diff --git a/CHANGELOG.md b/CHANGELOG.md
index e1f59a8d..a65a17cf 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,6 +13,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - **Architecture refactor** — API v1 split into per-resource sub-blueprints (projects, tasks, clients, invoices, expenses, payments, mileage, deals, leads, contacts) under `app/routes/api_v1_*.py`; bootstrap slimmed by moving `setup_logging` to `app/utils/setup_logging.py` and legacy migrations to `app/utils/legacy_migrations.py`. Dashboard aggregations (top projects, time-by-project chart) moved into `AnalyticsService` (`get_dashboard_top_projects`, `get_time_by_project_chart`); dashboard route simplified to call services only. ARCHITECTURE.md updated with module table, API structure, and data flow; DEVELOPMENT.md with development workflow and build steps.
 
 ### Fixed
+- **Xero integration for apps created after March 2026 (Issue #567)** — OAuth no longer fails with "Invalid scope for client" for Xero Developer apps created on or after March 2, 2026. Replaced deprecated `accounting.transactions` scope with granular `accounting.invoices` and `accounting.payments`. Expense sync now uses the correct `/api.xro/2.0/ExpenseClaims` endpoint (replacing the non-existent `/api.xro/2.0/Expenses`) and reads `ExpenseClaimID` from the response. `_api_request` now accepts an optional request body so invoice and expense payloads are sent to the Xero API. See [docs/integrations/XERO.md](docs/integrations/XERO.md).
 - **Time Entries date filter and export (Issue #555)** — Start/End date filters were hard to discover and exports ignored them. The Time Entries overview now has a visible **Apply filters** button in the filter header (next to Clear Filters and Export) so users can apply date and other filters without scrolling. CSV and PDF export links always use the current filter parameters: export href is set from the page URL on load and updated whenever filter form values change, so left-click export, right-click "Open in new tab", and "Save link as" all produce filtered exports. The in-form Apply filters button and the header button both trigger the same filter logic; clicking the header button expands the filter panel if it is collapsed.
 - **Log Time / Edit Time Entry on mobile (Issue #557)** — Opening the manual time entry ("Log Time") or edit time entry page on mobile could freeze or crash the browser. The Toast UI Editor (WYSIWYG markdown editor) for the notes field is heavy and causes freezes on mobile Safari/Chrome. On viewports ≤767px we now skip loading the editor and show a plain textarea for notes instead; desktop behavior is unchanged. Manual entry and edit timer templates load Toast UI only when not in mobile view.
 - **Stop & Save error (Issue #563)** — Fixed error after clicking "Stop & Save" on the dashboard. The post-timer toast was building the "View time entries" URL with the wrong route name (`timer.time_entries`); the correct endpoint is `timer.time_entries_overview`. Time entries were already saved; the error occurred when rendering the dashboard redirect.
diff --git a/app/integrations/xero.py b/app/integrations/xero.py
index 566e8958..66004694 100644
--- a/app/integrations/xero.py
+++ b/app/integrations/xero.py
@@ -38,7 +38,7 @@ def get_authorization_url(self, redirect_uri: str, state: str = None) -> str:
         if not client_id:
             raise ValueError("XERO_CLIENT_ID not configured")
 
-        scopes = ["accounting.transactions", "accounting.contacts", "accounting.settings", "offline_access"]
+        scopes = ["accounting.invoices", "accounting.payments", "accounting.contacts", "accounting.settings", "offline_access"]
 
         auth_url = "https://login.xero.com/identity/connect/authorize"
         params = {
@@ -180,7 +180,14 @@ def test_connection(self) -> Dict[str, Any]:
         except Exception as e:
             return {"success": False, "message": f"Connection test failed: {str(e)}"}
 
-    def _api_request(self, method: str, endpoint: str, access_token: str, tenant_id: str) -> Optional[Dict]:
+    def _api_request(
+        self,
+        method: str,
+        endpoint: str,
+        access_token: str,
+        tenant_id: str,
+        json_body: Optional[Dict] = None,
+    ) -> Optional[Dict]:
         """Make API request to Xero"""
         url = f"{self.BASE_URL}{endpoint}"
 
@@ -195,7 +202,7 @@ def _api_request(self, method: str, endpoint: str, access_token: str, tenant_id:
             if method.upper() == "GET":
                 response = requests.get(url, headers=headers, timeout=10)
             elif method.upper() == "POST":
-                response = requests.post(url, headers=headers, timeout=10, json={})
+                response = requests.post(url, headers=headers, timeout=10, json=json_body or {})
             else:
                 response = requests.request(method, url, headers=headers, timeout=10)
 
@@ -251,7 +258,7 @@ def sync_data(self, sync_type: str = "full") -> Dict[str, Any]:
                         if xero_expense:
                             if not hasattr(expense, "metadata") or not expense.metadata:
                                 expense.metadata = {}
-                            expense.metadata["xero_expense_id"] = xero_expense.get("Expenses", [{}])[0].get("ExpenseID")
+                            expense.metadata["xero_expense_id"] = xero_expense.get("ExpenseClaims", [{}])[0].get("ExpenseClaimID")
                             synced_count += 1
                     except Exception as e:
                         errors.append(f"Error syncing expense {expense.id}: {str(e)}")
@@ -316,7 +323,7 @@ def _create_xero_invoice(self, invoice, access_token: str, tenant_id: str) -> Op
             xero_invoice["LineItems"].append(line_item)
 
         endpoint = "/api.xro/2.0/Invoices"
-        return self._api_request("POST", endpoint, access_token, tenant_id)
+        return self._api_request("POST", endpoint, access_token, tenant_id, json_body={"Invoices": [xero_invoice]})
 
     def _create_xero_expense(self, expense, access_token: str, tenant_id: str) -> Optional[Dict]:
         """Create expense in Xero"""
@@ -346,8 +353,8 @@ def _create_xero_expense(self, expense, access_token: str, tenant_id: str) -> Op
             ],
         }
 
-        endpoint = "/api.xro/2.0/Expenses"
-        return self._api_request("POST", endpoint, access_token, tenant_id)
+        endpoint = "/api.xro/2.0/ExpenseClaims"
+        return self._api_request("POST", endpoint, access_token, tenant_id, json_body={"ExpenseClaims": [xero_expense]})
 
     def get_config_schema(self) -> Dict[str, Any]:
         """Get configuration schema."""
diff --git a/app/routes/auth.py b/app/routes/auth.py
index ce7f32d0..931db3d0 100644
--- a/app/routes/auth.py
+++ b/app/routes/auth.py
@@ -758,15 +758,38 @@ def oidc_callback():
         try:
             token = client.authorize_access_token()
         except Exception as token_err:
-            current_app.logger.warning(
-                "OIDC token exchange failed (state/code_verifier mismatch or invalid code). "
-                "Session may have been lost between redirect and callback – check cookie size, domain, Secure, SameSite and proxy headers: %s",
-                token_err,
-            )
-            current_app.logger.info("OIDC callback redirect to login: reason=token_exchange_failed")
-            flash(
-                _("SSO failed. If this repeats, check session cookie and proxy configuration."), "error"
+            err_str = str(token_err).lower()
+            err_type_name = type(token_err).__name__
+            is_algorithm_or_jwe = (
+                "unsupported_algorithm" in err_str
+                or "unsupportedalgorithmerror" in err_type_name.lower()
+                or "jwe" in err_str
+                or "authlib.jose" in (getattr(token_err, "__module__", "") or "")
             )
+            if is_algorithm_or_jwe:
+                current_app.logger.warning(
+                    "OIDC token exchange failed: unsupported token algorithm or encrypted ID token (JWE). "
+                    "IdP may have ID token encryption enabled: %s",
+                    token_err,
+                )
+                current_app.logger.info("OIDC callback redirect to login: reason=unsupported_algorithm_or_jwe")
+                flash(
+                    _(
+                        "SSO failed: encrypted or unsupported ID tokens. "
+                        "Disable ID token encryption on your provider (e.g. in Authentik, leave the Encryption Key empty)."
+                    ),
+                    "error",
+                )
+            else:
+                current_app.logger.warning(
+                    "OIDC token exchange failed (state/code_verifier mismatch or invalid code). "
+                    "Session may have been lost between redirect and callback – check cookie size, domain, Secure, SameSite and proxy headers: %s",
+                    token_err,
+                )
+                current_app.logger.info("OIDC callback redirect to login: reason=token_exchange_failed")
+                flash(
+                    _("SSO failed. If this repeats, check session cookie and proxy configuration."), "error"
+                )
             return redirect(url_for("auth.login"))
 
         current_app.logger.info(
diff --git a/app/templates/inventory/movements/form.html b/app/templates/inventory/movements/form.html
index 35e1567c..c858dde8 100644
--- a/app/templates/inventory/movements/form.html
+++ b/app/templates/inventory/movements/form.html
@@ -22,7 +22,8 @@
           data-hint-devaluation="{{ _('Quantity to revalue (positive)') }}"
           data-hint-default="{{ _('Use positive values for additions, negative for removals') }}"
           data-msg-return-positive="{{ _('Return requires a positive quantity.') }}"
-          data-msg-waste-negative="{{ _('Waste requires a negative quantity.') }}">
+          data-msg-waste-negative="{{ _('Waste requires a negative quantity.') }}"
+          data-msg-devaluation-unsupported="{{ _('Devaluation requires a trackable item with a default cost.') }}">
         <input type="hidden" name="csrf_token" value="{{ csrf_token() }}">
         <div class="space-y-6">
             <div>
@@ -44,7 +45,7 @@
                 <select name="stock_item_id" id="stock_item_id" class="form-input" required>
                     <option value="">{{ _('Select Item') }}</option>
                     {% for item in stock_items %}
-                    <option value="{{ item.id }}">{{ item.sku }} - {{ item.name }}</option>
+                    <option value="{{ item.id }}" data-devaluation-supported="{{ 'true' if (item.is_trackable and item.default_cost is not none and (item.default_cost|float) > 0) else 'false' }}">{{ item.sku }} - {{ item.name }}</option>
                     {% endfor %}
                 </select>
             </div>
@@ -66,6 +67,7 @@
 
             <!-- Devaluation options (Return / Waste / Devaluation) -->
             <div id="devaluation_section" class="hidden border border-gray-200 dark:border-gray-700 rounded-lg p-4">
+                <p class="text-sm text-amber-600 dark:text-amber-400 hidden mt-0 mb-2" id="devaluation_unsupported_msg" role="alert"></p>
                 <div class="flex items-center justify-between">
                     <div>
                         <h3 class="text-sm font-semibold text-gray-800 dark:text-gray-200">{{ _('Devaluation') }}</h3>
@@ -133,6 +135,14 @@ <h3 class="text-sm font-semibold text-gray-800 dark:text-gray-200">{{ _('Devalua
         const devaluePercent = document.getElementById('devalue_percent');
         const devalueUnitCost = document.getElementById('devalue_unit_cost');
         const discoveryHint = document.getElementById('devaluation_discovery_hint');
+        const unsupportedMsg = document.getElementById('devaluation_unsupported_msg');
+
+        function selectedItemSupportsDevaluation() {
+            const sel = document.getElementById('stock_item_id');
+            const opt = sel.options[sel.selectedIndex];
+            if (!opt || !opt.value) return true;
+            return opt.getAttribute('data-devaluation-supported') === 'true';
+        }
 
         function refreshVisibility() {
             const type = (movementType.value || '').toLowerCase();
@@ -142,14 +152,34 @@ <h3 class="text-sm font-semibold text-gray-800 dark:text-gray-200">{{ _('Devalua
             const showDiscoveryHint = (type === 'return' || type === 'waste');
             if (discoveryHint) discoveryHint.classList.toggle('hidden', !showDiscoveryHint);
 
+            const canDevalue = selectedItemSupportsDevaluation();
+            const isReturnOrWaste = (type === 'return' || type === 'waste');
+
             if (type === 'devaluation') {
                 enabled.checked = true;
                 enabled.disabled = true;
+                if (unsupportedMsg) {
+                    if (!canDevalue) {
+                        unsupportedMsg.textContent = form.dataset.msgDevaluationUnsupported || 'Devaluation requires a trackable item with a default cost.';
+                        unsupportedMsg.classList.remove('hidden');
+                    } else {
+                        unsupportedMsg.classList.add('hidden');
+                        unsupportedMsg.textContent = '';
+                    }
+                }
+            } else if (isReturnOrWaste && !canDevalue) {
+                enabled.checked = false;
+                enabled.disabled = true;
+                if (unsupportedMsg) {
+                    unsupportedMsg.textContent = form.dataset.msgDevaluationUnsupported || 'Devaluation requires a trackable item with a default cost.';
+                    unsupportedMsg.classList.remove('hidden');
+                }
             } else {
                 enabled.disabled = false;
+                if (unsupportedMsg) { unsupportedMsg.classList.add('hidden'); unsupportedMsg.textContent = ''; }
             }
 
-            const showFields = showSection && enabled.checked;
+            const showFields = showSection && enabled.checked && !enabled.disabled;
             fields.classList.toggle('hidden', !showFields);
 
             const m = (method.value || 'percent');
@@ -185,6 +215,7 @@ <h3 class="text-sm font-semibold text-gray-800 dark:text-gray-200">{{ _('Devalua
         });
 
         movementType.addEventListener('change', refreshVisibility);
+        document.getElementById('stock_item_id').addEventListener('change', refreshVisibility);
         enabled.addEventListener('change', refreshVisibility);
         method.addEventListener('change', refreshVisibility);
         refreshVisibility();
diff --git a/app/templates/timer/manual_entry.html b/app/templates/timer/manual_entry.html
index b375f017..2b6a0cb8 100644
--- a/app/templates/timer/manual_entry.html
+++ b/app/templates/timer/manual_entry.html
@@ -321,6 +321,25 @@ <h2 class="text-sm font-semibold text-text-light dark:text-text-dark uppercase t
         else updateWorkedFromStartEnd();
     }
 
+    // Defer recalculation so the DOM has the latest date/time values (Issue #559)
+    let scheduledWorkedTime = false;
+    let pendingStart = false;
+    let pendingEnd = false;
+    function scheduleWorkedTimeUpdate(isStart) {
+        if (isStart) pendingStart = true; else pendingEnd = true;
+        if (scheduledWorkedTime) return;
+        scheduledWorkedTime = true;
+        queueMicrotask(function() {
+            scheduledWorkedTime = false;
+            const runStart = pendingStart;
+            const runEnd = pendingEnd;
+            pendingStart = false;
+            pendingEnd = false;
+            if (runStart) onStartChange();
+            if (runEnd) updateWorkedFromStartEnd();
+        });
+    }
+
     // Dynamic task loading when a project is chosen
     const projectSelect = document.getElementById('project_id');
     const clientSelect = document.getElementById('client_id');
@@ -466,19 +485,23 @@ <h2 class="text-sm font-semibold text-text-light dark:text-text-dark uppercase t
         });
     }
     if (startDate) {
-        startDate.addEventListener('change', () => { timeFieldsUserEdited = true; onStartChange(); });
+        startDate.addEventListener('change', () => { timeFieldsUserEdited = true; scheduleWorkedTimeUpdate(true); });
+        startDate.addEventListener('input', () => { timeFieldsUserEdited = true; scheduleWorkedTimeUpdate(true); });
         startDate.addEventListener('focus', () => { if (startDate.disabled) { setDurationOnlyMode(false); ensureStartEndDefaultsIfEmpty(); } });
     }
     if (startTime) {
-        startTime.addEventListener('change', () => { timeFieldsUserEdited = true; onStartChange(); });
+        startTime.addEventListener('change', () => { timeFieldsUserEdited = true; scheduleWorkedTimeUpdate(true); });
+        startTime.addEventListener('input', () => { timeFieldsUserEdited = true; scheduleWorkedTimeUpdate(true); });
         startTime.addEventListener('focus', () => { if (startTime.disabled) { setDurationOnlyMode(false); ensureStartEndDefaultsIfEmpty(); } });
     }
     if (endDate) {
-        endDate.addEventListener('change', () => { timeFieldsUserEdited = true; updateWorkedFromStartEnd(); });
+        endDate.addEventListener('change', () => { timeFieldsUserEdited = true; scheduleWorkedTimeUpdate(false); });
+        endDate.addEventListener('input', () => { timeFieldsUserEdited = true; scheduleWorkedTimeUpdate(false); });
         endDate.addEventListener('focus', () => { if (endDate.disabled) { setDurationOnlyMode(false); ensureStartEndDefaultsIfEmpty(); } });
     }
     if (endTime) {
-        endTime.addEventListener('change', () => { timeFieldsUserEdited = true; updateWorkedFromStartEnd(); });
+        endTime.addEventListener('change', () => { timeFieldsUserEdited = true; scheduleWorkedTimeUpdate(false); });
+        endTime.addEventListener('input', () => { timeFieldsUserEdited = true; scheduleWorkedTimeUpdate(false); });
         endTime.addEventListener('focus', () => { if (endTime.disabled) { setDurationOnlyMode(false); ensureStartEndDefaultsIfEmpty(); } });
     }
     
diff --git a/docs/BREAK_TIME_FEATURE.md b/docs/BREAK_TIME_FEATURE.md
index 1eedf53c..f6b97b02 100644
--- a/docs/BREAK_TIME_FEATURE.md
+++ b/docs/BREAK_TIME_FEATURE.md
@@ -33,6 +33,7 @@ This feature lets you account for break time when tracking work: either by pausi
 ### Break field
 
 - On **Log Time** (manual entry) and **Edit time entry** you can enter **Break** in HH:MM (e.g. `0:30` for 30 minutes).
+- **Worked time** is recalculated automatically whenever you change start/end date or time (including when using past dates); see [Manual Entry Worked Time Fix (#559)](implementation-notes/MANUAL_ENTRY_WORKED_TIME_FIX_559.md).
 - **Effective duration** (what is stored and shown) = (end − start) − break. If you also use **Worked time**, that value is treated as net (after break); break can still be entered and is subtracted when both are present.
 - Break is optional; leave it empty for no break.
 
diff --git a/docs/admin/configuration/OIDC_SETUP.md b/docs/admin/configuration/OIDC_SETUP.md
index 229391d6..ae858e85 100644
--- a/docs/admin/configuration/OIDC_SETUP.md
+++ b/docs/admin/configuration/OIDC_SETUP.md
@@ -96,6 +96,9 @@ Also ensure the standard app settings are configured (database, secret key, etc.
   - Issuer: `https://accounts.google.com`
   - Groups generally not available by default; prefer admin mapping via emails.
 
+- Authentik
+  - TimeTracker does **not** support JWE-encrypted ID tokens. If using Authentik, leave the **Encryption Key** field **empty** on the OAuth2/OpenID provider. If an Encryption Key is set, Authentik sends the ID token as JWE and login will fail with an error about unsupported algorithm or encrypted tokens.
+
 ### 4) Behavior and Mapping
 
 - When a user completes SSO:
@@ -191,6 +194,9 @@ services:
 - “User is not admin”
   - Verify `OIDC_ADMIN_GROUP` matches the group claim value, or add the user’s email to `OIDC_ADMIN_EMAILS`.
 
+- **“SSO failed” with “unsupported algorithm” or “encrypted ID token” in logs**
+  - The IdP is sending an encrypted ID token (JWE). TimeTracker does not support JWE-encrypted ID tokens. Disable ID token encryption at the provider. For Authentik, clear the **Encryption Key** on the OAuth2/OpenID provider so it returns a signed (e.g. RS256) JWT instead.
+
 - "Logout keeps me signed in" or "Logout redirects to provider error page"
   - Not all IdPs support RP-Initiated Logout (end-session). If your provider doesn't support it (e.g., Authelia), **do not set** `OIDC_POST_LOGOUT_REDIRECT_URI`. TimeTracker will then perform local logout only and redirect to the login page.
   - If your provider supports end-session and you want to log out from the IdP too, set `OIDC_POST_LOGOUT_REDIRECT_URI` to your desired post-logout landing page.
@@ -201,7 +207,7 @@ services:
   - **Cookie attributes**: Ensure `SESSION_COOKIE_SECURE`, `SESSION_COOKIE_SAMESITE`, and domain match how users access the app (e.g. HTTPS, same domain).
   - **Proxy headers**: Behind a reverse proxy, ensure `X-Forwarded-Proto` and `X-Forwarded-Host` are set correctly so redirect URLs and cookies use the same host/scheme the user sees.
   - **Callback URL**: The callback URL must match exactly (no trailing slash, same scheme and host) between TimeTracker (`OIDC_REDIRECT_URI`) and the IdP client configuration.
-  - **Logs**: TimeTracker logs a line like `OIDC callback redirect to login: reason=...` before each redirect to login. Use this to see the exact cause (e.g. `reason=token_exchange_failed` for session/state issues, `reason=missing_issuer_sub` for claim issues).
+  - **Logs**: TimeTracker logs a line like `OIDC callback redirect to login: reason=...` before each redirect to login. Use this to see the exact cause (e.g. `reason=token_exchange_failed` for session/state issues, `reason=unsupported_algorithm_or_jwe` for encrypted/unsupported ID tokens, `reason=missing_issuer_sub` for claim issues).
 
 ### 9) Routes Reference
 
diff --git a/docs/features/INVENTORY_MANAGEMENT_PLAN.md b/docs/features/INVENTORY_MANAGEMENT_PLAN.md
index b6c2e2c4..a15d12ab 100644
--- a/docs/features/INVENTORY_MANAGEMENT_PLAN.md
+++ b/docs/features/INVENTORY_MANAGEMENT_PLAN.md
@@ -460,7 +460,13 @@ Stock can be devalued when recording **return** or **waste** movements so that i
    - The system first revalues that quantity into a devalued lot (FIFO consume from existing lots, create a devalued lot at the new cost), then records the waste movement consuming from that devalued lot.
    - Use this when writing off damaged or obsolete stock at a lower value for accounting.
 
-**Requirements**: The stock item must be **trackable** and have a **default cost** set. Devaluation options are available on the Record Movement form when movement type is Return, Waste, or Devaluation (standalone revaluation of quantity in place).
+**Requirements**: The stock item must be **trackable** and have a **default cost** set. Devaluation options are available on the Record Movement form when movement type is Return, Waste, or Devaluation (standalone revaluation of quantity in place). If the selected item is not trackable or has no default cost, the form shows a message and disables the "Apply devaluation" option.
+
+**How to use (UI)**:
+- **Return with devaluation**: Go to Inventory → Stock Movements → Record Movement. Choose movement type **Return**, select the stock item and warehouse, enter a **positive** quantity. Check **Apply devaluation**, then set either a percent off default cost or a fixed new unit cost. Submit. The returned quantity is booked into a devalued lot at that cost; no new stock item is created.
+- **Waste with devaluation**: Same form; choose movement type **Waste**, enter a **negative** quantity. Check **Apply devaluation** and set the devalued cost. Submit. The system revalues that quantity into a devalued lot, then records the waste from that lot.
+
+**API**: `POST /api/v1/inventory/movements` accepts `devalue_enabled`, `devalue_method` (`"percent"` or `"fixed"`), `devalue_percent`, and `devalue_unit_cost` for return and waste movements. See the endpoint implementation for validation rules.
 
 ---
 
diff --git a/docs/implementation-notes/MANUAL_ENTRY_WORKED_TIME_FIX_559.md b/docs/implementation-notes/MANUAL_ENTRY_WORKED_TIME_FIX_559.md
new file mode 100644
index 00000000..fe71a155
--- /dev/null
+++ b/docs/implementation-notes/MANUAL_ENTRY_WORKED_TIME_FIX_559.md
@@ -0,0 +1,31 @@
+# Manual Entry Worked Time Recalculation (Issue #559)
+
+**Issue:** [#559](https://github.com/DRYTRIX/TimeTracker/issues/559) — "Worked Time" on manual entry only recalculated after reselecting end date.
+
+## Problem
+
+When creating a manual time entry with start/end dates that are **not** today:
+
+1. User selects start and end date (e.g. yesterday).
+2. User then selects start and end time.
+3. **Bug:** Worked time was calculated from start date/time to **today's date** (with the selected end time), instead of the selected end date.
+4. Worked time only became correct after the user reselected the end date.
+
+## Root cause
+
+Recalculation ran synchronously in `change` handlers for the date/time inputs. In some browsers or interaction orders, the `change` event can fire before the input’s `.value` is updated in the DOM (e.g. date picker commits the value after the event). So `getStartEnd()` sometimes read the previous end date (today) when recalculating.
+
+## Solution
+
+- **Deferred recalculation:** When any of the four fields (start_date, start_time, end_date, end_time) changes, the update is scheduled with `queueMicrotask(...)` so it runs in the next task. By then the browser has committed the new value, and `getStartEnd()` reads the correct DOM state.
+- **Recalculate on every selection:** Both `change` and `input` events are listened to on all four fields, so worked time is recalculated on every date/time change (picker or keyboard).
+- **Single run per tick:** A small scheduler with `pendingStart` / `pendingEnd` and one microtask prevents duplicate work when multiple events fire in the same turn.
+
+## File changed
+
+- **`app/templates/timer/manual_entry.html`** — Added `scheduleWorkedTimeUpdate(isStart)` and wired `change` + `input` on start_date, start_time, end_date, end_time to use it. Initial `updateWorkedFromStartEnd()` on load is unchanged.
+
+## User-visible behavior
+
+- Worked time now updates correctly as soon as the user selects dates and times, including when the end date is in the past, without needing to reselect the end date.
+- Recalculation runs after every relevant selection (date or time), as requested in the issue.
diff --git a/docs/integrations/XERO.md b/docs/integrations/XERO.md
new file mode 100644
index 00000000..3ef6c751
--- /dev/null
+++ b/docs/integrations/XERO.md
@@ -0,0 +1,49 @@
+# Xero Integration
+
+TimeTracker can sync invoices, expenses, and payments with [Xero](https://www.xero.com/) via the Xero Accounting API and OAuth 2.0.
+
+## Requirements
+
+- A [Xero Developer](https://developer.xero.com/) app (Client ID and Client Secret).
+- For apps **created on or after March 2, 2026**, the integration uses the granular accounting scopes required by Xero; older apps continue to work until broad scopes are retired (see [Xero scope changes](https://developer.xero.com/documentation/guides/oauth2/scopes/)).
+
+## OAuth scopes
+
+The integration requests the following scopes:
+
+| Scope | Purpose |
+|-------|---------|
+| `accounting.invoices` | Invoices, credit notes, purchase orders, quotes, items |
+| `accounting.payments` | Payments, batch payments, overpayments, prepayments |
+| `accounting.contacts` | Contacts |
+| `accounting.settings` | Organisation and account settings |
+| `offline_access` | Refresh token for background sync |
+
+**Note:** The deprecated scope `accounting.transactions` is no longer used. For apps created on or after March 2, 2026, Xero requires the granular scopes above (see [Issue #567](https://github.com/DRYTRIX/TimeTracker/issues/567)).
+
+## Setup
+
+1. In [Xero Developer](https://developer.xero.com/app/manage), create an app (or use an existing one) and note the **Client ID** and **Client Secret**.
+2. Set the app **Redirect URI** to your TimeTracker base URL plus `/integrations/xero/callback` (e.g. `https://your-timetracker.example.com/integrations/xero/callback`).
+3. In TimeTracker: **Integrations** → **Xero** → complete the setup wizard with your Client ID and Client Secret.
+4. Open **Connect** (or go to `/integrations/xero/connect`) to start the OAuth flow. Sign in to Xero, select the organisation, and authorise. You are redirected back with the connection stored.
+
+## Configuration
+
+- **Tenant ID** — Set automatically during OAuth; you can also enter it manually if needed.
+- **Sync direction** — Xero → TimeTracker (import), TimeTracker → Xero (export), or bidirectional.
+- **Items to sync** — Invoices, expenses, payments, contacts.
+- **Data mapping** — Contact mappings (clients → Xero contacts), item mappings (invoice items → Xero items), account mappings (expense categories → Xero account codes), and default expense account code.
+
+## Sync behaviour
+
+- **Invoices** — Pushed to Xero as sales invoices via `POST /api.xro/2.0/Invoices`. Response `InvoiceID` is stored in invoice metadata as `xero_invoice_id`.
+- **Expenses** — Pushed to Xero as expense claims via `POST /api.xro/2.0/ExpenseClaims`. Response `ExpenseClaimID` is stored in expense metadata as `xero_expense_id`. The Xero ExpenseClaims API expects a specific payload shape (e.g. User and Receipts); if you see validation errors, the payload may need to be adapted to your Xero app and workflow.
+- **Manual sync** — Use **Sync Now** on the integration page.
+- **Auto sync** — Enable in setup and choose a schedule (e.g. hourly, daily).
+
+## Troubleshooting
+
+- **"Invalid scope for client"** — Ensure you are using TimeTracker with the updated scopes (`accounting.invoices`, `accounting.payments`, etc.). Re-create your Xero app or use an app created before March 2, 2026 if you must use the old broad scope during the transition.
+- **404 on expense sync** — The integration uses `/api.xro/2.0/ExpenseClaims`; the previous `/api.xro/2.0/Expenses` endpoint does not exist in the Xero API.
+- **Connection test** — Use the integration’s connection test to verify tenant and token; fix any credential or tenant ID issues before syncing.
diff --git a/setup.py b/setup.py
index 2ef7aaa8..d1f29d5f 100644
--- a/setup.py
+++ b/setup.py
@@ -7,7 +7,7 @@
 
 setup(
     name='timetracker',
-    version='4.22.1',
+    version='4.22.2',
     packages=find_packages(),
     include_package_data=True,
     install_requires=[
diff --git a/translations/en/LC_MESSAGES/messages.po b/translations/en/LC_MESSAGES/messages.po
index cd8b703c..879541e0 100644
--- a/translations/en/LC_MESSAGES/messages.po
+++ b/translations/en/LC_MESSAGES/messages.po
@@ -2268,6 +2268,10 @@ msgstr ""
 msgid "Stock item must have a default cost to perform devaluation"
 msgstr ""
 
+#: app/templates/inventory/movements/form.html
+msgid "Devaluation requires a trackable item with a default cost."
+msgstr ""
+
 #: app/routes/inventory.py:938
 msgid "Devaluation percent is required when using percent method"
 msgstr ""