feat: Nagging reminders with max limit + ENV defaults for settings (#18)

* ci: prevent duplicate test runs - tests only on PRs, inline tests for builds

* docs: add testing and CI/CD documentation

* security: fix CodeQL vulnerabilities (SSRF, XSS, rate limiting)

- Add URL validation to prevent SSRF attacks on notification endpoints
  - Block private IPs (10.x, 172.16-31.x, 192.168.x, 169.254.x)
  - Block localhost and internal hostnames
  - Only allow HTTP/HTTPS protocols
- Add HTML escaping for medication names in email templates (XSS)
- Add stricter rate limiting for auth routes (5 req/15min for login/register)
- Add SSRF protection tests (405 tests total)

* security: add rate limiting to remaining auth routes

* chore: add CodeQL config to suppress rate-limit false positives

Rate limiting IS implemented via @fastify/rate-limit plugin:
- Global: 100 req/min (index.ts)
- Auth routes: 5-10 req/min via config.rateLimit option

CodeQL doesn't recognize Fastify's plugin-based rate limiting pattern.

* ci: switch to CodeQL Advanced Setup

- Add custom codeql.yml workflow
- Configure to use codeql-config.yml
- Exclude js/missing-rate-limiting rule (false positive)
  Rate limiting is implemented via @fastify/rate-limit plugin

* ci: add explicit permissions to workflows

Fixes CodeQL 'Workflow does not contain permissions' warnings.
Sets minimal 'contents: read' at top level.

* ci: add manual trigger to CodeQL workflow

* ci: add explicit permissions to all workflow jobs

* build(deps): bump esbuild, @vitest/coverage-v8 and vitest in /backend

Bumps [esbuild](https://github.com/evanw/esbuild) to 0.27.2 and updates ancestor dependencies [esbuild](https://github.com/evanw/esbuild), [@vitest/coverage-v8](https://github.com/vitest-dev/vitest/tree/HEAD/packages/coverage-v8) and [vitest](https://github.com/vitest-dev/vitest/tree/HEAD/packages/vitest). These dependencies need to be updated together.


Updates `esbuild` from 0.21.5 to 0.27.2
- [Release notes](https://github.com/evanw/esbuild/releases)
- [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG-2024.md)
- [Commits](https://github.com/evanw/esbuild/compare/v0.21.5...v0.27.2)

Updates `@vitest/coverage-v8` from 2.1.9 to 4.0.16
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.0.16/packages/coverage-v8)

Updates `vitest` from 2.1.9 to 4.0.16
- [Release notes](https://github.com/vitest-dev/vitest/releases)
- [Commits](https://github.com/vitest-dev/vitest/commits/v4.0.16/packages/vitest)

---
updated-dependencies:
- dependency-name: esbuild
  dependency-version: 0.27.2
  dependency-type: indirect
- dependency-name: "@vitest/coverage-v8"
  dependency-version: 4.0.16
  dependency-type: direct:development
- dependency-name: vitest
  dependency-version: 4.0.16
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>

* docs: add GitHub issue templates

- Bug report template with deployment type, browser info, logs
- Feature request template with affected area, priority
- Config with link to discussions and README
- Optimize test.yml to skip tests for non-code changes

* Initial plan

* Remove database schema duplication by creating shared schema-sql.ts module

Co-authored-by: DanielVolz <3275994+DanielVolz@users.noreply.github.com>

* Refactor frontend date formatting to eliminate duplication

Co-authored-by: DanielVolz <3275994+DanielVolz@users.noreply.github.com>

* docs: Add branch protection warning and PR workflow to instructions

* ci: remove paths filter from test workflow to fix branch protection

* fix: add .js extension to schema-sql imports for ESM compatibility (#15)

* feat: add setting to skip reminders for taken doses

- Add skipRemindersForTakenDoses setting to database schema
- Extend settings API to save and load new setting
- Update intake reminder scheduler to filter taken doses
- Add frontend toggle in settings with i18n (EN/DE)
- Only check doses from today (timezone-aware)
- Update all test schemas with new field
- All 405 tests passing

* feat: add repeat reminders for missed doses

- Add repeatRemindersEnabled and reminderRepeatIntervalMinutes settings
- Refactor intake reminder state from array to object with sendCount tracking
- Update scheduler to send repeated reminders at configurable intervals
- Only remind for today's doses (timezone-aware filtering)
- Add frontend toggle and interval input (5-480 minutes) in settings
- Maintain backward compatibility for old state file format
- Update all test schemas and assertions
- All 406 tests passing

* feat: add nagging reminders with max limit and ENV defaults

- Add maxNaggingReminders setting to limit repeat reminders (1-20)
- Add ENV defaults for all user settings (DEFAULT_*)
- Add ALTER TABLE migrations for backward compatibility
- Add smtpConfigured/shoutrrrConfigured to health endpoint
- Fix Push toggle to allow enabling without existing URL
- Disable skip/repeat toggles when no notifications enabled
- Add Pocket ID button to registration page
- Add getTodaysIntakes() for repeat reminder logic
- Update translations (en/de) for new settings
- Add comprehensive tests for new features

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: DanielVolz <3275994+DanielVolz@users.noreply.github.com>

.github/copilot-instructions.md

@@ -1,5 +1,10 @@
 # MedAssist-ng - AI Coding Instructions
 
+## General Rules
+
+- **No temporary files**: Delete temporary scripts/files immediately after use. Do not commit temporary debug scripts, test files, or one-off utilities to the repository.
+- **Clean workspace**: Always clean up after yourself. If you create a file for a specific task, delete it once done.
+
 ## Architecture Overview
 
 MedAssist-ng is a **medication tracking and planning app** with a monorepo structure:
@@ -93,12 +98,15 @@ describe('Feature Name', () => {
 ### Test-Commands
 ```bash
 cd backend
-npm test                    # Alle Tests ausführen
-npm run test:coverage       # Mit Coverage-Report
-npm test -- --watch         # Watch-Mode für Entwicklung
+CI=true npm test            # Tests einmal ausführen (IMMER so ausführen!)
+CI=true npm run test:coverage  # Mit Coverage-Report
+npm test -- --watch         # Watch-Mode für manuelle Entwicklung
 npm test -- -t "test name"  # Einzelnen Test ausführen
 ```
 
+> ⚠️ **WICHTIG für AI-Agenten**: Tests IMMER mit `CI=true` ausführen!
+> Ohne `CI=true` läuft Vitest im Watch-Mode und wartet auf Eingaben.
+
 ## CI/CD Pipeline (GitHub Actions)
 
 ### Workflow-Übersicht
@@ -283,9 +291,25 @@ Each blister defines a recurring intake:
 | Stock Thresholds | Warning days, critical days, expiry warning days |
 | Email Notifications | Enable, email address, stock/intake toggles |
 | Push Notifications (Shoutrrr) | Enable, URL (ntfy/gotify/etc), stock/intake toggles |
-| Reminder Settings | Days before, repeat daily |
+| Reminder Settings | Days before, repeat daily, skip for taken, repeat/nagging |
 | SMTP | Email config (read-only from .env) |
 
+### Settings ENV Defaults
+All user settings can be pre-configured via ENV variables (see `.env.example`).
+These are only used as **defaults when a new user is created**.
+Once a user saves settings in the app, their saved values take precedence over ENV.
+
+| ENV Variable | Setting | Default |
+|--------------|---------|---------|
+| `DEFAULT_EMAIL_ENABLED` | Email notifications | false |
+| `DEFAULT_SHOUTRRR_ENABLED` | Push notifications | false |
+| `DEFAULT_SHOUTRRR_URL` | ntfy/gotify URL | (empty) |
+| `DEFAULT_REPEAT_REMINDERS_ENABLED` | Nagging reminders | false |
+| `DEFAULT_REMINDER_REPEAT_INTERVAL_MINUTES` | Nag interval | 30 |
+| `DEFAULT_MAX_NAGGING_REMINDERS` | Max nags | 5 |
+| `DEFAULT_LOW_STOCK_DAYS` | Low stock threshold | 30 |
+| `DEFAULT_LANGUAGE` | UI language | en |
+
 ## Database Schema (`backend/src/db/schema.ts`)
 
 | Table | Description |
@@ -347,14 +371,54 @@ Example: `5-0-1735344000000` = Medication 5, Blister 0, timestamp
 - **Environment**: Copy `.env.example` → `.env`, secrets must be 10+ chars
 - **i18n**: All UI text via `t('key')` function, translations in `frontend/src/i18n/*.json`
 
-## Database Schema Changes
+## Database Schema Changes (WICHTIG: Abwärtskompatibilität!)
 
-When adding new database columns:
+> ⚠️ **KRITISCH**: Die App MUSS abwärtskompatibel mit älteren Datenbanken bleiben!
+> Nutzer upgraden ihre Docker-Container, aber behalten ihre bestehende DB.
+> Die App darf NICHT abstürzen wenn alte Spalten fehlen.
 
-1. **Update schema**: `backend/src/db/schema.ts` - Add the Drizzle column definition
-2. **Update client.ts**: `backend/src/db/client.ts` - Add column to `CREATE TABLE IF NOT EXISTS`
-3. **Update migrate.ts**: `backend/src/db/migrate.ts` - Same as client.ts
-4. **Delete old DB**: `rm backend/data/medassist-ng.db` and restart
+### Regeln für neue Spalten
+
+1. **IMMER mit DEFAULT-Wert**: Neue Spalten müssen `NOT NULL DEFAULT <wert>` haben
+2. **NULL-sicher im Code**: Alle Abfragen müssen `?? defaultValue` oder `?? false` verwenden
+3. **Schema-SQL aktualisieren**: In diesen Dateien hinzufügen:
+   - `backend/src/db/schema.ts` - Drizzle Schema
+   - `backend/src/db/schema-sql.ts` - `getTableCreationSQL()` für neue DBs
+   - `backend/src/db/client.ts` - `ALTER TABLE ADD COLUMN IF NOT EXISTS` Migration
+4. **Test-Schemas updaten**: Alle Test-Dateien mit eigenem Schema:
+   - `backend/src/test/e2e-routes.test.ts`
+   - `backend/src/test/integration.test.ts`
+   - `backend/src/test/planner.test.ts`
+
+### Beispiel: Neue Spalte hinzufügen
+
+```typescript
+// 1. schema.ts - Drizzle Definition
+maxNaggingReminders: integer("max_nagging_reminders").notNull().default(5),
+
+// 2. schema-sql.ts - Für neue Datenbanken
+"max_nagging_reminders integer NOT NULL DEFAULT 5,"
+
+// 3. client.ts - Migration für bestehende DBs (IN ensureTablesExist())
+await client.execute(`ALTER TABLE user_settings ADD COLUMN max_nagging_reminders integer NOT NULL DEFAULT 5`).catch(() => {});
+
+// 4. Routes - NULL-sicher lesen
+maxNaggingReminders: settings.maxNaggingReminders ?? 5,
+```
+
+### Was NICHT erlaubt ist
+
+- ❌ Spalten löschen oder umbenennen (bricht alte DBs)
+- ❌ `NOT NULL` ohne `DEFAULT` (INSERT schlägt fehl)
+- ❌ Spalten ohne Fallback im Code lesen
+- ❌ DB löschen als "Lösung" dokumentieren
+
+### Wann Abwärtskompatibilität NICHT möglich ist
+
+Wenn eine Breaking Change unvermeidbar ist:
+1. **Explizit kommunizieren**: In Release Notes dokumentieren
+2. **Migration-Script**: Automatisches Upgrade-Script bereitstellen
+3. **Versionsprüfung**: App sollte DB-Version prüfen und warnen
 
 ## File Locations