fix(dev): Vite-API-Proxy, Auth, Stripe-Mails und Backend-Erweiterungen

- Client: API-Basis-URL (joinApiUrl, /v1-Falle), Vite strictPort + Proxy 127.0.0.1, Nicht-JSON-Fehler

- Server: /api-404 ohne Wildcard-Bug, SPA-Fallback, Auth-Middleware, Cron, Mailer, Crypto

- Routen: OAuth-State, Email/Stripe/Analytics; client/.env.example

Made-with: Cursor

.env.example

@@ -1,9 +1,16 @@
-# Appwrite Configuration
+# Appwrite Configuration (Express / node-appwrite)
 APPWRITE_ENDPOINT=https://cloud.appwrite.io/v1
 APPWRITE_PROJECT_ID=your_project_id_here
+
+# React (Vite): separate file client/.env — see client/.env.example (VITE_APPWRITE_*).
+# APPWRITE_ENDPOINT + APPWRITE_PROJECT_ID here must match the real Appwrite project (same IDs as in client/.env).
+# The Express server calls Appwrite directly, not through the Vite dev proxy (localhost:5173).
 APPWRITE_API_KEY=your_api_key_here
 APPWRITE_DATABASE_ID=your_database_id_here
 
+# Optional: JWT for automated API tests against protected routes (create via Appwrite client: account.createJWT)
+# APPWRITE_TEST_JWT=
+
 # Database Configuration (for bootstrap script)
 DB_ID=your_database_id_here
 DB_NAME=EmailSorter
@@ -23,6 +30,9 @@ PRODUCT_CURRENCY=eur
 # Stripe Configuration
 STRIPE_SECRET_KEY=sk_test_your_stripe_secret_key_here
 STRIPE_WEBHOOK_SECRET=whsec_your_webhook_secret_here
+# STRIPE_PRICE_BASIC=price_xxx
+# STRIPE_PRICE_PRO=price_xxx
+# STRIPE_PRICE_BUSINESS=price_xxx
 
 # Gitea Webhook (Deployment)
 # Secret für X-Gitea-Signature und optional Bearer-Header (gleicher Wert möglich)
@@ -33,3 +43,37 @@ GITEA_WEBHOOK_SECRET=your_webhook_secret_here
 # Server Configuration
 PORT=3000
 BASE_URL=http://localhost:3000
+FRONTEND_URL=http://localhost:5173
+# CORS_ORIGIN=http://localhost:5173
+
+# OAuth (optional; Gmail / Outlook)
+# GOOGLE_CLIENT_ID=
+# GOOGLE_CLIENT_SECRET=
+# GOOGLE_REDIRECT_URI=http://localhost:3000/api/oauth/gmail/callback
+# MICROSOFT_CLIENT_ID=
+# MICROSOFT_CLIENT_SECRET=
+# MICROSOFT_REDIRECT_URI=http://localhost:3000/api/oauth/outlook/callback
+
+# HMAC secret for OAuth state (recommended in production). If unset, state is unsigned JSON (dev only).
+# OAUTH_STATE_SECRET=
+
+# Mistral AI (email categorization)
+# MISTRAL_API_KEY=
+
+# IMAP credential encryption (64 hex chars = 32-byte AES key). If unset, IMAP passwords are stored plaintext.
+# Generate: openssl rand -hex 32
+# ENCRYPTION_KEY=
+
+# SMTP (Stripe lifecycle & system emails via nodemailer). If unset, emails are skipped (logged).
+# SMTP_HOST=smtp.example.com
+# SMTP_PORT=587
+# SMTP_SECURE=false
+# SMTP_USER=
+# SMTP_PASS=
+# SMTP_FROM=noreply@example.com
+
+# Admin emails (comma-separated): name-labels, /api/me isAdmin, unlimited sort, effective subscription = top tier (see TOP_SUBSCRIPTION_PLAN)
+# ADMIN_EMAILS=support@webklar.com
+
+# Highest tier id (must match a key in server stripe PLANS: basic | pro | business). Admin comped plan uses this.
+# TOP_SUBSCRIPTION_PLAN=business