feat: real-time sync, push notifications, multi-member accounts + security hardening

- **Partie 1 — WebSocket real-time sync**: Live updates across all 9 pages (tasks, shopping,
  calendar, budget, family, recipes, meal planning, planning, dashboard). Server-side broadcast
  utility (broadcaster.ts) + WebSocketContext with exponential backoff and heartbeat.

- **Partie 2 — Push notifications**: web-push VAPID integration, node-cron reminder scheduler
  (30min/1h before appointments), service worker (sw.js, injectManifest mode), useNotifications
  hook, NotificationBell component with unread badge and dropdown.

- **Partie 3 — Multi-member accounts**: Family invite system — owners generate a 64-char token
  link (/join?invite=TOKEN), new users register with it or existing users join via the Join page.
  JWT now carries { userId, ownerId } so all data queries transparently scope to the family owner.
  Family page shows shared accounts list, invite link generator, kick member (owner) and leave
  family (member) actions. DB migration adds family_owner_id and family_invites table.

- **Critical — SQL injection (dataTransfer.ts)**: Column names from import body now validated
  against SAFE_IDENTIFIER regex before use in queries.
- **High — WebSocket auth bypass (index.ts + WebSocketContext)**: Client now sends JWT token
  instead of plain userId; server verifies before registering the connection (4001 Unauthorized
  on failure).
- **Medium — Missing HTTP security headers (app.ts)**: Added helmet() (CSP, X-Frame-Options,
  HSTS, X-Content-Type-Options, Referrer-Policy, etc.).
- **Medium — No request size limit (app.ts)**: express.json() and urlencoded() capped at 1 MB
  to prevent DoS via oversized payloads.
- **Low — bcrypt cost factor 10 → 12 (auth.ts)**: Aligned with current OWASP recommendation.
- **Low — Silent DB password fallback (db.ts)**: Clear warning logged when POSTGRES_PASSWORD
  is not set instead of silently using the default.

- Proxmox LXC install script (scripts/proxmox-lxc-install.sh)
- Update script (scripts/update.sh)

Author: NexaFlowFrance

client/public/OpenFamily.png

@@ -12,6 +12,7 @@ import MealPlanning from './pages/MealPlanning';
 import Budget from './pages/Budget';
 import Family from './pages/Family';
 import Settings from './pages/Settings';
+import Join from './pages/Join';
 
 function App() {
     const { isAuthenticated, loading } = useAuth();
@@ -44,6 +45,7 @@ function App() {
                 <Route path="/budget" element={<Budget />} />
                 <Route path="/family" element={<Family />} />
                 <Route path="/settings" element={<Settings />} />
+                <Route path="/join" element={<Join />} />
                 <Route path="*" element={<Navigate to="/" replace />} />
             </Routes>
         </Layout>

client/public/apple-touch-icon.png

@@ -22,6 +22,7 @@ import {
 } from 'lucide-react';
 import { cn } from '../../lib/utils';
 import { Button } from '../ui/Button';
+import { NotificationBell } from '../ui/NotificationBell';
 
 interface LayoutProps {
     children: ReactNode;
@@ -103,9 +104,7 @@ const Layout: React.FC<LayoutProps> = ({ children }) => {
                 <div className="flex h-full flex-col">
                     <div className="flex h-20 items-center justify-between border-b border-border px-6">
                         <Link to="/" className="flex items-center gap-3" onClick={closeMenus}>
-                            <div className="flex h-9 w-9 items-center justify-center rounded-card bg-primary text-primary-foreground shadow-surface">
-                                <Users className="h-5 w-5" />
-                            </div>
+                            <img src="/OpenFamily.png" alt="OpenFamily" className="h-9 w-9 object-contain" />
                             <span className="text-lg font-semibold tracking-tight">OpenFamily</span>
                         </Link>
                         <button
@@ -207,28 +206,31 @@ const Layout: React.FC<LayoutProps> = ({ children }) => {
                             </div>
                         </div>
 
-                        <div className="hidden items-center gap-2 lg:flex">
-                            <Button
-                                variant="secondary"
-                                size="icon"
-                                onClick={toggleTheme}
-                                aria-label="Changer le theme"
-                            >
-                                {actualTheme === 'dark' ? (
-                                    <Sun className="h-4 w-4" />
-                                ) : (
-                                    <Moon className="h-4 w-4" />
-                                )}
-                            </Button>
-                            <Button
-                                variant="ghost"
-                                size="icon"
-                                onClick={logout}
-                                aria-label="Se deconnecter"
-                                className="text-destructive hover:bg-destructive/10 hover:text-destructive"
-                            >
-                                <LogOut className="h-4 w-4" />
-                            </Button>
+                        <div className="flex items-center gap-2">
+                            <NotificationBell />
+                            <div className="hidden items-center gap-2 lg:flex">
+                                <Button
+                                    variant="secondary"
+                                    size="icon"
+                                    onClick={toggleTheme}
+                                    aria-label="Changer le theme"
+                                >
+                                    {actualTheme === 'dark' ? (
+                                        <Sun className="h-4 w-4" />
+                                    ) : (
+                                        <Moon className="h-4 w-4" />
+                                    )}
+                                </Button>
+                                <Button
+                                    variant="ghost"
+                                    size="icon"
+                                    onClick={logout}
+                                    aria-label="Se deconnecter"
+                                    className="text-destructive hover:bg-destructive/10 hover:text-destructive"
+                                >
+                                    <LogOut className="h-4 w-4" />
+                                </Button>
+                            </div>
                         </div>
                     </div>
                 </header>

client/public/favicon-16x16.png

@@ -0,0 +1,140 @@
+import React, { useEffect, useRef, useState } from 'react';
+import { Bell, BellOff, CheckCheck } from 'lucide-react';
+import { Link } from 'react-router-dom';
+import { cn } from '../../lib/utils';
+import { useNotifications, AppNotification } from '../../hooks/useNotifications';
+import { Button } from './Button';
+
+function timeAgo(dateStr: string): string {
+    const diff = Date.now() - new Date(dateStr).getTime();
+    const minutes = Math.floor(diff / 60000);
+    if (minutes < 1) return 'à l\'instant';
+    if (minutes < 60) return `il y a ${minutes} min`;
+    const hours = Math.floor(minutes / 60);
+    if (hours < 24) return `il y a ${hours}h`;
+    return `il y a ${Math.floor(hours / 24)}j`;
+}
+
+export const NotificationBell: React.FC = () => {
+    const {
+        isSupported,
+        unreadCount,
+        notifications,
+        fetchNotifications,
+        markAsRead,
+        markAllAsRead,
+    } = useNotifications();
+
+    const [open, setOpen] = useState(false);
+    const ref = useRef<HTMLDivElement>(null);
+
+    // Close on outside click
+    useEffect(() => {
+        const handler = (e: MouseEvent) => {
+            if (ref.current && !ref.current.contains(e.target as Node)) {
+                setOpen(false);
+            }
+        };
+        document.addEventListener('mousedown', handler);
+        return () => document.removeEventListener('mousedown', handler);
+    }, []);
+
+    const handleOpen = () => {
+        setOpen((o) => {
+            if (!o) void fetchNotifications();
+            return !o;
+        });
+    };
+
+    const handleMarkAsRead = (n: AppNotification) => {
+        if (!n.is_read) void markAsRead(n.id);
+    };
+
+    if (!isSupported) return null;
+
+    return (
+        <div ref={ref} className="relative">
+            <Button
+                variant="secondary"
+                size="icon"
+                onClick={handleOpen}
+                aria-label="Notifications"
+                className="relative"
+            >
+                <Bell className="h-4 w-4" />
+                {unreadCount > 0 && (
+                    <span className="absolute -right-1 -top-1 flex h-4 min-w-[16px] items-center justify-center rounded-full bg-destructive px-1 text-[10px] font-bold text-destructive-foreground">
+                        {unreadCount > 99 ? '99+' : unreadCount}
+                    </span>
+                )}
+            </Button>
+
+            {open && (
+                <div className="absolute right-0 top-full z-50 mt-2 w-80 rounded-card border border-border bg-card shadow-surface-hover">
+                    {/* Header */}
+                    <div className="flex items-center justify-between border-b border-border px-4 py-3">
+                        <span className="text-caption font-semibold text-foreground">Notifications</span>
+                        {unreadCount > 0 && (
+                            <button
+                                type="button"
+                                onClick={() => void markAllAsRead()}
+                                className="flex items-center gap-1 text-micro text-primary hover:text-primary/80"
+                            >
+                                <CheckCheck className="h-3.5 w-3.5" />
+                                Tout marquer lu
+                            </button>
+                        )}
+                    </div>
+
+                    {/* Notification list */}
+                    <div className="max-h-80 overflow-y-auto">
+                        {notifications.length === 0 ? (
+                            <div className="flex flex-col items-center gap-2 px-4 py-8 text-center text-muted-foreground">
+                                <BellOff className="h-8 w-8 opacity-40" />
+                                <p className="text-micro">Aucune notification</p>
+                            </div>
+                        ) : (
+                            notifications.slice(0, 10).map((n) => (
+                                <button
+                                    key={n.id}
+                                    type="button"
+                                    onClick={() => handleMarkAsRead(n)}
+                                    className={cn(
+                                        'flex w-full items-start gap-3 px-4 py-3 text-left transition-colors hover:bg-surface-2',
+                                        !n.is_read && 'bg-primary-soft/30'
+                                    )}
+                                >
+                                    {!n.is_read && (
+                                        <span className="mt-1.5 h-2 w-2 shrink-0 rounded-full bg-primary" />
+                                    )}
+                                    <div className={cn('flex-1 min-w-0', n.is_read && 'ml-5')}>
+                                        <p className="truncate text-micro font-medium text-foreground">
+                                            {n.title}
+                                        </p>
+                                        <p className="mt-0.5 line-clamp-2 text-micro text-muted-foreground">
+                                            {n.message}
+                                        </p>
+                                        <p className="mt-1 text-micro text-muted-foreground/60">
+                                            {timeAgo(n.created_at)}
+                                        </p>
+                                    </div>
+                                </button>
+                            ))
+                        )}
+                    </div>
+
+                    {/* Footer */}
+                    <div className="border-t border-border px-4 py-2">
+                        <Link
+                            to="/settings"
+                            onClick={() => setOpen(false)}
+                            className="block text-center text-micro text-primary hover:text-primary/80"
+                        >
+                            Gérer les notifications →
+                        </Link>
+                    </div>
+                </div>
+            )}
+        </div>
+    );
+};

client/public/favicon-32x32.png

@@ -5,13 +5,16 @@ interface User {
     id: string;
     email: string;
     name: string;
+    is_owner?: boolean;
 }
 
 interface AuthContextType {
     user: User | null;
     loading: boolean;
     login: (email: string, password: string) => Promise<void>;
-    register: (email: string, password: string, name: string) => Promise<void>;
+    register: (email: string, password: string, name: string, inviteToken?: string) => Promise<void>;
+    joinFamily: (inviteToken: string) => Promise<void>;
+    leaveFamily: () => Promise<void>;
     logout: () => void;
     isAuthenticated: boolean;
 }
@@ -88,11 +91,26 @@ export const AuthProvider: React.FC<{ children: ReactNode }> = ({ children }) =>
         }
     };
 
-    const register = async (email: string, password: string, name: string) => {
-        const response = await api.register(email, password, name);
+    const register = async (email: string, password: string, name: string, inviteToken?: string) => {
+        const response = await api.register(email, password, name, inviteToken);
+        if (response.success && response.user) {
+            setUser(response.user);
+            localStorage.setItem('user', JSON.stringify(response.user));
+        }
+    };
+
+    const joinFamily = async (inviteToken: string) => {
+        const response = await api.joinFamily(inviteToken);
+        if (response.success && response.user) {
+            setUser(response.user);
+            localStorage.setItem('user', JSON.stringify(response.user));
+        }
+    };
+
+    const leaveFamily = async () => {
+        const response = await api.leaveFamily();
         if (response.success && response.user) {
             setUser(response.user);
-            // Also store in localStorage for persistence
             localStorage.setItem('user', JSON.stringify(response.user));
         }
     };
@@ -110,6 +128,8 @@ export const AuthProvider: React.FC<{ children: ReactNode }> = ({ children }) =>
                 loading,
                 login,
                 register,
+                joinFamily,
+                leaveFamily,
                 logout,
                 isAuthenticated: !!user,
             }}