chore: release v1.17.0 (#348 )

docs: update memory and report for multi-pr delivery (#347 )
chore: update dependabot automation and agent governance (#341 )
2026-02-27 01:19:39 +01:00 · 2026-02-27 01:15:40 +01:00 · 2026-02-27 01:11:05 +01:00 · 2026-02-27 01:01:48 +01:00 · 2026-02-27 00:54:21 +01:00 · 2026-02-27 00:48:58 +01:00
270 changed files with 83904 additions and 13130 deletions
@@ -11,7 +11,22 @@ PGID=1000

 PORT=3000
 CORS_ORIGINS=http://localhost:4174
-LOG_LEVEL=info
+LOG_LEVEL=warn
+# Levels: debug, info, warn, error, silent
+# Controls: backend Fastify logging, frontend nginx access logs (Docker),
+#           and frontend browser console (via build-time injection)
+#
+# Behavior per level:
+#   debug  — all app logs + all HTTP request logs (including polling endpoints)
+#   info   — all app logs + HTTP request logs, EXCEPT high-frequency polling
+#            (GET /doses/taken, GET /share/:token/doses, GET /health are hidden)
+#   warn   — only warnings and errors
+#   error  — only errors
+#   silent — no logs
+
+# Rate limit: max requests per minute per IP (default: 100)
+# Increase for development/testing environments
+# RATE_LIMIT_MAX=100

 # Timezone for scheduled reminders (e.g., Europe/Berlin, America/New_York)
 TZ=Europe/Berlin
@@ -25,6 +40,9 @@ AUTH_ENABLED=false
 # Allow new user registrations (auto-enabled when no users exist)
 # REGISTRATION_ENABLED=false

+# Disable username/password form login (useful for OIDC-only setups)
+# FORM_LOGIN_ENABLED=true
+
 # JWT Secrets - REQUIRED when AUTH_ENABLED=true
 # Generate with: openssl rand -hex 32
 # JWT_SECRET=
@@ -78,4 +96,45 @@ REMINDER_DAYS_BEFORE=7
 # Admin settings (not editable in UI)
 REMINDER_HOUR=6                   # 24h format (0-23), e.g. 6 = 6:00 AM, 18 = 6:00 PM
 REMINDER_MINUTES_BEFORE=15        # Minutes before intake to send reminder
-EXPIRY_WARNING_DAYS=30            # Days before expiry to show yellow warning
+EXPIRY_WARNING_DAYS=30            # Days before expiry to show yellow warning
+
+# =============================================================================
+# Default User Settings (applied when new user is created)
+# =============================================================================
+# These ENV values are only used as DEFAULTS when a new user is created.
+# Once a user saves their settings in the app, these ENV values are ignored
+# for that user - their saved preferences take precedence.
+#
+# Useful for server admins to pre-configure settings for all new users.
+# =============================================================================
+
+# Email notifications (requires SMTP config above)
+# DEFAULT_EMAIL_ENABLED=false
+# DEFAULT_NOTIFICATION_EMAIL=
+# DEFAULT_EMAIL_STOCK_REMINDERS=true
+# DEFAULT_EMAIL_INTAKE_REMINDERS=true
+
+# Push notifications (ntfy/gotify via Shoutrrr)
+# DEFAULT_SHOUTRRR_ENABLED=false
+# DEFAULT_SHOUTRRR_URL=
+# DEFAULT_SHOUTRRR_STOCK_REMINDERS=true
+# DEFAULT_SHOUTRRR_INTAKE_REMINDERS=true
+
+# Repeat/nagging reminders for missed doses
+# DEFAULT_REPEAT_REMINDERS_ENABLED=false
+# DEFAULT_REMINDER_REPEAT_INTERVAL_MINUTES=30
+# DEFAULT_MAX_NAGGING_REMINDERS=5
+# DEFAULT_SKIP_REMINDERS_FOR_TAKEN_DOSES=false
+
+# Stock reminder settings
+# DEFAULT_REPEAT_DAILY_REMINDERS=false
+
+# Stock thresholds (days of supply)
+# DEFAULT_LOW_STOCK_DAYS=30
+# DEFAULT_NORMAL_STOCK_DAYS=90
+# DEFAULT_HIGH_STOCK_DAYS=180
+
+# UI defaults
+# DEFAULT_LANGUAGE=en              # en or de
+# DEFAULT_STOCK_CALCULATION_MODE=automatic  # automatic or manual
+# DEFAULT_SHARE_STOCK_STATUS=true  # Show stock status on shared schedule links
@@ -0,0 +1,94 @@
+name: 🐛 Bug Report
+description: Report a bug or unexpected behavior
+labels: ["bug", "triage"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to report a bug! Please fill out the sections below.
+
+        Before submitting, please reproduce the issue on the latest released version.
+        Even better: verify it on the current `main` image/tag.
+        The issue may already be fixed in newer builds.
+
+  - type: textarea
+    id: description
+    attributes:
+      label: Bug Description
+      description: A clear and concise description of what the bug is.
+      placeholder: What happened?
+    validations:
+      required: true
+
+  - type: textarea
+    id: steps
+    attributes:
+      label: Steps to Reproduce
+      description: How can we reproduce this issue?
+      placeholder: |
+        1. Go to '...'
+        2. Click on '...'
+        3. See error
+    validations:
+      required: true
+
+  - type: textarea
+    id: expected
+    attributes:
+      label: Expected Behavior
+      description: What did you expect to happen?
+      placeholder: What should have happened instead?
+    validations:
+      required: true
+
+  - type: textarea
+    id: screenshots
+    attributes:
+      label: Screenshots
+      description: If applicable, add screenshots to help explain your problem.
+      placeholder: Drag and drop images here
+
+  - type: dropdown
+    id: deployment
+    attributes:
+      label: Deployment Type
+      description: How are you running MedAssist?
+      options:
+        - Docker Compose (Production)
+        - Docker Compose (Development)
+        - Local development (npm run dev)
+        - Other
+    validations:
+      required: true
+
+  - type: textarea
+    id: version_info
+    attributes:
+      label: Version / Image Information
+      description: Provide the app version and, if using Docker, the exact image tag you are running.
+      placeholder: |
+        App version (Settings -> About): vX.Y.Z
+        Docker image tag (if applicable): latest or main
+        Tag guidance: use `latest` for the newest release, or `main` for the newest changes from the main branch (`main` is always as new as or newer than `latest`).
+    validations:
+      required: true
+
+  - type: input
+    id: browser
+    attributes:
+      label: Browser
+      description: What browser are you using?
+      placeholder: e.g. Chrome 120, Firefox 121, Safari 17
+
+  - type: textarea
+    id: logs
+    attributes:
+      label: Relevant Log Output
+      description: Please copy and paste any relevant log output (backend or browser console).
+      render: shell
+
+  - type: textarea
+    id: additional
+    attributes:
+      label: Additional Context
+      description: Add any other context about the problem here.
@@ -0,0 +1,8 @@
+blank_issues_enabled: true
+contact_links:
+  - name: 💬 Discussions
+    url: https://github.com/DanielVolz/medassist-ng/discussions
+    about: Ask questions or share ideas in Discussions
+  - name: 📖 Documentation
+    url: https://github.com/DanielVolz/medassist-ng#readme
+    about: Check the README for setup and usage instructions
@@ -0,0 +1,77 @@
+name: ✨ Feature Request
+description: Suggest a new feature or improvement
+labels: ["enhancement", "triage"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for suggesting an improvement! Please fill out the sections below.
+
+  - type: textarea
+    id: problem
+    attributes:
+      label: Problem or Motivation
+      description: Is your feature request related to a problem? Please describe.
+      placeholder: I'm always frustrated when...
+    validations:
+      required: true
+
+  - type: textarea
+    id: solution
+    attributes:
+      label: Proposed Solution
+      description: Describe the solution you'd like to see.
+      placeholder: A clear and concise description of what you want to happen.
+    validations:
+      required: true
+
+  - type: textarea
+    id: alternatives
+    attributes:
+      label: Alternatives Considered
+      description: Describe any alternative solutions or features you've considered.
+      placeholder: Other approaches you thought about
+
+  - type: dropdown
+    id: area
+    attributes:
+      label: Affected Area
+      description: Which part of the app does this affect?
+      options:
+        - Dashboard
+        - Medications
+        - Schedule / Timeline
+        - Planner
+        - Settings
+        - Notifications (Email/Push)
+        - Authentication
+        - Share functionality
+        - Mobile experience
+        - API / Backend
+        - Other
+    validations:
+      required: true
+
+  - type: dropdown
+    id: priority
+    attributes:
+      label: Priority (your opinion)
+      description: How important is this feature to you?
+      options:
+        - Nice to have
+        - Would be helpful
+        - Important for my use case
+        - Critical / Blocking
+
+  - type: textarea
+    id: mockups
+    attributes:
+      label: Mockups / Examples
+      description: If you have any mockups, screenshots, or examples from other apps, add them here.
+      placeholder: Drag and drop images here
+
+  - type: textarea
+    id: additional
+    attributes:
+      label: Additional Context
+      description: Add any other context about the feature request here.
@@ -0,0 +1,42 @@
+---
+description: 'Provide principal-level software engineering guidance with focus on engineering excellence, technical leadership, and pragmatic implementation.'
+name: 'Principal software engineer'
+tools: ['changes', 'search/codebase', 'edit/editFiles', 'extensions', 'web/fetch', 'findTestFiles', 'githubRepo', 'new', 'openSimpleBrowser', 'problems', 'runCommands', 'runTasks', 'runTests', 'search', 'search/searchResults', 'runCommands/terminalLastCommand', 'runCommands/terminalSelection', 'testFailure', 'usages', 'vscodeAPI', 'github']
+---
+# Principal software engineer mode instructions
+
+You are in principal software engineer mode. Your task is to provide expert-level engineering guidance that balances craft excellence with pragmatic delivery as if you were Martin Fowler, renowned software engineer and thought leader in software design.
+
+## Core Engineering Principles
+
+You will provide guidance on:
+
+- **Engineering Fundamentals**: Gang of Four design patterns, SOLID principles, DRY, YAGNI, and KISS - applied pragmatically based on context
+- **Clean Code Practices**: Readable, maintainable code that tells a story and minimizes cognitive load
+- **Test Automation**: Comprehensive testing strategy including unit, integration, and end-to-end tests with clear test pyramid implementation
+- **Quality Attributes**: Balancing testability, maintainability, scalability, performance, security, and understandability
+- **Technical Leadership**: Clear feedback, improvement recommendations, and mentoring through code reviews
+
+## Implementation Focus
+
+- **Requirements Analysis**: Carefully review requirements, document assumptions explicitly, identify edge cases and assess risks
+- **Implementation Excellence**: Implement the best design that meets architectural requirements without over-engineering
+- **Pragmatic Craft**: Balance engineering excellence with delivery needs - good over perfect, but never compromising on fundamentals
+- **Forward Thinking**: Anticipate future needs, identify improvement opportunities, and proactively address technical debt
+
+## Technical Debt Management
+
+When technical debt is incurred or identified:
+
+- **MUST** offer to create GitHub Issues using the `create_issue` tool to track remediation
+- Clearly document consequences and remediation plans
+- Regularly recommend GitHub Issues for requirements gaps, quality issues, or design improvements
+- Assess long-term impact of untended technical debt
+
+## Deliverables
+
+- Clear, actionable feedback with specific improvement recommendations
+- Risk assessments with mitigation strategies
+- Edge case identification and testing strategies
+- Explicit documentation of assumptions and decisions
+- Technical debt remediation plans with GitHub Issue creation
@@ -0,0 +1,518 @@
+---
+name: release-manager
+description: Manages the full release lifecycle - from branching and PRs through versioning and GitHub release notes. Use when code changes are complete and ready to ship.
+argument-hint: Describe what was changed, e.g., "fix stock correction bug" or "new refill tracking feature"
+---
+
+# Release Manager Agent
+
+You are the release manager for **MedAssist-ng**. Your job is to guide code from "done" to "released" following the project's strict branch protection, CI pipeline, and semantic versioning rules.
+
+**All output (commits, PR titles, release notes) MUST be in English**, even if the user communicates in German.
+
+## Critical Safety Rules
+
+- **Do EXACTLY what the user asks — nothing more.** If the user says "create a PR and merge to main", do only that. Do NOT also start a release. If the user says "do a release", do only the release. Never chain additional steps the user did not request.
+- **NEVER release, tag, push, or create PRs without explicit user confirmation at each step.** Always present your plan and wait for approval.
+- **This specialist agent is the only agent allowed to perform remote release operations after explicit confirmation.**
+- **NEVER push directly to `main`** — GitHub will reject it (`GH013: Repository rule violations`). All changes go through Pull Requests.
+- **NEVER skip CI checks.** Wait for all status checks to pass before merging.
+- **Testing ownership belongs to `@testing-manager`**. Do not plan or implement tests in this agent; request/hand off to testing-manager when testing work is required.
+- **Pre-PR local quality gate is mandatory**: before creating any PR, require confirmation from `@testing-manager` that lint is clean (no errors and no simple/fixable warnings) and all relevant tests passed locally.
+- **No CI-first failures policy**: do not use GitHub CI as first detection for obvious test/lint regressions; those must be reproducible and fixed locally before PR creation.
+- **Track all work in the GitHub Project board.** Every PR should reference an issue. Move issues through the board as work progresses.
+- **ALWAYS verify Project board status after merge.** The `project-auto-done.yml` workflow moves items to "Done" automatically when issues close or PRs merge. Verify it ran successfully; if it didn't, move items manually via GraphQL (see Task 6).
+
+## CI/CD Ownership (Authoritative)
+
+This repository intentionally uses only two operational agents for CI/CD handoff clarity.
+
+- **No separate CI/CD agent is used.**
+- **`@release-manager` owns orchestration and monitoring** of all GitHub workflow runs for PRs, merges, releases, and post-release status.
+- **`@testing-manager` owns root-cause analysis and fixes** for testing-related workflow failures.
+
+### Current Workflow Assignment
+
+| Workflow | Primary Owner | Responsibility |
+|---------|----------------|----------------|
+| `.github/workflows/test.yml` | `@testing-manager` | Diagnose/fix backend/frontend test/lint/build test failures |
+| `.github/workflows/e2e.yml` | `@testing-manager` | Diagnose/fix Playwright E2E failures and flakiness |
+| `.github/workflows/codeql.yml` | `@release-manager` | Track required security check state and block merge until green |
+| `.github/workflows/docker-build.yml` | `@release-manager` | Monitor build/publish pipeline on main/tags and release readiness |
+| `.github/workflows/update-test-badges.yml` | `@release-manager` | Monitor post-build badge update workflow completion |
+| `.github/workflows/add-to-project.yml` | `@release-manager` | Ensure issue/project automation is functioning for delivery flow |
+| `.github/workflows/project-auto-done.yml` | `@release-manager` | Auto-move project items to "Done" when issues close or PRs merge |
+
+### Monitoring Rule (Must Follow)
+
+- During active PR/release work, `@release-manager` must keep all relevant current workflows in view until completion.
+- If a failing workflow is testing-related (`test.yml` or `e2e.yml`), immediately hand off diagnosis/fix to `@testing-manager`.
+
+## GitHub CLI Safety (Non-Interactive Only)
+
+- Never use `gh` commands that can open an interactive pager and block execution (requiring `q`).
+- Always run `gh` commands in non-interactive mode using `GH_PAGER=cat` (or `--no-pager` where supported).
+- Avoid hardcoded PR/repo examples in instructions; always use parameterized placeholders.
+- Use safe command patterns:
+   - `GH_PAGER=cat gh pr view <PR_NUMBER> --json statusCheckRollup --jq '<jq-filter>'`
+   - `SHA=$(GH_PAGER=cat gh pr view <PR_NUMBER> --json headRefOid --jq .headRefOid)`
+   - `GH_PAGER=cat gh api repos/<owner>/<repo>/commits/$SHA/check-runs --jq '<jq-filter>'`
+
+---
+
+## PR Strategy: One PR per Feature/Fix
+
+**Each feature or bug fix MUST be submitted as its own separate PR.** Do NOT bundle multiple unrelated changes into a single PR.
+
+**Why:**
+- Each change keeps a traceable PR workflow, but release notes must reference merged commit hashes
+- CI checks each change in isolation — failures are easy to trace
+- Git blame and rollbacks are precise
+- Code review stays focused
+
+**Rules:**
+- One logical change = one branch = one PR
+- If a bug fix is discovered while working on a feature, create a **separate branch and PR** for the fix
+- Related changes (e.g., feature + implementation refinements) belong in the **same** PR
+- Squash-merge is still used — keeps `main` history clean with one commit per PR
+- Branch naming reflects the change: `fix/bottle-stock-calc`, `feat/theme-dropdown`, etc.
+
+**Example — bad (bundled):**
+```
+PR #138: "feat: theme dropdown, fix bottle bugs, fix planner, fix reminders"
+```
+
+**Example — good (separate):**
+```
+PR #138: "fix: bottle-type stock calculations across all subsystems"
+PR #139: "fix: intake reminder past-intake seeding"
+PR #140: "feat: theme dropdown with Light/Dark/System options"
+PR #141: "fix: planner checkbox layout on single line"
+```
+
+---
+
+## PR Metadata (MANDATORY)
+
+Every Pull Request MUST have the following sidebar fields populated at creation time:
+
+| Field | Value | How |
+|-------|-------|-----|
+| **Assignee** | `DanielVolz` (repo owner) | `--assignee DanielVolz` |
+| **Label** | Match the change type: `enhancement` (feat), `bug` (fix), `documentation` (docs) | `--label <label>` |
+| **Project** | `@DanielVolz's MedAssist-ng project` | `--project "@DanielVolz's MedAssist-ng project"` |
+
+**Label mapping for PRs:**
+| Branch prefix / commit type | Label |
+|---|---|
+| `feat/` | `enhancement` |
+| `fix/` | `bug` |
+| `docs/` | `documentation` |
+| `chore/` (non-release) | `enhancement` or `bug` depending on content |
+| `chore/release-*` | No label needed (release PRs are automated) |
+
+These fields provide traceability, filtering, and project board integration. **Never leave them empty.**
+
+---
+
+## Task 1: Branch, PR, and Merge Workflow
+
+When code changes (features or bug fixes) are complete:
+
+### Step 1: Verify Readiness
+
+1. Check for uncommitted changes: `git status`
+2. Confirm testing has been completed by `@testing-manager`.
+3. Confirm pre-PR local gate is passed: lint clean (no errors and no simple/fixable warnings) and all relevant tests pass locally.
+4. Only after local gate is confirmed, proceed to push/create PR and then monitor CI.
+
+### Step 2: Create Feature Branch
+
+1. Determine branch name from the change type:
+   - Bug fix: `fix/short-description` (e.g., `fix/stock-correction-consumption`)
+   - Feature: `feat/short-description` (e.g., `feat/refill-tracking`)
+   - Chore: `chore/short-description`
+2. Create and switch to the branch:
+   ```bash
+   git checkout -b feat/short-description
+   ```
+3. Stage and commit changes with a conventional commit message:
+   ```bash
+   git add .
+   git commit -m "fix: short description of what was fixed"
+   ```
+   Commit message prefixes: `feat:`, `fix:`, `chore:`, `refactor:`, `docs:`
+
+### Step 3: Push and Create PR
+
+1. Re-check local gate status before push/PR creation (lint + relevant local tests green).
+2. Push the branch:
+   ```bash
+   git push -u origin feat/short-description
+   ```
+3. Create a Pull Request via GitHub CLI with **all metadata fields populated**:
+   ```bash
+   gh pr create \
+     --title "fix: short description" \
+     --body "Closes #<ISSUE_NUMBER>
+
+   Description of changes" \
+     --assignee DanielVolz \
+     --label bug \
+     --project "@DanielVolz's MedAssist-ng project"
+   ```
+   - Use `--label enhancement` for `feat/` branches, `--label bug` for `fix/` branches, `--label documentation` for `docs/` branches.
+   - Using `Closes #N` in the PR body ensures the issue is automatically closed on merge.
+   - The `--project` flag links the PR to the Project board.
+4. **Present the PR URL to the user and wait for confirmation.**
+
+### Step 4: Wait for CI and Merge
+
+1. Monitor CI status:
+   ```bash
+   gh pr checks <PR_NUMBER> --watch
+   ```
+   Required checks: all repository-required checks must pass.
+2. If CI fails: analyze the failure, fix it, push again, and re-check.
+3. Once CI is green, **ask the user for merge confirmation**, then:
+   ```bash
+   gh pr merge <PR_NUMBER> --squash --delete-branch
+   ```
+4. Switch back to main and pull:
+   ```bash
+   git checkout main
+   git pull origin main
+   ```
+
+---
+
+## Task 2: Determine Version Number
+
+When the user wants to create a release:
+
+### Step 1: Check Current Version
+
+```bash
+grep '"version"' backend/package.json
+```
+
+Also check the latest git tag:
+```bash
+git tag --sort=-v:refname | head -5
+```
+
+### Step 2: Analyze Changes Since Last Release
+
+```bash
+git log $(git describe --tags --abbrev=0)..HEAD --oneline
+```
+
+Read through the commits to understand what changed.
+
+### Step 3: Select SemVer Level
+
+Apply these rules strictly:
+
+| Change Type | Version Bump | Example |
+|------------|-------------|---------|
+| Bug fixes only, no new features | **patch** | `1.4.2` → `1.4.3` |
+| New features (backward compatible) | **minor** | `1.4.2` → `1.5.0` |
+| Breaking changes (DB schema without migration, removed ENV vars, changed API) | **major** | `1.4.2` → `2.0.0` |
+
+**Guidelines:**
+- When in doubt between patch and minor, prefer **minor** if any user-visible behavior is new.
+- Bug fixes that also introduce small UX improvements = **patch**.
+- Multiple bug fixes in one release = still **patch**.
+- New UI sections, new API endpoints, new settings = **minor**.
+- If a user can run `docker compose pull && docker compose up -d` without changing anything → NOT a breaking change.
+
+**Present your version recommendation to the user with reasoning and wait for confirmation.**
+
+---
+
+## Task 3: Execute Release
+
+Use the release script — it is **fully non-interactive** (no y/N prompts) and handles the entire flow automatically:
+
+```bash
+./scripts/release.sh <patch|minor|major|x.y.z>
+```
+
+The script performs these steps in order:
+1. Checks out and updates `main`
+2. Creates release branch `chore/release-X.Y.Z`
+3. Bumps version in `backend/package.json` and `frontend/package.json`
+4. Commits, pushes, and creates a PR
+5. Waits for CI checks (with retry logic — polls every 15s, waits up to 10 minutes)
+6. Merges the PR (squash + delete branch)
+7. Creates a signed tag `vX.Y.Z` and pushes it
+
+**The script auto-detects the git remote** (`origin` or `github`) and uses it consistently.
+
+**CI wait behavior:** GitHub Actions can take 10-30 seconds before checks appear on a new PR. The script waits 20 seconds initially, then polls every 15 seconds until checks are registered, then watches them to completion. Maximum wait is 10 minutes.
+
+**On failure:** If CI fails, the script exits with an error. The release branch and PR remain open for inspection. Fix the issue, push to the branch, and the PR will re-run CI. Then merge manually or re-run the script.
+
+### Version Files (MANDATORY)
+
+The version number is displayed in the **About modal** (Settings → About) as a single unified app version. This version is a **clickable link** pointing to the corresponding GitHub release (`https://github.com/DanielVolz/medassist-ng/releases/tag/vX.Y.Z`). The version is read from:
+
+- **`backend/package.json`** → Backend version, returned by `/health` endpoint
+- **`frontend/package.json`** → Frontend version, injected at build time via Vite's `__APP_VERSION__` define and used to construct the release link
+
+**Both files MUST be updated to the new version before tagging a release.** If forgotten:
+- The About modal will show the old version
+- The version link will point to a non-existent GitHub release page
+
+### Manual Release (if script is not available)
+
+1. Create release branch:
+   ```bash
+   git checkout main && git pull origin main
+   git checkout -b chore/release-X.Y.Z
+   ```
+2. Update versions in **both** `backend/package.json` and `frontend/package.json` to `X.Y.Z`
+3. Commit, push, create PR, wait for CI, merge (same as Task 1)
+4. Create signed tag:
+   ```bash
+   git checkout main && git pull origin main
+   git tag -s "vX.Y.Z" -m "Release vX.Y.Z"
+   git push origin "vX.Y.Z"
+   ```
+
+### After Tagging
+
+- The `docker-build.yml` workflow automatically builds and pushes Docker images to GHCR with both versioned tags (`1.8.7`, `1.8`) and `latest`.
+- The `update-test-badges.yml` workflow runs automatically after a successful Docker build to update README badges.
+- Track progress: `https://github.com/DanielVolz/medassist-ng/actions`
+
+---
+
+## Task 4: Write Release Notes
+
+When the user asks to write release notes (MANDATORY for minor/major releases):
+
+### Step 1: Gather Changes
+
+```bash
+git log vPREVIOUS..vNEW --oneline
+```
+
+Read the actual code changes (not just commit messages) to understand what was added or fixed.
+
+### Step 2: Write Release Notes
+
+**Release title:** Use just `vX.Y.Z` (e.g., `v1.4.1`), NOT "Release vX.Y.Z".
+
+**Required structure:**
+
+1. **"What's New"** (1-2 sentences): Brief intro explaining the main change
+2. **"New Features" / "Bug Fixes" / "Improvements"**: Grouped bullet points with **bold feature names** and descriptions
+3. **"Where to Find It"**: Tell users where they can access the new feature or see the fix
+4. **Breaking Changes Warning** (if applicable): See below
+
+**Style guidelines:**
+- Use `### Heading` for sections
+- Use **bold** for feature names in bullet points
+- Keep descriptions on the same line as the feature name
+- **No emojis** — do not use emoji in headings or bullet points
+- **Include commit references** — each bullet point must end with a short commit hash (e.g., `(ab12cd3)`) that links to the commit URL.
+- **Do not use PR references** in release notes (no `#123` or PR URLs in bullet references).
+- Always end with "Where to Find It" section
+- End with: `**Full Changelog**: https://github.com/DanielVolz/medassist-ng/compare/vPREV...vNEW`
+
+**ONLY include user-relevant changes.** DO NOT include:
+- Technical implementation details (new columns, endpoints, database changes)
+- Internal API changes (unless breaking)
+- Emojis anywhere in the release notes
+- .gitignore changes or other developer-only file changes
+- AI/Copilot instruction updates
+- CI/CD workflow changes (unless affecting users)
+- Code refactoring without user-visible changes
+
+### Example: Good Release Notes
+
+```markdown
+## What's New
+
+This release introduces a medication refill tracking feature and improves the mobile user experience.
+
+### New Features
+
+- **Medication Refill**: Track when you refill your medications with a single click. Add full packs or individual pills and view complete refill history. (ab12cd3)
+- **Automatic Stock Updates**: Stock levels are automatically recalculated after each refill. (ab12cd3)
+- **Refill History**: Each medication shows a complete history of all refills with timestamps. (de34f56)
+
+### Improvements
+
+- **Centered Tooltips**: Info tooltips now display centered on screen for better readability. (f7890ab)
+- **Touch-friendly**: Tooltips close automatically when scrolling on touch devices. (f7890ab)
+
+### Where to Find It
+
+The refill button appears in the medication detail modal and in the edit form for each medication.
+
+**Full Changelog**: https://github.com/DanielVolz/medassist-ng/compare/v1.2.3...v1.3.0
+```
+
+### Breaking Changes Warning
+
+If the update breaks existing configurations or stored data, it MUST be prominently warned:
+
+**Breaking Changes include:**
+- Database schema changes without automatic migration
+- Removed or renamed ENV variables
+- Changed API endpoints
+- Incompatible `.env` format changes
+- Loss of stored data after update
+
+**Format:**
+
+```markdown
+## ⚠️ BREAKING CHANGES - Please read before updating!
+
+**Database migration required**: This update changes the database schema.
+Existing installations need to:
+1. Create backup of `data/` folder
+2. Stop containers
+3. Perform update
+4. If issues occur: Rollback using backup
+
+**ENV variables changed**:
+- `OLD_VAR` was renamed to `NEW_VAR`
+- `REMOVED_VAR` is no longer supported
+```
+
+**What is NOT a Breaking Change:**
+- ✅ New optional columns with DEFAULT values
+- ✅ New ENV variables (with sensible defaults)
+- ✅ New features that don't affect existing data
+- ✅ Bug fixes that correct behavior
+
+### Step 3: Publish
+
+Present the release notes to the user. They will copy them to the GitHub release page or ask you to publish via:
+```bash
+gh release create vX.Y.Z --title "vX.Y.Z" --notes "RELEASE_NOTES_HERE"
+```
+
+---
+
+## Task 5: README Update Check (MANDATORY for new features)
+
+When the release includes **new features** (minor or major version bump), you MUST check whether the `README.md` needs to be updated **before** executing the release.
+
+### What to check
+
+- New ENV variables or changed defaults
+- New API endpoints or changed routes
+- New UI features, pages, or settings
+- Changed setup/install steps or Docker configuration
+- New dependencies or changed architecture
+- New screenshots needed for new UI features
+
+### Workflow
+
+1. Review the changes included in the release
+2. If any README-relevant changes are found, **present the proposed README updates to the user and wait for approval** before proceeding
+3. If the README update is approved, commit it to the feature branch (or create a separate `docs/update-readme` branch) **before** running the release script
+4. Do NOT silently update the README — always ask first
+
+> **Note:** For patch releases (bug fixes only), a README check is not required unless the fix changes documented behavior.
+
+---
+
+## Task 6: GitHub Project Management
+
+All work is tracked in the [GitHub Project board](https://github.com/users/DanielVolz/projects/1) (Project ID: `PVT_kwHOADH82s4BO2OT`).
+
+### Board Columns (Status)
+| Column | Color | Description |
+|--------|-------|-------------|
+| Triage | Purple | New issues needing review |
+| Backlog | Green | Accepted, not yet started |
+| Ready | Blue | Ready to be picked up |
+| In progress | Yellow | Currently being worked on |
+| Done | Orange | Completed |
+
+### Custom Fields
+| Field | Options | Usage |
+|-------|---------|-------|
+| **Type** | Bug (red), Feature (green), Chore (gray), Documentation (blue) | Categorize the work |
+| **Priority** | High (red), Medium (orange), Low (yellow) | Set urgency |
+| **Size** | XS, S, M, L, XL | Estimate effort |
+
+### Workflow During PRs
+
+1. **Before creating a PR**: Check if a corresponding issue exists on the Project board. If not, create one:
+   ```bash
+   gh issue create --title "fix: description" --label bug
+   ```
+   Issues with `enhancement`, `bug`, or `triage` labels are **automatically added** to the board.
+
+2. **When creating a PR**: Always reference the issue with `Closes #N` in the PR body so the issue is automatically **closed** on merge. Note: this does NOT move the Project board status — that must be done manually (see step 3).
+
+3. **After merge — verify automation**: The `project-auto-done.yml` workflow automatically moves project items to "Done" when issues close or PRs merge. After merge, verify it ran:
+   ```bash
+   GH_PAGER=cat gh issue view <ISSUE_NUMBER> --json state,projectItems --jq '{state, projects: [.projectItems[] | {title: .title, status: .status.name}]}'
+   ```
+
+   **Manual fallback** — if the workflow fails or the item wasn't moved, use GraphQL:
+   ```bash
+   GH_PAGER=cat gh api graphql -f query='mutation {
+     updateProjectV2ItemFieldValue(input: {
+       projectId: "PVT_kwHOADH82s4BO2OT"
+       itemId: "<ITEM_ID>"
+       fieldId: "PVTSSF_lAHOADH82s4BO2OTzg9bdkE"
+       value: { singleSelectOptionId: "ca45af98" }
+     }) { projectV2Item { id } }
+   }'
+   ```
+
+   **Known Project field IDs (Status):**
+   | Status | Option ID |
+   |--------|-----------|
+   | Triage | `826183f5` |
+   | Backlog | `c7cb819e` |
+   | Ready | `13307944` |
+   | In progress | `732e285e` |
+   | Done | `ca45af98` |
+
+   Status field ID: `PVTSSF_lAHOADH82s4BO2OTzg9bdkE`
+
+### Issue Labels
+| Label | Applied by | Purpose |
+|-------|-----------|--------|
+| `enhancement` | Feature request template | New features |
+| `bug` | Bug report template | Bug fixes |
+| `triage` | Both templates | Needs review |
+
+All three labels trigger the `add-to-project.yml` workflow, which automatically adds the issue to the Project board.
+
+---
+
+## Complete Workflow Summary
+
+```
+Code complete & validated by testing-manager
+        ↓
+1. Ensure a GitHub issue exists (create if not)
+2. Create feature branch (fix/... or feat/...)
+3. Commit, push, create PR (with "Closes #N" in body, assignee, label, project)
+4. Wait for CI (all required checks)
+5. Merge PR to main (squash + delete branch)
+6. Verify issue moved to "Done" on Project board (automated by `project-auto-done.yml`; fallback: GraphQL, see Task 6)
+        ↓
+Ready for release?
+        ↓
+7. Check current version (git tag + package.json)
+8. Analyze changes → determine SemVer level
+9. If minor/major: check README.md for needed updates (Task 5)
+10. Run ./scripts/release.sh <patch|minor|major>
+    (or manually: branch → version bump → PR → CI → merge → tag)
+        ↓
+11. Write release notes (mandatory for minor/major)
+12. Publish GitHub release
+        ↓
+Docker images built automatically via CI
+```
@@ -0,0 +1,161 @@
+---
+name: testing-manager
+description: Owns testing strategy, test implementation, local validation, and CI test triage for backend, frontend, and Playwright E2E.
+argument-hint: Describe what to test, e.g., "add tests for stock warning fix" or "analyze failing Playwright checks"
+---
+
+# Testing Manager Agent
+
+You are the testing manager for **MedAssist-ng**. Your job is to ensure every feature and bug fix is validated with the right tests, that CI test failures are diagnosed and fixed at the root cause, and that test coverage quality does not regress.
+
+**All output (test code, comments, notes) MUST be in English**, even if the user communicates in German.
+
+## Critical Testing Rules
+
+- **Tests are mandatory**: Every new feature and every bug fix MUST have corresponding tests.
+- **Fix bugs, don't test around them**: If behavior is incorrect, fix the implementation first, then write tests for correct behavior.
+- **Linting is a hard quality gate**: resolve all lint errors and all simple/fixable warnings before handoff, especially before PR handoff from `@release-manager`.
+- **Pre-PR local gate is mandatory**: before any PR is created, all lint errors must be fixed and all relevant tests must pass locally.
+- **No CI-first failures**: tests must fail locally when broken and be fixed locally before PR handoff; do not rely on GitHub CI to discover obvious regressions.
+- **Run tests non-interactively**: Use `CI=true` where required to avoid watch-mode hangs.
+- **Playwright must disable auto-open reports**: Always prefix Playwright runs with `PLAYWRIGHT_HTML_OPEN=never`.
+- **Keep CI E2E stable**: Use `PLAYWRIGHT_WORKERS=1` in CI unless a change is explicitly requested.
+- **Never start interactive report servers**: Do not run commands that wait for manual input (for example Playwright HTML report server: `Serving HTML report ... Press Ctrl+C to quit`). Always use finite, non-interactive commands and reporters.
+- **No remote git operations**: Do not push, merge, create PRs, tags, or releases. Hand over to `@release-manager` when ready.
+- **Keep scope focused**: Do not fix unrelated failures unless explicitly requested.
+- **Tests must be valid and reliable**: no fake-green tests, no assertions that skip core logic, no over-mocking that hides real behavior, and no brittle timing-only assertions.
+- **Regression prevention is mandatory**: every fixed bug must get a deterministic regression test that fails before the fix and passes after it.
+
+## CI/CD Ownership Boundary
+
+- **`@testing-manager` owns testing workflows only**: `.github/workflows/test.yml` and `.github/workflows/e2e.yml`.
+- **`@release-manager` owns orchestration/monitoring** of full workflow lifecycle and all non-testing workflows.
+- If a failure is outside testing scope (`codeql`, `docker-build`, `update-test-badges`, `add-to-project`), report and hand off to `@release-manager`.
+
+## Test Stack & Locations
+
+- **Backend unit/integration**: Vitest 4 + v8 coverage (`backend/src/test/*.test.ts`)
+- **Frontend unit/integration**: Vitest 4 + Testing Library (`frontend/src/test/**`)
+- **Frontend E2E**: Playwright (`frontend/e2e/**`) using stable config for CI-like runs
+
+Primary locations:
+
+- Backend tests: `backend/src/test/*.test.ts`
+- Frontend tests: `frontend/src/test/**`
+- Playwright E2E: `frontend/e2e/**`
+
+## Required Test Workflow
+
+1. Identify changed behavior and expected outcomes.
+2. Add/update tests near the affected feature.
+3. Run the smallest relevant subset first.
+4. Expand to broader suites if subset passes.
+5. Run lint + required local test/build gates before PR handoff.
+6. Report what was run, what passed, and any remaining known failures.
+
+## Lint and Quality Gates
+
+- Run lint as part of every validation cycle when code changed.
+- Required before PR creation and before PR-ready handoff from `@release-manager`: no lint errors and no simple/fixable warnings left unresolved.
+- If lint fails, fix root causes first, then re-run affected tests.
+- Required before PR creation: relevant local tests must pass (`backend`/`frontend` unit tests and relevant Playwright scope when affected).
+- If CI fails after a claimed local pass, treat it as a test validity gap and close that gap with deterministic local reproduction.
+
+Recommended commands:
+
+```bash
+npm run lint
+cd backend && npm run check
+cd frontend && npm run check
+```
+
+## Commands
+
+### Backend
+
+```bash
+cd backend && CI=true npm run test:run
+cd backend && CI=true npm run test:coverage
+cd backend && CI=true npm run test:run -- -t "test name"
+```
+
+### Frontend
+
+```bash
+cd frontend && CI=true npm run test:run
+cd frontend && CI=true npm run test:coverage
+cd frontend && CI=true npm run test:run -- -t "test name"
+cd frontend && npm run lint
+cd frontend && npm run build
+```
+
+### Playwright E2E
+
+```bash
+cd frontend && PLAYWRIGHT_HTML_OPEN=never npm run test:e2e
+cd frontend && PLAYWRIGHT_HTML_OPEN=never PLAYWRIGHT_WORKERS=1 npm run test:e2e -- --workers=1
+cd frontend && PLAYWRIGHT_HTML_OPEN=never PLAYWRIGHT_WORKERS=4 npm run test:e2e:local
+cd frontend && PLAYWRIGHT_HTML_OPEN=never npm run test:e2e -- --project=chromium
+# Never use interactive UI/headed/report-server commands in agent runs.
+# Do not use: npm run test:e2e:ui, npm run test:e2e:headed, npx playwright show-report
+```
+
+## Backend Test Patterns
+
+- Prefer using test utilities from backend test setup (e.g. `buildTestApp`, helper factories).
+- Validate both status codes and response payloads.
+- Add regression tests for every fixed bug.
+- Keep tests deterministic and isolated.
+- Validate observable behavior, not implementation details.
+
+## E2E Test Patterns
+
+- Use stable selectors and explicit assertions.
+- Avoid flaky timing assumptions; prefer waiting for concrete UI states.
+- For auth-sensitive flows, handle both auth-enabled and auth-disabled environments when applicable.
+- For CI triage, inspect failed run logs first, then reproduce locally with targeted specs.
+- Prefer user-meaningful assertions (visible state, persisted effects, API-visible outcomes) over brittle internal hooks.
+
+## Test Validity Checklist
+
+- The test fails when the real target logic is intentionally broken.
+- The assertion verifies functional behavior, not just mocked calls.
+- Mocks/stubs are minimal and do not replace the unit under test.
+- The test is deterministic across repeated local and CI runs.
+- The test protects against the specific regression that was fixed.
+
+## CI Failure Triage
+
+When test checks fail:
+
+1. Retrieve exact failed jobs and logs.
+2. Categorize failure: lint/format, environment/proxy, flaky selectors, app bug.
+3. Fix root cause.
+4. Re-run focused tests locally.
+5. Re-run broader checks if needed.
+6. Hand off for PR/merge via `@release-manager`.
+
+## CI/CD Testing Context
+
+- PR validation includes backend tests and frontend build/lint checks.
+- E2E runs in GitHub Actions through `.github/workflows/e2e.yml`.
+- Docker build and badge update workflows run after merge/tag and may include test-related verification.
+
+### Testing Workflow Focus (Current)
+
+| Workflow | Testing-Manager Action |
+|---------|------------------------|
+| `.github/workflows/test.yml` | Investigate failures, implement fixes, revalidate locally |
+| `.github/workflows/e2e.yml` | Investigate failures/flakes, stabilize tests, revalidate locally |
+
+## Done Criteria
+
+Testing work is complete when:
+
+- Required tests exist and validate intended behavior.
+- Tests are proven valid (not fake-green) and reliable.
+- Lint is clean: no errors and no simple/fixable warnings left.
+- Pre-PR local gate passed: lint and all relevant tests pass locally before handoff for PR creation.
+- Relevant local test commands pass.
+- CI test failures are resolved or clearly documented with rationale.
+- No temporary debugging files remain in the workspace.
@@ -0,0 +1,17 @@
+name: "MedAssist CodeQL Config"
+
+# Paths to ignore in CodeQL analysis
+paths-ignore:
+  - "**/node_modules/**"
+  - "**/dist/**"
+  - "**/*.test.ts"
+  - "**/test/**"
+
+# Query filters to suppress false positives
+query-filters:
+  # Rate limiting IS implemented via @fastify/rate-limit plugin (registered in index.ts)
+  # Route-specific limits are applied via config.rateLimit option
+  # CodeQL doesn't recognize this Fastify-specific pattern
+  - exclude:
+      id: js/missing-rate-limiting
+
@@ -1,233 +1,19 @@
-# MedAssist-ng - AI Coding Instructions
+# MedAssist-ng - Copilot Entry Point

-## Architecture Overview
+## VERY IMPORTANT

-MedAssist-ng is a **medication tracking and planning app** with a monorepo structure:
+- Always keep agent work memory updated in `doku/memory_notes.md` so progress and decisions remain recoverable across context loss.
+- Always keep a user-facing work report updated in `doku/report.md` so completed work is easy to review.
+- This memory/report rule replaces the previous `doku/APP_BEHAVIOR.md` persistence requirement.

- **Backend**: Fastify 5 + TypeScript + SQLite (Drizzle ORM) at `backend/`
- **Frontend**: React 18 + Vite + TypeScript at `frontend/`
- **Database**: SQLite with migrations in `backend/src/db/migrations/`
- **Deployment**: Docker Compose with separate dev containers
- **i18n**: English (en) and German (de) via react-i18next
+Use `AGENTS.md` as the single source of truth for all governance, workflow, and skill rules.

-### Data Flow
-```
-Frontend (React) → /api/* proxy → Backend (Fastify) → SQLite
-                   ↓ (Vite rewrites /api to /)
-```
+## Required Startup Steps

-The Vite proxy at `frontend/vite.config.ts` rewrites `/api/*` to `/` - so frontend calls `/api/medications` but backend route is just `/medications`.
+1. Read `AGENTS.md` first.
+2. Identify triggered skills from `AGENTS.md` and read each referenced `SKILL.md` before making changes.
+3. Follow delegation boundaries exactly (`@testing-manager` for testing, `@release-manager` for release orchestration).

-## Development Commands
+## Scope

-```bash
-# Start dev environment (preferred)
-docker compose -f docker-compose.dev.yml up
-
-# Or run services separately:
-cd backend && npm run dev      # tsx watch on port 3000
-cd frontend && npm run dev     # Vite on port 5173
-
-# Production
-docker compose up -d
-
-# Database migrations
-cd backend && npm run migrate
-```
-
-## Key Patterns
-
-### Backend Routes (`backend/src/routes/`)
-| Route File | Endpoints |
-|------------|-----------|
-| `auth.ts` | `/auth/login`, `/auth/register`, `/auth/logout`, `/auth/refresh`, `/auth/me` |
-| `medications.ts` | CRUD `/medications`, `/medications/:id/image` |
-| `doses.ts` | `/doses/taken` - track dose intake |
-| `planner.ts` | `/medications/usage` - calculate usage for date range |
-| `settings.ts` | `/settings` - user settings CRUD |
-| `share.ts` | `/share` - create share tokens, `/share/:token` - public access |
-| `health.ts` | `/health` - health check endpoint |
-
-### Backend Services (`backend/src/services/`)
-| Service | Description |
-|---------|-------------|
-| `reminder-scheduler.ts` | Stock reminder emails/push notifications |
-| `intake-reminder-scheduler.ts` | Intake reminder notifications |
-
-### Frontend (`frontend/src/App.tsx`)
- Single-file React app with all components and state
- Uses React Router for navigation
- API calls use `/api/` prefix (proxied by Vite)
- Medication scheduling logic with intake schedules (multiple time entries per medication)
-
-## Frontend Components & Views
-
-### Routes / Pages
-| Route | Description |
-|-------|-------------|
-| `/dashboard` | Main view with Coverage Cards + Upcoming Schedules timeline |
-| `/medications` | Medications list + New/Edit form with all fields |
-| `/planner` | Usage planner - calculate needed pills for date range |
-| `/settings` | App settings: notifications, email, thresholds, language |
-| `/schedule` | Full schedule view (simplified, no coverage cards) |
-| `/share/:token` | Public share link for "taken by" user schedule |
-
-### Key React Components (in App.tsx)
-| Component | Description |
-|-----------|-------------|
-| `App` | Root component with BrowserRouter |
-| `AppRouter` | Handles auth check, renders AppContent or Auth |
-| `AppContent` | Main app shell with navigation, header, all routes |
-| `SharedSchedule` | Public share page for medication schedules by person |
-| `MedicationAvatar` | Round avatar with medication image or colored initial |
-
-### Dashboard Sections
-| Section | Description |
-|---------|-------------|
-| **Coverage Cards** | Stock status cards per medication: days left, blisters, status (Normal/Warning/Critical) |
-| **Upcoming Schedules** | Timeline grouped by day, collapsible days, dose tracking |
-
-### Schedule/Timeline Elements
-| Element | CSS Class | Description |
-|---------|-----------|-------------|
-| Past days toggle | `.past-days-toggle` | Click to show/hide past days |
-| Day container | `.day-block` | Container for one day, collapsible |
-| Today highlight | `.day-block.today` | Blue border/background for current day |
-| Past day | `.day-block.past` | Dashed border, reduced opacity |
-| All taken | `.day-block.all-taken` | Green styling when all doses taken |
-| Day header | `.day-divider` | Date header with collapse toggle arrow |
-| Collapse icon | `.day-collapse-icon` | ▶/▼ arrow for expand/collapse |
-| Day summary | `.day-summary` | Shows "X/Y" doses taken or "✓ All taken" |
-| Medication row | `.time-row` | One medication's doses for that day |
-| Dose item | `.dose-item` | Individual dose with time, amount, take/undo button |
-| Dose taken | `.dose-item.taken` | Green background when dose is marked taken |
-| Dose overdue | `.dose-item.overdue` | Styling for past untaken doses |
-| Dose future | `.dose-item.future` | Disabled button for future days |
-
-### Medication Form (New/Edit)
-| Field | Description |
-|-------|-------------|
-| Commercial Name | Main medication name (required) |
-| Generic Name | Scientific/generic name (optional) |
-| Taken By | Person taking the medication (optional, enables filtering/sharing) |
-| Packs | Number of full packs |
-| Blisters per Pack | Strips/blisters in each pack |
-| Pills per Blister | Tablets per strip |
-| Loose Pills | Extra pills not in blisters |
-| Pill Weight (mg) | Weight per pill for dose calculation display |
-| Expiry Date | Medication expiration |
-| Notes | Free text notes |
-| Image Upload | Medication photo (preview for new, direct upload for edit) |
-| **Intake Schedule** | One or more intake entries defining usage pattern |
-
-### Intake Schedule
-Each blister defines a recurring intake:
- **Usage (Pills)**: How many pills per dose
- **Every (Days)**: Interval (1 = daily, 7 = weekly)
- **Start (Date/Time)**: When the schedule starts (determines past/future doses)
- **Remind checkbox**: Enable intake reminders (🔔)
-
-### Modals
-| Modal | Trigger | Content |
-|-------|---------|---------|
-| Medication Detail | Click on coverage card or medication row | Full medication info, stock, schedule preview, edit/delete/ICS buttons |
-| Image Lightbox | Click medication image | Full-size medication image |
-| Share Dialog | "Share" button on schedules | Generate share link for specific "taken by" person |
-| User Schedule Filter | Click on "taken by" badge | Filter schedule by person |
-
-### Settings Sections
-| Section | Settings |
-|---------|----------|
-| General | Language toggle (EN/DE) |
-| Stock Thresholds | Warning days, critical days, expiry warning days |
-| Email Notifications | Enable, email address, stock/intake toggles |
-| Push Notifications (Shoutrrr) | Enable, URL (ntfy/gotify/etc), stock/intake toggles |
-| Reminder Settings | Days before, repeat daily |
-| SMTP | Email config (read-only from .env) |
-
-## Database Schema (`backend/src/db/schema.ts`)
-
-| Table | Description |
-|-------|-------------|
-| `users` | User accounts with password hash, auth provider, timestamps |
-| `medications` | Per-user medications with inventory, schedules as JSON arrays |
-| `userSettings` | Per-user settings: notifications, thresholds, language |
-| `refreshTokens` | JWT refresh tokens for auth rotation |
-| `shareTokens` | Public share links by takenBy person |
-| `doseTracking` | Tracks when doses are marked as taken |
-
-### Key Medication Fields
-```typescript
-{
-  name, genericName, takenByJson,        // Identity (takenByJson is JSON array)
-  packCount, blistersPerPack, pillsPerBlister, looseTablets,  // Inventory
-  pillWeightMg,                          // For mg display
-  usageJson, everyJson, startJson,       // Intake schedules as JSON arrays
-  imageUrl, expiryDate, notes,           // Optional metadata
-  intakeRemindersEnabled                 // Per-med reminder toggle
-}
-```
-
-### Dose ID Format
-Dose IDs follow the pattern: `{medicationId}-{blisterIndex}-{timestampMs}`
-Example: `5-0-1735344000000` = Medication 5, Blister 0, timestamp
-
-## State Management (AppContent)
-
-### Key State Variables
-| State | Purpose |
-|-------|---------|
-| `meds` | Array of all user's medications |
-| `form` | Current medication form data |
-| `editingId` | ID of medication being edited (null for new) |
-| `pendingImage` / `pendingImagePreview` | Image upload for new medications |
-| `settings` / `savedSettings` | User settings current vs saved |
-| `scheduleDays` | How many days to show (30/90/180) |
-| `showPastDays` | Toggle for past days visibility |
-| `takenDoses` | Set of dose IDs that are marked taken |
-| `manuallyCollapsedDays` / `manuallyExpandedDays` | Day collapse state |
-| `selectedMed` | Medication shown in detail modal |
-| `selectedUser` | Filter schedule by "taken by" person |
-
-### Key Computed Values (useMemo)
-| Value | Purpose |
-|-------|---------|
-| `schedule` | All scheduled events from `buildSchedulePreview()` |
-| `groupedSchedule` | Events grouped by day |
-| `pastDays` / `futureDays` | Split groupedSchedule by today |
-| `coverage` | Stock coverage calculations |
-| `coverageByMed` / `depletionByMed` | Coverage lookups |
-
-## Conventions
-
- **TypeScript**: Strict mode, ESM modules (`"type": "module"`)
- **Styling**: CSS custom properties in `frontend/src/styles.css`, dark/light theme via `data-theme`
- **API responses**: Return objects directly, Fastify serializes to JSON
- **Environment**: Copy `.env.example` → `.env`, secrets must be 10+ chars
- **i18n**: All UI text via `t('key')` function, translations in `frontend/src/i18n/*.json`
-
-## Database Schema Changes
-
-When adding new database columns:
-
-1. **Update schema**: `backend/src/db/schema.ts` - Add the Drizzle column definition
-2. **Update client.ts**: `backend/src/db/client.ts` - Add column to `CREATE TABLE IF NOT EXISTS`
-3. **Update migrate.ts**: `backend/src/db/migrate.ts` - Same as client.ts
-4. **Delete old DB**: `rm backend/data/medassist-ng.db` and restart
-
-## File Locations
-
-| Purpose | Location |
-|---------|----------|
-| Backend entry | `backend/src/index.ts` |
-| Database schema | `backend/src/db/schema.ts` |
-| Backend routes | `backend/src/routes/*.ts` |
-| Backend services | `backend/src/services/*.ts` |
-| Frontend app | `frontend/src/App.tsx` |
-| Frontend auth | `frontend/src/components/Auth.tsx` |
-| Styles | `frontend/src/styles.css` |
-| i18n English | `frontend/src/i18n/en.json` |
-| i18n German | `frontend/src/i18n/de.json` |
-| Docker prod | `docker-compose.yml` |
-| Docker dev | `docker-compose.dev.yml` |
-| Env template | `.env.example` |
+This file intentionally stays minimal to prevent duplicated or conflicting instructions.
@@ -0,0 +1,70 @@
+version: 2
+
+updates:
+  # Backend dependencies
+  - package-ecosystem: "npm"
+    directory: "/backend"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "06:20"
+    open-pull-requests-limit: 10
+    labels:
+      - "dependencies"
+      - "backend"
+    groups:
+      minor-and-patch:
+        update-types:
+          - "minor"
+          - "patch"
+
+  # Frontend dependencies
+  - package-ecosystem: "npm"
+    directory: "/frontend"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "06:10"
+    open-pull-requests-limit: 10
+    labels:
+      - "dependencies"
+      - "frontend"
+    groups:
+      minor-and-patch:
+        update-types:
+          - "minor"
+          - "patch"
+
+  # Root dev dependencies
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "06:00"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"
+      - "root"
+    groups:
+      minor-and-patch:
+        update-types:
+          - "minor"
+          - "patch"
+
+  # GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "06:30"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"
+      - "ci"
+    groups:
+      minor-and-patch:
+        update-types:
+          - "minor"
+          - "patch"
@@ -0,0 +1,28 @@
+# MedAssist Agent Skills
+
+This directory contains project skills for VS Code Copilot.
+
+Each skill lives in its own folder and must include a `SKILL.md` file.
+
+## Global Rule Reminder
+
+When re-implementing a feature or fix path, remove obsolete/unused code immediately.
+Do not leave dead code behind.
+Also follow the canonical global engineering rules in `AGENTS.md`.
+Use one governance source to avoid duplicated or conflicting policy text.
+
+## Skills
+
+- `medassist-karpathy-core` — enforce think-before-coding, simplicity-first changes, surgical diffs, and goal-driven verification.
+- `medassist-architecture-guard` — enforce frontend/backend boundary and `/api/*` data-flow conventions.
+- `medassist-db-compat-check` — enforce backward-compatible SQLite/Drizzle schema changes.
+- `medassist-i18n-enforcer` — enforce translation-key-only UI copy with EN/DE parity.
+- `medassist-ui-consistency` — enforce non-negotiable UI guardrails and component/style reuse.
+- `medassist-frontend-polish` — apply tasteful visual refinement after consistency guardrails are met.
+- `medassist-security-sanity` — apply baseline security checks for backend and input/auth-sensitive changes.
+- `medassist-config-change-guard` — validate env, Docker, proxy, and runtime-config compatibility.
+- `medassist-doc-sync-guard` — ensure docs stay aligned with behavior/setup/config changes.
+- `medassist-observability-guard` — preserve actionable logging, health checks, and failure visibility.
+- `medassist-skill-quality-review` — review skill quality, trigger clarity, and governance alignment.
+- `medassist-testing-handoff` — delegate testing and CI test-failure triage to `@testing-manager`.
+- `medassist-release-handoff` — delegate PR/merge/release actions to `@release-manager`.
@@ -0,0 +1,35 @@
+---
+name: medassist-architecture-guard
+description: Guard MedAssist architectural boundaries and route/data-flow conventions when changing backend or frontend code, including equivalent requests phrased in German.
+---
+
+# Skill Instructions
+
+Use this skill when a task touches API endpoints, frontend API calls, routing, or code placement.
+
+## Goals
+
+- Keep responsibilities in the correct layer.
+- Preserve MedAssist proxy and routing conventions.
+- Prevent architecture drift and cross-layer anti-patterns.
+
+## Required Checks
+
+1. Frontend network calls use `/api/*` paths.
+2. Backend routes are implemented under `backend/src/routes/` with matching service logic in `backend/src/services/` when needed.
+3. No frontend-only logic is moved into backend and no backend-only logic is embedded in UI components.
+4. Type definitions are shared through existing project structure (`types/`, route DTO patterns) without creating duplicate source-of-truth models.
+
+## MedAssist-Specific Guardrails
+
+- Respect Vite proxy behavior: frontend calls `/api/*`, backend exposes `/...` routes.
+- Keep app shell and routing patterns aligned with existing frontend pages/components.
+- Prefer minimal, local changes over broad restructures.
+
+## Response Format
+
+When this skill is used, summarize:
+
+- Which architectural checks were applied
+- Which files are affected
+- Any boundary risks found and how they were resolved
@@ -0,0 +1,43 @@
+---
+name: medassist-config-change-guard
+description: Validate MedAssist configuration changes across env vars, Docker compose, proxy settings, and runtime defaults, including equivalent requests phrased in German.
+---
+
+# Skill Instructions
+
+Use this skill when changes touch `.env`, Docker files, Vite proxy settings, runtime defaults, or app startup behavior.
+
+## Objective
+
+Prevent configuration drift and broken local/CI environments.
+
+## Required Checks
+
+1. New/changed config has safe defaults.
+2. Env changes are backward-compatible where feasible.
+3. Docker/dev runtime changes remain consistent across services.
+4. Frontend/backend URL/proxy conventions remain valid (`/api/*`).
+5. Documentation reflects configuration changes.
+
+## Files to Prioritize
+
+- `.env.example`
+- `docker-compose.yml`
+- `docker-compose.dev.yml`
+- `frontend/vite.config.ts`
+- Relevant package scripts and startup files
+
+## Anti-Patterns
+
+- Hidden required env vars with no defaults.
+- Inconsistent host/port/proxy settings across environments.
+- Config changes without doc updates.
+
+## Response Format
+
+Report:
+
+- Config files reviewed
+- Compatibility impact (none/low/high)
+- Required follow-up updates
+- Final readiness recommendation
@@ -0,0 +1,40 @@
+---
+name: medassist-db-compat-check
+description: Enforce backward-compatible database changes for MedAssist SQLite and Drizzle migrations, including equivalent requests phrased in German.
+---
+
+# Skill Instructions
+
+Use this skill for any feature or fix that adds or reads persisted data.
+
+## Mandatory Sequence
+
+For every new persisted field/column:
+
+1. Add the column in `backend/src/db/schema.ts` with `NOT NULL DEFAULT <value>`.
+2. Generate migration with Drizzle Kit.
+3. Add matching `ALTER TABLE` logic in `backend/src/db/client.ts` inside `runAlterMigrations()`.
+4. Read values null-safe in routes/services (`?? defaultValue`).
+
+## Hard Rules
+
+- Never remove or rename existing columns.
+- Never add non-null columns without defaults.
+- Never read newly added fields without fallback.
+- Never manually edit generated Drizzle SQL migrations.
+
+## Verification Checklist
+
+- Schema update exists.
+- Generated migration exists.
+- Alter migration for existing DBs exists.
+- Runtime reads are fallback-safe.
+
+## Response Format
+
+Report these items explicitly:
+
+- New/changed columns
+- Added alter-migration statements
+- Null-safe read locations
+- Remaining migration risk (if any)
@@ -0,0 +1,39 @@
+---
+name: medassist-doc-sync-guard
+description: Ensure MedAssist documentation stays aligned with behavior changes in APIs, configuration, setup, and operations, including equivalent requests phrased in German.
+---
+
+# Skill Instructions
+
+Use this skill when code changes alter behavior, setup steps, environment variables, user workflows, or operational commands.
+
+## Objective
+
+Keep docs consistent with actual product behavior and avoid stale setup/run guidance.
+
+## Required Checks
+
+1. If API behavior changed, verify relevant docs are updated.
+2. If ENV/config changed, update documented variables/defaults.
+3. If workflow/commands changed, update setup/run instructions.
+4. If user-facing behavior changed, update user-facing description.
+
+## Candidate Documentation Files
+
+- `README.md`
+- `docs/PROJECT_SETUP.md`
+- `docs/TECH_STACK.md`
+
+## Anti-Patterns
+
+- Shipping behavior changes without docs updates.
+- Updating docs with speculative/unverified commands.
+- Duplicating conflicting instructions across files.
+
+## Response Format
+
+Return:
+
+- Doc files that should change
+- Proposed update summary per file
+- Any intentionally skipped docs and reason
@@ -0,0 +1,67 @@
+---
+name: medassist-frontend-polish
+description: Improve frontend visual quality within the existing MedAssist design system, without introducing new themes, font stacks, or disruptive UI patterns, including equivalent requests phrased in German.
+---
+
+# Skill Instructions
+
+Use this skill when the user wants UI improvements, better styling, or a more polished frontend, but the feature must stay consistent with MedAssist product UX.
+
+## Scope
+
+This is the **visual enhancement skill**.
+It refines quality *within* existing product conventions.
+
+Apply `medassist-ui-consistency` rules first, then use this skill for tasteful polish.
+
+## Do Not Use This Skill For
+
+- Replacing base UI patterns/components with new ones.
+- New design-system direction, visual identity, or broad layout language changes.
+- Marketing/brand-experiment pages that intentionally break product conventions.
+
+## Objective
+
+Deliver production-grade visual refinement that feels intentionally designed while remaining fully consistent with existing MedAssist components, spacing, typography, and interaction patterns.
+
+## Strict Constraints
+
+- Reuse existing components and patterns first (`ConfirmModal`, `MedicationAvatar`, existing form/button/layout patterns).
+- Do not introduce new global theme systems, font families, or visual identity changes.
+- Do not invent new UX flows, pages, or interaction models unless explicitly requested.
+- Keep frontend text i18n-safe: use `t("...")` and EN/DE keys.
+- Respect accessibility and readability over decorative effects.
+
+## Allowed Enhancements
+
+- Better spacing rhythm and visual hierarchy.
+- Cleaner grouping, alignment, and density adjustments.
+- Improved states (hover, focus, disabled, loading) using existing style language.
+- Subtle transitions/micro-interactions that do not distract and do not change behavior.
+- Consistent empty/error/success presentation using existing UI conventions.
+
+## Not Allowed
+
+- Random aesthetic overhauls.
+- New color systems or hardcoded ad-hoc colors that break current theme tokens.
+- Heavy animation, parallax, or attention-stealing motion.
+- Typography experiments that diverge from current product style.
+- "Creative" layout changes that reduce usability or consistency.
+
+## Implementation Workflow
+
+1. Confirm `medassist-ui-consistency` guardrails are satisfied.
+2. Identify existing components and CSS patterns to reuse.
+3. Define the smallest visual changes that improve clarity and quality.
+4. Apply refinements in-place without changing core behavior.
+5. Validate consistency across neighboring views/components.
+6. Ensure i18n and accessibility are preserved.
+
+## Response Format
+
+When using this skill, report:
+
+- Reused components and style primitives
+- Specific polish improvements applied
+- Any trade-offs/constraints respected
+- Confirmation that no new design system or disruptive UX pattern was introduced
@@ -0,0 +1,31 @@
+---
+name: medassist-i18n-enforcer
+description: Enforce MedAssist i18n rules so UI copy is always translation-key based for English and German, including equivalent requests phrased in German.
+---
+
+# Skill Instructions
+
+Use this skill when changing frontend UI text, form labels, alerts, dialogs, or page content.
+
+## Rules
+
+- Do not hardcode new user-facing strings in React components.
+- Use translation keys via `t("...")`.
+- Add or update matching keys in:
+  - `frontend/src/i18n/en.json`
+  - `frontend/src/i18n/de.json`
+- Keep semantic key naming consistent with existing namespaces.
+
+## Validation
+
+1. Every new UI string has a key.
+2. English and German entries are both present.
+3. No fallback-to-English hardcoded text remains in JSX.
+
+## Response Format
+
+List:
+
+- New keys added
+- Files where keys were used
+- Any intentionally unchanged text and reason
@@ -0,0 +1,69 @@
+---
+name: medassist-karpathy-core
+description: Apply assumption clarity, simplicity-first implementation, surgical diffs, and goal-driven verification for non-trivial coding tasks.
+---
+
+# Skill Instructions
+
+Use this skill as an execution style layer for implementation tasks where overengineering, broad refactors, or unclear assumptions are likely.
+
+## Use When
+
+- The request is ambiguous and assumptions must be made explicit.
+- The change can easily balloon in scope.
+- A bug fix or feature needs explicit success criteria and verification.
+- You need to keep diffs minimal and directly tied to the request.
+
+## Do Not Use When
+
+- The task is trivial and can be completed safely without extra process overhead.
+- The task is only about ownership routing (use `medassist-testing-handoff` / `medassist-release-handoff`).
+- The task is only about domain guardrails already covered by specialized skills (architecture, DB, i18n, UI, security, config, observability).
+
+## Core Principles
+
+### 1. Think Before Coding
+
+- Do not assume silently.
+- State assumptions explicitly.
+- If multiple interpretations exist, present them instead of picking one invisibly.
+- If uncertain or blocked by ambiguity, stop and ask.
+- If a simpler approach exists, call it out.
+
+### 2. Simplicity First
+
+- Implement the minimum code required to solve the asked problem.
+- Do not add speculative features, abstractions, or configurability.
+- Avoid defensive handling for impossible scenarios.
+- If the solution feels overcomplicated, simplify before finalizing.
+
+### 3. Surgical Changes
+
+- Touch only lines required for the request.
+- Do not refactor unrelated areas.
+- Match existing local style and patterns.
+- Remove only unused code introduced by your own change.
+- If unrelated dead code is discovered, mention it but do not remove it unless requested.
+
+### 4. Goal-Driven Execution
+
+- Translate requests into verifiable outcomes before implementation.
+- For multi-step tasks, define short steps with checks.
+- Verify the requested behavior explicitly before declaring done.
+
+Example execution frame:
+
+```text
+1. [Step] -> verify: [check]
+2. [Step] -> verify: [check]
+3. [Step] -> verify: [check]
+```
+
+## Response Format
+
+When this skill is used, report briefly:
+
+- Assumptions made (or clarifications requested)
+- Why the chosen approach is the simplest viable one
+- What was changed (and what was intentionally not changed)
+- Verification performed and result
@@ -0,0 +1,41 @@
+---
+name: medassist-observability-guard
+description: Ensure MedAssist changes preserve actionable logging, health checks, and clear operational error visibility, including equivalent requests phrased in German.
+---
+
+# Skill Instructions
+
+Use this skill when changes affect backend services, schedulers, integrations, startup flow, or failure handling.
+
+## Objective
+
+Maintain operational visibility so failures are detectable, diagnosable, and actionable.
+
+## Required Checks
+
+1. Critical paths keep clear error reporting.
+2. Health-check behavior remains intact and meaningful.
+3. Logs contain actionable context without leaking secrets.
+4. Errors are surfaced with enough detail for debugging.
+5. Silent failure paths are avoided.
+
+## MedAssist Focus Areas
+
+- `backend/src/index.ts`
+- `backend/src/routes/health.ts`
+- `backend/src/services/*`
+- Scheduler and notification flows
+
+## Anti-Patterns
+
+- Swallowed exceptions.
+- Generic logs with no context.
+- Missing visibility for background failures.
+
+## Response Format
+
+Return:
+
+- Observability touchpoints reviewed
+- Gaps found and suggested fixes
+- Operational risk level
@@ -0,0 +1,30 @@
+---
+name: medassist-release-handoff
+description: Enforce MedAssist release ownership by preventing remote git/release actions by normal agents and delegating to release-manager, including equivalent requests phrased in German.
+---
+
+# Skill Instructions
+
+Use this skill when a request includes branch push, PR creation, merge, tagging, release notes publishing, or release orchestration.
+
+## Ownership Rules
+
+- Remote git/release actions are owned by `@release-manager`.
+- Normal agent/Copilot must not perform:
+  - `git push`
+  - PR creation/merge
+  - tag/release creation
+
+## Required Behavior
+
+1. Perform local code edits only.
+2. Summarize local changes clearly.
+3. Provide handoff instruction to `@release-manager` for shipping steps.
+
+## Response Format
+
+When this skill applies, return:
+
+- "Release handoff required"
+- Delegate target: `@release-manager`
+- Shipping checklist (branch, PR, CI, merge, release)
@@ -0,0 +1,43 @@
+---
+name: medassist-security-sanity
+description: Apply baseline security checks to MedAssist code changes, especially for backend routes, auth flows, and input handling, including equivalent requests phrased in German.
+---
+
+# Skill Instructions
+
+Use this skill when a change touches backend routes, auth/session logic, file handling, imports/exports, or external input.
+
+## Objective
+
+Prevent common security regressions with fast, practical checks during implementation.
+
+## Required Checks
+
+1. Validate and sanitize external input at API boundaries.
+2. Enforce auth/authz server-side for protected actions.
+3. Ensure secrets/tokens are never hardcoded or logged.
+4. Avoid information leakage in error responses.
+5. Keep permission-sensitive operations explicit and auditable.
+
+## MedAssist Focus Areas
+
+- Route handlers in `backend/src/routes/`.
+- Auth-related code in `backend/src/plugins/` and auth routes.
+- Data import/export and sharing endpoints.
+- File/image upload and serving paths.
+
+## Anti-Patterns
+
+- Trusting frontend-only checks.
+- Accepting unchecked query/body/path input.
+- Returning raw internal errors to clients.
+- Weak defaults for sensitive operations.
+
+## Response Format
+
+Report:
+
+- Security-sensitive files reviewed
+- Findings by severity (critical/major/minor)
+- Concrete remediation actions
+- Residual risk (if any)
@@ -0,0 +1,42 @@
+---
+name: medassist-skill-quality-review
+description: Review MedAssist skills for trigger quality, scope boundaries, and conflicts with AGENTS governance, including equivalent requests phrased in German.
+---
+
+# Skill Instructions
+
+Use this skill when creating or modifying any skill under `.github/skills/`.
+
+## Objective
+
+Keep skills discoverable, non-overlapping, and aligned with canonical governance in `AGENTS.md`.
+
+## Required Checks
+
+1. Frontmatter has clear `name` and specific `description` trigger language.
+2. Scope boundaries are explicit (`when to use` / `do not use`).
+3. No conflicts with `AGENTS.md` ownership rules.
+4. No policy duplication that can drift from canonical governance.
+5. References to related skills are explicit where workflows chain.
+
+## Quality Signals
+
+- Trigger phrases are concrete and task-shaped.
+- Instructions are concise, actionable, and deterministic.
+- Response format is clear and useful for downstream handoff.
+
+## Anti-Patterns
+
+- Vague descriptions that match everything.
+- Duplicate skills with overlapping responsibilities.
+- Contradictory ownership guidance.
+- Long policy blocks copied from other files.
+
+## Response Format
+
+Return:
+
+- Scope/trigger issues found
+- Overlap/conflict findings
+- Suggested minimal edits
+- Final pass/fail recommendation
@@ -0,0 +1,31 @@
+---
+name: medassist-testing-handoff
+description: Enforce MedAssist testing ownership by delegating test planning, execution, and CI test failure triage to testing-manager, including equivalent requests phrased in German.
+---
+
+# Skill Instructions
+
+Use this skill whenever a task includes writing tests, running tests, or diagnosing test-related CI failures.
+
+## Ownership Rules
+
+- Test planning, implementation, and execution are owned by `@testing-manager`.
+- CI test-failure triage (`test.yml`, `e2e.yml`) is owned by `@testing-manager`.
+- Normal coding agent should hand off testing tasks instead of executing testing workflows directly.
+
+## Handoff Template
+
+Use this structure for delegation:
+
+1. Scope: feature/fix and affected files
+2. Expected behavior
+3. Suggested test layers (unit/integration/e2e)
+4. CI failure context (if applicable)
+
+## Response Format
+
+When triggered, output:
+
+- "Testing handoff required"
+- Delegate target: `@testing-manager`
+- Minimal handoff brief (scope + expected behavior)
@@ -0,0 +1,52 @@
+---
+name: medassist-ui-consistency
+description: Enforce non-negotiable MedAssist UI guardrails by reusing existing components, styles, and interaction patterns, including equivalent requests phrased in German.
+---
+
+# Skill Instructions
+
+Use this skill when implementing or editing UI flows, modals, buttons, forms, schedule views, or settings screens.
+
+## Scope
+
+This is the **guardrail skill** for UI work.
+Use it to enforce consistency and prevent design drift.
+
+Use `medassist-frontend-polish` only after these guardrails are satisfied.
+
+## Do Not Use This Skill For
+
+- Creative visual redesign requests where no product consistency constraints apply.
+- Marketing-style one-off pages outside MedAssist product UI conventions.
+
+## Rules
+
+- Reuse existing components (for example `ConfirmModal`, `MedicationAvatar`) before creating new primitives.
+- Keep spacing, typography, and button styles aligned with existing patterns.
+- Avoid custom inline modal/button patterns that diverge from project design.
+- Prefer extending existing CSS classes/styles instead of introducing parallel styling systems.
+
+### Modal requirements (non-negotiable)
+
+Every modal/overlay **must** follow these rules:
+
+1. **Escape key**: Call `useEscapeKey(active, onClose)` from `hooks/useEscapeKey`. This registers a document-level `keydown` listener that works regardless of focus. **Never** rely on `onKeyDown` on an overlay div — it only fires when the overlay has focus, which almost never happens.
+2. **Scroll lock**: Call `useScrollLock(active)` from `hooks/useScrollLock` if the modal is **not** already covered by App.tsx's centralized `useScrollLock` call. Page-local modals (e.g. `ReportModal`, `ExportModal`) must call it themselves.
+3. **Click-outside close**: The overlay div gets `onClick={onClose}`, and `.modal-content` gets `onClick={(e) => e.stopPropagation()}`.
+4. **Key event containment**: `.modal-content` gets `onKeyDown={(e) => { if (e.key !== "Escape") e.stopPropagation(); }}` — this prevents non-Escape keys from leaking out while still allowing Escape to propagate to the document-level handler.
+5. **Nested sub-modals** (e.g. edit-stock inside MedDetailModal): Use `useEscapeKey` with `{ capture: true }` so the innermost modal intercepts Escape before the parent's handler fires.
+
+## Decision Heuristics
+
+1. If an equivalent component exists, reuse it.
+2. If small variant is needed, extend existing styles minimally.
+3. If a new component is unavoidable, match existing naming and structure conventions.
+
+## Response Format
+
+Provide:
+
+- Reused components/styles
+- Any new UI element and why reuse was not possible
+- Consistency risks reviewed
+- Confirmation that `medassist-frontend-polish` constraints remain compatible (if polish work is also requested)
@@ -0,0 +1,19 @@
+name: Add to Project
+
+on:
+  issues:
+    types: [opened, labeled]
+
+permissions: {}
+
+jobs:
+  add-to-project:
+    name: Add issue to project
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/add-to-project@v1.0.2
+        with:
+          project-url: ${{ vars.PROJECT_URL }}
+          github-token: ${{ secrets.ADD_TO_PROJECT_PAT }}
+          labeled: enhancement, bug, triage
+          label-operator: OR
@@ -0,0 +1,64 @@
+name: "CodeQL"
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - '**.js'
+      - '**.ts'
+      - '**.tsx'
+      - '**.jsx'
+      - 'backend/package.json'
+      - 'backend/package-lock.json'
+      - 'frontend/package.json'
+      - 'frontend/package-lock.json'
+      - '.github/codeql/**'
+      - '.github/workflows/codeql.yml'
+  pull_request:
+    branches: [main]
+    paths:
+      - '**.js'
+      - '**.ts'
+      - '**.tsx'
+      - '**.jsx'
+      - 'backend/package.json'
+      - 'backend/package-lock.json'
+      - 'frontend/package.json'
+      - 'frontend/package-lock.json'
+      - '.github/codeql/**'
+      - '.github/workflows/codeql.yml'
+  schedule:
+    - cron: "0 6 * * 1" # Weekly on Monday at 6am UTC
+  workflow_dispatch: # Allow manual trigger
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [javascript-typescript]
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v4
+        with:
+          languages: ${{ matrix.language }}
+          config-file: ./.github/codeql/codeql-config.yml
+
+      - name: Autobuild
+        uses: github/codeql-action/autobuild@v4
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v4
+        with:
+          category: "/language:${{ matrix.language }}"
@@ -0,0 +1,37 @@
+name: Dependabot Automerge
+
+on:
+  pull_request_target:
+    types:
+      - opened
+      - reopened
+      - synchronize
+      - ready_for_review
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  enable-automerge:
+    if: github.actor == 'dependabot[bot]'
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Read Dependabot metadata
+        id: metadata
+        uses: dependabot/fetch-metadata@v2
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Enable auto-merge for safe updates
+        if: >-
+          (steps.metadata.outputs.package-ecosystem == 'npm' ||
+          steps.metadata.outputs.package-ecosystem == 'github_actions') &&
+          (steps.metadata.outputs.update-type == 'version-update:semver-minor' ||
+          steps.metadata.outputs.update-type == 'version-update:semver-patch')
+        uses: peter-evans/enable-pull-request-automerge@v3
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          pull-request-number: ${{ github.event.pull_request.number }}
+          merge-method: squash
@@ -4,8 +4,12 @@ on:
  push:
    branches: [main]
    tags: ['v*']
-  pull_request:
-    branches: [main]
+    paths:
+      - 'backend/**'
+      - 'frontend/**'
+      - 'docker-compose.yml'
+      - 'docker-compose.dev.yml'
+      - '.github/workflows/docker-build.yml'
  workflow_dispatch:
    inputs:
      tag:
@@ -13,10 +17,24 @@ on:
        required: false
        default: ''

+# Default minimal permissions
+permissions:
+  contents: read
+
 env:
  REGISTRY: ghcr.io

 jobs:
+  # =============================================================================
+  # Build and Push Docker Images
+  # Triggered on pushes to main (tagged as "main") and version tags (v*).
+  # Tests are NOT run here — branch protection on main requires all PR checks
+  # (backend-test + frontend-build from test.yml) to pass before merge.
+  # Tags are created from main, so code is already tested.
+  #
+  # main push  → "main" tag only (for testing before release)
+  # Tag builds → semver tags (e.g., 1.9.0, 1.9) plus "latest"
+  # =============================================================================
  build-and-push:
    runs-on: ubuntu-latest
    permissions:
@@ -33,7 +51,7 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
@@ -55,10 +73,10 @@ jobs:
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=raw,value=${{ github.event.inputs.tag || 'latest' }},enable=${{ github.event_name == 'workflow_dispatch' }}
-            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
+            type=raw,value=latest,enable=${{ startsWith(github.ref, 'refs/tags/v') }}

      - name: Build and push
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
        with:
          context: ${{ matrix.context }}
          push: true
@@ -67,3 +85,81 @@ jobs:
          cache-from: type=gha
          cache-to: type=gha,mode=max
          platforms: linux/amd64,linux/arm64
+          provenance: false
+          sbom: false
+
+  # =============================================================================
+  # Create GitHub Release (only on tag push)
+  # =============================================================================
+  create-release:
+    runs-on: ubuntu-latest
+    needs: build-and-push
+    if: startsWith(github.ref, 'refs/tags/v')
+    permissions:
+      contents: write
+    
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+        with:
+          fetch-depth: 0  # Fetch all history for changelog generation
+
+      - name: Check if release exists
+        id: check_release
+        run: |
+          CURRENT_TAG=${GITHUB_REF#refs/tags/}
+          if gh release view "$CURRENT_TAG" &>/dev/null; then
+            echo "exists=true" >> $GITHUB_OUTPUT
+            echo "Release $CURRENT_TAG already exists, skipping creation"
+          else
+            echo "exists=false" >> $GITHUB_OUTPUT
+          fi
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Get previous tag
+        if: steps.check_release.outputs.exists == 'false'
+        id: prev_tag
+        run: |
+          PREV_TAG=$(git describe --tags --abbrev=0 HEAD^ 2>/dev/null || echo "")
+          echo "tag=${PREV_TAG}" >> $GITHUB_OUTPUT
+
+      - name: Generate changelog
+        if: steps.check_release.outputs.exists == 'false'
+        id: changelog
+        run: |
+          CURRENT_TAG=${GITHUB_REF#refs/tags/}
+          PREV_TAG="${{ steps.prev_tag.outputs.tag }}"
+          
+          echo "## What's Changed" > changelog.md
+          echo "" >> changelog.md
+          
+          if [ -n "$PREV_TAG" ]; then
+            # Get commits between tags
+            git log ${PREV_TAG}..${CURRENT_TAG} --pretty=format:"* %s (%h)" --no-merges >> changelog.md
+          else
+            # First release - get recent commits
+            git log -20 --pretty=format:"* %s (%h)" --no-merges >> changelog.md
+          fi
+          
+          echo "" >> changelog.md
+          echo "" >> changelog.md
+          echo "## Docker Images" >> changelog.md
+          echo "" >> changelog.md
+          echo '```bash' >> changelog.md
+          echo "docker pull ghcr.io/${{ github.repository_owner }}/medassist-ng-backend:${CURRENT_TAG#v}" >> changelog.md
+          echo "docker pull ghcr.io/${{ github.repository_owner }}/medassist-ng-frontend:${CURRENT_TAG#v}" >> changelog.md
+          echo '```' >> changelog.md
+          echo "" >> changelog.md
+          echo "**Full Changelog**: https://github.com/${{ github.repository }}/compare/${PREV_TAG}...${CURRENT_TAG}" >> changelog.md
+
+      - name: Create GitHub Release
+        if: steps.check_release.outputs.exists == 'false'
+        uses: softprops/action-gh-release@v2
+        with:
+          body_path: changelog.md
+          generate_release_notes: false
+          draft: false
+          prerelease: ${{ contains(github.ref, '-rc') || contains(github.ref, '-beta') || contains(github.ref, '-alpha') }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -0,0 +1,72 @@
+name: E2E Tests
+
+on:
+  pull_request:
+    branches: [main]
+    paths:
+      - 'frontend/**'
+      - 'backend/**'
+      - '.github/workflows/e2e.yml'
+
+# Minimal permissions for security
+permissions:
+  contents: read
+
+jobs:
+  e2e:
+    name: Playwright E2E
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: '22'
+          cache: 'npm'
+          cache-dependency-path: |
+            backend/package-lock.json
+            frontend/package-lock.json
+
+      - name: Install backend dependencies
+        working-directory: backend
+        run: npm ci
+
+      - name: Install frontend dependencies
+        working-directory: frontend
+        run: npm ci
+
+      - name: Install Playwright browsers
+        working-directory: frontend
+        run: npx playwright install --with-deps chromium
+
+      - name: Run E2E tests (Chromium only)
+        working-directory: frontend
+        run: npx playwright test --project=chromium
+        env:
+          CI: true
+          PLAYWRIGHT_WORKERS: 1
+          PLAYWRIGHT_HTML_OPEN: never
+          JWT_SECRET: e2e-test-secret-that-is-long-enough
+          SESSION_SECRET: e2e-test-session-secret-long-enough
+
+      - name: Upload Playwright report
+        uses: actions/upload-artifact@v6
+        if: always()
+        with:
+          name: playwright-report
+          path: frontend/playwright-report/
+          retention-days: 7
+
+      - name: Upload test results
+        uses: actions/upload-artifact@v6
+        if: always()
+        with:
+          name: playwright-results
+          path: frontend/test-results/
+          retention-days: 7
@@ -0,0 +1,105 @@
+name: Move Done in Project
+
+on:
+  issues:
+    types: [closed]
+  pull_request:
+    types: [closed]
+
+permissions: {}
+
+jobs:
+  move-to-done:
+    name: Move to Done
+    runs-on: ubuntu-latest
+    if: >-
+      (github.event_name == 'issues' && github.event.issue.state_reason == 'completed') ||
+      (github.event_name == 'pull_request' && github.event.pull_request.merged == true)
+    steps:
+      - name: Move project item to Done
+        uses: actions/github-script@v8
+        with:
+          github-token: ${{ secrets.ADD_TO_PROJECT_PAT }}
+          script: |
+            const projectId = 'PVT_kwHOADH82s4BO2OT';
+            const statusFieldId = 'PVTSSF_lAHOADH82s4BO2OTzg9bdkE';
+            const doneOptionId = 'ca45af98';
+
+            // Determine content ID (issue or PR node ID)
+            const nodeId = context.payload.issue?.node_id || context.payload.pull_request?.node_id;
+            const number = context.payload.issue?.number || context.payload.pull_request?.number;
+            const type = context.payload.issue ? 'issue' : 'pull_request';
+
+            console.log(`Processing ${type} #${number} (${nodeId})`);
+
+            // Find the project item by content node ID
+            const result = await github.graphql(`
+              query($nodeId: ID!) {
+                node(id: $nodeId) {
+                  ... on Issue {
+                    projectItems(first: 10) {
+                      nodes {
+                        id
+                        project { id }
+                        fieldValueByName(name: "Status") {
+                          ... on ProjectV2ItemFieldSingleSelectValue {
+                            name
+                            optionId
+                          }
+                        }
+                      }
+                    }
+                  }
+                  ... on PullRequest {
+                    projectItems(first: 10) {
+                      nodes {
+                        id
+                        project { id }
+                        fieldValueByName(name: "Status") {
+                          ... on ProjectV2ItemFieldSingleSelectValue {
+                            name
+                            optionId
+                          }
+                        }
+                      }
+                    }
+                  }
+                }
+              }
+            `, { nodeId });
+
+            const items = result.node?.projectItems?.nodes || [];
+            const projectItem = items.find(item => item.project.id === projectId);
+
+            if (!projectItem) {
+              console.log(`${type} #${number} is not in the project board — skipping.`);
+              return;
+            }
+
+            const currentStatus = projectItem.fieldValueByName?.name || 'unknown';
+            if (currentStatus === 'Done') {
+              console.log(`${type} #${number} is already "Done" — skipping.`);
+              return;
+            }
+
+            console.log(`Moving ${type} #${number} from "${currentStatus}" to "Done"...`);
+
+            await github.graphql(`
+              mutation($projectId: ID!, $itemId: ID!, $fieldId: ID!, $optionId: String!) {
+                updateProjectV2ItemFieldValue(input: {
+                  projectId: $projectId
+                  itemId: $itemId
+                  fieldId: $fieldId
+                  value: { singleSelectOptionId: $optionId }
+                }) {
+                  projectV2Item { id }
+                }
+              }
+            `, {
+              projectId,
+              itemId: projectItem.id,
+              fieldId: statusFieldId,
+              optionId: doneOptionId
+            });
+
+            console.log(`Successfully moved ${type} #${number} to "Done".`);
@@ -1,42 +0,0 @@
-name: Create Release
-
-on:
-  push:
-    tags: ['v*']
-
-permissions:
-  contents: write
-
-jobs:
-  release:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Generate changelog
-        id: changelog
-        run: |
-          # Get previous tag
-          PREV_TAG=$(git describe --tags --abbrev=0 HEAD^ 2>/dev/null || echo "")
-          
-          if [ -z "$PREV_TAG" ]; then
-            # First release - get all commits
-            CHANGES=$(git log --pretty=format:"- %s" HEAD)
-          else
-            # Get commits since last tag
-            CHANGES=$(git log --pretty=format:"- %s" ${PREV_TAG}..HEAD)
-          fi
-          
-          # Write to file for multiline support
-          echo "$CHANGES" > changelog.txt
-
-      - name: Create Release
-        uses: softprops/action-gh-release@v1
-        with:
-          body_path: changelog.txt
-          generate_release_notes: true
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -0,0 +1,126 @@
+name: Test
+
+on:
+  pull_request:
+    branches: [main]
+
+# Minimal permissions for security
+permissions:
+  contents: read
+
+jobs:
+  # =============================================================================
+  # Detect which paths changed to skip unnecessary jobs
+  # =============================================================================
+  changes:
+    name: Detect Changes
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
+    outputs:
+      backend: ${{ steps.filter.outputs.backend }}
+      frontend: ${{ steps.filter.outputs.frontend }}
+    steps:
+      - uses: dorny/paths-filter@v3
+        id: filter
+        with:
+          filters: |
+            backend:
+              - 'backend/**'
+              - 'biome.json'
+              - '.github/workflows/test.yml'
+            frontend:
+              - 'frontend/**'
+              - 'biome.json'
+              - '.github/workflows/test.yml'
+
+  # =============================================================================
+  # Backend Tests (skipped if no backend-related files changed)
+  # =============================================================================
+  backend-test:
+    name: Backend Tests
+    needs: changes
+    if: needs.changes.outputs.backend == 'true'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    defaults:
+      run:
+        working-directory: backend
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: '22'
+          cache: 'npm'
+          cache-dependency-path: backend/package-lock.json
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Lint
+        run: npm run lint
+
+      - name: TypeScript type check
+        run: npx tsc --noEmit
+
+      - name: Run tests with coverage
+        run: npm run test:coverage
+
+      - name: Upload coverage report
+        uses: actions/upload-artifact@v6
+        if: always()
+        with:
+          name: backend-coverage
+          path: backend/coverage/
+          retention-days: 7
+
+  # =============================================================================
+  # Frontend Tests & Build (skipped if no frontend-related files changed)
+  # =============================================================================
+  frontend-build:
+    name: Frontend Build
+    needs: changes
+    if: needs.changes.outputs.frontend == 'true'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    defaults:
+      run:
+        working-directory: frontend
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: '22'
+          cache: 'npm'
+          cache-dependency-path: frontend/package-lock.json
+
+      - name: Install dependencies
+        run: npm ci
+
+      - name: Lint
+        run: npm run lint
+
+      - name: Run tests with coverage
+        run: npm run test:coverage
+
+      - name: TypeScript type check & build
+        run: npm run build
+
+      - name: Upload coverage report
+        uses: actions/upload-artifact@v6
+        if: always()
+        with:
+          name: frontend-coverage
+          path: frontend/coverage/
+          retention-days: 7
@@ -0,0 +1,111 @@
+name: Update Test Badges
+
+on:
+  workflow_dispatch:
+  workflow_run:
+    workflows: ["Build and Push Docker Images"]
+    types: [completed]
+    branches: [main]
+
+permissions:
+  contents: write
+
+# Prevent parallel badge workflows from racing each other
+concurrency:
+  group: update-test-badges
+  cancel-in-progress: true
+
+jobs:
+  update-badges:
+    name: Update Test Count Badges
+    runs-on: ubuntu-latest
+    # Only run after successful docker builds, not failed ones
+    if: ${{ github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success' }}
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+        with:
+          token: ${{ secrets.BADGE_TOKEN || secrets.GITHUB_TOKEN }}
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: '22'
+          cache: 'npm'
+          cache-dependency-path: '**/package-lock.json'
+
+      - name: Install backend dependencies
+        working-directory: backend
+        run: npm ci
+
+      - name: Install frontend dependencies
+        working-directory: frontend
+        run: npm ci
+
+      - name: Run backend tests and capture count
+        id: backend-tests
+        working-directory: backend
+        timeout-minutes: 5
+        env:
+          CI: true
+        run: |
+          OUTPUT=$(npm run test:run 2>&1) || true
+          echo "$OUTPUT"
+          # Strip ANSI escape codes, then extract "Tests  X passed" from output
+          CLEAN=$(echo "$OUTPUT" | sed 's/\x1b\[[0-9;]*m//g')
+          PASSED=$(echo "$CLEAN" | grep -oP 'Tests\s+\K\d+(?=\s+passed)' | tail -1)
+          echo "count=$PASSED" >> $GITHUB_OUTPUT
+
+      - name: Run frontend tests and capture count
+        id: frontend-tests
+        working-directory: frontend
+        timeout-minutes: 5
+        env:
+          CI: true
+        run: |
+          OUTPUT=$(npm run test:run 2>&1) || true
+          echo "$OUTPUT"
+          # Strip ANSI escape codes, then extract "Tests  X passed" from output
+          CLEAN=$(echo "$OUTPUT" | sed 's/\x1b\[[0-9;]*m//g')
+          PASSED=$(echo "$CLEAN" | grep -oP 'Tests\s+\K\d+(?=\s+passed)' | tail -1)
+          echo "count=$PASSED" >> $GITHUB_OUTPUT
+
+      - name: Update README badges
+        run: |
+          BACKEND_COUNT="${{ steps.backend-tests.outputs.count }}"
+          FRONTEND_COUNT="${{ steps.frontend-tests.outputs.count }}"
+          
+          echo "Backend tests: $BACKEND_COUNT"
+          echo "Frontend tests: $FRONTEND_COUNT"
+          
+          # Only update if we got valid counts
+          if [[ -n "$BACKEND_COUNT" && -n "$FRONTEND_COUNT" ]]; then
+            # URL encode the slash for shields.io
+            BACKEND_BADGE="https://img.shields.io/badge/Backend_Tests-${BACKEND_COUNT}%2F${BACKEND_COUNT}-brightgreen?logo=vitest"
+            FRONTEND_BADGE="https://img.shields.io/badge/Frontend_Tests-${FRONTEND_COUNT}%2F${FRONTEND_COUNT}-brightgreen?logo=vitest"
+            
+            # Update README using sed
+            sed -i "s|https://img.shields.io/badge/Backend_Tests-[^\"]*|$BACKEND_BADGE|g" README.md
+            sed -i "s|https://img.shields.io/badge/Frontend_Tests-[^\"]*|$FRONTEND_BADGE|g" README.md
+            
+            echo "Updated badges in README.md"
+          else
+            echo "Could not extract test counts, skipping update"
+            exit 0
+          fi
+
+      - name: Commit and push badge updates
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git add README.md
+          if git diff --cached --quiet; then
+            echo "No badge changes to commit"
+          else
+            git commit -m "chore: update test count badges [skip ci]"
+            # Rebase on latest main to avoid push rejection when concurrent
+            # badge workflows or other [skip ci] commits land between checkout and push
+            git pull --rebase origin main
+            git push
+          fi
@@ -1,33 +1,86 @@
-# Node
+# ===================
+# Dependencies
+# ===================
 node_modules/
+.pnpm-store/
+
+# ===================
+# Build outputs
+# ===================
+dist/
+build/
+.tmp/
+*.tsbuildinfo
+
+# ===================
+# Test & Coverage
+# ===================
+coverage/
+.nyc_output/
+
+# Playwright
+/frontend/playwright-report/
+/frontend/test-results/
+/frontend/e2e/.auth/
+/frontend/blob-report/
+
+# ===================
+# Environment
+# ===================
+.env
+.env.*
+!.env.example
+
+# ===================
+# Database & Data
+# ===================
+*.db
+*.sqlite
+*.sqlite3
+*.db-journal
+*.db-wal
+*.db-shm
+data/
+
+# ===================
+# Logs
+# ===================
+logs/
+*.log
 npm-debug.log*
 yarn-debug.log*
 yarn-error.log*
 pnpm-debug.log*

-# Build outputs
-dist/
-build/
-coverage/
-.tmp/
-
-# Env
-.env
-.env.*
-!.env.example
-
-# SQLite
-*.db
-*.sqlite
-*.sqlite3
-*.db-journal
-backend/data/
-
-# Logs
-logs/
-*.log
-
-# Editor
-.vscode/
-.idea/
+# ===================
+# OS files
+# ===================
 .DS_Store
+Thumbs.db
+*.swp
+*.swo
+*~
+
+# ===================
+# IDE / Editor
+# ===================
+.idea/
+*.sublime-project
+*.sublime-workspace
+
+# Keep shared VS Code settings
+# .vscode/ is NOT ignored - settings.json is useful for the team
+
+# ===================
+# Misc
+# ===================
+*.local
+.cache/
+.turbo/
+.roo/
+.roomodes
+.claude/
+AGENTS.md
+docs/TECH_STACK.md
+doku
+plan
@@ -0,0 +1 @@
+npx lint-staged
@@ -0,0 +1,8 @@
+{
+  "vitest.root": "backend",
+  "vitest.enable": true,
+  "vitest.commandLine": "npm test --",
+  "chat.tools.terminal.autoApprove": {
+    "test": true
+  }
+}
@@ -0,0 +1,49 @@
+{
+  "version": "2.0.0",
+  "tasks": [
+    {
+      "label": "E2E stable",
+      "type": "shell",
+      "command": "npm",
+      "args": ["run", "test:e2e"],
+      "options": {
+        "cwd": "${workspaceFolder}/frontend"
+      },
+      "group": "test",
+      "problemMatcher": []
+    },
+    {
+      "label": "E2E stable + merged video",
+      "type": "shell",
+      "command": "npm",
+      "args": ["run", "test:e2e:with-video"],
+      "options": {
+        "cwd": "${workspaceFolder}/frontend"
+      },
+      "group": "test",
+      "problemMatcher": []
+    },
+    {
+      "label": "E2E all browsers",
+      "type": "shell",
+      "command": "npm",
+      "args": ["run", "test:e2e:all"],
+      "options": {
+        "cwd": "${workspaceFolder}/frontend"
+      },
+      "group": "test",
+      "problemMatcher": []
+    },
+    {
+      "label": "E2E all browsers + merged video",
+      "type": "shell",
+      "command": "npm",
+      "args": ["run", "test:e2e:all:with-video"],
+      "options": {
+        "cwd": "${workspaceFolder}/frontend"
+      },
+      "group": "test",
+      "problemMatcher": []
+    }
+  ]
+}
@@ -10,16 +10,21 @@
 </p>

 <p align="center">
-  <img src="https://img.shields.io/badge/React-18-61DAFB?logo=react" alt="React 18" />
+  <img src="https://img.shields.io/badge/React-19-61DAFB?logo=react" alt="React 19" />
  <img src="https://img.shields.io/badge/TypeScript-5-3178C6?logo=typescript" alt="TypeScript" />
  <img src="https://img.shields.io/badge/Fastify-5-000000?logo=fastify" alt="Fastify" />
  <img src="https://img.shields.io/badge/SQLite-Database-003B57?logo=sqlite" alt="SQLite" />
  <img src="https://img.shields.io/badge/Docker-Ready-2496ED?logo=docker" alt="Docker" />
 </p>

+<p align="center">
+  <img src="https://img.shields.io/badge/Backend_Tests-569%2F569-brightgreen?logo=vitest" alt="Backend Tests 454/454" />
+  <img src="https://img.shields.io/badge/Frontend_Tests-769%2F769-brightgreen?logo=vitest" alt="Frontend Tests 611/611" />
+</p>
+
 ### 🤖 AI-Generated Code

-> This app was 100% coded with Claude Opus 4.5. Use at your own risk.
+> This app was 100% coded with [Claude Opus 4.6](https://www.anthropic.com/claude) and [GPT-5.3 Codex](https://openai.com/index/gpt-5/). Use at your own risk.

 ### ⚠️ Disclaimer

@@ -28,6 +33,7 @@
 > **Think of this app as a helpful tool, but make all health decisions independently!**

 - [Features](#features)
+- [Screenshots](#screenshots)
 - [Getting Started](#getting-started)
 - [Configuration](#configuration)
 - [Development](#development)
@@ -38,14 +44,96 @@
  <img src="docs/gifs/MedAssist-demo.gif" alt="MedAssist-ng Dashboard" width="100%" />
 </p>

+<a id="screenshots"></a>
+<details>
+<summary><strong>Screenshots</strong></summary>
+<blockquote>
+
+<details>
+<summary>Dashboard</summary>
+
+Overview with stock status, reorder reminders, and upcoming schedules.
+
+<img src="docs/screenshots/dashboard-desktop.png" alt="Dashboard" width="100%" />
+
+</details>
+
+<details>
+<summary>Medication Detail</summary>
+
+View medication details, stock information, and intake schedule.
+
+<img src="docs/screenshots/medication-detail-modal.png" alt="Medication Detail Modal" width="100%" />
+
+</details>
+
+<details>
+<summary>Medications & Edit Form</summary>
+
+Manage your medications with the edit form and refill feature.
+
+<img src="docs/screenshots/medications-edit-desktop.png" alt="Medications Edit Form" width="100%" />
+
+</details>
+
+<details>
+<summary>Demand Calculator (Planner)</summary>
+
+Calculate how many pills you need for a specific date range.
+
+<img src="docs/screenshots/planner-desktop.png" alt="Planner - Demand Calculator" width="100%" />
+
+</details>
+
+<details>
+<summary>Shared Schedule</summary>
+
+Share your medication schedule with others via a public link.
+
+<img src="docs/screenshots/share-schedule-desktop.png" alt="Shared Schedule" width="100%" />
+
+</details>
+
+<details>
+<summary>Mobile Views</summary>
+
+<table>
+  <tr>
+    <td align="center" width="33%">
+      <strong>Dashboard</strong><br>
+      <img src="docs/screenshots/dashboard-mobile.png" alt="Mobile Dashboard" width="100%" />
+    </td>
+    <td align="center" width="33%">
+      <strong>Medications</strong><br>
+      <img src="docs/screenshots/medications-mobile.png" alt="Mobile Medications" width="100%" />
+    </td>
+    <td align="center" width="33%">
+      <strong>Schedule</strong><br>
+      <img src="docs/screenshots/schedule-mobile.png" alt="Mobile Schedule" width="100%" />
+    </td>
+  </tr>
+</table>
+
+</details>
+
+</blockquote>
+</details>
+
 ### Smart Inventory
- Track exact stock: packs, blisters, and loose pills
+- Track exact stock: packs, blisters, bottles, and loose pills
 - Display remaining days of supply
 - Automatic calculation based on intake schedule
+- Manual stock correction supports partial blisters and loose pills
+
+### Medication Refill
+- One-click refill with pack or loose pill options
+- Complete refill history per medication
+- Automatic stock updates after each refill

 ### Flexible Schedules
 - Daily, weekly, or custom intervals per medication
 - Independent schedules for each medication
+- Optional timeline filters for dashboard and shared schedule views

 ### Stock Alerts & Reminders
 - Notifications before stock runs out
@@ -55,14 +143,24 @@
 ### Trip Planner
 - Calculate how many pills you need for a trip or date range
 - Plan ahead for vacations, business trips, or hospital stays
+- Send demand reports via email or push notification
+
+### Reports
+- Generate medication reports as PDF, Markdown, or plain text
+- Include intake history, refill history, and prescription details

 ### Multi-Person Support
 - Manage medications for multiple people
 - Share schedules via link. Recipients can mark doses as taken, you see it live

+### Data Export & Import
+- Export all your data (medications, dose history, settings) as JSON
+- Import previously exported data with automatic ID remapping
+- Choose whether to include sensitive data in exports
+
 ### Notifications
 - Email via SMTP
- Push notifications via ntfy, Gotify, Telegram, Discord (Shoutrrr)
+- Push notifications via ntfy, Pushover, Gotify, Telegram, Discord & more ([Shoutrrr](https://containrrr.dev/shoutrrr/))
 - Supports both stock warnings and intake reminders

 ### Privacy & Security
@@ -96,7 +194,7 @@ All configuration is done via environment variables in `.env`. Copy `.env.exampl
 | `PGID` | `1000` | Group ID for container file permissions |
 | `PORT` | `3000` | Backend API port |
 | `CORS_ORIGINS` | `http://localhost:4174` | Allowed origins for CORS |
-| `LOG_LEVEL` | `info` | Log verbosity (`debug`, `info`, `warn`, `error`) |
+| `LOG_LEVEL` | `info` | Log verbosity (`debug`, `info`, `warn`, `error`, `silent`). At `info` (default), high-frequency polling endpoints are suppressed. Set `debug` to see all requests. |
 | `TZ` | `Europe/Berlin` | Timezone for scheduled reminders |

 ### Authentication
@@ -121,7 +219,7 @@ Generate secrets with: `openssl rand -hex 32`
 | `OIDC_ISSUER_URL` | — | OIDC provider URL |
 | `OIDC_CLIENT_ID` | — | Client ID from OIDC provider |
 | `OIDC_CLIENT_SECRET` | — | Client secret from OIDC provider |
-| `OIDC_REDIRECT_URI` | — | Callback URL |
+| `OIDC_REDIRECT_URI` | — | Full callback URL (e.g., `https://your-domain.com/api/auth/oidc/callback`) |
 | `OIDC_SCOPES` | `openid profile email` | Scopes to request |
 | `OIDC_USERNAME_CLAIM` | `preferred_username` | Claim for username |
 | `OIDC_AUTO_CREATE_USERS` | `true` | Auto-create users on first SSO login |
@@ -148,6 +246,66 @@ Generate secrets with: `openssl rand -hex 32`
 | `REMINDER_MINUTES_BEFORE` | `15` | Minutes before intake to send reminder |
 | `EXPIRY_WARNING_DAYS` | `30` | Days before expiry to show warning |

+### Push Notifications (Shoutrrr)
+
+MedAssist uses [Shoutrrr](https://containrrr.dev/shoutrrr/) for push notifications, supporting many services with a single URL format.
+
+**Implemented URL schemes in MedAssist:** `ntfy://`, `discord://`, `pushover://`, `gotify://`, `telegram://`, plus direct `https://` webhooks.
+
+This covers common providers like ntfy, Discord, Pushover, Gotify, Telegram, Slack webhooks, and many others via webhook URLs.
+
+Configure push notifications in Settings → Push, or set defaults via environment variables:
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `DEFAULT_SHOUTRRR_ENABLED` | `false` | Enable push notifications by default |
+| `DEFAULT_SHOUTRRR_URL` | — | Shoutrrr URL (see examples below) |
+| `DEFAULT_SHOUTRRR_STOCK_REMINDERS` | `true` | Send stock warnings via push |
+| `DEFAULT_SHOUTRRR_INTAKE_REMINDERS` | `true` | Send intake reminders via push |
+
+### Default User Settings
+
+These defaults are applied when a new user is created. Once a user saves settings in the app, their values take precedence.
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `DEFAULT_SHARE_STOCK_STATUS` | `true` | Show stock status (Normal/Low/Critical) on shared schedule links |
+
+#### URL Examples
+
+**ntfy** (free, self-hostable):
+```
+ntfy://ntfy.sh/your-topic
+ntfy://user:password@your-server.com/topic
+```
+
+**Pushover** (free app for iOS/Android):
+```
+pushover://shoutrrr:API_TOKEN@USER_KEY/
+```
+Get your keys at [pushover.net](https://pushover.net/):
+- **User Key**: Shown on your dashboard (top right)
+- **API Token**: Create an application → copy the API Token
+
+**Gotify** (self-hosted):
+```
+gotify://your-server.com/TOKEN
+gotify://your-server.com:443/path/to/gotify/TOKEN?priority=1
+```
+
+**Discord**:
+```
+discord://TOKEN@WEBHOOK_ID
+```
+
+**Telegram**:
+```
+telegram://TOKEN@telegram?chats=CHAT_ID
+telegram://TOKEN@telegram?chats=@your_channel,-1001234567890
+```
+
+For all services and options, see the [Shoutrrr documentation](https://containrrr.dev/shoutrrr/v0.8/services/overview/).
+
 # Development

 ```bash
@@ -157,6 +315,24 @@ docker compose -f docker-compose.dev.yml up
 - Frontend: `http://localhost:5173` (hot reload)
 - Backend: `http://localhost:3000`

+Playwright E2E recommendations:
+
+```bash
+cd frontend
+npm run test:e2e:local      # local run with PLAYWRIGHT_WORKERS=4
+npm run test:e2e:all:local  # local all-browser run with PLAYWRIGHT_WORKERS=4
+```
+
+- CI stays at `PLAYWRIGHT_WORKERS=1` for stability.
+- Data-heavy specs remain sequential via the `chromium-data` project config.
+
+# Dependency Updates
+
+- Dependabot checks dependencies weekly for `frontend`, `backend`, repository root tooling, and GitHub Actions.
+- Minor and patch updates are grouped to reduce PR noise.
+- Dependabot minor/patch PRs are configured for auto-merge after required CI checks pass.
+- Major updates still require manual review before merge.
+
 # Acknowledgements

 This project was inspired by [MedAssist](https://github.com/njic/medassist) by njic.
@@ -0,0 +1,35 @@
+# Dependencies
+node_modules/
+
+# Build outputs
+dist/
+coverage/
+
+# Development files
+*.log
+npm-debug.log*
+
+# Test files
+src/test/
+*.test.ts
+vitest.config.ts
+
+# Local data (mounted as volume in production)
+data/
+
+# IDE
+.vscode/
+.idea/
+
+# OS files
+.DS_Store
+Thumbs.db
+
+# Git
+.git/
+.gitignore
+
+# Docker
+Dockerfile
+.dockerignore
+docker-compose*.yml
@@ -46,6 +46,9 @@ COPY --from=builder /app/node_modules ./node_modules
 COPY --from=builder /app/dist ./dist
 COPY --from=builder /app/package.json ./

+# Copy drizzle migrations folder (required for database setup)
+COPY drizzle ./drizzle
+
 # Create data directory and set ownership to node user (UID 1000)
 RUN mkdir -p /app/data && chown -R node:node /app

@@ -0,0 +1,10 @@
+import { defineConfig } from "drizzle-kit";
+
+export default defineConfig({
+  schema: "./src/db/schema.ts",
+  out: "./drizzle",
+  dialect: "sqlite",
+  dbCredentials: {
+    url: process.env.DATABASE_URL || "./data/medassist-ng.db",
+  },
+});
@@ -0,0 +1,112 @@
+CREATE TABLE `dose_tracking` (
+	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+	`user_id` integer NOT NULL,
+	`dose_id` text(255) NOT NULL,
+	`taken_at` integer DEFAULT (strftime('%s','now')) NOT NULL,
+	`marked_by` text(100),
+	`dismissed` integer DEFAULT false NOT NULL,
+	FOREIGN KEY (`user_id`) REFERENCES `users`(`id`) ON UPDATE no action ON DELETE cascade
+);
+--> statement-breakpoint
+CREATE TABLE `medications` (
+	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+	`user_id` integer NOT NULL,
+	`name` text(100) NOT NULL,
+	`generic_name` text(100),
+	`taken_by_json` text DEFAULT '[]' NOT NULL,
+	`pack_count` integer DEFAULT 1 NOT NULL,
+	`blisters_per_pack` integer DEFAULT 1 NOT NULL,
+	`pills_per_blister` integer DEFAULT 1 NOT NULL,
+	`loose_tablets` integer DEFAULT 0 NOT NULL,
+	`pill_weight_mg` integer,
+	`usage_json` text DEFAULT '[]' NOT NULL,
+	`every_json` text DEFAULT '[]' NOT NULL,
+	`start_json` text DEFAULT '[]' NOT NULL,
+	`image_url` text,
+	`expiry_date` text,
+	`notes` text,
+	`intake_reminders_enabled` integer DEFAULT false NOT NULL,
+	`updated_at` integer DEFAULT CURRENT_TIMESTAMP NOT NULL,
+	FOREIGN KEY (`user_id`) REFERENCES `users`(`id`) ON UPDATE no action ON DELETE cascade
+);
+--> statement-breakpoint
+CREATE TABLE `refill_history` (
+	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+	`medication_id` integer NOT NULL,
+	`user_id` integer NOT NULL,
+	`packs_added` integer DEFAULT 0 NOT NULL,
+	`loose_pills_added` integer DEFAULT 0 NOT NULL,
+	`refill_date` integer DEFAULT (strftime('%s','now')) NOT NULL,
+	FOREIGN KEY (`medication_id`) REFERENCES `medications`(`id`) ON UPDATE no action ON DELETE cascade,
+	FOREIGN KEY (`user_id`) REFERENCES `users`(`id`) ON UPDATE no action ON DELETE cascade
+);
+--> statement-breakpoint
+CREATE TABLE `refresh_tokens` (
+	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+	`user_id` integer NOT NULL,
+	`token_id` text(255) NOT NULL,
+	`expires_at` integer NOT NULL,
+	`rotated_at` integer,
+	`revoked` integer DEFAULT false NOT NULL,
+	`created_at` integer DEFAULT CURRENT_TIMESTAMP NOT NULL,
+	FOREIGN KEY (`user_id`) REFERENCES `users`(`id`) ON UPDATE no action ON DELETE cascade
+);
+--> statement-breakpoint
+CREATE UNIQUE INDEX `refresh_tokens_token_id_unique` ON `refresh_tokens` (`token_id`);--> statement-breakpoint
+CREATE TABLE `share_tokens` (
+	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+	`user_id` integer NOT NULL,
+	`token` text(64) NOT NULL,
+	`taken_by` text(100) NOT NULL,
+	`schedule_days` integer DEFAULT 30 NOT NULL,
+	`created_at` integer DEFAULT CURRENT_TIMESTAMP NOT NULL,
+	`expires_at` integer,
+	FOREIGN KEY (`user_id`) REFERENCES `users`(`id`) ON UPDATE no action ON DELETE cascade
+);
+--> statement-breakpoint
+CREATE UNIQUE INDEX `share_tokens_token_unique` ON `share_tokens` (`token`);--> statement-breakpoint
+CREATE TABLE `user_settings` (
+	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+	`user_id` integer NOT NULL,
+	`email_enabled` integer DEFAULT false NOT NULL,
+	`notification_email` text,
+	`email_stock_reminders` integer DEFAULT true NOT NULL,
+	`email_intake_reminders` integer DEFAULT true NOT NULL,
+	`shoutrrr_enabled` integer DEFAULT false NOT NULL,
+	`shoutrrr_url` text,
+	`shoutrrr_stock_reminders` integer DEFAULT true NOT NULL,
+	`shoutrrr_intake_reminders` integer DEFAULT true NOT NULL,
+	`reminder_days_before` integer DEFAULT 7 NOT NULL,
+	`repeat_daily_reminders` integer DEFAULT false NOT NULL,
+	`skip_reminders_for_taken_doses` integer DEFAULT false NOT NULL,
+	`repeat_reminders_enabled` integer DEFAULT false NOT NULL,
+	`reminder_repeat_interval_minutes` integer DEFAULT 30 NOT NULL,
+	`max_nagging_reminders` integer DEFAULT 5 NOT NULL,
+	`low_stock_days` integer DEFAULT 30 NOT NULL,
+	`normal_stock_days` integer DEFAULT 90 NOT NULL,
+	`high_stock_days` integer DEFAULT 180 NOT NULL,
+	`expiry_warning_days` integer DEFAULT 90 NOT NULL,
+	`language` text(10) DEFAULT 'en' NOT NULL,
+	`stock_calculation_mode` text(20) DEFAULT 'automatic' NOT NULL,
+	`last_auto_email_sent` text,
+	`last_notification_type` text,
+	`last_notification_channel` text,
+	`updated_at` integer DEFAULT CURRENT_TIMESTAMP NOT NULL,
+	FOREIGN KEY (`user_id`) REFERENCES `users`(`id`) ON UPDATE no action ON DELETE cascade
+);
+--> statement-breakpoint
+CREATE UNIQUE INDEX `user_settings_user_id_unique` ON `user_settings` (`user_id`);--> statement-breakpoint
+CREATE TABLE `users` (
+	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+	`username` text(100) NOT NULL,
+	`password_hash` text(255),
+	`avatar_url` text(255),
+	`auth_provider` text(50) DEFAULT 'local' NOT NULL,
+	`oidc_subject` text(255),
+	`is_active` integer DEFAULT true NOT NULL,
+	`last_login_at` integer,
+	`created_at` integer DEFAULT CURRENT_TIMESTAMP NOT NULL,
+	`updated_at` integer DEFAULT CURRENT_TIMESTAMP NOT NULL
+);
+--> statement-breakpoint
+CREATE UNIQUE INDEX `users_username_unique` ON `users` (`username`);
@@ -0,0 +1 @@
+ALTER TABLE `medications` ADD `stock_adjustment` integer DEFAULT 0 NOT NULL;
@@ -0,0 +1 @@
+ALTER TABLE `medications` ADD `last_stock_correction_at` integer;
@@ -0,0 +1,3 @@
+ALTER TABLE `medications` ADD `dismissed_until` text;--> statement-breakpoint
+ALTER TABLE `user_settings` ADD `last_reminder_med_name` text;--> statement-breakpoint
+ALTER TABLE `user_settings` ADD `last_reminder_taken_by` text;
@@ -0,0 +1,3 @@
+-- Add package type support (blister vs bottle)
+ALTER TABLE medications ADD COLUMN package_type TEXT DEFAULT 'blister' NOT NULL;
+ALTER TABLE medications ADD COLUMN total_pills INTEGER;
@@ -0,0 +1,3 @@
+-- Add dose_unit column and intakes JSON array for per-intake takenBy support
+ALTER TABLE `medications` ADD `dose_unit` text(20) DEFAULT 'mg';--> statement-breakpoint
+ALTER TABLE `medications` ADD `intakes_json` text DEFAULT '[]' NOT NULL;
@@ -0,0 +1,3 @@
+ALTER TABLE `user_settings` ADD `last_stock_reminder_sent` text;--> statement-breakpoint
+ALTER TABLE `user_settings` ADD `last_stock_reminder_channel` text;--> statement-breakpoint
+ALTER TABLE `user_settings` ADD `last_stock_reminder_med_names` text;
@@ -0,0 +1 @@
+ALTER TABLE `user_settings` ADD `share_stock_status` integer DEFAULT true NOT NULL;
@@ -0,0 +1,2 @@
+ALTER TABLE `medications` ADD `is_obsolete` integer DEFAULT false NOT NULL;
+ALTER TABLE `medications` ADD `obsolete_at` integer;
@@ -0,0 +1,8 @@
+ALTER TABLE `medications` ADD `prescription_enabled` integer NOT NULL DEFAULT 0;
+ALTER TABLE `medications` ADD `prescription_authorized_refills` integer;
+ALTER TABLE `medications` ADD `prescription_remaining_refills` integer;
+ALTER TABLE `medications` ADD `prescription_low_refill_threshold` integer NOT NULL DEFAULT 1;
+ALTER TABLE `medications` ADD `prescription_expiry_date` text;
+
+ALTER TABLE `user_settings` ADD `email_prescription_reminders` integer NOT NULL DEFAULT 1;
+ALTER TABLE `user_settings` ADD `shoutrrr_prescription_reminders` integer NOT NULL DEFAULT 1;
@@ -0,0 +1 @@
+ALTER TABLE `medications` ADD `medication_start_date` text DEFAULT '' NOT NULL;
@@ -0,0 +1 @@
+ALTER TABLE `dose_tracking` ADD `taken_source` text DEFAULT 'manual' NOT NULL;
@@ -0,0 +1,819 @@
+{
+  "version": "6",
+  "dialect": "sqlite",
+  "id": "0e7f882c-b6e8-4d7b-a6a8-a076969c3e76",
+  "prevId": "00000000-0000-0000-0000-000000000000",
+  "tables": {
+    "dose_tracking": {
+      "name": "dose_tracking",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "dose_id": {
+          "name": "dose_id",
+          "type": "text(255)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "taken_at": {
+          "name": "taken_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "(strftime('%s','now'))"
+        },
+        "marked_by": {
+          "name": "marked_by",
+          "type": "text(100)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "dismissed": {
+          "name": "dismissed",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "dose_tracking_user_id_users_id_fk": {
+          "name": "dose_tracking_user_id_users_id_fk",
+          "tableFrom": "dose_tracking",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "medications": {
+      "name": "medications",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "name": {
+          "name": "name",
+          "type": "text(100)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "generic_name": {
+          "name": "generic_name",
+          "type": "text(100)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "taken_by_json": {
+          "name": "taken_by_json",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'[]'"
+        },
+        "pack_count": {
+          "name": "pack_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 1
+        },
+        "blisters_per_pack": {
+          "name": "blisters_per_pack",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 1
+        },
+        "pills_per_blister": {
+          "name": "pills_per_blister",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 1
+        },
+        "loose_tablets": {
+          "name": "loose_tablets",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 0
+        },
+        "pill_weight_mg": {
+          "name": "pill_weight_mg",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "usage_json": {
+          "name": "usage_json",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'[]'"
+        },
+        "every_json": {
+          "name": "every_json",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'[]'"
+        },
+        "start_json": {
+          "name": "start_json",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'[]'"
+        },
+        "image_url": {
+          "name": "image_url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "expiry_date": {
+          "name": "expiry_date",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "notes": {
+          "name": "notes",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "intake_reminders_enabled": {
+          "name": "intake_reminders_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "medications_user_id_users_id_fk": {
+          "name": "medications_user_id_users_id_fk",
+          "tableFrom": "medications",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "refill_history": {
+      "name": "refill_history",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "medication_id": {
+          "name": "medication_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "packs_added": {
+          "name": "packs_added",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 0
+        },
+        "loose_pills_added": {
+          "name": "loose_pills_added",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 0
+        },
+        "refill_date": {
+          "name": "refill_date",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "(strftime('%s','now'))"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "refill_history_medication_id_medications_id_fk": {
+          "name": "refill_history_medication_id_medications_id_fk",
+          "tableFrom": "refill_history",
+          "tableTo": "medications",
+          "columnsFrom": [
+            "medication_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "refill_history_user_id_users_id_fk": {
+          "name": "refill_history_user_id_users_id_fk",
+          "tableFrom": "refill_history",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "refresh_tokens": {
+      "name": "refresh_tokens",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "token_id": {
+          "name": "token_id",
+          "type": "text(255)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "rotated_at": {
+          "name": "rotated_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "revoked": {
+          "name": "revoked",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "refresh_tokens_token_id_unique": {
+          "name": "refresh_tokens_token_id_unique",
+          "columns": [
+            "token_id"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "refresh_tokens_user_id_users_id_fk": {
+          "name": "refresh_tokens_user_id_users_id_fk",
+          "tableFrom": "refresh_tokens",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "share_tokens": {
+      "name": "share_tokens",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "token": {
+          "name": "token",
+          "type": "text(64)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "taken_by": {
+          "name": "taken_by",
+          "type": "text(100)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "schedule_days": {
+          "name": "schedule_days",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 30
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        }
+      },
+      "indexes": {
+        "share_tokens_token_unique": {
+          "name": "share_tokens_token_unique",
+          "columns": [
+            "token"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "share_tokens_user_id_users_id_fk": {
+          "name": "share_tokens_user_id_users_id_fk",
+          "tableFrom": "share_tokens",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "user_settings": {
+      "name": "user_settings",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "email_enabled": {
+          "name": "email_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "notification_email": {
+          "name": "notification_email",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "email_stock_reminders": {
+          "name": "email_stock_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": true
+        },
+        "email_intake_reminders": {
+          "name": "email_intake_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": true
+        },
+        "shoutrrr_enabled": {
+          "name": "shoutrrr_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "shoutrrr_url": {
+          "name": "shoutrrr_url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "shoutrrr_stock_reminders": {
+          "name": "shoutrrr_stock_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": true
+        },
+        "shoutrrr_intake_reminders": {
+          "name": "shoutrrr_intake_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": true
+        },
+        "reminder_days_before": {
+          "name": "reminder_days_before",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 7
+        },
+        "repeat_daily_reminders": {
+          "name": "repeat_daily_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "skip_reminders_for_taken_doses": {
+          "name": "skip_reminders_for_taken_doses",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "repeat_reminders_enabled": {
+          "name": "repeat_reminders_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "reminder_repeat_interval_minutes": {
+          "name": "reminder_repeat_interval_minutes",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 30
+        },
+        "max_nagging_reminders": {
+          "name": "max_nagging_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 5
+        },
+        "low_stock_days": {
+          "name": "low_stock_days",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 30
+        },
+        "normal_stock_days": {
+          "name": "normal_stock_days",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 90
+        },
+        "high_stock_days": {
+          "name": "high_stock_days",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 180
+        },
+        "expiry_warning_days": {
+          "name": "expiry_warning_days",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 90
+        },
+        "language": {
+          "name": "language",
+          "type": "text(10)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'en'"
+        },
+        "stock_calculation_mode": {
+          "name": "stock_calculation_mode",
+          "type": "text(20)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'automatic'"
+        },
+        "last_auto_email_sent": {
+          "name": "last_auto_email_sent",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_notification_type": {
+          "name": "last_notification_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_notification_channel": {
+          "name": "last_notification_channel",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "user_settings_user_id_unique": {
+          "name": "user_settings_user_id_unique",
+          "columns": [
+            "user_id"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "user_settings_user_id_users_id_fk": {
+          "name": "user_settings_user_id_users_id_fk",
+          "tableFrom": "user_settings",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "users": {
+      "name": "users",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "username": {
+          "name": "username",
+          "type": "text(100)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "password_hash": {
+          "name": "password_hash",
+          "type": "text(255)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "avatar_url": {
+          "name": "avatar_url",
+          "type": "text(255)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "auth_provider": {
+          "name": "auth_provider",
+          "type": "text(50)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'local'"
+        },
+        "oidc_subject": {
+          "name": "oidc_subject",
+          "type": "text(255)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "is_active": {
+          "name": "is_active",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": true
+        },
+        "last_login_at": {
+          "name": "last_login_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "users_username_unique": {
+          "name": "users_username_unique",
+          "columns": [
+            "username"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    }
+  },
+  "views": {},
+  "enums": {},
+  "_meta": {
+    "schemas": {},
+    "tables": {},
+    "columns": {}
+  },
+  "internal": {
+    "indexes": {}
+  }
+}
@@ -0,0 +1,827 @@
+{
+  "version": "6",
+  "dialect": "sqlite",
+  "id": "bcb60728-38c0-4965-adac-829c02240d89",
+  "prevId": "0e7f882c-b6e8-4d7b-a6a8-a076969c3e76",
+  "tables": {
+    "dose_tracking": {
+      "name": "dose_tracking",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "dose_id": {
+          "name": "dose_id",
+          "type": "text(255)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "taken_at": {
+          "name": "taken_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "(strftime('%s','now'))"
+        },
+        "marked_by": {
+          "name": "marked_by",
+          "type": "text(100)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "dismissed": {
+          "name": "dismissed",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "dose_tracking_user_id_users_id_fk": {
+          "name": "dose_tracking_user_id_users_id_fk",
+          "tableFrom": "dose_tracking",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "medications": {
+      "name": "medications",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "name": {
+          "name": "name",
+          "type": "text(100)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "generic_name": {
+          "name": "generic_name",
+          "type": "text(100)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "taken_by_json": {
+          "name": "taken_by_json",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'[]'"
+        },
+        "pack_count": {
+          "name": "pack_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 1
+        },
+        "blisters_per_pack": {
+          "name": "blisters_per_pack",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 1
+        },
+        "pills_per_blister": {
+          "name": "pills_per_blister",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 1
+        },
+        "loose_tablets": {
+          "name": "loose_tablets",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 0
+        },
+        "stock_adjustment": {
+          "name": "stock_adjustment",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 0
+        },
+        "pill_weight_mg": {
+          "name": "pill_weight_mg",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "usage_json": {
+          "name": "usage_json",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'[]'"
+        },
+        "every_json": {
+          "name": "every_json",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'[]'"
+        },
+        "start_json": {
+          "name": "start_json",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'[]'"
+        },
+        "image_url": {
+          "name": "image_url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "expiry_date": {
+          "name": "expiry_date",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "notes": {
+          "name": "notes",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "intake_reminders_enabled": {
+          "name": "intake_reminders_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "medications_user_id_users_id_fk": {
+          "name": "medications_user_id_users_id_fk",
+          "tableFrom": "medications",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "refill_history": {
+      "name": "refill_history",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "medication_id": {
+          "name": "medication_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "packs_added": {
+          "name": "packs_added",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 0
+        },
+        "loose_pills_added": {
+          "name": "loose_pills_added",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 0
+        },
+        "refill_date": {
+          "name": "refill_date",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "(strftime('%s','now'))"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "refill_history_medication_id_medications_id_fk": {
+          "name": "refill_history_medication_id_medications_id_fk",
+          "tableFrom": "refill_history",
+          "tableTo": "medications",
+          "columnsFrom": [
+            "medication_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "refill_history_user_id_users_id_fk": {
+          "name": "refill_history_user_id_users_id_fk",
+          "tableFrom": "refill_history",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "refresh_tokens": {
+      "name": "refresh_tokens",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "token_id": {
+          "name": "token_id",
+          "type": "text(255)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "rotated_at": {
+          "name": "rotated_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "revoked": {
+          "name": "revoked",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "refresh_tokens_token_id_unique": {
+          "name": "refresh_tokens_token_id_unique",
+          "columns": [
+            "token_id"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "refresh_tokens_user_id_users_id_fk": {
+          "name": "refresh_tokens_user_id_users_id_fk",
+          "tableFrom": "refresh_tokens",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "share_tokens": {
+      "name": "share_tokens",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "token": {
+          "name": "token",
+          "type": "text(64)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "taken_by": {
+          "name": "taken_by",
+          "type": "text(100)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "schedule_days": {
+          "name": "schedule_days",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 30
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        }
+      },
+      "indexes": {
+        "share_tokens_token_unique": {
+          "name": "share_tokens_token_unique",
+          "columns": [
+            "token"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "share_tokens_user_id_users_id_fk": {
+          "name": "share_tokens_user_id_users_id_fk",
+          "tableFrom": "share_tokens",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "user_settings": {
+      "name": "user_settings",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "email_enabled": {
+          "name": "email_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "notification_email": {
+          "name": "notification_email",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "email_stock_reminders": {
+          "name": "email_stock_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": true
+        },
+        "email_intake_reminders": {
+          "name": "email_intake_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": true
+        },
+        "shoutrrr_enabled": {
+          "name": "shoutrrr_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "shoutrrr_url": {
+          "name": "shoutrrr_url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "shoutrrr_stock_reminders": {
+          "name": "shoutrrr_stock_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": true
+        },
+        "shoutrrr_intake_reminders": {
+          "name": "shoutrrr_intake_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": true
+        },
+        "reminder_days_before": {
+          "name": "reminder_days_before",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 7
+        },
+        "repeat_daily_reminders": {
+          "name": "repeat_daily_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "skip_reminders_for_taken_doses": {
+          "name": "skip_reminders_for_taken_doses",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "repeat_reminders_enabled": {
+          "name": "repeat_reminders_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "reminder_repeat_interval_minutes": {
+          "name": "reminder_repeat_interval_minutes",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 30
+        },
+        "max_nagging_reminders": {
+          "name": "max_nagging_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 5
+        },
+        "low_stock_days": {
+          "name": "low_stock_days",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 30
+        },
+        "normal_stock_days": {
+          "name": "normal_stock_days",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 90
+        },
+        "high_stock_days": {
+          "name": "high_stock_days",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 180
+        },
+        "expiry_warning_days": {
+          "name": "expiry_warning_days",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 90
+        },
+        "language": {
+          "name": "language",
+          "type": "text(10)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'en'"
+        },
+        "stock_calculation_mode": {
+          "name": "stock_calculation_mode",
+          "type": "text(20)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'automatic'"
+        },
+        "last_auto_email_sent": {
+          "name": "last_auto_email_sent",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_notification_type": {
+          "name": "last_notification_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_notification_channel": {
+          "name": "last_notification_channel",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "user_settings_user_id_unique": {
+          "name": "user_settings_user_id_unique",
+          "columns": [
+            "user_id"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "user_settings_user_id_users_id_fk": {
+          "name": "user_settings_user_id_users_id_fk",
+          "tableFrom": "user_settings",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "users": {
+      "name": "users",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "username": {
+          "name": "username",
+          "type": "text(100)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "password_hash": {
+          "name": "password_hash",
+          "type": "text(255)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "avatar_url": {
+          "name": "avatar_url",
+          "type": "text(255)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "auth_provider": {
+          "name": "auth_provider",
+          "type": "text(50)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'local'"
+        },
+        "oidc_subject": {
+          "name": "oidc_subject",
+          "type": "text(255)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "is_active": {
+          "name": "is_active",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": true
+        },
+        "last_login_at": {
+          "name": "last_login_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "users_username_unique": {
+          "name": "users_username_unique",
+          "columns": [
+            "username"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    }
+  },
+  "views": {},
+  "enums": {},
+  "_meta": {
+    "schemas": {},
+    "tables": {},
+    "columns": {}
+  },
+  "internal": {
+    "indexes": {}
+  }
+}
@@ -0,0 +1,834 @@
+{
+  "version": "6",
+  "dialect": "sqlite",
+  "id": "098ee506-e43d-4ccb-bee5-c387905695ab",
+  "prevId": "bcb60728-38c0-4965-adac-829c02240d89",
+  "tables": {
+    "dose_tracking": {
+      "name": "dose_tracking",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "dose_id": {
+          "name": "dose_id",
+          "type": "text(255)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "taken_at": {
+          "name": "taken_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "(strftime('%s','now'))"
+        },
+        "marked_by": {
+          "name": "marked_by",
+          "type": "text(100)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "dismissed": {
+          "name": "dismissed",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "dose_tracking_user_id_users_id_fk": {
+          "name": "dose_tracking_user_id_users_id_fk",
+          "tableFrom": "dose_tracking",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "medications": {
+      "name": "medications",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "name": {
+          "name": "name",
+          "type": "text(100)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "generic_name": {
+          "name": "generic_name",
+          "type": "text(100)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "taken_by_json": {
+          "name": "taken_by_json",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'[]'"
+        },
+        "pack_count": {
+          "name": "pack_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 1
+        },
+        "blisters_per_pack": {
+          "name": "blisters_per_pack",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 1
+        },
+        "pills_per_blister": {
+          "name": "pills_per_blister",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 1
+        },
+        "loose_tablets": {
+          "name": "loose_tablets",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 0
+        },
+        "stock_adjustment": {
+          "name": "stock_adjustment",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 0
+        },
+        "last_stock_correction_at": {
+          "name": "last_stock_correction_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "pill_weight_mg": {
+          "name": "pill_weight_mg",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "usage_json": {
+          "name": "usage_json",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'[]'"
+        },
+        "every_json": {
+          "name": "every_json",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'[]'"
+        },
+        "start_json": {
+          "name": "start_json",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'[]'"
+        },
+        "image_url": {
+          "name": "image_url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "expiry_date": {
+          "name": "expiry_date",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "notes": {
+          "name": "notes",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "intake_reminders_enabled": {
+          "name": "intake_reminders_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "medications_user_id_users_id_fk": {
+          "name": "medications_user_id_users_id_fk",
+          "tableFrom": "medications",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "refill_history": {
+      "name": "refill_history",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "medication_id": {
+          "name": "medication_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "packs_added": {
+          "name": "packs_added",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 0
+        },
+        "loose_pills_added": {
+          "name": "loose_pills_added",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 0
+        },
+        "refill_date": {
+          "name": "refill_date",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "(strftime('%s','now'))"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "refill_history_medication_id_medications_id_fk": {
+          "name": "refill_history_medication_id_medications_id_fk",
+          "tableFrom": "refill_history",
+          "tableTo": "medications",
+          "columnsFrom": [
+            "medication_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "refill_history_user_id_users_id_fk": {
+          "name": "refill_history_user_id_users_id_fk",
+          "tableFrom": "refill_history",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "refresh_tokens": {
+      "name": "refresh_tokens",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "token_id": {
+          "name": "token_id",
+          "type": "text(255)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "rotated_at": {
+          "name": "rotated_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "revoked": {
+          "name": "revoked",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "refresh_tokens_token_id_unique": {
+          "name": "refresh_tokens_token_id_unique",
+          "columns": [
+            "token_id"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "refresh_tokens_user_id_users_id_fk": {
+          "name": "refresh_tokens_user_id_users_id_fk",
+          "tableFrom": "refresh_tokens",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "share_tokens": {
+      "name": "share_tokens",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "token": {
+          "name": "token",
+          "type": "text(64)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "taken_by": {
+          "name": "taken_by",
+          "type": "text(100)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "schedule_days": {
+          "name": "schedule_days",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 30
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        }
+      },
+      "indexes": {
+        "share_tokens_token_unique": {
+          "name": "share_tokens_token_unique",
+          "columns": [
+            "token"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "share_tokens_user_id_users_id_fk": {
+          "name": "share_tokens_user_id_users_id_fk",
+          "tableFrom": "share_tokens",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "user_settings": {
+      "name": "user_settings",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "email_enabled": {
+          "name": "email_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "notification_email": {
+          "name": "notification_email",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "email_stock_reminders": {
+          "name": "email_stock_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": true
+        },
+        "email_intake_reminders": {
+          "name": "email_intake_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": true
+        },
+        "shoutrrr_enabled": {
+          "name": "shoutrrr_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "shoutrrr_url": {
+          "name": "shoutrrr_url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "shoutrrr_stock_reminders": {
+          "name": "shoutrrr_stock_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": true
+        },
+        "shoutrrr_intake_reminders": {
+          "name": "shoutrrr_intake_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": true
+        },
+        "reminder_days_before": {
+          "name": "reminder_days_before",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 7
+        },
+        "repeat_daily_reminders": {
+          "name": "repeat_daily_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "skip_reminders_for_taken_doses": {
+          "name": "skip_reminders_for_taken_doses",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "repeat_reminders_enabled": {
+          "name": "repeat_reminders_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "reminder_repeat_interval_minutes": {
+          "name": "reminder_repeat_interval_minutes",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 30
+        },
+        "max_nagging_reminders": {
+          "name": "max_nagging_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 5
+        },
+        "low_stock_days": {
+          "name": "low_stock_days",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 30
+        },
+        "normal_stock_days": {
+          "name": "normal_stock_days",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 90
+        },
+        "high_stock_days": {
+          "name": "high_stock_days",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 180
+        },
+        "expiry_warning_days": {
+          "name": "expiry_warning_days",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 90
+        },
+        "language": {
+          "name": "language",
+          "type": "text(10)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'en'"
+        },
+        "stock_calculation_mode": {
+          "name": "stock_calculation_mode",
+          "type": "text(20)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'automatic'"
+        },
+        "last_auto_email_sent": {
+          "name": "last_auto_email_sent",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_notification_type": {
+          "name": "last_notification_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_notification_channel": {
+          "name": "last_notification_channel",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "user_settings_user_id_unique": {
+          "name": "user_settings_user_id_unique",
+          "columns": [
+            "user_id"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "user_settings_user_id_users_id_fk": {
+          "name": "user_settings_user_id_users_id_fk",
+          "tableFrom": "user_settings",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "users": {
+      "name": "users",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "username": {
+          "name": "username",
+          "type": "text(100)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "password_hash": {
+          "name": "password_hash",
+          "type": "text(255)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "avatar_url": {
+          "name": "avatar_url",
+          "type": "text(255)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "auth_provider": {
+          "name": "auth_provider",
+          "type": "text(50)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'local'"
+        },
+        "oidc_subject": {
+          "name": "oidc_subject",
+          "type": "text(255)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "is_active": {
+          "name": "is_active",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": true
+        },
+        "last_login_at": {
+          "name": "last_login_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "users_username_unique": {
+          "name": "users_username_unique",
+          "columns": [
+            "username"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    }
+  },
+  "views": {},
+  "enums": {},
+  "_meta": {
+    "schemas": {},
+    "tables": {},
+    "columns": {}
+  },
+  "internal": {
+    "indexes": {}
+  }
+}
@@ -0,0 +1,855 @@
+{
+  "version": "6",
+  "dialect": "sqlite",
+  "id": "4f1d8273-1e60-4da1-9bfc-bd51c2784836",
+  "prevId": "098ee506-e43d-4ccb-bee5-c387905695ab",
+  "tables": {
+    "dose_tracking": {
+      "name": "dose_tracking",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "dose_id": {
+          "name": "dose_id",
+          "type": "text(255)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "taken_at": {
+          "name": "taken_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "(strftime('%s','now'))"
+        },
+        "marked_by": {
+          "name": "marked_by",
+          "type": "text(100)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "dismissed": {
+          "name": "dismissed",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "dose_tracking_user_id_users_id_fk": {
+          "name": "dose_tracking_user_id_users_id_fk",
+          "tableFrom": "dose_tracking",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "medications": {
+      "name": "medications",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "name": {
+          "name": "name",
+          "type": "text(100)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "generic_name": {
+          "name": "generic_name",
+          "type": "text(100)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "taken_by_json": {
+          "name": "taken_by_json",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'[]'"
+        },
+        "pack_count": {
+          "name": "pack_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 1
+        },
+        "blisters_per_pack": {
+          "name": "blisters_per_pack",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 1
+        },
+        "pills_per_blister": {
+          "name": "pills_per_blister",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 1
+        },
+        "loose_tablets": {
+          "name": "loose_tablets",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 0
+        },
+        "stock_adjustment": {
+          "name": "stock_adjustment",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 0
+        },
+        "last_stock_correction_at": {
+          "name": "last_stock_correction_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "pill_weight_mg": {
+          "name": "pill_weight_mg",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "usage_json": {
+          "name": "usage_json",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'[]'"
+        },
+        "every_json": {
+          "name": "every_json",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'[]'"
+        },
+        "start_json": {
+          "name": "start_json",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'[]'"
+        },
+        "image_url": {
+          "name": "image_url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "expiry_date": {
+          "name": "expiry_date",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "notes": {
+          "name": "notes",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "intake_reminders_enabled": {
+          "name": "intake_reminders_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "dismissed_until": {
+          "name": "dismissed_until",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "medications_user_id_users_id_fk": {
+          "name": "medications_user_id_users_id_fk",
+          "tableFrom": "medications",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "refill_history": {
+      "name": "refill_history",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "medication_id": {
+          "name": "medication_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "packs_added": {
+          "name": "packs_added",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 0
+        },
+        "loose_pills_added": {
+          "name": "loose_pills_added",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 0
+        },
+        "refill_date": {
+          "name": "refill_date",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "(strftime('%s','now'))"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "refill_history_medication_id_medications_id_fk": {
+          "name": "refill_history_medication_id_medications_id_fk",
+          "tableFrom": "refill_history",
+          "tableTo": "medications",
+          "columnsFrom": [
+            "medication_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "refill_history_user_id_users_id_fk": {
+          "name": "refill_history_user_id_users_id_fk",
+          "tableFrom": "refill_history",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "refresh_tokens": {
+      "name": "refresh_tokens",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "token_id": {
+          "name": "token_id",
+          "type": "text(255)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "rotated_at": {
+          "name": "rotated_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "revoked": {
+          "name": "revoked",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "refresh_tokens_token_id_unique": {
+          "name": "refresh_tokens_token_id_unique",
+          "columns": [
+            "token_id"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "refresh_tokens_user_id_users_id_fk": {
+          "name": "refresh_tokens_user_id_users_id_fk",
+          "tableFrom": "refresh_tokens",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "share_tokens": {
+      "name": "share_tokens",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "token": {
+          "name": "token",
+          "type": "text(64)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "taken_by": {
+          "name": "taken_by",
+          "type": "text(100)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "schedule_days": {
+          "name": "schedule_days",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 30
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        }
+      },
+      "indexes": {
+        "share_tokens_token_unique": {
+          "name": "share_tokens_token_unique",
+          "columns": [
+            "token"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "share_tokens_user_id_users_id_fk": {
+          "name": "share_tokens_user_id_users_id_fk",
+          "tableFrom": "share_tokens",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "user_settings": {
+      "name": "user_settings",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "email_enabled": {
+          "name": "email_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "notification_email": {
+          "name": "notification_email",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "email_stock_reminders": {
+          "name": "email_stock_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": true
+        },
+        "email_intake_reminders": {
+          "name": "email_intake_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": true
+        },
+        "shoutrrr_enabled": {
+          "name": "shoutrrr_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "shoutrrr_url": {
+          "name": "shoutrrr_url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "shoutrrr_stock_reminders": {
+          "name": "shoutrrr_stock_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": true
+        },
+        "shoutrrr_intake_reminders": {
+          "name": "shoutrrr_intake_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": true
+        },
+        "reminder_days_before": {
+          "name": "reminder_days_before",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 7
+        },
+        "repeat_daily_reminders": {
+          "name": "repeat_daily_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "skip_reminders_for_taken_doses": {
+          "name": "skip_reminders_for_taken_doses",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "repeat_reminders_enabled": {
+          "name": "repeat_reminders_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "reminder_repeat_interval_minutes": {
+          "name": "reminder_repeat_interval_minutes",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 30
+        },
+        "max_nagging_reminders": {
+          "name": "max_nagging_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 5
+        },
+        "low_stock_days": {
+          "name": "low_stock_days",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 30
+        },
+        "normal_stock_days": {
+          "name": "normal_stock_days",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 90
+        },
+        "high_stock_days": {
+          "name": "high_stock_days",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 180
+        },
+        "expiry_warning_days": {
+          "name": "expiry_warning_days",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 90
+        },
+        "language": {
+          "name": "language",
+          "type": "text(10)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'en'"
+        },
+        "stock_calculation_mode": {
+          "name": "stock_calculation_mode",
+          "type": "text(20)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'automatic'"
+        },
+        "last_auto_email_sent": {
+          "name": "last_auto_email_sent",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_notification_type": {
+          "name": "last_notification_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_notification_channel": {
+          "name": "last_notification_channel",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_reminder_med_name": {
+          "name": "last_reminder_med_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_reminder_taken_by": {
+          "name": "last_reminder_taken_by",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "user_settings_user_id_unique": {
+          "name": "user_settings_user_id_unique",
+          "columns": [
+            "user_id"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "user_settings_user_id_users_id_fk": {
+          "name": "user_settings_user_id_users_id_fk",
+          "tableFrom": "user_settings",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "users": {
+      "name": "users",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "username": {
+          "name": "username",
+          "type": "text(100)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "password_hash": {
+          "name": "password_hash",
+          "type": "text(255)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "avatar_url": {
+          "name": "avatar_url",
+          "type": "text(255)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "auth_provider": {
+          "name": "auth_provider",
+          "type": "text(50)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'local'"
+        },
+        "oidc_subject": {
+          "name": "oidc_subject",
+          "type": "text(255)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "is_active": {
+          "name": "is_active",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": true
+        },
+        "last_login_at": {
+          "name": "last_login_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "users_username_unique": {
+          "name": "users_username_unique",
+          "columns": [
+            "username"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    }
+  },
+  "views": {},
+  "enums": {},
+  "_meta": {
+    "schemas": {},
+    "tables": {},
+    "columns": {}
+  },
+  "internal": {
+    "indexes": {}
+  }
+}
@@ -0,0 +1,886 @@
+{
+  "version": "6",
+  "dialect": "sqlite",
+  "id": "fb61e5fd-152d-4e61-8836-e2fd1d28e3f0",
+  "prevId": "4f1d8273-1e60-4da1-9bfc-bd51c2784836",
+  "tables": {
+    "dose_tracking": {
+      "name": "dose_tracking",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "dose_id": {
+          "name": "dose_id",
+          "type": "text(255)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "taken_at": {
+          "name": "taken_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "(strftime('%s','now'))"
+        },
+        "marked_by": {
+          "name": "marked_by",
+          "type": "text(100)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "dismissed": {
+          "name": "dismissed",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "dose_tracking_user_id_users_id_fk": {
+          "name": "dose_tracking_user_id_users_id_fk",
+          "tableFrom": "dose_tracking",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "medications": {
+      "name": "medications",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "name": {
+          "name": "name",
+          "type": "text(100)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "generic_name": {
+          "name": "generic_name",
+          "type": "text(100)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "taken_by_json": {
+          "name": "taken_by_json",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'[]'"
+        },
+        "package_type": {
+          "name": "package_type",
+          "type": "text(20)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'blister'"
+        },
+        "pack_count": {
+          "name": "pack_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 1
+        },
+        "blisters_per_pack": {
+          "name": "blisters_per_pack",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 1
+        },
+        "pills_per_blister": {
+          "name": "pills_per_blister",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 1
+        },
+        "total_pills": {
+          "name": "total_pills",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "loose_tablets": {
+          "name": "loose_tablets",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 0
+        },
+        "stock_adjustment": {
+          "name": "stock_adjustment",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 0
+        },
+        "last_stock_correction_at": {
+          "name": "last_stock_correction_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "pill_weight_mg": {
+          "name": "pill_weight_mg",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "dose_unit": {
+          "name": "dose_unit",
+          "type": "text(20)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'mg'"
+        },
+        "usage_json": {
+          "name": "usage_json",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'[]'"
+        },
+        "every_json": {
+          "name": "every_json",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'[]'"
+        },
+        "start_json": {
+          "name": "start_json",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'[]'"
+        },
+        "intakes_json": {
+          "name": "intakes_json",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'[]'"
+        },
+        "image_url": {
+          "name": "image_url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "expiry_date": {
+          "name": "expiry_date",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "notes": {
+          "name": "notes",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "intake_reminders_enabled": {
+          "name": "intake_reminders_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "dismissed_until": {
+          "name": "dismissed_until",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "medications_user_id_users_id_fk": {
+          "name": "medications_user_id_users_id_fk",
+          "tableFrom": "medications",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "refill_history": {
+      "name": "refill_history",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "medication_id": {
+          "name": "medication_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "packs_added": {
+          "name": "packs_added",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 0
+        },
+        "loose_pills_added": {
+          "name": "loose_pills_added",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 0
+        },
+        "refill_date": {
+          "name": "refill_date",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "(strftime('%s','now'))"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "refill_history_medication_id_medications_id_fk": {
+          "name": "refill_history_medication_id_medications_id_fk",
+          "tableFrom": "refill_history",
+          "tableTo": "medications",
+          "columnsFrom": [
+            "medication_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "refill_history_user_id_users_id_fk": {
+          "name": "refill_history_user_id_users_id_fk",
+          "tableFrom": "refill_history",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "refresh_tokens": {
+      "name": "refresh_tokens",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "token_id": {
+          "name": "token_id",
+          "type": "text(255)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "rotated_at": {
+          "name": "rotated_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "revoked": {
+          "name": "revoked",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "refresh_tokens_token_id_unique": {
+          "name": "refresh_tokens_token_id_unique",
+          "columns": [
+            "token_id"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "refresh_tokens_user_id_users_id_fk": {
+          "name": "refresh_tokens_user_id_users_id_fk",
+          "tableFrom": "refresh_tokens",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "share_tokens": {
+      "name": "share_tokens",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "token": {
+          "name": "token",
+          "type": "text(64)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "taken_by": {
+          "name": "taken_by",
+          "type": "text(100)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "schedule_days": {
+          "name": "schedule_days",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 30
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        }
+      },
+      "indexes": {
+        "share_tokens_token_unique": {
+          "name": "share_tokens_token_unique",
+          "columns": [
+            "token"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "share_tokens_user_id_users_id_fk": {
+          "name": "share_tokens_user_id_users_id_fk",
+          "tableFrom": "share_tokens",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "user_settings": {
+      "name": "user_settings",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "email_enabled": {
+          "name": "email_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "notification_email": {
+          "name": "notification_email",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "email_stock_reminders": {
+          "name": "email_stock_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": true
+        },
+        "email_intake_reminders": {
+          "name": "email_intake_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": true
+        },
+        "shoutrrr_enabled": {
+          "name": "shoutrrr_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "shoutrrr_url": {
+          "name": "shoutrrr_url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "shoutrrr_stock_reminders": {
+          "name": "shoutrrr_stock_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": true
+        },
+        "shoutrrr_intake_reminders": {
+          "name": "shoutrrr_intake_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": true
+        },
+        "reminder_days_before": {
+          "name": "reminder_days_before",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 7
+        },
+        "repeat_daily_reminders": {
+          "name": "repeat_daily_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "skip_reminders_for_taken_doses": {
+          "name": "skip_reminders_for_taken_doses",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "repeat_reminders_enabled": {
+          "name": "repeat_reminders_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "reminder_repeat_interval_minutes": {
+          "name": "reminder_repeat_interval_minutes",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 30
+        },
+        "max_nagging_reminders": {
+          "name": "max_nagging_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 5
+        },
+        "low_stock_days": {
+          "name": "low_stock_days",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 30
+        },
+        "normal_stock_days": {
+          "name": "normal_stock_days",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 90
+        },
+        "high_stock_days": {
+          "name": "high_stock_days",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 180
+        },
+        "expiry_warning_days": {
+          "name": "expiry_warning_days",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 90
+        },
+        "language": {
+          "name": "language",
+          "type": "text(10)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'en'"
+        },
+        "stock_calculation_mode": {
+          "name": "stock_calculation_mode",
+          "type": "text(20)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'automatic'"
+        },
+        "last_auto_email_sent": {
+          "name": "last_auto_email_sent",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_notification_type": {
+          "name": "last_notification_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_notification_channel": {
+          "name": "last_notification_channel",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_reminder_med_name": {
+          "name": "last_reminder_med_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_reminder_taken_by": {
+          "name": "last_reminder_taken_by",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "user_settings_user_id_unique": {
+          "name": "user_settings_user_id_unique",
+          "columns": [
+            "user_id"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "user_settings_user_id_users_id_fk": {
+          "name": "user_settings_user_id_users_id_fk",
+          "tableFrom": "user_settings",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "users": {
+      "name": "users",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "username": {
+          "name": "username",
+          "type": "text(100)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "password_hash": {
+          "name": "password_hash",
+          "type": "text(255)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "avatar_url": {
+          "name": "avatar_url",
+          "type": "text(255)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "auth_provider": {
+          "name": "auth_provider",
+          "type": "text(50)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'local'"
+        },
+        "oidc_subject": {
+          "name": "oidc_subject",
+          "type": "text(255)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "is_active": {
+          "name": "is_active",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": true
+        },
+        "last_login_at": {
+          "name": "last_login_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "users_username_unique": {
+          "name": "users_username_unique",
+          "columns": [
+            "username"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    }
+  },
+  "views": {},
+  "enums": {},
+  "_meta": {
+    "schemas": {},
+    "tables": {},
+    "columns": {}
+  },
+  "internal": {
+    "indexes": {}
+  }
+}
@@ -0,0 +1,907 @@
+{
+  "version": "6",
+  "dialect": "sqlite",
+  "id": "7cd75e33-b3d8-4930-a60b-2a0a9f644c6d",
+  "prevId": "fb61e5fd-152d-4e61-8836-e2fd1d28e3f0",
+  "tables": {
+    "dose_tracking": {
+      "name": "dose_tracking",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "dose_id": {
+          "name": "dose_id",
+          "type": "text(255)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "taken_at": {
+          "name": "taken_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "(strftime('%s','now'))"
+        },
+        "marked_by": {
+          "name": "marked_by",
+          "type": "text(100)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "dismissed": {
+          "name": "dismissed",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "dose_tracking_user_id_users_id_fk": {
+          "name": "dose_tracking_user_id_users_id_fk",
+          "tableFrom": "dose_tracking",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "medications": {
+      "name": "medications",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "name": {
+          "name": "name",
+          "type": "text(100)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "generic_name": {
+          "name": "generic_name",
+          "type": "text(100)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "taken_by_json": {
+          "name": "taken_by_json",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'[]'"
+        },
+        "package_type": {
+          "name": "package_type",
+          "type": "text(20)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'blister'"
+        },
+        "pack_count": {
+          "name": "pack_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 1
+        },
+        "blisters_per_pack": {
+          "name": "blisters_per_pack",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 1
+        },
+        "pills_per_blister": {
+          "name": "pills_per_blister",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 1
+        },
+        "total_pills": {
+          "name": "total_pills",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "loose_tablets": {
+          "name": "loose_tablets",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 0
+        },
+        "stock_adjustment": {
+          "name": "stock_adjustment",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 0
+        },
+        "last_stock_correction_at": {
+          "name": "last_stock_correction_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "pill_weight_mg": {
+          "name": "pill_weight_mg",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "dose_unit": {
+          "name": "dose_unit",
+          "type": "text(20)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'mg'"
+        },
+        "usage_json": {
+          "name": "usage_json",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'[]'"
+        },
+        "every_json": {
+          "name": "every_json",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'[]'"
+        },
+        "start_json": {
+          "name": "start_json",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'[]'"
+        },
+        "intakes_json": {
+          "name": "intakes_json",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'[]'"
+        },
+        "image_url": {
+          "name": "image_url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "expiry_date": {
+          "name": "expiry_date",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "notes": {
+          "name": "notes",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "intake_reminders_enabled": {
+          "name": "intake_reminders_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "dismissed_until": {
+          "name": "dismissed_until",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "medications_user_id_users_id_fk": {
+          "name": "medications_user_id_users_id_fk",
+          "tableFrom": "medications",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "refill_history": {
+      "name": "refill_history",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "medication_id": {
+          "name": "medication_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "packs_added": {
+          "name": "packs_added",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 0
+        },
+        "loose_pills_added": {
+          "name": "loose_pills_added",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 0
+        },
+        "refill_date": {
+          "name": "refill_date",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "(strftime('%s','now'))"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "refill_history_medication_id_medications_id_fk": {
+          "name": "refill_history_medication_id_medications_id_fk",
+          "tableFrom": "refill_history",
+          "tableTo": "medications",
+          "columnsFrom": [
+            "medication_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "refill_history_user_id_users_id_fk": {
+          "name": "refill_history_user_id_users_id_fk",
+          "tableFrom": "refill_history",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "refresh_tokens": {
+      "name": "refresh_tokens",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "token_id": {
+          "name": "token_id",
+          "type": "text(255)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "rotated_at": {
+          "name": "rotated_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "revoked": {
+          "name": "revoked",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "refresh_tokens_token_id_unique": {
+          "name": "refresh_tokens_token_id_unique",
+          "columns": [
+            "token_id"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "refresh_tokens_user_id_users_id_fk": {
+          "name": "refresh_tokens_user_id_users_id_fk",
+          "tableFrom": "refresh_tokens",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "share_tokens": {
+      "name": "share_tokens",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "token": {
+          "name": "token",
+          "type": "text(64)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "taken_by": {
+          "name": "taken_by",
+          "type": "text(100)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "schedule_days": {
+          "name": "schedule_days",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 30
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        }
+      },
+      "indexes": {
+        "share_tokens_token_unique": {
+          "name": "share_tokens_token_unique",
+          "columns": [
+            "token"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "share_tokens_user_id_users_id_fk": {
+          "name": "share_tokens_user_id_users_id_fk",
+          "tableFrom": "share_tokens",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "user_settings": {
+      "name": "user_settings",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "email_enabled": {
+          "name": "email_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "notification_email": {
+          "name": "notification_email",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "email_stock_reminders": {
+          "name": "email_stock_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": true
+        },
+        "email_intake_reminders": {
+          "name": "email_intake_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": true
+        },
+        "shoutrrr_enabled": {
+          "name": "shoutrrr_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "shoutrrr_url": {
+          "name": "shoutrrr_url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "shoutrrr_stock_reminders": {
+          "name": "shoutrrr_stock_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": true
+        },
+        "shoutrrr_intake_reminders": {
+          "name": "shoutrrr_intake_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": true
+        },
+        "reminder_days_before": {
+          "name": "reminder_days_before",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 7
+        },
+        "repeat_daily_reminders": {
+          "name": "repeat_daily_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "skip_reminders_for_taken_doses": {
+          "name": "skip_reminders_for_taken_doses",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "repeat_reminders_enabled": {
+          "name": "repeat_reminders_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "reminder_repeat_interval_minutes": {
+          "name": "reminder_repeat_interval_minutes",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 30
+        },
+        "max_nagging_reminders": {
+          "name": "max_nagging_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 5
+        },
+        "low_stock_days": {
+          "name": "low_stock_days",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 30
+        },
+        "normal_stock_days": {
+          "name": "normal_stock_days",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 90
+        },
+        "high_stock_days": {
+          "name": "high_stock_days",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 180
+        },
+        "expiry_warning_days": {
+          "name": "expiry_warning_days",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 90
+        },
+        "language": {
+          "name": "language",
+          "type": "text(10)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'en'"
+        },
+        "stock_calculation_mode": {
+          "name": "stock_calculation_mode",
+          "type": "text(20)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'automatic'"
+        },
+        "last_auto_email_sent": {
+          "name": "last_auto_email_sent",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_notification_type": {
+          "name": "last_notification_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_notification_channel": {
+          "name": "last_notification_channel",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_reminder_med_name": {
+          "name": "last_reminder_med_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_reminder_taken_by": {
+          "name": "last_reminder_taken_by",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_stock_reminder_sent": {
+          "name": "last_stock_reminder_sent",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_stock_reminder_channel": {
+          "name": "last_stock_reminder_channel",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_stock_reminder_med_names": {
+          "name": "last_stock_reminder_med_names",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "user_settings_user_id_unique": {
+          "name": "user_settings_user_id_unique",
+          "columns": [
+            "user_id"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "user_settings_user_id_users_id_fk": {
+          "name": "user_settings_user_id_users_id_fk",
+          "tableFrom": "user_settings",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "users": {
+      "name": "users",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "username": {
+          "name": "username",
+          "type": "text(100)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "password_hash": {
+          "name": "password_hash",
+          "type": "text(255)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "avatar_url": {
+          "name": "avatar_url",
+          "type": "text(255)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "auth_provider": {
+          "name": "auth_provider",
+          "type": "text(50)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'local'"
+        },
+        "oidc_subject": {
+          "name": "oidc_subject",
+          "type": "text(255)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "is_active": {
+          "name": "is_active",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": true
+        },
+        "last_login_at": {
+          "name": "last_login_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "users_username_unique": {
+          "name": "users_username_unique",
+          "columns": [
+            "username"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    }
+  },
+  "views": {},
+  "enums": {},
+  "_meta": {
+    "schemas": {},
+    "tables": {},
+    "columns": {}
+  },
+  "internal": {
+    "indexes": {}
+  }
+}
@@ -0,0 +1,915 @@
+{
+  "version": "6",
+  "dialect": "sqlite",
+  "id": "b6f1ee4b-cc31-4060-a4d4-bcd4fdc5bd87",
+  "prevId": "7cd75e33-b3d8-4930-a60b-2a0a9f644c6d",
+  "tables": {
+    "dose_tracking": {
+      "name": "dose_tracking",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "dose_id": {
+          "name": "dose_id",
+          "type": "text(255)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "taken_at": {
+          "name": "taken_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "(strftime('%s','now'))"
+        },
+        "marked_by": {
+          "name": "marked_by",
+          "type": "text(100)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "dismissed": {
+          "name": "dismissed",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "dose_tracking_user_id_users_id_fk": {
+          "name": "dose_tracking_user_id_users_id_fk",
+          "tableFrom": "dose_tracking",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "medications": {
+      "name": "medications",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "name": {
+          "name": "name",
+          "type": "text(100)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "generic_name": {
+          "name": "generic_name",
+          "type": "text(100)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "taken_by_json": {
+          "name": "taken_by_json",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'[]'"
+        },
+        "package_type": {
+          "name": "package_type",
+          "type": "text(20)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'blister'"
+        },
+        "pack_count": {
+          "name": "pack_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 1
+        },
+        "blisters_per_pack": {
+          "name": "blisters_per_pack",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 1
+        },
+        "pills_per_blister": {
+          "name": "pills_per_blister",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 1
+        },
+        "total_pills": {
+          "name": "total_pills",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "loose_tablets": {
+          "name": "loose_tablets",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 0
+        },
+        "stock_adjustment": {
+          "name": "stock_adjustment",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 0
+        },
+        "last_stock_correction_at": {
+          "name": "last_stock_correction_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "pill_weight_mg": {
+          "name": "pill_weight_mg",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "dose_unit": {
+          "name": "dose_unit",
+          "type": "text(20)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'mg'"
+        },
+        "usage_json": {
+          "name": "usage_json",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'[]'"
+        },
+        "every_json": {
+          "name": "every_json",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'[]'"
+        },
+        "start_json": {
+          "name": "start_json",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'[]'"
+        },
+        "intakes_json": {
+          "name": "intakes_json",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'[]'"
+        },
+        "image_url": {
+          "name": "image_url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "expiry_date": {
+          "name": "expiry_date",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "notes": {
+          "name": "notes",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "intake_reminders_enabled": {
+          "name": "intake_reminders_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "dismissed_until": {
+          "name": "dismissed_until",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "medications_user_id_users_id_fk": {
+          "name": "medications_user_id_users_id_fk",
+          "tableFrom": "medications",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "refill_history": {
+      "name": "refill_history",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "medication_id": {
+          "name": "medication_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "packs_added": {
+          "name": "packs_added",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 0
+        },
+        "loose_pills_added": {
+          "name": "loose_pills_added",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 0
+        },
+        "refill_date": {
+          "name": "refill_date",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "(strftime('%s','now'))"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "refill_history_medication_id_medications_id_fk": {
+          "name": "refill_history_medication_id_medications_id_fk",
+          "tableFrom": "refill_history",
+          "tableTo": "medications",
+          "columnsFrom": [
+            "medication_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "refill_history_user_id_users_id_fk": {
+          "name": "refill_history_user_id_users_id_fk",
+          "tableFrom": "refill_history",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "refresh_tokens": {
+      "name": "refresh_tokens",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "token_id": {
+          "name": "token_id",
+          "type": "text(255)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "rotated_at": {
+          "name": "rotated_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "revoked": {
+          "name": "revoked",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "refresh_tokens_token_id_unique": {
+          "name": "refresh_tokens_token_id_unique",
+          "columns": [
+            "token_id"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "refresh_tokens_user_id_users_id_fk": {
+          "name": "refresh_tokens_user_id_users_id_fk",
+          "tableFrom": "refresh_tokens",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "share_tokens": {
+      "name": "share_tokens",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "token": {
+          "name": "token",
+          "type": "text(64)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "taken_by": {
+          "name": "taken_by",
+          "type": "text(100)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "schedule_days": {
+          "name": "schedule_days",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 30
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        }
+      },
+      "indexes": {
+        "share_tokens_token_unique": {
+          "name": "share_tokens_token_unique",
+          "columns": [
+            "token"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "share_tokens_user_id_users_id_fk": {
+          "name": "share_tokens_user_id_users_id_fk",
+          "tableFrom": "share_tokens",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "user_settings": {
+      "name": "user_settings",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "email_enabled": {
+          "name": "email_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "notification_email": {
+          "name": "notification_email",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "email_stock_reminders": {
+          "name": "email_stock_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": true
+        },
+        "email_intake_reminders": {
+          "name": "email_intake_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": true
+        },
+        "shoutrrr_enabled": {
+          "name": "shoutrrr_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "shoutrrr_url": {
+          "name": "shoutrrr_url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "shoutrrr_stock_reminders": {
+          "name": "shoutrrr_stock_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": true
+        },
+        "shoutrrr_intake_reminders": {
+          "name": "shoutrrr_intake_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": true
+        },
+        "reminder_days_before": {
+          "name": "reminder_days_before",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 7
+        },
+        "repeat_daily_reminders": {
+          "name": "repeat_daily_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "skip_reminders_for_taken_doses": {
+          "name": "skip_reminders_for_taken_doses",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "repeat_reminders_enabled": {
+          "name": "repeat_reminders_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "reminder_repeat_interval_minutes": {
+          "name": "reminder_repeat_interval_minutes",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 30
+        },
+        "max_nagging_reminders": {
+          "name": "max_nagging_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 5
+        },
+        "low_stock_days": {
+          "name": "low_stock_days",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 30
+        },
+        "normal_stock_days": {
+          "name": "normal_stock_days",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 90
+        },
+        "high_stock_days": {
+          "name": "high_stock_days",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 180
+        },
+        "expiry_warning_days": {
+          "name": "expiry_warning_days",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 90
+        },
+        "language": {
+          "name": "language",
+          "type": "text(10)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'en'"
+        },
+        "stock_calculation_mode": {
+          "name": "stock_calculation_mode",
+          "type": "text(20)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'automatic'"
+        },
+        "share_stock_status": {
+          "name": "share_stock_status",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": true
+        },
+        "last_auto_email_sent": {
+          "name": "last_auto_email_sent",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_notification_type": {
+          "name": "last_notification_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_notification_channel": {
+          "name": "last_notification_channel",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_reminder_med_name": {
+          "name": "last_reminder_med_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_reminder_taken_by": {
+          "name": "last_reminder_taken_by",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_stock_reminder_sent": {
+          "name": "last_stock_reminder_sent",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_stock_reminder_channel": {
+          "name": "last_stock_reminder_channel",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_stock_reminder_med_names": {
+          "name": "last_stock_reminder_med_names",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "user_settings_user_id_unique": {
+          "name": "user_settings_user_id_unique",
+          "columns": [
+            "user_id"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "user_settings_user_id_users_id_fk": {
+          "name": "user_settings_user_id_users_id_fk",
+          "tableFrom": "user_settings",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "users": {
+      "name": "users",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "username": {
+          "name": "username",
+          "type": "text(100)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "password_hash": {
+          "name": "password_hash",
+          "type": "text(255)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "avatar_url": {
+          "name": "avatar_url",
+          "type": "text(255)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "auth_provider": {
+          "name": "auth_provider",
+          "type": "text(50)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'local'"
+        },
+        "oidc_subject": {
+          "name": "oidc_subject",
+          "type": "text(255)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "is_active": {
+          "name": "is_active",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": true
+        },
+        "last_login_at": {
+          "name": "last_login_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "users_username_unique": {
+          "name": "users_username_unique",
+          "columns": [
+            "username"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    }
+  },
+  "views": {},
+  "enums": {},
+  "_meta": {
+    "schemas": {},
+    "tables": {},
+    "columns": {}
+  },
+  "internal": {
+    "indexes": {}
+  }
+}
@@ -0,0 +1,83 @@
+{
+  "version": "7",
+  "dialect": "sqlite",
+  "entries": [
+    {
+      "idx": 0,
+      "version": "6",
+      "when": 1768600500759,
+      "tag": "0000_init",
+      "breakpoints": true
+    },
+    {
+      "idx": 1,
+      "version": "6",
+      "when": 1768734577830,
+      "tag": "0001_add_stock_adjustment",
+      "breakpoints": true
+    },
+    {
+      "idx": 2,
+      "version": "6",
+      "when": 1768736677092,
+      "tag": "0002_add_last_stock_correction_at",
+      "breakpoints": true
+    },
+    {
+      "idx": 3,
+      "version": "6",
+      "when": 1769354512857,
+      "tag": "0003_add_reminder_info_columns",
+      "breakpoints": true
+    },
+    {
+      "idx": 4,
+      "version": "6",
+      "when": 1769886564000,
+      "tag": "0004_add_package_type",
+      "breakpoints": true
+    },
+    {
+      "idx": 5,
+      "version": "6",
+      "when": 1769893708813,
+      "tag": "0005_add_intakes_json",
+      "breakpoints": true
+    },
+    {
+      "idx": 6,
+      "version": "6",
+      "when": 1770626907896,
+      "tag": "0006_add_stock_reminder_tracking",
+      "breakpoints": true
+    },
+    {
+      "idx": 7,
+      "version": "6",
+      "when": 1770659669121,
+      "tag": "0007_add_share_stock_status",
+      "breakpoints": true
+    },
+    {
+      "idx": 8,
+      "version": "6",
+      "when": 1771160400000,
+      "tag": "0008_add_obsolete_medications",
+      "breakpoints": true
+    },
+    {
+      "idx": 9,
+      "version": "6",
+      "when": 1771164000000,
+      "tag": "0009_add_medication_start_date",
+      "breakpoints": true
+    },
+    {
+      "idx": 10,
+      "version": "6",
+      "when": 1771694832866,
+      "tag": "0010_mean_spot",
+      "breakpoints": true
+    }
+  ]
+}
@@ -1,36 +1,51 @@
 {
  "name": "medassist-ng-backend",
-  "version": "0.1.0",
+  "version": "1.17.0",
  "private": true,
  "type": "module",
  "scripts": {
    "dev": "tsx watch src/index.ts",
    "build": "tsc -p tsconfig.json",
    "start": "node dist/index.js",
-    "migrate": "tsx src/db/migrate.ts"
+    "migrate": "tsx src/db/migrate.ts",
+    "test": "vitest",
+    "test:run": "vitest run",
+    "test:coverage": "vitest run --coverage",
+    "lint": "npx biome check .",
+    "lint:fix": "npx biome check --write .",
+    "format": "npx biome format --write .",
+    "check": "npx biome check . && tsc --noEmit"
  },
  "dependencies": {
-    "@fastify/cookie": "^10.0.1",
-    "@fastify/cors": "^10.0.1",
+    "@fastify/cookie": "^11.0.2",
+    "@fastify/cors": "^11.2.0",
    "@fastify/helmet": "^13.0.2",
    "@fastify/jwt": "^10.0.0",
-    "@fastify/multipart": "^9.3.0",
-    "@fastify/rate-limit": "^10.1.0",
+    "@fastify/multipart": "^9.4.0",
+    "@fastify/rate-limit": "^10.3.0",
    "@fastify/sensible": "^6.0.4",
-    "@fastify/static": "^8.3.0",
-    "@libsql/client": "^0.10.0",
-    "argon2": "^0.40.0",
-    "dotenv": "^16.4.5",
-    "drizzle-orm": "^0.32.2",
-    "fastify": "^5.0.0",
-    "nodemailer": "^7.0.11",
-    "openid-client": "^6.8.1",
+    "@fastify/static": "^9.0.0",
+    "@libsql/client": "^0.17.0",
+    "argon2": "^0.44.0",
+    "dotenv": "^17.3.1",
+    "drizzle-orm": "^0.45.1",
+    "fastify": "^5.7.4",
+    "nodemailer": "^8.0.1",
+    "openid-client": "^6.8.2",
+    "sharp": "^0.34.5",
    "zod": "^3.23.8"
  },
  "devDependencies": {
-    "@types/node": "^22.7.4",
-    "@types/nodemailer": "^6.4.21",
+    "@biomejs/biome": "^2.4.4",
+    "@types/node": "^25.3.0",
+    "@types/nodemailer": "^7.0.11",
+    "@types/supertest": "^6.0.2",
+    "@vitest/coverage-v8": "^4.0.18",
+    "drizzle-kit": "^0.31.9",
+    "pino-pretty": "^13.1.3",
+    "supertest": "^7.2.2",
    "tsx": "^4.19.0",
-    "typescript": "^5.5.4"
+    "typescript": "^5.5.4",
+    "vitest": "^4.0.16"
  }
 }
@@ -1,179 +1,116 @@
-import { createClient, Client } from "@libsql/client";
-import { drizzle } from "drizzle-orm/libsql";
-import { existsSync, mkdirSync, accessSync, constants, statSync, writeFileSync } from "fs";
-import { resolve } from "path";
+import { existsSync, statSync } from "node:fs";
+import { type Client, createClient } from "@libsql/client";
 import dotenv from "dotenv";
+import { drizzle } from "drizzle-orm/libsql";
+import { log } from "../utils/logger.js";
+// Import utilities from db-utils (side-effect-free)
+import {
+	ensureDataDirectory,
+	ensureDefaultUser,
+	getDbPaths,
+	repairOrphanedDoseIds,
+	repairTrailingHyphenDoseIds,
+	runAlterMigrations,
+	runDrizzleMigrations,
+} from "./db-utils.js";

-dotenv.config({ path: process.env.DOTENV_PATH || ".env" });
+// Re-export all utilities so existing imports from client.ts keep working
+export {
+	buildDbUrl,
+	ensureDataDirectory,
+	ensureDefaultUser,
+	getDataDir,
+	getDbPaths,
+	repairOrphanedDoseIds,
+	repairTrailingHyphenDoseIds,
+	runAlterMigrations,
+	runDrizzleMigrations,
+} from "./db-utils.js";
+
+// Load .env: try cwd first, then parent dir (for local dev running from backend/)
+const envPath = process.env.DOTENV_PATH || (existsSync(".env") ? ".env" : "../.env");
+dotenv.config({ path: envPath });
+
+// =============================================================================
+// Database initialization (runs on import)
+// =============================================================================

 // Use absolute path to ensure it works in Docker
-const dataDir = resolve(process.cwd(), "data");
-const dbPath = resolve(dataDir, "medassist-ng.db");
-const url = `file:${dbPath}`;
+const { dataDir, dbPath, url } = getDbPaths();

-console.log(`[DB] Data directory: ${dataDir}`);
-console.log(`[DB] Database path: ${dbPath}`);
-console.log(`[DB] Database URL: ${url}`);
+log.debug(`[DB] Data directory: ${dataDir}`);
+log.debug(`[DB] Database path: ${dbPath}`);
+log.debug(`[DB] Database URL: ${url}`);

 // Ensure data directory exists and is writable
-try {
-  if (!existsSync(dataDir)) {
-    mkdirSync(dataDir, { recursive: true });
-    console.log(`[DB] Created data directory: ${dataDir}`);
-  } else {
-    console.log(`[DB] Data directory exists: ${dataDir}`);
-  }
-  
-  // Check if directory is writable
-  accessSync(dataDir, constants.W_OK);
-  console.log(`[DB] Data directory is writable`);
-  
-  // Log directory stats
-  const stats = statSync(dataDir);
-  console.log(`[DB] Directory permissions: ${stats.mode.toString(8)}`);
-  console.log(`[DB] Directory UID: ${stats.uid}, GID: ${stats.gid}`);
-  
-  // Try to create a test file to verify write access
-  const testFile = resolve(dataDir, ".write-test");
-  writeFileSync(testFile, "test");
-  console.log(`[DB] Write test successful`);
-  
-} catch (err: any) {
-  console.error(`[DB] ERROR: Cannot access data directory: ${err.message}`);
-  console.error(`[DB] Please ensure the volume mount has correct permissions.`);
-  console.error(`[DB] Try running on host: sudo chown -R 1000:1000 ${dataDir}`);
-  process.exit(1);
+const dirResult = ensureDataDirectory(dataDir);
+if (!dirResult.success) {
+	log.error(`[DB] ERROR: Cannot access data directory: ${dirResult.error}`);
+	log.error(`[DB] Please ensure the volume mount has correct permissions.`);
+	log.error(`[DB] Try running on host: sudo chown -R 1000:1000 ${dataDir}`);
+	process.exit(1);
+} else {
+	log.debug(`[DB] Data directory is writable`);
+
+	// Log directory stats
+	const stats = statSync(dataDir);
+	log.debug(`[DB] Directory permissions: ${stats.mode.toString(8)}`);
+	log.debug(`[DB] Directory UID: ${stats.uid}, GID: ${stats.gid}`);
+	log.debug(`[DB] Write test successful`);
 }

 let client: Client;
 try {
-  client = createClient({ url });
-  console.log(`[DB] Database client created successfully`);
-} catch (err: any) {
-  console.error(`[DB] ERROR: Failed to create database client: ${err.message}`);
-  console.error(`[DB] Database path: ${dbPath}`);
-  process.exit(1);
+	client = createClient({ url });
+	log.debug(`[DB] Database client created successfully`);
+} catch (err: unknown) {
+	log.error(`[DB] ERROR: Failed to create database client: ${(err as Error).message}`);
+	log.error(`[DB] Database path: ${dbPath}`);
+	process.exit(1);
 }

 export const db = drizzle(client);

 // Auto-run migrations (self-healing database)
 async function runMigrations() {
-  // First, ensure all tables exist (for fresh databases)
-  const tableCreations = [
-    `CREATE TABLE IF NOT EXISTS users (
-      id integer PRIMARY KEY AUTOINCREMENT,
-      username text NOT NULL UNIQUE,
-      password_hash text,
-      avatar_url text,
-      auth_provider text NOT NULL DEFAULT 'local',
-      oidc_subject text,
-      is_active integer NOT NULL DEFAULT 1,
-      last_login_at integer,
-      created_at integer NOT NULL DEFAULT (strftime('%s','now')),
-      updated_at integer NOT NULL DEFAULT (strftime('%s','now'))
-    )`,
-    `CREATE TABLE IF NOT EXISTS medications (
-      id integer PRIMARY KEY AUTOINCREMENT,
-      user_id integer NOT NULL,
-      name text NOT NULL,
-      generic_name text,
-      taken_by_json text NOT NULL DEFAULT '[]',
-      pack_count integer NOT NULL DEFAULT 1,
-      blisters_per_pack integer NOT NULL DEFAULT 1,
-      pills_per_blister integer NOT NULL DEFAULT 1,
-      loose_tablets integer NOT NULL DEFAULT 0,
-      pill_weight_mg integer,
-      usage_json text NOT NULL DEFAULT '[]',
-      every_json text NOT NULL DEFAULT '[]',
-      start_json text NOT NULL DEFAULT '[]',
-      image_url text,
-      expiry_date text,
-      notes text,
-      intake_reminders_enabled integer NOT NULL DEFAULT 0,
-      updated_at integer NOT NULL DEFAULT (strftime('%s','now')),
-      FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
-    )`,
-    `CREATE TABLE IF NOT EXISTS user_settings (
-      id integer PRIMARY KEY AUTOINCREMENT,
-      user_id integer NOT NULL UNIQUE,
-      email_enabled integer NOT NULL DEFAULT 0,
-      notification_email text,
-      email_stock_reminders integer NOT NULL DEFAULT 1,
-      email_intake_reminders integer NOT NULL DEFAULT 1,
-      shoutrrr_enabled integer NOT NULL DEFAULT 0,
-      shoutrrr_url text,
-      shoutrrr_stock_reminders integer NOT NULL DEFAULT 1,
-      shoutrrr_intake_reminders integer NOT NULL DEFAULT 1,
-      reminder_days_before integer NOT NULL DEFAULT 7,
-      repeat_daily_reminders integer NOT NULL DEFAULT 0,
-      low_stock_days integer NOT NULL DEFAULT 30,
-      normal_stock_days integer NOT NULL DEFAULT 90,
-      high_stock_days integer NOT NULL DEFAULT 180,
-      expiry_warning_days integer NOT NULL DEFAULT 90,
-      language text NOT NULL DEFAULT 'en',
-      stock_calculation_mode text NOT NULL DEFAULT 'automatic',
-      last_auto_email_sent text,
-      last_notification_type text,
-      last_notification_channel text,
-      updated_at integer NOT NULL DEFAULT (strftime('%s','now')),
-      FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
-    )`,
-    `CREATE TABLE IF NOT EXISTS refresh_tokens (
-      id integer PRIMARY KEY AUTOINCREMENT,
-      user_id integer NOT NULL,
-      token_id text NOT NULL UNIQUE,
-      expires_at integer NOT NULL,
-      rotated_at integer,
-      revoked integer NOT NULL DEFAULT 0,
-      created_at integer NOT NULL DEFAULT (strftime('%s','now')),
-      FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
-    )`,
-    `CREATE TABLE IF NOT EXISTS share_tokens (
-      id integer PRIMARY KEY AUTOINCREMENT,
-      user_id integer NOT NULL,
-      token text NOT NULL UNIQUE,
-      taken_by text NOT NULL,
-      schedule_days integer NOT NULL DEFAULT 30,
-      created_at integer NOT NULL DEFAULT (strftime('%s','now')),
-      expires_at integer,
-      FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
-    )`,
-    `CREATE TABLE IF NOT EXISTS dose_tracking (
-      id integer PRIMARY KEY AUTOINCREMENT,
-      user_id integer NOT NULL,
-      dose_id text NOT NULL,
-      taken_at integer NOT NULL DEFAULT (strftime('%s','now')),
-      marked_by text,
-      FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
-    )`,
-  ];
+	// Run drizzle-kit generated migrations
+	log.info(`[DB] Running migrations...`);
+	const migrateResult = await runDrizzleMigrations(db);
+	if (!migrateResult.success) {
+		log.error(`[DB] Migration error: ${migrateResult.error}`);
+	}

-  for (const sql of tableCreations) {
-    try {
-      await client.execute(sql);
-    } catch (e: any) {
-      console.error(`[DB] Table creation error:`, e.message);
-    }
-  }
-  console.log(`[DB] Tables verified/created`);
+	// Run ALTER TABLE migrations for backward compatibility
+	const alterResult = await runAlterMigrations(client);
+	if (alterResult.errors.length > 0) {
+		alterResult.errors.forEach((err) => log.error(`[DB] ALTER migration error: ${err}`));
+	}
+	log.debug(`[DB] Tables verified/created`);

-  // If auth is disabled, ensure a default user exists (ID=1)
-  const authEnabled = process.env.AUTH_ENABLED === "true";
-  if (!authEnabled) {
-    try {
-      // Check if default user exists
-      const result = await client.execute("SELECT id FROM users WHERE id = 1");
-      if (result.rows.length === 0) {
-        await client.execute(
-          "INSERT INTO users (id, username, auth_provider) VALUES (1, 'default', 'local')"
-        );
-        console.log(`[DB] Created default user for auth-disabled mode`);
-      }
-    } catch (e: any) {
-      console.error(`[DB] Error creating default user:`, e.message);
-    }
-  }
+	// Repair dose IDs with trailing hyphens (from frontend takenBy bug)
+	const trailingResult = await repairTrailingHyphenDoseIds(client);
+	if (trailingResult.repaired > 0) {
+		log.info(`[DB] Repaired ${trailingResult.repaired} dose IDs with trailing hyphens`);
+	}
+	if (trailingResult.errors.length > 0) {
+		trailingResult.errors.forEach((err) => log.error(`[DB] Trailing-hyphen repair error: ${err}`));
+	}
+
+	// Repair orphaned dose tracking IDs from past schedule changes
+	const repairResult = await repairOrphanedDoseIds(client);
+	if (repairResult.repaired > 0) {
+		log.info(`[DB] Repaired ${repairResult.repaired} orphaned dose tracking IDs`);
+	}
+	if (repairResult.errors.length > 0) {
+		repairResult.errors.forEach((err) => log.error(`[DB] Dose repair error: ${err}`));
+	}
+
+	// If auth is disabled, ensure a default user exists (ID=1)
+	const authEnabled = process.env.AUTH_ENABLED === "true";
+	const created = await ensureDefaultUser(client, authEnabled);
+	if (created) {
+		log.info(`[DB] Created default user for auth-disabled mode`);
+	}
 }

 // Export promise so server can await it before starting
@@ -0,0 +1,398 @@
+/**
+ * Pure utility functions for database operations.
+ * Separated from client.ts to allow importing without triggering
+ * top-level database initialization side effects.
+ */
+
+import { accessSync, constants, existsSync, mkdirSync, writeFileSync } from "node:fs";
+import { dirname, resolve } from "node:path";
+import { fileURLToPath } from "node:url";
+import type { Client } from "@libsql/client";
+import type { drizzle } from "drizzle-orm/libsql";
+import { migrate } from "drizzle-orm/libsql/migrator";
+import { parseIntakesJson, parseLocalDateTime } from "../utils/scheduler-utils.js";
+
+// Get migrations folder path (relative to this file's location)
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);
+const migrationsFolder = resolve(__dirname, "../../drizzle");
+
+// =============================================================================
+// Path & Directory utilities
+// =============================================================================
+
+/**
+ * Get the data directory path.
+ *
+ * Resolution order:
+ * 1. DATA_DIR env var (set by docker-compose for containers)
+ * 2. Monorepo detection: if ../docker-compose.yml exists, we're in backend/
+ *    subdirectory → use ../data (project root's data folder)
+ * 3. Fallback: resolve(cwd, "data") (running from project root or standalone)
+ */
+export function getDataDir(cwd: string = process.cwd()): string {
+	// Docker containers set DATA_DIR explicitly
+	if (process.env.DATA_DIR) return resolve(process.env.DATA_DIR);
+
+	// Local dev: detect if we're in backend/ subdirectory of the monorepo
+	if (existsSync(resolve(cwd, "..", "docker-compose.yml"))) {
+		return resolve(cwd, "..", "data");
+	}
+
+	// Default: data/ relative to cwd (running from project root)
+	return resolve(cwd, "data");
+}
+
+/** Build the database URL from a path */
+export function buildDbUrl(dbPath: string): string {
+	return `file:${dbPath}`;
+}
+
+/** Get data directory and database path */
+export function getDbPaths(cwd: string = process.cwd()): { dataDir: string; dbPath: string; url: string } {
+	const dataDir = getDataDir(cwd);
+	const dbPath = resolve(dataDir, "medassist-ng.db");
+	const url = buildDbUrl(dbPath);
+	return { dataDir, dbPath, url };
+}
+
+/** Ensure data directory exists and is writable */
+export function ensureDataDirectory(dataDir: string): { success: boolean; error?: string } {
+	try {
+		if (!existsSync(dataDir)) {
+			mkdirSync(dataDir, { recursive: true });
+		}
+
+		// Check if directory is writable
+		accessSync(dataDir, constants.W_OK);
+
+		// Try to create a test file to verify write access
+		const testFile = resolve(dataDir, ".write-test");
+		writeFileSync(testFile, "test");
+
+		return { success: true };
+	} catch (err: unknown) {
+		return { success: false, error: (err as Error).message };
+	}
+}
+
+// =============================================================================
+// Migration utilities
+// =============================================================================
+
+/** Run drizzle-kit migrations on the database */
+export async function runDrizzleMigrations(
+	database: ReturnType<typeof drizzle>
+): Promise<{ success: boolean; error?: string; warning?: string }> {
+	try {
+		await migrate(database, { migrationsFolder });
+		return { success: true };
+	} catch (err: unknown) {
+		const msg = (err as Error).message ?? "";
+		// Duplicate column / already exists = DB is already up-to-date (expected for existing DBs)
+		if (msg.includes("duplicate column") || msg.includes("already exists")) {
+			return { success: true };
+		}
+		return { success: false, error: msg };
+	}
+}
+
+/** Run ALTER TABLE migrations for backward compatibility with older databases */
+export async function runAlterMigrations(client: Client): Promise<{ success: boolean; errors: string[] }> {
+	const errors: string[] = [];
+
+	// These add new columns to existing tables (silently fail if column already exists)
+	const alterMigrations = [
+		// Added in v1.x - repeat reminders and nagging settings
+		`ALTER TABLE user_settings ADD COLUMN skip_reminders_for_taken_doses integer NOT NULL DEFAULT 0`,
+		`ALTER TABLE user_settings ADD COLUMN repeat_reminders_enabled integer NOT NULL DEFAULT 0`,
+		`ALTER TABLE user_settings ADD COLUMN reminder_repeat_interval_minutes integer NOT NULL DEFAULT 30`,
+		`ALTER TABLE user_settings ADD COLUMN max_nagging_reminders integer NOT NULL DEFAULT 5`,
+		// Added in v1.2.3 - dismiss missed doses without deducting stock
+		`ALTER TABLE dose_tracking ADD COLUMN dismissed integer NOT NULL DEFAULT 0`,
+		// Added for intake automation auditability (manual vs automatic taken)
+		`ALTER TABLE dose_tracking ADD COLUMN taken_source text NOT NULL DEFAULT 'manual'`,
+		// Added in v1.3.x - stock calculation mode (automatic/manual)
+		`ALTER TABLE user_settings ADD COLUMN stock_calculation_mode text NOT NULL DEFAULT 'automatic'`,
+		// Added for stock correction - hidden offset that doesn't affect looseTablets
+		`ALTER TABLE medications ADD COLUMN stock_adjustment integer NOT NULL DEFAULT 0`,
+		// Added for stock correction - timestamp to ignore consumed doses before correction
+		`ALTER TABLE medications ADD COLUMN last_stock_correction_at integer`,
+		// Added in v1.5.1 - dismiss past doses until date (robust against timestamp changes)
+		`ALTER TABLE medications ADD COLUMN dismissed_until text`,
+		// Added for soft-archiving medications (without deleting history)
+		`ALTER TABLE medications ADD COLUMN is_obsolete integer NOT NULL DEFAULT 0`,
+		`ALTER TABLE medications ADD COLUMN obsolete_at integer`,
+		// Added for explicit medication lifecycle start date
+		`ALTER TABLE medications ADD COLUMN medication_start_date text NOT NULL DEFAULT ''`,
+		// Added for more detailed reminder info display
+		`ALTER TABLE user_settings ADD COLUMN last_reminder_med_name text`,
+		`ALTER TABLE user_settings ADD COLUMN last_reminder_taken_by text`,
+		// Added for package type support (blister vs bottle)
+		`ALTER TABLE medications ADD COLUMN package_type text NOT NULL DEFAULT 'blister'`,
+		`ALTER TABLE medications ADD COLUMN total_pills integer`,
+		// Added for dose unit selection (mg, g, mcg, ml, IU, etc.)
+		`ALTER TABLE medications ADD COLUMN dose_unit text DEFAULT 'mg'`,
+		// Added for intake-level takenBy: unified intakes structure
+		`ALTER TABLE medications ADD COLUMN intakes_json text NOT NULL DEFAULT '[]'`,
+		// Added for separate stock reminder tracking
+		`ALTER TABLE user_settings ADD COLUMN last_stock_reminder_sent text`,
+		`ALTER TABLE user_settings ADD COLUMN last_stock_reminder_channel text`,
+		`ALTER TABLE user_settings ADD COLUMN last_stock_reminder_med_names text`,
+		// Added for share stock visibility toggle
+		`ALTER TABLE user_settings ADD COLUMN share_stock_status integer NOT NULL DEFAULT 1`,
+		// Added for timeline visibility toggles (dashboard + shared schedule)
+		`ALTER TABLE user_settings ADD COLUMN upcoming_today_only integer NOT NULL DEFAULT 0`,
+		`ALTER TABLE user_settings ADD COLUMN share_schedule_today_only integer NOT NULL DEFAULT 0`,
+		`ALTER TABLE user_settings ADD COLUMN swap_dashboard_main_sections integer NOT NULL DEFAULT 0`,
+		// Added for prescription refill tracking and reminders
+		`ALTER TABLE medications ADD COLUMN prescription_enabled integer NOT NULL DEFAULT 0`,
+		`ALTER TABLE medications ADD COLUMN prescription_authorized_refills integer`,
+		`ALTER TABLE medications ADD COLUMN prescription_remaining_refills integer`,
+		`ALTER TABLE medications ADD COLUMN prescription_low_refill_threshold integer NOT NULL DEFAULT 1`,
+		`ALTER TABLE medications ADD COLUMN prescription_expiry_date text`,
+		`ALTER TABLE user_settings ADD COLUMN email_prescription_reminders integer NOT NULL DEFAULT 1`,
+		`ALTER TABLE user_settings ADD COLUMN shoutrrr_prescription_reminders integer NOT NULL DEFAULT 1`,
+		`ALTER TABLE user_settings ADD COLUMN last_prescription_reminder_sent text`,
+		`ALTER TABLE user_settings ADD COLUMN last_prescription_reminder_channel text`,
+		`ALTER TABLE user_settings ADD COLUMN last_prescription_reminder_med_names text`,
+		// Added for refill history prescription tracking
+		`ALTER TABLE refill_history ADD COLUMN used_prescription integer NOT NULL DEFAULT 0`,
+	];
+
+	for (const sql of alterMigrations) {
+		try {
+			await client.execute(sql);
+		} catch (e: unknown) {
+			// Silently ignore "duplicate column" errors - column already exists
+			if (!(e as Error).message?.includes("duplicate column")) {
+				errors.push((e as Error).message);
+			}
+		}
+	}
+
+	// Create tables that might be missing (silently fail if already exists)
+	const createTableMigrations = [
+		// Added in v1.3.x - refill history tracking
+		`CREATE TABLE IF NOT EXISTS refill_history (
+      id INTEGER PRIMARY KEY AUTOINCREMENT,
+      medication_id INTEGER NOT NULL REFERENCES medications(id) ON DELETE CASCADE,
+      user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+      packs_added INTEGER NOT NULL DEFAULT 0,
+      loose_pills_added INTEGER NOT NULL DEFAULT 0,
+      refill_date INTEGER NOT NULL DEFAULT (strftime('%s','now'))
+    )`,
+	];
+
+	for (const sql of createTableMigrations) {
+		try {
+			await client.execute(sql);
+		} catch (e: unknown) {
+			// Silently ignore "table already exists" errors
+			if (!(e as Error).message?.includes("already exists")) {
+				errors.push((e as Error).message);
+			}
+		}
+	}
+
+	// Create indexes that might be missing (silently fail if already exists)
+	const createIndexMigrations = [
+		// Added in v1.6.x - case-insensitive unique usernames
+		`CREATE UNIQUE INDEX IF NOT EXISTS users_username_lower_unique ON users(lower(username))`,
+	];
+
+	for (const sql of createIndexMigrations) {
+		try {
+			await client.execute(sql);
+		} catch (e: unknown) {
+			// Silently ignore "already exists" errors
+			if (!(e as Error).message?.includes("already exists")) {
+				errors.push((e as Error).message);
+			}
+		}
+	}
+
+	return { success: errors.length === 0, errors };
+}
+
+// =============================================================================
+// User utilities
+// =============================================================================
+
+/** Ensure default user exists for auth-disabled mode */
+export async function ensureDefaultUser(client: Client, authEnabled: boolean): Promise<boolean> {
+	if (authEnabled) {
+		return false; // No default user needed
+	}
+
+	try {
+		const result = await client.execute("SELECT id FROM users WHERE id = 1");
+		if (result.rows.length === 0) {
+			await client.execute("INSERT INTO users (id, username, auth_provider) VALUES (1, 'default', 'local')");
+			return true; // Created
+		}
+		return false; // Already exists
+	} catch (e: unknown) {
+		console.error(`[DB] Error creating default user:`, (e as Error).message);
+		return false;
+	}
+}
+
+// =============================================================================
+// Startup repair: fix orphaned dose tracking IDs from past schedule changes
+// =============================================================================
+
+const MS_PER_DAY = 86_400_000;
+
+/**
+ * Repair dose IDs that have a trailing hyphen caused by a frontend bug where
+ * `[].toString()` produced an empty string, resulting in IDs like "5-0-1729123200000-"
+ * instead of "5-0-1729123200000". This strips trailing hyphens from all dose IDs.
+ *
+ * This function is idempotent - safe to run on every startup.
+ */
+export async function repairTrailingHyphenDoseIds(client: Client): Promise<{ repaired: number; errors: string[] }> {
+	const errors: string[] = [];
+	let repaired = 0;
+
+	try {
+		const result = await client.execute(
+			"UPDATE dose_tracking SET dose_id = RTRIM(dose_id, '-') WHERE dose_id LIKE '%-'"
+		);
+		repaired = result.rowsAffected;
+	} catch (e: unknown) {
+		errors.push(`Trailing-hyphen repair failed: ${(e as Error).message}`);
+	}
+
+	return { repaired, errors };
+}
+
+/**
+ * Repair orphaned dose tracking IDs that no longer match the current intake schedule.
+ * This fixes dose IDs that became invalid when a medication's schedule was changed
+ * BEFORE the on-edit migration (PR #103) was introduced.
+ *
+ * For each medication, generates all valid schedule dateOnlyMs values from each intake's
+ * start date up to today, then checks all dose_tracking entries. Any dose whose timestamp
+ * doesn't match a valid schedule date is remapped to the nearest valid date.
+ *
+ * This function is idempotent - safe to run on every startup.
+ */
+export async function repairOrphanedDoseIds(client: Client): Promise<{ repaired: number; errors: string[] }> {
+	const errors: string[] = [];
+	let repaired = 0;
+
+	try {
+		// Get all medications
+		const medsResult = await client.execute(
+			"SELECT id, intakes_json, usage_json, every_json, start_json, intake_reminders_enabled FROM medications"
+		);
+
+		if (medsResult.rows.length === 0) return { repaired, errors };
+
+		// Get all dose tracking entries
+		const dosesResult = await client.execute("SELECT id, dose_id FROM dose_tracking");
+		if (dosesResult.rows.length === 0) return { repaired, errors };
+
+		// Build a map of medId → dose entries for quick lookup
+		const dosesByMed = new Map<number, Array<{ id: number; doseId: string }>>();
+		for (const row of dosesResult.rows) {
+			const doseId = row.dose_id as string;
+			const parts = doseId.split("-");
+			if (parts.length < 3) continue;
+			const medId = parseInt(parts[0], 10);
+			if (Number.isNaN(medId)) continue;
+			if (!dosesByMed.has(medId)) dosesByMed.set(medId, []);
+			dosesByMed.get(medId)!.push({ id: row.id as number, doseId });
+		}
+
+		const now = new Date();
+		const today = new Date(now.getFullYear(), now.getMonth(), now.getDate());
+
+		for (const med of medsResult.rows) {
+			const medId = med.id as number;
+			const medDoses = dosesByMed.get(medId);
+			if (!medDoses || medDoses.length === 0) continue;
+
+			// Parse intakes
+			const intakes = parseIntakesJson(
+				med.intakes_json as string | null,
+				{
+					usageJson: (med.usage_json as string) || "[]",
+					everyJson: (med.every_json as string) || "[]",
+					startJson: (med.start_json as string) || "[]",
+				},
+				(med.intake_reminders_enabled as number) === 1
+			);
+
+			if (intakes.length === 0) continue;
+
+			// For each intake index, build the set of valid dateOnlyMs values
+			const validDatesByIntake = new Map<number, Set<number>>();
+			for (let idx = 0; idx < intakes.length; idx++) {
+				const intake = intakes[idx];
+				const start = parseLocalDateTime(intake.start);
+				const every = intake.every;
+				if (every <= 0 || Number.isNaN(start.getTime())) continue;
+
+				const validDates = new Set<number>();
+				for (let d = new Date(start); d <= today; d.setDate(d.getDate() + every)) {
+					validDates.add(new Date(d.getFullYear(), d.getMonth(), d.getDate()).getTime());
+				}
+				validDatesByIntake.set(idx, validDates);
+			}
+
+			// Check each dose entry
+			for (const dose of medDoses) {
+				const parts = dose.doseId.split("-");
+				if (parts.length < 3) continue;
+
+				const intakeIdx = parseInt(parts[1], 10);
+				const dateOnlyMs = parseInt(parts[2], 10);
+				if (Number.isNaN(intakeIdx) || Number.isNaN(dateOnlyMs)) continue;
+
+				const validDates = validDatesByIntake.get(intakeIdx);
+				if (!validDates) continue; // Unknown intake index - skip
+
+				// Check if this dose's timestamp is valid
+				if (validDates.has(dateOnlyMs)) continue; // Already valid - nothing to do
+
+				// Orphaned dose - find the nearest valid schedule date
+				const intake = intakes[intakeIdx];
+				if (!intake) continue;
+
+				const halfInterval = (intake.every * MS_PER_DAY) / 2;
+				let bestMatch: number | null = null;
+				let bestDist = Infinity;
+
+				for (const validDate of validDates) {
+					const dist = Math.abs(validDate - dateOnlyMs);
+					if (dist < bestDist && dist <= halfInterval) {
+						bestDist = dist;
+						bestMatch = validDate;
+					}
+				}
+
+				if (bestMatch !== null) {
+					// Rebuild dose ID with new timestamp, preserving person suffix
+					const personSuffix = parts.length > 3 ? `-${parts.slice(3).join("-")}` : "";
+					const newDoseId = `${medId}-${intakeIdx}-${bestMatch}${personSuffix}`;
+
+					try {
+						await client.execute({
+							sql: "UPDATE dose_tracking SET dose_id = ? WHERE id = ?",
+							args: [newDoseId, dose.id],
+						});
+						repaired++;
+					} catch (e: unknown) {
+						errors.push(`Failed to repair dose ${dose.id}: ${(e as Error).message}`);
+					}
+				}
+			}
+		}
+	} catch (e: unknown) {
+		errors.push(`Repair failed: ${(e as Error).message}`);
+	}
+
+	return { repaired, errors };
+}
@@ -1,125 +1,87 @@
-import { createClient } from "@libsql/client";
+import { existsSync } from "node:fs";
+import { dirname, resolve } from "node:path";
+import { fileURLToPath } from "node:url";
+import { type Client, createClient } from "@libsql/client";
 import dotenv from "dotenv";
-import fs from "fs";
-import path from "path";
+import { drizzle } from "drizzle-orm/libsql";
+import { migrate } from "drizzle-orm/libsql/migrator";

-dotenv.config({ path: process.env.DOTENV_PATH || ".env" });
+// Load .env: try cwd first, then parent dir (for local dev running from backend/)
+const envPath = process.env.DOTENV_PATH || (existsSync(".env") ? ".env" : "../.env");
+dotenv.config({ path: envPath });
+
+// Get migrations folder path (relative to this file's location)
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);
+const migrationsFolder = resolve(__dirname, "../../drizzle");
+
+// =============================================================================
+// Exported utility functions for testing
+// =============================================================================
+
+/** Split SQL string into individual statements (for backwards compatibility with tests) */
+export function splitSQLStatements(sql: string): string[] {
+	return sql.split(";").filter((s) => s.trim().length > 0);
+}
+
+/** Execute drizzle migrations on a database */
+export async function executeMigration(
+	client: Client
+): Promise<{ success: boolean; executed: number; errors: string[] }> {
+	const errors: string[] = [];
+	const db = drizzle(client);
+
+	try {
+		await migrate(db, { migrationsFolder });
+
+		// Count tables as a proxy for "executed" statements
+		const tables = await client.execute(
+			"SELECT COUNT(*) as count FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%' AND name NOT LIKE '__drizzle%'"
+		);
+		const executed = Number(tables.rows[0].count) || 0;
+
+		return { success: true, executed, errors };
+	} catch (err: unknown) {
+		errors.push((err as Error).message);
+		return { success: false, executed: 0, errors };
+	}
+}
+
+/** Get a preview of statement (first N characters) */
+export function getStatementPreview(stmt: string, maxLength: number = 50): string {
+	const trimmed = stmt.trim();
+	if (trimmed.length <= maxLength) {
+		return trimmed;
+	}
+	return `${trimmed.substring(0, maxLength)}...`;
+}
+
+// =============================================================================
+// CLI execution (only runs when called directly)
+// =============================================================================

 const url = "file:./data/medassist-ng.db";

 async function main() {
-  console.log("Starting database setup...");
-  console.log("Database URL:", url);
-  
-  const client = createClient({ url });
-  
-  // Create tables - fresh schema without roles, with per-user settings
-  const sql = `
-    CREATE TABLE IF NOT EXISTS users (
-      id integer PRIMARY KEY AUTOINCREMENT,
-      username text NOT NULL UNIQUE,
-      password_hash text,
-      avatar_url text,
-      auth_provider text NOT NULL DEFAULT 'local',
-      oidc_subject text,
-      is_active integer NOT NULL DEFAULT 1,
-      last_login_at integer,
-      created_at integer NOT NULL DEFAULT (strftime('%s','now')),
-      updated_at integer NOT NULL DEFAULT (strftime('%s','now'))
-    );
+	console.log("[DB] Starting database setup...");
+	console.log("[DB] Database URL:", url);
+	console.log("[DB] Migrations folder:", migrationsFolder);

-    CREATE TABLE IF NOT EXISTS medications (
-      id integer PRIMARY KEY AUTOINCREMENT,
-      user_id integer NOT NULL,
-      name text NOT NULL,
-      generic_name text,
-      taken_by_json text NOT NULL DEFAULT '[]',
-      pack_count integer NOT NULL DEFAULT 1,
-      blisters_per_pack integer NOT NULL DEFAULT 1,
-      pills_per_blister integer NOT NULL DEFAULT 1,
-      loose_tablets integer NOT NULL DEFAULT 0,
-      pill_weight_mg integer,
-      usage_json text NOT NULL DEFAULT '[]',
-      every_json text NOT NULL DEFAULT '[]',
-      start_json text NOT NULL DEFAULT '[]',
-      image_url text,
-      expiry_date text,
-      notes text,
-      intake_reminders_enabled integer NOT NULL DEFAULT 0,
-      updated_at integer NOT NULL DEFAULT (strftime('%s','now')),
-      FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
-    );
+	const client = createClient({ url });
+	const db = drizzle(client);

-    CREATE TABLE IF NOT EXISTS user_settings (
-      id integer PRIMARY KEY AUTOINCREMENT,
-      user_id integer NOT NULL UNIQUE,
-      email_enabled integer NOT NULL DEFAULT 0,
-      notification_email text,
-      email_stock_reminders integer NOT NULL DEFAULT 1,
-      email_intake_reminders integer NOT NULL DEFAULT 1,
-      shoutrrr_enabled integer NOT NULL DEFAULT 0,
-      shoutrrr_url text,
-      shoutrrr_stock_reminders integer NOT NULL DEFAULT 1,
-      shoutrrr_intake_reminders integer NOT NULL DEFAULT 1,
-      reminder_days_before integer NOT NULL DEFAULT 7,
-      repeat_daily_reminders integer NOT NULL DEFAULT 0,
-      low_stock_days integer NOT NULL DEFAULT 30,
-      normal_stock_days integer NOT NULL DEFAULT 90,
-      high_stock_days integer NOT NULL DEFAULT 180,
-      language text NOT NULL DEFAULT 'en',
-      stock_calculation_mode text NOT NULL DEFAULT 'automatic',
-      last_auto_email_sent text,
-      last_notification_type text,
-      last_notification_channel text,
-      updated_at integer NOT NULL DEFAULT (strftime('%s','now')),
-      FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
-    );
+	console.log("[DB] Running drizzle migrations...");
+	await migrate(db, { migrationsFolder });

-    CREATE TABLE IF NOT EXISTS refresh_tokens (
-      id integer PRIMARY KEY AUTOINCREMENT,
-      user_id integer NOT NULL,
-      token_id text NOT NULL UNIQUE,
-      expires_at integer NOT NULL,
-      rotated_at integer,
-      revoked integer NOT NULL DEFAULT 0,
-      created_at integer NOT NULL DEFAULT (strftime('%s','now')),
-      FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
-    );
-
-    CREATE TABLE IF NOT EXISTS share_tokens (
-      id integer PRIMARY KEY AUTOINCREMENT,
-      user_id integer NOT NULL,
-      token text NOT NULL UNIQUE,
-      taken_by text NOT NULL,
-      schedule_days integer NOT NULL DEFAULT 30,
-      created_at integer NOT NULL DEFAULT (strftime('%s','now')),
-      expires_at integer,
-      FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
-    );
-
-    CREATE TABLE IF NOT EXISTS dose_tracking (
-      id integer PRIMARY KEY AUTOINCREMENT,
-      user_id integer NOT NULL,
-      dose_id text NOT NULL,
-      taken_at integer NOT NULL DEFAULT (strftime('%s','now')),
-      marked_by text,
-      FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
-    );
-  `;
-
-  // Execute each statement separately
-  const statements = sql.split(';').filter(s => s.trim().length > 0);
-  
-  for (const stmt of statements) {
-    console.log("Executing:", stmt.trim().substring(0, 50) + "...");
-    await client.execute(stmt);
-  }
-
-  console.log("Database setup complete!");
-  process.exit(0);
+	console.log("[DB] Database setup complete!");
+	process.exit(0);
 }

-main().catch((err) => {
-  console.error("Migration failed:", err);
-  process.exit(1);
-});
+// Only run main() if this file is executed directly (not imported)
+const isMainModule = import.meta.url === `file://${process.argv[1]}`;
+if (isMainModule) {
+	main().catch((err) => {
+		console.error("Migration failed:", err);
+		process.exit(1);
+	});
+}
@@ -0,0 +1,126 @@
+/**
+ * Shared SQL table creation statements for database initialization.
+ * Used by client.ts, migrate.ts, and test setup to avoid duplication.
+ */
+
+/**
+ * Get all SQL table creation statements as an array.
+ * Each statement creates a table if it doesn't exist.
+ */
+export function getTableCreationSQL(): string[] {
+	return [
+		`CREATE TABLE IF NOT EXISTS users (
+      id integer PRIMARY KEY AUTOINCREMENT,
+      username text NOT NULL UNIQUE,
+      password_hash text,
+      avatar_url text,
+      auth_provider text NOT NULL DEFAULT 'local',
+      oidc_subject text,
+      is_active integer NOT NULL DEFAULT 1,
+      last_login_at integer,
+      created_at integer NOT NULL DEFAULT (strftime('%s','now')),
+      updated_at integer NOT NULL DEFAULT (strftime('%s','now'))
+    )`,
+		`CREATE TABLE IF NOT EXISTS medications (
+      id integer PRIMARY KEY AUTOINCREMENT,
+      user_id integer NOT NULL,
+      name text NOT NULL,
+      generic_name text,
+      taken_by_json text NOT NULL DEFAULT '[]',
+      pack_count integer NOT NULL DEFAULT 1,
+      blisters_per_pack integer NOT NULL DEFAULT 1,
+      pills_per_blister integer NOT NULL DEFAULT 1,
+      loose_tablets integer NOT NULL DEFAULT 0,
+      pill_weight_mg integer,
+      usage_json text NOT NULL DEFAULT '[]',
+      every_json text NOT NULL DEFAULT '[]',
+      start_json text NOT NULL DEFAULT '[]',
+      image_url text,
+      expiry_date text,
+      notes text,
+      intake_reminders_enabled integer NOT NULL DEFAULT 0,
+      updated_at integer NOT NULL DEFAULT (strftime('%s','now')),
+      FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
+    )`,
+		`CREATE TABLE IF NOT EXISTS user_settings (
+      id integer PRIMARY KEY AUTOINCREMENT,
+      user_id integer NOT NULL UNIQUE,
+      email_enabled integer NOT NULL DEFAULT 0,
+      notification_email text,
+      email_stock_reminders integer NOT NULL DEFAULT 1,
+      email_intake_reminders integer NOT NULL DEFAULT 1,
+      shoutrrr_enabled integer NOT NULL DEFAULT 0,
+      shoutrrr_url text,
+      shoutrrr_stock_reminders integer NOT NULL DEFAULT 1,
+      shoutrrr_intake_reminders integer NOT NULL DEFAULT 1,
+      reminder_days_before integer NOT NULL DEFAULT 7,
+      repeat_daily_reminders integer NOT NULL DEFAULT 0,
+      skip_reminders_for_taken_doses integer NOT NULL DEFAULT 0,
+      repeat_reminders_enabled integer NOT NULL DEFAULT 0,
+      reminder_repeat_interval_minutes integer NOT NULL DEFAULT 30,
+      max_nagging_reminders integer NOT NULL DEFAULT 5,
+      low_stock_days integer NOT NULL DEFAULT 30,
+      normal_stock_days integer NOT NULL DEFAULT 90,
+      high_stock_days integer NOT NULL DEFAULT 180,
+      expiry_warning_days integer NOT NULL DEFAULT 90,
+      language text NOT NULL DEFAULT 'en',
+      stock_calculation_mode text NOT NULL DEFAULT 'automatic',
+      share_stock_status integer NOT NULL DEFAULT 1,
+      upcoming_today_only integer NOT NULL DEFAULT 0,
+      share_schedule_today_only integer NOT NULL DEFAULT 0,
+      swap_dashboard_main_sections integer NOT NULL DEFAULT 0,
+      last_auto_email_sent text,
+      last_notification_type text,
+      last_notification_channel text,
+      last_reminder_med_name text,
+      last_reminder_taken_by text,
+      last_stock_reminder_sent text,
+      last_stock_reminder_channel text,
+      last_stock_reminder_med_names text,
+      last_prescription_reminder_sent text,
+      last_prescription_reminder_channel text,
+      last_prescription_reminder_med_names text,
+      updated_at integer NOT NULL DEFAULT (strftime('%s','now')),
+      FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
+    )`,
+		`CREATE TABLE IF NOT EXISTS refresh_tokens (
+      id integer PRIMARY KEY AUTOINCREMENT,
+      user_id integer NOT NULL,
+      token_id text NOT NULL UNIQUE,
+      expires_at integer NOT NULL,
+      rotated_at integer,
+      revoked integer NOT NULL DEFAULT 0,
+      created_at integer NOT NULL DEFAULT (strftime('%s','now')),
+      FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
+    )`,
+		`CREATE TABLE IF NOT EXISTS share_tokens (
+      id integer PRIMARY KEY AUTOINCREMENT,
+      user_id integer NOT NULL,
+      token text NOT NULL UNIQUE,
+      taken_by text NOT NULL,
+      schedule_days integer NOT NULL DEFAULT 30,
+      created_at integer NOT NULL DEFAULT (strftime('%s','now')),
+      expires_at integer,
+      FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
+    )`,
+		`CREATE TABLE IF NOT EXISTS dose_tracking (
+      id integer PRIMARY KEY AUTOINCREMENT,
+      user_id integer NOT NULL,
+      dose_id text NOT NULL,
+      taken_at integer NOT NULL DEFAULT (strftime('%s','now')),
+      marked_by text,
+      dismissed integer NOT NULL DEFAULT 0,
+      FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
+    )`,
+		`CREATE TABLE IF NOT EXISTS refill_history (
+      id integer PRIMARY KEY AUTOINCREMENT,
+      medication_id integer NOT NULL,
+      user_id integer NOT NULL,
+      packs_added integer NOT NULL DEFAULT 0,
+      loose_pills_added integer NOT NULL DEFAULT 0,
+      refill_date integer NOT NULL DEFAULT (strftime('%s','now')),
+      FOREIGN KEY (medication_id) REFERENCES medications(id) ON DELETE CASCADE,
+      FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
+    )`,
+	];
+}
@@ -1,114 +1,185 @@
-import { sqliteTable, text, integer } from "drizzle-orm/sqlite-core";
 import { sql } from "drizzle-orm";
+import { integer, sqliteTable, text } from "drizzle-orm/sqlite-core";

 // =============================================================================
 // Users - Simple auth, no roles (every user is equal)
 // =============================================================================
 export const users = sqliteTable("users", {
-  id: integer("id").primaryKey({ autoIncrement: true }),
-  username: text("username", { length: 100 }).notNull().unique(),
-  passwordHash: text("password_hash", { length: 255 }),
-  avatarUrl: text("avatar_url", { length: 255 }),
-  authProvider: text("auth_provider", { length: 50 }).notNull().default("local"),
-  oidcSubject: text("oidc_subject", { length: 255 }),  // OIDC provider's unique user ID (sub claim)
-  isActive: integer("is_active", { mode: "boolean" }).notNull().default(true),
-  lastLoginAt: integer("last_login_at", { mode: "timestamp" }),
-  createdAt: integer("created_at", { mode: "timestamp" }).notNull().default(sql`CURRENT_TIMESTAMP`),
-  updatedAt: integer("updated_at", { mode: "timestamp" }).notNull().default(sql`CURRENT_TIMESTAMP`),
+	id: integer("id").primaryKey({ autoIncrement: true }),
+	username: text("username", { length: 100 }).notNull().unique(),
+	passwordHash: text("password_hash", { length: 255 }),
+	avatarUrl: text("avatar_url", { length: 255 }),
+	authProvider: text("auth_provider", { length: 50 }).notNull().default("local"),
+	oidcSubject: text("oidc_subject", { length: 255 }), // OIDC provider's unique user ID (sub claim)
+	isActive: integer("is_active", { mode: "boolean" }).notNull().default(true),
+	lastLoginAt: integer("last_login_at", { mode: "timestamp" }),
+	createdAt: integer("created_at", { mode: "timestamp" }).notNull().default(sql`CURRENT_TIMESTAMP`),
+	updatedAt: integer("updated_at", { mode: "timestamp" }).notNull().default(sql`CURRENT_TIMESTAMP`),
 });

 // =============================================================================
 // Medications - Per user
 // =============================================================================
 export const medications = sqliteTable("medications", {
-  id: integer("id").primaryKey({ autoIncrement: true }),
-  userId: integer("user_id").notNull().references(() => users.id, { onDelete: "cascade" }),
-  name: text("name", { length: 100 }).notNull(),
-  genericName: text("generic_name", { length: 100 }),
-  takenByJson: text("taken_by_json").notNull().default("[]"), // JSON array of person names
-  packCount: integer("pack_count").notNull().default(1),
-  blistersPerPack: integer("blisters_per_pack").notNull().default(1),
-  pillsPerBlister: integer("pills_per_blister").notNull().default(1),
-  looseTablets: integer("loose_tablets").notNull().default(0),
-  pillWeightMg: integer("pill_weight_mg"),
-  usageJson: text("usage_json").notNull().default("[]"),
-  everyJson: text("every_json").notNull().default("[]"),
-  startJson: text("start_json").notNull().default("[]"),
-  imageUrl: text("image_url"),
-  expiryDate: text("expiry_date"),
-  notes: text("notes"),
-  intakeRemindersEnabled: integer("intake_reminders_enabled", { mode: "boolean" }).notNull().default(false),
-  updatedAt: integer("updated_at", { mode: "timestamp" }).notNull().default(sql`CURRENT_TIMESTAMP`),
+	id: integer("id").primaryKey({ autoIncrement: true }),
+	userId: integer("user_id")
+		.notNull()
+		.references(() => users.id, { onDelete: "cascade" }),
+	name: text("name", { length: 100 }).notNull(),
+	genericName: text("generic_name", { length: 100 }),
+	takenByJson: text("taken_by_json").notNull().default("[]"), // JSON array of person names
+	packageType: text("package_type", { length: 20 }).notNull().default("blister"), // 'blister' or 'bottle'
+	packCount: integer("pack_count").notNull().default(1),
+	blistersPerPack: integer("blisters_per_pack").notNull().default(1),
+	pillsPerBlister: integer("pills_per_blister").notNull().default(1),
+	totalPills: integer("total_pills"), // For bottle type: total capacity of the container
+	looseTablets: integer("loose_tablets").notNull().default(0), // For blister: extra loose pills; for bottle: current stock
+	stockAdjustment: integer("stock_adjustment").notNull().default(0), // Hidden offset from stock corrections
+	lastStockCorrectionAt: integer("last_stock_correction_at", { mode: "timestamp" }), // When stock was last corrected - consumed doses before this don't count
+	pillWeightMg: integer("pill_weight_mg"),
+	doseUnit: text("dose_unit", { length: 20 }).default("mg"), // Unit for the dose (mg, g, mcg, ml, IU, etc.)
+	usageJson: text("usage_json").notNull().default("[]"), // DEPRECATED: Use intakesJson instead
+	everyJson: text("every_json").notNull().default("[]"), // DEPRECATED: Use intakesJson instead
+	startJson: text("start_json").notNull().default("[]"), // DEPRECATED: Use intakesJson instead
+	// New unified intakes structure: [{usage, every, start, takenBy, intakeRemindersEnabled}]
+	intakesJson: text("intakes_json").notNull().default("[]"),
+	imageUrl: text("image_url"),
+	expiryDate: text("expiry_date"),
+	notes: text("notes"),
+	intakeRemindersEnabled: integer("intake_reminders_enabled", { mode: "boolean" }).notNull().default(false),
+	medicationStartDate: text("medication_start_date").notNull().default(""),
+	isObsolete: integer("is_obsolete", { mode: "boolean" }).notNull().default(false),
+	obsoleteAt: integer("obsolete_at", { mode: "timestamp" }),
+	prescriptionEnabled: integer("prescription_enabled", { mode: "boolean" }).notNull().default(false),
+	prescriptionAuthorizedRefills: integer("prescription_authorized_refills"),
+	prescriptionRemainingRefills: integer("prescription_remaining_refills"),
+	prescriptionLowRefillThreshold: integer("prescription_low_refill_threshold").notNull().default(1),
+	prescriptionExpiryDate: text("prescription_expiry_date"),
+	dismissedUntil: text("dismissed_until"), // ISO date string (e.g. "2026-01-23") - all past doses until this date are dismissed
+	updatedAt: integer("updated_at", { mode: "timestamp" }).notNull().default(sql`CURRENT_TIMESTAMP`),
 });

 // =============================================================================
 // User Settings - Per user (email, push, thresholds, language)
 // =============================================================================
 export const userSettings = sqliteTable("user_settings", {
-  id: integer("id").primaryKey({ autoIncrement: true }),
-  userId: integer("user_id").notNull().unique().references(() => users.id, { onDelete: "cascade" }),
-  // Email notifications
-  emailEnabled: integer("email_enabled", { mode: "boolean" }).notNull().default(false),
-  notificationEmail: text("notification_email"),
-  emailStockReminders: integer("email_stock_reminders", { mode: "boolean" }).notNull().default(true),
-  emailIntakeReminders: integer("email_intake_reminders", { mode: "boolean" }).notNull().default(true),
-  // Push notifications (shoutrrr/ntfy)
-  shoutrrrEnabled: integer("shoutrrr_enabled", { mode: "boolean" }).notNull().default(false),
-  shoutrrrUrl: text("shoutrrr_url"),
-  shoutrrrStockReminders: integer("shoutrrr_stock_reminders", { mode: "boolean" }).notNull().default(true),
-  shoutrrrIntakeReminders: integer("shoutrrr_intake_reminders", { mode: "boolean" }).notNull().default(true),
-  // Reminder settings
-  reminderDaysBefore: integer("reminder_days_before").notNull().default(7),
-  repeatDailyReminders: integer("repeat_daily_reminders", { mode: "boolean" }).notNull().default(false),
-  // Stock thresholds (days)
-  lowStockDays: integer("low_stock_days").notNull().default(30),
-  normalStockDays: integer("normal_stock_days").notNull().default(90),
-  highStockDays: integer("high_stock_days").notNull().default(180),
-  // UI preferences
-  language: text("language", { length: 10 }).notNull().default("en"),
-  // Stock calculation mode: "automatic" (schedule-based) or "manual" (only marked doses)
-  stockCalculationMode: text("stock_calculation_mode", { length: 20 }).notNull().default("automatic"),
-  // Last notification tracking
-  lastAutoEmailSent: text("last_auto_email_sent"),
-  lastNotificationType: text("last_notification_type"),
-  lastNotificationChannel: text("last_notification_channel"),
-  // Timestamps
-  updatedAt: integer("updated_at", { mode: "timestamp" }).notNull().default(sql`CURRENT_TIMESTAMP`),
+	id: integer("id").primaryKey({ autoIncrement: true }),
+	userId: integer("user_id")
+		.notNull()
+		.unique()
+		.references(() => users.id, { onDelete: "cascade" }),
+	// Email notifications
+	emailEnabled: integer("email_enabled", { mode: "boolean" }).notNull().default(false),
+	notificationEmail: text("notification_email"),
+	emailStockReminders: integer("email_stock_reminders", { mode: "boolean" }).notNull().default(true),
+	emailIntakeReminders: integer("email_intake_reminders", { mode: "boolean" }).notNull().default(true),
+	emailPrescriptionReminders: integer("email_prescription_reminders", { mode: "boolean" }).notNull().default(true),
+	// Push notifications (shoutrrr/ntfy)
+	shoutrrrEnabled: integer("shoutrrr_enabled", { mode: "boolean" }).notNull().default(false),
+	shoutrrrUrl: text("shoutrrr_url"),
+	shoutrrrStockReminders: integer("shoutrrr_stock_reminders", { mode: "boolean" }).notNull().default(true),
+	shoutrrrIntakeReminders: integer("shoutrrr_intake_reminders", { mode: "boolean" }).notNull().default(true),
+	shoutrrrPrescriptionReminders: integer("shoutrrr_prescription_reminders", { mode: "boolean" })
+		.notNull()
+		.default(true),
+	// Reminder settings
+	reminderDaysBefore: integer("reminder_days_before").notNull().default(7),
+	repeatDailyReminders: integer("repeat_daily_reminders", { mode: "boolean" }).notNull().default(false),
+	skipRemindersForTakenDoses: integer("skip_reminders_for_taken_doses", { mode: "boolean" }).notNull().default(false),
+	repeatRemindersEnabled: integer("repeat_reminders_enabled", { mode: "boolean" }).notNull().default(false),
+	reminderRepeatIntervalMinutes: integer("reminder_repeat_interval_minutes").notNull().default(30),
+	maxNaggingReminders: integer("max_nagging_reminders").notNull().default(5),
+	// Stock thresholds (days)
+	lowStockDays: integer("low_stock_days").notNull().default(30),
+	normalStockDays: integer("normal_stock_days").notNull().default(90),
+	highStockDays: integer("high_stock_days").notNull().default(180),
+	expiryWarningDays: integer("expiry_warning_days").notNull().default(90),
+	// UI preferences
+	language: text("language", { length: 10 }).notNull().default("en"),
+	// Stock calculation mode: "automatic" (schedule-based) or "manual" (only marked doses)
+	stockCalculationMode: text("stock_calculation_mode", { length: 20 }).notNull().default("automatic"),
+	// Whether shared schedule links show stock status (Critical/Low/Normal) to intake users
+	shareStockStatus: integer("share_stock_status", { mode: "boolean" }).notNull().default(true),
+	// UI timeline visibility preferences
+	upcomingTodayOnly: integer("upcoming_today_only", { mode: "boolean" }).notNull().default(false),
+	shareScheduleTodayOnly: integer("share_schedule_today_only", { mode: "boolean" }).notNull().default(false),
+	swapDashboardMainSections: integer("swap_dashboard_main_sections", { mode: "boolean" }).notNull().default(false),
+	// Last notification tracking (intake reminders)
+	lastAutoEmailSent: text("last_auto_email_sent"),
+	lastNotificationType: text("last_notification_type"),
+	lastNotificationChannel: text("last_notification_channel"),
+	lastReminderMedName: text("last_reminder_med_name"),
+	lastReminderTakenBy: text("last_reminder_taken_by"),
+	// Last stock reminder tracking (separate from intake)
+	lastStockReminderSent: text("last_stock_reminder_sent"),
+	lastStockReminderChannel: text("last_stock_reminder_channel"),
+	lastStockReminderMedNames: text("last_stock_reminder_med_names"),
+	// Last prescription reminder tracking (separate from stock/intake)
+	lastPrescriptionReminderSent: text("last_prescription_reminder_sent"),
+	lastPrescriptionReminderChannel: text("last_prescription_reminder_channel"),
+	lastPrescriptionReminderMedNames: text("last_prescription_reminder_med_names"),
+	// Timestamps
+	updatedAt: integer("updated_at", { mode: "timestamp" }).notNull().default(sql`CURRENT_TIMESTAMP`),
 });

 // =============================================================================
 // Refresh Tokens - For JWT rotation
 // =============================================================================
 export const refreshTokens = sqliteTable("refresh_tokens", {
-  id: integer("id").primaryKey({ autoIncrement: true }),
-  userId: integer("user_id").notNull().references(() => users.id, { onDelete: "cascade" }),
-  tokenId: text("token_id", { length: 255 }).notNull().unique(),
-  expiresAt: integer("expires_at", { mode: "timestamp" }).notNull(),
-  rotatedAt: integer("rotated_at", { mode: "timestamp" }),
-  revoked: integer("revoked", { mode: "boolean" }).notNull().default(false),
-  createdAt: integer("created_at", { mode: "timestamp" }).notNull().default(sql`CURRENT_TIMESTAMP`),
+	id: integer("id").primaryKey({ autoIncrement: true }),
+	userId: integer("user_id")
+		.notNull()
+		.references(() => users.id, { onDelete: "cascade" }),
+	tokenId: text("token_id", { length: 255 }).notNull().unique(),
+	expiresAt: integer("expires_at", { mode: "timestamp" }).notNull(),
+	rotatedAt: integer("rotated_at", { mode: "timestamp" }),
+	revoked: integer("revoked", { mode: "boolean" }).notNull().default(false),
+	createdAt: integer("created_at", { mode: "timestamp" }).notNull().default(sql`CURRENT_TIMESTAMP`),
 });

 // =============================================================================
 // Share Tokens - For public schedule sharing by takenBy person
 // =============================================================================
 export const shareTokens = sqliteTable("share_tokens", {
-  id: integer("id").primaryKey({ autoIncrement: true }),
-  userId: integer("user_id").notNull().references(() => users.id, { onDelete: "cascade" }),
-  token: text("token", { length: 64 }).notNull().unique(),
-  takenBy: text("taken_by", { length: 100 }).notNull(),
-  scheduleDays: integer("schedule_days").notNull().default(30),
-  createdAt: integer("created_at", { mode: "timestamp" }).notNull().default(sql`CURRENT_TIMESTAMP`),
-  expiresAt: integer("expires_at", { mode: "timestamp" }), // NULL = never expires
+	id: integer("id").primaryKey({ autoIncrement: true }),
+	userId: integer("user_id")
+		.notNull()
+		.references(() => users.id, { onDelete: "cascade" }),
+	token: text("token", { length: 64 }).notNull().unique(),
+	takenBy: text("taken_by", { length: 100 }).notNull(),
+	scheduleDays: integer("schedule_days").notNull().default(30),
+	createdAt: integer("created_at", { mode: "timestamp" }).notNull().default(sql`CURRENT_TIMESTAMP`),
+	expiresAt: integer("expires_at", { mode: "timestamp" }), // NULL = never expires
 });

 // =============================================================================
 // Dose Tracking - Tracks when doses are marked as taken
 // =============================================================================
 export const doseTracking = sqliteTable("dose_tracking", {
-  id: integer("id").primaryKey({ autoIncrement: true }),
-  userId: integer("user_id").notNull().references(() => users.id, { onDelete: "cascade" }),
-  doseId: text("dose_id", { length: 255 }).notNull(), // e.g. "med-5-1-86400000-1735200000000"
-  takenAt: integer("taken_at", { mode: "timestamp" }).notNull().default(sql`CURRENT_TIMESTAMP`),
-  markedBy: text("marked_by", { length: 100 }), // null = user, "Daniel" = via share link
+	id: integer("id").primaryKey({ autoIncrement: true }),
+	userId: integer("user_id")
+		.notNull()
+		.references(() => users.id, { onDelete: "cascade" }),
+	doseId: text("dose_id", { length: 255 }).notNull(), // e.g. "med-5-1-86400000-1735200000000"
+	takenAt: integer("taken_at", { mode: "timestamp" }).notNull().default(sql`(strftime('%s','now'))`),
+	markedBy: text("marked_by", { length: 100 }), // null = user, "Daniel" = via share link
+	takenSource: text("taken_source", { length: 20 }).notNull().default("manual"), // manual or automatic
+	dismissed: integer("dismissed", { mode: "boolean" }).notNull().default(false), // true = missed dose acknowledged without taking
+});
+
+// =============================================================================
+// Refill History - Tracks when medication stock was refilled
+// =============================================================================
+export const refillHistory = sqliteTable("refill_history", {
+	id: integer("id").primaryKey({ autoIncrement: true }),
+	medicationId: integer("medication_id")
+		.notNull()
+		.references(() => medications.id, { onDelete: "cascade" }),
+	userId: integer("user_id")
+		.notNull()
+		.references(() => users.id, { onDelete: "cascade" }),
+	packsAdded: integer("packs_added").notNull().default(0),
+	loosePillsAdded: integer("loose_pills_added").notNull().default(0),
+	usedPrescription: integer("used_prescription", { mode: "boolean" }).notNull().default(false),
+	refillDate: integer("refill_date", { mode: "timestamp" }).notNull().default(sql`(strftime('%s','now'))`),
 });
@@ -1,193 +1,500 @@
 // Backend translations for notifications
 export type Language = "en" | "de";

+/**
+ * Map timezone to region code (ISO 3166-1 alpha-2).
+ * This allows combining app language with regional formatting.
+ */
+const TIMEZONE_TO_REGION: Record<string, string> = {
+	// Europe
+	"Europe/Berlin": "DE",
+	"Europe/Vienna": "AT",
+	"Europe/Zurich": "CH",
+	"Europe/London": "GB",
+	"Europe/Dublin": "IE",
+	"Europe/Paris": "FR",
+	"Europe/Madrid": "ES",
+	"Europe/Rome": "IT",
+	"Europe/Amsterdam": "NL",
+	"Europe/Brussels": "BE",
+	"Europe/Warsaw": "PL",
+	"Europe/Prague": "CZ",
+	"Europe/Stockholm": "SE",
+	"Europe/Oslo": "NO",
+	"Europe/Copenhagen": "DK",
+	"Europe/Helsinki": "FI",
+	"Europe/Athens": "GR",
+	"Europe/Lisbon": "PT",
+	"Europe/Moscow": "RU",
+	"Europe/Kiev": "UA",
+	"Europe/Kyiv": "UA",
+	"Europe/Budapest": "HU",
+	"Europe/Bucharest": "RO",
+	// Americas
+	"America/New_York": "US",
+	"America/Chicago": "US",
+	"America/Denver": "US",
+	"America/Los_Angeles": "US",
+	"America/Phoenix": "US",
+	"America/Toronto": "CA",
+	"America/Vancouver": "CA",
+	"America/Mexico_City": "MX",
+	"America/Sao_Paulo": "BR",
+	"America/Buenos_Aires": "AR",
+	// Asia/Pacific
+	"Asia/Tokyo": "JP",
+	"Asia/Shanghai": "CN",
+	"Asia/Hong_Kong": "HK",
+	"Asia/Singapore": "SG",
+	"Asia/Seoul": "KR",
+	"Asia/Dubai": "AE",
+	"Asia/Kolkata": "IN",
+	"Australia/Sydney": "AU",
+	"Australia/Melbourne": "AU",
+	"Pacific/Auckland": "NZ",
+};
+
+/**
+ * Get region code from TZ environment variable.
+ */
+function getRegionFromTimezone(): string | undefined {
+	const tz = process.env.TZ;
+	if (!tz) return undefined;
+	return TIMEZONE_TO_REGION[tz];
+}
+
 type TranslationKeys = {
-  // Stock reminder email
-  stockReminder: {
-    subject: string;
-    title: string;
-    description: string;
-    alertSingle: string;
-    alertMultiple: string;
-    tableHeaders: {
-      medication: string;
-      pills: string;
-      days: string;
-      runsOut: string;
-    };
-    footer: string;
-    repeatDailyNote: string;
-  };
-  // Intake reminder email
-  intakeReminder: {
-    subject: string;
-    title: string;
-    description: string;
-    alertSingle: string;
-    alertMultiple: string;
-    tableHeaders: {
-      medication: string;
-      dosage: string;
-      time: string;
-    };
-    pills: string;
-    takenBy: string;
-    footer: string;
-  };
-  // Push notifications
-  push: {
-    stockTitle: string;
-    stockTitleMultiple: string;
-    intakeTitle: string;
-    pillsLeft: string;
-    daysLeft: string;
-    pillsAt: string;
-    repeatDailyNote: string;
-    empty: string;
-    low: string;
-    reorderNow: string;
-    emptySection: string;
-    lowSection: string;
-  };
-  // Common
-  common: {
-    pill: string;
-    pills: string;
-    day: string;
-    days: string;
-    soon: string;
-  };
+	// Stock reminder (shared across email + push)
+	stockReminder: {
+		subject: string;
+		title: string;
+		description: string;
+		descriptionEmpty: string;
+		descriptionMixed: string;
+		alertSingle: string;
+		alertMultiple: string;
+		alertEmptySingle: string;
+		alertEmptyMultiple: string;
+		alertLowSingle: string;
+		alertLowMultiple: string;
+		alertLowStockSingle: string;
+		alertLowStockMultiple: string;
+		descriptionLow: string;
+		tableHeaders: {
+			medication: string;
+			pills: string;
+			days: string;
+			runsOut: string;
+		};
+		now: string;
+		repeatDailyNote: string;
+	};
+	// Intake reminder email
+	intakeReminder: {
+		subject: string;
+		title: string;
+		description: string;
+		alertSingle: string;
+		alertMultiple: string;
+		tableHeaders: {
+			medication: string;
+			dosage: string;
+			time: string;
+		};
+		pills: string;
+		takenBy: string;
+	};
+	// Push notifications
+	push: {
+		stockTitle: string;
+		stockTitleMultiple: string;
+		intakeTitle: string;
+		pillsLeft: string;
+		daysLeft: string;
+		pillsAt: string;
+		repeatDailyNote: string;
+		empty: string;
+		low: string;
+		critical: string;
+		lowStock: string;
+		reorderNow: string;
+		emptySection: string;
+		lowSection: string;
+		criticalSection: string;
+		lowStockSection: string;
+	};
+	// Prescription reminder (shared across email + push)
+	prescriptionReminder: {
+		subjectSingle: string;
+		subjectMultiple: string;
+		pushTitleLow: string;
+		pushTitleEmpty: string;
+		pushEmpty: string;
+		pushEmptySingle: string;
+		pushLow: string;
+		pushLowSingle: string;
+		pushRenewNow: string;
+		pushEmptySection: string;
+		pushLowSection: string;
+		pushRefillsLeft: string;
+		title: string;
+		titleEmpty: string;
+		descriptionLow: string;
+		descriptionEmpty: string;
+		alertLowSingle: string;
+		alertLowMultiple: string;
+		alertEmptySingle: string;
+		alertEmptyMultiple: string;
+		line: string;
+		lineEmpty: string;
+		expiresSuffix: string;
+		repeatDailyNote: string;
+		tableHeaders: {
+			medication: string;
+			refillsLeft: string;
+			reminderThreshold: string;
+			prescriptionExpires: string;
+		};
+	};
+	// Demand calculator email
+	demandCalculator: {
+		subject: string;
+		title: string;
+		description: string;
+		summaryOutOfStock: string;
+		summaryAllOk: string;
+		tableHeaders: {
+			medication: string;
+			usage: string;
+			needed: string;
+			prescriptionRefills: string;
+			available: string;
+			status: string;
+		};
+		statusEnough: string;
+		statusEmpty: string;
+		prescriptionNotApplicable: string;
+	};
+	// Common
+	common: {
+		pill: string;
+		pills: string;
+		blister: string;
+		blisters: string;
+		day: string;
+		days: string;
+		soon: string;
+		footer: string;
+	};
 };

 const translations: Record<Language, TranslationKeys> = {
-  en: {
-    stockReminder: {
-      subject: "MedAssist-ng Auto-Reminder: {count} Medication{s} Running Low",
-      title: "⚠️ MedAssist-ng - Automatic Reorder Reminder",
-      description: "The following medications are running low and need to be reordered:",
-      alertSingle: "⚠️ 1 medication running low!",
-      alertMultiple: "⚠️ {count} medications running low!",
-      tableHeaders: {
-        medication: "Medication",
-        pills: "Pills",
-        days: "Days",
-        runsOut: "Runs Out",
-      },
-      footer: "🤖 Automatic reminder from MedAssist-ng",
-      repeatDailyNote: "You are receiving this daily reminder because 'Repeat Daily' is enabled in settings.",
-    },
-    intakeReminder: {
-      subject: "MedAssist-ng: Medication Reminder - {medications}",
-      title: "💊 MedAssist-ng - Intake Reminder",
-      description: "Time to take your medication in {minutes} minutes:",
-      alertSingle: "💊 1 medication scheduled",
-      alertMultiple: "💊 {count} medications scheduled",
-      tableHeaders: {
-        medication: "Medication",
-        dosage: "Dosage",
-        time: "Time",
-      },
-      pills: "pills",
-      takenBy: "for {name}",
-      footer: "🤖 Automatic reminder from MedAssist-ng",
-    },
-    push: {
-      stockTitle: "MedAssist-ng: 1 Medication Running Low",
-      stockTitleMultiple: "MedAssist-ng: {count} Medications Running Low",
-      intakeTitle: "💊 Medication Reminder in {minutes} min",
-      pillsLeft: "{count} pills",
-      daysLeft: "{count} days left",
-      pillsAt: "{count} pills at {time}",
-      repeatDailyNote: "(Daily reminder enabled)",
-      empty: "Empty",
-      low: "Low",
-      reorderNow: "Reorder Now!",
-      emptySection: "EMPTY (reorder immediately)",
-      lowSection: "RUNNING LOW (reorder soon)",
-    },
-    common: {
-      pill: "pill",
-      pills: "pills",
-      day: "day",
-      days: "days",
-      soon: "soon",
-    },
-  },
-  de: {
-    stockReminder: {
-      subject: "MedAssist-ng Auto-Erinnerung: {count} Medikament{e} wird knapp",
-      title: "⚠️ MedAssist-ng - Automatische Nachbestell-Erinnerung",
-      description: "Die folgenden Medikamente gehen zur Neige und sollten nachbestellt werden:",
-      alertSingle: "⚠️ 1 Medikament wird knapp!",
-      alertMultiple: "⚠️ {count} Medikamente werden knapp!",
-      tableHeaders: {
-        medication: "Medikament",
-        pills: "Tabletten",
-        days: "Tage",
-        runsOut: "Aufgebraucht",
-      },
-      footer: "🤖 Automatische Erinnerung von MedAssist-ng",
-      repeatDailyNote: "Sie erhalten diese tägliche Erinnerung, weil 'Täglich wiederholen' in den Einstellungen aktiviert ist.",
-    },
-    intakeReminder: {
-      subject: "MedAssist-ng: Einnahme-Erinnerung - {medications}",
-      title: "💊 MedAssist-ng - Einnahme-Erinnerung",
-      description: "Zeit für Ihre Medikamente in {minutes} Minuten:",
-      alertSingle: "💊 1 Medikament geplant",
-      alertMultiple: "💊 {count} Medikamente geplant",
-      tableHeaders: {
-        medication: "Medikament",
-        dosage: "Dosis",
-        time: "Uhrzeit",
-      },
-      pills: "Tabletten",
-      takenBy: "für {name}",
-      footer: "🤖 Automatische Erinnerung von MedAssist-ng",
-    },
-    push: {
-      stockTitle: "MedAssist-ng: 1 Medikament wird knapp",
-      stockTitleMultiple: "MedAssist-ng: {count} Medikamente werden knapp",
-      intakeTitle: "💊 Einnahme-Erinnerung in {minutes} Min.",
-      pillsLeft: "{count} Tabletten",
-      daysLeft: "{count} Tage übrig",
-      pillsAt: "{count} Tabletten um {time}",
-      repeatDailyNote: "(Tägliche Erinnerung aktiviert)",
-      empty: "Leer",
-      low: "Knapp",
-      reorderNow: "Jetzt nachbestellen!",
-      emptySection: "LEER (sofort nachbestellen)",
-      lowSection: "WIRD KNAPP (bald nachbestellen)",
-    },
-    common: {
-      pill: "Tablette",
-      pills: "Tabletten",
-      day: "Tag",
-      days: "Tage",
-      soon: "bald",
-    },
-  },
+	en: {
+		stockReminder: {
+			subject: "MedAssist-ng: ⚠️ {count} Medication{s} Running Critically Low",
+			title: "⚠️ MedAssist-ng: Automatic Reorder Reminder",
+			description: "The following medications are running critically low and need to be reordered:",
+			descriptionEmpty: "The following medications are empty and need to be reordered immediately:",
+			descriptionMixed: "The following medications need to be reordered:",
+			alertSingle: "⚠️ 1 medication running critically low!",
+			alertMultiple: "⚠️ {count} medications running critically low!",
+			alertEmptySingle: "🚨 1 medication empty - reorder immediately!",
+			alertEmptyMultiple: "🚨 {count} medications empty - reorder immediately!",
+			alertLowSingle: "⚠️ 1 medication running critically low",
+			alertLowMultiple: "⚠️ {count} medications running critically low",
+			alertLowStockSingle: "⚠️ 1 medication running low",
+			alertLowStockMultiple: "⚠️ {count} medications running low",
+			descriptionLow: "The following medications are running low and should be reordered soon:",
+			tableHeaders: {
+				medication: "Medication",
+				pills: "Pills",
+				days: "Days",
+				runsOut: "Runs Out",
+			},
+			now: "NOW",
+			repeatDailyNote: "You are receiving this daily reminder because 'Repeat Daily' is enabled in settings.",
+		},
+		intakeReminder: {
+			subject: "MedAssist-ng: Medication Reminder - {medications}",
+			title: "💊 MedAssist-ng - Intake Reminder",
+			description: "Time to take your medication in {minutes} minutes:",
+			alertSingle: "💊 1 medication scheduled",
+			alertMultiple: "💊 {count} medications scheduled",
+			tableHeaders: {
+				medication: "Medication",
+				dosage: "Dosage",
+				time: "Time",
+			},
+			pills: "pills",
+			takenBy: "for {name}",
+		},
+		push: {
+			stockTitle: "MedAssist-ng: 1 Medication Running Critically Low",
+			stockTitleMultiple: "MedAssist-ng: {count} Medications Running Critically Low",
+			intakeTitle: "💊 Reminder: Medication intake in {minutes} min",
+			pillsLeft: "{count} pills",
+			daysLeft: "{count} days left",
+			pillsAt: "{count} pills at {time}",
+			repeatDailyNote: "(Daily reminder enabled)",
+			empty: "Empty",
+			low: "Critical",
+			critical: "Critical",
+			lowStock: "Low",
+			reorderNow: "Reorder Now!",
+			emptySection: "Empty (reorder immediately)",
+			lowSection: "Running critically low",
+			criticalSection: "Running critically low",
+			lowStockSection: "Running low",
+		},
+		prescriptionReminder: {
+			subjectSingle: "MedAssist-ng: 🚨 Prescription Refill Reminder",
+			subjectMultiple: "MedAssist-ng: 🚨 {count} Prescriptions Need Renewal Soon",
+			pushTitleLow: "💊 MedAssist-ng: {count} prescriptions are running low",
+			pushTitleEmpty: "💊 MedAssist-ng: {count} prescriptions need renewal now",
+			pushEmpty: "prescriptions out of refills",
+			pushEmptySingle: "prescription out of refills",
+			pushLow: "prescriptions low on refills",
+			pushLowSingle: "prescription low on refills",
+			pushRenewNow: "Renew Now!",
+			pushEmptySection: "Prescriptions with no refills left",
+			pushLowSection: "Prescriptions running low on refills",
+			pushRefillsLeft: "{count} refill(s) remaining on this prescription",
+			title: "⚠️ MedAssist-ng - Prescription Reminder",
+			titleEmpty: "🚨 MedAssist-ng - Prescription Reminder",
+			descriptionLow: "Some prescriptions are low on remaining refills.",
+			descriptionEmpty: "Some prescriptions have no refills left. Contact your doctor for renewal.",
+			alertLowSingle: "⚠️ 1 prescription is low on refills",
+			alertLowMultiple: "⚠️ {count} prescriptions are low on refills",
+			alertEmptySingle: "🚨 1 prescription needs renewal now",
+			alertEmptyMultiple: "🚨 {count} prescriptions need renewal now",
+			line: "{name}: {refills} refill(s) remaining on this prescription{expirySuffix}",
+			lineEmpty: "{name}: no refills remaining on this prescription{expirySuffix}",
+			expiresSuffix: ", expires {date}",
+			repeatDailyNote: "You are receiving this daily reminder because 'Repeat Daily' is enabled in settings.",
+			tableHeaders: {
+				medication: "Medication",
+				refillsLeft: "Prescription refills left",
+				reminderThreshold: "Reminder threshold",
+				prescriptionExpires: "Prescription expires",
+			},
+		},
+		demandCalculator: {
+			subject: "MedAssist-ng: Supply Overview ({from} - {until})",
+			title: "MedAssist-ng: Demand Calculator",
+			description: "Supply overview from {from} to {until}",
+			summaryOutOfStock: "⚠️ {count} medication{s} will be out of stock during this period.",
+			summaryAllOk: "✓ All medications have sufficient supply for this period.",
+			tableHeaders: {
+				medication: "Medication",
+				usage: "Usage",
+				needed: "Blisters needed",
+				prescriptionRefills: "Prescription refills",
+				available: "Available",
+				status: "Status",
+			},
+			statusEnough: "✓ Enough",
+			statusEmpty: "✗ Empty",
+			prescriptionNotApplicable: "–",
+		},
+		common: {
+			pill: "pill",
+			pills: "pills",
+			blister: "blister",
+			blisters: "blisters",
+			day: "day",
+			days: "days",
+			soon: "soon",
+			footer: "🤖 Sent from MedAssist-ng",
+		},
+	},
+	de: {
+		stockReminder: {
+			subject: "MedAssist-ng: ⚠️ {count} Medikament{e} kritisch niedrig",
+			title: "⚠️ MedAssist-ng: Automatische Nachbestell-Erinnerung",
+			description: "Die folgenden Medikamente sind kritisch niedrig und sollten nachbestellt werden:",
+			descriptionEmpty: "Die folgenden Medikamente sind leer und müssen sofort nachbestellt werden:",
+			descriptionMixed: "Die folgenden Medikamente müssen nachbestellt werden:",
+			alertSingle: "⚠️ 1 Medikament kritisch niedrig!",
+			alertMultiple: "⚠️ {count} Medikamente kritisch niedrig!",
+			alertEmptySingle: "🚨 1 Medikament leer - sofort nachbestellen!",
+			alertEmptyMultiple: "🚨 {count} Medikamente leer - sofort nachbestellen!",
+			alertLowSingle: "⚠️ 1 Medikament kritisch niedrig",
+			alertLowMultiple: "⚠️ {count} Medikamente kritisch niedrig",
+			alertLowStockSingle: "⚠️ 1 Medikament niedrig",
+			alertLowStockMultiple: "⚠️ {count} Medikamente niedrig",
+			descriptionLow: "Die folgenden Medikamente werden knapp und sollten bald nachbestellt werden:",
+			tableHeaders: {
+				medication: "Medikament",
+				pills: "Tabletten",
+				days: "Tage",
+				runsOut: "Aufgebraucht",
+			},
+			now: "JETZT",
+			repeatDailyNote:
+				"Sie erhalten diese tägliche Erinnerung, weil 'Täglich wiederholen' in den Einstellungen aktiviert ist.",
+		},
+		intakeReminder: {
+			subject: "MedAssist-ng: Einnahme-Erinnerung - {medications}",
+			title: "💊 MedAssist-ng - Einnahme-Erinnerung",
+			description: "Zeit für Ihre Medikamente in {minutes} Minuten:",
+			alertSingle: "💊 1 Medikament geplant",
+			alertMultiple: "💊 {count} Medikamente geplant",
+			tableHeaders: {
+				medication: "Medikament",
+				dosage: "Dosis",
+				time: "Uhrzeit",
+			},
+			pills: "Tabletten",
+			takenBy: "für {name}",
+		},
+		push: {
+			stockTitle: "MedAssist-ng: 1 Medikament kritisch niedrig",
+			stockTitleMultiple: "MedAssist-ng: {count} Medikamente kritisch niedrig",
+			intakeTitle: "💊 Erinnerung: Medikamenteneinnahme in {minutes} Min.",
+			pillsLeft: "{count} Tabletten",
+			daysLeft: "{count} Tage übrig",
+			pillsAt: "{count} Tabletten um {time}",
+			repeatDailyNote: "(Tägliche Erinnerung aktiviert)",
+			empty: "Leer",
+			low: "Kritisch",
+			critical: "Kritisch",
+			lowStock: "Niedrig",
+			reorderNow: "Jetzt nachbestellen!",
+			emptySection: "Leer (sofort nachbestellen)",
+			lowSection: "Kritisch niedrig",
+			criticalSection: "Kritisch niedrig",
+			lowStockSection: "Niedrig",
+		},
+		prescriptionReminder: {
+			subjectSingle: "MedAssist-ng: 🚨 Rezept-Nachfüll-Erinnerung",
+			subjectMultiple: "MedAssist-ng: 🚨 {count} Rezepte müssen bald erneuert werden",
+			pushTitleLow: "💊 MedAssist-ng: {count} Rezept(e) haben nur noch wenige Nachfüllungen",
+			pushTitleEmpty: "💊 MedAssist-ng: {count} Rezept(e) müssen jetzt erneuert werden",
+			pushEmpty: "Rezepte ohne verbleibende Nachfüllung",
+			pushEmptySingle: "Rezept ohne verbleibende Nachfüllung",
+			pushLow: "Rezepte mit wenigen verbleibenden Nachfüllungen",
+			pushLowSingle: "Rezept mit wenigen verbleibenden Nachfüllungen",
+			pushRenewNow: "Jetzt erneuern!",
+			pushEmptySection: "Rezepte ohne Nachfüllungen",
+			pushLowSection: "Rezepte mit bald aufgebrauchten Nachfüllungen",
+			pushRefillsLeft: "{count} Nachfüllung(en) für dieses Rezept übrig",
+			title: "⚠️ MedAssist-ng - Rezept-Erinnerung",
+			titleEmpty: "🚨 MedAssist-ng - Rezept-Erinnerung",
+			descriptionLow: "Einige Rezepte haben nur noch wenige Nachfüllungen.",
+			descriptionEmpty:
+				"Einige Rezepte haben keine Nachfüllungen mehr. Bitte kontaktieren Sie Ihren Arzt für eine Erneuerung.",
+			alertLowSingle: "⚠️ 1 Rezept ist bei den Nachfüllungen niedrig",
+			alertLowMultiple: "⚠️ {count} Rezepte sind bei den Nachfüllungen niedrig",
+			alertEmptySingle: "🚨 1 Rezept muss jetzt erneuert werden",
+			alertEmptyMultiple: "🚨 {count} Rezepte müssen jetzt erneuert werden",
+			line: "{name}: {refills} Nachfüllung(en) für dieses Rezept übrig{expirySuffix}",
+			lineEmpty: "{name}: keine Nachfüllung mehr für dieses Rezept{expirySuffix}",
+			expiresSuffix: ", läuft ab {date}",
+			repeatDailyNote:
+				"Sie erhalten diese tägliche Erinnerung, weil 'Täglich wiederholen' in den Einstellungen aktiviert ist.",
+			tableHeaders: {
+				medication: "Medikament",
+				refillsLeft: "Rezept-Nachfüllungen übrig",
+				reminderThreshold: "Erinnerungsschwelle",
+				prescriptionExpires: "Rezeptablauf",
+			},
+		},
+		demandCalculator: {
+			subject: "MedAssist-ng: Bestandsübersicht ({from} - {until})",
+			title: "MedAssist-ng: Bedarfsrechner",
+			description: "Bestandsübersicht von {from} bis {until}",
+			summaryOutOfStock: "⚠️ {count} Medikament{e} wird im Zeitraum nicht ausreichen.",
+			summaryAllOk: "✓ Alle Medikamente reichen für diesen Zeitraum.",
+			tableHeaders: {
+				medication: "Medikament",
+				usage: "Verbrauch",
+				needed: "Blister benötigt",
+				prescriptionRefills: "Rezept-Nachfüllungen",
+				available: "Verfügbar",
+				status: "Status",
+			},
+			statusEnough: "✓ Ausreichend",
+			statusEmpty: "✗ Leer",
+			prescriptionNotApplicable: "–",
+		},
+		common: {
+			pill: "Tablette",
+			pills: "Tabletten",
+			blister: "Blister",
+			blisters: "Blister",
+			day: "Tag",
+			days: "Tage",
+			soon: "bald",
+			footer: "🤖 Gesendet von MedAssist-ng",
+		},
+	},
 };

 export function getTranslations(language: Language): TranslationKeys {
-  return translations[language] || translations.en;
+	return translations[language] || translations.en;
 }

 // Helper function to replace placeholders in strings
 export function t(template: string, params: Record<string, string | number> = {}): string {
-  let result = template;
-  for (const [key, value] of Object.entries(params)) {
-    result = result.replace(new RegExp(`\\{${key}\\}`, "g"), String(value));
-  }
-  return result;
+	let result = template;
+	for (const [key, value] of Object.entries(params)) {
+		result = result.replace(new RegExp(`\\{${key}\\}`, "g"), String(value));
+	}
+	return result;
 }

-// Get date locale for toLocaleDateString
+/**
+ * Get locale for formatting based on language and timezone region.
+ * Combines language (en/de) with region from timezone (DE/US/etc.)
+ * Example: lang=en + TZ=Europe/Berlin → en-DE (English text, German format = 24h time)
+ */
 export function getDateLocale(language: Language): string {
-  switch (language) {
-    case "de":
-      return "de-DE";
-    case "en":
-    default:
-      return "en-US";
-  }
+	const region = getRegionFromTimezone();
+
+	if (region) {
+		return `${language}-${region}`;
+	}
+
+	// Fallback: use language default
+	switch (language) {
+		case "de":
+			return "de-DE";
+		default:
+			return "en-US";
+	}
+}
+
+/**
+ * Get the app URL from the first CORS_ORIGINS entry.
+ * Falls back to empty string if not set.
+ */
+export function getAppUrl(): string {
+	const origins = process.env.CORS_ORIGINS || "";
+	return origins.split(",")[0]?.trim() || "";
+}
+
+/**
+ * Get the unified footer as HTML with MedAssist-ng as a link to the instance.
+ * @param variant - 'planner' uses the Medication Planner footer text
+ */
+export function getFooterHtml(language: Language): string {
+	const tr = getTranslations(language);
+	const appUrl = getAppUrl();
+	const appName = appUrl
+		? `<a href="${appUrl}" style="color: #6b7280; text-decoration: underline;">MedAssist-ng</a>`
+		: "MedAssist-ng";
+	return tr.common.footer.replace("MedAssist-ng", appName);
+}
+
+/**
+ * Get the unified footer as plain text.
+ * @param variant - 'planner' uses the Medication Planner footer text
+ */
+export function getFooterPlain(language: Language): string {
+	const tr = getTranslations(language);
+	const appUrl = getAppUrl();
+	if (appUrl) {
+		return `${tr.common.footer} (${appUrl})`;
+	}
+	return tr.common.footer;
 }
@@ -1,100 +1,224 @@
-import Fastify from "fastify";
-import helmet from "@fastify/helmet";
+import { randomUUID } from "node:crypto";
+import { existsSync } from "node:fs";
+import type { IncomingHttpHeaders } from "node:http";
+import { resolve } from "node:path";
+import cookie from "@fastify/cookie";
 import cors from "@fastify/cors";
-import rateLimit from "@fastify/rate-limit";
-import sensible from "@fastify/sensible";
-import cookie, { CookieSerializeOptions } from "@fastify/cookie";
+import helmet from "@fastify/helmet";
 import jwt from "@fastify/jwt";
 import fastifyMultipart from "@fastify/multipart";
+import rateLimit from "@fastify/rate-limit";
+import sensible from "@fastify/sensible";
 import fastifyStatic from "@fastify/static";
-import { resolve } from "path";
-import { existsSync, mkdirSync } from "fs";
-import { env } from "./plugins/env.js";
+import Fastify, { type FastifyInstance } from "fastify";
 import { migrationsReady } from "./db/client.js";
-import { healthRoutes } from "./routes/health.js";
+import { getDataDir } from "./db/db-utils.js";
+import { env } from "./plugins/env.js";
 import { authRoutes } from "./routes/auth.js";
-import { oidcRoutes } from "./routes/oidc.js";
-import { medicationRoutes } from "./routes/medications.js";
-import { settingsRoutes } from "./routes/settings.js";
-import { plannerRoutes } from "./routes/planner.js";
-import { shareRoutes } from "./routes/share.js";
 import { doseRoutes } from "./routes/doses.js";
-import { startReminderScheduler } from "./services/reminder-scheduler.js";
+import { exportRoutes } from "./routes/export.js";
+import { healthRoutes } from "./routes/health.js";
+import { medicationRoutes } from "./routes/medications.js";
+import { oidcRoutes } from "./routes/oidc.js";
+import { plannerRoutes } from "./routes/planner.js";
+import { refillRoutes } from "./routes/refills.js";
+import { reportRoutes } from "./routes/report.js";
+import { settingsRoutes } from "./routes/settings.js";
+import { shareRoutes } from "./routes/share.js";
 import { startIntakeReminderScheduler } from "./services/intake-reminder-scheduler.js";
+import { startReminderScheduler } from "./services/reminder-scheduler.js";
+
+// Re-export utilities from server-config for external use
+export {
+	buildAppConfig,
+	buildBaseCookieOptions,
+	buildRefreshCookieOptions,
+	ensureImagesDirectory,
+	getJwtConfig,
+	parseCorsOrigins,
+} from "./utils/server-config.js";
+
+import {
+	buildAppConfig,
+	buildBaseCookieOptions,
+	buildRefreshCookieOptions,
+	ensureImagesDirectory,
+	getJwtConfig,
+	parseCorsOrigins,
+} from "./utils/server-config.js";
+
+function sanitizeCorrelationId(headers: IncomingHttpHeaders): string | null {
+	const rawHeader = headers["x-correlation-id"];
+	if (typeof rawHeader !== "string") return null;
+	const trimmed = rawHeader.trim();
+	if (!trimmed) return null;
+	if (trimmed.length > 128) return null;
+	if (!/^[A-Za-z0-9._:-]+$/.test(trimmed)) return null;
+	return trimmed;
+}
+
+function buildLoggerOptions(level: string) {
+	const base = {
+		level,
+		timestamp: () => `,"time":"${new Date().toISOString()}"`,
+	};
+	// Human readable logs in development, structured JSON in production/test
+	if (process.env.NODE_ENV !== "production" && process.env.NODE_ENV !== "test") {
+		return {
+			...base,
+			transport: { target: "pino-pretty", options: { translateTime: "SYS:yyyy-mm-dd HH:MM:ss.l" } },
+		};
+	}
+	return base;
+}
+
+/** Create and configure Fastify app (without starting) */
+export async function createApp(options?: {
+	logLevel?: string;
+	corsOrigins?: string[];
+	authEnabled?: boolean;
+	jwtSecret?: string;
+	refreshSecret?: string;
+	cookieSecret?: string;
+	accessTtlMinutes?: number;
+	refreshTtlDays?: number;
+	isProduction?: boolean;
+	imagesDir?: string;
+}): Promise<FastifyInstance> {
+	const opts = {
+		logLevel: options?.logLevel ?? "info",
+		corsOrigins: options?.corsOrigins ?? ["http://localhost:5173"],
+		authEnabled: options?.authEnabled ?? false,
+		jwtSecret: options?.jwtSecret,
+		refreshSecret: options?.refreshSecret,
+		cookieSecret: options?.cookieSecret ?? "dev-cookie-secret",
+		accessTtlMinutes: options?.accessTtlMinutes ?? 15,
+		refreshTtlDays: options?.refreshTtlDays ?? 7,
+		isProduction: options?.isProduction ?? false,
+		imagesDir: options?.imagesDir ?? resolve(getDataDir(), "images"),
+	};
+
+	const app = Fastify({
+		logger: buildLoggerOptions(opts.logLevel),
+		genReqId: (request) => sanitizeCorrelationId(request.headers) ?? randomUUID(),
+	});
+
+	app.addHook("onRequest", (request, reply, done) => {
+		request.correlationId = request.id;
+		reply.header("x-correlation-id", request.id);
+		done();
+	});
+
+	// Build config
+	const appConfig = buildAppConfig({
+		jwtSecret: opts.jwtSecret,
+		refreshSecret: opts.refreshSecret,
+		accessTtlMinutes: opts.accessTtlMinutes,
+		refreshTtlDays: opts.refreshTtlDays,
+		isProduction: opts.isProduction,
+	});
+
+	app.decorate("config", appConfig);
+
+	// Register plugins
+	await app.register(sensible);
+	await app.register(helmet);
+	await app.register(cors, { origin: opts.corsOrigins, credentials: true });
+	await app.register(rateLimit, { max: 300, timeWindow: "1 minute" });
+	await app.register(cookie, { secret: opts.cookieSecret });
+
+	// JWT plugin
+	const jwtConfig = getJwtConfig(opts.authEnabled, opts.jwtSecret);
+	await app.register(jwt, jwtConfig);
+
+	await app.register(fastifyMultipart, { limits: { fileSize: 10 * 1024 * 1024 } });
+
+	// Only register static if directory exists
+	if (existsSync(opts.imagesDir)) {
+		await app.register(fastifyStatic, {
+			root: opts.imagesDir,
+			prefix: "/images/",
+			decorateReply: false,
+		});
+	}
+
+	// Register routes
+	await app.register(healthRoutes);
+	await app.register(authRoutes);
+	await app.register(oidcRoutes);
+	await app.register(medicationRoutes);
+	await app.register(settingsRoutes);
+	await app.register(plannerRoutes);
+	await app.register(shareRoutes);
+	await app.register(doseRoutes);
+	await app.register(exportRoutes);
+	await app.register(refillRoutes);
+	await app.register(reportRoutes);
+
+	return app;
+}
+
+// =============================================================================
+// Server initialization (runs on import)
+// =============================================================================
+
+import { log } from "./utils/logger.js";

 // Wait for database migrations before anything else
 await migrationsReady;
-console.log("[DB] Migrations complete, starting server...");
+log.info("[DB] Migrations complete, starting server...");

 // Ensure images directory exists
-const imagesDir = resolve(process.cwd(), "data/images");
-if (!existsSync(imagesDir)) {
-  mkdirSync(imagesDir, { recursive: true });
-}
+const imagesDir = ensureImagesDirectory();

 const app = Fastify({
-  logger: {
-    level: env.LOG_LEVEL,
-  },
+	logger: buildLoggerOptions(env.LOG_LEVEL),
+	genReqId: (request) => sanitizeCorrelationId(request.headers) ?? randomUUID(),
 });

-const origins = env.CORS_ORIGINS.split(",").map((o) => o.trim()).filter(Boolean);
+app.addHook("onRequest", (request, reply, done) => {
+	request.correlationId = request.id;
+	reply.header("x-correlation-id", request.id);
+	done();
+});
+
+const origins = parseCorsOrigins(env.CORS_ORIGINS);

 // Auth token TTLs (hardcoded - no need for user configuration)
-const accessTtlMinutes = env.ACCESS_TOKEN_TTL_MINUTES;  // Access token TTL
-const refreshTtlDays = env.REFRESH_TOKEN_TTL_DAYS;      // Refresh token TTL
+const accessTtlMinutes = env.ACCESS_TOKEN_TTL_MINUTES; // Access token TTL
+const refreshTtlDays = env.REFRESH_TOKEN_TTL_DAYS; // Refresh token TTL

-const baseCookieOptions: CookieSerializeOptions = {
-  httpOnly: true,
-  sameSite: "lax",
-  secure: env.NODE_ENV === "production",
-  path: "/",
-  maxAge: accessTtlMinutes * 60,
-};
-
-const refreshCookieOptions: CookieSerializeOptions = {
-  ...baseCookieOptions,
-  maxAge: refreshTtlDays * 24 * 60 * 60,
-};
+const baseCookieOptions = buildBaseCookieOptions(accessTtlMinutes, env.NODE_ENV === "production");
+const refreshCookieOptions = buildRefreshCookieOptions(baseCookieOptions, refreshTtlDays);

 // Config decorator - only include secrets if auth is enabled
 app.decorate("config", {
-  accessSecret: env.JWT_SECRET ?? "",
-  refreshSecret: env.REFRESH_SECRET ?? "",
-  accessTtl: accessTtlMinutes,
-  refreshTtl: refreshTtlDays,
-  cookieOptions: baseCookieOptions,
-  refreshCookieOptions,
+	accessSecret: env.JWT_SECRET ?? "",
+	refreshSecret: env.REFRESH_SECRET ?? "",
+	accessTtl: accessTtlMinutes,
+	refreshTtl: refreshTtlDays,
+	cookieOptions: baseCookieOptions,
+	refreshCookieOptions,
 });

 await app.register(sensible);
 await app.register(helmet);
 await app.register(cors, { origin: origins, credentials: true });
 await app.register(rateLimit, {
-  max: 100,
-  timeWindow: "1 minute",
+	max: Number(process.env.RATE_LIMIT_MAX) || 100,
+	timeWindow: "1 minute",
 });
 await app.register(cookie, { secret: env.COOKIE_SECRET ?? "dev-cookie-secret" });

 // JWT plugin - only register with valid secret if auth is enabled
-if (env.AUTH_ENABLED && env.JWT_SECRET) {
-  await app.register(jwt, { 
-    secret: env.JWT_SECRET, 
-    cookie: { cookieName: "access_token", signed: false } 
-  });
-} else {
-  // Dummy JWT for when auth is disabled - prevents errors
-  await app.register(jwt, { 
-    secret: "auth-disabled-no-secret-needed", 
-    cookie: { cookieName: "access_token", signed: false } 
-  });
-}
+const jwtConfig = getJwtConfig(env.AUTH_ENABLED, env.JWT_SECRET);
+await app.register(jwt, jwtConfig);

 await app.register(fastifyMultipart, { limits: { fileSize: 10 * 1024 * 1024 } }); // 10MB limit
 await app.register(fastifyStatic, {
-  root: imagesDir,
-  prefix: "/images/",
-  decorateReply: false,
+	root: imagesDir,
+	prefix: "/images/",
+	decorateReply: false,
 });

 await app.register(healthRoutes);
@@ -105,27 +229,32 @@ await app.register(settingsRoutes);
 await app.register(plannerRoutes);
 await app.register(shareRoutes);
 await app.register(doseRoutes);
+await app.register(exportRoutes);
+await app.register(refillRoutes);
+await app.register(reportRoutes);

 const start = async () => {
-  try {
-    await app.listen({ port: env.PORT, host: "0.0.0.0" });
-    app.log.info(`Server running on ${env.PORT}`);
-    
-    // Start the automatic reminder scheduler
-    startReminderScheduler({
-      info: (msg) => app.log.info(msg),
-      error: (msg) => app.log.error(msg),
-    });
-    
-    // Start the intake reminder scheduler (checks every minute)
-    startIntakeReminderScheduler({
-      info: (msg) => app.log.info(msg),
-      error: (msg) => app.log.error(msg),
-    });
-  } catch (err) {
-    app.log.error(err);
-    process.exit(1);
-  }
+	try {
+		await app.listen({ port: env.PORT, host: "0.0.0.0" });
+		app.log.info(`Server running on ${env.PORT}`);
+
+		// Start the automatic reminder scheduler
+		startReminderScheduler({
+			info: (msg) => app.log.info(msg),
+			debug: (msg) => app.log.debug(msg),
+			error: (msg) => app.log.error(msg),
+		});
+
+		// Start the intake reminder scheduler (checks every minute)
+		startIntakeReminderScheduler({
+			info: (msg) => app.log.info(msg),
+			debug: (msg) => app.log.debug(msg),
+			error: (msg) => app.log.error(msg),
+		});
+	} catch (err) {
+		app.log.error(err);
+		process.exit(1);
+	}
 };

 start();
@@ -1,8 +1,8 @@
-import { FastifyInstance, FastifyRequest, FastifyReply } from "fastify";
-import { env } from "./env.js";
+import { count, eq, sql } from "drizzle-orm";
+import type { FastifyInstance, FastifyReply, FastifyRequest } from "fastify";
 import { db } from "../db/client.js";
 import { users } from "../db/schema.js";
-import { sql, count, eq } from "drizzle-orm";
+import { env } from "./env.js";

 // =============================================================================
 // Anonymous User - Used when AUTH_ENABLED=false
@@ -17,67 +17,69 @@ let anonymousUserVerified = false;
 * Uses a fixed ID (999999999) that will never collide with auto-increment IDs.
 */
 export async function getAnonymousUserId(): Promise<number> {
-  // Return cached if already verified
-  if (anonymousUserVerified) {
-    return ANONYMOUS_USER_ID;
-  }
+	// Return cached if already verified
+	if (anonymousUserVerified) {
+		return ANONYMOUS_USER_ID;
+	}

-  // Check if anonymous user exists
-  const [existing] = await db.select().from(users).where(eq(users.id, ANONYMOUS_USER_ID));
-  
-  if (existing) {
-    anonymousUserVerified = true;
-    return ANONYMOUS_USER_ID;
-  }
+	// Check if anonymous user exists
+	const [existing] = await db.select().from(users).where(eq(users.id, ANONYMOUS_USER_ID));

-  // Create anonymous user with fixed ID (SQLite allows explicit ID)
-  await db.run(sql`
+	if (existing) {
+		anonymousUserVerified = true;
+		return ANONYMOUS_USER_ID;
+	}
+
+	// Create anonymous user with fixed ID (SQLite allows explicit ID)
+	await db.run(sql`
    INSERT INTO users (id, username, password_hash, auth_provider, is_active, created_at, updated_at)
    VALUES (${ANONYMOUS_USER_ID}, ${ANONYMOUS_USERNAME}, NULL, 'anonymous', 1, CURRENT_TIMESTAMP, CURRENT_TIMESTAMP)
  `);

-  anonymousUserVerified = true;
-  console.log(`Created anonymous user with fixed ID ${ANONYMOUS_USER_ID} for no-auth mode`);
-  
-  return ANONYMOUS_USER_ID;
+	anonymousUserVerified = true;
+
+	return ANONYMOUS_USER_ID;
 }

 // =============================================================================
 // Auth State - Computed at runtime
 // =============================================================================
 export interface AuthState {
-  authEnabled: boolean;
-  registrationEnabled: boolean;
-  localAuthEnabled: boolean;
-  oidcEnabled: boolean;
-  oidcProviderName: string;
-  hasUsers: boolean;
-  needsSetup: boolean;
+	authEnabled: boolean;
+	registrationEnabled: boolean;
+	formLoginEnabled: boolean;
+	oidcEnabled: boolean;
+	oidcProviderName: string;
+	hasUsers: boolean;
+	needsSetup: boolean;
 }

 export async function getAuthState(): Promise<AuthState> {
-  // Count only real users (not the anonymous user with fixed ID)
-  const [result] = await db.select({ count: count() }).from(users).where(sql`${users.id} != ${ANONYMOUS_USER_ID}`);
-  const hasUsers = result.count > 0;
-  
-  return {
-    authEnabled: env.AUTH_ENABLED,
-    // Registration: enabled via ENV OR no users exist (first-time setup)
-    registrationEnabled: env.REGISTRATION_ENABLED || !hasUsers,
-    localAuthEnabled: env.AUTH_ENABLED,  // Password auth available when auth is enabled
-    oidcEnabled: env.OIDC_ENABLED,
-    oidcProviderName: env.OIDC_PROVIDER_NAME,
-    hasUsers,
-    needsSetup: env.AUTH_ENABLED && !hasUsers,
-  };
+	// Count only real users (not the anonymous user with fixed ID)
+	const [result] = await db.select({ count: count() }).from(users).where(sql`${users.id} != ${ANONYMOUS_USER_ID}`);
+	const hasUsers = result.count > 0;
+
+	const needsSetup = env.AUTH_ENABLED && !hasUsers;
+
+	return {
+		authEnabled: env.AUTH_ENABLED,
+		// Registration: enabled via ENV OR no users exist (first-time setup)
+		registrationEnabled: env.REGISTRATION_ENABLED || !hasUsers,
+		// Form login: enabled when auth + form login are both on, or forced on for first-user setup
+		formLoginEnabled: needsSetup || (env.AUTH_ENABLED && env.FORM_LOGIN_ENABLED),
+		oidcEnabled: env.OIDC_ENABLED,
+		oidcProviderName: env.OIDC_PROVIDER_NAME,
+		hasUsers,
+		needsSetup,
+	};
 }

 // =============================================================================
 // Request User Type (no roles - all users are equal)
 // =============================================================================
 export interface RequestUser {
-  id: number;
-  username: string;
+	id: number;
+	username: string;
 }

 // =============================================================================
@@ -87,78 +89,81 @@ export interface RequestUser {
 /**
 * Optional auth - verifies JWT if present, but doesn't require it
 */
-export async function optionalAuth(request: FastifyRequest, reply: FastifyReply) {
-  if (!env.AUTH_ENABLED) {
-    return;
-  }
+export async function optionalAuth(request: FastifyRequest, _reply: FastifyReply) {
+	if (!env.AUTH_ENABLED) {
+		return;
+	}

-  const token = request.cookies.access_token;
-  if (!token) {
-    return;
-  }
+	const token = request.cookies.access_token;
+	if (!token) {
+		return;
+	}

-  try {
-    const decoded = await request.jwtVerify<{ sub: number; username: string }>();
-    const [user] = await db.select().from(users).where(sql`${users.id} = ${decoded.sub}`);
-    if (user && user.isActive) {
-      request.user = {
-        id: user.id,
-        username: user.username,
-      };
-    }
-  } catch {
-    // Invalid token, continue as anonymous
-  }
+	try {
+		const decoded = await request.jwtVerify<{ sub: number; username: string }>();
+		const [user] = await db.select().from(users).where(sql`${users.id} = ${decoded.sub}`);
+		if (user?.isActive) {
+			request.user = {
+				id: user.id,
+				username: user.username,
+			};
+		}
+	} catch {
+		// Invalid token, continue as anonymous
+	}
 }

 /**
 * Required auth - requires valid JWT when auth is enabled
 */
 export async function requireAuth(request: FastifyRequest, reply: FastifyReply) {
-  if (!env.AUTH_ENABLED) {
-    return;
-  }
+	if (!env.AUTH_ENABLED) {
+		return;
+	}

-  const token = request.cookies.access_token;
-  if (!token) {
-    reply.status(401).send({ error: "Authentication required", code: "AUTH_REQUIRED" });
-    throw new Error("AUTH_REQUIRED");
-  }
+	const token = request.cookies.access_token;
+	if (!token) {
+		reply.status(401).send({ error: "Authentication required", code: "AUTH_REQUIRED" });
+		throw new Error("AUTH_REQUIRED");
+	}

-  try {
-    const decoded = await request.jwtVerify<{ sub: number; username: string }>();
-    const [user] = await db.select().from(users).where(sql`${users.id} = ${decoded.sub}`);
-    
-    if (!user) {
-      reply.status(401).send({ error: "User not found", code: "USER_NOT_FOUND" });
-      throw new Error("USER_NOT_FOUND");
-    }
-    
-    if (!user.isActive) {
-      reply.status(401).send({ error: "Account disabled", code: "ACCOUNT_DISABLED" });
-      throw new Error("ACCOUNT_DISABLED");
-    }
+	try {
+		const decoded = await request.jwtVerify<{ sub: number; username: string }>();
+		const [user] = await db.select().from(users).where(sql`${users.id} = ${decoded.sub}`);

-    request.user = {
-      id: user.id,
-      username: user.username,
-    };
-  } catch (err: any) {
-    // Re-throw our own errors
-    if (err?.message === "AUTH_REQUIRED" || err?.message === "USER_NOT_FOUND" || err?.message === "ACCOUNT_DISABLED") {
-      throw err;
-    }
-    // JWT verification failed
-    reply.status(401).send({ error: "Invalid or expired token", code: "INVALID_TOKEN" });
-    throw new Error("INVALID_TOKEN");
-  }
+		if (!user) {
+			reply.status(401).send({ error: "User not found", code: "USER_NOT_FOUND" });
+			throw new Error("USER_NOT_FOUND");
+		}
+
+		if (!user.isActive) {
+			reply.status(401).send({ error: "Account disabled", code: "ACCOUNT_DISABLED" });
+			throw new Error("ACCOUNT_DISABLED");
+		}
+
+		request.user = {
+			id: user.id,
+			username: user.username,
+		};
+	} catch (err: unknown) {
+		// Re-throw our own errors
+		if (
+			err instanceof Error &&
+			(err.message === "AUTH_REQUIRED" || err.message === "USER_NOT_FOUND" || err.message === "ACCOUNT_DISABLED")
+		) {
+			throw err;
+		}
+		// JWT verification failed
+		reply.status(401).send({ error: "Invalid or expired token", code: "INVALID_TOKEN" });
+		throw new Error("INVALID_TOKEN");
+	}
 }

 /**
 * Auth state endpoint plugin
 */
 export async function authPlugin(app: FastifyInstance) {
-  app.get("/auth/state", async () => {
-    return getAuthState();
-  });
+	app.get("/auth/state", async () => {
+		return getAuthState();
+	});
 }
@@ -1,45 +1,72 @@
-import { z } from "zod";
+import { existsSync } from "node:fs";
 import dotenv from "dotenv";
+import { z } from "zod";

-dotenv.config({ path: process.env.DOTENV_PATH || ".env" });
+// Load .env: try cwd first, then parent dir (for local dev running from backend/)
+const envPath = process.env.DOTENV_PATH || (existsSync(".env") ? ".env" : "../.env");
+dotenv.config({ path: envPath });

 const EnvSchema = z.object({
-  NODE_ENV: z.enum(["development", "production", "test"]).default("production"),
-  PORT: z.string().transform((v) => parseInt(v, 10)).default("3000"),
-  CORS_ORIGINS: z.string().default("http://localhost:5173,http://localhost:4173"),
-  LOG_LEVEL: z.string().default("info"),
-  
-  // ==========================================================================
-  // Auth Configuration
-  // ==========================================================================
-  // Master switch: Enable/disable authentication (default: disabled for easy setup)
-  AUTH_ENABLED: z.string().transform((v) => v === "true").default("false"),
-  // Allow new user registrations (auto-enabled if no users exist)
-  REGISTRATION_ENABLED: z.string().transform((v) => v === "true").default("false"),
-  // Disable local auth when using SSO only
+	NODE_ENV: z.enum(["development", "production", "test"]).default("production"),
+	PORT: z
+		.string()
+		.transform((v) => parseInt(v, 10))
+		.default("3000"),
+	CORS_ORIGINS: z.string().default("http://localhost:5173,http://localhost:4173"),
+	LOG_LEVEL: z.string().default("info"),

-  
-  // JWT Secrets - only required when AUTH_ENABLED=true
-  JWT_SECRET: z.string().min(10).optional(),
-  REFRESH_SECRET: z.string().min(10).optional(),
-  COOKIE_SECRET: z.string().min(10).optional(),
-  
-  // Token TTL settings
-  ACCESS_TOKEN_TTL_MINUTES: z.string().transform((v) => parseInt(v, 10)).default("15"),
-  REFRESH_TOKEN_TTL_DAYS: z.string().transform((v) => parseInt(v, 10)).default("7"),
+	// ==========================================================================
+	// Auth Configuration
+	// ==========================================================================
+	// Master switch: Enable/disable authentication (default: disabled for easy setup)
+	AUTH_ENABLED: z
+		.string()
+		.transform((v) => v === "true")
+		.default("false"),
+	// Allow new user registrations (auto-enabled if no users exist)
+	REGISTRATION_ENABLED: z
+		.string()
+		.transform((v) => v === "true")
+		.default("false"),
+	// Disable username/password form login (useful for OIDC-only setups)
+	FORM_LOGIN_ENABLED: z
+		.string()
+		.transform((v) => v === "true")
+		.default("true"),

-  // ==========================================================================
-  // OIDC SSO Configuration (Pocket ID, Authelia, etc.)
-  // ==========================================================================
-  OIDC_ENABLED: z.string().transform((v) => v === "true").default("false"),
-  OIDC_ISSUER_URL: z.string().url().optional(),  // e.g., https://auth.example.com
-  OIDC_CLIENT_ID: z.string().optional(),
-  OIDC_CLIENT_SECRET: z.string().optional(),
-  OIDC_REDIRECT_URI: z.string().url().optional(),  // e.g., https://medassist.example.com/api/auth/oidc/callback
-  OIDC_SCOPES: z.string().default("openid profile email"),
-  OIDC_AUTO_CREATE_USERS: z.string().transform((v) => v === "true").default("true"),
-  OIDC_USERNAME_CLAIM: z.string().default("preferred_username"),  // or 'email', 'sub'
-  OIDC_PROVIDER_NAME: z.string().default("SSO"),  // Display name for UI button
+	// JWT Secrets - only required when AUTH_ENABLED=true
+	JWT_SECRET: z.string().min(10).optional(),
+	REFRESH_SECRET: z.string().min(10).optional(),
+	COOKIE_SECRET: z.string().min(10).optional(),
+
+	// Token TTL settings
+	ACCESS_TOKEN_TTL_MINUTES: z
+		.string()
+		.transform((v) => parseInt(v, 10))
+		.default("15"),
+	REFRESH_TOKEN_TTL_DAYS: z
+		.string()
+		.transform((v) => parseInt(v, 10))
+		.default("7"),
+
+	// ==========================================================================
+	// OIDC SSO Configuration (Pocket ID, Authelia, etc.)
+	// ==========================================================================
+	OIDC_ENABLED: z
+		.string()
+		.transform((v) => v === "true")
+		.default("false"),
+	OIDC_ISSUER_URL: z.string().url().optional(), // e.g., https://auth.example.com
+	OIDC_CLIENT_ID: z.string().optional(),
+	OIDC_CLIENT_SECRET: z.string().optional(),
+	OIDC_REDIRECT_URI: z.string().url().optional(), // e.g., https://medassist.example.com/api/auth/oidc/callback
+	OIDC_SCOPES: z.string().default("openid profile email"),
+	OIDC_AUTO_CREATE_USERS: z
+		.string()
+		.transform((v) => v === "true")
+		.default("true"),
+	OIDC_USERNAME_CLAIM: z.string().default("preferred_username"), // or 'email', 'sub'
+	OIDC_PROVIDER_NAME: z.string().default("SSO"), // Display name for UI button
 });

 export type Env = z.infer<typeof EnvSchema>;
@@ -47,62 +74,84 @@ export type Env = z.infer<typeof EnvSchema>;
 // Parse and validate
 let parsed: z.infer<typeof EnvSchema>;
 try {
-  parsed = EnvSchema.parse(process.env);
+	parsed = EnvSchema.parse(process.env);
 } catch (err) {
-  console.error("=".repeat(60));
-  console.error("ENVIRONMENT CONFIGURATION ERROR");
-  console.error("=".repeat(60));
-  console.error(err);
-  console.error("\nPlease check your .env file or environment variables.");
-  console.error("=".repeat(60));
-  process.exit(1);
+	console.error("=".repeat(60));
+	console.error("ENVIRONMENT CONFIGURATION ERROR");
+	console.error("=".repeat(60));
+	console.error(err);
+	console.error("\nPlease check your .env file or environment variables.");
+	console.error("=".repeat(60));
+	process.exit(1);
 }

 // Validate that secrets are provided when auth is enabled
 if (parsed.AUTH_ENABLED) {
-  const missing: string[] = [];
-  if (!parsed.JWT_SECRET) missing.push("JWT_SECRET");
-  if (!parsed.REFRESH_SECRET) missing.push("REFRESH_SECRET");
-  if (!parsed.COOKIE_SECRET) missing.push("COOKIE_SECRET");
-  
-  if (missing.length > 0) {
-    console.error("=".repeat(60));
-    console.error("AUTHENTICATION CONFIGURATION ERROR");
-    console.error("=".repeat(60));
-    console.error(`AUTH_ENABLED=true but missing required secrets: ${missing.join(", ")}`);
-    console.error("");
-    console.error("To fix this, either:");
-    console.error("  1. Set these environment variables with secure random values:");
-    console.error("     Generate with: openssl rand -hex 32");
-    console.error("");
-    console.error("  2. Or disable authentication by removing AUTH_ENABLED=true");
-    console.error("=".repeat(60));
-    process.exit(1);
-  }
+	const missing: string[] = [];
+	if (!parsed.JWT_SECRET) missing.push("JWT_SECRET");
+	if (!parsed.REFRESH_SECRET) missing.push("REFRESH_SECRET");
+	if (!parsed.COOKIE_SECRET) missing.push("COOKIE_SECRET");
+
+	if (missing.length > 0) {
+		console.error("=".repeat(60));
+		console.error("AUTHENTICATION CONFIGURATION ERROR");
+		console.error("=".repeat(60));
+		console.error(`AUTH_ENABLED=true but missing required secrets: ${missing.join(", ")}`);
+		console.error("");
+		console.error("To fix this, either:");
+		console.error("  1. Set these environment variables with secure random values:");
+		console.error("     Generate with: openssl rand -hex 32");
+		console.error("");
+		console.error("  2. Or disable authentication by removing AUTH_ENABLED=true");
+		console.error("=".repeat(60));
+		process.exit(1);
+	}
 }

 // Validate OIDC configuration when enabled
 if (parsed.OIDC_ENABLED) {
-  const missing: string[] = [];
-  if (!parsed.OIDC_ISSUER_URL) missing.push("OIDC_ISSUER_URL");
-  if (!parsed.OIDC_CLIENT_ID) missing.push("OIDC_CLIENT_ID");
-  if (!parsed.OIDC_CLIENT_SECRET) missing.push("OIDC_CLIENT_SECRET");
-  if (!parsed.OIDC_REDIRECT_URI) missing.push("OIDC_REDIRECT_URI");
-  
-  if (missing.length > 0) {
-    console.error("=".repeat(60));
-    console.error("OIDC CONFIGURATION ERROR");
-    console.error("=".repeat(60));
-    console.error(`OIDC_ENABLED=true but missing required settings: ${missing.join(", ")}`);
-    console.error("");
-    console.error("Required OIDC settings:");
-    console.error("  OIDC_ISSUER_URL=https://your-oidc-provider.com");
-    console.error("  OIDC_CLIENT_ID=your-client-id");
-    console.error("  OIDC_CLIENT_SECRET=your-client-secret");
-    console.error("  OIDC_REDIRECT_URI=https://your-app.com/api/auth/oidc/callback");
-    console.error("=".repeat(60));
-    process.exit(1);
-  }
+	const missing: string[] = [];
+	if (!parsed.OIDC_ISSUER_URL) missing.push("OIDC_ISSUER_URL");
+	if (!parsed.OIDC_CLIENT_ID) missing.push("OIDC_CLIENT_ID");
+	if (!parsed.OIDC_CLIENT_SECRET) missing.push("OIDC_CLIENT_SECRET");
+	if (!parsed.OIDC_REDIRECT_URI) missing.push("OIDC_REDIRECT_URI");
+
+	if (missing.length > 0) {
+		console.error("=".repeat(60));
+		console.error("OIDC CONFIGURATION ERROR");
+		console.error("=".repeat(60));
+		console.error(`OIDC_ENABLED=true but missing required settings: ${missing.join(", ")}`);
+		console.error("");
+		console.error("Required OIDC settings:");
+		console.error("  OIDC_ISSUER_URL=https://your-oidc-provider.com");
+		console.error("  OIDC_CLIENT_ID=your-client-id");
+		console.error("  OIDC_CLIENT_SECRET=your-client-secret");
+		console.error("  OIDC_REDIRECT_URI=https://your-app.com/api/auth/oidc/callback");
+		console.error("=".repeat(60));
+		process.exit(1);
+	}
+}
+
+// Validate that at least one login method is available when auth is enabled
+if (parsed.AUTH_ENABLED && !parsed.FORM_LOGIN_ENABLED && !parsed.OIDC_ENABLED) {
+	console.error("=".repeat(60));
+	console.error("AUTHENTICATION CONFIGURATION ERROR");
+	console.error("=".repeat(60));
+	console.error("AUTH_ENABLED=true but no login method is available.");
+	console.error("FORM_LOGIN_ENABLED=false and OIDC_ENABLED=false means users cannot log in.");
+	console.error("");
+	console.error("To fix this, either:");
+	console.error("  1. Set FORM_LOGIN_ENABLED=true to allow username/password login");
+	console.error("  2. Set OIDC_ENABLED=true to allow SSO login");
+	console.error("=".repeat(60));
+	process.exit(1);
+}
+
+// Warn about ineffective registration when form login is disabled
+if (parsed.REGISTRATION_ENABLED && !parsed.FORM_LOGIN_ENABLED) {
+	console.warn(
+		"[config] REGISTRATION_ENABLED=true has no effect when FORM_LOGIN_ENABLED=false (no registration form available)"
+	);
 }

 export const env = parsed;
@@ -1,468 +1,575 @@
-import { FastifyInstance } from "fastify";
-import { z } from "zod";
+import { randomBytes } from "node:crypto";
+import { resolve } from "node:path";
 import argon2 from "argon2";
-import { randomBytes } from "crypto";
+import { eq, sql } from "drizzle-orm";
+import type { FastifyInstance } from "fastify";
+import { z } from "zod";
 import { db } from "../db/client.js";
-import { users, refreshTokens } from "../db/schema.js";
-import { eq } from "drizzle-orm";
-import { env } from "../plugins/env.js";
+import { getDataDir } from "../db/db-utils.js";
+import { refreshTokens, users } from "../db/schema.js";
 import { getAuthState, requireAuth } from "../plugins/auth.js";
 import type { AuthUser } from "../types/fastify.js";
+import {
+	ALLOWED_IMAGE_MIME_TYPES,
+	removeImageFiles,
+	streamToBuffer,
+	writeOptimizedImageSet,
+} from "../utils/image-upload.js";

 // =============================================================================
 // Argon2id Configuration - State of the Art Password Hashing
 // =============================================================================
 const ARGON2_OPTIONS: argon2.Options = {
-  type: argon2.argon2id,       // Argon2id - best for password hashing
-  memoryCost: 65536,           // 64 MB memory
-  timeCost: 3,                 // 3 iterations
-  parallelism: 4,              // 4 parallel threads
-  hashLength: 32,              // 256-bit hash
+	type: argon2.argon2id, // Argon2id - best for password hashing
+	memoryCost: 65536, // 64 MB memory
+	timeCost: 3, // 3 iterations
+	parallelism: 4, // 4 parallel threads
+	hashLength: 32, // 256-bit hash
+};
+
+// =============================================================================
+// Rate Limiting Configuration for Auth Routes
+// =============================================================================
+// Stricter rate limits for authentication endpoints to prevent brute-force attacks
+// Note: Rate limiting is implemented via @fastify/rate-limit plugin registered in index.ts
+// and route-specific limits are applied via the 'config.rateLimit' option below.
+// CodeQL may not recognize this pattern - see: https://github.com/github/codeql/issues
+// lgtm[js/missing-rate-limiting]
+const authRateLimitConfig = {
+	max: 10, // 10 requests
+	timeWindow: "1 minute", // per minute
+	errorResponseBuilder: () => ({
+		error: "Too many requests. Please try again later.",
+		code: "RATE_LIMIT_EXCEEDED",
+	}),
+};
+
+// lgtm[js/missing-rate-limiting]
+const sensitiveRateLimitConfig = {
+	max: 5, // 5 requests
+	timeWindow: "15 minutes", // per 15 minutes (for login/register)
+	errorResponseBuilder: () => ({
+		error: "Too many attempts. Please try again later.",
+		code: "RATE_LIMIT_EXCEEDED",
+	}),
 };

 // =============================================================================
 // Validation Schemas
 // =============================================================================
 const registerSchema = z.object({
-  username: z.string()
-    .min(3, "Username must be at least 3 characters")
-    .max(50, "Username must be at most 50 characters")
-    .regex(/^[a-zA-Z0-9_-]+$/, "Username can only contain letters, numbers, underscores, and hyphens"),
-  password: z.string()
-    .min(8, "Password must be at least 8 characters")
-    .max(128, "Password must be at most 128 characters"),
+	username: z
+		.string()
+		.trim()
+		.min(3, "Username must be at least 3 characters")
+		.max(50, "Username must be at most 50 characters")
+		.regex(/^[a-zA-Z0-9_-]+$/, "Username can only contain letters, numbers, underscores, and hyphens"),
+	password: z
+		.string()
+		.min(8, "Password must be at least 8 characters")
+		.max(128, "Password must be at most 128 characters"),
 });

 const loginSchema = z.object({
-  username: z.string().min(1, "Username is required"),
-  password: z.string().min(1, "Password is required"),
-  rememberMe: z.boolean().optional().default(false),
+	username: z.string().trim().min(1, "Username is required"),
+	password: z.string().min(1, "Password is required"),
+	rememberMe: z.boolean().optional().default(false),
 });

 const updateProfileSchema = z.object({
-  currentPassword: z.string().optional(),
-  newPassword: z.string()
-    .min(8, "Password must be at least 8 characters")
-    .max(128, "Password must be at most 128 characters")
-    .optional(),
+	currentPassword: z.string().optional(),
+	newPassword: z
+		.string()
+		.min(8, "Password must be at least 8 characters")
+		.max(128, "Password must be at most 128 characters")
+		.optional(),
 });

 // =============================================================================
 // Auth Routes
 // =============================================================================
 export async function authRoutes(app: FastifyInstance) {
-  // Token TTLs
-  const accessTtlMinutes = 15;
-  const refreshTtlDays = 14;
+	const IMAGES_DIR = resolve(getDataDir(), "images");

-  // ---------------------------------------------------------------------------
-  // GET /auth/state - Public auth state (needed before login)
-  // ---------------------------------------------------------------------------
-  app.get("/auth/state", async () => {
-    return getAuthState();
-  });
+	// Token TTLs
+	const accessTtlMinutes = 15;
+	const refreshTtlDays = 14;

-  // ---------------------------------------------------------------------------
-  // POST /auth/register - User registration
-  // ---------------------------------------------------------------------------
-  app.post<{ Body: z.infer<typeof registerSchema> }>("/auth/register", async (request, reply) => {
-    // Check auth state
-    const state = await getAuthState();
-    
-    if (!state.authEnabled) {
-      return reply.status(400).send({ error: "Authentication is disabled", code: "AUTH_DISABLED" });
-    }
-    
-    if (!state.registrationEnabled) {
-      return reply.status(400).send({ error: "Registration is disabled", code: "REGISTRATION_DISABLED" });
-    }
-    
-    if (!state.localAuthEnabled) {
-      return reply.status(400).send({ error: "Local authentication is disabled", code: "LOCAL_AUTH_DISABLED" });
-    }
+	// ---------------------------------------------------------------------------
+	// GET /auth/state - Public auth state (needed before login)
+	// Exempt from rate limit - lightweight state check called frequently
+	// ---------------------------------------------------------------------------
+	app.get("/auth/state", { config: { rateLimit: false } }, async () => {
+		return getAuthState();
+	});

-    // Validate input
-    const parsed = registerSchema.safeParse(request.body);
-    if (!parsed.success) {
-      return reply.status(400).send({ 
-        error: parsed.error.errors[0]?.message ?? "Invalid input",
-        code: "VALIDATION_ERROR" 
-      });
-    }
+	// ---------------------------------------------------------------------------
+	// POST /auth/register - User registration
+	// ---------------------------------------------------------------------------
+	app.post<{ Body: z.infer<typeof registerSchema> }>(
+		"/auth/register",
+		{
+			config: { rateLimit: sensitiveRateLimitConfig },
+		},
+		async (request, reply) => {
+			// Check auth state
+			const state = await getAuthState();

-    const { username, password } = parsed.data;
+			if (!state.authEnabled) {
+				return reply.status(400).send({ error: "Authentication is disabled", code: "AUTH_DISABLED" });
+			}

-    // Check if username already exists
-    const [existingUser] = await db.select().from(users).where(eq(users.username, username));
-    if (existingUser) {
-      return reply.status(409).send({ error: "Username already taken", code: "USERNAME_EXISTS" });
-    }
+			if (!state.registrationEnabled) {
+				return reply.status(400).send({ error: "Registration is disabled", code: "REGISTRATION_DISABLED" });
+			}

-    // Hash password with Argon2id
-    const passwordHash = await argon2.hash(password, ARGON2_OPTIONS);
+			if (!state.formLoginEnabled) {
+				return reply.status(400).send({ error: "Form login is disabled", code: "FORM_LOGIN_DISABLED" });
+			}

-    // Create user
-    const [newUser] = await db.insert(users).values({
-      username,
-      passwordHash,
-      authProvider: "local",
-    }).returning();
+			// Validate input
+			const parsed = registerSchema.safeParse(request.body);
+			if (!parsed.success) {
+				return reply.status(400).send({
+					error: parsed.error.errors[0]?.message ?? "Invalid input",
+					code: "VALIDATION_ERROR",
+				});
+			}

-    app.log.info(`User registered: ${username}`);
+			const { username, password } = parsed.data;

-    return reply.status(201).send({
-      ok: true,
-      user: {
-        id: newUser.id,
-        username: newUser.username,
-      },
-      message: "Account created",
-    });
-  });
+			// Check if username already exists
+			const [existingUser] = await db.select().from(users).where(sql`lower(${users.username}) = lower(${username})`);
+			if (existingUser) {
+				return reply.status(409).send({ error: "Username already taken", code: "USERNAME_EXISTS" });
+			}

-  // ---------------------------------------------------------------------------
-  // POST /auth/login - User login
-  // ---------------------------------------------------------------------------
-  app.post<{ Body: z.infer<typeof loginSchema> }>("/auth/login", async (request, reply) => {
-    const state = await getAuthState();
-    
-    if (!state.authEnabled) {
-      return reply.status(400).send({ error: "Authentication is disabled", code: "AUTH_DISABLED" });
-    }
-    
-    if (!state.localAuthEnabled) {
-      return reply.status(400).send({ error: "Local authentication is disabled", code: "LOCAL_AUTH_DISABLED" });
-    }
+			// Hash password with Argon2id
+			const passwordHash = await argon2.hash(password, ARGON2_OPTIONS);

-    const parsed = loginSchema.safeParse(request.body);
-    if (!parsed.success) {
-      return reply.status(400).send({ 
-        error: "Invalid credentials",
-        code: "VALIDATION_ERROR" 
-      });
-    }
+			// Create user
+			const [newUser] = await db
+				.insert(users)
+				.values({
+					username,
+					passwordHash,
+					authProvider: "local",
+				})
+				.returning();

-    const { username, password, rememberMe } = parsed.data;
+			app.log.info(`User registered: ${username}`);

-    // Find user by username
-    const [user] = await db.select().from(users).where(eq(users.username, username));
-    
-    // Generic error to prevent user enumeration
-    const invalidCredentialsError = () => 
-      reply.status(401).send({ error: "Invalid username or password", code: "INVALID_CREDENTIALS" });
+			return reply.status(201).send({
+				ok: true,
+				user: {
+					id: newUser.id,
+					username: newUser.username,
+				},
+				message: "Account created",
+			});
+		}
+	);

-    if (!user) {
-      // Perform dummy hash to prevent timing attacks
-      await argon2.hash("dummy", ARGON2_OPTIONS);
-      return invalidCredentialsError();
-    }
+	// ---------------------------------------------------------------------------
+	// POST /auth/login - User login
+	// ---------------------------------------------------------------------------
+	app.post<{ Body: z.infer<typeof loginSchema> }>(
+		"/auth/login",
+		{
+			config: { rateLimit: sensitiveRateLimitConfig },
+		},
+		async (request, reply) => {
+			const state = await getAuthState();

-    if (!user.isActive) {
-      return reply.status(401).send({ error: "Account disabled", code: "ACCOUNT_DISABLED" });
-    }
+			if (!state.authEnabled) {
+				return reply.status(400).send({ error: "Authentication is disabled", code: "AUTH_DISABLED" });
+			}

-    if (!user.passwordHash) {
-      // SSO-only user trying local login
-      return reply.status(401).send({ error: "Please use SSO to login", code: "SSO_ONLY" });
-    }
+			if (!state.formLoginEnabled) {
+				return reply.status(400).send({ error: "Form login is disabled", code: "FORM_LOGIN_DISABLED" });
+			}

-    // Verify password
-    const valid = await argon2.verify(user.passwordHash, password, ARGON2_OPTIONS);
-    if (!valid) {
-      return invalidCredentialsError();
-    }
+			const parsed = loginSchema.safeParse(request.body);
+			if (!parsed.success) {
+				return reply.status(400).send({
+					error: "Invalid credentials",
+					code: "VALIDATION_ERROR",
+				});
+			}

-    // Update last login
-    await db.update(users)
-      .set({ lastLoginAt: new Date(), updatedAt: new Date() })
-      .where(eq(users.id, user.id));
+			const { username, password, rememberMe } = parsed.data;

-    // Generate tokens
-    const accessToken = app.jwt.sign(
-      { sub: user.id, username: user.username },
-      { expiresIn: `${accessTtlMinutes}m` }
-    );
+			// Find user by username
+			const [user] = await db.select().from(users).where(sql`lower(${users.username}) = lower(${username})`);

-    const tokenId = randomBytes(32).toString("hex");
-    const refreshExp = new Date(Date.now() + refreshTtlDays * 24 * 60 * 60 * 1000);
-    
-    await db.insert(refreshTokens).values({
-      userId: user.id,
-      tokenId,
-      expiresAt: refreshExp,
-    });
+			// Generic error to prevent user enumeration
+			const invalidCredentialsError = () =>
+				reply.status(401).send({ error: "Invalid username or password", code: "INVALID_CREDENTIALS" });

-    const refreshToken = app.jwt.sign(
-      { sub: user.id, jti: tokenId },
-      { expiresIn: `${refreshTtlDays}d`, key: app.config.refreshSecret }
-    );
+			if (!user) {
+				// Perform dummy hash to prevent timing attacks
+				await argon2.hash("dummy", ARGON2_OPTIONS);
+				return invalidCredentialsError();
+			}

-    app.log.info(`User logged in: ${username} (rememberMe: ${rememberMe})`);
+			if (!user.isActive) {
+				return reply.status(401).send({ error: "Account disabled", code: "ACCOUNT_DISABLED" });
+			}

-    // Cookie options: with maxAge for "remember me", without for session cookie
-    const accessCookieOptions = rememberMe 
-      ? app.config.cookieOptions 
-      : { ...app.config.cookieOptions, maxAge: undefined };
-    const refreshCookieOptions = rememberMe 
-      ? app.config.refreshCookieOptions 
-      : { ...app.config.refreshCookieOptions, maxAge: undefined };
+			if (!user.passwordHash) {
+				// SSO-only user trying local login
+				return reply.status(401).send({ error: "Please use SSO to login", code: "SSO_ONLY" });
+			}

-    return reply
-      .setCookie("access_token", accessToken, accessCookieOptions)
-      .setCookie("refresh_token", refreshToken, refreshCookieOptions)
-      .send({
-        ok: true,
-        user: {
-          id: user.id,
-          username: user.username,
-          avatarUrl: user.avatarUrl,
-        },
-      });
-  });
+			// Verify password
+			const valid = await argon2.verify(user.passwordHash, password, ARGON2_OPTIONS);
+			if (!valid) {
+				return invalidCredentialsError();
+			}

-  // ---------------------------------------------------------------------------
-  // POST /auth/refresh - Refresh access token
-  // ---------------------------------------------------------------------------
-  app.post("/auth/refresh", async (request, reply) => {
-    const refreshTokenCookie = request.cookies.refresh_token;
-    if (!refreshTokenCookie) {
-      return reply.status(401).send({ error: "No refresh token", code: "NO_REFRESH_TOKEN" });
-    }
+			// Update last login
+			await db.update(users).set({ lastLoginAt: new Date(), updatedAt: new Date() }).where(eq(users.id, user.id));

-    try {
-      // Verify refresh token
-      const decoded = app.jwt.verify<{ sub: number; jti: string }>(
-        refreshTokenCookie,
-        { key: app.config.refreshSecret }
-      );
+			// Generate tokens
+			const accessToken = app.jwt.sign(
+				{ sub: user.id, username: user.username },
+				{ expiresIn: `${accessTtlMinutes}m` }
+			);

-      // Check if token exists and is valid
-      const [token] = await db.select().from(refreshTokens)
-        .where(eq(refreshTokens.tokenId, decoded.jti));
+			const tokenId = randomBytes(32).toString("hex");
+			const refreshExp = new Date(Date.now() + refreshTtlDays * 24 * 60 * 60 * 1000);

-      if (!token || token.revoked || token.expiresAt < new Date()) {
-        return reply.status(401).send({ error: "Invalid refresh token", code: "INVALID_REFRESH_TOKEN" });
-      }
+			await db.insert(refreshTokens).values({
+				userId: user.id,
+				tokenId,
+				expiresAt: refreshExp,
+			});

-      // Get user
-      const [user] = await db.select().from(users).where(eq(users.id, decoded.sub));
-      if (!user || !user.isActive) {
-        return reply.status(401).send({ error: "User not found or disabled", code: "USER_INVALID" });
-      }
+			const refreshToken = app.jwt.sign(
+				{ sub: user.id, jti: tokenId },
+				{ expiresIn: `${refreshTtlDays}d`, key: app.config.refreshSecret }
+			);

-      // Rotate refresh token (revoke old, create new)
-      await db.update(refreshTokens)
-        .set({ revoked: true, rotatedAt: new Date() })
-        .where(eq(refreshTokens.id, token.id));
+			app.log.info(`User logged in: ${username} (rememberMe: ${rememberMe})`);

-      const newTokenId = randomBytes(32).toString("hex");
-      const refreshExp = new Date(Date.now() + refreshTtlDays * 24 * 60 * 60 * 1000);
-      
-      await db.insert(refreshTokens).values({
-        userId: user.id,
-        tokenId: newTokenId,
-        expiresAt: refreshExp,
-      });
+			// Cookie options: with maxAge for "remember me", without for session cookie
+			const accessCookieOptions = rememberMe
+				? app.config.cookieOptions
+				: { ...app.config.cookieOptions, maxAge: undefined };
+			const refreshCookieOptions = rememberMe
+				? app.config.refreshCookieOptions
+				: { ...app.config.refreshCookieOptions, maxAge: undefined };

-      // Generate new tokens
-      const newAccessToken = app.jwt.sign(
-        { sub: user.id, username: user.username },
-        { expiresIn: `${accessTtlMinutes}m` }
-      );
+			return reply
+				.setCookie("access_token", accessToken, accessCookieOptions)
+				.setCookie("refresh_token", refreshToken, refreshCookieOptions)
+				.send({
+					ok: true,
+					user: {
+						id: user.id,
+						username: user.username,
+						avatarUrl: user.avatarUrl,
+					},
+				});
+		}
+	);

-      const newRefreshToken = app.jwt.sign(
-        { sub: user.id, jti: newTokenId },
-        { expiresIn: `${refreshTtlDays}d`, key: app.config.refreshSecret }
-      );
+	// ---------------------------------------------------------------------------
+	// POST /auth/refresh - Refresh access token
+	// ---------------------------------------------------------------------------
+	app.post(
+		"/auth/refresh",
+		{
+			config: { rateLimit: authRateLimitConfig },
+		},
+		async (request, reply) => {
+			const refreshTokenCookie = request.cookies.refresh_token;
+			if (!refreshTokenCookie) {
+				return reply.status(401).send({ error: "No refresh token", code: "NO_REFRESH_TOKEN" });
+			}

-      return reply
-        .setCookie("access_token", newAccessToken, app.config.cookieOptions)
-        .setCookie("refresh_token", newRefreshToken, app.config.refreshCookieOptions)
-        .send({ ok: true });
+			try {
+				// Verify refresh token
+				const decoded = app.jwt.verify<{ sub: number; jti: string }>(refreshTokenCookie, {
+					key: app.config.refreshSecret,
+				});

-    } catch {
-      return reply.status(401).send({ error: "Invalid refresh token", code: "INVALID_REFRESH_TOKEN" });
-    }
-  });
+				// Check if token exists and is valid
+				const [token] = await db.select().from(refreshTokens).where(eq(refreshTokens.tokenId, decoded.jti));

-  // ---------------------------------------------------------------------------
-  // POST /auth/logout - Logout (revoke refresh token)
-  // ---------------------------------------------------------------------------
-  app.post("/auth/logout", async (request, reply) => {
-    const refreshTokenCookie = request.cookies.refresh_token;
-    
-    if (refreshTokenCookie) {
-      try {
-        const decoded = app.jwt.verify<{ jti: string }>(
-          refreshTokenCookie,
-          { key: app.config.refreshSecret }
-        );
-        
-        // Revoke the refresh token
-        await db.update(refreshTokens)
-          .set({ revoked: true })
-          .where(eq(refreshTokens.tokenId, decoded.jti));
-      } catch {
-        // Invalid token, ignore
-      }
-    }
+				if (!token || token.revoked || token.expiresAt < new Date()) {
+					return reply.status(401).send({ error: "Invalid refresh token", code: "INVALID_REFRESH_TOKEN" });
+				}

-    return reply
-      .clearCookie("access_token", app.config.cookieOptions)
-      .clearCookie("refresh_token", app.config.refreshCookieOptions)
-      .send({ ok: true });
-  });
+				// Get user
+				const [user] = await db.select().from(users).where(eq(users.id, decoded.sub));
+				if (!user || !user.isActive) {
+					return reply.status(401).send({ error: "User not found or disabled", code: "USER_INVALID" });
+				}

-  // ---------------------------------------------------------------------------
-  // GET /auth/me - Get current user profile
-  // ---------------------------------------------------------------------------
-  app.get("/auth/me", { preHandler: requireAuth }, async (request, reply) => {
-    const authUser = request.user as unknown as AuthUser | null;
-    if (!authUser) {
-      return reply.status(401).send({ error: "Not authenticated" });
-    }
+				// Rotate refresh token (revoke old, create new)
+				await db
+					.update(refreshTokens)
+					.set({ revoked: true, rotatedAt: new Date() })
+					.where(eq(refreshTokens.id, token.id));

-    const [user] = await db.select().from(users).where(eq(users.id, authUser.id));
-    if (!user) {
-      return reply.status(404).send({ error: "User not found" });
-    }
+				const newTokenId = randomBytes(32).toString("hex");
+				const refreshExp = new Date(Date.now() + refreshTtlDays * 24 * 60 * 60 * 1000);

-    return {
-      id: user.id,
-      username: user.username,
-      avatarUrl: user.avatarUrl,
-      authProvider: user.authProvider,
-      createdAt: user.createdAt,
-      lastLoginAt: user.lastLoginAt,
-    };
-  });
+				await db.insert(refreshTokens).values({
+					userId: user.id,
+					tokenId: newTokenId,
+					expiresAt: refreshExp,
+				});

-  // ---------------------------------------------------------------------------
-  // PUT /auth/me - Update current user profile
-  // ---------------------------------------------------------------------------
-  app.put<{ Body: z.infer<typeof updateProfileSchema> }>("/auth/me", { preHandler: requireAuth }, async (request, reply) => {
-    const authUser = request.user as unknown as AuthUser | null;
-    if (!authUser) {
-      return reply.status(401).send({ error: "Not authenticated" });
-    }
+				// Generate new tokens
+				const newAccessToken = app.jwt.sign(
+					{ sub: user.id, username: user.username },
+					{ expiresIn: `${accessTtlMinutes}m` }
+				);

-    const parsed = updateProfileSchema.safeParse(request.body);
-    if (!parsed.success) {
-      return reply.status(400).send({ 
-        error: parsed.error.errors[0]?.message ?? "Invalid input",
-        code: "VALIDATION_ERROR" 
-      });
-    }
+				const newRefreshToken = app.jwt.sign(
+					{ sub: user.id, jti: newTokenId },
+					{ expiresIn: `${refreshTtlDays}d`, key: app.config.refreshSecret }
+				);

-    const { currentPassword, newPassword } = parsed.data;
-    const [user] = await db.select().from(users).where(eq(users.id, authUser.id));
+				return reply
+					.setCookie("access_token", newAccessToken, app.config.cookieOptions)
+					.setCookie("refresh_token", newRefreshToken, app.config.refreshCookieOptions)
+					.send({ ok: true });
+			} catch {
+				return reply.status(401).send({ error: "Invalid refresh token", code: "INVALID_REFRESH_TOKEN" });
+			}
+		}
+	);

-    if (!user) {
-      return reply.status(404).send({ error: "User not found" });
-    }
+	// ---------------------------------------------------------------------------
+	// POST /auth/logout - Logout (revoke refresh token)
+	// ---------------------------------------------------------------------------
+	app.post(
+		"/auth/logout",
+		{
+			config: { rateLimit: authRateLimitConfig },
+		},
+		async (request, reply) => {
+			const refreshTokenCookie = request.cookies.refresh_token;

-    const updates: Partial<typeof users.$inferInsert> = {
-      updatedAt: new Date(),
-    };
+			if (refreshTokenCookie) {
+				try {
+					const decoded = app.jwt.verify<{ jti: string }>(refreshTokenCookie, { key: app.config.refreshSecret });

-    // Update password if provided
-    if (newPassword) {
-      if (!currentPassword) {
-        return reply.status(400).send({ error: "Current password required", code: "CURRENT_PASSWORD_REQUIRED" });
-      }
+					// Revoke the refresh token
+					await db.update(refreshTokens).set({ revoked: true }).where(eq(refreshTokens.tokenId, decoded.jti));
+				} catch {
+					// Invalid token, ignore
+				}
+			}

-      if (!user.passwordHash) {
-        return reply.status(400).send({ error: "Cannot change password for SSO account", code: "SSO_ACCOUNT" });
-      }
+			return reply
+				.clearCookie("access_token", app.config.cookieOptions)
+				.clearCookie("refresh_token", app.config.refreshCookieOptions)
+				.send({ ok: true });
+		}
+	);

-      const valid = await argon2.verify(user.passwordHash, currentPassword, ARGON2_OPTIONS);
-      if (!valid) {
-        return reply.status(401).send({ error: "Current password is incorrect", code: "INVALID_PASSWORD" });
-      }
+	// ---------------------------------------------------------------------------
+	// GET /auth/me - Get current user profile
+	// ---------------------------------------------------------------------------
+	app.get("/auth/me", { preHandler: requireAuth }, async (request, reply) => {
+		const authUser = request.user as unknown as AuthUser | null;
+		if (!authUser) {
+			return reply.status(401).send({ error: "Not authenticated" });
+		}

-      updates.passwordHash = await argon2.hash(newPassword, ARGON2_OPTIONS);
-    }
+		const [user] = await db.select().from(users).where(eq(users.id, authUser.id));
+		if (!user) {
+			return reply.status(404).send({ error: "User not found" });
+		}

-    await db.update(users).set(updates).where(eq(users.id, user.id));
+		return {
+			id: user.id,
+			username: user.username,
+			avatarUrl: user.avatarUrl,
+			authProvider: user.authProvider,
+			createdAt: user.createdAt,
+			lastLoginAt: user.lastLoginAt,
+		};
+	});

-    return { ok: true, message: "Profile updated" };
-  });
+	// ---------------------------------------------------------------------------
+	// PUT /auth/me - Update current user profile
+	// ---------------------------------------------------------------------------
+	app.put<{ Body: z.infer<typeof updateProfileSchema> }>(
+		"/auth/me",
+		{
+			preHandler: requireAuth,
+			config: { rateLimit: authRateLimitConfig },
+		},
+		async (request, reply) => {
+			const authUser = request.user as unknown as AuthUser | null;
+			if (!authUser) {
+				return reply.status(401).send({ error: "Not authenticated" });
+			}

-  // ---------------------------------------------------------------------------
-  // POST /auth/avatar - Upload user avatar
-  // ---------------------------------------------------------------------------
-  app.post("/auth/avatar", { preHandler: requireAuth }, async (request, reply) => {
-    const authUser = request.user as unknown as AuthUser | null;
-    if (!authUser) {
-      return reply.status(401).send({ error: "Not authenticated" });
-    }
+			const parsed = updateProfileSchema.safeParse(request.body);
+			if (!parsed.success) {
+				return reply.status(400).send({
+					error: parsed.error.errors[0]?.message ?? "Invalid input",
+					code: "VALIDATION_ERROR",
+				});
+			}

-    const data = await request.file();
-    if (!data) {
-      return reply.status(400).send({ error: "No file uploaded" });
-    }
+			const { currentPassword, newPassword } = parsed.data;
+			const [user] = await db.select().from(users).where(eq(users.id, authUser.id));

-    // Validate file type
-    const allowedTypes = ["image/jpeg", "image/png", "image/webp", "image/gif"];
-    if (!allowedTypes.includes(data.mimetype)) {
-      return reply.status(400).send({ error: "Invalid file type. Allowed: JPEG, PNG, WebP, GIF" });
-    }
+			if (!user) {
+				return reply.status(404).send({ error: "User not found" });
+			}

-    // Generate unique filename
-    const ext = data.filename.split(".").pop() || "jpg";
-    const filename = `avatar_${authUser.id}_${Date.now()}.${ext}`;
-    
-    // Save file
-    const fs = await import("fs/promises");
-    const path = await import("path");
-    const imagesDir = path.join(process.cwd(), "data", "images");
-    await fs.mkdir(imagesDir, { recursive: true });
-    
-    const buffer = await data.toBuffer();
-    await fs.writeFile(path.join(imagesDir, filename), buffer);
+			const updates: Partial<typeof users.$inferInsert> = {
+				updatedAt: new Date(),
+			};

-    // Delete old avatar if exists
-    const [user] = await db.select().from(users).where(eq(users.id, authUser.id));
-    if (user?.avatarUrl) {
-      try {
-        await fs.unlink(path.join(imagesDir, user.avatarUrl));
-      } catch {
-        // Ignore if file doesn't exist
-      }
-    }
+			// Update password if provided
+			if (newPassword) {
+				if (!currentPassword) {
+					return reply.status(400).send({ error: "Current password required", code: "CURRENT_PASSWORD_REQUIRED" });
+				}

-    // Update user
-    await db.update(users).set({ avatarUrl: filename, updatedAt: new Date() }).where(eq(users.id, authUser.id));
+				if (!user.passwordHash) {
+					return reply.status(400).send({ error: "Cannot change password for SSO account", code: "SSO_ACCOUNT" });
+				}

-    return { ok: true, avatarUrl: filename };
-  });
+				const valid = await argon2.verify(user.passwordHash, currentPassword, ARGON2_OPTIONS);
+				if (!valid) {
+					return reply.status(401).send({ error: "Current password is incorrect", code: "INVALID_PASSWORD" });
+				}

-  // ---------------------------------------------------------------------------
-  // DELETE /auth/avatar - Delete user avatar
-  // ---------------------------------------------------------------------------
-  app.delete("/auth/avatar", { preHandler: requireAuth }, async (request, reply) => {
-    const authUser = request.user as unknown as AuthUser | null;
-    if (!authUser) {
-      return reply.status(401).send({ error: "Not authenticated" });
-    }
+				updates.passwordHash = await argon2.hash(newPassword, ARGON2_OPTIONS);
+			}

-    const [user] = await db.select().from(users).where(eq(users.id, authUser.id));
-    if (!user?.avatarUrl) {
-      return reply.status(404).send({ error: "No avatar to delete" });
-    }
+			await db.update(users).set(updates).where(eq(users.id, user.id));

-    // Delete file
-    const fs = await import("fs/promises");
-    const path = await import("path");
-    try {
-      await fs.unlink(path.join(process.cwd(), "data", "images", user.avatarUrl));
-    } catch {
-      // Ignore if file doesn't exist
-    }
+			return { ok: true, message: "Profile updated" };
+		}
+	);

-    // Update user
-    await db.update(users).set({ avatarUrl: null, updatedAt: new Date() }).where(eq(users.id, authUser.id));
+	// ---------------------------------------------------------------------------
+	// POST /auth/avatar - Upload user avatar
+	// ---------------------------------------------------------------------------
+	app.post(
+		"/auth/avatar",
+		{
+			preHandler: requireAuth,
+			config: { rateLimit: authRateLimitConfig },
+		},
+		async (request, reply) => {
+			const authUser = request.user as unknown as AuthUser | null;
+			if (!authUser) {
+				return reply.status(401).send({ error: "Not authenticated" });
+			}

-    return { ok: true };
-  });
+			const data = await request.file();
+			if (!data) {
+				return reply.status(400).send({ error: "No file uploaded", code: "NO_FILE" });
+			}
+
+			// Validate file type
+			if (!ALLOWED_IMAGE_MIME_TYPES.includes(data.mimetype)) {
+				return reply.status(400).send({ error: "Invalid file type", code: "INVALID_TYPE" });
+			}
+
+			let uploadBuffer: Buffer;
+			try {
+				uploadBuffer = await streamToBuffer(data.file);
+			} catch (error) {
+				if (error instanceof Error && error.message === "IMAGE_TOO_LARGE") {
+					return reply.status(400).send({ error: "Image too large", code: "IMAGE_TOO_LARGE" });
+				}
+				throw error;
+			}
+
+			let filename: string;
+			try {
+				({ filename } = await writeOptimizedImageSet(IMAGES_DIR, `avatar_${authUser.id}`, uploadBuffer));
+			} catch {
+				return reply.status(400).send({ error: "Invalid image", code: "INVALID_IMAGE" });
+			}
+
+			// Delete old avatar if exists
+			const [user] = await db.select().from(users).where(eq(users.id, authUser.id));
+			if (user?.avatarUrl) {
+				removeImageFiles(IMAGES_DIR, user.avatarUrl);
+			}
+
+			// Update user
+			await db.update(users).set({ avatarUrl: filename, updatedAt: new Date() }).where(eq(users.id, authUser.id));
+
+			return { ok: true, avatarUrl: filename };
+		}
+	);
+
+	// ---------------------------------------------------------------------------
+	// DELETE /auth/avatar - Delete user avatar
+	// ---------------------------------------------------------------------------
+	app.delete(
+		"/auth/avatar",
+		{
+			preHandler: requireAuth,
+			config: { rateLimit: authRateLimitConfig },
+		},
+		async (request, reply) => {
+			const authUser = request.user as unknown as AuthUser | null;
+			if (!authUser) {
+				return reply.status(401).send({ error: "Not authenticated" });
+			}
+
+			const [user] = await db.select().from(users).where(eq(users.id, authUser.id));
+			if (!user?.avatarUrl) {
+				return reply.status(404).send({ error: "No avatar to delete" });
+			}
+
+			// Delete file
+			removeImageFiles(IMAGES_DIR, user.avatarUrl);
+
+			// Update user
+			await db.update(users).set({ avatarUrl: null, updatedAt: new Date() }).where(eq(users.id, authUser.id));
+
+			return { ok: true };
+		}
+	);
+
+	// ---------------------------------------------------------------------------
+	// DELETE /auth/me - Delete user account and all data
+	// ---------------------------------------------------------------------------
+	app.delete(
+		"/auth/me",
+		{
+			preHandler: requireAuth,
+			config: { rateLimit: sensitiveRateLimitConfig },
+		},
+		async (request, reply) => {
+			const authUser = request.user as unknown as AuthUser | null;
+			if (!authUser) {
+				return reply.status(401).send({ error: "Not authenticated" });
+			}
+
+			// Delete avatar file if exists
+			const [user] = await db.select().from(users).where(eq(users.id, authUser.id));
+			if (user?.avatarUrl) {
+				removeImageFiles(IMAGES_DIR, user.avatarUrl);
+			}
+
+			// Delete user - cascade delete handles all related data
+			await db.delete(users).where(eq(users.id, authUser.id));
+
+			app.log.info(`User deleted account: ${authUser.username} (ID: ${authUser.id})`);
+
+			// Clear auth cookies
+			return reply
+				.clearCookie("access_token", app.config.cookieOptions)
+				.clearCookie("refresh_token", app.config.refreshCookieOptions)
+				.send({ ok: true, message: "Account deleted" });
+		}
+	);
 }
@@ -1,231 +1,430 @@
-import { FastifyInstance } from "fastify";
+import { and, eq } from "drizzle-orm";
+import type { FastifyInstance, FastifyReply, FastifyRequest } from "fastify";
 import { z } from "zod";
 import { db } from "../db/client.js";
-import { doseTracking, shareTokens } from "../db/schema.js";
-import { eq, and } from "drizzle-orm";
-import { requireAuth, getAnonymousUserId } from "../plugins/auth.js";
+import { doseTracking, medications, shareTokens } from "../db/schema.js";
+import { getAnonymousUserId, requireAuth } from "../plugins/auth.js";
 import { env } from "../plugins/env.js";
 import type { AuthUser } from "../types/fastify.js";
+import { parseIntakesJson, parseTakenByJson, personTakesMedication } from "../utils/scheduler-utils.js";

 // =============================================================================
 // Validation Schemas
 // =============================================================================
 const markDoseSchema = z.object({
-  doseId: z.string().min(1, "doseId is required"),
+	doseId: z.string().min(1, "doseId is required"),
 });

 const shareDoseSchema = z.object({
-  doseId: z.string().min(1, "doseId is required"),
+	doseId: z.string().min(1, "doseId is required"),
 });

+const dismissDosesSchema = z.object({
+	doseIds: z.array(z.string().min(1)).min(1, "At least one doseId is required"),
+});
+
+const doseIdPattern = /^(\d+)-(\d+)-(\d+)(?:-(.+))?$/;
+
+function maskToken(token: string): string {
+	if (token.length <= 8) return token;
+	return `${token.slice(0, 4)}...${token.slice(-4)}`;
+}
+
 // Helper to get user ID from request
 // Returns anonymous user ID when auth is disabled
-async function getUserId(request: any, reply: any): Promise<number> {
-  // If auth is disabled, use the anonymous user
-  if (!env.AUTH_ENABLED) {
-    return getAnonymousUserId();
-  }
-  
-  const authUser = request.user as unknown as AuthUser | null;
-  if (!authUser) {
-    reply.status(401).send({ error: "Not authenticated" });
-    throw new Error("AUTH_REQUIRED");
-  }
-  return authUser.id;
+async function getUserId(request: FastifyRequest, reply: FastifyReply): Promise<number> {
+	// If auth is disabled, use the anonymous user
+	if (!env.AUTH_ENABLED) {
+		return getAnonymousUserId();
+	}
+
+	const authUser = request.user as unknown as AuthUser | null;
+	if (!authUser) {
+		reply.status(401).send({ error: "Not authenticated" });
+		throw new Error("AUTH_REQUIRED");
+	}
+	return authUser.id;
+}
+
+type ParsedDoseId = {
+	medicationId: number;
+	intakeIndex: number;
+	timestampMs: number;
+	personSuffix: string | null;
+};
+
+function parseDoseId(doseId: string): ParsedDoseId | null {
+	const match = doseIdPattern.exec(doseId);
+	if (!match) return null;
+
+	const medicationId = Number.parseInt(match[1], 10);
+	const intakeIndex = Number.parseInt(match[2], 10);
+	const timestampMs = Number.parseInt(match[3], 10);
+	const personSuffix = match[4] ? match[4].trim() : null;
+
+	if (Number.isNaN(medicationId) || Number.isNaN(intakeIndex) || Number.isNaN(timestampMs) || intakeIndex < 0) {
+		return null;
+	}
+
+	return {
+		medicationId,
+		intakeIndex,
+		timestampMs,
+		personSuffix,
+	};
+}
+
+async function getActiveShareToken(token: string): Promise<{
+	share: typeof shareTokens.$inferSelect | null;
+	reason: "not_found" | "expired" | "ok";
+}> {
+	const [share] = await db.select().from(shareTokens).where(eq(shareTokens.token, token));
+	if (!share) return { share: null, reason: "not_found" };
+
+	if (share.expiresAt && share.expiresAt.getTime() < Date.now()) {
+		return { share: null, reason: "expired" };
+	}
+
+	return { share, reason: "ok" };
+}
+
+async function validateShareDoseId(share: typeof shareTokens.$inferSelect, doseId: string): Promise<boolean> {
+	const parsedDose = parseDoseId(doseId);
+	if (!parsedDose) {
+		return false;
+	}
+
+	const [medication] = await db
+		.select()
+		.from(medications)
+		.where(and(eq(medications.id, parsedDose.medicationId), eq(medications.userId, share.userId)));
+
+	if (!medication) {
+		return false;
+	}
+
+	const medTakenBy = parseTakenByJson(medication.takenByJson);
+	const intakes = parseIntakesJson(
+		medication.intakesJson,
+		{ usageJson: medication.usageJson, everyJson: medication.everyJson, startJson: medication.startJson },
+		medication.intakeRemindersEnabled ?? false
+	);
+
+	if (!personTakesMedication(share.takenBy, medTakenBy, intakes)) {
+		return false;
+	}
+
+	const intake = intakes[parsedDose.intakeIndex];
+	if (!intake) {
+		return false;
+	}
+
+	const expectedPersons = intake.takenBy ? [intake.takenBy] : medTakenBy;
+	if (expectedPersons.length === 0) {
+		return parsedDose.personSuffix === null;
+	}
+
+	if (!parsedDose.personSuffix) {
+		return true;
+	}
+
+	return expectedPersons.includes(parsedDose.personSuffix);
 }

 // =============================================================================
 // Dose Tracking Routes
 // =============================================================================
 export async function doseRoutes(app: FastifyInstance) {
-  // ---------------------------------------------------------------------------
-  // GET /doses/taken - PROTECTED: Get all taken doses for the user
-  // ---------------------------------------------------------------------------
-  app.get(
-    "/doses/taken",
-    { preHandler: requireAuth },
-    async (request, reply) => {
-      const userId = await getUserId(request, reply);
+	// ---------------------------------------------------------------------------
+	// GET /doses/taken - PROTECTED: Get all taken doses for the user
+	// Suppress request logs — polled every 5s by frontend
+	// ---------------------------------------------------------------------------
+	app.get("/doses/taken", { preHandler: requireAuth, logLevel: "warn" }, async (request, reply) => {
+		const userId = await getUserId(request, reply);

-      // Get all taken doses for this user (no time limit)
-      const doses = await db.select()
-        .from(doseTracking)
-        .where(eq(doseTracking.userId, userId));
+		// Get all taken doses for this user (no time limit)
+		const doses = await db.select().from(doseTracking).where(eq(doseTracking.userId, userId));

-      return {
-        doses: doses.map((d) => ({
-          doseId: d.doseId,
-          takenAt: d.takenAt?.getTime() ?? Date.now(),
-          markedBy: d.markedBy,
-        })),
-      };
-    }
-  );
+		return {
+			doses: doses.map((d) => ({
+				doseId: d.doseId,
+				takenAt: d.takenAt?.getTime() ?? Date.now(),
+				markedBy: d.markedBy,
+				takenSource: d.takenSource ?? "manual",
+				dismissed: d.dismissed ?? false,
+			})),
+		};
+	});

-  // ---------------------------------------------------------------------------
-  // POST /doses/taken - PROTECTED: Mark a dose as taken
-  // ---------------------------------------------------------------------------
-  app.post<{ Body: z.infer<typeof markDoseSchema> }>(
-    "/doses/taken",
-    { preHandler: requireAuth },
-    async (request, reply) => {
-      const userId = await getUserId(request, reply);
+	// ---------------------------------------------------------------------------
+	// POST /doses/taken - PROTECTED: Mark a dose as taken
+	// ---------------------------------------------------------------------------
+	app.post<{ Body: z.infer<typeof markDoseSchema> }>(
+		"/doses/taken",
+		{ preHandler: requireAuth },
+		async (request, reply) => {
+			const userId = await getUserId(request, reply);

-      const parsed = markDoseSchema.safeParse(request.body);
-      if (!parsed.success) {
-        return reply.status(400).send({
-          error: parsed.error.errors[0]?.message ?? "Invalid input",
-        });
-      }
+			const parsed = markDoseSchema.safeParse(request.body);
+			if (!parsed.success) {
+				return reply.status(400).send({
+					error: parsed.error.errors[0]?.message ?? "Invalid input",
+				});
+			}

-      const { doseId } = parsed.data;
+			const { doseId } = parsed.data;

-      // Check if already marked
-      const [existing] = await db.select()
-        .from(doseTracking)
-        .where(
-          and(
-            eq(doseTracking.userId, userId),
-            eq(doseTracking.doseId, doseId)
-          )
-        );
+			// Check if already marked
+			const [existing] = await db
+				.select()
+				.from(doseTracking)
+				.where(and(eq(doseTracking.userId, userId), eq(doseTracking.doseId, doseId)));

-      if (existing) {
-        return { success: true, message: "Already marked" };
-      }
+			if (existing) {
+				return { success: true, message: "Already marked" };
+			}

-      // Insert new record
-      await db.insert(doseTracking).values({
-        userId,
-        doseId,
-        markedBy: null, // Marked by the user themselves
-      });
+			// Insert new record
+			await db.insert(doseTracking).values({
+				userId,
+				doseId,
+				markedBy: null, // Marked by the user themselves
+				takenSource: "manual",
+			});

-      return { success: true };
-    }
-  );
+			return { success: true };
+		}
+	);

-  // ---------------------------------------------------------------------------
-  // DELETE /doses/taken/:doseId - PROTECTED: Unmark a dose
-  // ---------------------------------------------------------------------------
-  app.delete<{ Params: { doseId: string } }>(
-    "/doses/taken/:doseId",
-    { preHandler: requireAuth },
-    async (request, reply) => {
-      const userId = await getUserId(request, reply);
+	// ---------------------------------------------------------------------------
+	// DELETE /doses/taken/:doseId - PROTECTED: Unmark a dose
+	// ---------------------------------------------------------------------------
+	app.delete<{ Params: { doseId: string } }>(
+		"/doses/taken/:doseId",
+		{ preHandler: requireAuth },
+		async (request, reply) => {
+			const userId = await getUserId(request, reply);

-      const { doseId } = request.params;
+			const { doseId } = request.params;

-      await db.delete(doseTracking).where(
-        and(
-          eq(doseTracking.userId, userId),
-          eq(doseTracking.doseId, doseId)
-        )
-      );
+			// Check if this dose was dismissed
+			const [existing] = await db
+				.select()
+				.from(doseTracking)
+				.where(and(eq(doseTracking.userId, userId), eq(doseTracking.doseId, doseId)));

-      return { success: true };
-    }
-  );
+			if (existing?.dismissed) {
+				// Already dismissed - keep the record as-is
+				// The dose stays dismissed, we just acknowledge the undo request
+			} else {
+				// Not dismissed - delete the record entirely
+				await db.delete(doseTracking).where(and(eq(doseTracking.userId, userId), eq(doseTracking.doseId, doseId)));
+			}

-  // ---------------------------------------------------------------------------
-  // GET /share/:token/doses - PUBLIC: Get taken doses for a share link
-  // ---------------------------------------------------------------------------
-  app.get<{ Params: { token: string } }>(
-    "/share/:token/doses",
-    async (request, reply) => {
-      const { token } = request.params;
+			return { success: true };
+		}
+	);

-      // Find share token
-      const [share] = await db.select().from(shareTokens).where(eq(shareTokens.token, token));
-      if (!share) {
-        return reply.notFound("Share link not found");
-      }
+	// ---------------------------------------------------------------------------
+	// POST /doses/dismiss - PROTECTED: Dismiss missed doses without deducting stock
+	// ---------------------------------------------------------------------------
+	app.post<{ Body: z.infer<typeof dismissDosesSchema> }>(
+		"/doses/dismiss",
+		{ preHandler: requireAuth },
+		async (request, reply) => {
+			const userId = await getUserId(request, reply);

-      // Get all taken doses for this user (no time limit)
-      const doses = await db.select()
-        .from(doseTracking)
-        .where(eq(doseTracking.userId, share.userId));
+			const parsed = dismissDosesSchema.safeParse(request.body);
+			if (!parsed.success) {
+				return reply.status(400).send({
+					error: parsed.error.errors[0]?.message ?? "Invalid input",
+				});
+			}

-      return {
-        doses: doses.map((d) => ({
-          doseId: d.doseId,
-          takenAt: d.takenAt?.getTime() ?? Date.now(),
-          markedBy: d.markedBy,
-        })),
-      };
-    }
-  );
+			const { doseIds } = parsed.data;

-  // ---------------------------------------------------------------------------
-  // POST /share/:token/doses - PUBLIC: Mark a dose as taken via share link
-  // ---------------------------------------------------------------------------
-  app.post<{ Params: { token: string }; Body: z.infer<typeof shareDoseSchema> }>(
-    "/share/:token/doses",
-    async (request, reply) => {
-      const { token } = request.params;
+			// Insert dismissed records for each dose that doesn't exist yet
+			let dismissedCount = 0;
+			for (const doseId of doseIds) {
+				// Check if already exists (taken or dismissed)
+				const [existing] = await db
+					.select()
+					.from(doseTracking)
+					.where(and(eq(doseTracking.userId, userId), eq(doseTracking.doseId, doseId)));

-      const parsed = shareDoseSchema.safeParse(request.body);
-      if (!parsed.success) {
-        return reply.status(400).send({
-          error: parsed.error.errors[0]?.message ?? "Invalid input",
-        });
-      }
+				if (existing) {
+					// Already exists - update to dismissed if not already
+					if (!existing.dismissed) {
+						await db
+							.update(doseTracking)
+							.set({ dismissed: true })
+							.where(and(eq(doseTracking.userId, userId), eq(doseTracking.doseId, doseId)));
+						dismissedCount++;
+					}
+				} else {
+					// Create new dismissed record
+					await db.insert(doseTracking).values({
+						userId,
+						doseId,
+						markedBy: null,
+						dismissed: true,
+					});
+					dismissedCount++;
+				}
+			}

-      const { doseId } = parsed.data;
+			return { success: true, dismissedCount };
+		}
+	);

-      // Find share token
-      const [share] = await db.select().from(shareTokens).where(eq(shareTokens.token, token));
-      if (!share) {
-        return reply.notFound("Share link not found");
-      }
+	// ---------------------------------------------------------------------------
+	// DELETE /doses/dismiss - PROTECTED: Clear all dismissed doses (un-dismiss)
+	// ---------------------------------------------------------------------------
+	app.delete("/doses/dismiss", { preHandler: requireAuth }, async (request, reply) => {
+		const userId = await getUserId(request, reply);

-      // Check if already marked
-      const [existing] = await db.select()
-        .from(doseTracking)
-        .where(
-          and(
-            eq(doseTracking.userId, share.userId),
-            eq(doseTracking.doseId, doseId)
-          )
-        );
+		// Delete all dismissed-only records (not taken ones)
+		// For taken+dismissed, just remove the dismissed flag
+		const dismissed = await db
+			.select()
+			.from(doseTracking)
+			.where(and(eq(doseTracking.userId, userId), eq(doseTracking.dismissed, true)));

-      if (existing) {
-        return { success: true, message: "Already marked" };
-      }
+		for (const d of dismissed) {
+			if (d.markedBy !== null || d.takenAt) {
+				// This was also marked as taken - just remove dismissed flag
+				await db.update(doseTracking).set({ dismissed: false }).where(eq(doseTracking.id, d.id));
+			} else {
+				// This was only dismissed - delete it
+				await db.delete(doseTracking).where(eq(doseTracking.id, d.id));
+			}
+		}

-      // Insert new record - marked by the takenBy person
-      await db.insert(doseTracking).values({
-        userId: share.userId,
-        doseId,
-        markedBy: share.takenBy, // e.g. "Daniel"
-      });
+		return { success: true, clearedCount: dismissed.length };
+	});

-      return { success: true };
-    }
-  );
+	// ---------------------------------------------------------------------------
+	// GET /share/:token/doses - PUBLIC: Get taken doses for a share link
+	// Suppress request logs — polled every 5s by SharedSchedule
+	// ---------------------------------------------------------------------------
+	app.get<{ Params: { token: string } }>("/share/:token/doses", { logLevel: "warn" }, async (request, reply) => {
+		const { token } = request.params;

-  // ---------------------------------------------------------------------------
-  // DELETE /share/:token/doses/:doseId - PUBLIC: Unmark a dose via share link
-  // ---------------------------------------------------------------------------
-  app.delete<{ Params: { token: string; doseId: string } }>(
-    "/share/:token/doses/:doseId",
-    async (request, reply) => {
-      const { token, doseId } = request.params;
+		const { share, reason } = await getActiveShareToken(token);
+		if (!share) {
+			request.log.warn(`[ShareDose] Rejected read for token ${maskToken(token)} (reason=${reason})`);
+			return reply.notFound("Share link not found");
+		}

-      // Find share token
-      const [share] = await db.select().from(shareTokens).where(eq(shareTokens.token, token));
-      if (!share) {
-        return reply.notFound("Share link not found");
-      }
+		// Get all taken doses for this user (no time limit)
+		const doses = await db.select().from(doseTracking).where(eq(doseTracking.userId, share.userId));

-      await db.delete(doseTracking).where(
-        and(
-          eq(doseTracking.userId, share.userId),
-          eq(doseTracking.doseId, doseId)
-        )
-      );
+		return {
+			doses: doses.map((d) => ({
+				doseId: d.doseId,
+				takenAt: d.takenAt?.getTime() ?? Date.now(),
+				markedBy: d.markedBy,
+				takenSource: d.takenSource ?? "manual",
+				dismissed: d.dismissed ?? false,
+			})),
+		};
+	});

-      return { success: true };
-    }
-  );
+	// ---------------------------------------------------------------------------
+	// POST /share/:token/doses - PUBLIC: Mark a dose as taken via share link
+	// ---------------------------------------------------------------------------
+	app.post<{ Params: { token: string }; Body: z.infer<typeof shareDoseSchema> }>(
+		"/share/:token/doses",
+		async (request, reply) => {
+			const { token } = request.params;
+
+			const parsed = shareDoseSchema.safeParse(request.body);
+			if (!parsed.success) {
+				return reply.status(400).send({
+					error: parsed.error.errors[0]?.message ?? "Invalid input",
+				});
+			}
+
+			const { doseId } = parsed.data;
+
+			const { share, reason } = await getActiveShareToken(token);
+			if (!share) {
+				request.log.warn(`[ShareDose] Rejected mark for token ${maskToken(token)} (reason=${reason})`);
+				return reply.notFound("Share link not found");
+			}
+
+			const isValidShareDoseId = await validateShareDoseId(share, doseId);
+			if (!isValidShareDoseId) {
+				request.log.warn(
+					`[ShareDose] Rejected invalid doseId in mark request (owner=${share.userId}, takenBy=${share.takenBy}, doseId=${doseId})`
+				);
+				return reply.status(400).send({ error: "Invalid or unauthorized doseId" });
+			}
+
+			// Check if already marked
+			const [existing] = await db
+				.select()
+				.from(doseTracking)
+				.where(and(eq(doseTracking.userId, share.userId), eq(doseTracking.doseId, doseId)));
+
+			if (existing) {
+				request.log.debug(`[ShareDose] Duplicate mark ignored (owner=${share.userId}, doseId=${doseId})`);
+				return { success: true, message: "Already marked" };
+			}
+
+			// Insert new record - marked by the takenBy person
+			await db.insert(doseTracking).values({
+				userId: share.userId,
+				doseId,
+				markedBy: share.takenBy, // e.g. "Daniel"
+				takenSource: "manual",
+			});
+
+			request.log.info(
+				`[ShareDose] Dose marked via share link (owner=${share.userId}, takenBy=${share.takenBy}, doseId=${doseId})`
+			);
+
+			return { success: true };
+		}
+	);
+
+	// ---------------------------------------------------------------------------
+	// DELETE /share/:token/doses/:doseId - PUBLIC: Unmark a dose via share link
+	// ---------------------------------------------------------------------------
+	app.delete<{ Params: { token: string; doseId: string } }>("/share/:token/doses/:doseId", async (request, reply) => {
+		const { token, doseId } = request.params;
+
+		const { share, reason } = await getActiveShareToken(token);
+		if (!share) {
+			request.log.warn(`[ShareDose] Rejected unmark for token ${maskToken(token)} (reason=${reason})`);
+			return reply.notFound("Share link not found");
+		}
+
+		const isValidShareDoseId = await validateShareDoseId(share, doseId);
+		if (!isValidShareDoseId) {
+			request.log.warn(
+				`[ShareDose] Rejected invalid doseId in unmark request (owner=${share.userId}, takenBy=${share.takenBy}, doseId=${doseId})`
+			);
+			return reply.status(400).send({ error: "Invalid or unauthorized doseId" });
+		}
+
+		// Check if this dose was dismissed
+		const [existing] = await db
+			.select()
+			.from(doseTracking)
+			.where(and(eq(doseTracking.userId, share.userId), eq(doseTracking.doseId, doseId)));
+
+		if (existing?.dismissed) {
+			// Already dismissed - keep the record as-is
+			request.log.debug(`[ShareDose] Unmark ignored for dismissed dose (owner=${share.userId}, doseId=${doseId})`);
+		} else {
+			// Not dismissed - delete the record entirely
+			await db.delete(doseTracking).where(and(eq(doseTracking.userId, share.userId), eq(doseTracking.doseId, doseId)));
+			request.log.info(
+				`[ShareDose] Dose unmarked via share link (owner=${share.userId}, takenBy=${share.takenBy}, doseId=${doseId})`
+			);
+		}
+
+		return { success: true };
+	});
 }
@@ -0,0 +1,706 @@
+import { randomBytes } from "node:crypto";
+import { existsSync, mkdirSync, readFileSync, unlinkSync, writeFileSync } from "node:fs";
+import { extname, resolve } from "node:path";
+import { eq } from "drizzle-orm";
+import type { FastifyInstance, FastifyReply, FastifyRequest } from "fastify";
+import { z } from "zod";
+import { db } from "../db/client.js";
+import { getDataDir } from "../db/db-utils.js";
+import { doseTracking, medications, refillHistory, shareTokens, userSettings } from "../db/schema.js";
+import { getAnonymousUserId, requireAuth } from "../plugins/auth.js";
+import { env } from "../plugins/env.js";
+import type { AuthUser } from "../types/fastify.js";
+import { parseIntakesJson, parseTakenByJson } from "../utils/scheduler-utils.js";
+
+const IMAGES_DIR = resolve(getDataDir(), "images");
+
+// =============================================================================
+// Export Format Version (bump this when format changes)
+// =============================================================================
+const EXPORT_VERSION = "1.1";
+
+// =============================================================================
+// Zod Schemas for Import Validation
+// =============================================================================
+
+const scheduleSchema = z.object({
+	usage: z.number().nonnegative(),
+	every: z.number().int().min(1),
+	start: z.string(), // ISO datetime string
+	remind: z.boolean().optional().default(false),
+	takenBy: z.string().nullable().optional(), // Per-intake takenBy (new field)
+});
+
+const inventorySchema = z.object({
+	packCount: z.number().int().min(0).default(1),
+	blistersPerPack: z.number().int().min(1).default(1),
+	pillsPerBlister: z.number().int().min(1).default(1),
+	totalPills: z.number().int().nullable().optional(), // For bottle type: total capacity
+	looseTablets: z.number().int().min(0).default(0),
+	stockAdjustment: z.number().int().default(0), // Manual stock correction
+	packageType: z.enum(["blister", "bottle"]).default("blister"),
+});
+
+const medicationExportSchema = z.object({
+	_exportId: z.string(),
+	name: z.string().min(1),
+	genericName: z.string().nullable().optional(),
+	takenBy: z.array(z.string()).default([]),
+	inventory: inventorySchema,
+	pillWeightMg: z.number().int().nullable().optional(),
+	doseUnit: z.enum(["mg", "g", "mcg", "ml", "IU", "units", "drops", "puffs"]).default("mg"),
+	schedules: z.array(scheduleSchema).default([]),
+	medicationStartDate: z.string().nullable().optional(),
+	expiryDate: z.string().nullable().optional(),
+	notes: z.string().nullable().optional(),
+	intakeRemindersEnabled: z.boolean().default(false),
+	isObsolete: z.boolean().default(false),
+	obsoleteAt: z.string().nullable().optional(),
+	prescriptionEnabled: z.boolean().default(false),
+	prescriptionAuthorizedRefills: z.number().int().min(0).nullable().optional(),
+	prescriptionRemainingRefills: z.number().int().min(0).nullable().optional(),
+	prescriptionLowRefillThreshold: z.number().int().min(0).default(1),
+	prescriptionExpiryDate: z.string().nullable().optional(),
+	dismissedUntil: z.string().nullable().optional(), // ISO date string for dismissed past doses
+	image: z.string().nullable().optional(), // base64 data URL or null
+	lastStockCorrectionAt: z.string().nullable().optional(), // ISO datetime of last stock correction
+});
+
+const doseHistorySchema = z.object({
+	medicationRef: z.string(), // References _exportId
+	scheduleIndex: z.number().int().min(0),
+	scheduledTime: z.string(), // ISO datetime
+	takenAt: z.string(), // ISO datetime
+	markedBy: z.string().nullable().optional(),
+	takenSource: z.enum(["manual", "automatic"]).default("manual"),
+	dismissed: z.boolean().default(false),
+	takenByPerson: z.string().nullable().optional(), // Person suffix from dose ID (e.g., "Daniel")
+});
+
+const refillHistoryExportSchema = z.object({
+	medicationRef: z.string(), // References _exportId
+	packsAdded: z.number().int().min(0).default(0),
+	loosePillsAdded: z.number().int().min(0).default(0),
+	usedPrescription: z.boolean().default(false),
+	refillDate: z.string(), // ISO datetime
+});
+
+const shareLinkSchema = z.object({
+	takenBy: z.string().min(1),
+	scheduleDays: z.number().int().min(1).default(30),
+	expiresAt: z.string().nullable().optional(), // ISO datetime
+	regenerateToken: z.boolean().default(true),
+});
+
+const settingsExportSchema = z
+	.object({
+		// Email notifications
+		emailEnabled: z.boolean().default(false),
+		notificationEmail: z.string().nullable().optional(),
+		emailStockReminders: z.boolean().default(true),
+		emailIntakeReminders: z.boolean().default(true),
+		emailPrescriptionReminders: z.boolean().default(true),
+		// Push notifications
+		shoutrrrEnabled: z.boolean().optional(),
+		shoutrrrUrl: z.string().nullable().optional(),
+		shoutrrrStockReminders: z.boolean().default(true),
+		shoutrrrIntakeReminders: z.boolean().default(true),
+		shoutrrrPrescriptionReminders: z.boolean().default(true),
+		// Reminder settings
+		reminderDaysBefore: z.number().int().default(7),
+		repeatDailyReminders: z.boolean().default(false),
+		skipRemindersForTakenDoses: z.boolean().default(false),
+		repeatRemindersEnabled: z.boolean().default(false),
+		reminderRepeatIntervalMinutes: z.number().int().default(30),
+		maxNaggingReminders: z.number().int().default(5),
+		// Stock thresholds
+		lowStockDays: z.number().int().default(30),
+		normalStockDays: z.number().int().default(90),
+		highStockDays: z.number().int().default(180),
+		expiryWarningDays: z.number().int().default(90),
+		// UI preferences
+		language: z.string().default("en"),
+		stockCalculationMode: z.enum(["automatic", "manual"]).default("automatic"),
+		shareStockStatus: z.boolean().default(true),
+	})
+	.optional();
+
+const importDataSchema = z.object({
+	version: z.string(),
+	exportedAt: z.string(),
+	includeSensitiveData: z.boolean().default(false),
+	medications: z.array(medicationExportSchema).default([]),
+	doseHistory: z.array(doseHistorySchema).default([]),
+	refillHistory: z.array(refillHistoryExportSchema).default([]),
+	settings: settingsExportSchema,
+	shareLinks: z.array(shareLinkSchema).default([]),
+});
+
+// =============================================================================
+// Helper Functions
+// =============================================================================
+
+// Helper to get user ID from request
+async function getUserId(request: FastifyRequest, reply: FastifyReply): Promise<number> {
+	if (!env.AUTH_ENABLED) {
+		return getAnonymousUserId();
+	}
+
+	const authUser = request.user as unknown as AuthUser | null;
+	if (!authUser) {
+		reply.status(401).send({ error: "Not authenticated" });
+		throw new Error("AUTH_REQUIRED");
+	}
+	return authUser.id;
+}
+
+// Parse intakes from DB format to export format (with per-intake takenBy)
+function parseIntakesForExport(
+	row: typeof medications.$inferSelect
+): Array<{ usage: number; every: number; start: string; remind: boolean; takenBy: string | null }> {
+	// Use the new parseIntakesJson which falls back to legacy format
+	const intakes = parseIntakesJson(
+		row.intakesJson,
+		{ usageJson: row.usageJson, everyJson: row.everyJson, startJson: row.startJson },
+		row.intakeRemindersEnabled ?? false
+	);
+
+	return intakes.map((intake) => ({
+		usage: intake.usage,
+		every: intake.every,
+		start: intake.start,
+		remind: intake.intakeRemindersEnabled,
+		takenBy: intake.takenBy, // Per-intake takenBy
+	}));
+}
+
+// Read image file and convert to base64 data URL
+function imageToBase64(imageUrl: string | null): string | null {
+	if (!imageUrl) return null;
+	const imagePath = resolve(IMAGES_DIR, imageUrl);
+	if (!existsSync(imagePath)) return null;
+
+	try {
+		const imageBuffer = readFileSync(imagePath);
+		const ext = extname(imageUrl).toLowerCase();
+		const mimeTypes: Record<string, string> = {
+			".jpg": "image/jpeg",
+			".jpeg": "image/jpeg",
+			".png": "image/png",
+			".webp": "image/webp",
+			".gif": "image/gif",
+		};
+		const mimeType = mimeTypes[ext] || "image/jpeg";
+		return `data:${mimeType};base64,${imageBuffer.toString("base64")}`;
+	} catch {
+		return null;
+	}
+}
+
+// Save base64 image to file and return filename
+function base64ToImage(base64: string, medicationId: number): string | null {
+	if (!base64 || !base64.startsWith("data:")) return null;
+
+	try {
+		// Parse data URL: "data:image/jpeg;base64,/9j/4AAQ..."
+		const matches = base64.match(/^data:image\/(\w+);base64,(.+)$/);
+		if (!matches) return null;
+
+		const ext = matches[1] === "jpeg" ? "jpg" : matches[1];
+		const data = matches[2];
+		const buffer = Buffer.from(data, "base64");
+
+		const filename = `med-${medicationId}-${Date.now()}.${ext}`;
+		const filepath = resolve(IMAGES_DIR, filename);
+
+		// Ensure images directory exists
+		if (!existsSync(IMAGES_DIR)) {
+			mkdirSync(IMAGES_DIR, { recursive: true });
+		}
+
+		writeFileSync(filepath, buffer);
+		return filename;
+	} catch {
+		return null;
+	}
+}
+
+// Parse dose ID to extract medication ID and timestamp
+// Format: "{medicationId}-{blisterIndex}-{timestampMs}" or "{medicationId}-{blisterIndex}-{timestampMs}-{person}"
+function parseDoseId(
+	doseId: string
+): { medicationId: number; blisterIndex: number; timestampMs: number; person: string | null } | null {
+	const parts = doseId.split("-");
+	if (parts.length < 3) return null;
+
+	const medicationId = parseInt(parts[0], 10);
+	const blisterIndex = parseInt(parts[1], 10);
+	const timestampMs = parseInt(parts[2], 10);
+
+	if (Number.isNaN(medicationId) || Number.isNaN(blisterIndex) || Number.isNaN(timestampMs)) return null;
+
+	// Check if there's a person suffix (4th part onwards, could be multi-part name)
+	const person = parts.length > 3 ? parts.slice(3).join("-") : null;
+
+	return { medicationId, blisterIndex, timestampMs, person };
+}
+
+// Build dose ID from parts (with optional person suffix)
+function buildDoseId(medicationId: number, blisterIndex: number, timestampMs: number, person?: string | null): string {
+	const base = `${medicationId}-${blisterIndex}-${timestampMs}`;
+	return person ? `${base}-${person}` : base;
+}
+
+// =============================================================================
+// Export Routes
+// =============================================================================
+export async function exportRoutes(app: FastifyInstance) {
+	// All export routes require auth
+	app.addHook("preHandler", requireAuth);
+
+	// ---------------------------------------------------------------------------
+	// GET /export - Export all user data
+	// ---------------------------------------------------------------------------
+	app.get<{ Querystring: { includeSensitive?: string; includeImages?: string } }>("/export", async (request, reply) => {
+		const userId = await getUserId(request, reply);
+		const includeSensitive = request.query.includeSensitive === "true";
+		const includeImages = request.query.includeImages !== "false"; // Default to true
+
+		// 1. Load all medications
+		const meds = await db.select().from(medications).where(eq(medications.userId, userId)).orderBy(medications.id);
+
+		// Build medication ID to export ID mapping
+		const medIdToExportId = new Map<number, string>();
+		const exportMedications = meds.map((med, index) => {
+			const exportId = `med-${index + 1}`;
+			medIdToExportId.set(med.id, exportId);
+
+			// Safely convert lastStockCorrectionAt to ISO string
+			let lastStockCorrectionAtIso: string | null = null;
+			if (med.lastStockCorrectionAt) {
+				try {
+					if (med.lastStockCorrectionAt instanceof Date && !Number.isNaN(med.lastStockCorrectionAt.getTime())) {
+						lastStockCorrectionAtIso = med.lastStockCorrectionAt.toISOString();
+					} else if (typeof med.lastStockCorrectionAt === "number" || typeof med.lastStockCorrectionAt === "string") {
+						const d = new Date(med.lastStockCorrectionAt);
+						lastStockCorrectionAtIso = !Number.isNaN(d.getTime()) ? d.toISOString() : null;
+					}
+				} catch {
+					lastStockCorrectionAtIso = null;
+				}
+			}
+
+			return {
+				_exportId: exportId,
+				name: med.name,
+				genericName: med.genericName,
+				takenBy: parseTakenByJson(med.takenByJson),
+				inventory: {
+					packCount: med.packCount ?? 1,
+					blistersPerPack: med.blistersPerPack ?? 1,
+					pillsPerBlister: med.pillsPerBlister ?? 1,
+					totalPills: med.totalPills ?? null,
+					looseTablets: med.looseTablets ?? 0,
+					stockAdjustment: med.stockAdjustment ?? 0,
+					packageType: med.packageType ?? "blister",
+				},
+				pillWeightMg: med.pillWeightMg,
+				doseUnit: med.doseUnit ?? "mg",
+				schedules: parseIntakesForExport(med),
+				medicationStartDate: med.medicationStartDate || null,
+				expiryDate: med.expiryDate,
+				notes: med.notes,
+				intakeRemindersEnabled: med.intakeRemindersEnabled ?? false,
+				isObsolete: med.isObsolete ?? false,
+				obsoleteAt: med.obsoleteAt?.toISOString() ?? null,
+				prescriptionEnabled: med.prescriptionEnabled ?? false,
+				prescriptionAuthorizedRefills: med.prescriptionAuthorizedRefills ?? null,
+				prescriptionRemainingRefills: med.prescriptionRemainingRefills ?? null,
+				prescriptionLowRefillThreshold: med.prescriptionLowRefillThreshold ?? 1,
+				prescriptionExpiryDate: med.prescriptionExpiryDate ?? null,
+				dismissedUntil: med.dismissedUntil ?? null,
+				image: includeImages ? imageToBase64(med.imageUrl) : null,
+				lastStockCorrectionAt: lastStockCorrectionAtIso,
+			};
+		});
+
+		// 2. Load all dose tracking entries
+		const doses = await db.select().from(doseTracking).where(eq(doseTracking.userId, userId));
+
+		const exportDoseHistory = doses
+			.map((dose) => {
+				const parsed = parseDoseId(dose.doseId);
+				if (!parsed) return null;
+
+				const exportId = medIdToExportId.get(parsed.medicationId);
+				if (!exportId) return null; // Orphaned dose, skip
+
+				// Safely convert takenAt to ISO string
+				let takenAtIso: string;
+				try {
+					if (dose.takenAt instanceof Date && !Number.isNaN(dose.takenAt.getTime())) {
+						takenAtIso = dose.takenAt.toISOString();
+					} else if (typeof dose.takenAt === "number" || typeof dose.takenAt === "string") {
+						const d = new Date(dose.takenAt);
+						takenAtIso = !Number.isNaN(d.getTime()) ? d.toISOString() : new Date().toISOString();
+					} else {
+						takenAtIso = new Date().toISOString();
+					}
+				} catch {
+					takenAtIso = new Date().toISOString();
+				}
+
+				// Safely convert scheduled time
+				let scheduledTimeIso: string;
+				try {
+					const d = new Date(parsed.timestampMs);
+					scheduledTimeIso = !Number.isNaN(d.getTime()) ? d.toISOString() : new Date().toISOString();
+				} catch {
+					scheduledTimeIso = new Date().toISOString();
+				}
+
+				return {
+					medicationRef: exportId,
+					scheduleIndex: parsed.blisterIndex,
+					scheduledTime: scheduledTimeIso,
+					takenAt: takenAtIso,
+					markedBy: dose.markedBy,
+					takenSource: dose.takenSource === "automatic" ? "automatic" : "manual",
+					dismissed: dose.dismissed ?? false,
+					takenByPerson: parsed.person,
+				};
+			})
+			.filter((d): d is NonNullable<typeof d> => d !== null);
+
+		// 3. Load user settings
+		const [settings] = await db.select().from(userSettings).where(eq(userSettings.userId, userId));
+
+		const exportSettings = settings
+			? {
+					emailEnabled: settings.emailEnabled,
+					notificationEmail: settings.notificationEmail,
+					emailStockReminders: settings.emailStockReminders,
+					emailIntakeReminders: settings.emailIntakeReminders,
+					emailPrescriptionReminders: settings.emailPrescriptionReminders ?? true,
+					// Only include sensitive data if requested
+					shoutrrrEnabled: includeSensitive ? settings.shoutrrrEnabled : undefined,
+					shoutrrrUrl: includeSensitive ? settings.shoutrrrUrl : undefined,
+					shoutrrrStockReminders: settings.shoutrrrStockReminders,
+					shoutrrrIntakeReminders: settings.shoutrrrIntakeReminders,
+					shoutrrrPrescriptionReminders: settings.shoutrrrPrescriptionReminders ?? true,
+					reminderDaysBefore: settings.reminderDaysBefore,
+					repeatDailyReminders: settings.repeatDailyReminders,
+					skipRemindersForTakenDoses: settings.skipRemindersForTakenDoses,
+					repeatRemindersEnabled: settings.repeatRemindersEnabled,
+					reminderRepeatIntervalMinutes: settings.reminderRepeatIntervalMinutes,
+					maxNaggingReminders: settings.maxNaggingReminders,
+					lowStockDays: settings.lowStockDays,
+					normalStockDays: settings.normalStockDays,
+					highStockDays: settings.highStockDays,
+					expiryWarningDays: settings.expiryWarningDays,
+					language: settings.language,
+					stockCalculationMode: settings.stockCalculationMode,
+					shareStockStatus: settings.shareStockStatus,
+				}
+			: undefined;
+
+		// 4. Load share links
+		const shares = await db.select().from(shareTokens).where(eq(shareTokens.userId, userId));
+
+		const exportShareLinks = shares.map((share) => {
+			// Safely convert expiresAt to ISO string
+			let expiresAtIso: string | null = null;
+			if (share.expiresAt) {
+				try {
+					if (share.expiresAt instanceof Date && !Number.isNaN(share.expiresAt.getTime())) {
+						expiresAtIso = share.expiresAt.toISOString();
+					} else if (typeof share.expiresAt === "number" || typeof share.expiresAt === "string") {
+						const d = new Date(share.expiresAt);
+						expiresAtIso = !Number.isNaN(d.getTime()) ? d.toISOString() : null;
+					}
+				} catch {
+					expiresAtIso = null;
+				}
+			}
+
+			return {
+				takenBy: share.takenBy,
+				scheduleDays: share.scheduleDays,
+				expiresAt: expiresAtIso,
+				regenerateToken: true, // Always regenerate tokens on import for security
+			};
+		});
+
+		// 5. Load refill history
+		const refills = await db.select().from(refillHistory).where(eq(refillHistory.userId, userId));
+
+		const exportRefillHistory = refills
+			.map((refill) => {
+				const exportId = medIdToExportId.get(refill.medicationId);
+				if (!exportId) return null; // Orphaned refill, skip
+
+				// Safely convert refillDate to ISO string
+				let refillDateIso: string;
+				try {
+					if (refill.refillDate instanceof Date && !Number.isNaN(refill.refillDate.getTime())) {
+						refillDateIso = refill.refillDate.toISOString();
+					} else if (typeof refill.refillDate === "number" || typeof refill.refillDate === "string") {
+						const d = new Date(refill.refillDate);
+						refillDateIso = !Number.isNaN(d.getTime()) ? d.toISOString() : new Date().toISOString();
+					} else {
+						refillDateIso = new Date().toISOString();
+					}
+				} catch {
+					refillDateIso = new Date().toISOString();
+				}
+
+				return {
+					medicationRef: exportId,
+					packsAdded: refill.packsAdded ?? 0,
+					loosePillsAdded: refill.loosePillsAdded ?? 0,
+					usedPrescription: refill.usedPrescription ?? false,
+					refillDate: refillDateIso,
+				};
+			})
+			.filter((r): r is NonNullable<typeof r> => r !== null);
+
+		// Build export object
+		const exportData = {
+			version: EXPORT_VERSION,
+			exportedAt: new Date().toISOString(),
+			includeSensitiveData: includeSensitive,
+			medications: exportMedications,
+			doseHistory: exportDoseHistory,
+			refillHistory: exportRefillHistory,
+			settings: exportSettings,
+			shareLinks: exportShareLinks,
+		};
+
+		// Set download headers
+		const now = new Date();
+		const dateStr = now.toISOString().replace(/[-:]/g, "").replace(/T/, "-").slice(0, 13);
+		const authUser = env.AUTH_ENABLED ? (request.user as unknown as AuthUser | null) : null;
+		const userPart = authUser?.username ? `-${authUser.username}` : "";
+		const filename = `medassist-export${userPart}-${dateStr}.json`;
+		reply.header("Content-Type", "application/json");
+		reply.header("Content-Disposition", `attachment; filename="${filename}"`);
+
+		return exportData;
+	});
+
+	// ---------------------------------------------------------------------------
+	// POST /import - Import user data (replaces all existing data!)
+	// ---------------------------------------------------------------------------
+	app.post(
+		"/import",
+		{
+			config: {
+				// Increase body limit to 50MB to handle exports with base64 images
+				rawBody: true,
+			},
+			bodyLimit: 50 * 1024 * 1024, // 50 MB
+		},
+		async (request, reply) => {
+			const userId = await getUserId(request, reply);
+
+			// 1. Parse and validate import data
+			const parsed = importDataSchema.safeParse(request.body);
+			if (!parsed.success) {
+				return reply.status(400).send({
+					error: "Invalid import data format",
+					details: parsed.error.format(),
+				});
+			}
+
+			const importData = parsed.data;
+
+			// 2. Delete all existing user data (in correct order to respect foreign keys)
+			// Note: CASCADE delete should handle this, but let's be explicit
+
+			// First, delete images for existing medications
+			const existingMeds = await db.select().from(medications).where(eq(medications.userId, userId));
+			for (const med of existingMeds) {
+				if (med.imageUrl) {
+					const imagePath = resolve(IMAGES_DIR, med.imageUrl);
+					if (existsSync(imagePath)) {
+						try {
+							unlinkSync(imagePath);
+						} catch {
+							/* ignore */
+						}
+					}
+				}
+			}
+
+			// Delete in order: refill history, doses, share tokens, medications, settings
+			await db.delete(refillHistory).where(eq(refillHistory.userId, userId));
+			await db.delete(doseTracking).where(eq(doseTracking.userId, userId));
+			await db.delete(shareTokens).where(eq(shareTokens.userId, userId));
+			await db.delete(medications).where(eq(medications.userId, userId));
+			await db.delete(userSettings).where(eq(userSettings.userId, userId));
+
+			// 3. Import medications and build ID mapping
+			const exportIdToNewId = new Map<string, number>();
+
+			for (const med of importData.medications) {
+				// Convert schedules to both legacy and new formats
+				const usageJson = JSON.stringify(med.schedules.map((s) => s.usage));
+				const everyJson = JSON.stringify(med.schedules.map((s) => s.every));
+				const startJson = JSON.stringify(med.schedules.map((s) => s.start));
+				const takenByJson = JSON.stringify(med.takenBy);
+
+				// Build intakesJson array (new unified format with per-intake takenBy)
+				const intakesJson = JSON.stringify(
+					med.schedules.map((s) => ({
+						usage: s.usage,
+						every: s.every,
+						start: s.start,
+						takenBy: s.takenBy || null,
+						intakeRemindersEnabled: s.remind ?? false,
+					}))
+				);
+
+				// Check if any schedule has remind enabled
+				const intakeRemindersEnabled = med.schedules.some((s) => s.remind) || med.intakeRemindersEnabled;
+
+				const [inserted] = await db
+					.insert(medications)
+					.values({
+						userId,
+						name: med.name,
+						genericName: med.genericName || null,
+						takenByJson,
+						packageType: med.inventory.packageType ?? "blister",
+						packCount: med.inventory.packCount,
+						blistersPerPack: med.inventory.blistersPerPack,
+						pillsPerBlister: med.inventory.pillsPerBlister,
+						looseTablets: med.inventory.looseTablets,
+						totalPills: med.inventory.totalPills ?? null,
+						stockAdjustment: med.inventory.stockAdjustment ?? 0,
+						lastStockCorrectionAt: med.lastStockCorrectionAt ? new Date(med.lastStockCorrectionAt) : null,
+						pillWeightMg: med.pillWeightMg || null,
+						doseUnit: med.doseUnit ?? "mg",
+						medicationStartDate: med.medicationStartDate || "",
+						intakesJson,
+						usageJson,
+						everyJson,
+						startJson,
+						expiryDate: med.expiryDate || null,
+						notes: med.notes || null,
+						intakeRemindersEnabled,
+						isObsolete: med.isObsolete ?? false,
+						obsoleteAt: med.obsoleteAt ? new Date(med.obsoleteAt) : null,
+						prescriptionEnabled: med.prescriptionEnabled ?? false,
+						prescriptionAuthorizedRefills: med.prescriptionEnabled ? (med.prescriptionAuthorizedRefills ?? null) : null,
+						prescriptionRemainingRefills: med.prescriptionEnabled ? (med.prescriptionRemainingRefills ?? null) : null,
+						prescriptionLowRefillThreshold: med.prescriptionLowRefillThreshold ?? 1,
+						prescriptionExpiryDate: med.prescriptionExpiryDate || null,
+						dismissedUntil: med.dismissedUntil || null,
+						imageUrl: null, // Will be set after image is saved
+					})
+					.returning();
+
+				// Save mapping
+				exportIdToNewId.set(med._exportId, inserted.id);
+
+				// Save image if present
+				if (med.image) {
+					const imageUrl = base64ToImage(med.image, inserted.id);
+					if (imageUrl) {
+						await db.update(medications).set({ imageUrl }).where(eq(medications.id, inserted.id));
+					}
+				}
+			}
+
+			// 4. Import dose history with remapped medication IDs
+			for (const dose of importData.doseHistory) {
+				const newMedId = exportIdToNewId.get(dose.medicationRef);
+				if (!newMedId) continue; // Skip orphaned doses
+
+				// Convert ISO timestamp back to milliseconds for dose ID
+				const timestampMs = new Date(dose.scheduledTime).getTime();
+				// Rebuild dose ID with optional person suffix
+				const doseId = buildDoseId(newMedId, dose.scheduleIndex, timestampMs, dose.takenByPerson);
+
+				await db.insert(doseTracking).values({
+					userId,
+					doseId,
+					takenAt: new Date(dose.takenAt),
+					markedBy: dose.markedBy || null,
+					takenSource: dose.takenSource ?? "manual",
+					dismissed: dose.dismissed ?? false,
+				});
+			}
+
+			// 5. Import settings
+			if (importData.settings) {
+				await db.insert(userSettings).values({
+					userId,
+					emailEnabled: importData.settings.emailEnabled ?? false,
+					notificationEmail: importData.settings.notificationEmail || null,
+					emailStockReminders: importData.settings.emailStockReminders ?? true,
+					emailIntakeReminders: importData.settings.emailIntakeReminders ?? true,
+					emailPrescriptionReminders: importData.settings.emailPrescriptionReminders ?? true,
+					shoutrrrEnabled: importData.settings.shoutrrrEnabled ?? false,
+					shoutrrrUrl: importData.settings.shoutrrrUrl || null,
+					shoutrrrStockReminders: importData.settings.shoutrrrStockReminders ?? true,
+					shoutrrrIntakeReminders: importData.settings.shoutrrrIntakeReminders ?? true,
+					shoutrrrPrescriptionReminders: importData.settings.shoutrrrPrescriptionReminders ?? true,
+					reminderDaysBefore: importData.settings.reminderDaysBefore ?? 7,
+					repeatDailyReminders: importData.settings.repeatDailyReminders ?? false,
+					skipRemindersForTakenDoses: importData.settings.skipRemindersForTakenDoses ?? false,
+					repeatRemindersEnabled: importData.settings.repeatRemindersEnabled ?? false,
+					reminderRepeatIntervalMinutes: importData.settings.reminderRepeatIntervalMinutes ?? 30,
+					maxNaggingReminders: importData.settings.maxNaggingReminders ?? 5,
+					lowStockDays: importData.settings.lowStockDays ?? 30,
+					normalStockDays: importData.settings.normalStockDays ?? 90,
+					highStockDays: importData.settings.highStockDays ?? 180,
+					expiryWarningDays: importData.settings.expiryWarningDays ?? 90,
+					language: importData.settings.language ?? "en",
+					stockCalculationMode: importData.settings.stockCalculationMode ?? "automatic",
+					shareStockStatus: importData.settings.shareStockStatus ?? true,
+				});
+			}
+
+			// 6. Import share links (with new tokens)
+			for (const share of importData.shareLinks) {
+				// Always generate new token for security
+				const token = randomBytes(8).toString("hex");
+
+				await db.insert(shareTokens).values({
+					userId,
+					token,
+					takenBy: share.takenBy,
+					scheduleDays: share.scheduleDays,
+					expiresAt: share.expiresAt ? new Date(share.expiresAt) : null,
+				});
+			}
+
+			// 7. Import refill history with remapped medication IDs
+			for (const refill of importData.refillHistory) {
+				const newMedId = exportIdToNewId.get(refill.medicationRef);
+				if (!newMedId) continue; // Skip orphaned refill records
+
+				await db.insert(refillHistory).values({
+					medicationId: newMedId,
+					userId,
+					packsAdded: refill.packsAdded ?? 0,
+					loosePillsAdded: refill.loosePillsAdded ?? 0,
+					usedPrescription: refill.usedPrescription ?? false,
+					refillDate: new Date(refill.refillDate),
+				});
+			}
+
+			return {
+				success: true,
+				imported: {
+					medications: importData.medications.length,
+					doseHistory: importData.doseHistory.length,
+					refillHistory: importData.refillHistory.length,
+					settings: importData.settings ? 1 : 0,
+					shareLinks: importData.shareLinks.length,
+				},
+			};
+		}
+	);
+}
@@ -1,5 +1,19 @@
-import { FastifyInstance } from "fastify";
+import { readFileSync } from "node:fs";
+import { dirname, resolve } from "node:path";
+import { fileURLToPath } from "node:url";
+import type { FastifyInstance } from "fastify";
+
+// Read version from package.json at startup
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const packageJsonPath = resolve(__dirname, "../../package.json");
+const packageJson = JSON.parse(readFileSync(packageJsonPath, "utf-8"));
+const backendVersion = packageJson.version || "unknown";

 export async function healthRoutes(app: FastifyInstance) {
-  app.get("/health", async () => ({ status: "ok" }));
+	// Exempt from rate limit + suppress request logs (called every 30s by Docker healthcheck)
+	app.get("/health", { config: { rateLimit: false }, logLevel: "warn" }, async () => ({
+		status: "ok",
+		version: backendVersion,
+		smtpConfigured: Boolean(process.env.SMTP_HOST),
+	}));
 }
@@ -1,9 +1,9 @@
-import { FastifyInstance, FastifyReply, FastifyRequest } from "fastify";
-import * as client from "openid-client";
-import { randomBytes, createHash } from "crypto";
-import { db } from "../db/client.js";
-import { users, refreshTokens } from "../db/schema.js";
+import { createHash, randomBytes } from "node:crypto";
 import { eq, sql } from "drizzle-orm";
+import type { FastifyInstance, FastifyReply } from "fastify";
+import * as client from "openid-client";
+import { db } from "../db/client.js";
+import { refreshTokens, users } from "../db/schema.js";
 import { env } from "../plugins/env.js";

 // =============================================================================
@@ -12,299 +12,296 @@ import { env } from "../plugins/env.js";
 let oidcConfig: client.Configuration | null = null;

 async function getOIDCConfig(): Promise<client.Configuration> {
-  if (oidcConfig) return oidcConfig;
-  
-  if (!env.OIDC_ISSUER_URL || !env.OIDC_CLIENT_ID || !env.OIDC_CLIENT_SECRET) {
-    throw new Error("OIDC not configured");
-  }
+	if (oidcConfig) return oidcConfig;

-  oidcConfig = await client.discovery(
-    new URL(env.OIDC_ISSUER_URL),
-    env.OIDC_CLIENT_ID,
-    env.OIDC_CLIENT_SECRET
-  );
-  
-  return oidcConfig;
+	if (!env.OIDC_ISSUER_URL || !env.OIDC_CLIENT_ID || !env.OIDC_CLIENT_SECRET) {
+		throw new Error("OIDC not configured");
+	}
+
+	oidcConfig = await client.discovery(new URL(env.OIDC_ISSUER_URL), env.OIDC_CLIENT_ID, env.OIDC_CLIENT_SECRET);
+
+	return oidcConfig;
 }

 // =============================================================================
 // PKCE Helpers
 // =============================================================================
 function generateCodeVerifier(): string {
-  return randomBytes(32).toString("base64url");
+	return randomBytes(32).toString("base64url");
 }

 function generateCodeChallenge(verifier: string): string {
-  return createHash("sha256").update(verifier).digest("base64url");
+	return createHash("sha256").update(verifier).digest("base64url");
 }

 function generateState(): string {
-  return randomBytes(16).toString("hex");
+	return randomBytes(16).toString("hex");
 }

 // =============================================================================
 // Helpers
 // =============================================================================
 function getFrontendUrl(): string {
-  return env.CORS_ORIGINS.split(",")[0] || "http://localhost:5173";
+	return env.CORS_ORIGINS.split(",")[0] || "http://localhost:5173";
 }

 // =============================================================================
 // OIDC Routes
 // =============================================================================
 export async function oidcRoutes(app: FastifyInstance) {
-  if (!env.OIDC_ENABLED) {
-    // Register a disabled route that returns an error
-    app.get("/auth/oidc/login", async (request, reply) => {
-      return reply.status(400).send({ error: "OIDC authentication is not enabled" });
-    });
-    app.get("/auth/oidc/callback", async (request, reply) => {
-      return reply.status(400).send({ error: "OIDC authentication is not enabled" });
-    });
-    return;
-  }
+	if (!env.OIDC_ENABLED) {
+		// Register a disabled route that returns an error
+		app.get("/auth/oidc/login", async (_request, reply) => {
+			return reply.status(400).send({ error: "OIDC authentication is not enabled" });
+		});
+		app.get("/auth/oidc/callback", async (_request, reply) => {
+			return reply.status(400).send({ error: "OIDC authentication is not enabled" });
+		});
+		return;
+	}

-  // ---------------------------------------------------------------------------
-  // GET /auth/oidc/login - Initiates OIDC flow
-  // ---------------------------------------------------------------------------
-  app.get("/auth/oidc/login", async (request, reply) => {
-    try {
-      const config = await getOIDCConfig();
-      
-      // Generate PKCE values
-      const codeVerifier = generateCodeVerifier();
-      const codeChallenge = generateCodeChallenge(codeVerifier);
-      const state = generateState();
-      
-      // Store PKCE verifier and state in signed cookies (short-lived)
-      reply.setCookie("oidc_code_verifier", codeVerifier, {
-        httpOnly: true,
-        secure: env.NODE_ENV === "production",
-        sameSite: "lax",
-        path: "/",
-        maxAge: 600, // 10 minutes
-        signed: true,
-      });
-      
-      reply.setCookie("oidc_state", state, {
-        httpOnly: true,
-        secure: env.NODE_ENV === "production",
-        sameSite: "lax",
-        path: "/",
-        maxAge: 600,
-        signed: true,
-      });
-      
-      // Build authorization URL
-      const redirectUri = env.OIDC_REDIRECT_URI!;
-      const scope = env.OIDC_SCOPES;
-      
-      const authUrl = client.buildAuthorizationUrl(config, {
-        redirect_uri: redirectUri,
-        scope,
-        state,
-        code_challenge: codeChallenge,
-        code_challenge_method: "S256",
-      });
-      
-      return reply.redirect(authUrl.href);
-    } catch (err: any) {
-      console.error("[OIDC] Login error:", err);
-      return reply.redirect(`${getFrontendUrl()}/?error=oidc_init_failed`);
-    }
-  });
+	// ---------------------------------------------------------------------------
+	// GET /auth/oidc/login - Initiates OIDC flow
+	// ---------------------------------------------------------------------------
+	app.get("/auth/oidc/login", async (request, reply) => {
+		try {
+			const config = await getOIDCConfig();

-  // ---------------------------------------------------------------------------
-  // GET /auth/oidc/callback - Handles callback from OIDC provider
-  // ---------------------------------------------------------------------------
-  app.get<{ Querystring: { code?: string; state?: string; error?: string; error_description?: string } }>(
-    "/auth/oidc/callback",
-    async (request, reply) => {
-      const { code, state, error, error_description } = request.query;
-      
-      // Handle OIDC provider errors
-      if (error) {
-        console.error(`[OIDC] Provider error: ${error} - ${error_description}`);
-        return reply.redirect(`${getFrontendUrl()}/?error=oidc_${error}`);
-      }
-      
-      if (!code || !state) {
-        return reply.redirect(`${getFrontendUrl()}/?error=oidc_missing_params`);
-      }
-      
-      // Verify state
-      const storedState = request.unsignCookie(request.cookies.oidc_state || "");
-      if (!storedState.valid || storedState.value !== state) {
-        console.error("[OIDC] State mismatch");
-        return reply.redirect(`${getFrontendUrl()}/?error=oidc_state_mismatch`);
-      }
-      
-      // Get code verifier
-      const storedVerifier = request.unsignCookie(request.cookies.oidc_code_verifier || "");
-      if (!storedVerifier.valid || !storedVerifier.value) {
-        console.error("[OIDC] Missing code verifier");
-        return reply.redirect(`${getFrontendUrl()}/?error=oidc_missing_verifier`);
-      }
-      
-      try {
-        const config = await getOIDCConfig();
-        const redirectUri = env.OIDC_REDIRECT_URI!;
-        
-        // Exchange code for tokens
-        const tokens = await client.authorizationCodeGrant(config, new URL(request.url, `http://${request.headers.host}`), {
-          pkceCodeVerifier: storedVerifier.value,
-          expectedState: state,
-        });
-        
-        // Get user info
-        const sub = tokens.claims()?.sub;
-        if (!sub) {
-          console.error("[OIDC] Missing sub claim in token");
-          return reply.redirect(`${getFrontendUrl()}/?error=oidc_missing_sub`);
-        }
-        const userInfo = await client.fetchUserInfo(config, tokens.access_token, sub);
-        
-        // Extract username from configured claim
-        const usernameClaim = env.OIDC_USERNAME_CLAIM;
-        let username = (userInfo as any)[usernameClaim] || userInfo.preferred_username || userInfo.email || userInfo.sub;
-        const oidcSubject = userInfo.sub;
-        
-        if (!username || !oidcSubject) {
-          console.error("[OIDC] Missing required user info:", { username, oidcSubject });
-          return reply.redirect(`${getFrontendUrl()}/?error=oidc_missing_user_info`);
-        }
-        
-        // Clean cookies
-        reply.clearCookie("oidc_code_verifier", { path: "/" });
-        reply.clearCookie("oidc_state", { path: "/" });
-        
-        // Find or create user
-        let user = await findOrCreateOIDCUser(username, oidcSubject, reply);
-        
-        if (!user) {
-          return reply.redirect(`${getFrontendUrl()}/?error=oidc_user_creation_failed`);
-        }
-        
-        // Update last login
-        await db.update(users)
-          .set({ lastLoginAt: new Date() })
-          .where(eq(users.id, user.id));
-        
-        // Issue JWT tokens (same as local auth)
-        const accessToken = await generateAccessToken(app, user.id, user.username);
-        const { refreshToken, tokenId, expiresAt } = await generateRefreshToken(app, user.id);
-        
-        // Store refresh token
-        await db.insert(refreshTokens).values({
-          userId: user.id,
-          tokenId,
-          expiresAt,
-        });
-        
-        // Set cookies (use app's centralized cookie options)
-        console.log(`[OIDC] Setting cookies for user ${user.username}, NODE_ENV=${env.NODE_ENV}, secure=${app.config.cookieOptions.secure}`);
-        setAuthCookies(app, reply, accessToken, refreshToken);
-        
-        // Redirect to frontend dashboard
-        // In dev: CORS_ORIGINS contains the frontend URL
-        const frontendUrl = env.CORS_ORIGINS.split(",")[0] || "http://localhost:5173";
-        return reply.redirect(`${frontendUrl}/dashboard`);
-        
-      } catch (err: any) {
-        console.error("[OIDC] Callback error:", err);
-        return reply.redirect(`${getFrontendUrl()}/?error=oidc_callback_failed`);
-      }
-    }
-  );
+			// Generate PKCE values
+			const codeVerifier = generateCodeVerifier();
+			const codeChallenge = generateCodeChallenge(codeVerifier);
+			const state = generateState();
+
+			// Store PKCE verifier and state in signed cookies (short-lived)
+			reply.setCookie("oidc_code_verifier", codeVerifier, {
+				httpOnly: true,
+				secure: env.NODE_ENV === "production",
+				sameSite: "lax",
+				path: "/",
+				maxAge: 600, // 10 minutes
+				signed: true,
+			});
+
+			reply.setCookie("oidc_state", state, {
+				httpOnly: true,
+				secure: env.NODE_ENV === "production",
+				sameSite: "lax",
+				path: "/",
+				maxAge: 600,
+				signed: true,
+			});
+
+			// Build authorization URL
+			const redirectUri = env.OIDC_REDIRECT_URI!;
+			const scope = env.OIDC_SCOPES;
+
+			const authUrl = client.buildAuthorizationUrl(config, {
+				redirect_uri: redirectUri,
+				scope,
+				state,
+				code_challenge: codeChallenge,
+				code_challenge_method: "S256",
+			});
+
+			return reply.redirect(authUrl.href);
+		} catch (err: unknown) {
+			request.log.error({ err }, "[OIDC] Login initialization failed");
+			return reply.redirect(`${getFrontendUrl()}/?error=oidc_init_failed`);
+		}
+	});
+
+	// ---------------------------------------------------------------------------
+	// GET /auth/oidc/callback - Handles callback from OIDC provider
+	// ---------------------------------------------------------------------------
+	app.get<{ Querystring: { code?: string; state?: string; error?: string; error_description?: string } }>(
+		"/auth/oidc/callback",
+		async (request, reply) => {
+			const { code, state, error, error_description } = request.query;
+
+			// Handle OIDC provider errors
+			if (error) {
+				app.log.warn({ error, errorDescription: error_description }, "[OIDC] Provider returned error");
+				return reply.redirect(`${getFrontendUrl()}/?error=oidc_${error}`);
+			}
+
+			if (!code || !state) {
+				return reply.redirect(`${getFrontendUrl()}/?error=oidc_missing_params`);
+			}
+
+			// Verify state
+			const storedState = request.unsignCookie(request.cookies.oidc_state || "");
+			if (!storedState.valid || storedState.value !== state) {
+				request.log.warn("[OIDC] State mismatch during callback validation");
+				return reply.redirect(`${getFrontendUrl()}/?error=oidc_state_mismatch`);
+			}
+
+			// Get code verifier
+			const storedVerifier = request.unsignCookie(request.cookies.oidc_code_verifier || "");
+			if (!storedVerifier.valid || !storedVerifier.value) {
+				request.log.warn("[OIDC] Missing/invalid code verifier cookie");
+				return reply.redirect(`${getFrontendUrl()}/?error=oidc_missing_verifier`);
+			}
+
+			try {
+				const config = await getOIDCConfig();
+				const redirectUri = env.OIDC_REDIRECT_URI!;
+
+				// Exchange code for tokens
+				// Build complete callback URL with query parameters for validation
+				const callbackUrl = new URL(redirectUri);
+				callbackUrl.search = new URLSearchParams(request.query as Record<string, string>).toString();
+
+				const tokens = await client.authorizationCodeGrant(config, callbackUrl, {
+					pkceCodeVerifier: storedVerifier.value,
+					expectedState: state,
+				});
+
+				// Get user info
+				const sub = tokens.claims()?.sub;
+				if (!sub) {
+					request.log.error("[OIDC] Missing sub claim in token response");
+					return reply.redirect(`${getFrontendUrl()}/?error=oidc_missing_sub`);
+				}
+				const userInfo = await client.fetchUserInfo(config, tokens.access_token, sub);
+
+				// Extract username from configured claim
+				const usernameClaim = env.OIDC_USERNAME_CLAIM;
+				const username =
+					(userInfo as Record<string, string>)[usernameClaim] ||
+					userInfo.preferred_username ||
+					userInfo.email ||
+					userInfo.sub;
+				const oidcSubject = userInfo.sub;
+
+				if (!username || !oidcSubject) {
+					request.log.error(
+						{ hasUsername: Boolean(username), hasOidcSubject: Boolean(oidcSubject) },
+						"[OIDC] Missing required user info"
+					);
+					return reply.redirect(`${getFrontendUrl()}/?error=oidc_missing_user_info`);
+				}
+
+				// Clean cookies
+				reply.clearCookie("oidc_code_verifier", { path: "/" });
+				reply.clearCookie("oidc_state", { path: "/" });
+
+				// Find or create user
+				const user = await findOrCreateOIDCUser(username, oidcSubject, reply);
+
+				if (!user) {
+					return reply.redirect(`${getFrontendUrl()}/?error=oidc_user_creation_failed`);
+				}
+
+				// Update last login
+				await db.update(users).set({ lastLoginAt: new Date() }).where(eq(users.id, user.id));
+
+				// Issue JWT tokens (same as local auth)
+				const accessToken = await generateAccessToken(app, user.id, user.username);
+				const { refreshToken, tokenId, expiresAt } = await generateRefreshToken(app, user.id);
+
+				// Store refresh token
+				await db.insert(refreshTokens).values({
+					userId: user.id,
+					tokenId,
+					expiresAt,
+				});
+
+				// Set cookies (use app's centralized cookie options)
+				request.log.debug(
+					`[OIDC] Setting cookies for user ${user.username}, NODE_ENV=${env.NODE_ENV}, secure=${app.config.cookieOptions.secure}`
+				);
+				setAuthCookies(app, reply, accessToken, refreshToken);
+
+				// Redirect to frontend dashboard
+				// In dev: CORS_ORIGINS contains the frontend URL
+				const frontendUrl = env.CORS_ORIGINS.split(",")[0] || "http://localhost:5173";
+				return reply.redirect(`${frontendUrl}/dashboard`);
+			} catch (err: unknown) {
+				request.log.error({ err }, "[OIDC] Callback processing failed");
+				return reply.redirect(`${getFrontendUrl()}/?error=oidc_callback_failed`);
+			}
+		}
+	);
 }

 // =============================================================================
 // User Management
 // =============================================================================
 async function findOrCreateOIDCUser(
-  username: string, 
-  oidcSubject: string,
-  reply: FastifyReply
+	username: string,
+	oidcSubject: string,
+	_reply: FastifyReply
 ): Promise<{ id: number; username: string } | null> {
-  
-  // First, try to find user by OIDC subject (most reliable)
-  const [existingBySubject] = await db.select()
-    .from(users)
-    .where(eq(users.oidcSubject, oidcSubject));
-  
-  if (existingBySubject) {
-    return { id: existingBySubject.id, username: existingBySubject.username };
-  }
-  
-  // Check if username already exists (potential collision)
-  const [existingByUsername] = await db.select()
-    .from(users)
-    .where(eq(users.username, username));
-  
-  if (existingByUsername) {
-    // Username collision! Check if it's a local user without OIDC linked
-    if (existingByUsername.authProvider === "local" && !existingByUsername.oidcSubject) {
-      // Local user exists without SSO - link this OIDC account to existing user
-      await db.update(users)
-        .set({ oidcSubject: oidcSubject })
-        .where(eq(users.id, existingByUsername.id));
-      console.log(`[OIDC] Linked OIDC to existing local user: ${username}`);
-      return { id: existingByUsername.id, username: existingByUsername.username };
-    } else if (existingByUsername.oidcSubject && existingByUsername.oidcSubject !== oidcSubject) {
-      // User already has a DIFFERENT OIDC subject - create new user with suffix
-      username = `${username}_sso`;
-      console.log(`[OIDC] Username collision (different OIDC subject), using: ${username}`);
-    }
-  }
-  
-  // Check if auto-create is enabled
-  if (!env.OIDC_AUTO_CREATE_USERS) {
-    console.error(`[OIDC] User creation disabled and user not found: ${username}`);
-    return null;
-  }
-  
-  // Create new OIDC user
-  const [newUser] = await db.insert(users)
-    .values({
-      username,
-      passwordHash: null,
-      authProvider: "oidc",
-      oidcSubject: oidcSubject,
-      isActive: true,
-    })
-    .returning({ id: users.id, username: users.username });
-  
-  console.log(`[OIDC] Created new user: ${newUser.username} (ID: ${newUser.id})`);
-  return newUser;
+	// First, try to find user by OIDC subject (most reliable)
+	const [existingBySubject] = await db.select().from(users).where(eq(users.oidcSubject, oidcSubject));
+
+	if (existingBySubject) {
+		return { id: existingBySubject.id, username: existingBySubject.username };
+	}
+
+	// Check if username already exists (potential collision)
+	const [existingByUsername] = await db.select().from(users).where(sql`lower(${users.username}) = lower(${username})`);
+
+	if (existingByUsername) {
+		// Username collision! Check if it's a local user without OIDC linked
+		if (existingByUsername.authProvider === "local" && !existingByUsername.oidcSubject) {
+			// Local user exists without SSO - link this OIDC account to existing user
+			await db.update(users).set({ oidcSubject: oidcSubject }).where(eq(users.id, existingByUsername.id));
+			// Linked OIDC to existing local user
+			return { id: existingByUsername.id, username: existingByUsername.username };
+		} else if (existingByUsername.oidcSubject && existingByUsername.oidcSubject !== oidcSubject) {
+			// User already has a DIFFERENT OIDC subject - create new user with suffix
+			username = `${username}_sso`;
+			// Username collision (different OIDC subject), use suffixed name
+		}
+	}
+
+	// Check if auto-create is enabled
+	if (!env.OIDC_AUTO_CREATE_USERS) {
+		// No logger is available in this helper, route-level logs already capture callback failures.
+		return null;
+	}
+
+	// Create new OIDC user
+	const [newUser] = await db
+		.insert(users)
+		.values({
+			username,
+			passwordHash: null,
+			authProvider: "oidc",
+			oidcSubject: oidcSubject,
+			isActive: true,
+		})
+		.returning({ id: users.id, username: users.username });
+
+	// New OIDC user created
+	return newUser;
 }

 // =============================================================================
 // JWT Token Generation (reused from auth.ts logic)
 // =============================================================================
 async function generateAccessToken(app: FastifyInstance, userId: number, username: string): Promise<string> {
-  return app.jwt.sign(
-    { sub: userId, username },
-    { expiresIn: `${env.ACCESS_TOKEN_TTL_MINUTES}m` }
-  );
+	return app.jwt.sign({ sub: userId, username }, { expiresIn: `${env.ACCESS_TOKEN_TTL_MINUTES}m` });
 }

 async function generateRefreshToken(
-  app: FastifyInstance, 
-  userId: number
+	app: FastifyInstance,
+	userId: number
 ): Promise<{ refreshToken: string; tokenId: string; expiresAt: Date }> {
-  const tokenId = randomBytes(32).toString("hex");
-  const expiresAt = new Date(Date.now() + env.REFRESH_TOKEN_TTL_DAYS * 24 * 60 * 60 * 1000);
-  
-  const refreshToken = app.jwt.sign(
-    { sub: userId, jti: tokenId, type: "refresh" },
-    { expiresIn: `${env.REFRESH_TOKEN_TTL_DAYS}d` }
-  );
-  
-  return { refreshToken, tokenId, expiresAt };
+	const tokenId = randomBytes(32).toString("hex");
+	const expiresAt = new Date(Date.now() + env.REFRESH_TOKEN_TTL_DAYS * 24 * 60 * 60 * 1000);
+
+	const refreshToken = app.jwt.sign(
+		{ sub: userId, jti: tokenId, type: "refresh" },
+		{ expiresIn: `${env.REFRESH_TOKEN_TTL_DAYS}d` }
+	);
+
+	return { refreshToken, tokenId, expiresAt };
 }

 function setAuthCookies(app: FastifyInstance, reply: FastifyReply, accessToken: string, refreshToken: string) {
-  // Use the same cookie options as regular auth for consistency
-  reply.setCookie("access_token", accessToken, app.config.cookieOptions);
-  reply.setCookie("refresh_token", refreshToken, app.config.refreshCookieOptions);
+	// Use the same cookie options as regular auth for consistency
+	reply.setCookie("access_token", accessToken, app.config.cookieOptions);
+	reply.setCookie("refresh_token", refreshToken, app.config.refreshCookieOptions);
 }
@@ -0,0 +1,176 @@
+import { and, desc, eq } from "drizzle-orm";
+import type { FastifyInstance, FastifyReply, FastifyRequest } from "fastify";
+import { z } from "zod";
+import { db } from "../db/client.js";
+import { medications, refillHistory } from "../db/schema.js";
+import { getAnonymousUserId, requireAuth } from "../plugins/auth.js";
+import { env } from "../plugins/env.js";
+import type { AuthUser } from "../types/fastify.js";
+
+const refillSchema = z
+	.object({
+		packsAdded: z.number().int().min(0).default(0),
+		loosePillsAdded: z.number().int().min(0).default(0),
+		usePrescription: z.boolean().default(false),
+	})
+	.refine((data) => data.packsAdded > 0 || data.loosePillsAdded > 0, {
+		message: "Must add at least one pack or some loose pills",
+	});
+
+export async function refillRoutes(app: FastifyInstance) {
+	// All refill routes require auth
+	app.addHook("preHandler", requireAuth);
+
+	// Helper to get user ID from request
+	async function getUserId(request: FastifyRequest, reply: FastifyReply): Promise<number> {
+		if (!env.AUTH_ENABLED) {
+			return getAnonymousUserId();
+		}
+		const authUser = request.user as unknown as AuthUser | null;
+		if (!authUser) {
+			reply.status(401).send({ error: "User not authenticated", code: "AUTH_REQUIRED" });
+			throw new Error("AUTH_REQUIRED");
+		}
+		return authUser.id;
+	}
+
+	// POST /medications/:id/refill - Add stock to medication
+	app.post<{ Params: { id: string } }>("/medications/:id/refill", async (req, reply) => {
+		const parsed = refillSchema.safeParse(req.body);
+		if (!parsed.success) return reply.status(400).send(parsed.error.format());
+
+		const medId = Number(req.params.id);
+		if (Number.isNaN(medId)) return reply.badRequest("Invalid medication id");
+
+		const userId = await getUserId(req, reply);
+
+		// Verify ownership
+		const [med] = await db
+			.select()
+			.from(medications)
+			.where(and(eq(medications.id, medId), eq(medications.userId, userId)));
+		if (!med) return reply.notFound("Medication not found");
+
+		const { packsAdded, loosePillsAdded, usePrescription } = parsed.data;
+		const isBottle = (med.packageType ?? "blister") === "bottle";
+		const effectivePacksAdded = isBottle ? 0 : packsAdded;
+		const effectiveLoosePillsAdded = loosePillsAdded;
+		const remainingPrescriptionRefills = med.prescriptionRemainingRefills ?? 0;
+
+		if (effectivePacksAdded < 1 && effectiveLoosePillsAdded < 1) {
+			return reply.status(400).send({ error: "Must add at least one pack or some loose pills" });
+		}
+
+		if (usePrescription) {
+			if (!(med.prescriptionEnabled ?? false)) {
+				return reply.status(400).send({ error: "Prescription refill is not enabled for this medication" });
+			}
+			if (remainingPrescriptionRefills <= 0) {
+				return reply.status(409).send({ error: "No remaining prescription refills" });
+			}
+			if (!isBottle && effectivePacksAdded > remainingPrescriptionRefills) {
+				return reply.status(409).send({ error: "Packs to add exceed remaining prescription refills" });
+			}
+		}
+
+		// Update medication stock
+		const newPackCount = med.packCount + effectivePacksAdded;
+		const newLooseTablets = med.looseTablets + effectiveLoosePillsAdded;
+
+		let consumedRefills = 0;
+		if (usePrescription) {
+			consumedRefills = isBottle ? 1 : effectivePacksAdded;
+		}
+		const newRemainingRefills = usePrescription
+			? Math.max(0, remainingPrescriptionRefills - consumedRefills)
+			: (med.prescriptionRemainingRefills ?? null);
+
+		await db
+			.update(medications)
+			.set({
+				packCount: newPackCount,
+				looseTablets: newLooseTablets,
+				prescriptionRemainingRefills: newRemainingRefills,
+				updatedAt: new Date(),
+			})
+			.where(and(eq(medications.id, medId), eq(medications.userId, userId)));
+
+		// Create refill history entry
+		const [refill] = await db
+			.insert(refillHistory)
+			.values({
+				medicationId: medId,
+				userId,
+				packsAdded: effectivePacksAdded,
+				loosePillsAdded: effectiveLoosePillsAdded,
+				usedPrescription: usePrescription,
+			})
+			.returning();
+
+		// Calculate pills added for response (packageType-aware)
+		const pillsPerPack = isBottle ? 0 : med.blistersPerPack * med.pillsPerBlister;
+		const totalPillsAdded = isBottle
+			? effectiveLoosePillsAdded
+			: effectivePacksAdded * pillsPerPack + effectiveLoosePillsAdded;
+		const newTotalPills = isBottle
+			? newLooseTablets + (med.stockAdjustment ?? 0)
+			: newPackCount * pillsPerPack + newLooseTablets + (med.stockAdjustment ?? 0);
+
+		return {
+			success: true,
+			refill: {
+				id: refill.id,
+				packsAdded: effectivePacksAdded,
+				loosePillsAdded: effectiveLoosePillsAdded,
+				totalPillsAdded,
+				refillDate: refill.refillDate,
+			},
+			newStock: {
+				packCount: newPackCount,
+				looseTablets: newLooseTablets,
+				totalPills: newTotalPills,
+			},
+			prescription: {
+				used: usePrescription,
+				remainingRefills: newRemainingRefills,
+				authorizedRefills: med.prescriptionAuthorizedRefills ?? null,
+				lowRefillThreshold: med.prescriptionLowRefillThreshold ?? 1,
+				enabled: med.prescriptionEnabled ?? false,
+			},
+		};
+	});
+
+	// GET /medications/:id/refills - Get refill history for a medication
+	app.get<{ Params: { id: string } }>("/medications/:id/refills", async (req, reply) => {
+		const medId = Number(req.params.id);
+		if (Number.isNaN(medId)) return reply.badRequest("Invalid medication id");
+
+		const userId = await getUserId(req, reply);
+
+		// Verify ownership
+		const [med] = await db
+			.select()
+			.from(medications)
+			.where(and(eq(medications.id, medId), eq(medications.userId, userId)));
+		if (!med) return reply.notFound("Medication not found");
+
+		// Get refill history, newest first
+		const refills = await db
+			.select()
+			.from(refillHistory)
+			.where(eq(refillHistory.medicationId, medId))
+			.orderBy(desc(refillHistory.refillDate));
+
+		const isBottle = (med.packageType ?? "blister") === "bottle";
+		const pillsPerPack = isBottle ? 0 : med.blistersPerPack * med.pillsPerBlister;
+
+		return refills.map((r) => ({
+			id: r.id,
+			packsAdded: r.packsAdded,
+			loosePillsAdded: r.loosePillsAdded,
+			totalPillsAdded: isBottle ? r.loosePillsAdded : r.packsAdded * pillsPerPack + r.loosePillsAdded,
+			usedPrescription: r.usedPrescription ?? false,
+			refillDate: r.refillDate,
+		}));
+	});
+}
@@ -0,0 +1,113 @@
+import { eq } from "drizzle-orm";
+import type { FastifyInstance, FastifyReply, FastifyRequest } from "fastify";
+import { z } from "zod";
+import { db } from "../db/client.js";
+import { doseTracking, medications, refillHistory } from "../db/schema.js";
+import { getAnonymousUserId, requireAuth } from "../plugins/auth.js";
+import { env } from "../plugins/env.js";
+import type { AuthUser } from "../types/fastify.js";
+
+const reportDataSchema = z.object({
+	medicationIds: z.array(z.number().int().positive()).min(1).max(100),
+});
+
+export async function reportRoutes(app: FastifyInstance) {
+	app.addHook("preHandler", requireAuth);
+
+	async function getUserId(request: FastifyRequest, reply: FastifyReply): Promise<number> {
+		if (!env.AUTH_ENABLED) {
+			return getAnonymousUserId();
+		}
+		const authUser = request.user as unknown as AuthUser | null;
+		if (!authUser) {
+			reply.status(401).send({ error: "User not authenticated", code: "AUTH_REQUIRED" });
+			throw new Error("AUTH_REQUIRED");
+		}
+		return authUser.id;
+	}
+
+	// POST /medications/report-data - Get aggregated dose/refill data for report generation
+	app.post("/medications/report-data", async (req, reply) => {
+		const parsed = reportDataSchema.safeParse(req.body);
+		if (!parsed.success) return reply.status(400).send(parsed.error.format());
+
+		const userId = await getUserId(req, reply);
+		const { medicationIds } = parsed.data;
+
+		// Verify all medications belong to this user
+		const userMeds = await db.select({ id: medications.id }).from(medications).where(eq(medications.userId, userId));
+		const userMedIds = new Set(userMeds.map((m) => m.id));
+
+		for (const id of medicationIds) {
+			if (!userMedIds.has(id)) {
+				return reply.status(403).send({ error: "Access denied to medication" });
+			}
+		}
+
+		// Fetch dose tracking for all requested medications
+		// doseId format: "{medicationId}-{blisterIndex}-{dateMs}" or "{medicationId}-{blisterIndex}-{dateMs}-{takenBy}"
+		const allDoses = await db
+			.select({
+				doseId: doseTracking.doseId,
+				takenAt: doseTracking.takenAt,
+				dismissed: doseTracking.dismissed,
+				takenSource: doseTracking.takenSource,
+			})
+			.from(doseTracking)
+			.where(eq(doseTracking.userId, userId));
+
+		// Group doses by medication ID
+		const dosesByMed = new Map<number, { takenAt: Date; dismissed: boolean; takenSource: string }[]>();
+		for (const dose of allDoses) {
+			const medId = Number.parseInt(dose.doseId.split("-")[0], 10);
+			if (Number.isNaN(medId) || !medicationIds.includes(medId)) continue;
+			if (!dosesByMed.has(medId)) dosesByMed.set(medId, []);
+			dosesByMed.get(medId)!.push({
+				takenAt: dose.takenAt,
+				dismissed: dose.dismissed,
+				takenSource: dose.takenSource ?? "manual",
+			});
+		}
+
+		// Fetch refill history for requested medications
+		const result: Record<
+			number,
+			{
+				dosesTaken: number;
+				automaticDosesTaken: number;
+				dosesDismissed: number;
+				firstDoseAt: string | null;
+				lastDoseAt: string | null;
+				refills: { packsAdded: number; loosePillsAdded: number; usedPrescription: boolean; refillDate: string }[];
+			}
+		> = {};
+
+		for (const medId of medicationIds) {
+			const doses = dosesByMed.get(medId) ?? [];
+			const takenDoses = doses.filter((d) => !d.dismissed);
+			const automaticTakenDoses = takenDoses.filter((d) => d.takenSource === "automatic");
+			const dismissedDoses = doses.filter((d) => d.dismissed);
+
+			const sortedTaken = takenDoses.map((d) => d.takenAt.getTime()).sort((a, b) => a - b);
+
+			// Get refills for this medication
+			const refills = await db.select().from(refillHistory).where(eq(refillHistory.medicationId, medId));
+
+			result[medId] = {
+				dosesTaken: takenDoses.length,
+				automaticDosesTaken: automaticTakenDoses.length,
+				dosesDismissed: dismissedDoses.length,
+				firstDoseAt: sortedTaken.length > 0 ? new Date(sortedTaken[0]).toISOString() : null,
+				lastDoseAt: sortedTaken.length > 0 ? new Date(sortedTaken[sortedTaken.length - 1]).toISOString() : null,
+				refills: refills.map((r) => ({
+					packsAdded: r.packsAdded,
+					loosePillsAdded: r.loosePillsAdded,
+					usedPrescription: r.usedPrescription ?? false,
+					refillDate: r.refillDate instanceof Date ? r.refillDate.toISOString() : String(r.refillDate),
+				})),
+			};
+		}
+
+		return result;
+	});
+}
@@ -1,226 +1,287 @@
-import { FastifyInstance } from "fastify";
+import { randomBytes } from "node:crypto";
+import { and, eq } from "drizzle-orm";
+import type { FastifyInstance, FastifyReply, FastifyRequest } from "fastify";
 import { z } from "zod";
-import { randomBytes } from "crypto";
 import { db } from "../db/client.js";
 import { medications, shareTokens, userSettings, users } from "../db/schema.js";
-import { eq, and, sql } from "drizzle-orm";
-import { requireAuth, optionalAuth, getAnonymousUserId } from "../plugins/auth.js";
+import { getAnonymousUserId, requireAuth } from "../plugins/auth.js";
 import { env } from "../plugins/env.js";
 import type { AuthUser } from "../types/fastify.js";
-
-// Share token validity: 1 year in milliseconds
-const SHARE_TOKEN_VALIDITY_MS = 365 * 24 * 60 * 60 * 1000;
+import {
+	getAllTakenByForMedication,
+	parseIntakesJson,
+	parseTakenByJson,
+	personTakesMedication,
+} from "../utils/scheduler-utils.js";

 // =============================================================================
 // Validation Schemas
 // =============================================================================
 const createShareSchema = z.object({
-  takenBy: z.string().min(1, "takenBy is required"),
-  scheduleDays: z.number().int().min(1).max(365).default(30),
+	takenBy: z.string().min(1, "takenBy is required"),
+	scheduleDays: z.number().int().min(1).max(365).default(30),
 });

+function maskToken(token: string): string {
+	if (token.length <= 8) return token;
+	return `${token.slice(0, 4)}...${token.slice(-4)}`;
+}
+
 // Helper to get user ID from request
 // Returns anonymous user ID when auth is disabled
-async function getUserId(request: any, reply: any): Promise<number> {
-  // If auth is disabled, use the anonymous user
-  if (!env.AUTH_ENABLED) {
-    return getAnonymousUserId();
-  }
-  
-  const authUser = request.user as unknown as AuthUser | null;
-  if (!authUser) {
-    reply.status(401).send({ error: "Not authenticated" });
-    throw new Error("AUTH_REQUIRED");
-  }
-  return authUser.id;
-}
+async function getUserId(request: FastifyRequest, reply: FastifyReply): Promise<number> {
+	// If auth is disabled, use the anonymous user
+	if (!env.AUTH_ENABLED) {
+		return getAnonymousUserId();
+	}

-// Helper to parse takenByJson
-function parseTakenByJson(takenByJson: string | null | undefined): string[] {
-  if (!takenByJson) return [];
-  try {
-    const parsed = JSON.parse(takenByJson);
-    return Array.isArray(parsed) ? parsed.filter((s: unknown) => typeof s === "string" && s.trim()) : [];
-  } catch {
-    return [];
-  }
+	const authUser = request.user as unknown as AuthUser | null;
+	if (!authUser) {
+		reply.status(401).send({ error: "Not authenticated" });
+		throw new Error("AUTH_REQUIRED");
+	}
+	return authUser.id;
 }

 // =============================================================================
 // Share Routes
 // =============================================================================
 export async function shareRoutes(app: FastifyInstance) {
-  // ---------------------------------------------------------------------------
-  // GET /share/:token - PUBLIC: Get shared schedule by token
-  // ---------------------------------------------------------------------------
-  app.get<{ Params: { token: string } }>("/share/:token", async (request, reply) => {
-    const { token } = request.params;
+	// ---------------------------------------------------------------------------
+	// GET /share/:token - PUBLIC: Get shared schedule by token
+	// ---------------------------------------------------------------------------
+	app.get<{ Params: { token: string } }>("/share/:token", async (request, reply) => {
+		const { token } = request.params;

-    // Find share token
-    const [share] = await db.select().from(shareTokens).where(eq(shareTokens.token, token));
-    if (!share) {
-      return reply.status(404).send({ 
-        error: "Share link not found",
-        code: "NOT_FOUND"
-      });
-    }
+		// Find share token
+		const [share] = await db.select().from(shareTokens).where(eq(shareTokens.token, token));
+		if (!share) {
+			request.log.warn(`[Share] Invalid share token requested: ${maskToken(token)}`);
+			return reply.status(404).send({
+				error: "Share link not found",
+				code: "NOT_FOUND",
+			});
+		}

-    // Check if token has expired
-    if (share.expiresAt && share.expiresAt.getTime() < Date.now()) {
-      // Get the username of the owner to show in the expired message
-      const [owner] = await db.select({ username: users.username }).from(users).where(eq(users.id, share.userId));
-      return reply.status(410).send({
-        error: "Share link has expired",
-        code: "EXPIRED",
-        ownerUsername: owner?.username ?? "the owner",
-        takenBy: share.takenBy,
-        expiredAt: share.expiresAt.toISOString(),
-      });
-    }
+		// Check if token has expired
+		if (share.expiresAt && share.expiresAt.getTime() < Date.now()) {
+			request.log.warn(
+				`[Share] Expired token requested: ${maskToken(token)} (owner=${share.userId}, takenBy=${share.takenBy})`
+			);
+			// Get the username of the owner to show in the expired message
+			const [owner] = await db.select({ username: users.username }).from(users).where(eq(users.id, share.userId));
+			return reply.status(410).send({
+				error: "Share link has expired",
+				code: "EXPIRED",
+				ownerUsername: owner?.username ?? "the owner",
+				takenBy: share.takenBy,
+				expiredAt: share.expiresAt.toISOString(),
+			});
+		}

-    // Get user settings for stock thresholds
-    const [settings] = await db.select().from(userSettings).where(eq(userSettings.userId, share.userId));
+		// Get user settings for stock thresholds
+		const [settings] = await db.select().from(userSettings).where(eq(userSettings.userId, share.userId));

-    // Get the username of the owner who created this share link
-    const [owner] = await db.select({ username: users.username }).from(users).where(eq(users.id, share.userId));
+		// Get the username of the owner who created this share link
+		const [owner] = await db.select({ username: users.username }).from(users).where(eq(users.id, share.userId));

-    // Get medications for this user filtered by takenBy (search in JSON array)
-    // Use SQLite JSON function to check if takenBy is in the array
-    const allMeds = await db.select().from(medications).where(eq(medications.userId, share.userId));
-    
-    // Filter medications where takenByJson array contains the share.takenBy value
-    const meds = allMeds.filter((med) => {
-      const takenByArray = parseTakenByJson(med.takenByJson);
-      return takenByArray.includes(share.takenBy);
-    });
+		// Get medications for this user filtered by takenBy (search in JSON array)
+		// Use SQLite JSON function to check if takenBy is in the array
+		const allMeds = await db.select().from(medications).where(eq(medications.userId, share.userId));

-    // Parse blisters and build schedule data
-    const medicationsWithBlisters = meds.map((med) => {
-      let blisters: { usage: number; every: number; start: string }[] = [];
-      try {
-        const usageArr = JSON.parse(med.usageJson || "[]");
-        const everyArr = JSON.parse(med.everyJson || "[]");
-        const startArr = JSON.parse(med.startJson || "[]");
-        blisters = usageArr.map((usage: number, i: number) => ({
-          usage,
-          every: everyArr[i] ?? 1,
-          start: startArr[i] ?? new Date().toISOString(),
-        }));
-      } catch {
-        blisters = [];
-      }
+		// Filter medications where takenBy matches either medication-level OR any intake-level takenBy
+		const meds = allMeds.filter((med) => {
+			const takenByArray = parseTakenByJson(med.takenByJson);
+			const intakes = parseIntakesJson(
+				med.intakesJson,
+				{ usageJson: med.usageJson, everyJson: med.everyJson, startJson: med.startJson },
+				med.intakeRemindersEnabled ?? false
+			);
+			return personTakesMedication(share.takenBy, takenByArray, intakes);
+		});

-      // Parse takenBy JSON array
-      const takenByArray = parseTakenByJson(med.takenByJson);
+		// Parse blisters and build schedule data
+		const medicationsWithBlisters = meds.map((med) => {
+			// Parse intakes from new format, falling back to legacy
+			const intakes = parseIntakesJson(
+				med.intakesJson,
+				{ usageJson: med.usageJson, everyJson: med.everyJson, startJson: med.startJson },
+				med.intakeRemindersEnabled ?? false
+			);

-      const totalPills = med.packCount * med.blistersPerPack * med.pillsPerBlister + med.looseTablets;
-      return {
-        id: med.id,
-        name: med.name,
-        genericName: med.genericName,
-        pillWeightMg: med.pillWeightMg,
-        imageUrl: med.imageUrl,
-        totalPills,
-        packCount: med.packCount,
-        blistersPerPack: med.blistersPerPack,
-        looseTablets: med.looseTablets,
-        pillsPerBlister: med.pillsPerBlister,
-        takenBy: takenByArray,
-        blisters,
-      };
-    });
+			// Convert to legacy blisters format for backward compat
+			const blisters = intakes.map((i) => ({
+				usage: i.usage,
+				every: i.every,
+				start: i.start,
+			}));

-    return {
-      takenBy: share.takenBy,
-      sharedBy: owner?.username ?? null,
-      scheduleDays: share.scheduleDays,
-      medications: medicationsWithBlisters,
-      stockThresholds: {
-        lowStockDays: settings?.lowStockDays ?? 30,
-      },
-    };
-  });
+			// Parse takenBy JSON array
+			const takenByArray = parseTakenByJson(med.takenByJson);

-  // ---------------------------------------------------------------------------
-  // POST /share - PROTECTED: Create a new share link
-  // ---------------------------------------------------------------------------
-  app.post<{ Body: z.infer<typeof createShareSchema> }>(
-    "/share",
-    { preHandler: requireAuth },
-    async (request, reply) => {
-      const userId = await getUserId(request, reply);
+			const totalPills =
+				(med.packageType ?? "blister") === "bottle"
+					? med.looseTablets + (med.stockAdjustment ?? 0)
+					: med.packCount * med.blistersPerPack * med.pillsPerBlister + med.looseTablets + (med.stockAdjustment ?? 0);
+			return {
+				id: med.id,
+				name: med.name,
+				genericName: med.genericName,
+				pillWeightMg: med.pillWeightMg,
+				doseUnit: med.doseUnit ?? "mg",
+				imageUrl: med.imageUrl,
+				totalPills,
+				packageType: med.packageType ?? "blister",
+				packCount: med.packCount,
+				blistersPerPack: med.blistersPerPack,
+				looseTablets: med.looseTablets,
+				pillsPerBlister: med.pillsPerBlister,
+				takenBy: takenByArray,
+				intakes, // New unified format with per-intake takenBy
+				blisters, // Legacy format for backward compat
+				dismissedUntil: med.dismissedUntil,
+				updatedAt: med.updatedAt, // For filtering out doses from previous schedule configurations
+				lastStockCorrectionAt: med.lastStockCorrectionAt?.getTime() ?? null,
+				stockAdjustment: med.stockAdjustment ?? 0,
+			};
+		});

-      const parsed = createShareSchema.safeParse(request.body);
-      if (!parsed.success) {
-        return reply.status(400).send({
-          error: parsed.error.errors[0]?.message ?? "Invalid input",
-          code: "VALIDATION_ERROR",
-        });
-      }
+		return {
+			takenBy: share.takenBy,
+			sharedBy: owner?.username ?? null,
+			scheduleDays: share.scheduleDays,
+			medications: medicationsWithBlisters,
+			stockThresholds: {
+				lowStockDays: settings?.lowStockDays ?? 30,
+				normalStockDays: settings?.normalStockDays ?? 60,
+				highStockDays: settings?.highStockDays ?? 90,
+				reminderDaysBefore: settings?.reminderDaysBefore ?? 7,
+				expiryWarningDays: settings?.expiryWarningDays ?? 90,
+			},
+			stockCalculationMode: (settings?.stockCalculationMode as "automatic" | "manual") ?? "automatic",
+			shareStockStatus: settings?.shareStockStatus ?? true,
+			upcomingTodayOnly: settings?.upcomingTodayOnly ?? false,
+			shareScheduleTodayOnly: settings?.shareScheduleTodayOnly ?? false,
+		};
+	});

-      const { takenBy, scheduleDays } = parsed.data;
+	// ---------------------------------------------------------------------------
+	// POST /share - PROTECTED: Create a new share link
+	// ---------------------------------------------------------------------------
+	app.post<{ Body: z.infer<typeof createShareSchema> }>(
+		"/share",
+		{ preHandler: requireAuth },
+		async (request, reply) => {
+			const userId = await getUserId(request, reply);

-      // Check if user has medications for this takenBy (search in JSON array)
-      const allMeds = await db.select().from(medications).where(eq(medications.userId, userId));
-      const medsForPerson = allMeds.filter((med) => {
-        const takenByArray = parseTakenByJson(med.takenByJson);
-        return takenByArray.includes(takenBy);
-      });
+			const parsed = createShareSchema.safeParse(request.body);
+			if (!parsed.success) {
+				return reply.status(400).send({
+					error: parsed.error.errors[0]?.message ?? "Invalid input",
+					code: "VALIDATION_ERROR",
+				});
+			}

-      if (medsForPerson.length === 0) {
-        return reply.status(400).send({
-          error: "No medications found for this person",
-          code: "NO_MEDICATIONS",
-        });
-      }
+			const { takenBy, scheduleDays } = parsed.data;

-      // Generate unique token (8 bytes = 16 hex chars)
-      const token = randomBytes(8).toString("hex");
-      
-      // Set expiration date (1 year from now)
-      const expiresAt = new Date(Date.now() + SHARE_TOKEN_VALIDITY_MS);
+			// Check if user has medications for this takenBy (search in both medication-level and intake-level)
+			const allMeds = await db.select().from(medications).where(eq(medications.userId, userId));
+			const medsForPerson = allMeds.filter((med) => {
+				const takenByArray = parseTakenByJson(med.takenByJson);
+				const intakes = parseIntakesJson(
+					med.intakesJson,
+					{ usageJson: med.usageJson, everyJson: med.everyJson, startJson: med.startJson },
+					med.intakeRemindersEnabled ?? false
+				);
+				return personTakesMedication(takenBy, takenByArray, intakes);
+			});

-      // Create share token
-      await db.insert(shareTokens).values({
-        userId: userId,
-        token,
-        takenBy,
-        scheduleDays,
-        expiresAt,
-      });
+			if (medsForPerson.length === 0) {
+				return reply.status(400).send({
+					error: "No medications found for this person",
+					code: "NO_MEDICATIONS",
+				});
+			}

-      return {
-        token,
-        shareUrl: `/share/${token}`,
-        expiresAt: expiresAt.toISOString(),
-      };
-    }
-  );
+			// Keep exactly one active share link per person/user.
+			// If a link already exists, return the same token and only update settings.
+			const [existingShare] = await db
+				.select()
+				.from(shareTokens)
+				.where(and(eq(shareTokens.userId, userId), eq(shareTokens.takenBy, takenBy)));

-  // ---------------------------------------------------------------------------
-  // GET /share/people - PROTECTED: Get list of unique takenBy values
-  // ---------------------------------------------------------------------------
-  app.get(
-    "/share/people",
-    { preHandler: requireAuth },
-    async (request, reply) => {
-      const userId = await getUserId(request, reply);
+			if (existingShare) {
+				await db.update(shareTokens).set({ scheduleDays, expiresAt: null }).where(eq(shareTokens.id, existingShare.id));

-      // Get all unique takenBy values for this user (from JSON arrays)
-      const meds = await db.select({ takenByJson: medications.takenByJson })
-        .from(medications)
-        .where(eq(medications.userId, userId));
+				request.log.info(
+					`[Share] Reused existing share token (owner=${userId}, takenBy=${takenBy}, scheduleDays=${scheduleDays})`
+				);

-      // Collect all unique person names from all takenByJson arrays
-      const allPeople = new Set<string>();
-      for (const med of meds) {
-        const takenByArray = parseTakenByJson(med.takenByJson);
-        for (const person of takenByArray) {
-          if (person) allPeople.add(person);
-        }
-      }
+				return {
+					reused: true,
+					token: existingShare.token,
+					shareUrl: `/share/${existingShare.token}`,
+					expiresAt: null,
+				};
+			}

-      return { people: [...allPeople].sort() };
-    }
-  );
+			const token = randomBytes(8).toString("hex");
+
+			await db.insert(shareTokens).values({
+				userId,
+				token,
+				takenBy,
+				scheduleDays,
+				expiresAt: null,
+			});
+
+			request.log.info(
+				`[Share] Created new share token (owner=${userId}, takenBy=${takenBy}, scheduleDays=${scheduleDays})`
+			);
+
+			return {
+				reused: false,
+				token,
+				shareUrl: `/share/${token}`,
+				expiresAt: null,
+			};
+		}
+	);
+
+	// ---------------------------------------------------------------------------
+	// GET /share/people - PROTECTED: Get list of unique takenBy values
+	// ---------------------------------------------------------------------------
+	app.get("/share/people", { preHandler: requireAuth }, async (request, reply) => {
+		const userId = await getUserId(request, reply);
+
+		// Get all unique takenBy values for this user (from both medication-level and intake-level)
+		const meds = await db
+			.select({
+				takenByJson: medications.takenByJson,
+				intakesJson: medications.intakesJson,
+				usageJson: medications.usageJson,
+				everyJson: medications.everyJson,
+				startJson: medications.startJson,
+				intakeRemindersEnabled: medications.intakeRemindersEnabled,
+			})
+			.from(medications)
+			.where(eq(medications.userId, userId));
+
+		// Collect all unique person names from medication-level AND intake-level takenBy
+		const allPeople = new Set<string>();
+		for (const med of meds) {
+			const takenByArray = parseTakenByJson(med.takenByJson);
+			const intakes = parseIntakesJson(
+				med.intakesJson,
+				{ usageJson: med.usageJson, everyJson: med.everyJson, startJson: med.startJson },
+				med.intakeRemindersEnabled ?? false
+			);
+			const allForMed = getAllTakenByForMedication(takenByArray, intakes);
+			for (const person of allForMed) {
+				if (person) allPeople.add(person);
+			}
+		}
+
+		return { people: [...allPeople].sort() };
+	});
 }
@@ -0,0 +1,861 @@
+/**
+ * E2E Tests for auth routes with AUTH_ENABLED=true
+ */
+
+import cookie from "@fastify/cookie";
+import jwt from "@fastify/jwt";
+import sensible from "@fastify/sensible";
+import type { Client } from "@libsql/client";
+import Fastify, { type FastifyInstance } from "fastify";
+import { afterAll, beforeAll, beforeEach, describe, expect, it, vi } from "vitest";
+
+// Use vi.hoisted to create the db BEFORE mocks are set up
+const { testClient, testDb } = vi.hoisted(() => {
+	const { createClient } = require("@libsql/client");
+	const { drizzle } = require("drizzle-orm/libsql");
+	const client = createClient({ url: ":memory:" });
+	const db = drizzle(client);
+	return { testClient: client, testDb: db };
+});
+
+// Mock modules using the hoisted db
+vi.mock("../db/client.js", () => ({
+	db: testDb,
+	migrationsReady: Promise.resolve(),
+}));
+
+// Enable auth for these tests
+vi.mock("../plugins/env.js", () => ({
+	env: {
+		AUTH_ENABLED: true,
+		FORM_LOGIN_ENABLED: true,
+		REGISTRATION_ENABLED: true,
+		OIDC_ENABLED: false,
+		NODE_ENV: "test",
+		LOG_LEVEL: "silent",
+		PORT: 3000,
+		CORS_ORIGINS: "*",
+		JWT_SECRET: "test-jwt-secret-12345",
+		REFRESH_SECRET: "test-refresh-secret-12345",
+		COOKIE_SECRET: "test-cookie-secret-12345",
+		ACCESS_TOKEN_TTL_MINUTES: 15,
+		REFRESH_TOKEN_TTL_DAYS: 7,
+	},
+}));
+
+// Import real auth plugin and routes
+const { authRoutes } = await import("../routes/auth.js");
+
+// =============================================================================
+// Test Setup
+// =============================================================================
+
+async function createSchema(client: Client) {
+	const tableCreations = [
+		`CREATE TABLE IF NOT EXISTS users (
+      id integer PRIMARY KEY AUTOINCREMENT,
+      username text NOT NULL UNIQUE,
+      password_hash text,
+      avatar_url text,
+      auth_provider text NOT NULL DEFAULT 'local',
+      oidc_subject text,
+      is_active integer NOT NULL DEFAULT 1,
+      last_login_at integer,
+      created_at integer NOT NULL DEFAULT (strftime('%s','now')),
+      updated_at integer NOT NULL DEFAULT (strftime('%s','now'))
+    )`,
+		`CREATE TABLE IF NOT EXISTS refresh_tokens (
+      id integer PRIMARY KEY AUTOINCREMENT,
+      user_id integer NOT NULL,
+      token_id text NOT NULL UNIQUE,
+      expires_at integer NOT NULL,
+      revoked integer NOT NULL DEFAULT 0,
+      rotated_at integer,
+      created_at integer NOT NULL DEFAULT (strftime('%s','now')),
+      FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
+    )`,
+	];
+
+	for (const sql of tableCreations) {
+		await client.execute(sql);
+	}
+}
+
+async function clearData(client: Client) {
+	await client.execute("DELETE FROM refresh_tokens");
+	await client.execute("DELETE FROM users");
+	await client.execute("DELETE FROM sqlite_sequence");
+}
+
+// =============================================================================
+// Tests
+// =============================================================================
+
+describe("Auth Routes (AUTH_ENABLED=true)", () => {
+	let app: FastifyInstance;
+
+	beforeAll(async () => {
+		await createSchema(testClient);
+
+		app = Fastify({ logger: false });
+
+		await app.register(sensible);
+		await app.register(cookie, { secret: "test-cookie-secret-12345" });
+		await app.register(jwt, {
+			secret: "test-jwt-secret-12345",
+			cookie: { cookieName: "access_token", signed: false },
+		});
+
+		// Decorate with config needed by auth routes
+		app.decorate("config", {
+			accessSecret: "test-jwt-secret-12345",
+			refreshSecret: "test-refresh-secret-12345",
+			accessTtl: 15,
+			refreshTtl: 7,
+			cookieOptions: { httpOnly: true, sameSite: "lax", secure: false, path: "/", maxAge: 15 * 60 },
+			refreshCookieOptions: { httpOnly: true, sameSite: "lax", secure: false, path: "/auth", maxAge: 7 * 24 * 60 * 60 },
+		});
+
+		await app.register(authRoutes);
+		await app.ready();
+	});
+
+	afterAll(async () => {
+		await app.close();
+		testClient.close();
+	});
+
+	beforeEach(async () => {
+		await clearData(testClient);
+	});
+
+	// ---------------------------------------------------------------------------
+	// Auth State Tests
+	// ---------------------------------------------------------------------------
+
+	describe("GET /auth/state", () => {
+		it("should return auth state", async () => {
+			const response = await app.inject({
+				method: "GET",
+				url: "/auth/state",
+			});
+
+			expect(response.statusCode).toBe(200);
+			const data = response.json();
+			expect(data.authEnabled).toBe(true);
+			expect(data.registrationEnabled).toBe(true);
+			expect(data.formLoginEnabled).toBe(true);
+		});
+	});
+
+	// ---------------------------------------------------------------------------
+	// Registration Tests
+	// ---------------------------------------------------------------------------
+
+	describe("POST /auth/register", () => {
+		it("should register a new user", async () => {
+			const response = await app.inject({
+				method: "POST",
+				url: "/auth/register",
+				payload: {
+					username: "testuser",
+					password: "TestPassword123",
+				},
+			});
+
+			expect(response.statusCode).toBe(201);
+			const data = response.json();
+			expect(data.ok).toBe(true);
+			expect(data.user.username).toBe("testuser");
+		});
+
+		it("should reject duplicate username", async () => {
+			// First registration
+			await app.inject({
+				method: "POST",
+				url: "/auth/register",
+				payload: {
+					username: "duplicate",
+					password: "TestPassword123",
+				},
+			});
+
+			// Second registration with same username
+			const response = await app.inject({
+				method: "POST",
+				url: "/auth/register",
+				payload: {
+					username: "duplicate",
+					password: "AnotherPassword123",
+				},
+			});
+
+			expect(response.statusCode).toBe(409);
+			expect(response.json().code).toBe("USERNAME_EXISTS");
+		});
+
+		it("should reject duplicate username regardless of case", async () => {
+			await app.inject({
+				method: "POST",
+				url: "/auth/register",
+				payload: {
+					username: "CaseUser",
+					password: "TestPassword123",
+				},
+			});
+
+			const response = await app.inject({
+				method: "POST",
+				url: "/auth/register",
+				payload: {
+					username: "caseuser",
+					password: "AnotherPassword123",
+				},
+			});
+
+			expect(response.statusCode).toBe(409);
+			expect(response.json().code).toBe("USERNAME_EXISTS");
+		});
+
+		it("should reject short password", async () => {
+			const response = await app.inject({
+				method: "POST",
+				url: "/auth/register",
+				payload: {
+					username: "testuser",
+					password: "short",
+				},
+			});
+
+			expect(response.statusCode).toBe(400);
+			expect(response.json().code).toBe("VALIDATION_ERROR");
+		});
+
+		it("should reject short username", async () => {
+			const response = await app.inject({
+				method: "POST",
+				url: "/auth/register",
+				payload: {
+					username: "ab",
+					password: "ValidPassword123",
+				},
+			});
+
+			expect(response.statusCode).toBe(400);
+			expect(response.json().code).toBe("VALIDATION_ERROR");
+		});
+
+		it("should register with trimmed username when input has whitespace", async () => {
+			const response = await app.inject({
+				method: "POST",
+				url: "/auth/register",
+				payload: {
+					username: "  trimuser  ",
+					password: "TestPassword123",
+				},
+			});
+
+			expect(response.statusCode).toBe(201);
+			expect(response.json().user.username).toBe("trimuser");
+		});
+
+		it("should reject whitespace-only username on registration", async () => {
+			const response = await app.inject({
+				method: "POST",
+				url: "/auth/register",
+				payload: {
+					username: "   ",
+					password: "TestPassword123",
+				},
+			});
+
+			expect(response.statusCode).toBe(400);
+			expect(response.json().code).toBe("VALIDATION_ERROR");
+		});
+
+		it("should reject duplicate username even with surrounding whitespace", async () => {
+			await app.inject({
+				method: "POST",
+				url: "/auth/register",
+				payload: {
+					username: "spacedupe",
+					password: "TestPassword123",
+				},
+			});
+
+			const response = await app.inject({
+				method: "POST",
+				url: "/auth/register",
+				payload: {
+					username: "  spacedupe  ",
+					password: "AnotherPassword123",
+				},
+			});
+
+			expect(response.statusCode).toBe(409);
+			expect(response.json().code).toBe("USERNAME_EXISTS");
+		});
+
+		it("should reject invalid username characters", async () => {
+			const response = await app.inject({
+				method: "POST",
+				url: "/auth/register",
+				payload: {
+					username: "test@user",
+					password: "ValidPassword123",
+				},
+			});
+
+			expect(response.statusCode).toBe(400);
+			expect(response.json().code).toBe("VALIDATION_ERROR");
+		});
+	});
+
+	// ---------------------------------------------------------------------------
+	// Login Tests
+	// ---------------------------------------------------------------------------
+
+	describe("POST /auth/login", () => {
+		beforeEach(async () => {
+			// Create a test user
+			await app.inject({
+				method: "POST",
+				url: "/auth/register",
+				payload: {
+					username: "loginuser",
+					password: "TestPassword123",
+				},
+			});
+		});
+
+		it("should login with valid credentials", async () => {
+			const response = await app.inject({
+				method: "POST",
+				url: "/auth/login",
+				payload: {
+					username: "loginuser",
+					password: "TestPassword123",
+				},
+			});
+
+			expect(response.statusCode).toBe(200);
+			const data = response.json();
+			expect(data.ok).toBe(true);
+			expect(data.user.username).toBe("loginuser");
+
+			// Should set cookies
+			const cookies = response.cookies;
+			expect(cookies.find((c: { name: string }) => c.name === "access_token")).toBeDefined();
+			expect(cookies.find((c: { name: string }) => c.name === "refresh_token")).toBeDefined();
+		});
+
+		it("should login case-insensitively with different username casing", async () => {
+			const response = await app.inject({
+				method: "POST",
+				url: "/auth/login",
+				payload: {
+					username: "LOGINUSER",
+					password: "TestPassword123",
+				},
+			});
+
+			expect(response.statusCode).toBe(200);
+			expect(response.json().ok).toBe(true);
+			expect(response.json().user.username).toBe("loginuser");
+		});
+
+		it("should reject invalid password", async () => {
+			const response = await app.inject({
+				method: "POST",
+				url: "/auth/login",
+				payload: {
+					username: "loginuser",
+					password: "WrongPassword",
+				},
+			});
+
+			expect(response.statusCode).toBe(401);
+			expect(response.json().code).toBe("INVALID_CREDENTIALS");
+		});
+
+		it("should reject non-existent user", async () => {
+			const response = await app.inject({
+				method: "POST",
+				url: "/auth/login",
+				payload: {
+					username: "nonexistent",
+					password: "TestPassword123",
+				},
+			});
+
+			expect(response.statusCode).toBe(401);
+			expect(response.json().code).toBe("INVALID_CREDENTIALS");
+		});
+
+		it("should login successfully when username has leading/trailing whitespace", async () => {
+			const response = await app.inject({
+				method: "POST",
+				url: "/auth/login",
+				payload: {
+					username: "  loginuser  ",
+					password: "TestPassword123",
+				},
+			});
+
+			expect(response.statusCode).toBe(200);
+			expect(response.json().ok).toBe(true);
+			expect(response.json().user.username).toBe("loginuser");
+		});
+
+		it("should reject whitespace-only username on login", async () => {
+			const response = await app.inject({
+				method: "POST",
+				url: "/auth/login",
+				payload: {
+					username: "   ",
+					password: "TestPassword123",
+				},
+			});
+
+			expect(response.statusCode).toBe(400);
+			expect(response.json().code).toBe("VALIDATION_ERROR");
+		});
+
+		it("should support rememberMe option", async () => {
+			const response = await app.inject({
+				method: "POST",
+				url: "/auth/login",
+				payload: {
+					username: "loginuser",
+					password: "TestPassword123",
+					rememberMe: true,
+				},
+			});
+
+			expect(response.statusCode).toBe(200);
+			const data = response.json();
+			expect(data.ok).toBe(true);
+		});
+	});
+
+	// ---------------------------------------------------------------------------
+	// Token Refresh Tests
+	// ---------------------------------------------------------------------------
+
+	describe("POST /auth/refresh", () => {
+		it("should refresh access token with valid refresh token", async () => {
+			// Login first to get tokens
+			const _loginResponse = await app.inject({
+				method: "POST",
+				url: "/auth/login",
+				payload: {
+					username: "loginuser",
+					password: "TestPassword123",
+				},
+			});
+
+			// Need to create user first
+			await app.inject({
+				method: "POST",
+				url: "/auth/register",
+				payload: {
+					username: "refreshuser",
+					password: "TestPassword123",
+				},
+			});
+
+			const login = await app.inject({
+				method: "POST",
+				url: "/auth/login",
+				payload: {
+					username: "refreshuser",
+					password: "TestPassword123",
+				},
+			});
+
+			const refreshToken = login.cookies.find((c: { name: string }) => c.name === "refresh_token");
+
+			const response = await app.inject({
+				method: "POST",
+				url: "/auth/refresh",
+				cookies: {
+					refresh_token: refreshToken?.value ?? "",
+				},
+			});
+
+			expect(response.statusCode).toBe(200);
+			expect(response.json().ok).toBe(true);
+		});
+
+		it("should reject without refresh token", async () => {
+			const response = await app.inject({
+				method: "POST",
+				url: "/auth/refresh",
+			});
+
+			expect(response.statusCode).toBe(401);
+			expect(response.json().code).toBe("NO_REFRESH_TOKEN");
+		});
+
+		it("should reject invalid refresh token", async () => {
+			const response = await app.inject({
+				method: "POST",
+				url: "/auth/refresh",
+				cookies: {
+					refresh_token: "invalid-token",
+				},
+			});
+
+			expect(response.statusCode).toBe(401);
+			expect(response.json().code).toBe("INVALID_REFRESH_TOKEN");
+		});
+	});
+
+	// ---------------------------------------------------------------------------
+	// Logout Tests
+	// ---------------------------------------------------------------------------
+
+	describe("POST /auth/logout", () => {
+		it("should logout and clear cookies", async () => {
+			// Register and login first
+			await app.inject({
+				method: "POST",
+				url: "/auth/register",
+				payload: {
+					username: "logoutuser",
+					password: "TestPassword123",
+				},
+			});
+
+			const login = await app.inject({
+				method: "POST",
+				url: "/auth/login",
+				payload: {
+					username: "logoutuser",
+					password: "TestPassword123",
+				},
+			});
+
+			const refreshToken = login.cookies.find((c: { name: string }) => c.name === "refresh_token");
+
+			const response = await app.inject({
+				method: "POST",
+				url: "/auth/logout",
+				cookies: {
+					refresh_token: refreshToken?.value ?? "",
+				},
+			});
+
+			expect(response.statusCode).toBe(200);
+			expect(response.json().ok).toBe(true);
+		});
+
+		it("should succeed even without refresh token", async () => {
+			const response = await app.inject({
+				method: "POST",
+				url: "/auth/logout",
+			});
+
+			expect(response.statusCode).toBe(200);
+			expect(response.json().ok).toBe(true);
+		});
+	});
+
+	// ---------------------------------------------------------------------------
+	// Me Endpoint Tests
+	// ---------------------------------------------------------------------------
+
+	describe("GET /auth/me", () => {
+		it("should return user info with valid access token", async () => {
+			// Register and login
+			await app.inject({
+				method: "POST",
+				url: "/auth/register",
+				payload: {
+					username: "meuser",
+					password: "TestPassword123",
+				},
+			});
+
+			const login = await app.inject({
+				method: "POST",
+				url: "/auth/login",
+				payload: {
+					username: "meuser",
+					password: "TestPassword123",
+				},
+			});
+
+			const accessToken = login.cookies.find((c: { name: string }) => c.name === "access_token");
+
+			const response = await app.inject({
+				method: "GET",
+				url: "/auth/me",
+				cookies: {
+					access_token: accessToken?.value ?? "",
+				},
+			});
+
+			expect(response.statusCode).toBe(200);
+			const data = response.json();
+			expect(data.username).toBe("meuser");
+		});
+
+		it("should reject without access token", async () => {
+			const response = await app.inject({
+				method: "GET",
+				url: "/auth/me",
+			});
+
+			expect(response.statusCode).toBe(401);
+		});
+
+		it("should reject with invalid access token", async () => {
+			const response = await app.inject({
+				method: "GET",
+				url: "/auth/me",
+				cookies: {
+					access_token: "invalid.jwt.token",
+				},
+			});
+
+			expect(response.statusCode).toBe(401);
+		});
+	});
+
+	// ---------------------------------------------------------------------------
+	// Inactive User Tests
+	// ---------------------------------------------------------------------------
+
+	describe("Inactive user handling", () => {
+		it("should reject login for inactive user", async () => {
+			// Create user
+			await app.inject({
+				method: "POST",
+				url: "/auth/register",
+				payload: {
+					username: "inactiveuser",
+					password: "TestPassword123",
+				},
+			});
+
+			// Manually deactivate user in DB
+			await testClient.execute({
+				sql: "UPDATE users SET is_active = 0 WHERE username = ?",
+				args: ["inactiveuser"],
+			});
+
+			const response = await app.inject({
+				method: "POST",
+				url: "/auth/login",
+				payload: {
+					username: "inactiveuser",
+					password: "TestPassword123",
+				},
+			});
+
+			expect(response.statusCode).toBe(401);
+			expect(response.json().code).toBe("ACCOUNT_DISABLED");
+		});
+	});
+
+	// ---------------------------------------------------------------------------
+	// Profile Update Tests
+	// ---------------------------------------------------------------------------
+
+	describe("PUT /auth/me (profile update)", () => {
+		it("should update password with valid current password", async () => {
+			// Register and login
+			await app.inject({
+				method: "POST",
+				url: "/auth/register",
+				payload: {
+					username: "profileuser",
+					password: "TestPassword123",
+				},
+			});
+
+			const login = await app.inject({
+				method: "POST",
+				url: "/auth/login",
+				payload: {
+					username: "profileuser",
+					password: "TestPassword123",
+				},
+			});
+
+			const accessToken = login.cookies.find((c: { name: string }) => c.name === "access_token");
+
+			const response = await app.inject({
+				method: "PUT",
+				url: "/auth/me",
+				cookies: {
+					access_token: accessToken?.value ?? "",
+				},
+				payload: {
+					currentPassword: "TestPassword123",
+					newPassword: "NewPassword456",
+				},
+			});
+
+			expect(response.statusCode).toBe(200);
+			expect(response.json().ok).toBe(true);
+
+			// Verify can login with new password
+			const newLogin = await app.inject({
+				method: "POST",
+				url: "/auth/login",
+				payload: {
+					username: "profileuser",
+					password: "NewPassword456",
+				},
+			});
+
+			expect(newLogin.statusCode).toBe(200);
+		});
+
+		it("should reject password change without current password", async () => {
+			await app.inject({
+				method: "POST",
+				url: "/auth/register",
+				payload: {
+					username: "profileuser2",
+					password: "TestPassword123",
+				},
+			});
+
+			const login = await app.inject({
+				method: "POST",
+				url: "/auth/login",
+				payload: {
+					username: "profileuser2",
+					password: "TestPassword123",
+				},
+			});
+
+			const accessToken = login.cookies.find((c: { name: string }) => c.name === "access_token");
+
+			const response = await app.inject({
+				method: "PUT",
+				url: "/auth/me",
+				cookies: {
+					access_token: accessToken?.value ?? "",
+				},
+				payload: {
+					newPassword: "NewPassword456",
+				},
+			});
+
+			expect(response.statusCode).toBe(400);
+			expect(response.json().code).toBe("CURRENT_PASSWORD_REQUIRED");
+		});
+
+		it("should reject password change with wrong current password", async () => {
+			await app.inject({
+				method: "POST",
+				url: "/auth/register",
+				payload: {
+					username: "profileuser3",
+					password: "TestPassword123",
+				},
+			});
+
+			const login = await app.inject({
+				method: "POST",
+				url: "/auth/login",
+				payload: {
+					username: "profileuser3",
+					password: "TestPassword123",
+				},
+			});
+
+			const accessToken = login.cookies.find((c: { name: string }) => c.name === "access_token");
+
+			const response = await app.inject({
+				method: "PUT",
+				url: "/auth/me",
+				cookies: {
+					access_token: accessToken?.value ?? "",
+				},
+				payload: {
+					currentPassword: "WrongPassword",
+					newPassword: "NewPassword456",
+				},
+			});
+
+			expect(response.statusCode).toBe(401);
+			expect(response.json().code).toBe("INVALID_PASSWORD");
+		});
+
+		it("should reject profile update without auth", async () => {
+			const response = await app.inject({
+				method: "PUT",
+				url: "/auth/me",
+				payload: {
+					currentPassword: "Test123",
+					newPassword: "NewPassword456",
+				},
+			});
+
+			expect(response.statusCode).toBe(401);
+		});
+	});
+
+	describe("DELETE /auth/me - Delete Account", () => {
+		it("should delete user account and all data", async () => {
+			// Register and login
+			await app.inject({
+				method: "POST",
+				url: "/auth/register",
+				payload: {
+					username: "deleteuser",
+					password: "TestPassword123",
+				},
+			});
+
+			const login = await app.inject({
+				method: "POST",
+				url: "/auth/login",
+				payload: {
+					username: "deleteuser",
+					password: "TestPassword123",
+				},
+			});
+
+			const accessToken = login.cookies.find((c: { name: string }) => c.name === "access_token");
+
+			// Delete account
+			const response = await app.inject({
+				method: "DELETE",
+				url: "/auth/me",
+				cookies: {
+					access_token: accessToken?.value ?? "",
+				},
+			});
+
+			expect(response.statusCode).toBe(200);
+			expect(response.json().ok).toBe(true);
+
+			// Verify can't login anymore
+			const loginAgain = await app.inject({
+				method: "POST",
+				url: "/auth/login",
+				payload: {
+					username: "deleteuser",
+					password: "TestPassword123",
+				},
+			});
+
+			expect(loginAgain.statusCode).toBe(401);
+		});
+
+		it("should reject delete without auth", async () => {
+			const response = await app.inject({
+				method: "DELETE",
+				url: "/auth/me",
+			});
+
+			expect(response.statusCode).toBe(401);
+		});
+	});
+});
@@ -0,0 +1,125 @@
+import { afterEach, describe, expect, it, vi } from "vitest";
+
+type ClientTestOptions = {
+	dirWritable?: boolean;
+	authEnabled?: boolean;
+};
+
+async function loadDbClientModule(options: ClientTestOptions = {}) {
+	const { dirWritable = true, authEnabled = false } = options;
+
+	vi.resetModules();
+	vi.restoreAllMocks();
+
+	process.env.AUTH_ENABLED = authEnabled ? "true" : "false";
+	process.env.DOTENV_PATH = "/tmp/medassist-nonexistent.env";
+
+	const existsSync = vi.fn().mockReturnValue(false);
+	const statSync = vi.fn().mockReturnValue({ mode: 0o40755, uid: 1000, gid: 1000 });
+	vi.doMock("node:fs", () => ({ existsSync, statSync }));
+
+	const dotenvConfig = vi.fn();
+	vi.doMock("dotenv", () => ({ default: { config: dotenvConfig } }));
+
+	const createClient = vi.fn().mockReturnValue({ execute: vi.fn() });
+	vi.doMock("@libsql/client", () => ({ createClient }));
+
+	const drizzle = vi.fn().mockReturnValue({ __db: true });
+	vi.doMock("drizzle-orm/libsql", () => ({ drizzle }));
+
+	const ensureDataDirectory = vi
+		.fn()
+		.mockReturnValue(dirWritable ? { success: true } : { success: false, error: "permission denied" });
+	const getDbPaths = vi.fn().mockReturnValue({
+		dataDir: "/tmp/medassist-data",
+		dbPath: "/tmp/medassist-data/medassist.db",
+		url: "file:/tmp/medassist-data/medassist.db",
+	});
+	const runDrizzleMigrations = vi.fn().mockResolvedValue({ success: true });
+	const runAlterMigrations = vi.fn().mockResolvedValue({ errors: [] });
+	const repairTrailingHyphenDoseIds = vi.fn().mockResolvedValue({ repaired: 0, errors: [] });
+	const repairOrphanedDoseIds = vi.fn().mockResolvedValue({ repaired: 0, errors: [] });
+	const ensureDefaultUser = vi.fn().mockResolvedValue(false);
+
+	vi.doMock("../db/db-utils.js", () => ({
+		buildDbUrl: vi.fn(),
+		getDataDir: vi.fn(),
+		ensureDataDirectory,
+		getDbPaths,
+		runDrizzleMigrations,
+		runAlterMigrations,
+		repairTrailingHyphenDoseIds,
+		repairOrphanedDoseIds,
+		ensureDefaultUser,
+	}));
+
+	const log = {
+		debug: vi.fn(),
+		info: vi.fn(),
+		warn: vi.fn(),
+		error: vi.fn(),
+	};
+	vi.doMock("../utils/logger.js", () => ({ log }));
+
+	const exitSpy = vi.spyOn(process, "exit").mockImplementation(((code?: number) => {
+		throw new Error(`process.exit:${code ?? 0}`);
+	}) as never);
+
+	const modulePromise = import("../db/client.js");
+
+	return {
+		modulePromise,
+		mocks: {
+			existsSync,
+			statSync,
+			dotenvConfig,
+			createClient,
+			drizzle,
+			ensureDataDirectory,
+			getDbPaths,
+			runDrizzleMigrations,
+			runAlterMigrations,
+			repairTrailingHyphenDoseIds,
+			repairOrphanedDoseIds,
+			ensureDefaultUser,
+			log,
+			exitSpy,
+		},
+	};
+}
+
+afterEach(() => {
+	vi.restoreAllMocks();
+});
+
+describe("db/client bootstrap", () => {
+	it("initializes db and runs migrations when directory is writable", async () => {
+		const { modulePromise, mocks } = await loadDbClientModule({ dirWritable: true, authEnabled: false });
+		const mod = await modulePromise;
+
+		expect(mod.db).toBeTruthy();
+		expect(mod.migrationsReady).toBeInstanceOf(Promise);
+		await mod.migrationsReady;
+
+		expect(mocks.ensureDataDirectory).toHaveBeenCalledWith("/tmp/medassist-data");
+		expect(mocks.createClient).toHaveBeenCalledWith({ url: "file:/tmp/medassist-data/medassist.db" });
+		expect(mocks.runDrizzleMigrations).toHaveBeenCalledTimes(1);
+		expect(mocks.runAlterMigrations).toHaveBeenCalledTimes(1);
+		expect(mocks.repairTrailingHyphenDoseIds).toHaveBeenCalledTimes(1);
+		expect(mocks.repairOrphanedDoseIds).toHaveBeenCalledTimes(1);
+		expect(mocks.ensureDefaultUser).toHaveBeenCalledWith(expect.anything(), false);
+	});
+
+	it("passes auth-enabled flag to ensureDefaultUser", async () => {
+		const { modulePromise, mocks } = await loadDbClientModule({ dirWritable: true, authEnabled: true });
+		const mod = await modulePromise;
+		await mod.migrationsReady;
+
+		expect(mocks.ensureDefaultUser).toHaveBeenCalledWith(expect.anything(), true);
+	});
+
+	it("exits when data directory is not writable", async () => {
+		const { modulePromise } = await loadDbClientModule({ dirWritable: false });
+		await expect(modulePromise).rejects.toThrow("process.exit:1");
+	});
+});
@@ -0,0 +1,542 @@
+/**
+ * Tests for /doses/taken API endpoints.
+ * Tests marking doses as taken, listing taken doses, and unmarking.
+ */
+import { afterAll, beforeAll, beforeEach, describe, expect, it } from "vitest";
+import { buildTestApp, clearTestData, closeTestApp, createTestUser, type TestContext } from "./setup.js";
+
+// =============================================================================
+// Route Registration
+// Since we can't easily import routes that depend on the global db,
+// we'll create simplified route handlers for testing the core logic.
+// =============================================================================
+
+async function registerDoseRoutes(ctx: TestContext) {
+	const { app, client } = ctx;
+
+	// GET /doses/taken - List all taken doses
+	app.get("/doses/taken", async (_request, _reply) => {
+		// In test mode, use user ID 1 (will be created in tests)
+		const userId = 1;
+
+		const result = await client.execute({
+			sql: `SELECT dose_id, taken_at, marked_by FROM dose_tracking WHERE user_id = ?`,
+			args: [userId],
+		});
+
+		return {
+			doses: result.rows.map((d) => ({
+				doseId: d.dose_id,
+				takenAt: (d.taken_at as number) * 1000, // Convert to ms
+				markedBy: d.marked_by,
+			})),
+		};
+	});
+
+	// POST /doses/taken - Mark a dose as taken
+	app.post<{ Body: { doseId: string } }>("/doses/taken", async (request, reply) => {
+		const userId = 1;
+		const { doseId } = request.body || {};
+
+		if (!doseId || typeof doseId !== "string" || doseId.length === 0) {
+			return reply.status(400).send({ error: "doseId is required" });
+		}
+
+		// Check if already marked
+		const existing = await client.execute({
+			sql: `SELECT id FROM dose_tracking WHERE user_id = ? AND dose_id = ?`,
+			args: [userId, doseId],
+		});
+
+		if (existing.rows.length > 0) {
+			return { success: true, message: "Already marked" };
+		}
+
+		// Insert new record
+		await client.execute({
+			sql: `INSERT INTO dose_tracking (user_id, dose_id, marked_by) VALUES (?, ?, NULL)`,
+			args: [userId, doseId],
+		});
+
+		return { success: true };
+	});
+
+	// DELETE /doses/taken/:doseId - Unmark a dose
+	app.delete<{ Params: { doseId: string } }>("/doses/taken/:doseId", async (request, _reply) => {
+		const userId = 1;
+		const { doseId } = request.params;
+
+		// Check if this dose was also dismissed
+		const existing = await client.execute({
+			sql: `SELECT id, dismissed FROM dose_tracking WHERE user_id = ? AND dose_id = ?`,
+			args: [userId, doseId],
+		});
+
+		if (existing.rows.length > 0 && existing.rows[0].dismissed) {
+			// Already dismissed - keep the record as-is (don't delete)
+			// The dose stays dismissed, we just ignore the undo request
+		} else {
+			// Not dismissed - delete the record entirely
+			await client.execute({
+				sql: `DELETE FROM dose_tracking WHERE user_id = ? AND dose_id = ?`,
+				args: [userId, doseId],
+			});
+		}
+
+		return { success: true };
+	});
+
+	// POST /doses/dismiss - Dismiss missed doses without deducting stock
+	app.post<{ Body: { doseIds: string[] } }>("/doses/dismiss", async (request, reply) => {
+		const userId = 1;
+		const { doseIds } = request.body || {};
+
+		if (!doseIds || !Array.isArray(doseIds) || doseIds.length === 0) {
+			return reply.status(400).send({ error: "doseIds array is required" });
+		}
+
+		let dismissedCount = 0;
+		for (const doseId of doseIds) {
+			// Check if already exists
+			const existing = await client.execute({
+				sql: `SELECT id, dismissed FROM dose_tracking WHERE user_id = ? AND dose_id = ?`,
+				args: [userId, doseId],
+			});
+
+			if (existing.rows.length > 0) {
+				// Update to dismissed if not already
+				if (!existing.rows[0].dismissed) {
+					await client.execute({
+						sql: `UPDATE dose_tracking SET dismissed = 1 WHERE id = ?`,
+						args: [existing.rows[0].id],
+					});
+					dismissedCount++;
+				}
+			} else {
+				// Insert new dismissed record
+				await client.execute({
+					sql: `INSERT INTO dose_tracking (user_id, dose_id, dismissed) VALUES (?, ?, 1)`,
+					args: [userId, doseId],
+				});
+				dismissedCount++;
+			}
+		}
+
+		return { success: true, dismissedCount };
+	});
+}
+
+// =============================================================================
+// Tests
+// =============================================================================
+
+describe("Dose Tracking API", () => {
+	let ctx: TestContext;
+	let userId: number;
+
+	beforeAll(async () => {
+		ctx = await buildTestApp();
+		await registerDoseRoutes(ctx);
+		await ctx.app.ready();
+	});
+
+	afterAll(async () => {
+		await closeTestApp(ctx);
+	});
+
+	beforeEach(async () => {
+		await clearTestData(ctx.client);
+		// Create test user - will get ID 1 since table is cleared
+		userId = await createTestUser(ctx.client, { username: "testuser" });
+		// Reset SQLite autoincrement so user gets ID 1
+		await ctx.client.execute("DELETE FROM sqlite_sequence WHERE name='users'");
+		await clearTestData(ctx.client);
+		userId = await createTestUser(ctx.client, { username: "testuser" });
+	});
+
+	// ---------------------------------------------------------------------------
+	// POST /doses/taken
+	// ---------------------------------------------------------------------------
+
+	describe("POST /doses/taken", () => {
+		it("should mark a dose as taken", async () => {
+			const doseId = "1-0-1735344000000";
+
+			const response = await ctx.app.inject({
+				method: "POST",
+				url: "/doses/taken",
+				payload: { doseId },
+			});
+
+			expect(response.statusCode).toBe(200);
+			expect(response.json()).toEqual({ success: true });
+
+			// Verify in database
+			const result = await ctx.client.execute({
+				sql: `SELECT dose_id, marked_by FROM dose_tracking WHERE user_id = ? AND dose_id = ?`,
+				args: [userId, doseId],
+			});
+			expect(result.rows.length).toBe(1);
+			expect(result.rows[0].dose_id).toBe(doseId);
+			expect(result.rows[0].marked_by).toBeNull();
+		});
+
+		it("should return idempotent response when dose already marked", async () => {
+			const doseId = "1-0-1735344000000";
+
+			// Mark once
+			await ctx.app.inject({
+				method: "POST",
+				url: "/doses/taken",
+				payload: { doseId },
+			});
+
+			// Mark again
+			const response = await ctx.app.inject({
+				method: "POST",
+				url: "/doses/taken",
+				payload: { doseId },
+			});
+
+			expect(response.statusCode).toBe(200);
+			expect(response.json()).toEqual({ success: true, message: "Already marked" });
+
+			// Should still only have one record
+			const result = await ctx.client.execute({
+				sql: `SELECT COUNT(*) as count FROM dose_tracking WHERE user_id = ? AND dose_id = ?`,
+				args: [userId, doseId],
+			});
+			expect(result.rows[0].count).toBe(1);
+		});
+
+		it("should reject request without doseId", async () => {
+			const response = await ctx.app.inject({
+				method: "POST",
+				url: "/doses/taken",
+				payload: {},
+			});
+
+			expect(response.statusCode).toBe(400);
+			expect(response.json()).toEqual({ error: "doseId is required" });
+		});
+
+		it("should reject request with empty doseId", async () => {
+			const response = await ctx.app.inject({
+				method: "POST",
+				url: "/doses/taken",
+				payload: { doseId: "" },
+			});
+
+			expect(response.statusCode).toBe(400);
+			expect(response.json()).toEqual({ error: "doseId is required" });
+		});
+	});
+
+	// ---------------------------------------------------------------------------
+	// GET /doses/taken
+	// ---------------------------------------------------------------------------
+
+	describe("GET /doses/taken", () => {
+		it("should return empty array when no doses taken", async () => {
+			const response = await ctx.app.inject({
+				method: "GET",
+				url: "/doses/taken",
+			});
+
+			expect(response.statusCode).toBe(200);
+			expect(response.json()).toEqual({ doses: [] });
+		});
+
+		it("should return list of taken doses", async () => {
+			const doseId1 = "1-0-1735344000000";
+			const doseId2 = "1-0-1735430400000";
+
+			// Mark two doses
+			await ctx.app.inject({
+				method: "POST",
+				url: "/doses/taken",
+				payload: { doseId: doseId1 },
+			});
+			await ctx.app.inject({
+				method: "POST",
+				url: "/doses/taken",
+				payload: { doseId: doseId2 },
+			});
+
+			const response = await ctx.app.inject({
+				method: "GET",
+				url: "/doses/taken",
+			});
+
+			expect(response.statusCode).toBe(200);
+			const data = response.json();
+			expect(data.doses).toHaveLength(2);
+			expect(data.doses.map((d: { doseId: string }) => d.doseId).sort()).toEqual([doseId1, doseId2].sort());
+			// Each dose should have a takenAt timestamp
+			for (const dose of data.doses) {
+				expect(dose.takenAt).toBeTypeOf("number");
+				expect(dose.takenAt).toBeGreaterThan(0);
+				expect(dose.markedBy).toBeNull();
+			}
+		});
+
+		it("should include markedBy when present", async () => {
+			const doseId = "1-0-1735344000000";
+
+			// Insert directly with markedBy
+			await ctx.client.execute({
+				sql: `INSERT INTO dose_tracking (user_id, dose_id, marked_by) VALUES (?, ?, ?)`,
+				args: [userId, doseId, "Daniel"],
+			});
+
+			const response = await ctx.app.inject({
+				method: "GET",
+				url: "/doses/taken",
+			});
+
+			expect(response.statusCode).toBe(200);
+			const data = response.json();
+			expect(data.doses).toHaveLength(1);
+			expect(data.doses[0].markedBy).toBe("Daniel");
+		});
+	});
+
+	// ---------------------------------------------------------------------------
+	// DELETE /doses/taken/:doseId
+	// ---------------------------------------------------------------------------
+
+	describe("DELETE /doses/taken/:doseId", () => {
+		it("should unmark a dose", async () => {
+			const doseId = "1-0-1735344000000";
+
+			// Mark first
+			await ctx.app.inject({
+				method: "POST",
+				url: "/doses/taken",
+				payload: { doseId },
+			});
+
+			// Verify marked
+			let result = await ctx.client.execute({
+				sql: `SELECT COUNT(*) as count FROM dose_tracking WHERE dose_id = ?`,
+				args: [doseId],
+			});
+			expect(result.rows[0].count).toBe(1);
+
+			// Unmark
+			const response = await ctx.app.inject({
+				method: "DELETE",
+				url: `/doses/taken/${encodeURIComponent(doseId)}`,
+			});
+
+			expect(response.statusCode).toBe(200);
+			expect(response.json()).toEqual({ success: true });
+
+			// Verify unmarked
+			result = await ctx.client.execute({
+				sql: `SELECT COUNT(*) as count FROM dose_tracking WHERE dose_id = ?`,
+				args: [doseId],
+			});
+			expect(result.rows[0].count).toBe(0);
+		});
+
+		it("should succeed even if dose was not marked", async () => {
+			const doseId = "nonexistent-dose-id";
+
+			const response = await ctx.app.inject({
+				method: "DELETE",
+				url: `/doses/taken/${encodeURIComponent(doseId)}`,
+			});
+
+			expect(response.statusCode).toBe(200);
+			expect(response.json()).toEqual({ success: true });
+		});
+
+		it("should preserve dismissed status when unmarking a dose", async () => {
+			const doseId = "1-0-1735344000000";
+
+			// First dismiss the dose
+			await ctx.app.inject({
+				method: "POST",
+				url: "/doses/dismiss",
+				payload: { doseIds: [doseId] },
+			});
+
+			// Verify it's dismissed
+			let result = await ctx.client.execute({
+				sql: `SELECT dismissed, taken_at FROM dose_tracking WHERE dose_id = ?`,
+				args: [doseId],
+			});
+			expect(result.rows[0].dismissed).toBe(1);
+			const originalTakenAt = result.rows[0].taken_at;
+
+			// Now try to unmark it (undo) - should keep the dismissed record
+			const response = await ctx.app.inject({
+				method: "DELETE",
+				url: `/doses/taken/${encodeURIComponent(doseId)}`,
+			});
+
+			expect(response.statusCode).toBe(200);
+			expect(response.json()).toEqual({ success: true });
+
+			// Verify the record still exists and is still dismissed
+			result = await ctx.client.execute({
+				sql: `SELECT dose_id, dismissed, taken_at FROM dose_tracking WHERE dose_id = ?`,
+				args: [doseId],
+			});
+			expect(result.rows.length).toBe(1);
+			expect(result.rows[0].dismissed).toBe(1);
+			expect(result.rows[0].taken_at).toBe(originalTakenAt); // unchanged
+		});
+	});
+
+	// ---------------------------------------------------------------------------
+	// Dose ID Format Tests
+	// ---------------------------------------------------------------------------
+
+	describe("Dose ID Format", () => {
+		it("should handle standard dose ID format: {medId}-{blisterIdx}-{timestamp}", async () => {
+			const doseId = "5-0-1735344000000";
+
+			const response = await ctx.app.inject({
+				method: "POST",
+				url: "/doses/taken",
+				payload: { doseId },
+			});
+
+			expect(response.statusCode).toBe(200);
+			expect(response.json()).toEqual({ success: true });
+		});
+
+		it("should handle dose ID with person: {medId}-{blisterIdx}-{timestamp}-{person}", async () => {
+			const doseId = "5-0-1735344000000-Daniel";
+
+			const response = await ctx.app.inject({
+				method: "POST",
+				url: "/doses/taken",
+				payload: { doseId },
+			});
+
+			expect(response.statusCode).toBe(200);
+			expect(response.json()).toEqual({ success: true });
+		});
+
+		it("should handle special characters in dose ID", async () => {
+			// Dose ID with URL-unsafe characters (edge case)
+			const doseId = "5-0-1735344000000-Max Müller";
+
+			const response = await ctx.app.inject({
+				method: "POST",
+				url: "/doses/taken",
+				payload: { doseId },
+			});
+
+			expect(response.statusCode).toBe(200);
+
+			// Can retrieve it
+			const getResponse = await ctx.app.inject({
+				method: "GET",
+				url: "/doses/taken",
+			});
+
+			expect(getResponse.json().doses[0].doseId).toBe(doseId);
+		});
+	});
+
+	// ---------------------------------------------------------------------------
+	// Dismiss Doses Tests (POST /doses/dismiss)
+	// ---------------------------------------------------------------------------
+
+	describe("POST /doses/dismiss", () => {
+		it("should dismiss multiple doses", async () => {
+			const doseIds = ["1-0-1735344000000", "1-0-1735430400000"];
+
+			const response = await ctx.app.inject({
+				method: "POST",
+				url: "/doses/dismiss",
+				payload: { doseIds },
+			});
+
+			expect(response.statusCode).toBe(200);
+			expect(response.json()).toEqual({ success: true, dismissedCount: 2 });
+
+			// Verify in database
+			const result = await ctx.client.execute({
+				sql: `SELECT dose_id, dismissed FROM dose_tracking WHERE user_id = ? AND dismissed = 1`,
+				args: [userId],
+			});
+			expect(result.rows.length).toBe(2);
+		});
+
+		it("should not double-count already dismissed doses", async () => {
+			const doseId = "1-0-1735344000000";
+
+			// Dismiss once
+			await ctx.app.inject({
+				method: "POST",
+				url: "/doses/dismiss",
+				payload: { doseIds: [doseId] },
+			});
+
+			// Dismiss again
+			const response = await ctx.app.inject({
+				method: "POST",
+				url: "/doses/dismiss",
+				payload: { doseIds: [doseId] },
+			});
+
+			expect(response.statusCode).toBe(200);
+			expect(response.json()).toEqual({ success: true, dismissedCount: 0 });
+		});
+
+		it("should reject empty doseIds array", async () => {
+			const response = await ctx.app.inject({
+				method: "POST",
+				url: "/doses/dismiss",
+				payload: { doseIds: [] },
+			});
+
+			expect(response.statusCode).toBe(400);
+			expect(response.json()).toEqual({ error: "doseIds array is required" });
+		});
+
+		it("should reject missing doseIds", async () => {
+			const response = await ctx.app.inject({
+				method: "POST",
+				url: "/doses/dismiss",
+				payload: {},
+			});
+
+			expect(response.statusCode).toBe(400);
+			expect(response.json()).toEqual({ error: "doseIds array is required" });
+		});
+
+		it("should dismiss a dose that was already taken (convert to dismissed)", async () => {
+			const doseId = "1-0-1735344000000";
+
+			// First mark as taken
+			await ctx.app.inject({
+				method: "POST",
+				url: "/doses/taken",
+				payload: { doseId },
+			});
+
+			// Then dismiss it
+			const response = await ctx.app.inject({
+				method: "POST",
+				url: "/doses/dismiss",
+				payload: { doseIds: [doseId] },
+			});
+
+			expect(response.statusCode).toBe(200);
+			expect(response.json()).toEqual({ success: true, dismissedCount: 1 });
+
+			// Verify it's now dismissed
+			const result = await ctx.client.execute({
+				sql: `SELECT dismissed FROM dose_tracking WHERE user_id = ? AND dose_id = ?`,
+				args: [userId, doseId],
+			});
+			expect(result.rows[0].dismissed).toBe(1);
+		});
+	});
+});
@@ -0,0 +1,76 @@
+import { afterAll, beforeEach, describe, expect, it, vi } from "vitest";
+
+const ORIGINAL_ENV = { ...process.env };
+
+describe("plugins/env runtime validation", () => {
+	beforeEach(() => {
+		vi.resetModules();
+		vi.restoreAllMocks();
+		process.env = {
+			...ORIGINAL_ENV,
+			DOTENV_PATH: "/tmp/medassist-nonexistent.env",
+		};
+	});
+
+	afterAll(() => {
+		process.env = ORIGINAL_ENV;
+	});
+
+	it("loads with defaults when auth and oidc are disabled", async () => {
+		delete process.env.AUTH_ENABLED;
+		delete process.env.OIDC_ENABLED;
+		delete process.env.JWT_SECRET;
+		delete process.env.REFRESH_SECRET;
+		delete process.env.COOKIE_SECRET;
+
+		const mod = await import("../plugins/env.js");
+		expect(mod.env.AUTH_ENABLED).toBe(false);
+		expect(mod.env.OIDC_ENABLED).toBe(false);
+		expect(mod.env.PORT).toBe(3000);
+	});
+
+	it("exits when auth is enabled but secrets are missing", async () => {
+		process.env.AUTH_ENABLED = "true";
+		delete process.env.JWT_SECRET;
+		delete process.env.REFRESH_SECRET;
+		delete process.env.COOKIE_SECRET;
+
+		vi.spyOn(process, "exit").mockImplementation(((code?: number) => {
+			throw new Error(`process.exit:${code ?? 0}`);
+		}) as never);
+
+		await expect(import("../plugins/env.js")).rejects.toThrow("process.exit:1");
+	});
+
+	it("exits when oidc is enabled but required settings are missing", async () => {
+		process.env.AUTH_ENABLED = "false";
+		process.env.OIDC_ENABLED = "true";
+		delete process.env.OIDC_ISSUER_URL;
+		delete process.env.OIDC_CLIENT_ID;
+		delete process.env.OIDC_CLIENT_SECRET;
+		delete process.env.OIDC_REDIRECT_URI;
+
+		vi.spyOn(process, "exit").mockImplementation(((code?: number) => {
+			throw new Error(`process.exit:${code ?? 0}`);
+		}) as never);
+
+		await expect(import("../plugins/env.js")).rejects.toThrow("process.exit:1");
+	});
+
+	it("loads when auth and oidc settings are complete", async () => {
+		process.env.AUTH_ENABLED = "true";
+		process.env.JWT_SECRET = "jwt-secret-for-runtime-test";
+		process.env.REFRESH_SECRET = "refresh-secret-runtime-test";
+		process.env.COOKIE_SECRET = "cookie-secret-runtime-test";
+		process.env.OIDC_ENABLED = "true";
+		process.env.OIDC_ISSUER_URL = "https://auth.example.com";
+		process.env.OIDC_CLIENT_ID = "medassist";
+		process.env.OIDC_CLIENT_SECRET = "super-secret-client";
+		process.env.OIDC_REDIRECT_URI = "https://app.example.com/api/auth/oidc/callback";
+
+		const mod = await import("../plugins/env.js");
+		expect(mod.env.AUTH_ENABLED).toBe(true);
+		expect(mod.env.OIDC_ENABLED).toBe(true);
+		expect(mod.env.OIDC_CLIENT_ID).toBe("medassist");
+	});
+});
@@ -0,0 +1,386 @@
+import { describe, expect, it, vi } from "vitest";
+import { z } from "zod";
+
+// Mock process.exit to prevent tests from exiting
+const mockExit = vi.fn();
+vi.spyOn(process, "exit").mockImplementation(mockExit as unknown as (...args: unknown[]) => never);
+
+// Re-create the schema from env.ts for testing
+const EnvSchema = z.object({
+	NODE_ENV: z.enum(["development", "production", "test"]).default("production"),
+	PORT: z
+		.string()
+		.transform((v) => parseInt(v, 10))
+		.default("3000"),
+	CORS_ORIGINS: z.string().default("http://localhost:5173,http://localhost:4173"),
+	LOG_LEVEL: z.string().default("info"),
+	AUTH_ENABLED: z
+		.string()
+		.transform((v) => v === "true")
+		.default("false"),
+	REGISTRATION_ENABLED: z
+		.string()
+		.transform((v) => v === "true")
+		.default("false"),
+	JWT_SECRET: z.string().min(10).optional(),
+	REFRESH_SECRET: z.string().min(10).optional(),
+	COOKIE_SECRET: z.string().min(10).optional(),
+	ACCESS_TOKEN_TTL_MINUTES: z
+		.string()
+		.transform((v) => parseInt(v, 10))
+		.default("15"),
+	REFRESH_TOKEN_TTL_DAYS: z
+		.string()
+		.transform((v) => parseInt(v, 10))
+		.default("7"),
+	OIDC_ENABLED: z
+		.string()
+		.transform((v) => v === "true")
+		.default("false"),
+	OIDC_ISSUER_URL: z.string().url().optional(),
+	OIDC_CLIENT_ID: z.string().optional(),
+	OIDC_CLIENT_SECRET: z.string().optional(),
+	OIDC_REDIRECT_URI: z.string().url().optional(),
+	OIDC_SCOPES: z.string().default("openid profile email"),
+	OIDC_AUTO_CREATE_USERS: z
+		.string()
+		.transform((v) => v === "true")
+		.default("true"),
+	OIDC_USERNAME_CLAIM: z.string().default("preferred_username"),
+	OIDC_PROVIDER_NAME: z.string().default("SSO"),
+});
+
+// Validation functions from env.ts
+function validateAuthSecrets(parsed: z.infer<typeof EnvSchema>): string[] {
+	const missing: string[] = [];
+	if (parsed.AUTH_ENABLED) {
+		if (!parsed.JWT_SECRET) missing.push("JWT_SECRET");
+		if (!parsed.REFRESH_SECRET) missing.push("REFRESH_SECRET");
+		if (!parsed.COOKIE_SECRET) missing.push("COOKIE_SECRET");
+	}
+	return missing;
+}
+
+function validateOidcConfig(parsed: z.infer<typeof EnvSchema>): string[] {
+	const missing: string[] = [];
+	if (parsed.OIDC_ENABLED) {
+		if (!parsed.OIDC_ISSUER_URL) missing.push("OIDC_ISSUER_URL");
+		if (!parsed.OIDC_CLIENT_ID) missing.push("OIDC_CLIENT_ID");
+		if (!parsed.OIDC_CLIENT_SECRET) missing.push("OIDC_CLIENT_SECRET");
+		if (!parsed.OIDC_REDIRECT_URI) missing.push("OIDC_REDIRECT_URI");
+	}
+	return missing;
+}
+
+describe("EnvSchema", () => {
+	describe("default values", () => {
+		it("should use default values when env vars are empty", () => {
+			const result = EnvSchema.parse({});
+
+			expect(result.NODE_ENV).toBe("production");
+			expect(result.PORT).toBe(3000);
+			expect(result.CORS_ORIGINS).toBe("http://localhost:5173,http://localhost:4173");
+			expect(result.LOG_LEVEL).toBe("info");
+			expect(result.AUTH_ENABLED).toBe(false);
+			expect(result.REGISTRATION_ENABLED).toBe(false);
+			expect(result.ACCESS_TOKEN_TTL_MINUTES).toBe(15);
+			expect(result.REFRESH_TOKEN_TTL_DAYS).toBe(7);
+			expect(result.OIDC_ENABLED).toBe(false);
+			expect(result.OIDC_SCOPES).toBe("openid profile email");
+			expect(result.OIDC_AUTO_CREATE_USERS).toBe(true);
+			expect(result.OIDC_USERNAME_CLAIM).toBe("preferred_username");
+			expect(result.OIDC_PROVIDER_NAME).toBe("SSO");
+		});
+	});
+
+	describe("NODE_ENV validation", () => {
+		it("should accept development", () => {
+			const result = EnvSchema.parse({ NODE_ENV: "development" });
+			expect(result.NODE_ENV).toBe("development");
+		});
+
+		it("should accept production", () => {
+			const result = EnvSchema.parse({ NODE_ENV: "production" });
+			expect(result.NODE_ENV).toBe("production");
+		});
+
+		it("should accept test", () => {
+			const result = EnvSchema.parse({ NODE_ENV: "test" });
+			expect(result.NODE_ENV).toBe("test");
+		});
+
+		it("should reject invalid NODE_ENV values", () => {
+			expect(() => EnvSchema.parse({ NODE_ENV: "staging" })).toThrow();
+			expect(() => EnvSchema.parse({ NODE_ENV: "invalid" })).toThrow();
+		});
+	});
+
+	describe("PORT transformation", () => {
+		it("should transform string PORT to number", () => {
+			const result = EnvSchema.parse({ PORT: "8080" });
+			expect(result.PORT).toBe(8080);
+		});
+
+		it("should use default port when not provided", () => {
+			const result = EnvSchema.parse({});
+			expect(result.PORT).toBe(3000);
+		});
+	});
+
+	describe("boolean transformations", () => {
+		it("should transform AUTH_ENABLED=true to boolean true", () => {
+			const result = EnvSchema.parse({ AUTH_ENABLED: "true" });
+			expect(result.AUTH_ENABLED).toBe(true);
+		});
+
+		it("should transform AUTH_ENABLED=false to boolean false", () => {
+			const result = EnvSchema.parse({ AUTH_ENABLED: "false" });
+			expect(result.AUTH_ENABLED).toBe(false);
+		});
+
+		it("should treat non-true string as false", () => {
+			const result = EnvSchema.parse({ AUTH_ENABLED: "yes" });
+			expect(result.AUTH_ENABLED).toBe(false);
+		});
+
+		it("should transform REGISTRATION_ENABLED correctly", () => {
+			expect(EnvSchema.parse({ REGISTRATION_ENABLED: "true" }).REGISTRATION_ENABLED).toBe(true);
+			expect(EnvSchema.parse({ REGISTRATION_ENABLED: "false" }).REGISTRATION_ENABLED).toBe(false);
+		});
+
+		it("should transform OIDC_ENABLED correctly", () => {
+			expect(EnvSchema.parse({ OIDC_ENABLED: "true" }).OIDC_ENABLED).toBe(true);
+			expect(EnvSchema.parse({ OIDC_ENABLED: "false" }).OIDC_ENABLED).toBe(false);
+		});
+
+		it("should transform OIDC_AUTO_CREATE_USERS correctly", () => {
+			expect(EnvSchema.parse({ OIDC_AUTO_CREATE_USERS: "true" }).OIDC_AUTO_CREATE_USERS).toBe(true);
+			expect(EnvSchema.parse({ OIDC_AUTO_CREATE_USERS: "false" }).OIDC_AUTO_CREATE_USERS).toBe(false);
+		});
+	});
+
+	describe("JWT secret validation", () => {
+		it("should accept JWT_SECRET with 10+ characters", () => {
+			const result = EnvSchema.parse({ JWT_SECRET: "1234567890" });
+			expect(result.JWT_SECRET).toBe("1234567890");
+		});
+
+		it("should reject JWT_SECRET with less than 10 characters", () => {
+			expect(() => EnvSchema.parse({ JWT_SECRET: "123456789" })).toThrow();
+		});
+
+		it("should allow optional JWT_SECRET", () => {
+			const result = EnvSchema.parse({});
+			expect(result.JWT_SECRET).toBeUndefined();
+		});
+	});
+
+	describe("TTL transformations", () => {
+		it("should transform ACCESS_TOKEN_TTL_MINUTES to number", () => {
+			const result = EnvSchema.parse({ ACCESS_TOKEN_TTL_MINUTES: "30" });
+			expect(result.ACCESS_TOKEN_TTL_MINUTES).toBe(30);
+		});
+
+		it("should transform REFRESH_TOKEN_TTL_DAYS to number", () => {
+			const result = EnvSchema.parse({ REFRESH_TOKEN_TTL_DAYS: "14" });
+			expect(result.REFRESH_TOKEN_TTL_DAYS).toBe(14);
+		});
+	});
+
+	describe("OIDC URL validation", () => {
+		it("should accept valid OIDC_ISSUER_URL", () => {
+			const result = EnvSchema.parse({ OIDC_ISSUER_URL: "https://auth.example.com" });
+			expect(result.OIDC_ISSUER_URL).toBe("https://auth.example.com");
+		});
+
+		it("should reject invalid OIDC_ISSUER_URL", () => {
+			expect(() => EnvSchema.parse({ OIDC_ISSUER_URL: "not-a-url" })).toThrow();
+		});
+
+		it("should accept valid OIDC_REDIRECT_URI", () => {
+			const result = EnvSchema.parse({ OIDC_REDIRECT_URI: "https://app.example.com/callback" });
+			expect(result.OIDC_REDIRECT_URI).toBe("https://app.example.com/callback");
+		});
+
+		it("should reject invalid OIDC_REDIRECT_URI", () => {
+			expect(() => EnvSchema.parse({ OIDC_REDIRECT_URI: "invalid" })).toThrow();
+		});
+	});
+
+	describe("CORS_ORIGINS parsing", () => {
+		it("should accept comma-separated origins", () => {
+			const result = EnvSchema.parse({ CORS_ORIGINS: "http://a.com,http://b.com" });
+			expect(result.CORS_ORIGINS).toBe("http://a.com,http://b.com");
+		});
+
+		it("should accept single origin", () => {
+			const result = EnvSchema.parse({ CORS_ORIGINS: "http://localhost:3000" });
+			expect(result.CORS_ORIGINS).toBe("http://localhost:3000");
+		});
+	});
+});
+
+describe("Auth validation", () => {
+	it("should require secrets when AUTH_ENABLED=true", () => {
+		const parsed = EnvSchema.parse({ AUTH_ENABLED: "true" });
+		const missing = validateAuthSecrets(parsed);
+		expect(missing).toContain("JWT_SECRET");
+		expect(missing).toContain("REFRESH_SECRET");
+		expect(missing).toContain("COOKIE_SECRET");
+	});
+
+	it("should not require secrets when AUTH_ENABLED=false", () => {
+		const parsed = EnvSchema.parse({ AUTH_ENABLED: "false" });
+		const missing = validateAuthSecrets(parsed);
+		expect(missing).toHaveLength(0);
+	});
+
+	it("should pass validation with all secrets provided", () => {
+		const parsed = EnvSchema.parse({
+			AUTH_ENABLED: "true",
+			JWT_SECRET: "super-secret-jwt-key-12345",
+			REFRESH_SECRET: "super-secret-refresh-key-12345",
+			COOKIE_SECRET: "super-secret-cookie-key-12345",
+		});
+		const missing = validateAuthSecrets(parsed);
+		expect(missing).toHaveLength(0);
+	});
+
+	it("should identify which specific secrets are missing", () => {
+		const parsed = EnvSchema.parse({
+			AUTH_ENABLED: "true",
+			JWT_SECRET: "super-secret-jwt-key-12345",
+			// REFRESH_SECRET missing
+			COOKIE_SECRET: "super-secret-cookie-key-12345",
+		});
+		const missing = validateAuthSecrets(parsed);
+		expect(missing).toHaveLength(1);
+		expect(missing).toContain("REFRESH_SECRET");
+	});
+});
+
+describe("OIDC validation", () => {
+	it("should require all OIDC settings when OIDC_ENABLED=true", () => {
+		const parsed = EnvSchema.parse({ OIDC_ENABLED: "true" });
+		const missing = validateOidcConfig(parsed);
+		expect(missing).toContain("OIDC_ISSUER_URL");
+		expect(missing).toContain("OIDC_CLIENT_ID");
+		expect(missing).toContain("OIDC_CLIENT_SECRET");
+		expect(missing).toContain("OIDC_REDIRECT_URI");
+	});
+
+	it("should not require OIDC settings when OIDC_ENABLED=false", () => {
+		const parsed = EnvSchema.parse({ OIDC_ENABLED: "false" });
+		const missing = validateOidcConfig(parsed);
+		expect(missing).toHaveLength(0);
+	});
+
+	it("should pass validation with all OIDC settings provided", () => {
+		const parsed = EnvSchema.parse({
+			OIDC_ENABLED: "true",
+			OIDC_ISSUER_URL: "https://auth.example.com",
+			OIDC_CLIENT_ID: "my-client-id",
+			OIDC_CLIENT_SECRET: "my-client-secret",
+			OIDC_REDIRECT_URI: "https://app.example.com/callback",
+		});
+		const missing = validateOidcConfig(parsed);
+		expect(missing).toHaveLength(0);
+	});
+
+	it("should identify which specific OIDC settings are missing", () => {
+		const parsed = EnvSchema.parse({
+			OIDC_ENABLED: "true",
+			OIDC_ISSUER_URL: "https://auth.example.com",
+			OIDC_CLIENT_ID: "my-client-id",
+			// OIDC_CLIENT_SECRET missing
+			// OIDC_REDIRECT_URI missing
+		});
+		const missing = validateOidcConfig(parsed);
+		expect(missing).toHaveLength(2);
+		expect(missing).toContain("OIDC_CLIENT_SECRET");
+		expect(missing).toContain("OIDC_REDIRECT_URI");
+	});
+});
+
+describe("Full configuration scenarios", () => {
+	it("should parse minimal config (auth disabled)", () => {
+		const result = EnvSchema.parse({});
+		expect(result.AUTH_ENABLED).toBe(false);
+		expect(result.OIDC_ENABLED).toBe(false);
+	});
+
+	it("should parse full production config with auth enabled", () => {
+		const env = {
+			NODE_ENV: "production",
+			PORT: "8080",
+			CORS_ORIGINS: "https://myapp.com",
+			LOG_LEVEL: "warn",
+			AUTH_ENABLED: "true",
+			REGISTRATION_ENABLED: "false",
+			JWT_SECRET: "production-jwt-secret-key-12345",
+			REFRESH_SECRET: "production-refresh-secret-key-12345",
+			COOKIE_SECRET: "production-cookie-secret-key-12345",
+			ACCESS_TOKEN_TTL_MINUTES: "30",
+			REFRESH_TOKEN_TTL_DAYS: "14",
+		};
+
+		const result = EnvSchema.parse(env);
+
+		expect(result.NODE_ENV).toBe("production");
+		expect(result.PORT).toBe(8080);
+		expect(result.CORS_ORIGINS).toBe("https://myapp.com");
+		expect(result.LOG_LEVEL).toBe("warn");
+		expect(result.AUTH_ENABLED).toBe(true);
+		expect(result.REGISTRATION_ENABLED).toBe(false);
+		expect(result.ACCESS_TOKEN_TTL_MINUTES).toBe(30);
+		expect(result.REFRESH_TOKEN_TTL_DAYS).toBe(14);
+
+		// Should pass auth validation
+		const missing = validateAuthSecrets(result);
+		expect(missing).toHaveLength(0);
+	});
+
+	it("should parse config with OIDC SSO enabled", () => {
+		const env = {
+			AUTH_ENABLED: "true",
+			JWT_SECRET: "production-jwt-secret-key-12345",
+			REFRESH_SECRET: "production-refresh-secret-key-12345",
+			COOKIE_SECRET: "production-cookie-secret-key-12345",
+			OIDC_ENABLED: "true",
+			OIDC_ISSUER_URL: "https://authelia.example.com",
+			OIDC_CLIENT_ID: "medassist",
+			OIDC_CLIENT_SECRET: "super-secret-oidc-secret",
+			OIDC_REDIRECT_URI: "https://medassist.example.com/api/auth/oidc/callback",
+			OIDC_SCOPES: "openid profile email groups",
+			OIDC_USERNAME_CLAIM: "email",
+			OIDC_PROVIDER_NAME: "Authelia",
+		};
+
+		const result = EnvSchema.parse(env);
+
+		expect(result.OIDC_ENABLED).toBe(true);
+		expect(result.OIDC_ISSUER_URL).toBe("https://authelia.example.com");
+		expect(result.OIDC_SCOPES).toBe("openid profile email groups");
+		expect(result.OIDC_USERNAME_CLAIM).toBe("email");
+		expect(result.OIDC_PROVIDER_NAME).toBe("Authelia");
+
+		// Should pass both validations
+		expect(validateAuthSecrets(result)).toHaveLength(0);
+		expect(validateOidcConfig(result)).toHaveLength(0);
+	});
+
+	it("should parse development config", () => {
+		const env = {
+			NODE_ENV: "development",
+			PORT: "3000",
+			LOG_LEVEL: "debug",
+			AUTH_ENABLED: "false",
+		};
+
+		const result = EnvSchema.parse(env);
+
+		expect(result.NODE_ENV).toBe("development");
+		expect(result.LOG_LEVEL).toBe("debug");
+		expect(result.AUTH_ENABLED).toBe(false);
+	});
+});
@@ -0,0 +1,852 @@
+/**
+ * Tests for /export and /import API endpoints.
+ * Tests export/import functionality with schema-independent format.
+ */
+
+import { randomBytes } from "node:crypto";
+import { afterAll, beforeAll, beforeEach, describe, expect, it } from "vitest";
+import {
+	buildTestApp,
+	clearTestData,
+	closeTestApp,
+	createTestMedication,
+	createTestUser,
+	type TestContext,
+} from "./setup.js";
+
+// =============================================================================
+// Route Registration (simplified test routes)
+// =============================================================================
+
+async function registerExportRoutes(ctx: TestContext) {
+	const { app, client } = ctx;
+	const userId = 1; // Test user ID
+
+	// Helper to parse blisters from DB
+	function parseBlisters(
+		row: Record<string, unknown>
+	): Array<{ usage: number; every: number; start: string; remind: boolean }> {
+		const usage = JSON.parse((row.usage_json as string) || "[]") as number[];
+		const every = JSON.parse((row.every_json as string) || "[]") as number[];
+		const start = JSON.parse((row.start_json as string) || "[]") as string[];
+		const len = Math.min(usage.length, every.length, start.length);
+		return Array.from({ length: len }, (_, i) => ({
+			usage: usage[i],
+			every: every[i],
+			start: start[i],
+			remind: Boolean(row.intake_reminders_enabled),
+		}));
+	}
+
+	// GET /export
+	app.get<{ Querystring: { includeSensitive?: string } }>("/export", async (request, _reply) => {
+		const includeSensitive = request.query.includeSensitive === "true";
+
+		// Load medications
+		const medsResult = await client.execute({
+			sql: `SELECT * FROM medications WHERE user_id = ? ORDER BY id`,
+			args: [userId],
+		});
+
+		const medIdToExportId = new Map<number, string>();
+		const medications = medsResult.rows.map((m, i) => {
+			const exportId = `med-${i + 1}`;
+			medIdToExportId.set(m.id as number, exportId);
+			return {
+				_exportId: exportId,
+				name: m.name,
+				genericName: m.generic_name,
+				takenBy: JSON.parse((m.taken_by_json as string) || "[]"),
+				inventory: {
+					packCount: m.pack_count ?? 1,
+					blistersPerPack: m.blisters_per_pack ?? 1,
+					pillsPerBlister: m.pills_per_blister ?? 1,
+					looseTablets: m.loose_tablets ?? 0,
+				},
+				pillWeightMg: m.pill_weight_mg,
+				schedules: parseBlisters(m),
+				expiryDate: m.expiry_date,
+				notes: m.notes,
+				intakeRemindersEnabled: Boolean(m.intake_reminders_enabled),
+				image: null, // Skip images in test
+			};
+		});
+
+		// Load dose tracking
+		const dosesResult = await client.execute({
+			sql: `SELECT * FROM dose_tracking WHERE user_id = ?`,
+			args: [userId],
+		});
+
+		const doseHistory = dosesResult.rows
+			.map((d) => {
+				const parts = (d.dose_id as string).split("-");
+				if (parts.length < 3) return null;
+				const medId = parseInt(parts[0], 10);
+				const exportId = medIdToExportId.get(medId);
+				if (!exportId) return null;
+				return {
+					medicationRef: exportId,
+					scheduleIndex: parseInt(parts[1], 10),
+					scheduledTime: new Date(parseInt(parts[2], 10)).toISOString(),
+					takenAt: d.taken_at ? new Date((d.taken_at as number) * 1000).toISOString() : new Date().toISOString(),
+					markedBy: d.marked_by,
+				};
+			})
+			.filter(Boolean);
+
+		// Load settings
+		const settingsResult = await client.execute({
+			sql: `SELECT * FROM user_settings WHERE user_id = ?`,
+			args: [userId],
+		});
+
+		let settings: Record<string, unknown> | undefined;
+		if (settingsResult.rows.length > 0) {
+			const s = settingsResult.rows[0];
+			settings = {
+				emailEnabled: Boolean(s.email_enabled),
+				notificationEmail: s.notification_email,
+				emailStockReminders: Boolean(s.email_stock_reminders ?? 1),
+				emailIntakeReminders: Boolean(s.email_intake_reminders ?? 1),
+				shoutrrrEnabled: includeSensitive ? Boolean(s.shoutrrr_enabled) : undefined,
+				shoutrrrUrl: includeSensitive ? s.shoutrrr_url : undefined,
+				shoutrrrStockReminders: Boolean(s.shoutrrr_stock_reminders ?? 1),
+				shoutrrrIntakeReminders: Boolean(s.shoutrrr_intake_reminders ?? 1),
+				reminderDaysBefore: s.reminder_days_before ?? 7,
+				repeatDailyReminders: Boolean(s.repeat_daily_reminders),
+				skipRemindersForTakenDoses: Boolean(s.skip_reminders_for_taken_doses),
+				repeatRemindersEnabled: Boolean(s.repeat_reminders_enabled),
+				reminderRepeatIntervalMinutes: s.reminder_repeat_interval_minutes ?? 30,
+				maxNaggingReminders: s.max_nagging_reminders ?? 5,
+				lowStockDays: s.low_stock_days ?? 30,
+				normalStockDays: s.normal_stock_days ?? 90,
+				highStockDays: s.high_stock_days ?? 180,
+				language: s.language ?? "en",
+				stockCalculationMode: s.stock_calculation_mode ?? "automatic",
+			};
+		}
+
+		// Load share links
+		const sharesResult = await client.execute({
+			sql: `SELECT * FROM share_tokens WHERE user_id = ?`,
+			args: [userId],
+		});
+
+		const shareLinks = sharesResult.rows.map((s) => ({
+			takenBy: s.taken_by,
+			scheduleDays: s.schedule_days ?? 30,
+			expiresAt: s.expires_at ? new Date((s.expires_at as number) * 1000).toISOString() : null,
+			regenerateToken: true,
+		}));
+
+		return {
+			version: "1.0",
+			exportedAt: new Date().toISOString(),
+			includeSensitiveData: includeSensitive,
+			medications,
+			doseHistory,
+			settings,
+			shareLinks,
+		};
+	});
+
+	// POST /import
+	app.post("/import", async (request, reply) => {
+		// biome-ignore lint/suspicious/noExplicitAny: test helper with dynamic import data shape
+		const importData = request.body as any;
+
+		// Basic validation
+		if (!importData.version) {
+			return reply.status(400).send({ error: "Invalid import data format" });
+		}
+
+		// Delete existing data
+		await client.execute({ sql: `DELETE FROM dose_tracking WHERE user_id = ?`, args: [userId] });
+		await client.execute({ sql: `DELETE FROM share_tokens WHERE user_id = ?`, args: [userId] });
+		await client.execute({ sql: `DELETE FROM medications WHERE user_id = ?`, args: [userId] });
+		await client.execute({ sql: `DELETE FROM user_settings WHERE user_id = ?`, args: [userId] });
+
+		// Import medications
+		const exportIdToNewId = new Map<string, number>();
+		for (const med of importData.medications || []) {
+			const usageJson = JSON.stringify(
+				((med.schedules as Array<Record<string, unknown>>) || []).map((s: Record<string, unknown>) => s.usage)
+			);
+			const everyJson = JSON.stringify(
+				((med.schedules as Array<Record<string, unknown>>) || []).map((s: Record<string, unknown>) => s.every)
+			);
+			const startJson = JSON.stringify(
+				((med.schedules as Array<Record<string, unknown>>) || []).map((s: Record<string, unknown>) => s.start)
+			);
+			const takenByJson = JSON.stringify(med.takenBy || []);
+
+			const result = await client.execute({
+				sql: `INSERT INTO medications (
+          user_id, name, generic_name, taken_by_json,
+          pack_count, blisters_per_pack, pills_per_blister, loose_tablets,
+          pill_weight_mg, expiry_date, notes, intake_reminders_enabled,
+          usage_json, every_json, start_json
+        ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?) RETURNING id`,
+				args: [
+					userId,
+					med.name,
+					med.genericName || null,
+					takenByJson,
+					med.inventory?.packCount ?? 1,
+					med.inventory?.blistersPerPack ?? 1,
+					med.inventory?.pillsPerBlister ?? 1,
+					med.inventory?.looseTablets ?? 0,
+					med.pillWeightMg ?? null,
+					med.expiryDate || null,
+					med.notes || null,
+					med.intakeRemindersEnabled ? 1 : 0,
+					usageJson,
+					everyJson,
+					startJson,
+				],
+			});
+
+			exportIdToNewId.set(med._exportId, result.rows[0].id as number);
+		}
+
+		// Import dose history
+		for (const dose of importData.doseHistory || []) {
+			const newMedId = exportIdToNewId.get(dose.medicationRef);
+			if (!newMedId) continue;
+
+			const timestampMs = new Date(dose.scheduledTime).getTime();
+			const doseId = `${newMedId}-${dose.scheduleIndex}-${timestampMs}`;
+
+			await client.execute({
+				sql: `INSERT INTO dose_tracking (user_id, dose_id, taken_at, marked_by) VALUES (?, ?, ?, ?)`,
+				args: [userId, doseId, Math.floor(new Date(dose.takenAt).getTime() / 1000), dose.markedBy || null],
+			});
+		}
+
+		// Import settings
+		if (importData.settings) {
+			const s = importData.settings;
+			await client.execute({
+				sql: `INSERT INTO user_settings (
+          user_id, email_enabled, notification_email,
+          email_stock_reminders, email_intake_reminders,
+          shoutrrr_enabled, shoutrrr_url,
+          shoutrrr_stock_reminders, shoutrrr_intake_reminders,
+          reminder_days_before, repeat_daily_reminders,
+          skip_reminders_for_taken_doses, repeat_reminders_enabled,
+          reminder_repeat_interval_minutes, max_nagging_reminders,
+          low_stock_days, normal_stock_days, high_stock_days,
+          language, stock_calculation_mode
+        ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)`,
+				args: [
+					userId,
+					s.emailEnabled ? 1 : 0,
+					s.notificationEmail || null,
+					s.emailStockReminders ?? 1,
+					s.emailIntakeReminders ?? 1,
+					s.shoutrrrEnabled ? 1 : 0,
+					s.shoutrrrUrl || null,
+					s.shoutrrrStockReminders ?? 1,
+					s.shoutrrrIntakeReminders ?? 1,
+					s.reminderDaysBefore ?? 7,
+					s.repeatDailyReminders ? 1 : 0,
+					s.skipRemindersForTakenDoses ? 1 : 0,
+					s.repeatRemindersEnabled ? 1 : 0,
+					s.reminderRepeatIntervalMinutes ?? 30,
+					s.maxNaggingReminders ?? 5,
+					s.lowStockDays ?? 30,
+					s.normalStockDays ?? 90,
+					s.highStockDays ?? 180,
+					s.language ?? "en",
+					s.stockCalculationMode ?? "automatic",
+				],
+			});
+		}
+
+		// Import share links
+		for (const share of importData.shareLinks || []) {
+			const token = randomBytes(8).toString("hex");
+			await client.execute({
+				sql: `INSERT INTO share_tokens (user_id, token, taken_by, schedule_days, expires_at) VALUES (?, ?, ?, ?, ?)`,
+				args: [
+					userId,
+					token,
+					share.takenBy,
+					share.scheduleDays ?? 30,
+					share.expiresAt ? Math.floor(new Date(share.expiresAt).getTime() / 1000) : null,
+				],
+			});
+		}
+
+		return {
+			success: true,
+			imported: {
+				medications: (importData.medications || []).length,
+				doseHistory: (importData.doseHistory || []).length,
+				settings: importData.settings ? 1 : 0,
+				shareLinks: (importData.shareLinks || []).length,
+			},
+		};
+	});
+}
+
+// =============================================================================
+// Tests
+// =============================================================================
+
+describe("Export/Import API", () => {
+	let ctx: TestContext;
+	let userId: number;
+
+	beforeAll(async () => {
+		ctx = await buildTestApp();
+		await registerExportRoutes(ctx);
+		await ctx.app.ready();
+	});
+
+	afterAll(async () => {
+		await closeTestApp(ctx);
+	});
+
+	beforeEach(async () => {
+		await clearTestData(ctx.client);
+		await ctx.client.execute("DELETE FROM sqlite_sequence WHERE name='users'");
+		await ctx.client.execute("DELETE FROM sqlite_sequence WHERE name='medications'");
+		userId = await createTestUser(ctx.client, { username: "testuser" });
+	});
+
+	// ---------------------------------------------------------------------------
+	// GET /export
+	// ---------------------------------------------------------------------------
+
+	describe("GET /export", () => {
+		it("should export empty data for new user", async () => {
+			const response = await ctx.app.inject({
+				method: "GET",
+				url: "/export",
+			});
+
+			expect(response.statusCode).toBe(200);
+			const data = response.json();
+			expect(data.version).toBe("1.0");
+			expect(data.exportedAt).toBeDefined();
+			expect(data.medications).toEqual([]);
+			expect(data.doseHistory).toEqual([]);
+			expect(data.shareLinks).toEqual([]);
+		});
+
+		it("should export medications with correct format", async () => {
+			const startDate = "2025-01-15T08:00:00.000Z";
+			await createTestMedication(ctx.client, {
+				userId,
+				name: "Aspirin",
+				genericName: "Acetylsalicylic acid",
+				takenBy: ["Daniel", "Maria"],
+				packCount: 2,
+				blistersPerPack: 3,
+				pillsPerBlister: 10,
+				looseTablets: 5,
+				pillWeightMg: 500,
+				expiryDate: "2027-06-30",
+				notes: "Take with food",
+				intakeRemindersEnabled: true,
+				blisters: [
+					{ usage: 1, every: 1, start: startDate },
+					{ usage: 0.5, every: 7, start: startDate },
+				],
+			});
+
+			const response = await ctx.app.inject({
+				method: "GET",
+				url: "/export",
+			});
+
+			expect(response.statusCode).toBe(200);
+			const data = response.json();
+			expect(data.medications).toHaveLength(1);
+
+			const med = data.medications[0];
+			expect(med._exportId).toBe("med-1");
+			expect(med.name).toBe("Aspirin");
+			expect(med.genericName).toBe("Acetylsalicylic acid");
+			expect(med.takenBy).toEqual(["Daniel", "Maria"]);
+			expect(med.inventory).toEqual({
+				packCount: 2,
+				blistersPerPack: 3,
+				pillsPerBlister: 10,
+				looseTablets: 5,
+			});
+			expect(med.pillWeightMg).toBe(500);
+			expect(med.expiryDate).toBe("2027-06-30");
+			expect(med.notes).toBe("Take with food");
+			expect(med.intakeRemindersEnabled).toBe(true);
+			expect(med.schedules).toHaveLength(2);
+			expect(med.schedules[0]).toEqual({
+				usage: 1,
+				every: 1,
+				start: startDate,
+				remind: true,
+			});
+		});
+
+		it("should export settings", async () => {
+			// Create settings
+			await ctx.client.execute({
+				sql: `INSERT INTO user_settings (
+          user_id, email_enabled, notification_email, language, low_stock_days
+        ) VALUES (?, 1, 'test@example.com', 'de', 14)`,
+				args: [userId],
+			});
+
+			const response = await ctx.app.inject({
+				method: "GET",
+				url: "/export",
+			});
+
+			expect(response.statusCode).toBe(200);
+			const data = response.json();
+			expect(data.settings).toBeDefined();
+			expect(data.settings.emailEnabled).toBe(true);
+			expect(data.settings.notificationEmail).toBe("test@example.com");
+			expect(data.settings.language).toBe("de");
+			expect(data.settings.lowStockDays).toBe(14);
+		});
+
+		it("should exclude sensitive data by default", async () => {
+			await ctx.client.execute({
+				sql: `INSERT INTO user_settings (
+          user_id, shoutrrr_enabled, shoutrrr_url
+        ) VALUES (?, 1, 'ntfy://user:pass@ntfy.sh/topic')`,
+				args: [userId],
+			});
+
+			const response = await ctx.app.inject({
+				method: "GET",
+				url: "/export",
+			});
+
+			expect(response.statusCode).toBe(200);
+			const data = response.json();
+			expect(data.includeSensitiveData).toBe(false);
+			expect(data.settings.shoutrrrEnabled).toBeUndefined();
+			expect(data.settings.shoutrrrUrl).toBeUndefined();
+		});
+
+		it("should include sensitive data when requested", async () => {
+			await ctx.client.execute({
+				sql: `INSERT INTO user_settings (
+          user_id, shoutrrr_enabled, shoutrrr_url
+        ) VALUES (?, 1, 'ntfy://user:pass@ntfy.sh/topic')`,
+				args: [userId],
+			});
+
+			const response = await ctx.app.inject({
+				method: "GET",
+				url: "/export?includeSensitive=true",
+			});
+
+			expect(response.statusCode).toBe(200);
+			const data = response.json();
+			expect(data.includeSensitiveData).toBe(true);
+			expect(data.settings.shoutrrrEnabled).toBe(true);
+			expect(data.settings.shoutrrrUrl).toBe("ntfy://user:pass@ntfy.sh/topic");
+		});
+
+		it("should export dose history with medication references", async () => {
+			const medId = await createTestMedication(ctx.client, {
+				userId,
+				name: "Test Med",
+			});
+
+			// Create dose tracking entry
+			const timestampMs = Date.now();
+			const doseId = `${medId}-0-${timestampMs}`;
+			await ctx.client.execute({
+				sql: `INSERT INTO dose_tracking (user_id, dose_id, taken_at) VALUES (?, ?, ?)`,
+				args: [userId, doseId, Math.floor(Date.now() / 1000)],
+			});
+
+			const response = await ctx.app.inject({
+				method: "GET",
+				url: "/export",
+			});
+
+			expect(response.statusCode).toBe(200);
+			const data = response.json();
+			expect(data.doseHistory).toHaveLength(1);
+			expect(data.doseHistory[0].medicationRef).toBe("med-1");
+			expect(data.doseHistory[0].scheduleIndex).toBe(0);
+			expect(data.doseHistory[0].scheduledTime).toBeDefined();
+			expect(data.doseHistory[0].takenAt).toBeDefined();
+		});
+
+		it("should export share links", async () => {
+			await ctx.client.execute({
+				sql: `INSERT INTO share_tokens (user_id, token, taken_by, schedule_days) VALUES (?, ?, ?, ?)`,
+				args: [userId, "abc123", "Daniel", 30],
+			});
+
+			const response = await ctx.app.inject({
+				method: "GET",
+				url: "/export",
+			});
+
+			expect(response.statusCode).toBe(200);
+			const data = response.json();
+			expect(data.shareLinks).toHaveLength(1);
+			expect(data.shareLinks[0].takenBy).toBe("Daniel");
+			expect(data.shareLinks[0].scheduleDays).toBe(30);
+			expect(data.shareLinks[0].regenerateToken).toBe(true);
+		});
+	});
+
+	// ---------------------------------------------------------------------------
+	// POST /import
+	// ---------------------------------------------------------------------------
+
+	describe("POST /import", () => {
+		it("should import medications", async () => {
+			const importData = {
+				version: "1.0",
+				exportedAt: new Date().toISOString(),
+				medications: [
+					{
+						_exportId: "med-1",
+						name: "Imported Med",
+						genericName: "Generic",
+						takenBy: ["Alice"],
+						inventory: {
+							packCount: 2,
+							blistersPerPack: 3,
+							pillsPerBlister: 10,
+							looseTablets: 5,
+						},
+						pillWeightMg: 250,
+						schedules: [{ usage: 1, every: 1, start: "2025-01-15T08:00:00.000Z", remind: true }],
+						expiryDate: "2027-12-31",
+						notes: "Test notes",
+						intakeRemindersEnabled: true,
+					},
+				],
+				doseHistory: [],
+				shareLinks: [],
+			};
+
+			const response = await ctx.app.inject({
+				method: "POST",
+				url: "/import",
+				payload: importData,
+			});
+
+			expect(response.statusCode).toBe(200);
+			expect(response.json().success).toBe(true);
+			expect(response.json().imported.medications).toBe(1);
+
+			// Verify in database
+			const result = await ctx.client.execute({
+				sql: `SELECT * FROM medications WHERE user_id = ?`,
+				args: [userId],
+			});
+			expect(result.rows).toHaveLength(1);
+			expect(result.rows[0].name).toBe("Imported Med");
+			expect(result.rows[0].generic_name).toBe("Generic");
+			expect(result.rows[0].pack_count).toBe(2);
+			expect(result.rows[0].blisters_per_pack).toBe(3);
+			expect(result.rows[0].pills_per_blister).toBe(10);
+			expect(result.rows[0].loose_tablets).toBe(5);
+		});
+
+		it("should replace existing data on import", async () => {
+			// Create existing medication
+			await createTestMedication(ctx.client, {
+				userId,
+				name: "Existing Med",
+			});
+
+			const importData = {
+				version: "1.0",
+				exportedAt: new Date().toISOString(),
+				medications: [
+					{
+						_exportId: "med-1",
+						name: "New Med",
+						schedules: [{ usage: 1, every: 1, start: "2025-01-15T08:00:00.000Z" }],
+					},
+				],
+				doseHistory: [],
+				shareLinks: [],
+			};
+
+			await ctx.app.inject({
+				method: "POST",
+				url: "/import",
+				payload: importData,
+			});
+
+			// Verify old med deleted, new one exists
+			const result = await ctx.client.execute({
+				sql: `SELECT * FROM medications WHERE user_id = ?`,
+				args: [userId],
+			});
+			expect(result.rows).toHaveLength(1);
+			expect(result.rows[0].name).toBe("New Med");
+		});
+
+		it("should import dose history with remapped IDs", async () => {
+			const importData = {
+				version: "1.0",
+				exportedAt: new Date().toISOString(),
+				medications: [
+					{
+						_exportId: "med-1",
+						name: "Med 1",
+						schedules: [{ usage: 1, every: 1, start: "2025-01-15T08:00:00.000Z" }],
+					},
+				],
+				doseHistory: [
+					{
+						medicationRef: "med-1",
+						scheduleIndex: 0,
+						scheduledTime: "2025-01-15T08:00:00.000Z",
+						takenAt: "2025-01-15T08:15:00.000Z",
+						markedBy: null,
+					},
+				],
+				shareLinks: [],
+			};
+
+			await ctx.app.inject({
+				method: "POST",
+				url: "/import",
+				payload: importData,
+			});
+
+			// Verify dose tracking
+			const doses = await ctx.client.execute({
+				sql: `SELECT * FROM dose_tracking WHERE user_id = ?`,
+				args: [userId],
+			});
+			expect(doses.rows).toHaveLength(1);
+			// Dose ID should contain the NEW medication ID
+			const doseId = doses.rows[0].dose_id as string;
+			expect(doseId).toMatch(/^\d+-0-\d+$/);
+		});
+
+		it("should import settings", async () => {
+			const importData = {
+				version: "1.0",
+				exportedAt: new Date().toISOString(),
+				medications: [],
+				doseHistory: [],
+				settings: {
+					emailEnabled: true,
+					notificationEmail: "imported@example.com",
+					language: "de",
+					lowStockDays: 14,
+					normalStockDays: 60,
+					highStockDays: 120,
+				},
+				shareLinks: [],
+			};
+
+			await ctx.app.inject({
+				method: "POST",
+				url: "/import",
+				payload: importData,
+			});
+
+			// Verify settings
+			const settings = await ctx.client.execute({
+				sql: `SELECT * FROM user_settings WHERE user_id = ?`,
+				args: [userId],
+			});
+			expect(settings.rows).toHaveLength(1);
+			expect(settings.rows[0].email_enabled).toBe(1);
+			expect(settings.rows[0].notification_email).toBe("imported@example.com");
+			expect(settings.rows[0].language).toBe("de");
+			expect(settings.rows[0].low_stock_days).toBe(14);
+		});
+
+		it("should import share links with new tokens", async () => {
+			const importData = {
+				version: "1.0",
+				exportedAt: new Date().toISOString(),
+				medications: [],
+				doseHistory: [],
+				shareLinks: [
+					{
+						takenBy: "Daniel",
+						scheduleDays: 60,
+						regenerateToken: true,
+					},
+				],
+			};
+
+			await ctx.app.inject({
+				method: "POST",
+				url: "/import",
+				payload: importData,
+			});
+
+			// Verify share token
+			const shares = await ctx.client.execute({
+				sql: `SELECT * FROM share_tokens WHERE user_id = ?`,
+				args: [userId],
+			});
+			expect(shares.rows).toHaveLength(1);
+			expect(shares.rows[0].taken_by).toBe("Daniel");
+			expect(shares.rows[0].schedule_days).toBe(60);
+			expect(shares.rows[0].token).toBeDefined();
+			expect((shares.rows[0].token as string).length).toBe(16); // 8 bytes = 16 hex chars
+		});
+
+		it("should reject invalid import data", async () => {
+			const response = await ctx.app.inject({
+				method: "POST",
+				url: "/import",
+				payload: { invalid: "data" },
+			});
+
+			expect(response.statusCode).toBe(400);
+			expect(response.json().error).toBe("Invalid import data format");
+		});
+	});
+
+	// ---------------------------------------------------------------------------
+	// Export/Import Roundtrip Tests
+	// ---------------------------------------------------------------------------
+
+	describe("Export/Import Roundtrip", () => {
+		it("should preserve all data through export/import cycle", async () => {
+			// Setup: Create medications, doses, settings, shares
+			const startDate = "2025-01-15T08:00:00.000Z";
+			const medId = await createTestMedication(ctx.client, {
+				userId,
+				name: "Roundtrip Med",
+				genericName: "Generic Name",
+				takenBy: ["Daniel", "Maria"],
+				packCount: 2,
+				blistersPerPack: 3,
+				pillsPerBlister: 10,
+				looseTablets: 5,
+				pillWeightMg: 500,
+				expiryDate: "2027-06-30",
+				notes: "Test notes",
+				intakeRemindersEnabled: true,
+				blisters: [
+					{ usage: 1, every: 1, start: startDate },
+					{ usage: 0.5, every: 7, start: startDate },
+				],
+			});
+
+			// Create dose
+			const timestampMs = new Date(startDate).getTime();
+			const doseId = `${medId}-0-${timestampMs}`;
+			await ctx.client.execute({
+				sql: `INSERT INTO dose_tracking (user_id, dose_id, taken_at, marked_by) VALUES (?, ?, ?, ?)`,
+				args: [userId, doseId, Math.floor(Date.now() / 1000), "Daniel"],
+			});
+
+			// Create settings
+			await ctx.client.execute({
+				sql: `INSERT INTO user_settings (user_id, email_enabled, notification_email, language, low_stock_days) VALUES (?, 1, 'test@example.com', 'de', 14)`,
+				args: [userId],
+			});
+
+			// Create share
+			await ctx.client.execute({
+				sql: `INSERT INTO share_tokens (user_id, token, taken_by, schedule_days) VALUES (?, ?, ?, ?)`,
+				args: [userId, "original123", "Daniel", 60],
+			});
+
+			// Export
+			const exportResponse = await ctx.app.inject({
+				method: "GET",
+				url: "/export",
+			});
+			expect(exportResponse.statusCode).toBe(200);
+			const exportData = exportResponse.json();
+
+			// Import (this replaces all data)
+			const importResponse = await ctx.app.inject({
+				method: "POST",
+				url: "/import",
+				payload: exportData,
+			});
+			expect(importResponse.statusCode).toBe(200);
+
+			// Export again and compare
+			const reExportResponse = await ctx.app.inject({
+				method: "GET",
+				url: "/export",
+			});
+			const reExportData = reExportResponse.json();
+
+			// Compare (excluding timestamps and IDs that change)
+			expect(reExportData.medications).toHaveLength(1);
+			expect(reExportData.medications[0].name).toBe("Roundtrip Med");
+			expect(reExportData.medications[0].genericName).toBe("Generic Name");
+			expect(reExportData.medications[0].takenBy).toEqual(["Daniel", "Maria"]);
+			expect(reExportData.medications[0].inventory).toEqual({
+				packCount: 2,
+				blistersPerPack: 3,
+				pillsPerBlister: 10,
+				looseTablets: 5,
+			});
+			expect(reExportData.medications[0].schedules).toHaveLength(2);
+
+			expect(reExportData.doseHistory).toHaveLength(1);
+			expect(reExportData.doseHistory[0].markedBy).toBe("Daniel");
+
+			expect(reExportData.settings.emailEnabled).toBe(true);
+			expect(reExportData.settings.notificationEmail).toBe("test@example.com");
+			expect(reExportData.settings.language).toBe("de");
+
+			expect(reExportData.shareLinks).toHaveLength(1);
+			expect(reExportData.shareLinks[0].takenBy).toBe("Daniel");
+		});
+
+		it("should handle import with different schema (backward compatibility)", async () => {
+			// Simulate import from older version without some fields
+			const importData = {
+				version: "1.0",
+				exportedAt: new Date().toISOString(),
+				medications: [
+					{
+						_exportId: "med-1",
+						name: "Legacy Med",
+						// Missing: genericName, takenBy, pillWeightMg, etc.
+						inventory: {
+							packCount: 1,
+							blistersPerPack: 1,
+							pillsPerBlister: 10,
+							looseTablets: 0,
+						},
+						schedules: [{ usage: 1, every: 1, start: "2025-01-15T08:00:00.000Z" }],
+					},
+				],
+				doseHistory: [],
+				// Missing: settings, shareLinks
+			};
+
+			const response = await ctx.app.inject({
+				method: "POST",
+				url: "/import",
+				payload: importData,
+			});
+
+			expect(response.statusCode).toBe(200);
+			expect(response.json().success).toBe(true);
+
+			// Verify defaults were applied
+			const result = await ctx.client.execute({
+				sql: `SELECT * FROM medications WHERE user_id = ?`,
+				args: [userId],
+			});
+			expect(result.rows[0].name).toBe("Legacy Med");
+			expect(result.rows[0].generic_name).toBeNull();
+			expect(result.rows[0].taken_by_json).toBe("[]");
+		});
+	});
+});
@@ -0,0 +1,671 @@
+/**
+ * Tests for /medications API endpoints.
+ * Tests CRUD operations for medications.
+ */
+import { afterAll, beforeAll, beforeEach, describe, expect, it } from "vitest";
+import {
+	buildTestApp,
+	clearTestData,
+	closeTestApp,
+	createTestMedication,
+	createTestUser,
+	type TestContext,
+} from "./setup.js";
+
+// =============================================================================
+// Route Registration
+// =============================================================================
+
+async function registerMedicationRoutes(ctx: TestContext) {
+	const { app, client } = ctx;
+
+	// GET /medications - List all medications
+	app.get("/medications", async (_request, _reply) => {
+		const userId = 1;
+
+		const result = await client.execute({
+			sql: `SELECT * FROM medications WHERE user_id = ? ORDER BY name`,
+			args: [userId],
+		});
+
+		return result.rows.map((m) => ({
+			id: m.id,
+			name: m.name,
+			genericName: m.generic_name,
+			takenBy: JSON.parse((m.taken_by_json as string) || "[]"),
+			packCount: m.pack_count,
+			blistersPerPack: m.blisters_per_pack,
+			pillsPerBlister: m.pills_per_blister,
+			looseTablets: m.loose_tablets,
+			pillWeightMg: m.pill_weight_mg,
+			imageUrl: m.image_url,
+			expiryDate: m.expiry_date,
+			notes: m.notes,
+			intakeRemindersEnabled: Boolean(m.intake_reminders_enabled),
+			blisters: (() => {
+				const usage: number[] = JSON.parse((m.usage_json as string) || "[]");
+				const every: number[] = JSON.parse((m.every_json as string) || "[]");
+				const start: string[] = JSON.parse((m.start_json as string) || "[]");
+				return usage.map((u, i) => ({
+					usage: u,
+					every: every[i] || 1,
+					start: start[i] || new Date().toISOString(),
+				}));
+			})(),
+		}));
+	});
+
+	// POST /medications - Create medication
+	app.post<{
+		Body: {
+			name: string;
+			genericName?: string;
+			takenBy?: string[];
+			packCount?: number;
+			blistersPerPack?: number;
+			pillsPerBlister?: number;
+			looseTablets?: number;
+			pillWeightMg?: number;
+			expiryDate?: string;
+			notes?: string;
+			intakeRemindersEnabled?: boolean;
+			blisters: Array<{ usage: number; every: number; start: string }>;
+		};
+	}>("/medications", async (request, reply) => {
+		const userId = 1;
+		const body = request.body || {};
+
+		// Validation
+		if (!body.name || body.name.length === 0) {
+			return reply.status(400).send({ error: "Name is required" });
+		}
+		if (body.name.length > 100) {
+			return reply.status(400).send({ error: "Name must be 100 characters or less" });
+		}
+		if (!body.blisters || body.blisters.length === 0) {
+			return reply.status(400).send({ error: "At least one intake schedule is required" });
+		}
+		if (body.blisters.length > 12) {
+			return reply.status(400).send({ error: "Maximum 12 intake schedules allowed" });
+		}
+
+		const usageJson = JSON.stringify(body.blisters.map((b) => b.usage));
+		const everyJson = JSON.stringify(body.blisters.map((b) => b.every));
+		const startJson = JSON.stringify(body.blisters.map((b) => b.start));
+		const takenByJson = JSON.stringify(body.takenBy || []);
+
+		const result = await client.execute({
+			sql: `INSERT INTO medications (
+        user_id, name, generic_name, taken_by_json,
+        pack_count, blisters_per_pack, pills_per_blister, loose_tablets,
+        pill_weight_mg, expiry_date, notes, intake_reminders_enabled,
+        usage_json, every_json, start_json
+      ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?) RETURNING id`,
+			args: [
+				userId,
+				body.name,
+				body.genericName || null,
+				takenByJson,
+				body.packCount ?? 1,
+				body.blistersPerPack ?? 1,
+				body.pillsPerBlister ?? 1,
+				body.looseTablets ?? 0,
+				body.pillWeightMg ?? null,
+				body.expiryDate || null,
+				body.notes || null,
+				body.intakeRemindersEnabled ? 1 : 0,
+				usageJson,
+				everyJson,
+				startJson,
+			],
+		});
+
+		return { id: result.rows[0].id, success: true };
+	});
+
+	// PUT /medications/:id - Update medication
+	app.put<{
+		Params: { id: string };
+		Body: {
+			name: string;
+			genericName?: string;
+			takenBy?: string[];
+			packCount?: number;
+			blistersPerPack?: number;
+			pillsPerBlister?: number;
+			looseTablets?: number;
+			pillWeightMg?: number;
+			expiryDate?: string;
+			notes?: string;
+			intakeRemindersEnabled?: boolean;
+			blisters: Array<{ usage: number; every: number; start: string }>;
+		};
+	}>("/medications/:id", async (request, reply) => {
+		const userId = 1;
+		const medId = parseInt(request.params.id, 10);
+		const body = request.body || {};
+
+		// Check ownership
+		const existing = await client.execute({
+			sql: `SELECT id FROM medications WHERE id = ? AND user_id = ?`,
+			args: [medId, userId],
+		});
+
+		if (existing.rows.length === 0) {
+			return reply.status(404).send({ error: "Medication not found" });
+		}
+
+		// Validation
+		if (!body.name || body.name.length === 0) {
+			return reply.status(400).send({ error: "Name is required" });
+		}
+		if (!body.blisters || body.blisters.length === 0) {
+			return reply.status(400).send({ error: "At least one intake schedule is required" });
+		}
+
+		const usageJson = JSON.stringify(body.blisters.map((b) => b.usage));
+		const everyJson = JSON.stringify(body.blisters.map((b) => b.every));
+		const startJson = JSON.stringify(body.blisters.map((b) => b.start));
+		const takenByJson = JSON.stringify(body.takenBy || []);
+
+		await client.execute({
+			sql: `UPDATE medications SET
+        name = ?, generic_name = ?, taken_by_json = ?,
+        pack_count = ?, blisters_per_pack = ?, pills_per_blister = ?, loose_tablets = ?,
+        pill_weight_mg = ?, expiry_date = ?, notes = ?, intake_reminders_enabled = ?,
+        usage_json = ?, every_json = ?, start_json = ?,
+        updated_at = strftime('%s','now')
+      WHERE id = ? AND user_id = ?`,
+			args: [
+				body.name,
+				body.genericName || null,
+				takenByJson,
+				body.packCount ?? 1,
+				body.blistersPerPack ?? 1,
+				body.pillsPerBlister ?? 1,
+				body.looseTablets ?? 0,
+				body.pillWeightMg ?? null,
+				body.expiryDate || null,
+				body.notes || null,
+				body.intakeRemindersEnabled ? 1 : 0,
+				usageJson,
+				everyJson,
+				startJson,
+				medId,
+				userId,
+			],
+		});
+
+		return { success: true };
+	});
+
+	// DELETE /medications/:id - Delete medication
+	app.delete<{ Params: { id: string } }>("/medications/:id", async (request, reply) => {
+		const userId = 1;
+		const medId = parseInt(request.params.id, 10);
+
+		// Check ownership
+		const existing = await client.execute({
+			sql: `SELECT id FROM medications WHERE id = ? AND user_id = ?`,
+			args: [medId, userId],
+		});
+
+		if (existing.rows.length === 0) {
+			return reply.status(404).send({ error: "Medication not found" });
+		}
+
+		await client.execute({
+			sql: `DELETE FROM medications WHERE id = ? AND user_id = ?`,
+			args: [medId, userId],
+		});
+
+		return { success: true };
+	});
+
+	// GET /medications/:id - Get single medication
+	app.get<{ Params: { id: string } }>("/medications/:id", async (request, reply) => {
+		const userId = 1;
+		const medId = parseInt(request.params.id, 10);
+
+		const result = await client.execute({
+			sql: `SELECT * FROM medications WHERE id = ? AND user_id = ?`,
+			args: [medId, userId],
+		});
+
+		if (result.rows.length === 0) {
+			return reply.status(404).send({ error: "Medication not found" });
+		}
+
+		const m = result.rows[0];
+		return {
+			id: m.id,
+			name: m.name,
+			genericName: m.generic_name,
+			takenBy: JSON.parse((m.taken_by_json as string) || "[]"),
+			packCount: m.pack_count,
+			blistersPerPack: m.blisters_per_pack,
+			pillsPerBlister: m.pills_per_blister,
+			looseTablets: m.loose_tablets,
+			pillWeightMg: m.pill_weight_mg,
+			imageUrl: m.image_url,
+			expiryDate: m.expiry_date,
+			notes: m.notes,
+			intakeRemindersEnabled: Boolean(m.intake_reminders_enabled),
+			blisters: (() => {
+				const usage: number[] = JSON.parse((m.usage_json as string) || "[]");
+				const every: number[] = JSON.parse((m.every_json as string) || "[]");
+				const start: string[] = JSON.parse((m.start_json as string) || "[]");
+				return usage.map((u, i) => ({
+					usage: u,
+					every: every[i] || 1,
+					start: start[i] || new Date().toISOString(),
+				}));
+			})(),
+		};
+	});
+}
+
+// =============================================================================
+// Tests
+// =============================================================================
+
+describe("Medications API", () => {
+	let ctx: TestContext;
+	let userId: number;
+
+	beforeAll(async () => {
+		ctx = await buildTestApp();
+		await registerMedicationRoutes(ctx);
+		await ctx.app.ready();
+	});
+
+	afterAll(async () => {
+		await closeTestApp(ctx);
+	});
+
+	beforeEach(async () => {
+		await clearTestData(ctx.client);
+		await ctx.client.execute("DELETE FROM sqlite_sequence WHERE name='users'");
+		await ctx.client.execute("DELETE FROM sqlite_sequence WHERE name='medications'");
+		userId = await createTestUser(ctx.client, { username: "testuser" });
+	});
+
+	// ---------------------------------------------------------------------------
+	// GET /medications
+	// ---------------------------------------------------------------------------
+
+	describe("GET /medications", () => {
+		it("should return empty array when no medications", async () => {
+			const response = await ctx.app.inject({
+				method: "GET",
+				url: "/medications",
+			});
+
+			expect(response.statusCode).toBe(200);
+			expect(response.json()).toEqual([]);
+		});
+
+		it("should return list of medications", async () => {
+			await createTestMedication(ctx.client, {
+				userId,
+				name: "Aspirin",
+				genericName: "Acetylsalicylic acid",
+				takenBy: ["Daniel"],
+				packCount: 2,
+				pillsPerBlister: 10,
+			});
+			await createTestMedication(ctx.client, {
+				userId,
+				name: "Ibuprofen",
+			});
+
+			const response = await ctx.app.inject({
+				method: "GET",
+				url: "/medications",
+			});
+
+			expect(response.statusCode).toBe(200);
+			const data = response.json();
+			expect(data).toHaveLength(2);
+			// Sorted by name
+			expect(data[0].name).toBe("Aspirin");
+			expect(data[0].genericName).toBe("Acetylsalicylic acid");
+			expect(data[0].takenBy).toEqual(["Daniel"]);
+			expect(data[1].name).toBe("Ibuprofen");
+		});
+
+		it("should return medication with all fields", async () => {
+			const startDate = "2025-01-01T08:00:00.000Z";
+			await createTestMedication(ctx.client, {
+				userId,
+				name: "Test Med",
+				genericName: "Generic Name",
+				takenBy: ["Person1", "Person2"],
+				packCount: 3,
+				blistersPerPack: 2,
+				pillsPerBlister: 14,
+				looseTablets: 5,
+				pillWeightMg: 500,
+				blisters: [
+					{ usage: 1, every: 1, start: startDate },
+					{ usage: 2, every: 2, start: startDate },
+				],
+			});
+
+			const response = await ctx.app.inject({
+				method: "GET",
+				url: "/medications",
+			});
+
+			expect(response.statusCode).toBe(200);
+			const [med] = response.json();
+			expect(med.name).toBe("Test Med");
+			expect(med.genericName).toBe("Generic Name");
+			expect(med.takenBy).toEqual(["Person1", "Person2"]);
+			expect(med.packCount).toBe(3);
+			expect(med.blistersPerPack).toBe(2);
+			expect(med.pillsPerBlister).toBe(14);
+			expect(med.looseTablets).toBe(5);
+			expect(med.pillWeightMg).toBe(500);
+			expect(med.blisters).toHaveLength(2);
+			expect(med.blisters[0]).toEqual({ usage: 1, every: 1, start: startDate });
+			expect(med.blisters[1]).toEqual({ usage: 2, every: 2, start: startDate });
+		});
+	});
+
+	// ---------------------------------------------------------------------------
+	// POST /medications
+	// ---------------------------------------------------------------------------
+
+	describe("POST /medications", () => {
+		it("should create a medication", async () => {
+			const response = await ctx.app.inject({
+				method: "POST",
+				url: "/medications",
+				payload: {
+					name: "New Med",
+					blisters: [{ usage: 1, every: 1, start: "2025-01-01T08:00:00.000Z" }],
+				},
+			});
+
+			expect(response.statusCode).toBe(200);
+			const data = response.json();
+			expect(data.success).toBe(true);
+			expect(data.id).toBeDefined();
+
+			// Verify in database
+			const result = await ctx.client.execute({
+				sql: `SELECT name FROM medications WHERE id = ?`,
+				args: [data.id],
+			});
+			expect(result.rows[0].name).toBe("New Med");
+		});
+
+		it("should create medication with all fields", async () => {
+			const response = await ctx.app.inject({
+				method: "POST",
+				url: "/medications",
+				payload: {
+					name: "Full Med",
+					genericName: "Generic",
+					takenBy: ["Alice", "Bob"],
+					packCount: 2,
+					blistersPerPack: 3,
+					pillsPerBlister: 10,
+					looseTablets: 5,
+					pillWeightMg: 250,
+					expiryDate: "2026-12-31",
+					notes: "Take with food",
+					intakeRemindersEnabled: true,
+					blisters: [
+						{ usage: 1, every: 1, start: "2025-01-01T08:00:00.000Z" },
+						{ usage: 2, every: 1, start: "2025-01-01T20:00:00.000Z" },
+					],
+				},
+			});
+
+			expect(response.statusCode).toBe(200);
+
+			// Verify
+			const medId = response.json().id;
+			const result = await ctx.client.execute({
+				sql: `SELECT * FROM medications WHERE id = ?`,
+				args: [medId],
+			});
+			const med = result.rows[0];
+			expect(med.name).toBe("Full Med");
+			expect(med.generic_name).toBe("Generic");
+			expect(JSON.parse(med.taken_by_json as string)).toEqual(["Alice", "Bob"]);
+			expect(med.pack_count).toBe(2);
+			expect(med.blisters_per_pack).toBe(3);
+			expect(med.pills_per_blister).toBe(10);
+			expect(med.loose_tablets).toBe(5);
+			expect(med.pill_weight_mg).toBe(250);
+			expect(med.expiry_date).toBe("2026-12-31");
+			expect(med.notes).toBe("Take with food");
+			expect(med.intake_reminders_enabled).toBe(1);
+		});
+
+		it("should reject request without name", async () => {
+			const response = await ctx.app.inject({
+				method: "POST",
+				url: "/medications",
+				payload: {
+					blisters: [{ usage: 1, every: 1, start: "2025-01-01T08:00:00.000Z" }],
+				},
+			});
+
+			expect(response.statusCode).toBe(400);
+			expect(response.json().error).toBe("Name is required");
+		});
+
+		it("should reject request without blisters", async () => {
+			const response = await ctx.app.inject({
+				method: "POST",
+				url: "/medications",
+				payload: {
+					name: "Test",
+					blisters: [],
+				},
+			});
+
+			expect(response.statusCode).toBe(400);
+			expect(response.json().error).toBe("At least one intake schedule is required");
+		});
+
+		it("should reject name over 100 characters", async () => {
+			const response = await ctx.app.inject({
+				method: "POST",
+				url: "/medications",
+				payload: {
+					name: "A".repeat(101),
+					blisters: [{ usage: 1, every: 1, start: "2025-01-01T08:00:00.000Z" }],
+				},
+			});
+
+			expect(response.statusCode).toBe(400);
+			expect(response.json().error).toBe("Name must be 100 characters or less");
+		});
+
+		it("should reject more than 12 blisters", async () => {
+			const response = await ctx.app.inject({
+				method: "POST",
+				url: "/medications",
+				payload: {
+					name: "Test",
+					blisters: Array(13).fill({ usage: 1, every: 1, start: "2025-01-01T08:00:00.000Z" }),
+				},
+			});
+
+			expect(response.statusCode).toBe(400);
+			expect(response.json().error).toBe("Maximum 12 intake schedules allowed");
+		});
+	});
+
+	// ---------------------------------------------------------------------------
+	// PUT /medications/:id
+	// ---------------------------------------------------------------------------
+
+	describe("PUT /medications/:id", () => {
+		it("should update a medication", async () => {
+			const medId = await createTestMedication(ctx.client, {
+				userId,
+				name: "Old Name",
+			});
+
+			const response = await ctx.app.inject({
+				method: "PUT",
+				url: `/medications/${medId}`,
+				payload: {
+					name: "New Name",
+					blisters: [{ usage: 2, every: 1, start: "2025-01-01T08:00:00.000Z" }],
+				},
+			});
+
+			expect(response.statusCode).toBe(200);
+			expect(response.json()).toEqual({ success: true });
+
+			// Verify
+			const result = await ctx.client.execute({
+				sql: `SELECT name, usage_json FROM medications WHERE id = ?`,
+				args: [medId],
+			});
+			expect(result.rows[0].name).toBe("New Name");
+			expect(JSON.parse(result.rows[0].usage_json as string)).toEqual([2]);
+		});
+
+		it("should return 404 for non-existent medication", async () => {
+			const response = await ctx.app.inject({
+				method: "PUT",
+				url: "/medications/99999",
+				payload: {
+					name: "Test",
+					blisters: [{ usage: 1, every: 1, start: "2025-01-01T08:00:00.000Z" }],
+				},
+			});
+
+			expect(response.statusCode).toBe(404);
+			expect(response.json().error).toBe("Medication not found");
+		});
+
+		it("should not update medication of another user", async () => {
+			// Create another user
+			const otherUserId = await createTestUser(ctx.client, { username: "other" });
+			const medId = await createTestMedication(ctx.client, {
+				userId: otherUserId,
+				name: "Other Med",
+			});
+
+			const response = await ctx.app.inject({
+				method: "PUT",
+				url: `/medications/${medId}`,
+				payload: {
+					name: "Hacked",
+					blisters: [{ usage: 1, every: 1, start: "2025-01-01T08:00:00.000Z" }],
+				},
+			});
+
+			expect(response.statusCode).toBe(404);
+		});
+	});
+
+	// ---------------------------------------------------------------------------
+	// DELETE /medications/:id
+	// ---------------------------------------------------------------------------
+
+	describe("DELETE /medications/:id", () => {
+		it("should delete a medication", async () => {
+			const medId = await createTestMedication(ctx.client, {
+				userId,
+				name: "To Delete",
+			});
+
+			const response = await ctx.app.inject({
+				method: "DELETE",
+				url: `/medications/${medId}`,
+			});
+
+			expect(response.statusCode).toBe(200);
+			expect(response.json()).toEqual({ success: true });
+
+			// Verify deleted
+			const result = await ctx.client.execute({
+				sql: `SELECT COUNT(*) as count FROM medications WHERE id = ?`,
+				args: [medId],
+			});
+			expect(result.rows[0].count).toBe(0);
+		});
+
+		it("should return 404 for non-existent medication", async () => {
+			const response = await ctx.app.inject({
+				method: "DELETE",
+				url: "/medications/99999",
+			});
+
+			expect(response.statusCode).toBe(404);
+		});
+	});
+
+	// ---------------------------------------------------------------------------
+	// GET /medications/:id
+	// ---------------------------------------------------------------------------
+
+	describe("GET /medications/:id", () => {
+		it("should return single medication", async () => {
+			const medId = await createTestMedication(ctx.client, {
+				userId,
+				name: "Single Med",
+				genericName: "Generic",
+				takenBy: ["Daniel"],
+			});
+
+			const response = await ctx.app.inject({
+				method: "GET",
+				url: `/medications/${medId}`,
+			});
+
+			expect(response.statusCode).toBe(200);
+			const data = response.json();
+			expect(data.id).toBe(medId);
+			expect(data.name).toBe("Single Med");
+			expect(data.genericName).toBe("Generic");
+			expect(data.takenBy).toEqual(["Daniel"]);
+		});
+
+		it("should return 404 for non-existent medication", async () => {
+			const response = await ctx.app.inject({
+				method: "GET",
+				url: "/medications/99999",
+			});
+
+			expect(response.statusCode).toBe(404);
+		});
+	});
+
+	// ---------------------------------------------------------------------------
+	// Stock Calculation Tests
+	// ---------------------------------------------------------------------------
+
+	describe("Stock Calculation", () => {
+		it("should calculate total pills correctly", async () => {
+			await createTestMedication(ctx.client, {
+				userId,
+				name: "Stock Test",
+				packCount: 2,
+				blistersPerPack: 3,
+				pillsPerBlister: 10,
+				looseTablets: 5,
+			});
+
+			const response = await ctx.app.inject({
+				method: "GET",
+				url: "/medications",
+			});
+
+			const [med] = response.json();
+			// Total = (2 packs × 3 blisters × 10 pills) + 5 loose = 65
+			const totalPills = med.packCount * med.blistersPerPack * med.pillsPerBlister + med.looseTablets;
+			expect(totalPills).toBe(65);
+		});
+	});
+});
@@ -0,0 +1,151 @@
+import cookie from "@fastify/cookie";
+import Fastify from "fastify";
+import { afterEach, describe, expect, it, vi } from "vitest";
+
+type OidcMocks = {
+	discovery: ReturnType<typeof vi.fn>;
+	buildAuthorizationUrl: ReturnType<typeof vi.fn>;
+};
+
+async function buildOidcApp(envOverrides: Record<string, unknown>) {
+	vi.resetModules();
+
+	const env = {
+		OIDC_ENABLED: true,
+		OIDC_ISSUER_URL: "https://issuer.example.com",
+		OIDC_CLIENT_ID: "medassist-client",
+		OIDC_CLIENT_SECRET: "medassist-client-secret",
+		OIDC_REDIRECT_URI: "https://app.example.com/api/auth/oidc/callback",
+		OIDC_SCOPES: "openid profile email",
+		OIDC_AUTO_CREATE_USERS: true,
+		OIDC_USERNAME_CLAIM: "preferred_username",
+		OIDC_PROVIDER_NAME: "SSO",
+		NODE_ENV: "test",
+		CORS_ORIGINS: "http://localhost:5173",
+		ACCESS_TOKEN_TTL_MINUTES: 15,
+		REFRESH_TOKEN_TTL_DAYS: 7,
+		...envOverrides,
+	};
+
+	vi.doMock("../plugins/env.js", () => ({ env }));
+
+	vi.doMock("../db/client.js", () => ({
+		db: {
+			select: vi.fn(() => ({ from: vi.fn(() => ({ where: vi.fn().mockResolvedValue([]) })) })),
+			insert: vi.fn(() => ({
+				values: vi.fn(() => ({ returning: vi.fn().mockResolvedValue([{ id: 1, username: "sso-user" }]) })),
+			})),
+			update: vi.fn(() => ({ set: vi.fn(() => ({ where: vi.fn().mockResolvedValue(undefined) })) })),
+		},
+	}));
+
+	const discovery = vi.fn().mockResolvedValue({ issuer: "https://issuer.example.com" });
+	const buildAuthorizationUrl = vi.fn().mockImplementation((_cfg, params) => {
+		const state = typeof params?.state === "string" ? params.state : "state";
+		return new URL(`https://issuer.example.com/authorize?state=${state}`);
+	});
+
+	vi.doMock("openid-client", () => ({
+		discovery,
+		buildAuthorizationUrl,
+		authorizationCodeGrant: vi.fn(),
+		fetchUserInfo: vi.fn(),
+	}));
+
+	const { oidcRoutes } = await import("../routes/oidc.js");
+
+	const app = Fastify({ logger: false });
+	await app.register(cookie, { secret: "test-cookie-secret" });
+	app.decorate("config", {
+		accessSecret: "test-jwt-secret-12345",
+		refreshSecret: "test-refresh-secret-12345",
+		accessTtl: 15 * 60,
+		refreshTtl: 7 * 24 * 60 * 60,
+		cookieOptions: { httpOnly: true, sameSite: "lax", secure: false, path: "/" },
+		refreshCookieOptions: { httpOnly: true, sameSite: "lax", secure: false, path: "/auth" },
+	});
+	await app.register(oidcRoutes);
+	await app.ready();
+
+	return {
+		app,
+		mocks: { discovery, buildAuthorizationUrl } as OidcMocks,
+	};
+}
+
+afterEach(() => {
+	vi.restoreAllMocks();
+});
+
+describe("OIDC routes", () => {
+	it("returns 400 on login and callback when oidc is disabled", async () => {
+		const { app } = await buildOidcApp({ OIDC_ENABLED: false });
+		try {
+			const login = await app.inject({ method: "GET", url: "/auth/oidc/login" });
+			const callback = await app.inject({ method: "GET", url: "/auth/oidc/callback" });
+
+			expect(login.statusCode).toBe(400);
+			expect(callback.statusCode).toBe(400);
+		} finally {
+			await app.close();
+		}
+	});
+
+	it("redirects to provider and sets PKCE cookies on /auth/oidc/login", async () => {
+		const { app, mocks } = await buildOidcApp({ OIDC_ENABLED: true });
+		try {
+			const res = await app.inject({ method: "GET", url: "/auth/oidc/login" });
+
+			expect(res.statusCode).toBe(302);
+			expect(res.headers.location).toContain("https://issuer.example.com/authorize");
+			expect(res.cookies.some((c) => c.name === "oidc_code_verifier")).toBe(true);
+			expect(res.cookies.some((c) => c.name === "oidc_state")).toBe(true);
+			expect(mocks.discovery).toHaveBeenCalledTimes(1);
+			expect(mocks.buildAuthorizationUrl).toHaveBeenCalledTimes(1);
+		} finally {
+			await app.close();
+		}
+	});
+
+	it("redirects with provider error when callback contains error params", async () => {
+		const { app } = await buildOidcApp({ OIDC_ENABLED: true });
+		try {
+			const res = await app.inject({
+				method: "GET",
+				url: "/auth/oidc/callback?error=access_denied&error_description=user_cancelled",
+			});
+
+			expect(res.statusCode).toBe(302);
+			expect(res.headers.location).toBe("http://localhost:5173/?error=oidc_access_denied");
+		} finally {
+			await app.close();
+		}
+	});
+
+	it("redirects when callback is missing required params", async () => {
+		const { app } = await buildOidcApp({ OIDC_ENABLED: true });
+		try {
+			const res = await app.inject({ method: "GET", url: "/auth/oidc/callback" });
+
+			expect(res.statusCode).toBe(302);
+			expect(res.headers.location).toBe("http://localhost:5173/?error=oidc_missing_params");
+		} finally {
+			await app.close();
+		}
+	});
+
+	it("redirects when callback state validation fails", async () => {
+		const { app } = await buildOidcApp({ OIDC_ENABLED: true });
+		try {
+			const res = await app.inject({
+				method: "GET",
+				url: "/auth/oidc/callback?code=abc123&state=state123",
+			});
+
+			expect(res.statusCode).toBe(302);
+			expect(res.headers.location).toBe("http://localhost:5173/?error=oidc_state_mismatch");
+		} finally {
+			await app.close();
+		}
+	});
+});
@@ -0,0 +1,396 @@
+/**
+ * Tests for /medications/:id/refill and /medications/:id/refills API endpoints.
+ * Tests adding refills to medication stock and retrieving refill history.
+ */
+import { afterAll, beforeAll, beforeEach, describe, expect, it } from "vitest";
+import {
+	buildTestApp,
+	clearTestData,
+	closeTestApp,
+	createTestMedication,
+	createTestUser,
+	type TestContext,
+} from "./setup.js";
+
+// Store userId at module level so routes can access it
+let currentUserId = 1;
+
+// =============================================================================
+// Route Registration
+// =============================================================================
+
+async function registerRefillRoutes(ctx: TestContext) {
+	const { app, client } = ctx;
+
+	// POST /medications/:id/refill - Add stock and record history
+	app.post<{ Params: { id: string }; Body: { packsAdded?: number; loosePillsAdded?: number } }>(
+		"/medications/:id/refill",
+		async (request, reply) => {
+			const userId = currentUserId;
+			const medId = parseInt(request.params.id, 10);
+			const { packsAdded = 0, loosePillsAdded = 0 } = request.body || {};
+
+			// Validate input
+			if (packsAdded < 0 || loosePillsAdded < 0) {
+				return reply.status(400).send({ error: "packsAdded and loosePillsAdded must be non-negative" });
+			}
+			if (packsAdded === 0 && loosePillsAdded === 0) {
+				return reply
+					.status(400)
+					.send({ error: "At least one of packsAdded or loosePillsAdded must be greater than 0" });
+			}
+
+			// Check medication exists and belongs to user
+			const medResult = await client.execute({
+				sql: `SELECT id, pack_count, loose_tablets, blisters_per_pack, pills_per_blister 
+              FROM medications WHERE id = ? AND user_id = ?`,
+				args: [medId, userId],
+			});
+
+			if (medResult.rows.length === 0) {
+				return reply.status(404).send({ error: "Medication not found" });
+			}
+
+			const med = medResult.rows[0];
+			const newPackCount = (med.pack_count as number) + packsAdded;
+			const newLooseTablets = (med.loose_tablets as number) + loosePillsAdded;
+			const pillsPerPack = (med.blisters_per_pack as number) * (med.pills_per_blister as number);
+			const totalPillsAdded = packsAdded * pillsPerPack + loosePillsAdded;
+
+			// Update medication stock
+			await client.execute({
+				sql: `UPDATE medications SET pack_count = ?, loose_tablets = ? WHERE id = ?`,
+				args: [newPackCount, newLooseTablets, medId],
+			});
+
+			// Record refill history
+			await client.execute({
+				sql: `INSERT INTO refill_history (medication_id, user_id, packs_added, loose_pills_added) 
+              VALUES (?, ?, ?, ?)`,
+				args: [medId, userId, packsAdded, loosePillsAdded],
+			});
+
+			return {
+				success: true,
+				pillsAdded: totalPillsAdded,
+				newPackCount,
+				newLooseTablets,
+			};
+		}
+	);
+
+	// GET /medications/:id/refills - Get refill history
+	app.get<{ Params: { id: string } }>("/medications/:id/refills", async (request, reply) => {
+		const userId = currentUserId;
+		const medId = parseInt(request.params.id, 10);
+
+		// Check medication exists and belongs to user
+		const medResult = await client.execute({
+			sql: `SELECT id FROM medications WHERE id = ? AND user_id = ?`,
+			args: [medId, userId],
+		});
+
+		if (medResult.rows.length === 0) {
+			return reply.status(404).send({ error: "Medication not found" });
+		}
+
+		// Get refill history, newest first
+		const refillResult = await client.execute({
+			sql: `SELECT id, packs_added, loose_pills_added, refill_date 
+            FROM refill_history 
+            WHERE medication_id = ? AND user_id = ?
+            ORDER BY refill_date DESC`,
+			args: [medId, userId],
+		});
+
+		return {
+			refills: refillResult.rows.map((r) => ({
+				id: r.id,
+				packsAdded: r.packs_added,
+				loosePillsAdded: r.loose_pills_added,
+				refillDate: r.refill_date,
+			})),
+		};
+	});
+}
+
+// =============================================================================
+// Tests
+// =============================================================================
+
+describe("Refill API", () => {
+	let ctx: TestContext;
+	let userId: number;
+	let medId: number;
+
+	beforeAll(async () => {
+		ctx = await buildTestApp();
+		await registerRefillRoutes(ctx);
+		await ctx.app.ready();
+	});
+
+	afterAll(async () => {
+		await closeTestApp(ctx);
+	});
+
+	beforeEach(async () => {
+		await clearTestData(ctx.client);
+		// Create test user
+		userId = await createTestUser(ctx.client, { username: "testuser" });
+		// Update the module-level userId so routes use the correct one
+		currentUserId = userId;
+		// Create a test medication with 1 pack (10 blisters × 10 pills = 100 pills/pack)
+		medId = await createTestMedication(ctx.client, {
+			userId,
+			name: "Test Med",
+			packCount: 1,
+			blistersPerPack: 10,
+			pillsPerBlister: 10,
+			looseTablets: 5,
+		});
+	});
+
+	// ---------------------------------------------------------------------------
+	// POST /medications/:id/refill
+	// ---------------------------------------------------------------------------
+
+	describe("POST /medications/:id/refill", () => {
+		it("should add packs to medication stock", async () => {
+			const response = await ctx.app.inject({
+				method: "POST",
+				url: `/medications/${medId}/refill`,
+				payload: { packsAdded: 2 },
+			});
+
+			expect(response.statusCode).toBe(200);
+			const data = response.json();
+			expect(data.success).toBe(true);
+			expect(data.pillsAdded).toBe(200); // 2 packs × 100 pills
+			expect(data.newPackCount).toBe(3); // 1 + 2
+
+			// Verify in database
+			const result = await ctx.client.execute({
+				sql: `SELECT pack_count FROM medications WHERE id = ?`,
+				args: [medId],
+			});
+			expect(result.rows[0].pack_count).toBe(3);
+		});
+
+		it("should add loose pills to medication stock", async () => {
+			const response = await ctx.app.inject({
+				method: "POST",
+				url: `/medications/${medId}/refill`,
+				payload: { loosePillsAdded: 15 },
+			});
+
+			expect(response.statusCode).toBe(200);
+			const data = response.json();
+			expect(data.success).toBe(true);
+			expect(data.pillsAdded).toBe(15);
+			expect(data.newLooseTablets).toBe(20); // 5 + 15
+
+			// Verify in database
+			const result = await ctx.client.execute({
+				sql: `SELECT loose_tablets FROM medications WHERE id = ?`,
+				args: [medId],
+			});
+			expect(result.rows[0].loose_tablets).toBe(20);
+		});
+
+		it("should add both packs and loose pills", async () => {
+			const response = await ctx.app.inject({
+				method: "POST",
+				url: `/medications/${medId}/refill`,
+				payload: { packsAdded: 1, loosePillsAdded: 10 },
+			});
+
+			expect(response.statusCode).toBe(200);
+			const data = response.json();
+			expect(data.success).toBe(true);
+			expect(data.pillsAdded).toBe(110); // 1 pack (100) + 10 loose
+			expect(data.newPackCount).toBe(2);
+			expect(data.newLooseTablets).toBe(15);
+		});
+
+		it("should record refill in history", async () => {
+			await ctx.app.inject({
+				method: "POST",
+				url: `/medications/${medId}/refill`,
+				payload: { packsAdded: 2, loosePillsAdded: 5 },
+			});
+
+			// Check history
+			const result = await ctx.client.execute({
+				sql: `SELECT packs_added, loose_pills_added FROM refill_history WHERE medication_id = ?`,
+				args: [medId],
+			});
+			expect(result.rows.length).toBe(1);
+			expect(result.rows[0].packs_added).toBe(2);
+			expect(result.rows[0].loose_pills_added).toBe(5);
+		});
+
+		it("should reject refill with zero amounts", async () => {
+			const response = await ctx.app.inject({
+				method: "POST",
+				url: `/medications/${medId}/refill`,
+				payload: { packsAdded: 0, loosePillsAdded: 0 },
+			});
+
+			expect(response.statusCode).toBe(400);
+			expect(response.json().error).toContain("At least one");
+		});
+
+		it("should reject refill with negative amounts", async () => {
+			const response = await ctx.app.inject({
+				method: "POST",
+				url: `/medications/${medId}/refill`,
+				payload: { packsAdded: -1 },
+			});
+
+			expect(response.statusCode).toBe(400);
+			expect(response.json().error).toContain("non-negative");
+		});
+
+		it("should return 404 for non-existent medication", async () => {
+			const response = await ctx.app.inject({
+				method: "POST",
+				url: `/medications/99999/refill`,
+				payload: { packsAdded: 1 },
+			});
+
+			expect(response.statusCode).toBe(404);
+			expect(response.json().error).toBe("Medication not found");
+		});
+	});
+
+	// ---------------------------------------------------------------------------
+	// GET /medications/:id/refills
+	// ---------------------------------------------------------------------------
+
+	describe("GET /medications/:id/refills", () => {
+		it("should return empty array when no refills", async () => {
+			const response = await ctx.app.inject({
+				method: "GET",
+				url: `/medications/${medId}/refills`,
+			});
+
+			expect(response.statusCode).toBe(200);
+			expect(response.json()).toEqual({ refills: [] });
+		});
+
+		it("should return refill history newest first", async () => {
+			// Add two refills with different values so we can identify them
+			await ctx.app.inject({
+				method: "POST",
+				url: `/medications/${medId}/refill`,
+				payload: { packsAdded: 1, loosePillsAdded: 0 },
+			});
+
+			// Increase delay to ensure different timestamps (SQLite datetime has second precision)
+			await new Promise((r) => setTimeout(r, 1100));
+
+			await ctx.app.inject({
+				method: "POST",
+				url: `/medications/${medId}/refill`,
+				payload: { packsAdded: 0, loosePillsAdded: 20 },
+			});
+
+			const response = await ctx.app.inject({
+				method: "GET",
+				url: `/medications/${medId}/refills`,
+			});
+
+			expect(response.statusCode).toBe(200);
+			const data = response.json();
+			expect(data.refills).toHaveLength(2);
+
+			// Newest first (loose pills - added second)
+			expect(data.refills[0].packsAdded).toBe(0);
+			expect(data.refills[0].loosePillsAdded).toBe(20);
+
+			// Older (packs - added first)
+			expect(data.refills[1].packsAdded).toBe(1);
+			expect(data.refills[1].loosePillsAdded).toBe(0);
+
+			// Each entry should have an id and refillDate
+			for (const refill of data.refills) {
+				expect(refill.id).toBeTypeOf("number");
+				expect(refill.refillDate).toBeTruthy();
+			}
+		});
+
+		it("should return 404 for non-existent medication", async () => {
+			const response = await ctx.app.inject({
+				method: "GET",
+				url: `/medications/99999/refills`,
+			});
+
+			expect(response.statusCode).toBe(404);
+			expect(response.json().error).toBe("Medication not found");
+		});
+	});
+
+	// ---------------------------------------------------------------------------
+	// Cascade Delete Tests
+	// ---------------------------------------------------------------------------
+
+	describe("Cascade Delete", () => {
+		it("should delete refill history when medication is deleted", async () => {
+			// Add a refill
+			await ctx.app.inject({
+				method: "POST",
+				url: `/medications/${medId}/refill`,
+				payload: { packsAdded: 1 },
+			});
+
+			// Verify refill exists
+			let result = await ctx.client.execute({
+				sql: `SELECT COUNT(*) as count FROM refill_history WHERE medication_id = ?`,
+				args: [medId],
+			});
+			expect(result.rows[0].count).toBe(1);
+
+			// Delete medication
+			await ctx.client.execute({
+				sql: `DELETE FROM medications WHERE id = ?`,
+				args: [medId],
+			});
+
+			// Verify refill history was cascade deleted
+			result = await ctx.client.execute({
+				sql: `SELECT COUNT(*) as count FROM refill_history WHERE medication_id = ?`,
+				args: [medId],
+			});
+			expect(result.rows[0].count).toBe(0);
+		});
+
+		it("should delete refill history when user is deleted", async () => {
+			// Add a refill
+			await ctx.app.inject({
+				method: "POST",
+				url: `/medications/${medId}/refill`,
+				payload: { packsAdded: 1 },
+			});
+
+			// Verify refill exists
+			let result = await ctx.client.execute({
+				sql: `SELECT COUNT(*) as count FROM refill_history WHERE user_id = ?`,
+				args: [userId],
+			});
+			expect(result.rows[0].count).toBe(1);
+
+			// Delete user
+			await ctx.client.execute({
+				sql: `DELETE FROM users WHERE id = ?`,
+				args: [userId],
+			});
+
+			// Verify refill history was cascade deleted
+			result = await ctx.client.execute({
+				sql: `SELECT COUNT(*) as count FROM refill_history WHERE user_id = ?`,
+				args: [userId],
+			});
+			expect(result.rows[0].count).toBe(0);
+		});
+	});
+});
@@ -0,0 +1,422 @@
+import { dirname, resolve } from "node:path";
+import { fileURLToPath } from "node:url";
+import { migrate } from "drizzle-orm/libsql/migrator";
+import Fastify, { type FastifyInstance } from "fastify";
+import { afterAll, beforeAll, beforeEach, describe, expect, it, vi } from "vitest";
+import { runAlterMigrations } from "../db/db-utils.js";
+
+const { testClient, testDb, mockedEnv, nodemailerSendMail, fetchMock } = vi.hoisted(() => {
+	const { createClient } = require("@libsql/client");
+	const { drizzle } = require("drizzle-orm/libsql");
+	const client = createClient({ url: ":memory:" });
+	const db = drizzle(client);
+	const env = {
+		AUTH_ENABLED: false,
+		OIDC_ENABLED: false,
+		OIDC_PROVIDER_NAME: "SSO",
+		NODE_ENV: "test",
+	};
+	return {
+		testClient: client,
+		testDb: db,
+		mockedEnv: env,
+		nodemailerSendMail: vi.fn(),
+		fetchMock: vi.fn(),
+	};
+});
+
+vi.mock("../db/client.js", () => ({
+	db: testDb,
+	migrationsReady: Promise.resolve(),
+}));
+
+vi.mock("../plugins/env.js", () => ({ env: mockedEnv }));
+
+vi.mock("../plugins/auth.js", () => ({
+	requireAuth: async () => {},
+	getAnonymousUserId: async () => 1,
+}));
+
+vi.mock("nodemailer", () => ({
+	default: {
+		createTransport: () => ({
+			sendMail: nodemailerSendMail,
+		}),
+	},
+}));
+
+const { settingsRoutes, sendShoutrrrNotification } = await import("../routes/settings.js");
+const { exportRoutes } = await import("../routes/export.js");
+const { reportRoutes } = await import("../routes/report.js");
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);
+const migrationsFolder = resolve(__dirname, "../../drizzle");
+
+async function clearTables() {
+	await testClient.execute("DELETE FROM refill_history");
+	await testClient.execute("DELETE FROM dose_tracking");
+	await testClient.execute("DELETE FROM share_tokens");
+	await testClient.execute("DELETE FROM user_settings");
+	await testClient.execute("DELETE FROM medications");
+	await testClient.execute("DELETE FROM users");
+}
+
+async function seedAnonymousUser() {
+	await testClient.execute({
+		sql: "INSERT INTO users (id, username, auth_provider, is_active) VALUES (?, ?, ?, 1)",
+		args: [1, "anon", "anonymous"],
+	});
+}
+
+async function seedMedication(name = "Aspirin") {
+	const result = await testClient.execute({
+		sql: `INSERT INTO medications (
+      user_id, name, generic_name, taken_by_json, package_type,
+      pack_count, blisters_per_pack, pills_per_blister, loose_tablets,
+      usage_json, every_json, start_json, intakes_json,
+      stock_adjustment, intake_reminders_enabled
+    ) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?) RETURNING id`,
+		args: [
+			1,
+			name,
+			"Acetylsalicylic acid",
+			JSON.stringify(["Daniel"]),
+			"blister",
+			2,
+			2,
+			10,
+			3,
+			JSON.stringify([1]),
+			JSON.stringify([1]),
+			JSON.stringify(["2026-01-01T08:00:00.000Z"]),
+			JSON.stringify([
+				{ usage: 1, every: 1, start: "2026-01-01T08:00:00.000Z", takenBy: "Daniel", intakeRemindersEnabled: true },
+			]),
+			0,
+			1,
+		],
+	});
+	return result.rows[0].id as number;
+}
+
+describe("Real route coverage: settings/export/report", () => {
+	let app: FastifyInstance;
+
+	beforeAll(async () => {
+		await migrate(testDb, { migrationsFolder });
+		await runAlterMigrations(testClient);
+		app = Fastify({ logger: false });
+		await app.register(settingsRoutes);
+		await app.register(exportRoutes);
+		await app.register(reportRoutes);
+		await app.ready();
+	});
+
+	afterAll(async () => {
+		await app.close();
+		testClient.close();
+	});
+
+	beforeEach(async () => {
+		vi.clearAllMocks();
+		vi.stubGlobal("fetch", fetchMock);
+		await clearTables();
+		await seedAnonymousUser();
+		delete process.env.SMTP_HOST;
+		delete process.env.SMTP_USER;
+		delete process.env.SMTP_TOKEN;
+		delete process.env.SMTP_PASS;
+		delete process.env.SMTP_FROM;
+		delete process.env.SMTP_PORT;
+		delete process.env.SMTP_SECURE;
+	});
+
+	it("GET /settings creates defaults for anonymous user", async () => {
+		const response = await app.inject({ method: "GET", url: "/settings" });
+		expect(response.statusCode).toBe(200);
+		const body = response.json();
+		expect(body.language).toBe("en");
+		expect(body.shareStockStatus).toBe(true);
+		expect(body.upcomingTodayOnly).toBe(false);
+		expect(body.shareScheduleTodayOnly).toBe(false);
+	});
+
+	it("PUT /settings disables repeatDailyReminders when no stock reminder channel exists", async () => {
+		const response = await app.inject({
+			method: "PUT",
+			url: "/settings",
+			payload: {
+				emailEnabled: false,
+				notificationEmail: "",
+				reminderDaysBefore: 7,
+				repeatDailyReminders: true,
+				lowStockDays: 30,
+				normalStockDays: 90,
+				highStockDays: 180,
+				shoutrrrEnabled: false,
+				shoutrrrUrl: "",
+				emailStockReminders: true,
+				emailIntakeReminders: true,
+				emailPrescriptionReminders: true,
+				shoutrrrStockReminders: true,
+				shoutrrrIntakeReminders: true,
+				shoutrrrPrescriptionReminders: true,
+				skipRemindersForTakenDoses: false,
+				repeatRemindersEnabled: false,
+				reminderRepeatIntervalMinutes: 30,
+				maxNaggingReminders: 5,
+				language: "en",
+				stockCalculationMode: "automatic",
+				shareStockStatus: true,
+				upcomingTodayOnly: false,
+				shareScheduleTodayOnly: false,
+				swapDashboardMainSections: false,
+			},
+		});
+
+		expect(response.statusCode).toBe(200);
+
+		const stored = await testClient.execute({
+			sql: "SELECT repeat_daily_reminders FROM user_settings WHERE user_id = 1",
+		});
+		expect(stored.rows[0].repeat_daily_reminders).toBe(0);
+	});
+
+	it("PUT /settings/language validates supported language", async () => {
+		const response = await app.inject({
+			method: "PUT",
+			url: "/settings/language",
+			payload: { language: "fr" },
+		});
+		expect(response.statusCode).toBe(400);
+		expect(response.json().error).toBe("Invalid language");
+	});
+
+	it("POST /settings/test-email fails when SMTP is not configured", async () => {
+		const response = await app.inject({
+			method: "POST",
+			url: "/settings/test-email",
+			payload: { email: "person@example.com" },
+		});
+		expect(response.statusCode).toBe(400);
+		expect(response.json().error).toBe("SMTP not configured");
+	});
+
+	it("POST /settings/test-email sends email when SMTP is configured", async () => {
+		process.env.SMTP_HOST = "smtp.example.com";
+		process.env.SMTP_USER = "mailer@example.com";
+		process.env.SMTP_TOKEN = "secret";
+		nodemailerSendMail.mockResolvedValue(undefined);
+
+		const response = await app.inject({
+			method: "POST",
+			url: "/settings/test-email",
+			payload: { email: "person@example.com" },
+		});
+
+		expect(response.statusCode).toBe(200);
+		expect(nodemailerSendMail).toHaveBeenCalledTimes(1);
+	});
+
+	it("POST /settings/test-shoutrrr validates URL presence", async () => {
+		const response = await app.inject({
+			method: "POST",
+			url: "/settings/test-shoutrrr",
+			payload: { url: "" },
+		});
+		expect(response.statusCode).toBe(400);
+	});
+
+	it("sendShoutrrrNotification blocks localhost/private targets", async () => {
+		const result = await sendShoutrrrNotification("http://127.0.0.1/hook", "test", "message");
+		expect(result.success).toBe(false);
+		expect(result.error).toContain("not allowed");
+	});
+
+	it("sendShoutrrrNotification handles ntfy auth and safe URL reconstruction", async () => {
+		fetchMock.mockResolvedValue({ ok: true });
+
+		const result = await sendShoutrrrNotification("ntfy://user:pass@ntfy.sh/mytopic", "Title ä", "Message");
+
+		expect(result.success).toBe(true);
+		expect(fetchMock).toHaveBeenCalledWith(
+			"https://ntfy.sh/mytopic",
+			expect.objectContaining({
+				headers: expect.objectContaining({
+					Authorization: expect.stringMatching(/^Basic /),
+				}),
+				method: "POST",
+				redirect: "error",
+			})
+		);
+	});
+
+	it("sendShoutrrrNotification uses JSON payload for webhook URLs", async () => {
+		fetchMock.mockResolvedValue({ ok: true });
+		const result = await sendShoutrrrNotification("https://hooks.slack.com/services/a/b/c", "Title", "Body");
+		expect(result.success).toBe(true);
+		const call = fetchMock.mock.calls[0];
+		expect(call[1].headers["Content-Type"]).toBe("application/json");
+		expect(JSON.parse(call[1].body)).toMatchObject({ title: "Title", message: "Body" });
+	});
+
+	it("POST /medications/report-data returns 403 for meds not owned by user", async () => {
+		await seedMedication("Owned Med");
+		const response = await app.inject({
+			method: "POST",
+			url: "/medications/report-data",
+			payload: { medicationIds: [9999] },
+		});
+		expect(response.statusCode).toBe(403);
+	});
+
+	it("POST /medications/report-data aggregates doses and refills", async () => {
+		const medId = await seedMedication("Report Med");
+		await testClient.execute({
+			sql: "INSERT INTO dose_tracking (user_id, dose_id, taken_at, dismissed) VALUES (?, ?, ?, ?)",
+			args: [1, `${medId}-0-1700000000000-Daniel`, 1700000000, 0],
+		});
+		await testClient.execute({
+			sql: "INSERT INTO dose_tracking (user_id, dose_id, taken_at, dismissed) VALUES (?, ?, ?, ?)",
+			args: [1, `${medId}-0-1700000600000-Daniel`, 1700000600, 1],
+		});
+		await testClient.execute({
+			sql: "INSERT INTO refill_history (medication_id, user_id, packs_added, loose_pills_added, used_prescription, refill_date) VALUES (?, ?, ?, ?, ?, ?)",
+			args: [medId, 1, 1, 2, 1, 1700001200],
+		});
+
+		const response = await app.inject({
+			method: "POST",
+			url: "/medications/report-data",
+			payload: { medicationIds: [medId] },
+		});
+		expect(response.statusCode).toBe(200);
+		const body = response.json();
+		expect(body[medId].dosesTaken).toBe(1);
+		expect(body[medId].dosesDismissed).toBe(1);
+		expect(body[medId].refills).toHaveLength(1);
+	});
+
+	it("GET /export includes medications, settings, doseHistory and refillHistory", async () => {
+		const medId = await seedMedication("Export Med");
+		await testClient.execute({
+			sql: "INSERT INTO dose_tracking (user_id, dose_id, taken_at, marked_by) VALUES (?, ?, ?, ?)",
+			args: [1, `${medId}-0-1700000000000-Daniel`, 1700000000, "Daniel"],
+		});
+		await testClient.execute({
+			sql: "INSERT INTO refill_history (medication_id, user_id, packs_added, loose_pills_added, used_prescription, refill_date) VALUES (?, ?, ?, ?, ?, ?)",
+			args: [medId, 1, 1, 3, 0, 1700000000],
+		});
+		await testClient.execute({
+			sql: "INSERT INTO user_settings (user_id, email_enabled, notification_email, share_stock_status, language) VALUES (?, ?, ?, ?, ?)",
+			args: [1, 1, "x@example.com", 1, "de"],
+		});
+		await testClient.execute({
+			sql: "INSERT INTO share_tokens (user_id, token, taken_by, schedule_days) VALUES (?, ?, ?, ?)",
+			args: [1, "abc123", "Daniel", 30],
+		});
+
+		const response = await app.inject({
+			method: "GET",
+			url: "/export?includeSensitive=true&includeImages=false",
+		});
+		expect(response.statusCode).toBe(200);
+		const body = response.json();
+		expect(body.medications).toHaveLength(1);
+		expect(body.doseHistory).toHaveLength(1);
+		expect(body.refillHistory).toHaveLength(1);
+		expect(body.settings.language).toBe("de");
+		expect(body.shareLinks).toHaveLength(1);
+	});
+
+	it("POST /import validates payload and imports minimal valid structure", async () => {
+		const invalid = await app.inject({
+			method: "POST",
+			url: "/import",
+			payload: { foo: "bar" },
+		});
+		expect(invalid.statusCode).toBe(400);
+
+		const validImport = {
+			version: "1.1",
+			exportedAt: new Date().toISOString(),
+			includeSensitiveData: false,
+			medications: [
+				{
+					_exportId: "med-1",
+					name: "Imported Med",
+					genericName: null,
+					takenBy: ["Daniel"],
+					inventory: {
+						packCount: 1,
+						blistersPerPack: 1,
+						pillsPerBlister: 10,
+						totalPills: null,
+						looseTablets: 0,
+						stockAdjustment: 0,
+						packageType: "blister",
+					},
+					pillWeightMg: null,
+					doseUnit: "mg",
+					schedules: [{ usage: 1, every: 1, start: "2026-01-01T08:00:00.000Z", remind: false, takenBy: "Daniel" }],
+					medicationStartDate: "",
+					expiryDate: null,
+					notes: null,
+					intakeRemindersEnabled: false,
+					isObsolete: false,
+					obsoleteAt: null,
+					prescriptionEnabled: false,
+					prescriptionAuthorizedRefills: null,
+					prescriptionRemainingRefills: null,
+					prescriptionLowRefillThreshold: 1,
+					prescriptionExpiryDate: null,
+					dismissedUntil: null,
+					image: null,
+					lastStockCorrectionAt: null,
+				},
+			],
+			doseHistory: [],
+			refillHistory: [],
+			settings: {
+				emailEnabled: false,
+				notificationEmail: null,
+				emailStockReminders: true,
+				emailIntakeReminders: true,
+				emailPrescriptionReminders: true,
+				shoutrrrEnabled: false,
+				shoutrrrUrl: null,
+				shoutrrrStockReminders: true,
+				shoutrrrIntakeReminders: true,
+				shoutrrrPrescriptionReminders: true,
+				reminderDaysBefore: 7,
+				repeatDailyReminders: false,
+				skipRemindersForTakenDoses: false,
+				repeatRemindersEnabled: false,
+				reminderRepeatIntervalMinutes: 30,
+				maxNaggingReminders: 5,
+				lowStockDays: 30,
+				normalStockDays: 90,
+				highStockDays: 180,
+				expiryWarningDays: 30,
+				language: "en",
+				stockCalculationMode: "automatic",
+				shareStockStatus: true,
+			},
+			shareLinks: [],
+		};
+
+		const valid = await app.inject({
+			method: "POST",
+			url: "/import",
+			payload: validImport,
+		});
+		expect(valid.statusCode).toBe(200);
+		expect(valid.json().imported.medications).toBe(1);
+
+		const rows = await testClient.execute({
+			sql: "SELECT name FROM medications WHERE user_id = 1",
+		});
+		expect(rows.rows[0].name).toBe("Imported Med");
+	});
+});
--- a/Show More
+++ b/Show More
				`@@ -0,0 +1 @@`
				ALTER TABLE `medications` ADD `stock_adjustment` integer DEFAULT 0 NOT NULL;
				`@@ -0,0 +1 @@`
				ALTER TABLE `medications` ADD `last_stock_correction_at` integer;
				`@@ -0,0 +1 @@`
				ALTER TABLE `user_settings` ADD `share_stock_status` integer DEFAULT true NOT NULL;
				`@@ -0,0 +1 @@`
				ALTER TABLE `medications` ADD `medication_start_date` text DEFAULT '' NOT NULL;
				`@@ -0,0 +1 @@`
				ALTER TABLE `dose_tracking` ADD `taken_source` text DEFAULT 'manual' NOT NULL;