Merge branch 'main' into feat/add-searchbar-in-atlas

MCP.md

@@ -0,0 +1,239 @@
+# MCP Integration
+
+TREK includes a built-in [Model Context Protocol](https://modelcontextprotocol.io/) (MCP) server that lets AI
+assistants — such as Claude Desktop, Cursor, or any MCP-compatible client — read and modify your trip data through a
+structured API.
+
+> **Note:** MCP is an addon that must be enabled by your TREK administrator before it becomes available.
+
+## Table of Contents
+
+- [Setup](#setup)
+- [Limitations & Important Notes](#limitations--important-notes)
+- [Resources (read-only)](#resources-read-only)
+- [Tools (read-write)](#tools-read-write)
+- [Example](#example)
+
+---
+
+## Setup
+
+### 1. Enable the MCP addon (admin)
+
+An administrator must first enable the MCP addon from the **Admin Panel > Addons** page. Until enabled, the `/mcp`
+endpoint returns `403 Forbidden` and the MCP section does not appear in user settings.
+
+### 2. Create an API token
+
+Once MCP is enabled, go to **Settings > MCP Configuration** and create an API token:
+
+1. Click **Create New Token**
+2. Give it a descriptive name (e.g. "Claude Desktop", "Work laptop")
+3. **Copy the token immediately** — it is shown only once and cannot be recovered
+
+Each user can create up to **10 tokens**.
+
+### 3. Configure your MCP client
+
+The Settings page shows a ready-to-copy client configuration snippet. For **Claude Desktop**, add the following to your
+`claude_desktop_config.json`:
+
+```json
+{
+  "mcpServers": {
+    "trek": {
+      "command": "npx",
+      "args": [
+        "mcp-remote",
+        "https://your-trek-instance.com/mcp",
+        "--header",
+        "Authorization: Bearer trek_your_token_here"
+      ]
+    }
+  }
+}
+```
+
+> The path to `npx` may need to be adjusted for your system (e.g. `C:\PROGRA~1\nodejs\npx.cmd` on Windows).
+
+---
+
+## Limitations & Important Notes
+
+| Limitation                              | Details                                                                                                                                          |
+|-----------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------|
+| **Admin activation required**           | The MCP addon must be enabled by an admin before any user can access it.                                                                         |
+| **Per-user scoping**                    | Each MCP session is scoped to the authenticated user. You can only access trips you own or are a member of.                                      |
+| **No image uploads**                    | Cover images cannot be set through MCP. Use the web UI to upload trip covers.                                                                    |
+| **Reservations are created as pending** | When the AI creates a reservation, it starts with `pending` status. You must confirm it manually or ask the AI to set the status to `confirmed`. |
+| **Demo mode restrictions**              | If TREK is running in demo mode, all write operations through MCP are blocked.                                                                   |
+| **Rate limiting**                       | 60 requests per minute per user. Exceeding this returns a `429` error.                                                                           |
+| **Session limits**                      | Maximum 5 concurrent MCP sessions per user. Sessions expire after 1 hour of inactivity.                                                          |
+| **Token limits**                        | Maximum 10 API tokens per user.                                                                                                                  |
+| **Token revocation**                    | Deleting a token immediately terminates all active MCP sessions for that user.                                                                   |
+| **Real-time sync**                      | Changes made through MCP are broadcast to all connected clients in real-time via WebSocket, just like changes made through the web UI.           |
+
+---
+
+## Resources (read-only)
+
+Resources provide read-only access to your TREK data. MCP clients can read these to understand the current state before
+making changes.
+
+| Resource          | URI                                        | Description                                               |
+|-------------------|--------------------------------------------|-----------------------------------------------------------|
+| Trips             | `trek://trips`                             | All trips you own or are a member of                      |
+| Trip Detail       | `trek://trips/{tripId}`                    | Single trip with metadata and member count                |
+| Days              | `trek://trips/{tripId}/days`               | Days of a trip with their assigned places                 |
+| Places            | `trek://trips/{tripId}/places`             | All places/POIs saved in a trip                           |
+| Budget            | `trek://trips/{tripId}/budget`             | Budget and expense items                                  |
+| Packing           | `trek://trips/{tripId}/packing`            | Packing checklist                                         |
+| Reservations      | `trek://trips/{tripId}/reservations`       | Flights, hotels, restaurants, etc.                        |
+| Day Notes         | `trek://trips/{tripId}/days/{dayId}/notes` | Notes for a specific day                                  |
+| Accommodations    | `trek://trips/{tripId}/accommodations`     | Hotels/rentals with check-in/out details                  |
+| Members           | `trek://trips/{tripId}/members`            | Owner and collaborators                                   |
+| Collab Notes      | `trek://trips/{tripId}/collab-notes`       | Shared collaborative notes                                |
+| Categories        | `trek://categories`                        | Available place categories (for use when creating places) |
+| Bucket List       | `trek://bucket-list`                       | Your personal travel bucket list                          |
+| Visited Countries | `trek://visited-countries`                 | Countries marked as visited in Atlas                      |
+
+---
+
+## Tools (read-write)
+
+TREK exposes **34 tools** organized by feature area. Use `get_trip_summary` as a starting point — it returns everything
+about a trip in a single call.
+
+### Trip Summary
+
+| Tool               | Description                                                                                                                                                                                              |
+|--------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `get_trip_summary` | Full denormalized snapshot of a trip: metadata, members, days with assignments and notes, accommodations, budget totals, packing stats, reservations, and collab notes. Use this as your context loader. |
+
+### Trips
+
+| Tool          | Description                                                                                 |
+|---------------|---------------------------------------------------------------------------------------------|
+| `list_trips`  | List all trips you own or are a member of. Supports `include_archived` flag.                |
+| `create_trip` | Create a new trip with title, dates, currency. Days are auto-generated from the date range. |
+| `update_trip` | Update a trip's title, description, dates, or currency.                                     |
+| `delete_trip` | Delete a trip. **Owner only.**                                                              |
+
+### Places
+
+| Tool           | Description                                                                       |
+|----------------|-----------------------------------------------------------------------------------|
+| `create_place` | Add a place/POI with name, coordinates, address, category, notes, website, phone. |
+| `update_place` | Update any field of an existing place.                                            |
+| `delete_place` | Remove a place from a trip.                                                       |
+
+### Day Planning
+
+| Tool                      | Description                                                                   |
+|---------------------------|-------------------------------------------------------------------------------|
+| `assign_place_to_day`     | Pin a place to a specific day in the itinerary.                               |
+| `unassign_place`          | Remove a place assignment from a day.                                         |
+| `reorder_day_assignments` | Reorder places within a day by providing assignment IDs in the desired order. |
+| `update_assignment_time`  | Set start/end times for a place assignment (e.g. "09:00" – "11:30").          |
+| `update_day`              | Set or clear a day's title (e.g. "Arrival in Paris", "Free day").             |
+
+### Reservations
+
+| Tool                       | Description                                                                                                                                                                                   |
+|----------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `create_reservation`       | Create a pending reservation. Supports flights, hotels, restaurants, trains, cars, cruises, events, tours, activities, and other types. Hotels can be linked to places and check-in/out days. |
+| `update_reservation`       | Update any field including status (`pending` / `confirmed` / `cancelled`).                                                                                                                    |
+| `delete_reservation`       | Delete a reservation and its linked accommodation record if applicable.                                                                                                                       |
+| `link_hotel_accommodation` | Set or update a hotel reservation's check-in/out day links and associated place.                                                                                                              |
+
+### Budget
+
+| Tool                 | Description                                                  |
+|----------------------|--------------------------------------------------------------|
+| `create_budget_item` | Add an expense with name, category, and price.               |
+| `update_budget_item` | Update an expense's details, split (persons/days), or notes. |
+| `delete_budget_item` | Remove a budget item.                                        |
+
+### Packing
+
+| Tool                  | Description                                                  |
+|-----------------------|--------------------------------------------------------------|
+| `create_packing_item` | Add an item to the packing checklist with optional category. |
+| `update_packing_item` | Rename an item or change its category.                       |
+| `toggle_packing_item` | Check or uncheck a packing item.                             |
+| `delete_packing_item` | Remove a packing item.                                       |
+
+### Day Notes
+
+| Tool              | Description                                                           |
+|-------------------|-----------------------------------------------------------------------|
+| `create_day_note` | Add a note to a specific day with optional time label and emoji icon. |
+| `update_day_note` | Edit a day note's text, time, or icon.                                |
+| `delete_day_note` | Remove a note from a day.                                             |
+
+### Collab Notes
+
+| Tool                 | Description                                                                                     |
+|----------------------|-------------------------------------------------------------------------------------------------|
+| `create_collab_note` | Create a shared note visible to all trip members. Supports title, content, category, and color. |
+| `update_collab_note` | Edit a collab note's content, category, color, or pin status.                                   |
+| `delete_collab_note` | Delete a collab note and its associated files.                                                  |
+
+### Bucket List
+
+| Tool                      | Description                                                                                |
+|---------------------------|--------------------------------------------------------------------------------------------|
+| `create_bucket_list_item` | Add a destination to your personal bucket list with optional coordinates and country code. |
+| `delete_bucket_list_item` | Remove an item from your bucket list.                                                      |
+
+### Atlas
+
+| Tool                     | Description                                                                    |
+|--------------------------|--------------------------------------------------------------------------------|
+| `mark_country_visited`   | Mark a country as visited using its ISO 3166-1 alpha-2 code (e.g. "FR", "JP"). |
+| `unmark_country_visited` | Remove a country from your visited list.                                       |
+
+---
+
+## Example
+
+Conversation with Claude: https://claude.ai/share/51572203-6a4d-40f8-a6bd-eba09d4b009d
+
+Initial prompt (1st message):
+
+```
+I'd like to plan a week-long trip to Kyoto, Japan, arriving April 5 2027
+and leaving April 11 2027. It's cherry blossom season so please keep that
+in mind when picking spots.
+
+Before writing anything to TREK, do some research: look up what's worth
+visiting, figure out a logical day-by-day flow (group nearby spots together
+to avoid unnecessary travel), find a well-reviewed hotel in a central
+neighbourhood, and think about what kind of food and restaurant experiences
+are worth including.
+
+Once you have a solid plan, write the whole thing to TREK:
+- Create the trip
+- Add all the places you've researched with their real coordinates
+- Build out the daily itinerary with sensible visiting times
+- Book the hotel as a reservation and link it properly to the accommodation days
+- Add any notable restaurant reservations
+- Put together a realistic budget in EUR
+- Build a packing list suited to April in Kyoto
+- Leave a pinned collab note with practical tips (transport, etiquette, money, etc.)
+- Add a day note for each day with any important heads-up (early start, crowd
+  tips, booking requirements, etc.)
+- Mark Japan as visited in my Atlas
+
+Currency: CHF. Use get_trip_summary at the end and give me a quick recap
+of everything that was added.
+```
+
+Database file: https://share.jubnl.ch/s/S7bBpj42mB
+
+Email: admin@admin.com \
+Password: admin123
+
+PDF of the generated trip: [./docs/TREK-Generated-by-MCP.pdf](./docs/TREK-Generated-by-MCP.pdf)
+
+![trip](./docs/screenshot-trip-mcp.png)

client/src/App.tsx

@@ -23,8 +23,9 @@ interface ProtectedRouteProps {
 }
 
 function ProtectedRoute({ children, adminRequired = false }: ProtectedRouteProps) {
-  const { isAuthenticated, user, isLoading } = useAuthStore()
+  const { isAuthenticated, user, isLoading, appRequireMfa } = useAuthStore()
   const { t } = useTranslation()
+  const location = useLocation()
 
   if (isLoading) {
     return (
@@ -41,6 +42,15 @@ function ProtectedRoute({ children, adminRequired = false }: ProtectedRouteProps
     return <Navigate to="/login" replace />
   }
 
+  if (
+    appRequireMfa &&
+    user &&
+    !user.mfa_enabled &&
+    location.pathname !== '/settings'
+  ) {
+    return <Navigate to="/settings?mfa=required" replace />
+  }
+
   if (adminRequired && user && user.role !== 'admin') {
     return <Navigate to="/dashboard" replace />
   }
@@ -63,17 +73,18 @@ function RootRedirect() {
 }
 
 export default function App() {
-  const { loadUser, token, isAuthenticated, demoMode, setDemoMode, setHasMapsKey, setServerTimezone } = useAuthStore()
+  const { loadUser, token, isAuthenticated, demoMode, setDemoMode, setHasMapsKey, setServerTimezone, setAppRequireMfa } = useAuthStore()
   const { loadSettings } = useSettingsStore()
 
   useEffect(() => {
     if (token) {
       loadUser()
     }
-    authApi.getAppConfig().then(async (config: { demo_mode?: boolean; has_maps_key?: boolean; version?: string; timezone?: string }) => {
+    authApi.getAppConfig().then(async (config: { demo_mode?: boolean; has_maps_key?: boolean; version?: string; timezone?: string; require_mfa?: boolean }) => {
       if (config?.demo_mode) setDemoMode(true)
       if (config?.has_maps_key !== undefined) setHasMapsKey(config.has_maps_key)
       if (config?.timezone) setServerTimezone(config.timezone)
+      if (config?.require_mfa !== undefined) setAppRequireMfa(!!config.require_mfa)
 
       if (config?.version) {
         const storedVersion = localStorage.getItem('trek_app_version')

client/src/api/client.ts

@@ -34,6 +34,13 @@ apiClient.interceptors.response.use(
         window.location.href = '/login'
       }
     }
+    if (
+      error.response?.status === 403 &&
+      (error.response?.data as { code?: string } | undefined)?.code === 'MFA_REQUIRED' &&
+      !window.location.pathname.startsWith('/settings')
+    ) {
+      window.location.href = '/settings?mfa=required'
+    }
     return Promise.reject(error)
   }
 )
@@ -44,7 +51,7 @@ export const authApi = {
   login: (data: { email: string; password: string }) => apiClient.post('/auth/login', data).then(r => r.data),
   verifyMfaLogin: (data: { mfa_token: string; code: string }) => apiClient.post('/auth/mfa/verify-login', data).then(r => r.data),
   mfaSetup: () => apiClient.post('/auth/mfa/setup', {}).then(r => r.data),
-  mfaEnable: (data: { code: string }) => apiClient.post('/auth/mfa/enable', data).then(r => r.data),
+  mfaEnable: (data: { code: string }) => apiClient.post('/auth/mfa/enable', data).then(r => r.data as { success: boolean; mfa_enabled: boolean; backup_codes?: string[] }),
   mfaDisable: (data: { password: string; code: string }) => apiClient.post('/auth/mfa/disable', data).then(r => r.data),
   me: () => apiClient.get('/auth/me').then(r => r.data),
   updateMapsKey: (key: string | null) => apiClient.put('/auth/me/maps-key', { maps_api_key: key }).then(r => r.data),
@@ -61,6 +68,11 @@ export const authApi = {
   changePassword: (data: { current_password: string; new_password: string }) => apiClient.put('/auth/me/password', data).then(r => r.data),
   deleteOwnAccount: () => apiClient.delete('/auth/me').then(r => r.data),
   demoLogin: () => apiClient.post('/auth/demo-login').then(r => r.data),
+  mcpTokens: {
+    list: () => apiClient.get('/auth/mcp-tokens').then(r => r.data),
+    create: (name: string) => apiClient.post('/auth/mcp-tokens', { name }).then(r => r.data),
+    delete: (id: number) => apiClient.delete(`/auth/mcp-tokens/${id}`).then(r => r.data),
+  },
 }
 
 export const tripsApi = {
@@ -170,6 +182,8 @@ export const adminApi = {
   deleteInvite: (id: number) => apiClient.delete(`/admin/invites/${id}`).then(r => r.data),
   auditLog: (params?: { limit?: number; offset?: number }) =>
     apiClient.get('/admin/audit-log', { params }).then(r => r.data),
+  mcpTokens: () => apiClient.get('/admin/mcp-tokens').then(r => r.data),
+  deleteMcpToken: (id: number) => apiClient.delete(`/admin/mcp-tokens/${id}`).then(r => r.data),
 }
 
 export const addonsApi = {

client/src/components/Admin/AddonManager.tsx

@@ -2,11 +2,12 @@ import { useEffect, useState } from 'react'
 import { adminApi } from '../../api/client'
 import { useTranslation } from '../../i18n'
 import { useSettingsStore } from '../../store/settingsStore'
+import { useAddonStore } from '../../store/addonStore'
 import { useToast } from '../shared/Toast'
-import { Puzzle, ListChecks, Wallet, FileText, CalendarDays, Globe, Briefcase, Image } from 'lucide-react'
+import { Puzzle, ListChecks, Wallet, FileText, CalendarDays, Globe, Briefcase, Image, Terminal, Link2 } from 'lucide-react'
 
 const ICON_MAP = {
-  ListChecks, Wallet, FileText, CalendarDays, Puzzle, Globe, Briefcase, Image,
+  ListChecks, Wallet, FileText, CalendarDays, Puzzle, Globe, Briefcase, Image, Terminal, Link2,
 }
 
 interface Addon {
@@ -32,6 +33,7 @@ export default function AddonManager({ bagTrackingEnabled, onToggleBagTracking }
   const dm = useSettingsStore(s => s.settings.dark_mode)
   const dark = dm === true || dm === 'dark' || (dm === 'auto' && window.matchMedia('(prefers-color-scheme: dark)').matches)
   const toast = useToast()
+  const refreshGlobalAddons = useAddonStore(s => s.loadAddons)
   const [addons, setAddons] = useState([])
   const [loading, setLoading] = useState(true)
 
@@ -57,7 +59,7 @@ export default function AddonManager({ bagTrackingEnabled, onToggleBagTracking }
     setAddons(prev => prev.map(a => a.id === addon.id ? { ...a, enabled: newEnabled } : a))
     try {
       await adminApi.updateAddon(addon.id, { enabled: newEnabled })
-      window.dispatchEvent(new Event('addons-changed'))
+      refreshGlobalAddons()
       toast.success(t('admin.addons.toast.updated'))
     } catch (err: unknown) {
       // Rollback
@@ -68,6 +70,7 @@ export default function AddonManager({ bagTrackingEnabled, onToggleBagTracking }
 
   const tripAddons = addons.filter(a => a.type === 'trip')
   const globalAddons = addons.filter(a => a.type === 'global')
+  const integrationAddons = addons.filter(a => a.type === 'integration')
 
   if (loading) {
     return (
@@ -144,6 +147,21 @@ export default function AddonManager({ bagTrackingEnabled, onToggleBagTracking }
                 ))}
               </div>
             )}
+
+            {/* Integration Addons */}
+            {integrationAddons.length > 0 && (
+              <div>
+                <div className="px-6 py-2.5 border-b border-t flex items-center gap-2" style={{ background: 'var(--bg-secondary)', borderColor: 'var(--border-secondary)' }}>
+                  <Link2 size={13} style={{ color: 'var(--text-muted)' }} />
+                  <span className="text-xs font-medium uppercase tracking-wider" style={{ color: 'var(--text-muted)' }}>
+                    {t('admin.addons.type.integration')} — {t('admin.addons.integrationHint')}
+                  </span>
+                </div>
+                {integrationAddons.map(addon => (
+                  <AddonRow key={addon.id} addon={addon} onToggle={handleToggle} t={t} />
+                ))}
+              </div>
+            )}
           </div>
         )}
       </div>
@@ -188,11 +206,8 @@ function AddonRow({ addon, onToggle, t }: AddonRowProps) {
               Coming Soon
             </span>
           )}
-          <span className="text-[10px] font-medium px-1.5 py-0.5 rounded-full" style={{
-            background: addon.type === 'global' ? 'var(--bg-secondary)' : 'var(--bg-secondary)',
-            color: 'var(--text-muted)',
-          }}>
-            {addon.type === 'global' ? t('admin.addons.type.global') : t('admin.addons.type.trip')}
+          <span className="text-[10px] font-medium px-1.5 py-0.5 rounded-full" style={{ background: 'var(--bg-secondary)', color: 'var(--text-muted)' }}>
+            {addon.type === 'global' ? t('admin.addons.type.global') : addon.type === 'integration' ? t('admin.addons.type.integration') : t('admin.addons.type.trip')}
           </span>
         </div>
         <p className="text-xs mt-0.5" style={{ color: 'var(--text-muted)' }}>{label.description}</p>

client/src/components/Admin/AdminMcpTokensPanel.tsx

@@ -0,0 +1,120 @@
+import { useState, useEffect } from 'react'
+import { adminApi } from '../../api/client'
+import { useToast } from '../shared/Toast'
+import { Key, Trash2, User, Loader2 } from 'lucide-react'
+import { useTranslation } from '../../i18n'
+
+interface AdminMcpToken {
+  id: number
+  name: string
+  token_prefix: string
+  created_at: string
+  last_used_at: string | null
+  user_id: number
+  username: string
+}
+
+export default function AdminMcpTokensPanel() {
+  const [tokens, setTokens] = useState<AdminMcpToken[]>([])
+  const [isLoading, setIsLoading] = useState(true)
+  const [deleteConfirmId, setDeleteConfirmId] = useState<number | null>(null)
+  const toast = useToast()
+  const { t, locale } = useTranslation()
+
+  useEffect(() => {
+    setIsLoading(true)
+    adminApi.mcpTokens()
+      .then(d => setTokens(d.tokens || []))
+      .catch(() => toast.error(t('admin.mcpTokens.loadError')))
+      .finally(() => setIsLoading(false))
+  }, [])
+
+  const handleDelete = async (id: number) => {
+    try {
+      await adminApi.deleteMcpToken(id)
+      setTokens(prev => prev.filter(tk => tk.id !== id))
+      setDeleteConfirmId(null)
+      toast.success(t('admin.mcpTokens.deleteSuccess'))
+    } catch {
+      toast.error(t('admin.mcpTokens.deleteError'))
+    }
+  }
+
+  return (
+    <div className="space-y-6">
+      <div>
+        <h2 className="text-lg font-semibold" style={{ color: 'var(--text-primary)' }}>{t('admin.mcpTokens.title')}</h2>
+        <p className="text-sm mt-0.5" style={{ color: 'var(--text-tertiary)' }}>{t('admin.mcpTokens.subtitle')}</p>
+      </div>
+
+      <div className="rounded-xl border overflow-hidden" style={{ borderColor: 'var(--border-primary)', background: 'var(--bg-card)' }}>
+        {isLoading ? (
+          <div className="flex items-center justify-center py-12">
+            <Loader2 className="w-5 h-5 animate-spin" style={{ color: 'var(--text-tertiary)' }} />
+          </div>
+        ) : tokens.length === 0 ? (
+          <div className="flex flex-col items-center justify-center py-12 gap-2">
+            <Key className="w-8 h-8" style={{ color: 'var(--text-tertiary)' }} />
+            <p className="text-sm" style={{ color: 'var(--text-tertiary)' }}>{t('admin.mcpTokens.empty')}</p>
+          </div>
+        ) : (
+          <>
+            <div className="grid grid-cols-[1fr_auto_auto_auto_auto] gap-x-4 px-4 py-2.5 text-xs font-medium border-b"
+              style={{ color: 'var(--text-tertiary)', borderColor: 'var(--border-primary)', background: 'var(--bg-secondary)' }}>
+              <span>{t('admin.mcpTokens.tokenName')}</span>
+              <span>{t('admin.mcpTokens.owner')}</span>
+              <span className="text-right">{t('admin.mcpTokens.created')}</span>
+              <span className="text-right">{t('admin.mcpTokens.lastUsed')}</span>
+              <span></span>
+            </div>
+            {tokens.map((token, i) => (
+              <div key={token.id}
+                className="grid grid-cols-[1fr_auto_auto_auto_auto] items-center gap-x-4 px-4 py-3"
+                style={{ borderBottom: i < tokens.length - 1 ? '1px solid var(--border-primary)' : undefined }}>
+                <div className="min-w-0">
+                  <p className="text-sm font-medium truncate" style={{ color: 'var(--text-primary)' }}>{token.name}</p>
+                  <p className="text-xs font-mono mt-0.5" style={{ color: 'var(--text-tertiary)' }}>{token.token_prefix}...</p>
+                </div>
+                <div className="flex items-center gap-1.5 text-sm" style={{ color: 'var(--text-secondary)' }}>
+                  <User className="w-3.5 h-3.5 flex-shrink-0" />
+                  <span className="whitespace-nowrap">{token.username}</span>
+                </div>
+                <span className="text-xs whitespace-nowrap text-right" style={{ color: 'var(--text-tertiary)' }}>
+                  {new Date(token.created_at).toLocaleDateString(locale)}
+                </span>
+                <span className="text-xs whitespace-nowrap text-right" style={{ color: 'var(--text-tertiary)' }}>
+                  {token.last_used_at ? new Date(token.last_used_at).toLocaleDateString(locale) : t('admin.mcpTokens.never')}
+                </span>
+                <button onClick={() => setDeleteConfirmId(token.id)}
+                  className="p-1.5 rounded-lg transition-colors hover:bg-red-50 hover:text-red-600 dark:hover:bg-red-900/20"
+                  style={{ color: 'var(--text-tertiary)' }} title={t('common.delete')}>
+                  <Trash2 className="w-4 h-4" />
+                </button>
+              </div>
+            ))}
+          </>
+        )}
+      </div>
+
+      {deleteConfirmId !== null && (
+        <div className="fixed inset-0 z-50 flex items-center justify-center p-4" style={{ background: 'rgba(0,0,0,0.5)' }}
+          onClick={e => { if (e.target === e.currentTarget) setDeleteConfirmId(null) }}>
+          <div className="rounded-xl shadow-xl w-full max-w-sm p-6 space-y-4" style={{ background: 'var(--bg-card)' }}>
+            <h3 className="text-base font-semibold" style={{ color: 'var(--text-primary)' }}>{t('admin.mcpTokens.deleteTitle')}</h3>
+            <p className="text-sm" style={{ color: 'var(--text-secondary)' }}>{t('admin.mcpTokens.deleteMessage')}</p>
+            <div className="flex gap-2 justify-end">
+              <button onClick={() => setDeleteConfirmId(null)}
+                className="px-4 py-2 rounded-lg text-sm border" style={{ borderColor: 'var(--border-primary)', color: 'var(--text-secondary)' }}>
+                {t('common.cancel')}
+              </button>
+              <button onClick={() => handleDelete(deleteConfirmId)}
+                className="px-4 py-2 rounded-lg text-sm font-medium text-white bg-red-600 hover:bg-red-700">
+                {t('common.delete')}
+              </button>
+            </div>
+          </div>
+        </div>
+      )}
+    </div>
+  )
+}

client/src/components/Layout/Navbar.tsx

@@ -3,8 +3,8 @@ import ReactDOM from 'react-dom'
 import { Link, useNavigate, useLocation } from 'react-router-dom'
 import { useAuthStore } from '../../store/authStore'
 import { useSettingsStore } from '../../store/settingsStore'
+import { useAddonStore } from '../../store/addonStore'
 import { useTranslation } from '../../i18n'
-import { addonsApi } from '../../api/client'
 import { Plane, LogOut, Settings, ChevronDown, Shield, ArrowLeft, Users, Moon, Sun, Monitor, CalendarDays, Briefcase, Globe } from 'lucide-react'
 import type { LucideIcon } from 'lucide-react'
 
@@ -28,29 +28,21 @@ interface Addon {
 export default function Navbar({ tripTitle, tripId, onBack, showBack, onShare }: NavbarProps): React.ReactElement {
   const { user, logout } = useAuthStore()
   const { settings, updateSetting } = useSettingsStore()
+  const { addons: allAddons, loadAddons } = useAddonStore()
   const { t, locale } = useTranslation()
   const navigate = useNavigate()
   const location = useLocation()
   const [userMenuOpen, setUserMenuOpen] = useState<boolean>(false)
   const [appVersion, setAppVersion] = useState<string | null>(null)
-  const [globalAddons, setGlobalAddons] = useState<Addon[]>([])
   const darkMode = settings.dark_mode
   const dark = darkMode === true || darkMode === 'dark' || (darkMode === 'auto' && window.matchMedia('(prefers-color-scheme: dark)').matches)
 
-  const loadAddons = () => {
-    if (user) {
-      addonsApi.enabled().then(data => {
-        setGlobalAddons(data.addons.filter(a => a.type === 'global'))
-      }).catch(() => {})
-    }
-  }
-  useEffect(loadAddons, [user, location.pathname])
-  // Listen for addon changes from AddonManager
+  // Only show 'global' type addons in the navbar — 'integration' addons have no dedicated page
+  const globalAddons = allAddons.filter((a: Addon) => a.type === 'global' && a.enabled)
+
   useEffect(() => {
-    const handler = () => loadAddons()
-    window.addEventListener('addons-changed', handler)
-    return () => window.removeEventListener('addons-changed', handler)
-  }, [user])
+    if (user) loadAddons()
+  }, [user, location.pathname])
 
   useEffect(() => {
     import('../../api/client').then(({ authApi }) => {

client/src/components/Planner/DayPlanSidebar.tsx

@@ -632,6 +632,7 @@ export default function DayPlanSidebar({
 
   const handleDropOnDay = (e, dayId) => {
     e.preventDefault()
+    e.stopPropagation()
     setDragOverDayId(null)
     const { placeId, assignmentId, noteId, fromDayId } = getDragData(e)
     if (placeId) {
@@ -886,6 +887,7 @@ export default function DayPlanSidebar({
                   onDragOver={e => { e.preventDefault(); const cur = dropTargetRef.current; if (draggingId && (!cur || cur.startsWith('end-'))) setDropTargetKey(`end-${day.id}`) }}
                   onDrop={e => {
                     e.preventDefault()
+                    e.stopPropagation()
                     const { placeId, assignmentId, noteId, fromDayId } = getDragData(e)
                     // Drop on transport card (detected via dropTargetRef for sync accuracy)
                     if (dropTargetRef.current?.startsWith('transport-')) {

client/src/i18n/translations/ar.ts

@@ -190,6 +190,31 @@ const ar: Record<string, string | { name: string; category: string }[]> = {
   'share.permCollab': 'الدردشة',
   'settings.on': 'تشغيل',
   'settings.off': 'إيقاف',
+  'settings.mcp.title': 'إعداد MCP',
+  'settings.mcp.endpoint': 'نقطة نهاية MCP',
+  'settings.mcp.clientConfig': 'إعداد العميل',
+  'settings.mcp.clientConfigHint': 'استبدل <your_token> برمز API من القائمة أدناه. قد يحتاج مسار npx إلى ضبط وفق نظامك (مثلاً C:\\PROGRA~1\\nodejs\\npx.cmd على Windows).',
+  'settings.mcp.copy': 'نسخ',
+  'settings.mcp.copied': 'تم النسخ!',
+  'settings.mcp.apiTokens': 'رموز API',
+  'settings.mcp.createToken': 'إنشاء رمز جديد',
+  'settings.mcp.noTokens': 'لا توجد رموز بعد. أنشئ رمزاً للاتصال بعملاء MCP.',
+  'settings.mcp.tokenCreatedAt': 'أُنشئ',
+  'settings.mcp.tokenUsedAt': 'استُخدم',
+  'settings.mcp.deleteTokenTitle': 'حذف الرمز',
+  'settings.mcp.deleteTokenMessage': 'سيتوقف هذا الرمز عن العمل فوراً. أي عميل MCP يستخدمه سيفقد الوصول.',
+  'settings.mcp.modal.createTitle': 'إنشاء رمز API',
+  'settings.mcp.modal.tokenName': 'اسم الرمز',
+  'settings.mcp.modal.tokenNamePlaceholder': 'مثال: Claude Desktop، حاسوب العمل',
+  'settings.mcp.modal.creating': 'جارٍ الإنشاء…',
+  'settings.mcp.modal.create': 'إنشاء الرمز',
+  'settings.mcp.modal.createdTitle': 'تم إنشاء الرمز',
+  'settings.mcp.modal.createdWarning': 'سيُعرض هذا الرمز مرة واحدة فقط. انسخه واحفظه الآن — لا يمكن استرداده.',
+  'settings.mcp.modal.done': 'تم',
+  'settings.mcp.toast.created': 'تم إنشاء الرمز',
+  'settings.mcp.toast.createError': 'فشل إنشاء الرمز',
+  'settings.mcp.toast.deleted': 'تم حذف الرمز',
+  'settings.mcp.toast.deleteError': 'فشل حذف الرمز',
   'settings.account': 'الحساب',
   'settings.username': 'اسم المستخدم',
   'settings.email': 'البريد الإلكتروني',
@@ -226,6 +251,14 @@ const ar: Record<string, string | { name: string; category: string }[]> = {
   'settings.avatarError': 'فشل الرفع',
   'settings.mfa.title': 'المصادقة الثنائية (2FA)',
   'settings.mfa.description': 'تضيف خطوة ثانية عند تسجيل الدخول. استخدم تطبيق مصادقة (Google Authenticator، Authy، إلخ).',
+  'settings.mfa.requiredByPolicy': 'المسؤول يتطلب المصادقة الثنائية. اضبط تطبيق المصادقة أدناه قبل المتابعة.',
+  'settings.mfa.backupTitle': 'رموز النسخ الاحتياطي',
+  'settings.mfa.backupDescription': 'استخدم هذه الرموز لمرة واحدة إذا فقدت الوصول إلى تطبيق المصادقة.',
+  'settings.mfa.backupWarning': 'احفظ هذه الرموز الآن. كل رمز يمكن استخدامه مرة واحدة فقط.',
+  'settings.mfa.backupCopy': 'نسخ الرموز',
+  'settings.mfa.backupDownload': 'تنزيل TXT',
+  'settings.mfa.backupPrint': 'طباعة / PDF',
+  'settings.mfa.backupCopied': 'تم نسخ رموز النسخ الاحتياطي',
   'settings.mfa.enabled': 'المصادقة الثنائية مفعّلة على حسابك.',
   'settings.mfa.disabled': 'المصادقة الثنائية غير مفعّلة.',
   'settings.mfa.setup': 'إعداد المصادقة',
@@ -325,6 +358,20 @@ const ar: Record<string, string | { name: string; category: string }[]> = {
   'admin.tabs.config': 'الإعدادات',
   'admin.tabs.templates': 'قوالب التعبئة',
   'admin.tabs.addons': 'الإضافات',
+  'admin.tabs.mcpTokens': 'رموز MCP',
+  'admin.mcpTokens.title': 'رموز MCP',
+  'admin.mcpTokens.subtitle': 'إدارة رموز API لجميع المستخدمين',
+  'admin.mcpTokens.owner': 'المالك',
+  'admin.mcpTokens.tokenName': 'اسم الرمز',
+  'admin.mcpTokens.created': 'تاريخ الإنشاء',
+  'admin.mcpTokens.lastUsed': 'آخر استخدام',
+  'admin.mcpTokens.never': 'أبداً',
+  'admin.mcpTokens.empty': 'لم يتم إنشاء أي رموز MCP بعد',
+  'admin.mcpTokens.deleteTitle': 'حذف الرمز',
+  'admin.mcpTokens.deleteMessage': 'سيتم إلغاء هذا الرمز فوراً. سيفقد المستخدم وصوله إلى MCP عبر هذا الرمز.',
+  'admin.mcpTokens.deleteSuccess': 'تم حذف الرمز',
+  'admin.mcpTokens.deleteError': 'فشل حذف الرمز',
+  'admin.mcpTokens.loadError': 'فشل تحميل الرموز',
   'admin.tabs.github': 'GitHub',
   'admin.stats.users': 'المستخدمون',
   'admin.stats.trips': 'الرحلات',
@@ -374,6 +421,8 @@ const ar: Record<string, string | { name: string; category: string }[]> = {
   'admin.invite.deleteError': 'فشل حذف رابط الدعوة',
   'admin.allowRegistration': 'السماح بالتسجيل',
   'admin.allowRegistrationHint': 'يمكن للمستخدمين الجدد التسجيل بأنفسهم',
+  'admin.requireMfa': 'فرض المصادقة الثنائية (2FA)',
+  'admin.requireMfaHint': 'يجب على المستخدمين الذين لا يملكون 2FA إكمال الإعداد في الإعدادات قبل استخدام التطبيق.',
   'admin.apiKeys': 'مفاتيح API',
   'admin.apiKeysHint': 'اختياري. يُفعّل بيانات الأماكن الموسعة مثل الصور والطقس.',
   'admin.mapsKey': 'مفتاح Google Maps API',
@@ -425,8 +474,10 @@ const ar: Record<string, string | { name: string; category: string }[]> = {
   // Addons
   'admin.addons.title': 'الإضافات',
   'admin.addons.subtitle': 'فعّل أو عطّل الميزات لتخصيص تجربة TREK.',
-  'admin.addons.catalog.memories.name': 'ذكريات',
-  'admin.addons.catalog.memories.description': 'ألبومات صور مشتركة لكل رحلة',
+  'admin.addons.catalog.memories.name': 'صور (Immich)',
+  'admin.addons.catalog.memories.description': 'شارك صور رحلتك عبر Immich',
+  'admin.addons.catalog.mcp.name': 'MCP',
+  'admin.addons.catalog.mcp.description': 'بروتوكول سياق النموذج لتكامل مساعد الذكاء الاصطناعي',
   'admin.addons.catalog.packing.name': 'التعبئة',
   'admin.addons.catalog.packing.description': 'قوائم تحقق لإعداد أمتعتك لكل رحلة',
   'admin.addons.catalog.budget.name': 'الميزانية',
@@ -445,8 +496,10 @@ const ar: Record<string, string | { name: string; category: string }[]> = {
   'admin.addons.disabled': 'معطّل',
   'admin.addons.type.trip': 'رحلة',
   'admin.addons.type.global': 'عام',
+  'admin.addons.type.integration': 'تكامل',
   'admin.addons.tripHint': 'متاح كعلامة تبويب داخل كل رحلة',
   'admin.addons.globalHint': 'متاح كقسم مستقل في التنقل الرئيسي',
+  'admin.addons.integrationHint': 'خدمات الواجهة الخلفية وتكاملات API بدون صفحة مخصصة',
   'admin.addons.toast.updated': 'تم تحديث الإضافة',
   'admin.addons.toast.error': 'فشل تحديث الإضافة',
   'admin.addons.noAddons': 'لا توجد إضافات متاحة',

client/src/i18n/translations/br.ts

@@ -221,6 +221,14 @@ const br: Record<string, string | { name: string; category: string }[]> = {
   'settings.avatarError': 'Falha no envio',
   'settings.mfa.title': 'Autenticação em duas etapas (2FA)',
   'settings.mfa.description': 'Adiciona uma segunda etapa ao entrar com e-mail e senha. Use um app autenticador (Google Authenticator, Authy, etc.).',
+  'settings.mfa.requiredByPolicy': 'O administrador exige autenticação em dois fatores. Configure um app autenticador abaixo antes de continuar.',
+  'settings.mfa.backupTitle': 'Códigos de backup',
+  'settings.mfa.backupDescription': 'Use estes códigos únicos se perder acesso ao app autenticador.',
+  'settings.mfa.backupWarning': 'Salve estes códigos agora. Cada código pode ser usado apenas uma vez.',
+  'settings.mfa.backupCopy': 'Copiar códigos',
+  'settings.mfa.backupDownload': 'Baixar TXT',
+  'settings.mfa.backupPrint': 'Imprimir / PDF',
+  'settings.mfa.backupCopied': 'Códigos de backup copiados',
   'settings.mfa.enabled': 'O 2FA está ativado na sua conta.',
   'settings.mfa.disabled': 'O 2FA não está ativado.',
   'settings.mfa.setup': 'Configurar autenticador',
@@ -235,6 +243,31 @@ const br: Record<string, string | { name: string; category: string }[]> = {
   'settings.mfa.toastEnabled': 'Autenticação em duas etapas ativada',
   'settings.mfa.toastDisabled': 'Autenticação em duas etapas desativada',
   'settings.mfa.demoBlocked': 'Indisponível no modo demonstração',
+  'settings.mcp.title': 'Configuração MCP',
+  'settings.mcp.endpoint': 'Endpoint MCP',
+  'settings.mcp.clientConfig': 'Configuração do cliente',
+  'settings.mcp.clientConfigHint': 'Substitua <your_token> por um token de API da lista abaixo. O caminho para o npx pode precisar ser ajustado para o seu sistema (ex.: C:\\PROGRA~1\\nodejs\\npx.cmd no Windows).',
+  'settings.mcp.copy': 'Copiar',
+  'settings.mcp.copied': 'Copiado!',
+  'settings.mcp.apiTokens': 'Tokens de API',
+  'settings.mcp.createToken': 'Criar novo token',
+  'settings.mcp.noTokens': 'Nenhum token ainda. Crie um para conectar clientes MCP.',
+  'settings.mcp.tokenCreatedAt': 'Criado em',
+  'settings.mcp.tokenUsedAt': 'Usado em',
+  'settings.mcp.deleteTokenTitle': 'Excluir token',
+  'settings.mcp.deleteTokenMessage': 'Este token deixará de funcionar imediatamente. Qualquer cliente MCP que o utilize perderá o acesso.',
+  'settings.mcp.modal.createTitle': 'Criar token de API',
+  'settings.mcp.modal.tokenName': 'Nome do token',
+  'settings.mcp.modal.tokenNamePlaceholder': 'ex.: Claude Desktop, Notebook do trabalho',
+  'settings.mcp.modal.creating': 'Criando…',
+  'settings.mcp.modal.create': 'Criar token',
+  'settings.mcp.modal.createdTitle': 'Token criado',
+  'settings.mcp.modal.createdWarning': 'Este token será exibido apenas uma vez. Copie e guarde agora — não poderá ser recuperado.',
+  'settings.mcp.modal.done': 'Concluído',
+  'settings.mcp.toast.created': 'Token criado',
+  'settings.mcp.toast.createError': 'Falha ao criar token',
+  'settings.mcp.toast.deleted': 'Token excluído',
+  'settings.mcp.toast.deleteError': 'Falha ao excluir token',
 
   // Login
   'login.error': 'Falha no login. Verifique suas credenciais.',
@@ -364,6 +397,8 @@ const br: Record<string, string | { name: string; category: string }[]> = {
   'admin.tabs.settings': 'Configurações',
   'admin.allowRegistration': 'Permitir cadastro',
   'admin.allowRegistrationHint': 'Novos usuários podem se cadastrar sozinhos',
+  'admin.requireMfa': 'Exigir autenticação em dois fatores (2FA)',
+  'admin.requireMfaHint': 'Usuários sem 2FA precisam concluir a configuração em Configurações antes de usar o app.',
   'admin.apiKeys': 'Chaves de API',
   'admin.apiKeysHint': 'Opcional. Habilita dados estendidos de lugares, como fotos e clima.',
   'admin.mapsKey': 'Chave da API Google Maps',
@@ -432,6 +467,8 @@ const br: Record<string, string | { name: string; category: string }[]> = {
   'admin.addons.catalog.atlas.description': 'Mapa mundial com países visitados e estatísticas',
   'admin.addons.catalog.collab.name': 'Colab',
   'admin.addons.catalog.collab.description': 'Notas, enquetes e chat em tempo real para planejar a viagem',
+  'admin.addons.catalog.mcp.name': 'MCP',
+  'admin.addons.catalog.mcp.description': 'Model Context Protocol para integração com assistentes de IA',
   'admin.addons.subtitleBefore': 'Ative ou desative recursos para personalizar sua ',
   'admin.addons.subtitleAfter': ' experiência.',
   'admin.addons.enabled': 'Ativado',

client/src/i18n/translations/cs.ts

@@ -152,6 +152,31 @@ const cs: Record<string, string | { name: string; category: string }[]> = {
   'settings.notifyWebhook': 'Webhook oznámení',
   'settings.on': 'Zapnuto',
   'settings.off': 'Vypnuto',
+  'settings.mcp.title': 'Konfigurace MCP',
+  'settings.mcp.endpoint': 'MCP endpoint',
+  'settings.mcp.clientConfig': 'Konfigurace klienta',
+  'settings.mcp.clientConfigHint': 'Nahraďte <your_token> API tokenem ze seznamu níže. Cestu k npx může být nutné upravit pro váš systém (např. C:\\PROGRA~1\\nodejs\\npx.cmd ve Windows).',
+  'settings.mcp.copy': 'Kopírovat',
+  'settings.mcp.copied': 'Zkopírováno!',
+  'settings.mcp.apiTokens': 'API tokeny',
+  'settings.mcp.createToken': 'Vytvořit nový token',
+  'settings.mcp.noTokens': 'Zatím žádné tokeny. Vytvořte jeden pro připojení MCP klientů.',
+  'settings.mcp.tokenCreatedAt': 'Vytvořen',
+  'settings.mcp.tokenUsedAt': 'Použit',
+  'settings.mcp.deleteTokenTitle': 'Smazat token',
+  'settings.mcp.deleteTokenMessage': 'Tento token přestane okamžitě fungovat. Všichni MCP klienti, kteří ho používají, ztratí přístup.',
+  'settings.mcp.modal.createTitle': 'Vytvořit API token',
+  'settings.mcp.modal.tokenName': 'Název tokenu',
+  'settings.mcp.modal.tokenNamePlaceholder': 'např. Claude Desktop, Pracovní notebook',
+  'settings.mcp.modal.creating': 'Vytváření…',
+  'settings.mcp.modal.create': 'Vytvořit token',
+  'settings.mcp.modal.createdTitle': 'Token vytvořen',
+  'settings.mcp.modal.createdWarning': 'Tento token bude zobrazen pouze jednou. Zkopírujte a uložte ho nyní — nelze ho obnovit.',
+  'settings.mcp.modal.done': 'Hotovo',
+  'settings.mcp.toast.created': 'Token vytvořen',
+  'settings.mcp.toast.createError': 'Nepodařilo se vytvořit token',
+  'settings.mcp.toast.deleted': 'Token smazán',
+  'settings.mcp.toast.deleteError': 'Nepodařilo se smazat token',
   'settings.account': 'Účet',
   'settings.username': 'Uživatelské jméno',
   'settings.email': 'E-mail',
@@ -188,6 +213,14 @@ const cs: Record<string, string | { name: string; category: string }[]> = {
   'settings.avatarError': 'Nahrávání se nezdařilo',
   'settings.mfa.title': 'Dvoufaktorové ověření (2FA)',
   'settings.mfa.description': 'Přidá druhý stupeň zabezpečení při přihlašování e-mailem a heslem. Použijte aplikaci (Google Authenticator, Authy apod.).',
+  'settings.mfa.requiredByPolicy': 'Správce vyžaduje dvoufázové ověření. Nejdřív níže nastavte aplikaci autentikátoru.',
+  'settings.mfa.backupTitle': 'Záložní kódy',
+  'settings.mfa.backupDescription': 'Použijte tyto jednorázové kódy, pokud ztratíte přístup k autentizační aplikaci.',
+  'settings.mfa.backupWarning': 'Uložte si je hned. Každý kód lze použít pouze jednou.',
+  'settings.mfa.backupCopy': 'Kopírovat kódy',
+  'settings.mfa.backupDownload': 'Stáhnout TXT',
+  'settings.mfa.backupPrint': 'Tisk / PDF',
+  'settings.mfa.backupCopied': 'Záložní kódy zkopírovány',
   'settings.mfa.enabled': '2FA je pro váš účet aktivní.',
   'settings.mfa.disabled': '2FA není aktivní.',
   'settings.mfa.setup': 'Nastavit autentizační aplikaci',
@@ -365,6 +398,8 @@ const cs: Record<string, string | { name: string; category: string }[]> = {
   'admin.tabs.settings': 'Nastavení',
   'admin.allowRegistration': 'Povolit registraci',
   'admin.allowRegistrationHint': 'Noví uživatelé se mohou sami registrovat',
+  'admin.requireMfa': 'Vyžadovat dvoufázové ověření (2FA)',
+  'admin.requireMfaHint': 'Uživatelé bez 2FA musí dokončit nastavení v Nastavení před použitím aplikace.',
   'admin.apiKeys': 'API klíče',
   'admin.apiKeysHint': 'Volitelné. Povoluje rozšířená data o místech (fotky, počasí).',
   'admin.mapsKey': 'Google Maps API klíč',
@@ -419,8 +454,8 @@ const cs: Record<string, string | { name: string; category: string }[]> = {
   'admin.tabs.addons': 'Doplňky',
   'admin.addons.title': 'Doplňky',
   'admin.addons.subtitle': 'Zapněte nebo vypněte funkce a přizpůsobte si TREK.',
-  'admin.addons.catalog.memories.name': 'Vzpomínky',
-  'admin.addons.catalog.memories.description': 'Sdílená fotoalba pro každou cestu',
+  'admin.addons.catalog.memories.name': 'Fotky (Immich)',
+  'admin.addons.catalog.memories.description': 'Sdílejte cestovní fotky přes vaši instanci Immich',
   'admin.addons.catalog.packing.name': 'Balení',
   'admin.addons.catalog.packing.description': 'Seznamy věcí pro přípravu na cestu',
   'admin.addons.catalog.budget.name': 'Rozpočet',
@@ -437,13 +472,17 @@ const cs: Record<string, string | { name: string; category: string }[]> = {
   'admin.addons.disabled': 'Zakázáno',
   'admin.addons.type.trip': 'Cesta',
   'admin.addons.type.global': 'Globální',
+  'admin.addons.type.integration': 'Integrace',
   'admin.addons.tripHint': 'Dostupné jako karta v rámci každé cesty',
   'admin.addons.globalHint': 'Dostupné jako samostatná sekce v hlavní navigaci',
+  'admin.addons.integrationHint': 'Backendové služby a API integrace bez vlastní stránky',
   'admin.addons.toast.updated': 'Doplněk byl aktualizován',
   'admin.addons.toast.error': 'Aktualizace doplňku se nezdařila',
   'admin.addons.noAddons': 'Žádné doplňky nejsou k dispozici',
   'admin.addons.catalog.memories.name': 'Fotky (Immich)',
   'admin.addons.catalog.memories.description': 'Sdílejte cestovní fotky přes vaši instanci Immich',
+  'admin.addons.catalog.mcp.name': 'MCP',
+  'admin.addons.catalog.mcp.description': 'Model Context Protocol pro integraci AI asistentů',
   'admin.addons.subtitleBefore': 'Zapněte nebo vypněte funkce a přizpůsobte si ',
   'admin.addons.subtitleAfter': '.',
 
@@ -461,6 +500,22 @@ const cs: Record<string, string | { name: string; category: string }[]> = {
   'admin.audit.col.ip': 'IP',
   'admin.audit.col.details': 'Detaily',
 
+  // MCP Tokens
+  'admin.tabs.mcpTokens': 'MCP tokeny',
+  'admin.mcpTokens.title': 'MCP tokeny',
+  'admin.mcpTokens.subtitle': 'Správa API tokenů všech uživatelů',
+  'admin.mcpTokens.owner': 'Vlastník',
+  'admin.mcpTokens.tokenName': 'Název tokenu',
+  'admin.mcpTokens.created': 'Vytvořen',
+  'admin.mcpTokens.lastUsed': 'Naposledy použit',
+  'admin.mcpTokens.never': 'Nikdy',
+  'admin.mcpTokens.empty': 'Zatím nebyly vytvořeny žádné MCP tokeny',
+  'admin.mcpTokens.deleteTitle': 'Smazat token',
+  'admin.mcpTokens.deleteMessage': 'Tento token bude okamžitě zneplatněn. Uživatel ztratí MCP přístup přes tento token.',
+  'admin.mcpTokens.deleteSuccess': 'Token smazán',
+  'admin.mcpTokens.deleteError': 'Nepodařilo se smazat token',
+  'admin.mcpTokens.loadError': 'Nepodařilo se načíst tokeny',
+
   // GitHub
   'admin.tabs.github': 'GitHub',
   'admin.github.title': 'Historie verzí',
@@ -605,7 +660,6 @@ const cs: Record<string, string | { name: string; category: string }[]> = {
   'atlas.markVisitedHint': 'Přidat tuto zemi do seznamu navštívených',
   'atlas.addToBucket': 'Přidat do seznamu přání (Bucket list)',
   'atlas.addPoi': 'Přidat místo',
-  'atlas.searchCountry': 'Hledat zemi...',
   'atlas.bucketNamePlaceholder': 'Název (země, město, místo...)',
   'atlas.month': 'Měsíc',
   'atlas.addToBucketHint': 'Uložit jako místo, které chcete navštívit',

client/src/i18n/translations/de.ts

@@ -185,6 +185,31 @@ const de: Record<string, string | { name: string; category: string }[]> = {
   'share.permCollab': 'Chat',
   'settings.on': 'An',
   'settings.off': 'Aus',
+  'settings.mcp.title': 'MCP-Konfiguration',
+  'settings.mcp.endpoint': 'MCP-Endpunkt',
+  'settings.mcp.clientConfig': 'Client-Konfiguration',
+  'settings.mcp.clientConfigHint': 'Ersetze <your_token> durch ein API-Token aus der Liste unten. Der Pfad zu npx muss ggf. für dein System angepasst werden (z. B. C:\\PROGRA~1\\nodejs\\npx.cmd unter Windows).',
+  'settings.mcp.copy': 'Kopieren',
+  'settings.mcp.copied': 'Kopiert!',
+  'settings.mcp.apiTokens': 'API-Tokens',
+  'settings.mcp.createToken': 'Neuen Token erstellen',
+  'settings.mcp.noTokens': 'Noch keine Tokens. Erstelle einen, um MCP-Clients zu verbinden.',
+  'settings.mcp.tokenCreatedAt': 'Erstellt',
+  'settings.mcp.tokenUsedAt': 'Verwendet',
+  'settings.mcp.deleteTokenTitle': 'Token löschen',
+  'settings.mcp.deleteTokenMessage': 'Dieser Token wird sofort ungültig. Jeder MCP-Client, der ihn verwendet, verliert den Zugang.',
+  'settings.mcp.modal.createTitle': 'API-Token erstellen',
+  'settings.mcp.modal.tokenName': 'Token-Name',
+  'settings.mcp.modal.tokenNamePlaceholder': 'z. B. Claude Desktop, Arbeits-Laptop',
+  'settings.mcp.modal.creating': 'Wird erstellt…',
+  'settings.mcp.modal.create': 'Token erstellen',
+  'settings.mcp.modal.createdTitle': 'Token erstellt',
+  'settings.mcp.modal.createdWarning': 'Dieser Token wird nur einmal angezeigt. Kopiere und speichere ihn jetzt — er kann nicht wiederhergestellt werden.',
+  'settings.mcp.modal.done': 'Fertig',
+  'settings.mcp.toast.created': 'Token erstellt',
+  'settings.mcp.toast.createError': 'Token konnte nicht erstellt werden',
+  'settings.mcp.toast.deleted': 'Token gelöscht',
+  'settings.mcp.toast.deleteError': 'Token konnte nicht gelöscht werden',
   'settings.account': 'Konto',
   'settings.username': 'Benutzername',
   'settings.email': 'E-Mail',
@@ -221,6 +246,14 @@ const de: Record<string, string | { name: string; category: string }[]> = {
   'settings.avatarError': 'Fehler beim Hochladen',
   'settings.mfa.title': 'Zwei-Faktor-Authentifizierung (2FA)',
   'settings.mfa.description': 'Zusätzlicher Schritt bei der Anmeldung mit E-Mail und Passwort. Nutze eine Authenticator-App (Google Authenticator, Authy, …).',
+  'settings.mfa.requiredByPolicy': 'Dein Administrator verlangt Zwei-Faktor-Authentifizierung. Richte unten eine Authenticator-App ein, bevor du fortfährst.',
+  'settings.mfa.backupTitle': 'Backup-Codes',
+  'settings.mfa.backupDescription': 'Verwende diese Einmal-Codes, wenn du keinen Zugriff mehr auf deine Authenticator-App hast.',
+  'settings.mfa.backupWarning': 'Jetzt speichern. Jeder Code kann nur einmal verwendet werden.',
+  'settings.mfa.backupCopy': 'Codes kopieren',
+  'settings.mfa.backupDownload': 'TXT herunterladen',
+  'settings.mfa.backupPrint': 'Drucken / PDF',
+  'settings.mfa.backupCopied': 'Backup-Codes kopiert',
   'settings.mfa.enabled': '2FA ist für dein Konto aktiv.',
   'settings.mfa.disabled': '2FA ist nicht aktiviert.',
   'settings.mfa.setup': 'Authenticator einrichten',
@@ -365,6 +398,8 @@ const de: Record<string, string | { name: string; category: string }[]> = {
   'admin.tabs.settings': 'Einstellungen',
   'admin.allowRegistration': 'Registrierung erlauben',
   'admin.allowRegistrationHint': 'Neue Benutzer können sich selbst registrieren',
+  'admin.requireMfa': 'Zwei-Faktor-Authentifizierung (2FA) für alle verlangen',
+  'admin.requireMfaHint': 'Benutzer ohne 2FA müssen die Einrichtung unter Einstellungen abschließen, bevor sie die App nutzen können.',
   'admin.apiKeys': 'API-Schlüssel',
   'admin.apiKeysHint': 'Optional. Aktiviert erweiterte Ortsdaten wie Fotos und Wetter.',
   'admin.mapsKey': 'Google Maps API Key',
@@ -433,14 +468,18 @@ const de: Record<string, string | { name: string; category: string }[]> = {
   'admin.addons.catalog.collab.description': 'Echtzeit-Notizen, Umfragen und Chat für die Reiseplanung',
   'admin.addons.catalog.memories.name': 'Fotos (Immich)',
   'admin.addons.catalog.memories.description': 'Reisefotos über deine Immich-Instanz teilen',
+  'admin.addons.catalog.mcp.name': 'MCP',
+  'admin.addons.catalog.mcp.description': 'Model Context Protocol für die KI-Assistenten-Integration',
   'admin.addons.subtitleBefore': 'Aktiviere oder deaktiviere Funktionen, um ',
   'admin.addons.subtitleAfter': ' nach deinen Wünschen anzupassen.',
   'admin.addons.enabled': 'Aktiviert',
   'admin.addons.disabled': 'Deaktiviert',
   'admin.addons.type.trip': 'Trip',
   'admin.addons.type.global': 'Global',
+  'admin.addons.type.integration': 'Integration',
   'admin.addons.tripHint': 'Verfügbar als Tab innerhalb jedes Trips',
   'admin.addons.globalHint': 'Verfügbar als eigenständiger Bereich in der Navigation',
+  'admin.addons.integrationHint': 'Backend-Dienste und API-Integrationen ohne eigene Seite',
   'admin.addons.toast.updated': 'Addon aktualisiert',
   'admin.addons.toast.error': 'Addon konnte nicht aktualisiert werden',
   'admin.addons.noAddons': 'Keine Addons verfügbar',
@@ -456,6 +495,22 @@ const de: Record<string, string | { name: string; category: string }[]> = {
   'admin.weather.requestsDesc': 'Kostenlos, kein API-Schlüssel erforderlich',
   'admin.weather.locationHint': 'Das Wetter wird anhand des ersten Ortes mit Koordinaten im jeweiligen Tag berechnet. Ist kein Ort am Tag eingeplant, wird ein beliebiger Ort aus der Ortsliste als Referenz verwendet.',
 
+  // MCP Tokens
+  'admin.tabs.mcpTokens': 'MCP-Tokens',
+  'admin.mcpTokens.title': 'MCP-Tokens',
+  'admin.mcpTokens.subtitle': 'API-Tokens aller Benutzer verwalten',
+  'admin.mcpTokens.owner': 'Besitzer',
+  'admin.mcpTokens.tokenName': 'Token-Name',
+  'admin.mcpTokens.created': 'Erstellt',
+  'admin.mcpTokens.lastUsed': 'Zuletzt verwendet',
+  'admin.mcpTokens.never': 'Nie',
+  'admin.mcpTokens.empty': 'Es wurden noch keine MCP-Tokens erstellt',
+  'admin.mcpTokens.deleteTitle': 'Token löschen',
+  'admin.mcpTokens.deleteMessage': 'Dieser Token wird sofort widerrufen. Der Benutzer verliert den MCP-Zugang über diesen Token.',
+  'admin.mcpTokens.deleteSuccess': 'Token gelöscht',
+  'admin.mcpTokens.deleteError': 'Token konnte nicht gelöscht werden',
+  'admin.mcpTokens.loadError': 'Tokens konnten nicht geladen werden',
+
   // GitHub
   'admin.tabs.github': 'GitHub',
 

client/src/i18n/translations/en.ts

@@ -185,6 +185,31 @@ const en: Record<string, string | { name: string; category: string }[]> = {
   'share.permCollab': 'Chat',
   'settings.on': 'On',
   'settings.off': 'Off',
+  'settings.mcp.title': 'MCP Configuration',
+  'settings.mcp.endpoint': 'MCP Endpoint',
+  'settings.mcp.clientConfig': 'Client Configuration',
+  'settings.mcp.clientConfigHint': 'Replace <your_token> with an API token from the list below. The path to npx may need to be adjusted for your system (e.g. C:\\PROGRA~1\\nodejs\\npx.cmd on Windows).',
+  'settings.mcp.copy': 'Copy',
+  'settings.mcp.copied': 'Copied!',
+  'settings.mcp.apiTokens': 'API Tokens',
+  'settings.mcp.createToken': 'Create New Token',
+  'settings.mcp.noTokens': 'No tokens yet. Create one to connect MCP clients.',
+  'settings.mcp.tokenCreatedAt': 'Created',
+  'settings.mcp.tokenUsedAt': 'Used',
+  'settings.mcp.deleteTokenTitle': 'Delete Token',
+  'settings.mcp.deleteTokenMessage': 'This token will stop working immediately. Any MCP client using it will lose access.',
+  'settings.mcp.modal.createTitle': 'Create API Token',
+  'settings.mcp.modal.tokenName': 'Token Name',
+  'settings.mcp.modal.tokenNamePlaceholder': 'e.g. Claude Desktop, Work laptop',
+  'settings.mcp.modal.creating': 'Creating…',
+  'settings.mcp.modal.create': 'Create Token',
+  'settings.mcp.modal.createdTitle': 'Token Created',
+  'settings.mcp.modal.createdWarning': 'This token will only be shown once. Copy and store it now — it cannot be recovered.',
+  'settings.mcp.modal.done': 'Done',
+  'settings.mcp.toast.created': 'Token created',
+  'settings.mcp.toast.createError': 'Failed to create token',
+  'settings.mcp.toast.deleted': 'Token deleted',
+  'settings.mcp.toast.deleteError': 'Failed to delete token',
   'settings.account': 'Account',
   'settings.username': 'Username',
   'settings.email': 'Email',
@@ -221,6 +246,14 @@ const en: Record<string, string | { name: string; category: string }[]> = {
   'settings.avatarError': 'Upload failed',
   'settings.mfa.title': 'Two-factor authentication (2FA)',
   'settings.mfa.description': 'Adds a second step when you sign in with email and password. Use an authenticator app (Google Authenticator, Authy, etc.).',
+  'settings.mfa.requiredByPolicy': 'Your administrator requires two-factor authentication. Set up an authenticator app below before continuing.',
+  'settings.mfa.backupTitle': 'Backup codes',
+  'settings.mfa.backupDescription': 'Use these one-time backup codes if you lose access to your authenticator app.',
+  'settings.mfa.backupWarning': 'Save these codes now. Each code can only be used once.',
+  'settings.mfa.backupCopy': 'Copy codes',
+  'settings.mfa.backupDownload': 'Download TXT',
+  'settings.mfa.backupPrint': 'Print / PDF',
+  'settings.mfa.backupCopied': 'Backup codes copied',
   'settings.mfa.enabled': '2FA is enabled on your account.',
   'settings.mfa.disabled': '2FA is not enabled.',
   'settings.mfa.setup': 'Set up authenticator',
@@ -365,6 +398,8 @@ const en: Record<string, string | { name: string; category: string }[]> = {
   'admin.tabs.settings': 'Settings',
   'admin.allowRegistration': 'Allow Registration',
   'admin.allowRegistrationHint': 'New users can register themselves',
+  'admin.requireMfa': 'Require two-factor authentication (2FA)',
+  'admin.requireMfaHint': 'Users without 2FA must complete setup in Settings before using the app.',
   'admin.apiKeys': 'API Keys',
   'admin.apiKeysHint': 'Optional. Enables extended place data like photos and weather.',
   'admin.mapsKey': 'Google Maps API Key',
@@ -433,14 +468,18 @@ const en: Record<string, string | { name: string; category: string }[]> = {
   'admin.addons.catalog.collab.description': 'Real-time notes, polls, and chat for trip planning',
   'admin.addons.catalog.memories.name': 'Photos (Immich)',
   'admin.addons.catalog.memories.description': 'Share trip photos via your Immich instance',
+  'admin.addons.catalog.mcp.name': 'MCP',
+  'admin.addons.catalog.mcp.description': 'Model Context Protocol for AI assistant integration',
   'admin.addons.subtitleBefore': 'Enable or disable features to customize your ',
   'admin.addons.subtitleAfter': ' experience.',
   'admin.addons.enabled': 'Enabled',
   'admin.addons.disabled': 'Disabled',
   'admin.addons.type.trip': 'Trip',
   'admin.addons.type.global': 'Global',
+  'admin.addons.type.integration': 'Integration',
   'admin.addons.tripHint': 'Available as a tab within each trip',
   'admin.addons.globalHint': 'Available as a standalone section in the main navigation',
+  'admin.addons.integrationHint': 'Backend services and API integrations with no dedicated page',
   'admin.addons.toast.updated': 'Addon updated',
   'admin.addons.toast.error': 'Failed to update addon',
   'admin.addons.noAddons': 'No addons available',
@@ -457,6 +496,20 @@ const en: Record<string, string | { name: string; category: string }[]> = {
   'admin.weather.locationHint': 'Weather is based on the first place with coordinates in each day. If no place is assigned to a day, any place from the place list is used as a reference.',
 
   // GitHub
+  'admin.tabs.mcpTokens': 'MCP Tokens',
+  'admin.mcpTokens.title': 'MCP Tokens',
+  'admin.mcpTokens.subtitle': 'Manage API tokens across all users',
+  'admin.mcpTokens.owner': 'Owner',
+  'admin.mcpTokens.tokenName': 'Token Name',
+  'admin.mcpTokens.created': 'Created',
+  'admin.mcpTokens.lastUsed': 'Last Used',
+  'admin.mcpTokens.never': 'Never',
+  'admin.mcpTokens.empty': 'No MCP tokens have been created yet',
+  'admin.mcpTokens.deleteTitle': 'Delete Token',
+  'admin.mcpTokens.deleteMessage': 'This will revoke the token immediately. The user will lose MCP access through this token.',
+  'admin.mcpTokens.deleteSuccess': 'Token deleted',
+  'admin.mcpTokens.deleteError': 'Failed to delete token',
+  'admin.mcpTokens.loadError': 'Failed to load tokens',
   'admin.tabs.github': 'GitHub',
 
   'admin.audit.subtitle': 'Security-sensitive and administration events (backups, users, MFA, settings).',

client/src/i18n/translations/es.ts

@@ -186,6 +186,31 @@ const es: Record<string, string> = {
   'share.permCollab': 'Chat',
   'settings.on': 'Activado',
   'settings.off': 'Desactivado',
+  'settings.mcp.title': 'Configuración MCP',
+  'settings.mcp.endpoint': 'Endpoint MCP',
+  'settings.mcp.clientConfig': 'Configuración del cliente',
+  'settings.mcp.clientConfigHint': 'Reemplaza <your_token> con un token de la lista de abajo. Es posible que debas ajustar la ruta de npx según tu sistema (p. ej. C:\\PROGRA~1\\nodejs\\npx.cmd en Windows).',
+  'settings.mcp.copy': 'Copiar',
+  'settings.mcp.copied': '¡Copiado!',
+  'settings.mcp.apiTokens': 'Tokens de API',
+  'settings.mcp.createToken': 'Crear nuevo token',
+  'settings.mcp.noTokens': 'Sin tokens aún. Crea uno para conectar clientes MCP.',
+  'settings.mcp.tokenCreatedAt': 'Creado',
+  'settings.mcp.tokenUsedAt': 'Usado',
+  'settings.mcp.deleteTokenTitle': 'Eliminar token',
+  'settings.mcp.deleteTokenMessage': 'Este token dejará de funcionar de inmediato. Cualquier cliente MCP que lo use perderá el acceso.',
+  'settings.mcp.modal.createTitle': 'Crear token de API',
+  'settings.mcp.modal.tokenName': 'Nombre del token',
+  'settings.mcp.modal.tokenNamePlaceholder': 'p. ej. Claude Desktop, Portátil de trabajo',
+  'settings.mcp.modal.creating': 'Creando…',
+  'settings.mcp.modal.create': 'Crear token',
+  'settings.mcp.modal.createdTitle': 'Token creado',
+  'settings.mcp.modal.createdWarning': 'Este token solo se mostrará una vez. Cópialo y guárdalo ahora — no se podrá recuperar.',
+  'settings.mcp.modal.done': 'Listo',
+  'settings.mcp.toast.created': 'Token creado',
+  'settings.mcp.toast.createError': 'Error al crear el token',
+  'settings.mcp.toast.deleted': 'Token eliminado',
+  'settings.mcp.toast.deleteError': 'Error al eliminar el token',
   'settings.account': 'Cuenta',
   'settings.username': 'Usuario',
   'settings.email': 'Correo',
@@ -211,6 +236,14 @@ const es: Record<string, string> = {
   'settings.saveProfile': 'Guardar perfil',
   'settings.mfa.title': 'Autenticación de dos factores (2FA)',
   'settings.mfa.description': 'Añade un segundo paso al iniciar sesión. Usa una app de autenticación (Google Authenticator, Authy, etc.).',
+  'settings.mfa.requiredByPolicy': 'Tu administrador exige autenticación en dos factores. Configura una app de autenticación abajo antes de continuar.',
+  'settings.mfa.backupTitle': 'Códigos de respaldo',
+  'settings.mfa.backupDescription': 'Usa estos códigos de un solo uso si pierdes acceso a tu app autenticadora.',
+  'settings.mfa.backupWarning': 'Guárdalos ahora. Cada código solo se puede usar una vez.',
+  'settings.mfa.backupCopy': 'Copiar códigos',
+  'settings.mfa.backupDownload': 'Descargar TXT',
+  'settings.mfa.backupPrint': 'Imprimir / PDF',
+  'settings.mfa.backupCopied': 'Códigos de respaldo copiados',
   'settings.mfa.enabled': '2FA está activado en tu cuenta.',
   'settings.mfa.disabled': '2FA no está activado.',
   'settings.mfa.setup': 'Configurar autenticador',
@@ -363,6 +396,8 @@ const es: Record<string, string> = {
   'admin.tabs.settings': 'Ajustes',
   'admin.allowRegistration': 'Permitir el registro',
   'admin.allowRegistrationHint': 'Los nuevos usuarios pueden registrarse por sí mismos',
+  'admin.requireMfa': 'Exigir autenticación en dos factores (2FA)',
+  'admin.requireMfaHint': 'Los usuarios sin 2FA deben completar la configuración en Ajustes antes de usar la aplicación.',
   'admin.apiKeys': 'Claves API',
   'admin.apiKeysHint': 'Opcional. Activa datos ampliados de lugares, como fotos y previsión del tiempo.',
   'admin.mapsKey': 'Clave API de Google Maps',
@@ -420,8 +455,10 @@ const es: Record<string, string> = {
   'admin.addons.disabled': 'Desactivado',
   'admin.addons.type.trip': 'Viaje',
   'admin.addons.type.global': 'Global',
+  'admin.addons.type.integration': 'Integración',
   'admin.addons.tripHint': 'Disponible como pestaña dentro de cada viaje',
   'admin.addons.globalHint': 'Disponible como sección independiente en la navegación principal',
+  'admin.addons.integrationHint': 'Servicios backend e integraciones de API sin página dedicada',
   'admin.addons.toast.updated': 'Complemento actualizado',
   'admin.addons.toast.error': 'No se pudo actualizar el complemento',
   'admin.addons.noAddons': 'No hay complementos disponibles',
@@ -436,6 +473,22 @@ const es: Record<string, string> = {
   'admin.weather.requestsDesc': 'Gratis, sin necesidad de clave API',
   'admin.weather.locationHint': 'El tiempo se basa en el primer lugar con coordenadas de cada día. Si no hay ningún lugar asignado a un día, se usa como referencia cualquier lugar de la lista.',
 
+  // MCP Tokens
+  'admin.tabs.mcpTokens': 'Tokens MCP',
+  'admin.mcpTokens.title': 'Tokens MCP',
+  'admin.mcpTokens.subtitle': 'Gestionar tokens de API de todos los usuarios',
+  'admin.mcpTokens.owner': 'Propietario',
+  'admin.mcpTokens.tokenName': 'Nombre del token',
+  'admin.mcpTokens.created': 'Creado',
+  'admin.mcpTokens.lastUsed': 'Último uso',
+  'admin.mcpTokens.never': 'Nunca',
+  'admin.mcpTokens.empty': 'Aún no se han creado tokens MCP',
+  'admin.mcpTokens.deleteTitle': 'Eliminar token',
+  'admin.mcpTokens.deleteMessage': 'Este token se revocará inmediatamente. El usuario perderá el acceso MCP a través de este token.',
+  'admin.mcpTokens.deleteSuccess': 'Token eliminado',
+  'admin.mcpTokens.deleteError': 'No se pudo eliminar el token',
+  'admin.mcpTokens.loadError': 'No se pudieron cargar los tokens',
+
   // GitHub
   'admin.tabs.github': 'GitHub',
 
@@ -1063,8 +1116,10 @@ const es: Record<string, string> = {
   'photos.linkPlace': 'Vincular lugar',
   'photos.noPlace': 'Sin lugar',
   'photos.uploadN': 'Subida de {n} foto(s)',
-  'admin.addons.catalog.memories.name': 'Recuerdos',
-  'admin.addons.catalog.memories.description': 'Álbumes de fotos compartidos para cada viaje',
+  'admin.addons.catalog.memories.name': 'Fotos (Immich)',
+  'admin.addons.catalog.memories.description': 'Comparte fotos de viaje a través de tu instancia de Immich',
+  'admin.addons.catalog.mcp.name': 'MCP',
+  'admin.addons.catalog.mcp.description': 'Protocolo de contexto de modelo para integración con asistentes de IA',
   'admin.addons.catalog.packing.name': 'Equipaje',
   'admin.addons.catalog.packing.description': 'Prepara tu equipaje con listas de comprobación para cada viaje',
   'admin.addons.catalog.budget.name': 'Presupuesto',

client/src/i18n/translations/fr.ts

@@ -185,6 +185,31 @@ const fr: Record<string, string> = {
   'share.permCollab': 'Chat',
   'settings.on': 'Activé',
   'settings.off': 'Désactivé',
+  'settings.mcp.title': 'Configuration MCP',
+  'settings.mcp.endpoint': 'Point de terminaison MCP',
+  'settings.mcp.clientConfig': 'Configuration du client',
+  'settings.mcp.clientConfigHint': 'Remplacez <your_token> par un token API de la liste ci-dessous. Le chemin vers npx devra peut-être être ajusté selon votre système (ex. C:\\PROGRA~1\\nodejs\\npx.cmd sous Windows).',
+  'settings.mcp.copy': 'Copier',
+  'settings.mcp.copied': 'Copié !',
+  'settings.mcp.apiTokens': 'Tokens API',
+  'settings.mcp.createToken': 'Créer un token',
+  'settings.mcp.noTokens': 'Aucun token pour l\'instant. Créez-en un pour connecter des clients MCP.',
+  'settings.mcp.tokenCreatedAt': 'Créé',
+  'settings.mcp.tokenUsedAt': 'Utilisé',
+  'settings.mcp.deleteTokenTitle': 'Supprimer le token',
+  'settings.mcp.deleteTokenMessage': 'Ce token cessera de fonctionner immédiatement. Tout client MCP l\'utilisant perdra l\'accès.',
+  'settings.mcp.modal.createTitle': 'Créer un token API',
+  'settings.mcp.modal.tokenName': 'Nom du token',
+  'settings.mcp.modal.tokenNamePlaceholder': 'ex. Claude Desktop, Ordinateur pro',
+  'settings.mcp.modal.creating': 'Création…',
+  'settings.mcp.modal.create': 'Créer le token',
+  'settings.mcp.modal.createdTitle': 'Token créé',
+  'settings.mcp.modal.createdWarning': 'Ce token ne sera affiché qu\'une seule fois. Copiez-le et conservez-le maintenant — il ne pourra pas être récupéré.',
+  'settings.mcp.modal.done': 'Terminé',
+  'settings.mcp.toast.created': 'Token créé',
+  'settings.mcp.toast.createError': 'Impossible de créer le token',
+  'settings.mcp.toast.deleted': 'Token supprimé',
+  'settings.mcp.toast.deleteError': 'Impossible de supprimer le token',
   'settings.account': 'Compte',
   'settings.username': 'Nom d\'utilisateur',
   'settings.email': 'E-mail',
@@ -212,6 +237,14 @@ const fr: Record<string, string> = {
   'settings.saveProfile': 'Enregistrer le profil',
   'settings.mfa.title': 'Authentification à deux facteurs (2FA)',
   'settings.mfa.description': 'Ajoute une étape supplémentaire lors de la connexion. Utilisez une application d\'authentification (Google Authenticator, Authy, etc.).',
+  'settings.mfa.requiredByPolicy': 'Votre administrateur exige l\'authentification à deux facteurs. Configurez une application d\'authentification ci-dessous avant de continuer.',
+  'settings.mfa.backupTitle': 'Codes de secours',
+  'settings.mfa.backupDescription': 'Utilisez ces codes à usage unique si vous perdez l\'accès à votre application d\'authentification.',
+  'settings.mfa.backupWarning': 'Enregistrez ces codes maintenant. Chaque code n\'est utilisable qu\'une seule fois.',
+  'settings.mfa.backupCopy': 'Copier les codes',
+  'settings.mfa.backupDownload': 'Télécharger TXT',
+  'settings.mfa.backupPrint': 'Imprimer / PDF',
+  'settings.mfa.backupCopied': 'Codes de secours copiés',
   'settings.mfa.enabled': '2FA est activé sur votre compte.',
   'settings.mfa.disabled': '2FA n\'est pas activé.',
   'settings.mfa.setup': 'Configurer l\'authentificateur',
@@ -364,6 +397,8 @@ const fr: Record<string, string> = {
   'admin.tabs.settings': 'Paramètres',
   'admin.allowRegistration': 'Autoriser les inscriptions',
   'admin.allowRegistrationHint': 'Les nouveaux utilisateurs peuvent s\'inscrire eux-mêmes',
+  'admin.requireMfa': 'Exiger l\'authentification à deux facteurs (2FA)',
+  'admin.requireMfaHint': 'Les utilisateurs sans 2FA doivent terminer la configuration dans Paramètres avant d\'utiliser l\'application.',
   'admin.apiKeys': 'Clés API',
   'admin.apiKeysHint': 'Facultatif. Active les données de lieu étendues comme les photos et la météo.',
   'admin.mapsKey': 'Clé API Google Maps',
@@ -417,8 +452,10 @@ const fr: Record<string, string> = {
   'admin.tabs.addons': 'Extensions',
   'admin.addons.title': 'Extensions',
   'admin.addons.subtitle': 'Activez ou désactivez des fonctionnalités pour personnaliser votre expérience TREK.',
-  'admin.addons.catalog.memories.name': 'Souvenirs',
-  'admin.addons.catalog.memories.description': 'Albums photo partagés pour chaque voyage',
+  'admin.addons.catalog.memories.name': 'Photos (Immich)',
+  'admin.addons.catalog.memories.description': 'Partagez vos photos de voyage via votre instance Immich',
+  'admin.addons.catalog.mcp.name': 'MCP',
+  'admin.addons.catalog.mcp.description': 'Protocole de contexte de modèle pour l\'intégration d\'assistants IA',
   'admin.addons.catalog.packing.name': 'Bagages',
   'admin.addons.catalog.packing.description': 'Listes de contrôle pour préparer vos bagages pour chaque voyage',
   'admin.addons.catalog.budget.name': 'Budget',
@@ -437,8 +474,10 @@ const fr: Record<string, string> = {
   'admin.addons.disabled': 'Désactivé',
   'admin.addons.type.trip': 'Voyage',
   'admin.addons.type.global': 'Global',
+  'admin.addons.type.integration': 'Intégration',
   'admin.addons.tripHint': 'Disponible comme onglet dans chaque voyage',
   'admin.addons.globalHint': 'Disponible comme section autonome dans la navigation principale',
+  'admin.addons.integrationHint': 'Services backend et intégrations API sans page dédiée',
   'admin.addons.toast.updated': 'Extension mise à jour',
   'admin.addons.toast.error': 'Échec de la mise à jour de l\'extension',
   'admin.addons.noAddons': 'Aucune extension disponible',
@@ -468,6 +507,22 @@ const fr: Record<string, string> = {
   'admin.audit.col.ip': 'IP',
   'admin.audit.col.details': 'Détails',
 
+  // MCP Tokens
+  'admin.tabs.mcpTokens': 'Tokens MCP',
+  'admin.mcpTokens.title': 'Tokens MCP',
+  'admin.mcpTokens.subtitle': 'Gérer les tokens API de tous les utilisateurs',
+  'admin.mcpTokens.owner': 'Propriétaire',
+  'admin.mcpTokens.tokenName': 'Nom du token',
+  'admin.mcpTokens.created': 'Créé',
+  'admin.mcpTokens.lastUsed': 'Dernière utilisation',
+  'admin.mcpTokens.never': 'Jamais',
+  'admin.mcpTokens.empty': 'Aucun token MCP n\'a encore été créé',
+  'admin.mcpTokens.deleteTitle': 'Supprimer le token',
+  'admin.mcpTokens.deleteMessage': 'Ce token sera révoqué immédiatement. L\'utilisateur perdra l\'accès MCP via ce token.',
+  'admin.mcpTokens.deleteSuccess': 'Token supprimé',
+  'admin.mcpTokens.deleteError': 'Impossible de supprimer le token',
+  'admin.mcpTokens.loadError': 'Impossible de charger les tokens',
+
   // GitHub
   'admin.tabs.github': 'GitHub',
   'admin.github.title': 'Historique des versions',

client/src/i18n/translations/hu.ts

@@ -151,6 +151,31 @@ const hu: Record<string, string | { name: string; category: string }[]> = {
   'settings.notifyWebhook': 'Webhook értesítések',
   'settings.on': 'Be',
   'settings.off': 'Ki',
+  'settings.mcp.title': 'MCP konfiguráció',
+  'settings.mcp.endpoint': 'MCP végpont',
+  'settings.mcp.clientConfig': 'Kliens konfiguráció',
+  'settings.mcp.clientConfigHint': 'Cserélje ki a <your_token> részt egy API tokenre az alábbi listából. Az npx elérési útját szükség lehet módosítani a rendszeréhez (pl. C:\\PROGRA~1\\nodejs\\npx.cmd Windows-on).',
+  'settings.mcp.copy': 'Másolás',
+  'settings.mcp.copied': 'Másolva!',
+  'settings.mcp.apiTokens': 'API tokenek',
+  'settings.mcp.createToken': 'Új token létrehozása',
+  'settings.mcp.noTokens': 'Még nincsenek tokenek. Hozzon létre egyet MCP kliensek csatlakoztatásához.',
+  'settings.mcp.tokenCreatedAt': 'Létrehozva',
+  'settings.mcp.tokenUsedAt': 'Használva',
+  'settings.mcp.deleteTokenTitle': 'Token törlése',
+  'settings.mcp.deleteTokenMessage': 'Ez a token azonnal érvénytelenné válik. Minden MCP kliens, amely használja, elveszíti a hozzáférést.',
+  'settings.mcp.modal.createTitle': 'API token létrehozása',
+  'settings.mcp.modal.tokenName': 'Token neve',
+  'settings.mcp.modal.tokenNamePlaceholder': 'pl. Claude Desktop, Munkahelyi laptop',
+  'settings.mcp.modal.creating': 'Létrehozás…',
+  'settings.mcp.modal.create': 'Token létrehozása',
+  'settings.mcp.modal.createdTitle': 'Token létrehozva',
+  'settings.mcp.modal.createdWarning': 'Ez a token csak egyszer jelenik meg. Másolja és mentse el most — nem lehet visszaállítani.',
+  'settings.mcp.modal.done': 'Kész',
+  'settings.mcp.toast.created': 'Token létrehozva',
+  'settings.mcp.toast.createError': 'Nem sikerült létrehozni a tokent',
+  'settings.mcp.toast.deleted': 'Token törölve',
+  'settings.mcp.toast.deleteError': 'Nem sikerült törölni a tokent',
   'settings.account': 'Fiók',
   'settings.username': 'Felhasználónév',
   'settings.email': 'E-mail',
@@ -187,6 +212,14 @@ const hu: Record<string, string | { name: string; category: string }[]> = {
   'settings.avatarError': 'Feltöltés sikertelen',
   'settings.mfa.title': 'Kétfaktoros hitelesítés (2FA)',
   'settings.mfa.description': 'Egy második lépést ad a bejelentkezéshez e-mail és jelszó használatakor. Használj hitelesítő alkalmazást (Google Authenticator, Authy stb.).',
+  'settings.mfa.requiredByPolicy': 'A rendszergazda kétlépcsős hitelesítést ír elő. Állíts be hitelesítő alkalmazást lent, mielőtt továbblépnél.',
+  'settings.mfa.backupTitle': 'Tartalék kódok',
+  'settings.mfa.backupDescription': 'Használd ezeket az egyszer használatos kódokat, ha elveszíted a hozzáférést a hitelesítő alkalmazásodhoz.',
+  'settings.mfa.backupWarning': 'Mentsd el ezeket most. Minden kód csak egyszer használható.',
+  'settings.mfa.backupCopy': 'Kódok másolása',
+  'settings.mfa.backupDownload': 'TXT letöltése',
+  'settings.mfa.backupPrint': 'Nyomtatás / PDF',
+  'settings.mfa.backupCopied': 'Tartalék kódok másolva',
   'settings.mfa.enabled': '2FA engedélyezve van a fiókodban.',
   'settings.mfa.disabled': '2FA nincs engedélyezve.',
   'settings.mfa.setup': 'Hitelesítő beállítása',
@@ -364,6 +397,8 @@ const hu: Record<string, string | { name: string; category: string }[]> = {
   'admin.tabs.settings': 'Beállítások',
   'admin.allowRegistration': 'Regisztráció engedélyezése',
   'admin.allowRegistrationHint': 'Új felhasználók regisztrálhatják magukat',
+  'admin.requireMfa': 'Kétlépcsős hitelesítés (2FA) kötelezővé tétele',
+  'admin.requireMfaHint': 'A 2FA nélküli felhasználóknak a Beállításokban kell befejezniük a beállítást az alkalmazás használata előtt.',
   'admin.apiKeys': 'API kulcsok',
   'admin.apiKeysHint': 'Opcionális. Bővített helyadatokat tesz lehetővé, például fotókat és időjárást.',
   'admin.mapsKey': 'Google Maps API kulcs',
@@ -432,14 +467,18 @@ const hu: Record<string, string | { name: string; category: string }[]> = {
   'admin.addons.catalog.collab.description': 'Valós idejű jegyzetek, szavazások és csevegés az utazás tervezéséhez',
   'admin.addons.catalog.memories.name': 'Fotók (Immich)',
   'admin.addons.catalog.memories.description': 'Utazási fotók megosztása az Immich példányon keresztül',
+  'admin.addons.catalog.mcp.name': 'MCP',
+  'admin.addons.catalog.mcp.description': 'Model Context Protocol AI asszisztens integrációhoz',
   'admin.addons.subtitleBefore': 'Funkciók engedélyezése vagy letiltása a ',
   'admin.addons.subtitleAfter': ' testreszabásához.',
   'admin.addons.enabled': 'Engedélyezve',
   'admin.addons.disabled': 'Letiltva',
   'admin.addons.type.trip': 'Utazás',
   'admin.addons.type.global': 'Globális',
+  'admin.addons.type.integration': 'Integráció',
   'admin.addons.tripHint': 'Fülként érhető el minden utazáson belül',
   'admin.addons.globalHint': 'Önálló szekcióként elérhető a fő navigációban',
+  'admin.addons.integrationHint': 'Háttérszolgáltatások és API integrációk dedikált oldal nélkül',
   'admin.addons.toast.updated': 'Bővítmény frissítve',
   'admin.addons.toast.error': 'Nem sikerült frissíteni a bővítményt',
   'admin.addons.noAddons': 'Nincsenek elérhető bővítmények',
@@ -469,6 +508,22 @@ const hu: Record<string, string | { name: string; category: string }[]> = {
   'admin.audit.col.ip': 'IP',
   'admin.audit.col.details': 'Részletek',
 
+  // MCP Tokens
+  'admin.tabs.mcpTokens': 'MCP tokenek',
+  'admin.mcpTokens.title': 'MCP tokenek',
+  'admin.mcpTokens.subtitle': 'Összes felhasználó API tokeneinek kezelése',
+  'admin.mcpTokens.owner': 'Tulajdonos',
+  'admin.mcpTokens.tokenName': 'Token neve',
+  'admin.mcpTokens.created': 'Létrehozva',
+  'admin.mcpTokens.lastUsed': 'Utoljára használva',
+  'admin.mcpTokens.never': 'Soha',
+  'admin.mcpTokens.empty': 'Még nem hoztak létre MCP tokeneket',
+  'admin.mcpTokens.deleteTitle': 'Token törlése',
+  'admin.mcpTokens.deleteMessage': 'Ez a token azonnal érvénytelenítésre kerül. A felhasználó elveszíti az MCP hozzáférést ezen a tokenen keresztül.',
+  'admin.mcpTokens.deleteSuccess': 'Token törölve',
+  'admin.mcpTokens.deleteError': 'Nem sikerült törölni a tokent',
+  'admin.mcpTokens.loadError': 'Nem sikerült betölteni a tokeneket',
+
   // GitHub
   'admin.tabs.github': 'GitHub',
   'admin.github.title': 'Frissítési előzmények',
@@ -609,7 +664,6 @@ const hu: Record<string, string | { name: string; category: string }[]> = {
   'atlas.statsTab': 'Statisztikák',
   'atlas.bucketTab': 'Bakancslista',
   'atlas.addBucket': 'Hozzáadás a bakancslistához',
-  'atlas.bucketNamePlaceholder': 'Hely vagy úti cél...',
   'atlas.bucketNotesPlaceholder': 'Jegyzetek (opcionális)',
   'atlas.bucketEmpty': 'A bakancslistád üres',
   'atlas.bucketEmptyHint': 'Adj hozzá helyeket, ahová álmodsz eljutni',

client/src/i18n/translations/it.ts

@@ -151,6 +151,31 @@ const it: Record<string, string | { name: string; category: string }[]> = {
   'settings.notifyWebhook': 'Notifiche webhook',
   'settings.on': 'On',
   'settings.off': 'Off',
+  'settings.mcp.title': 'Configurazione MCP',
+  'settings.mcp.endpoint': 'Endpoint MCP',
+  'settings.mcp.clientConfig': 'Configurazione client',
+  'settings.mcp.clientConfigHint': 'Sostituisci <your_token> con un token API dalla lista sottostante. Il percorso di npx potrebbe dover essere adattato per il tuo sistema (es. C:\\PROGRA~1\\nodejs\\npx.cmd su Windows).',
+  'settings.mcp.copy': 'Copia',
+  'settings.mcp.copied': 'Copiato!',
+  'settings.mcp.apiTokens': 'Token API',
+  'settings.mcp.createToken': 'Crea nuovo token',
+  'settings.mcp.noTokens': 'Nessun token ancora. Creane uno per connettere i client MCP.',
+  'settings.mcp.tokenCreatedAt': 'Creato',
+  'settings.mcp.tokenUsedAt': 'Utilizzato',
+  'settings.mcp.deleteTokenTitle': 'Elimina token',
+  'settings.mcp.deleteTokenMessage': 'Questo token smetterà di funzionare immediatamente. Qualsiasi client MCP che lo utilizza perderà l\'accesso.',
+  'settings.mcp.modal.createTitle': 'Crea token API',
+  'settings.mcp.modal.tokenName': 'Nome del token',
+  'settings.mcp.modal.tokenNamePlaceholder': 'es. Claude Desktop, Laptop di lavoro',
+  'settings.mcp.modal.creating': 'Creazione…',
+  'settings.mcp.modal.create': 'Crea token',
+  'settings.mcp.modal.createdTitle': 'Token creato',
+  'settings.mcp.modal.createdWarning': 'Questo token verrà mostrato solo una volta. Copialo e salvalo ora — non può essere recuperato.',
+  'settings.mcp.modal.done': 'Fatto',
+  'settings.mcp.toast.created': 'Token creato',
+  'settings.mcp.toast.createError': 'Impossibile creare il token',
+  'settings.mcp.toast.deleted': 'Token eliminato',
+  'settings.mcp.toast.deleteError': 'Impossibile eliminare il token',
   'settings.account': 'Account',
   'settings.username': 'Username',
   'settings.email': 'Email',
@@ -187,6 +212,14 @@ const it: Record<string, string | { name: string; category: string }[]> = {
   'settings.avatarError': 'Impossibile caricare',
   'settings.mfa.title': 'Autenticazione a due fattori (2FA)',
   'settings.mfa.description': 'Aggiunge un secondo passaggio quando accedi con email e password. Usa un\'app authenticator (Google Authenticator, Authy, ecc.).',
+  'settings.mfa.requiredByPolicy': 'L\'amministratore richiede l\'autenticazione a due fattori. Configura un\'app authenticator qui sotto prima di continuare.',
+  'settings.mfa.backupTitle': 'Codici di backup',
+  'settings.mfa.backupDescription': 'Usa questi codici monouso se perdi l\'accesso alla tua app authenticator.',
+  'settings.mfa.backupWarning': 'Salvali adesso. Ogni codice può essere usato una sola volta.',
+  'settings.mfa.backupCopy': 'Copia codici',
+  'settings.mfa.backupDownload': 'Scarica TXT',
+  'settings.mfa.backupPrint': 'Stampa / PDF',
+  'settings.mfa.backupCopied': 'Codici di backup copiati',
   'settings.mfa.enabled': 'La 2FA è abilitata sul tuo account.',
   'settings.mfa.disabled': 'La 2FA non è abilitata.',
   'settings.mfa.setup': 'Configura authenticator',
@@ -364,6 +397,8 @@ const it: Record<string, string | { name: string; category: string }[]> = {
   'admin.tabs.settings': 'Impostazioni',
   'admin.allowRegistration': 'Consenti Registrazione',
   'admin.allowRegistrationHint': 'I nuovi utenti possono registrarsi autonomamente',
+  'admin.requireMfa': 'Richiedi autenticazione a due fattori (2FA)',
+  'admin.requireMfaHint': 'Gli utenti senza 2FA devono completare la configurazione in Impostazioni prima di usare l\'app.',
   'admin.apiKeys': 'Chiavi API',
   'admin.apiKeysHint': 'Opzionale. Abilita dati estesi per i luoghi come foto e meteo.',
   'admin.mapsKey': 'Chiave API Google Maps',
@@ -431,14 +466,18 @@ const it: Record<string, string | { name: string; category: string }[]> = {
   'admin.addons.catalog.collab.description': 'Note, sondaggi e chat in tempo reale per la pianificazione del viaggio',
   'admin.addons.catalog.memories.name': 'Foto (Immich)',
   'admin.addons.catalog.memories.description': 'Condividi le foto del viaggio tramite la tua istanza Immich',
+  'admin.addons.catalog.mcp.name': 'MCP',
+  'admin.addons.catalog.mcp.description': 'Model Context Protocol per l\'integrazione di assistenti AI',
   'admin.addons.subtitleBefore': 'Abilita o disabilita le funzionalità per personalizzare la tua ',
   'admin.addons.subtitleAfter': ' esperienza.',
   'admin.addons.enabled': 'Abilitato',
   'admin.addons.disabled': 'Disabilitato',
   'admin.addons.type.trip': 'Viaggio',
   'admin.addons.type.global': 'Globale',
+  'admin.addons.type.integration': 'Integrazione',
   'admin.addons.tripHint': 'Disponibile come scheda all\'interno di ciascun viaggio',
   'admin.addons.globalHint': 'Disponibile come sezione autonoma nella navigazione principale',
+  'admin.addons.integrationHint': 'Servizi backend e integrazioni API senza pagina dedicata',
   'admin.addons.toast.updated': 'Modulo aggiornato',
   'admin.addons.toast.error': 'Impossibile aggiornare il modulo',
   'admin.addons.noAddons': 'Nessun modulo disponibile',
@@ -469,6 +508,22 @@ const it: Record<string, string | { name: string; category: string }[]> = {
   'admin.audit.col.ip': 'IP',
   'admin.audit.col.details': 'Dettagli',
 
+  // MCP Tokens
+  'admin.tabs.mcpTokens': 'Token MCP',
+  'admin.mcpTokens.title': 'Token MCP',
+  'admin.mcpTokens.subtitle': 'Gestisci i token API di tutti gli utenti',
+  'admin.mcpTokens.owner': 'Proprietario',
+  'admin.mcpTokens.tokenName': 'Nome token',
+  'admin.mcpTokens.created': 'Creato',
+  'admin.mcpTokens.lastUsed': 'Ultimo utilizzo',
+  'admin.mcpTokens.never': 'Mai',
+  'admin.mcpTokens.empty': 'Non sono ancora stati creati token MCP',
+  'admin.mcpTokens.deleteTitle': 'Elimina token',
+  'admin.mcpTokens.deleteMessage': 'Questo token verrà revocato immediatamente. L\'utente perderà l\'accesso MCP tramite questo token.',
+  'admin.mcpTokens.deleteSuccess': 'Token eliminato',
+  'admin.mcpTokens.deleteError': 'Impossibile eliminare il token',
+  'admin.mcpTokens.loadError': 'Impossibile caricare i token',
+
   // GitHub
   'admin.tabs.github': 'GitHub',
   'admin.github.title': 'Cronologia rilasci',
@@ -601,7 +656,6 @@ const it: Record<string, string | { name: string; category: string }[]> = {
   'atlas.markVisitedHint': 'Aggiungi questo paese alla tua lista dei visitati',
   'atlas.addToBucket': 'Aggiungi alla lista desideri',
   'atlas.addPoi': 'Aggiungi luogo',
-  'atlas.searchCountry': 'Cerca un paese...',
   'atlas.bucketNamePlaceholder': 'Nome (paese, città, luogo...)',
   'atlas.month': 'Mese',
   'atlas.addToBucketHint': 'Salvalo come luogo che vuoi visitare',
@@ -609,6 +663,7 @@ const it: Record<string, string | { name: string; category: string }[]> = {
   'atlas.statsTab': 'Statistiche',
   'atlas.bucketTab': 'Lista desideri',
   'atlas.addBucket': 'Aggiungi alla lista desideri',
+  'atlas.bucketNamePlaceholder': 'Luogo o destinazione...',
   'atlas.bucketNotesPlaceholder': 'Note (opzionale)',
   'atlas.bucketEmpty': 'La tua lista desideri è vuota',
   'atlas.bucketEmptyHint': 'Aggiungi luoghi che sogni di visitare',

client/src/i18n/translations/nl.ts

@@ -185,6 +185,31 @@ const nl: Record<string, string> = {
   'share.permCollab': 'Chat',
   'settings.on': 'Aan',
   'settings.off': 'Uit',
+  'settings.mcp.title': 'MCP-configuratie',
+  'settings.mcp.endpoint': 'MCP-eindpunt',
+  'settings.mcp.clientConfig': 'Clientconfiguratie',
+  'settings.mcp.clientConfigHint': 'Vervang <your_token> door een API-token uit de onderstaande lijst. Het pad naar npx moet mogelijk worden aangepast voor jouw systeem (bijv. C:\\PROGRA~1\\nodejs\\npx.cmd op Windows).',
+  'settings.mcp.copy': 'Kopiëren',
+  'settings.mcp.copied': 'Gekopieerd!',
+  'settings.mcp.apiTokens': 'API-tokens',
+  'settings.mcp.createToken': 'Nieuw token aanmaken',
+  'settings.mcp.noTokens': 'Nog geen tokens. Maak er een aan om MCP-clients te verbinden.',
+  'settings.mcp.tokenCreatedAt': 'Aangemaakt',
+  'settings.mcp.tokenUsedAt': 'Gebruikt',
+  'settings.mcp.deleteTokenTitle': 'Token verwijderen',
+  'settings.mcp.deleteTokenMessage': 'Dit token werkt onmiddellijk niet meer. Elke MCP-client die het gebruikt verliest de toegang.',
+  'settings.mcp.modal.createTitle': 'API-token aanmaken',
+  'settings.mcp.modal.tokenName': 'Tokennaam',
+  'settings.mcp.modal.tokenNamePlaceholder': 'bijv. Claude Desktop, Werklaptop',
+  'settings.mcp.modal.creating': 'Aanmaken…',
+  'settings.mcp.modal.create': 'Token aanmaken',
+  'settings.mcp.modal.createdTitle': 'Token aangemaakt',
+  'settings.mcp.modal.createdWarning': 'Dit token wordt slechts één keer getoond. Kopieer en bewaar het nu — het kan niet worden hersteld.',
+  'settings.mcp.modal.done': 'Klaar',
+  'settings.mcp.toast.created': 'Token aangemaakt',
+  'settings.mcp.toast.createError': 'Token aanmaken mislukt',
+  'settings.mcp.toast.deleted': 'Token verwijderd',
+  'settings.mcp.toast.deleteError': 'Token verwijderen mislukt',
   'settings.account': 'Account',
   'settings.username': 'Gebruikersnaam',
   'settings.email': 'E-mail',
@@ -212,6 +237,14 @@ const nl: Record<string, string> = {
   'settings.saveProfile': 'Profiel opslaan',
   'settings.mfa.title': 'Tweefactorauthenticatie (2FA)',
   'settings.mfa.description': 'Voegt een tweede stap toe bij het inloggen. Gebruik een authenticator-app (Google Authenticator, Authy, etc.).',
+  'settings.mfa.requiredByPolicy': 'Je beheerder vereist tweestapsverificatie. Stel hieronder een authenticator-app in voordat je verdergaat.',
+  'settings.mfa.backupTitle': 'Back-upcodes',
+  'settings.mfa.backupDescription': 'Gebruik deze eenmalige codes als je geen toegang meer hebt tot je authenticator-app.',
+  'settings.mfa.backupWarning': 'Sla deze codes nu op. Elke code kan maar een keer worden gebruikt.',
+  'settings.mfa.backupCopy': 'Codes kopiëren',
+  'settings.mfa.backupDownload': 'TXT downloaden',
+  'settings.mfa.backupPrint': 'Afdrukken / PDF',
+  'settings.mfa.backupCopied': 'Back-upcodes gekopieerd',
   'settings.mfa.enabled': '2FA is ingeschakeld op je account.',
   'settings.mfa.disabled': '2FA is niet ingeschakeld.',
   'settings.mfa.setup': 'Authenticator instellen',
@@ -365,6 +398,8 @@ const nl: Record<string, string> = {
   'admin.tabs.settings': 'Instellingen',
   'admin.allowRegistration': 'Registratie toestaan',
   'admin.allowRegistrationHint': 'Nieuwe gebruikers kunnen zichzelf registreren',
+  'admin.requireMfa': 'Tweestapsverificatie (2FA) verplicht stellen',
+  'admin.requireMfaHint': 'Gebruikers zonder 2FA moeten de installatie in Instellingen voltooien voordat ze de app kunnen gebruiken.',
   'admin.apiKeys': 'API-sleutels',
   'admin.apiKeysHint': 'Optioneel. Schakelt uitgebreide plaatsgegevens in zoals foto\'s en weer.',
   'admin.mapsKey': 'Google Maps API-sleutel',
@@ -418,8 +453,10 @@ const nl: Record<string, string> = {
   'admin.tabs.addons': 'Add-ons',
   'admin.addons.title': 'Add-ons',
   'admin.addons.subtitle': 'Schakel functies in of uit om je TREK-ervaring aan te passen.',
-  'admin.addons.catalog.memories.name': 'Herinneringen',
-  'admin.addons.catalog.memories.description': 'Gedeelde fotoalbums voor elke reis',
+  'admin.addons.catalog.memories.name': 'Foto\'s (Immich)',
+  'admin.addons.catalog.memories.description': 'Deel reisfoto\'s via je Immich-instantie',
+  'admin.addons.catalog.mcp.name': 'MCP',
+  'admin.addons.catalog.mcp.description': 'Model Context Protocol voor AI-assistent integratie',
   'admin.addons.catalog.packing.name': 'Inpakken',
   'admin.addons.catalog.packing.description': 'Checklists om je bagage voor elke reis voor te bereiden',
   'admin.addons.catalog.budget.name': 'Budget',
@@ -438,8 +475,10 @@ const nl: Record<string, string> = {
   'admin.addons.disabled': 'Uitgeschakeld',
   'admin.addons.type.trip': 'Reis',
   'admin.addons.type.global': 'Globaal',
+  'admin.addons.type.integration': 'Integratie',
   'admin.addons.tripHint': 'Beschikbaar als tabblad binnen elke reis',
   'admin.addons.globalHint': 'Beschikbaar als zelfstandig onderdeel in de hoofdnavigatie',
+  'admin.addons.integrationHint': 'Backenddiensten en API-integraties zonder eigen pagina',
   'admin.addons.toast.updated': 'Add-on bijgewerkt',
   'admin.addons.toast.error': 'Add-on bijwerken mislukt',
   'admin.addons.noAddons': 'Geen add-ons beschikbaar',
@@ -455,6 +494,22 @@ const nl: Record<string, string> = {
   'admin.weather.requestsDesc': 'Gratis, geen API-sleutel vereist',
   'admin.weather.locationHint': 'Het weer is gebaseerd op de eerste plaats met coördinaten op elke dag. Als er geen plaats aan een dag is toegewezen, wordt een plaats uit de lijst als referentie gebruikt.',
 
+  // MCP Tokens
+  'admin.tabs.mcpTokens': 'MCP-tokens',
+  'admin.mcpTokens.title': 'MCP-tokens',
+  'admin.mcpTokens.subtitle': 'API-tokens van alle gebruikers beheren',
+  'admin.mcpTokens.owner': 'Eigenaar',
+  'admin.mcpTokens.tokenName': 'Tokennaam',
+  'admin.mcpTokens.created': 'Aangemaakt',
+  'admin.mcpTokens.lastUsed': 'Laatst gebruikt',
+  'admin.mcpTokens.never': 'Nooit',
+  'admin.mcpTokens.empty': 'Er zijn nog geen MCP-tokens aangemaakt',
+  'admin.mcpTokens.deleteTitle': 'Token verwijderen',
+  'admin.mcpTokens.deleteMessage': 'Dit token wordt onmiddellijk ingetrokken. De gebruiker verliest MCP-toegang via dit token.',
+  'admin.mcpTokens.deleteSuccess': 'Token verwijderd',
+  'admin.mcpTokens.deleteError': 'Token kon niet worden verwijderd',
+  'admin.mcpTokens.loadError': 'Tokens konden niet worden geladen',
+
   // GitHub
   'admin.tabs.github': 'GitHub',
 

client/src/i18n/translations/ru.ts

@@ -185,6 +185,31 @@ const ru: Record<string, string> = {
   'share.permCollab': 'Чат',
   'settings.on': 'Вкл.',
   'settings.off': 'Выкл.',
+  'settings.mcp.title': 'Настройка MCP',
+  'settings.mcp.endpoint': 'MCP-эндпоинт',
+  'settings.mcp.clientConfig': 'Конфигурация клиента',
+  'settings.mcp.clientConfigHint': 'Замените <your_token> на API-токен из списка ниже. Путь к npx может потребовать настройки для вашей системы (например, C:\\PROGRA~1\\nodejs\\npx.cmd в Windows).',
+  'settings.mcp.copy': 'Копировать',
+  'settings.mcp.copied': 'Скопировано!',
+  'settings.mcp.apiTokens': 'API-токены',
+  'settings.mcp.createToken': 'Создать токен',
+  'settings.mcp.noTokens': 'Токенов пока нет. Создайте один для подключения MCP-клиентов.',
+  'settings.mcp.tokenCreatedAt': 'Создан',
+  'settings.mcp.tokenUsedAt': 'Использован',
+  'settings.mcp.deleteTokenTitle': 'Удалить токен',
+  'settings.mcp.deleteTokenMessage': 'Этот токен перестанет работать немедленно. Любой MCP-клиент, использующий его, потеряет доступ.',
+  'settings.mcp.modal.createTitle': 'Создать API-токен',
+  'settings.mcp.modal.tokenName': 'Название токена',
+  'settings.mcp.modal.tokenNamePlaceholder': 'напр. Claude Desktop, Рабочий ноутбук',
+  'settings.mcp.modal.creating': 'Создание…',
+  'settings.mcp.modal.create': 'Создать токен',
+  'settings.mcp.modal.createdTitle': 'Токен создан',
+  'settings.mcp.modal.createdWarning': 'Этот токен будет показан только один раз. Скопируйте и сохраните его сейчас — восстановить его будет невозможно.',
+  'settings.mcp.modal.done': 'Готово',
+  'settings.mcp.toast.created': 'Токен создан',
+  'settings.mcp.toast.createError': 'Не удалось создать токен',
+  'settings.mcp.toast.deleted': 'Токен удалён',
+  'settings.mcp.toast.deleteError': 'Не удалось удалить токен',
   'settings.account': 'Аккаунт',
   'settings.username': 'Имя пользователя',
   'settings.email': 'Эл. почта',
@@ -212,6 +237,14 @@ const ru: Record<string, string> = {
   'settings.saveProfile': 'Сохранить профиль',
   'settings.mfa.title': 'Двухфакторная аутентификация (2FA)',
   'settings.mfa.description': 'Добавляет второй шаг при входе. Используйте приложение-аутентификатор (Google Authenticator, Authy и др.).',
+  'settings.mfa.requiredByPolicy': 'Администратор требует двухфакторную аутентификацию. Настройте приложение-аутентификатор ниже, прежде чем продолжить.',
+  'settings.mfa.backupTitle': 'Резервные коды',
+  'settings.mfa.backupDescription': 'Используйте эти одноразовые коды, если потеряете доступ к приложению-аутентификатору.',
+  'settings.mfa.backupWarning': 'Сохраните их сейчас. Каждый код можно использовать только один раз.',
+  'settings.mfa.backupCopy': 'Скопировать коды',
+  'settings.mfa.backupDownload': 'Скачать TXT',
+  'settings.mfa.backupPrint': 'Печать / PDF',
+  'settings.mfa.backupCopied': 'Резервные коды скопированы',
   'settings.mfa.enabled': '2FA включена для вашего аккаунта.',
   'settings.mfa.disabled': '2FA не включена.',
   'settings.mfa.setup': 'Настроить аутентификатор',
@@ -365,6 +398,8 @@ const ru: Record<string, string> = {
   'admin.tabs.settings': 'Настройки',
   'admin.allowRegistration': 'Разрешить регистрацию',
   'admin.allowRegistrationHint': 'Новые пользователи могут регистрироваться самостоятельно',
+  'admin.requireMfa': 'Требовать двухфакторную аутентификацию (2FA)',
+  'admin.requireMfaHint': 'Пользователи без 2FA должны завершить настройку в разделе «Настройки» перед использованием приложения.',
   'admin.apiKeys': 'API-ключи',
   'admin.apiKeysHint': 'Необязательно. Включает расширенные данные о местах, такие как фото и погода.',
   'admin.mapsKey': 'API-ключ Google Maps',
@@ -418,8 +453,10 @@ const ru: Record<string, string> = {
   'admin.tabs.addons': 'Дополнения',
   'admin.addons.title': 'Дополнения',
   'admin.addons.subtitle': 'Включайте или отключайте функции для настройки TREK под себя.',
-  'admin.addons.catalog.memories.name': 'Воспоминания',
-  'admin.addons.catalog.memories.description': 'Общие фотоальбомы для каждой поездки',
+  'admin.addons.catalog.memories.name': 'Фото (Immich)',
+  'admin.addons.catalog.memories.description': 'Делитесь фотографиями из поездок через Immich',
+  'admin.addons.catalog.mcp.name': 'MCP',
+  'admin.addons.catalog.mcp.description': 'Протокол контекста модели для интеграции с ИИ-ассистентами',
   'admin.addons.catalog.packing.name': 'Сборы',
   'admin.addons.catalog.packing.description': 'Чек-листы для подготовки багажа к каждой поездке',
   'admin.addons.catalog.budget.name': 'Бюджет',
@@ -438,8 +475,10 @@ const ru: Record<string, string> = {
   'admin.addons.disabled': 'Отключено',
   'admin.addons.type.trip': 'Поездка',
   'admin.addons.type.global': 'Глобально',
+  'admin.addons.type.integration': 'Интеграция',
   'admin.addons.tripHint': 'Доступно как вкладка внутри каждой поездки',
   'admin.addons.globalHint': 'Доступно как отдельный раздел в основной навигации',
+  'admin.addons.integrationHint': 'Фоновые сервисы и API-интеграции без отдельной страницы',
   'admin.addons.toast.updated': 'Дополнение обновлено',
   'admin.addons.toast.error': 'Не удалось обновить дополнение',
   'admin.addons.noAddons': 'Нет доступных дополнений',
@@ -455,6 +494,22 @@ const ru: Record<string, string> = {
   'admin.weather.requestsDesc': 'Бесплатно, API-ключ не требуется',
   'admin.weather.locationHint': 'Погода основана на первом месте с координатами в каждом дне. Если ни одно место не назначено на день, в качестве ориентира используется любое место из списка.',
 
+  // MCP Tokens
+  'admin.tabs.mcpTokens': 'MCP-токены',
+  'admin.mcpTokens.title': 'MCP-токены',
+  'admin.mcpTokens.subtitle': 'Управление API-токенами всех пользователей',
+  'admin.mcpTokens.owner': 'Владелец',
+  'admin.mcpTokens.tokenName': 'Название токена',
+  'admin.mcpTokens.created': 'Создан',
+  'admin.mcpTokens.lastUsed': 'Последнее использование',
+  'admin.mcpTokens.never': 'Никогда',
+  'admin.mcpTokens.empty': 'MCP-токены ещё не созданы',
+  'admin.mcpTokens.deleteTitle': 'Удалить токен',
+  'admin.mcpTokens.deleteMessage': 'Токен будет немедленно отозван. Пользователь потеряет доступ к MCP через этот токен.',
+  'admin.mcpTokens.deleteSuccess': 'Токен удалён',
+  'admin.mcpTokens.deleteError': 'Не удалось удалить токен',
+  'admin.mcpTokens.loadError': 'Не удалось загрузить токены',
+
   // GitHub
   'admin.tabs.github': 'GitHub',
 

client/src/i18n/translations/zh.ts

@@ -185,6 +185,31 @@ const zh: Record<string, string> = {
   'share.permCollab': '聊天',
   'settings.on': '开',
   'settings.off': '关',
+  'settings.mcp.title': 'MCP 配置',
+  'settings.mcp.endpoint': 'MCP 端点',
+  'settings.mcp.clientConfig': '客户端配置',
+  'settings.mcp.clientConfigHint': '将 <your_token> 替换为下方列表中的 API 令牌。npx 的路径可能需要根据您的系统进行调整（例如 Windows 上为 C:\\PROGRA~1\\nodejs\\npx.cmd）。',
+  'settings.mcp.copy': '复制',
+  'settings.mcp.copied': '已复制！',
+  'settings.mcp.apiTokens': 'API 令牌',
+  'settings.mcp.createToken': '创建新令牌',
+  'settings.mcp.noTokens': '暂无令牌，请创建一个以连接 MCP 客户端。',
+  'settings.mcp.tokenCreatedAt': '创建于',
+  'settings.mcp.tokenUsedAt': '使用于',
+  'settings.mcp.deleteTokenTitle': '删除令牌',
+  'settings.mcp.deleteTokenMessage': '此令牌将立即失效，使用它的所有 MCP 客户端将失去访问权限。',
+  'settings.mcp.modal.createTitle': '创建 API 令牌',
+  'settings.mcp.modal.tokenName': '令牌名称',
+  'settings.mcp.modal.tokenNamePlaceholder': '例如：Claude Desktop、工作电脑',
+  'settings.mcp.modal.creating': '创建中…',
+  'settings.mcp.modal.create': '创建令牌',
+  'settings.mcp.modal.createdTitle': '令牌已创建',
+  'settings.mcp.modal.createdWarning': '此令牌只会显示一次，请立即复制并妥善保存——无法找回。',
+  'settings.mcp.modal.done': '完成',
+  'settings.mcp.toast.created': '令牌已创建',
+  'settings.mcp.toast.createError': '创建令牌失败',
+  'settings.mcp.toast.deleted': '令牌已删除',
+  'settings.mcp.toast.deleteError': '删除令牌失败',
   'settings.account': '账户',
   'settings.username': '用户名',
   'settings.email': '邮箱',
@@ -212,6 +237,14 @@ const zh: Record<string, string> = {
   'settings.saveProfile': '保存资料',
   'settings.mfa.title': '双因素认证 (2FA)',
   'settings.mfa.description': '登录时添加第二步验证。使用身份验证器应用（Google Authenticator、Authy 等）。',
+  'settings.mfa.requiredByPolicy': '管理员要求双因素身份验证。请先完成下方的身份验证器设置后再继续。',
+  'settings.mfa.backupTitle': '备用代码',
+  'settings.mfa.backupDescription': '如果你无法使用身份验证器应用，可使用这些一次性备用代码登录。',
+  'settings.mfa.backupWarning': '请立即保存这些代码。每个代码只能使用一次。',
+  'settings.mfa.backupCopy': '复制代码',
+  'settings.mfa.backupDownload': '下载 TXT',
+  'settings.mfa.backupPrint': '打印 / PDF',
+  'settings.mfa.backupCopied': '备用代码已复制',
   'settings.mfa.enabled': '您的账户已启用 2FA。',
   'settings.mfa.disabled': '2FA 未启用。',
   'settings.mfa.setup': '设置身份验证器',
@@ -365,6 +398,8 @@ const zh: Record<string, string> = {
   'admin.tabs.settings': '设置',
   'admin.allowRegistration': '允许注册',
   'admin.allowRegistrationHint': '新用户可以自行注册',
+  'admin.requireMfa': '要求双因素身份验证（2FA）',
+  'admin.requireMfaHint': '未启用 2FA 的用户必须先完成设置中的配置才能使用应用。',
   'admin.apiKeys': 'API 密钥',
   'admin.apiKeysHint': '可选。启用地点的扩展数据，如照片和天气。',
   'admin.mapsKey': 'Google Maps API 密钥',
@@ -418,8 +453,10 @@ const zh: Record<string, string> = {
   'admin.tabs.addons': '扩展',
   'admin.addons.title': '扩展',
   'admin.addons.subtitle': '启用或禁用功能以自定义你的 TREK 体验。',
-  'admin.addons.catalog.memories.name': '回忆',
-  'admin.addons.catalog.memories.description': '每次旅行的共享相册',
+  'admin.addons.catalog.memories.name': '照片 (Immich)',
+  'admin.addons.catalog.memories.description': '通过 Immich 实例分享旅行照片',
+  'admin.addons.catalog.mcp.name': 'MCP',
+  'admin.addons.catalog.mcp.description': '用于 AI 助手集成的模型上下文协议',
   'admin.addons.catalog.packing.name': '行李',
   'admin.addons.catalog.packing.description': '每次旅行的行李准备清单',
   'admin.addons.catalog.budget.name': '预算',
@@ -438,8 +475,10 @@ const zh: Record<string, string> = {
   'admin.addons.disabled': '已禁用',
   'admin.addons.type.trip': '旅行',
   'admin.addons.type.global': '全局',
+  'admin.addons.type.integration': '集成',
   'admin.addons.tripHint': '在每次旅行中作为标签页显示',
   'admin.addons.globalHint': '在主导航中作为独立板块显示',
+  'admin.addons.integrationHint': '后端服务和 API 集成，无专属页面',
   'admin.addons.toast.updated': '扩展已更新',
   'admin.addons.toast.error': '更新扩展失败',
   'admin.addons.noAddons': '暂无可用扩展',
@@ -455,6 +494,22 @@ const zh: Record<string, string> = {
   'admin.weather.requestsDesc': '免费，无需 API 密钥',
   'admin.weather.locationHint': '天气基于每天中第一个有坐标的地点。如果当天没有分配地点，则使用地点列表中的任意地点作为参考。',
 
+  // MCP Tokens
+  'admin.tabs.mcpTokens': 'MCP 令牌',
+  'admin.mcpTokens.title': 'MCP 令牌',
+  'admin.mcpTokens.subtitle': '管理所有用户的 API 令牌',
+  'admin.mcpTokens.owner': '所有者',
+  'admin.mcpTokens.tokenName': '令牌名称',
+  'admin.mcpTokens.created': '创建时间',
+  'admin.mcpTokens.lastUsed': '最后使用',
+  'admin.mcpTokens.never': '从未',
+  'admin.mcpTokens.empty': '尚未创建任何 MCP 令牌',
+  'admin.mcpTokens.deleteTitle': '删除令牌',
+  'admin.mcpTokens.deleteMessage': '此令牌将立即被撤销。用户将失去通过此令牌的 MCP 访问权限。',
+  'admin.mcpTokens.deleteSuccess': '令牌已删除',
+  'admin.mcpTokens.deleteError': '删除令牌失败',
+  'admin.mcpTokens.loadError': '加载令牌失败',
+
   // GitHub
   'admin.tabs.github': 'GitHub',
 

client/src/pages/AdminPage.tsx

@@ -14,6 +14,7 @@ import GitHubPanel from '../components/Admin/GitHubPanel'
 import AddonManager from '../components/Admin/AddonManager'
 import PackingTemplateManager from '../components/Admin/PackingTemplateManager'
 import AuditLogPanel from '../components/Admin/AuditLogPanel'
+import AdminMcpTokensPanel from '../components/Admin/AdminMcpTokensPanel'
 import { Users, Map, Briefcase, Shield, Trash2, Edit2, Camera, FileText, Eye, EyeOff, Save, CheckCircle, XCircle, Loader2, UserPlus, ArrowUpCircle, ExternalLink, Download, AlertTriangle, RefreshCw, GitBranch, Sun, Link2, Copy, Plus } from 'lucide-react'
 import CustomSelect from '../components/shared/CustomSelect'
 
@@ -63,6 +64,7 @@ export default function AdminPage(): React.ReactElement {
     { id: 'settings', label: t('admin.tabs.settings') },
     { id: 'backup', label: t('admin.tabs.backup') },
     { id: 'audit', label: t('admin.tabs.audit') },
+    { id: 'mcp-tokens', label: t('admin.tabs.mcpTokens') },
     { id: 'github', label: t('admin.tabs.github') },
   ]
 
@@ -85,6 +87,7 @@ export default function AdminPage(): React.ReactElement {
 
   // Registration toggle
   const [allowRegistration, setAllowRegistration] = useState<boolean>(true)
+  const [requireMfa, setRequireMfa] = useState<boolean>(false)
 
   // Invite links
   const [invites, setInvites] = useState<any[]>([])
@@ -119,7 +122,7 @@ export default function AdminPage(): React.ReactElement {
   const [updating, setUpdating] = useState<boolean>(false)
   const [updateResult, setUpdateResult] = useState<'success' | 'error' | null>(null)
 
-  const { user: currentUser, updateApiKeys } = useAuthStore()
+  const { user: currentUser, updateApiKeys, setAppRequireMfa } = useAuthStore()
   const navigate = useNavigate()
   const toast = useToast()
 
@@ -155,6 +158,7 @@ export default function AdminPage(): React.ReactElement {
     try {
       const config = await authApi.getAppConfig()
       setAllowRegistration(config.allow_registration)
+      if (config.require_mfa !== undefined) setRequireMfa(!!config.require_mfa)
       if (config.allowed_file_types) setAllowedFileTypes(config.allowed_file_types)
     } catch (err: unknown) {
       // ignore
@@ -201,6 +205,18 @@ export default function AdminPage(): React.ReactElement {
     }
   }
 
+  const handleToggleRequireMfa = async (value: boolean) => {
+    setRequireMfa(value)
+    try {
+      await authApi.updateAppSettings({ require_mfa: value })
+      setAppRequireMfa(value)
+      toast.success(t('common.saved'))
+    } catch (err: unknown) {
+      setRequireMfa(!value)
+      toast.error(getApiErrorMessage(err, t('common.error')))
+    }
+  }
+
   const toggleKey = (key) => {
     setShowKeys(prev => ({ ...prev, [key]: !prev[key] }))
   }
@@ -706,6 +722,34 @@ export default function AdminPage(): React.ReactElement {
                 </div>
               </div>
 
+              {/* Require 2FA for all users */}
+              <div className="bg-white rounded-xl border border-slate-200 overflow-hidden">
+                <div className="px-6 py-4 border-b border-slate-100">
+                  <h2 className="font-semibold text-slate-900">{t('admin.requireMfa')}</h2>
+                </div>
+                <div className="p-6">
+                  <div className="flex items-center justify-between">
+                    <div>
+                      <p className="text-sm font-medium text-slate-700">{t('admin.requireMfa')}</p>
+                      <p className="text-xs text-slate-400 mt-0.5">{t('admin.requireMfaHint')}</p>
+                    </div>
+                    <button
+                      type="button"
+                      onClick={() => handleToggleRequireMfa(!requireMfa)}
+                      className={`relative inline-flex h-6 w-11 items-center rounded-full transition-colors ${
+                        requireMfa ? 'bg-slate-900' : 'bg-slate-300'
+                      }`}
+                    >
+                      <span
+                        className={`inline-block h-4 w-4 transform rounded-full bg-white transition-transform ${
+                          requireMfa ? 'translate-x-6' : 'translate-x-1'
+                        }`}
+                      />
+                    </button>
+                  </div>
+                </div>
+              </div>
+
               {/* Allowed File Types */}
               <div className="bg-white rounded-xl border border-slate-200 overflow-hidden">
                 <div className="px-6 py-4 border-b border-slate-100">
@@ -997,6 +1041,8 @@ export default function AdminPage(): React.ReactElement {
 
           {activeTab === 'audit' && <AuditLogPanel />}
 
+          {activeTab === 'mcp-tokens' && <AdminMcpTokensPanel />}
+
           {activeTab === 'github' && <GitHubPanel />}
         </div>
       </div>

client/src/pages/LoginPage.tsx

@@ -544,11 +544,11 @@ export default function LoginPage(): React.ReactElement {
                     <KeyRound size={15} style={{ position: 'absolute', left: 13, top: '50%', transform: 'translateY(-50%)', color: '#9ca3af', pointerEvents: 'none' }} />
                     <input
                       type="text"
-                      inputMode="numeric"
+                      inputMode="text"
                       autoComplete="one-time-code"
                       value={mfaCode}
-                      onChange={(e: React.ChangeEvent<HTMLInputElement>) => setMfaCode(e.target.value.replace(/\D/g, '').slice(0, 8))}
-                      placeholder="000000"
+                      onChange={(e: React.ChangeEvent<HTMLInputElement>) => setMfaCode(e.target.value.toUpperCase().slice(0, 24))}
+                      placeholder="000000 or XXXX-XXXX"
                       required
                       style={inputBase}
                       onFocus={(e: React.FocusEvent<HTMLInputElement>) => e.target.style.borderColor = '#111827'}

client/src/pages/SettingsPage.tsx

@@ -1,14 +1,15 @@
 import React, { useState, useEffect } from 'react'
-import { useNavigate } from 'react-router-dom'
+import { useNavigate, useSearchParams } from 'react-router-dom'
 import { useAuthStore } from '../store/authStore'
 import { useSettingsStore } from '../store/settingsStore'
 import { SUPPORTED_LANGUAGES, useTranslation } from '../i18n'
 import Navbar from '../components/Layout/Navbar'
 import CustomSelect from '../components/shared/CustomSelect'
 import { useToast } from '../components/shared/Toast'
-import { Save, Map, Palette, User, Moon, Sun, Monitor, Shield, Camera, Trash2, Lock, KeyRound } from 'lucide-react'
+import { Save, Map, Palette, User, Moon, Sun, Monitor, Shield, Camera, Trash2, Lock, KeyRound, AlertTriangle, Copy, Download, Printer, Terminal, Plus, Check } from 'lucide-react'
 import { authApi, adminApi, notificationsApi } from '../api/client'
 import apiClient from '../api/client'
+import { useAddonStore } from '../store/addonStore'
 import type { LucideIcon } from 'lucide-react'
 import type { UserWithOidc } from '../types'
 import { getApiErrorMessage } from '../types'
@@ -18,6 +19,15 @@ interface MapPreset {
   url: string
 }
 
+const MFA_BACKUP_SESSION_KEY = 'trek_mfa_backup_codes_pending'
+interface McpToken {
+  id: number
+  name: string
+  token_prefix: string
+  created_at: string
+  last_used_at: string | null
+}
+
 const MAP_PRESETS: MapPreset[] = [
   { name: 'OpenStreetMap', url: 'https://{s}.tile.openstreetmap.org/{z}/{x}/{y}.png' },
   { name: 'OpenStreetMap DE', url: 'https://tile.openstreetmap.de/{z}/{x}/{y}.png' },
@@ -101,36 +111,39 @@ function NotificationPreferences({ t, memoriesEnabled }: { t: any; memoriesEnabl
 }
 
 export default function SettingsPage(): React.ReactElement {
-  const { user, updateProfile, uploadAvatar, deleteAvatar, logout, loadUser, demoMode } = useAuthStore()
+  const { user, updateProfile, uploadAvatar, deleteAvatar, logout, loadUser, demoMode, appRequireMfa } = useAuthStore()
+  const [searchParams] = useSearchParams()
   const [showDeleteConfirm, setShowDeleteConfirm] = useState<boolean | 'blocked'>(false)
   const avatarInputRef = React.useRef<HTMLInputElement>(null)
   const { settings, updateSetting, updateSettings } = useSettingsStore()
+  const { isEnabled: addonEnabled, loadAddons } = useAddonStore()
   const { t, locale } = useTranslation()
   const toast = useToast()
   const navigate = useNavigate()
 
   const [saving, setSaving] = useState<Record<string, boolean>>({})
 
-  // Immich
-  const [memoriesEnabled, setMemoriesEnabled] = useState(false)
+  // Addon gating (derived from store)
+  const memoriesEnabled = addonEnabled('memories')
+  const mcpEnabled = addonEnabled('mcp')
   const [immichUrl, setImmichUrl] = useState('')
   const [immichApiKey, setImmichApiKey] = useState('')
   const [immichConnected, setImmichConnected] = useState(false)
   const [immichTesting, setImmichTesting] = useState(false)
 
   useEffect(() => {
-    apiClient.get('/addons').then(r => {
-      const mem = r.data.addons?.find((a: any) => a.id === 'memories' && a.enabled)
-      setMemoriesEnabled(!!mem)
-      if (mem) {
-        apiClient.get('/integrations/immich/settings').then(r2 => {
-          setImmichUrl(r2.data.immich_url || '')
-          setImmichConnected(r2.data.connected)
-        }).catch(() => {})
-      }
-    }).catch(() => {})
+    loadAddons()
   }, [])
 
+  useEffect(() => {
+    if (memoriesEnabled) {
+      apiClient.get('/integrations/immich/settings').then(r2 => {
+        setImmichUrl(r2.data.immich_url || '')
+        setImmichConnected(r2.data.connected)
+      }).catch(() => {})
+    }
+  }, [memoriesEnabled])
+
   const handleSaveImmich = async () => {
     setSaving(s => ({ ...s, immich: true }))
     try {
@@ -164,6 +177,67 @@ export default function SettingsPage(): React.ReactElement {
     }
   }
 
+  // MCP tokens
+  const [mcpTokens, setMcpTokens] = useState<McpToken[]>([])
+  const [mcpModalOpen, setMcpModalOpen] = useState(false)
+  const [mcpNewName, setMcpNewName] = useState('')
+  const [mcpCreatedToken, setMcpCreatedToken] = useState<string | null>(null)
+  const [mcpCreating, setMcpCreating] = useState(false)
+  const [mcpDeleteId, setMcpDeleteId] = useState<number | null>(null)
+  const [copiedKey, setCopiedKey] = useState<string | null>(null)
+
+  useEffect(() => {
+    authApi.mcpTokens.list().then(d => setMcpTokens(d.tokens || [])).catch(() => {})
+  }, [])
+
+  const handleCreateMcpToken = async () => {
+    if (!mcpNewName.trim()) return
+    setMcpCreating(true)
+    try {
+      const d = await authApi.mcpTokens.create(mcpNewName.trim())
+      setMcpCreatedToken(d.token.raw_token)
+      setMcpNewName('')
+      setMcpTokens(prev => [{ id: d.token.id, name: d.token.name, token_prefix: d.token.token_prefix, created_at: d.token.created_at, last_used_at: null }, ...prev])
+    } catch {
+      toast.error(t('settings.mcp.toast.createError'))
+    } finally {
+      setMcpCreating(false)
+    }
+  }
+
+  const handleDeleteMcpToken = async (id: number) => {
+    try {
+      await authApi.mcpTokens.delete(id)
+      setMcpTokens(prev => prev.filter(tk => tk.id !== id))
+      setMcpDeleteId(null)
+      toast.success(t('settings.mcp.toast.deleted'))
+    } catch {
+      toast.error(t('settings.mcp.toast.deleteError'))
+    }
+  }
+
+  const handleCopy = (text: string, key: string) => {
+    navigator.clipboard.writeText(text).then(() => {
+      setCopiedKey(key)
+      setTimeout(() => setCopiedKey(null), 2000)
+    })
+  }
+
+  const mcpEndpoint = `${window.location.origin}/mcp`
+  const mcpJsonConfig = `{
+  "mcpServers": {
+    "trek": {
+      "command": "npx",
+      "args": [
+        "mcp-remote",
+        "${mcpEndpoint}",
+        "--header",
+        "Authorization: Bearer <your_token>"
+      ]
+    }
+  }
+}`
+
   // Map settings
   const [mapTileUrl, setMapTileUrl] = useState<string>(settings.map_tile_url || '')
   const [defaultLat, setDefaultLat] = useState<number | string>(settings.default_lat || 48.8566)
@@ -193,6 +267,71 @@ export default function SettingsPage(): React.ReactElement {
   const [mfaDisablePwd, setMfaDisablePwd] = useState('')
   const [mfaDisableCode, setMfaDisableCode] = useState('')
   const [mfaLoading, setMfaLoading] = useState(false)
+  const mfaRequiredByPolicy =
+    !demoMode &&
+    !user?.mfa_enabled &&
+    (searchParams.get('mfa') === 'required' || appRequireMfa)
+
+  const [backupCodes, setBackupCodes] = useState<string[] | null>(null)
+
+  const backupCodesText = backupCodes?.join('\n') || ''
+
+  // Restore backup codes panel after refresh (loadUser silent fix + sessionStorage)
+  useEffect(() => {
+    if (!user?.mfa_enabled || backupCodes) return
+    try {
+      const raw = sessionStorage.getItem(MFA_BACKUP_SESSION_KEY)
+      if (!raw) return
+      const parsed = JSON.parse(raw) as unknown
+      if (Array.isArray(parsed) && parsed.length > 0 && parsed.every((x) => typeof x === 'string')) {
+        setBackupCodes(parsed)
+      }
+    } catch {
+      sessionStorage.removeItem(MFA_BACKUP_SESSION_KEY)
+    }
+  }, [user?.mfa_enabled, backupCodes])
+
+  const dismissBackupCodes = (): void => {
+    sessionStorage.removeItem(MFA_BACKUP_SESSION_KEY)
+    setBackupCodes(null)
+  }
+
+  const copyBackupCodes = async (): Promise<void> => {
+    if (!backupCodesText) return
+    try {
+      await navigator.clipboard.writeText(backupCodesText)
+      toast.success(t('settings.mfa.backupCopied'))
+    } catch {
+      toast.error(t('common.error'))
+    }
+  }
+
+  const downloadBackupCodes = (): void => {
+    if (!backupCodesText) return
+    const blob = new Blob([backupCodesText + '\n'], { type: 'text/plain;charset=utf-8' })
+    const url = URL.createObjectURL(blob)
+    const a = document.createElement('a')
+    a.href = url
+    a.download = 'trek-mfa-backup-codes.txt'
+    document.body.appendChild(a)
+    a.click()
+    a.remove()
+    URL.revokeObjectURL(url)
+  }
+
+  const printBackupCodes = (): void => {
+    if (!backupCodesText) return
+    const html = `<!doctype html><html><head><meta charset="utf-8"/><title>TREK MFA Backup Codes</title>
+      <style>body{font-family:Arial,sans-serif;padding:32px}h1{font-size:20px}pre{font-size:16px;line-height:1.6}</style>
+      </head><body><h1>TREK MFA Backup Codes</h1><p>${new Date().toLocaleString()}</p><pre>${backupCodesText}</pre></body></html>`
+    const w = window.open('', '_blank', 'width=900,height=700')
+    if (!w) return
+    w.document.open()
+    w.document.write(html)
+    w.document.close()
+    w.focus()
+    w.print()
+  }
 
   useEffect(() => {
     setMapTileUrl(settings.map_tile_url || '')
@@ -572,6 +711,162 @@ export default function SettingsPage(): React.ReactElement {
             </Section>
           )}
 
+          {/* MCP Configuration — only when MCP addon is enabled */}
+          {mcpEnabled && <Section title={t('settings.mcp.title')} icon={Terminal}>
+            {/* Endpoint URL */}
+            <div>
+              <label className="block text-sm font-medium mb-1.5" style={{ color: 'var(--text-secondary)' }}>{t('settings.mcp.endpoint')}</label>
+              <div className="flex items-center gap-2">
+                <code className="flex-1 px-3 py-2 rounded-lg text-sm font-mono border" style={{ background: 'var(--bg-secondary)', borderColor: 'var(--border-primary)', color: 'var(--text-primary)' }}>
+                  {mcpEndpoint}
+                </code>
+                <button onClick={() => handleCopy(mcpEndpoint, 'endpoint')}
+                  className="p-2 rounded-lg border transition-colors hover:bg-slate-100 dark:hover:bg-slate-700"
+                  style={{ borderColor: 'var(--border-primary)' }} title={t('settings.mcp.copy')}>
+                  {copiedKey === 'endpoint' ? <Check className="w-4 h-4 text-green-500" /> : <Copy className="w-4 h-4" style={{ color: 'var(--text-secondary)' }} />}
+                </button>
+              </div>
+            </div>
+
+            {/* JSON config box */}
+            <div>
+              <div className="flex items-center justify-between mb-1.5">
+                <label className="block text-sm font-medium" style={{ color: 'var(--text-secondary)' }}>{t('settings.mcp.clientConfig')}</label>
+                <button onClick={() => handleCopy(mcpJsonConfig, 'json')}
+                  className="flex items-center gap-1.5 px-2.5 py-1 rounded text-xs border transition-colors hover:bg-slate-100 dark:hover:bg-slate-700"
+                  style={{ borderColor: 'var(--border-primary)', color: 'var(--text-secondary)' }}>
+                  {copiedKey === 'json' ? <Check className="w-3 h-3 text-green-500" /> : <Copy className="w-3 h-3" />}
+                  {copiedKey === 'json' ? t('settings.mcp.copied') : t('settings.mcp.copy')}
+                </button>
+              </div>
+              <pre className="p-3 rounded-lg text-xs font-mono overflow-x-auto border" style={{ background: 'var(--bg-secondary)', borderColor: 'var(--border-primary)', color: 'var(--text-primary)' }}>
+                {mcpJsonConfig}
+              </pre>
+              <p className="mt-1.5 text-xs" style={{ color: 'var(--text-tertiary)' }}>{t('settings.mcp.clientConfigHint')}</p>
+            </div>
+
+            {/* Token list */}
+            <div>
+              <div className="flex items-center justify-between mb-2">
+                <label className="text-sm font-medium" style={{ color: 'var(--text-secondary)' }}>{t('settings.mcp.apiTokens')}</label>
+                <button onClick={() => { setMcpModalOpen(true); setMcpCreatedToken(null); setMcpNewName('') }}
+                  className="flex items-center gap-1.5 px-3 py-1.5 rounded-lg text-sm font-medium transition-colors"
+                  style={{ background: 'var(--accent-primary, #4f46e5)', color: '#fff' }}>
+                  <Plus className="w-3.5 h-3.5" /> {t('settings.mcp.createToken')}
+                </button>
+              </div>
+
+              {mcpTokens.length === 0 ? (
+                <p className="text-sm py-3 text-center rounded-lg border" style={{ color: 'var(--text-tertiary)', borderColor: 'var(--border-primary)' }}>
+                  {t('settings.mcp.noTokens')}
+                </p>
+              ) : (
+                <div className="rounded-lg border overflow-hidden" style={{ borderColor: 'var(--border-primary)' }}>
+                  {mcpTokens.map((token, i) => (
+                    <div key={token.id} className="flex items-center gap-3 px-4 py-3"
+                      style={{ borderBottom: i < mcpTokens.length - 1 ? '1px solid var(--border-primary)' : undefined }}>
+                      <div className="flex-1 min-w-0">
+                        <p className="text-sm font-medium truncate" style={{ color: 'var(--text-primary)' }}>{token.name}</p>
+                        <p className="text-xs font-mono mt-0.5" style={{ color: 'var(--text-tertiary)' }}>
+                          {token.token_prefix}...
+                          <span className="ml-3 font-sans">{t('settings.mcp.tokenCreatedAt')} {new Date(token.created_at).toLocaleDateString(locale)}</span>
+                          {token.last_used_at && (
+                            <span className="ml-2">· {t('settings.mcp.tokenUsedAt')} {new Date(token.last_used_at).toLocaleDateString(locale)}</span>
+                          )}
+                        </p>
+                      </div>
+                      <button onClick={() => setMcpDeleteId(token.id)}
+                        className="p-1.5 rounded-lg transition-colors hover:bg-red-50 hover:text-red-600 dark:hover:bg-red-900/20"
+                        style={{ color: 'var(--text-tertiary)' }} title={t('settings.mcp.deleteTokenTitle')}>
+                        <Trash2 className="w-4 h-4" />
+                      </button>
+                    </div>
+                  ))}
+                </div>
+              )}
+            </div>
+          </Section>}
+
+          {/* Create MCP Token modal */}
+          {mcpModalOpen && (
+            <div className="fixed inset-0 z-50 flex items-center justify-center p-4" style={{ background: 'rgba(0,0,0,0.5)' }}
+              onClick={e => { if (e.target === e.currentTarget && !mcpCreatedToken) { setMcpModalOpen(false) } }}>
+              <div className="rounded-xl shadow-xl w-full max-w-md p-6 space-y-4" style={{ background: 'var(--bg-card)' }}>
+                {!mcpCreatedToken ? (
+                  <>
+                    <h3 className="text-lg font-semibold" style={{ color: 'var(--text-primary)' }}>{t('settings.mcp.modal.createTitle')}</h3>
+                    <div>
+                      <label className="block text-sm font-medium mb-1.5" style={{ color: 'var(--text-secondary)' }}>{t('settings.mcp.modal.tokenName')}</label>
+                      <input type="text" value={mcpNewName} onChange={e => setMcpNewName(e.target.value)}
+                        onKeyDown={e => e.key === 'Enter' && handleCreateMcpToken()}
+                        placeholder={t('settings.mcp.modal.tokenNamePlaceholder')}
+                        className="w-full px-3 py-2.5 border rounded-lg text-sm focus:outline-none focus:ring-2 focus:ring-indigo-300"
+                        style={{ borderColor: 'var(--border-primary)', background: 'var(--bg-secondary)', color: 'var(--text-primary)' }}
+                        autoFocus />
+                    </div>
+                    <div className="flex gap-2 justify-end pt-1">
+                      <button onClick={() => setMcpModalOpen(false)}
+                        className="px-4 py-2 rounded-lg text-sm border" style={{ borderColor: 'var(--border-primary)', color: 'var(--text-secondary)' }}>
+                        {t('common.cancel')}
+                      </button>
+                      <button onClick={handleCreateMcpToken} disabled={!mcpNewName.trim() || mcpCreating}
+                        className="px-4 py-2 rounded-lg text-sm font-medium text-white disabled:opacity-50"
+                        style={{ background: 'var(--accent-primary, #4f46e5)' }}>
+                        {mcpCreating ? t('settings.mcp.modal.creating') : t('settings.mcp.modal.create')}
+                      </button>
+                    </div>
+                  </>
+                ) : (
+                  <>
+                    <h3 className="text-lg font-semibold" style={{ color: 'var(--text-primary)' }}>{t('settings.mcp.modal.createdTitle')}</h3>
+                    <div className="flex items-start gap-2 p-3 rounded-lg border border-amber-200" style={{ background: 'rgba(251,191,36,0.1)' }}>
+                      <span className="text-amber-500 mt-0.5">⚠</span>
+                      <p className="text-sm" style={{ color: 'var(--text-secondary)' }}>{t('settings.mcp.modal.createdWarning')}</p>
+                    </div>
+                    <div className="relative">
+                      <pre className="p-3 pr-10 rounded-lg text-xs font-mono break-all border whitespace-pre-wrap" style={{ background: 'var(--bg-secondary)', borderColor: 'var(--border-primary)', color: 'var(--text-primary)' }}>
+                        {mcpCreatedToken}
+                      </pre>
+                      <button onClick={() => handleCopy(mcpCreatedToken, 'new-token')}
+                        className="absolute top-2 right-2 p-1.5 rounded transition-colors hover:bg-slate-200 dark:hover:bg-slate-600"
+                        style={{ color: 'var(--text-secondary)' }} title={t('settings.mcp.copy')}>
+                        {copiedKey === 'new-token' ? <Check className="w-4 h-4 text-green-500" /> : <Copy className="w-4 h-4" />}
+                      </button>
+                    </div>
+                    <div className="flex justify-end">
+                      <button onClick={() => { setMcpModalOpen(false); setMcpCreatedToken(null) }}
+                        className="px-4 py-2 rounded-lg text-sm font-medium text-white"
+                        style={{ background: 'var(--accent-primary, #4f46e5)' }}>
+                        {t('settings.mcp.modal.done')}
+                      </button>
+                    </div>
+                  </>
+                )}
+              </div>
+            </div>
+          )}
+
+          {/* Delete MCP Token confirm */}
+          {mcpDeleteId !== null && (
+            <div className="fixed inset-0 z-50 flex items-center justify-center p-4" style={{ background: 'rgba(0,0,0,0.5)' }}
+              onClick={e => { if (e.target === e.currentTarget) setMcpDeleteId(null) }}>
+              <div className="rounded-xl shadow-xl w-full max-w-sm p-6 space-y-4" style={{ background: 'var(--bg-card)' }}>
+                <h3 className="text-base font-semibold" style={{ color: 'var(--text-primary)' }}>{t('settings.mcp.deleteTokenTitle')}</h3>
+                <p className="text-sm" style={{ color: 'var(--text-secondary)' }}>{t('settings.mcp.deleteTokenMessage')}</p>
+                <div className="flex gap-2 justify-end">
+                  <button onClick={() => setMcpDeleteId(null)}
+                    className="px-4 py-2 rounded-lg text-sm border" style={{ borderColor: 'var(--border-primary)', color: 'var(--text-secondary)' }}>
+                    {t('common.cancel')}
+                  </button>
+                  <button onClick={() => handleDeleteMcpToken(mcpDeleteId)}
+                    className="px-4 py-2 rounded-lg text-sm font-medium text-white bg-red-600 hover:bg-red-700">
+                    {t('settings.mcp.deleteTokenTitle')}
+                  </button>
+                </div>
+              </div>
+            </div>
+          )}
+
           {/* Account */}
           <Section title={t('settings.account')} icon={User}>
             <div>
@@ -652,6 +947,19 @@ export default function SettingsPage(): React.ReactElement {
                 <h3 className="font-semibold text-base m-0" style={{ color: 'var(--text-primary)' }}>{t('settings.mfa.title')}</h3>
               </div>
               <div className="space-y-3">
+                {mfaRequiredByPolicy && (
+                  <div
+                    className="flex gap-3 p-3 rounded-lg border text-sm"
+                    style={{
+                      background: 'var(--bg-secondary)',
+                      borderColor: 'var(--border-primary)',
+                      color: 'var(--text-primary)',
+                    }}
+                  >
+                    <AlertTriangle className="w-5 h-5 flex-shrink-0 text-amber-600" />
+                    <p className="m-0 leading-relaxed">{t('settings.mfa.requiredByPolicy')}</p>
+                  </div>
+                )}
                 <p className="text-sm m-0" style={{ color: 'var(--text-muted)', lineHeight: 1.5 }}>{t('settings.mfa.description')}</p>
                 {demoMode ? (
                   <p className="text-sm text-amber-700 m-0">{t('settings.mfa.demoBlocked')}</p>
@@ -709,12 +1017,21 @@ export default function SettingsPage(): React.ReactElement {
                             onClick={async () => {
                               setMfaLoading(true)
                               try {
-                                await authApi.mfaEnable({ code: mfaSetupCode })
+                                const resp = await authApi.mfaEnable({ code: mfaSetupCode }) as { backup_codes?: string[] }
                                 toast.success(t('settings.mfa.toastEnabled'))
                                 setMfaQr(null)
                                 setMfaSecret(null)
                                 setMfaSetupCode('')
-                                await loadUser()
+                                const codes = resp.backup_codes || null
+                                if (codes?.length) {
+                                  try {
+                                    sessionStorage.setItem(MFA_BACKUP_SESSION_KEY, JSON.stringify(codes))
+                                  } catch {
+                                    /* ignore quota / private mode */
+                                  }
+                                }
+                                setBackupCodes(codes)
+                                await loadUser({ silent: true })
                               } catch (err: unknown) {
                                 toast.error(getApiErrorMessage(err, t('common.error')))
                               } finally {
@@ -766,7 +1083,9 @@ export default function SettingsPage(): React.ReactElement {
                               toast.success(t('settings.mfa.toastDisabled'))
                               setMfaDisablePwd('')
                               setMfaDisableCode('')
-                              await loadUser()
+                              sessionStorage.removeItem(MFA_BACKUP_SESSION_KEY)
+                              setBackupCodes(null)
+                              await loadUser({ silent: true })
                             } catch (err: unknown) {
                               toast.error(getApiErrorMessage(err, t('common.error')))
                             } finally {
@@ -779,6 +1098,29 @@ export default function SettingsPage(): React.ReactElement {
                         </button>
                       </div>
                     )}
+
+                    {backupCodes && backupCodes.length > 0 && (
+                      <div className="space-y-3 p-3 rounded-lg border" style={{ borderColor: 'var(--border-primary)', background: 'var(--bg-hover)' }}>
+                        <p className="text-sm font-semibold m-0" style={{ color: 'var(--text-primary)' }}>{t('settings.mfa.backupTitle')}</p>
+                        <p className="text-xs m-0" style={{ color: 'var(--text-muted)' }}>{t('settings.mfa.backupDescription')}</p>
+                        <pre className="text-xs m-0 p-2 rounded border overflow-auto" style={{ borderColor: 'var(--border-primary)', background: 'var(--bg-card)', color: 'var(--text-primary)', maxHeight: 220 }}>{backupCodesText}</pre>
+                        <p className="text-xs m-0" style={{ color: '#b45309' }}>{t('settings.mfa.backupWarning')}</p>
+                        <div className="flex flex-wrap gap-2">
+                          <button type="button" onClick={copyBackupCodes} className="px-3 py-2 rounded-lg text-xs border flex items-center gap-1.5" style={{ borderColor: 'var(--border-primary)', color: 'var(--text-secondary)' }}>
+                            <Copy size={13} /> {t('settings.mfa.backupCopy')}
+                          </button>
+                          <button type="button" onClick={downloadBackupCodes} className="px-3 py-2 rounded-lg text-xs border flex items-center gap-1.5" style={{ borderColor: 'var(--border-primary)', color: 'var(--text-secondary)' }}>
+                            <Download size={13} /> {t('settings.mfa.backupDownload')}
+                          </button>
+                          <button type="button" onClick={printBackupCodes} className="px-3 py-2 rounded-lg text-xs border flex items-center gap-1.5" style={{ borderColor: 'var(--border-primary)', color: 'var(--text-secondary)' }}>
+                            <Printer size={13} /> {t('settings.mfa.backupPrint')}
+                          </button>
+                          <button type="button" onClick={dismissBackupCodes} className="px-3 py-2 rounded-lg text-xs border" style={{ borderColor: 'var(--border-primary)', color: 'var(--text-secondary)' }}>
+                            {t('common.ok')}
+                          </button>
+                        </div>
+                      </div>
+                    )}
                   </>
                 )}
               </div>

client/src/store/addonStore.ts

@@ -0,0 +1,35 @@
+import { create } from 'zustand'
+import { addonsApi } from '../api/client'
+
+interface Addon {
+  id: string
+  name: string
+  type: string
+  icon: string
+  enabled: boolean
+}
+
+interface AddonState {
+  addons: Addon[]
+  loaded: boolean
+  loadAddons: () => Promise<void>
+  isEnabled: (id: string) => boolean
+}
+
+export const useAddonStore = create<AddonState>((set, get) => ({
+  addons: [],
+  loaded: false,
+
+  loadAddons: async () => {
+    try {
+      const data = await addonsApi.enabled()
+      set({ addons: data.addons || [], loaded: true })
+    } catch {
+      set({ loaded: true })
+    }
+  },
+
+  isEnabled: (id: string) => {
+    return get().addons.some(a => a.id === id && a.enabled)
+  },
+}))

client/src/store/authStore.ts

@@ -24,12 +24,15 @@ interface AuthState {
   demoMode: boolean
   hasMapsKey: boolean
   serverTimezone: string
+  /** Server policy: all users must enable MFA */
+  appRequireMfa: boolean
 
   login: (email: string, password: string) => Promise<LoginResult>
   completeMfaLogin: (mfaToken: string, code: string) => Promise<AuthResponse>
   register: (username: string, email: string, password: string) => Promise<AuthResponse>
   logout: () => void
-  loadUser: () => Promise<void>
+  /** Pass `{ silent: true }` to refresh the user without toggling global isLoading (avoids unmounting protected routes). */
+  loadUser: (opts?: { silent?: boolean }) => Promise<void>
   updateMapsKey: (key: string | null) => Promise<void>
   updateApiKeys: (keys: Record<string, string | null>) => Promise<void>
   updateProfile: (profileData: Partial<User>) => Promise<void>
@@ -38,6 +41,7 @@ interface AuthState {
   setDemoMode: (val: boolean) => void
   setHasMapsKey: (val: boolean) => void
   setServerTimezone: (tz: string) => void
+  setAppRequireMfa: (val: boolean) => void
   demoLogin: () => Promise<AuthResponse>
 }
 
@@ -50,6 +54,7 @@ export const useAuthStore = create<AuthState>((set, get) => ({
   demoMode: localStorage.getItem('demo_mode') === 'true',
   hasMapsKey: false,
   serverTimezone: Intl.DateTimeFormat().resolvedOptions().timeZone,
+  appRequireMfa: false,
 
   login: async (email: string, password: string) => {
     set({ isLoading: true, error: null })
@@ -129,13 +134,14 @@ export const useAuthStore = create<AuthState>((set, get) => ({
     })
   },
 
-  loadUser: async () => {
+  loadUser: async (opts?: { silent?: boolean }) => {
+    const silent = !!opts?.silent
     const token = get().token
     if (!token) {
-      set({ isLoading: false })
+      if (!silent) set({ isLoading: false })
       return
     }
-    set({ isLoading: true })
+    if (!silent) set({ isLoading: true })
     try {
       const data = await authApi.me()
       set({
@@ -205,6 +211,7 @@ export const useAuthStore = create<AuthState>((set, get) => ({
 
   setHasMapsKey: (val: boolean) => set({ hasMapsKey: val }),
   setServerTimezone: (tz: string) => set({ serverTimezone: tz }),
+  setAppRequireMfa: (val: boolean) => set({ appRequireMfa: val }),
 
   demoLogin: async () => {
     set({ isLoading: true, error: null })

client/src/types.ts

@@ -281,6 +281,8 @@ export interface AppConfig {
   has_maps_key?: boolean
   allowed_file_types?: string
   timezone?: string
+  /** When true, users without MFA cannot use the app until they enable it */
+  require_mfa?: boolean
 }
 
 // Translation function type

client/vite.config.js

@@ -11,7 +11,7 @@ export default defineConfig({
         maximumFileSizeToCacheInBytes: 5 * 1024 * 1024,
         globPatterns: ['**/*.{js,css,html,svg,png,woff,woff2,ttf}'],
         navigateFallback: 'index.html',
-        navigateFallbackDenylist: [/^\/api/, /^\/uploads/],
+        navigateFallbackDenylist: [/^\/api/, /^\/uploads/, /^\/mcp/],
         runtimeCaching: [
           {
             // Carto map tiles (default provider)
@@ -101,6 +101,10 @@ export default defineConfig({
       '/ws': {
         target: 'http://localhost:3001',
         ws: true,
+      },
+      '/mcp': {
+        target: 'http://localhost:3001',
+        changeOrigin: true,
       }
     }
   }

server/package-lock.json

@@ -1,13 +1,14 @@
 {
   "name": "trek-server",
-  "version": "2.7.0",
+  "version": "2.7.1",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "trek-server",
-      "version": "2.7.0",
+      "version": "2.7.1",
       "dependencies": {
+        "@modelcontextprotocol/sdk": "^1.28.0",
         "archiver": "^6.0.1",
         "bcryptjs": "^2.4.3",
         "better-sqlite3": "^12.8.0",
@@ -26,7 +27,8 @@
         "typescript": "^6.0.2",
         "unzipper": "^0.12.3",
         "uuid": "^9.0.0",
-        "ws": "^8.19.0"
+        "ws": "^8.19.0",
+        "zod": "^4.3.6"
       },
       "devDependencies": {
         "@types/archiver": "^7.0.0",
@@ -462,6 +464,358 @@
         "node": ">=18"
       }
     },
+    "node_modules/@hono/node-server": {
+      "version": "1.19.11",
+      "resolved": "https://registry.npmjs.org/@hono/node-server/-/node-server-1.19.11.tgz",
+      "integrity": "sha512-dr8/3zEaB+p0D2n/IUrlPF1HZm586qgJNXK1a9fhg/PzdtkK7Ksd5l312tJX2yBuALqDYBlG20QEbayqPyxn+g==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=18.14.1"
+      },
+      "peerDependencies": {
+        "hono": "^4"
+      }
+    },
+    "node_modules/@modelcontextprotocol/sdk": {
+      "version": "1.28.0",
+      "resolved": "https://registry.npmjs.org/@modelcontextprotocol/sdk/-/sdk-1.28.0.tgz",
+      "integrity": "sha512-gmloF+i+flI8ouQK7MWW4mOwuMh4RePBuPFAEPC6+pdqyWOUMDOixb6qZ69owLJpz6XmyllCouc4t8YWO+E2Nw==",
+      "license": "MIT",
+      "dependencies": {
+        "@hono/node-server": "^1.19.9",
+        "ajv": "^8.17.1",
+        "ajv-formats": "^3.0.1",
+        "content-type": "^1.0.5",
+        "cors": "^2.8.5",
+        "cross-spawn": "^7.0.5",
+        "eventsource": "^3.0.2",
+        "eventsource-parser": "^3.0.0",
+        "express": "^5.2.1",
+        "express-rate-limit": "^8.2.1",
+        "hono": "^4.11.4",
+        "jose": "^6.1.3",
+        "json-schema-typed": "^8.0.2",
+        "pkce-challenge": "^5.0.0",
+        "raw-body": "^3.0.0",
+        "zod": "^3.25 || ^4.0",
+        "zod-to-json-schema": "^3.25.1"
+      },
+      "engines": {
+        "node": ">=18"
+      },
+      "peerDependencies": {
+        "@cfworker/json-schema": "^4.1.1",
+        "zod": "^3.25 || ^4.0"
+      },
+      "peerDependenciesMeta": {
+        "@cfworker/json-schema": {
+          "optional": true
+        },
+        "zod": {
+          "optional": false
+        }
+      }
+    },
+    "node_modules/@modelcontextprotocol/sdk/node_modules/accepts": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/accepts/-/accepts-2.0.0.tgz",
+      "integrity": "sha512-5cvg6CtKwfgdmVqY1WIiXKc3Q1bkRqGLi+2W/6ao+6Y7gu/RCwRuAhGEzh5B4KlszSuTLgZYuqFqo5bImjNKng==",
+      "license": "MIT",
+      "dependencies": {
+        "mime-types": "^3.0.0",
+        "negotiator": "^1.0.0"
+      },
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/@modelcontextprotocol/sdk/node_modules/body-parser": {
+      "version": "2.2.2",
+      "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-2.2.2.tgz",
+      "integrity": "sha512-oP5VkATKlNwcgvxi0vM0p/D3n2C3EReYVX+DNYs5TjZFn/oQt2j+4sVJtSMr18pdRr8wjTcBl6LoV+FUwzPmNA==",
+      "license": "MIT",
+      "dependencies": {
+        "bytes": "^3.1.2",
+        "content-type": "^1.0.5",
+        "debug": "^4.4.3",
+        "http-errors": "^2.0.0",
+        "iconv-lite": "^0.7.0",
+        "on-finished": "^2.4.1",
+        "qs": "^6.14.1",
+        "raw-body": "^3.0.1",
+        "type-is": "^2.0.1"
+      },
+      "engines": {
+        "node": ">=18"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/express"
+      }
+    },
+    "node_modules/@modelcontextprotocol/sdk/node_modules/content-disposition": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/content-disposition/-/content-disposition-1.0.1.tgz",
+      "integrity": "sha512-oIXISMynqSqm241k6kcQ5UwttDILMK4BiurCfGEREw6+X9jkkpEe5T9FZaApyLGGOnFuyMWZpdolTXMtvEJ08Q==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=18"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/express"
+      }
+    },
+    "node_modules/@modelcontextprotocol/sdk/node_modules/cookie-signature": {
+      "version": "1.2.2",
+      "resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.2.2.tgz",
+      "integrity": "sha512-D76uU73ulSXrD1UXF4KE2TMxVVwhsnCgfAyTg9k8P6KGZjlXKrOLe4dJQKI3Bxi5wjesZoFXJWElNWBjPZMbhg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=6.6.0"
+      }
+    },
+    "node_modules/@modelcontextprotocol/sdk/node_modules/debug": {
+      "version": "4.4.3",
+      "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.3.tgz",
+      "integrity": "sha512-RGwwWnwQvkVfavKVt22FGLw+xYSdzARwm0ru6DhTVA3umU5hZc28V3kO4stgYryrTlLpuvgI9GiijltAjNbcqA==",
+      "license": "MIT",
+      "dependencies": {
+        "ms": "^2.1.3"
+      },
+      "engines": {
+        "node": ">=6.0"
+      },
+      "peerDependenciesMeta": {
+        "supports-color": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@modelcontextprotocol/sdk/node_modules/express": {
+      "version": "5.2.1",
+      "resolved": "https://registry.npmjs.org/express/-/express-5.2.1.tgz",
+      "integrity": "sha512-hIS4idWWai69NezIdRt2xFVofaF4j+6INOpJlVOLDO8zXGpUVEVzIYk12UUi2JzjEzWL3IOAxcTubgz9Po0yXw==",
+      "license": "MIT",
+      "dependencies": {
+        "accepts": "^2.0.0",
+        "body-parser": "^2.2.1",
+        "content-disposition": "^1.0.0",
+        "content-type": "^1.0.5",
+        "cookie": "^0.7.1",
+        "cookie-signature": "^1.2.1",
+        "debug": "^4.4.0",
+        "depd": "^2.0.0",
+        "encodeurl": "^2.0.0",
+        "escape-html": "^1.0.3",
+        "etag": "^1.8.1",
+        "finalhandler": "^2.1.0",
+        "fresh": "^2.0.0",
+        "http-errors": "^2.0.0",
+        "merge-descriptors": "^2.0.0",
+        "mime-types": "^3.0.0",
+        "on-finished": "^2.4.1",
+        "once": "^1.4.0",
+        "parseurl": "^1.3.3",
+        "proxy-addr": "^2.0.7",
+        "qs": "^6.14.0",
+        "range-parser": "^1.2.1",
+        "router": "^2.2.0",
+        "send": "^1.1.0",
+        "serve-static": "^2.2.0",
+        "statuses": "^2.0.1",
+        "type-is": "^2.0.1",
+        "vary": "^1.1.2"
+      },
+      "engines": {
+        "node": ">= 18"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/express"
+      }
+    },
+    "node_modules/@modelcontextprotocol/sdk/node_modules/finalhandler": {
+      "version": "2.1.1",
+      "resolved": "https://registry.npmjs.org/finalhandler/-/finalhandler-2.1.1.tgz",
+      "integrity": "sha512-S8KoZgRZN+a5rNwqTxlZZePjT/4cnm0ROV70LedRHZ0p8u9fRID0hJUZQpkKLzro8LfmC8sx23bY6tVNxv8pQA==",
+      "license": "MIT",
+      "dependencies": {
+        "debug": "^4.4.0",
+        "encodeurl": "^2.0.0",
+        "escape-html": "^1.0.3",
+        "on-finished": "^2.4.1",
+        "parseurl": "^1.3.3",
+        "statuses": "^2.0.1"
+      },
+      "engines": {
+        "node": ">= 18.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/express"
+      }
+    },
+    "node_modules/@modelcontextprotocol/sdk/node_modules/fresh": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/fresh/-/fresh-2.0.0.tgz",
+      "integrity": "sha512-Rx/WycZ60HOaqLKAi6cHRKKI7zxWbJ31MhntmtwMoaTeF7XFH9hhBp8vITaMidfljRQ6eYWCKkaTK+ykVJHP2A==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/@modelcontextprotocol/sdk/node_modules/iconv-lite": {
+      "version": "0.7.2",
+      "resolved": "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.7.2.tgz",
+      "integrity": "sha512-im9DjEDQ55s9fL4EYzOAv0yMqmMBSZp6G0VvFyTMPKWxiSBHUj9NW/qqLmXUwXrrM7AvqSlTCfvqRb0cM8yYqw==",
+      "license": "MIT",
+      "dependencies": {
+        "safer-buffer": ">= 2.1.2 < 3.0.0"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/express"
+      }
+    },
+    "node_modules/@modelcontextprotocol/sdk/node_modules/media-typer": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/media-typer/-/media-typer-1.1.0.tgz",
+      "integrity": "sha512-aisnrDP4GNe06UcKFnV5bfMNPBUw4jsLGaWwWfnH3v02GnBuXX2MCVn5RbrWo0j3pczUilYblq7fQ7Nw2t5XKw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/@modelcontextprotocol/sdk/node_modules/merge-descriptors": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/merge-descriptors/-/merge-descriptors-2.0.0.tgz",
+      "integrity": "sha512-Snk314V5ayFLhp3fkUREub6WtjBfPdCPY1Ln8/8munuLuiYhsABgBVWsozAG+MWMbVEvcdcpbi9R7ww22l9Q3g==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=18"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/@modelcontextprotocol/sdk/node_modules/mime-db": {
+      "version": "1.54.0",
+      "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.54.0.tgz",
+      "integrity": "sha512-aU5EJuIN2WDemCcAp2vFBfp/m4EAhWJnUNSSw0ixs7/kXbd6Pg64EmwJkNdFhB8aWt1sH2CTXrLxo/iAGV3oPQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/@modelcontextprotocol/sdk/node_modules/mime-types": {
+      "version": "3.0.2",
+      "resolved": "https://registry.npmjs.org/mime-types/-/mime-types-3.0.2.tgz",
+      "integrity": "sha512-Lbgzdk0h4juoQ9fCKXW4by0UJqj+nOOrI9MJ1sSj4nI8aI2eo1qmvQEie4VD1glsS250n15LsWsYtCugiStS5A==",
+      "license": "MIT",
+      "dependencies": {
+        "mime-db": "^1.54.0"
+      },
+      "engines": {
+        "node": ">=18"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/express"
+      }
+    },
+    "node_modules/@modelcontextprotocol/sdk/node_modules/ms": {
+      "version": "2.1.3",
+      "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz",
+      "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==",
+      "license": "MIT"
+    },
+    "node_modules/@modelcontextprotocol/sdk/node_modules/negotiator": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/negotiator/-/negotiator-1.0.0.tgz",
+      "integrity": "sha512-8Ofs/AUQh8MaEcrlq5xOX0CQ9ypTF5dl78mjlMNfOK08fzpgTHQRQPBxcPlEtIw0yRpws+Zo/3r+5WRby7u3Gg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/@modelcontextprotocol/sdk/node_modules/raw-body": {
+      "version": "3.0.2",
+      "resolved": "https://registry.npmjs.org/raw-body/-/raw-body-3.0.2.tgz",
+      "integrity": "sha512-K5zQjDllxWkf7Z5xJdV0/B0WTNqx6vxG70zJE4N0kBs4LovmEYWJzQGxC9bS9RAKu3bgM40lrd5zoLJ12MQ5BA==",
+      "license": "MIT",
+      "dependencies": {
+        "bytes": "~3.1.2",
+        "http-errors": "~2.0.1",
+        "iconv-lite": "~0.7.0",
+        "unpipe": "~1.0.0"
+      },
+      "engines": {
+        "node": ">= 0.10"
+      }
+    },
+    "node_modules/@modelcontextprotocol/sdk/node_modules/send": {
+      "version": "1.2.1",
+      "resolved": "https://registry.npmjs.org/send/-/send-1.2.1.tgz",
+      "integrity": "sha512-1gnZf7DFcoIcajTjTwjwuDjzuz4PPcY2StKPlsGAQ1+YH20IRVrBaXSWmdjowTJ6u8Rc01PoYOGHXfP1mYcZNQ==",
+      "license": "MIT",
+      "dependencies": {
+        "debug": "^4.4.3",
+        "encodeurl": "^2.0.0",
+        "escape-html": "^1.0.3",
+        "etag": "^1.8.1",
+        "fresh": "^2.0.0",
+        "http-errors": "^2.0.1",
+        "mime-types": "^3.0.2",
+        "ms": "^2.1.3",
+        "on-finished": "^2.4.1",
+        "range-parser": "^1.2.1",
+        "statuses": "^2.0.2"
+      },
+      "engines": {
+        "node": ">= 18"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/express"
+      }
+    },
+    "node_modules/@modelcontextprotocol/sdk/node_modules/serve-static": {
+      "version": "2.2.1",
+      "resolved": "https://registry.npmjs.org/serve-static/-/serve-static-2.2.1.tgz",
+      "integrity": "sha512-xRXBn0pPqQTVQiC8wyQrKs2MOlX24zQ0POGaj0kultvoOCstBQM5yvOhAVSUwOMjQtTvsPWoNCHfPGwaaQJhTw==",
+      "license": "MIT",
+      "dependencies": {
+        "encodeurl": "^2.0.0",
+        "escape-html": "^1.0.3",
+        "parseurl": "^1.3.3",
+        "send": "^1.2.0"
+      },
+      "engines": {
+        "node": ">= 18"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/express"
+      }
+    },
+    "node_modules/@modelcontextprotocol/sdk/node_modules/type-is": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/type-is/-/type-is-2.0.1.tgz",
+      "integrity": "sha512-OZs6gsjF4vMp32qrCbiVSkrFmXtG/AZhY3t0iAMrMBiAZyV9oALtXO8hsrHbMXF9x6L3grlFuwW2oAz7cav+Gw==",
+      "license": "MIT",
+      "dependencies": {
+        "content-type": "^1.0.5",
+        "media-typer": "^1.1.0",
+        "mime-types": "^3.0.0"
+      },
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
     "node_modules/@otplib/core": {
       "version": "12.0.1",
       "resolved": "https://registry.npmjs.org/@otplib/core/-/core-12.0.1.tgz",
@@ -772,6 +1126,39 @@
         "node": ">= 0.6"
       }
     },
+    "node_modules/ajv": {
+      "version": "8.18.0",
+      "resolved": "https://registry.npmjs.org/ajv/-/ajv-8.18.0.tgz",
+      "integrity": "sha512-PlXPeEWMXMZ7sPYOHqmDyCJzcfNrUr3fGNKtezX14ykXOEIvyK81d+qydx89KY5O71FKMPaQ2vBfBFI5NHR63A==",
+      "license": "MIT",
+      "dependencies": {
+        "fast-deep-equal": "^3.1.3",
+        "fast-uri": "^3.0.1",
+        "json-schema-traverse": "^1.0.0",
+        "require-from-string": "^2.0.2"
+      },
+      "funding": {
+        "type": "github",
+        "url": "https://github.com/sponsors/epoberezkin"
+      }
+    },
+    "node_modules/ajv-formats": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/ajv-formats/-/ajv-formats-3.0.1.tgz",
+      "integrity": "sha512-8iUql50EUR+uUcdRQ3HDqa6EVyo3docL8g5WJ3FNcWmu62IbkGUue/pEyLBW8VGKKucTPgqeks4fIU1DA4yowQ==",
+      "license": "MIT",
+      "dependencies": {
+        "ajv": "^8.0.0"
+      },
+      "peerDependencies": {
+        "ajv": "^8.0.0"
+      },
+      "peerDependenciesMeta": {
+        "ajv": {
+          "optional": true
+        }
+      }
+    },
     "node_modules/ansi-regex": {
       "version": "5.0.1",
       "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz",
@@ -1380,6 +1767,20 @@
         "node": ">= 12.0.0"
       }
     },
+    "node_modules/cross-spawn": {
+      "version": "7.0.6",
+      "resolved": "https://registry.npmjs.org/cross-spawn/-/cross-spawn-7.0.6.tgz",
+      "integrity": "sha512-uV2QOWP2nWzsy2aMp8aRibhi9dlzF5Hgh5SHaB9OiTGEyDTiJJyx0uy51QXdyWbtAHNua4XJzUKca3OzKUd3vA==",
+      "license": "MIT",
+      "dependencies": {
+        "path-key": "^3.1.0",
+        "shebang-command": "^2.0.0",
+        "which": "^2.0.1"
+      },
+      "engines": {
+        "node": ">= 8"
+      }
+    },
     "node_modules/debug": {
       "version": "2.6.9",
       "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz",
@@ -1655,6 +2056,27 @@
         "bare-events": "^2.7.0"
       }
     },
+    "node_modules/eventsource": {
+      "version": "3.0.7",
+      "resolved": "https://registry.npmjs.org/eventsource/-/eventsource-3.0.7.tgz",
+      "integrity": "sha512-CRT1WTyuQoD771GW56XEZFQ/ZoSfWid1alKGDYMmkt2yl8UXrVR4pspqWNEcqKvVIzg6PAltWjxcSSPrboA4iA==",
+      "license": "MIT",
+      "dependencies": {
+        "eventsource-parser": "^3.0.1"
+      },
+      "engines": {
+        "node": ">=18.0.0"
+      }
+    },
+    "node_modules/eventsource-parser": {
+      "version": "3.0.6",
+      "resolved": "https://registry.npmjs.org/eventsource-parser/-/eventsource-parser-3.0.6.tgz",
+      "integrity": "sha512-Vo1ab+QXPzZ4tCa8SwIHJFaSzy4R6SHf7BY79rFBDf0idraZWAkYrDjDj8uWaSm3S2TK+hJ7/t1CEmZ7jXw+pg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=18.0.0"
+      }
+    },
     "node_modules/expand-template": {
       "version": "2.0.3",
       "resolved": "https://registry.npmjs.org/expand-template/-/expand-template-2.0.3.tgz",
@@ -1710,12 +2132,52 @@
         "url": "https://opencollective.com/express"
       }
     },
+    "node_modules/express-rate-limit": {
+      "version": "8.3.1",
+      "resolved": "https://registry.npmjs.org/express-rate-limit/-/express-rate-limit-8.3.1.tgz",
+      "integrity": "sha512-D1dKN+cmyPWuvB+G2SREQDzPY1agpBIcTa9sJxOPMCNeH3gwzhqJRDWCXW3gg0y//+LQ/8j52JbMROWyrKdMdw==",
+      "license": "MIT",
+      "dependencies": {
+        "ip-address": "10.1.0"
+      },
+      "engines": {
+        "node": ">= 16"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/express-rate-limit"
+      },
+      "peerDependencies": {
+        "express": ">= 4.11"
+      }
+    },
+    "node_modules/fast-deep-equal": {
+      "version": "3.1.3",
+      "resolved": "https://registry.npmjs.org/fast-deep-equal/-/fast-deep-equal-3.1.3.tgz",
+      "integrity": "sha512-f3qQ9oQy9j2AhBe/H9VC91wLmKBCCU/gDOnKNAYG5hswO7BLKj09Hc5HYNz9cGI++xlpDCIgDaitVs03ATR84Q==",
+      "license": "MIT"
+    },
     "node_modules/fast-fifo": {
       "version": "1.3.2",
       "resolved": "https://registry.npmjs.org/fast-fifo/-/fast-fifo-1.3.2.tgz",
       "integrity": "sha512-/d9sfos4yxzpwkDkuN7k2SqFKtYNmCTzgfEpz82x34IM9/zc8KGxQoXg1liNC/izpRM/MBdt44Nmx41ZWqk+FQ==",
       "license": "MIT"
     },
+    "node_modules/fast-uri": {
+      "version": "3.1.0",
+      "resolved": "https://registry.npmjs.org/fast-uri/-/fast-uri-3.1.0.tgz",
+      "integrity": "sha512-iPeeDKJSWf4IEOasVVrknXpaBV0IApz/gp7S2bb7Z4Lljbl2MGJRqInZiUrQwV16cpzw/D3S5j5Julj/gT52AA==",
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/fastify"
+        },
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/fastify"
+        }
+      ],
+      "license": "BSD-3-Clause"
+    },
     "node_modules/file-uri-to-path": {
       "version": "1.0.0",
       "resolved": "https://registry.npmjs.org/file-uri-to-path/-/file-uri-to-path-1.0.0.tgz",
@@ -2018,6 +2480,15 @@
         "node": ">=18.0.0"
       }
     },
+    "node_modules/hono": {
+      "version": "4.12.9",
+      "resolved": "https://registry.npmjs.org/hono/-/hono-4.12.9.tgz",
+      "integrity": "sha512-wy3T8Zm2bsEvxKZM5w21VdHDDcwVS1yUFFY6i8UobSsKfFceT7TOwhbhfKsDyx7tYQlmRM5FLpIuYvNFyjctiA==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=16.9.0"
+      }
+    },
     "node_modules/http-errors": {
       "version": "2.0.1",
       "resolved": "https://registry.npmjs.org/http-errors/-/http-errors-2.0.1.tgz",
@@ -2100,6 +2571,15 @@
       "integrity": "sha512-JV/yugV2uzW5iMRSiZAyDtQd+nxtUnjeLt0acNdw98kKLrvuRVyB80tsREOE7yvGVgalhZ6RNXCmEHkUKBKxew==",
       "license": "ISC"
     },
+    "node_modules/ip-address": {
+      "version": "10.1.0",
+      "resolved": "https://registry.npmjs.org/ip-address/-/ip-address-10.1.0.tgz",
+      "integrity": "sha512-XXADHxXmvT9+CRxhXg56LJovE+bmWnEWB78LB83VZTprKTmaC5QfruXocxzTZ2Kl0DNwKuBdlIhjL8LeY8Sf8Q==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 12"
+      }
+    },
     "node_modules/ipaddr.js": {
       "version": "1.9.1",
       "resolved": "https://registry.npmjs.org/ipaddr.js/-/ipaddr.js-1.9.1.tgz",
@@ -2164,12 +2644,45 @@
         "node": ">=0.12.0"
       }
     },
+    "node_modules/is-promise": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/is-promise/-/is-promise-4.0.0.tgz",
+      "integrity": "sha512-hvpoI6korhJMnej285dSg6nu1+e6uxs7zG3BYAm5byqDsgJNWwxzM6z6iZiAgQR4TJ30JmBTOwqZUw3WlyH3AQ==",
+      "license": "MIT"
+    },
     "node_modules/isarray": {
       "version": "1.0.0",
       "resolved": "https://registry.npmjs.org/isarray/-/isarray-1.0.0.tgz",
       "integrity": "sha512-VLghIWNM6ELQzo7zwmcg0NmTVyWKYjvIeM83yjp0wRDTmUnrM678fQbcKBo6n2CJEF0szoG//ytg+TKla89ALQ==",
       "license": "MIT"
     },
+    "node_modules/isexe": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/isexe/-/isexe-2.0.0.tgz",
+      "integrity": "sha512-RHxMLp9lnKHGHRng9QFhRCMbYAcVpn69smSGcq3f36xjgVVWThj4qqLbTLlq7Ssj8B+fIQ1EuCEGI2lKsyQeIw==",
+      "license": "ISC"
+    },
+    "node_modules/jose": {
+      "version": "6.2.2",
+      "resolved": "https://registry.npmjs.org/jose/-/jose-6.2.2.tgz",
+      "integrity": "sha512-d7kPDd34KO/YnzaDOlikGpOurfF0ByC2sEV4cANCtdqLlTfBlw2p14O/5d/zv40gJPbIQxfES3nSx1/oYNyuZQ==",
+      "license": "MIT",
+      "funding": {
+        "url": "https://github.com/sponsors/panva"
+      }
+    },
+    "node_modules/json-schema-traverse": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/json-schema-traverse/-/json-schema-traverse-1.0.0.tgz",
+      "integrity": "sha512-NM8/P9n3XjXhIZn1lLhkFaACTOURQXjWhV4BA/RnOv8xvgqtqpAX9IO4mRQxSx1Rlo4tqzeqb0sOlruaOy3dug==",
+      "license": "MIT"
+    },
+    "node_modules/json-schema-typed": {
+      "version": "8.0.2",
+      "resolved": "https://registry.npmjs.org/json-schema-typed/-/json-schema-typed-8.0.2.tgz",
+      "integrity": "sha512-fQhoXdcvc3V28x7C7BMs4P5+kNlgUURe2jmUT1T//oBRMDrqy1QPelJimwZGo7Hg9VPV3EQV5Bnq4hbFy2vetA==",
+      "license": "BSD-2-Clause"
+    },
     "node_modules/jsonfile": {
       "version": "6.2.0",
       "resolved": "https://registry.npmjs.org/jsonfile/-/jsonfile-6.2.0.tgz",
@@ -2711,6 +3224,15 @@
         "node": ">=8"
       }
     },
+    "node_modules/path-key": {
+      "version": "3.1.1",
+      "resolved": "https://registry.npmjs.org/path-key/-/path-key-3.1.1.tgz",
+      "integrity": "sha512-ojmeN0qd+y0jszEtoY48r0Peq5dwMEkIlCOu6Q5f41lfkswXuKtYrhgoTpLnyIcHm24Uhqx+5Tqm2InSwLhE6Q==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=8"
+      }
+    },
     "node_modules/path-to-regexp": {
       "version": "0.1.13",
       "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.13.tgz",
@@ -2730,6 +3252,15 @@
         "url": "https://github.com/sponsors/jonschlinkert"
       }
     },
+    "node_modules/pkce-challenge": {
+      "version": "5.0.1",
+      "resolved": "https://registry.npmjs.org/pkce-challenge/-/pkce-challenge-5.0.1.tgz",
+      "integrity": "sha512-wQ0b/W4Fr01qtpHlqSqspcj3EhBvimsdh0KlHhH8HRZnMsEa0ea2fTULOXOS9ccQr3om+GcGRk4e+isrZWV8qQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=16.20.0"
+      }
+    },
     "node_modules/pngjs": {
       "version": "5.0.0",
       "resolved": "https://registry.npmjs.org/pngjs/-/pngjs-5.0.0.tgz",
@@ -2945,6 +3476,15 @@
         "node": ">=0.10.0"
       }
     },
+    "node_modules/require-from-string": {
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/require-from-string/-/require-from-string-2.0.2.tgz",
+      "integrity": "sha512-Xf0nWe6RseziFMu+Ap9biiUbmplq6S9/p+7w7YXP/JBHhrUDDUhwa+vANyubuqfZWTveU//DYVGsDG7RKL/vEw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
     "node_modules/require-main-filename": {
       "version": "2.0.0",
       "resolved": "https://registry.npmjs.org/require-main-filename/-/require-main-filename-2.0.0.tgz",
@@ -2960,6 +3500,55 @@
         "url": "https://github.com/privatenumber/resolve-pkg-maps?sponsor=1"
       }
     },
+    "node_modules/router": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/router/-/router-2.2.0.tgz",
+      "integrity": "sha512-nLTrUKm2UyiL7rlhapu/Zl45FwNgkZGaCpZbIHajDYgwlJCOzLSk+cIPAnsEqV955GjILJnKbdQC1nVPz+gAYQ==",
+      "license": "MIT",
+      "dependencies": {
+        "debug": "^4.4.0",
+        "depd": "^2.0.0",
+        "is-promise": "^4.0.0",
+        "parseurl": "^1.3.3",
+        "path-to-regexp": "^8.0.0"
+      },
+      "engines": {
+        "node": ">= 18"
+      }
+    },
+    "node_modules/router/node_modules/debug": {
+      "version": "4.4.3",
+      "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.3.tgz",
+      "integrity": "sha512-RGwwWnwQvkVfavKVt22FGLw+xYSdzARwm0ru6DhTVA3umU5hZc28V3kO4stgYryrTlLpuvgI9GiijltAjNbcqA==",
+      "license": "MIT",
+      "dependencies": {
+        "ms": "^2.1.3"
+      },
+      "engines": {
+        "node": ">=6.0"
+      },
+      "peerDependenciesMeta": {
+        "supports-color": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/router/node_modules/ms": {
+      "version": "2.1.3",
+      "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz",
+      "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==",
+      "license": "MIT"
+    },
+    "node_modules/router/node_modules/path-to-regexp": {
+      "version": "8.4.0",
+      "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-8.4.0.tgz",
+      "integrity": "sha512-PuseHIvAnz3bjrM2rGJtSgo1zjgxapTLZ7x2pjhzWwlp4SJQgK3f3iZIQwkpEnBaKz6seKBADpM4B4ySkuYypg==",
+      "license": "MIT",
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/express"
+      }
+    },
     "node_modules/safe-buffer": {
       "version": "5.2.1",
       "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.2.1.tgz",
@@ -3055,6 +3644,27 @@
       "integrity": "sha512-E5LDX7Wrp85Kil5bhZv46j8jOeboKq5JMmYM3gVGdGH8xFpPWXUMsNrlODCrkoxMEeNi/XZIwuRvY4XNwYMJpw==",
       "license": "ISC"
     },
+    "node_modules/shebang-command": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/shebang-command/-/shebang-command-2.0.0.tgz",
+      "integrity": "sha512-kHxr2zZpYtdmrN1qDjrrX/Z1rR1kG8Dx+gkpK1G4eXmvXswmcE1hTWBWYUzlraYw1/yZp6YuDY77YtvbN0dmDA==",
+      "license": "MIT",
+      "dependencies": {
+        "shebang-regex": "^3.0.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/shebang-regex": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/shebang-regex/-/shebang-regex-3.0.0.tgz",
+      "integrity": "sha512-7++dFhtcx3353uBaq8DDR4NuxBetBzC7ZQOhmTQInHEd6bSrXdiEyzCvG07Z44UYdLShWUyXt5M/yhz8ekcb1A==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=8"
+      }
+    },
     "node_modules/side-channel": {
       "version": "1.1.0",
       "resolved": "https://registry.npmjs.org/side-channel/-/side-channel-1.1.0.tgz",
@@ -3535,6 +4145,21 @@
         "webidl-conversions": "^3.0.0"
       }
     },
+    "node_modules/which": {
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/which/-/which-2.0.2.tgz",
+      "integrity": "sha512-BLI3Tl1TW3Pvl70l3yq3Y64i+awpwXqsGBYWkkqMtnbXgrMD+yj7rhW0kuEDxzJaYXGjEW5ogapKNMEKNMjibA==",
+      "license": "ISC",
+      "dependencies": {
+        "isexe": "^2.0.0"
+      },
+      "bin": {
+        "node-which": "bin/node-which"
+      },
+      "engines": {
+        "node": ">= 8"
+      }
+    },
     "node_modules/which-module": {
       "version": "2.0.1",
       "resolved": "https://registry.npmjs.org/which-module/-/which-module-2.0.1.tgz",
@@ -3636,6 +4261,24 @@
       "engines": {
         "node": ">= 12.0.0"
       }
+    },
+    "node_modules/zod": {
+      "version": "4.3.6",
+      "resolved": "https://registry.npmjs.org/zod/-/zod-4.3.6.tgz",
+      "integrity": "sha512-rftlrkhHZOcjDwkGlnUtZZkvaPHCsDATp4pGpuOOMDaTdDDXF91wuVDJoWoPsKX/3YPQ5fHuF3STjcYyKr+Qhg==",
+      "license": "MIT",
+      "funding": {
+        "url": "https://github.com/sponsors/colinhacks"
+      }
+    },
+    "node_modules/zod-to-json-schema": {
+      "version": "3.25.2",
+      "resolved": "https://registry.npmjs.org/zod-to-json-schema/-/zod-to-json-schema-3.25.2.tgz",
+      "integrity": "sha512-O/PgfnpT1xKSDeQYSCfRI5Gy3hPf91mKVDuYLUHZJMiDFptvP41MSnWofm8dnCm0256ZNfZIM7DSzuSMAFnjHA==",
+      "license": "ISC",
+      "peerDependencies": {
+        "zod": "^3.25.28 || ^4"
+      }
     }
   }
 }

server/package.json

@@ -7,6 +7,7 @@
     "dev": "tsx watch src/index.ts"
   },
   "dependencies": {
+    "@modelcontextprotocol/sdk": "^1.28.0",
     "archiver": "^6.0.1",
     "bcryptjs": "^2.4.3",
     "better-sqlite3": "^12.8.0",
@@ -25,7 +26,8 @@
     "typescript": "^6.0.2",
     "unzipper": "^0.12.3",
     "uuid": "^9.0.0",
-    "ws": "^8.19.0"
+    "ws": "^8.19.0",
+    "zod": "^4.3.6"
   },
   "devDependencies": {
     "@types/archiver": "^7.0.0",

server/src/db/migrations.ts

@@ -394,6 +394,39 @@ function runMigrations(db: Database.Database): void {
         CREATE INDEX IF NOT EXISTS idx_audit_log_created ON audit_log(created_at DESC);
       `);
     },
+    () => {
+      // MFA backup/recovery codes
+      try { db.exec('ALTER TABLE users ADD COLUMN mfa_backup_codes TEXT'); } catch {}
+    },
+    // MCP long-lived API tokens
+    () => db.exec(`
+      CREATE TABLE IF NOT EXISTS mcp_tokens (
+        id INTEGER PRIMARY KEY AUTOINCREMENT,
+        user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+        name TEXT NOT NULL,
+        token_hash TEXT NOT NULL,
+        token_prefix TEXT NOT NULL,
+        created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
+        last_used_at DATETIME
+      )
+    `),
+    // MCP addon entry
+    () => {
+      try {
+        db.prepare("INSERT OR IGNORE INTO addons (id, name, description, type, icon, enabled, sort_order) VALUES (?, ?, ?, ?, ?, ?, ?)")
+          .run('mcp', 'MCP', 'Model Context Protocol for AI assistant integration', 'integration', 'Terminal', 0, 12);
+      } catch {}
+    },
+    // Index on mcp_tokens.token_hash
+    () => db.exec(`
+      CREATE UNIQUE INDEX IF NOT EXISTS idx_mcp_tokens_hash ON mcp_tokens(token_hash)
+    `),
+    // Ensure MCP addon type is 'integration'
+    () => {
+      try {
+        db.prepare("UPDATE addons SET type = 'integration' WHERE id = 'mcp'").run();
+      } catch {}
+    },
   ];
 
   if (currentVersion < migrations.length) {

server/src/db/schema.ts

@@ -17,6 +17,7 @@ function createTables(db: Database.Database): void {
       last_login DATETIME,
       mfa_enabled INTEGER DEFAULT 0,
       mfa_secret TEXT,
+      mfa_backup_codes TEXT,
       created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
       updated_at DATETIME DEFAULT CURRENT_TIMESTAMP
     );

server/src/db/seeds.ts

@@ -33,6 +33,7 @@ function seedAddons(db: Database.Database): void {
       { id: 'documents', name: 'Documents', description: 'Store and manage travel documents', type: 'trip', icon: 'FileText', enabled: 1, sort_order: 2 },
       { id: 'vacay', name: 'Vacay', description: 'Personal vacation day planner with calendar view', type: 'global', icon: 'CalendarDays', enabled: 1, sort_order: 10 },
       { id: 'atlas', name: 'Atlas', description: 'World map of your visited countries with travel stats', type: 'global', icon: 'Globe', enabled: 1, sort_order: 11 },
+      { id: 'mcp', name: 'MCP', description: 'Model Context Protocol for AI assistant integration', type: 'integration', icon: 'Terminal', enabled: 0, sort_order: 12 },
       { id: 'collab', name: 'Collab', description: 'Notes, polls, and live chat for trip collaboration', type: 'trip', icon: 'Users', enabled: 1, sort_order: 6 },
     ];
     const insertAddon = db.prepare('INSERT OR IGNORE INTO addons (id, name, description, type, icon, enabled, sort_order) VALUES (?, ?, ?, ?, ?, ?, ?)');

server/src/index.ts

@@ -1,5 +1,7 @@
 import 'dotenv/config';
+import './config';
 import express, { Request, Response, NextFunction } from 'express';
+import { enforceGlobalMfaPolicy } from './middleware/mfaPolicy';
 import cors from 'cors';
 import helmet from 'helmet';
 import path from 'path';
@@ -80,6 +82,8 @@ if (shouldForceHttps) {
 app.use(express.json({ limit: '100kb' }));
 app.use(express.urlencoded({ extended: true }));
 
+app.use(enforceGlobalMfaPolicy);
+
 if (DEBUG) {
   app.use((req: Request, res: Response, next: NextFunction) => {
     const startedAt = Date.now();
@@ -197,6 +201,12 @@ app.use('/api/notifications', notificationRoutes);
 import shareRoutes from './routes/share';
 app.use('/api', shareRoutes);
 
+// MCP endpoint (Streamable HTTP transport, per-user auth)
+import { mcpHandler, closeMcpSessions } from './mcp';
+app.post('/mcp', mcpHandler);
+app.get('/mcp', mcpHandler);
+app.delete('/mcp', mcpHandler);
+
 // Serve static files in production
 if (process.env.NODE_ENV === 'production') {
   const publicPath = path.join(__dirname, '../public');
@@ -242,6 +252,7 @@ const server = app.listen(PORT, () => {
 function shutdown(signal: string): void {
   console.log(`\n${signal} received — shutting down gracefully...`);
   scheduler.stop();
+  closeMcpSessions();
   server.close(() => {
     console.log('HTTP server closed');
     const { closeDb } = require('./db/database');

server/src/mcp/index.ts

@@ -0,0 +1,189 @@
+import { Request, Response } from 'express';
+import { randomUUID, createHash } from 'crypto';
+import jwt from 'jsonwebtoken';
+import { McpServer } from '@modelcontextprotocol/sdk/server/mcp';
+import { StreamableHTTPServerTransport } from '@modelcontextprotocol/sdk/server/streamableHttp';
+import { JWT_SECRET } from '../config';
+import { db } from '../db/database';
+import { User } from '../types';
+import { registerResources } from './resources';
+import { registerTools } from './tools';
+
+interface McpSession {
+  server: McpServer;
+  transport: StreamableHTTPServerTransport;
+  userId: number;
+  lastActivity: number;
+}
+
+const sessions = new Map<string, McpSession>();
+
+const SESSION_TTL_MS = 60 * 60 * 1000; // 1 hour
+const MAX_SESSIONS_PER_USER = 5;
+const RATE_LIMIT_WINDOW_MS = 60 * 1000; // 1 minute
+const RATE_LIMIT_MAX = 60; // requests per minute per user
+
+interface RateLimitEntry {
+  count: number;
+  windowStart: number;
+}
+const rateLimitMap = new Map<number, RateLimitEntry>();
+
+function isRateLimited(userId: number): boolean {
+  const now = Date.now();
+  const entry = rateLimitMap.get(userId);
+  if (!entry || now - entry.windowStart > RATE_LIMIT_WINDOW_MS) {
+    rateLimitMap.set(userId, { count: 1, windowStart: now });
+    return false;
+  }
+  entry.count += 1;
+  return entry.count > RATE_LIMIT_MAX;
+}
+
+function countSessionsForUser(userId: number): number {
+  const cutoff = Date.now() - SESSION_TTL_MS;
+  let count = 0;
+  for (const session of sessions.values()) {
+    if (session.userId === userId && session.lastActivity >= cutoff) count++;
+  }
+  return count;
+}
+
+const sessionSweepInterval = setInterval(() => {
+  const cutoff = Date.now() - SESSION_TTL_MS;
+  for (const [sid, session] of sessions) {
+    if (session.lastActivity < cutoff) {
+      try { session.server.close(); } catch { /* ignore */ }
+      try { session.transport.close(); } catch { /* ignore */ }
+      sessions.delete(sid);
+    }
+  }
+  const rateCutoff = Date.now() - RATE_LIMIT_WINDOW_MS;
+  for (const [uid, entry] of rateLimitMap) {
+    if (entry.windowStart < rateCutoff) rateLimitMap.delete(uid);
+  }
+}, 10 * 60 * 1000); // sweep every 10 minutes
+
+// Prevent the interval from keeping the process alive if nothing else is running
+sessionSweepInterval.unref();
+
+function verifyToken(authHeader: string | undefined): User | null {
+  const token = authHeader && authHeader.split(' ')[1];
+  if (!token) return null;
+
+  // Long-lived MCP API token (trek_...)
+  if (token.startsWith('trek_')) {
+    const hash = createHash('sha256').update(token).digest('hex');
+    const row = db.prepare(`
+      SELECT u.id, u.username, u.email, u.role
+      FROM mcp_tokens mt
+      JOIN users u ON mt.user_id = u.id
+      WHERE mt.token_hash = ?
+    `).get(hash) as User | undefined;
+    if (row) {
+      // Update last_used_at (fire-and-forget, non-blocking)
+      db.prepare('UPDATE mcp_tokens SET last_used_at = CURRENT_TIMESTAMP WHERE token_hash = ?').run(hash);
+      return row;
+    }
+    return null;
+  }
+
+  // Short-lived JWT
+  try {
+    const decoded = jwt.verify(token, JWT_SECRET) as { id: number };
+    const user = db.prepare(
+      'SELECT id, username, email, role FROM users WHERE id = ?'
+    ).get(decoded.id) as User | undefined;
+    return user || null;
+  } catch {
+    return null;
+  }
+}
+
+export async function mcpHandler(req: Request, res: Response): Promise<void> {
+  const mcpAddon = db.prepare("SELECT enabled FROM addons WHERE id = 'mcp'").get() as { enabled: number } | undefined;
+  if (!mcpAddon || !mcpAddon.enabled) {
+    res.status(403).json({ error: 'MCP is not enabled' });
+    return;
+  }
+
+  const user = verifyToken(req.headers['authorization']);
+  if (!user) {
+    res.status(401).json({ error: 'Access token required' });
+    return;
+  }
+
+  if (isRateLimited(user.id)) {
+    res.status(429).json({ error: 'Too many requests. Please slow down.' });
+    return;
+  }
+
+  const sessionId = req.headers['mcp-session-id'] as string | undefined;
+
+  // Resume an existing session
+  if (sessionId) {
+    const session = sessions.get(sessionId);
+    if (!session) {
+      res.status(404).json({ error: 'Session not found' });
+      return;
+    }
+    if (session.userId !== user.id) {
+      res.status(403).json({ error: 'Session belongs to a different user' });
+      return;
+    }
+    session.lastActivity = Date.now();
+    await session.transport.handleRequest(req, res, req.body);
+    return;
+  }
+
+  // Only POST can initialize a new session
+  if (req.method !== 'POST') {
+    res.status(400).json({ error: 'Missing mcp-session-id header' });
+    return;
+  }
+
+  if (countSessionsForUser(user.id) >= MAX_SESSIONS_PER_USER) {
+    res.status(429).json({ error: 'Session limit reached. Close an existing session before opening a new one.' });
+    return;
+  }
+
+  // Create a new per-user MCP server and session
+  const server = new McpServer({ name: 'trek', version: '1.0.0' });
+  registerResources(server, user.id);
+  registerTools(server, user.id);
+
+  const transport = new StreamableHTTPServerTransport({
+    sessionIdGenerator: () => randomUUID(),
+    onsessioninitialized: (sid) => {
+      sessions.set(sid, { server, transport, userId: user.id, lastActivity: Date.now() });
+    },
+    onsessionclosed: (sid) => {
+      sessions.delete(sid);
+    },
+  });
+
+  await server.connect(transport);
+  await transport.handleRequest(req, res, req.body);
+}
+
+/** Terminate all active MCP sessions for a specific user (e.g. on token revocation). */
+export function revokeUserSessions(userId: number): void {
+  for (const [sid, session] of sessions) {
+    if (session.userId === userId) {
+      try { session.server.close(); } catch { /* ignore */ }
+      try { session.transport.close(); } catch { /* ignore */ }
+      sessions.delete(sid);
+    }
+  }
+}
+
+/** Close all active MCP sessions (call during graceful shutdown). */
+export function closeMcpSessions(): void {
+  clearInterval(sessionSweepInterval);
+  for (const [, session] of sessions) {
+    try { session.server.close(); } catch { /* ignore */ }
+    try { session.transport.close(); } catch { /* ignore */ }
+  }
+  sessions.clear();
+  rateLimitMap.clear();
+}

server/src/mcp/resources.ts

@@ -0,0 +1,304 @@
+import { McpServer, ResourceTemplate } from '@modelcontextprotocol/sdk/server/mcp';
+import { db, canAccessTrip } from '../db/database';
+
+const TRIP_SELECT = `
+  SELECT t.*,
+    (SELECT COUNT(*) FROM days d WHERE d.trip_id = t.id) as day_count,
+    (SELECT COUNT(*) FROM places p WHERE p.trip_id = t.id) as place_count,
+    CASE WHEN t.user_id = :userId THEN 1 ELSE 0 END as is_owner,
+    u.username as owner_username,
+    (SELECT COUNT(*) FROM trip_members tm WHERE tm.trip_id = t.id) as shared_count
+  FROM trips t
+  JOIN users u ON u.id = t.user_id
+`;
+
+function parseId(value: string | string[]): number | null {
+  const n = Number(Array.isArray(value) ? value[0] : value);
+  return Number.isInteger(n) && n > 0 ? n : null;
+}
+
+function accessDenied(uri: string) {
+  return {
+    contents: [{
+      uri,
+      mimeType: 'application/json',
+      text: JSON.stringify({ error: 'Trip not found or access denied' }),
+    }],
+  };
+}
+
+function jsonContent(uri: string, data: unknown) {
+  return {
+    contents: [{
+      uri,
+      mimeType: 'application/json',
+      text: JSON.stringify(data, null, 2),
+    }],
+  };
+}
+
+export function registerResources(server: McpServer, userId: number): void {
+  // List all accessible trips
+  server.registerResource(
+    'trips',
+    'trek://trips',
+    { description: 'All trips the user owns or is a member of' },
+    async (uri) => {
+      const trips = db.prepare(`
+        ${TRIP_SELECT}
+        LEFT JOIN trip_members m ON m.trip_id = t.id AND m.user_id = :userId
+        WHERE (t.user_id = :userId OR m.user_id IS NOT NULL) AND t.is_archived = 0
+        ORDER BY t.created_at DESC
+      `).all({ userId });
+      return jsonContent(uri.href, trips);
+    }
+  );
+
+  // Single trip detail
+  server.registerResource(
+    'trip',
+    new ResourceTemplate('trek://trips/{tripId}', { list: undefined }),
+    { description: 'A single trip with metadata and member count' },
+    async (uri, { tripId }) => {
+      const id = parseId(tripId);
+      if (id === null || !canAccessTrip(id, userId)) return accessDenied(uri.href);
+      const trip = db.prepare(`
+        ${TRIP_SELECT}
+        LEFT JOIN trip_members m ON m.trip_id = t.id AND m.user_id = :userId
+        WHERE t.id = :tripId AND (t.user_id = :userId OR m.user_id IS NOT NULL)
+      `).get({ userId, tripId: id });
+      return jsonContent(uri.href, trip);
+    }
+  );
+
+  // Days with assigned places
+  server.registerResource(
+    'trip-days',
+    new ResourceTemplate('trek://trips/{tripId}/days', { list: undefined }),
+    { description: 'Days of a trip with their assigned places' },
+    async (uri, { tripId }) => {
+      const id = parseId(tripId);
+      if (id === null || !canAccessTrip(id, userId)) return accessDenied(uri.href);
+
+      const days = db.prepare(
+        'SELECT * FROM days WHERE trip_id = ? ORDER BY day_number ASC'
+      ).all(id) as { id: number; day_number: number; date: string | null; title: string | null; notes: string | null }[];
+
+      const dayIds = days.map(d => d.id);
+      const assignmentsByDay: Record<number, unknown[]> = {};
+
+      if (dayIds.length > 0) {
+        const placeholders = dayIds.map(() => '?').join(',');
+        const assignments = db.prepare(`
+          SELECT da.id, da.day_id, da.order_index, da.notes as assignment_notes,
+            p.id as place_id, p.name, p.address, p.lat, p.lng, p.category_id,
+            COALESCE(da.assignment_time, p.place_time) as place_time,
+            c.name as category_name, c.color as category_color, c.icon as category_icon
+          FROM day_assignments da
+          JOIN places p ON da.place_id = p.id
+          LEFT JOIN categories c ON p.category_id = c.id
+          WHERE da.day_id IN (${placeholders})
+          ORDER BY da.order_index ASC, da.created_at ASC
+        `).all(...dayIds) as (Record<string, unknown> & { day_id: number })[];
+
+        for (const a of assignments) {
+          if (!assignmentsByDay[a.day_id]) assignmentsByDay[a.day_id] = [];
+          assignmentsByDay[a.day_id].push(a);
+        }
+      }
+
+      const result = days.map(d => ({ ...d, assignments: assignmentsByDay[d.id] || [] }));
+      return jsonContent(uri.href, result);
+    }
+  );
+
+  // Places in a trip
+  server.registerResource(
+    'trip-places',
+    new ResourceTemplate('trek://trips/{tripId}/places', { list: undefined }),
+    { description: 'All places/POIs saved in a trip' },
+    async (uri, { tripId }) => {
+      const id = parseId(tripId);
+      if (id === null || !canAccessTrip(id, userId)) return accessDenied(uri.href);
+      const places = db.prepare(`
+        SELECT p.*, c.name as category_name, c.color as category_color, c.icon as category_icon
+        FROM places p
+        LEFT JOIN categories c ON p.category_id = c.id
+        WHERE p.trip_id = ?
+        ORDER BY p.created_at DESC
+      `).all(id);
+      return jsonContent(uri.href, places);
+    }
+  );
+
+  // Budget items
+  server.registerResource(
+    'trip-budget',
+    new ResourceTemplate('trek://trips/{tripId}/budget', { list: undefined }),
+    { description: 'Budget and expense items for a trip' },
+    async (uri, { tripId }) => {
+      const id = parseId(tripId);
+      if (id === null || !canAccessTrip(id, userId)) return accessDenied(uri.href);
+      const items = db.prepare(
+        'SELECT * FROM budget_items WHERE trip_id = ? ORDER BY category ASC, created_at ASC'
+      ).all(id);
+      return jsonContent(uri.href, items);
+    }
+  );
+
+  // Packing checklist
+  server.registerResource(
+    'trip-packing',
+    new ResourceTemplate('trek://trips/{tripId}/packing', { list: undefined }),
+    { description: 'Packing checklist for a trip' },
+    async (uri, { tripId }) => {
+      const id = parseId(tripId);
+      if (id === null || !canAccessTrip(id, userId)) return accessDenied(uri.href);
+      const items = db.prepare(
+        'SELECT * FROM packing_items WHERE trip_id = ? ORDER BY sort_order ASC, created_at ASC'
+      ).all(id);
+      return jsonContent(uri.href, items);
+    }
+  );
+
+  // Reservations (flights, hotels, restaurants)
+  server.registerResource(
+    'trip-reservations',
+    new ResourceTemplate('trek://trips/{tripId}/reservations', { list: undefined }),
+    { description: 'Reservations (flights, hotels, restaurants) for a trip' },
+    async (uri, { tripId }) => {
+      const id = parseId(tripId);
+      if (id === null || !canAccessTrip(id, userId)) return accessDenied(uri.href);
+      const reservations = db.prepare(`
+        SELECT r.*, d.day_number, p.name as place_name
+        FROM reservations r
+        LEFT JOIN days d ON r.day_id = d.id
+        LEFT JOIN places p ON r.place_id = p.id
+        WHERE r.trip_id = ?
+        ORDER BY r.reservation_time ASC, r.created_at ASC
+      `).all(id);
+      return jsonContent(uri.href, reservations);
+    }
+  );
+
+  // Day notes
+  server.registerResource(
+    'day-notes',
+    new ResourceTemplate('trek://trips/{tripId}/days/{dayId}/notes', { list: undefined }),
+    { description: 'Notes for a specific day in a trip' },
+    async (uri, { tripId, dayId }) => {
+      const tId = parseId(tripId);
+      const dId = parseId(dayId);
+      if (tId === null || dId === null || !canAccessTrip(tId, userId)) return accessDenied(uri.href);
+      const notes = db.prepare(
+        'SELECT * FROM day_notes WHERE day_id = ? AND trip_id = ? ORDER BY sort_order ASC, created_at ASC'
+      ).all(dId, tId);
+      return jsonContent(uri.href, notes);
+    }
+  );
+
+  // Accommodations (hotels, rentals) per trip
+  server.registerResource(
+    'trip-accommodations',
+    new ResourceTemplate('trek://trips/{tripId}/accommodations', { list: undefined }),
+    { description: 'Accommodations (hotels, rentals) for a trip with check-in/out details' },
+    async (uri, { tripId }) => {
+      const id = parseId(tripId);
+      if (id === null || !canAccessTrip(id, userId)) return accessDenied(uri.href);
+      const accommodations = db.prepare(`
+        SELECT da.*, p.name as place_name, p.address as place_address, p.lat, p.lng,
+          ds.day_number as start_day_number, de.day_number as end_day_number
+        FROM day_accommodations da
+        JOIN places p ON da.place_id = p.id
+        LEFT JOIN days ds ON da.start_day_id = ds.id
+        LEFT JOIN days de ON da.end_day_id = de.id
+        WHERE da.trip_id = ?
+        ORDER BY ds.day_number ASC
+      `).all(id);
+      return jsonContent(uri.href, accommodations);
+    }
+  );
+
+  // Trip members (owner + collaborators)
+  server.registerResource(
+    'trip-members',
+    new ResourceTemplate('trek://trips/{tripId}/members', { list: undefined }),
+    { description: 'Owner and collaborators of a trip' },
+    async (uri, { tripId }) => {
+      const id = parseId(tripId);
+      if (id === null || !canAccessTrip(id, userId)) return accessDenied(uri.href);
+      const trip = db.prepare('SELECT user_id FROM trips WHERE id = ?').get(id) as { user_id: number } | undefined;
+      if (!trip) return accessDenied(uri.href);
+      const owner = db.prepare('SELECT id, username, avatar FROM users WHERE id = ?').get(trip.user_id) as Record<string, unknown> | undefined;
+      const members = db.prepare(`
+        SELECT u.id, u.username, u.avatar, tm.added_at
+        FROM trip_members tm
+        JOIN users u ON tm.user_id = u.id
+        WHERE tm.trip_id = ?
+        ORDER BY tm.added_at ASC
+      `).all(id);
+      return jsonContent(uri.href, {
+        owner: owner ? { ...owner, role: 'owner' } : null,
+        members,
+      });
+    }
+  );
+
+  // Collab notes for a trip
+  server.registerResource(
+    'trip-collab-notes',
+    new ResourceTemplate('trek://trips/{tripId}/collab-notes', { list: undefined }),
+    { description: 'Shared collaborative notes for a trip' },
+    async (uri, { tripId }) => {
+      const id = parseId(tripId);
+      if (id === null || !canAccessTrip(id, userId)) return accessDenied(uri.href);
+      const notes = db.prepare(`
+        SELECT cn.*, u.username
+        FROM collab_notes cn
+        JOIN users u ON cn.user_id = u.id
+        WHERE cn.trip_id = ?
+        ORDER BY cn.pinned DESC, cn.updated_at DESC
+      `).all(id);
+      return jsonContent(uri.href, notes);
+    }
+  );
+
+  // All place categories (global, no trip filter)
+  server.registerResource(
+    'categories',
+    'trek://categories',
+    { description: 'All available place categories (id, name, color, icon) for use when creating places' },
+    async (uri) => {
+      const categories = db.prepare(
+        'SELECT id, name, color, icon FROM categories ORDER BY name ASC'
+      ).all();
+      return jsonContent(uri.href, categories);
+    }
+  );
+
+  // User's bucket list
+  server.registerResource(
+    'bucket-list',
+    'trek://bucket-list',
+    { description: 'Your personal travel bucket list' },
+    async (uri) => {
+      const items = db.prepare(
+        'SELECT * FROM bucket_list WHERE user_id = ? ORDER BY created_at DESC'
+      ).all(userId);
+      return jsonContent(uri.href, items);
+    }
+  );
+
+  // User's visited countries
+  server.registerResource(
+    'visited-countries',
+    'trek://visited-countries',
+    { description: 'Countries you have marked as visited in Atlas' },
+    async (uri) => {
+      const countries = db.prepare(
+        'SELECT country_code, created_at FROM visited_countries WHERE user_id = ? ORDER BY created_at DESC'
+      ).all(userId);
+      return jsonContent(uri.href, countries);
+    }
+  );
+}

server/src/middleware/mfaPolicy.ts

@@ -0,0 +1,98 @@
+import { Request, Response, NextFunction } from 'express';
+import jwt from 'jsonwebtoken';
+import { db } from '../db/database';
+import { JWT_SECRET } from '../config';
+
+/** Paths that never require MFA (public or pre-auth). */
+function isPublicApiPath(method: string, pathNoQuery: string): boolean {
+  if (method === 'GET' && pathNoQuery === '/api/health') return true;
+  if (method === 'GET' && pathNoQuery === '/api/auth/app-config') return true;
+  if (method === 'POST' && pathNoQuery === '/api/auth/login') return true;
+  if (method === 'POST' && pathNoQuery === '/api/auth/register') return true;
+  if (method === 'POST' && pathNoQuery === '/api/auth/demo-login') return true;
+  if (method === 'GET' && pathNoQuery.startsWith('/api/auth/invite/')) return true;
+  if (method === 'POST' && pathNoQuery === '/api/auth/mfa/verify-login') return true;
+  if (pathNoQuery.startsWith('/api/auth/oidc/')) return true;
+  return false;
+}
+
+/** Authenticated paths allowed while MFA is not yet enabled (setup + lockout recovery). */
+function isMfaSetupExemptPath(method: string, pathNoQuery: string): boolean {
+  if (method === 'GET' && pathNoQuery === '/api/auth/me') return true;
+  if (method === 'POST' && pathNoQuery === '/api/auth/mfa/setup') return true;
+  if (method === 'POST' && pathNoQuery === '/api/auth/mfa/enable') return true;
+  if ((method === 'GET' || method === 'PUT') && pathNoQuery === '/api/auth/app-settings') return true;
+  return false;
+}
+
+/**
+ * When app_settings.require_mfa is true, block API access for users without MFA enabled,
+ * except for public routes and MFA setup endpoints.
+ */
+export function enforceGlobalMfaPolicy(req: Request, res: Response, next: NextFunction): void {
+  const pathNoQuery = (req.originalUrl || req.url || '').split('?')[0];
+
+  if (!pathNoQuery.startsWith('/api')) {
+    next();
+    return;
+  }
+
+  if (isPublicApiPath(req.method, pathNoQuery)) {
+    next();
+    return;
+  }
+
+  const authHeader = req.headers.authorization;
+  const token = authHeader && authHeader.split(' ')[1];
+  if (!token) {
+    next();
+    return;
+  }
+
+  let userId: number;
+  try {
+    const decoded = jwt.verify(token, JWT_SECRET) as { id: number };
+    userId = decoded.id;
+  } catch {
+    next();
+    return;
+  }
+
+  const requireRow = db.prepare("SELECT value FROM app_settings WHERE key = 'require_mfa'").get() as { value: string } | undefined;
+  if (requireRow?.value !== 'true') {
+    next();
+    return;
+  }
+
+  if (process.env.DEMO_MODE === 'true') {
+    const demo = db.prepare('SELECT email FROM users WHERE id = ?').get(userId) as { email: string } | undefined;
+    if (demo?.email === 'demo@trek.app' || demo?.email === 'demo@nomad.app') {
+      next();
+      return;
+    }
+  }
+
+  const row = db.prepare('SELECT mfa_enabled, role FROM users WHERE id = ?').get(userId) as
+    | { mfa_enabled: number | boolean; role: string }
+    | undefined;
+  if (!row) {
+    next();
+    return;
+  }
+
+  const mfaOk = row.mfa_enabled === 1 || row.mfa_enabled === true;
+  if (mfaOk) {
+    next();
+    return;
+  }
+
+  if (isMfaSetupExemptPath(req.method, pathNoQuery)) {
+    next();
+    return;
+  }
+
+  res.status(403).json({
+    error: 'Two-factor authentication is required. Complete setup in Settings.',
+    code: 'MFA_REQUIRED',
+  });
+}

server/src/routes/admin.ts

@@ -8,6 +8,7 @@ import { db } from '../db/database';
 import { authenticate, adminOnly } from '../middleware/auth';
 import { AuthRequest, User, Addon } from '../types';
 import { writeAudit, getClientIp } from '../services/auditLog';
+import { revokeUserSessions } from '../mcp';
 
 const router = express.Router();
 
@@ -547,4 +548,22 @@ router.put('/addons/:id', (req: Request, res: Response) => {
   res.json({ addon: { ...updated, enabled: !!updated.enabled, config: JSON.parse(updated.config || '{}') } });
 });
 
+router.get('/mcp-tokens', (req: Request, res: Response) => {
+  const tokens = db.prepare(`
+    SELECT t.id, t.name, t.token_prefix, t.created_at, t.last_used_at, t.user_id, u.username
+    FROM mcp_tokens t
+    JOIN users u ON u.id = t.user_id
+    ORDER BY t.created_at DESC
+  `).all();
+  res.json({ tokens });
+});
+
+router.delete('/mcp-tokens/:id', (req: Request, res: Response) => {
+  const token = db.prepare('SELECT id, user_id FROM mcp_tokens WHERE id = ?').get(req.params.id) as { id: number; user_id: number } | undefined;
+  if (!token) return res.status(404).json({ error: 'Token not found' });
+  db.prepare('DELETE FROM mcp_tokens WHERE id = ?').run(req.params.id);
+  revokeUserSessions(token.user_id);
+  res.json({ success: true });
+});
+
 export default router;

server/src/routes/auth.ts

@@ -4,6 +4,7 @@ import jwt from 'jsonwebtoken';
 import multer from 'multer';
 import path from 'path';
 import fs from 'fs';
+import crypto from 'crypto';
 import { v4 as uuid } from 'uuid';
 import fetch from 'node-fetch';
 import { authenticator } from 'otplib';
@@ -12,6 +13,8 @@ import { db } from '../db/database';
 import { authenticate, demoUploadBlock } from '../middleware/auth';
 import { JWT_SECRET } from '../config';
 import { encryptMfaSecret, decryptMfaSecret } from '../services/mfaCrypto';
+import { randomBytes, createHash } from 'crypto';
+import { revokeUserSessions } from '../mcp';
 import { AuthRequest, User } from '../types';
 import { writeAudit, getClientIp } from '../services/auditLog';
 
@@ -19,6 +22,35 @@ authenticator.options = { window: 1 };
 
 const MFA_SETUP_TTL_MS = 15 * 60 * 1000;
 const mfaSetupPending = new Map<number, { secret: string; exp: number }>();
+const MFA_BACKUP_CODE_COUNT = 10;
+
+function normalizeBackupCode(input: string): string {
+  return String(input || '').toUpperCase().replace(/[^A-Z0-9]/g, '');
+}
+
+function hashBackupCode(input: string): string {
+  return crypto.createHash('sha256').update(normalizeBackupCode(input)).digest('hex');
+}
+
+function generateBackupCodes(count = MFA_BACKUP_CODE_COUNT): string[] {
+  const codes: string[] = [];
+  while (codes.length < count) {
+    const raw = crypto.randomBytes(4).toString('hex').toUpperCase();
+    const code = `${raw.slice(0, 4)}-${raw.slice(4)}`;
+    if (!codes.includes(code)) codes.push(code);
+  }
+  return codes;
+}
+
+function parseBackupCodeHashes(raw: string | null | undefined): string[] {
+  if (!raw) return [];
+  try {
+    const parsed = JSON.parse(raw);
+    return Array.isArray(parsed) ? parsed.filter(v => typeof v === 'string') : [];
+  } catch {
+    return [];
+  }
+}
 
 function getPendingMfaSecret(userId: number): string | null {
   const row = mfaSetupPending.get(userId);
@@ -41,6 +73,7 @@ function stripUserForClient(user: User): Record<string, unknown> {
     openweather_api_key: _o,
     unsplash_api_key: _u,
     mfa_secret: _mf,
+    mfa_backup_codes: _mbc,
     ...rest
   } = user;
   return {
@@ -143,6 +176,7 @@ router.get('/app-config', (_req: Request, res: Response) => {
   );
   const oidcOnlySetting = process.env.OIDC_ONLY || (db.prepare("SELECT value FROM app_settings WHERE key = 'oidc_only'").get() as { value: string } | undefined)?.value;
   const oidcOnlyMode = oidcConfigured && oidcOnlySetting === 'true';
+  const requireMfaRow = db.prepare("SELECT value FROM app_settings WHERE key = 'require_mfa'").get() as { value: string } | undefined;
   res.json({
     allow_registration: isDemo ? false : allowRegistration,
     has_users: userCount > 0,
@@ -151,6 +185,7 @@ router.get('/app-config', (_req: Request, res: Response) => {
     oidc_configured: oidcConfigured,
     oidc_display_name: oidcConfigured ? (oidcDisplayName || 'SSO') : undefined,
     oidc_only_mode: oidcOnlyMode,
+    require_mfa: requireMfaRow?.value === 'true',
     allowed_file_types: (db.prepare("SELECT value FROM app_settings WHERE key = 'allowed_file_types'").get() as { value: string } | undefined)?.value || 'jpg,jpeg,png,gif,webp,heic,pdf,doc,docx,xls,xlsx,txt,csv',
     demo_mode: isDemo,
     demo_email: isDemo ? 'demo@trek.app' : undefined,
@@ -516,7 +551,7 @@ router.get('/validate-keys', authenticate, async (req: Request, res: Response) =
   res.json(result);
 });
 
-const ADMIN_SETTINGS_KEYS = ['allow_registration', 'allowed_file_types', 'smtp_host', 'smtp_port', 'smtp_user', 'smtp_pass', 'smtp_from', 'smtp_skip_tls_verify', 'notification_webhook_url', 'app_url'];
+const ADMIN_SETTINGS_KEYS = ['allow_registration', 'allowed_file_types', 'require_mfa', 'smtp_host', 'smtp_port', 'smtp_user', 'smtp_pass', 'smtp_from', 'smtp_skip_tls_verify', 'notification_webhook_url', 'app_url'];
 
 router.get('/app-settings', authenticate, (req: Request, res: Response) => {
   const authReq = req as AuthRequest;
@@ -536,9 +571,23 @@ router.put('/app-settings', authenticate, (req: Request, res: Response) => {
   const user = db.prepare('SELECT role FROM users WHERE id = ?').get(authReq.user.id) as { role: string } | undefined;
   if (user?.role !== 'admin') return res.status(403).json({ error: 'Admin access required' });
 
+  const { allow_registration, allowed_file_types, require_mfa } = req.body as Record<string, unknown>;
+
+  if (require_mfa === true || require_mfa === 'true') {
+    const adminMfa = db.prepare('SELECT mfa_enabled FROM users WHERE id = ?').get(authReq.user.id) as { mfa_enabled: number } | undefined;
+    if (!(adminMfa?.mfa_enabled === 1)) {
+      return res.status(400).json({
+        error: 'Enable two-factor authentication on your own account before requiring it for all users.',
+      });
+    }
+  }
+
   for (const key of ADMIN_SETTINGS_KEYS) {
     if (req.body[key] !== undefined) {
-      const val = String(req.body[key]);
+      let val = String(req.body[key]);
+      if (key === 'require_mfa') {
+        val = req.body[key] === true || val === 'true' ? 'true' : 'false';
+      }
       // Don't save masked password
       if (key === 'smtp_pass' && val === '••••••••') continue;
       db.prepare("INSERT OR REPLACE INTO app_settings (key, value) VALUES (?, ?)").run(key, val);
@@ -551,6 +600,7 @@ router.put('/app-settings', authenticate, (req: Request, res: Response) => {
     details: {
       allow_registration: allow_registration !== undefined ? Boolean(allow_registration) : undefined,
       allowed_file_types_changed: allowed_file_types !== undefined,
+      require_mfa: require_mfa !== undefined ? (require_mfa === true || require_mfa === 'true') : undefined,
     },
   });
   res.json({ success: true });
@@ -645,10 +695,20 @@ router.post('/mfa/verify-login', authLimiter, (req: Request, res: Response) => {
       return res.status(401).json({ error: 'Invalid session' });
     }
     const secret = decryptMfaSecret(user.mfa_secret);
-    const tokenStr = String(code).replace(/\s/g, '');
-    const ok = authenticator.verify({ token: tokenStr, secret });
-    if (!ok) {
-      return res.status(401).json({ error: 'Invalid verification code' });
+    const tokenStr = String(code).trim();
+    const okTotp = authenticator.verify({ token: tokenStr.replace(/\s/g, ''), secret });
+    if (!okTotp) {
+      const hashes = parseBackupCodeHashes(user.mfa_backup_codes);
+      const candidateHash = hashBackupCode(tokenStr);
+      const idx = hashes.findIndex(h => h === candidateHash);
+      if (idx === -1) {
+        return res.status(401).json({ error: 'Invalid verification code' });
+      }
+      hashes.splice(idx, 1);
+      db.prepare('UPDATE users SET mfa_backup_codes = ?, updated_at = CURRENT_TIMESTAMP WHERE id = ?').run(
+        JSON.stringify(hashes),
+        user.id
+      );
     }
     db.prepare('UPDATE users SET last_login = CURRENT_TIMESTAMP WHERE id = ?').run(user.id);
     const sessionToken = generateToken(user);
@@ -702,14 +762,17 @@ router.post('/mfa/enable', authenticate, (req: Request, res: Response) => {
   if (!ok) {
     return res.status(401).json({ error: 'Invalid verification code' });
   }
+  const backupCodes = generateBackupCodes();
+  const backupHashes = backupCodes.map(hashBackupCode);
   const enc = encryptMfaSecret(pending);
-  db.prepare('UPDATE users SET mfa_enabled = 1, mfa_secret = ?, updated_at = CURRENT_TIMESTAMP WHERE id = ?').run(
+  db.prepare('UPDATE users SET mfa_enabled = 1, mfa_secret = ?, mfa_backup_codes = ?, updated_at = CURRENT_TIMESTAMP WHERE id = ?').run(
     enc,
+    JSON.stringify(backupHashes),
     authReq.user.id
   );
   mfaSetupPending.delete(authReq.user.id);
   writeAudit({ userId: authReq.user.id, action: 'user.mfa_enable', ip: getClientIp(req) });
-  res.json({ success: true, mfa_enabled: true });
+  res.json({ success: true, mfa_enabled: true, backup_codes: backupCodes });
 });
 
 router.post('/mfa/disable', authenticate, rateLimiter(5, RATE_LIMIT_WINDOW), (req: Request, res: Response) => {
@@ -717,6 +780,10 @@ router.post('/mfa/disable', authenticate, rateLimiter(5, RATE_LIMIT_WINDOW), (re
   if (process.env.DEMO_MODE === 'true' && authReq.user.email === 'demo@nomad.app') {
     return res.status(403).json({ error: 'MFA cannot be changed in demo mode.' });
   }
+  const policy = db.prepare("SELECT value FROM app_settings WHERE key = 'require_mfa'").get() as { value: string } | undefined;
+  if (policy?.value === 'true') {
+    return res.status(403).json({ error: 'Two-factor authentication cannot be disabled while it is required for all users.' });
+  }
   const { password, code } = req.body as { password?: string; code?: string };
   if (!password || !code) {
     return res.status(400).json({ error: 'Password and authenticator code are required' });
@@ -734,7 +801,7 @@ router.post('/mfa/disable', authenticate, rateLimiter(5, RATE_LIMIT_WINDOW), (re
   if (!ok) {
     return res.status(401).json({ error: 'Invalid verification code' });
   }
-  db.prepare('UPDATE users SET mfa_enabled = 0, mfa_secret = NULL, updated_at = CURRENT_TIMESTAMP WHERE id = ?').run(
+  db.prepare('UPDATE users SET mfa_enabled = 0, mfa_secret = NULL, mfa_backup_codes = NULL, updated_at = CURRENT_TIMESTAMP WHERE id = ?').run(
     authReq.user.id
   );
   mfaSetupPending.delete(authReq.user.id);
@@ -742,4 +809,48 @@ router.post('/mfa/disable', authenticate, rateLimiter(5, RATE_LIMIT_WINDOW), (re
   res.json({ success: true, mfa_enabled: false });
 });
 
+// --- MCP Token Management ---
+
+router.get('/mcp-tokens', authenticate, (req: Request, res: Response) => {
+  const authReq = req as AuthRequest;
+  const tokens = db.prepare(
+    'SELECT id, name, token_prefix, created_at, last_used_at FROM mcp_tokens WHERE user_id = ? ORDER BY created_at DESC'
+  ).all(authReq.user.id);
+  res.json({ tokens });
+});
+
+router.post('/mcp-tokens', authenticate, rateLimiter(5, RATE_LIMIT_WINDOW), (req: Request, res: Response) => {
+  const authReq = req as AuthRequest;
+  const { name } = req.body;
+  if (!name?.trim()) return res.status(400).json({ error: 'Token name is required' });
+  if (name.trim().length > 100) return res.status(400).json({ error: 'Token name must be 100 characters or less' });
+
+  const tokenCount = (db.prepare('SELECT COUNT(*) as count FROM mcp_tokens WHERE user_id = ?').get(authReq.user.id) as { count: number }).count;
+  if (tokenCount >= 10) return res.status(400).json({ error: 'Maximum of 10 tokens per user reached' });
+
+  const rawToken = 'trek_' + randomBytes(24).toString('hex');
+  const tokenHash = createHash('sha256').update(rawToken).digest('hex');
+  const tokenPrefix = rawToken.slice(0, 13); // "trek_" + 8 hex chars
+
+  const result = db.prepare(
+    'INSERT INTO mcp_tokens (user_id, name, token_hash, token_prefix) VALUES (?, ?, ?, ?)'
+  ).run(authReq.user.id, name.trim(), tokenHash, tokenPrefix);
+
+  const token = db.prepare(
+    'SELECT id, name, token_prefix, created_at, last_used_at FROM mcp_tokens WHERE id = ?'
+  ).get(result.lastInsertRowid);
+
+  res.status(201).json({ token: { ...(token as object), raw_token: rawToken } });
+});
+
+router.delete('/mcp-tokens/:id', authenticate, (req: Request, res: Response) => {
+  const authReq = req as AuthRequest;
+  const { id } = req.params;
+  const token = db.prepare('SELECT id FROM mcp_tokens WHERE id = ? AND user_id = ?').get(id, authReq.user.id);
+  if (!token) return res.status(404).json({ error: 'Token not found' });
+  db.prepare('DELETE FROM mcp_tokens WHERE id = ?').run(id);
+  revokeUserSessions(authReq.user.id);
+  res.json({ success: true });
+});
+
 export default router;

server/src/routes/files.ts

@@ -85,7 +85,7 @@ router.get('/', authenticate, (req: Request, res: Response) => {
 
   // Get all file_links for this trip's files
   const fileIds = files.map(f => f.id);
-  let linksMap: Record<number, number[]> = {};
+  let linksMap: Record<number, { file_id: number; reservation_id: number | null; place_id: number | null }[]> = {};
   if (fileIds.length > 0) {
     const placeholders = fileIds.map(() => '?').join(',');
     const links = db.prepare(`SELECT file_id, reservation_id, place_id FROM file_links WHERE file_id IN (${placeholders})`).all(...fileIds) as { file_id: number; reservation_id: number | null; place_id: number | null }[];

server/src/types.ts

@@ -15,6 +15,7 @@ export interface User {
   last_login?: string | null;
   mfa_enabled?: number | boolean;
   mfa_secret?: string | null;
+  mfa_backup_codes?: string | null;
   created_at?: string;
   updated_at?: string;
 }

server/src/websocket.ts

@@ -55,12 +55,18 @@ function setupWebSocket(server: http.Server): void {
     try {
       const decoded = jwt.verify(token, JWT_SECRET) as { id: number };
       user = db.prepare(
-        'SELECT id, username, email, role FROM users WHERE id = ?'
+        'SELECT id, username, email, role, mfa_enabled FROM users WHERE id = ?'
       ).get(decoded.id) as User | undefined;
       if (!user) {
         nws.close(4001, 'User not found');
         return;
       }
+      const requireMfa = (db.prepare("SELECT value FROM app_settings WHERE key = 'require_mfa'").get() as { value: string } | undefined)?.value === 'true';
+      const mfaOk = user.mfa_enabled === 1 || user.mfa_enabled === true;
+      if (requireMfa && !mfaOk) {
+        nws.close(4403, 'MFA required');
+        return;
+      }
     } catch (err: unknown) {
       nws.close(4001, 'Invalid or expired token');
       return;

server/tsconfig.json

@@ -14,7 +14,14 @@
     "sourceMap": true,
     "allowJs": true,
     "noUnusedLocals": false,
-    "noUnusedParameters": false
+    "noUnusedParameters": false,
+    // The MCP SDK's package.json uses a wildcard exports pattern with extension-less targets
+    // (e.g. "./*": "./dist/esm/*") which TypeScript cannot resolve — it only strips .js suffixes.
+    // These paths manually redirect to the CJS dist until the SDK fixes its exports map.
+    "paths": {
+      "@modelcontextprotocol/sdk/server/mcp": ["./node_modules/@modelcontextprotocol/sdk/dist/cjs/server/mcp"],
+      "@modelcontextprotocol/sdk/server/streamableHttp": ["./node_modules/@modelcontextprotocol/sdk/dist/cjs/server/streamableHttp"]
+    }
   },
   "include": ["src"],
   "exclude": ["node_modules", "dist"]