash
+cd /opt/kapteins-daagbok-staging
+docker compose -f docker-compose.staging.yml down
+docker volume rm daagbox-staging-pgdata
+docker compose -f docker-compose.staging.yml up -d
+```

docs/marketing/sharepic-portrait.html

@@ -0,0 +1,318 @@
+<!DOCTYPE html>
+<html lang="de">
+<head>
+  <meta charset="UTF-8" />
+  <title>Kapteins Daagbok — Sharepic (Portrait)</title>
+  <link rel="preconnect" href="https://fonts.googleapis.com">
+  <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
+  <link href="https://fonts.googleapis.com/css2?family=Plus+Jakarta+Sans:wght@400;500;600;700;800&display=swap" rel="stylesheet">
+  <style>
+    * {
+      box-sizing: border-box;
+      margin: 0;
+      padding: 0;
+    }
+
+    body {
+      width: 1080px;
+      height: 1920px;
+      font-family: 'Plus Jakarta Sans', sans-serif;
+      color: #e2e8f0;
+      background: #0f172a;
+      overflow: hidden;
+      display: flex;
+      flex-direction: column;
+      justify-content: space-between;
+      align-items: center;
+      padding: 100px 80px;
+      background:
+        radial-gradient(circle at 50% 10%, rgba(56, 189, 248, 0.18) 0%, transparent 45%),
+        radial-gradient(circle at 50% 90%, rgba(134, 59, 255, 0.22) 0%, transparent 45%),
+        linear-gradient(180deg, #090d16 0%, #111827 50%, #090d16 100%);
+      position: relative;
+    }
+
+    /* Subtle background grid pattern */
+    body::after {
+      content: "";
+      position: absolute;
+      inset: 0;
+      background-image: linear-gradient(rgba(148, 163, 184, 0.03) 1px, transparent 1px),
+                        linear-gradient(90deg, rgba(148, 163, 184, 0.03) 1px, transparent 1px);
+      background-size: 40px 40px;
+      pointer-events: none;
+      z-index: 0;
+    }
+
+    /* Outer border */
+    .outer-border {
+      position: absolute;
+      inset: 40px;
+      border: 1px solid rgba(148, 163, 184, 0.1);
+      border-radius: 30px;
+      pointer-events: none;
+      z-index: 1;
+    }
+
+    .brand {
+      display: flex;
+      flex-direction: column;
+      align-items: center;
+      gap: 30px;
+      z-index: 2;
+      text-align: center;
+      margin-top: 40px;
+    }
+
+    .logo {
+      width: 140px;
+      height: 140px;
+      object-fit: contain;
+      filter: drop-shadow(0 8px 24px rgba(56, 189, 248, 0.3));
+    }
+
+    .title-group h1 {
+      font-size: 64px;
+      font-weight: 800;
+      letter-spacing: -0.03em;
+      color: #ffffff;
+      line-height: 1.1;
+      background: linear-gradient(135deg, #ffffff 60%, #94a3b8 100%);
+      -webkit-background-clip: text;
+      background-clip: text;
+      -webkit-text-fill-color: transparent;
+    }
+
+    .title-group p {
+      font-size: 26px;
+      color: #38bdf8;
+      font-weight: 600;
+      margin-top: 8px;
+      letter-spacing: -0.01em;
+    }
+
+    .main-content {
+      width: 100%;
+      display: flex;
+      flex-direction: column;
+      gap: 50px;
+      z-index: 2;
+    }
+
+    .intro-text {
+      font-size: 26px;
+      line-height: 1.6;
+      color: #cbd5e1;
+      font-weight: 400;
+      text-align: center;
+      padding: 0 20px;
+    }
+
+    .intro-text strong {
+      color: #ffffff;
+      font-weight: 600;
+    }
+
+    .features-card {
+      background: rgba(30, 41, 59, 0.45);
+      backdrop-filter: blur(16px);
+      -webkit-backdrop-filter: blur(16px);
+      border: 1px solid rgba(255, 255, 255, 0.08);
+      border-radius: 24px;
+      padding: 50px 60px;
+      box-shadow: 0 30px 60px rgba(0, 0, 0, 0.4);
+      position: relative;
+    }
+
+    .features-card::before {
+      content: "";
+      position: absolute;
+      inset: 0;
+      border-radius: 24px;
+      padding: 1px;
+      background: linear-gradient(to bottom, rgba(255, 255, 255, 0.1), rgba(255, 255, 255, 0.02));
+      -webkit-mask: linear-gradient(#fff 0 0) content-box, linear-gradient(#fff 0 0);
+      mask: linear-gradient(#fff 0 0) content-box, linear-gradient(#fff 0 0);
+      -webkit-mask-composite: xor;
+      mask-composite: exclude;
+      pointer-events: none;
+    }
+
+    .card-title {
+      font-size: 20px;
+      font-weight: 700;
+      text-transform: uppercase;
+      letter-spacing: 0.08em;
+      color: #94a3b8;
+      margin-bottom: 35px;
+      display: flex;
+      align-items: center;
+      gap: 12px;
+    }
+
+    .card-title::after {
+      content: "";
+      flex: 1;
+      height: 1px;
+      background: rgba(148, 163, 184, 0.15);
+    }
+
+    .badge-premium {
+      background: linear-gradient(135deg, #fbbf24 0%, #f59e0b 100%);
+      color: #1e293b;
+      font-size: 16px;
+      font-weight: 800;
+      text-transform: uppercase;
+      letter-spacing: 0.1em;
+      padding: 6px 14px;
+      border-radius: 8px;
+    }
+
+    .features-list {
+      display: flex;
+      flex-direction: column;
+      gap: 30px;
+      list-style: none;
+    }
+
+    .feature-item {
+      display: flex;
+      align-items: flex-start;
+      gap: 20px;
+      font-size: 24px;
+      line-height: 1.4;
+      color: #cbd5e1;
+      font-weight: 500;
+    }
+
+    .feature-icon {
+      color: #38bdf8;
+      font-size: 26px;
+      display: flex;
+      align-items: center;
+      justify-content: center;
+      margin-top: 3px;
+      text-shadow: 0 0 10px rgba(56, 189, 248, 0.6);
+    }
+
+    .bottom-section {
+      width: 100%;
+      display: flex;
+      flex-direction: column;
+      align-items: center;
+      gap: 50px;
+      z-index: 2;
+      margin-bottom: 40px;
+    }
+
+    .cta-container {
+      display: flex;
+      flex-direction: column;
+      align-items: center;
+      gap: 30px;
+    }
+
+    .cta-badge {
+      background: linear-gradient(135deg, #38bdf8 0%, #0284c7 100%);
+      color: #0f172a;
+      font-size: 32px;
+      font-weight: 800;
+      padding: 20px 45px;
+      border-radius: 16px;
+      letter-spacing: -0.02em;
+      box-shadow: 0 10px 30px rgba(56, 189, 248, 0.25);
+    }
+
+    .qr-code {
+      width: 160px;
+      height: 160px;
+      background: #ffffff;
+      padding: 10px;
+      border-radius: 16px;
+      box-shadow: 0 10px 30px rgba(0, 0, 0, 0.3);
+      display: flex;
+      align-items: center;
+      justify-content: center;
+    }
+
+    .qr-code img {
+      width: 100%;
+      height: 100%;
+      object-fit: contain;
+    }
+
+    footer {
+      font-size: 18px;
+      color: #64748b;
+      text-align: center;
+    }
+
+    footer strong {
+      color: #94a3b8;
+      font-weight: 600;
+    }
+  </style>
+</head>
+<body>
+  <div class="outer-border"></div>
+  
+  <div class="brand">
+    <img class="logo" src="../../client/public/logo.png" alt="Kapteins Daagbok" />
+    <div class="title-group">
+      <h1>Kapteins Daagbok</h1>
+      <p>Digitales Yacht-Logbuch</p>
+    </div>
+  </div>
+
+  <div class="main-content">
+    <p class="intro-text">
+      Führe dein Bordlogbuch modern & digital: Reisetage, GPS-Tracks, Crew- und Schiffsdaten — 
+      <strong>Ende-zu-Ende-verschlüsselt</strong>, als App installierbar und <strong>auch offline</strong> auf See nutzbar.
+    </p>
+
+    <div class="features-card">
+      <div class="card-title">Top Features <span class="badge-premium">Kostenlos & Werbefrei</span></div>
+      <ul class="features-list">
+        <li class="feature-item">
+          <span class="feature-icon">✦</span>
+          <span>Nautisches Logbuch-Format & Streckenstatistik</span>
+        </li>
+        <li class="feature-item">
+          <span class="feature-icon">✦</span>
+          <span>Offline-first PWA — läuft auf allen Smartphones & Tablets</span>
+        </li>
+        <li class="feature-item">
+          <span class="feature-icon">✦</span>
+          <span>Ende-zu-Ende Verschlüsselung (Zero-Knowledge)</span>
+        </li>
+        <li class="feature-item">
+          <span class="feature-icon">✦</span>
+          <span>Einfache passwortlose Passkey-Anmeldung</span>
+        </li>
+        <li class="feature-item">
+          <span class="feature-icon">✦</span>
+          <span>GPS-Track-Upload & automatische NMEA-Erfassung</span>
+        </li>
+        <li class="feature-item">
+          <span class="feature-icon">✦</span>
+          <span>Crew-Einladung zur gemeinsamen Logbuch-Arbeit</span>
+        </li>
+      </ul>
+    </div>
+  </div>
+
+  <div class="bottom-section">
+    <div class="cta-container">
+      <div class="cta-badge">
+        kapteins-daagbok.eu
+      </div>
+      <div class="qr-code">
+        <img src="assets/qr-kapteins-daagbok.eu.png" alt="QR Code" />
+      </div>
+    </div>
+    <footer>
+      <strong>Kapteins Daagbok</strong> ist ein werbefreies, privates Hobbyprojekt.
+    </footer>
+  </div>
+</body>
+</html>

docs/marketing/sharepic.html

@@ -0,0 +1,320 @@
+<!DOCTYPE html>
+<html lang="de">
+<head>
+  <meta charset="UTF-8" />
+  <title>Kapteins Daagbok — Sharepic</title>
+  <link rel="preconnect" href="https://fonts.googleapis.com">
+  <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
+  <link href="https://fonts.googleapis.com/css2?family=Plus+Jakarta+Sans:wght@400;500;600;700;800&display=swap" rel="stylesheet">
+  <style>
+    * {
+      box-sizing: border-box;
+      margin: 0;
+      padding: 0;
+    }
+
+    body {
+      width: 1200px;
+      height: 630px;
+      font-family: 'Plus Jakarta Sans', sans-serif;
+      color: #e2e8f0;
+      background: #0f172a;
+      overflow: hidden;
+      display: flex;
+      flex-direction: column;
+      justify-content: space-between;
+      padding: 60px 80px;
+      background:
+        radial-gradient(circle at 90% 10%, rgba(56, 189, 248, 0.15) 0%, transparent 45%),
+        radial-gradient(circle at 10% 90%, rgba(134, 59, 255, 0.18) 0%, transparent 45%),
+        linear-gradient(165deg, #090d16 0%, #111827 50%, #090d16 100%);
+      position: relative;
+    }
+
+    /* Subtle background grid pattern */
+    body::after {
+      content: "";
+      position: absolute;
+      inset: 0;
+      background-image: linear-gradient(rgba(148, 163, 184, 0.03) 1px, transparent 1px),
+                        linear-gradient(90deg, rgba(148, 163, 184, 0.03) 1px, transparent 1px);
+      background-size: 40px 40px;
+      pointer-events: none;
+      z-index: 0;
+    }
+
+    /* Outer border */
+    .outer-border {
+      position: absolute;
+      inset: 30px;
+      border: 1px solid rgba(148, 163, 184, 0.1);
+      border-radius: 20px;
+      pointer-events: none;
+      z-index: 1;
+    }
+
+    .content-wrapper {
+      display: flex;
+      justify-content: space-between;
+      align-items: center;
+      height: 100%;
+      width: 100%;
+      z-index: 2;
+      position: relative;
+      gap: 50px;
+    }
+
+    .left-col {
+      flex: 1.1;
+      display: flex;
+      flex-direction: column;
+      justify-content: center;
+      gap: 30px;
+    }
+
+    .brand {
+      display: flex;
+      align-items: center;
+      gap: 20px;
+    }
+
+    .logo {
+      width: 80px;
+      height: 80px;
+      object-fit: contain;
+      filter: drop-shadow(0 4px 12px rgba(56, 189, 248, 0.3));
+    }
+
+    .title-group h1 {
+      font-size: 44px;
+      font-weight: 800;
+      letter-spacing: -0.03em;
+      color: #ffffff;
+      line-height: 1.1;
+      background: linear-gradient(135deg, #ffffff 60%, #94a3b8 100%);
+      -webkit-background-clip: text;
+      background-clip: text;
+      -webkit-text-fill-color: transparent;
+    }
+
+    .title-group p {
+      font-size: 18px;
+      color: #38bdf8;
+      font-weight: 600;
+      margin-top: 4px;
+      letter-spacing: -0.01em;
+    }
+
+    .intro-text {
+      font-size: 20px;
+      line-height: 1.6;
+      color: #cbd5e1;
+      font-weight: 400;
+    }
+
+    .intro-text strong {
+      color: #ffffff;
+      font-weight: 600;
+    }
+
+    .cta-container {
+      display: flex;
+      align-items: center;
+      gap: 20px;
+    }
+
+    .cta-badge {
+      background: linear-gradient(135deg, #38bdf8 0%, #0284c7 100%);
+      color: #0f172a;
+      font-size: 22px;
+      font-weight: 800;
+      padding: 14px 28px;
+      border-radius: 12px;
+      letter-spacing: -0.02em;
+      box-shadow: 0 4px 20px rgba(56, 189, 248, 0.25);
+    }
+
+    .qr-code {
+      width: 60px;
+      height: 60px;
+      background: #ffffff;
+      padding: 4px;
+      border-radius: 8px;
+      box-shadow: 0 4px 15px rgba(0, 0, 0, 0.2);
+      display: flex;
+      align-items: center;
+      justify-content: center;
+    }
+
+    .qr-code img {
+      width: 100%;
+      height: 100%;
+      object-fit: contain;
+    }
+
+    .right-col {
+      flex: 0.9;
+      display: flex;
+      flex-direction: column;
+      justify-content: center;
+    }
+
+    .features-card {
+      background: rgba(30, 41, 59, 0.45);
+      backdrop-filter: blur(16px);
+      -webkit-backdrop-filter: blur(16px);
+      border: 1px solid rgba(255, 255, 255, 0.08);
+      border-radius: 20px;
+      padding: 35px;
+      box-shadow: 0 20px 40px rgba(0, 0, 0, 0.3);
+      position: relative;
+    }
+
+    .features-card::before {
+      content: "";
+      position: absolute;
+      inset: 0;
+      border-radius: 20px;
+      padding: 1px;
+      background: linear-gradient(to bottom, rgba(255, 255, 255, 0.1), rgba(255, 255, 255, 0.02));
+      -webkit-mask: linear-gradient(#fff 0 0) content-box, linear-gradient(#fff 0 0);
+      mask: linear-gradient(#fff 0 0) content-box, linear-gradient(#fff 0 0);
+      -webkit-mask-composite: xor;
+      mask-composite: exclude;
+      pointer-events: none;
+    }
+
+    .features-list {
+      display: flex;
+      flex-direction: column;
+      gap: 18px;
+      list-style: none;
+    }
+
+    .feature-item {
+      display: flex;
+      align-items: flex-start;
+      gap: 14px;
+      font-size: 16px;
+      line-height: 1.4;
+      color: #cbd5e1;
+      font-weight: 500;
+    }
+
+    .feature-icon {
+      color: #38bdf8;
+      font-size: 18px;
+      display: flex;
+      align-items: center;
+      justify-content: center;
+      margin-top: 2px;
+      text-shadow: 0 0 8px rgba(56, 189, 248, 0.6);
+    }
+
+    .badge-premium {
+      background: linear-gradient(135deg, #fbbf24 0%, #f59e0b 100%);
+      color: #1e293b;
+      font-size: 12px;
+      font-weight: 800;
+      text-transform: uppercase;
+      letter-spacing: 0.1em;
+      padding: 4px 10px;
+      border-radius: 6px;
+      margin-left: auto;
+    }
+
+    .card-title {
+      font-size: 14px;
+      font-weight: 700;
+      text-transform: uppercase;
+      letter-spacing: 0.08em;
+      color: #94a3b8;
+      margin-bottom: 20px;
+      display: flex;
+      align-items: center;
+      gap: 8px;
+    }
+
+    .card-title::after {
+      content: "";
+      flex: 1;
+      height: 1px;
+      background: rgba(148, 163, 184, 0.15);
+    }
+
+    footer {
+      position: absolute;
+      bottom: 45px;
+      left: 80px;
+      font-size: 12px;
+      color: #64748b;
+      z-index: 2;
+    }
+
+    footer strong {
+      color: #94a3b8;
+      font-weight: 600;
+    }
+  </style>
+</head>
+<body>
+  <div class="outer-border"></div>
+  <div class="content-wrapper">
+    <div class="left-col">
+      <div class="brand">
+        <img class="logo" src="../../client/public/logo.png" alt="Kapteins Daagbok" />
+        <div class="title-group">
+          <h1>Kapteins Daagbok</h1>
+          <p>Digitales Yacht-Logbuch</p>
+        </div>
+      </div>
+      <p class="intro-text">
+        Führe dein Bordlogbuch modern & digital: Reisetage, GPS-Tracks, Crew- und Schiffsdaten — 
+        <strong>Ende-zu-Ende-verschlüsselt</strong>, als App installierbar und <strong>auch offline</strong> auf See nutzbar.
+      </p>
+      <div class="cta-container">
+        <div class="cta-badge">
+          kapteins-daagbok.eu
+        </div>
+        <div class="qr-code">
+          <img src="assets/qr-kapteins-daagbok.eu.png" alt="QR Code" />
+        </div>
+      </div>
+    </div>
+    <div class="right-col">
+      <div class="features-card">
+        <div class="card-title">Top Features <span class="badge-premium">Kostenlos & Werbefrei</span></div>
+        <ul class="features-list">
+          <li class="feature-item">
+            <span class="feature-icon">✦</span>
+            <span>Nautisches Logbuch-Format & Streckenstatistik</span>
+          </li>
+          <li class="feature-item">
+            <span class="feature-icon">✦</span>
+            <span>Offline-first PWA — läuft auf allen Smartphones & Tablets</span>
+          </li>
+          <li class="feature-item">
+            <span class="feature-icon">✦</span>
+            <span>Ende-zu-Ende Verschlüsselung (Zero-Knowledge)</span>
+          </li>
+          <li class="feature-item">
+            <span class="feature-icon">✦</span>
+            <span>Einfache passwortlose Passkey-Anmeldung</span>
+          </li>
+          <li class="feature-item">
+            <span class="feature-icon">✦</span>
+            <span>GPS-Track-Upload & automatische NMEA-Erfassung</span>
+          </li>
+          <li class="feature-item">
+            <span class="feature-icon">✦</span>
+            <span>Crew-Einladung zur gemeinsamen Logbuch-Arbeit</span>
+          </li>
+        </ul>
+      </div>
+    </div>
+  </div>
+  <footer>
+    <strong>Kapteins Daagbok</strong> ist ein werbefreies, privates Hobbyprojekt.
+  </footer>
+</body>
+</html>

docs/plausible-events.md

@@ -1,12 +1,21 @@
 # Plausible Custom Events
 
-Kapteins Daagbok nutzt [Plausible Analytics](https://plausible.io/) mit dem Script `script.tagged-events.js` auf der Domain `kapteins-daagbok.eu`. Custom Events werden über `window.plausible()` ausgelöst (siehe `client/src/services/analytics.ts`).
+Kapteins Daagbok nutzt [Plausible Analytics](https://plausible.io/) mit dem Script `script.tagged-events.js`. Custom Events werden über `window.plausible()` ausgelöst (siehe `client/src/services/analytics.ts`).
+
+**Konfiguration** (`.env`, Frontend-Container / Vite-Dev):
+
+```env
+PLAUSIBLE_ENABLED=true   # Staging: false
+PLAUSIBLE_HOST=https://plausible.elpatron.me
+```
+
+Das Script wird über `plausible-bootstrap.js` geladen; `data-domain` ist der aktuelle Hostname. CSP in Nginx enthält `PLAUSIBLE_HOST` nur wenn aktiviert.
 
 **Datenschutz:** Es werden keine personenbezogenen Daten in Event-Properties übermittelt (keine Nutzernamen, Hafennamen, Koordinaten o.ä.).
 
 ## Setup
 
-1. Script in `client/index.html` (bereits eingebunden)
+1. `PLAUSIBLE_*` in `.env` setzen (Prod: enabled, Staging: disabled empfohlen)
 2. Nach Deploy: Goals im Plausible-Dashboard anlegen — **Namen müssen exakt mit der Event-Spalte „Event name“ übereinstimmen** (Title Case, Leerzeichen)
 
 ## Event-Übersicht
@@ -38,6 +47,7 @@ Kapteins Daagbok nutzt [Plausible Analytics](https://plausible.io/) mit dem Scri
 | CSV Shared | CSV über Web Share API geteilt (`LogEntriesList.tsx`) | — |
 | Photo Uploaded | Foto hochgeladen (`photoAttachments.ts`, `PhotoCapture.tsx`, `CrewForm.tsx`) | `context`: `logbook` \| `live_log` \| `crew`, bei Crew zusätzlich `role`: `skipper` \| `crew` |
 | Voice Memo Uploaded | Sprachnotiz gespeichert (`voiceAttachments.ts`) | `context`: `logbook` \| `live_log` |
+| Voice Memo Transcribed | Sprachmemo transkribiert (`LiveLogView.tsx`, `EventRemarksCell.tsx`) | `status`: `success` \| `failed`, `mode`: `auto` (beim Speichern) \| `manual` (nachträglich) |
 | OWM Weather Fetched | Erfolgreicher OpenWeatherMap-API-Abruf (`weather.ts`, zentral nach HTTP 200) | `source`: siehe [OWM-Quellen](#owm-quellen) |
 | AI Summary Generated | Erfolgreiche KI-Zusammenfassung eines Reisetags (`aiSummary.ts`) | — |
 | Backup Exported | Backup-Datei heruntergeladen (`LogbookBackupPanel.tsx`, v2 ZIP) | `entries`, `photos`, `voiceMemos`, `bytes` (Anzahlen/Größe, keine Inhalte) |
@@ -152,6 +162,7 @@ trackPlausibleEvent(PlausibleEvents.LANGUAGE_CHANGED, { from: 'de', to: 'da' })
 trackPlausibleEvent(PlausibleEvents.LIVE_LOG_EVENT_LOGGED, { action: 'course' })
 trackPlausibleEvent(PlausibleEvents.PHOTO_UPLOADED, { context: 'live_log' })
 trackPlausibleEvent(PlausibleEvents.VOICE_MEMO_UPLOADED, { context: 'live_log' })
+trackPlausibleEvent(PlausibleEvents.VOICE_MEMO_TRANSCRIBED, { status: 'success', mode: 'auto' })
 trackPlausibleEvent(PlausibleEvents.OWM_WEATHER_FETCHED, { source: 'live_log' })
 trackPlausibleEvent(PlausibleEvents.NMEA_UPLOADED, { lines: 1200, candidates: 8, duplicate: false, has_position: true })
 trackPlausibleEvent(PlausibleEvents.NMEA_IMPORTED, { mode: 'both', events: 6, track: true })

scripts/backup.sh

@@ -0,0 +1,255 @@
+#!/usr/bin/env bash
+# Create a local backup of PostgreSQL, .env, docker-compose and app (git archive).
+#
+# Run on the server in repo root (/opt/kapteins-daagbok on production).
+#
+# Usage:
+#   ./scripts/backup.sh
+#   ./scripts/backup.sh -dest stage              # Staging-Container (daagbox-staging-db)
+#   ./scripts/backup.sh --reason cron
+#   ./scripts/backup.sh --reason pre-deploy --tag v0.1.1.20
+#   ./scripts/backup.sh --dry-run
+#
+# Environment overrides:
+#   BACKUP_DIR, COMPOSE_FILE, DB_CONTAINER, RETENTION, ENV_FILE
+set -euo pipefail
+
+BACKUP_DIR="${BACKUP_DIR:-/var/backups/kapteins-daagbok}"
+ENV_FILE="${ENV_FILE:-.env}"
+RETENTION="${RETENTION:-5}"
+DEST="prod"
+REASON="manual"
+EXPLICIT_TAG=""
+DRY_RUN=0
+COMPOSE_FILE=""
+DB_CONTAINER=""
+
+apply_dest_config() {
+  local dest="$1"
+  local force="${2:-0}"
+  if [[ "$dest" == "stage" ]]; then
+    if [[ "$force" == "1" || -z "${COMPOSE_FILE}" ]]; then
+      COMPOSE_FILE="docker-compose.staging.yml"
+    fi
+    if [[ "$force" == "1" || -z "${DB_CONTAINER}" ]]; then
+      DB_CONTAINER="daagbox-staging-db"
+    fi
+  else
+    if [[ "$force" == "1" || -z "${COMPOSE_FILE}" ]]; then
+      COMPOSE_FILE="docker-compose.yml"
+    fi
+    if [[ "$force" == "1" || -z "${DB_CONTAINER}" ]]; then
+      DB_CONTAINER="daagbox-prod-db"
+    fi
+  fi
+}
+
+usage() {
+  sed -n '2,14p' "$0"
+  echo ""
+  echo "Options:"
+  echo "  -dest prod|stage                  Target environment (default: prod)"
+  echo "  --reason cron|pre-deploy|manual   Backup trigger (default: manual)"
+  echo "  --tag TAG                         Git tag label (e.g. v0.1.1.20 for pre-deploy)"
+  echo "  --dry-run                         Show actions without writing backup"
+  echo "  -h, --help                        Show this help"
+}
+
+while [ $# -gt 0 ]; do
+  case "$1" in
+    -dest)
+      DEST="${2:?-dest requires an argument}"
+      shift 2
+      ;;
+    -dest=*)
+      DEST="${1#*=}"
+      shift
+      ;;
+    --reason)
+      REASON="${2:?--reason requires an argument}"
+      shift 2
+      ;;
+    --tag)
+      EXPLICIT_TAG="${2:?--tag requires an argument}"
+      shift 2
+      ;;
+    --dry-run)
+      DRY_RUN=1
+      shift
+      ;;
+    -h|--help)
+      usage
+      exit 0
+      ;;
+    *)
+      echo "Unknown option: $1" >&2
+      usage >&2
+      exit 1
+      ;;
+  esac
+done
+
+case "$DEST" in
+  prod|stage) ;;
+  *)
+    echo "Error: invalid -dest '$DEST' (use prod or stage)" >&2
+    exit 1
+    ;;
+esac
+
+apply_dest_config "$DEST"
+
+case "$REASON" in
+  cron|pre-deploy|manual) ;;
+  *)
+    echo "Error: invalid --reason '$REASON' (use cron, pre-deploy, or manual)" >&2
+    exit 1
+    ;;
+esac
+
+if [ ! -f "$COMPOSE_FILE" ]; then
+  echo "Error: $COMPOSE_FILE not found" >&2
+  exit 1
+fi
+
+TIMESTAMP="$(date +%Y%m%d-%H%M%S)"
+GIT_SHA="$(git rev-parse HEAD 2>/dev/null || echo unknown)"
+GIT_TAG="$EXPLICIT_TAG"
+if [ -z "$GIT_TAG" ]; then
+  GIT_TAG="$(git describe --tags --exact-match HEAD 2>/dev/null || true)"
+fi
+if [ -z "$GIT_TAG" ] && [ -f VERSION ]; then
+  GIT_TAG="v$(tr -d '[:space:]' < VERSION)"
+fi
+if [ -z "$GIT_TAG" ]; then
+  GIT_TAG="unknown"
+fi
+
+APP_VERSION="$(tr -d '[:space:]' < VERSION 2>/dev/null || echo unknown)"
+TAG_SLUG="${GIT_TAG}"
+if [ "$REASON" = "pre-deploy" ]; then
+  TAG_SLUG="${GIT_TAG}-predeploy"
+fi
+TAG_SLUG="${TAG_SLUG//\//-}"
+
+ARCHIVE_NAME="kapteins-daagbok_${TIMESTAMP}_${TAG_SLUG}.tar.gz"
+ARCHIVE_PATH="${BACKUP_DIR}/${ARCHIVE_NAME}"
+
+echo "Backup: reason=$REASON tag=$GIT_TAG sha=${GIT_SHA:0:8} → $ARCHIVE_PATH"
+
+if [ "$DRY_RUN" -eq 1 ]; then
+  echo "[dry-run] Would dump database from $DB_CONTAINER"
+  echo "[dry-run] Would copy $ENV_FILE and $COMPOSE_FILE"
+  echo "[dry-run] Would create git archive"
+  echo "[dry-run] Would write manifest and pack to $ARCHIVE_PATH"
+  echo "[dry-run] Would apply retention (keep $RETENTION)"
+  exit 0
+fi
+
+if [ ! -f "$ENV_FILE" ]; then
+  echo "Error: $ENV_FILE not found (run from repo root)" >&2
+  exit 1
+fi
+
+# shellcheck disable=SC1090
+set -a
+source "$ENV_FILE"
+set +a
+
+POSTGRES_USER="${POSTGRES_USER:-postgres}"
+POSTGRES_DB="${POSTGRES_DB:-daagbox}"
+
+if [ -z "${POSTGRES_PASSWORD:-}" ]; then
+  echo "Error: POSTGRES_PASSWORD not set in $ENV_FILE" >&2
+  exit 1
+fi
+
+if ! docker inspect "$DB_CONTAINER" >/dev/null 2>&1; then
+  if [[ "$DEST" == "prod" ]] && docker inspect daagbox-staging-db >/dev/null 2>&1; then
+    echo "Note: $DB_CONTAINER not found — falling back to staging (daagbox-staging-db). Use -dest stage explicitly."
+    apply_dest_config stage 1
+    DEST="stage"
+  else
+    echo "Error: DB container '$DB_CONTAINER' not found" >&2
+    exit 1
+  fi
+fi
+
+if [ "$(docker inspect -f '{{.State.Running}}' "$DB_CONTAINER")" != "true" ]; then
+  echo "Error: DB container '$DB_CONTAINER' is not running" >&2
+  exit 1
+fi
+
+mkdir -p "$BACKUP_DIR"
+chmod 700 "$BACKUP_DIR"
+
+WORK_DIR="$(mktemp -d)"
+cleanup() {
+  rm -rf "$WORK_DIR"
+}
+trap cleanup EXIT
+
+echo "Dumping PostgreSQL ($POSTGRES_DB)..."
+export PGPASSWORD="$POSTGRES_PASSWORD"
+if ! docker exec -e PGPASSWORD="$POSTGRES_PASSWORD" "$DB_CONTAINER" \
+  pg_dump -U "$POSTGRES_USER" -d "$POSTGRES_DB" --no-owner --no-acl \
+  | gzip > "$WORK_DIR/database.sql.gz"; then
+  echo "Error: pg_dump failed" >&2
+  exit 1
+fi
+unset PGPASSWORD
+
+cp "$ENV_FILE" "$WORK_DIR/.env"
+chmod 600 "$WORK_DIR/.env"
+cp "$COMPOSE_FILE" "$WORK_DIR/docker-compose.yml"
+
+echo "Creating app snapshot (git archive)..."
+if git archive --format=tar HEAD | gzip > "$WORK_DIR/app.tar.gz"; then
+  :
+else
+  echo "Warning: git archive failed — backup continues without app.tar.gz" >&2
+  rm -f "$WORK_DIR/app.tar.gz"
+fi
+
+python3 - "$WORK_DIR/manifest.json" <<PY
+import json
+import socket
+import sys
+from datetime import datetime, timezone
+
+manifest = {
+    "timestamp": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
+    "local_timestamp": "${TIMESTAMP}",
+    "destination": "${DEST}",
+    "reason": "${REASON}",
+    "git_tag": "${GIT_TAG}",
+    "git_sha": "${GIT_SHA}",
+    "app_version": "${APP_VERSION}",
+    "compose_file": "${COMPOSE_FILE}",
+    "db_container": "${DB_CONTAINER}",
+    "postgres_db": "${POSTGRES_DB}",
+    "hostname": socket.gethostname(),
+    "archive_name": "${ARCHIVE_NAME}",
+}
+with open(sys.argv[1], "w", encoding="utf-8") as f:
+    json.dump(manifest, f, indent=2)
+    f.write("\n")
+PY
+
+echo "Packing backup archive..."
+tar -czf "$ARCHIVE_PATH" -C "$WORK_DIR" \
+  manifest.json database.sql.gz .env docker-compose.yml \
+  $( [ -f "$WORK_DIR/app.tar.gz" ] && echo app.tar.gz )
+chmod 600 "$ARCHIVE_PATH"
+
+echo "Applying retention (keep last $RETENTION backups)..."
+mapfile -t ALL_BACKUPS < <(ls -1t "$BACKUP_DIR"/kapteins-daagbok_*.tar.gz 2>/dev/null || true)
+if [ "${#ALL_BACKUPS[@]}" -gt "$RETENTION" ]; then
+  for ((i = RETENTION; i < ${#ALL_BACKUPS[@]}; i++)); do
+    echo "Removing old backup: ${ALL_BACKUPS[$i]}"
+    rm -f "${ALL_BACKUPS[$i]}"
+  done
+fi
+
+echo "Backup complete: $ARCHIVE_PATH"
+echo "$ARCHIVE_PATH"

scripts/crontab.prod.example

@@ -0,0 +1,11 @@
+# Kapteins Daagbok — Production backup cron (install on 10.0.0.25)
+#
+# Install:
+#   crontab -e
+#   (paste the line below)
+#
+# Ensure log directory exists:
+#   touch /var/log/kapteins-backup.log && chmod 600 /var/log/kapteins-backup.log
+
+# Daily backup at 03:00 UTC — keeps last 5 in /var/backups/kapteins-daagbok/
+0 3 * * * cd /opt/kapteins-daagbok && ./scripts/backup.sh --reason cron >> /var/log/kapteins-backup.log 2>&1

scripts/generate-sharepic.mjs

@@ -0,0 +1,95 @@
+#!/usr/bin/env node
+/**
+ * Generates the sharepic PNGs (landscape & portrait) from HTML files
+ *
+ * Usage:
+ *   node scripts/generate-sharepic.mjs
+ */
+
+import { execSync } from 'node:child_process'
+import { dirname, resolve } from 'node:path'
+import { fileURLToPath, pathToFileURL } from 'node:url'
+import { createRequire } from 'node:module'
+
+const __dirname = dirname(fileURLToPath(import.meta.url))
+const repoRoot = resolve(__dirname, '..')
+const clientDir = resolve(repoRoot, 'client')
+const marketingDir = resolve(repoRoot, 'docs/marketing')
+
+const require = createRequire(resolve(clientDir, 'package.json'))
+
+function isMissingBrowserError(err) {
+  const msg = err instanceof Error ? err.message : String(err)
+  return msg.includes("Executable doesn't exist") || msg.includes('browserType.launch')
+}
+
+async function ensurePlaywrightChromium(playwright) {
+  try {
+    const browser = await playwright.chromium.launch({ headless: true })
+    await browser.close()
+    return
+  } catch (err) {
+    if (!isMissingBrowserError(err)) throw err
+  }
+
+  console.log('Playwright Chromium fehlt — installiere Browser (einmalig)…')
+  execSync('npx playwright install chromium', {
+    cwd: clientDir,
+    stdio: 'inherit'
+  })
+}
+
+function loadPlaywright() {
+  try {
+    return require('playwright')
+  } catch {
+    console.error('Fehlende Abhängigkeit: "npm install -D playwright" in client/ ausführen.')
+    process.exit(1)
+  }
+}
+
+async function renderSharepic(browser, htmlName, pngName, width, height) {
+  const htmlPath = resolve(marketingDir, htmlName)
+  const pngPath = resolve(marketingDir, pngName)
+  
+  console.log(`Generating sharepic (${width}x${height}) from ${htmlName}...`)
+  
+  const context = await browser.newContext({
+    viewport: { width, height },
+    deviceScaleFactor: 2 // High-DPI for crisp text
+  })
+  const page = await context.newPage()
+  
+  try {
+    await page.goto(pathToFileURL(htmlPath).href, { waitUntil: 'networkidle' })
+    await page.screenshot({
+      path: pngPath,
+      type: 'png'
+    })
+    console.log('Successfully wrote:', pngPath)
+  } finally {
+    await page.close()
+  }
+}
+
+async function main() {
+  const playwright = loadPlaywright()
+  await ensurePlaywrightChromium(playwright)
+  
+  const browser = await playwright.chromium.launch({ headless: true })
+  
+  try {
+    // Landscape 1200x630
+    await renderSharepic(browser, 'sharepic.html', 'kapteins-daagbok-sharepic.png', 1200, 630)
+    
+    // Portrait 1080x1920
+    await renderSharepic(browser, 'sharepic-portrait.html', 'kapteins-daagbok-sharepic-portrait.png', 1080, 1920)
+  } finally {
+    await browser.close()
+  }
+}
+
+main().catch((err) => {
+  console.error('Error generating sharepics:', err)
+  process.exit(1)
+})

scripts/restore-backup.sh

@@ -0,0 +1,345 @@
+#!/usr/bin/env bash
+# Restore server backup created by scripts/backup.sh
+#
+# Usage:
+#   ./scripts/restore-backup.sh --list
+#   ./scripts/restore-backup.sh -dest stage --restore PATH
+#   ./scripts/restore-backup.sh --restore /var/backups/kapteins-daagbok/kapteins-daagbok_....tar.gz
+#
+# Environment overrides:
+#   BACKUP_DIR, COMPOSE_FILE, DB_CONTAINER, BACKEND_CONTAINER, ENV_FILE
+set -euo pipefail
+
+BACKUP_DIR="${BACKUP_DIR:-/var/backups/kapteins-daagbok}"
+ENV_FILE="${ENV_FILE:-.env}"
+MAX_WAIT=90
+DEST="prod"
+COMPOSE_FILE=""
+DB_CONTAINER=""
+BACKEND_CONTAINER=""
+
+apply_dest_config() {
+  local dest="$1"
+  local force="${2:-0}"
+  if [[ "$dest" == "stage" ]]; then
+    if [[ "$force" == "1" || -z "${COMPOSE_FILE}" ]]; then
+      COMPOSE_FILE="docker-compose.staging.yml"
+    fi
+    if [[ "$force" == "1" || -z "${DB_CONTAINER}" ]]; then
+      DB_CONTAINER="daagbox-staging-db"
+    fi
+    if [[ "$force" == "1" || -z "${BACKEND_CONTAINER}" ]]; then
+      BACKEND_CONTAINER="daagbox-staging-backend"
+    fi
+  else
+    if [[ "$force" == "1" || -z "${COMPOSE_FILE}" ]]; then
+      COMPOSE_FILE="docker-compose.yml"
+    fi
+    if [[ "$force" == "1" || -z "${DB_CONTAINER}" ]]; then
+      DB_CONTAINER="daagbox-prod-db"
+    fi
+    if [[ "$force" == "1" || -z "${BACKEND_CONTAINER}" ]]; then
+      BACKEND_CONTAINER="daagbox-prod-backend"
+    fi
+  fi
+}
+
+MODE="full"
+RESTORE_PATH=""
+LIST=0
+ASSUME_YES=0
+
+usage() {
+  sed -n '2,10p' "$0"
+  echo ""
+  echo "Options:"
+  echo "  -dest prod|stage                  Target environment (default: prod)"
+  echo "  --list                            List available backups"
+  echo "  --restore PATH                    Backup archive to restore"
+  echo "  --full                            Restore DB + .env (default)"
+  echo "  --db-only                         Restore database only"
+  echo "  --env-only                        Restore .env only"
+  echo "  --yes                             Skip confirmation prompts"
+  echo "  -h, --help                        Show this help"
+}
+
+confirm() {
+  local prompt="$1"
+  if [ "$ASSUME_YES" -eq 1 ]; then
+    return 0
+  fi
+  read -r -p "$prompt [y/N] " answer
+  [[ "$answer" =~ ^[yY]$ ]]
+}
+
+while [ $# -gt 0 ]; do
+  case "$1" in
+    -dest)
+      DEST="${2:?-dest requires an argument}"
+      shift 2
+      ;;
+    -dest=*)
+      DEST="${1#*=}"
+      shift
+      ;;
+    --list)
+      LIST=1
+      shift
+      ;;
+    --restore)
+      RESTORE_PATH="${2:?--restore requires a path}"
+      shift 2
+      ;;
+    --full)
+      MODE="full"
+      shift
+      ;;
+    --db-only)
+      MODE="db-only"
+      shift
+      ;;
+    --env-only)
+      MODE="env-only"
+      shift
+      ;;
+    --yes)
+      ASSUME_YES=1
+      shift
+      ;;
+    -h|--help)
+      usage
+      exit 0
+      ;;
+    *)
+      echo "Unknown option: $1" >&2
+      usage >&2
+      exit 1
+      ;;
+  esac
+done
+
+case "$DEST" in
+  prod|stage) ;;
+  *)
+    echo "Error: invalid -dest '$DEST' (use prod or stage)" >&2
+    exit 1
+    ;;
+esac
+
+apply_dest_config "$DEST"
+
+list_backups() {
+  if [ ! -d "$BACKUP_DIR" ]; then
+    echo "No backup directory: $BACKUP_DIR"
+    return 0
+  fi
+
+  local found=0
+  while IFS= read -r archive; do
+    found=1
+    echo "=== $archive ==="
+    tar -xOf "$archive" manifest.json 2>/dev/null | python3 -m json.tool 2>/dev/null || echo "(no manifest)"
+    echo ""
+  done < <(ls -1t "$BACKUP_DIR"/kapteins-daagbok_*.tar.gz 2>/dev/null || true)
+
+  if [ "$found" -eq 0 ]; then
+    echo "No backups found in $BACKUP_DIR"
+  fi
+}
+
+if [ "$LIST" -eq 1 ]; then
+  list_backups
+  exit 0
+fi
+
+if [ -z "$RESTORE_PATH" ]; then
+  echo "Error: --restore PATH or --list required" >&2
+  usage >&2
+  exit 1
+fi
+
+if [ ! -f "$RESTORE_PATH" ]; then
+  echo "Error: backup archive not found: $RESTORE_PATH" >&2
+  exit 1
+fi
+
+WORK_DIR="$(mktemp -d)"
+cleanup() {
+  rm -rf "$WORK_DIR"
+}
+trap cleanup EXIT
+
+echo "Extracting $RESTORE_PATH..."
+tar -xzf "$RESTORE_PATH" -C "$WORK_DIR"
+
+if [ ! -f "$WORK_DIR/manifest.json" ]; then
+  echo "Error: manifest.json missing in backup archive" >&2
+  exit 1
+fi
+
+MANIFEST="$WORK_DIR/manifest.json"
+echo "Backup manifest:"
+python3 -m json.tool "$MANIFEST"
+echo ""
+
+read_manifest_field() {
+  python3 -c "import json; print(json.load(open('$MANIFEST')).get('$1', '') or '')"
+}
+
+MANIFEST_COMPOSE="$(read_manifest_field compose_file)"
+MANIFEST_DB="$(read_manifest_field db_container)"
+MANIFEST_DEST="$(read_manifest_field destination)"
+
+if [ -n "$MANIFEST_COMPOSE" ]; then
+  COMPOSE_FILE="$MANIFEST_COMPOSE"
+fi
+if [ -n "$MANIFEST_DB" ]; then
+  DB_CONTAINER="$MANIFEST_DB"
+fi
+if [ -n "$MANIFEST_DEST" ]; then
+  if [[ "$MANIFEST_DEST" == "stage" ]]; then
+    BACKEND_CONTAINER="${BACKEND_CONTAINER:-daagbox-staging-backend}"
+  else
+    BACKEND_CONTAINER="${BACKEND_CONTAINER:-daagbox-prod-backend}"
+  fi
+fi
+
+if ! docker inspect "$DB_CONTAINER" >/dev/null 2>&1; then
+  if [[ "$DEST" == "prod" ]] && docker inspect daagbox-staging-db >/dev/null 2>&1; then
+    echo "Note: $DB_CONTAINER not found — falling back to staging (daagbox-staging-db). Use -dest stage explicitly."
+    apply_dest_config stage 1
+    DEST="stage"
+  else
+    echo "Error: DB container '$DB_CONTAINER' not found" >&2
+    exit 1
+  fi
+fi
+
+GIT_TAG="$(read_manifest_field git_tag)"
+GIT_SHA="$(read_manifest_field git_sha)"
+BACKUP_TS="$(read_manifest_field local_timestamp)"
+
+if ! confirm "Restore backup from $BACKUP_TS (tag: $GIT_TAG)? Mode: $MODE"; then
+  echo "Aborted."
+  exit 1
+fi
+
+restore_env() {
+  if [ ! -f "$WORK_DIR/.env" ]; then
+    echo "Error: .env missing in backup archive" >&2
+    exit 1
+  fi
+
+  if [ -f "$ENV_FILE" ]; then
+    BAK="${ENV_FILE}.bak-restore.$(date +%Y%m%d-%H%M%S)"
+    cp "$ENV_FILE" "$BAK"
+    echo "Current $ENV_FILE saved to $BAK"
+  fi
+
+  cp "$WORK_DIR/.env" "$ENV_FILE"
+  chmod 600 "$ENV_FILE"
+  echo "Restored $ENV_FILE"
+}
+
+restore_db() {
+  if [ ! -f "$WORK_DIR/database.sql.gz" ]; then
+    echo "Error: database.sql.gz missing in backup archive" >&2
+    exit 1
+  fi
+
+  if [ ! -f "$ENV_FILE" ]; then
+    echo "Error: $ENV_FILE required for database restore" >&2
+    exit 1
+  fi
+
+  # shellcheck disable=SC1090
+  set -a
+  source "$ENV_FILE"
+  set +a
+
+  POSTGRES_USER="${POSTGRES_USER:-postgres}"
+  POSTGRES_DB="${POSTGRES_DB:-daagbox}"
+
+  if [ -z "${POSTGRES_PASSWORD:-}" ]; then
+    echo "Error: POSTGRES_PASSWORD not set in $ENV_FILE" >&2
+    exit 1
+  fi
+
+  if ! docker inspect "$DB_CONTAINER" >/dev/null 2>&1; then
+    echo "Error: DB container '$DB_CONTAINER' not found" >&2
+    exit 1
+  fi
+
+  echo "Stopping backend before database restore..."
+  docker compose -f "$COMPOSE_FILE" stop backend || true
+
+  echo "Resetting public schema..."
+  export PGPASSWORD="$POSTGRES_PASSWORD"
+  docker exec -e PGPASSWORD="$POSTGRES_PASSWORD" "$DB_CONTAINER" \
+    psql -U "$POSTGRES_USER" -d "$POSTGRES_DB" -v ON_ERROR_STOP=1 <<SQL
+DROP SCHEMA IF EXISTS public CASCADE;
+CREATE SCHEMA public;
+GRANT ALL ON SCHEMA public TO "${POSTGRES_USER}";
+GRANT ALL ON SCHEMA public TO public;
+SQL
+
+  echo "Importing database dump..."
+  gunzip -c "$WORK_DIR/database.sql.gz" | docker exec -i -e PGPASSWORD="$POSTGRES_PASSWORD" "$DB_CONTAINER" \
+    psql -U "$POSTGRES_USER" -d "$POSTGRES_DB" -v ON_ERROR_STOP=1
+  unset PGPASSWORD
+
+  echo "Database restore complete."
+}
+
+wait_for_healthy() {
+  echo "Starting stack and waiting for health..."
+  docker compose -f "$COMPOSE_FILE" up -d
+
+  local counter=0
+  while [ "$counter" -lt "$MAX_WAIT" ]; do
+    local status
+    status="$(docker inspect --format='{{if .State.Health}}{{.State.Health.Status}}{{end}}' "$BACKEND_CONTAINER" 2>/dev/null || true)"
+    if [ "$status" = "healthy" ]; then
+      echo "Backend is healthy."
+      return 0
+    fi
+    if curl -sf "http://127.0.0.1/api/health" | grep -q '"status":"ok"'; then
+      echo "API health check OK."
+      return 0
+    fi
+    sleep 1
+    counter=$((counter + 1))
+    printf "."
+  done
+  echo ""
+  echo "Warning: backend did not become healthy in time." >&2
+  return 1
+}
+
+case "$MODE" in
+  env-only)
+    restore_env
+    ;;
+  db-only)
+    restore_db
+    wait_for_healthy || exit 1
+    ;;
+  full)
+    restore_env
+    restore_db
+    wait_for_healthy || exit 1
+    if [ -f "$WORK_DIR/app.tar.gz" ] && [ "$GIT_TAG" != "unknown" ]; then
+      if confirm "Checkout app code at tag $GIT_TAG? (git fetch + checkout)"; then
+        git fetch --tags origin
+        git checkout "$GIT_TAG"
+        echo "Checked out $GIT_TAG"
+      fi
+    fi
+    ;;
+  *)
+    echo "Error: unknown mode $MODE" >&2
+    exit 1
+    ;;
+esac
+
+echo "Restore finished (mode: $MODE, tag: $GIT_TAG, sha: ${GIT_SHA:0:8})."

scripts/start-dev.sh

@@ -81,7 +81,7 @@ require_node_toolchain() {
   echo ""
   echo "On the production host, prefer updating the running stack:"
   echo "  docker compose -f docker-compose.yml up -d --build"
-  echo "  # or from your workstation: ./scripts/update-prod.sh"
+  echo "  # or from your workstation: ./scripts/update-remotes.sh -dest prod"
   exit 1
 }
 

scripts/update-prod.sh

@@ -1,254 +0,0 @@
-#!/bin/bash
-
-set -euo pipefail
-
-# Remote deployment configuration
-# Override any of these via environment variables if needed, e.g.:
-#   REMOTE_HOST=192.168.1.10 ./scripts/update-prod.sh
-REMOTE_USER="${REMOTE_USER:-root}"
-REMOTE_HOST="${REMOTE_HOST:-10.0.0.25}"
-REMOTE_DIR="${REMOTE_DIR:-/opt/kapteins-daagbok}"
-REMOTE_TARGET="${REMOTE_USER}@${REMOTE_HOST}"
-
-# Configuration
-COMPOSE_FILE="docker-compose.yml"
-BACKEND_CONTAINER="daagbox-prod-backend"
-MAX_WAIT=35
-
-SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-REPO_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
-VERSION_FILE="$REPO_ROOT/VERSION"
-DEFAULT_VERSION="0.1.0.0"
-
-echo "=================================================="
-echo "    Kapteins Daagbok Prod Environment Update     "
-echo "=================================================="
-echo "Target: ${REMOTE_TARGET}:${REMOTE_DIR}"
-echo "=================================================="
-
-cd "$REPO_ROOT"
-
-read_current_version() {
-  if [ -f "$VERSION_FILE" ]; then
-    tr -d '[:space:]' < "$VERSION_FILE"
-    return
-  fi
-
-  local latest_tag
-  latest_tag="$(git tag -l 'v*' --sort=-v:refname | head -n 1 || true)"
-  if [ -n "$latest_tag" ]; then
-    echo "${latest_tag#v}"
-    return
-  fi
-
-  echo "$DEFAULT_VERSION"
-}
-
-bump_patch_version() {
-  local version="$1"
-  local major minor patch build
-
-  IFS='.' read -r major minor patch build <<< "$version"
-  major="${major:-0}"
-  minor="${minor:-1}"
-  patch="${patch:-0}"
-  build="${build:-0}"
-
-  build=$((10#$build + 1))
-  echo "${major}.${minor}.${patch}.${build}"
-}
-
-ensure_clean_git_tree() {
-  if [ -z "$(git status --porcelain)" ]; then
-    return 0
-  fi
-
-  echo ""
-  echo "Uncommitted local changes detected:"
-  git status --short
-  echo ""
-  read -r -p "Commit all changes now before release? [y/N] " answer
-
-  if [[ ! "$answer" =~ ^[yY]$ ]]; then
-    echo "Aborting: working tree is not clean."
-    exit 1
-  fi
-
-  read -r -p "Commit message: " commit_message
-  if [ -z "$commit_message" ]; then
-    echo "Aborting: commit message is required."
-    exit 1
-  fi
-
-  git add -A
-  git commit -m "$commit_message"
-}
-
-prepare_release() {
-  local current_version release_version next_version tag_name
-
-  ensure_clean_git_tree
-
-  current_version="$(read_current_version)"
-  release_version="$current_version"
-  next_version="$(bump_patch_version "$current_version")"
-  tag_name="v${release_version}"
-
-  if git rev-parse "$tag_name" >/dev/null 2>&1; then
-    echo "Error: Git tag '$tag_name' already exists."
-    exit 1
-  fi
-
-  echo "$next_version" > "$VERSION_FILE"
-  git add "$VERSION_FILE"
-  git commit -m "chore: release ${tag_name}"
-  git tag -a "$tag_name" -m "Release ${tag_name}"
-
-  echo ""
-  echo "Prepared release ${tag_name}"
-  echo "  Released:  ${tag_name}"
-  echo "  Next prep: v${next_version}"
-  echo ""
-
-  read -r -p "Push commit and tag to origin? [Y/n] " push_answer
-  if [[ ! "$push_answer" =~ ^[nN]$ ]]; then
-    current_branch="$(git branch --show-current)"
-    git push origin "$current_branch"
-    git push origin "$tag_name"
-    echo "Pushed ${current_branch} and ${tag_name} to origin."
-  else
-    echo "Skipped push. Remote host must receive this commit/tag manually."
-  fi
-
-  export APP_VERSION="$release_version"
-}
-
-prepare_release
-
-if [[ "${SKIP_PREDEPLOY_CHECK:-}" == "1" ]]; then
-  echo "Skipping pre-deploy checks (SKIP_PREDEPLOY_CHECK=1)."
-else
-  echo "=================================================="
-  echo "    Pre-deploy checks (local)"
-  echo "=================================================="
-  "$SCRIPT_DIR/predeploy-check.sh"
-fi
-
-echo "=================================================="
-echo "Deploying ${APP_VERSION} to ${REMOTE_TARGET}:${REMOTE_DIR}"
-echo "=================================================="
-
-# Run the whole update procedure remotely over SSH.
-ssh -o ConnectTimeout=10 "$REMOTE_TARGET" 'bash -s' -- \
-  "$REMOTE_DIR" "$COMPOSE_FILE" "$BACKEND_CONTAINER" "$MAX_WAIT" "$REMOTE_HOST" "$APP_VERSION" <<'REMOTE_SCRIPT'
-set -uo pipefail
-
-REMOTE_DIR="$1"
-COMPOSE_FILE="$2"
-BACKEND_CONTAINER="$3"
-MAX_WAIT="$4"
-REMOTE_HOST="$5"
-APP_VERSION="$6"
-
-cd "$REMOTE_DIR" || { echo "Error: Remote directory '$REMOTE_DIR' not found."; exit 1; }
-
-echo "Syncing repository from origin..."
-CURRENT_BRANCH="$(git branch --show-current)"
-if [ -z "$CURRENT_BRANCH" ]; then
-  echo "Error: Could not determine current Git branch."
-  exit 1
-fi
-
-if ! git diff-index --quiet HEAD -- || [ -n "$(git status --porcelain)" ]; then
-  echo "Warning: Local changes on deployment host will be discarded."
-fi
-
-git fetch --tags origin
-if [ $? -ne 0 ]; then
-  echo "Error: Git fetch failed."
-  exit 1
-fi
-
-git reset --hard "origin/${CURRENT_BRANCH}"
-if [ $? -ne 0 ]; then
-  echo "Error: Git reset to origin/${CURRENT_BRANCH} failed."
-  exit 1
-fi
-
-REMOTE_VERSION="$(tr -d '[:space:]' < VERSION)"
-if [ "$REMOTE_VERSION" != "$APP_VERSION" ]; then
-  echo "Note: Remote VERSION file already points to next release (v${REMOTE_VERSION})."
-  echo "      Building deployed release v${APP_VERSION}."
-fi
-
-export APP_VERSION="$APP_VERSION"
-
-echo "Rebuilding Docker images without cache (APP_VERSION=${APP_VERSION})..."
-docker compose -f "$COMPOSE_FILE" build --no-cache
-if [ $? -ne 0 ]; then
-  echo "Error: Docker compose build failed."
-  exit 1
-fi
-
-echo "Starting updated container stack..."
-docker compose -f "$COMPOSE_FILE" up -d
-if [ $? -ne 0 ]; then
-  echo "Error: Failed to spin up docker-compose stack."
-  exit 1
-fi
-
-echo "Cleaning up old/unused Docker resources..."
-docker system prune -f
-if [ $? -ne 0 ]; then
-  echo "Warning: Docker system prune failed to run completely."
-fi
-
-echo "Waiting for services to become healthy..."
-COUNTER=0
-IS_READY=false
-
-while [ $COUNTER -lt $MAX_WAIT ]; do
-  STATUS=$(docker inspect --format='{{.State.Health.Status}}' "$BACKEND_CONTAINER" 2>/dev/null)
-
-  if [ "$STATUS" = "healthy" ]; then
-    IS_READY=true
-    break
-  fi
-
-  sleep 1
-  COUNTER=$((COUNTER + 1))
-  printf "."
-done
-echo ""
-
-echo "=================================================="
-echo "Container Statuses:"
-docker compose -f "$COMPOSE_FILE" ps
-echo "=================================================="
-
-if [ "$IS_READY" = true ]; then
-  echo "SUCCESS: Production environment updated and healthy!"
-  echo " -> Version:               v${APP_VERSION}"
-  echo " -> App Frontend (Nginx):  http://${REMOTE_HOST}"
-  echo " -> Backend API Health:    http://${REMOTE_HOST}/api/health"
-  echo "=================================================="
-else
-  echo "WARNING: Backend did not transition to healthy in time."
-  echo "Check backend container logs for details:"
-  echo " -> docker compose logs backend"
-  echo "=================================================="
-  exit 3
-fi
-REMOTE_SCRIPT
-
-REMOTE_EXIT=$?
-echo "=================================================="
-if [ $REMOTE_EXIT -eq 0 ]; then
-  echo "Remote update completed successfully on ${REMOTE_TARGET} (v${APP_VERSION})."
-elif [ $REMOTE_EXIT -eq 3 ]; then
-  echo "Remote update finished, but the backend was not healthy in time on ${REMOTE_TARGET}."
-else
-  echo "Remote update FAILED on ${REMOTE_TARGET} (exit code: ${REMOTE_EXIT})."
-fi
-echo "=================================================="
-exit $REMOTE_EXIT

scripts/update-remotes.sh

@@ -0,0 +1,432 @@
+#!/bin/bash
+
+set -euo pipefail
+
+usage() {
+  cat <<EOF
+Usage: $(basename "$0") [-dest prod|stage]
+
+Deploy Kapteins Daagbok to production or staging.
+
+  -dest prod   Production (default): release tag, bump VERSION, deploy to 10.0.0.25
+  -dest stage  Staging: no release tag, deploy branch to 10.0.0.27
+
+Environment overrides (optional):
+  REMOTE_HOST, REMOTE_USER, REMOTE_DIR, COMPOSE_FILE, BACKEND_CONTAINER
+  DEPLOY_BRANCH (stage only, default: master)
+  SKIP_PREDEPLOY_CHECK=1
+
+Local repo must be clean and match origin before deploy (git fetch + compare HEAD).
+
+Examples:
+  $(basename "$0") -dest prod
+  $(basename "$0") -dest stage
+  DEPLOY_BRANCH=feature/foo $(basename "$0") -dest stage
+EOF
+}
+
+DEST="prod"
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    -dest)
+      if [[ $# -lt 2 ]]; then
+        echo "Error: -dest requires an argument (prod or stage)." >&2
+        usage
+        exit 1
+      fi
+      DEST="$2"
+      shift 2
+      ;;
+    -dest=*)
+      DEST="${1#*=}"
+      shift
+      ;;
+    -h|--help)
+      usage
+      exit 0
+      ;;
+    *)
+      echo "Error: Unknown argument: $1" >&2
+      usage
+      exit 1
+      ;;
+  esac
+done
+
+case "$DEST" in
+  prod|stage) ;;
+  *)
+    echo "Error: Invalid -dest '$DEST' (use prod or stage)." >&2
+    usage
+    exit 1
+    ;;
+esac
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+REPO_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
+VERSION_FILE="$REPO_ROOT/VERSION"
+DEFAULT_VERSION="0.1.0.0"
+MAX_WAIT=90
+
+REMOTE_USER="${REMOTE_USER:-root}"
+
+if [[ "$DEST" == "stage" ]]; then
+  REMOTE_HOST="${REMOTE_HOST:-10.0.0.27}"
+  REMOTE_DIR="${REMOTE_DIR:-/opt/kapteins-daagbok-staging}"
+  COMPOSE_FILE="${COMPOSE_FILE:-docker-compose.staging.yml}"
+  BACKEND_CONTAINER="${BACKEND_CONTAINER:-daagbox-staging-backend}"
+  APP_URL="${APP_URL:-https://staging.kapteins-daagbok.eu}"
+  DEPLOY_BRANCH="${DEPLOY_BRANCH:-master}"
+  ENV_LABEL="Staging"
+else
+  REMOTE_HOST="${REMOTE_HOST:-10.0.0.25}"
+  REMOTE_DIR="${REMOTE_DIR:-/opt/kapteins-daagbok}"
+  COMPOSE_FILE="${COMPOSE_FILE:-docker-compose.yml}"
+  BACKEND_CONTAINER="${BACKEND_CONTAINER:-daagbox-prod-backend}"
+  APP_URL="${APP_URL:-https://kapteins-daagbok.eu}"
+  DEPLOY_BRANCH=""
+  ENV_LABEL="Production"
+fi
+
+REMOTE_TARGET="${REMOTE_USER}@${REMOTE_HOST}"
+
+echo "=================================================="
+echo "    Kapteins Daagbok ${ENV_LABEL} Update"
+echo "=================================================="
+echo "Destination: ${DEST}"
+echo "Target:      ${REMOTE_TARGET}:${REMOTE_DIR}"
+if [[ "$DEST" == "stage" ]]; then
+  echo "Branch:      ${DEPLOY_BRANCH}"
+fi
+echo "URL:         ${APP_URL}"
+echo "=================================================="
+
+cd "$REPO_ROOT"
+
+read_current_version() {
+  if [ -f "$VERSION_FILE" ]; then
+    tr -d '[:space:]' < "$VERSION_FILE"
+    return
+  fi
+
+  local latest_tag
+  latest_tag="$(git tag -l 'v*' --sort=-v:refname | head -n 1 || true)"
+  if [ -n "$latest_tag" ]; then
+    echo "${latest_tag#v}"
+    return
+  fi
+
+  echo "$DEFAULT_VERSION"
+}
+
+bump_patch_version() {
+  local version="$1"
+  local major minor patch build
+
+  IFS='.' read -r major minor patch build <<< "$version"
+  major="${major:-0}"
+  minor="${minor:-1}"
+  patch="${patch:-0}"
+  build="${build:-0}"
+
+  build=$((10#$build + 1))
+  echo "${major}.${minor}.${patch}.${build}"
+}
+
+ensure_clean_git_tree() {
+  if [ -z "$(git status --porcelain)" ]; then
+    return 0
+  fi
+
+  echo ""
+  echo "Uncommitted local changes detected:"
+  git status --short
+  echo ""
+  read -r -p "Commit all changes now before release? [y/N] " answer
+
+  if [[ ! "$answer" =~ ^[yY]$ ]]; then
+    echo "Aborting: working tree is not clean."
+    exit 1
+  fi
+
+  read -r -p "Commit message: " commit_message
+  if [ -z "$commit_message" ]; then
+    echo "Aborting: commit message is required."
+    exit 1
+  fi
+
+  git add -A
+  git commit -m "$commit_message"
+}
+
+ensure_local_sync_with_origin() {
+  local branch="$1"
+  local local_sha origin_sha current_branch
+
+  if [ -z "$branch" ]; then
+    echo "Error: deploy branch is not set." >&2
+    exit 1
+  fi
+
+  if [ -n "$(git status --porcelain)" ]; then
+    echo "Error: Working tree is not clean. Commit or stash changes before deploying." >&2
+    git status --short
+    exit 1
+  fi
+
+  current_branch="$(git branch --show-current)"
+  if [ -z "$current_branch" ]; then
+    echo "Error: Detached HEAD — checkout branch '$branch' before deploying." >&2
+    exit 1
+  fi
+
+  if [ "$current_branch" != "$branch" ]; then
+    echo "Error: On branch '$current_branch', expected '$branch'." >&2
+    exit 1
+  fi
+
+  echo "Syncing with origin..."
+  git fetch --tags origin
+  if [ $? -ne 0 ]; then
+    echo "Error: git fetch origin failed." >&2
+    exit 1
+  fi
+
+  if ! git rev-parse --verify "origin/${branch}" >/dev/null 2>&1; then
+    echo "Error: origin/${branch} does not exist." >&2
+    exit 1
+  fi
+
+  local_sha="$(git rev-parse HEAD)"
+  origin_sha="$(git rev-parse "origin/${branch}")"
+
+  if [ "$local_sha" = "$origin_sha" ]; then
+    echo "Local branch '$branch' matches origin/${branch} ($(git rev-parse --short HEAD))."
+    return 0
+  fi
+
+  echo "Error: Local '$branch' is not in sync with origin/${branch}." >&2
+  echo "  local:  $(git rev-parse --short HEAD) $(git log -1 --format='%s' HEAD)" >&2
+  echo "  origin: $(git rev-parse --short "origin/${branch}") $(git log -1 --format='%s' "origin/${branch}")" >&2
+
+  if git merge-base --is-ancestor "$local_sha" "origin/${branch}" 2>/dev/null; then
+    echo "Hint: run 'git pull' to fast-forward." >&2
+  elif git merge-base --is-ancestor "origin/${branch}" "$local_sha" 2>/dev/null; then
+    echo "Hint: run 'git push origin ${branch}' before deploying." >&2
+  else
+    echo "Hint: branches have diverged — reconcile manually before deploying." >&2
+  fi
+  exit 1
+}
+
+prepare_release() {
+  local current_version release_version next_version tag_name
+
+  ensure_clean_git_tree
+
+  current_version="$(read_current_version)"
+  release_version="$current_version"
+  next_version="$(bump_patch_version "$current_version")"
+  tag_name="v${release_version}"
+
+  if git rev-parse "$tag_name" >/dev/null 2>&1; then
+    echo "Error: Git tag '$tag_name' already exists."
+    exit 1
+  fi
+
+  echo "$next_version" > "$VERSION_FILE"
+  git add "$VERSION_FILE"
+  git commit -m "chore: release ${tag_name}"
+  git tag -a "$tag_name" -m "Release ${tag_name}"
+
+  echo ""
+  echo "Prepared release ${tag_name}"
+  echo "  Released:  ${tag_name}"
+  echo "  Next prep: v${next_version}"
+  echo ""
+
+  read -r -p "Push commit and tag to origin? [Y/n] " push_answer
+  if [[ ! "$push_answer" =~ ^[nN]$ ]]; then
+    current_branch="$(git branch --show-current)"
+    git push origin "$current_branch"
+    git push origin "$tag_name"
+    echo "Pushed ${current_branch} and ${tag_name} to origin."
+  else
+    echo "Skipped push. Remote host must receive this commit/tag manually."
+  fi
+
+  export APP_VERSION="$release_version"
+}
+
+if [[ "$DEST" == "prod" ]]; then
+  prepare_release
+  ensure_local_sync_with_origin "$(git branch --show-current)"
+else
+  ensure_local_sync_with_origin "$DEPLOY_BRANCH"
+  APP_VERSION="$(read_current_version)"
+fi
+
+if [[ "${SKIP_PREDEPLOY_CHECK:-}" == "1" ]]; then
+  echo "Skipping pre-deploy checks (SKIP_PREDEPLOY_CHECK=1)."
+else
+  echo "=================================================="
+  echo "    Pre-deploy checks (local)"
+  echo "=================================================="
+  "$SCRIPT_DIR/predeploy-check.sh"
+fi
+
+echo "=================================================="
+echo "Deploying v${APP_VERSION} to ${REMOTE_TARGET}:${REMOTE_DIR}"
+echo "=================================================="
+
+ssh -o ConnectTimeout=10 "$REMOTE_TARGET" 'bash -s' -- \
+  "$REMOTE_DIR" "$COMPOSE_FILE" "$BACKEND_CONTAINER" "$MAX_WAIT" "$APP_URL" "$APP_VERSION" "$DEST" "$DEPLOY_BRANCH" <<'REMOTE_SCRIPT'
+set -uo pipefail
+
+REMOTE_DIR="$1"
+COMPOSE_FILE="$2"
+BACKEND_CONTAINER="$3"
+MAX_WAIT="$4"
+APP_URL="$5"
+APP_VERSION="$6"
+DEST="$7"
+DEPLOY_BRANCH="${8:-}"
+
+cd "$REMOTE_DIR" || { echo "Error: Remote directory '$REMOTE_DIR' not found."; exit 1; }
+
+if ! git diff-index --quiet HEAD -- || [ -n "$(git status --porcelain)" ]; then
+  echo "Warning: Local changes on deployment host will be discarded."
+fi
+
+if [[ "$DEST" == "prod" ]]; then
+  echo "Creating pre-deploy backup..."
+  if [ -x "./scripts/backup.sh" ]; then
+    if ! ./scripts/backup.sh --reason pre-deploy --tag "v${APP_VERSION}"; then
+      echo "Error: Pre-deploy backup failed. Aborting update."
+      exit 1
+    fi
+  else
+    echo "Warning: scripts/backup.sh not found or not executable — skipping backup."
+  fi
+fi
+
+if [[ "$DEST" == "stage" ]]; then
+  echo "Syncing repository from origin/${DEPLOY_BRANCH}..."
+  git fetch origin
+  if [ $? -ne 0 ]; then
+    echo "Error: Git fetch failed."
+    exit 1
+  fi
+  git checkout "$DEPLOY_BRANCH" 2>/dev/null || git checkout -b "$DEPLOY_BRANCH" "origin/${DEPLOY_BRANCH}"
+  git reset --hard "origin/${DEPLOY_BRANCH}"
+  if [ $? -ne 0 ]; then
+    echo "Error: Git reset to origin/${DEPLOY_BRANCH} failed."
+    exit 1
+  fi
+else
+  echo "Syncing repository from origin..."
+  CURRENT_BRANCH="$(git branch --show-current)"
+  if [ -z "$CURRENT_BRANCH" ]; then
+    echo "Error: Could not determine current Git branch."
+    exit 1
+  fi
+
+  git fetch --tags origin
+  if [ $? -ne 0 ]; then
+    echo "Error: Git fetch failed."
+    exit 1
+  fi
+
+  git reset --hard "origin/${CURRENT_BRANCH}"
+  if [ $? -ne 0 ]; then
+    echo "Error: Git reset to origin/${CURRENT_BRANCH} failed."
+    exit 1
+  fi
+
+  REMOTE_VERSION="$(tr -d '[:space:]' < VERSION)"
+  if [ "$REMOTE_VERSION" != "$APP_VERSION" ]; then
+    echo "Note: Remote VERSION file already points to next release (v${REMOTE_VERSION})."
+    echo "      Building deployed release v${APP_VERSION}."
+  fi
+fi
+
+export APP_VERSION="$APP_VERSION"
+
+if [[ "$DEST" == "prod" ]]; then
+  echo "Rebuilding Docker images without cache (APP_VERSION=${APP_VERSION})..."
+  docker compose -f "$COMPOSE_FILE" build --no-cache
+else
+  echo "Rebuilding Docker images (APP_VERSION=${APP_VERSION})..."
+  docker compose -f "$COMPOSE_FILE" build
+fi
+if [ $? -ne 0 ]; then
+  echo "Error: Docker compose build failed."
+  exit 1
+fi
+
+echo "Starting updated container stack..."
+docker compose -f "$COMPOSE_FILE" up -d
+if [ $? -ne 0 ]; then
+  echo "Error: Failed to spin up docker-compose stack."
+  exit 1
+fi
+
+echo "Cleaning up old/unused Docker resources..."
+docker system prune -f || echo "Warning: Docker system prune failed."
+
+echo "Waiting for services to become healthy..."
+COUNTER=0
+IS_READY=false
+
+while [ $COUNTER -lt $MAX_WAIT ]; do
+  STATUS=$(docker inspect --format='{{if .State.Health}}{{.State.Health.Status}}{{end}}' "$BACKEND_CONTAINER" 2>/dev/null || true)
+
+  if [ "$STATUS" = "healthy" ]; then
+    IS_READY=true
+    break
+  fi
+
+  # End-to-end fallback via frontend nginx (covers missing/stale container health state)
+  if curl -sf "http://127.0.0.1/api/health" | grep -q '"status":"ok"'; then
+    IS_READY=true
+    break
+  fi
+
+  sleep 1
+  COUNTER=$((COUNTER + 1))
+  printf "."
+done
+echo ""
+
+echo "=================================================="
+echo "Container Statuses:"
+docker compose -f "$COMPOSE_FILE" ps
+echo "=================================================="
+
+if [ "$IS_READY" = true ]; then
+  echo "SUCCESS: ${DEST} environment updated and healthy!"
+  echo " -> Version:            v${APP_VERSION}"
+  echo " -> App Frontend:       ${APP_URL}"
+  echo " -> Backend API Health: ${APP_URL}/api/health"
+  echo "=================================================="
+else
+  echo "WARNING: Backend did not transition to healthy in time."
+  echo "Check backend container logs:"
+  echo " -> docker compose -f ${COMPOSE_FILE} logs backend"
+  echo "=================================================="
+  exit 3
+fi
+REMOTE_SCRIPT
+
+REMOTE_EXIT=$?
+echo "=================================================="
+if [ $REMOTE_EXIT -eq 0 ]; then
+  echo "${ENV_LABEL} update completed successfully on ${REMOTE_TARGET} (v${APP_VERSION})."
+elif [ $REMOTE_EXIT -eq 3 ]; then
+  echo "${ENV_LABEL} update finished, but the backend was not healthy in time on ${REMOTE_TARGET}."
+else
+  echo "${ENV_LABEL} update FAILED on ${REMOTE_TARGET} (exit code: ${REMOTE_EXIT})."
+fi
+echo "=================================================="
+exit $REMOTE_EXIT

server/src/adminConfig.ts

@@ -0,0 +1,25 @@
+const ADMIN_ENV_KEY = 'ADMIN_USER_IDS'
+
+export function getAdminUserIds(): Set<string> {
+  const raw = process.env[ADMIN_ENV_KEY]
+  if (!raw) {
+    return new Set()
+  }
+
+  const ids = raw
+    .split(',')
+    .map((id) => id.trim())
+    .filter((id) => id.length > 0)
+
+  if (ids.length === 0) {
+    return new Set()
+  }
+
+  return new Set(ids)
+}
+
+export function isAdminUserId(userId: string): boolean {
+  const adminIds = getAdminUserIds()
+  return adminIds.has(userId)
+}
+

server/src/api.smoke.test.ts

@@ -59,4 +59,12 @@ describe('API smoke', () => {
     expect(res.status).toBe(401)
     expect(res.body.error).toMatch(/Unauthorized/i)
   })
+
+  it('POST /api/ai/transcribe requires session', async () => {
+    const res = await request(app)
+      .post('/api/ai/transcribe')
+      .send({ audioDataUrl: 'data:audio/webm;base64,abcdef' })
+    expect(res.status).toBe(401)
+    expect(res.body.error).toMatch(/Unauthorized/i)
+  })
 })

server/src/app.ts

@@ -12,6 +12,7 @@ import pushRouter from './routes/push.js'
 import weatherRouter from './routes/weather.js'
 import aiRouter from './routes/ai.js'
 import feedbackRouter from './routes/feedback.js'
+import adminRouter from './routes/admin.js'
 import { prisma } from './db.js'
 import { buildCorsOptions } from './cors.js'
 
@@ -121,6 +122,7 @@ export function createApp(): express.Express {
   app.use('/api/weather', weatherRouter)
   app.use('/api/ai', aiRouter)
   app.use('/api/feedback', feedbackRouter)
+  app.use('/api/admin', adminRouter)
 
   app.get('/api/health', async (_req, res) => {
     try {

server/src/middleware/auth.ts

@@ -1,5 +1,6 @@
 import type { Request, Response, NextFunction } from 'express'
 import { hasValidReauth, readSessionFromRequest } from '../session.js'
+import { isAdminUserId } from '../adminConfig.js'
 
 export interface AuthedRequest extends Request {
   userId: string
@@ -31,3 +32,21 @@ export function requireReauth(req: Request, res: Response, next: NextFunction):
   ;(req as AuthedRequest).session = session
   next()
 }
+
+export function requireAdmin(req: Request, res: Response, next: NextFunction): void {
+  const session = readSessionFromRequest(req)
+  if (!session) {
+    res.status(401).json({ error: 'Unauthorized: valid session required' })
+    return
+  }
+
+  if (!isAdminUserId(session.userId)) {
+    res.status(403).json({ error: 'Forbidden: admin access required' })
+    return
+  }
+
+  ;(req as AuthedRequest).userId = session.userId
+  ;(req as AuthedRequest).session = session
+  next()
+}
+

server/src/routes/admin.ts

@@ -0,0 +1,151 @@
+import { Router } from 'express'
+import { prisma } from '../db.js'
+import { requireUser, requireAdmin, type AuthedRequest } from '../middleware/auth.js'
+
+const router = Router()
+
+router.get('/me', requireUser, requireAdmin, (req, res) => {
+  const { userId } = req as AuthedRequest
+  res.json({ isAdmin: true, userId })
+})
+
+router.get('/summary', requireUser, requireAdmin, async (_req, res) => {
+  try {
+    const [totalUsers, totalLogbooks, totalPhotos, totalVoiceMemos, totalGpsTracks, totalCollaborations, totalInvitations, aiSummaryEntries] =
+      await Promise.all([
+        prisma.user.count(),
+        prisma.logbook.count(),
+        prisma.photoPayload.count(),
+        prisma.voiceMemoPayload.count(),
+        prisma.gpsTrackPayload.count(),
+        prisma.collaboration.count(),
+        prisma.invitation.count(),
+        prisma.aiSummaryUsage.count()
+      ])
+
+    res.json({
+      totalUsers,
+      totalLogbooks,
+      totalPhotos,
+      totalVoiceMemos,
+      totalGpsTracks,
+      totalCollaborations,
+      totalInvitations,
+      aiSummaryEntries
+    })
+  } catch (error: unknown) {
+    console.error('admin/summary error', error)
+    res.status(500).json({ error: 'Failed to load admin summary' })
+  }
+})
+
+type TimeBucket = 'day' | 'week' | 'month'
+
+interface TimeSeriesPoint {
+  date: string
+  count: number
+}
+
+interface TimeSeries {
+  metric: string
+  points: TimeSeriesPoint[]
+}
+
+function normalizeBucket(value: string | undefined | null): TimeBucket {
+  if (value === 'week' || value === 'month') return value
+  return 'day'
+}
+
+function parseWindowDays(raw: string | undefined | null): number {
+  const n = raw ? Number.parseInt(raw, 10) : NaN
+  if (!Number.isFinite(n) || n <= 0) return 90
+  return Math.min(n, 365)
+}
+
+function startOfDay(date: Date): Date {
+  const d = new Date(date)
+  d.setUTCHours(0, 0, 0, 0)
+  return d
+}
+
+function startOfWeek(date: Date): Date {
+  const d = startOfDay(date)
+  const day = d.getUTCDay() || 7
+  d.setUTCDate(d.getUTCDate() - (day - 1))
+  return d
+}
+
+function startOfMonth(date: Date): Date {
+  const d = startOfDay(date)
+  d.setUTCDate(1)
+  return d
+}
+
+function bucketDate(date: Date, bucket: TimeBucket): string {
+  const base =
+    bucket === 'week' ? startOfWeek(date) : bucket === 'month' ? startOfMonth(date) : startOfDay(date)
+  return base.toISOString().slice(0, 10)
+}
+
+async function buildTimeSeries(bucket: TimeBucket, windowDays: number): Promise<TimeSeries[]> {
+  const since = new Date()
+  since.setUTCDate(since.getUTCDate() - windowDays)
+
+  const [users, logbooks, photos] = await Promise.all([
+    prisma.user.findMany({
+      where: { createdAt: { gte: since } },
+      select: { createdAt: true }
+    }),
+    prisma.logbook.findMany({
+      where: { createdAt: { gte: since } },
+      select: { createdAt: true }
+    }),
+    prisma.photoPayload.findMany({
+      where: { updatedAt: { gte: since } },
+      select: { updatedAt: true }
+    })
+  ])
+
+  function aggregate(dates: Date[], metric: string): TimeSeries {
+    const map = new Map<string, number>()
+    for (const d of dates) {
+      const key = bucketDate(d, bucket)
+      map.set(key, (map.get(key) ?? 0) + 1)
+    }
+    const points = Array.from(map.entries())
+      .sort(([a], [b]) => (a < b ? -1 : a > b ? 1 : 0))
+      .map(([date, count]) => ({ date, count }))
+    return { metric, points }
+  }
+
+  return [
+    aggregate(
+      users.map((u) => u.createdAt),
+      'users_created'
+    ),
+    aggregate(
+      logbooks.map((l) => l.createdAt),
+      'logbooks_created'
+    ),
+    aggregate(
+      photos.map((p) => p.updatedAt),
+      'photos_updated'
+    )
+  ]
+}
+
+router.get('/timeseries', requireUser, requireAdmin, async (req, res) => {
+  try {
+    const bucket = normalizeBucket(typeof req.query.bucket === 'string' ? req.query.bucket : undefined)
+    const windowDays = parseWindowDays(typeof req.query.window === 'string' ? req.query.window : undefined)
+
+    const series = await buildTimeSeries(bucket, windowDays)
+    res.json({ bucket, windowDays, series })
+  } catch (error: unknown) {
+    console.error('admin/timeseries error', error)
+    res.status(500).json({ error: 'Failed to load admin time series' })
+  }
+})
+
+export default router
+

server/src/routes/ai.ts

@@ -3,7 +3,6 @@ import { prisma } from '../db.js'
 import { requireUser } from '../middleware/auth.js'
 
 const router = Router()
-
 const MAX_ATTEMPTS_PER_ENTRY = 3
 const DEFAULT_MODEL = 'anthropic/claude-3.5-haiku'
 const OPENROUTER_URL = 'https://openrouter.ai/api/v1/chat/completions'
@@ -230,4 +229,78 @@ router.post('/summary', async (req: any, res) => {
   }
 })
 
+router.post('/transcribe', async (req: any, res) => {
+  try {
+    const { audioDataUrl } = req.body ?? {}
+    if (!audioDataUrl || typeof audioDataUrl !== 'string') {
+      return res.status(400).json({ error: 'audioDataUrl is required' })
+    }
+
+    const match = audioDataUrl.match(/^data:(.+);base64,(.+)$/)
+    if (!match) {
+      return res.status(400).json({ error: 'Invalid audio data URL format' })
+    }
+
+    const [, fullMimeType, base64Data] = match
+    const mimeType = fullMimeType.split(';')[0]
+
+    let ext = 'webm'
+    if (mimeType.includes('mp4')) ext = 'mp4'
+    else if (mimeType.includes('ogg')) ext = 'ogg'
+    else if (mimeType.includes('wav')) ext = 'wav'
+
+    const apiKey = resolveOpenRouterApiKey()
+    if (!apiKey) {
+      console.warn('[server] OpenRouter API key not configured, transcription unavailable')
+      return res.status(503).json({ error: 'Transcription service not configured' })
+    }
+
+    console.log(`[server] Forwarding ASR request to OpenRouter (${ext}, ${base64Data.length} chars)`)
+
+    const controller = new AbortController()
+    const timeoutId = setTimeout(() => controller.abort(), 30000)
+
+    try {
+      const openRouterRes = await fetch('https://openrouter.ai/api/v1/audio/transcriptions', {
+        method: 'POST',
+        headers: {
+          'Authorization': `Bearer ${apiKey}`,
+          'Content-Type': 'application/json'
+        },
+        body: JSON.stringify({
+          model: 'openai/whisper-large-v3-turbo',
+          input_audio: {
+            data: base64Data,
+            format: ext
+          }
+        }),
+        signal: controller.signal
+      })
+
+      if (!openRouterRes.ok) {
+        const errorText = await openRouterRes.text().catch(() => '')
+        console.error(`[server] OpenRouter ASR error response (status=${openRouterRes.status}):`, errorText)
+        throw new Error(`OpenRouter returned status ${openRouterRes.status}`)
+      }
+
+      const data: any = await openRouterRes.json()
+      const text = (data?.text || '').trim()
+
+      console.log(`[server] OpenRouter ASR completed successfully: "${text}"`)
+      return res.json({ text })
+    } catch (error: unknown) {
+      if (error instanceof Error && error.name === 'AbortError') {
+        console.error('[server] OpenRouter ASR request timed out')
+        return res.status(504).json({ error: 'Transcription request timed out' })
+      }
+      throw error
+    } finally {
+      clearTimeout(timeoutId)
+    }
+  } catch (error: unknown) {
+    console.error('ASR transcription failed:', error)
+    return res.status(503).json({ error: 'Transcription service unavailable' })
+  }
+})
+
 export default router