Actualiser Dockerfile

Actualiser assets/js/app.js
Actualiser .htaccess
2026-06-30 11:37:51 +00:00 · 2026-06-29 18:22:25 +00:00 · 2026-06-29 15:44:24 +00:00 · 2026-06-27 17:49:17 +00:00 · 2026-06-27 17:43:03 +00:00 · 2026-06-27 17:31:38 +00:00
71 changed files with 21416 additions and 10291 deletions
@@ -0,0 +1,5 @@
 node_modules/
 .git/
 dist/
 build/
 *.log
@@ -125,10 +125,24 @@ GDRIVE_FOLDER_ID=
 GDRIVE_RETENTION_DAYS=30
 # ── Security ─────────────────────────────────────────────────────────────────
-# SETTINGS_TOKEN: if set, the Settings screen requires this token to save changes.
+# API_TOKEN: when set, all API calls require header X-API-Token (or ?api_token= for HA).
-# Leave empty to allow anyone with access to the server to change settings.
+# SETTINGS_TOKEN: legacy alias — use API_TOKEN for new installs.
 API_TOKEN=
 SETTINGS_TOKEN=
 # CORS_ORIGIN: comma-separated allowed origins (empty = same-origin only, no wildcard)
 CORS_ORIGIN=
 # GitHub automatic issue reporting (encrypted storage recommended)
 # Option A — plain ( .env is gitignored ):
 # GH_ISSUE_TOKEN=ghp_...
 # Option B — encrypted (php scripts/encrypt-gh-token.php 'ghp_...' 'secret-key'):
 GH_ISSUE_TOKEN=
 GH_ISSUE_TOKEN_ENC=
 GH_ISSUE_TOKEN_KEY=
 # NOTE: Run `php scripts/migrate-env-security.php` once after upgrading to migrate legacy tokens.
 # INSTANCE_NAME: display name for this EverShelf instance (used by the HA integration
 # for Zeroconf discovery label and device name in Home Assistant).
 # Defaults to the server hostname if left empty.
@@ -160,5 +174,5 @@ HA_EXPIRY_DAYS=3
 # DEMO_MODE: when true, all write operations are blocked (for public demos)
 DEMO_MODE=false
-# NOTE: GitHub error reporting uses a token hardcoded in api/index.php.
+# CRON_LOG_MAX_BYTES: rotate data/cron.log when larger (default 524288 = 512 KB)
-# To rotate it, update the GH_ISSUE_TOKEN constant there.
+CRON_LOG_MAX_BYTES=524288
@@ -37,8 +37,10 @@ jobs:
        id: version
        run: |
          VERSION=$(grep 'versionName' evershelf-kiosk/app/build.gradle.kts | grep -oP '"\K[^"]+')
          VCODE=$(grep 'versionCode' evershelf-kiosk/app/build.gradle.kts | grep -oP '\d+')
          echo "name=$VERSION" >> "$GITHUB_OUTPUT"
-          echo "Kiosk version: $VERSION"
+          echo "code=$VCODE" >> "$GITHUB_OUTPUT"
          echo "Kiosk version: $VERSION (versionCode $VCODE)"
      - name: Build debug APK
        run: gradle assembleDebug --no-daemon
@@ -75,7 +77,21 @@ jobs:
          sleep 3
          gh release create kiosk-latest \
            --title "EverShelf Kiosk Latest" \
-            --notes "Alias automatico → kiosk-${{ steps.version.outputs.name }}" \
+            --notes "Auto alias → kiosk-${{ steps.version.outputs.name }} (versionCode ${{ steps.version.outputs.code }})" \
            --prerelease \
            artifacts/evershelf-kiosk.apk
      - name: Publish APK to releases/ for LAN OTA
        env:
          GH_TOKEN: ${{ secrets.WORKFLOW_PAT || secrets.GITHUB_TOKEN }}
        run: |
          cp artifacts/evershelf-kiosk.apk releases/evershelf-kiosk.apk
          printf '{"version":"%s","version_code":%s}\n' \
            "${{ steps.version.outputs.name }}" "${{ steps.version.outputs.code }}" \
            > releases/kiosk-version.json
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git add releases/evershelf-kiosk.apk releases/kiosk-version.json
          git diff --staged --quiet || git commit -m "chore(kiosk): publish APK v${{ steps.version.outputs.name }} for LAN OTA"
          git push origin HEAD:${{ github.ref_name }}
@@ -43,7 +43,18 @@ jobs:
      - uses: actions/checkout@v6
      - name: Build Docker image
-        run: docker build -t evershelf-test .
+        run: |
          set -e
          for attempt in 1 2 3; do
            echo "Docker build attempt $attempt/3..."
            if docker build -t evershelf-test .; then
              exit 0
            fi
            echo "Attempt $attempt failed — retrying in 20s..."
            sleep 20
          done
          echo "Docker build failed after 3 attempts"
          exit 1
      - name: Test container starts
        run: |
@@ -52,3 +52,4 @@ data/food_facts_cache.json
 data/category_ai_cache.json
 assets/img/logo/*_backup.*
 logs/*.log
 assets/vendor/transformers/Xenova/
@@ -1,8 +1,23 @@
 RewriteEngine On
-# Force HTTPS
+# Block sensitive files (Apache 2.4+)
-RewriteCond %{HTTPS} !=on
+<Files ".env">
-RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
+    Require all denied
 </Files>
 <Files ".env.example">
    Require all denied
 </Files>
 <Files "backup.sh">
    Require all denied
 </Files>
 <FilesMatch "^\.">
    Require all denied
 </FilesMatch>
 # Force HTTPS (skip when terminated TLS is forwarded — Traefik, Caddy, NPM, …)
 #RewriteCond %{HTTPS} !=on
 #RewriteCond %{HTTP:X-Forwarded-Proto} !^https$ [NC]
 #RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
 # API routing
 RewriteCond %{REQUEST_FILENAME} !-f
@@ -11,6 +11,129 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - **Recipe scraps tips** — During cooking steps, detect "waste" generated (peels, cores, bones, eggshells, coffee grounds, citrus zest, etc.) and surface AI-powered tips on how to reuse them (compost, natural cleaner, broth, candied peel, etc.). Could be shown as an optional collapsible hint card below the step that generates the scrap.
 ## [1.7.42] - 2026-06-11
 ### Added
 - **Waste reason picker** — Discarding a product prompts for why (expired, spoiled, wrong storage, kept too long, bought too much, forgotten, bad quality, other) in IT/EN/DE/FR/ES.
 - **Waste learning** — Reasons are stored per product in `app_settings.waste_learning`; caps smart-shopping suggested quantities, surfaces preferred storage location, and tightens expiry alerts after repeated spoilage.
 - **`scripts/github-issue-triage.php`** — Reopens wrongly closed feature backlog items; closes resolved auto-report bugs with English comments.
 ### Fixed
 - **Inflated shopping total** — Price each Bring!/shopping line as **one retail purchase**; convert AI €/kg prices to estimated piece weight (200 g default) instead of multiplying by piece count; cap smart-shopping conf/pz suggestions used for pricing context.
 - **SQLite database locked (#201–#202)** — `inventory_use` and `shopping_add` (including Bring mode) wrapped in `dbWithRetry()`.
 - **Smart shopping timeout (#203–#204)** — `set_time_limit(120)` on `smartShopping()` / `smartShoppingCached()` for large inventories.
 - **Android kiosk CI** — Escaped apostrophes in locale `strings.xml` (de/es/fr/it); fixed Kotlin JSON string escaping in `SetupActivity.finishSetup()`.
 - **GitHub triage** — `triage-open-issues.php` no longer bulk-closes enhancement/feature backlog; reopened #98 (pin products) and #125 (cooking voice commands) where not yet implemented.
 ## [1.7.41] - 2026-06-08
 ### Fixed
 - **Docker/Traefik “Impossibile contattare il server”** — PHP 8.2 deprecation notices (`LoggingPDO::prepare`) were emitted as HTML before JSON, breaking `fetch().json()` on the startup health check; API bootstrap now suppresses HTML error output in production.
 - **Traefik HTTPS redirect loop** — `.htaccess` skips the HTTPS redirect when `X-Forwarded-Proto: https` is already set (compatible with Traefik `sslheader` middleware); no need to disable `.htaccess` manually.
 - **LoggingPDO PHP 8.2** — `#[\ReturnTypeWillChange]` on `prepare()` to eliminate deprecation noise in error logs.
 ## [1.7.40] - 2026-06-08
 ### Added
 - **Qty unit badges** — Quantity inputs show the active unit (g, ml, conf, pz, …) on use, add, recipe-use, edit and throw modals; scale live label “Inserimento in …”.
 - **Recipe shopping suggestions** — AI recipes can list optional missing ingredients with one-tap add to Bring!/shopping list.
 - **Recipe frozen badge** — Freezer items flagged in pantry lines and recipe UI; prompt rule for cooking from frozen.
 - **Health check `db_writable`** — Startup diagnostic detects non-writable SQLite file (common Docker volume issue).
 - **`scripts/triage-open-issues.php`** — Maintenance helper to comment/close GitHub issues via encrypted token.
 - **Ops CLI scripts** — `audit-finished-shopping.php`, `backfill-finished-shopping.php`, `sync-shopping-bring.php`, `install-transformers-model.sh` (offline Xenova classifier bootstrap).
 ### Fixed
 - **SQLite database locked** — `PRAGMA busy_timeout` 10s + `dbWithRetry()` on `inventory_update` under cron/PWA contention.
 - **Barcode duplicate on save** — `saveProduct` merges or returns 409 instead of HTTP 500 on UNIQUE barcode.
 - **EverLog CLI crash** — Safe cast of `REQUEST_METHOD` when null (kiosk/cron).
 - **Spesa scan crash** — `currentPage` → `_currentPageId` in `_applySpesaScanUI`.
 - **Recipe quantities** — Piece products use 1 pc base; serving caps for onions, leafy greens, minestrone; pantry-only post-processing; conf/g display fixes.
 - **Smart shopping purchased block** — Server-side blocklist + spesa mode sync prevents cron from re-adding bought items.
 ### Changed
 - **Docker behind Traefik** — Apache `SetEnvIf X-Forwarded-Proto https HTTPS=on` to avoid redirect loops.
 ## [1.7.39] - 2026-06-06
 ### Added
 - **`resolve_barcode` API** — Single round-trip: local catalog lookup plus **parallel** external search (Open Food Facts IT/world, UPC Item DB, Open Products Facts, Open Beauty Facts via `curl_multi`). Results are stored in SQLite `barcode_cache` for instant repeat scans.
 - **Spesa barcode fast path** — In shopping mode, a successful scan opens the **add form directly** (skips the intermediate action page).
 - **Session barcode cache** — In-memory cache avoids duplicate API calls when scanning many items in one trip.
 - **Manual expiry flag (`expiry_user_set`)** — User-entered expiry dates are kept when changing location, vacuum seal, or moving stock; only auto-estimated dates are recalculated.
 - **Family sibling 24h dedup** — After confirming “Sì, tutto ok” on a similar in-stock product, the check prompt is suppressed for the same `shopping_name` family for 24 hours (synced via `family_sibling_confirmed` in app settings).
 - **Family sibling stock line** — Spesa prompt shows readable stock (e.g. `4 conf (da 20g)`); new `family_sibling_check` / `family_sibling_stock` strings in IT/EN/DE/FR/ES.
 - **Quick-edit product notes** — Notes field in the inline name/brand editor on the product action page.
 ### Fixed
 - **Kiosk / WebView stability** — Guard `$_SERVER['REQUEST_METHOD']` when null; fix JS temporal-dead-zone crashes (`setProgress`, `enriched` → `enrichedRaw`, `duplicateNames`); lazy-load ZBar WASM so kiosk startup no longer OOM-crashes.
 - **Empty barcode SQL error** — Multiple products with `barcode = ''` violated SQLite UNIQUE; empty strings are normalized to `NULL` (migration included).
 - **Spesa ghost products** — Finished/catalog AI candidates and scan recents no longer show zero-stock items in shopping mode; `family_sibling_suggest` requires live inventory quantity.
 - **Insalata di riso misclassification** — Prepared rice salads (e.g. Ponti) map to `pasta` instead of fresh `verdura`; server and client rules aligned.
 - **Family sibling prompt readability** — Quantity and question text use high-contrast colours on the dark overlay.
 - **Move after use / recipe move** — Respects manually set expiry (`expiry_user_set`); purchased items marked on blocklist after spesa add.
 ### Changed
 - **Barcode lookup** — Replaced sequential API waterfall (up to ~15s) with parallel fetch (~1–2s first hit); 30-minute negative cache for unknown codes.
 - **Local barcode search** — Automatically tries EAN-13 / UPC-A variant barcodes.
 ## [1.7.38] - 2026-06-04
 ### Fixed
 - **Finished products on shopping list** — Depleted items are now added to Bring! under their generic `shopping_name` (e.g. “Affettato”). If the generic is already on the list, the specific variant is appended to the specification instead of being skipped. Confirming a ghost/finished product from the dashboard banner also triggers this flow.
 - **Unstable shopping total** — Dashboard, Spesa tab, Home Assistant and screensaver now share one **weekly canonical total** (`PRICE_UPDATE_WEEKS=1`). Totals use **1 package per list item** (no more day-to-day swings from smart-shopping suggested quantities). AI prices are fetched only for items missing from cache; manual 🔄 refresh forces an update.
 - **Screensaver price mismatch** — Screensaver waits for the canonical total sync before displaying the amount, matching the other surfaces.
 ### Changed
 - **Shopping list UI** — Generic list entries show the group name with specific finished variants underneath (same pattern as smart shopping suggestions).
 ## [1.7.37] - 2026-06-04
 ### Fixed
 - **Recipe pantry false positives** — Generated recipes no longer mark ingredients as ✅ in pantry when the product is not in stock or the name does not strictly match an inventory item (score ≥ 80, no generic alias expansion like *formaggio* → any cheese). AI prompt now receives the full in-stock list and explicit rules forbidding invented ingredient names.
 - **`renderRecipe` crash** — Restored missing `qtyNum` variable when reopening archived recipes with pantry ingredients (ReferenceError on the "Use ingredient" button).
 ### Changed
 - **`re-enrich-recipe.php`** — Re-applies strict pantry matching before stock hints when fixing archived recipes.
 ## [1.7.36] - 2026-06-04
 ### Added
 - **Recipe ingredient stock hints** — Pantry ingredients in generated and archived recipes now show a small line under each item: how much you have in stock and how much would remain after use. Quantities are summed across all storage locations.
 - **Zero-waste use-all rule** — When the leftover would be less than **5% of the full sealed package** (or **10%** when less than one full unit is left on an opened pack), the recipe quantity is automatically bumped to use everything on hand (♻️ badge + note in all 5 languages).
 - **Ghost product detection** — Dashboard anomaly banner now surfaces products that vanished from inventory (ledger says stock should exist but no rows remain), with a restore prompt and quantity input.
 - **`inventory_restore_ghost` API** — Restores a vanished product row from the banner without losing transaction history.
 - **`product_merge` API** — Merges duplicate product records (inventory, transactions, aliases) into a single canonical product.
 - **Maintenance scripts** — `scripts/sync-i18n.py` (5-language key sync), `scripts/re-enrich-recipe.php` (re-apply stock hints to archived recipes), `scripts/merge-duplicate-products.php` (batch duplicate merge).
 ### Fixed
 - **Unified shopping total** — Dashboard, Spesa page and screensaver now share one canonical server-side total (`shopping_total_cache`); background refresh runs during screensaver too.
 - **Recipe stream auth** — `generate_recipe_stream` and other direct `fetch()` calls now send the API token consistently, fixing 401 errors during recipe generation.
 - **Home Assistant auth compatibility** — HA integration endpoints accept the configured API token without breaking legacy setups.
 - **Security hardening** — API bootstrap modularised; scale SSE relay and sensitive routes require auth; env migration script for legacy installs.
 - **Dashboard banner i18n** — Fixed raw translation keys (`dashboard.banner_*`) showing in the UI; full sync across IT/EN/DE/FR/ES with cache bust.
 - **Ghost banner permanently hidden** — Removed incorrect `fin_*` hide logic that suppressed vanished-product alerts after a false "finished" confirmation.
 - **`deleteInventory` / `use_all` dedup** — Inventory deletions now log transactions; duplicate `use_all` within 60 s is deduplicated; `confirmFinished` reconciles ledger mismatches.
 - **Duplicate product prevention** — `saveProduct` blocks creating a second product with the same normalised name.
 - **Recipe qty normalization** — conf+weight ingredients (e.g. ceci, basilico) now keep recipe amounts in grams/ml instead of copying the inventory conf count; use-all percentage is calculated on the sealed package size, not current stock.
 ## [1.7.35] - 2026-06-02
 ### Fixed
 - **Barcode scanner accepts invalid codes** — Manual barcode input with an incorrect EAN checksum now blocks the lookup and shows an error (previously showed a warning but proceeded anyway). The native `BarcodeDetector` path now also validates EAN-8/EAN-13/UPC checksum before confirming a scan, consistent with the Quagga fallback which already did this check.
 - **Recipe persons +/− buttons stopped working in the generation dialog** — A duplicate `adjustRecipePersons` function added for the post-generation rescaler was overriding the one that updated the persons input in the recipe setup dialog. The rescaler is now named `scaleRecipePersons` to avoid the conflict.
 ## [1.7.34] - 2026-05-30
 ### Added
 - **AI visual barcode fallback** — When the barcode scanner fails to read a barcode within 5 seconds, EverShelf can now automatically capture a camera frame and send it to Gemini Vision to visually identify the product (name, brand, category). On success the product is saved and the inventory form opens just as if a barcode had been scanned. A new toggle in **Settings → Camera** (`AI visual identification (5s fallback)`) lets users enable or disable this feature at any time. Requires Gemini API key configured. Disabled by default.
 ## [1.7.33] - 2026-05-29
 ### Fixed
 - **HA sensor `shopping_total` always null** — `haInventorySensor` was reading `shopping_total_cache.json` with a 1-hour TTL (cache populated only by the JS frontend, so it was often empty). Extended TTL to 24 hours and added an inline fallback: when the cache is absent or stale, the sensor now computes the total directly from `shopping_price_cache.json` without any AI calls. Queries `shopping_list` joined to `products` for the canonical `shopping_name`, then looks up both v3 and legacy v0 cache key formats to maximise hit rate. Works in both internal and Bring shopping modes.
 - **HA `ha_refresh_prices` using non-existent columns** — `haInventorySensor` and `haRefreshPrices` were querying `quantity`, `unit`, `checked` from `shopping_list` — columns that do not exist in that table (schema: `id, name, raw_name, specification, added_at, sort_order`). Changed to `SELECT name` with `shopping_name` join and default `qty=1 / unit=pz`.
 ## [1.7.32] - 2026-05-29
 ### Changed
@@ -6,10 +6,12 @@ RUN apt-get update && apt-get upgrade -y && apt-get install -y \
    libcurl4-openssl-dev \
    libonig-dev \
    libgd-dev \
    libzip-dev \
    libicu-dev \
    tesseract-ocr \
    tesseract-ocr-ita \
    tesseract-ocr-eng \
-    && docker-php-ext-install pdo_sqlite curl mbstring gd \
+    && docker-php-ext-install pdo_sqlite curl mbstring gd zip intl \
    && apt-get clean && rm -rf /var/lib/apt/lists/*
 # Enable Apache mod_rewrite and mod_headers
@@ -28,12 +30,15 @@ RUN mkdir -p /var/www/html/data/backups \
 # Create .env from example if it doesn't exist (will be overridden by volume mount)
 RUN [ ! -f /var/www/html/.env ] && cp /var/www/html/.env.example /var/www/html/.env || true
 RUN chown www-data:www-data /var/www/html/.env && chmod 664 /var/www/html/.env
 # Apache configuration: serve from app root
 RUN echo '<Directory /var/www/html>\n\
    AllowOverride All\n\
    Require all granted\n\
-</Directory>' > /etc/apache2/conf-available/evershelf.conf \
+</Directory>\n\
 # Traefik / reverse-proxy: treat forwarded HTTPS as on so .htaccess does not redirect-loop\n\
 SetEnvIf X-Forwarded-Proto "https" HTTPS=on' > /etc/apache2/conf-available/evershelf.conf \
    && a2enconf evershelf
 # Expose port 80
@@ -43,4 +48,4 @@ EXPOSE 80
 HEALTHCHECK --interval=30s --timeout=5s --retries=3 \
    CMD curl -f http://localhost/ || exit 1
-CMD ["apache2-foreground"]
+CMD ["apache2-foreground"]
@@ -1,550 +1,223 @@
-# 🏠 EverShelf
+# 🏠 EverShelf for Ricardo
-> **Self-hosted pantry management system** — Track your food inventory, scan barcodes, get AI-powered recipe suggestions, and reduce waste.
+> Fork personnalisé d'EverShelf, adapté pour servir de backend stock/recettes à **Ricardo**, l'application bartender. Garde toutes les fonctionnalités d'EverShelf, avec des ajustements pour la gestion de bar (catégorie boissons, sous-catégories alcools, intégration directe avec Ricardo).
 ---
 <div align="center">
 ### 🚀 Try the live demo — no installation required!
 **[▶ Open Live Demo](https://evershelfproject.dadaloop.it/demo)**
 &nbsp;·&nbsp;
 [🌐 Project Website](https://evershelfproject.dadaloop.it/)
 &nbsp;·&nbsp;
 [📖 Wiki](https://github.com/dadaloop82/EverShelf/wiki)
 *The demo runs with mock pantry data. AI features are fully enabled. All write operations are safely sandboxed.*
 </div>
 ---
 [![License: MIT](https://img.shields.io/badge/License-MIT-green.svg)](LICENSE)
 [![PHP](https://img.shields.io/badge/PHP-8.0+-blue.svg)](https://www.php.net/)
 [![SQLite](https://img.shields.io/badge/SQLite-3-blue.svg)](https://www.sqlite.org/)
-[![Docker](https://img.shields.io/badge/Docker-Ready-2496ED.svg)](Dockerfile)
+[![Docker](https://img.shields.io/badge/Docker-Compatible-2496ED.svg)](Dockerfile)
 [![i18n](https://img.shields.io/badge/i18n-IT%20%7C%20EN%20%7C%20DE%20%7C%20FR%20%7C%20ES-orange.svg)](translations/)
 [![Version](https://img.shields.io/badge/version-1.7.31-brightgreen.svg)](CHANGELOG.md)
 [![GitHub stars](https://img.shields.io/github/stars/dadaloop82/EverShelf?style=social)](https://github.com/dadaloop82/EverShelf/stargazers)
 [![Last commit](https://img.shields.io/github/last-commit/dadaloop82/EverShelf/main)](https://github.com/dadaloop82/EverShelf/commits/main)
 [![Contributors](https://img.shields.io/github/contributors/dadaloop82/EverShelf)](https://github.com/dadaloop82/EverShelf/graphs/contributors)
 [![GitHub Discussions](https://img.shields.io/github/discussions/dadaloop82/EverShelf)](https://github.com/dadaloop82/EverShelf/discussions)
 [![CI](https://github.com/dadaloop82/EverShelf/actions/workflows/ci.yml/badge.svg)](https://github.com/dadaloop82/EverShelf/actions/workflows/ci.yml)
 [![ko-fi](https://ko-fi.com/img/githubbutton_sm.svg)](https://ko-fi.com/J3J01ZNETZ)
 ---
-> **⚠️ Name disambiguation:** There is an unrelated iOS app also called **EverShelf**, developed and published by [Joshumi Technologies LLC](https://evershelf.joshumi.com/) on the [Apple App Store](https://apps.apple.com/app/evershelf/id6759439940). That application is a **completely separate, independent product** with no affiliation, association, or collaboration with this open-source project. This repository has no connection to Joshumi Technologies LLC, its products, or its services.
+## ✨ Fonctionnalités principales
 ### 📦 Gestion des stocks
 - Inventaire alimentaire complet
 - Gestion des emplacements :
  - 🏠 Placard
  - ❄️ Réfrigérateur
  - 🧊 Congélateur
  - 📍 Emplacements personnalisés, entièrement gérés depuis une page **🔧 Configuration** dédiée (ajout, modification, suppression sans toucher au code)
 - Sous-catégorie dédiée aux boissons (vin, bière, spiritueux, soda, jus, eau...) pour filtrer et trier l'inventaire plus précisément
 - Scan de codes-barres avec la caméra du téléphone
 - Ajout rapide de produits
 - Suivi des dates de péremption
 - Gestion des produits ouverts
 - Support des produits sous vide
 - Détection des incohérences de stock
 ---
-## ✨ Features
+## 🤖 Intelligence artificielle (Google Gemini)
-### 🏠 NEW — Home Assistant Integration
+EverShelf peut utiliser l'IA pour :
-EverShelf has a **native Home Assistant integration** available on HACS.  
+- 📸 Identifier un produit depuis une photo
-Connect your pantry to your smart home in minutes — no YAML, no manual sensor setup.
+- 📅 Lire automatiquement une date limite de consommation
 - 🧊 Proposer un stockage adapté
 - 🍳 Générer des recettes selon votre inventaire
 - 💬 Répondre aux questions sur vos produits
 - 🛒 Améliorer les suggestions de courses
-[![Install via HACS](https://my.home-assistant.io/badges/hacs_repository.svg)](https://my.home-assistant.io/redirect/hacs_repository/?owner=dadaloop82&repository=ha-evershelf&category=integration)
+> L'IA est optionnelle. EverShelf fonctionne sans clé Gemini.
 &nbsp;
 [![Add Integration](https://my.home-assistant.io/badges/config_flow_start.svg)](https://my.home-assistant.io/redirect/config_flow_start/?domain=evershelf)
 **What you get:**
 | | |
 |---|---|
 | **16 sensors** | Expiry counts, stock levels by location (pantry / fridge / freezer), shopping list total, AI API usage, last backup timestamp, days to next expiry |
 | **6 binary sensors** | Expired items, expiring items, expiring today, shopping list active, backup overdue, Bring! connected |
 | **5 action buttons** | Refresh data, Refresh prices, **Suggest Recipe** (AI — result as HA notification), Sync smart shopping, Clear expired rows |
 | **Shopping list todo** | Bidirectional sync — add, remove, check off items directly from HA |
 | **Expiry calendar** | Every product's expiry date as a native HA calendar event — works with the calendar card and any calendar automation |
 | **Quick-add text entity** | Type a product name in HA to instantly add it to the shopping list (great for voice assistants / Assist) |
 | **6 services** | `add_to_shopping`, `mark_used`, `refresh`, `suggest_recipe`, `refresh_prices`, `clear_expired` |
 | **Auto-discovery** | Detected automatically via Zeroconf/mDNS when `avahi-daemon` runs on the EverShelf host |
 | **5 languages** | English, Italian, German, French, Spanish |
 > **Requires a self-hosted EverShelf instance.** The integration talks directly to your server — no cloud involved.  
 > Full documentation: [ha-evershelf on GitHub](https://github.com/dadaloop82/ha-evershelf)
 ---
-### 📦 Inventory Management
+## 🛒 Liste de courses intelligente
 - **Export inventory** — Download the full inventory as a UTF-8 CSV (Excel-compatible) or open a print-ready page to save as PDF; export button always visible in the inventory page header
 - **Barcode scanning** — Scan products with your phone camera using QuaggaJS; last 20 scanned products saved as tappable chips so you can re-select them without rescanning
 - **AI identification** — Take a photo and let Google Gemini identify the product, with suggestions from your existing inventory; gracefully shows a friendly message when AI quota is exhausted instead of a raw API error
 - **Smart locations** — Track items across Pantry, Fridge, Freezer, and custom locations
 - **Expiry tracking** — Automatic shelf-life estimation based on product type and storage
 - **Opened product tracking** — Reduced shelf-life calculation when packages are opened; opened-product expiry is now also checked when building banner alerts (not just the dashboard section)
 - **Vacuum-sealed support** — Extended expiry dates for vacuum-sealed items; products sealed under vacuum are only flagged as expired after a configurable grace period past the printed date (`VACUUM_EXPIRY_EXTENSION_DAYS`, default 30 days, configurable in `.env`)
 - **Anomaly detection** — Banner alerts for suspicious quantities and consumption predictions with inline correction; dismiss button now shows the current inventory quantity so the action is unambiguous ("Quantity is correct (2 pcs)")
-### 🤖 AI-Powered (Google Gemini)
+- Création automatique depuis les ruptures de stock
- **Expiry date reading** — Photograph a label and extract the expiry date automatically
+- Prévisions de besoins
- **Product identification** — Point your camera at any product for instant recognition
+- Synchronisation avec Bring!
- **Existing product matching** — AI scan shows matching products already in your pantry before suggesting new ones
+- Nettoyage automatique des doublons
- **Storage & shelf-life hint** — When adding a new product, Gemini suggests the optimal storage location and shelf-life in the background; shown as an inline AI badge next to the expiry estimate
+- Suggestions d'achat personnalisées
 - **Recipe generation** — Get personalized recipes based on what's in your pantry; streams live via Server-Sent Events so results appear as they are generated
 - **Smart chat assistant** — Ask questions about your inventory, get cooking tips
 - **Shopping suggestions with tips** — AI-powered purchase recommendations, each enriched with a short practical buying/storing tip
 - **Anomaly explanation** — "Explain" button on anomaly banners explains in plain language why a discrepancy likely occurred and what to do
 - **Model fallback** — All AI endpoints try `gemini-2.5-flash` first and fall back to `gemini-2.0-flash` automatically
 - **Graceful no-key state** — When no Gemini key is configured, AI entry points show a friendly message; the header button is visually greyed with an amber dot
 ### 🛒 Shopping List
 - **Bring! integration** — Sync with the [Bring!](https://www.getbring.com/) shopping list app
 - **Generic shopping names** — Products are grouped by type (e.g. "Milk", "Cold cuts", "Cooking cream") rather than brand, keeping the Bring! list clean and consolidated
 - **Smart predictions** — Know what you'll need before you run out
 - **Auto-add on depletion** — When a product reaches zero the app adds it to Bring! automatically, no confirmation needed
 - **Auto-remove on scan** — Products are removed from the shopping list when scanned in  - **Auto-migration** — Items already on the Bring! list are silently renamed to their generic name in the background (throttled, runs on list load)
  - **Catalog coverage** — All product types resolve to a German Bring! catalog key for icon and category display in the Bring! app
 ### 🍳 Cooking Mode
 - **♻️ Zero-waste tips** — For each cooking step that generates reusable scraps (peels, cooking water, egg whites, cheese rinds, bread crusts, vegetable tops, etc.), a dismissible ♻️ tip card appears with a practical reuse idea; tips are generated by Gemini as part of the recipe at no extra API cost; opt-in toggle in Settings (default OFF)
 - **Step-by-step guidance** — Follow recipes with a hands-free cooking interface
 - **Text-to-Speech** — Voice readout of recipe steps; supports browser Web Speech API, native Android TTS (kiosk), or a custom REST endpoint (Home Assistant, etc.); retries voice loading for up to 10 seconds with a fallback refresh button; TTS activates automatically without requiring the global TTS setting to be enabled
 - **Auto-read on navigate** — Each step is read aloud automatically when you tap Next or Previous; the first step is read when entering cooking mode
 - **Timer voice alerts** — 10-second countdown warning spoken aloud before each timer expires; expiry announced vocally when time is up
 - **Recipe completion** — "Bon appétit!" announced via TTS when the last step is confirmed
 - **Built-in timer** — Automatic timer suggestions based on recipe instructions
 - **Ingredient tracking** — Mark ingredients as used during cooking; leftover quantities prompt a "move to another location" flow
 ### 📊 Dashboard
 - **Waste tracking** — Monitor consumed vs. wasted products over 30 days
 - **Anti-waste report** — Personalised waste rate vs. national average with annual kg estimate; shown above the expiring-items list
 - **Expiry alerts** — Visual warnings for expired and soon-to-expire items
 - **Opened products panel** — Tracks partially-used items; expiry is recalculated from the opening date using AI (Gemini) + per-category rule fallback; whole sealed packages always keep their original manufacturer expiry; conf items with mixed whole + fractional units are shown as two separate entries
 - **Freezer shelf-life** — Granular per-product estimates (USDA/EFSA): fish 120 d, poultry 270 d, whole red-meat cuts 365 d, mince 120 d, vegetables/fruit 270 d, generic 180 d; AI + cache still take priority over rules
 - **Safety ratings** — Smart assessment of expired product safety (by category and location); expired unsafe items shown with a red danger banner and a discard action as the primary action
 - **Expired product banner** — Products that have passed their effective shelf-life (including opened-product reduced expiry) appear in the top notification banner; icon, colour and title adapt to the actual safety level (✅ green for safe, 👀 amber to check, 🚫 red for danger); high-risk items get a prominent discard action
 - **Quick recipe bar** — One-tap recipe suggestion using expiring products
 - **Anomaly banner** — Scrollable banner with suspicious quantities and consumption prediction mismatches, with one-tap correction or inline edit
 - **Expired/expiring alerts** — Priority-sorted banner notifications for expired and soon-to-expire products with use, throw, edit, and dismiss actions
 - **Swipe navigation** — Touch swipe or tap arrows/dots to browse banner notifications
 - **Quick-access buttons** — Recently used and most popular products shown on the inventory page for fast access
 ### 🌙 Appearance
 - **Dark mode** — Three modes: Light, Dark, and Auto (time-based: dark from 20:00 to 07:00, light otherwise); applies immediately without page reload; auto mode re-evaluates every 5 minutes, so night/day transitions happen automatically even on always-on kiosk displays; theme is applied before the first render to prevent a white flash
 - **Global settings tab** — A dedicated **⚙️ General** tab groups all system-wide settings (language, currency, theme, screensaver, zero-waste tips, export) at the top of the Settings panel
 ### �️ Database Maintenance
 - **Automatic cleanup** — Recipes older than `RECIPE_RETENTION_DAYS` (default 7) and transactions older than `TRANSACTION_RETENTION_DAYS` (default 7) are deleted automatically on every cron cycle; SQLite `VACUUM` runs after each cleanup to keep the file compact
 - **Manual cleanup** — Trigger immediately via `GET /api/?action=db_cleanup`
 - **Compact by default** — Fresh installs stay small; large accumulated databases shrink back to a few hundred KB within one cron cycle
 ### �📱 Progressive Web App
 - **Mobile-first design** — Optimized for phones, works on tablets and desktop
 - **Installable** — Add to home screen for a native app experience
 - **Multi-device** — All user data (shopping tags, pinned items, location preferences, scan history) is stored server-side in SQLite and shared across every device on the same instance; no data is siloed in a single browser's localStorage
 ### 📶 Offline Mode
 - **Automatic detection** — Full-screen overlay appears immediately on network loss; shows a "Continue offline" button after 3 s, and auto-enters offline mode after 8 s
 - **Local inventory cache** — Inventory is synced to `localStorage` at every startup and on each successful API call; the offline view always reflects the last known state
 - **Write queue** — Add, use, update and delete operations performed while offline are queued locally and synced to the server automatically on reconnect (including after a page refresh)
 - **Optimistic UI** — Queued writes are applied immediately to the local cache so the interface stays responsive
 - **Offline-computed stats** — Expiring and expired items are derived client-side from the cache; dashboard stat cards show real counts instead of zeros
 - **AI/network sections hidden** — Anti-waste chart, nutrition analysis, recipe generator, price fetching, and Gemini chat are hidden in offline mode; the inventory, history, and manually-managed shopping list remain fully functional
 - **Broken image fallback** — External product images (Open Food Facts, etc.) that fail to load are replaced with a neutral grey placeholder, keeping the layout intact
 - **Startup recovery** — If the page is refreshed while operations are queued, they are detected and synced automatically on the next successful startup
 - **Buffered error reporting** — `remoteLog` and `reportError` calls made while offline are stored locally and flushed to the server (and to GitHub issues) when the connection is restored
 ### ⚖️ Smart Scale Integration (Add-on)
 - **Bluetooth gateway** — Connects a BLE smart scale to EverShelf via local WebSocket
 - **SSE relay** — Server-side relay avoids mixed-content (HTTPS→WS) issues
 - **Auto-discovery** — Server scans LAN to find the gateway automatically
 - **Auto weight reading** — When adding/using a product with unit g/ml, weight fills automatically
 - **10g threshold** — Ignores readings that haven't changed enough between products  - **Duplicate-reading prevention** — Server-side 12-second dedup window rejects a second scale-triggered deduction of the same product, guarding against BLE multi-fire- **ml conversion hint** — Shows "weight in grams → will be converted to ml" when product unit is ml
 - **Stability + auto-confirm** — 10s stable wait + 5s countdown before confirming
 - **Real-time status** — Scale connection indicator always visible in the header
 - **Multi-protocol** — Supports Bluetooth SIG Weight Scale, Body Composition, Xiaomi Mi Scale 2 and 100+ models
 - **Built into kiosk (v1.6.0+)** — BLE gateway runs as an integrated foreground service inside the [EverShelf Kiosk](evershelf-kiosk/) app; no separate APK needed.
 ### 📺 Android Kiosk Mode (Add-on)
 - **Dedicated tablet app** — Full-screen WebView wrapper for wall-mounted kitchen tablets
 - **True kiosk lock** — Screen pinning blocks home/recent buttons
 - **Setup wizard** — 6-step guided configuration (language, welcome, permissions, server URL, BLE scale scan, screensaver, summary)
 - **Smart auto-discovery** — Scans the LAN in parallel (60 threads, TCP pre-check, ports 80/443/8080/8443) with real-time UI feedback; correctly identifies the device's Wi-Fi/Ethernet subnet (VPN and cellular interfaces are filtered out)
 - **Built-in BLE scale gateway** — `GatewayService` foreground service; BLE scanning + WebSocket server `:8765` run directly inside the kiosk app. Select your scale in step 5 of the wizard — no external app required
 - **Scale auto-configuration** — After selecting the BLE device, the wizard writes `scale_enabled` and `scale_gateway_url=ws://127.0.0.1:8765` to the server automatically
 - **Camera & mic permissions** — Full hardware access for barcode scanning and voice; grant button transforms to a green confirmation after granting
 - **Native TTS bridge** — Cooking mode voice readout uses the Android TextToSpeech engine directly, bypassing Web Speech API voice limitations; no offline voice packs required
 - **Hard refresh** — ↻ button clears WebView cache to pick up web app updates
 - **Update notifications** — Checks GitHub releases every 6h, shows banner when updates available
 - **SSL support** — Accepts self-signed certificates
 - **Android kiosk app** — [`evershelf-kiosk/`](evershelf-kiosk/) — downloadable APK
 ---
-## 🚀 Quick Start
+## 🍳 Mode cuisine
-### Prerequisites
+- Recettes étape par étape
- **Web server** with PHP 8.0+ (Apache or Nginx)
+- Mode mains libres
- **PHP extensions**: `pdo_sqlite`, `curl`, `mbstring`, `json`
+- Synthèse vocale (TTS)
- **HTTPS** recommended (required for camera access on mobile)
+- Minuteurs automatiques
 - Suivi des ingrédients utilisés
 - Conseils anti-gaspillage
-### Installation
+---
-#### Option A: Docker (recommended)
+## ♻️ Réduction du gaspillage
 - Suivi des aliments consommés ou jetés
 - Analyse des pertes
 - Alertes de péremption
 - Suggestions pour utiliser les produits bientôt périmés
 ---
 ## 🏡 Intégrations
 ### Home Assistant
 Intégration native disponible :
 - Capteurs de stock
 - Dates de péremption
 - Liste de courses
 - Calendrier des produits
 - Actions personnalisées
 - Suggestions de recettes IA
 Compatible avec une installation 100% locale.
 ---
 ## 📱 Application mobile / PWA
 - Interface adaptée smartphone
 - Installation comme une application
 - Synchronisation multi-appareils
 - Mode hors-ligne :
  - consultation du stock
  - actions mises en attente
  - synchronisation automatique au retour réseau
 ---
 ## 📺 Mode tablette (Kiosque Android)
 - Affichage plein écran
 - Verrouillage kiosque
 - Scan caméra
 - Support TTS natif Android
 - Découverte automatique du serveur
 - Support des balances Bluetooth
 ---
 ## 🚀 Installation rapide
 ### Prérequis
 - PHP 8.0+
 - SQLite 3
 - Extensions PHP :
  - `pdo_sqlite`
  - `curl`
  - `mbstring`
  - `json`
 Docker est recommandé.
 ---
 ### 🐳 Installation Docker (CLI)
 ```bash
-# 1. Clone the repository
+git clone https://git.mashome.fr/morgane/EverShelf.git
 git clone https://github.com/dadaloop82/EverShelf.git
 cd EverShelf
 # 2. Create configuration file
 cp .env.example .env
 nano .env
 # 3. Start with Docker Compose
 docker compose up -d
 # → Open http://localhost:8080
 ```
-#### Option B: Manual
+Puis ouvrez :
 http://localhost:8080
-```bash
+---
-# 1. Clone the repository
+### 🐳 Déploiement via Portainer
 git clone https://github.com/dadaloop82/EverShelf.git
 cd EverShelf
-# 2. Create configuration file
+1. Dans Portainer, va dans **Stacks** → **Add stack**
-cp .env.example .env
+2. Donne un nom à la stack (ex : `evershelf`)
 3. Colle le contenu de ton `docker-compose.yml` dans l'éditeur web (ou utilise l'option **Repository** en pointant vers `https://git.mashome.fr/morgane/EverShelf.git` et le chemin du fichier compose)
 4. Renseigne tes variables d'environnement dans la section **Environment variables** (ou via un fichier `.env` à la racine du repo)
 5. Clique sur **Deploy the stack**
-# 3. Set permissions
+Pour mettre à jour après une modification de code :
-chmod 755 data/
+- Va dans **Stacks** → ta stack → **Update the stack**
-chmod 664 data/.gitkeep
+- Coche bien **« Re-pull image »** / **« Re-build image »** avant de valider — sinon Portainer redémarre le conteneur avec l'image déjà construite en cache, sans prendre en compte tes changements.
 chown -R www-data:www-data data/
 # 4. Edit your configuration
 nano .env
 ```
 ### Configuration (.env)
 ```ini
 # Required for AI features (get a key at https://aistudio.google.com/app/apikey)
 GEMINI_API_KEY=your_api_key_here
 # Optional: Bring! shopping list integration
 BRING_EMAIL=your_email@example.com
 BRING_PASSWORD=your_password
 # Optional: Text-to-Speech for cooking mode
 TTS_URL=http://your-home-assistant:8123/api/events/tts_speak
 TTS_TOKEN=your_long_lived_token
 TTS_ENABLED=true
 # Optional: DB retention and cleanup (applied automatically each cron cycle)
 RECIPE_RETENTION_DAYS=7        # delete recipe plans older than N days
 TRANSACTION_RETENTION_DAYS=7   # delete stock transactions older than N days
 # Optional: Vacuum-sealed expiry grace period
 VACUUM_EXPIRY_EXTENSION_DAYS=30 # extra days before vacuum-sealed items are flagged expired
 # Optional: Gemini cost rates (USD per million tokens, for the Info tab cost estimate)
 GEMINI_COST_25F_IN=0.15
 GEMINI_COST_25F_OUT=0.60
 GEMINI_COST_20F_IN=0.10
 GEMINI_COST_20F_OUT=0.40
 # Optional: Security — protect the save_settings endpoint
 # Set a strong random string; the Settings UI will ask for it before saving
 SETTINGS_TOKEN=
 # Optional: Demo mode — block all write operations at the router level
 DEMO_MODE=false
 # Optional: Logging
 # LOG_LEVEL sets the minimum severity written to disk (DEBUG / INFO / WARN / ERROR)
 # DEBUG also logs every SQL query executed against the database
 LOG_LEVEL=INFO
 LOG_ROTATE_HOURS=24   # hours before opening a new log file (default: 24)
 LOG_MAX_FILES=14      # maximum number of rotated files to keep (default: 14)
 ```
 ### Web Server Configuration
 <details>
 <summary><strong>Apache (.htaccess)</strong></summary>
 The app works out of the box with Apache if placed in the web root or a subdirectory. Make sure `mod_rewrite` is enabled and `AllowOverride All` is set.
 ```apache
 <Directory /var/www/html/evershelf>
    AllowOverride All
    Require all granted
 </Directory>
 ```
 </details>
 <details>
 <summary><strong>Nginx</strong></summary>
 ```nginx
 server {
    listen 80;
    server_name your-server.local;
    root /var/www/html/evershelf;
    index index.html;
    location /api/ {
        try_files $uri $uri/ =404;
        location ~ \.php$ {
            fastcgi_pass unix:/run/php/php8.2-fpm.sock;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }
    }
    # Deny access to sensitive files
    location ~ /\.env { deny all; }
    location ~ /data/ { deny all; }
    location ~ /backup\.sh { deny all; }
 }
 ```
 </details>
 ### HTTPS Setup (Recommended)
 Camera access requires HTTPS on most mobile browsers. Options:
 - **Let's Encrypt** with Certbot (for public-facing servers)
 - **Self-signed certificate** (for local network only)
 - **Reverse proxy** (e.g., Caddy, Traefik) with automatic TLS
 ### Cron Job (Optional)
 Set up a cron job for smart shopping predictions:
 ```bash
 # Run every 5 minutes
 */5 * * * * php /path/to/evershelf/api/cron_smart_shopping.php >> /path/to/evershelf/data/cron.log 2>&1
 ```
 ### Backup (Optional)
 The included `backup.sh` creates local daily backups of your database:
 ```bash
 # Run daily at 3 AM
 0 3 * * * /path/to/evershelf/backup.sh
 ```
 ### Google Drive Backup (Optional)
 EverShelf supports automatic daily backups to Google Drive via OAuth 2.0. This works on any server, including private IP / local network setups (no public domain required).
 **Setup:**
 1. Go to [console.cloud.google.com](https://console.cloud.google.com) and select or create a project.
 2. Enable the **Google Drive API** (`APIs & Services → Enable APIs → Google Drive API`).
 3. Go to `APIs & Services → Credentials → Create Credentials → OAuth client ID`.
 4. Application type: **Web application**.
 5. Add **`http://localhost`** as an Authorized Redirect URI (this is the key — it works even without a real domain).
 6. Copy **Client ID** and **Client Secret** into EverShelf Settings → Backup.
 7. Enter your **Google Drive Folder ID** (the last part of the folder URL).
 8. Click **Authorize with Google** and sign in.
 9. The browser will redirect to `http://localhost` and may show a connection error — **this is expected**. Copy the full URL from the address bar (e.g. `http://localhost/?code=4%2F0A...`) and paste it into the field that appears in EverShelf, then click **Submit**.
 > **Note:** While the OAuth app is in *Testing* status in Google Cloud Console, you must add your Google account as a test user under `APIs & Services → OAuth consent screen → Test users`.
 ---
-## 🏗️ Architecture
+## ⚙️ Configuration
-```
+Exemple de fichier `.env` :
 evershelf/
 ├── index.html              # Single-page application (SPA)
 ├── manifest.json           # PWA manifest
 ├── .env.example            # Configuration template
 ├── backup.sh               # Local database backup script
 ├── LICENSE                 # MIT License
 │
 ├── api/
 │   ├── index.php           # Main API router (all endpoints)
 │   ├── database.php        # SQLite schema, migrations, helpers
 │   └── cron_smart_shopping.php  # Background job for predictions
 │
 ├── assets/
 │   ├── css/style.css       # All application styles
 │   ├── js/app.js           # All application logic
 │   └── img/                # Static images
 │
 └── data/                   # Runtime data (gitignored)
    ├── evershelf.db         # SQLite database (auto-created)
    ├── backups/            # Local DB backups
    └── *.json              # Token/cache files
-evershelf-scale-gateway/    # ⚖️ Android BLE gateway [DEPRECATED — integrated into kiosk v1.6.0+]
+```env
-    ├── README.md           # Deprecation notice + legacy docs
+# IA Google Gemini (optionnel)
-    └── app/src/            # Kotlin Android source (WebSocket + BLE)
+GEMINI_API_KEY=votre_cle
-evershelf-kiosk/            # 📺 Android kiosk app (add-on)
+# Bring! (optionnel)
-    ├── README.md           # Setup & feature docs
+BRING_EMAIL=email@example.com
-    └── app/src/            # Kotlin Android source (WebView wrapper)
+BRING_PASSWORD=motdepasse
 # Sécurité API
 API_TOKEN=
 # Nettoyage automatique
 RECIPE_RETENTION_DAYS=7
 TRANSACTION_RETENTION_DAYS=90
 ```
-### API Endpoints
+---
-| Category | Action | Method | Description |
+## 🔒 Vie privée
-|----------|--------|--------|-------------|
+
-| **Products** | `search_barcode` | GET | Find product by barcode |
+EverShelf est conçu pour fonctionner en auto-hébergement :
-| | `lookup_barcode` | GET | Look up barcode on Open Food Facts |
+
-| | `product_save` | POST | Create or update a product |
+- Pas de compte obligatoire
-| | `products_list` | GET | List all products |
+- Pas de cloud imposé
-| **Inventory** | `inventory_list` | GET | List inventory items |
+- Données stockées localement
-| | `inventory_add` | POST | Add product to inventory |
+- SQLite comme base de données
-| | `inventory_use` | POST | Use/consume from inventory |
+- Les fonctions IA utilisent uniquement les services configurés par l'utilisateur
 | | `inventory_summary` | GET | Count by location |
 | **AI** | `gemini_identify` | POST | Identify product from photo |
 | | `gemini_expiry` | POST | Read expiry date from photo |
 | | `gemini_chat` | POST | Chat with AI assistant |
 | | `generate_recipe` | POST | Generate recipe from inventory |
 | | `gemini_product_hint` | POST | Storage location + shelf-life hint |
 | | `gemini_shopping_enrich` | POST | Enrich shopping suggestions with tips |
 | | `gemini_anomaly_explain` | POST | Plain-language anomaly explanation |
 | **Shopping** | `bring_list` | GET | Get Bring! shopping list |
 | | `bring_add` | POST | Add items to Bring! |
 | | `smart_shopping` | GET | Smart shopping predictions |
 | **Settings** | `get_settings` | GET | Get server configuration |
 | | `save_settings` | POST | Update server configuration |
 ---
-## 🔒 Security Notes
+## 🛠️ Développement
- **Credentials** are stored in `.env` (server-side, never committed to Git)
+Technologies principales :
- **Database** stays local — never pushed to remote repositories
+
- **API keys are never exposed to the browser** — `get_settings` returns only boolean flags (`gemini_key_set`, `settings_token_set`), never raw key values
+- PHP
- **Settings write protection** — set `SETTINGS_TOKEN` in `.env` to require a secret token (`X-Settings-Token` header) for all `save_settings` calls; validated with `hash_equals` to prevent timing attacks
+- SQLite
- **Demo / public mode** — set `DEMO_MODE=true` to block all write operations at the PHP router level before any business logic runs
+- JavaScript
- The API uses **parameterized SQL queries** (PDO prepared statements) against injection
+- HTML/CSS
- **Input validation** on all inventory operations (quantity bounds, location whitelist)
+- Docker
 - Consider adding **reverse-proxy authentication** (e.g. Authelia, Nginx `auth_basic`) if the server is accessible from the internet
 ---
-## 🛠️ Development
+## 📜 Licence
-```bash
+Projet sous licence MIT.
 # Run PHP's built-in server for local development
 php -S localhost:8080 -t /path/to/evershelf
 # Check PHP syntax
 php -l api/index.php
 php -l api/database.php
 ```
 The application uses no build tools — edit files directly and refresh.
 ---
-## 📋 Roadmap
+## 🙏 Crédits
-Feature requests, bug reports and planned work are tracked in the [**EverShelf Roadmap**](https://github.com/users/dadaloop82/projects/2) GitHub Project.
+Ce fork, **EverShelf for Ricardo**, est maintenu par Morgane pour servir de système de gestion de stock/recettes à l'application **Ricardo**.
---
+Projet original :
-## 🌐 Translations
+https://github.com/dadaloop82/EverShelf
-The app supports multiple languages via JSON translation files in the `translations/` folder.
+Ce dépôt contient des améliorations et adaptations personnelles, incluant un système d'export/import avec fusion intelligente des données.
 | Language | Status |
 |----------|--------|
 | 🇮🇹 Italian (it) | ✅ Complete (base) |
 | 🇬🇧 English (en) | ✅ Complete |
 | 🇩🇪 German (de) | ✅ Complete |
 | 🇫🇷 French (fr) | ✅ Complete |
 | 🇪🇸 Spanish (es) | ✅ Complete |
 **Want to add your language?** See the [Translation Guide](CONTRIBUTING.md#-adding-translations) — just copy `translations/it.json`, translate the values, and submit a PR!
 ---
 ## 🤝 Contributing
 Contributions are welcome! See [CONTRIBUTING.md](CONTRIBUTING.md) for detailed guidelines.
 1. Fork the repository
 2. Create a feature branch (`git checkout -b feature/my-feature`)
 3. Commit your changes (`git commit -m 'Add my feature'`)
 4. Push to the branch (`git push origin feature/my-feature`)
 5. Open a Pull Request
 ---
 ## 🤝 Contributing
 EverShelf is a community project and contributions of any size are welcome!
 ### Easiest way to start — translate EverShelf into your language
 Translations are just JSON files. No coding, no setup — fork → edit → PR.
 ```
 translations/
 ├── it.json   ✅ Italian (base)
 ├── en.json   ✅ English
 ├── de.json   ✅ German
 ├── fr.json   ✅ French
 ├── es.json   ✅ Spanish
 ├── pt.json   ❌ Portuguese — wanted!
 ├── nl.json   ❌ Dutch — wanted!
 └── ...       ❌ Your language here!
 ```
 👉 See [issue #93](https://github.com/dadaloop82/EverShelf/issues/93) to claim a language.
 ### Other ways to contribute
 | What | Skill needed |
 |---|---|
 | 🐛 Report a bug | None |
 | 📖 Improve the wiki | Markdown |
 | 🌍 Add a translation | JSON editing |
 | 🎨 Fix a CSS/UI issue | CSS / HTML |
 | ⚙️ Implement a feature | PHP / JS |
 | ⭐ Star the repo | Clicking |
 👉 Browse [`help wanted`](https://github.com/dadaloop82/EverShelf/labels/help%20wanted) issues for good starting points.
 Read [CONTRIBUTING.md](CONTRIBUTING.md) for the full guide (branch naming, code style, how to run locally).
 ---
 ## 💬 Community
 Join the conversation in [GitHub Discussions](https://github.com/dadaloop82/EverShelf/discussions):
 - **Vote on upcoming features** — tell us what to build next
 - **Show your setup** — share your kitchen kiosk
 - **Ask questions** — get help from the community
 ---
 ## 📄 License
 This project is licensed under the **MIT License** — see the [LICENSE](LICENSE) file for details.
 ---
 ## 👨‍💻 Author
 **Stimpfl Daniel** — [evershelfproject@gmail.com](mailto:evershelfproject@gmail.com)
 - Website: [evershelfproject.dadaloop.it](https://evershelfproject.dadaloop.it/)
 - GitHub: [@dadaloop82](https://github.com/dadaloop82)
 ---
 ## 📸 Screenshots
 <div align="center">
 ![EverShelf demo — barcode scan, inventory management and AI recipe generation](assets/img/demo.gif)
 </div>
 For a live walkthrough with real data and full AI enabled, visit the **[live demo](https://evershelfproject.dadaloop.it/demo)** — no installation required.
 > Want to contribute additional screenshots? See [CONTRIBUTING.md](CONTRIBUTING.md) — PRs welcome!
@@ -0,0 +1,16 @@
 <?php
 /**
 * EverShelf API bootstrap — shared by HTTP router and cron.
 */
 // Never emit HTML notices before JSON API responses (breaks fetch().json() in the PWA).
 if (!defined('CRON_MODE') && (getenv('DISPLAY_ERRORS') ?: '') !== '1') {
    ini_set('display_errors', '0');
    ini_set('html_errors', '0');
 }
 require_once __DIR__ . '/lib/env.php';
 require_once __DIR__ . '/lib/constants.php';
 require_once __DIR__ . '/lib/github.php';
 require_once __DIR__ . '/lib/security.php';
 require_once __DIR__ . '/lib/cron_log.php';
 require_once __DIR__ . '/logger.php';
 require_once __DIR__ . '/database.php';
@@ -11,14 +11,16 @@ if (PHP_SAPI !== 'cli') {
    exit('Forbidden');
 }
-// Define CRON_MODE before loading index.php so the router is skipped
+// Define CRON_MODE before loading bootstrap so the HTTP router is skipped
 define('CRON_MODE', true);
-// Load all API functions without running the HTTP router
+require_once __DIR__ . '/bootstrap.php';
 require_once __DIR__ . '/index.php';
 const CACHE_FILE = __DIR__ . '/../data/smart_shopping_cache.json';
 evershelfRotateCronLog();
 try {
    $db = getDB();
@@ -42,9 +44,10 @@ try {
    $itemCount = count($decoded['items'] ?? []);
    echo '[' . date('Y-m-d H:i:s') . '] OK — ' . $itemCount . " items cached\n";
-    // ── Bring! server-side cleanup ────────────────────────────────────────
+    // ── Bring! server-side sync ───────────────────────────────────────────
-    // After computing smart shopping, automatically remove stale Bring! items
+    // After computing smart shopping, remove stale Bring! items and push every
-    // and add/update critical ones. This runs fully server-side every cron cycle.
+    // product that needs restocking (esauriti, quasi finiti, previsione).
    // Runs fully server-side every cron cycle (~5 min).
    try {
        $cleanupResult = bringCleanupObsolete($db);
        if (isset($cleanupResult['skipped'])) {
@@ -55,6 +58,21 @@ try {
                . ($cleanupResult['errors'] ? ', errors: ' . $cleanupResult['errors'] : '') . "\n";
        }
        $dedupeResult = bringDedupeGenerics($db);
        if (isset($dedupeResult['skipped'])) {
            echo '[' . date('Y-m-d H:i:s') . '] Bring! dedupe skipped: ' . $dedupeResult['skipped'] . "\n";
        } else {
            echo '[' . date('Y-m-d H:i:s') . '] Bring! dedupe — removed: ' . ($dedupeResult['removed'] ?? 0)
                . ', merged specs: ' . ($dedupeResult['merged'] ?? 0) . "\n";
        }
        $specsResult = bringSyncSpecs($db);
        if (isset($specsResult['skipped'])) {
            echo '[' . date('Y-m-d H:i:s') . '] Bring! specs skipped: ' . $specsResult['skipped'] . "\n";
        } else {
            echo '[' . date('Y-m-d H:i:s') . '] Bring! specs — updated: ' . ($specsResult['updated'] ?? 0) . "\n";
        }
        $addResult = bringAutoAddCritical($db);
        if (isset($addResult['skipped'])) {
            echo '[' . date('Y-m-d H:i:s') . '] Bring! auto-add skipped: ' . $addResult['skipped'] . "\n";
@@ -62,6 +80,11 @@ try {
            echo '[' . date('Y-m-d H:i:s') . '] Bring! auto-add — added: ' . ($addResult['added'] ?? 0)
                . ', updated specs: ' . ($addResult['updated'] ?? 0) . "\n";
        }
        $dedupeFinal = bringDedupeGenerics($db);
        if (!isset($dedupeFinal['skipped']) && (($dedupeFinal['removed'] ?? 0) > 0)) {
            echo '[' . date('Y-m-d H:i:s') . '] Bring! dedupe (final) — removed: ' . ($dedupeFinal['removed'] ?? 0) . "\n";
        }
    } catch (Throwable $be) {
        echo '[' . date('Y-m-d H:i:s') . '] Bring! sync warning: ' . $be->getMessage() . "\n";
    }
@@ -38,8 +38,24 @@ function _ensureDataDir(): void {
    }
 }
 /** Ensure the SQLite DB and WAL sidecar files are writable (Docker volume first-boot). */
 function _ensureDbWritable(): void {
    if (!file_exists(DB_PATH)) {
        return;
    }
    if (!is_writable(DB_PATH)) {
        @chmod(DB_PATH, 0664);
    }
    foreach ([DB_PATH . '-wal', DB_PATH . '-shm'] as $sidecar) {
        if (file_exists($sidecar) && !is_writable($sidecar)) {
            @chmod($sidecar, 0664);
        }
    }
 }
 function getDB(): PDO {
    _ensureDataDir();
    _ensureDbWritable();
    // logger.php is required by index.php before getDB() is called.
    // In cron context it may not be loaded yet — guard with class_exists.
    $useLogging = class_exists('LoggingPDO', false);
@@ -53,7 +69,7 @@ function getDB(): PDO {
    $db->setAttribute(PDO::ATTR_TIMEOUT, 5); // PDO::ATTR_TIMEOUT is in seconds for MySQL, but not directly for SQLite.
                                             // For SQLite, we use PRAGMA busy_timeout.
    $db->exec('PRAGMA journal_mode = WAL;');
-    $db->exec('PRAGMA busy_timeout = 5000;'); // 5000 milliseconds = 5 seconds
+    $db->exec('PRAGMA busy_timeout = 10000;'); // 10 s — cron + PWA writes can contend under WAL
    $db->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);
    $db->exec("PRAGMA journal_mode=WAL");
@@ -72,6 +88,29 @@ function getDB(): PDO {
    return $db;
 }
 /**
 * Retry a DB write when SQLite returns "database is locked" (concurrent cron + API).
 *
 * @template T
 * @param callable(): T $fn
 * @return T
 */
 function dbWithRetry(callable $fn, int $maxAttempts = 4): mixed {
    $attempt = 0;
    while (true) {
        try {
            return $fn();
        } catch (\PDOException $e) {
            $attempt++;
            $locked = str_contains($e->getMessage(), 'database is locked');
            if (!$locked || $attempt >= $maxAttempts) {
                throw $e;
            }
            usleep(150000 * $attempt); // 150 ms, 300 ms, 450 ms …
        }
    }
 }
 function initializeDB(PDO $db): void {
    $db->exec("
        CREATE TABLE IF NOT EXISTS products (
@@ -147,6 +186,28 @@ function migrateDB(PDO $db): void {
        try { $db->exec("ALTER TABLE products ADD COLUMN shopping_name TEXT DEFAULT ''"); }
        catch (PDOException $e) { if (strpos($e->getMessage(), 'duplicate column') === false) throw $e; }
    }
    if (!in_array('subcategory', $colNames)) {
        try { $db->exec("ALTER TABLE products ADD COLUMN subcategory TEXT DEFAULT NULL"); }
        catch (PDOException $e) { if (strpos($e->getMessage(), 'duplicate column') === false) throw $e; }
    }
    // Empty barcode strings break UNIQUE (only one '' allowed); normalize to NULL.
    $db->exec("UPDATE products SET barcode = NULL WHERE barcode IS NOT NULL AND TRIM(barcode) = ''");
    $invCols = $db->query("PRAGMA table_info(inventory)")->fetchAll();
    $invColNames = array_column($invCols, 'name');
    if (!in_array('expiry_user_set', $invColNames)) {
        try { $db->exec("ALTER TABLE inventory ADD COLUMN expiry_user_set INTEGER DEFAULT 0"); }
        catch (PDOException $e) { if (strpos($e->getMessage(), 'duplicate column') === false) throw $e; }
    }
    $db->exec("CREATE TABLE IF NOT EXISTS barcode_cache (
        barcode TEXT PRIMARY KEY,
        found INTEGER NOT NULL DEFAULT 0,
        source TEXT,
        payload TEXT,
        updated_at TEXT DEFAULT CURRENT_TIMESTAMP
    )");
    // Migrate transactions CHECK constraint to allow 'waste' type
    $sql = $db->query("SELECT sql FROM sqlite_master WHERE type='table' AND name='transactions'")->fetchColumn();
@@ -262,6 +323,227 @@ function migrateDB(PDO $db): void {
    $db->exec("CREATE INDEX IF NOT EXISTS idx_transactions_type_date ON transactions(type, created_at)");
    $db->exec("CREATE INDEX IF NOT EXISTS idx_transactions_pid_type_undone ON transactions(product_id, type, undone)");
 // Custom locations table (v1.9.0) — dynamic inventory locations managed from Settings
 $locTables = $db->query("SELECT name FROM sqlite_master WHERE type='table' AND name='locations'")->fetchAll();
 if (empty($locTables)) {
    $db->exec("
        CREATE TABLE locations (
            id INTEGER PRIMARY KEY AUTOINCREMENT,
            key TEXT UNIQUE NOT NULL,
            label TEXT NOT NULL,
            icon TEXT DEFAULT '📦',
            sort_order INTEGER DEFAULT 0,
            is_builtin INTEGER DEFAULT 0
        );
    ");
 $db->exec("INSERT INTO locations (key, label, icon, sort_order, is_builtin) VALUES
        ('dispensa', 'Dispensa', '🗄️', 1, 1),
        ('frigo', 'Frigo', '🧊', 2, 1),
        ('freezer', 'Freezer', '❄️', 3, 1),
        ('altro', 'Altro', '📦', 4, 1)
    ");
 }
 // Custom subcategories table (v2.0) — sous-catégories par catégorie, gérables depuis Config
 $subcatTables = $db->query("SELECT name FROM sqlite_master WHERE type='table' AND name='subcategories'")->fetchAll();
 if (empty($subcatTables)) {
    $db->exec("
        CREATE TABLE subcategories (
            id INTEGER PRIMARY KEY AUTOINCREMENT,
            category TEXT NOT NULL,
            key TEXT NOT NULL,
            label TEXT NOT NULL,
            sort_order INTEGER DEFAULT 0,
            UNIQUE(category, key)
        );
    ");
    $db->exec("INSERT INTO subcategories (category, key, label, sort_order) VALUES
        ('latticini', 'lait', '🥛 Lait', 1),
        ('latticini', 'yaourt', '🥣 Yaourt', 2),
        ('latticini', 'fromage', '🧀 Fromage', 3),
        ('latticini', 'beurre', '🧈 Beurre', 4),
        ('latticini', 'creme', '🍦 Crème', 5),
        ('latticini', 'oeufs', '🥚 Œufs', 6),
        ('latticini', 'autre', '📦 Autre', 7),
        ('carne', 'poulet', '🍗 Poulet', 1),
        ('carne', 'boeuf', '🐄 Bœuf', 2),
        ('carne', 'porc', '🐖 Porc', 3),
        ('carne', 'agneau', '🐑 Agneau', 4),
        ('carne', 'charcuterie', '🥓 Charcuterie', 5),
        ('carne', 'autre', '📦 Autre', 6),
        ('pesce', 'poisson_frais', '🐟 Poisson frais', 1),
        ('pesce', 'poisson_surgele', '🧊 Poisson surgelé', 2),
        ('pesce', 'fruits_mer', '🦐 Fruits de mer', 3),
        ('pesce', 'conserve_poisson', '🥫 Conserve', 4),
        ('pesce', 'autre', '📦 Autre', 5),
        ('frutta', 'agrumes', '🍊 Agrumes', 1),
        ('frutta', 'baies', '🫐 Baies', 2),
        ('frutta', 'fruits_noyau', '🍑 Fruits à noyau', 3),
        ('frutta', 'fruits_tropicaux', '🍍 Fruits tropicaux', 4),
        ('frutta', 'autre', '📦 Autre', 5),
        ('verdura', 'legumes_feuilles', '🥬 Légumes feuilles', 1),
        ('verdura', 'legumes_racines', '🥕 Légumes racines', 2),
        ('verdura', 'legumineuses_fraiches', '🌱 Légumineuses fraîches', 3),
        ('verdura', 'autre', '📦 Autre', 4),
        ('pasta', 'pates', '🍝 Pâtes', 1),
        ('pasta', 'riz', '🍚 Riz', 2),
        ('pasta', 'semoule', '🌾 Semoule', 3),
        ('pasta', 'autre', '📦 Autre', 4),
        ('pane', 'pain_frais', '🍞 Pain frais', 1),
        ('pane', 'biscottes', '🥖 Biscottes', 2),
        ('pane', 'viennoiserie', '🥐 Viennoiserie', 3),
        ('pane', 'autre', '📦 Autre', 4),
        ('surgelati', 'plats_prepares', '🍱 Plats préparés', 1),
        ('surgelati', 'legumes_surgeles', '🧊 Légumes surgelés', 2),
        ('surgelati', 'glaces', '🍨 Glaces', 3),
        ('surgelati', 'viande_poisson_surgele', '🧊 Viande/poisson surgelé', 4),
        ('surgelati', 'autre', '📦 Autre', 5),
        ('bevande', 'vin', '🍷 Vin', 1),
        ('bevande', 'biere', '🍺 Bière', 2),
        ('bevande', 'spiritueux', '🥃 Spiritueux', 3),
        ('bevande', 'soda', '🥤 Soda', 4),
        ('bevande', 'jus', '🧃 Jus', 5),
        ('bevande', 'eau', '💧 Eau', 6),
        ('bevande', 'autre', '📦 Autre', 7),
        ('condimenti', 'huile', '🫒 Huile', 1),
        ('condimenti', 'vinaigre', '🍶 Vinaigre', 2),
        ('condimenti', 'sauce', '🥫 Sauce', 3),
        ('condimenti', 'epice', '🌿 Épice', 4),
        ('condimenti', 'autre', '📦 Autre', 5),
        ('snack', 'chocolat', '🍫 Chocolat', 1),
        ('snack', 'biscuit', '🍪 Biscuit', 2),
        ('snack', 'chips', '🥔 Chips', 3),
        ('snack', 'bonbon', '🍬 Bonbon', 4),
        ('snack', 'autre', '📦 Autre', 5),
        ('conserve', 'legumes_conserve', '🥫 Légumes', 1),
        ('conserve', 'fruits_conserve', '🥫 Fruits', 2),
        ('conserve', 'poisson_conserve', '🥫 Poisson', 3),
        ('conserve', 'confiture', '🍯 Confiture', 4),
        ('conserve', 'autre', '📦 Autre', 5),
        ('cereali', 'cereales_petitdej', '🥣 Céréales petit-déj', 1),
        ('cereali', 'legumineuses_seches', '🫘 Légumineuses sèches', 2),
        ('cereali', 'farine', '🌾 Farine', 3),
        ('cereali', 'autre', '📦 Autre', 4)
    ");
 }
 // Custom categories table (v2.1) — catégories produit, gérables depuis Config
 $catTables = $db->query("SELECT name FROM sqlite_master WHERE type='table' AND name='categories'")->fetchAll();
 if (empty($catTables)) {
    $db->exec("
        CREATE TABLE categories (
            id INTEGER PRIMARY KEY AUTOINCREMENT,
            key TEXT UNIQUE NOT NULL,
            label TEXT NOT NULL,
            icon TEXT DEFAULT '📦',
            keywords TEXT DEFAULT '',
            sort_order INTEGER DEFAULT 0,
            is_builtin INTEGER DEFAULT 0
        );
    ");
    $db->exec("INSERT INTO categories (key, label, icon, sort_order, is_builtin) VALUES
        ('latticini', 'Latticini', '🥛', 1, 1),
        ('carne', 'Carne', '🥩', 2, 1),
        ('pesce', 'Pesce', '🐟', 3, 1),
        ('frutta', 'Frutta', '🍎', 4, 1),
        ('verdura', 'Verdura', '🥬', 5, 1),
        ('pasta', 'Pasta', '🍝', 6, 1),
        ('pane', 'Pane', '🍞', 7, 1),
        ('surgelati', 'Surgelati', '🧊', 8, 1),
        ('bevande', 'Bevande', '🥤', 9, 1),
        ('condimenti', 'Condimenti', '🧂', 10, 1),
        ('snack', 'Snack', '🍪', 11, 1),
        ('conserve', 'Conserve', '🥫', 12, 1),
        ('cereali', 'Cereali', '🌾', 13, 1),
        ('igiene', 'Igiene', '🧴', 14, 1),
        ('pulizia', 'Pulizia', '🧹', 15, 1),
        ('altro', 'Altro', '📦', 16, 1)
    ");
 }
 // Recipe library (v2.2) — recettes ajoutées manuellement (cocktails, boissons...), distinctes du planning repas
 $recipeLibTables = $db->query("SELECT name FROM sqlite_master WHERE type='table' AND name='recipe_library'")->fetchAll();
 if (empty($recipeLibTables)) {
    $db->exec("
        CREATE TABLE recipe_library (
            id INTEGER PRIMARY KEY AUTOINCREMENT,
            title TEXT NOT NULL,
            recipe_json TEXT NOT NULL,
            is_favorite INTEGER DEFAULT 0,
            created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
            updated_at DATETIME DEFAULT CURRENT_TIMESTAMP
        );
    ");
 }
 // Recipe tags (v2.3) — tags pour trier/filtrer "Mes recettes", gérables depuis Config
 $recipeTagsTables = $db->query("SELECT name FROM sqlite_master WHERE type='table' AND name='recipe_tags'")->fetchAll();
 if (empty($recipeTagsTables)) {
    $db->exec("
        CREATE TABLE recipe_tags (
            id INTEGER PRIMARY KEY AUTOINCREMENT,
            key TEXT UNIQUE NOT NULL,
            label TEXT NOT NULL,
            icon TEXT DEFAULT '🏷️',
            sort_order INTEGER DEFAULT 0
        );
    ");
    $db->exec("INSERT INTO recipe_tags (key, label, icon, sort_order) VALUES
        ('cocktail', 'Cocktail', '🍹', 1),
        ('sans_alcool', 'Sans alcool', '🚫', 2),
        ('shot', 'Shot', '🥃', 3),
        ('long_drink', 'Long drink', '🍺', 4),
        ('aperitif', 'Apéritif', '🍾', 5),
        ('digestif', 'Digestif', '❄️', 6),
        ('rhum', 'Rhum', '🥃', 7),
        ('vodka', 'Vodka', '🍸', 8),
        ('gin', 'Gin', '🌿', 9),
        ('whisky', 'Whisky', '🥃', 10),
        ('tequila', 'Tequila', '🌵', 11),
        ('vin', 'Vin', '🍷', 12),
        ('champagne', 'Champagne / Mousseux', '🍾', 13),
        ('acidule', 'Acidulé', '🍋', 14),
        ('sucre', 'Sucré', '🍬', 15),
        ('amer', 'Amer', '☕', 16),
        ('epice', 'Épicé', '🌶️', 17),
        ('fruite', 'Fruité', '🍊', 18),
        ('herbace', 'Herbacé', '🌿', 19),
        ('ete', 'Été', '☀️', 20),
        ('hiver', 'Hiver', '❄️', 21),
        ('soiree', 'Soirée', '🎉', 22),
        ('brunch', 'Brunch', '🥂', 23)
    ");
 }
 // Migration: add keywords column to recipe_tags if missing
 $rtCols = array_column($db->query("PRAGMA table_info(recipe_tags)")->fetchAll(), 'name');
 if (!in_array('keywords', $rtCols)) {
    try { $db->exec("ALTER TABLE recipe_tags ADD COLUMN keywords TEXT DEFAULT ''"); }
    catch (PDOException $e) { if (strpos($e->getMessage(), 'duplicate column') === false) throw $e; }
 }
 // Custom quantity units (v2.4) — unités personnalisées (ex: kg, L) avec facteur de conversion vers pz/g/ml, gérables depuis Config
 $customUnitsTables = $db->query("SELECT name FROM sqlite_master WHERE type='table' AND name='custom_units'")->fetchAll();
 if (empty($customUnitsTables)) {
    $db->exec("
        CREATE TABLE custom_units (
            id INTEGER PRIMARY KEY AUTOINCREMENT,
            key TEXT UNIQUE NOT NULL,
            label TEXT NOT NULL,
            icon TEXT DEFAULT '📏',
            base_unit TEXT NOT NULL DEFAULT 'g',
            factor REAL NOT NULL DEFAULT 1,
            sort_order INTEGER DEFAULT 0
        );
    ");
 }
 // Add display_unit_key column to products if missing — unité personnalisée a afficher pour ce produit
 $prodColsUnits = array_column($db->query("PRAGMA table_info(products)")->fetchAll(), 'name');
 if (!in_array('display_unit_key', $prodColsUnits)) {
    try { $db->exec("ALTER TABLE products ADD COLUMN display_unit_key TEXT DEFAULT NULL"); }
    catch (PDOException $e) { if (strpos($e->getMessage(), 'duplicate column') === false) throw $e; }
 }
    // Internal shopping list table (v1.8.0) — used when SHOPPING_MODE=internal
    // Internal shopping list table (v1.8.0) — used when SHOPPING_MODE=internal
    $shopTables = $db->query("SELECT name FROM sqlite_master WHERE type='table' AND name='shopping_list'")->fetchAll();
    if (empty($shopTables)) {
@@ -291,6 +573,12 @@ function migrateDB(PDO $db): void {
        try { $db->exec("ALTER TABLE products ADD COLUMN nutriments_json TEXT DEFAULT NULL"); }
        catch (PDOException $e) { if (strpos($e->getMessage(), 'duplicate column') === false) throw $e; }
    }
    // Add tags column to products if missing (bugfix: insert referenced a column never created)
    if (!in_array('tags', $prodCols2)) {
        try { $db->exec("ALTER TABLE products ADD COLUMN tags TEXT DEFAULT NULL"); }
        catch (PDOException $e) { if (strpos($e->getMessage(), 'duplicate column') === false) throw $e; }
    }
 }
 /**
@@ -443,6 +731,7 @@ function estimateOpenedExpiryDaysPHP(string $name, string $category, string $loc
    if (preg_match('/\b(pollo|tacchino|maiale|manzo|vitello|agnello)\b/', $n)) return 2;
    if (preg_match('/salmone|tonno\s+fresco|pesce(?!\s+in)/', $n)) return 2;
    if (preg_match('/\b(passata|pelati|polpa|sugo|salsa\s+di\s+pomodoro)\b/', $n)) return 5;
    if (preg_match('/insalata\s+di\s+(riso|pasta|farro|orzo|couscous)/', $n)) return 7;
    if (preg_match('/insalata|rucola|spinaci|lattuga|crescione|germogli/', $n)) return 4;
    if (preg_match('/\b(succo|spremuta)\b/', $n)) return 3;
    if (preg_match('/\b(birra|beer)\b/', $n)) return 3;
@@ -520,6 +809,7 @@ function estimateSealedExpiryDaysPHP(string $name, string $category, string $loc
    elseif (preg_match('/uova/', $n)) $days = 28;
    elseif (preg_match('/pane\s+fresco|pane\s+in\s+cassetta/', $n)) $days = 5;
    elseif (preg_match('/pane\s+confezionato|pan\s+carr|pancarrè/', $n)) $days = 14;
    elseif (preg_match('/insalata\s+di\s+(riso|pasta|farro|orzo|couscous)/', $n)) $days = 7;
    elseif (preg_match('/insalata|rucola|spinaci\s+freschi/', $n)) $days = 5;
    elseif (preg_match('/pollo|tacchino|maiale|manzo|vitello|sovracosci|cosci/', $n)) $days = 3;
    elseif (preg_match('/salmone|tonno\s+fresco|pesce/', $n) && !preg_match('/tonno\s+in\s+scatola|tonno\s+rio/', $n)) $days = 2;
@@ -616,4 +906,4 @@ function getVacuumExpiryDaysPHP(int $baseDays): int {
    if ($baseDays <= 30) return (int)round($baseDays * 2.5);
    if ($baseDays <= 90) return (int)round($baseDays * 2.5);
    return (int)round($baseDays * 1.5);
-}
+}
@@ -0,0 +1,22 @@
 <?php
 /**
 * EverShelf — shared path constants.
 */
 define('EVERSHELF_ROOT', dirname(__DIR__, 2));
 define('GH_REPO', 'dadaloop82/EverShelf');
 define('PRICE_CACHE_PATH',         EVERSHELF_ROOT . '/data/shopping_price_cache.json');
 define('CATEGORY_CACHE_PATH',      EVERSHELF_ROOT . '/data/category_ai_cache.json');
 define('SHELF_CACHE_PATH',         EVERSHELF_ROOT . '/data/opened_shelf_cache.json');
 define('FOODFACTS_CACHE_PATH',     EVERSHELF_ROOT . '/data/food_facts_cache.json');
 define('SHOPPING_NAME_CACHE_PATH', EVERSHELF_ROOT . '/data/shopping_name_cache.json');
 define('BRING_TOKEN_PATH',         EVERSHELF_ROOT . '/data/bring_token.json');
 define('AI_USAGE_PATH',            EVERSHELF_ROOT . '/data/ai_usage.json');
 define('BACKUP_DIR',               EVERSHELF_ROOT . '/data/backups');
 define('BACKUP_LAST_TS_PATH',      EVERSHELF_ROOT . '/data/backup_last_ts.json');
 define('CRON_LOG_PATH',            EVERSHELF_ROOT . '/data/cron.log');
 define('GEMINI_COST_25F_IN',  (float)(getenv('GEMINI_COST_25F_IN')  ?: 0.15));
 define('GEMINI_COST_25F_OUT', (float)(getenv('GEMINI_COST_25F_OUT') ?: 0.60));
 define('GEMINI_COST_20F_IN',  (float)(getenv('GEMINI_COST_20F_IN')  ?: 0.10));
 define('GEMINI_COST_20F_OUT', (float)(getenv('GEMINI_COST_20F_OUT') ?: 0.40));
@@ -0,0 +1,28 @@
 <?php
 /**
 * Rotate data/cron.log — keep last N MB / lines.
 */
 require_once __DIR__ . '/constants.php';
 function evershelfRotateCronLog(?int $maxBytes = null, int $keepRotated = 3): void {
    $path = CRON_LOG_PATH;
    if (!file_exists($path)) {
        return;
    }
    $maxBytes = $maxBytes ?? max(65536, (int)env('CRON_LOG_MAX_BYTES', '524288'));
    $size = filesize($path);
    if ($size === false || $size <= $maxBytes) {
        return;
    }
    for ($i = $keepRotated; $i >= 1; $i--) {
        $from = ($i === 1) ? $path : $path . '.' . ($i - 1);
        $to   = $path . '.' . $i;
        if ($i === $keepRotated && file_exists($to)) {
            @unlink($to);
        }
        if (file_exists($from)) {
            @rename($from, $to);
        }
    }
 }
@@ -0,0 +1,40 @@
 <?php
 /**
 * EverShelf — environment variable loader (.env).
 */
 function loadEnv(): array {
    static $cache = null;
    if ($cache !== null) {
        return $cache;
    }
    $envFile = dirname(__DIR__, 2) . '/.env';
    $cache = [];
    if (file_exists($envFile)) {
        $lines = file($envFile, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
        foreach ($lines as $line) {
            if (strpos($line, '#') === 0 || strpos($line, '=') === false) {
                continue;
            }
            [$key, $val] = explode('=', $line, 2);
            $cache[trim($key)] = trim($val);
        }
    }
    return $cache;
 }
 function env(string $key, string $default = ''): string {
    $vars = loadEnv();
    if (isset($vars[$key]) && $vars[$key] !== '') {
        return $vars[$key];
    }
    // Fallback to system/Docker environment variables (e.g. set via Portainer)
    $sysVal = getenv($key);
    if ($sysVal !== false && $sysVal !== '') {
        return $sysVal;
    }
    return $default;
 }
 /** Push a single key into the in-memory env cache (after .env write). */
 function envCacheSet(string $key, string $value): void {
    loadEnv();
    // Force reload on next call — callers should use loadEnv() return for batch updates
 }
@@ -0,0 +1,69 @@
 <?php
 /**
 * EverShelf — GitHub issue reporting token (encrypted at rest in .env).
 *
 * Configure ONE of:
 *   GH_ISSUE_TOKEN=ghp_...                    (plain, .env is gitignored)
 *   GH_ISSUE_TOKEN_ENC=... + GH_ISSUE_TOKEN_KEY=...  (AES-256-GCM, preferred)
 *
 * Generate encrypted value: php scripts/encrypt-gh-token.php 'ghp_xxx' 'your-secret-key'
 */
 require_once __DIR__ . '/env.php';
 function evershelfDecryptGhToken(string $encB64, string $key): string {
    $raw = base64_decode($encB64, true);
    if ($raw === false || strlen($raw) < 28) {
        return '';
    }
    $iv     = substr($raw, 0, 12);
    $tag    = substr($raw, 12, 16);
    $cipher = substr($raw, 28);
    $plain  = openssl_decrypt(
        $cipher,
        'aes-256-gcm',
        hash('sha256', $key, true),
        OPENSSL_RAW_DATA,
        $iv,
        $tag
    );
    return ($plain !== false) ? $plain : '';
 }
 function evershelfEncryptGhToken(string $plain, string $key): string {
    $iv = random_bytes(12);
    $tag = '';
    $cipher = openssl_encrypt(
        $plain,
        'aes-256-gcm',
        hash('sha256', $key, true),
        OPENSSL_RAW_DATA,
        $iv,
        $tag
    );
    return base64_encode($iv . $tag . $cipher);
 }
 /** Decode GitHub Issues token at runtime — never stored in source code. */
 function _ghToken(): string {
    static $token = null;
    if ($token !== null) {
        return $token;
    }
    $plain = env('GH_ISSUE_TOKEN');
    if ($plain !== '') {
        $token = $plain;
        return $token;
    }
    $enc = env('GH_ISSUE_TOKEN_ENC');
    $key = env('GH_ISSUE_TOKEN_KEY');
    if ($enc !== '' && $key !== '') {
        $token = evershelfDecryptGhToken($enc, $key);
        return $token;
    }
    $token = '';
    return $token;
 }
@@ -0,0 +1,293 @@
 <?php
 /**
 * EverShelf — authentication, CORS, demo mode, scale gateway allowlist.
 */
 require_once __DIR__ . '/env.php';
 /** Effective API token: API_TOKEN takes precedence over legacy SETTINGS_TOKEN. */
 function evershelfEffectiveApiToken(): string {
    $api = env('API_TOKEN');
    if ($api !== '') {
        return $api;
    }
    return env('SETTINGS_TOKEN', '');
 }
 function evershelfApiTokenRequired(): bool {
    return evershelfEffectiveApiToken() !== '';
 }
 function evershelfGetProvidedApiToken(): string {
    if (!empty($_SERVER['HTTP_X_API_TOKEN'])) {
        return (string)$_SERVER['HTTP_X_API_TOKEN'];
    }
    if (!empty($_SERVER['HTTP_X_SETTINGS_TOKEN'])) {
        return (string)$_SERVER['HTTP_X_SETTINGS_TOKEN'];
    }
    if (isset($_GET['api_token'])) {
        return (string)$_GET['api_token'];
    }
    // Home Assistant ha-evershelf sends Authorization: Bearer (legacy)
    $authHeader = $_SERVER['HTTP_AUTHORIZATION']
        ?? $_SERVER['REDIRECT_HTTP_AUTHORIZATION']
        ?? '';
    if (preg_match('/^Bearer\s+(\S+)/i', $authHeader, $m)) {
        return $m[1];
    }
    return evershelfGetProvidedApiTokenFromHeaders();
 }
 function evershelfApiTokenValid(): bool {
    $required = evershelfEffectiveApiToken();
    if ($required === '') {
        return true;
    }
    $provided = evershelfGetProvidedApiToken();
    return $provided !== '' && hash_equals($required, $provided);
 }
 function evershelfGetProvidedApiTokenFromHeaders(): string {
    return (string)($_SERVER['HTTP_X_API_TOKEN'] ?? $_SERVER['HTTP_X_SETTINGS_TOKEN'] ?? '');
 }
 /** Actions reachable without API token (telemetry + public probes). */
 function evershelfPublicActions(): array {
    return [
        'ping',
        'app_bootstrap',
        'check_update',
        'report_error',
        'report_bug',
        'client_log',
        'gdrive_oauth_callback',
    ];
 }
 /** GET actions that mutate state — require auth when token is configured. */
 function evershelfMutatingGetActions(): array {
    return ['db_cleanup', 'export_inventory'];
 }
 function evershelfDestructiveActions(): array {
    return [
        'save_settings', 'db_cleanup',
        'backup_now', 'backup_delete', 'backup_restore',
        'gdrive_push', 'gdrive_oauth_exchange',
        'migrate_units',
    ];
 }
 function evershelfActionNeedsAuth(string $action, string $method): bool {
    if (!evershelfApiTokenRequired()) {
        return false;
    }
    if (in_array($action, evershelfPublicActions(), true)) {
        return false;
    }
    if ($method === 'POST') {
        return true;
    }
    if ($method === 'GET' && in_array($action, evershelfMutatingGetActions(), true)) {
        return true;
    }
    if (in_array($action, ['get_logs', 'gemini_usage', 'get_client_log'], true)) {
        return true;
    }
    if (in_array($action, evershelfDestructiveActions(), true)) {
        return true;
    }
    // Protect all data reads when API token is set
    return true;
 }
 function evershelfRequireApiAuth(string $action, string $method): void {
    if (!evershelfActionNeedsAuth($action, $method)) {
        return;
    }
    if (evershelfApiTokenValid()) {
        return;
    }
    http_response_code(401);
    header('Content-Type: application/json; charset=utf-8');
    echo json_encode([
        'success'            => false,
        'error'              => 'unauthorized',
        'api_token_required' => true,
    ]);
    exit;
 }
 function evershelfRequireAuthForSensitive(string $action): void {
    if (!evershelfApiTokenRequired()) {
        return;
    }
    if (evershelfApiTokenValid()) {
        return;
    }
    http_response_code(401);
    header('Content-Type: application/json; charset=utf-8');
    echo json_encode(['success' => false, 'error' => 'unauthorized', 'api_token_required' => true]);
    exit;
 }
 function evershelfSendCorsHeaders(): void {
    $configured = env('CORS_ORIGIN', '');
    if ($configured === '') {
        // Same-origin SPA — do not emit wildcard CORS
        return;
    }
    if ($configured === '*') {
        header('Access-Control-Allow-Origin: *');
    } else {
        $reqOrigin = $_SERVER['HTTP_ORIGIN'] ?? '';
        $allowed   = array_filter(array_map('trim', explode(',', $configured)));
        if ($reqOrigin !== '' && in_array($reqOrigin, $allowed, true)) {
            header('Access-Control-Allow-Origin: ' . $reqOrigin);
            header('Vary: Origin');
        }
    }
    header('Access-Control-Allow-Methods: GET, POST, OPTIONS');
    header('Access-Control-Allow-Headers: Content-Type, X-EverShelf-Request, X-API-Token, X-Settings-Token');
 }
 /** Read-only actions allowed in DEMO_MODE. */
 function evershelfDemoReadOnlyActions(): array {
    return [
        'ping', 'check_update', 'health_check', 'get_settings', 'gemini_usage',
        'search_barcode', 'lookup_barcode', 'resolve_barcode', 'stock_for_name',
        'product_get', 'products_list', 'products_search', 'inventory_search', 'ai_product_suggest',
        'inventory_list', 'inventory_summary', 'inventory_finished_items',
        'transactions_list', 'stats', 'monthly_stats', 'macro_stats',
        'consumption_predictions', 'inventory_anomalies', 'inventory_duplicate_loss_checks',
        'recent_popular_products', 'expiry_history', 'food_facts', 'opened_shelf_life',
        'bring_list', 'bring_suggest', 'shopping_list', 'shopping_suggest', 'smart_shopping',
        'recipes_list', 'chat_list', 'app_settings_get',
        'ha_sensor', 'ha_info', 'ha_shopping_items', 'ha_test', 'ha_calendar',
        'guess_category', 'get_shopping_price', 'get_all_shopping_prices',
        'backup_list', 'export_inventory',
    ];
 }
 function evershelfDemoBlocksAction(string $action, string $method): bool {
    if (env('DEMO_MODE') !== 'true') {
        return false;
    }
    if (in_array($action, evershelfDemoReadOnlyActions(), true)) {
        return false;
    }
    // Block all AI generation in demo (cost + writes)
    if (str_starts_with($action, 'gemini_') || in_array($action, [
        'generate_recipe', 'generate_recipe_stream', 'chat_to_recipe', 'recipe_from_ingredient',
    ], true)) {
        return true;
    }
    if ($method === 'POST') {
        return true;
    }
    if (in_array($action, evershelfMutatingGetActions(), true)) {
        return true;
    }
    return !in_array($action, evershelfDemoReadOnlyActions(), true);
 }
 /** Hosts allowed for scale WebSocket relay (SSRF guard). */
 function evershelfAllowedScaleHosts(): array {
    $hosts = ['127.0.0.1', 'localhost', '::1'];
    $gw    = env('SCALE_GATEWAY_URL', '');
    if ($gw !== '') {
        $p = parse_url($gw);
        if (!empty($p['host'])) {
            $hosts[] = strtolower($p['host']);
        }
    }
    // Server's own LAN IP — gateway may bind here on kiosk LAN
    if (function_exists('gethostname')) {
        $lan = gethostbyname(gethostname());
        if ($lan && filter_var($lan, FILTER_VALIDATE_IP)) {
            $hosts[] = $lan;
        }
    }
    return array_values(array_unique($hosts));
 }
 function evershelfScaleHostAllowed(string $host): bool {
    $host = strtolower(trim($host));
    if ($host === '') {
        return false;
    }
    foreach (evershelfAllowedScaleHosts() as $allowed) {
        if ($host === strtolower($allowed)) {
            return true;
        }
    }
    // Allow private /24 only when host matches server's subnet (kiosk on same LAN)
    $serverIp = evershelfLocalLanIp();
    if ($serverIp !== '') {
        $subnet = implode('.', array_slice(explode('.', $serverIp), 0, 3));
        if (str_starts_with($host, $subnet . '.')) {
            return true;
        }
    }
    return false;
 }
 function evershelfLocalLanIp(): string {
    $sock = @socket_create(AF_INET, SOCK_DGRAM, SOL_UDP);
    if ($sock) {
        @socket_connect($sock, '8.8.8.8', 53);
        @socket_getsockname($sock, $ip);
        socket_close($sock);
        if (isset($ip) && filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
            return $ip;
        }
    }
    return '';
 }
 /**
 * True when the request comes from the EverShelf web UI on the same host.
 * Used to auto-provision API_TOKEN to the browser without manual .env copy.
 */
 function evershelfIsSameOriginBrowser(): bool {
    $host = strtolower(explode(':', $_SERVER['HTTP_HOST'] ?? '')[0]);
    if ($host === '') {
        return false;
    }
    $origin = $_SERVER['HTTP_ORIGIN'] ?? '';
    if ($origin !== '') {
        $oh = parse_url($origin, PHP_URL_HOST);
        return $oh && strtolower($oh) === $host;
    }
    $referer = $_SERVER['HTTP_REFERER'] ?? '';
    if ($referer !== '') {
        $rh = parse_url($referer, PHP_URL_HOST);
        return $rh && strtolower($rh) === $host;
    }
    $fetchSite = $_SERVER['HTTP_SEC_FETCH_SITE'] ?? '';
    if (in_array($fetchSite, ['same-origin', 'same-site'], true)) {
        return true;
    }
    return false;
 }
 /** Auth for scale endpoints — EventSource cannot send headers; allow query token or same-origin UI. */
 function evershelfRequireScaleAccess(): void {
    if (!evershelfApiTokenRequired()) {
        return;
    }
    if (evershelfApiTokenValid()) {
        return;
    }
    if (evershelfIsSameOriginBrowser()) {
        return;
    }
    http_response_code(401);
    header('Content-Type: application/json; charset=utf-8');
    echo json_encode(['error' => 'unauthorized', 'api_token_required' => true]);
    exit;
 }
@@ -335,6 +335,7 @@ class LoggingPDOStatement {
 // Type hint: use PDO in all functions (LoggingPDO extends PDO).
 // ═══════════════════════════════════════════════════════════════════════════
 class LoggingPDO extends \PDO {
    #[\ReturnTypeWillChange]
    public function prepare(string $query, array $options = []): LoggingPDOStatement|false {
        $stmt = parent::prepare($query, $options);
        if ($stmt === false) {
@@ -1,57 +1,53 @@
 <?php
 /**
- * EverShelf Scale Gateway — Auto-discovery
+ * EverShelf Scale Gateway — Auto-discovery (auth + rate limit + LAN only).
 *
 * Scans the server's local /24 subnet for any host responding on the gateway
 * port (default 8765) and confirms it with a WebSocket handshake.
 *
 * Returns: {"found": ["ws://192.168.1.100:8765", ...]}
 */
 require_once __DIR__ . '/lib/env.php';
 require_once __DIR__ . '/lib/security.php';
 header('Content-Type: application/json');
 header('Cache-Control: no-cache');
 evershelfSendCorsHeaders();
-$port = (int)($_GET['port'] ?? 8765);
+if (evershelfApiTokenRequired() && !evershelfApiTokenValid() && !evershelfIsSameOriginBrowser()) {
-if ($port < 1 || $port > 65535) $port = 8765;
+    http_response_code(401);
-
+    echo json_encode(['error' => 'unauthorized', 'api_token_required' => true]);
-// ── Determine server LAN IP ────────────────────────────────────────────────
+    exit;
 // SERVER_ADDR may be 127.0.0.1 when accessed via internal vhost — fall back
 // to a UDP trick (no actual packet sent) to find the default-route interface IP.
 function localLanIp(): string {
    $sock = @socket_create(AF_INET, SOCK_DGRAM, SOL_UDP);
    if ($sock) {
        @socket_connect($sock, '8.8.8.8', 53);
        @socket_getsockname($sock, $ip);
        socket_close($sock);
        if (isset($ip) && filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) return $ip;
    }
    // Fallback: parse /proc/net/route for default gateway interface then ip neigh
    $ifaces = @net_get_interfaces();
    if ($ifaces) {
        foreach ($ifaces as $name => $info) {
            if ($name === 'lo') continue;
            foreach ($info['unicast'] ?? [] as $u) {
                $ip = $u['address'] ?? '';
                if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE)) continue;
                if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) return $ip;
            }
        }
    }
    return '';
 }
-$serverIp = localLanIp();
+// Simple rate limit: max 6 scans per minute per IP
 $rlDir = dirname(__DIR__) . '/data/rate_limits';
 if (!is_dir($rlDir)) {
    @mkdir($rlDir, 0755, true);
 }
 $rlFile = $rlDir . '/scale_discover_' . md5($_SERVER['REMOTE_ADDR'] ?? 'cli') . '.json';
 $now = time();
 $hits = [];
 if (file_exists($rlFile)) {
    $hits = array_filter(json_decode(file_get_contents($rlFile), true) ?: [], fn($t) => $t > $now - 60);
 }
 if (count($hits) >= 6) {
    http_response_code(429);
    echo json_encode(['error' => 'Too many discovery scans']);
    exit;
 }
 $hits[] = $now;
@file_put_contents($rlFile, json_encode($hits), LOCK_EX);
 $port = (int)($_GET['port'] ?? 8765);
 if ($port < 1 || $port > 65535) {
    $port = 8765;
 }
 $serverIp = evershelfLocalLanIp();
 $parts = explode('.', $serverIp);
 if (count($parts) !== 4) {
-    echo json_encode(['error' => 'Cannot determine local subnet', 'server_ip' => $serverIp]);
+    echo json_encode(['error' => 'Cannot determine local subnet', 'found' => []]);
    exit;
 }
 $subnet = $parts[0] . '.' . $parts[1] . '.' . $parts[2] . '.';
 // ── Phase 1: Async TCP connect to all 254 hosts ────────────────────────────
 // Non-blocking stream_socket_client + stream_select to detect open ports quickly.
 // Total scan budget: 1.5 seconds.
 $candidates = [];
 for ($i = 1; $i <= 254; $i++) {
    $ip = $subnet . $i;
@@ -74,25 +70,28 @@ while (!empty($candidates) && microtime(true) < $deadline) {
    $read   = null;
    $usec   = (int)(max(0, $deadline - microtime(true)) * 1_000_000);
    $n = @stream_select($read, $write, $except, 0, $usec);
-    if ($n === false || $n === 0) break;
+    if ($n === false || $n === 0) {
        break;
    }
    // Sockets in $except = connection refused/error
    $failed = [];
    foreach ($except as $s) {
        $ip = array_search($s, $candidates, true);
-        if ($ip !== false) $failed[$ip] = true;
+        if ($ip !== false) {
            $failed[$ip] = true;
        }
    }
    // Sockets in $write = connection complete (may overlap with $except on error)
    foreach ($write as $s) {
        $ip = array_search($s, $candidates, true);
-        if ($ip === false) continue;
+        if ($ip === false) {
            continue;
        }
        if (!isset($failed[$ip])) {
            $found_tcp[] = $ip;
        }
        @fclose($s);
        unset($candidates[$ip]);
    }
    // Close failed sockets too
    foreach ($failed as $ip => $_) {
        if (isset($candidates[$ip])) {
            @fclose($candidates[$ip]);
@@ -100,13 +99,16 @@ while (!empty($candidates) && microtime(true) < $deadline) {
        }
    }
 }
-foreach ($candidates as $s) @fclose($s); // close remaining (timeout)
+foreach ($candidates as $s) {
    @fclose($s);
 }
 // ── Phase 2: WebSocket handshake to confirm each TCP responder ─────────────
 $gateways = [];
 foreach ($found_tcp as $ip) {
    $sock = @stream_socket_client("tcp://{$ip}:{$port}", $errno, $errstr, 2);
-    if (!$sock) continue;
+    if (!$sock) {
        continue;
    }
    stream_set_timeout($sock, 2);
    $key = base64_encode(random_bytes(16));
@@ -124,9 +126,13 @@ foreach ($found_tcp as $ip) {
    $dl = microtime(true) + 2;
    while (microtime(true) < $dl && !feof($sock)) {
        $line = fgets($sock, 256);
-        if ($line === false) break;
+        if ($line === false) {
            break;
        }
        $resp .= $line;
-        if ($line === "\r\n") break;
+        if ($line === "\r\n") {
            break;
        }
    }
    fclose($sock);
@@ -138,5 +144,4 @@ foreach ($found_tcp as $ip) {
 echo json_encode([
    'found'  => $gateways,
    'subnet' => rtrim($subnet, '.') . '.0/24',
    'server_ip' => $serverIp,
 ]);
@@ -1,16 +1,20 @@
 <?php
 /**
- * EverShelf Scale Gateway — Connection ping / test
+ * EverShelf Scale Gateway — Connection ping / test (SSRF-hardened)
 *
 * Performs a WebSocket handshake with the gateway and returns
 * {"ok":true} on success, {"ok":false,"error":"..."} on failure.
 *
 * Usage: GET /api/scale_ping.php?url=ws%3A%2F%2F192.168.1.100%3A8765
 */
 require_once __DIR__ . '/lib/env.php';
 require_once __DIR__ . '/lib/security.php';
 header('Content-Type: application/json');
 header('Cache-Control: no-cache');
 if (evershelfApiTokenRequired() && !evershelfApiTokenValid() && !evershelfIsSameOriginBrowser()) {
    http_response_code(401);
    echo json_encode(['ok' => false, 'error' => 'unauthorized', 'api_token_required' => true]);
    exit;
 }
 $rawUrl = $_GET['url'] ?? '';
 if (!preg_match('#^ws://[0-9a-zA-Z][\w.\-]*(:\d{1,5})?(/.*)?$#', $rawUrl)) {
@@ -19,7 +23,7 @@ if (!preg_match('#^ws://[0-9a-zA-Z][\w.\-]*(:\d{1,5})?(/.*)?$#', $rawUrl)) {
 }
 $parsed = parse_url($rawUrl);
-$host   = $parsed['host'] ?? '';
+$host   = strtolower($parsed['host'] ?? '');
 $port   = (int)($parsed['port'] ?? 8765);
 $path   = ($parsed['path'] ?? '') ?: '/';
@@ -28,6 +32,11 @@ if (!$host || $port < 1 || $port > 65535) {
    exit;
 }
 if (!evershelfScaleHostAllowed($host)) {
    echo json_encode(['ok' => false, 'error' => 'Gateway host not allowed']);
    exit;
 }
 // Try to open a TCP connection with a 5-second timeout
 $sock = @stream_socket_client("tcp://{$host}:{$port}", $errno, $errstr, 5);
 if (!$sock) {
@@ -8,6 +8,16 @@
 * Usage: GET /api/scale_relay.php?url=ws%3A%2F%2F192.168.1.100%3A8765
 */
 require_once __DIR__ . '/lib/env.php';
 require_once __DIR__ . '/lib/security.php';
 if (evershelfApiTokenRequired() && !evershelfApiTokenValid() && !evershelfIsSameOriginBrowser()) {
    header('Content-Type: application/json; charset=utf-8');
    http_response_code(401);
    echo json_encode(['error' => 'unauthorized', 'api_token_required' => true]);
    exit;
 }
 // ── Input validation ──────────────────────────────────────────────────────────
 $rawUrl = $_GET['url'] ?? '';
@@ -19,7 +29,7 @@ if (!preg_match('#^ws://[0-9a-zA-Z][\w.\-]*(:\d{1,5})?(/.*)?$#', $rawUrl)) {
 }
 $parsed = parse_url($rawUrl);
-$wsHost = $parsed['host'] ?? '';
+$wsHost = strtolower($parsed['host'] ?? '');
 $wsPort = (int)($parsed['port'] ?? 8765);
 $wsPath = ($parsed['path'] ?? '') ?: '/';
@@ -29,6 +39,12 @@ if (!$wsHost || $wsPort < 1 || $wsPort > 65535) {
    exit;
 }
 if (!evershelfScaleHostAllowed($wsHost)) {
    header('Content-Type: text/event-stream');
    echo 'data: ' . json_encode(['type' => 'error', 'message' => 'Gateway host not allowed']) . "\n\n";
    exit;
 }
 // ── SSE headers ───────────────────────────────────────────────────────────────
 header('Content-Type: text/event-stream');
 header('Cache-Control: no-cache, no-store, must-revalidate');
@@ -666,6 +666,126 @@ body.server-offline .bottom-nav {
    flex-shrink: 0;
 }
 /* Family sibling hint (spesa mode) — compact card with thumbnail */
 .family-sibling-prompt {
    position: fixed;
    bottom: 80px;
    left: 50%;
    transform: translateX(-50%);
    z-index: 9998;
    background: linear-gradient(145deg, #1e3a5f 0%, #0f2744 100%);
    color: #fff;
    border-radius: 14px;
    padding: 10px 12px;
    display: flex;
    flex-direction: column;
    gap: 8px;
    box-shadow: 0 6px 24px rgba(0, 0, 0, 0.45);
    max-width: min(440px, calc(100vw - 20px));
    width: calc(100% - 20px);
    box-sizing: border-box;
    border: 1px solid rgba(255, 255, 255, 0.12);
    animation: family-sibling-in 0.22s ease-out;
 }
@keyframes family-sibling-in {
    from { opacity: 0; transform: translateX(-50%) translateY(10px); }
    to   { opacity: 1; transform: translateX(-50%) translateY(0); }
 }
 .family-sibling-prompt-body {
    display: flex;
    gap: 10px;
    align-items: flex-start;
 }
 .family-sibling-prompt-thumb {
    flex-shrink: 0;
    width: 52px;
    height: 52px;
    border-radius: 10px;
    overflow: hidden;
    background: rgba(255, 255, 255, 0.1);
    display: flex;
    align-items: center;
    justify-content: center;
 }
 .family-sibling-prompt-img {
    width: 100%;
    height: 100%;
    object-fit: cover;
 }
 .family-sibling-prompt-icon {
    font-size: 1.6rem;
    line-height: 1;
 }
 .family-sibling-prompt-info {
    flex: 1;
    min-width: 0;
    display: flex;
    flex-direction: column;
    gap: 2px;
 }
 .family-sibling-prompt-title {
    font-size: 0.72rem;
    font-weight: 700;
    line-height: 1.2;
    margin: 0;
    text-transform: uppercase;
    letter-spacing: 0.03em;
    color: rgba(255, 255, 255, 0.85);
 }
 .family-sibling-prompt-name {
    font-size: 0.95rem;
    font-weight: 700;
    line-height: 1.25;
    margin: 0;
    overflow: hidden;
    text-overflow: ellipsis;
    display: -webkit-box;
    -webkit-line-clamp: 2;
    -webkit-box-orient: vertical;
 }
 .family-sibling-prompt-stock {
    font-size: 1.05rem;
    font-weight: 800;
    line-height: 1.3;
    margin: 4px 0 0;
    color: #bbf7d0;
 }
 .family-sibling-prompt-meta {
    font-size: 0.8rem;
    line-height: 1.3;
    margin: 0;
    color: rgba(255, 255, 255, 0.78);
 }
 .family-sibling-prompt-question {
    font-size: 0.82rem;
    line-height: 1.25;
    margin: 2px 0 0;
    color: #f8fafc;
    font-weight: 600;
 }
 .family-sibling-prompt-actions {
    display: flex;
    gap: 8px;
 }
 .family-sibling-prompt-actions button {
    flex: 1;
    border: none;
    border-radius: 10px;
    padding: 9px 10px;
    font-size: 0.88rem;
    font-weight: 700;
    cursor: pointer;
    min-height: 38px;
 }
 .family-sibling-prompt-yes {
    background: #22c55e;
    color: #fff;
 }
 .family-sibling-prompt-no {
    background: #475569;
    color: #fff;
 }
@keyframes pulse-scan {
    0%, 100% { box-shadow: 0 2px 8px rgba(0,0,0,0.2); }
    50% { box-shadow: 0 2px 16px rgba(255,255,255,0.4); }
@@ -1727,6 +1847,41 @@ body.server-offline .bottom-nav {
    border-color: var(--primary);
 }
 .qty-control-with-unit {
    display: flex;
    align-items: center;
    gap: 10px;
    flex-wrap: wrap;
 }
 .qty-control-with-unit .qty-control {
    flex: 0 0 auto;
 }
 .qty-unit-badge {
    display: inline-flex;
    align-items: center;
    justify-content: center;
    min-width: 52px;
    height: 50px;
    padding: 0 12px;
    border-radius: var(--radius-sm);
    background: var(--primary);
    color: #fff;
    font-size: 1rem;
    font-weight: 800;
    letter-spacing: 0.02em;
    text-transform: lowercase;
    white-space: nowrap;
    box-shadow: 0 1px 3px rgba(0, 0, 0, 0.12);
 }
 .qty-unit-badge.qty-unit-muted {
    background: var(--bg-card);
    color: var(--primary);
    border: 2px solid var(--primary);
 }
 /* ===== USE OPTIONS ===== */
 .use-options {
    display: flex;
@@ -1845,6 +2000,19 @@ body.server-offline .bottom-nav {
    overflow: hidden;
 }
 /* Spesa mode: hide manual barcode field only — tabs and normal viewport stay */
 #page-scan.spesa-scan-layout .barcode-input-row {
    display: none !important;
 }
 .spesa-scan-barcode-hint {
    margin: 0;
    padding: 6px 4px 2px;
    font-size: 0.85rem;
    color: var(--text-muted);
    text-align: center;
    line-height: 1.35;
 }
 .scanner-viewport video {
    width: 100%;
    height: 100%;
@@ -2009,6 +2177,63 @@ body.server-offline .bottom-nav {
 .scan-status-msg.state-confirmed { color: #4ade80; background: rgba(74,222,128,0.22); }
 .scan-status-msg.state-retry { color: #fb923c; }
 /* — AI processing overlay (full-viewport, shown during Gemini Vision call) — */
 .scan-ai-overlay {
    position: absolute;
    inset: 0;
    z-index: 20;
    display: flex;
    align-items: center;
    justify-content: center;
    background: rgba(0,0,0,0.72);
    backdrop-filter: blur(4px);
    -webkit-backdrop-filter: blur(4px);
    border-radius: var(--radius);
 }
 .scan-ai-overlay-inner {
    display: flex;
    flex-direction: column;
    align-items: center;
    gap: 10px;
    padding: 24px 28px;
    background: rgba(255,255,255,0.07);
    border: 1.5px solid rgba(255,255,255,0.18);
    border-radius: 16px;
 }
 .scan-ai-overlay-label {
    font-size: 0.65rem;
    color: rgba(255,255,255,0.5);
    text-transform: uppercase;
    letter-spacing: 0.1em;
    font-family: monospace;
 }
 .scan-ai-overlay-msg {
    font-size: 0.88rem;
    color: #fff;
    text-align: center;
    max-width: 220px;
 }
 /* — Manual AI button (user-triggered only) — */
 .scan-ai-manual-btn {
    width: 100%;
    margin-top: 10px;
    font-size: 1.05rem;
    padding: 14px 16px;
    border-radius: 14px;
    border: 2px solid var(--accent);
    background: rgba(124,58,237,0.12);
    color: var(--accent);
    font-weight: 700;
    cursor: pointer;
    transition: background 0.15s, opacity 0.15s;
 }
 .scan-ai-manual-btn:disabled {
    opacity: 0.45;
    cursor: not-allowed;
 }
 .scan-ai-manual-btn:active:not(:disabled) { background: rgba(124,58,237,0.22); }
 /* — Viewport overlay controls (torch / zoom / flip) — */
 .scan-viewport-controls {
    position: absolute;
@@ -2059,6 +2284,183 @@ body.server-offline .bottom-nav {
    box-shadow: var(--shadow);
 }
 .scan-ai-match-box {
    display: flex;
    flex-direction: column;
    gap: 14px;
 }
 .scan-ai-hero {
    display: flex;
    align-items: center;
    gap: 14px;
    padding: 14px;
    background: linear-gradient(135deg, rgba(124,58,237,0.12), rgba(34,197,94,0.1));
    border-radius: 14px;
    border: 1px solid var(--border);
 }
 .scan-ai-hero-icon {
    font-size: 2.6rem;
    line-height: 1;
    flex-shrink: 0;
 }
 .scan-ai-hero-text {
    min-width: 0;
    flex: 1;
 }
 .scan-ai-match-title {
    font-size: 0.82rem;
    font-weight: 700;
    text-transform: uppercase;
    letter-spacing: 0.04em;
    color: var(--text-muted);
    margin-bottom: 4px;
 }
 .scan-ai-hero-name {
    font-size: 1.35rem;
    font-weight: 800;
    line-height: 1.2;
    color: var(--text);
    word-break: break-word;
 }
 .scan-ai-hero-brand {
    font-size: 1rem;
    color: var(--text-muted);
    margin-top: 2px;
 }
 .scan-ai-action-hint {
    margin: -6px 0 0;
    font-size: 0.92rem;
    line-height: 1.4;
    color: var(--text-muted);
    text-align: center;
 }
 .scan-ai-or-divider {
    margin: 0;
    font-size: 0.88rem;
    font-weight: 700;
    color: var(--text-muted);
    text-align: center;
 }
 .scan-ai-match-subtitle {
    font-size: 0.82rem;
    color: var(--text-muted);
 }
 .scan-ai-match-list-wrap {
    display: flex;
    flex-direction: column;
    gap: 8px;
 }
 .scan-ai-match-list-title {
    font-size: 0.88rem;
    text-transform: uppercase;
    letter-spacing: 0.04em;
    color: var(--text-muted);
    font-weight: 700;
 }
 .scan-ai-match-list {
    display: flex;
    flex-direction: column;
    gap: 6px;
 }
 .scan-ai-candidate-item {
    border: 1px solid var(--border);
    background: var(--bg-main);
    border-radius: 12px;
    padding: 10px;
    display: flex;
    align-items: center;
    gap: 10px;
    cursor: pointer;
    text-align: left;
 }
 .scan-ai-candidate-item:active { transform: scale(0.99); }
 .scan-ai-candidate-thumb {
    width: 44px;
    height: 44px;
    flex-shrink: 0;
    border-radius: 10px;
    overflow: hidden;
    background: var(--bg-card);
    display: flex;
    align-items: center;
    justify-content: center;
 }
 .scan-ai-candidate-img {
    width: 100%;
    height: 100%;
    object-fit: cover;
 }
 .scan-ai-candidate-icon {
    font-size: 1.3rem;
    flex-shrink: 0;
 }
 .scan-ai-candidate-info {
    min-width: 0;
    display: flex;
    flex-direction: column;
    gap: 2px;
    flex: 1;
 }
 .scan-ai-candidate-name {
    font-size: 1rem;
    font-weight: 700;
    color: var(--text);
    white-space: nowrap;
    overflow: hidden;
    text-overflow: ellipsis;
 }
 .scan-ai-candidate-meta {
    font-size: 0.84rem;
    color: var(--text-muted);
    white-space: nowrap;
    overflow: hidden;
    text-overflow: ellipsis;
 }
 .scan-ai-candidate-cta {
    font-size: 0.82rem;
    font-weight: 700;
    color: var(--accent);
    border: 1px solid var(--accent);
    border-radius: 999px;
    padding: 6px 10px;
    flex-shrink: 0;
 }
 .scan-ai-match-empty {
    font-size: 0.86rem;
    color: var(--text-muted);
    background: var(--bg-main);
    border: 1px dashed var(--border);
    border-radius: 10px;
    padding: 10px 12px;
 }
 .scan-ai-add-btn {
    width: 100%;
    font-size: 1.15rem !important;
    font-weight: 800 !important;
    padding: 16px 20px !important;
    min-height: 54px;
    border-radius: 14px !important;
    box-shadow: 0 4px 14px rgba(34, 197, 94, 0.35);
 }
 .scan-ai-detected-label {
    font-size: 0.72rem;
    font-weight: 700;
    letter-spacing: 0.04em;
    text-transform: uppercase;
    color: var(--text-muted);
 }
 .scan-ai-detected-pill {
    font-size: 0.8rem;
    color: var(--text-muted);
    background: var(--bg-main);
    border-radius: 999px;
    border: 1px solid var(--border);
    padding: 6px 10px;
    white-space: nowrap;
    overflow: hidden;
    text-overflow: ellipsis;
 }
 /* — Recent scans — */
 .scan-recents {
    display: flex;
@@ -2933,6 +3335,14 @@ body.server-offline .bottom-nav {
    font-style: italic;
 }
 .shopping-item-specific {
    font-size: 0.73rem;
    color: var(--text-muted);
    margin-top: 2px;
    line-height: 1.3;
    font-style: italic;
 }
 .smart-brand {
    font-weight: 400;
    color: var(--text-muted);
@@ -4295,6 +4705,93 @@ body.server-offline .bottom-nav {
    line-height: 1.5;
 }
 /* ===== RECIPE NUTRITION BLOCK ===== */
 .recipe-nutrition-block {
    background: #f0fdf4;
    border: 1px solid #bbf7d0;
    border-radius: var(--radius-sm);
    padding: 12px 14px 8px;
    margin-top: 16px;
 }
 .recipe-section-heading {
    font-size: 0.85rem;
    font-weight: 700;
    color: #15803d;
    margin: 0 0 10px;
    text-transform: uppercase;
    letter-spacing: 0.03em;
 }
 .recipe-nutrition-grid {
    display: grid;
    grid-template-columns: repeat(4, 1fr);
    gap: 8px;
    text-align: center;
 }
 .recipe-nutrition-item {
    display: flex;
    flex-direction: column;
    align-items: center;
    gap: 2px;
 }
 .recipe-nutrition-icon { font-size: 1.2rem; }
 .recipe-nutrition-value {
    font-size: 0.95rem;
    font-weight: 700;
    color: #15803d;
 }
 .recipe-nutrition-label {
    font-size: 0.65rem;
    color: #64748b;
    text-transform: uppercase;
    letter-spacing: 0.04em;
 }
 .recipe-nutrition-note {
    font-size: 0.7rem;
    color: #94a3b8;
    text-align: center;
    margin: 6px 0 0;
 }
 .recipe-nutrition-footnote {
    color: var(--text-muted);
    font-size: 0.85rem;
    margin-top: 12px;
 }
 /* ===== RECIPE STORAGE CARD ===== */
 .recipe-storage-card {
    background: #fffbeb;
    border: 1px solid #fde68a;
    border-radius: var(--radius-sm);
    padding: 12px 14px 8px;
    margin-top: 12px;
 }
 .recipe-storage-card .recipe-section-heading { color: #b45309; }
 .recipe-storage-row {
    display: flex;
    flex-wrap: wrap;
    gap: 6px;
    margin-bottom: 6px;
 }
 .recipe-storage-badge {
    background: #fef3c7;
    border: 1px solid #fcd34d;
    border-radius: 20px;
    padding: 2px 12px;
    font-size: 0.8rem;
    font-weight: 600;
    color: #92400e;
    white-space: nowrap;
    text-transform: capitalize;
 }
 .recipe-storage-days { background: #dbeafe; border-color: #93c5fd; color: #1d4ed8; }
 .recipe-storage-now  { background: #fee2e2; border-color: #fca5a5; color: #b91c1c; }
 .recipe-storage-tips {
    font-size: 0.82rem;
    color: #78350f;
    margin: 2px 0 0;
    line-height: 1.4;
 }
 .recipe-tools-banner {
    display: flex;
    flex-wrap: wrap;
@@ -4419,6 +4916,13 @@ body.server-offline .bottom-nav {
    line-height: 1.3;
 }
 .recipe-ing-stock {
    color: var(--text-muted);
    font-size: 0.72rem;
    line-height: 1.35;
    opacity: 0.9;
 }
 /* ===== SHOPPING SECTION (REPARTO) HEADERS ===== */
 .shopping-section-divider {
    display: flex;
@@ -5939,6 +6443,12 @@ body.cooking-mode-active .app-header {
 }
 .banner-anomaly .alert-banner-title { color: #9a3412; }
 .banner-anomaly .alert-banner-counter .banner-dot.active { background: #ea580c; }
 .alert-banner.banner-dup-loss {
    background: linear-gradient(135deg, #fef2f2 0%, #fecaca 100%);
    border-color: #dc2626;
 }
 .banner-dup-loss .alert-banner-title { color: #991b1b; }
 .banner-dup-loss .alert-banner-counter .banner-dot.active { background: #dc2626; }
 .alert-banner.banner-no-expiry {
    background: linear-gradient(135deg, #f0fdf4 0%, #bbf7d0 100%);
    border-color: #16a34a;
@@ -7838,6 +8348,8 @@ body.cooking-mode-active .app-header {
 [data-theme="dark"] .banner-prediction .alert-banner-counter     { color: #a78bfa; }
 [data-theme="dark"] .alert-banner.banner-anomaly                 { background: #1a1200; border-color: #c2410c; }
 [data-theme="dark"] .banner-anomaly .alert-banner-title          { color: #fdba74; }
 [data-theme="dark"] .alert-banner.banner-dup-loss                { background: #2a0808; border-color: #dc2626; }
 [data-theme="dark"] .banner-dup-loss .alert-banner-title         { color: #fca5a5; }
 [data-theme="dark"] .alert-banner.banner-no-expiry               { background: #0f2a1a; border-color: #166534; }
 [data-theme="dark"] .banner-no-expiry .alert-banner-title        { color: #86efac; }
@@ -7908,6 +8420,18 @@ body.cooking-mode-active .app-header {
 /* ── Recipe components ── */
 [data-theme="dark"] .recipe-expiry-note  { background: #2a1e00; color: #fde68a; }
 [data-theme="dark"] .recipe-nutrition-block { background: #052e16; border-color: #166534; }
 [data-theme="dark"] .recipe-section-heading { color: #4ade80; }
 [data-theme="dark"] .recipe-storage-card .recipe-section-heading { color: #fbbf24; }
 [data-theme="dark"] .recipe-nutrition-value { color: #4ade80; }
 [data-theme="dark"] .recipe-nutrition-label { color: #94a3b8; }
 [data-theme="dark"] .recipe-nutrition-note  { color: #64748b; }
 [data-theme="dark"] .recipe-nutrition-footnote { color: var(--text-muted); }
 [data-theme="dark"] .recipe-storage-card { background: #1c1400; border-color: #78350f; }
 [data-theme="dark"] .recipe-storage-badge { background: #2a1e00; border-color: #92400e; color: #fde68a; }
 [data-theme="dark"] .recipe-storage-days { background: #0c1a2e; border-color: #1d4ed8; color: #93c5fd; }
 [data-theme="dark"] .recipe-storage-now  { background: #2a0a0a; border-color: #b91c1c; color: #fca5a5; }
 [data-theme="dark"] .recipe-storage-tips { color: #fde68a; }
 [data-theme="dark"] .recipe-tools-banner { background: #1a1040; border-color: #3730a3; color: #c4b5fd; }
 [data-theme="dark"] .recipe-tool-chip    { background: #2e1a4a; color: #c4b5fd; }
 [data-theme="dark"] .recipe-step-appliance { background: #052e16; border-color: #166534; color: #4ade80; }
@@ -0,0 +1,77 @@
 /**
 * EverShelf core — API token storage and auth headers.
 */
 const EVERSHELF_TOKEN_KEY = 'evershelf_api_token';
 function getApiToken() {
    return localStorage.getItem(EVERSHELF_TOKEN_KEY) || '';
 }
 function setApiToken(token) {
    const t = (token || '').trim();
    if (t) {
        localStorage.setItem(EVERSHELF_TOKEN_KEY, t);
    } else {
        localStorage.removeItem(EVERSHELF_TOKEN_KEY);
    }
 }
 function apiAuthHeaders() {
    const fromStorage = getApiToken();
    const fromSettingsField = document.getElementById('setting-settings-token')?.value.trim() || '';
    const token = fromSettingsField || fromStorage;
    if (!token) return {};
    return { 'X-API-Token': token };
 }
 /** Fetch API token from server when loading the UI from the same origin. */
 async function ensureApiToken() {
    if (getApiToken()) return true;
    try {
        const res = await fetch('api/index.php?action=app_bootstrap', { cache: 'no-store' });
        if (!res.ok) return false;
        const data = await res.json();
        window._apiTokenRequired = !!data.api_token_required;
        if (data.api_token) {
            setApiToken(data.api_token);
            return true;
        }
    } catch (_) { /* offline / network */ }
    return !!getApiToken();
 }
 function _promptApiTokenIfNeeded() {
    if (!window._apiTokenRequired) return;
    if (getApiToken()) return;
    const existing = document.getElementById('api-token-overlay');
    if (existing) return;
    const title = typeof t === 'function' ? t('startup.token_prompt_title') : '🔒 API Token';
    const hint  = typeof t === 'function' ? t('startup.token_prompt_hint') : 'Enter API_TOKEN from .env';
    const btn   = typeof t === 'function' ? t('startup.token_prompt_btn') : 'Continue';
    const overlay = document.createElement('div');
    overlay.id = 'api-token-overlay';
    overlay.className = 'modal-overlay';
    overlay.style.display = 'flex';
    overlay.innerHTML = `
        <div class="modal-content" style="max-width:420px;padding:20px">
            <h3>${title}</h3>
            <p class="settings-hint">${hint}</p>
            <input type="password" id="api-token-input" class="form-input" placeholder="API token">
            <button class="btn btn-primary full-width mt-2" id="api-token-save">${btn}</button>
        </div>`;
    document.body.appendChild(overlay);
    document.getElementById('api-token-save').onclick = () => {
        const v = document.getElementById('api-token-input').value.trim();
        if (v) {
            setApiToken(v);
            overlay.remove();
            location.reload();
        }
    };
 }
 window.getApiToken = getApiToken;
 window.setApiToken = setApiToken;
 window.apiAuthHeaders = apiAuthHeaders;
 window.ensureApiToken = ensureApiToken;
 window._promptApiTokenIfNeeded = _promptApiTokenIfNeeded;
@@ -0,0 +1,11 @@
 /**
 * EverShelf core — safe HTML escaping (loaded before app.js).
 */
 function escapeHtml(str) {
    if (str == null) return '';
    const div = document.createElement('div');
    div.textContent = String(str);
    return div.innerHTML;
 }
 window.escapeHtml = escapeHtml;
@@ -1,13 +1,19 @@
 #!/bin/bash
 # Daily backup of EverShelf database (local only)
-# The database is NOT pushed to remote repositories.
+# Retention follows BACKUP_RETENTION_DAYS from .env (default 3)
 # Runs via cron: creates a local timestamped backup copy
 #
 # Example crontab entry:
 #   0 3 * * * /var/www/html/evershelf/backup.sh
 set -euo pipefail
 INSTALL_DIR="$(cd "$(dirname "$0")" && pwd)"
 BACKUP_DIR="${INSTALL_DIR}/data/backups"
 ENV_FILE="${INSTALL_DIR}/.env"
 RETENTION=3
 if [ -f "$ENV_FILE" ]; then
    val=$(grep -E '^BACKUP_RETENTION_DAYS=' "$ENV_FILE" | tail -1 | cut -d= -f2)
    if [[ "$val" =~ ^[0-9]+$ ]] && [ "$val" -ge 1 ]; then
        RETENTION="$val"
    fi
 fi
 mkdir -p "$BACKUP_DIR"
@@ -19,5 +25,5 @@ fi
 DATE=$(date '+%Y-%m-%d_%H%M')
 cp "$DB_FILE" "${BACKUP_DIR}/evershelf_${DATE}.db"
-# Keep only the last 7 backups
+# Keep only the newest N backups
-ls -t "${BACKUP_DIR}"/evershelf_*.db 2>/dev/null | tail -n +8 | xargs -r rm --
+ls -t "${BACKUP_DIR}"/evershelf_*.db 2>/dev/null | tail -n +$((RETENTION + 1)) | xargs -r rm --
@@ -0,0 +1,2 @@
 # Deny all direct HTTP access to runtime data (DB, tokens, caches, logs)
 Require all denied
@@ -5,14 +5,21 @@ services:
    ports:
      - "8080:80"
    volumes:
      # Persist database and runtime data
      - evershelf_data:/var/www/html/data
      # Mount your local .env configuration
      - ./.env:/var/www/html/.env:ro
    restart: unless-stopped
    environment:
      - TZ=Europe/Rome
    networks:
      - backend
      - frontend
 volumes:
  evershelf_data:
    driver: local
 networks:
  frontend:
    external: true
  backend:
    external: true
@@ -0,0 +1,38 @@
 # EverShelf — Architecture (modular layout)
 ```
 dispensa/
 ├── api/
 │   ├── bootstrap.php       # Shared init: env, security, DB, logger
 │   ├── index.php           # HTTP handlers + router (split planned per domain)
 │   ├── database.php        # SQLite schema & migrations
 │   ├── logger.php          # Rotating file logger (logs/)
 │   ├── cron_smart_shopping.php  # CLI cron (uses bootstrap + index handlers)
 │   ├── lib/
 │   │   ├── env.php         # .env loader
 │   │   ├── constants.php   # Paths & pricing constants
 │   │   ├── security.php    # API auth, CORS, demo mode, scale allowlist
 │   │   ├── github.php      # Encrypted GitHub Issues token
 │   │   └── cron_log.php    # data/cron.log rotation
 │   └── scale_*.php         # Scale gateway helpers (auth + SSRF guards)
 ├── assets/
 │   ├── js/
 │   │   ├── core/           # auth.js, dom.js (loaded before app.js)
 │   │   └── app.js          # SPA logic (domain modules: future split)
 │   └── vendor/             # Offline CDN fallbacks (quagga, transformers)
 ├── data/                   # Runtime data (.htaccess: deny all)
 ├── logs/                   # Application logs (.htaccess: deny all)
 └── scripts/                # migrate-env-security, fix-permissions, encrypt-gh-token
 ```
 ## Security model
 - **`API_TOKEN`** (or legacy **`SETTINGS_TOKEN`**): when set, every API action requires `X-API-Token` header or `?api_token=` (Home Assistant).
 - Secrets (`HA_TOKEN`, `TTS_TOKEN`, `GEMINI_API_KEY`) stay in `.env`; `get_settings` exposes only `*_set` flags.
 - **`GH_ISSUE_TOKEN_ENC`** + **`GH_ISSUE_TOKEN_KEY`**: AES-256-GCM encrypted GitHub Issues token.
 ## Planned refactors
 1. Split `api/index.php` handlers into `api/handlers/{products,inventory,ai,shopping}.php`
 2. Split `assets/js/app.js` into ES modules under `assets/js/features/`
 3. Optional `npm run build` to minify JS/CSS (see `package.json`)
@@ -11,8 +11,8 @@ android {
        applicationId = "it.dadaloop.evershelf.kiosk"
        minSdk = 24
        targetSdk = 35
-        versionCode = 18
+        versionCode = 20
-        versionName = "1.7.17"
+        versionName = "1.7.19"
    }
    signingConfigs {
@@ -101,6 +101,20 @@ class KioskActivity : AppCompatActivity() {
    // Pending WebView permission request
    private var pendingWebPermission: PermissionRequest? = null
    private fun safeEvalJs(script: String) {
        if (!::webView.isInitialized) return
        if (isFinishing || isDestroyed) return
        if (webView.visibility != View.VISIBLE) return
        runCatching { webView.evaluateJavascript(script, null) }
            .onFailure {
                ErrorReporter.reportMessage(
                    type = "webview-js-bridge-error",
                    message = "Failed to deliver JS callback to WebView",
                    extra = mapOf("error" to (it.message ?: "unknown"))
                )
            }
    }
    companion object {
        private const val FILE_CHOOSER_REQUEST    = 1002
        private const val PERMISSION_REQUEST_CODE = 1003
@@ -150,18 +164,18 @@ class KioskActivity : AppCompatActivity() {
                    override fun onStart(utteranceId: String?) {}
                    override fun onDone(utteranceId: String?) {
                        runOnUiThread {
-                            webView.evaluateJavascript("if(window._kioskTtsDone)window._kioskTtsDone('$utteranceId')", null)
+                            safeEvalJs("if(window._kioskTtsDone)window._kioskTtsDone('$utteranceId')")
                        }
                    }
                    @Deprecated("Deprecated in API 21")
                    override fun onError(utteranceId: String?) {
                        runOnUiThread {
-                            webView.evaluateJavascript("if(window._kioskTtsError)window._kioskTtsError('$utteranceId','error')", null)
+                            safeEvalJs("if(window._kioskTtsError)window._kioskTtsError('$utteranceId','error')")
                        }
                    }
                    override fun onError(utteranceId: String?, errorCode: Int) {
                        runOnUiThread {
-                            webView.evaluateJavascript("if(window._kioskTtsError)window._kioskTtsError('$utteranceId',$errorCode)", null)
+                            safeEvalJs("if(window._kioskTtsError)window._kioskTtsError('$utteranceId',$errorCode)")
                        }
                    }
                })
@@ -629,6 +643,79 @@ class KioskActivity : AppCompatActivity() {
                    webView.evaluateJavascript("$jsCallback($escaped)", null)
                }
            }
            val currentKiosk = try {
                packageManager.getPackageInfo(packageName, 0).versionName ?: ""
            } catch (_: Exception) { "" }
            val installedVc: Long = try {
                val pi = packageManager.getPackageInfo(packageName, 0)
                if (Build.VERSION.SDK_INT >= 28) pi.longVersionCode
                else @Suppress("DEPRECATION") pi.versionCode.toLong()
            } catch (_: Exception) { -1L }
            fun semverNewer(remote: String, local: String): Boolean {
                val r = remote.split(".").map { it.filter(Char::isDigit).toIntOrNull() ?: 0 }
                val l = local.split(".").map  { it.filter(Char::isDigit).toIntOrNull() ?: 0 }
                for (i in 0 until maxOf(r.size, l.size)) {
                    val rv = r.getOrElse(i) { 0 }
                    val lv = l.getOrElse(i) { 0 }
                    if (rv != lv) return rv > lv
                }
                return false
            }
            fun needsUpdate(remoteVersion: String, remoteVc: Long): Boolean = when {
                remoteVc > 0 && installedVc >= 0 -> remoteVc > installedVc
                currentKiosk.isNotEmpty() && remoteVersion.matches(Regex("\\d+\\.\\d+.*")) ->
                    semverNewer(remoteVersion, currentKiosk)
                else -> false
            }
            fun applyUpdate(remoteVersion: String, apkUrl: String) {
                val result = JSONObject()
                    .put("has_update", true)
                    .put("current", currentKiosk)
                    .put("latest", remoteVersion)
                    .put("apk_url", apkUrl)
                notifyJs(result)
                prefs.edit()
                    .putString(KEY_PENDING_UPDATE_VERSION, remoteVersion)
                    .putString(KEY_PENDING_UPDATE_URL, apkUrl)
                    .apply()
                runOnUiThread { showNativeUpdateBanner("🔄 Kiosk $currentKiosk → $remoteVersion", apkUrl) }
            }
            // 1) Prefer LAN/self-hosted update (no GitHub required)
            val baseUrl = (prefs.getString(KEY_URL, "") ?: "").trim().trimEnd('/')
            if (baseUrl.isNotEmpty()) {
                try {
                    val localApi = "$baseUrl/api/index.php?action=kiosk_update"
                    val conn = openTrustedConnection(localApi)
                    conn.connectTimeout = 5000
                    conn.readTimeout = 5000
                    if (conn.responseCode == 200) {
                        val localJson = JSONObject(conn.inputStream.bufferedReader().readText())
                        conn.disconnect()
                        if (localJson.optBoolean("success")) {
                            val remoteVersion = localJson.optString("version", "")
                            val remoteVc = localJson.optLong("version_code", -1L)
                            val apkUrl = localJson.optString("apk_url", "")
                            if (apkUrl.isNotEmpty() && needsUpdate(remoteVersion, remoteVc)) {
                                applyUpdate(remoteVersion, apkUrl)
                                return@Thread
                            }
                            if (!needsUpdate(remoteVersion, remoteVc)) {
                                notifyJs(JSONObject().put("has_update", false).put("source", "local"))
                                prefs.edit().remove(KEY_PENDING_UPDATE_VERSION).remove(KEY_PENDING_UPDATE_URL).apply()
                                return@Thread
                            }
                        }
                    } else conn.disconnect()
                } catch (_: Exception) { /* fall through to GitHub */ }
            }
            // 2) GitHub release fallback (requires internet)
            try {
                val conn = URL(GITHUB_RELEASES_API).openConnection() as java.net.HttpURLConnection
                conn.setRequestProperty("Accept", "application/vnd.github+json")
@@ -643,43 +730,16 @@ class KioskActivity : AppCompatActivity() {
                val body = conn.inputStream.bufferedReader().readText()
                conn.disconnect()
                val json = JSONObject(body)
                val latestTag = json.optString("tag_name", "")
                if (latestTag.isEmpty()) {
                    notifyJs(JSONObject().put("has_update", false).put("error", "no tag"))
                    return@Thread
                }
                val currentKiosk = try {
                    packageManager.getPackageInfo(packageName, 0).versionName ?: ""
                } catch (_: Exception) { "" }
                // The kiosk-latest release uses a non-semver tag ("kiosk-latest").
                // Extract the actual kiosk version from the release body text.
                // Body format: "Alias automatico → kiosk-X.Y.Z" or just "kiosk-X.Y.Z".
                // Fall back to stripping the tag prefix if body parsing fails.
                val bodyText = json.optString("body", "")
                val norm = { v: String -> v.replace(Regex("^[^0-9]*"), "") }
                val remoteKioskVersion = Regex("""kiosk-v?(\d+\.\d+(?:\.\d+)?)""")
                    .find(bodyText)?.groupValues?.get(1)
                    ?.takeIf { it.isNotEmpty() }
-                    ?: norm(latestTag)
+                    ?: norm(json.optString("tag_name", ""))
-                // Compare semver: returns true if `remote` is strictly greater than `local`
+                val remoteVc = Regex("""versionCode[=:\s(]+(\d+)""", RegexOption.IGNORE_CASE)
-                fun semverNewer(remote: String, local: String): Boolean {
+                    .find(bodyText)?.groupValues?.get(1)?.toLongOrNull() ?: -1L
                    val r = remote.split(".").map { it.filter(Char::isDigit).toIntOrNull() ?: 0 }
                    val l = local.split(".").map  { it.filter(Char::isDigit).toIntOrNull() ?: 0 }
                    val len = maxOf(r.size, l.size)
                    for (i in 0 until len) {
                        val rv = r.getOrElse(i) { 0 }
                        val lv = l.getOrElse(i) { 0 }
                        if (rv != lv) return rv > lv
                    }
                    return false
                }
                val isSemver = remoteKioskVersion.matches(Regex("\\d+\\.\\d+.*"))
                // Get APK URL from assets; fall back to the hardcoded KIOSK_DOWNLOAD_URL
                val assets = json.optJSONArray("assets")
                var kioskApkUrl = ""
                if (assets != null) {
@@ -693,38 +753,35 @@ class KioskActivity : AppCompatActivity() {
                }
                if (kioskApkUrl.isEmpty()) kioskApkUrl = KIOSK_DOWNLOAD_URL
-                // Only flag an update when the remote version is parseable as semver AND
+                if (!needsUpdate(remoteKioskVersion, remoteVc)) {
-                // strictly greater than the installed version.
+                    notifyJs(JSONObject().put("has_update", false))
                val kioskNeedsUpdate = currentKiosk.isNotEmpty() && isSemver &&
                    semverNewer(remoteKioskVersion, currentKiosk)
                val result = JSONObject()
                    .put("has_update", kioskNeedsUpdate)
                    .put("current",    currentKiosk)
                    .put("latest",     remoteKioskVersion)
                    .put("apk_url",    kioskApkUrl)
                notifyJs(result)
                if (!kioskNeedsUpdate) {
                    // Clear any stale pending update if the current version is now up to date
                    prefs.edit().remove(KEY_PENDING_UPDATE_VERSION).remove(KEY_PENDING_UPDATE_URL).apply()
                    return@Thread
                }
-
+                applyUpdate(remoteKioskVersion, kioskApkUrl)
                // Persist the pending update so the banner reappears after a crash/restart
                prefs.edit()
                    .putString(KEY_PENDING_UPDATE_VERSION, remoteKioskVersion)
                    .putString(KEY_PENDING_UPDATE_URL, kioskApkUrl)
                    .apply()
                runOnUiThread { showNativeUpdateBanner("🔄 Kiosk $currentKiosk → $remoteKioskVersion", kioskApkUrl) }
            } catch (e: Exception) {
                notifyJs(JSONObject().put("has_update", false).put("error", e.message ?: "network error"))
            }
        }.start()
    }
    /** HTTPS with self-signed cert support (LAN servers). */
    private fun openTrustedConnection(urlStr: String): java.net.HttpURLConnection {
        val conn = URL(urlStr).openConnection()
        if (conn is javax.net.ssl.HttpsURLConnection) {
            val trustAll = arrayOf<javax.net.ssl.TrustManager>(object : javax.net.ssl.X509TrustManager {
                override fun checkClientTrusted(c: Array<java.security.cert.X509Certificate>?, t: String?) {}
                override fun checkServerTrusted(c: Array<java.security.cert.X509Certificate>?, t: String?) {}
                override fun getAcceptedIssuers(): Array<java.security.cert.X509Certificate> = arrayOf()
            })
            val sc = javax.net.ssl.SSLContext.getInstance("TLS")
            sc.init(null, trustAll, java.security.SecureRandom())
            conn.sslSocketFactory = sc.socketFactory
            conn.hostnameVerifier = javax.net.ssl.HostnameVerifier { _, _ -> true }
        }
        return conn as java.net.HttpURLConnection
    }
    /**
     * On resume: if a previous session detected an available update and saved it to prefs,
     * restore the update banner immediately without a network round-trip.
@@ -540,6 +540,11 @@ class SetupActivity : AppCompatActivity() {
        // Cancel auto-discover when leaving server step
        if (step != 3) discoverCancelled.set(true)
        // Auto-discover when entering server step (empty URL only)
        if (step == 3 && urlEdit.text.toString().trim().isEmpty()) {
            autoDiscover()
        }
        // Scroll to top
        try { findViewById<ScrollView>(R.id.setupScrollView).scrollTo(0, 0) } catch (_: Exception) {}
    }
@@ -697,6 +702,58 @@ class SetupActivity : AppCompatActivity() {
        })
    }
    private fun normalizeDiscoveredBase(urlStr: String): String {
        var base = urlStr.substringBefore("/api/")
        if (base.endsWith(":443")) base = base.removeSuffix(":443")
        if (base.endsWith(":80"))  base = base.removeSuffix(":80")
        return if (base.endsWith("/")) base else "$base/"
    }
    private fun probeEverShelfEndpoint(urlStr: String): String? {
        return try {
            val conn = openConn(urlStr) ?: return null
            val code = conn.responseCode
            if (code !in 200..399) {
                conn.disconnect()
                return null
            }
            val body = conn.inputStream.bufferedReader().readText()
            conn.disconnect()
            if (body.contains("gemini_key_set") || body.contains("\"success\"") || body.contains("\"ok\"")) {
                normalizeDiscoveredBase(urlStr)
            } else null
        } catch (_: Exception) {
            null
        }
    }
    private fun probeEverShelfHost(ip: String, port: Int): String? {
        val reachable = try {
            Socket().use { s -> s.connect(InetSocketAddress(ip, port), 800); true }
        } catch (_: Exception) {
            false
        }
        if (!reachable) return null
        val scheme = if (port == 443 || port == 8443) "https" else "http"
        val portInUrl = when {
            scheme == "https" && port == 443  -> ""
            scheme == "http"  && port == 80   -> ""
            else -> ":$port"
        }
        val paths = listOf(
            "/dispensa/api/index.php?action=ping",
            "/api/index.php?action=ping",
            "/dispensa/api/index.php?action=get_settings",
            "/api/index.php?action=get_settings",
            "/evershelf/api/index.php?action=get_settings",
        )
        for (path in paths) {
            probeEverShelfEndpoint("$scheme://$ip$portInUrl$path")?.let { return it }
        }
        return null
    }
    private fun openConn(urlStr: String): HttpURLConnection? {
        return try {
            val conn = URL(urlStr).openConnection()
@@ -772,9 +829,52 @@ class SetupActivity : AppCompatActivity() {
            runOnUiThread { discoverStatus.text = "📡  $detectedLabel" }
            val ports = listOf(443, 80, 8080, 8443)
            // ── 1b. Fast path: likely hosts on Wi-Fi subnet (incl. .128) before full sweep ─
            val priorityIps = linkedSetOf<String>()
            try {
                val ifaces = NetworkInterface.getNetworkInterfaces()
                while (ifaces != null && ifaces.hasMoreElements()) {
                    val intf = ifaces.nextElement()
                    if (!intf.isUp || intf.isLoopback) continue
                    for (addr in intf.interfaceAddresses) {
                        val ip = addr.address
                        if (ip is java.net.Inet4Address && !ip.isLoopbackAddress) {
                            priorityIps.add(ip.hostAddress ?: continue)
                        }
                    }
                }
            } catch (_: Exception) {}
            for (subnet in wifiSubnets.ifEmpty { subnets.take(1) }) {
                for (last in listOf(1, 128, 100, 10, 50, 254)) {
                    priorityIps.add("$subnet.$last")
                }
            }
            runOnUiThread { discoverStatus.text = "🔍  ${getString(R.string.setup_discovering_detail)}" }
            for (ip in priorityIps) {
                if (discoverCancelled.get()) break
                for (port in ports) {
                    val hit = probeEverShelfHost(ip, port)
                    if (hit != null) {
                        runOnUiThread {
                            urlEdit.setText(hit)
                            discoverStatus.text = "✅ ${getString(R.string.setup_server_found)}: $hit"
                            discoverStatus.setTextColor(0xFF34d399.toInt())
                            showUrlStatus("✅ ${getString(R.string.setup_server_found)}", true)
                            btnDiscover.isEnabled = true
                            btnDiscover.text = getString(R.string.setup_discover_btn)
                        }
                        return@Thread
                    }
                }
            }
            val paths = listOf(
-                "/api/index.php?action=get_settings",
+                "/dispensa/api/index.php?action=ping",
                "/api/index.php?action=ping",
                "/dispensa/api/index.php?action=get_settings",
                "/api/index.php?action=get_settings",
                "/evershelf/api/index.php?action=get_settings",
            )
@@ -819,30 +919,24 @@ class SetupActivity : AppCompatActivity() {
                    // Full HTTP probe on reachable host
                    val scheme = if (port == 443 || port == 8443) "https" else "http"
                    val portInUrl = when {
                        scheme == "https" && port == 443  -> ""
                        scheme == "http"  && port == 80   -> ""
                        else -> ":$port"
                    }
                    for (path in paths) {
                        if (discoverCancelled.get() || found.get()) break
-                        val urlStr = "$scheme://$ip:$port$path"
+                        probeEverShelfEndpoint("$scheme://$ip$portInUrl$path")?.let { return@submit it }
                        try {
                            val conn = openConn(urlStr) ?: continue
                            val code = conn.responseCode
                            if (code in 200..399) {
                                val body = conn.inputStream.bufferedReader().readText()
                                conn.disconnect()
                                if (body.contains("gemini_key_set") || body.contains("\"success\"")) {
                                    return@submit urlStr.substringBefore("/api/") + "/"
                                }
                            } else conn.disconnect()
                        } catch (_: Exception) {}
                    }
                    null
                }
            }
-            // ── 3. Collect results as they complete (not in submission order) ────
+            // ── 3. Collect results until all tasks finish or a server is found ────
            var result: String? = null
            var collected = 0
-            while (collected < total && !discoverCancelled.get()) {
+            while (collected < total && !discoverCancelled.get() && result == null) {
-                val future = cs.poll(3, TimeUnit.SECONDS) ?: break
+                val future = cs.poll(500, TimeUnit.MILLISECONDS) ?: continue
                collected++
                val r = try { future.get() } catch (_: Exception) { null }
                if (r != null && found.compareAndSet(false, true)) {
@@ -1101,9 +1195,9 @@ class SetupActivity : AppCompatActivity() {
                            val lanIp = getDeviceLanIp() ?: "127.0.0.1"
                            append(",\"scale_enabled\":true,\"scale_gateway_url\":\"ws://$lanIp:8765\"")
                        }
-                        if (geminiKey.isNotEmpty())    append(",\"gemini_api_key\":\"${geminiKey.replace("\"", "\\\"\")}\"")
+                        if (geminiKey.isNotEmpty())    append(",\"gemini_api_key\":\"${geminiKey.replace("\"", "\\\"")}\"")
-                        if (bringEmail.isNotEmpty())   append(",\"bring_email\":\"${bringEmail.replace("\"", "\\\"\")}\"")
+                        if (bringEmail.isNotEmpty())   append(",\"bring_email\":\"${bringEmail.replace("\"", "\\\"")}\"")
-                        if (bringPassword.isNotEmpty()) append(",\"bring_password\":\"${bringPassword.replace("\"", "\\\"\")}\"")
+                        if (bringPassword.isNotEmpty()) append(",\"bring_password\":\"${bringPassword.replace("\"", "\\\"")}\"")
                        append("}")
                    }
                    val conn = (java.net.URL(url).openConnection() as java.net.HttpURLConnection).apply {
@@ -49,7 +49,7 @@
    <string name="install_error_download">Download fehlgeschlagen</string>
    <string name="install_error_download_detail">Verbindung prüfen und erneut versuchen.</string>
    <string name="install_error_install">Installation fehlgeschlagen</string>
-    <string name="install_perm_detail">Aktiviere 'Unbekannte Apps installieren' in den Einstellungen, dann komm zurück.</string>
+    <string name="install_perm_detail">Aktiviere \'Unbekannte Apps installieren\' in den Einstellungen, dann komm zurück.</string>
    <string name="install_btn_retry">↩  Nochmal versuchen</string>
    <string name="btn_back">Zurück</string>
    <string name="btn_launch">🚀  EverShelf starten</string>
@@ -72,15 +72,11 @@
    <string name="setup_zerowaste_toggle_label">Zero-Waste-Tipps</string>
    <string name="setup_zerowaste_toggle_hint">Beim Kochen Tipps zur Wiederverwendung von Resten anzeigen (Schalen, Kochwasser usw.).</string>
    <string name="setup_gemini_title">Google Gemini AI</string>
-    <string name="setup_gemini_desc">EverShelf nutzt Google Gemini AI für Rezeptvorschläge, smarte Einkaufsschätzungen und mehr.
+    <string name="setup_gemini_desc">EverShelf nutzt Google Gemini AI für Rezeptvorschläge, smarte Einkaufsschätzungen und mehr.\n\nZum Aktivieren den kostenlosen Gemini API-Schlüssel eingeben.</string>
-
+    <string name="setup_gemini_how">Kostenlosen Schlüssel unter: aistudio.google.com → \"API-Schlüssel erhalten\"</string>
 Zum Aktivieren den kostenlosen Gemini API-Schlüssel eingeben.</string>
    <string name="setup_gemini_how">Kostenlosen Schlüssel unter: aistudio.google.com → "API-Schlüssel erhalten"</string>
    <string name="setup_gemini_hint">API-Schlüssel einfügen (beginnt mit AIza…)</string>
    <string name="setup_bring_title">Bring! Einkaufsliste</string>
-    <string name="setup_bring_desc">EverShelf kann die Einkaufsliste mit der Bring!-App synchronisieren.
+    <string name="setup_bring_desc">EverShelf kann die Einkaufsliste mit der Bring!-App synchronisieren.\n\nBring!-Zugangsdaten eingeben, um die Integration zu aktivieren.</string>
 Bring!-Zugangsdaten eingeben, um die Integration zu aktivieren.</string>
    <string name="setup_bring_email_hint">Bring!-E-Mail-Adresse</string>
    <string name="setup_bring_pass_hint">Bring!-Passwort</string>
    <string name="setup_done_title">Alles bereit!</string>
@@ -49,7 +49,7 @@
    <string name="install_error_download">Descarga fallida</string>
    <string name="install_error_download_detail">Comprueba la conexión e inténtalo de nuevo.</string>
    <string name="install_error_install">Instalación fallida</string>
-    <string name="install_perm_detail">Habilita 'Instalar apps desconocidas' en los ajustes y vuelve aquí.</string>
+    <string name="install_perm_detail">Habilita \'Instalar apps desconocidas\' en los ajustes y vuelve aquí.</string>
    <string name="install_btn_retry">↩  Reintentar</string>
    <string name="btn_back">Atrás</string>
    <string name="btn_launch">🚀  Iniciar EverShelf</string>
@@ -72,15 +72,11 @@
    <string name="setup_zerowaste_toggle_label">Consejos zero-waste</string>
    <string name="setup_zerowaste_toggle_hint">Muestra consejos para reutilizar restos (cáscaras, agua de cocción, etc.) al cocinar.</string>
    <string name="setup_gemini_title">Google Gemini AI</string>
-    <string name="setup_gemini_desc">EverShelf usa Google Gemini AI para sugerencias de recetas, estimaciones inteligentes de la compra y más.
+    <string name="setup_gemini_desc">EverShelf usa Google Gemini AI para sugerencias de recetas, estimaciones inteligentes de la compra y más.\n\nPara activarla, introduce tu clave API de Gemini gratuita.</string>
-
+    <string name="setup_gemini_how">Obtén tu clave gratuita en: aistudio.google.com → \"Obtener clave API\"</string>
 Para activarla, introduce tu clave API de Gemini gratuita.</string>
    <string name="setup_gemini_how">Obtén tu clave gratuita en: aistudio.google.com → "Obtener clave API"</string>
    <string name="setup_gemini_hint">Pega la clave API aquí (empieza por AIza…)</string>
    <string name="setup_bring_title">Bring! Lista de la compra</string>
-    <string name="setup_bring_desc">EverShelf puede sincronizar tu lista de la compra con la app Bring!.
+    <string name="setup_bring_desc">EverShelf puede sincronizar tu lista de la compra con la app Bring!.\n\nIntroduce tus credenciales de Bring! para activar la integración.</string>
 Introduce tus credenciales de Bring! para activar la integración.</string>
    <string name="setup_bring_email_hint">Correo electrónico de Bring!</string>
    <string name="setup_bring_pass_hint">Contraseña de Bring!</string>
    <string name="setup_done_title">¡Todo listo!</string>
@@ -1,18 +1,18 @@
 <?xml version="1.0" encoding="utf-8"?>
 <resources>
    <string name="app_name">EverShelf Kiosk</string>
-    <string name="setup_enter_url">Veuillez d'abord saisir une URL</string>
+    <string name="setup_enter_url">Veuillez d\'abord saisir une URL</string>
    <string name="setup_testing">Test de connexion…</string>
    <string name="setup_server_found">Serveur EverShelf trouvé et API active !</string>
    <string name="setup_api_not_found">Serveur accessible mais API EverShelf introuvable. Vérifiez le chemin.</string>
-    <string name="setup_unreachable">Impossible d'atteindre le serveur</string>
+    <string name="setup_unreachable">Impossible d\'atteindre le serveur</string>
    <string name="setup_discover_btn">🔍  Rechercher sur le réseau local</string>
    <string name="setup_perms_granted_next">✅ Permissions accordées — Continuer →</string>
    <string name="setup_discovering">Analyse en cours…</string>
    <string name="setup_discovering_detail">Recherche de serveurs EverShelf sur le réseau local…</string>
-    <string name="setup_discover_not_found">Aucun serveur EverShelf trouvé automatiquement. Entrez l'URL manuellement.</string>
+    <string name="setup_discover_not_found">Aucun serveur EverShelf trouvé automatiquement. Entrez l\'URL manuellement.</string>
    <string name="setup_exit_title">Quitter la configuration ?</string>
-    <string name="setup_exit_message">Vous pouvez terminer la configuration plus tard en rouvrant l'app.</string>
+    <string name="setup_exit_message">Vous pouvez terminer la configuration plus tard en rouvrant l\'app.</string>
    <string name="setup_exit_confirm">Quitter</string>
    <string name="setup_exit_cancel">Continuer</string>
    <string name="setup_step_back">← Retour</string>
@@ -22,20 +22,20 @@
    <string name="wizard_step3_title">Balance intelligente</string>
    <string name="wizard_step3_description">EverShelf Kiosk inclut une passerelle Bluetooth intégrée — aucune app externe nécessaire. Sélectionnez votre balance ci-dessous.</string>
    <string name="wizard_step3_question">Avez-vous une balance intelligente Bluetooth ?</string>
-    <string name="wizard_step3_yes">✅  Oui, j'ai une balance</string>
+    <string name="wizard_step3_yes">✅  Oui, j\'ai une balance</string>
    <string name="wizard_step3_no">➡️  Non, ignorer cette étape</string>
    <string name="ble_scanning">🔍 Scan en cours…</string>
    <string name="ble_connected">Connecté ! Posez un objet sur la balance…</string>
    <string name="ble_disconnected">Connexion perdue. Réessayer.</string>
-    <string name="ble_no_scale_found">Aucune balance trouvée. Vérifiez qu'elle est allumée et à proximité, puis réessayez.</string>
+    <string name="ble_no_scale_found">Aucune balance trouvée. Vérifiez qu\'elle est allumée et à proximité, puis réessayez.</string>
    <string name="ble_select_from_list">Sélectionnez votre balance dans la liste.</string>
    <string name="ble_not_confirmed">Balance non confirmée. Relancer le scan.</string>
    <string name="ble_scan_again">🔄  Scanner à nouveau</string>
-    <string name="ble_weight_received">Poids reçu — correspond-il à l'affichage de la balance ?</string>
+    <string name="ble_weight_received">Poids reçu — correspond-il à l\'affichage de la balance ?</string>
    <string name="wizard_gateway_installed">Balance enregistrée ✅</string>
    <string name="wizard_gateway_installed_detail">La passerelle BLE intégrée se connectera automatiquement au démarrage.</string>
    <string name="wizard_gateway_not_installed">Aucune balance sélectionnée</string>
-    <string name="wizard_gateway_not_installed_detail">Scannez les balances BLE à proximité et appuyez sur l'une d'elles pour la sélectionner.</string>
+    <string name="wizard_gateway_not_installed_detail">Scannez les balances BLE à proximité et appuyez sur l\'une d\'elles pour la sélectionner.</string>
    <string name="wizard_gateway_checking">Scan des balances BLE en cours…</string>
    <string name="wizard_gateway_up_to_date">Service BLE de la balance prêt.</string>
    <string name="wizard_gateway_update_available">Balance BLE trouvée</string>
@@ -43,13 +43,13 @@
    <string name="install_downloading">Téléchargement en cours…</string>
    <string name="install_downloading_detail">Veuillez patienter, le fichier est en cours de téléchargement.</string>
    <string name="install_installing">Installation en cours…</string>
-    <string name="install_confirm_detail">Confirmez l'installation dans la boîte de dialogue ouverte.</string>
+    <string name="install_confirm_detail">Confirmez l\'installation dans la boîte de dialogue ouverte.</string>
    <string name="install_success">Installé avec succès !</string>
-    <string name="install_success_detail">L'app a été mise à jour.</string>
+    <string name="install_success_detail">L\'app a été mise à jour.</string>
    <string name="install_error_download">Téléchargement échoué</string>
    <string name="install_error_download_detail">Vérifiez la connexion et réessayez.</string>
    <string name="install_error_install">Installation échouée</string>
-    <string name="install_perm_detail">Activez 'Installer des apps inconnues' dans les paramètres, puis revenez ici.</string>
+    <string name="install_perm_detail">Activez \'Installer des apps inconnues\' dans les paramètres, puis revenez ici.</string>
    <string name="install_btn_retry">↩  Réessayer</string>
    <string name="btn_back">Retour</string>
    <string name="btn_launch">🚀  Lancer EverShelf</string>
@@ -58,13 +58,13 @@
    <string name="btn_update_gateway">📥  Mettre à jour Scale Gateway</string>
    <string name="wizard_server_checking">Vérification de la connexion au serveur…</string>
    <string name="wizard_server_ok">Serveur accessible ✅</string>
-    <string name="wizard_server_ok_detail">Rapport d'erreurs actif — les échecs d'installation seront envoyés automatiquement aux GitHub Issues.</string>
+    <string name="wizard_server_ok_detail">Rapport d\'erreurs actif — les échecs d\'installation seront envoyés automatiquement aux GitHub Issues.</string>
    <string name="wizard_server_error">Serveur inaccessible ⚠️</string>
-    <string name="wizard_server_error_detail">Les erreurs n'atteindront pas GitHub Issues. Vérifiez l'URL saisie à l'étape 2.</string>
+    <string name="wizard_server_error_detail">Les erreurs n\'atteindront pas GitHub Issues. Vérifiez l\'URL saisie à l\'étape 2.</string>
    <string name="setup_features_title">Fonctionnalités</string>
    <string name="setup_features_desc">Activez les fonctions que vous souhaitez utiliser. Vous pourrez les modifier plus tard dans les paramètres du serveur.</string>
    <string name="setup_screensaver_toggle_label">Horloge écran de veille</string>
-    <string name="setup_screensaver_toggle_hint">Affiche une horloge après 5 min d'inactivité.</string>
+    <string name="setup_screensaver_toggle_hint">Affiche une horloge après 5 min d\'inactivité.</string>
    <string name="setup_prices_toggle_label">Prix liste de courses</string>
    <string name="setup_prices_toggle_hint">Estimation automatique du coût de chaque article via IA.</string>
    <string name="setup_mealplan_toggle_label">Plan de repas</string>
@@ -72,15 +72,11 @@
    <string name="setup_zerowaste_toggle_label">Conseils zéro déchet</string>
    <string name="setup_zerowaste_toggle_hint">Affiche des conseils pour réutiliser les restes (peaux, eau de cuisson, etc.) pendant la cuisson.</string>
    <string name="setup_gemini_title">Google Gemini AI</string>
-    <string name="setup_gemini_desc">EverShelf utilise Google Gemini AI pour les suggestions de recettes, les estimations intelligentes des courses et plus encore.
+    <string name="setup_gemini_desc">EverShelf utilise Google Gemini AI pour les suggestions de recettes, les estimations intelligentes des courses et plus encore.\n\nPour l\'activer, entrez votre clé API Gemini gratuite.</string>
-
+    <string name="setup_gemini_how">Obtenez votre clé gratuite sur : aistudio.google.com → \"Obtenir une clé API\"</string>
 Pour l'activer, entrez votre clé API Gemini gratuite.</string>
    <string name="setup_gemini_how">Obtenez votre clé gratuite sur : aistudio.google.com → "Obtenir une clé API"</string>
    <string name="setup_gemini_hint">Collez la clé API ici (commence par AIza…)</string>
    <string name="setup_bring_title">Bring! Liste de courses</string>
-    <string name="setup_bring_desc">EverShelf peut synchroniser votre liste de courses avec l'app Bring!.
+    <string name="setup_bring_desc">EverShelf peut synchroniser votre liste de courses avec l\'app Bring!.\n\nEntrez vos identifiants Bring! pour activer l\'intégration.</string>
 Entrez vos identifiants Bring! pour activer l'intégration.</string>
    <string name="setup_bring_email_hint">Adresse e-mail Bring!</string>
    <string name="setup_bring_pass_hint">Mot de passe Bring!</string>
    <string name="setup_done_title">Tout est prêt !</string>
@@ -10,9 +10,9 @@
    <string name="setup_perms_granted_next">✅ Permessi concessi — Continua →</string>
    <string name="setup_discovering">Scansione in corso…</string>
    <string name="setup_discovering_detail">Ricerca server EverShelf nella rete locale…</string>
-    <string name="setup_discover_not_found">Nessun server EverShelf trovato automaticamente. Inserisci l'URL manualmente.</string>
+    <string name="setup_discover_not_found">Nessun server EverShelf trovato automaticamente. Inserisci l\'URL manualmente.</string>
    <string name="setup_exit_title">Uscire dalla configurazione?</string>
-    <string name="setup_exit_message">Puoi completare la configurazione più tardi riaprendo l'app.</string>
+    <string name="setup_exit_message">Puoi completare la configurazione più tardi riaprendo l\'app.</string>
    <string name="setup_exit_confirm">Esci</string>
    <string name="setup_exit_cancel">Continua</string>
    <string name="setup_step_back">← Indietro</string>
@@ -28,28 +28,28 @@
    <string name="ble_connected">Connesso! Posiziona un oggetto sulla bilancia…</string>
    <string name="ble_disconnected">Connessione persa. Riprova.</string>
    <string name="ble_no_scale_found">Nessuna bilancia trovata. Assicurati che sia accesa e vicina, poi riprova.</string>
-    <string name="ble_select_from_list">Seleziona la tua bilancia dall'elenco.</string>
+    <string name="ble_select_from_list">Seleziona la tua bilancia dall\'elenco.</string>
    <string name="ble_not_confirmed">Bilancia non confermata. Riprova la scansione.</string>
    <string name="ble_scan_again">🔄  Scansiona di nuovo</string>
    <string name="ble_weight_received">Peso ricevuto — coincide con quello sulla bilancia?</string>
    <string name="wizard_gateway_installed">Bilancia salvata ✅</string>
-    <string name="wizard_gateway_installed_detail">Il gateway BLE integrato si collegherà automaticamente all'avvio.</string>
+    <string name="wizard_gateway_installed_detail">Il gateway BLE integrato si collegherà automaticamente all\'avvio.</string>
    <string name="wizard_gateway_not_installed">Nessuna bilancia selezionata</string>
    <string name="wizard_gateway_not_installed_detail">Scansiona le bilance BLE nelle vicinanze e tocca una per selezionarla.</string>
    <string name="wizard_gateway_checking">Scansione bilance BLE in corso…</string>
    <string name="wizard_gateway_up_to_date">Servizio BLE bilancia pronto.</string>
    <string name="wizard_gateway_update_available">Bilancia BLE trovata</string>
-    <string name="wizard_gateway_update_detail">Tocca la bilancia nell'elenco per connettersi.</string>
+    <string name="wizard_gateway_update_detail">Tocca la bilancia nell\'elenco per connettersi.</string>
    <string name="install_downloading">Scaricamento in corso…</string>
    <string name="install_downloading_detail">Attendi, il file viene scaricato.</string>
    <string name="install_installing">Installazione in corso…</string>
-    <string name="install_confirm_detail">Conferma l'installazione nel dialog che si è aperto.</string>
+    <string name="install_confirm_detail">Conferma l\'installazione nel dialog che si è aperto.</string>
    <string name="install_success">Installato con successo!</string>
-    <string name="install_success_detail">L'app è stata aggiornata.</string>
+    <string name="install_success_detail">L\'app è stata aggiornata.</string>
    <string name="install_error_download">Download fallito</string>
    <string name="install_error_download_detail">Controlla la connessione e riprova.</string>
    <string name="install_error_install">Installazione fallita</string>
-    <string name="install_perm_detail">Abilita 'Installa app sconosciute' nelle impostazioni, poi torna qui.</string>
+    <string name="install_perm_detail">Abilita \'Installa app sconosciute\' nelle impostazioni, poi torna qui.</string>
    <string name="install_btn_retry">↩  Riprova</string>
    <string name="btn_back">Indietro</string>
    <string name="btn_launch">🚀  Avvia EverShelf</string>
@@ -60,11 +60,11 @@
    <string name="wizard_server_ok">Server raggiungibile ✅</string>
    <string name="wizard_server_ok_detail">Segnalazione errori attiva — i problemi di installazione vengono inviati automaticamente alle GitHub Issues.</string>
    <string name="wizard_server_error">Server non raggiungibile ⚠️</string>
-    <string name="wizard_server_error_detail">Gli errori non raggiungeranno GitHub Issues. Verifica l'URL inserito al passaggio 2.</string>
+    <string name="wizard_server_error_detail">Gli errori non raggiungeranno GitHub Issues. Verifica l\'URL inserito al passaggio 2.</string>
    <string name="setup_features_title">Funzionalità</string>
    <string name="setup_features_desc">Attiva le funzioni che vuoi usare. Puoi sempre cambiarle in seguito dalle impostazioni del server.</string>
    <string name="setup_screensaver_toggle_label">Salvaschermo orologio</string>
-    <string name="setup_screensaver_toggle_hint">Mostra l'overlay orologio dopo 5 min di inattività.</string>
+    <string name="setup_screensaver_toggle_hint">Mostra l\'overlay orologio dopo 5 min di inattività.</string>
    <string name="setup_prices_toggle_label">Prezzi lista spesa</string>
    <string name="setup_prices_toggle_hint">Stima automatica del costo di ogni articolo in lista tramite AI.</string>
    <string name="setup_mealplan_toggle_label">Piano pasti</string>
@@ -72,15 +72,11 @@
    <string name="setup_zerowaste_toggle_label">Suggerimenti zero-waste</string>
    <string name="setup_zerowaste_toggle_hint">Durante la cottura mostra consigli per riutilizzare scarti (bucce, acqua di cottura, ecc.).</string>
    <string name="setup_gemini_title">Google Gemini AI</string>
-    <string name="setup_gemini_desc">EverShelf usa Google Gemini AI per suggerimenti di ricette, stime intelligenti della spesa e altro ancora.
+    <string name="setup_gemini_desc">EverShelf usa Google Gemini AI per suggerimenti di ricette, stime intelligenti della spesa e altro ancora.\n\nPer abilitarla, inserisci la tua chiave API Gemini gratuita.</string>
-
+    <string name="setup_gemini_how">Ottieni la chiave gratuita su: aistudio.google.com → \"Ottieni chiave API\"</string>
 Per abilitarla, inserisci la tua chiave API Gemini gratuita.</string>
    <string name="setup_gemini_how">Ottieni la chiave gratuita su: aistudio.google.com → "Ottieni chiave API"</string>
    <string name="setup_gemini_hint">Incolla la chiave API (inizia con AIza…)</string>
    <string name="setup_bring_title">Bring! Lista della spesa</string>
-    <string name="setup_bring_desc">EverShelf può sincronizzare la lista della spesa con l'app Bring!.
+    <string name="setup_bring_desc">EverShelf può sincronizzare la lista della spesa con l\'app Bring!.\n\nInserisci le credenziali del tuo account Bring! per abilitare l\'integrazione.</string>
 Inserisci le credenziali del tuo account Bring! per abilitare l'integrazione.</string>
    <string name="setup_bring_email_hint">Email Bring!</string>
    <string name="setup_bring_pass_hint">Password Bring!</string>
    <string name="setup_done_title">Tutto pronto!</string>
@@ -11,9 +11,23 @@
    <title>EverShelf</title>
    <link rel="manifest" href="manifest.json">
    <link rel="icon" type="image/png" href="assets/img/logo/logo_icon.png">
-    <link rel="stylesheet" href="assets/css/style.css?v=20260517a">
+    <link rel="stylesheet" href="assets/css/style.css?v=20260606m">
-    <!-- QuaggaJS for barcode scanning -->
+    <!-- Core modules (auth, DOM helpers) -->
-    <script src="https://cdn.jsdelivr.net/npm/@ericblade/quagga2@1.8.4/dist/quagga.min.js"></script>
+    <script src="assets/js/core/dom.js?v=20260603a"></script>
    <script src="assets/js/core/auth.js?v=20260603b"></script>
    <!-- ZBar WASM — lazy on kiosk WebView (OOM); eager elsewhere -->
    <script>
    (function () {
        var kioskWv = /; wv\)/.test(navigator.userAgent);
        if (kioskWv) return;
        document.write('<script src="assets/vendor/zbar/index.js?v=20260606a"><\/script>');
        document.write('<script>if(window.zbarWasm&&zbarWasm.setModuleArgs){zbarWasm.setModuleArgs({locateFile:function(f){return"assets/vendor/zbar/"+f}});}<\/script>');
        document.write('<script src="assets/vendor/zbar/polyfill.js?v=20260606a"><\/script>');
    })();
    </script>
    <!-- QuaggaJS — legacy last-resort only -->
    <script src="assets/vendor/quagga/quagga.min.js?v=20260603a"></script>
    <script>if(typeof Quagga==='undefined'){document.write('<script src="https://cdn.jsdelivr.net/npm/@ericblade/quagga2@1.8.4/dist/quagga.min.js"><\\/script>');}</script>
    <!-- @xenova/transformers: ES-module bootstrap that exposes a lazy category-classifier as window._categoryPipelinePromise -->
    <script type="module">
        // Lazy-load the embedding pipeline only when first needed.
@@ -25,11 +39,27 @@
            if (window._categoryPipelinePromise) return window._categoryPipelinePromise;
            window._categoryPipelinePromise = (async () => {
                try {
-                    const { pipeline, env } = await import(
+                    const localBase = 'assets/vendor/transformers/';
-                        'https://cdn.jsdelivr.net/npm/@xenova/transformers@2/src/transformers.min.js'
+                    const cdnBase = 'https://cdn.jsdelivr.net/npm/@xenova/transformers@2.17.2/dist/';
-                    );
+                    const modelProbe = localBase + 'Xenova/all-MiniLM-L6-v2/tokenizer.json';
-                    // Keep WASM/model files in the browser cache; disable remote model check
+                    let pipeline, env;
-                    // to avoid CORS issues with the self-hosted instance.
+                    try {
                        ({ pipeline, env } = await import(localBase + 'transformers.min.js'));
                    } catch (_) {
                        ({ pipeline, env } = await import(cdnBase + 'transformers.min.js'));
                    }
                    // Use bundled model files when present; otherwise HuggingFace CDN (no 404 spam)
                    let localModels = false;
                    try {
                        const r = await fetch(modelProbe, { method: 'HEAD' });
                        localModels = r.ok;
                    } catch (_) {}
                    if (localModels) {
                        env.localModelPath = localBase;
                        env.allowLocalModels = true;
                    } else {
                        env.allowLocalModels = false;
                    }
                    env.allowRemoteModels = true;
                    env.useBrowserCache   = true;
                    const pipe = await pipeline(
@@ -64,7 +94,7 @@
        <div id="preloader-warnings" class="preloader-warnings" style="display:none"></div>
        <div id="preloader-error-msg" class="preloader-error-msg" style="display:none"></div>
        <button id="preloader-retry-btn" class="preloader-retry-btn" style="display:none" onclick="_startupRetry()">🔄 <span data-i18n="startup.retry">Riprova</span></button>
-        <span class="app-preloader-version" id="preloader-version">v1.7.25</span>
+        <span class="app-preloader-version" id="preloader-version">v1.7.42</span>
    </div>
 </div>
@@ -77,7 +107,7 @@
        <!-- Title — left-aligned; grows to fill space -->
        <div class="header-title-wrap">
            <h1 class="header-title" onclick="showPage('dashboard')">
-                <img src="assets/img/logo/logo_icon.png" alt="" class="header-logo-icon" aria-hidden="true" /><span data-i18n="nav.title">EverShelf</span><span class="header-version">v1.7.25</span>
+                <img src="assets/img/logo/logo_icon.png" alt="" class="header-logo-icon" aria-hidden="true" /><span data-i18n="nav.title">EverShelf</span><span class="header-version">v1.7.42</span>
            </h1>
            <!-- Update badge — shown alongside title, never replaces it -->
            <span class="header-update-badge" id="header-update-badge" style="display:none"></span>
@@ -96,6 +126,7 @@
            <button class="header-btn header-gemini-btn" onclick="showPage('chat')" title="Chat con Gemini" data-i18n-title="chat.title">
                <svg class="gemini-icon" viewBox="0 0 24 24" width="24" height="24" fill="white"><path d="M12 0C12 6.627 6.627 12 0 12c6.627 0 12 5.373 12 12 0-6.627 5.373-12 12-12-6.627 0-12-5.373-12-12z"/></svg>
            </button>
            <button class="header-btn" onclick="startManualEntry()" title="Ajouter manuellement">✏️</button>
            <button class="header-btn header-scan-btn" id="btn-header-scan"
                    title="Scansiona prodotto (tieni premuto per modalità spesa)" data-i18n-title="scan.hint">
                📷
@@ -117,21 +148,6 @@
    <!-- ===== DASHBOARD ===== -->
    <section class="page active" id="page-dashboard">
        <div class="dashboard-stats" id="dashboard-stats">
            <div class="stat-card" onclick="showPage('inventory', 'dispensa')">
                <span class="stat-icon">🗄️</span>
                <span class="stat-value" id="stat-dispensa">-</span>
                <span class="stat-label" data-i18n="locations.dispensa">Dispensa</span>
            </div>
            <div class="stat-card" onclick="showPage('inventory', 'frigo')">
                <span class="stat-icon">🧊</span>
                <span class="stat-value" id="stat-frigo">-</span>
                <span class="stat-label" data-i18n="locations.frigo">Frigo</span>
            </div>
            <div class="stat-card" onclick="showPage('inventory', 'freezer')">
                <span class="stat-icon">❄️</span>
                <span class="stat-value" id="stat-freezer">-</span>
                <span class="stat-label" data-i18n="locations.freezer">Freezer</span>
            </div>
            <div class="stat-card" onclick="showPage('shopping')">
                <span class="stat-icon">🛒</span>
                <span class="stat-value" id="stat-spesa">-</span>
@@ -194,7 +210,7 @@
    <!-- ===== INVENTORY LIST ===== -->
    <section class="page" id="page-inventory">
        <div class="page-header">
-            <button class="back-btn" onclick="showPage('dashboard')" data-i18n="btn.back">← Indietro</button>
+            <button class="back-btn" onclick="goBack()" data-i18n="btn.back">← Indietro</button>
            <h2 id="inventory-title" data-i18n="inventory.title">Dispensa</h2>
            <button class="page-header-action-btn" onclick="_showExportModal()" title="Export" data-i18n-title="export.btn_title">📤</button>
        </div>
@@ -225,7 +241,7 @@
    <!-- ===== SCAN PAGE ===== -->
    <section class="page" id="page-scan">
        <div class="page-header">
-            <button class="back-btn" onclick="stopScanner(); showPage('dashboard')" data-i18n="btn.back">← Indietro</button>
+            <button class="back-btn" onclick="goBack()" data-i18n="btn.back">← Indietro</button>
            <h2 data-i18n="scan.title">Scansiona</h2>
            <button class="scan-spesa-chip" id="scan-spesa-btn" onclick="startSpesaMode()" data-i18n="scan.spesa_btn">🛒 Spesa</button>
        </div>
@@ -256,6 +272,14 @@
                    <span id="scan-status-method" class="scan-status-method"></span>
                    <span id="scan-status-msg" class="scan-status-msg" data-i18n="scan.status_ready"></span>
                </div>
                <!-- AI processing overlay (shown when Gemini Vision is analyzing) -->
                <div class="scan-ai-overlay" id="scan-ai-overlay" style="display:none">
                    <div class="scan-ai-overlay-inner">
                        <div class="loading-spinner"></div>
                        <span class="scan-ai-overlay-label" data-i18n="scan.ai_overlay_label">Gemini Vision</span>
                        <span class="scan-ai-overlay-msg" id="scan-ai-overlay-msg"></span>
                    </div>
                </div>
                <!-- Success flash overlay -->
                <div class="scan-confirm-overlay" id="scan-confirm-overlay" style="display:none">
                    <div class="scan-confirm-check">✓</div>
@@ -274,6 +298,9 @@
            <!-- Scan errors -->
            <div class="scan-result" id="scan-result" style="display:none"></div>
            <!-- Manual AI identification (only when user taps — never automatic) -->
            <button class="btn btn-accent scan-ai-manual-btn" id="scan-ai-manual-btn" type="button" style="display:none" onclick="_triggerManualAiScan()" data-i18n="scan.ai_manual_btn">🤖 Identifica con AI</button>
            <!-- Recent scans -->
            <div class="scan-recents" id="scan-recents" style="display:none">
                <span class="scan-recents-label" data-i18n="scan.recents_label">Recenti</span>
@@ -333,7 +360,7 @@
    <!-- ===== PRODUCT ACTION (IN/OUT after scan) ===== -->
    <section class="page" id="page-action">
        <div class="page-header">
-            <button class="back-btn" id="action-back-btn" onclick="showPage('scan')" data-i18n="btn.back">← Indietro</button>
+            <button class="back-btn" id="action-back-btn" onclick="goBack()" data-i18n="btn.back">← Indietro</button>
            <h2 data-i18n="action.title">Cosa vuoi fare?</h2>
        </div>
        <!-- Banner: shopping list scan context -->
@@ -356,14 +383,14 @@
    <!-- ===== ADD TO INVENTORY FORM ===== -->
    <section class="page" id="page-add">
        <div class="page-header">
-            <button class="back-btn" onclick="showPage('action')" data-i18n="btn.back">← Indietro</button>
+            <button class="back-btn" onclick="goBack()" data-i18n="btn.back">← Indietro</button>
            <h2 data-i18n="add.title">Aggiungi alla Dispensa</h2>
        </div>
        <div class="product-preview-small" id="add-product-preview"></div>
        <form class="form" onsubmit="submitAdd(event)">
            <div class="form-group">
                <label data-i18n="add.location_label">📍 Dove lo metti?</label>
-                <div class="location-selector">
+                <div class="location-selector" id="location-selector-add">
                    <button type="button" class="loc-btn active" onclick="selectLocation(this, 'dispensa')">🗄️ <span data-i18n="locations.dispensa">Dispensa</span></button>
                    <button type="button" class="loc-btn" onclick="selectLocation(this, 'frigo')">🧊 <span data-i18n="locations.frigo">Frigo</span></button>
                    <button type="button" class="loc-btn" onclick="selectLocation(this, 'freezer')">❄️ <span data-i18n="locations.freezer">Freezer</span></button>
@@ -379,6 +406,7 @@
                        <input type="number" id="add-quantity" value="1" min="0.1" step="any" class="qty-input">
                        <button type="button" class="qty-btn" onclick="adjustAddQty(1)">+</button>
                    </div>
                    <span class="qty-unit-badge qty-unit-muted" id="add-quantity-unit" aria-live="polite">pz</span>
                    <select id="add-unit" class="form-input unit-select" onchange="onAddUnitChange()">
                        <option value="pz">pz</option>
                        <option value="conf">conf</option>
@@ -410,8 +438,7 @@
                <p class="form-hint" id="add-vacuum-hint" style="display:none" data-i18n="add.vacuum_hint">La scadenza verrà estesa automaticamente</p>
            </div>
            <div class="form-group" id="add-expiry-section">
-                <!-- Populated dynamically by showAddForm() -->
+                </div>
            </div>
            <button type="submit" class="btn btn-large btn-success full-width" data-i18n="add.submit">✅ Aggiungi</button>
        </form>
    </section>
@@ -419,7 +446,7 @@
    <!-- ===== USE FROM INVENTORY FORM ===== -->
    <section class="page" id="page-use">
        <div class="page-header">
-            <button class="back-btn" onclick="showPage('action')" data-i18n="btn.back">← Indietro</button>
+            <button class="back-btn" onclick="goBack()" data-i18n="btn.back">← Indietro</button>
            <h2 data-i18n="use.title">Usa / Consuma</h2>
        </div>
        <div class="product-preview-small" id="use-product-preview"></div>
@@ -458,11 +485,14 @@
                    </button>
                    <div class="use-partial">
                        <p id="use-partial-hint" data-i18n="use.partial_hint">Oppure specifica la quantità usata:</p>
-                        <div class="qty-control">
+                        <div class="qty-control-with-unit">
-                            <button type="button" class="qty-btn" id="use-qty-minus" onclick="adjustUseQty(-1)">−</button>
+                            <div class="qty-control">
-                            <input type="number" id="use-quantity" value="1" min="0.1" step="any" class="qty-input"
+                                <button type="button" class="qty-btn" id="use-qty-minus" onclick="adjustUseQty(-1)">−</button>
-                                   oninput="_scaleUserDismissed=true; _cancelScaleTimersOnly();">
+                                <input type="number" id="use-quantity" value="1" min="0.1" step="any" class="qty-input"
-                            <button type="button" class="qty-btn" id="use-qty-plus" onclick="adjustUseQty(1)">+</button>
+                                       oninput="_scaleUserDismissed=true; _cancelScaleTimersOnly();">
                                <button type="button" class="qty-btn" id="use-qty-plus" onclick="adjustUseQty(1)">+</button>
                            </div>
                            <span class="qty-unit-badge" id="use-quantity-unit" aria-live="polite">—</span>
                        </div>
                        <button type="submit" id="btn-use-submit" class="btn btn-large btn-warning full-width mt-2 move-countdown-btn" data-i18n="use.submit">📤 Usa questa quantità</button>
                    </div>
@@ -475,7 +505,7 @@
    <!-- ===== MANUAL / EDIT PRODUCT FORM ===== -->
    <section class="page" id="page-product-form">
        <div class="page-header">
-            <button class="back-btn" onclick="showPage('scan')" data-i18n="btn.back">← Indietro</button>
+            <button class="back-btn" onclick="goBack()" data-i18n="btn.back">← Indietro</button>
            <h2 id="product-form-title">Nuovo Prodotto</h2>
        </div>
        <form class="form" onsubmit="submitProduct(event)">
@@ -615,6 +645,12 @@
                    <option value="altro">📦 Altro</option>
                </select>
            </div>
            <div class="form-group" id="pf-subcategory-group" style="display:none">
                <label>📂 Sous-catégorie <span class="subcategory-required-mark" style="display:none;color:#e74c3c">*</span></label>
                <select id="pf-subcategory" class="form-input">
                    <option value="">-- Aucune --</option>
                </select>
            </div>
            <div class="form-row">
                <div class="form-group flex-1">
                    <label data-i18n="product.unit_label">📏 Unità di misura</label>
@@ -663,7 +699,7 @@
    <!-- ===== ALL PRODUCTS PAGE ===== -->
    <section class="page" id="page-products">
        <div class="page-header">
-            <button class="back-btn" onclick="showPage('dashboard')" data-i18n="btn.back">← Indietro</button>
+            <button class="back-btn" onclick="goBack()" data-i18n="btn.back">← Indietro</button>
            <h2 data-i18n="products.title">📦 Tutti i Prodotti</h2>
        </div>
        <div class="search-bar">
@@ -675,7 +711,7 @@
    <!-- ===== RECIPE PAGE ===== -->
    <section class="page" id="page-recipe">
        <div class="page-header">
-            <button class="back-btn" onclick="showPage('dashboard')" data-i18n="btn.back">← Indietro</button>
+            <button class="back-btn" onclick="goBack()" data-i18n="btn.back">← Indietro</button>
            <h2 data-i18n="recipes.title">🍳 Ricette</h2>
        </div>
        <div class="recipe-page-container">
@@ -683,13 +719,22 @@
                ✨ Genera nuova ricetta
            </button>
            <div id="recipe-archive" class="recipe-archive"></div>
            <div class="settings-section" style="margin-top:24px">
                <h3 class="settings-section-title">📖 Mes recettes</h3>
                <p class="settings-hint">Tes propres recettes (cocktails, boissons...), ajoutées à la main.</p>
                <button class="btn btn-large btn-accent full-width" style="margin-top:10px" onclick="openRecipeLibraryForm()">➕ Ajouter une recette</button>
                <button class="btn btn-large btn-secondary full-width" style="margin-top:8px" onclick="openRecipeLibraryImportForm()">📋 Importer texte brut</button>
                <div id="recipe-library-tag-filter" style="display:flex;flex-wrap:wrap;gap:6px;margin-top:14px"></div>
                <div id="recipe-library-list" style="margin-top:14px"></div>
            </div>
        </div>
    </section>
    <!-- ===== SHOPPING LIST (BRING!) PAGE ===== -->
    <section class="page" id="page-shopping">
        <div class="page-header">
-            <button class="back-btn" onclick="showPage('dashboard')" data-i18n="btn.back">← Indietro</button>
+            <button class="back-btn" onclick="goBack()" data-i18n="btn.back">← Indietro</button>
            <h2 data-i18n="shopping.title">🛒 Lista della Spesa</h2>
        </div>
        <div class="shopping-container">
@@ -797,7 +842,7 @@
    <!-- ===== AI IDENTIFICATION PAGE ===== -->
    <section class="page" id="page-ai">
        <div class="page-header">
-            <button class="back-btn" onclick="stopScanner(); showPage('scan')" data-i18n="btn.back">← Indietro</button>
+            <button class="back-btn" onclick="goBack()" data-i18n="btn.back">← Indietro</button>
            <h2 data-i18n="ai.title">🤖 Identificazione AI</h2>
        </div>
        <div class="ai-container">
@@ -835,7 +880,7 @@
    <!-- ===== SETTINGS PAGE ===== -->
    <section class="page" id="page-settings">
        <div class="page-header">
-            <button class="back-btn" onclick="showPage('dashboard')" data-i18n="btn.back">← Indietro</button>
+            <button class="back-btn" onclick="goBack()" data-i18n="btn.back">← Indietro</button>
            <h2 data-i18n="settings.title">⚙️ Configurazione</h2>
        </div>
        <div class="settings-tabs">
@@ -1183,6 +1228,9 @@
                        <p class="settings-hint mt-2" data-i18n="settings.camera.devices_hint">Se hai più fotocamere, puoi selezionarne una specifica dall'elenco sopra dopo aver concesso i permessi.</p>
                        <button class="btn btn-small btn-secondary mt-2" onclick="loadCameraDevices()" data-i18n="settings.camera.detect_btn">🔄 Rileva fotocamere</button>
                    </div>
                    <div class="form-group" style="margin-top:14px">
                        <p class="settings-hint" data-i18n="settings.camera.ai_manual_hint">Se il barcode non si legge, usa il pulsante «Identifica con AI» sotto la fotocamera. Richiede Gemini configurato.</p>
                    </div>
                </div>
            </div>
            <!-- Security Tab -->
@@ -1192,10 +1240,10 @@
                    <p class="settings-hint" data-i18n="settings.security.token_hint">Se <code>SETTINGS_TOKEN</code> è configurato nel <code>.env</code> server, inserisci qui il token prima di salvare le impostazioni. Lascia vuoto se non configurato.</p>
                    <div class="form-group">
                        <label data-i18n="settings.security.token_label">Token di accesso</label>
-                        <input type="password" id="setting-settings-token" class="form-input" placeholder="(vuoto = nessuna protezione)" data-i18n-placeholder="settings.security.token_placeholder">
+                        <input type="password" id="setting-settings-token" class="form-input" placeholder="API_TOKEN da .env" data-i18n-placeholder="settings.security.token_placeholder">
                        <button class="btn btn-small btn-secondary mt-2" onclick="togglePasswordVisibility('setting-settings-token')" data-i18n="btn.toggle_password">👁️ Mostra/Nascondi</button>
                    </div>
-                    <p class="settings-hint" id="settings-token-status-hint" style="display:none;color:var(--accent)" data-i18n="settings.security.token_required_hint">🔒 Questo server richiede un token per salvare le impostazioni.</p>
+                    <p class="settings-hint" id="settings-token-status-hint" style="display:none;color:var(--accent)" data-i18n="settings.security.token_required_hint">🔒 Questo server richiede un token API (API_TOKEN nel file .env). Il token viene salvato nel browser.</p>
                </div>
                <div class="settings-card">
                    <h4 data-i18n="settings.security.title">🔒 Certificato HTTPS</h4>
@@ -1542,6 +1590,17 @@
                    </div>
                    <button class="btn btn-large btn-accent full-width" onclick="_backupNow()" id="btn-backup-now" data-i18n="settings.backup.backup_now">💾 Backup Ora</button>
                    <div id="backup-status" style="display:none;margin-top:8px" class="settings-status"></div>
                    <div style="margin-top:14px;padding-top:14px;border-top:1px solid var(--border,#e2e8f0)">
                        <h4 style="margin-bottom:6px">📦 Export / Import complet</h4>
                        <p class="settings-hint">Exporte la DB + config en un .zip, ou importe un export pour fusionner sans doublons.</p>
                        <a href="api/index.php?action=export_full" class="btn btn-large btn-accent full-width" style="text-decoration:none;display:block;text-align:center;margin-top:8px">📤 Exporter tout</a>
                        <div style="margin-top:8px">
                            <input type="file" id="import-merge-file" accept=".zip" style="display:none" onchange="_importMergeFile(this)">
                            <button class="btn btn-large btn-secondary full-width" onclick="document.getElementById('import-merge-file').click()">📥 Importer (fusion)</button>
                        </div>
                        <div id="import-merge-status" style="display:none;margin-top:8px" class="settings-status"></div>
                    </div>
                    <!-- List of backups -->
                    <div id="backup-list-container" style="margin-top:14px">
                        <p class="settings-hint" data-i18n="settings.info.loading">Caricamento…</p>
@@ -1648,18 +1707,6 @@
            </div>
        </div>
        <!-- Kiosk app download banner (hidden inside kiosk WebView) -->
        <div id="kiosk-download-banner" style="background:linear-gradient(135deg,rgba(16,185,129,0.08),rgba(5,150,105,0.12));border:1.5px solid rgba(16,185,129,0.25);border-radius:12px;padding:16px;margin-top:16px">
            <div style="display:flex;align-items:center;gap:10px;margin-bottom:8px">
                <span style="font-size:1.6rem">📺</span>
                <div>
                    <p style="margin:0;font-weight:700;font-size:0.95rem;color:#065f46">EverShelf Kiosk</p>
                    <p class="settings-hint" style="margin:2px 0 0" data-i18n="settings.kiosk.hint">Trasforma un tablet Android in un pannello EverShelf sempre acceso, con bilancia BLE integrata.</p>
                </div>
            </div>
            <a href="https://github.com/dadaloop82/EverShelf/releases/download/kiosk-latest/evershelf-kiosk.apk" target="_blank" rel="noopener noreferrer" class="btn btn-large btn-accent full-width" style="text-decoration:none;display:block;text-align:center;background:linear-gradient(135deg,#059669,#10b981);color:#fff" data-i18n="settings.kiosk.download_btn">📥 Scarica EverShelf Kiosk (APK)</a>
            <p class="settings-hint" style="margin-top:8px" data-i18n="settings.kiosk.download_sub">Modalità kiosk full-screen + gateway bilancia integrato. Sorgente: <code>evershelf-kiosk/</code></p>
        </div>
        <!-- Kiosk native settings panel (visible only inside kiosk WebView) -->
        <div id="kiosk-native-settings-panel" style="display:none;background:rgba(99,102,241,0.06);border:1.5px solid rgba(99,102,241,0.2);border-radius:12px;padding:16px;margin-top:16px">
@@ -1692,30 +1739,129 @@
        <button class="btn btn-large btn-success full-width mt-2" onclick="saveSettings()" data-i18n="btn.save_config">💾 Salva Configurazione</button>
        <div id="settings-status" class="settings-status" style="display:none"></div>
-        <!-- About & Support -->
+    </section>
-        <div class="settings-section" style="margin-top:24px">
+
-            <h3 class="settings-section-title" data-i18n="about.title">About</h3>
+    <!-- ===== CONFIGURATION PAGE ===== -->
-            <div class="settings-row" style="justify-content:space-between;align-items:center">
+<section class="page" id="page-config">
-                <span class="settings-label" data-i18n="about.version">Version</span>
+        <div class="page-header">
-                <span id="about-version-label" class="settings-hint" style="font-family:monospace">—</span>
+            <h2>🔧 Configuration</h2>
        </div>
        <div class="config-tabs" style="display:flex;gap:6px;margin-bottom:14px;flex-wrap:wrap">
            <button class="btn btn-small btn-primary config-tab-btn" data-tab="locations" onclick="showConfigTab('locations')">📍 Emplacements</button>
            <button class="btn btn-small btn-secondary config-tab-btn" data-tab="categories" onclick="showConfigTab('categories')">📁 Catégories</button>
            <button class="btn btn-small btn-secondary config-tab-btn" data-tab="subcategories" onclick="showConfigTab('subcategories')">📂 Sous-catégories</button>
            <button class="btn btn-small btn-secondary config-tab-btn" data-tab="recipetags" onclick="showConfigTab('recipetags')">🏷️ Tags recettes</button>
            <button class="btn btn-small btn-secondary config-tab-btn" data-tab="units" onclick="showConfigTab('units')">📏 Unités</button>
        </div>
        <div class="config-tab-content" id="config-tab-locations">
            <div class="settings-card">
                <h4>📍 Emplacements de stockage</h4>
                <p class="settings-hint">Gère les emplacements disponibles pour ranger tes produits (Frigo, Cave, Bar...).</p>
                <div id="locations-list-container" style="margin-top:10px">
                    <p class="settings-hint">Chargement…</p>
                </div>
                <div class="form-group mt-2">
                    <label>➕ Nouvel emplacement</label>
                    <div class="barcode-input-row">
                        <input type="text" id="new-location-icon" class="form-input" style="max-width:70px;text-align:center" placeholder="📦" maxlength="4">
                        <input type="text" id="new-location-label" class="form-input" placeholder="Es: Cave, Bar, Garage..." onkeydown="if(event.key==='Enter'){event.preventDefault();addLocation()}">
                        <button class="btn btn-accent" onclick="addLocation()">➕</button>
                    </div>
                </div>
            </div>
-            <div style="margin-top:10px;display:flex;flex-direction:column;gap:8px">
+        </div>
-                <button class="btn btn-outline full-width" onclick="reportBugManual()" id="btn-report-bug">
+
-                    🐛 <span data-i18n="about.report_bug">Segnala un problema</span>
+        <div class="config-tab-content" id="config-tab-categories" style="display:none">
-                </button>
+            <div class="settings-card">
-                <p class="settings-hint" style="text-align:center;margin:0" data-i18n="about.report_bug_hint">Qualcosa non funziona? Inviaci una segnalazione direttamente dall'app.</p>
+                <h4>📁 Catégories</h4>
-                <div style="display:flex;gap:8px">
+                <p class="settings-hint">Gère les catégories de produits : icône, libellé, et mots-clés de détection automatique à partir du nom du produit.</p>
-                    <a class="btn btn-outline full-width" style="text-decoration:none;text-align:center"
+                <div id="categories-list-container" style="margin-top:10px">
-                       href="https://github.com/dadaloop82/EverShelf/blob/main/CHANGELOG.md"
+                    <p class="settings-hint">Chargement…</p>
-                       target="_blank" rel="noopener" data-i18n="about.changelog">Changelog</a>
+                </div>
-                    <a class="btn btn-outline full-width" style="text-decoration:none;text-align:center"
+                <div class="form-group mt-2">
-                       href="https://github.com/dadaloop82/EverShelf"
+                    <label>➕ Nouvelle catégorie</label>
-                       target="_blank" rel="noopener" data-i18n="about.github">GitHub</a>
+                    <div class="barcode-input-row">
                        <input type="text" id="new-category-icon" class="form-input" style="max-width:70px;text-align:center" placeholder="📦" maxlength="4">
                        <input type="text" id="new-category-label" class="form-input" placeholder="Es: Apéritifs, Bébé...">
                        <button class="btn btn-accent" onclick="addCategory()">➕</button>
                    </div>
                    <input type="text" id="new-category-keywords" class="form-input mt-1" placeholder="Mots-clés séparés par des virgules (ex: chips, apéro, biscuit salé)">
                </div>
            </div>
        </div>
        <div class="config-tab-content" id="config-tab-subcategories" style="display:none">
            <div class="settings-card">
                <h4>📂 Sous-catégories</h4>
                <p class="settings-hint">Gère les sous-catégories disponibles pour chaque catégorie de produit.</p>
                <div class="form-group">
                    <label>Catégorie</label>
                    <select id="subcat-config-category" class="form-input" onchange="onSubcatConfigCategoryChange()"></select>
                </div>
                <div class="form-group" style="display:flex;align-items:center;gap:8px">
                    <input type="checkbox" id="subcat-config-required" onchange="toggleSubcategoryRequired()" style="width:auto">
                    <label for="subcat-config-required" style="margin:0">Sous-catégorie obligatoire pour cette catégorie</label>
                </div>
                <div id="subcat-list-container" style="margin-top:10px">
                    <p class="settings-hint">Chargement…</p>
                </div>
                <div class="form-group mt-2">
                    <label>➕ Nouvelle sous-catégorie (pour la catégorie sélectionnée)</label>
                    <div class="barcode-input-row">
                        <input type="text" id="new-subcat-label" class="form-input" placeholder="Es: 🍷 Vin, 🍗 Poulet..." onkeydown="if(event.key==='Enter'){event.preventDefault();addSubcategoryRow()}">
                        <button class="btn btn-accent" onclick="addSubcategoryRow()">➕</button>
                    </div>
                </div>
            </div>
        </div>
        <div class="config-tab-content" id="config-tab-recipetags" style="display:none">
            <div class="settings-card">
                <h4>🏷️ Tags recettes</h4>
                <p class="settings-hint">Gère les tags utilisés pour trier/filtrer "Mes recettes" (cocktails, boissons...).</p>
                <div id="recipe-tags-list-container" style="margin-top:10px">
                    <p class="settings-hint">Chargement…</p>
                </div>
                <div class="form-group mt-2">
                    <label>➕ Nouveau tag</label>
                    <div class="barcode-input-row">
                        <input type="text" id="new-recipe-tag-icon" class="form-input" style="max-width:70px;text-align:center" placeholder="🏷️" maxlength="4">
                        <input type="text" id="new-recipe-tag-label" class="form-input" placeholder="Es: Tiki, Sans alcool...">
                        <input type="text" id="new-recipe-tag-keywords" class="form-input" placeholder="Mots-clés (ex: citron, lime, vinaigre)" onkeydown="if(event.key==='Enter'){event.preventDefault();addRecipeTagConfig()}">
                        <button class="btn btn-accent" onclick="addRecipeTagConfig()">➕</button>
                    </div>
                </div>
            </div>
        </div>
        <div class="config-tab-content" id="config-tab-units" style="display:none">
            <div class="settings-card">
                <h4>📏 Unités</h4>
                <p class="settings-hint">Ajoute des unités personnalisées (ex: kg, L) qui se convertissent automatiquement en g/ml/pz pour le stockage, mais s'affichent dans leur propre unité partout dans l'app.</p>
                <div id="custom-units-list-container" style="margin-top:10px">
                    <p class="settings-hint">Chargement…</p>
                </div>
                <div class="form-group mt-2">
                    <label>➕ Nouvelle unité</label>
                    <div class="barcode-input-row">
                        <input type="text" id="new-unit-icon" class="form-input" style="max-width:70px;text-align:center" placeholder="📏" maxlength="4">
                        <input type="text" id="new-unit-key" class="form-input" style="max-width:80px" placeholder="Es: kg" maxlength="10">
                        <input type="text" id="new-unit-label" class="form-input" placeholder="Es: kg (Kilogrammes)">
                    </div>
                    <div class="barcode-input-row" style="margin-top:8px">
                        <select id="new-unit-base" class="form-input">
                            <option value="g">g (poids)</option>
                            <option value="ml">ml (volume)</option>
                            <option value="pz">pz (pièces)</option>
                        </select>
                        <input type="number" id="new-unit-factor" class="form-input" placeholder="Facteur (ex: 1000)" min="0.001" step="any">
                        <button class="btn btn-accent" onclick="addCustomUnitConfig()">➕</button>
                    </div>
                </div>
            </div>
        </div>
    </section>
-
+    
    <!-- ===== GEMINI CHAT ===== -->
    <section class="page" id="page-chat">
        <div class="chat-container">
@@ -1772,6 +1918,10 @@
        <span class="nav-icon">📋</span>
        <span class="nav-label" data-i18n="nav.log">Storico</span>
    </button>
    <button class="nav-btn" onclick="showPage('config')" data-page="config">
        <span class="nav-icon">🔧</span>
        <span class="nav-label">Config.</span>
    </button>
    <button class="nav-btn" onclick="showPage('settings')" data-page="settings">
        <span class="nav-icon">⚙️</span>
        <span class="nav-label" data-i18n="nav.settings">Config</span>
@@ -1831,7 +1981,7 @@
                <p class="recipe-regen-choice-title" data-i18n="recipes.regen_choice_title">Cosa vuoi fare con questa ricetta?</p>
                <button class="btn btn-large btn-warning full-width" onclick="doRegenerateReplace()" data-i18n="recipes.regen_replace">🔄 Genera un'altra (scarta questa)</button>
                <button class="btn btn-large btn-success full-width mt-2" onclick="doRegenerateSave()" data-i18n="recipes.regen_save_new">💾 Salva nell'archivio e genera nuova</button>
-                <button class="btn btn-large btn-ghost full-width mt-2" onclick="cancelRegenChoice()" data-i18n="action.cancel">Annulla</button>
+                <button class="btn btn-large btn-ghost full-width mt-2" onclick="cancelRegenChoice()" data-i18n="confirm.cancel">Annulla</button>
            </div>
            <button class="btn btn-large btn-primary full-width mt-2" onclick="closeRecipeDialog()" data-i18n="recipes.close_btn">
                ✅ Chiudi
@@ -1941,6 +2091,6 @@
    </div>
 </div>
-<script src="assets/js/app.js?v=20260518c"></script>
+<script src="assets/js/app.js?v=20260606z"></script>
-</body>
+</body>    
 </html>
@@ -0,0 +1 @@
 Require all denied
@@ -2,8 +2,8 @@
    "name": "EverShelf",
    "short_name": "EverShelf",
    "description": "Gestione completa della dispensa di casa con scansione barcode",
-    "version": "1.7.25",
+    "version": "1.7.42",
-    "start_url": "/evershelf/",
+    "start_url": "/",
    "display": "standalone",
    "background_color": "#f0f4e8",
    "theme_color": "#2d5016",
@@ -0,0 +1,9 @@
 {
  "name": "evershelf",
  "private": true,
  "scripts": {
    "build:js": "npx --yes terser assets/js/app.js -c -m -o assets/js/app.min.js",
    "build:css": "npx --yes clean-css-cli -o assets/css/style.min.css assets/css/style.css",
    "build": "npm run build:js && npm run build:css"
  }
 }
@@ -0,0 +1 @@
 {"version":"1.7.19","version_code":20}
@@ -0,0 +1,163 @@
 #!/usr/bin/env php
 <?php
 /**
 * Audit: products depleted in last N days vs shopping list / Bring / smart shopping.
 * Usage: php scripts/audit-finished-shopping.php [days]
 */
 define('CRON_MODE', true);
 require_once __DIR__ . '/../api/bootstrap.php';
 require_once __DIR__ . '/../api/index.php';
 $days = max(1, (int)($argv[1] ?? 30));
 $db = getDB();
 // Recompute smart shopping fresh
 ob_start();
 smartShopping($db);
 $smartJson = ob_get_clean();
 $smartData = json_decode($smartJson, true);
 $smartItems = $smartData['items'] ?? [];
 $smartByPid = [];
 $smartByName = [];
 foreach ($smartItems as $si) {
    foreach ($si['variants'] ?? [] as $v) {
        $smartByPid[(int)$v['product_id']] = $si;
    }
    $smartByPid[(int)$si['product_id']] = $si;
    $sn = strtolower(trim($si['shopping_name'] ?? $si['name'] ?? ''));
    if ($sn !== '') $smartByName[$sn] = $si;
 }
 // Bring list
 $bringNames = [];
 $bringSpecs = [];
 $auth = bringAuth();
 if ($auth && !empty($auth['bringListUUID'])) {
    $listData = bringRequest('GET', "https://api.getbring.com/rest/v2/bringlists/{$auth['bringListUUID']}");
    if ($listData && isset($listData['purchase'])) {
        foreach ($listData['purchase'] as $bi) {
            $k = mb_strtolower($bi['name'] ?? '');
            $bringNames[$k] = $bi['name'] ?? '';
            $bringSpecs[$k] = $bi['specification'] ?? '';
        }
    }
 }
 // Internal shopping list
 $shopNames = [];
 $shopRows = $db->query("SELECT name, specification FROM shopping_list")->fetchAll(PDO::FETCH_ASSOC);
 foreach ($shopRows as $r) {
    $shopNames[mb_strtolower($r['name'])] = $r;
 }
 // Products with zero stock, last activity in window
 $rows = $db->query("
    SELECT p.id, p.name, p.brand, p.shopping_name, p.unit,
           COALESCE((SELECT SUM(i.quantity) FROM inventory i WHERE i.product_id = p.id), 0) AS stock_qty,
           (SELECT MAX(t.created_at) FROM transactions t
            WHERE t.product_id = p.id AND t.undone = 0
              AND t.type IN ('out','waste','in')
              AND t.created_at >= datetime('now', '-{$days} days')) AS last_activity,
           (SELECT MAX(t.created_at) FROM transactions t
            WHERE t.product_id = p.id AND t.undone = 0
              AND t.type IN ('out','waste')
              AND t.created_at >= datetime('now', '-{$days} days')) AS last_out,
           (SELECT COUNT(*) FROM transactions t
            WHERE t.product_id = p.id AND t.undone = 0 AND t.type IN ('out','waste')) AS use_count,
           (SELECT COUNT(*) FROM transactions t
            WHERE t.product_id = p.id AND t.undone = 0 AND t.type = 'in') AS buy_count
    FROM products p
    WHERE COALESCE((SELECT SUM(i.quantity) FROM inventory i WHERE i.product_id = p.id), 0) <= 0.001
      AND (SELECT MAX(t.created_at) FROM transactions t
           WHERE t.product_id = p.id AND t.undone = 0
             AND t.type IN ('out','waste','in')
             AND t.created_at >= datetime('now', '-{$days} days')) IS NOT NULL
    ORDER BY last_activity DESC
 ")->fetchAll(PDO::FETCH_ASSOC);
 $missing = [];
 $onList = [];
 $suppressed = [];
 foreach ($rows as $r) {
    $pid = (int)$r['id'];
    $generic = trim($r['shopping_name'] ?? '') ?: computeShoppingName($r['name'], '', $r['brand'] ?? '');
    $bringKey = mb_strtolower(italianToBring($generic));
    $shopKey = mb_strtolower($generic);
    $smart = $smartByPid[$pid] ?? $smartByName[mb_strtolower($generic)] ?? null;
    $onBring = isset($bringNames[$bringKey]);
    $onShop = isset($shopNames[$shopKey]);
    $inSmart = $smart !== null && ($smart['urgency'] ?? 'none') !== 'none';
    $entry = [
        'id' => $pid,
        'name' => $r['name'],
        'brand' => $r['brand'],
        'generic' => $generic,
        'last_activity' => $r['last_activity'],
        'last_out' => $r['last_out'],
        'use_count' => (int)$r['use_count'],
        'buy_count' => (int)$r['buy_count'],
        'on_bring' => $onBring,
        'on_shop' => $onShop,
        'in_smart' => $inSmart,
        'smart_urgency' => $smart['urgency'] ?? null,
        'smart_reasons' => $smart['reasons'] ?? [],
        'bring_spec' => $bringSpecs[$bringKey] ?? '',
    ];
    if (!$onBring && !$onShop && !$inSmart) {
        $missing[] = $entry;
    } elseif ($onBring || $onShop) {
        $onList[] = $entry;
    } elseif ($inSmart) {
        $suppressed[] = $entry; // in smart but not synced yet
    } else {
        $missing[] = $entry;
    }
 }
 echo "=== Audit prodotti esauriti (ultimi {$days} giorni) ===\n";
 echo 'Totale esauriti con attività recente: ' . count($rows) . "\n";
 echo 'Già in lista/Bring: ' . count($onList) . "\n";
 echo 'In smart shopping ma non in lista: ' . count($suppressed) . "\n";
 echo 'MANCANTI (né lista né Bring né smart): ' . count($missing) . "\n\n";
 if ($missing) {
    echo "--- MANCANTI ---\n";
    foreach ($missing as $m) {
        echo sprintf(
            "- [%d] %s%s → generico: %s | usi:%d acquisti:%d | ultimo:%s\n",
            $m['id'],
            $m['name'],
            $m['brand'] ? " ({$m['brand']})" : '',
            $m['generic'],
            $m['use_count'],
            $m['buy_count'],
            $m['last_activity']
        );
    }
    echo "\n";
 }
 if ($suppressed) {
    echo "--- IN SMART MA NON IN LISTA/BRING ---\n";
    foreach ($suppressed as $m) {
        echo sprintf(
            "- [%d] %s → %s | urgenza:%s | %s\n",
            $m['id'],
            $m['name'],
            $m['generic'],
            $m['smart_urgency'] ?? '?',
            implode(', ', $m['smart_reasons'] ?? [])
        );
    }
 }
 // Export JSON for fix script
 file_put_contents(
    __DIR__ . '/../data/audit_finished_missing.json',
    json_encode(['days' => $days, 'missing' => $missing, 'suppressed' => $suppressed], JSON_UNESCAPED_UNICODE | JSON_PRETTY_PRINT)
 );
 echo "\nReport salvato in data/audit_finished_missing.json\n";
@@ -0,0 +1,65 @@
 #!/usr/bin/env php
 <?php
 /**
 * Backfill Bring!/shopping list for products depleted in the last N days.
 * Usage: php scripts/backfill-finished-shopping.php [days]
 */
 define('CRON_MODE', true);
 require_once __DIR__ . '/../api/bootstrap.php';
 require_once __DIR__ . '/../api/index.php';
 $days = max(1, (int)($argv[1] ?? RECENTLY_EXHAUSTED_DAYS));
 $db = getDB();
 $rows = $db->query("
    SELECT p.id, p.name, p.shopping_name
    FROM products p
    WHERE COALESCE((SELECT SUM(i.quantity) FROM inventory i WHERE i.product_id = p.id), 0) <= 0.001
      AND (
        SELECT MAX(t.created_at) FROM transactions t
        WHERE t.product_id = p.id AND t.undone = 0 AND t.type IN ('out','waste')
      ) >= datetime('now', '-{$days} days')
    ORDER BY (
        SELECT MAX(t.created_at) FROM transactions t
        WHERE t.product_id = p.id AND t.undone = 0 AND t.type IN ('out','waste')
    ) DESC
 ")->fetchAll(PDO::FETCH_ASSOC);
 echo '[' . date('Y-m-d H:i:s') . "] Backfill {$days}d — " . count($rows) . " prodotti esauriti\n";
 $added = 0;
 $updated = 0;
 $skipped = 0;
 foreach ($rows as $r) {
    $res = bringAddDepletedProduct($db, (int)$r['id']);
    if (!empty($res['added'])) {
        $added++;
        echo "  + {$r['name']} → {$res['generic_name']}\n";
    } elseif (!empty($res['updated'])) {
        $updated++;
        echo "  ~ {$r['name']} → {$res['generic_name']}\n";
    } else {
        $skipped++;
    }
 }
 ob_start();
 smartShopping($db);
 $json = ob_get_clean();
 $decoded = json_decode($json, true);
 if ($decoded && !empty($decoded['success'])) {
    $decoded['cached_at'] = date('c');
    $decoded['cached_ts'] = time();
    file_put_contents(
        __DIR__ . '/../data/smart_shopping_cache.json',
        json_encode($decoded, JSON_UNESCAPED_UNICODE)
    );
 }
 ob_start();
 bringSyncFull($db, false);
 $sync = json_decode(ob_get_clean(), true);
 $auto = $sync['auto_add'] ?? [];
 echo '[' . date('Y-m-d H:i:s') . "] bringAddDepleted: added={$added} updated={$updated} skipped={$skipped}\n";
 echo '[' . date('Y-m-d H:i:s') . '] bringSync auto_add: ' . json_encode($auto, JSON_UNESCAPED_UNICODE) . "\n";
@@ -0,0 +1,79 @@
 #!/usr/bin/env php
 <?php
 /** Delete all comments on open feature/enhancement backlog issues (English-only tracker policy). */
 declare(strict_types=1);
 define('CRON_MODE', true);
 require_once __DIR__ . '/../api/bootstrap.php';
 require_once __DIR__ . '/../api/lib/github.php';
 require_once __DIR__ . '/../api/lib/constants.php';
 $token = _ghToken();
 if ($token === '') {
    fwrite(STDERR, "ERROR: GH_ISSUE_TOKEN not configured\n");
    exit(1);
 }
 function ghRequest(string $token, string $method, string $url, ?array $body = null): array {
    $ch = curl_init($url);
    $headers = [
        'Authorization: token ' . $token,
        'Accept: application/vnd.github+json',
        'X-GitHub-Api-Version: 2022-11-28',
        'User-Agent: EverShelf-Triage/1.0',
    ];
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER     => $headers,
        CURLOPT_TIMEOUT        => 30,
    ]);
    if ($method === 'DELETE') {
        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'DELETE');
    } elseif ($method === 'GET') {
        // default
    }
    if ($body !== null) {
        $headers[] = 'Content-Type: application/json';
        curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
        curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($body));
    }
    $raw  = curl_exec($ch);
    $code = (int)curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    return ['code' => $code, 'body' => $raw];
 }
 $issues = [122, 121, 120, 119, 118, 117, 116, 115, 114, 106, 105, 104, 103, 102, 101, 97, 93, 81, 80, 79, 69, 67, 65];
 $deleted = 0;
 foreach ($issues as $num) {
    $page = 1;
    while (true) {
        $url = 'https://api.github.com/repos/' . GH_REPO . "/issues/$num/comments?per_page=100&page=$page";
        $r = ghRequest($token, 'GET', $url);
        if ($r['code'] !== 200) {
            fwrite(STDERR, "#$num list comments HTTP {$r['code']}\n");
            break;
        }
        $comments = json_decode($r['body'], true);
        if (!is_array($comments) || empty($comments)) {
            break;
        }
        foreach ($comments as $c) {
            $id = (int)($c['id'] ?? 0);
            if ($id <= 0) continue;
            $dr = ghRequest($token, 'DELETE', 'https://api.github.com/repos/' . GH_REPO . "/issues/comments/$id");
            if ($dr['code'] === 204) {
                $deleted++;
                echo "deleted comment $id on #$num\n";
            } else {
                fwrite(STDERR, "FAIL delete comment $id on #$num HTTP {$dr['code']}\n");
            }
            usleep(200000);
        }
        if (count($comments) < 100) break;
        $page++;
    }
 }
 echo "Done. Deleted $deleted comments.\n";
@@ -0,0 +1,14 @@
 #!/usr/bin/env php
 <?php
 /**
 * Encrypt a GitHub Issues token for storage in .env as GH_ISSUE_TOKEN_ENC.
 *
 * Usage:
 *   php scripts/encrypt-gh-token.php 'ghp_xxxx' 'your-secret-key'
 */
 if ($argc < 3) {
    fwrite(STDERR, "Usage: php scripts/encrypt-gh-token.php <token> <key>\n");
    exit(1);
 }
 require_once __DIR__ . '/../api/lib/github.php';
 echo evershelfEncryptGhToken($argv[1], $argv[2]) . "\n";
@@ -0,0 +1,12 @@
 #!/bin/bash
 # Fix ownership and permissions for EverShelf runtime directories.
 set -euo pipefail
 ROOT="$(cd "$(dirname "$0")/.." && pwd)"
 WEB_USER="${WEB_USER:-www-data}"
 chown -R "${WEB_USER}:${WEB_USER}" "${ROOT}/data" "${ROOT}/logs" 2>/dev/null || true
 chmod 750 "${ROOT}/data" "${ROOT}/logs"
 chmod 640 "${ROOT}/.env" 2>/dev/null || true
 find "${ROOT}/data" -type f -exec chmod 660 {} \;
 find "${ROOT}/logs" -type f -exec chmod 640 {} \;
 echo "Permissions updated for ${WEB_USER}"
@@ -0,0 +1,81 @@
 #!/usr/bin/env php
 <?php
 /** Reopen wrongly closed feature issues; close resolved auto-report bugs (English). */
 declare(strict_types=1);
 define('CRON_MODE', true);
 require_once __DIR__ . '/../api/bootstrap.php';
 require_once __DIR__ . '/../api/lib/github.php';
 require_once __DIR__ . '/../api/lib/constants.php';
 $token = _ghToken();
 if ($token === '') {
    fwrite(STDERR, "ERROR: GH_ISSUE_TOKEN not configured\n");
    exit(1);
 }
 function ghApi(string $token, string $method, string $url, array $payload = []): array {
    $ch = curl_init($url);
    $headers = [
        'Authorization: token ' . $token,
        'Accept: application/vnd.github+json',
        'X-GitHub-Api-Version: 2022-11-28',
        'User-Agent: EverShelf-Triage/1.0',
        'Content-Type: application/json',
    ];
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER     => $headers,
        CURLOPT_TIMEOUT        => 20,
    ]);
    if ($method === 'PATCH') {
        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'PATCH');
        curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($payload));
    } elseif ($method === 'POST') {
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($payload));
    }
    $raw  = curl_exec($ch);
    $code = (int)curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    return ['http_code' => $code, 'body' => json_decode($raw ?: '{}', true) ?: []];
 }
 function comment(string $token, int $num, string $body): void {
    $r = ghApi($token, 'POST', 'https://api.github.com/repos/' . GH_REPO . "/issues/$num/comments", ['body' => $body]);
    echo $r['http_code'] >= 200 && $r['http_code'] < 300 ? "OK comment #$num\n" : "FAIL comment #$num\n";
 }
 function closeIssue(string $token, int $num): void {
    $r = ghApi($token, 'PATCH', 'https://api.github.com/repos/' . GH_REPO . "/issues/$num", ['state' => 'closed']);
    echo $r['http_code'] >= 200 && $r['http_code'] < 300 ? "OK close #$num\n" : "FAIL close #$num\n";
 }
 function reopenIssue(string $token, int $num): void {
    $r = ghApi($token, 'PATCH', 'https://api.github.com/repos/' . GH_REPO . "/issues/$num", ['state' => 'open']);
    echo $r['http_code'] >= 200 && $r['http_code'] < 300 ? "OK reopen #$num\n" : "FAIL reopen #$num\n";
 }
 $reopen = [
    125 => "Reopened: **voice commands in cooking mode** are not implemented yet (only TTS readout exists). This was closed by mistake during bulk triage — the feature backlog should stay open until hands-free step navigation ships.",
    98  => "Reopened: **pin favourite products to the top of inventory** is not implemented yet (recipe favourites #124 are done, but product pinning is a separate request). Closed by mistake — keeping on the backlog.",
 ];
 foreach ($reopen as $num => $msg) {
    comment($token, $num, $msg);
    reopenIssue($token, $num);
 }
 $bugs = [
    201 => 'Fixed in latest develop: `inventory_use` and `shopping_add` now retry on `SQLITE_BUSY` via `dbWithRetry()` (same pattern as #198).',
    202 => 'Fixed: Bring/internal `shopping_add` wrapped in `dbWithRetry()` to survive cron + PWA concurrent writes.',
    203 => 'Fixed: `smartShopping()` / `smartShoppingCached()` now call `set_time_limit(120)` so large pantries no longer hit the 30s PHP fatal.',
    204 => 'Fixed: same as #203 — smart shopping timeout caused HTTP 500; extended execution limit resolves the crash.',
 ];
 foreach ($bugs as $num => $msg) {
    comment($token, $num, $msg . "\n\n_Closed after triage — fix shipped in develop._");
    closeIssue($token, $num);
 }
 echo "Done.\n";
@@ -0,0 +1,26 @@
 #!/bin/bash
 # Download @xenova/transformers runtime + all-MiniLM-L6-v2 for offline category classification.
 set -euo pipefail
 ROOT="$(cd "$(dirname "$0")/.." && pwd)"
 VENDOR="$ROOT/assets/vendor/transformers"
 MODEL="$VENDOR/Xenova/all-MiniLM-L6-v2"
 ONNX="$MODEL/onnx"
 BASE="https://huggingface.co/Xenova/all-MiniLM-L6-v2/resolve/main"
 mkdir -p "$ONNX"
 echo "→ transformers.min.js"
 curl -fsSL "https://cdn.jsdelivr.net/npm/@xenova/transformers@2.17.2/dist/transformers.min.js" \
  -o "$VENDOR/transformers.min.js"
 for f in config.json tokenizer.json tokenizer_config.json; do
  echo "→ $f"
  curl -fsSL "$BASE/$f" -o "$MODEL/$f"
 done
 echo "→ onnx/model_quantized.onnx (~22 MB)"
 curl -fsSL "$BASE/onnx/model_quantized.onnx" -o "$ONNX/model_quantized.onnx"
 chown -R www-data:www-data "$VENDOR" 2>/dev/null || true
 echo "Done. Model installed under assets/vendor/transformers/"
@@ -0,0 +1,111 @@
 #!/usr/bin/env php
 <?php
 /**
 * One-time merge of duplicate product records (same normalized name + compatible brand).
 * Opened-package splits remain as separate inventory rows on the canonical product.
 *
 * Usage: php scripts/merge-duplicate-products.php [--dry-run]
 */
 declare(strict_types=1);
 $dryRun = in_array('--dry-run', $argv, true);
 $dbPath = __DIR__ . '/../data/evershelf.db';
 if (!file_exists($dbPath)) {
    fwrite(STDERR, "Database not found: $dbPath\n");
    exit(1);
 }
 $db = new PDO('sqlite:' . $dbPath);
 $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
 function normName(string $name): string {
    return mb_strtolower(trim($name));
 }
 function normBrand(string $brand): string {
    return mb_strtolower(trim($brand));
 }
 function brandsCompatible(string $a, string $b): bool {
    $na = normBrand($a);
    $nb = normBrand($b);
    return $na === $nb || $na === '' || $nb === '';
 }
 function productScore(PDO $db, int $id): float {
    $tx = (float)$db->query("SELECT COUNT(*) FROM transactions WHERE product_id = $id")->fetchColumn();
    $inv = (float)$db->query("SELECT COALESCE(SUM(quantity), 0) FROM inventory WHERE product_id = $id")->fetchColumn();
    return $tx * 10 + $inv;
 }
 function mergeProducts(PDO $db, int $keepId, int $dropId): void {
    $db->beginTransaction();
    try {
        $db->prepare('UPDATE inventory SET product_id = ? WHERE product_id = ?')->execute([$keepId, $dropId]);
        $db->prepare('UPDATE transactions SET product_id = ? WHERE product_id = ?')->execute([$keepId, $dropId]);
        $db->prepare('DELETE FROM products WHERE id = ?')->execute([$dropId]);
        $db->commit();
    } catch (Throwable $e) {
        if ($db->inTransaction()) {
            $db->rollBack();
        }
        throw $e;
    }
 }
 $products = $db->query('SELECT id, name, brand, barcode FROM products ORDER BY id')->fetchAll(PDO::FETCH_ASSOC);
 $byName = [];
 foreach ($products as $p) {
    $key = normName($p['name']);
    if ($key === '') {
        continue;
    }
    $byName[$key][] = $p;
 }
 $merged = 0;
 foreach ($byName as $nameKey => $group) {
    if (count($group) < 2) {
        continue;
    }
    // Split into compatible-brand clusters
    $clusters = [];
    foreach ($group as $p) {
        $placed = false;
        foreach ($clusters as &$cluster) {
            $ref = $cluster[0];
            if (brandsCompatible($p['brand'] ?? '', $ref['brand'] ?? '')) {
                $cluster[] = $p;
                $placed = true;
                break;
            }
        }
        unset($cluster);
        if (!$placed) {
            $clusters[] = [$p];
        }
    }
    foreach ($clusters as $cluster) {
        if (count($cluster) < 2) {
            continue;
        }
        usort($cluster, fn($a, $b) => productScore($db, (int)$b['id']) <=> productScore($db, (int)$a['id']));
        $keep = (int)$cluster[0]['id'];
        $keepName = $cluster[0]['name'];
        for ($i = 1; $i < count($cluster); $i++) {
            $drop = (int)$cluster[$i]['id'];
            echo ($dryRun ? '[dry-run] ' : '') . "Merge #{$drop} \"{$cluster[$i]['name']}\" → #{$keep} \"{$keepName}\"\n";
            if (!$dryRun) {
                mergeProducts($db, $keep, $drop);
            }
            $merged++;
        }
    }
 }
 echo $dryRun
    ? "Dry run: $merged merge(s) would be performed.\n"
    : "Done: $merged duplicate product(s) merged.\n";
@@ -0,0 +1,57 @@
 #!/usr/bin/env php
 <?php
 /**
 * One-time security migration: GitHub token → encrypted .env, optional API_TOKEN.
 */
 require_once __DIR__ . '/../api/lib/env.php';
 require_once __DIR__ . '/../api/lib/github.php';
 $envFile = dirname(__DIR__) . '/.env';
 if (!file_exists($envFile)) {
    fwrite(STDERR, ".env not found\n");
    exit(1);
 }
 $lines = file($envFile, FILE_IGNORE_NEW_LINES);
 $vars = loadEnv();
 $changed = false;
 // Migrate legacy XOR token from previous index.php if still in git history
 if (empty($vars['GH_ISSUE_TOKEN']) && empty($vars['GH_ISSUE_TOKEN_ENC'])) {
    $legacyEnc = '23580718460c2c444031290243627e7971622b29030a3e4d50001e45261659420b6e110a423f30447133205b425a577971561f32762b0b034e0b3e56106d5945020406254a3a4647592a1a611c66687a0b672043700f34757900014004';
    $legacyKey = 'D1sp3ns4!Ev3r#26';
    $encBin = hex2bin($legacyEnc);
    $plain = '';
    if ($encBin) {
        for ($i = 0; $i < strlen($encBin); $i++) {
            $plain .= chr(ord($encBin[$i]) ^ ord($legacyKey[$i % strlen($legacyKey)]));
        }
    }
    if ($plain !== '' && str_starts_with($plain, 'github_')) {
        $newKey = bin2hex(random_bytes(16));
        $enc = evershelfEncryptGhToken($plain, $newKey);
        $lines[] = '';
        $lines[] = '# GitHub Issues (migrated from legacy source — encrypted at rest)';
        $lines[] = 'GH_ISSUE_TOKEN_ENC=' . $enc;
        $lines[] = 'GH_ISSUE_TOKEN_KEY=' . $newKey;
        $changed = true;
        echo "Migrated GitHub token to GH_ISSUE_TOKEN_ENC\n";
    }
 }
 if (empty($vars['API_TOKEN']) && empty($vars['SETTINGS_TOKEN'])) {
    $token = bin2hex(random_bytes(24));
    $lines[] = '';
    $lines[] = '# API access token — required for all API calls when set (also used by kiosk/HA)';
    $lines[] = 'API_TOKEN=' . $token;
    $changed = true;
    echo "Generated API_TOKEN (save this for your devices): {$token}\n";
 }
 if ($changed) {
    file_put_contents($envFile, implode("\n", $lines) . "\n");
    chmod($envFile, 0640);
    echo "Updated .env\n";
 } else {
    echo "No migration needed\n";
 }
@@ -0,0 +1,64 @@
 #!/usr/bin/env php
 <?php
 /**
 * Re-apply stock hints and 5% use-all rule to an archived recipe.
 * Usage: php scripts/re-enrich-recipe.php <recipe_id>
 */
 define('CRON_MODE', true);
 require __DIR__ . '/../api/index.php';
 $id = (int)($argv[1] ?? 0);
 if ($id <= 0) {
    fwrite(STDERR, "Usage: php scripts/re-enrich-recipe.php <recipe_id>\n");
    exit(1);
 }
 $db = getDB();
 $stmt = $db->prepare('SELECT id, recipe_json FROM recipes WHERE id = ?');
 $stmt->execute([$id]);
 $row = $stmt->fetch(PDO::FETCH_ASSOC);
 if (!$row) {
    fwrite(STDERR, "Recipe {$id} not found\n");
    exit(1);
 }
 $recipe = json_decode($row['recipe_json'], true);
 if (!is_array($recipe)) {
    fwrite(STDERR, "Invalid recipe JSON for id {$id}\n");
    exit(1);
 }
 $stmt = $db->query("
    SELECT p.id AS product_id, p.name, p.brand, p.category, i.quantity, p.unit, p.default_quantity, p.package_unit, i.location, i.expiry_date, i.opened_at,
           CASE WHEN i.expiry_date IS NOT NULL THEN julianday(i.expiry_date) - julianday('now') ELSE 999 END AS days_left
    FROM inventory i
    JOIN products p ON p.id = i.product_id
    WHERE i.quantity > 0
    ORDER BY days_left ASC, p.name ASC
 ");
 $items = $stmt->fetchAll(PDO::FETCH_ASSOC);
 recipeEnrichIngredientsFromPantry($db, $recipe['ingredients'], $items);
 recipeApplyStockHintsToRecipe($db, $recipe);
 $upd = $db->prepare('UPDATE recipes SET recipe_json = ? WHERE id = ?');
 $upd->execute([json_encode($recipe, JSON_UNESCAPED_UNICODE), $id]);
 echo "Updated recipe {$id}: " . ($recipe['title'] ?? '?') . "\n";
 foreach ($recipe['ingredients'] ?? [] as $ing) {
    if (empty($ing['from_pantry'])) {
        echo sprintf("  🛒 %s — %s (da comprare)\n", $ing['name'] ?? '?', $ing['qty'] ?? '?');
        continue;
    }
    $useAll = !empty($ing['use_all_suggested']) ? ' [USE ALL]' : '';
    echo sprintf(
        "  %s: %s | hai %.1f %s | restano %.1f %s%s\n",
        $ing['name'] ?? '?',
        $ing['qty'] ?? '?',
        $ing['stock_have'] ?? 0,
        $ing['stock_unit'] ?? '',
        $ing['stock_remain'] ?? 0,
        $ing['stock_unit'] ?? '',
        $useAll
    );
 }
@@ -0,0 +1,341 @@
 #!/usr/bin/env python3
 """Sync translation files: ensure all locales have the same keys as it.json (reference)."""
 from __future__ import annotations
 import copy
 import json
 from pathlib import Path
 ROOT = Path(__file__).resolve().parent.parent / 'translations'
 REF = 'it.json'
 LOCALES = ['it.json', 'en.json', 'de.json', 'fr.json', 'es.json']
 # New keys added across all locales (nested path -> value per locale)
 NEW_KEYS: dict[str, dict[str, str]] = {
    'dashboard.banner_prediction_confirmed': {
        'it': '✅ Confermato — il sistema ricalcolerà le previsioni dalle prossime registrazioni',
        'en': '✅ Confirmed — forecasts will recalculate from your next entries',
        'de': '✅ Bestätigt — Prognosen werden aus den nächsten Einträgen neu berechnet',
        'fr': '✅ Confirmé — les prévisions seront recalculées à partir de vos prochains enregistrements',
        'es': '✅ Confirmado — las previsiones se recalcularán con tus próximos registros',
    },
    'dashboard.banner_anomaly_explain_fail': {
        'it': 'Impossibile ottenere spiegazione AI',
        'en': 'Could not get AI explanation',
        'de': 'KI-Erklärung konnte nicht abgerufen werden',
        'fr': 'Impossible d\'obtenir l\'explication IA',
        'es': 'No se pudo obtener la explicación de IA',
    },
    'dashboard.banner_anomaly_dismissed': {
        'it': 'Anomalia ignorata',
        'en': 'Anomaly dismissed',
        'de': 'Anomalie ignoriert',
        'fr': 'Anomalie ignorée',
        'es': 'Anomalía descartada',
    },
    'error.copy_failed': {
        'it': 'Copia negli appunti non riuscita',
        'en': 'Copy to clipboard failed',
        'de': 'Kopieren in die Zwischenablage fehlgeschlagen',
        'fr': 'Échec de la copie dans le presse-papiers',
        'es': 'Error al copiar al portapapeles',
    },
    'error.invalid_quantity': {
        'it': 'Quantità non valida',
        'en': 'Invalid quantity',
        'de': 'Ungültige Menge',
        'fr': 'Quantité invalide',
        'es': 'Cantidad no válida',
    },
    'dashboard.banner_finished_restore_prompt': {
        'it': 'Quante {unit} di {name} hai ancora? (stima sistema: {qty})',
        'en': 'How many {unit} of {name} do you still have? (system estimate: {qty})',
        'de': 'Wie viele {unit} {name} hast du noch? (Systemschätzung: {qty})',
        'fr': 'Combien de {unit} de {name} vous reste-t-il ? (estimation : {qty})',
        'es': '¿Cuántas {unit} de {name} te quedan? (estimación del sistema: {qty})',
    },
    'time.just_now': {
        'it': 'adesso', 'en': 'just now', 'de': 'gerade eben', 'fr': 'à l\'instant', 'es': 'ahora',
    },
    'time.seconds_ago': {
        'it': '{n}s fa', 'en': '{n}s ago', 'de': 'vor {n}s', 'fr': 'il y a {n}s', 'es': 'hace {n}s',
    },
    'time.minutes_ago': {
        'it': '{n} min fa', 'en': '{n} min ago', 'de': 'vor {n} min', 'fr': 'il y a {n} min', 'es': 'hace {n} min',
    },
    'time.hours_ago': {
        'it': '{n} h fa', 'en': '{n} h ago', 'de': 'vor {n} h', 'fr': 'il y a {n} h', 'es': 'hace {n} h',
    },
    'time.days_ago': {
        'it': '{n} gg fa', 'en': '{n} d ago', 'de': 'vor {n} T', 'fr': 'il y a {n} j', 'es': 'hace {n} d',
    },
    'use.locations_short': {
        'it': 'posti', 'en': 'places', 'de': 'Orte', 'fr': 'emplacements', 'es': 'ubicaciones',
    },
    'move.moved_simple': {
        'it': '📦 Spostato in {location}',
        'en': '📦 Moved to {location}',
        'de': '📦 Nach {location} verschoben',
        'fr': '📦 Déplacé vers {location}',
        'es': '📦 Movido a {location}',
    },
    'product.history_badge': {
        'it': '📊 storico', 'en': '📊 history', 'de': '📊 Verlauf', 'fr': '📊 historique', 'es': '📊 historial',
    },
    'ai.conservation_hint': {
        'it': '🤖 AI: conserva in {location}',
        'en': '🤖 AI: store in {location}',
        'de': '🤖 KI: lagere in {location}',
        'fr': '🤖 IA : conserve dans {location}',
        'es': '🤖 IA: conserva en {location}',
    },
    'settings.kiosk_update_required': {
        'it': '⚠️ Aggiorna il kiosk per usare questa funzione',
        'en': '⚠️ Update the kiosk app to use this feature',
        'de': '⚠️ Aktualisiere die Kiosk-App, um diese Funktion zu nutzen',
        'fr': '⚠️ Mettez à jour l\'application kiosk pour utiliser cette fonction',
        'es': '⚠️ Actualiza la app kiosk para usar esta función',
    },
    'shopping.bring_names_migrated': {
        'it': '🔄 {n} nomi generalizzati in Bring!',
        'en': '🔄 {n} names generalized in Bring!',
        'de': '🔄 {n} Namen in Bring! verallgemeinert',
        'fr': '🔄 {n} noms généralisés dans Bring !',
        'es': '🔄 {n} nombres generalizados en Bring!',
    },
    'scan.mode_shopping_activated': {
        'it': '🛒 Modalità Spesa attivata!',
        'en': '🛒 Shopping mode activated!',
        'de': '🛒 Einkaufsmodus aktiviert!',
        'fr': '🛒 Mode courses activé !',
        'es': '🛒 ¡Modo compras activado!',
    },
    'settings.scale.discover_scanning': {
        'it': '🔍 Scansione rete locale per gateway bilancia…',
        'en': '🔍 Scanning local network for scale gateway…',
        'de': '🔍 Lokales Netz wird nach Waagen-Gateway durchsucht…',
        'fr': '🔍 Recherche du gateway balance sur le réseau local…',
        'es': '🔍 Buscando pasarela de báscula en la red local…',
    },
    'settings.scale.discover_found': {
        'it': '✅ Gateway trovato: {url}{more}',
        'en': '✅ Gateway found: {url}{more}',
        'de': '✅ Gateway gefunden: {url}{more}',
        'fr': '✅ Gateway trouvé : {url}{more}',
        'es': '✅ Pasarela encontrada: {url}{more}',
    },
    'settings.scale.discover_not_found': {
        'it': '❌ Nessun gateway su {subnet}. Avvia l\'app Android sulla stessa Wi-Fi.',
        'en': '❌ No gateway found on {subnet}. Make sure the Android app is running and on the same Wi-Fi.',
        'de': '❌ Kein Gateway in {subnet}. Android-App auf demselben WLAN starten.',
        'fr': '❌ Aucun gateway sur {subnet}. Lancez l\'app Android sur le même Wi-Fi.',
        'es': '❌ Ninguna pasarela en {subnet}. Inicia la app Android en la misma Wi-Fi.',
    },
    'settings.scale.discover_failed': {
        'it': '❌ Ricerca fallita: {error}',
        'en': '❌ Discovery failed: {error}',
        'de': '❌ Suche fehlgeschlagen: {error}',
        'fr': '❌ Échec de la recherche : {error}',
        'es': '❌ Búsqueda fallida: {error}',
    },
    'settings.scale.discover_auto': {
        'it': '🔍 Auto', 'en': '🔍 Auto', 'de': '🔍 Auto', 'fr': '🔍 Auto', 'es': '🔍 Auto',
    },
    'settings.scale.unknown_device': {
        'it': 'Dispositivo sconosciuto',
        'en': 'Unknown device',
        'de': 'Unbekanntes Gerät',
        'fr': 'Appareil inconnu',
        'es': 'Dispositivo desconocido',
    },
    'product.from_history': {
        'it': ' (da storico)', 'en': ' (from history)', 'de': ' (aus Verlauf)', 'fr': ' (historique)', 'es': ' (del historial)',
    },
    'recipes.ing_stock_line': {
        'it': 'Hai {have} · restano {remain} dopo l\'uso',
        'en': 'You have {have} · {remain} left after use',
        'de': 'Du hast {have} · {remain} bleiben nach Gebrauch',
        'fr': 'Vous avez {have} · il reste {remain} après usage',
        'es': 'Tienes {have} · quedan {remain} después del uso',
    },
    'recipes.ing_use_all_note': {
        'it': 'uso totale (<5% della confezione intera)',
        'en': 'use all (<5% of full package left)',
        'de': 'alles verwenden (<5% der Vollpackung)',
        'fr': 'tout utiliser (<5% du conditionnement entier)',
        'es': 'usar todo (<5% del envase completo)',
    },
 }
 # fr/es gaps filled with proper translations (flat key -> value)
 FR_FILL: dict[str, str] = {
    'action.related_stock_title': 'Aussi à la maison',
    'dashboard.banner_expired_action_modify': 'Modifier',
    'dashboard.banner_expired_action_vacuum': 'Mettre sous vide',
    'recipes.stream_interrupted': 'Génération interrompue (réponse serveur incomplète). Vérifiez les logs ou réessayez.',
    'scan.stock_in_pantry': 'Déjà à la maison :',
    'scanner.expiry_found': 'Date trouvée',
    'scanner.expiry_raw_label': 'Lu',
    'scanner.expiry_read_fail': 'Impossible de lire la date.',
    'settings.info.act_new_products': 'Nouveaux produits',
    'settings.info.act_restock': 'Réapprovisionnements',
    'settings.info.act_title': 'Activité mensuelle',
    'settings.info.act_tx_month': 'Mouvements',
    'settings.info.act_tx_year': 'Mouvements annuels',
    'settings.info.act_use': 'Utilisations',
    'settings.info.ai_calls': 'Appels',
    'settings.info.ai_hint': 'Consommation mensuelle et coût estimé pour la clé API actuelle.',
    'settings.info.ai_overview': 'Aperçu IA, inventaire et état du système',
    'settings.info.ai_title': 'Gemini AI — Utilisation des tokens',
    'settings.info.bring_days': 'jeton expire dans {n} jours',
    'settings.info.bring_expired': 'jeton expiré',
    'settings.info.by_action': 'Répartition par fonction',
    'settings.info.by_model': 'Répartition par modèle',
    'settings.info.cache_entries': 'produits',
    'settings.info.calls_unit': 'appels',
    'settings.info.currency_hint': 'Devise utilisée pour tous les coûts et prix dans l\'app.',
    'settings.info.currency_title': 'Devise',
    'settings.info.db_size': 'Base de données',
    'settings.info.est_cost': 'Coût est.',
    'settings.info.input_tok': 'Tokens entrée',
    'settings.info.inv_active': 'Actifs',
    'settings.info.inv_expired': 'Expirés',
    'settings.info.inv_expiring': 'Expirent (7j)',
    'settings.info.inv_finished': 'Terminés',
    'settings.info.inv_products': 'Produits totaux',
    'settings.info.inv_title': 'Inventaire',
    'settings.info.last_backup': 'Dernière sauvegarde',
    'settings.info.loading': 'Chargement…',
    'settings.info.log_level': 'Niveau de log',
    'settings.info.log_size': 'Logs',
    'settings.info.output_tok': 'Tokens sortie',
    'settings.info.price_cache': 'Cache prix',
    'settings.info.pricing_note': 'Tarifs Gemini : 2.5-flash $0.15/M in · $0.60/M out — 2.0-flash $0.10/M in · $0.40/M out.',
    'settings.info.system_title': 'Système',
    'settings.info.tab': 'Info',
    'settings.info.total_tokens': 'Tokens totaux',
    'settings.info.year_label': 'Année {year}',
    'settings.tab_general': 'Général',
    'settings.tts.test_sound_btn': '🔔 Test sonore',
    'shopping.pantry_hint': 'Déjà à la maison : {qty}',
    'startup.check_db_legacy': 'Ancienne BD (dispensa.db)',
    'startup.check_scale': 'Passerelle balance',
    'startup.check_tts': 'URL synthèse vocale',
    'startup.critical_error_intro': 'L\'application ne peut pas démarrer en raison des problèmes suivants :',
    'startup.error_network_detail': 'Le navigateur ne peut pas joindre le serveur PHP.\n\nCauses possibles :\n• Apache/PHP n\'est pas démarré\n• Problème réseau ou pare-feu\n• URL incorrecte\n\nDémarrez le serveur et réessayez.',
    'toast.vacuum_sealed': '{name} enregistré sous vide',
 }
 ES_FILL = {
    'action.related_stock_title': 'También en casa',
    'dashboard.banner_expired_action_modify': 'Editar',
    'dashboard.banner_expired_action_vacuum': 'Poner al vacío',
    'recipes.stream_interrupted': 'Generación interrumpida (respuesta del servidor incompleta). Revisa los logs o inténtalo de nuevo.',
    'scan.stock_in_pantry': 'Ya en despensa:',
    'scanner.expiry_found': 'Fecha encontrada',
    'scanner.expiry_raw_label': 'Leído',
    'scanner.expiry_read_fail': 'No se puede leer la fecha.',
    'settings.info.act_new_products': 'Productos nuevos',
    'settings.info.act_restock': 'Reabastecimientos',
    'settings.info.act_title': 'Actividad mensual',
    'settings.info.act_tx_month': 'Movimientos',
    'settings.info.act_tx_year': 'Movimientos anuales',
    'settings.info.act_use': 'Usos',
    'settings.info.ai_calls': 'Llamadas',
    'settings.info.ai_hint': 'Consumo mensual y coste estimado para la clave API actual.',
    'settings.info.ai_overview': 'Resumen de IA, inventario y estado del sistema',
    'settings.info.ai_title': 'Gemini AI — Uso de tokens',
    'settings.info.bring_days': 'token expira en {n} días',
    'settings.info.bring_expired': 'token expirado',
    'settings.info.by_action': 'Desglose por función',
    'settings.info.by_model': 'Desglose por modelo',
    'settings.info.cache_entries': 'productos',
    'settings.info.calls_unit': 'llamadas',
    'settings.info.currency_hint': 'Moneda usada para todos los costes y precios en la app.',
    'settings.info.currency_title': 'Moneda',
    'settings.info.db_size': 'Base de datos',
    'settings.info.est_cost': 'Coste est.',
    'settings.info.input_tok': 'Tokens de entrada',
    'settings.info.inv_active': 'Activos',
    'settings.info.inv_expired': 'Caducados',
    'settings.info.inv_expiring': 'Caducan (7d)',
    'settings.info.inv_finished': 'Agotados',
    'settings.info.inv_products': 'Productos totales',
    'settings.info.inv_title': 'Inventario',
    'settings.info.last_backup': 'Última copia',
    'settings.info.loading': 'Cargando…',
    'settings.info.log_level': 'Nivel de log',
    'settings.info.log_size': 'Logs',
    'settings.info.output_tok': 'Tokens de salida',
    'settings.info.price_cache': 'Caché de precios',
    'settings.info.pricing_note': 'Precios Gemini: 2.5-flash $0.15/M in · $0.60/M out — 2.0-flash $0.10/M in · $0.40/M out.',
    'settings.info.system_title': 'Sistema',
    'settings.info.tab': 'Info',
    'settings.info.total_tokens': 'Tokens totales',
    'settings.info.year_label': 'Año {year}',
    'settings.tab_general': 'General',
    'settings.tts.test_sound_btn': '🔔 Prueba de sonido',
    'shopping.pantry_hint': 'Ya en casa: {qty}',
    'startup.check_db_legacy': 'BD antigua (dispensa.db)',
    'startup.check_scale': 'Pasarela báscula',
    'startup.check_tts': 'URL texto a voz',
    'startup.critical_error_intro': 'La app no puede iniciarse por los siguientes problemas:',
    'startup.error_network_detail': 'El navegador no puede conectar con el servidor PHP.\n\nPosibles causas:\n• Apache/PHP no está en ejecución\n• Problema de red o firewall\n• URL incorrecta\n\nInicia el servidor e inténtalo de nuevo.',
    'toast.vacuum_sealed': '{name} guardado al vacío',
 }
 def flatten(obj: dict, prefix: str = '') -> dict[str, str]:
    out: dict[str, str] = {}
    for k, v in obj.items():
        key = f'{prefix}.{k}' if prefix else k
        if isinstance(v, dict):
            out.update(flatten(v, key))
        else:
            out[key] = v
    return out
 def set_nested(root: dict, dotted: str, value: str) -> None:
    parts = dotted.split('.')
    d = root
    for p in parts[:-1]:
        d = d.setdefault(p, {})
    d[parts[-1]] = value
 def main() -> None:
    ref = json.loads((ROOT / REF).read_text(encoding='utf-8'))
    ref_flat = flatten(ref)
    en_flat = flatten(json.loads((ROOT / 'en.json').read_text(encoding='utf-8')))
    for fname in LOCALES:
        lang = fname.replace('.json', '')
        path = ROOT / fname
        data = json.loads(path.read_text(encoding='utf-8'))
        flat = flatten(data)
        # Fill missing keys from reference (Italian text as last resort via en)
        for key, ref_val in ref_flat.items():
            if key not in flat:
                if lang == 'fr' and key in FR_FILL:
                    val = FR_FILL[key]
                elif lang == 'es' and key in ES_FILL:
                    val = ES_FILL[key]
                elif lang == 'en':
                    val = en_flat.get(key, ref_val)
                else:
                    val = en_flat.get(key, ref_val)
                set_nested(data, key, val)
                flat[key] = val
        # Inject new keys
        for key, per_lang in NEW_KEYS.items():
            set_nested(data, key, per_lang[lang if lang in per_lang else 'en'])
        path.write_text(json.dumps(data, ensure_ascii=False, indent=2) + '\n', encoding='utf-8')
        print(f'Updated {fname}')
 if __name__ == '__main__':
    main()
@@ -0,0 +1,44 @@
 <?php
 /**
 * Full Bring! sync: recompute smart shopping, migrate names, dedupe generics,
 * fix specs, remove obsolete items, add missing critical/high.
 *
 * Usage: php scripts/sync-shopping-bring.php
 */
 if (PHP_SAPI !== 'cli') {
    http_response_code(403);
    exit('Forbidden');
 }
 define('CRON_MODE', true);
 require_once __DIR__ . '/../api/bootstrap.php';
 require_once __DIR__ . '/../api/index.php';
 $db = getDB();
 echo '[' . date('Y-m-d H:i:s') . "] Starting full Bring! sync…\n";
 ob_start();
 bringSyncFull($db, true);
 $json = ob_get_clean();
 $result = json_decode($json, true);
 if (!$result || empty($result['success'])) {
    echo '[' . date('Y-m-d H:i:s') . '] ERROR: ' . ($result['error'] ?? $json) . "\n";
    exit(1);
 }
 echo '[' . date('Y-m-d H:i:s') . '] Smart items: ' . ($result['smart_items'] ?? '?') . "\n";
 echo '[' . date('Y-m-d H:i:s') . '] Migrate: ' . json_encode($result['migrate'] ?? [], JSON_UNESCAPED_UNICODE) . "\n";
 echo '[' . date('Y-m-d H:i:s') . '] Dedupe: ' . json_encode($result['dedupe'] ?? [], JSON_UNESCAPED_UNICODE) . "\n";
 echo '[' . date('Y-m-d H:i:s') . '] Specs: ' . json_encode($result['specs'] ?? [], JSON_UNESCAPED_UNICODE) . "\n";
 echo '[' . date('Y-m-d H:i:s') . '] Cleanup: ' . json_encode($result['cleanup'] ?? [], JSON_UNESCAPED_UNICODE) . "\n";
 echo '[' . date('Y-m-d H:i:s') . '] Auto-add: ' . json_encode($result['auto_add'] ?? [], JSON_UNESCAPED_UNICODE) . "\n";
 if (!empty($result['dedupe_final'])) {
    echo '[' . date('Y-m-d H:i:s') . '] Dedupe (final): ' . json_encode($result['dedupe_final'], JSON_UNESCAPED_UNICODE) . "\n";
 }
 if (!empty($result['cache_restored'])) {
    echo '[' . date('Y-m-d H:i:s') . '] Cache restored: ' . $result['cache_restored'] . " items\n";
 }
 echo '[' . date('Y-m-d H:i:s') . "] Done.\n";
@@ -0,0 +1,98 @@
 #!/usr/bin/env php
 <?php
 /**
 * Triage resolved auto-report bugs only (English comments).
 * Feature/enhancement backlog issues are never bulk-closed here.
 * Usage: php scripts/triage-open-issues.php [--dry-run]
 */
 declare(strict_types=1);
 define('CRON_MODE', true);
 require_once __DIR__ . '/../api/bootstrap.php';
 require_once __DIR__ . '/../api/lib/github.php';
 require_once __DIR__ . '/../api/lib/constants.php';
 $dryRun = in_array('--dry-run', $argv ?? [], true);
 $repo   = GH_REPO;
 $token  = _ghToken();
 if ($token === '') {
    fwrite(STDERR, "ERROR: GH_ISSUE_TOKEN not configured\n");
    exit(1);
 }
 function ghApi(string $token, string $method, string $url, array $payload = []): array {
    $ch = curl_init($url);
    $headers = [
        'Authorization: token ' . $token,
        'Accept: application/vnd.github+json',
        'X-GitHub-Api-Version: 2022-11-28',
        'User-Agent: EverShelf-Triage/1.0',
        'Content-Type: application/json',
    ];
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER     => $headers,
        CURLOPT_TIMEOUT        => 20,
    ]);
    if ($method === 'PATCH') {
        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, 'PATCH');
        curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($payload));
    } elseif ($method === 'POST') {
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($payload));
    }
    $raw  = curl_exec($ch);
    $code = (int)curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    return ['http_code' => $code, 'body' => json_decode($raw ?: '{}', true) ?: []];
 }
 function commentIssue(string $token, string $repo, int $num, string $body, bool $dryRun): bool {
    if ($dryRun) {
        echo "[dry-run] comment #$num\n";
        return true;
    }
    $r = ghApi($token, 'POST', "https://api.github.com/repos/$repo/issues/$num/comments", ['body' => $body]);
    if ($r['http_code'] >= 200 && $r['http_code'] < 300) {
        echo "OK comment #$num\n";
        return true;
    }
    fwrite(STDERR, "FAIL comment #$num HTTP {$r['http_code']}: " . json_encode($r['body']) . "\n");
    return false;
 }
 function closeIssue(string $token, string $repo, int $num, bool $dryRun): bool {
    if ($dryRun) {
        echo "[dry-run] close #$num\n";
        return true;
    }
    $r = ghApi($token, 'PATCH', "https://api.github.com/repos/$repo/issues/$num", ['state' => 'closed']);
    if ($r['http_code'] >= 200 && $r['http_code'] < 300) {
        echo "OK close #$num\n";
        return true;
    }
    fwrite(STDERR, "FAIL close #$num HTTP {$r['http_code']}: " . json_encode($r['body']) . "\n");
    return false;
 }
 $bugs = [
    198 => 'Fixed in develop: `PRAGMA busy_timeout` raised to 10s and `dbWithRetry()` on `updateInventory` retries SQLITE_BUSY when cron and PWA write in parallel.',
    199 => 'Duplicate of #198 — same event (`inventory_update` → database locked). Fix: retry + longer busy_timeout.',
    196 => 'Fixed in v1.7.38+: `saveProduct` handles duplicate barcodes (merge or 409 JSON) instead of HTTP 500.',
    197 => 'PWA side-effect of PHP crash #196 — fixed with duplicate barcode handling in `saveProduct`.',
    195 => 'Fixed: `EverLog::request()` always receives strings — `(string)($_SERVER[\'REQUEST_METHOD\'] ?? \'GET\')`.',
    193 => 'Same root cause as #195 (TypeError when method was null from CLI).',
    194 => 'Fixed: `_applySpesaScanUI` referenced `currentPage` → corrected to `_currentPageId`.',
    192 => 'Fixed: TDZ on `enriched` in `renderShoppingItems`.',
    191 => 'Fixed: TDZ on `setProgress` / `barEl` in `_runStartupCheck`.',
    134 => 'Auto-report for non-writable Docker volume. Mitigations: `_ensureDataDir()`, `_ensureDbWritable()`, Dockerfile chown.',
    184 => 'Related to #134: SQLite readonly when `data/` is not writable.',
 ];
 foreach ($bugs as $num => $msg) {
    commentIssue($token, $repo, $num, $msg . "\n\n_Closed after triage — fix shipped in develop._", $dryRun);
    closeIssue($token, $repo, $num, $dryRun);
 }
 echo "Done.\n";
		`@@ -0,0 +1,2 @@`
							`# Deny all direct HTTP access to runtime data (DB, tokens, caches, logs)`
							`Require all denied`