diff --git a/api/update.php b/api/update.php
new file mode 100644
index 0000000..a4b76a7
--- /dev/null
+++ b/api/update.php
@@ -0,0 +1,111 @@
+
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see .
+ */
+
+/**
+ * \file netdiag/api/update.php
+ * \ingroup netdiag
+ * \brief APK-Update-Proxy.
+ *
+ * Die Forgejo-Paket-Registry ist privat — die App kann sie nicht direkt
+ * abfragen. Dieser Endpunkt prueft die Registry serverseitig (mit Token aus
+ * der Dolibarr-Konfiguration NETDIAG_FORGEJO_TOKEN) und liefert der App:
+ * GET update.php -> { version: "" }
+ * GET update.php?download=1 -> die APK-Datei (zum Installieren)
+ * Der Registry-Token bleibt so ausschliesslich auf dem Server.
+ */
+
+require_once __DIR__.'/netdiag_api.lib.php';
+
+netdiag_api_bootstrap();
+
+/**
+ * @var DoliDB $db
+ */
+
+$user = netdiag_api_authenticate($db);
+
+$registry = 'https://git.data-it-solution.de';
+$owner = 'data-it';
+$pkg = 'netdiag-apk';
+
+$token = getDolGlobalString('NETDIAG_FORGEJO_TOKEN');
+if (empty($token)) {
+ netdiag_api_error('Update-Funktion nicht konfiguriert (NETDIAG_FORGEJO_TOKEN fehlt)', 500);
+}
+
+// ---------------------------------------------------------------------------
+// APK herunterladen (Proxy) — Datei streamen
+// ---------------------------------------------------------------------------
+if (isset($_GET['download'])) {
+ $tmp = tempnam(sys_get_temp_dir(), 'netdiag_apk_');
+ $fp = fopen($tmp, 'w');
+ $ch = curl_init($registry.'/api/packages/'.$owner.'/generic/'.$pkg.'/latest/NetDiag.apk');
+ curl_setopt_array($ch, array(
+ CURLOPT_HTTPHEADER => array('Authorization: token '.$token),
+ CURLOPT_FOLLOWLOCATION => true,
+ CURLOPT_FILE => $fp,
+ CURLOPT_TIMEOUT => 120,
+ ));
+ curl_exec($ch);
+ $code = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
+ curl_close($ch);
+ fclose($fp);
+
+ if ($code !== 200 || filesize($tmp) < 1024) {
+ @unlink($tmp);
+ netdiag_api_error('APK-Download fehlgeschlagen (HTTP '.$code.')', 502);
+ }
+
+ header('Content-Type: application/vnd.android.package-archive');
+ header('Content-Disposition: attachment; filename="NetDiag.apk"');
+ header('Content-Length: '.filesize($tmp));
+ readfile($tmp);
+ @unlink($tmp);
+ exit;
+}
+
+// ---------------------------------------------------------------------------
+// Versionspruefung — neueste Version aus der Registry
+// ---------------------------------------------------------------------------
+$ch = curl_init($registry.'/api/v1/packages/'.$owner.'?type=generic&q='.$pkg);
+curl_setopt_array($ch, array(
+ CURLOPT_HTTPHEADER => array('Authorization: token '.$token),
+ CURLOPT_RETURNTRANSFER => true,
+ CURLOPT_FOLLOWLOCATION => true,
+ CURLOPT_TIMEOUT => 30,
+));
+$body = curl_exec($ch);
+$code = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
+curl_close($ch);
+
+if ($code !== 200) {
+ netdiag_api_error('Registry nicht erreichbar (HTTP '.$code.')', 502);
+}
+
+$pkgs = json_decode($body, true);
+$versions = array();
+if (is_array($pkgs)) {
+ foreach ($pkgs as $p) {
+ if (isset($p['name'], $p['version']) && $p['name'] === $pkg && $p['version'] !== 'latest') {
+ $versions[] = (string) $p['version'];
+ }
+ }
+}
+sort($versions);
+$latest = empty($versions) ? null : end($versions);
+
+netdiag_api_respond(array('version' => $latest));