Merge pull request 'feat(payment): Swish QR code and pre-filled payment link' (#15) from feature/swish-qr-payment into master

Reviewed-on: https://srvr.nu/git/git/jocke/bilhej/pulls/15

.dockerignore

@@ -1,6 +1,66 @@
+# Exclude everything that isn't strictly needed to build or run the dev images.
+# The dev Dockerfiles COPY source subpaths (frontend/, backend/, gradlew,
+# settings.gradle, etc.), so without this the image would bloat with docs,
+# scripts, git history, etc.
+
+# Build artifacts and caches (mounted as named volumes at runtime)
 .gradle
-.env
-.git
-frontend/node_modules
 backend/build
+frontend/dist
+frontend/coverage
+frontend/node_modules
+backend/.gradle
+
+# Test outputs
+**/build/test-results
+**/build/reports
+**/coverage
+**/.pytest_cache
+frontend/playwright-report
+frontend/test-results
+
+# Local config and secrets
+.env
+.env.*
+!.env.example
+**/application-local.yml
+
+# VCS and editor state
+.git
+.gitignore
+.gitattributes
+.github
+.forgejo
+.idea
+.vscode
+*.iml
+.DS_Store
+
+# Documentation (not needed at runtime)
+README.md
+REQUIREMENTS.md
+AGENTS.md
+CODING_GUIDELINES.md
+docs/
+
+# Ops scripts (not needed at runtime)
+scripts/
+
+# Test source dirs that aren't built into runtime artifacts
 frontend/src/__tests__
+backend/src/test
+
+# Docker metadata — Dockerfiles, .dockerignore, and compose files are not
+# needed inside the running image. Keep docker/*.conf and docker/entrypoint.sh
+# because frontend.prod.Dockerfile copies them into the production nginx image.
+docker/*.Dockerfile
+Dockerfile*
+.dockerignore
+docker-compose*.yml
+
+# Misc
+*.log
+logs/
+tmp/
+*.bak
+*.tmp

.env.example

@@ -24,6 +24,12 @@ STRIPE_WEBHOOK_SECRET=whsec_...
 STRIPE_PRICE_ID=price_...
 
 # ---------- Swish (Phase 0) ----------
+# The Swish number customers pay to. Two formats accepted:
+#   - Swedish phone number: 0701234567 (normalised to 46… for the payment URL)
+#   - Swish Business number: 1234567890 (starts with 123, used as-is)
+# A Swish Business number (123…) is recommended — get one from your bank
+# via a "Swish Företag" agreement. No Swish Commerce API certificate needed;
+# the frontend generates a pre-filled QR code + payment link automatically.
 SWISH_NUMBER=0701234567
 
 # ---------- App URL (password reset links in email) ----------
@@ -43,3 +49,10 @@ APP_PUBLIC_BASE_URL=http://localhost:3000
 # Strong password; never use test1234. Dev seeds use test@bilhej.se instead.
 ADMIN_EMAIL=admin@bilhej.se
 ADMIN_PASSWORD=change_me_to_a_strong_password
+
+# ---------- Umami analytics (production frontend build only) ----------
+# Baked into the frontend image at build time. Leave unset for local dev / docker compose up.
+# Website ID from https://analytics.bilhej.se → Settings → Websites → BilHej
+# See docs/umami-analytics.md
+# VITE_UMAMI_WEBSITE_ID=
+# VITE_UMAMI_SCRIPT_URL=https://analytics.bilhej.se/script.js

.forgejo/workflows/deploy.yml

@@ -4,9 +4,9 @@ on:
   workflow_dispatch:
     inputs:
       version:
-        description: 'Git tag to create for this deploy (e.g. v0.1.2) — not the branch/tag above'
+        description: 'Leave as "auto" to bump from latest git tag, or enter a specific version (e.g. v0.1.2)'
-        required: true
+        required: false
-        default: 'v0.1.0'
+        default: 'auto'
         type: string
 
 jobs:
@@ -21,12 +21,36 @@ jobs:
           git fetch --depth 1 origin ${GITHUB_SHA}
           git checkout FETCH_HEAD
 
+      - name: Resolve version
+        run: |
+          INPUT_VERSION="${{ github.event.inputs.version }}"
+          if [ -z "$INPUT_VERSION" ] || [ "$INPUT_VERSION" = "auto" ]; then
+            git fetch --tags origin
+            LATEST=$(git tag --list 'v*' --sort=-v:refname | head -1)
+            if [ -z "$LATEST" ]; then LATEST="v0.0.0"; fi
+            BASE="${LATEST#v}"
+            MAJOR=$(echo "$BASE" | cut -d. -f1)
+            MINOR=$(echo "$BASE" | cut -d. -f2)
+            PATCH=$(echo "$BASE" | cut -d. -f3)
+            PATCH=$(( ${PATCH:-0} + 1 ))
+            VERSION="v${MAJOR:-0}.${MINOR:-0}.${PATCH}"
+            echo "Latest tag: $LATEST → auto-bumped to $VERSION"
+          else
+            VERSION="$INPUT_VERSION"
+            echo "Using manual version: $VERSION"
+          fi
+          if ! echo "$VERSION" | grep -qE '^v[0-9]+\.[0-9]+\.[0-9]+$'; then
+            echo "ERROR: resolved version '$VERSION' is not valid semver (expected vX.Y.Z)"
+            exit 1
+          fi
+          echo "VERSION=$VERSION" >> "$GITHUB_ENV"
+
       - name: Tag version
         run: |
-          git tag -d ${{ github.event.inputs.version }} 2>/dev/null || true
+          git tag -d ${{ env.VERSION }} 2>/dev/null || true
-          git push origin --delete ${{ github.event.inputs.version }} 2>/dev/null || true
+          git push origin --delete ${{ env.VERSION }} 2>/dev/null || true
-          git tag ${{ github.event.inputs.version }}
+          git tag ${{ env.VERSION }}
-          git push origin ${{ github.event.inputs.version }}
+          git push origin ${{ env.VERSION }}
 
       - name: Write production .env
         env:
@@ -46,6 +70,7 @@ jobs:
           MAIL_USERNAME: ${{ secrets.MAIL_USERNAME }}
           MAIL_PASSWORD: ${{ secrets.MAIL_PASSWORD }}
           MAIL_FROM: ${{ secrets.MAIL_FROM }}
+          VITE_UMAMI_WEBSITE_ID: ${{ secrets.VITE_UMAMI_WEBSITE_ID }}
         run: |
           # Docker Compose treats $ as variable interpolation in .env files.
           # Escape literal dollar signs (e.g. in passwords) as $$.
@@ -67,6 +92,7 @@ jobs:
             printf 'MAIL_USERNAME=%s\n' "$(escape "$MAIL_USERNAME")"
             printf 'MAIL_PASSWORD=%s\n' "$(escape "$MAIL_PASSWORD")"
             printf 'MAIL_FROM=%s\n' "$(escape "${MAIL_FROM:-noreply@bilhej.se}")"
+            printf 'VITE_UMAMI_WEBSITE_ID=%s\n' "$(escape "$VITE_UMAMI_WEBSITE_ID")"
           } > .env
 
       - name: Build and start production stack
@@ -132,7 +158,7 @@ jobs:
         run: |
           echo ""
           echo "═══════════════════════════════════════════════════"
-          echo "  Deployed ${{ github.event.inputs.version }} to production"
+          echo "  Deployed ${{ env.VERSION }} to production"
           echo "═══════════════════════════════════════════════════"
           echo ""
           docker compose -p bilhej-prod -f docker-compose.prod.yml ps

AGENTS.md

@@ -74,6 +74,14 @@ stripe listen --forward-to localhost:8080/api/webhooks/stripe
 Flyway migrations run automatically on Spring Boot startup. Migration files
 live in `backend/src/main/resources/db/migration/`. Naming: `V<number>__descriptive_name.sql`.
 
+**Before adding a migration:** run `./scripts/next-flyway-version.sh` and use that
+version. Never reuse a version number already on `master`. Never edit a migration
+after it has merged — add a new higher version instead. CI runs
+`scripts/check-flyway-migrations.sh` against `origin/master`.
+
+If local dev Postgres fails with Flyway checksum / “migration not resolved locally”
+after switching branches, run `./gradlew reset` (wipes the Docker DB volume).
+
 To reset: `docker compose down -v && docker compose up -d`.
 
 Flyway schema migrations live in `db/migration/`; dev-only seeds (test users,
@@ -152,6 +160,26 @@ Full details in `@CODING_GUIDELINES.md`. Key rules:
   list concrete changes as bullet points. Never write single-line
   "feat: add X" messages.
 
+**Before every commit (mandatory — agents must not skip):**
+
+```bash
+# from repo root; needs Docker running
+export POSTGRES_DB=bilhej POSTGRES_USER=bilhej POSTGRES_PASSWORD=test_pw_ci_123
+export JWT_SECRET=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
+export STRIPE_SECRET_KEY=sk_test_fake STRIPE_WEBHOOK_SECRET=whsec_fake STRIPE_PRICE_ID=price_fake
+./gradlew check
+```
+
+This runs frontend lint, frontend unit tests, backend tests, coverage
+thresholds, Flyway checks, and **all E2E tests in Docker**. **Do not commit or
+push if this fails.** Optional local guard: `./scripts/install-pre-commit-hook.sh`
+(runs the same `check` on every `git commit`).
+
+**Note for agents:** The pre-commit hook runs the full `./gradlew check` which
+takes ~3.5 minutes. If your tool enforces a default timeout (e.g. 120 s on
+agent tool calls), increase it to ≥300 000 ms, or use `--no-verify` and run
+`./gradlew check` manually before committing.
+
 ### Frontend (Vue.js 3)
 - `<script setup>` with Composition API only. Never Options API.
 - File naming: PascalCase for pages/components, camelCase (`useXxx`) for composables.
@@ -187,6 +215,9 @@ After the address is used to mail the letter, it must be deleted. The Order
 entity must NOT have an address field. The address lookup and mailing are
 external/human processes in Phase 0.
 
+### E2E must use Docker (not host Playwright)
+See **Testing Approach → E2E (Playwright) — Docker only** above. Do not run `npx playwright install` or `npm run test:e2e` on the host when verifying E2E.
+
 ### Local email (Mailpit)
 `docker compose up` includes Mailpit (`ghcr.io/axllent/mailpit:v1.28`); password-reset mail appears at http://localhost:8025. E2E verifies SMTP via Mailpit API (`frontend/e2e/helpers/mailpit.ts`). Production uses Resend SMTP—see docs/production-email-checklist.md.
 
@@ -228,12 +259,40 @@ the same PR — never merge code without corresponding tests.
 - Component tests with Vue Test Utils where needed.
 - E2E tests with Playwright in `frontend/e2e/`.
 
-### E2E (Playwright)
+### E2E (Playwright) — **Docker only**
-- `npm run test:e2e` — runs all Playwright tests (headless Chromium).
+
-- Requires `docker compose up` (backend + frontend running).
+**Agents and humans: never run Playwright on the host.**
-- Config: `frontend/playwright.config.ts`.
+
-- Tests: `frontend/e2e/*.spec.ts`.
+| Do **not** run | Why |
-- Docker CI: `npm run test:e2e:ci` — runs tests inside official Playwright Docker container. Starts postgres, backend, frontend, and Playwright via `docker-compose.ci.yml`. Use for consistent environment or CI pipelines.
+|----------------|-----|
+| `npx playwright test` | Wrong environment; needs Docker stack |
+| `npm run test:e2e` | Same — host Playwright, not supported for agents |
+| `npx playwright install` | Do not install browsers on the host; the Playwright image already includes them |
+
+**Always use Docker** (`docker-compose.e2e.yml`): isolated postgres (tmpfs), backend, frontend, Mailpit, and the official Playwright container on the `e2e` network (`PLAYWRIGHT_BASE_URL=http://frontend`).
+
+**Full E2E suite** (same as Forgejo CI / `./gradlew check`):
+
+```bash
+# from repo root — set env (or use .env; see .env.example)
+cd frontend && npm run test:e2e:ci
+# equivalent:
+./gradlew frontendE2E
+```
+
+**Single spec or project** (stack must be reachable on the `e2e` network):
+
+```bash
+# from repo root, after exporting the same vars as frontendE2E / .env
+docker compose -f docker-compose.e2e.yml up -d --build postgres mailpit backend frontend
+docker compose -f docker-compose.e2e.yml run --rm --build playwright \
+  sh -c 'npx playwright test admin-fulfillment.spec.ts --project=chromium-serial --reporter=list'
+docker compose -f docker-compose.e2e.yml down
+```
+
+- Config: `frontend/playwright.config.ts`
+- Tests: `frontend/e2e/*.spec.ts`
+- Serial specs (shared Mailpit / seeded DB): `admin-fulfillment`, `deferred-payment-admin`, `admin-dashboard`, `account-settings`, `password-reset` — project `chromium-serial` runs **after** parallel `chromium`, `workers: 1`
 
 ### CI (future)
 - `./gradlew check` and `npm run test && npm run lint` must pass before merge.

README.md

@@ -342,6 +342,7 @@ Before the first deploy, complete these steps on the production server (`srvr.nu
    | `MAIL_USERNAME` | `resend` (literal string) |
    | `MAIL_PASSWORD` | Resend API key (`re_...`; rotate if ever exposed) |
    | `MAIL_FROM` | `noreply@bilhej.se` (must be on verified domain) |
+   | `VITE_UMAMI_WEBSITE_ID` | Umami website UUID for `bilhej.se` (see `docs/umami-analytics.md`) |
 
    Passwords may contain `$` — the deploy workflow escapes these for Docker Compose.
    Production does **not** seed `test@bilhej.se` or demo orders. On first start, the

backend/src/main/java/se/bilhalsning/config/SecurityConfig.java

@@ -1,8 +1,12 @@
 package se.bilhalsning.config;
 
+import com.fasterxml.jackson.databind.ObjectMapper;
+import jakarta.servlet.http.HttpServletResponse;
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.MediaType;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.http.SessionCreationPolicy;
@@ -10,6 +14,7 @@ import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+import se.bilhalsning.dto.ErrorResponse;
 import se.bilhalsning.security.JwtAuthenticationFilter;
 import se.bilhalsning.security.JwtService;
 
@@ -17,6 +22,13 @@ import se.bilhalsning.security.JwtService;
 @EnableWebSecurity
 public class SecurityConfig {
 
+    static final String UNAUTHENTICATED_MESSAGE =
+            "Din session har löpt ut eller är ogiltig. Logga in igen.";
+    static final String FORBIDDEN_MESSAGE =
+            "Du har inte behörighet att utföra denna åtgärd.";
+
+    private final ObjectMapper objectMapper = new ObjectMapper();
+
     @Bean
     public PasswordEncoder passwordEncoder() {
         return new BCryptPasswordEncoder();
@@ -46,8 +58,21 @@ public class SecurityConfig {
                         .requestMatchers("/api/vehicles/**").permitAll()
                         .requestMatchers("/api/admin/**").hasRole("ADMIN")
                         .anyRequest().authenticated())
+                .exceptionHandling(eh -> eh
+                        .authenticationEntryPoint((request, response, ex) ->
+                                writeError(response, HttpStatus.UNAUTHORIZED, UNAUTHENTICATED_MESSAGE))
+                        .accessDeniedHandler((request, response, ex) ->
+                                writeError(response, HttpStatus.FORBIDDEN, FORBIDDEN_MESSAGE)))
                 .addFilterBefore(jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
 
         return http.build();
     }
+
+    private void writeError(HttpServletResponse response, HttpStatus status, String message)
+            throws java.io.IOException {
+        response.setStatus(status.value());
+        response.setContentType(MediaType.APPLICATION_JSON_VALUE);
+        response.setCharacterEncoding("UTF-8");
+        response.getWriter().write(objectMapper.writeValueAsString(new ErrorResponse(message)));
+    }
 }

backend/src/main/java/se/bilhalsning/controller/AdminController.java

@@ -9,10 +9,13 @@ import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
+import se.bilhalsning.dto.AdminOrderMapper;
 import se.bilhalsning.dto.AdminOrderResponse;
+import se.bilhalsning.dto.RegisterShipmentRequest;
+import se.bilhalsning.dto.UpdateAdminNotesRequest;
 import se.bilhalsning.dto.UpdateStatusRequest;
-import se.bilhalsning.dto.UpdateTrackingRequest;
 import se.bilhalsning.entity.Order;
+import se.bilhalsning.service.AdminOrderWorkflowService;
 import se.bilhalsning.service.OrderService;
 
 import java.util.List;
@@ -24,11 +27,12 @@ import java.util.UUID;
 public class AdminController {
 
     private final OrderService orderService;
+    private final AdminOrderWorkflowService adminOrderWorkflowService;
 
     @GetMapping("/orders")
     public ResponseEntity<List<AdminOrderResponse>> listAllOrders() {
         List<AdminOrderResponse> orders = orderService.getAllOrders().stream()
-                .map(this::toAdminResponse)
+                .map(AdminOrderMapper::toResponse)
                 .toList();
         return ResponseEntity.ok(orders);
     }
@@ -37,29 +41,26 @@ public class AdminController {
     public ResponseEntity<AdminOrderResponse> updateStatus(
             @PathVariable UUID id,
             @Valid @RequestBody UpdateStatusRequest request) {
-        Order order = orderService.updateOrderStatus(id, request.status());
+        Order order = adminOrderWorkflowService.updateOrderStatus(id, request.status());
-        return ResponseEntity.ok(toAdminResponse(order));
+        return ResponseEntity.ok(AdminOrderMapper.toResponse(order));
     }
 
-    @PatchMapping("/orders/{id}")
+    @PatchMapping("/orders/{id}/register-shipment")
-    public ResponseEntity<AdminOrderResponse> updateTracking(
+    public ResponseEntity<AdminOrderResponse> registerShipment(
             @PathVariable UUID id,
-            @Valid @RequestBody UpdateTrackingRequest request) {
+            @Valid @RequestBody RegisterShipmentRequest request) {
-        Order order = orderService.updateTracking(id, request.trackingId());
+        Order order = adminOrderWorkflowService.registerShipment(
-        return ResponseEntity.ok(toAdminResponse(order));
+                id,
+                request.trackingInput(),
+                request.notifyCustomerOrDefault());
+        return ResponseEntity.ok(AdminOrderMapper.toResponse(order));
     }
 
-    private AdminOrderResponse toAdminResponse(Order order) {
+    @PatchMapping("/orders/{id}/notes")
-        String email = order.getUser() != null ? order.getUser().getEmail() : "";
+    public ResponseEntity<AdminOrderResponse> updateNotes(
-        return new AdminOrderResponse(
+            @PathVariable UUID id,
-                order.getId(),
+            @RequestBody UpdateAdminNotesRequest request) {
-                email,
+        Order order = adminOrderWorkflowService.updateAdminNotes(id, request.adminNotes());
-                order.getPlate(),
+        return ResponseEntity.ok(AdminOrderMapper.toResponse(order));
-                order.getLetterText(),
-                order.getStatus().getValue(),
-                order.getTrackingId(),
-                order.getAmountPaid(),
-                order.getCreatedAt()
-        );
     }
 }

backend/src/main/java/se/bilhalsning/dto/AdminOrderMapper.java

@@ -0,0 +1,26 @@
+package se.bilhalsning.dto;
+
+import se.bilhalsning.entity.Order;
+import se.bilhalsning.service.AdminOrderStatusRules;
+
+public final class AdminOrderMapper {
+
+    private AdminOrderMapper() {}
+
+    public static AdminOrderResponse toResponse(Order order) {
+        String email = order.getUser() != null ? order.getUser().getEmail() : "";
+        return new AdminOrderResponse(
+                order.getId(),
+                email,
+                order.getPlate(),
+                order.getLetterText(),
+                order.getStatus().getValue(),
+                order.getTrackingId(),
+                order.getAmountPaid(),
+                order.getShippedAt(),
+                order.getAdminNotes(),
+                order.getCreatedAt(),
+                AdminOrderStatusRules.allowedStatusValues(order),
+                AdminOrderStatusRules.canRegisterShipment(order));
+    }
+}

backend/src/main/java/se/bilhalsning/dto/AdminOrderResponse.java

@@ -2,6 +2,7 @@ package se.bilhalsning.dto;
 
 import java.math.BigDecimal;
 import java.time.Instant;
+import java.util.List;
 import java.util.UUID;
 
 public record AdminOrderResponse(
@@ -12,5 +13,9 @@ public record AdminOrderResponse(
         String status,
         String trackingId,
         BigDecimal amountPaid,
-        Instant createdAt
+        Instant shippedAt,
+        String adminNotes,
+        Instant createdAt,
+        List<String> allowedStatuses,
+        boolean canRegisterShipment
 ) {}

backend/src/main/java/se/bilhalsning/dto/RegisterShipmentRequest.java

@@ -0,0 +1,13 @@
+package se.bilhalsning.dto;
+
+import jakarta.validation.constraints.NotBlank;
+
+public record RegisterShipmentRequest(
+        @NotBlank(message = "Spårnings-ID krävs")
+        String trackingInput,
+        Boolean notifyCustomer
+) {
+    public boolean notifyCustomerOrDefault() {
+        return notifyCustomer == null || notifyCustomer;
+    }
+}

backend/src/main/java/se/bilhalsning/dto/UpdateAdminNotesRequest.java

@@ -0,0 +1,5 @@
+package se.bilhalsning.dto;
+
+public record UpdateAdminNotesRequest(
+        String adminNotes
+) {}

backend/src/main/java/se/bilhalsning/dto/UpdateStatusRequest.java

@@ -6,7 +6,7 @@ import jakarta.validation.constraints.Pattern;
 public record UpdateStatusRequest(
         @NotBlank(message = "Status krävs")
         @Pattern(
-                regexp = "pending_payment|paid|processing|sent|delivered|failed",
+                regexp = "pending_payment|paid|processing|sent|delivered|failed|cancelled",
                 message = "Ogiltig status"
         )
         String status

backend/src/main/java/se/bilhalsning/dto/UpdateTrackingRequest.java

@@ -1,5 +0,0 @@
-package se.bilhalsning.dto;
-
-public record UpdateTrackingRequest(
-        String trackingId
-) {}

backend/src/main/java/se/bilhalsning/entity/Order.java

@@ -43,6 +43,12 @@ public class Order {
     @Column(name = "tracking_id", length = 100)
     private String trackingId;
 
+    @Column(name = "shipped_at")
+    private Instant shippedAt;
+
+    @Column(name = "admin_notes", columnDefinition = "text")
+    private String adminNotes;
+
     @Column(name = "created_at", nullable = false)
     private Instant createdAt;
 
@@ -130,6 +136,22 @@ public class Order {
         this.trackingId = trackingId;
     }
 
+    public Instant getShippedAt() {
+        return shippedAt;
+    }
+
+    public void setShippedAt(Instant shippedAt) {
+        this.shippedAt = shippedAt;
+    }
+
+    public String getAdminNotes() {
+        return adminNotes;
+    }
+
+    public void setAdminNotes(String adminNotes) {
+        this.adminNotes = adminNotes;
+    }
+
     public Instant getCreatedAt() {
         return createdAt;
     }

backend/src/main/java/se/bilhalsning/repository/OrderRepository.java

@@ -7,6 +7,7 @@ import se.bilhalsning.entity.Order;
 import se.bilhalsning.entity.OrderStatus;
 
 import java.util.List;
+import java.util.Optional;
 import java.util.UUID;
 
 @Repository
@@ -17,4 +18,7 @@ public interface OrderRepository extends JpaRepository<Order, UUID> {
 
     @EntityGraph(attributePaths = {"user"})
     List<Order> findAllByOrderByCreatedAtDesc();
+
+    @EntityGraph(attributePaths = {"user"})
+    Optional<Order> findWithUserById(UUID id);
 }

backend/src/main/java/se/bilhalsning/security/JwtService.java

@@ -18,7 +18,7 @@ public class JwtService {
         this(secret, DEFAULT_EXPIRATION_MS);
     }
 
-    JwtService(String secret, long expirationMs) {
+    public JwtService(String secret, long expirationMs) {
         this.secretKey = new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "HmacSHA256");
         this.expirationMs = expirationMs;
     }

backend/src/main/java/se/bilhalsning/service/AdminOrderStatusRules.java

@@ -0,0 +1,81 @@
+package se.bilhalsning.service;
+
+import java.util.ArrayList;
+import java.util.LinkedHashSet;
+import java.util.List;
+import se.bilhalsning.entity.Order;
+import se.bilhalsning.entity.OrderStatus;
+import se.bilhalsning.exception.InvalidOrderStateException;
+
+/**
+ * Admin status transitions and UI affordances. Single source of truth for
+ * {@link AdminOrderResponse#allowedStatuses()} and {@link AdminOrderResponse#canRegisterShipment()}.
+ */
+public final class AdminOrderStatusRules {
+
+    private AdminOrderStatusRules() {}
+
+    public static List<String> allowedStatusValues(Order order) {
+        OrderStatus current = order.getStatus();
+        LinkedHashSet<OrderStatus> options = new LinkedHashSet<>();
+        options.add(current);
+        for (OrderStatus target : allowedTargets(current, order)) {
+            options.add(target);
+        }
+        List<String> values = new ArrayList<>();
+        for (OrderStatus status : options) {
+            values.add(status.getValue());
+        }
+        return values;
+    }
+
+    public static boolean canRegisterShipment(Order order) {
+        OrderStatus status = order.getStatus();
+        if (status == OrderStatus.PROCESSING
+                || status == OrderStatus.SENT
+                || status == OrderStatus.DELIVERED) {
+            return true;
+        }
+        return status == OrderStatus.FAILED && order.getAmountPaid() != null;
+    }
+
+    public static void validateTransition(Order order, OrderStatus to) {
+        OrderStatus from = order.getStatus();
+        if (from == to) {
+            return;
+        }
+        if (!allowedTargets(from, order).contains(to)) {
+            throw new InvalidOrderStateException(
+                    "Status kan inte ändras från " + from.getValue() + " till " + to.getValue());
+        }
+    }
+
+    private static List<OrderStatus> allowedTargets(OrderStatus from, Order order) {
+        return switch (from) {
+            case PENDING_PAYMENT -> List.of(OrderStatus.FAILED);
+            case PROCESSING -> List.of(OrderStatus.FAILED);
+            case SENT -> List.of(OrderStatus.DELIVERED, OrderStatus.FAILED);
+            case DELIVERED -> List.of(OrderStatus.FAILED);
+            case FAILED -> allowedTargetsFromFailed(order);
+            default -> List.of();
+        };
+    }
+
+    private static List<OrderStatus> allowedTargetsFromFailed(Order order) {
+        if (hasTrackingId(order)) {
+            return List.of(
+                    OrderStatus.PROCESSING,
+                    OrderStatus.SENT,
+                    OrderStatus.DELIVERED);
+        }
+        if (order.getAmountPaid() == null) {
+            return List.of(OrderStatus.PENDING_PAYMENT);
+        }
+        return List.of(OrderStatus.PROCESSING, OrderStatus.SENT);
+    }
+
+    private static boolean hasTrackingId(Order order) {
+        String trackingId = order.getTrackingId();
+        return trackingId != null && !trackingId.isBlank();
+    }
+}

backend/src/main/java/se/bilhalsning/service/AdminOrderWorkflowService.java

@@ -0,0 +1,88 @@
+package se.bilhalsning.service;
+
+import lombok.RequiredArgsConstructor;
+import org.springframework.stereotype.Service;
+import se.bilhalsning.entity.Order;
+import se.bilhalsning.entity.OrderStatus;
+import se.bilhalsning.exception.InvalidOrderStateException;
+import se.bilhalsning.exception.OrderNotFoundException;
+import se.bilhalsning.repository.OrderRepository;
+import se.bilhalsning.util.PostNordTrackingNormalizer;
+
+import java.time.Instant;
+import java.util.UUID;
+
+@Service
+@RequiredArgsConstructor
+public class AdminOrderWorkflowService {
+
+    private final OrderRepository orderRepository;
+    private final OrderNotificationService orderNotificationService;
+
+    public Order updateOrderStatus(UUID orderId, String statusString) {
+        Order order = requireOrder(orderId);
+        OrderStatus newStatus = parseStatus(statusString);
+        OrderStatus previousStatus = order.getStatus();
+        AdminOrderStatusRules.validateTransition(order, newStatus);
+        order.setStatus(newStatus);
+        if (newStatus == OrderStatus.SENT
+                && previousStatus == OrderStatus.FAILED
+                && order.getShippedAt() == null) {
+            order.setShippedAt(Instant.now());
+        }
+        Order saved = orderRepository.save(order);
+        if (newStatus == OrderStatus.FAILED && previousStatus != OrderStatus.FAILED) {
+            orderNotificationService.notifyOrderFailed(saved);
+        }
+        return saved;
+    }
+
+    public Order registerShipment(UUID orderId, String rawTrackingInput, boolean notifyCustomer) {
+        String trackingId = PostNordTrackingNormalizer.normalize(rawTrackingInput);
+        Order order = requireOrder(orderId);
+        OrderStatus previousStatus = order.getStatus();
+
+        if (!AdminOrderStatusRules.canRegisterShipment(order)) {
+            throw new InvalidOrderStateException(
+                    "Beställningen kan inte registreras som utskickad i detta tillstånd");
+        }
+
+        if (previousStatus == OrderStatus.FAILED && order.getAmountPaid() == null) {
+            throw new InvalidOrderStateException(
+                    "Obetalda misslyckade beställningar kan inte registreras som utskickade");
+        }
+
+        boolean firstShipment = previousStatus == OrderStatus.PROCESSING
+                || previousStatus == OrderStatus.FAILED;
+        order.setTrackingId(trackingId);
+        if (firstShipment) {
+            order.setStatus(OrderStatus.SENT);
+            order.setShippedAt(Instant.now());
+        }
+
+        Order saved = orderRepository.save(order);
+        if (notifyCustomer && firstShipment) {
+            orderNotificationService.notifyOrderSent(saved, trackingId);
+        }
+        return saved;
+    }
+
+    public Order updateAdminNotes(UUID orderId, String adminNotes) {
+        Order order = requireOrder(orderId);
+        order.setAdminNotes(adminNotes);
+        return orderRepository.save(order);
+    }
+
+    private Order requireOrder(UUID orderId) {
+        return orderRepository.findWithUserById(orderId)
+                .orElseThrow(() -> new OrderNotFoundException(orderId));
+    }
+
+    private static OrderStatus parseStatus(String statusString) {
+        try {
+            return OrderStatus.valueOf(statusString.toUpperCase());
+        } catch (IllegalArgumentException ex) {
+            throw new IllegalArgumentException("Ogiltig status");
+        }
+    }
+}

backend/src/main/java/se/bilhalsning/service/EmailService.java

@@ -93,4 +93,71 @@ public class EmailService {
             throw new IllegalStateException("Kunde inte skicka e-post just nu");
         }
     }
+
+    public void sendOrderProcessingEmail(String toEmail, String plate, String ordersUrl) {
+        String subject = "Din beställning hanteras – BilHej";
+        String body = """
+                Hej,
+
+                Tack för din betalning! Vi har tagit emot din beställning för fordonet %s och börjar hantera brevet.
+
+                Du kan följa status på dina beställningar här:
+                %s
+
+                Vänliga hälsningar,
+                BilHej
+                """.formatted(plate, ordersUrl);
+        sendPlainText(toEmail, subject, body);
+    }
+
+    public void sendOrderSentEmail(String toEmail, String plate, String trackingId, String trackingUrl) {
+        String subject = "Ditt brev är skickat – BilHej";
+        String body = """
+                Hej,
+
+                Ditt brev till fordonet %s har skickats med PostNord.
+
+                Spårnings-ID: %s
+                Spåra brevet: %s
+
+                Vänliga hälsningar,
+                BilHej
+                """.formatted(plate, trackingId, trackingUrl);
+        sendPlainText(toEmail, subject, body);
+    }
+
+    public void sendOrderFailedEmail(String toEmail, String plate, String ordersUrl) {
+        String subject = "Din beställning kunde inte slutföras – BilHej";
+        String body = """
+                Hej,
+
+                Tyvärr kunde vi inte slutföra din beställning för fordonet %s. Vi återkommer om återbetalning behövs.
+
+                Se dina beställningar här:
+                %s
+
+                Vänliga hälsningar,
+                BilHej
+                """.formatted(plate, ordersUrl);
+        sendPlainText(toEmail, subject, body);
+    }
+
+    private void sendPlainText(String toEmail, String subject, String body) {
+        if (mailHost == null || mailHost.isBlank() || mailSender == null) {
+            log.info("SMTP not configured. Email to {} — subject: {}", toEmail, subject);
+            return;
+        }
+
+        SimpleMailMessage message = new SimpleMailMessage();
+        message.setFrom(mailFrom);
+        message.setTo(toEmail);
+        message.setSubject(subject);
+        message.setText(body);
+        try {
+            mailSender.send(message);
+        } catch (MailException ex) {
+            log.error("Failed to send email to {}", toEmail, ex);
+            throw new IllegalStateException("Kunde inte skicka e-post just nu");
+        }
+    }
 }

backend/src/main/java/se/bilhalsning/service/OrderNotificationService.java

@@ -0,0 +1,69 @@
+package se.bilhalsning.service;
+
+import lombok.RequiredArgsConstructor;
+import org.springframework.beans.factory.annotation.Value;
+import org.springframework.stereotype.Service;
+import se.bilhalsning.entity.Order;
+import se.bilhalsning.entity.User;
+import se.bilhalsning.repository.UserRepository;
+
+import java.util.UUID;
+
+@Service
+@RequiredArgsConstructor
+public class OrderNotificationService {
+
+    private final UserRepository userRepository;
+    private final EmailService emailService;
+
+    @Value("${app.public-base-url:http://localhost:3000}")
+    private String publicBaseUrl;
+
+    public void notifyOrderProcessing(Order order) {
+        String email = resolveCustomerEmail(order);
+        if (email.isBlank()) {
+            return;
+        }
+        emailService.sendOrderProcessingEmail(
+                email,
+                order.getPlate(),
+                ordersPageUrl());
+    }
+
+    public void notifyOrderSent(Order order, String trackingId) {
+        String email = resolveCustomerEmail(order);
+        if (email.isBlank()) {
+            return;
+        }
+        String trackingUrl = "https://www.postnord.se/verktyg/spara/?id=" + trackingId;
+        emailService.sendOrderSentEmail(email, order.getPlate(), trackingId, trackingUrl);
+    }
+
+    public void notifyOrderFailed(Order order) {
+        String email = resolveCustomerEmail(order);
+        if (email.isBlank()) {
+            return;
+        }
+        emailService.sendOrderFailedEmail(email, order.getPlate(), ordersPageUrl());
+    }
+
+    private String resolveCustomerEmail(Order order) {
+        if (order.getUser() != null && order.getUser().getEmail() != null) {
+            return order.getUser().getEmail();
+        }
+        UUID userId = order.getUserId();
+        if (userId == null) {
+            return "";
+        }
+        return userRepository.findById(userId)
+                .map(User::getEmail)
+                .orElse("");
+    }
+
+    private String ordersPageUrl() {
+        String base = publicBaseUrl.endsWith("/")
+                ? publicBaseUrl.substring(0, publicBaseUrl.length() - 1)
+                : publicBaseUrl;
+        return base + "/mina-bestallningar";
+    }
+}

backend/src/main/java/se/bilhalsning/service/OrderService.java

@@ -16,6 +16,7 @@ import java.util.UUID;
 public class OrderService {
 
     private final OrderRepository orderRepository;
+    private final OrderNotificationService orderNotificationService;
 
     public Order createOrder(UUID userId, String plate, String letterText) {
         Order order = new Order();
@@ -39,27 +40,12 @@ public class OrderService {
         return orderRepository.findAllByOrderByCreatedAtDesc();
     }
 
-    public Order updateOrderStatus(UUID orderId, String statusString) {
-        Order order = orderRepository.findById(orderId)
-                .orElseThrow(() -> new OrderNotFoundException(orderId));
-
-        OrderStatus newStatus = OrderStatus.valueOf(statusString.toUpperCase());
-        order.setStatus(newStatus);
-        return orderRepository.save(order);
-    }
-
-    public Order updateTracking(UUID orderId, String trackingId) {
-        Order order = orderRepository.findById(orderId)
-                .orElseThrow(() -> new OrderNotFoundException(orderId));
-
-        order.setTrackingId(trackingId);
-        return orderRepository.save(order);
-    }
-
     public Order confirmPayment(UUID orderId, UUID userId) {
         Order order = requirePendingOwnedBy(orderId, userId);
         order.setStatus(OrderStatus.PROCESSING);
-        return orderRepository.save(order);
+        Order saved = orderRepository.save(order);
+        orderNotificationService.notifyOrderProcessing(saved);
+        return saved;
     }
 
     public Order cancelOrder(UUID orderId, UUID userId) {

backend/src/main/java/se/bilhalsning/util/PostNordTrackingNormalizer.java

@@ -0,0 +1,45 @@
+package se.bilhalsning.util;
+
+import java.net.URI;
+import java.net.URLDecoder;
+import java.nio.charset.StandardCharsets;
+
+public final class PostNordTrackingNormalizer {
+
+    private PostNordTrackingNormalizer() {
+    }
+
+    public static String normalize(String raw) {
+        if (raw == null || raw.isBlank()) {
+            throw new IllegalArgumentException("Spårnings-ID krävs");
+        }
+
+        String trimmed = raw.trim();
+        if (trimmed.toLowerCase().contains("postnord")) {
+            String fromUrl = extractIdFromPostNordUrl(trimmed);
+            if (fromUrl != null && !fromUrl.isBlank()) {
+                trimmed = fromUrl;
+            }
+        }
+
+        return trimmed.replaceAll("\\s+", "");
+    }
+
+    private static String extractIdFromPostNordUrl(String url) {
+        try {
+            URI uri = URI.create(url);
+            String query = uri.getQuery();
+            if (query == null) {
+                return null;
+            }
+            for (String param : query.split("&")) {
+                if (param.startsWith("id=")) {
+                    return URLDecoder.decode(param.substring(3), StandardCharsets.UTF_8).trim();
+                }
+            }
+        } catch (IllegalArgumentException ignored) {
+            return null;
+        }
+        return null;
+    }
+}

backend/src/main/resources/db/dev-migration/V7__seed_processing_order.sql

@@ -0,0 +1,13 @@
+-- Dev/CI: order in "processing" for admin fulfillment testing
+INSERT INTO orders (id, user_id, plate, letter_text, status, amount_paid, tracking_id, created_at, updated_at)
+VALUES (
+    'c4eebc99-9c0b-4ef8-bb6d-6bb9bd380a14',
+    'a0eebc99-9c0b-4ef8-bb6d-6bb9bd380a11',
+    'JKL012',
+    'Hej! Bara en påminnelse om serviceboken.',
+    'processing',
+    49.00,
+    NULL,
+    TIMESTAMP '2026-05-16 09:00:00',
+    TIMESTAMP '2026-05-16 09:00:00'
+);

backend/src/main/resources/db/migration/V11__add_order_fulfillment_columns.sql

@@ -0,0 +1,3 @@
+ALTER TABLE orders ADD COLUMN shipped_at TIMESTAMP WITH TIME ZONE;
+
+ALTER TABLE orders ADD COLUMN admin_notes TEXT;

backend/src/test/java/se/bilhalsning/controller/AdminControllerTest.java

@@ -1,6 +1,6 @@
 package se.bilhalsning.controller;
 
-import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.ArgumentMatchers.anyBoolean;
 import static org.mockito.ArgumentMatchers.eq;
 import static org.mockito.Mockito.when;
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
@@ -23,7 +23,9 @@ import org.springframework.test.web.servlet.MockMvc;
 import se.bilhalsning.entity.Order;
 import se.bilhalsning.entity.OrderStatus;
 import se.bilhalsning.entity.User;
+import se.bilhalsning.exception.InvalidOrderStateException;
 import se.bilhalsning.exception.OrderNotFoundException;
+import se.bilhalsning.service.AdminOrderWorkflowService;
 import se.bilhalsning.service.OrderService;
 
 @SpringBootTest
@@ -36,17 +38,22 @@ class AdminControllerTest {
     @MockitoBean
     private OrderService orderService;
 
+    @MockitoBean
+    private AdminOrderWorkflowService adminOrderWorkflowService;
+
     @Test
-    void shouldReturn403WhenNotAuthenticated() throws Exception {
+    void shouldReturn401WhenNotAuthenticated() throws Exception {
         mockMvc.perform(get("/api/admin/orders"))
-                .andExpect(status().isForbidden());
+                .andExpect(status().isUnauthorized())
+                .andExpect(jsonPath("$.message").exists());
     }
 
     @Test
     @WithMockUser(username = "test@bilhej.se", roles = "USER")
     void shouldReturn403ForNonAdminUser() throws Exception {
         mockMvc.perform(get("/api/admin/orders"))
-                .andExpect(status().isForbidden());
+                .andExpect(status().isForbidden())
+                .andExpect(jsonPath("$.message").exists());
     }
 
     @Test
@@ -61,151 +68,96 @@ class AdminControllerTest {
                 .andExpect(jsonPath("$[0].id").value(order.getId().toString()))
                 .andExpect(jsonPath("$[0].email").value("test@bilhej.se"))
                 .andExpect(jsonPath("$[0].plate").value("ABC123"))
-                .andExpect(jsonPath("$[0].letterText").value("Test letter"))
+                .andExpect(jsonPath("$[0].status").value("sent"))
-                .andExpect(jsonPath("$[0].status").value("sent"));
+                .andExpect(jsonPath("$[0].allowedStatuses").isArray())
-    }
+                .andExpect(jsonPath("$[0].canRegisterShipment").value(true));
-
-    @Test
-    @WithMockUser(username = "admin@bilhalsning.se", roles = "ADMIN")
-    void shouldReturnEmptyArrayWhenNoOrders() throws Exception {
-        when(orderService.getAllOrders()).thenReturn(List.of());
-
-        mockMvc.perform(get("/api/admin/orders"))
-                .andExpect(status().isOk())
-                .andExpect(jsonPath("$").isArray())
-                .andExpect(jsonPath("$").isEmpty());
-    }
-
-    @Test
-    void shouldReturn403WhenPatchingStatusWithoutAuth() throws Exception {
-        mockMvc.perform(patch("/api/admin/orders/{id}/status",
-                        "c1eebc99-9c0b-4ef8-bb6d-6bb9bd380a11")
-                        .contentType(MediaType.APPLICATION_JSON)
-                        .content("{\"status\":\"paid\"}"))
-                .andExpect(status().isForbidden());
-    }
-
-    @Test
-    @WithMockUser(username = "test@bilhej.se", roles = "USER")
-    void shouldReturn403WhenPatchingStatusAsNonAdmin() throws Exception {
-        mockMvc.perform(patch("/api/admin/orders/{id}/status",
-                        "c1eebc99-9c0b-4ef8-bb6d-6bb9bd380a11")
-                        .contentType(MediaType.APPLICATION_JSON)
-                        .content("{\"status\":\"paid\"}"))
-                .andExpect(status().isForbidden());
     }
 
     @Test
     @WithMockUser(username = "admin@bilhalsning.se", roles = "ADMIN")
     void shouldUpdateOrderStatusSuccessfully() throws Exception {
         UUID orderId = UUID.fromString("c1eebc99-9c0b-4ef8-bb6d-6bb9bd380a11");
-        Order order = createOrder(orderId, "ABC123", "test@bilhej.se", OrderStatus.PAID);
+        Order order = createOrder(orderId, "ABC123", "test@bilhej.se", OrderStatus.FAILED);
 
-        when(orderService.updateOrderStatus(eq(orderId), eq("paid"))).thenReturn(order);
+        when(adminOrderWorkflowService.updateOrderStatus(eq(orderId), eq("failed")))
+                .thenReturn(order);
 
         mockMvc.perform(patch("/api/admin/orders/{id}/status", orderId)
                         .contentType(MediaType.APPLICATION_JSON)
-                        .content("{\"status\":\"paid\"}"))
+                        .content("{\"status\":\"failed\"}"))
                 .andExpect(status().isOk())
-                .andExpect(jsonPath("$.id").value(orderId.toString()))
+                .andExpect(jsonPath("$.status").value("failed"));
-                .andExpect(jsonPath("$.status").value("paid"));
     }
 
     @Test
     @WithMockUser(username = "admin@bilhalsning.se", roles = "ADMIN")
-    void shouldReturn400WhenStatusIsInvalid() throws Exception {
+    void shouldReturn409WhenStatusTransitionInvalid() throws Exception {
-        mockMvc.perform(patch("/api/admin/orders/{id}/status",
-                        "c1eebc99-9c0b-4ef8-bb6d-6bb9bd380a11")
-                        .contentType(MediaType.APPLICATION_JSON)
-                        .content("{\"status\":\"invalid_status\"}"))
-                .andExpect(status().isBadRequest());
-    }
-
-    @Test
-    @WithMockUser(username = "admin@bilhalsning.se", roles = "ADMIN")
-    void shouldReturn400WhenStatusIsBlank() throws Exception {
-        mockMvc.perform(patch("/api/admin/orders/{id}/status",
-                        "c1eebc99-9c0b-4ef8-bb6d-6bb9bd380a11")
-                        .contentType(MediaType.APPLICATION_JSON)
-                        .content("{\"status\":\"\"}"))
-                .andExpect(status().isBadRequest());
-    }
-
-    @Test
-    @WithMockUser(username = "admin@bilhalsning.se", roles = "ADMIN")
-    void shouldReturn404WhenOrderNotFound() throws Exception {
         UUID orderId = UUID.fromString("c1eebc99-9c0b-4ef8-bb6d-6bb9bd380a11");
-        when(orderService.updateOrderStatus(eq(orderId), eq("paid")))
+        when(adminOrderWorkflowService.updateOrderStatus(eq(orderId), eq("delivered")))
-                .thenThrow(new OrderNotFoundException(orderId));
+                .thenThrow(new InvalidOrderStateException("Ogiltig övergång"));
 
         mockMvc.perform(patch("/api/admin/orders/{id}/status", orderId)
                         .contentType(MediaType.APPLICATION_JSON)
-                        .content("{\"status\":\"paid\"}"))
+                        .content("{\"status\":\"delivered\"}"))
-                .andExpect(status().isNotFound());
+                .andExpect(status().isConflict());
-    }
-
-    @Test
-    void shouldReturn403WhenPatchingTrackingWithoutAuth() throws Exception {
-        mockMvc.perform(patch("/api/admin/orders/{id}",
-                        "c1eebc99-9c0b-4ef8-bb6d-6bb9bd380a11")
-                        .contentType(MediaType.APPLICATION_JSON)
-                        .content("{\"trackingId\":\"PN123456789\"}"))
-                .andExpect(status().isForbidden());
-    }
-
-    @Test
-    @WithMockUser(username = "test@bilhej.se", roles = "USER")
-    void shouldReturn403WhenPatchingTrackingAsNonAdmin() throws Exception {
-        mockMvc.perform(patch("/api/admin/orders/{id}",
-                        "c1eebc99-9c0b-4ef8-bb6d-6bb9bd380a11")
-                        .contentType(MediaType.APPLICATION_JSON)
-                        .content("{\"trackingId\":\"PN123456789\"}"))
-                .andExpect(status().isForbidden());
     }
 
     @Test
     @WithMockUser(username = "admin@bilhalsning.se", roles = "ADMIN")
-    void shouldUpdateTrackingSuccessfully() throws Exception {
+    void shouldRegisterShipmentSuccessfully() throws Exception {
         UUID orderId = UUID.fromString("c1eebc99-9c0b-4ef8-bb6d-6bb9bd380a11");
         Order order = createOrder(orderId, "ABC123", "test@bilhej.se", OrderStatus.SENT);
         order.setTrackingId("PN123456789");
+        order.setShippedAt(Instant.parse("2026-05-13T12:00:00Z"));
 
-        when(orderService.updateTracking(eq(orderId), eq("PN123456789"))).thenReturn(order);
+        when(adminOrderWorkflowService.registerShipment(eq(orderId), eq("PN123456789"), eq(true)))
+                .thenReturn(order);
 
-        mockMvc.perform(patch("/api/admin/orders/{id}", orderId)
+        mockMvc.perform(patch("/api/admin/orders/{id}/register-shipment", orderId)
                         .contentType(MediaType.APPLICATION_JSON)
-                        .content("{\"trackingId\":\"PN123456789\"}"))
+                        .content("{\"trackingInput\":\"PN123456789\",\"notifyCustomer\":true}"))
                 .andExpect(status().isOk())
-                .andExpect(jsonPath("$.id").value(orderId.toString()))
+                .andExpect(jsonPath("$.trackingId").value("PN123456789"))
-                .andExpect(jsonPath("$.trackingId").value("PN123456789"));
+                .andExpect(jsonPath("$.status").value("sent"));
     }
 
     @Test
     @WithMockUser(username = "admin@bilhalsning.se", roles = "ADMIN")
-    void shouldClearTrackingWhenNull() throws Exception {
+    void shouldReturn400WhenTrackingInputBlank() throws Exception {
         UUID orderId = UUID.fromString("c1eebc99-9c0b-4ef8-bb6d-6bb9bd380a11");
-        Order order = createOrder(orderId, "ABC123", "test@bilhej.se", OrderStatus.SENT);
-        order.setTrackingId(null);
 
-        when(orderService.updateTracking(eq(orderId), eq(null))).thenReturn(order);
+        mockMvc.perform(patch("/api/admin/orders/{id}/register-shipment", orderId)
-
-        mockMvc.perform(patch("/api/admin/orders/{id}", orderId)
                         .contentType(MediaType.APPLICATION_JSON)
-                        .content("{\"trackingId\":null}"))
+                        .content("{\"trackingInput\":\"\"}"))
-                .andExpect(status().isOk())
+                .andExpect(status().isBadRequest());
-                .andExpect(jsonPath("$.trackingId").doesNotExist());
     }
 
     @Test
     @WithMockUser(username = "admin@bilhalsning.se", roles = "ADMIN")
-    void shouldReturn404WhenOrderNotFoundForTracking() throws Exception {
+    void shouldUpdateAdminNotes() throws Exception {
         UUID orderId = UUID.fromString("c1eebc99-9c0b-4ef8-bb6d-6bb9bd380a11");
-        when(orderService.updateTracking(eq(orderId), eq("PN123456789")))
+        Order order = createOrder(orderId, "ABC123", "test@bilhej.se", OrderStatus.PROCESSING);
+        order.setAdminNotes("Kontaktat TS");
+
+        when(adminOrderWorkflowService.updateAdminNotes(orderId, "Kontaktat TS")).thenReturn(order);
+
+        mockMvc.perform(patch("/api/admin/orders/{id}/notes", orderId)
+                        .contentType(MediaType.APPLICATION_JSON)
+                        .content("{\"adminNotes\":\"Kontaktat TS\"}"))
+                .andExpect(status().isOk())
+                .andExpect(jsonPath("$.adminNotes").value("Kontaktat TS"));
+    }
+
+    @Test
+    @WithMockUser(username = "admin@bilhalsning.se", roles = "ADMIN")
+    void shouldReturn404WhenOrderNotFoundForRegisterShipment() throws Exception {
+        UUID orderId = UUID.fromString("c1eebc99-9c0b-4ef8-bb6d-6bb9bd380a11");
+        when(adminOrderWorkflowService.registerShipment(eq(orderId), eq("PN123"), anyBoolean()))
                 .thenThrow(new OrderNotFoundException(orderId));
 
-        mockMvc.perform(patch("/api/admin/orders/{id}", orderId)
+        mockMvc.perform(patch("/api/admin/orders/{id}/register-shipment", orderId)
                         .contentType(MediaType.APPLICATION_JSON)
-                        .content("{\"trackingId\":\"PN123456789\"}"))
+                        .content("{\"trackingInput\":\"PN123\"}"))
                 .andExpect(status().isNotFound());
     }
 
@@ -219,7 +171,6 @@ class AdminControllerTest {
         order.setPlate(plate);
         order.setLetterText("Test letter");
         order.setStatus(status);
-        order.setTrackingId(null);
         order.setAmountPaid(new BigDecimal("49.00"));
 
         return order;

backend/src/test/java/se/bilhalsning/controller/AuthControllerTest.java

@@ -225,7 +225,8 @@ class AuthControllerTest {
                         .contentType(MediaType.APPLICATION_JSON)
                         .content(
                                 "{\"currentPassword\":\"test1234\",\"newPassword\":\"newpassword123\"}"))
-                .andExpect(status().isForbidden());
+                .andExpect(status().isUnauthorized())
+                .andExpect(jsonPath("$.message").exists());
     }
 
     @Test
@@ -263,6 +264,7 @@ class AuthControllerTest {
         mockMvc.perform(post("/api/auth/change-email")
                         .contentType(MediaType.APPLICATION_JSON)
                         .content("{\"newEmail\":\"new@example.com\",\"password\":\"password123\"}"))
-                .andExpect(status().isForbidden());
+                .andExpect(status().isUnauthorized())
+                .andExpect(jsonPath("$.message").exists());
     }
 }

backend/src/test/java/se/bilhalsning/controller/OrderControllerTest.java

@@ -18,16 +18,22 @@ import org.springframework.boot.test.context.SpringBootTest;
 import org.springframework.boot.webmvc.test.autoconfigure.AutoConfigureMockMvc;
 import org.springframework.security.test.context.support.WithMockUser;
 import org.springframework.test.context.bean.override.mockito.MockitoBean;
+import org.springframework.test.context.TestPropertySource;
 import org.springframework.test.web.servlet.MockMvc;
 import se.bilhalsning.dto.OrderResponse;
 import se.bilhalsning.entity.User;
+import se.bilhalsning.security.JwtService;
 import se.bilhalsning.service.OrderService;
 import se.bilhalsning.service.UserService;
 
 @SpringBootTest
 @AutoConfigureMockMvc
+@TestPropertySource(properties = "app.jwt.secret=this-is-a-test-secret-that-is-at-least-32-bytes-long!!")
 class OrderControllerTest {
 
+    private static final String TEST_SECRET =
+            "this-is-a-test-secret-that-is-at-least-32-bytes-long!!";
+
     @Autowired
     private MockMvc mockMvc;
 
@@ -38,9 +44,10 @@ class OrderControllerTest {
     private UserService userService;
 
     @Test
-    void shouldReturn403WhenNotAuthenticated() throws Exception {
+    void shouldReturn401WhenNotAuthenticated() throws Exception {
         mockMvc.perform(get("/api/orders"))
-                .andExpect(status().isForbidden());
+                .andExpect(status().isUnauthorized())
+                .andExpect(jsonPath("$.message").exists());
     }
 
     @Test
@@ -100,11 +107,31 @@ class OrderControllerTest {
     }
 
     @Test
-    void shouldReturn403WhenPostingWithoutAuth() throws Exception {
+    void shouldReturn401WhenPostingWithoutAuth() throws Exception {
         mockMvc.perform(post("/api/orders")
                         .contentType("application/json")
                         .content("{\"plate\":\"ABC123\",\"letterText\":\"Hej\"}"))
-                .andExpect(status().isForbidden());
+                .andExpect(status().isUnauthorized())
+                .andExpect(jsonPath("$.message").exists());
+    }
+
+    @Test
+    void shouldReturn401WithSwedishMessageWhenTokenExpired() throws Exception {
+        JwtService expiredJwtService = new JwtService(TEST_SECRET, -1000L);
+        String expiredToken = expiredJwtService.generateToken("test@bilhej.se");
+
+        mockMvc.perform(get("/api/orders")
+                        .header("Authorization", "Bearer " + expiredToken))
+                .andExpect(status().isUnauthorized())
+                .andExpect(jsonPath("$.message").exists());
+    }
+
+    @Test
+    void shouldReturn401WithMessageWhenNoAuthHeader() throws Exception {
+        mockMvc.perform(get("/api/orders"))
+                .andExpect(status().isUnauthorized())
+                .andExpect(jsonPath("$.message")
+                        .value(org.hamcrest.Matchers.containsString("session")));
     }
 
     @Test

backend/src/test/java/se/bilhalsning/controller/PaymentControllerTest.java

@@ -39,10 +39,11 @@ class PaymentControllerTest {
     private UserService userService;
 
     @Test
-    void shouldReturn403WhenNotAuthenticated() throws Exception {
+    void shouldReturn401WhenNotAuthenticated() throws Exception {
         mockMvc.perform(post("/api/payment/{orderId}/pay",
                         "c1eebc99-9c0b-4ef8-bb6d-6bb9bd380a11"))
-                .andExpect(status().isForbidden());
+                .andExpect(status().isUnauthorized())
+                .andExpect(jsonPath("$.message").exists());
     }
 
     @Test

backend/src/test/java/se/bilhalsning/service/AdminOrderStatusRulesTest.java

@@ -0,0 +1,48 @@
+package se.bilhalsning.service;
+
+import org.junit.jupiter.api.Test;
+import se.bilhalsning.entity.Order;
+import se.bilhalsning.entity.OrderStatus;
+
+import java.math.BigDecimal;
+
+import static org.junit.jupiter.api.Assertions.*;
+
+class AdminOrderStatusRulesTest {
+
+    @Test
+    void shouldIncludeCurrentAndTargetsForSentOrder() {
+        Order order = orderWithStatus(OrderStatus.SENT);
+
+        assertEquals(
+                java.util.List.of("sent", "delivered", "failed"),
+                AdminOrderStatusRules.allowedStatusValues(order));
+        assertTrue(AdminOrderStatusRules.canRegisterShipment(order));
+    }
+
+    @Test
+    void shouldAllowOnlyFailedFromPendingPayment() {
+        Order order = orderWithStatus(OrderStatus.PENDING_PAYMENT);
+
+        assertEquals(
+                java.util.List.of("pending_payment", "failed"),
+                AdminOrderStatusRules.allowedStatusValues(order));
+        assertFalse(AdminOrderStatusRules.canRegisterShipment(order));
+    }
+
+    @Test
+    void shouldExposeFailedRecoveryOptionsWhenTrackingExists() {
+        Order order = orderWithStatus(OrderStatus.FAILED);
+        order.setTrackingId("PN123");
+        order.setAmountPaid(new BigDecimal("49.00"));
+
+        assertTrue(AdminOrderStatusRules.allowedStatusValues(order).contains("sent"));
+        assertTrue(AdminOrderStatusRules.canRegisterShipment(order));
+    }
+
+    private static Order orderWithStatus(OrderStatus status) {
+        Order order = new Order();
+        order.setStatus(status);
+        return order;
+    }
+}

backend/src/test/java/se/bilhalsning/service/AdminOrderWorkflowServiceTest.java

@@ -0,0 +1,179 @@
+package se.bilhalsning.service;
+
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.mockito.InjectMocks;
+import org.mockito.Mock;
+import org.mockito.junit.jupiter.MockitoExtension;
+import se.bilhalsning.entity.Order;
+import se.bilhalsning.entity.OrderStatus;
+import se.bilhalsning.exception.InvalidOrderStateException;
+import se.bilhalsning.repository.OrderRepository;
+
+import java.math.BigDecimal;
+import java.util.Optional;
+import java.util.UUID;
+
+import static org.junit.jupiter.api.Assertions.*;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.*;
+
+@ExtendWith(MockitoExtension.class)
+class AdminOrderWorkflowServiceTest {
+
+    @Mock
+    private OrderRepository orderRepository;
+
+    @Mock
+    private OrderNotificationService orderNotificationService;
+
+    @InjectMocks
+    private AdminOrderWorkflowService adminOrderWorkflowService;
+
+    @Test
+    void shouldRegisterShipmentFromProcessingAndSetSent() {
+        UUID orderId = UUID.randomUUID();
+        Order order = new Order();
+        order.setId(orderId);
+        order.setStatus(OrderStatus.PROCESSING);
+        when(orderRepository.findWithUserById(orderId)).thenReturn(Optional.of(order));
+        when(orderRepository.save(any(Order.class))).thenAnswer(inv -> inv.getArgument(0));
+
+        Order result = adminOrderWorkflowService.registerShipment(orderId, "PN123456789", true);
+
+        assertEquals(OrderStatus.SENT, result.getStatus());
+        assertEquals("PN123456789", result.getTrackingId());
+        assertNotNull(result.getShippedAt());
+        verify(orderNotificationService).notifyOrderSent(result, "PN123456789");
+    }
+
+    @Test
+    void shouldRejectRegisterShipmentWhenPendingPayment() {
+        UUID orderId = UUID.randomUUID();
+        Order order = new Order();
+        order.setId(orderId);
+        order.setStatus(OrderStatus.PENDING_PAYMENT);
+        when(orderRepository.findWithUserById(orderId)).thenReturn(Optional.of(order));
+
+        assertThrows(InvalidOrderStateException.class,
+                () -> adminOrderWorkflowService.registerShipment(orderId, "PN123", true));
+    }
+
+    @Test
+    void shouldRejectInvalidAdminStatusTransition() {
+        UUID orderId = UUID.randomUUID();
+        Order order = new Order();
+        order.setId(orderId);
+        order.setStatus(OrderStatus.PROCESSING);
+        when(orderRepository.findWithUserById(orderId)).thenReturn(Optional.of(order));
+
+        assertThrows(InvalidOrderStateException.class,
+                () -> adminOrderWorkflowService.updateOrderStatus(orderId, "delivered"));
+    }
+
+    @Test
+    void shouldMarkPendingPaymentAsFailed() {
+        UUID orderId = UUID.randomUUID();
+        Order order = new Order();
+        order.setId(orderId);
+        order.setStatus(OrderStatus.PENDING_PAYMENT);
+        when(orderRepository.findWithUserById(orderId)).thenReturn(Optional.of(order));
+        when(orderRepository.save(any(Order.class))).thenAnswer(inv -> inv.getArgument(0));
+
+        Order result = adminOrderWorkflowService.updateOrderStatus(orderId, "failed");
+
+        assertEquals(OrderStatus.FAILED, result.getStatus());
+        verify(orderNotificationService).notifyOrderFailed(result);
+    }
+
+    @Test
+    void shouldRevertFailedToPendingPaymentWhenUnpaid() {
+        UUID orderId = UUID.randomUUID();
+        Order order = new Order();
+        order.setId(orderId);
+        order.setStatus(OrderStatus.FAILED);
+        when(orderRepository.findWithUserById(orderId)).thenReturn(Optional.of(order));
+        when(orderRepository.save(any(Order.class))).thenAnswer(inv -> inv.getArgument(0));
+
+        Order result = adminOrderWorkflowService.updateOrderStatus(orderId, "pending_payment");
+
+        assertEquals(OrderStatus.PENDING_PAYMENT, result.getStatus());
+    }
+
+    @Test
+    void shouldRevertFailedToProcessingWhenPaidWithoutTracking() {
+        UUID orderId = UUID.randomUUID();
+        Order order = new Order();
+        order.setId(orderId);
+        order.setStatus(OrderStatus.FAILED);
+        order.setAmountPaid(new BigDecimal("49.00"));
+        when(orderRepository.findWithUserById(orderId)).thenReturn(Optional.of(order));
+        when(orderRepository.save(any(Order.class))).thenAnswer(inv -> inv.getArgument(0));
+
+        Order result = adminOrderWorkflowService.updateOrderStatus(orderId, "processing");
+
+        assertEquals(OrderStatus.PROCESSING, result.getStatus());
+        verify(orderNotificationService, never()).notifyOrderFailed(any(Order.class));
+    }
+
+    @Test
+    void shouldRevertFailedToSentWhenPaidWithoutTracking() {
+        UUID orderId = UUID.randomUUID();
+        Order order = new Order();
+        order.setId(orderId);
+        order.setStatus(OrderStatus.FAILED);
+        order.setAmountPaid(new BigDecimal("49.00"));
+        when(orderRepository.findWithUserById(orderId)).thenReturn(Optional.of(order));
+        when(orderRepository.save(any(Order.class))).thenAnswer(inv -> inv.getArgument(0));
+
+        Order result = adminOrderWorkflowService.updateOrderStatus(orderId, "sent");
+
+        assertEquals(OrderStatus.SENT, result.getStatus());
+        assertNotNull(result.getShippedAt());
+    }
+
+    @Test
+    void shouldRegisterShipmentFromFailedWhenPaid() {
+        UUID orderId = UUID.randomUUID();
+        Order order = new Order();
+        order.setId(orderId);
+        order.setStatus(OrderStatus.FAILED);
+        order.setAmountPaid(new BigDecimal("49.00"));
+        when(orderRepository.findWithUserById(orderId)).thenReturn(Optional.of(order));
+        when(orderRepository.save(any(Order.class))).thenAnswer(inv -> inv.getArgument(0));
+
+        Order result = adminOrderWorkflowService.registerShipment(orderId, "PN888", true);
+
+        assertEquals(OrderStatus.SENT, result.getStatus());
+        assertEquals("PN888", result.getTrackingId());
+    }
+
+    @Test
+    void shouldRevertFailedToSentWhenTrackingExists() {
+        UUID orderId = UUID.randomUUID();
+        Order order = new Order();
+        order.setId(orderId);
+        order.setStatus(OrderStatus.FAILED);
+        order.setTrackingId("PN123");
+        when(orderRepository.findWithUserById(orderId)).thenReturn(Optional.of(order));
+        when(orderRepository.save(any(Order.class))).thenAnswer(inv -> inv.getArgument(0));
+
+        Order result = adminOrderWorkflowService.updateOrderStatus(orderId, "sent");
+
+        assertEquals(OrderStatus.SENT, result.getStatus());
+    }
+
+    @Test
+    void shouldNotifyCustomerOnFailedStatusFromProcessing() {
+        UUID orderId = UUID.randomUUID();
+        Order order = new Order();
+        order.setId(orderId);
+        order.setStatus(OrderStatus.PROCESSING);
+        when(orderRepository.findWithUserById(orderId)).thenReturn(Optional.of(order));
+        when(orderRepository.save(any(Order.class))).thenAnswer(inv -> inv.getArgument(0));
+
+        adminOrderWorkflowService.updateOrderStatus(orderId, "failed");
+
+        verify(orderNotificationService).notifyOrderFailed(any(Order.class));
+    }
+}

backend/src/test/java/se/bilhalsning/service/OrderServiceTest.java

@@ -27,6 +27,9 @@ class OrderServiceTest {
     @Mock
     private OrderRepository orderRepository;
 
+    @Mock
+    private OrderNotificationService orderNotificationService;
+
     @InjectMocks
     private OrderService orderService;
 
@@ -249,4 +252,5 @@ class OrderServiceTest {
         assertThrows(OrderNotFoundException.class,
                 () -> orderService.confirmPayment(orderId, otherUserId));
     }
+
 }

backend/src/test/java/se/bilhalsning/util/PostNordTrackingNormalizerTest.java

@@ -0,0 +1,26 @@
+package se.bilhalsning.util;
+
+import org.junit.jupiter.api.Test;
+
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+
+class PostNordTrackingNormalizerTest {
+
+    @Test
+    void shouldTrimAndRemoveWhitespaceFromPlainId() {
+        assertEquals("PN123456789", PostNordTrackingNormalizer.normalize("  PN 123 456 789  "));
+    }
+
+    @Test
+    void shouldExtractIdFromPostNordUrl() {
+        String url = "https://www.postnord.se/verktyg/spara/?id=PN987654321&utm=foo";
+        assertEquals("PN987654321", PostNordTrackingNormalizer.normalize(url));
+    }
+
+    @Test
+    void shouldThrowWhenInputIsBlank() {
+        assertThrows(IllegalArgumentException.class,
+                () -> PostNordTrackingNormalizer.normalize("   "));
+    }
+}

docker-compose.dev-bindless.yml

@@ -0,0 +1,106 @@
+# Bindless dev stack — standalone variant of docker-compose.yml.
+#
+# Why this exists as a standalone file (not an override):
+# Docker Compose merges `volumes:` by list concatenation, not by entry
+# replacement, so an override can't drop the bind mounts from the base file —
+# only append to them. A standalone file lets us redefine services with only
+# the volumes we want.
+#
+# Usage:
+#   docker compose -f docker-compose.dev-bindless.yml up -d --build
+#
+# Use this when the Docker daemon can't bind-mount the host repo correctly:
+#   - Docker-in-Docker setups (e.g. this Hermes sandbox)
+#   - rootless Docker with restricted mount paths
+#   - Some CI runners
+#
+# For normal local dev, use docker-compose.yml — it bind-mounts the repo for
+# Vite HMR and gradle bootRun hot reload.
+#
+# Trade-off vs. the bind-mounted dev compose:
+#   - The image is "frozen" at build time. Editing source on the host does not
+#     affect the running container. Edit + rebuild + restart, or run
+#     `docker compose up -d --build` after changes.
+#   - All source lives inside the image (docker/backend.Dockerfile and
+#     docker/frontend.Dockerfile COPY it in at build time).
+#
+# What you still get:
+#   - Gradle caches in named volumes (.gradle, backend/build, gradle-cache)
+#     so dependency downloads persist between `up` cycles.
+#   - Postgres data persists across `down` (via the pgdata volume).
+
+services:
+  postgres:
+    image: postgres:16
+    container_name: bilhej-postgres
+    ports:
+      - "5432:5432"
+    environment:
+      POSTGRES_DB: ${POSTGRES_DB}
+      POSTGRES_USER: ${POSTGRES_USER}
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
+    volumes:
+      - pgdata:/var/lib/postgresql/data
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER} -d ${POSTGRES_DB}"]
+      interval: 5s
+      timeout: 5s
+      retries: 5
+
+  mailpit:
+    image: ghcr.io/axllent/mailpit:v1.28
+    container_name: bilhej-mailpit
+    ports:
+      - "1025:1025"
+      - "8025:8025"
+
+  backend:
+    image: bilhej-backend-dev
+    build:
+      dockerfile: docker/backend.Dockerfile
+      context: .
+    container_name: bilhej-backend
+    ports:
+      - "8080:8080"
+    environment:
+      SPRING_PROFILES_ACTIVE: docker
+      POSTGRES_DB: ${POSTGRES_DB}
+      POSTGRES_USER: ${POSTGRES_USER}
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
+      JWT_SECRET: ${JWT_SECRET}
+      SWISH_NUMBER: ${SWISH_NUMBER}
+      STRIPE_SECRET_KEY: ${STRIPE_SECRET_KEY}
+      STRIPE_WEBHOOK_SECRET: ${STRIPE_WEBHOOK_SECRET}
+      STRIPE_PRICE_ID: ${STRIPE_PRICE_ID}
+      APP_PUBLIC_BASE_URL: ${APP_PUBLIC_BASE_URL:-http://localhost:3000}
+      MAIL_HOST: mailpit
+      MAIL_PORT: "1025"
+      MAIL_USERNAME: ""
+      MAIL_PASSWORD: ""
+      MAIL_FROM: ${MAIL_FROM:-noreply@bilhej.se}
+    depends_on:
+      postgres:
+        condition: service_healthy
+      mailpit:
+        condition: service_started
+    volumes:
+      - backend-gradle-project:/app/.gradle
+      - backend-build:/app/backend/build
+      - gradle-cache:/root/.gradle
+
+  frontend:
+    image: bilhej-frontend-dev
+    build:
+      dockerfile: docker/frontend.Dockerfile
+      context: .
+    container_name: bilhej-frontend
+    ports:
+      - "3000:3000"
+    depends_on:
+      - backend
+
+volumes:
+  pgdata:
+  gradle-cache:
+  backend-gradle-project:
+  backend-build:

docker-compose.e2e.yml

@@ -89,8 +89,8 @@ services:
           sleep 1;
         done;
         echo 'Waiting for backend...';
-        for i in \$(seq 1 60); do
+        for i in \$(seq 1 120); do
-          curl -s http://backend:8080/api/vehicles/ZZZ999 > /dev/null && break;
+          curl -sf http://backend:8080/api/vehicles/ZZZ999 > /dev/null && break;
           sleep 1;
         done;
         echo 'Waiting for frontend...';

docker-compose.prod.yml

@@ -49,6 +49,9 @@ services:
     build:
       dockerfile: docker/frontend.prod.Dockerfile
       context: .
+      args:
+        VITE_UMAMI_WEBSITE_ID: ${VITE_UMAMI_WEBSITE_ID:-}
+        VITE_UMAMI_SCRIPT_URL: ${VITE_UMAMI_SCRIPT_URL:-https://analytics.bilhej.se/script.js}
     container_name: bilhej-frontend-prod
     ports:
       - "3001:80"

docker/backend.Dockerfile

@@ -1,3 +1,15 @@
 FROM eclipse-temurin:21-jdk
 WORKDIR /app
+
+# Copy build configuration and wrapper first so this layer caches well.
+COPY gradlew settings.gradle build.gradle ./
+COPY gradle/ gradle/
+RUN chmod +x gradlew
+
+# Copy backend module. The dev compose overlays this with a host bind mount
+# for live source changes; if the bind mount is absent (DinD, CI, k8s) the
+# image is still self-contained and `gradlew :backend:bootRun` will work.
+COPY backend/ backend/
+
+EXPOSE 8080
 ENTRYPOINT ["./gradlew", ":backend:bootRun", "--no-daemon"]

docker/frontend.Dockerfile

@@ -1,7 +1,16 @@
 FROM node:24-alpine
 WORKDIR /app
+
+# Install dependencies first so this layer caches independently of source changes.
 COPY frontend/package.json frontend/package-lock.json ./
 RUN npm install
+
+# Copy the rest of the frontend. The dev compose overlays individual paths
+# (./frontend/src, ./frontend/public, ./frontend/index.html) with host bind
+# mounts for live reload; if those bind mounts are absent (DinD, CI, k8s)
+# the image is still self-contained and `npm run dev` will serve from the
+# COPY'd files.
 COPY frontend/ .
+
 EXPOSE 3000
 CMD ["npm", "run", "dev", "--", "--host", "0.0.0.0"]

docker/frontend.prod.Dockerfile

@@ -1,5 +1,9 @@
 FROM node:24-alpine AS builder
 WORKDIR /app
+ARG VITE_UMAMI_WEBSITE_ID=
+ARG VITE_UMAMI_SCRIPT_URL=https://analytics.bilhej.se/script.js
+ENV VITE_UMAMI_WEBSITE_ID=$VITE_UMAMI_WEBSITE_ID
+ENV VITE_UMAMI_SCRIPT_URL=$VITE_UMAMI_SCRIPT_URL
 COPY frontend/package.json frontend/package-lock.json ./
 RUN npm ci
 COPY frontend/ .

docs/umami-analytics.md

@@ -0,0 +1,81 @@
+# Umami analytics (BilHej app)
+
+Privacy-friendly page analytics via self-hosted [Umami](https://umami.is/docs) on **`https://analytics.bilhej.se`**. Server install is live on the VPS; this doc is for **BilHej code and deploy config** only.
+
+## Values (production)
+
+| Item | Value |
+|------|--------|
+| Collector | `https://analytics.bilhej.se` |
+| Tracker script | `https://analytics.bilhej.se/script.js` |
+| Dashboard | `https://analytics.bilhej.se` (admin login) |
+| Website in Umami | Name **BilHej**, domain **`bilhej.se`** |
+| Website ID | `ce59614c-9f2a-4f99-8ba3-c5217f88c3f7` |
+
+The Website ID is public in the browser (tracking snippet). Set it via **`VITE_UMAMI_WEBSITE_ID`** in production frontend build env — do not hardcode in source.
+
+**Note:** Umami 3.1 on this server uses the default **`/script.js`** path. `TRACKER_SCRIPT_NAME` / custom `bilhej-stats.js` is not applied in this version.
+
+### Example snippet (for reference)
+
+```html
+<script
+  defer
+  src="https://analytics.bilhej.se/script.js"
+  data-website-id="ce59614c-9f2a-4f99-8ba3-c5217f88c3f7"
+></script>
+```
+
+## Frontend env
+
+Production builds read this from the **Forgejo Actions secret** `VITE_UMAMI_WEBSITE_ID`. The deploy workflow writes it into `.env` on the server, then `docker compose -f docker-compose.prod.yml build` bakes it into the frontend image.
+
+**Forgejo → Repository → Settings → Actions → Secrets:**
+
+| Secret | Value |
+|--------|--------|
+| `VITE_UMAMI_WEBSITE_ID` | `ce59614c-9f2a-4f99-8ba3-c5217f88c3f7` |
+
+Not a high-risk secret (the same ID appears in the browser), but keeping it in Forgejo matches other deploy config.
+
+Manual deploy on the server (without Forgejo) works the same way: put the line in the project `.env` before `docker compose ... up --build`.
+
+Optional override (default matches production):
+
+```bash
+# VITE_UMAMI_SCRIPT_URL=https://analytics.bilhej.se/script.js
+```
+
+Leave `VITE_UMAMI_WEBSITE_ID` unset in local dev unless you intentionally send traffic to production Umami.
+
+## Implementation checklist
+
+- [x] Load `script.js` with `data-website-id` from `VITE_UMAMI_WEBSITE_ID` (only when set).
+- [x] Send **SPA pageviews** on Vue Router `afterEach` (`data-auto-track="false"`).
+- [x] Update **integritetspolicy** — analytics, country-level stats, no IP stored in BilHej DB.
+- [x] Admin link **Webbstatistik** → Umami dashboard (prod builds only).
+
+Umami derives **country** from the visitor IP at ingest and does not show IP lists in the UI. BilHej must not store visitor IPs for analytics.
+
+## Verify after deploy
+
+1. Browse `https://bilhej.se` (several routes).
+2. Umami → **BilHej** → **Realtime** / **Countries**.
+
+## Server layout (reference)
+
+| Item | Actual on VPS |
+|------|----------------|
+| Compose project | `~/umami` (`/home/jocke/umami`) |
+| Public access | nginx → `http://umami:3000` on Docker network `web` (host port 3000 used by open-webui) |
+| Database | `umami-db` on internal network `umami-internal` only |
+
+```bash
+cd ~/umami
+docker compose ps
+docker compose logs -f umami
+docker compose pull && docker compose up -d   # updates — read release notes first
+docker exec umami-db pg_dump -U umami umami > ~/umami-backup-$(date +%F).sql
+```
+
+Country stats require nginx to pass **`X-Forwarded-For`** (already configured for this vhost).

frontend/e2e/account-settings.spec.ts

@@ -1,9 +1,5 @@
 import { test, expect, type Page, type APIRequestContext } from '@playwright/test'
-import {
+import { clearMailpit, waitForEmailChangeToken } from './helpers/mailpit'
-  clearMailpit,
-  countMessagesTo,
-  waitForEmailChangeToken,
-} from './helpers/mailpit'
 
 test.describe('Account settings', () => {
   test('can change password and change back', async ({ page, request }) => {
@@ -50,8 +46,6 @@ test.describe('Account settings', () => {
         'Vi har skickat en bekräftelselänk till din nya e-postadress.',
       ),
     ).toBeVisible()
-    expect(await countMessagesTo(request, tempEmail)).toBe(1)
-    expect(await countMessagesTo(request, originalEmail)).toBe(0)
 
     const token = await waitForEmailChangeToken(request, tempEmail, {
       publicBaseUrl: 'http://frontend',
@@ -70,7 +64,6 @@ test.describe('Account settings', () => {
         'Vi har skickat en bekräftelselänk till din nya e-postadress.',
       ),
     ).toBeVisible()
-    expect(await countMessagesTo(request, originalEmail)).toBe(1)
 
     const restoreToken = await waitForEmailChangeToken(request, originalEmail, {
       publicBaseUrl: 'http://frontend',

frontend/e2e/admin-dashboard.spec.ts

@@ -1,15 +1,19 @@
 import { test, expect } from '@playwright/test'
+import { loginAsAdmin } from './helpers/admin'
 
 const SEEDED_ORDER_ID = 'c1eebc99-9c0b-4ef8-bb6d-6bb9bd380a11'
 const SEEDED_ORDER_SHORT_ID = SEEDED_ORDER_ID.slice(0, 8)
+const PROCESSING_PLATE = 'JKL012'
+
+function rowByPlate(page: import('@playwright/test').Page, plate: string) {
+  return page.locator('.admin__row').filter({
+    has: page.locator('.admin__plate', { hasText: plate }),
+  })
+}
 
 test.describe('Admin dashboard', () => {
   test.beforeEach(async ({ page }) => {
-    await page.goto('/logga-in')
+    await loginAsAdmin(page)
-    await page.getByLabel('E-postadress').fill('admin@bilhalsning.se')
-    await page.getByLabel('Lösenord').fill('test1234')
-    await page.getByRole('button', { name: 'Logga in' }).click()
-    await page.waitForURL('/')
   })
 
   test('admin can navigate to admin page', async ({ page }) => {
@@ -37,9 +41,7 @@ test.describe('Admin dashboard', () => {
     await page.goto('/admin')
 
     await expect(page.getByRole('columnheader', { name: 'Datum' })).toBeVisible()
-    await expect(
+    await expect(page.getByRole('columnheader', { name: 'ID' })).toBeVisible()
-      page.getByRole('columnheader', { name: 'Beställnings-ID' }),
-    ).toBeVisible()
     await expect(page.getByRole('columnheader', { name: 'E-post' })).toBeVisible()
     await expect(page.getByRole('columnheader', { name: 'Regnr' })).toBeVisible()
     await expect(page.getByRole('columnheader', { name: 'Status' })).toBeVisible()
@@ -69,34 +71,37 @@ test.describe('Admin dashboard', () => {
     await expect(dialog).not.toBeVisible()
   })
 
-  test('click expand button shows tracking section', async ({ page }) => {
+  test('click row shows tracking section', async ({ page }) => {
     await page.goto('/admin')
+    await expect(page.locator('.admin__loading')).toBeHidden({ timeout: 30_000 })
 
-    const expandBtns = page.locator('.admin__expand-btn')
+    await rowByPlate(page, PROCESSING_PLATE).click()
-    await expandBtns.first().click()
 
-    await expect(page.getByText('Spårnings-ID').first()).toBeVisible()
+    await expect(page.getByText('Registrera utskick').first()).toBeVisible()
   })
 
-  test('click expand button again collapses it', async ({ page }) => {
+  test('click row again collapses it', async ({ page }) => {
     await page.goto('/admin')
+    await expect(page.locator('.admin__loading')).toBeHidden({ timeout: 30_000 })
 
-    const expandBtns = page.locator('.admin__expand-btn')
+    const row = rowByPlate(page, PROCESSING_PLATE)
-    await expandBtns.first().click()
+    await row.click()
     await expect(page.locator('.admin__tracking-input').first()).toBeVisible()
 
-    await expandBtns.first().click()
+    await row.click()
     await expect(page.locator('.admin__tracking-input').first()).not.toBeVisible()
   })
 
-  test('status dropdown changes update order status', async ({ page }) => {
+  test('status dropdown shows current status for sent orders', async ({
+    page,
+  }) => {
     await page.goto('/admin')
+    await page.locator('#admin-order-search').fill(SEEDED_ORDER_SHORT_ID)
 
-    const selects = page.locator('.admin__status-select')
+    const row = page.locator('.admin__row', { hasText: SEEDED_ORDER_SHORT_ID })
-    await selects.first().selectOption('delivered')
+    const select = row.locator('.admin__status-select')
-
+    await expect(select).toBeVisible()
-    const updatedSelect = selects.first()
+    await expect(select).toHaveValue('sent')
-    await expect(updatedSelect).toHaveValue('delivered')
   })
 
   test('admin cannot access admin page without auth', async ({ page }) => {
@@ -108,20 +113,21 @@ test.describe('Admin dashboard', () => {
 
   test('expanded row shows tracking input and save button', async ({ page }) => {
     await page.goto('/admin')
+    await expect(page.locator('.admin__loading')).toBeHidden({ timeout: 30_000 })
 
-    const expandBtns = page.locator('.admin__expand-btn')
+    await rowByPlate(page, PROCESSING_PLATE).click()
-    await expandBtns.first().click()
 
-    await expect(page.getByText('Spårnings-ID').first()).toBeVisible()
+    await expect(page.getByText('Registrera utskick').first()).toBeVisible()
     await expect(page.locator('.admin__tracking-input')).toBeVisible()
-    await expect(page.getByRole('button', { name: 'Spara' })).toBeVisible()
+    await expect(
+      page.getByRole('button', { name: 'Registrera utskick' }),
+    ).toBeVisible()
   })
 
   test('shows PostNord link when trackingId exists', async ({ page }) => {
     await page.goto('/admin')
 
-    const expandBtns = page.locator('.admin__expand-btn')
+    await page.locator('.admin__row').last().click()
-    await expandBtns.last().click()
 
     const trackingLink = page.locator('.admin__tracking-link')
     await expect(trackingLink).toBeVisible()
@@ -132,8 +138,7 @@ test.describe('Admin dashboard', () => {
     await page.goto('/admin')
 
     const defRow = page.locator('.admin__row', { hasText: 'DEF456' }).first()
-    const expandBtn = defRow.locator('.admin__expand-btn')
+    await defRow.click()
-    await expandBtn.click()
 
     const trackingLink = page.locator('.admin__tracking-link')
     await expect(trackingLink).not.toBeVisible()

frontend/e2e/admin-fulfillment.spec.ts

@@ -0,0 +1,87 @@
+import { test, expect } from '@playwright/test'
+import { loginAsAdmin, openAdminDashboard } from './helpers/admin'
+
+/**
+ * Admin order status and shipment flows (serial — mutates seeded orders).
+ * Requires docker e2e stack with dev seeds (DEF456, JKL012, ABC123).
+ */
+test.describe.configure({ mode: 'serial' })
+
+const PENDING_ORDER_SHORT_ID = 'c2eebc99'
+const PROCESSING_PLATE = 'JKL012'
+const SENT_ORDER_SHORT_ID = 'c1eebc99'
+
+function orderRowByPlate(page: import('@playwright/test').Page, plate: string) {
+  return page.locator('.admin__row').filter({
+    has: page.locator('.admin__plate', { hasText: plate }),
+  })
+}
+
+function orderRowByShortId(
+  page: import('@playwright/test').Page,
+  shortId: string,
+) {
+  return page.locator('.admin__row', { hasText: shortId })
+}
+
+test.describe('Admin fulfillment flows', () => {
+  test.beforeEach(async ({ page }) => {
+    await loginAsAdmin(page)
+    await openAdminDashboard(page)
+  })
+
+  test('can mark unpaid order as failed', async ({ page }) => {
+    await page.locator('#admin-order-search').fill(PENDING_ORDER_SHORT_ID)
+    const row = orderRowByShortId(page, PENDING_ORDER_SHORT_ID)
+    const select = row.locator('.admin__status-select')
+    await select.selectOption('failed')
+    await expect(select).toHaveValue('failed')
+    await expect(page.getByRole('alert')).not.toBeVisible()
+  })
+
+  test('can revert unpaid failed order to pending payment', async ({
+    page,
+  }) => {
+    await page.locator('#admin-order-search').fill(PENDING_ORDER_SHORT_ID)
+    const row = orderRowByShortId(page, PENDING_ORDER_SHORT_ID)
+    const select = row.locator('.admin__status-select')
+    await expect(select).toHaveValue('failed')
+    await select.selectOption('pending_payment')
+    await expect(select).toHaveValue('pending_payment')
+  })
+
+  test('can register shipment for processing order', async ({ page }) => {
+    const row = orderRowByPlate(page, PROCESSING_PLATE)
+    await row.click()
+    await page
+      .locator('.admin__tracking-input')
+      .fill('PN-E2E-FULFILLMENT-001')
+    await page.getByRole('button', { name: 'Registrera utskick' }).click()
+    await expect(row.locator('.admin__status-select')).toHaveValue('sent')
+    await expect(page.locator('.admin__tracking-link')).toBeVisible()
+  })
+
+  test('can mark sent order as delivered', async ({ page }) => {
+    await page.locator('#admin-order-search').fill(SENT_ORDER_SHORT_ID)
+    const row = orderRowByShortId(page, SENT_ORDER_SHORT_ID)
+    const select = row.locator('.admin__status-select')
+    if ((await select.inputValue()) !== 'delivered') {
+      await select.selectOption('delivered')
+    }
+    await expect(select).toHaveValue('delivered')
+  })
+
+  test('can mark delivered order as failed then back to sent when tracking exists', async ({
+    page,
+  }) => {
+    await page.locator('#admin-order-search').fill(SENT_ORDER_SHORT_ID)
+    const row = orderRowByShortId(page, SENT_ORDER_SHORT_ID)
+    const select = row.locator('.admin__status-select')
+
+    await select.selectOption('failed')
+    await expect(select).toHaveValue('failed')
+
+    await select.selectOption('sent')
+    await expect(select).toHaveValue('sent')
+  })
+})

frontend/e2e/auth-guards.spec.ts

@@ -70,6 +70,13 @@ test.describe('Auth guards', () => {
   })
 
   test('allows admin user to access /admin', async ({ page }) => {
+    await page.route('**/api/admin/orders', (route) =>
+      route.fulfill({
+        status: 200,
+        contentType: 'application/json',
+        body: '[]',
+      }),
+    )
     const jwt = makeJwt({ role: 'admin' })
     await page.goto('/')
     await page.evaluate((token) => localStorage.setItem('auth_token', token), jwt)

frontend/e2e/deferred-payment-admin.spec.ts

@@ -1,4 +1,5 @@
 import { test, expect } from '@playwright/test'
+import { loginAsAdmin, openAdminDashboard } from './helpers/admin'
 
 test.describe.configure({ mode: 'serial' })
 
@@ -40,8 +41,7 @@ test.describe('Deferred payment and admin lookup', () => {
   }
 
   async function openAdminTodoBoard(page: import('@playwright/test').Page) {
-    await page.goto('/admin')
+    await openAdminDashboard(page)
-    await expect(page.locator('.admin__loading')).toBeHidden({ timeout: 30_000 })
     await page.getByRole('button', { name: /Att göra/ }).click()
     await expect(page.locator('.admin__stat--active')).toContainText('Att göra')
   }

frontend/e2e/expired-token.spec.ts

@@ -0,0 +1,55 @@
+import { test, expect } from '@playwright/test'
+
+test.describe('Expired token logout', () => {
+  test('router guard redirects expired token to login and logs out', async ({
+    page,
+  }) => {
+    const past = Math.floor(Date.now() / 1000) - 3600
+    const jwt = makeJwt({ sub: 'test@bilhej.se', role: 'user', exp: past })
+
+    await page.goto('/')
+    await page.evaluate((token) => localStorage.setItem('auth_token', token), jwt)
+
+    await page.goto('/orders')
+
+    await expect(page).toHaveURL(/\/logga-in\?redirect=\/orders/)
+    await expect(page.getByRole('heading', { name: 'Logga in' })).toBeVisible()
+
+    const header = page.locator('header')
+    await expect(header.getByRole('link', { name: 'Logga in' })).toBeVisible()
+    await expect(
+      header.getByRole('button', { name: 'Logga ut' }),
+    ).not.toBeVisible()
+
+    const stored = await page.evaluate(() => localStorage.getItem('auth_token'))
+    expect(stored).toBeNull()
+  })
+
+  test('API 401 logs out and redirects when guard accepts token but backend rejects it', async ({
+    page,
+  }) => {
+    const future = Math.floor(Date.now() / 1000) + 3600
+    const jwt = makeJwt({ sub: 'test@bilhej.se', role: 'user', exp: future })
+
+    await page.goto('/')
+    await page.evaluate((token) => localStorage.setItem('auth_token', token), jwt)
+
+    await page.goto('/orders')
+    await page.waitForURL(/\/logga-in\?redirect=\/orders/)
+
+    await expect(page.getByRole('heading', { name: 'Logga in' })).toBeVisible()
+
+    const header = page.locator('header')
+    await expect(header.getByRole('button', { name: 'Logga ut' })).not.toBeVisible()
+
+    const stored = await page.evaluate(() => localStorage.getItem('auth_token'))
+    expect(stored).toBeNull()
+  })
+})
+
+function makeJwt(payload: Record<string, unknown>): string {
+  const header = btoa(JSON.stringify({ alg: 'HS256', typ: 'JWT' }))
+  const body = btoa(JSON.stringify(payload))
+  const signature = 'test-sig'
+  return `${header}.${body}.${signature}`
+}

frontend/e2e/header-auth.spec.ts

@@ -100,6 +100,13 @@ test.describe('Header auth state', () => {
   })
 
   test('logout redirects to home page', async ({ page }) => {
+    await page.route('**/api/orders', (route) =>
+      route.fulfill({
+        status: 200,
+        contentType: 'application/json',
+        body: '[]',
+      }),
+    )
     const jwt = makeJwt({ sub: 'test@bilhej.se', role: 'user' })
     await page.goto('/orders')
     await page.evaluate(

frontend/e2e/helpers/admin.ts

@@ -0,0 +1,15 @@
+import type { Page } from '@playwright/test'
+import { expect } from '@playwright/test'
+
+export async function loginAsAdmin(page: Page) {
+  await page.goto('/logga-in')
+  await page.getByLabel('E-postadress').fill('admin@bilhalsning.se')
+  await page.getByLabel('Lösenord').fill('test1234')
+  await page.getByRole('button', { name: 'Logga in' }).click()
+  await page.waitForURL('/')
+}
+
+export async function openAdminDashboard(page: Page) {
+  await page.goto('/admin')
+  await expect(page.locator('.admin__loading')).toBeHidden({ timeout: 30_000 })
+}

frontend/e2e/order-history.spec.ts

@@ -49,7 +49,7 @@ test.describe('Order history', () => {
 
     await page.goto('/orders')
 
-    await expect(page.getByText('Skickat')).toBeVisible()
+    await expect(page.getByText('Skickat').first()).toBeVisible()
     await expect(page.getByText('Väntar på betalning').first()).toBeVisible()
     await expect(page.getByText('Levererat').first()).toBeVisible()
   })

frontend/e2e/payment-redirect.spec.ts

@@ -49,6 +49,31 @@ test.describe('Payment redirect', () => {
 
     await page.waitForURL(/\/betalning\//)
     await expect(page.getByText('Swisha till')).toBeVisible()
-    await expect(page.getByRole('button', { name: 'Jag har betalat' })).toBeVisible()
+    await expect(
+      page.getByRole('button', { name: 'Jag har betalat' }),
+    ).toBeVisible()
+  })
+
+  test('shows QR code for desktop scanning', async ({ page }) => {
+    await page.goto('/compose?plate=QRA222')
+    await page.getByLabel('Ditt meddelande').fill('Fin bil!')
+    await page.getByRole('button', { name: 'Fortsätt till betalning' }).click()
+
+    await page.waitForURL(/\/betalning\//)
+    await expect(page.getByRole('img', { name: 'Swish QR-kod' })).toBeVisible()
+    await expect(page.getByText('Skanna QR-koden')).toBeVisible()
+  })
+
+  test('shows Swish payment link with pre-filled data', async ({ page }) => {
+    await page.goto('/compose?plate=MNO345')
+    await page.getByLabel('Ditt meddelande').fill('Hej där!')
+    await page.getByRole('button', { name: 'Fortsätt till betalning' }).click()
+
+    await page.waitForURL(/\/betalning\//)
+    const swishLink = page.getByRole('link', { name: 'Betala med Swish' })
+    await expect(swishLink).toBeVisible()
+    const href = await swishLink.getAttribute('href')
+    expect(href).toContain('app.swish.nu')
+    expect(href).toContain('amt=49.00')
   })
 })

frontend/package-lock.json

@@ -9,6 +9,7 @@
       "version": "0.0.0",
       "dependencies": {
         "pinia": "^3.0.4",
+        "qrcode": "^1.5.4",
         "vue": "^3.5.32",
         "vue-router": "^5.0.6"
       },
@@ -16,6 +17,7 @@
         "@playwright/test": "^1.60.0",
         "@rushstack/eslint-patch": "^1.16.1",
         "@types/node": "^24.12.2",
+        "@types/qrcode": "^1.5.5",
         "@vitejs/plugin-vue": "^6.0.6",
         "@vitest/coverage-v8": "^4.1.6",
         "@vue/eslint-config-prettier": "^10.2.0",
@@ -791,9 +793,6 @@
         "arm64"
       ],
       "dev": true,
-      "libc": [
-        "glibc"
-      ],
       "license": "MIT",
       "optional": true,
       "os": [
@@ -811,9 +810,6 @@
         "arm64"
       ],
       "dev": true,
-      "libc": [
-        "musl"
-      ],
       "license": "MIT",
       "optional": true,
       "os": [
@@ -831,9 +827,6 @@
         "ppc64"
       ],
       "dev": true,
-      "libc": [
-        "glibc"
-      ],
       "license": "MIT",
       "optional": true,
       "os": [
@@ -851,9 +844,6 @@
         "s390x"
       ],
       "dev": true,
-      "libc": [
-        "glibc"
-      ],
       "license": "MIT",
       "optional": true,
       "os": [
@@ -871,9 +861,6 @@
         "x64"
       ],
       "dev": true,
-      "libc": [
-        "glibc"
-      ],
       "license": "MIT",
       "optional": true,
       "os": [
@@ -891,9 +878,6 @@
         "x64"
       ],
       "dev": true,
-      "libc": [
-        "musl"
-      ],
       "license": "MIT",
       "optional": true,
       "os": [
@@ -1054,6 +1038,16 @@
         "undici-types": "~7.16.0"
       }
     },
+    "node_modules/@types/qrcode": {
+      "version": "1.5.6",
+      "resolved": "https://registry.npmjs.org/@types/qrcode/-/qrcode-1.5.6.tgz",
+      "integrity": "sha512-te7NQcV2BOvdj2b1hCAHzAoMNuj65kNBMz0KBaxM6c3VGBOhU0dURQKOtH8CFNI/dsKkwlv32p26qYQTWoB5bw==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@types/node": "*"
+      }
+    },
     "node_modules/@typescript-eslint/eslint-plugin": {
       "version": "8.59.1",
       "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.59.1.tgz",
@@ -1962,6 +1956,15 @@
         "node": ">=8"
       }
     },
+    "node_modules/camelcase": {
+      "version": "5.3.1",
+      "resolved": "https://registry.npmjs.org/camelcase/-/camelcase-5.3.1.tgz",
+      "integrity": "sha512-L28STB170nwWS63UjtlEOE3dldQApaJXZkOI1uMFfzf3rRuPegHaHesyee+YxQ+W6SvRDQV6UrdOdRiR153wJg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=6"
+      }
+    },
     "node_modules/chai": {
       "version": "6.2.2",
       "resolved": "https://registry.npmjs.org/chai/-/chai-6.2.2.tgz",
@@ -1987,11 +1990,91 @@
         "url": "https://paulmillr.com/funding/"
       }
     },
+    "node_modules/cliui": {
+      "version": "6.0.0",
+      "resolved": "https://registry.npmjs.org/cliui/-/cliui-6.0.0.tgz",
+      "integrity": "sha512-t6wbgtoCXvAzst7QgXxJYqPt0usEfbgQdftEPbLL/cvv6HPE5VgvqCuAIDR0NgU52ds6rFwqrgakNLrHEjCbrQ==",
+      "license": "ISC",
+      "dependencies": {
+        "string-width": "^4.2.0",
+        "strip-ansi": "^6.0.0",
+        "wrap-ansi": "^6.2.0"
+      }
+    },
+    "node_modules/cliui/node_modules/ansi-regex": {
+      "version": "5.0.1",
+      "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz",
+      "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/cliui/node_modules/ansi-styles": {
+      "version": "4.3.0",
+      "resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-4.3.0.tgz",
+      "integrity": "sha512-zbB9rCJAT1rbjiVDb2hqKFHNYLxgtk8NURxZ3IZwD3F6NtxbXZQCnnSi1Lkx+IDohdPlFp222wVALIheZJQSEg==",
+      "license": "MIT",
+      "dependencies": {
+        "color-convert": "^2.0.1"
+      },
+      "engines": {
+        "node": ">=8"
+      },
+      "funding": {
+        "url": "https://github.com/chalk/ansi-styles?sponsor=1"
+      }
+    },
+    "node_modules/cliui/node_modules/emoji-regex": {
+      "version": "8.0.0",
+      "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz",
+      "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==",
+      "license": "MIT"
+    },
+    "node_modules/cliui/node_modules/string-width": {
+      "version": "4.2.3",
+      "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz",
+      "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==",
+      "license": "MIT",
+      "dependencies": {
+        "emoji-regex": "^8.0.0",
+        "is-fullwidth-code-point": "^3.0.0",
+        "strip-ansi": "^6.0.1"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/cliui/node_modules/strip-ansi": {
+      "version": "6.0.1",
+      "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz",
+      "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==",
+      "license": "MIT",
+      "dependencies": {
+        "ansi-regex": "^5.0.1"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/cliui/node_modules/wrap-ansi": {
+      "version": "6.2.0",
+      "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-6.2.0.tgz",
+      "integrity": "sha512-r6lPcBGxZXlIcymEu7InxDMhdW0KDxpLgoFLcguasxCaJ/SOIZwINatK9KY/tf+ZrlywOKU0UDj3ATXUBfxJXA==",
+      "license": "MIT",
+      "dependencies": {
+        "ansi-styles": "^4.0.0",
+        "string-width": "^4.1.0",
+        "strip-ansi": "^6.0.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
     "node_modules/color-convert": {
       "version": "2.0.1",
       "resolved": "https://registry.npmjs.org/color-convert/-/color-convert-2.0.1.tgz",
       "integrity": "sha512-RRECPsj7iu/xb5oKYcsFHSppFNnsj/52OVTRKb4zP5onXwVF3zVmmToNcOfGC+CRDpfK/U584fMg38ZHCaElKQ==",
-      "dev": true,
       "license": "MIT",
       "dependencies": {
         "color-name": "~1.1.4"
@@ -2004,7 +2087,6 @@
       "version": "1.1.4",
       "resolved": "https://registry.npmjs.org/color-name/-/color-name-1.1.4.tgz",
       "integrity": "sha512-dOy+3AuW3a2wNbZHIuMZpTcgjGuLU/uBL/ubcZF9OXbDo8ff4O8yVp5Bf0efS8uEoYo5q4Fx7dY9OgQGXgAsQA==",
-      "dev": true,
       "license": "MIT"
     },
     "node_modules/commander": {
@@ -2136,6 +2218,15 @@
         }
       }
     },
+    "node_modules/decamelize": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/decamelize/-/decamelize-1.2.0.tgz",
+      "integrity": "sha512-z2S+W9X73hAUUki+N+9Za2lBlun89zigOyGrsax+KUQ6wKW4ZoWpEYBkGhQjwAjjDCkWxhY0VKEhk8wzY7F5cA==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
     "node_modules/decimal.js": {
       "version": "10.6.0",
       "resolved": "https://registry.npmjs.org/decimal.js/-/decimal.js-10.6.0.tgz",
@@ -2160,6 +2251,12 @@
         "node": ">=8"
       }
     },
+    "node_modules/dijkstrajs": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/dijkstrajs/-/dijkstrajs-1.0.3.tgz",
+      "integrity": "sha512-qiSlmBq9+BCdCA/L46dw8Uy93mloxsPSbwnm5yrKn2vMPiy8KyAskTF6zuV/j5BMsmOGZDPs7KjU+mjb670kfA==",
+      "license": "MIT"
+    },
     "node_modules/eastasianwidth": {
       "version": "0.2.0",
       "resolved": "https://registry.npmjs.org/eastasianwidth/-/eastasianwidth-0.2.0.tgz",
@@ -2718,6 +2815,15 @@
         "node": "^8.16.0 || ^10.6.0 || >=11.0.0"
       }
     },
+    "node_modules/get-caller-file": {
+      "version": "2.0.5",
+      "resolved": "https://registry.npmjs.org/get-caller-file/-/get-caller-file-2.0.5.tgz",
+      "integrity": "sha512-DyFP3BM/3YHTQOCUL/w0OZHR0lpKeGrxotcHWcqNEdnltqFwXVfhEBQ94eIo34AfQpo0rGki4cyIiftY06h2Fg==",
+      "license": "ISC",
+      "engines": {
+        "node": "6.* || 8.* || >= 10.*"
+      }
+    },
     "node_modules/glob": {
       "version": "10.5.0",
       "resolved": "https://registry.npmjs.org/glob/-/glob-10.5.0.tgz",
@@ -2863,7 +2969,6 @@
       "version": "3.0.0",
       "resolved": "https://registry.npmjs.org/is-fullwidth-code-point/-/is-fullwidth-code-point-3.0.0.tgz",
       "integrity": "sha512-zymm5+u+sCsSWyD9qNaejV3DFvhCKclKdizYaJUuHA83RLjb7nSuGnddCHGv0hk+KY7BMAlsWeK4Ueg6EV6XQg==",
-      "dev": true,
       "license": "MIT",
       "engines": {
         "node": ">=8"
@@ -3285,9 +3390,6 @@
         "arm64"
       ],
       "dev": true,
-      "libc": [
-        "glibc"
-      ],
       "license": "MPL-2.0",
       "optional": true,
       "os": [
@@ -3309,9 +3411,6 @@
         "arm64"
       ],
       "dev": true,
-      "libc": [
-        "musl"
-      ],
       "license": "MPL-2.0",
       "optional": true,
       "os": [
@@ -3333,9 +3432,6 @@
         "x64"
       ],
       "dev": true,
-      "libc": [
-        "glibc"
-      ],
       "license": "MPL-2.0",
       "optional": true,
       "os": [
@@ -3357,9 +3453,6 @@
         "x64"
       ],
       "dev": true,
-      "libc": [
-        "musl"
-      ],
       "license": "MPL-2.0",
       "optional": true,
       "os": [
@@ -3743,6 +3836,15 @@
         "url": "https://github.com/sponsors/sindresorhus"
       }
     },
+    "node_modules/p-try": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/p-try/-/p-try-2.2.0.tgz",
+      "integrity": "sha512-R4nPAVTAU0B9D35/Gk3uJf/7XYbQcyohSKdvAxIRSNghFl4e71hVoGnBNQz9cWaXxO2I10KTC+3jMdvvoKw6dQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=6"
+      }
+    },
     "node_modules/package-json-from-dist": {
       "version": "1.0.1",
       "resolved": "https://registry.npmjs.org/package-json-from-dist/-/package-json-from-dist-1.0.1.tgz",
@@ -3787,7 +3889,6 @@
       "version": "4.0.0",
       "resolved": "https://registry.npmjs.org/path-exists/-/path-exists-4.0.0.tgz",
       "integrity": "sha512-ak9Qy5Q7jYb2Wwcey5Fpvg2KoAc/ZIhLSLOSBmRmygPsGwkVVt0fZa0qrtMz+m6tJTAHfZQ8FnmB4MG4LWy7/w==",
-      "dev": true,
       "license": "MIT",
       "engines": {
         "node": ">=8"
@@ -3936,6 +4037,15 @@
         "node": "^8.16.0 || ^10.6.0 || >=11.0.0"
       }
     },
+    "node_modules/pngjs": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/pngjs/-/pngjs-5.0.0.tgz",
+      "integrity": "sha512-40QW5YalBNfQo5yRYmiw7Yz6TKKVr3h6970B2YE+3fQpsWcrbj1PzJgxeJ19DRQjhMbKPIuMY8rFaXc8moolVw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=10.13.0"
+      }
+    },
     "node_modules/postcss": {
       "version": "8.5.13",
       "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.13.tgz",
@@ -4034,6 +4144,23 @@
         "node": ">=6"
       }
     },
+    "node_modules/qrcode": {
+      "version": "1.5.4",
+      "resolved": "https://registry.npmjs.org/qrcode/-/qrcode-1.5.4.tgz",
+      "integrity": "sha512-1ca71Zgiu6ORjHqFBDpnSMTR2ReToX4l1Au1VFLyVeBTFavzQnv5JxMFr3ukHVKpSrSA2MCk0lNJSykjUfz7Zg==",
+      "license": "MIT",
+      "dependencies": {
+        "dijkstrajs": "^1.0.1",
+        "pngjs": "^5.0.0",
+        "yargs": "^15.3.1"
+      },
+      "bin": {
+        "qrcode": "bin/qrcode"
+      },
+      "engines": {
+        "node": ">=10.13.0"
+      }
+    },
     "node_modules/quansync": {
       "version": "0.2.11",
       "resolved": "https://registry.npmjs.org/quansync/-/quansync-0.2.11.tgz",
@@ -4084,6 +4211,15 @@
         "url": "https://paulmillr.com/funding/"
       }
     },
+    "node_modules/require-directory": {
+      "version": "2.1.1",
+      "resolved": "https://registry.npmjs.org/require-directory/-/require-directory-2.1.1.tgz",
+      "integrity": "sha512-fGxEI7+wsG9xrvdjsrlmL22OMTTiHRwAMroiEeMgq8gzoLC/PQr7RsRDSTLUg/bZAZtF+TVIkHc6/4RIKrui+Q==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
     "node_modules/require-from-string": {
       "version": "2.0.2",
       "resolved": "https://registry.npmjs.org/require-from-string/-/require-from-string-2.0.2.tgz",
@@ -4094,6 +4230,12 @@
         "node": ">=0.10.0"
       }
     },
+    "node_modules/require-main-filename": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/require-main-filename/-/require-main-filename-2.0.0.tgz",
+      "integrity": "sha512-NKN5kMDylKuldxYLSUfrbo5Tuzh4hd+2E8NPPX02mZtn1VuREQToYe/ZdlJy+J3uCpfaiGF05e7B8W0iXbQHmg==",
+      "license": "ISC"
+    },
     "node_modules/reusify": {
       "version": "1.1.0",
       "resolved": "https://registry.npmjs.org/reusify/-/reusify-1.1.0.tgz",
@@ -4208,6 +4350,12 @@
         "node": ">=10"
       }
     },
+    "node_modules/set-blocking": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/set-blocking/-/set-blocking-2.0.0.tgz",
+      "integrity": "sha512-KiKBS8AnWGEyLzofFfmvKwpdPzqiy16LvQfK3yv/fVH7Bj13/wl3JSR1J+rfgRE9q7xUJK4qvgS8raSOeLUehw==",
+      "license": "ISC"
+    },
     "node_modules/shebang-command": {
       "version": "2.0.0",
       "resolved": "https://registry.npmjs.org/shebang-command/-/shebang-command-2.0.0.tgz",
@@ -5094,6 +5242,12 @@
         "node": ">= 8"
       }
     },
+    "node_modules/which-module": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/which-module/-/which-module-2.0.1.tgz",
+      "integrity": "sha512-iBdZ57RDvnOR9AGBhML2vFZf7h8vmBjhoaZqODJBFWHVtKkDmKuHai3cx5PgVMrX5YDNp27AofYbAwctSS+vhQ==",
+      "license": "ISC"
+    },
     "node_modules/why-is-node-running": {
       "version": "2.3.0",
       "resolved": "https://registry.npmjs.org/why-is-node-running/-/why-is-node-running-2.3.0.tgz",
@@ -5236,6 +5390,12 @@
       "dev": true,
       "license": "MIT"
     },
+    "node_modules/y18n": {
+      "version": "4.0.3",
+      "resolved": "https://registry.npmjs.org/y18n/-/y18n-4.0.3.tgz",
+      "integrity": "sha512-JKhqTOwSrqNA1NY5lSztJ1GrBiUodLMmIZuLiDaMRJ+itFd+ABVE8XBjOvIWL+rSqNDC74LCSFmlb/U4UZ4hJQ==",
+      "license": "ISC"
+    },
     "node_modules/yaml": {
       "version": "2.8.3",
       "resolved": "https://registry.npmjs.org/yaml/-/yaml-2.8.3.tgz",
@@ -5251,6 +5411,134 @@
         "url": "https://github.com/sponsors/eemeli"
       }
     },
+    "node_modules/yargs": {
+      "version": "15.4.1",
+      "resolved": "https://registry.npmjs.org/yargs/-/yargs-15.4.1.tgz",
+      "integrity": "sha512-aePbxDmcYW++PaqBsJ+HYUFwCdv4LVvdnhBy78E57PIor8/OVvhMrADFFEDh8DHDFRv/O9i3lPhsENjO7QX0+A==",
+      "license": "MIT",
+      "dependencies": {
+        "cliui": "^6.0.0",
+        "decamelize": "^1.2.0",
+        "find-up": "^4.1.0",
+        "get-caller-file": "^2.0.1",
+        "require-directory": "^2.1.1",
+        "require-main-filename": "^2.0.0",
+        "set-blocking": "^2.0.0",
+        "string-width": "^4.2.0",
+        "which-module": "^2.0.0",
+        "y18n": "^4.0.0",
+        "yargs-parser": "^18.1.2"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/yargs-parser": {
+      "version": "18.1.3",
+      "resolved": "https://registry.npmjs.org/yargs-parser/-/yargs-parser-18.1.3.tgz",
+      "integrity": "sha512-o50j0JeToy/4K6OZcaQmW6lyXXKhq7csREXcDwk2omFPJEwUNOVtJKvmDr9EI1fAJZUyZcRF7kxGBWmRXudrCQ==",
+      "license": "ISC",
+      "dependencies": {
+        "camelcase": "^5.0.0",
+        "decamelize": "^1.2.0"
+      },
+      "engines": {
+        "node": ">=6"
+      }
+    },
+    "node_modules/yargs/node_modules/ansi-regex": {
+      "version": "5.0.1",
+      "resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz",
+      "integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/yargs/node_modules/emoji-regex": {
+      "version": "8.0.0",
+      "resolved": "https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz",
+      "integrity": "sha512-MSjYzcWNOA0ewAHpz0MxpYFvwg6yjy1NG3xteoqz644VCo/RPgnr1/GGt+ic3iJTzQ8Eu3TdM14SawnVUmGE6A==",
+      "license": "MIT"
+    },
+    "node_modules/yargs/node_modules/find-up": {
+      "version": "4.1.0",
+      "resolved": "https://registry.npmjs.org/find-up/-/find-up-4.1.0.tgz",
+      "integrity": "sha512-PpOwAdQ/YlXQ2vj8a3h8IipDuYRi3wceVQQGYWxNINccq40Anw7BlsEXCMbt1Zt+OLA6Fq9suIpIWD0OsnISlw==",
+      "license": "MIT",
+      "dependencies": {
+        "locate-path": "^5.0.0",
+        "path-exists": "^4.0.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/yargs/node_modules/locate-path": {
+      "version": "5.0.0",
+      "resolved": "https://registry.npmjs.org/locate-path/-/locate-path-5.0.0.tgz",
+      "integrity": "sha512-t7hw9pI+WvuwNJXwk5zVHpyhIqzg2qTlklJOf0mVxGSbe3Fp2VieZcduNYjaLDoy6p9uGpQEGWG87WpMKlNq8g==",
+      "license": "MIT",
+      "dependencies": {
+        "p-locate": "^4.1.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/yargs/node_modules/p-limit": {
+      "version": "2.3.0",
+      "resolved": "https://registry.npmjs.org/p-limit/-/p-limit-2.3.0.tgz",
+      "integrity": "sha512-//88mFWSJx8lxCzwdAABTJL2MyWB12+eIY7MDL2SqLmAkeKU9qxRvWuSyTjm3FUmpBEMuFfckAIqEaVGUDxb6w==",
+      "license": "MIT",
+      "dependencies": {
+        "p-try": "^2.0.0"
+      },
+      "engines": {
+        "node": ">=6"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/yargs/node_modules/p-locate": {
+      "version": "4.1.0",
+      "resolved": "https://registry.npmjs.org/p-locate/-/p-locate-4.1.0.tgz",
+      "integrity": "sha512-R79ZZ/0wAxKGu3oYMlz8jy/kbhsNrS7SKZ7PxEHBgJ5+F2mtFW2fK2cOtBh1cHYkQsbzFV7I+EoRKe6Yt0oK7A==",
+      "license": "MIT",
+      "dependencies": {
+        "p-limit": "^2.2.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/yargs/node_modules/string-width": {
+      "version": "4.2.3",
+      "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz",
+      "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==",
+      "license": "MIT",
+      "dependencies": {
+        "emoji-regex": "^8.0.0",
+        "is-fullwidth-code-point": "^3.0.0",
+        "strip-ansi": "^6.0.1"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/yargs/node_modules/strip-ansi": {
+      "version": "6.0.1",
+      "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-6.0.1.tgz",
+      "integrity": "sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==",
+      "license": "MIT",
+      "dependencies": {
+        "ansi-regex": "^5.0.1"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
     "node_modules/yocto-queue": {
       "version": "0.1.0",
       "resolved": "https://registry.npmjs.org/yocto-queue/-/yocto-queue-0.1.0.tgz",

frontend/package.json

@@ -17,6 +17,7 @@
   },
   "dependencies": {
     "pinia": "^3.0.4",
+    "qrcode": "^1.5.4",
     "vue": "^3.5.32",
     "vue-router": "^5.0.6"
   },
@@ -24,6 +25,7 @@
     "@playwright/test": "^1.60.0",
     "@rushstack/eslint-patch": "^1.16.1",
     "@types/node": "^24.12.2",
+    "@types/qrcode": "^1.5.5",
     "@vitejs/plugin-vue": "^6.0.6",
     "@vitest/coverage-v8": "^4.1.6",
     "@vue/eslint-config-prettier": "^10.2.0",

frontend/playwright.config.ts

@@ -23,12 +23,25 @@ export default defineConfig({
   projects: [
     {
       name: 'chromium',
-      testIgnore: '**/deferred-payment-admin.spec.ts',
+      testIgnore: [
+        '**/deferred-payment-admin.spec.ts',
+        '**/admin-fulfillment.spec.ts',
+        '**/admin-dashboard.spec.ts',
+        '**/account-settings.spec.ts',
+        '**/password-reset.spec.ts',
+      ],
       use: { browserName: 'chromium' },
     },
     {
       name: 'chromium-serial',
-      testMatch: '**/deferred-payment-admin.spec.ts',
+      dependencies: ['chromium'],
+      testMatch: [
+        '**/admin-fulfillment.spec.ts',
+        '**/deferred-payment-admin.spec.ts',
+        '**/admin-dashboard.spec.ts',
+        '**/account-settings.spec.ts',
+        '**/password-reset.spec.ts',
+      ],
       fullyParallel: false,
       workers: 1,
       use: { browserName: 'chromium' },

frontend/src/__tests__/AdminDashboard.spec.ts

@@ -43,7 +43,11 @@ const mockOrders = [
     status: 'sent',
     trackingId: 'PN123456789',
     amountPaid: 49.0,
+    shippedAt: '2026-05-13T12:00:00Z',
+    adminNotes: null,
     createdAt: '2026-05-11T12:00:00Z',
+    allowedStatuses: ['sent', 'delivered', 'failed'],
+    canRegisterShipment: true,
   },
   {
     id: 'c2eebc99-9c0b-4ef8-bb6d-6bb9bd380a12',
@@ -53,7 +57,11 @@ const mockOrders = [
     status: 'processing',
     trackingId: null,
     amountPaid: null,
+    shippedAt: null,
+    adminNotes: null,
     createdAt: '2026-05-14T13:00:00Z',
+    allowedStatuses: ['processing', 'failed'],
+    canRegisterShipment: true,
   },
   {
     id: 'c3eebc99-9c0b-4ef8-bb6d-6bb9bd380a13',
@@ -63,16 +71,24 @@ const mockOrders = [
     status: 'pending_payment',
     trackingId: null,
     amountPaid: null,
+    shippedAt: null,
+    adminNotes: null,
     createdAt: '2026-05-15T14:00:00Z',
+    allowedStatuses: ['pending_payment', 'failed'],
+    canRegisterShipment: false,
   },
 ]
 
+function freshMockOrders() {
+  return mockOrders.map((order) => ({ ...order }))
+}
+
 describe('AdminDashboard', () => {
   beforeEach(() => {
     localStorage.clear()
     globalThis.fetch = vi.fn()
     vi.mocked(globalThis.fetch).mockResolvedValue(
-      mockFetchResponse(200, mockOrders),
+      mockFetchResponse(200, freshMockOrders()),
     )
   })
 
@@ -101,10 +117,10 @@ describe('AdminDashboard', () => {
     const { wrapper } = mountPage()
     await new Promise((r) => setTimeout(r, 50))
     expect(wrapper.text()).toContain('Datum')
-    expect(wrapper.text()).toContain('Beställnings-ID')
+    expect(wrapper.text()).toContain('ID')
     expect(wrapper.text()).toContain('E-post')
     expect(wrapper.text()).toContain('Regnr')
-    expect(wrapper.text()).toContain('Meddelande')
+    expect(wrapper.text()).toContain('Brev')
     expect(wrapper.text()).toContain('Status')
   })
 
@@ -163,7 +179,7 @@ describe('AdminDashboard', () => {
     const { wrapper } = mountPage()
     await new Promise((r) => setTimeout(r, 50))
 
-    const expandBtns = wrapper.findAll('.admin__expand-btn')
+    const expandBtns = wrapper.findAll('.admin__row')
     await expandBtns[0].trigger('click')
     await new Promise((r) => setTimeout(r, 50))
     expect(wrapper.find('.admin__expanded-row').exists()).toBe(true)
@@ -177,7 +193,7 @@ describe('AdminDashboard', () => {
     const { wrapper } = mountPage()
     await new Promise((r) => setTimeout(r, 50))
 
-    const expandBtns = wrapper.findAll('.admin__expand-btn')
+    const expandBtns = wrapper.findAll('.admin__row')
     await expandBtns[0].trigger('click')
     await new Promise((r) => setTimeout(r, 50))
     expect(wrapper.findAll('.admin__expanded-row')).toHaveLength(1)
@@ -198,15 +214,16 @@ describe('AdminDashboard', () => {
 
   it('fires status update API on dropdown change', async () => {
     vi.mocked(globalThis.fetch)
-      .mockResolvedValueOnce(mockFetchResponse(200, mockOrders))
+      .mockResolvedValueOnce(mockFetchResponse(200, freshMockOrders()))
       .mockResolvedValueOnce(
-        mockFetchResponse(200, { ...mockOrders[0], status: 'paid' }),
+        mockFetchResponse(200, { ...mockOrders[0], status: 'delivered' }),
       )
 
     const { wrapper } = mountPage()
     await new Promise((r) => setTimeout(r, 50))
 
     const selects = wrapper.findAll('.admin__status-select')
+    await selects[0].setValue('delivered')
     await selects[0].trigger('change')
     await new Promise((r) => setTimeout(r, 50))
 
@@ -214,14 +231,14 @@ describe('AdminDashboard', () => {
       '/api/admin/orders/c1eebc99-9c0b-4ef8-bb6d-6bb9bd380a11/status',
       expect.objectContaining({
         method: 'PATCH',
-        body: '{"status":"sent"}',
+        body: '{"status":"delivered"}',
       }),
     )
   })
 
   it('shows status error on failed update', async () => {
     vi.mocked(globalThis.fetch)
-      .mockResolvedValueOnce(mockFetchResponse(200, mockOrders))
+      .mockResolvedValueOnce(mockFetchResponse(200, freshMockOrders()))
       .mockResolvedValueOnce(
         mockFetchResponse(500, { message: 'Server error' }),
       )
@@ -230,10 +247,11 @@ describe('AdminDashboard', () => {
     await new Promise((r) => setTimeout(r, 50))
 
     const selects = wrapper.findAll('.admin__status-select')
+    await selects[0].setValue('delivered')
     await selects[0].trigger('change')
     await new Promise((r) => setTimeout(r, 50))
 
-    expect(wrapper.text()).toContain('Kunde inte uppdatera status')
+    expect(wrapper.text()).toContain('Server error')
   })
 
   it('formats dates in Swedish locale', async () => {
@@ -247,7 +265,7 @@ describe('AdminDashboard', () => {
     const { wrapper } = mountPage()
     await new Promise((r) => setTimeout(r, 50))
 
-    const expandBtns = wrapper.findAll('.admin__expand-btn')
+    const expandBtns = wrapper.findAll('.admin__row')
     await expandBtns[0].trigger('click')
     await new Promise((r) => setTimeout(r, 50))
 
@@ -260,7 +278,7 @@ describe('AdminDashboard', () => {
     const { wrapper } = mountPage()
     await new Promise((r) => setTimeout(r, 50))
 
-    const expandBtns = wrapper.findAll('.admin__expand-btn')
+    const expandBtns = wrapper.findAll('.admin__row')
     await expandBtns[0].trigger('click')
     await new Promise((r) => setTimeout(r, 50))
 
@@ -274,7 +292,7 @@ describe('AdminDashboard', () => {
     const { wrapper } = mountPage()
     await new Promise((r) => setTimeout(r, 50))
 
-    const expandBtns = wrapper.findAll('.admin__expand-btn')
+    const expandBtns = wrapper.findAll('.admin__row')
     await expandBtns[1].trigger('click')
     await new Promise((r) => setTimeout(r, 50))
 
@@ -282,32 +300,47 @@ describe('AdminDashboard', () => {
     expect(link.exists()).toBe(false)
   })
 
-  it('fires PATCH on tracking save button click', async () => {
+  it('fires register-shipment API on register button click', async () => {
-    vi.mocked(globalThis.fetch).mockResolvedValueOnce(
+    vi.mocked(globalThis.fetch)
-      mockFetchResponse(200, mockOrders),
+      .mockResolvedValueOnce(mockFetchResponse(200, freshMockOrders()))
+      .mockResolvedValueOnce(
+        mockFetchResponse(200, {
+          ...mockOrders[1],
+          status: 'sent',
+          trackingId: 'PN999',
+        }),
       )
 
     const { wrapper } = mountPage()
     await new Promise((r) => setTimeout(r, 50))
 
-    const expandBtns = wrapper.findAll('.admin__expand-btn')
+    const expandBtns = wrapper.findAll('.admin__row')
     await expandBtns[1].trigger('click')
     await new Promise((r) => setTimeout(r, 50))
 
-    await wrapper.find('.btn--primary').trigger('click')
+    await wrapper.find('.admin__tracking-input').setValue('PN999')
+    const registerBtn = wrapper
+      .findAll('button')
+      .find((btn) => btn.text() === 'Registrera utskick')
+    expect(registerBtn).toBeDefined()
+    await registerBtn!.trigger('click')
     await new Promise((r) => setTimeout(r, 50))
 
     expect(globalThis.fetch).toHaveBeenCalledWith(
-      '/api/admin/orders/c2eebc99-9c0b-4ef8-bb6d-6bb9bd380a12',
+      '/api/admin/orders/c2eebc99-9c0b-4ef8-bb6d-6bb9bd380a12/register-shipment',
       expect.objectContaining({
         method: 'PATCH',
+        body: JSON.stringify({
+          trackingInput: 'PN999',
+          notifyCustomer: true,
+        }),
       }),
     )
   })
 
   it('shows tracking error on failed save', async () => {
     vi.mocked(globalThis.fetch)
-      .mockResolvedValueOnce(mockFetchResponse(200, mockOrders))
+      .mockResolvedValueOnce(mockFetchResponse(200, freshMockOrders()))
       .mockResolvedValueOnce(
         mockFetchResponse(500, { message: 'Server error' }),
       )
@@ -315,14 +348,18 @@ describe('AdminDashboard', () => {
     const { wrapper } = mountPage()
     await new Promise((r) => setTimeout(r, 50))
 
-    const expandBtns = wrapper.findAll('.admin__expand-btn')
+    const expandBtns = wrapper.findAll('.admin__row')
     await expandBtns[1].trigger('click')
     await new Promise((r) => setTimeout(r, 50))
 
-    await wrapper.find('.btn--primary').trigger('click')
+    await wrapper.find('.admin__tracking-input').setValue('PN999')
+    const registerBtn = wrapper
+      .findAll('button')
+      .find((btn) => btn.text() === 'Registrera utskick')
+    await registerBtn!.trigger('click')
     await new Promise((r) => setTimeout(r, 50))
 
-    expect(wrapper.text()).toContain('Kunde inte spara spårnings-ID')
+    expect(wrapper.text()).toContain('Kunde inte registrera utskick')
   })
 
   it('shows Att göra stat for processing orders', async () => {
@@ -392,7 +429,10 @@ describe('AdminDashboard', () => {
     await new Promise((r) => setTimeout(r, 50))
 
     const rows = wrapper.findAll('.admin__row')
-    const processingRow = rows.find((row) => row.text().includes('XYZ789'))
+    const processingRow = rows.find(
+      (row) =>
+        row.text().includes('XYZ789') && row.classes().includes('admin__row'),
+    )
     expect(processingRow?.classes()).toContain('admin__row--todo')
   })
 })

frontend/src/__tests__/OrdersPage.spec.ts

@@ -4,6 +4,26 @@ import { createRouter, createMemoryHistory } from 'vue-router'
 import { createPinia } from 'pinia'
 import OrdersPage from '@/pages/OrdersPage.vue'
 
+const sessionMocks = vi.hoisted(() => {
+  const mockLogout = vi.fn()
+  const mockPush = vi.fn()
+  return {
+    mockLogout,
+    mockPush,
+    mockAuth: { isAuthenticated: true, logout: mockLogout },
+  }
+})
+
+vi.mock('@/stores/authStore', () => ({
+  useAuthStore: () => sessionMocks.mockAuth,
+}))
+vi.mock('@/router', () => ({
+  default: {
+    currentRoute: { value: { fullPath: '/orders' } },
+    push: sessionMocks.mockPush,
+  },
+}))
+
 function mockFetchResponse(status: number, body: unknown) {
   return Promise.resolve({
     ok: status >= 200 && status < 300,
@@ -376,3 +396,34 @@ describe('OrdersPage', () => {
     expect(wrapper.find('.orders__preview-toggle').exists()).toBe(false)
   })
 })
+
+describe('OrdersPage — expired session (401)', () => {
+  beforeEach(() => {
+    localStorage.clear()
+    globalThis.fetch = vi.fn()
+    sessionMocks.mockLogout.mockClear()
+    sessionMocks.mockPush.mockClear()
+    sessionMocks.mockAuth.isAuthenticated = true
+  })
+
+  it('does not show generic error and triggers global logout/redirect on 401', async () => {
+    vi.mocked(globalThis.fetch).mockImplementation((url) => {
+      const urlStr = String(url)
+      if (urlStr.includes('/payment/swish-info')) {
+        return mockFetchResponse(200, { number: '123', amount: 49 })
+      }
+      return mockFetchResponse(401, { message: 'Din session har löpt ut.' })
+    })
+    localStorage.setItem('auth_token', 'expired-token')
+
+    const { wrapper } = mountPage()
+    await new Promise((r) => setTimeout(r, 50))
+
+    expect(wrapper.text()).not.toContain('Kunde inte hämta beställningar')
+    expect(sessionMocks.mockLogout).toHaveBeenCalledTimes(1)
+    expect(sessionMocks.mockPush).toHaveBeenCalledWith({
+      name: 'login',
+      query: { redirect: '/orders' },
+    })
+  })
+})

frontend/src/__tests__/PaymentRedirect.spec.ts

@@ -5,14 +5,26 @@ import { createRouter, createMemoryHistory } from 'vue-router'
 import PaymentRedirect from '@/pages/PaymentRedirect.vue'
 import OrdersPage from '@/pages/OrdersPage.vue'
 
+vi.mock('qrcode', () => ({
+  default: {
+    toDataURL: vi.fn().mockResolvedValue('data:image/png;base64,mock-qr'),
+  },
+}))
+
 vi.mock('@/api/payment', () => ({
   payOrder: vi.fn(),
   fetchSwishInfo: vi.fn(),
+  buildSwishPaymentUrl: vi.fn(
+    (number: string, amount: number, message: string) =>
+      `https://app.swish.nu/1/p/sw/?sw=${number}&amt=${amount.toFixed(2)}&msg=${message}`,
+  ),
 }))
 
 import { payOrder, fetchSwishInfo } from '@/api/payment'
+import QRCode from 'qrcode'
 const mockPayOrder = vi.mocked(payOrder)
 const mockFetchSwishInfo = vi.mocked(fetchSwishInfo)
+const mockToDataURL = vi.mocked(QRCode.toDataURL)
 
 function createTestRouter() {
   return createRouter({
@@ -59,6 +71,7 @@ describe('PaymentRedirect', () => {
       number: '0701234567',
       amount: 49,
     })
+    mockToDataURL.mockResolvedValue('data:image/png;base64,mock-qr')
   })
 
   it('renders heading and amount', async () => {
@@ -81,7 +94,7 @@ describe('PaymentRedirect', () => {
       expect(wrapper.text()).toContain('Beställnings-ID')
       expect(wrapper.text()).toContain(orderId)
       expect(wrapper.text()).toContain(
-        'Ange beställnings-ID ovan som meddelande i Swish-appen',
+        'fylls i automatiskt via QR-kod eller länk',
       )
     })
   })
@@ -93,13 +106,30 @@ describe('PaymentRedirect', () => {
     })
   })
 
+  it('renders QR code after fetching swish info', async () => {
+    const { wrapper } = await mountPage()
+    await vi.waitFor(() => {
+      expect(wrapper.find('.payment__qr-img').exists()).toBe(true)
+    })
+    expect(mockToDataURL).toHaveBeenCalledTimes(1)
+  })
+
+  it('renders a Swish payment link', async () => {
+    const { wrapper } = await mountPage('test-order', 'ABC123')
+    await vi.waitFor(() => {
+      const link = wrapper.find('.payment__swish-link')
+      expect(link.exists()).toBe(true)
+      expect(link.attributes('href')).toContain('app.swish.nu')
+    })
+  })
+
   it('shows confirmation dialog after clicking pay button', async () => {
     const { wrapper } = await mountPage()
     await vi.waitFor(() => {
-      expect(wrapper.find('.btn--primary').exists()).toBe(true)
+      expect(wrapper.find('.payment__submit').exists()).toBe(true)
     })
 
-    await wrapper.find('.btn--primary').trigger('click')
+    await wrapper.find('.payment__submit').trigger('click')
     await vi.waitFor(() => {
       expect(wrapper.text()).toContain('Jag bekräftar att jag har Swishat')
       expect(wrapper.text()).toContain('0701234567')
@@ -110,15 +140,15 @@ describe('PaymentRedirect', () => {
   it('can cancel confirmation dialog', async () => {
     const { wrapper } = await mountPage()
     await vi.waitFor(() => {
-      expect(wrapper.find('.btn--primary').exists()).toBe(true)
+      expect(wrapper.find('.payment__submit').exists()).toBe(true)
     })
 
-    await wrapper.find('.btn--primary').trigger('click')
+    await wrapper.find('.payment__submit').trigger('click')
     await vi.waitFor(() => {
       expect(wrapper.text()).toContain('Avbryt')
     })
 
-    await wrapper.find('.btn--ghost').trigger('click')
+    await wrapper.find('.payment__confirm-cancel').trigger('click')
     await vi.waitFor(() => {
       expect(wrapper.text()).toContain('Swisha till')
       expect(wrapper.text()).not.toContain('Avbryt')
@@ -137,16 +167,15 @@ describe('PaymentRedirect', () => {
 
     const { wrapper } = await mountPage()
     await vi.waitFor(() => {
-      expect(wrapper.find('.btn--primary').exists()).toBe(true)
+      expect(wrapper.find('.payment__submit').exists()).toBe(true)
     })
 
-    await wrapper.find('.btn--primary').trigger('click')
+    await wrapper.find('.payment__submit').trigger('click')
     await vi.waitFor(() => {
       expect(wrapper.text()).toContain('Ja, jag har betalat')
     })
 
-    const confirmButtons = wrapper.findAll('.btn--primary')
+    await wrapper.find('.payment__confirm .btn--primary').trigger('click')
-    await confirmButtons[confirmButtons.length - 1].trigger('click')
 
     expect(mockPayOrder).toHaveBeenCalledWith('order-1')
   })
@@ -156,16 +185,15 @@ describe('PaymentRedirect', () => {
 
     const { wrapper } = await mountPage()
     await vi.waitFor(() => {
-      expect(wrapper.find('.btn--primary').exists()).toBe(true)
+      expect(wrapper.find('.payment__submit').exists()).toBe(true)
     })
 
-    await wrapper.find('.btn--primary').trigger('click')
+    await wrapper.find('.payment__submit').trigger('click')
     await vi.waitFor(() => {
       expect(wrapper.text()).toContain('Ja, jag har betalat')
     })
 
-    const confirmButtons = wrapper.findAll('.btn--primary')
+    await wrapper.find('.payment__confirm .btn--primary').trigger('click')
-    await confirmButtons[confirmButtons.length - 1].trigger('click')
 
     await vi.waitFor(() => {
       expect(wrapper.text()).toContain('Kunde inte bekräfta betalningen')
@@ -184,16 +212,15 @@ describe('PaymentRedirect', () => {
 
     const { wrapper, router } = await mountPage()
     await vi.waitFor(() => {
-      expect(wrapper.find('.btn--primary').exists()).toBe(true)
+      expect(wrapper.find('.payment__submit').exists()).toBe(true)
     })
 
-    await wrapper.find('.btn--primary').trigger('click')
+    await wrapper.find('.payment__submit').trigger('click')
     await vi.waitFor(() => {
       expect(wrapper.text()).toContain('Ja, jag har betalat')
     })
 
-    const confirmButtons = wrapper.findAll('.btn--primary')
+    await wrapper.find('.payment__confirm .btn--primary').trigger('click')
-    await confirmButtons[confirmButtons.length - 1].trigger('click')
 
     await vi.waitFor(() => {
       expect(router.currentRoute.value.name).toBe('orders')

frontend/src/__tests__/PrivacyPolicyPage.spec.ts

@@ -41,6 +41,16 @@ describe('PrivacyPolicyPage', () => {
     expect(wrapper.text()).toContain('varken vi eller obehöriga')
   })
 
+  it('describes web analytics', () => {
+    const router = createTestRouter()
+    const wrapper = mount(PrivacyPolicyPage, {
+      global: { plugins: [router] },
+    })
+    expect(wrapper.text()).toContain('Webbstatistik')
+    expect(wrapper.text()).toContain('analytics.bilhej.se')
+    expect(wrapper.text()).toContain('IP-adresser')
+  })
+
   it('links to contact email and contact page', () => {
     const router = createTestRouter()
     const wrapper = mount(PrivacyPolicyPage, {

frontend/src/__tests__/Router.spec.ts

@@ -214,6 +214,64 @@ describe('Router guards', () => {
   })
 })
 
+describe('Router guards — expired tokens', () => {
+  beforeEach(() => {
+    setActivePinia(createPinia())
+    localStorage.clear()
+  })
+
+  it('redirects expired-token user from /orders to /logga-in with redirect query', async () => {
+    const past = Math.floor(Date.now() / 1000) - 3600
+    localStorage.setItem('auth_token', makeJwt({ role: 'user', exp: past }))
+
+    await router.push('/orders')
+    await router.isReady()
+
+    expect(router.currentRoute.value.name).toBe('login')
+    expect(router.currentRoute.value.query.redirect).toBe('/orders')
+  })
+
+  it('clears the expired token from localStorage on redirect', async () => {
+    const past = Math.floor(Date.now() / 1000) - 3600
+    localStorage.setItem('auth_token', makeJwt({ role: 'user', exp: past }))
+
+    await router.push('/orders')
+    await router.isReady()
+
+    expect(localStorage.getItem('auth_token')).toBeNull()
+  })
+
+  it('allows access with a token whose exp is in the future', async () => {
+    const future = Math.floor(Date.now() / 1000) + 3600
+    localStorage.setItem('auth_token', makeJwt({ role: 'user', exp: future }))
+
+    await router.push('/orders')
+    await router.isReady()
+
+    expect(router.currentRoute.value.name).toBe('orders')
+  })
+
+  it('lets expired-token user open /logga-in instead of bouncing to home', async () => {
+    const past = Math.floor(Date.now() / 1000) - 3600
+    localStorage.setItem('auth_token', makeJwt({ role: 'user', exp: past }))
+
+    await router.push('/logga-in')
+    await router.isReady()
+
+    expect(router.currentRoute.value.name).toBe('login')
+  })
+
+  it('lets expired-token user open /registrera instead of bouncing to home', async () => {
+    const past = Math.floor(Date.now() / 1000) - 3600
+    localStorage.setItem('auth_token', makeJwt({ role: 'user', exp: past }))
+
+    await router.push('/registrera')
+    await router.isReady()
+
+    expect(router.currentRoute.value.name).toBe('register')
+  })
+})
+
 function makeJwt(payload: Record<string, unknown>): string {
   const header = btoa(JSON.stringify({ alg: 'HS256', typ: 'JWT' }))
   const body = btoa(JSON.stringify(payload))

frontend/src/__tests__/authStore.spec.ts

@@ -212,6 +212,52 @@ describe('authStore', () => {
   })
 })
 
+describe('authStore.isTokenExpired', () => {
+  beforeEach(() => {
+    setActivePinia(createPinia())
+    localStorage.clear()
+  })
+
+  it('returns true when there is no token', () => {
+    const store = useAuthStore()
+    expect(store.isTokenExpired()).toBe(true)
+  })
+
+  it('returns true for a token with an expired exp claim', () => {
+    const past = Math.floor(Date.now() / 1000) - 3600
+    localStorage.setItem('auth_token', makeJwt({ role: 'user', exp: past }))
+    const store = useAuthStore()
+
+    expect(store.isTokenExpired()).toBe(true)
+  })
+
+  it('returns false for a token with a future exp claim', () => {
+    const future = Math.floor(Date.now() / 1000) + 3600
+    localStorage.setItem('auth_token', makeJwt({ role: 'user', exp: future }))
+    const store = useAuthStore()
+
+    expect(store.isTokenExpired()).toBe(false)
+  })
+
+  it('returns false for a token without an exp claim', () => {
+    localStorage.setItem('auth_token', makeJwt({ role: 'user' }))
+    const store = useAuthStore()
+
+    expect(store.isTokenExpired()).toBe(false)
+  })
+
+  it('returns true after logout clears the token', async () => {
+    const future = Math.floor(Date.now() / 1000) + 3600
+    localStorage.setItem('auth_token', makeJwt({ role: 'user', exp: future }))
+    const store = useAuthStore()
+    expect(store.isTokenExpired()).toBe(false)
+
+    store.logout()
+
+    expect(store.isTokenExpired()).toBe(true)
+  })
+})
+
 function makeJwt(payload: Record<string, unknown>): string {
   const header = btoa(JSON.stringify({ alg: 'HS256', typ: 'JWT' }))
   const body = btoa(JSON.stringify(payload))

frontend/src/__tests__/client.spec.ts

@@ -0,0 +1,125 @@
+import { describe, it, expect, beforeEach, vi } from 'vitest'
+import { createPinia, setActivePinia } from 'pinia'
+
+const mocks = vi.hoisted(() => {
+  const mockLogout = vi.fn()
+  const mockPush = vi.fn()
+  return {
+    mockLogout,
+    mockPush,
+    mockAuth: { isAuthenticated: true, logout: mockLogout },
+  }
+})
+
+vi.mock('@/stores/authStore', () => ({
+  useAuthStore: () => mocks.mockAuth,
+}))
+vi.mock('@/router', () => ({
+  default: {
+    currentRoute: { value: { fullPath: '/orders' } },
+    push: mocks.mockPush,
+  },
+}))
+
+import { request, ApiError, isSessionExpired, isForbidden } from '@/api/client'
+
+function mockFetchResponse(status: number, body: unknown) {
+  return Promise.resolve({
+    ok: status >= 200 && status < 300,
+    status,
+    json: () => Promise.resolve(body),
+  })
+}
+
+describe('api client', () => {
+  beforeEach(() => {
+    setActivePinia(createPinia())
+    localStorage.clear()
+    globalThis.fetch = vi.fn()
+    mocks.mockLogout.mockClear()
+    mocks.mockPush.mockClear()
+    mocks.mockAuth.isAuthenticated = true
+  })
+
+  it('logs out and redirects to login on 401 from a protected endpoint', async () => {
+    vi.mocked(globalThis.fetch).mockResolvedValue(
+      mockFetchResponse(401, { message: 'Din session har löpt ut.' }),
+    )
+    localStorage.setItem('auth_token', 'expired-token')
+
+    await expect(request('/orders')).rejects.toThrow('Din session har löpt ut.')
+
+    expect(mocks.mockLogout).toHaveBeenCalledTimes(1)
+    expect(mocks.mockPush).toHaveBeenCalledWith({
+      name: 'login',
+      query: { redirect: '/orders' },
+    })
+  })
+
+  it('still throws ApiError with 401 status after handling expired session', async () => {
+    vi.mocked(globalThis.fetch).mockResolvedValue(
+      mockFetchResponse(401, { message: 'Din session har löpt ut.' }),
+    )
+
+    try {
+      await request('/orders')
+      throw new Error('should have thrown')
+    } catch (err) {
+      expect(err).toBeInstanceOf(ApiError)
+      expect((err as ApiError).status).toBe(401)
+    }
+  })
+
+  it('does not log out on 401 from an auth endpoint (wrong credentials)', async () => {
+    vi.mocked(globalThis.fetch).mockResolvedValue(
+      mockFetchResponse(401, { message: 'Felaktig e-post eller lösenord' }),
+    )
+
+    await expect(request('/auth/login', { method: 'POST' })).rejects.toThrow(
+      'Felaktig e-post eller lösenord',
+    )
+
+    expect(mocks.mockLogout).not.toHaveBeenCalled()
+    expect(mocks.mockPush).not.toHaveBeenCalled()
+  })
+
+  it('does not log out on 403 (forbidden is not session expiry)', async () => {
+    vi.mocked(globalThis.fetch).mockResolvedValue(
+      mockFetchResponse(403, { message: 'Du har inte behörighet' }),
+    )
+    localStorage.setItem('auth_token', 'valid-token')
+
+    await expect(request('/admin/orders')).rejects.toThrow(
+      'Du har inte behörighet',
+    )
+
+    expect(mocks.mockLogout).not.toHaveBeenCalled()
+    expect(mocks.mockPush).not.toHaveBeenCalled()
+  })
+
+  it('does not redirect when there is no token on 401', async () => {
+    mocks.mockAuth.isAuthenticated = false
+    vi.mocked(globalThis.fetch).mockResolvedValue(
+      mockFetchResponse(401, { message: 'Din session har löpt ut.' }),
+    )
+
+    await expect(request('/orders')).rejects.toThrow()
+
+    expect(mocks.mockLogout).not.toHaveBeenCalled()
+    expect(mocks.mockPush).not.toHaveBeenCalled()
+  })
+
+  it('isSessionExpired returns true only for a 401 ApiError', () => {
+    expect(isSessionExpired(new ApiError(401, 'x'))).toBe(true)
+    expect(isSessionExpired(new ApiError(403, 'x'))).toBe(false)
+    expect(isSessionExpired(new ApiError(500, 'x'))).toBe(false)
+    expect(isSessionExpired(new Error('x'))).toBe(false)
+    expect(isSessionExpired(null)).toBe(false)
+  })
+
+  it('isForbidden returns true only for a 403 ApiError', () => {
+    expect(isForbidden(new ApiError(403, 'x'))).toBe(true)
+    expect(isForbidden(new ApiError(401, 'x'))).toBe(false)
+    expect(isForbidden(new Error('x'))).toBe(false)
+  })
+})

frontend/src/__tests__/umami.spec.ts

@@ -0,0 +1,72 @@
+import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest'
+import { createRouter, createMemoryHistory } from 'vue-router'
+import {
+  getUmamiConfig,
+  initUmamiAnalytics,
+  trackUmamiPageview,
+} from '@/utils/umami'
+
+describe('umami', () => {
+  beforeEach(() => {
+    document.head.innerHTML = ''
+    delete window.umami
+  })
+
+  afterEach(() => {
+    vi.unstubAllEnvs()
+  })
+
+  it('returns null when website id is unset', () => {
+    vi.stubEnv('VITE_UMAMI_WEBSITE_ID', '')
+    expect(getUmamiConfig()).toBeNull()
+  })
+
+  it('returns config when website id is set', () => {
+    vi.stubEnv('VITE_UMAMI_WEBSITE_ID', '11111111-2222-3333-4444-555555555555')
+    vi.stubEnv('VITE_UMAMI_SCRIPT_URL', '')
+    expect(getUmamiConfig()).toEqual({
+      websiteId: '11111111-2222-3333-4444-555555555555',
+      scriptUrl: 'https://analytics.bilhej.se/script.js',
+    })
+  })
+
+  it('uses custom script url when provided', () => {
+    vi.stubEnv('VITE_UMAMI_WEBSITE_ID', 'test-id')
+    vi.stubEnv('VITE_UMAMI_SCRIPT_URL', 'https://example.test/script.js')
+    expect(getUmamiConfig()?.scriptUrl).toBe('https://example.test/script.js')
+  })
+
+  it('does not inject script when website id is unset', () => {
+    vi.stubEnv('VITE_UMAMI_WEBSITE_ID', '')
+    const router = createRouter({
+      history: createMemoryHistory(),
+      routes: [{ path: '/', component: { template: '<div />' } }],
+    })
+    initUmamiAnalytics(router)
+    expect(document.querySelector('script[data-website-id]')).toBeNull()
+  })
+
+  it('injects script with auto-track disabled when configured', () => {
+    vi.stubEnv('VITE_UMAMI_WEBSITE_ID', 'test-id')
+    const router = createRouter({
+      history: createMemoryHistory(),
+      routes: [{ path: '/', component: { template: '<div />' } }],
+    })
+    initUmamiAnalytics(router)
+    const script = document.querySelector('script[data-website-id]')
+    expect(script?.getAttribute('data-website-id')).toBe('test-id')
+    expect(script?.getAttribute('data-auto-track')).toBe('false')
+    expect(script?.getAttribute('src')).toContain('script.js')
+  })
+
+  it('trackUmamiPageview forwards url to umami', () => {
+    const track = vi.fn()
+    window.umami = { track }
+    trackUmamiPageview('/orders')
+    expect(track).toHaveBeenCalledOnce()
+    const mapper = track.mock.calls[0][0] as (
+      props: Record<string, unknown>,
+    ) => Record<string, unknown>
+    expect(mapper({ referrer: 'x' })).toEqual({ referrer: 'x', url: '/orders' })
+  })
+})

frontend/src/api/admin.ts

@@ -8,7 +8,11 @@ export interface AdminOrder {
   status: string
   trackingId: string | null
   amountPaid: number | null
+  shippedAt: string | null
+  adminNotes: string | null
   createdAt: string
+  allowedStatuses: string[]
+  canRegisterShipment: boolean
 }
 
 export function fetchAllOrders(): Promise<AdminOrder[]> {
@@ -25,12 +29,23 @@ export function updateOrderStatus(
   })
 }
 
-export function updateTracking(
+export function registerShipment(
   orderId: string,
-  trackingId: string | null,
+  trackingInput: string,
+  notifyCustomer = true,
 ): Promise<AdminOrder> {
-  return request<AdminOrder>(`/admin/orders/${orderId}`, {
+  return request<AdminOrder>(`/admin/orders/${orderId}/register-shipment`, {
     method: 'PATCH',
-    body: JSON.stringify({ trackingId }),
+    body: JSON.stringify({ trackingInput, notifyCustomer }),
+  })
+}
+
+export function updateAdminNotes(
+  orderId: string,
+  adminNotes: string | null,
+): Promise<AdminOrder> {
+  return request<AdminOrder>(`/admin/orders/${orderId}/notes`, {
+    method: 'PATCH',
+    body: JSON.stringify({ adminNotes }),
   })
 }

frontend/src/api/client.ts

@@ -1,3 +1,6 @@
+import { useAuthStore } from '@/stores/authStore'
+import router from '@/router'
+
 const API_BASE = import.meta.env.VITE_API_URL || '/api'
 
 export class ApiError extends Error {
@@ -10,10 +13,27 @@ export class ApiError extends Error {
   }
 }
 
+export function isSessionExpired(err: unknown): boolean {
+  return err instanceof ApiError && err.status === 401
+}
+
+export function isForbidden(err: unknown): boolean {
+  return err instanceof ApiError && err.status === 403
+}
+
 function getToken(): string | null {
   return localStorage.getItem('auth_token')
 }
 
+function handleExpiredSession(): void {
+  const auth = useAuthStore()
+  if (auth.isAuthenticated) {
+    auth.logout()
+    const redirect = router.currentRoute.value.fullPath
+    router.push({ name: 'login', query: { redirect } })
+  }
+}
+
 export async function request<T>(
   url: string,
   options: RequestInit = {},
@@ -34,6 +54,9 @@ export async function request<T>(
   })
 
   if (!response.ok) {
+    if (response.status === 401 && !url.startsWith('/auth/')) {
+      handleExpiredSession()
+    }
     const body = await response.json().catch(() => ({}))
     throw new ApiError(response.status, body.message || 'Något gick fel')
   }

frontend/src/api/payment.ts

@@ -15,3 +15,44 @@ export function payOrder(orderId: string): Promise<Order> {
 export function fetchSwishInfo(): Promise<SwishInfo> {
   return request<SwishInfo>('/payment/swish-info')
 }
+
+/**
+ * Build a pre-filled Swish payment URL.
+ *
+ * On mobile, tapping this URL opens the Swish app with the amount and
+ * message pre-filled. On desktop, embed it in a QR code for the user
+ * to scan with their phone.
+ *
+ * Uses the Swish "C2B pre-fill" URL scheme documented at
+ * https://developer.swish.nu — no Swish Commerce API certificate required.
+ * The `sw` parameter accepts either a phone number or a Swish Business
+ * number (123…). Phone numbers in Swedish national format (leading 0)
+ * are normalised to international format (46…).
+ */
+export function buildSwishPaymentUrl(
+  swishNumber: string,
+  amount: number,
+  message: string,
+): string {
+  const payee = normalizeSwishNumber(swishNumber)
+  const params = new URLSearchParams({
+    sw: payee,
+    amt: amount.toFixed(2),
+    msg: message,
+  })
+  return `https://app.swish.nu/1/p/sw/?${params.toString()}`
+}
+
+/**
+ * Normalise a Swish number to the format the Swish URL expects.
+ * - 123… (Swish Business number) → unchanged
+ * - 46… (already international)  → unchanged
+ * - 0… (Swedish national format) → 46 + rest without leading 0
+ */
+function normalizeSwishNumber(number: string): string {
+  const trimmed = number.replace(/\s/g, '')
+  if (trimmed.startsWith('123')) return trimmed
+  if (trimmed.startsWith('46')) return trimmed
+  if (trimmed.startsWith('0')) return '46' + trimmed.slice(1)
+  return trimmed
+}

frontend/src/components/AppHeader.vue

@@ -171,7 +171,7 @@ onUnmounted(() => {
           <RouterLink
             v-if="auth.isAdmin"
             to="/admin"
-            class="app-header__link app-header__link--admin"
+            class="app-header__link"
             @click="handleNavClick"
             >Admin</RouterLink
           >
@@ -348,17 +348,6 @@ onUnmounted(() => {
   background: var(--color-primary-soft);
 }
 
-.app-header__link--admin {
-  background: var(--color-primary-soft);
-  color: var(--color-primary);
-  font-weight: 600;
-}
-
-.app-header__link--admin:hover {
-  background: #e9d5ff;
-  color: var(--color-primary-dark);
-}
-
 .app-header__link--settings-mobile {
   display: none;
 }

frontend/src/components/admin/AdminOrderDetailPanel.vue

@@ -0,0 +1,133 @@
+<script setup lang="ts">
+import type { AdminOrder } from '@/api/admin'
+import { postNordTrackingUrl } from '@/constants/orderStatus'
+
+defineProps<{
+  order: AdminOrder
+  trackingInput: string
+  adminNotes: string
+  notifyCustomer: boolean
+  trackingError: string
+  notesError: string
+  registering: boolean
+  savingNotes: boolean
+}>()
+
+const emit = defineEmits<{
+  'update:trackingInput': [value: string]
+  'update:adminNotes': [value: string]
+  'update:notifyCustomer': [value: boolean]
+  registerShipment: []
+  saveNotes: []
+}>()
+</script>
+
+<template>
+  <div class="admin__expanded-inner">
+    <ol v-if="order.status === 'processing'" class="admin__checklist">
+      <li>Hämta ägaradress via Transportstyrelsen</li>
+      <li>Skriv ut brevet och lägg i kuvert</li>
+      <li>Skicka med PostNord och få spårnings-ID</li>
+      <li>Registrera utskick nedan</li>
+    </ol>
+
+    <div v-if="order.canRegisterShipment" class="admin__section">
+      <div class="admin__section-header">
+        <span class="admin__section-label">Registrera utskick</span>
+        <a
+          v-if="order.trackingId"
+          class="admin__tracking-link"
+          :href="postNordTrackingUrl(order.trackingId)"
+          target="_blank"
+          rel="noopener noreferrer"
+          @click.stop
+        >
+          Spåra hos PostNord
+        </a>
+      </div>
+
+      <p class="admin__section-hint">
+        Klistra in spårnings-ID eller PostNord-länk. Vid beställningar som
+        hanteras markeras brevet som skickat och kunden kan få e-post.
+      </p>
+
+      <p
+        v-if="trackingError"
+        class="message message--error admin__tracking-error"
+        role="alert"
+      >
+        {{ trackingError }}
+      </p>
+
+      <div class="admin__tracking-row">
+        <label :for="`tracking-${order.id}`" class="visually-hidden"
+          >Spårnings-ID</label
+        >
+        <input
+          :id="`tracking-${order.id}`"
+          class="admin__tracking-input"
+          type="text"
+          :value="trackingInput"
+          placeholder="PN... eller PostNord-länk"
+          @input="
+            emit(
+              'update:trackingInput',
+              ($event.target as HTMLInputElement).value,
+            )
+          "
+          @click.stop
+        />
+        <button
+          class="btn btn--primary btn--sm"
+          :disabled="registering"
+          @click.stop="emit('registerShipment')"
+        >
+          {{ registering ? 'Registrerar...' : 'Registrera utskick' }}
+        </button>
+      </div>
+
+      <label v-if="order.status === 'processing'" class="admin__notify">
+        <input
+          :checked="notifyCustomer"
+          type="checkbox"
+          @change="
+            emit(
+              'update:notifyCustomer',
+              ($event.target as HTMLInputElement).checked,
+            )
+          "
+          @click.stop
+        />
+        Skicka e-post till kund
+      </label>
+    </div>
+
+    <div class="admin__section">
+      <span class="admin__section-label">Interna anteckningar</span>
+      <p v-if="notesError" class="message message--error" role="alert">
+        {{ notesError }}
+      </p>
+      <textarea
+        :id="`notes-${order.id}`"
+        class="admin__notes-input"
+        rows="3"
+        placeholder="T.ex. TS-begäran skickad..."
+        :value="adminNotes"
+        @input="
+          emit(
+            'update:adminNotes',
+            ($event.target as HTMLTextAreaElement).value,
+          )
+        "
+        @click.stop
+      />
+      <button
+        class="btn btn--ghost btn--sm admin__notes-save"
+        :disabled="savingNotes"
+        @click.stop="emit('saveNotes')"
+      >
+        {{ savingNotes ? 'Sparar...' : 'Spara anteckningar' }}
+      </button>
+    </div>
+  </div>
+</template>

frontend/src/components/admin/AdminOrderMessageModal.vue

@@ -0,0 +1,55 @@
+<script setup lang="ts">
+import type { AdminOrder } from '@/api/admin'
+import { shortOrderId } from '@/utils/orderDisplay'
+
+defineProps<{
+  order: AdminOrder | null
+}>()
+
+const emit = defineEmits<{
+  close: []
+}>()
+</script>
+
+<template>
+  <div v-if="order" class="admin-modal-overlay" @click.self="emit('close')">
+    <div
+      class="admin-modal"
+      role="dialog"
+      aria-modal="true"
+      aria-labelledby="admin-message-modal-title"
+    >
+      <div class="admin-modal__header">
+        <h2 id="admin-message-modal-title" class="admin-modal__title">
+          Brevtext
+        </h2>
+        <button
+          type="button"
+          class="admin-modal__close"
+          aria-label="Stäng"
+          @click="emit('close')"
+        >
+          <svg
+            viewBox="0 0 24 24"
+            width="20"
+            height="20"
+            fill="none"
+            stroke="currentColor"
+            stroke-width="2"
+            stroke-linecap="round"
+            aria-hidden="true"
+          >
+            <line x1="18" y1="6" x2="6" y2="18" />
+            <line x1="6" y1="6" x2="18" y2="18" />
+          </svg>
+        </button>
+      </div>
+      <p class="admin-modal__meta">
+        {{ order.plate }} · {{ shortOrderId(order.id) }}
+      </p>
+      <div class="admin-modal__body">
+        {{ order.letterText }}
+      </div>
+    </div>
+  </div>
+</template>

frontend/src/components/admin/AdminOrdersTable.vue

@@ -0,0 +1,176 @@
+<script setup lang="ts">
+import type { AdminOrder } from '@/api/admin'
+import {
+  ORDER_STATUS_BADGE,
+  ORDER_STATUS_LABELS,
+} from '@/constants/orderStatus'
+import { formatOrderDate, shortOrderId } from '@/utils/orderDisplay'
+import AdminOrderDetailPanel from '@/components/admin/AdminOrderDetailPanel.vue'
+
+defineProps<{
+  orders: AdminOrder[]
+  expandedOrderId: string | null
+  statusError: string
+  trackingError: string
+  notesError: string
+  trackingInputValues: Record<string, string>
+  adminNotesValues: Record<string, string>
+  notifyCustomerValues: Record<string, boolean>
+  savingNotesId: string | null
+  registeringId: string | null
+}>()
+
+const emit = defineEmits<{
+  toggleExpand: [orderId: string]
+  openMessage: [order: AdminOrder]
+  statusChange: [orderId: string, status: string]
+  registerShipment: [orderId: string]
+  saveNotes: [orderId: string]
+  'update:trackingInput': [orderId: string, value: string]
+  'update:adminNotes': [orderId: string, value: string]
+  'update:notifyCustomer': [orderId: string, value: boolean]
+}>()
+
+function isStatusDropdownDisabled(order: AdminOrder): boolean {
+  return order.allowedStatuses.length <= 1
+}
+</script>
+
+<template>
+  <p
+    v-if="statusError"
+    class="message message--error admin__status-error"
+    role="alert"
+  >
+    {{ statusError }}
+  </p>
+
+  <div class="admin__table-wrap">
+    <table class="admin__table">
+      <thead>
+        <tr>
+          <th class="admin__th-expand" scope="col">
+            <span class="visually-hidden">Visa detaljer</span>
+          </th>
+          <th class="admin__th-date">Datum</th>
+          <th class="admin__th-id" title="Beställnings-ID">ID</th>
+          <th class="admin__th-email">E-post</th>
+          <th class="admin__th-plate">Regnr</th>
+          <th class="admin__th-message" title="Meddelande">Brev</th>
+          <th class="admin__th-status">Status</th>
+        </tr>
+      </thead>
+      <tbody>
+        <template v-for="order in orders" :key="order.id">
+          <tr
+            class="admin__row"
+            :class="{
+              'admin__row--expanded': expandedOrderId === order.id,
+              'admin__row--todo': order.status === 'processing',
+            }"
+            :aria-expanded="expandedOrderId === order.id"
+            :title="
+              expandedOrderId === order.id
+                ? 'Klicka för att dölja detaljer'
+                : 'Klicka för att visa utskick och detaljer'
+            "
+            @click="emit('toggleExpand', order.id)"
+          >
+            <td class="admin__expand-cell">
+              <span
+                class="admin__expand-icon"
+                :class="{
+                  'admin__expand-icon--open': expandedOrderId === order.id,
+                }"
+                aria-hidden="true"
+              >
+                <svg
+                  viewBox="0 0 24 24"
+                  width="14"
+                  height="14"
+                  fill="none"
+                  stroke="currentColor"
+                  stroke-width="2.5"
+                  stroke-linecap="round"
+                  stroke-linejoin="round"
+                >
+                  <polyline
+                    :points="
+                      expandedOrderId === order.id
+                        ? '6 9 12 15 18 9'
+                        : '9 6 15 12 9 18'
+                    "
+                  />
+                </svg>
+              </span>
+            </td>
+            <td class="admin__td-date">
+              {{ formatOrderDate(order.createdAt) }}
+            </td>
+            <td class="admin__order-id" :title="order.id">
+              {{ shortOrderId(order.id) }}
+            </td>
+            <td class="admin__email" :title="order.email">{{ order.email }}</td>
+            <td class="admin__plate">{{ order.plate }}</td>
+            <td class="admin__message-cell">
+              <button
+                type="button"
+                class="btn btn--ghost btn--sm admin__message-btn"
+                @click.stop="emit('openMessage', order)"
+              >
+                Visa meddelande
+              </button>
+            </td>
+            <td class="admin__status-cell">
+              <select
+                class="admin__status-select"
+                :class="ORDER_STATUS_BADGE[order.status] || 'badge--muted'"
+                :value="order.status"
+                :disabled="isStatusDropdownDisabled(order)"
+                @change="
+                  emit(
+                    'statusChange',
+                    order.id,
+                    ($event.target as HTMLSelectElement).value,
+                  )
+                "
+                @click.stop
+              >
+                <option v-for="s in order.allowedStatuses" :key="s" :value="s">
+                  {{ ORDER_STATUS_LABELS[s] }}
+                </option>
+              </select>
+            </td>
+          </tr>
+          <tr v-if="expandedOrderId === order.id" class="admin__expanded-row">
+            <td :colspan="7">
+              <AdminOrderDetailPanel
+                :order="order"
+                :tracking-input="
+                  trackingInputValues[order.id] ?? order.trackingId ?? ''
+                "
+                :admin-notes="adminNotesValues[order.id] ?? ''"
+                :notify-customer="notifyCustomerValues[order.id] ?? true"
+                :tracking-error="trackingError"
+                :notes-error="notesError"
+                :registering="registeringId === order.id"
+                :saving-notes="savingNotesId === order.id"
+                @update:tracking-input="
+                  emit('update:trackingInput', order.id, $event)
+                "
+                @update:admin-notes="
+                  emit('update:adminNotes', order.id, $event)
+                "
+                @update:notify-customer="
+                  emit('update:notifyCustomer', order.id, $event)
+                "
+                @register-shipment="emit('registerShipment', order.id)"
+                @save-notes="emit('saveNotes', order.id)"
+              />
+            </td>
+          </tr>
+        </template>
+      </tbody>
+    </table>
+  </div>
+</template>

frontend/src/components/admin/AdminStatsBar.vue

@@ -0,0 +1,71 @@
+<script setup lang="ts">
+import type { AdminOrderFilter } from '@/composables/useAdminOrders'
+
+defineProps<{
+  total: number
+  todo: number
+  paid: number
+  pending: number
+}>()
+
+const activeFilterModel = defineModel<AdminOrderFilter>('activeFilter', {
+  required: true,
+})
+const searchQuery = defineModel<string>('searchQuery', { required: true })
+</script>
+
+<template>
+  <div class="admin__stats">
+    <button
+      type="button"
+      class="admin__stat"
+      :class="{ 'admin__stat--active': activeFilterModel === 'all' }"
+      @click="activeFilterModel = 'all'"
+    >
+      <span class="admin__stat-value">{{ total }}</span>
+      <span class="admin__stat-label">Totalt</span>
+    </button>
+    <button
+      type="button"
+      class="admin__stat"
+      :class="{ 'admin__stat--active': activeFilterModel === 'processing' }"
+      @click="activeFilterModel = 'processing'"
+    >
+      <span class="admin__stat-value">{{ todo }}</span>
+      <span class="admin__stat-label">Att göra</span>
+    </button>
+    <button
+      type="button"
+      class="admin__stat"
+      :class="{ 'admin__stat--active': activeFilterModel === 'paid_group' }"
+      @click="activeFilterModel = 'paid_group'"
+    >
+      <span class="admin__stat-value">{{ paid }}</span>
+      <span class="admin__stat-label">Betalda</span>
+    </button>
+    <button
+      type="button"
+      class="admin__stat"
+      :class="{
+        'admin__stat--active': activeFilterModel === 'pending_payment',
+      }"
+      @click="activeFilterModel = 'pending_payment'"
+    >
+      <span class="admin__stat-value">{{ pending }}</span>
+      <span class="admin__stat-label">Väntar</span>
+    </button>
+  </div>
+
+  <div class="admin__toolbar">
+    <label for="admin-order-search" class="admin__search-label"
+      >Sök beställnings-ID eller regnr</label
+    >
+    <input
+      id="admin-order-search"
+      v-model="searchQuery"
+      class="admin__search-input"
+      type="search"
+      placeholder="t.ex. c1eebc99 eller ABC123"
+    />
+  </div>
+</template>

frontend/src/composables/useAdminOrderActions.ts

@@ -0,0 +1,159 @@
+import { ref, reactive, type Ref } from 'vue'
+import { ApiError, isSessionExpired } from '@/api/client'
+import {
+  updateOrderStatus,
+  registerShipment,
+  updateAdminNotes,
+  type AdminOrder,
+} from '@/api/admin'
+
+export function useAdminOrderActions(
+  orders: Ref<AdminOrder[]>,
+  replaceOrder: (updated: AdminOrder) => void,
+) {
+  const expandedOrderId = ref<string | null>(null)
+  const statusError = ref('')
+  const trackingError = ref('')
+  const notesError = ref('')
+  const savingNotesId = ref<string | null>(null)
+  const registeringId = ref<string | null>(null)
+  const messageModalOrder = ref<AdminOrder | null>(null)
+
+  const trackingInputValues = reactive<Record<string, string>>({})
+  const adminNotesValues = reactive<Record<string, string>>({})
+  const notifyCustomerValues = reactive<Record<string, boolean>>({})
+
+  function findOrder(orderId: string): AdminOrder | undefined {
+    return orders.value.find((o) => o.id === orderId)
+  }
+
+  function openMessageModal(order: AdminOrder) {
+    messageModalOrder.value = order
+  }
+
+  function closeMessageModal() {
+    messageModalOrder.value = null
+  }
+
+  function toggleExpand(orderId: string) {
+    if (expandedOrderId.value === orderId) {
+      expandedOrderId.value = null
+      return
+    }
+
+    expandedOrderId.value = orderId
+    const order = findOrder(orderId)
+    if (!order) return
+
+    if (!(orderId in trackingInputValues)) {
+      trackingInputValues[orderId] = order.trackingId ?? ''
+    }
+    if (!(orderId in adminNotesValues)) {
+      adminNotesValues[orderId] = order.adminNotes ?? ''
+    }
+    if (!(orderId in notifyCustomerValues)) {
+      notifyCustomerValues[orderId] = true
+    }
+  }
+
+  async function handleStatusChange(orderId: string, newStatus: string) {
+    const order = findOrder(orderId)
+    if (!order) return
+
+    const previousStatus = order.status
+    order.status = newStatus
+    statusError.value = ''
+
+    try {
+      const updated = await updateOrderStatus(orderId, newStatus)
+      replaceOrder(updated)
+    } catch (err) {
+      order.status = previousStatus
+      if (!isSessionExpired(err)) {
+        statusError.value =
+          err instanceof ApiError && err.message
+            ? err.message
+            : 'Kunde inte uppdatera status. Försök igen.'
+      }
+    }
+  }
+
+  async function handleRegisterShipment(orderId: string) {
+    const trackingInput = trackingInputValues[orderId]?.trim()
+    if (!trackingInput) {
+      trackingError.value = 'Ange ett spårnings-ID eller en PostNord-länk.'
+      return
+    }
+
+    const order = findOrder(orderId)
+    if (!order) return
+
+    const previousStatus = order.status
+    const previousTrackingId = order.trackingId
+    const notifyCustomer = notifyCustomerValues[orderId] ?? true
+    trackingError.value = ''
+    registeringId.value = orderId
+
+    try {
+      const updated = await registerShipment(
+        orderId,
+        trackingInput,
+        notifyCustomer,
+      )
+      replaceOrder(updated)
+      trackingInputValues[orderId] = updated.trackingId ?? trackingInput
+    } catch (err) {
+      order.status = previousStatus
+      order.trackingId = previousTrackingId
+      if (!isSessionExpired(err)) {
+        trackingError.value =
+          'Kunde inte registrera utskick. Kontrollera spårnings-ID och försök igen.'
+      }
+    } finally {
+      registeringId.value = null
+    }
+  }
+
+  async function handleNotesSave(orderId: string) {
+    const order = findOrder(orderId)
+    if (!order) return
+
+    const notes = adminNotesValues[orderId]?.trim() || null
+    const previousNotes = order.adminNotes
+    notesError.value = ''
+    savingNotesId.value = orderId
+
+    try {
+      const updated = await updateAdminNotes(orderId, notes)
+      replaceOrder(updated)
+      adminNotesValues[orderId] = updated.adminNotes ?? ''
+    } catch (err) {
+      order.adminNotes = previousNotes
+      adminNotesValues[orderId] = previousNotes ?? ''
+      if (!isSessionExpired(err)) {
+        notesError.value = 'Kunde inte spara anteckningar. Försök igen.'
+      }
+    } finally {
+      savingNotesId.value = null
+    }
+  }
+
+  return {
+    expandedOrderId,
+    statusError,
+    trackingError,
+    notesError,
+    savingNotesId,
+    registeringId,
+    messageModalOrder,
+    trackingInputValues,
+    adminNotesValues,
+    notifyCustomerValues,
+    openMessageModal,
+    closeMessageModal,
+    toggleExpand,
+    handleStatusChange,
+    handleRegisterShipment,
+    handleNotesSave,
+  }
+}

frontend/src/composables/useAdminOrders.ts

@@ -0,0 +1,92 @@
+import { ref, computed } from 'vue'
+import { fetchAllOrders, type AdminOrder } from '@/api/admin'
+import { isSessionExpired } from '@/api/client'
+import { PAID_GROUP_STATUSES } from '@/constants/orderStatus'
+
+export type AdminOrderFilter =
+  | 'all'
+  | 'processing'
+  | 'paid_group'
+  | 'pending_payment'
+
+export function useAdminOrders() {
+  const orders = ref<AdminOrder[]>([])
+  const loading = ref(true)
+  const error = ref('')
+  const activeFilter = ref<AdminOrderFilter>('all')
+  const searchQuery = ref('')
+
+  const stats = computed(() => {
+    const total = orders.value.length
+    const todo = orders.value.filter((o) => o.status === 'processing').length
+    const paid = orders.value.filter((o) =>
+      PAID_GROUP_STATUSES.includes(
+        o.status as (typeof PAID_GROUP_STATUSES)[number],
+      ),
+    ).length
+    const pending = orders.value.filter(
+      (o) => o.status === 'pending_payment',
+    ).length
+    return { total, todo, paid, pending }
+  })
+
+  const filteredOrders = computed(() => {
+    let result = orders.value
+
+    if (activeFilter.value === 'processing') {
+      result = result.filter((o) => o.status === 'processing')
+    } else if (activeFilter.value === 'paid_group') {
+      result = result.filter((o) =>
+        PAID_GROUP_STATUSES.includes(
+          o.status as (typeof PAID_GROUP_STATUSES)[number],
+        ),
+      )
+    } else if (activeFilter.value === 'pending_payment') {
+      result = result.filter((o) => o.status === 'pending_payment')
+    }
+
+    const query = searchQuery.value.trim().toLowerCase()
+    if (query) {
+      result = result.filter(
+        (o) =>
+          o.id.toLowerCase().includes(query) ||
+          o.plate.toLowerCase().includes(query),
+      )
+    }
+
+    return result
+  })
+
+  async function loadOrders() {
+    loading.value = true
+    error.value = ''
+    try {
+      orders.value = await fetchAllOrders()
+    } catch (err) {
+      if (!isSessionExpired(err)) {
+        error.value = 'Kunde inte hämta beställningar. Försök igen senare.'
+      }
+    } finally {
+      loading.value = false
+    }
+  }
+
+  function replaceOrder(updated: AdminOrder) {
+    const index = orders.value.findIndex((o) => o.id === updated.id)
+    if (index !== -1) {
+      orders.value[index] = updated
+    }
+  }
+
+  return {
+    orders,
+    loading,
+    error,
+    activeFilter,
+    searchQuery,
+    stats,
+    filteredOrders,
+    loadOrders,
+    replaceOrder,
+  }
+}

frontend/src/constants/orderStatus.ts

@@ -0,0 +1,30 @@
+export const ORDER_STATUS_LABELS: Record<string, string> = {
+  pending_payment: 'Väntar på betalning',
+  paid: 'Betalad',
+  processing: 'Hanteras',
+  sent: 'Skickat',
+  delivered: 'Levererat',
+  failed: 'Misslyckad',
+  cancelled: 'Avbruten',
+}
+
+export const ORDER_STATUS_BADGE: Record<string, string> = {
+  pending_payment: 'badge--muted',
+  paid: 'badge--success',
+  processing: 'badge--primary',
+  sent: 'badge--success',
+  delivered: 'badge--success',
+  failed: 'badge--danger',
+  cancelled: 'badge--muted',
+}
+
+export const PAID_GROUP_STATUSES = [
+  'processing',
+  'paid',
+  'sent',
+  'delivered',
+] as const
+
+export function postNordTrackingUrl(trackingId: string): string {
+  return `https://www.postnord.se/verktyg/spara/?id=${trackingId}`
+}

frontend/src/env.d.ts

@@ -0,0 +1,22 @@
+/// <reference types="vite/client" />
+
+interface ImportMetaEnv {
+  readonly VITE_API_URL?: string
+  readonly VITE_UMAMI_WEBSITE_ID?: string
+  readonly VITE_UMAMI_SCRIPT_URL?: string
+}
+
+interface ImportMeta {
+  readonly env: ImportMetaEnv
+}
+
+interface Window {
+  umami?: {
+    track: (
+      input?:
+        | string
+        | Record<string, unknown>
+        | ((props: Record<string, unknown>) => Record<string, unknown>),
+    ) => void
+  }
+}

frontend/src/main.ts

@@ -2,11 +2,13 @@ import { createApp } from 'vue'
 import { createPinia } from 'pinia'
 import App from './App.vue'
 import router from './router'
+import { initUmamiAnalytics } from '@/utils/umami'
 import './assets/styles/base.css'
 
 const app = createApp(App)
 
 app.use(createPinia())
 app.use(router)
+initUmamiAnalytics(router)
 
 app.mount('#app')

frontend/src/pages/AdminPage.vue

@@ -1,111 +1,45 @@
 <script setup lang="ts">
-import { ref, onMounted, onUnmounted, reactive, computed } from 'vue'
+import { onMounted, onUnmounted } from 'vue'
-import {
+import { useAdminOrders } from '@/composables/useAdminOrders'
-  fetchAllOrders,
+import { useAdminOrderActions } from '@/composables/useAdminOrderActions'
-  updateOrderStatus,
+import AdminStatsBar from '@/components/admin/AdminStatsBar.vue'
-  updateTracking,
+import AdminOrdersTable from '@/components/admin/AdminOrdersTable.vue'
-  type AdminOrder,
+import AdminOrderMessageModal from '@/components/admin/AdminOrderMessageModal.vue'
-} from '@/api/admin'
 
-const orders = ref<AdminOrder[]>([])
+const {
-const expandedOrderId = ref<string | null>(null)
+  orders,
-const loading = ref(true)
+  loading,
-const error = ref('')
+  error,
-const statusError = ref('')
+  activeFilter,
-const trackingError = ref('')
+  searchQuery,
-const activeFilter = ref<
+  stats,
-  'all' | 'processing' | 'paid_group' | 'pending_payment'
+  filteredOrders,
->('all')
+  loadOrders,
-const searchQuery = ref('')
+  replaceOrder,
-const trackingInputValues = reactive<Record<string, string>>({})
+} = useAdminOrders()
-const messageModalOrder = ref<AdminOrder | null>(null)
 
-const statusLabels: Record<string, string> = {
+const {
-  pending_payment: 'Väntar på betalning',
+  expandedOrderId,
-  paid: 'Betalad',
+  statusError,
-  processing: 'Hanteras',
+  trackingError,
-  sent: 'Skickat',
+  notesError,
-  delivered: 'Levererat',
+  savingNotesId,
-  failed: 'Misslyckad',
+  registeringId,
-  cancelled: 'Avbruten',
+  messageModalOrder,
-}
+  trackingInputValues,
+  adminNotesValues,
+  notifyCustomerValues,
+  openMessageModal,
+  closeMessageModal,
+  toggleExpand,
+  handleStatusChange,
+  handleRegisterShipment,
+  handleNotesSave,
+} = useAdminOrderActions(orders, replaceOrder)
 
-const statusBadge: Record<string, string> = {
+const umamiDashboardUrl = import.meta.env.VITE_UMAMI_WEBSITE_ID
-  pending_payment: 'badge--muted',
+  ? 'https://analytics.bilhej.se'
-  paid: 'badge--success',
+  : null
-  processing: 'badge--primary',
-  sent: 'badge--success',
-  delivered: 'badge--success',
-  failed: 'badge--danger',
-  cancelled: 'badge--muted',
-}
-
-const allStatuses = [
-  'pending_payment',
-  'paid',
-  'processing',
-  'sent',
-  'delivered',
-  'failed',
-  'cancelled',
-]
-
-const stats = computed(() => {
-  const total = orders.value.length
-  const todo = orders.value.filter((o) => o.status === 'processing').length
-  const paid = orders.value.filter((o) =>
-    ['paid', 'sent', 'delivered'].includes(o.status),
-  ).length
-  const pending = orders.value.filter(
-    (o) => o.status === 'pending_payment',
-  ).length
-  return { total, todo, paid, pending }
-})
-
-const filteredOrders = computed(() => {
-  let result = orders.value
-
-  if (activeFilter.value === 'processing') {
-    result = result.filter((o) => o.status === 'processing')
-  } else if (activeFilter.value === 'paid_group') {
-    result = result.filter((o) =>
-      ['paid', 'sent', 'delivered'].includes(o.status),
-    )
-  } else if (activeFilter.value === 'pending_payment') {
-    result = result.filter((o) => o.status === 'pending_payment')
-  }
-
-  const query = searchQuery.value.trim().toLowerCase()
-  if (query) {
-    result = result.filter(
-      (o) =>
-        o.id.toLowerCase().includes(query) ||
-        o.plate.toLowerCase().includes(query),
-    )
-  }
-
-  return result
-})
-
-function shortOrderId(id: string): string {
-  return id.slice(0, 8)
-}
-
-function formatDate(iso: string): string {
-  return new Date(iso).toLocaleDateString('sv-SE', {
-    year: 'numeric',
-    month: 'short',
-    day: 'numeric',
-  })
-}
-
-function openMessageModal(order: AdminOrder) {
-  messageModalOrder.value = order
-}
-
-function closeMessageModal() {
-  messageModalOrder.value = null
-}
 
 function handleModalKeydown(event: KeyboardEvent) {
   if (event.key === 'Escape' && messageModalOrder.value) {
@@ -113,60 +47,9 @@ function handleModalKeydown(event: KeyboardEvent) {
   }
 }
 
-function toggleExpand(orderId: string) {
+onMounted(() => {
-  if (expandedOrderId.value === orderId) {
-    expandedOrderId.value = null
-  } else {
-    expandedOrderId.value = orderId
-    const order = orders.value.find((o) => o.id === orderId)
-    if (order && !(orderId in trackingInputValues)) {
-      trackingInputValues[orderId] = order.trackingId ?? ''
-    }
-  }
-}
-
-async function handleStatusChange(orderId: string, newStatus: string) {
-  const order = orders.value.find((o) => o.id === orderId)
-  if (!order) return
-
-  const previousStatus = order.status
-  order.status = newStatus
-  statusError.value = ''
-
-  try {
-    await updateOrderStatus(orderId, newStatus)
-  } catch {
-    order.status = previousStatus
-    statusError.value = 'Kunde inte uppdatera status. Försök igen.'
-  }
-}
-
-async function handleTrackingSave(orderId: string) {
-  const newTrackingId = trackingInputValues[orderId]?.trim() || null
-  const order = orders.value.find((o) => o.id === orderId)
-  if (!order) return
-
-  const previousTrackingId = order.trackingId
-  order.trackingId = newTrackingId
-  trackingError.value = ''
-
-  try {
-    await updateTracking(orderId, newTrackingId)
-  } catch {
-    order.trackingId = previousTrackingId
-    trackingError.value = 'Kunde inte spara spårnings-ID. Försök igen.'
-  }
-}
-
-onMounted(async () => {
   window.addEventListener('keydown', handleModalKeydown)
-  try {
+  void loadOrders()
-    orders.value = await fetchAllOrders()
-  } catch {
-    error.value = 'Kunde inte hämta beställningar. Försök igen senare.'
-  } finally {
-    loading.value = false
-  }
 })
 
 onUnmounted(() => {
@@ -176,7 +59,18 @@ onUnmounted(() => {
 
 <template>
   <div class="admin">
+    <header class="admin__header">
       <h1 class="admin__title">Administration</h1>
+      <a
+        v-if="umamiDashboardUrl"
+        class="admin__analytics-link"
+        :href="umamiDashboardUrl"
+        target="_blank"
+        rel="noopener noreferrer"
+      >
+        Webbstatistik
+      </a>
+    </header>
 
     <p
       v-if="loading"
@@ -193,57 +87,14 @@ onUnmounted(() => {
     </div>
 
     <template v-else>
-      <div class="admin__stats">
+      <AdminStatsBar
-        <button
+        v-model:active-filter="activeFilter"
-          type="button"
+        v-model:search-query="searchQuery"
-          class="admin__stat"
+        :total="stats.total"
-          :class="{ 'admin__stat--active': activeFilter === 'all' }"
+        :todo="stats.todo"
-          @click="activeFilter = 'all'"
+        :paid="stats.paid"
-        >
+        :pending="stats.pending"
-          <span class="admin__stat-value">{{ stats.total }}</span>
-          <span class="admin__stat-label">Totalt</span>
-        </button>
-        <button
-          type="button"
-          class="admin__stat"
-          :class="{ 'admin__stat--active': activeFilter === 'processing' }"
-          @click="activeFilter = 'processing'"
-        >
-          <span class="admin__stat-value">{{ stats.todo }}</span>
-          <span class="admin__stat-label">Att göra</span>
-        </button>
-        <button
-          type="button"
-          class="admin__stat"
-          :class="{ 'admin__stat--active': activeFilter === 'paid_group' }"
-          @click="activeFilter = 'paid_group'"
-        >
-          <span class="admin__stat-value">{{ stats.paid }}</span>
-          <span class="admin__stat-label">Betalda</span>
-        </button>
-        <button
-          type="button"
-          class="admin__stat"
-          :class="{ 'admin__stat--active': activeFilter === 'pending_payment' }"
-          @click="activeFilter = 'pending_payment'"
-        >
-          <span class="admin__stat-value">{{ stats.pending }}</span>
-          <span class="admin__stat-label">Väntar</span>
-        </button>
-      </div>
-
-      <div class="admin__toolbar">
-        <label for="admin-order-search" class="admin__search-label"
-          >Sök beställnings-ID eller regnr</label
-        >
-        <input
-          id="admin-order-search"
-          v-model="searchQuery"
-          class="admin__search-input"
-          type="search"
-          placeholder="t.ex. c1eebc99 eller ABC123"
       />
-      </div>
 
       <p
         v-if="filteredOrders.length === 0"
@@ -252,232 +103,82 @@ onUnmounted(() => {
         Inga beställningar matchar filtret.
       </p>
 
-      <p
+      <AdminOrdersTable
-        v-if="statusError"
+        v-if="filteredOrders.length > 0"
-        class="message message--error admin__status-error"
+        :orders="filteredOrders"
-        role="alert"
+        :expanded-order-id="expandedOrderId"
-      >
+        :status-error="statusError"
-        {{ statusError }}
+        :tracking-error="trackingError"
-      </p>
+        :notes-error="notesError"
-
+        :tracking-input-values="trackingInputValues"
-      <div v-if="filteredOrders.length > 0" class="admin__table-wrap">
+        :admin-notes-values="adminNotesValues"
-        <table class="admin__table">
+        :notify-customer-values="notifyCustomerValues"
-          <thead>
+        :saving-notes-id="savingNotesId"
-            <tr>
+        :registering-id="registeringId"
-              <th>Datum</th>
+        @toggle-expand="toggleExpand"
-              <th>Beställnings-ID</th>
+        @open-message="openMessageModal"
-              <th>E-post</th>
+        @status-change="handleStatusChange"
-              <th>Regnr</th>
+        @register-shipment="handleRegisterShipment"
-              <th>Meddelande</th>
+        @save-notes="handleNotesSave"
-              <th>Status</th>
+        @update:tracking-input="
-              <th></th>
+          (id, value) => {
-            </tr>
+            trackingInputValues[id] = value
-          </thead>
+          }
-          <tbody>
-            <template v-for="order in filteredOrders" :key="order.id">
-              <tr
-                class="admin__row"
-                :class="{
-                  'admin__row--expanded': expandedOrderId === order.id,
-                  'admin__row--todo': order.status === 'processing',
-                }"
-              >
-                <td>{{ formatDate(order.createdAt) }}</td>
-                <td class="admin__order-id" :title="order.id">
-                  {{ shortOrderId(order.id) }}
-                </td>
-                <td>{{ order.email }}</td>
-                <td class="admin__plate">{{ order.plate }}</td>
-                <td>
-                  <button
-                    type="button"
-                    class="btn btn--ghost btn--sm admin__message-btn"
-                    @click.stop="openMessageModal(order)"
-                  >
-                    Visa meddelande
-                  </button>
-                </td>
-                <td>
-                  <select
-                    class="admin__status-select"
-                    :class="statusBadge[order.status] || 'badge--muted'"
-                    :value="order.status"
-                    @change="
-                      handleStatusChange(
-                        order.id,
-                        ($event.target as HTMLSelectElement).value,
-                      )
         "
-                    @click.stop
+        @update:admin-notes="
-                  >
+          (id, value) => {
-                    <option v-for="s in allStatuses" :key="s" :value="s">
+            adminNotesValues[id] = value
-                      {{ statusLabels[s] }}
+          }
-                    </option>
-                  </select>
-                </td>
-                <td class="admin__chevron-cell">
-                  <button
-                    class="admin__expand-btn"
-                    :aria-expanded="expandedOrderId === order.id"
-                    :aria-label="
-                      expandedOrderId === order.id
-                        ? 'Dölj detaljer'
-                        : 'Visa detaljer'
         "
-                    @click.stop="toggleExpand(order.id)"
+        @update:notify-customer="
-                  >
+          (id, value) => {
-                    <svg
+            notifyCustomerValues[id] = value
-                      viewBox="0 0 24 24"
+          }
-                      width="14"
-                      height="14"
-                      fill="none"
-                      stroke="currentColor"
-                      stroke-width="2.5"
-                      stroke-linecap="round"
-                      stroke-linejoin="round"
-                      aria-hidden="true"
-                    >
-                      <polyline
-                        :points="
-                          expandedOrderId === order.id
-                            ? '6 9 12 15 18 9'
-                            : '9 6 15 12 9 18'
         "
       />
-                    </svg>
+    </template>
-                  </button>
-                </td>
-              </tr>
-              <tr
-                v-if="expandedOrderId === order.id"
-                class="admin__expanded-row"
-              >
-                <td :colspan="7">
-                  <div class="admin__expanded-inner">
-                    <div class="admin__section">
-                      <div class="admin__section-header">
-                        <span class="admin__section-label">Spårnings-ID</span>
-                        <a
-                          v-if="order.trackingId"
-                          class="admin__tracking-link"
-                          :href="`https://www.postnord.se/verktyg/spara/?id=${order.trackingId}`"
-                          target="_blank"
-                          rel="noopener noreferrer"
-                          @click.stop
-                        >
-                          Spåra hos PostNord
-                        </a>
-                      </div>
 
-                      <p
+    <AdminOrderMessageModal
-                        v-if="trackingError"
+      :order="messageModalOrder"
-                        class="message message--error admin__tracking-error"
+      @close="closeMessageModal"
-                        role="alert"
-                      >
-                        {{ trackingError }}
-                      </p>
-
-                      <div class="admin__tracking-row">
-                        <label
-                          :for="`tracking-${order.id}`"
-                          class="visually-hidden"
-                          >Spårnings-ID</label
-                        >
-                        <input
-                          :id="`tracking-${order.id}`"
-                          class="admin__tracking-input"
-                          type="text"
-                          :value="
-                            trackingInputValues[order.id] ??
-                            order.trackingId ??
-                            ''
-                          "
-                          placeholder="PN..."
-                          @input="
-                            trackingInputValues[order.id] = (
-                              $event.target as HTMLInputElement
-                            ).value
-                          "
-                          @click.stop
     />
-                        <button
-                          class="btn btn--primary btn--sm"
-                          @click.stop="handleTrackingSave(order.id)"
-                        >
-                          Spara
-                        </button>
-                      </div>
-                    </div>
-                  </div>
-                </td>
-              </tr>
-            </template>
-          </tbody>
-        </table>
-      </div>
-    </template>
-
-    <div
-      v-if="messageModalOrder"
-      class="admin-modal-overlay"
-      @click.self="closeMessageModal"
-    >
-      <div
-        class="admin-modal"
-        role="dialog"
-        aria-modal="true"
-        aria-labelledby="admin-message-modal-title"
-      >
-        <div class="admin-modal__header">
-          <h2 id="admin-message-modal-title" class="admin-modal__title">
-            Brevtext
-          </h2>
-          <button
-            type="button"
-            class="admin-modal__close"
-            aria-label="Stäng"
-            @click="closeMessageModal"
-          >
-            <svg
-              viewBox="0 0 24 24"
-              width="20"
-              height="20"
-              fill="none"
-              stroke="currentColor"
-              stroke-width="2"
-              stroke-linecap="round"
-              aria-hidden="true"
-            >
-              <line x1="18" y1="6" x2="6" y2="18" />
-              <line x1="6" y1="6" x2="18" y2="18" />
-            </svg>
-          </button>
-        </div>
-        <p class="admin-modal__meta">
-          {{ messageModalOrder.plate }} ·
-          {{ shortOrderId(messageModalOrder.id) }}
-        </p>
-        <div class="admin-modal__body">
-          {{ messageModalOrder.letterText }}
-        </div>
-      </div>
-    </div>
   </div>
 </template>
 
-<style scoped>
+<style>
 .admin {
   max-width: 72rem;
   margin: var(--space-2xl) auto 0;
   padding: 0 var(--space-lg);
 }
 
+.admin__header {
+  display: flex;
+  flex-wrap: wrap;
+  align-items: center;
+  justify-content: space-between;
+  gap: var(--space-md);
+  margin-bottom: var(--space-xl);
+}
+
 .admin__title {
-  margin: 0 0 var(--space-xl) 0;
+  margin: 0;
   font-size: 1.5rem;
   color: var(--color-ink);
 }
 
+.admin__analytics-link {
+  font-size: 0.875rem;
+  font-weight: 600;
+  color: var(--color-primary);
+  text-decoration: underline;
+  text-underline-offset: 2px;
+}
+
+.admin__analytics-link:hover {
+  color: var(--color-primary-dark);
+}
+
 .admin__stats {
   display: grid;
   grid-template-columns: repeat(4, 1fr);
@@ -573,14 +274,16 @@ onUnmounted(() => {
   background: var(--color-surface);
   border: 1px solid var(--color-border);
   border-radius: var(--radius-lg);
-  overflow: hidden;
   box-shadow: var(--shadow-card);
   overflow-x: auto;
+  -webkit-overflow-scrolling: touch;
 }
 
 .admin__table {
   width: 100%;
-  border-collapse: collapse;
+  min-width: 60rem;
+  border-collapse: separate;
+  border-spacing: 0;
   font-size: 0.875rem;
 }
 
@@ -589,7 +292,7 @@ onUnmounted(() => {
 }
 
 .admin__table th {
-  padding: 0.75rem var(--space-md);
+  padding: 0.75rem 1rem;
   text-align: left;
   font-size: 0.75rem;
   font-weight: 600;
@@ -597,15 +300,88 @@ onUnmounted(() => {
   text-transform: uppercase;
   letter-spacing: 0.05em;
   border-bottom: 1px solid var(--color-border);
+  white-space: nowrap;
+}
+
+.admin__th-expand,
+.admin__expand-cell {
+  width: 2.75rem;
+  padding-left: 0.75rem;
+  padding-right: 0.25rem;
+}
+
+.admin__expand-cell {
+  text-align: center;
+  vertical-align: middle;
+}
+
+.admin__expand-icon {
+  display: inline-flex;
+  align-items: center;
+  justify-content: center;
+  width: 1.625rem;
+  height: 1.625rem;
+  border-radius: var(--radius-full);
+  background: var(--color-border-light);
+  color: var(--color-muted);
+  transition:
+    background var(--transition-fast),
+    color var(--transition-fast);
+}
+
+.admin__row:hover .admin__expand-icon {
+  background: var(--color-primary-soft);
+  color: var(--color-primary);
+}
+
+.admin__row--expanded .admin__expand-icon,
+.admin__expand-icon--open {
+  background: var(--color-primary);
+  color: #fff;
+}
+
+.admin__row--todo .admin__expand-icon:not(.admin__expand-icon--open) {
+  background: var(--color-primary-soft);
+  color: var(--color-primary);
+}
+
+.admin__th-date,
+.admin__td-date {
+  min-width: 6.5rem;
+}
+
+.admin__th-id,
+.admin__order-id {
+  min-width: 5.5rem;
+}
+
+.admin__th-email,
+.admin__email {
+  min-width: 11rem;
+  max-width: 16rem;
+}
+
+.admin__th-plate,
+.admin__plate {
+  min-width: 5rem;
+}
+
+.admin__th-message,
+.admin__message-cell {
+  min-width: 9.5rem;
+}
+
+.admin__th-status,
+.admin__status-cell {
+  min-width: 11rem;
 }
 
 .admin__row {
   cursor: pointer;
-  border-bottom: 1px solid var(--color-border-light);
   transition: background var(--transition-fast);
 }
 
-.admin__row:last-child {
+.admin__row:last-child td {
   border-bottom: none;
 }
 
@@ -622,14 +398,32 @@ onUnmounted(() => {
 }
 
 .admin__row td {
-  padding: 0.75rem var(--space-md);
+  padding: 0.75rem 1rem;
   color: var(--color-ink);
+  vertical-align: middle;
+  border-bottom: 1px solid var(--color-border-light);
+}
+
+.admin__email {
+  overflow: hidden;
+  text-overflow: ellipsis;
   white-space: nowrap;
+  font-size: 0.8125rem;
+  color: var(--color-muted);
 }
 
 .admin__plate {
   font-weight: 600;
   letter-spacing: 0.05em;
+  white-space: nowrap;
+}
+
+.admin__message-cell {
+  text-align: center;
+}
+
+.admin__status-cell {
+  white-space: nowrap;
 }
 
 .admin__status-select {
@@ -649,31 +443,6 @@ onUnmounted(() => {
   box-shadow: 0 0 0 2px var(--color-primary-ring);
 }
 
-.admin__chevron-cell {
-  text-align: center;
-  width: 2rem;
-}
-
-.admin__expand-btn {
-  background: none;
-  border: none;
-  color: var(--color-soft);
-  cursor: pointer;
-  padding: 0.25rem;
-  border-radius: var(--radius-sm);
-  display: inline-flex;
-  align-items: center;
-  justify-content: center;
-  transition:
-    color var(--transition-fast),
-    background var(--transition-fast);
-}
-
-.admin__expand-btn:hover {
-  color: var(--color-ink);
-  background: var(--color-border-light);
-}
-
 .admin__expanded-row td {
   padding: 0;
   background: var(--color-surface);
@@ -702,13 +471,6 @@ onUnmounted(() => {
   margin-bottom: var(--space-sm);
 }
 
-.admin__section-body {
-  font-size: 0.875rem;
-  color: var(--color-ink);
-  line-height: 1.6;
-  white-space: pre-wrap;
-}
-
 .admin__section-header {
   display: flex;
   justify-content: space-between;
@@ -756,6 +518,48 @@ onUnmounted(() => {
   margin-bottom: var(--space-md);
 }
 
+.admin__checklist {
+  margin: 0 0 var(--space-md);
+  padding-left: 1.25rem;
+  font-size: 0.875rem;
+  color: var(--color-ink-muted);
+}
+
+.admin__checklist li + li {
+  margin-top: var(--space-xs);
+}
+
+.admin__section-hint {
+  margin: var(--space-xs) 0 0;
+  font-size: 0.8125rem;
+  color: var(--color-ink-muted);
+}
+
+.admin__notify {
+  display: flex;
+  align-items: center;
+  gap: var(--space-sm);
+  margin-top: var(--space-sm);
+  font-size: 0.8125rem;
+  color: var(--color-ink-muted);
+  cursor: pointer;
+}
+
+.admin__notes-input {
+  width: 100%;
+  margin-top: var(--space-sm);
+  padding: 0.5rem 0.75rem;
+  border: 1px solid var(--color-border);
+  border-radius: var(--radius-sm);
+  font-size: 0.8125rem;
+  font-family: inherit;
+  resize: vertical;
+}
+
+.admin__notes-save {
+  margin-top: var(--space-sm);
+}
+
 .admin__tracking-error {
   margin-bottom: var(--space-sm);
   padding: var(--space-sm) var(--space-md);
@@ -842,5 +646,14 @@ onUnmounted(() => {
   .admin__stats {
     grid-template-columns: repeat(2, 1fr);
   }
+
+  .admin__table {
+    min-width: 62rem;
+  }
+
+  .admin__message-btn {
+    font-size: 0.75rem;
+    padding-inline: 0.5rem;
+  }
 }
 </style>

frontend/src/pages/ComposePage.vue

@@ -2,6 +2,7 @@
 import { ref, computed } from 'vue'
 import { useRouter, useRoute } from 'vue-router'
 import { createOrder } from '@/api/orders'
+import { isSessionExpired } from '@/api/client'
 import { type LetterTemplate } from '@/data/templates'
 import TemplatePicker from '@/components/TemplatePicker.vue'
 import { RouterLink } from 'vue-router'
@@ -41,8 +42,10 @@ async function handleSubmit() {
       params: { orderId: order.id },
       query: { plate: plate.value },
     })
-  } catch {
+  } catch (err) {
+    if (!isSessionExpired(err)) {
       errorMessage.value = 'Kunde inte skapa beställningen. Försök igen senare.'
+    }
   } finally {
     submitting.value = false
   }

frontend/src/pages/EditOrderPage.vue

@@ -2,6 +2,7 @@
 import { ref, computed, onMounted } from 'vue'
 import { useRouter, useRoute, RouterLink } from 'vue-router'
 import { fetchOrder, updateOrder, type Order } from '@/api/orders'
+import { isSessionExpired } from '@/api/client'
 import { type LetterTemplate } from '@/data/templates'
 import TemplatePicker from '@/components/TemplatePicker.vue'
 
@@ -44,8 +45,10 @@ async function loadOrder() {
     if (fetched.status === 'pending_payment') {
       letterText.value = fetched.letterText
     }
-  } catch {
+  } catch (err) {
+    if (!isSessionExpired(err)) {
       loadError.value = 'Kunde inte hämta beställningen. Försök igen senare.'
+    }
   } finally {
     loading.value = false
   }
@@ -64,8 +67,10 @@ async function handleSubmit() {
       params: { orderId: order.value.id },
       query: { plate: order.value.plate },
     })
-  } catch {
+  } catch (err) {
+    if (!isSessionExpired(err)) {
       errorMessage.value = 'Kunde inte spara ändringarna. Försök igen senare.'
+    }
   } finally {
     submitting.value = false
   }

frontend/src/pages/OrdersPage.vue

@@ -2,7 +2,12 @@
 import { ref, computed, onMounted } from 'vue'
 import { fetchOrders, cancelOrder, type Order } from '@/api/orders'
 import { fetchSwishInfo } from '@/api/payment'
+import { isSessionExpired } from '@/api/client'
 import { RouterLink } from 'vue-router'
+import {
+  ORDER_STATUS_BADGE,
+  ORDER_STATUS_LABELS,
+} from '@/constants/orderStatus'
 
 const ORDER_AMOUNT_FALLBACK = 49
 
@@ -42,26 +47,6 @@ const completedOrders = computed(() =>
   orders.value.filter((order) => order.status !== 'pending_payment'),
 )
 
-const statusLabels: Record<string, string> = {
-  pending_payment: 'Väntar på betalning',
-  paid: 'Betalad',
-  processing: 'Hanteras',
-  sent: 'Skickat',
-  delivered: 'Levererat',
-  failed: 'Misslyckad',
-  cancelled: 'Avbruten',
-}
-
-const statusBadge: Record<string, string> = {
-  pending_payment: 'badge--muted',
-  paid: 'badge--success',
-  processing: 'badge--primary',
-  sent: 'badge--success',
-  delivered: 'badge--success',
-  failed: 'badge--danger',
-  cancelled: 'badge--muted',
-}
-
 function formatDate(iso: string): string {
   return new Date(iso).toLocaleDateString('sv-SE', {
     year: 'numeric',
@@ -81,8 +66,10 @@ async function loadOrders() {
     ])
     orders.value = fetchedOrders
     orderAmount.value = swishInfo.amount
-  } catch {
+  } catch (err) {
+    if (!isSessionExpired(err)) {
       error.value = 'Kunde inte hämta beställningar. Försök igen senare.'
+    }
   } finally {
     loading.value = false
   }
@@ -103,8 +90,11 @@ async function handleCancel(order: Order) {
   try {
     const updated = await cancelOrder(order.id)
     orders.value = orders.value.map((o) => (o.id === updated.id ? updated : o))
-  } catch {
+  } catch (err) {
-    actionError.value = 'Kunde inte avbryta beställningen. Försök igen senare.'
+    if (!isSessionExpired(err)) {
+      actionError.value =
+        'Kunde inte avbryta beställningen. Försök igen senare.'
+    }
   } finally {
     cancellingId.value = null
   }
@@ -166,7 +156,7 @@ onMounted(loadOrders)
                   <span class="orders__plate-value">{{ order.plate }}</span>
                 </p>
                 <span class="badge badge--warning">
-                  {{ statusLabels[order.status] }}
+                  {{ ORDER_STATUS_LABELS[order.status] }}
                 </span>
               </div>
 
@@ -262,9 +252,9 @@ onMounted(loadOrders)
                 </p>
                 <span
                   class="badge"
-                  :class="statusBadge[order.status] || 'badge--muted'"
+                  :class="ORDER_STATUS_BADGE[order.status] || 'badge--muted'"
                 >
-                  {{ statusLabels[order.status] || order.status }}
+                  {{ ORDER_STATUS_LABELS[order.status] || order.status }}
                 </span>
               </div>
 

frontend/src/pages/PaymentRedirect.vue

@@ -1,7 +1,9 @@
 <script setup lang="ts">
-import { ref, onMounted } from 'vue'
+import { ref, computed, onMounted } from 'vue'
 import { useRouter, useRoute } from 'vue-router'
-import { payOrder, fetchSwishInfo } from '@/api/payment'
+import QRCode from 'qrcode'
+import { payOrder, fetchSwishInfo, buildSwishPaymentUrl } from '@/api/payment'
+import { isSessionExpired } from '@/api/client'
 
 const router = useRouter()
 const route = useRoute()
@@ -12,12 +14,27 @@ const swishAmount = ref(49)
 const paying = ref(false)
 const error = ref('')
 const showConfirmation = ref(false)
+const qrDataUrl = ref('')
+
+const swishPaymentUrl = computed(() =>
+  swishNumber.value
+    ? buildSwishPaymentUrl(swishNumber.value, swishAmount.value, orderId)
+    : '',
+)
 
 onMounted(async () => {
   try {
     const info = await fetchSwishInfo()
     swishNumber.value = info.number
     swishAmount.value = info.amount
+
+    if (swishPaymentUrl.value) {
+      qrDataUrl.value = await QRCode.toDataURL(swishPaymentUrl.value, {
+        width: 224,
+        margin: 2,
+        color: { dark: '#111827', light: '#ffffff' },
+      })
+    }
   } catch {
     error.value = 'Kunde inte ladda betalningsinformation. Försök igen senare.'
   }
@@ -38,8 +55,10 @@ async function confirmPayment() {
   try {
     await payOrder(orderId)
     await router.push({ name: 'orders' })
-  } catch {
+  } catch (err) {
+    if (!isSessionExpired(err)) {
       error.value = 'Kunde inte bekräfta betalningen. Försök igen.'
+    }
   } finally {
     paying.value = false
   }
@@ -75,21 +94,37 @@ async function confirmPayment() {
       </div>
 
       <template v-if="!showConfirmation">
+        <!-- QR code — scan with the Swish app (desktop users) -->
+        <div v-if="qrDataUrl" class="payment__qr">
+          <img :src="qrDataUrl" alt="Swish QR-kod" class="payment__qr-img" />
+          <p class="payment__qr-hint">
+            Skanna QR-koden med Swish-appen för att betala
+          </p>
+        </div>
+
+        <!-- Direct link — opens the Swish app (mobile users) -->
+        <a
+          v-if="swishPaymentUrl"
+          :href="swishPaymentUrl"
+          class="btn btn--primary btn--lg payment__swish-link"
+        >
+          Betala med Swish
+        </a>
+
+        <!-- Manual fallback -->
         <div class="payment__swish">
           <p class="payment__swish-label">Swisha till</p>
           <p class="payment__swish-number">{{ swishNumber }}</p>
           <p class="payment__swish-instruction">
-            Ange beställnings-ID ovan som meddelande i Swish-appen.
+            Belopp och beställnings-ID fylls i automatiskt via QR-kod eller
+            länk.
           </p>
           <p class="payment__swish-instruction">
-            Tryck sedan på knappen nedan för att bekräfta.
+            Betala manuellt om du inte har Swish-appen tillgänglig.
           </p>
         </div>
 
-        <button
+        <button class="btn btn--ghost payment__submit" @click="startPayment">
-          class="btn btn--primary btn--lg payment__submit"
-          @click="startPayment"
-        >
           Jag har betalat
         </button>
       </template>
@@ -198,6 +233,31 @@ async function confirmPayment() {
   color: var(--color-ink);
 }
 
+.payment__qr {
+  text-align: center;
+  margin-bottom: var(--space-lg);
+}
+
+.payment__qr-img {
+  width: 224px;
+  height: 224px;
+  border-radius: var(--radius-md);
+  margin: 0 auto var(--space-sm);
+}
+
+.payment__qr-hint {
+  font-size: 0.8125rem;
+  color: var(--color-muted);
+}
+
+.payment__swish-link {
+  display: block;
+  width: 100%;
+  text-align: center;
+  text-decoration: none;
+  margin-bottom: var(--space-lg);
+}
+
 .payment__swish {
   background: var(--color-border-light);
   border: 1px solid var(--color-border);

frontend/src/pages/PrivacyPolicyPage.vue

@@ -40,6 +40,15 @@ const sections = [
       'Vi säljer inte personuppgifter och visar inte mottagarens identitet eller adress för dig som avsändare.',
     ],
   },
+  {
+    id: 'webbanalys',
+    title: 'Webbstatistik',
+    paragraphs: [
+      'Vi använder självhostad webbanalys (Umami) på analytics.bilhej.se för att förstå hur webbplatsen används, till exempel vilka sidor som besöks och ungefärlig geografisk fördelning på landsnivå.',
+      'Analysen bygger på sidvisningar och teknisk information som webbläsaren skickar vid besök. Vi lagrar inte besökares IP-adresser i Bilhejs databas; Umami behandlar IP tillfälligt för att kunna visa land och tar inte emot personuppgifter som du skriver i brev eller konto.',
+      'Du kan begränsa spårning med webbläsarens spärrlistor eller “Do Not Track”. Kontakta oss om du har frågor om webbanalys.',
+    ],
+  },
   {
     id: 'lagring',
     title: 'Hur länge sparar vi uppgifterna?',

frontend/src/router/index.ts

@@ -148,9 +148,11 @@ router.beforeEach((to) => {
   if (!getActivePinia()) return
 
   const auth = useAuthStore()
+  const authenticated = auth.isAuthenticated && !auth.isTokenExpired()
 
-  if (to.meta.guestOnly && auth.isAuthenticated) return { name: 'home' }
+  if (to.meta.guestOnly && authenticated) return { name: 'home' }
-  if (to.meta.requiresAuth && !auth.isAuthenticated) {
+  if (to.meta.requiresAuth && !authenticated) {
+    if (auth.isAuthenticated) auth.logout()
     return { name: 'login', query: { redirect: to.fullPath } }
   }
   if (to.meta.requiresAdmin && !auth.isAdmin) return { name: 'home' }

frontend/src/stores/authStore.ts

@@ -1,7 +1,7 @@
 import { defineStore } from 'pinia'
 import { ref, computed } from 'vue'
 import { register, login, changeEmail, confirmEmailChange } from '@/api/auth'
-import { parseJwtPayload } from '@/utils/jwt'
+import { parseJwtPayload, isTokenExpired as isJwtExpired } from '@/utils/jwt'
 
 export const useAuthStore = defineStore('auth', () => {
   const token = ref<string | null>(localStorage.getItem('auth_token'))
@@ -21,6 +21,10 @@ export const useAuthStore = defineStore('auth', () => {
     return payload.role ?? null
   }
 
+  function isTokenExpired(): boolean {
+    return isJwtExpired(token.value)
+  }
+
   function setToken(newToken: string) {
     token.value = newToken
     role.value = extractRole(newToken)
@@ -69,6 +73,7 @@ export const useAuthStore = defineStore('auth', () => {
     email,
     isAuthenticated,
     isAdmin,
+    isTokenExpired,
     registerUser,
     loginUser,
     changeUserEmail,

frontend/src/utils/jwt.ts

@@ -20,3 +20,10 @@ export function parseJwtPayload(token: string): JwtPayload {
     return {}
   }
 }
+
+export function isTokenExpired(token: string | null): boolean {
+  if (!token) return true
+  const payload = parseJwtPayload(token)
+  if (payload.exp === undefined || payload.exp === null) return false
+  return payload.exp < Math.floor(Date.now() / 1000)
+}

frontend/src/utils/orderDisplay.ts

@@ -0,0 +1,11 @@
+export function shortOrderId(id: string): string {
+  return id.slice(0, 8)
+}
+
+export function formatOrderDate(iso: string): string {
+  return new Date(iso).toLocaleDateString('sv-SE', {
+    year: 'numeric',
+    month: 'short',
+    day: 'numeric',
+  })
+}

frontend/src/utils/umami.ts

@@ -0,0 +1,45 @@
+import type { Router } from 'vue-router'
+
+const DEFAULT_SCRIPT_URL = 'https://analytics.bilhej.se/script.js'
+
+export type UmamiConfig = {
+  websiteId: string
+  scriptUrl: string
+}
+
+export function getUmamiConfig(): UmamiConfig | null {
+  const websiteId = import.meta.env.VITE_UMAMI_WEBSITE_ID?.trim()
+  if (!websiteId) {
+    return null
+  }
+
+  const scriptUrl =
+    import.meta.env.VITE_UMAMI_SCRIPT_URL?.trim() || DEFAULT_SCRIPT_URL
+
+  return { websiteId, scriptUrl }
+}
+
+export function trackUmamiPageview(url: string): void {
+  window.umami?.track((props) => ({ ...props, url }))
+}
+
+export function initUmamiAnalytics(router: Router): void {
+  const config = getUmamiConfig()
+  if (!config) {
+    return
+  }
+
+  const script = document.createElement('script')
+  script.defer = true
+  script.src = config.scriptUrl
+  script.setAttribute('data-website-id', config.websiteId)
+  script.setAttribute('data-auto-track', 'false')
+  script.onload = () => {
+    trackUmamiPageview(router.currentRoute.value.fullPath)
+  }
+  document.head.appendChild(script)
+
+  router.afterEach((to) => {
+    trackUmamiPageview(to.fullPath)
+  })
+}

scripts/install-pre-commit-hook.sh

@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+# Symlinks scripts/pre-commit-check.sh into .git/hooks/pre-commit
+
+set -euo pipefail
+
+ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+HOOK="$ROOT/.git/hooks/pre-commit"
+CHECK="$ROOT/scripts/pre-commit-check.sh"
+
+chmod +x "$CHECK"
+ln -sf "../../scripts/pre-commit-check.sh" "$HOOK"
+chmod +x "$HOOK"
+
+echo "Installed pre-commit hook -> scripts/pre-commit-check.sh"
+echo "Every commit will run: ./gradlew check"

scripts/pre-commit-check.sh

@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+# Runs the same verification as CI before allowing a commit.
+# Install: ./scripts/install-pre-commit-hook.sh
+
+set -euo pipefail
+
+ROOT="$(git rev-parse --show-toplevel)"
+cd "$ROOT"
+
+export POSTGRES_DB="${POSTGRES_DB:-bilhej}"
+export POSTGRES_USER="${POSTGRES_USER:-bilhej}"
+export POSTGRES_PASSWORD="${POSTGRES_PASSWORD:-test_pw_ci_123}"
+export JWT_SECRET="${JWT_SECRET:-aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa}"
+export STRIPE_SECRET_KEY="${STRIPE_SECRET_KEY:-sk_test_fake}"
+export STRIPE_WEBHOOK_SECRET="${STRIPE_WEBHOOK_SECRET:-whsec_fake}"
+export STRIPE_PRICE_ID="${STRIPE_PRICE_ID:-price_fake}"
+
+echo "pre-commit: running ./gradlew check (lint + unit + E2E in Docker)..."
+./gradlew check --no-daemon
+echo "pre-commit: all checks passed."