feat: add ntfy notification action context service

.github/copilot-instructions.md

@@ -1,17 +1,11 @@
 # MedAssist-ng - Copilot Entry Point
 
-## VERY IMPORTANT - Prioritized Constraints
+## VERY IMPORTANT
 
-**First: Update Memory and Reports**
 - Always keep agent work memory updated in `doku/memory_notes.md` so progress and decisions remain recoverable across context loss.
-  - If `doku/memory_notes.md` is missing, create it immediately.
 - Always keep a user-facing work report updated in `doku/report.md` so completed work is easy to review.
-  - If `doku/report.md` is missing, create it immediately.
 - This memory/report rule replaces the previous `doku/APP_BEHAVIOR.md` persistence requirement.
 
-**Second: Follow Governance Rules**
-- Consult `AGENTS.md` for all governance, workflow, and skill rules.
-
 Use `AGENTS.md` as the single source of truth for all governance, workflow, and skill rules.
 
 ## Required Startup Steps

.gitignore

@@ -107,18 +107,4 @@ docs/SPEC_KIT.md
 .github/skills/nodejs-backend-patterns/
 .github/skills/nodejs-best-practices/
 .github/skills/seo/
-.playwright-mcp
-
-# Local GSD/copilot generated workspace artifacts (not for upstream)
-.github/agents/copilot-instructions.md
-.github/agents/gsd-*.agent.md
-.github/agents/medassist-feature-orchestrator.agent.md
-.github/agents/speckit.*.agent.md
-.github/get-shit-done/
-.github/gsd-file-manifest.json
-.github/prompts/speckit.*.prompt.md
-.github/skills/gsd-*/
-.planning/
-doku/memory_notes.md
-doku/report.md
-ops/medtest/
+.playwright-mcp

README.md

@@ -378,14 +378,6 @@ docker compose -p medassist-dev -f docker-compose.dev.yml up
 - API docs UI: `http://localhost:3000/docs` (when docs are enabled)
 - OpenAPI JSON: `http://localhost:3000/docs/json` (when docs are enabled)
 
-If you run the frontend dev server behind a reverse proxy or on a remote host, you can optionally set these frontend-only environment variables before starting Vite:
-
-- `VITE_ALLOWED_HOSTS`: comma-separated hostnames allowed to connect to the dev server; defaults to `localhost,127.0.0.1`
-- `VITE_HMR_HOST`: public hostname used for HMR websocket connections
-- `VITE_HMR_PROTOCOL`: optional websocket protocol override (`ws` or `wss`)
-- `VITE_HMR_CLIENT_PORT`: optional public websocket port exposed to the browser
-- `VITE_HMR_PORT`: optional server-side websocket port for the Vite process
-
 Useful local commands:
 
 ```bash

backend/src/services/notification-actions-service.ts

@@ -0,0 +1,350 @@
+import { createHash, randomBytes } from "node:crypto";
+import { and, eq, gt, isNull } from "drizzle-orm";
+import { db } from "../db/client.js";
+import { notificationActionGroups, notificationActionTokens } from "../db/schema.js";
+import type { Language } from "../i18n/translations.js";
+import { env } from "../plugins/env.js";
+import { getNotificationActionLabels, type PushNotificationAction } from "./notifications/action-renderer.js";
+
+export type NotificationActionKind = "taken" | "skip" | "respond" | "view";
+
+type TokenKind = Exclude<NotificationActionKind, "view">;
+type ActiveTokenKind = "taken" | "skip" | "respond";
+
+export type NotificationActionContext = {
+	groupId?: number;
+	sequenceId?: string;
+	respondUrl?: string;
+	viewUrl: string;
+	actions: PushNotificationAction[];
+};
+
+type NotificationActionMode = "full" | "view-only";
+
+export type NotificationActionTokenRecord = {
+	token: typeof notificationActionTokens.$inferSelect;
+	group: typeof notificationActionGroups.$inferSelect;
+	doseIds: string[];
+	viewUrl: string | null;
+};
+
+const NOTIFICATION_ACTION_TTL_MS = 24 * 60 * 60 * 1000;
+
+function normalizePublicAppUrl(publicAppUrl: string): string {
+	return publicAppUrl.replace(/\/+$/, "");
+}
+
+function parseConfiguredUrl(value: string | null | undefined): URL | null {
+	const trimmedValue = value?.trim();
+	if (!trimmedValue) {
+		return null;
+	}
+
+	try {
+		return new URL(trimmedValue);
+	} catch {
+		return null;
+	}
+}
+
+function isLoopbackHostname(hostname: string): boolean {
+	const normalizedHostname = hostname.toLowerCase();
+	return normalizedHostname === "localhost" || normalizedHostname === "127.0.0.1" || normalizedHostname === "::1";
+}
+
+function resolveNotificationPublicAppUrl(publicAppUrl: string | null | undefined): string | null {
+	const configuredUrl = parseConfiguredUrl(publicAppUrl ?? env.PUBLIC_APP_URL);
+	if (configuredUrl && !isLoopbackHostname(configuredUrl.hostname)) {
+		return normalizePublicAppUrl(configuredUrl.toString());
+	}
+
+	const corsOrigins = env.CORS_ORIGINS.split(",")
+		.map((origin) => parseConfiguredUrl(origin))
+		.filter((origin): origin is URL => origin !== null);
+	const reachableCorsOrigin =
+		corsOrigins.find((origin) => !isLoopbackHostname(origin.hostname)) ?? corsOrigins[0] ?? null;
+	if (reachableCorsOrigin) {
+		return normalizePublicAppUrl(reachableCorsOrigin.toString());
+	}
+
+	return configuredUrl ? normalizePublicAppUrl(configuredUrl.toString()) : null;
+}
+
+function getScheduledKey(scheduledFor: Date): string {
+	return String(Math.floor(scheduledFor.getTime() / 60000));
+}
+
+function formatDateParam(value: Date): string {
+	const year = value.getFullYear();
+	const month = String(value.getMonth() + 1).padStart(2, "0");
+	const day = String(value.getDate()).padStart(2, "0");
+	return `${year}-${month}-${day}`;
+}
+
+function buildViewUrl(baseUrl: string, scheduledFor: Date | null, doseIds: string[]): string {
+	const params = new URLSearchParams();
+	const primaryDoseId = doseIds[0];
+
+	if (scheduledFor) {
+		params.set("day", formatDateParam(scheduledFor));
+	}
+
+	if (primaryDoseId) {
+		params.set("dose", primaryDoseId);
+	}
+
+	const queryString = params.toString();
+	return queryString.length > 0 ? `${baseUrl}/dashboard?${queryString}` : `${baseUrl}/dashboard`;
+}
+
+function parseDoseIdsJson(value: string): string[] {
+	try {
+		const parsed = JSON.parse(value) as unknown;
+		if (!Array.isArray(parsed)) {
+			return [];
+		}
+
+		return parsed.filter((entry): entry is string => typeof entry === "string" && entry.length > 0);
+	} catch {
+		return [];
+	}
+}
+
+function createSequenceId(groupKey: string): string {
+	return `medassist-${createHash("sha256").update(groupKey, "utf8").digest("hex").slice(0, 32)}`;
+}
+
+export function createActionToken(): string {
+	return randomBytes(32).toString("hex");
+}
+
+export function hashActionToken(token: string): string {
+	return createHash("sha256").update(token, "utf8").digest("hex");
+}
+
+async function createTokenRow(groupId: number, kind: TokenKind): Promise<{ kind: TokenKind; token: string }> {
+	const token = createActionToken();
+	await db.insert(notificationActionTokens).values({
+		groupId,
+		tokenHash: hashActionToken(token),
+		kind,
+	});
+
+	return { kind, token };
+}
+
+async function createActionTokens(groupId: number): Promise<Record<ActiveTokenKind, string>> {
+	const createdTokens = await Promise.all([
+		createTokenRow(groupId, "taken"),
+		createTokenRow(groupId, "skip"),
+		createTokenRow(groupId, "respond"),
+	]);
+
+	return createdTokens.reduce(
+		(accumulator, entry) => {
+			accumulator[entry.kind] = entry.token;
+			return accumulator;
+		},
+		{ taken: "", skip: "", respond: "" } as Record<ActiveTokenKind, string>
+	);
+}
+
+export async function createNotificationActionContext(input: {
+	userId: number;
+	title: string;
+	message: string;
+	doseIds: string[];
+	scheduledFor: Date;
+	publicAppUrl?: string | null;
+	language: Language;
+	actionMode?: NotificationActionMode;
+}): Promise<NotificationActionContext | null> {
+	const publicAppUrl = resolveNotificationPublicAppUrl(input.publicAppUrl);
+	if (!publicAppUrl) {
+		return null;
+	}
+
+	const uniqueDoseIds = [...new Set(input.doseIds.filter((doseId) => doseId.trim().length > 0))].sort();
+	if (uniqueDoseIds.length === 0) {
+		return null;
+	}
+
+	const baseUrl = publicAppUrl;
+	const actionMode = input.actionMode ?? "full";
+	const labels = getNotificationActionLabels(input.language);
+	const viewUrl = buildViewUrl(baseUrl, input.scheduledFor, uniqueDoseIds);
+
+	if (actionMode === "view-only") {
+		return {
+			viewUrl,
+			actions: [{ kind: "view", label: labels.view, url: viewUrl, method: "GET" }],
+		};
+	}
+
+	const groupKey = `intake:${input.userId}:${uniqueDoseIds.join(",")}:${getScheduledKey(input.scheduledFor)}`;
+	const sequenceId = createSequenceId(groupKey);
+	const now = new Date();
+	const expiresAt = new Date(now.getTime() + NOTIFICATION_ACTION_TTL_MS);
+
+	let [group] = await db
+		.select()
+		.from(notificationActionGroups)
+		.where(
+			and(
+				eq(notificationActionGroups.groupKey, groupKey),
+				isNull(notificationActionGroups.resolvedAction),
+				gt(notificationActionGroups.expiresAt, now)
+			)
+		);
+
+	if (!group) {
+		[group] = await db
+			.insert(notificationActionGroups)
+			.values({
+				userId: input.userId,
+				groupKey,
+				sequenceId,
+				doseIdsJson: JSON.stringify(uniqueDoseIds),
+				title: input.title,
+				message: input.message,
+				language: input.language,
+				scheduledFor: input.scheduledFor,
+				expiresAt,
+				updatedAt: now,
+			})
+			.returning();
+	}
+
+	const tokens = await createActionTokens(group.id);
+	const groupLanguage = (group.language as Language | null) ?? input.language;
+	const groupLabels = getNotificationActionLabels(groupLanguage);
+	const respondUrl = `${baseUrl}/api/notification-actions/${tokens.respond}`;
+	const resolvedViewUrl = buildViewUrl(baseUrl, group.scheduledFor ?? input.scheduledFor, uniqueDoseIds);
+
+	return {
+		groupId: group.id,
+		sequenceId: group.sequenceId,
+		respondUrl,
+		viewUrl: resolvedViewUrl,
+		actions: [
+			{
+				kind: "taken",
+				label: groupLabels.taken,
+				url: `${baseUrl}/api/notification-actions/${tokens.taken}`,
+				method: "POST",
+			},
+			{
+				kind: "skip",
+				label: groupLabels.skip,
+				url: `${baseUrl}/api/notification-actions/${tokens.skip}`,
+				method: "POST",
+			},
+			{ kind: "view", label: groupLabels.view, url: resolvedViewUrl, method: "GET" },
+		],
+	};
+}
+
+export async function createTestNotificationActionContext(input: {
+	userId: number;
+	title: string;
+	message: string;
+	publicAppUrl?: string | null;
+	language: Language;
+}): Promise<NotificationActionContext | null> {
+	const publicAppUrl = resolveNotificationPublicAppUrl(input.publicAppUrl);
+	if (!publicAppUrl) {
+		return null;
+	}
+
+	const baseUrl = publicAppUrl;
+	const now = new Date();
+	const groupKey = `test:${input.userId}:${now.getTime()}:${randomBytes(8).toString("hex")}`;
+	const sequenceId = createSequenceId(groupKey);
+	const expiresAt = new Date(now.getTime() + NOTIFICATION_ACTION_TTL_MS);
+	const viewUrl = buildViewUrl(baseUrl, null, []);
+
+	const [group] = await db
+		.insert(notificationActionGroups)
+		.values({
+			userId: input.userId,
+			groupKey,
+			sequenceId,
+			doseIdsJson: "[]",
+			title: input.title,
+			message: input.message,
+			language: input.language,
+			scheduledFor: now,
+			expiresAt,
+			updatedAt: now,
+		})
+		.returning();
+
+	const tokens = await createActionTokens(group.id);
+	const groupLanguage = (group.language as Language | null) ?? input.language;
+	const groupLabels = getNotificationActionLabels(groupLanguage);
+	const respondUrl = `${baseUrl}/api/notification-actions/${tokens.respond}`;
+
+	return {
+		groupId: group.id,
+		sequenceId: group.sequenceId,
+		respondUrl,
+		viewUrl,
+		actions: [
+			{
+				kind: "taken",
+				label: groupLabels.taken,
+				url: `${baseUrl}/api/notification-actions/${tokens.taken}`,
+				method: "POST",
+			},
+			{
+				kind: "skip",
+				label: groupLabels.skip,
+				url: `${baseUrl}/api/notification-actions/${tokens.skip}`,
+				method: "POST",
+			},
+			{ kind: "view", label: groupLabels.view, url: viewUrl, method: "GET" },
+		],
+	};
+}
+
+export async function getNotificationActionTokenRecord(
+	rawToken: string
+): Promise<NotificationActionTokenRecord | null> {
+	const tokenHash = hashActionToken(rawToken);
+	const rows = await db
+		.select({ token: notificationActionTokens, group: notificationActionGroups })
+		.from(notificationActionTokens)
+		.innerJoin(notificationActionGroups, eq(notificationActionTokens.groupId, notificationActionGroups.id))
+		.where(eq(notificationActionTokens.tokenHash, tokenHash));
+
+	const record = rows[0];
+	if (!record) {
+		return null;
+	}
+
+	const baseUrl = resolveNotificationPublicAppUrl(env.PUBLIC_APP_URL);
+	return {
+		token: record.token,
+		group: record.group,
+		doseIds: parseDoseIdsJson(record.group.doseIdsJson),
+		viewUrl: baseUrl
+			? buildViewUrl(baseUrl, record.group.scheduledFor, parseDoseIdsJson(record.group.doseIdsJson))
+			: null,
+	};
+}
+
+export function isNotificationActionExpired(record: NotificationActionTokenRecord): boolean {
+	return record.group.expiresAt.getTime() <= Date.now();
+}
+
+export async function storeNotificationActionGroupNtfyMessageId(groupId: number, ntfyMessageId: string): Promise<void> {
+	const normalizedMessageId = ntfyMessageId.trim();
+	if (normalizedMessageId.length === 0) {
+		return;
+	}
+
+	await db
+		.update(notificationActionGroups)
+		.set({ ntfyOriginalMessageId: normalizedMessageId, updatedAt: new Date() })
+		.where(eq(notificationActionGroups.id, groupId));
+}

backend/src/services/notifications/action-renderer.ts

@@ -0,0 +1,175 @@
+import type { Language } from "../../i18n/translations.js";
+
+export type PushNotificationAction =
+	| {
+			kind: "taken";
+			label: string;
+			url: string;
+			method: "POST";
+	  }
+	| {
+			kind: "skip";
+			label: string;
+			url: string;
+			method: "POST";
+	  }
+	| {
+			kind: "view";
+			label: string;
+			url: string;
+			method: "GET";
+	  };
+
+export type PushNotificationOptions = {
+	actions?: PushNotificationAction[];
+	respondUrl?: string;
+	viewUrl?: string;
+	clickUrl?: string;
+	tags?: string[];
+	priority?: number;
+	sequenceId?: string;
+};
+
+type NtfyActionPayload = {
+	action: "http" | "view";
+	label: string;
+	url: string;
+	method?: "POST";
+	clear: boolean;
+};
+
+function encodeHeaderValue(value: string): string {
+	if ([...value].every((char) => char.charCodeAt(0) <= 0x7f)) {
+		return value;
+	}
+
+	return `=?UTF-8?B?${Buffer.from(value, "utf-8").toString("base64")}?=`;
+}
+
+export function isNtfyNotificationUrl(urlStr: string): boolean {
+	if (urlStr.startsWith("ntfy://")) {
+		return true;
+	}
+
+	try {
+		const parsed = new URL(urlStr);
+		if (!["http:", "https:"].includes(parsed.protocol)) {
+			return false;
+		}
+
+		const hostname = parsed.hostname.toLowerCase();
+		return hostname === "ntfy.sh" || hostname === "ntfy" || hostname.startsWith("ntfy.") || hostname.includes(".ntfy.");
+	} catch {
+		return false;
+	}
+}
+
+export function getNotificationProvider(urlStr: string): string {
+	if (isNtfyNotificationUrl(urlStr)) {
+		return "ntfy";
+	}
+
+	try {
+		return new URL(urlStr).protocol.replace(":", "").toLowerCase();
+	} catch {
+		return "unknown";
+	}
+}
+
+export function getNotificationActionLabels(language: Language): {
+	taken: string;
+	skip: string;
+	respond: string;
+	view: string;
+} {
+	if (language === "de") {
+		return {
+			taken: "Einnehmen",
+			skip: "Überspringen",
+			respond: "Antworten",
+			view: "Öffnen",
+		};
+	}
+
+	return {
+		taken: "Take",
+		skip: "Skip",
+		respond: "Respond",
+		view: "View",
+	};
+}
+
+export function buildNtfyActions(options: PushNotificationOptions): NtfyActionPayload[] {
+	const actions = options.actions ?? [];
+
+	return actions.map((action) => {
+		if (action.kind === "view") {
+			return {
+				action: "view",
+				label: action.label,
+				url: action.url,
+				clear: false,
+			};
+		}
+
+		return {
+			action: "http",
+			label: action.label,
+			url: action.url,
+			method: "POST",
+			// Clear the original actionable ntfy notification locally after a successful mutation.
+			clear: true,
+		};
+	});
+}
+
+export function appendFallbackActionLinks(message: string, options: PushNotificationOptions): string {
+	if (!options.respondUrl && !options.viewUrl) {
+		return message;
+	}
+
+	const lines = [message.trimEnd()];
+
+	if (options.respondUrl) {
+		lines.push("", "Respond:", options.respondUrl);
+	}
+
+	if (options.viewUrl) {
+		lines.push("", "View:", options.viewUrl);
+	}
+
+	return lines.join("\n");
+}
+
+export function renderNotificationActionPayload(
+	urlStr: string,
+	message: string,
+	options: PushNotificationOptions
+): { message: string; headers: Record<string, string> } {
+	if (!isNtfyNotificationUrl(urlStr)) {
+		return {
+			message: appendFallbackActionLinks(message, options),
+			headers: {},
+		};
+	}
+
+	const headers: Record<string, string> = {};
+	const ntfyActions = buildNtfyActions(options);
+	if (ntfyActions.length > 0) {
+		headers.Actions = encodeHeaderValue(JSON.stringify(ntfyActions));
+	}
+	if (options.clickUrl && ntfyActions.length === 0) {
+		headers.Click = options.clickUrl;
+	}
+	if (options.tags && options.tags.length > 0) {
+		headers.Tags = options.tags.join(",");
+	}
+	if (typeof options.priority === "number") {
+		headers.Priority = String(options.priority);
+	}
+	if (options.sequenceId) {
+		headers["X-Sequence-ID"] = options.sequenceId;
+	}
+
+	return { message, headers };
+}

backend/src/test/notification-action-renderer.test.ts

@@ -0,0 +1,186 @@
+import { describe, expect, it } from "vitest";
+import {
+	getNotificationActionLabels,
+	isNtfyNotificationUrl,
+	type PushNotificationAction,
+	renderNotificationActionPayload,
+} from "../services/notifications/action-renderer.js";
+
+function decodeRfc2047Base64(value: string): string {
+	const match = /^=\?UTF-8\?B\?(.+)\?=$/.exec(value);
+	if (!match) {
+		return value;
+	}
+
+	return Buffer.from(match[1], "base64").toString("utf-8");
+}
+
+const actions: PushNotificationAction[] = [
+	{
+		kind: "taken",
+		label: "Take",
+		url: "https://app.example.com/api/notification-actions/taken-token",
+		method: "POST",
+	},
+	{
+		kind: "skip",
+		label: "Skip",
+		url: "https://app.example.com/api/notification-actions/skip-token",
+		method: "POST",
+	},
+	{ kind: "view", label: "View", url: "https://app.example.com/?date=2026-01-05", method: "GET" },
+];
+
+describe("notification action renderer", () => {
+	it("builds ntfy native actions without duplicate click headers", () => {
+		const result = renderNotificationActionPayload("ntfy://ntfy.sh/medassist", "Body", {
+			actions,
+			clickUrl: "https://app.example.com/api/notification-actions/respond-token",
+			respondUrl: "https://app.example.com/api/notification-actions/respond-token",
+			viewUrl: "https://app.example.com/?date=2026-01-05",
+			tags: ["pill"],
+			priority: 4,
+			sequenceId: "medassist-sequence",
+		});
+
+		expect(result.message).toBe("Body");
+		expect(result.headers).toMatchObject({
+			Tags: "pill",
+			Priority: "4",
+			"X-Sequence-ID": "medassist-sequence",
+		});
+		expect(result.headers.Click).toBeUndefined();
+
+		const parsedActions = JSON.parse(result.headers.Actions ?? "[]");
+		expect(parsedActions).toEqual([
+			{
+				action: "http",
+				label: "Take",
+				url: "https://app.example.com/api/notification-actions/taken-token",
+				method: "POST",
+				clear: true,
+			},
+			{
+				action: "http",
+				label: "Skip",
+				url: "https://app.example.com/api/notification-actions/skip-token",
+				method: "POST",
+				clear: true,
+			},
+			{
+				action: "view",
+				label: "View",
+				url: "https://app.example.com/?date=2026-01-05",
+				clear: false,
+			},
+		]);
+	});
+
+	it("keeps the ntfy click header when there are no native actions", () => {
+		const result = renderNotificationActionPayload("ntfy://ntfy.sh/medassist", "Body", {
+			clickUrl: "https://app.example.com/api/notification-actions/respond-token",
+		});
+
+		expect(result.headers.Click).toBe("https://app.example.com/api/notification-actions/respond-token");
+	});
+
+	it("treats direct https ntfy URLs as ntfy targets with native actions", () => {
+		const result = renderNotificationActionPayload("https://ntfy.danielvolz.org/medis_test", "Body", {
+			actions,
+			clickUrl: "https://app.example.com/api/notification-actions/respond-token",
+			respondUrl: "https://app.example.com/api/notification-actions/respond-token",
+			viewUrl: "https://app.example.com/?date=2026-01-05",
+		});
+
+		expect(isNtfyNotificationUrl("https://ntfy.danielvolz.org/medis_test")).toBe(true);
+		expect(result.message).toBe("Body");
+		expect(result.headers.Actions).toBeTruthy();
+		expect(result.message).not.toContain("Respond:");
+	});
+
+	it("keeps insecure http mutation targets as direct ntfy http actions without the dev fallback", () => {
+		const result = renderNotificationActionPayload("https://ntfy.danielvolz.org/medis_test", "Body", {
+			actions: [
+				{
+					kind: "taken",
+					label: "Take",
+					url: "http://192.168.0.113:5173/api/notification-actions/taken-token",
+					method: "POST",
+				},
+			],
+		});
+
+		expect(JSON.parse(result.headers.Actions ?? "[]")).toEqual([
+			{
+				action: "http",
+				label: "Take",
+				url: "http://192.168.0.113:5173/api/notification-actions/taken-token",
+				method: "POST",
+				clear: true,
+			},
+		]);
+	});
+
+	it("encodes non-ascii ntfy action labels as RFC 2047 headers", () => {
+		const result = renderNotificationActionPayload("https://ntfy.danielvolz.org/medis_test", "Body", {
+			actions: [
+				{
+					kind: "skip",
+					label: "Überspringen",
+					url: "https://app.example.com/api/notification-actions/skip-token",
+					method: "POST",
+				},
+				{
+					kind: "view",
+					label: "Öffnen",
+					url: "https://app.example.com/?date=2026-01-05",
+					method: "GET",
+				},
+			],
+		});
+
+		expect(result.headers.Actions).toMatch(/^=\?UTF-8\?B\?/);
+		expect(JSON.parse(decodeRfc2047Base64(result.headers.Actions ?? "[]"))).toEqual([
+			{
+				action: "http",
+				label: "Überspringen",
+				url: "https://app.example.com/api/notification-actions/skip-token",
+				method: "POST",
+				clear: true,
+			},
+			{
+				action: "view",
+				label: "Öffnen",
+				url: "https://app.example.com/?date=2026-01-05",
+				clear: false,
+			},
+		]);
+	});
+
+	it("uses consistent action-form labels for English and German", () => {
+		expect(getNotificationActionLabels("en")).toEqual({
+			taken: "Take",
+			skip: "Skip",
+			respond: "Respond",
+			view: "View",
+		});
+		expect(getNotificationActionLabels("de")).toEqual({
+			taken: "Einnehmen",
+			skip: "Überspringen",
+			respond: "Antworten",
+			view: "Öffnen",
+		});
+	});
+
+	it("appends respond and view fallback links for non-ntfy providers", () => {
+		const result = renderNotificationActionPayload("https://hooks.slack.com/services/a/b/c", "Body", {
+			respondUrl: "https://app.example.com/api/notification-actions/respond-token",
+			viewUrl: "https://app.example.com/?date=2026-01-05",
+		});
+
+		expect(result.headers).toEqual({});
+		expect(result.message).toBe(
+			"Body\n\nRespond:\nhttps://app.example.com/api/notification-actions/respond-token\n\nView:\nhttps://app.example.com/?date=2026-01-05"
+		);
+	});
+});

backend/src/test/notification-actions-service.test.ts

@@ -0,0 +1,225 @@
+import { dirname, resolve } from "node:path";
+import { fileURLToPath } from "node:url";
+import { migrate } from "drizzle-orm/libsql/migrator";
+import { afterAll, beforeAll, beforeEach, describe, expect, it, vi } from "vitest";
+import { runAlterMigrations } from "../db/db-utils.js";
+
+const { testClient, testDb, mockedEnv } = vi.hoisted(() => {
+	const { createClient } = require("@libsql/client");
+	const { drizzle } = require("drizzle-orm/libsql");
+	const client = createClient({ url: ":memory:" });
+	const db = drizzle(client);
+
+	return {
+		testClient: client,
+		testDb: db,
+		mockedEnv: {
+			PUBLIC_APP_URL: "https://app.example.com",
+			CORS_ORIGINS: "http://localhost:5173,http://localhost:4173",
+		},
+	};
+});
+
+vi.mock("../db/client.js", () => ({
+	db: testDb,
+	migrationsReady: Promise.resolve(),
+}));
+
+vi.mock("../plugins/env.js", () => ({ env: mockedEnv }));
+
+const { createNotificationActionContext, getNotificationActionTokenRecord, hashActionToken } = await import(
+	"../services/notification-actions-service.js"
+);
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);
+const migrationsFolder = resolve(__dirname, "../../drizzle");
+
+function extractToken(url: string): string {
+	return url.split("/").at(-1) ?? "";
+}
+
+async function clearTables() {
+	await testClient.execute("DELETE FROM notification_action_tokens");
+	await testClient.execute("DELETE FROM notification_action_groups");
+	await testClient.execute("DELETE FROM users");
+}
+
+async function createUser(username: string) {
+	const result = await testClient.execute({
+		sql: "INSERT INTO users (username, auth_provider, is_active) VALUES (?, 'local', 1) RETURNING id",
+		args: [username],
+	});
+
+	return Number(result.rows[0].id);
+}
+
+describe("notification-actions-service", () => {
+	beforeAll(async () => {
+		await migrate(testDb, { migrationsFolder });
+		await runAlterMigrations(testClient);
+	});
+
+	afterAll(() => {
+		testClient.close();
+	});
+
+	beforeEach(async () => {
+		await clearTables();
+		mockedEnv.PUBLIC_APP_URL = "https://app.example.com";
+		mockedEnv.CORS_ORIGINS = "http://localhost:5173,http://localhost:4173";
+	});
+
+	it("creates a notification action group with hashed tokens and app/view links", async () => {
+		const userId = await createUser("notify-actions-user");
+		const scheduledFor = new Date("2026-01-05T08:00:00.000Z");
+
+		const context = await createNotificationActionContext({
+			userId,
+			title: "Reminder",
+			message: "Take your medication now",
+			doseIds: ["9-1-1736064000000", "9-0-1736064000000", "9-1-1736064000000"],
+			scheduledFor,
+			publicAppUrl: mockedEnv.PUBLIC_APP_URL,
+			language: "en",
+		});
+
+		expect(context).toMatchObject({
+			respondUrl: expect.stringContaining("/api/notification-actions/"),
+			viewUrl: "https://app.example.com/dashboard?day=2026-01-05&dose=9-0-1736064000000",
+			sequenceId: expect.stringMatching(/^medassist-/),
+		});
+		expect(context?.actions.map((action) => action.kind)).toEqual(["taken", "skip", "view"]);
+
+		const groups = await testClient.execute({
+			sql: "SELECT COUNT(*) AS count FROM notification_action_groups WHERE user_id = ?",
+			args: [userId],
+		});
+		expect(Number(groups.rows[0].count)).toBe(1);
+
+		const tokenRows = await testClient.execute({
+			sql: "SELECT kind, token_hash FROM notification_action_tokens ORDER BY kind ASC",
+		});
+		expect(tokenRows.rows).toHaveLength(3);
+
+		const respondToken = extractToken(context!.respondUrl!);
+		const respondRow = tokenRows.rows.find((row: { kind?: unknown }) => row.kind === "respond");
+		expect(respondRow).toEqual(expect.objectContaining({ token_hash: hashActionToken(respondToken), kind: "respond" }));
+		expect(respondRow?.token_hash).not.toBe(respondToken);
+
+		const record = await getNotificationActionTokenRecord(respondToken);
+		expect(record).toMatchObject({
+			doseIds: ["9-0-1736064000000", "9-1-1736064000000"],
+			viewUrl: "https://app.example.com/dashboard?day=2026-01-05&dose=9-0-1736064000000",
+		});
+	});
+
+	it("creates a view-only context without mutation tokens", async () => {
+		const userId = await createUser("notify-actions-view-only");
+		const scheduledFor = new Date("2026-01-05T08:00:00.000Z");
+
+		const context = await createNotificationActionContext({
+			userId,
+			title: "Grouped reminder",
+			message: "Open the dashboard for details",
+			doseIds: ["9-0-1736064000000", "10-0-1736064000000"],
+			scheduledFor,
+			publicAppUrl: mockedEnv.PUBLIC_APP_URL,
+			language: "en",
+			actionMode: "view-only",
+		});
+
+		expect(context).toEqual({
+			viewUrl: "https://app.example.com/dashboard?day=2026-01-05&dose=10-0-1736064000000",
+			actions: [
+				{
+					kind: "view",
+					label: "View",
+					url: "https://app.example.com/dashboard?day=2026-01-05&dose=10-0-1736064000000",
+					method: "GET",
+				},
+			],
+		});
+
+		const groups = await testClient.execute("SELECT COUNT(*) AS count FROM notification_action_groups");
+		expect(Number(groups.rows[0].count)).toBe(0);
+
+		const tokens = await testClient.execute("SELECT COUNT(*) AS count FROM notification_action_tokens");
+		expect(Number(tokens.rows[0].count)).toBe(0);
+	});
+
+	it("reuses an unresolved active group for the same dose set and schedule", async () => {
+		const userId = await createUser("notify-actions-reuse");
+		const scheduledFor = new Date("2026-01-05T08:00:00.000Z");
+
+		const first = await createNotificationActionContext({
+			userId,
+			title: "Reminder",
+			message: "Take your medication now",
+			doseIds: ["9-0-1736064000000"],
+			scheduledFor,
+			publicAppUrl: mockedEnv.PUBLIC_APP_URL,
+			language: "en",
+		});
+		const second = await createNotificationActionContext({
+			userId,
+			title: "Reminder",
+			message: "Take your medication now",
+			doseIds: ["9-0-1736064000000"],
+			scheduledFor,
+			publicAppUrl: mockedEnv.PUBLIC_APP_URL,
+			language: "en",
+		});
+
+		expect(second?.sequenceId).toBe(first?.sequenceId);
+
+		const groups = await testClient.execute("SELECT id, sequence_id FROM notification_action_groups");
+		expect(groups.rows).toHaveLength(1);
+		expect(groups.rows[0]).toEqual(expect.objectContaining({ sequence_id: first?.sequenceId }));
+
+		const tokens = await testClient.execute("SELECT COUNT(*) AS count FROM notification_action_tokens");
+		expect(Number(tokens.rows[0].count)).toBe(6);
+	});
+
+	it("prefers a non-local CORS origin when PUBLIC_APP_URL points to localhost", async () => {
+		const userId = await createUser("notify-actions-mobile");
+		const scheduledFor = new Date("2026-01-05T08:00:00.000Z");
+		mockedEnv.PUBLIC_APP_URL = "http://localhost:5173";
+		mockedEnv.CORS_ORIGINS = "http://localhost:5173,http://192.168.0.113:5173";
+
+		const context = await createNotificationActionContext({
+			userId,
+			title: "Reminder",
+			message: "Take your medication now",
+			doseIds: ["9-0-1736064000000"],
+			scheduledFor,
+			publicAppUrl: mockedEnv.PUBLIC_APP_URL,
+			language: "en",
+		});
+
+		expect(context).toMatchObject({
+			respondUrl: `http://192.168.0.113:5173/api/notification-actions/${extractToken(context!.respondUrl!)}`,
+			viewUrl: "http://192.168.0.113:5173/dashboard?day=2026-01-05&dose=9-0-1736064000000",
+		});
+
+		const record = await getNotificationActionTokenRecord(extractToken(context!.respondUrl!));
+		expect(record?.viewUrl).toBe("http://192.168.0.113:5173/dashboard?day=2026-01-05&dose=9-0-1736064000000");
+	});
+
+	it("falls back to the date view when dose ids do not contain a medication id", async () => {
+		const userId = await createUser("notify-actions-fallback");
+		const scheduledFor = new Date("2026-01-05T08:00:00.000Z");
+
+		const context = await createNotificationActionContext({
+			userId,
+			title: "Reminder",
+			message: "Take your medication now",
+			doseIds: ["invalid-dose-id"],
+			scheduledFor,
+			publicAppUrl: mockedEnv.PUBLIC_APP_URL,
+			language: "en",
+		});
+
+		expect(context?.viewUrl).toBe("https://app.example.com/dashboard?day=2026-01-05&dose=invalid-dose-id");
+	});
+});

docs/DEFAULT_USER_SETTINGS.md

@@ -6,6 +6,7 @@ Scope and behavior:
 
 - These values are applied only when a user's settings are created for the first time.
 - After that, values stored in the database are used and take precedence.
+- Source of truth in code: [backend/src/routes/settings.ts](backend/src/routes/settings.ts).
 
 ## Email Defaults
 
@@ -46,6 +47,6 @@ Scope and behavior:
 |----------|---------|-------------|
 | `DEFAULT_LANGUAGE` | `en` | Default language (`en` or `de`). |
 | `DEFAULT_STOCK_CALCULATION_MODE` | `automatic` | Default stock mode (`automatic` or `manual`). |
-| `DEFAULT_SHARE_MEDICATION_OVERVIEW` | `false` | Show medication overview section on shared schedule links. |
+| `DEFAULT_SHARE_STOCK_STATUS` | `true` | Show stock status on shared schedule links. |
 | `DEFAULT_UPCOMING_TODAY_ONLY` | `false` | Show only today's upcoming doses by default. |
 | `DEFAULT_SHARE_SCHEDULE_TODAY_ONLY` | `false` | Show only today's schedule in shared view by default. |

frontend/src/App.tsx

@@ -506,7 +506,7 @@ function AppContent() {
 			<AboutModal isOpen={showAbout} onClose={closeAbout} />
 
 			<Routes>
-				<Route path="/" element={<Navigate to={{ pathname: "/dashboard", search: location.search }} replace />} />
+				<Route path="/" element={<Navigate to="/dashboard" replace />} />
 				<Route path="/dashboard" element={<DashboardPage />} />
 
 				<Route path="/medications" element={<MedicationsPage />} />

frontend/src/components/SharedSchedule.tsx

@@ -235,6 +235,10 @@ export function SharedSchedule() {
 	}
 
 	async function markDoseTaken(doseId: string) {
+		if (dismissedDoses.has(doseId)) {
+			return;
+		}
+
 		const wasTaken = takenDoses.has(doseId);
 		const wasSkipped = dismissedDoses.has(doseId);
 		const wasAutomatic = automaticTakenDoses.has(doseId);
@@ -462,7 +466,7 @@ export function SharedSchedule() {
 			<button
 				className={`dose-btn take${options.isEmpty ? " out-of-stock" : ""}`}
 				onClick={() => markDoseTaken(options.doseId)}
-				disabled={options.isEmpty}
+				disabled={options.isEmpty || options.isSkipped}
 				title={options.isEmpty ? t("common.outOfStockTakeBlocked") : t("dose.markAsTaken")}
 			>
 				<span className="dose-btn-label">{t("dose.take")}</span>
@@ -472,7 +476,7 @@ export function SharedSchedule() {
 
 		const skipButton = options.isSkipped ? (
 			<button className="dose-btn undo skip" onClick={() => undoDoseSkipped(options.doseId)} title={t("common.undo")}>
-				<span className="dose-btn-label">{t("dose.undoSkip")}</span>
+				<span className="dose-btn-label">{t("common.undo")}</span>
 				<span aria-hidden="true">↩</span>
 			</button>
 		) : (

frontend/src/pages/MedicationsPage.tsx

@@ -257,10 +257,8 @@ export function MedicationsPage() {
 	useUnsavedChangesWarning(formChanged);
 
 	// View mode: grid (default) or form (edit/new)
-	// If navigating in with a medication deep-link, suppress rendering until the target form is ready
-	const [pendingEditTransition, setPendingEditTransition] = useState(
-		() => searchParams.has("editMedId") || searchParams.has("viewMedId")
-	);
+	// If navigating in with editMedId, suppress rendering until the edit form is ready
+	const [pendingEditTransition, setPendingEditTransition] = useState(() => searchParams.has("editMedId"));
 	const [viewMode, setViewMode] = useState<"grid" | "form">(pendingEditTransition ? "form" : "grid");
 	const [lightboxImage, setLightboxImage] = useState<{ src: string; alt: string } | null>(null);
 	const [activeTab, setActiveTab] = useState<"general" | "stock" | "prescription" | "schedule">("general");
@@ -271,23 +269,9 @@ export function MedicationsPage() {
 	useEffect(() => {
 		showEditModalRef.current = showEditModal;
 	}, [showEditModal]);
-	const processedMedicationLinkRef = useRef<string | null>(null);
+	const processedEditMedIdRef = useRef<string | null>(null);
 	const hasDesktopFormHistoryState = useRef(false);
 
-	const getMedicationLinkState = useCallback((params: URLSearchParams) => {
-		const viewMedId = params.get("viewMedId");
-		if (viewMedId) {
-			return { mode: "view" as const, linkedMedId: viewMedId };
-		}
-
-		const editMedId = params.get("editMedId");
-		if (editMedId) {
-			return { mode: "edit" as const, linkedMedId: editMedId };
-		}
-
-		return { mode: null, linkedMedId: null };
-	}, []);
-
 	// Sync formChanged state to the global context for navigation blocking
 	const { setHasUnsavedChanges } = useUnsavedChanges();
 	useEffect(() => {
@@ -835,13 +819,12 @@ export function MedicationsPage() {
 		[t]
 	);
 
-	const clearMedicationLinkParams = useCallback(() => {
+	const clearEditMedIdParam = useCallback(() => {
 		setSearchParams(
 			(prevParams) => {
-				if (!prevParams.has("editMedId") && !prevParams.has("viewMedId")) return prevParams;
+				if (!prevParams.has("editMedId")) return prevParams;
 				const nextParams = new URLSearchParams(prevParams);
 				nextParams.delete("editMedId");
-				nextParams.delete("viewMedId");
 				return nextParams;
 			},
 			{ replace: true }
@@ -865,7 +848,7 @@ export function MedicationsPage() {
 				setShowUnsavedConfirm(true);
 				return;
 			}
-			clearMedicationLinkParams();
+			clearEditMedIdParam();
 			// Mark as confirmed to avoid double confirmation in popstate handler
 			closeConfirmedRef.current = true;
 			window.history.back();
@@ -1176,7 +1159,7 @@ export function MedicationsPage() {
 				if (shouldCloseMobileModal) {
 					// Treat post-save close as confirmed so popstate does not trigger unsaved guards.
 					closeConfirmedRef.current = true;
-					clearMedicationLinkParams();
+					clearEditMedIdParam();
 					setShowEditModal(false);
 					setReadOnlyView(false);
 					setActiveTab("general");
@@ -1205,8 +1188,7 @@ export function MedicationsPage() {
 	// Handle browser back button for modals and unsaved changes
 	useEffect(() => {
 		const handlePopState = () => {
-			const currentParams = new URLSearchParams(window.location.search);
-			const { mode: currentLinkMode, linkedMedId: currentMedicationLinkId } = getMedicationLinkState(currentParams);
+			const currentEditMedId = new URLSearchParams(window.location.search).get("editMedId");
 
 			// Obsolete confirmation is open — dismiss it and stay where we are
 			if (showObsoleteConfirm) {
@@ -1225,10 +1207,10 @@ export function MedicationsPage() {
 			// If close was already confirmed programmatically, allow navigation
 			if (closeConfirmedRef.current) {
 				closeConfirmedRef.current = false;
-				if (currentMedicationLinkId && currentLinkMode) {
+				if (currentEditMedId) {
 					// Prevent URL popstate from immediately reopening mobile edit for the same id.
-					processedMedicationLinkRef.current = `${currentLinkMode}:${currentMedicationLinkId}`;
-					clearMedicationLinkParams();
+					processedEditMedIdRef.current = currentEditMedId;
+					clearEditMedIdParam();
 				}
 				if (showEditModal) {
 					setShowEditModal(false);
@@ -1249,11 +1231,11 @@ export function MedicationsPage() {
 					setShowUnsavedConfirm(true);
 					return;
 				}
-				if (currentMedicationLinkId && currentLinkMode) {
+				if (currentEditMedId) {
 					// Mark as handled before URL cleanup to avoid same-tick re-open races.
-					processedMedicationLinkRef.current = `${currentLinkMode}:${currentMedicationLinkId}`;
+					processedEditMedIdRef.current = currentEditMedId;
 				}
-				clearMedicationLinkParams();
+				clearEditMedIdParam();
 				setShowEditModal(false);
 				resetForm();
 				resetMedicationEnrichment();
@@ -1289,16 +1271,7 @@ export function MedicationsPage() {
 		};
 		window.addEventListener("popstate", handlePopState);
 		return () => window.removeEventListener("popstate", handlePopState);
-	}, [
-		showObsoleteConfirm,
-		showDeleteConfirm,
-		showEditModal,
-		viewMode,
-		formChanged,
-		resetForm,
-		clearMedicationLinkParams,
-		getMedicationLinkState,
-	]);
+	}, [showObsoleteConfirm, showDeleteConfirm, showEditModal, viewMode, formChanged, resetForm, clearEditMedIdParam]);
 
 	// Close modal on Escape key
 	useEffect(() => {
@@ -1416,23 +1389,22 @@ export function MedicationsPage() {
 	}, [activeMeds, editingId]);
 
 	useEffect(() => {
-		const { mode: linkMode, linkedMedId } = getMedicationLinkState(searchParams);
-		if (!linkedMedId || !linkMode) {
-			processedMedicationLinkRef.current = null;
+		const editMedId = searchParams.get("editMedId");
+		if (!editMedId) {
+			processedEditMedIdRef.current = null;
 			return;
 		}
-		const linkKey = `${linkMode}:${linkedMedId}`;
-		if (processedMedicationLinkRef.current === linkKey) return;
-		const parsedMedId = Number.parseInt(linkedMedId, 10);
+		if (processedEditMedIdRef.current === editMedId) return;
+		const parsedMedId = Number.parseInt(editMedId, 10);
 		if (Number.isNaN(parsedMedId)) return;
 		const medicationToEdit =
 			meds.find((med) => med.id === parsedMedId) ?? allMeds.find((med) => med.id === parsedMedId);
 		if (!medicationToEdit) return;
 
-		processedMedicationLinkRef.current = linkKey;
+		processedEditMedIdRef.current = editMedId;
 
 		setShowNameValidation(false);
-		setReadOnlyView(linkMode === "view");
+		setReadOnlyView(false);
 		setActiveTab("general");
 		resetMedicationEnrichment(medicationToEdit.name || medicationToEdit.genericName || "");
 		startEdit(medicationToEdit, openEditModal);
@@ -1443,9 +1415,8 @@ export function MedicationsPage() {
 
 		const nextParams = new URLSearchParams(searchParams);
 		nextParams.delete("editMedId");
-		nextParams.delete("viewMedId");
 		setSearchParams(nextParams, { replace: true });
-	}, [allMeds, getMedicationLinkState, meds, openEditModal, searchParams, setSearchParams, startEdit]);
+	}, [allMeds, meds, openEditModal, searchParams, setSearchParams, startEdit]);
 
 	const selectedMedication = useMemo(() => {
 		if (!editingId) return null;

frontend/src/test/App.test.tsx

@@ -1,5 +1,5 @@
 import { fireEvent, render, screen } from "@testing-library/react";
-import { MemoryRouter, useLocation } from "react-router-dom";
+import { MemoryRouter } from "react-router-dom";
 import { beforeEach, describe, expect, it, vi } from "vitest";
 import App from "../App";
 
@@ -59,15 +59,7 @@ vi.mock("../context", async () => {
 });
 
 vi.mock("../pages", () => ({
-	DashboardPage: () => {
-		const location = useLocation();
-		return (
-			<div>
-				<span>dashboard-page</span>
-				<span data-testid="dashboard-location-search">{location.search}</span>
-			</div>
-		);
-	},
+	DashboardPage: () => <div>dashboard-page</div>,
 	MedicationsPage: () => <div>medications-page</div>,
 	PlannerPage: () => <div>planner-page</div>,
 	SchedulePage: () => <div>schedule-page</div>,
@@ -273,19 +265,6 @@ describe("App", () => {
 		expect(screen.getByText("dashboard-page")).toBeInTheDocument();
 	});
 
-	it("preserves notification query params when redirecting root to dashboard", () => {
-		const search = "?date=2026-05-06&medId=4332&doseId=4332-0-1778104500000";
-
-		render(
-			<MemoryRouter initialEntries={[`/${search}`]}>
-				<App />
-			</MemoryRouter>
-		);
-
-		expect(screen.getByText("dashboard-page")).toBeInTheDocument();
-		expect(screen.getByTestId("dashboard-location-search")).toHaveTextContent(search);
-	});
-
 	it("renders initializing state when auth state is missing", () => {
 		authMock = {
 			user: null,

frontend/src/test/components/Auth.test.tsx

@@ -175,10 +175,6 @@ describe("LoginForm", () => {
 		oidcProviderName: "",
 	};
 
-	afterEach(() => {
-		window.history.replaceState({}, "", "/");
-	});
-
 	beforeEach(() => {
 		vi.clearAllMocks();
 		(global.fetch as ReturnType<typeof vi.fn>)

frontend/src/test/pages/MedicationsPage.test.tsx

@@ -475,21 +475,6 @@ describe("MedicationsPage with items", () => {
 		});
 	});
 
-	it("opens read-only view from viewMedId query parameter", async () => {
-		const startEdit = vi.fn();
-		mockFormHookValue = createMockFormHook({ startEdit });
-		fetchMock.mockResolvedValue({ ok: true, json: async () => mockMeds });
-
-		renderPage("/medications?viewMedId=1");
-
-		await waitFor(() => {
-			expect(startEdit).toHaveBeenCalledTimes(1);
-		});
-
-		expect(screen.getByText("common.close")).toBeInTheDocument();
-		expect(screen.queryByText("common.save")).not.toBeInTheDocument();
-	});
-
 	it("opens unsaved confirm and continues edit after confirmation", async () => {
 		const startEdit = vi.fn();
 		const resetForm = vi.fn();

frontend/vite.config.ts

@@ -2,24 +2,6 @@ import { existsSync, readFileSync } from "fs";
 import { defineConfig } from "vite";
 import react from "@vitejs/plugin-react";
 
-function parseCsvEnv(value: string | undefined, fallback: string[]) {
-  const entries = value
-    ?.split(",")
-    .map((entry) => entry.trim())
-    .filter((entry) => entry.length > 0);
-
-  return entries && entries.length > 0 ? entries : fallback;
-}
-
-function parseOptionalPort(value: string | undefined) {
-  if (!value) {
-    return undefined;
-  }
-
-  const parsed = Number.parseInt(value, 10);
-  return Number.isFinite(parsed) ? parsed : undefined;
-}
-
 // Read version from package.json at build time
 const packageJson = JSON.parse(readFileSync("./package.json", "utf-8"));
 
@@ -27,19 +9,6 @@ const packageJson = JSON.parse(readFileSync("./package.json", "utf-8"));
 // In Docker, prefer backend-dev to avoid localhost proxy failures.
 const defaultBackendTarget = existsSync("/.dockerenv") ? "http://backend-dev:3000" : "http://localhost:3000";
 const backendTarget = process.env.BACKEND_URL || defaultBackendTarget;
-const allowedHosts = parseCsvEnv(process.env.VITE_ALLOWED_HOSTS, ["localhost", "127.0.0.1"]);
-const hmrHost = process.env.VITE_HMR_HOST?.trim();
-const hmrProtocol = process.env.VITE_HMR_PROTOCOL === "ws" ? "ws" : process.env.VITE_HMR_PROTOCOL === "wss" ? "wss" : undefined;
-const hmrClientPort = parseOptionalPort(process.env.VITE_HMR_CLIENT_PORT);
-const hmrPort = parseOptionalPort(process.env.VITE_HMR_PORT);
-const hmr = hmrHost
-  ? {
-      host: hmrHost,
-      protocol: hmrProtocol ?? "wss",
-      clientPort: hmrClientPort ?? (hmrProtocol === "ws" ? 80 : 443),
-      port: hmrPort ?? 5173,
-    }
-  : undefined;
 
 export default defineConfig({
   plugins: [react()],
@@ -50,8 +19,6 @@ export default defineConfig({
   server: {
     port: 5173,
     strictPort: true,
-    allowedHosts,
-    hmr,
     proxy: {
       "/api": {
         target: backendTarget,