feat(todo): add To-Do list feature with 3-column layout

- New todo_items DB table with priority, due date, description, user assignment
- Full CRUD API with WebSocket real-time sync
- 3-column UI: sidebar filters (All, My Tasks, Overdue, Done, by Priority),
  task list with inline badges, and detail/create pane
- Apple-inspired design with custom dropdowns, date picker, priority system (P1-P3)
- Mobile responsive: icon-only sidebar, bottom-sheet modals for detail/create
- Lists tab with sub-tabs (Packing List + To-Do), persisted selection
- Addon renamed from "Packing List" to "Lists"
- i18n keys for all 13 languages
- UI polish: notification colors use system theme, mobile navbar cleanup,
  settings page responsive buttons

server/src/app.ts

@@ -18,6 +18,7 @@ import daysRoutes, { accommodationsRouter as accommodationsRoutes } from './rout
 import placesRoutes from './routes/places';
 import assignmentsRoutes from './routes/assignments';
 import packingRoutes from './routes/packing';
+import todoRoutes from './routes/todo';
 import tagsRoutes from './routes/tags';
 import categoriesRoutes from './routes/categories';
 import adminRoutes from './routes/admin';
@@ -179,6 +180,7 @@ export function createApp(): express.Application {
   app.use('/api/trips/:tripId/accommodations', accommodationsRoutes);
   app.use('/api/trips/:tripId/places', placesRoutes);
   app.use('/api/trips/:tripId/packing', packingRoutes);
+  app.use('/api/trips/:tripId/todo', todoRoutes);
   app.use('/api/trips/:tripId/files', filesRoutes);
   app.use('/api/trips/:tripId/budget', budgetRoutes);
   app.use('/api/trips/:tripId/collab', collabRoutes);

server/src/db/migrations.ts

@@ -523,6 +523,33 @@ function runMigrations(db: Database.Database): void {
       try { db.exec("ALTER TABLE trip_photos ADD COLUMN album_link_id INTEGER REFERENCES trip_album_links(id) ON DELETE SET NULL DEFAULT NULL"); } catch (err: any) { if (!err.message?.includes('duplicate column name')) throw err; }
       db.exec('CREATE INDEX IF NOT EXISTS idx_trip_photos_album_link ON trip_photos(album_link_id)');
     },
+    // Migration 68: Todo items
+    () => {
+      db.exec(`
+        CREATE TABLE IF NOT EXISTS todo_items (
+          id INTEGER PRIMARY KEY AUTOINCREMENT,
+          trip_id INTEGER NOT NULL REFERENCES trips(id) ON DELETE CASCADE,
+          name TEXT NOT NULL,
+          checked INTEGER DEFAULT 0,
+          category TEXT,
+          sort_order INTEGER DEFAULT 0,
+          due_date TEXT,
+          description TEXT,
+          assigned_user_id INTEGER REFERENCES users(id) ON DELETE SET NULL,
+          priority INTEGER DEFAULT 0,
+          created_at DATETIME DEFAULT CURRENT_TIMESTAMP
+        );
+        CREATE INDEX IF NOT EXISTS idx_todo_items_trip_id ON todo_items(trip_id);
+
+        CREATE TABLE IF NOT EXISTS todo_category_assignees (
+          id INTEGER PRIMARY KEY AUTOINCREMENT,
+          trip_id INTEGER NOT NULL REFERENCES trips(id) ON DELETE CASCADE,
+          category_name TEXT NOT NULL,
+          user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+          UNIQUE(trip_id, category_name, user_id)
+        );
+      `);
+    },
   ];
 
   if (currentVersion < migrations.length) {

server/src/db/seeds.ts

@@ -82,7 +82,7 @@ function seedCategories(db: Database.Database): void {
 function seedAddons(db: Database.Database): void {
   try {
     const defaultAddons = [
-      { id: 'packing', name: 'Packing List', description: 'Pack your bags with checklists per trip', type: 'trip', icon: 'ListChecks', enabled: 1, sort_order: 0 },
+      { id: 'packing', name: 'Lists', description: 'Packing lists and to-do tasks for your trips', type: 'trip', icon: 'ListChecks', enabled: 1, sort_order: 0 },
       { id: 'budget', name: 'Budget Planner', description: 'Track expenses and plan your travel budget', type: 'trip', icon: 'Wallet', enabled: 1, sort_order: 1 },
       { id: 'documents', name: 'Documents', description: 'Store and manage travel documents', type: 'trip', icon: 'FileText', enabled: 1, sort_order: 2 },
       { id: 'vacay', name: 'Vacay', description: 'Personal vacation day planner with calendar view', type: 'global', icon: 'CalendarDays', enabled: 1, sort_order: 10 },

server/src/routes/todo.ts

@@ -0,0 +1,127 @@
+import express, { Request, Response } from 'express';
+import { authenticate } from '../middleware/auth';
+import { broadcast } from '../websocket';
+import { checkPermission } from '../services/permissions';
+import { AuthRequest } from '../types';
+import {
+  verifyTripAccess,
+  listItems,
+  createItem,
+  updateItem,
+  deleteItem,
+  getCategoryAssignees,
+  updateCategoryAssignees,
+  reorderItems,
+} from '../services/todoService';
+
+const router = express.Router({ mergeParams: true });
+
+router.get('/', authenticate, (req: Request, res: Response) => {
+  const authReq = req as AuthRequest;
+  const { tripId } = req.params;
+
+  const trip = verifyTripAccess(tripId, authReq.user.id);
+  if (!trip) return res.status(404).json({ error: 'Trip not found' });
+
+  const items = listItems(tripId);
+  res.json({ items });
+});
+
+router.post('/', authenticate, (req: Request, res: Response) => {
+  const authReq = req as AuthRequest;
+  const { tripId } = req.params;
+  const { name, category, due_date, description, assigned_user_id, priority } = req.body;
+
+  const trip = verifyTripAccess(tripId, authReq.user.id);
+  if (!trip) return res.status(404).json({ error: 'Trip not found' });
+
+  if (!checkPermission('packing_edit', authReq.user.role, trip.user_id, authReq.user.id, trip.user_id !== authReq.user.id))
+    return res.status(403).json({ error: 'No permission' });
+
+  if (!name) return res.status(400).json({ error: 'Item name is required' });
+
+  const item = createItem(tripId, { name, category, due_date, description, assigned_user_id, priority });
+  res.status(201).json({ item });
+  broadcast(tripId, 'todo:created', { item }, req.headers['x-socket-id'] as string);
+});
+
+router.put('/reorder', authenticate, (req: Request, res: Response) => {
+  const authReq = req as AuthRequest;
+  const { tripId } = req.params;
+  const { orderedIds } = req.body;
+
+  const trip = verifyTripAccess(tripId, authReq.user.id);
+  if (!trip) return res.status(404).json({ error: 'Trip not found' });
+
+  if (!checkPermission('packing_edit', authReq.user.role, trip.user_id, authReq.user.id, trip.user_id !== authReq.user.id))
+    return res.status(403).json({ error: 'No permission' });
+
+  reorderItems(tripId, orderedIds);
+  res.json({ success: true });
+});
+
+router.put('/:id', authenticate, (req: Request, res: Response) => {
+  const authReq = req as AuthRequest;
+  const { tripId, id } = req.params;
+  const { name, checked, category, due_date, description, assigned_user_id, priority } = req.body;
+
+  const trip = verifyTripAccess(tripId, authReq.user.id);
+  if (!trip) return res.status(404).json({ error: 'Trip not found' });
+
+  if (!checkPermission('packing_edit', authReq.user.role, trip.user_id, authReq.user.id, trip.user_id !== authReq.user.id))
+    return res.status(403).json({ error: 'No permission' });
+
+  const updated = updateItem(tripId, id, { name, checked, category, due_date, description, assigned_user_id, priority }, Object.keys(req.body));
+  if (!updated) return res.status(404).json({ error: 'Item not found' });
+
+  res.json({ item: updated });
+  broadcast(tripId, 'todo:updated', { item: updated }, req.headers['x-socket-id'] as string);
+});
+
+router.delete('/:id', authenticate, (req: Request, res: Response) => {
+  const authReq = req as AuthRequest;
+  const { tripId, id } = req.params;
+
+  const trip = verifyTripAccess(tripId, authReq.user.id);
+  if (!trip) return res.status(404).json({ error: 'Trip not found' });
+
+  if (!checkPermission('packing_edit', authReq.user.role, trip.user_id, authReq.user.id, trip.user_id !== authReq.user.id))
+    return res.status(403).json({ error: 'No permission' });
+
+  if (!deleteItem(tripId, id)) return res.status(404).json({ error: 'Item not found' });
+
+  res.json({ success: true });
+  broadcast(tripId, 'todo:deleted', { itemId: Number(id) }, req.headers['x-socket-id'] as string);
+});
+
+// ── Category assignees ──────────────────────────────────────────────────────
+
+router.get('/category-assignees', authenticate, (req: Request, res: Response) => {
+  const authReq = req as AuthRequest;
+  const { tripId } = req.params;
+  const trip = verifyTripAccess(tripId, authReq.user.id);
+  if (!trip) return res.status(404).json({ error: 'Trip not found' });
+
+  const assignees = getCategoryAssignees(tripId);
+  res.json({ assignees });
+});
+
+router.put('/category-assignees/:categoryName', authenticate, (req: Request, res: Response) => {
+  const authReq = req as AuthRequest;
+  const { tripId, categoryName } = req.params;
+  const { user_ids } = req.body;
+
+  const trip = verifyTripAccess(tripId, authReq.user.id);
+  if (!trip) return res.status(404).json({ error: 'Trip not found' });
+
+  if (!checkPermission('packing_edit', authReq.user.role, trip.user_id, authReq.user.id, trip.user_id !== authReq.user.id))
+    return res.status(403).json({ error: 'No permission' });
+
+  const cat = decodeURIComponent(categoryName);
+  const rows = updateCategoryAssignees(tripId, cat, user_ids);
+
+  res.json({ assignees: rows });
+  broadcast(tripId, 'todo:assignees', { category: cat, assignees: rows }, req.headers['x-socket-id'] as string);
+});
+
+export default router;

server/src/services/todoService.ts

@@ -0,0 +1,122 @@
+import { db, canAccessTrip } from '../db/database';
+
+export function verifyTripAccess(tripId: string | number, userId: number) {
+  return canAccessTrip(tripId, userId);
+}
+
+// ── Items ──────────────────────────────────────────────────────────────────
+
+export function listItems(tripId: string | number) {
+  return db.prepare(
+    'SELECT * FROM todo_items WHERE trip_id = ? ORDER BY sort_order ASC, created_at ASC'
+  ).all(tripId);
+}
+
+export function createItem(tripId: string | number, data: {
+  name: string; category?: string; due_date?: string; description?: string; assigned_user_id?: number; priority?: number;
+}) {
+  const maxOrder = db.prepare('SELECT MAX(sort_order) as max FROM todo_items WHERE trip_id = ?').get(tripId) as { max: number | null };
+  const sortOrder = (maxOrder.max !== null ? maxOrder.max : -1) + 1;
+
+  const result = db.prepare(
+    'INSERT INTO todo_items (trip_id, name, checked, category, sort_order, due_date, description, assigned_user_id, priority) VALUES (?, ?, 0, ?, ?, ?, ?, ?, ?)'
+  ).run(
+    tripId, data.name, data.category || null, sortOrder,
+    data.due_date || null, data.description || null, data.assigned_user_id || null, data.priority || 0
+  );
+
+  return db.prepare('SELECT * FROM todo_items WHERE id = ?').get(result.lastInsertRowid);
+}
+
+export function updateItem(
+  tripId: string | number,
+  id: string | number,
+  data: { name?: string; checked?: number; category?: string; due_date?: string | null; description?: string | null; assigned_user_id?: number | null; priority?: number | null },
+  bodyKeys: string[]
+) {
+  const item = db.prepare('SELECT * FROM todo_items WHERE id = ? AND trip_id = ?').get(id, tripId);
+  if (!item) return null;
+
+  db.prepare(`
+    UPDATE todo_items SET
+      name = COALESCE(?, name),
+      checked = CASE WHEN ? IS NOT NULL THEN ? ELSE checked END,
+      category = COALESCE(?, category),
+      due_date = CASE WHEN ? THEN ? ELSE due_date END,
+      description = CASE WHEN ? THEN ? ELSE description END,
+      assigned_user_id = CASE WHEN ? THEN ? ELSE assigned_user_id END,
+      priority = CASE WHEN ? THEN ? ELSE priority END
+    WHERE id = ?
+  `).run(
+    data.name || null,
+    data.checked !== undefined ? 1 : null,
+    data.checked ? 1 : 0,
+    data.category || null,
+    bodyKeys.includes('due_date') ? 1 : 0,
+    data.due_date ?? null,
+    bodyKeys.includes('description') ? 1 : 0,
+    data.description ?? null,
+    bodyKeys.includes('assigned_user_id') ? 1 : 0,
+    data.assigned_user_id ?? null,
+    bodyKeys.includes('priority') ? 1 : 0,
+    data.priority ?? 0,
+    id
+  );
+
+  return db.prepare('SELECT * FROM todo_items WHERE id = ?').get(id);
+}
+
+export function deleteItem(tripId: string | number, id: string | number) {
+  const item = db.prepare('SELECT id FROM todo_items WHERE id = ? AND trip_id = ?').get(id, tripId);
+  if (!item) return false;
+
+  db.prepare('DELETE FROM todo_items WHERE id = ?').run(id);
+  return true;
+}
+
+// ── Category Assignees ─────────────────────────────────────────────────────
+
+export function getCategoryAssignees(tripId: string | number) {
+  const rows = db.prepare(`
+    SELECT tca.category_name, tca.user_id, u.username, u.avatar
+    FROM todo_category_assignees tca
+    JOIN users u ON tca.user_id = u.id
+    WHERE tca.trip_id = ?
+  `).all(tripId);
+
+  const assignees: Record<string, { user_id: number; username: string; avatar: string | null }[]> = {};
+  for (const row of rows as any[]) {
+    if (!assignees[row.category_name]) assignees[row.category_name] = [];
+    assignees[row.category_name].push({ user_id: row.user_id, username: row.username, avatar: row.avatar });
+  }
+
+  return assignees;
+}
+
+export function updateCategoryAssignees(tripId: string | number, categoryName: string, userIds: number[] | undefined) {
+  db.prepare('DELETE FROM todo_category_assignees WHERE trip_id = ? AND category_name = ?').run(tripId, categoryName);
+
+  if (Array.isArray(userIds) && userIds.length > 0) {
+    const insert = db.prepare('INSERT OR IGNORE INTO todo_category_assignees (trip_id, category_name, user_id) VALUES (?, ?, ?)');
+    for (const uid of userIds) insert.run(tripId, categoryName, uid);
+  }
+
+  return db.prepare(`
+    SELECT tca.user_id, u.username, u.avatar
+    FROM todo_category_assignees tca
+    JOIN users u ON tca.user_id = u.id
+    WHERE tca.trip_id = ? AND tca.category_name = ?
+  `).all(tripId, categoryName);
+}
+
+// ── Reorder ────────────────────────────────────────────────────────────────
+
+export function reorderItems(tripId: string | number, orderedIds: number[]) {
+  const update = db.prepare('UPDATE todo_items SET sort_order = ? WHERE id = ? AND trip_id = ?');
+  const updateMany = db.transaction((ids: number[]) => {
+    ids.forEach((id, index) => {
+      update.run(index, id, tripId);
+    });
+  });
+  updateMany(orderedIds);
+}