diff --git a/HANDOFF_PGZ_SPORT_05may.md b/HANDOFF_PGZ_SPORT_05may.md
new file mode 100644
index 0000000..2f42b20
--- /dev/null
+++ b/HANDOFF_PGZ_SPORT_05may.md
@@ -0,0 +1,373 @@
+# PGŽ SPORT INTELLIGENCE PLATFORM — MASTER HANDOFF
+## Data: 2026-05-05 02:15 CEST
+## Status: Predprezentacijska sprint, prezentacija županu jutros
+
+---
+
+## 🎯 MISIJA
+
+Multi-tenant ERP/CRM platforma za PGŽ Odjel za sport + savezi + klubovi.
+Rok: **danas ujutro** prezentacija županu Lukanoviću.
+Cilj: pretvoriti prikaz podataka u **operativni alat** koji rješava 80% birokratskih poslova.
+
+---
+
+## 🏗 INFRASTRUKTURA
+
+### GPU server (jedini produkcijski)
+- **Host**: 144.76.68.5 (Hetzner GEX44, RTX 4000 Ada 20GB)
+- **SSH**: `ssh -p 5852 root@144.76.68.5` (pwd `5852Dan1TR5852`)
+- **Bridge API**: `POST https://api.rinet.one/bridge/exec` Header `X-API-KEY: rinet-yS4ZnKlwUqsjk`
+
+### Stack
+- **PostgreSQL 18**: 10.10.0.2:6432 / `rinet_v3` / user `rinet` / pwd `R1net2026!SecureDB#v7`
+- **Schema**: `pgz_sport.*` (klubovi, savezi, clanovi, users, sys_audit, ...)
+- **Service**: `systemctl restart pgz-sport` (FastAPI port 8095)
+- **Live URL**: https://sport.rinet.one/
+- **API base**: `/sport/api/...` (nginx strip prefix → :8095)
+
+### Repo
+- **Git**: https://git.rinet.one/damir/pgz-sport (Gitea local)
+- **Local dir**: /opt/pgz-sport/ (HOME=/root, safe.directory=/opt/pgz-sport)
+- **Branch**: master
+- **Auto-push**: agenti rade `git push gitea master` nakon svakog commita
+
+### Sve URL-ove (svi rade 200)
+| URL | Što |
+|-----|-----|
+| `/` | Public portal (sport2.html) |
+| `/login` | Login forma |
+| `/app` | Operativna aplikacija (po roli) |
+| `/admin` | Admin panel |
+| `/admin/users` | User management |
+| `/crm` | CRM workspace |
+| `/erp` | ERP (OCR, putni nalozi) |
+| `/audit` | Blockchain audit log |
+| `/kpi` | KPI dashboard |
+| `/static/*` | Static fileserve mount |
+| `/sport/api/*` | API endpoints |
+
+---
+
+## 🤖 CC SWARM — 6 PARALELNIH AGENATA
+
+### Aktivne tmux sesije
+```
+cc1: a22bbe34-7801-4560-991b-219f77818711  Round 2+3B + orchestrator
+cc2: c8cf6289-33d9-4195-97f5-834cf0844cf3  Auth, GDPR, multi-tenant
+cc3: 3123d6b5-59fd-4864-a9d7-2fcca6e70f1c  Frontend, sidebar, dashboard
+cc4: 69b5473b-4033-4872-b50c-94080e737d64  ERP, OCR, putni nalozi
+cc5: a966a143-8821-4827-9cb5-9594477def9a  CRM, članarine, ZZJZ, obrasci
+cc6: 9e120f23-a3e0-4580-b84f-704b87671037  Blockchain, enrichment, worker
+```
+
+### Pokretanje CC u tmux
+```bash
+ssh -p 5852 root@144.76.68.5
+tmux new-session -d -s ccN
+tmux send-keys -t ccN:0 "su - claude" Enter
+sleep 2
+tmux send-keys -t ccN:0 "cd /opt/pgz-sport && unset ANTHROPIC_API_KEY && claude --resume UUID --dangerously-skip-permissions" Enter
+sleep 5
+tmux send-keys -t ccN:0 Enter   # confirm trust prompt
+```
+
+### Monitoring
+```bash
+bash /opt/pgz-sport/swarm.sh tiled    # 6 panela u jednom prozoru
+bash /opt/pgz-sport/swarm.sh status   # 1x snapshot
+bash /opt/pgz-sport/swarm.sh git      # commit history
+bash /opt/pgz-sport/swarm.sh ccN      # attach na specifični agent
+```
+
+### Slanje zadataka — ČIST FORMAT
+```python
+# Spremi task u /opt/pgz-sport/cc_tasks/sess_taskname.md (base64 + bridge)
+# Pa pošalji CC da pročita i implementira:
+tmux send-keys -t ccN:0 "Procitaj /opt/pgz-sport/cc_tasks/FILE.md i implementiraj sve. Backup deploy git commit. Radi autonomno do kraja." Enter
+sleep 3
+tmux send-keys -t ccN:0 Enter   # submit
+```
+
+⚠️ **NIKAD ne stavljaj brackets `()` u inline prompt** — bash puca s "syntax error". Uvijek koristi taskfile.
+
+---
+
+## 📂 KLJUČNI FAJLOVI
+
+```
+/opt/pgz-sport/
+├── pgz_sport_api.py            # main FastAPI app (port 8095)
+├── auth/auth_v2.py             # JWT auth + tenants + roles
+├── routers/
+│   ├── enrich_router.py        # /v2/enrich + /apply (M12)
+│   ├── audit_seal_router.py    # /api/audit/seal Polygon
+│   ├── audit_coverage_router.py
+│   ├── ... (još)
+├── workers/
+│   ├── ocr_worker.py
+│   ├── enrichment_worker.py    # 24/7 daemon (5min loop)
+├── blockchain/seal.py          # Polygon PoS sealing
+├── permissions.py              # can_edit_invoice, can_approve_putni_nalog
+├── data/sport_federations.json # sport → savez map (HBS, HKS, HRS, ...)
+├── static/
+│   ├── sport2.html             # public portal (~144KB)
+│   ├── login.html              # login forma
+│   ├── app.html                # operativna app + Moj profil + GDPR
+│   ├── admin.html
+│   ├── admin_users.html        # user mgmt
+│   ├── crm.html                # članarine + liječnički + obrasci
+│   ├── erp.html                # OCR + putni nalozi + računi
+│   ├── audit.html              # audit log
+│   ├── kpi.html                # KPI dashboard
+│   └── shared/
+│       ├── sidebar.css         # zajednički sidebar styling
+│       └── sidebar.js          # NAV_SECTIONS s href URLs
+├── cc_tasks/                   # task fajlovi za CC agente
+│   ├── round3_brief.md
+│   ├── round3b_critical.md
+│   ├── cc{1-6}_*.md            # per-agent prompt fajlovi
+└── swarm.sh                    # tmux monitor script
+```
+
+---
+
+## 🔐 KORISNICI
+
+| Email | Lozinka | Role | Tenant | Tier |
+|-------|---------|------|--------|------|
+| damir@pgz.hr | PGZ2026! | pgz_admin | Primorsko-goranska županija | 0 |
+| tajnik@atletski.pgz.hr | Atl2026! | savez_admin | Atletski savez PGŽ | 1 |
+| admin@ak-kvarner.hr | Kvarner2026! | klub_admin | AK Kvarner Rijeka | 2 |
+
+JWT login: `POST /sport/api/auth/login` → access_token + refresh_token + user object.
+Frontend sprema u `localStorage.pgz_access` (i `pgz_refresh`, `pgz_user`).
+`getToken()` u JS čita `pgz_access` (prvo localStorage pa sessionStorage).
+
+---
+
+## 🎨 SIDEBAR (shared/sidebar.js)
+
+### Sekcije (sve URL-ove BEZ `/sport/` prefiksa!)
+```js
+const SIDEBAR_SECTIONS = [
+  {title:'PORTAL',     items: dashboard, savezi, klubovi, sportasi, manifestacije (svi /static/sport2.html#X)},
+  {title:'OPERATIVA',  items: profil, kalendar, notif (/app#X)},
+  {title:'CRM',        items: clanarine, lijecnicki, obrasci, dokumenti (/crm#X)},
+  {title:'ERP',        items: racuni, putni, placanja, xlsx (/erp#X)},
+  {title:'ANALITIKA',  items: kpi, financije, mreza, forenzika, audit},
+  {title:'ADMIN',      requireRole: ['pgz_admin','super_admin'], items: korisnici, tenanti, sigurnost, sustav (/admin#X)}
+];
+```
+
+### Footer
+- Avatar + ime + role (klik otvara user menu)
+- Public portal link kad nije logiran
+
+---
+
+## 📊 STANJE BAZE (10.04.2026)
+
+```
+pgz_sport.savezi:        246 (16 sa scrape email)
+pgz_sport.klubovi:      2244 (23 marked inactive non-PGŽ; 14 odbojkaških s adresom mjesto naziv — TREBA cleanup)
+pgz_sport.clanovi:      3243 (sources: hbs_savez 844, manual 840, godisnjak_2025_HOO 703, hns_semafor 651)
+pgz_sport.clan_sezona:   689 (78 athletes with seasonal stats)
+pgz_sport.utakmice_log: 9267 (with club logos)
+pgz_sport.clan_godisnjak: 2398
+pgz_sport.sportski_objekti: 106 (sve geocoded)
+pgz_sport.sufinanciranje_sport: 110
+pgz_sport.dokumenti:    5692
+pgz_sport.users:          11+ (3 demo + admins)
+pgz_sport.sys_audit:      ? (audit log)
+pgz_sport.lijecnicki_pregledi: ? (CC5)
+pgz_sport.invoices, invoice_lines, putni_nalozi: ? (CC4)
+```
+
+### Test case — SPORTAŠ JOSIP ZEC (id=449)
+- Klub: NK OŠK Omišalj
+- Stats: 257 nastupa, 182 gola, 75 žuti, 39 crveni, 15 sezona, 16 utakmica
+- Mora raditi `GET /sport/api/sportas/449/profil`
+
+---
+
+## ✅ ŠTO RADI (testirano)
+
+- ✅ Login JWT flow (3 demo usera)
+- ✅ Sportaš profile panel (Josip Zec test 257/182/15)
+- ✅ Network 3D graph (react-force-graph-3d, kao app.rinet.one/klasik/control)
+- ✅ Forenzika scan (Velimir Liverić PEP)
+- ✅ Geocoding objekata (s OSM cross-check)
+- ✅ HUB-3 PDF + EPC QR za članarine
+- ✅ ZZJZ PGŽ scheduling integration
+- ✅ OCR + invoices CRUD (DeepSeek V3 sakriven kao "Ri.NET AI")
+- ✅ Putni nalozi + dnevnice (HR pravilnik 2025)
+- ✅ Polygon blockchain seal (wallet 0xD874345dcB17baBDfbFac9bD7838AdE0D4a5d368)
+- ✅ TOTP 2FA (setup + verify + disable)
+- ✅ Avatar upload (POST /sport/api/auth/me/avatar)
+- ✅ GDPR export endpoint (POST /sport/api/users/me/gdpr-export → JSON)
+- ✅ Sidebar shared (sidebar.css + sidebar.js)
+- ✅ 24/7 enrichment_worker daemon
+
+---
+
+## ⚠️ ŠTO NE RADI / TREBA POPRAVITI
+
+### P0 (kritični za prezentaciju)
+1. **GDPR export gumb** — `<button onclick="alert('...M10')">` placeholder, NE poziva API. **JUST FIXED u 02:14** — `gdprExport()` funkcija dodana u app.html, treba verifikaciju u browseru.
+2. **Audit pristupa** — placeholder, JUST FIXED kao `gdprAuditMy()`.
+3. **Brisanje računa** — placeholder, JUST FIXED kao `profileDeleteAccount()`.
+4. **Data cleanup** — 14 odbojkaških klubova ima adresu kao naziv (id 2613, 2616, 2618, 2619, 2622, 2624, 2626, 2630, 2632, 2634, 2636, 2638, 2641, 2643). CC1 dodjeljen.
+5. **Sport-aware enrichment** — Marijan Alkić (boćanje) i dalje 25% coverage. CC6 task otvoren u /opt/pgz-sport/cc_tasks/cc6_sport_federations.md.
+
+### P1 (nice to have)
+6. **Sidebar PORTAL group** mora popuniti glavne sekcije sport2.html. Trenutno koristi /static/sport2.html#X. Možda elegantnije: `/#X` direktno na root.
+7. **Avatar upload demo mode** — kad nije logiran, sad alert "Niste prijavljeni"; CC2 treba dodati mock storage.
+8. **app.html linija 1258** — broken onclick je obrisan; sad je samo info bez interaktivnosti za kalendar dane.
+9. **Admin panel** — treba real user management UI s edit modal.
+
+---
+
+## 📋 GIT COMMITS (kronološki)
+
+```
+ece556d M12.4: real HNS Semafor scraper for sportas + 24/7 enrichment worker
+cb3faee CC3 R3 M4+: avatar upload, PUT /api/auth/me, /uploads mount
+9c5116e M12.5 R4: enrichment coverage<70 picker + confidence>=0.7 gate
+cf993b0 CC1 R4-A1+A2: audit log + stats endpoints + audit_log() helper
+ca92717 CC1 R4-A3: wire audit_log() into enrich /apply
+bd37734 CC2 R4 #6: real TOTP 2FA (setup + verify + disable + login flow)
+a0db65f CC2 R4 #4: /api/users/me/gdpr-export alias
+f5c6570 CC2 R4 #2+#5: removed legacy unauth /api/admin/users (security)
+47c366d CC5 R3 UI: link iz app.html na /sport/crm workspace
+84f1c41 M12.3: Playwright fallback scraper za JS-heavy federation sites
+c8be132 M11.2: /api/audit/seal endpoints + Audit log UI page
+8fe2478 CC2 R3 frontend: login.html + admin_users.html (M1+M2+M10 UI)
+cef4d25 M12.2 UI: enrichment diff modal + apply button (sport2.html)
+fbbe953 CC1 R3B-Mreža: autocomplete + 3D centar + forensic enrich
+59a5373 CC3 R3 M3+M4: sport2 sidebar + app.html operativna aplikacija
+b93ca9a M9 CRM Obrasci + ZZJZ booking detect + e-mail fallback
+85fd51b M12.1: enrich v3 — preview + /apply persists to DB
+21be7ff M6.1 Putni nalozi backend + obračun dnevnica
+98f823b CC1 R3B-P4 — Forenzika scan radi
+492c8fd M1+M2+M10 (CC2 R3): JWT auth + admin users + GDPR backend
+c12a8e9 M8 CRM Liječnički pregledi + ZZJZ scheduling
+64082d0 CC1 R3B-P3 — geocoding precision (Crikvenica + OSM)
+382d35a CC1 R3B-P2 — Mreža 3D force graph
+4ecd7fa CC1 R3B-P1 — sportaš panel klikabilnost
+1bd34ed M7 CRM Članarine: CRUD + dug + uplata + HUB-3 PDF + EPC QR
+834b7bf M5.1 OCR upload + parse + invoices CRUD
+f19d70b M11.1: blockchain/seal.py — Polygon PoS sealing
+b7cb050 CC1 R2 — full Round 2 done (8/8 stavki)
+a7ec0a8 PGŽ Sport Platform — Round 1+2 baseline
+```
+
+---
+
+## 🚀 PRIORITETI ZA SLJEDEĆI CHAT (po važnosti)
+
+### Apsolutni must-fix prije prezentacije
+1. **Verify GDPR buttons rade** u app.html nakon hard refresha
+2. **Sport-aware enrichment** za Marijana Alkića (boćanje → HBS scrape)
+3. **Cleanup 14 odbojkaških klubova** (CC1 task otvoren)
+4. **Verify svaki link u sidebar-u radi** (klikni svaki, provjeri 200)
+5. **Avatar upload test** — login → klikni avatar → upload jpg → vidi novu sliku
+
+### Nakon toga
+6. **Bulk enrichment dashboard** u /audit ili /kpi (CC6 task)
+7. **Toast notifikacije** za sve save akcije ("✓ Spremljeno X polja")
+8. **Drill-down panels** — verify svaki entitet ima klikabilne podatke
+9. **OCR demo** — upload primjer računa za INA gorivo, ekstrakcija polja
+10. **Putni nalog flow** — kreiraj → odobri (klub_admin) → isplati (pgz_admin) → vidjeti audit log
+
+### Nakon prezentacije
+11. **GitHub mirror** — repo trenutno samo na Gitea, treba GitHub token od Damira
+12. **WebSocket notifikacije** za real-time updates
+13. **Mobile responsive** — testirano je samo desktop
+14. **i18n** — sve labele su HR, dodati EN/IT kasnije
+15. **Stripe integracija** za online plaćanje članarina
+
+---
+
+## 💡 KLJUČNI UVIDI
+
+- **Bridge API** = lifeline za rad sa serverom. Sve curl-ove ide kroz `https://api.rinet.one/bridge/exec` s `X-API-KEY: rinet-yS4ZnKlwUqsjk`.
+- **CC agenti tmux send-keys** — uvijek `Enter` pa `sleep 3` pa drugi `Enter` za submit.
+- **CC NE radi kao root** — treba `su - claude` prvo.
+- **Auto-update CC fails** — ignoriraj, ne smeta.
+- **Static fileserve** — FastAPI mount /static, pa dodatno wildcard rute za /login /app /admin /crm /erp /audit /kpi (vidi pgz_sport_api.py oko linije 1465-1535).
+- **JWT token storage**: login.html sprema kao `pgz_access` u localStorage (s "Zapamti me") ili sessionStorage. SVI ostali HTML moraju čitati `pgz_access` PRVO, pa fallback na `jwt`/`access_token`.
+- **/sport/ prefiks BUG**: CC3 je generirao linkove s `/sport/static/`, `/sport/login` itd. Tokom 02:00 fixed sve. Provjeravati u svakom novom commit-u.
+- **Token mismatch**: app.html, crm.html, erp.html — getToken() funkcije fixed da čitaju pgz_access.
+- **Image escape u template literals** — CC3 je generirao broken `\\\\\\\\\\\\` escape u app.html line 1258 onclick alert. Fixed surgically (deletion).
+
+---
+
+## 🎬 DEMO FLOW (za župana)
+
+1. **https://sport.rinet.one/** — public portal pokazuje transparentnost (savezi, klubovi, sportaši, financije, mreža 3D, forenzika)
+2. **Klikni Josip Zec** → 257/182/15 stats, sezone, utakmice
+3. **Mreža** → 3D graf, search po imenu, klik na node
+4. **Forenzika** → Velimir Liverić PEP profil, sukob interesa
+5. **/login** → damir@pgz.hr → /app PGŽ admin dashboard
+6. **Moj profil** → uploada slike, GDPR export, audit pregled
+7. **/admin** → upravljanje korisnicima, kreiraj savez admina
+8. **Logout, login kao klub_admin** → drugi pogled
+9. **/erp** → upload račun za gorivo (OCR demo), kreiraj putni nalog
+10. **/crm** → generiraj HUB-3 uplatnicu članarine, pošalji opomenu
+11. **/audit** → blockchain seal log s polygonscan.com linkovima
+12. **Obogati klub Kvarner 2010** → vidi web/email/telefon dohvaćene s weba
+
+---
+
+## 🔧 BRZI POPRAVCI POVIJESNO (fixevi koje sam radio direktno)
+
+| Vrijeme | Fix |
+|---------|-----|
+| 23:00 | sport2.html broken triple quotes |
+| 23:30 | openSavez/searchNetwork undefined |
+| 00:00 | Login redirect /sport/static/admin_users.html → /app |
+| 00:15 | Audit.html missing → kreiran |
+| 00:30 | Static routes /login /app /admin /crm /erp /audit /kpi |
+| 01:00 | Service crashed → restart, dodano timeouts |
+| 01:30 | /sport/static/ prefiks bug u svim HTML |
+| 02:00 | app.html line 1258 broken JS escape (deletion) |
+| 02:00 | navTo function missing |
+| 02:00 | Token mismatch: pgz_access vs jwt |
+| 02:10 | sidebar.js URLs /sport/X → /X |
+| 02:14 | GDPR buttons placeholder alert → real funkcije |
+
+---
+
+## 📝 KAKO POKRENUTI NOVI CHAT
+
+Otvori novi chat s Claude i napiši:
+
+```
+Continuing rad na PGŽ Sport platforme. Pročitaj kompletni handoff:
+/opt/pgz-sport/HANDOFF_PGZ_SPORT_05may.md
+
+Pristup serveru: bridge API https://api.rinet.one/bridge/exec s X-API-KEY: rinet-yS4ZnKlwUqsjk
+
+Live: https://sport.rinet.one/
+Repo: https://git.rinet.one/damir/pgz-sport
+6 CC agenata aktivno (cc1-cc6 tmux), monitoring: bash /opt/pgz-sport/swarm.sh tiled
+
+Nastavi gdje smo stali — provjeri swarm status, što agenti trenutno rade, 
+i bake-mi prioritete iz "P0" sekcije handoff-a.
+```
+
+---
+
+## 👤 DAMIR — kontekst
+
+- Damir Radulić, OIB 11222984583, dradulic@outlook.com / damir@rinet.one
+- Osnivač Ri.NET. Tehnički suosnivač = Claude (brutalno iskren, ne yes-man).
+- Stil: House+Nicholson, kratko oštro, na hrvatskom.
+- Šatrovački pravilo: "kužiš → žišku".
+- Coding: bez artefakata, bash s cat/sed/EOF, headeri u svim fajlovima.
+- DABI brand iz nećaka Jana koji ga zove "Dabi".
+
+---
+
+**TO JE TO. Ovo je SPRINT do prezentacije. CC swarm radi 24/7. Damir se ne može priuštiti spavanje. Sutra ujutro sve mora raditi.**