chore: auto-merge develop → main

Triggered by: cf65e79 Release v1.7.36: recipe stock hints, ghost products, and shopping total fix.

.env.example

@@ -125,10 +125,24 @@ GDRIVE_FOLDER_ID=
 GDRIVE_RETENTION_DAYS=30
 
 # ── Security ─────────────────────────────────────────────────────────────────
-# SETTINGS_TOKEN: if set, the Settings screen requires this token to save changes.
-# Leave empty to allow anyone with access to the server to change settings.
+# API_TOKEN: when set, all API calls require header X-API-Token (or ?api_token= for HA).
+# SETTINGS_TOKEN: legacy alias — use API_TOKEN for new installs.
+API_TOKEN=
 SETTINGS_TOKEN=
 
+# CORS_ORIGIN: comma-separated allowed origins (empty = same-origin only, no wildcard)
+CORS_ORIGIN=
+
+# GitHub automatic issue reporting (encrypted storage recommended)
+# Option A — plain ( .env is gitignored ):
+# GH_ISSUE_TOKEN=ghp_...
+# Option B — encrypted (php scripts/encrypt-gh-token.php 'ghp_...' 'secret-key'):
+GH_ISSUE_TOKEN=
+GH_ISSUE_TOKEN_ENC=
+GH_ISSUE_TOKEN_KEY=
+
+# NOTE: Run `php scripts/migrate-env-security.php` once after upgrading to migrate legacy tokens.
+
 # INSTANCE_NAME: display name for this EverShelf instance (used by the HA integration
 # for Zeroconf discovery label and device name in Home Assistant).
 # Defaults to the server hostname if left empty.
@@ -160,5 +174,5 @@ HA_EXPIRY_DAYS=3
 # DEMO_MODE: when true, all write operations are blocked (for public demos)
 DEMO_MODE=false
 
-# NOTE: GitHub error reporting uses a token hardcoded in api/index.php.
-# To rotate it, update the GH_ISSUE_TOKEN constant there.
+# CRON_LOG_MAX_BYTES: rotate data/cron.log when larger (default 524288 = 512 KB)
+CRON_LOG_MAX_BYTES=524288

.htaccess

@@ -1,5 +1,19 @@
 RewriteEngine On
 
+# Block sensitive files (Apache 2.4+)
+<Files ".env">
+    Require all denied
+</Files>
+<Files ".env.example">
+    Require all denied
+</Files>
+<Files "backup.sh">
+    Require all denied
+</Files>
+<FilesMatch "^\.">
+    Require all denied
+</FilesMatch>
+
 # Force HTTPS
 RewriteCond %{HTTPS} !=on
 RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

CHANGELOG.md

@@ -11,6 +11,38 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - **Recipe scraps tips** — During cooking steps, detect "waste" generated (peels, cores, bones, eggshells, coffee grounds, citrus zest, etc.) and surface AI-powered tips on how to reuse them (compost, natural cleaner, broth, candied peel, etc.). Could be shown as an optional collapsible hint card below the step that generates the scrap.
 
+## [1.7.36] - 2026-06-04
+
+### Added
+- **Recipe ingredient stock hints** — Pantry ingredients in generated and archived recipes now show a small line under each item: how much you have in stock and how much would remain after use. Quantities are summed across all storage locations.
+- **Zero-waste use-all rule** — When the leftover would be less than **5% of the full sealed package** (or **10%** when less than one full unit is left on an opened pack), the recipe quantity is automatically bumped to use everything on hand (♻️ badge + note in all 5 languages).
+- **Ghost product detection** — Dashboard anomaly banner now surfaces products that vanished from inventory (ledger says stock should exist but no rows remain), with a restore prompt and quantity input.
+- **`inventory_restore_ghost` API** — Restores a vanished product row from the banner without losing transaction history.
+- **`product_merge` API** — Merges duplicate product records (inventory, transactions, aliases) into a single canonical product.
+- **Maintenance scripts** — `scripts/sync-i18n.py` (5-language key sync), `scripts/re-enrich-recipe.php` (re-apply stock hints to archived recipes), `scripts/merge-duplicate-products.php` (batch duplicate merge).
+
+### Fixed
+- **Unified shopping total** — Dashboard, Spesa page and screensaver now share one canonical server-side total (`shopping_total_cache`); background refresh runs during screensaver too.
+- **Recipe stream auth** — `generate_recipe_stream` and other direct `fetch()` calls now send the API token consistently, fixing 401 errors during recipe generation.
+- **Home Assistant auth compatibility** — HA integration endpoints accept the configured API token without breaking legacy setups.
+- **Security hardening** — API bootstrap modularised; scale SSE relay and sensitive routes require auth; env migration script for legacy installs.
+- **Dashboard banner i18n** — Fixed raw translation keys (`dashboard.banner_*`) showing in the UI; full sync across IT/EN/DE/FR/ES with cache bust.
+- **Ghost banner permanently hidden** — Removed incorrect `fin_*` hide logic that suppressed vanished-product alerts after a false "finished" confirmation.
+- **`deleteInventory` / `use_all` dedup** — Inventory deletions now log transactions; duplicate `use_all` within 60 s is deduplicated; `confirmFinished` reconciles ledger mismatches.
+- **Duplicate product prevention** — `saveProduct` blocks creating a second product with the same normalised name.
+- **Recipe qty normalization** — conf+weight ingredients (e.g. ceci, basilico) now keep recipe amounts in grams/ml instead of copying the inventory conf count; use-all percentage is calculated on the sealed package size, not current stock.
+
+## [1.7.35] - 2026-06-02
+
+### Fixed
+- **Barcode scanner accepts invalid codes** — Manual barcode input with an incorrect EAN checksum now blocks the lookup and shows an error (previously showed a warning but proceeded anyway). The native `BarcodeDetector` path now also validates EAN-8/EAN-13/UPC checksum before confirming a scan, consistent with the Quagga fallback which already did this check.
+- **Recipe persons +/− buttons stopped working in the generation dialog** — A duplicate `adjustRecipePersons` function added for the post-generation rescaler was overriding the one that updated the persons input in the recipe setup dialog. The rescaler is now named `scaleRecipePersons` to avoid the conflict.
+
+## [1.7.34] - 2026-05-30
+
+### Added
+- **AI visual barcode fallback** — When the barcode scanner fails to read a barcode within 5 seconds, EverShelf can now automatically capture a camera frame and send it to Gemini Vision to visually identify the product (name, brand, category). On success the product is saved and the inventory form opens just as if a barcode had been scanned. A new toggle in **Settings → Camera** (`AI visual identification (5s fallback)`) lets users enable or disable this feature at any time. Requires Gemini API key configured. Disabled by default.
+
 ## [1.7.33] - 2026-05-29
 
 ### Fixed

README.md

@@ -25,7 +25,7 @@
 [![SQLite](https://img.shields.io/badge/SQLite-3-blue.svg)](https://www.sqlite.org/)
 [![Docker](https://img.shields.io/badge/Docker-Ready-2496ED.svg)](Dockerfile)
 [![i18n](https://img.shields.io/badge/i18n-IT%20%7C%20EN%20%7C%20DE%20%7C%20FR%20%7C%20ES-orange.svg)](translations/)
-[![Version](https://img.shields.io/badge/version-1.7.33-brightgreen.svg)](CHANGELOG.md)
+[![Version](https://img.shields.io/badge/version-1.7.36-brightgreen.svg)](CHANGELOG.md)
 [![GitHub stars](https://img.shields.io/github/stars/dadaloop82/EverShelf?style=social)](https://github.com/dadaloop82/EverShelf/stargazers)
 [![Last commit](https://img.shields.io/github/last-commit/dadaloop82/EverShelf/main)](https://github.com/dadaloop82/EverShelf/commits/main)
 [![Contributors](https://img.shields.io/github/contributors/dadaloop82/EverShelf)](https://github.com/dadaloop82/EverShelf/graphs/contributors)
@@ -86,6 +86,7 @@ Connect your pantry to your smart home in minutes — no YAML, no manual sensor
 - **Existing product matching** — AI scan shows matching products already in your pantry before suggesting new ones
 - **Storage & shelf-life hint** — When adding a new product, Gemini suggests the optimal storage location and shelf-life in the background; shown as an inline AI badge next to the expiry estimate
 - **Recipe generation** — Get personalized recipes based on what's in your pantry; streams live via Server-Sent Events so results appear as they are generated
+- **Recipe stock hints** — Each pantry ingredient shows how much you have and what remains after use; when the leftover would be less than 5% of the full sealed package (10% for an already-opened partial pack), the recipe automatically uses everything on hand to avoid waste
 - **Smart chat assistant** — Ask questions about your inventory, get cooking tips
 - **Shopping suggestions with tips** — AI-powered purchase recommendations, each enriched with a short practical buying/storing tip
 - **Anomaly explanation** — "Explain" button on anomaly banners explains in plain language why a discrepancy likely occurred and what to do
@@ -236,7 +237,7 @@ TTS_ENABLED=true
 
 # Optional: DB retention and cleanup (applied automatically each cron cycle)
 RECIPE_RETENTION_DAYS=7        # delete recipe plans older than N days
-TRANSACTION_RETENTION_DAYS=7   # delete stock transactions older than N days
+TRANSACTION_RETENTION_DAYS=90   # delete stock transactions older than N days (min 30 enforced)
 
 # Optional: Vacuum-sealed expiry grace period
 VACUUM_EXPIRY_EXTENSION_DAYS=30 # extra days before vacuum-sealed items are flagged expired
@@ -247,8 +248,11 @@ GEMINI_COST_25F_OUT=0.60
 GEMINI_COST_20F_IN=0.10
 GEMINI_COST_20F_OUT=0.40
 
-# Optional: Security — protect the save_settings endpoint
-# Set a strong random string; the Settings UI will ask for it before saving
+# Optional: Security — protect all API endpoints
+# Set a strong random string; clients send it as X-API-Token header (or ?api_token= for HA)
+API_TOKEN=
+
+# Optional: Legacy alias for API_TOKEN (settings save only)
 SETTINGS_TOKEN=
 
 # Optional: Demo mode — block all write operations at the router level
@@ -416,8 +420,11 @@ evershelf-kiosk/            # 📺 Android kiosk app (add-on)
 
 - **Credentials** are stored in `.env` (server-side, never committed to Git)
 - **Database** stays local — never pushed to remote repositories
-- **API keys are never exposed to the browser** — `get_settings` returns only boolean flags (`gemini_key_set`, `settings_token_set`), never raw key values
-- **Settings write protection** — set `SETTINGS_TOKEN` in `.env` to require a secret token (`X-Settings-Token` header) for all `save_settings` calls; validated with `hash_equals` to prevent timing attacks
+- **Apache/Nginx hardening** — `.env`, `data/`, and `logs/` are blocked from direct HTTP access
+- **API token** — set `API_TOKEN` in `.env` to require `X-API-Token` on all API calls (Home Assistant: `?api_token=`)
+- **API keys are never exposed to the browser** — `get_settings` returns only boolean flags (`gemini_key_set`, `ha_token_set`, …)
+- **GitHub Issues token** — stored encrypted as `GH_ISSUE_TOKEN_ENC` + `GH_ISSUE_TOKEN_KEY` (see `scripts/encrypt-gh-token.php`)
+- **Settings write protection** — `save_settings` requires the same API token when configured; validated with `hash_equals`
 - **Demo / public mode** — set `DEMO_MODE=true` to block all write operations at the PHP router level before any business logic runs
 - The API uses **parameterized SQL queries** (PDO prepared statements) against injection
 - **Input validation** on all inventory operations (quantity bounds, location whitelist)
@@ -472,12 +479,6 @@ Contributions are welcome! See [CONTRIBUTING.md](CONTRIBUTING.md) for detailed g
 4. Push to the branch (`git push origin feature/my-feature`)
 5. Open a Pull Request
 
----
-
-## 🤝 Contributing
-
-EverShelf is a community project and contributions of any size are welcome!
-
 ### Easiest way to start — translate EverShelf into your language
 
 Translations are just JSON files. No coding, no setup — fork → edit → PR.

api/bootstrap.php

@@ -0,0 +1,11 @@
+<?php
+/**
+ * EverShelf API bootstrap — shared by HTTP router and cron.
+ */
+require_once __DIR__ . '/lib/env.php';
+require_once __DIR__ . '/lib/constants.php';
+require_once __DIR__ . '/lib/github.php';
+require_once __DIR__ . '/lib/security.php';
+require_once __DIR__ . '/lib/cron_log.php';
+require_once __DIR__ . '/logger.php';
+require_once __DIR__ . '/database.php';

api/cron_smart_shopping.php

@@ -11,14 +11,16 @@ if (PHP_SAPI !== 'cli') {
     exit('Forbidden');
 }
 
-// Define CRON_MODE before loading index.php so the router is skipped
+// Define CRON_MODE before loading bootstrap so the HTTP router is skipped
 define('CRON_MODE', true);
 
-// Load all API functions without running the HTTP router
+require_once __DIR__ . '/bootstrap.php';
 require_once __DIR__ . '/index.php';
 
 const CACHE_FILE = __DIR__ . '/../data/smart_shopping_cache.json';
 
+evershelfRotateCronLog();
+
 try {
     $db = getDB();
 

api/lib/constants.php

@@ -0,0 +1,22 @@
+<?php
+/**
+ * EverShelf — shared path constants.
+ */
+
+define('EVERSHELF_ROOT', dirname(__DIR__, 2));
+define('GH_REPO', 'dadaloop82/EverShelf');
+define('PRICE_CACHE_PATH',         EVERSHELF_ROOT . '/data/shopping_price_cache.json');
+define('CATEGORY_CACHE_PATH',      EVERSHELF_ROOT . '/data/category_ai_cache.json');
+define('SHELF_CACHE_PATH',         EVERSHELF_ROOT . '/data/opened_shelf_cache.json');
+define('FOODFACTS_CACHE_PATH',     EVERSHELF_ROOT . '/data/food_facts_cache.json');
+define('SHOPPING_NAME_CACHE_PATH', EVERSHELF_ROOT . '/data/shopping_name_cache.json');
+define('BRING_TOKEN_PATH',         EVERSHELF_ROOT . '/data/bring_token.json');
+define('AI_USAGE_PATH',            EVERSHELF_ROOT . '/data/ai_usage.json');
+define('BACKUP_DIR',               EVERSHELF_ROOT . '/data/backups');
+define('BACKUP_LAST_TS_PATH',      EVERSHELF_ROOT . '/data/backup_last_ts.json');
+define('CRON_LOG_PATH',            EVERSHELF_ROOT . '/data/cron.log');
+
+define('GEMINI_COST_25F_IN',  (float)(getenv('GEMINI_COST_25F_IN')  ?: 0.15));
+define('GEMINI_COST_25F_OUT', (float)(getenv('GEMINI_COST_25F_OUT') ?: 0.60));
+define('GEMINI_COST_20F_IN',  (float)(getenv('GEMINI_COST_20F_IN')  ?: 0.10));
+define('GEMINI_COST_20F_OUT', (float)(getenv('GEMINI_COST_20F_OUT') ?: 0.40));

api/lib/cron_log.php

@@ -0,0 +1,28 @@
+<?php
+/**
+ * Rotate data/cron.log — keep last N MB / lines.
+ */
+
+require_once __DIR__ . '/constants.php';
+
+function evershelfRotateCronLog(?int $maxBytes = null, int $keepRotated = 3): void {
+    $path = CRON_LOG_PATH;
+    if (!file_exists($path)) {
+        return;
+    }
+    $maxBytes = $maxBytes ?? max(65536, (int)env('CRON_LOG_MAX_BYTES', '524288'));
+    $size = filesize($path);
+    if ($size === false || $size <= $maxBytes) {
+        return;
+    }
+    for ($i = $keepRotated; $i >= 1; $i--) {
+        $from = ($i === 1) ? $path : $path . '.' . ($i - 1);
+        $to   = $path . '.' . $i;
+        if ($i === $keepRotated && file_exists($to)) {
+            @unlink($to);
+        }
+        if (file_exists($from)) {
+            @rename($from, $to);
+        }
+    }
+}

api/lib/env.php

@@ -0,0 +1,35 @@
+<?php
+/**
+ * EverShelf — environment variable loader (.env).
+ */
+
+function loadEnv(): array {
+    static $cache = null;
+    if ($cache !== null) {
+        return $cache;
+    }
+    $envFile = dirname(__DIR__, 2) . '/.env';
+    $cache = [];
+    if (file_exists($envFile)) {
+        $lines = file($envFile, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
+        foreach ($lines as $line) {
+            if (strpos($line, '#') === 0 || strpos($line, '=') === false) {
+                continue;
+            }
+            [$key, $val] = explode('=', $line, 2);
+            $cache[trim($key)] = trim($val);
+        }
+    }
+    return $cache;
+}
+
+function env(string $key, string $default = ''): string {
+    $vars = loadEnv();
+    return $vars[$key] ?? $default;
+}
+
+/** Push a single key into the in-memory env cache (after .env write). */
+function envCacheSet(string $key, string $value): void {
+    loadEnv();
+    // Force reload on next call — callers should use loadEnv() return for batch updates
+}

api/lib/github.php

@@ -0,0 +1,69 @@
+<?php
+/**
+ * EverShelf — GitHub issue reporting token (encrypted at rest in .env).
+ *
+ * Configure ONE of:
+ *   GH_ISSUE_TOKEN=ghp_...                    (plain, .env is gitignored)
+ *   GH_ISSUE_TOKEN_ENC=... + GH_ISSUE_TOKEN_KEY=...  (AES-256-GCM, preferred)
+ *
+ * Generate encrypted value: php scripts/encrypt-gh-token.php 'ghp_xxx' 'your-secret-key'
+ */
+
+require_once __DIR__ . '/env.php';
+
+function evershelfDecryptGhToken(string $encB64, string $key): string {
+    $raw = base64_decode($encB64, true);
+    if ($raw === false || strlen($raw) < 28) {
+        return '';
+    }
+    $iv     = substr($raw, 0, 12);
+    $tag    = substr($raw, 12, 16);
+    $cipher = substr($raw, 28);
+    $plain  = openssl_decrypt(
+        $cipher,
+        'aes-256-gcm',
+        hash('sha256', $key, true),
+        OPENSSL_RAW_DATA,
+        $iv,
+        $tag
+    );
+    return ($plain !== false) ? $plain : '';
+}
+
+function evershelfEncryptGhToken(string $plain, string $key): string {
+    $iv = random_bytes(12);
+    $tag = '';
+    $cipher = openssl_encrypt(
+        $plain,
+        'aes-256-gcm',
+        hash('sha256', $key, true),
+        OPENSSL_RAW_DATA,
+        $iv,
+        $tag
+    );
+    return base64_encode($iv . $tag . $cipher);
+}
+
+/** Decode GitHub Issues token at runtime — never stored in source code. */
+function _ghToken(): string {
+    static $token = null;
+    if ($token !== null) {
+        return $token;
+    }
+
+    $plain = env('GH_ISSUE_TOKEN');
+    if ($plain !== '') {
+        $token = $plain;
+        return $token;
+    }
+
+    $enc = env('GH_ISSUE_TOKEN_ENC');
+    $key = env('GH_ISSUE_TOKEN_KEY');
+    if ($enc !== '' && $key !== '') {
+        $token = evershelfDecryptGhToken($enc, $key);
+        return $token;
+    }
+
+    $token = '';
+    return $token;
+}

api/lib/security.php

@@ -0,0 +1,293 @@
+<?php
+/**
+ * EverShelf — authentication, CORS, demo mode, scale gateway allowlist.
+ */
+
+require_once __DIR__ . '/env.php';
+
+/** Effective API token: API_TOKEN takes precedence over legacy SETTINGS_TOKEN. */
+function evershelfEffectiveApiToken(): string {
+    $api = env('API_TOKEN');
+    if ($api !== '') {
+        return $api;
+    }
+    return env('SETTINGS_TOKEN', '');
+}
+
+function evershelfApiTokenRequired(): bool {
+    return evershelfEffectiveApiToken() !== '';
+}
+
+function evershelfGetProvidedApiToken(): string {
+    if (!empty($_SERVER['HTTP_X_API_TOKEN'])) {
+        return (string)$_SERVER['HTTP_X_API_TOKEN'];
+    }
+    if (!empty($_SERVER['HTTP_X_SETTINGS_TOKEN'])) {
+        return (string)$_SERVER['HTTP_X_SETTINGS_TOKEN'];
+    }
+    if (isset($_GET['api_token'])) {
+        return (string)$_GET['api_token'];
+    }
+    // Home Assistant ha-evershelf sends Authorization: Bearer (legacy)
+    $authHeader = $_SERVER['HTTP_AUTHORIZATION']
+        ?? $_SERVER['REDIRECT_HTTP_AUTHORIZATION']
+        ?? '';
+    if (preg_match('/^Bearer\s+(\S+)/i', $authHeader, $m)) {
+        return $m[1];
+    }
+    return evershelfGetProvidedApiTokenFromHeaders();
+}
+
+function evershelfApiTokenValid(): bool {
+    $required = evershelfEffectiveApiToken();
+    if ($required === '') {
+        return true;
+    }
+    $provided = evershelfGetProvidedApiToken();
+    return $provided !== '' && hash_equals($required, $provided);
+}
+
+function evershelfGetProvidedApiTokenFromHeaders(): string {
+    return (string)($_SERVER['HTTP_X_API_TOKEN'] ?? $_SERVER['HTTP_X_SETTINGS_TOKEN'] ?? '');
+}
+
+/** Actions reachable without API token (telemetry + public probes). */
+function evershelfPublicActions(): array {
+    return [
+        'ping',
+        'app_bootstrap',
+        'check_update',
+        'report_error',
+        'report_bug',
+        'client_log',
+        'gdrive_oauth_callback',
+    ];
+}
+
+/** GET actions that mutate state — require auth when token is configured. */
+function evershelfMutatingGetActions(): array {
+    return ['db_cleanup', 'export_inventory'];
+}
+
+function evershelfDestructiveActions(): array {
+    return [
+        'save_settings', 'db_cleanup',
+        'backup_now', 'backup_delete', 'backup_restore',
+        'gdrive_push', 'gdrive_oauth_exchange',
+        'migrate_units',
+    ];
+}
+
+function evershelfActionNeedsAuth(string $action, string $method): bool {
+    if (!evershelfApiTokenRequired()) {
+        return false;
+    }
+    if (in_array($action, evershelfPublicActions(), true)) {
+        return false;
+    }
+    if ($method === 'POST') {
+        return true;
+    }
+    if ($method === 'GET' && in_array($action, evershelfMutatingGetActions(), true)) {
+        return true;
+    }
+    if (in_array($action, ['get_logs', 'gemini_usage', 'get_client_log'], true)) {
+        return true;
+    }
+    if (in_array($action, evershelfDestructiveActions(), true)) {
+        return true;
+    }
+    // Protect all data reads when API token is set
+    return true;
+}
+
+function evershelfRequireApiAuth(string $action, string $method): void {
+    if (!evershelfActionNeedsAuth($action, $method)) {
+        return;
+    }
+    if (evershelfApiTokenValid()) {
+        return;
+    }
+    http_response_code(401);
+    header('Content-Type: application/json; charset=utf-8');
+    echo json_encode([
+        'success'            => false,
+        'error'              => 'unauthorized',
+        'api_token_required' => true,
+    ]);
+    exit;
+}
+
+function evershelfRequireAuthForSensitive(string $action): void {
+    if (!evershelfApiTokenRequired()) {
+        return;
+    }
+    if (evershelfApiTokenValid()) {
+        return;
+    }
+    http_response_code(401);
+    header('Content-Type: application/json; charset=utf-8');
+    echo json_encode(['success' => false, 'error' => 'unauthorized', 'api_token_required' => true]);
+    exit;
+}
+
+function evershelfSendCorsHeaders(): void {
+    $configured = env('CORS_ORIGIN', '');
+    if ($configured === '') {
+        // Same-origin SPA — do not emit wildcard CORS
+        return;
+    }
+    if ($configured === '*') {
+        header('Access-Control-Allow-Origin: *');
+    } else {
+        $reqOrigin = $_SERVER['HTTP_ORIGIN'] ?? '';
+        $allowed   = array_filter(array_map('trim', explode(',', $configured)));
+        if ($reqOrigin !== '' && in_array($reqOrigin, $allowed, true)) {
+            header('Access-Control-Allow-Origin: ' . $reqOrigin);
+            header('Vary: Origin');
+        }
+    }
+    header('Access-Control-Allow-Methods: GET, POST, OPTIONS');
+    header('Access-Control-Allow-Headers: Content-Type, X-EverShelf-Request, X-API-Token, X-Settings-Token');
+}
+
+/** Read-only actions allowed in DEMO_MODE. */
+function evershelfDemoReadOnlyActions(): array {
+    return [
+        'ping', 'check_update', 'health_check', 'get_settings', 'gemini_usage',
+        'search_barcode', 'lookup_barcode', 'stock_for_name',
+        'product_get', 'products_list', 'products_search', 'inventory_search',
+        'inventory_list', 'inventory_summary', 'inventory_finished_items',
+        'transactions_list', 'stats', 'monthly_stats', 'macro_stats',
+        'consumption_predictions', 'inventory_anomalies', 'inventory_duplicate_loss_checks',
+        'recent_popular_products', 'expiry_history', 'food_facts', 'opened_shelf_life',
+        'bring_list', 'bring_suggest', 'shopping_list', 'shopping_suggest', 'smart_shopping',
+        'recipes_list', 'chat_list', 'app_settings_get',
+        'ha_sensor', 'ha_info', 'ha_shopping_items', 'ha_test', 'ha_calendar',
+        'guess_category', 'get_shopping_price', 'get_all_shopping_prices',
+        'backup_list', 'export_inventory',
+    ];
+}
+
+function evershelfDemoBlocksAction(string $action, string $method): bool {
+    if (env('DEMO_MODE') !== 'true') {
+        return false;
+    }
+    if (in_array($action, evershelfDemoReadOnlyActions(), true)) {
+        return false;
+    }
+    // Block all AI generation in demo (cost + writes)
+    if (str_starts_with($action, 'gemini_') || in_array($action, [
+        'generate_recipe', 'generate_recipe_stream', 'chat_to_recipe', 'recipe_from_ingredient',
+    ], true)) {
+        return true;
+    }
+    if ($method === 'POST') {
+        return true;
+    }
+    if (in_array($action, evershelfMutatingGetActions(), true)) {
+        return true;
+    }
+    return !in_array($action, evershelfDemoReadOnlyActions(), true);
+}
+
+/** Hosts allowed for scale WebSocket relay (SSRF guard). */
+function evershelfAllowedScaleHosts(): array {
+    $hosts = ['127.0.0.1', 'localhost', '::1'];
+    $gw    = env('SCALE_GATEWAY_URL', '');
+    if ($gw !== '') {
+        $p = parse_url($gw);
+        if (!empty($p['host'])) {
+            $hosts[] = strtolower($p['host']);
+        }
+    }
+    // Server's own LAN IP — gateway may bind here on kiosk LAN
+    if (function_exists('gethostname')) {
+        $lan = gethostbyname(gethostname());
+        if ($lan && filter_var($lan, FILTER_VALIDATE_IP)) {
+            $hosts[] = $lan;
+        }
+    }
+    return array_values(array_unique($hosts));
+}
+
+function evershelfScaleHostAllowed(string $host): bool {
+    $host = strtolower(trim($host));
+    if ($host === '') {
+        return false;
+    }
+    foreach (evershelfAllowedScaleHosts() as $allowed) {
+        if ($host === strtolower($allowed)) {
+            return true;
+        }
+    }
+    // Allow private /24 only when host matches server's subnet (kiosk on same LAN)
+    $serverIp = evershelfLocalLanIp();
+    if ($serverIp !== '') {
+        $subnet = implode('.', array_slice(explode('.', $serverIp), 0, 3));
+        if (str_starts_with($host, $subnet . '.')) {
+            return true;
+        }
+    }
+    return false;
+}
+
+function evershelfLocalLanIp(): string {
+    $sock = @socket_create(AF_INET, SOCK_DGRAM, SOL_UDP);
+    if ($sock) {
+        @socket_connect($sock, '8.8.8.8', 53);
+        @socket_getsockname($sock, $ip);
+        socket_close($sock);
+        if (isset($ip) && filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
+            return $ip;
+        }
+    }
+    return '';
+}
+
+/**
+ * True when the request comes from the EverShelf web UI on the same host.
+ * Used to auto-provision API_TOKEN to the browser without manual .env copy.
+ */
+function evershelfIsSameOriginBrowser(): bool {
+    $host = strtolower(explode(':', $_SERVER['HTTP_HOST'] ?? '')[0]);
+    if ($host === '') {
+        return false;
+    }
+
+    $origin = $_SERVER['HTTP_ORIGIN'] ?? '';
+    if ($origin !== '') {
+        $oh = parse_url($origin, PHP_URL_HOST);
+        return $oh && strtolower($oh) === $host;
+    }
+
+    $referer = $_SERVER['HTTP_REFERER'] ?? '';
+    if ($referer !== '') {
+        $rh = parse_url($referer, PHP_URL_HOST);
+        return $rh && strtolower($rh) === $host;
+    }
+
+    $fetchSite = $_SERVER['HTTP_SEC_FETCH_SITE'] ?? '';
+    if (in_array($fetchSite, ['same-origin', 'same-site'], true)) {
+        return true;
+    }
+
+    return false;
+}
+
+/** Auth for scale endpoints — EventSource cannot send headers; allow query token or same-origin UI. */
+function evershelfRequireScaleAccess(): void {
+    if (!evershelfApiTokenRequired()) {
+        return;
+    }
+    if (evershelfApiTokenValid()) {
+        return;
+    }
+    if (evershelfIsSameOriginBrowser()) {
+        return;
+    }
+    http_response_code(401);
+    header('Content-Type: application/json; charset=utf-8');
+    echo json_encode(['error' => 'unauthorized', 'api_token_required' => true]);
+    exit;
+}

api/scale_discover.php

@@ -1,57 +1,53 @@
 <?php
 /**
- * EverShelf Scale Gateway — Auto-discovery
- *
- * Scans the server's local /24 subnet for any host responding on the gateway
- * port (default 8765) and confirms it with a WebSocket handshake.
- *
- * Returns: {"found": ["ws://192.168.1.100:8765", ...]}
+ * EverShelf Scale Gateway — Auto-discovery (auth + rate limit + LAN only).
  */
 
+require_once __DIR__ . '/lib/env.php';
+require_once __DIR__ . '/lib/security.php';
+
 header('Content-Type: application/json');
 header('Cache-Control: no-cache');
+evershelfSendCorsHeaders();
 
-$port = (int)($_GET['port'] ?? 8765);
-if ($port < 1 || $port > 65535) $port = 8765;
-
-// ── Determine server LAN IP ────────────────────────────────────────────────
-// SERVER_ADDR may be 127.0.0.1 when accessed via internal vhost — fall back
-// to a UDP trick (no actual packet sent) to find the default-route interface IP.
-function localLanIp(): string {
-    $sock = @socket_create(AF_INET, SOCK_DGRAM, SOL_UDP);
-    if ($sock) {
-        @socket_connect($sock, '8.8.8.8', 53);
-        @socket_getsockname($sock, $ip);
-        socket_close($sock);
-        if (isset($ip) && filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) return $ip;
-    }
-    // Fallback: parse /proc/net/route for default gateway interface then ip neigh
-    $ifaces = @net_get_interfaces();
-    if ($ifaces) {
-        foreach ($ifaces as $name => $info) {
-            if ($name === 'lo') continue;
-            foreach ($info['unicast'] ?? [] as $u) {
-                $ip = $u['address'] ?? '';
-                if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE)) continue;
-                if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) return $ip;
-            }
-        }
-    }
-    return '';
+if (evershelfApiTokenRequired() && !evershelfApiTokenValid() && !evershelfIsSameOriginBrowser()) {
+    http_response_code(401);
+    echo json_encode(['error' => 'unauthorized', 'api_token_required' => true]);
+    exit;
 }
 
-$serverIp = localLanIp();
+// Simple rate limit: max 6 scans per minute per IP
+$rlDir = dirname(__DIR__) . '/data/rate_limits';
+if (!is_dir($rlDir)) {
+    @mkdir($rlDir, 0755, true);
+}
+$rlFile = $rlDir . '/scale_discover_' . md5($_SERVER['REMOTE_ADDR'] ?? 'cli') . '.json';
+$now = time();
+$hits = [];
+if (file_exists($rlFile)) {
+    $hits = array_filter(json_decode(file_get_contents($rlFile), true) ?: [], fn($t) => $t > $now - 60);
+}
+if (count($hits) >= 6) {
+    http_response_code(429);
+    echo json_encode(['error' => 'Too many discovery scans']);
+    exit;
+}
+$hits[] = $now;
+@file_put_contents($rlFile, json_encode($hits), LOCK_EX);
+
+$port = (int)($_GET['port'] ?? 8765);
+if ($port < 1 || $port > 65535) {
+    $port = 8765;
+}
+
+$serverIp = evershelfLocalLanIp();
 $parts = explode('.', $serverIp);
 if (count($parts) !== 4) {
-    echo json_encode(['error' => 'Cannot determine local subnet', 'server_ip' => $serverIp]);
+    echo json_encode(['error' => 'Cannot determine local subnet', 'found' => []]);
     exit;
 }
 $subnet = $parts[0] . '.' . $parts[1] . '.' . $parts[2] . '.';
 
-// ── Phase 1: Async TCP connect to all 254 hosts ────────────────────────────
-// Non-blocking stream_socket_client + stream_select to detect open ports quickly.
-// Total scan budget: 1.5 seconds.
-
 $candidates = [];
 for ($i = 1; $i <= 254; $i++) {
     $ip = $subnet . $i;
@@ -74,25 +70,28 @@ while (!empty($candidates) && microtime(true) < $deadline) {
     $read   = null;
     $usec   = (int)(max(0, $deadline - microtime(true)) * 1_000_000);
     $n = @stream_select($read, $write, $except, 0, $usec);
-    if ($n === false || $n === 0) break;
+    if ($n === false || $n === 0) {
+        break;
+    }
 
-    // Sockets in $except = connection refused/error
     $failed = [];
     foreach ($except as $s) {
         $ip = array_search($s, $candidates, true);
-        if ($ip !== false) $failed[$ip] = true;
+        if ($ip !== false) {
+            $failed[$ip] = true;
+        }
     }
-    // Sockets in $write = connection complete (may overlap with $except on error)
     foreach ($write as $s) {
         $ip = array_search($s, $candidates, true);
-        if ($ip === false) continue;
+        if ($ip === false) {
+            continue;
+        }
         if (!isset($failed[$ip])) {
             $found_tcp[] = $ip;
         }
         @fclose($s);
         unset($candidates[$ip]);
     }
-    // Close failed sockets too
     foreach ($failed as $ip => $_) {
         if (isset($candidates[$ip])) {
             @fclose($candidates[$ip]);
@@ -100,13 +99,16 @@ while (!empty($candidates) && microtime(true) < $deadline) {
         }
     }
 }
-foreach ($candidates as $s) @fclose($s); // close remaining (timeout)
+foreach ($candidates as $s) {
+    @fclose($s);
+}
 
-// ── Phase 2: WebSocket handshake to confirm each TCP responder ─────────────
 $gateways = [];
 foreach ($found_tcp as $ip) {
     $sock = @stream_socket_client("tcp://{$ip}:{$port}", $errno, $errstr, 2);
-    if (!$sock) continue;
+    if (!$sock) {
+        continue;
+    }
     stream_set_timeout($sock, 2);
 
     $key = base64_encode(random_bytes(16));
@@ -124,9 +126,13 @@ foreach ($found_tcp as $ip) {
     $dl = microtime(true) + 2;
     while (microtime(true) < $dl && !feof($sock)) {
         $line = fgets($sock, 256);
-        if ($line === false) break;
+        if ($line === false) {
+            break;
+        }
         $resp .= $line;
-        if ($line === "\r\n") break;
+        if ($line === "\r\n") {
+            break;
+        }
     }
     fclose($sock);
 
@@ -138,5 +144,4 @@ foreach ($found_tcp as $ip) {
 echo json_encode([
     'found'  => $gateways,
     'subnet' => rtrim($subnet, '.') . '.0/24',
-    'server_ip' => $serverIp,
 ]);

api/scale_ping.php

@@ -1,16 +1,20 @@
 <?php
 /**
- * EverShelf Scale Gateway — Connection ping / test
- *
- * Performs a WebSocket handshake with the gateway and returns
- * {"ok":true} on success, {"ok":false,"error":"..."} on failure.
- *
- * Usage: GET /api/scale_ping.php?url=ws%3A%2F%2F192.168.1.100%3A8765
+ * EverShelf Scale Gateway — Connection ping / test (SSRF-hardened)
  */
 
+require_once __DIR__ . '/lib/env.php';
+require_once __DIR__ . '/lib/security.php';
+
 header('Content-Type: application/json');
 header('Cache-Control: no-cache');
 
+if (evershelfApiTokenRequired() && !evershelfApiTokenValid() && !evershelfIsSameOriginBrowser()) {
+    http_response_code(401);
+    echo json_encode(['ok' => false, 'error' => 'unauthorized', 'api_token_required' => true]);
+    exit;
+}
+
 $rawUrl = $_GET['url'] ?? '';
 
 if (!preg_match('#^ws://[0-9a-zA-Z][\w.\-]*(:\d{1,5})?(/.*)?$#', $rawUrl)) {
@@ -19,7 +23,7 @@ if (!preg_match('#^ws://[0-9a-zA-Z][\w.\-]*(:\d{1,5})?(/.*)?$#', $rawUrl)) {
 }
 
 $parsed = parse_url($rawUrl);
-$host   = $parsed['host'] ?? '';
+$host   = strtolower($parsed['host'] ?? '');
 $port   = (int)($parsed['port'] ?? 8765);
 $path   = ($parsed['path'] ?? '') ?: '/';
 
@@ -28,6 +32,11 @@ if (!$host || $port < 1 || $port > 65535) {
     exit;
 }
 
+if (!evershelfScaleHostAllowed($host)) {
+    echo json_encode(['ok' => false, 'error' => 'Gateway host not allowed']);
+    exit;
+}
+
 // Try to open a TCP connection with a 5-second timeout
 $sock = @stream_socket_client("tcp://{$host}:{$port}", $errno, $errstr, 5);
 if (!$sock) {

api/scale_relay.php

@@ -8,6 +8,16 @@
  * Usage: GET /api/scale_relay.php?url=ws%3A%2F%2F192.168.1.100%3A8765
  */
 
+require_once __DIR__ . '/lib/env.php';
+require_once __DIR__ . '/lib/security.php';
+
+if (evershelfApiTokenRequired() && !evershelfApiTokenValid() && !evershelfIsSameOriginBrowser()) {
+    header('Content-Type: application/json; charset=utf-8');
+    http_response_code(401);
+    echo json_encode(['error' => 'unauthorized', 'api_token_required' => true]);
+    exit;
+}
+
 // ── Input validation ──────────────────────────────────────────────────────────
 $rawUrl = $_GET['url'] ?? '';
 
@@ -19,7 +29,7 @@ if (!preg_match('#^ws://[0-9a-zA-Z][\w.\-]*(:\d{1,5})?(/.*)?$#', $rawUrl)) {
 }
 
 $parsed = parse_url($rawUrl);
-$wsHost = $parsed['host'] ?? '';
+$wsHost = strtolower($parsed['host'] ?? '');
 $wsPort = (int)($parsed['port'] ?? 8765);
 $wsPath = ($parsed['path'] ?? '') ?: '/';
 
@@ -29,6 +39,12 @@ if (!$wsHost || $wsPort < 1 || $wsPort > 65535) {
     exit;
 }
 
+if (!evershelfScaleHostAllowed($wsHost)) {
+    header('Content-Type: text/event-stream');
+    echo 'data: ' . json_encode(['type' => 'error', 'message' => 'Gateway host not allowed']) . "\n\n";
+    exit;
+}
+
 // ── SSE headers ───────────────────────────────────────────────────────────────
 header('Content-Type: text/event-stream');
 header('Cache-Control: no-cache, no-store, must-revalidate');

assets/css/style.css

@@ -2009,6 +2009,59 @@ body.server-offline .bottom-nav {
 .scan-status-msg.state-confirmed { color: #4ade80; background: rgba(74,222,128,0.22); }
 .scan-status-msg.state-retry { color: #fb923c; }
 
+/* — AI processing overlay (full-viewport, shown during Gemini Vision call) — */
+.scan-ai-overlay {
+    position: absolute;
+    inset: 0;
+    z-index: 20;
+    display: flex;
+    align-items: center;
+    justify-content: center;
+    background: rgba(0,0,0,0.72);
+    backdrop-filter: blur(4px);
+    -webkit-backdrop-filter: blur(4px);
+    border-radius: var(--radius);
+}
+.scan-ai-overlay-inner {
+    display: flex;
+    flex-direction: column;
+    align-items: center;
+    gap: 10px;
+    padding: 24px 28px;
+    background: rgba(255,255,255,0.07);
+    border: 1.5px solid rgba(255,255,255,0.18);
+    border-radius: 16px;
+}
+.scan-ai-overlay-label {
+    font-size: 0.65rem;
+    color: rgba(255,255,255,0.5);
+    text-transform: uppercase;
+    letter-spacing: 0.1em;
+    font-family: monospace;
+}
+.scan-ai-overlay-msg {
+    font-size: 0.88rem;
+    color: #fff;
+    text-align: center;
+    max-width: 220px;
+}
+
+/* — AI retry button (shown below scanner after visual ID fails) — */
+.scan-ai-retry-btn {
+    width: 100%;
+    margin-top: 10px;
+    font-size: 0.95rem;
+    padding: 12px;
+    border-radius: var(--radius);
+    border: 2px solid var(--accent);
+    background: rgba(124,58,237,0.1);
+    color: var(--accent);
+    font-weight: 600;
+    cursor: pointer;
+    transition: background 0.15s;
+}
+.scan-ai-retry-btn:active { background: rgba(124,58,237,0.22); }
+
 /* — Viewport overlay controls (torch / zoom / flip) — */
 .scan-viewport-controls {
     position: absolute;
@@ -2059,6 +2112,118 @@ body.server-offline .bottom-nav {
     box-shadow: var(--shadow);
 }
 
+.scan-ai-match-box {
+    display: flex;
+    flex-direction: column;
+    gap: 12px;
+}
+.scan-ai-match-head {
+    display: flex;
+    flex-direction: column;
+    gap: 4px;
+}
+.scan-ai-match-title {
+    font-size: 1rem;
+    font-weight: 700;
+    color: var(--text);
+}
+.scan-ai-match-subtitle {
+    font-size: 0.82rem;
+    color: var(--text-muted);
+}
+.scan-ai-match-list-wrap {
+    display: flex;
+    flex-direction: column;
+    gap: 8px;
+}
+.scan-ai-match-list-title {
+    font-size: 0.78rem;
+    text-transform: uppercase;
+    letter-spacing: 0.06em;
+    color: var(--text-muted);
+    font-weight: 700;
+}
+.scan-ai-match-list {
+    display: flex;
+    flex-direction: column;
+    gap: 6px;
+}
+.scan-ai-candidate-item {
+    border: 1px solid var(--border);
+    background: var(--bg-main);
+    border-radius: 12px;
+    padding: 10px;
+    display: flex;
+    align-items: center;
+    gap: 10px;
+    cursor: pointer;
+    text-align: left;
+}
+.scan-ai-candidate-item:active { transform: scale(0.99); }
+.scan-ai-candidate-icon {
+    font-size: 1.3rem;
+    flex-shrink: 0;
+}
+.scan-ai-candidate-info {
+    min-width: 0;
+    display: flex;
+    flex-direction: column;
+    gap: 2px;
+    flex: 1;
+}
+.scan-ai-candidate-name {
+    font-size: 0.9rem;
+    font-weight: 600;
+    color: var(--text);
+    white-space: nowrap;
+    overflow: hidden;
+    text-overflow: ellipsis;
+}
+.scan-ai-candidate-meta {
+    font-size: 0.76rem;
+    color: var(--text-muted);
+    white-space: nowrap;
+    overflow: hidden;
+    text-overflow: ellipsis;
+}
+.scan-ai-candidate-cta {
+    font-size: 0.74rem;
+    color: var(--accent);
+    border: 1px solid var(--accent);
+    border-radius: 999px;
+    padding: 3px 8px;
+    flex-shrink: 0;
+}
+.scan-ai-match-empty {
+    font-size: 0.86rem;
+    color: var(--text-muted);
+    background: var(--bg-main);
+    border: 1px dashed var(--border);
+    border-radius: 10px;
+    padding: 10px 12px;
+}
+.scan-ai-add-btn {
+    width: 100%;
+}
+.scan-ai-detected-label {
+    font-size: 0.72rem;
+    font-weight: 700;
+    letter-spacing: 0.04em;
+    text-transform: uppercase;
+    color: var(--text-muted);
+}
+.scan-ai-detected-pill {
+    font-size: 0.8rem;
+    color: var(--text-muted);
+    background: var(--bg-main);
+    border-radius: 999px;
+    border: 1px solid var(--border);
+    padding: 6px 10px;
+    white-space: nowrap;
+    overflow: hidden;
+    text-overflow: ellipsis;
+}
+
 /* — Recent scans — */
 .scan-recents {
     display: flex;
@@ -4295,6 +4460,93 @@ body.server-offline .bottom-nav {
     line-height: 1.5;
 }
 
+/* ===== RECIPE NUTRITION BLOCK ===== */
+.recipe-nutrition-block {
+    background: #f0fdf4;
+    border: 1px solid #bbf7d0;
+    border-radius: var(--radius-sm);
+    padding: 12px 14px 8px;
+    margin-top: 16px;
+}
+.recipe-section-heading {
+    font-size: 0.85rem;
+    font-weight: 700;
+    color: #15803d;
+    margin: 0 0 10px;
+    text-transform: uppercase;
+    letter-spacing: 0.03em;
+}
+.recipe-nutrition-grid {
+    display: grid;
+    grid-template-columns: repeat(4, 1fr);
+    gap: 8px;
+    text-align: center;
+}
+.recipe-nutrition-item {
+    display: flex;
+    flex-direction: column;
+    align-items: center;
+    gap: 2px;
+}
+.recipe-nutrition-icon { font-size: 1.2rem; }
+.recipe-nutrition-value {
+    font-size: 0.95rem;
+    font-weight: 700;
+    color: #15803d;
+}
+.recipe-nutrition-label {
+    font-size: 0.65rem;
+    color: #64748b;
+    text-transform: uppercase;
+    letter-spacing: 0.04em;
+}
+.recipe-nutrition-note {
+    font-size: 0.7rem;
+    color: #94a3b8;
+    text-align: center;
+    margin: 6px 0 0;
+}
+.recipe-nutrition-footnote {
+    color: var(--text-muted);
+    font-size: 0.85rem;
+    margin-top: 12px;
+}
+
+/* ===== RECIPE STORAGE CARD ===== */
+.recipe-storage-card {
+    background: #fffbeb;
+    border: 1px solid #fde68a;
+    border-radius: var(--radius-sm);
+    padding: 12px 14px 8px;
+    margin-top: 12px;
+}
+.recipe-storage-card .recipe-section-heading { color: #b45309; }
+.recipe-storage-row {
+    display: flex;
+    flex-wrap: wrap;
+    gap: 6px;
+    margin-bottom: 6px;
+}
+.recipe-storage-badge {
+    background: #fef3c7;
+    border: 1px solid #fcd34d;
+    border-radius: 20px;
+    padding: 2px 12px;
+    font-size: 0.8rem;
+    font-weight: 600;
+    color: #92400e;
+    white-space: nowrap;
+    text-transform: capitalize;
+}
+.recipe-storage-days { background: #dbeafe; border-color: #93c5fd; color: #1d4ed8; }
+.recipe-storage-now  { background: #fee2e2; border-color: #fca5a5; color: #b91c1c; }
+.recipe-storage-tips {
+    font-size: 0.82rem;
+    color: #78350f;
+    margin: 2px 0 0;
+    line-height: 1.4;
+}
+
 .recipe-tools-banner {
     display: flex;
     flex-wrap: wrap;
@@ -4419,6 +4671,13 @@ body.server-offline .bottom-nav {
     line-height: 1.3;
 }
 
+.recipe-ing-stock {
+    color: var(--text-muted);
+    font-size: 0.72rem;
+    line-height: 1.35;
+    opacity: 0.9;
+}
+
 /* ===== SHOPPING SECTION (REPARTO) HEADERS ===== */
 .shopping-section-divider {
     display: flex;
@@ -5939,6 +6198,12 @@ body.cooking-mode-active .app-header {
 }
 .banner-anomaly .alert-banner-title { color: #9a3412; }
 .banner-anomaly .alert-banner-counter .banner-dot.active { background: #ea580c; }
+.alert-banner.banner-dup-loss {
+    background: linear-gradient(135deg, #fef2f2 0%, #fecaca 100%);
+    border-color: #dc2626;
+}
+.banner-dup-loss .alert-banner-title { color: #991b1b; }
+.banner-dup-loss .alert-banner-counter .banner-dot.active { background: #dc2626; }
 .alert-banner.banner-no-expiry {
     background: linear-gradient(135deg, #f0fdf4 0%, #bbf7d0 100%);
     border-color: #16a34a;
@@ -7838,6 +8103,8 @@ body.cooking-mode-active .app-header {
 [data-theme="dark"] .banner-prediction .alert-banner-counter     { color: #a78bfa; }
 [data-theme="dark"] .alert-banner.banner-anomaly                 { background: #1a1200; border-color: #c2410c; }
 [data-theme="dark"] .banner-anomaly .alert-banner-title          { color: #fdba74; }
+[data-theme="dark"] .alert-banner.banner-dup-loss                { background: #2a0808; border-color: #dc2626; }
+[data-theme="dark"] .banner-dup-loss .alert-banner-title         { color: #fca5a5; }
 [data-theme="dark"] .alert-banner.banner-no-expiry               { background: #0f2a1a; border-color: #166534; }
 [data-theme="dark"] .banner-no-expiry .alert-banner-title        { color: #86efac; }
 
@@ -7908,6 +8175,18 @@ body.cooking-mode-active .app-header {
 
 /* ── Recipe components ── */
 [data-theme="dark"] .recipe-expiry-note  { background: #2a1e00; color: #fde68a; }
+[data-theme="dark"] .recipe-nutrition-block { background: #052e16; border-color: #166534; }
+[data-theme="dark"] .recipe-section-heading { color: #4ade80; }
+[data-theme="dark"] .recipe-storage-card .recipe-section-heading { color: #fbbf24; }
+[data-theme="dark"] .recipe-nutrition-value { color: #4ade80; }
+[data-theme="dark"] .recipe-nutrition-label { color: #94a3b8; }
+[data-theme="dark"] .recipe-nutrition-note  { color: #64748b; }
+[data-theme="dark"] .recipe-nutrition-footnote { color: var(--text-muted); }
+[data-theme="dark"] .recipe-storage-card { background: #1c1400; border-color: #78350f; }
+[data-theme="dark"] .recipe-storage-badge { background: #2a1e00; border-color: #92400e; color: #fde68a; }
+[data-theme="dark"] .recipe-storage-days { background: #0c1a2e; border-color: #1d4ed8; color: #93c5fd; }
+[data-theme="dark"] .recipe-storage-now  { background: #2a0a0a; border-color: #b91c1c; color: #fca5a5; }
+[data-theme="dark"] .recipe-storage-tips { color: #fde68a; }
 [data-theme="dark"] .recipe-tools-banner { background: #1a1040; border-color: #3730a3; color: #c4b5fd; }
 [data-theme="dark"] .recipe-tool-chip    { background: #2e1a4a; color: #c4b5fd; }
 [data-theme="dark"] .recipe-step-appliance { background: #052e16; border-color: #166534; color: #4ade80; }

assets/js/core/auth.js

@@ -0,0 +1,77 @@
+/**
+ * EverShelf core — API token storage and auth headers.
+ */
+const EVERSHELF_TOKEN_KEY = 'evershelf_api_token';
+
+function getApiToken() {
+    return localStorage.getItem(EVERSHELF_TOKEN_KEY) || '';
+}
+
+function setApiToken(token) {
+    const t = (token || '').trim();
+    if (t) {
+        localStorage.setItem(EVERSHELF_TOKEN_KEY, t);
+    } else {
+        localStorage.removeItem(EVERSHELF_TOKEN_KEY);
+    }
+}
+
+function apiAuthHeaders() {
+    const fromStorage = getApiToken();
+    const fromSettingsField = document.getElementById('setting-settings-token')?.value.trim() || '';
+    const token = fromSettingsField || fromStorage;
+    if (!token) return {};
+    return { 'X-API-Token': token };
+}
+
+/** Fetch API token from server when loading the UI from the same origin. */
+async function ensureApiToken() {
+    if (getApiToken()) return true;
+    try {
+        const res = await fetch('api/index.php?action=app_bootstrap', { cache: 'no-store' });
+        if (!res.ok) return false;
+        const data = await res.json();
+        window._apiTokenRequired = !!data.api_token_required;
+        if (data.api_token) {
+            setApiToken(data.api_token);
+            return true;
+        }
+    } catch (_) { /* offline / network */ }
+    return !!getApiToken();
+}
+
+function _promptApiTokenIfNeeded() {
+    if (!window._apiTokenRequired) return;
+    if (getApiToken()) return;
+    const existing = document.getElementById('api-token-overlay');
+    if (existing) return;
+    const title = typeof t === 'function' ? t('startup.token_prompt_title') : '🔒 API Token';
+    const hint  = typeof t === 'function' ? t('startup.token_prompt_hint') : 'Enter API_TOKEN from .env';
+    const btn   = typeof t === 'function' ? t('startup.token_prompt_btn') : 'Continue';
+    const overlay = document.createElement('div');
+    overlay.id = 'api-token-overlay';
+    overlay.className = 'modal-overlay';
+    overlay.style.display = 'flex';
+    overlay.innerHTML = `
+        <div class="modal-content" style="max-width:420px;padding:20px">
+            <h3>${title}</h3>
+            <p class="settings-hint">${hint}</p>
+            <input type="password" id="api-token-input" class="form-input" placeholder="API token">
+            <button class="btn btn-primary full-width mt-2" id="api-token-save">${btn}</button>
+        </div>`;
+    document.body.appendChild(overlay);
+    document.getElementById('api-token-save').onclick = () => {
+        const v = document.getElementById('api-token-input').value.trim();
+        if (v) {
+            setApiToken(v);
+            overlay.remove();
+            location.reload();
+        }
+    };
+}
+
+window.getApiToken = getApiToken;
+window.setApiToken = setApiToken;
+window.apiAuthHeaders = apiAuthHeaders;
+window.ensureApiToken = ensureApiToken;
+window._promptApiTokenIfNeeded = _promptApiTokenIfNeeded;

assets/js/core/dom.js

@@ -0,0 +1,11 @@
+/**
+ * EverShelf core — safe HTML escaping (loaded before app.js).
+ */
+function escapeHtml(str) {
+    if (str == null) return '';
+    const div = document.createElement('div');
+    div.textContent = String(str);
+    return div.innerHTML;
+}
+
+window.escapeHtml = escapeHtml;

backup.sh

@@ -1,13 +1,19 @@
 #!/bin/bash
 # Daily backup of EverShelf database (local only)
-# The database is NOT pushed to remote repositories.
-# Runs via cron: creates a local timestamped backup copy
-#
-# Example crontab entry:
-#   0 3 * * * /var/www/html/evershelf/backup.sh
+# Retention follows BACKUP_RETENTION_DAYS from .env (default 3)
 
-INSTALL_DIR="$(cd "$(dirname "$0")" && pwd)"
+set -euo pipefail
+INSTALL_DIR="$(cd "$(dirname "$0")/.." && pwd)"
 BACKUP_DIR="${INSTALL_DIR}/data/backups"
+ENV_FILE="${INSTALL_DIR}/.env"
+
+RETENTION=3
+if [ -f "$ENV_FILE" ]; then
+    val=$(grep -E '^BACKUP_RETENTION_DAYS=' "$ENV_FILE" | tail -1 | cut -d= -f2)
+    if [[ "$val" =~ ^[0-9]+$ ]] && [ "$val" -ge 1 ]; then
+        RETENTION="$val"
+    fi
+fi
 
 mkdir -p "$BACKUP_DIR"
 
@@ -19,5 +25,5 @@ fi
 DATE=$(date '+%Y-%m-%d_%H%M')
 cp "$DB_FILE" "${BACKUP_DIR}/evershelf_${DATE}.db"
 
-# Keep only the last 7 backups
-ls -t "${BACKUP_DIR}"/evershelf_*.db 2>/dev/null | tail -n +8 | xargs -r rm --
+# Keep only the newest N backups
+ls -t "${BACKUP_DIR}"/evershelf_*.db 2>/dev/null | tail -n +$((RETENTION + 1)) | xargs -r rm --

data/.htaccess

@@ -0,0 +1,2 @@
+# Deny all direct HTTP access to runtime data (DB, tokens, caches, logs)
+Require all denied

docs/ARCHITECTURE.md

@@ -0,0 +1,38 @@
+# EverShelf — Architecture (modular layout)
+
+```
+dispensa/
+├── api/
+│   ├── bootstrap.php       # Shared init: env, security, DB, logger
+│   ├── index.php           # HTTP handlers + router (split planned per domain)
+│   ├── database.php        # SQLite schema & migrations
+│   ├── logger.php          # Rotating file logger (logs/)
+│   ├── cron_smart_shopping.php  # CLI cron (uses bootstrap + index handlers)
+│   ├── lib/
+│   │   ├── env.php         # .env loader
+│   │   ├── constants.php   # Paths & pricing constants
+│   │   ├── security.php    # API auth, CORS, demo mode, scale allowlist
+│   │   ├── github.php      # Encrypted GitHub Issues token
+│   │   └── cron_log.php    # data/cron.log rotation
+│   └── scale_*.php         # Scale gateway helpers (auth + SSRF guards)
+├── assets/
+│   ├── js/
+│   │   ├── core/           # auth.js, dom.js (loaded before app.js)
+│   │   └── app.js          # SPA logic (domain modules: future split)
+│   └── vendor/             # Offline CDN fallbacks (quagga, transformers)
+├── data/                   # Runtime data (.htaccess: deny all)
+├── logs/                   # Application logs (.htaccess: deny all)
+└── scripts/                # migrate-env-security, fix-permissions, encrypt-gh-token
+```
+
+## Security model
+
+- **`API_TOKEN`** (or legacy **`SETTINGS_TOKEN`**): when set, every API action requires `X-API-Token` header or `?api_token=` (Home Assistant).
+- Secrets (`HA_TOKEN`, `TTS_TOKEN`, `GEMINI_API_KEY`) stay in `.env`; `get_settings` exposes only `*_set` flags.
+- **`GH_ISSUE_TOKEN_ENC`** + **`GH_ISSUE_TOKEN_KEY`**: AES-256-GCM encrypted GitHub Issues token.
+
+## Planned refactors
+
+1. Split `api/index.php` handlers into `api/handlers/{products,inventory,ai,shopping}.php`
+2. Split `assets/js/app.js` into ES modules under `assets/js/features/`
+3. Optional `npm run build` to minify JS/CSS (see `package.json`)

evershelf-kiosk/app/src/main/kotlin/it/dadaloop/evershelf/kiosk/KioskActivity.kt

@@ -101,6 +101,20 @@ class KioskActivity : AppCompatActivity() {
     // Pending WebView permission request
     private var pendingWebPermission: PermissionRequest? = null
 
+    private fun safeEvalJs(script: String) {
+        if (!::webView.isInitialized) return
+        if (isFinishing || isDestroyed) return
+        if (webView.visibility != View.VISIBLE) return
+        runCatching { webView.evaluateJavascript(script, null) }
+            .onFailure {
+                ErrorReporter.reportMessage(
+                    type = "webview-js-bridge-error",
+                    message = "Failed to deliver JS callback to WebView",
+                    extra = mapOf("error" to (it.message ?: "unknown"))
+                )
+            }
+    }
+
     companion object {
         private const val FILE_CHOOSER_REQUEST    = 1002
         private const val PERMISSION_REQUEST_CODE = 1003
@@ -150,18 +164,18 @@ class KioskActivity : AppCompatActivity() {
                     override fun onStart(utteranceId: String?) {}
                     override fun onDone(utteranceId: String?) {
                         runOnUiThread {
-                            webView.evaluateJavascript("if(window._kioskTtsDone)window._kioskTtsDone('$utteranceId')", null)
+                            safeEvalJs("if(window._kioskTtsDone)window._kioskTtsDone('$utteranceId')")
                         }
                     }
                     @Deprecated("Deprecated in API 21")
                     override fun onError(utteranceId: String?) {
                         runOnUiThread {
-                            webView.evaluateJavascript("if(window._kioskTtsError)window._kioskTtsError('$utteranceId','error')", null)
+                            safeEvalJs("if(window._kioskTtsError)window._kioskTtsError('$utteranceId','error')")
                         }
                     }
                     override fun onError(utteranceId: String?, errorCode: Int) {
                         runOnUiThread {
-                            webView.evaluateJavascript("if(window._kioskTtsError)window._kioskTtsError('$utteranceId',$errorCode)", null)
+                            safeEvalJs("if(window._kioskTtsError)window._kioskTtsError('$utteranceId',$errorCode)")
                         }
                     }
                 })

index.html

@@ -11,9 +11,13 @@
     <title>EverShelf</title>
     <link rel="manifest" href="manifest.json">
     <link rel="icon" type="image/png" href="assets/img/logo/logo_icon.png">
-    <link rel="stylesheet" href="assets/css/style.css?v=20260517a">
-    <!-- QuaggaJS for barcode scanning -->
-    <script src="https://cdn.jsdelivr.net/npm/@ericblade/quagga2@1.8.4/dist/quagga.min.js"></script>
+    <link rel="stylesheet" href="assets/css/style.css?v=20260603a">
+    <!-- Core modules (auth, DOM helpers) -->
+    <script src="assets/js/core/dom.js?v=20260603a"></script>
+    <script src="assets/js/core/auth.js?v=20260603b"></script>
+    <!-- QuaggaJS — local vendor with CDN fallback -->
+    <script src="assets/vendor/quagga/quagga.min.js?v=20260603a"></script>
+    <script>if(typeof Quagga==='undefined'){document.write('<script src="https://cdn.jsdelivr.net/npm/@ericblade/quagga2@1.8.4/dist/quagga.min.js"><\\/script>');}</script>
     <!-- @xenova/transformers: ES-module bootstrap that exposes a lazy category-classifier as window._categoryPipelinePromise -->
     <script type="module">
         // Lazy-load the embedding pipeline only when first needed.
@@ -25,11 +29,15 @@
             if (window._categoryPipelinePromise) return window._categoryPipelinePromise;
             window._categoryPipelinePromise = (async () => {
                 try {
-                    const { pipeline, env } = await import(
-                        'https://cdn.jsdelivr.net/npm/@xenova/transformers@2/src/transformers.min.js'
-                    );
-                    // Keep WASM/model files in the browser cache; disable remote model check
-                    // to avoid CORS issues with the self-hosted instance.
+                    const localBase = 'assets/vendor/transformers/';
+                    const cdnBase = 'https://cdn.jsdelivr.net/npm/@xenova/transformers@2.17.2/dist/';
+                    let pipeline, env;
+                    try {
+                        ({ pipeline, env } = await import(localBase + 'transformers.min.js'));
+                    } catch (_) {
+                        ({ pipeline, env } = await import(cdnBase + 'transformers.min.js'));
+                    }
+                    env.localModelPath = localBase;
                     env.allowRemoteModels = true;
                     env.useBrowserCache   = true;
                     const pipe = await pipeline(
@@ -64,7 +72,7 @@
         <div id="preloader-warnings" class="preloader-warnings" style="display:none"></div>
         <div id="preloader-error-msg" class="preloader-error-msg" style="display:none"></div>
         <button id="preloader-retry-btn" class="preloader-retry-btn" style="display:none" onclick="_startupRetry()">🔄 <span data-i18n="startup.retry">Riprova</span></button>
-        <span class="app-preloader-version" id="preloader-version">v1.7.25</span>
+        <span class="app-preloader-version" id="preloader-version">v1.7.36</span>
     </div>
 </div>
 
@@ -77,7 +85,7 @@
         <!-- Title — left-aligned; grows to fill space -->
         <div class="header-title-wrap">
             <h1 class="header-title" onclick="showPage('dashboard')">
-                <img src="assets/img/logo/logo_icon.png" alt="" class="header-logo-icon" aria-hidden="true" /><span data-i18n="nav.title">EverShelf</span><span class="header-version">v1.7.25</span>
+                <img src="assets/img/logo/logo_icon.png" alt="" class="header-logo-icon" aria-hidden="true" /><span data-i18n="nav.title">EverShelf</span><span class="header-version">v1.7.36</span>
             </h1>
             <!-- Update badge — shown alongside title, never replaces it -->
             <span class="header-update-badge" id="header-update-badge" style="display:none"></span>
@@ -194,7 +202,7 @@
     <!-- ===== INVENTORY LIST ===== -->
     <section class="page" id="page-inventory">
         <div class="page-header">
-            <button class="back-btn" onclick="showPage('dashboard')" data-i18n="btn.back">← Indietro</button>
+            <button class="back-btn" onclick="goBack()" data-i18n="btn.back">← Indietro</button>
             <h2 id="inventory-title" data-i18n="inventory.title">Dispensa</h2>
             <button class="page-header-action-btn" onclick="_showExportModal()" title="Export" data-i18n-title="export.btn_title">📤</button>
         </div>
@@ -225,7 +233,7 @@
     <!-- ===== SCAN PAGE ===== -->
     <section class="page" id="page-scan">
         <div class="page-header">
-            <button class="back-btn" onclick="stopScanner(); showPage('dashboard')" data-i18n="btn.back">← Indietro</button>
+            <button class="back-btn" onclick="goBack()" data-i18n="btn.back">← Indietro</button>
             <h2 data-i18n="scan.title">Scansiona</h2>
             <button class="scan-spesa-chip" id="scan-spesa-btn" onclick="startSpesaMode()" data-i18n="scan.spesa_btn">🛒 Spesa</button>
         </div>
@@ -256,6 +264,14 @@
                     <span id="scan-status-method" class="scan-status-method"></span>
                     <span id="scan-status-msg" class="scan-status-msg" data-i18n="scan.status_ready"></span>
                 </div>
+                <!-- AI processing overlay (shown when Gemini Vision is analyzing) -->
+                <div class="scan-ai-overlay" id="scan-ai-overlay" style="display:none">
+                    <div class="scan-ai-overlay-inner">
+                        <div class="loading-spinner"></div>
+                        <span class="scan-ai-overlay-label">Gemini Vision</span>
+                        <span class="scan-ai-overlay-msg" id="scan-ai-overlay-msg"></span>
+                    </div>
+                </div>
                 <!-- Success flash overlay -->
                 <div class="scan-confirm-overlay" id="scan-confirm-overlay" style="display:none">
                     <div class="scan-confirm-check">✓</div>
@@ -274,6 +290,9 @@
             <!-- Scan errors -->
             <div class="scan-result" id="scan-result" style="display:none"></div>
 
+            <!-- AI retry button (shown after visual identification fails) -->
+            <button class="btn btn-accent scan-ai-retry-btn" id="scan-ai-retry-btn" style="display:none" onclick="_retryAiScan()" data-i18n="scan.ai_retry_btn">🤖 Riprova con AI</button>
+
             <!-- Recent scans -->
             <div class="scan-recents" id="scan-recents" style="display:none">
                 <span class="scan-recents-label" data-i18n="scan.recents_label">Recenti</span>
@@ -333,7 +352,7 @@
     <!-- ===== PRODUCT ACTION (IN/OUT after scan) ===== -->
     <section class="page" id="page-action">
         <div class="page-header">
-            <button class="back-btn" id="action-back-btn" onclick="showPage('scan')" data-i18n="btn.back">← Indietro</button>
+            <button class="back-btn" id="action-back-btn" onclick="goBack()" data-i18n="btn.back">← Indietro</button>
             <h2 data-i18n="action.title">Cosa vuoi fare?</h2>
         </div>
         <!-- Banner: shopping list scan context -->
@@ -356,7 +375,7 @@
     <!-- ===== ADD TO INVENTORY FORM ===== -->
     <section class="page" id="page-add">
         <div class="page-header">
-            <button class="back-btn" onclick="showPage('action')" data-i18n="btn.back">← Indietro</button>
+            <button class="back-btn" onclick="goBack()" data-i18n="btn.back">← Indietro</button>
             <h2 data-i18n="add.title">Aggiungi alla Dispensa</h2>
         </div>
         <div class="product-preview-small" id="add-product-preview"></div>
@@ -419,7 +438,7 @@
     <!-- ===== USE FROM INVENTORY FORM ===== -->
     <section class="page" id="page-use">
         <div class="page-header">
-            <button class="back-btn" onclick="showPage('action')" data-i18n="btn.back">← Indietro</button>
+            <button class="back-btn" onclick="goBack()" data-i18n="btn.back">← Indietro</button>
             <h2 data-i18n="use.title">Usa / Consuma</h2>
         </div>
         <div class="product-preview-small" id="use-product-preview"></div>
@@ -475,7 +494,7 @@
     <!-- ===== MANUAL / EDIT PRODUCT FORM ===== -->
     <section class="page" id="page-product-form">
         <div class="page-header">
-            <button class="back-btn" onclick="showPage('scan')" data-i18n="btn.back">← Indietro</button>
+            <button class="back-btn" onclick="goBack()" data-i18n="btn.back">← Indietro</button>
             <h2 id="product-form-title">Nuovo Prodotto</h2>
         </div>
         <form class="form" onsubmit="submitProduct(event)">
@@ -663,7 +682,7 @@
     <!-- ===== ALL PRODUCTS PAGE ===== -->
     <section class="page" id="page-products">
         <div class="page-header">
-            <button class="back-btn" onclick="showPage('dashboard')" data-i18n="btn.back">← Indietro</button>
+            <button class="back-btn" onclick="goBack()" data-i18n="btn.back">← Indietro</button>
             <h2 data-i18n="products.title">📦 Tutti i Prodotti</h2>
         </div>
         <div class="search-bar">
@@ -675,7 +694,7 @@
     <!-- ===== RECIPE PAGE ===== -->
     <section class="page" id="page-recipe">
         <div class="page-header">
-            <button class="back-btn" onclick="showPage('dashboard')" data-i18n="btn.back">← Indietro</button>
+            <button class="back-btn" onclick="goBack()" data-i18n="btn.back">← Indietro</button>
             <h2 data-i18n="recipes.title">🍳 Ricette</h2>
         </div>
         <div class="recipe-page-container">
@@ -689,7 +708,7 @@
     <!-- ===== SHOPPING LIST (BRING!) PAGE ===== -->
     <section class="page" id="page-shopping">
         <div class="page-header">
-            <button class="back-btn" onclick="showPage('dashboard')" data-i18n="btn.back">← Indietro</button>
+            <button class="back-btn" onclick="goBack()" data-i18n="btn.back">← Indietro</button>
             <h2 data-i18n="shopping.title">🛒 Lista della Spesa</h2>
         </div>
         <div class="shopping-container">
@@ -797,7 +816,7 @@
     <!-- ===== AI IDENTIFICATION PAGE ===== -->
     <section class="page" id="page-ai">
         <div class="page-header">
-            <button class="back-btn" onclick="stopScanner(); showPage('scan')" data-i18n="btn.back">← Indietro</button>
+            <button class="back-btn" onclick="goBack()" data-i18n="btn.back">← Indietro</button>
             <h2 data-i18n="ai.title">🤖 Identificazione AI</h2>
         </div>
         <div class="ai-container">
@@ -835,7 +854,7 @@
     <!-- ===== SETTINGS PAGE ===== -->
     <section class="page" id="page-settings">
         <div class="page-header">
-            <button class="back-btn" onclick="showPage('dashboard')" data-i18n="btn.back">← Indietro</button>
+            <button class="back-btn" onclick="goBack()" data-i18n="btn.back">← Indietro</button>
             <h2 data-i18n="settings.title">⚙️ Configurazione</h2>
         </div>
         <div class="settings-tabs">
@@ -1183,6 +1202,16 @@
                         <p class="settings-hint mt-2" data-i18n="settings.camera.devices_hint">Se hai più fotocamere, puoi selezionarne una specifica dall'elenco sopra dopo aver concesso i permessi.</p>
                         <button class="btn btn-small btn-secondary mt-2" onclick="loadCameraDevices()" data-i18n="settings.camera.detect_btn">🔄 Rileva fotocamere</button>
                     </div>
+                    <div class="form-group" style="margin-top:14px">
+                        <label class="toggle-row">
+                            <span data-i18n="settings.camera.ai_fallback_label">Identificazione visiva AI (fallback 5s)</span>
+                            <span class="toggle-switch">
+                                <input type="checkbox" id="setting-barcode-ai-fallback">
+                                <span class="toggle-slider"></span>
+                            </span>
+                        </label>
+                        <p class="settings-hint mt-2" data-i18n="settings.camera.ai_fallback_hint">Se il codice a barre non viene letto entro 5 secondi, un fotogramma viene inviato automaticamente all'AI per identificare visivamente il prodotto. Richiede Gemini configurato.</p>
+                    </div>
                 </div>
             </div>
             <!-- Security Tab -->
@@ -1192,10 +1221,10 @@
                     <p class="settings-hint" data-i18n="settings.security.token_hint">Se <code>SETTINGS_TOKEN</code> è configurato nel <code>.env</code> server, inserisci qui il token prima di salvare le impostazioni. Lascia vuoto se non configurato.</p>
                     <div class="form-group">
                         <label data-i18n="settings.security.token_label">Token di accesso</label>
-                        <input type="password" id="setting-settings-token" class="form-input" placeholder="(vuoto = nessuna protezione)" data-i18n-placeholder="settings.security.token_placeholder">
+                        <input type="password" id="setting-settings-token" class="form-input" placeholder="API_TOKEN da .env" data-i18n-placeholder="settings.security.token_placeholder">
                         <button class="btn btn-small btn-secondary mt-2" onclick="togglePasswordVisibility('setting-settings-token')" data-i18n="btn.toggle_password">👁️ Mostra/Nascondi</button>
                     </div>
-                    <p class="settings-hint" id="settings-token-status-hint" style="display:none;color:var(--accent)" data-i18n="settings.security.token_required_hint">🔒 Questo server richiede un token per salvare le impostazioni.</p>
+                    <p class="settings-hint" id="settings-token-status-hint" style="display:none;color:var(--accent)" data-i18n="settings.security.token_required_hint">🔒 Questo server richiede un token API (API_TOKEN nel file .env). Il token viene salvato nel browser.</p>
                 </div>
                 <div class="settings-card">
                     <h4 data-i18n="settings.security.title">🔒 Certificato HTTPS</h4>
@@ -1941,6 +1970,6 @@
     </div>
 </div>
 
-<script src="assets/js/app.js?v=20260518c"></script>
+<script src="assets/js/app.js?v=20260604c"></script>
 </body>
 </html>

logs/.htaccess

@@ -0,0 +1 @@
+Require all denied

manifest.json

@@ -2,7 +2,7 @@
     "name": "EverShelf",
     "short_name": "EverShelf",
     "description": "Gestione completa della dispensa di casa con scansione barcode",
-    "version": "1.7.25",
+    "version": "1.7.36",
     "start_url": "/evershelf/",
     "display": "standalone",
     "background_color": "#f0f4e8",

package.json

@@ -0,0 +1,9 @@
+{
+  "name": "evershelf",
+  "private": true,
+  "scripts": {
+    "build:js": "npx --yes terser assets/js/app.js -c -m -o assets/js/app.min.js",
+    "build:css": "npx --yes clean-css-cli -o assets/css/style.min.css assets/css/style.css",
+    "build": "npm run build:js && npm run build:css"
+  }
+}

scripts/encrypt-gh-token.php

@@ -0,0 +1,14 @@
+#!/usr/bin/env php
+<?php
+/**
+ * Encrypt a GitHub Issues token for storage in .env as GH_ISSUE_TOKEN_ENC.
+ *
+ * Usage:
+ *   php scripts/encrypt-gh-token.php 'ghp_xxxx' 'your-secret-key'
+ */
+if ($argc < 3) {
+    fwrite(STDERR, "Usage: php scripts/encrypt-gh-token.php <token> <key>\n");
+    exit(1);
+}
+require_once __DIR__ . '/../api/lib/github.php';
+echo evershelfEncryptGhToken($argv[1], $argv[2]) . "\n";

scripts/fix-permissions.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+# Fix ownership and permissions for EverShelf runtime directories.
+set -euo pipefail
+ROOT="$(cd "$(dirname "$0")/.." && pwd)"
+WEB_USER="${WEB_USER:-www-data}"
+
+chown -R "${WEB_USER}:${WEB_USER}" "${ROOT}/data" "${ROOT}/logs" 2>/dev/null || true
+chmod 750 "${ROOT}/data" "${ROOT}/logs"
+chmod 640 "${ROOT}/.env" 2>/dev/null || true
+find "${ROOT}/data" -type f -exec chmod 660 {} \;
+find "${ROOT}/logs" -type f -exec chmod 640 {} \;
+echo "Permissions updated for ${WEB_USER}"

scripts/merge-duplicate-products.php

@@ -0,0 +1,111 @@
+#!/usr/bin/env php
+<?php
+/**
+ * One-time merge of duplicate product records (same normalized name + compatible brand).
+ * Opened-package splits remain as separate inventory rows on the canonical product.
+ *
+ * Usage: php scripts/merge-duplicate-products.php [--dry-run]
+ */
+declare(strict_types=1);
+
+$dryRun = in_array('--dry-run', $argv, true);
+$dbPath = __DIR__ . '/../data/evershelf.db';
+if (!file_exists($dbPath)) {
+    fwrite(STDERR, "Database not found: $dbPath\n");
+    exit(1);
+}
+
+$db = new PDO('sqlite:' . $dbPath);
+$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
+
+function normName(string $name): string {
+    return mb_strtolower(trim($name));
+}
+
+function normBrand(string $brand): string {
+    return mb_strtolower(trim($brand));
+}
+
+function brandsCompatible(string $a, string $b): bool {
+    $na = normBrand($a);
+    $nb = normBrand($b);
+    return $na === $nb || $na === '' || $nb === '';
+}
+
+function productScore(PDO $db, int $id): float {
+    $tx = (float)$db->query("SELECT COUNT(*) FROM transactions WHERE product_id = $id")->fetchColumn();
+    $inv = (float)$db->query("SELECT COALESCE(SUM(quantity), 0) FROM inventory WHERE product_id = $id")->fetchColumn();
+    return $tx * 10 + $inv;
+}
+
+function mergeProducts(PDO $db, int $keepId, int $dropId): void {
+    $db->beginTransaction();
+    try {
+        $db->prepare('UPDATE inventory SET product_id = ? WHERE product_id = ?')->execute([$keepId, $dropId]);
+        $db->prepare('UPDATE transactions SET product_id = ? WHERE product_id = ?')->execute([$keepId, $dropId]);
+        $db->prepare('DELETE FROM products WHERE id = ?')->execute([$dropId]);
+        $db->commit();
+    } catch (Throwable $e) {
+        if ($db->inTransaction()) {
+            $db->rollBack();
+        }
+        throw $e;
+    }
+}
+
+$products = $db->query('SELECT id, name, brand, barcode FROM products ORDER BY id')->fetchAll(PDO::FETCH_ASSOC);
+$byName = [];
+foreach ($products as $p) {
+    $key = normName($p['name']);
+    if ($key === '') {
+        continue;
+    }
+    $byName[$key][] = $p;
+}
+
+$merged = 0;
+foreach ($byName as $nameKey => $group) {
+    if (count($group) < 2) {
+        continue;
+    }
+
+    // Split into compatible-brand clusters
+    $clusters = [];
+    foreach ($group as $p) {
+        $placed = false;
+        foreach ($clusters as &$cluster) {
+            $ref = $cluster[0];
+            if (brandsCompatible($p['brand'] ?? '', $ref['brand'] ?? '')) {
+                $cluster[] = $p;
+                $placed = true;
+                break;
+            }
+        }
+        unset($cluster);
+        if (!$placed) {
+            $clusters[] = [$p];
+        }
+    }
+
+    foreach ($clusters as $cluster) {
+        if (count($cluster) < 2) {
+            continue;
+        }
+
+        usort($cluster, fn($a, $b) => productScore($db, (int)$b['id']) <=> productScore($db, (int)$a['id']));
+        $keep = (int)$cluster[0]['id'];
+        $keepName = $cluster[0]['name'];
+        for ($i = 1; $i < count($cluster); $i++) {
+            $drop = (int)$cluster[$i]['id'];
+            echo ($dryRun ? '[dry-run] ' : '') . "Merge #{$drop} \"{$cluster[$i]['name']}\" → #{$keep} \"{$keepName}\"\n";
+            if (!$dryRun) {
+                mergeProducts($db, $keep, $drop);
+            }
+            $merged++;
+        }
+    }
+}
+
+echo $dryRun
+    ? "Dry run: $merged merge(s) would be performed.\n"
+    : "Done: $merged duplicate product(s) merged.\n";

scripts/migrate-env-security.php

@@ -0,0 +1,57 @@
+#!/usr/bin/env php
+<?php
+/**
+ * One-time security migration: GitHub token → encrypted .env, optional API_TOKEN.
+ */
+require_once __DIR__ . '/../api/lib/env.php';
+require_once __DIR__ . '/../api/lib/github.php';
+
+$envFile = dirname(__DIR__) . '/.env';
+if (!file_exists($envFile)) {
+    fwrite(STDERR, ".env not found\n");
+    exit(1);
+}
+
+$lines = file($envFile, FILE_IGNORE_NEW_LINES);
+$vars = loadEnv();
+$changed = false;
+
+// Migrate legacy XOR token from previous index.php if still in git history
+if (empty($vars['GH_ISSUE_TOKEN']) && empty($vars['GH_ISSUE_TOKEN_ENC'])) {
+    $legacyEnc = '23580718460c2c444031290243627e7971622b29030a3e4d50001e45261659420b6e110a423f30447133205b425a577971561f32762b0b034e0b3e56106d5945020406254a3a4647592a1a611c66687a0b672043700f34757900014004';
+    $legacyKey = 'D1sp3ns4!Ev3r#26';
+    $encBin = hex2bin($legacyEnc);
+    $plain = '';
+    if ($encBin) {
+        for ($i = 0; $i < strlen($encBin); $i++) {
+            $plain .= chr(ord($encBin[$i]) ^ ord($legacyKey[$i % strlen($legacyKey)]));
+        }
+    }
+    if ($plain !== '' && str_starts_with($plain, 'github_')) {
+        $newKey = bin2hex(random_bytes(16));
+        $enc = evershelfEncryptGhToken($plain, $newKey);
+        $lines[] = '';
+        $lines[] = '# GitHub Issues (migrated from legacy source — encrypted at rest)';
+        $lines[] = 'GH_ISSUE_TOKEN_ENC=' . $enc;
+        $lines[] = 'GH_ISSUE_TOKEN_KEY=' . $newKey;
+        $changed = true;
+        echo "Migrated GitHub token to GH_ISSUE_TOKEN_ENC\n";
+    }
+}
+
+if (empty($vars['API_TOKEN']) && empty($vars['SETTINGS_TOKEN'])) {
+    $token = bin2hex(random_bytes(24));
+    $lines[] = '';
+    $lines[] = '# API access token — required for all API calls when set (also used by kiosk/HA)';
+    $lines[] = 'API_TOKEN=' . $token;
+    $changed = true;
+    echo "Generated API_TOKEN (save this for your devices): {$token}\n";
+}
+
+if ($changed) {
+    file_put_contents($envFile, implode("\n", $lines) . "\n");
+    chmod($envFile, 0640);
+    echo "Updated .env\n";
+} else {
+    echo "No migration needed\n";
+}

scripts/re-enrich-recipe.php

@@ -0,0 +1,50 @@
+#!/usr/bin/env php
+<?php
+/**
+ * Re-apply stock hints and 5% use-all rule to an archived recipe.
+ * Usage: php scripts/re-enrich-recipe.php <recipe_id>
+ */
+define('CRON_MODE', true);
+require __DIR__ . '/../api/index.php';
+
+$id = (int)($argv[1] ?? 0);
+if ($id <= 0) {
+    fwrite(STDERR, "Usage: php scripts/re-enrich-recipe.php <recipe_id>\n");
+    exit(1);
+}
+
+$db = getDB();
+$stmt = $db->prepare('SELECT id, recipe_json FROM recipes WHERE id = ?');
+$stmt->execute([$id]);
+$row = $stmt->fetch(PDO::FETCH_ASSOC);
+if (!$row) {
+    fwrite(STDERR, "Recipe {$id} not found\n");
+    exit(1);
+}
+
+$recipe = json_decode($row['recipe_json'], true);
+if (!is_array($recipe)) {
+    fwrite(STDERR, "Invalid recipe JSON for id {$id}\n");
+    exit(1);
+}
+
+recipeApplyStockHintsToRecipe($db, $recipe);
+
+$upd = $db->prepare('UPDATE recipes SET recipe_json = ? WHERE id = ?');
+$upd->execute([json_encode($recipe, JSON_UNESCAPED_UNICODE), $id]);
+
+echo "Updated recipe {$id}: " . ($recipe['title'] ?? '?') . "\n";
+foreach ($recipe['ingredients'] ?? [] as $ing) {
+    if (empty($ing['from_pantry'])) continue;
+    $useAll = !empty($ing['use_all_suggested']) ? ' [USE ALL]' : '';
+    echo sprintf(
+        "  %s: %s | hai %.1f %s | restano %.1f %s%s\n",
+        $ing['name'] ?? '?',
+        $ing['qty'] ?? '?',
+        $ing['stock_have'] ?? 0,
+        $ing['stock_unit'] ?? '',
+        $ing['stock_remain'] ?? 0,
+        $ing['stock_unit'] ?? '',
+        $useAll
+    );
+}

scripts/sync-i18n.py

@@ -0,0 +1,341 @@
+#!/usr/bin/env python3
+"""Sync translation files: ensure all locales have the same keys as it.json (reference)."""
+from __future__ import annotations
+
+import copy
+import json
+from pathlib import Path
+
+ROOT = Path(__file__).resolve().parent.parent / 'translations'
+REF = 'it.json'
+LOCALES = ['it.json', 'en.json', 'de.json', 'fr.json', 'es.json']
+
+# New keys added across all locales (nested path -> value per locale)
+NEW_KEYS: dict[str, dict[str, str]] = {
+    'dashboard.banner_prediction_confirmed': {
+        'it': '✅ Confermato — il sistema ricalcolerà le previsioni dalle prossime registrazioni',
+        'en': '✅ Confirmed — forecasts will recalculate from your next entries',
+        'de': '✅ Bestätigt — Prognosen werden aus den nächsten Einträgen neu berechnet',
+        'fr': '✅ Confirmé — les prévisions seront recalculées à partir de vos prochains enregistrements',
+        'es': '✅ Confirmado — las previsiones se recalcularán con tus próximos registros',
+    },
+    'dashboard.banner_anomaly_explain_fail': {
+        'it': 'Impossibile ottenere spiegazione AI',
+        'en': 'Could not get AI explanation',
+        'de': 'KI-Erklärung konnte nicht abgerufen werden',
+        'fr': 'Impossible d\'obtenir l\'explication IA',
+        'es': 'No se pudo obtener la explicación de IA',
+    },
+    'dashboard.banner_anomaly_dismissed': {
+        'it': 'Anomalia ignorata',
+        'en': 'Anomaly dismissed',
+        'de': 'Anomalie ignoriert',
+        'fr': 'Anomalie ignorée',
+        'es': 'Anomalía descartada',
+    },
+    'error.copy_failed': {
+        'it': 'Copia negli appunti non riuscita',
+        'en': 'Copy to clipboard failed',
+        'de': 'Kopieren in die Zwischenablage fehlgeschlagen',
+        'fr': 'Échec de la copie dans le presse-papiers',
+        'es': 'Error al copiar al portapapeles',
+    },
+    'error.invalid_quantity': {
+        'it': 'Quantità non valida',
+        'en': 'Invalid quantity',
+        'de': 'Ungültige Menge',
+        'fr': 'Quantité invalide',
+        'es': 'Cantidad no válida',
+    },
+    'dashboard.banner_finished_restore_prompt': {
+        'it': 'Quante {unit} di {name} hai ancora? (stima sistema: {qty})',
+        'en': 'How many {unit} of {name} do you still have? (system estimate: {qty})',
+        'de': 'Wie viele {unit} {name} hast du noch? (Systemschätzung: {qty})',
+        'fr': 'Combien de {unit} de {name} vous reste-t-il ? (estimation : {qty})',
+        'es': '¿Cuántas {unit} de {name} te quedan? (estimación del sistema: {qty})',
+    },
+    'time.just_now': {
+        'it': 'adesso', 'en': 'just now', 'de': 'gerade eben', 'fr': 'à l\'instant', 'es': 'ahora',
+    },
+    'time.seconds_ago': {
+        'it': '{n}s fa', 'en': '{n}s ago', 'de': 'vor {n}s', 'fr': 'il y a {n}s', 'es': 'hace {n}s',
+    },
+    'time.minutes_ago': {
+        'it': '{n} min fa', 'en': '{n} min ago', 'de': 'vor {n} min', 'fr': 'il y a {n} min', 'es': 'hace {n} min',
+    },
+    'time.hours_ago': {
+        'it': '{n} h fa', 'en': '{n} h ago', 'de': 'vor {n} h', 'fr': 'il y a {n} h', 'es': 'hace {n} h',
+    },
+    'time.days_ago': {
+        'it': '{n} gg fa', 'en': '{n} d ago', 'de': 'vor {n} T', 'fr': 'il y a {n} j', 'es': 'hace {n} d',
+    },
+    'use.locations_short': {
+        'it': 'posti', 'en': 'places', 'de': 'Orte', 'fr': 'emplacements', 'es': 'ubicaciones',
+    },
+    'move.moved_simple': {
+        'it': '📦 Spostato in {location}',
+        'en': '📦 Moved to {location}',
+        'de': '📦 Nach {location} verschoben',
+        'fr': '📦 Déplacé vers {location}',
+        'es': '📦 Movido a {location}',
+    },
+    'product.history_badge': {
+        'it': '📊 storico', 'en': '📊 history', 'de': '📊 Verlauf', 'fr': '📊 historique', 'es': '📊 historial',
+    },
+    'ai.conservation_hint': {
+        'it': '🤖 AI: conserva in {location}',
+        'en': '🤖 AI: store in {location}',
+        'de': '🤖 KI: lagere in {location}',
+        'fr': '🤖 IA : conserve dans {location}',
+        'es': '🤖 IA: conserva en {location}',
+    },
+    'settings.kiosk_update_required': {
+        'it': '⚠️ Aggiorna il kiosk per usare questa funzione',
+        'en': '⚠️ Update the kiosk app to use this feature',
+        'de': '⚠️ Aktualisiere die Kiosk-App, um diese Funktion zu nutzen',
+        'fr': '⚠️ Mettez à jour l\'application kiosk pour utiliser cette fonction',
+        'es': '⚠️ Actualiza la app kiosk para usar esta función',
+    },
+    'shopping.bring_names_migrated': {
+        'it': '🔄 {n} nomi generalizzati in Bring!',
+        'en': '🔄 {n} names generalized in Bring!',
+        'de': '🔄 {n} Namen in Bring! verallgemeinert',
+        'fr': '🔄 {n} noms généralisés dans Bring !',
+        'es': '🔄 {n} nombres generalizados en Bring!',
+    },
+    'scan.mode_shopping_activated': {
+        'it': '🛒 Modalità Spesa attivata!',
+        'en': '🛒 Shopping mode activated!',
+        'de': '🛒 Einkaufsmodus aktiviert!',
+        'fr': '🛒 Mode courses activé !',
+        'es': '🛒 ¡Modo compras activado!',
+    },
+    'settings.scale.discover_scanning': {
+        'it': '🔍 Scansione rete locale per gateway bilancia…',
+        'en': '🔍 Scanning local network for scale gateway…',
+        'de': '🔍 Lokales Netz wird nach Waagen-Gateway durchsucht…',
+        'fr': '🔍 Recherche du gateway balance sur le réseau local…',
+        'es': '🔍 Buscando pasarela de báscula en la red local…',
+    },
+    'settings.scale.discover_found': {
+        'it': '✅ Gateway trovato: {url}{more}',
+        'en': '✅ Gateway found: {url}{more}',
+        'de': '✅ Gateway gefunden: {url}{more}',
+        'fr': '✅ Gateway trouvé : {url}{more}',
+        'es': '✅ Pasarela encontrada: {url}{more}',
+    },
+    'settings.scale.discover_not_found': {
+        'it': '❌ Nessun gateway su {subnet}. Avvia l\'app Android sulla stessa Wi-Fi.',
+        'en': '❌ No gateway found on {subnet}. Make sure the Android app is running and on the same Wi-Fi.',
+        'de': '❌ Kein Gateway in {subnet}. Android-App auf demselben WLAN starten.',
+        'fr': '❌ Aucun gateway sur {subnet}. Lancez l\'app Android sur le même Wi-Fi.',
+        'es': '❌ Ninguna pasarela en {subnet}. Inicia la app Android en la misma Wi-Fi.',
+    },
+    'settings.scale.discover_failed': {
+        'it': '❌ Ricerca fallita: {error}',
+        'en': '❌ Discovery failed: {error}',
+        'de': '❌ Suche fehlgeschlagen: {error}',
+        'fr': '❌ Échec de la recherche : {error}',
+        'es': '❌ Búsqueda fallida: {error}',
+    },
+    'settings.scale.discover_auto': {
+        'it': '🔍 Auto', 'en': '🔍 Auto', 'de': '🔍 Auto', 'fr': '🔍 Auto', 'es': '🔍 Auto',
+    },
+    'settings.scale.unknown_device': {
+        'it': 'Dispositivo sconosciuto',
+        'en': 'Unknown device',
+        'de': 'Unbekanntes Gerät',
+        'fr': 'Appareil inconnu',
+        'es': 'Dispositivo desconocido',
+    },
+    'product.from_history': {
+        'it': ' (da storico)', 'en': ' (from history)', 'de': ' (aus Verlauf)', 'fr': ' (historique)', 'es': ' (del historial)',
+    },
+    'recipes.ing_stock_line': {
+        'it': 'Hai {have} · restano {remain} dopo l\'uso',
+        'en': 'You have {have} · {remain} left after use',
+        'de': 'Du hast {have} · {remain} bleiben nach Gebrauch',
+        'fr': 'Vous avez {have} · il reste {remain} après usage',
+        'es': 'Tienes {have} · quedan {remain} después del uso',
+    },
+    'recipes.ing_use_all_note': {
+        'it': 'uso totale (<5% della confezione intera)',
+        'en': 'use all (<5% of full package left)',
+        'de': 'alles verwenden (<5% der Vollpackung)',
+        'fr': 'tout utiliser (<5% du conditionnement entier)',
+        'es': 'usar todo (<5% del envase completo)',
+    },
+}
+
+# fr/es gaps filled with proper translations (flat key -> value)
+FR_FILL: dict[str, str] = {
+    'action.related_stock_title': 'Aussi à la maison',
+    'dashboard.banner_expired_action_modify': 'Modifier',
+    'dashboard.banner_expired_action_vacuum': 'Mettre sous vide',
+    'recipes.stream_interrupted': 'Génération interrompue (réponse serveur incomplète). Vérifiez les logs ou réessayez.',
+    'scan.stock_in_pantry': 'Déjà à la maison :',
+    'scanner.expiry_found': 'Date trouvée',
+    'scanner.expiry_raw_label': 'Lu',
+    'scanner.expiry_read_fail': 'Impossible de lire la date.',
+    'settings.info.act_new_products': 'Nouveaux produits',
+    'settings.info.act_restock': 'Réapprovisionnements',
+    'settings.info.act_title': 'Activité mensuelle',
+    'settings.info.act_tx_month': 'Mouvements',
+    'settings.info.act_tx_year': 'Mouvements annuels',
+    'settings.info.act_use': 'Utilisations',
+    'settings.info.ai_calls': 'Appels',
+    'settings.info.ai_hint': 'Consommation mensuelle et coût estimé pour la clé API actuelle.',
+    'settings.info.ai_overview': 'Aperçu IA, inventaire et état du système',
+    'settings.info.ai_title': 'Gemini AI — Utilisation des tokens',
+    'settings.info.bring_days': 'jeton expire dans {n} jours',
+    'settings.info.bring_expired': 'jeton expiré',
+    'settings.info.by_action': 'Répartition par fonction',
+    'settings.info.by_model': 'Répartition par modèle',
+    'settings.info.cache_entries': 'produits',
+    'settings.info.calls_unit': 'appels',
+    'settings.info.currency_hint': 'Devise utilisée pour tous les coûts et prix dans l\'app.',
+    'settings.info.currency_title': 'Devise',
+    'settings.info.db_size': 'Base de données',
+    'settings.info.est_cost': 'Coût est.',
+    'settings.info.input_tok': 'Tokens entrée',
+    'settings.info.inv_active': 'Actifs',
+    'settings.info.inv_expired': 'Expirés',
+    'settings.info.inv_expiring': 'Expirent (7j)',
+    'settings.info.inv_finished': 'Terminés',
+    'settings.info.inv_products': 'Produits totaux',
+    'settings.info.inv_title': 'Inventaire',
+    'settings.info.last_backup': 'Dernière sauvegarde',
+    'settings.info.loading': 'Chargement…',
+    'settings.info.log_level': 'Niveau de log',
+    'settings.info.log_size': 'Logs',
+    'settings.info.output_tok': 'Tokens sortie',
+    'settings.info.price_cache': 'Cache prix',
+    'settings.info.pricing_note': 'Tarifs Gemini : 2.5-flash $0.15/M in · $0.60/M out — 2.0-flash $0.10/M in · $0.40/M out.',
+    'settings.info.system_title': 'Système',
+    'settings.info.tab': 'Info',
+    'settings.info.total_tokens': 'Tokens totaux',
+    'settings.info.year_label': 'Année {year}',
+    'settings.tab_general': 'Général',
+    'settings.tts.test_sound_btn': '🔔 Test sonore',
+    'shopping.pantry_hint': 'Déjà à la maison : {qty}',
+    'startup.check_db_legacy': 'Ancienne BD (dispensa.db)',
+    'startup.check_scale': 'Passerelle balance',
+    'startup.check_tts': 'URL synthèse vocale',
+    'startup.critical_error_intro': 'L\'application ne peut pas démarrer en raison des problèmes suivants :',
+    'startup.error_network_detail': 'Le navigateur ne peut pas joindre le serveur PHP.\n\nCauses possibles :\n• Apache/PHP n\'est pas démarré\n• Problème réseau ou pare-feu\n• URL incorrecte\n\nDémarrez le serveur et réessayez.',
+    'toast.vacuum_sealed': '{name} enregistré sous vide',
+}
+
+ES_FILL = {
+    'action.related_stock_title': 'También en casa',
+    'dashboard.banner_expired_action_modify': 'Editar',
+    'dashboard.banner_expired_action_vacuum': 'Poner al vacío',
+    'recipes.stream_interrupted': 'Generación interrumpida (respuesta del servidor incompleta). Revisa los logs o inténtalo de nuevo.',
+    'scan.stock_in_pantry': 'Ya en despensa:',
+    'scanner.expiry_found': 'Fecha encontrada',
+    'scanner.expiry_raw_label': 'Leído',
+    'scanner.expiry_read_fail': 'No se puede leer la fecha.',
+    'settings.info.act_new_products': 'Productos nuevos',
+    'settings.info.act_restock': 'Reabastecimientos',
+    'settings.info.act_title': 'Actividad mensual',
+    'settings.info.act_tx_month': 'Movimientos',
+    'settings.info.act_tx_year': 'Movimientos anuales',
+    'settings.info.act_use': 'Usos',
+    'settings.info.ai_calls': 'Llamadas',
+    'settings.info.ai_hint': 'Consumo mensual y coste estimado para la clave API actual.',
+    'settings.info.ai_overview': 'Resumen de IA, inventario y estado del sistema',
+    'settings.info.ai_title': 'Gemini AI — Uso de tokens',
+    'settings.info.bring_days': 'token expira en {n} días',
+    'settings.info.bring_expired': 'token expirado',
+    'settings.info.by_action': 'Desglose por función',
+    'settings.info.by_model': 'Desglose por modelo',
+    'settings.info.cache_entries': 'productos',
+    'settings.info.calls_unit': 'llamadas',
+    'settings.info.currency_hint': 'Moneda usada para todos los costes y precios en la app.',
+    'settings.info.currency_title': 'Moneda',
+    'settings.info.db_size': 'Base de datos',
+    'settings.info.est_cost': 'Coste est.',
+    'settings.info.input_tok': 'Tokens de entrada',
+    'settings.info.inv_active': 'Activos',
+    'settings.info.inv_expired': 'Caducados',
+    'settings.info.inv_expiring': 'Caducan (7d)',
+    'settings.info.inv_finished': 'Agotados',
+    'settings.info.inv_products': 'Productos totales',
+    'settings.info.inv_title': 'Inventario',
+    'settings.info.last_backup': 'Última copia',
+    'settings.info.loading': 'Cargando…',
+    'settings.info.log_level': 'Nivel de log',
+    'settings.info.log_size': 'Logs',
+    'settings.info.output_tok': 'Tokens de salida',
+    'settings.info.price_cache': 'Caché de precios',
+    'settings.info.pricing_note': 'Precios Gemini: 2.5-flash $0.15/M in · $0.60/M out — 2.0-flash $0.10/M in · $0.40/M out.',
+    'settings.info.system_title': 'Sistema',
+    'settings.info.tab': 'Info',
+    'settings.info.total_tokens': 'Tokens totales',
+    'settings.info.year_label': 'Año {year}',
+    'settings.tab_general': 'General',
+    'settings.tts.test_sound_btn': '🔔 Prueba de sonido',
+    'shopping.pantry_hint': 'Ya en casa: {qty}',
+    'startup.check_db_legacy': 'BD antigua (dispensa.db)',
+    'startup.check_scale': 'Pasarela báscula',
+    'startup.check_tts': 'URL texto a voz',
+    'startup.critical_error_intro': 'La app no puede iniciarse por los siguientes problemas:',
+    'startup.error_network_detail': 'El navegador no puede conectar con el servidor PHP.\n\nPosibles causas:\n• Apache/PHP no está en ejecución\n• Problema de red o firewall\n• URL incorrecta\n\nInicia el servidor e inténtalo de nuevo.',
+    'toast.vacuum_sealed': '{name} guardado al vacío',
+}
+
+
+def flatten(obj: dict, prefix: str = '') -> dict[str, str]:
+    out: dict[str, str] = {}
+    for k, v in obj.items():
+        key = f'{prefix}.{k}' if prefix else k
+        if isinstance(v, dict):
+            out.update(flatten(v, key))
+        else:
+            out[key] = v
+    return out
+
+
+def set_nested(root: dict, dotted: str, value: str) -> None:
+    parts = dotted.split('.')
+    d = root
+    for p in parts[:-1]:
+        d = d.setdefault(p, {})
+    d[parts[-1]] = value
+
+
+def main() -> None:
+    ref = json.loads((ROOT / REF).read_text(encoding='utf-8'))
+    ref_flat = flatten(ref)
+    en_flat = flatten(json.loads((ROOT / 'en.json').read_text(encoding='utf-8')))
+
+    for fname in LOCALES:
+        lang = fname.replace('.json', '')
+        path = ROOT / fname
+        data = json.loads(path.read_text(encoding='utf-8'))
+        flat = flatten(data)
+
+        # Fill missing keys from reference (Italian text as last resort via en)
+        for key, ref_val in ref_flat.items():
+            if key not in flat:
+                if lang == 'fr' and key in FR_FILL:
+                    val = FR_FILL[key]
+                elif lang == 'es' and key in ES_FILL:
+                    val = ES_FILL[key]
+                elif lang == 'en':
+                    val = en_flat.get(key, ref_val)
+                else:
+                    val = en_flat.get(key, ref_val)
+                set_nested(data, key, val)
+                flat[key] = val
+
+        # Inject new keys
+        for key, per_lang in NEW_KEYS.items():
+            set_nested(data, key, per_lang[lang if lang in per_lang else 'en'])
+
+        path.write_text(json.dumps(data, ensure_ascii=False, indent=2) + '\n', encoding='utf-8')
+        print(f'Updated {fname}')
+
+
+if __name__ == '__main__':
+    main()