From 87a69bcc8bdf8c7839edd3eeebdf5b973da48fe0 Mon Sep 17 00:00:00 2001
From: Davide Scaini <davide.scaini@alumni.cern>
Date: Wed, 15 Apr 2026 20:37:42 +0200
Subject: [PATCH] settings: add nav visibility prefs and per-user Strava
 credentials
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- user_prefs table in db.py with get/set helpers
- GET/PUT /api/me/prefs endpoints for bulk pref management
- GET/PUT/DELETE /api/me/strava-credentials; PUT preserves existing
  secret when client_secret field is left blank
- _strava_creds() helper resolves per-user → instance fallback across
  all five Strava endpoints
- Settings page: Navigation card (hide Feed/Community/About toggles)
  and Strava credentials card
- Base.astro: ids on feed/community/about nav links; applies
  nav_hide_* prefs after login
---
 bincio/serve/db.py                  |  38 ++++++
 bincio/serve/server.py              | 136 ++++++++++++++++++++--
 site/src/layouts/Base.astro         |  25 +++-
 site/src/pages/settings/index.astro | 172 ++++++++++++++++++++++++++++
 4 files changed, 358 insertions(+), 13 deletions(-)

diff --git a/bincio/serve/db.py b/bincio/serve/db.py
index 9a901cf..96f450e 100644
--- a/bincio/serve/db.py
+++ b/bincio/serve/db.py
@@ -59,9 +59,17 @@ CREATE TABLE IF NOT EXISTS settings (
     value TEXT NOT NULL
 );
 
+CREATE TABLE IF NOT EXISTS user_prefs (
+    handle  TEXT NOT NULL REFERENCES users(handle) ON DELETE CASCADE,
+    key     TEXT NOT NULL,
+    value   TEXT NOT NULL,
+    PRIMARY KEY (handle, key)
+);
+
 CREATE INDEX IF NOT EXISTS sessions_handle ON sessions(handle);
 CREATE INDEX IF NOT EXISTS invites_created_by ON invites(created_by);
 CREATE INDEX IF NOT EXISTS reset_codes_handle ON reset_codes(handle);
+CREATE INDEX IF NOT EXISTS user_prefs_handle ON user_prefs(handle);
 """
 
 _SESSION_DAYS = 30
@@ -361,6 +369,36 @@ def create_reset_code(db: sqlite3.Connection, handle: str, created_by: str) -> s
     return code
 
 
+# ── User preferences ─────────────────────────────────────────────────────────
+
+def get_user_prefs(db: sqlite3.Connection, handle: str) -> dict[str, str]:
+    """Return all preferences for a user as a plain dict."""
+    rows = db.execute(
+        "SELECT key, value FROM user_prefs WHERE handle = ?", (handle,)
+    ).fetchall()
+    return {r["key"]: r["value"] for r in rows}
+
+
+def set_user_pref(db: sqlite3.Connection, handle: str, key: str, value: str) -> None:
+    db.execute(
+        "INSERT INTO user_prefs (handle, key, value) VALUES (?, ?, ?) "
+        "ON CONFLICT(handle, key) DO UPDATE SET value = excluded.value",
+        (handle, key, value),
+    )
+    db.commit()
+
+
+def set_user_prefs(db: sqlite3.Connection, handle: str, prefs: dict[str, str]) -> None:
+    """Bulk-upsert multiple preferences for a user."""
+    for key, value in prefs.items():
+        db.execute(
+            "INSERT INTO user_prefs (handle, key, value) VALUES (?, ?, ?) "
+            "ON CONFLICT(handle, key) DO UPDATE SET value = excluded.value",
+            (handle, key, value),
+        )
+    db.commit()
+
+
 def use_reset_code(db: sqlite3.Connection, code: str, handle: str) -> bool:
     """Validate a reset code for the given handle and mark it used.
 
diff --git a/bincio/serve/server.py b/bincio/serve/server.py
index acac2dc..7d24c8e 100644
--- a/bincio/serve/server.py
+++ b/bincio/serve/server.py
@@ -41,6 +41,8 @@ from bincio.serve.db import (
     get_session,
     get_setting,
     get_user,
+    get_user_prefs,
+    set_user_prefs,
     list_invites,
     list_users,
     open_db,
@@ -99,6 +101,29 @@ def _get_db():
     return _db
 
 
+_STRAVA_CREDS_FILE = "strava_credentials.json"
+
+
+def _strava_creds(handle: str) -> tuple[str, str]:
+    """Return (client_id, client_secret) for a user.
+
+    Per-user credentials stored in {user_dir}/strava_credentials.json take
+    precedence over the global instance-level strava_client_id/secret.
+    Returns ("", "") when neither is configured.
+    """
+    creds_path = _get_data_dir() / handle / _STRAVA_CREDS_FILE
+    if creds_path.exists():
+        try:
+            d = json.loads(creds_path.read_text(encoding="utf-8"))
+            cid = str(d.get("client_id", "")).strip()
+            csec = str(d.get("client_secret", "")).strip()
+            if cid and csec:
+                return cid, csec
+        except Exception:
+            pass
+    return strava_client_id, strava_client_secret
+
+
 def _get_data_dir() -> Path:
     if data_dir is None:
         raise HTTPException(500, "Server not configured")
@@ -1013,6 +1038,92 @@ async def me_update_display_name(
     return JSONResponse({"ok": True, "display_name": display_name})
 
 
+@app.get("/api/me/prefs")
+async def me_get_prefs(bincio_session: Optional[str] = Cookie(default=None)) -> JSONResponse:
+    """Return all user preferences as a key→value dict."""
+    user = _require_user(bincio_session)
+    return JSONResponse(get_user_prefs(_get_db(), user.handle))
+
+
+@app.put("/api/me/prefs")
+async def me_set_prefs(
+    request: Request,
+    bincio_session: Optional[str] = Cookie(default=None),
+) -> JSONResponse:
+    """Upsert one or more user preferences. Body: {key: value, ...} (all strings)."""
+    user = _require_user(bincio_session)
+    body = await request.json()
+    if not isinstance(body, dict):
+        raise HTTPException(400, "Body must be a JSON object")
+    # Coerce all values to strings; ignore unknown keys silently
+    prefs = {str(k): str(v) for k, v in body.items()}
+    set_user_prefs(_get_db(), user.handle, prefs)
+    return JSONResponse({"ok": True})
+
+
+@app.get("/api/me/strava-credentials")
+async def me_get_strava_credentials(bincio_session: Optional[str] = Cookie(default=None)) -> JSONResponse:
+    """Return whether per-user Strava credentials are configured (never returns the secret)."""
+    user = _require_user(bincio_session)
+    creds_path = _get_data_dir() / user.handle / _STRAVA_CREDS_FILE
+    has_user_creds = False
+    client_id_hint = ""
+    if creds_path.exists():
+        try:
+            d = json.loads(creds_path.read_text(encoding="utf-8"))
+            cid = str(d.get("client_id", "")).strip()
+            csec = str(d.get("client_secret", "")).strip()
+            if cid and csec:
+                has_user_creds = True
+                client_id_hint = cid
+        except Exception:
+            pass
+    return JSONResponse({
+        "has_user_creds": has_user_creds,
+        "client_id": client_id_hint,
+        "instance_configured": bool(strava_client_id),
+    })
+
+
+@app.put("/api/me/strava-credentials")
+async def me_set_strava_credentials(
+    request: Request,
+    bincio_session: Optional[str] = Cookie(default=None),
+) -> JSONResponse:
+    """Save per-user Strava credentials. Body: {client_id, client_secret}."""
+    user = _require_user(bincio_session)
+    body = await request.json()
+    cid  = str(body.get("client_id",     "")).strip()
+    csec = str(body.get("client_secret", "")).strip()
+    if not cid:
+        raise HTTPException(400, "client_id is required")
+    creds_path = _get_data_dir() / user.handle / _STRAVA_CREDS_FILE
+    # If client_secret is omitted, preserve existing secret (if any)
+    if not csec:
+        if creds_path.exists():
+            try:
+                existing = json.loads(creds_path.read_text(encoding="utf-8"))
+                csec = str(existing.get("client_secret", "")).strip()
+            except Exception:
+                pass
+    if not csec:
+        raise HTTPException(400, "client_secret is required (no existing secret to preserve)")
+    creds_path.write_text(
+        json.dumps({"client_id": cid, "client_secret": csec}, indent=2),
+        encoding="utf-8",
+    )
+    return JSONResponse({"ok": True})
+
+
+@app.delete("/api/me/strava-credentials")
+async def me_delete_strava_credentials(bincio_session: Optional[str] = Cookie(default=None)) -> JSONResponse:
+    """Remove per-user Strava credentials (falls back to instance credentials)."""
+    user = _require_user(bincio_session)
+    creds_path = _get_data_dir() / user.handle / _STRAVA_CREDS_FILE
+    creds_path.unlink(missing_ok=True)
+    return JSONResponse({"ok": True})
+
+
 @app.put("/api/me/password")
 async def me_change_password(
     request: Request,
@@ -1574,7 +1685,8 @@ _strava_oauth_states: set[str] = set()
 @app.get("/api/strava/status")
 async def strava_status(bincio_session: Optional[str] = Cookie(default=None)) -> JSONResponse:
     user = _require_user(bincio_session)
-    if not strava_client_id:
+    cid, _ = _strava_creds(user.handle)
+    if not cid:
         return JSONResponse({"configured": False, "connected": False, "last_sync": None})
     dd = _get_data_dir() / user.handle
     from bincio.extract.strava_api import load_token
@@ -1640,8 +1752,9 @@ async def strava_reset(request: Request, bincio_session: Optional[str] = Cookie(
 
 @app.get("/api/strava/auth-url")
 async def strava_auth_url(request: Request, bincio_session: Optional[str] = Cookie(default=None)) -> JSONResponse:
-    _require_user(bincio_session)
-    if not strava_client_id:
+    user = _require_user(bincio_session)
+    cid, _ = _strava_creds(user.handle)
+    if not cid:
         raise HTTPException(400, "Strava client ID not configured on this server")
     state = secrets.token_urlsafe(16)
     _strava_oauth_states.add(state)
@@ -1650,7 +1763,7 @@ async def strava_auth_url(request: Request, bincio_session: Optional[str] = Cook
     else:
         redirect_uri = str(request.url_for("strava_callback"))
     from bincio.extract.strava_api import auth_url
-    return JSONResponse({"url": auth_url(strava_client_id, redirect_uri, state=state)})
+    return JSONResponse({"url": auth_url(cid, redirect_uri, state=state)})
 
 
 @app.get("/api/strava/callback", name="strava_callback")
@@ -1670,12 +1783,13 @@ async def strava_callback(
     user = _current_user(bincio_session)
     if not user:
         return RedirectResponse(f"{site_origin}/?strava=error")
-    if not strava_client_id or not strava_client_secret:
+    cid, csec = _strava_creds(user.handle)
+    if not cid or not csec:
         return RedirectResponse(f"{site_origin}/?strava=error")
     dd = _get_data_dir() / user.handle
     from bincio.extract.strava_api import StravaError, exchange_code, save_token
     try:
-        token = exchange_code(strava_client_id, strava_client_secret, code)
+        token = exchange_code(cid, csec, code)
     except StravaError:
         return RedirectResponse(f"{site_origin}/?strava=error")
     save_token(dd, token)
@@ -1686,7 +1800,8 @@ async def strava_callback(
 async def serve_strava_sync_stream(bincio_session: Optional[str] = Cookie(default=None)) -> StreamingResponse:
     """SSE endpoint — streams per-activity progress then a final summary event."""
     user = _require_user(bincio_session)
-    if not strava_client_id or not strava_client_secret:
+    cid, csec = _strava_creds(user.handle)
+    if not cid or not csec:
         raise HTTPException(400, "Strava not configured on this server")
     dd = _get_data_dir() / user.handle
     store_orig_setting = get_setting(_get_db(), "store_originals")
@@ -1699,7 +1814,7 @@ async def serve_strava_sync_stream(bincio_session: Optional[str] = Cookie(defaul
 
     def event_stream():
         try:
-            for event in strava_sync_iter(dd, strava_client_id, strava_client_secret, originals_dir):
+            for event in strava_sync_iter(dd, cid, csec, originals_dir):
                 if event["type"] == "done":
                     _trigger_rebuild(user.handle)  # start before client closes connection
                 yield f"data: {json.dumps(event)}\n\n"
@@ -1716,7 +1831,8 @@ async def serve_strava_sync_stream(bincio_session: Optional[str] = Cookie(defaul
 @app.post("/api/strava/sync")
 async def serve_strava_sync(bincio_session: Optional[str] = Cookie(default=None)) -> JSONResponse:
     user = _require_user(bincio_session)
-    if not strava_client_id or not strava_client_secret:
+    cid, csec = _strava_creds(user.handle)
+    if not cid or not csec:
         raise HTTPException(400, "Strava not configured on this server")
     dd = _get_data_dir() / user.handle
     store_orig_setting = get_setting(_get_db(), "store_originals")
@@ -1726,7 +1842,7 @@ async def serve_strava_sync(bincio_session: Optional[str] = Cookie(default=None)
         originals_dir.mkdir(parents=True, exist_ok=True)
     from bincio.edit.ops import run_strava_sync
     try:
-        result = run_strava_sync(dd, strava_client_id, strava_client_secret, originals_dir=originals_dir)
+        result = run_strava_sync(dd, cid, csec, originals_dir=originals_dir)
     except RuntimeError as e:
         raise HTTPException(502, str(e))
     _trigger_rebuild(user.handle)
diff --git a/site/src/layouts/Base.astro b/site/src/layouts/Base.astro
index 85ab878..4ac1b65 100644
--- a/site/src/layouts/Base.astro
+++ b/site/src/layouts/Base.astro
@@ -166,7 +166,7 @@ try {
         <div class="nav-links flex items-center gap-5 overflow-x-auto flex-1 min-w-0">
           <!-- Feed tab: only shown for multi-user (more than one shard) -->
           {!singleHandle && (
-            <a href={baseUrl} class="text-sm text-zinc-400 hover:text-white transition-colors shrink-0">Feed</a>
+            <a id="nav-feed" href={baseUrl} class="text-sm text-zinc-400 hover:text-white transition-colors shrink-0">Feed</a>
           )}
           <!-- Single-user: static handle link. Multi-user: populated by user-widget script. -->
           {singleHandle
@@ -177,7 +177,7 @@ try {
           <a id="nav-stats"   href={singleHandle ? `${baseUrl}u/${singleHandle}/stats/`   : `${baseUrl}stats/`}   data-user-path="stats/"   class="text-sm text-zinc-400 hover:text-white transition-colors shrink-0">Stats</a>
           <a id="nav-athlete" href={singleHandle ? `${baseUrl}u/${singleHandle}/athlete/` : `${baseUrl}athlete/`} data-user-path="athlete/" class="text-sm text-zinc-400 hover:text-white transition-colors shrink-0">Athlete</a>
           {!singleHandle && (
-            <a href={`${baseUrl}community/`} class="text-sm text-zinc-400 hover:text-white transition-colors shrink-0">Community</a>
+            <a id="nav-community" href={`${baseUrl}community/`} class="text-sm text-zinc-400 hover:text-white transition-colors shrink-0">Community</a>
           )}
           {mobileApp && (
             <a id="nav-record" href={singleHandle ? `${baseUrl}u/${singleHandle}/record/` : `${baseUrl}record/`} data-user-path="record/" class="text-sm text-zinc-400 hover:text-white transition-colors shrink-0">Record</a>
@@ -185,7 +185,7 @@ try {
           {mobileApp && (
             <a href={`${baseUrl}convert/`} class="text-sm text-zinc-400 hover:text-white transition-colors shrink-0">Convert</a>
           )}
-          <a href={`${baseUrl}about/`} class="text-sm text-zinc-400 hover:text-white transition-colors shrink-0">About</a>
+          <a id="nav-about" href={`${baseUrl}about/`} class="text-sm text-zinc-400 hover:text-white transition-colors shrink-0">About</a>
         </div>
       )}
 
@@ -511,6 +511,25 @@ try {
           const chk = document.getElementById('upload-keep-original');
           if (chk && user.store_originals_default) chk.checked = true;
 
+          // Apply nav visibility prefs
+          try {
+            const pr = await fetch('/api/me/prefs', { credentials: 'include' });
+            if (pr.ok) {
+              const prefs = await pr.json();
+              const navHideMap: Record<string, string> = {
+                'nav_hide_feed':      'nav-feed',
+                'nav_hide_community': 'nav-community',
+                'nav_hide_about':     'nav-about',
+              };
+              for (const [key, elId] of Object.entries(navHideMap)) {
+                if (prefs[key] === 'true') {
+                  const el = document.getElementById(elId);
+                  if (el) el.style.display = 'none';
+                }
+              }
+            }
+          } catch (_) {}
+
           // Admin: show admin link and poll for active jobs
           if (user.is_admin) {
             const adminLink = document.getElementById('nav-admin');
diff --git a/site/src/pages/settings/index.astro b/site/src/pages/settings/index.astro
index b0d95b9..9443846 100644
--- a/site/src/pages/settings/index.astro
+++ b/site/src/pages/settings/index.astro
@@ -85,6 +85,58 @@ import Base from '../../layouts/Base.astro';
       </form>
     </section>
 
+    <!-- Navigation visibility card -->
+    <section class="mb-6 rounded-xl bg-zinc-900 border border-zinc-800 p-5">
+      <h2 class="text-sm font-semibold text-zinc-400 uppercase tracking-wider mb-1">Navigation</h2>
+      <p class="text-xs text-zinc-600 mb-4">Hide items from the top nav bar. Affects only your view.</p>
+      <div class="space-y-3">
+        <label class="flex items-center gap-3 cursor-pointer group">
+          <input id="nav-hide-feed" type="checkbox" class="accent-[--accent]" />
+          <span class="text-sm text-zinc-300 group-hover:text-white transition-colors">Hide Feed</span>
+        </label>
+        <label class="flex items-center gap-3 cursor-pointer group">
+          <input id="nav-hide-community" type="checkbox" class="accent-[--accent]" />
+          <span class="text-sm text-zinc-300 group-hover:text-white transition-colors">Hide Community</span>
+        </label>
+        <label class="flex items-center gap-3 cursor-pointer group">
+          <input id="nav-hide-about" type="checkbox" class="accent-[--accent]" />
+          <span class="text-sm text-zinc-300 group-hover:text-white transition-colors">Hide About</span>
+        </label>
+      </div>
+      <p id="nav-prefs-status" class="text-xs mt-3 hidden"></p>
+    </section>
+
+    <!-- Strava credentials card -->
+    <section class="mb-6 rounded-xl bg-zinc-900 border border-zinc-800 p-5">
+      <h2 class="text-sm font-semibold text-zinc-400 uppercase tracking-wider mb-1">Strava API credentials</h2>
+      <p id="strava-creds-desc" class="text-xs text-zinc-600 mb-4">Loading…</p>
+      <form id="strava-creds-form" class="space-y-3">
+        <div>
+          <label class="block text-xs text-zinc-500 mb-1" for="strava-client-id">Client ID</label>
+          <input id="strava-client-id" type="text" autocomplete="off"
+            class="w-full px-3 py-2 rounded-lg bg-zinc-800 border border-zinc-700 text-white placeholder-zinc-500 focus:outline-none focus:border-[--accent] text-sm"
+            placeholder="123456" />
+        </div>
+        <div>
+          <label class="block text-xs text-zinc-500 mb-1" for="strava-client-secret">Client secret</label>
+          <input id="strava-client-secret" type="password" autocomplete="off"
+            class="w-full px-3 py-2 rounded-lg bg-zinc-800 border border-zinc-700 text-white placeholder-zinc-500 focus:outline-none focus:border-[--accent] text-sm"
+            placeholder="Leave blank to keep existing" />
+        </div>
+        <p id="strava-creds-status" class="text-xs hidden"></p>
+        <div class="flex gap-2">
+          <button type="submit"
+            class="px-4 py-2 rounded-lg text-sm bg-zinc-700 hover:bg-zinc-600 text-white transition-colors">
+            Save
+          </button>
+          <button type="button" id="strava-creds-clear"
+            class="px-4 py-2 rounded-lg text-sm bg-zinc-800 hover:bg-red-900 hover:text-red-300 text-zinc-400 transition-colors">
+            Use instance credentials
+          </button>
+        </div>
+      </form>
+    </section>
+
     <!-- Danger zone -->
     <section class="rounded-xl bg-zinc-900 border border-red-900/40 p-5">
       <h2 class="text-sm font-semibold text-red-400/70 uppercase tracking-wider mb-4">Danger zone</h2>
@@ -342,8 +394,128 @@ import Base from '../../layouts/Base.astro';
   document.getElementById('del-activities-btn')?.addEventListener('click', () => openConfirm('activities'));
   document.getElementById('del-account-btn')?.addEventListener('click',    () => openConfirm('account'));
 
+  // ── Navigation prefs ─────────────────────────────────────────────────────────
+
+  const NAV_PREF_KEYS: Record<string, string> = {
+    'nav-hide-feed':      'nav_hide_feed',
+    'nav-hide-community': 'nav_hide_community',
+    'nav-hide-about':     'nav_hide_about',
+  };
+
+  async function loadNavPrefs() {
+    try {
+      const r = await fetch('/api/me/prefs', { credentials: 'include' });
+      if (!r.ok) return;
+      const prefs = await r.json();
+      for (const [elId, key] of Object.entries(NAV_PREF_KEYS)) {
+        const el = document.getElementById(elId) as HTMLInputElement | null;
+        if (el) el.checked = prefs[key] === 'true';
+      }
+    } catch {}
+  }
+
+  async function saveNavPref(key: string, value: boolean) {
+    const statusEl = document.getElementById('nav-prefs-status')!;
+    try {
+      const r = await fetch('/api/me/prefs', {
+        method: 'PUT',
+        credentials: 'include',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ [key]: String(value) }),
+      });
+      if (r.ok) {
+        setStatus(statusEl, 'Saved.', true);
+        setTimeout(() => statusEl.classList.add('hidden'), 2000);
+      } else {
+        const d = await r.json();
+        setStatus(statusEl, d.detail ?? 'Failed', false);
+      }
+    } catch {
+      setStatus(statusEl, 'Could not reach server', false);
+    }
+  }
+
+  for (const [elId, key] of Object.entries(NAV_PREF_KEYS)) {
+    document.getElementById(elId)?.addEventListener('change', (e) => {
+      saveNavPref(key, (e.target as HTMLInputElement).checked);
+    });
+  }
+
+  // ── Strava credentials ────────────────────────────────────────────────────────
+
+  async function loadStravaCreds() {
+    const desc = document.getElementById('strava-creds-desc')!;
+    try {
+      const r = await fetch('/api/me/strava-credentials', { credentials: 'include' });
+      if (!r.ok) { desc.textContent = 'Not available.'; return; }
+      const d = await r.json();
+      if (d.has_user_creds) {
+        desc.textContent = `Using your own credentials (Client ID: ${d.client_id}).`;
+        (document.getElementById('strava-client-id') as HTMLInputElement).value = d.client_id ?? '';
+      } else if (d.instance_configured) {
+        desc.textContent = 'Using instance-level credentials. Enter your own below to override.';
+      } else {
+        desc.textContent = 'Strava is not configured on this instance. You can set your own API credentials below.';
+      }
+    } catch {
+      desc.textContent = 'Could not load Strava settings.';
+    }
+  }
+
+  document.getElementById('strava-creds-form')?.addEventListener('submit', async (e) => {
+    e.preventDefault();
+    const statusEl = document.getElementById('strava-creds-status')!;
+    const clientId     = (document.getElementById('strava-client-id')     as HTMLInputElement).value.trim();
+    const clientSecret = (document.getElementById('strava-client-secret') as HTMLInputElement).value.trim();
+    if (!clientId) {
+      setStatus(statusEl, 'Client ID is required.', false);
+      return;
+    }
+    try {
+      const body: Record<string, string> = { client_id: clientId };
+      if (clientSecret) body.client_secret = clientSecret;
+      const r = await fetch('/api/me/strava-credentials', {
+        method: 'PUT',
+        credentials: 'include',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify(body),
+      });
+      const d = await r.json();
+      if (r.ok) {
+        setStatus(statusEl, 'Saved.', true);
+        (document.getElementById('strava-client-secret') as HTMLInputElement).value = '';
+        loadStravaCreds();
+      } else {
+        setStatus(statusEl, d.detail ?? 'Failed', false);
+      }
+    } catch {
+      setStatus(statusEl, 'Could not reach server', false);
+    }
+  });
+
+  document.getElementById('strava-creds-clear')?.addEventListener('click', async () => {
+    const statusEl = document.getElementById('strava-creds-status')!;
+    if (!confirm('Remove your custom Strava credentials and fall back to instance credentials?')) return;
+    try {
+      const r = await fetch('/api/me/strava-credentials', { method: 'DELETE', credentials: 'include' });
+      if (r.ok) {
+        setStatus(statusEl, 'Cleared — using instance credentials.', true);
+        (document.getElementById('strava-client-id')     as HTMLInputElement).value = '';
+        (document.getElementById('strava-client-secret') as HTMLInputElement).value = '';
+        loadStravaCreds();
+      } else {
+        const d = await r.json();
+        setStatus(statusEl, d.detail ?? 'Failed', false);
+      }
+    } catch {
+      setStatus(statusEl, 'Could not reach server', false);
+    }
+  });
+
   // ── Init ─────────────────────────────────────────────────────────────────────
 
   loadMe();
   loadStorage();
+  loadNavPrefs();
+  loadStravaCreds();
 </script>