github mauriceboe/TREK v3.0.0-pre.1
on GitHub

latest releases: v3.0.0-pre.7, v3.0.0-pre.6
pre-release12 hours ago

⚠ PRE-RELEASE — USE AT YOUR OWN RISK ⚠

This is a pre-release build of TREK. It may contain bugs, incomplete features, or breaking changes. It is not recommended for production use.

  • Do not use this on a live instance without a full backup
  • Database migrations may not be reversible
  • APIs and configuration options are subject to change without notice

If you encounter issues, please report them at https://github.com/mauriceboe/TREK/issues.

Stable releases are available on the main release page.

⚠ Pre-release image — not recommended for production use.

Tag Description
3.0.0-pre.1 Pinned to this exact pre-release build
3-pre Latest pre-release on the v3 line
latest-pre Latest pre-release across all versions 
docker pull mauriceboe/trek:3.0.0-pre.1

This is the biggest TREK release to date. Journey turns your trips into rich travel journals. MCP gets full OAuth 2.1 security. The dashboard has been redesigned for mobile-first. And every corner of the app now speaks 14 languages natively.

Breaking Changes

Photos moved from Trip Planner to Journey

In previous versions, Immich and Synology Photos were integrated directly into the Trip Planner via a "Photos" tab. This tab has been removed. Photos are now part of the new Journey addon, which is purpose-built for documenting your travels with stories, photos, and maps.

What this means for you:

  • No photos are lost. The previous integration was read-only — TREK never uploaded to or deleted from your Immich/Synology library. Your photos remain untouched in your photo provider.
  • Previously linked trip photos are no longer displayed in the Trip Planner. To view and organize your travel photos, enable the Journey addon (Settings > Addons) and create a Journey linked to your trip.
  • Journey brings a much richer photo experience: upload photos directly to TREK, browse and import from Immich/Synology with duplicate detection, reorder photos, view EXIF metadata, and export everything as a PDF photo book.

New Immich API Key Permissions Required

Journey introduces photo upload sync — when you upload a photo to a Journey entry, TREK can optionally sync it to your Immich library. This requires an additional Immich API permission that was not needed before.

Previous versions required:

Permission Used for
user.read Connection test
asset.read Browse photos by date, search
asset.view Stream thumbnails
asset.download Stream originals
album.read List and browse albums
timeline.read Browse timeline buckets

New in 3.0.0 — additionally required:

Permission Used for
asset.upload Sync uploaded Journey photos to Immich

How to update your Immich API key: Go to your Immich instance > User Settings > API Keys. Edit your existing TREK key (or create a new one) and ensure asset.upload is enabled in addition to the existing permissions. If you don't plan to use Journey's upload sync, the old key will continue to work — the upload simply won't sync to Immich.

Synology Photos — Please re-enter your synology credentials

OIDC_ONLY deprecated

The OIDC_ONLY environment variable is deprecated. Replace with DISABLE_LOCAL_LOGIN=true + DISABLE_LOCAL_REGISTRATION=true for equivalent behavior. The old variable still works but will be removed in a future release.

Journey Addon — Travel Journal

The headline feature of 3.0.0. Journey is a new global addon that transforms your trips into magazine-style travel stories.

Core

  • 5-table schema — journeys, entries, photos, trips, contributors with full relational integrity
  • Trip-to-Journey sync engine — link one or more trips to a journey; skeleton entries and photos are synced automatically
  • Timeline, Gallery, and Map views — browse entries chronologically, as a photo grid, or on an interactive map with SVG pin markers
  • Entry editor — markdown toolbar, custom date picker, location search (Nominatim/Google Maps), mood (Amazing/Good/Neutral/Rough), weather (Sunny to Snowy), and Pros & Cons sections

Photos

  • Immich & Synology browser — browse by trip dates, custom range, or album with duplicate detection
  • Photo upload — direct upload with drag-and-drop, reorder (Make 1st), and delete
  • EXIF metadata — displayed in lightbox for Immich photos
  • Thumbnail to original fallback — seamless resolution upgrade everywhere
  • Contributor photo access — invited contributors can view all journey photos even without their own Immich/Synology connection (owner credentials are used for the proxy)

Sharing & Export

  • Public share links — token-based access with language picker, no login required
  • Public photo proxy — validates share token instead of auth for photo streaming
  • PDF photo book export — Polarsteps-inspired layout with cover, day chapters, photo grids, and stories

Collaboration

  • Contributors — invite users as editors or viewers
  • Trip linking/unlinking — manage synced trips from Journey Settings and Desktop Sidebar
  • Cover image — upload or pick from journey photos

Frontend

  • JourneyPage — frontpage with hero card, active journey stats, trip suggestions ("Trip just ended — turn it into a Journey")
  • JourneyDetailPage — full timeline/gallery/map with inline entry editing
  • JourneyPublicPage — public share view with language picker and read-only timeline

MCP: OAuth 2.1 & Granular Scopes

MCP authentication has been completely rebuilt around the OAuth 2.1 specification.

  • OAuth 2.1 authorization server — full PKCE flow with authorization codes, access tokens, refresh tokens, and token rotation with replay detection
  • Granular scopes — 24 scopes across 11 groups (trips, places, atlas, packing, todos, budget, reservations, collab, notifications, vacay, geo/weather) with per-scope read/write/delete control
  • Dynamic Client Registration (DCR) — RFC 7591 endpoint at POST /oauth/register for browser-initiated and public clients
  • Consent screen — user-facing scope selection with grouped permission display
  • Admin panel — OAuth sessions management in MCP Access panel with collapsible scope lists
  • Per-client rate limiting — configurable rate limits per OAuth client
  • Addon gating — MCP tools are only registered when their corresponding addon is enabled
  • Static token deprecation — existing MCP tokens still work but surface deprecation notices; migration path to OAuth is documented
  • Security hardening — Critical + High + Medium findings addressed (token storage, PKCE enforcement, scope validation)

Dashboard Redesign

The dashboard has been rebuilt with a mobile-first design language.

Mobile

  • Greeting header — "Good morning, {username}" with notification bell and avatar
  • Spotlight hero card — the next upcoming or ongoing trip as a full-width hero with cover image, progress bar (for live trips), stats grid, and frosted-glass action buttons
  • Quick Actions — New Trip, Currency Converter, Timezone as icon cards
  • Trip cards — cover image with title overlay, status badge (In X days / Starts today / Ongoing / Completed), bottom stats (starts, duration, places, buddies)

Desktop

  • Unified card design — desktop grid cards now match the mobile card style (cover + title overlay + stats)
  • Hero card — SpotlightCard with progress bar for ongoing trips, countdown for upcoming, stats grid
  • Hover actions — edit/copy/archive/delete buttons appear on hover as frosted-glass icons
  • Status badges — CircleCheck icon for completed trips, Clock for upcoming, pulsing dot for ongoing

Both

  • BottomNav profile sheet — slide-up sheet with user info, settings, admin, and logout
  • Dark mode — full dark mode support across all new components

Granular Auth Toggles

  • OIDC_ONLY replaced — split into DISABLE_LOCAL_LOGIN, DISABLE_LOCAL_REGISTRATION, and DISABLE_PASSWORD_CHANGE for fine-grained control over authentication methods
  • Allows mixed setups (e.g., OIDC + local admin account, or OIDC-only with no local registration)

Synology Photos: OTP, SSL Skip & Session Management

  • OTP support — one-time password field for 2FA-enabled Synology NAS
  • Skip SSL verification — toggle for self-signed certificates
  • Device ID persistence — prevents repeated 2FA prompts
  • Session-cleared notification — routed through unified notification system
  • Provider URL hint — contextual help text for Synology URL format

Atlas: Region Matching Fix

  • Scoped region matching — region name matching is now scoped by country to prevent cross-country false matches
  • Expanded country lookup tables — more countries and regions recognized correctly

i18n: Full 14-Language Coverage

  • 231 new translation keys added across all 14 languages (EN, DE, FR, ES, IT, NL, PL, RU, ZH, ZH-TW, BR, CS, HU, AR)
  • Native translations — every key is translated in the target language, no English fallbacks
  • OAuth scope labels — all 24 scopes have localized names and descriptions
  • Journey addon — complete coverage for all journal, editor, sharing, and PDF export strings

Vacay: Trip Date Dots

  • Trip indicator dots — small blue dots appear on calendar days where trips are scheduled, giving a quick visual reference between vacation plans and travel dates

iCal Export Improvements

  • Day activities and notes — iCal export now includes daily activities and notes, not just the trip dates (#375)

Budget: Drag & Drop Reorder

  • Category and item reorder — budget categories and individual items can now be reordered via drag-and-drop, with positions persisted (#479)

Test Coverage

  • Backend — expanded to ~87% coverage with comprehensive tests for OAuth, MCP tools, addon gating, services, and session management
  • Frontend — expanded to ~82% coverage with tests for dashboard, planner, settings, admin panels, and component interactions
  • CI — client test job added alongside server tests with split coverage artifacts

Planner & UX Improvements

  • Collapsible day detail panel — day detail panel can be collapsed/expanded in the planner
  • DayPlan mobile Add Place — inline place picker for mobile with search and create-new
  • TripFormModal members management — manage trip members directly from the edit form
  • File download button — all file views now include a download button
  • Comma decimal support — pasting numbers with comma decimal separators works in budget and bookings
  • Note modal — no longer closes on outside click

Bug Fixes

  • Fixed OIDC-only mode login/logout loop (#491)
  • Fixed dayplan duplicate reservation display, date off-by-one, and missing day_id on edit
  • Fixed booking date handling and file auth bugs
  • Fixed dayplan time-based auto-sort for places and free reorder for untimed
  • Fixed streaming response end on client disconnect during asset pipe
  • Fixed per-day transport positions for multi-day reservations
  • Fixed stale budget category reset when category no longer exists
  • Fixed trip redirect to plan tab when active tab addon is disabled
  • Fixed reservation price/budget field visibility when budget addon disabled
  • Fixed memories EXIF info re-fetch when navigating between lightbox photos
  • Fixed CSP path matching for paths ending in /
  • Fixed avatar URLs in notifications, admin panel, and budget
  • Fixed budget member avatars lost after updating item fields
  • Fixed unplanned filter sync with map markers (#385)
  • Fixed hardcoded Immich in toast — now uses provider_name
  • Fixed MCP safeBroadcast recursive call bug
  • Fixed Vite module preload polyfill CSP inline script violation

Security

  • hono 4.12.9 to 4.12.12 — fixes directory traversal (CVE-2026-39407, CVE-2026-39408), HTTP response splitting, improper input validation (CVE-2026-39410), and IP restriction bypass (CVE-2026-39409)
  • @hono/node-server 1.19.11 to 1.19.13 — fixes directory traversal (CVE-2026-39406)
  • nodemailer 8.0.4 to 8.0.5 — fixes CRLF injection
  • OAuth 2.1 hardening — token storage, PKCE enforcement, scope intersection validation

Infrastructure

  • Helm chart — moved to charts/trek/, published via helm-publisher action to gh-pages, appVersion used as default image tag
  • Docker — workflow improvements, tag management cleanup
  • CI — contributor workflow automation, npm audit removal from install steps

Upgrading

docker pull mauriceboe/trek:3.0.0-pre.1
docker compose up -d

Migrations run automatically on startup. No manual steps required.

Checklist:

  1. Update your Immich API key to include asset.upload (optional, only needed for Journey upload sync)
  2. If using OIDC_ONLY, migrate to DISABLE_LOCAL_LOGIN + DISABLE_LOCAL_REGISTRATION
  3. Enable the Journey addon in Settings > Addons to start using the travel journal
  4. If you previously configured the synology integration, please re-enter your credentials

Full Changelog: v2.9.13...v3.0.0-pre.1

Check out latest releases or
releases around mauriceboe/TREK v3.0.0-pre.1

Don't miss a new TREK release

NewReleases is sending notifications on new releases.

Get notifications