fix(security): S1 encrypted backup, S2 mounted guard, P1 holidays out of build

- S1: AES-256-GCM + PBKDF2-SHA256 passphrase backup (200k iter), .enc envelope,
  password dialog with confirm field; auto-detect on restore
- S2: if (!mounted) return; guard at start of _syncPendingEvents()
- P1: _loadHolidays() moved out of build() — initState postFrameCallback + ref.listen
- Lint: remove unused headerStyle in pdf_export_service.dart

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: sprobst76

CHANGELOG.md

@@ -14,6 +14,16 @@ und dieses Projekt folgt [Semantic Versioning](https://semver.org/lang/de/).
 
 ---
 
+## [0.1.0-beta.70] - 2026-03-22
+
+### Sicherheit & Fixes
+- **S1 — Verschlüsseltes Backup**: Neues "Verschlüsseltes Backup"-Feature mit AES-256-GCM + PBKDF2-SHA256 (200.000 Iterationen); Passwort-Dialog mit Bestätigungsfeld; `.enc`-Format mit JSON-Envelope (salt, nonce, mac, ciphertext)
+- **S2 — mounted-Guard**: `_syncPendingEvents()` in `home_screen.dart` prüft nun `if (!mounted) return;` vor async-Operationen (verhindert Fehler nach Widget-Dispose)
+- **P1 — _loadHolidays aus build()**: Initialer Holiday-Load in `initState` via `addPostFrameCallback`; Bundesland-Änderungen über `ref.listen` — kein async-Aufruf mehr direkt in `build()`
+- **Lint**: Ungenutzten `headerStyle` in `pdf_export_service.dart` entfernt
+
+---
+
 ## [0.1.0-beta.69] - 2026-03-22
 
 ### Tests

lib/screens/home_screen.dart

@@ -678,6 +678,7 @@ class _HomeState extends ConsumerState<HomeScreen> with WidgetsBindingObserver {
   }
 
   Future<void> _syncPendingEvents() async {
+    if (!mounted) return;
     final processedCount = await _syncService.syncPendingEvents();
     if (processedCount > 0) {
       ref.invalidate(workListProvider);

lib/screens/report_screen.dart

@@ -41,6 +41,10 @@ class _ReportScreenState extends ConsumerState<ReportScreen> with SingleTickerPr
   void initState() {
     super.initState();
     _tabController = TabController(length: 4, vsync: this);
+    WidgetsBinding.instance.addPostFrameCallback((_) {
+      final settings = ref.read(settingsProvider);
+      _loadHolidays(settings.bundesland);
+    });
   }
 
   @override
@@ -317,9 +321,11 @@ class _ReportScreenState extends ConsumerState<ReportScreen> with SingleTickerPr
     final periodsNotifier = ref.watch(weeklyHoursPeriodsProvider.notifier);
 
     // Lade Feiertage wenn sich das Bundesland ändert
-    if (_loadedBundesland != settings.bundesland) {
-      _loadHolidays(settings.bundesland);
-    }
+    ref.listen(settingsProvider, (prev, next) {
+      if (prev?.bundesland != next.bundesland) {
+        _loadHolidays(next.bundesland);
+      }
+    });
 
     return Scaffold(
       appBar: AppBar(

lib/screens/settings_screen.dart

@@ -1486,6 +1486,15 @@ class SettingsScreen extends ConsumerWidget {
               ],
             ),
             const SizedBox(height: 8),
+            SizedBox(
+              width: double.infinity,
+              child: OutlinedButton.icon(
+                onPressed: () => _createEncryptedBackup(context),
+                icon: const Icon(Icons.lock_outline),
+                label: const Text('Verschlüsseltes Backup'),
+              ),
+            ),
+            const SizedBox(height: 8),
             Container(
               padding: const EdgeInsets.all(8),
               decoration: BoxDecoration(
@@ -1590,6 +1599,84 @@ class SettingsScreen extends ConsumerWidget {
     }
   }
 
+  Future<void> _createEncryptedBackup(BuildContext context) async {
+    final controller = TextEditingController();
+    final confirmController = TextEditingController();
+    final passphrase = await showDialog<String>(
+      context: context,
+      builder: (ctx) => AlertDialog(
+        title: const Text('Verschlüsseltes Backup'),
+        content: Column(
+          mainAxisSize: MainAxisSize.min,
+          children: [
+            const Text('Backup wird mit einem Passwort verschlüsselt (AES-256-GCM). '
+                'Bewahre das Passwort sicher auf — ohne es kann das Backup nicht wiederhergestellt werden.'),
+            const SizedBox(height: 16),
+            TextField(
+              controller: controller,
+              obscureText: true,
+              decoration: const InputDecoration(
+                labelText: 'Passwort',
+                border: OutlineInputBorder(),
+              ),
+            ),
+            const SizedBox(height: 8),
+            TextField(
+              controller: confirmController,
+              obscureText: true,
+              decoration: const InputDecoration(
+                labelText: 'Passwort bestätigen',
+                border: OutlineInputBorder(),
+              ),
+            ),
+          ],
+        ),
+        actions: [
+          TextButton(
+            onPressed: () => Navigator.pop(ctx),
+            child: const Text('Abbrechen'),
+          ),
+          TextButton(
+            onPressed: () {
+              if (controller.text.isEmpty) return;
+              if (controller.text != confirmController.text) {
+                ScaffoldMessenger.of(ctx).showSnackBar(
+                  const SnackBar(content: Text('Passwörter stimmen nicht überein')),
+                );
+                return;
+              }
+              Navigator.pop(ctx, controller.text);
+            },
+            child: const Text('Erstellen'),
+          ),
+        ],
+      ),
+    );
+    if (passphrase == null || !context.mounted) return;
+
+    showDialog(
+      context: context,
+      barrierDismissible: false,
+      builder: (_) => const Center(child: CircularProgressIndicator()),
+    );
+    try {
+      final backupService = BackupService();
+      await backupService.shareEncryptedBackup(passphrase);
+      if (context.mounted) Navigator.pop(context);
+    } catch (e) {
+      if (context.mounted) {
+        Navigator.pop(context);
+        ScaffoldMessenger.of(context).showSnackBar(
+          SnackBar(
+            content: Text('Verschlüsseltes Backup fehlgeschlagen: $e'),
+            backgroundColor: Colors.red,
+            behavior: SnackBarBehavior.floating,
+          ),
+        );
+      }
+    }
+  }
+
   void _showImportInfo(BuildContext context, WidgetRef ref) {
     showDialog(
       context: context,

lib/services/backup_service.dart

@@ -1,6 +1,9 @@
 import 'dart:convert';
 import 'dart:io';
+import 'dart:math';
+import 'dart:typed_data';
 import 'package:archive/archive.dart';
+import 'package:cryptography/cryptography.dart';
 import 'package:hive/hive.dart';
 import 'package:path_provider/path_provider.dart';
 import 'package:share_plus/share_plus.dart';
@@ -89,6 +92,154 @@ class BackupService {
     );
   }
 
+  /// Erstellt ein passphrase-verschlüsseltes Backup (AES-256-GCM + PBKDF2-SHA256)
+  Future<File> createEncryptedBackup(String passphrase) async {
+    final archive = Archive();
+
+    final metadata = {
+      'version': backupVersion,
+      'createdAt': DateTime.now().toIso8601String(),
+      'appVersion': '0.1.0',
+    };
+    archive.addFile(_createJsonFile('metadata.json', metadata));
+
+    final workBox = Hive.box<WorkEntry>('work');
+    archive.addFile(_createJsonFile('work_entries.json',
+        workBox.values.map(_workEntryToJson).toList()));
+
+    final vacationBox = Hive.box<Vacation>('vacations');
+    archive.addFile(_createJsonFile('vacations.json',
+        vacationBox.values.map(_vacationToJson).toList()));
+
+    final quotaBox = Hive.box<VacationQuota>('vacation_quotas');
+    archive.addFile(_createJsonFile('vacation_quotas.json',
+        quotaBox.values.map(_quotaToJson).toList()));
+
+    final settingsBox = Hive.box<Settings>('settings');
+    if (settingsBox.isNotEmpty) {
+      archive.addFile(_createJsonFile('settings.json',
+          _settingsToJson(settingsBox.getAt(0)!)));
+    }
+
+    final projectBox = Hive.box<Project>('projects');
+    archive.addFile(_createJsonFile('projects.json',
+        projectBox.values.map(_projectToJson).toList()));
+
+    final periodsBox = Hive.box<WeeklyHoursPeriod>('weekly_hours_periods');
+    archive.addFile(_createJsonFile('weekly_hours_periods.json',
+        periodsBox.values.map(_periodToJson).toList()));
+
+    final zonesBox = Hive.box<GeofenceZone>('geofence_zones');
+    archive.addFile(_createJsonFile('geofence_zones.json',
+        zonesBox.values.map(_zoneToJson).toList()));
+
+    final zipData = ZipEncoder().encode(archive);
+    if (zipData == null) throw Exception('Failed to create ZIP archive');
+
+    // PBKDF2-SHA256 key derivation
+    final rng = Random.secure();
+    final salt = Uint8List.fromList(List.generate(16, (_) => rng.nextInt(256)));
+    final nonce = Uint8List.fromList(List.generate(12, (_) => rng.nextInt(256)));
+
+    const kdfIterations = 200000;
+    final pbkdf2 = Pbkdf2(
+      macAlgorithm: Hmac.sha256(),
+      iterations: kdfIterations,
+      bits: 256,
+    );
+    final secretKey = await pbkdf2.deriveKey(
+      secretKey: SecretKey(utf8.encode(passphrase)),
+      nonce: salt,
+    );
+
+    // AES-256-GCM encryption
+    final algorithm = AesGcm.with256bits();
+    final secretBox = await algorithm.encrypt(
+      zipData,
+      secretKey: secretKey,
+      nonce: nonce,
+    );
+
+    // JSON envelope
+    final envelope = jsonEncode({
+      'v': 1,
+      'alg': 'AES-256-GCM',
+      'kdf': 'PBKDF2-SHA256',
+      'iter': kdfIterations,
+      'salt': base64Encode(salt),
+      'nonce': base64Encode(secretBox.nonce),
+      'mac': base64Encode(secretBox.mac.bytes),
+      'data': base64Encode(secretBox.cipherText),
+    });
+
+    final dir = await getApplicationDocumentsDirectory();
+    final timestamp = DateTime.now().toIso8601String().replaceAll(':', '-').split('.').first;
+    final file = File('${dir.path}/vibedtracker_backup_$timestamp.enc');
+    await file.writeAsString(envelope);
+    return file;
+  }
+
+  /// Teilt das verschlüsselte Backup über Share-Dialog
+  Future<void> shareEncryptedBackup(String passphrase) async {
+    final file = await createEncryptedBackup(passphrase);
+    await Share.shareXFiles(
+      [XFile(file.path)],
+      subject: 'VibedTracker Backup (verschlüsselt)',
+      text: 'VibedTracker Daten-Backup (verschlüsselt)',
+    );
+  }
+
+  /// Stellt Daten aus einem verschlüsselten Backup wieder her
+  Future<BackupRestoreResult> restoreFromEncryptedFile(
+      File encFile, String passphrase) async {
+    try {
+      final envelope = jsonDecode(await encFile.readAsString()) as Map<String, dynamic>;
+
+      if (envelope['v'] != 1 || envelope['alg'] != 'AES-256-GCM') {
+        return BackupRestoreResult(
+            success: false, error: 'Unbekanntes Backup-Format');
+      }
+
+      final salt = base64Decode(envelope['salt'] as String);
+      final nonce = base64Decode(envelope['nonce'] as String);
+      final mac = base64Decode(envelope['mac'] as String);
+      final cipherText = base64Decode(envelope['data'] as String);
+      final iterations = (envelope['iter'] as int?) ?? 200000;
+
+      final pbkdf2 = Pbkdf2(
+        macAlgorithm: Hmac.sha256(),
+        iterations: iterations,
+        bits: 256,
+      );
+      final secretKey = await pbkdf2.deriveKey(
+        secretKey: SecretKey(utf8.encode(passphrase)),
+        nonce: salt,
+      );
+
+      final algorithm = AesGcm.with256bits();
+      final List<int> zipData;
+      try {
+        zipData = await algorithm.decrypt(
+          SecretBox(cipherText, nonce: nonce, mac: Mac(mac)),
+          secretKey: secretKey,
+        );
+      } on SecretBoxAuthenticationError {
+        return BackupRestoreResult(
+            success: false, error: 'Falsches Passwort oder beschädigtes Backup');
+      }
+
+      // Temporäre ZIP-Datei schreiben und restore aufrufen
+      final dir = await getApplicationDocumentsDirectory();
+      final tmpFile = File('${dir.path}/_restore_tmp.zip');
+      await tmpFile.writeAsBytes(zipData);
+      final result = await restoreFromFile(tmpFile);
+      await tmpFile.delete();
+      return result;
+    } catch (e) {
+      return BackupRestoreResult(success: false, error: e.toString());
+    }
+  }
+
   /// Stellt Daten aus einem Backup wieder her
   Future<BackupRestoreResult> restoreFromFile(File zipFile) async {
     try {

lib/services/pdf_export_service.dart

@@ -145,7 +145,6 @@ class PdfExportService {
   // ── Tabelle ──────────────────────────────────────────────────────────────────
 
   pw.Widget _buildTable(List<WorkEntry> sorted, List<Project> projects) {
-    const headerStyle = pw.TextStyle(fontSize: 9, color: PdfColors.white);
     const cellStyle   = pw.TextStyle(fontSize: 9);
     const headerBg    = PdfColors.blueGrey700;
 
@@ -163,8 +162,7 @@ class PdfExportService {
     return pw.TableHelper.fromTextArray(
       columnWidths: {for (var i = 0; i < widths.length; i++) i: widths[i]},
       headers: headers,
-      headerStyle: pw.TextStyle(
-          fontSize: 9, fontWeight: pw.FontWeight.bold, color: PdfColors.white),
+      headerStyle: const pw.TextStyle(fontSize: 9, color: PdfColors.white),
       headerDecoration: const pw.BoxDecoration(color: headerBg),
       cellStyle: cellStyle,
       cellAlignments: {

pubspec.yaml

@@ -1,6 +1,6 @@
 name: time_tracker
 description: Zeiterfassung mit Geofence, Urlaub, Feiertagen & ICS-Sync
-version: 0.1.0-beta.69+69
+version: 0.1.0-beta.70+70
 publish_to: 'none'
 
 environment: