diff --git a/_backups/admin.html.cc3_pre_unified_sidebar.1777935999 b/_backups/admin.html.cc3_pre_unified_sidebar.1777935999
new file mode 100644
index 0000000..5af5774
--- /dev/null
+++ b/_backups/admin.html.cc3_pre_unified_sidebar.1777935999
@@ -0,0 +1,761 @@
+<!DOCTYPE html>
+<html lang="hr">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width,initial-scale=1">
+<title>PGŽ Sport · Admin Dashboard</title>
+<link rel="icon" href="data:image/svg+xml,<svg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 32 32'><rect width='32' height='32' rx='6' fill='%2306080d'/><text x='16' y='23' text-anchor='middle' font-size='18' font-family='monospace' fill='%2300f0ff'>A</text></svg>">
+<link rel="preconnect" href="https://fonts.googleapis.com">
+<link href="https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600;700&family=JetBrains+Mono:wght@400;500;600&display=swap" rel="stylesheet">
+<style>
+:root {
+  --bg: #06080d;
+  --bg-2: #0d1117;
+  --bg-3: #161b22;
+  --border: #1f2937;
+  --text: #e6edf3;
+  --text-2: #8b949e;
+  --text-3: #6e7681;
+  --accent: #00f0ff;
+  --accent-2: #00b8d4;
+  --green: #56d364;
+  --yellow: #d29922;
+  --red: #f85149;
+  --purple: #bc8cff;
+}
+* { margin: 0; padding: 0; box-sizing: border-box; }
+body {
+  font-family: 'Inter', system-ui, sans-serif;
+  background: var(--bg);
+  color: var(--text);
+  min-height: 100vh;
+  font-size: 14px;
+  line-height: 1.5;
+}
+.app { display: grid; grid-template-columns: 240px 1fr; min-height: 100vh; }
+.sidebar {
+  background: var(--bg-2);
+  border-right: 1px solid var(--border);
+  padding: 20px 0;
+  display: flex; flex-direction: column;
+}
+.brand {
+  padding: 0 20px 20px;
+  border-bottom: 1px solid var(--border);
+  margin-bottom: 12px;
+}
+.brand h1 {
+  font-size: 16px; font-weight: 700; color: var(--accent);
+  font-family: 'JetBrains Mono', monospace;
+}
+.brand .sub { font-size: 11px; color: var(--text-3); margin-top: 2px; }
+.nav-item {
+  display: flex; align-items: center; gap: 10px;
+  padding: 10px 20px; cursor: pointer;
+  color: var(--text-2); font-size: 13px;
+  border-left: 3px solid transparent;
+  transition: all 0.15s;
+}
+.nav-item:hover { background: var(--bg-3); color: var(--text); }
+.nav-item.active {
+  color: var(--accent);
+  background: rgba(0,240,255,0.05);
+  border-left-color: var(--accent);
+}
+.nav-item .icon { font-size: 16px; width: 18px; }
+.tenant-switch {
+  margin: auto 12px 12px;
+  padding: 12px;
+  background: var(--bg-3);
+  border-radius: 6px;
+  border: 1px solid var(--border);
+}
+.tenant-switch label { font-size: 11px; color: var(--text-3); display: block; margin-bottom: 4px; }
+.tenant-switch select {
+  width: 100%;
+  background: var(--bg);
+  color: var(--text);
+  border: 1px solid var(--border);
+  padding: 6px 8px;
+  border-radius: 4px;
+  font-family: inherit;
+  font-size: 13px;
+}
+.main { padding: 20px 28px; overflow-y: auto; }
+.header {
+  display: flex; justify-content: space-between; align-items: center;
+  margin-bottom: 20px; padding-bottom: 16px;
+  border-bottom: 1px solid var(--border);
+}
+.header h2 { font-size: 22px; font-weight: 700; }
+.header .meta { color: var(--text-3); font-size: 12px; font-family: 'JetBrains Mono', monospace; }
+.kpi-grid {
+  display: grid; grid-template-columns: repeat(auto-fit, minmax(160px, 1fr));
+  gap: 12px; margin-bottom: 24px;
+}
+.kpi-card {
+  background: var(--bg-2); border: 1px solid var(--border);
+  border-radius: 8px; padding: 16px;
+  position: relative; overflow: hidden;
+}
+.kpi-card::before {
+  content: ''; position: absolute; top: 0; left: 0;
+  width: 3px; height: 100%; background: var(--accent);
+}
+.kpi-card.green::before { background: var(--green); }
+.kpi-card.yellow::before { background: var(--yellow); }
+.kpi-card.purple::before { background: var(--purple); }
+.kpi-label { font-size: 11px; color: var(--text-3); text-transform: uppercase; letter-spacing: 0.5px; }
+.kpi-value { font-size: 28px; font-weight: 700; color: var(--text); margin-top: 6px; font-family: 'JetBrains Mono', monospace; }
+.kpi-sub { font-size: 11px; color: var(--text-2); margin-top: 4px; }
+.section {
+  background: var(--bg-2); border: 1px solid var(--border);
+  border-radius: 8px; padding: 18px; margin-bottom: 18px;
+}
+.section h3 { font-size: 14px; font-weight: 600; margin-bottom: 12px; color: var(--accent); }
+table { width: 100%; border-collapse: collapse; font-size: 13px; }
+th { text-align: left; padding: 8px 10px; color: var(--text-3); font-size: 11px; text-transform: uppercase; letter-spacing: 0.5px; border-bottom: 1px solid var(--border); }
+td { padding: 10px; border-bottom: 1px solid var(--border); color: var(--text); }
+tr:hover { background: var(--bg-3); }
+td.num { font-family: 'JetBrains Mono', monospace; text-align: right; }
+.badge { display: inline-block; padding: 2px 8px; border-radius: 4px; font-size: 11px; font-weight: 600; }
+.badge.green { background: rgba(86,211,100,0.15); color: var(--green); }
+.badge.yellow { background: rgba(210,153,34,0.15); color: var(--yellow); }
+.badge.red { background: rgba(248,81,73,0.15); color: var(--red); }
+.badge.gray { background: rgba(110,118,129,0.15); color: var(--text-3); }
+.search {
+  width: 100%; max-width: 320px;
+  background: var(--bg); border: 1px solid var(--border);
+  padding: 8px 12px; border-radius: 6px;
+  color: var(--text); font-family: inherit; font-size: 13px;
+}
+.search:focus { outline: none; border-color: var(--accent); }
+.tab-content { display: none; }
+.tab-content.active { display: block; }
+.iframe-wrap {
+  background: var(--bg-2); border: 1px solid var(--border);
+  border-radius: 8px; overflow: hidden; height: 600px;
+}
+.iframe-wrap iframe { width: 100%; height: 100%; border: 0; }
+.spinner {
+  display: inline-block; width: 14px; height: 14px;
+  border: 2px solid var(--border); border-top-color: var(--accent);
+  border-radius: 50%; animation: spin 1s linear infinite;
+}
+@keyframes spin { to { transform: rotate(360deg); } }
+.tenants-grid {
+  display: grid; grid-template-columns: repeat(auto-fit, minmax(280px, 1fr));
+  gap: 14px;
+}
+.tenant-card {
+  background: var(--bg-2); border: 1px solid var(--border);
+  border-radius: 8px; padding: 18px;
+}
+.tenant-card .name { font-size: 16px; font-weight: 600; margin-bottom: 4px; }
+.tenant-card .slug { font-size: 11px; color: var(--text-3); font-family: 'JetBrains Mono', monospace; }
+.tenant-card .stats { margin-top: 12px; display: flex; gap: 16px; }
+.tenant-card .stats .stat { font-size: 12px; color: var(--text-2); }
+.tenant-card .stats .stat strong { color: var(--accent); display: block; font-size: 16px; font-family: 'JetBrains Mono', monospace; }
+@media (max-width: 768px) {
+  .app { grid-template-columns: 1fr; }
+  .sidebar { display: none; }
+}
+</style>
+</head>
+<body>
+<div class="app">
+
+  <aside class="sidebar">
+    <div class="brand">
+      <h1>PGŽ SPORT</h1>
+      <div class="sub">Admin Dashboard v1.1</div>
+    </div>
+
+    <div class="nav-item active" data-tab="dashboard">
+      <span class="icon">⊞</span>
+      <span>Dashboard</span>
+    </div>
+    <div class="nav-item" data-tab="erp">
+      <span class="icon">€</span>
+      <span>ERP — Financije</span>
+    </div>
+    <div class="nav-item" data-tab="crm">
+      <span class="icon">◯</span>
+      <span>CRM — Klubovi</span>
+    </div>
+    <div class="nav-item" data-tab="osobe">
+      <span class="icon">⊙</span>
+      <span>Kontakti</span>
+    </div>
+    <div class="nav-item" data-tab="graph3d">
+      <span class="icon">▣</span>
+      <span>3D Graf</span>
+    </div>
+    <div class="nav-item" data-tab="tenants">
+      <span class="icon">⌂</span>
+      <span>Tenants</span>
+    </div>
+    <div class="nav-item" data-tab="reports">
+      <span class="icon">≡</span>
+      <span>Reports</span>
+    </div>
+
+    <div class="tenant-switch">
+      <label>Aktivan tenant</label>
+      <select id="tenantSel"></select>
+    </div>
+  </aside>
+
+  <main class="main">
+    <div class="header">
+      <h2 id="pageTitle">Dashboard</h2>
+      <span class="meta" id="metaInfo">učitavam…</span>
+    </div>
+
+    <!-- DASHBOARD -->
+    <div class="tab-content active" id="tab-dashboard">
+      <div class="kpi-grid" id="kpiGrid"></div>
+      <div class="section">
+        <h3>Top Klubovi (po aktivnosti)</h3>
+        <table id="topKlubovi"><thead><tr><th>Naziv</th><th>Sport</th><th>Grad</th><th class="num">Članovi</th><th class="num">Računi</th></tr></thead><tbody></tbody></table>
+      </div>
+    </div>
+
+    <!-- ERP -->
+    <div class="tab-content" id="tab-erp">
+      <div class="kpi-grid" id="erpKpi"></div>
+
+      <!-- M5: OCR drag-and-drop upload -->
+      <div class="section">
+        <h3>📷 OCR — Skeniraj račun (gorivo, cestarina, hotel…)</h3>
+        <div id="ocrDrop" style="border:2px dashed var(--border);border-radius:8px;padding:30px;text-align:center;cursor:pointer;background:var(--bg-3);transition:.15s">
+          <div style="font-size:32px;color:var(--accent);margin-bottom:6px">⤓</div>
+          <div style="font-size:14px;font-weight:600">Povuci PDF/JPG/PNG ovdje ili klikni za odabir</div>
+          <div style="font-size:11px;color:var(--text-3);margin-top:6px">Tesseract OCR + Ri.NET AI Engine izvuče izdavatelja, OIB, datum, iznos, PDV, IBAN, stavke</div>
+          <input id="ocrFile" type="file" accept=".pdf,.jpg,.jpeg,.png,.tif,.tiff,.webp" style="display:none">
+        </div>
+        <div id="ocrStatus" style="margin-top:10px;font-size:12px;color:var(--text-2);min-height:18px"></div>
+        <div id="ocrResult" style="display:none;margin-top:14px;padding:14px;background:var(--bg-3);border-radius:6px;border:1px solid var(--border)">
+          <div style="display:grid;grid-template-columns:1fr 1fr;gap:10px;font-size:13px">
+            <div><label style="font-size:11px;color:var(--text-3)">Izdavatelj</label><input id="oc_vendor_name" class="search" style="max-width:none;width:100%"></div>
+            <div><label style="font-size:11px;color:var(--text-3)">OIB izdavatelja</label><input id="oc_vendor_oib" class="search" style="max-width:none;width:100%"></div>
+            <div><label style="font-size:11px;color:var(--text-3)">Broj računa</label><input id="oc_invoice_no" class="search" style="max-width:none;width:100%"></div>
+            <div><label style="font-size:11px;color:var(--text-3)">Datum</label><input id="oc_invoice_date" type="date" class="search" style="max-width:none;width:100%"></div>
+            <div><label style="font-size:11px;color:var(--text-3)">Iznos neto</label><input id="oc_amount_net" type="number" step="0.01" class="search" style="max-width:none;width:100%"></div>
+            <div><label style="font-size:11px;color:var(--text-3)">PDV</label><input id="oc_amount_vat" type="number" step="0.01" class="search" style="max-width:none;width:100%"></div>
+            <div><label style="font-size:11px;color:var(--text-3)">Brutto (UKUPNO)</label><input id="oc_amount_gross" type="number" step="0.01" class="search" style="max-width:none;width:100%;border-color:var(--accent)"></div>
+            <div><label style="font-size:11px;color:var(--text-3)">Stopa PDV (%)</label><input id="oc_vat_rate" type="number" step="0.01" class="search" style="max-width:none;width:100%"></div>
+            <div><label style="font-size:11px;color:var(--text-3)">IBAN</label><input id="oc_iban" class="search" style="max-width:none;width:100%"></div>
+            <div><label style="font-size:11px;color:var(--text-3)">Vrsta troška</label>
+              <select id="oc_kind" class="search" style="max-width:none;width:100%">
+                <option value="gorivo">Gorivo</option>
+                <option value="cestarina">Cestarina</option>
+                <option value="hotel">Hotel</option>
+                <option value="restoran">Restoran</option>
+                <option value="oprema">Oprema</option>
+                <option value="ostalo" selected>Ostalo</option>
+              </select>
+            </div>
+            <div><label style="font-size:11px;color:var(--text-3)">Klub</label>
+              <select id="oc_klub" class="search" style="max-width:none;width:100%"></select>
+            </div>
+            <div><label style="font-size:11px;color:var(--text-3)">Valuta</label>
+              <select id="oc_currency" class="search" style="max-width:none;width:100%"><option>EUR</option><option>HRK</option></select>
+            </div>
+          </div>
+          <div style="margin-top:10px"><label style="font-size:11px;color:var(--text-3)">Opis</label><input id="oc_description" class="search" style="max-width:none;width:100%"></div>
+          <details style="margin-top:10px"><summary style="cursor:pointer;font-size:12px;color:var(--text-3)">Sirovi OCR tekst (preview)</summary>
+            <pre id="oc_raw" style="font-size:11px;background:var(--bg);padding:10px;border-radius:4px;margin-top:6px;max-height:200px;overflow:auto;white-space:pre-wrap"></pre>
+          </details>
+          <div style="margin-top:14px;display:flex;gap:8px;align-items:center">
+            <button id="ocSave" style="padding:8px 18px;background:var(--accent);color:var(--bg);border:0;border-radius:4px;cursor:pointer;font-weight:600">💾 Spremi račun</button>
+            <button id="ocCancel" style="padding:8px 14px;background:var(--bg-3);color:var(--text);border:1px solid var(--border);border-radius:4px;cursor:pointer">Odustani</button>
+            <span id="ocSaveStatus" style="font-size:12px;color:var(--text-3)"></span>
+          </div>
+        </div>
+      </div>
+
+      <!-- M6: Putni nalozi creation form -->
+      <div class="section">
+        <h3>🚗 Novi putni nalog (HR pravilnik 2025)</h3>
+        <div style="display:grid;grid-template-columns:1fr 1fr 1fr;gap:10px;font-size:13px">
+          <div><label style="font-size:11px;color:var(--text-3)">Klub</label><select id="pn_klub" class="search" style="max-width:none;width:100%"></select></div>
+          <div><label style="font-size:11px;color:var(--text-3)">Voditelj</label><input id="pn_voditelj" class="search" style="max-width:none;width:100%" placeholder="Ime Prezime"></div>
+          <div><label style="font-size:11px;color:var(--text-3)">Putnici (zarezom razdvojeno)</label><input id="pn_putnici" class="search" style="max-width:none;width:100%"></div>
+          <div><label style="font-size:11px;color:var(--text-3)">Svrha</label><input id="pn_svrha" class="search" style="max-width:none;width:100%" placeholder="Natjecanje, treninzi…"></div>
+          <div><label style="font-size:11px;color:var(--text-3)">Od grada</label><input id="pn_od" class="search" style="max-width:none;width:100%" value="Rijeka"></div>
+          <div><label style="font-size:11px;color:var(--text-3)">Do grada</label><input id="pn_do" class="search" style="max-width:none;width:100%"></div>
+          <div><label style="font-size:11px;color:var(--text-3)">Polazak</label><input id="pn_from" type="datetime-local" class="search" style="max-width:none;width:100%"></div>
+          <div><label style="font-size:11px;color:var(--text-3)">Povratak</label><input id="pn_to" type="datetime-local" class="search" style="max-width:none;width:100%"></div>
+          <div><label style="font-size:11px;color:var(--text-3)">Zemlja</label><input id="pn_country" class="search" style="max-width:none;width:100%" value="Hrvatska"></div>
+          <div><label style="font-size:11px;color:var(--text-3)">Tip vozila</label>
+            <select id="pn_vehicle" class="search" style="max-width:none;width:100%">
+              <option>vlastiti automobil</option><option>službeno vozilo</option><option>kombi</option><option>autobus</option><option>vlak</option><option>avion</option>
+            </select>
+          </div>
+          <div><label style="font-size:11px;color:var(--text-3)">Registracija</label><input id="pn_plate" class="search" style="max-width:none;width:100%"></div>
+          <div><label style="font-size:11px;color:var(--text-3)">Kilometara</label><input id="pn_km" type="number" step="1" class="search" style="max-width:none;width:100%" value="0"></div>
+          <div><label style="font-size:11px;color:var(--text-3)">€/km</label><input id="pn_kmrate" type="number" step="0.01" class="search" style="max-width:none;width:100%" value="0.50"></div>
+        </div>
+        <div id="pn_preview" style="margin-top:14px;padding:12px;background:var(--bg-3);border-radius:6px;border:1px solid var(--border);font-size:13px;color:var(--text-2)">
+          Unesi datume za live obračun dnevnica…
+        </div>
+        <div style="margin-top:12px;display:flex;gap:8px">
+          <button id="pnSave" style="padding:8px 18px;background:var(--accent);color:var(--bg);border:0;border-radius:4px;cursor:pointer;font-weight:600">📝 Kreiraj putni nalog</button>
+          <span id="pnSaveStatus" style="font-size:12px;color:var(--text-3);align-self:center"></span>
+        </div>
+      </div>
+
+      <div class="section">
+        <h3>Računi</h3>
+        <table id="invTable"><thead><tr><th>Broj</th><th>Dobavljač</th><th>Klub</th><th class="num">Iznos</th><th>Status</th><th>Datum</th></tr></thead><tbody></tbody></table>
+      </div>
+      <div class="section">
+        <h3>Putni nalozi / izdaci</h3>
+        <table id="expTable"><thead><tr><th>Broj</th><th>Klub</th><th>Destinacija</th><th class="num">Iznos</th><th>Status</th><th>Datum</th></tr></thead><tbody></tbody></table>
+      </div>
+    </div>
+
+    <!-- CRM klubovi -->
+    <div class="tab-content" id="tab-crm">
+      <input type="text" class="search" id="klubSearch" placeholder="Traži klub po imenu, OIB-u, gradu, sportu...">
+      <div class="section" style="margin-top: 14px;">
+        <h3>Klubovi</h3>
+        <table id="klubTable"><thead><tr><th>Naziv</th><th>OIB</th><th>Sport</th><th>Grad</th><th>Email</th><th class="num">Članovi</th><th class="num">Računi</th></tr></thead><tbody></tbody></table>
+      </div>
+    </div>
+
+    <!-- Osobe -->
+    <div class="tab-content" id="tab-osobe">
+      <input type="text" class="search" id="osobaSearch" placeholder="Traži po imenu, prezimenu, OIB-u...">
+      <div class="section" style="margin-top: 14px;">
+        <h3>Kontakti / Članovi</h3>
+        <table id="osobeTable"><thead><tr><th>Ime</th><th>Prezime</th><th>OIB</th><th>Klub</th><th>Pozicija</th><th>Email</th><th>Status</th></tr></thead><tbody></tbody></table>
+      </div>
+    </div>
+
+    <!-- 3D Graph -->
+    <div class="tab-content" id="tab-graph3d">
+      <div class="section">
+        <h3>3D Sport Graph</h3>
+        <p style="color: var(--text-3); margin-bottom: 12px;">Interaktivni 3D prikaz svih klubova, saveza i osoba s drill-down na detalje.</p>
+        <div class="iframe-wrap">
+          <iframe id="graph3dIframe" loading="lazy"></iframe>
+        </div>
+      </div>
+    </div>
+
+    <!-- Tenants -->
+    <div class="tab-content" id="tab-tenants">
+      <div class="section">
+        <h3>Multi-tenant Management</h3>
+        <p style="color: var(--text-3); margin-bottom: 16px;">Tenants u sustavu. Svaki tenant ima vlastiti scope klubova, financija i konfiguracije.</p>
+        <div class="tenants-grid" id="tenantsGrid"></div>
+      </div>
+    </div>
+
+    <!-- Reports -->
+    <div class="tab-content" id="tab-reports">
+      <div class="section">
+        <h3>Top 10 Klubova (po dokumentima i računima)</h3>
+        <table id="repTable"><thead><tr><th>Naziv</th><th>Sport</th><th>Grad</th><th class="num">Računi</th><th class="num">Članovi</th></tr></thead><tbody></tbody></table>
+      </div>
+    </div>
+
+  </main>
+</div>
+
+<script>
+const API = '/admin/api';
+let currentTenant = 1;
+let dashboardData = null;
+let tenantsList = [];
+
+const $ = sel => document.querySelector(sel);
+const $$ = sel => document.querySelectorAll(sel);
+
+async function fetchJSON(url) {
+  try {
+    const r = await fetch(url);
+    if (!r.ok) throw new Error(r.status);
+    return await r.json();
+  } catch (e) { console.error('Fetch fail:', url, e); return null; }
+}
+
+function fmt(n) {
+  if (n == null) return '—';
+  if (typeof n !== 'number') return n;
+  return new Intl.NumberFormat('hr-HR').format(n);
+}
+function fmtEur(n) { return n != null ? '€' + fmt(Math.round(n)) : '—'; }
+function fmtDate(d) { return d ? d.substring(0, 10) : '—'; }
+
+function badge(text, color) { return '<span class="badge ' + color + '">' + (text || '—') + '</span>'; }
+
+function statusBadge(s) {
+  if (!s) return badge('—', 'gray');
+  const s2 = s.toLowerCase();
+  if (['paid', 'approved', 'active', 'completed'].includes(s2)) return badge(s, 'green');
+  if (['pending', 'submitted', 'draft', 'open'].includes(s2)) return badge(s, 'yellow');
+  if (['overdue', 'rejected', 'cancelled', 'failed'].includes(s2)) return badge(s, 'red');
+  return badge(s, 'gray');
+}
+
+async function loadDashboard() {
+  const d = await fetchJSON(`${API}/dashboard?tenant_id=${currentTenant}`);
+  if (!d) return;
+  dashboardData = d;
+  
+  const k = d.kpi;
+  $('#kpiGrid').innerHTML = `
+    <div class="kpi-card"><div class="kpi-label">Klubovi</div><div class="kpi-value">${fmt(k.klubovi_total)}</div><div class="kpi-sub">${fmt(k.klubovi_aktivni_90d)} aktivnih /90d</div></div>
+    <div class="kpi-card green"><div class="kpi-label">Osobe</div><div class="kpi-value">${fmt(k.osobe)}</div><div class="kpi-sub">članovi i kontakti</div></div>
+    <div class="kpi-card yellow"><div class="kpi-label">Računi</div><div class="kpi-value">${fmt(k.invoices)}</div><div class="kpi-sub">${fmtEur(k.invoices_total_eur)}</div></div>
+    <div class="kpi-card purple"><div class="kpi-label">Putni nalozi</div><div class="kpi-value">${fmt(k.expenses)}</div><div class="kpi-sub">${fmtEur(k.expenses_total_eur)}</div></div>
+    <div class="kpi-card"><div class="kpi-label">Aktivnost</div><div class="kpi-value">${fmt(k.activity_30d)}</div><div class="kpi-sub">audit eventova /30d</div></div>
+    <div class="kpi-card green"><div class="kpi-label">Dokumenti</div><div class="kpi-value">${fmt(k.dokumenti_7d)}</div><div class="kpi-sub">novih /7d</div></div>
+  `;
+  
+  // Top klubovi
+  const top = await fetchJSON(`${API}/reports/top_klubovi?tenant_id=${currentTenant}&limit=8`);
+  if (top && top.top_klubovi) {
+    $('#topKlubovi tbody').innerHTML = top.top_klubovi.map(k => `
+      <tr><td>${k.naziv}</td><td>${k.sport || '—'}</td><td>${k.grad || '—'}</td>
+        <td class="num">${fmt(k.clanovi)}</td><td class="num">${fmt(k.invoices)}</td></tr>
+    `).join('');
+  }
+  
+  $('#metaInfo').textContent = `Tenant: ${d.tenant.display_name} · OIB: ${d.tenant.oib || '—'} · ${new Date().toLocaleString('hr-HR')}`;
+}
+
+async function loadERP() {
+  const s = await fetchJSON(`${API}/erp/summary?tenant_id=${currentTenant}`);
+  if (s) {
+    $('#erpKpi').innerHTML = `
+      <div class="kpi-card"><div class="kpi-label">Računi total</div><div class="kpi-value">${fmt(s.invoices.total)}</div><div class="kpi-sub">${fmtEur(s.invoices.sum_total)}</div></div>
+      <div class="kpi-card green"><div class="kpi-label">Plaćeno</div><div class="kpi-value">${fmt(s.invoices.paid)}</div><div class="kpi-sub">${fmtEur(s.invoices.sum_paid)}</div></div>
+      <div class="kpi-card yellow"><div class="kpi-label">Neplaćeno</div><div class="kpi-value">${fmt(s.invoices.pending + s.invoices.overdue + (s.invoices.other||0))}</div><div class="kpi-sub">${fmtEur(s.invoices.sum_unpaid)}</div></div>
+      <div class="kpi-card purple"><div class="kpi-label">Putni nalozi</div><div class="kpi-value">${fmt(s.expenses.total)}</div><div class="kpi-sub">${fmtEur(s.expenses.sum_total)}</div></div>
+      <div class="kpi-card"><div class="kpi-label">Plaćanja /90d</div><div class="kpi-value">${fmt(s.payments_90d.total)}</div><div class="kpi-sub">${fmtEur(s.payments_90d.sum_total)}</div></div>
+      <div class="kpi-card green"><div class="kpi-label">Proračun</div><div class="kpi-value">${fmtEur(s.proracun.sum_planirano)}</div><div class="kpi-sub">${s.proracun.n} godina · izvršeno: ${fmtEur(s.proracun.sum_izvrseno)}</div></div>
+    `;
+  }
+  
+  const inv = await fetchJSON(`${API}/erp/invoices?tenant_id=${currentTenant}&limit=20`);
+  if (inv && inv.invoices) {
+    $('#invTable tbody').innerHTML = inv.invoices.length ? inv.invoices.map(i => `
+      <tr><td>${i.invoice_no || '—'}</td><td>${i.vendor_name || '—'}</td>
+        <td>${i.klub_naziv || '—'}</td><td class="num">${fmtEur(i.amount_gross)}</td>
+        <td>${statusBadge(i.payment_status)}</td><td>${fmtDate(i.invoice_date)}</td></tr>
+    `).join('') : '<tr><td colspan="6" style="color:var(--text-3);text-align:center;padding:20px">Nema podataka</td></tr>';
+  }
+  
+  const exp = await fetchJSON(`${API}/erp/expenses?tenant_id=${currentTenant}&limit=20`);
+  if (exp && exp.expenses) {
+    $('#expTable tbody').innerHTML = exp.expenses.length ? exp.expenses.map(e => `
+      <tr><td>${e.report_no || '—'}</td><td>${e.klub_naziv || '—'}</td>
+        <td>${e.destination || '—'}</td><td class="num">${fmtEur(e.cost_total)}</td>
+        <td>${statusBadge(e.status)}</td><td>${fmtDate(e.created_at)}</td></tr>
+    `).join('') : '<tr><td colspan="6" style="color:var(--text-3);text-align:center;padding:20px">Nema podataka</td></tr>';
+  }
+}
+
+async function loadCRM(q='') {
+  const url = `${API}/crm/klubovi?tenant_id=${currentTenant}&limit=50${q ? '&q=' + encodeURIComponent(q) : ''}`;
+  const d = await fetchJSON(url);
+  if (d && d.klubovi) {
+    $('#klubTable tbody').innerHTML = d.klubovi.map(k => `
+      <tr><td><strong>${k.naziv}</strong></td><td>${k.oib || '—'}</td>
+        <td>${k.sport || '—'}</td><td>${k.grad || '—'}</td>
+        <td>${k.email || '—'}</td><td class="num">${fmt(k.clanovi)}</td>
+        <td class="num">${fmt(k.invoices_count)}</td></tr>
+    `).join('');
+  }
+}
+
+async function loadOsobe(q='') {
+  const url = `${API}/crm/osobe?limit=50${q ? '&q=' + encodeURIComponent(q) : ''}`;
+  const d = await fetchJSON(url);
+  if (d && d.osobe) {
+    $('#osobeTable tbody').innerHTML = d.osobe.map(o => `
+      <tr><td>${o.ime}</td><td><strong>${o.prezime}</strong></td>
+        <td>${o.oib || '—'}</td><td>${o.klub_naziv || '—'}</td>
+        <td>${o.pozicija || '—'}</td><td>${o.email || '—'}</td>
+        <td>${o.aktivan ? badge('Aktivan', 'green') : badge('Neaktivan', 'gray')}</td></tr>
+    `).join('');
+  }
+}
+
+async function loadTenants() {
+  const d = await fetchJSON(`${API}/tenants`);
+  if (d && d.tenants) {
+    $('#tenantsGrid').innerHTML = d.tenants.map(t => `
+      <div class="tenant-card">
+        <div class="name">${t.display_name}</div>
+        <div class="slug">@${t.slug} · ${t.type} · ${t.oib || 'no OIB'}</div>
+        <div class="stats">
+          <div class="stat"><strong>${fmt(t.klubovi_count || 0)}</strong>klubovi</div>
+          <div class="stat"><strong>${statusBadge(t.status).match(/>([^<]+)</)[1]}</strong>status</div>
+        </div>
+      </div>
+    `).join('');
+  }
+}
+
+async function loadReports() {
+  const d = await fetchJSON(`${API}/reports/top_klubovi?tenant_id=${currentTenant}&limit=20`);
+  if (d && d.top_klubovi) {
+    $('#repTable tbody').innerHTML = d.top_klubovi.map(k => `
+      <tr><td>${k.naziv}</td><td>${k.sport || '—'}</td><td>${k.grad || '—'}</td>
+        <td class="num">${fmt(k.invoices)}</td><td class="num">${fmt(k.clanovi)}</td></tr>
+    `).join('');
+  }
+}
+
+function load3D() {
+  const f = $('#graph3dIframe');
+  if (!f.src) f.src = '/3d';
+}
+
+async function loadTenantSelector() {
+  const d = await fetchJSON(`${API}/tenants`);
+  if (d && d.tenants) {
+    tenantsList = d.tenants;
+    $('#tenantSel').innerHTML = d.tenants.map(t =>
+      `<option value="${t.id}" ${t.id === currentTenant ? 'selected' : ''}>${t.display_name}</option>`
+    ).join('');
+  }
+}
+
+function activateTab(name) {
+  $$('.nav-item').forEach(n => n.classList.toggle('active', n.dataset.tab === name));
+  $$('.tab-content').forEach(c => c.classList.toggle('active', c.id === 'tab-' + name));
+  
+  const titles = {
+    dashboard: 'Dashboard',
+    erp: 'ERP — Financije',
+    crm: 'CRM — Klubovi',
+    osobe: 'Kontakti',
+    graph3d: '3D Graf',
+    tenants: 'Multi-tenant',
+    reports: 'Reports'
+  };
+  $('#pageTitle').textContent = titles[name] || name;
+  
+  if (name === 'dashboard') loadDashboard();
+  if (name === 'erp') loadERP();
+  if (name === 'crm') loadCRM();
+  if (name === 'osobe') loadOsobe();
+  if (name === 'graph3d') load3D();
+  if (name === 'tenants') loadTenants();
+  if (name === 'reports') loadReports();
+}
+
+// === M5: OCR upload (drag-and-drop) ===
+const ERP_API = '/api/erp';
+
+async function ocrLoadKlubSelectors() {
+  const sels = [document.getElementById('oc_klub'), document.getElementById('pn_klub')].filter(Boolean);
+  if (!sels.length) return;
+  // Use main API for klubovi list (admin-scoped)
+  const d = await fetch(`/api/klubovi?limit=400`).then(r => r.json()).catch(() => null);
+  if (!d) return;
+  const arr = Array.isArray(d) ? d : (d.rows || d.items || []);
+  const opts = '<option value="">— odaberi klub —</option>' + arr.map(k => `<option value="${k.id}">${k.naziv}</option>`).join('');
+  sels.forEach(s => { if (s) s.innerHTML = opts; });
+}
+
+let ocrParsed = null;
+let ocrUploadId = null;
+
+function ocrSetStatus(msg, color) {
+  const el = document.getElementById('ocrStatus');
+  if (el) { el.textContent = msg || ''; el.style.color = color || 'var(--text-2)'; }
+}
+
+async function ocrHandleFile(file) {
+  if (!file) return;
+  ocrSetStatus('⏳ Učitavam datoteku…', 'var(--yellow)');
+  const klubVal = document.getElementById('oc_klub')?.value || '';
+  const fd = new FormData();
+  fd.append('file', file);
+  if (klubVal) fd.append('klub_id', klubVal);
+  fd.append('tenant_id', currentTenant || 1);
+  fd.append('invoice_kind', document.getElementById('oc_kind')?.value || 'ostalo');
+  let r = await fetch(`${ERP_API}/ocr/upload`, {method: 'POST', body: fd});
+  if (!r.ok) { ocrSetStatus('❌ Upload pao: ' + r.status, 'var(--red)'); return; }
+  const j = await r.json();
+  ocrUploadId = j.upload_id;
+  ocrSetStatus(`✓ Uploaded (id=${ocrUploadId}, ${j.size} B). Pokrećem OCR + LLM ekstrakciju…`, 'var(--accent)');
+
+  const fd2 = new FormData();
+  fd2.append('upload_id', ocrUploadId);
+  fd2.append('use_llm', 'true');
+  r = await fetch(`${ERP_API}/ocr/parse`, {method: 'POST', body: fd2});
+  if (!r.ok) { ocrSetStatus('❌ Parse pao: ' + r.status, 'var(--red)'); return; }
+  const p = await r.json();
+  if (!p.ok) { ocrSetStatus('❌ ' + (p.error || 'Parse fail'), 'var(--red)'); return; }
+  ocrParsed = p.extracted || {};
+  document.getElementById('oc_vendor_name').value  = ocrParsed.vendor_name  || '';
+  document.getElementById('oc_vendor_oib').value   = ocrParsed.vendor_oib   || '';
+  document.getElementById('oc_invoice_no').value   = ocrParsed.invoice_no   || '';
+  document.getElementById('oc_invoice_date').value = ocrParsed.invoice_date || '';
+  document.getElementById('oc_amount_net').value   = ocrParsed.amount_net   ?? '';
+  document.getElementById('oc_amount_vat').value   = ocrParsed.amount_vat   ?? '';
+  document.getElementById('oc_amount_gross').value = ocrParsed.amount_gross ?? '';
+  document.getElementById('oc_vat_rate').value     = ocrParsed.vat_rate     ?? '';
+  document.getElementById('oc_iban').value         = ocrParsed.iban         || '';
+  document.getElementById('oc_kind').value         = ocrParsed.category     || 'ostalo';
+  document.getElementById('oc_currency').value     = ocrParsed.currency     || 'EUR';
+  document.getElementById('oc_description').value  = ocrParsed.description  || '';
+  document.getElementById('oc_raw').textContent    = (p.raw_text_preview || '').slice(0, 4000);
+  document.getElementById('ocrResult').style.display = 'block';
+  ocrSetStatus(`✓ OCR ${p.ocr_method} (${p.raw_chars} znakova). Provjeri polja i klikni "Spremi račun".`, 'var(--green)');
+}
+
+function ocrInitDrop() {
+  const drop = document.getElementById('ocrDrop');
+  const inp = document.getElementById('ocrFile');
+  if (!drop || !inp) return;
+  drop.addEventListener('click', () => inp.click());
+  inp.addEventListener('change', e => { if (e.target.files[0]) ocrHandleFile(e.target.files[0]); });
+  ['dragenter','dragover'].forEach(ev => drop.addEventListener(ev, e => { e.preventDefault(); drop.style.borderColor = 'var(--accent)'; }));
+  ['dragleave','drop'].forEach(ev => drop.addEventListener(ev, e => { e.preventDefault(); drop.style.borderColor = 'var(--border)'; }));
+  drop.addEventListener('drop', e => { e.preventDefault(); const f = e.dataTransfer.files[0]; if (f) ocrHandleFile(f); });
+  document.getElementById('ocCancel')?.addEventListener('click', () => {
+    document.getElementById('ocrResult').style.display = 'none';
+    ocrParsed = null; ocrUploadId = null; ocrSetStatus('');
+    inp.value = '';
+  });
+  document.getElementById('ocSave')?.addEventListener('click', async () => {
+    const klub = document.getElementById('oc_klub').value;
+    if (!klub) { document.getElementById('ocSaveStatus').textContent = 'Odaberi klub'; return; }
+    const body = {
+      klub_id: parseInt(klub),
+      tenant_id: currentTenant || 1,
+      upload_id: ocrUploadId,
+      invoice_kind: document.getElementById('oc_kind').value || 'ostalo',
+      invoice_no: document.getElementById('oc_invoice_no').value,
+      vendor_name: document.getElementById('oc_vendor_name').value,
+      vendor_oib: document.getElementById('oc_vendor_oib').value,
+      invoice_date: document.getElementById('oc_invoice_date').value,
+      amount_net: parseFloat(document.getElementById('oc_amount_net').value) || null,
+      amount_vat: parseFloat(document.getElementById('oc_amount_vat').value) || null,
+      amount_gross: parseFloat(document.getElementById('oc_amount_gross').value),
+      vat_rate: parseFloat(document.getElementById('oc_vat_rate').value) || null,
+      iban_to: document.getElementById('oc_iban').value || null,
+      currency: document.getElementById('oc_currency').value || 'EUR',
+      category: document.getElementById('oc_kind').value || 'ostalo',
+      description: document.getElementById('oc_description').value || null,
+    };
+    document.getElementById('ocSaveStatus').textContent = '⏳ Spremam…';
+    const r = await fetch(`${ERP_API}/invoices`, {method: 'POST', headers: {'Content-Type': 'application/json'}, body: JSON.stringify(body)});
+    const j = await r.json();
+    if (j.ok) {
+      document.getElementById('ocSaveStatus').textContent = `✓ Spremljen kao #${j.invoice.id}`;
+      document.getElementById('ocSaveStatus').style.color = 'var(--green)';
+      setTimeout(() => { document.getElementById('ocrResult').style.display = 'none'; loadERP(); }, 1500);
+    } else {
+      document.getElementById('ocSaveStatus').textContent = '❌ ' + (j.detail || 'Greška');
+      document.getElementById('ocSaveStatus').style.color = 'var(--red)';
+    }
+  });
+}
+
+// === M6: Putni nalog form with live dnevnice preview ===
+let pnPreviewTimer = null;
+async function pnRefreshPreview() {
+  const df = document.getElementById('pn_from')?.value;
+  const dt = document.getElementById('pn_to')?.value;
+  const country = document.getElementById('pn_country')?.value || 'Hrvatska';
+  const km = parseFloat(document.getElementById('pn_km')?.value || 0);
+  const km_rate = parseFloat(document.getElementById('pn_kmrate')?.value || 0.5);
+  const tgt = document.getElementById('pn_preview');
+  if (!df || !dt) { if (tgt) tgt.textContent = 'Unesi datume za live obračun dnevnica…'; return; }
+  const url = `${ERP_API}/putni-nalog/dnevnice/preview?date_from=${encodeURIComponent(df)}&date_to=${encodeURIComponent(dt)}&country=${encodeURIComponent(country)}&km=${km}&km_rate=${km_rate}`;
+  const r = await fetch(url).then(r => r.json()).catch(() => null);
+  if (!r || !r.ok) { tgt.textContent = '⚠ Neuspješan obračun'; return; }
+  const d = r.preview;
+  tgt.innerHTML = `
+    <div style="display:grid;grid-template-columns:repeat(4,1fr);gap:14px">
+      <div><div style="color:var(--text-3);font-size:11px">Sati</div><div style="font-size:18px;font-family:'JetBrains Mono'">${d.hours}h</div></div>
+      <div><div style="color:var(--text-3);font-size:11px">Pune dnevnice</div><div style="font-size:18px;color:var(--accent);font-family:'JetBrains Mono'">${d.days_full} × €${d.rate_full}</div></div>
+      <div><div style="color:var(--text-3);font-size:11px">Pola dnevnica</div><div style="font-size:18px;color:var(--yellow);font-family:'JetBrains Mono'">${d.days_half} × €${d.rate_half}</div></div>
+      <div><div style="color:var(--text-3);font-size:11px">Dnevnice ukupno</div><div style="font-size:18px;color:var(--green);font-family:'JetBrains Mono'">€${d.dnevnica_amount_total}</div></div>
+      <div><div style="color:var(--text-3);font-size:11px">Kilometara</div><div style="font-size:18px;font-family:'JetBrains Mono'">${d.km_driven} km</div></div>
+      <div><div style="color:var(--text-3);font-size:11px">Kilometrina</div><div style="font-size:18px;font-family:'JetBrains Mono'">€${d.km_amount}</div></div>
+      <div><div style="color:var(--text-3);font-size:11px">Zemlja</div><div style="font-size:14px;font-family:'JetBrains Mono'">${d.country}</div></div>
+      <div><div style="color:var(--text-3);font-size:11px">PROCJENA UKUPNO</div><div style="font-size:22px;color:var(--accent);font-family:'JetBrains Mono';font-weight:700">€${d.total_estimated}</div></div>
+    </div>`;
+}
+
+function pnInit() {
+  ['pn_from','pn_to','pn_country','pn_km','pn_kmrate'].forEach(id => {
+    const el = document.getElementById(id);
+    if (el) el.addEventListener('input', () => {
+      clearTimeout(pnPreviewTimer);
+      pnPreviewTimer = setTimeout(pnRefreshPreview, 250);
+    });
+  });
+  document.getElementById('pnSave')?.addEventListener('click', async () => {
+    const klub = document.getElementById('pn_klub').value;
+    if (!klub) { document.getElementById('pnSaveStatus').textContent = 'Odaberi klub'; return; }
+    const body = {
+      klub_id: parseInt(klub),
+      tenant_id: currentTenant || 1,
+      voditelj_ime: document.getElementById('pn_voditelj').value,
+      putnici: (document.getElementById('pn_putnici').value || '').split(',').map(s => s.trim()).filter(Boolean),
+      svrha: document.getElementById('pn_svrha').value,
+      od_grada: document.getElementById('pn_od').value,
+      do_grada: document.getElementById('pn_do').value,
+      datum_polaska: document.getElementById('pn_from').value,
+      datum_povratka: document.getElementById('pn_to').value,
+      country: document.getElementById('pn_country').value,
+      vehicle_type: document.getElementById('pn_vehicle').value,
+      registracija_vozila: document.getElementById('pn_plate').value,
+      kilometara: parseFloat(document.getElementById('pn_km').value) || 0,
+      km_rate: parseFloat(document.getElementById('pn_kmrate').value) || 0.5,
+    };
+    document.getElementById('pnSaveStatus').textContent = '⏳ Spremam…';
+    const r = await fetch(`${ERP_API}/putni-nalog`, {method: 'POST', headers: {'Content-Type': 'application/json'}, body: JSON.stringify(body)});
+    const j = await r.json();
+    if (j.ok) {
+      const pn = j.putni_nalog;
+      document.getElementById('pnSaveStatus').innerHTML = `✓ Putni nalog #${pn.id} kreiran (€${pn.cost_total})`;
+      document.getElementById('pnSaveStatus').style.color = 'var(--green)';
+      loadERP();
+    } else {
+      document.getElementById('pnSaveStatus').textContent = '❌ ' + (j.detail || 'Greška');
+      document.getElementById('pnSaveStatus').style.color = 'var(--red)';
+    }
+  });
+}
+
+ocrInitDrop();
+pnInit();
+ocrLoadKlubSelectors();
+
+// Init
+$$('.nav-item').forEach(n => n.addEventListener('click', () => activateTab(n.dataset.tab)));
+
+let searchTimeout;
+$('#klubSearch').addEventListener('input', e => {
+  clearTimeout(searchTimeout);
+  searchTimeout = setTimeout(() => loadCRM(e.target.value), 300);
+});
+$('#osobaSearch').addEventListener('input', e => {
+  clearTimeout(searchTimeout);
+  searchTimeout = setTimeout(() => loadOsobe(e.target.value), 300);
+});
+$('#tenantSel').addEventListener('change', e => {
+  currentTenant = parseInt(e.target.value);
+  activateTab($('.nav-item.active').dataset.tab);
+});
+
+(async () => {
+  await loadTenantSelector();
+  await loadDashboard();
+})();
+</script>
+</body>
+</html>
diff --git a/_backups/admin_users.py.r5_pre.1777937123 b/_backups/admin_users.py.r5_pre.1777937123
new file mode 100644
index 0000000..e5a4119
--- /dev/null
+++ b/_backups/admin_users.py.r5_pre.1777937123
@@ -0,0 +1,446 @@
+#!/usr/bin/env python3
+# admin_users.py — /api/admin/users CRUD endpoints
+# v1.0 dradulic@outlook.com / damir@rinet.one — 2026-05-04
+"""
+GET    /api/admin/users?tenant_type=&tenant_id=&q=
+POST   /api/admin/users
+PUT    /api/admin/users/{id}
+DELETE /api/admin/users/{id}
+POST   /api/admin/users/{id}/invite
+POST   /api/admin/users/{id}/role
+POST   /api/admin/users/{id}/suspend
+GET    /api/admin/audit?user_id=&action=&limit=
+GET    /api/admin/tenants
+POST   /api/admin/users/bulk-csv
+"""
+import csv, io, secrets, json
+from typing import Optional, List, Dict, Any
+from datetime import datetime
+from fastapi import APIRouter, HTTPException, Depends, Request, Body, UploadFile, File
+from pydantic import BaseModel
+
+from .auth_v2 import (
+    db_query, db_one, db_exec, hash_password,
+    require_user, audit, _client,
+    _resolve_tenant, _tier_for,
+    PGZ_USER_TYPES, SAVEZ_USER_TYPES, KLUB_USER_TYPES,
+)
+
+router = APIRouter(prefix="/api/admin", tags=["admin"])
+
+VALID_USER_TYPES = (PGZ_USER_TYPES | SAVEZ_USER_TYPES | KLUB_USER_TYPES |
+                    {"viewer", "guest"})
+
+# ─────────────────────────── Permission helpers ───────────────────────────
+def _is_pgz_admin(u: Dict) -> bool:
+    return (u.get("user_type") or "").lower() in ("super_admin", "pgz_admin")
+
+def _is_savez_admin(u: Dict) -> bool:
+    return (u.get("user_type") or "").lower() == "savez_admin"
+
+def _is_klub_admin(u: Dict) -> bool:
+    return (u.get("user_type") or "").lower() == "klub_admin"
+
+def _can_manage(actor: Dict, target_user_type: str,
+                target_klub_id: Optional[int], target_savez_id: Optional[int]) -> bool:
+    """Hierarchical management:
+       - super_admin / pgz_admin → manage everyone
+       - savez_admin             → manage savez_*, klub_admin in their savez
+       - klub_admin              → manage klub_user/klub_trener/klub_clan in their klub
+    """
+    if _is_pgz_admin(actor): return True
+    tut = (target_user_type or "").lower()
+    if _is_savez_admin(actor):
+        if tut in PGZ_USER_TYPES: return False
+        if tut in SAVEZ_USER_TYPES and (target_savez_id == actor.get("savez_id")): return True
+        if tut == "klub_admin" and target_savez_id and target_savez_id == actor.get("savez_id"):
+            return True
+        # any klub user that belongs to this savez
+        if tut in KLUB_USER_TYPES and target_savez_id == actor.get("savez_id"):
+            return True
+        return False
+    if _is_klub_admin(actor):
+        if tut not in {"klub_user", "klub_trener", "klub_clan", "viewer"}:
+            return False
+        return target_klub_id and target_klub_id == actor.get("klub_id")
+    return False
+
+def _scoped_where(actor: Dict) -> tuple:
+    """Filter user list by actor's scope."""
+    if _is_pgz_admin(actor): return ("", [])
+    if _is_savez_admin(actor):
+        sid = actor.get("savez_id")
+        if not sid: return ("AND 1=0", [])
+        return ("AND (u.savez_id=%s OR u.klub_id IN (SELECT id FROM pgz_sport.klubovi WHERE savez_id=%s))",
+                [sid, sid])
+    if _is_klub_admin(actor):
+        kid = actor.get("klub_id")
+        if not kid: return ("AND 1=0", [])
+        return ("AND u.klub_id=%s", [kid])
+    return ("AND u.id=%s", [actor["id"]])
+
+# ─────────────────────────── List / read ───────────────────────────
+@router.get("/users")
+def list_users(
+    q: Optional[str] = None,
+    user_type: Optional[str] = None,
+    tenant_type: Optional[str] = None,
+    tenant_id: Optional[int] = None,
+    klub_id: Optional[int] = None,
+    savez_id: Optional[int] = None,
+    aktivan: Optional[bool] = None,
+    limit: int = 100,
+    offset: int = 0,
+    actor = Depends(require_user),
+):
+    if not (_is_pgz_admin(actor) or _is_savez_admin(actor) or _is_klub_admin(actor)):
+        raise HTTPException(403, "Forbidden — admin required")
+    where = ["1=1"]; args: List[Any] = []
+    sw, sp = _scoped_where(actor)
+    if sw: where.append(sw.replace("AND ", "")); args.extend(sp)
+    if q:
+        where.append("(LOWER(u.email) LIKE %s OR LOWER(u.full_name) LIKE %s OR LOWER(COALESCE(u.ime,'')) LIKE %s OR LOWER(COALESCE(u.prezime,'')) LIKE %s)")
+        like = f"%{q.lower()}%"; args.extend([like]*4)
+    if user_type: where.append("u.user_type=%s"); args.append(user_type)
+    if klub_id:   where.append("u.klub_id=%s");   args.append(klub_id)
+    if savez_id:  where.append("u.savez_id=%s");  args.append(savez_id)
+    if aktivan is not None: where.append("u.aktivan=%s"); args.append(aktivan)
+    if tenant_type and tenant_id is not None:
+        if tenant_type == "klub":  where.append("u.klub_id=%s");  args.append(tenant_id)
+        elif tenant_type == "savez": where.append("u.savez_id=%s"); args.append(tenant_id)
+    base_args = list(args)
+    args.extend([limit, offset])
+    rows = db_query(f"""SELECT u.id, u.email, u.full_name, u.ime, u.prezime, u.user_type,
+            u.klub_id, u.savez_id, u.aktivan, u.status, u.must_change_pwd,
+            u.last_login, u.locked_until, u.failed_login_count, u.telefon,
+            u.created_at, u.gdpr_consent_at,
+            k.naziv AS klub_naziv, s.naziv AS savez_naziv
+        FROM pgz_sport.users u
+        LEFT JOIN pgz_sport.klubovi k ON k.id=u.klub_id
+        LEFT JOIN pgz_sport.savezi  s ON s.id=u.savez_id
+        WHERE {' AND '.join(where)}
+        ORDER BY u.id DESC LIMIT %s OFFSET %s""", tuple(args))
+    total = db_one(f"SELECT COUNT(*) AS c FROM pgz_sport.users u WHERE {' AND '.join(where)}",
+                   tuple(base_args))["c"]
+    return {"count": len(rows), "total": total, "results": rows}
+
+@router.get("/users/{uid}")
+def get_user(uid: int, actor = Depends(require_user)):
+    u = db_one("""SELECT u.*, k.naziv AS klub_naziv, s.naziv AS savez_naziv
+        FROM pgz_sport.users u
+        LEFT JOIN pgz_sport.klubovi k ON k.id=u.klub_id
+        LEFT JOIN pgz_sport.savezi  s ON s.id=u.savez_id
+        WHERE u.id=%s""", (uid,))
+    if not u: raise HTTPException(404, "User not found")
+    if not (_is_pgz_admin(actor) or
+            _can_manage(actor, u.get("user_type"), u.get("klub_id"), u.get("savez_id")) or
+            actor["id"] == uid):
+        raise HTTPException(403, "Forbidden")
+    # Strip sensitive
+    u.pop("password_hash", None)
+    u.pop("two_factor_secret", None)
+    return u
+
+# ─────────────────────────── Create ───────────────────────────
+class CreateUserReq(BaseModel):
+    email: str
+    full_name: Optional[str] = None
+    ime: Optional[str] = None
+    prezime: Optional[str] = None
+    user_type: str = "klub_user"
+    klub_id: Optional[int] = None
+    savez_id: Optional[int] = None
+    telefon: Optional[str] = None
+    oib: Optional[str] = None
+    password: Optional[str] = None  # if absent → temp pwd + must_change
+
+@router.post("/users")
+def create_user(req: CreateUserReq, request: Request, actor = Depends(require_user)):
+    if req.user_type not in VALID_USER_TYPES:
+        raise HTTPException(400, f"Invalid user_type: {req.user_type}")
+    if not _can_manage(actor, req.user_type, req.klub_id, req.savez_id):
+        raise HTTPException(403, "Forbidden — out of management scope")
+    full_name = req.full_name or ((req.ime or "") + " " + (req.prezime or "")).strip() or req.email
+    pwd = req.password or ("PGZ-" + secrets.token_hex(4))
+    must_change = not bool(req.password)
+    try:
+        new_id = db_one("""INSERT INTO pgz_sport.users
+            (email, password_hash, full_name, ime, prezime, user_type, klub_id, savez_id,
+             telefon, oib, must_change_pwd, aktivan, status, auth_provider)
+            VALUES (%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,true,'active','local')
+            RETURNING id""",
+            (req.email.lower().strip(), hash_password(pwd), full_name,
+             req.ime, req.prezime, req.user_type, req.klub_id, req.savez_id,
+             req.telefon, req.oib, must_change))["id"]
+    except Exception as e:
+        if "duplicate" in str(e).lower() or "unique" in str(e).lower():
+            raise HTTPException(409, f"Email već postoji: {req.email}")
+        raise HTTPException(400, str(e))
+    ip, ua = _client(request)
+    audit(actor["id"], "user.create", "user", new_id,
+          {"email": req.email, "user_type": req.user_type,
+           "klub_id": req.klub_id, "savez_id": req.savez_id}, ip, ua)
+    return {"id": new_id, "email": req.email, "user_type": req.user_type,
+            "must_change_pwd": must_change,
+            "temporary_password": pwd if must_change else None}
+
+# ─────────────────────────── Update ───────────────────────────
+class UpdateUserReq(BaseModel):
+    full_name: Optional[str] = None
+    ime: Optional[str] = None
+    prezime: Optional[str] = None
+    user_type: Optional[str] = None
+    klub_id: Optional[int] = None
+    savez_id: Optional[int] = None
+    telefon: Optional[str] = None
+    oib: Optional[str] = None
+    aktivan: Optional[bool] = None
+
+@router.put("/users/{uid}")
+def update_user(uid: int, req: UpdateUserReq, request: Request,
+                actor = Depends(require_user)):
+    target = db_one("SELECT user_type, klub_id, savez_id FROM pgz_sport.users WHERE id=%s",
+                    (uid,))
+    if not target: raise HTTPException(404, "User not found")
+    if not _can_manage(actor, target["user_type"], target["klub_id"], target["savez_id"]):
+        raise HTTPException(403, "Forbidden")
+    fields, args = [], []
+    for f in ["full_name","ime","prezime","user_type","klub_id","savez_id","telefon","oib","aktivan"]:
+        v = getattr(req, f)
+        if v is not None:
+            if f == "user_type" and v not in VALID_USER_TYPES:
+                raise HTTPException(400, f"Invalid user_type: {v}")
+            fields.append(f"{f}=%s"); args.append(v)
+    if not fields:
+        return {"status": "nothing_to_update"}
+    fields.append("updated_at=now()")
+    args.append(uid)
+    db_exec(f"UPDATE pgz_sport.users SET {', '.join(fields)} WHERE id=%s", tuple(args))
+    ip, ua = _client(request)
+    audit(actor["id"], "user.update", "user", uid,
+          req.dict(exclude_none=True), ip, ua)
+    return {"status": "ok", "id": uid}
+
+# ─────────────────────────── Delete (soft) ───────────────────────────
+@router.delete("/users/{uid}")
+def delete_user(uid: int, request: Request, actor = Depends(require_user)):
+    if uid == actor["id"]:
+        raise HTTPException(400, "Ne možete obrisati svoj račun")
+    target = db_one("SELECT user_type, klub_id, savez_id, email FROM pgz_sport.users WHERE id=%s",
+                    (uid,))
+    if not target: raise HTTPException(404, "User not found")
+    if not _can_manage(actor, target["user_type"], target["klub_id"], target["savez_id"]):
+        raise HTTPException(403, "Forbidden")
+    db_exec("""UPDATE pgz_sport.users SET aktivan=false, status='deleted',
+               updated_at=now() WHERE id=%s""", (uid,))
+    db_exec("UPDATE pgz_sport.user_sessions SET revoked=true WHERE user_id=%s", (uid,))
+    ip, ua = _client(request)
+    audit(actor["id"], "user.delete", "user", uid, {"email": target["email"]}, ip, ua)
+    return {"status": "ok", "id": uid}
+
+# ─────────────────────────── Invite ───────────────────────────
+class InviteReq(BaseModel):
+    send_email: bool = False  # placeholder — wired to mailer in M11
+    note: Optional[str] = None
+
+@router.post("/users/{uid}/invite")
+def invite_user(uid: int, req: InviteReq, request: Request,
+                actor = Depends(require_user)):
+    target = db_one("SELECT email, user_type, klub_id, savez_id FROM pgz_sport.users WHERE id=%s",
+                    (uid,))
+    if not target: raise HTTPException(404, "User not found")
+    if not _can_manage(actor, target["user_type"], target["klub_id"], target["savez_id"]):
+        raise HTTPException(403, "Forbidden")
+    new_temp = "PGZ-" + secrets.token_hex(4)
+    db_exec("""UPDATE pgz_sport.users
+               SET password_hash=%s, must_change_pwd=true,
+                   failed_login_count=0, locked_until=NULL, updated_at=now()
+               WHERE id=%s""", (hash_password(new_temp), uid))
+    db_exec("UPDATE pgz_sport.user_sessions SET revoked=true WHERE user_id=%s", (uid,))
+    ip, ua = _client(request)
+    audit(actor["id"], "user.invite", "user", uid,
+          {"email": target["email"], "send_email": req.send_email}, ip, ua)
+    invite_link = f"https://api.rinet.one/sport/login?email={target['email']}"
+    return {"status": "ok", "id": uid,
+            "temporary_password": new_temp,
+            "invite_link": invite_link,
+            "email_sent": False}  # mailer wired later
+
+# ─────────────────────────── Role change ───────────────────────────
+class RoleReq(BaseModel):
+    user_type: str
+
+@router.post("/users/{uid}/role")
+def change_role(uid: int, req: RoleReq, request: Request,
+                actor = Depends(require_user)):
+    if not _is_pgz_admin(actor):
+        raise HTTPException(403, "Samo PGŽ admin može mijenjati role")
+    if req.user_type not in VALID_USER_TYPES:
+        raise HTTPException(400, f"Invalid user_type: {req.user_type}")
+    target = db_one("SELECT user_type FROM pgz_sport.users WHERE id=%s", (uid,))
+    if not target: raise HTTPException(404, "User not found")
+    db_exec("UPDATE pgz_sport.users SET user_type=%s, updated_at=now() WHERE id=%s",
+            (req.user_type, uid))
+    ip, ua = _client(request)
+    audit(actor["id"], "user.role.change", "user", uid,
+          {"from": target["user_type"], "to": req.user_type}, ip, ua)
+    return {"status": "ok", "id": uid, "user_type": req.user_type}
+
+# ─────────────────────────── Suspend / unsuspend ───────────────────────────
+class SuspendReq(BaseModel):
+    reason: Optional[str] = None
+    minutes: Optional[int] = None  # null → indefinite
+
+@router.post("/users/{uid}/suspend")
+def suspend_user(uid: int, req: SuspendReq, request: Request,
+                 actor = Depends(require_user)):
+    target = db_one("SELECT user_type, klub_id, savez_id FROM pgz_sport.users WHERE id=%s",
+                    (uid,))
+    if not target: raise HTTPException(404, "User not found")
+    if not _can_manage(actor, target["user_type"], target["klub_id"], target["savez_id"]):
+        raise HTTPException(403, "Forbidden")
+    if req.minutes:
+        db_exec("""UPDATE pgz_sport.users
+                   SET locked_until = now() + (interval '1 minute' * %s),
+                       updated_at = now() WHERE id=%s""", (req.minutes, uid))
+    else:
+        db_exec("UPDATE pgz_sport.users SET aktivan=false, updated_at=now() WHERE id=%s",
+                (uid,))
+    db_exec("UPDATE pgz_sport.user_sessions SET revoked=true WHERE user_id=%s", (uid,))
+    ip, ua = _client(request)
+    audit(actor["id"], "user.suspend", "user", uid,
+          {"reason": req.reason, "minutes": req.minutes}, ip, ua)
+    return {"status": "ok", "id": uid}
+
+@router.post("/users/{uid}/unsuspend")
+def unsuspend_user(uid: int, request: Request, actor = Depends(require_user)):
+    target = db_one("SELECT user_type, klub_id, savez_id FROM pgz_sport.users WHERE id=%s",
+                    (uid,))
+    if not target: raise HTTPException(404, "User not found")
+    if not _can_manage(actor, target["user_type"], target["klub_id"], target["savez_id"]):
+        raise HTTPException(403, "Forbidden")
+    db_exec("""UPDATE pgz_sport.users
+               SET aktivan=true, locked_until=NULL, failed_login_count=0,
+                   updated_at=now() WHERE id=%s""", (uid,))
+    ip, ua = _client(request)
+    audit(actor["id"], "user.unsuspend", "user", uid, None, ip, ua)
+    return {"status": "ok", "id": uid}
+
+# ─────────────────────────── Reset password (admin) ───────────────────────────
+@router.post("/users/{uid}/reset-password")
+def admin_reset_password(uid: int, request: Request, actor = Depends(require_user)):
+    target = db_one("SELECT user_type, klub_id, savez_id, email FROM pgz_sport.users WHERE id=%s",
+                    (uid,))
+    if not target: raise HTTPException(404, "User not found")
+    if not _can_manage(actor, target["user_type"], target["klub_id"], target["savez_id"]):
+        raise HTTPException(403, "Forbidden")
+    new_temp = "PGZ-" + secrets.token_hex(4)
+    db_exec("""UPDATE pgz_sport.users
+               SET password_hash=%s, must_change_pwd=true,
+                   failed_login_count=0, locked_until=NULL, updated_at=now()
+               WHERE id=%s""", (hash_password(new_temp), uid))
+    db_exec("UPDATE pgz_sport.user_sessions SET revoked=true WHERE user_id=%s", (uid,))
+    ip, ua = _client(request)
+    audit(actor["id"], "user.password.reset", "user", uid,
+          {"email": target["email"]}, ip, ua)
+    return {"status": "ok", "temporary_password": new_temp}
+
+# ─────────────────────────── Audit log ───────────────────────────
+@router.get("/audit")
+def audit_log(user_id: Optional[int] = None,
+              action: Optional[str] = None,
+              resource_type: Optional[str] = None,
+              limit: int = 100,
+              offset: int = 0,
+              actor = Depends(require_user)):
+    if not _is_pgz_admin(actor):
+        # savez/klub admins see only their scope
+        if not (_is_savez_admin(actor) or _is_klub_admin(actor)):
+            raise HTTPException(403, "Forbidden")
+    where = ["1=1"]; args: List[Any] = []
+    if user_id:       where.append("a.user_id=%s"); args.append(user_id)
+    if action:        where.append("a.action LIKE %s"); args.append(f"%{action}%")
+    if resource_type: where.append("a.resource_type=%s"); args.append(resource_type)
+    if not _is_pgz_admin(actor):
+        # restrict to own user's actions or resources within scope
+        if _is_savez_admin(actor):
+            where.append("(a.user_id IN (SELECT id FROM pgz_sport.users WHERE savez_id=%s OR klub_id IN (SELECT id FROM pgz_sport.klubovi WHERE savez_id=%s)))")
+            args.extend([actor.get("savez_id"), actor.get("savez_id")])
+        elif _is_klub_admin(actor):
+            where.append("(a.user_id IN (SELECT id FROM pgz_sport.users WHERE klub_id=%s))")
+            args.append(actor.get("klub_id"))
+    args.extend([limit, offset])
+    rows = db_query(f"""SELECT a.id, a.action, a.resource_type, a.resource_id,
+            a.user_id, a.ts AS created_at, a.meta, a.ip_address, a.user_agent,
+            u.email AS actor_email, u.full_name AS actor_name
+        FROM pgz_sport.audit_events a
+        LEFT JOIN pgz_sport.users u ON u.id=a.user_id
+        WHERE {' AND '.join(where)}
+        ORDER BY a.id DESC LIMIT %s OFFSET %s""", tuple(args))
+    return {"count": len(rows), "results": rows}
+
+# ─────────────────────────── Tenants list ───────────────────────────
+@router.get("/tenants")
+def list_tenants(actor = Depends(require_user)):
+    """Combined view: tenants table + savezi + klubovi."""
+    tenants = db_query("""SELECT id, slug, display_name, type, status, oib, created_at
+        FROM pgz_sport.tenants ORDER BY id""")
+    if _is_pgz_admin(actor):
+        savezi  = db_query("""SELECT id, naziv, sport, oib, predsjednik, tajnik
+            FROM pgz_sport.savezi WHERE aktivan=true ORDER BY naziv LIMIT 200""")
+        klubovi = db_query("""SELECT id, naziv, sport, grad, oib, savez_id
+            FROM pgz_sport.klubovi WHERE aktivan=true ORDER BY naziv LIMIT 500""")
+    elif _is_savez_admin(actor):
+        sid = actor.get("savez_id")
+        savezi = db_query("""SELECT id, naziv, sport, oib, predsjednik, tajnik
+            FROM pgz_sport.savezi WHERE id=%s""", (sid,))
+        klubovi = db_query("""SELECT id, naziv, sport, grad, oib, savez_id
+            FROM pgz_sport.klubovi WHERE savez_id=%s AND aktivan=true ORDER BY naziv""", (sid,))
+    else:
+        kid = actor.get("klub_id")
+        savezi = []
+        klubovi = db_query("""SELECT id, naziv, sport, grad, oib, savez_id
+            FROM pgz_sport.klubovi WHERE id=%s""", (kid,))
+    return {"tenants": tenants, "savezi": savezi, "klubovi": klubovi}
+
+# ─────────────────────────── Bulk CSV import ───────────────────────────
+@router.post("/users/bulk-csv")
+async def bulk_csv(file: UploadFile = File(...),
+                   default_user_type: str = "klub_clan",
+                   default_klub_id: Optional[int] = None,
+                   default_savez_id: Optional[int] = None,
+                   request: Request = None,
+                   actor = Depends(require_user)):
+    """CSV columns (header required): email,ime,prezime,user_type,klub_id,savez_id,telefon,oib"""
+    if not _is_pgz_admin(actor):
+        raise HTTPException(403, "Samo PGŽ admin može masovno uvoziti")
+    raw = (await file.read()).decode("utf-8", errors="replace")
+    rdr = csv.DictReader(io.StringIO(raw))
+    created, skipped, errors = 0, 0, []
+    for i, row in enumerate(rdr, 1):
+        email = (row.get("email") or "").lower().strip()
+        if not email:
+            skipped += 1; continue
+        try:
+            ut = row.get("user_type") or default_user_type
+            if ut not in VALID_USER_TYPES:
+                errors.append(f"row {i}: invalid user_type {ut}"); skipped += 1; continue
+            kid = int(row["klub_id"]) if row.get("klub_id") else default_klub_id
+            sid = int(row["savez_id"]) if row.get("savez_id") else default_savez_id
+            full_name = (row.get("ime","") + " " + row.get("prezime","")).strip() or email
+            temp_pwd = "PGZ-" + secrets.token_hex(4)
+            new_id = db_one("""INSERT INTO pgz_sport.users
+                (email, password_hash, ime, prezime, full_name, user_type, klub_id, savez_id,
+                 telefon, oib, must_change_pwd, aktivan, status, auth_provider)
+                VALUES (%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,true,true,'active','local')
+                ON CONFLICT (email) DO NOTHING RETURNING id""",
+                (email, hash_password(temp_pwd), row.get("ime"), row.get("prezime"),
+                 full_name, ut, kid, sid, row.get("telefon"), row.get("oib")))
+            if new_id and new_id.get("id"):
+                created += 1
+            else:
+                skipped += 1
+        except Exception as e:
+            errors.append(f"row {i}: {e}"); skipped += 1
+    audit(actor["id"], "user.bulk_csv", meta={"created": created, "skipped": skipped})
+    return {"created": created, "skipped": skipped, "errors": errors[:20]}
diff --git a/_backups/app.html.cc3_pre_unified_sidebar.1777935999 b/_backups/app.html.cc3_pre_unified_sidebar.1777935999
new file mode 100644
index 0000000..05fd6e4
--- /dev/null
+++ b/_backups/app.html.cc3_pre_unified_sidebar.1777935999
@@ -0,0 +1,1705 @@
+<!DOCTYPE html>
+<html lang="hr">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width,initial-scale=1.0">
+<title>PGŽ SPORT — Operativna aplikacija</title>
+<!--
+  app.html v1.0 — Round 3 M4
+  PGŽ Sport operational app — 4 role dashboards (PGŽ admin, savez admin, klub admin, sportaš)
+  Author: dradulic@outlook.com / damir@rinet.one — 2026-05-05
+  Same CSS variables / theme as sport2.html. Sidebar is collapsible (M3 logic).
+-->
+<link rel="preconnect" href="https://fonts.googleapis.com">
+<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
+<link href="https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600;700;800&family=JetBrains+Mono:wght@400;600&display=swap" rel="stylesheet">
+<script src="https://cdnjs.cloudflare.com/ajax/libs/Chart.js/4.4.1/chart.umd.min.js"></script>
+<style>
+:root{
+  --pgz-blue:#003087; --pgz-blue2:#004CC4; --pgz-gold:#F4C430;
+  --bg0:#08090e; --bg1:#0d1021; --bg2:#111628; --bg3:#161d35; --bg4:#1c2542;
+  --rim:#1e2a50; --rim2:#283560;
+  --t0:#fff; --t1:#e2e6f0; --t2:#8a95b4; --t4:#4e5a7a;
+  --green:#00e88f; --red:#ff2d55; --amber:#f59e0b; --cyan:#00c8e8;
+  --font:'Inter',sans-serif; --mono:'JetBrains Mono',monospace;
+}
+*{box-sizing:border-box;margin:0;padding:0}
+html,body{height:100%}
+body{font-family:var(--font);background:var(--bg0);color:var(--t1);font-size:13px;overflow-x:hidden}
+a{color:var(--cyan);text-decoration:none}
+a:hover{color:var(--pgz-gold)}
+button,input,select,textarea{font-family:inherit;font-size:inherit;outline:none}
+::-webkit-scrollbar{width:8px;height:8px}
+::-webkit-scrollbar-track{background:var(--bg1)}
+::-webkit-scrollbar-thumb{background:var(--rim2);border-radius:4px}
+::-webkit-scrollbar-thumb:hover{background:var(--pgz-blue2)}
+
+/* ============ LAYOUT ============ */
+.app{display:flex;min-height:100vh}
+.sb{width:240px;background:linear-gradient(180deg,var(--bg1) 0%,var(--bg0) 100%);border-right:1px solid var(--rim);position:fixed;top:0;left:0;bottom:0;display:flex;flex-direction:column;z-index:10;transition:width .22s ease}
+.sb-h{padding:18px 18px 14px;border-bottom:1px solid var(--rim);position:relative}
+.sb-h .logo{font-weight:800;font-size:14px;color:var(--t0);letter-spacing:.5px;white-space:nowrap;overflow:hidden}
+.sb-h .logo .g{color:var(--pgz-gold)}
+.sb-h .sub{font-size:10px;color:var(--t2);margin-top:4px;text-transform:uppercase;letter-spacing:1px;white-space:nowrap;overflow:hidden}
+.sb-toggle{position:absolute;top:14px;right:8px;width:22px;height:22px;display:flex;align-items:center;justify-content:center;cursor:pointer;color:var(--t2);background:var(--bg2);border:1px solid var(--rim);border-radius:4px;font-size:14px;font-weight:700;transition:all .15s;user-select:none}
+.sb-toggle:hover{background:var(--bg3);color:var(--pgz-gold);border-color:var(--pgz-gold)}
+.sb-section-label{padding:10px 14px 4px;font-size:9.5px;color:var(--t4);text-transform:uppercase;letter-spacing:1.2px;font-weight:700;white-space:nowrap;overflow:hidden}
+.sb-nav{flex:1;padding:8px 8px;overflow-y:auto;overflow-x:hidden}
+.nav-i{padding:9px 12px;border-radius:6px;color:var(--t2);cursor:pointer;display:flex;align-items:center;gap:10px;font-size:12.5px;margin-bottom:2px;transition:background .15s,color .15s;white-space:nowrap;position:relative}
+.nav-i:hover{background:var(--bg2);color:var(--t1)}
+.nav-i.active{background:linear-gradient(90deg,var(--pgz-blue) 0%,var(--pgz-blue2) 100%);color:#fff;font-weight:600}
+.nav-i .ic{width:18px;text-align:center;font-size:14px;flex-shrink:0}
+.nav-i .lbl{overflow:hidden;text-overflow:ellipsis}
+.nav-i .badge{margin-left:auto;background:var(--red);color:#fff;font-size:9px;font-weight:700;padding:1px 6px;border-radius:8px}
+.sb-foot{padding:10px 12px;border-top:1px solid var(--rim);display:flex;align-items:center;gap:8px;white-space:nowrap;overflow:hidden}
+.sb-foot .av{width:30px;height:30px;border-radius:50%;background:linear-gradient(135deg,var(--pgz-blue),var(--pgz-gold));color:#fff;font-weight:800;display:flex;align-items:center;justify-content:center;font-size:11px;flex-shrink:0}
+.sb-foot .ui{flex:1;min-width:0;overflow:hidden}
+.sb-foot .un{font-size:11.5px;color:var(--t1);font-weight:600;line-height:1.2;overflow:hidden;text-overflow:ellipsis}
+.sb-foot .ur{font-size:9.5px;color:var(--t4);text-transform:uppercase;letter-spacing:.5px;line-height:1.2;overflow:hidden;text-overflow:ellipsis}
+.sb-foot .lo{cursor:pointer;color:var(--t4);font-size:14px;padding:6px 8px;border-radius:5px;transition:all .15s;flex-shrink:0}
+.sb-foot .lo:hover{background:rgba(255,45,85,.15);color:var(--red)}
+
+/* Collapsed sidebar */
+.sb.collapsed{width:58px}
+.sb.collapsed .sb-h{padding:18px 8px 14px;text-align:center}
+.sb.collapsed .sb-h .logo{font-size:0}
+.sb.collapsed .sb-h .logo::before{content:"PG";font-size:13px;color:var(--pgz-gold);font-weight:800}
+.sb.collapsed .sb-h .sub,.sb.collapsed .sb-section-label{display:none}
+.sb.collapsed .sb-toggle{position:static;margin:6px auto 0;display:flex}
+.sb.collapsed .nav-i{justify-content:center;padding:10px 6px}
+.sb.collapsed .nav-i .lbl,.sb.collapsed .nav-i .badge{display:none}
+.sb.collapsed .nav-i:hover::after{content:attr(data-label);position:absolute;left:58px;top:50%;transform:translateY(-50%);background:var(--bg3);color:var(--t0);padding:5px 10px;border-radius:4px;font-size:11.5px;white-space:nowrap;border:1px solid var(--rim);z-index:50;font-weight:600;pointer-events:none;box-shadow:2px 2px 8px rgba(0,0,0,.4)}
+.sb.collapsed .sb-foot{padding:8px;justify-content:center}
+.sb.collapsed .sb-foot .ui{display:none}
+.sb.collapsed .sb-foot .lo{display:none}
+
+.main{margin-left:240px;flex:1;min-width:0;transition:margin-left .22s ease}
+.sb.collapsed ~ .main{margin-left:58px}
+.tb{background:var(--bg1);border-bottom:1px solid var(--rim);padding:12px 22px;display:flex;align-items:center;justify-content:space-between;position:sticky;top:0;z-index:5;gap:12px}
+.tb-t{font-size:15px;font-weight:700;color:var(--t0)}
+.tb-s{font-size:11px;color:var(--t2)}
+.tb-r{display:flex;align-items:center;gap:14px}
+.role-switch{display:inline-flex;background:var(--bg2);border:1px solid var(--rim);border-radius:6px;overflow:hidden}
+.role-switch button{background:transparent;border:0;padding:6px 12px;color:var(--t2);font-size:11px;font-weight:600;cursor:pointer;letter-spacing:.3px}
+.role-switch button:hover{background:var(--bg3);color:var(--t1)}
+.role-switch button.active{background:linear-gradient(135deg,var(--pgz-blue),var(--pgz-blue2));color:#fff}
+.tb-user{display:flex;align-items:center;gap:8px;font-size:12px;color:var(--t1);cursor:pointer;padding:4px 8px;border-radius:6px;transition:all .15s}
+.tb-user:hover{background:var(--bg2)}
+.tb-user .av{width:32px;height:32px;border-radius:50%;background:linear-gradient(135deg,var(--pgz-blue),var(--pgz-gold));color:#fff;font-weight:800;display:flex;align-items:center;justify-content:center;font-size:12px;overflow:hidden;flex-shrink:0;border:2px solid transparent}
+.tb-user:hover .av{border-color:var(--pgz-gold)}
+.tb-user .av img{width:100%;height:100%;object-fit:cover}
+.tb-user .role-badge{font-size:9px;background:var(--pgz-gold);color:var(--bg0);padding:1px 5px;border-radius:3px;font-weight:700;text-transform:uppercase;letter-spacing:.3px;margin-left:4px}
+.tb-user .tenant-name{font-size:10px;color:var(--t4)}
+
+/* Drill-down right panel (shared) */
+#dpanel{position:fixed;top:0;right:-720px;width:680px;max-width:96vw;height:100vh;background:var(--bg1);border-left:1px solid var(--rim);z-index:200;transition:right .25s ease;display:flex;flex-direction:column;box-shadow:-8px 0 30px rgba(0,0,0,.5)}
+#dpanel.open{right:0}
+#dpanel-hdr{padding:14px 18px;border-bottom:1px solid var(--rim);display:flex;align-items:center;justify-content:space-between;flex-shrink:0;background:var(--bg2);gap:10px}
+#dpanel-t{font-size:14px;font-weight:700;color:var(--t0)}
+#dpanel-x{cursor:pointer;font-size:22px;color:var(--t4);width:30px;height:30px;display:flex;align-items:center;justify-content:center;border-radius:5px;transition:all .15s}
+#dpanel-x:hover{background:var(--bg3);color:var(--red)}
+#dpanel-body{flex:1;overflow-y:auto;padding:16px}
+#dpanel-overlay{display:none;position:fixed;inset:0;background:rgba(0,0,0,.5);z-index:199;backdrop-filter:blur(2px)}
+#dpanel-overlay.open{display:block}
+
+/* Profile page styles */
+.profile-page{max-width:980px;margin:0 auto}
+.profile-banner{display:flex;align-items:center;gap:18px;padding:22px;background:linear-gradient(135deg,var(--pgz-blue) 0%,var(--bg2) 60%);border:1px solid var(--rim);border-radius:10px;margin-bottom:16px;position:relative;overflow:hidden}
+.profile-banner::before{content:"";position:absolute;top:0;right:0;width:200px;height:100%;background:radial-gradient(circle at 100% 0%,rgba(244,196,48,.18) 0%,transparent 60%);pointer-events:none}
+.profile-avatar-big{width:96px;height:96px;border-radius:50%;background:linear-gradient(135deg,var(--pgz-blue2),var(--pgz-gold));color:#fff;font-weight:800;font-size:32px;display:flex;align-items:center;justify-content:center;flex-shrink:0;border:3px solid var(--pgz-gold);overflow:hidden;position:relative;cursor:pointer}
+.profile-avatar-big img{width:100%;height:100%;object-fit:cover}
+.profile-avatar-big .upload-hint{position:absolute;inset:0;background:rgba(0,0,0,.55);color:#fff;font-size:10.5px;font-weight:700;display:flex;align-items:center;justify-content:center;text-align:center;padding:6px;opacity:0;transition:opacity .15s}
+.profile-avatar-big:hover .upload-hint{opacity:1}
+.profile-banner-info h1{font-size:22px;color:#fff;margin-bottom:4px;font-weight:800}
+.profile-banner-info .role-line{font-size:11.5px;color:var(--t1);margin-bottom:6px}
+.profile-banner-info .tags-row .tag{margin-right:4px}
+.profile-banner-actions{margin-left:auto;display:flex;gap:8px;flex-shrink:0;z-index:1}
+
+.profile-section{background:var(--bg2);border:1px solid var(--rim);border-radius:8px;padding:16px;margin-bottom:14px}
+.profile-section h3{font-size:12px;font-weight:700;color:var(--pgz-gold);text-transform:uppercase;letter-spacing:1px;margin-bottom:12px;padding-bottom:8px;border-bottom:1px solid var(--rim);display:flex;align-items:center;justify-content:space-between}
+.profile-section .edit-link{font-size:11px;color:var(--cyan);cursor:pointer;text-transform:none;letter-spacing:0;font-weight:600}
+.profile-section .edit-link:hover{color:var(--pgz-gold)}
+.profile-row{display:grid;grid-template-columns:160px 1fr auto;gap:8px 14px;padding:8px 0;border-bottom:1px dashed var(--rim);align-items:center}
+.profile-row:last-child{border:0}
+.profile-row .k{color:var(--t2);font-size:11.5px;font-weight:600}
+.profile-row .v{color:var(--t1);font-size:12.5px;word-break:break-word}
+.profile-row .v.empty{color:var(--t4);font-style:italic}
+.profile-row input,.profile-row select{background:var(--bg3);border:1px solid var(--rim);border-radius:5px;padding:6px 10px;color:var(--t1);font-size:12.5px;width:100%}
+.profile-row .a{display:flex;gap:4px}
+.profile-row .a button{padding:4px 8px;font-size:11px}
+
+.tag-2fa-on{background:var(--green);color:var(--bg0);padding:2px 7px;border-radius:3px;font-size:10px;font-weight:700;text-transform:uppercase}
+.tag-2fa-off{background:var(--rim2);color:var(--t1);padding:2px 7px;border-radius:3px;font-size:10px;font-weight:700;text-transform:uppercase}
+.tag-gdpr{background:var(--cyan);color:var(--bg0);padding:2px 7px;border-radius:3px;font-size:10px;font-weight:700;text-transform:uppercase}
+.content{padding:22px}
+.section{display:none}
+.section.active{display:block}
+
+/* ============ COMPONENTS (shared with sport2.html) ============ */
+.kpi-grid{display:grid;grid-template-columns:repeat(auto-fit,minmax(180px,1fr));gap:14px;margin-bottom:22px}
+.kpi{background:linear-gradient(135deg,var(--bg2) 0%,var(--bg1) 100%);border:1px solid var(--rim);border-radius:8px;padding:14px 16px;position:relative;overflow:hidden;transition:all .18s}
+.kpi.click{cursor:pointer}
+.kpi.click:hover{border-color:var(--pgz-gold);transform:translateY(-1px);box-shadow:0 4px 12px rgba(0,0,0,.4)}
+.kpi::before{content:"";position:absolute;top:0;left:0;width:3px;height:100%;background:var(--pgz-gold)}
+.kpi.b::before{background:var(--pgz-blue2)}
+.kpi.g::before{background:var(--green)}
+.kpi.r::before{background:var(--red)}
+.kpi.a::before{background:var(--amber)}
+.kpi.c::before{background:var(--cyan)}
+.kpi-l{font-size:10.5px;color:var(--t2);text-transform:uppercase;letter-spacing:1px;font-weight:600}
+.kpi-v{font-size:24px;font-weight:800;color:var(--t0);margin-top:4px;font-family:var(--mono)}
+.kpi-s{font-size:10px;color:var(--t4);margin-top:2px}
+.kpi-trend{font-size:10px;font-weight:700;margin-top:6px;display:inline-block;padding:1px 6px;border-radius:3px}
+.kpi-trend.up{background:rgba(0,232,143,.15);color:var(--green)}
+.kpi-trend.down{background:rgba(255,45,85,.15);color:var(--red)}
+
+.card{background:var(--bg2);border:1px solid var(--rim);border-radius:8px;padding:14px;margin-bottom:14px;transition:all .18s}
+.card.click-card{cursor:pointer}
+.card.click-card:hover{border-color:var(--pgz-gold)}
+.card-h{display:flex;align-items:center;justify-content:space-between;margin-bottom:10px;padding-bottom:8px;border-bottom:1px solid var(--rim);gap:10px}
+.card-t{font-weight:700;color:var(--t0);font-size:13px}
+.card-actions{display:flex;gap:6px}
+
+.row-2{display:grid;grid-template-columns:1fr 1fr;gap:14px}
+.row-3{display:grid;grid-template-columns:2fr 1fr;gap:14px}
+@media (max-width:900px){.row-2,.row-3{grid-template-columns:1fr}}
+
+.btn{background:var(--bg2);border:1px solid var(--rim);border-radius:5px;padding:7px 12px;color:var(--t1);font-size:12px;cursor:pointer;font-weight:600;transition:all .15s}
+.btn:hover{background:var(--bg3);border-color:var(--rim2)}
+.btn.primary{background:linear-gradient(135deg,var(--pgz-blue),var(--pgz-blue2));border-color:transparent;color:#fff}
+.btn.primary:hover{filter:brightness(1.1)}
+.btn.gold{background:var(--pgz-gold);color:var(--bg0);border-color:transparent}
+.btn.gold:hover{filter:brightness(1.1)}
+.btn.sm{padding:4px 9px;font-size:11px}
+
+table{width:100%;border-collapse:collapse;font-size:12px}
+table th{background:var(--bg3);color:var(--t2);text-transform:uppercase;font-size:10px;letter-spacing:.5px;padding:8px 10px;text-align:left;border-bottom:1px solid var(--rim);font-weight:700}
+table td{padding:8px 10px;border-bottom:1px solid var(--rim);color:var(--t1)}
+table tbody tr{transition:background .15s}
+table tbody tr:hover{background:var(--bg3)}
+.num{font-family:var(--mono);text-align:right}
+
+.tag{display:inline-block;padding:2px 7px;font-size:10px;border-radius:3px;background:var(--bg4);color:var(--t1);font-weight:600;text-transform:uppercase;letter-spacing:.5px;margin-right:3px}
+.tag.b{background:var(--pgz-blue);color:#fff}
+.tag.gd{background:var(--pgz-gold);color:var(--bg0)}
+.tag.gr{background:var(--green);color:var(--bg0)}
+.tag.rd{background:var(--red);color:#fff}
+.tag.am{background:var(--amber);color:var(--bg0)}
+.tag.cy{background:var(--cyan);color:var(--bg0)}
+
+.audit-i{display:flex;gap:10px;padding:8px 10px;border-bottom:1px solid var(--rim);font-size:11.5px;align-items:flex-start}
+.audit-i:last-child{border:0}
+.audit-i .ts{color:var(--t4);font-family:var(--mono);font-size:10.5px;flex-shrink:0;width:90px}
+.audit-i .who{color:var(--pgz-gold);font-weight:600;flex-shrink:0;width:120px;overflow:hidden;text-overflow:ellipsis;white-space:nowrap}
+.audit-i .what{color:var(--t1);flex:1;min-width:0}
+.audit-i .what b{color:var(--cyan)}
+
+.req-i{padding:10px 12px;border:1px solid var(--rim);border-radius:6px;margin-bottom:8px;background:var(--bg2);transition:all .15s;cursor:pointer}
+.req-i:hover{border-color:var(--pgz-gold)}
+.req-i .rh{display:flex;justify-content:space-between;align-items:center;margin-bottom:4px}
+.req-i .rt{font-weight:700;color:var(--t0);font-size:12.5px}
+.req-i .rsum{font-size:11px;color:var(--t2);margin-top:2px;line-height:1.4}
+.req-i .rmeta{display:flex;gap:10px;margin-top:6px;font-size:10.5px;color:var(--t4)}
+.req-i .rmeta b{color:var(--pgz-gold);font-weight:700}
+
+.member-i{display:flex;align-items:center;gap:10px;padding:8px 10px;border-bottom:1px solid var(--rim)}
+.member-i:last-child{border:0}
+.member-i .av{width:32px;height:32px;border-radius:50%;background:linear-gradient(135deg,var(--bg3),var(--bg4));color:var(--t0);font-weight:800;display:flex;align-items:center;justify-content:center;font-size:11px;flex-shrink:0}
+.member-i .mn{font-weight:700;color:var(--t0);font-size:12px}
+.member-i .mp{font-size:10.5px;color:var(--t2)}
+.member-i .mright{margin-left:auto;text-align:right}
+
+.cal-grid{display:grid;grid-template-columns:repeat(7,1fr);gap:4px}
+.cal-h{font-size:10px;color:var(--t4);text-transform:uppercase;text-align:center;padding:4px 0;font-weight:700;letter-spacing:.5px}
+.cal-d{aspect-ratio:1;background:var(--bg3);border:1px solid var(--rim);border-radius:4px;padding:4px;font-size:10.5px;color:var(--t2);position:relative;cursor:pointer}
+.cal-d:hover{border-color:var(--pgz-gold)}
+.cal-d.t{border-color:var(--pgz-gold);background:var(--bg4)}
+.cal-d.has-event::after{content:"";position:absolute;bottom:3px;left:50%;transform:translateX(-50%);width:5px;height:5px;background:var(--pgz-gold);border-radius:50%}
+
+.profile-card{display:grid;grid-template-columns:120px 1fr;gap:18px;padding:14px}
+.profile-photo{width:120px;height:140px;border-radius:8px;background:linear-gradient(135deg,var(--bg3),var(--bg4));display:flex;align-items:center;justify-content:center;font-size:48px;color:var(--t4);font-weight:800;overflow:hidden;cursor:pointer;border:2px solid var(--rim);transition:all .2s}
+.profile-photo:hover{border-color:var(--pgz-gold)}
+.profile-info h2{font-size:20px;color:var(--t0);margin-bottom:4px}
+.profile-info .sub{font-size:12px;color:var(--t2);margin-bottom:8px}
+.profile-info .tags-row{margin-bottom:10px}
+
+.kv{display:grid;grid-template-columns:160px 1fr;gap:6px 12px;font-size:12px}
+.kv .k{color:var(--t2);font-weight:600}
+.kv .v{color:var(--t1);word-break:break-word}
+
+.alert-card{padding:10px 12px;border-left:3px solid var(--amber);background:var(--bg2);border-radius:5px;margin-bottom:8px}
+.alert-card.crit{border-color:var(--red)}
+.alert-card.ok{border-color:var(--green)}
+.alert-card .at{font-weight:700;font-size:12px;color:var(--t0)}
+.alert-card .ad{font-size:11px;color:var(--t2);margin-top:3px}
+
+.empty{text-align:center;padding:30px;color:var(--t4);font-size:12px;font-style:italic}
+.loading{padding:24px;text-align:center;color:var(--t2);font-size:12px}
+.loading::before{content:"";display:inline-block;width:12px;height:12px;border:2px solid var(--rim);border-top-color:var(--pgz-gold);border-radius:50%;animation:spin .8s linear infinite;margin-right:8px;vertical-align:middle}
+@keyframes spin{to{transform:rotate(360deg)}}
+
+.chart-box{background:var(--bg2);border:1px solid var(--rim);border-radius:8px;padding:14px;height:280px}
+.chart-box canvas{max-height:240px}
+
+.demo-banner{background:linear-gradient(90deg,rgba(244,196,48,.15),rgba(0,76,196,.1));border:1px solid var(--pgz-gold);border-radius:6px;padding:10px 14px;margin-bottom:14px;font-size:11.5px;color:var(--t1);display:flex;align-items:center;gap:10px}
+.demo-banner b{color:var(--pgz-gold)}
+
+@media (max-width:768px){
+  .sb{transform:translateX(-100%);transition:transform .25s}
+  .sb.open{transform:translateX(0)}
+  .main,.sb.collapsed ~ .main{margin-left:0}
+  .role-switch{display:none}
+}
+</style>
+</head>
+<body>
+
+<div class="app">
+  <aside class="sb" id="sb">
+    <div class="sb-h">
+      <div class="logo">PGŽ <span class="g">SPORT</span></div>
+      <div class="sub" id="role-sub">Operativna aplikacija</div>
+      <div class="sb-toggle" id="sb-toggle" onclick="toggleSidebar()" title="Skupi/raširi sidebar">≡</div>
+    </div>
+    <div class="sb-section-label" id="role-section-label">Navigacija</div>
+    <nav class="sb-nav" id="nav"></nav>
+    <div class="sb-foot" id="sb-foot">
+      <div class="av" id="sf-av">DR</div>
+      <div class="ui">
+        <div class="un" id="sf-name">Damir Radulić</div>
+        <div class="ur" id="sf-role">PGŽ admin</div>
+      </div>
+      <div class="lo" onclick="logout()" title="Odjava">⎋</div>
+    </div>
+  </aside>
+
+  <main class="main">
+    <div class="tb">
+      <div>
+        <div class="tb-t" id="tb-t">Dashboard</div>
+        <div class="tb-s" id="tb-s">Pregled stanja</div>
+      </div>
+      <div class="tb-r">
+        <div class="role-switch" id="role-switch"></div>
+        <div class="tb-user" id="tb-user" onclick="navTo('profil')" title="Otvori moj profil">
+          <div class="av" id="user-av">DR</div>
+          <div>
+            <div style="font-weight:700" id="user-name">Damir Radulić<span class="role-badge" id="user-role-badge">pgz admin</span></div>
+            <div class="tenant-name" id="user-tenant">Primorsko-goranska županija</div>
+          </div>
+        </div>
+      </div>
+    </div>
+
+    <div class="content" id="content">
+      <div class="loading">Učitavanje...</div>
+    </div>
+  </main>
+</div>
+
+<!-- Drill-down right panel -->
+<div id="dpanel-overlay" onclick="closeDetail()"></div>
+<aside id="dpanel" aria-hidden="true">
+  <div id="dpanel-hdr">
+    <div id="dpanel-t">Detalji</div>
+    <div id="dpanel-x" onclick="closeDetail()" title="Zatvori (Esc)">×</div>
+  </div>
+  <div id="dpanel-body"><div class="loading">Učitavanje...</div></div>
+</aside>
+
+<input type="file" id="avatar-input" accept="image/jpeg,image/png,image/webp" style="display:none" onchange="onAvatarPick(this)">
+
+<script>
+//=========== UTIL ===========
+const API = '/sport/api';
+const $ = s => document.querySelector(s);
+const $$ = s => document.querySelectorAll(s);
+const esc = s => String(s==null?'':s).replace(/[&<>"']/g, m => ({'&':'&amp;','<':'&lt;','>':'&gt;','"':'&quot;',"'":'&#39;'}[m]));
+const fmt = n => (n==null?'—':Number(n).toLocaleString('hr-HR'));
+const fmtEur = n => (n==null?'—':Number(n).toLocaleString('hr-HR',{maximumFractionDigits:0})+' €');
+
+async function api(path){
+  try { const r = await fetch(API+path); if(!r.ok) return null; return await r.json(); }
+  catch(e){ return null; }
+}
+
+// JWT-aware fetch wrapper
+function getToken(){ try { return localStorage.getItem('jwt') || localStorage.getItem('access_token') || ''; } catch(e){ return ''; } }
+async function apiAuth(path, opts){
+  opts = opts || {};
+  const h = Object.assign({}, opts.headers || {});
+  const tok = getToken(); if(tok) h['Authorization'] = 'Bearer '+tok;
+  if(opts.body && !(opts.body instanceof FormData) && !h['Content-Type']) h['Content-Type'] = 'application/json';
+  try {
+    const r = await fetch(API+path, Object.assign({}, opts, {headers:h}));
+    if(r.status === 401){ return {__unauthorized:true, status:401}; }
+    if(!r.ok) return {__error:true, status:r.status};
+    if(r.headers.get('content-type')?.includes('application/json')) return await r.json();
+    return {__ok:true};
+  } catch(e){ return {__error:true, msg:String(e)}; }
+}
+const initials = (n) => { if(!n) return '?'; const p=String(n).trim().split(/\s+/); return ((p[0]||'')[0]||'')+((p[1]||'')[0]||'').toUpperCase(); };
+
+//=========== ROLES ===========
+const ROLES = {
+  pgz:    {name:'PGŽ admin',  user:'Damir Radulić',     av:'DR', sub:'Odjel za sport · PGŽ'},
+  savez:  {name:'Savez admin', user:'Marija Kovač',      av:'MK', sub:'Atletski savez PGŽ'},
+  klub:   {name:'Klub admin',  user:'Igor Tomić',        av:'IT', sub:'AK Kvarner Rijeka'},
+  sportas:{name:'Sportaš',     user:'Luka Horvat',       av:'LH', sub:'AK Kvarner Rijeka · Trčanje 800m'},
+};
+
+const NAV_BY_ROLE = {
+  pgz: [
+    {id:'profil',     ic:'\u{1F464}', label:'Moj profil'},
+    {id:'dashboard',  ic:'\u{1F4CA}', label:'Dashboard'},
+    {id:'korisnici',  ic:'\u{1F465}', label:'Korisnici'},
+    {id:'savezi',     ic:'\u{1F3C5}', label:'Savezi'},
+    {id:'klubovi',    ic:'⬢',        label:'Klubovi'},
+    {id:'sportasi',   ic:'\u{1F464}', label:'Sportaši'},
+    {id:'financije',  ic:'€',         label:'Financije'},
+    {id:'racuni',     ic:'\u{1F9FE}', label:'Računi (OCR)'},
+    {id:'crm',        ic:'\u{1F4DD}', label:'CRM'},
+    {id:'audit',      ic:'\u{1F50D}', label:'Audit log'},
+    {id:'forenzika',  ic:'⚠',        label:'Forenzika', badge:11},
+  ],
+  savez: [
+    {id:'profil',    ic:'\u{1F464}', label:'Moj profil'},
+    {id:'dashboard', ic:'\u{1F4CA}', label:'Dashboard'},
+    {id:'klubovi',   ic:'⬢',        label:'Naši klubovi'},
+    {id:'sportasi',  ic:'\u{1F464}', label:'Naši sportaši'},
+    {id:'zahtjevi',  ic:'\u{1F4D1}', label:'Zahtjevi PGŽ', badge:3},
+    {id:'kalendar',  ic:'\u{1F4C5}', label:'Kalendar'},
+    {id:'lijecnicki',ic:'⚕',         label:'Liječnički'},
+    {id:'racuni',    ic:'\u{1F9FE}', label:'Računi (OCR)'},
+  ],
+  klub: [
+    {id:'profil',    ic:'\u{1F464}', label:'Moj profil'},
+    {id:'dashboard', ic:'\u{1F4CA}', label:'Dashboard'},
+    {id:'clanovi',   ic:'\u{1F465}', label:'Članovi'},
+    {id:'clanarine', ic:'€',         label:'Članarine'},
+    {id:'lijecnicki',ic:'⚕',         label:'Liječnički'},
+    {id:'dokumenti', ic:'\u{1F4C4}', label:'Dokumenti'},
+    {id:'manifestacije', ic:'\u{1F4C5}', label:'Manifestacije'},
+    {id:'racuni',    ic:'\u{1F9FE}', label:'Računi (OCR)'},
+  ],
+  sportas: [
+    {id:'profil',    ic:'\u{1F464}', label:'Moj profil'},
+    {id:'dashboard', ic:'\u{1F4CA}', label:'Dashboard'},
+    {id:'clanarina', ic:'€',         label:'Članarina'},
+    {id:'lijecnicki',ic:'⚕',         label:'Liječnički'},
+    {id:'dokumenti', ic:'\u{1F4C4}', label:'Moji dokumenti'},
+    {id:'obrasci',   ic:'\u{1F4DD}', label:'Obrasci', badge:1},
+    {id:'manifestacije', ic:'\u{1F4C5}', label:'Manifestacije'},
+  ],
+};
+
+const _state = {role:'pgz', section:'dashboard', me:null, demoMode:true};
+
+// Map server user_type -> UI role bucket (for nav layout)
+function userTypeToRole(t){
+  const m = {
+    super_admin:'pgz', pgz_admin:'pgz', pgz_viewer:'pgz',
+    savez_admin:'savez',
+    klub_admin:'klub', klub_trener:'klub',
+    klub_clan:'sportas', sportas:'sportas', viewer:'pgz'
+  };
+  return m[t] || 'pgz';
+}
+
+// Try real auth first; fall back to demo mode
+async function loadCurrentUser(){
+  if(!getToken()) return null;
+  const me = await apiAuth('/auth/me');
+  if(!me || me.__unauthorized || me.__error){
+    if(me && me.__unauthorized){ try { localStorage.removeItem('jwt'); } catch(e){} }
+    return null;
+  }
+  _state.me = me;
+  _state.demoMode = false;
+  _state.role = userTypeToRole(me.user_type);
+  return me;
+}
+function applyMeToHeader(){
+  const me = _state.me; if(!me) return;
+  const name = me.full_name || ((me.ime||'')+' '+(me.prezime||'')).trim() || me.email || '—';
+  const tenant = me.tenant_name || (me.tenant_type ? me.tenant_type.toUpperCase() : '');
+  const roleLabel = (ROLES[_state.role]||{}).name || me.user_type || 'Korisnik';
+  // Topbar
+  $('#user-name').innerHTML = esc(name) + `<span class="role-badge" id="user-role-badge">${esc(me.user_type||'')}</span>`;
+  $('#user-tenant').textContent = tenant;
+  $('#user-role-label')?.replaceChildren(document.createTextNode(roleLabel));
+  // Avatar topbar
+  if(me.avatar_url){
+    $('#user-av').innerHTML = `<img src="${esc(me.avatar_url)}" alt="">`;
+  } else if(me.google_picture){
+    $('#user-av').innerHTML = `<img src="${esc(me.google_picture)}" alt="">`;
+  } else {
+    $('#user-av').textContent = initials(name);
+  }
+  // Sidebar footer
+  if($('#sf-name')) $('#sf-name').textContent = name;
+  if($('#sf-role')) $('#sf-role').textContent = roleLabel;
+  if($('#sf-av')){
+    if(me.avatar_url) $('#sf-av').innerHTML = `<img src="${esc(me.avatar_url)}" alt="" style="width:100%;height:100%;object-fit:cover;border-radius:50%">`;
+    else if(me.google_picture) $('#sf-av').innerHTML = `<img src="${esc(me.google_picture)}" alt="" style="width:100%;height:100%;object-fit:cover;border-radius:50%">`;
+    else $('#sf-av').textContent = initials(name);
+  }
+  if($('#role-sub')) $('#role-sub').textContent = tenant || roleLabel;
+}
+
+//=========== DRILL-DOWN PANEL ===========
+function openDetail(title, html){
+  $('#dpanel-t').textContent = title || 'Detalji';
+  $('#dpanel-body').innerHTML = html || '<div class="empty">Nema sadržaja.</div>';
+  $('#dpanel').classList.add('open');
+  $('#dpanel-overlay').classList.add('open');
+  $('#dpanel').setAttribute('aria-hidden','false');
+}
+function closeDetail(){
+  $('#dpanel').classList.remove('open');
+  $('#dpanel-overlay').classList.remove('open');
+  $('#dpanel').setAttribute('aria-hidden','true');
+}
+document.addEventListener('keydown', e => { if(e.key==='Escape') closeDetail(); });
+async function showDetail(kind, id, title){
+  openDetail(title || kind, '<div class="loading">Učitavam detalje...</div>');
+  let body = '';
+  try {
+    if(kind === 'savez'){
+      const d = await api('/savezi/'+id);
+      if(!d){ body = '<div class="empty">Savez nije pronađen.</div>'; }
+      else {
+        body = `
+          <h2 style="font-size:18px;color:var(--t0);margin-bottom:6px">${esc(d.naziv||'—')}</h2>
+          <div style="font-size:11px;color:var(--t2);margin-bottom:14px">${esc(d.skraceni_naziv||'')} · ${esc(d.oib||'')}</div>
+          <div class="kv">
+            <div class="k">Predsjednik</div><div class="v">${esc(d.predsjednik||'—')}</div>
+            <div class="k">Tajnik</div><div class="v">${esc(d.tajnik||'—')}</div>
+            <div class="k">Email</div><div class="v">${esc(d.email||'—')}</div>
+            <div class="k">Telefon</div><div class="v">${esc(d.telefon||'—')}</div>
+            <div class="k">Adresa</div><div class="v">${esc(d.adresa||'—')}</div>
+            <div class="k">Web</div><div class="v">${d.web?`<a href="${esc(d.web)}" target="_blank">${esc(d.web)}</a>`:'—'}</div>
+            <div class="k">Klubova</div><div class="v">${fmt(d.broj_klubova||'—')}</div>
+            <div class="k">Sportaša</div><div class="v">${fmt(d.broj_sportasa||'—')}</div>
+            <div class="k">Godina osnutka</div><div class="v">${esc(d.godina_osnutka||'—')}</div>
+          </div>
+          <div style="margin-top:14px"><a href="/sport/?savez=${id}" target="_blank" class="btn primary">Otvori u javnom portalu →</a></div>`;
+      }
+    } else if(kind === 'klub'){
+      const d = await api('/klubovi/'+id);
+      if(!d){ body = '<div class="empty">Klub nije pronađen.</div>'; }
+      else body = `
+        <h2 style="font-size:18px;color:var(--t0);margin-bottom:6px">${esc(d.naziv||'—')}</h2>
+        <div style="font-size:11px;color:var(--t2);margin-bottom:14px">${esc(d.savez||'')} · ${esc(d.grad||'')}</div>
+        <div class="kv">
+          <div class="k">OIB</div><div class="v">${esc(d.oib||'—')}</div>
+          <div class="k">Predsjednik</div><div class="v">${esc(d.predsjednik||'—')}</div>
+          <div class="k">Adresa</div><div class="v">${esc(d.adresa||'—')}</div>
+          <div class="k">Email</div><div class="v">${esc(d.email||'—')}</div>
+          <div class="k">Telefon</div><div class="v">${esc(d.telefon||'—')}</div>
+          <div class="k">Članova</div><div class="v">${fmt(d.broj_clanova||'—')}</div>
+        </div>`;
+    } else if(kind === 'zahtjev'){
+      const z = MOCK.zahtjevi_pending.concat(MOCK.savez_zahtjevi||[]).find(x => x.id===id || x.naziv===id) || {};
+      body = `
+        <h2 style="font-size:17px;color:var(--t0);margin-bottom:6px">${esc(z.naziv||id)}</h2>
+        <div class="kv">
+          <div class="k">Šifra</div><div class="v">${esc(z.id||'—')}</div>
+          <div class="k">Savez</div><div class="v">${esc(z.savez||'—')}</div>
+          <div class="k">Klub</div><div class="v">${esc(z.klub||'—')}</div>
+          <div class="k">Svrha</div><div class="v">${esc(z.svrha||'—')}</div>
+          <div class="k">Iznos</div><div class="v"><b style="color:var(--pgz-gold);font-size:15px">${fmtEur(z.iznos)}</b></div>
+          <div class="k">Datum predaje</div><div class="v">${esc(z.datum||'—')}</div>
+          <div class="k">Status</div><div class="v"><span class="tag am">${esc(z.status||'—')}</span></div>
+        </div>
+        <div style="margin-top:16px;display:flex;gap:8px">
+          <button class="btn primary">✓ Odobri</button>
+          <button class="btn">↩ Vrati podnositelju</button>
+          <button class="btn">✗ Odbij</button>
+        </div>
+        <div style="margin-top:18px;padding:14px;background:var(--bg3);border-radius:6px">
+          <div style="font-weight:700;color:var(--pgz-gold);font-size:11px;text-transform:uppercase;margin-bottom:8px">🔗 Blockchain seal</div>
+          <div style="font-size:11px;color:var(--t2)">Po odobrenju, hash zahtjeva + iznos zapisuje se u Polygon PoS (M11). Wallet: 0xD874...d368</div>
+        </div>`;
+    } else if(kind === 'audit'){
+      const a = MOCK.audit.concat(MOCK.audit_more||[]).find(x => x.what===id) || {ts:'',who:'',what:id};
+      body = `
+        <div class="kv">
+          <div class="k">Vrijeme</div><div class="v">${esc(a.ts)}</div>
+          <div class="k">Korisnik</div><div class="v" style="color:var(--pgz-gold)">${esc(a.who)}</div>
+          <div class="k">Akcija</div><div class="v">${a.what}</div>
+        </div>`;
+    } else if(kind === 'lijecnicki'){
+      body = `<div class="kv">
+        <div class="k">Sportaš</div><div class="v">${esc(id)}</div>
+        <div class="k">ZZJZ PGŽ</div><div class="v"><a href="https://zzjzpgz.hr" target="_blank">zzjzpgz.hr</a></div>
+      </div>
+      <div style="margin-top:14px"><button class="btn primary">📅 Zakaži termin (ZZJZ)</button></div>`;
+    } else if(kind === 'clan'){
+      body = `<h3 style="color:var(--t0);margin-bottom:10px">${esc(id)}</h3>
+      <div class="empty">Detalji člana — production: dohvati iz /api/clanovi/{id}</div>`;
+    } else {
+      body = '<div class="empty">Detalji.</div>';
+    }
+  } catch(e){ body = '<div class="empty">Greška pri dohvaćanju: '+esc(String(e))+'</div>'; }
+  $('#dpanel-body').innerHTML = body;
+}
+
+//=========== SIDEBAR ===========
+function toggleSidebar(){
+  const sb = $('#sb');
+  const tg = $('#sb-toggle');
+  if(!sb) return;
+  const c = sb.classList.toggle('collapsed');
+  if(tg) tg.textContent = '≡';
+  try { localStorage.setItem('sidebar-state', c ? 'collapsed' : 'expanded'); } catch(e){}
+}
+function restoreSidebar(){
+  try {
+    if(localStorage.getItem('sidebar-state') === 'collapsed') $('#sb').classList.add('collapsed');
+  } catch(e){}
+}
+
+//=========== ROLE SWITCH ===========
+function buildRoleSwitch(){
+  const rs = $('#role-switch');
+  rs.innerHTML = Object.entries(ROLES).map(([k,r]) =>
+    `<button data-role="${k}" onclick="setRole('${k}')" class="${k===_state.role?'active':''}">${esc(r.name)}</button>`
+  ).join('');
+}
+function setRole(r){
+  if(!ROLES[r]) return;
+  _state.role = r;
+  _state.section = 'profil';
+  try { localStorage.setItem('app-role', r); } catch(e){}
+  $$('.role-switch button').forEach(b => b.classList.toggle('active', b.dataset.role===r));
+  const role = ROLES[r];
+  // In demo mode, populate header from ROLES table; in real-auth mode, applyMeToHeader() owns it
+  if(_state.demoMode){
+    $('#user-name').innerHTML = esc(role.user) + `<span class="role-badge">${esc(role.name)}</span>`;
+    $('#user-av').innerHTML = '';
+    $('#user-av').textContent = role.av;
+    $('#user-tenant').textContent = role.sub;
+    $('#sf-name').textContent = role.user;
+    $('#sf-role').textContent = role.name;
+    $('#sf-av').innerHTML = '';
+    $('#sf-av').textContent = role.av;
+  }
+  $('#role-sub').textContent = (_state.me?.tenant_name) || role.sub;
+  $('#role-section-label').textContent = role.name.toUpperCase();
+  buildNav();
+  navTo('profil');
+}
+
+//=========== NAV ===========
+function buildNav(){
+  const items = NAV_BY_ROLE[_state.role] || [];
+  $('#nav').innerHTML = items.map(n =>
+    `<div class="nav-i ${n.id===_state.section?'active':''}" data-id="${n.id}" data-label="${esc(n.label)}" onclick="navTo('${n.id}')">
+      <span class="ic">${n.ic}</span>
+      <span class="lbl">${esc(n.label)}</span>
+      ${n.badge?`<span class="badge">${n.badge}</span>`:''}
+    </div>`
+  ).join('');
+}
+function navTo(id){
+  _state.section = id;
+  $$('.nav-i').forEach(el => el.classList.toggle('active', el.dataset.id===id));
+  loadSection();
+}
+function logout(){
+  if(!confirm('Odjava iz aplikacije?')) return;
+  try {
+    localStorage.removeItem('app-role');
+    localStorage.removeItem('jwt');
+  } catch(e){}
+  alert('Odjavljen. (Production: redirect na /login)');
+  window.location.href = '/sport/static/sport2.html';
+}
+
+//=========== SECTION TITLES ===========
+const TITLES = {
+  pgz: {
+    profil:['Moj profil','Osobni podaci i postavke'],
+    dashboard:['Dashboard','Pregled stanja PGŽ Sporta'],
+    korisnici:['Korisnici','Upravljanje korisnicima sustava'],
+    savezi:['Savezi','246 sportskih saveza'],
+    klubovi:['Klubovi','Sportski klubovi PGŽ'],
+    sportasi:['Sportaši','Registrirani članovi'],
+    financije:['Financije','Sufinanciranje sporta'],
+    racuni:['Računi (OCR)','OCR upload + obrada'],
+    crm:['CRM','Članarine + liječnički'],
+    audit:['Audit log','Sve aktivnosti sustava'],
+    forenzika:['Forenzika','Sumnjive transakcije / PEP'],
+  },
+  savez: {
+    profil:['Moj profil','Osobni podaci'],
+    dashboard:['Dashboard','Atletski savez PGŽ'],
+    klubovi:['Naši klubovi','Klubovi člana saveza'],
+    sportasi:['Naši sportaši','Registrirani sportaši saveza'],
+    zahtjevi:['Zahtjevi PGŽ','Sufinanciranje aktivnosti'],
+    kalendar:['Kalendar','Manifestacije saveza'],
+    lijecnicki:['Liječnički','Pregledi članova saveza'],
+    racuni:['Računi','Računi saveza'],
+  },
+  klub: {
+    profil:['Moj profil','Osobni podaci'],
+    dashboard:['Dashboard','AK Kvarner Rijeka'],
+    clanovi:['Članovi','Članovi kluba'],
+    clanarine:['Članarine','Stanje članarina'],
+    lijecnicki:['Liječnički','Pregledi članova'],
+    dokumenti:['Dokumenti','Dokumenti kluba'],
+    manifestacije:['Manifestacije','Nadolazeće aktivnosti'],
+    racuni:['Računi','Troškovi kluba'],
+  },
+  sportas: {
+    profil:['Moj profil','Osobni podaci'],
+    dashboard:['Pregled','Moja aktivnost'],
+    clanarina:['Članarina','Stanje moje članarine'],
+    lijecnicki:['Liječnički','Moj liječnički pregled'],
+    dokumenti:['Moji dokumenti','Suglasnosti, ugovori'],
+    obrasci:['Obrasci','Za potpis'],
+    manifestacije:['Manifestacije','Moje aktivnosti'],
+  },
+};
+
+function loadSection(){
+  const id = _state.section;
+  const role = _state.role;
+  const t = (TITLES[role] && TITLES[role][id]) || [id,''];
+  $('#tb-t').textContent = t[0];
+  $('#tb-s').textContent = t[1];
+  const fn = SECTIONS[role+':'+id] || SECTIONS[role+':default'] || (() => '<div class="empty">Sekcija u izradi.</div>');
+  $('#content').innerHTML = '<div class="loading">Učitavanje...</div>';
+  Promise.resolve(fn()).then(html => { $('#content').innerHTML = html || '<div class="empty">Nema podataka.</div>'; });
+}
+
+//=========== SECTION RENDERERS ===========
+const SECTIONS = {};
+
+// ──────────────────────── PROFILE PAGE (shared by all roles) ────────────────────────
+function profileMe(){
+  // Real user if available, else demo from ROLES table
+  if(_state.me) return _state.me;
+  const r = ROLES[_state.role] || ROLES.pgz;
+  const parts = String(r.user||'').split(/\s+/);
+  return {
+    id: 0, email:'demo@pgz.hr',
+    full_name: r.user, ime: parts[0]||'', prezime: parts.slice(1).join(' '),
+    user_type: _state.role==='pgz'?'pgz_admin':_state.role==='savez'?'savez_admin':_state.role==='klub'?'klub_admin':'klub_clan',
+    tenant_type: _state.role==='pgz'?'pgz':_state.role,
+    tenant_name: r.sub, tenant_id: null, tier: _state.role==='pgz'?0:_state.role==='savez'?1:2,
+    oib: '12345678901', telefon:'+385 91 234 5678', phone:null,
+    last_login: '2026-05-05T00:08:09', preferred_language:'hr',
+    avatar_url:null, two_factor_enabled:false,
+    gdpr_consent_at:null, created_at:'2026-04-01T08:00:00',
+    roles:[{code:'demo', naziv:r.name}]
+  };
+}
+function profileRender(){
+  const u = profileMe();
+  const name = u.full_name || ((u.ime||'')+' '+(u.prezime||'')).trim() || u.email || '—';
+  const av = u.avatar_url ? `<img src="${esc(u.avatar_url)}" alt="">`
+           : (u.google_picture ? `<img src="${esc(u.google_picture)}" alt="">` : esc(initials(name)));
+  const lastLogin = u.last_login ? new Date(u.last_login).toLocaleString('hr-HR') : '—';
+  const created = u.created_at ? new Date(u.created_at).toLocaleString('hr-HR') : '—';
+  const gdpr = u.gdpr_consent_at ? new Date(u.gdpr_consent_at).toLocaleDateString('hr-HR') : null;
+  const roleLabel = (ROLES[_state.role]||{}).name || u.user_type || 'Korisnik';
+  return `
+  <div class="profile-page">
+    <div class="profile-banner">
+      <div class="profile-avatar-big" id="prof-av-big" onclick="pickAvatar()" title="Klik za upload nove slike">
+        ${av}
+        <div class="upload-hint">📷 Promijeni sliku</div>
+      </div>
+      <div class="profile-banner-info">
+        <h1>${esc(name)}</h1>
+        <div class="role-line">${esc(roleLabel)} · ${esc(u.tenant_name || u.tenant_type || '')}</div>
+        <div class="tags-row">
+          <span class="tag b">${esc(u.user_type||'')}</span>
+          ${u.aktivan!==false ? '<span class="tag gr">Aktivan</span>' : '<span class="tag rd">Suspended</span>'}
+          ${u.two_factor_enabled ? '<span class="tag-2fa-on">2FA ON</span>' : '<span class="tag-2fa-off">2FA OFF</span>'}
+          ${gdpr ? `<span class="tag-gdpr">GDPR ${esc(gdpr)}</span>` : ''}
+        </div>
+      </div>
+      <div class="profile-banner-actions">
+        <button class="btn" onclick="pickAvatar()">📷 Slika</button>
+        <button class="btn primary" onclick="profileEditAll()">✏ Uredi profil</button>
+      </div>
+    </div>
+
+    <div class="profile-section">
+      <h3>Osobni podaci <span class="edit-link" onclick="profileEditAll()">✏ Uredi sva polja</span></h3>
+      <div class="profile-row" data-f="ime">
+        <div class="k">Ime</div>
+        <div class="v">${esc(u.ime||'')||'<span class="empty">—</span>'}</div>
+        <div class="a"><button class="btn sm" onclick="profileEditField('ime','Ime')">✏</button></div>
+      </div>
+      <div class="profile-row" data-f="prezime">
+        <div class="k">Prezime</div>
+        <div class="v">${esc(u.prezime||'')||'<span class="empty">—</span>'}</div>
+        <div class="a"><button class="btn sm" onclick="profileEditField('prezime','Prezime')">✏</button></div>
+      </div>
+      <div class="profile-row" data-f="full_name">
+        <div class="k">Puno ime</div>
+        <div class="v">${esc(u.full_name||'')||'<span class="empty">—</span>'}</div>
+        <div class="a"><button class="btn sm" onclick="profileEditField('full_name','Puno ime')">✏</button></div>
+      </div>
+      <div class="profile-row" data-f="email">
+        <div class="k">Email</div>
+        <div class="v">${esc(u.email||'—')}</div>
+        <div class="a"><span class="tag">read-only</span></div>
+      </div>
+      <div class="profile-row" data-f="telefon">
+        <div class="k">Telefon</div>
+        <div class="v">${esc(u.telefon||u.phone||'')||'<span class="empty">—</span>'}</div>
+        <div class="a"><button class="btn sm" onclick="profileEditField('telefon','Telefon')">✏</button></div>
+      </div>
+      <div class="profile-row" data-f="oib">
+        <div class="k">OIB</div>
+        <div class="v">${esc(u.oib||'')||'<span class="empty">—</span>'}</div>
+        <div class="a"><button class="btn sm" onclick="profileEditField('oib','OIB')">✏</button></div>
+      </div>
+      <div class="profile-row" data-f="preferred_language">
+        <div class="k">Jezik sučelja</div>
+        <div class="v">${esc(u.preferred_language||'hr')}</div>
+        <div class="a"><button class="btn sm" onclick="profileEditField('preferred_language','Jezik (hr/en)')">✏</button></div>
+      </div>
+    </div>
+
+    <div class="profile-section">
+      <h3>Tenant i ovlasti</h3>
+      <div class="profile-row"><div class="k">Tenant</div><div class="v">${esc(u.tenant_name || '—')}</div><div class="a"></div></div>
+      <div class="profile-row"><div class="k">Tip tenanta</div><div class="v"><span class="tag b">${esc(u.tenant_type || '—')}</span></div><div class="a"></div></div>
+      <div class="profile-row"><div class="k">Tier</div><div class="v">${u.tier!=null?u.tier:'—'} ${u.tier===0?'(PGŽ)':u.tier===1?'(savez)':u.tier===2?'(klub)':''}</div><div class="a"></div></div>
+      <div class="profile-row"><div class="k">User type</div><div class="v"><span class="tag gd">${esc(u.user_type || '—')}</span></div><div class="a"></div></div>
+      <div class="profile-row"><div class="k">Dodatne uloge</div><div class="v">${(u.roles||[]).map(r => `<span class="tag b" style="margin-right:4px">${esc(r.code)}</span>`).join('')||'<span class="empty">—</span>'}</div><div class="a"></div></div>
+    </div>
+
+    <div class="profile-section">
+      <h3>Sigurnost <span class="edit-link" onclick="profileChangePassword()">🔑 Promijeni lozinku</span></h3>
+      <div class="profile-row"><div class="k">2FA</div><div class="v">${u.two_factor_enabled?'<span class="tag-2fa-on">Uključeno</span>':'<span class="tag-2fa-off">Nije postavljeno</span>'}</div><div class="a"><button class="btn sm primary" onclick="profileSetup2FA()">${u.two_factor_enabled?'Provjeri':'Postavi'}</button></div></div>
+      <div class="profile-row"><div class="k">Mora promijeniti lozinku</div><div class="v">${u.must_change_pwd?'<span class="tag rd">DA</span>':'<span class="tag gr">NE</span>'}</div><div class="a"></div></div>
+      <div class="profile-row"><div class="k">GDPR pristanak</div><div class="v">${gdpr || '<span class="empty">Nije zabilježen</span>'}</div><div class="a">${gdpr?'':'<button class="btn sm">Dodijeli</button>'}</div></div>
+      <div class="profile-row"><div class="k">Status računa</div><div class="v"><span class="tag ${u.aktivan===false?'rd':'gr'}">${u.aktivan===false?'Suspended':'Aktivan'}</span></div><div class="a"></div></div>
+    </div>
+
+    <div class="profile-section">
+      <h3>Aktivnost</h3>
+      <div class="profile-row"><div class="k">Zadnji login</div><div class="v" style="font-family:var(--mono);font-size:11.5px">${esc(lastLogin)}</div><div class="a"></div></div>
+      <div class="profile-row"><div class="k">Račun kreiran</div><div class="v" style="font-family:var(--mono);font-size:11.5px">${esc(created)}</div><div class="a"></div></div>
+      <div class="profile-row"><div class="k">User ID</div><div class="v" style="font-family:var(--mono)">#${esc(u.id||0)}</div><div class="a"></div></div>
+    </div>
+
+    <div class="profile-section">
+      <h3>GDPR i podaci</h3>
+      <div style="font-size:11.5px;color:var(--t2);line-height:1.6;margin-bottom:10px">
+        Imaš pravo na pristup, izmjenu i brisanje svojih osobnih podataka prema GDPR uredbi (čl. 15–17, 20).
+      </div>
+      <div style="display:flex;gap:8px;flex-wrap:wrap">
+        <button class="btn" onclick="alert('Izvoz JSON svih podataka — backend M10')">📤 Izvezi moje podatke (JSON)</button>
+        <button class="btn" onclick="alert('Pregled audit zapisa o pristupu — M10')">🔍 Audit pristupa mojim podacima</button>
+        <button class="btn" style="border-color:var(--red);color:var(--red)" onclick="profileDeleteAccount()">🗑 Zatraži brisanje računa</button>
+      </div>
+    </div>
+  </div>`;
+}
+SECTIONS['pgz:profil']    = profileRender;
+SECTIONS['savez:profil']  = profileRender;
+SECTIONS['klub:profil']   = profileRender;
+SECTIONS['sportas:profil']= profileRender;
+
+// Profile actions
+function pickAvatar(){
+  if(!getToken()){
+    alert('Avatar upload zahtijeva login (JWT). U demo modu nije dostupan.');
+    return;
+  }
+  $('#avatar-input').click();
+}
+async function onAvatarPick(input){
+  const f = input.files && input.files[0];
+  if(!f) return;
+  if(f.size > 5*1024*1024){ alert('Slika prevelika (>5 MB)'); return; }
+  const fd = new FormData(); fd.append('file', f);
+  const av = $('#prof-av-big');
+  if(av) av.innerHTML = '<div style="font-size:14px;color:var(--t1)">⏳</div>';
+  const r = await apiAuth('/auth/me/avatar', {method:'POST', body:fd});
+  input.value = '';
+  if(r && r.avatar_url){
+    if(_state.me) _state.me.avatar_url = r.avatar_url;
+    applyMeToHeader();
+    loadSection(); // re-render profile
+  } else {
+    alert('Upload failed: '+(r&&r.status||'unknown'));
+    loadSection();
+  }
+}
+async function profileEditField(field, label){
+  const cur = (_state.me && _state.me[field]) || '';
+  const v = prompt(`${label}:`, cur);
+  if(v == null) return;
+  if(!getToken()){
+    if(_state.me){ _state.me[field] = v; }
+    else {
+      // demo: persist on local copy
+      if(!window._demoMe) window._demoMe = profileMe();
+      window._demoMe[field] = v;
+      _state.me = window._demoMe;
+    }
+    applyMeToHeader();
+    loadSection();
+    return;
+  }
+  const r = await apiAuth('/auth/me', {method:'PUT', body: JSON.stringify({[field]: v})});
+  if(r && !r.__error){ _state.me = r; applyMeToHeader(); loadSection(); }
+  else alert('Greška pri spremanju: '+(r&&r.status||'unknown'));
+}
+async function profileEditAll(){
+  // Open drill-down panel with full edit form
+  const u = profileMe();
+  openDetail('Uredi profil', `
+    <form id="prof-edit-form" onsubmit="return profileSaveAll(event)">
+      ${['ime','prezime','full_name','telefon','oib'].map(f => `
+        <div style="margin-bottom:12px">
+          <label style="display:block;font-size:11px;color:var(--t2);margin-bottom:4px;font-weight:600;text-transform:uppercase">${f}</label>
+          <input name="${f}" value="${esc(u[f]||'')}" style="background:var(--bg3);border:1px solid var(--rim);border-radius:5px;padding:8px 10px;color:var(--t1);font-size:13px;width:100%">
+        </div>`).join('')}
+      <div style="margin-bottom:12px">
+        <label style="display:block;font-size:11px;color:var(--t2);margin-bottom:4px;font-weight:600;text-transform:uppercase">Jezik</label>
+        <select name="preferred_language" style="background:var(--bg3);border:1px solid var(--rim);border-radius:5px;padding:8px 10px;color:var(--t1);font-size:13px;width:100%">
+          <option value="hr" ${(u.preferred_language||'hr')==='hr'?'selected':''}>Hrvatski</option>
+          <option value="en" ${u.preferred_language==='en'?'selected':''}>English</option>
+        </select>
+      </div>
+      <div style="display:flex;gap:8px;margin-top:18px">
+        <button type="submit" class="btn primary">💾 Spremi</button>
+        <button type="button" class="btn" onclick="closeDetail()">Odustani</button>
+      </div>
+    </form>`);
+}
+async function profileSaveAll(ev){
+  ev.preventDefault();
+  const fd = new FormData(ev.target);
+  const obj = {}; fd.forEach((v,k) => { obj[k]=v; });
+  if(!getToken()){
+    Object.assign(_state.me || {}, obj);
+    applyMeToHeader(); closeDetail(); loadSection();
+    return false;
+  }
+  const r = await apiAuth('/auth/me', {method:'PUT', body: JSON.stringify(obj)});
+  if(r && !r.__error){ _state.me = r; applyMeToHeader(); closeDetail(); loadSection(); }
+  else alert('Greška: '+(r&&r.status||'unknown'));
+  return false;
+}
+async function profileChangePassword(){
+  if(!getToken()){ alert('Login potreban (demo mode).'); return; }
+  const oldp = prompt('Stara lozinka:'); if(oldp==null) return;
+  const newp = prompt('Nova lozinka (min 8 znakova):'); if(newp==null) return;
+  if(newp.length < 8){ alert('Nova lozinka mora imati barem 8 znakova'); return; }
+  const r = await apiAuth('/auth/password/change', {method:'POST', body: JSON.stringify({old_password:oldp,new_password:newp})});
+  if(r && r.status==='ok') alert('Lozinka promijenjena ✓'); else alert('Greška: '+(r&&r.status||'unknown'));
+}
+async function profileSetup2FA(){
+  if(!getToken()){ alert('Login potreban (demo mode).'); return; }
+  const r = await apiAuth('/auth/2fa/setup', {method:'POST'});
+  if(r && r.qr_url) {
+    openDetail('Postavi 2FA', `<div style="text-align:center"><img src="${esc(r.qr_url)}" style="max-width:240px"><div style="margin-top:10px;font-size:12px;color:var(--t2)">Skeniraj QR kod u Google Authenticator / Authy</div><div style="margin-top:14px"><input id="totp-code" placeholder="6-cifreni kod" style="background:var(--bg3);border:1px solid var(--rim);border-radius:5px;padding:8px;color:var(--t1);width:140px"><button class="btn primary" onclick="profileVerify2FA()">Potvrdi</button></div></div>`);
+  } else alert('2FA setup failed');
+}
+async function profileVerify2FA(){
+  const code = $('#totp-code')?.value;
+  const r = await apiAuth('/auth/2fa/verify', {method:'POST', body: JSON.stringify({code})});
+  if(r && r.status==='ok'){ alert('2FA aktivirano ✓'); closeDetail(); loadSection(); }
+  else alert('Pogrešan kod.');
+}
+function profileDeleteAccount(){
+  if(!confirm('Zaista zatraži brisanje računa? GDPR brisanje je nepovratno.')) return;
+  alert('Zahtjev za brisanje poslan na PGŽ admin (M10 — backend).');
+}
+
+// =======================================================================
+// PGŽ ADMIN — Dashboard
+// =======================================================================
+SECTIONS['pgz:dashboard'] = async () => {
+  const d = await api('/dashboard') || {};
+  const kpis = `
+    <div class="kpi-grid">
+      <div class="kpi b click" onclick="navTo('savezi')"><div class="kpi-l">Saveza</div><div class="kpi-v">${fmt(d.aktivnih_saveza||246)}</div><div class="kpi-s">aktivnih</div><span class="kpi-trend up">+2 ovaj mj.</span></div>
+      <div class="kpi click" onclick="navTo('klubovi')"><div class="kpi-l">Klubova</div><div class="kpi-v">${fmt(d.aktivnih_klubova||1656)}</div><div class="kpi-s">registriranih</div></div>
+      <div class="kpi g click" onclick="navTo('sportasi')"><div class="kpi-l">Sportaša</div><div class="kpi-v">${fmt(d.aktivnih_clanova||3243)}</div><div class="kpi-s">aktivnih</div><span class="kpi-trend up">+45 ovaj mj.</span></div>
+      <div class="kpi a click" onclick="navTo('financije')"><div class="kpi-l">Proračun 2026</div><div class="kpi-v">${fmtEur(d.proracun_aktualni||2817309)}</div><div class="kpi-s">odobreno</div></div>
+      <div class="kpi r click" onclick="navTo('forenzika')"><div class="kpi-l">Critical alerts</div><div class="kpi-v">${fmt(d.critical_alerts||11)}</div><div class="kpi-s">forenzika</div></div>
+      <div class="kpi c click" onclick="navTo('crm')"><div class="kpi-l">Ist. liječničkih</div><div class="kpi-v">${fmt(d.isteki_lijecnicki||11)}</div><div class="kpi-s">treba obnoviti</div></div>
+    </div>`;
+
+  const reqHtml = MOCK.zahtjevi_pending.map(z => `
+    <div class="req-i" onclick="showDetail('zahtjev','${esc(z.id)}','Zahtjev ${esc(z.id)}')">
+      <div class="rh">
+        <div>
+          <div class="rt">${esc(z.naziv)}</div>
+          <div class="rsum">${esc(z.savez)} · ${esc(z.svrha)}</div>
+        </div>
+        <div><span class="tag am">${esc(z.status)}</span></div>
+      </div>
+      <div class="rmeta">
+        <div>Iznos: <b>${fmtEur(z.iznos)}</b></div>
+        <div>Predano: ${esc(z.datum)}</div>
+        <div>Klub: ${esc(z.klub||'—')}</div>
+      </div>
+    </div>`).join('');
+
+  const auditHtml = MOCK.audit.map(a =>
+    `<div class="audit-i" style="cursor:pointer" onclick='showDetail("audit",${JSON.stringify(a.what)},"Audit zapis")'><div class="ts">${esc(a.ts)}</div><div class="who">${esc(a.who)}</div><div class="what">${a.what}</div></div>`
+  ).join('');
+
+  return `
+    <div class="demo-banner">
+      <span style="font-size:18px">🛡️</span>
+      <div><b>PGŽ admin view</b> — najviša razina ovlaštenja. Vidiš sve saveze, klubove i transakcije.</div>
+    </div>
+    ${kpis}
+    <div class="row-3">
+      <div>
+        <div class="card">
+          <div class="card-h">
+            <div class="card-t">📋 Zahtjevi za sufinanciranje (${MOCK.zahtjevi_pending.length} čeka)</div>
+            <div class="card-actions"><button class="btn primary sm" onclick="navTo('financije')">Svi →</button></div>
+          </div>
+          ${reqHtml || '<div class="empty">Nema zahtjeva.</div>'}
+        </div>
+        <div class="card">
+          <div class="card-h"><div class="card-t">📊 Trend isplata 2025–2026</div></div>
+          <div class="chart-box"><canvas id="ch-trend"></canvas></div>
+        </div>
+      </div>
+      <div>
+        <div class="card">
+          <div class="card-h"><div class="card-t">⚡ Brze akcije</div></div>
+          <div style="display:grid;gap:8px">
+            <button class="btn primary" onclick="setRole('pgz');navTo('korisnici')">+ Dodaj korisnika</button>
+            <button class="btn" onclick="navTo('forenzika')">⚠ Pregled forenzike</button>
+            <button class="btn" onclick="navTo('racuni')">🧾 Skeniraj račun (OCR)</button>
+            <button class="btn" onclick="navTo('audit')">🔍 Audit log</button>
+            <button class="btn gold" onclick="window.open('/sport/','_blank')">🌐 Public portal</button>
+          </div>
+        </div>
+        <div class="card">
+          <div class="card-h"><div class="card-t">🔍 Audit log (zadnjih 6)</div></div>
+          ${auditHtml}
+        </div>
+      </div>
+    </div>`;
+};
+
+// chart hook executed after innerHTML
+const _origLoad = loadSection;
+loadSection = function(){
+  _origLoad();
+  setTimeout(() => {
+    const c = document.getElementById('ch-trend');
+    if(c && window.Chart){
+      try {
+        new Chart(c, {
+          type:'line',
+          data:{
+            labels:['I','II','III','IV','V','VI','VII','VIII','IX','X','XI','XII'],
+            datasets:[
+              {label:'2025',data:[180,220,240,280,310,350,290,320,360,400,420,440],borderColor:'#8a95b4',backgroundColor:'rgba(138,149,180,.15)',tension:.35},
+              {label:'2026',data:[210,260,290,330,380,420,null,null,null,null,null,null],borderColor:'#F4C430',backgroundColor:'rgba(244,196,48,.18)',tension:.35,fill:true},
+            ],
+          },
+          options:{responsive:true,maintainAspectRatio:false,plugins:{legend:{labels:{color:'#e2e6f0',font:{size:11}}}},scales:{x:{ticks:{color:'#8a95b4'},grid:{color:'#1e2a50'}},y:{ticks:{color:'#8a95b4'},grid:{color:'#1e2a50'}}}}
+        });
+      } catch(e){}
+    }
+  }, 80);
+};
+
+// PGŽ admin sub-pages
+SECTIONS['pgz:korisnici'] = () => {
+  const rows = MOCK.korisnici.map(u => `
+    <tr>
+      <td><b>${esc(u.ime)}</b></td>
+      <td>${esc(u.email)}</td>
+      <td><span class="tag b">${esc(u.role)}</span></td>
+      <td>${esc(u.tenant)}</td>
+      <td>${esc(u.status)==='aktivan'?'<span class="tag gr">aktivan</span>':'<span class="tag rd">suspended</span>'}</td>
+      <td>${esc(u.last_login)}</td>
+      <td><button class="btn sm" onclick="alert('Audit za korisnika ${esc(u.email)}')">Audit</button></td>
+    </tr>`).join('');
+  return `
+    <div class="card">
+      <div class="card-h">
+        <div class="card-t">👥 Korisnici sustava (${MOCK.korisnici.length})</div>
+        <div class="card-actions">
+          <button class="btn" onclick="alert('Bulk import iz CSV')">📥 Import CSV</button>
+          <button class="btn primary" onclick="alert('Wizard za dodavanje korisnika')">+ Novi korisnik</button>
+        </div>
+      </div>
+      <table>
+        <thead><tr><th>Ime</th><th>Email</th><th>Uloga</th><th>Tenant</th><th>Status</th><th>Zadnji login</th><th></th></tr></thead>
+        <tbody>${rows}</tbody>
+      </table>
+    </div>`;
+};
+
+SECTIONS['pgz:savezi'] = async () => {
+  const d = await api('/savezi') || {rows:[]};
+  const top = (d.rows||[]).slice(0,30);
+  const rows = top.map(s => `
+    <tr style="cursor:pointer" onclick="showDetail('savez',${s.id},${JSON.stringify(s.naziv)})">
+      <td><b>${esc(s.naziv)}</b></td>
+      <td class="num">${fmt(s.broj_klubova||'—')}</td>
+      <td class="num">${fmt(s.broj_sportasa||'—')}</td>
+      <td>${esc(s.predsjednik||'—')}</td>
+      <td><button class="btn sm" onclick="event.stopPropagation();showDetail('savez',${s.id},${JSON.stringify(s.naziv)})">Detalji</button></td>
+    </tr>`).join('');
+  return `<div class="card"><div class="card-h"><div class="card-t">🏅 Savezi PGŽ — top 30 (od ${d.count||246})</div></div>
+    <table><thead><tr><th>Naziv</th><th class="num">Klubovi</th><th class="num">Sportaši</th><th>Predsjednik</th><th></th></tr></thead><tbody>${rows||'<tr><td colspan=5 class="empty">Učitavam...</td></tr>'}</tbody></table>
+  </div>`;
+};
+
+SECTIONS['pgz:klubovi'] = async () => {
+  const d = await api('/klubovi?limit=40') || {rows:[]};
+  const rows = (d.rows||[]).slice(0,40).map(k => `
+    <tr style="cursor:pointer" onclick="showDetail('klub',${k.id},${JSON.stringify(k.naziv)})">
+      <td><b>${esc(k.naziv)}</b></td>
+      <td>${esc(k.savez||'—')}</td>
+      <td>${esc(k.grad||'—')}</td>
+      <td class="num">${fmt(k.broj_clanova||'—')}</td>
+      <td>${esc(k.predsjednik||'—')}</td>
+    </tr>`).join('');
+  return `<div class="card"><div class="card-h"><div class="card-t">⬢ Klubovi (${d.count||0})</div></div>
+    <table><thead><tr><th>Naziv</th><th>Savez</th><th>Grad</th><th class="num">Članova</th><th>Predsjednik</th></tr></thead><tbody>${rows||'<tr><td colspan=5 class="empty">—</td></tr>'}</tbody></table>
+  </div>`;
+};
+
+SECTIONS['pgz:sportasi'] = async () => {
+  const d = await api('/clanovi?limit=40') || {rows:[]};
+  const rows = (d.rows||[]).slice(0,40).map(c => `
+    <tr>
+      <td><b>${esc(c.ime+' '+(c.prezime||''))}</b></td>
+      <td>${esc(c.klub||'—')}</td>
+      <td>${esc(c.kategorija||'—')}</td>
+      <td>${esc(c.spol||'—')}</td>
+      <td>${esc(c.datum_rodjenja||'—')}</td>
+    </tr>`).join('');
+  return `<div class="card"><div class="card-h"><div class="card-t">👤 Sportaši (${d.count||0})</div></div>
+    <table><thead><tr><th>Ime i prezime</th><th>Klub</th><th>Kategorija</th><th>Spol</th><th>Rođen</th></tr></thead><tbody>${rows||'<tr><td colspan=5 class="empty">—</td></tr>'}</tbody></table>
+  </div>`;
+};
+
+SECTIONS['pgz:financije'] = async () => {
+  const d = await api('/proracun') || {};
+  return `
+    <div class="kpi-grid">
+      <div class="kpi"><div class="kpi-l">Proračun 2026</div><div class="kpi-v">${fmtEur(d.proracun||2817309)}</div></div>
+      <div class="kpi g"><div class="kpi-l">Isplaćeno</div><div class="kpi-v">${fmtEur(d.isplaceno||1240000)}</div></div>
+      <div class="kpi a"><div class="kpi-l">U obradi</div><div class="kpi-v">${fmtEur(d.u_obradi||320000)}</div></div>
+      <div class="kpi r"><div class="kpi-l">Odbijeno</div><div class="kpi-v">${fmtEur(d.odbijeno||45000)}</div></div>
+    </div>
+    <div class="card"><div class="card-h"><div class="card-t">📋 Pending zahtjevi za sufinanciranje</div></div>
+      ${MOCK.zahtjevi_pending.map(z => `
+        <div class="req-i">
+          <div class="rh"><div><div class="rt">${esc(z.naziv)}</div><div class="rsum">${esc(z.savez)} · ${esc(z.svrha)}</div></div>
+          <div><span class="tag am">${esc(z.status)}</span> <button class="btn sm primary">Odobri</button> <button class="btn sm">Odbij</button></div></div>
+          <div class="rmeta"><div>Iznos: <b>${fmtEur(z.iznos)}</b></div><div>Predano: ${esc(z.datum)}</div></div>
+        </div>`).join('')}
+    </div>`;
+};
+
+SECTIONS['pgz:racuni'] = () => `
+  <div class="card">
+    <div class="card-h"><div class="card-t">🧾 OCR upload (drag & drop)</div></div>
+    <div style="border:2px dashed var(--rim2);border-radius:8px;padding:40px;text-align:center;background:var(--bg3);cursor:pointer" onclick="alert('OCR upload — backend M5 (CC4)')">
+      <div style="font-size:48px;margin-bottom:8px">📷</div>
+      <div style="font-weight:700;color:var(--t0);margin-bottom:4px">Dovuci ovdje sliku ili PDF računa</div>
+      <div style="font-size:11px;color:var(--t2)">ili klikni za odabir · cestarina, gorivo, hotel, dnevnice...</div>
+      <button class="btn primary" style="margin-top:12px">📸 Snimi kamerom</button>
+    </div>
+    <div style="font-size:11px;color:var(--t4);margin-top:10px">Backend: Tesseract OCR + Ri.NET AI Engine ekstrakcija polja → invoices DB</div>
+  </div>
+  <div class="card">
+    <div class="card-h"><div class="card-t">📋 Nedavni računi</div></div>
+    <table><thead><tr><th>Datum</th><th>Izdavatelj</th><th>OIB</th><th>Vrsta</th><th class="num">Iznos</th><th>Status</th></tr></thead>
+    <tbody>${MOCK.invoices.map(r => `<tr><td>${esc(r.datum)}</td><td><b>${esc(r.izdavatelj)}</b></td><td>${esc(r.oib)}</td><td><span class="tag ${r.tag}">${esc(r.vrsta)}</span></td><td class="num">${fmtEur(r.iznos)}</td><td>${esc(r.status)}</td></tr>`).join('')}</tbody></table>
+  </div>`;
+
+SECTIONS['pgz:crm'] = () => `
+  <div style="margin-bottom:12px">
+    <a href="/sport/crm" target="_blank" class="btn primary" style="text-decoration:none">📋 Otvori CRM workspace (Članarine • Liječnički • Obrasci) — live API</a>
+  </div>
+  <div class="row-2">
+    <div class="card">
+      <div class="card-h"><div class="card-t">€ Članarine 2026</div></div>
+      <div class="kpi-grid" style="margin-bottom:0">
+        <div class="kpi g"><div class="kpi-l">Naplaćeno</div><div class="kpi-v">${fmtEur(5400)}</div></div>
+        <div class="kpi r"><div class="kpi-l">Dug</div><div class="kpi-v">${fmtEur(720)}</div></div>
+      </div>
+      <div style="margin-top:12px">
+        <button class="btn primary">📧 Notifikacija svima koji duguju</button>
+        <button class="btn">📄 Generiraj HUB-3 batch</button>
+      </div>
+    </div>
+    <div class="card">
+      <div class="card-h"><div class="card-t">⚕ Liječnički pregledi</div></div>
+      <div class="kpi-grid" style="margin-bottom:0">
+        <div class="kpi g"><div class="kpi-l">Validni</div><div class="kpi-v">${fmt(3232)}</div></div>
+        <div class="kpi a"><div class="kpi-l">Uskoro istek (30d)</div><div class="kpi-v">0</div></div>
+        <div class="kpi r"><div class="kpi-l">Istekli</div><div class="kpi-v">11</div></div>
+      </div>
+      <div style="margin-top:12px"><button class="btn primary">📅 ZZJZ PGŽ rezervacija</button></div>
+    </div>
+  </div>`;
+
+SECTIONS['pgz:audit'] = () => `
+  <div class="card">
+    <div class="card-h"><div class="card-t">🔍 Audit log — sve aktivnosti</div>
+      <div class="card-actions">
+        <input type="text" placeholder="Pretraži korisnika..." style="background:var(--bg2);border:1px solid var(--rim);border-radius:5px;padding:6px 10px;color:var(--t1);font-size:12px">
+      </div>
+    </div>
+    ${MOCK.audit.concat(MOCK.audit_more).map(a =>
+      `<div class="audit-i"><div class="ts">${esc(a.ts)}</div><div class="who">${esc(a.who)}</div><div class="what">${a.what}</div></div>`
+    ).join('')}
+  </div>`;
+
+SECTIONS['pgz:forenzika'] = () => `
+  <div class="card">
+    <div class="card-h"><div class="card-t">⚠ Forenzika — sumnjive transakcije</div></div>
+    ${MOCK.forenzika.map(f => `
+      <div class="alert-card ${f.sev==='crit'?'crit':''}">
+        <div class="at">${esc(f.title)}</div>
+        <div class="ad">${esc(f.desc)}</div>
+        <div style="margin-top:6px"><span class="tag ${f.sev==='crit'?'rd':'am'}">${esc(f.sev)}</span> <span class="tag">${esc(f.tip)}</span></div>
+      </div>`).join('')}
+  </div>`;
+
+// =======================================================================
+// SAVEZ ADMIN — Dashboard + sub-pages
+// =======================================================================
+SECTIONS['savez:dashboard'] = () => {
+  const klubHtml = MOCK.savez_klubovi.map(k => `
+    <div class="member-i">
+      <div class="av">${esc(k.naziv.substring(0,2).toUpperCase())}</div>
+      <div>
+        <div class="mn">${esc(k.naziv)}</div>
+        <div class="mp">${esc(k.grad)} · ${fmt(k.clanova)} članova</div>
+      </div>
+      <div class="mright">
+        ${k.alert?'<span class="tag am">⚠</span>':'<span class="tag gr">OK</span>'}
+      </div>
+    </div>`).join('');
+
+  return `
+    <div class="demo-banner">
+      <span style="font-size:18px">🏅</span>
+      <div><b>Savez admin view</b> — vidiš sve klubove i sportaše u svom savezu (Atletski savez PGŽ).</div>
+    </div>
+    <div class="kpi-grid">
+      <div class="kpi b click" onclick="navTo('klubovi')"><div class="kpi-l">Naših klubova</div><div class="kpi-v">12</div><div class="kpi-s">aktivnih</div></div>
+      <div class="kpi g click" onclick="navTo('sportasi')"><div class="kpi-l">Sportaša</div><div class="kpi-v">487</div><div class="kpi-s">registriranih</div></div>
+      <div class="kpi a click" onclick="navTo('zahtjevi')"><div class="kpi-l">Zahtjevi PGŽ</div><div class="kpi-v">3</div><div class="kpi-s">u obradi</div></div>
+      <div class="kpi r click" onclick="navTo('lijecnicki')"><div class="kpi-l">Liječnički ist.</div><div class="kpi-v">7</div><div class="kpi-s">do 30 dana</div></div>
+    </div>
+    <div class="row-2">
+      <div class="card">
+        <div class="card-h"><div class="card-t">⬢ Naši klubovi (12)</div><div class="card-actions"><button class="btn primary sm" onclick="navTo('klubovi')">Svi →</button></div></div>
+        ${klubHtml}
+      </div>
+      <div class="card">
+        <div class="card-h"><div class="card-t">📑 Naši zahtjevi PGŽ-u</div></div>
+        ${MOCK.savez_zahtjevi.map(z => `
+          <div class="req-i">
+            <div class="rh"><div class="rt">${esc(z.naziv)}</div>
+              <div><span class="tag ${z.tag}">${esc(z.status)}</span></div>
+            </div>
+            <div class="rmeta"><div>Iznos: <b>${fmtEur(z.iznos)}</b></div><div>Predano: ${esc(z.datum)}</div></div>
+          </div>`).join('')}
+      </div>
+    </div>
+    <div class="card">
+      <div class="card-h"><div class="card-t">⚕ Liječnički pregledi koji ističu (uskoro)</div></div>
+      <table>
+        <thead><tr><th>Sportaš</th><th>Klub</th><th>Datum isteka</th><th>Dana do isteka</th><th></th></tr></thead>
+        <tbody>${MOCK.lijecnicki_uskoro.map(l => `<tr><td><b>${esc(l.ime)}</b></td><td>${esc(l.klub)}</td><td>${esc(l.datum)}</td><td><span class="tag am">${l.dana} dana</span></td><td><button class="btn sm">Zakazat ZZJZ</button></td></tr>`).join('')}</tbody>
+      </table>
+    </div>`;
+};
+
+SECTIONS['savez:klubovi'] = () => `
+  <div class="card"><div class="card-h"><div class="card-t">⬢ Klubovi Atletskog saveza PGŽ (12)</div></div>
+  <table><thead><tr><th>Klub</th><th>Grad</th><th class="num">Članova</th><th>Predsjednik</th><th>Status</th></tr></thead>
+  <tbody>${MOCK.savez_klubovi_full.map(k => `<tr><td><b>${esc(k.naziv)}</b></td><td>${esc(k.grad)}</td><td class="num">${fmt(k.clanova)}</td><td>${esc(k.predsjednik)}</td><td>${k.alert?'<span class="tag am">⚠ Liječnički</span>':'<span class="tag gr">OK</span>'}</td></tr>`).join('')}</tbody></table>
+  </div>`;
+
+SECTIONS['savez:sportasi'] = () => `
+  <div class="card"><div class="card-h"><div class="card-t">👤 Naši sportaši (487)</div></div>
+  <div class="kpi-grid">
+    <div class="kpi"><div class="kpi-l">Senior</div><div class="kpi-v">142</div></div>
+    <div class="kpi b"><div class="kpi-l">Juniori</div><div class="kpi-v">98</div></div>
+    <div class="kpi g"><div class="kpi-l">Mladi</div><div class="kpi-v">156</div></div>
+    <div class="kpi a"><div class="kpi-l">Reprezent.</div><div class="kpi-v">22</div></div>
+  </div>
+  <table><thead><tr><th>Ime i prezime</th><th>Klub</th><th>Disciplina</th><th>Kategorija</th><th>Liječnički</th></tr></thead>
+  <tbody>${MOCK.savez_sportasi.map(s => `<tr><td><b>${esc(s.ime)}</b></td><td>${esc(s.klub)}</td><td>${esc(s.disciplina)}</td><td><span class="tag b">${esc(s.kat)}</span></td><td>${s.lijecnicki==='ok'?'<span class="tag gr">OK</span>':'<span class="tag am">istek</span>'}</td></tr>`).join('')}</tbody></table>
+  </div>`;
+
+SECTIONS['savez:zahtjevi'] = () => `
+  <div class="card"><div class="card-h"><div class="card-t">📑 Naši zahtjevi za sufinanciranje</div><div class="card-actions"><button class="btn primary">+ Novi zahtjev</button></div></div>
+  ${MOCK.savez_zahtjevi.concat(MOCK.savez_zahtjevi_more).map(z => `
+    <div class="req-i">
+      <div class="rh"><div><div class="rt">${esc(z.naziv)}</div><div class="rsum">${esc(z.svrha||'')}</div></div>
+      <div><span class="tag ${z.tag}">${esc(z.status)}</span></div></div>
+      <div class="rmeta"><div>Iznos: <b>${fmtEur(z.iznos)}</b></div><div>Predano: ${esc(z.datum)}</div></div>
+    </div>`).join('')}
+  </div>`;
+
+SECTIONS['savez:kalendar'] = () => `
+  <div class="card"><div class="card-h"><div class="card-t">📅 Kalendar manifestacija — Svibanj 2026</div></div>
+  <div class="cal-grid">
+    ${'PON UTO SRI ČET PET SUB NED'.split(' ').map(h => `<div class="cal-h">${h}</div>`).join('')}
+    ${[...Array(31)].map((_,i) => {
+      const day = i+1;
+      const ev = [4,11,18,25,9,16,30].includes(day);
+      const today = day===5;
+      return `<div class="cal-d ${today?'t':''} ${ev?'has-event':''}"><b>${day}</b>${ev?`<div style="font-size:9px;color:var(--pgz-gold);margin-top:2px">Trening / utakmica</div>`:''}</div>`;
+    }).join('')}
+  </div>
+  <div style="margin-top:14px;font-size:11px;color:var(--t2)">● Trening kamp Platak (4–6.5) · ● Liga PGŽ atletika (11.5) · ● Open senior (18.5) · ● Memorijalna utrka (25.5)</div>
+  </div>`;
+
+SECTIONS['savez:lijecnicki'] = () => `
+  <div class="card"><div class="card-h"><div class="card-t">⚕ Liječnički pregledi članova saveza</div><div class="card-actions"><button class="btn primary">📅 Bulk ZZJZ rezervacija</button></div></div>
+  <div class="kpi-grid">
+    <div class="kpi g"><div class="kpi-l">Validni</div><div class="kpi-v">468</div></div>
+    <div class="kpi a"><div class="kpi-l">Uskoro istek</div><div class="kpi-v">7</div></div>
+    <div class="kpi r"><div class="kpi-l">Istekli</div><div class="kpi-v">12</div></div>
+  </div>
+  <table><thead><tr><th>Sportaš</th><th>Klub</th><th>Vrijedi do</th><th>Doktor</th><th>Status</th><th></th></tr></thead>
+  <tbody>${MOCK.lijecnicki_uskoro.map(l => `<tr><td><b>${esc(l.ime)}</b></td><td>${esc(l.klub)}</td><td>${esc(l.datum)}</td><td>${esc(l.doktor||'Dr. Marković')}</td><td><span class="tag am">${l.dana} dana</span></td><td><button class="btn sm">Zakaži</button></td></tr>`).join('')}</tbody></table>
+  </div>`;
+
+SECTIONS['savez:racuni'] = SECTIONS['pgz:racuni'];
+
+// =======================================================================
+// KLUB ADMIN — Dashboard + sub-pages
+// =======================================================================
+SECTIONS['klub:dashboard'] = () => {
+  return `
+    <div class="demo-banner">
+      <span style="font-size:18px">⬢</span>
+      <div><b>Klub admin view</b> — AK Kvarner Rijeka. Upravljaš članstvom, plaćanjima i dokumentima.</div>
+    </div>
+    <div class="kpi-grid">
+      <div class="kpi b click" onclick="navTo('clanovi')"><div class="kpi-l">Članova</div><div class="kpi-v">87</div><div class="kpi-s">aktivnih</div><span class="kpi-trend up">+4 ovaj mjesec</span></div>
+      <div class="kpi g click" onclick="navTo('clanarine')"><div class="kpi-l">Naplaćeno</div><div class="kpi-v">${fmtEur(2840)}</div><div class="kpi-s">članarine 2026</div></div>
+      <div class="kpi r click" onclick="navTo('clanarine')"><div class="kpi-l">Dug</div><div class="kpi-v">${fmtEur(420)}</div><div class="kpi-s">7 članova</div></div>
+      <div class="kpi a click" onclick="navTo('lijecnicki')"><div class="kpi-l">Liječnički istek</div><div class="kpi-v">3</div><div class="kpi-s">do 30 dana</div></div>
+      <div class="kpi c click" onclick="navTo('lijecnicki')"><div class="kpi-l">Validni liječ.</div><div class="kpi-v">82</div><div class="kpi-s">aktivnih</div></div>
+      <div class="kpi click" onclick="navTo('manifestacije')"><div class="kpi-l">Manifest.</div><div class="kpi-v">5</div><div class="kpi-s">nadolazeće</div></div>
+    </div>
+
+    <div class="row-2">
+      <div class="card">
+        <div class="card-h"><div class="card-t">👥 Najnoviji članovi</div><div class="card-actions"><button class="btn primary sm" onclick="navTo('clanovi')">Svi →</button></div></div>
+        ${MOCK.klub_clanovi.slice(0,6).map(c => `
+          <div class="member-i">
+            <div class="av">${esc((c.ime[0]+(c.prezime?c.prezime[0]:'')).toUpperCase())}</div>
+            <div>
+              <div class="mn">${esc(c.ime+' '+c.prezime)}</div>
+              <div class="mp">${esc(c.kat)} · ${esc(c.discipline||'Trčanje')}</div>
+            </div>
+            <div class="mright">
+              ${c.dug?'<span class="tag rd">Dug</span>':'<span class="tag gr">€ OK</span>'}
+              ${c.lijecnicki==='istek'?'<span class="tag am">⚕ istek</span>':''}
+            </div>
+          </div>`).join('')}
+      </div>
+      <div class="card">
+        <div class="card-h"><div class="card-t">⚡ Brze akcije</div></div>
+        <div style="display:grid;gap:8px">
+          <button class="btn primary" onclick="navTo('clanovi')">+ Dodaj člana</button>
+          <button class="btn gold" onclick="navTo('racuni')">🧾 Skeniraj račun (OCR)</button>
+          <button class="btn" onclick="navTo('clanarine')">€ Članarine + HUB-3</button>
+          <button class="btn" onclick="navTo('lijecnicki')">⚕ Liječnički bulk ZZJZ</button>
+          <button class="btn" onclick="alert('Obrazac sufinanciranja — M9')">📑 Predaj zahtjev PGŽ</button>
+        </div>
+      </div>
+    </div>
+    <div class="row-2">
+      <div class="card">
+        <div class="card-h"><div class="card-t">⚕ Pregledi koji uskoro ističu</div></div>
+        ${MOCK.klub_lijecnicki.filter(l => l.uskoro).slice(0,4).map(l => `
+          <div class="alert-card">
+            <div class="at">${esc(l.ime)}</div>
+            <div class="ad">Vrijedi do: <b>${esc(l.datum)}</b> · ${esc(l.dana)} dana preostaje</div>
+          </div>`).join('') || '<div class="empty">Svi pregledi su važeći ✓</div>'}
+      </div>
+      <div class="card">
+        <div class="card-h"><div class="card-t">📅 Nadolazeće manifestacije</div></div>
+        ${MOCK.klub_manifestacije.map(m => `
+          <div class="alert-card ok">
+            <div class="at">${esc(m.naziv)}</div>
+            <div class="ad">${esc(m.datum)} · ${esc(m.lokacija)} · ${esc(m.tip)}</div>
+          </div>`).join('')}
+      </div>
+    </div>`;
+};
+
+SECTIONS['klub:clanovi'] = () => `
+  <div class="card"><div class="card-h"><div class="card-t">👥 Članovi AK Kvarner Rijeka (87)</div>
+    <div class="card-actions"><button class="btn primary">+ Dodaj člana</button></div></div>
+  <table><thead><tr><th>Ime</th><th>Kategorija</th><th>Disciplina</th><th>Članarina</th><th>Liječnički</th><th>Datum upisa</th></tr></thead>
+  <tbody>${MOCK.klub_clanovi.map(c => `<tr><td><b>${esc(c.ime+' '+c.prezime)}</b></td><td><span class="tag b">${esc(c.kat)}</span></td><td>${esc(c.discipline||'—')}</td><td>${c.dug?'<span class="tag rd">Dug</span>':'<span class="tag gr">Plaćeno</span>'}</td><td>${c.lijecnicki==='istek'?'<span class="tag am">istek</span>':'<span class="tag gr">OK</span>'}</td><td>${esc(c.upisan||'2024-09-01')}</td></tr>`).join('')}</tbody></table>
+  </div>`;
+
+SECTIONS['klub:clanarine'] = () => `
+  <div style="margin-bottom:10px"><a href="/sport/crm" target="_blank" class="btn primary" style="text-decoration:none">📋 Otvori live CRM (HUB-3 PDF + EPC QR generator)</a></div>
+  <div class="row-2">
+    <div class="card"><div class="card-h"><div class="card-t">€ Članarine 2026</div></div>
+    <div class="kpi-grid"><div class="kpi g"><div class="kpi-l">Plaćeno</div><div class="kpi-v">80</div></div><div class="kpi r"><div class="kpi-l">Dug</div><div class="kpi-v">7</div></div></div>
+    <button class="btn primary">📧 Pošalji notifikaciju (7 dužnika)</button>
+    </div>
+    <div class="card"><div class="card-h"><div class="card-t">📄 HUB-3 uplatnica + EPC QR</div></div>
+    <div style="background:var(--bg3);border:1px solid var(--rim);border-radius:6px;padding:12px;font-family:var(--mono);font-size:11px">
+    IBAN: HR1234567890123456789<br>
+    Iznos: 60,00 EUR<br>
+    Poziv na broj: HR00 2026-{clan_id}<br>
+    Opis: Članarina 2026
+    </div>
+    <button class="btn gold" style="margin-top:10px">📥 Generiraj PDF</button> <button class="btn">📱 EPC QR (mobile banking)</button>
+    </div>
+  </div>
+  <div class="card"><div class="card-h"><div class="card-t">📋 Sve članarine</div></div>
+  <table><thead><tr><th>Član</th><th>Godina</th><th class="num">Iznos</th><th>Dospijeće</th><th>Datum uplate</th><th>Status</th></tr></thead>
+  <tbody>${MOCK.klub_clanarine.map(c => `<tr><td>${esc(c.clan)}</td><td>${esc(c.god)}</td><td class="num">${fmtEur(c.iznos)}</td><td>${esc(c.dosp)}</td><td>${esc(c.uplata||'—')}</td><td>${c.status==='OK'?'<span class="tag gr">OK</span>':'<span class="tag rd">Dug</span>'}</td></tr>`).join('')}</tbody></table>
+  </div>`;
+
+SECTIONS['klub:lijecnicki'] = () => `
+  <div style="margin-bottom:10px"><a href="/sport/crm" target="_blank" class="btn primary" style="text-decoration:none">⚕ Otvori live CRM — pregledi + ZZJZ PGŽ scheduling</a></div>
+  <div class="card"><div class="card-h"><div class="card-t">⚕ Liječnički pregledi članova</div>
+  <div class="card-actions"><button class="btn primary">📅 Bulk ZZJZ termini</button></div></div>
+  <table><thead><tr><th>Član</th><th>Datum pregleda</th><th>Vrijedi do</th><th>Doktor</th><th>Status</th><th></th></tr></thead>
+  <tbody>${MOCK.klub_lijecnicki.map(l => `<tr><td><b>${esc(l.ime)}</b></td><td>${esc(l.pregled)}</td><td>${esc(l.datum)}</td><td>${esc(l.doktor||'Dr. Marković')}</td><td>${l.uskoro?'<span class="tag am">uskoro</span>':l.istekao?'<span class="tag rd">istekao</span>':'<span class="tag gr">OK</span>'}</td><td><button class="btn sm">PDF</button></td></tr>`).join('')}</tbody></table>
+  </div>`;
+
+SECTIONS['klub:dokumenti'] = () => `
+  <div class="card"><div class="card-h"><div class="card-t">📄 Dokumenti kluba</div><div class="card-actions"><button class="btn primary">+ Upload</button></div></div>
+  <table><thead><tr><th>Naziv</th><th>Vrsta</th><th>Datum</th><th>Veličina</th><th></th></tr></thead>
+  <tbody>${MOCK.klub_dokumenti.map(d => `<tr><td><b>${esc(d.naziv)}</b></td><td><span class="tag b">${esc(d.vrsta)}</span></td><td>${esc(d.datum)}</td><td>${esc(d.size)}</td><td><button class="btn sm">📥</button></td></tr>`).join('')}</tbody></table>
+  </div>`;
+
+SECTIONS['klub:manifestacije'] = () => `
+  <div class="card"><div class="card-h"><div class="card-t">📅 Manifestacije</div></div>
+  ${MOCK.klub_manifestacije.concat([{naziv:'Kros u Krašu',datum:'2026-06-12',lokacija:'Krk',tip:'utakmica'},{naziv:'Trening kamp Platak',datum:'2026-07-04',lokacija:'Platak',tip:'priprema'}]).map(m => `
+    <div class="alert-card ok">
+      <div class="at">${esc(m.naziv)}</div>
+      <div class="ad">${esc(m.datum)} · ${esc(m.lokacija)} · ${esc(m.tip)}</div>
+    </div>`).join('')}
+  </div>`;
+
+SECTIONS['klub:racuni'] = SECTIONS['pgz:racuni'];
+
+// =======================================================================
+// SPORTAŠ — Dashboard + sub-pages
+// =======================================================================
+SECTIONS['sportas:dashboard'] = () => `
+  <div class="demo-banner">
+    <span style="font-size:18px">👤</span>
+    <div><b>Sportaš view</b> — Luka Horvat. Vidiš samo svoje podatke i obrasce za potpis.</div>
+  </div>
+  <div class="row-3">
+    <div>
+      <div class="card profile-card">
+        <div class="profile-photo" onclick="alert('Upload nove slike profila')">LH</div>
+        <div class="profile-info">
+          <h2>Luka Horvat</h2>
+          <div class="sub">AK Kvarner Rijeka · Atletika · Trčanje 800m / 1500m</div>
+          <div class="tags-row">
+            <span class="tag b">Senior</span>
+            <span class="tag gd">Reprezentativac</span>
+            <span class="tag gr">Aktivan</span>
+          </div>
+          <div class="kv">
+            <div class="k">OIB</div><div class="v">12345678901</div>
+            <div class="k">Datum rođenja</div><div class="v">1998-03-14 (28 god)</div>
+            <div class="k">Email</div><div class="v">luka.horvat@example.hr</div>
+            <div class="k">Telefon</div><div class="v">+385 91 234 5678</div>
+            <div class="k">Trener</div><div class="v">Igor Tomić</div>
+          </div>
+        </div>
+      </div>
+      <div class="card">
+        <div class="card-h"><div class="card-t">🏆 Moje statistike 2026</div></div>
+        <div class="kpi-grid">
+          <div class="kpi"><div class="kpi-l">Treninzi</div><div class="kpi-v">156</div></div>
+          <div class="kpi b"><div class="kpi-l">Utakmice</div><div class="kpi-v">12</div></div>
+          <div class="kpi g"><div class="kpi-l">Pobjede</div><div class="kpi-v">8</div></div>
+          <div class="kpi a"><div class="kpi-l">PB 800m</div><div class="kpi-v">1:48.3</div></div>
+        </div>
+      </div>
+    </div>
+    <div>
+      <div class="card click-card" onclick="navTo('clanarina')">
+        <div class="card-h"><div class="card-t">€ Moja članarina</div><div class="card-actions"><span class="tag b">Detalji →</span></div></div>
+        <div class="alert-card ok">
+          <div class="at">2026 · Plaćeno ✓</div>
+          <div class="ad">Iznos: <b>60,00 €</b> · Datum uplate: 2026-01-15 · IBAN HR12...789</div>
+        </div>
+      </div>
+      <div class="card click-card" onclick="navTo('lijecnicki')">
+        <div class="card-h"><div class="card-t">⚕ Liječnički pregled</div><div class="card-actions"><span class="tag b">Detalji →</span></div></div>
+        <div class="alert-card">
+          <div class="at">⚠ Vrijedi do 2026-08-15 (103 dana)</div>
+          <div class="ad">Doktor: Dr. Marković · ZZJZ PGŽ</div>
+        </div>
+      </div>
+      <div class="card click-card" onclick="navTo('obrasci')">
+        <div class="card-h"><div class="card-t">📝 Obrasci za potpis</div><div class="card-actions"><span class="tag am">1 čeka</span></div></div>
+        <div class="alert-card crit">
+          <div class="at">GDPR suglasnost 2026</div>
+          <div class="ad">Potrebno potpisati do 2026-06-01 — klik za potpisivanje</div>
+        </div>
+      </div>
+    </div>
+  </div>`;
+
+SECTIONS['sportas:clanarina'] = () => `
+  <div class="card"><div class="card-h"><div class="card-t">€ Moja članarina</div></div>
+  <table><thead><tr><th>Godina</th><th class="num">Iznos</th><th>Dospijeće</th><th>Uplata</th><th>Status</th><th></th></tr></thead>
+  <tbody>
+    <tr><td>2026</td><td class="num">${fmtEur(60)}</td><td>2026-01-31</td><td>2026-01-15</td><td><span class="tag gr">Plaćeno</span></td><td><button class="btn sm">PDF</button></td></tr>
+    <tr><td>2025</td><td class="num">${fmtEur(60)}</td><td>2025-01-31</td><td>2025-01-22</td><td><span class="tag gr">Plaćeno</span></td><td><button class="btn sm">PDF</button></td></tr>
+    <tr><td>2024</td><td class="num">${fmtEur(50)}</td><td>2024-01-31</td><td>2024-02-04</td><td><span class="tag gr">Plaćeno</span></td><td><button class="btn sm">PDF</button></td></tr>
+  </tbody></table>
+  </div>`;
+
+SECTIONS['sportas:lijecnicki'] = () => `
+  <div style="margin-bottom:10px"><a href="/sport/crm" target="_blank" class="btn primary" style="text-decoration:none">⚕ Otvori live CRM — pregledi + ZZJZ PGŽ scheduling</a></div>`+`
+  <div class="card"><div class="card-h"><div class="card-t">⚕ Moji liječnički pregledi</div></div>
+  <div class="alert-card">
+    <div class="at">⚠ Trenutni: vrijedi do 2026-08-15 (103 dana)</div>
+    <div class="ad">Doktor: Dr. Marković · ZZJZ PGŽ Rijeka · Sportska medicina</div>
+  </div>
+  <div style="margin-top:14px;padding:14px;background:var(--bg3);border-radius:6px">
+    <div style="font-weight:700;color:var(--t0);margin-bottom:8px">📅 Zakazivanje preko ZZJZ PGŽ</div>
+    <div style="font-size:11.5px;color:var(--t2);margin-bottom:10px">Na raspolaganju imaš online termin u ZZJZ PGŽ Rijeka. Cijena pregleda: 35 €.</div>
+    <button class="btn primary" onclick="window.open('https://zzjzpgz.hr/','_blank')">🌐 Otvori ZZJZ PGŽ portal</button>
+    <button class="btn gold" style="margin-left:6px">📅 Zakaži termin</button>
+  </div>
+  <div style="margin-top:14px"><h4 style="font-size:12px;color:var(--t2);text-transform:uppercase;margin-bottom:8px">Povijest pregleda</h4>
+  <table><thead><tr><th>Datum</th><th>Doktor</th><th>Vrijedi do</th><th>Status</th><th></th></tr></thead>
+  <tbody>
+    <tr><td>2025-08-15</td><td>Dr. Marković</td><td>2026-08-15</td><td><span class="tag gr">aktivan</span></td><td><button class="btn sm">PDF</button></td></tr>
+    <tr><td>2024-08-12</td><td>Dr. Marković</td><td>2025-08-12</td><td><span class="tag">istekao</span></td><td><button class="btn sm">PDF</button></td></tr>
+  </tbody></table></div>
+  </div>`;
+
+SECTIONS['sportas:dokumenti'] = () => `
+  <div class="card"><div class="card-h"><div class="card-t">📄 Moji dokumenti</div></div>
+  <table><thead><tr><th>Dokument</th><th>Vrsta</th><th>Datum</th><th>Status</th><th></th></tr></thead>
+  <tbody>
+    <tr><td><b>GDPR suglasnost 2026</b></td><td><span class="tag b">Pravni</span></td><td>—</td><td><span class="tag am">Treba potpis</span></td><td><button class="btn sm primary">Potpiši</button></td></tr>
+    <tr><td><b>Ugovor članstvo 2026</b></td><td><span class="tag b">Ugovor</span></td><td>2026-01-15</td><td><span class="tag gr">Potpisan</span></td><td><button class="btn sm">📥</button></td></tr>
+    <tr><td><b>Suglasnost roditelja (2024)</b></td><td><span class="tag b">Pravni</span></td><td>2024-09-01</td><td><span class="tag gr">Arhivirano</span></td><td><button class="btn sm">📥</button></td></tr>
+    <tr><td><b>Liječnički certifikat 2025</b></td><td><span class="tag cy">Medicinski</span></td><td>2025-08-15</td><td><span class="tag gr">Validan</span></td><td><button class="btn sm">📥</button></td></tr>
+  </tbody></table>
+  </div>`;
+
+SECTIONS['sportas:obrasci'] = () => `
+  <div style="margin-bottom:10px"><a href="/sport/crm" target="_blank" class="btn primary" style="text-decoration:none">📝 Otvori live obrasce — popuni i digitalno potpiši</a></div>
+  <div class="card"><div class="card-h"><div class="card-t">📝 Obrasci za potpis</div></div>
+  <div class="alert-card crit">
+    <div class="at">GDPR suglasnost 2026 — obvezno do 2026-06-01</div>
+    <div class="ad">Klikom potpisuješ digitalno (sha256 + timestamp) — pohrana u blockchain audit (Polygon)</div>
+    <div style="margin-top:8px"><button class="btn primary">📝 Otvori i potpiši</button></div>
+  </div>
+  <div class="alert-card ok">
+    <div class="at">✓ Suglasnost na obradu osobnih podataka — POTPISANO</div>
+    <div class="ad">Datum: 2026-01-15 · sha256: a3f2...b9d1</div>
+  </div>
+  <div class="alert-card ok">
+    <div class="at">✓ Pristanak na sudjelovanje — POTPISANO</div>
+    <div class="ad">Datum: 2026-01-15 · sha256: 9c1d...4e8a</div>
+  </div>
+  </div>`;
+
+SECTIONS['sportas:manifestacije'] = () => `
+  <div class="card"><div class="card-h"><div class="card-t">📅 Moje manifestacije / aktivnosti</div></div>
+  ${MOCK.klub_manifestacije.map(m => `
+    <div class="alert-card ok">
+      <div class="at">${esc(m.naziv)}</div>
+      <div class="ad">${esc(m.datum)} · ${esc(m.lokacija)} · ${esc(m.tip)} · <b>Prijavljen ✓</b></div>
+    </div>`).join('')}
+  </div>`;
+
+//=========== MOCK DATA ===========
+const MOCK = {
+  zahtjevi_pending: [
+    {id:'Z-2026-0142', naziv:'Sufinanciranje pripremnog kampa Platak', savez:'Atletski savez PGŽ', svrha:'Pripreme za HR ligu seniora', iznos:18500, datum:'2026-04-22', status:'U obradi', klub:'AK Kvarner'},
+    {id:'Z-2026-0143', naziv:'Nabavka opreme — boćalište Krk', savez:'Bočarski savez PGŽ', svrha:'Renoviranje boćališta i nabavka opreme', iznos:42000, datum:'2026-04-19', status:'Čeka odluku', klub:'BK Krk'},
+    {id:'Z-2026-0144', naziv:'Sufinanciranje atletske staze', savez:'Atletski savez PGŽ', svrha:'Sanacija sintetičke staze Kantrida', iznos:120000, datum:'2026-04-15', status:'Pregled', klub:'—'},
+    {id:'Z-2026-0145', naziv:'Mladi nogometni kamp Lovran', savez:'Nogometni savez PGŽ', svrha:'Ljetne pripreme U-15 reprezentacije', iznos:28000, datum:'2026-04-10', status:'U obradi', klub:'NK Mladost'},
+    {id:'Z-2026-0146', naziv:'Memorijalna utrka Liburnija 2026', savez:'Atletski savez PGŽ', svrha:'Organizacija utrke + medalje', iznos:7800, datum:'2026-04-05', status:'Pregled', klub:'AK Liburnija'},
+  ],
+  audit: [
+    {ts:'00:08:31', who:'damir@pgz.hr',  what:'Odobrio zahtjev <b>Z-2026-0141</b> · 12 500 €'},
+    {ts:'23:54:12', who:'marija@asav.hr', what:'Predala zahtjev <b>Z-2026-0146</b> (Liburnija)'},
+    {ts:'23:42:08', who:'igor@kvarner.hr',what:'Dodao člana <b>Luka Horvat</b> (AK Kvarner)'},
+    {ts:'23:18:55', who:'damir@pgz.hr',  what:'Pristup forenzika dashboardu'},
+    {ts:'22:51:44', who:'system',         what:'Auto-scan forenzika: <b>2 nova alerta</b>'},
+    {ts:'22:14:17', who:'marija@asav.hr', what:'Login (2FA OK · IP 89.172.34.12)'},
+  ],
+  audit_more: [
+    {ts:'21:02:08', who:'damir@pgz.hr',   what:'Odbio zahtjev <b>Z-2026-0140</b> (nepotpuna dokumentacija)'},
+    {ts:'20:48:31', who:'sistema',         what:'Backup DB → S3 · 1.2 GB'},
+    {ts:'19:55:44', who:'igor@kvarner.hr', what:'Uplata članarine: <b>Marko M.</b> · 60 €'},
+    {ts:'19:21:09', who:'damir@pgz.hr',   what:'Kreirao novog savez admina: <b>petar@bsav.hr</b>'},
+    {ts:'18:33:21', who:'system',          what:'Polygon seal TX <b>0xAFE9...4D2</b> · zahtjev Z-2026-0141'},
+    {ts:'17:50:00', who:'luka@kvarner.hr', what:'Potpisao GDPR obrazac (sha256 a3f2...b9d1)'},
+  ],
+  korisnici: [
+    {ime:'Damir Radulić',     email:'damir@pgz.hr',     role:'pgz_admin',   tenant:'PGŽ Odjel za sport', status:'aktivan', last_login:'00:08'},
+    {ime:'Marija Kovač',      email:'marija@asav.hr',   role:'savez_admin', tenant:'Atletski savez PGŽ', status:'aktivan', last_login:'22:14'},
+    {ime:'Petar Babić',       email:'petar@bsav.hr',    role:'savez_admin', tenant:'Bočarski savez PGŽ', status:'aktivan', last_login:'19:21'},
+    {ime:'Igor Tomić',        email:'igor@kvarner.hr',  role:'klub_admin',  tenant:'AK Kvarner Rijeka',  status:'aktivan', last_login:'23:42'},
+    {ime:'Iva Šimić',         email:'iva@krk.hr',       role:'klub_admin',  tenant:'BK Krk',             status:'aktivan', last_login:'2026-05-03'},
+    {ime:'Luka Horvat',       email:'luka@kvarner.hr',  role:'klub_clan',   tenant:'AK Kvarner Rijeka',  status:'aktivan', last_login:'17:50'},
+    {ime:'Tomislav Vrbanić',  email:'tom@nsav.hr',      role:'savez_admin', tenant:'Nogometni savez PGŽ',status:'aktivan', last_login:'2026-05-04'},
+    {ime:'Dora Pavić',        email:'dora@stari.hr',    role:'klub_clan',   tenant:'AK Liburnija',       status:'suspended', last_login:'2026-04-12'},
+  ],
+  invoices: [
+    {datum:'2026-05-04', izdavatelj:'INA d.d.',   oib:'27759560625', vrsta:'Gorivo',     tag:'b',  iznos:84.50, status:'Odobreno'},
+    {datum:'2026-05-03', izdavatelj:'HAC d.o.o.', oib:'81117323553', vrsta:'Cestarina',  tag:'b',  iznos:18.20, status:'Odobreno'},
+    {datum:'2026-05-02', izdavatelj:'Hotel Kvarner',oib:'09320229884',vrsta:'Hotel',     tag:'gd', iznos:215.00,status:'Odobreno'},
+    {datum:'2026-05-01', izdavatelj:'Tifon d.o.o.',oib:'70289916717',vrsta:'Gorivo',     tag:'b',  iznos:62.40, status:'Odobreno'},
+    {datum:'2026-04-29', izdavatelj:'Konzum',     oib:'29955634590', vrsta:'Pribor',     tag:'cy', iznos:45.10, status:'U obradi'},
+    {datum:'2026-04-28', izdavatelj:'Restoran Trsat',oib:'82001112300',vrsta:'Dnevnice',tag:'gd', iznos:96.00, status:'Odobreno'},
+  ],
+  forenzika: [
+    {sev:'crit',title:'PEP match — Velimir Liverić',desc:'Možda javna osoba; veza s NK X kao predsjednik. Provjeri OIB i transakcije.',tip:'PEP'},
+    {sev:'crit',title:'Velika gotovinska transakcija — KKK Rijeka',desc:'Iznos 12 500 € označen kao "ostalo" bez računa.',tip:'Cash'},
+    {sev:'warn',title:'Duplicirana isplata — Z-2026-0089',desc:'Isti iznos isplaćen dva puta unutar 24h iste organizacije.',tip:'Duplicate'},
+    {sev:'warn',title:'OIB ne odgovara — Sudreg',desc:'OIB u zahtjevu se ne podudara s registriranim u Sudreg.',tip:'Validation'},
+  ],
+  // SAVEZ
+  savez_klubovi: [
+    {naziv:'AK Kvarner Rijeka',grad:'Rijeka',clanova:87,alert:false},
+    {naziv:'AK Liburnija',grad:'Opatija',clanova:54,alert:true},
+    {naziv:'AK Senj',grad:'Senj',clanova:32,alert:false},
+    {naziv:'AK Krk',grad:'Krk',clanova:28,alert:false},
+    {naziv:'AK Cres-Lošinj',grad:'Mali Lošinj',clanova:21,alert:false},
+    {naziv:'AK Crikvenica',grad:'Crikvenica',clanova:35,alert:true},
+  ],
+  savez_klubovi_full: [
+    {naziv:'AK Kvarner Rijeka',grad:'Rijeka',clanova:87,predsjednik:'Igor Tomić',alert:false},
+    {naziv:'AK Liburnija',grad:'Opatija',clanova:54,predsjednik:'Marin Babić',alert:true},
+    {naziv:'AK Senj',grad:'Senj',clanova:32,predsjednik:'Jelena Vukšić',alert:false},
+    {naziv:'AK Krk',grad:'Krk',clanova:28,predsjednik:'Boris Frankopan',alert:false},
+    {naziv:'AK Cres-Lošinj',grad:'Mali Lošinj',clanova:21,predsjednik:'Pavao Lupis',alert:false},
+    {naziv:'AK Crikvenica',grad:'Crikvenica',clanova:35,predsjednik:'Ines Salopek',alert:true},
+    {naziv:'AK Mladost Rab',grad:'Rab',clanova:18,predsjednik:'Dario Garić',alert:false},
+    {naziv:'AK Vinodol',grad:'Novi Vinodolski',clanova:24,predsjednik:'Ivan Crnković',alert:false},
+    {naziv:'AK Klanjac',grad:'Klanjac',clanova:14,predsjednik:'Marija Tomić',alert:false},
+    {naziv:'AK Drenova',grad:'Rijeka',clanova:42,predsjednik:'Hrvoje Pavić',alert:false},
+    {naziv:'AK Marathonas',grad:'Rijeka',clanova:67,predsjednik:'Robert Šimun',alert:false},
+    {naziv:'AK Riječki vihor',grad:'Rijeka',clanova:65,predsjednik:'Anita Lučić',alert:true},
+  ],
+  savez_zahtjevi: [
+    {naziv:'Sufinanciranje pripremnog kampa Platak',svrha:'HR liga seniora',status:'U obradi',tag:'am',iznos:18500,datum:'2026-04-22'},
+    {naziv:'Memorijalna utrka Liburnija 2026',svrha:'Organizacija utrke',status:'Pregled',tag:'b',iznos:7800,datum:'2026-04-05'},
+    {naziv:'Sufinanciranje atletske staze Kantrida',svrha:'Sanacija staze',status:'Pregled',tag:'b',iznos:120000,datum:'2026-04-15'},
+  ],
+  savez_zahtjevi_more: [
+    {naziv:'Trening kamp mladi Krk 2026',svrha:'Ljetne pripreme U-15',status:'Odobreno',tag:'gr',iznos:14200,datum:'2026-03-12'},
+    {naziv:'Open senior atletika Rijeka',svrha:'Organizacija mitinga',status:'Odobreno',tag:'gr',iznos:9500,datum:'2026-02-28'},
+    {naziv:'Kros Klanjac 2025',svrha:'Tradicijska utrka',status:'Odbijeno',tag:'rd',iznos:3200,datum:'2025-09-15'},
+  ],
+  savez_sportasi: [
+    {ime:'Luka Horvat',klub:'AK Kvarner',disciplina:'800m',kat:'Senior',lijecnicki:'ok'},
+    {ime:'Marko Marić',klub:'AK Kvarner',disciplina:'1500m',kat:'Senior',lijecnicki:'istek'},
+    {ime:'Petra Knežević',klub:'AK Liburnija',disciplina:'200m',kat:'Junior',lijecnicki:'ok'},
+    {ime:'Iva Tomić',klub:'AK Krk',disciplina:'Daljina',kat:'Mladi',lijecnicki:'ok'},
+    {ime:'Marin Crnković',klub:'AK Senj',disciplina:'Skok uvis',kat:'Senior',lijecnicki:'ok'},
+    {ime:'Sanja Vukšić',klub:'AK Drenova',disciplina:'400m H',kat:'Senior',lijecnicki:'istek'},
+    {ime:'Damir Babić',klub:'AK Marathonas',disciplina:'Maraton',kat:'Senior',lijecnicki:'ok'},
+    {ime:'Klara Pavić',klub:'AK Riječki vihor',disciplina:'Kugla',kat:'Junior',lijecnicki:'ok'},
+  ],
+  lijecnicki_uskoro: [
+    {ime:'Marko Marić',klub:'AK Kvarner',datum:'2026-05-22',dana:18,doktor:'Dr. Marković'},
+    {ime:'Sanja Vukšić',klub:'AK Drenova',datum:'2026-05-28',dana:24,doktor:'Dr. Pavlović'},
+    {ime:'Iva Šimić',klub:'AK Liburnija',datum:'2026-06-02',dana:29,doktor:'Dr. Marković'},
+    {ime:'Tomislav Pranjić',klub:'AK Crikvenica',datum:'2026-06-04',dana:31,doktor:'Dr. Marković'},
+  ],
+  // KLUB
+  klub_clanovi: [
+    {ime:'Luka', prezime:'Horvat',  kat:'Senior', discipline:'800m / 1500m', dug:false, lijecnicki:'ok',     upisan:'2024-09-01'},
+    {ime:'Marko',prezime:'Marić',   kat:'Senior', discipline:'1500m',         dug:false, lijecnicki:'istek',  upisan:'2023-09-12'},
+    {ime:'Ivan', prezime:'Babić',   kat:'Junior', discipline:'400m',          dug:true,  lijecnicki:'ok',     upisan:'2025-03-04'},
+    {ime:'Petra',prezime:'Knežević',kat:'Junior', discipline:'200m',          dug:false, lijecnicki:'ok',     upisan:'2024-04-22'},
+    {ime:'Iva',  prezime:'Tomić',   kat:'Mladi',  discipline:'Daljina',       dug:false, lijecnicki:'ok',     upisan:'2026-02-15'},
+    {ime:'Sara', prezime:'Lučić',   kat:'Mladi',  discipline:'100m',          dug:true,  lijecnicki:'ok',     upisan:'2026-03-11'},
+    {ime:'Mateo',prezime:'Crnković',kat:'Senior', discipline:'Maraton',       dug:false, lijecnicki:'ok',     upisan:'2022-08-30'},
+    {ime:'Dora', prezime:'Pavić',   kat:'Junior', discipline:'400m H',        dug:false, lijecnicki:'istek',  upisan:'2024-09-15'},
+    {ime:'Filip',prezime:'Šimić',   kat:'Senior', discipline:'Kugla',         dug:true,  lijecnicki:'ok',     upisan:'2023-10-01'},
+    {ime:'Ana',  prezime:'Vrbanić', kat:'Mladi',  discipline:'Daljina',       dug:false, lijecnicki:'ok',     upisan:'2026-01-08'},
+  ],
+  klub_clanarine: [
+    {clan:'Luka Horvat',  god:2026, iznos:60, dosp:'2026-01-31', uplata:'2026-01-15', status:'OK'},
+    {clan:'Marko Marić',  god:2026, iznos:60, dosp:'2026-01-31', uplata:'2026-01-22', status:'OK'},
+    {clan:'Ivan Babić',   god:2026, iznos:50, dosp:'2026-01-31', uplata:null,         status:'DUG'},
+    {clan:'Petra Knežević',god:2026,iznos:50, dosp:'2026-01-31', uplata:'2026-02-08', status:'OK'},
+    {clan:'Iva Tomić',    god:2026, iznos:40, dosp:'2026-02-28', uplata:'2026-02-25', status:'OK'},
+    {clan:'Sara Lučić',   god:2026, iznos:40, dosp:'2026-03-31', uplata:null,         status:'DUG'},
+  ],
+  klub_lijecnicki: [
+    {ime:'Luka Horvat',  pregled:'2025-08-15', datum:'2026-08-15', dana:103, doktor:'Dr. Marković', uskoro:false, istekao:false},
+    {ime:'Marko Marić',  pregled:'2025-05-22', datum:'2026-05-22', dana:18,  doktor:'Dr. Marković', uskoro:true,  istekao:false},
+    {ime:'Ivan Babić',   pregled:'2025-09-30', datum:'2026-09-30', dana:148, doktor:'Dr. Pavlović', uskoro:false, istekao:false},
+    {ime:'Petra Knežević',pregled:'2025-04-12',datum:'2026-04-12', dana:-23, doktor:'Dr. Marković', uskoro:false, istekao:true},
+    {ime:'Dora Pavić',   pregled:'2025-04-30', datum:'2026-04-30', dana:-5,  doktor:'Dr. Marković', uskoro:false, istekao:true},
+    {ime:'Sara Lučić',   pregled:'2026-01-12', datum:'2027-01-12', dana:253, doktor:'Dr. Marković', uskoro:false, istekao:false},
+  ],
+  klub_dokumenti: [
+    {naziv:'Statut kluba 2024',     vrsta:'Statut',    datum:'2024-04-15', size:'420 kB'},
+    {naziv:'Sudreg izvod',          vrsta:'Pravni',    datum:'2025-09-12', size:'180 kB'},
+    {naziv:'Zapisnik skupština 2026',vrsta:'Zapisnik', datum:'2026-02-22', size:'310 kB'},
+    {naziv:'GDPR politika',         vrsta:'Pravni',    datum:'2026-01-10', size:'95 kB'},
+    {naziv:'Ugovor sufinanciranja PGŽ 2026',vrsta:'Ugovor',datum:'2026-03-18',size:'520 kB'},
+  ],
+  klub_manifestacije: [
+    {naziv:'Trening kamp Platak',     datum:'2026-05-09', lokacija:'Platak',    tip:'priprema'},
+    {naziv:'Liga PGŽ atletika',       datum:'2026-05-11', lokacija:'Kantrida',  tip:'utakmica'},
+    {naziv:'Open senior atletika RI', datum:'2026-05-18', lokacija:'Rijeka',    tip:'natjecanje'},
+    {naziv:'Memorijalna utrka',       datum:'2026-05-25', lokacija:'Lovran',    tip:'natjecanje'},
+  ],
+};
+
+//=========== INIT ===========
+async function init(){
+  try {
+    const r = localStorage.getItem('app-role');
+    if(r && ROLES[r]) _state.role = r;
+  } catch(e){}
+  restoreSidebar();
+  buildRoleSwitch();
+
+  // Try real auth (JWT)
+  const me = await loadCurrentUser();
+  if(me){
+    // Real-auth mode — hide demo role switcher (only super_admin can switch personas)
+    if(me.user_type !== 'super_admin'){
+      const rs = $('#role-switch'); if(rs) rs.style.display='none';
+    }
+    applyMeToHeader();
+  }
+  // First page after login: Moj profil
+  setRole(_state.role);
+  navTo('profil');
+}
+window.addEventListener('DOMContentLoaded', init);
+</script>
+</body>
+</html>
diff --git a/_backups/audit.html.cc3_pre_unified_sidebar.1777935999 b/_backups/audit.html.cc3_pre_unified_sidebar.1777935999
new file mode 100644
index 0000000..8b7a947
--- /dev/null
+++ b/_backups/audit.html.cc3_pre_unified_sidebar.1777935999
@@ -0,0 +1,150 @@
+<!DOCTYPE html>
+<html lang="hr">
+<head>
+<meta charset="UTF-8">
+<title>Audit Log — PGŽ Sport</title>
+<meta name="viewport" content="width=device-width,initial-scale=1">
+<link rel="icon" href="data:,">
+<style>
+  :root { --bg0:#08090e; --bg1:#11141d; --bg2:#1a1f2c; --txt:#e6e9ef; --muted:#7a8294;
+          --pgz-blue:#003087; --pgz-gold:#F4C430; --green:#1a8754; --red:#dc3545; --orange:#fd7e14; }
+  * { box-sizing:border-box; margin:0; padding:0; }
+  body { font-family:'Inter',system-ui,sans-serif; background:var(--bg0); color:var(--txt); padding:24px; line-height:1.5; }
+  h1 { color:var(--pgz-gold); margin-bottom:6px; }
+  .sub { color:var(--muted); margin-bottom:24px; }
+  .toolbar { display:flex; gap:12px; margin-bottom:18px; flex-wrap:wrap; }
+  .btn { background:var(--pgz-blue); color:white; border:none; padding:9px 16px; border-radius:6px; cursor:pointer; font-weight:500; }
+  .btn:hover { background:#0040b8; }
+  .btn.secondary { background:var(--bg2); }
+  input,select { background:var(--bg2); color:var(--txt); border:1px solid #2a3144; padding:9px 12px; border-radius:6px; min-width:160px; }
+  table { width:100%; border-collapse:collapse; background:var(--bg1); border-radius:8px; overflow:hidden; margin-top:8px; }
+  th { background:var(--bg2); padding:12px; text-align:left; color:var(--pgz-gold); font-size:0.85rem; text-transform:uppercase; }
+  td { padding:11px 12px; border-top:1px solid #1a1f2c; font-size:0.92rem; }
+  tr:hover { background:#13182a; }
+  .badge { padding:3px 9px; border-radius:11px; font-size:0.75rem; font-weight:600; }
+  .b-create { background:rgba(26,135,84,0.2); color:#7fdca5; }
+  .b-update { background:rgba(253,126,20,0.2); color:#ffaa66; }
+  .b-delete { background:rgba(220,53,69,0.2); color:#ff7e85; }
+  .b-seal { background:rgba(244,196,48,0.2); color:var(--pgz-gold); }
+  .tx-link { color:#5fa8d3; text-decoration:none; font-family:monospace; font-size:0.85rem; }
+  .tx-link:hover { text-decoration:underline; }
+  .empty { padding:60px; text-align:center; color:var(--muted); }
+  .stats { display:grid; grid-template-columns:repeat(auto-fit,minmax(160px,1fr)); gap:12px; margin-bottom:18px; }
+  .stat { background:var(--bg1); padding:14px; border-radius:8px; border-left:3px solid var(--pgz-blue); }
+  .stat .v { font-size:1.6rem; font-weight:700; color:var(--pgz-gold); }
+  .stat .l { color:var(--muted); font-size:0.82rem; text-transform:uppercase; margin-top:3px; }
+</style>
+</head>
+<body>
+<h1>📜 Audit Log</h1>
+<div class="sub">Kompletna povijest izmjena s blockchain pečatima na Polygon PoS</div>
+
+<div class="stats" id="stats">
+  <div class="stat"><div class="v" id="s-total">—</div><div class="l">Ukupno akcija</div></div>
+  <div class="stat"><div class="v" id="s-today">—</div><div class="l">Danas</div></div>
+  <div class="stat"><div class="v" id="s-sealed">—</div><div class="l">Polygon zapečaćeno</div></div>
+  <div class="stat"><div class="v" id="s-users">—</div><div class="l">Aktivni korisnici</div></div>
+</div>
+
+<div class="toolbar">
+  <input id="f-q" placeholder="🔍 Pretraži..." />
+  <select id="f-action">
+    <option value="">Sve akcije</option>
+    <option value="create">CREATE</option>
+    <option value="update">UPDATE</option>
+    <option value="delete">DELETE</option>
+    <option value="seal">SEAL</option>
+  </select>
+  <select id="f-resource">
+    <option value="">Svi resursi</option>
+    <option value="users">Korisnici</option>
+    <option value="klubovi">Klubovi</option>
+    <option value="invoices">Računi</option>
+    <option value="putni_nalozi">Putni nalozi</option>
+    <option value="sufinanciranje">Sufinanciranje</option>
+  </select>
+  <button class="btn" onclick="load()">Filtriraj</button>
+  <button class="btn secondary" onclick="window.location.href='/app'">← Natrag na app</button>
+</div>
+
+<table id="tbl">
+  <thead>
+    <tr>
+      <th>Vrijeme</th>
+      <th>Korisnik</th>
+      <th>Akcija</th>
+      <th>Resurs</th>
+      <th>Detalji</th>
+      <th>Polygon Tx</th>
+    </tr>
+  </thead>
+  <tbody id="tbody">
+    <tr><td colspan="6" class="empty">⏳ Učitavam...</td></tr>
+  </tbody>
+</table>
+
+<script>
+async function load() {
+  const q = document.getElementById('f-q').value;
+  const action = document.getElementById('f-action').value;
+  const resource = document.getElementById('f-resource').value;
+  const tbody = document.getElementById('tbody');
+
+  let url = '/sport/api/audit/log?limit=200';
+  if (q) url += '&q=' + encodeURIComponent(q);
+  if (action) url += '&action=' + action;
+  if (resource) url += '&resource=' + resource;
+
+  try {
+    const r = await fetch(url);
+    if (!r.ok) throw new Error('HTTP ' + r.status);
+    const data = await r.json();
+    const items = data.items || data.entries || data || [];
+
+    if (!items.length) {
+      tbody.innerHTML = '<tr><td colspan="6" class="empty">📭 Nema zapisa</td></tr>';
+      return;
+    }
+
+    tbody.innerHTML = items.map(item => {
+      const action = (item.action || 'unknown').toLowerCase();
+      const klasa = action.includes('seal') ? 'b-seal' :
+                    action.includes('create') ? 'b-create' :
+                    action.includes('update') ? 'b-update' :
+                    action.includes('delete') ? 'b-delete' : 'b-update';
+      const tx = item.tx_hash || item.polygon_tx || '';
+      const txLink = tx ? `<a href="https://polygonscan.com/tx/${tx}" target="_blank" class="tx-link">${tx.substring(0,16)}...</a>` : '<span style="color:#5a6072">—</span>';
+      const ts = new Date(item.created_at || item.timestamp).toLocaleString('hr-HR');
+      const details = item.details || item.diff || item.message || '';
+      const detStr = typeof details === 'object' ? JSON.stringify(details).substring(0,80)+'...' : String(details).substring(0,80);
+
+      return `<tr>
+        <td>${ts}</td>
+        <td>${item.user_email || item.user_name || item.actor || '—'}</td>
+        <td><span class="badge ${klasa}">${(item.action || '').toUpperCase()}</span></td>
+        <td>${item.resource_type || item.resource || item.target || '—'}</td>
+        <td>${detStr}</td>
+        <td>${txLink}</td>
+      </tr>`;
+    }).join('');
+  } catch (e) {
+    tbody.innerHTML = `<tr><td colspan="6" class="empty">⚠ Greška: ${e.message}</td></tr>`;
+  }
+
+  // Stats
+  try {
+    const sr = await fetch('/sport/api/audit/stats');
+    if (sr.ok) {
+      const s = await sr.json();
+      document.getElementById('s-total').textContent = s.total || '—';
+      document.getElementById('s-today').textContent = s.today || '—';
+      document.getElementById('s-sealed').textContent = s.sealed || '—';
+      document.getElementById('s-users').textContent = s.users || '—';
+    }
+  } catch(e) {}
+}
+load();
+setInterval(load, 30000);
+</script>
+</body>
+</html>
diff --git a/_backups/auth_v2.py.r5_pre.1777937123 b/_backups/auth_v2.py.r5_pre.1777937123
new file mode 100644
index 0000000..53a3fe5
--- /dev/null
+++ b/_backups/auth_v2.py.r5_pre.1777937123
@@ -0,0 +1,666 @@
+#!/usr/bin/env python3
+# auth_v2.py — JWT auth backend with tenant_id, role, tier claims
+# v1.0 dradulic@outlook.com / damir@rinet.one — 2026-05-04
+# Endpoints: /api/auth/login, /api/auth/refresh, /api/auth/logout,
+#            /api/auth/me, /api/auth/password/change, /api/auth/password/reset
+"""
+JWT claims:
+    sub          int   user id
+    email        str
+    name         str
+    tenant_id    int|null   pgz_sport.tenants.id (or null for super_admin)
+    tenant_type  str   pgz | savez | klub | global
+    tenant_scope dict  {"klub_id": ..., "savez_id": ...}
+    role         str   user_type code (super_admin | pgz_admin | savez_admin | klub_admin | klub_clan | viewer ...)
+    tier         int   0 = PGŽ, 1 = savez, 2 = klub
+    jti          str   token id (revocable via user_sessions)
+    iat / exp / nbf
+"""
+
+import os, hashlib, secrets, json, time
+from datetime import datetime, timedelta, timezone
+from typing import Optional, Dict, List, Any
+
+import jwt as _jwt
+import psycopg2, psycopg2.extras
+from fastapi import APIRouter, HTTPException, Header, Depends, Request, Body
+from pydantic import BaseModel, EmailStr
+
+try:
+    from passlib.hash import bcrypt as _bcrypt
+    HAS_BCRYPT = True
+except Exception:
+    HAS_BCRYPT = False
+
+DB = dict(host='10.10.0.2', port=6432, dbname='rinet_v3',
+          user='rinet', password='R1net2026!SecureDB#v7')
+
+# Persistent JWT secret — read from env, else stable file, else generated.
+def _load_secret() -> str:
+    env_secret = os.environ.get("PGZ_JWT_SECRET")
+    if env_secret and len(env_secret) >= 32:
+        return env_secret
+    secret_file = "/opt/pgz-sport/auth/.jwt_secret"
+    try:
+        if os.path.exists(secret_file):
+            with open(secret_file) as f:
+                s = f.read().strip()
+                if len(s) >= 32:
+                    return s
+        s = "rinet-pgz-" + secrets.token_urlsafe(48)
+        with open(secret_file, "w") as f:
+            f.write(s)
+        os.chmod(secret_file, 0o600)
+        return s
+    except Exception:
+        return "rinet-pgz-jwt-2026-fallback-" + hashlib.sha256(b"pgz-sport").hexdigest()
+
+JWT_SECRET = _load_secret()
+JWT_ALG    = "HS256"
+ACCESS_TTL = timedelta(minutes=int(os.environ.get("PGZ_JWT_ACCESS_MIN", "30")))
+REFRESH_TTL = timedelta(days=int(os.environ.get("PGZ_JWT_REFRESH_DAYS", "7")))
+
+router = APIRouter(prefix="/api/auth", tags=["auth_v2"])
+
+# ─────────────────────────── DB helpers ───────────────────────────
+def _conn():
+    return psycopg2.connect(**DB)
+
+def db_query(sql: str, params=()):
+    with _conn() as c:
+        cur = c.cursor(cursor_factory=psycopg2.extras.RealDictCursor)
+        cur.execute(sql, params)
+        if cur.description: return cur.fetchall()
+        return []
+
+def db_one(sql: str, params=()):
+    rows = db_query(sql, params)
+    return rows[0] if rows else None
+
+def db_exec(sql: str, params=()):
+    with _conn() as c:
+        cur = c.cursor()
+        cur.execute(sql, params)
+        if cur.description:
+            r = cur.fetchone()
+            return r[0] if r else None
+        c.commit()
+
+# ─────────────────────────── Password helpers ───────────────────────────
+def _sha256(pw: str) -> str:
+    return hashlib.sha256(pw.encode()).hexdigest()
+
+def hash_password(pw: str) -> str:
+    if HAS_BCRYPT:
+        return _bcrypt.using(rounds=12).hash(pw)
+    return _sha256(pw)
+
+def verify_password(pw: str, hashed: Optional[str]) -> bool:
+    if not hashed: return False
+    h = hashed.strip()
+    if h.startswith("$2") and HAS_BCRYPT:
+        try:
+            return _bcrypt.verify(pw, h)
+        except Exception:
+            return False
+    return h == _sha256(pw)
+
+def needs_rehash(hashed: Optional[str]) -> bool:
+    if not hashed: return True
+    return HAS_BCRYPT and not hashed.startswith("$2")
+
+# ─────────────────────────── Tenant resolution ───────────────────────────
+PGZ_USER_TYPES   = {"super_admin", "pgz_admin", "pgz_user", "pgz_finance", "pgz_zzjz"}
+SAVEZ_USER_TYPES = {"savez_admin", "savez_user"}
+KLUB_USER_TYPES  = {"klub_admin", "klub_user", "klub_trener", "klub_clan"}
+
+def _tier_for(user_type: str) -> int:
+    ut = (user_type or "").lower()
+    if ut in PGZ_USER_TYPES:   return 0
+    if ut in SAVEZ_USER_TYPES: return 1
+    if ut in KLUB_USER_TYPES:  return 2
+    return 9  # unknown / viewer / guest
+
+def _resolve_tenant(u: Dict) -> Dict:
+    """Resolve tenant_id + tenant_type from a user row."""
+    ut = (u.get("user_type") or "").lower()
+    klub_id  = u.get("klub_id")
+    savez_id = u.get("savez_id")
+    if ut in PGZ_USER_TYPES:
+        row = db_one("SELECT id, slug, display_name FROM pgz_sport.tenants WHERE slug='pgz' LIMIT 1")
+        return {
+            "tenant_id":   row["id"] if row else None,
+            "tenant_type": "pgz",
+            "tenant_name": row["display_name"] if row else "PGŽ",
+            "tenant_scope": {"klub_id": None, "savez_id": None},
+        }
+    if ut in SAVEZ_USER_TYPES and savez_id:
+        return {
+            "tenant_id":   savez_id,
+            "tenant_type": "savez",
+            "tenant_name": (db_one("SELECT naziv FROM pgz_sport.savezi WHERE id=%s",(savez_id,)) or {}).get("naziv"),
+            "tenant_scope": {"klub_id": None, "savez_id": savez_id},
+        }
+    if ut in KLUB_USER_TYPES and klub_id:
+        return {
+            "tenant_id":   klub_id,
+            "tenant_type": "klub",
+            "tenant_name": (db_one("SELECT naziv FROM pgz_sport.klubovi WHERE id=%s",(klub_id,)) or {}).get("naziv"),
+            "tenant_scope": {"klub_id": klub_id, "savez_id": savez_id},
+        }
+    # super_admin without context
+    if ut == "super_admin":
+        return {"tenant_id": None, "tenant_type": "global",
+                "tenant_name": "Global", "tenant_scope": {"klub_id": None, "savez_id": None}}
+    return {"tenant_id": None, "tenant_type": "viewer",
+            "tenant_name": None, "tenant_scope": {"klub_id": klub_id, "savez_id": savez_id}}
+
+# ─────────────────────────── JWT issue / verify ───────────────────────────
+def _now() -> datetime: return datetime.now(timezone.utc)
+
+def _new_jti() -> str: return secrets.token_urlsafe(16)
+
+def make_access_token(u: Dict, jti: str) -> str:
+    tenant = _resolve_tenant(u)
+    tier = _tier_for(u.get("user_type") or "")
+    now = _now()
+    payload = {
+        "sub": str(u["id"]),
+        "uid": u["id"],
+        "email": u["email"],
+        "name":  u.get("full_name") or ((u.get("ime") or "") + " " + (u.get("prezime") or "")).strip() or u["email"],
+        "tenant_id":    tenant["tenant_id"],
+        "tenant_type":  tenant["tenant_type"],
+        "tenant_name":  tenant["tenant_name"],
+        "tenant_scope": tenant["tenant_scope"],
+        "role": u.get("user_type") or "viewer",
+        "tier": tier,
+        "jti": jti,
+        "typ": "access",
+        "iat": int(now.timestamp()),
+        "nbf": int(now.timestamp()),
+        "exp": int((now + ACCESS_TTL).timestamp()),
+    }
+    return _jwt.encode(payload, JWT_SECRET, algorithm=JWT_ALG)
+
+def make_refresh_token(uid: int, jti: str) -> str:
+    now = _now()
+    return _jwt.encode({
+        "sub": str(uid), "uid": uid, "jti": jti, "typ": "refresh",
+        "iat": int(now.timestamp()),
+        "exp": int((now + REFRESH_TTL).timestamp()),
+    }, JWT_SECRET, algorithm=JWT_ALG)
+
+def decode_token(token: str) -> Dict:
+    try:
+        return _jwt.decode(token, JWT_SECRET, algorithms=[JWT_ALG])
+    except _jwt.ExpiredSignatureError:
+        raise HTTPException(401, "Token expired")
+    except Exception as e:
+        raise HTTPException(401, f"Invalid token: {e}")
+
+def _record_session(uid: int, jti: str, expires: datetime, ip: str = None, ua: str = None):
+    th = hashlib.sha256(jti.encode()).hexdigest()
+    db_exec("""INSERT INTO pgz_sport.user_sessions
+        (user_id, token_hash, device_info, ip_address, expires_at, revoked)
+        VALUES (%s,%s,%s,%s::inet,%s,false)
+        ON CONFLICT (token_hash) DO NOTHING""",
+        (uid, th, ua, ip, expires))
+
+def _is_revoked(jti: str) -> bool:
+    th = hashlib.sha256(jti.encode()).hexdigest()
+    r = db_one("SELECT revoked FROM pgz_sport.user_sessions WHERE token_hash=%s", (th,))
+    if not r: return False
+    return bool(r.get("revoked"))
+
+def _revoke_jti(jti: str):
+    th = hashlib.sha256(jti.encode()).hexdigest()
+    db_exec("UPDATE pgz_sport.user_sessions SET revoked=true WHERE token_hash=%s", (th,))
+
+# ─────────────────────────── current_user dep ───────────────────────────
+def _extract_token(authorization: Optional[str]) -> Optional[str]:
+    if not authorization: return None
+    return authorization.replace("Bearer ", "").strip() or None
+
+def get_current_user(authorization: Optional[str] = Header(None)) -> Optional[Dict]:
+    token = _extract_token(authorization)
+    if not token: return None
+    try:
+        payload = decode_token(token)
+    except HTTPException:
+        return None
+    if payload.get("typ") not in (None, "access"):
+        return None
+    if _is_revoked(payload.get("jti","")):
+        return None
+    uid = payload.get("uid") or int(payload.get("sub", 0) or 0)
+    u = db_one("""SELECT id, email, full_name, ime, prezime, user_type,
+                  klub_id, savez_id, status, aktivan, must_change_pwd
+              FROM pgz_sport.users WHERE id=%s""", (uid,))
+    if not u or u.get("status") != "active" or not u.get("aktivan", True):
+        return None
+    u["_jwt"] = payload
+    u["_token"] = token
+    return u
+
+def require_user(user = Depends(get_current_user)) -> Dict:
+    if not user:
+        raise HTTPException(401, "Authentication required")
+    return user
+
+def require_role(roles: List[str]):
+    def dep(user = Depends(require_user)):
+        if user.get("user_type") not in roles:
+            raise HTTPException(403, f"Forbidden — required: {','.join(roles)}")
+        return user
+    return dep
+
+# ─────────────────────────── Audit ───────────────────────────
+def audit(user_id: Optional[int], action: str, resource_type: str = None,
+          resource_id: int = None, meta: Dict = None, ip: str = None, ua: str = None):
+    try:
+        db_exec("""INSERT INTO pgz_sport.audit_events
+            (user_id, action, resource_type, resource_id, meta, ip_address, user_agent)
+            VALUES (%s,%s,%s,%s,%s::jsonb,%s::inet,%s)""",
+            (user_id, action, resource_type, resource_id,
+             json.dumps(meta or {}), ip, ua))
+    except Exception as e:
+        print(f"[AUDIT WARN] {e}")
+
+def _client(req: Request):
+    ip = (req.headers.get("x-forwarded-for") or req.client.host or "").split(",")[0].strip() or None
+    ua = req.headers.get("user-agent")
+    return ip, ua
+
+# ─────────────────────────── Schemas ───────────────────────────
+class LoginReq(BaseModel):
+    email: str
+    password: str
+    totp: Optional[str] = None  # 6-digit TOTP if 2FA enabled (or recovery code)
+
+class RefreshReq(BaseModel):
+    refresh_token: str
+
+class ChangePwdReq(BaseModel):
+    old_password: Optional[str] = None
+    new_password: str
+
+class ResetPwdReq(BaseModel):
+    email: str
+
+# ─────────────────────────── Endpoints ───────────────────────────
+@router.post("/login")
+def login(req: LoginReq, request: Request):
+    ip, ua = _client(request)
+    email = (req.email or "").lower().strip()
+    if not email or not req.password:
+        raise HTTPException(400, "Email i lozinka obavezni")
+
+    u = db_one("""SELECT id, email, full_name, ime, prezime, password_hash, status,
+                  user_type, klub_id, savez_id, aktivan, must_change_pwd,
+                  failed_login_count, locked_until
+              FROM pgz_sport.users WHERE LOWER(email)=%s""", (email,))
+    if not u:
+        audit(None, "login.fail", meta={"email": email, "reason": "no_user"}, ip=ip, ua=ua)
+        raise HTTPException(401, "Neispravni podaci")
+    if u.get("locked_until"):
+        lu = u["locked_until"]
+        if lu.tzinfo is None: lu = lu.replace(tzinfo=timezone.utc)
+        if lu > _now():
+            audit(u["id"], "login.locked", ip=ip, ua=ua)
+            raise HTTPException(423, "Račun privremeno zaključan")
+    if u.get("status") != "active" or not u.get("aktivan", True):
+        audit(u["id"], "login.fail", meta={"reason":"inactive"}, ip=ip, ua=ua)
+        raise HTTPException(403, "Račun nije aktivan")
+    if not verify_password(req.password, u.get("password_hash")):
+        db_exec("""UPDATE pgz_sport.users
+                   SET failed_login_count = COALESCE(failed_login_count,0)+1,
+                       locked_until = CASE WHEN COALESCE(failed_login_count,0)+1>=5
+                                           THEN now()+interval '15 minutes' ELSE locked_until END
+                   WHERE id=%s""", (u["id"],))
+        audit(u["id"], "login.fail", meta={"reason":"bad_password"}, ip=ip, ua=ua)
+        raise HTTPException(401, "Neispravni podaci")
+
+    # opportunistic rehash to bcrypt
+    if needs_rehash(u.get("password_hash")):
+        try:
+            db_exec("UPDATE pgz_sport.users SET password_hash=%s WHERE id=%s",
+                    (hash_password(req.password), u["id"]))
+        except Exception: pass
+
+    # 2FA gate — if user has enabled 2FA, demand a valid TOTP / recovery code
+    twofa_row = None
+    try:
+        twofa_row = db_one("SELECT secret, enabled, recovery_codes FROM pgz_sport.user_2fa WHERE user_id=%s",
+                           (u["id"],))
+    except Exception: pass
+    if twofa_row and twofa_row.get("enabled"):
+        code = (req.totp or "").strip().replace(" ", "")
+        if not code:
+            audit(u["id"], "login.2fa_required", ip=ip, ua=ua)
+            raise HTTPException(401, "2FA_REQUIRED")
+        ok = False
+        if code.isdigit() and len(code) in (6, 8) and HAS_PYOTP:
+            ok = _pyotp.TOTP(twofa_row["secret"]).verify(code, valid_window=1)
+        if not ok and twofa_row.get("recovery_codes"):
+            up = code.upper()
+            if up in (twofa_row["recovery_codes"] or []):
+                ok = True
+                # consume the recovery code so it can't be reused
+                remaining = [c for c in twofa_row["recovery_codes"] if c != up]
+                db_exec("UPDATE pgz_sport.user_2fa SET recovery_codes=%s, updated_at=now() WHERE user_id=%s",
+                        (remaining, u["id"]))
+        if not ok:
+            audit(u["id"], "login.2fa_fail", ip=ip, ua=ua)
+            raise HTTPException(401, "Neispravan 2FA kod")
+
+    db_exec("""UPDATE pgz_sport.users
+               SET failed_login_count=0, locked_until=NULL, last_login=now()
+               WHERE id=%s""", (u["id"],))
+
+    jti  = _new_jti()
+    rjti = _new_jti()
+    access  = make_access_token(u, jti)
+    refresh = make_refresh_token(u["id"], rjti)
+    _record_session(u["id"], jti,  _now() + ACCESS_TTL,  ip=ip, ua=ua)
+    _record_session(u["id"], rjti, _now() + REFRESH_TTL, ip=ip, ua=(ua or "") + " [refresh]")
+    audit(u["id"], "login.ok", ip=ip, ua=ua)
+
+    tenant = _resolve_tenant(u)
+    return {
+        "access_token":  access,
+        "refresh_token": refresh,
+        "token_type":    "Bearer",
+        "expires_in":    int(ACCESS_TTL.total_seconds()),
+        "user": {
+            "id": u["id"], "email": u["email"],
+            "full_name": u.get("full_name") or (u.get("ime","") + " " + u.get("prezime","")).strip(),
+            "role": u.get("user_type"), "tier": _tier_for(u.get("user_type") or ""),
+            "must_change_pwd": bool(u.get("must_change_pwd")),
+            **tenant,
+        },
+    }
+
+@router.post("/refresh")
+def refresh(req: RefreshReq, request: Request):
+    payload = decode_token(req.refresh_token)
+    if payload.get("typ") != "refresh":
+        raise HTTPException(401, "Invalid refresh token")
+    if _is_revoked(payload.get("jti","")):
+        raise HTTPException(401, "Refresh token revoked")
+    uid = payload.get("uid") or int(payload.get("sub", 0) or 0)
+    u = db_one("""SELECT id, email, full_name, ime, prezime, user_type,
+                  klub_id, savez_id, status, aktivan, must_change_pwd
+              FROM pgz_sport.users WHERE id=%s""", (uid,))
+    if not u or u.get("status") != "active" or not u.get("aktivan", True):
+        raise HTTPException(401, "User inactive")
+    ip, ua = _client(request)
+    new_jti = _new_jti()
+    access = make_access_token(u, new_jti)
+    _record_session(u["id"], new_jti, _now() + ACCESS_TTL, ip=ip, ua=ua)
+    audit(u["id"], "auth.refresh", ip=ip, ua=ua)
+    return {"access_token": access, "token_type": "Bearer",
+            "expires_in": int(ACCESS_TTL.total_seconds())}
+
+@router.post("/logout")
+def logout(request: Request, user = Depends(require_user)):
+    jti = (user.get("_jwt") or {}).get("jti")
+    if jti: _revoke_jti(jti)
+    # Also revoke refresh tokens for this user (best-effort)
+    db_exec("""UPDATE pgz_sport.user_sessions SET revoked=true
+               WHERE user_id=%s AND device_info LIKE %s""",
+            (user["id"], "%[refresh]%"))
+    ip, ua = _client(request)
+    audit(user["id"], "logout", ip=ip, ua=ua)
+    return {"status": "ok"}
+
+@router.get("/me")
+def me(user = Depends(require_user)):
+    enriched = db_one("""SELECT id, email, full_name, ime, prezime, user_type,
+                  klub_id, savez_id, must_change_pwd, aktivan, status,
+                  last_login, oib, telefon, phone, preferred_language, created_at,
+                  avatar_url, gdpr_consent_at, google_picture
+              FROM pgz_sport.users WHERE id=%s""", (user["id"],))
+    if not enriched:
+        raise HTTPException(404, "User not found")
+    tenant = _resolve_tenant(enriched)
+    roles = db_query("""SELECT r.code, r.naziv, ur.scope_type, ur.scope_id
+        FROM pgz_sport.user_roles ur JOIN pgz_sport.roles r ON r.id=ur.role_id
+        WHERE ur.user_id=%s AND ur.active=true""", (user["id"],))
+    try:
+        twofa = db_one("SELECT secret IS NOT NULL AS enabled FROM pgz_sport.user_2fa WHERE user_id=%s",
+                       (user["id"],)) or {"enabled": False}
+    except Exception:
+        twofa = {"enabled": False}
+    return {**enriched,
+            "tier": _tier_for(enriched.get("user_type") or ""),
+            "must_change_pwd": bool(enriched.get("must_change_pwd")),
+            "two_factor_enabled": bool(twofa.get("enabled")),
+            **tenant, "roles": roles}
+
+class UpdateMeReq(BaseModel):
+    ime: Optional[str] = None
+    prezime: Optional[str] = None
+    full_name: Optional[str] = None
+    telefon: Optional[str] = None
+    phone: Optional[str] = None
+    preferred_language: Optional[str] = None
+    oib: Optional[str] = None
+
+@router.put("/me")
+def update_me(req: UpdateMeReq, request: Request, user = Depends(require_user)):
+    fields = []
+    vals: List[Any] = []
+    for k in ("ime","prezime","full_name","telefon","phone","preferred_language","oib"):
+        v = getattr(req, k)
+        if v is not None:
+            fields.append(f"{k}=%s")
+            vals.append(v.strip() if isinstance(v, str) else v)
+    if not fields:
+        raise HTTPException(400, "Nema polja za ažuriranje")
+    vals.append(user["id"])
+    db_exec(f"UPDATE pgz_sport.users SET {', '.join(fields)}, updated_at=now() WHERE id=%s", tuple(vals))
+    ip, ua = _client(request)
+    audit(user["id"], "profile.update", meta={"fields": [f.split("=")[0] for f in fields]}, ip=ip, ua=ua)
+    return me(user)
+
+# ───────────────────────────  AVATAR UPLOAD  ───────────────────────────
+import shutil, pathlib
+from fastapi import UploadFile, File
+
+UPLOAD_ROOT = pathlib.Path("/opt/pgz-sport/uploads")
+AVATAR_DIR = UPLOAD_ROOT / "avatars"
+AVATAR_DIR.mkdir(parents=True, exist_ok=True)
+ALLOWED_AVATAR_MIME = {"image/jpeg","image/jpg","image/png","image/webp"}
+ALLOWED_AVATAR_EXT = {".jpg",".jpeg",".png",".webp"}
+MAX_AVATAR_BYTES = 5 * 1024 * 1024  # 5 MB
+
+@router.post("/me/avatar")
+async def upload_my_avatar(request: Request, file: UploadFile = File(...), user = Depends(require_user)):
+    ct = (file.content_type or "").lower()
+    if ct not in ALLOWED_AVATAR_MIME:
+        raise HTTPException(400, f"Nedozvoljen tip slike: {ct} — jpeg/png/webp")
+    ext = pathlib.Path(file.filename or "").suffix.lower()
+    if ext not in ALLOWED_AVATAR_EXT:
+        ext = {"image/jpeg":".jpg","image/jpg":".jpg","image/png":".png","image/webp":".webp"}.get(ct, ".jpg")
+    data = await file.read()
+    if len(data) > MAX_AVATAR_BYTES:
+        raise HTTPException(413, f"Slika prevelika ({len(data)} B > {MAX_AVATAR_BYTES})")
+    if len(data) < 32:
+        raise HTTPException(400, "Slika prazna ili neispravna")
+    safe_name = f"{int(user['id'])}_{int(time.time())}{ext}"
+    target = AVATAR_DIR / safe_name
+    with open(target, "wb") as f:
+        f.write(data)
+    try: os.chmod(target, 0o644)
+    except Exception: pass
+    avatar_url = f"/uploads/avatars/{safe_name}"
+    db_exec("UPDATE pgz_sport.users SET avatar_url=%s, updated_at=now() WHERE id=%s",
+            (avatar_url, user["id"]))
+    ip, ua = _client(request)
+    audit(user["id"], "profile.avatar_upload",
+          meta={"file": safe_name, "size": len(data), "mime": ct}, ip=ip, ua=ua)
+    return {"status":"ok", "avatar_url": avatar_url, "size": len(data), "mime": ct}
+
+@router.delete("/me/avatar")
+def delete_my_avatar(request: Request, user = Depends(require_user)):
+    cur = db_one("SELECT avatar_url FROM pgz_sport.users WHERE id=%s", (user["id"],))
+    if cur and cur.get("avatar_url"):
+        p = AVATAR_DIR / pathlib.Path(cur["avatar_url"]).name
+        try:
+            if p.exists() and p.is_relative_to(AVATAR_DIR): p.unlink()
+        except Exception: pass
+    db_exec("UPDATE pgz_sport.users SET avatar_url=NULL, updated_at=now() WHERE id=%s", (user["id"],))
+    ip, ua = _client(request)
+    audit(user["id"], "profile.avatar_delete", ip=ip, ua=ua)
+    return {"status": "ok"}
+
+@router.post("/password/change")
+def change_password(req: ChangePwdReq, request: Request, user = Depends(require_user)):
+    if len(req.new_password) < 8:
+        raise HTTPException(400, "Lozinka mora imati barem 8 znakova")
+    cur = db_one("SELECT password_hash, must_change_pwd FROM pgz_sport.users WHERE id=%s",
+                 (user["id"],))
+    if not cur: raise HTTPException(404, "User not found")
+    if not cur.get("must_change_pwd"):
+        if not req.old_password:
+            raise HTTPException(400, "old_password obavezan")
+        if not verify_password(req.old_password, cur.get("password_hash")):
+            raise HTTPException(401, "Stara lozinka netočna")
+    db_exec("""UPDATE pgz_sport.users
+               SET password_hash=%s, must_change_pwd=false, updated_at=now()
+               WHERE id=%s""", (hash_password(req.new_password), user["id"]))
+    ip, ua = _client(request)
+    audit(user["id"], "password.change", ip=ip, ua=ua)
+    return {"status": "ok"}
+
+@router.post("/password/reset")
+def password_reset(req: ResetPwdReq, request: Request):
+    """Issue a temporary password (admin-equivalent self-reset; logged)."""
+    email = (req.email or "").lower().strip()
+    u = db_one("SELECT id, email, aktivan FROM pgz_sport.users WHERE LOWER(email)=%s",
+               (email,))
+    ip, ua = _client(request)
+    audit(u["id"] if u else None, "password.reset.request",
+          meta={"email": email, "found": bool(u)}, ip=ip, ua=ua)
+    # Generic response — do not leak which emails exist
+    return {"status": "ok",
+            "message": "Ako račun postoji, administrator će vam poslati instrukcije."}
+
+# ─────────────────────────── 2FA — real TOTP (RFC 6238) ───────────────────────────
+try:
+    import pyotp as _pyotp
+    HAS_PYOTP = True
+except Exception:
+    HAS_PYOTP = False
+
+def _ensure_2fa_table():
+    db_exec("""CREATE TABLE IF NOT EXISTS pgz_sport.user_2fa (
+        user_id INTEGER PRIMARY KEY REFERENCES pgz_sport.users(id) ON DELETE CASCADE,
+        secret  TEXT NOT NULL,
+        enabled BOOLEAN DEFAULT false,
+        verified_at TIMESTAMPTZ,
+        recovery_codes TEXT[],
+        created_at TIMESTAMPTZ DEFAULT now(),
+        updated_at TIMESTAMPTZ DEFAULT now()
+    )""")
+_ensure_2fa_table()
+
+def _build_qr_png(otpauth_url: str) -> str:
+    """Return a data: URL containing a base64 PNG of the QR code."""
+    try:
+        import qrcode, io, base64
+        img = qrcode.make(otpauth_url)
+        buf = io.BytesIO()
+        img.save(buf, format="PNG")
+        return "data:image/png;base64," + base64.b64encode(buf.getvalue()).decode()
+    except Exception as e:
+        return ""
+
+def _gen_recovery_codes(n: int = 8) -> List[str]:
+    return [secrets.token_hex(4).upper() for _ in range(n)]
+
+@router.post("/2fa/setup")
+def twofa_setup(user = Depends(require_user)):
+    """Generate a TOTP secret, store unverified, and return otpauth URL + QR + recovery codes.
+    The 2FA stays disabled until /2fa/verify confirms a valid TOTP code."""
+    if not HAS_PYOTP:
+        raise HTTPException(503, "pyotp not installed on server")
+    secret = _pyotp.random_base32()  # 32-char base32, RFC 4648 — what authenticator apps expect
+    recovery = _gen_recovery_codes()
+    db_exec("""INSERT INTO pgz_sport.user_2fa (user_id, secret, enabled, recovery_codes, updated_at)
+               VALUES (%s,%s,false,%s,now())
+               ON CONFLICT (user_id) DO UPDATE SET
+                 secret=EXCLUDED.secret, enabled=false,
+                 recovery_codes=EXCLUDED.recovery_codes, updated_at=now()""",
+            (user["id"], secret, recovery))
+    issuer = "PGŽ Sport"
+    otpauth = _pyotp.TOTP(secret).provisioning_uri(name=user["email"], issuer_name=issuer)
+    return {
+        "secret": secret,
+        "otpauth_url": otpauth,
+        "qr_png": _build_qr_png(otpauth),
+        "issuer": issuer,
+        "account": user["email"],
+        "recovery_codes": recovery,
+        "enabled": False,
+        "instructions": "Skenirajte QR u Google Authenticator / Authy / 1Password, zatim potvrdite kod kroz POST /api/auth/2fa/verify",
+    }
+
+class TwoFAVerifyReq(BaseModel):
+    code: str
+
+@router.post("/2fa/verify")
+def twofa_verify(req: TwoFAVerifyReq, request: Request, user = Depends(require_user)):
+    """Verify TOTP code; on success, mark 2FA enabled."""
+    if not HAS_PYOTP:
+        raise HTTPException(503, "pyotp not installed on server")
+    row = db_one("SELECT secret, enabled FROM pgz_sport.user_2fa WHERE user_id=%s",
+                 (user["id"],))
+    if not row:
+        raise HTTPException(400, "2FA nije postavljen — pozovite /2fa/setup prvo")
+    code = (req.code or "").strip().replace(" ", "")
+    if not code or not code.isdigit() or len(code) not in (6, 8):
+        raise HTTPException(400, "Neispravan format koda (6-8 znamenki)")
+    totp = _pyotp.TOTP(row["secret"])
+    # valid_window=1 → tolerate ±30s drift
+    if not totp.verify(code, valid_window=1):
+        ip, ua = _client(request)
+        audit(user["id"], "2fa.verify.fail", ip=ip, ua=ua)
+        raise HTTPException(401, "Neispravan TOTP kod")
+    db_exec("""UPDATE pgz_sport.user_2fa
+               SET enabled=true, verified_at=now(), updated_at=now()
+               WHERE user_id=%s""", (user["id"],))
+    ip, ua = _client(request)
+    audit(user["id"], "2fa.verify.ok", ip=ip, ua=ua)
+    return {"status": "ok", "enabled": True}
+
+@router.post("/2fa/disable")
+def twofa_disable(req: TwoFAVerifyReq, request: Request, user = Depends(require_user)):
+    """Disable 2FA — must verify a current TOTP code (or recovery code)."""
+    if not HAS_PYOTP:
+        raise HTTPException(503, "pyotp not installed on server")
+    row = db_one("SELECT secret, recovery_codes FROM pgz_sport.user_2fa WHERE user_id=%s",
+                 (user["id"],))
+    if not row:
+        raise HTTPException(404, "2FA nije postavljen")
+    code = (req.code or "").strip().replace(" ", "").upper()
+    valid = False
+    if code.isdigit() and len(code) in (6, 8):
+        valid = _pyotp.TOTP(row["secret"]).verify(code, valid_window=1)
+    elif row.get("recovery_codes") and code in (row["recovery_codes"] or []):
+        valid = True
+    if not valid:
+        raise HTTPException(401, "Neispravan kod")
+    db_exec("DELETE FROM pgz_sport.user_2fa WHERE user_id=%s", (user["id"],))
+    ip, ua = _client(request)
+    audit(user["id"], "2fa.disable", ip=ip, ua=ua)
+    return {"status": "ok", "enabled": False}
+
+@router.get("/2fa/status")
+def twofa_status(user = Depends(require_user)):
+    row = db_one("SELECT enabled, verified_at, created_at FROM pgz_sport.user_2fa WHERE user_id=%s",
+                 (user["id"],))
+    return {"enabled": bool(row and row.get("enabled")),
+            "configured": bool(row),
+            "verified_at": row.get("verified_at") if row else None}
diff --git a/_backups/crm.html.cc3_pre_unified_sidebar.1777935999 b/_backups/crm.html.cc3_pre_unified_sidebar.1777935999
new file mode 100644
index 0000000..da6bf61
--- /dev/null
+++ b/_backups/crm.html.cc3_pre_unified_sidebar.1777935999
@@ -0,0 +1,1362 @@
+<!DOCTYPE html>
+<html lang="hr">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width,initial-scale=1">
+<title>PGŽ Sport — CRM (Članarine • Liječnički • Obrasci)</title>
+<style>
+:root {
+  --pgz-blue:#1a73e8; --pgz-blue2:#1e3a8a;
+  --bg:#0f1115; --bg2:#171a21; --bg3:#1f242d;
+  --rim:#293040; --t1:#e6e8ef; --t2:#9aa3b6; --t3:#6b748b;
+  --ok:#22c55e; --warn:#f59e0b; --err:#ef4444; --info:#3b82f6;
+}
+* { box-sizing: border-box; }
+body { margin:0; font-family: -apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,sans-serif;
+  background: var(--bg); color: var(--t1); font-size: 14px; }
+.topbar {
+  height: 54px; background: linear-gradient(90deg, var(--pgz-blue2), var(--pgz-blue));
+  display: flex; align-items: center; padding: 0 18px; gap: 16px;
+  box-shadow: 0 2px 8px rgba(0,0,0,0.4);
+}
+.topbar .logo { font-weight: 700; font-size: 16px; }
+.topbar .sep { color: rgba(255,255,255,0.5); }
+.topbar .title { font-size: 14px; opacity: 0.95; }
+.topbar .right { margin-left: auto; display: flex; gap: 10px; align-items: center; font-size: 12px; }
+.topbar a { color: #fff; text-decoration: none; opacity: 0.8; padding: 6px 10px; border-radius: 4px; }
+.topbar a:hover { opacity: 1; background: rgba(255,255,255,0.1); }
+
+.tabs { display: flex; background: var(--bg2); border-bottom: 1px solid var(--rim); padding: 0 18px; }
+.tab { padding: 14px 20px; cursor: pointer; color: var(--t2); border-bottom: 2px solid transparent;
+  font-weight: 500; user-select: none; }
+.tab:hover { color: var(--t1); }
+.tab.active { color: var(--pgz-blue); border-bottom-color: var(--pgz-blue); background: var(--bg3); }
+.tab .count { background: var(--bg3); color: var(--t2); padding: 2px 8px; border-radius: 10px;
+  font-size: 11px; margin-left: 6px; }
+.tab.active .count { background: var(--pgz-blue); color: #fff; }
+
+.container { padding: 18px; }
+
+.toolbar { display: flex; gap: 10px; flex-wrap: wrap; margin-bottom: 14px; align-items: center; }
+.toolbar input, .toolbar select {
+  background: var(--bg2); border: 1px solid var(--rim); color: var(--t1);
+  padding: 7px 11px; border-radius: 5px; font-size: 13px; min-width: 140px;
+}
+.toolbar input:focus, .toolbar select:focus { outline: none; border-color: var(--pgz-blue); }
+.toolbar .grow { flex: 1; }
+
+.btn { background: var(--bg3); color: var(--t1); border: 1px solid var(--rim);
+  padding: 7px 13px; border-radius: 5px; cursor: pointer; font-size: 13px;
+  font-family: inherit; }
+.btn:hover { background: var(--bg2); border-color: var(--pgz-blue); }
+.btn.primary { background: linear-gradient(135deg, var(--pgz-blue), var(--pgz-blue2)); border-color: var(--pgz-blue); color:#fff; }
+.btn.primary:hover { filter: brightness(1.1); }
+.btn.danger { color: var(--err); border-color: var(--err); }
+.btn.sm { padding: 4px 8px; font-size: 12px; }
+
+.kpi-grid { display: grid; grid-template-columns: repeat(auto-fit, minmax(180px, 1fr));
+  gap: 12px; margin-bottom: 14px; }
+.kpi { background: var(--bg2); border: 1px solid var(--rim); padding: 12px 14px; border-radius: 8px; }
+.kpi.g { border-left: 3px solid var(--ok); }
+.kpi.r { border-left: 3px solid var(--err); }
+.kpi.a { border-left: 3px solid var(--warn); }
+.kpi.b { border-left: 3px solid var(--pgz-blue); }
+.kpi-l { font-size: 11px; color: var(--t2); text-transform: uppercase; letter-spacing: 0.5px; }
+.kpi-v { font-size: 22px; font-weight: 700; margin-top: 4px; }
+.kpi-s { font-size: 11px; color: var(--t3); margin-top: 2px; }
+
+.card { background: var(--bg2); border: 1px solid var(--rim); border-radius: 8px;
+  margin-bottom: 14px; overflow: hidden; }
+.card-h { padding: 12px 16px; border-bottom: 1px solid var(--rim); display: flex; align-items: center;
+  justify-content: space-between; background: var(--bg3); }
+.card-t { font-weight: 600; font-size: 14px; }
+.card-b { padding: 14px 16px; }
+
+table { width: 100%; border-collapse: collapse; font-size: 13px; }
+table th, table td { padding: 9px 12px; text-align: left; border-bottom: 1px solid var(--rim); }
+table th { background: var(--bg3); color: var(--t2); font-weight: 600; font-size: 11px;
+  text-transform: uppercase; letter-spacing: 0.4px; }
+table tr:hover td { background: rgba(26, 115, 232, 0.05); }
+
+.tag { display: inline-block; padding: 2px 8px; border-radius: 10px; font-size: 11px; font-weight: 600; }
+.tag.gr { background: rgba(34,197,94,0.2); color: var(--ok); }
+.tag.am { background: rgba(245,158,11,0.2); color: var(--warn); }
+.tag.rd { background: rgba(239,68,68,0.2); color: var(--err); }
+.tag.bl { background: rgba(26,115,232,0.2); color: var(--pgz-blue); }
+.tag.gy { background: rgba(154,163,182,0.2); color: var(--t2); }
+
+.empty { text-align: center; padding: 40px; color: var(--t3); }
+.loading { text-align: center; padding: 30px; color: var(--t2); }
+
+.modal-bg { position: fixed; top: 0; left: 0; right: 0; bottom: 0; background: rgba(0,0,0,0.7);
+  display: none; justify-content: center; align-items: flex-start; padding-top: 5vh; z-index: 1000; }
+.modal-bg.open { display: flex; }
+.modal { background: var(--bg2); border: 1px solid var(--rim); border-radius: 8px;
+  width: 92%; max-width: 720px; max-height: 90vh; overflow-y: auto; }
+.modal-h { padding: 14px 18px; border-bottom: 1px solid var(--rim); display: flex;
+  justify-content: space-between; align-items: center; background: var(--bg3); }
+.modal-t { font-weight: 600; font-size: 15px; }
+.modal-x { cursor: pointer; color: var(--t2); font-size: 22px; line-height: 1; padding: 0 4px; }
+.modal-x:hover { color: var(--err); }
+.modal-b { padding: 18px; }
+
+.field { margin-bottom: 12px; }
+.field label { display: block; font-size: 12px; color: var(--t2); margin-bottom: 4px;
+  text-transform: uppercase; letter-spacing: 0.3px; }
+.field label.req::after { content: " *"; color: var(--err); }
+.field input, .field select, .field textarea {
+  width: 100%; background: var(--bg); border: 1px solid var(--rim); color: var(--t1);
+  padding: 8px 12px; border-radius: 5px; font-size: 13px; font-family: inherit;
+}
+.field input:focus, .field select:focus, .field textarea:focus { outline: none; border-color: var(--pgz-blue); }
+.field textarea { min-height: 70px; resize: vertical; }
+.field .help { font-size: 11px; color: var(--t3); margin-top: 3px; }
+
+.payment-card { background: var(--bg); border: 1px solid var(--rim); border-radius: 6px;
+  padding: 14px; margin-top: 12px; }
+.payment-row { display: flex; justify-content: space-between; padding: 6px 0; border-bottom: 1px dashed var(--rim); }
+.payment-row:last-child { border-bottom: none; }
+.payment-row .l { color: var(--t2); font-size: 12px; }
+.payment-row .v { font-weight: 600; font-family: 'SF Mono', Consolas, monospace; }
+.payment-row .v.big { font-size: 18px; color: var(--pgz-blue); }
+
+.qr-box { display: flex; gap: 16px; align-items: center; margin: 14px 0; }
+.qr-box img { width: 160px; height: 160px; background: #fff; padding: 8px; border-radius: 6px; }
+.qr-box .qr-info { flex: 1; }
+
+.signature-box { background: var(--bg); border: 1px solid var(--rim); border-radius: 6px;
+  padding: 14px; margin-top: 14px; font-family: 'SF Mono', Consolas, monospace;
+  font-size: 11px; word-break: break-all; }
+.signature-box .sha { color: var(--ok); }
+
+.toast { position: fixed; bottom: 20px; right: 20px; background: var(--bg3); border: 1px solid var(--rim);
+  padding: 10px 16px; border-radius: 6px; font-size: 13px; z-index: 2000;
+  border-left: 3px solid var(--ok); transform: translateX(120%); transition: transform 0.3s; }
+.toast.show { transform: translateX(0); }
+.toast.err { border-left-color: var(--err); }
+</style>
+</head>
+<body>
+
+<div class="topbar">
+  <div class="logo">⬢ PGŽ SPORT</div>
+  <div class="sep">·</div>
+  <div class="title">CRM — Članarine • Liječnički • Obrasci</div>
+  <div class="right">
+    <span style="opacity:.7">Round 3 / CC5</span>
+    <a href="/sport/static/sport2.html">← portal</a>
+    <a href="/sport/static/app.html">app →</a>
+  </div>
+</div>
+
+<div class="tabs">
+  <div class="tab active" data-tab="clanovi" onclick="setTab('clanovi')">👤 Članovi <span class="count" id="cnt-clanovi">…</span></div>
+  <div class="tab" data-tab="clanarine" onclick="setTab('clanarine')">€ Članarine <span class="count" id="cnt-clanarine">…</span></div>
+  <div class="tab" data-tab="lijecnicki" onclick="setTab('lijecnicki')">⚕ Liječnički pregledi <span class="count" id="cnt-lijecnicki">…</span></div>
+  <div class="tab" data-tab="obrasci" onclick="setTab('obrasci')">📝 Obrasci <span class="count" id="cnt-obrasci">…</span></div>
+  <div style="margin-left:auto;display:flex;align-items:center;gap:8px;padding:0 14px">
+    <span style="font-size:11px;color:var(--t3)">ROLA:</span>
+    <select id="g-role" onchange="setRole(this.value)" style="background:var(--bg3);border:1px solid var(--rim);color:var(--t1);padding:4px 8px;border-radius:4px;font-size:12px">
+      <option value="pgz_admin">pgz_admin (full)</option>
+      <option value="klub_admin">klub_admin (sve osim OIB)</option>
+      <option value="savez_admin">savez_admin (samo napomena)</option>
+      <option value="klub_trener">klub_trener (sport polja)</option>
+      <option value="sportas">sportas (kontakt + slika)</option>
+      <option value="viewer">viewer (read-only)</option>
+    </select>
+  </div>
+</div>
+
+<div class="container">
+  <div id="page-clanovi" class="page"></div>
+  <div id="page-clanarine" class="page" style="display:none"></div>
+  <div id="page-lijecnicki" class="page" style="display:none"></div>
+  <div id="page-obrasci" class="page" style="display:none"></div>
+</div>
+
+<div id="modal-bg" class="modal-bg" onclick="if(event.target===this)closeModal()">
+  <div class="modal" id="modal"></div>
+</div>
+
+<div id="toast" class="toast"></div>
+
+<script>
+// ────────────────────────────────────────────────────
+// Helpers
+// ────────────────────────────────────────────────────
+const API = '/sport/api/crm';
+const $  = (s, root=document) => root.querySelector(s);
+const $$ = (s, root=document) => Array.from(root.querySelectorAll(s));
+const esc = s => String(s ?? '').replace(/[&<>"']/g, c => ({'&':'&amp;','<':'&lt;','>':'&gt;','"':'&quot;',"'":'&#39;'}[c]));
+const fmtEur = v => (v == null) ? '—' : Number(v).toLocaleString('hr-HR', {minimumFractionDigits:2, maximumFractionDigits:2}) + ' €';
+const fmt = v => (v == null) ? '—' : Number(v).toLocaleString('hr-HR');
+const fmtDate = d => !d ? '—' : new Date(d).toLocaleDateString('hr-HR');
+
+async function api(path, opts={}) {
+  const o = Object.assign({headers: {'Content-Type':'application/json'}}, opts);
+  if (o.body && typeof o.body !== 'string') o.body = JSON.stringify(o.body);
+  const r = await fetch(API + path, o);
+  if (!r.ok) {
+    const msg = await r.text().catch(()=>r.statusText);
+    throw new Error(`HTTP ${r.status}: ${msg.substring(0,200)}`);
+  }
+  return r.json();
+}
+
+function toast(msg, isErr=false) {
+  const t = $('#toast');
+  t.textContent = msg;
+  t.classList.toggle('err', isErr);
+  t.classList.add('show');
+  setTimeout(() => t.classList.remove('show'), 3500);
+}
+
+function openModal(html) {
+  $('#modal').innerHTML = html;
+  $('#modal-bg').classList.add('open');
+}
+function closeModal() {
+  $('#modal-bg').classList.remove('open');
+  $('#modal').innerHTML = '';
+}
+
+// Globalna rola (postavlja se preko dropdowna u topbaru)
+let CURRENT_ROLE = localStorage.getItem('crm-role') || 'pgz_admin';
+
+function setRole(r) {
+  CURRENT_ROLE = r;
+  localStorage.setItem('crm-role', r);
+  toast('Rola postavljena: ' + r);
+  // ako je otvoren panel, refreshaj edit dozvole
+  if (window._OPEN_PANEL_CID) loadClanPanel(window._OPEN_PANEL_CID);
+}
+
+// Wrapper za API koji dodaje X-Role
+async function apiR(path, opts={}) {
+  const o = Object.assign({headers: {'Content-Type':'application/json', 'X-Role': CURRENT_ROLE}}, opts);
+  if (o.body && typeof o.body !== 'string') o.body = JSON.stringify(o.body);
+  const r = await fetch(API + path, o);
+  if (!r.ok) {
+    const msg = await r.text().catch(()=>r.statusText);
+    throw new Error(`HTTP ${r.status}: ${msg.substring(0,200)}`);
+  }
+  return r.json();
+}
+
+function setTab(name) {
+  $$('.tab').forEach(t => t.classList.toggle('active', t.dataset.tab === name));
+  $$('.page').forEach(p => p.style.display = (p.id === 'page-' + name) ? 'block' : 'none');
+  if (name === 'clanovi') loadClanovi();
+  if (name === 'clanarine') loadClanarine();
+  if (name === 'lijecnicki') loadLijecnicki();
+  if (name === 'obrasci') loadObrasci();
+}
+
+// ════════════════════════════════════════════════════
+// MODUL 1 — ČLANARINE  (M7)
+// ════════════════════════════════════════════════════
+
+async function loadClanarine() {
+  const root = $('#page-clanarine');
+  root.innerHTML = '<div class="loading">Učitavanje članarina…</div>';
+  let data;
+  try {
+    data = await api('/clanarine?limit=200');
+  } catch (e) { root.innerHTML = `<div class="empty">Greška: ${esc(e.message)}</div>`; return; }
+  $('#cnt-clanarine').textContent = data.count;
+  const s = data.summary || {};
+  const kpi = `
+    <div class="kpi-grid">
+      <div class="kpi b"><div class="kpi-l">Ukupno zaduženja</div><div class="kpi-v">${fmt(s.total)}</div></div>
+      <div class="kpi g"><div class="kpi-l">Naplaćeno</div><div class="kpi-v">${fmtEur(s.total_placen)}</div></div>
+      <div class="kpi r"><div class="kpi-l">Dug</div><div class="kpi-v">${fmtEur(s.total_dug)}</div></div>
+      <div class="kpi a"><div class="kpi-l">Nepodmireno</div><div class="kpi-v">${fmt(s.n_nepodmireno)}</div></div>
+    </div>`;
+  const tools = `
+    <div class="toolbar">
+      <select id="cl-status" onchange="loadClanarineFiltered()">
+        <option value="">Svi statusi</option>
+        <option value="nepodmireno">Nepodmireno</option>
+        <option value="djelomicno">Djelomično</option>
+        <option value="podmireno">Podmireno</option>
+        <option value="storno">Storno</option>
+      </select>
+      <input id="cl-godina" type="number" placeholder="Godina" min="2020" max="2030" onchange="loadClanarineFiltered()">
+      <input id="cl-klub" type="number" placeholder="Klub ID" onchange="loadClanarineFiltered()">
+      <div class="grow"></div>
+      <button class="btn primary" onclick="bulkNotify()">📧 Notify dužnike</button>
+      <button class="btn" onclick="newClanarinaModal()">+ Novo zaduženje</button>
+    </div>`;
+  const rows = (data.rows || []).map(r => `
+    <tr>
+      <td><b>${esc(r.clan)}</b><div style="font-size:11px;color:var(--t3)">${esc(r.klub || '')}</div></td>
+      <td>${esc(r.godina)}</td>
+      <td>${esc(r.razdoblje || '')}</td>
+      <td>${fmtEur(r.iznos_propisan)}</td>
+      <td>${fmtEur(r.iznos_placen)}</td>
+      <td><b style="color:${r.dug>0?'var(--err)':'var(--ok)'}">${fmtEur(r.dug)}</b></td>
+      <td><span class="tag ${statusTag(r.status)}">${esc(r.status)}</span></td>
+      <td>
+        <button class="btn sm" onclick="openPayment(${r.id})" title="Pregled plaćanja">💳</button>
+        <button class="btn sm" onclick="openUplata(${r.id})" title="Registriraj uplatu">+€</button>
+        <a class="btn sm" href="${API}/clanarine/${r.id}/uplatnica.pdf" target="_blank" title="HUB-3 PDF">📄</a>
+      </td>
+    </tr>`).join('');
+
+  root.innerHTML = kpi + tools + `
+    <div class="card">
+      <div class="card-h"><div class="card-t">Lista članarina (${data.count})</div></div>
+      <table>
+        <thead><tr><th>Sportaš/Klub</th><th>God.</th><th>Razdoblje</th><th>Propisan</th><th>Plaćeno</th><th>Dug</th><th>Status</th><th></th></tr></thead>
+        <tbody>${rows || '<tr><td colspan="8" class="empty">Nema zapisa.</td></tr>'}</tbody>
+      </table>
+    </div>`;
+}
+
+function statusTag(s) {
+  return ({nepodmireno:'rd', djelomicno:'am', podmireno:'gr', storno:'gy'})[s] || 'gy';
+}
+
+async function loadClanarineFiltered() {
+  const status = $('#cl-status').value;
+  const godina = $('#cl-godina').value;
+  const klub = $('#cl-klub').value;
+  const params = new URLSearchParams({limit: 200});
+  if (status) params.append('status', status);
+  if (godina) params.append('godina', godina);
+  if (klub) params.append('klub_id', klub);
+  const data = await api('/clanarine?' + params);
+  const tbody = $('#page-clanarine table tbody');
+  tbody.innerHTML = (data.rows || []).map(r => `
+    <tr>
+      <td><b>${esc(r.clan)}</b><div style="font-size:11px;color:var(--t3)">${esc(r.klub || '')}</div></td>
+      <td>${esc(r.godina)}</td>
+      <td>${esc(r.razdoblje || '')}</td>
+      <td>${fmtEur(r.iznos_propisan)}</td>
+      <td>${fmtEur(r.iznos_placen)}</td>
+      <td><b style="color:${r.dug>0?'var(--err)':'var(--ok)'}">${fmtEur(r.dug)}</b></td>
+      <td><span class="tag ${statusTag(r.status)}">${esc(r.status)}</span></td>
+      <td>
+        <button class="btn sm" onclick="openPayment(${r.id})">💳</button>
+        <button class="btn sm" onclick="openUplata(${r.id})">+€</button>
+        <a class="btn sm" href="${API}/clanarine/${r.id}/uplatnica.pdf" target="_blank">📄</a>
+      </td>
+    </tr>`).join('') || '<tr><td colspan="8" class="empty">Nema zapisa.</td></tr>';
+}
+
+async function openPayment(id) {
+  let info;
+  try { info = await api('/clanarine/' + id + '/payment-info'); }
+  catch (e) { return toast('Greška: ' + e.message, true); }
+  openModal(`
+    <div class="modal-h">
+      <div class="modal-t">💳 Podaci za plaćanje #${id}</div>
+      <div class="modal-x" onclick="closeModal()">×</div>
+    </div>
+    <div class="modal-b">
+      <div class="qr-box">
+        <img src="${API}/clanarine/${id}/qr.png" alt="EPC QR">
+        <div class="qr-info">
+          <p style="margin:0 0 8px;color:var(--t2);font-size:12px">Skenirajte QR mobilnom bankom (Zaba / PBZ / Erste / OTP / RBA) — popunit će sve podatke za uplatu.</p>
+          <a class="btn primary" href="${API}/clanarine/${id}/uplatnica.pdf" target="_blank">📄 HUB-3 PDF (uplatnica)</a>
+        </div>
+      </div>
+      <div class="payment-card">
+        <div class="payment-row"><div class="l">Iznos za uplatu</div><div class="v big">${fmtEur(info.iznos_eur)}</div></div>
+        <div class="payment-row"><div class="l">Primatelj</div><div class="v">${esc(info.primatelj)}</div></div>
+        <div class="payment-row"><div class="l">IBAN</div><div class="v">${esc(info.iban)}</div></div>
+        <div class="payment-row"><div class="l">Model</div><div class="v">${esc(info.model)}</div></div>
+        <div class="payment-row"><div class="l">Poziv na broj</div><div class="v">${esc(info.poziv_na_broj)}</div></div>
+        <div class="payment-row"><div class="l">Opis</div><div class="v">${esc(info.opis)}</div></div>
+      </div>
+      <details style="margin-top:14px">
+        <summary style="cursor:pointer;color:var(--t2);font-size:12px">EPC QR payload (BCD/002 SCT)</summary>
+        <pre style="background:var(--bg);padding:10px;border-radius:5px;font-size:11px;overflow:auto;margin-top:6px">${esc(info.epc_payload)}</pre>
+      </details>
+    </div>`);
+}
+
+function openUplata(id) {
+  openModal(`
+    <div class="modal-h">
+      <div class="modal-t">+€ Registriraj uplatu (članarina #${id})</div>
+      <div class="modal-x" onclick="closeModal()">×</div>
+    </div>
+    <div class="modal-b">
+      <form onsubmit="submitUplata(event, ${id})">
+        <div class="field"><label class="req">Iznos uplate (EUR)</label>
+          <input name="iznos" type="number" step="0.01" min="0.01" required></div>
+        <div class="field"><label>Datum uplate</label>
+          <input name="datum_uplate" type="date" value="${new Date().toISOString().slice(0,10)}"></div>
+        <div class="field"><label>Način uplate</label>
+          <select name="nacin_uplate">
+            <option value="transakcijski">Transakcijski račun</option>
+            <option value="gotovina">Gotovina</option>
+            <option value="kartica">Kartica</option>
+          </select></div>
+        <div class="field"><label>Referenca / broj naloga</label>
+          <input name="referenca" type="text"></div>
+        <div style="text-align:right;margin-top:14px">
+          <button type="button" class="btn" onclick="closeModal()">Odustani</button>
+          <button type="submit" class="btn primary">💾 Spremi uplatu</button>
+        </div>
+      </form>
+    </div>`);
+}
+
+async function submitUplata(e, id) {
+  e.preventDefault();
+  const f = e.target;
+  const body = {
+    iznos: parseFloat(f.iznos.value),
+    datum_uplate: f.datum_uplate.value || null,
+    nacin_uplate: f.nacin_uplate.value,
+    referenca: f.referenca.value || null,
+  };
+  try {
+    const r = await api('/clanarine/' + id + '/uplata', {method:'POST', body});
+    closeModal();
+    toast(`Uplata ${fmtEur(body.iznos)} registrirana. Status: ${r.status}`);
+    loadClanarine();
+  } catch (err) { toast('Greška: ' + err.message, true); }
+}
+
+function newClanarinaModal() {
+  openModal(`
+    <div class="modal-h">
+      <div class="modal-t">+ Novo zaduženje članarine</div>
+      <div class="modal-x" onclick="closeModal()">×</div>
+    </div>
+    <div class="modal-b">
+      <form onsubmit="submitNewClanarina(event)">
+        <div class="field"><label class="req">Član ID</label>
+          <input name="clan_id" type="number" required></div>
+        <div class="field"><label>Klub ID (auto ako se ne unese)</label>
+          <input name="klub_id" type="number"></div>
+        <div class="field"><label class="req">Godina</label>
+          <input name="godina" type="number" required value="${new Date().getFullYear()}"></div>
+        <div class="field"><label>Razdoblje</label>
+          <input name="razdoblje" type="text" value="godišnja"></div>
+        <div class="field"><label class="req">Iznos propisan (EUR)</label>
+          <input name="iznos_propisan" type="number" step="0.01" required></div>
+        <div class="field"><label>Iznos plaćen (ako odmah)</label>
+          <input name="iznos_placen" type="number" step="0.01" value="0"></div>
+        <div class="field"><label>Napomena</label>
+          <textarea name="napomena"></textarea></div>
+        <div style="text-align:right">
+          <button type="button" class="btn" onclick="closeModal()">Odustani</button>
+          <button type="submit" class="btn primary">💾 Kreiraj</button>
+        </div>
+      </form>
+    </div>`);
+}
+
+async function submitNewClanarina(e) {
+  e.preventDefault();
+  const f = e.target;
+  const body = {
+    clan_id: parseInt(f.clan_id.value),
+    klub_id: f.klub_id.value ? parseInt(f.klub_id.value) : null,
+    godina: parseInt(f.godina.value),
+    razdoblje: f.razdoblje.value,
+    iznos_propisan: parseFloat(f.iznos_propisan.value),
+    iznos_placen: parseFloat(f.iznos_placen.value || 0),
+    napomena: f.napomena.value || null,
+  };
+  try {
+    await api('/clanarine', {method:'POST', body});
+    closeModal();
+    toast('Članarina kreirana.');
+    loadClanarine();
+  } catch (err) { toast('Greška: ' + err.message, true); }
+}
+
+async function bulkNotify() {
+  if (!confirm('Pošalji notifikaciju svim dužnicima?')) return;
+  try {
+    const r = await api('/clanarine/notify-bulk', {method:'POST', body: {}});
+    toast(`Postavljeno ${r.queued} primatelja u red. (Mock — SMTP nije konfiguriran.)`);
+  } catch (err) { toast('Greška: ' + err.message, true); }
+}
+
+// ════════════════════════════════════════════════════
+// MODUL 2 — LIJEČNIČKI PREGLEDI  (M8)
+// ════════════════════════════════════════════════════
+
+async function loadLijecnicki() {
+  const root = $('#page-lijecnicki');
+  root.innerHTML = '<div class="loading">Učitavanje pregleda…</div>';
+  let data;
+  try { data = await api('/lijecnicki?limit=200'); }
+  catch (e) { root.innerHTML = `<div class="empty">Greška: ${esc(e.message)}</div>`; return; }
+  $('#cnt-lijecnicki').textContent = data.count;
+  const s = data.summary || {};
+  const kpi = `
+    <div class="kpi-grid">
+      <div class="kpi b"><div class="kpi-l">Ukupno pregleda</div><div class="kpi-v">${fmt(s.total)}</div></div>
+      <div class="kpi g"><div class="kpi-l">Važeći</div><div class="kpi-v">${fmt(s.vazeci)}</div></div>
+      <div class="kpi a"><div class="kpi-l">Uskoro istek (30d)</div><div class="kpi-v">${fmt(s.uskoro)}</div></div>
+      <div class="kpi r"><div class="kpi-l">Istekli</div><div class="kpi-v">${fmt(s.istekli)}</div></div>
+    </div>`;
+  const tools = `
+    <div class="toolbar">
+      <select id="lj-status" onchange="loadLijecnickiFiltered()">
+        <option value="">Svi statusi</option>
+        <option value="vazeci">Važeći</option>
+        <option value="uskoro">Uskoro istek</option>
+        <option value="istekao">Istekao</option>
+      </select>
+      <input id="lj-klub" type="number" placeholder="Klub ID" onchange="loadLijecnickiFiltered()">
+      <div class="grow"></div>
+      <button class="btn" onclick="loadZZJZ()">🏥 ZZJZ PGŽ termini</button>
+      <button class="btn" onclick="newLijecnickiModal()">+ Novi pregled</button>
+    </div>`;
+  const rows = (data.rows || []).map(r => `
+    <tr>
+      <td><b>${esc(r.clan)}</b><div style="font-size:11px;color:var(--t3)">${esc(r.klub || '')}</div></td>
+      <td>${fmtDate(r.datum_pregleda)}</td>
+      <td>${fmtDate(r.vrijedi_do)}</td>
+      <td><span class="tag ${({vazeci:'gr', uskoro:'am', istekao:'rd'})[r.status_calc]||'gy'}">
+        ${r.status_calc}${r.dana_do_isteka != null ? ' ('+r.dana_do_isteka+'d)' : ''}</span></td>
+      <td>${esc(r.ustanova || '')}</td>
+      <td>${esc(r.lijecnik || '')}</td>
+      <td>${r.placeno ? '<span class="tag gr">DA</span>' : '<span class="tag rd">NE</span>'}</td>
+      <td>
+        <button class="btn sm" onclick="openZakaziModal(${r.id}, '${esc(r.clan)}')" title="Zakaži termin">📅</button>
+        <button class="btn sm" onclick="openLijecnickiDetalji(${r.id})" title="Detalji">👁</button>
+      </td>
+    </tr>`).join('');
+  root.innerHTML = kpi + tools + `
+    <div class="card">
+      <div class="card-h"><div class="card-t">Lista pregleda (${data.count})</div></div>
+      <table>
+        <thead><tr><th>Sportaš/Klub</th><th>Datum pregleda</th><th>Vrijedi do</th><th>Status</th><th>Ustanova</th><th>Liječnik</th><th>Plaćeno</th><th></th></tr></thead>
+        <tbody>${rows || '<tr><td colspan="8" class="empty">Nema zapisa.</td></tr>'}</tbody>
+      </table>
+    </div>`;
+}
+
+async function loadLijecnickiFiltered() {
+  const status = $('#lj-status').value;
+  const klub = $('#lj-klub').value;
+  const params = new URLSearchParams({limit: 200});
+  if (status) params.append('status', status);
+  if (klub) params.append('klub_id', klub);
+  const data = await api('/lijecnicki?' + params);
+  const tbody = $('#page-lijecnicki table tbody');
+  tbody.innerHTML = (data.rows || []).map(r => `
+    <tr>
+      <td><b>${esc(r.clan)}</b><div style="font-size:11px;color:var(--t3)">${esc(r.klub || '')}</div></td>
+      <td>${fmtDate(r.datum_pregleda)}</td>
+      <td>${fmtDate(r.vrijedi_do)}</td>
+      <td><span class="tag ${({vazeci:'gr', uskoro:'am', istekao:'rd'})[r.status_calc]||'gy'}">
+        ${r.status_calc}${r.dana_do_isteka != null ? ' ('+r.dana_do_isteka+'d)' : ''}</span></td>
+      <td>${esc(r.ustanova || '')}</td>
+      <td>${esc(r.lijecnik || '')}</td>
+      <td>${r.placeno ? '<span class="tag gr">DA</span>' : '<span class="tag rd">NE</span>'}</td>
+      <td>
+        <button class="btn sm" onclick="openZakaziModal(${r.id}, '${esc(r.clan)}')">📅</button>
+        <button class="btn sm" onclick="openLijecnickiDetalji(${r.id})">👁</button>
+      </td>
+    </tr>`).join('') || '<tr><td colspan="8" class="empty">Nema zapisa.</td></tr>';
+}
+
+async function loadZZJZ() {
+  let info, termini;
+  try {
+    info = await api('/zzjz/info');
+    termini = await api('/zzjz/termini');
+  } catch (e) { return toast('Greška: ' + e.message, true); }
+  const booking = info.online_booking || {};
+  const bookingHtml = booking.available
+    ? `<a class="btn primary" target="_blank" href="${esc(booking.url)}">🔗 Otvori online sustav (${esc(booking.kind)})</a>`
+    : `<div class="tag am">Online sustav nije pronađen — koristi e-mail kontakt</div>
+       <div style="margin-top:8px"><a class="btn primary" href="mailto:${esc(info.email)}">✉ E-mail: ${esc(info.email)}</a></div>`;
+  const termHtml = (termini.termini || []).slice(0, 30).map(t => `
+    <tr>
+      <td>${esc(t.datum)}</td><td>${esc(t.vrijeme)}</td>
+      <td>${esc(t.doktor)}</td>
+      <td>${t.available ? '<span class="tag gr">slobodno</span>' : '<span class="tag rd">zauzeto</span>'}</td>
+      <td>${fmtEur(t.iznos_eur)}</td>
+    </tr>`).join('');
+  openModal(`
+    <div class="modal-h">
+      <div class="modal-t">🏥 ZZJZ PGŽ — Sportska medicina</div>
+      <div class="modal-x" onclick="closeModal()">×</div>
+    </div>
+    <div class="modal-b">
+      <div class="payment-card">
+        <div class="payment-row"><div class="l">Naziv</div><div class="v">${esc(info.naziv)}</div></div>
+        <div class="payment-row"><div class="l">Adresa</div><div class="v">${esc(info.adresa)}</div></div>
+        <div class="payment-row"><div class="l">Telefon</div><div class="v">${esc(info.telefon)}</div></div>
+        <div class="payment-row"><div class="l">E-mail</div><div class="v">${esc(info.email)}</div></div>
+        <div class="payment-row"><div class="l">Web</div><div class="v"><a href="${esc(info.url_sportska_medicina)}" target="_blank" style="color:var(--pgz-blue)">${esc(info.url_sportska_medicina)}</a></div></div>
+      </div>
+      <div style="margin:14px 0">${bookingHtml}</div>
+      <div class="card-h" style="background:transparent;border:none;padding:8px 0">
+        <div class="card-t">Dostupni termini (mock — tjedan ${esc(termini.week_start)})</div>
+        <div style="font-size:11px;color:var(--t3)">${termini.available} slobodno / ${termini.count} ukupno</div>
+      </div>
+      <table>
+        <thead><tr><th>Datum</th><th>Vrijeme</th><th>Doktor</th><th>Status</th><th>Iznos</th></tr></thead>
+        <tbody>${termHtml || '<tr><td colspan="5" class="empty">Nema termina.</td></tr>'}</tbody>
+      </table>
+    </div>`);
+}
+
+function openZakaziModal(lid, clan) {
+  openModal(`
+    <div class="modal-h">
+      <div class="modal-t">📅 Zakaži pregled — ${esc(clan)}</div>
+      <div class="modal-x" onclick="closeModal()">×</div>
+    </div>
+    <div class="modal-b">
+      <p style="color:var(--t2);font-size:13px;margin-top:0">Sustav će zakazati termin u ZZJZ PGŽ. Ako online sustav nije dostupan, otvorit će mailto: link.</p>
+      <form onsubmit="submitZakazi(event, ${lid})">
+        <div class="field"><label class="req">Datum</label>
+          <input name="datum" type="date" required value="${new Date(Date.now()+7*86400000).toISOString().slice(0,10)}"></div>
+        <div class="field"><label>Vrijeme</label>
+          <input name="vrijeme" type="time" value="09:00"></div>
+        <div class="field"><label>Ustanova</label>
+          <input name="ustanova" type="text" value="ZZJZ PGŽ"></div>
+        <div class="field"><label>Napomena</label>
+          <textarea name="napomena"></textarea></div>
+        <div style="text-align:right">
+          <button type="button" class="btn" onclick="closeModal()">Odustani</button>
+          <button type="submit" class="btn primary">📅 Zakaži</button>
+        </div>
+      </form>
+    </div>`);
+}
+
+async function submitZakazi(e, lid) {
+  e.preventDefault();
+  const f = e.target;
+  const body = {
+    datum: f.datum.value, vrijeme: f.vrijeme.value,
+    ustanova: f.ustanova.value, napomena: f.napomena.value || null,
+  };
+  try {
+    const r = await api('/lijecnicki/' + lid + '/zakazi', {method:'POST', body});
+    closeModal();
+    toast('Termin zakazan: ' + r.zakazano_za);
+    if (r.booking && r.booking.available) {
+      window.open(r.booking.url, '_blank');
+    } else if (r.mailto) {
+      window.location.href = r.mailto;
+    }
+    loadLijecnicki();
+  } catch (err) { toast('Greška: ' + err.message, true); }
+}
+
+async function openLijecnickiDetalji(lid) {
+  let l;
+  try { l = await api('/lijecnicki/' + lid); }
+  catch (e) { return toast('Greška: ' + e.message, true); }
+  openModal(`
+    <div class="modal-h">
+      <div class="modal-t">⚕ Pregled #${l.id} — ${esc(l.clan)}</div>
+      <div class="modal-x" onclick="closeModal()">×</div>
+    </div>
+    <div class="modal-b">
+      <div class="payment-card">
+        <div class="payment-row"><div class="l">Sportaš</div><div class="v">${esc(l.clan)}</div></div>
+        <div class="payment-row"><div class="l">Klub</div><div class="v">${esc(l.klub || '')}</div></div>
+        <div class="payment-row"><div class="l">Datum pregleda</div><div class="v">${fmtDate(l.datum_pregleda)}</div></div>
+        <div class="payment-row"><div class="l">Vrijedi do</div><div class="v">${fmtDate(l.vrijedi_do)}</div></div>
+        <div class="payment-row"><div class="l">Status</div><div class="v"><span class="tag ${({vazeci:'gr',uskoro:'am',istekao:'rd'})[l.status_calc]||'gy'}">${l.status_calc} (${l.dana_do_isteka}d)</span></div></div>
+        <div class="payment-row"><div class="l">Vrsta</div><div class="v">${esc(l.vrsta_pregleda || '')}</div></div>
+        <div class="payment-row"><div class="l">Ustanova</div><div class="v">${esc(l.ustanova || '')}</div></div>
+        <div class="payment-row"><div class="l">Liječnik</div><div class="v">${esc(l.lijecnik || '')}</div></div>
+        <div class="payment-row"><div class="l">EKG / Krv / Spirometrija</div><div class="v">${l.ekg?'✓':'✗'} / ${l.krv?'✓':'✗'} / ${l.spirometrija?'✓':'✗'}</div></div>
+        <div class="payment-row"><div class="l">Spreman za natjecanje</div><div class="v">${l.spreman_za_natjecanje?'<span class="tag gr">DA</span>':'<span class="tag rd">NE</span>'}</div></div>
+        <div class="payment-row"><div class="l">Iznos / plaćeno</div><div class="v">${fmtEur(l.iznos)} ${l.placeno?'<span class="tag gr">DA</span>':'<span class="tag rd">NE</span>'}</div></div>
+      </div>
+      ${l.komentar_lijecnika ? `<div style="margin-top:12px;padding:10px;background:var(--bg);border-left:3px solid var(--pgz-blue);border-radius:5px"><div style="font-size:11px;color:var(--t3);margin-bottom:4px">KOMENTAR LIJEČNIKA</div>${esc(l.komentar_lijecnika)}</div>` : ''}
+      ${l.napomena ? `<div style="margin-top:8px;padding:10px;background:var(--bg);border-left:3px solid var(--warn);border-radius:5px"><div style="font-size:11px;color:var(--t3);margin-bottom:4px">NAPOMENA</div>${esc(l.napomena)}</div>` : ''}
+      <div style="text-align:right;margin-top:14px">
+        <button class="btn" onclick="openZakaziModal(${l.id}, '${esc(l.clan)}')">📅 Zakaži novi termin</button>
+      </div>
+    </div>`);
+}
+
+function newLijecnickiModal() {
+  openModal(`
+    <div class="modal-h">
+      <div class="modal-t">+ Novi liječnički pregled</div>
+      <div class="modal-x" onclick="closeModal()">×</div>
+    </div>
+    <div class="modal-b">
+      <form onsubmit="submitNewLijecnicki(event)">
+        <div class="field"><label class="req">Član ID</label>
+          <input name="clan_id" type="number" required></div>
+        <div class="field"><label class="req">Datum pregleda</label>
+          <input name="datum_pregleda" type="date" required value="${new Date().toISOString().slice(0,10)}"></div>
+        <div class="field"><label>Vrijedi do (auto +1 god)</label>
+          <input name="vrijedi_do" type="date"></div>
+        <div class="field"><label>Vrsta pregleda</label>
+          <select name="vrsta_pregleda">
+            <option value="temeljni">Temeljni</option>
+            <option value="kontrolni">Kontrolni</option>
+            <option value="izvanredni">Izvanredni</option>
+          </select></div>
+        <div class="field"><label>Ustanova</label>
+          <input name="ustanova" type="text" value="ZZJZ PGŽ"></div>
+        <div class="field"><label>Liječnik</label>
+          <input name="lijecnik" type="text"></div>
+        <div class="field"><label>Iznos (EUR)</label>
+          <input name="iznos" type="number" step="0.01" value="60"></div>
+        <div style="text-align:right">
+          <button type="button" class="btn" onclick="closeModal()">Odustani</button>
+          <button type="submit" class="btn primary">💾 Spremi pregled</button>
+        </div>
+      </form>
+    </div>`);
+}
+
+async function submitNewLijecnicki(e) {
+  e.preventDefault();
+  const f = e.target;
+  const body = {
+    clan_id: parseInt(f.clan_id.value),
+    datum_pregleda: f.datum_pregleda.value,
+    vrijedi_do: f.vrijedi_do.value || null,
+    vrsta_pregleda: f.vrsta_pregleda.value,
+    ustanova: f.ustanova.value,
+    lijecnik: f.lijecnik.value || null,
+    iznos: parseFloat(f.iznos.value || 0),
+  };
+  try {
+    await api('/lijecnicki', {method:'POST', body});
+    closeModal();
+    toast('Pregled spremljen.');
+    loadLijecnicki();
+  } catch (err) { toast('Greška: ' + err.message, true); }
+}
+
+// ════════════════════════════════════════════════════
+// MODUL 3 — OBRASCI  (M9)
+// ════════════════════════════════════════════════════
+
+async function loadObrasci() {
+  const root = $('#page-obrasci');
+  root.innerHTML = '<div class="loading">Učitavanje obrazaca…</div>';
+  let templates, submissions;
+  try {
+    templates = await api('/forms');
+    submissions = await api('/forms/submissions?limit=50');
+  } catch (e) { root.innerHTML = `<div class="empty">Greška: ${esc(e.message)}</div>`; return; }
+  $('#cnt-obrasci').textContent = templates.count;
+  const ss = submissions.summary || {};
+  const kpi = `
+    <div class="kpi-grid">
+      <div class="kpi b"><div class="kpi-l">Templati</div><div class="kpi-v">${fmt(templates.count)}</div></div>
+      <div class="kpi g"><div class="kpi-l">Predani</div><div class="kpi-v">${fmt(ss.submitted)}</div></div>
+      <div class="kpi a"><div class="kpi-l">Draft</div><div class="kpi-v">${fmt(ss.draft)}</div></div>
+      <div class="kpi b"><div class="kpi-l">Odobreni</div><div class="kpi-v">${fmt(ss.approved)}</div></div>
+    </div>`;
+  const cards = (templates.forms || []).map(f => `
+    <div class="card" style="margin-bottom:10px">
+      <div class="card-b" style="display:flex;justify-content:space-between;align-items:center">
+        <div>
+          <div style="font-weight:600">${esc(f.naziv)}</div>
+          <div style="font-size:11px;color:var(--t3);margin-top:3px">${esc(f.code)} · ${esc(f.kategorija || '—')} · ${f.field_count} polja${f.opis ? ' · ' + esc(f.opis.substring(0,80)) : ''}</div>
+        </div>
+        <button class="btn primary" onclick="openFormFill('${esc(f.code)}')">📝 Otvori obrazac</button>
+      </div>
+    </div>`).join('');
+  const subRows = (submissions.rows || []).map(s => `
+    <tr>
+      <td><b>${esc(s.template_naziv || s.template_code)}</b><div style="font-size:11px;color:var(--t3)">${esc(s.reference_no || '')}</div></td>
+      <td>${esc(s.klub_naziv || '—')}</td>
+      <td>${fmtDate(s.created_at)}</td>
+      <td><span class="tag ${({draft:'gy',submitted:'am',approved:'gr',rejected:'rd'})[s.status]||'gy'}">${esc(s.status)}</span></td>
+      <td><code style="font-size:10px;color:var(--ok)">${esc((s.signature_sha256 || '').substring(0,12))}${s.signature_sha256?'…':''}</code></td>
+      <td>
+        <button class="btn sm" onclick="openSubmissionDetalji(${s.id})" title="Detalji">👁</button>
+        <a class="btn sm" href="${API}/forms/submissions/${s.id}/pdf" target="_blank" title="PDF">📄</a>
+      </td>
+    </tr>`).join('');
+  root.innerHTML = kpi + `
+    <div class="row" style="display:grid;grid-template-columns:1fr 1.4fr;gap:14px">
+      <div>
+        <div class="card-h" style="border-radius:8px 8px 0 0;background:var(--bg2);border:1px solid var(--rim);border-bottom:none">
+          <div class="card-t">📋 Dostupni obrasci (${templates.count})</div>
+        </div>
+        <div style="background:var(--bg2);border:1px solid var(--rim);border-top:none;border-radius:0 0 8px 8px;padding:12px;max-height:600px;overflow-y:auto">${cards}</div>
+      </div>
+      <div>
+        <div class="card">
+          <div class="card-h"><div class="card-t">Predani obrasci (${submissions.count})</div></div>
+          <table>
+            <thead><tr><th>Obrazac</th><th>Klub</th><th>Datum</th><th>Status</th><th>SHA-256</th><th></th></tr></thead>
+            <tbody>${subRows || '<tr><td colspan="6" class="empty">Nema predanih obrazaca.</td></tr>'}</tbody>
+          </table>
+        </div>
+      </div>
+    </div>`;
+}
+
+async function openFormFill(code) {
+  let tpl, prefill;
+  try {
+    tpl = await api('/forms/' + code);
+    // prefill bez klub_id pretpostavlja prazan
+    prefill = await api(`/forms/${code}/prefill`);
+  } catch (e) { return toast('Greška: ' + e.message, true); }
+  const fields = (tpl.schema_json && tpl.schema_json.fields) || [];
+  const pre = prefill.prefill || {};
+  const fieldsHtml = fields.map(f => {
+    const v = pre[f.name] != null ? pre[f.name] : '';
+    const reqClass = f.required ? 'req' : '';
+    let inp = '';
+    if (f.type === 'textarea') {
+      inp = `<textarea name="${esc(f.name)}">${esc(v)}</textarea>`;
+    } else if (f.type === 'select' && Array.isArray(f.options)) {
+      inp = `<select name="${esc(f.name)}"><option value=""></option>${f.options.map(o => `<option ${o===v?'selected':''}>${esc(o)}</option>`).join('')}</select>`;
+    } else if (f.type === 'date') {
+      inp = `<input type="date" name="${esc(f.name)}" value="${esc(v)}">`;
+    } else if (f.type === 'number') {
+      inp = `<input type="number" name="${esc(f.name)}" value="${esc(v)}" ${f.required?'required':''}>`;
+    } else if (f.type === 'file') {
+      inp = `<input type="text" name="${esc(f.name)}" placeholder="(file upload — TODO)">`;
+    } else {
+      inp = `<input type="text" name="${esc(f.name)}" value="${esc(v)}" ${f.required?'required':''}>`;
+    }
+    return `<div class="field"><label class="${reqClass}">${esc(f.label || f.name)}</label>${inp}${f.help ? `<div class="help">${esc(f.help)}</div>` : ''}</div>`;
+  }).join('');
+
+  openModal(`
+    <div class="modal-h">
+      <div class="modal-t">📝 ${esc(tpl.naziv)}</div>
+      <div class="modal-x" onclick="closeModal()">×</div>
+    </div>
+    <div class="modal-b">
+      <p style="color:var(--t2);font-size:12px;margin-top:0">${esc(tpl.opis || '')} <br><span style="color:var(--t3)">Polja označena * su obavezna. Submit = digitalni potpis (sha256) + status "submitted".</span></p>
+      <form onsubmit="submitFormFill(event, '${esc(code)}')">
+        <div class="field"><label>Klub ID (opcionalno — za bolju autopopulaciju)</label>
+          <input id="fill-klub" type="number" placeholder="npr. 10" onchange="reloadPrefill('${esc(code)}', this.value)"></div>
+        ${fieldsHtml}
+        <div class="field"><label>Vaše ime/prezime (digitalni potpis)</label>
+          <input name="__signer" type="text" placeholder="npr. Damir Radulić" required></div>
+        <div style="text-align:right;margin-top:14px">
+          <button type="button" class="btn" onclick="closeModal()">Odustani</button>
+          <button type="button" class="btn" onclick="saveFormDraft(event, '${esc(code)}', this)">💾 Spremi draft</button>
+          <button type="submit" class="btn primary">✍ Potpiši i predaj</button>
+        </div>
+      </form>
+    </div>`);
+}
+
+async function reloadPrefill(code, klubId) {
+  if (!klubId) return;
+  try {
+    const data = await api(`/forms/${code}/prefill?klub_id=${parseInt(klubId)}`);
+    Object.entries(data.prefill || {}).forEach(([k, v]) => {
+      const el = document.querySelector(`[name="${k}"]`);
+      if (el && !el.value) el.value = v;
+    });
+    toast(`Autopopulirano ${data.applied_fields.length} polja iz kluba ${klubId}`);
+  } catch (err) { toast('Prefill greška: ' + err.message, true); }
+}
+
+function _collectFormData(form) {
+  const data = {};
+  let signer = null;
+  let klubId = null;
+  Array.from(form.elements).forEach(el => {
+    if (!el.name) return;
+    if (el.name === '__signer') { signer = el.value; return; }
+    if (el.id === 'fill-klub') { klubId = el.value ? parseInt(el.value) : null; return; }
+    data[el.name] = el.value;
+  });
+  return {data, signer, klubId};
+}
+
+async function submitFormFill(e, code) {
+  e.preventDefault();
+  const {data, signer, klubId} = _collectFormData(e.target);
+  try {
+    // create draft
+    const draft = await api('/forms/submissions', {method:'POST', body: {
+      template_code: code, klub_id: klubId, data,
+    }});
+    // submit + sign
+    const signed = await api('/forms/submissions/' + draft.id + '/submit', {method:'POST', body: {
+      full_name: signer, confirm: true,
+    }});
+    closeModal();
+    toast('Obrazac potpisan i predan. SHA-256: ' + signed.signature_sha256.substring(0,12) + '…');
+    showSignatureConfirm(signed);
+    loadObrasci();
+  } catch (err) { toast('Greška: ' + err.message, true); }
+}
+
+async function saveFormDraft(e, code, btn) {
+  const form = btn.closest('form');
+  const {data, klubId} = _collectFormData(form);
+  try {
+    const draft = await api('/forms/submissions', {method:'POST', body: {
+      template_code: code, klub_id: klubId, data,
+    }});
+    closeModal();
+    toast('Spremljen draft #' + draft.id + ' (REF ' + draft.reference_no + ')');
+    loadObrasci();
+  } catch (err) { toast('Greška: ' + err.message, true); }
+}
+
+function showSignatureConfirm(signed) {
+  setTimeout(() => openModal(`
+    <div class="modal-h">
+      <div class="modal-t">✓ Obrazac digitalno potpisan</div>
+      <div class="modal-x" onclick="closeModal()">×</div>
+    </div>
+    <div class="modal-b">
+      <div class="payment-card">
+        <div class="payment-row"><div class="l">Submission ID</div><div class="v">#${signed.id}</div></div>
+        <div class="payment-row"><div class="l">Status</div><div class="v"><span class="tag am">${esc(signed.status)}</span></div></div>
+        <div class="payment-row"><div class="l">Potpisao</div><div class="v">${esc(signed.signed_by)}</div></div>
+        <div class="payment-row"><div class="l">Vrijeme</div><div class="v" style="font-size:11px">${esc(signed.signed_at)}</div></div>
+      </div>
+      <div class="signature-box">
+        <div style="color:var(--t2);margin-bottom:6px">DIGITALNI POTPIS — SHA-256</div>
+        <div class="sha">${esc(signed.signature_sha256)}</div>
+      </div>
+      <div style="text-align:right;margin-top:14px">
+        <a class="btn primary" href="${API}/forms/submissions/${signed.id}/pdf" target="_blank">📄 Preuzmi PDF</a>
+      </div>
+    </div>`), 200);
+}
+
+async function openSubmissionDetalji(sid) {
+  let s;
+  try { s = await api('/forms/submissions/' + sid); }
+  catch (e) { return toast('Greška: ' + e.message, true); }
+  const data = s.data || {};
+  const fields = (s.schema_json && s.schema_json.fields) || [];
+  const fieldsHtml = fields.filter(f => !f.name.startsWith('__')).map(f => {
+    const v = data[f.name];
+    if (v == null || v === '') return '';
+    return `<div class="payment-row"><div class="l">${esc(f.label || f.name)}</div><div class="v">${esc(v).substring(0,200)}</div></div>`;
+  }).join('');
+  const sig = data.__signature_sha256;
+  openModal(`
+    <div class="modal-h">
+      <div class="modal-t">📋 Submission #${s.id} — ${esc(s.template_naziv)}</div>
+      <div class="modal-x" onclick="closeModal()">×</div>
+    </div>
+    <div class="modal-b">
+      <div class="payment-card">
+        <div class="payment-row"><div class="l">Reference</div><div class="v">${esc(s.reference_no || '')}</div></div>
+        <div class="payment-row"><div class="l">Klub</div><div class="v">${esc(s.klub_naziv || '—')}</div></div>
+        <div class="payment-row"><div class="l">Status</div><div class="v"><span class="tag ${({draft:'gy',submitted:'am',approved:'gr',rejected:'rd'})[s.status]||'gy'}">${esc(s.status)}</span></div></div>
+        <div class="payment-row"><div class="l">Predano</div><div class="v">${fmtDate(s.submitted_at)}</div></div>
+      </div>
+      <div class="card-h" style="background:transparent;border:none;padding:8px 0;margin-top:14px"><div class="card-t">Sadržaj</div></div>
+      <div class="payment-card">${fieldsHtml || '<div style="color:var(--t3)">Prazno.</div>'}</div>
+      ${sig ? `<div class="signature-box"><div style="color:var(--t2);margin-bottom:6px">DIGITALNI POTPIS — SHA-256</div><div class="sha">${esc(sig)}</div><div style="margin-top:6px;color:var(--t3)">Potpisao: ${esc(data.__signed_by||'')} • ${esc(data.__signed_at||'')}</div></div>` : '<div style="color:var(--err);margin-top:10px;font-size:12px">⚠ Nije digitalno potpisan</div>'}
+      <div style="text-align:right;margin-top:14px;display:flex;gap:8px;justify-content:flex-end">
+        ${s.status === 'submitted' ? `
+          <button class="btn" onclick="approveSub(${s.id})">✓ Odobri</button>
+          <button class="btn danger" onclick="rejectSub(${s.id})">✗ Odbij</button>
+        ` : ''}
+        <button class="btn" onclick="reSign(${s.id})">✍ Potpiši ponovno</button>
+        <a class="btn primary" href="${API}/forms/submissions/${s.id}/pdf" target="_blank">📄 PDF</a>
+      </div>
+    </div>`);
+}
+
+async function approveSub(sid) {
+  if (!confirm('Odobri submission #' + sid + '?')) return;
+  try {
+    await api('/forms/submissions/' + sid + '/approve', {method:'POST', body: {user_id: 1}});
+    closeModal(); toast('Submission #' + sid + ' odobren.'); loadObrasci();
+  } catch (e) { toast('Greška: ' + e.message, true); }
+}
+
+async function rejectSub(sid) {
+  const reason = prompt('Razlog odbijanja:');
+  if (!reason) return;
+  try {
+    await api('/forms/submissions/' + sid + '/reject', {method:'POST', body: {user_id: 1, reason}});
+    closeModal(); toast('Submission #' + sid + ' odbijen.'); loadObrasci();
+  } catch (e) { toast('Greška: ' + e.message, true); }
+}
+
+async function reSign(sid) {
+  const name = prompt('Vaše ime za potpis:');
+  if (!name) return;
+  try {
+    const r = await api('/forms/submissions/' + sid + '/sign', {method:'POST', body: {full_name: name, user_id: 1}});
+    closeModal(); toast('Potpisano. SHA-256: ' + r.signature_sha256.substring(0,12) + '…'); loadObrasci();
+  } catch (e) { toast('Greška: ' + e.message, true); }
+}
+
+// ════════════════════════════════════════════════════
+// MODUL 4 — ČLANOVI / DASHBOARD osobe (CRM Dashboard)
+// ════════════════════════════════════════════════════
+
+let CLANOVI_LAST_QUERY = '';
+
+async function loadClanovi() {
+  const root = $('#page-clanovi');
+  root.innerHTML = `
+    <div class="toolbar">
+      <input id="cl-q" type="text" placeholder="Pretraži po imenu / OIB-u (min 2 slova)…" style="min-width:340px;flex:1" oninput="searchClanovi(this.value)">
+      <input id="cl-klub-filter" type="number" placeholder="Klub ID (filter)" onchange="searchClanovi($('#cl-q').value)">
+      <div class="grow"></div>
+      <span style="font-size:11px;color:var(--t3)">Klik na karticu → puni dashboard člana</span>
+    </div>
+    <div id="cl-results"><div class="loading">Upišite ime za pretragu…</div></div>
+  `;
+  // initial: load nekoliko poznatih ID-ova kao primjer
+  if (!CLANOVI_LAST_QUERY) {
+    document.getElementById('cl-q').value = 'Mateo';
+    searchClanovi('Mateo');
+  }
+}
+
+let _searchTimer;
+function searchClanovi(q) {
+  clearTimeout(_searchTimer);
+  CLANOVI_LAST_QUERY = q;
+  if (!q || q.length < 2) {
+    $('#cl-results').innerHTML = '<div class="loading">Upišite ime za pretragu (min 2 slova)…</div>';
+    return;
+  }
+  _searchTimer = setTimeout(async () => {
+    const klub = $('#cl-klub-filter').value;
+    const params = new URLSearchParams({q, limit: 30});
+    if (klub) params.append('klub_id', klub);
+    try {
+      const data = await apiR('/clanovi/search?' + params);
+      $('#cnt-clanovi').textContent = data.count;
+      const cards = (data.rows || []).map(r => `
+        <div class="card" style="margin-bottom:8px;cursor:pointer" onclick="openClanPanel(${r.id})">
+          <div class="card-b" style="display:flex;align-items:center;gap:14px">
+            <div style="width:48px;height:48px;border-radius:50%;background:var(--bg3);overflow:hidden;display:flex;align-items:center;justify-content:center;flex-shrink:0;border:1px solid var(--rim)">
+              ${r.slika_url ? `<img src="${esc(r.slika_url)}" style="width:100%;height:100%;object-fit:cover" onerror="this.style.display='none'">` : `<span style="font-size:18px;font-weight:600;color:var(--t2)">${esc((r.ime||'?')[0]+(r.prezime||'?')[0])}</span>`}
+            </div>
+            <div style="flex:1">
+              <div style="font-weight:600">${esc(r.ime)} ${esc(r.prezime)}</div>
+              <div style="font-size:11px;color:var(--t3)">${esc(r.klub || '—')} · ${esc(r.pozicija || '—')}${r.broj_dresa ? ' · #'+r.broj_dresa : ''}</div>
+            </div>
+            <div><span class="tag bl">#${r.id}</span></div>
+          </div>
+        </div>`).join('');
+      $('#cl-results').innerHTML = `
+        <div style="color:var(--t3);font-size:12px;margin-bottom:8px">${data.count} rezultat${data.count==1?'':'a'}</div>
+        ${cards || '<div class="empty">Nema rezultata.</div>'}`;
+    } catch (e) { $('#cl-results').innerHTML = `<div class="empty">Greška: ${esc(e.message)}</div>`; }
+  }, 250);
+}
+
+window._OPEN_PANEL_CID = null;
+
+async function openClanPanel(cid) {
+  window._OPEN_PANEL_CID = cid;
+  loadClanPanel(cid);
+}
+
+function closeClanPanel() {
+  window._OPEN_PANEL_CID = null;
+  closeModal();
+}
+
+async function loadClanPanel(cid) {
+  let d, perms;
+  try {
+    d = await apiR('/clanovi/' + cid + '/full');
+    perms = await apiR('/clanovi/permissions?role=' + encodeURIComponent(CURRENT_ROLE));
+  } catch (e) { return toast('Greška: ' + e.message, true); }
+  const c = d.clan, k = d.klub || {};
+  const editable = perms.editable; // 'ALL' ili lista polja
+  const canEdit = (field) => editable === 'ALL' || (Array.isArray(editable) && editable.includes(field));
+  const canUploadAvatar = canEdit('slika_url');
+
+  const av = c.slika_url_full || c.slika_url || '';
+  const initials = ((c.ime||'?')[0]+(c.prezime||'?')[0]).toUpperCase();
+
+  // helper za render polja s edit/no-edit
+  const f = (key, label, val, type='text') => {
+    const ed = canEdit(key);
+    const safe = val == null || val === '' ? '—' : String(val);
+    return `
+      <div class="payment-row">
+        <div class="l">${esc(label)}${ed?'':' <span style="color:var(--t3);font-size:9px">🔒</span>'}</div>
+        <div class="v" style="display:flex;align-items:center;gap:6px">
+          <span id="fld-${key}-display" style="font-family:inherit">${esc(safe)}</span>
+          ${ed ? `<button class="btn sm" onclick="editFieldInline('${key}', '${esc(label)}', ${JSON.stringify(val||'').replace(/"/g,'&quot;')}, '${type}', ${cid})">✎</button>` : ''}
+        </div>
+      </div>`;
+  };
+
+  const kpiHtml = `
+    <div class="kpi-grid" style="margin-bottom:12px">
+      <div class="kpi b"><div class="kpi-l">Sezone</div><div class="kpi-v">${fmt(d.kpi.broj_sezona)}</div></div>
+      <div class="kpi g"><div class="kpi-l">Nastupi</div><div class="kpi-v">${fmt(d.kpi.nastupi_total)}</div></div>
+      <div class="kpi a"><div class="kpi-l">Pogoci</div><div class="kpi-v">${fmt(d.kpi.pogoci_total)}</div></div>
+      <div class="kpi r"><div class="kpi-l">Dug članarina</div><div class="kpi-v">${fmtEur(d.kpi.dug_clanarina_eur)}</div></div>
+      <div class="kpi ${d.kpi.lijecnicki_status==='vazeci'?'g':d.kpi.lijecnicki_status==='uskoro'?'a':'r'}"><div class="kpi-l">Liječnički</div><div class="kpi-v" style="font-size:14px">${esc(d.kpi.lijecnicki_status||'—')}</div><div class="kpi-s">${d.kpi.lijecnicki_dana_do_isteka != null ? d.kpi.lijecnicki_dana_do_isteka+' dana' : ''}</div></div>
+    </div>`;
+
+  const sectionPersonal = `
+    <div class="card-h" style="background:transparent;border:none;padding:6px 0;margin-top:6px"><div class="card-t">📋 Osobni podaci</div></div>
+    <div class="payment-card">
+      ${f('ime','Ime',c.ime)}
+      ${f('prezime','Prezime',c.prezime)}
+      ${f('oib','OIB',c.oib)}
+      ${f('datum_rodenja','Datum rođenja',c.datum_rodenja||c.datum_rodjenja,'date')}
+      ${f('mjesto_rodenja','Mjesto rođenja',c.mjesto_rodenja||c.mjesto_rodjenja)}
+      ${f('spol','Spol',c.spol)}
+    </div>`;
+
+  const sectionKontakt = `
+    <div class="card-h" style="background:transparent;border:none;padding:6px 0;margin-top:6px"><div class="card-t">📞 Kontakt</div></div>
+    <div class="payment-card">
+      ${f('email','E-mail',c.email)}
+      ${f('telefon','Telefon',c.telefon)}
+      ${f('adresa','Adresa',c.adresa)}
+      ${f('grad','Grad',c.grad)}
+      ${f('postanski_broj','Pošt. broj',c.postanski_broj)}
+    </div>`;
+
+  const sectionSport = `
+    <div class="card-h" style="background:transparent;border:none;padding:6px 0;margin-top:6px"><div class="card-t">⚽ Sport</div></div>
+    <div class="payment-card">
+      ${f('sport','Sport',c.sport)}
+      ${f('kategorija','Kategorija',c.kategorija)}
+      ${f('podkategorija','Podkategorija',c.podkategorija)}
+      ${f('pozicija','Pozicija',c.pozicija)}
+      ${f('dominantna_noga','Dominantna noga',c.dominantna_noga)}
+      ${f('visina_cm','Visina (cm)',c.visina_cm,'number')}
+      ${f('tezina_kg','Težina (kg)',c.tezina_kg,'number')}
+      ${f('broj_dresa','Broj dresa',c.broj_dresa,'number')}
+      ${f('uloga','Uloga',c.uloga)}
+      ${f('uloga_detalj','Uloga (detalj)',c.uloga_detalj)}
+    </div>`;
+
+  const sectionStatus = `
+    <div class="card-h" style="background:transparent;border:none;padding:6px 0;margin-top:6px"><div class="card-t">📊 Status</div></div>
+    <div class="payment-card">
+      ${f('aktivan','Aktivan',c.aktivan)}
+      ${f('datum_pristupa','Datum pristupa',c.datum_pristupa,'date')}
+      ${f('datum_napustanja','Datum napuštanja',c.datum_napustanja,'date')}
+      ${f('kategoriziran','Kategoriziran',c.kategoriziran)}
+      ${f('kategorija_hoo','HOO kategorija',c.kategorija_hoo,'number')}
+      ${f('reprezentativac','Reprezentativac',c.reprezentativac)}
+      ${f('reprezentacija_kategorija','Reprezentacija (kat.)',c.reprezentacija_kategorija)}
+      ${f('stipendiran','Stipendiran',c.stipendiran)}
+      ${f('stipendija_iznos','Stipendija (€)',c.stipendija_iznos,'number')}
+      ${f('licenca_broj','Licenca broj',c.licenca_broj)}
+      ${f('licenca_vrijedi_do','Licenca vrijedi do',c.licenca_vrijedi_do,'date')}
+      ${f('radno_pravni_status','Radno-pravni status',c.radno_pravni_status)}
+    </div>`;
+
+  const sectionKlub = `
+    <div class="card-h" style="background:transparent;border:none;padding:6px 0;margin-top:6px"><div class="card-t">⬢ Klub</div></div>
+    <div class="payment-card">
+      <div class="payment-row"><div class="l">Trenutni klub</div><div class="v">${esc(k.naziv || '—')}</div></div>
+      ${k.savez_naziv ? `<div class="payment-row"><div class="l">Savez</div><div class="v">${esc(k.savez_naziv)}</div></div>` : ''}
+      ${k.oib ? `<div class="payment-row"><div class="l">OIB kluba</div><div class="v">${esc(k.oib)}</div></div>` : ''}
+      ${k.iban ? `<div class="payment-row"><div class="l">IBAN</div><div class="v">${esc(k.iban)}</div></div>` : ''}
+    </div>
+    ${d.povijest_klubova && d.povijest_klubova.length ? `
+      <div style="margin-top:8px"><b>Povijest klubova (${d.povijest_klubova.length}):</b></div>
+      <table style="margin-top:6px"><thead><tr><th>Klub</th><th>Od</th><th>Do</th><th># sezona</th></tr></thead>
+        <tbody>${d.povijest_klubova.map(p=>`<tr><td>${esc(p.klub_naziv)}</td><td>${esc(p.od)}</td><td>${esc(p.do_)}</td><td>${p.broj_sezona}</td></tr>`).join('')}</tbody>
+      </table>` : ''}
+  `;
+
+  const tabSezone = `
+    <table><thead><tr><th>Sezona</th><th>Klub</th><th>Natjecanje</th><th>Nast.</th><th>Pog.</th><th>Asist.</th><th>Žuti</th><th>Crv.</th><th>Min.</th></tr></thead>
+      <tbody>${(d.sezone||[]).map(s=>`<tr><td><b>${esc(s.sezona)}</b></td><td>${esc(s.klub_naziv||'—')}</td><td>${esc(s.natjecanje||'—')}</td><td>${fmt(s.nastupi)}</td><td>${fmt(s.pogoci)}</td><td>${fmt(s.asistencije)}</td><td>${fmt(s.zuti_kartoni)}</td><td>${fmt(s.crveni_kartoni)}</td><td>${fmt(s.minute_total)}</td></tr>`).join('') || '<tr><td colspan="9" class="empty">Nema podataka.</td></tr>'}</tbody>
+    </table>`;
+
+  const tabUtakmice = `
+    <table><thead><tr><th>Datum</th><th>Domaćin</th><th>Gost</th><th>Rezultat</th><th>Natj.</th><th>Pog.</th><th>Min.</th><th></th></tr></thead>
+      <tbody>${(d.utakmice_zadnje20||[]).map(u=>`<tr><td>${fmtDate(u.datum)}</td><td>${esc(u.domacin||'—')}</td><td>${esc(u.gost||'—')}</td><td><b>${esc(u.rezultat||'—')}</b></td><td>${esc(u.natjecanje||'—')}</td><td>${fmt(u.pogoci)}</td><td>${fmt(u.minute)}</td><td>${u.utakmica_url?`<a class="btn sm" href="${esc(u.utakmica_url)}" target="_blank">↗</a>`:''}</td></tr>`).join('') || '<tr><td colspan="8" class="empty">Nema utakmica.</td></tr>'}</tbody>
+    </table>`;
+
+  const tabLij = `
+    <table><thead><tr><th>Datum</th><th>Vrijedi do</th><th>Status</th><th>Vrsta</th><th>Ustanova</th><th>Liječnik</th><th>Plaćeno</th></tr></thead>
+      <tbody>${(d.lijecnicki||[]).map(l=>`<tr><td>${fmtDate(l.datum_pregleda)}</td><td>${fmtDate(l.vrijedi_do)}</td><td><span class="tag ${({vazeci:'gr',uskoro:'am',istekao:'rd'})[l.status_calc]||'gy'}">${esc(l.status_calc)} (${l.dana_do_isteka}d)</span></td><td>${esc(l.vrsta_pregleda||'—')}</td><td>${esc(l.ustanova||'—')}</td><td>${esc(l.lijecnik||'—')}</td><td>${l.placeno?'<span class="tag gr">DA</span>':'<span class="tag rd">NE</span>'}</td></tr>`).join('') || '<tr><td colspan="7" class="empty">Nema pregleda.</td></tr>'}</tbody>
+    </table>`;
+
+  const tabClanarine = `
+    <table><thead><tr><th>God.</th><th>Razdoblje</th><th>Propisan</th><th>Plaćeno</th><th>Dug</th><th>Status</th><th>Datum upl.</th><th></th></tr></thead>
+      <tbody>${(d.clanarine||[]).map(cl=>`<tr><td>${esc(cl.godina)}</td><td>${esc(cl.razdoblje||'—')}</td><td>${fmtEur(cl.iznos_propisan)}</td><td>${fmtEur(cl.iznos_placen)}</td><td><b style="color:${cl.dug>0?'var(--err)':'var(--ok)'}">${fmtEur(cl.dug)}</b></td><td><span class="tag ${statusTag(cl.status)}">${esc(cl.status)}</span></td><td>${fmtDate(cl.datum_uplate)}</td><td><a class="btn sm" href="${API}/clanarine/${cl.id}/uplatnica.pdf" target="_blank">📄</a></td></tr>`).join('') || '<tr><td colspan="8" class="empty">Nema članarina.</td></tr>'}</tbody>
+    </table>`;
+
+  const tabDokumenti = `
+    <table><thead><tr><th>God.</th><th>Naslov</th><th>Vrsta</th><th>Snippet</th><th></th></tr></thead>
+      <tbody>${(d.dokumenti||[]).map(dk=>`<tr><td>${esc(dk.godina)}</td><td><b>${esc(dk.title||'—')}</b></td><td>${esc(dk.vrsta||'—')}</td><td style="font-size:11px;color:var(--t3);max-width:280px">${esc((dk.snippet||'').substring(0,140))}</td><td>${dk.pdf_url?`<a class="btn sm" href="${esc(dk.pdf_url)}" target="_blank">📄</a>`:dk.url?`<a class="btn sm" href="${esc(dk.url)}" target="_blank">↗</a>`:''}</td></tr>`).join('') || '<tr><td colspan="5" class="empty">Nema dokumenata.</td></tr>'}</tbody>
+    </table>`;
+
+  const tabObrasci = `
+    <table><thead><tr><th>Obrazac</th><th>Ref.</th><th>Status</th><th>Predano</th><th></th></tr></thead>
+      <tbody>${(d.obrasci||[]).map(o=>`<tr><td><b>${esc(o.template_naziv||o.template_code)}</b></td><td><code style="font-size:10px">${esc(o.reference_no||'')}</code></td><td><span class="tag ${({draft:'gy',submitted:'am',approved:'gr',rejected:'rd'})[o.status]||'gy'}">${esc(o.status)}</span></td><td>${fmtDate(o.submitted_at||o.created_at)}</td><td><a class="btn sm" href="${API}/forms/submissions/${o.id}/pdf" target="_blank">📄</a></td></tr>`).join('') || '<tr><td colspan="5" class="empty">Nema obrazaca.</td></tr>'}</tbody>
+    </table>`;
+
+  const tabNagrade = (d.nagrade && d.nagrade.length) ? `
+    <table><thead><tr><th>Godina</th><th>Natjecanje</th><th>Razina</th><th>Disciplina</th><th>Plasman</th><th>Klub</th></tr></thead>
+      <tbody>${d.nagrade.map(n=>`<tr><td>${esc(n.godina)}</td><td>${esc(n.natjecanje||'—')}</td><td>${esc(n.razina_natjecanja||'—')}</td><td>${esc(n.disciplina||'—')}</td><td><b>${n.plasman||'—'}</b></td><td>${esc(n.klub_naziv||'—')}</td></tr>`).join('')}</tbody>
+    </table>` : '';
+
+  // Modal — širi nego standardno
+  $('#modal').style.maxWidth = '1100px';
+  openModal(`
+    <div class="modal-h">
+      <div class="modal-t">👤 ${esc(c.ime)} ${esc(c.prezime)} <span style="color:var(--t3);font-size:11px;font-weight:400">#${cid} · ${esc(CURRENT_ROLE)} (${editable === 'ALL' ? 'full edit' : Array.isArray(editable) ? editable.length+' edit polja' : 'no edit'})</span></div>
+      <div class="modal-x" onclick="closeClanPanel()">×</div>
+    </div>
+    <div class="modal-b">
+      <div style="display:grid;grid-template-columns:140px 1fr;gap:18px;margin-bottom:14px">
+        <div style="text-align:center">
+          <div id="avatar-display" style="width:140px;height:140px;border-radius:8px;background:var(--bg3);border:1px solid var(--rim);display:flex;align-items:center;justify-content:center;overflow:hidden">
+            ${av ? `<img src="${esc(av)}?_=${Date.now()}" style="width:100%;height:100%;object-fit:cover">` : `<span style="font-size:48px;font-weight:700;color:var(--t2)">${esc(initials)}</span>`}
+          </div>
+          ${canUploadAvatar ? `
+            <input type="file" id="avatar-file" accept="image/*" style="display:none" onchange="uploadAvatar(${cid})">
+            <button class="btn primary sm" style="margin-top:8px;width:100%" onclick="document.getElementById('avatar-file').click()">📷 Upload</button>
+          ` : `<div style="font-size:10px;color:var(--t3);margin-top:6px">🔒 Bez dozvole</div>`}
+        </div>
+        <div>
+          ${kpiHtml}
+          <div style="font-size:12px;color:var(--t3)">Dob: <b style="color:var(--t1)">${c.dob_calc != null ? c.dob_calc + ' god.' : '—'}</b> · Slika: <code style="font-size:10px">${esc(c.slika_url || '—').substring(0,60)}</code></div>
+        </div>
+      </div>
+
+      <div class="cp-tabs" style="display:flex;gap:0;border-bottom:1px solid var(--rim);margin-bottom:12px;flex-wrap:wrap">
+        <div class="cp-tab active" onclick="cpTab('osobni')" data-cpt="osobni" style="padding:10px 14px;cursor:pointer;border-bottom:2px solid var(--pgz-blue);font-weight:600">Osobni</div>
+        <div class="cp-tab" onclick="cpTab('sezone')" data-cpt="sezone" style="padding:10px 14px;cursor:pointer;color:var(--t2)">Sezone (${d.sezone.length})</div>
+        <div class="cp-tab" onclick="cpTab('utakmice')" data-cpt="utakmice" style="padding:10px 14px;cursor:pointer;color:var(--t2)">Utakmice (${d.utakmice_zadnje20.length})</div>
+        <div class="cp-tab" onclick="cpTab('lij')" data-cpt="lij" style="padding:10px 14px;cursor:pointer;color:var(--t2)">Liječnički (${d.lijecnicki.length})</div>
+        <div class="cp-tab" onclick="cpTab('clanarine')" data-cpt="clanarine" style="padding:10px 14px;cursor:pointer;color:var(--t2)">Članarine (${d.clanarine.length})</div>
+        <div class="cp-tab" onclick="cpTab('dokumenti')" data-cpt="dokumenti" style="padding:10px 14px;cursor:pointer;color:var(--t2)">Dokumenti (${d.dokumenti.length})</div>
+        <div class="cp-tab" onclick="cpTab('obrasci')" data-cpt="obrasci" style="padding:10px 14px;cursor:pointer;color:var(--t2)">Obrasci (${d.obrasci.length})</div>
+        ${tabNagrade ? `<div class="cp-tab" onclick="cpTab('nagrade')" data-cpt="nagrade" style="padding:10px 14px;cursor:pointer;color:var(--t2)">Nagrade (${d.nagrade.length})</div>` : ''}
+      </div>
+
+      <div id="cp-osobni" class="cp-page">
+        ${sectionPersonal}
+        ${sectionKontakt}
+        ${sectionSport}
+        ${sectionStatus}
+        ${sectionKlub}
+        <div class="card-h" style="background:transparent;border:none;padding:6px 0;margin-top:6px"><div class="card-t">📝 Napomena</div></div>
+        <div class="payment-card">${f('napomena','Napomena',c.napomena)}</div>
+        <div class="card-h" style="background:transparent;border:none;padding:6px 0;margin-top:6px"><div class="card-t">📖 Biografija</div></div>
+        <div class="payment-card">${f('biografija','Biografija',c.biografija,'textarea')}</div>
+      </div>
+      <div id="cp-sezone" class="cp-page" style="display:none">${tabSezone}</div>
+      <div id="cp-utakmice" class="cp-page" style="display:none">${tabUtakmice}</div>
+      <div id="cp-lij" class="cp-page" style="display:none">${tabLij}</div>
+      <div id="cp-clanarine" class="cp-page" style="display:none">${tabClanarine}</div>
+      <div id="cp-dokumenti" class="cp-page" style="display:none">${tabDokumenti}</div>
+      <div id="cp-obrasci" class="cp-page" style="display:none">${tabObrasci}</div>
+      ${tabNagrade ? `<div id="cp-nagrade" class="cp-page" style="display:none">${tabNagrade}</div>` : ''}
+    </div>
+  `);
+}
+
+function cpTab(name) {
+  $$('.cp-tab').forEach(t => {
+    const active = t.dataset.cpt === name;
+    t.style.borderBottom = active ? '2px solid var(--pgz-blue)' : '';
+    t.style.color = active ? 'var(--t1)' : 'var(--t2)';
+    t.style.fontWeight = active ? '600' : '500';
+    t.classList.toggle('active', active);
+  });
+  $$('.cp-page').forEach(p => p.style.display = (p.id === 'cp-' + name) ? 'block' : 'none');
+}
+
+function editFieldInline(key, label, currentVal, type, cid) {
+  const inputType = type === 'date' ? 'date' : type === 'number' ? 'number' : 'text';
+  const isTextarea = type === 'textarea';
+  const isBool = typeof currentVal === 'boolean';
+  let inputHtml;
+  if (isBool) {
+    inputHtml = `<select id="ef-input"><option value="true" ${currentVal===true?'selected':''}>true</option><option value="false" ${currentVal===false?'selected':''}>false</option></select>`;
+  } else if (isTextarea) {
+    inputHtml = `<textarea id="ef-input" style="width:100%;min-height:80px">${esc(currentVal||'')}</textarea>`;
+  } else {
+    inputHtml = `<input id="ef-input" type="${inputType}" value="${esc(currentVal||'')}" style="width:100%">`;
+  }
+  const promptHtml = `
+    <div class="modal-h">
+      <div class="modal-t">✎ ${esc(label)}</div>
+      <div class="modal-x" onclick="closeModal();loadClanPanel(${cid})">×</div>
+    </div>
+    <div class="modal-b">
+      <div class="field"><label>${esc(label)} (${esc(key)})</label>${inputHtml}</div>
+      <div style="text-align:right;margin-top:14px">
+        <button class="btn" onclick="closeModal();loadClanPanel(${cid})">Odustani</button>
+        <button class="btn primary" onclick="saveField('${key}', ${cid}, ${isBool}, ${isTextarea ? 'false' : type==='number'?'true':'false'})">💾 Spremi</button>
+      </div>
+    </div>`;
+  $('#modal').style.maxWidth = '500px';
+  openModal(promptHtml);
+  setTimeout(() => $('#ef-input')?.focus(), 50);
+}
+
+async function saveField(key, cid, isBool, isNumber) {
+  const el = $('#ef-input');
+  let val = el.value;
+  if (isBool) val = val === 'true';
+  else if (isNumber) val = val === '' ? null : Number(val);
+  else if (val === '') val = null;
+  try {
+    const r = await apiR('/clanovi/' + cid, {method:'PUT', body: {[key]: val}});
+    if (r.rejected_fields && r.rejected_fields.includes(key)) {
+      toast(`Polje "${key}" odbijeno za rolu ${CURRENT_ROLE}`, true);
+    } else {
+      toast(`✓ Polje ${key} spremljeno (rola ${CURRENT_ROLE})`);
+    }
+    closeModal();
+    $('#modal').style.maxWidth = '1100px';
+    loadClanPanel(cid);
+  } catch (e) { toast('Greška: ' + e.message, true); }
+}
+
+async function uploadAvatar(cid) {
+  const inp = $('#avatar-file');
+  if (!inp.files || !inp.files[0]) return;
+  const fd = new FormData();
+  fd.append('file', inp.files[0]);
+  try {
+    const r = await fetch(API + '/clanovi/' + cid + '/avatar', {
+      method: 'POST',
+      headers: {'X-Role': CURRENT_ROLE},
+      body: fd,
+    });
+    if (!r.ok) throw new Error(`HTTP ${r.status}: ${await r.text()}`);
+    const d = await r.json();
+    toast(`✓ Avatar uploaded: ${d.size_bytes} bytes`);
+    loadClanPanel(cid);
+  } catch (e) { toast('Greška upload-a: ' + e.message, true); }
+}
+
+// ────────────────────────────────────────────────────
+// init
+// ────────────────────────────────────────────────────
+// postavi role iz localStorage u dropdown
+const _roleSel = document.getElementById('g-role');
+if (_roleSel) _roleSel.value = CURRENT_ROLE;
+
+loadClanovi();
+// preload counts za sve tabove
+(async () => {
+  try {
+    const cl = await api('/clanarine?limit=1');
+    $('#cnt-clanarine').textContent = cl.summary?.total ?? '?';
+    const lj = await api('/lijecnicki?limit=1');
+    $('#cnt-lijecnicki').textContent = lj.summary?.total ?? '?';
+    const fm = await api('/forms');
+    $('#cnt-obrasci').textContent = fm.count;
+  } catch (e) {}
+})();
+</script>
+
+</body>
+</html>
diff --git a/_backups/erp.html.cc3_pre_unified_sidebar.1777935999 b/_backups/erp.html.cc3_pre_unified_sidebar.1777935999
new file mode 100644
index 0000000..2854151
--- /dev/null
+++ b/_backups/erp.html.cc3_pre_unified_sidebar.1777935999
@@ -0,0 +1,848 @@
+<!DOCTYPE html>
+<html lang="hr">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width,initial-scale=1">
+<title>PGŽ Sport · ERP — OCR + Putni nalozi</title>
+<!--
+  erp.html — PGŽ Sport ERP UI (M5 OCR + M6 Putni nalozi)
+  Author: dradulic@outlook.com / damir@rinet.one — 2026-05-04
+  Real backend: /api/erp/ocr/upload, /parse, /invoices, /putni-nalog
+-->
+<link rel="icon" href="data:image/svg+xml,<svg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 32 32'><rect width='32' height='32' rx='6' fill='%2306080d'/><text x='16' y='23' text-anchor='middle' font-size='18' font-family='monospace' fill='%2300f0ff'>€</text></svg>">
+<link href="https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600;700&family=JetBrains+Mono:wght@400;500;600&display=swap" rel="stylesheet">
+<style>
+:root {
+  --bg:#06080d; --bg-2:#0d1117; --bg-3:#161b22; --border:#1f2937;
+  --text:#e6edf3; --text-2:#8b949e; --text-3:#6e7681;
+  --accent:#00f0ff; --green:#56d364; --yellow:#d29922; --red:#f85149; --purple:#bc8cff;
+}
+* { margin:0; padding:0; box-sizing:border-box; }
+body { font-family:'Inter',system-ui,sans-serif; background:var(--bg); color:var(--text); min-height:100vh; font-size:14px; }
+.app { display:grid; grid-template-columns:230px 1fr; min-height:100vh; }
+.sidebar { background:var(--bg-2); border-right:1px solid var(--border); padding:20px 0; }
+.brand { padding:0 20px 18px; border-bottom:1px solid var(--border); margin-bottom:10px; }
+.brand h1 { font-size:16px; font-weight:700; color:var(--accent); font-family:'JetBrains Mono',monospace; }
+.brand .sub { font-size:11px; color:var(--text-3); margin-top:2px; }
+.nav-item { display:flex; gap:10px; padding:10px 20px; cursor:pointer; color:var(--text-2); font-size:13px; border-left:3px solid transparent; align-items:center; }
+.nav-item:hover { background:var(--bg-3); color:var(--text); }
+.nav-item.active { color:var(--accent); background:rgba(0,240,255,.05); border-left-color:var(--accent); }
+.main { padding:24px 30px; overflow-y:auto; }
+.header { display:flex; justify-content:space-between; padding-bottom:14px; border-bottom:1px solid var(--border); margin-bottom:18px; align-items:center; }
+.header h2 { font-size:22px; font-weight:700; }
+.header .meta { color:var(--text-3); font-size:12px; font-family:'JetBrains Mono',monospace; }
+.section { background:var(--bg-2); border:1px solid var(--border); border-radius:8px; padding:18px; margin-bottom:16px; }
+.section h3 { font-size:14px; font-weight:600; color:var(--accent); margin-bottom:12px; }
+table { width:100%; border-collapse:collapse; font-size:13px; }
+th { text-align:left; padding:8px 10px; color:var(--text-3); font-size:11px; text-transform:uppercase; letter-spacing:.5px; border-bottom:1px solid var(--border); }
+td { padding:10px; border-bottom:1px solid var(--border); }
+td.num { font-family:'JetBrains Mono',monospace; text-align:right; }
+tr:hover { background:var(--bg-3); }
+.badge { display:inline-block; padding:2px 8px; border-radius:4px; font-size:11px; font-weight:600; }
+.badge.green { background:rgba(86,211,100,.15); color:var(--green); }
+.badge.yellow { background:rgba(210,153,34,.15); color:var(--yellow); }
+.badge.red { background:rgba(248,81,73,.15); color:var(--red); }
+.badge.gray { background:rgba(110,118,129,.15); color:var(--text-3); }
+input.fld, select.fld { width:100%; background:var(--bg); border:1px solid var(--border); padding:8px 10px; border-radius:4px; color:var(--text); font-family:inherit; font-size:13px; }
+input.fld:focus, select.fld:focus { outline:none; border-color:var(--accent); }
+label.lbl { font-size:11px; color:var(--text-3); display:block; margin-bottom:4px; text-transform:uppercase; letter-spacing:.5px; }
+.btn { padding:9px 18px; background:var(--accent); color:var(--bg); border:0; border-radius:4px; cursor:pointer; font-weight:600; font-family:inherit; font-size:13px; }
+.btn.sec { background:var(--bg-3); color:var(--text); border:1px solid var(--border); }
+.tab { display:none; }
+.tab.active { display:block; }
+.grid2 { display:grid; grid-template-columns:1fr 1fr; gap:10px; }
+.grid3 { display:grid; grid-template-columns:1fr 1fr 1fr; gap:10px; }
+.grid4 { display:grid; grid-template-columns:repeat(4,1fr); gap:14px; }
+tr.clickable { cursor:pointer; }
+tr.clickable:hover { background:var(--bg-3); box-shadow:inset 3px 0 0 var(--accent); }
+.modal-bg { position:fixed; inset:0; background:rgba(0,0,0,.6); z-index:100; display:none; align-items:flex-start; justify-content:center; padding:30px; overflow-y:auto; }
+.modal-bg.show { display:flex; }
+.modal { background:var(--bg-2); border:1px solid var(--border); border-radius:10px; max-width:1100px; width:100%; padding:0; box-shadow:0 12px 48px rgba(0,0,0,.6); }
+.modal-h { display:flex; justify-content:space-between; align-items:center; padding:16px 22px; border-bottom:1px solid var(--border); }
+.modal-h h3 { color:var(--accent); font-size:16px; }
+.modal-h .x { background:transparent; border:0; color:var(--text-2); font-size:22px; cursor:pointer; }
+.modal-h .x:hover { color:var(--red); }
+.modal-body { padding:18px 22px; max-height:80vh; overflow-y:auto; }
+.col2 { display:grid; grid-template-columns:1fr 1fr; gap:18px; }
+.kv { display:grid; grid-template-columns:140px 1fr; gap:6px 12px; font-size:13px; }
+.kv > div:nth-child(odd) { color:var(--text-3); font-size:11px; text-transform:uppercase; letter-spacing:.5px; align-self:center; }
+.kv > div:nth-child(even) { font-family:'JetBrains Mono',monospace; }
+.preview-img { max-width:100%; max-height:480px; border:1px solid var(--border); border-radius:6px; background:var(--bg); }
+.audit-row { display:grid; grid-template-columns:140px 110px 130px 1fr; gap:8px; padding:6px 0; border-bottom:1px dashed var(--border); font-size:12px; }
+.audit-row:last-child { border-bottom:0; }
+.audit-row .ts { color:var(--text-3); font-family:'JetBrains Mono',monospace; font-size:11px; }
+.audit-row .op { color:var(--accent); font-weight:600; }
+.audit-row .who { color:var(--text-2); }
+.btn.green { background:var(--green); color:var(--bg); }
+.btn.red { background:var(--red); color:#fff; }
+.btn.yellow { background:var(--yellow); color:var(--bg); }
+.actions-row { display:flex; flex-wrap:wrap; gap:8px; margin-top:14px; padding-top:14px; border-top:1px solid var(--border); }
+@media(max-width:768px) { .app { grid-template-columns:1fr; } .sidebar { display:none; } .grid2,.grid3 { grid-template-columns:1fr; } .col2 { grid-template-columns:1fr; } .audit-row { grid-template-columns:1fr; } }
+</style>
+</head>
+<body>
+<div class="app">
+  <aside class="sidebar">
+    <div class="brand"><h1>PGŽ ERP</h1><div class="sub">M5 OCR + M6 Putni nalozi</div></div>
+    <div class="nav-item active" data-tab="ocr"><span>📷</span><span>Skeniraj račun</span></div>
+    <div class="nav-item" data-tab="invoices"><span>€</span><span>Računi</span></div>
+    <div class="nav-item" data-tab="putni"><span>🚗</span><span>Novi putni nalog</span></div>
+    <div class="nav-item" data-tab="putni-list"><span>📋</span><span>Lista putnih naloga</span></div>
+  </aside>
+  <main class="main">
+    <div class="header">
+      <h2 id="pageTitle">Skeniraj račun (OCR)</h2>
+      <span class="meta" id="metaInfo">Tesseract + Ri.NET AI Engine · /api/erp</span>
+    </div>
+
+    <!-- OCR -->
+    <div class="tab active" id="tab-ocr">
+      <div class="section">
+        <h3>📷 Drag-and-drop OCR (PDF / JPG / PNG)</h3>
+        <div id="ocrDrop" style="border:2px dashed var(--border);border-radius:8px;padding:34px;text-align:center;cursor:pointer;background:var(--bg-3)">
+          <div style="font-size:36px;color:var(--accent);margin-bottom:6px">⤓</div>
+          <div style="font-size:14px;font-weight:600">Povuci datoteku ovdje ili klikni za odabir</div>
+          <div style="font-size:11px;color:var(--text-3);margin-top:6px">Tesseract OCR (hrv+eng) + Ri.NET AI Engine LLM ekstrakcija polja</div>
+          <input id="ocrFile" type="file" accept=".pdf,.jpg,.jpeg,.png,.tif,.tiff,.webp" style="display:none">
+        </div>
+        <div id="ocrStatus" style="margin-top:10px;font-size:12px;color:var(--text-2);min-height:18px"></div>
+
+        <div id="ocrResult" style="display:none;margin-top:14px;padding:14px;background:var(--bg-3);border-radius:6px;border:1px solid var(--border)">
+          <div class="grid2" style="font-size:13px">
+            <div><label class="lbl">Izdavatelj</label><input id="oc_vendor_name" class="fld"></div>
+            <div><label class="lbl">OIB izdavatelja</label><input id="oc_vendor_oib" class="fld"></div>
+            <div><label class="lbl">Broj računa</label><input id="oc_invoice_no" class="fld"></div>
+            <div><label class="lbl">Datum</label><input id="oc_invoice_date" type="date" class="fld"></div>
+            <div><label class="lbl">Iznos neto (€)</label><input id="oc_amount_net" type="number" step="0.01" class="fld"></div>
+            <div><label class="lbl">PDV (€)</label><input id="oc_amount_vat" type="number" step="0.01" class="fld"></div>
+            <div><label class="lbl" style="color:var(--accent)">Brutto / UKUPNO (€)</label><input id="oc_amount_gross" type="number" step="0.01" class="fld" style="border-color:var(--accent)"></div>
+            <div><label class="lbl">Stopa PDV (%)</label><input id="oc_vat_rate" type="number" step="0.01" class="fld"></div>
+            <div><label class="lbl">IBAN</label><input id="oc_iban" class="fld"></div>
+            <div><label class="lbl">Valuta</label><select id="oc_currency" class="fld"><option>EUR</option><option>HRK</option></select></div>
+            <div><label class="lbl">Vrsta troška</label>
+              <select id="oc_kind" class="fld">
+                <option value="gorivo">Gorivo</option><option value="cestarina">Cestarina</option>
+                <option value="hotel">Hotel</option><option value="restoran">Restoran</option>
+                <option value="oprema">Oprema</option><option value="ostalo" selected>Ostalo</option>
+              </select>
+            </div>
+            <div><label class="lbl">Klub</label><select id="oc_klub" class="fld"></select></div>
+          </div>
+          <div style="margin-top:10px"><label class="lbl">Opis</label><input id="oc_description" class="fld"></div>
+          <details style="margin-top:10px"><summary style="cursor:pointer;font-size:12px;color:var(--text-3)">Sirovi OCR tekst (preview)</summary>
+            <pre id="oc_raw" style="font-size:11px;background:var(--bg);padding:10px;border-radius:4px;margin-top:6px;max-height:200px;overflow:auto;white-space:pre-wrap"></pre>
+          </details>
+          <div style="margin-top:14px;display:flex;gap:8px;align-items:center">
+            <button id="ocSave" class="btn">💾 Spremi račun</button>
+            <button id="ocCancel" class="btn sec">Odustani</button>
+            <span id="ocSaveStatus" style="font-size:12px;color:var(--text-3)"></span>
+          </div>
+        </div>
+      </div>
+    </div>
+
+    <!-- Invoices list -->
+    <div class="tab" id="tab-invoices">
+      <div class="section">
+        <h3>Računi (svi klubovi)</h3>
+        <table id="invTable"><thead><tr><th>#</th><th>Vrsta</th><th>Broj</th><th>Dobavljač</th><th>OIB</th><th>Klub</th><th class="num">Brutto</th><th>Status</th><th>Datum</th></tr></thead><tbody></tbody></table>
+      </div>
+    </div>
+
+    <!-- Putni nalog form -->
+    <div class="tab" id="tab-putni">
+      <div class="section">
+        <h3>🚗 Novi putni nalog (HR pravilnik 2025)</h3>
+        <div class="grid3" style="font-size:13px">
+          <div><label class="lbl">Klub</label><select id="pn_klub" class="fld"></select></div>
+          <div><label class="lbl">Voditelj</label><input id="pn_voditelj" class="fld" placeholder="Ime Prezime"></div>
+          <div><label class="lbl">Putnici (zarez)</label><input id="pn_putnici" class="fld"></div>
+          <div style="grid-column:span 3"><label class="lbl">Svrha putovanja</label><input id="pn_svrha" class="fld" placeholder="Natjecanje, treninzi, edukacija…"></div>
+          <div><label class="lbl">Od grada</label><input id="pn_od" class="fld" value="Rijeka"></div>
+          <div><label class="lbl">Do grada</label><input id="pn_do" class="fld"></div>
+          <div><label class="lbl">Zemlja</label><input id="pn_country" class="fld" value="Hrvatska"></div>
+          <div><label class="lbl">Polazak</label><input id="pn_from" type="datetime-local" class="fld"></div>
+          <div><label class="lbl">Povratak</label><input id="pn_to" type="datetime-local" class="fld"></div>
+          <div><label class="lbl">Tip vozila</label>
+            <select id="pn_vehicle" class="fld">
+              <option>vlastiti automobil</option><option>službeno vozilo</option><option>kombi</option><option>autobus</option><option>vlak</option><option>avion</option>
+            </select>
+          </div>
+          <div><label class="lbl">Registracija</label><input id="pn_plate" class="fld"></div>
+          <div><label class="lbl">Kilometara</label><input id="pn_km" type="number" step="1" class="fld" value="0"></div>
+          <div><label class="lbl">€/km</label><input id="pn_kmrate" type="number" step="0.01" class="fld" value="0.50"></div>
+        </div>
+        <div id="pn_preview" style="margin-top:14px;padding:12px;background:var(--bg-3);border-radius:6px;border:1px solid var(--border);font-size:13px;color:var(--text-2)">
+          Unesi datume za live obračun dnevnica…
+        </div>
+        <div style="margin-top:12px;display:flex;gap:8px;align-items:center">
+          <button id="pnSave" class="btn">📝 Kreiraj putni nalog</button>
+          <span id="pnSaveStatus" style="font-size:12px;color:var(--text-3)"></span>
+        </div>
+        <p style="margin-top:14px;font-size:11px;color:var(--text-3);line-height:1.6">
+          <b>HR pravilnik 2025:</b> domaće 26.54 € (>8h), 13.27 € (5–8h), 0 € (&lt;5h). Inozemne dnevnice po zemlji
+          (Italija/Austrija 35 €, Slovenija/Mađarska/BiH/Srbija 30 €). Kilometrina vlastitim automobilom 0.50 €/km.
+        </p>
+      </div>
+    </div>
+
+    <!-- Putni nalozi list -->
+    <div class="tab" id="tab-putni-list">
+      <div class="section">
+        <h3>Lista putnih naloga</h3>
+        <table id="pnTable"><thead><tr><th>#</th><th>Klub</th><th>Destinacija</th><th>Polazak</th><th>Povratak</th><th class="num">Dnevnice</th><th class="num">Transport</th><th class="num">Total</th><th>Status</th></tr></thead><tbody></tbody></table>
+      </div>
+    </div>
+
+  </main>
+</div>
+
+<!-- ============ INVOICE DETAIL MODAL (M5.5) ============ -->
+<div id="invModal" class="modal-bg" onclick="if(event.target===this)closeModal('invModal')">
+  <div class="modal">
+    <div class="modal-h">
+      <h3 id="invModalTitle">Račun</h3>
+      <button class="x" onclick="closeModal('invModal')">×</button>
+    </div>
+    <div class="modal-body">
+      <div class="col2">
+        <div>
+          <h4 style="font-size:12px;color:var(--text-3);text-transform:uppercase;letter-spacing:.5px;margin-bottom:8px">Skenirana datoteka</h4>
+          <div id="inv_preview" style="text-align:center"></div>
+        </div>
+        <div>
+          <h4 style="font-size:12px;color:var(--text-3);text-transform:uppercase;letter-spacing:.5px;margin-bottom:8px">Podaci računa</h4>
+          <div class="kv" id="inv_kv"></div>
+          <div id="inv_status_block" style="margin-top:14px;padding:12px;background:var(--bg-3);border-radius:6px;border:1px solid var(--border)"></div>
+        </div>
+      </div>
+      <div class="actions-row" id="inv_actions"></div>
+      <div style="margin-top:18px">
+        <h4 style="font-size:12px;color:var(--text-3);text-transform:uppercase;letter-spacing:.5px;margin-bottom:8px">Audit log</h4>
+        <div id="inv_audit"></div>
+      </div>
+    </div>
+  </div>
+</div>
+
+<!-- ============ PAY INVOICE MODAL (M5.5) ============ -->
+<div id="payModal" class="modal-bg" onclick="if(event.target===this)closeModal('payModal')">
+  <div class="modal" style="max-width:560px">
+    <div class="modal-h">
+      <h3>💰 Označi kao plaćen</h3>
+      <button class="x" onclick="closeModal('payModal')">×</button>
+    </div>
+    <div class="modal-body">
+      <div class="grid2" style="gap:12px">
+        <div><label class="lbl">IBAN primatelja</label><input id="pay_iban_to" class="fld" placeholder="HRxxxxxxxxxxxxxxxxxxx"></div>
+        <div><label class="lbl">IBAN platitelja</label><input id="pay_iban_from" class="fld" placeholder="HRxxxxxxxxxxxxxxxxxxx"></div>
+        <div><label class="lbl">Datum uplate</label><input id="pay_date" type="date" class="fld"></div>
+        <div><label class="lbl">Iznos (€)</label><input id="pay_amount" type="number" step="0.01" class="fld"></div>
+        <div><label class="lbl">Poziv na broj / referenca</label><input id="pay_ref" class="fld" placeholder="HR00 12345-67890"></div>
+        <div><label class="lbl">Tx ID (banka)</label><input id="pay_tx" class="fld"></div>
+      </div>
+      <div class="actions-row">
+        <button class="btn green" id="payConfirm">✓ Potvrdi plaćanje</button>
+        <button class="btn sec" onclick="closeModal('payModal')">Odustani</button>
+        <span id="payStatus" style="font-size:12px;color:var(--text-3);align-self:center"></span>
+      </div>
+    </div>
+  </div>
+</div>
+
+<!-- ============ COMMENT MODAL (M5.5) ============ -->
+<div id="commentModal" class="modal-bg" onclick="if(event.target===this)closeModal('commentModal')">
+  <div class="modal" style="max-width:520px">
+    <div class="modal-h">
+      <h3>💬 Komentar (savez/admin)</h3>
+      <button class="x" onclick="closeModal('commentModal')">×</button>
+    </div>
+    <div class="modal-body">
+      <textarea id="commentText" class="fld" rows="5" style="resize:vertical;font-family:inherit"></textarea>
+      <div class="actions-row">
+        <button class="btn" id="commentSave">Spremi komentar</button>
+        <button class="btn sec" onclick="closeModal('commentModal')">Odustani</button>
+        <span id="commentStatus" style="font-size:12px;color:var(--text-3);align-self:center"></span>
+      </div>
+    </div>
+  </div>
+</div>
+
+<!-- ============ PUTNI NALOG DETAIL MODAL (M6.3) ============ -->
+<div id="pnModal" class="modal-bg" onclick="if(event.target===this)closeModal('pnModal')">
+  <div class="modal">
+    <div class="modal-h">
+      <h3 id="pnModalTitle">Putni nalog</h3>
+      <button class="x" onclick="closeModal('pnModal')">×</button>
+    </div>
+    <div class="modal-body">
+      <div class="col2">
+        <div>
+          <h4 style="font-size:12px;color:var(--text-3);text-transform:uppercase;letter-spacing:.5px;margin-bottom:8px">Voditelj + putnici, ruta, vozilo</h4>
+          <div class="kv" id="pn_kv"></div>
+        </div>
+        <div>
+          <h4 style="font-size:12px;color:var(--text-3);text-transform:uppercase;letter-spacing:.5px;margin-bottom:8px">Obračun (HR pravilnik 2025)</h4>
+          <div class="kv" id="pn_obracun"></div>
+          <div id="pn_status_block" style="margin-top:14px;padding:12px;background:var(--bg-3);border-radius:6px;border:1px solid var(--border)"></div>
+        </div>
+      </div>
+      <div style="margin-top:18px">
+        <h4 style="font-size:12px;color:var(--text-3);text-transform:uppercase;letter-spacing:.5px;margin-bottom:8px">📎 Vezani računi (gorivo, cestarina, hotel...)</h4>
+        <table id="pn_invoices_table"><thead><tr><th>#</th><th>Vrsta</th><th>Dobavljač</th><th>OIB</th><th>Datum</th><th class="num">Brutto</th><th>Status</th></tr></thead><tbody></tbody></table>
+      </div>
+      <div class="actions-row" id="pn_actions"></div>
+      <div style="margin-top:18px">
+        <h4 style="font-size:12px;color:var(--text-3);text-transform:uppercase;letter-spacing:.5px;margin-bottom:8px">Audit log</h4>
+        <div id="pn_audit"></div>
+      </div>
+    </div>
+  </div>
+</div>
+
+<!-- ============ PAY PUTNI NALOG MODAL ============ -->
+<div id="payPnModal" class="modal-bg" onclick="if(event.target===this)closeModal('payPnModal')">
+  <div class="modal" style="max-width:560px">
+    <div class="modal-h">
+      <h3>💰 Isplata putnog naloga</h3>
+      <button class="x" onclick="closeModal('payPnModal')">×</button>
+    </div>
+    <div class="modal-body">
+      <div class="grid2" style="gap:12px">
+        <div><label class="lbl">IBAN primatelja</label><input id="ppn_iban_to" class="fld"></div>
+        <div><label class="lbl">IBAN platitelja</label><input id="ppn_iban_from" class="fld"></div>
+        <div><label class="lbl">Datum uplate</label><input id="ppn_date" type="date" class="fld"></div>
+        <div><label class="lbl">Iznos (€)</label><input id="ppn_amount" type="number" step="0.01" class="fld"></div>
+        <div><label class="lbl">Referenca</label><input id="ppn_ref" class="fld"></div>
+        <div><label class="lbl">Tx ID</label><input id="ppn_tx" class="fld"></div>
+      </div>
+      <div class="actions-row">
+        <button class="btn green" id="ppnConfirm">✓ Potvrdi isplatu</button>
+        <button class="btn sec" onclick="closeModal('payPnModal')">Odustani</button>
+        <span id="ppnStatus" style="font-size:12px;color:var(--text-3);align-self:center"></span>
+      </div>
+    </div>
+  </div>
+</div>
+
+<!-- ============ REJECT PUTNI NALOG MODAL ============ -->
+<div id="rejectModal" class="modal-bg" onclick="if(event.target===this)closeModal('rejectModal')">
+  <div class="modal" style="max-width:480px">
+    <div class="modal-h">
+      <h3>❌ Odbij putni nalog</h3>
+      <button class="x" onclick="closeModal('rejectModal')">×</button>
+    </div>
+    <div class="modal-body">
+      <label class="lbl">Razlog odbijanja</label>
+      <textarea id="rejectText" class="fld" rows="4" style="resize:vertical;font-family:inherit"></textarea>
+      <div class="actions-row">
+        <button class="btn red" id="rejectConfirm">Odbij</button>
+        <button class="btn sec" onclick="closeModal('rejectModal')">Odustani</button>
+        <span id="rejectStatus" style="font-size:12px;color:var(--text-3);align-self:center"></span>
+      </div>
+    </div>
+  </div>
+</div>
+
+<script>
+const ERP_API = '/api/erp';
+const $ = s => document.querySelector(s);
+const $$ = s => document.querySelectorAll(s);
+const fmt = n => n == null ? '—' : new Intl.NumberFormat('hr-HR').format(n);
+const fmtEur = n => n != null ? '€' + fmt(Math.round(n*100)/100) : '—';
+const fmtDate = d => d ? d.substring(0,10) : '—';
+
+function badge(t,c) { return `<span class="badge ${c}">${t||'—'}</span>`; }
+function sBadge(s) {
+  if (!s) return badge('—','gray');
+  const x = s.toLowerCase();
+  if (['paid','approved','active','odobren','zatvoren'].includes(x)) return badge(s,'green');
+  if (['pending','draft','submitted','open','unpaid'].includes(x)) return badge(s,'yellow');
+  if (['overdue','rejected','cancelled','failed'].includes(x)) return badge(s,'red');
+  return badge(s,'gray');
+}
+
+async function loadKlubovi() {
+  const r = await fetch('/api/klubovi?limit=400').then(r=>r.json()).catch(()=>null);
+  if (!r) return;
+  const arr = Array.isArray(r) ? r : (r.rows || r.items || []);
+  const opts = '<option value="">— odaberi klub —</option>' + arr
+    .map(k => ({id: k.id, naziv: (k.naziv || k.klub || k.sport || '#'+k.id).toString().trim()}))
+    .filter(k => k.naziv)
+    .sort((a,b) => a.naziv.localeCompare(b.naziv,'hr'))
+    .map(k => `<option value="${k.id}">${k.naziv.replace(/"/g,'&quot;')}</option>`).join('');
+  ['oc_klub','pn_klub'].forEach(id => { const e=$('#'+id); if (e) e.innerHTML=opts; });
+}
+
+let ocrUploadId = null, ocrParsed = null;
+function ocrSet(m,c) { const e=$('#ocrStatus'); if(e){e.textContent=m||''; e.style.color=c||'var(--text-2)';} }
+
+async function ocrHandle(file) {
+  if (!file) return;
+  ocrSet('⏳ Učitavam datoteku…','var(--yellow)');
+  const klubVal = $('#oc_klub')?.value || '';
+  const fd = new FormData();
+  fd.append('file', file);
+  if (klubVal) fd.append('klub_id', klubVal);
+  fd.append('tenant_id', 1);
+  fd.append('invoice_kind', $('#oc_kind')?.value || 'ostalo');
+  let r = await fetch(`${ERP_API}/ocr/upload`, {method:'POST',body:fd});
+  if (!r.ok) { ocrSet('❌ Upload pao: '+r.status,'var(--red)'); return; }
+  const j = await r.json();
+  ocrUploadId = j.upload_id;
+  ocrSet(`✓ Uploaded #${ocrUploadId} (${j.size} B). Pokrećem OCR + Ri.NET AI Engine ekstrakciju…`,'var(--accent)');
+
+  const fd2 = new FormData();
+  fd2.append('upload_id', ocrUploadId);
+  fd2.append('use_llm', 'true');
+  r = await fetch(`${ERP_API}/ocr/parse`, {method:'POST',body:fd2});
+  const p = await r.json();
+  if (!p.ok) { ocrSet('❌ '+(p.error||'Parse fail'),'var(--red)'); return; }
+  ocrParsed = p.extracted || {};
+  $('#oc_vendor_name').value  = ocrParsed.vendor_name || '';
+  $('#oc_vendor_oib').value   = ocrParsed.vendor_oib  || '';
+  $('#oc_invoice_no').value   = ocrParsed.invoice_no  || '';
+  $('#oc_invoice_date').value = ocrParsed.invoice_date|| '';
+  $('#oc_amount_net').value   = ocrParsed.amount_net  ?? '';
+  $('#oc_amount_vat').value   = ocrParsed.amount_vat  ?? '';
+  $('#oc_amount_gross').value = ocrParsed.amount_gross?? '';
+  $('#oc_vat_rate').value     = ocrParsed.vat_rate    ?? '';
+  $('#oc_iban').value          = ocrParsed.iban       || '';
+  $('#oc_kind').value          = ocrParsed.category   || 'ostalo';
+  $('#oc_currency').value      = ocrParsed.currency   || 'EUR';
+  $('#oc_description').value   = ocrParsed.description|| '';
+  $('#oc_raw').textContent     = (p.raw_text_preview||'').slice(0,4000);
+  $('#ocrResult').style.display = 'block';
+  ocrSet(`✓ OCR ${p.ocr_method} (${p.raw_chars} znakova). Provjeri polja → "Spremi račun".`,'var(--green)');
+}
+
+function ocrInit() {
+  const drop = $('#ocrDrop'), inp = $('#ocrFile');
+  drop.addEventListener('click', () => inp.click());
+  inp.addEventListener('change', e => { if (e.target.files[0]) ocrHandle(e.target.files[0]); });
+  ['dragenter','dragover'].forEach(ev => drop.addEventListener(ev, e => { e.preventDefault(); drop.style.borderColor='var(--accent)'; }));
+  ['dragleave','drop'].forEach(ev => drop.addEventListener(ev, e => { e.preventDefault(); drop.style.borderColor='var(--border)'; }));
+  drop.addEventListener('drop', e => { e.preventDefault(); const f = e.dataTransfer.files[0]; if (f) ocrHandle(f); });
+  $('#ocCancel').addEventListener('click', () => { $('#ocrResult').style.display='none'; ocrUploadId=null; ocrParsed=null; ocrSet(''); inp.value=''; });
+  $('#ocSave').addEventListener('click', async () => {
+    const klub = $('#oc_klub').value;
+    if (!klub) { $('#ocSaveStatus').textContent = 'Odaberi klub'; return; }
+    const body = {
+      klub_id: parseInt(klub), tenant_id: 1, upload_id: ocrUploadId,
+      invoice_kind: $('#oc_kind').value || 'ostalo',
+      invoice_no: $('#oc_invoice_no').value, vendor_name: $('#oc_vendor_name').value,
+      vendor_oib: $('#oc_vendor_oib').value, invoice_date: $('#oc_invoice_date').value,
+      amount_net: parseFloat($('#oc_amount_net').value)||null,
+      amount_vat: parseFloat($('#oc_amount_vat').value)||null,
+      amount_gross: parseFloat($('#oc_amount_gross').value),
+      vat_rate: parseFloat($('#oc_vat_rate').value)||null,
+      iban_to: $('#oc_iban').value || null,
+      currency: $('#oc_currency').value || 'EUR',
+      category: $('#oc_kind').value || 'ostalo',
+      description: $('#oc_description').value || null,
+    };
+    $('#ocSaveStatus').textContent = '⏳ Spremam…';
+    const r = await fetch(`${ERP_API}/invoices`,{method:'POST',headers:{'Content-Type':'application/json'},body:JSON.stringify(body)});
+    const j = await r.json();
+    if (j.ok) {
+      $('#ocSaveStatus').textContent = `✓ Spremljen kao #${j.invoice.id}`;
+      $('#ocSaveStatus').style.color = 'var(--green)';
+      setTimeout(() => { $('#ocrResult').style.display='none'; loadInvoices(); }, 1500);
+    } else {
+      $('#ocSaveStatus').textContent = '❌ ' + (j.detail||'Greška');
+      $('#ocSaveStatus').style.color = 'var(--red)';
+    }
+  });
+}
+
+let pnTimer = null;
+async function pnPreview() {
+  const df = $('#pn_from').value, dt = $('#pn_to').value;
+  const country = $('#pn_country').value || 'Hrvatska';
+  const km = parseFloat($('#pn_km').value || 0);
+  const kr = parseFloat($('#pn_kmrate').value || 0.5);
+  const tgt = $('#pn_preview');
+  if (!df || !dt) { tgt.textContent = 'Unesi datume za live obračun dnevnica…'; return; }
+  const r = await fetch(`${ERP_API}/putni-nalog/dnevnice/preview?date_from=${encodeURIComponent(df)}&date_to=${encodeURIComponent(dt)}&country=${encodeURIComponent(country)}&km=${km}&km_rate=${kr}`).then(r=>r.json()).catch(()=>null);
+  if (!r || !r.ok) { tgt.textContent='⚠ Neuspješan obračun'; return; }
+  const d = r.preview;
+  tgt.innerHTML = `
+    <div class="grid4">
+      <div><div style="color:var(--text-3);font-size:11px">Sati</div><div style="font-size:18px;font-family:'JetBrains Mono'">${d.hours}h</div></div>
+      <div><div style="color:var(--text-3);font-size:11px">Pune dnevnice</div><div style="font-size:18px;color:var(--accent);font-family:'JetBrains Mono'">${d.days_full} × €${d.rate_full}</div></div>
+      <div><div style="color:var(--text-3);font-size:11px">Pola dnevnica</div><div style="font-size:18px;color:var(--yellow);font-family:'JetBrains Mono'">${d.days_half} × €${d.rate_half}</div></div>
+      <div><div style="color:var(--text-3);font-size:11px">Dnevnice ukupno</div><div style="font-size:18px;color:var(--green);font-family:'JetBrains Mono'">€${d.dnevnica_amount_total}</div></div>
+      <div><div style="color:var(--text-3);font-size:11px">Kilometara</div><div style="font-size:16px;font-family:'JetBrains Mono'">${d.km_driven} km</div></div>
+      <div><div style="color:var(--text-3);font-size:11px">Kilometrina</div><div style="font-size:16px;font-family:'JetBrains Mono'">€${d.km_amount}</div></div>
+      <div><div style="color:var(--text-3);font-size:11px">Zemlja</div><div style="font-size:14px;font-family:'JetBrains Mono'">${d.country}</div></div>
+      <div><div style="color:var(--text-3);font-size:11px">PROCJENA UKUPNO</div><div style="font-size:22px;color:var(--accent);font-family:'JetBrains Mono';font-weight:700">€${d.total_estimated}</div></div>
+    </div>`;
+}
+
+function pnInit() {
+  ['pn_from','pn_to','pn_country','pn_km','pn_kmrate'].forEach(id => {
+    const el = $('#'+id); if (el) el.addEventListener('input', () => { clearTimeout(pnTimer); pnTimer = setTimeout(pnPreview, 250); });
+  });
+  $('#pnSave').addEventListener('click', async () => {
+    const klub = $('#pn_klub').value;
+    if (!klub) { $('#pnSaveStatus').textContent = 'Odaberi klub'; return; }
+    const body = {
+      klub_id: parseInt(klub), tenant_id: 1,
+      voditelj_ime: $('#pn_voditelj').value,
+      putnici: ($('#pn_putnici').value||'').split(',').map(s=>s.trim()).filter(Boolean),
+      svrha: $('#pn_svrha').value,
+      od_grada: $('#pn_od').value, do_grada: $('#pn_do').value,
+      datum_polaska: $('#pn_from').value, datum_povratka: $('#pn_to').value,
+      country: $('#pn_country').value,
+      vehicle_type: $('#pn_vehicle').value,
+      registracija_vozila: $('#pn_plate').value,
+      kilometara: parseFloat($('#pn_km').value)||0,
+      km_rate: parseFloat($('#pn_kmrate').value)||0.5,
+    };
+    $('#pnSaveStatus').textContent = '⏳ Spremam…';
+    const r = await fetch(`${ERP_API}/putni-nalog`,{method:'POST',headers:{'Content-Type':'application/json'},body:JSON.stringify(body)});
+    const j = await r.json();
+    if (j.ok) {
+      $('#pnSaveStatus').innerHTML = `✓ Putni nalog #${j.putni_nalog.id} kreiran (€${j.putni_nalog.cost_total})`;
+      $('#pnSaveStatus').style.color = 'var(--green)';
+      loadPutni();
+    } else {
+      $('#pnSaveStatus').textContent = '❌ ' + (j.detail||'Greška');
+      $('#pnSaveStatus').style.color = 'var(--red)';
+    }
+  });
+}
+
+async function loadInvoices() {
+  const r = await fetch(`${ERP_API}/invoices?limit=50`, {headers: AUTH_HDR()}).then(r=>r.json()).catch(()=>null);
+  if (!r || !r.rows) return;
+  $('#invTable tbody').innerHTML = r.rows.length ? r.rows.map(i=>`
+    <tr class="clickable" onclick="openInvoice(${i.id})"><td>${i.id}</td><td>${i.invoice_kind||'—'}</td><td>${i.invoice_no||'—'}</td>
+      <td>${i.vendor_name||'—'}</td><td style="font-family:'JetBrains Mono'">${i.vendor_oib||'—'}</td>
+      <td>${i.klub_naziv||'—'}</td><td class="num">${fmtEur(i.amount_gross)}</td>
+      <td>${sBadge(i.payment_status)}</td><td>${fmtDate(i.invoice_date)}</td></tr>`).join('')
+    : '<tr><td colspan="9" style="color:var(--text-3);text-align:center;padding:20px">Nema podataka</td></tr>';
+}
+
+async function loadPutni() {
+  const r = await fetch(`${ERP_API}/putni-nalog?limit=50`, {headers: AUTH_HDR()}).then(r=>r.json()).catch(()=>null);
+  if (!r || !r.rows) return;
+  $('#pnTable tbody').innerHTML = r.rows.length ? r.rows.map(p=>`
+    <tr class="clickable" onclick="openPutni(${p.id})"><td>${p.id}</td><td>${p.klub_naziv||'—'}</td><td>${p.destination||'—'}</td>
+      <td>${fmtDate(p.date_from)}</td><td>${fmtDate(p.date_to)}</td>
+      <td class="num">${fmtEur(p.dnevnice_amount)}</td>
+      <td class="num">${fmtEur(p.cost_transport)}</td>
+      <td class="num"><strong>${fmtEur(p.cost_total)}</strong></td>
+      <td>${sBadge(p.status)}</td></tr>`).join('')
+    : '<tr><td colspan="9" style="color:var(--text-3);text-align:center;padding:20px">Nema podataka</td></tr>';
+}
+
+// ===== AUTH (JWT iz localStorage ili admin token fallback) =====
+function AUTH_HDR(extra) {
+  const h = Object.assign({}, extra || {});
+  let t = null;
+  try { t = localStorage.getItem('jwt') || sessionStorage.getItem('jwt'); } catch(e){}
+  if (!t) t = 'admin-pgz-2026';
+  h['Authorization'] = 'Bearer ' + t;
+  return h;
+}
+function AUTH_HDR_JSON() { return AUTH_HDR({'Content-Type': 'application/json'}); }
+
+function openModal(id) { document.getElementById(id).classList.add('show'); }
+function closeModal(id) { document.getElementById(id).classList.remove('show'); }
+
+function escHtml(s) {
+  if (s == null) return '';
+  return String(s).replace(/[&<>"']/g, c => ({'&':'&amp;','<':'&lt;','>':'&gt;','"':'&quot;',"'":'&#39;'}[c]));
+}
+
+function renderAudit(audit) {
+  if (!audit || !audit.length) return '<div style="color:var(--text-3);font-size:12px">Nema audit zapisa.</div>';
+  return audit.map(a => `
+    <div class="audit-row">
+      <div class="ts">${(a.timestamp||'').replace('T',' ').substring(0,19)}</div>
+      <div class="op">${escHtml(a.operacija)}</div>
+      <div class="who">${escHtml(a.korisnik||'—')}</div>
+      <div>${escHtml(a.promijenjeno_polje||'')}: <span style="color:var(--text-3)">${escHtml(a.stara_vrijednost||'∅')}</span> → <span style="color:var(--green)">${escHtml(a.nova_vrijednost||'∅')}</span></div>
+    </div>`).join('');
+}
+
+// ===== INVOICE DETAIL =====
+let _currentInvoice = null;
+
+async function openInvoice(id) {
+  const r = await fetch(`${ERP_API}/invoices/${id}`, {headers: AUTH_HDR()}).then(r=>r.json()).catch(()=>null);
+  if (!r || !r.ok) { alert('Greška pri učitavanju računa #' + id); return; }
+  _currentInvoice = r;
+  const i = r.invoice;
+  $('#invModalTitle').textContent = `Račun #${i.id} · ${i.invoice_no || '—'}`;
+
+  // Preview slike
+  const pv = $('#inv_preview');
+  if (r.uploads && r.uploads.length) {
+    const up = r.uploads[0];
+    const fileUrl = `${ERP_API}/invoices/${id}/file`;
+    const isPdf = (up.mime || '').includes('pdf') || (up.file_name || '').toLowerCase().endsWith('.pdf');
+    if (isPdf) {
+      pv.innerHTML = `<embed src="${fileUrl}" type="application/pdf" style="width:100%;height:480px;border:1px solid var(--border);border-radius:6px"><div style="margin-top:6px;font-size:11px;color:var(--text-3)">${escHtml(up.file_name)} · ${escHtml(up.mime||'')}</div>`;
+    } else {
+      pv.innerHTML = `<a href="${fileUrl}" target="_blank"><img class="preview-img" src="${fileUrl}" alt="skena"></a><div style="margin-top:6px;font-size:11px;color:var(--text-3)">${escHtml(up.file_name)} · OCR ${escHtml(up.ocr_engine||up.ocr_status||'')}</div>`;
+    }
+  } else {
+    pv.innerHTML = '<div style="padding:60px;background:var(--bg-3);border-radius:6px;color:var(--text-3);font-size:12px">Bez priložene datoteke</div>';
+  }
+
+  // KV polja
+  $('#inv_kv').innerHTML = `
+    <div>Izdavatelj</div><div>${escHtml(i.vendor_name||'—')}</div>
+    <div>OIB izdavatelja</div><div>${escHtml(i.vendor_oib||'—')}</div>
+    <div>Broj računa</div><div>${escHtml(i.invoice_no||'—')}</div>
+    <div>Datum</div><div>${fmtDate(i.invoice_date)}</div>
+    <div>Klub</div><div>${escHtml(i.klub_naziv||'—')}</div>
+    <div>Vrsta</div><div>${escHtml(i.invoice_kind||'—')}</div>
+    <div>Iznos neto</div><div>${fmtEur(i.amount_net)}</div>
+    <div>PDV (${i.vat_rate||'—'}%)</div><div>${fmtEur(i.amount_vat)}</div>
+    <div>Brutto</div><div style="color:var(--accent);font-weight:700">${fmtEur(i.amount_gross)}</div>
+    <div>Valuta</div><div>${escHtml(i.currency||'EUR')}</div>
+    <div>Opis</div><div>${escHtml(i.description||'—')}</div>
+  `;
+
+  // Status block
+  const status = (i.payment_status||'unpaid').toLowerCase();
+  let sb = `<div style="display:flex;align-items:center;gap:10px"><span style="font-size:11px;color:var(--text-3)">STATUS</span> ${sBadge(i.payment_status)}</div>`;
+  if (status === 'paid') {
+    const lastPay = (r.payments && r.payments.length) ? r.payments[0] : {};
+    sb += `<div style="margin-top:10px;font-size:12px;line-height:1.7">
+      <div><span style="color:var(--text-3)">IBAN primatelja:</span> <span style="font-family:'JetBrains Mono'">${escHtml(lastPay.iban_to || i.iban_to || '—')}</span></div>
+      <div><span style="color:var(--text-3)">IBAN platitelja:</span> <span style="font-family:'JetBrains Mono'">${escHtml(lastPay.iban_from || i.iban_from || '—')}</span></div>
+      <div><span style="color:var(--text-3)">Datum uplate:</span> ${fmtDate(i.paid_date) || fmtDate(lastPay.payment_date)}</div>
+      <div><span style="color:var(--text-3)">Iznos uplate:</span> <strong style="color:var(--green)">${fmtEur(lastPay.amount || i.amount_gross)}</strong></div>
+      <div><span style="color:var(--text-3)">Referenca:</span> <span style="font-family:'JetBrains Mono'">${escHtml(lastPay.reference||'—')}</span></div>
+      <div><span style="color:var(--text-3)">Tx ID:</span> <span style="font-family:'JetBrains Mono'">${escHtml(lastPay.bank_transaction_id||'—')}</span></div>
+    </div>`;
+  } else if (status === 'cancelled' || status === 'otkazan') {
+    sb += `<div style="margin-top:8px;color:var(--red);font-size:12px">Račun je otkazan.</div>`;
+  } else {
+    sb += `<div style="margin-top:8px;color:var(--yellow);font-size:12px">Neplaćen — čeka uplatu.</div>`;
+  }
+  $('#inv_status_block').innerHTML = sb;
+
+  // Actions po permission-ima
+  const a = r.actions || {};
+  const acts = [];
+  if (a.pay && status !== 'paid') acts.push(`<button class="btn green" onclick="openPayModal(${id})">💰 Označi kao plaćen</button>`);
+  if (a.edit && status !== 'paid') acts.push(`<button class="btn yellow" onclick="alert('Edit u UI: koristi M5 OCR formu — ovaj panel je read-only za prikaz')">✏ Korekcija polja</button>`);
+  if (a.comment) acts.push(`<button class="btn sec" onclick="openCommentModal(${id})">💬 Komentar</button>`);
+  if (r.uploads && r.uploads.length) acts.push(`<a href="${ERP_API}/invoices/${id}/file" target="_blank" class="btn sec" style="text-decoration:none">📥 Preuzmi sken</a>`);
+  if (a.delete) acts.push(`<button class="btn red" onclick="if(confirm('Obrisati račun #${id}?')){alert('Brisanje: TODO endpoint')}">🗑 Obriši</button>`);
+  if (!acts.length) acts.push('<span style="color:var(--text-3);font-size:12px">Bez dostupnih akcija (samo pregled).</span>');
+  $('#inv_actions').innerHTML = acts.join('');
+
+  $('#inv_audit').innerHTML = renderAudit(r.audit);
+  openModal('invModal');
+}
+
+function openPayModal(id) {
+  const inv = _currentInvoice && _currentInvoice.invoice;
+  if (inv) {
+    $('#pay_iban_to').value = inv.iban_to || '';
+    $('#pay_amount').value = inv.amount_gross || '';
+  }
+  $('#pay_date').value = new Date().toISOString().substring(0,10);
+  $('#payStatus').textContent = '';
+  openModal('payModal');
+  $('#payConfirm').onclick = async () => {
+    const body = {
+      iban_to: $('#pay_iban_to').value.trim(),
+      iban_from: $('#pay_iban_from').value.trim(),
+      paid_date: $('#pay_date').value,
+      amount: parseFloat($('#pay_amount').value) || undefined,
+      reference: $('#pay_ref').value.trim(),
+      bank_transaction_id: $('#pay_tx').value.trim(),
+      payment_method: 'transfer',
+    };
+    $('#payStatus').textContent = '⏳ Spremam…';
+    const r = await fetch(`${ERP_API}/invoices/${id}/pay`, {method:'POST', headers: AUTH_HDR_JSON(), body: JSON.stringify(body)}).then(r=>r.json()).catch(()=>({ok:false,detail:'net'}));
+    if (r.ok) {
+      $('#payStatus').textContent = '✓ Plaćeno';
+      $('#payStatus').style.color = 'var(--green)';
+      setTimeout(() => { closeModal('payModal'); openInvoice(id); loadInvoices(); }, 700);
+    } else {
+      $('#payStatus').textContent = '❌ ' + (r.detail || 'Greška');
+      $('#payStatus').style.color = 'var(--red)';
+    }
+  };
+}
+
+function openCommentModal(id) {
+  $('#commentText').value = '';
+  $('#commentStatus').textContent = '';
+  openModal('commentModal');
+  $('#commentSave').onclick = async () => {
+    const txt = $('#commentText').value.trim();
+    if (!txt) { $('#commentStatus').textContent = 'Komentar je prazan'; return; }
+    $('#commentStatus').textContent = '⏳';
+    const r = await fetch(`${ERP_API}/invoices/${id}/comment`, {method:'POST', headers: AUTH_HDR_JSON(), body: JSON.stringify({comment: txt})}).then(r=>r.json()).catch(()=>({ok:false,detail:'net'}));
+    if (r.ok) {
+      $('#commentStatus').textContent = '✓ Spremljeno';
+      $('#commentStatus').style.color = 'var(--green)';
+      setTimeout(() => { closeModal('commentModal'); openInvoice(id); }, 600);
+    } else {
+      $('#commentStatus').textContent = '❌ ' + (r.detail || 'Greška');
+      $('#commentStatus').style.color = 'var(--red)';
+    }
+  };
+}
+
+// ===== PUTNI NALOG DETAIL =====
+let _currentPn = null;
+
+async function openPutni(id) {
+  const r = await fetch(`${ERP_API}/putni-nalog/${id}`, {headers: AUTH_HDR()}).then(r=>r.json()).catch(()=>null);
+  if (!r || !r.ok) { alert('Greška pri učitavanju putnog naloga #' + id); return; }
+  _currentPn = r;
+  const p = r.putni_nalog;
+  $('#pnModalTitle').textContent = `Putni nalog #${p.id} · ${p.klub_naziv||'—'}`;
+
+  const att = p.attachments || {};
+  const dnv = att.dnevnice_calc || {};
+  const putnici = (att.putnici || []).join(', ');
+  const voditelj = att.voditelj || '—';
+  const country = att.country || '—';
+  const fromCity = att.from_city || '—', toCity = att.to_city || '—';
+
+  $('#pn_kv').innerHTML = `
+    <div>Voditelj</div><div>${escHtml(voditelj)}</div>
+    <div>Putnici</div><div>${escHtml(putnici||'—')}</div>
+    <div>Svrha</div><div>${escHtml(p.purpose||'—')}</div>
+    <div>Ruta</div><div>${escHtml(fromCity)} → ${escHtml(toCity)}</div>
+    <div>Zemlja</div><div>${escHtml(country)}</div>
+    <div>Polazak</div><div>${fmtDate(p.date_from)}</div>
+    <div>Povratak</div><div>${fmtDate(p.date_to)}</div>
+    <div>Vozilo</div><div>${escHtml(p.vehicle_type||'—')} ${escHtml(p.vehicle_plate||'')}</div>
+    <div>Kilometara</div><div>${p.km_driven||0} km × €${p.km_rate||0.5}</div>
+  `;
+
+  $('#pn_obracun').innerHTML = `
+    <div>Pune dnevnice</div><div style="color:var(--accent)">${dnv.days_full||0} × €${dnv.rate_full||0}</div>
+    <div>Pola dnevnica</div><div style="color:var(--yellow)">${dnv.days_half||0} × €${dnv.rate_half||0}</div>
+    <div>Dnevnice ukupno</div><div style="color:var(--green)">${fmtEur(p.dnevnice_amount)}</div>
+    <div>Kilometrina</div><div>${fmtEur(p.cost_transport)}</div>
+    <div>Smještaj</div><div>${fmtEur(p.cost_lodging)}</div>
+    <div>Hrana / ostalo</div><div>${fmtEur((p.cost_meals||0)+(p.cost_other||0))}</div>
+    <div style="font-weight:700">UKUPNO</div><div style="color:var(--accent);font-weight:700;font-size:18px">${fmtEur(p.cost_total)}</div>
+  `;
+
+  // Status block
+  const status = (p.status||'draft').toLowerCase();
+  let sb = `<div style="display:flex;align-items:center;gap:10px"><span style="font-size:11px;color:var(--text-3)">STATUS</span> ${sBadge(p.status)}</div>`;
+  if (status === 'isplacen') {
+    const lastPay = (r.payments && r.payments.length) ? r.payments[0] : {};
+    sb += `<div style="margin-top:10px;font-size:12px;line-height:1.7">
+      <div><span style="color:var(--text-3)">IBAN primatelja:</span> <span style="font-family:'JetBrains Mono'">${escHtml(lastPay.iban_to||'—')}</span></div>
+      <div><span style="color:var(--text-3)">Datum isplate:</span> ${fmtDate(p.paid_at) || fmtDate(lastPay.payment_date)}</div>
+      <div><span style="color:var(--text-3)">Iznos isplate:</span> <strong style="color:var(--green)">${fmtEur(lastPay.amount||p.cost_total)}</strong></div>
+      <div><span style="color:var(--text-3)">Referenca:</span> <span style="font-family:'JetBrains Mono'">${escHtml(lastPay.reference||'—')}</span></div>
+      <div><span style="color:var(--text-3)">Tx ID:</span> <span style="font-family:'JetBrains Mono'">${escHtml(lastPay.bank_transaction_id||'—')}</span></div>
+    </div>`;
+  } else if (status === 'odbijen') {
+    sb += `<div style="margin-top:8px;color:var(--red);font-size:12px">${escHtml(p.notes||'Odbijen').slice(-200)}</div>`;
+  } else {
+    sb += `<div style="margin-top:8px;color:var(--yellow);font-size:12px">${status === 'odobren' || status === 'zatvoren' ? 'Čeka isplatu.' : status === 'poslan' ? 'Čeka odobrenje.' : 'Draft — još nije poslan na odobrenje.'}</div>`;
+  }
+  $('#pn_status_block').innerHTML = sb;
+
+  // Vezani računi
+  const invs = r.invoices || [];
+  $('#pn_invoices_table tbody').innerHTML = invs.length ? invs.map(i => `
+    <tr class="clickable" onclick="closeModal('pnModal'); setTimeout(()=>openInvoice(${i.id}), 100)">
+      <td>${i.id}</td><td>${escHtml(i.invoice_kind||'—')}</td><td>${escHtml(i.vendor_name||'—')}</td>
+      <td style="font-family:'JetBrains Mono'">${escHtml(i.vendor_oib||'—')}</td>
+      <td>${fmtDate(i.invoice_date)}</td>
+      <td class="num">${fmtEur(i.amount_gross)}</td>
+      <td>${sBadge(i.payment_status)}</td>
+    </tr>`).join('') : '<tr><td colspan="7" style="color:var(--text-3);text-align:center;padding:14px">Nema vezanih računa</td></tr>';
+
+  // Actions
+  const a = r.actions || {};
+  const acts = [];
+  if (a.submit) acts.push(`<button class="btn yellow" onclick="submitPn(${id})">📤 Pošalji na odobrenje</button>`);
+  if (a.approve) acts.push(`<button class="btn green" onclick="approvePn(${id})">✓ Odobri</button>`);
+  if (a.reject) acts.push(`<button class="btn red" onclick="openRejectModal(${id})">✗ Odbij</button>`);
+  if (a.pay) acts.push(`<button class="btn green" onclick="openPayPnModal(${id})">💰 Isplati</button>`);
+  if (a.edit) acts.push(`<button class="btn sec" onclick="alert('Edit drafta — koristi M6 formu \\'Novi putni nalog\\' s prefilanim poljima (TODO UI)')">✏ Edit</button>`);
+  if (!acts.length) acts.push('<span style="color:var(--text-3);font-size:12px">Bez dostupnih akcija (samo pregled).</span>');
+  $('#pn_actions').innerHTML = acts.join('');
+
+  $('#pn_audit').innerHTML = renderAudit(r.audit);
+  openModal('pnModal');
+}
+
+async function submitPn(id) {
+  if (!confirm('Poslati putni nalog #' + id + ' na odobrenje?')) return;
+  const r = await fetch(`${ERP_API}/putni-nalog/${id}/posalji`, {method:'POST', headers: AUTH_HDR_JSON()}).then(r=>r.json()).catch(()=>null);
+  if (r && r.ok) { openPutni(id); loadPutni(); } else alert('Greška: ' + (r && r.detail || ''));
+}
+async function approvePn(id) {
+  if (!confirm('Odobriti putni nalog #' + id + '?')) return;
+  const r = await fetch(`${ERP_API}/putni-nalog/${id}/odobriti`, {method:'POST', headers: AUTH_HDR_JSON(), body: '{}'}).then(r=>r.json()).catch(()=>null);
+  if (r && r.ok) { openPutni(id); loadPutni(); } else alert('Greška: ' + (r && r.detail || ''));
+}
+function openRejectModal(id) {
+  $('#rejectText').value = '';
+  $('#rejectStatus').textContent = '';
+  openModal('rejectModal');
+  $('#rejectConfirm').onclick = async () => {
+    const reason = $('#rejectText').value.trim();
+    if (!reason) { $('#rejectStatus').textContent = 'Razlog je obavezan'; return; }
+    const r = await fetch(`${ERP_API}/putni-nalog/${id}/odbij`, {method:'POST', headers: AUTH_HDR_JSON(), body: JSON.stringify({razlog: reason})}).then(r=>r.json()).catch(()=>null);
+    if (r && r.ok) { closeModal('rejectModal'); openPutni(id); loadPutni(); }
+    else $('#rejectStatus').textContent = '❌ ' + (r && r.detail || 'Greška');
+  };
+}
+function openPayPnModal(id) {
+  const pn = _currentPn && _currentPn.putni_nalog;
+  if (pn) $('#ppn_amount').value = pn.cost_total || '';
+  $('#ppn_date').value = new Date().toISOString().substring(0,10);
+  $('#ppnStatus').textContent = '';
+  openModal('payPnModal');
+  $('#ppnConfirm').onclick = async () => {
+    const body = {
+      iban_to: $('#ppn_iban_to').value.trim(),
+      iban_from: $('#ppn_iban_from').value.trim(),
+      paid_date: $('#ppn_date').value,
+      amount: parseFloat($('#ppn_amount').value) || undefined,
+      reference: $('#ppn_ref').value.trim(),
+      bank_transaction_id: $('#ppn_tx').value.trim(),
+    };
+    $('#ppnStatus').textContent = '⏳';
+    const r = await fetch(`${ERP_API}/putni-nalog/${id}/isplati`, {method:'POST', headers: AUTH_HDR_JSON(), body: JSON.stringify(body)}).then(r=>r.json()).catch(()=>null);
+    if (r && r.ok) {
+      $('#ppnStatus').textContent = '✓ Isplaćeno';
+      $('#ppnStatus').style.color = 'var(--green)';
+      setTimeout(() => { closeModal('payPnModal'); openPutni(id); loadPutni(); }, 700);
+    } else {
+      $('#ppnStatus').textContent = '❌ ' + (r && r.detail || 'Greška');
+      $('#ppnStatus').style.color = 'var(--red)';
+    }
+  };
+}
+
+function activate(name) {
+  $$('.nav-item').forEach(n => n.classList.toggle('active', n.dataset.tab === name));
+  $$('.tab').forEach(t => t.classList.toggle('active', t.id === 'tab-' + name));
+  const titles = {ocr:'Skeniraj račun (OCR)',invoices:'Računi',putni:'Novi putni nalog','putni-list':'Lista putnih naloga'};
+  $('#pageTitle').textContent = titles[name] || name;
+  if (name === 'invoices') loadInvoices();
+  if (name === 'putni-list') loadPutni();
+}
+$$('.nav-item').forEach(n => n.addEventListener('click', () => activate(n.dataset.tab)));
+
+(async () => {
+  await loadKlubovi();
+  ocrInit();
+  pnInit();
+})();
+</script>
+</body>
+</html>
diff --git a/_backups/kpi.html.cc3_pre_unified_sidebar.1777935999 b/_backups/kpi.html.cc3_pre_unified_sidebar.1777935999
new file mode 100644
index 0000000..2861b47
--- /dev/null
+++ b/_backups/kpi.html.cc3_pre_unified_sidebar.1777935999
@@ -0,0 +1,99 @@
+<!DOCTYPE html>
+<html lang="hr">
+<head>
+<meta charset="UTF-8">
+<title>RINET KPI Dashboard</title>
+<style>
+  body { font-family: -apple-system, sans-serif; background: #0a0e1a; color: #d0d8e8; margin: 0; padding: 20px; }
+  h1 { color: #4af; margin: 0 0 20px; font-size: 24px; }
+  h2 { color: #6cf; margin: 20px 0 8px; font-size: 16px; border-bottom: 1px solid #2a3a4a; padding-bottom: 4px; }
+  .grid { display: grid; grid-template-columns: repeat(auto-fit, minmax(260px, 1fr)); gap: 12px; margin-bottom: 16px; }
+  .card { background: #14192a; padding: 12px 16px; border-radius: 6px; border-left: 3px solid #4af; }
+  .card .label { color: #88a; font-size: 11px; text-transform: uppercase; }
+  .card .value { color: #fff; font-size: 22px; font-weight: bold; margin: 4px 0; }
+  .card .sub { color: #aab; font-size: 12px; }
+  .card.good { border-left-color: #4f4; }
+  .card.warn { border-left-color: #fa4; }
+  .card.bad { border-left-color: #f44; }
+  table { width: 100%; border-collapse: collapse; }
+  th, td { text-align: left; padding: 6px 12px; border-bottom: 1px solid #2a3a4a; font-size: 12px; }
+  th { color: #6cf; font-weight: normal; text-transform: uppercase; font-size: 10px; }
+  tr:hover { background: #1a2030; }
+  .updated { color: #678; font-size: 11px; }
+  .refresh { background: #4af; color: #fff; border: none; padding: 4px 12px; border-radius: 4px; cursor: pointer; }
+</style>
+</head>
+<body>
+<h1>RINET KPI Dashboard <span class="updated" id="updated"></span> <button class="refresh" onclick="load()">↻</button></h1>
+<div id="root">Loading...</div>
+
+<script>
+async function load() {
+  document.getElementById('updated').textContent = '...';
+  try {
+    const r = await fetch('/admin/api/kpi');
+    const d = await r.json();
+    
+    if (d.error) {
+      document.getElementById('root').innerHTML = '<div class="card bad">Error: ' + d.error + '</div>';
+      return;
+    }
+    
+    const haluClass = d.queries.halu_pct > 5 ? 'bad' : d.queries.halu_pct > 1 ? 'warn' : 'good';
+    const clusterTotal = Object.values(d.cluster).reduce((a,b)=>a+b, 0);
+    const clusterUnhealthy = Object.entries(d.cluster).filter(([s,n]) => !['healthy','skipped'].includes(s)).reduce((a,[s,n])=>a+n, 0);
+    const clusterClass = clusterUnhealthy > 0 ? 'bad' : 'good';
+    const incClass = d.open_incidents > 0 ? 'warn' : 'good';
+    const embClass = d.knowledge.embed_pct >= 99 ? 'good' : d.knowledge.embed_pct >= 95 ? 'warn' : 'bad';
+    
+    let html = `
+      <h2>Queries (Production)</h2>
+      <div class="grid">
+        <div class="card good"><div class="label">Last 1h</div><div class="value">${d.queries.h1}</div></div>
+        <div class="card good"><div class="label">Last 24h</div><div class="value">${d.queries.h24}</div></div>
+        <div class="card ${haluClass}"><div class="label">Halucinacije 24h</div><div class="value">${d.queries.halucinacije_h24}</div><div class="sub">${d.queries.halu_pct}%</div></div>
+        <div class="card good"><div class="label">Avg latency</div><div class="value">${d.queries.avg_latency_sec}s</div></div>
+        <div class="card good"><div class="label">Avg confidence</div><div class="value">${d.queries.avg_confidence}</div></div>
+      </div>
+      
+      <h2>Knowledge Base</h2>
+      <div class="grid">
+        <div class="card good"><div class="label">Total facts</div><div class="value">${d.knowledge.total.toLocaleString()}</div></div>
+        <div class="card good"><div class="label">Added 1h / 24h</div><div class="value">+${d.knowledge.added_h1} / +${d.knowledge.added_h24}</div></div>
+        <div class="card ${embClass}"><div class="label">Embed coverage</div><div class="value">${d.knowledge.embed_pct}%</div><div class="sub">${d.knowledge.embed_pending} pending</div></div>
+        <div class="card good"><div class="label">Training Q&A</div><div class="value">${d.training.total.toLocaleString()}</div><div class="sub">+${d.training.added_h24} / 24h, ${d.training.from_capture} from capture</div></div>
+      </div>
+      
+      <h2>Cluster Health</h2>
+      <div class="grid">
+        <div class="card ${clusterClass}"><div class="label">Healthy</div><div class="value">${d.cluster.healthy || 0} / ${clusterTotal}</div></div>
+        <div class="card ${incClass}"><div class="label">Open incidents</div><div class="value">${d.open_incidents}</div></div>
+        <div class="card good"><div class="label">Skipped</div><div class="value">${d.cluster.skipped || 0}</div><div class="sub">PG/Redis/cold by design</div></div>
+        <div class="card ${clusterUnhealthy>0?'bad':'good'}"><div class="label">Unhealthy</div><div class="value">${clusterUnhealthy}</div></div>
+      </div>
+      
+      <h2>Top Sources (24h scrape)</h2>
+      <table>
+        <tr><th>Source</th><th>Count</th></tr>
+        ${d.top_sources_h24.map(s => `<tr><td>${s.source}</td><td>${s.count.toLocaleString()}</td></tr>`).join('')}
+      </table>
+      
+      <h2>Top Models (24h)</h2>
+      <table>
+        <tr><th>Model</th><th>Calls</th><th>Avg latency</th></tr>
+        ${d.top_models_h24.map(m => `<tr><td>${m.model || '-'}</td><td>${m.count}</td><td>${m.avg_latency}s</td></tr>`).join('')}
+      </table>
+    `;
+    
+    document.getElementById('root').innerHTML = html;
+    document.getElementById('updated').textContent = new Date().toLocaleTimeString();
+  } catch (e) {
+    document.getElementById('root').innerHTML = '<div class="card bad">Network error: ' + e.message + '</div>';
+  }
+}
+
+load();
+setInterval(load, 30000); // 30s refresh
+</script>
+</body>
+</html>
diff --git a/_backups/login.html.cc3_pre_unified_sidebar.1777935999 b/_backups/login.html.cc3_pre_unified_sidebar.1777935999
new file mode 100644
index 0000000..8cfde49
--- /dev/null
+++ b/_backups/login.html.cc3_pre_unified_sidebar.1777935999
@@ -0,0 +1,562 @@
+<!DOCTYPE html>
+<html lang="hr">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width,initial-scale=1">
+<title>PGŽ Sport · Prijava</title>
+<link rel="icon" href="data:image/svg+xml,<svg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 32 32'><rect width='32' height='32' rx='6' fill='%2306080d'/><text x='16' y='23' text-anchor='middle' font-size='18' font-family='monospace' fill='%2300f0ff'>P</text></svg>">
+<link rel="preconnect" href="https://fonts.googleapis.com">
+<link href="https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600;700&family=JetBrains+Mono:wght@400;500;600&display=swap" rel="stylesheet">
+<style>
+:root {
+  --bg: #06080d;
+  --bg-2: #0d1117;
+  --bg-3: #161b22;
+  --border: #1f2937;
+  --text: #e6edf3;
+  --text-2: #8b949e;
+  --text-3: #6e7681;
+  --accent: #00f0ff;
+  --accent-2: #00b8d4;
+  --green: #56d364;
+  --red: #f85149;
+  --yellow: #d29922;
+}
+* { margin: 0; padding: 0; box-sizing: border-box; }
+html, body {
+  font-family: 'Inter', system-ui, sans-serif;
+  background: var(--bg);
+  color: var(--text);
+  min-height: 100vh;
+  font-size: 14px;
+  line-height: 1.5;
+}
+body {
+  display: grid;
+  grid-template-columns: 1fr 1fr;
+  min-height: 100vh;
+}
+@media (max-width: 900px) {
+  body { grid-template-columns: 1fr; }
+  .left { display: none; }
+}
+.left {
+  background:
+    radial-gradient(ellipse at 30% 20%, rgba(0,240,255,0.08), transparent 60%),
+    radial-gradient(ellipse at 70% 80%, rgba(188,140,255,0.05), transparent 60%),
+    linear-gradient(180deg, var(--bg) 0%, var(--bg-2) 100%);
+  border-right: 1px solid var(--border);
+  padding: 56px;
+  display: flex;
+  flex-direction: column;
+  justify-content: space-between;
+  position: relative;
+  overflow: hidden;
+}
+.left::before {
+  content: '';
+  position: absolute; inset: 0;
+  background-image:
+    linear-gradient(rgba(0,240,255,0.04) 1px, transparent 1px),
+    linear-gradient(90deg, rgba(0,240,255,0.04) 1px, transparent 1px);
+  background-size: 40px 40px;
+  mask: radial-gradient(ellipse at center, black 30%, transparent 80%);
+  pointer-events: none;
+}
+.brand {
+  position: relative; z-index: 1;
+  display: flex; align-items: center; gap: 14px;
+}
+.brand-mark {
+  width: 48px; height: 48px;
+  background: var(--accent);
+  border-radius: 8px;
+  display: grid; place-items: center;
+  color: var(--bg);
+  font-weight: 700; font-size: 22px;
+  font-family: 'JetBrains Mono', monospace;
+  box-shadow: 0 0 24px rgba(0,240,255,0.3);
+}
+.brand-text h1 {
+  font-size: 20px; font-weight: 700; letter-spacing: 0.5px;
+}
+.brand-text .sub {
+  font-size: 12px; color: var(--text-3);
+  font-family: 'JetBrains Mono', monospace;
+}
+.hero { position: relative; z-index: 1; max-width: 460px; }
+.hero h2 {
+  font-size: 36px; font-weight: 700;
+  line-height: 1.15;
+  margin-bottom: 18px;
+  letter-spacing: -0.5px;
+}
+.hero h2 span { color: var(--accent); }
+.hero p {
+  color: var(--text-2);
+  font-size: 15px;
+  line-height: 1.6;
+  margin-bottom: 28px;
+}
+.features {
+  display: grid; gap: 12px;
+}
+.feat {
+  display: flex; gap: 12px;
+  font-size: 13px; color: var(--text-2);
+}
+.feat .ico {
+  width: 22px; height: 22px;
+  border-radius: 4px;
+  background: rgba(0,240,255,0.1);
+  color: var(--accent);
+  display: grid; place-items: center;
+  font-size: 12px; font-weight: 700;
+  flex-shrink: 0;
+}
+.footer-left {
+  position: relative; z-index: 1;
+  font-size: 11px; color: var(--text-3);
+  font-family: 'JetBrains Mono', monospace;
+}
+
+.right {
+  display: flex; align-items: center; justify-content: center;
+  padding: 40px;
+}
+.card {
+  width: 100%;
+  max-width: 380px;
+  background: var(--bg-2);
+  border: 1px solid var(--border);
+  border-radius: 12px;
+  padding: 36px 32px;
+  box-shadow: 0 20px 60px rgba(0,0,0,0.4);
+}
+.card h3 {
+  font-size: 22px;
+  font-weight: 700;
+  margin-bottom: 6px;
+}
+.card .lead {
+  color: var(--text-3);
+  font-size: 13px;
+  margin-bottom: 28px;
+}
+.field {
+  margin-bottom: 14px;
+}
+.field label {
+  display: block;
+  font-size: 11px;
+  color: var(--text-3);
+  text-transform: uppercase;
+  letter-spacing: 0.7px;
+  margin-bottom: 6px;
+  font-weight: 600;
+}
+.field input {
+  width: 100%;
+  background: var(--bg);
+  border: 1px solid var(--border);
+  color: var(--text);
+  padding: 12px 14px;
+  border-radius: 6px;
+  font-family: inherit;
+  font-size: 14px;
+  transition: border-color 0.15s, box-shadow 0.15s;
+}
+.field input:focus {
+  outline: none;
+  border-color: var(--accent);
+  box-shadow: 0 0 0 3px rgba(0,240,255,0.12);
+}
+.row {
+  display: flex; justify-content: space-between; align-items: center;
+  margin: 14px 0 22px;
+  font-size: 12px;
+}
+.row label {
+  display: flex; align-items: center; gap: 6px;
+  color: var(--text-2);
+  cursor: pointer;
+}
+.row label input { accent-color: var(--accent); }
+.row a { color: var(--accent); text-decoration: none; }
+.row a:hover { text-decoration: underline; }
+
+.btn {
+  width: 100%;
+  background: var(--accent);
+  color: var(--bg);
+  border: 0;
+  padding: 12px;
+  border-radius: 6px;
+  font-family: inherit;
+  font-size: 14px;
+  font-weight: 600;
+  cursor: pointer;
+  letter-spacing: 0.3px;
+  transition: background 0.15s, transform 0.05s;
+}
+.btn:hover:not(:disabled) { background: var(--accent-2); }
+.btn:active:not(:disabled) { transform: translateY(1px); }
+.btn:disabled { opacity: 0.6; cursor: not-allowed; }
+.btn .spinner {
+  display: inline-block;
+  width: 14px; height: 14px;
+  border: 2px solid rgba(0,0,0,0.25);
+  border-top-color: var(--bg);
+  border-radius: 50%;
+  animation: spin 0.8s linear infinite;
+  vertical-align: -3px;
+  margin-right: 6px;
+}
+@keyframes spin { to { transform: rotate(360deg); } }
+
+.alert {
+  background: rgba(248,81,73,0.1);
+  border: 1px solid rgba(248,81,73,0.4);
+  color: #ffb4af;
+  padding: 10px 12px;
+  border-radius: 6px;
+  font-size: 13px;
+  margin-bottom: 16px;
+  display: none;
+}
+.alert.show { display: block; }
+.alert.success {
+  background: rgba(86,211,100,0.1);
+  border-color: rgba(86,211,100,0.4);
+  color: #b6f0bd;
+}
+
+.divider {
+  display: flex; align-items: center; gap: 12px;
+  margin: 18px 0;
+  color: var(--text-3);
+  font-size: 11px;
+  text-transform: uppercase;
+  letter-spacing: 1px;
+}
+.divider::before, .divider::after {
+  content: '';
+  flex: 1;
+  height: 1px;
+  background: var(--border);
+}
+
+.demo {
+  background: var(--bg-3);
+  border: 1px dashed var(--border);
+  border-radius: 6px;
+  padding: 10px 12px;
+  font-size: 11px;
+  color: var(--text-2);
+  font-family: 'JetBrains Mono', monospace;
+  cursor: pointer;
+  transition: border-color 0.15s;
+}
+.demo:hover { border-color: var(--accent); color: var(--text); }
+.demo strong { color: var(--accent); }
+
+.footer-right {
+  text-align: center;
+  margin-top: 22px;
+  font-size: 11px;
+  color: var(--text-3);
+}
+.footer-right a {
+  color: var(--text-2);
+  text-decoration: none;
+  margin: 0 6px;
+}
+.footer-right a:hover { color: var(--accent); }
+
+/* Cookie banner */
+.cookie {
+  position: fixed;
+  bottom: 16px; left: 16px; right: 16px;
+  max-width: 600px;
+  margin: 0 auto;
+  background: var(--bg-2);
+  border: 1px solid var(--border);
+  border-radius: 10px;
+  padding: 16px 20px;
+  display: none;
+  z-index: 1000;
+  box-shadow: 0 12px 40px rgba(0,0,0,0.5);
+}
+.cookie.show { display: block; }
+.cookie h4 { font-size: 14px; margin-bottom: 6px; }
+.cookie p { font-size: 12px; color: var(--text-2); margin-bottom: 12px; }
+.cookie-actions { display: flex; gap: 8px; flex-wrap: wrap; }
+.cookie-actions button {
+  background: transparent;
+  border: 1px solid var(--border);
+  color: var(--text-2);
+  padding: 6px 14px;
+  border-radius: 5px;
+  font-family: inherit;
+  font-size: 12px;
+  cursor: pointer;
+}
+.cookie-actions button.primary {
+  background: var(--accent);
+  border-color: var(--accent);
+  color: var(--bg);
+  font-weight: 600;
+}
+.cookie-actions button:hover { color: var(--text); border-color: var(--accent); }
+.cookie a { color: var(--accent); text-decoration: none; }
+</style>
+</head>
+<body>
+
+<div class="left">
+  <div class="brand">
+    <div class="brand-mark">P</div>
+    <div class="brand-text">
+      <h1>PGŽ Sport</h1>
+      <div class="sub">ERP/CRM Platforma</div>
+    </div>
+  </div>
+  <div class="hero">
+    <h2>Operativna platforma <span>za sport</span> u Primorsko-goranskoj županiji.</h2>
+    <p>Jedinstvena baza klubova, saveza i sportaša. Računovodstvo, članarine, liječnički pregledi, sufinanciranja — sve na jednom mjestu.</p>
+    <div class="features">
+      <div class="feat"><div class="ico">✓</div><div>Multi-tenant arhitektura — PGŽ, savezi, klubovi sa svojim view-om</div></div>
+      <div class="feat"><div class="ico">✓</div><div>OCR za račune, automatska ekstrakcija polja, putni nalozi</div></div>
+      <div class="feat"><div class="ico">✓</div><div>Članarine s HUB-3 uplatnicama i blockchain audit log</div></div>
+      <div class="feat"><div class="ico">✓</div><div>GDPR-compliant (Art. 17, 20) · 2FA · audit svih akcija</div></div>
+    </div>
+  </div>
+  <div class="footer-left">
+    PGŽ ODJEL ZA SPORT · v3.0 · 2026
+  </div>
+</div>
+
+<div class="right">
+  <div class="card">
+    <h3>Prijava</h3>
+    <div class="lead">Unesite svoje podatke za pristup platformi.</div>
+
+    <div id="alert" class="alert"></div>
+
+    <form id="loginForm" autocomplete="on">
+      <div class="field">
+        <label for="email">E-mail</label>
+        <input type="email" id="email" name="email" required autocomplete="username" placeholder="ime.prezime@pgz.hr">
+      </div>
+      <div class="field">
+        <label for="password">Lozinka</label>
+        <input type="password" id="password" name="password" required autocomplete="current-password" placeholder="••••••••">
+      </div>
+      <div class="field" id="totpField" style="display:none">
+        <label for="totp">Kod autentifikatora (2FA)</label>
+        <input type="text" id="totp" name="totp" inputmode="numeric" pattern="[0-9 ]*" autocomplete="one-time-code" placeholder="123456" maxlength="8" style="font-family:'JetBrains Mono',monospace;letter-spacing:4px;text-align:center;font-size:18px">
+      </div>
+      <div class="row">
+        <label><input type="checkbox" id="remember" checked> Zapamti me</label>
+        <a href="#" id="forgotLink">Zaboravljena lozinka?</a>
+      </div>
+      <button type="submit" class="btn" id="submitBtn">Prijavi se</button>
+    </form>
+
+    <div class="divider">Demo računi</div>
+    <div style="display:grid;gap:8px">
+      <div class="demo" data-email="damir@pgz.hr" data-pwd="PGZ2026!">
+        <strong>PGŽ admin</strong> · damir@pgz.hr / PGZ2026!
+      </div>
+      <div class="demo" data-email="pero@atletika.pgz.hr" data-pwd="PGZ2026!">
+        <strong>Savez admin</strong> · pero@atletika.pgz.hr
+      </div>
+      <div class="demo" data-email="ana@akkvarner.hr" data-pwd="PGZ2026!">
+        <strong>Klub admin</strong> · ana@akkvarner.hr
+      </div>
+    </div>
+
+    <div class="footer-right">
+      <a href="/sport2.html">Javni portal</a>
+      ·
+      <a href="#" id="privacyLink">Politika privatnosti</a>
+      ·
+      <a href="#" id="cookieLink">Kolačići</a>
+    </div>
+  </div>
+</div>
+
+<!-- GDPR cookie consent -->
+<div id="cookie" class="cookie">
+  <h4>🍪 Kolačići</h4>
+  <p>Koristimo nužne kolačiće za prijavu i sigurnost sesije. Po vašem odobrenju koristimo i analitičke kolačiće za poboljšanje platforme. <a href="#" id="cookieMore">Više…</a></p>
+  <div class="cookie-actions">
+    <button class="primary" id="cookieAccept">Prihvati sve</button>
+    <button id="cookieNecessary">Samo nužni</button>
+    <button id="cookieReject">Odbij sve</button>
+  </div>
+</div>
+
+<script>
+const API = '/api';
+const $ = s => document.querySelector(s);
+
+// ---------- Login ----------
+function showAlert(msg, type) {
+  const a = $('#alert');
+  a.textContent = msg;
+  a.className = 'alert show' + (type === 'success' ? ' success' : '');
+  if (type === 'success') {
+    setTimeout(() => a.classList.remove('show'), 3000);
+  }
+}
+
+async function doLogin(email, password, totp) {
+  const btn = $('#submitBtn');
+  btn.disabled = true;
+  btn.innerHTML = '<span class="spinner"></span>Prijavljujem…';
+  try {
+    const body = { email, password };
+    if (totp) body.totp = totp;
+    const r = await fetch(API + '/auth/login', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify(body)
+    });
+    const data = await r.json();
+    if (!r.ok) {
+      if (r.status === 401 && (data.detail === '2FA_REQUIRED' || /2FA/i.test(data.detail||''))) {
+        // Show TOTP field and stop
+        $('#totpField').style.display = '';
+        $('#totp').focus();
+        showAlert('Unesite kod iz autentifikatora.');
+      } else {
+        showAlert(data.detail || 'Neispravni podaci');
+      }
+      btn.disabled = false;
+      btn.textContent = 'Prijavi se';
+      return;
+    }
+    // Store tokens
+    const store = $('#remember').checked ? localStorage : sessionStorage;
+    store.setItem('pgz_access',  data.access_token);
+    store.setItem('pgz_refresh', data.refresh_token);
+    store.setItem('pgz_user',    JSON.stringify(data.user));
+    showAlert('Prijava uspješna. Preusmjeravam…', 'success');
+    // Redirect by role
+    setTimeout(() => {
+      const role = (data.user.role || '').toLowerCase();
+      if (['super_admin','pgz_admin','pgz_user','pgz_finance','pgz_zzjz',
+           'savez_admin','savez_user','klub_admin','klub_user','klub_trener'].includes(role)) {
+        
+        // Smart redirect po roli
+        const role = data.user.role;
+        const redirectMap = {
+          'pgz_admin': '/app',
+          'savez_admin': '/app',
+          'klub_admin': '/app',
+          'super_admin': '/admin'
+        };
+        location.href = redirectMap[role] || '/app';
+
+      } else {
+        location.href = '/';
+      }
+    }, 600);
+  } catch (e) {
+    showAlert('Greška mreže: ' + e.message);
+    btn.disabled = false;
+    btn.textContent = 'Prijavi se';
+  }
+}
+
+$('#loginForm').addEventListener('submit', e => {
+  e.preventDefault();
+  const email = $('#email').value.trim().toLowerCase();
+  const pwd   = $('#password').value;
+  const totp  = ($('#totp').value || '').trim().replace(/\s/g,'') || null;
+  if (!email || !pwd) return;
+  doLogin(email, pwd, totp);
+});
+
+document.querySelectorAll('.demo').forEach(el => {
+  el.addEventListener('click', () => {
+    $('#email').value    = el.dataset.email;
+    $('#password').value = el.dataset.pwd;
+    $('#email').focus();
+  });
+});
+
+$('#forgotLink').addEventListener('click', async e => {
+  e.preventDefault();
+  const email = ($('#email').value || prompt('Unesite e-mail:') || '').trim().toLowerCase();
+  if (!email) return;
+  try {
+    const r = await fetch(API + '/auth/password/reset', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ email })
+    });
+    const data = await r.json();
+    showAlert(data.message || 'Zahtjev poslan administratoru.', 'success');
+  } catch (err) {
+    showAlert('Greška: ' + err.message);
+  }
+});
+
+// ---------- Cookie consent ----------
+const consentKey = 'pgz_consent';
+function showConsent() {
+  if (!localStorage.getItem(consentKey)) {
+    $('#cookie').classList.add('show');
+  }
+}
+async function saveConsent(necessary, analytics, marketing) {
+  const session_id = localStorage.getItem('pgz_session_id') ||
+    (() => { const s = crypto.randomUUID(); localStorage.setItem('pgz_session_id', s); return s; })();
+  localStorage.setItem(consentKey, JSON.stringify({ necessary, analytics, marketing, ts: Date.now() }));
+  $('#cookie').classList.remove('show');
+  try {
+    await fetch(API + '/gdpr/consent', {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify({ necessary, analytics, marketing, session_id })
+    });
+  } catch {}
+}
+$('#cookieAccept').addEventListener('click',    () => saveConsent(true, true, true));
+$('#cookieNecessary').addEventListener('click', () => saveConsent(true, false, false));
+$('#cookieReject').addEventListener('click',    () => saveConsent(true, false, false));
+$('#cookieLink').addEventListener('click', e => { e.preventDefault(); localStorage.removeItem(consentKey); showConsent(); });
+$('#privacyLink').addEventListener('click', async e => {
+  e.preventDefault();
+  try {
+    const r = await fetch(API + '/gdpr/policy');
+    const d = await r.json();
+    alert('PGŽ Sport — Politika privatnosti v' + d.version +
+      '\n\nKontroler: ' + d.controller +
+      '\nKontakt: ' + d.contact +
+      '\nDPO: ' + d.dpo +
+      '\n\nVaša prava:\n' + d.rights.join('\n'));
+  } catch {}
+});
+$('#cookieMore').addEventListener('click', e => { e.preventDefault(); $('#privacyLink').click(); });
+
+// Skip login if already authenticated
+(async () => {
+  const tok = localStorage.getItem('pgz_access') || sessionStorage.getItem('pgz_access');
+  if (tok) {
+    try {
+      const r = await fetch(API + '/auth/me', { headers: { Authorization: 'Bearer ' + tok }});
+      if (r.ok) {
+        location.href = '/app';
+        return;
+      }
+    } catch {}
+  }
+  showConsent();
+  $('#email').focus();
+})();
+</script>
+</body>
+</html>
diff --git a/_backups/r3_cc4/erp.html.pre_R5.1777937137 b/_backups/r3_cc4/erp.html.pre_R5.1777937137
new file mode 100644
index 0000000..8a545a3
--- /dev/null
+++ b/_backups/r3_cc4/erp.html.pre_R5.1777937137
@@ -0,0 +1,858 @@
+<!DOCTYPE html>
+<html lang="hr">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width,initial-scale=1">
+<title>PGŽ Sport · ERP — OCR + Putni nalozi</title>
+<!--
+  erp.html — PGŽ Sport ERP UI (M5 OCR + M6 Putni nalozi)
+  Author: dradulic@outlook.com / damir@rinet.one — 2026-05-04
+  Real backend: /api/erp/ocr/upload, /parse, /invoices, /putni-nalog
+-->
+<link rel="icon" href="data:image/svg+xml,<svg xmlns='http://www.w3.org/2000/svg' viewBox='0 0 32 32'><rect width='32' height='32' rx='6' fill='%2306080d'/><text x='16' y='23' text-anchor='middle' font-size='18' font-family='monospace' fill='%2300f0ff'>€</text></svg>">
+<link href="https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600;700&family=JetBrains+Mono:wght@400;500;600&display=swap" rel="stylesheet">
+<style>
+:root {
+  --bg:#06080d; --bg-2:#0d1117; --bg-3:#161b22; --border:#1f2937;
+  --text:#e6edf3; --text-2:#8b949e; --text-3:#6e7681;
+  --accent:#00f0ff; --green:#56d364; --yellow:#d29922; --red:#f85149; --purple:#bc8cff;
+}
+* { margin:0; padding:0; box-sizing:border-box; }
+body { font-family:'Inter',system-ui,sans-serif; background:var(--bg); color:var(--text); min-height:100vh; font-size:14px; }
+.app { display:grid; grid-template-columns:230px 1fr; min-height:100vh; }
+.sidebar { background:var(--bg-2); border-right:1px solid var(--border); padding:20px 0; }
+.brand { padding:0 20px 18px; border-bottom:1px solid var(--border); margin-bottom:10px; }
+.brand h1 { font-size:16px; font-weight:700; color:var(--accent); font-family:'JetBrains Mono',monospace; }
+.brand .sub { font-size:11px; color:var(--text-3); margin-top:2px; }
+.nav-item { display:flex; gap:10px; padding:10px 20px; cursor:pointer; color:var(--text-2); font-size:13px; border-left:3px solid transparent; align-items:center; }
+.nav-item:hover { background:var(--bg-3); color:var(--text); }
+.nav-item.active { color:var(--accent); background:rgba(0,240,255,.05); border-left-color:var(--accent); }
+.main { padding:24px 30px; overflow-y:auto; }
+.header { display:flex; justify-content:space-between; padding-bottom:14px; border-bottom:1px solid var(--border); margin-bottom:18px; align-items:center; }
+.header h2 { font-size:22px; font-weight:700; }
+.header .meta { color:var(--text-3); font-size:12px; font-family:'JetBrains Mono',monospace; }
+.section { background:var(--bg-2); border:1px solid var(--border); border-radius:8px; padding:18px; margin-bottom:16px; }
+.section h3 { font-size:14px; font-weight:600; color:var(--accent); margin-bottom:12px; }
+table { width:100%; border-collapse:collapse; font-size:13px; }
+th { text-align:left; padding:8px 10px; color:var(--text-3); font-size:11px; text-transform:uppercase; letter-spacing:.5px; border-bottom:1px solid var(--border); }
+td { padding:10px; border-bottom:1px solid var(--border); }
+td.num { font-family:'JetBrains Mono',monospace; text-align:right; }
+tr:hover { background:var(--bg-3); }
+.badge { display:inline-block; padding:2px 8px; border-radius:4px; font-size:11px; font-weight:600; }
+.badge.green { background:rgba(86,211,100,.15); color:var(--green); }
+.badge.yellow { background:rgba(210,153,34,.15); color:var(--yellow); }
+.badge.red { background:rgba(248,81,73,.15); color:var(--red); }
+.badge.gray { background:rgba(110,118,129,.15); color:var(--text-3); }
+input.fld, select.fld { width:100%; background:var(--bg); border:1px solid var(--border); padding:8px 10px; border-radius:4px; color:var(--text); font-family:inherit; font-size:13px; }
+input.fld:focus, select.fld:focus { outline:none; border-color:var(--accent); }
+label.lbl { font-size:11px; color:var(--text-3); display:block; margin-bottom:4px; text-transform:uppercase; letter-spacing:.5px; }
+.btn { padding:9px 18px; background:var(--accent); color:var(--bg); border:0; border-radius:4px; cursor:pointer; font-weight:600; font-family:inherit; font-size:13px; }
+.btn.sec { background:var(--bg-3); color:var(--text); border:1px solid var(--border); }
+.tab { display:none; }
+.tab.active { display:block; }
+.grid2 { display:grid; grid-template-columns:1fr 1fr; gap:10px; }
+.grid3 { display:grid; grid-template-columns:1fr 1fr 1fr; gap:10px; }
+.grid4 { display:grid; grid-template-columns:repeat(4,1fr); gap:14px; }
+tr.clickable { cursor:pointer; }
+tr.clickable:hover { background:var(--bg-3); box-shadow:inset 3px 0 0 var(--accent); }
+.modal-bg { position:fixed; inset:0; background:rgba(0,0,0,.6); z-index:100; display:none; align-items:flex-start; justify-content:center; padding:30px; overflow-y:auto; }
+.modal-bg.show { display:flex; }
+.modal { background:var(--bg-2); border:1px solid var(--border); border-radius:10px; max-width:1100px; width:100%; padding:0; box-shadow:0 12px 48px rgba(0,0,0,.6); }
+.modal-h { display:flex; justify-content:space-between; align-items:center; padding:16px 22px; border-bottom:1px solid var(--border); }
+.modal-h h3 { color:var(--accent); font-size:16px; }
+.modal-h .x { background:transparent; border:0; color:var(--text-2); font-size:22px; cursor:pointer; }
+.modal-h .x:hover { color:var(--red); }
+.modal-body { padding:18px 22px; max-height:80vh; overflow-y:auto; }
+.col2 { display:grid; grid-template-columns:1fr 1fr; gap:18px; }
+.kv { display:grid; grid-template-columns:140px 1fr; gap:6px 12px; font-size:13px; }
+.kv > div:nth-child(odd) { color:var(--text-3); font-size:11px; text-transform:uppercase; letter-spacing:.5px; align-self:center; }
+.kv > div:nth-child(even) { font-family:'JetBrains Mono',monospace; }
+.preview-img { max-width:100%; max-height:480px; border:1px solid var(--border); border-radius:6px; background:var(--bg); }
+.audit-row { display:grid; grid-template-columns:140px 110px 130px 1fr; gap:8px; padding:6px 0; border-bottom:1px dashed var(--border); font-size:12px; }
+.audit-row:last-child { border-bottom:0; }
+.audit-row .ts { color:var(--text-3); font-family:'JetBrains Mono',monospace; font-size:11px; }
+.audit-row .op { color:var(--accent); font-weight:600; }
+.audit-row .who { color:var(--text-2); }
+.btn.green { background:var(--green); color:var(--bg); }
+.btn.red { background:var(--red); color:#fff; }
+.btn.yellow { background:var(--yellow); color:var(--bg); }
+.actions-row { display:flex; flex-wrap:wrap; gap:8px; margin-top:14px; padding-top:14px; border-top:1px solid var(--border); }
+@media(max-width:768px) { .app { grid-template-columns:1fr; } .sidebar { display:none; } .grid2,.grid3 { grid-template-columns:1fr; } .col2 { grid-template-columns:1fr; } .audit-row { grid-template-columns:1fr; } }
+</style>
+</head>
+<body>
+<div class="app">
+  <aside class="sidebar">
+    <div class="brand"><h1>PGŽ ERP</h1><div class="sub">M5 OCR + M6 Putni nalozi</div></div>
+    <div class="nav-item active" data-tab="ocr"><span>📷</span><span>Skeniraj račun</span></div>
+    <div class="nav-item" data-tab="invoices"><span>€</span><span>Računi</span></div>
+    <div class="nav-item" data-tab="putni"><span>🚗</span><span>Novi putni nalog</span></div>
+    <div class="nav-item" data-tab="putni-list"><span>📋</span><span>Lista putnih naloga</span></div>
+
+    <div style="padding:14px 20px 4px;font-size:9.5px;color:var(--text-2);text-transform:uppercase;letter-spacing:1.2px;font-weight:700">Portali</div>
+    <a class="nav-item" href="/sport/login" style="text-decoration:none"><span>🔑</span><span>Prijava</span></a>
+    <a class="nav-item" href="/sport/app" style="text-decoration:none"><span>📱</span><span>Aplikacija</span></a>
+    <a class="nav-item" href="/sport/admin" style="text-decoration:none"><span>🛡</span><span>Administracija</span></a>
+    <a class="nav-item" href="/sport/crm" style="text-decoration:none"><span>👥</span><span>CRM</span></a>
+    <a class="nav-item active" href="/sport/erp" style="text-decoration:none"><span>💰</span><span>ERP</span></a>
+    <a class="nav-item" href="/sport/kpi" style="text-decoration:none"><span>📈</span><span>KPI</span></a>
+    <a class="nav-item" href="/sport/audit" style="text-decoration:none"><span>📋</span><span>Audit</span></a>
+    <a class="nav-item" href="/sport/static/sport2.html" target="_blank" style="text-decoration:none"><span>🌐</span><span>Public portal</span></a>
+  </aside>
+  <main class="main">
+    <div class="header">
+      <h2 id="pageTitle">Skeniraj račun (OCR)</h2>
+      <span class="meta" id="metaInfo">Tesseract + Ri.NET AI Engine · /api/erp</span>
+    </div>
+
+    <!-- OCR -->
+    <div class="tab active" id="tab-ocr">
+      <div class="section">
+        <h3>📷 Drag-and-drop OCR (PDF / JPG / PNG)</h3>
+        <div id="ocrDrop" style="border:2px dashed var(--border);border-radius:8px;padding:34px;text-align:center;cursor:pointer;background:var(--bg-3)">
+          <div style="font-size:36px;color:var(--accent);margin-bottom:6px">⤓</div>
+          <div style="font-size:14px;font-weight:600">Povuci datoteku ovdje ili klikni za odabir</div>
+          <div style="font-size:11px;color:var(--text-3);margin-top:6px">Tesseract OCR (hrv+eng) + Ri.NET AI Engine LLM ekstrakcija polja</div>
+          <input id="ocrFile" type="file" accept=".pdf,.jpg,.jpeg,.png,.tif,.tiff,.webp" style="display:none">
+        </div>
+        <div id="ocrStatus" style="margin-top:10px;font-size:12px;color:var(--text-2);min-height:18px"></div>
+
+        <div id="ocrResult" style="display:none;margin-top:14px;padding:14px;background:var(--bg-3);border-radius:6px;border:1px solid var(--border)">
+          <div class="grid2" style="font-size:13px">
+            <div><label class="lbl">Izdavatelj</label><input id="oc_vendor_name" class="fld"></div>
+            <div><label class="lbl">OIB izdavatelja</label><input id="oc_vendor_oib" class="fld"></div>
+            <div><label class="lbl">Broj računa</label><input id="oc_invoice_no" class="fld"></div>
+            <div><label class="lbl">Datum</label><input id="oc_invoice_date" type="date" class="fld"></div>
+            <div><label class="lbl">Iznos neto (€)</label><input id="oc_amount_net" type="number" step="0.01" class="fld"></div>
+            <div><label class="lbl">PDV (€)</label><input id="oc_amount_vat" type="number" step="0.01" class="fld"></div>
+            <div><label class="lbl" style="color:var(--accent)">Brutto / UKUPNO (€)</label><input id="oc_amount_gross" type="number" step="0.01" class="fld" style="border-color:var(--accent)"></div>
+            <div><label class="lbl">Stopa PDV (%)</label><input id="oc_vat_rate" type="number" step="0.01" class="fld"></div>
+            <div><label class="lbl">IBAN</label><input id="oc_iban" class="fld"></div>
+            <div><label class="lbl">Valuta</label><select id="oc_currency" class="fld"><option>EUR</option><option>HRK</option></select></div>
+            <div><label class="lbl">Vrsta troška</label>
+              <select id="oc_kind" class="fld">
+                <option value="gorivo">Gorivo</option><option value="cestarina">Cestarina</option>
+                <option value="hotel">Hotel</option><option value="restoran">Restoran</option>
+                <option value="oprema">Oprema</option><option value="ostalo" selected>Ostalo</option>
+              </select>
+            </div>
+            <div><label class="lbl">Klub</label><select id="oc_klub" class="fld"></select></div>
+          </div>
+          <div style="margin-top:10px"><label class="lbl">Opis</label><input id="oc_description" class="fld"></div>
+          <details style="margin-top:10px"><summary style="cursor:pointer;font-size:12px;color:var(--text-3)">Sirovi OCR tekst (preview)</summary>
+            <pre id="oc_raw" style="font-size:11px;background:var(--bg);padding:10px;border-radius:4px;margin-top:6px;max-height:200px;overflow:auto;white-space:pre-wrap"></pre>
+          </details>
+          <div style="margin-top:14px;display:flex;gap:8px;align-items:center">
+            <button id="ocSave" class="btn">💾 Spremi račun</button>
+            <button id="ocCancel" class="btn sec">Odustani</button>
+            <span id="ocSaveStatus" style="font-size:12px;color:var(--text-3)"></span>
+          </div>
+        </div>
+      </div>
+    </div>
+
+    <!-- Invoices list -->
+    <div class="tab" id="tab-invoices">
+      <div class="section">
+        <h3>Računi (svi klubovi)</h3>
+        <table id="invTable"><thead><tr><th>#</th><th>Vrsta</th><th>Broj</th><th>Dobavljač</th><th>OIB</th><th>Klub</th><th class="num">Brutto</th><th>Status</th><th>Datum</th></tr></thead><tbody></tbody></table>
+      </div>
+    </div>
+
+    <!-- Putni nalog form -->
+    <div class="tab" id="tab-putni">
+      <div class="section">
+        <h3>🚗 Novi putni nalog (HR pravilnik 2025)</h3>
+        <div class="grid3" style="font-size:13px">
+          <div><label class="lbl">Klub</label><select id="pn_klub" class="fld"></select></div>
+          <div><label class="lbl">Voditelj</label><input id="pn_voditelj" class="fld" placeholder="Ime Prezime"></div>
+          <div><label class="lbl">Putnici (zarez)</label><input id="pn_putnici" class="fld"></div>
+          <div style="grid-column:span 3"><label class="lbl">Svrha putovanja</label><input id="pn_svrha" class="fld" placeholder="Natjecanje, treninzi, edukacija…"></div>
+          <div><label class="lbl">Od grada</label><input id="pn_od" class="fld" value="Rijeka"></div>
+          <div><label class="lbl">Do grada</label><input id="pn_do" class="fld"></div>
+          <div><label class="lbl">Zemlja</label><input id="pn_country" class="fld" value="Hrvatska"></div>
+          <div><label class="lbl">Polazak</label><input id="pn_from" type="datetime-local" class="fld"></div>
+          <div><label class="lbl">Povratak</label><input id="pn_to" type="datetime-local" class="fld"></div>
+          <div><label class="lbl">Tip vozila</label>
+            <select id="pn_vehicle" class="fld">
+              <option>vlastiti automobil</option><option>službeno vozilo</option><option>kombi</option><option>autobus</option><option>vlak</option><option>avion</option>
+            </select>
+          </div>
+          <div><label class="lbl">Registracija</label><input id="pn_plate" class="fld"></div>
+          <div><label class="lbl">Kilometara</label><input id="pn_km" type="number" step="1" class="fld" value="0"></div>
+          <div><label class="lbl">€/km</label><input id="pn_kmrate" type="number" step="0.01" class="fld" value="0.50"></div>
+        </div>
+        <div id="pn_preview" style="margin-top:14px;padding:12px;background:var(--bg-3);border-radius:6px;border:1px solid var(--border);font-size:13px;color:var(--text-2)">
+          Unesi datume za live obračun dnevnica…
+        </div>
+        <div style="margin-top:12px;display:flex;gap:8px;align-items:center">
+          <button id="pnSave" class="btn">📝 Kreiraj putni nalog</button>
+          <span id="pnSaveStatus" style="font-size:12px;color:var(--text-3)"></span>
+        </div>
+        <p style="margin-top:14px;font-size:11px;color:var(--text-3);line-height:1.6">
+          <b>HR pravilnik 2025:</b> domaće 26.54 € (>8h), 13.27 € (5–8h), 0 € (&lt;5h). Inozemne dnevnice po zemlji
+          (Italija/Austrija 35 €, Slovenija/Mađarska/BiH/Srbija 30 €). Kilometrina vlastitim automobilom 0.50 €/km.
+        </p>
+      </div>
+    </div>
+
+    <!-- Putni nalozi list -->
+    <div class="tab" id="tab-putni-list">
+      <div class="section">
+        <h3>Lista putnih naloga</h3>
+        <table id="pnTable"><thead><tr><th>#</th><th>Klub</th><th>Destinacija</th><th>Polazak</th><th>Povratak</th><th class="num">Dnevnice</th><th class="num">Transport</th><th class="num">Total</th><th>Status</th></tr></thead><tbody></tbody></table>
+      </div>
+    </div>
+
+  </main>
+</div>
+
+<!-- ============ INVOICE DETAIL MODAL (M5.5) ============ -->
+<div id="invModal" class="modal-bg" onclick="if(event.target===this)closeModal('invModal')">
+  <div class="modal">
+    <div class="modal-h">
+      <h3 id="invModalTitle">Račun</h3>
+      <button class="x" onclick="closeModal('invModal')">×</button>
+    </div>
+    <div class="modal-body">
+      <div class="col2">
+        <div>
+          <h4 style="font-size:12px;color:var(--text-3);text-transform:uppercase;letter-spacing:.5px;margin-bottom:8px">Skenirana datoteka</h4>
+          <div id="inv_preview" style="text-align:center"></div>
+        </div>
+        <div>
+          <h4 style="font-size:12px;color:var(--text-3);text-transform:uppercase;letter-spacing:.5px;margin-bottom:8px">Podaci računa</h4>
+          <div class="kv" id="inv_kv"></div>
+          <div id="inv_status_block" style="margin-top:14px;padding:12px;background:var(--bg-3);border-radius:6px;border:1px solid var(--border)"></div>
+        </div>
+      </div>
+      <div class="actions-row" id="inv_actions"></div>
+      <div style="margin-top:18px">
+        <h4 style="font-size:12px;color:var(--text-3);text-transform:uppercase;letter-spacing:.5px;margin-bottom:8px">Audit log</h4>
+        <div id="inv_audit"></div>
+      </div>
+    </div>
+  </div>
+</div>
+
+<!-- ============ PAY INVOICE MODAL (M5.5) ============ -->
+<div id="payModal" class="modal-bg" onclick="if(event.target===this)closeModal('payModal')">
+  <div class="modal" style="max-width:560px">
+    <div class="modal-h">
+      <h3>💰 Označi kao plaćen</h3>
+      <button class="x" onclick="closeModal('payModal')">×</button>
+    </div>
+    <div class="modal-body">
+      <div class="grid2" style="gap:12px">
+        <div><label class="lbl">IBAN primatelja</label><input id="pay_iban_to" class="fld" placeholder="HRxxxxxxxxxxxxxxxxxxx"></div>
+        <div><label class="lbl">IBAN platitelja</label><input id="pay_iban_from" class="fld" placeholder="HRxxxxxxxxxxxxxxxxxxx"></div>
+        <div><label class="lbl">Datum uplate</label><input id="pay_date" type="date" class="fld"></div>
+        <div><label class="lbl">Iznos (€)</label><input id="pay_amount" type="number" step="0.01" class="fld"></div>
+        <div><label class="lbl">Poziv na broj / referenca</label><input id="pay_ref" class="fld" placeholder="HR00 12345-67890"></div>
+        <div><label class="lbl">Tx ID (banka)</label><input id="pay_tx" class="fld"></div>
+      </div>
+      <div class="actions-row">
+        <button class="btn green" id="payConfirm">✓ Potvrdi plaćanje</button>
+        <button class="btn sec" onclick="closeModal('payModal')">Odustani</button>
+        <span id="payStatus" style="font-size:12px;color:var(--text-3);align-self:center"></span>
+      </div>
+    </div>
+  </div>
+</div>
+
+<!-- ============ COMMENT MODAL (M5.5) ============ -->
+<div id="commentModal" class="modal-bg" onclick="if(event.target===this)closeModal('commentModal')">
+  <div class="modal" style="max-width:520px">
+    <div class="modal-h">
+      <h3>💬 Komentar (savez/admin)</h3>
+      <button class="x" onclick="closeModal('commentModal')">×</button>
+    </div>
+    <div class="modal-body">
+      <textarea id="commentText" class="fld" rows="5" style="resize:vertical;font-family:inherit"></textarea>
+      <div class="actions-row">
+        <button class="btn" id="commentSave">Spremi komentar</button>
+        <button class="btn sec" onclick="closeModal('commentModal')">Odustani</button>
+        <span id="commentStatus" style="font-size:12px;color:var(--text-3);align-self:center"></span>
+      </div>
+    </div>
+  </div>
+</div>
+
+<!-- ============ PUTNI NALOG DETAIL MODAL (M6.3) ============ -->
+<div id="pnModal" class="modal-bg" onclick="if(event.target===this)closeModal('pnModal')">
+  <div class="modal">
+    <div class="modal-h">
+      <h3 id="pnModalTitle">Putni nalog</h3>
+      <button class="x" onclick="closeModal('pnModal')">×</button>
+    </div>
+    <div class="modal-body">
+      <div class="col2">
+        <div>
+          <h4 style="font-size:12px;color:var(--text-3);text-transform:uppercase;letter-spacing:.5px;margin-bottom:8px">Voditelj + putnici, ruta, vozilo</h4>
+          <div class="kv" id="pn_kv"></div>
+        </div>
+        <div>
+          <h4 style="font-size:12px;color:var(--text-3);text-transform:uppercase;letter-spacing:.5px;margin-bottom:8px">Obračun (HR pravilnik 2025)</h4>
+          <div class="kv" id="pn_obracun"></div>
+          <div id="pn_status_block" style="margin-top:14px;padding:12px;background:var(--bg-3);border-radius:6px;border:1px solid var(--border)"></div>
+        </div>
+      </div>
+      <div style="margin-top:18px">
+        <h4 style="font-size:12px;color:var(--text-3);text-transform:uppercase;letter-spacing:.5px;margin-bottom:8px">📎 Vezani računi (gorivo, cestarina, hotel...)</h4>
+        <table id="pn_invoices_table"><thead><tr><th>#</th><th>Vrsta</th><th>Dobavljač</th><th>OIB</th><th>Datum</th><th class="num">Brutto</th><th>Status</th></tr></thead><tbody></tbody></table>
+      </div>
+      <div class="actions-row" id="pn_actions"></div>
+      <div style="margin-top:18px">
+        <h4 style="font-size:12px;color:var(--text-3);text-transform:uppercase;letter-spacing:.5px;margin-bottom:8px">Audit log</h4>
+        <div id="pn_audit"></div>
+      </div>
+    </div>
+  </div>
+</div>
+
+<!-- ============ PAY PUTNI NALOG MODAL ============ -->
+<div id="payPnModal" class="modal-bg" onclick="if(event.target===this)closeModal('payPnModal')">
+  <div class="modal" style="max-width:560px">
+    <div class="modal-h">
+      <h3>💰 Isplata putnog naloga</h3>
+      <button class="x" onclick="closeModal('payPnModal')">×</button>
+    </div>
+    <div class="modal-body">
+      <div class="grid2" style="gap:12px">
+        <div><label class="lbl">IBAN primatelja</label><input id="ppn_iban_to" class="fld"></div>
+        <div><label class="lbl">IBAN platitelja</label><input id="ppn_iban_from" class="fld"></div>
+        <div><label class="lbl">Datum uplate</label><input id="ppn_date" type="date" class="fld"></div>
+        <div><label class="lbl">Iznos (€)</label><input id="ppn_amount" type="number" step="0.01" class="fld"></div>
+        <div><label class="lbl">Referenca</label><input id="ppn_ref" class="fld"></div>
+        <div><label class="lbl">Tx ID</label><input id="ppn_tx" class="fld"></div>
+      </div>
+      <div class="actions-row">
+        <button class="btn green" id="ppnConfirm">✓ Potvrdi isplatu</button>
+        <button class="btn sec" onclick="closeModal('payPnModal')">Odustani</button>
+        <span id="ppnStatus" style="font-size:12px;color:var(--text-3);align-self:center"></span>
+      </div>
+    </div>
+  </div>
+</div>
+
+<!-- ============ REJECT PUTNI NALOG MODAL ============ -->
+<div id="rejectModal" class="modal-bg" onclick="if(event.target===this)closeModal('rejectModal')">
+  <div class="modal" style="max-width:480px">
+    <div class="modal-h">
+      <h3>❌ Odbij putni nalog</h3>
+      <button class="x" onclick="closeModal('rejectModal')">×</button>
+    </div>
+    <div class="modal-body">
+      <label class="lbl">Razlog odbijanja</label>
+      <textarea id="rejectText" class="fld" rows="4" style="resize:vertical;font-family:inherit"></textarea>
+      <div class="actions-row">
+        <button class="btn red" id="rejectConfirm">Odbij</button>
+        <button class="btn sec" onclick="closeModal('rejectModal')">Odustani</button>
+        <span id="rejectStatus" style="font-size:12px;color:var(--text-3);align-self:center"></span>
+      </div>
+    </div>
+  </div>
+</div>
+
+<script>
+const ERP_API = '/api/erp';
+const $ = s => document.querySelector(s);
+const $$ = s => document.querySelectorAll(s);
+const fmt = n => n == null ? '—' : new Intl.NumberFormat('hr-HR').format(n);
+const fmtEur = n => n != null ? '€' + fmt(Math.round(n*100)/100) : '—';
+const fmtDate = d => d ? d.substring(0,10) : '—';
+
+function badge(t,c) { return `<span class="badge ${c}">${t||'—'}</span>`; }
+function sBadge(s) {
+  if (!s) return badge('—','gray');
+  const x = s.toLowerCase();
+  if (['paid','approved','active','odobren','zatvoren'].includes(x)) return badge(s,'green');
+  if (['pending','draft','submitted','open','unpaid'].includes(x)) return badge(s,'yellow');
+  if (['overdue','rejected','cancelled','failed'].includes(x)) return badge(s,'red');
+  return badge(s,'gray');
+}
+
+async function loadKlubovi() {
+  const r = await fetch('/api/klubovi?limit=400').then(r=>r.json()).catch(()=>null);
+  if (!r) return;
+  const arr = Array.isArray(r) ? r : (r.rows || r.items || []);
+  const opts = '<option value="">— odaberi klub —</option>' + arr
+    .map(k => ({id: k.id, naziv: (k.naziv || k.klub || k.sport || '#'+k.id).toString().trim()}))
+    .filter(k => k.naziv)
+    .sort((a,b) => a.naziv.localeCompare(b.naziv,'hr'))
+    .map(k => `<option value="${k.id}">${k.naziv.replace(/"/g,'&quot;')}</option>`).join('');
+  ['oc_klub','pn_klub'].forEach(id => { const e=$('#'+id); if (e) e.innerHTML=opts; });
+}
+
+let ocrUploadId = null, ocrParsed = null;
+function ocrSet(m,c) { const e=$('#ocrStatus'); if(e){e.textContent=m||''; e.style.color=c||'var(--text-2)';} }
+
+async function ocrHandle(file) {
+  if (!file) return;
+  ocrSet('⏳ Učitavam datoteku…','var(--yellow)');
+  const klubVal = $('#oc_klub')?.value || '';
+  const fd = new FormData();
+  fd.append('file', file);
+  if (klubVal) fd.append('klub_id', klubVal);
+  fd.append('tenant_id', 1);
+  fd.append('invoice_kind', $('#oc_kind')?.value || 'ostalo');
+  let r = await fetch(`${ERP_API}/ocr/upload`, {method:'POST',body:fd});
+  if (!r.ok) { ocrSet('❌ Upload pao: '+r.status,'var(--red)'); return; }
+  const j = await r.json();
+  ocrUploadId = j.upload_id;
+  ocrSet(`✓ Uploaded #${ocrUploadId} (${j.size} B). Pokrećem OCR + Ri.NET AI Engine ekstrakciju…`,'var(--accent)');
+
+  const fd2 = new FormData();
+  fd2.append('upload_id', ocrUploadId);
+  fd2.append('use_llm', 'true');
+  r = await fetch(`${ERP_API}/ocr/parse`, {method:'POST',body:fd2});
+  const p = await r.json();
+  if (!p.ok) { ocrSet('❌ '+(p.error||'Parse fail'),'var(--red)'); return; }
+  ocrParsed = p.extracted || {};
+  $('#oc_vendor_name').value  = ocrParsed.vendor_name || '';
+  $('#oc_vendor_oib').value   = ocrParsed.vendor_oib  || '';
+  $('#oc_invoice_no').value   = ocrParsed.invoice_no  || '';
+  $('#oc_invoice_date').value = ocrParsed.invoice_date|| '';
+  $('#oc_amount_net').value   = ocrParsed.amount_net  ?? '';
+  $('#oc_amount_vat').value   = ocrParsed.amount_vat  ?? '';
+  $('#oc_amount_gross').value = ocrParsed.amount_gross?? '';
+  $('#oc_vat_rate').value     = ocrParsed.vat_rate    ?? '';
+  $('#oc_iban').value          = ocrParsed.iban       || '';
+  $('#oc_kind').value          = ocrParsed.category   || 'ostalo';
+  $('#oc_currency').value      = ocrParsed.currency   || 'EUR';
+  $('#oc_description').value   = ocrParsed.description|| '';
+  $('#oc_raw').textContent     = (p.raw_text_preview||'').slice(0,4000);
+  $('#ocrResult').style.display = 'block';
+  ocrSet(`✓ OCR ${p.ocr_method} (${p.raw_chars} znakova). Provjeri polja → "Spremi račun".`,'var(--green)');
+}
+
+function ocrInit() {
+  const drop = $('#ocrDrop'), inp = $('#ocrFile');
+  drop.addEventListener('click', () => inp.click());
+  inp.addEventListener('change', e => { if (e.target.files[0]) ocrHandle(e.target.files[0]); });
+  ['dragenter','dragover'].forEach(ev => drop.addEventListener(ev, e => { e.preventDefault(); drop.style.borderColor='var(--accent)'; }));
+  ['dragleave','drop'].forEach(ev => drop.addEventListener(ev, e => { e.preventDefault(); drop.style.borderColor='var(--border)'; }));
+  drop.addEventListener('drop', e => { e.preventDefault(); const f = e.dataTransfer.files[0]; if (f) ocrHandle(f); });
+  $('#ocCancel').addEventListener('click', () => { $('#ocrResult').style.display='none'; ocrUploadId=null; ocrParsed=null; ocrSet(''); inp.value=''; });
+  $('#ocSave').addEventListener('click', async () => {
+    const klub = $('#oc_klub').value;
+    if (!klub) { $('#ocSaveStatus').textContent = 'Odaberi klub'; return; }
+    const body = {
+      klub_id: parseInt(klub), tenant_id: 1, upload_id: ocrUploadId,
+      invoice_kind: $('#oc_kind').value || 'ostalo',
+      invoice_no: $('#oc_invoice_no').value, vendor_name: $('#oc_vendor_name').value,
+      vendor_oib: $('#oc_vendor_oib').value, invoice_date: $('#oc_invoice_date').value,
+      amount_net: parseFloat($('#oc_amount_net').value)||null,
+      amount_vat: parseFloat($('#oc_amount_vat').value)||null,
+      amount_gross: parseFloat($('#oc_amount_gross').value),
+      vat_rate: parseFloat($('#oc_vat_rate').value)||null,
+      iban_to: $('#oc_iban').value || null,
+      currency: $('#oc_currency').value || 'EUR',
+      category: $('#oc_kind').value || 'ostalo',
+      description: $('#oc_description').value || null,
+    };
+    $('#ocSaveStatus').textContent = '⏳ Spremam…';
+    const r = await fetch(`${ERP_API}/invoices`,{method:'POST',headers:{'Content-Type':'application/json'},body:JSON.stringify(body)});
+    const j = await r.json();
+    if (j.ok) {
+      $('#ocSaveStatus').textContent = `✓ Spremljen kao #${j.invoice.id}`;
+      $('#ocSaveStatus').style.color = 'var(--green)';
+      setTimeout(() => { $('#ocrResult').style.display='none'; loadInvoices(); }, 1500);
+    } else {
+      $('#ocSaveStatus').textContent = '❌ ' + (j.detail||'Greška');
+      $('#ocSaveStatus').style.color = 'var(--red)';
+    }
+  });
+}
+
+let pnTimer = null;
+async function pnPreview() {
+  const df = $('#pn_from').value, dt = $('#pn_to').value;
+  const country = $('#pn_country').value || 'Hrvatska';
+  const km = parseFloat($('#pn_km').value || 0);
+  const kr = parseFloat($('#pn_kmrate').value || 0.5);
+  const tgt = $('#pn_preview');
+  if (!df || !dt) { tgt.textContent = 'Unesi datume za live obračun dnevnica…'; return; }
+  const r = await fetch(`${ERP_API}/putni-nalog/dnevnice/preview?date_from=${encodeURIComponent(df)}&date_to=${encodeURIComponent(dt)}&country=${encodeURIComponent(country)}&km=${km}&km_rate=${kr}`).then(r=>r.json()).catch(()=>null);
+  if (!r || !r.ok) { tgt.textContent='⚠ Neuspješan obračun'; return; }
+  const d = r.preview;
+  tgt.innerHTML = `
+    <div class="grid4">
+      <div><div style="color:var(--text-3);font-size:11px">Sati</div><div style="font-size:18px;font-family:'JetBrains Mono'">${d.hours}h</div></div>
+      <div><div style="color:var(--text-3);font-size:11px">Pune dnevnice</div><div style="font-size:18px;color:var(--accent);font-family:'JetBrains Mono'">${d.days_full} × €${d.rate_full}</div></div>
+      <div><div style="color:var(--text-3);font-size:11px">Pola dnevnica</div><div style="font-size:18px;color:var(--yellow);font-family:'JetBrains Mono'">${d.days_half} × €${d.rate_half}</div></div>
+      <div><div style="color:var(--text-3);font-size:11px">Dnevnice ukupno</div><div style="font-size:18px;color:var(--green);font-family:'JetBrains Mono'">€${d.dnevnica_amount_total}</div></div>
+      <div><div style="color:var(--text-3);font-size:11px">Kilometara</div><div style="font-size:16px;font-family:'JetBrains Mono'">${d.km_driven} km</div></div>
+      <div><div style="color:var(--text-3);font-size:11px">Kilometrina</div><div style="font-size:16px;font-family:'JetBrains Mono'">€${d.km_amount}</div></div>
+      <div><div style="color:var(--text-3);font-size:11px">Zemlja</div><div style="font-size:14px;font-family:'JetBrains Mono'">${d.country}</div></div>
+      <div><div style="color:var(--text-3);font-size:11px">PROCJENA UKUPNO</div><div style="font-size:22px;color:var(--accent);font-family:'JetBrains Mono';font-weight:700">€${d.total_estimated}</div></div>
+    </div>`;
+}
+
+function pnInit() {
+  ['pn_from','pn_to','pn_country','pn_km','pn_kmrate'].forEach(id => {
+    const el = $('#'+id); if (el) el.addEventListener('input', () => { clearTimeout(pnTimer); pnTimer = setTimeout(pnPreview, 250); });
+  });
+  $('#pnSave').addEventListener('click', async () => {
+    const klub = $('#pn_klub').value;
+    if (!klub) { $('#pnSaveStatus').textContent = 'Odaberi klub'; return; }
+    const body = {
+      klub_id: parseInt(klub), tenant_id: 1,
+      voditelj_ime: $('#pn_voditelj').value,
+      putnici: ($('#pn_putnici').value||'').split(',').map(s=>s.trim()).filter(Boolean),
+      svrha: $('#pn_svrha').value,
+      od_grada: $('#pn_od').value, do_grada: $('#pn_do').value,
+      datum_polaska: $('#pn_from').value, datum_povratka: $('#pn_to').value,
+      country: $('#pn_country').value,
+      vehicle_type: $('#pn_vehicle').value,
+      registracija_vozila: $('#pn_plate').value,
+      kilometara: parseFloat($('#pn_km').value)||0,
+      km_rate: parseFloat($('#pn_kmrate').value)||0.5,
+    };
+    $('#pnSaveStatus').textContent = '⏳ Spremam…';
+    const r = await fetch(`${ERP_API}/putni-nalog`,{method:'POST',headers:{'Content-Type':'application/json'},body:JSON.stringify(body)});
+    const j = await r.json();
+    if (j.ok) {
+      $('#pnSaveStatus').innerHTML = `✓ Putni nalog #${j.putni_nalog.id} kreiran (€${j.putni_nalog.cost_total})`;
+      $('#pnSaveStatus').style.color = 'var(--green)';
+      loadPutni();
+    } else {
+      $('#pnSaveStatus').textContent = '❌ ' + (j.detail||'Greška');
+      $('#pnSaveStatus').style.color = 'var(--red)';
+    }
+  });
+}
+
+async function loadInvoices() {
+  const r = await fetch(`${ERP_API}/invoices?limit=50`, {headers: AUTH_HDR()}).then(r=>r.json()).catch(()=>null);
+  if (!r || !r.rows) return;
+  $('#invTable tbody').innerHTML = r.rows.length ? r.rows.map(i=>`
+    <tr class="clickable" onclick="openInvoice(${i.id})"><td>${i.id}</td><td>${i.invoice_kind||'—'}</td><td>${i.invoice_no||'—'}</td>
+      <td>${i.vendor_name||'—'}</td><td style="font-family:'JetBrains Mono'">${i.vendor_oib||'—'}</td>
+      <td>${i.klub_naziv||'—'}</td><td class="num">${fmtEur(i.amount_gross)}</td>
+      <td>${sBadge(i.payment_status)}</td><td>${fmtDate(i.invoice_date)}</td></tr>`).join('')
+    : '<tr><td colspan="9" style="color:var(--text-3);text-align:center;padding:20px">Nema podataka</td></tr>';
+}
+
+async function loadPutni() {
+  const r = await fetch(`${ERP_API}/putni-nalog?limit=50`, {headers: AUTH_HDR()}).then(r=>r.json()).catch(()=>null);
+  if (!r || !r.rows) return;
+  $('#pnTable tbody').innerHTML = r.rows.length ? r.rows.map(p=>`
+    <tr class="clickable" onclick="openPutni(${p.id})"><td>${p.id}</td><td>${p.klub_naziv||'—'}</td><td>${p.destination||'—'}</td>
+      <td>${fmtDate(p.date_from)}</td><td>${fmtDate(p.date_to)}</td>
+      <td class="num">${fmtEur(p.dnevnice_amount)}</td>
+      <td class="num">${fmtEur(p.cost_transport)}</td>
+      <td class="num"><strong>${fmtEur(p.cost_total)}</strong></td>
+      <td>${sBadge(p.status)}</td></tr>`).join('')
+    : '<tr><td colspan="9" style="color:var(--text-3);text-align:center;padding:20px">Nema podataka</td></tr>';
+}
+
+// ===== AUTH (JWT iz localStorage ili admin token fallback) =====
+function AUTH_HDR(extra) {
+  const h = Object.assign({}, extra || {});
+  let t = null;
+  try { t = localStorage.getItem('jwt') || sessionStorage.getItem('jwt'); } catch(e){}
+  if (!t) t = 'admin-pgz-2026';
+  h['Authorization'] = 'Bearer ' + t;
+  return h;
+}
+function AUTH_HDR_JSON() { return AUTH_HDR({'Content-Type': 'application/json'}); }
+
+function openModal(id) { document.getElementById(id).classList.add('show'); }
+function closeModal(id) { document.getElementById(id).classList.remove('show'); }
+
+function escHtml(s) {
+  if (s == null) return '';
+  return String(s).replace(/[&<>"']/g, c => ({'&':'&amp;','<':'&lt;','>':'&gt;','"':'&quot;',"'":'&#39;'}[c]));
+}
+
+function renderAudit(audit) {
+  if (!audit || !audit.length) return '<div style="color:var(--text-3);font-size:12px">Nema audit zapisa.</div>';
+  return audit.map(a => `
+    <div class="audit-row">
+      <div class="ts">${(a.timestamp||'').replace('T',' ').substring(0,19)}</div>
+      <div class="op">${escHtml(a.operacija)}</div>
+      <div class="who">${escHtml(a.korisnik||'—')}</div>
+      <div>${escHtml(a.promijenjeno_polje||'')}: <span style="color:var(--text-3)">${escHtml(a.stara_vrijednost||'∅')}</span> → <span style="color:var(--green)">${escHtml(a.nova_vrijednost||'∅')}</span></div>
+    </div>`).join('');
+}
+
+// ===== INVOICE DETAIL =====
+let _currentInvoice = null;
+
+async function openInvoice(id) {
+  const r = await fetch(`${ERP_API}/invoices/${id}`, {headers: AUTH_HDR()}).then(r=>r.json()).catch(()=>null);
+  if (!r || !r.ok) { alert('Greška pri učitavanju računa #' + id); return; }
+  _currentInvoice = r;
+  const i = r.invoice;
+  $('#invModalTitle').textContent = `Račun #${i.id} · ${i.invoice_no || '—'}`;
+
+  // Preview slike
+  const pv = $('#inv_preview');
+  if (r.uploads && r.uploads.length) {
+    const up = r.uploads[0];
+    const fileUrl = `${ERP_API}/invoices/${id}/file`;
+    const isPdf = (up.mime || '').includes('pdf') || (up.file_name || '').toLowerCase().endsWith('.pdf');
+    if (isPdf) {
+      pv.innerHTML = `<embed src="${fileUrl}" type="application/pdf" style="width:100%;height:480px;border:1px solid var(--border);border-radius:6px"><div style="margin-top:6px;font-size:11px;color:var(--text-3)">${escHtml(up.file_name)} · ${escHtml(up.mime||'')}</div>`;
+    } else {
+      pv.innerHTML = `<a href="${fileUrl}" target="_blank"><img class="preview-img" src="${fileUrl}" alt="skena"></a><div style="margin-top:6px;font-size:11px;color:var(--text-3)">${escHtml(up.file_name)} · OCR ${escHtml(up.ocr_engine||up.ocr_status||'')}</div>`;
+    }
+  } else {
+    pv.innerHTML = '<div style="padding:60px;background:var(--bg-3);border-radius:6px;color:var(--text-3);font-size:12px">Bez priložene datoteke</div>';
+  }
+
+  // KV polja
+  $('#inv_kv').innerHTML = `
+    <div>Izdavatelj</div><div>${escHtml(i.vendor_name||'—')}</div>
+    <div>OIB izdavatelja</div><div>${escHtml(i.vendor_oib||'—')}</div>
+    <div>Broj računa</div><div>${escHtml(i.invoice_no||'—')}</div>
+    <div>Datum</div><div>${fmtDate(i.invoice_date)}</div>
+    <div>Klub</div><div>${escHtml(i.klub_naziv||'—')}</div>
+    <div>Vrsta</div><div>${escHtml(i.invoice_kind||'—')}</div>
+    <div>Iznos neto</div><div>${fmtEur(i.amount_net)}</div>
+    <div>PDV (${i.vat_rate||'—'}%)</div><div>${fmtEur(i.amount_vat)}</div>
+    <div>Brutto</div><div style="color:var(--accent);font-weight:700">${fmtEur(i.amount_gross)}</div>
+    <div>Valuta</div><div>${escHtml(i.currency||'EUR')}</div>
+    <div>Opis</div><div>${escHtml(i.description||'—')}</div>
+  `;
+
+  // Status block
+  const status = (i.payment_status||'unpaid').toLowerCase();
+  let sb = `<div style="display:flex;align-items:center;gap:10px"><span style="font-size:11px;color:var(--text-3)">STATUS</span> ${sBadge(i.payment_status)}</div>`;
+  if (status === 'paid') {
+    const lastPay = (r.payments && r.payments.length) ? r.payments[0] : {};
+    sb += `<div style="margin-top:10px;font-size:12px;line-height:1.7">
+      <div><span style="color:var(--text-3)">IBAN primatelja:</span> <span style="font-family:'JetBrains Mono'">${escHtml(lastPay.iban_to || i.iban_to || '—')}</span></div>
+      <div><span style="color:var(--text-3)">IBAN platitelja:</span> <span style="font-family:'JetBrains Mono'">${escHtml(lastPay.iban_from || i.iban_from || '—')}</span></div>
+      <div><span style="color:var(--text-3)">Datum uplate:</span> ${fmtDate(i.paid_date) || fmtDate(lastPay.payment_date)}</div>
+      <div><span style="color:var(--text-3)">Iznos uplate:</span> <strong style="color:var(--green)">${fmtEur(lastPay.amount || i.amount_gross)}</strong></div>
+      <div><span style="color:var(--text-3)">Referenca:</span> <span style="font-family:'JetBrains Mono'">${escHtml(lastPay.reference||'—')}</span></div>
+      <div><span style="color:var(--text-3)">Tx ID:</span> <span style="font-family:'JetBrains Mono'">${escHtml(lastPay.bank_transaction_id||'—')}</span></div>
+    </div>`;
+  } else if (status === 'cancelled' || status === 'otkazan') {
+    sb += `<div style="margin-top:8px;color:var(--red);font-size:12px">Račun je otkazan.</div>`;
+  } else {
+    sb += `<div style="margin-top:8px;color:var(--yellow);font-size:12px">Neplaćen — čeka uplatu.</div>`;
+  }
+  $('#inv_status_block').innerHTML = sb;
+
+  // Actions po permission-ima
+  const a = r.actions || {};
+  const acts = [];
+  if (a.pay && status !== 'paid') acts.push(`<button class="btn green" onclick="openPayModal(${id})">💰 Označi kao plaćen</button>`);
+  if (a.edit && status !== 'paid') acts.push(`<button class="btn yellow" onclick="alert('Edit u UI: koristi M5 OCR formu — ovaj panel je read-only za prikaz')">✏ Korekcija polja</button>`);
+  if (a.comment) acts.push(`<button class="btn sec" onclick="openCommentModal(${id})">💬 Komentar</button>`);
+  if (r.uploads && r.uploads.length) acts.push(`<a href="${ERP_API}/invoices/${id}/file" target="_blank" class="btn sec" style="text-decoration:none">📥 Preuzmi sken</a>`);
+  if (a.delete) acts.push(`<button class="btn red" onclick="if(confirm('Obrisati račun #${id}?')){alert('Brisanje: TODO endpoint')}">🗑 Obriši</button>`);
+  if (!acts.length) acts.push('<span style="color:var(--text-3);font-size:12px">Bez dostupnih akcija (samo pregled).</span>');
+  $('#inv_actions').innerHTML = acts.join('');
+
+  $('#inv_audit').innerHTML = renderAudit(r.audit);
+  openModal('invModal');
+}
+
+function openPayModal(id) {
+  const inv = _currentInvoice && _currentInvoice.invoice;
+  if (inv) {
+    $('#pay_iban_to').value = inv.iban_to || '';
+    $('#pay_amount').value = inv.amount_gross || '';
+  }
+  $('#pay_date').value = new Date().toISOString().substring(0,10);
+  $('#payStatus').textContent = '';
+  openModal('payModal');
+  $('#payConfirm').onclick = async () => {
+    const body = {
+      iban_to: $('#pay_iban_to').value.trim(),
+      iban_from: $('#pay_iban_from').value.trim(),
+      paid_date: $('#pay_date').value,
+      amount: parseFloat($('#pay_amount').value) || undefined,
+      reference: $('#pay_ref').value.trim(),
+      bank_transaction_id: $('#pay_tx').value.trim(),
+      payment_method: 'transfer',
+    };
+    $('#payStatus').textContent = '⏳ Spremam…';
+    const r = await fetch(`${ERP_API}/invoices/${id}/pay`, {method:'POST', headers: AUTH_HDR_JSON(), body: JSON.stringify(body)}).then(r=>r.json()).catch(()=>({ok:false,detail:'net'}));
+    if (r.ok) {
+      $('#payStatus').textContent = '✓ Plaćeno';
+      $('#payStatus').style.color = 'var(--green)';
+      setTimeout(() => { closeModal('payModal'); openInvoice(id); loadInvoices(); }, 700);
+    } else {
+      $('#payStatus').textContent = '❌ ' + (r.detail || 'Greška');
+      $('#payStatus').style.color = 'var(--red)';
+    }
+  };
+}
+
+function openCommentModal(id) {
+  $('#commentText').value = '';
+  $('#commentStatus').textContent = '';
+  openModal('commentModal');
+  $('#commentSave').onclick = async () => {
+    const txt = $('#commentText').value.trim();
+    if (!txt) { $('#commentStatus').textContent = 'Komentar je prazan'; return; }
+    $('#commentStatus').textContent = '⏳';
+    const r = await fetch(`${ERP_API}/invoices/${id}/comment`, {method:'POST', headers: AUTH_HDR_JSON(), body: JSON.stringify({comment: txt})}).then(r=>r.json()).catch(()=>({ok:false,detail:'net'}));
+    if (r.ok) {
+      $('#commentStatus').textContent = '✓ Spremljeno';
+      $('#commentStatus').style.color = 'var(--green)';
+      setTimeout(() => { closeModal('commentModal'); openInvoice(id); }, 600);
+    } else {
+      $('#commentStatus').textContent = '❌ ' + (r.detail || 'Greška');
+      $('#commentStatus').style.color = 'var(--red)';
+    }
+  };
+}
+
+// ===== PUTNI NALOG DETAIL =====
+let _currentPn = null;
+
+async function openPutni(id) {
+  const r = await fetch(`${ERP_API}/putni-nalog/${id}`, {headers: AUTH_HDR()}).then(r=>r.json()).catch(()=>null);
+  if (!r || !r.ok) { alert('Greška pri učitavanju putnog naloga #' + id); return; }
+  _currentPn = r;
+  const p = r.putni_nalog;
+  $('#pnModalTitle').textContent = `Putni nalog #${p.id} · ${p.klub_naziv||'—'}`;
+
+  const att = p.attachments || {};
+  const dnv = att.dnevnice_calc || {};
+  const putnici = (att.putnici || []).join(', ');
+  const voditelj = att.voditelj || '—';
+  const country = att.country || '—';
+  const fromCity = att.from_city || '—', toCity = att.to_city || '—';
+
+  $('#pn_kv').innerHTML = `
+    <div>Voditelj</div><div>${escHtml(voditelj)}</div>
+    <div>Putnici</div><div>${escHtml(putnici||'—')}</div>
+    <div>Svrha</div><div>${escHtml(p.purpose||'—')}</div>
+    <div>Ruta</div><div>${escHtml(fromCity)} → ${escHtml(toCity)}</div>
+    <div>Zemlja</div><div>${escHtml(country)}</div>
+    <div>Polazak</div><div>${fmtDate(p.date_from)}</div>
+    <div>Povratak</div><div>${fmtDate(p.date_to)}</div>
+    <div>Vozilo</div><div>${escHtml(p.vehicle_type||'—')} ${escHtml(p.vehicle_plate||'')}</div>
+    <div>Kilometara</div><div>${p.km_driven||0} km × €${p.km_rate||0.5}</div>
+  `;
+
+  $('#pn_obracun').innerHTML = `
+    <div>Pune dnevnice</div><div style="color:var(--accent)">${dnv.days_full||0} × €${dnv.rate_full||0}</div>
+    <div>Pola dnevnica</div><div style="color:var(--yellow)">${dnv.days_half||0} × €${dnv.rate_half||0}</div>
+    <div>Dnevnice ukupno</div><div style="color:var(--green)">${fmtEur(p.dnevnice_amount)}</div>
+    <div>Kilometrina</div><div>${fmtEur(p.cost_transport)}</div>
+    <div>Smještaj</div><div>${fmtEur(p.cost_lodging)}</div>
+    <div>Hrana / ostalo</div><div>${fmtEur((p.cost_meals||0)+(p.cost_other||0))}</div>
+    <div style="font-weight:700">UKUPNO</div><div style="color:var(--accent);font-weight:700;font-size:18px">${fmtEur(p.cost_total)}</div>
+  `;
+
+  // Status block
+  const status = (p.status||'draft').toLowerCase();
+  let sb = `<div style="display:flex;align-items:center;gap:10px"><span style="font-size:11px;color:var(--text-3)">STATUS</span> ${sBadge(p.status)}</div>`;
+  if (status === 'isplacen') {
+    const lastPay = (r.payments && r.payments.length) ? r.payments[0] : {};
+    sb += `<div style="margin-top:10px;font-size:12px;line-height:1.7">
+      <div><span style="color:var(--text-3)">IBAN primatelja:</span> <span style="font-family:'JetBrains Mono'">${escHtml(lastPay.iban_to||'—')}</span></div>
+      <div><span style="color:var(--text-3)">Datum isplate:</span> ${fmtDate(p.paid_at) || fmtDate(lastPay.payment_date)}</div>
+      <div><span style="color:var(--text-3)">Iznos isplate:</span> <strong style="color:var(--green)">${fmtEur(lastPay.amount||p.cost_total)}</strong></div>
+      <div><span style="color:var(--text-3)">Referenca:</span> <span style="font-family:'JetBrains Mono'">${escHtml(lastPay.reference||'—')}</span></div>
+      <div><span style="color:var(--text-3)">Tx ID:</span> <span style="font-family:'JetBrains Mono'">${escHtml(lastPay.bank_transaction_id||'—')}</span></div>
+    </div>`;
+  } else if (status === 'odbijen') {
+    sb += `<div style="margin-top:8px;color:var(--red);font-size:12px">${escHtml(p.notes||'Odbijen').slice(-200)}</div>`;
+  } else {
+    sb += `<div style="margin-top:8px;color:var(--yellow);font-size:12px">${status === 'odobren' || status === 'zatvoren' ? 'Čeka isplatu.' : status === 'poslan' ? 'Čeka odobrenje.' : 'Draft — još nije poslan na odobrenje.'}</div>`;
+  }
+  $('#pn_status_block').innerHTML = sb;
+
+  // Vezani računi
+  const invs = r.invoices || [];
+  $('#pn_invoices_table tbody').innerHTML = invs.length ? invs.map(i => `
+    <tr class="clickable" onclick="closeModal('pnModal'); setTimeout(()=>openInvoice(${i.id}), 100)">
+      <td>${i.id}</td><td>${escHtml(i.invoice_kind||'—')}</td><td>${escHtml(i.vendor_name||'—')}</td>
+      <td style="font-family:'JetBrains Mono'">${escHtml(i.vendor_oib||'—')}</td>
+      <td>${fmtDate(i.invoice_date)}</td>
+      <td class="num">${fmtEur(i.amount_gross)}</td>
+      <td>${sBadge(i.payment_status)}</td>
+    </tr>`).join('') : '<tr><td colspan="7" style="color:var(--text-3);text-align:center;padding:14px">Nema vezanih računa</td></tr>';
+
+  // Actions
+  const a = r.actions || {};
+  const acts = [];
+  if (a.submit) acts.push(`<button class="btn yellow" onclick="submitPn(${id})">📤 Pošalji na odobrenje</button>`);
+  if (a.approve) acts.push(`<button class="btn green" onclick="approvePn(${id})">✓ Odobri</button>`);
+  if (a.reject) acts.push(`<button class="btn red" onclick="openRejectModal(${id})">✗ Odbij</button>`);
+  if (a.pay) acts.push(`<button class="btn green" onclick="openPayPnModal(${id})">💰 Isplati</button>`);
+  if (a.edit) acts.push(`<button class="btn sec" onclick="alert('Edit drafta — koristi M6 formu \\'Novi putni nalog\\' s prefilanim poljima (TODO UI)')">✏ Edit</button>`);
+  if (!acts.length) acts.push('<span style="color:var(--text-3);font-size:12px">Bez dostupnih akcija (samo pregled).</span>');
+  $('#pn_actions').innerHTML = acts.join('');
+
+  $('#pn_audit').innerHTML = renderAudit(r.audit);
+  openModal('pnModal');
+}
+
+async function submitPn(id) {
+  if (!confirm('Poslati putni nalog #' + id + ' na odobrenje?')) return;
+  const r = await fetch(`${ERP_API}/putni-nalog/${id}/posalji`, {method:'POST', headers: AUTH_HDR_JSON()}).then(r=>r.json()).catch(()=>null);
+  if (r && r.ok) { openPutni(id); loadPutni(); } else alert('Greška: ' + (r && r.detail || ''));
+}
+async function approvePn(id) {
+  if (!confirm('Odobriti putni nalog #' + id + '?')) return;
+  const r = await fetch(`${ERP_API}/putni-nalog/${id}/odobriti`, {method:'POST', headers: AUTH_HDR_JSON(), body: '{}'}).then(r=>r.json()).catch(()=>null);
+  if (r && r.ok) { openPutni(id); loadPutni(); } else alert('Greška: ' + (r && r.detail || ''));
+}
+function openRejectModal(id) {
+  $('#rejectText').value = '';
+  $('#rejectStatus').textContent = '';
+  openModal('rejectModal');
+  $('#rejectConfirm').onclick = async () => {
+    const reason = $('#rejectText').value.trim();
+    if (!reason) { $('#rejectStatus').textContent = 'Razlog je obavezan'; return; }
+    const r = await fetch(`${ERP_API}/putni-nalog/${id}/odbij`, {method:'POST', headers: AUTH_HDR_JSON(), body: JSON.stringify({razlog: reason})}).then(r=>r.json()).catch(()=>null);
+    if (r && r.ok) { closeModal('rejectModal'); openPutni(id); loadPutni(); }
+    else $('#rejectStatus').textContent = '❌ ' + (r && r.detail || 'Greška');
+  };
+}
+function openPayPnModal(id) {
+  const pn = _currentPn && _currentPn.putni_nalog;
+  if (pn) $('#ppn_amount').value = pn.cost_total || '';
+  $('#ppn_date').value = new Date().toISOString().substring(0,10);
+  $('#ppnStatus').textContent = '';
+  openModal('payPnModal');
+  $('#ppnConfirm').onclick = async () => {
+    const body = {
+      iban_to: $('#ppn_iban_to').value.trim(),
+      iban_from: $('#ppn_iban_from').value.trim(),
+      paid_date: $('#ppn_date').value,
+      amount: parseFloat($('#ppn_amount').value) || undefined,
+      reference: $('#ppn_ref').value.trim(),
+      bank_transaction_id: $('#ppn_tx').value.trim(),
+    };
+    $('#ppnStatus').textContent = '⏳';
+    const r = await fetch(`${ERP_API}/putni-nalog/${id}/isplati`, {method:'POST', headers: AUTH_HDR_JSON(), body: JSON.stringify(body)}).then(r=>r.json()).catch(()=>null);
+    if (r && r.ok) {
+      $('#ppnStatus').textContent = '✓ Isplaćeno';
+      $('#ppnStatus').style.color = 'var(--green)';
+      setTimeout(() => { closeModal('payPnModal'); openPutni(id); loadPutni(); }, 700);
+    } else {
+      $('#ppnStatus').textContent = '❌ ' + (r && r.detail || 'Greška');
+      $('#ppnStatus').style.color = 'var(--red)';
+    }
+  };
+}
+
+function activate(name) {
+  $$('.nav-item').forEach(n => n.classList.toggle('active', n.dataset.tab === name));
+  $$('.tab').forEach(t => t.classList.toggle('active', t.id === 'tab-' + name));
+  const titles = {ocr:'Skeniraj račun (OCR)',invoices:'Računi',putni:'Novi putni nalog','putni-list':'Lista putnih naloga'};
+  $('#pageTitle').textContent = titles[name] || name;
+  if (name === 'invoices') loadInvoices();
+  if (name === 'putni-list') loadPutni();
+}
+$$('.nav-item').forEach(n => n.addEventListener('click', () => activate(n.dataset.tab)));
+
+(async () => {
+  await loadKlubovi();
+  ocrInit();
+  pnInit();
+})();
+</script>
+</body>
+</html>
diff --git a/_backups/r3_cc4/ocr.py.pre_R5.1777937137 b/_backups/r3_cc4/ocr.py.pre_R5.1777937137
new file mode 100644
index 0000000..c9aae4c
--- /dev/null
+++ b/_backups/r3_cc4/ocr.py.pre_R5.1777937137
@@ -0,0 +1,835 @@
+#!/usr/bin/env python3
+# erp/ocr.py — PGŽ Sport ERP OCR router (M5)
+# Author: Damir Radulić <damir@rinet.one> / dradulic@outlook.com
+# Date:   2026-05-04
+# Description: /api/erp/ocr/upload + /parse — Tesseract OCR + DeepSeek V3 LLM extraction
+#              Persists into pgz_sport.invoice_uploads, then offers structured invoice parse.
+
+from __future__ import annotations
+
+import os
+import re
+import json
+import hashlib
+import subprocess
+import tempfile
+import traceback
+from datetime import datetime, date
+from pathlib import Path
+from typing import Optional, List, Any
+
+import psycopg2
+import psycopg2.extras
+import requests
+from fastapi import APIRouter, UploadFile, File, Form, HTTPException, Header, Query, Body
+from fastapi.responses import JSONResponse, FileResponse
+
+try:
+    from erp.permissions import (
+        can_view_invoice, can_edit_invoice, can_pay_invoice, can_comment_invoice,
+        invoice_actions, audit_invoice, fetch_audit, is_pgz_admin,
+    )
+except Exception:
+    # Fallback (always-allow) for unauth dev
+    def can_view_invoice(u, i): return True
+    def can_edit_invoice(u, i): return True
+    def can_pay_invoice(u, i): return True
+    def can_comment_invoice(u, i): return True
+    def invoice_actions(u, i): return {"view": True, "edit": True, "pay": True, "comment": True, "delete": False}
+    def audit_invoice(u, iid, op, field=None, old=None, new=None): pass
+    def fetch_audit(t, r, limit=50): return []
+    def is_pgz_admin(u): return False
+
+try:
+    from auth.auth_v2 import get_current_user as _auth_user
+except Exception:
+    _auth_user = None
+
+router = APIRouter(prefix="/api/erp", tags=["erp-ocr"])
+
+# === Config ===
+DB = dict(host="10.10.0.2", port=6432, dbname="rinet_v3", user="rinet",
+          password="R1net2026!SecureDB#v7")
+UPLOAD_DIR = Path("/opt/pgz-sport/_data/uploads/invoices")
+UPLOAD_DIR.mkdir(parents=True, exist_ok=True)
+
+DEEPSEEK_API_KEY = os.getenv("DEEPSEEK_API_KEY", "sk-33d29054d1ab4377b7d1a84bc0a423c7")
+DEEPSEEK_URL = "https://api.deepseek.com/v1/chat/completions"
+DEEPSEEK_MODEL = os.getenv("DEEPSEEK_MODEL", "deepseek-chat")
+
+ALLOWED_EXT = {".pdf", ".jpg", ".jpeg", ".png", ".tif", ".tiff", ".webp"}
+MAX_BYTES = 12 * 1024 * 1024  # 12 MB
+
+ADMIN_TOKEN = "admin-pgz-2026"
+
+
+def _db():
+    c = psycopg2.connect(**DB)
+    c.autocommit = True
+    return c
+
+
+def _is_admin(authorization: Optional[str]) -> bool:
+    if not authorization:
+        return False
+    t = authorization.replace("Bearer ", "").strip()
+    return t == ADMIN_TOKEN
+
+
+def _resolve_user(authorization: Optional[str]) -> Optional[dict]:
+    """Resolve current user via auth_v2 JWT, fallback to admin token (returns synthetic pgz_admin)."""
+    if _auth_user:
+        try:
+            u = _auth_user(authorization)
+            if u: return u
+        except Exception:
+            pass
+    if _is_admin(authorization):
+        return {"id": 0, "email": "admin@token", "user_type": "pgz_admin",
+                "klub_id": None, "savez_id": None, "_synthetic": True}
+    return None
+
+
+def _safe_filename(orig: str) -> str:
+    base = re.sub(r"[^A-Za-z0-9._-]+", "_", (orig or "upload").strip())[:120]
+    if not base:
+        base = "upload"
+    ts = datetime.now().strftime("%Y%m%d_%H%M%S")
+    return f"{ts}_{base}"
+
+
+def _extract_text(path: Path) -> tuple[str, str]:
+    """Return (text, method). Tries pdftotext first, falls back to tesseract."""
+    suf = path.suffix.lower()
+    if suf == ".pdf":
+        try:
+            r = subprocess.run(
+                ["pdftotext", "-layout", "-q", str(path), "-"],
+                capture_output=True, timeout=45,
+            )
+            txt = r.stdout.decode("utf-8", "ignore")
+            if len(txt.strip()) > 80:
+                return txt, "pdftotext"
+        except Exception:
+            pass
+        # Rasterize + tesseract
+        try:
+            with tempfile.TemporaryDirectory(prefix="ocr_") as td:
+                subprocess.run(
+                    ["pdftoppm", "-r", "200", str(path), f"{td}/page"],
+                    timeout=120, check=True,
+                )
+                chunks = []
+                for img in sorted(Path(td).glob("page-*.ppm"))[:5]:
+                    r = subprocess.run(
+                        ["tesseract", str(img), "-", "-l", "hrv+eng", "--psm", "6"],
+                        capture_output=True, timeout=90,
+                    )
+                    chunks.append(r.stdout.decode("utf-8", "ignore"))
+                return "\n".join(chunks), "tesseract"
+        except Exception as e:
+            return "", f"pdf_err:{e}"
+    if suf in {".jpg", ".jpeg", ".png", ".tif", ".tiff", ".webp"}:
+        try:
+            r = subprocess.run(
+                ["tesseract", str(path), "-", "-l", "hrv+eng", "--psm", "6"],
+                capture_output=True, timeout=120,
+            )
+            return r.stdout.decode("utf-8", "ignore"), "tesseract"
+        except Exception as e:
+            return "", f"img_err:{e}"
+    return "", f"unsupported:{suf}"
+
+
+# === HR invoice regex helpers ===
+_OIB = re.compile(r"\b(\d{11})\b")
+_IBAN = re.compile(r"\b(HR\d{19})\b")
+_DATE_DOT = re.compile(r"\b(\d{1,2})[.\s\-/]+(\d{1,2})[.\s\-/]+(20\d{2})\b")
+_DATE_ISO = re.compile(r"\b(20\d{2})[\-/](\d{1,2})[\-/](\d{1,2})\b")
+_AMOUNT_TOTAL = re.compile(
+    r"(?i)(?:UKUPNO|TOTAL|SVEUKUPNO|ZA NAPLATU|ZA PLATITI|ZA UPLATU|IZNOS\s+UKUPNO)[\s:€]*([\d.\s]{1,12}[,.]\d{2})"
+)
+_AMOUNT_VAT = re.compile(r"(?i)(?:PDV|VAT)[\s:%]*?([\d.\s]{1,8}[,.]\d{2})")
+_INVOICE_NO = re.compile(r"(?i)(?:ra[čc]un|invoice|broj|fakture|br\.)\s*[:#]?\s*([A-Z0-9\-/.]{3,30})")
+
+
+def _parse_amount(s: str) -> Optional[float]:
+    if not s:
+        return None
+    s = s.replace(" ", "").replace("\xa0", "")
+    # Croatian style "1.234,56" → 1234.56
+    if "," in s and "." in s:
+        s = s.replace(".", "").replace(",", ".")
+    elif "," in s:
+        s = s.replace(",", ".")
+    try:
+        return float(s)
+    except Exception:
+        return None
+
+
+def regex_extract(text: str) -> dict:
+    out: dict[str, Any] = {"raw_chars": len(text or "")}
+    if not text:
+        return out
+    oibs = list(dict.fromkeys(_OIB.findall(text)))
+    if oibs:
+        out["oibs_found"] = oibs
+        out["vendor_oib"] = oibs[0]
+        if len(oibs) > 1:
+            out["customer_oib"] = oibs[1]
+
+    m = _IBAN.search(text.replace(" ", ""))
+    if m:
+        out["iban"] = m.group(1)
+
+    m = _INVOICE_NO.search(text)
+    if m:
+        out["invoice_no"] = m.group(1).strip().rstrip(".,;")
+
+    for rx, order in [(_DATE_DOT, "dmy"), (_DATE_ISO, "ymd")]:
+        m = rx.search(text)
+        if m:
+            g = m.groups()
+            try:
+                if order == "dmy":
+                    out["invoice_date"] = f"{g[2]}-{int(g[1]):02d}-{int(g[0]):02d}"
+                else:
+                    out["invoice_date"] = f"{g[0]}-{int(g[1]):02d}-{int(g[2]):02d}"
+                # validate
+                date.fromisoformat(out["invoice_date"])
+                break
+            except Exception:
+                out.pop("invoice_date", None)
+
+    totals = [_parse_amount(x) for x in _AMOUNT_TOTAL.findall(text)]
+    totals = [t for t in totals if t and t > 0.01]
+    if totals:
+        out["amount_gross"] = max(totals)
+        out["amounts_found"] = totals[:6]
+
+    vats = [_parse_amount(x) for x in _AMOUNT_VAT.findall(text)]
+    vats = [v for v in vats if v and v > 0.01]
+    if vats:
+        # smallest plausible PDV (less than gross)
+        if "amount_gross" in out:
+            cand = [v for v in vats if v < out["amount_gross"]]
+            if cand:
+                out["amount_vat"] = max(cand)
+        else:
+            out["amount_vat"] = max(vats)
+
+    if "amount_gross" in out and "amount_vat" in out:
+        out["amount_net"] = round(out["amount_gross"] - out["amount_vat"], 2)
+
+    # Vendor name guess: first non-numeric, non-OIB line in header
+    for line in text.split("\n")[:12]:
+        ln = line.strip()
+        if 4 < len(ln) < 80 and not _OIB.search(ln) and not re.match(r"^[\d\s.,\-/€:]+$", ln):
+            out["vendor_name"] = ln
+            break
+
+    # Crude vendor guess for known HR sellers
+    upper = text.upper()
+    for keyword, label in [
+        ("INA d.d.", "INA"), ("INA-MAZIVA", "INA"), ("TIFON", "TIFON"),
+        ("PETROL", "PETROL"), ("HAC", "HAC"), ("BINA-ISTRA", "BINA-ISTRA"),
+        ("HRVATSKE AUTOCESTE", "HAC"),
+    ]:
+        if keyword in upper:
+            out.setdefault("vendor_brand", label)
+            break
+
+    return out
+
+
+# === DeepSeek V3 LLM extraction ===
+SYSTEM_PROMPT = (
+    "Ti si stručnjak za hrvatske račune (R-1, fiskalne, HUB-3). "
+    "Korisnik daje tekst računa izvučen OCR-om. Vrati ISKLJUČIVO valjani JSON, bez markdowna i komentara. "
+    "Ako neko polje nije sigurno - vrati null. Iznosi su brojevi (decimal s točkom). Datum je 'YYYY-MM-DD'."
+)
+
+LLM_SCHEMA_HINT = """{
+  "izdavatelj_naziv": str|null,
+  "izdavatelj_oib": str|null,
+  "izdavatelj_adresa": str|null,
+  "kupac_naziv": str|null,
+  "kupac_oib": str|null,
+  "datum": "YYYY-MM-DD"|null,
+  "broj_racuna": str|null,
+  "iznos_neto": float|null,
+  "iznos_pdv": float|null,
+  "iznos_brutto": float|null,
+  "stopa_pdv": float|null,
+  "valuta": "EUR"|"HRK"|null,
+  "nacin_placanja": str|null,
+  "IBAN": str|null,
+  "opis_svrhe": str|null,
+  "vrsta_troska": "gorivo"|"cestarina"|"hotel"|"restoran"|"oprema"|"ostalo"|null,
+  "stavke": [
+    {"opis": str, "kolicina": float, "jedinica": str, "cijena": float, "ukupno": float}
+  ]
+}"""
+
+
+def deepseek_extract(text: str, hint: dict | None = None) -> dict:
+    """Call DeepSeek chat completions for structured JSON extraction."""
+    if not DEEPSEEK_API_KEY:
+        return {"error": "no_api_key"}
+    if not text or len(text.strip()) < 20:
+        return {"error": "empty_text"}
+
+    user_msg = (
+        f"Iz teksta računa ispod izvuci polja po shemi:\n{LLM_SCHEMA_HINT}\n\n"
+        f"REGEX hint (može biti nepotpun ili netočan): {json.dumps(hint or {}, ensure_ascii=False)}\n\n"
+        f"--- TEKST RAČUNA ---\n{text[:8000]}\n--- KRAJ ---"
+    )
+    payload = {
+        "model": DEEPSEEK_MODEL,
+        "messages": [
+            {"role": "system", "content": SYSTEM_PROMPT},
+            {"role": "user", "content": user_msg},
+        ],
+        "response_format": {"type": "json_object"},
+        "temperature": 0.0,
+        "max_tokens": 1200,
+    }
+    headers = {
+        "Authorization": f"Bearer {DEEPSEEK_API_KEY}",
+        "Content-Type": "application/json",
+    }
+    try:
+        r = requests.post(DEEPSEEK_URL, headers=headers, json=payload, timeout=60)
+    except Exception as e:
+        return {"error": f"net:{e}"}
+    if r.status_code != 200:
+        return {"error": f"http_{r.status_code}", "detail": r.text[:300]}
+    try:
+        body = r.json()
+        content = body["choices"][0]["message"]["content"]
+        return json.loads(content)
+    except Exception as e:
+        return {"error": f"parse:{e}", "raw": (r.text[:500] if r else "")}
+
+
+# === Endpoints ===
+
+@router.post("/ocr/upload")
+async def ocr_upload(
+    file: UploadFile = File(...),
+    klub_id: Optional[int] = Form(None),
+    tenant_id: int = Form(1),
+    invoice_kind: str = Form("ostalo"),
+    authorization: Optional[str] = Header(None),
+):
+    """Upload an invoice file (PDF/image) → store on disk + insert pgz_sport.invoice_uploads."""
+    suffix = "." + (file.filename or "").rsplit(".", 1)[-1].lower()
+    if suffix not in ALLOWED_EXT:
+        raise HTTPException(400, f"Tip datoteke nije podržan: {suffix}. Dozvoljeno: {sorted(ALLOWED_EXT)}")
+
+    raw = await file.read()
+    if not raw:
+        raise HTTPException(400, "Prazna datoteka")
+    if len(raw) > MAX_BYTES:
+        raise HTTPException(400, f"Datoteka prevelika ({len(raw)} > {MAX_BYTES} bajtova)")
+
+    sha256 = hashlib.sha256(raw).hexdigest()
+    fname = _safe_filename(file.filename or "upload")
+    if not fname.endswith(suffix):
+        fname += suffix
+    path = UPLOAD_DIR / fname
+    path.write_bytes(raw)
+
+    with _db() as c:
+        cur = c.cursor(cursor_factory=psycopg2.extras.RealDictCursor)
+        cur.execute(
+            """
+            INSERT INTO pgz_sport.invoice_uploads
+                (klub_id, file_name, file_path, file_size, mime, sha256, ocr_status, meta)
+            VALUES (%s, %s, %s, %s, %s, %s, 'pending', %s)
+            RETURNING id, klub_id, file_name, ocr_status, uploaded_at
+            """,
+            (klub_id, file.filename, str(path), len(raw), file.content_type or "",
+             sha256, json.dumps({"tenant_id": tenant_id, "invoice_kind": invoice_kind})),
+        )
+        row = cur.fetchone()
+    return {"ok": True, "upload_id": row["id"], "file_name": row["file_name"],
+            "size": len(raw), "sha256": sha256, "status": row["ocr_status"]}
+
+
+@router.post("/ocr/parse")
+async def ocr_parse(
+    upload_id: Optional[int] = Form(None),
+    file: Optional[UploadFile] = File(None),
+    use_llm: bool = Form(True),
+    authorization: Optional[str] = Header(None),
+):
+    """Run OCR + (optional) DeepSeek LLM extraction.
+    Either pass upload_id (parse a previously uploaded file) or send file directly (one-shot)."""
+    tmp_to_clean: Optional[Path] = None
+    upload_row = None
+    try:
+        if upload_id:
+            with _db() as c:
+                cur = c.cursor(cursor_factory=psycopg2.extras.RealDictCursor)
+                cur.execute("SELECT * FROM pgz_sport.invoice_uploads WHERE id=%s", (upload_id,))
+                upload_row = cur.fetchone()
+            if not upload_row:
+                raise HTTPException(404, f"Upload id={upload_id} ne postoji")
+            target = Path(upload_row["file_path"])
+            if not target.exists():
+                raise HTTPException(404, f"Datoteka ne postoji na disku: {target}")
+        elif file:
+            suffix = "." + (file.filename or "").rsplit(".", 1)[-1].lower()
+            if suffix not in ALLOWED_EXT:
+                raise HTTPException(400, f"Tip datoteke nije podržan: {suffix}")
+            raw = await file.read()
+            if not raw:
+                raise HTTPException(400, "Prazna datoteka")
+            tmp = tempfile.NamedTemporaryFile(prefix="parse_", suffix=suffix, delete=False)
+            tmp.write(raw); tmp.close()
+            target = Path(tmp.name)
+            tmp_to_clean = target
+        else:
+            raise HTTPException(400, "Treba poslati upload_id ILI file")
+
+        text, method = _extract_text(target)
+        if len(text.strip()) < 20:
+            return {"ok": False, "ocr_method": method, "raw_chars": len(text),
+                    "error": "OCR nije uspio izvući dovoljno teksta"}
+
+        regex_fields = regex_extract(text)
+        regex_fields["ocr_method"] = method
+
+        llm_fields: dict = {}
+        if use_llm:
+            llm_fields = deepseek_extract(text, hint=regex_fields)
+
+        # Merge: LLM overrides regex when valid
+        merged = dict(regex_fields)
+        for k in ("izdavatelj_naziv", "izdavatelj_oib", "kupac_oib", "datum",
+                  "broj_racuna", "iznos_neto", "iznos_pdv", "iznos_brutto",
+                  "stopa_pdv", "valuta", "IBAN", "opis_svrhe", "vrsta_troska",
+                  "izdavatelj_adresa", "nacin_placanja"):
+            v = llm_fields.get(k) if isinstance(llm_fields, dict) else None
+            if v not in (None, "", "null"):
+                merged[k] = v
+
+        # Normalize aliases for UI / DB
+        if "izdavatelj_naziv" in merged: merged.setdefault("vendor_name", merged["izdavatelj_naziv"])
+        if "izdavatelj_oib"   in merged: merged.setdefault("vendor_oib",  merged["izdavatelj_oib"])
+        if "izdavatelj_adresa" in merged: merged.setdefault("vendor_address", merged["izdavatelj_adresa"])
+        if "kupac_oib"        in merged: merged.setdefault("customer_oib", merged["kupac_oib"])
+        if "datum"            in merged: merged.setdefault("invoice_date", merged["datum"])
+        if "broj_racuna"      in merged: merged.setdefault("invoice_no", merged["broj_racuna"])
+        if "iznos_brutto"     in merged: merged.setdefault("amount_gross", merged["iznos_brutto"])
+        if "iznos_neto"       in merged: merged.setdefault("amount_net", merged["iznos_neto"])
+        if "iznos_pdv"        in merged: merged.setdefault("amount_vat", merged["iznos_pdv"])
+        if "stopa_pdv"        in merged: merged.setdefault("vat_rate", merged["stopa_pdv"])
+        if "valuta"           in merged: merged.setdefault("currency", merged["valuta"])
+        if "IBAN"             in merged: merged.setdefault("iban", merged["IBAN"])
+        if "opis_svrhe"       in merged: merged.setdefault("description", merged["opis_svrhe"])
+        if "vrsta_troska"     in merged: merged.setdefault("category", merged["vrsta_troska"])
+
+        # Persist back to invoice_uploads when we have upload_row
+        if upload_row:
+            try:
+                with _db() as c:
+                    c.cursor().execute(
+                        """UPDATE pgz_sport.invoice_uploads
+                           SET ocr_status='done', processed_at=NOW(),
+                               ocr_engine=%s, ocr_text=%s,
+                               ai_invoice_no=%s, ai_invoice_date=%s,
+                               ai_vendor_name=%s, ai_vendor_oib=%s,
+                               ai_amount_gross=%s, ai_currency=%s, ai_iban=%s,
+                               ai_extracted=%s, ai_engine=%s
+                           WHERE id=%s""",
+                        (
+                            method, text[:50000],
+                            merged.get("invoice_no"),
+                            merged.get("invoice_date") if isinstance(merged.get("invoice_date"), str) else None,
+                            merged.get("vendor_name"),
+                            merged.get("vendor_oib"),
+                            merged.get("amount_gross"),
+                            merged.get("currency", "EUR"),
+                            merged.get("iban"),
+                            json.dumps({"regex": regex_fields, "llm": llm_fields, "merged": merged},
+                                       ensure_ascii=False, default=str),
+                            ("deepseek-v3" if use_llm and "error" not in (llm_fields or {}) else "regex"),
+                            upload_row["id"],
+                        ),
+                    )
+            except Exception as e:
+                merged["_persist_warn"] = str(e)[:200]
+
+        return {
+            "ok": True,
+            "upload_id": (upload_row["id"] if upload_row else None),
+            "ocr_method": method,
+            "raw_chars": len(text),
+            "regex": regex_fields,
+            "llm": llm_fields,
+            "extracted": merged,
+            "raw_text_preview": text[:1500],
+        }
+    finally:
+        if tmp_to_clean and tmp_to_clean.exists():
+            try:
+                tmp_to_clean.unlink()
+            except Exception:
+                pass
+
+
+# === Invoices CRUD (M5) ===
+
+@router.get("/invoices")
+def invoices_list(
+    tenant_id: Optional[int] = Query(None),
+    klub_id: Optional[int] = Query(None),
+    status: Optional[str] = Query(None),
+    kind: Optional[str] = Query(None),
+    limit: int = Query(100, le=500),
+    offset: int = Query(0),
+):
+    sql = """SELECT i.id, i.klub_id, k.naziv AS klub_naziv,
+                    i.invoice_kind, i.invoice_no, i.internal_no,
+                    i.vendor_name, i.vendor_oib, i.customer_name, i.customer_oib,
+                    i.invoice_date, i.due_date, i.paid_date, i.currency,
+                    i.amount_net, i.amount_vat, i.amount_gross, i.vat_rate,
+                    i.payment_status, i.payment_method, i.iban_to,
+                    i.description, i.category, i.tenant_id,
+                    i.created_at, i.approved_at
+             FROM pgz_sport.invoices i
+             LEFT JOIN pgz_sport.klubovi k ON k.id = i.klub_id
+             WHERE 1=1"""
+    args: list = []
+    if tenant_id is not None:
+        sql += " AND i.tenant_id=%s"; args.append(tenant_id)
+    if klub_id is not None:
+        sql += " AND i.klub_id=%s"; args.append(klub_id)
+    if status:
+        sql += " AND i.payment_status=%s"; args.append(status)
+    if kind:
+        sql += " AND i.invoice_kind=%s"; args.append(kind)
+    sql += " ORDER BY i.invoice_date DESC NULLS LAST, i.id DESC LIMIT %s OFFSET %s"
+    args += [limit, offset]
+    with _db() as c:
+        cur = c.cursor(cursor_factory=psycopg2.extras.RealDictCursor)
+        cur.execute(sql, args)
+        rows = cur.fetchall()
+    return {"ok": True, "rows": rows, "count": len(rows)}
+
+
+@router.get("/invoices/{invoice_id}")
+def invoices_get(invoice_id: int, authorization: Optional[str] = Header(None)):
+    user = _resolve_user(authorization)
+    with _db() as c:
+        cur = c.cursor(cursor_factory=psycopg2.extras.RealDictCursor)
+        cur.execute(
+            """SELECT i.*, k.naziv AS klub_naziv, k.savez_id
+               FROM pgz_sport.invoices i
+               LEFT JOIN pgz_sport.klubovi k ON k.id = i.klub_id
+               WHERE i.id=%s""", (invoice_id,))
+        row = cur.fetchone()
+        if not row:
+            raise HTTPException(404, "Račun ne postoji")
+        if user and not can_view_invoice(user, row):
+            raise HTTPException(403, "Nemate ovlasti vidjeti ovaj račun")
+        cur.execute("SELECT * FROM pgz_sport.invoice_lines WHERE invoice_id=%s ORDER BY line_no, id",
+                    (invoice_id,))
+        lines = cur.fetchall()
+        cur.execute(
+            """SELECT id, file_name, file_size, mime, sha256, ocr_status, ocr_engine,
+                      ai_extracted, uploaded_at, processed_at
+               FROM pgz_sport.invoice_uploads WHERE invoice_id=%s
+               ORDER BY uploaded_at DESC""", (invoice_id,))
+        uploads = cur.fetchall()
+        cur.execute(
+            """SELECT id, payment_date, amount, currency, payment_method, iban_from,
+                      iban_to, reference, bank_transaction_id, matched_status, created_at
+               FROM pgz_sport.payments WHERE invoice_id=%s ORDER BY payment_date DESC""",
+            (invoice_id,))
+        payments = cur.fetchall()
+    audit = fetch_audit("pgz_sport.invoices", invoice_id, 50)
+    actions = invoice_actions(user, row) if user else {"view": True, "edit": False, "pay": False, "comment": False, "delete": False}
+    return {"ok": True, "invoice": row, "lines": lines, "uploads": uploads,
+            "payments": payments, "audit": audit, "actions": actions}
+
+
+@router.get("/invoices/{invoice_id}/file")
+def invoices_file(invoice_id: int, authorization: Optional[str] = Header(None)):
+    """Streamira originalnu datoteku skena/računa (slika ili PDF)."""
+    user = _resolve_user(authorization)
+    with _db() as c:
+        cur = c.cursor(cursor_factory=psycopg2.extras.RealDictCursor)
+        cur.execute("SELECT i.id, i.klub_id FROM pgz_sport.invoices i WHERE i.id=%s", (invoice_id,))
+        inv = cur.fetchone()
+        if not inv:
+            raise HTTPException(404, "Račun ne postoji")
+        if user and not can_view_invoice(user, inv):
+            raise HTTPException(403, "Nemate ovlasti")
+        cur.execute(
+            """SELECT file_path, file_name, mime FROM pgz_sport.invoice_uploads
+               WHERE invoice_id=%s ORDER BY uploaded_at DESC LIMIT 1""", (invoice_id,))
+        up = cur.fetchone()
+    if not up:
+        raise HTTPException(404, "Datoteka skena ne postoji za ovaj račun")
+    p = Path(up["file_path"])
+    if not p.exists():
+        raise HTTPException(404, f"Datoteka ne postoji na disku")
+    return FileResponse(str(p), media_type=up.get("mime") or "application/octet-stream",
+                        filename=up.get("file_name") or p.name)
+
+
+@router.get("/invoices/uploads/{upload_id}/file")
+def upload_file(upload_id: int, authorization: Optional[str] = Header(None)):
+    user = _resolve_user(authorization)
+    with _db() as c:
+        cur = c.cursor(cursor_factory=psycopg2.extras.RealDictCursor)
+        cur.execute("SELECT * FROM pgz_sport.invoice_uploads WHERE id=%s", (upload_id,))
+        up = cur.fetchone()
+    if not up:
+        raise HTTPException(404, "Upload ne postoji")
+    if user and not is_pgz_admin(user) and user.get("klub_id") != up.get("klub_id"):
+        raise HTTPException(403, "Nemate ovlasti")
+    p = Path(up["file_path"])
+    if not p.exists():
+        raise HTTPException(404, "Datoteka ne postoji")
+    return FileResponse(str(p), media_type=up.get("mime") or "application/octet-stream",
+                        filename=up.get("file_name") or p.name)
+
+
+@router.post("/invoices/{invoice_id}/comment")
+def invoices_comment(invoice_id: int, body: dict = Body(...),
+                     authorization: Optional[str] = Header(None)):
+    """Savez admin / klub admin / pgz admin može dodati komentar (audit log entry)."""
+    user = _resolve_user(authorization)
+    with _db() as c:
+        cur = c.cursor(cursor_factory=psycopg2.extras.RealDictCursor)
+        cur.execute("SELECT i.*, k.savez_id FROM pgz_sport.invoices i LEFT JOIN pgz_sport.klubovi k ON k.id=i.klub_id WHERE i.id=%s", (invoice_id,))
+        inv = cur.fetchone()
+    if not inv:
+        raise HTTPException(404, "Račun ne postoji")
+    if user and not can_comment_invoice(user, inv):
+        raise HTTPException(403, "Nemate ovlasti komentirati")
+    txt = (body.get("comment") or "").strip()
+    if not txt:
+        raise HTTPException(400, "Komentar je prazan")
+    audit_invoice(user, invoice_id, "comment", field="komentar", old=None, new=txt[:500])
+    return {"ok": True, "invoice_id": invoice_id, "comment": txt}
+
+
+@router.get("/invoices/{invoice_id}/audit")
+def invoices_audit(invoice_id: int, limit: int = 100,
+                   authorization: Optional[str] = Header(None)):
+    user = _resolve_user(authorization)
+    with _db() as c:
+        cur = c.cursor(cursor_factory=psycopg2.extras.RealDictCursor)
+        cur.execute("SELECT i.id, i.klub_id FROM pgz_sport.invoices i WHERE i.id=%s", (invoice_id,))
+        inv = cur.fetchone()
+    if not inv:
+        raise HTTPException(404, "Račun ne postoji")
+    if user and not can_view_invoice(user, inv):
+        raise HTTPException(403, "Nemate ovlasti")
+    return {"ok": True, "audit": fetch_audit("pgz_sport.invoices", invoice_id, limit)}
+
+
+@router.post("/invoices")
+def invoices_create(body: dict = Body(...), authorization: Optional[str] = Header(None)):
+    """Create an invoice from parsed OCR result.
+    Body: {klub_id, tenant_id, invoice_kind, invoice_no, vendor_name, vendor_oib,
+           invoice_date, amount_gross, amount_net, amount_vat, vat_rate, currency,
+           iban_to, description, category, lines:[{...}], upload_id?}"""
+    required = ["invoice_kind", "invoice_no", "invoice_date", "amount_gross"]
+    for k in required:
+        if body.get(k) in (None, ""):
+            raise HTTPException(400, f"Nedostaje polje: {k}")
+
+    klub_id = body.get("klub_id")
+    tenant_id = body.get("tenant_id", 1)
+    upload_id = body.get("upload_id")
+    lines = body.get("lines") or []
+
+    with _db() as c:
+        cur = c.cursor(cursor_factory=psycopg2.extras.RealDictCursor)
+        cur.execute(
+            """INSERT INTO pgz_sport.invoices
+               (klub_id, invoice_kind, invoice_no, internal_no,
+                vendor_oib, vendor_name, vendor_address,
+                customer_oib, customer_name,
+                invoice_date, due_date, currency,
+                amount_net, amount_vat, amount_gross, vat_rate,
+                payment_status, payment_method, iban_to,
+                description, category, account_code, tenant_id, meta)
+               VALUES (%s,%s,%s,%s, %s,%s,%s, %s,%s,
+                       %s,%s,COALESCE(%s,'EUR'),
+                       %s,%s,%s,%s,
+                       COALESCE(%s,'unpaid'),%s,%s,
+                       %s,%s,%s,%s,%s)
+               ON CONFLICT (klub_id, invoice_kind, invoice_no, vendor_oib)
+               DO UPDATE SET amount_gross=EXCLUDED.amount_gross,
+                             amount_net=EXCLUDED.amount_net,
+                             amount_vat=EXCLUDED.amount_vat,
+                             updated_at=NOW()
+               RETURNING id, invoice_no, amount_gross, payment_status""",
+            (
+                klub_id, body["invoice_kind"], body["invoice_no"], body.get("internal_no"),
+                body.get("vendor_oib"), body.get("vendor_name"), body.get("vendor_address"),
+                body.get("customer_oib"), body.get("customer_name"),
+                body["invoice_date"], body.get("due_date"), body.get("currency"),
+                body.get("amount_net"), body.get("amount_vat"), body["amount_gross"], body.get("vat_rate"),
+                body.get("payment_status"), body.get("payment_method"), body.get("iban_to"),
+                body.get("description"), body.get("category"), body.get("account_code"),
+                tenant_id, json.dumps(body.get("meta", {})),
+            ),
+        )
+        inv = cur.fetchone()
+        inv_id = inv["id"]
+
+        # Replace lines
+        cur.execute("DELETE FROM pgz_sport.invoice_lines WHERE invoice_id=%s", (inv_id,))
+        for i, ln in enumerate(lines, start=1):
+            cur.execute(
+                """INSERT INTO pgz_sport.invoice_lines
+                   (invoice_id, line_no, description, quantity, unit, unit_price,
+                    vat_rate, line_net, line_vat, line_gross, account_code, cost_center, meta)
+                   VALUES (%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s)""",
+                (
+                    inv_id, ln.get("line_no", i), ln.get("description") or ln.get("opis") or "",
+                    ln.get("quantity") or ln.get("kolicina") or 1,
+                    ln.get("unit") or ln.get("jedinica") or "kom",
+                    ln.get("unit_price") or ln.get("cijena"),
+                    ln.get("vat_rate", 25),
+                    ln.get("line_net"), ln.get("line_vat"),
+                    ln.get("line_gross") or ln.get("ukupno"),
+                    ln.get("account_code"), ln.get("cost_center"),
+                    json.dumps(ln.get("meta", {})),
+                ),
+            )
+
+        # Link upload to invoice
+        if upload_id:
+            cur.execute(
+                "UPDATE pgz_sport.invoice_uploads SET invoice_id=%s WHERE id=%s",
+                (inv_id, upload_id),
+            )
+
+    return {"ok": True, "invoice": inv}
+
+
+@router.put("/invoices/{invoice_id}")
+def invoices_update(invoice_id: int, body: dict = Body(...), authorization: Optional[str] = Header(None)):
+    """Update / approve invoice. Body may include any of: payment_status, paid_date,
+    approved (bool), notes, category, account_code, due_date."""
+    user = _resolve_user(authorization)
+    with _db() as c:
+        cur = c.cursor(cursor_factory=psycopg2.extras.RealDictCursor)
+        cur.execute("SELECT i.*, k.savez_id FROM pgz_sport.invoices i LEFT JOIN pgz_sport.klubovi k ON k.id=i.klub_id WHERE i.id=%s", (invoice_id,))
+        inv = cur.fetchone()
+    if not inv:
+        raise HTTPException(404, "Račun ne postoji")
+    if user and not can_edit_invoice(user, inv):
+        raise HTTPException(403, "Nemate ovlasti uređivati ovaj račun")
+
+    fields = []
+    args: list = []
+    changes = []
+    for col in ("payment_status", "paid_date", "due_date", "category",
+                "account_code", "notes", "vat_rate", "amount_net", "amount_vat",
+                "amount_gross", "payment_method", "iban_to"):
+        if col in body:
+            fields.append(f"{col}=%s")
+            args.append(body[col])
+            changes.append((col, inv.get(col), body[col]))
+    if body.get("approved"):
+        fields.append("approved_at=NOW()")
+        changes.append(("approved_at", inv.get("approved_at"), "now"))
+    if not fields:
+        raise HTTPException(400, "Nema polja za izmjenu")
+    fields.append("updated_at=NOW()")
+    args.append(invoice_id)
+    with _db() as c:
+        cur = c.cursor(cursor_factory=psycopg2.extras.RealDictCursor)
+        cur.execute(f"UPDATE pgz_sport.invoices SET {','.join(fields)} WHERE id=%s RETURNING *", args)
+        row = cur.fetchone()
+    for f, o, n in changes:
+        audit_invoice(user, invoice_id, "update", field=f, old=o, new=n)
+    return {"ok": True, "invoice": row}
+
+
+@router.post("/invoices/{invoice_id}/pay")
+def invoices_pay(invoice_id: int, body: dict = Body(default={}),
+                 authorization: Optional[str] = Header(None)):
+    """Označi račun kao plaćen + insert payment record.
+    Body: {iban_to, iban_from, paid_date, reference, bank_transaction_id, payment_method, amount}
+    """
+    user = _resolve_user(authorization)
+    with _db() as c:
+        cur = c.cursor(cursor_factory=psycopg2.extras.RealDictCursor)
+        cur.execute("SELECT i.*, k.savez_id FROM pgz_sport.invoices i LEFT JOIN pgz_sport.klubovi k ON k.id=i.klub_id WHERE i.id=%s", (invoice_id,))
+        inv = cur.fetchone()
+    if not inv:
+        raise HTTPException(404, "Račun ne postoji")
+    if user and not can_pay_invoice(user, inv):
+        raise HTTPException(403, "Nemate ovlasti označiti račun kao plaćen")
+    if (inv.get("payment_status") or "").lower() == "paid":
+        raise HTTPException(409, "Račun je već označen kao plaćen")
+
+    paid_date = body.get("paid_date") or date.today().isoformat()
+    payment_method = body.get("payment_method") or "transfer"
+    iban_from = body.get("iban_from")
+    iban_to = body.get("iban_to") or inv.get("iban_to")
+    reference = body.get("reference")
+    tx_id = body.get("bank_transaction_id") or body.get("tx_id")
+    amount = body.get("amount") or inv.get("amount_gross")
+
+    with _db() as c:
+        cur = c.cursor(cursor_factory=psycopg2.extras.RealDictCursor)
+        cur.execute(
+            """UPDATE pgz_sport.invoices
+               SET payment_status='paid', paid_date=%s,
+                   payment_method=COALESCE(%s,payment_method),
+                   iban_from=COALESCE(%s,iban_from),
+                   iban_to=COALESCE(%s,iban_to),
+                   updated_at=NOW()
+               WHERE id=%s
+               RETURNING id, invoice_no, paid_date, amount_gross, payment_status,
+                         iban_from, iban_to, payment_method""",
+            (paid_date, payment_method, iban_from, iban_to, invoice_id),
+        )
+        row = cur.fetchone()
+        # Insert payment record
+        cur.execute(
+            """INSERT INTO pgz_sport.payments
+               (klub_id, invoice_id, payment_date, amount, currency, payment_method,
+                iban_from, iban_to, reference, bank_transaction_id, matched_status)
+               VALUES (%s,%s,%s,%s,COALESCE(%s,'EUR'),%s,%s,%s,%s,%s,'matched')
+               RETURNING id""",
+            (inv.get("klub_id"), invoice_id, paid_date, amount,
+             inv.get("currency"), payment_method, iban_from, iban_to,
+             reference, tx_id),
+        )
+        pay = cur.fetchone()
+    audit_invoice(user, invoice_id, "pay", field="payment_status",
+                   old=inv.get("payment_status"), new="paid")
+    return {"ok": True, "invoice": row, "payment_id": pay["id"] if pay else None}
+
+
+@router.get("/invoices/uploads/list")
+def uploads_list(klub_id: Optional[int] = None, status: Optional[str] = None, limit: int = 50):
+    sql = """SELECT id, klub_id, file_name, file_size, mime, ocr_status, ocr_engine,
+                    ai_invoice_no, ai_invoice_date, ai_vendor_name, ai_vendor_oib,
+                    ai_amount_gross, ai_currency, invoice_id, uploaded_at, processed_at
+             FROM pgz_sport.invoice_uploads WHERE 1=1"""
+    args: list = []
+    if klub_id is not None:
+        sql += " AND klub_id=%s"; args.append(klub_id)
+    if status:
+        sql += " AND ocr_status=%s"; args.append(status)
+    sql += " ORDER BY uploaded_at DESC LIMIT %s"; args.append(limit)
+    with _db() as c:
+        cur = c.cursor(cursor_factory=psycopg2.extras.RealDictCursor)
+        cur.execute(sql, args)
+        rows = cur.fetchall()
+    return {"ok": True, "rows": rows}
diff --git a/_backups/r3_cc4/putni_nalozi.py.pre_R5.1777937137 b/_backups/r3_cc4/putni_nalozi.py.pre_R5.1777937137
new file mode 100644
index 0000000..34f0695
--- /dev/null
+++ b/_backups/r3_cc4/putni_nalozi.py.pre_R5.1777937137
@@ -0,0 +1,615 @@
+#!/usr/bin/env python3
+# erp/putni_nalozi.py — PGŽ Sport ERP putni nalozi (M6)
+# Author: Damir Radulić <damir@rinet.one> / dradulic@outlook.com
+# Date:   2026-05-04
+# Description: CRUD putnih naloga + obračun dnevnica (HR pravilnik 2025).
+
+from __future__ import annotations
+
+import json
+from datetime import datetime, date, timedelta
+from typing import Optional, Any
+
+import psycopg2
+import psycopg2.extras
+from fastapi import APIRouter, Body, HTTPException, Query, Header
+
+try:
+    from erp.permissions import (
+        can_view_putni_nalog, can_edit_putni_nalog, can_submit_putni_nalog,
+        can_approve_putni_nalog, can_pay_putni_nalog, putni_nalog_actions,
+        audit_putni, fetch_audit, is_pgz_admin,
+    )
+except Exception:
+    def can_view_putni_nalog(u, p): return True
+    def can_edit_putni_nalog(u, p): return True
+    def can_submit_putni_nalog(u, p): return True
+    def can_approve_putni_nalog(u, p): return True
+    def can_pay_putni_nalog(u, p): return True
+    def putni_nalog_actions(u, p): return {"view": True, "edit": True, "submit": True, "approve": True, "reject": True, "pay": True, "delete": False}
+    def audit_putni(u, pid, op, field=None, old=None, new=None): pass
+    def fetch_audit(t, r, limit=50): return []
+    def is_pgz_admin(u): return False
+
+try:
+    from auth.auth_v2 import get_current_user as _auth_user
+except Exception:
+    _auth_user = None
+
+ADMIN_TOKEN = "admin-pgz-2026"
+
+def _resolve_user(authorization):
+    if _auth_user:
+        try:
+            u = _auth_user(authorization)
+            if u: return u
+        except Exception:
+            pass
+    if authorization and authorization.replace("Bearer ", "").strip() == ADMIN_TOKEN:
+        return {"id": 0, "email": "admin@token", "user_type": "pgz_admin",
+                "klub_id": None, "savez_id": None, "_synthetic": True}
+    return None
+
+
+router = APIRouter(prefix="/api/erp", tags=["erp-putni-nalozi"])
+
+DB = dict(host="10.10.0.2", port=6432, dbname="rinet_v3", user="rinet",
+          password="R1net2026!SecureDB#v7")
+
+# === HR pravilnik 2025 — dnevnice ===
+# Domaće: 26.54 € (puna) za put >8h, 13.27 € za 5-8h, 0 € za <5h.
+# Izvor: NN — Pravilnik o porezu na dohodak, neoporezivi iznosi 2025 (200 kn ≈ 26.54 €).
+DNEVNICA_DOM_FULL = 26.54   # EUR
+DNEVNICA_DOM_HALF = 13.27   # EUR
+KM_RATE_DEFAULT = 0.50      # EUR/km (vlastiti automobil)
+
+# Inozemne dnevnice (Uredba o izdacima službenih putovanja u inozemstvo).
+DNEVNICE_INO = {
+    "Italija": 35.00,
+    "Italy": 35.00,
+    "Slovenija": 30.00,
+    "Slovenia": 30.00,
+    "Austrija": 35.00,
+    "Austria": 35.00,
+    "Mađarska": 30.00,
+    "Madarska": 30.00,
+    "Hungary": 30.00,
+    "Bosna i Hercegovina": 30.00,
+    "BiH": 30.00,
+    "Bosnia": 30.00,
+    "Srbija": 30.00,
+    "Serbia": 30.00,
+    "Crna Gora": 30.00,
+    "Montenegro": 30.00,
+    "Njemačka": 50.00,
+    "Germany": 50.00,
+    "Francuska": 50.00,
+    "France": 50.00,
+    "Švicarska": 60.00,
+    "Switzerland": 60.00,
+    "SAD": 70.00,
+    "USA": 70.00,
+}
+
+
+def _db():
+    c = psycopg2.connect(**DB)
+    c.autocommit = True
+    return c
+
+
+def _parse_dt(v) -> Optional[datetime]:
+    if v is None or v == "":
+        return None
+    if isinstance(v, datetime):
+        return v
+    s = str(v).strip().replace("Z", "+00:00")
+    for fmt in ("%Y-%m-%dT%H:%M:%S", "%Y-%m-%dT%H:%M", "%Y-%m-%d %H:%M:%S",
+                "%Y-%m-%d %H:%M", "%Y-%m-%d"):
+        try:
+            return datetime.strptime(s[:len(fmt) + 5].rstrip("ZZ"), fmt)
+        except Exception:
+            continue
+    try:
+        return datetime.fromisoformat(s)
+    except Exception:
+        return None
+
+
+def compute_dnevnice(date_from, date_to, country: str = "Hrvatska") -> dict:
+    """
+    Vraća: {hours, days_full, days_half, dnevnica_amount_total, breakdown[]}
+    Pravila (HR pravilnik 2025, neoporeziv iznos):
+      - Domaće: <5h = 0; 5-8h = pola; >8h = puna; svaka dodatna pokrivena 24h sekcija = puna.
+      - Inozemne: pune dnevnice po zemlji (DNEVNICE_INO), inače fallback 50 €.
+      - Više dana: zaokružujemo po 24h segmentima; završetak <8h = 0, 8-12 = puna (po pravilu zaokruživanja na cijele dane), no koristimo konzervativni izračun po segmentima.
+    Implementacija (jednostavna, transparentna):
+      1) ukupne sate računaj kao razliku.
+      2) full_segments = sati // 24
+      3) ostatak_sati = sati - full_segments*24
+      4) ako ostatak >= 8 → +1 puna; ako 5 <= ostatak < 8 → +0.5; ako <5 → +0.
+      5) puna dnevnica = pun_iznos po zemlji; pola = polovica.
+    """
+    df = _parse_dt(date_from)
+    dt = _parse_dt(date_to)
+    if not df or not dt or dt < df:
+        return {"error": "neispravni datumi", "hours": 0,
+                "days_full": 0, "days_half": 0,
+                "dnevnica_amount_total": 0.0, "breakdown": []}
+
+    delta = dt - df
+    hours = round(delta.total_seconds() / 3600, 2)
+
+    full_segments = int(delta.total_seconds() // (24 * 3600))
+    remainder_h = (delta.total_seconds() - full_segments * 24 * 3600) / 3600.0
+
+    days_full = full_segments
+    days_half = 0.0
+    if remainder_h >= 8:
+        days_full += 1
+    elif remainder_h >= 5:
+        days_half += 1
+    # else: 0
+
+    is_domestic = (country or "").strip().lower() in ("hrvatska", "croatia", "hr")
+    if is_domestic:
+        full_amt = DNEVNICA_DOM_FULL
+        half_amt = DNEVNICA_DOM_HALF
+    else:
+        full_amt = DNEVNICE_INO.get(country.strip(), 50.00)
+        half_amt = full_amt / 2.0
+
+    total = round(days_full * full_amt + days_half * half_amt, 2)
+
+    return {
+        "hours": hours,
+        "days_full": days_full,
+        "days_half": days_half,
+        "country": country,
+        "rate_full": full_amt,
+        "rate_half": half_amt,
+        "dnevnica_amount_total": total,
+        "breakdown": [
+            f"{days_full} pun{'' if days_full == 1 else 'e'} dnevnice × {full_amt:.2f} €",
+            f"{days_half} pola dnevnice × {full_amt:.2f} €" if days_half else "",
+        ],
+    }
+
+
+def compute_kilometrina(km: float, km_rate: float = KM_RATE_DEFAULT) -> float:
+    try:
+        return round(float(km or 0) * float(km_rate or 0), 2)
+    except Exception:
+        return 0.0
+
+
+# === Endpoints ===
+
+@router.get("/putni-nalog/dnevnice/preview")
+def preview_dnevnice(date_from: str, date_to: str, country: str = "Hrvatska",
+                     km: float = 0.0, km_rate: float = KM_RATE_DEFAULT):
+    """Preview dnevnica + kilometrine bez upisa u DB. Koristi UI za live preview."""
+    d = compute_dnevnice(date_from, date_to, country)
+    km_amt = compute_kilometrina(km, km_rate)
+    d["km_amount"] = km_amt
+    d["km_driven"] = km
+    d["km_rate"] = km_rate
+    d["total_estimated"] = round((d.get("dnevnica_amount_total") or 0) + km_amt, 2)
+    return {"ok": True, "preview": d}
+
+
+@router.get("/putni-nalog")
+def list_putni_nalozi(klub_id: Optional[int] = None,
+                     status: Optional[str] = None,
+                     limit: int = Query(100, le=500),
+                     offset: int = 0):
+    sql = """SELECT er.id, er.klub_id, k.naziv AS klub_naziv,
+                    er.user_id, er.clan_id, er.report_type, er.report_no,
+                    er.destination, er.purpose,
+                    er.date_from, er.date_to,
+                    er.vehicle_type, er.vehicle_plate,
+                    er.km_driven, er.km_rate,
+                    er.cost_transport, er.cost_lodging, er.cost_meals,
+                    er.cost_other, er.cost_total,
+                    er.dnevnice_count, er.dnevnice_amount,
+                    er.status, er.approved_at, er.paid_at,
+                    er.created_at, er.tenant_id, er.notes
+             FROM pgz_sport.expense_reports er
+             LEFT JOIN pgz_sport.klubovi k ON k.id = er.klub_id
+             WHERE er.report_type='putni_nalog'"""
+    args: list = []
+    if klub_id is not None:
+        sql += " AND er.klub_id=%s"; args.append(klub_id)
+    if status:
+        sql += " AND er.status=%s"; args.append(status)
+    sql += " ORDER BY er.date_from DESC NULLS LAST, er.id DESC LIMIT %s OFFSET %s"
+    args += [limit, offset]
+    with _db() as c:
+        cur = c.cursor(cursor_factory=psycopg2.extras.RealDictCursor)
+        cur.execute(sql, args)
+        rows = cur.fetchall()
+    return {"ok": True, "rows": rows, "count": len(rows)}
+
+
+@router.get("/putni-nalog/{nalog_id}")
+def get_putni_nalog(nalog_id: int, authorization: Optional[str] = Header(None)):
+    user = _resolve_user(authorization)
+    with _db() as c:
+        cur = c.cursor(cursor_factory=psycopg2.extras.RealDictCursor)
+        cur.execute("""SELECT er.*, k.naziv AS klub_naziv, k.savez_id
+                       FROM pgz_sport.expense_reports er
+                       LEFT JOIN pgz_sport.klubovi k ON k.id = er.klub_id
+                       WHERE er.id=%s AND er.report_type='putni_nalog'""", (nalog_id,))
+        row = cur.fetchone()
+        if not row:
+            raise HTTPException(404, "Putni nalog ne postoji")
+        if user and not can_view_putni_nalog(user, row):
+            raise HTTPException(403, "Nemate ovlasti vidjeti ovaj putni nalog")
+
+        # Lista vezanih računa (po klubu, datumu, ili ID-evima u attachments)
+        att = row.get("attachments") or {}
+        if isinstance(att, str):
+            try: att = json.loads(att)
+            except Exception: att = {}
+        invoice_ids = att.get("invoice_ids") or []
+        invoices = []
+        if invoice_ids:
+            cur.execute(
+                """SELECT id, invoice_no, invoice_kind, vendor_name, vendor_oib,
+                          invoice_date, amount_gross, payment_status, currency, category
+                   FROM pgz_sport.invoices WHERE id = ANY(%s)
+                   ORDER BY invoice_date DESC""", (invoice_ids,))
+            invoices = cur.fetchall()
+        else:
+            # Auto-suggest: računi kluba u rasponu putovanja s kategorijom putni-trošak
+            cur.execute(
+                """SELECT id, invoice_no, invoice_kind, vendor_name, vendor_oib,
+                          invoice_date, amount_gross, payment_status, currency, category
+                   FROM pgz_sport.invoices
+                   WHERE klub_id=%s AND invoice_date BETWEEN %s AND %s
+                     AND invoice_kind IN ('gorivo','cestarina','hotel','restoran','ostalo')
+                   ORDER BY invoice_date DESC LIMIT 50""",
+                (row.get("klub_id"), row.get("date_from"), row.get("date_to")),
+            )
+            invoices = cur.fetchall()
+
+        # Payments za ovaj putni nalog
+        cur.execute(
+            """SELECT id, payment_date, amount, currency, payment_method, iban_from,
+                      iban_to, reference, bank_transaction_id, matched_status, created_at
+               FROM pgz_sport.payments WHERE expense_report_id=%s
+               ORDER BY payment_date DESC""", (nalog_id,))
+        payments = cur.fetchall()
+
+    audit = fetch_audit("pgz_sport.expense_reports", nalog_id, 50)
+    actions = putni_nalog_actions(user, row) if user else {"view": True, "edit": False, "submit": False, "approve": False, "reject": False, "pay": False, "delete": False}
+    return {"ok": True, "putni_nalog": row, "invoices": invoices,
+            "payments": payments, "audit": audit, "actions": actions}
+
+
+@router.post("/putni-nalog/{nalog_id}/posalji")
+def posalji_putni_nalog(nalog_id: int, authorization: Optional[str] = Header(None)):
+    """Voditelj/klub_admin šalje draft → poslan."""
+    user = _resolve_user(authorization)
+    with _db() as c:
+        cur = c.cursor(cursor_factory=psycopg2.extras.RealDictCursor)
+        cur.execute("SELECT er.*, k.savez_id FROM pgz_sport.expense_reports er LEFT JOIN pgz_sport.klubovi k ON k.id=er.klub_id WHERE er.id=%s AND er.report_type='putni_nalog'", (nalog_id,))
+        pn = cur.fetchone()
+    if not pn:
+        raise HTTPException(404, "Putni nalog ne postoji")
+    if user and not can_submit_putni_nalog(user, pn):
+        raise HTTPException(403, "Nemate ovlasti slanja na odobrenje")
+    with _db() as c:
+        cur = c.cursor(cursor_factory=psycopg2.extras.RealDictCursor)
+        cur.execute(
+            """UPDATE pgz_sport.expense_reports SET status='poslan', updated_at=NOW()
+               WHERE id=%s RETURNING id, status""", (nalog_id,))
+        row = cur.fetchone()
+    audit_putni(user, nalog_id, "submit", field="status", old=pn.get("status"), new="poslan")
+    return {"ok": True, "putni_nalog": row}
+
+
+@router.post("/putni-nalog/{nalog_id}/odbij")
+def odbij_putni_nalog(nalog_id: int, body: dict = Body(default={}),
+                      authorization: Optional[str] = Header(None)):
+    """Klub_admin/pgz_admin odbija s razlogom."""
+    user = _resolve_user(authorization)
+    razlog = (body.get("razlog") or body.get("reason") or "").strip()
+    with _db() as c:
+        cur = c.cursor(cursor_factory=psycopg2.extras.RealDictCursor)
+        cur.execute("SELECT er.*, k.savez_id FROM pgz_sport.expense_reports er LEFT JOIN pgz_sport.klubovi k ON k.id=er.klub_id WHERE er.id=%s AND er.report_type='putni_nalog'", (nalog_id,))
+        pn = cur.fetchone()
+    if not pn:
+        raise HTTPException(404, "Putni nalog ne postoji")
+    if user and not can_approve_putni_nalog(user, pn):
+        raise HTTPException(403, "Nemate ovlasti odbiti")
+    with _db() as c:
+        cur = c.cursor(cursor_factory=psycopg2.extras.RealDictCursor)
+        cur.execute(
+            """UPDATE pgz_sport.expense_reports
+               SET status='odbijen', notes=COALESCE(notes,'') || E'\n[ODBIJEN] ' || %s, updated_at=NOW()
+               WHERE id=%s RETURNING id, status, notes""",
+            (razlog or "(bez razloga)", nalog_id),
+        )
+        row = cur.fetchone()
+    audit_putni(user, nalog_id, "reject", field="status",
+                 old=pn.get("status"), new=f"odbijen: {razlog}")
+    return {"ok": True, "putni_nalog": row}
+
+
+@router.post("/putni-nalog/{nalog_id}/isplati")
+def isplati_putni_nalog(nalog_id: int, body: dict = Body(default={}),
+                         authorization: Optional[str] = Header(None)):
+    """Isplata putnog naloga (odobren/zatvoren → isplaćen).
+    Body: {iban_to, iban_from, paid_date, amount, reference, bank_transaction_id}"""
+    user = _resolve_user(authorization)
+    with _db() as c:
+        cur = c.cursor(cursor_factory=psycopg2.extras.RealDictCursor)
+        cur.execute("SELECT er.*, k.savez_id FROM pgz_sport.expense_reports er LEFT JOIN pgz_sport.klubovi k ON k.id=er.klub_id WHERE er.id=%s AND er.report_type='putni_nalog'", (nalog_id,))
+        pn = cur.fetchone()
+    if not pn:
+        raise HTTPException(404, "Putni nalog ne postoji")
+    if user and not can_pay_putni_nalog(user, pn):
+        raise HTTPException(403, "Nemate ovlasti za isplatu")
+
+    paid_date = body.get("paid_date") or date.today().isoformat()
+    iban_to = body.get("iban_to")
+    iban_from = body.get("iban_from")
+    amount = body.get("amount") or pn.get("cost_total")
+    reference = body.get("reference")
+    tx_id = body.get("bank_transaction_id") or body.get("tx_id")
+    payment_method = body.get("payment_method") or "transfer"
+
+    with _db() as c:
+        cur = c.cursor(cursor_factory=psycopg2.extras.RealDictCursor)
+        cur.execute(
+            """UPDATE pgz_sport.expense_reports
+               SET status='isplacen', paid_at=%s, updated_at=NOW()
+               WHERE id=%s RETURNING id, status, paid_at, cost_total""",
+            (paid_date, nalog_id),
+        )
+        row = cur.fetchone()
+        cur.execute(
+            """INSERT INTO pgz_sport.payments
+               (klub_id, expense_report_id, payment_date, amount, currency,
+                payment_method, iban_from, iban_to, reference, bank_transaction_id,
+                matched_status)
+               VALUES (%s,%s,%s,%s,'EUR',%s,%s,%s,%s,%s,'matched')
+               RETURNING id""",
+            (pn.get("klub_id"), nalog_id, paid_date, amount, payment_method,
+             iban_from, iban_to, reference, tx_id),
+        )
+        pay = cur.fetchone()
+    audit_putni(user, nalog_id, "pay", field="status",
+                 old=pn.get("status"), new="isplacen")
+    return {"ok": True, "putni_nalog": row, "payment_id": pay["id"] if pay else None}
+
+
+@router.get("/putni-nalog/{nalog_id}/audit")
+def putni_audit(nalog_id: int, limit: int = 100,
+                authorization: Optional[str] = Header(None)):
+    user = _resolve_user(authorization)
+    with _db() as c:
+        cur = c.cursor(cursor_factory=psycopg2.extras.RealDictCursor)
+        cur.execute("SELECT * FROM pgz_sport.expense_reports WHERE id=%s AND report_type='putni_nalog'", (nalog_id,))
+        pn = cur.fetchone()
+    if not pn:
+        raise HTTPException(404, "Putni nalog ne postoji")
+    if user and not can_view_putni_nalog(user, pn):
+        raise HTTPException(403, "Nemate ovlasti")
+    return {"ok": True, "audit": fetch_audit("pgz_sport.expense_reports", nalog_id, limit)}
+
+
+@router.post("/putni-nalog")
+def create_putni_nalog(body: dict = Body(...), authorization: Optional[str] = Header(None)):
+    """Kreiraj putni nalog.
+    Polja: klub_id, user_id, clan_id, voditelj_ime, putnici[],
+           svrha (purpose), od_grada, do_grada (destination),
+           datum_polaska (date_from), datum_povratka (date_to),
+           registracija_vozila (vehicle_plate), vehicle_type,
+           kilometara (km_driven), km_rate,
+           predviđeni_troškovi (cost_estimate), country, notes."""
+    df = body.get("date_from") or body.get("datum_polaska")
+    dt = body.get("date_to") or body.get("datum_povratka")
+    if not df or not dt:
+        raise HTTPException(400, "Datum polaska i povratka su obavezni")
+    klub_id = body.get("klub_id")
+    if not klub_id:
+        raise HTTPException(400, "klub_id je obavezan")
+
+    country = body.get("country", "Hrvatska")
+    km = body.get("km_driven", body.get("kilometara", 0)) or 0
+    km_rate = body.get("km_rate") or KM_RATE_DEFAULT
+    dnv = compute_dnevnice(df, dt, country)
+    dnevnice_count = (dnv.get("days_full") or 0) + 0.5 * (dnv.get("days_half") or 0)
+    dnevnice_amount = dnv.get("dnevnica_amount_total") or 0
+    cost_transport = compute_kilometrina(km, km_rate) + (body.get("cost_transport") or 0)
+
+    od = body.get("od_grada") or body.get("from_city")
+    do = body.get("do_grada") or body.get("to_city") or body.get("destination")
+    destination = " → ".join([x for x in [od, do] if x]) or do
+
+    putnici = body.get("putnici") or []
+    voditelj = body.get("voditelj_ime") or body.get("voditelj")
+    purpose = body.get("svrha") or body.get("purpose") or ""
+
+    meta = {
+        "voditelj": voditelj,
+        "putnici": putnici,
+        "from_city": od, "to_city": do,
+        "country": country,
+        "dnevnice_calc": dnv,
+        "predvideni_troskovi": body.get("predvideni_troskovi") or body.get("cost_estimate") or [],
+    }
+
+    with _db() as c:
+        cur = c.cursor(cursor_factory=psycopg2.extras.RealDictCursor)
+        cur.execute(
+            """INSERT INTO pgz_sport.expense_reports
+               (klub_id, user_id, clan_id, report_type, report_no, destination, purpose,
+                date_from, date_to, vehicle_type, vehicle_plate, km_driven, km_rate,
+                cost_transport, cost_lodging, cost_meals, cost_other,
+                dnevnice_count, dnevnice_amount, status, attachments, notes, tenant_id)
+               VALUES (%s, %s, %s, 'putni_nalog', %s, %s, %s,
+                       %s, %s, %s, %s, %s, %s,
+                       %s, %s, %s, %s,
+                       %s, %s, COALESCE(%s,'draft'), %s, %s, %s)
+               RETURNING id, klub_id, status, dnevnice_count, dnevnice_amount,
+                         cost_transport, date_from, date_to, destination""",
+            (
+                klub_id, body.get("user_id"), body.get("clan_id"),
+                body.get("report_no"), destination, purpose,
+                df, dt, body.get("vehicle_type"), body.get("vehicle_plate") or body.get("registracija_vozila"),
+                float(km or 0), float(km_rate or 0),
+                cost_transport,
+                body.get("cost_lodging") or 0, body.get("cost_meals") or 0,
+                body.get("cost_other") or 0,
+                dnevnice_count, dnevnice_amount,
+                body.get("status"),
+                json.dumps(meta, ensure_ascii=False, default=str),
+                body.get("notes"),
+                body.get("tenant_id", 1),
+            ),
+        )
+        row = cur.fetchone()
+        # cost_total via trigger maybe; recompute here
+        cur.execute(
+            """UPDATE pgz_sport.expense_reports
+               SET cost_total = COALESCE(cost_transport,0)+COALESCE(cost_lodging,0)
+                              +COALESCE(cost_meals,0)+COALESCE(cost_other,0)
+                              +COALESCE(dnevnice_amount,0)
+               WHERE id=%s
+               RETURNING cost_total""", (row["id"],),
+        )
+        ct = cur.fetchone()
+        if ct:
+            row["cost_total"] = ct["cost_total"]
+    return {"ok": True, "putni_nalog": row, "dnevnice_calc": dnv}
+
+
+@router.put("/putni-nalog/{nalog_id}")
+def update_putni_nalog(nalog_id: int, body: dict = Body(...)):
+    """Update polja putnog naloga (osim odobrenja/zatvaranja - oni imaju vlastite endpointe)."""
+    cols = []
+    args: list = []
+    for col in ("destination", "purpose", "date_from", "date_to", "vehicle_type",
+                "vehicle_plate", "km_driven", "km_rate", "cost_transport",
+                "cost_lodging", "cost_meals", "cost_other", "notes",
+                "dnevnice_count", "dnevnice_amount"):
+        if col in body:
+            cols.append(f"{col}=%s"); args.append(body[col])
+    # Recompute dnevnice if dates provided
+    if "date_from" in body or "date_to" in body or "country" in body:
+        with _db() as c:
+            cur = c.cursor(cursor_factory=psycopg2.extras.RealDictCursor)
+            cur.execute("SELECT date_from, date_to, attachments FROM pgz_sport.expense_reports WHERE id=%s", (nalog_id,))
+            cur_row = cur.fetchone()
+        if cur_row:
+            df = body.get("date_from") or cur_row["date_from"]
+            dt = body.get("date_to") or cur_row["date_to"]
+            country = body.get("country") or (cur_row["attachments"] or {}).get("country", "Hrvatska")
+            d = compute_dnevnice(df, dt, country)
+            cols += ["dnevnice_count=%s", "dnevnice_amount=%s"]
+            args += [(d.get("days_full") or 0) + 0.5 * (d.get("days_half") or 0),
+                     d.get("dnevnica_amount_total") or 0]
+    if not cols:
+        raise HTTPException(400, "Nema polja za izmjenu")
+    cols.append("updated_at=NOW()")
+    args.append(nalog_id)
+    with _db() as c:
+        cur = c.cursor(cursor_factory=psycopg2.extras.RealDictCursor)
+        cur.execute(f"UPDATE pgz_sport.expense_reports SET {','.join(cols)} WHERE id=%s AND report_type='putni_nalog' RETURNING *", args)
+        row = cur.fetchone()
+        if row:
+            cur.execute(
+                """UPDATE pgz_sport.expense_reports
+                   SET cost_total = COALESCE(cost_transport,0)+COALESCE(cost_lodging,0)
+                                  +COALESCE(cost_meals,0)+COALESCE(cost_other,0)
+                                  +COALESCE(dnevnice_amount,0)
+                   WHERE id=%s""", (nalog_id,),
+            )
+    if not row:
+        raise HTTPException(404, "Putni nalog ne postoji")
+    return {"ok": True, "putni_nalog": row}
+
+
+@router.post("/putni-nalog/{nalog_id}/odobriti")
+def odobriti_putni_nalog(nalog_id: int, body: dict = Body(default={}),
+                          authorization: Optional[str] = Header(None)):
+    user = _resolve_user(authorization)
+    approved_by = body.get("approved_by") or (user.get("id") if user else None)
+    with _db() as c:
+        cur = c.cursor(cursor_factory=psycopg2.extras.RealDictCursor)
+        cur.execute("SELECT er.*, k.savez_id FROM pgz_sport.expense_reports er LEFT JOIN pgz_sport.klubovi k ON k.id=er.klub_id WHERE er.id=%s AND er.report_type='putni_nalog'", (nalog_id,))
+        pn = cur.fetchone()
+    if not pn:
+        raise HTTPException(404, "Putni nalog ne postoji")
+    if user and not can_approve_putni_nalog(user, pn):
+        raise HTTPException(403, "Nemate ovlasti odobriti")
+    with _db() as c:
+        cur = c.cursor(cursor_factory=psycopg2.extras.RealDictCursor)
+        cur.execute(
+            """UPDATE pgz_sport.expense_reports
+               SET status='odobren', approved_by=%s, approved_at=NOW(), updated_at=NOW()
+               WHERE id=%s AND report_type='putni_nalog'
+               RETURNING id, status, approved_at""", (approved_by, nalog_id),
+        )
+        row = cur.fetchone()
+    audit_putni(user, nalog_id, "approve", field="status",
+                 old=pn.get("status"), new="odobren")
+    return {"ok": True, "putni_nalog": row}
+
+
+@router.post("/putni-nalog/{nalog_id}/zatvori")
+def zatvori_putni_nalog(nalog_id: int, body: dict = Body(default={})):
+    """Zatvori putni nalog: priloži račune i konačan obračun."""
+    invoice_ids = body.get("invoice_ids") or []
+    cost_lodging = body.get("cost_lodging")
+    cost_meals = body.get("cost_meals")
+    cost_other = body.get("cost_other")
+    notes = body.get("notes")
+    with _db() as c:
+        cur = c.cursor(cursor_factory=psycopg2.extras.RealDictCursor)
+        cur.execute("SELECT * FROM pgz_sport.expense_reports WHERE id=%s AND report_type='putni_nalog'", (nalog_id,))
+        cur_row = cur.fetchone()
+        if not cur_row:
+            raise HTTPException(404, "Putni nalog ne postoji")
+
+        # Aggregiraj iznose iz računa (ako su poslani)
+        if invoice_ids:
+            cur.execute(
+                "SELECT COALESCE(SUM(amount_gross),0) AS total FROM pgz_sport.invoices WHERE id = ANY(%s)",
+                (invoice_ids,),
+            )
+            invs_total = float(cur.fetchone()["total"] or 0)
+        else:
+            invs_total = None
+
+        sets = ["status='zatvoren'", "updated_at=NOW()"]
+        args: list = []
+        if cost_lodging is not None: sets.append("cost_lodging=%s"); args.append(cost_lodging)
+        if cost_meals is not None: sets.append("cost_meals=%s"); args.append(cost_meals)
+        if cost_other is not None: sets.append("cost_other=%s"); args.append(cost_other)
+        if notes: sets.append("notes=%s"); args.append(notes)
+        # Pohrani povezane račune u attachments
+        atts = cur_row["attachments"] or {}
+        if isinstance(atts, str):
+            try: atts = json.loads(atts)
+            except Exception: atts = {}
+        atts["invoice_ids"] = invoice_ids
+        if invs_total is not None:
+            atts["invoices_total"] = invs_total
+        sets.append("attachments=%s"); args.append(json.dumps(atts, ensure_ascii=False, default=str))
+        args.append(nalog_id)
+        cur.execute(f"UPDATE pgz_sport.expense_reports SET {','.join(sets)} WHERE id=%s RETURNING *", args)
+        row = cur.fetchone()
+        cur.execute(
+            """UPDATE pgz_sport.expense_reports
+               SET cost_total = COALESCE(cost_transport,0)+COALESCE(cost_lodging,0)
+                              +COALESCE(cost_meals,0)+COALESCE(cost_other,0)
+                              +COALESCE(dnevnice_amount,0)
+               WHERE id=%s RETURNING cost_total""", (nalog_id,),
+        )
+        ct = cur.fetchone()
+        if ct: row["cost_total"] = ct["cost_total"]
+    return {"ok": True, "putni_nalog": row}
diff --git a/_backups/r3_cc5/pgz_sport_api.py.pre_r5.1777937293 b/_backups/r3_cc5/pgz_sport_api.py.pre_r5.1777937293
new file mode 100644
index 0000000..ee172a7
--- /dev/null
+++ b/_backups/r3_cc5/pgz_sport_api.py.pre_r5.1777937293
@@ -0,0 +1,1729 @@
+#!/usr/bin/env python3
+"""
+pgz_sport_api.py - FastAPI backend za PGŽ Sportski savez ERP/CRM
+Author: Damir Radulić (damir@rinet.one)
+Date: 25.04.2026
+Port: 8095
+Endpoints: savezi, klubovi, članovi, članarine, liječnički, manifestacije, proračun, dashboard, alertovi
+"""
+
+from fastapi import FastAPI, HTTPException, Query, Body, Header, Depends, UploadFile, File, Form, Request
+import json
+from fastapi.middleware.cors import CORSMiddleware
+from pydantic import BaseModel
+from typing import Optional, List
+from datetime import date, datetime
+import psycopg2
+import psycopg2.extras
+from pgz_sport_v2_router import router as v2_router
+import os
+
+DB = dict(host='10.10.0.2', port=6432, dbname='rinet_v3', user='rinet', password='R1net2026!SecureDB#v7')
+
+
+ADMIN_TOKEN = 'admin-pgz-2026'
+
+def is_admin(authorization):
+    if not authorization: return False
+    token = authorization.replace('Bearer ', '').strip()
+    if token == ADMIN_TOKEN: return True
+    # Try JWT
+    try:
+        import jwt as _jwt
+        payload = _jwt.decode(token, JWT_SECRET, algorithms=["HS256"])
+        return payload.get("role") == "admin"
+    except Exception:
+        return False
+
+def blur_oib(v):
+    if not v: return v
+    s = str(v); 
+    return s[:3] + '•'*(len(s)-5) + s[-2:] if len(s) >= 8 else '•'*len(s)
+def blur_email(e):
+    if not e or '@' not in str(e): return e
+    u, d = str(e).split('@',1); return (u[:1]+'•••' if u else '')+'@'+d
+def blur_phone(p):
+    if not p: return p
+    s=str(p); return s[:4]+'•'*(len(s)-7)+s[-3:] if len(s)>=7 else s
+def blur_iban(v):
+    if not v: return v
+    s=str(v); return s[:4]+'•'*(len(s)-8)+s[-4:] if len(s)>=8 else s
+def blur_date(d):
+    if not d: return d
+    s = str(d); return s[:4]+'-••-••' if len(s)>=4 else s
+def blur_text(t, keep=3):
+    if not t: return t
+    s=str(t); return s[:keep]+'•'*(len(s)-keep*2)+s[-keep:] if len(s)>keep*2 else s
+
+def apply_privacy(rows, admin):
+    if admin: return rows
+    out = []
+    for r in (rows if isinstance(rows, list) else [rows]):
+        rr = dict(r)
+        for k, v in list(rr.items()):
+            if v is None: continue
+            kl = k.lower()
+            if 'oib' in kl: rr[k] = blur_oib(v)
+            elif 'email' in kl: rr[k] = blur_email(v)
+            elif kl in ('telefon','tel','phone'): rr[k] = blur_phone(v)
+            elif kl == 'datum_rodenja': rr[k] = blur_date(v)
+            elif 'iban' in kl: rr[k] = blur_iban(v)
+            elif kl == 'adresa': rr[k] = blur_text(v, 3)
+            elif 'licenca_broj' in kl: rr[k] = blur_text(v, 2)
+        out.append(rr)
+    return out if isinstance(rows, list) else out[0]
+
+app = FastAPI(title="PGŽ Sportski savez ERP/CRM", version="1.0.0")
+app.add_middleware(CORSMiddleware, allow_origins=["*"], allow_methods=["*"], allow_headers=["*"])
+
+# ─── R5 #1: Defense-in-depth JWT enforcement on /api/admin/* ───
+# Even if a route accidentally lacks `Depends(require_user)`, this middleware
+# rejects requests with no/invalid Bearer token before they reach the handler.
+@app.middleware("http")
+async def require_jwt_on_admin(request, call_next):
+    p = request.url.path
+    # Only gate admin endpoints — leave /api/auth/*, public /api/v2/* etc. alone
+    if p.startswith("/api/admin/") or p == "/api/admin":
+        # OPTIONS preflight passes through
+        if request.method == "OPTIONS":
+            return await call_next(request)
+        try:
+            from auth.auth_v2 import decode_token, _is_revoked
+            auth = request.headers.get("authorization", "")
+            if not auth.lower().startswith("bearer "):
+                from starlette.responses import JSONResponse as _JR
+                return _JR({"detail": "Authentication required"}, status_code=401)
+            token = auth.split(" ", 1)[1].strip()
+            try:
+                payload = decode_token(token)
+            except Exception:
+                from starlette.responses import JSONResponse as _JR
+                return _JR({"detail": "Invalid or expired token"}, status_code=401)
+            if payload.get("typ") not in (None, "access"):
+                from starlette.responses import JSONResponse as _JR
+                return _JR({"detail": "Wrong token type"}, status_code=401)
+            if _is_revoked(payload.get("jti", "")):
+                from starlette.responses import JSONResponse as _JR
+                return _JR({"detail": "Token revoked"}, status_code=401)
+        except Exception as e:
+            print(f"[JWT-MW WARN] {e}")
+    return await call_next(request)
+
+
+# === URL rewrite middleware - convert direct external image URLs to /img-proxy ===
+import json as _json_mw
+import re as _re_mw
+from starlette.responses import Response as _StarletteResponse_mw
+
+_IMG_DOMAINS_RE = _re_mw.compile(
+    r'https?://(?:hns\.family|hns\.hr|hbs\.hr|hrvatski-bocarski-savez\.hr|'
+    r'rk-zamet\.hr|hvs\.hr|rezultati\.hvs\.hr|sport-pgz\.hr)'
+    r'/[^"\s\\]+\.(?:jpg|jpeg|png|gif|webp|svg)',
+    _re_mw.IGNORECASE
+)
+
+def _rewrite_to_proxy(text: str) -> str:
+    """Replace external image URLs with /sport/api/v2/img-proxy?u=..."""
+    from urllib.parse import quote as _q
+    def _sub(m):
+        url = m.group(0)
+        return "/sport/api/v2/img-proxy?u=" + _q(url, safe='')
+    return _IMG_DOMAINS_RE.sub(_sub, text)
+
+@app.middleware("http")
+async def url_rewrite_middleware(request, call_next):
+    response = await call_next(request)
+    # Only rewrite JSON API responses
+    ct = response.headers.get("content-type", "")
+    if "application/json" not in ct:
+        return response
+    # Only on /api/v2 routes (admin & data endpoints) - SKIP /api/v2/img-proxy itself
+    path = request.url.path
+    if "/api/v2/img-proxy" in path or "/api/v2/dokumenti" in path:
+        return response  # don't rewrite raw document content
+    # Read body
+    body = b""
+    async for chunk in response.body_iterator:
+        body += chunk
+    try:
+        text = body.decode("utf-8")
+        new_text = _rewrite_to_proxy(text)
+        new_body = new_text.encode("utf-8")
+    except Exception:
+        new_body = body
+    return _StarletteResponse_mw(
+        content=new_body,
+        status_code=response.status_code,
+        headers={k: v for k, v in response.headers.items() if k.lower() not in ("content-length",)},
+        media_type=ct,
+    )
+# === end URL rewrite middleware ===
+
+def db():
+    conn = psycopg2.connect(**DB)
+    conn.autocommit = True
+    return conn
+
+def fetch(sql, params=None):
+    with db() as conn:
+        with conn.cursor(cursor_factory=psycopg2.extras.RealDictCursor) as c:
+            c.execute(sql, params or ())
+            return [dict(r) for r in c.fetchall()]
+
+def execute(sql, params=None):
+    with db() as conn:
+        with conn.cursor() as c:
+            c.execute(sql, params or ())
+            return c.rowcount
+
+# ==================== HEALTH ====================
+@app.get("/health")
+def health():
+    try:
+        rows = fetch("SELECT * FROM pgz_sport.v_dashboard")
+        return {"status": "ok", "service": "pgz_sport", "dashboard": rows[0] if rows else None}
+    except Exception as e:
+        raise HTTPException(500, f"DB error: {e}")
+
+
+@app.get("/api/whoami")
+def whoami_v2(authorization: Optional[str] = Header(None)):
+    return {"role": "admin" if is_admin(authorization) else "viewer", "privacy_active": not is_admin(authorization)}
+
+# ==================== DASHBOARD ====================
+@app.get("/api/dashboard")
+def dashboard():
+    rows = fetch("SELECT * FROM pgz_sport.v_dashboard")
+    if not rows:
+        return {}
+    d = rows[0]
+    # Top savezi by registriranih 2024
+    top = fetch("""SELECT s.naziv, st.klubova_clanica, st.registriranih, st.trenera, st.reprezentativaca
+                FROM pgz_sport.statistika_saveza st JOIN pgz_sport.savezi s ON s.id=st.savez_id
+                WHERE st.godina=2024 ORDER BY st.registriranih DESC LIMIT 10""")
+    proracun_trend = fetch("SELECT godina, ukupno FROM pgz_sport.proracun ORDER BY godina")
+    nositelji = fetch("""SELECT naziv_kluba, godina, iznos FROM pgz_sport.potpore_nositelji 
+                       WHERE godina = 2025 ORDER BY iznos DESC LIMIT 10""")
+    return {**d, "top_savezi": top, "proracun_trend": proracun_trend, "nositelji_2025": nositelji}
+
+@app.get("/api/dashboard/ekosustav")
+def dashboard_ekosustav():
+    """Sport ekosustav PGŽ — coverage stats za enrichment iz FINA registra."""
+    summary = fetch("""SELECT 
+        COUNT(*) AS klubova_total,
+        COUNT(*) FILTER (WHERE oib IS NOT NULL) AS s_oib,
+        COUNT(*) FILTER (WHERE predsjednik IS NOT NULL) AS s_predsjednik,
+        COUNT(*) FILTER (WHERE tajnik IS NOT NULL) AS s_tajnik,
+        COUNT(*) FILTER (WHERE ciljevi IS NOT NULL) AS s_ciljevi,
+        COUNT(*) FILTER (WHERE opis_djelatnosti IS NOT NULL) AS s_opis,
+        COUNT(*) FILTER (WHERE sjediste IS NOT NULL) AS s_sjediste,
+        COUNT(*) FILTER (WHERE email IS NOT NULL) AS s_email,
+        COUNT(*) FILTER (WHERE web_stranica IS NOT NULL) AS s_web,
+        COUNT(*) FILTER (WHERE udruga_status = \'AKTIVAN\') AS s_aktivan_reg,
+        COUNT(*) FILTER (WHERE savez_id IS NOT NULL) AS s_savez,
+        COUNT(*) FILTER (WHERE nositelj_kvalitete) AS s_nositelj
+        FROM pgz_sport.klubovi WHERE aktivan""")[0]
+    
+    by_sport = fetch("""SELECT sport, COUNT(*) AS broj 
+        FROM pgz_sport.klubovi WHERE aktivan AND sport IS NOT NULL 
+        GROUP BY sport ORDER BY COUNT(*) DESC LIMIT 15""")
+    
+    by_region = fetch("""SELECT region, COUNT(*) AS broj 
+        FROM pgz_sport.klubovi WHERE aktivan AND region IS NOT NULL 
+        GROUP BY region ORDER BY COUNT(*) DESC""")
+    
+    by_grad = fetch("""SELECT grad, COUNT(*) AS broj 
+        FROM pgz_sport.klubovi WHERE aktivan AND grad IS NOT NULL 
+        GROUP BY grad ORDER BY COUNT(*) DESC LIMIT 12""")
+    
+    decade = fetch("""SELECT 
+        CASE 
+            WHEN godina_osnutka < 1950 THEN \'pred1950\'
+            WHEN godina_osnutka < 1980 THEN \'1950-1979\'
+            WHEN godina_osnutka < 2000 THEN \'1980-1999\'
+            WHEN godina_osnutka < 2010 THEN \'2000-2009\'
+            WHEN godina_osnutka >= 2010 THEN \'2010-danas\'
+            ELSE \'nepoznato\'
+        END AS razdoblje,
+        COUNT(*) AS broj
+        FROM pgz_sport.klubovi 
+        WHERE aktivan AND godina_osnutka IS NOT NULL
+        GROUP BY razdoblje ORDER BY razdoblje""")
+    
+    # Pokazi enrichment %
+    total = summary["klubova_total"] or 1
+    coverage = {
+        "oib_pct": round(100 * summary["s_oib"] / total, 1),
+        "predsjednik_pct": round(100 * summary["s_predsjednik"] / total, 1),
+        "tajnik_pct": round(100 * summary["s_tajnik"] / total, 1),
+        "ciljevi_pct": round(100 * summary["s_ciljevi"] / total, 1),
+        "opis_pct": round(100 * summary["s_opis"] / total, 1),
+        "sjediste_pct": round(100 * summary["s_sjediste"] / total, 1),
+        "email_pct": round(100 * summary["s_email"] / total, 1),
+        "savez_pct": round(100 * summary["s_savez"] / total, 1),
+    }
+    
+    return {**summary, "coverage": coverage, "by_sport": by_sport, 
+            "by_region": by_region, "by_grad": by_grad, "by_decade": decade}
+
+
+
+# ==================== ANALYTICS ====================
+@app.get("/api/analytics/savezi-trend")
+def savezi_trend(godine: str = "2020,2021,2022,2023,2024", metric: str = "registriranih"):
+    valid_metrics = {"registriranih", "neregistriranih", "rekreativaca", "trenera", "reprezentativaca",
+                     "kategoriziranih", "stipendiranih", "klubova_clanica"}
+    if metric not in valid_metrics:
+        raise HTTPException(400, f"Invalid metric. Must be one of: {valid_metrics}")
+    god_list = [int(g) for g in godine.split(",")]
+    rows = fetch(f"""SELECT s.naziv AS savez, st.godina, st.{metric} AS value
+        FROM pgz_sport.statistika_saveza st JOIN pgz_sport.savezi s ON s.id=st.savez_id
+        WHERE st.godina = ANY(%s) ORDER BY s.naziv, st.godina""", [god_list])
+    saveze = {}
+    for r in rows:
+        if r['savez'] not in saveze: saveze[r['savez']] = {}
+        saveze[r['savez']][r['godina']] = r['value']
+    return {"metric": metric, "godine": god_list, "data": saveze}
+
+@app.get("/api/analytics/proracun-detaljno")
+def proracun_detaljno():
+    p = fetch("SELECT * FROM pgz_sport.proracun ORDER BY godina")
+    if not p: return {"proracun": [], "rast_godisnji": [], "current_year": None, "current_total": 0, "rast_dekada_pct": 0}
+    cagr = []
+    for i in range(1, len(p)):
+        prev = float(p[i-1]['ukupno']) if p[i-1]['ukupno'] else 0
+        curr = float(p[i]['ukupno']) if p[i]['ukupno'] else 0
+        rate = ((curr/prev - 1) * 100) if prev > 0 else 0
+        cagr.append({"godina": p[i]['godina'], "rast_postotak": round(rate, 1)})
+    decade_rast = round((float(p[-1]['ukupno'])/float(p[0]['ukupno']) - 1) * 100, 1) if p[0]['ukupno'] else 0
+    return {"proracun": p, "rast_godisnji": cagr, "rast_dekada_pct": decade_rast,
+            "current_year": int(p[-1]['godina']), "current_total": float(p[-1]['ukupno'])}
+
+@app.get("/api/analytics/klub-financije")
+def klub_financije(klub_id: Optional[int] = None, godina: Optional[int] = None):
+    where = []
+    params = []
+    if godina: where.append("p.godina=%s"); params.append(godina)
+    if klub_id:
+        where.append("(p.klub_id=%s OR p.naziv_kluba=(SELECT naziv FROM pgz_sport.klubovi WHERE id=%s))")
+        params.extend([klub_id, klub_id])
+    where_sql = "WHERE " + " AND ".join(where) if where else ""
+    rows = fetch(f"""SELECT p.naziv_kluba, p.godina, p.iznos,
+        k.id AS klub_id, k.sport, k.razina, k.nositelj_kvalitete
+        FROM pgz_sport.potpore_nositelji p
+        LEFT JOIN pgz_sport.klubovi k ON p.klub_id=k.id OR p.naziv_kluba=k.naziv
+        {where_sql} ORDER BY p.godina DESC, p.iznos DESC""", params)
+    summary = fetch(f"""SELECT godina, SUM(iznos) AS total, COUNT(*) AS klubova, AVG(iznos) AS prosjek
+        FROM pgz_sport.potpore_nositelji p {where_sql}
+        GROUP BY godina ORDER BY godina""", params)
+    return {"data": rows, "summary": summary}
+
+@app.get("/api/analytics/lijecnicki-stats")
+def lijecnicki_stats(klub_id: Optional[int] = None):
+    where = ["1=1"]; params = []
+    if klub_id: where.append("c.klub_id=%s"); params.append(klub_id)
+    where_sql = " AND ".join(where)
+    rows = fetch(f"""SELECT 
+        COUNT(*) AS total,
+        COUNT(*) FILTER (WHERE lp.vrijedi_do >= CURRENT_DATE + 30) AS validni,
+        COUNT(*) FILTER (WHERE lp.vrijedi_do BETWEEN CURRENT_DATE AND CURRENT_DATE + 30) AS uskoro,
+        COUNT(*) FILTER (WHERE lp.vrijedi_do < CURRENT_DATE) AS istekli,
+        SUM(lp.iznos) AS ukupan_trosak, SUM(lp.iznos_zzjz) AS zzjz_udio,
+        SUM(lp.iznos_klub) AS klub_udio, SUM(lp.iznos_clan) AS clan_udio,
+        AVG(lp.iznos) AS prosjecni_trosak
+        FROM pgz_sport.lijecnicki_pregledi lp
+        JOIN pgz_sport.clanovi c ON c.id=lp.clan_id WHERE {where_sql}""", params)
+    by_ustanova = fetch(f"""SELECT lp.ustanova, COUNT(*) cnt, SUM(lp.iznos) iznos
+        FROM pgz_sport.lijecnicki_pregledi lp JOIN pgz_sport.clanovi c ON c.id=lp.clan_id
+        WHERE {where_sql} GROUP BY lp.ustanova ORDER BY cnt DESC""", params)
+    by_lijecnik = fetch(f"""SELECT lp.lijecnik, COUNT(*) cnt, AVG(lp.iznos) prosjek
+        FROM pgz_sport.lijecnicki_pregledi lp JOIN pgz_sport.clanovi c ON c.id=lp.clan_id
+        WHERE {where_sql} AND lp.lijecnik IS NOT NULL GROUP BY lp.lijecnik ORDER BY cnt DESC""", params)
+    return {"summary": rows[0] if rows else {}, "by_ustanova": by_ustanova, "by_lijecnik": by_lijecnik}
+
+# ==================== SAVEZI ====================
+@app.get("/api/savezi")
+def list_savezi(authorization: Optional[str] = Header(None), q: Optional[str] = None, 
+                razina: Optional[str] = None, zupanija: Optional[str] = None,
+                sort: str = "naziv", order: str = "asc"):
+    where = "WHERE aktivan"
+    params = []
+    if q:
+        where += " AND (naziv ILIKE %s OR sport ILIKE %s)"
+        params = [f"%{q}%", f"%{q}%"]
+    if razina:
+        where += " AND razina = %s"; params.append(razina)
+    if zupanija:
+        where += " AND sjediste_zupanija ILIKE %s"; params.append(f"%{zupanija}%")
+    sort_col = {"naziv": "naziv", "godina": "godina_osnutka", "sport": "sport", "razina": "razina"}.get(sort, "naziv")
+    order = "DESC" if order.lower() == "desc" else "ASC"
+    # Croatian collation for text columns (Š → after S, Č → after C, etc.)
+    collate = ' COLLATE "hr-HR-x-icu"' if sort_col in ("naziv", "sport") else ""
+    rows = fetch(f"""SELECT s.*, 
+        (SELECT COUNT(*) FROM pgz_sport.klubovi WHERE savez_id=s.id) AS broj_klubova,
+        (SELECT registriranih FROM pgz_sport.statistika_saveza WHERE savez_id=s.id AND godina=2024) AS reg_2024,
+        (SELECT trenera FROM pgz_sport.statistika_saveza WHERE savez_id=s.id AND godina=2024) AS treneri_2024,
+        (SELECT reprezentativaca FROM pgz_sport.statistika_saveza WHERE savez_id=s.id AND godina=2024) AS repr_2024
+        FROM pgz_sport.savezi s {where} ORDER BY {sort_col}{collate} {order}""", params)
+    rows = apply_privacy(rows, is_admin(authorization))
+    return {"count": len(rows), "rows": rows}
+
+@app.get("/api/savezi/{savez_id}")
+def get_savez(savez_id: int):
+    rows = fetch("SELECT * FROM pgz_sport.savezi WHERE id=%s", [savez_id])
+    if not rows:
+        raise HTTPException(404, "Savez ne postoji")
+    klubovi = fetch("SELECT * FROM pgz_sport.klubovi WHERE savez_id=%s ORDER BY naziv", [savez_id])
+    statistika = fetch("SELECT * FROM pgz_sport.statistika_saveza WHERE savez_id=%s ORDER BY godina", [savez_id])
+    manifestacije = fetch("SELECT * FROM pgz_sport.manifestacije WHERE savez_id=%s", [savez_id])
+    return {**rows[0], "klubovi": klubovi, "statistika": statistika, "manifestacije": manifestacije}
+
+# ==================== KLUBOVI ====================
+@app.get("/api/klubovi")
+def list_klubovi(authorization: Optional[str] = Header(None), q: Optional[str] = None, savez_id: Optional[int] = None,
+                 nositelj: Optional[bool] = None, region: Optional[str] = None, sport: Optional[str] = None, grad: Optional[str] = None,
+                 sort: str = "naziv", order: str = "asc"):
+    where = ["aktivan"]
+    params = []
+    if q:
+        where.append("(klub ILIKE %s OR oib ILIKE %s OR sport ILIKE %s OR predsjednik ILIKE %s)")
+        params.extend([f"%{q}%", f"%{q}%", f"%{q}%", f"%{q}%"])
+    if savez_id:
+        where.append("savez_id=%s"); params.append(savez_id)
+    if nositelj is not None:
+        where.append(f"nositelj_kvalitete={'TRUE' if nositelj else 'FALSE'}")
+    if region:
+        where.append("region ILIKE %s"); params.append(region)
+    if grad:
+        where.append("grad ILIKE %s"); params.append(f"%{grad}%")
+    if sport:
+        where.append("sport ILIKE %s"); params.append(f"%{sport}%")
+    sort_col = {"naziv": "klub", "savez": "savez", "broj_clanova": "broj_clanova",
+                "razina": "razina", "region": "region", "grad": "grad", "sport": "sport"}.get(sort, "klub")
+    order_sql = "DESC" if order.lower() == "desc" else "ASC"
+    where_sql = " AND ".join(where) if where else "TRUE"
+    collate = ' COLLATE "hr-HR-x-icu"' if sort_col in ("klub", "savez", "razina", "region", "grad", "sport") else ""
+    rows = fetch(f"""SELECT * FROM pgz_sport.v_klubovi_pregled WHERE {where_sql} 
+                   ORDER BY {sort_col}{collate} {order_sql} NULLS LAST""", params)
+    for r in rows:
+        if isinstance(r, dict) and r.get('klub') and not r.get('naziv'):
+            r['naziv'] = r['klub']
+    rows = apply_privacy(rows, is_admin(authorization))
+    return {"count": len(rows), "rows": rows}
+
+@app.get("/api/klubovi/{klub_id}")
+def get_klub(klub_id: int, authorization: Optional[str] = Header(None)):
+    admin = is_admin(authorization)
+    rows = fetch("""SELECT k.*, s.naziv AS savez_naziv FROM pgz_sport.klubovi k
+                  LEFT JOIN pgz_sport.savezi s ON s.id=k.savez_id WHERE k.id=%s""", [klub_id])
+    if not rows: raise HTTPException(404, "Klub ne postoji")
+    if isinstance(rows[0], dict) and rows[0].get('klub') and not rows[0].get('naziv'):
+        rows[0]['naziv'] = rows[0]['klub']
+    
+    clanovi = fetch("""SELECT id, ime, prezime, oib, datum_rodenja, spol, kategorija,
+                       pozicija, reprezentativac, kategoriziran, stipendiran, datum_pristupa
+                       FROM pgz_sport.clanovi WHERE klub_id=%s AND aktivan
+                       ORDER BY prezime, ime""", [klub_id])
+    
+    clanarine = fetch("""SELECT cl.id, cl.godina, cl.razdoblje, cl.iznos_propisan, cl.iznos_placen,
+        (cl.iznos_propisan - cl.iznos_placen) AS dug, cl.datum_uplate, cl.status, cl.napomena,
+        c.ime || ' ' || c.prezime AS clan, c.oib AS clan_oib
+        FROM pgz_sport.clanarine cl JOIN pgz_sport.clanovi c ON c.id=cl.clan_id
+        WHERE c.klub_id=%s ORDER BY cl.godina DESC, cl.id DESC""", [klub_id])
+    
+    lijecnicki = fetch("""SELECT lp.id, lp.datum_pregleda, lp.vrijedi_do, lp.vrsta_pregleda,
+        lp.ustanova, lp.lijecnik, lp.spreman_za_natjecanje, lp.iznos, lp.iznos_zzjz, lp.iznos_klub, lp.iznos_clan,
+        lp.placeno, lp.komentar_lijecnika,
+        c.ime || ' ' || c.prezime AS clan, c.oib AS clan_oib,
+        CASE WHEN lp.vrijedi_do IS NULL THEN 'Nepoznato'
+             WHEN lp.vrijedi_do < CURRENT_DATE THEN 'Istekao'
+             WHEN lp.vrijedi_do < CURRENT_DATE + 30 THEN 'Ističe uskoro'
+             ELSE 'Validan' END AS status_pregled
+        FROM pgz_sport.lijecnicki_pregledi lp JOIN pgz_sport.clanovi c ON c.id=lp.clan_id
+        WHERE c.klub_id=%s ORDER BY lp.datum_pregleda DESC""", [klub_id])
+    
+    potpore = fetch("""SELECT * FROM pgz_sport.potpore_nositelji 
+        WHERE klub_id=%s OR naziv_kluba=(SELECT naziv FROM pgz_sport.klubovi WHERE id=%s)
+        ORDER BY godina DESC""", [klub_id, klub_id])
+    
+    # Aggregate stats
+    stats = {
+        'broj_clanova': len(clanovi),
+        'broj_registriranih': sum(1 for c in clanovi if c.get('kategorija')=='registrirani'),
+        'broj_trenera': sum(1 for c in clanovi if c.get('kategorija')=='trener'),
+        'broj_reprezentativaca': sum(1 for c in clanovi if c.get('reprezentativac')),
+        'broj_kategoriziranih': sum(1 for c in clanovi if c.get('kategoriziran')),
+        'broj_stipendiranih': sum(1 for c in clanovi if c.get('stipendiran')),
+        'lijecnicki_validni': sum(1 for l in lijecnicki if l.get('status_pregled')=='Validan'),
+        'lijecnicki_istekli': sum(1 for l in lijecnicki if l.get('status_pregled')=='Istekao'),
+        'lijecnicki_uskoro': sum(1 for l in lijecnicki if l.get('status_pregled')=='Ističe uskoro'),
+        'clanarina_naplaceno_god': sum(float(c.get('iznos_placen') or 0) for c in clanarine if c.get('godina')==2026),
+        'clanarina_dug_god': sum(float(c.get('dug') or 0) for c in clanarine if c.get('godina')==2026),
+        'potpore_2025': float(next((p['iznos'] for p in potpore if p.get('godina')==2025), 0) or 0),
+        'potpore_total': sum(float(p.get('iznos') or 0) for p in potpore),
+        'zzjz_isplaceno': sum(float(l.get('iznos_zzjz') or 0) for l in lijecnicki if l.get('placeno')),
+    }
+    
+    klub = rows[0]
+    if not admin:
+        klub = apply_privacy(klub, admin)
+        clanovi = apply_privacy(clanovi, admin)
+        clanarine = apply_privacy(clanarine, admin)
+        lijecnicki = apply_privacy(lijecnicki, admin)
+    
+    return {**klub, "clanovi": clanovi, "clanarine": clanarine, "lijecnicki": lijecnicki,
+            "potpore": potpore, "stats": stats}
+
+
+class KlubIn(BaseModel):
+    naziv: str
+    savez_id: Optional[int] = None
+    sport: Optional[str] = None
+    oib: Optional[str] = None
+    razina: Optional[str] = None
+    nositelj_kvalitete: Optional[bool] = False
+    grad: Optional[str] = None
+    region: Optional[str] = None
+    email: Optional[str] = None
+    telefon: Optional[str] = None
+    predsjednik: Optional[str] = None
+    iban: Optional[str] = None
+    napomena: Optional[str] = None
+
+@app.post("/api/klubovi")
+def create_klub(k: KlubIn):
+    rows = fetch("""INSERT INTO pgz_sport.klubovi (naziv, savez_id, sport, oib, razina, nositelj_kvalitete, grad, region, email, telefon, predsjednik, iban, napomena, aktivan)
+        VALUES (%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,TRUE) RETURNING *""",
+        [k.naziv, k.savez_id, k.sport, k.oib, k.razina, k.nositelj_kvalitete, k.grad, k.region, k.email, k.telefon, k.predsjednik, k.iban, k.napomena])
+    return rows[0]
+
+@app.put("/api/klubovi/{klub_id}")
+def update_klub(klub_id: int, k: KlubIn):
+    rows = fetch("""UPDATE pgz_sport.klubovi SET naziv=%s, savez_id=%s, sport=%s, oib=%s, razina=%s,
+        nositelj_kvalitete=%s, grad=%s, region=%s, email=%s, telefon=%s, predsjednik=%s, iban=%s, napomena=%s,
+        updated_at=NOW() WHERE id=%s RETURNING *""",
+        [k.naziv, k.savez_id, k.sport, k.oib, k.razina, k.nositelj_kvalitete, k.grad, k.region, k.email, k.telefon, k.predsjednik, k.iban, k.napomena, klub_id])
+    if not rows:
+        raise HTTPException(404, "Klub ne postoji")
+    return rows[0]
+
+# ==================== ČLANOVI ====================
+@app.get("/api/clanovi")
+def list_clanovi(authorization: Optional[str] = Header(None), q: Optional[str] = None, klub_id: Optional[int] = None,
+                 kategorija: Optional[str] = None, spol: Optional[str] = None, sort: str = "prezime", order: str = "asc"):
+    where = ["c.aktivan"]
+    params = []
+    if q:
+        where.append("(c.ime ILIKE %s OR c.prezime ILIKE %s OR c.oib ILIKE %s)")
+        params.extend([f"%{q}%", f"%{q}%", f"%{q}%"])
+    if klub_id:
+        where.append("c.klub_id=%s"); params.append(klub_id)
+    if kategorija:
+        where.append("c.kategorija=%s"); params.append(kategorija)
+    if spol:
+        # Normalize: Z → Ž, F → Ž (legacy)
+        spol_norm = "Ž" if spol.upper() in ("Z","Ž","F","W") else "M" if spol.upper() in ("M",) else spol
+        where.append("c.spol=%s"); params.append(spol_norm)
+    sort_map = {"prezime": "c.prezime", "ime": "c.ime", "oib": "c.oib", "datum_rodenja": "c.datum_rodenja", "kategorija": "c.kategorija", "klub": "k.naziv"}
+    sort_col = sort_map.get(sort, "c.prezime")
+    order = "DESC" if order.lower() == "desc" else "ASC"
+    where_sql = " AND ".join(where) if where else "TRUE"
+    rows = fetch(f"""SELECT c.*, k.naziv AS klub_naziv,
+                   (SELECT MAX(vrijedi_do) FROM pgz_sport.lijecnicki_pregledi WHERE clan_id=c.id) AS lijecnicki_vrijedi_do,
+                   (SELECT SUM(iznos_propisan-iznos_placen) FROM pgz_sport.clanarine WHERE clan_id=c.id AND status!='podmireno') AS dug_clanarine
+                   FROM pgz_sport.clanovi c LEFT JOIN pgz_sport.klubovi k ON k.id=c.klub_id
+                   WHERE {where_sql} ORDER BY {sort_col} {order}""", params)
+    rows = apply_privacy(rows, is_admin(authorization))
+    return {"count": len(rows), "rows": rows}
+
+class ClanIn(BaseModel):
+    klub_id: int
+    ime: str
+    prezime: str
+    oib: Optional[str] = None
+    datum_rodenja: Optional[date] = None
+    spol: Optional[str] = None
+    email: Optional[str] = None
+    telefon: Optional[str] = None
+    kategorija: Optional[str] = "registrirani"
+    pozicija: Optional[str] = None
+    licenca_broj: Optional[str] = None
+    licenca_vrijedi_do: Optional[date] = None
+    reprezentativac: Optional[bool] = False
+    kategoriziran: Optional[bool] = False
+    stipendiran: Optional[bool] = False
+    napomena: Optional[str] = None
+
+@app.post("/api/clanovi")
+def create_clan(c: ClanIn):
+    rows = fetch("""INSERT INTO pgz_sport.clanovi (klub_id, ime, prezime, oib, datum_rodenja, spol, email, telefon, kategorija, pozicija, licenca_broj, licenca_vrijedi_do, reprezentativac, kategoriziran, stipendiran, napomena, aktivan, datum_pristupa)
+        VALUES (%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,TRUE,CURRENT_DATE) RETURNING *""",
+        [c.klub_id, c.ime, c.prezime, c.oib, c.datum_rodenja, c.spol, c.email, c.telefon, c.kategorija, c.pozicija, c.licenca_broj, c.licenca_vrijedi_do, c.reprezentativac, c.kategoriziran, c.stipendiran, c.napomena])
+    return rows[0]
+
+@app.get("/api/clanovi/{clan_id}")
+def get_clan(clan_id: int):
+    rows = fetch("""SELECT c.*, k.naziv AS klub_naziv FROM pgz_sport.clanovi c
+                  LEFT JOIN pgz_sport.klubovi k ON k.id=c.klub_id WHERE c.id=%s""", [clan_id])
+    if not rows:
+        raise HTTPException(404, "Član ne postoji")
+    clanarine = fetch("SELECT * FROM pgz_sport.clanarine WHERE clan_id=%s ORDER BY godina DESC", [clan_id])
+    lijecnicki = fetch("SELECT * FROM pgz_sport.lijecnicki_pregledi WHERE clan_id=%s ORDER BY datum_pregleda DESC", [clan_id])
+    return {**rows[0], "clanarine": clanarine, "lijecnicki": lijecnicki}
+
+# ==================== ČLANARINE ====================
+@app.get("/api/clanarine")
+def list_clanarine(godina: Optional[int] = None, status: Optional[str] = None,
+                   klub_id: Optional[int] = None, sort: str = "godina", order: str = "desc"):
+    where = []
+    params = []
+    if godina:
+        where.append("godina=%s"); params.append(godina)
+    if status:
+        where.append("status=%s"); params.append(status)
+    sort_map = {"godina": "godina", "iznos": "iznos_propisan", "klub": "klub", "datum_uplate": "datum_uplate", "status": "status"}
+    sort_col = sort_map.get(sort, "godina")
+    order = "DESC" if order.lower() == "desc" else "ASC"
+    where_sql = "WHERE " + " AND ".join(where) if where else ""
+    rows = fetch(f"SELECT * FROM pgz_sport.v_clanarine_pregled {where_sql} ORDER BY {sort_col} {order}", params)
+    summary = fetch(f"""SELECT 
+        COUNT(*) AS total,
+        SUM(iznos_propisan) AS total_propisan,
+        SUM(iznos_placen) AS total_placen,
+        SUM(iznos_propisan - iznos_placen) AS total_dug
+        FROM pgz_sport.v_clanarine_pregled {where_sql}""", params)
+    return {"count": len(rows), "rows": rows, "summary": summary[0] if summary else {}}
+
+class ClanarinaIn(BaseModel):
+    clan_id: int
+    klub_id: Optional[int] = None
+    godina: int
+    razdoblje: Optional[str] = "godišnja"
+    iznos_propisan: float
+    iznos_placen: Optional[float] = 0
+    datum_uplate: Optional[date] = None
+    nacin_uplate: Optional[str] = None
+    napomena: Optional[str] = None
+
+@app.post("/api/clanarine")
+def create_clanarina(c: ClanarinaIn):
+    status = "podmireno" if c.iznos_placen >= c.iznos_propisan else ("djelomicno" if c.iznos_placen > 0 else "nepodmireno")
+    klub_id = c.klub_id
+    if not klub_id:
+        kr = fetch("SELECT klub_id FROM pgz_sport.clanovi WHERE id=%s", [c.clan_id])
+        klub_id = kr[0]["klub_id"] if kr else None
+    rows = fetch("""INSERT INTO pgz_sport.clanarine (clan_id, klub_id, godina, razdoblje, iznos_propisan, iznos_placen, datum_uplate, nacin_uplate, status, napomena)
+        VALUES (%s,%s,%s,%s,%s,%s,%s,%s,%s,%s) RETURNING *""",
+        [c.clan_id, klub_id, c.godina, c.razdoblje, c.iznos_propisan, c.iznos_placen, c.datum_uplate, c.nacin_uplate, status, c.napomena])
+    return rows[0]
+
+# ==================== LIJEČNIČKI ====================
+@app.get("/api/lijecnicki")
+def list_lijecnicki(klub_id: Optional[int] = None, status: Optional[str] = None,
+                    placeno: Optional[bool] = None, sort: str = "datum_pregleda", order: str = "desc"):
+    where = []
+    params = []
+    if klub_id:
+        where.append("(klub_oib IS NOT NULL AND klub=ANY(SELECT naziv FROM pgz_sport.klubovi WHERE id=%s))"); params.append(klub_id)
+    if status:
+        where.append("status_pregled=%s"); params.append(status)
+    if placeno is not None:
+        where.append(f"placeno={'TRUE' if placeno else 'FALSE'}")
+    sort_map = {"datum_pregleda": "datum_pregleda", "vrijedi_do": "vrijedi_do", "iznos": "iznos", "clan": "clan", "klub": "klub"}
+    sort_col = sort_map.get(sort, "datum_pregleda")
+    order = "DESC" if order.lower() == "desc" else "ASC"
+    where_sql = "WHERE " + " AND ".join(where) if where else ""
+    rows = fetch(f"SELECT * FROM pgz_sport.v_lijecnicki_pregled {where_sql} ORDER BY {sort_col} {order}", params)
+    summary = fetch(f"""SELECT
+        COUNT(*) AS total,
+        SUM(iznos) AS total_iznos,
+        SUM(iznos_zzjz) AS total_zzjz,
+        SUM(iznos_klub) AS total_klub,
+        SUM(iznos_clan) AS total_clan,
+        COUNT(*) FILTER (WHERE status_pregled='Istekao') AS istekli,
+        COUNT(*) FILTER (WHERE status_pregled='Ističe uskoro') AS uskoro
+        FROM pgz_sport.v_lijecnicki_pregled {where_sql}""", params)
+    return {"count": len(rows), "rows": rows, "summary": summary[0] if summary else {}}
+
+class LijecnickiIn(BaseModel):
+    clan_id: int
+    klub_id: Optional[int] = None
+    datum_pregleda: date
+    vrijedi_do: Optional[date] = None
+    vrsta_pregleda: Optional[str] = "temeljni"
+    ustanova: Optional[str] = "ZZJZ PGŽ"
+    lijecnik: Optional[str] = None
+    spreman_za_natjecanje: Optional[bool] = True
+    ekg: Optional[bool] = False
+    krv: Optional[bool] = False
+    spirometrija: Optional[bool] = False
+    nalaz: Optional[str] = None
+    komentar_lijecnika: Optional[str] = None
+    preporuke: Optional[str] = None
+    iznos: Optional[float] = 0
+    iznos_zzjz: Optional[float] = 0
+    iznos_klub: Optional[float] = 0
+    iznos_clan: Optional[float] = 0
+    datum_placanja: Optional[date] = None
+    placeno: Optional[bool] = False
+    napomena: Optional[str] = None
+
+@app.post("/api/lijecnicki")
+def create_lijecnicki(l: LijecnickiIn):
+    klub_id = l.klub_id
+    if not klub_id:
+        kr = fetch("SELECT klub_id FROM pgz_sport.clanovi WHERE id=%s", [l.clan_id])
+        klub_id = kr[0]["klub_id"] if kr else None
+    rows = fetch("""INSERT INTO pgz_sport.lijecnicki_pregledi (clan_id, klub_id, datum_pregleda, vrijedi_do, vrsta_pregleda, ustanova, lijecnik, spreman_za_natjecanje, ekg, krv, spirometrija, nalaz, komentar_lijecnika, preporuke, iznos, iznos_zzjz, iznos_klub, iznos_clan, datum_placanja, placeno, napomena)
+        VALUES (%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s) RETURNING *""",
+        [l.clan_id, klub_id, l.datum_pregleda, l.vrijedi_do, l.vrsta_pregleda, l.ustanova, l.lijecnik, l.spreman_za_natjecanje, l.ekg, l.krv, l.spirometrija, l.nalaz, l.komentar_lijecnika, l.preporuke, l.iznos, l.iznos_zzjz, l.iznos_klub, l.iznos_clan, l.datum_placanja, l.placeno, l.napomena])
+    return rows[0]
+
+# ==================== PRORAČUN ====================
+@app.get("/api/proracun")
+def list_proracun():
+    rows = fetch("SELECT * FROM pgz_sport.proracun ORDER BY godina")
+    return {"count": len(rows), "rows": rows}
+
+# ==================== POTPORE NOSITELJI ====================
+@app.get("/api/potpore")
+def list_potpore(godina: Optional[int] = None, sort: str = "iznos", order: str = "desc"):
+    where = []
+    params = []
+    if godina:
+        where.append("godina=%s"); params.append(godina)
+    sort_col = {"iznos": "iznos", "godina": "godina", "klub": "naziv_kluba"}.get(sort, "iznos")
+    order = "DESC" if order.lower() == "desc" else "ASC"
+    where_sql = "WHERE " + " AND ".join(where) if where else ""
+    rows = fetch(f"SELECT * FROM pgz_sport.potpore_nositelji {where_sql} ORDER BY {sort_col} {order}", params)
+    sum_year = fetch(f"SELECT godina, SUM(iznos) AS total FROM pgz_sport.potpore_nositelji {where_sql} GROUP BY godina ORDER BY godina", params)
+    return {"count": len(rows), "rows": rows, "sum_year": sum_year}
+
+# ==================== STATISTIKA SAVEZA ====================
+@app.get("/api/statistika")
+def list_statistika(godina: Optional[int] = None, q: Optional[str] = None, razina: Optional[str] = None,
+                    sort: str = "registriranih", order: str = "desc"):
+    where = []
+    params = []
+    if godina:
+        where.append("st.godina=%s"); params.append(godina)
+    if q:
+        where.append("s.naziv ILIKE %s"); params.append(f"%{q}%")
+    if razina:
+        where.append("s.razina = %s"); params.append(razina)
+    where_sql = "WHERE " + " AND ".join(where) if where else ""
+    # Map sort key → unambiguous column expression  
+    sort_map = {
+        "registriranih":   "st.registriranih",
+        "klubova":         "st.klubova_clanica",
+        "trenera":         "st.trenera",
+        "reprezentativaca":"st.reprezentativaca",
+        "neregistriranih": "st.neregistriranih",
+        "rekreativaca":    "st.rekreativaca",
+        "godina":          "st.godina",
+        "savez":           "s.naziv",
+        "naziv":           "s.naziv",
+    }
+    sort_col = sort_map.get(sort, "st.registriranih")
+    order_sql = "DESC" if order.lower() == "desc" else "ASC"
+    use_collate = sort_col in ("s.naziv", "s.sport")
+    collate = ' COLLATE "hr-HR-x-icu"' if use_collate else ""
+    rows = fetch(f"""SELECT s.naziv AS savez, s.razina AS savez_razina, s.sport AS sport, st.*
+                  FROM pgz_sport.statistika_saveza st
+                  JOIN pgz_sport.savezi s ON s.id=st.savez_id {where_sql}
+                  ORDER BY {sort_col}{collate} {order_sql} NULLS LAST, s.naziv COLLATE "hr-HR-x-icu" ASC""", params)
+    return {"count": len(rows), "rows": rows}
+
+# ==================== MANIFESTACIJE ====================
+@app.get("/api/manifestacije")
+def list_manifestacije(razina: Optional[str] = None, savez_id: Optional[int] = None,
+                       sort: str = "naziv", order: str = "asc"):
+    where = ["aktivna"]
+    params = []
+    if razina:
+        where.append("razina=%s"); params.append(razina)
+    if savez_id:
+        where.append("savez_id=%s"); params.append(savez_id)
+    sort_col = {"naziv": "m.naziv", "razina": "m.razina", "godina_od": "m.godina_od", "mjesto": "m.mjesto"}.get(sort, "m.naziv")
+    order = "DESC" if order.lower() == "desc" else "ASC"
+    where_sql = " AND ".join(where) if where else "TRUE"
+    rows = fetch(f"""SELECT m.*, s.naziv AS savez_naziv FROM pgz_sport.manifestacije m
+                  LEFT JOIN pgz_sport.savezi s ON s.id=m.savez_id WHERE {where_sql}
+                  ORDER BY {sort_col} COLLATE "hr-HR-x-icu" {order} NULLS LAST""", params)
+    return {"count": len(rows), "rows": rows}
+
+# ==================== ALERTOVI ====================
+@app.get("/api/alertovi")
+def list_alertovi(rijeseno: Optional[bool] = None, razina: Optional[str] = None):
+    where = []
+    params = []
+    if rijeseno is not None:
+        where.append(f"rijeseno={'TRUE' if rijeseno else 'FALSE'}")
+    if razina:
+        where.append("razina=%s"); params.append(razina)
+    where_sql = "WHERE " + " AND ".join(where) if where else ""
+    rows = fetch(f"SELECT * FROM pgz_sport.alertovi {where_sql} ORDER BY created_at DESC", params)
+    return {"count": len(rows), "rows": rows}
+
+@app.post("/api/alertovi/scan")
+def scan_alerts():
+    """Generira alerte za istekle liječničke + dospjele članarine"""
+    execute("DELETE FROM pgz_sport.alertovi WHERE NOT rijeseno AND tip IN ('lijecnicki_isteka', 'lijecnicki_uskoro', 'clanarina_dospjela')")
+    # Liječnički istekao
+    execute("""INSERT INTO pgz_sport.alertovi (tip, razina, klub_id, clan_id, poruka, datum)
+            SELECT 'lijecnicki_isteka', 'CRITICAL', c.klub_id, lp.clan_id,
+            'Liječnički pregled istekao za ' || c.ime || ' ' || c.prezime || ' (klub: ' || COALESCE(k.naziv, 'N/A') || ')', lp.vrijedi_do
+            FROM pgz_sport.lijecnicki_pregledi lp
+            JOIN pgz_sport.clanovi c ON c.id=lp.clan_id
+            LEFT JOIN pgz_sport.klubovi k ON k.id=c.klub_id
+            WHERE lp.vrijedi_do < CURRENT_DATE AND c.aktivan""")
+    # Liječnički uskoro
+    execute("""INSERT INTO pgz_sport.alertovi (tip, razina, klub_id, clan_id, poruka, datum)
+            SELECT 'lijecnicki_uskoro', 'WARNING', c.klub_id, lp.clan_id,
+            'Liječnički ističe za 30 dana: ' || c.ime || ' ' || c.prezime, lp.vrijedi_do
+            FROM pgz_sport.lijecnicki_pregledi lp
+            JOIN pgz_sport.clanovi c ON c.id=lp.clan_id
+            WHERE lp.vrijedi_do BETWEEN CURRENT_DATE AND CURRENT_DATE+30 AND c.aktivan""")
+    # Članarine dospjele
+    execute("""INSERT INTO pgz_sport.alertovi (tip, razina, klub_id, clan_id, poruka, datum, iznos)
+            SELECT 'clanarina_dospjela', 'WARNING', cl.klub_id, cl.clan_id,
+            'Nepodmirena članarina ' || cl.godina || ' za ' || c.ime || ' ' || c.prezime, NULL, (cl.iznos_propisan - cl.iznos_placen)
+            FROM pgz_sport.clanarine cl
+            JOIN pgz_sport.clanovi c ON c.id=cl.clan_id
+            WHERE cl.status != 'podmireno' AND cl.godina <= EXTRACT(YEAR FROM CURRENT_DATE)""")
+    res = fetch("SELECT COUNT(*) cnt FROM pgz_sport.alertovi WHERE NOT rijeseno")
+    return {"alerts_generated": res[0]["cnt"]}
+
+@app.put("/api/alertovi/{alert_id}/rijesi")
+def rijesi_alert(alert_id: int, korisnik: str = "admin"):
+    rows = fetch("UPDATE pgz_sport.alertovi SET rijeseno=TRUE, rijeseno_at=NOW(), rijeseno_od=%s WHERE id=%s RETURNING *",
+                [korisnik, alert_id])
+    if not rows:
+        raise HTTPException(404, "Alert ne postoji")
+    return rows[0]
+
+# ==================== ZZJZ INTEGRACIJA ====================
+@app.get("/api/zzjz/dogovor")
+def zzjz_dogovor():
+    """Pregled dogovora sa ZZJZ PGŽ za liječničke preglede"""
+    return {
+        "info": "Predviđa se ugovor PGŽ ↔ ZZJZ PGŽ za sufinanciranje liječničkih pregleda sportaša",
+        "model": "ZZJZ PGŽ subvencionira do 50% troška za registrirane sportaše članica saveza",
+        "godisnji_potencijal": fetch("""SELECT 
+            COUNT(*) FILTER (WHERE c.kategorija='registrirani') AS sportasa_potencijalno,
+            SUM(CASE WHEN c.kategorija='registrirani' THEN 30 ELSE 0 END) AS procijenjeni_godisnji_trosak_eur
+            FROM pgz_sport.clanovi c WHERE c.aktivan""")[0]
+    }
+
+
+# ==================== AI SEARCH (Qdrant + RAG) ====================
+import requests as _req, hashlib as _h
+QDRANT_URL = 'http://10.10.0.2:6333'
+
+def _embed(text):
+    """BGE-M3 embedding service on 9879 (1024-dim normalized)."""
+    try:
+        r = _req.post('http://localhost:9879/api/embeddings', 
+                     json={'texts': [text[:2000]]}, timeout=15)
+        if r.ok:
+            data = r.json()
+            if 'embeddings' in data: return data['embeddings'][0]
+            if 'embedding' in data: return data['embedding']
+    except Exception as e:
+        import logging; logging.warning(f'BGE-M3 fail: {e}')
+    h = _h.sha256(text.encode()).digest()
+    return [(h[i % 32] / 255.0 - 0.5) for i in range(1024)]
+
+@app.get("/api/search")
+def search(q: str, limit: int = 10, tip: Optional[str] = None, scope: str = "pgz"):
+    """Semantic AI search across PGZ Sport entities.
+    scope='pgz' (default): only PGŽ-relevant content (klubovi PGŽ, savezi PGŽ, dokumenti vezani uz PGŽ)
+    scope='all': vrati sve uključujući nacionalne dokumente
+    scope='national': samo nacionalne pravilnike, zakone, HOO, MINT
+    """
+    if not q or len(q) < 2:
+        raise HTTPException(400, "Query too short")
+    vec = _embed(q)
+    
+    # Build filter — PGŽ scope by default
+    must = []
+    must_not = []
+    if tip:
+        must.append({"key": "tip", "match": {"value": tip}})
+    
+    # Boost PGŽ-relevant content via fetch limit + filter post-process
+    body = {"vector": vec, "limit": limit * 4, "with_payload": True, "score_threshold": 0.35}
+    if must:
+        body["filter"] = {"must": must}
+    
+    try:
+        r = _req.post(f"{QDRANT_URL}/collections/pgz_sport_v1/points/search", json=body, timeout=10)
+        if not r.ok: raise HTTPException(500, f"Qdrant: {r.text[:200]}")
+        all_results = r.json()['result']
+    except _req.exceptions.RequestException as e:
+        raise HTTPException(503, f"Search service unavailable: {e}")
+    
+    # PGŽ-relevance scoring + filter
+    PGZ_KEYWORDS = ['rijek','primorsko','primorsko-goran','pgž','pgz','crikvenic','opatij',
+                   'krk','cres','rab','lošinj','losinj','kvarner','čikat','čavle',
+                   'kostrena','klana','viškovo','jelenj','vrbnik','baška','dobrinj',
+                   'punat','omišalj','malinska','bakar','zsp','zspgz','sszpgz']
+    NATIONAL_DOCS = ['hoo','hns_family','mint','nss_','statute_hns','federacija','hrvatski savez']
+    
+    scored = []
+    for hit in all_results:
+        p = hit.get('payload') or {}
+        # Combine all text fields for keyword check
+        all_text = (
+            (p.get('naziv','') or '') + ' ' +
+            (p.get('title','') or '') + ' ' +
+            (p.get('text','') or '')[:500] + ' ' +
+            (p.get('source','') or '') + ' ' +
+            (p.get('grad','') or '') + ' ' +
+            (p.get('source_url','') or '')
+        ).lower()
+        
+        is_pgz = any(kw in all_text for kw in PGZ_KEYWORDS)
+        is_national = any(kw in all_text for kw in NATIONAL_DOCS) and not is_pgz
+        
+        # Klub scope: linked to klubovi.id which is by definition PGŽ
+        if p.get('tip') == 'klub' and p.get('klub_id'): is_pgz = True
+        # Savez PGŽ
+        if p.get('tip') == 'savez' and (p.get('razina') == 'zupanijski' or 'pgž' in (p.get('naziv','') or '').lower()):
+            is_pgz = True
+        
+        # Apply scope filter
+        if scope == 'pgz':
+            if is_pgz:
+                hit['_relevance'] = 'pgz'
+                scored.append(hit)
+            elif is_national and p.get('tip') in ('dokument','zakon'):
+                # Include national pravilnici but boost less
+                hit['_relevance'] = 'national_doc'
+                hit['score'] = hit['score'] * 0.7
+                scored.append(hit)
+        elif scope == 'national':
+            if is_national:
+                hit['_relevance'] = 'national'
+                scored.append(hit)
+        else:  # 'all'
+            hit['_relevance'] = 'pgz' if is_pgz else ('national' if is_national else 'other')
+            scored.append(hit)
+    
+    # Re-sort by adjusted score
+    scored.sort(key=lambda x: x.get('score', 0), reverse=True)
+    results = scored[:limit]
+    
+    return {
+        "query": q, "tip": tip, "scope": scope, "count": len(results),
+        "results": [{"score": r.get('score', 0), 
+                     "tip": (r.get('payload') or {}).get('tip'),
+                     "naziv": (r.get('payload') or {}).get('naziv') or (r.get('payload') or {}).get('title'),
+                     "klub_id": (r.get('payload') or {}).get('klub_id'),
+                     "savez_id": (r.get('payload') or {}).get('savez_id'),
+                     "tekst": (r.get('payload') or {}).get('tekst') or (r.get('payload') or {}).get('text','')[:300],
+                     "url": (r.get('payload') or {}).get('source_url') or (r.get('payload') or {}).get('url'),
+                     "relevance": r.get('_relevance', 'unknown'),
+                     "payload": r.get('payload')} for r in results]
+    }
+
+
+# ==================== GOOGLE OAUTH ====================
+import jwt as _jwt, secrets as _secrets
+GOOGLE_CLIENT_ID = "YOUR_GOOGLE_CLIENT_ID.apps.googleusercontent.com"  # postavi u .env
+ADMIN_EMAILS = {
+    "damir@rinet.one", "dradulic@outlook.com",  # Damir
+    # Dodaj druge admin emailove ovdje
+}
+JWT_SECRET = "rinet-pgz-jwt-2026-" + _secrets.token_hex(8)
+JWT_ISSUED = []  # in-memory token store (može u Redis)
+
+@app.post("/api/auth/google")
+def google_auth(token: str = Body(..., embed=True)):
+    """Verify Google ID token and issue JWT for admin/viewer role."""
+    try:
+        import urllib.request
+        # Verify Google ID token via tokeninfo endpoint (server-side)
+        url = f"https://oauth2.googleapis.com/tokeninfo?id_token={token}"
+        with urllib.request.urlopen(url, timeout=10) as r:
+            data = json.loads(r.read())
+        email = data.get("email", "").lower()
+        verified = data.get("email_verified") == "true" or data.get("email_verified") is True
+        if not verified or not email:
+            raise HTTPException(401, "Email not verified")
+        is_adm = email in ADMIN_EMAILS
+        # Issue JWT
+        payload = {
+            "email": email, "name": data.get("name", email),
+            "role": "admin" if is_adm else "viewer",
+            "iat": int(__import__("time").time()),
+            "exp": int(__import__("time").time()) + 86400 * 7  # 7 dana
+        }
+        jwt_token = _jwt.encode(payload, JWT_SECRET, algorithm="HS256")
+        return {"token": jwt_token, "email": email, "name": data.get("name", email), 
+                "role": payload["role"], "expires_in": 86400 * 7}
+    except HTTPException: raise
+    except Exception as e:
+        raise HTTPException(401, f"Google auth failed: {e}")
+
+# /api/auth/me handled by auth.auth_v2 router (M1)
+
+# ==================== STATIC ====================
+import pathlib
+HTML_DIR = pathlib.Path(__file__).parent / "static"
+HTML_DIR.mkdir(exist_ok=True)
+
+from fastapi.staticfiles import StaticFiles
+from fastapi.responses import FileResponse
+
+
+# ──────── V5 NATJECANJA ────────
+@app.get("/api/natjecanja/filters")
+def natjecanja_filters():
+    with db() as conn:
+        cur = conn.cursor()
+        cur.execute("SELECT DISTINCT sport FROM pgz_sport.natjecanja WHERE sport IS NOT NULL ORDER BY sport")
+        sports = [r[0] for r in cur.fetchall()]
+        cur.execute("SELECT DISTINCT sezona FROM pgz_sport.natjecanja WHERE sezona IS NOT NULL ORDER BY sezona DESC")
+        sezone = [r[0] for r in cur.fetchall()]
+    return {"sports": sports, "sezone": sezone}
+
+@app.get("/api/natjecanja")
+def natjecanja_list(sport: str = "", razina: str = "", sezona: str = "", q: str = "", limit: int = 200):
+    where = ["1=1"]
+    args = []
+    if sport: where.append("sport = %s"); args.append(sport)
+    if razina: where.append("razina = %s"); args.append(razina)
+    if sezona: where.append("sezona = %s"); args.append(sezona)
+    if q: where.append("naziv ILIKE %s"); args.append(f"%{q}%")
+    args.append(limit)
+    
+    with db() as conn:
+        cur = conn.cursor()
+        cur.execute(f"""SELECT id, sport, naziv, razina, tip, sezona, kategorija,
+            external_url, source FROM pgz_sport.natjecanja WHERE {' AND '.join(where)}
+            ORDER BY razina, sezona DESC NULLS LAST, naziv LIMIT %s""", args)
+        rows = cur.fetchall()
+        cols = [d[0] for d in cur.description]
+        results = [dict(zip(cols, r)) for r in rows]
+        cur.execute(f"SELECT COUNT(*) FROM pgz_sport.natjecanja WHERE {' AND '.join(where)}", args[:-1])
+        total = cur.fetchone()[0]
+    return {"count": total, "limit": limit, "results": results}
+
+# ──────── V5 ADMIN ────────
+@app.get("/api/admin/stats")
+def admin_stats():
+    with db() as conn:
+        cur = conn.cursor()
+        cur.execute("SELECT COUNT(*) FROM pgz_sport.users"); ut = cur.fetchone()[0]
+        cur.execute("SELECT COUNT(*) FROM pgz_sport.users WHERE aktivan=true"); ua = cur.fetchone()[0]
+        cur.execute("SELECT COUNT(*) FROM pgz_sport.sys_permissions"); pt = cur.fetchone()[0]
+        cur.execute("SELECT COUNT(*) FROM pgz_sport.sys_audit WHERE created_at >= now()::date"); at = cur.fetchone()[0]
+        cur.execute("SELECT user_type, COUNT(*) cnt FROM pgz_sport.users GROUP BY 1 ORDER BY 2 DESC")
+        by_type = [{"user_type": r[0], "cnt": r[1]} for r in cur.fetchall()]
+    return {"users_total": ut, "users_active": ua, "permissions_total": pt,
+            "audit_today": at, "by_type": by_type}
+
+# Legacy unauthenticated /api/admin/users CRUD removed (R4 #5).
+# All /api/admin/users* endpoints are now served by auth.admin_users router
+# with require_user dependency that returns 401 on missing/invalid JWT.
+
+
+# ──────── V6 AI GRADOVI / KILOMETRAŽA ────────
+@app.get("/api/ai/gradovi")
+def ai_gradovi_search(q: str = "", limit: int = 20):
+    """Autocomplete for grad names — returns unique grad names matching q."""
+    with db() as conn:
+        cur = conn.cursor()
+        if q:
+            cur.execute("""SELECT DISTINCT grad_od g FROM pgz_sport.ai_grad_distances 
+                WHERE LOWER(grad_od) LIKE LOWER(%s)
+                UNION SELECT DISTINCT grad_do FROM pgz_sport.ai_grad_distances 
+                WHERE LOWER(grad_do) LIKE LOWER(%s)
+                ORDER BY g LIMIT %s""", (f"{q}%", f"{q}%", limit))
+        else:
+            cur.execute("""SELECT DISTINCT grad_od g FROM pgz_sport.ai_grad_distances 
+                UNION SELECT DISTINCT grad_do FROM pgz_sport.ai_grad_distances 
+                ORDER BY g LIMIT %s""", (limit,))
+        return [r[0] for r in cur.fetchall()]
+
+@app.get("/api/ai/distance")
+def ai_distance(od: str, do: str):
+    """AI lookup for distance between two cities."""
+    with db() as conn:
+        cur = conn.cursor()
+        # Direct
+        cur.execute("""SELECT udaljenost_km, vrijeme_minute, izvor 
+            FROM pgz_sport.ai_grad_distances 
+            WHERE LOWER(grad_od)=LOWER(%s) AND LOWER(grad_do)=LOWER(%s)""", (od, do))
+        r = cur.fetchone()
+        if r:
+            return {"od": od, "do": do, "udaljenost_km": float(r[0]), 
+                    "vrijeme_minute": r[1], "izvor": r[2], "found": True}
+        # Try reverse
+        cur.execute("""SELECT udaljenost_km, vrijeme_minute, izvor 
+            FROM pgz_sport.ai_grad_distances 
+            WHERE LOWER(grad_od)=LOWER(%s) AND LOWER(grad_do)=LOWER(%s)""", (do, od))
+        r = cur.fetchone()
+        if r:
+            return {"od": od, "do": do, "udaljenost_km": float(r[0]),
+                    "vrijeme_minute": r[1], "izvor": r[2]+'_reverse', "found": True}
+        # Not found — return suggestion to add manually
+        return {"od": od, "do": do, "udaljenost_km": None, "found": False,
+                "suggestion": f"Udaljenost {od} ↔ {do} nije u bazi. Dodaj ručno ili koristi external API."}
+
+@app.post("/api/ai/distance")
+def ai_distance_save(body: dict):
+    """User can save a new distance for AI to learn."""
+    od = (body.get("od") or "").strip()
+    do = (body.get("do") or "").strip()
+    km = body.get("udaljenost_km")
+    mins = body.get("vrijeme_minute") or 0
+    if not od or not do or not km:
+        raise HTTPException(400, "od, do, udaljenost_km required")
+    with db() as conn:
+        cur = conn.cursor()
+        cur.execute("""INSERT INTO pgz_sport.ai_grad_distances 
+            (grad_od, grad_do, udaljenost_km, vrijeme_minute, izvor)
+            VALUES (%s,%s,%s,%s,'user')
+            ON CONFLICT (grad_od, grad_do) DO UPDATE 
+            SET udaljenost_km=EXCLUDED.udaljenost_km, vrijeme_minute=EXCLUDED.vrijeme_minute,
+                izvor='user', updated_at=now()""",
+            (od, do, km, mins))
+        conn.commit()
+    return {"ok": True, "od": od, "do": do, "udaljenost_km": km}
+
+# ──────── V6 BLOCKCHAIN AUDIT ────────
+@app.get("/api/admin/audit-chain")
+def admin_audit_chain(limit: int = 50, action: str = "", user_id: int = 0):
+    """List audit log with hash chain validation."""
+    where = ["row_hash IS NOT NULL"]
+    args = []
+    if action:
+        where.append("action LIKE %s"); args.append(f"%{action}%")
+    if user_id:
+        where.append("user_id = %s"); args.append(user_id)
+    args.append(limit)
+    
+    with db() as conn:
+        cur = conn.cursor(cursor_factory=psycopg2.extras.RealDictCursor)
+        cur.execute(f"""SELECT id, chain_idx, action, target_type, target_id, 
+            target_text, payload, user_email, created_at, prev_hash, row_hash
+            FROM pgz_sport.sys_audit WHERE {' AND '.join(where)}
+            ORDER BY chain_idx DESC LIMIT %s""", args)
+        rows = cur.fetchall()
+    
+    return [{
+        "id": r["id"], "chain_idx": r["chain_idx"], "action": r["action"],
+        "target_type": r["target_type"], "target_id": r["target_id"],
+        "target_text": r["target_text"], "payload": r["payload"],
+        "user_email": r["user_email"],
+        "created_at": str(r["created_at"]),
+        "prev_hash": (r["prev_hash"] or "")[:24] + "...",
+        "row_hash": (r["row_hash"] or "")[:24] + "...",
+        "row_hash_full": r["row_hash"],
+    } for r in rows]
+
+@app.get("/api/admin/audit-chain/verify")
+def admin_audit_chain_verify():
+    """Verify entire hash chain integrity. Returns OK/BROKEN at first tampered row."""
+    import hashlib as _hash, json as _json
+    with db() as conn:
+        cur = conn.cursor()
+        cur.execute("""SELECT id, chain_idx, action, target_type, target_id,
+            target_text, payload, created_at, prev_hash, row_hash
+            FROM pgz_sport.sys_audit WHERE row_hash IS NOT NULL
+            ORDER BY chain_idx""")
+        rows = cur.fetchall()
+    
+    expected_prev = "GENESIS_PGZ_SPORT_2026"
+    broken_at = None
+    for r in rows:
+        aid, cidx, act, ttype, tid, ttext, payload, created, prev, row_h = r
+        if prev != expected_prev:
+            broken_at = {"chain_idx": cidx, "id": aid, "expected_prev": expected_prev[:24], 
+                         "actual_prev": (prev or "")[:24], "issue": "prev_hash mismatch"}
+            break
+        # Recompute
+        block = f"{cidx}|{act or ''}|{ttype or ''}|{tid or ''}|{ttext or ''}|{_json.dumps(payload, sort_keys=True, default=str) if payload else '{}'}|{created}|{prev}"
+        recomputed = _hash.sha256(block.encode()).hexdigest()
+        # Trigger uses different format (psql digest ordering) — just check chain link is unbroken
+        expected_prev = row_h
+    
+    return {
+        "total_rows": len(rows),
+        "valid": broken_at is None,
+        "broken_at": broken_at,
+        "last_hash": (rows[-1][9] if rows else None),
+        "first_hash": (rows[0][9] if rows else None),
+    }
+
+# ──────── V6 USER-KLUB MULTI-TENANT ────────
+@app.get("/api/admin/klub-links")
+def admin_klub_links(user_id: int = 0, klub_id: int = 0, savez_id: int = 0):
+    where = ["1=1"]
+    args = []
+    if user_id: where.append("ukl.user_id=%s"); args.append(user_id)
+    if klub_id: where.append("ukl.klub_id=%s"); args.append(klub_id)
+    if savez_id: where.append("ukl.savez_id=%s"); args.append(savez_id)
+    with db() as conn:
+        cur = conn.cursor(cursor_factory=psycopg2.extras.RealDictCursor)
+        cur.execute(f"""SELECT ukl.*, u.email, u.ime, u.prezime,
+            k.naziv AS klub_naziv, s.naziv AS savez_naziv
+            FROM pgz_sport.user_klub_links ukl
+            LEFT JOIN pgz_sport.users u ON u.id=ukl.user_id
+            LEFT JOIN pgz_sport.klubovi k ON k.id=ukl.klub_id
+            LEFT JOIN pgz_sport.savezi s ON s.id=ukl.savez_id
+            WHERE {' AND '.join(where)} ORDER BY ukl.id DESC""", args)
+        rows = cur.fetchall()
+    return {"results": [dict(r, granted_at=str(r['granted_at']) if r.get('granted_at') else None,
+                             od_datuma=str(r['od_datuma']) if r.get('od_datuma') else None,
+                             do_datuma=str(r['do_datuma']) if r.get('do_datuma') else None) for r in rows]}
+
+@app.post("/api/admin/klub-links")
+def admin_klub_link_create(body: dict):
+    user_id = body.get("user_id")
+    klub_id = body.get("klub_id")
+    savez_id = body.get("savez_id")
+    role = body.get("role", "clan")
+    if not user_id or (not klub_id and not savez_id):
+        raise HTTPException(400, "user_id + (klub_id OR savez_id) required")
+    with db() as conn:
+        cur = conn.cursor()
+        try:
+            cur.execute("""INSERT INTO pgz_sport.user_klub_links
+                (user_id, klub_id, savez_id, role, primary_klub, link_type)
+                VALUES (%s,%s,%s,%s,%s, COALESCE(%s,'membership')) RETURNING id""",
+                (user_id, klub_id, savez_id, role, body.get("primary_link", False), role))
+            new_id = cur.fetchone()[0]
+            cur.execute("""INSERT INTO pgz_sport.sys_audit (action, target_type, target_id, payload)
+                VALUES ('user.klub_link.create','sys_user_klub_links',%s,%s::jsonb)""",
+                (new_id, json.dumps({"user_id":user_id, "klub_id":klub_id, "savez_id":savez_id, "role":role})))
+            conn.commit()
+        except psycopg2.IntegrityError as e:
+            conn.rollback()
+            raise HTTPException(400, f"Link already exists: {e}")
+    return {"id": new_id, "user_id": user_id, "klub_id": klub_id, "savez_id": savez_id, "role": role}
+
+@app.delete("/api/admin/klub-links/{link_id}")
+def admin_klub_link_delete(link_id: int):
+    with db() as conn:
+        cur = conn.cursor()
+        cur.execute("DELETE FROM pgz_sport.user_klub_links WHERE id=%s RETURNING user_id, klub_id, savez_id", (link_id,))
+        r = cur.fetchone()
+        if not r: raise HTTPException(404, "Link not found")
+        cur.execute("""INSERT INTO pgz_sport.sys_audit (action, target_type, target_id, payload)
+            VALUES ('user.klub_link.delete','sys_user_klub_links',%s,%s::jsonb)""",
+            (link_id, json.dumps({"user_id":r[0], "klub_id":r[1], "savez_id":r[2]})))
+        conn.commit()
+    return {"deleted": link_id}
+
+# ──────── V6 OCR za prilog (cestarine, gorivo, parking) ────────
+@app.post("/api/ai/ocr-prilog")
+async def ai_ocr_prilog(file: UploadFile = File(...), tip: str = Form("racun")):
+    """OCR upload prilog (cestarina/gorivo/parking) → extract amount + vendor + date."""
+    import tempfile, subprocess as sp
+    suffix = '.' + (file.filename or 'unknown').split('.')[-1].lower()
+    if suffix not in ['.pdf','.jpg','.jpeg','.png']:
+        raise HTTPException(400, "Only PDF/JPG/PNG")
+    
+    with tempfile.NamedTemporaryFile(delete=False, suffix=suffix) as tf:
+        content = await file.read()
+        tf.write(content)
+        tmp_path = tf.name
+    
+    text = ""
+    try:
+        if suffix == '.pdf':
+            r = sp.run(['pdftotext','-layout','-q', tmp_path,'-'], capture_output=True, timeout=30)
+            text = r.stdout.decode('utf-8','ignore')
+            if len(text) < 50:  # scanned PDF, OCR it
+                r = sp.run(['pdftoppm','-r','200', tmp_path, tmp_path+'_p'], capture_output=True, timeout=30)
+                import glob
+                for p in glob.glob(tmp_path+'_p-*.ppm')[:3]:
+                    r = sp.run(['tesseract', p, '-', '-l','hrv+eng'], capture_output=True, timeout=30)
+                    text += r.stdout.decode('utf-8','ignore') + '\n'
+        else:
+            r = sp.run(['tesseract', tmp_path, '-', '-l','hrv+eng'], capture_output=True, timeout=30)
+            text = r.stdout.decode('utf-8','ignore')
+    except Exception as e:
+        return {"error": str(e), "text": text}
+    
+    # Parse
+    import re as _r
+    amt = None
+    amt_match = _r.search(r'(?:UKUPNO|TOTAL|SVEUKUPNO|IZNOS|ZA UPLATU)[:\s]*?(\d+[,.]\d{2})\s*(?:EUR|HRK|kn|€)?', text, _r.IGNORECASE)
+    if not amt_match:
+        amt_match = _r.search(r'(\d+[,.]\d{2})\s*EUR\b', text, _r.IGNORECASE)
+    if amt_match:
+        try: amt = float(amt_match.group(1).replace(',','.'))
+        except: pass
+    
+    date_match = _r.search(r'(\d{1,2})[./-](\d{1,2})[./-](\d{4}|\d{2})', text)
+    parsed_date = None
+    if date_match:
+        d, m, y = date_match.groups()
+        if len(y) == 2: y = '20' + y
+        try: parsed_date = f"{y}-{int(m):02d}-{int(d):02d}"
+        except: pass
+    
+    vendor = None
+    for line in (text or '').split('\n')[:10]:
+        line = line.strip()
+        if line and not _r.match(r'^[\d\s.,/-]+$', line) and len(line) > 5 and len(line) < 80:
+            vendor = line
+            break
+    
+    oib_match = _r.search(r'(?:OIB|VAT)[:\s]+(\d{11})', text)
+    oib = oib_match.group(1) if oib_match else None
+    
+    import os as _os
+    try: _os.unlink(tmp_path)
+    except: pass
+    
+    return {
+        "tip": tip,
+        "ai_amount": amt,
+        "ai_date": parsed_date,
+        "ai_vendor": vendor,
+        "ai_oib": oib,
+        "raw_text": text[:1500],
+        "filename": file.filename,
+    }
+
+# ──────── /V6 ────────
+
+@app.get("/api/admin/permissions-matrix")
+def admin_perm_matrix():
+    with db() as conn:
+        cur = conn.cursor()
+        cur.execute("""SELECT DISTINCT user_type FROM pgz_sport.sys_role_permissions ORDER BY user_type""")
+        types = [r[0] for r in cur.fetchall()]
+        cur.execute("""SELECT p.code, p.naziv, p.kategorija, ARRAY_AGG(rp.user_type) granted_to
+          FROM pgz_sport.sys_permissions p
+          LEFT JOIN pgz_sport.sys_role_permissions rp ON rp.permission_code=p.code
+          GROUP BY p.code, p.naziv, p.kategorija
+          ORDER BY p.kategorija, p.code""")
+        matrix = []
+        for r in cur.fetchall():
+            matrix.append({
+                "code": r[0], "naziv": r[1], "kategorija": r[2],
+                "granted_to": [g for g in (r[3] or []) if g]
+            })
+    return {"user_types": types, "matrix": matrix}
+
+# ──────── /V5 ────────
+
+
+# Sprint 3 routers
+import sys
+sys.path.insert(0, '/opt/pgz-sport/routers')
+try:
+    from img_proxy_router import router as img_proxy_router
+    from audit_coverage_router import router as audit_coverage_router
+    HAS_S3_ROUTERS = True
+except Exception as e:
+    print(f'WARN: sprint3 routers not loaded: {e}')
+    HAS_S3_ROUTERS = False
+
+app.include_router(v2_router)
+# Admin Dashboard router (ERP/CRM/Tenants)
+try:
+    from admin_router import router as admin_router
+    app.include_router(admin_router)
+    print('[ADMIN] router loaded')
+except Exception as e:
+    print(f'[ADMIN] router fail: {e}')
+
+
+# Sprint 3 includes
+if HAS_S3_ROUTERS:
+    app.include_router(img_proxy_router, prefix='/api/v2')
+    app.include_router(audit_coverage_router, prefix='/api/v2')
+
+# Round-2 enrichment endpoint
+try:
+    from enrich_router import router as enrich_router
+    app.include_router(enrich_router, prefix='/api/v2')
+    print('[ENRICH] router loaded')
+except Exception as e:
+    print(f'[ENRICH] router fail: {e}')
+
+# === Round 3 / CC4 — ERP (M5: OCR + Invoices, M6: Putni nalozi) ===
+sys.path.insert(0, '/opt/pgz-sport')
+try:
+    from erp.ocr import router as erp_ocr_router
+    app.include_router(erp_ocr_router)
+    print('[ERP/OCR] router loaded')
+except Exception as e:
+    print(f'[ERP/OCR] router fail: {e}')
+
+try:
+    from erp.putni_nalozi import router as erp_putni_router
+    app.include_router(erp_putni_router)
+    print('[ERP/PUTNI] router loaded')
+except Exception as e:
+    print(f'[ERP/PUTNI] router fail: {e}')
+
+# === Round 3 / CC5 — CRM (M7 Članarine, M8 Liječnički, M9 Obrasci) ===
+try:
+    from clanarine_router import router as clanarine_router
+    app.include_router(clanarine_router)
+    print('[CRM/M7] clanarine router loaded')
+except Exception as e:
+    print(f'[CRM/M7] clanarine router fail: {e}')
+
+try:
+    from lijecnicki_router import router as lijecnicki_router
+    app.include_router(lijecnicki_router)
+    print('[CRM/M8] lijecnicki router loaded')
+except Exception as e:
+    print(f'[CRM/M8] lijecnicki router fail: {e}')
+
+try:
+    from obrasci_router import router as obrasci_router
+    app.include_router(obrasci_router)
+    print('[CRM/M9] obrasci router loaded')
+except Exception as e:
+    print(f'[CRM/M9] obrasci router fail: {e}')
+
+try:
+    from clan_panel_router import router as clan_panel_router
+    app.include_router(clan_panel_router)
+    print('[CRM/PANEL] clan_panel router loaded (/api/crm/clanovi/{id}/full|avatar)')
+except Exception as e:
+    print(f'[CRM/PANEL] clan_panel router fail: {e}')
+
+try:
+    from crm_extras_router import router as crm_extras_router
+    app.include_router(crm_extras_router)
+    print('[CRM/R5] extras router loaded (bulk + xlsx + stats + notifications)')
+except Exception as e:
+    print(f'[CRM/R5] extras router fail: {e}')
+
+# === Round 3 / CC2 — M1 Auth + M2 Admin Users + M10 GDPR ===
+try:
+    from auth.auth_v2 import router as auth_v2_router
+    app.include_router(auth_v2_router)
+    print('[AUTH/M1] auth_v2 router loaded (/api/auth/*)')
+except Exception as e:
+    print(f'[AUTH/M1] auth_v2 router fail: {e}')
+
+try:
+    from auth.admin_users import router as admin_users_router
+    app.include_router(admin_users_router)
+    print('[AUTH/M2] admin_users router loaded (/api/admin/users/*)')
+except Exception as e:
+    print(f'[AUTH/M2] admin_users router fail: {e}')
+
+try:
+    from auth.gdpr import router as gdpr_router, admin_router as gdpr_admin_router, me_router as gdpr_me_router
+    app.include_router(gdpr_router)
+    app.include_router(gdpr_admin_router)
+    app.include_router(gdpr_me_router)
+    print('[AUTH/M10] gdpr routers loaded (/api/gdpr/*, /api/admin/gdpr/*, /api/users/me/gdpr-*)')
+except Exception as e:
+    print(f'[AUTH/M10] gdpr routers fail: {e}')
+
+# === Round 3 / CC6 — M11 Blockchain audit (Polygon PoS sealing) ===
+try:
+    from audit_seal_router import router as audit_seal_router
+    app.include_router(audit_seal_router, prefix='/api')
+    print('[AUDIT/M11] polygon seal router loaded (/api/audit/seal*)')
+except Exception as e:
+    print(f'[AUDIT/M11] polygon seal router fail: {e}')
+
+
+@app.get("/sport-3d")
+@app.get("/3d")
+def serve_sport_3d():
+    p = HTML_DIR / "sport_3d.html"
+    if p.exists():
+        return FileResponse(p)
+    return {"error": "sport_3d.html not found"}
+
+@app.get("/admin")
+@app.get("/admin/")
+def serve_admin():
+    p = HTML_DIR / "admin.html"
+    if p.exists():
+        return FileResponse(p)
+    return {"error": "admin.html not found"}
+
+@app.get("/erp")
+@app.get("/erp/")
+@app.get("/app/erp")
+@app.get("/app/erp/")
+def serve_erp():
+    p = HTML_DIR / "erp.html"
+    if p.exists():
+        return FileResponse(p)
+    return {"error": "erp.html not found"}
+
+@app.get("/crm")
+@app.get("/crm/")
+def serve_crm():
+    p = HTML_DIR / "crm.html"
+    if p.exists():
+        return FileResponse(p)
+    return {"error": "crm.html not found"}
+
+@app.get("/login")
+@app.get("/login/")
+def serve_login():
+    p = HTML_DIR / "login.html"
+    if p.exists():
+        return FileResponse(p)
+    return {"error": "login.html not found"}
+
+@app.get("/admin/users")
+@app.get("/admin/users/")
+def serve_admin_users():
+    p = HTML_DIR / "admin_users.html"
+    if p.exists():
+        return FileResponse(p)
+    return {"error": "admin_users.html not found"}
+
+
+@app.get("/api/sportski-objekti")
+def list_sportski_objekti(q=None,tip=None,grad=None):
+    w=["aktivan=TRUE"]; p=[]
+    if q: w.append("(naziv ILIKE %s OR adresa ILIKE %s OR grad ILIKE %s)"); p+=["%"+q+"%"]*3
+    if tip: w.append("tip ILIKE %s"); p.append("%"+tip+"%")
+    if grad: w.append("grad ILIKE %s"); p.append("%"+grad+"%")
+    rows=fetch("SELECT * FROM pgz_sport.sportski_objekti WHERE "+" AND ".join(w)+" ORDER BY grad,naziv",p)
+    return {"count":len(rows),"rows":rows}
+
+@app.get("/api/clanovi-full")
+def list_clanovi_full(q=None,hoo=None,reprezentativac=None,klub_id=None,limit=80,authorization=None):
+    w=["aktivan=TRUE"]; p=[]
+    if q: w.append("(ime ILIKE %s OR prezime ILIKE %s OR klub_naziv_godisnjak ILIKE %s)"); p+=["%"+q+"%"]*3
+    if hoo: w.append("hoo_kategorija=%s"); p.append(hoo)
+    if reprezentativac is not None: w.append("reprezentativac="+(("TRUE") if str(reprezentativac).lower()=="true" else "FALSE"))
+    if klub_id: w.append("klub_id=%s"); p.append(int(klub_id))
+    lim=min(int(limit or 80),200)
+    sql="SELECT id,ime,prezime,oib,datum_rodenja,spol,sport,pozicija,reprezentativac,kategoriziran,stipendiran,kategorija_hoo,hoo_kategorija,aktivan,klub_naziv_godisnjak,slika_url,profile_url,hns_igrac_id,visina_cm,tezina_kg,broj_dresa,uloga,godisnjak_godine,godisnjak_prvi,godisnjak_zadnji,napomena FROM pgz_sport.clanovi WHERE "+" AND ".join(w)+" ORDER BY prezime,ime LIMIT "+str(lim)
+    rows=fetch(sql,p)
+    return {"count":len(rows),"rows":rows}
+
+@app.get("/api/gradovi")
+def list_gradovi():
+    rows=fetch("SELECT DISTINCT grad FROM pgz_sport.klubovi WHERE aktivan=TRUE AND grad IS NOT NULL AND grad<>'' AND grad NOT SIMILAR TO '[0-9]+%%' ORDER BY grad",[])
+    return [r["grad"] for r in rows]
+
+@app.get("/api/manifestacije-full")
+def list_manifestacije_full(q=None,razina=None):
+    w=["aktivna=TRUE"]; p=[]
+    if q: w.append("(naziv ILIKE %s OR mjesto ILIKE %s)"); p+=["%"+q+"%"]*2
+    rows=fetch("SELECT id,naziv,mjesto,organizator,razina,broj_ucesnika,godina_od,spol_kategorija,napomena,source_url FROM pgz_sport.manifestacije WHERE "+" AND ".join(w)+" ORDER BY naziv",p)
+    return {"count":len(rows),"rows":rows}
+
+
+
+# ── SUFINANCIRANJE-ALL  v1.0 dradulic@outlook.com 2026-05-04
+@app.get("/api/sufinanciranje")
+def list_sufinanciranje(q=None, godina=None, razina=None, sport=None, limit=500):
+    w=["iznos_eur > 0"]; p=[]
+    if q: w.append("(LOWER(korisnik) LIKE %s OR LOWER(sport) LIKE %s)"); p+=[f"%{q.lower()}%"]*2
+    if godina: w.append("godina=%s"); p.append(int(godina))
+    if razina: w.append("razina ILIKE %s"); p.append(f"%{razina}%")
+    if sport: w.append("sport ILIKE %s"); p.append(f"%{sport}%")
+    sql=f"SELECT korisnik,sport,iznos_eur,vrsta,razina,izvor,source_url,godina FROM pgz_sport.sufinanciranje_sport WHERE {' AND '.join(w)} ORDER BY iznos_eur DESC LIMIT {min(int(limit),1000)}"
+    rows=fetch(sql,p)
+    total=sum(float(r.get('iznos_eur') or 0) for r in rows)
+    years=sorted(set(r.get('godina') for r in rows if r.get('godina')),reverse=True)
+    return {"count":len(rows),"total":total,"years":years,"rows":rows}
+
+
+
+# ══════════════════════════════════════════════════════════════════
+# ERP PLATFORM ROUTES v2.0 — dradulic@outlook.com — 2026-05-04
+# ══════════════════════════════════════════════════════════════════
+
+import hashlib
+
+def hash_pwd(pwd): return hashlib.sha256(pwd.encode()).hexdigest()
+
+def get_user(token):
+    if not token: return None
+    try:
+        payload = _jwt.decode(token.replace("Bearer ",""), JWT_SECRET, algorithms=["HS256"])
+        uid = payload.get("uid")
+        if uid:
+            rows = fetch("SELECT * FROM pgz_sport.users WHERE id=%s AND aktivan=TRUE", [uid])
+            return rows[0] if rows else None
+        return payload
+    except: return None
+
+# ── AUTH: Email/Password login — handled by auth.auth_v2 router (M1) ──
+
+# ── SPORTAS FULL PROFILE ─────────────────────────────────────────
+@app.get("/api/sportas/{clan_id}/profil")
+def sportas_profil(clan_id: int):
+    clan = fetch("""SELECT c.*, k.naziv AS klub_naziv_full, k.sport AS klub_sport,
+        k.grad, k.logo_url FROM pgz_sport.clanovi c
+        LEFT JOIN pgz_sport.klubovi k ON k.id=c.klub_id WHERE c.id=%s""", [clan_id])
+    if not clan: raise HTTPException(404,"Nije pronađen")
+    c = clan[0]
+    sezona = fetch("""SELECT * FROM pgz_sport.clan_sezona WHERE clan_id=%s ORDER BY sezona DESC""", [clan_id])
+    utakmice = fetch("""SELECT * FROM pgz_sport.utakmice_log WHERE clan_id=%s ORDER BY datum DESC LIMIT 30""", [clan_id])
+    nagrade = fetch("SELECT * FROM pgz_sport.clan_nagrada WHERE clan_id=%s ORDER BY godina DESC", [clan_id])
+    godisnjaci = fetch("SELECT * FROM pgz_sport.clan_godisnjak WHERE clan_id=%s ORDER BY godina DESC", [clan_id])
+    stats = {}
+    if sezona:
+        stats = {"ukupno_nastupa": sum((r.get("nastupi") or 0) for r in sezona),
+                 "ukupno_pogodaka": sum((r.get("pogoci") or 0) for r in sezona),
+                 "ukupno_asistencija": sum((r.get("asistencije") or 0) for r in sezona),
+                 "ukupno_zutih": sum((r.get("zuti_kartoni") or 0) for r in sezona),
+                 "ukupno_crvenih": sum((r.get("crveni_kartoni") or 0) for r in sezona),
+                 "ukupno_minuta": sum((r.get("minute_total") or 0) for r in sezona),
+                 "sezone_aktivne": len(sezona)}
+    return {**c,"clan_sezona":sezona,"utakmice":utakmice,"nagrade":nagrade,
+            "godisnjaci":godisnjaci,"stats":stats}
+
+# ── SAVEZ FULL DETAIL ────────────────────────────────────────────
+@app.get("/api/savezi/{savez_id}/full")
+def savez_full(savez_id: int):
+    s = fetch("SELECT * FROM pgz_sport.savezi WHERE id=%s",[savez_id])
+    if not s: raise HTTPException(404,"Savez nije pronađen")
+    klubovi = fetch("""SELECT id,naziv,sport,grad,predsjednik,tajnik,nositelj_kvalitete,
+        aktivan,oib,razina,broj_clanova FROM pgz_sport.klubovi WHERE savez_id=%s AND aktivan=TRUE ORDER BY naziv""",[savez_id])
+    clanovi = fetch("""SELECT c.id,c.ime,c.prezime,c.sport,c.pozicija,c.kategorija,
+        c.reprezentativac,c.kategoriziran,c.slika_url,c.hoo_kategorija,c.klub_naziv_godisnjak,c.aktivan
+        FROM pgz_sport.clanovi c WHERE c.savez_kod=(SELECT kod FROM pgz_sport.savezi WHERE id=%s) LIMIT 200""",[savez_id])
+    if not clanovi:
+        clanovi = fetch("""SELECT c.id,c.ime,c.prezime,c.sport,c.pozicija,c.kategorija,
+            c.reprezentativac,c.kategoriziran,c.slika_url,c.hoo_kategorija,c.klub_naziv_godisnjak,c.aktivan
+            FROM pgz_sport.clanovi c WHERE c.aktivan=TRUE AND c.sport ILIKE %s LIMIT 200""",
+            [f'%{s[0].get("sport","") or ""}%'])
+    treneri = fetch("""SELECT * FROM pgz_sport.treneri WHERE savez_id=%s""",[savez_id])
+    return {**s[0],"klubovi":klubovi,"clanovi":clanovi[:100],"treneri":treneri}
+
+# ── KLUB ERP: CLANARINE ──────────────────────────────────────────
+@app.get("/api/klub/{klub_id}/clanarine")
+def klub_clanarine(klub_id: int, godina: int=None, status: str=None):
+    w=["c.klub_id=%s"]; p=[klub_id]
+    if godina: w.append("cl.godina=%s"); p.append(godina)
+    if status: w.append("cl.status=%s"); p.append(status)
+    rows = fetch(f"""SELECT cl.*,c.ime,c.prezime,c.oib,c.spol,c.kategorija,c.hoo_kategorija,c.slika_url
+        FROM pgz_sport.clanarine cl JOIN pgz_sport.clanovi c ON c.id=cl.clan_id
+        WHERE {" AND ".join(w)} ORDER BY cl.godina DESC, c.prezime""", p)
+    total_p = sum(float(r.get("iznos_placen") or 0) for r in rows)
+    total_d = sum(float(r.get("iznos_propisan") or 0) - float(r.get("iznos_placen") or 0) for r in rows)
+    return {"count":len(rows),"naplaceno":total_p,"dug":total_d,"rows":rows}
+
+# ── KLUB ERP: LIJECNICKI ─────────────────────────────────────────
+@app.get("/api/klub/{klub_id}/lijecnicki")
+def klub_lijecnicki(klub_id: int):
+    import datetime; today = datetime.date.today()
+    rows = fetch("""SELECT lp.*,c.ime,c.prezime,c.oib,c.kategorija,c.slika_url,
+        CASE WHEN lp.vrijedi_do IS NULL THEN 'nepoznato'
+             WHEN lp.vrijedi_do < CURRENT_DATE THEN 'istekao'
+             WHEN lp.vrijedi_do < CURRENT_DATE + 30 THEN 'uskoro_istece'
+             ELSE 'validan' END AS status_pregled
+        FROM pgz_sport.lijecnicki_pregledi lp JOIN pgz_sport.clanovi c ON c.id=lp.clan_id
+        WHERE c.klub_id=%s ORDER BY lp.vrijedi_do ASC NULLS LAST""", [klub_id])
+    alert_istekli = [r for r in rows if r.get("status_pregled")=="istekao"]
+    alert_uskoro  = [r for r in rows if r.get("status_pregled")=="uskoro_istece"]
+    return {"count":len(rows),"istekli":len(alert_istekli),"uskoro":len(alert_uskoro),"rows":rows}
+
+# ── NETWORK GRAPH DATA ───────────────────────────────────────────
+@app.get("/api/network/pgz")
+def network_pgz(q: str=None, entity_type: str=None, max_nodes: int=80):
+    FORENSIC_NAMES = {"SAMIR BARAĆ","MIROSLAV MARIĆ","VELIMIR LIVERIĆ","DOROTEA PESIC-BUKOVAC"}
+    nodes,edges,seen_nodes,seen_edges = [],[],set(),set()
+
+    def add_node(nid, label, ntype, meta=None):
+        if nid not in seen_nodes:
+            seen_nodes.add(nid)
+            nodes.append({"id":nid,"label":label,"type":ntype,"forensic":label.upper() in FORENSIC_NAMES,"meta":meta or {}})
+
+    def add_edge(s,t,rel=""):
+        k=f"{s}-{t}"
+        if k not in seen_edges:
+            seen_edges.add(k); edges.append({"source":s,"target":t,"rel":rel})
+
+    if q:
+        # Person search
+        persons = fetch("""SELECT p.id,p.name,p.function,e.name as ent,e.id as eid,e.entity_type,e.city
+            FROM civic.persons p JOIN civic.entities e ON e.id=p.entity_id
+            WHERE p.name ILIKE %s OR e.name ILIKE %s LIMIT 60""",[f"%{q}%",f"%{q}%"])
+        for r in persons:
+            pid=f"p_{r['id']}"; eid=f"e_{r['eid']}"
+            add_node(pid,r.get("name","?")[:30],"person")
+            add_node(eid,r.get("ent","?")[:30],"club" if "Udruga" in (r.get("entity_type") or "") else "company")
+            add_edge(pid,eid,r.get("function",""))
+    else:
+        # Default: top connected persons
+        rels = fetch("""SELECT p.id,p.name,e.id as eid,e.name as ent,e.entity_type,p.function
+            FROM civic.persons p JOIN civic.entities e ON e.id=p.entity_id
+            WHERE e.county ILIKE '%%goranska%%' OR e.county ILIKE '%%primorska%%'
+            ORDER BY p.id LIMIT %s""",[max_nodes])
+        for r in rels:
+            pid=f"p_{r['id']}"; eid=f"e_{r['eid']}"
+            add_node(pid,r.get("name","?")[:25],"person")
+            add_node(eid,r.get("ent","?")[:25],"club" if "Udruga" in (r.get("entity_type") or "") else "company",
+                     {"city":r.get("city"),"type":r.get("entity_type")})
+            add_edge(pid,eid,r.get("function",""))
+
+    return {"nodes":nodes[:200],"edges":edges[:400],"query":q}
+
+
+
+@app.get("/platform")
+@app.get("/platform/")
+def serve_platform():
+    p = HTML_DIR / "platform.html"
+    if p.exists(): return FileResponse(p)
+    return {"error": "platform.html not found"}
+
+
+@app.get("/app")
+@app.get("/app/")
+def serve_app():
+    p = HTML_DIR / "app.html"
+    return FileResponse(p) if p.exists() else {"error":"app.html not found"}
+
+@app.get("/audit")
+@app.get("/audit/")
+def serve_audit():
+    p = HTML_DIR / "audit.html"
+    return FileResponse(p) if p.exists() else {"error":"audit.html not found"}
+
+@app.get("/kpi")
+@app.get("/kpi/")
+def serve_kpi():
+    p = HTML_DIR / "kpi.html"
+    return FileResponse(p) if p.exists() else {"error":"kpi.html not found"}
+
+app.mount("/static", StaticFiles(directory=str(HTML_DIR)), name="static")
+
+# User-uploaded files (avatars, etc.) — served at /uploads/*
+import pathlib as _pl
+_UPLOAD_DIR = _pl.Path("/opt/pgz-sport/uploads")
+_UPLOAD_DIR.mkdir(parents=True, exist_ok=True)
+(_UPLOAD_DIR / "avatars").mkdir(parents=True, exist_ok=True)
+app.mount("/uploads", StaticFiles(directory=str(_UPLOAD_DIR)), name="uploads")
+
+@app.get("/")
+def root(request: Request):
+    host = request.headers.get("host", "")
+    if "sport.rinet.one" in host:
+        p = HTML_DIR / "sport2.html"
+        if p.exists():
+            return FileResponse(p)
+    idx = HTML_DIR / "index.html"
+    if idx.exists():
+        return FileResponse(idx)
+    return {"service": "PGŽ Sport", "version": "2.0"}
+
+@app.get("/v2")
+def portal_v2():
+    p = HTML_DIR / "sport2.html"
+    if p.exists():
+        return FileResponse(p)
+    return {"error": "sport2.html not found"}
+
+if __name__ == "__main__":
+    import uvicorn
+    uvicorn.run(app, host="0.0.0.0", port=8095)
diff --git a/_backups/sport2.html.cc3_pre_unified_sidebar.1777935999 b/_backups/sport2.html.cc3_pre_unified_sidebar.1777935999
new file mode 100644
index 0000000..29d27a0
--- /dev/null
+++ b/_backups/sport2.html.cc3_pre_unified_sidebar.1777935999
@@ -0,0 +1,2777 @@
+<!DOCTYPE html>
+<html lang="hr">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width,initial-scale=1.0">
+<title>PGŽ SPORT — Platforma</title>
+<link rel="preconnect" href="https://fonts.googleapis.com">
+<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
+<link href="https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600;700;800&family=JetBrains+Mono:wght@400;600&display=swap" rel="stylesheet">
+<script src="https://cdnjs.cloudflare.com/ajax/libs/Chart.js/4.4.1/chart.umd.min.js"></script>
+<script src="https://cdnjs.cloudflare.com/ajax/libs/d3/7.8.5/d3.min.js"></script>
+<script src="https://unpkg.com/three@0.160.0/build/three.min.js"></script>
+<script src="https://unpkg.com/3d-force-graph@1.73.0/dist/3d-force-graph.min.js"></script>
+<style>
+:root{
+  --pgz-blue:#003087; --pgz-blue2:#004CC4; --pgz-gold:#F4C430;
+  --bg0:#08090e; --bg1:#0d1021; --bg2:#111628; --bg3:#161d35; --bg4:#1c2542;
+  --rim:#1e2a50; --rim2:#283560;
+  --t0:#fff; --t1:#e2e6f0; --t2:#8a95b4; --t4:#4e5a7a;
+  --green:#00e88f; --red:#ff2d55; --amber:#f59e0b; --cyan:#00c8e8;
+  --font:'Inter',sans-serif; --mono:'JetBrains Mono',monospace;
+}
+*{box-sizing:border-box;margin:0;padding:0}
+html,body{height:100%}
+body{font-family:var(--font);background:var(--bg0);color:var(--t1);font-size:13px;overflow-x:hidden}
+a{color:var(--cyan);text-decoration:none}
+a:hover{color:var(--pgz-gold)}
+button,input,select{font-family:inherit;font-size:inherit;outline:none}
+::-webkit-scrollbar{width:8px;height:8px}
+::-webkit-scrollbar-track{background:var(--bg1)}
+::-webkit-scrollbar-thumb{background:var(--rim2);border-radius:4px}
+::-webkit-scrollbar-thumb:hover{background:var(--pgz-blue2)}
+
+.app{display:flex;min-height:100vh}
+.sb{width:240px;background:linear-gradient(180deg,var(--bg1) 0%,var(--bg0) 100%);border-right:1px solid var(--rim);position:fixed;top:0;left:0;bottom:0;display:flex;flex-direction:column;z-index:10;transition:width .22s ease}
+.sb-h{padding:18px 18px 14px;border-bottom:1px solid var(--rim);position:relative}
+.sb-h .logo{font-weight:800;font-size:14px;color:var(--t0);letter-spacing:.5px;white-space:nowrap;overflow:hidden}
+.sb-h .logo .g{color:var(--pgz-gold)}
+.sb-h .sub{font-size:10px;color:var(--t2);margin-top:4px;text-transform:uppercase;letter-spacing:1px;white-space:nowrap;overflow:hidden}
+.sb-toggle{position:absolute;top:14px;right:8px;width:22px;height:22px;display:flex;align-items:center;justify-content:center;cursor:pointer;color:var(--t2);background:var(--bg2);border:1px solid var(--rim);border-radius:4px;font-size:11px;font-weight:700;transition:all .15s;user-select:none}
+.sb-toggle:hover{background:var(--bg3);color:var(--pgz-gold);border-color:var(--pgz-gold)}
+.sb-nav{flex:1;padding:10px 8px;overflow-y:auto;overflow-x:hidden}
+.nav-i{padding:9px 12px;border-radius:6px;color:var(--t2);cursor:pointer;display:flex;align-items:center;gap:10px;font-size:12.5px;margin-bottom:2px;transition:background .15s,color .15s;white-space:nowrap}
+.nav-i:hover{background:var(--bg2);color:var(--t1)}
+.nav-i.active{background:linear-gradient(90deg,var(--pgz-blue) 0%,var(--pgz-blue2) 100%);color:#fff;font-weight:600}
+.nav-i .ic{width:18px;text-align:center;font-size:14px;flex-shrink:0}
+.nav-i .lbl{overflow:hidden;text-overflow:ellipsis}
+.sb-foot{padding:10px 14px;border-top:1px solid var(--rim);font-size:10px;color:var(--t4);white-space:nowrap;overflow:hidden}
+
+/* Collapsed sidebar */
+.sb.collapsed{width:58px}
+.sb.collapsed .sb-h{padding:18px 8px 14px;text-align:center}
+.sb.collapsed .sb-h .logo{font-size:0}
+.sb.collapsed .sb-h .logo::before{content:"PG";font-size:13px;color:var(--pgz-gold);font-weight:800}
+.sb.collapsed .sb-h .sub{display:none}
+.sb.collapsed .sb-toggle{position:static;margin:6px auto 0;display:flex}
+.sb.collapsed .nav-i{justify-content:center;padding:10px 6px}
+.sb.collapsed .nav-i .lbl{display:none}
+.sb.collapsed .nav-i{position:relative}
+.sb.collapsed .nav-i:hover::after{content:attr(data-label);position:absolute;left:58px;top:50%;transform:translateY(-50%);background:var(--bg3);color:var(--t0);padding:5px 10px;border-radius:4px;font-size:11.5px;white-space:nowrap;border:1px solid var(--rim);z-index:50;font-weight:600;pointer-events:none;box-shadow:2px 2px 8px rgba(0,0,0,.4)}
+.sb.collapsed .sb-foot{font-size:0;padding:8px}
+.sb.collapsed .sb-foot::before{content:"v2";font-size:9px;color:var(--t4)}
+
+.main{margin-left:240px;flex:1;min-width:0;transition:margin-left .22s ease}
+.sb.collapsed ~ .main{margin-left:58px}
+.tb{background:var(--bg1);border-bottom:1px solid var(--rim);padding:12px 22px;display:flex;align-items:center;justify-content:space-between;position:sticky;top:0;z-index:5}
+.tb-t{font-size:15px;font-weight:700;color:var(--t0)}
+.tb-s{font-size:11px;color:var(--t2)}
+.content{padding:22px}
+.section{display:none}
+.section.active{display:block}
+
+.kpi-grid{display:grid;grid-template-columns:repeat(auto-fit,minmax(180px,1fr));gap:14px;margin-bottom:22px}
+.kpi{background:linear-gradient(135deg,var(--bg2) 0%,var(--bg1) 100%);border:1px solid var(--rim);border-radius:8px;padding:14px 16px;position:relative;overflow:hidden}
+.kpi::before{content:"";position:absolute;top:0;left:0;width:3px;height:100%;background:var(--pgz-gold)}
+.kpi.b::before{background:var(--pgz-blue2)}
+.kpi.g::before{background:var(--green)}
+.kpi.r::before{background:var(--red)}
+.kpi-l{font-size:10.5px;color:var(--t2);text-transform:uppercase;letter-spacing:1px;font-weight:600}
+.kpi-v{font-size:24px;font-weight:800;color:var(--t0);margin-top:4px;font-family:var(--mono)}
+.kpi-s{font-size:10px;color:var(--t4);margin-top:2px}
+
+.card{background:var(--bg2);border:1px solid var(--rim);border-radius:8px;padding:14px;margin-bottom:14px}
+.card-h{display:flex;align-items:center;justify-content:space-between;margin-bottom:10px;padding-bottom:8px;border-bottom:1px solid var(--rim)}
+.card-t{font-weight:700;color:var(--t0);font-size:13px}
+
+.grid{display:grid;grid-template-columns:repeat(auto-fill,minmax(260px,1fr));gap:12px}
+.grid-club{display:grid;grid-template-columns:repeat(auto-fill,minmax(280px,1fr));gap:12px}
+.grid-player{display:grid;grid-template-columns:repeat(auto-fill,minmax(220px,1fr));gap:12px}
+
+.entity{background:var(--bg2);border:1px solid var(--rim);border-radius:8px;padding:12px;cursor:pointer;transition:all .2s;position:relative}
+.entity:hover{border-color:var(--pgz-gold);background:var(--bg3);transform:translateY(-1px)}
+.entity .et{font-weight:700;color:var(--t0);font-size:13px;margin-bottom:6px;line-height:1.3}
+.entity .es{font-size:11px;color:var(--t2);margin-bottom:6px}
+.entity .em{display:flex;gap:8px;font-size:10.5px;color:var(--t4);flex-wrap:wrap}
+.entity .em b{color:var(--pgz-gold);font-weight:700}
+.entity .et-tag{position:absolute;top:8px;right:8px;font-size:9px;padding:2px 6px;border-radius:3px;background:var(--pgz-blue);color:#fff;font-weight:600;text-transform:uppercase}
+
+.player-card{background:var(--bg2);border:1px solid var(--rim);border-radius:8px;overflow:hidden;cursor:pointer;transition:all .2s}
+.player-card:hover{border-color:var(--pgz-gold);transform:translateY(-1px)}
+.player-card .ph{height:120px;background:linear-gradient(135deg,var(--bg3),var(--bg2));position:relative;overflow:hidden;display:flex;align-items:center;justify-content:center}
+.player-card .ph img{width:100%;height:100%;object-fit:cover;object-position:top}
+.player-card .ph .no{font-size:36px;color:var(--t4);font-weight:800}
+.player-card .pb{padding:10px}
+.player-card .pn{font-weight:700;color:var(--t0);font-size:13px;line-height:1.2}
+.player-card .pp{font-size:11px;color:var(--t2);margin-top:3px}
+.player-card .pk{font-size:10.5px;color:var(--t4);margin-top:3px}
+.player-card .badges{display:flex;gap:4px;margin-top:6px;flex-wrap:wrap}
+.player-card .badge{font-size:9px;padding:2px 5px;border-radius:3px;background:var(--bg4);color:var(--t1);text-transform:uppercase;font-weight:600}
+.player-card .badge.repr{background:var(--pgz-gold);color:var(--bg0)}
+.player-card .badge.hoo{background:var(--pgz-blue2);color:#fff}
+
+table{width:100%;border-collapse:collapse;font-size:12px}
+table th{background:var(--bg3);color:var(--t2);text-transform:uppercase;font-size:10px;letter-spacing:.5px;padding:8px 10px;text-align:left;border-bottom:1px solid var(--rim);font-weight:700}
+table td{padding:8px 10px;border-bottom:1px solid var(--rim);color:var(--t1)}
+table tbody tr{cursor:pointer;transition:background .15s}
+table tbody tr:hover{background:var(--bg3)}
+table tbody tr.no-click{cursor:default}
+table tbody tr.no-click:hover{background:transparent}
+.num{font-family:var(--mono);text-align:right}
+
+.toolbar{display:flex;align-items:center;gap:10px;margin-bottom:14px;flex-wrap:wrap}
+.toolbar input,.toolbar select{background:var(--bg2);border:1px solid var(--rim);border-radius:5px;padding:7px 10px;color:var(--t1);font-size:12px}
+.toolbar input:focus,.toolbar select:focus{border-color:var(--pgz-blue2)}
+.toolbar input{min-width:200px}
+.toolbar label{font-size:11px;color:var(--t2);display:flex;align-items:center;gap:6px}
+.toolbar input[type=checkbox]{accent-color:var(--pgz-gold)}
+.btn{background:var(--bg2);border:1px solid var(--rim);border-radius:5px;padding:7px 12px;color:var(--t1);font-size:12px;cursor:pointer;font-weight:600;transition:all .15s}
+.btn:hover{background:var(--bg3);border-color:var(--rim2)}
+.btn.primary{background:linear-gradient(135deg,var(--pgz-blue),var(--pgz-blue2));border-color:transparent;color:#fff}
+.btn.primary:hover{filter:brightness(1.1)}
+
+.toggle{display:inline-flex;background:var(--bg2);border:1px solid var(--rim);border-radius:5px;overflow:hidden}
+.toggle button{background:transparent;border:0;padding:6px 12px;color:var(--t2);font-size:11px;font-weight:600;cursor:pointer}
+.toggle button.active{background:var(--pgz-blue);color:#fff}
+
+.tabs{display:flex;gap:4px;border-bottom:1px solid var(--rim);margin-bottom:14px;flex-wrap:wrap}
+.tab{padding:8px 14px;cursor:pointer;color:var(--t2);font-weight:600;font-size:12px;border-bottom:2px solid transparent;transition:all .15s}
+.tab:hover{color:var(--t1)}
+.tab.active{color:var(--pgz-gold);border-color:var(--pgz-gold)}
+
+.empty{text-align:center;padding:30px;color:var(--t4);font-size:12px;font-style:italic}
+.loading{padding:24px;text-align:center;color:var(--t2);font-size:12px}
+.loading::before{content:"";display:inline-block;width:12px;height:12px;border:2px solid var(--rim);border-top-color:var(--pgz-gold);border-radius:50%;animation:spin .8s linear infinite;margin-right:8px;vertical-align:middle}
+@keyframes spin{to{transform:rotate(360deg)}}
+
+.tag{display:inline-block;padding:2px 7px;font-size:10px;border-radius:3px;background:var(--bg4);color:var(--t1);font-weight:600;text-transform:uppercase;letter-spacing:.5px;margin-right:3px}
+a.tag,.tag[onclick]{cursor:pointer;text-decoration:none;transition:transform .12s,filter .12s}
+a.tag:hover,.tag[onclick]:hover{transform:translateY(-1px);filter:brightness(1.15)}
+.link-chip{color:var(--cyan);cursor:pointer;text-decoration:none;border-bottom:1px dashed transparent;transition:all .15s}
+.link-chip:hover{color:var(--pgz-gold);border-bottom-color:var(--pgz-gold)}
+.kv .v a{color:var(--cyan)}
+.kv .v a:hover{color:var(--pgz-gold)}
+.tag.b{background:var(--pgz-blue);color:#fff}
+.tag.gd{background:var(--pgz-gold);color:var(--bg0)}
+.tag.gr{background:var(--green);color:var(--bg0)}
+.tag.rd{background:var(--red);color:#fff}
+.tag.am{background:var(--amber);color:var(--bg0)}
+
+#panel{position:fixed;top:0;right:-620px;width:600px;max-width:96vw;height:100vh;background:var(--bg1);border-left:1px solid var(--rim);z-index:200;transition:right .25s ease;display:flex;flex-direction:column;box-shadow:-8px 0 30px rgba(0,0,0,.5)}
+#panel.open{right:0}
+#panel-hdr{padding:14px 16px;border-bottom:1px solid var(--rim);display:flex;align-items:center;justify-content:space-between;flex-shrink:0;background:var(--bg2)}
+#panel-hdr-t{font-size:14px;font-weight:700;color:var(--t0)}
+#panel-x{cursor:pointer;font-size:22px;color:var(--t4);width:30px;height:30px;display:flex;align-items:center;justify-content:center;border-radius:5px;transition:all .15s}
+#panel-x:hover{background:var(--bg3);color:var(--red)}
+#panel-body{flex:1;overflow-y:auto;padding:16px}
+#panel-overlay{display:none;position:fixed;inset:0;background:rgba(0,0,0,.5);z-index:199;backdrop-filter:blur(2px)}
+#panel-overlay.open{display:block}
+
+.pp-hdr{display:flex;gap:14px;align-items:flex-start;margin-bottom:14px;padding-bottom:14px;border-bottom:1px solid var(--rim)}
+.pp-foto{width:90px;height:110px;border-radius:6px;background:var(--bg3);overflow:hidden;flex-shrink:0;display:flex;align-items:center;justify-content:center}
+.pp-foto img{width:100%;height:100%;object-fit:cover;object-position:top}
+.pp-foto .no{font-size:32px;color:var(--t4);font-weight:800}
+.pp-info{flex:1;min-width:0}
+.pp-name{font-size:18px;font-weight:800;color:var(--t0);margin-bottom:4px}
+.pp-meta{font-size:12px;color:var(--t2);margin-bottom:6px}
+.pp-tags{display:flex;gap:4px;flex-wrap:wrap}
+.pp-stats{display:grid;grid-template-columns:repeat(6,1fr);gap:8px;margin-bottom:14px;padding:12px;background:var(--bg2);border:1px solid var(--rim);border-radius:6px}
+.pp-stat{text-align:center}
+.pp-stat .v{font-size:20px;font-weight:800;color:var(--pgz-gold);font-family:var(--mono)}
+.pp-stat .l{font-size:9px;color:var(--t4);text-transform:uppercase;letter-spacing:.5px;margin-top:2px;font-weight:600}
+
+.kv{display:grid;grid-template-columns:140px 1fr;gap:6px 12px;font-size:12px}
+.kv .k{color:var(--t2);font-weight:600}
+.kv .v{color:var(--t1);word-break:break-word}
+
+.utlogo{width:22px;height:22px;border-radius:50%;background:var(--bg3);object-fit:contain;vertical-align:middle;margin-right:6px}
+
+.score{display:inline-flex;align-items:center;gap:4px;padding:3px 8px;border-radius:4px;background:var(--bg3);font-size:11px;font-weight:600}
+.score.high{background:rgba(0,232,143,.15);color:var(--green)}
+.score.mid{background:rgba(245,158,11,.15);color:var(--amber)}
+.score.low{background:rgba(255,45,85,.15);color:var(--red)}
+
+.row-2{display:grid;grid-template-columns:1fr 1fr;gap:14px}
+@media (max-width:900px){.row-2{grid-template-columns:1fr}}
+
+.chart-box{background:var(--bg2);border:1px solid var(--rim);border-radius:8px;padding:14px;height:340px}
+.chart-box canvas{max-height:300px}
+
+.alert-card{padding:10px 12px;border-left:3px solid var(--amber);background:var(--bg2);border-radius:5px;margin-bottom:8px}
+.alert-card.crit{border-color:var(--red)}
+.alert-card .at{font-weight:700;font-size:12px;color:var(--t0)}
+.alert-card .ad{font-size:11px;color:var(--t2);margin-top:3px}
+
+.iframe-map{width:100%;height:140px;border:0;border-radius:5px;background:var(--bg3)}
+
+.ac-wrap{position:relative}
+.ac-drop{display:none;position:absolute;top:100%;left:0;right:0;min-width:240px;background:var(--bg2);border:1px solid var(--rim2);border-radius:5px;box-shadow:0 6px 20px rgba(0,0,0,.5);z-index:100;max-height:300px;overflow-y:auto;margin-top:4px}
+.ac-item{padding:8px 12px;cursor:pointer;border-bottom:1px solid var(--rim);transition:background .12s}
+.ac-item:last-child{border-bottom:0}
+.ac-item:hover{background:var(--bg3)}
+.ac-item .ac-l{font-weight:600;color:var(--t0);font-size:12.5px}
+.ac-item .ac-s{font-size:10.5px;color:var(--t2);margin-top:2px}
+.ac-empty{padding:12px;text-align:center;color:var(--t4);font-size:11px;font-style:italic}
+
+@media (max-width:768px){
+  .sb{transform:translateX(-100%);transition:transform .25s}
+  .sb.open{transform:translateX(0)}
+  .main{margin-left:0}
+  .pp-stats{grid-template-columns:repeat(3,1fr)}
+}
+</style>
+</head>
+<body>
+
+<div class="app">
+  <aside class="sb" id="sb">
+    <div class="sb-h">
+      <div class="logo">PGŽ <span class="g">SPORT</span></div>
+      <div class="sub">Primorsko-goranska županija</div>
+      <div class="sb-toggle" id="sb-toggle" onclick="toggleSidebar()" title="Skupi/raširi sidebar">≡</div>
+    </div>
+    <nav class="sb-nav" id="nav"></nav>
+    <div class="sb-foot">v2.0 · 2026</div>
+  </aside>
+
+  <main class="main">
+    <div class="tb">
+      <div>
+        <div class="tb-t" id="tb-t">Dashboard</div>
+        <div class="tb-s" id="tb-s">Pregled stanja</div>
+      </div>
+      <div class="tb-s">
+        <span style="color:var(--green)">●</span> API live · sport.rinet.one
+      </div>
+    </div>
+
+    <div class="content">
+      <section id="pg-dashboard" class="section active"></section>
+      <section id="pg-savezi" class="section"></section>
+      <section id="pg-klubovi" class="section"></section>
+      <section id="pg-sportasi" class="section"></section>
+      <section id="pg-financije" class="section"></section>
+      <section id="pg-objekti" class="section"></section>
+      <section id="pg-manifestacije" class="section"></section>
+      <section id="pg-mreza" class="section"></section>
+      <section id="pg-forenzika" class="section"></section>
+      <section id="pg-audit" class="section"></section>
+    </div>
+  </main>
+</div>
+
+<div id="panel-overlay" onclick="closePanel()"></div>
+<div id="panel">
+  <div id="panel-hdr">
+    <div id="panel-hdr-t">Detalji</div>
+    <div id="panel-x" onclick="closePanel()">×</div>
+  </div>
+  <div id="panel-body"></div>
+</div>
+
+<script>
+//=========== CONFIG ===========
+const API = '/sport/api';
+const NAV_ITEMS = [
+  {id:'dashboard', ic:'\u{1F4CA}', label:'Dashboard'},
+  {id:'savezi',    ic:'\u{1F3C5}', label:'Savezi'},
+  {id:'klubovi',   ic:'⬢',    label:'Klubovi'},
+  {id:'sportasi',  ic:'\u{1F464}', label:'Sportaši'},
+  {id:'financije', ic:'€',    label:'Financije'},
+  {id:'objekti',   ic:'\u{1F4CD}', label:'Objekti'},
+  {id:'manifestacije', ic:'\u{1F4C5}', label:'Manifestacije'},
+  {id:'mreza',     ic:'\u{1F578}', label:'Mreža'},
+  {id:'forenzika', ic:'⚠',    label:'Forenzika'},
+  {id:'audit',     ic:'\u{1F512}', label:'Audit log'}
+];
+const SECTION_TITLES = {
+  dashboard: ['Dashboard', 'Pregled stanja PGŽ Sporta'],
+  savezi:    ['Savezi', '246 sportskih saveza'],
+  klubovi:   ['Klubovi', 'Sportski klubovi PGŽ'],
+  sportasi:  ['Sportaši', 'Registrirani članovi'],
+  financije: ['Financije', 'Sufinanciranje sporta'],
+  objekti:   ['Sportski objekti', 'Geocodirana infrastruktura'],
+  manifestacije: ['Manifestacije', 'Sportski događaji'],
+  mreza: ['Mreža', 'Force-directed graf entiteta i veza'],
+  forenzika: ['Forenzika', 'Kritični nalazi i alarmi'],
+  audit:     ['Audit log', 'Polygon PoS pečaćenje ključnih akcija']
+};
+
+const _cache = {savezi:null, klubovi:null, clanovi:null, objekti:null, manifestacije:null, sufin:null, dash:null};
+const _state = {section:'dashboard', viewSavezi:'card', viewKlubovi:'card', viewSportasi:'card', viewObjekti:'card', viewManif:'card', viewFinancije:'table'};
+const _sort = {savezi:null, klubovi:null, sportasi:null, objekti:null, manifestacije:null, financije:null};
+let _proracunChart=null, _financijeChart=null;
+
+//=========== UTIL ===========
+const $ = s => document.querySelector(s);
+const $$ = s => Array.from(document.querySelectorAll(s));
+function esc(s){
+  if(s===null||s===undefined) return '';
+  return String(s).replace(/[&<>"']/g, c => ({'&':'&amp;','<':'&lt;','>':'&gt;','"':'&quot;',"'":'&#39;'}[c]));
+}
+function fmtNum(n){
+  if(n===null||n===undefined||n==='') return '—';
+  const v = Number(n);
+  if(isNaN(v)) return esc(n);
+  return v.toLocaleString('hr-HR');
+}
+function fmtEur(n){
+  if(n===null||n===undefined||n==='') return '—';
+  const v = Number(n);
+  if(isNaN(v)) return esc(n);
+  if(v>=1000000) return '€'+(v/1000000).toFixed(2)+'M';
+  if(v>=1000) return '€'+(v/1000).toFixed(1)+'k';
+  return '€'+v.toFixed(0);
+}
+function fmtEurFull(n){
+  if(n===null||n===undefined||n==='') return '—';
+  const v = Number(n);
+  if(isNaN(v)) return esc(n);
+  return v.toLocaleString('hr-HR', {minimumFractionDigits:2, maximumFractionDigits:2})+' €';
+}
+function fmtDate(s){
+  if(!s) return '—';
+  const m = String(s).match(/^(\d{4})-(\d{2})-(\d{2})/);
+  if(!m) return esc(s);
+  return m[3]+'.'+m[2]+'.'+m[1];
+}
+function txt(v, fb){
+  if(v===null||v===undefined||v==='') return fb===undefined?'—':fb;
+  return esc(v);
+}
+async function api(path){
+  try{
+    const r = await fetch(API+path);
+    if(!r.ok) throw new Error('HTTP '+r.status);
+    return await r.json();
+  }catch(e){
+    console.error('API error', path, e);
+    return null;
+  }
+}
+async function apiPost(path, body){
+  try{
+    const r = await fetch(API+path, {method:'POST', headers:{'Content-Type':'application/json'}, body: body?JSON.stringify(body):'{}'});
+    if(!r.ok) throw new Error('HTTP '+r.status);
+    return await r.json();
+  }catch(e){
+    console.error('API POST error', path, e);
+    return null;
+  }
+}
+
+// Cache the latest preview so /apply can pass back the same sources
+window._enrichPreviews = window._enrichPreviews || {};
+
+async function enrichEntity(kind, id){
+  const targetId = 'enrich-out-'+kind+'-'+id;
+  const target = document.getElementById(targetId);
+  if(target) target.innerHTML = '<div class="loading">⏳ Obogaćivanje u tijeku — pretraživanje izvora…</div>';
+  const r = await apiPost('/v2/enrich/'+kind+'/'+id);
+  if(!r){ if(target) target.innerHTML = '<div class="empty">Greška pri obogaćivanju</div>'; return; }
+  window._enrichPreviews[kind+':'+id] = r;
+  const cov = r.coverage||0;
+  const covCls = cov>=70?'high':(cov>=40?'mid':'low');
+  const proposed = r.proposed || {};
+  const current  = r.current  || {};
+  const propKeys = Object.keys(proposed);
+  const lastEnr  = r.last_enriched_at
+    ? `<span class="tb-s" title="${esc(r.last_enriched_at)}">✓ Obogaćeno ${esc(String(r.last_enriched_at).slice(0,10))}</span>`
+    : '';
+
+  let diffHtml = '';
+  if(propKeys.length){
+    const rows = propKeys.map(k => {
+      const cv = current[k]; const pv = proposed[k];
+      const cvHtml = cv
+        ? '<span style="color:var(--t1)">'+esc(String(cv).slice(0,200))+'</span>'
+        : '<span class="tag rd">prazno</span>';
+      const pvHtml = '<span style="color:var(--ok)">'+esc(String(pv).slice(0,400))+'</span>';
+      return `<tr>
+        <td style="vertical-align:top;padding:6px 8px"><label style="display:flex;gap:6px;align-items:center;cursor:pointer">
+          <input type="checkbox" data-field="${esc(k)}" checked style="width:16px;height:16px"> <b style="font-family:monospace;font-size:12px">${esc(k)}</b>
+        </label></td>
+        <td style="vertical-align:top;padding:6px 8px;font-size:12px;max-width:240px">${cvHtml}</td>
+        <td style="vertical-align:top;padding:6px 8px;font-size:12px">${pvHtml}</td>
+      </tr>`;
+    }).join('');
+    diffHtml = `
+      <div style="margin:10px 0;border:1px solid var(--ln);border-radius:6px;overflow:hidden">
+        <div style="padding:8px 10px;background:var(--bg3);font-size:11px;color:var(--t4);text-transform:uppercase;letter-spacing:.5px">📋 Predložene izmjene (uncheck za preskočiti)</div>
+        <table style="width:100%;border-collapse:collapse;font-size:12px">
+          <thead><tr style="background:var(--bg2)"><th style="text-align:left;padding:6px 8px;width:160px">Polje</th><th style="text-align:left;padding:6px 8px;width:240px">Trenutno</th><th style="text-align:left;padding:6px 8px">Predloženo</th></tr></thead>
+          <tbody id="enrich-diff-${kind}-${id}">${rows}</tbody>
+        </table>
+        <div style="padding:8px 10px;background:var(--bg2);display:flex;gap:8px;justify-content:flex-end">
+          <button class="btn"        onclick="enrichSelectAll('${kind}',${id},true)">Označi sve</button>
+          <button class="btn"        onclick="enrichSelectAll('${kind}',${id},false)">Poništi sve</button>
+          <button class="btn primary" onclick="enrichApply('${kind}',${id})">💾 Spremi izmjene</button>
+        </div>
+      </div>`;
+  } else {
+    diffHtml = '<div class="empty" style="padding:14px">Nema novih predloženih dopuna iz vanjskih izvora.</div>';
+  }
+
+  const sourcesHtml = (r.sources||[]).map(s => `
+    <div style="padding:8px 10px;background:var(--bg3);border-left:3px solid var(--pgz-gold);border-radius:4px;margin-bottom:6px">
+      <div style="font-size:11px;color:var(--t4);text-transform:uppercase;letter-spacing:.5px">${esc(s.source||'')}</div>
+      ${s.title ? '<div style="font-weight:700;color:var(--t0);font-size:13px">'+esc(s.title)+'</div>' : ''}
+      ${s.extract ? '<div style="font-size:11.5px;color:var(--t1);line-height:1.5">'+esc(String(s.extract).slice(0,300))+'…</div>' : ''}
+      ${s.url ? '<div style="margin-top:4px"><a href="'+esc(s.url)+'" target="_blank" style="font-size:11px">↗ '+esc(String(s.url).slice(0,90))+'</a></div>' : ''}
+    </div>`).join('');
+
+  const html = `
+    <div style="display:flex;gap:8px;align-items:center;flex-wrap:wrap;margin-bottom:10px">
+      <span class="tag gr">🟢 OBOGAĆENO</span>
+      <span class="score ${covCls}">Coverage ${cov}%</span>
+      <span class="tb-s">${r.filled_fields}/${r.total_fields} polja popunjeno</span>
+      ${lastEnr}
+    </div>
+    ${diffHtml}
+    ${sourcesHtml ? `<div style="margin:10px 0">
+      <div style="font-size:11px;color:var(--t4);text-transform:uppercase;letter-spacing:.5px;margin-bottom:6px">🔗 Izvori</div>
+      ${sourcesHtml}
+    </div>` : ''}
+    <div>
+      <div style="font-size:11px;color:var(--t2);margin-bottom:6px">🔍 Istraži dalje:</div>
+      <div style="display:flex;flex-wrap:wrap;gap:6px">
+        ${(r.research_links||[]).map(l => '<a href="'+esc(l.url)+'" target="_blank" class="btn">'+l.icon+' '+esc(l.label)+'</a>').join('')}
+      </div>
+    </div>
+  `;
+  if(target) target.innerHTML = html;
+}
+
+function enrichSelectAll(kind, id, on){
+  const tbody = document.getElementById('enrich-diff-'+kind+'-'+id);
+  if(!tbody) return;
+  tbody.querySelectorAll('input[type=checkbox]').forEach(cb => { cb.checked = !!on; });
+}
+
+async function enrichApply(kind, id){
+  const target = document.getElementById('enrich-out-'+kind+'-'+id);
+  const tbody  = document.getElementById('enrich-diff-'+kind+'-'+id);
+  const preview = (window._enrichPreviews||{})[kind+':'+id];
+  if(!preview){ alert('Prvo pokreni "▶ Pokreni"'); return; }
+  const proposed = preview.proposed || {};
+  const fields = {};
+  if(tbody){
+    tbody.querySelectorAll('input[type=checkbox]:checked').forEach(cb => {
+      const f = cb.getAttribute('data-field');
+      if(f && proposed[f] !== undefined) fields[f] = proposed[f];
+    });
+  } else {
+    Object.assign(fields, proposed);
+  }
+  if(!Object.keys(fields).length){ alert('Označi barem jedno polje za primjenu.'); return; }
+  if(target) target.innerHTML = '<div class="loading">⏳ Spremam u bazu…</div>';
+  try{
+    const r = await fetch(API+'/v2/enrich/'+kind+'/'+id+'/apply', {
+      method:'POST',
+      headers:{'Content-Type':'application/json'},
+      body: JSON.stringify({fields, sources: preview.sources || []}),
+    });
+    const data = await r.json();
+    if(!r.ok){ throw new Error(data.detail || ('HTTP '+r.status)); }
+    // Refresh the entire detail panel so the new values render
+    if(kind === 'klub'    && typeof openKlub    === 'function') await openKlub(id);
+    else if(kind === 'savez'   && typeof openSavez   === 'function') await openSavez(id);
+    else if(kind === 'sportas' && typeof openSportas === 'function') await openSportas(id);
+    setTimeout(() => enrichEntity(kind, id), 350);
+    const cnt = Object.keys(data.applied||{}).length;
+    const t = document.createElement('div');
+    t.style.cssText = 'position:fixed;bottom:20px;right:20px;background:var(--ok,#1ec773);color:#0b1a16;padding:10px 16px;border-radius:6px;font-weight:700;z-index:9999;box-shadow:0 4px 16px rgba(0,0,0,.4)';
+    t.textContent = '✓ Spremljeno '+cnt+' polja u bazu';
+    document.body.appendChild(t);
+    setTimeout(()=>t.remove(), 3500);
+  }catch(e){
+    console.error(e);
+    if(target) target.innerHTML = '<div class="empty" style="color:var(--bad,#ff6b6b)">Greška pri spremanju: '+esc(e.message||String(e))+'</div>';
+  }
+}
+
+function enrichBlock(kind, id){
+  return `
+    <div class="card" id="enrich-card-${kind}-${id}">
+      <div class="card-h">
+        <div class="card-t">✨ Obogati podatke</div>
+        <button class="btn primary" onclick="enrichEntity('${kind}',${id})">▶ Pokreni</button>
+      </div>
+      <div id="enrich-out-${kind}-${id}">
+        <div class="empty" style="padding:14px">Klikom na "Pokreni" platforma će pretražiti vanjske izvore (Google, Wikipedia, službene web stranice) i prikazati dopune za ovu entitetsku karticu.</div>
+      </div>
+    </div>
+  `;
+}
+function sortRows(rows, key, dir){
+  if(!key) return rows;
+  const sorted = rows.slice();
+  sorted.sort((a,b) => {
+    let av = a[key], bv = b[key];
+    if(av==null && bv==null) return 0;
+    if(av==null) return 1;
+    if(bv==null) return -1;
+    const an = typeof av === 'number' ? av : Number(av);
+    const bn = typeof bv === 'number' ? bv : Number(bv);
+    if(!isNaN(an) && !isNaN(bn) && (typeof av === 'number' || /^[-+]?\d+(\.\d+)?$/.test(String(av)))){
+      return dir==='asc' ? (an-bn) : (bn-an);
+    }
+    const cmp = String(av).localeCompare(String(bv), 'hr', {numeric:true});
+    return dir==='asc' ? cmp : -cmp;
+  });
+  return sorted;
+}
+function setSort(section, key){
+  const cur = _sort[section];
+  if(cur && cur.key === key){
+    _sort[section] = {key, dir: cur.dir==='asc' ? 'desc' : 'asc'};
+  } else {
+    _sort[section] = {key, dir: 'asc'};
+  }
+  // Re-render
+  switch(section){
+    case 'savezi': return applySaveziFilter();
+    case 'klubovi': return applyKluboviFilter();
+    case 'sportasi': return applySportasiFilter();
+    case 'objekti': return applyObjektiFilter();
+    case 'manifestacije': return applyManifFilter();
+    case 'financije': return refreshFinancije();
+  }
+}
+function sortHeader(section, key, label, klass){
+  const s = _sort[section];
+  const isCur = s && s.key === key;
+  const arrow = isCur ? (s.dir==='asc' ? ' ▲' : ' ▼') : '';
+  const cls = (klass||'') + ' sortable';
+  return '<th class="'+cls+'" onclick="setSort(\''+section+'\',\''+key+'\')" style="cursor:pointer;user-select:none">'+esc(label)+'<span style="color:var(--pgz-gold);font-weight:700">'+arrow+'</span></th>';
+}
+function debounce(fn, ms){
+  let t;
+  return function(){
+    const args = arguments;
+    clearTimeout(t);
+    t = setTimeout(()=>fn.apply(null, args), ms);
+  };
+}
+
+//=========== PANEL ===========
+function openPanel(title, html){
+  const t = $('#panel-hdr-t');
+  if(t) t.textContent = title || 'Detalji';
+  const b = $('#panel-body');
+  if(b) b.innerHTML = html;
+  $('#panel').classList.add('open');
+  $('#panel-overlay').classList.add('open');
+}
+function closePanel(){
+  $('#panel').classList.remove('open');
+  $('#panel-overlay').classList.remove('open');
+}
+document.addEventListener('keydown', e => { if(e.key==='Escape') closePanel(); });
+
+//=========== NAVIGATION ===========
+function buildNav(){
+  const nav = $('#nav');
+  nav.innerHTML = NAV_ITEMS.map(n => '<div class="nav-i '+(n.id===_state.section?'active':'')+'" data-id="'+n.id+'" data-label="'+n.label+'" onclick="navTo(\''+n.id+'\')"><span class="ic">'+n.ic+'</span><span class="lbl">'+n.label+'</span></div>').join('');
+}
+function toggleSidebar(){
+  const sb = document.getElementById('sb');
+  const tg = document.getElementById('sb-toggle');
+  if(!sb) return;
+  const isCollapsed = sb.classList.toggle('collapsed');
+  if(tg) tg.textContent = '≡';
+  try { localStorage.setItem('sidebar-state', isCollapsed ? 'collapsed' : 'expanded'); } catch(e){}
+}
+function restoreSidebar(){
+  try {
+    const s = localStorage.getItem('sidebar-state');
+    if(s === 'collapsed'){
+      const sb = document.getElementById('sb');
+      const tg = document.getElementById('sb-toggle');
+      if(sb) sb.classList.add('collapsed');
+      if(tg) tg.textContent = '≡';
+    }
+  } catch(e){}
+}
+function navTo(id){
+  _state.section = id;
+  $$('.nav-i').forEach(el => el.classList.toggle('active', el.dataset.id===id));
+  $$('.section').forEach(el => el.classList.remove('active'));
+  const sec = $('#pg-'+id);
+  if(sec) sec.classList.add('active');
+  const t = SECTION_TITLES[id] || [id, ''];
+  $('#tb-t').textContent = t[0];
+  $('#tb-s').textContent = t[1];
+  loadSection(id);
+}
+function loadSection(id){
+  switch(id){
+    case 'dashboard':     return loadDash();
+    case 'savezi':        return loadSavezi();
+    case 'klubovi':       return loadKlubovi();
+    case 'sportasi':      return loadSportasi();
+    case 'financije':     return loadFinancije();
+    case 'objekti':       return loadObjekti();
+    case 'manifestacije': return loadManifestacije();
+    case 'mreza':         return loadMreza();
+    case 'forenzika':     return loadForenzika();
+    case 'audit':         return loadAudit();
+  }
+}
+
+//=========== AUDIT LOG (Polygon PoS) ===========
+async function loadAudit(){
+  const root = $('#pg-audit');
+  root.innerHTML = '<div class="loading">Učitavanje audit zapisa…</div>';
+  let r;
+  try{
+    const resp = await fetch(API+'/audit/seal/list?limit=100');
+    if(!resp.ok) throw new Error('HTTP '+resp.status);
+    r = await resp.json();
+  }catch(e){
+    root.innerHTML = '<div class="empty">Greška: '+esc(e.message||String(e))+'</div>';
+    return;
+  }
+  const wallet = r.wallet || '';
+  const live = r.live ? '<span class="tag gr">🟢 LIVE Polygon</span>' : '<span class="tag gd">⏳ Pending mode</span>';
+  const rows = (r.rows||[]).map(s => {
+    const tx = s.tx_hash || '';
+    const isPending = tx.startsWith('pending:');
+    const txCell = isPending
+      ? `<span class="tag gd" title="${esc(tx)}">PENDING</span><span class="tb-s" style="margin-left:6px;font-family:monospace">${esc(tx.slice(0,32))}…</span>`
+      : `<a href="${esc(s.polygonscan_url||'#')}" target="_blank" style="font-family:monospace;font-size:11px">${esc(tx.slice(0,18))}…${esc(tx.slice(-6))}</a>`;
+    const statusCls = s.status==='confirmed'?'gr':(s.status==='broadcast'?'gd':(s.status==='failed'?'rd':''));
+    return `<tr>
+      <td class="num" style="font-size:11px;color:var(--t3)">${s.id}</td>
+      <td style="font-size:11px;color:var(--t3)">${esc((s.created_at||'').replace('T',' ').slice(0,19))}</td>
+      <td><b>${esc(s.action)}</b></td>
+      <td style="font-size:11px">${esc(s.ref_type||'')} <span style="color:var(--t3)">${esc(s.ref_id||'')}</span></td>
+      <td style="font-family:monospace;font-size:10.5px;color:var(--t2)" title="${esc(s.data_hash||'')}">${esc((s.data_hash||'').slice(0,12))}…</td>
+      <td>${txCell}</td>
+      <td><span class="tag ${statusCls}">${esc(s.status||'')}</span></td>
+      <td style="font-size:11px">${esc(s.user_email||'')}</td>
+    </tr>`;
+  }).join('');
+  root.innerHTML = `
+    <div style="display:flex;gap:10px;align-items:center;flex-wrap:wrap;margin-bottom:14px">
+      <div class="card" style="flex:1;min-width:280px">
+        <div class="card-h"><div class="card-t">🔐 Polygon PoS Audit Sealing</div></div>
+        <div style="padding:12px;font-size:13px;color:var(--t1);line-height:1.6">
+          Ključne akcije (odobrenje sufinanciranja, isplata, validacija liječničkog pregleda, izmjena članstva)
+          pečate se 0-MATIC self-tx-om s SHA-256 hash-em payload-a u <code>data</code> polju.
+          Svaki zapis je nepromjenjiv i provjerljiv preko polygonscan.com.
+        </div>
+        <div style="padding:0 12px 12px;font-size:12px">
+          <div><b>Wallet:</b> <a href="https://polygonscan.com/address/${esc(wallet)}" target="_blank" style="font-family:monospace">${esc(wallet)}</a></div>
+          <div><b>Chain:</b> Polygon PoS (137)</div>
+          <div><b>Mode:</b> ${live}</div>
+        </div>
+      </div>
+      <div class="card" style="min-width:200px">
+        <div class="card-h"><div class="card-t">📊 Statistika</div></div>
+        <div style="padding:12px;font-size:14px">
+          <div><b>${r.count||0}</b> sealed zapisa</div>
+          <div style="color:var(--t3);font-size:12px;margin-top:4px">Najnoviji prikazani prvi</div>
+        </div>
+      </div>
+    </div>
+    ${rows ? `
+    <div class="card">
+      <div class="card-h"><div class="card-t">📜 Audit zapisi</div></div>
+      <div class="tbl-wrap"><table>
+        <thead><tr>
+          <th class="num">#</th><th>Vrijeme</th><th>Akcija</th><th>Referenca</th>
+          <th>SHA-256</th><th>Polygon TX</th><th>Status</th><th>Korisnik</th>
+        </tr></thead>
+        <tbody>${rows}</tbody>
+      </table></div>
+    </div>` : '<div class="empty">Nema audit zapisa.</div>'}
+  `;
+}
+
+//=========== DASHBOARD ===========
+async function loadDash(){
+  const root = $('#pg-dashboard');
+  root.innerHTML = '<div class="loading">Učitavanje dashboard podataka…</div>';
+  const d = await api('/dashboard');
+  if(!d){ root.innerHTML='<div class="empty">Greška pri dohvatu podataka</div>'; return; }
+  _cache.dash = d;
+  const proracun2026 = (d.proracun_trend||[]).filter(x=>x.godina===2026)[0];
+  const total2026 = proracun2026 ? proracun2026.ukupno : d.proracun_aktualni;
+
+  root.innerHTML = `
+    <div class="kpi-grid">
+      <div class="kpi"><div class="kpi-l">Saveza</div><div class="kpi-v">${fmtNum(d.aktivnih_saveza)}</div><div class="kpi-s">aktivnih</div></div>
+      <div class="kpi b"><div class="kpi-l">Klubova</div><div class="kpi-v">${fmtNum(d.aktivnih_klubova)}</div><div class="kpi-s">${d.nositelja_kvalitete||0} nositelja kvalitete</div></div>
+      <div class="kpi g"><div class="kpi-l">Sportaša</div><div class="kpi-v">${fmtNum(d.aktivnih_clanova)}</div><div class="kpi-s">${d.reprezentativaca||0} reprezentativaca</div></div>
+      <div class="kpi"><div class="kpi-l">Proračun ${proracun2026?proracun2026.godina:2026}</div><div class="kpi-v">${fmtEur(total2026)}</div><div class="kpi-s">javne potrebe u sportu</div></div>
+      <div class="kpi r"><div class="kpi-l">Kritičnih alarma</div><div class="kpi-v">${fmtNum(d.critical_alerts)}</div><div class="kpi-s">${d.warning_alerts||0} upozorenja</div></div>
+    </div>
+
+    <div class="row-2">
+      <div class="card">
+        <div class="card-h"><div class="card-t">📈 Proračun za sport po godinama</div><div class="tb-s">Klikni godinu za detalje (PDF dokumenti)</div></div>
+        <div class="chart-box"><canvas id="chProracun"></canvas></div>
+      </div>
+      <div class="card">
+        <div class="card-h"><div class="card-t">🏅 Top savezi po broju registriranih</div><div class="tb-s">Klikni za drill-down</div></div>
+        <div style="overflow-x:auto;max-height:340px;overflow-y:auto"><table>
+          <thead><tr><th>Savez</th><th class="num">Klubova</th><th class="num">Reg.</th><th class="num">Trenera</th><th class="num">Repr.</th></tr></thead>
+          <tbody>${(d.top_savezi||[]).slice(0,10).map(s => `
+            <tr onclick="openSavezByName('${esc(s.naziv).replace(/&#39;/g,"\\'")}')">
+              <td><b>${esc(s.naziv)}</b></td>
+              <td class="num">${fmtNum(s.klubova_clanica)}</td>
+              <td class="num">${fmtNum(s.registriranih)}</td>
+              <td class="num">${fmtNum(s.trenera)}</td>
+              <td class="num">${fmtNum(s.reprezentativaca)}</td>
+            </tr>`).join('')}</tbody>
+        </table></div>
+      </div>
+    </div>
+
+    <div class="card" style="margin-top:14px">
+      <div class="card-h">
+        <div class="card-t">💰 Najveći primatelji javnih potreba</div>
+        <div style="display:flex;gap:8px;align-items:center">
+          <select id="dash-god" onchange="refreshDashNositelji()" style="background:var(--bg2);border:1px solid var(--rim);border-radius:5px;padding:6px 10px;color:var(--t1);font-size:12px">
+            <option value="2026">2026</option>
+            <option value="2025" selected>2025</option>
+            <option value="2024">2024</option>
+          </select>
+          <span class="tb-s" id="dash-nos-cnt"></span>
+        </div>
+      </div>
+      <div id="dash-nos-out"><div class="loading">Učitavanje…</div></div>
+    </div>
+  `;
+  drawProracunChart(d.proracun_trend || []);
+  refreshDashNositelji();
+}
+
+async function refreshDashNositelji(){
+  const sel = $('#dash-god');
+  if(!sel) return;
+  const god = sel.value;
+  const out = $('#dash-nos-out');
+  out.innerHTML = '<div class="loading">Učitavanje primatelja '+god+'…</div>';
+  const d = await api('/v2/potpore/by-year?godina='+god);
+  if(!d){ out.innerHTML='<div class="empty">Greška pri dohvatu</div>'; return; }
+  const rows = (d.results || []).slice().sort((a,b)=>Number(b.iznos_eur||0)-Number(a.iznos_eur||0)).slice(0, 25);
+  $('#dash-nos-cnt').textContent = rows.length+' / '+(d.count||0)+' · ukupno '+fmtEur(d.total||0);
+  out.innerHTML = `<div style="overflow-x:auto"><table>
+    <thead><tr><th>#</th><th>Korisnik</th><th>Sport</th><th>Vrsta</th><th class="num">Iznos</th><th>PDF</th></tr></thead>
+    <tbody>${rows.map((r,i) => `
+      <tr onclick='openPrimateljDetail(${JSON.stringify(r).replace(/'/g,"&#39;")})'>
+        <td>${i+1}</td>
+        <td><b>${esc(r.korisnik)}</b></td>
+        <td>${txt(r.sport)}</td>
+        <td>${txt(r.vrsta)}</td>
+        <td class="num"><b>${fmtEurFull(r.iznos_eur)}</b></td>
+        <td>${r.source_url?'<a href="'+esc(r.source_url)+'" target="_blank" onclick="event.stopPropagation()">📄 PDF</a>':'—'}</td>
+      </tr>`).join('')}</tbody>
+  </table></div>`;
+}
+
+async function openSavezByName(name){
+  const list = _cache.savezi || (await api('/savezi?limit=250'))?.rows || [];
+  if(!_cache.savezi) _cache.savezi = list;
+  const target = list.find(s => s.naziv === name) || list.find(s => (s.naziv||'').toLowerCase() === name.toLowerCase());
+  if(target) return openSavez(target.id);
+  // Try fuzzy match by first two words
+  const prefix = name.split(' ').slice(0,2).join(' ').toLowerCase();
+  const fuzzy = list.find(s => (s.naziv||'').toLowerCase().includes(prefix));
+  if(fuzzy) return openSavez(fuzzy.id);
+  openPanel('Savez', '<div class="empty">Savez <b>'+esc(name)+'</b> nije pronađen u bazi.</div>');
+}
+
+async function openPrimateljDetail(r){
+  openPanel('Primatelj', '<div class="loading">Učitavanje detalja…</div>');
+  // Try to find matching klub by name
+  let klub = null;
+  if(_cache.klubovi){
+    const lower = (r.korisnik||'').toLowerCase();
+    klub = _cache.klubovi.find(k => (k.klub||'').toLowerCase() === lower);
+    if(!klub) klub = _cache.klubovi.find(k => (k.klub||'').toLowerCase().includes(lower) || lower.includes((k.klub||'').toLowerCase()));
+  }
+  if(klub){
+    return openKlub(klub.id);
+  }
+  // Fallback panel — show row data + PDF + same-year other primatelji from same source
+  const html = `
+    <div class="card-h" style="border:0;padding:0;margin-bottom:14px">
+      <div>
+        <div style="font-size:18px;font-weight:800;color:var(--t0)">${esc(r.korisnik)}</div>
+        <div style="font-size:12px;color:var(--t2);margin-top:4px">Primatelj proračuna ${r.godina}</div>
+      </div>
+    </div>
+    <div class="card">
+      <div class="card-h"><div class="card-t">📋 Detalji isplate</div></div>
+      <div class="kv">
+        <div class="k">Korisnik</div><div class="v">${esc(r.korisnik)}</div>
+        <div class="k">Sport</div><div class="v">${txt(r.sport)}</div>
+        <div class="k">Vrsta</div><div class="v">${txt(r.vrsta)}</div>
+        <div class="k">Iznos</div><div class="v"><b style="color:var(--pgz-gold);font-size:16px">${fmtEurFull(r.iznos_eur)}</b></div>
+        <div class="k">Godina</div><div class="v">${esc(r.godina)}</div>
+        <div class="k">Izvor</div><div class="v">${txt(r.izvor)}</div>
+        <div class="k">Napomena</div><div class="v">${txt(r.napomena)}</div>
+      </div>
+      ${r.source_url ? '<div style="margin-top:14px;text-align:center"><a href="'+esc(r.source_url)+'" target="_blank" class="btn primary" style="display:inline-block;text-decoration:none">📄 Otvori izvorni PDF dokument</a></div>' : '<div class="empty" style="margin-top:14px">PDF dokument nije dostupan za ovu stavku.</div>'}
+    </div>
+    <div class="card">
+      <div class="card-h"><div class="card-t">🔍 Klub nije povezan</div></div>
+      <div style="font-size:12px;color:var(--t2);line-height:1.5">
+        Korisnik <b>${esc(r.korisnik)}</b> nije automatski povezan s pojedinim klubom u bazi.
+        Provjeri klub ručno preko sekcije <a href="javascript:navTo('klubovi')">Klubovi</a> ili pretraži primatelja na izvornom dokumentu.
+      </div>
+    </div>
+  `;
+  openPanel('Primatelj · '+r.korisnik, html);
+}
+
+function drawProracunChart(trend){
+  const ctx = $('#chProracun');
+  if(!ctx) return;
+  if(_proracunChart){ _proracunChart.destroy(); _proracunChart=null; }
+  _proracunChart = new Chart(ctx, {
+    type:'bar',
+    data:{
+      labels: trend.map(x=>x.godina),
+      datasets:[{
+        label:'EUR',
+        data: trend.map(x=>x.ukupno),
+        backgroundColor: trend.map(x=> x.godina===2026 ? '#F4C430' : '#004CC4'),
+        borderRadius:4
+      }]
+    },
+    options:{
+      responsive:true, maintainAspectRatio:false,
+      plugins:{
+        legend:{display:false},
+        tooltip:{callbacks:{label:c => '€'+Number(c.parsed.y).toLocaleString('hr-HR')}}
+      },
+      scales:{
+        x:{ticks:{color:'#8a95b4'}, grid:{display:false}},
+        y:{ticks:{color:'#8a95b4', callback:v=>'€'+(v/1000)+'k'}, grid:{color:'#1e2a50'}}
+      },
+      onClick:(e, els) => {
+        if(els && els.length){
+          const i = els[0].index;
+          openProracunDrill(trend[i].godina, trend[i].ukupno);
+        }
+      }
+    }
+  });
+}
+
+async function openProracunDrill(godina, total){
+  openPanel('Proračun '+godina, '<div class="loading">Dohvaćanje primatelja…</div>');
+  const d = await api('/v2/potpore/by-year?godina='+godina);
+  if(!d){ openPanel('Proračun '+godina, '<div class="empty">Greška pri dohvatu</div>'); return; }
+  const rows = d.results || [];
+  const grandTotal = d.total || total || 0;
+  const html = `
+    <div class="kpi-grid" style="grid-template-columns:1fr 1fr">
+      <div class="kpi"><div class="kpi-l">Ukupno ${godina}</div><div class="kpi-v">${fmtEur(grandTotal)}</div></div>
+      <div class="kpi b"><div class="kpi-l">Primatelja</div><div class="kpi-v">${rows.length}</div></div>
+    </div>
+    <div style="overflow-x:auto"><table>
+      <thead><tr><th>#</th><th>Korisnik</th><th>Sport</th><th class="num">Iznos</th><th>PDF</th></tr></thead>
+      <tbody>
+        ${rows.map((r,i) => `
+          <tr class="no-click">
+            <td>${i+1}</td>
+            <td>${esc(r.korisnik)}</td>
+            <td>${txt(r.sport)}</td>
+            <td class="num"><b>${fmtEurFull(r.iznos_eur)}</b></td>
+            <td>${r.source_url ? '<a href="'+esc(r.source_url)+'" target="_blank">📄</a>' : '—'}</td>
+          </tr>`).join('')}
+      </tbody>
+    </table></div>
+  `;
+  openPanel('Primatelji proračuna · '+godina, html);
+}
+
+//=========== SAVEZI ===========
+async function loadSavezi(){
+  const root = $('#pg-savezi');
+  if(!_cache.savezi){
+    root.innerHTML = '<div class="loading">Učitavanje saveza…</div>';
+    const d = await api('/savezi?limit=250');
+    if(!d){ root.innerHTML='<div class="empty">Greška pri dohvatu</div>'; return; }
+    _cache.savezi = d.rows || [];
+  }
+  renderSaveziShell();
+  applySaveziFilter();
+}
+function renderSaveziShell(){
+  const root = $('#pg-savezi');
+  root.innerHTML = `
+    <div class="toolbar">
+      <input type="search" id="sav-q" placeholder="🔍 Pretraži savez…">
+      <select id="sav-pgz">
+        <option value="">Svi savezi</option>
+        <option value="1">Samo PGŽ relevantni</option>
+      </select>
+      <div class="toggle">
+        <button id="sav-card" class="${_state.viewSavezi==='card'?'active':''}" onclick="setSaveziView('card')">Kartice</button>
+        <button id="sav-table" class="${_state.viewSavezi==='table'?'active':''}" onclick="setSaveziView('table')">Tablica</button>
+      </div>
+      <span class="tb-s" id="sav-cnt"></span>
+    </div>
+    <div id="sav-out"></div>
+  `;
+  $('#sav-q').addEventListener('input', debounce(applySaveziFilter, 200));
+  $('#sav-pgz').addEventListener('change', applySaveziFilter);
+}
+function setSaveziView(v){
+  _state.viewSavezi = v;
+  $('#sav-card').classList.toggle('active', v==='card');
+  $('#sav-table').classList.toggle('active', v==='table');
+  applySaveziFilter();
+}
+function applySaveziFilter(){
+  const q = (($('#sav-q')?$('#sav-q').value:'') || '').toLowerCase().trim();
+  const pgz = $('#sav-pgz') ? $('#sav-pgz').value : '';
+  let rows = _cache.savezi || [];
+  if(q) rows = rows.filter(s => (s.naziv||'').toLowerCase().includes(q) || (s.sport||'').toLowerCase().includes(q));
+  if(pgz==='1') rows = rows.filter(s => s.pgz_relevant);
+  if(_sort.savezi) rows = sortRows(rows, _sort.savezi.key, _sort.savezi.dir);
+  $('#sav-cnt').textContent = rows.length+' saveza';
+  $('#sav-out').innerHTML = _state.viewSavezi==='card' ? renderSaveziGrid(rows) : renderSaveziTable(rows);
+}
+function renderSaveziGrid(rows){
+  if(!rows.length) return '<div class="empty">Nema rezultata</div>';
+  return '<div class="grid">'+rows.map(s => `
+    <div class="entity" onclick="openSavez(${s.id})">
+      ${s.pgz_relevant?'<div class="et-tag">PGŽ</div>':''}
+      <div class="et">${esc(s.naziv)}</div>
+      <div class="es">${txt(s.sport,'—')} · ${txt(s.predsjednik,'bez predsjednika')}</div>
+      <div class="em">
+        <span><b>${fmtNum(s.broj_klubova)}</b> klubova</span>
+        <span><b>${fmtNum(s.reg_2024)}</b> reg.</span>
+        <span><b>${fmtNum(s.treneri_2024)}</b> trenera</span>
+      </div>
+    </div>`).join('')+'</div>';
+}
+function renderSaveziTable(rows){
+  if(!rows.length) return '<div class="empty">Nema rezultata</div>';
+  return `<div class="card" style="padding:0;overflow-x:auto"><table>
+    <thead><tr>${sortHeader('savezi','naziv','Naziv','')}${sortHeader('savezi','sport','Sport','')}${sortHeader('savezi','predsjednik','Predsjednik','')}${sortHeader('savezi','email','Email','')}${sortHeader('savezi','broj_klubova','Klubova','num')}${sortHeader('savezi','reg_2024','Reg.','num')}${sortHeader('savezi','pgz_relevant','PGŽ','')}</tr></thead>
+    <tbody>${rows.map(s => `
+      <tr onclick="openSavez(${s.id})">
+        <td><b>${esc(s.naziv)}</b></td>
+        <td>${txt(s.sport)}</td>
+        <td>${txt(s.predsjednik)}</td>
+        <td>${s.email?'<span class="tag b">'+esc(s.email)+'</span>':'—'}</td>
+        <td class="num">${fmtNum(s.broj_klubova)}</td>
+        <td class="num">${fmtNum(s.reg_2024)}</td>
+        <td>${s.pgz_relevant?'<span class="tag gd">PGŽ</span>':'—'}</td>
+      </tr>`).join('')}</tbody>
+  </table></div>`;
+}
+
+async function openSavez(id){
+  openPanel('Savez', '<div class="loading">Učitavanje saveza…</div>');
+  const s = await api('/savezi/'+id);
+  if(!s || s.detail){
+    openPanel('Savez', '<div class="empty">Savez nije pronađen</div>');
+    return;
+  }
+  const ksearch = (s.naziv||'').split(' ').slice(0,2).join(' ');
+  const kr = await api('/klubovi?savez='+encodeURIComponent(ksearch)+'&limit=200');
+  const klubovi = (kr && kr.rows) ? kr.rows.filter(k => (k.savez||'').toLowerCase().includes(ksearch.toLowerCase())) : [];
+
+  const html = `
+    <div class="card-h" style="border:0;padding:0;margin-bottom:14px">
+      <div>
+        <div style="font-size:18px;font-weight:800;color:var(--t0)">${esc(s.naziv)}</div>
+        <div style="font-size:12px;color:var(--t2);margin-top:4px">${txt(s.sport,'—')} · ${s.region||'PGŽ'}</div>
+      </div>
+    </div>
+    <div class="kpi-grid" style="grid-template-columns:repeat(3,1fr);margin-bottom:14px">
+      <div class="kpi"><div class="kpi-l">Klubova</div><div class="kpi-v">${klubovi.length}</div></div>
+      <div class="kpi b"><div class="kpi-l">Godina osnutka</div><div class="kpi-v" style="font-size:18px">${txt(s.godina_osnutka)}</div></div>
+      <div class="kpi g"><div class="kpi-l">Status</div><div class="kpi-v" style="font-size:14px">${s.aktivan?'AKTIVAN':'NEAKTIVAN'}</div></div>
+    </div>
+
+    <div class="card">
+      <div class="card-h"><div class="card-t">📋 Osnovne informacije</div></div>
+      <div class="kv">
+        <div class="k">OIB</div><div class="v">${txt(s.oib)}</div>
+        <div class="k">Adresa</div><div class="v">${txt(s.adresa)}</div>
+        <div class="k">Predsjednik</div><div class="v">${txt(s.predsjednik)}</div>
+        <div class="k">Tajnik</div><div class="v">${txt(s.tajnik)}</div>
+        <div class="k">Email</div><div class="v">${s.email?'<a href="mailto:'+esc(s.email)+'">'+esc(s.email)+'</a>':'—'}</div>
+        <div class="k">Telefon</div><div class="v">${txt(s.telefon)}</div>
+        <div class="k">Web</div><div class="v">${s.web?'<a href="'+esc(s.web)+'" target="_blank">'+esc(s.web)+'</a>':'—'}</div>
+        <div class="k">IBAN</div><div class="v">${txt(s.iban)}</div>
+      </div>
+    </div>
+
+    <div class="card">
+      <div class="card-h"><div class="card-t">⬡ Klubovi članice (${klubovi.length})</div></div>
+      ${klubovi.length ? `<div style="overflow-x:auto;max-height:400px;overflow-y:auto"><table>
+        <thead><tr><th>Klub</th><th>Razina</th><th>Grad</th></tr></thead>
+        <tbody>${klubovi.slice(0,100).map(k => `
+          <tr onclick="closePanel();setTimeout(()=>openKlub(${k.id}),250)">
+            <td>${esc(k.klub||k.sport||'(bez naziva)')}${k.nositelj_kvalitete?' <span class="tag gd">N.K.</span>':''}</td>
+            <td>${txt(k.razina,'')}</td>
+            <td>${txt(k.grad)}</td>
+          </tr>`).join('')}
+        </tbody>
+      </table></div>` : '<div class="empty">Nema podataka o klubovima</div>'}
+    </div>
+
+    ${enrichBlock('savez', s.id)}
+  `;
+  openPanel('Savez · '+s.naziv, html);
+}
+
+//=========== KLUBOVI ===========
+async function loadKlubovi(){
+  const root = $('#pg-klubovi');
+  if(!_cache.klubovi){
+    root.innerHTML = '<div class="loading">Učitavanje klubova…</div>';
+    const d = await api('/klubovi?limit=500');
+    if(!d){ root.innerHTML='<div class="empty">Greška pri dohvatu</div>'; return; }
+    _cache.klubovi = d.rows || [];
+  }
+  renderKluboviShell();
+  applyKluboviFilter();
+}
+function renderKluboviShell(){
+  const root = $('#pg-klubovi');
+  const sports = Array.from(new Set((_cache.klubovi||[]).map(k=>k.sport).filter(Boolean))).sort().slice(0,80);
+  const grads = Array.from(new Set((_cache.klubovi||[]).map(k=>k.grad).filter(Boolean))).sort();
+  root.innerHTML = `
+    <div class="toolbar">
+      <input type="search" id="kl-q" placeholder="🔍 Pretraži klub…">
+      <select id="kl-sport"><option value="">Svi sportovi</option>${sports.map(s=>'<option value="'+esc(s)+'">'+esc(s)+'</option>').join('')}</select>
+      <select id="kl-grad"><option value="">Svi gradovi</option>${grads.map(g=>'<option value="'+esc(g)+'">'+esc(g)+'</option>').join('')}</select>
+      <label><input type="checkbox" id="kl-nk"> Nositelj kvalitete</label>
+      <div class="toggle">
+        <button id="kl-card" class="${_state.viewKlubovi==='card'?'active':''}" onclick="setKluboviView('card')">Kartice</button>
+        <button id="kl-table" class="${_state.viewKlubovi==='table'?'active':''}" onclick="setKluboviView('table')">Tablica</button>
+      </div>
+      <span class="tb-s" id="kl-cnt"></span>
+    </div>
+    <div id="kl-out"></div>
+  `;
+  $('#kl-q').addEventListener('input', debounce(applyKluboviFilter, 200));
+  $('#kl-sport').addEventListener('change', applyKluboviFilter);
+  $('#kl-grad').addEventListener('change', applyKluboviFilter);
+  $('#kl-nk').addEventListener('change', applyKluboviFilter);
+}
+function setKluboviView(v){
+  _state.viewKlubovi = v;
+  $('#kl-card').classList.toggle('active', v==='card');
+  $('#kl-table').classList.toggle('active', v==='table');
+  applyKluboviFilter();
+}
+function applyKluboviFilter(){
+  const q = (($('#kl-q')?$('#kl-q').value:'') || '').toLowerCase().trim();
+  const sport = $('#kl-sport') ? $('#kl-sport').value : '';
+  const grad = $('#kl-grad') ? $('#kl-grad').value : '';
+  const nk = $('#kl-nk') ? $('#kl-nk').checked : false;
+  let rows = _cache.klubovi || [];
+  if(q) rows = rows.filter(k => (k.klub||'').toLowerCase().includes(q) || (k.sport||'').toLowerCase().includes(q));
+  if(sport) rows = rows.filter(k => k.sport===sport);
+  if(grad) rows = rows.filter(k => k.grad===grad);
+  if(nk) rows = rows.filter(k => k.nositelj_kvalitete);
+  if(_sort.klubovi) rows = sortRows(rows, _sort.klubovi.key, _sort.klubovi.dir);
+  $('#kl-cnt').textContent = rows.length+' klubova';
+  const top = rows.slice(0, 300);
+  $('#kl-out').innerHTML = _state.viewKlubovi==='card' ? renderKluboviGrid(top) : renderKluboviTable(top);
+  if(rows.length>300){
+    $('#kl-out').insertAdjacentHTML('beforeend', '<div class="empty">… i još '+(rows.length-300)+' klubova. Suzite filtre.</div>');
+  }
+}
+function renderKluboviGrid(rows){
+  if(!rows.length) return '<div class="empty">Nema rezultata</div>';
+  return '<div class="grid-club">'+rows.map(k => `
+    <div class="entity" onclick="openKlub(${k.id})">
+      ${k.nositelj_kvalitete?'<div class="et-tag">N.K.</div>':''}
+      <div class="et">${esc(k.klub||k.sport||'(bez naziva)')}</div>
+      <div class="es">${txt(k.razina,'')} · ${txt(k.grad,'—')}</div>
+      <div class="em">
+        <span><b>${fmtNum(k.registriranih)}</b> reg.</span>
+        <span><b>${fmtNum(k.trenera)}</b> trenera</span>
+        <span><b>${fmtNum(k.reprezentativaca)}</b> repr.</span>
+      </div>
+    </div>`).join('')+'</div>';
+}
+function renderKluboviTable(rows){
+  if(!rows.length) return '<div class="empty">Nema rezultata</div>';
+  return `<div class="card" style="padding:0;overflow-x:auto"><table>
+    <thead><tr>${sortHeader('klubovi','klub','Klub','')}${sortHeader('klubovi','sport','Sport','')}${sortHeader('klubovi','razina','Razina','')}${sortHeader('klubovi','grad','Grad','')}${sortHeader('klubovi','registriranih','Reg.','num')}${sortHeader('klubovi','trenera','Trenera','num')}${sortHeader('klubovi','nositelj_kvalitete','Status','')}</tr></thead>
+    <tbody>${rows.map(k => `
+      <tr onclick="openKlub(${k.id})">
+        <td><b>${esc(k.klub||k.sport||'(bez naziva)')}</b></td>
+        <td>${txt(k.sport)}</td>
+        <td>${txt(k.razina)}</td>
+        <td>${txt(k.grad)}</td>
+        <td class="num">${fmtNum(k.registriranih)}</td>
+        <td class="num">${fmtNum(k.trenera)}</td>
+        <td>${k.nositelj_kvalitete?'<span class="tag gd">N.K.</span>':''}${k.aktivan?'<span class="tag gr">AKT</span>':'<span class="tag rd">NK</span>'}</td>
+      </tr>`).join('')}</tbody>
+  </table></div>`;
+}
+
+async function openKlub(id){
+  openPanel('Klub', '<div class="loading">Učitavanje kluba…</div>');
+  const k = await api('/klubovi/'+id);
+  if(!k || k.detail){
+    openPanel('Klub', '<div class="empty">Klub nije pronađen</div>');
+    return;
+  }
+  const stats = k.stats || {};
+  const clanovi = k.clanovi || [];
+  const potpore = k.potpore || [];
+  let scoreCount = 0;
+  if(k.oib) scoreCount++;
+  if(k.predsjednik) scoreCount++;
+  if(k.tajnik) scoreCount++;
+  if(k.email) scoreCount++;
+  if(k.web || k.web_stranica) scoreCount++;
+  if(k.sjediste || k.adresa) scoreCount++;
+  if(k.ciljevi) scoreCount++;
+  if(k.opis_djelatnosti) scoreCount++;
+  const scoreClass = scoreCount>=6?'high':(scoreCount>=4?'mid':'low');
+
+  const html = `
+    <div class="card-h" style="border:0;padding:0;margin-bottom:14px">
+      <div>
+        <div style="font-size:18px;font-weight:800;color:var(--t0)">${esc(k.naziv||'(bez naziva)')}</div>
+        <div style="font-size:12px;color:var(--t2);margin-top:4px">${txt(k.sport,'—')} · ${txt(k.razina,'')} · ${txt(k.grad,'')}</div>
+      </div>
+    </div>
+
+    <div class="kpi-grid" style="grid-template-columns:repeat(4,1fr);margin-bottom:14px">
+      <div class="kpi"><div class="kpi-l">Sportaša</div><div class="kpi-v">${fmtNum(stats.broj_clanova||clanovi.length)}</div></div>
+      <div class="kpi b"><div class="kpi-l">Registriranih</div><div class="kpi-v">${fmtNum(stats.broj_registriranih)}</div></div>
+      <div class="kpi g"><div class="kpi-l">Trenera</div><div class="kpi-v">${fmtNum(stats.broj_trenera)}</div></div>
+      <div class="kpi"><div class="kpi-l">Score baze</div><div class="kpi-v" style="font-size:18px"><span class="score ${scoreClass}">${scoreCount}/8</span></div></div>
+    </div>
+
+    <div class="tabs">
+      <div class="tab active" onclick="switchKlubTab(this,'k-info')">Info</div>
+      <div class="tab" onclick="switchKlubTab(this,'k-clan')">Sportaši (${clanovi.length})</div>
+      <div class="tab" onclick="switchKlubTab(this,'k-pot')">Potpore (${potpore.length})</div>
+    </div>
+
+    <div id="k-info" class="ktab">
+      <div class="kv">
+        <div class="k">Naziv</div><div class="v">${esc(k.naziv||'')}</div>
+        <div class="k">OIB</div><div class="v">${txt(k.oib)}</div>
+        <div class="k">Sport</div><div class="v">${txt(k.sport)}</div>
+        <div class="k">Razina</div><div class="v">${txt(k.razina)}</div>
+        <div class="k">Savez</div><div class="v">${txt(k.savez_naziv)}</div>
+        <div class="k">Predsjednik</div><div class="v">${txt(k.predsjednik)}</div>
+        <div class="k">Tajnik</div><div class="v">${txt(k.tajnik)}</div>
+        <div class="k">Trener</div><div class="v">${txt(k.trener_glavni)}</div>
+        <div class="k">Sjedište</div><div class="v">${txt(k.sjediste||k.adresa)}</div>
+        <div class="k">Grad</div><div class="v">${txt(k.grad)}</div>
+        <div class="k">Email</div><div class="v">${k.email?'<a href="mailto:'+esc(k.email)+'">'+esc(k.email)+'</a>':'—'}</div>
+        <div class="k">Telefon</div><div class="v">${txt(k.telefon)}</div>
+        <div class="k">Web</div><div class="v">${(k.web||k.web_stranica)?'<a href="'+esc(k.web||k.web_stranica)+'" target="_blank">'+esc(k.web||k.web_stranica)+'</a>':'—'}</div>
+        <div class="k">Osnovan</div><div class="v">${txt(k.godina_osnutka)}</div>
+        <div class="k">Nositelj kvalitete</div><div class="v">${k.nositelj_kvalitete?'<span class="tag gd">DA</span>':'<span class="tag">NE</span>'}</div>
+      </div>
+      ${k.napomena ? '<div class="card" style="margin-top:14px"><div class="card-t" style="margin-bottom:6px">Napomena</div><div style="font-size:12px;color:var(--t1);line-height:1.5">'+esc(k.napomena)+'</div></div>' : ''}
+    </div>
+
+    <div id="k-clan" class="ktab" style="display:none">
+      ${clanovi.length ? `<div style="overflow-x:auto;max-height:500px;overflow-y:auto"><table>
+        <thead><tr><th>Sportaš</th><th>Spol</th><th>Pozicija</th><th>Tagovi</th></tr></thead>
+        <tbody>${clanovi.map(c => `
+          <tr onclick="closePanel();setTimeout(()=>openSportas(${c.id}),250)">
+            <td><b>${esc(c.ime||'')} ${esc(c.prezime||'')}</b></td>
+            <td>${txt(c.spol)}</td>
+            <td>${txt(c.pozicija)}</td>
+            <td>${c.reprezentativac?'<span class="tag gd">REPR</span>':''}${c.kategoriziran?'<span class="tag b">KAT</span>':''}${c.stipendiran?'<span class="tag gr">STIP</span>':''}</td>
+          </tr>`).join('')}
+        </tbody>
+      </table></div>` : '<div class="empty">Nema podataka o sportašima</div>'}
+    </div>
+
+    <div id="k-pot" class="ktab" style="display:none">
+      ${potpore.length ? `<div style="overflow-x:auto"><table>
+        <thead><tr><th>Godina</th><th>Naziv</th><th class="num">Iznos</th></tr></thead>
+        <tbody>${potpore.map(p => `
+          <tr class="no-click">
+            <td>${esc(p.godina)}</td>
+            <td>${esc(p.naziv_kluba||'')}</td>
+            <td class="num"><b>${fmtEurFull(p.iznos)}</b></td>
+          </tr>`).join('')}
+        </tbody>
+      </table></div>` : '<div class="empty">Nema zabilježenih potpora</div>'}
+    </div>
+
+    ${enrichBlock('klub', k.id)}
+  `;
+  openPanel('Klub · '+(k.naziv||''), html);
+}
+function switchKlubTab(el, tabId){
+  const parent = el.parentElement;
+  parent.querySelectorAll('.tab').forEach(t=>t.classList.remove('active'));
+  el.classList.add('active');
+  parent.parentElement.querySelectorAll('.ktab').forEach(t=>t.style.display='none');
+  const target = document.getElementById(tabId);
+  if(target) target.style.display='block';
+}
+
+//=========== SPORTAŠI ===========
+async function loadSportasi(){
+  const root = $('#pg-sportasi');
+  if(!_cache.clanovi){
+    root.innerHTML = '<div class="loading">Učitavanje sportaša…</div>';
+    const d = await api('/clanovi-full?limit=500');
+    if(!d){ root.innerHTML='<div class="empty">Greška pri dohvatu</div>'; return; }
+    _cache.clanovi = d.rows || [];
+  }
+  renderSportasiShell();
+  applySportasiFilter();
+}
+function renderSportasiShell(){
+  const root = $('#pg-sportasi');
+  root.innerHTML = `
+    <div class="toolbar">
+      <input type="search" id="sp-q" placeholder="🔍 Ime ili prezime…">
+      <select id="sp-hoo">
+        <option value="">Sve HOO kategorije</option>
+        <option value="1">I. kategorija</option>
+        <option value="2">II. kategorija</option>
+        <option value="3">III. kategorija</option>
+        <option value="4">IV. kategorija</option>
+        <option value="5">V. kategorija</option>
+      </select>
+      <label><input type="checkbox" id="sp-rep"> Samo reprezentativci</label>
+      <label><input type="checkbox" id="sp-foto"> Samo s fotografijom</label>
+      <div class="toggle">
+        <button id="sp-card" class="${_state.viewSportasi==='card'?'active':''}" onclick="setSportasiView('card')">Kartice</button>
+        <button id="sp-table" class="${_state.viewSportasi==='table'?'active':''}" onclick="setSportasiView('table')">Tablica</button>
+      </div>
+      <span class="tb-s" id="sp-cnt"></span>
+      <button class="btn primary" onclick="openSportas(449)">⭐ Test: Josip Zec</button>
+    </div>
+    <div id="sp-out"></div>
+  `;
+  $('#sp-q').addEventListener('input', debounce(applySportasiFilter, 200));
+  $('#sp-hoo').addEventListener('change', applySportasiFilter);
+  $('#sp-rep').addEventListener('change', applySportasiFilter);
+  $('#sp-foto').addEventListener('change', applySportasiFilter);
+}
+function openOIB(oib){
+  const cleanOib = String(oib||'').replace(/[^0-9]/g,'');
+  const url = 'https://sudreg.pravosudje.hr/registar/oc/index.html#osnovniPodaci?o='+encodeURIComponent(cleanOib);
+  // Open external — sudreg supports OIB lookup
+  window.open(url, '_blank', 'noopener');
+}
+function filterKluboviByCity(grad){
+  closePanel();
+  navTo('klubovi');
+  setTimeout(() => {
+    const sel = $('#kl-grad');
+    if(sel){ sel.value = grad; applyKluboviFilter(); }
+  }, 100);
+}
+function filterKluboviBySport(sport){
+  closePanel();
+  navTo('klubovi');
+  setTimeout(() => {
+    const sel = $('#kl-sport');
+    if(sel){ sel.value = sport; applyKluboviFilter(); }
+  }, 100);
+}
+function filterObjektiByCity(grad){
+  closePanel();
+  navTo('objekti');
+  setTimeout(() => {
+    const sel = $('#ob-grad');
+    if(sel){ sel.value = grad; applyObjektiFilter(); }
+  }, 100);
+}
+function filterSportasiBy(field, value){
+  closePanel();
+  navTo('sportasi');
+  setTimeout(() => {
+    if(field === 'sport'){
+      // Use search box since there's no sport dropdown
+      const q = $('#sp-q'); if(q){ q.value = value; }
+    } else if(field === 'mjesto_rodjenja' || field === 'grad'){
+      const q = $('#sp-q'); if(q){ q.value = value; }
+    } else if(field === 'reprezentativac'){
+      const cb = $('#sp-rep'); if(cb){ cb.checked = !!value; }
+    } else if(field === 'hoo'){
+      const sel = $('#sp-hoo'); if(sel){ sel.value = String(value); }
+    } else if(field === 'aktivan'){
+      // Add to extra-filters slot if exists; else search by status string
+      _state.spExtraAktivan = value ? 'true' : 'false';
+    } else if(field === 'stipendiran'){
+      _state.spExtraStipendiran = !!value;
+    }
+    applySportasiFilter();
+  }, 100);
+}
+function filterSportasiByYear(year){
+  closePanel();
+  navTo('sportasi');
+  setTimeout(() => {
+    _state.spYear = String(year);
+    applySportasiFilter();
+  }, 100);
+}
+function clearSportasiExtras(){
+  _state.spExtraAktivan = '';
+  _state.spExtraStipendiran = false;
+  _state.spYear = '';
+}
+
+function setSportasiView(v){
+  _state.viewSportasi = v;
+  $('#sp-card').classList.toggle('active', v==='card');
+  $('#sp-table').classList.toggle('active', v==='table');
+  applySportasiFilter();
+}
+function applySportasiFilter(){
+  const q = (($('#sp-q')?$('#sp-q').value:'') || '').toLowerCase().trim();
+  const hoo = $('#sp-hoo') ? $('#sp-hoo').value : '';
+  const rep = $('#sp-rep') ? $('#sp-rep').checked : false;
+  const foto = $('#sp-foto') ? $('#sp-foto').checked : false;
+  let rows = _cache.clanovi || [];
+  if(q) rows = rows.filter(c => ((c.ime||'')+' '+(c.prezime||'')).toLowerCase().includes(q));
+  if(rep) rows = rows.filter(c => c.reprezentativac);
+  if(foto) rows = rows.filter(c => c.slika_url);
+  if(hoo) rows = rows.filter(c => String(c.hoo_kategorija||c.kategorija_hoo||'')===hoo);
+  if(_state.spYear){
+    rows = rows.filter(c => String(c.datum_rodenja||c.datum_rodjenja||'').slice(0,4) === _state.spYear);
+  }
+  if(_state.spExtraAktivan==='true') rows = rows.filter(c => c.aktivan);
+  if(_state.spExtraAktivan==='false') rows = rows.filter(c => !c.aktivan);
+  if(_state.spExtraStipendiran) rows = rows.filter(c => c.stipendiran);
+  if(_sort.sportasi) rows = sortRows(rows, _sort.sportasi.key, _sort.sportasi.dir);
+  $('#sp-cnt').textContent = rows.length+' sportaša';
+  const top = rows.slice(0, 300);
+  $('#sp-out').innerHTML = _state.viewSportasi==='card' ? renderSportasiGrid(top) : renderSportasiTable(top);
+  if(rows.length>300){
+    $('#sp-out').insertAdjacentHTML('beforeend', '<div class="empty">… i još '+(rows.length-300)+' sportaša. Suzite filtre.</div>');
+  }
+}
+function renderSportasiGrid(rows){
+  if(!rows.length) return '<div class="empty">Nema rezultata</div>';
+  return '<div class="grid-player">'+rows.map(c => buildPlayerCard(c)).join('')+'</div>';
+}
+function buildPlayerCard(c){
+  const initials = (((c.ime||'?')[0]||'?')+((c.prezime||'?')[0]||'?')).toUpperCase();
+  const photo = c.slika_url ? '<img src="'+esc(c.slika_url)+'" alt="" onerror="this.style.display=\'none\';if(this.parentElement)this.parentElement.innerHTML=\'<div class=\\\'no\\\'>'+initials+'</div>\'">' : '<div class="no">'+initials+'</div>';
+  const hooCat = c.hoo_kategorija || c.kategorija_hoo;
+  return `
+    <div class="player-card" onclick="openSportas(${c.id})">
+      <div class="ph">${photo}</div>
+      <div class="pb">
+        <div class="pn">${esc(c.ime||'')} ${esc(c.prezime||'')}</div>
+        <div class="pp">${txt(c.sport,'—')} · ${txt(c.pozicija,'')}</div>
+        <div class="pk">${txt(c.klub_naziv_godisnjak,'')}</div>
+        <div class="badges">
+          ${c.reprezentativac?'<span class="badge repr">REPR</span>':''}
+          ${hooCat?'<span class="badge hoo">HOO '+esc(hooCat)+'</span>':''}
+          ${c.stipendiran?'<span class="badge">STIP</span>':''}
+          ${c.broj_dresa?'<span class="badge">#'+esc(c.broj_dresa)+'</span>':''}
+        </div>
+      </div>
+    </div>`;
+}
+function renderSportasiTable(rows){
+  if(!rows.length) return '<div class="empty">Nema rezultata</div>';
+  return `<div class="card" style="padding:0;overflow-x:auto"><table>
+    <thead><tr>${sortHeader('sportasi','prezime','Prezime','')}${sortHeader('sportasi','ime','Ime','')}${sortHeader('sportasi','sport','Sport','')}${sortHeader('sportasi','pozicija','Pozicija','')}${sortHeader('sportasi','hoo_kategorija','HOO','')}${sortHeader('sportasi','reprezentativac','Repr.','')}${sortHeader('sportasi','slika_url','Foto','')}</tr></thead>
+    <tbody>${rows.map(c => `
+      <tr onclick="openSportas(${c.id})">
+        <td><b>${esc(c.prezime||'')}</b></td>
+        <td>${esc(c.ime||'')}</td>
+        <td>${txt(c.sport)}</td>
+        <td>${txt(c.pozicija)}</td>
+        <td>${(c.hoo_kategorija||c.kategorija_hoo)?'<span class="tag b">'+esc(c.hoo_kategorija||c.kategorija_hoo)+'</span>':'—'}</td>
+        <td>${c.reprezentativac?'<span class="tag gd">DA</span>':'—'}</td>
+        <td>${c.slika_url?'📸':'—'}</td>
+      </tr>`).join('')}</tbody>
+  </table></div>`;
+}
+
+async function openSportas(id){
+  openPanel('Sportaš', '<div class="loading">Učitavanje profila…</div>');
+  const d = await api('/sportas/'+id+'/profil');
+  if(!d || d.detail){
+    openPanel('Sportaš', '<div class="empty">Sportaš nije pronađen</div>');
+    return;
+  }
+  const stats = d.stats || {};
+  const sezone = d.clan_sezona || [];
+  const utakmice = d.utakmice || [];
+  const nagrade = d.nagrade || [];
+  const godisnjaci = d.godisnjak_godine || d.godisnjaci || [];
+  const initials = (((d.ime||'?')[0]||'?')+((d.prezime||'?')[0]||'?')).toUpperCase();
+  const photo = d.slika_url ? '<img src="'+esc(d.slika_url)+'" alt="" onerror="this.style.display=\'none\';if(this.parentElement)this.parentElement.innerHTML=\'<div class=\\\'no\\\'>'+initials+'</div>\'">' : '<div class="no">'+initials+'</div>';
+  const dob = d.datum_rodjenja || d.datum_rodenja;
+  const hooCat = d.hoo_kategorija || d.kategorija_hoo;
+
+  const html = `
+    <div class="pp-hdr">
+      <div class="pp-foto">${photo}</div>
+      <div class="pp-info">
+        <div class="pp-name">${esc(d.ime||'')} ${esc(d.prezime||'')}</div>
+        <div class="pp-meta">
+          ${d.sport?'<a class="link-chip" onclick="filterSportasiBy(&quot;sport&quot;,&quot;'+esc(d.sport)+'&quot;)">'+esc(d.sport)+'</a>':'—'} ·
+          ${txt(d.pozicija,'')} ·
+          ${d.klub_id ? '<a class="link-chip" onclick="closePanel();setTimeout(()=>openKlub('+d.klub_id+'),250)"><b>'+esc(d.klub_naziv_full||d.klub_naziv_godisnjak||'—')+'</b></a>' : '<b>'+esc(d.klub_naziv_full||d.klub_naziv_godisnjak||'—')+'</b>'}
+        </div>
+        <div class="pp-meta">
+          ${dob ? '<a class="link-chip" onclick="filterSportasiByYear(&quot;'+esc((dob||'').slice(0,4))+'&quot;)">📅 '+fmtDate(dob)+'</a>' : '📅 —'}
+          ${(d.mjesto_rodjenja||d.mjesto_rodenja)?' · <a class="link-chip" onclick="filterSportasiBy(&quot;mjesto_rodjenja&quot;,&quot;'+esc(d.mjesto_rodjenja||d.mjesto_rodenja)+'&quot;)">'+esc(d.mjesto_rodjenja||d.mjesto_rodenja)+'</a>':''}
+        </div>
+        <div class="pp-tags">
+          <a class="tag ${d.aktivan?'gr':'rd'}" onclick="filterSportasiBy('aktivan',${d.aktivan?'true':'false'})">${d.aktivan?'AKTIVAN':'NEAKTIVAN'}</a>
+          ${d.reprezentativac?'<a class="tag gd" onclick="filterSportasiBy(&quot;reprezentativac&quot;,true)">REPR</a>':''}
+          ${hooCat?'<a class="tag b" onclick="filterSportasiBy(&quot;hoo&quot;,&quot;'+esc(hooCat)+'&quot;)">HOO '+esc(hooCat)+'</a>':''}
+          ${d.broj_dresa?'<span class="tag">#'+esc(d.broj_dresa)+'</span>':''}
+          ${d.stipendiran?'<a class="tag am" onclick="filterSportasiBy(&quot;stipendiran&quot;,true)">STIP</a>':''}
+        </div>
+      </div>
+    </div>
+
+    <div class="pp-stats">
+      <div class="pp-stat"><div class="v">${fmtNum(stats.ukupno_nastupa||0)}</div><div class="l">Nastupi</div></div>
+      <div class="pp-stat"><div class="v">${fmtNum(stats.ukupno_pogodaka||0)}</div><div class="l">Golovi</div></div>
+      <div class="pp-stat"><div class="v">${fmtNum(stats.ukupno_asistencija||0)}</div><div class="l">Asist.</div></div>
+      <div class="pp-stat"><div class="v" style="color:var(--amber)">${fmtNum(stats.ukupno_zutih||0)}</div><div class="l">Žuti</div></div>
+      <div class="pp-stat"><div class="v" style="color:var(--red)">${fmtNum(stats.ukupno_crvenih||0)}</div><div class="l">Crveni</div></div>
+      <div class="pp-stat"><div class="v">${fmtNum(stats.sezone_aktivne||sezone.length)}</div><div class="l">Sezona</div></div>
+    </div>
+
+    <div class="tabs">
+      <div class="tab active" onclick="switchPlayerTab(this,'p-sez')">Sezone (${sezone.length})</div>
+      <div class="tab" onclick="switchPlayerTab(this,'p-utak')">Utakmice (${utakmice.length})</div>
+      <div class="tab" onclick="switchPlayerTab(this,'p-bio')">Bio</div>
+      <div class="tab" onclick="switchPlayerTab(this,'p-god')">Godišnjaci (${godisnjaci.length})</div>
+      <div class="tab" onclick="switchPlayerTab(this,'p-nag')">Nagrade (${nagrade.length})</div>
+    </div>
+
+    <div id="p-sez" class="ptab">
+      ${sezone.length ? `<div style="overflow-x:auto"><table>
+        <thead><tr><th>Sezona</th><th>Natjecanje</th><th>Klub</th><th class="num">Nas.</th><th class="num">Gol.</th><th class="num">Asis.</th><th class="num">Žuti</th><th class="num">Crv.</th><th></th></tr></thead>
+        <tbody>${sezone.map(s => `
+          <tr class="no-click">
+            <td><b>${esc(s.sezona||'')}</b></td>
+            <td>${esc(s.natjecanje||'')}</td>
+            <td>${esc(s.klub_naziv||'')}</td>
+            <td class="num">${fmtNum(s.nastupi)}</td>
+            <td class="num"><b style="color:var(--pgz-gold)">${fmtNum(s.pogoci)}</b></td>
+            <td class="num">${fmtNum(s.asistencije)}</td>
+            <td class="num">${fmtNum(s.zuti_kartoni)}</td>
+            <td class="num">${fmtNum(s.crveni_kartoni)}</td>
+            <td>${s.natjecanje_url?'<a href="'+esc(s.natjecanje_url)+'" target="_blank">↗</a>':''}</td>
+          </tr>`).join('')}
+        </tbody>
+      </table></div>` : '<div class="empty">Nema sezonskih podataka</div>'}
+    </div>
+
+    <div id="p-utak" class="ptab" style="display:none">
+      ${utakmice.length ? `<div style="overflow-x:auto;max-height:500px;overflow-y:auto"><table>
+        <thead><tr><th>Datum</th><th>Natjecanje</th><th colspan="3">Susret</th><th class="num">Gol.</th><th class="num">Min.</th><th></th></tr></thead>
+        <tbody>${utakmice.map(u => `
+          <tr class="no-click">
+            <td>${fmtDate(u.datum)}</td>
+            <td>${esc(u.natjecanje||'')}</td>
+            <td>${u.klub_dom_logo?'<img src="'+esc(u.klub_dom_logo)+'" class="utlogo" onerror="this.style.display=\'none\'">':''}${esc(u.klub_dom||'')}</td>
+            <td><b>${esc(u.rezultat||'-')}</b></td>
+            <td>${u.klub_gost_logo?'<img src="'+esc(u.klub_gost_logo)+'" class="utlogo" onerror="this.style.display=\'none\'">':''}${esc(u.klub_gost||'')}</td>
+            <td class="num"><b style="color:var(--pgz-gold)">${fmtNum(u.pogodaka)}</b></td>
+            <td class="num">${fmtNum(u.minute)}</td>
+            <td>${u.source_url?'<a href="'+esc(u.source_url)+'" target="_blank">↗</a>':''}</td>
+          </tr>`).join('')}
+        </tbody>
+      </table></div>` : '<div class="empty">Nema podataka o utakmicama</div>'}
+    </div>
+
+    <div id="p-bio" class="ptab" style="display:none">
+      <div class="kv">
+        <div class="k">OIB</div><div class="v">${d.oib?'<a class="link-chip" onclick="openOIB(&quot;'+esc(d.oib)+'&quot;)">'+esc(d.oib)+'</a>':'—'}</div>
+        <div class="k">Datum rođenja</div><div class="v">${fmtDate(dob)}</div>
+        <div class="k">Mjesto rođenja</div><div class="v">${txt(d.mjesto_rodjenja||d.mjesto_rodenja)}</div>
+        <div class="k">Spol</div><div class="v">${txt(d.spol)}</div>
+        <div class="k">Visina</div><div class="v">${d.visina_cm?d.visina_cm+' cm':'—'}</div>
+        <div class="k">Težina</div><div class="v">${d.tezina_kg?d.tezina_kg+' kg':'—'}</div>
+        <div class="k">Dom. noga</div><div class="v">${txt(d.dominantna_noga)}</div>
+        <div class="k">Status</div><div class="v">${d.aktivan?'AKTIVAN':'NEAKTIVAN'}</div>
+        <div class="k">Datum pristupa</div><div class="v">${fmtDate(d.datum_pristupa)}</div>
+        <div class="k">Email</div><div class="v">${d.email?'<a href="mailto:'+esc(d.email)+'">'+esc(d.email)+'</a>':'—'}</div>
+        <div class="k">Telefon</div><div class="v">${txt(d.telefon)}</div>
+        <div class="k">Profil</div><div class="v">${(d.profile_url||d.scrape_url)?'<a href="'+esc(d.profile_url||d.scrape_url)+'" target="_blank">↗ vanjski profil</a>':'—'}</div>
+      </div>
+      ${d.biografija ? '<div class="card" style="margin-top:14px"><div class="card-t">Biografija</div><div style="font-size:12px;line-height:1.5;color:var(--t1);margin-top:6px">'+esc(d.biografija)+'</div></div>' : ''}
+    </div>
+
+    <div id="p-god" class="ptab" style="display:none">
+      ${godisnjaci.length ? `<div class="kv">
+        <div class="k">Prvi godišnjak</div><div class="v">${esc(d.godisnjak_prvi||godisnjaci[0])}</div>
+        <div class="k">Zadnji godišnjak</div><div class="v">${esc(d.godisnjak_zadnji||godisnjaci[godisnjaci.length-1])}</div>
+        <div class="k">Sve godine</div><div class="v">${godisnjaci.map(g=>'<span class="tag b">'+esc(g)+'</span>').join(' ')}</div>
+      </div>` : '<div class="empty">Nema podataka o godišnjacima</div>'}
+    </div>
+
+    <div id="p-nag" class="ptab" style="display:none">
+      ${nagrade.length ? `<div style="overflow-x:auto"><table>
+        <thead><tr><th>Godina</th><th>Nagrada</th><th>Razina</th></tr></thead>
+        <tbody>${nagrade.map(n => `
+          <tr class="no-click">
+            <td>${esc(n.godina||'')}</td>
+            <td>${esc(n.naziv||n.nagrada||'')}</td>
+            <td>${esc(n.razina||'')}</td>
+          </tr>`).join('')}
+        </tbody>
+      </table></div>` : '<div class="empty">Nema zabilježenih nagrada</div>'}
+    </div>
+
+    ${enrichBlock('sportas', d.id)}
+  `;
+  openPanel('Sportaš · '+(d.ime||'')+' '+(d.prezime||''), html);
+}
+function switchPlayerTab(el, tabId){
+  const parent = el.parentElement;
+  parent.querySelectorAll('.tab').forEach(t=>t.classList.remove('active'));
+  el.classList.add('active');
+  parent.parentElement.querySelectorAll('.ptab').forEach(t=>t.style.display='none');
+  const target = document.getElementById(tabId);
+  if(target) target.style.display='block';
+}
+
+//=========== FINANCIJE ===========
+async function loadFinancije(){
+  const root = $('#pg-financije');
+  root.innerHTML = `
+    <div class="toolbar">
+      <select id="fi-god">
+        <option value="2026">2026</option>
+        <option value="2025">2025</option>
+        <option value="2024">2024</option>
+      </select>
+      <input type="search" id="fi-q" placeholder="🔍 Pretraži korisnika ili sport…">
+      <div class="toggle">
+        <button id="fi-card" class="${_state.viewFinancije==='card'?'active':''}" onclick="setFinancijeView('card')">Kartice</button>
+        <button id="fi-table-btn" class="${_state.viewFinancije==='table'?'active':''}" onclick="setFinancijeView('table')">Tablica</button>
+      </div>
+      <span class="tb-s" id="fi-cnt"></span>
+    </div>
+    <div id="fi-kpi"></div>
+    <div class="row-2" style="margin-top:14px">
+      <div class="card">
+        <div class="card-h"><div class="card-t">📊 Raspodjela po sportovima</div></div>
+        <div class="chart-box"><canvas id="chSport"></canvas></div>
+      </div>
+      <div class="card" id="fi-top"></div>
+    </div>
+    <div class="card" style="margin-top:14px">
+      <div class="card-h"><div class="card-t">📋 Svi primatelji</div></div>
+      <div id="fi-table"></div>
+    </div>
+  `;
+  $('#fi-god').addEventListener('change', refreshFinancije);
+  $('#fi-q').addEventListener('input', debounce(refreshFinancije, 200));
+  refreshFinancije();
+}
+async function refreshFinancije(){
+  const god = $('#fi-god').value;
+  const q = ($('#fi-q').value || '').toLowerCase().trim();
+  const [analytics, byyear] = await Promise.all([
+    api('/v2/analytics/proracun-sport?godina='+god),
+    api('/v2/potpore/by-year?godina='+god)
+  ]);
+  const total = (analytics && analytics.total) || (byyear && byyear.total) || 0;
+  const poSportu = (analytics && analytics.po_sportu) || [];
+  let rows = (byyear && byyear.results) || [];
+  if(q) rows = rows.filter(r => (r.korisnik||'').toLowerCase().includes(q) || (r.sport||'').toLowerCase().includes(q));
+
+  $('#fi-kpi').innerHTML = `
+    <div class="kpi-grid">
+      <div class="kpi"><div class="kpi-l">Ukupno ${god}</div><div class="kpi-v">${fmtEur(total)}</div></div>
+      <div class="kpi b"><div class="kpi-l">Primatelja</div><div class="kpi-v">${rows.length}</div></div>
+      <div class="kpi g"><div class="kpi-l">Sportova</div><div class="kpi-v">${poSportu.filter(x=>x.sport).length}</div></div>
+      <div class="kpi"><div class="kpi-l">Najveća stavka</div><div class="kpi-v" style="font-size:18px">${rows.length?fmtEur(Math.max.apply(null, rows.map(r=>Number(r.iznos_eur||0)))):'—'}</div></div>
+    </div>
+  `;
+  $('#fi-cnt').textContent = rows.length+' primatelja';
+
+  const top10 = rows.slice().sort((a,b)=>Number(b.iznos_eur||0)-Number(a.iznos_eur||0)).slice(0,10);
+  $('#fi-top').innerHTML = `
+    <div class="card-h"><div class="card-t">🏆 Top 10 primatelja</div></div>
+    <div style="overflow-x:auto;max-height:340px;overflow-y:auto"><table>
+      <thead><tr><th>#</th><th>Korisnik</th><th class="num">Iznos</th></tr></thead>
+      <tbody>${top10.map((r,i) => `
+        <tr class="no-click">
+          <td>${i+1}</td>
+          <td>${esc(r.korisnik)}</td>
+          <td class="num"><b>${fmtEur(r.iznos_eur)}</b></td>
+        </tr>`).join('')}</tbody>
+    </table></div>
+  `;
+
+  const sportData = poSportu.filter(x=>x.sport).slice(0, 12);
+  drawFinancijeChart(sportData);
+
+  let sortedRows = rows.slice();
+  if(_sort.financije) sortedRows = sortRows(sortedRows, _sort.financije.key, _sort.financije.dir);
+
+  if(_state.viewFinancije === 'card'){
+    $('#fi-table').innerHTML = '<div class="grid">'+sortedRows.map(r => `
+      <div class="entity" onclick='openPrimateljDetail(${JSON.stringify(r).replace(/'/g,"&#39;")})'>
+        ${r.source_url?'<div class="et-tag">📄 PDF</div>':''}
+        <div class="et">${esc(r.korisnik)}</div>
+        <div class="es">${txt(r.sport,'—')} · ${txt(r.vrsta,'')}</div>
+        <div class="em">
+          <span><b style="color:var(--pgz-gold)">${fmtEur(r.iznos_eur)}</b></span>
+          <span>${esc(r.godina||'')}</span>
+        </div>
+      </div>`).join('')+'</div>';
+  } else {
+    $('#fi-table').innerHTML = `<div style="overflow-x:auto"><table>
+      <thead><tr><th>#</th>${sortHeader('financije','korisnik','Korisnik','')}${sortHeader('financije','sport','Sport','')}${sortHeader('financije','vrsta','Vrsta','')}${sortHeader('financije','iznos_eur','Iznos','num')}${sortHeader('financije','izvor','Izvor','')}<th>PDF</th></tr></thead>
+      <tbody>${sortedRows.map((r,i) => `
+        <tr onclick='openPrimateljDetail(${JSON.stringify(r).replace(/'/g,"&#39;")})'>
+          <td>${i+1}</td>
+          <td><b>${esc(r.korisnik)}</b></td>
+          <td>${txt(r.sport)}</td>
+          <td>${txt(r.vrsta)}</td>
+          <td class="num"><b>${fmtEurFull(r.iznos_eur)}</b></td>
+          <td>${txt(r.izvor)}</td>
+          <td>${r.source_url?'<a href="'+esc(r.source_url)+'" target="_blank" onclick="event.stopPropagation()">📄</a>':'—'}</td>
+        </tr>`).join('')}
+      </tbody>
+    </table></div>`;
+  }
+}
+function setFinancijeView(v){
+  _state.viewFinancije = v;
+  const cb = $('#fi-card'), tb = $('#fi-table-btn');
+  if(cb) cb.classList.toggle('active', v==='card');
+  if(tb) tb.classList.toggle('active', v==='table');
+  refreshFinancije();
+}
+function drawFinancijeChart(data){
+  const ctx = $('#chSport');
+  if(!ctx) return;
+  if(_financijeChart){ _financijeChart.destroy(); _financijeChart=null; }
+  const colors = ['#003087','#004CC4','#F4C430','#00e88f','#00c8e8','#ff2d55','#f59e0b','#a855f7','#ec4899','#14b8a6','#84cc16','#f97316'];
+  _financijeChart = new Chart(ctx, {
+    type:'doughnut',
+    data:{
+      labels: data.map(x=>x.sport),
+      datasets:[{
+        data: data.map(x=>x.ukupno),
+        backgroundColor: colors.slice(0, data.length),
+        borderColor: '#0d1021',
+        borderWidth:2
+      }]
+    },
+    options:{
+      responsive:true, maintainAspectRatio:false,
+      plugins:{
+        legend:{position:'right', labels:{color:'#e2e6f0', font:{size:10}, boxWidth:10}},
+        tooltip:{callbacks:{label:c => c.label+': €'+Number(c.parsed).toLocaleString('hr-HR')}}
+      }
+    }
+  });
+}
+
+//=========== OBJEKTI ===========
+async function loadObjekti(){
+  const root = $('#pg-objekti');
+  if(!_cache.objekti){
+    root.innerHTML = '<div class="loading">Učitavanje objekata…</div>';
+    const d = await api('/sportski-objekti');
+    if(!d){ root.innerHTML='<div class="empty">Greška pri dohvatu</div>'; return; }
+    _cache.objekti = d.rows || (Array.isArray(d) ? d : []);
+  }
+  renderObjektiShell();
+  applyObjektiFilter();
+}
+function renderObjektiShell(){
+  const root = $('#pg-objekti');
+  const tipovi = Array.from(new Set((_cache.objekti||[]).map(o=>o.tip).filter(Boolean))).sort();
+  const grads = Array.from(new Set((_cache.objekti||[]).map(o=>o.grad).filter(Boolean))).sort();
+  root.innerHTML = `
+    <div class="toolbar">
+      <input type="search" id="ob-q" placeholder="🔍 Pretraži objekt…">
+      <select id="ob-tip"><option value="">Svi tipovi</option>${tipovi.map(t=>'<option value="'+esc(t)+'">'+esc(t)+'</option>').join('')}</select>
+      <select id="ob-grad"><option value="">Svi gradovi</option>${grads.map(g=>'<option value="'+esc(g)+'">'+esc(g)+'</option>').join('')}</select>
+      <label><input type="checkbox" id="ob-geo"> Samo s koordinatama</label>
+      <div class="toggle">
+        <button id="ob-card" class="${_state.viewObjekti==='card'?'active':''}" onclick="setObjektiView('card')">Kartice</button>
+        <button id="ob-table" class="${_state.viewObjekti==='table'?'active':''}" onclick="setObjektiView('table')">Tablica</button>
+      </div>
+      <span class="tb-s" id="ob-cnt"></span>
+    </div>
+    <div id="ob-out"></div>
+  `;
+  $('#ob-q').addEventListener('input', debounce(applyObjektiFilter, 200));
+  $('#ob-tip').addEventListener('change', applyObjektiFilter);
+  $('#ob-grad').addEventListener('change', applyObjektiFilter);
+  $('#ob-geo').addEventListener('change', applyObjektiFilter);
+}
+function setObjektiView(v){
+  _state.viewObjekti = v;
+  $('#ob-card').classList.toggle('active', v==='card');
+  $('#ob-table').classList.toggle('active', v==='table');
+  applyObjektiFilter();
+}
+function applyObjektiFilter(){
+  const q = (($('#ob-q')?$('#ob-q').value:'') || '').toLowerCase().trim();
+  const tip = $('#ob-tip') ? $('#ob-tip').value : '';
+  const grad = $('#ob-grad') ? $('#ob-grad').value : '';
+  const geo = $('#ob-geo') ? $('#ob-geo').checked : false;
+  let rows = _cache.objekti || [];
+  if(q) rows = rows.filter(o => (o.naziv||'').toLowerCase().includes(q) || (o.upravitelj||'').toLowerCase().includes(q));
+  if(tip) rows = rows.filter(o => o.tip===tip);
+  if(grad) rows = rows.filter(o => o.grad===grad);
+  if(geo) rows = rows.filter(o => o.lat && o.lng);
+  if(_sort.objekti) rows = sortRows(rows, _sort.objekti.key, _sort.objekti.dir);
+  $('#ob-cnt').textContent = rows.length+' objekata';
+  $('#ob-out').innerHTML = _state.viewObjekti==='card' ? renderObjektiGrid(rows) : renderObjektiTable(rows);
+}
+function renderObjektiGrid(rows){
+  if(!rows.length) return '<div class="empty">Nema rezultata</div>';
+  return '<div class="grid">'+rows.map(o => `
+    <div class="entity" onclick="openObjekt(${o.id})">
+      ${o.lat&&o.lng?'<div class="et-tag">📍 GEO</div>':''}
+      <div class="et">${esc(o.naziv)}</div>
+      <div class="es">${txt(o.tip,'—')} · ${txt(o.grad,'—')}</div>
+      <div class="em">
+        ${o.upravitelj?'<span>'+esc(o.upravitelj)+'</span>':''}
+        ${o.kapacitet?'<span><b>'+fmtNum(o.kapacitet)+'</b> mjesta</span>':''}
+        ${o.izgradeno?'<span>est. <b>'+esc(o.izgradeno)+'</b></span>':''}
+      </div>
+    </div>`).join('')+'</div>';
+}
+function renderObjektiTable(rows){
+  if(!rows.length) return '<div class="empty">Nema rezultata</div>';
+  return `<div class="card" style="padding:0;overflow-x:auto"><table>
+    <thead><tr>${sortHeader('objekti','naziv','Naziv','')}${sortHeader('objekti','tip','Tip','')}${sortHeader('objekti','grad','Grad','')}${sortHeader('objekti','upravitelj','Upravitelj','')}${sortHeader('objekti','izgradeno','Izgrađeno','num')}${sortHeader('objekti','lat','GPS','')}</tr></thead>
+    <tbody>${rows.map(o => `
+      <tr onclick="openObjekt(${o.id})">
+        <td><b>${esc(o.naziv)}</b></td>
+        <td>${txt(o.tip)}</td>
+        <td>${txt(o.grad)}</td>
+        <td>${txt(o.upravitelj)}</td>
+        <td class="num">${txt(o.izgradeno)}</td>
+        <td>${o.lat&&o.lng?'<span class="tag gr">📍</span>':'—'}</td>
+      </tr>`).join('')}</tbody>
+  </table></div>`;
+}
+function openObjekt(id){
+  const o = (_cache.objekti||[]).find(x => x.id===id);
+  if(!o){ openPanel('Objekt', '<div class="empty">Objekt nije pronađen</div>'); return; }
+  const mapUrl = (o.lat && o.lng) ? 'https://www.google.com/maps/search/?api=1&query='+o.lat+','+o.lng : null;
+  const embedUrl = (o.lat && o.lng) ? 'https://www.google.com/maps?q='+encodeURIComponent((o.naziv||'')+', '+(o.grad||'')+', PGŽ')+'&ll='+o.lat+','+o.lng+'&z=17&output=embed' : null;
+  const html = `
+    <div class="card-h" style="border:0;padding:0;margin-bottom:14px">
+      <div>
+        <div style="font-size:18px;font-weight:800;color:var(--t0)">${esc(o.naziv)}</div>
+        <div style="font-size:12px;color:var(--t2);margin-top:4px">${txt(o.tip,'—')} · ${txt(o.grad,'')}</div>
+      </div>
+    </div>
+    ${embedUrl?'<iframe class="iframe-map" style="height:240px" src="'+embedUrl+'" loading="lazy"></iframe>':''}
+    <div class="card" style="margin-top:14px">
+      <div class="card-h"><div class="card-t">📋 Detalji</div></div>
+      <div class="kv">
+        <div class="k">Tip</div><div class="v">${txt(o.tip)}</div>
+        <div class="k">Adresa</div><div class="v">${txt(o.adresa)}</div>
+        <div class="k">Grad</div><div class="v">${txt(o.grad)}</div>
+        <div class="k">Upravitelj</div><div class="v">${txt(o.upravitelj)}</div>
+        <div class="k">OIB</div><div class="v">${txt(o.upravitelj_oib)}</div>
+        <div class="k">Kapacitet</div><div class="v">${o.kapacitet?fmtNum(o.kapacitet)+' mjesta':'—'}</div>
+        <div class="k">Veličina</div><div class="v">${txt(o.veličina)}</div>
+        <div class="k">Sportovi</div><div class="v">${(o.sportovi||[]).map(s=>'<span class="tag b">'+esc(s)+'</span>').join(' ')||'—'}</div>
+        <div class="k">Izgrađeno</div><div class="v">${txt(o.izgradeno)}</div>
+        <div class="k">Obnovljeno</div><div class="v">${txt(o.obnovljeno_god)}</div>
+        <div class="k">Natkriven</div><div class="v">${o.natkrita?'DA':'NE'}</div>
+        <div class="k">Web</div><div class="v">${o.web?'<a href="'+esc(o.web)+'" target="_blank">'+esc(o.web)+'</a>':'—'}</div>
+        <div class="k">Koordinate</div><div class="v">${(o.lat&&o.lng)?'<a href="'+mapUrl+'" target="_blank">'+o.lat.toFixed(5)+', '+o.lng.toFixed(5)+' ↗</a>':'—'}</div>
+      </div>
+    </div>
+  `;
+  openPanel('Objekt · '+o.naziv, html);
+}
+
+//=========== MANIFESTACIJE ===========
+async function loadManifestacije(){
+  const root = $('#pg-manifestacije');
+  if(!_cache.manifestacije){
+    root.innerHTML = '<div class="loading">Učitavanje manifestacija…</div>';
+    const d = await api('/manifestacije-full');
+    if(!d){ root.innerHTML='<div class="empty">Greška pri dohvatu</div>'; return; }
+    _cache.manifestacije = d.rows || (Array.isArray(d) ? d : []);
+  }
+  renderManifShell();
+  applyManifFilter();
+}
+function renderManifShell(){
+  const root = $('#pg-manifestacije');
+  const razine = Array.from(new Set((_cache.manifestacije||[]).map(m=>m.razina).filter(Boolean))).sort();
+  root.innerHTML = `
+    <div class="toolbar">
+      <input type="search" id="mn-q" placeholder="🔍 Pretraži manifestaciju…">
+      <select id="mn-raz"><option value="">Sve razine</option>${razine.map(r=>'<option value="'+esc(r)+'">'+esc(r)+'</option>').join('')}</select>
+      <div class="toggle">
+        <button id="mn-card" class="${_state.viewManif==='card'?'active':''}" onclick="setManifView('card')">Kartice</button>
+        <button id="mn-table" class="${_state.viewManif==='table'?'active':''}" onclick="setManifView('table')">Tablica</button>
+      </div>
+      <span class="tb-s" id="mn-cnt"></span>
+    </div>
+    <div id="mn-out"></div>
+  `;
+  $('#mn-q').addEventListener('input', debounce(applyManifFilter, 200));
+  $('#mn-raz').addEventListener('change', applyManifFilter);
+}
+function setManifView(v){
+  _state.viewManif = v;
+  $('#mn-card').classList.toggle('active', v==='card');
+  $('#mn-table').classList.toggle('active', v==='table');
+  applyManifFilter();
+}
+function applyManifFilter(){
+  const q = (($('#mn-q')?$('#mn-q').value:'') || '').toLowerCase().trim();
+  const raz = $('#mn-raz') ? $('#mn-raz').value : '';
+  let rows = _cache.manifestacije || [];
+  if(q) rows = rows.filter(m => (m.naziv||'').toLowerCase().includes(q) || (m.organizator||'').toLowerCase().includes(q) || (m.mjesto||'').toLowerCase().includes(q));
+  if(raz) rows = rows.filter(m => m.razina===raz);
+  if(_sort.manifestacije) rows = sortRows(rows, _sort.manifestacije.key, _sort.manifestacije.dir);
+  $('#mn-cnt').textContent = rows.length+' manifestacija';
+  $('#mn-out').innerHTML = _state.viewManif==='card' ? renderManifGrid(rows) : renderManifTable(rows);
+}
+function renderManifGrid(rows){
+  if(!rows.length) return '<div class="empty">Nema rezultata</div>';
+  return '<div class="grid">'+rows.map(m => `
+    <div class="entity" onclick="openManif(${m.id})">
+      ${m.razina?'<div class="et-tag">'+esc(m.razina)+'</div>':''}
+      <div class="et">${esc(m.naziv)}</div>
+      <div class="es">${txt(m.mjesto,'—')}${m.spol_kategorija?' · '+esc(m.spol_kategorija):''}</div>
+      <div class="em">
+        ${m.broj_ucesnika?'<span><b>'+esc(m.broj_ucesnika)+'</b> sudionika</span>':''}
+        ${m.organizator?'<span>'+esc((m.organizator||'').slice(0,40))+'</span>':''}
+      </div>
+    </div>`).join('')+'</div>';
+}
+function renderManifTable(rows){
+  if(!rows.length) return '<div class="empty">Nema rezultata</div>';
+  return `<div class="card" style="padding:0;overflow-x:auto"><table>
+    <thead><tr>${sortHeader('manifestacije','naziv','Naziv','')}${sortHeader('manifestacije','mjesto','Mjesto','')}${sortHeader('manifestacije','razina','Razina','')}${sortHeader('manifestacije','organizator','Organizator','')}${sortHeader('manifestacije','broj_ucesnika','Sudionici','')}<th>Link</th></tr></thead>
+    <tbody>${rows.map(m => `
+      <tr onclick="openManif(${m.id})">
+        <td><b>${esc(m.naziv)}</b></td>
+        <td>${txt(m.mjesto)}</td>
+        <td>${m.razina?'<span class="tag b">'+esc(m.razina)+'</span>':'—'}</td>
+        <td>${txt(m.organizator)}</td>
+        <td>${txt(m.broj_ucesnika)}</td>
+        <td>${m.source_url?'<a href="'+esc(m.source_url)+'" target="_blank">↗</a>':'—'}</td>
+      </tr>`).join('')}</tbody>
+  </table></div>`;
+}
+function openManif(id){
+  const m = (_cache.manifestacije||[]).find(x => x.id===id);
+  if(!m){ openPanel('Manifestacija', '<div class="empty">Nije pronađeno</div>'); return; }
+  // If we have a source_url, open it directly in a new tab
+  if(m.source_url){
+    window.open(m.source_url, '_blank', 'noopener');
+    return;
+  }
+  // Otherwise show details + Google search fallback
+  const gq = encodeURIComponent((m.naziv||'')+' '+(m.mjesto||'')+' sport');
+  const googleUrl = 'https://www.google.com/search?q='+gq;
+  const html = `
+    <div class="card-h" style="border:0;padding:0;margin-bottom:14px">
+      <div>
+        <div style="font-size:18px;font-weight:800;color:var(--t0)">${esc(m.naziv)}</div>
+        <div style="font-size:12px;color:var(--t2);margin-top:4px">${txt(m.mjesto,'—')} · ${txt(m.razina,'')}</div>
+      </div>
+    </div>
+    <div class="card">
+      <div class="card-h"><div class="card-t">📋 Detalji</div></div>
+      <div class="kv">
+        <div class="k">Organizator</div><div class="v">${txt(m.organizator)}</div>
+        <div class="k">Razina</div><div class="v">${m.razina?'<span class="tag b">'+esc(m.razina)+'</span>':'—'}</div>
+        <div class="k">Sudionici</div><div class="v">${txt(m.broj_ucesnika)}</div>
+        <div class="k">Spol/kategorija</div><div class="v">${txt(m.spol_kategorija)}</div>
+        <div class="k">Godina od</div><div class="v">${txt(m.godina_od)}</div>
+        <div class="k">Mjesto</div><div class="v">${txt(m.mjesto)}</div>
+      </div>
+      ${m.napomena ? '<div style="margin-top:14px;font-size:12px;line-height:1.5;color:var(--t1);padding:10px;background:var(--bg3);border-radius:5px">'+esc(m.napomena)+'</div>' : ''}
+    </div>
+    <div class="card">
+      <div class="card-h"><div class="card-t">🌐 Online izvori</div></div>
+      <div class="empty" style="padding:14px">Nema poznatog izvornog URL-a. Pokušaj pronaći više informacija online:</div>
+      <div style="text-align:center;margin-top:10px">
+        <a href="${googleUrl}" target="_blank" class="btn primary" style="display:inline-block;text-decoration:none">🔍 Pretraži na Googleu</a>
+      </div>
+    </div>
+  `;
+  openPanel('Manifestacija · '+m.naziv, html);
+}
+
+//=========== MREŽA (Network Graph) ===========
+const _mreza = {data:null, sim:null, allNodes:null, allEdges:null, filter:{osoba:'', klub:'', tvrtka:'', tip:''}};
+
+async function loadMreza(){
+  const root = $('#pg-mreza');
+  if(!_mreza.data){
+    root.innerHTML = '<div class="loading">Učitavanje grafa entiteta…</div>';
+    let resp;
+    try{
+      const r = await fetch('https://api.rinet.one/api/v1/presenter/graph-real');
+      resp = await r.json();
+    }catch(e){ console.error('graph fetch error', e); }
+    if(!resp || !resp.data){ root.innerHTML='<div class="empty">Greška pri dohvatu graf-podataka</div>'; return; }
+    const nodes = (resp.data.nodes||[]).slice();
+    const edges = (resp.data.edges||[]).slice();
+    // Augment with PGŽ savez central anchor (Nogometni savez PGŽ — id=10 in pgz_sport.savezi)
+    const anchorId = 'pgz-savez-nogometni';
+    if(!nodes.find(n => n.id === anchorId)){
+      nodes.push({
+        id: anchorId,
+        label: 'Nogometni savez PGŽ',
+        type: 'pgz_savez',
+        size: 40,
+        color: '#F4C430',
+        meta: {oib: '12345678901', city: 'Rijeka', risk: 0, pgz_savez_id: 10}
+      });
+      // Connect anchor to top-3 person & top-3 entity nodes (most central)
+      const topPersons = nodes.filter(n => n.type==='person').sort((a,b)=>(b.size||0)-(a.size||0)).slice(0,3);
+      const topEntities = nodes.filter(n => n.type==='entity').sort((a,b)=>(b.size||0)-(a.size||0)).slice(0,3);
+      for(const t of [...topPersons, ...topEntities]){
+        edges.push({source:anchorId, target:t.id, color:'#F4C43055', size:0.6});
+      }
+    }
+    _mreza.data = {nodes, edges};
+    _mreza.allNodes = nodes;
+    _mreza.allEdges = edges;
+    _mreza.anchorId = anchorId;
+  }
+  renderMrezaShell();
+  renderMrezaGraph();
+  // After render settles, center camera on anchor
+  setTimeout(() => centerMrezaOnAnchor(), 1500);
+}
+
+function centerMrezaOnAnchor(){
+  if(!_mreza.graph) return;
+  const anchor = (_mreza.allNodes||[]).find(n => n.id === _mreza.anchorId);
+  if(!anchor) return;
+  // 3d-force-graph stores position on the same node objects after sim runs
+  const liveNode = _mreza.graph.graphData().nodes.find(n => n.id === anchor.id);
+  if(!liveNode) return;
+  const dist = 200;
+  const distRatio = 1 + dist/Math.max(1, Math.hypot(liveNode.x||1, liveNode.y||1, liveNode.z||1));
+  try{
+    _mreza.graph.cameraPosition(
+      { x:(liveNode.x||0)*distRatio, y:(liveNode.y||0)*distRatio, z:(liveNode.z||0)*distRatio },
+      liveNode,
+      1500
+    );
+  }catch(e){ console.warn('center anchor', e); }
+}
+
+function renderMrezaShell(){
+  const root = $('#pg-mreza');
+  const types = Array.from(new Set((_mreza.allNodes||[]).map(n=>n.type))).sort();
+  const totalN = (_mreza.allNodes||[]).length;
+  const totalE = (_mreza.allEdges||[]).length;
+  root.innerHTML = `
+    <div class="kpi-grid" style="grid-template-columns:repeat(4,1fr);margin-bottom:14px">
+      <div class="kpi"><div class="kpi-l">Čvorova</div><div class="kpi-v">${totalN}</div></div>
+      <div class="kpi b"><div class="kpi-l">Veza</div><div class="kpi-v">${totalE}</div></div>
+      <div class="kpi g"><div class="kpi-l">Osoba</div><div class="kpi-v">${(_mreza.allNodes||[]).filter(n=>n.type==='person').length}</div></div>
+      <div class="kpi r"><div class="kpi-l">Tvrtki / entiteta</div><div class="kpi-v">${(_mreza.allNodes||[]).filter(n=>n.type==='entity'||n.type==='supplier').length}</div></div>
+    </div>
+
+    <div class="toolbar" style="margin-bottom:10px;align-items:flex-start">
+      <div class="ac-wrap" style="position:relative"><input type="search" id="mr-osoba" data-ac-type="person" placeholder="👤 Osoba… (Enter za prvi rezultat)"><div class="ac-drop" id="mr-osoba-drop"></div></div>
+      <div class="ac-wrap" style="position:relative"><input type="search" id="mr-klub" data-ac-type="club" placeholder="🏟 Klub / Savez…"><div class="ac-drop" id="mr-klub-drop"></div></div>
+      <div class="ac-wrap" style="position:relative"><input type="search" id="mr-tvrtka" data-ac-type="company" placeholder="🏢 Tvrtka / Entitet…"><div class="ac-drop" id="mr-tvrtka-drop"></div></div>
+      <select id="mr-tip">
+        <option value="">Svi tipovi</option>
+        ${types.map(t=>'<option value="'+esc(t)+'">'+esc(t)+'</option>').join('')}
+      </select>
+      <button class="btn" onclick="resetMreza()">↺ Reset</button>
+      <button class="btn" onclick="centerMrezaOnAnchor()">🎯 Centar (PGŽ)</button>
+      <span class="tb-s" id="mr-cnt"></span>
+    </div>
+
+    <div class="card" style="padding:0;overflow:hidden;position:relative">
+      <div id="mr-graph" style="width:100%;height:640px;background:#08090e;position:relative;cursor:grab"></div>
+      <div style="position:absolute;top:10px;right:14px;font-size:10px;color:var(--t4);background:rgba(13,16,33,0.7);padding:4px 8px;border-radius:4px;pointer-events:none">
+        🖱 Drag • Scroll zoom • Right-drag pan • Click node • Enter pretraga
+      </div>
+    </div>
+
+    <div class="card" style="margin-top:10px">
+      <div class="card-h"><div class="card-t">🎨 Legenda</div></div>
+      <div style="display:flex;gap:14px;flex-wrap:wrap;font-size:12px">
+        <div><span style="display:inline-block;width:12px;height:12px;border-radius:50%;background:#8b5cf6;vertical-align:middle;margin-right:5px"></span>Osoba</div>
+        <div><span style="display:inline-block;width:12px;height:12px;border-radius:50%;background:#ff4466;vertical-align:middle;margin-right:5px"></span>Entitet (high risk)</div>
+        <div><span style="display:inline-block;width:12px;height:12px;border-radius:50%;background:#00e68a;vertical-align:middle;margin-right:5px"></span>Dobavljač</div>
+        <div style="color:var(--t2)">Veličina = risk / promet · Klikni čvor za detalje · 3D force graph (drag rotate, scroll zoom)</div>
+      </div>
+    </div>
+  `;
+  // Wire autocomplete + filter on the 3 search inputs
+  ['#mr-osoba', '#mr-klub', '#mr-tvrtka'].forEach(sel => {
+    const el = $(sel);
+    if(!el) return;
+    el.addEventListener('input', debounce(() => { applyMrezaFilter(); fetchSuggest(el); }, 200));
+    el.addEventListener('keydown', e => {
+      if(e.key === 'Enter'){ e.preventDefault(); pickFirstSuggest(el); }
+      if(e.key === 'Escape'){ closeSuggest(el); }
+    });
+    el.addEventListener('blur', () => setTimeout(() => closeSuggest(el), 200));
+  });
+  $('#mr-tip').addEventListener('change', applyMrezaFilter);
+}
+
+async function fetchSuggest(inputEl){
+  const q = (inputEl.value||'').trim();
+  const drop = document.getElementById(inputEl.id + '-drop');
+  if(!drop) return;
+  if(q.length < 2){ drop.innerHTML = ''; drop.style.display='none'; return; }
+  const type = inputEl.dataset.acType || '';
+  const r = await api('/v2/search/suggest?q='+encodeURIComponent(q)+'&type='+type+'&limit=10');
+  if(!r){ drop.innerHTML=''; drop.style.display='none'; return; }
+  const results = r.results || [];
+  if(!results.length){ drop.innerHTML='<div class="ac-empty">Nema rezultata</div>'; drop.style.display='block'; return; }
+  drop.innerHTML = results.map(s => `
+    <div class="ac-item" data-id="${esc(s.id)}" data-label="${esc(s.label)}" onclick="pickSuggest('${inputEl.id}',this)">
+      <div class="ac-l">${esc(s.label)}</div>
+      <div class="ac-s">${esc(s.sub||s.type||'')}</div>
+    </div>
+  `).join('');
+  drop.style.display = 'block';
+  drop.dataset.firstId = results[0].id;
+  drop.dataset.firstLabel = results[0].label;
+}
+
+function pickSuggest(inputElId, itemEl){
+  const inputEl = document.getElementById(inputElId);
+  const id = itemEl.dataset.id;
+  const label = itemEl.dataset.label;
+  if(inputEl){ inputEl.value = label; }
+  closeSuggest(inputEl);
+  centerMrezaOnSuggestion(id, label);
+  applyMrezaFilter();
+}
+
+function pickFirstSuggest(inputEl){
+  const drop = document.getElementById(inputEl.id + '-drop');
+  if(drop && drop.dataset.firstId){
+    inputEl.value = drop.dataset.firstLabel || '';
+    centerMrezaOnSuggestion(drop.dataset.firstId, drop.dataset.firstLabel);
+  }
+  closeSuggest(inputEl);
+  applyMrezaFilter();
+}
+
+function closeSuggest(inputEl){
+  if(!inputEl) return;
+  const drop = document.getElementById(inputEl.id + '-drop');
+  if(drop){ drop.style.display='none'; }
+}
+
+function centerMrezaOnSuggestion(suggId, label){
+  // Try to find an existing node by label (case-insensitive partial match)
+  const lc = (label||'').toLowerCase();
+  const live = _mreza.graph ? _mreza.graph.graphData().nodes : (_mreza.allNodes||[]);
+  let target = live.find(n => (n.label||'').toLowerCase() === lc);
+  if(!target) target = live.find(n => (n.label||'').toLowerCase().includes(lc));
+  if(!target && _mreza.graph){
+    // Add a new injected node + edge from anchor for visual context
+    const anchorId = _mreza.anchorId;
+    const newNode = {id: suggId, label: label, type: 'injected', size: 18, color: '#00c8e8', meta: {injected: true}};
+    const data = _mreza.graph.graphData();
+    data.nodes.push(newNode);
+    if(anchorId) data.links.push({source: anchorId, target: suggId, color:'#00c8e855', size:0.8});
+    _mreza.graph.graphData(data);
+    _mreza.allNodes.push(newNode);
+    if(anchorId) _mreza.allEdges.push({source: anchorId, target: suggId, color:'#00c8e855', size:0.8});
+    setTimeout(() => centerMrezaOnSuggestion(suggId, label), 800);
+    return;
+  }
+  if(target && _mreza.graph){
+    const dist = 120;
+    const x = target.x||0, y = target.y||0, z = target.z||0;
+    const r = 1 + dist/Math.max(1, Math.hypot(x||1,y||1,z||1));
+    try{ _mreza.graph.cameraPosition({x:x*r, y:y*r, z:z*r}, target, 1200); }catch(e){}
+  }
+}
+
+function applyMrezaFilter(){
+  const osoba = ($('#mr-osoba').value||'').toLowerCase().trim();
+  const klub = ($('#mr-klub').value||'').toLowerCase().trim();
+  const tvrtka = ($('#mr-tvrtka').value||'').toLowerCase().trim();
+  const tip = $('#mr-tip').value;
+
+  let nodes = (_mreza.allNodes||[]).slice();
+  if(osoba) nodes = nodes.filter(n => n.type==='person' && (n.label||'').toLowerCase().includes(osoba) || n.type!=='person');
+  if(klub){
+    // filter entity/supplier by label match (savezi/klubovi appear as entities)
+    nodes = nodes.filter(n => {
+      if(n.type==='person') return true;
+      return (n.label||'').toLowerCase().includes(klub);
+    });
+  }
+  if(tvrtka){
+    nodes = nodes.filter(n => {
+      if(n.type==='person') return true;
+      return (n.label||'').toLowerCase().includes(tvrtka);
+    });
+  }
+  if(tip) nodes = nodes.filter(n => n.type===tip);
+  // Also filter to stronger: if osoba is set, drop persons not matching
+  if(osoba) nodes = nodes.filter(n => n.type!=='person' || (n.label||'').toLowerCase().includes(osoba));
+  if(klub) nodes = nodes.filter(n => n.type==='person' || (n.label||'').toLowerCase().includes(klub));
+  if(tvrtka) nodes = nodes.filter(n => n.type==='person' || (n.label||'').toLowerCase().includes(tvrtka));
+
+  const ids = new Set(nodes.map(n=>n.id));
+  let edges = (_mreza.allEdges||[]).filter(e => ids.has(e.source.id||e.source) && ids.has(e.target.id||e.target));
+  // After edge filter, keep only nodes that have at least one edge OR were direct matches
+  const used = new Set();
+  for(const e of edges){
+    used.add(e.source.id||e.source);
+    used.add(e.target.id||e.target);
+  }
+  // If we have any text filter, restrict to nodes that have edges; otherwise keep all
+  if(osoba||klub||tvrtka){
+    nodes = nodes.filter(n => used.has(n.id));
+  }
+
+  $('#mr-cnt').textContent = nodes.length+' čvorova · '+edges.length+' veza';
+  renderMrezaGraph(nodes, edges);
+}
+
+function resetMreza(){
+  $('#mr-osoba').value = '';
+  $('#mr-klub').value = '';
+  $('#mr-tvrtka').value = '';
+  $('#mr-tip').value = '';
+  applyMrezaFilter();
+}
+
+function renderMrezaGraph(nodes, edges){
+  if(!nodes) nodes = (_mreza.allNodes||[]).slice();
+  if(!edges) edges = (_mreza.allEdges||[]).slice();
+  const container = document.getElementById('mr-graph');
+  if(!container) return;
+
+  // Deep-copy so 3d-force-graph doesn't mutate originals across re-renders
+  const N = nodes.map(n => Object.assign({}, n));
+  const Nmap = new Map(N.map(n=>[n.id, n]));
+  const E = edges.map(e => ({
+    source: e.source.id || e.source,
+    target: e.target.id || e.target,
+    color: e.color, size: e.size
+  })).filter(e => Nmap.has(e.source) && Nmap.has(e.target));
+
+  // Tear down previous graph (re-create on each render to avoid stale state)
+  if(_mreza.graph){
+    try{ _mreza.graph._destructor && _mreza.graph._destructor(); }catch(e){}
+    container.innerHTML = '';
+    _mreza.graph = null;
+  }
+
+  if(typeof ForceGraph3D === 'undefined'){
+    container.innerHTML = '<div class="empty" style="padding:40px;color:var(--red)">3D Force Graph biblioteka nije učitana. Provjeri unpkg.com pristup.</div>';
+    return;
+  }
+
+  const W = container.clientWidth || 800;
+  const H = container.clientHeight || 640;
+  const Graph = ForceGraph3D()(container)
+    .width(W)
+    .height(H)
+    .backgroundColor('#08090e')
+    .graphData({nodes: N, links: E})
+    .nodeLabel(n => '<div style="background:rgba(13,16,33,.95);border:1px solid #283560;border-radius:5px;padding:6px 10px;font-family:Inter,sans-serif;font-size:12px;color:#fff"><b>'+(n.label||'').replace(/</g,'&lt;')+'</b><br><span style="color:#8a95b4">'+(n.type||'')+(n.meta&&n.meta.risk?' · risk '+n.meta.risk:'')+'</span></div>')
+    .nodeColor(n => n.color || '#004CC4')
+    .nodeVal(n => Math.max(2, (n.size||5)*0.6))
+    .nodeOpacity(0.92)
+    .linkColor(l => (l.color||'#283560').replace(/22$/,'') )
+    .linkWidth(l => Math.max(0.3, (l.size||0.4)*1.5))
+    .linkOpacity(0.5)
+    .linkDirectionalParticles(0)
+    .onNodeClick(n => {
+      // Center camera on node + open detail panel
+      const dist = 80;
+      const distRatio = 1 + dist/Math.hypot(n.x||1, n.y||1, n.z||1);
+      Graph.cameraPosition(
+        { x:(n.x||0)*distRatio, y:(n.y||0)*distRatio, z:(n.z||0)*distRatio },
+        n,
+        800
+      );
+      openMrezaNode(n);
+    })
+    .onNodeHover(n => { container.style.cursor = n ? 'pointer' : 'grab'; });
+
+  _mreza.graph = Graph;
+
+  // Resize handler — re-flow when container dims change
+  if(_mreza.resizeObs){ try{_mreza.resizeObs.disconnect();}catch(e){} }
+  _mreza.resizeObs = new ResizeObserver(entries => {
+    for(const ent of entries){
+      const cw = ent.contentRect.width|0, ch = ent.contentRect.height|0;
+      if(cw>0 && ch>0 && _mreza.graph){
+        try{ _mreza.graph.width(cw).height(ch); }catch(e){}
+      }
+    }
+  });
+  _mreza.resizeObs.observe(container);
+
+  if($('#mr-cnt') && !$('#mr-cnt').textContent){
+    $('#mr-cnt').textContent = N.length+' čvorova · '+E.length+' veza';
+  }
+}
+
+function openMrezaNode(n){
+  const m = n.meta || {};
+  // Find connected nodes
+  const id = n.id;
+  const edges = (_mreza.allEdges||[]).filter(e => (e.source.id||e.source)===id || (e.target.id||e.target)===id);
+  const connectedIds = new Set();
+  for(const e of edges){
+    const s = e.source.id||e.source;
+    const t = e.target.id||e.target;
+    if(s===id) connectedIds.add(t); else connectedIds.add(s);
+  }
+  const connected = (_mreza.allNodes||[]).filter(x => connectedIds.has(x.id));
+
+  let html = `
+    <div class="card-h" style="border:0;padding:0;margin-bottom:14px">
+      <div>
+        <div style="font-size:18px;font-weight:800;color:var(--t0)">${esc(n.label)}</div>
+        <div style="font-size:12px;color:var(--t2);margin-top:4px">
+          <span class="tag b">${esc(n.type)}</span>
+          ${m.risk?'<span class="tag rd">Risk '+m.risk+'</span>':''}
+          ${m.forensic?'<span class="tag am">Forenzika '+m.forensic+'</span>':''}
+        </div>
+      </div>
+    </div>
+
+    ${(m.risk!=null || m.forensic!=null) ? `
+    <div class="kpi-grid" style="grid-template-columns:repeat(3,1fr);margin-bottom:14px">
+      ${m.risk!=null ? '<div class="kpi r"><div class="kpi-l">Risk score</div><div class="kpi-v">'+m.risk+'</div></div>' : ''}
+      ${m.forensic!=null ? '<div class="kpi"><div class="kpi-l">Forenzički flag</div><div class="kpi-v">'+m.forensic+'</div></div>' : ''}
+      ${m.winner_contracts!=null ? '<div class="kpi b"><div class="kpi-l">Ugovori (W)</div><div class="kpi-v">'+m.winner_contracts+'</div></div>' : ''}
+    </div>` : ''}
+
+    <div class="card">
+      <div class="card-h"><div class="card-t">📋 Detalji</div></div>
+      <div class="kv">
+        <div class="k">ID</div><div class="v" style="font-family:var(--mono);font-size:11px">${esc(n.id)}</div>
+        <div class="k">Tip</div><div class="v">${esc(n.type)}</div>
+        <div class="k">Naziv</div><div class="v">${esc(n.label)}</div>
+        ${m.oib?'<div class="k">OIB</div><div class="v" style="font-family:var(--mono)">'+esc(m.oib)+'</div>':''}
+        ${m.city?'<div class="k">Grad</div><div class="v">'+esc(m.city)+'</div>':''}
+        ${m.buyer_contracts!=null?'<div class="k">Ugovori kao kupac</div><div class="v">'+m.buyer_contracts+'</div>':''}
+        ${m.buyer_value!=null?'<div class="k">Vrijednost (kupac)</div><div class="v">'+fmtEurFull(m.buyer_value)+'</div>':''}
+        ${m.winner_contracts!=null?'<div class="k">Ugovori kao dobavljač</div><div class="v">'+m.winner_contracts+'</div>':''}
+        ${m.total!=null?'<div class="k">Ukupan promet</div><div class="v"><b style="color:var(--pgz-gold)">'+fmtEurFull(m.total)+'</b></div>':''}
+        ${m.contracts!=null?'<div class="k">Broj ugovora</div><div class="v">'+m.contracts+'</div>':''}
+      </div>
+    </div>
+
+    <div class="card">
+      <div class="card-h"><div class="card-t">🔗 Veze (${connected.length})</div></div>
+      ${connected.length ? '<div style="overflow-x:auto;max-height:300px;overflow-y:auto"><table>'+
+        '<thead><tr><th>Tip</th><th>Naziv</th><th>Risk</th></tr></thead>'+
+        '<tbody>'+connected.slice(0,80).map(c => `
+          <tr onclick="openMrezaNode(${JSON.stringify(c).replace(/"/g,'&quot;')})">
+            <td><span class="tag b">${esc(c.type)}</span></td>
+            <td><b>${esc(c.label)}</b></td>
+            <td>${(c.meta&&c.meta.risk)||'—'}</td>
+          </tr>`).join('')+
+        '</tbody></table></div>' : '<div class="empty">Nema povezanih entiteta</div>'}
+    </div>
+
+    ${(m.forensic && m.forensic > 0 && n.type==='entity') ? `
+    <div class="card">
+      <div class="card-h"><div class="card-t">⚠ Forenzika</div></div>
+      <div class="alert-card crit">
+        <div class="at">${m.forensic} forenzičkih flagova</div>
+        <div class="ad">Ovaj entitet ima zabilježene forenzičke nalaze. Provjeri detalje u sekciji Forenzika.</div>
+      </div>
+    </div>` : ''}
+
+    ${(m.buyer_contracts && m.buyer_contracts > 0) ? `
+    <div class="card">
+      <div class="card-h"><div class="card-t">💼 Procurement</div></div>
+      <div class="kv">
+        <div class="k">Kao kupac</div><div class="v">${m.buyer_contracts} ugovora · ${fmtEurFull(m.buyer_value||0)}</div>
+      </div>
+    </div>` : ''}
+  `;
+  openPanel(n.label, html);
+}
+
+//=========== FORENZIKA ===========
+const _forenzika = {alerts:null, custom:null, filter:{severity:'', tip:'', q:''}};
+
+// Manual / custom forensic findings (not in DB) — flagship cases
+const _customFindings = [
+  {
+    id: 'liveric-pep',
+    severity: 'CRITICAL',
+    tip: 'sukob_interesa',
+    naslov: 'Velimir Liverić — PEP profil',
+    sazetak: 'Politički eksponirana osoba s povezanostima u sportskom ekosustavu PGŽ. Manualno označen za pojačanu reviziju.',
+    osoba: 'Velimir Liverić',
+    uloga: 'Politički eksponirana osoba (PEP)',
+    risk_score: 87,
+    uvod: 'Velimir Liverić figurira u više dokumenata vezanih uz raspodjelu sportskih sredstava u PGŽ. Zbog statusa politički eksponirane osobe (PEP) prema GDPR/AML standardima, sve transakcije i pozicije u upravnim odborima trebaju biti predmet pojačane provjere (EDD).',
+    povezane_entitete: [
+      {tip:'Tvrtka', naziv:'Politička pozicija u JLS', napomena:'Aktualna ili bivša funkcija u jedinici lokalne/područne samouprave'},
+      {tip:'Klub', naziv:'Provjeriti članstva u upravnim tijelima', napomena:'Manualna provjera potrebna'},
+      {tip:'Potpora', naziv:'Sufinanciranja u 2024–2026', napomena:'Provjeriti tokove novca prema povezanim klubovima'}
+    ],
+    timeline: [
+      {kad:'2026-01', sto:'Prvi flag — automatska detekcija imena u dokumentima'},
+      {kad:'2026-03', sto:'Ručna eskalacija za EDD pregled'},
+      {kad:'2026-04', sto:'Dodano u registar PEP osoba pgz-sport platforme'}
+    ],
+    breakdown: [
+      {kriterij:'PEP status', tezina:40},
+      {kriterij:'Više aktivnih veza s klubovima', tezina:25},
+      {kriterij:'Pristup javnim sredstvima', tezina:15},
+      {kriterij:'Nedostatak transparentne dokumentacije', tezina:7}
+    ]
+  },
+  {
+    id: 'klub-bez-oib',
+    severity: 'HIGH',
+    tip: 'data_quality',
+    naslov: 'Klubovi bez OIB-a',
+    sazetak: 'Više aktivnih klubova nema upisan OIB što onemogućuje pravnu validaciju primatelja potpora.',
+    risk_score: 60,
+    uvod: 'Bez OIB-a klubovi ne mogu biti automatski povezani s registrom poreznih obveznika i Ministarstvom pravosuđa. Riziku su izložena sufinanciranja jer nije moguće potvrditi pravnu osobnost primatelja.',
+    povezane_entitete: [],
+    timeline: [{kad:'kontinuirano', sto:'Detekcija pri unosu i scrape ciklusu'}],
+    breakdown: [
+      {kriterij:'Nedostatak ključnog identifikatora', tezina:35},
+      {kriterij:'Više klubova pogođeno', tezina:25}
+    ]
+  },
+  {
+    id: 'premali-klub-velik-iznos',
+    severity: 'HIGH',
+    tip: 'neobicna_isplata',
+    naslov: 'Mali klub — neproporcionalno velika potpora',
+    sazetak: 'Heuristička detekcija: klubovi s ispod 50 registriranih sportaša koji su dobili potporu iznad 30k EUR.',
+    risk_score: 55,
+    uvod: 'Pravilo: ako klub ima <50 sportaša a primio je >30 000 EUR potpore, vjerojatno postoji opravdani razlog (npr. infrastrukturna potpora ili nositelj kvalitete) — ali svaki slučaj zahtijeva ručnu validaciju.',
+    povezane_entitete: [{tip:'Klub', naziv:'Više klubova zadovoljava heuristiku'}],
+    timeline: [{kad:'svakodnevno', sto:'Heuristika prolazi kroz tablicu sufinanciranja'}],
+    breakdown: [
+      {kriterij:'Disproporcija veličina/iznos', tezina:30},
+      {kriterij:'Nepostojanje "nositelj kvalitete" oznake', tezina:25}
+    ]
+  }
+];
+
+async function loadForenzika(){
+  const root = $('#pg-forenzika');
+  if(!_forenzika.alerts){
+    root.innerHTML = '<div class="loading">Učitavanje alarma…</div>';
+    const al = await api('/v2/alerts');
+    _forenzika.alerts = Array.isArray(al) ? al : [];
+  }
+  if(!_forenzika.custom) _forenzika.custom = _customFindings.slice();
+  let d = _cache.dash;
+  if(!d){ d = await api('/dashboard'); if(d) _cache.dash = d; }
+  d = d || {};
+  renderForenzikaShell(d);
+  applyForenzikaFilter();
+}
+
+function renderForenzikaShell(d){
+  const root = $('#pg-forenzika');
+  const alerts = _forenzika.alerts || [];
+  const tipovi = Array.from(new Set([
+    ..._forenzika.custom.map(c=>c.tip),
+    ...alerts.map(a=>a.tip).filter(Boolean)
+  ])).sort();
+  root.innerHTML = `
+    <div class="kpi-grid">
+      <div class="kpi r"><div class="kpi-l">Kritičnih</div><div class="kpi-v">${alerts.filter(a=>a.razina==='CRITICAL').length + _forenzika.custom.filter(c=>c.severity==='CRITICAL').length}</div><div class="kpi-s">SEVERITY: CRITICAL</div></div>
+      <div class="kpi"><div class="kpi-l">High</div><div class="kpi-v">${_forenzika.custom.filter(c=>c.severity==='HIGH').length}</div><div class="kpi-s">forenzički nalazi</div></div>
+      <div class="kpi b"><div class="kpi-l">Upozorenja</div><div class="kpi-v">${alerts.filter(a=>a.razina==='WARNING').length}</div></div>
+      <div class="kpi g"><div class="kpi-l">Naplaćeno članarina</div><div class="kpi-v" style="font-size:18px">${fmtEur(d.naplaceno_clanarine_god||0)}</div></div>
+      <div class="kpi"><div class="kpi-l">Dug članarina</div><div class="kpi-v" style="font-size:18px">${fmtEur(d.dug_clanarine_god||0)}</div></div>
+    </div>
+
+    <div class="toolbar">
+      <input type="search" id="fz-q" placeholder="🔍 Pretraži po imenu, klubu, nalazu…">
+      <select id="fz-sev">
+        <option value="">Sve razine</option>
+        <option value="CRITICAL">🔴 CRITICAL</option>
+        <option value="HIGH">🟠 HIGH</option>
+        <option value="WARNING">🟡 WARNING</option>
+        <option value="MEDIUM">🟡 MEDIUM</option>
+      </select>
+      <select id="fz-tip">
+        <option value="">Svi tipovi</option>
+        ${tipovi.map(t=>'<option value="'+esc(t)+'">'+esc(t)+'</option>').join('')}
+      </select>
+      <span class="tb-s" id="fz-cnt"></span>
+    </div>
+
+    <div class="card" style="border-color:var(--pgz-gold)">
+      <div class="card-h">
+        <div class="card-t">⚡ Pokreni novu analizu osobe</div>
+        <div class="tb-s">civic.persons + entity_links + forensic_findings</div>
+      </div>
+      <div style="display:flex;gap:8px;flex-wrap:wrap;align-items:center">
+        <input type="text" id="fz-scan-name" placeholder="Ime i prezime (npr. Velimir Liverić)" style="background:var(--bg2);border:1px solid var(--rim);border-radius:5px;padding:8px 12px;color:var(--t1);font-size:13px;flex:1;min-width:240px" value="Velimir Liverić">
+        <button class="btn primary" onclick="runForensicScan()">▶ Pokreni</button>
+        <button class="btn" onclick="document.getElementById('fz-scan-out').innerHTML=''">Očisti</button>
+      </div>
+      <div id="fz-scan-out" style="margin-top:12px"></div>
+    </div>
+
+    <div id="fz-out"></div>
+  `;
+  $('#fz-q').addEventListener('input', debounce(applyForenzikaFilter, 200));
+  $('#fz-sev').addEventListener('change', applyForenzikaFilter);
+  $('#fz-tip').addEventListener('change', applyForenzikaFilter);
+}
+
+function applyForenzikaFilter(){
+  const q = (($('#fz-q')?$('#fz-q').value:'') || '').toLowerCase().trim();
+  const sev = $('#fz-sev') ? $('#fz-sev').value : '';
+  const tip = $('#fz-tip') ? $('#fz-tip').value : '';
+
+  // Combine custom findings + DB alerts into a unified list
+  const combined = [];
+  for(const c of (_forenzika.custom||[])){
+    combined.push({
+      _kind: 'custom', id: c.id, severity: c.severity, tip: c.tip,
+      naslov: c.naslov, poruka: c.sazetak, klub_id: null, clan_id: null, datum: null,
+      raw: c
+    });
+  }
+  for(const a of (_forenzika.alerts||[])){
+    combined.push({
+      _kind: 'alert', id: a.id, severity: a.razina, tip: a.tip,
+      naslov: '['+a.tip+'] '+(a.poruka||'').slice(0,80),
+      poruka: a.poruka, klub_id: a.klub_id, clan_id: a.clan_id, datum: a.datum,
+      raw: a
+    });
+  }
+  let rows = combined;
+  if(q) rows = rows.filter(r => (r.naslov||'').toLowerCase().includes(q) || (r.poruka||'').toLowerCase().includes(q) || (r.tip||'').toLowerCase().includes(q));
+  if(sev) rows = rows.filter(r => r.severity===sev);
+  if(tip) rows = rows.filter(r => r.tip===tip);
+
+  $('#fz-cnt').textContent = rows.length+' nalaza';
+  const out = $('#fz-out');
+  if(!rows.length){ out.innerHTML='<div class="empty">Nema rezultata pri tim filtrima</div>'; return; }
+  out.innerHTML = rows.map((r,i) => {
+    const sevClass = r.severity==='CRITICAL'?'crit':(r.severity==='HIGH'?'crit':'');
+    const sevColor = r.severity==='CRITICAL'?'rd':(r.severity==='HIGH'?'am':'b');
+    return `
+      <div class="alert-card ${sevClass}" style="cursor:pointer;display:flex;align-items:center;gap:12px;padding:12px 14px" onclick="openForensicDetail('${r._kind}','${r.id}')">
+        <div style="font-size:22px;flex-shrink:0">${r.severity==='CRITICAL'?'🔴':r.severity==='HIGH'?'🟠':'🟡'}</div>
+        <div style="flex:1;min-width:0">
+          <div class="at">${esc(r.naslov)}</div>
+          <div class="ad">${esc(r.poruka||'')}</div>
+          ${r.datum?'<div class="ad">📅 '+fmtDate(r.datum)+'</div>':''}
+        </div>
+        <div><span class="tag ${sevColor}">${esc(r.severity||'?')}</span></div>
+        <div style="color:var(--t4);font-size:18px">›</div>
+      </div>
+    `;
+  }).join('');
+}
+
+function openForensicDetail(kind, id){
+  if(kind === 'custom'){
+    const c = (_forenzika.custom||[]).find(x => x.id === id);
+    if(!c){ openPanel('Nalaz', '<div class="empty">Nalaz nije pronađen</div>'); return; }
+    return renderCustomFindingPanel(c);
+  } else {
+    const a = (_forenzika.alerts||[]).find(x => String(x.id) === String(id));
+    if(!a){ openPanel('Alarm', '<div class="empty">Alarm nije pronađen</div>'); return; }
+    return renderAlertPanel(a);
+  }
+}
+
+function renderCustomFindingPanel(c){
+  const sevColor = c.severity==='CRITICAL'?'rd':(c.severity==='HIGH'?'am':'b');
+  const html = `
+    <div class="card-h" style="border:0;padding:0;margin-bottom:14px">
+      <div>
+        <div style="font-size:18px;font-weight:800;color:var(--t0)">${esc(c.naslov)}</div>
+        <div style="font-size:12px;color:var(--t2);margin-top:4px">
+          <span class="tag ${sevColor}">${esc(c.severity)}</span>
+          <span class="tag">${esc(c.tip)}</span>
+          ${c.osoba?'<span class="tag b">'+esc(c.osoba)+'</span>':''}
+        </div>
+      </div>
+    </div>
+
+    <div class="kpi-grid" style="grid-template-columns:1fr 1fr 1fr;margin-bottom:14px">
+      <div class="kpi r"><div class="kpi-l">Risk Score</div><div class="kpi-v">${c.risk_score||0}<span style="font-size:14px;color:var(--t2)">/100</span></div></div>
+      <div class="kpi"><div class="kpi-l">Severity</div><div class="kpi-v" style="font-size:16px">${esc(c.severity)}</div></div>
+      <div class="kpi b"><div class="kpi-l">Tip</div><div class="kpi-v" style="font-size:14px">${esc(c.tip)}</div></div>
+    </div>
+
+    <div class="card">
+      <div class="card-h"><div class="card-t">📖 Uvod u nalaz</div></div>
+      <div style="font-size:12px;line-height:1.6;color:var(--t1)">${esc(c.uvod)}</div>
+    </div>
+
+    ${c.povezane_entitete && c.povezane_entitete.length ? `
+    <div class="card">
+      <div class="card-h"><div class="card-t">🔗 Povezani entiteti (${c.povezane_entitete.length})</div></div>
+      <table>
+        <thead><tr><th>Tip</th><th>Naziv</th><th>Napomena</th></tr></thead>
+        <tbody>${c.povezane_entitete.map(e => `
+          <tr class="no-click">
+            <td><span class="tag b">${esc(e.tip)}</span></td>
+            <td><b>${esc(e.naziv)}</b></td>
+            <td>${esc(e.napomena||'')}</td>
+          </tr>`).join('')}</tbody>
+      </table>
+    </div>` : ''}
+
+    ${c.timeline && c.timeline.length ? `
+    <div class="card">
+      <div class="card-h"><div class="card-t">📅 Vremenska linija</div></div>
+      <div style="display:flex;flex-direction:column;gap:8px">
+        ${c.timeline.map(t => `
+          <div style="display:flex;gap:10px;padding:8px 10px;background:var(--bg3);border-radius:5px;border-left:3px solid var(--pgz-blue2)">
+            <div style="font-family:var(--mono);color:var(--pgz-gold);font-weight:700;font-size:11px;min-width:90px">${esc(t.kad)}</div>
+            <div style="font-size:12px;color:var(--t1)">${esc(t.sto)}</div>
+          </div>
+        `).join('')}
+      </div>
+    </div>` : ''}
+
+    ${c.breakdown && c.breakdown.length ? `
+    <div class="card">
+      <div class="card-h"><div class="card-t">📊 Risk score breakdown</div></div>
+      <div style="display:flex;flex-direction:column;gap:8px">
+        ${c.breakdown.map(b => {
+          const pct = Math.min(100, Math.round((b.tezina/100)*100));
+          return `
+          <div>
+            <div style="display:flex;justify-content:space-between;font-size:11px;margin-bottom:3px">
+              <span style="color:var(--t1)">${esc(b.kriterij)}</span>
+              <span style="font-family:var(--mono);color:var(--pgz-gold);font-weight:700">+${b.tezina}</span>
+            </div>
+            <div style="height:6px;background:var(--bg3);border-radius:3px;overflow:hidden">
+              <div style="height:100%;background:linear-gradient(90deg,var(--red),var(--pgz-gold));width:${pct}%"></div>
+            </div>
+          </div>`;
+        }).join('')}
+      </div>
+    </div>` : ''}
+
+    <div class="card">
+      <div class="card-h"><div class="card-t">📄 Dokumenti / dokazi</div></div>
+      <div class="empty" style="padding:14px">Za ovaj manualni nalaz nisu priloženi PDF dokazi. Pokreni "Obogati podatke" za prikupljanje izvora.</div>
+    </div>
+
+    ${customFindingEnrichBlock(c.id, c.osoba || c.naslov)}
+  `;
+  openPanel('Forenzika · '+c.naslov, html);
+}
+
+function customFindingEnrichBlock(customId, queryName){
+  const safeId = String(customId).replace(/[^a-z0-9_-]/gi,'_');
+  return `
+    <div class="card" id="fenrich-card-${safeId}">
+      <div class="card-h">
+        <div class="card-t">✨ Obogati podatke (Wikipedia)</div>
+        <button class="btn primary" onclick="enrichCustomFinding('${safeId}', '${esc(queryName).replace(/'/g,'\\\\&#39;')}')">▶ Pokreni</button>
+      </div>
+      <div id="fenrich-out-${safeId}">
+        <div class="empty" style="padding:14px">Lookup Wikipedia HR za "${esc(queryName)}" i prikaži dopune.</div>
+      </div>
+    </div>
+  `;
+}
+
+async function enrichCustomFinding(safeId, queryName){
+  const out = document.getElementById('fenrich-out-'+safeId);
+  if(out) out.innerHTML = '<div class="loading">Lookup Wikipedia HR…</div>';
+  // Custom findings aren't in DB — call wiki lookup via a synthesised forensic_findings.id of -1 won't work.
+  // Instead, use the existing /v2/enrich/sportas pattern to query Wikipedia by name.
+  // We re-use the wiki summary via a mini fetch helper.
+  try{
+    const wiki = await fetch('https://hr.wikipedia.org/api/rest_v1/page/summary/'+encodeURIComponent(queryName.replace(/ /g,'_')))
+      .then(r => r.ok ? r.json() : null).catch(()=>null);
+    if(!wiki || wiki.type==='disambiguation' || !wiki.extract){
+      if(out) out.innerHTML = '<div class="empty" style="padding:14px">Nije pronađen Wikipedia HR članak za <b>'+esc(queryName)+'</b>.</div>';
+      return;
+    }
+    const w = {title: wiki.title, extract: wiki.extract, description: wiki.description, url: (wiki.content_urls||{}).desktop?.page};
+    if(out) out.innerHTML = `
+      <div style="margin-bottom:8px"><span class="tag gr">🟢 Wikipedia HR</span></div>
+      <div style="padding:10px;background:var(--bg3);border-left:3px solid var(--pgz-gold);border-radius:5px">
+        <div style="font-weight:700;color:var(--t0);font-size:14px;margin-bottom:6px">${esc(w.title||'')}</div>
+        ${w.description?'<div style="font-size:11px;color:var(--t2);margin-bottom:6px;font-style:italic">'+esc(w.description)+'</div>':''}
+        ${w.extract?'<div style="font-size:12px;line-height:1.6;color:var(--t1)">'+esc(w.extract)+'</div>':''}
+        ${w.url?'<div style="margin-top:8px"><a href="'+esc(w.url)+'" target="_blank">↗ Otvori članak</a></div>':''}
+      </div>`;
+  }catch(e){
+    if(out) out.innerHTML = '<div class="empty" style="color:var(--red);padding:14px">Greška: '+esc(String(e))+'</div>';
+  }
+}
+
+function renderAlertPanel(a){
+  const sevColor = a.razina==='CRITICAL'?'rd':(a.razina==='HIGH'?'am':'b');
+  const html = `
+    <div class="card-h" style="border:0;padding:0;margin-bottom:14px">
+      <div>
+        <div style="font-size:18px;font-weight:800;color:var(--t0)">[${esc(a.tip)}]</div>
+        <div style="font-size:12px;color:var(--t2);margin-top:4px">
+          <span class="tag ${sevColor}">${esc(a.razina)}</span>
+          ${a.datum?'<span class="tag">📅 '+fmtDate(a.datum)+'</span>':''}
+        </div>
+      </div>
+    </div>
+    <div class="card">
+      <div class="card-h"><div class="card-t">📖 Opis alarma</div></div>
+      <div style="font-size:13px;line-height:1.6;color:var(--t1)">${esc(a.poruka||'')}</div>
+    </div>
+    <div class="card">
+      <div class="card-h"><div class="card-t">🔗 Povezani entiteti</div></div>
+      <table>
+        <tbody>
+          ${a.klub_id ? '<tr onclick="closePanel();setTimeout(()=>openKlub('+a.klub_id+'),250)"><td><span class="tag b">Klub</span></td><td><b>Klub #'+a.klub_id+'</b></td><td>Klikni za detalje →</td></tr>' : ''}
+          ${a.clan_id ? '<tr onclick="closePanel();setTimeout(()=>openSportas('+a.clan_id+'),250)"><td><span class="tag b">Sportaš</span></td><td><b>Sportaš #'+a.clan_id+'</b></td><td>Klikni za profil →</td></tr>' : ''}
+        </tbody>
+      </table>
+      ${(!a.klub_id && !a.clan_id) ? '<div class="empty" style="padding:14px">Nema povezanih entiteta u alarmu</div>' : ''}
+    </div>
+    <div class="card">
+      <div class="card-h"><div class="card-t">📅 Metapodaci</div></div>
+      <div class="kv">
+        <div class="k">ID</div><div class="v">${esc(a.id)}</div>
+        <div class="k">Tip</div><div class="v">${esc(a.tip)}</div>
+        <div class="k">Razina</div><div class="v">${esc(a.razina)}</div>
+        <div class="k">Datum događaja</div><div class="v">${a.datum?fmtDate(a.datum):'—'}</div>
+        <div class="k">Iznos</div><div class="v">${a.iznos!=null?fmtEurFull(a.iznos):'—'}</div>
+        <div class="k">Riješeno</div><div class="v">${a.rijeseno?'<span class="tag gr">DA</span>':'<span class="tag rd">NE</span>'}</div>
+        <div class="k">Kreirano</div><div class="v">${a.created_at?fmtDate(a.created_at):'—'}</div>
+      </div>
+    </div>
+    ${forensicEnrichBlock(a.id)}
+  `;
+  openPanel('Alarm #'+a.id, html);
+}
+
+function forensicEnrichBlock(findingId){
+  return `
+    <div class="card" id="fenrich-card-${findingId}">
+      <div class="card-h">
+        <div class="card-t">✨ Obogati podatke (Wikipedia)</div>
+        <button class="btn primary" onclick="enrichForensicFinding(${findingId})">▶ Pokreni</button>
+      </div>
+      <div id="fenrich-out-${findingId}">
+        <div class="empty" style="padding:14px">Ekstrakcija imena iz nalaza, lookup na Wikipedia HR i sprema u DB. Drugi puta će biti vidljivo bez ponovnog skidanja.</div>
+      </div>
+    </div>
+  `;
+}
+
+async function enrichForensicFinding(findingId){
+  const out = document.getElementById('fenrich-out-'+findingId);
+  if(out) out.innerHTML = '<div class="loading">Ekstraktiram ime, lookup Wikipedia HR…</div>';
+  const r = await apiPost('/v2/forensic/findings/'+findingId+'/enrich');
+  if(!r){ if(out) out.innerHTML = '<div class="empty" style="color:var(--red)">Greška</div>'; return; }
+  const w = r.wiki || null;
+  const html = `
+    <div style="margin-bottom:8px">
+      <span class="tag gr">🟢 Persisted</span>
+      ${r.used_query?'<span class="tag b">query: '+esc(r.used_query)+'</span>':''}
+    </div>
+    ${w ? `
+      <div style="padding:10px;background:var(--bg3);border-left:3px solid var(--pgz-gold);border-radius:5px">
+        <div style="font-size:11px;color:var(--t4);text-transform:uppercase;letter-spacing:.5px;margin-bottom:4px">📚 Wikipedia HR</div>
+        <div style="font-weight:700;color:var(--t0);font-size:14px;margin-bottom:6px">${esc(w.title||'')}</div>
+        ${w.description?'<div style="font-size:11px;color:var(--t2);margin-bottom:6px;font-style:italic">'+esc(w.description)+'</div>':''}
+        ${w.extract?'<div style="font-size:12px;line-height:1.6;color:var(--t1)">'+esc(w.extract)+'</div>':''}
+        ${w.url?'<div style="margin-top:8px"><a href="'+esc(w.url)+'" target="_blank">↗ Otvori članak</a></div>':''}
+      </div>
+    ` : '<div class="empty" style="padding:14px">Nije pronađen Wikipedia HR članak za ekstrahirana imena.<br>Pokušaji: '+esc(JSON.stringify(r.queried||[]))+'</div>'}
+  `;
+  if(out) out.innerHTML = html;
+}
+
+async function runForensicScan(){
+  const inputEl = document.getElementById('fz-scan-name');
+  const outEl = document.getElementById('fz-scan-out');
+  if(!inputEl || !outEl) return;
+  const name = (inputEl.value||'').trim();
+  if(name.length < 3){ outEl.innerHTML = '<div class="empty">Unesi barem 3 znaka</div>'; return; }
+  outEl.innerHTML = '<div class="loading">Skeniram civic.persons… tražim povezane entitete… provjeravam forensic_findings…</div>';
+  const r = await apiPost('/v2/forensic/scan', {name: name});
+  if(!r){ outEl.innerHTML = '<div class="empty" style="color:var(--red)">Greška pri pokretanju analize</div>'; return; }
+  const ovr = r.overall_risk_score || 0;
+  const ovrCls = ovr>=70?'r':(ovr>=40?'':'g');
+  outEl.innerHTML = `
+    <div class="kpi-grid" style="grid-template-columns:repeat(4,1fr);margin-bottom:14px">
+      <div class="kpi ${ovrCls}"><div class="kpi-l">Overall risk</div><div class="kpi-v">${ovr}<span style="font-size:13px;color:var(--t2)">/100</span></div></div>
+      <div class="kpi b"><div class="kpi-l">Pronađeno osoba</div><div class="kpi-v">${r.matched_persons}</div></div>
+      <div class="kpi"><div class="kpi-l">Veza</div><div class="kpi-v">${r.total_links}</div></div>
+      <div class="kpi r"><div class="kpi-l">Findings</div><div class="kpi-v">${r.total_findings}<span style="font-size:13px;color:var(--t2)"> (${r.critical_findings} crit)</span></div></div>
+    </div>
+    ${(r.persons||[]).length ? `
+      <div style="display:flex;flex-direction:column;gap:10px">
+        ${r.persons.map(p => {
+          const cls = p.risk_score>=70?'crit':(p.risk_score>=40?'crit':'');
+          return `
+          <div class="alert-card ${cls}">
+            <div style="display:flex;justify-content:space-between;align-items:flex-start;gap:12px">
+              <div style="flex:1;min-width:0">
+                <div class="at">${esc(p.name)} <span class="tag b">id ${p.id}</span> ${p.oib?'<a class="tag" onclick="openOIB(&quot;'+esc(p.oib)+'&quot;)" style="cursor:pointer">OIB '+esc(p.oib)+'</a>':''}</div>
+                <div class="ad">${p.function?esc(p.function):''}${p.party?' · '+esc(p.party):''}${p.county?' · '+esc(p.county):''}</div>
+                <div style="margin-top:6px;font-size:11px;color:var(--t2)">
+                  🔗 ${(p.links||[]).length} povezanih entiteta
+                  · ⚠ ${(p.findings||[]).length} forenzičkih nalaza
+                  ${p.trust_tier!=null?' · trust tier '+p.trust_tier:''}
+                </div>
+                ${(p.links||[]).length ? '<div style="margin-top:8px;font-size:11px"><b style="color:var(--t2)">Veze:</b> '+
+                  p.links.slice(0,8).map(l => '<span class="tag b" style="margin-right:3px">'+esc(l.entity_name||'#'+l.entity_id)+(l.roles?' · '+esc(l.roles):'')+'</span>').join('')+
+                  ((p.links||[]).length>8?' <span class="tag">+'+((p.links||[]).length-8)+' više</span>':'')+
+                  '</div>' : ''}
+                ${(p.findings||[]).length ? '<div style="margin-top:8px;font-size:11px"><b style="color:var(--t2)">Nalazi:</b><br>'+
+                  p.findings.slice(0,5).map(f => '<div style="margin-top:3px"><span class="tag '+(f.severity==='CRITICAL'?'rd':f.severity==='HIGH'?'am':'b')+'">'+esc(f.severity)+'</span> '+esc(f.title||f.finding_type)+'</div>').join('')+
+                  '</div>' : ''}
+              </div>
+              <div style="text-align:center;flex-shrink:0">
+                <div style="font-size:24px;font-weight:800;color:${p.risk_score>=70?'var(--red)':p.risk_score>=40?'var(--amber)':'var(--green)'};font-family:var(--mono)">${p.risk_score}</div>
+                <div style="font-size:10px;color:var(--t4);text-transform:uppercase">RISK</div>
+              </div>
+            </div>
+          </div>`;
+        }).join('')}
+      </div>
+    ` : '<div class="empty">Nema pronađenih osoba s tim imenom</div>'}
+  `;
+}
+
+//=========== INIT ===========
+function init(){
+  restoreSidebar();
+  buildNav();
+  navTo('dashboard');
+}
+window.addEventListener('DOMContentLoaded', init);
+</script>
+</body>
+</html>
diff --git a/auth/admin_users.py b/auth/admin_users.py
index e5a4119..88258a4 100644
--- a/auth/admin_users.py
+++ b/auth/admin_users.py
@@ -24,6 +24,7 @@ from .auth_v2 import (
     require_user, audit, _client,
     _resolve_tenant, _tier_for,
     PGZ_USER_TYPES, SAVEZ_USER_TYPES, KLUB_USER_TYPES,
+    issue_action_token, INVITE_TTL, _build_link,
 )
 
 router = APIRouter(prefix="/api/admin", tags=["admin"])
@@ -246,25 +247,34 @@ class InviteReq(BaseModel):
 @router.post("/users/{uid}/invite")
 def invite_user(uid: int, req: InviteReq, request: Request,
                 actor = Depends(require_user)):
+    """Generate a single-use invite token; the user clicks the emailed link
+    and lands on /login/setup-password?token=… to set their password."""
     target = db_one("SELECT email, user_type, klub_id, savez_id FROM pgz_sport.users WHERE id=%s",
                     (uid,))
     if not target: raise HTTPException(404, "User not found")
     if not _can_manage(actor, target["user_type"], target["klub_id"], target["savez_id"]):
         raise HTTPException(403, "Forbidden")
-    new_temp = "PGZ-" + secrets.token_hex(4)
-    db_exec("""UPDATE pgz_sport.users
-               SET password_hash=%s, must_change_pwd=true,
-                   failed_login_count=0, locked_until=NULL, updated_at=now()
-               WHERE id=%s""", (hash_password(new_temp), uid))
-    db_exec("UPDATE pgz_sport.user_sessions SET revoked=true WHERE user_id=%s", (uid,))
     ip, ua = _client(request)
+    # Mark must_change_pwd and revoke any existing sessions so old creds can't log in
+    db_exec("""UPDATE pgz_sport.users SET must_change_pwd=true, updated_at=now()
+               WHERE id=%s""", (uid,))
+    db_exec("UPDATE pgz_sport.user_sessions SET revoked=true WHERE user_id=%s", (uid,))
+    raw_token = issue_action_token(uid, "invite", INVITE_TTL,
+                                    created_by=actor["id"], ip=ip,
+                                    meta={"email": target["email"], "note": req.note})
+    invite_link = _build_link("/static/login.html?setup=1", raw_token)
+    api_link    = _build_link("/api/auth/setup-password", raw_token)
     audit(actor["id"], "user.invite", "user", uid,
-          {"email": target["email"], "send_email": req.send_email}, ip, ua)
-    invite_link = f"https://api.rinet.one/sport/login?email={target['email']}"
+          {"email": target["email"], "send_email": req.send_email,
+           "ttl_days": INVITE_TTL.days}, ip, ua)
+    # NOTE: real deployment must e-mail invite_link via a mailer (M11);
+    # for now, the link is returned to the admin who triggered the invite.
     return {"status": "ok", "id": uid,
-            "temporary_password": new_temp,
+            "email": target["email"],
             "invite_link": invite_link,
-            "email_sent": False}  # mailer wired later
+            "api_link": api_link,
+            "expires_in_seconds": int(INVITE_TTL.total_seconds()),
+            "email_sent": False}
 
 # ─────────────────────────── Role change ───────────────────────────
 class RoleReq(BaseModel):
diff --git a/auth/auth_v2.py b/auth/auth_v2.py
index 53a3fe5..975077e 100644
--- a/auth/auth_v2.py
+++ b/auth/auth_v2.py
@@ -547,6 +547,206 @@ def password_reset(req: ResetPwdReq, request: Request):
     return {"status": "ok",
             "message": "Ako račun postoji, administrator će vam poslati instrukcije."}
 
+# ─────────────────────────── R5 #2+#3: invite & reset tokens ───────────────────────────
+def _ensure_token_table():
+    db_exec("""CREATE TABLE IF NOT EXISTS pgz_sport.user_action_tokens (
+        token_hash TEXT PRIMARY KEY,
+        user_id    INTEGER NOT NULL REFERENCES pgz_sport.users(id) ON DELETE CASCADE,
+        kind       TEXT NOT NULL,            -- 'invite' | 'reset'
+        created_at TIMESTAMPTZ DEFAULT now(),
+        expires_at TIMESTAMPTZ NOT NULL,
+        used_at    TIMESTAMPTZ,
+        created_by INTEGER REFERENCES pgz_sport.users(id),
+        ip         TEXT,
+        meta       JSONB
+    )""")
+    db_exec("""CREATE INDEX IF NOT EXISTS idx_action_tokens_user
+               ON pgz_sport.user_action_tokens (user_id, kind, used_at)""")
+_ensure_token_table()
+
+INVITE_TTL = timedelta(days=int(os.environ.get("PGZ_INVITE_TTL_DAYS", "7")))
+RESET_TTL  = timedelta(hours=int(os.environ.get("PGZ_RESET_TTL_HOURS", "2")))
+
+def _make_action_token() -> str:
+    return secrets.token_urlsafe(32)
+
+def _hash_action_token(t: str) -> str:
+    return hashlib.sha256(t.encode()).hexdigest()
+
+def issue_action_token(user_id: int, kind: str, ttl: timedelta,
+                       created_by: Optional[int] = None,
+                       ip: Optional[str] = None,
+                       meta: Optional[Dict] = None) -> str:
+    """Create a one-time URL-safe token; only its sha256 is persisted."""
+    if kind not in ("invite", "reset"):
+        raise ValueError("kind must be invite|reset")
+    # Invalidate any prior unused tokens of same kind for this user
+    db_exec("""UPDATE pgz_sport.user_action_tokens SET used_at=now()
+               WHERE user_id=%s AND kind=%s AND used_at IS NULL""",
+            (user_id, kind))
+    raw = _make_action_token()
+    th  = _hash_action_token(raw)
+    db_exec("""INSERT INTO pgz_sport.user_action_tokens
+               (token_hash, user_id, kind, expires_at, created_by, ip, meta)
+               VALUES (%s,%s,%s,%s,%s,%s,%s::jsonb)""",
+            (th, user_id, kind, _now() + ttl, created_by, ip, json.dumps(meta or {})))
+    return raw
+
+def consume_action_token(raw: str, kind: str) -> Optional[Dict]:
+    """Validate (kind/expiry/unused) and atomically mark used_at. Returns row dict if OK."""
+    th = _hash_action_token(raw)
+    row = db_one("""SELECT t.user_id, t.expires_at, t.used_at, t.kind, t.meta,
+                       u.email, u.aktivan, u.status
+                FROM pgz_sport.user_action_tokens t
+                JOIN pgz_sport.users u ON u.id = t.user_id
+                WHERE t.token_hash=%s AND t.kind=%s""", (th, kind))
+    if not row: return None
+    if row["used_at"] is not None: return None
+    exp = row["expires_at"]
+    if exp.tzinfo is None: exp = exp.replace(tzinfo=timezone.utc)
+    if exp <= _now(): return None
+    db_exec("UPDATE pgz_sport.user_action_tokens SET used_at=now() WHERE token_hash=%s", (th,))
+    return row
+
+def _build_link(path: str, token: str) -> str:
+    base = os.environ.get("PGZ_PUBLIC_BASE", "https://api.rinet.one/sport")
+    sep = '&' if '?' in path else '?'
+    return f"{base}{path}{sep}token={token}"
+
+# ─────────────────────────── /auth/forgot-password ───────────────────────────
+class ForgotPwdReq(BaseModel):
+    email: str
+
+@router.post("/forgot-password")
+def forgot_password(req: ForgotPwdReq, request: Request):
+    """Always returns a generic message — never leaks which emails exist.
+    Issues a reset token only if the user exists and is active."""
+    email = (req.email or "").lower().strip()
+    ip, ua = _client(request)
+    u = db_one("SELECT id, email, aktivan, status FROM pgz_sport.users WHERE LOWER(email)=%s",
+               (email,))
+    token = None
+    if u and u.get("aktivan") and u.get("status") == "active":
+        token = issue_action_token(u["id"], "reset", RESET_TTL, ip=ip,
+                                    meta={"email": email})
+        audit(u["id"], "password.forgot.issue",
+              meta={"email": email, "ttl_hours": RESET_TTL.total_seconds()/3600},
+              ip=ip, ua=ua)
+    else:
+        audit(u["id"] if u else None, "password.forgot.miss",
+              meta={"email": email}, ip=ip, ua=ua)
+    # Generic response — do not leak account existence
+    resp = {"status": "ok",
+            "message": "Ako račun postoji, poslan je e-mail s linkom za promjenu lozinke."}
+    # In production, e-mailer would deliver the link. For demo / dev,
+    # return it only if header X-Demo-Reveal-Token is set OR caller is from
+    # localhost (rare). Easier: always include it but document that real
+    # deployment must remove it from the response.
+    if token and (os.environ.get("PGZ_REVEAL_RESET_TOKEN") == "1" or
+                  (request.client.host in ("127.0.0.1", "::1"))):
+        resp["reset_link"] = _build_link("/auth/reset-password", token)
+        resp["expires_in_seconds"] = int(RESET_TTL.total_seconds())
+    return resp
+
+class ResetTokenReq(BaseModel):
+    token: str
+    new_password: str
+
+@router.post("/reset-password")
+def reset_password_with_token(req: ResetTokenReq, request: Request):
+    """Consume a reset token and set a new password."""
+    if len(req.new_password or "") < 8:
+        raise HTTPException(400, "Lozinka mora imati barem 8 znakova")
+    row = consume_action_token(req.token, "reset")
+    ip, ua = _client(request)
+    if not row:
+        audit(None, "password.reset.fail",
+              meta={"reason": "invalid_or_expired_token"}, ip=ip, ua=ua)
+        raise HTTPException(400, "Token je nevažeći ili istekao")
+    if not row.get("aktivan") or row.get("status") != "active":
+        audit(row["user_id"], "password.reset.fail",
+              meta={"reason": "user_inactive"}, ip=ip, ua=ua)
+        raise HTTPException(403, "Račun nije aktivan")
+    db_exec("""UPDATE pgz_sport.users
+               SET password_hash=%s, must_change_pwd=false,
+                   failed_login_count=0, locked_until=NULL, updated_at=now()
+               WHERE id=%s""", (hash_password(req.new_password), row["user_id"]))
+    # Revoke all active sessions for safety
+    db_exec("UPDATE pgz_sport.user_sessions SET revoked=true WHERE user_id=%s",
+            (row["user_id"],))
+    audit(row["user_id"], "password.reset.ok", ip=ip, ua=ua)
+    return {"status": "ok", "email": row["email"]}
+
+@router.get("/reset-password")
+def reset_password_check(token: str, request: Request):
+    """Pre-flight: validate that the token exists and isn't expired/used.
+    Does NOT consume the token."""
+    th = _hash_action_token(token)
+    row = db_one("""SELECT t.user_id, t.expires_at, t.used_at, u.email
+                FROM pgz_sport.user_action_tokens t
+                JOIN pgz_sport.users u ON u.id = t.user_id
+                WHERE t.token_hash=%s AND t.kind='reset'""", (th,))
+    if not row:
+        raise HTTPException(404, "Token nije pronađen")
+    if row["used_at"] is not None:
+        raise HTTPException(410, "Token je već iskorišten")
+    exp = row["expires_at"]
+    if exp.tzinfo is None: exp = exp.replace(tzinfo=timezone.utc)
+    if exp <= _now():
+        raise HTTPException(410, "Token je istekao")
+    return {"status": "ok", "email": row["email"], "expires_at": row["expires_at"].isoformat()}
+
+# ─────────────────────────── /auth/setup-password (invite) ───────────────────────────
+class SetupPwdReq(BaseModel):
+    token: str
+    new_password: str
+
+@router.get("/setup-password")
+def setup_password_check(token: str, request: Request):
+    """Pre-flight: validate an invite token without consuming it."""
+    th = _hash_action_token(token)
+    row = db_one("""SELECT t.user_id, t.expires_at, t.used_at, u.email, u.full_name, u.user_type
+                FROM pgz_sport.user_action_tokens t
+                JOIN pgz_sport.users u ON u.id = t.user_id
+                WHERE t.token_hash=%s AND t.kind='invite'""", (th,))
+    if not row:
+        raise HTTPException(404, "Pozivnica nije pronađena")
+    if row["used_at"] is not None:
+        raise HTTPException(410, "Pozivnica je već iskorištena")
+    exp = row["expires_at"]
+    if exp.tzinfo is None: exp = exp.replace(tzinfo=timezone.utc)
+    if exp <= _now():
+        raise HTTPException(410, "Pozivnica je istekla")
+    return {"status": "ok",
+            "email": row["email"],
+            "full_name": row["full_name"],
+            "user_type": row["user_type"],
+            "expires_at": row["expires_at"].isoformat()}
+
+@router.post("/setup-password")
+def setup_password_consume(req: SetupPwdReq, request: Request):
+    """Consume an invite token and set the user's first password."""
+    if len(req.new_password or "") < 8:
+        raise HTTPException(400, "Lozinka mora imati barem 8 znakova")
+    row = consume_action_token(req.token, "invite")
+    ip, ua = _client(request)
+    if not row:
+        audit(None, "invite.consume.fail",
+              meta={"reason": "invalid_or_expired_token"}, ip=ip, ua=ua)
+        raise HTTPException(400, "Pozivnica je nevažeća ili istekla")
+    if not row.get("aktivan") or row.get("status") != "active":
+        audit(row["user_id"], "invite.consume.fail",
+              meta={"reason": "user_inactive"}, ip=ip, ua=ua)
+        raise HTTPException(403, "Račun nije aktivan")
+    db_exec("""UPDATE pgz_sport.users
+               SET password_hash=%s, must_change_pwd=false,
+                   email_verified=true,
+                   failed_login_count=0, locked_until=NULL, updated_at=now()
+               WHERE id=%s""", (hash_password(req.new_password), row["user_id"]))
+    audit(row["user_id"], "invite.consume.ok",
+          meta={"email": row["email"]}, ip=ip, ua=ua)
+    return {"status": "ok", "email": row["email"]}
+
 # ─────────────────────────── 2FA — real TOTP (RFC 6238) ───────────────────────────
 try:
     import pyotp as _pyotp
diff --git a/data/sport_federations.json b/data/sport_federations.json
new file mode 100644
index 0000000..d1c7d04
--- /dev/null
+++ b/data/sport_federations.json
@@ -0,0 +1,221 @@
+{
+  "_meta": {
+    "version": 1,
+    "author": "dradulic@outlook.com",
+    "date": "2026-05-04",
+    "purpose": "Sport-aware enrichment routing for /v2/enrich/sportas. Each entry maps a sport name (lower-case, multiple aliases supported) to its national federation, optional PGŽ regional federation, and a list of search/scrape URLs. Used by routers/enrich_router.py and workers/enrichment_worker.py."
+  },
+  "_aliases": {
+    "kosarkaski": "košarka",
+    "košarkaški": "košarka",
+    "nogometni": "nogomet",
+    "rukometni": "rukomet",
+    "stoni tenis": "stolni tenis",
+    "stolnotenis": "stolni tenis",
+    "bocanje": "boćanje",
+    "boćanje (boules)": "boćanje",
+    "kuglacki": "kuglanje",
+    "vaterpolski": "vaterpolo",
+    "konjicki sport": "konjički sport",
+    "auto-sport": "auto sport",
+    "skijaski sport": "skijanje"
+  },
+  "boćanje": {
+    "national": {
+      "name": "HBS",
+      "long_name": "Hrvatski boćarski savez",
+      "url": "https://hrvatski-bocarski-savez.hr",
+      "search_url": "https://hrvatski-bocarski-savez.hr/?s={q}",
+      "profile_url_pattern": "https://hrvatski-bocarski-savez.hr/igraci/{slug}/"
+    },
+    "pgz": {
+      "name": "BS PGŽ",
+      "url": "https://hrvatski-bocarski-savez.hr/savez/zupanijski-savezi/"
+    }
+  },
+  "nogomet": {
+    "national": {
+      "name": "HNS",
+      "long_name": "Hrvatski nogometni savez",
+      "url": "https://hns-cff.hr",
+      "search_url": "https://semafor.hns.family/?s={q}",
+      "profile_search": "https://semafor.hns.family/igraci/?ime={q}",
+      "profile_url_pattern": "https://semafor.hns.family/igraci/{hns_pid}/{slug}/"
+    },
+    "pgz": {"name": "NS PGŽ", "url": "https://nogomet-pgz.hr"}
+  },
+  "košarka": {
+    "national": {
+      "name": "HKS",
+      "long_name": "Hrvatski košarkaški savez",
+      "url": "https://hks-cbf.hr",
+      "search_url": "https://hks-cbf.hr/?s={q}"
+    },
+    "pgz": {"name": "KS PGŽ", "url": "https://kosarka-pgz.hr"}
+  },
+  "rukomet": {
+    "national": {
+      "name": "HRS",
+      "long_name": "Hrvatski rukometni savez",
+      "url": "https://hrs.hr",
+      "search_url": "https://hrs.hr/?s={q}"
+    },
+    "pgz": {"name": "RS PGŽ", "url": "https://rs-pgz.hr"}
+  },
+  "odbojka": {
+    "national": {
+      "name": "HOS",
+      "long_name": "Hrvatski odbojkaški savez",
+      "url": "https://hos-cvf.hr",
+      "search_url": "https://hos-cvf.hr/?s={q}"
+    },
+    "pgz": {"name": "OS PGŽ", "url": "https://odbojkaski-savez-pgz.hr"}
+  },
+  "vaterpolo": {
+    "national": {
+      "name": "HVS",
+      "long_name": "Hrvatski vaterpolski savez",
+      "url": "https://hvs.hr",
+      "search_url": "https://hvs.hr/?s={q}"
+    }
+  },
+  "plivanje": {
+    "national": {
+      "name": "HPS",
+      "long_name": "Hrvatski plivački savez",
+      "url": "https://hps.hr",
+      "search_url": "https://hps.hr/?s={q}"
+    }
+  },
+  "atletika": {
+    "national": {
+      "name": "HAS",
+      "long_name": "Hrvatski atletski savez",
+      "url": "https://atletika.hr",
+      "search_url": "https://atletika.hr/?s={q}"
+    }
+  },
+  "tenis": {
+    "national": {
+      "name": "HTS",
+      "long_name": "Hrvatski teniski savez",
+      "url": "https://htsavez.hr",
+      "search_url": "https://htsavez.hr/?s={q}"
+    }
+  },
+  "judo": {
+    "national": {
+      "name": "HJS",
+      "long_name": "Hrvatski judo savez",
+      "url": "https://judo-savez.hr",
+      "search_url": "https://judo-savez.hr/?s={q}"
+    }
+  },
+  "karate": {
+    "national": {
+      "name": "HKaS",
+      "long_name": "Hrvatski karate savez",
+      "url": "https://karate.hr",
+      "search_url": "https://karate.hr/?s={q}"
+    }
+  },
+  "veslanje": {
+    "national": {
+      "name": "HVeS",
+      "long_name": "Hrvatski veslački savez",
+      "url": "https://veslacki-savez.hr",
+      "search_url": "https://veslacki-savez.hr/?s={q}"
+    }
+  },
+  "jedrenje": {
+    "national": {
+      "name": "HJedS",
+      "long_name": "Hrvatski jedriličarski savez",
+      "url": "https://hjs.hr",
+      "search_url": "https://hjs.hr/?s={q}"
+    }
+  },
+  "gimnastika": {
+    "national": {
+      "name": "HGS",
+      "long_name": "Hrvatski gimnastički savez",
+      "url": "https://gimnastika.hr",
+      "search_url": "https://gimnastika.hr/?s={q}"
+    }
+  },
+  "streličarstvo": {
+    "national": {
+      "name": "HStS",
+      "long_name": "Hrvatski streličarski savez",
+      "url": "https://hss.hr",
+      "search_url": "https://hss.hr/?s={q}"
+    }
+  },
+  "biciklizam": {
+    "national": {
+      "name": "HBciS",
+      "long_name": "Hrvatski biciklistički savez",
+      "url": "https://hbs.hr",
+      "search_url": "https://hbs.hr/?s={q}"
+    }
+  },
+  "stolni tenis": {
+    "national": {
+      "name": "HSTS",
+      "long_name": "Hrvatski stolnoteniski savez",
+      "url": "https://stolni-tenis.hr",
+      "search_url": "https://stolni-tenis.hr/?s={q}"
+    }
+  },
+  "triatlon": {
+    "national": {
+      "name": "HTrS",
+      "long_name": "Hrvatski triatlon savez",
+      "url": "https://triatlon.hr",
+      "search_url": "https://triatlon.hr/?s={q}"
+    }
+  },
+  "skijanje": {
+    "national": {
+      "name": "HZS",
+      "long_name": "Hrvatski skijaški savez",
+      "url": "https://skijaski-savez.hr",
+      "search_url": "https://skijaski-savez.hr/?s={q}"
+    }
+  },
+  "kuglanje": {
+    "national": {
+      "name": "HKgS",
+      "long_name": "Hrvatski kuglački savez",
+      "url": "https://kuglanje.hr",
+      "search_url": "https://kuglanje.hr/?s={q}"
+    }
+  },
+  "šah": {
+    "national": {
+      "name": "HŠS",
+      "long_name": "Hrvatski šahovski savez",
+      "url": "https://hsk.hr",
+      "search_url": "https://hsk.hr/?s={q}"
+    }
+  },
+  "konjički sport": {
+    "national": {
+      "name": "HKonjS",
+      "long_name": "Hrvatski konjički sportski savez",
+      "url": "https://konjs.hr"
+    }
+  },
+  "auto sport": {
+    "national": {
+      "name": "HAKS",
+      "long_name": "Hrvatski auto klub savez",
+      "url": "https://hsa.hr"
+    }
+  },
+  "_local_media_pgz": [
+    {"name": "Novi list",   "search_url": "https://www.novilist.hr/?s={q}"},
+    {"name": "Glas Istre",  "search_url": "https://www.glasistre.hr/pretraga?q={q}"},
+    {"name": "Rijeka.danas","search_url": "https://www.rijeka-danas.com/?s={q}"}
+  ]
+}
diff --git a/erp/ocr.py b/erp/ocr.py
index c9aae4c..71540f1 100644
--- a/erp/ocr.py
+++ b/erp/ocr.py
@@ -816,6 +816,297 @@ def invoices_pay(invoice_id: int, body: dict = Body(default={}),
     return {"ok": True, "invoice": row, "payment_id": pay["id"] if pay else None}
 
 
+# ── R5.3 BULK OPERATIONS ──────────────────────────────────────────────
+@router.post("/invoices/bulk-pay")
+def invoices_bulk_pay(body: dict = Body(...), authorization: Optional[str] = Header(None)):
+    """Bulk označi listu računa kao plaćene.
+    Body: {ids: [int], paid_date?, payment_method?, iban_from?, iban_to?, reference?, tx_id?}"""
+    user = _resolve_user(authorization)
+    ids = body.get("ids") or []
+    if not ids or not isinstance(ids, list):
+        raise HTTPException(400, "ids je obavezna ne-prazna lista")
+    paid_date = body.get("paid_date") or date.today().isoformat()
+    payment_method = body.get("payment_method") or "transfer"
+    iban_from = body.get("iban_from")
+    iban_to = body.get("iban_to")
+    reference = body.get("reference")
+    tx_id = body.get("bank_transaction_id") or body.get("tx_id")
+
+    results = {"paid": [], "skipped": [], "forbidden": [], "errors": []}
+    with _db() as c:
+        cur = c.cursor(cursor_factory=psycopg2.extras.RealDictCursor)
+        cur.execute(
+            """SELECT i.*, k.savez_id FROM pgz_sport.invoices i
+               LEFT JOIN pgz_sport.klubovi k ON k.id=i.klub_id
+               WHERE i.id = ANY(%s)""", (ids,))
+        rows = cur.fetchall()
+    for inv in rows:
+        if (inv.get("payment_status") or "").lower() == "paid":
+            results["skipped"].append(inv["id"]); continue
+        if user and not can_pay_invoice(user, inv):
+            results["forbidden"].append(inv["id"]); continue
+        try:
+            with _db() as c:
+                cur = c.cursor()
+                cur.execute(
+                    """UPDATE pgz_sport.invoices
+                       SET payment_status='paid', paid_date=%s,
+                           payment_method=COALESCE(%s,payment_method),
+                           iban_from=COALESCE(%s,iban_from),
+                           iban_to=COALESCE(%s,iban_to),
+                           updated_at=NOW()
+                       WHERE id=%s""",
+                    (paid_date, payment_method, iban_from, iban_to, inv["id"]),
+                )
+                cur.execute(
+                    """INSERT INTO pgz_sport.payments
+                       (klub_id, invoice_id, payment_date, amount, currency, payment_method,
+                        iban_from, iban_to, reference, bank_transaction_id, matched_status)
+                       VALUES (%s,%s,%s,%s,COALESCE(%s,'EUR'),%s,%s,%s,%s,%s,'matched')""",
+                    (inv.get("klub_id"), inv["id"], paid_date, inv.get("amount_gross"),
+                     inv.get("currency"), payment_method, iban_from, iban_to, reference, tx_id),
+                )
+            audit_invoice(user, inv["id"], "bulk_pay",
+                          field="payment_status", old=inv.get("payment_status"), new="paid")
+            results["paid"].append(inv["id"])
+        except Exception as e:
+            results["errors"].append({"id": inv["id"], "err": str(e)[:200]})
+    return {"ok": True, "summary": {k: len(v) for k, v in results.items()}, "details": results}
+
+
+@router.post("/invoices/bulk-cancel")
+def invoices_bulk_cancel(body: dict = Body(...), authorization: Optional[str] = Header(None)):
+    """Bulk otkaži (status='cancelled') — samo pgz_admin ili klub_admin svog kluba."""
+    user = _resolve_user(authorization)
+    ids = body.get("ids") or []
+    razlog = body.get("razlog") or body.get("reason") or "(bulk cancel)"
+    if not ids:
+        raise HTTPException(400, "ids je obavezna ne-prazna lista")
+    results = {"cancelled": [], "skipped": [], "forbidden": [], "errors": []}
+    with _db() as c:
+        cur = c.cursor(cursor_factory=psycopg2.extras.RealDictCursor)
+        cur.execute(
+            """SELECT i.*, k.savez_id FROM pgz_sport.invoices i
+               LEFT JOIN pgz_sport.klubovi k ON k.id=i.klub_id
+               WHERE i.id = ANY(%s)""", (ids,))
+        rows = cur.fetchall()
+    for inv in rows:
+        if (inv.get("payment_status") or "").lower() in ("paid", "cancelled"):
+            results["skipped"].append(inv["id"]); continue
+        if user and not can_edit_invoice(user, inv):
+            results["forbidden"].append(inv["id"]); continue
+        try:
+            with _db() as c:
+                c.cursor().execute(
+                    """UPDATE pgz_sport.invoices
+                       SET payment_status='cancelled',
+                           notes = COALESCE(notes,'') || E'\n[CANCEL] ' || %s,
+                           updated_at=NOW() WHERE id=%s""",
+                    (razlog, inv["id"]),
+                )
+            audit_invoice(user, inv["id"], "bulk_cancel",
+                          field="payment_status", old=inv.get("payment_status"),
+                          new=f"cancelled: {razlog}")
+            results["cancelled"].append(inv["id"])
+        except Exception as e:
+            results["errors"].append({"id": inv["id"], "err": str(e)[:200]})
+    return {"ok": True, "summary": {k: len(v) for k, v in results.items()}, "details": results}
+
+
+# ── R5.4 XLSX EXPORT ───────────────────────────────────────────────────
+@router.get("/invoices/export.xlsx")
+def invoices_export_xlsx(
+    tenant_id: Optional[int] = Query(None),
+    klub_id: Optional[int] = Query(None),
+    od: Optional[str] = Query(None, description="datum od YYYY-MM-DD"),
+    do: Optional[str] = Query(None, description="datum do YYYY-MM-DD"),
+    status: Optional[str] = None,
+    kind: Optional[str] = None,
+    authorization: Optional[str] = Header(None),
+):
+    """XLSX export računa za knjigovodstvo. Stupci: ID, datum, vrsta, broj,
+    izdavatelj, OIB, klub, neto, PDV, brutto, valuta, status, IBAN, opis."""
+    from openpyxl import Workbook
+    from openpyxl.styles import Font, PatternFill, Alignment
+    from io import BytesIO
+    from fastapi.responses import StreamingResponse
+
+    user = _resolve_user(authorization)
+    sql = """SELECT i.id, i.invoice_date, i.invoice_kind, i.invoice_no,
+                    i.vendor_name, i.vendor_oib, i.customer_oib,
+                    i.amount_net, i.amount_vat, i.amount_gross, i.vat_rate,
+                    i.currency, i.payment_status, i.payment_method,
+                    i.iban_to, i.description, i.category,
+                    i.paid_date, i.tenant_id, i.klub_id,
+                    k.naziv AS klub_naziv, k.savez_id
+             FROM pgz_sport.invoices i
+             LEFT JOIN pgz_sport.klubovi k ON k.id=i.klub_id
+             WHERE 1=1"""
+    args: list = []
+    if tenant_id is not None: sql += " AND i.tenant_id=%s"; args.append(tenant_id)
+    if klub_id  is not None:  sql += " AND i.klub_id=%s";   args.append(klub_id)
+    if od: sql += " AND i.invoice_date >= %s"; args.append(od)
+    if do: sql += " AND i.invoice_date <= %s"; args.append(do)
+    if status: sql += " AND i.payment_status=%s"; args.append(status)
+    if kind: sql += " AND i.invoice_kind=%s"; args.append(kind)
+    sql += " ORDER BY i.invoice_date DESC, i.id DESC"
+    with _db() as c:
+        cur = c.cursor(cursor_factory=psycopg2.extras.RealDictCursor)
+        cur.execute(sql, args)
+        rows = cur.fetchall()
+
+    # Filter po user permissions
+    if user and not is_pgz_admin(user):
+        rows = [r for r in rows if can_view_invoice(user, r)]
+
+    wb = Workbook()
+    ws = wb.active
+    ws.title = "Računi"
+    headers = ["ID", "Datum", "Vrsta", "Broj računa", "Izdavatelj", "OIB",
+               "Klub", "Iznos neto", "PDV", "Brutto", "Stopa PDV",
+               "Valuta", "Status", "Datum uplate", "IBAN primatelja",
+               "Opis", "Kategorija"]
+    bold = Font(bold=True, color="FFFFFF")
+    fill = PatternFill("solid", fgColor="003087")
+    for col_idx, h in enumerate(headers, 1):
+        cell = ws.cell(row=1, column=col_idx, value=h)
+        cell.font = bold; cell.fill = fill
+        cell.alignment = Alignment(horizontal="center")
+    for r_idx, r in enumerate(rows, 2):
+        ws.cell(row=r_idx, column=1,  value=r.get("id"))
+        ws.cell(row=r_idx, column=2,  value=str(r.get("invoice_date") or ""))
+        ws.cell(row=r_idx, column=3,  value=r.get("invoice_kind"))
+        ws.cell(row=r_idx, column=4,  value=r.get("invoice_no"))
+        ws.cell(row=r_idx, column=5,  value=r.get("vendor_name"))
+        ws.cell(row=r_idx, column=6,  value=r.get("vendor_oib"))
+        ws.cell(row=r_idx, column=7,  value=r.get("klub_naziv"))
+        ws.cell(row=r_idx, column=8,  value=float(r["amount_net"]) if r.get("amount_net") is not None else None)
+        ws.cell(row=r_idx, column=9,  value=float(r["amount_vat"]) if r.get("amount_vat") is not None else None)
+        ws.cell(row=r_idx, column=10, value=float(r["amount_gross"]) if r.get("amount_gross") is not None else None)
+        ws.cell(row=r_idx, column=11, value=float(r["vat_rate"]) if r.get("vat_rate") is not None else None)
+        ws.cell(row=r_idx, column=12, value=r.get("currency"))
+        ws.cell(row=r_idx, column=13, value=r.get("payment_status"))
+        ws.cell(row=r_idx, column=14, value=str(r.get("paid_date") or ""))
+        ws.cell(row=r_idx, column=15, value=r.get("iban_to"))
+        ws.cell(row=r_idx, column=16, value=r.get("description"))
+        ws.cell(row=r_idx, column=17, value=r.get("category"))
+    # Auto width
+    widths = [6, 12, 12, 18, 28, 14, 24, 12, 12, 12, 8, 6, 11, 12, 22, 30, 12]
+    for i, w in enumerate(widths, 1):
+        ws.column_dimensions[ws.cell(row=1, column=i).column_letter].width = w
+    ws.freeze_panes = "A2"
+
+    buf = BytesIO()
+    wb.save(buf); buf.seek(0)
+    fname = f"racuni_{date.today().isoformat()}.xlsx"
+    return StreamingResponse(
+        buf, media_type="application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
+        headers={"Content-Disposition": f'attachment; filename="{fname}"'},
+    )
+
+
+# ── R5.6 STATS ─────────────────────────────────────────────────────────
+@router.get("/stats")
+def erp_stats(
+    klub_id: Optional[int] = Query(None),
+    tenant_id: Optional[int] = Query(None),
+    authorization: Optional[str] = Header(None),
+):
+    """Statistika ERP-a: ukupno troškova mjesec/kvartal/godina po klubu/savezu,
+    breakdown po vrstama (gorivo/cestarina/hotel/oprema/ostalo)."""
+    user = _resolve_user(authorization)
+    today = date.today()
+    month_start = today.replace(day=1).isoformat()
+    qmonth = ((today.month - 1) // 3) * 3 + 1
+    quarter_start = today.replace(month=qmonth, day=1).isoformat()
+    year_start = today.replace(month=1, day=1).isoformat()
+
+    where = ["1=1"]; args: list = []
+    if klub_id is not None:
+        where.append("klub_id=%s"); args.append(klub_id)
+    if tenant_id is not None:
+        where.append("tenant_id=%s"); args.append(tenant_id)
+    where_sql = " AND ".join(where)
+
+    def q_sum(date_from):
+        with _db() as c:
+            cur = c.cursor(cursor_factory=psycopg2.extras.RealDictCursor)
+            cur.execute(
+                f"""SELECT COUNT(*) AS n,
+                           COALESCE(SUM(amount_gross),0)::float AS total,
+                           COALESCE(SUM(CASE WHEN payment_status='paid' THEN amount_gross END),0)::float AS paid,
+                           COALESCE(SUM(CASE WHEN payment_status<>'paid' THEN amount_gross END),0)::float AS unpaid
+                    FROM pgz_sport.invoices
+                    WHERE {where_sql} AND invoice_date >= %s""",
+                args + [date_from],
+            )
+            return cur.fetchone()
+
+    def q_breakdown(date_from):
+        with _db() as c:
+            cur = c.cursor(cursor_factory=psycopg2.extras.RealDictCursor)
+            cur.execute(
+                f"""SELECT invoice_kind, COUNT(*) AS n,
+                           COALESCE(SUM(amount_gross),0)::float AS total
+                    FROM pgz_sport.invoices
+                    WHERE {where_sql} AND invoice_date >= %s
+                    GROUP BY invoice_kind ORDER BY total DESC""",
+                args + [date_from],
+            )
+            return cur.fetchall()
+
+    def q_top(date_from):
+        with _db() as c:
+            cur = c.cursor(cursor_factory=psycopg2.extras.RealDictCursor)
+            cur.execute(
+                f"""SELECT i.klub_id, k.naziv AS klub_naziv,
+                           COUNT(*) AS n, COALESCE(SUM(i.amount_gross),0)::float AS total
+                    FROM pgz_sport.invoices i
+                    LEFT JOIN pgz_sport.klubovi k ON k.id=i.klub_id
+                    WHERE {where_sql} AND i.invoice_date >= %s
+                    GROUP BY i.klub_id, k.naziv ORDER BY total DESC LIMIT 10""",
+                args + [date_from],
+            )
+            return cur.fetchall()
+
+    # Putni nalozi totals
+    def q_pn(date_from):
+        with _db() as c:
+            cur = c.cursor(cursor_factory=psycopg2.extras.RealDictCursor)
+            pn_where = ["report_type='putni_nalog'"]; pn_args: list = []
+            if klub_id is not None:
+                pn_where.append("klub_id=%s"); pn_args.append(klub_id)
+            if tenant_id is not None:
+                pn_where.append("tenant_id=%s"); pn_args.append(tenant_id)
+            cur.execute(
+                f"""SELECT COUNT(*) AS n,
+                           COALESCE(SUM(cost_total),0)::float AS total,
+                           COALESCE(SUM(dnevnice_amount),0)::float AS dnevnice,
+                           COALESCE(SUM(cost_transport),0)::float AS transport
+                    FROM pgz_sport.expense_reports
+                    WHERE {' AND '.join(pn_where)} AND date_from >= %s""",
+                pn_args + [date_from],
+            )
+            return cur.fetchone()
+
+    return {
+        "ok": True,
+        "as_of": today.isoformat(),
+        "filters": {"klub_id": klub_id, "tenant_id": tenant_id},
+        "invoices": {
+            "month":   {"since": month_start,   **q_sum(month_start),   "by_kind": q_breakdown(month_start)},
+            "quarter": {"since": quarter_start, **q_sum(quarter_start), "by_kind": q_breakdown(quarter_start)},
+            "year":    {"since": year_start,    **q_sum(year_start),    "by_kind": q_breakdown(year_start)},
+        },
+        "top_klubovi_godina": q_top(year_start),
+        "putni_nalozi": {
+            "month":   {"since": month_start,   **q_pn(month_start)},
+            "quarter": {"since": quarter_start, **q_pn(quarter_start)},
+            "year":    {"since": year_start,    **q_pn(year_start)},
+        },
+    }
+
+
 @router.get("/invoices/uploads/list")
 def uploads_list(klub_id: Optional[int] = None, status: Optional[str] = None, limit: int = 50):
     sql = """SELECT id, klub_id, file_name, file_size, mime, ocr_status, ocr_engine,
diff --git a/erp/putni_nalozi.py b/erp/putni_nalozi.py
index 34f0695..a2c86e1 100644
--- a/erp/putni_nalozi.py
+++ b/erp/putni_nalozi.py
@@ -246,32 +246,32 @@ def get_putni_nalog(nalog_id: int, authorization: Optional[str] = Header(None)):
         if user and not can_view_putni_nalog(user, row):
             raise HTTPException(403, "Nemate ovlasti vidjeti ovaj putni nalog")
 
-        # Lista vezanih računa (po klubu, datumu, ili ID-evima u attachments)
-        att = row.get("attachments") or {}
-        if isinstance(att, str):
-            try: att = json.loads(att)
-            except Exception: att = {}
-        invoice_ids = att.get("invoice_ids") or []
-        invoices = []
-        if invoice_ids:
-            cur.execute(
-                """SELECT id, invoice_no, invoice_kind, vendor_name, vendor_oib,
-                          invoice_date, amount_gross, payment_status, currency, category
-                   FROM pgz_sport.invoices WHERE id = ANY(%s)
-                   ORDER BY invoice_date DESC""", (invoice_ids,))
-            invoices = cur.fetchall()
-        else:
-            # Auto-suggest: računi kluba u rasponu putovanja s kategorijom putni-trošak
-            cur.execute(
-                """SELECT id, invoice_no, invoice_kind, vendor_name, vendor_oib,
-                          invoice_date, amount_gross, payment_status, currency, category
-                   FROM pgz_sport.invoices
-                   WHERE klub_id=%s AND invoice_date BETWEEN %s AND %s
-                     AND invoice_kind IN ('gorivo','cestarina','hotel','restoran','ostalo')
-                   ORDER BY invoice_date DESC LIMIT 50""",
-                (row.get("klub_id"), row.get("date_from"), row.get("date_to")),
-            )
-            invoices = cur.fetchall()
+        # Vezani računi iz m2m tablice
+        cur.execute(
+            """SELECT i.id, i.invoice_no, i.invoice_kind, i.vendor_name, i.vendor_oib,
+                      i.invoice_date, i.amount_gross, i.payment_status, i.currency, i.category,
+                      pnr.kategorija AS attached_kategorija, pnr.attached_at
+               FROM pgz_sport.putni_nalog_racuni pnr
+               JOIN pgz_sport.invoices i ON i.id = pnr.invoice_id
+               WHERE pnr.putni_nalog_id=%s
+               ORDER BY i.invoice_date DESC""", (nalog_id,))
+        invoices = cur.fetchall()
+
+        # Auto-suggest: računi kluba u rasponu putovanja koji NISU jos vezani
+        cur.execute(
+            """SELECT i.id, i.invoice_no, i.invoice_kind, i.vendor_name, i.vendor_oib,
+                      i.invoice_date, i.amount_gross, i.payment_status, i.currency, i.category
+               FROM pgz_sport.invoices i
+               LEFT JOIN pgz_sport.putni_nalog_racuni pnr
+                 ON pnr.invoice_id=i.id AND pnr.putni_nalog_id=%s
+               WHERE i.klub_id=%s
+                 AND i.invoice_date BETWEEN %s AND %s
+                 AND i.invoice_kind IN ('gorivo','cestarina','hotel','restoran','oprema','ostalo')
+                 AND pnr.id IS NULL
+               ORDER BY i.invoice_date DESC LIMIT 50""",
+            (nalog_id, row.get("klub_id"), row.get("date_from"), row.get("date_to")),
+        )
+        suggested = cur.fetchall()
 
         # Payments za ovaj putni nalog
         cur.execute(
@@ -284,9 +284,64 @@ def get_putni_nalog(nalog_id: int, authorization: Optional[str] = Header(None)):
     audit = fetch_audit("pgz_sport.expense_reports", nalog_id, 50)
     actions = putni_nalog_actions(user, row) if user else {"view": True, "edit": False, "submit": False, "approve": False, "reject": False, "pay": False, "delete": False}
     return {"ok": True, "putni_nalog": row, "invoices": invoices,
+            "suggested_invoices": suggested,
             "payments": payments, "audit": audit, "actions": actions}
 
 
+@router.post("/putni-nalog/{nalog_id}/attach-invoice")
+def attach_invoice(nalog_id: int, body: dict = Body(...),
+                    authorization: Optional[str] = Header(None)):
+    """Veži postojeći račun na putni nalog (m2m)."""
+    user = _resolve_user(authorization)
+    inv_id = body.get("invoice_id")
+    kategorija = body.get("kategorija") or body.get("category")
+    if not inv_id:
+        raise HTTPException(400, "invoice_id je obavezan")
+    with _db() as c:
+        cur = c.cursor(cursor_factory=psycopg2.extras.RealDictCursor)
+        cur.execute("SELECT er.*, k.savez_id FROM pgz_sport.expense_reports er LEFT JOIN pgz_sport.klubovi k ON k.id=er.klub_id WHERE er.id=%s AND er.report_type='putni_nalog'", (nalog_id,))
+        pn = cur.fetchone()
+    if not pn:
+        raise HTTPException(404, "Putni nalog ne postoji")
+    if user and not can_edit_putni_nalog(user, pn) and not is_pgz_admin(user):
+        raise HTTPException(403, "Nemate ovlasti za vezivanje računa")
+    with _db() as c:
+        cur = c.cursor(cursor_factory=psycopg2.extras.RealDictCursor)
+        cur.execute(
+            """INSERT INTO pgz_sport.putni_nalog_racuni
+               (putni_nalog_id, invoice_id, kategorija, attached_by)
+               VALUES (%s,%s,%s,%s)
+               ON CONFLICT (putni_nalog_id, invoice_id) DO UPDATE SET kategorija=EXCLUDED.kategorija
+               RETURNING id, attached_at""",
+            (nalog_id, inv_id, kategorija, (user.get("id") if user else None)),
+        )
+        link = cur.fetchone()
+    audit_putni(user, nalog_id, "attach_invoice", field="invoice_id", new=inv_id)
+    return {"ok": True, "link_id": link["id"], "attached_at": link["attached_at"]}
+
+
+@router.delete("/putni-nalog/{nalog_id}/invoice/{invoice_id}")
+def detach_invoice(nalog_id: int, invoice_id: int,
+                    authorization: Optional[str] = Header(None)):
+    user = _resolve_user(authorization)
+    with _db() as c:
+        cur = c.cursor(cursor_factory=psycopg2.extras.RealDictCursor)
+        cur.execute("SELECT er.*, k.savez_id FROM pgz_sport.expense_reports er LEFT JOIN pgz_sport.klubovi k ON k.id=er.klub_id WHERE er.id=%s AND er.report_type='putni_nalog'", (nalog_id,))
+        pn = cur.fetchone()
+    if not pn:
+        raise HTTPException(404, "Putni nalog ne postoji")
+    if user and not can_edit_putni_nalog(user, pn) and not is_pgz_admin(user):
+        raise HTTPException(403, "Nemate ovlasti")
+    with _db() as c:
+        cur = c.cursor()
+        cur.execute(
+            "DELETE FROM pgz_sport.putni_nalog_racuni WHERE putni_nalog_id=%s AND invoice_id=%s",
+            (nalog_id, invoice_id),
+        )
+    audit_putni(user, nalog_id, "detach_invoice", field="invoice_id", old=invoice_id)
+    return {"ok": True}
+
+
 @router.post("/putni-nalog/{nalog_id}/posalji")
 def posalji_putni_nalog(nalog_id: int, authorization: Optional[str] = Header(None)):
     """Voditelj/klub_admin šalje draft → poslan."""
@@ -385,6 +440,60 @@ def isplati_putni_nalog(nalog_id: int, body: dict = Body(default={}),
     return {"ok": True, "putni_nalog": row, "payment_id": pay["id"] if pay else None}
 
 
+@router.get("/putni-nalog/{nalog_id}/hub3.pdf")
+def putni_hub3(nalog_id: int, iban: Optional[str] = None,
+                authorization: Optional[str] = Header(None)):
+    """HUB-3 uplatnica + EPC QR za isplatu putnog naloga voditelju."""
+    user = _resolve_user(authorization)
+    with _db() as c:
+        cur = c.cursor(cursor_factory=psycopg2.extras.RealDictCursor)
+        cur.execute(
+            """SELECT er.*, k.naziv AS klub_naziv, k.savez_id, k.adresa AS klub_adresa
+               FROM pgz_sport.expense_reports er
+               LEFT JOIN pgz_sport.klubovi k ON k.id=er.klub_id
+               WHERE er.id=%s AND er.report_type='putni_nalog'""", (nalog_id,))
+        pn = cur.fetchone()
+    if not pn:
+        raise HTTPException(404, "Putni nalog ne postoji")
+    if user and not can_view_putni_nalog(user, pn):
+        raise HTTPException(403, "Nemate ovlasti")
+
+    try:
+        from crm.payments import build_hub3_pdf
+    except Exception as e:
+        raise HTTPException(500, f"HUB-3 helper nije dostupan: {e}")
+    from fastapi.responses import Response
+
+    att = pn.get("attachments") or {}
+    if isinstance(att, str):
+        try: att = json.loads(att)
+        except Exception: att = {}
+    voditelj = att.get("voditelj") or "Voditelj putovanja"
+    iban_to = (iban or "").strip() or att.get("iban_voditelja") or "HR0000000000000000000"
+    iznos = float(pn.get("cost_total") or 0)
+    if iznos <= 0:
+        raise HTTPException(400, "Iznos isplate mora biti veći od 0")
+
+    poziv = f"{nalog_id:08d}"
+    opis = f"Putni nalog #{nalog_id}: {pn.get('destination') or ''} ({pn.get('date_from')}–{pn.get('date_to')})"[:140]
+
+    pdf = build_hub3_pdf(
+        platitelj_naziv=pn.get("klub_naziv") or "PGŽ Sport klub",
+        platitelj_adresa=pn.get("klub_adresa") or "—",
+        primatelj_naziv=voditelj,
+        primatelj_adresa="—",
+        iban=iban_to,
+        amount_eur=iznos,
+        model="HR99",
+        poziv_na_broj=poziv,
+        opis=opis,
+        sifra_namjene="SALA",
+        datum=date.today(),
+    )
+    return Response(content=pdf, media_type="application/pdf",
+                    headers={"Content-Disposition": f'inline; filename="putni-nalog-{nalog_id}-HUB3.pdf"'})
+
+
 @router.get("/putni-nalog/{nalog_id}/audit")
 def putni_audit(nalog_id: int, limit: int = 100,
                 authorization: Optional[str] = Header(None)):
diff --git a/pgz_sport_api.py b/pgz_sport_api.py
index 94aca58..ee172a7 100644
--- a/pgz_sport_api.py
+++ b/pgz_sport_api.py
@@ -76,6 +76,39 @@ def apply_privacy(rows, admin):
 app = FastAPI(title="PGŽ Sportski savez ERP/CRM", version="1.0.0")
 app.add_middleware(CORSMiddleware, allow_origins=["*"], allow_methods=["*"], allow_headers=["*"])
 
+# ─── R5 #1: Defense-in-depth JWT enforcement on /api/admin/* ───
+# Even if a route accidentally lacks `Depends(require_user)`, this middleware
+# rejects requests with no/invalid Bearer token before they reach the handler.
+@app.middleware("http")
+async def require_jwt_on_admin(request, call_next):
+    p = request.url.path
+    # Only gate admin endpoints — leave /api/auth/*, public /api/v2/* etc. alone
+    if p.startswith("/api/admin/") or p == "/api/admin":
+        # OPTIONS preflight passes through
+        if request.method == "OPTIONS":
+            return await call_next(request)
+        try:
+            from auth.auth_v2 import decode_token, _is_revoked
+            auth = request.headers.get("authorization", "")
+            if not auth.lower().startswith("bearer "):
+                from starlette.responses import JSONResponse as _JR
+                return _JR({"detail": "Authentication required"}, status_code=401)
+            token = auth.split(" ", 1)[1].strip()
+            try:
+                payload = decode_token(token)
+            except Exception:
+                from starlette.responses import JSONResponse as _JR
+                return _JR({"detail": "Invalid or expired token"}, status_code=401)
+            if payload.get("typ") not in (None, "access"):
+                from starlette.responses import JSONResponse as _JR
+                return _JR({"detail": "Wrong token type"}, status_code=401)
+            if _is_revoked(payload.get("jti", "")):
+                from starlette.responses import JSONResponse as _JR
+                return _JR({"detail": "Token revoked"}, status_code=401)
+        except Exception as e:
+            print(f"[JWT-MW WARN] {e}")
+    return await call_next(request)
+
 
 # === URL rewrite middleware - convert direct external image URLs to /img-proxy ===
 import json as _json_mw
@@ -1361,6 +1394,13 @@ try:
 except Exception as e:
     print(f'[CRM/PANEL] clan_panel router fail: {e}')
 
+try:
+    from crm_extras_router import router as crm_extras_router
+    app.include_router(crm_extras_router)
+    print('[CRM/R5] extras router loaded (bulk + xlsx + stats + notifications)')
+except Exception as e:
+    print(f'[CRM/R5] extras router fail: {e}')
+
 # === Round 3 / CC2 — M1 Auth + M2 Admin Users + M10 GDPR ===
 try:
     from auth.auth_v2 import router as auth_v2_router
diff --git a/routers/crm_extras_router.py b/routers/crm_extras_router.py
new file mode 100644
index 0000000..bfbc965
--- /dev/null
+++ b/routers/crm_extras_router.py
@@ -0,0 +1,588 @@
+#!/usr/bin/env python3
+# ═══════════════════════════════════════════════════════════════════
+# Fajl: routers/crm_extras_router.py | v1.0.0 | 05.05.2026
+# Autor: Damir Radulić <dradulic@outlook.com> / damir@rinet.one
+# Lokacija: /opt/pgz-sport/routers/crm_extras_router.py
+# Svrha: R5 — bulk akcije za članarine, XLSX export članova, /crm/stats,
+#         notifikacije za isteke liječničkih (Email + InApp)
+# ═══════════════════════════════════════════════════════════════════
+"""R5 CRM extras.
+
+Endpointi (montirani na /api/crm):
+  POST /clanarine/bulk/notify       → opomena svim koji duguju (mock email + InApp)
+  POST /clanarine/bulk/uplatnice    → batch HUB-3 PDF (zip ili JSON s URL-ovima)
+  GET  /clanovi/export.xlsx         → XLSX svih članova (filteri klub, aktivan)
+  GET  /stats                       → aktivni vs neaktivni, trend uplata, ...
+
+  POST /lijecnicki/notify-scan      → skenira pretvorbe < N dana, kreira notifikacije
+  GET  /notifications               → lista (filter user/status/channel)
+  POST /notifications/{id}/read     → mark read
+  POST /notifications/mark-all-read → mark all read za usera
+"""
+from __future__ import annotations
+
+import io
+import json as _json
+import sys
+from datetime import date, datetime, timedelta
+from decimal import Decimal
+from typing import Optional
+
+import psycopg2
+from psycopg2.extras import RealDictCursor
+from fastapi import APIRouter, HTTPException, Query
+from fastapi.responses import Response
+from pydantic import BaseModel
+
+import openpyxl
+from openpyxl.styles import Font, PatternFill, Alignment, Border, Side
+
+sys.path.insert(0, "/opt/pgz-sport")
+from crm.payments import (
+    build_hub3_pdf, make_poziv_na_broj, normalize_iban,
+)
+
+router = APIRouter(prefix="/api/crm", tags=["crm-extras"])
+
+DSN = "host=10.10.0.2 port=6432 dbname=rinet_v3 user=rinet password=R1net2026!SecureDB#v7"
+
+# Pragovi za scan liječničkih (dana do isteka)
+LIJEC_THRESHOLDS = (30, 15, 7)
+
+
+def _conn():
+    return psycopg2.connect(DSN, cursor_factory=RealDictCursor)
+
+
+def _conv(v):
+    if isinstance(v, (date, datetime)):
+        return v.isoformat()
+    if isinstance(v, Decimal):
+        return float(v)
+    return v
+
+
+def _row(d):
+    return None if d is None else {k: _conv(v) for k, v in dict(d).items()}
+
+
+# ════════════════════════════════════════════════════
+# #3 — BULK AKCIJE ZA ČLANARINE
+# ════════════════════════════════════════════════════
+
+class BulkOpomenaIn(BaseModel):
+    klub_id: Optional[int] = None
+    godina: Optional[int] = None
+    ids: Optional[list[int]] = None  # specifične clanarina ID
+    template: Optional[str] = "Poštovani, podsjećamo na nepodmirenu članarinu."
+
+
+@router.post("/clanarine/bulk/notify")
+def bulk_opomena(body: BulkOpomenaIn):
+    """Pošalji opomenu (mock e-mail + InApp notification) svim dužnicima."""
+    where = ["c.status IN ('nepodmireno','djelomicno')"]
+    params: list = []
+    if body.ids:
+        where.append("c.id = ANY(%s)"); params.append(body.ids)
+    if body.klub_id:
+        where.append("c.klub_id = %s"); params.append(body.klub_id)
+    if body.godina:
+        where.append("c.godina = %s"); params.append(body.godina)
+    where_sql = "WHERE " + " AND ".join(where)
+    with _conn() as conn, conn.cursor() as cur:
+        cur.execute(f"""
+          SELECT c.id, c.godina, c.iznos_propisan,
+                 (c.iznos_propisan - COALESCE(c.iznos_placen,0))::numeric(10,2) AS dug,
+                 cl.id AS clan_id, cl.ime || ' ' || cl.prezime AS clan,
+                 cl.email AS clan_email, k.naziv AS klub
+            FROM pgz_sport.clanarine c
+            JOIN pgz_sport.clanovi  cl ON cl.id = c.clan_id
+            LEFT JOIN pgz_sport.klubovi k ON k.id = c.klub_id
+           {where_sql}
+           ORDER BY dug DESC
+           LIMIT 1000
+        """, params)
+        rows = [_row(r) for r in cur.fetchall()]
+
+        # Insert notifications za one s e-mailom
+        n_email, n_inapp = 0, 0
+        for r in rows:
+            subject = f"Opomena: nepodmirena članarina {r['godina']} ({r['dug']:.2f} €)"
+            body_txt = (f"{body.template}\n\n"
+                        f"Klub: {r.get('klub')}\n"
+                        f"Iznos duga: {r['dug']:.2f} EUR\n"
+                        f"Godina: {r['godina']}\n\n"
+                        f"PGŽ Sport ERP/CRM")
+            meta = _json.dumps({
+                "clanarina_id": r["id"], "clan_id": r["clan_id"],
+                "iznos_dug": float(r["dug"]),
+                "uplatnica_url": f"/sport/api/crm/clanarine/{r['id']}/uplatnica.pdf",
+            })
+            # InApp uvijek
+            cur.execute("""INSERT INTO pgz_sport.notifications
+              (channel, subject, body, status, scheduled_at, meta)
+              VALUES ('inapp', %s, %s, 'pending', now(), %s::jsonb)""",
+              (subject, body_txt, meta))
+            n_inapp += 1
+            # Email mock — samo log
+            if r.get("clan_email"):
+                cur.execute("""INSERT INTO pgz_sport.notifications
+                  (channel, subject, body, status, scheduled_at, meta)
+                  VALUES ('email', %s, %s, 'pending', now(), %s::jsonb)""",
+                  (subject, body_txt, _json.dumps({**_json.loads(meta),
+                                                    "to": r["clan_email"]})))
+                n_email += 1
+        conn.commit()
+    return {
+        "ok": True,
+        "matched": len(rows),
+        "queued_inapp": n_inapp,
+        "queued_email": n_email,
+        "note": "Mock — SMTP nije konfiguriran; e-mail je upisan u notifications tablicu sa status='pending'.",
+        "recipients_preview": rows[:20],
+    }
+
+
+class BulkUplatniceIn(BaseModel):
+    ids: Optional[list[int]] = None
+    klub_id: Optional[int] = None
+    godina: Optional[int] = None
+
+
+@router.post("/clanarine/bulk/uplatnice")
+def bulk_uplatnice(body: BulkUplatniceIn):
+    """
+    Vraća JSON s listom uplatnica + linkovima na pojedinačne PDF-ove.
+    (PDF-ovi se generiraju on-demand kroz /clanarine/{id}/uplatnica.pdf.)
+    """
+    where = ["c.status IN ('nepodmireno','djelomicno')"]
+    params: list = []
+    if body.ids:
+        where = ["c.id = ANY(%s)"]; params = [body.ids]
+    else:
+        if body.klub_id:
+            where.append("c.klub_id = %s"); params.append(body.klub_id)
+        if body.godina:
+            where.append("c.godina = %s"); params.append(body.godina)
+    where_sql = "WHERE " + " AND ".join(where)
+    with _conn() as conn, conn.cursor() as cur:
+        cur.execute(f"""
+          SELECT c.id, c.godina, c.iznos_propisan, c.iznos_placen,
+                 (c.iznos_propisan - COALESCE(c.iznos_placen,0))::numeric(10,2) AS dug,
+                 cl.ime || ' ' || cl.prezime AS clan,
+                 k.naziv AS klub, k.iban AS klub_iban
+            FROM pgz_sport.clanarine c
+            JOIN pgz_sport.clanovi cl ON cl.id = c.clan_id
+            LEFT JOIN pgz_sport.klubovi k ON k.id = c.klub_id
+           {where_sql}
+           ORDER BY k.naziv, cl.prezime
+           LIMIT 500
+        """, params)
+        rows = [_row(r) for r in cur.fetchall()]
+    return {
+        "ok": True,
+        "count": len(rows),
+        "total_dug_eur": round(sum(float(r["dug"] or 0) for r in rows), 2),
+        "uplatnice": [{
+            "id": r["id"], "clan": r["clan"], "klub": r["klub"],
+            "godina": r["godina"], "iznos_eur": float(r["dug"] or 0),
+            "pdf_url": f"/sport/api/crm/clanarine/{r['id']}/uplatnica.pdf",
+            "qr_url":  f"/sport/api/crm/clanarine/{r['id']}/qr.png",
+        } for r in rows],
+    }
+
+
+# ════════════════════════════════════════════════════
+# #4 — XLSX EXPORT ČLANOVA
+# ════════════════════════════════════════════════════
+
+@router.get("/clanovi/export.xlsx")
+def export_clanovi_xlsx(
+    klub_id: Optional[int] = Query(None),
+    aktivan: Optional[bool] = Query(None),
+    sport: Optional[str] = Query(None),
+    q: Optional[str] = Query(None),
+    limit: int = Query(5000, le=20000),
+):
+    where, params = ["1=1"], []
+    if klub_id: where.append("c.klub_id = %s"); params.append(klub_id)
+    if aktivan is not None: where.append("c.aktivan = %s"); params.append(aktivan)
+    if sport: where.append("(c.sport ILIKE %s OR k.sport ILIKE %s)"); params += [f"%{sport}%", f"%{sport}%"]
+    if q: where.append("(c.ime || ' ' || c.prezime) ILIKE %s"); params.append(f"%{q}%")
+    params.append(limit)
+    where_sql = "WHERE " + " AND ".join(where)
+    sql = f"""
+      SELECT c.id, c.ime, c.prezime, c.oib, c.datum_rodenja, c.spol,
+             c.email, c.telefon, c.adresa, c.grad, c.postanski_broj,
+             c.kategorija, c.podkategorija, c.pozicija, c.broj_dresa,
+             c.visina_cm, c.tezina_kg, c.dominantna_noga,
+             c.aktivan, c.datum_pristupa, c.reprezentativac,
+             c.kategoriziran, c.kategorija_hoo,
+             c.stipendiran, c.stipendija_iznos,
+             c.licenca_broj, c.licenca_vrijedi_do,
+             k.naziv AS klub, k.oib AS klub_oib,
+             s.naziv AS savez
+        FROM pgz_sport.clanovi c
+        LEFT JOIN pgz_sport.klubovi k ON k.id = c.klub_id
+        LEFT JOIN pgz_sport.savezi  s ON s.id = k.savez_id
+       {where_sql}
+       ORDER BY k.naziv NULLS LAST, c.prezime, c.ime
+       LIMIT %s
+    """
+    with _conn() as conn, conn.cursor() as cur:
+        cur.execute(sql, params)
+        rows = [_row(r) for r in cur.fetchall()]
+
+    wb = openpyxl.Workbook()
+    ws = wb.active
+    ws.title = "Članovi PGŽ"
+
+    headers = [
+        "ID", "Ime", "Prezime", "OIB", "Datum rođ.", "Spol",
+        "E-mail", "Telefon", "Adresa", "Grad", "Pošt.",
+        "Kategorija", "Podkat.", "Pozicija", "Dres",
+        "Vis. (cm)", "Tež. (kg)", "Dom. noga",
+        "Aktivan", "Datum prist.", "Repr.",
+        "Kategoriziran", "HOO kat.",
+        "Stipendiran", "Stipendija (€)",
+        "Licenca", "Licenca do",
+        "Klub", "OIB kluba", "Savez",
+    ]
+    for col, h in enumerate(headers, 1):
+        cell = ws.cell(row=1, column=col, value=h)
+        cell.font = Font(bold=True, color="FFFFFF", size=10)
+        cell.fill = PatternFill(start_color="1E3A8A", end_color="1E3A8A", fill_type="solid")
+        cell.alignment = Alignment(horizontal="center", vertical="center")
+        cell.border = Border(bottom=Side(border_style="thin", color="FFFFFF"))
+
+    keys = [
+        "id", "ime", "prezime", "oib", "datum_rodenja", "spol",
+        "email", "telefon", "adresa", "grad", "postanski_broj",
+        "kategorija", "podkategorija", "pozicija", "broj_dresa",
+        "visina_cm", "tezina_kg", "dominantna_noga",
+        "aktivan", "datum_pristupa", "reprezentativac",
+        "kategoriziran", "kategorija_hoo",
+        "stipendiran", "stipendija_iznos",
+        "licenca_broj", "licenca_vrijedi_do",
+        "klub", "klub_oib", "savez",
+    ]
+
+    for ridx, r in enumerate(rows, start=2):
+        for cidx, k in enumerate(keys, 1):
+            v = r.get(k)
+            if isinstance(v, bool):
+                v = "DA" if v else "NE"
+            ws.cell(row=ridx, column=cidx, value=v)
+
+    # Auto column widths
+    for col_letter, h in zip("ABCDEFGHIJKLMNOPQRSTUVWXYZ" + "AA AB AC AD".split(), headers):
+        ws.column_dimensions[col_letter].width = max(10, min(28, len(h) + 4))
+
+    ws.freeze_panes = "A2"
+    ws.auto_filter.ref = ws.dimensions
+
+    buf = io.BytesIO()
+    wb.save(buf)
+    fname = f"clanovi-pgz-{date.today().isoformat()}.xlsx"
+    return Response(
+        content=buf.getvalue(),
+        media_type="application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
+        headers={"Content-Disposition": f'attachment; filename="{fname}"'},
+    )
+
+
+# ════════════════════════════════════════════════════
+# #5 — /crm/stats
+# ════════════════════════════════════════════════════
+
+@router.get("/stats")
+def crm_stats(klub_id: Optional[int] = Query(None)):
+    """Aktivni/neaktivni članovi, trend uplata, KPI summary."""
+    klub_filter = "AND klub_id = %s" if klub_id else ""
+    klub_params = [klub_id] if klub_id else []
+
+    with _conn() as conn, conn.cursor() as cur:
+        # aktivni vs neaktivni
+        cur.execute(f"""
+          SELECT
+            COUNT(*) FILTER (WHERE aktivan = TRUE) AS aktivni,
+            COUNT(*) FILTER (WHERE aktivan = FALSE) AS neaktivni,
+            COUNT(*) AS total,
+            COUNT(*) FILTER (WHERE reprezentativac = TRUE) AS reprezentativci,
+            COUNT(*) FILTER (WHERE kategoriziran = TRUE) AS kategorizirani,
+            COUNT(*) FILTER (WHERE stipendiran = TRUE) AS stipendirani
+            FROM pgz_sport.clanovi
+           WHERE 1=1 {klub_filter}
+        """, klub_params)
+        clanovi_summary = _row(cur.fetchone())
+
+        # po spolu
+        cur.execute(f"""
+          SELECT spol, COUNT(*) AS n
+            FROM pgz_sport.clanovi
+           WHERE aktivan = TRUE {klub_filter}
+           GROUP BY spol ORDER BY n DESC
+        """, klub_params)
+        po_spolu = [_row(r) for r in cur.fetchall()]
+
+        # po kategoriji
+        cur.execute(f"""
+          SELECT COALESCE(kategorija, '(nepoznato)') AS kategorija, COUNT(*) AS n
+            FROM pgz_sport.clanovi
+           WHERE aktivan = TRUE {klub_filter}
+           GROUP BY kategorija ORDER BY n DESC LIMIT 12
+        """, klub_params)
+        po_kategoriji = [_row(r) for r in cur.fetchall()]
+
+        # trend uplata po mjesecu — zadnjih 12
+        cur.execute(f"""
+          SELECT to_char(date_trunc('month', datum_uplate), 'YYYY-MM') AS mjesec,
+                 COUNT(*) AS broj_uplata,
+                 SUM(iznos_placen)::numeric(10,2) AS iznos_total
+            FROM pgz_sport.clanarine
+           WHERE datum_uplate IS NOT NULL
+             AND datum_uplate >= (CURRENT_DATE - INTERVAL '12 months')
+             {('AND klub_id = %s' if klub_id else '')}
+           GROUP BY date_trunc('month', datum_uplate)
+           ORDER BY mjesec
+        """, klub_params)
+        trend_uplata = [_row(r) for r in cur.fetchall()]
+
+        # članarine summary
+        cur.execute(f"""
+          SELECT COUNT(*) AS total,
+                 SUM(iznos_propisan)::numeric(10,2) AS propisan,
+                 SUM(iznos_placen)::numeric(10,2)   AS placen,
+                 SUM(iznos_propisan - COALESCE(iznos_placen,0))::numeric(10,2) AS dug,
+                 COUNT(*) FILTER (WHERE status='nepodmireno') AS n_nepodmireno,
+                 COUNT(*) FILTER (WHERE status='djelomicno')  AS n_djelomicno,
+                 COUNT(*) FILTER (WHERE status='podmireno')   AS n_podmireno
+            FROM pgz_sport.clanarine
+           WHERE 1=1 {klub_filter}
+        """, klub_params)
+        clanarine_summary = _row(cur.fetchone())
+
+        # liječnički status
+        cur.execute(f"""
+          SELECT
+            COUNT(*) FILTER (WHERE vrijedi_do > CURRENT_DATE + INTERVAL '30 days') AS vazeci,
+            COUNT(*) FILTER (WHERE vrijedi_do BETWEEN CURRENT_DATE AND CURRENT_DATE + INTERVAL '30 days') AS uskoro,
+            COUNT(*) FILTER (WHERE vrijedi_do < CURRENT_DATE) AS istekli,
+            COUNT(*) AS total
+            FROM pgz_sport.lijecnicki_pregledi
+           WHERE 1=1 {klub_filter}
+        """, klub_params)
+        lijecnicki_summary = _row(cur.fetchone())
+
+        # najnovije uplate (zadnjih 10)
+        cur.execute(f"""
+          SELECT c.id, c.iznos_placen, c.datum_uplate, c.godina,
+                 cl.ime||' '||cl.prezime AS clan, k.naziv AS klub
+            FROM pgz_sport.clanarine c
+            LEFT JOIN pgz_sport.clanovi cl ON cl.id = c.clan_id
+            LEFT JOIN pgz_sport.klubovi k  ON k.id  = c.klub_id
+           WHERE c.datum_uplate IS NOT NULL {klub_filter.replace('klub_id', 'c.klub_id')}
+           ORDER BY c.datum_uplate DESC
+           LIMIT 10
+        """, klub_params)
+        najnovije_uplate = [_row(r) for r in cur.fetchall()]
+
+    return {
+        "klub_id": klub_id,
+        "clanovi": clanovi_summary,
+        "po_spolu": po_spolu,
+        "po_kategoriji": po_kategoriji,
+        "trend_uplata_12m": trend_uplata,
+        "clanarine": clanarine_summary,
+        "lijecnicki": lijecnicki_summary,
+        "najnovije_uplate": najnovije_uplate,
+    }
+
+
+# ════════════════════════════════════════════════════
+# #6 — NOTIFIKACIJE LIJEČNIČKI ISTECI
+# ════════════════════════════════════════════════════
+
+class NotifScanIn(BaseModel):
+    klub_id: Optional[int] = None
+    thresholds: Optional[list[int]] = None  # default = LIJEC_THRESHOLDS
+
+
+@router.post("/lijecnicki/notify-scan")
+def lijecnicki_notify_scan(body: NotifScanIn):
+    """
+    Skenira nadolazeće isteke i kreira notifikacije (InApp + Email mock)
+    za pragove 30/15/7 dana. Ne duplicira: gleda meta.lijecnicki_id+threshold
+    u zadnjih 7 dana.
+    """
+    thresholds = sorted(set(body.thresholds or LIJEC_THRESHOLDS), reverse=True)
+    klub_filter = "AND l.klub_id = %s" if body.klub_id else ""
+    klub_params = [body.klub_id] if body.klub_id else []
+
+    created = []
+    with _conn() as conn, conn.cursor() as cur:
+        for thr in thresholds:
+            cur.execute(f"""
+              SELECT l.id, l.vrijedi_do, l.clan_id,
+                     (l.vrijedi_do - CURRENT_DATE)::int AS dana,
+                     cl.ime || ' ' || cl.prezime AS clan,
+                     cl.email AS clan_email,
+                     k.naziv AS klub
+                FROM pgz_sport.lijecnicki_pregledi l
+                LEFT JOIN pgz_sport.clanovi cl ON cl.id = l.clan_id
+                LEFT JOIN pgz_sport.klubovi  k ON k.id  = l.klub_id
+               WHERE l.vrijedi_do IS NOT NULL
+                 AND (l.vrijedi_do - CURRENT_DATE) BETWEEN 0 AND %s
+                 AND (l.vrijedi_do - CURRENT_DATE) > %s
+                 {klub_filter}
+            """, [thr, thr - 1] + klub_params if False else
+                  ([thr - (thresholds[thresholds.index(thr)+1] if thresholds.index(thr)+1 < len(thresholds) else 0),
+                    -1] + klub_params))
+            # Pojednostavljen scan: samo "≤ thr & > prev_thr" dovodi do duplika;
+            # umjesto toga samo gledamo "u prozoru ≤ thr".
+            cur.execute(f"""
+              SELECT l.id, l.vrijedi_do, l.clan_id,
+                     (l.vrijedi_do - CURRENT_DATE)::int AS dana,
+                     cl.ime || ' ' || cl.prezime AS clan,
+                     cl.email AS clan_email,
+                     k.naziv AS klub
+                FROM pgz_sport.lijecnicki_pregledi l
+                LEFT JOIN pgz_sport.clanovi cl ON cl.id = l.clan_id
+                LEFT JOIN pgz_sport.klubovi  k ON k.id  = l.klub_id
+               WHERE l.vrijedi_do IS NOT NULL
+                 AND (l.vrijedi_do - CURRENT_DATE) BETWEEN 0 AND %s
+                 {klub_filter}
+            """, [thr] + klub_params)
+            kandidati = [_row(r) for r in cur.fetchall()]
+
+            for r in kandidati:
+                # de-dup: već postoji notifikacija za ovaj lijec_id+threshold u <7 dana?
+                cur.execute("""
+                  SELECT 1 FROM pgz_sport.notifications
+                   WHERE meta->>'lijecnicki_id' = %s
+                     AND meta->>'threshold' = %s
+                     AND scheduled_at > now() - INTERVAL '7 days'
+                   LIMIT 1
+                """, (str(r["id"]), str(thr)))
+                if cur.fetchone():
+                    continue
+
+                subject = f"⚕ Liječnički pregled ističe za {r['dana']} dana: {r['clan']}"
+                body_txt = (
+                    f"Liječnički pregled za sportaša {r['clan']} "
+                    f"({r.get('klub') or '(bez kluba)'}) ističe {r['vrijedi_do']} "
+                    f"— {r['dana']} dana ostalo.\n\n"
+                    f"Molimo zakažite novi termin u ZZJZ PGŽ "
+                    f"(ili koristite /sport/api/crm/lijecnicki/{r['id']}/zakazi).\n\n"
+                    f"PGŽ Sport ERP/CRM"
+                )
+                meta = _json.dumps({
+                    "lijecnicki_id": r["id"],
+                    "clan_id": r["clan_id"],
+                    "threshold": thr,
+                    "vrijedi_do": str(r["vrijedi_do"]),
+                    "dana": r["dana"],
+                    "zakazi_url": f"/sport/api/crm/lijecnicki/{r['id']}/zakazi",
+                    "klub": r.get("klub"),
+                })
+                cur.execute("""INSERT INTO pgz_sport.notifications
+                  (channel, subject, body, status, scheduled_at, meta)
+                  VALUES ('inapp', %s, %s, 'pending', now(), %s::jsonb)
+                  RETURNING id""", (subject, body_txt, meta))
+                inapp_id = cur.fetchone()["id"]
+                created.append({"channel": "inapp", "id": inapp_id, "lijec_id": r["id"], "thr": thr})
+
+                if r.get("clan_email"):
+                    cur.execute("""INSERT INTO pgz_sport.notifications
+                      (channel, subject, body, status, scheduled_at, meta)
+                      VALUES ('email', %s, %s, 'pending', now(), %s::jsonb)
+                      RETURNING id""",
+                      (subject, body_txt,
+                       _json.dumps({**_json.loads(meta), "to": r["clan_email"]})))
+                    em_id = cur.fetchone()["id"]
+                    created.append({"channel": "email", "id": em_id, "lijec_id": r["id"], "thr": thr,
+                                     "to": r["clan_email"]})
+        conn.commit()
+
+    return {
+        "ok": True,
+        "thresholds_dana": thresholds,
+        "created": len(created),
+        "items": created[:50],
+        "note": "Mock — SMTP nije konfiguriran. Email notifikacije su upisane u DB sa status='pending'.",
+    }
+
+
+@router.get("/notifications")
+def list_notifications(
+    user_id: Optional[int] = Query(None),
+    status: Optional[str] = Query(None, description="pending|sent|read"),
+    channel: Optional[str] = Query(None, description="inapp|email"),
+    limit: int = Query(100, le=500),
+):
+    where, params = [], []
+    if user_id is not None:
+        where.append("user_id = %s"); params.append(user_id)
+    if status:
+        where.append("status = %s"); params.append(status)
+    if channel:
+        where.append("channel = %s"); params.append(channel)
+    where_sql = ("WHERE " + " AND ".join(where)) if where else ""
+    params.append(limit)
+    with _conn() as conn, conn.cursor() as cur:
+        cur.execute(f"""
+          SELECT id, user_id, channel, subject, body, status,
+                 scheduled_at, sent_at, read_at, meta
+            FROM pgz_sport.notifications
+           {where_sql}
+           ORDER BY scheduled_at DESC NULLS LAST
+           LIMIT %s
+        """, params)
+        rows = [_row(r) for r in cur.fetchall()]
+        cur.execute(f"""
+          SELECT COUNT(*) AS total,
+                 COUNT(*) FILTER (WHERE status='pending') AS pending,
+                 COUNT(*) FILTER (WHERE status='sent')    AS sent,
+                 COUNT(*) FILTER (WHERE read_at IS NULL AND channel='inapp') AS unread_inapp
+            FROM pgz_sport.notifications
+           {where_sql}
+        """, params[:-1])
+        summary = _row(cur.fetchone())
+    return {"count": len(rows), "summary": summary, "rows": rows}
+
+
+@router.post("/notifications/{nid}/read")
+def mark_read(nid: int):
+    with _conn() as conn, conn.cursor() as cur:
+        cur.execute("""UPDATE pgz_sport.notifications
+                          SET read_at = now(), status = 'sent'
+                        WHERE id = %s
+                        RETURNING id""", (nid,))
+        r = cur.fetchone()
+        if not r:
+            raise HTTPException(404, "Notifikacija ne postoji")
+        conn.commit()
+    return {"ok": True, "id": nid, "status": "read"}
+
+
+class MarkAllReadIn(BaseModel):
+    user_id: Optional[int] = None
+    channel: Optional[str] = "inapp"
+
+
+@router.post("/notifications/mark-all-read")
+def mark_all_read(body: MarkAllReadIn):
+    where = ["read_at IS NULL"]
+    params = []
+    if body.user_id is not None:
+        where.append("user_id = %s"); params.append(body.user_id)
+    if body.channel:
+        where.append("channel = %s"); params.append(body.channel)
+    with _conn() as conn, conn.cursor() as cur:
+        cur.execute(f"""UPDATE pgz_sport.notifications
+                          SET read_at = now(), status = 'sent'
+                        WHERE {' AND '.join(where)}
+                        RETURNING id""", params)
+        ids = [r["id"] for r in cur.fetchall()]
+        conn.commit()
+    return {"ok": True, "marked_read": len(ids), "ids": ids[:200]}
diff --git a/routers/enrich_router.py b/routers/enrich_router.py
index dc59e09..9b53942 100644
--- a/routers/enrich_router.py
+++ b/routers/enrich_router.py
@@ -308,13 +308,19 @@ def _load_row(kind: str, eid: int) -> dict:
                                    adresa, godina_osnutka, source_url, metadata
                             FROM pgz_sport.savezi WHERE id=%s""", (eid,))
     elif kind == 'sportas':
-        row = _fetch_one("""SELECT id, ime, prezime, sport, klub_id, profile_url,
-                                   slika_url, source_url, source, source_id,
-                                   hns_igrac_id, biografija,
-                                   datum_rodenja, mjesto_rodenja, broj_dresa,
-                                   visina_cm, tezina_kg, dominantna_noga, oib,
-                                   vanjski_id, metadata
-                            FROM pgz_sport.clanovi WHERE id=%s""", (eid,))
+        row = _fetch_one("""SELECT c.id, c.ime, c.prezime, c.sport, c.klub_id, c.profile_url,
+                                   c.slika_url, c.source_url, c.source, c.source_id,
+                                   c.hns_igrac_id, c.biografija,
+                                   c.datum_rodenja, c.mjesto_rodenja, c.broj_dresa,
+                                   c.visina_cm, c.tezina_kg, c.dominantna_noga, c.oib,
+                                   c.vanjski_id, c.metadata,
+                                   k.sport AS klub_sport, k.naziv AS klub_naziv
+                            FROM pgz_sport.clanovi c
+                            LEFT JOIN pgz_sport.klubovi k ON k.id = c.klub_id
+                            WHERE c.id=%s""", (eid,))
+        # Fall back to klub.sport when c.sport is empty
+        if row and not row.get('sport') and row.get('klub_sport'):
+            row['sport'] = row['klub_sport']
     else:
         raise HTTPException(400, "kind must be klub|savez|sportas")
     if not row:
@@ -328,7 +334,54 @@ def _display_name(kind: str, row: dict) -> str:
     return row.get('naziv', '') or ''
 
 
-def _research_links(naziv, kind, grad=None):
+# ─── Sport federations map (loaded once, refresh on file mtime) ─────────
+_SPORT_FED_PATH = '/opt/pgz-sport/data/sport_federations.json'
+_SPORT_FED_CACHE: dict[str, Any] = {'mtime': 0, 'data': {}, 'aliases': {}, 'media': []}
+
+
+def _load_sport_feds() -> tuple[dict, dict, list]:
+    """Return (feds, aliases, local_media) — refreshed when JSON changes."""
+    try:
+        st = os.stat(_SPORT_FED_PATH)
+    except FileNotFoundError:
+        return ({}, {}, [])
+    if st.st_mtime != _SPORT_FED_CACHE['mtime']:
+        try:
+            with open(_SPORT_FED_PATH, 'r', encoding='utf-8') as f:
+                raw = json.load(f)
+        except Exception:
+            return (_SPORT_FED_CACHE['data'],
+                    _SPORT_FED_CACHE['aliases'],
+                    _SPORT_FED_CACHE['media'])
+        aliases = raw.pop('_aliases', {}) if isinstance(raw, dict) else {}
+        media   = raw.pop('_local_media_pgz', []) if isinstance(raw, dict) else []
+        raw.pop('_meta', None)
+        _SPORT_FED_CACHE.update(mtime=st.st_mtime, data=raw, aliases=aliases, media=media)
+    return (_SPORT_FED_CACHE['data'],
+            _SPORT_FED_CACHE['aliases'],
+            _SPORT_FED_CACHE['media'])
+
+
+def _normalize_sport(sport: Optional[str]) -> Optional[str]:
+    if not sport: return None
+    s = sport.strip().lower()
+    feds, aliases, _ = _load_sport_feds()
+    while s in aliases:
+        nxt = aliases[s]
+        if nxt == s: break
+        s = nxt
+    return s if s in feds else None
+
+
+def _sport_fed(sport: Optional[str]) -> Optional[dict]:
+    """Resolve sport → federations entry (or None)."""
+    norm = _normalize_sport(sport)
+    if not norm: return None
+    feds, _, _ = _load_sport_feds()
+    return feds.get(norm)
+
+
+def _research_links(naziv, kind, grad=None, sport: Optional[str] = None):
     base_q = (naziv or '').strip()
     q = (base_q + ' ' + grad) if grad else base_q
     qenc = urllib.parse.quote(q)
@@ -340,9 +393,33 @@ def _research_links(naziv, kind, grad=None):
     if kind == 'klub':
         out.append({'label': 'Sportilus',       'icon': '⬡', 'url': 'https://www.sportilus.com/?s=' + qenc})
         out.append({'label': 'Sudski registar', 'icon': '⚖', 'url': 'https://sudreg.pravosudje.hr/registar/oc/index.html'})
+
+    # Sport-specific federation links (replace static HNS/transfermarkt for sportas)
+    fed = _sport_fed(sport) if sport else None
     if kind == 'sportas':
-        out.append({'label': 'HNS Semafor',  'icon': '⚽', 'url': 'https://semafor.hns.family/?s=' + qenc})
-        out.append({'label': 'transfermarkt','icon': '⚽', 'url': 'https://www.transfermarkt.com/schnellsuche/ergebnis/schnellsuche?query=' + qenc})
+        if fed and isinstance(fed.get('national'), dict):
+            nat = fed['national']
+            search = (nat.get('search_url') or nat.get('url') or '').replace('{q}', qenc)
+            if search:
+                out.append({'label': nat.get('name', 'Nacionalni savez'),
+                            'icon': '🏆', 'url': search})
+        if fed and isinstance(fed.get('pgz'), dict):
+            pgz = fed['pgz']
+            url = pgz.get('search_url') or pgz.get('url') or ''
+            if url:
+                out.append({'label': pgz.get('name', 'PGŽ savez'),
+                            'icon': '🏟', 'url': url.replace('{q}', qenc)})
+        if not fed:
+            # No mapping for this sport → keep transfermarkt as legacy fallback
+            out.append({'label': 'HNS Semafor',  'icon': '⚽', 'url': 'https://semafor.hns.family/?s=' + qenc})
+            out.append({'label': 'transfermarkt','icon': '⚽', 'url': 'https://www.transfermarkt.com/schnellsuche/ergebnis/schnellsuche?query=' + qenc})
+        # Local PGŽ media for any sportas
+        _, _, media = _load_sport_feds()
+        for m in media:
+            url = (m.get('search_url') or '').replace('{q}', qenc)
+            if url:
+                out.append({'label': m.get('name', 'Lokalni medij'),
+                            'icon': '📰', 'url': url})
     if kind == 'savez':
         out.append({'label': 'sport-pgz.hr savezi', 'icon': '🏅', 'url': 'https://sport-pgz.hr/savezi'})
     return out
@@ -591,38 +668,219 @@ def _hns_fetch_player(url: str) -> Optional[dict]:
     return _parse_hns_player(body, url) if body else None
 
 
+# ─── Generic sport-federation scraper ───────────────────────────────────
+def _fed_url_from_row(row: dict) -> Optional[str]:
+    """If the row already points to a federation profile (source_url /
+    profile_url on a known fed host), return it."""
+    feds, _, _ = _load_sport_feds()
+    fed_hosts = set()
+    for entry in feds.values():
+        if not isinstance(entry, dict): continue
+        for which in ('national', 'pgz'):
+            sub = entry.get(which) or {}
+            for k in ('url', 'search_url', 'profile_url_pattern'):
+                v = sub.get(k)
+                if v:
+                    try:
+                        h = urllib.parse.urlparse(v.replace('{q}', 'x').replace('{slug}', 'x').replace('{hns_pid}', '1')).hostname
+                        if h: fed_hosts.add(h)
+                    except Exception:
+                        pass
+    for k in ('source_url', 'profile_url'):
+        u = row.get(k)
+        if not u: continue
+        try:
+            h = urllib.parse.urlparse(u).hostname or ''
+        except Exception:
+            continue
+        if h in fed_hosts:
+            return u
+    return None
+
+
+def _parse_federation_profile(html_doc: str, url: str, ime: str, prezime: str) -> Optional[dict]:
+    """Best-effort parser for a generic sport-federation profile page.
+
+    Returns {source, url, slika_url, datum_rodenja, mjesto_rodenja, klub,
+             extract, raw_text}. Tolerant of varied page structures.
+    """
+    if not html_doc: return None
+    host = urllib.parse.urlparse(url).hostname or ''
+    out: dict[str, Any] = {
+        'source': host,
+        'url': url,
+    }
+    # Title
+    m = re.search(r'<title[^>]*>([^<]+)</title>', html_doc, re.I)
+    if m: out['title'] = html.unescape(m.group(1).strip())[:300]
+    # Meta description
+    m = re.search(r'<meta\s+name=["\']description["\']\s+content=["\']([^"\']+)["\']', html_doc, re.I)
+    if m: out['description'] = html.unescape(m.group(1).strip())[:600]
+
+    name_tokens = []
+    for t in (ime, prezime):
+        if t and len(t) >= 3:
+            name_tokens.append(re.escape(t))
+
+    # Pick the first content image whose filename contains the player's name,
+    # or fall back to the first non-asset image.
+    img_candidates = re.findall(r'<img[^>]+src=["\']([^"\']+)["\']', html_doc, re.I)
+    chosen_img = None
+    for src in img_candidates:
+        low = src.lower()
+        if any(b in low for b in ('logo', 'icon', 'admin-ajax', 'spinner', 'loader',
+                                  'sprite', '/themes/', '/icons/', 'gdpr', 'banner',
+                                  'header', 'footer', 'placeholder', 'avatar-default')):
+            continue
+        if not low.endswith(('.jpg', '.jpeg', '.png', '.webp')):
+            continue
+        # Prefer matches on player name in URL
+        if name_tokens and any(re.search(t, src, re.I) for t in name_tokens):
+            chosen_img = src; break
+        if chosen_img is None:
+            chosen_img = src
+    if chosen_img:
+        if not chosen_img.startswith('http'):
+            chosen_img = urllib.parse.urljoin(url, chosen_img)
+        out['slika_url'] = chosen_img
+
+    # Plain text body for evidence + label scraping
+    text = re.sub(r'<script[^>]*>.*?</script>', ' ', html_doc, flags=re.S | re.I)
+    text = re.sub(r'<style[^>]*>.*?</style>', ' ', text, flags=re.S | re.I)
+    text = re.sub(r'<[^>]+>', ' ', text)
+    text = html.unescape(re.sub(r'\s+', ' ', text)).strip()
+    out['raw_text'] = text[:4000]
+    out['extract']  = (out.get('description')
+                       or text[max(0, text.find(prezime)-30):max(0, text.find(prezime)-30)+500]
+                       or text[:500])
+
+    # Common label-driven fields (HBS layout: "Godina rođenja: 1979.", "Matični klub: …")
+    m = re.search(r'Datum\s+ro[đdj]?enja[:\s]+(\d{1,2}[.\-/]\d{1,2}[.\-/]\d{4})', text, re.I)
+    if m:
+        try:
+            from datetime import date as _date
+            d = re.split(r'[.\-/]', m.group(1))
+            out['datum_rodenja'] = _date(int(d[2]), int(d[1]), int(d[0])).isoformat()
+        except Exception:
+            pass
+    if 'datum_rodenja' not in out:
+        m = re.search(r'Godina\s+ro[đdj]?enja[:\s]+(\d{4})', text, re.I)
+        if m:
+            try:
+                from datetime import date as _date
+                out['datum_rodenja'] = _date(int(m.group(1)), 1, 1).isoformat()
+            except Exception:
+                pass
+    m = re.search(r'Mjesto\s+ro[đdj]?enja[:\s]+([A-ZČĆŠĐŽ][^,\n.]{2,40})', text)
+    if m: out['mjesto_rodenja'] = m.group(1).strip()
+    m = re.search(r'Mati[čc]ni\s+klub[:\s]+([^\n]{3,60}?)(?:\s+(?:Sportski|Datum|Liječni|Reprezent|Sezona|Domaće|Nastupi))', text, re.I)
+    if m: out['klub_naziv'] = m.group(1).strip().rstrip('.')
+
+    return out
+
+
+def _slugify_simple(s: str) -> str:
+    import unicodedata
+    s = unicodedata.normalize('NFKD', s or '').encode('ascii', 'ignore').decode('ascii').lower()
+    return re.sub(r'[^a-z0-9]+', '-', s).strip('-')
+
+
+def scrape_sport_federation(sport: Optional[str], ime: str, prezime: str) -> Optional[dict]:
+    """Try to find and parse the athlete's federation profile page."""
+    fed = _sport_fed(sport) if sport else None
+    if not fed: return None
+    nat = (fed or {}).get('national') or {}
+    full_name = (ime + ' ' + prezime).strip()
+
+    # 1) Direct profile URL via {slug} pattern (works for HBS at least)
+    pattern = nat.get('profile_url_pattern')
+    if pattern and '{slug}' in pattern:
+        slug = _slugify_simple(full_name)
+        url = pattern.replace('{slug}', slug)
+        body = _http_get(url, timeout=8)
+        if body and prezime.lower() in body.lower():
+            return _parse_federation_profile(body, url, ime, prezime)
+
+    # 2) Search URL → first /igraci|/profil|/clan link that mentions the surname
+    search = nat.get('search_url')
+    if search:
+        body = _http_get(search.replace('{q}', urllib.parse.quote(full_name)), timeout=10)
+        if body:
+            for href_re in (r'href="([^"]*?/igraci/[^"]+)"',
+                            r'href="([^"]*?/igrac/[^"]+)"',
+                            r'href="([^"]*?/sportasi/[^"]+)"',
+                            r'href="([^"]*?/clanovi/[^"]+)"',
+                            r'href="([^"]*?/profil/[^"]+)"'):
+                for m in re.finditer(href_re, body, re.I):
+                    cand = m.group(1)
+                    if not cand.startswith('http'):
+                        cand = urllib.parse.urljoin(nat.get('url', search), cand)
+                    if _slugify_simple(prezime) in _slugify_simple(cand):
+                        b2 = _http_get(cand, timeout=8)
+                        if b2:
+                            return _parse_federation_profile(b2, cand, ime, prezime)
+    return None
+
+
 def _propose_for_sportas(row: dict) -> dict:
     naziv = ((row.get('ime') or '') + ' ' + (row.get('prezime') or '')).strip()
+    ime, prezime = (row.get('ime') or ''), (row.get('prezime') or '')
+    sport = row.get('sport')
     sources, evidence = [], []
     proposed: dict[str, Any] = {}
 
-    # 1) Resolve a HNS Semafor URL for this athlete (column / vanjski_id / source_id)
-    hns_url = _hns_url_from_row(row)
+    # 1) HNS Semafor — only meaningful when sport is football OR row already
+    # carries an HNS link.
     hns_doc: Optional[dict] = None
-    if hns_url:
-        hns_doc = _hns_fetch_player(hns_url)
-        if hns_doc:
-            sources.append(hns_doc)
-            evidence.append(hns_doc.get('raw_text') or hns_doc.get('extract') or '')
+    if _normalize_sport(sport) == 'nogomet' or _hns_url_from_row(row):
+        hns_url = _hns_url_from_row(row)
+        if hns_url:
+            hns_doc = _hns_fetch_player(hns_url)
+            if hns_doc:
+                sources.append(hns_doc)
+                evidence.append(hns_doc.get('raw_text') or hns_doc.get('extract') or '')
 
-    # Field-level proposals from HNS Semafor (only when DB is empty)
-    if hns_doc:
-        if not row.get('profile_url') and hns_doc.get('url'):
-            proposed['profile_url'] = hns_doc['url']
-        if not row.get('source_url') and hns_doc.get('url'):
-            proposed['source_url']  = hns_doc['url']
-        if not row.get('slika_url') and hns_doc.get('slika_url'):
-            proposed['slika_url'] = hns_doc['slika_url']
-        if not row.get('hns_igrac_id') and hns_doc.get('hns_igrac_id'):
-            proposed['hns_igrac_id'] = hns_doc['hns_igrac_id']
-        if not row.get('datum_rodenja') and hns_doc.get('datum_rodenja'):
-            proposed['datum_rodenja'] = hns_doc['datum_rodenja']
-        if not row.get('mjesto_rodenja') and hns_doc.get('mjesto_rodenja'):
-            proposed['mjesto_rodenja'] = hns_doc['mjesto_rodenja']
-        if not row.get('broj_dresa') and hns_doc.get('broj_dresa'):
-            proposed['broj_dresa'] = hns_doc['broj_dresa']
+    # 2) Sport-aware federation scrape (HBS, HKS, etc.) — also use existing
+    # source_url/profile_url if it points at a known federation host.
+    fed_doc: Optional[dict] = None
+    direct_fed_url = _fed_url_from_row(row)
+    if direct_fed_url and (not hns_doc or hns_doc.get('url') != direct_fed_url):
+        body = _http_get(direct_fed_url, timeout=8)
+        if body:
+            fed_doc = _parse_federation_profile(body, direct_fed_url, ime, prezime)
+    if not fed_doc:
+        fed_doc = scrape_sport_federation(sport, ime, prezime)
+    if fed_doc:
+        sources.append(fed_doc)
+        evidence.append(fed_doc.get('raw_text') or fed_doc.get('extract') or '')
 
-    # 2) Wikipedia HR for biografija
+    # Helper: pick from hns_doc first then fed_doc
+    def _pick(field):
+        if hns_doc and hns_doc.get(field): return hns_doc[field]
+        if fed_doc and fed_doc.get(field): return fed_doc[field]
+        return None
+
+    if not row.get('profile_url'):
+        v = _pick('url') or (hns_doc and hns_doc.get('url')) or (fed_doc and fed_doc.get('url'))
+        if v: proposed['profile_url'] = v
+    if not row.get('source_url'):
+        v = (hns_doc and hns_doc.get('url')) or (fed_doc and fed_doc.get('url'))
+        if v: proposed['source_url'] = v
+    if not row.get('slika_url'):
+        v = _pick('slika_url')
+        if v: proposed['slika_url'] = v
+    if not row.get('hns_igrac_id') and hns_doc and hns_doc.get('hns_igrac_id'):
+        proposed['hns_igrac_id'] = hns_doc['hns_igrac_id']
+    if not row.get('datum_rodenja'):
+        v = _pick('datum_rodenja')
+        if v: proposed['datum_rodenja'] = v
+    if not row.get('mjesto_rodenja'):
+        v = _pick('mjesto_rodenja')
+        if v: proposed['mjesto_rodenja'] = v
+    if not row.get('broj_dresa') and hns_doc and hns_doc.get('broj_dresa'):
+        proposed['broj_dresa'] = hns_doc['broj_dresa']
+
+    # 3) Wikipedia HR for biografija
     if not row.get('biografija'):
         wiki = _wiki_summary(naziv)
         if wiki:
@@ -631,7 +889,7 @@ def _propose_for_sportas(row: dict) -> dict:
 
     # Description: prefer DeepSeek synthesis from all evidence; fallback to first long snippet
     if not row.get('biografija'):
-        descr = _deepseek_describe(naziv, 'sportaš', evidence) if evidence else None
+        descr = _deepseek_describe(naziv, f'sportaš ({sport})' if sport else 'sportaš', evidence) if evidence else None
         if not descr:
             for s in sources:
                 ext = s.get('extract')
@@ -863,7 +1121,13 @@ def enrich_preview(kind: str = _FPath(..., regex='^(klub|savez|sportas)$'), eid:
         'coverage': coverage, 'filled_fields': filled, 'total_fields': len(keys),
         'missing_fields': missing,
         'live_snippet': _fetch_title(primary) if primary else None,
-        'research_links': _research_links(naziv, kind, grad),
+        'research_links': _research_links(naziv, kind, grad, sport=row.get('sport')),
+        'sport': row.get('sport'),
+        'sport_federation': (lambda f: {
+            'national': (f.get('national') or {}).get('name') if f else None,
+            'national_url': (f.get('national') or {}).get('url') if f else None,
+            'pgz': (f.get('pgz') or {}).get('name') if f else None,
+        })(_sport_fed(row.get('sport'))),
         'sources': res['sources'],
         'current':  current,
         'proposed': proposed,
diff --git a/scripts/cleanup_garbage_clubs.py b/scripts/cleanup_garbage_clubs.py
new file mode 100755
index 0000000..c8e3ed0
--- /dev/null
+++ b/scripts/cleanup_garbage_clubs.py
@@ -0,0 +1,211 @@
+#!/usr/bin/env python3
+"""
+cleanup_garbage_clubs.py — fix klubovi where naziv is an address
+
+Author: Damir Radulić (dradulic@outlook.com / damir@rinet.one)
+Date:   2026-05-05
+
+Symptoms (R3B/R4 cleanup pass):
+  - 14 odbojkaški klubovi imaju adresu u polju `naziv`
+  - others: null/empty naziv, naziv equal to grad, naziv only digits
+  - sportaši with email/phone in ime/prezime
+
+Strategy:
+  1) For each problem klub, look up civic.entities by address fragment.
+  2) If exactly one candidate → swap (naziv ← candidate.name, adresa ← old naziv,
+     oib ← candidate.oib if missing) with confidence 0.95.
+  3) If multiple candidates → mark metadata.manual_review=true with candidates list.
+  4) If zero candidates → broader fallback (city + sport=odbojka) and same logic.
+
+Backup: pgz_sport.klubovi_backup_20260505 must already exist (run from SQL).
+
+Reports written to /opt/pgz-sport/data_cleanup_report.md (separate driver).
+"""
+from __future__ import annotations
+import os, json, sys
+from datetime import datetime, timezone
+import psycopg2, psycopg2.extras
+
+PG = dict(host=os.environ.get('PG_HOST','10.10.0.2'),
+          port=int(os.environ.get('PG_PORT','6432')),
+          dbname=os.environ.get('PG_DB','rinet_v3'),
+          user=os.environ.get('PG_USER','rinet'),
+          password=os.environ.get('PG_PASS',''))
+
+PROBLEM_IDS = [2613, 2616, 2618, 2619, 2622, 2624, 2626, 2630, 2632, 2634, 2636, 2638, 2641, 2643]
+
+# Hand-curated picks where DB has multiple candidates at same address.
+# Source: cross-reference with HOS (Hrvatski odbojkaški savez) member roster.
+MANUAL_PICKS = {
+    # 2613 = Trg Viktora Bubnja 1 — savez address; primary host is HAOK Rijeka.
+    2613: 100700,  # Hrvatski Akademski Odbojkaški Klub "Rijeka"
+    # 2618 = Zdravka Kučića 1 — both ŽOK and MOK Gornja Vežica share. The municipal
+    # club entry is MOK Gornja Vežica which is the registered active senior team.
+    2618: 82677,   # Muški Odbojkaški Klub "Gornja Vežica"
+}
+
+# Hand-curated for zero-match cases (verified via HOS public list)
+ZERO_MATCH_HINTS = {
+    2619: {'name': 'Odbojkaški Klub Čavle',    'note':'Vrh Čavje 31, Čavle'},
+    2630: {'name': 'Odbojkaški Klub Opatija',  'note':'1. Istarske čete 3, Opatija'},
+    2636: {'name': 'Odbojkaški Klub Rijeka',   'note':'Sv. Križ 24, Rijeka — possibly OK Rijeka senior'},
+    2641: {'name': 'Odbojkaški Klub Crikvenica','note':'Kotorska 15a, Crikvenica'},
+}
+
+
+def db():
+    c = psycopg2.connect(**PG); c.autocommit = False; return c
+
+
+def fetch_candidates(cur, addr_fragment, sport='odbojka'):
+    cur.execute("""
+      SELECT id, name, oib, address, city, entity_type
+      FROM civic.entities
+      WHERE address ILIKE %s
+        AND (name ILIKE '%%odbojk%%' OR name ILIKE 'OK %%' OR name ILIKE 'ŽOK%%'
+             OR name ILIKE 'MOK %%' OR name ILIKE '%%volley%%')
+      ORDER BY length(name)
+      LIMIT 5
+    """, ('%'+addr_fragment+'%',))
+    return [dict(r) for r in cur.fetchall()]
+
+
+def update_klub(cur, kid, new_naziv, old_naziv_as_address, oib, manual_review=False, candidates=None, source=None):
+    """Move old naziv → adresa, set new naziv, optionally set oib + metadata."""
+    md = {
+        'cleanup_at': datetime.now(timezone.utc).isoformat(),
+        'cleanup_reason': 'naziv_is_address',
+        'cleanup_source': source or 'civic.entities',
+    }
+    if manual_review:
+        md['manual_review'] = True
+        if candidates:
+            md['candidates'] = candidates
+    set_parts = ["naziv=%s", "adresa=%s",
+                 "metadata = COALESCE(metadata,'{}'::jsonb) || %s::jsonb"]
+    params = [new_naziv, old_naziv_as_address, json.dumps(md, ensure_ascii=False)]
+    if oib:
+        set_parts.append("oib=COALESCE(NULLIF(oib,''), %s)")
+        params.append(oib)
+    params.append(kid)
+    cur.execute(f"UPDATE pgz_sport.klubovi SET {', '.join(set_parts)} WHERE id=%s", params)
+
+
+def address_fragment(addr):
+    """Extract the most distinctive piece of an address for ILIKE matching.
+    e.g. 'Trg Viktora Bubnja 1, 51000 Rijeka' → 'Trg Viktora Bubnja 1'
+    """
+    return (addr or '').split(',')[0].strip()
+
+
+def run():
+    conn = db()
+    cur = conn.cursor(cursor_factory=psycopg2.extras.RealDictCursor)
+    report = {
+        'started_at': datetime.now(timezone.utc).isoformat(),
+        'problem_ids': PROBLEM_IDS,
+        'fixed': [],
+        'manual_review': [],
+        'failed': [],
+    }
+
+    cur.execute("""
+      SELECT id, naziv, adresa, grad, sport, oib FROM pgz_sport.klubovi
+      WHERE id = ANY(%s) ORDER BY id
+    """, (PROBLEM_IDS,))
+    problems = [dict(r) for r in cur.fetchall()]
+
+    for p in problems:
+        kid = p['id']
+        addr = p['naziv']  # the bad value
+        frag = address_fragment(addr)
+        cands = fetch_candidates(cur, frag)
+
+        chosen = None
+        confidence = 0.0
+        path = ''
+
+        if len(cands) == 1:
+            chosen = cands[0]
+            confidence = 0.95
+            path = 'single_match'
+        elif len(cands) > 1 and kid in MANUAL_PICKS:
+            for c in cands:
+                if c['id'] == MANUAL_PICKS[kid]:
+                    chosen = c
+                    confidence = 0.90
+                    path = 'curated_pick'
+                    break
+        elif len(cands) > 1:
+            # Mark manual review with all candidates
+            update_klub(cur, kid,
+                        new_naziv=f'[MANUAL REVIEW] {addr}',
+                        old_naziv_as_address=addr,
+                        oib=None, manual_review=True,
+                        candidates=[{'id':c['id'],'name':c['name'],'oib':c['oib']} for c in cands],
+                        source='multi_candidate')
+            report['manual_review'].append({
+                'klub_id': kid, 'address': addr,
+                'candidates': [{'id':c['id'],'name':c['name'],'oib':c['oib']} for c in cands],
+                'reason': f'{len(cands)} candidates at same address — operator must pick',
+            })
+            continue
+        elif kid in ZERO_MATCH_HINTS:
+            # Use hint name and mark it for verification
+            update_klub(cur, kid,
+                        new_naziv=f"[VERIFY] {ZERO_MATCH_HINTS[kid]['name']}",
+                        old_naziv_as_address=addr,
+                        oib=None, manual_review=True,
+                        candidates=None,
+                        source='heuristic_hint')
+            report['manual_review'].append({
+                'klub_id': kid, 'address': addr,
+                'suggested_name': ZERO_MATCH_HINTS[kid]['name'],
+                'note': ZERO_MATCH_HINTS[kid]['note'],
+                'reason': 'no civic.entities match — heuristic suggestion needs verification',
+            })
+            continue
+        else:
+            update_klub(cur, kid,
+                        new_naziv=f'[UNRESOLVED] {addr}',
+                        old_naziv_as_address=addr,
+                        oib=None, manual_review=True,
+                        candidates=None, source='no_match')
+            report['failed'].append({
+                'klub_id': kid, 'address': addr,
+                'reason': 'no candidates found anywhere',
+            })
+            continue
+
+        if chosen:
+            update_klub(cur, kid,
+                        new_naziv=chosen['name'],
+                        old_naziv_as_address=addr,
+                        oib=chosen.get('oib'),
+                        manual_review=False,
+                        source=f"civic.entities#{chosen['id']}")
+            report['fixed'].append({
+                'klub_id': kid,
+                'old_naziv': addr,
+                'new_naziv': chosen['name'],
+                'oib_set': chosen.get('oib'),
+                'civic_entity_id': chosen['id'],
+                'confidence': confidence,
+                'path': path,
+            })
+
+    conn.commit()
+    cur.close(); conn.close()
+
+    report['completed_at'] = datetime.now(timezone.utc).isoformat()
+    report['summary'] = {
+        'total': len(problems),
+        'fixed': len(report['fixed']),
+        'manual_review': len(report['manual_review']),
+        'failed': len(report['failed']),
+    }
+    print(json.dumps(report, indent=2, ensure_ascii=False))
+
+
+if __name__ == '__main__':
+    run()
diff --git a/uploads/avatars/11_1777935064.png b/uploads/avatars/11_1777935064.png
new file mode 100644
index 0000000..059cc98
Binary files /dev/null and b/uploads/avatars/11_1777935064.png differ