chore: release v1.16.1 (#326)

* fix: support core shoutrrr provider schemes

* fix(ci): resolve backend lint failures and harden shoutrrr URL handling

* fix(codeql): mark validated gotify target as intentional external call

* fix(codeql): route gotify scheme through validated webhook sink

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -7,6 +7,10 @@ body:
       value: |
         Thanks for taking the time to report a bug! Please fill out the sections below.
 
+        Before submitting, please reproduce the issue on the latest released version.
+        Even better: verify it on the current `main` image/tag.
+        The issue may already be fixed in newer builds.
+
   - type: textarea
     id: description
     attributes:
@@ -57,6 +61,18 @@ body:
     validations:
       required: true
 
+  - type: textarea
+    id: version_info
+    attributes:
+      label: Version / Image Information
+      description: Provide the app version and, if using Docker, the exact image tag you are running.
+      placeholder: |
+        App version (Settings -> About): vX.Y.Z
+        Docker image tag (if applicable): latest or main
+        Tag guidance: use `latest` for the newest release, or `main` for the newest changes from the main branch (`main` is always as new as or newer than `latest`).
+    validations:
+      required: true
+
   - type: input
     id: browser
     attributes:

.github/agents/release-manager.agent.md

@@ -13,6 +13,7 @@ You are the release manager for **MedAssist-ng**. Your job is to guide code from
 ## Critical Safety Rules
 
 - **NEVER release, tag, push, or create PRs without explicit user confirmation at each step.** Always present your plan and wait for approval.
+- **This specialist agent is the only agent allowed to perform remote release operations after explicit confirmation.**
 - **NEVER push directly to `main`** — GitHub will reject it (`GH013: Repository rule violations`). All changes go through Pull Requests.
 - **NEVER skip CI checks.** Wait for all status checks to pass before merging.
 - **Testing ownership belongs to `@testing-manager`**. Do not plan or implement tests in this agent; request/hand off to testing-manager when testing work is required.
@@ -48,12 +49,11 @@ This repository intentionally uses only two operational agents for CI/CD handoff
 
 - Never use `gh` commands that can open an interactive pager and block execution (requiring `q`).
 - Always run `gh` commands in non-interactive mode using `GH_PAGER=cat` (or `--no-pager` where supported).
-- Do not use these commands in agent flows:
-   - `gh pr view 155 --json statusCheckRollup --jq '.statusCheckRollup[] | {name:.name,conclusion:.conclusion,detailsUrl:.detailsUrl,workflowName:.workflowName}'`
-   - `SHA=$(gh pr view 155 --json headRefOid --jq .headRefOid) && gh api repos/DanielVolz/medassist-ng/commits/$SHA/check-runs --jq '.check_runs[] | {name,conclusion,details_url,html_url,app:.app.name}'`
-- Use safe variants instead:
+- Avoid hardcoded PR/repo examples in instructions; always use parameterized placeholders.
+- Use safe command patterns:
    - `GH_PAGER=cat gh pr view <PR_NUMBER> --json statusCheckRollup --jq '<jq-filter>'`
-   - `GH_PAGER=cat gh api repos/<owner>/<repo>/commits/<sha>/check-runs --jq '<jq-filter>'`
+   - `SHA=$(GH_PAGER=cat gh pr view <PR_NUMBER> --json headRefOid --jq .headRefOid)`
+   - `GH_PAGER=cat gh api repos/<owner>/<repo>/commits/$SHA/check-runs --jq '<jq-filter>'`
 
 ---
 

.github/agents/testing-manager.agent.md

@@ -15,6 +15,8 @@ You are the testing manager for **MedAssist-ng**. Your job is to ensure every fe
 - **Tests are mandatory**: Every new feature and every bug fix MUST have corresponding tests.
 - **Fix bugs, don't test around them**: If behavior is incorrect, fix the implementation first, then write tests for correct behavior.
 - **Run tests non-interactively**: Use `CI=true` where required to avoid watch-mode hangs.
+- **Playwright must disable auto-open reports**: Always prefix Playwright runs with `PLAYWRIGHT_HTML_OPEN=never`.
+- **Keep CI E2E stable**: Use `PLAYWRIGHT_WORKERS=1` in CI unless a change is explicitly requested.
 - **Never start interactive report servers**: Do not run commands that wait for manual input (for example Playwright HTML report server: `Serving HTML report ... Press Ctrl+C to quit`). Always use finite, non-interactive commands and reporters.
 - **No remote git operations**: Do not push, merge, create PRs, tags, or releases. Hand over to `@release-manager` when ready.
 - **Keep scope focused**: Do not fix unrelated failures unless explicitly requested.
@@ -66,8 +68,9 @@ cd frontend && npm run build
 ### Playwright E2E
 
 ```bash
-cd frontend && npm run test:e2e
-cd frontend && npm run test:e2e -- --project=chromium
+cd frontend && PLAYWRIGHT_HTML_OPEN=never npm run test:e2e
+cd frontend && PLAYWRIGHT_HTML_OPEN=never PLAYWRIGHT_WORKERS=4 npm run test:e2e:local
+cd frontend && PLAYWRIGHT_HTML_OPEN=never npm run test:e2e -- --project=chromium
 # Never use interactive UI/headed/report-server commands in agent runs.
 # Do not use: npm run test:e2e:ui, npm run test:e2e:headed, npx playwright show-report
 ```

.github/copilot-instructions.md

@@ -1,77 +1,13 @@
-# MedAssist-ng - AI Coding Instructions
+# MedAssist-ng - Copilot Entry Point
 
-## Purpose
+Use `AGENTS.md` as the single source of truth for all governance, workflow, and skill rules.
 
-Use `AGENTS.md` as the canonical governance source. Read the referenced skill files before starting any task.
+## Required Startup Steps
 
-## Project Orientation (Read First)
+1. Read `AGENTS.md` first.
+2. Identify triggered skills from `AGENTS.md` and read each referenced `SKILL.md` before making changes.
+3. Follow delegation boundaries exactly (`@testing-manager` for testing, `@release-manager` for release orchestration).
 
-- **Product**: MedAssist-ng is a medication planner with stock tracking, reminders (email/push), refill history, and schedule sharing.
-- **Tech stack**: React + TypeScript + Vite (`frontend/`), Fastify + TypeScript + Drizzle + SQLite (`backend/`).
-- **Request path**: Frontend uses `/api/*` only; backend route handlers live in `backend/src/routes/`.
-- **Primary backend modules**:
-	- Auth/SSO: `backend/src/routes/auth.ts`, `backend/src/routes/oidc.ts`, `backend/src/plugins/auth.ts`
-	- Medications/data: `backend/src/routes/medications.ts`, `backend/src/db/schema.ts`
-	- Reminders: `backend/src/services/reminder-scheduler.ts`, `backend/src/routes/planner.ts`, `backend/src/routes/settings.ts`
-- **Primary frontend modules**:
-	- Pages: `frontend/src/pages/`
-	- Shared app state: `frontend/src/context/AppContext.tsx`
-	- Domain hooks: `frontend/src/hooks/`
-	- Translations: `frontend/src/i18n/en.json`, `frontend/src/i18n/de.json`
+## Scope
 
-Use this orientation for quick navigation before applying the rules below.
-
-## Always-On Rules
-
-- English only for project artifacts.
-- **NEVER run remote git commands** — no `git push`, no `gh pr create/merge`, no `gh release`, no `git tag`. Prepare locally, then hand off to `@release-manager`.
-- Testing work belongs to `@testing-manager`.
-- PR/release/CI orchestration belongs to `@release-manager`.
-- Keep changes local, focused, and consistent with existing UI/API patterns.
-- **Hard PR scope + size rule**: one cohesive objective per PR; if scope drifts or diff becomes large (target <= 500 changed lines, hard split at ~800+), split into logical follow-up PRs instead of bundling.
-- Remove obsolete code when re-implementing — never leave dead code behind.
-- **Document behavioral discoveries**: When you discover or clarify how a feature works (e.g., what triggers notifications, how thresholds interact, which code paths exist), **always** add or update the relevant section in `doku/APP_BEHAVIOR.md`. This is mandatory — do not rely on conversation context alone.
-
-## MedAssist Essentials
-
-- Frontend calls backend through `/api/*`.
-- DB changes must stay backward-compatible (schema default + alter migration + null-safe reads).
-
----
-
-## Skills (MANDATORY — read before every task)
-
-Before starting any task, identify which skills apply and **read their full SKILL.md file** for detailed rules.
-
-| Skill | Trigger | File |
-|---|---|---|
-| **Architecture Guard** | API endpoints, frontend API calls, routing, code placement | `.github/skills/medassist-architecture-guard/SKILL.md` |
-| **DB Compatibility** | Persisted data, schema changes, migrations | `.github/skills/medassist-db-compat-check/SKILL.md` |
-| **i18n Enforcer** ⚠️ | Any user-facing text in frontend or backend | `.github/skills/medassist-i18n-enforcer/SKILL.md` |
-| **UI Consistency** | UI flows, modals, buttons, forms, settings | `.github/skills/medassist-ui-consistency/SKILL.md` |
-| **Frontend Polish** | Visual quality improvements | `.github/skills/medassist-frontend-polish/SKILL.md` |
-| **Security Sanity** | Backend routes, auth, file handling, external input | `.github/skills/medassist-security-sanity/SKILL.md` |
-| **Observability Guard** | Services, schedulers, startup, failure handling | `.github/skills/medassist-observability-guard/SKILL.md` |
-| **Config Change Guard** | `.env`, Docker, Vite proxy, runtime defaults | `.github/skills/medassist-config-change-guard/SKILL.md` |
-| **Doc Sync Guard** | Behavior changes, setup, env vars, workflows | `.github/skills/medassist-doc-sync-guard/SKILL.md` |
-| **Testing Handoff** | Writing/running tests, CI test failures | `.github/skills/medassist-testing-handoff/SKILL.md` |
-| **Release Handoff** | Branch push, PR, merge, tagging, release | `.github/skills/medassist-release-handoff/SKILL.md` |
-| **Skill Quality Review** | Creating/modifying skills | `.github/skills/medassist-skill-quality-review/SKILL.md` |
-
-### Non-negotiable parity rules (always apply)
-
-1. **Desktop + Mobile Parity**: Medication edit has two paths — `MedicationsPage.tsx` (desktop) and `MobileEditModal` (mobile). **Always update BOTH**.
-2. **Notification Dual Code Paths**: Notifications have two code paths — `backend/src/services/reminder-scheduler.ts` (scheduler) and `backend/src/routes/planner.ts` (manual). **Always update BOTH**.
-
----
-
-## Delegation
-
-- **Testing handoff → `@testing-manager`**: test planning, writing, execution, CI test triage.
-- **Release handoff → `@release-manager`**: PR/release orchestration, merge flow, workflow monitoring.
-
-## Key References
-
-- Canonical governance: `AGENTS.md`
-- Skill files: `.github/skills/*/SKILL.md`
-- Specialist agents: `.github/agents/testing-manager.agent.md`, `.github/agents/release-manager.agent.md`
+This file intentionally stays minimal to prevent duplicated or conflicting instructions.

.github/skills/README.md

@@ -13,7 +13,7 @@ Use one governance source to avoid duplicated or conflicting policy text.
 
 ## Skills
 
-- `medassist-karpathy-core` — enforce assumption clarity, simplicity, surgical diffs, and verifiable execution.
+- `medassist-karpathy-core` — enforce think-before-coding, simplicity-first changes, surgical diffs, and goal-driven verification.
 - `medassist-architecture-guard` — enforce frontend/backend boundary and `/api/*` data-flow conventions.
 - `medassist-db-compat-check` — enforce backward-compatible SQLite/Drizzle schema changes.
 - `medassist-i18n-enforcer` — enforce translation-key-only UI copy with EN/DE parity.

.github/skills/medassist-karpathy-core/SKILL.md

@@ -0,0 +1,69 @@
+---
+name: medassist-karpathy-core
+description: Apply assumption clarity, simplicity-first implementation, surgical diffs, and goal-driven verification for non-trivial coding tasks.
+---
+
+# Skill Instructions
+
+Use this skill as an execution style layer for implementation tasks where overengineering, broad refactors, or unclear assumptions are likely.
+
+## Use When
+
+- The request is ambiguous and assumptions must be made explicit.
+- The change can easily balloon in scope.
+- A bug fix or feature needs explicit success criteria and verification.
+- You need to keep diffs minimal and directly tied to the request.
+
+## Do Not Use When
+
+- The task is trivial and can be completed safely without extra process overhead.
+- The task is only about ownership routing (use `medassist-testing-handoff` / `medassist-release-handoff`).
+- The task is only about domain guardrails already covered by specialized skills (architecture, DB, i18n, UI, security, config, observability).
+
+## Core Principles
+
+### 1. Think Before Coding
+
+- Do not assume silently.
+- State assumptions explicitly.
+- If multiple interpretations exist, present them instead of picking one invisibly.
+- If uncertain or blocked by ambiguity, stop and ask.
+- If a simpler approach exists, call it out.
+
+### 2. Simplicity First
+
+- Implement the minimum code required to solve the asked problem.
+- Do not add speculative features, abstractions, or configurability.
+- Avoid defensive handling for impossible scenarios.
+- If the solution feels overcomplicated, simplify before finalizing.
+
+### 3. Surgical Changes
+
+- Touch only lines required for the request.
+- Do not refactor unrelated areas.
+- Match existing local style and patterns.
+- Remove only unused code introduced by your own change.
+- If unrelated dead code is discovered, mention it but do not remove it unless requested.
+
+### 4. Goal-Driven Execution
+
+- Translate requests into verifiable outcomes before implementation.
+- For multi-step tasks, define short steps with checks.
+- Verify the requested behavior explicitly before declaring done.
+
+Example execution frame:
+
+```text
+1. [Step] -> verify: [check]
+2. [Step] -> verify: [check]
+3. [Step] -> verify: [check]
+```
+
+## Response Format
+
+When this skill is used, report briefly:
+
+- Assumptions made (or clarifications requested)
+- Why the chosen approach is the simplest viable one
+- What was changed (and what was intentionally not changed)
+- Verification performed and result

.github/skills/medassist-ui-consistency/SKILL.md

@@ -26,6 +26,16 @@ Use `medassist-frontend-polish` only after these guardrails are satisfied.
 - Avoid custom inline modal/button patterns that diverge from project design.
 - Prefer extending existing CSS classes/styles instead of introducing parallel styling systems.
 
+### Modal requirements (non-negotiable)
+
+Every modal/overlay **must** follow these rules:
+
+1. **Escape key**: Call `useEscapeKey(active, onClose)` from `hooks/useEscapeKey`. This registers a document-level `keydown` listener that works regardless of focus. **Never** rely on `onKeyDown` on an overlay div — it only fires when the overlay has focus, which almost never happens.
+2. **Scroll lock**: Call `useScrollLock(active)` from `hooks/useScrollLock` if the modal is **not** already covered by App.tsx's centralized `useScrollLock` call. Page-local modals (e.g. `ReportModal`, `ExportModal`) must call it themselves.
+3. **Click-outside close**: The overlay div gets `onClick={onClose}`, and `.modal-content` gets `onClick={(e) => e.stopPropagation()}`.
+4. **Key event containment**: `.modal-content` gets `onKeyDown={(e) => { if (e.key !== "Escape") e.stopPropagation(); }}` — this prevents non-Escape keys from leaking out while still allowing Escape to propagate to the document-level handler.
+5. **Nested sub-modals** (e.g. edit-stock inside MedDetailModal): Use `useEscapeKey` with `{ capture: true }` so the innermost modal intercepts Escape before the parent's handler fires.
+
 ## Decision Heuristics
 
 1. If an equivalent component exists, reuse it.

.github/workflows/e2e.yml

@@ -50,6 +50,8 @@ jobs:
         run: npx playwright test --project=chromium
         env:
           CI: true
+          PLAYWRIGHT_WORKERS: 1
+          PLAYWRIGHT_HTML_OPEN: never
           JWT_SECRET: e2e-test-secret-that-is-long-enough
           SESSION_SECRET: e2e-test-session-secret-long-enough
 

.gitignore

@@ -79,6 +79,7 @@ Thumbs.db
 .turbo/
 .roo/
 .roomodes
+.claude/
 AGENTS.md
 docs/TECH_STACK.md
 doku

README.md

@@ -18,8 +18,8 @@
 </p>
 
 <p align="center">
-  <img src="https://img.shields.io/badge/Backend_Tests-564%2F564-brightgreen?logo=vitest" alt="Backend Tests 454/454" />
-  <img src="https://img.shields.io/badge/Frontend_Tests-777%2F777-brightgreen?logo=vitest" alt="Frontend Tests 611/611" />
+  <img src="https://img.shields.io/badge/Backend_Tests-569%2F569-brightgreen?logo=vitest" alt="Backend Tests 454/454" />
+  <img src="https://img.shields.io/badge/Frontend_Tests-771%2F771-brightgreen?logo=vitest" alt="Frontend Tests 611/611" />
 </p>
 
 ### 🤖 AI-Generated Code
@@ -250,7 +250,9 @@ Generate secrets with: `openssl rand -hex 32`
 
 MedAssist uses [Shoutrrr](https://containrrr.dev/shoutrrr/) for push notifications, supporting many services with a single URL format.
 
-**Supported services:** ntfy, Pushover, Gotify, Discord, Telegram, Slack, Matrix, and [many more](https://containrrr.dev/shoutrrr/v0.8/services/overview/).
+**Implemented URL schemes in MedAssist:** `ntfy://`, `discord://`, `pushover://`, `gotify://`, `telegram://`, plus direct `https://` webhooks.
+
+This covers common providers like ntfy, Discord, Pushover, Gotify, Telegram, Slack webhooks, and many others via webhook URLs.
 
 Configure push notifications in Settings → Push, or set defaults via environment variables:
 
@@ -288,6 +290,7 @@ Get your keys at [pushover.net](https://pushover.net/):
 **Gotify** (self-hosted):
 ```
 gotify://your-server.com/TOKEN
+gotify://your-server.com:443/path/to/gotify/TOKEN?priority=1
 ```
 
 **Discord**:
@@ -298,6 +301,7 @@ discord://TOKEN@WEBHOOK_ID
 **Telegram**:
 ```
 telegram://TOKEN@telegram?chats=CHAT_ID
+telegram://TOKEN@telegram?chats=@your_channel,-1001234567890
 ```
 
 For all services and options, see the [Shoutrrr documentation](https://containrrr.dev/shoutrrr/v0.8/services/overview/).
@@ -311,6 +315,17 @@ docker compose -f docker-compose.dev.yml up
 - Frontend: `http://localhost:5173` (hot reload)
 - Backend: `http://localhost:3000`
 
+Playwright E2E recommendations:
+
+```bash
+cd frontend
+npm run test:e2e:local      # local run with PLAYWRIGHT_WORKERS=4
+npm run test:e2e:all:local  # local all-browser run with PLAYWRIGHT_WORKERS=4
+```
+
+- CI stays at `PLAYWRIGHT_WORKERS=1` for stability.
+- Data-heavy specs remain sequential via the `chromium-data` project config.
+
 # Acknowledgements
 
 This project was inspired by [MedAssist](https://github.com/njic/medassist) by njic.

backend/package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "medassist-ng-backend",
-  "version": "1.12.0",
+  "version": "1.16.0",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "medassist-ng-backend",
-      "version": "1.12.0",
+      "version": "1.16.0",
       "dependencies": {
         "@fastify/cookie": "^11.0.2",
         "@fastify/cors": "^11.2.0",
@@ -23,12 +23,13 @@
         "fastify": "^5.7.4",
         "nodemailer": "^8.0.1",
         "openid-client": "^6.8.2",
+        "sharp": "^0.34.5",
         "zod": "^3.23.8"
       },
       "devDependencies": {
-        "@biomejs/biome": "^2.4.1",
-        "@types/node": "^25.2.3",
-        "@types/nodemailer": "^7.0.10",
+        "@biomejs/biome": "^2.4.4",
+        "@types/node": "^25.3.0",
+        "@types/nodemailer": "^7.0.11",
         "@types/supertest": "^6.0.2",
         "@vitest/coverage-v8": "^4.0.18",
         "drizzle-kit": "^0.31.9",
@@ -99,9 +100,9 @@
       }
     },
     "node_modules/@biomejs/biome": {
-      "version": "2.4.1",
-      "resolved": "https://registry.npmjs.org/@biomejs/biome/-/biome-2.4.1.tgz",
-      "integrity": "sha512-8c5DZQl1hfpLRlTZ21W5Ef2R314E4UJUEtkMbo303ElTVe6fYtapwldv7tZlgwm+9YP0Mhk7dUSTkOY8nQ2/2w==",
+      "version": "2.4.4",
+      "resolved": "https://registry.npmjs.org/@biomejs/biome/-/biome-2.4.4.tgz",
+      "integrity": "sha512-tigwWS5KfJf0cABVd52NVaXyAVv4qpUXOWJ1rxFL8xF1RVoeS2q/LK+FHgYoKMclJCuRoCWAPy1IXaN9/mS61Q==",
       "dev": true,
       "license": "MIT OR Apache-2.0",
       "bin": {
@@ -115,20 +116,20 @@
         "url": "https://opencollective.com/biome"
       },
       "optionalDependencies": {
-        "@biomejs/cli-darwin-arm64": "2.4.1",
-        "@biomejs/cli-darwin-x64": "2.4.1",
-        "@biomejs/cli-linux-arm64": "2.4.1",
-        "@biomejs/cli-linux-arm64-musl": "2.4.1",
-        "@biomejs/cli-linux-x64": "2.4.1",
-        "@biomejs/cli-linux-x64-musl": "2.4.1",
-        "@biomejs/cli-win32-arm64": "2.4.1",
-        "@biomejs/cli-win32-x64": "2.4.1"
+        "@biomejs/cli-darwin-arm64": "2.4.4",
+        "@biomejs/cli-darwin-x64": "2.4.4",
+        "@biomejs/cli-linux-arm64": "2.4.4",
+        "@biomejs/cli-linux-arm64-musl": "2.4.4",
+        "@biomejs/cli-linux-x64": "2.4.4",
+        "@biomejs/cli-linux-x64-musl": "2.4.4",
+        "@biomejs/cli-win32-arm64": "2.4.4",
+        "@biomejs/cli-win32-x64": "2.4.4"
       }
     },
     "node_modules/@biomejs/cli-darwin-arm64": {
-      "version": "2.4.1",
-      "resolved": "https://registry.npmjs.org/@biomejs/cli-darwin-arm64/-/cli-darwin-arm64-2.4.1.tgz",
-      "integrity": "sha512-wKiX2znbgFRaivRplSbu53hiREp1ohlGRuWqOL90IPetLi5E32tkiMYu8uSLXVzDgbIVM58WsesPaczIVtJkOQ==",
+      "version": "2.4.4",
+      "resolved": "https://registry.npmjs.org/@biomejs/cli-darwin-arm64/-/cli-darwin-arm64-2.4.4.tgz",
+      "integrity": "sha512-jZ+Xc6qvD6tTH5jM6eKX44dcbyNqJHssfl2nnwT6vma6B1sj7ZLTGIk6N5QwVBs5xGN52r3trk5fgd3sQ9We9A==",
       "cpu": [
         "arm64"
       ],
@@ -143,9 +144,9 @@
       }
     },
     "node_modules/@biomejs/cli-darwin-x64": {
-      "version": "2.4.1",
-      "resolved": "https://registry.npmjs.org/@biomejs/cli-darwin-x64/-/cli-darwin-x64-2.4.1.tgz",
-      "integrity": "sha512-rxLYVg3skeXh9K0om7JdkKcCdvtqrF9ECZ7dsmLuYObboK7DZ1J0z6xc2NGKSXw+cEQo3ie6NQgWBcdGJ16yQg==",
+      "version": "2.4.4",
+      "resolved": "https://registry.npmjs.org/@biomejs/cli-darwin-x64/-/cli-darwin-x64-2.4.4.tgz",
+      "integrity": "sha512-Dh1a/+W+SUCXhEdL7TiX3ArPTFCQKJTI1mGncZNWfO+6suk+gYA4lNyJcBB+pwvF49uw0pEbUS49BgYOY4hzUg==",
       "cpu": [
         "x64"
       ],
@@ -160,9 +161,9 @@
       }
     },
     "node_modules/@biomejs/cli-linux-arm64": {
-      "version": "2.4.1",
-      "resolved": "https://registry.npmjs.org/@biomejs/cli-linux-arm64/-/cli-linux-arm64-2.4.1.tgz",
-      "integrity": "sha512-nlGO5KzoEKhGj2i3QXyyNCeFk8SVwyes0wo0/X9w943darnlAHfi8MYYunPf8lsz5C0JaH6pJYB6D9HnDwUPQA==",
+      "version": "2.4.4",
+      "resolved": "https://registry.npmjs.org/@biomejs/cli-linux-arm64/-/cli-linux-arm64-2.4.4.tgz",
+      "integrity": "sha512-V/NFfbWhsUU6w+m5WYbBenlEAz8eYnSqRMDMAW3K+3v0tYVkNyZn8VU0XPxk/lOqNXLSCCrV7FmV/u3SjCBShg==",
       "cpu": [
         "arm64"
       ],
@@ -177,9 +178,9 @@
       }
     },
     "node_modules/@biomejs/cli-linux-arm64-musl": {
-      "version": "2.4.1",
-      "resolved": "https://registry.npmjs.org/@biomejs/cli-linux-arm64-musl/-/cli-linux-arm64-musl-2.4.1.tgz",
-      "integrity": "sha512-Brwh/QL3wfX5UyZcyEamS1Q+EF8Q7ud+MS5mq/9BWX2ArfxQlgsqlukwK92xrGpXWcspXkSG9U0CoxvCZZkTKQ==",
+      "version": "2.4.4",
+      "resolved": "https://registry.npmjs.org/@biomejs/cli-linux-arm64-musl/-/cli-linux-arm64-musl-2.4.4.tgz",
+      "integrity": "sha512-+sPAXq3bxmFwhVFJnSwkSF5Rw2ZAJMH3MF6C9IveAEOdSpgajPhoQhbbAK12SehN9j2QrHpk4J/cHsa/HqWaYQ==",
       "cpu": [
         "arm64"
       ],
@@ -194,9 +195,9 @@
       }
     },
     "node_modules/@biomejs/cli-linux-x64": {
-      "version": "2.4.1",
-      "resolved": "https://registry.npmjs.org/@biomejs/cli-linux-x64/-/cli-linux-x64-2.4.1.tgz",
-      "integrity": "sha512-Rmhm/mQ/3pejy1WtWLKurV1fN6zvCrqKz/ART2ZzgqY4ozL07uys5R9jA0A+yLjA79JTkcpIe85ygXv0FnSPRg==",
+      "version": "2.4.4",
+      "resolved": "https://registry.npmjs.org/@biomejs/cli-linux-x64/-/cli-linux-x64-2.4.4.tgz",
+      "integrity": "sha512-R4+ZCDtG9kHArasyBO+UBD6jr/FcFCTH8QkNTOCu0pRJzCWyWC4EtZa2AmUZB5h3e0jD7bRV2KvrENcf8rndBg==",
       "cpu": [
         "x64"
       ],
@@ -211,9 +212,9 @@
       }
     },
     "node_modules/@biomejs/cli-linux-x64-musl": {
-      "version": "2.4.1",
-      "resolved": "https://registry.npmjs.org/@biomejs/cli-linux-x64-musl/-/cli-linux-x64-musl-2.4.1.tgz",
-      "integrity": "sha512-kz1QpA+PXouNyWw2VzeoMlzMn99hlyOC/El2uSy+DS8gcb6tOsKEeZ5e2onnFIfZKe9AeKMFbTowDNLXwjwGjw==",
+      "version": "2.4.4",
+      "resolved": "https://registry.npmjs.org/@biomejs/cli-linux-x64-musl/-/cli-linux-x64-musl-2.4.4.tgz",
+      "integrity": "sha512-gGvFTGpOIQDb5CQ2VC0n9Z2UEqlP46c4aNgHmAMytYieTGEcfqhfCFnhs6xjt0S3igE6q5GLuIXtdQt3Izok+g==",
       "cpu": [
         "x64"
       ],
@@ -228,9 +229,9 @@
       }
     },
     "node_modules/@biomejs/cli-win32-arm64": {
-      "version": "2.4.1",
-      "resolved": "https://registry.npmjs.org/@biomejs/cli-win32-arm64/-/cli-win32-arm64-2.4.1.tgz",
-      "integrity": "sha512-e+PrlbQ/tez7W9EAzzCGUH1ovq31kR5r8sfCDzasrmoADLnDafet8pA8LdXnt0GwkeOem5Hz6WHCVZPRmaXiXw==",
+      "version": "2.4.4",
+      "resolved": "https://registry.npmjs.org/@biomejs/cli-win32-arm64/-/cli-win32-arm64-2.4.4.tgz",
+      "integrity": "sha512-trzCqM7x+Gn832zZHgr28JoYagQNX4CZkUZhMUac2YxvvyDRLJDrb5m9IA7CaZLlX6lTQmADVfLEKP1et1Ma4Q==",
       "cpu": [
         "arm64"
       ],
@@ -245,9 +246,9 @@
       }
     },
     "node_modules/@biomejs/cli-win32-x64": {
-      "version": "2.4.1",
-      "resolved": "https://registry.npmjs.org/@biomejs/cli-win32-x64/-/cli-win32-x64-2.4.1.tgz",
-      "integrity": "sha512-kfjOCzvaHC7olg8pmEuSsYzHntxdipkAGzr5nFiaEU2EPDWRE/myqUBaFDl9pHqEc8yEtQFiXF945PlTSkuOTw==",
+      "version": "2.4.4",
+      "resolved": "https://registry.npmjs.org/@biomejs/cli-win32-x64/-/cli-win32-x64-2.4.4.tgz",
+      "integrity": "sha512-gnOHKVPFAAPrpoPt2t+Q6FZ7RPry/FDV3GcpU53P3PtLNnQjBmKyN2Vh/JtqXet+H4pme8CC76rScwdjDcT1/A==",
       "cpu": [
         "x64"
       ],
@@ -268,6 +269,16 @@
       "dev": true,
       "license": "Apache-2.0"
     },
+    "node_modules/@emnapi/runtime": {
+      "version": "1.8.1",
+      "resolved": "https://registry.npmjs.org/@emnapi/runtime/-/runtime-1.8.1.tgz",
+      "integrity": "sha512-mehfKSMWjjNol8659Z8KxEMrdSJDDot5SXMq00dM8BN4o+CLNXQ0xH2V7EchNHV4RmbZLmmPdEaXZc5H2FXmDg==",
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "tslib": "^2.4.0"
+      }
+    },
     "node_modules/@epic-web/invariant": {
       "version": "1.0.0",
       "resolved": "https://registry.npmjs.org/@epic-web/invariant/-/invariant-1.0.0.tgz",
@@ -1500,6 +1511,471 @@
         "glob": "^13.0.0"
       }
     },
+    "node_modules/@img/colour": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/@img/colour/-/colour-1.0.0.tgz",
+      "integrity": "sha512-A5P/LfWGFSl6nsckYtjw9da+19jB8hkJ6ACTGcDfEJ0aE+l2n2El7dsVM7UVHZQ9s2lmYMWlrS21YLy2IR1LUw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=18"
+      }
+    },
+    "node_modules/@img/sharp-darwin-arm64": {
+      "version": "0.34.5",
+      "resolved": "https://registry.npmjs.org/@img/sharp-darwin-arm64/-/sharp-darwin-arm64-0.34.5.tgz",
+      "integrity": "sha512-imtQ3WMJXbMY4fxb/Ndp6HBTNVtWCUI0WdobyheGf5+ad6xX8VIDO8u2xE4qc/fr08CKG/7dDseFtn6M6g/r3w==",
+      "cpu": [
+        "arm64"
+      ],
+      "license": "Apache-2.0",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      },
+      "optionalDependencies": {
+        "@img/sharp-libvips-darwin-arm64": "1.2.4"
+      }
+    },
+    "node_modules/@img/sharp-darwin-x64": {
+      "version": "0.34.5",
+      "resolved": "https://registry.npmjs.org/@img/sharp-darwin-x64/-/sharp-darwin-x64-0.34.5.tgz",
+      "integrity": "sha512-YNEFAF/4KQ/PeW0N+r+aVVsoIY0/qxxikF2SWdp+NRkmMB7y9LBZAVqQ4yhGCm/H3H270OSykqmQMKLBhBJDEw==",
+      "cpu": [
+        "x64"
+      ],
+      "license": "Apache-2.0",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      },
+      "optionalDependencies": {
+        "@img/sharp-libvips-darwin-x64": "1.2.4"
+      }
+    },
+    "node_modules/@img/sharp-libvips-darwin-arm64": {
+      "version": "1.2.4",
+      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-darwin-arm64/-/sharp-libvips-darwin-arm64-1.2.4.tgz",
+      "integrity": "sha512-zqjjo7RatFfFoP0MkQ51jfuFZBnVE2pRiaydKJ1G/rHZvnsrHAOcQALIi9sA5co5xenQdTugCvtb1cuf78Vf4g==",
+      "cpu": [
+        "arm64"
+      ],
+      "license": "LGPL-3.0-or-later",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      }
+    },
+    "node_modules/@img/sharp-libvips-darwin-x64": {
+      "version": "1.2.4",
+      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-darwin-x64/-/sharp-libvips-darwin-x64-1.2.4.tgz",
+      "integrity": "sha512-1IOd5xfVhlGwX+zXv2N93k0yMONvUlANylbJw1eTah8K/Jtpi15KC+WSiaX/nBmbm2HxRM1gZ0nSdjSsrZbGKg==",
+      "cpu": [
+        "x64"
+      ],
+      "license": "LGPL-3.0-or-later",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      }
+    },
+    "node_modules/@img/sharp-libvips-linux-arm": {
+      "version": "1.2.4",
+      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-linux-arm/-/sharp-libvips-linux-arm-1.2.4.tgz",
+      "integrity": "sha512-bFI7xcKFELdiNCVov8e44Ia4u2byA+l3XtsAj+Q8tfCwO6BQ8iDojYdvoPMqsKDkuoOo+X6HZA0s0q11ANMQ8A==",
+      "cpu": [
+        "arm"
+      ],
+      "license": "LGPL-3.0-or-later",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      }
+    },
+    "node_modules/@img/sharp-libvips-linux-arm64": {
+      "version": "1.2.4",
+      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-linux-arm64/-/sharp-libvips-linux-arm64-1.2.4.tgz",
+      "integrity": "sha512-excjX8DfsIcJ10x1Kzr4RcWe1edC9PquDRRPx3YVCvQv+U5p7Yin2s32ftzikXojb1PIFc/9Mt28/y+iRklkrw==",
+      "cpu": [
+        "arm64"
+      ],
+      "license": "LGPL-3.0-or-later",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      }
+    },
+    "node_modules/@img/sharp-libvips-linux-ppc64": {
+      "version": "1.2.4",
+      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-linux-ppc64/-/sharp-libvips-linux-ppc64-1.2.4.tgz",
+      "integrity": "sha512-FMuvGijLDYG6lW+b/UvyilUWu5Ayu+3r2d1S8notiGCIyYU/76eig1UfMmkZ7vwgOrzKzlQbFSuQfgm7GYUPpA==",
+      "cpu": [
+        "ppc64"
+      ],
+      "license": "LGPL-3.0-or-later",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      }
+    },
+    "node_modules/@img/sharp-libvips-linux-riscv64": {
+      "version": "1.2.4",
+      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-linux-riscv64/-/sharp-libvips-linux-riscv64-1.2.4.tgz",
+      "integrity": "sha512-oVDbcR4zUC0ce82teubSm+x6ETixtKZBh/qbREIOcI3cULzDyb18Sr/Wcyx7NRQeQzOiHTNbZFF1UwPS2scyGA==",
+      "cpu": [
+        "riscv64"
+      ],
+      "license": "LGPL-3.0-or-later",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      }
+    },
+    "node_modules/@img/sharp-libvips-linux-s390x": {
+      "version": "1.2.4",
+      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-linux-s390x/-/sharp-libvips-linux-s390x-1.2.4.tgz",
+      "integrity": "sha512-qmp9VrzgPgMoGZyPvrQHqk02uyjA0/QrTO26Tqk6l4ZV0MPWIW6LTkqOIov+J1yEu7MbFQaDpwdwJKhbJvuRxQ==",
+      "cpu": [
+        "s390x"
+      ],
+      "license": "LGPL-3.0-or-later",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      }
+    },
+    "node_modules/@img/sharp-libvips-linux-x64": {
+      "version": "1.2.4",
+      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-linux-x64/-/sharp-libvips-linux-x64-1.2.4.tgz",
+      "integrity": "sha512-tJxiiLsmHc9Ax1bz3oaOYBURTXGIRDODBqhveVHonrHJ9/+k89qbLl0bcJns+e4t4rvaNBxaEZsFtSfAdquPrw==",
+      "cpu": [
+        "x64"
+      ],
+      "license": "LGPL-3.0-or-later",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      }
+    },
+    "node_modules/@img/sharp-libvips-linuxmusl-arm64": {
+      "version": "1.2.4",
+      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-linuxmusl-arm64/-/sharp-libvips-linuxmusl-arm64-1.2.4.tgz",
+      "integrity": "sha512-FVQHuwx1IIuNow9QAbYUzJ+En8KcVm9Lk5+uGUQJHaZmMECZmOlix9HnH7n1TRkXMS0pGxIJokIVB9SuqZGGXw==",
+      "cpu": [
+        "arm64"
+      ],
+      "license": "LGPL-3.0-or-later",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      }
+    },
+    "node_modules/@img/sharp-libvips-linuxmusl-x64": {
+      "version": "1.2.4",
+      "resolved": "https://registry.npmjs.org/@img/sharp-libvips-linuxmusl-x64/-/sharp-libvips-linuxmusl-x64-1.2.4.tgz",
+      "integrity": "sha512-+LpyBk7L44ZIXwz/VYfglaX/okxezESc6UxDSoyo2Ks6Jxc4Y7sGjpgU9s4PMgqgjj1gZCylTieNamqA1MF7Dg==",
+      "cpu": [
+        "x64"
+      ],
+      "license": "LGPL-3.0-or-later",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      }
+    },
+    "node_modules/@img/sharp-linux-arm": {
+      "version": "0.34.5",
+      "resolved": "https://registry.npmjs.org/@img/sharp-linux-arm/-/sharp-linux-arm-0.34.5.tgz",
+      "integrity": "sha512-9dLqsvwtg1uuXBGZKsxem9595+ujv0sJ6Vi8wcTANSFpwV/GONat5eCkzQo/1O6zRIkh0m/8+5BjrRr7jDUSZw==",
+      "cpu": [
+        "arm"
+      ],
+      "license": "Apache-2.0",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      },
+      "optionalDependencies": {
+        "@img/sharp-libvips-linux-arm": "1.2.4"
+      }
+    },
+    "node_modules/@img/sharp-linux-arm64": {
+      "version": "0.34.5",
+      "resolved": "https://registry.npmjs.org/@img/sharp-linux-arm64/-/sharp-linux-arm64-0.34.5.tgz",
+      "integrity": "sha512-bKQzaJRY/bkPOXyKx5EVup7qkaojECG6NLYswgktOZjaXecSAeCWiZwwiFf3/Y+O1HrauiE3FVsGxFg8c24rZg==",
+      "cpu": [
+        "arm64"
+      ],
+      "license": "Apache-2.0",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      },
+      "optionalDependencies": {
+        "@img/sharp-libvips-linux-arm64": "1.2.4"
+      }
+    },
+    "node_modules/@img/sharp-linux-ppc64": {
+      "version": "0.34.5",
+      "resolved": "https://registry.npmjs.org/@img/sharp-linux-ppc64/-/sharp-linux-ppc64-0.34.5.tgz",
+      "integrity": "sha512-7zznwNaqW6YtsfrGGDA6BRkISKAAE1Jo0QdpNYXNMHu2+0dTrPflTLNkpc8l7MUP5M16ZJcUvysVWWrMefZquA==",
+      "cpu": [
+        "ppc64"
+      ],
+      "license": "Apache-2.0",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      },
+      "optionalDependencies": {
+        "@img/sharp-libvips-linux-ppc64": "1.2.4"
+      }
+    },
+    "node_modules/@img/sharp-linux-riscv64": {
+      "version": "0.34.5",
+      "resolved": "https://registry.npmjs.org/@img/sharp-linux-riscv64/-/sharp-linux-riscv64-0.34.5.tgz",
+      "integrity": "sha512-51gJuLPTKa7piYPaVs8GmByo7/U7/7TZOq+cnXJIHZKavIRHAP77e3N2HEl3dgiqdD/w0yUfiJnII77PuDDFdw==",
+      "cpu": [
+        "riscv64"
+      ],
+      "license": "Apache-2.0",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      },
+      "optionalDependencies": {
+        "@img/sharp-libvips-linux-riscv64": "1.2.4"
+      }
+    },
+    "node_modules/@img/sharp-linux-s390x": {
+      "version": "0.34.5",
+      "resolved": "https://registry.npmjs.org/@img/sharp-linux-s390x/-/sharp-linux-s390x-0.34.5.tgz",
+      "integrity": "sha512-nQtCk0PdKfho3eC5MrbQoigJ2gd1CgddUMkabUj+rBevs8tZ2cULOx46E7oyX+04WGfABgIwmMC0VqieTiR4jg==",
+      "cpu": [
+        "s390x"
+      ],
+      "license": "Apache-2.0",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      },
+      "optionalDependencies": {
+        "@img/sharp-libvips-linux-s390x": "1.2.4"
+      }
+    },
+    "node_modules/@img/sharp-linux-x64": {
+      "version": "0.34.5",
+      "resolved": "https://registry.npmjs.org/@img/sharp-linux-x64/-/sharp-linux-x64-0.34.5.tgz",
+      "integrity": "sha512-MEzd8HPKxVxVenwAa+JRPwEC7QFjoPWuS5NZnBt6B3pu7EG2Ge0id1oLHZpPJdn3OQK+BQDiw9zStiHBTJQQQQ==",
+      "cpu": [
+        "x64"
+      ],
+      "license": "Apache-2.0",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      },
+      "optionalDependencies": {
+        "@img/sharp-libvips-linux-x64": "1.2.4"
+      }
+    },
+    "node_modules/@img/sharp-linuxmusl-arm64": {
+      "version": "0.34.5",
+      "resolved": "https://registry.npmjs.org/@img/sharp-linuxmusl-arm64/-/sharp-linuxmusl-arm64-0.34.5.tgz",
+      "integrity": "sha512-fprJR6GtRsMt6Kyfq44IsChVZeGN97gTD331weR1ex1c1rypDEABN6Tm2xa1wE6lYb5DdEnk03NZPqA7Id21yg==",
+      "cpu": [
+        "arm64"
+      ],
+      "license": "Apache-2.0",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      },
+      "optionalDependencies": {
+        "@img/sharp-libvips-linuxmusl-arm64": "1.2.4"
+      }
+    },
+    "node_modules/@img/sharp-linuxmusl-x64": {
+      "version": "0.34.5",
+      "resolved": "https://registry.npmjs.org/@img/sharp-linuxmusl-x64/-/sharp-linuxmusl-x64-0.34.5.tgz",
+      "integrity": "sha512-Jg8wNT1MUzIvhBFxViqrEhWDGzqymo3sV7z7ZsaWbZNDLXRJZoRGrjulp60YYtV4wfY8VIKcWidjojlLcWrd8Q==",
+      "cpu": [
+        "x64"
+      ],
+      "license": "Apache-2.0",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      },
+      "optionalDependencies": {
+        "@img/sharp-libvips-linuxmusl-x64": "1.2.4"
+      }
+    },
+    "node_modules/@img/sharp-wasm32": {
+      "version": "0.34.5",
+      "resolved": "https://registry.npmjs.org/@img/sharp-wasm32/-/sharp-wasm32-0.34.5.tgz",
+      "integrity": "sha512-OdWTEiVkY2PHwqkbBI8frFxQQFekHaSSkUIJkwzclWZe64O1X4UlUjqqqLaPbUpMOQk6FBu/HtlGXNblIs0huw==",
+      "cpu": [
+        "wasm32"
+      ],
+      "license": "Apache-2.0 AND LGPL-3.0-or-later AND MIT",
+      "optional": true,
+      "dependencies": {
+        "@emnapi/runtime": "^1.7.0"
+      },
+      "engines": {
+        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      }
+    },
+    "node_modules/@img/sharp-win32-arm64": {
+      "version": "0.34.5",
+      "resolved": "https://registry.npmjs.org/@img/sharp-win32-arm64/-/sharp-win32-arm64-0.34.5.tgz",
+      "integrity": "sha512-WQ3AgWCWYSb2yt+IG8mnC6Jdk9Whs7O0gxphblsLvdhSpSTtmu69ZG1Gkb6NuvxsNACwiPV6cNSZNzt0KPsw7g==",
+      "cpu": [
+        "arm64"
+      ],
+      "license": "Apache-2.0 AND LGPL-3.0-or-later",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "engines": {
+        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      }
+    },
+    "node_modules/@img/sharp-win32-ia32": {
+      "version": "0.34.5",
+      "resolved": "https://registry.npmjs.org/@img/sharp-win32-ia32/-/sharp-win32-ia32-0.34.5.tgz",
+      "integrity": "sha512-FV9m/7NmeCmSHDD5j4+4pNI8Cp3aW+JvLoXcTUo0IqyjSfAZJ8dIUmijx1qaJsIiU+Hosw6xM5KijAWRJCSgNg==",
+      "cpu": [
+        "ia32"
+      ],
+      "license": "Apache-2.0 AND LGPL-3.0-or-later",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "engines": {
+        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      }
+    },
+    "node_modules/@img/sharp-win32-x64": {
+      "version": "0.34.5",
+      "resolved": "https://registry.npmjs.org/@img/sharp-win32-x64/-/sharp-win32-x64-0.34.5.tgz",
+      "integrity": "sha512-+29YMsqY2/9eFEiW93eqWnuLcWcufowXewwSNIT6UwZdUUCrM3oFjMWH/Z6/TMmb4hlFenmfAVbpWeup2jryCw==",
+      "cpu": [
+        "x64"
+      ],
+      "license": "Apache-2.0 AND LGPL-3.0-or-later",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "engines": {
+        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      }
+    },
     "node_modules/@isaacs/cliui": {
       "version": "9.0.0",
       "resolved": "https://registry.npmjs.org/@isaacs/cliui/-/cliui-9.0.0.tgz",
@@ -2148,18 +2624,18 @@
       "license": "MIT"
     },
     "node_modules/@types/node": {
-      "version": "25.2.3",
-      "resolved": "https://registry.npmjs.org/@types/node/-/node-25.2.3.tgz",
-      "integrity": "sha512-m0jEgYlYz+mDJZ2+F4v8D1AyQb+QzsNqRuI7xg1VQX/KlKS0qT9r1Mo16yo5F/MtifXFgaofIFsdFMox2SxIbQ==",
+      "version": "25.3.0",
+      "resolved": "https://registry.npmjs.org/@types/node/-/node-25.3.0.tgz",
+      "integrity": "sha512-4K3bqJpXpqfg2XKGK9bpDTc6xO/xoUP/RBWS7AtRMug6zZFaRekiLzjVtAoZMquxoAbzBvy5nxQ7veS5eYzf8A==",
       "license": "MIT",
       "dependencies": {
-        "undici-types": "~7.16.0"
+        "undici-types": "~7.18.0"
       }
     },
     "node_modules/@types/nodemailer": {
-      "version": "7.0.10",
-      "resolved": "https://registry.npmjs.org/@types/nodemailer/-/nodemailer-7.0.10.tgz",
-      "integrity": "sha512-tP+9WggTFN22Zxh0XFyst7239H0qwiRCogsk7v9aQS79sYAJY+WEbTHbNYcxUMaalHKmsNpxmoTe35hBEMMd6g==",
+      "version": "7.0.11",
+      "resolved": "https://registry.npmjs.org/@types/nodemailer/-/nodemailer-7.0.11.tgz",
+      "integrity": "sha512-E+U4RzR2dKrx+u3N4DlsmLaDC6mMZOM/TPROxA0UAPiTgI0y4CEFBmZE+coGWTjakDriRsXG368lNk1u9Q0a2g==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -4912,6 +5388,59 @@
       "integrity": "sha512-E5LDX7Wrp85Kil5bhZv46j8jOeboKq5JMmYM3gVGdGH8xFpPWXUMsNrlODCrkoxMEeNi/XZIwuRvY4XNwYMJpw==",
       "license": "ISC"
     },
+    "node_modules/sharp": {
+      "version": "0.34.5",
+      "resolved": "https://registry.npmjs.org/sharp/-/sharp-0.34.5.tgz",
+      "integrity": "sha512-Ou9I5Ft9WNcCbXrU9cMgPBcCK8LiwLqcbywW3t4oDV37n1pzpuNLsYiAV8eODnjbtQlSDwZ2cUEeQz4E54Hltg==",
+      "hasInstallScript": true,
+      "license": "Apache-2.0",
+      "dependencies": {
+        "@img/colour": "^1.0.0",
+        "detect-libc": "^2.1.2",
+        "semver": "^7.7.3"
+      },
+      "engines": {
+        "node": "^18.17.0 || ^20.3.0 || >=21.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/libvips"
+      },
+      "optionalDependencies": {
+        "@img/sharp-darwin-arm64": "0.34.5",
+        "@img/sharp-darwin-x64": "0.34.5",
+        "@img/sharp-libvips-darwin-arm64": "1.2.4",
+        "@img/sharp-libvips-darwin-x64": "1.2.4",
+        "@img/sharp-libvips-linux-arm": "1.2.4",
+        "@img/sharp-libvips-linux-arm64": "1.2.4",
+        "@img/sharp-libvips-linux-ppc64": "1.2.4",
+        "@img/sharp-libvips-linux-riscv64": "1.2.4",
+        "@img/sharp-libvips-linux-s390x": "1.2.4",
+        "@img/sharp-libvips-linux-x64": "1.2.4",
+        "@img/sharp-libvips-linuxmusl-arm64": "1.2.4",
+        "@img/sharp-libvips-linuxmusl-x64": "1.2.4",
+        "@img/sharp-linux-arm": "0.34.5",
+        "@img/sharp-linux-arm64": "0.34.5",
+        "@img/sharp-linux-ppc64": "0.34.5",
+        "@img/sharp-linux-riscv64": "0.34.5",
+        "@img/sharp-linux-s390x": "0.34.5",
+        "@img/sharp-linux-x64": "0.34.5",
+        "@img/sharp-linuxmusl-arm64": "0.34.5",
+        "@img/sharp-linuxmusl-x64": "0.34.5",
+        "@img/sharp-wasm32": "0.34.5",
+        "@img/sharp-win32-arm64": "0.34.5",
+        "@img/sharp-win32-ia32": "0.34.5",
+        "@img/sharp-win32-x64": "0.34.5"
+      }
+    },
+    "node_modules/sharp/node_modules/detect-libc": {
+      "version": "2.1.2",
+      "resolved": "https://registry.npmjs.org/detect-libc/-/detect-libc-2.1.2.tgz",
+      "integrity": "sha512-Btj2BOOO83o3WyH59e8MgXsxEQVcarkUOpEYrubB0urwnN10yQ364rsiByU11nZlqWYZm05i/of7io4mzihBtQ==",
+      "license": "Apache-2.0",
+      "engines": {
+        "node": ">=8"
+      }
+    },
     "node_modules/shebang-command": {
       "version": "2.0.0",
       "resolved": "https://registry.npmjs.org/shebang-command/-/shebang-command-2.0.0.tgz",
@@ -5240,6 +5769,13 @@
       "integrity": "sha512-N3WMsuqV66lT30CrXNbEjx4GEwlow3v6rr4mCcv6prnfwhS01rkgyFdjPNBYd9br7LpXV1+Emh01fHnq2Gdgrw==",
       "license": "MIT"
     },
+    "node_modules/tslib": {
+      "version": "2.8.1",
+      "resolved": "https://registry.npmjs.org/tslib/-/tslib-2.8.1.tgz",
+      "integrity": "sha512-oJFu94HQb+KVduSUQL7wnpmqnfmLsOA/nAh6b6EH0wCEoK0/mPeXU6c3wKDV83MkOuHPRHtSXKKU99IBazS/2w==",
+      "license": "0BSD",
+      "optional": true
+    },
     "node_modules/tsx": {
       "version": "4.21.0",
       "resolved": "https://registry.npmjs.org/tsx/-/tsx-4.21.0.tgz",
@@ -5289,9 +5825,9 @@
       }
     },
     "node_modules/undici-types": {
-      "version": "7.16.0",
-      "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-7.16.0.tgz",
-      "integrity": "sha512-Zz+aZWSj8LE6zoxD+xrjh4VfkIG8Ya6LvYkZqtUQGJPZjYl53ypCaUwWqo7eI0x66KBGeRo+mlBEkMSeSZ38Nw==",
+      "version": "7.18.2",
+      "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-7.18.2.tgz",
+      "integrity": "sha512-AsuCzffGHJybSaRrmr5eHr81mwJU3kjw6M+uprWvCXiNeN9SOGwQ3Jn8jb8m3Z6izVgknn1R0FTCEAP2QrLY/w==",
       "license": "MIT"
     },
     "node_modules/vary": {

backend/package.json

@@ -1,6 +1,6 @@
 {
   "name": "medassist-ng-backend",
-  "version": "1.14.1",
+  "version": "1.16.1",
   "private": true,
   "type": "module",
   "scripts": {
@@ -32,12 +32,13 @@
     "fastify": "^5.7.4",
     "nodemailer": "^8.0.1",
     "openid-client": "^6.8.2",
+    "sharp": "^0.34.5",
     "zod": "^3.23.8"
   },
   "devDependencies": {
-    "@biomejs/biome": "^2.4.1",
-    "@types/node": "^25.2.3",
-    "@types/nodemailer": "^7.0.10",
+    "@biomejs/biome": "^2.4.4",
+    "@types/node": "^25.3.0",
+    "@types/nodemailer": "^7.0.11",
     "@types/supertest": "^6.0.2",
     "@vitest/coverage-v8": "^4.0.18",
     "drizzle-kit": "^0.31.9",

backend/src/index.ts

@@ -1,4 +1,6 @@
+import { randomUUID } from "node:crypto";
 import { existsSync } from "node:fs";
+import type { IncomingHttpHeaders } from "node:http";
 import { resolve } from "node:path";
 import cookie from "@fastify/cookie";
 import cors from "@fastify/cors";
@@ -45,6 +47,23 @@ import {
 	parseCorsOrigins,
 } from "./utils/server-config.js";
 
+function sanitizeCorrelationId(headers: IncomingHttpHeaders): string | null {
+	const rawHeader = headers["x-correlation-id"];
+	if (typeof rawHeader !== "string") return null;
+	const trimmed = rawHeader.trim();
+	if (!trimmed) return null;
+	if (trimmed.length > 128) return null;
+	if (!/^[A-Za-z0-9._:-]+$/.test(trimmed)) return null;
+	return trimmed;
+}
+
+function buildLoggerOptions(level: string) {
+	return {
+		level,
+		timestamp: () => `,"time":"${new Date().toISOString()}"`,
+	};
+}
+
 /** Create and configure Fastify app (without starting) */
 export async function createApp(options?: {
 	logLevel?: string;
@@ -72,7 +91,14 @@ export async function createApp(options?: {
 	};
 
 	const app = Fastify({
-		logger: { level: opts.logLevel },
+		logger: buildLoggerOptions(opts.logLevel),
+		genReqId: (request) => sanitizeCorrelationId(request.headers) ?? randomUUID(),
+	});
+
+	app.addHook("onRequest", (request, reply, done) => {
+		request.correlationId = request.id;
+		reply.header("x-correlation-id", request.id);
+		done();
 	});
 
 	// Build config
@@ -138,9 +164,14 @@ log.info("[DB] Migrations complete, starting server...");
 const imagesDir = ensureImagesDirectory();
 
 const app = Fastify({
-	logger: {
-		level: env.LOG_LEVEL,
-	},
+	logger: buildLoggerOptions(env.LOG_LEVEL),
+	genReqId: (request) => sanitizeCorrelationId(request.headers) ?? randomUUID(),
+});
+
+app.addHook("onRequest", (request, reply, done) => {
+	request.correlationId = request.id;
+	reply.header("x-correlation-id", request.id);
+	done();
 });
 
 const origins = parseCorsOrigins(env.CORS_ORIGINS);

backend/src/routes/auth.ts

@@ -1,4 +1,5 @@
 import { randomBytes } from "node:crypto";
+import { resolve } from "node:path";
 import argon2 from "argon2";
 import { eq, sql } from "drizzle-orm";
 import type { FastifyInstance } from "fastify";
@@ -8,6 +9,12 @@ import { getDataDir } from "../db/db-utils.js";
 import { refreshTokens, users } from "../db/schema.js";
 import { getAuthState, requireAuth } from "../plugins/auth.js";
 import type { AuthUser } from "../types/fastify.js";
+import {
+	ALLOWED_IMAGE_MIME_TYPES,
+	removeImageFiles,
+	streamToBuffer,
+	writeOptimizedImageSet,
+} from "../utils/image-upload.js";
 
 // =============================================================================
 // Argon2id Configuration - State of the Art Password Hashing
@@ -53,6 +60,7 @@ const sensitiveRateLimitConfig = {
 const registerSchema = z.object({
 	username: z
 		.string()
+		.trim()
 		.min(3, "Username must be at least 3 characters")
 		.max(50, "Username must be at most 50 characters")
 		.regex(/^[a-zA-Z0-9_-]+$/, "Username can only contain letters, numbers, underscores, and hyphens"),
@@ -63,7 +71,7 @@ const registerSchema = z.object({
 });
 
 const loginSchema = z.object({
-	username: z.string().min(1, "Username is required"),
+	username: z.string().trim().min(1, "Username is required"),
 	password: z.string().min(1, "Password is required"),
 	rememberMe: z.boolean().optional().default(false),
 });
@@ -81,6 +89,8 @@ const updateProfileSchema = z.object({
 // Auth Routes
 // =============================================================================
 export async function authRoutes(app: FastifyInstance) {
+	const IMAGES_DIR = resolve(getDataDir(), "images");
+
 	// Token TTLs
 	const accessTtlMinutes = 15;
 	const refreshTtlDays = 14;
@@ -461,36 +471,35 @@ export async function authRoutes(app: FastifyInstance) {
 
 			const data = await request.file();
 			if (!data) {
-				return reply.status(400).send({ error: "No file uploaded" });
+				return reply.status(400).send({ error: "No file uploaded", code: "NO_FILE" });
 			}
 
 			// Validate file type
-			const allowedTypes = ["image/jpeg", "image/png", "image/webp", "image/gif"];
-			if (!allowedTypes.includes(data.mimetype)) {
-				return reply.status(400).send({ error: "Invalid file type. Allowed: JPEG, PNG, WebP, GIF" });
+			if (!ALLOWED_IMAGE_MIME_TYPES.includes(data.mimetype)) {
+				return reply.status(400).send({ error: "Invalid file type", code: "INVALID_TYPE" });
 			}
 
-			// Generate unique filename
-			const ext = data.filename.split(".").pop() || "jpg";
-			const filename = `avatar_${authUser.id}_${Date.now()}.${ext}`;
+			let uploadBuffer: Buffer;
+			try {
+				uploadBuffer = await streamToBuffer(data.file);
+			} catch (error) {
+				if (error instanceof Error && error.message === "IMAGE_TOO_LARGE") {
+					return reply.status(400).send({ error: "Image too large", code: "IMAGE_TOO_LARGE" });
+				}
+				throw error;
+			}
 
-			// Save file
-			const fs = await import("node:fs/promises");
-			const path = await import("node:path");
-			const imagesDir = path.join(getDataDir(), "images");
-			await fs.mkdir(imagesDir, { recursive: true });
-
-			const buffer = await data.toBuffer();
-			await fs.writeFile(path.join(imagesDir, filename), buffer);
+			let filename: string;
+			try {
+				({ filename } = await writeOptimizedImageSet(IMAGES_DIR, `avatar_${authUser.id}`, uploadBuffer));
+			} catch {
+				return reply.status(400).send({ error: "Invalid image", code: "INVALID_IMAGE" });
+			}
 
 			// Delete old avatar if exists
 			const [user] = await db.select().from(users).where(eq(users.id, authUser.id));
 			if (user?.avatarUrl) {
-				try {
-					await fs.unlink(path.join(imagesDir, user.avatarUrl));
-				} catch {
-					// Ignore if file doesn't exist
-				}
+				removeImageFiles(IMAGES_DIR, user.avatarUrl);
 			}
 
 			// Update user
@@ -521,13 +530,7 @@ export async function authRoutes(app: FastifyInstance) {
 			}
 
 			// Delete file
-			const fs = await import("node:fs/promises");
-			const path = await import("node:path");
-			try {
-				await fs.unlink(path.join(getDataDir(), "images", user.avatarUrl));
-			} catch {
-				// Ignore if file doesn't exist
-			}
+			removeImageFiles(IMAGES_DIR, user.avatarUrl);
 
 			// Update user
 			await db.update(users).set({ avatarUrl: null, updatedAt: new Date() }).where(eq(users.id, authUser.id));
@@ -554,13 +557,7 @@ export async function authRoutes(app: FastifyInstance) {
 			// Delete avatar file if exists
 			const [user] = await db.select().from(users).where(eq(users.id, authUser.id));
 			if (user?.avatarUrl) {
-				const fs = await import("node:fs/promises");
-				const path = await import("node:path");
-				try {
-					await fs.unlink(path.join(getDataDir(), "images", user.avatarUrl));
-				} catch {
-					// Ignore if file doesn't exist
-				}
+				removeImageFiles(IMAGES_DIR, user.avatarUrl);
 			}
 
 			// Delete user - cascade delete handles all related data

backend/src/routes/doses.ts

@@ -2,10 +2,11 @@ import { and, eq } from "drizzle-orm";
 import type { FastifyInstance, FastifyReply, FastifyRequest } from "fastify";
 import { z } from "zod";
 import { db } from "../db/client.js";
-import { doseTracking, shareTokens } from "../db/schema.js";
+import { doseTracking, medications, shareTokens } from "../db/schema.js";
 import { getAnonymousUserId, requireAuth } from "../plugins/auth.js";
 import { env } from "../plugins/env.js";
 import type { AuthUser } from "../types/fastify.js";
+import { parseIntakesJson, parseTakenByJson, personTakesMedication } from "../utils/scheduler-utils.js";
 
 // =============================================================================
 // Validation Schemas
@@ -22,6 +23,13 @@ const dismissDosesSchema = z.object({
 	doseIds: z.array(z.string().min(1)).min(1, "At least one doseId is required"),
 });
 
+const doseIdPattern = /^(\d+)-(\d+)-(\d+)(?:-(.+))?$/;
+
+function maskToken(token: string): string {
+	if (token.length <= 8) return token;
+	return `${token.slice(0, 4)}...${token.slice(-4)}`;
+}
+
 // Helper to get user ID from request
 // Returns anonymous user ID when auth is disabled
 async function getUserId(request: FastifyRequest, reply: FastifyReply): Promise<number> {
@@ -38,6 +46,91 @@ async function getUserId(request: FastifyRequest, reply: FastifyReply): Promise<
 	return authUser.id;
 }
 
+type ParsedDoseId = {
+	medicationId: number;
+	intakeIndex: number;
+	timestampMs: number;
+	personSuffix: string | null;
+};
+
+function parseDoseId(doseId: string): ParsedDoseId | null {
+	const match = doseIdPattern.exec(doseId);
+	if (!match) return null;
+
+	const medicationId = Number.parseInt(match[1], 10);
+	const intakeIndex = Number.parseInt(match[2], 10);
+	const timestampMs = Number.parseInt(match[3], 10);
+	const personSuffix = match[4] ? match[4].trim() : null;
+
+	if (Number.isNaN(medicationId) || Number.isNaN(intakeIndex) || Number.isNaN(timestampMs) || intakeIndex < 0) {
+		return null;
+	}
+
+	return {
+		medicationId,
+		intakeIndex,
+		timestampMs,
+		personSuffix,
+	};
+}
+
+async function getActiveShareToken(token: string): Promise<{
+	share: typeof shareTokens.$inferSelect | null;
+	reason: "not_found" | "expired" | "ok";
+}> {
+	const [share] = await db.select().from(shareTokens).where(eq(shareTokens.token, token));
+	if (!share) return { share: null, reason: "not_found" };
+
+	if (share.expiresAt && share.expiresAt.getTime() < Date.now()) {
+		return { share: null, reason: "expired" };
+	}
+
+	return { share, reason: "ok" };
+}
+
+async function validateShareDoseId(share: typeof shareTokens.$inferSelect, doseId: string): Promise<boolean> {
+	const parsedDose = parseDoseId(doseId);
+	if (!parsedDose) {
+		return false;
+	}
+
+	const [medication] = await db
+		.select()
+		.from(medications)
+		.where(and(eq(medications.id, parsedDose.medicationId), eq(medications.userId, share.userId)));
+
+	if (!medication) {
+		return false;
+	}
+
+	const medTakenBy = parseTakenByJson(medication.takenByJson);
+	const intakes = parseIntakesJson(
+		medication.intakesJson,
+		{ usageJson: medication.usageJson, everyJson: medication.everyJson, startJson: medication.startJson },
+		medication.intakeRemindersEnabled ?? false
+	);
+
+	if (!personTakesMedication(share.takenBy, medTakenBy, intakes)) {
+		return false;
+	}
+
+	const intake = intakes[parsedDose.intakeIndex];
+	if (!intake) {
+		return false;
+	}
+
+	const expectedPersons = intake.takenBy ? [intake.takenBy] : medTakenBy;
+	if (expectedPersons.length === 0) {
+		return parsedDose.personSuffix === null;
+	}
+
+	if (!parsedDose.personSuffix) {
+		return true;
+	}
+
+	return expectedPersons.includes(parsedDose.personSuffix);
+}
+
 // =============================================================================
 // Dose Tracking Routes
 // =============================================================================
@@ -215,9 +308,9 @@ export async function doseRoutes(app: FastifyInstance) {
 	app.get<{ Params: { token: string } }>("/share/:token/doses", async (request, reply) => {
 		const { token } = request.params;
 
-		// Find share token
-		const [share] = await db.select().from(shareTokens).where(eq(shareTokens.token, token));
+		const { share, reason } = await getActiveShareToken(token);
 		if (!share) {
+			request.log.warn(`[ShareDose] Rejected read for token ${maskToken(token)} (reason=${reason})`);
 			return reply.notFound("Share link not found");
 		}
 
@@ -252,12 +345,20 @@ export async function doseRoutes(app: FastifyInstance) {
 
 			const { doseId } = parsed.data;
 
-			// Find share token
-			const [share] = await db.select().from(shareTokens).where(eq(shareTokens.token, token));
+			const { share, reason } = await getActiveShareToken(token);
 			if (!share) {
+				request.log.warn(`[ShareDose] Rejected mark for token ${maskToken(token)} (reason=${reason})`);
 				return reply.notFound("Share link not found");
 			}
 
+			const isValidShareDoseId = await validateShareDoseId(share, doseId);
+			if (!isValidShareDoseId) {
+				request.log.warn(
+					`[ShareDose] Rejected invalid doseId in mark request (owner=${share.userId}, takenBy=${share.takenBy}, doseId=${doseId})`
+				);
+				return reply.status(400).send({ error: "Invalid or unauthorized doseId" });
+			}
+
 			// Check if already marked
 			const [existing] = await db
 				.select()
@@ -265,6 +366,7 @@ export async function doseRoutes(app: FastifyInstance) {
 				.where(and(eq(doseTracking.userId, share.userId), eq(doseTracking.doseId, doseId)));
 
 			if (existing) {
+				request.log.debug(`[ShareDose] Duplicate mark ignored (owner=${share.userId}, doseId=${doseId})`);
 				return { success: true, message: "Already marked" };
 			}
 
@@ -276,6 +378,10 @@ export async function doseRoutes(app: FastifyInstance) {
 				takenSource: "manual",
 			});
 
+			request.log.info(
+				`[ShareDose] Dose marked via share link (owner=${share.userId}, takenBy=${share.takenBy}, doseId=${doseId})`
+			);
+
 			return { success: true };
 		}
 	);
@@ -286,12 +392,20 @@ export async function doseRoutes(app: FastifyInstance) {
 	app.delete<{ Params: { token: string; doseId: string } }>("/share/:token/doses/:doseId", async (request, reply) => {
 		const { token, doseId } = request.params;
 
-		// Find share token
-		const [share] = await db.select().from(shareTokens).where(eq(shareTokens.token, token));
+		const { share, reason } = await getActiveShareToken(token);
 		if (!share) {
+			request.log.warn(`[ShareDose] Rejected unmark for token ${maskToken(token)} (reason=${reason})`);
 			return reply.notFound("Share link not found");
 		}
 
+		const isValidShareDoseId = await validateShareDoseId(share, doseId);
+		if (!isValidShareDoseId) {
+			request.log.warn(
+				`[ShareDose] Rejected invalid doseId in unmark request (owner=${share.userId}, takenBy=${share.takenBy}, doseId=${doseId})`
+			);
+			return reply.status(400).send({ error: "Invalid or unauthorized doseId" });
+		}
+
 		// Check if this dose was dismissed
 		const [existing] = await db
 			.select()
@@ -300,9 +414,13 @@ export async function doseRoutes(app: FastifyInstance) {
 
 		if (existing?.dismissed) {
 			// Already dismissed - keep the record as-is
+			request.log.debug(`[ShareDose] Unmark ignored for dismissed dose (owner=${share.userId}, doseId=${doseId})`);
 		} else {
 			// Not dismissed - delete the record entirely
 			await db.delete(doseTracking).where(and(eq(doseTracking.userId, share.userId), eq(doseTracking.doseId, doseId)));
+			request.log.info(
+				`[ShareDose] Dose unmarked via share link (owner=${share.userId}, takenBy=${share.takenBy}, doseId=${doseId})`
+			);
 		}
 
 		return { success: true };

backend/src/routes/medications.ts

@@ -1,6 +1,4 @@
-import { createWriteStream, existsSync, unlinkSync } from "node:fs";
-import { extname, resolve } from "node:path";
-import { pipeline } from "node:stream/promises";
+import { resolve } from "node:path";
 import { and, eq, like } from "drizzle-orm";
 import type { FastifyInstance, FastifyReply, FastifyRequest } from "fastify";
 import { z } from "zod";
@@ -10,6 +8,12 @@ import { doseTracking, medications, userSettings } from "../db/schema.js";
 import { getAnonymousUserId, requireAuth } from "../plugins/auth.js";
 import { env } from "../plugins/env.js";
 import type { AuthUser } from "../types/fastify.js";
+import {
+	ALLOWED_IMAGE_MIME_TYPES,
+	removeImageFiles,
+	streamToBuffer,
+	writeOptimizedImageSet,
+} from "../utils/image-upload.js";
 import { type Intake, parseIntakesJson, parseLocalDateTime, parseTakenByJson } from "../utils/scheduler-utils.js";
 
 const IMAGES_DIR = resolve(getDataDir(), "images");
@@ -38,7 +42,7 @@ const medicationStartDateSchema = z
 
 const medicationSchema = z
 	.object({
-		name: z.string().trim().min(1).max(100),
+		name: z.string().trim().max(100).default(""),
 		genericName: z.string().trim().max(100).nullable().optional(),
 		takenBy: z.array(z.string().trim().max(100)).default([]), // Medication-level takenBy (fallback)
 		packageType: packageTypeSchema,
@@ -62,6 +66,10 @@ const medicationSchema = z
 		intakes: z.array(intakeSchema).min(1).max(12).optional(),
 		blisters: z.array(blisterSchema).min(1).max(12).optional(), // Legacy format
 	})
+	.refine((data) => (data.name && data.name.length > 0) || (data.genericName && data.genericName.length > 0), {
+		message: "Either 'name' or 'genericName' must be provided",
+		path: ["name"],
+	})
 	.refine((data) => data.intakes || data.blisters, { message: "Either 'intakes' or 'blisters' must be provided" })
 	.refine(
 		(data) => {
@@ -693,10 +701,7 @@ export async function medicationRoutes(app: FastifyInstance) {
 			.where(and(eq(medications.id, idNum), eq(medications.userId, userId)));
 		if (!existing) return reply.notFound();
 
-		if (existing.imageUrl) {
-			const imagePath = resolve(IMAGES_DIR, existing.imageUrl);
-			if (existsSync(imagePath)) unlinkSync(imagePath);
-		}
+		if (existing.imageUrl) removeImageFiles(IMAGES_DIR, existing.imageUrl);
 
 		const deleted = await db
 			.delete(medications)
@@ -719,24 +724,31 @@ export async function medicationRoutes(app: FastifyInstance) {
 		if (!existing) return reply.notFound();
 
 		const data = await req.file();
-		if (!data) return reply.badRequest("No file uploaded");
+		if (!data) return reply.status(400).send({ error: "No file uploaded", code: "NO_FILE" });
 
-		const allowedTypes = ["image/jpeg", "image/png", "image/webp", "image/gif"];
-		if (!allowedTypes.includes(data.mimetype)) {
-			return reply.badRequest("Invalid file type. Allowed: JPEG, PNG, WebP, GIF");
+		if (!ALLOWED_IMAGE_MIME_TYPES.includes(data.mimetype)) {
+			return reply.status(400).send({ error: "Invalid file type", code: "INVALID_TYPE" });
 		}
 
-		const ext = extname(data.filename) || ".jpg";
-		const filename = `med-${idNum}-${Date.now()}${ext}`;
-		const filepath = resolve(IMAGES_DIR, filename);
+		let uploadBuffer: Buffer;
+		try {
+			uploadBuffer = await streamToBuffer(data.file);
+		} catch (error) {
+			if (error instanceof Error && error.message === "IMAGE_TOO_LARGE") {
+				return reply.status(400).send({ error: "Image too large", code: "IMAGE_TOO_LARGE" });
+			}
+			throw error;
+		}
 
-		await pipeline(data.file, createWriteStream(filepath));
+		let filename: string;
+		try {
+			({ filename } = await writeOptimizedImageSet(IMAGES_DIR, `med-${idNum}`, uploadBuffer));
+		} catch {
+			return reply.status(400).send({ error: "Invalid image", code: "INVALID_IMAGE" });
+		}
 
 		// Delete old image if exists
-		if (existing.imageUrl) {
-			const oldPath = resolve(IMAGES_DIR, existing.imageUrl);
-			if (existsSync(oldPath)) unlinkSync(oldPath);
-		}
+		if (existing.imageUrl) removeImageFiles(IMAGES_DIR, existing.imageUrl);
 
 		await db
 			.update(medications)
@@ -758,10 +770,7 @@ export async function medicationRoutes(app: FastifyInstance) {
 			.where(and(eq(medications.id, idNum), eq(medications.userId, userId)));
 		if (!existing) return reply.notFound();
 
-		if (existing.imageUrl) {
-			const filepath = resolve(IMAGES_DIR, existing.imageUrl);
-			if (existsSync(filepath)) unlinkSync(filepath);
-		}
+		if (existing.imageUrl) removeImageFiles(IMAGES_DIR, existing.imageUrl);
 
 		await db
 			.update(medications)
@@ -817,11 +826,12 @@ export async function medicationRoutes(app: FastifyInstance) {
 			}
 			takenDoseIdsByMed.get(medId)!.add(dose.doseId);
 			const rawTakenAt = Number(dose.takenAt);
-			const takenAtMs = Number.isFinite(rawTakenAt)
-				? rawTakenAt < 1_000_000_000_000
-					? rawTakenAt * 1000
-					: rawTakenAt
-				: new Date(dose.takenAt).getTime();
+			let takenAtMs: number;
+			if (Number.isFinite(rawTakenAt)) {
+				takenAtMs = rawTakenAt < 1_000_000_000_000 ? rawTakenAt * 1000 : rawTakenAt;
+			} else {
+				takenAtMs = new Date(dose.takenAt).getTime();
+			}
 			takenDoseTimestamps.set(dose.doseId, takenAtMs);
 		});
 
@@ -876,11 +886,14 @@ export async function medicationRoutes(app: FastifyInstance) {
 					const intake = intakes[blisterIdx];
 					const intakePerson = intake?.takenBy;
 					const fallbackPeople = parseTakenByJson(row.takenByJson);
-					const peopleForThisIntake = intakePerson
-						? [intakePerson]
-						: fallbackPeople.length > 0
-							? fallbackPeople
-							: [null];
+					let peopleForThisIntake: Array<string | null>;
+					if (intakePerson) {
+						peopleForThisIntake = [intakePerson];
+					} else if (fallbackPeople.length > 0) {
+						peopleForThisIntake = fallbackPeople;
+					} else {
+						peopleForThisIntake = [null];
+					}
 
 					let timeBasedConsumed = 0;
 					let lastAutoConsumedDateMs = 0;

backend/src/routes/oidc.ts

@@ -63,7 +63,7 @@ export async function oidcRoutes(app: FastifyInstance) {
 	// ---------------------------------------------------------------------------
 	// GET /auth/oidc/login - Initiates OIDC flow
 	// ---------------------------------------------------------------------------
-	app.get("/auth/oidc/login", async (_request, reply) => {
+	app.get("/auth/oidc/login", async (request, reply) => {
 		try {
 			const config = await getOIDCConfig();
 
@@ -105,7 +105,7 @@ export async function oidcRoutes(app: FastifyInstance) {
 
 			return reply.redirect(authUrl.href);
 		} catch (err: unknown) {
-			console.error("[OIDC] Login error:", err);
+			request.log.error({ err }, "[OIDC] Login initialization failed");
 			return reply.redirect(`${getFrontendUrl()}/?error=oidc_init_failed`);
 		}
 	});
@@ -120,7 +120,7 @@ export async function oidcRoutes(app: FastifyInstance) {
 
 			// Handle OIDC provider errors
 			if (error) {
-				console.error(`[OIDC] Provider error: ${error} - ${error_description}`);
+				app.log.warn({ error, errorDescription: error_description }, "[OIDC] Provider returned error");
 				return reply.redirect(`${getFrontendUrl()}/?error=oidc_${error}`);
 			}
 
@@ -131,14 +131,14 @@ export async function oidcRoutes(app: FastifyInstance) {
 			// Verify state
 			const storedState = request.unsignCookie(request.cookies.oidc_state || "");
 			if (!storedState.valid || storedState.value !== state) {
-				console.error("[OIDC] State mismatch");
+				request.log.warn("[OIDC] State mismatch during callback validation");
 				return reply.redirect(`${getFrontendUrl()}/?error=oidc_state_mismatch`);
 			}
 
 			// Get code verifier
 			const storedVerifier = request.unsignCookie(request.cookies.oidc_code_verifier || "");
 			if (!storedVerifier.valid || !storedVerifier.value) {
-				console.error("[OIDC] Missing code verifier");
+				request.log.warn("[OIDC] Missing/invalid code verifier cookie");
 				return reply.redirect(`${getFrontendUrl()}/?error=oidc_missing_verifier`);
 			}
 
@@ -159,7 +159,7 @@ export async function oidcRoutes(app: FastifyInstance) {
 				// Get user info
 				const sub = tokens.claims()?.sub;
 				if (!sub) {
-					console.error("[OIDC] Missing sub claim in token");
+					request.log.error("[OIDC] Missing sub claim in token response");
 					return reply.redirect(`${getFrontendUrl()}/?error=oidc_missing_sub`);
 				}
 				const userInfo = await client.fetchUserInfo(config, tokens.access_token, sub);
@@ -174,7 +174,10 @@ export async function oidcRoutes(app: FastifyInstance) {
 				const oidcSubject = userInfo.sub;
 
 				if (!username || !oidcSubject) {
-					console.error("[OIDC] Missing required user info:", { username, oidcSubject });
+					request.log.error(
+						{ hasUsername: Boolean(username), hasOidcSubject: Boolean(oidcSubject) },
+						"[OIDC] Missing required user info"
+					);
 					return reply.redirect(`${getFrontendUrl()}/?error=oidc_missing_user_info`);
 				}
 
@@ -214,7 +217,7 @@ export async function oidcRoutes(app: FastifyInstance) {
 				const frontendUrl = env.CORS_ORIGINS.split(",")[0] || "http://localhost:5173";
 				return reply.redirect(`${frontendUrl}/dashboard`);
 			} catch (err: unknown) {
-				console.error("[OIDC] Callback error:", err);
+				request.log.error({ err }, "[OIDC] Callback processing failed");
 				return reply.redirect(`${getFrontendUrl()}/?error=oidc_callback_failed`);
 			}
 		}
@@ -255,7 +258,7 @@ async function findOrCreateOIDCUser(
 
 	// Check if auto-create is enabled
 	if (!env.OIDC_AUTO_CREATE_USERS) {
-		console.error(`[OIDC] User creation disabled and user not found: ${username}`);
+		// No logger is available in this helper, route-level logs already capture callback failures.
 		return null;
 	}
 

backend/src/routes/planner.ts

@@ -371,10 +371,10 @@ ${getFooterPlain(language)}`;
 		// Load user settings
 		const userId = await getUserId(request);
 		const activeMeds = await db
-			.select({ name: medications.name })
+			.select({ name: medications.name, genericName: medications.genericName })
 			.from(medications)
 			.where(and(eq(medications.userId, userId), eq(medications.isObsolete, false)));
-		const activeMedNames = new Set(activeMeds.map((med) => med.name));
+		const activeMedNames = new Set(activeMeds.map((med) => med.name || med.genericName || ""));
 		const filteredLowStock = lowStock.filter((item) => activeMedNames.has(item.name));
 		if (filteredLowStock.length === 0) {
 			return reply.status(400).send({ error: "No active medications to notify" });
@@ -641,10 +641,10 @@ ${getFooterPlain(language)}`;
 
 		const userId = await getUserId(request);
 		const activeMeds = await db
-			.select({ name: medications.name })
+			.select({ name: medications.name, genericName: medications.genericName })
 			.from(medications)
 			.where(and(eq(medications.userId, userId), eq(medications.isObsolete, false)));
-		const activeMedNames = new Set(activeMeds.map((med) => med.name));
+		const activeMedNames = new Set(activeMeds.map((med) => med.name || med.genericName || ""));
 		const filteredPrescriptionLow = prescriptionLow.filter((item) => activeMedNames.has(item.name));
 		if (filteredPrescriptionLow.length === 0) {
 			return reply.status(400).send({ error: "No active medications to notify" });

backend/src/routes/refills.ts

@@ -77,7 +77,10 @@ export async function refillRoutes(app: FastifyInstance) {
 		const newPackCount = med.packCount + effectivePacksAdded;
 		const newLooseTablets = med.looseTablets + effectiveLoosePillsAdded;
 
-		const consumedRefills = usePrescription ? (isBottle ? 1 : effectivePacksAdded) : 0;
+		let consumedRefills = 0;
+		if (usePrescription) {
+			consumedRefills = isBottle ? 1 : effectivePacksAdded;
+		}
 		const newRemainingRefills = usePrescription
 			? Math.max(0, remainingPrescriptionRefills - consumedRefills)
 			: (med.prescriptionRemainingRefills ?? null);

backend/src/routes/settings.ts

@@ -85,6 +85,21 @@ type TestShoutrrrBody = {
 	url: string;
 };
 
+function getNotificationProvider(url: string): string {
+	if (url.startsWith("discord://")) return "discord";
+	if (url.startsWith("telegram://")) return "telegram";
+	if (url.startsWith("gotify://")) return "gotify";
+	if (url.startsWith("pushover://")) return "pushover";
+	if (url.startsWith("ntfy://")) return "ntfy";
+
+	try {
+		const parsed = new URL(url);
+		return parsed.hostname || "https";
+	} catch {
+		return "unknown";
+	}
+}
+
 // Helper to parse boolean env vars
 function envBool(key: string, defaultVal: boolean): boolean {
 	const val = process.env[key];
@@ -467,6 +482,7 @@ export async function settingsRoutes(app: FastifyInstance) {
 		}
 
 		try {
+			const provider = getNotificationProvider(url);
 			const result = await sendShoutrrrNotification(
 				url,
 				"MedAssist-ng Test",
@@ -474,11 +490,17 @@ export async function settingsRoutes(app: FastifyInstance) {
 			);
 
 			if (result.success) {
+				request.log.info({ provider }, "[Settings] Test push notification sent");
 				return reply.send({ success: true, message: "Test notification sent successfully" });
 			} else {
+				request.log.warn({ provider, error: result.error ?? "unknown" }, "[Settings] Test push notification failed");
 				return reply.status(500).send({ error: result.error });
 			}
 		} catch (error) {
+			request.log.error(
+				{ provider: getNotificationProvider(url), error },
+				"[Settings] Unexpected error while sending test push notification"
+			);
 			const errorMessage = error instanceof Error ? error.message : "Unknown error";
 			return reply.status(500).send({ error: `Failed to send notification: ${errorMessage}` });
 		}
@@ -491,6 +513,28 @@ function sanitizeNotificationUrl(
 	urlStr: string
 ): { url: string; isNtfy: boolean; auth?: { user: string; pass: string } } | { error: string } {
 	try {
+		// Support Shoutrrr Discord format: discord://TOKEN@WEBHOOK_ID
+		if (urlStr.startsWith("discord://")) {
+			const parsedDiscord = new URL(urlStr);
+			const webhookId = parsedDiscord.hostname;
+			const webhookToken = parsedDiscord.username;
+
+			if (!webhookId || !webhookToken) {
+				return { error: "Invalid Discord URL format" };
+			}
+
+			if (!/^\d+$/.test(webhookId)) {
+				return { error: "Invalid Discord webhook ID" };
+			}
+
+			if (!/^[A-Za-z0-9._-]+$/.test(webhookToken)) {
+				return { error: "Invalid Discord webhook token" };
+			}
+
+			const discordWebhookUrl = `https://discord.com/api/webhooks/${webhookId}/${webhookToken}`;
+			return { url: discordWebhookUrl, isNtfy: false };
+		}
+
 		// Convert ntfy:// to https:// for parsing, track if it was ntfy
 		const isNtfy = urlStr.startsWith("ntfy://");
 		const normalizedUrl = isNtfy ? urlStr.replace("ntfy://", "https://") : urlStr;
@@ -502,38 +546,9 @@ function sanitizeNotificationUrl(
 			return { error: "Only HTTP/HTTPS protocols are allowed" };
 		}
 
-		// Block private/internal IP addresses
-		const hostname = parsed.hostname.toLowerCase();
-
-		// Block localhost
-		if (hostname === "localhost" || hostname === "127.0.0.1" || hostname === "::1") {
-			return { error: "Localhost URLs are not allowed" };
-		}
-
-		// Block private IP ranges (basic check)
-		const ipMatch = hostname.match(/^(\d+)\.(\d+)\.(\d+)\.(\d+)$/);
-		if (ipMatch) {
-			const [, a, b] = ipMatch.map(Number);
-			// 10.x.x.x, 172.16-31.x.x, 192.168.x.x, 169.254.x.x (link-local)
-			if (
-				a === 10 ||
-				a === 127 ||
-				(a === 172 && b >= 16 && b <= 31) ||
-				(a === 192 && b === 168) ||
-				(a === 169 && b === 254)
-			) {
-				return { error: "Private IP addresses are not allowed" };
-			}
-		}
-
-		// Block common internal hostnames
-		if (
-			hostname.endsWith(".local") ||
-			hostname.endsWith(".internal") ||
-			hostname.endsWith(".lan") ||
-			hostname === "metadata.google.internal"
-		) {
-			return { error: "Internal hostnames are not allowed" };
+		const hostValidationError = validateNotificationHostname(parsed.hostname);
+		if (hostValidationError) {
+			return { error: hostValidationError };
 		}
 
 		// Reconstruct URL from validated components - this breaks taint tracking
@@ -550,6 +565,39 @@ function sanitizeNotificationUrl(
 	}
 }
 
+function validateNotificationHostname(hostnameRaw: string): string | null {
+	const hostname = hostnameRaw.toLowerCase();
+
+	if (hostname === "localhost" || hostname === "127.0.0.1" || hostname === "::1") {
+		return "Localhost URLs are not allowed";
+	}
+
+	const ipMatch = hostname.match(/^(\d+)\.(\d+)\.(\d+)\.(\d+)$/);
+	if (ipMatch) {
+		const [, a, b] = ipMatch.map(Number);
+		if (
+			a === 10 ||
+			a === 127 ||
+			(a === 172 && b >= 16 && b <= 31) ||
+			(a === 192 && b === 168) ||
+			(a === 169 && b === 254)
+		) {
+			return "Private IP addresses are not allowed";
+		}
+	}
+
+	if (
+		hostname.endsWith(".local") ||
+		hostname.endsWith(".internal") ||
+		hostname.endsWith(".lan") ||
+		hostname === "metadata.google.internal"
+	) {
+		return "Internal hostnames are not allowed";
+	}
+
+	return null;
+}
+
 // Send notification via Shoutrrr-compatible URL (supports ntfy, Discord, Telegram, etc.)
 export async function sendShoutrrrNotification(
 	urlStr: string,
@@ -557,6 +605,149 @@ export async function sendShoutrrrNotification(
 	message: string
 ): Promise<{ success: boolean; error?: string }> {
 	try {
+		if (urlStr.startsWith("pushover://")) {
+			const pushoverAuthority = urlStr.slice("pushover://".length).split("/")[0] ?? "";
+			const atIndex = pushoverAuthority.lastIndexOf("@");
+			const credentialPart = atIndex >= 0 ? pushoverAuthority.slice(0, atIndex) : "";
+			const userKey = atIndex >= 0 ? pushoverAuthority.slice(atIndex + 1) : "";
+
+			const tokenSeparatorIndex = credentialPart.indexOf(":");
+			const apiToken = tokenSeparatorIndex >= 0 ? credentialPart.slice(tokenSeparatorIndex + 1) : "";
+
+			const parsedPushover = new URL(urlStr);
+
+			if (!apiToken || !userKey) {
+				return { success: false, error: "Invalid Pushover URL format" };
+			}
+
+			const pushoverBody = new URLSearchParams({
+				token: apiToken,
+				user: userKey,
+				title,
+				message,
+			});
+
+			const devices = parsedPushover.searchParams.get("devices");
+			if (devices) {
+				pushoverBody.set("device", devices);
+			}
+
+			const priority = parsedPushover.searchParams.get("priority");
+			if (priority && /^-?\d+$/.test(priority)) {
+				pushoverBody.set("priority", priority);
+			}
+
+			const response = await fetch("https://api.pushover.net/1/messages.json", {
+				method: "POST",
+				headers: { "Content-Type": "application/x-www-form-urlencoded" },
+				body: pushoverBody.toString(),
+				redirect: "error",
+			});
+
+			if (response.ok) return { success: true };
+			const errorText = await response.text();
+			return { success: false, error: `HTTP ${response.status}: ${errorText}` };
+		}
+
+		if (urlStr.startsWith("telegram://")) {
+			const parsedTelegram = new URL(urlStr);
+			const token = parsedTelegram.username;
+			if (!token || parsedTelegram.hostname !== "telegram") {
+				return { success: false, error: "Invalid Telegram URL format" };
+			}
+
+			const chatsRaw = parsedTelegram.searchParams.get("chats") ?? parsedTelegram.searchParams.get("channels") ?? "";
+			const chats = chatsRaw
+				.split(",")
+				.map((chat) => chat.trim())
+				.filter(Boolean);
+
+			if (chats.length === 0) {
+				return { success: false, error: "Telegram URL requires chats parameter" };
+			}
+
+			const parseModeRaw = parsedTelegram.searchParams.get("parseMode")?.toLowerCase();
+			let parseMode: "HTML" | "Markdown" | "MarkdownV2" | undefined;
+			if (parseModeRaw === "html") {
+				parseMode = "HTML";
+			} else if (parseModeRaw === "markdown") {
+				parseMode = "Markdown";
+			} else if (parseModeRaw === "markdownv2") {
+				parseMode = "MarkdownV2";
+			}
+
+			const notificationRaw = parsedTelegram.searchParams.get("notification")?.toLowerCase();
+			const disableNotification = notificationRaw === "no" || notificationRaw === "false";
+
+			const previewRaw = parsedTelegram.searchParams.get("preview")?.toLowerCase();
+			const disablePreview = previewRaw === "no" || previewRaw === "false";
+
+			if (!/^\d+:[A-Za-z0-9_-]+$/.test(token)) {
+				return { success: false, error: "Invalid Telegram token format" };
+			}
+
+			const telegramSendMessageUrl = new URL("/bot/sendMessage", "https://api.telegram.org");
+			telegramSendMessageUrl.pathname = `/bot${token}/sendMessage`;
+
+			for (const chatId of chats) {
+				const payload: Record<string, string | boolean> = {
+					chat_id: chatId,
+					text: `${title}\n\n${message}`,
+					disable_notification: disableNotification,
+					disable_web_page_preview: disablePreview,
+				};
+				if (parseMode) {
+					payload.parse_mode = parseMode;
+				}
+
+				// codeql[js/request-forgery]: host is fixed to api.telegram.org and token is pattern-validated.
+				const response = await fetch(telegramSendMessageUrl.toString(), {
+					method: "POST",
+					headers: { "Content-Type": "application/json" },
+					body: JSON.stringify(payload),
+					redirect: "error",
+				});
+
+				if (!response.ok) {
+					const errorText = await response.text();
+					return { success: false, error: `HTTP ${response.status}: ${errorText}` };
+				}
+			}
+
+			return { success: true };
+		}
+
+		if (urlStr.startsWith("gotify://")) {
+			const parsedGotify = new URL(urlStr);
+			const hostValidationError = validateNotificationHostname(parsedGotify.hostname);
+			if (hostValidationError) {
+				return { success: false, error: hostValidationError };
+			}
+
+			const pathParts = parsedGotify.pathname
+				.split("/")
+				.map((part) => part.trim())
+				.filter(Boolean);
+
+			if (pathParts.length === 0) {
+				return { success: false, error: "Invalid Gotify URL format" };
+			}
+
+			const token = pathParts[pathParts.length - 1];
+			const basePath = pathParts.slice(0, -1).join("/");
+
+			const disableTlsRaw = parsedGotify.searchParams.get("disabletls")?.toLowerCase();
+			const protocol = disableTlsRaw === "yes" || disableTlsRaw === "true" || disableTlsRaw === "1" ? "http" : "https";
+
+			const gotifyWebhookUrl = `${protocol}://${parsedGotify.host}${basePath ? `/${basePath}` : ""}/message?token=${encodeURIComponent(token)}`;
+
+			const gotifyPriority = parsedGotify.searchParams.get("priority");
+			const gotifyMessage = gotifyPriority ? `${message}\n\n(priority=${gotifyPriority})` : message;
+
+			// Reuse validated https webhook path to keep a single outbound request sink.
+			return sendShoutrrrNotification(gotifyWebhookUrl, title, gotifyMessage);
+		}
+
 		// Validate and sanitize URL to prevent SSRF - this reconstructs the URL
 		// from validated components, breaking taint tracking
 		const validation = sanitizeNotificationUrl(urlStr);
@@ -584,14 +775,17 @@ export async function sendShoutrrrNotification(
 		// Use JSON format only for known webhook services that require it
 		// Use proper URL parsing to prevent bypass attacks (e.g., evil.com?hooks.slack.com)
 		let isJsonWebhook = false;
+		let isDiscordWebhook = false;
 		try {
 			const parsedUrl = new URL(sanitizedUrl);
 			const hostname = parsedUrl.hostname.toLowerCase();
 			const pathname = parsedUrl.pathname.toLowerCase();
+			isDiscordWebhook =
+				(hostname === "discord.com" || hostname === "discordapp.com") && pathname.startsWith("/api/webhooks");
 
 			isJsonWebhook =
 				// Discord webhooks
-				((hostname === "discord.com" || hostname === "discordapp.com") && pathname.startsWith("/api/webhooks")) ||
+				isDiscordWebhook ||
 				// Slack webhooks
 				hostname === "hooks.slack.com" ||
 				hostname.endsWith(".hooks.slack.com") ||
@@ -621,9 +815,16 @@ export async function sendShoutrrrNotification(
 		} else if (sanitizedUrl.startsWith("http://") || sanitizedUrl.startsWith("https://")) {
 			targetUrl = sanitizedUrl;
 			headers = { "Content-Type": "application/json" };
-			body = JSON.stringify({ title, message, text: `${title}\n\n${message}` });
+			if (isDiscordWebhook) {
+				body = JSON.stringify({ content: `${title}\n\n${message}` });
+			} else {
+				body = JSON.stringify({ title, message, text: `${title}\n\n${message}` });
+			}
 		} else {
-			return { success: false, error: "Unsupported URL format. Use ntfy:// or https:// URL" };
+			return {
+				success: false,
+				error: "Unsupported URL format. Use ntfy://, discord://, pushover://, gotify://, telegram://, or https:// URL",
+			};
 		}
 
 		// SSRF protection: targetUrl is reconstructed from sanitizeNotificationUrl() which validates:

backend/src/routes/share.ts

@@ -1,5 +1,5 @@
 import { randomBytes } from "node:crypto";
-import { eq } from "drizzle-orm";
+import { and, eq } from "drizzle-orm";
 import type { FastifyInstance, FastifyReply, FastifyRequest } from "fastify";
 import { z } from "zod";
 import { db } from "../db/client.js";
@@ -14,9 +14,6 @@ import {
 	personTakesMedication,
 } from "../utils/scheduler-utils.js";
 
-// Share token validity: 1 year in milliseconds
-const SHARE_TOKEN_VALIDITY_MS = 365 * 24 * 60 * 60 * 1000;
-
 // =============================================================================
 // Validation Schemas
 // =============================================================================
@@ -25,6 +22,11 @@ const createShareSchema = z.object({
 	scheduleDays: z.number().int().min(1).max(365).default(30),
 });
 
+function maskToken(token: string): string {
+	if (token.length <= 8) return token;
+	return `${token.slice(0, 4)}...${token.slice(-4)}`;
+}
+
 // Helper to get user ID from request
 // Returns anonymous user ID when auth is disabled
 async function getUserId(request: FastifyRequest, reply: FastifyReply): Promise<number> {
@@ -54,6 +56,7 @@ export async function shareRoutes(app: FastifyInstance) {
 		// Find share token
 		const [share] = await db.select().from(shareTokens).where(eq(shareTokens.token, token));
 		if (!share) {
+			request.log.warn(`[Share] Invalid share token requested: ${maskToken(token)}`);
 			return reply.status(404).send({
 				error: "Share link not found",
 				code: "NOT_FOUND",
@@ -62,6 +65,9 @@ export async function shareRoutes(app: FastifyInstance) {
 
 		// Check if token has expired
 		if (share.expiresAt && share.expiresAt.getTime() < Date.now()) {
+			request.log.warn(
+				`[Share] Expired token requested: ${maskToken(token)} (owner=${share.userId}, takenBy=${share.takenBy})`
+			);
 			// Get the username of the owner to show in the expired message
 			const [owner] = await db.select({ username: users.username }).from(users).where(eq(users.id, share.userId));
 			return reply.status(410).send({
@@ -197,25 +203,47 @@ export async function shareRoutes(app: FastifyInstance) {
 				});
 			}
 
-			// Generate unique token (8 bytes = 16 hex chars)
+			// Keep exactly one active share link per person/user.
+			// If a link already exists, return the same token and only update settings.
+			const [existingShare] = await db
+				.select()
+				.from(shareTokens)
+				.where(and(eq(shareTokens.userId, userId), eq(shareTokens.takenBy, takenBy)));
+
+			if (existingShare) {
+				await db.update(shareTokens).set({ scheduleDays, expiresAt: null }).where(eq(shareTokens.id, existingShare.id));
+
+				request.log.info(
+					`[Share] Reused existing share token (owner=${userId}, takenBy=${takenBy}, scheduleDays=${scheduleDays})`
+				);
+
+				return {
+					reused: true,
+					token: existingShare.token,
+					shareUrl: `/share/${existingShare.token}`,
+					expiresAt: null,
+				};
+			}
+
 			const token = randomBytes(8).toString("hex");
 
-			// Set expiration date (1 year from now)
-			const expiresAt = new Date(Date.now() + SHARE_TOKEN_VALIDITY_MS);
-
-			// Create share token
 			await db.insert(shareTokens).values({
-				userId: userId,
+				userId,
 				token,
 				takenBy,
 				scheduleDays,
-				expiresAt,
+				expiresAt: null,
 			});
 
+			request.log.info(
+				`[Share] Created new share token (owner=${userId}, takenBy=${takenBy}, scheduleDays=${scheduleDays})`
+			);
+
 			return {
+				reused: false,
 				token,
 				shareUrl: `/share/${token}`,
-				expiresAt: expiresAt.toISOString(),
+				expiresAt: null,
 			};
 		}
 	);

backend/src/services/intake-reminder-scheduler.ts

@@ -106,8 +106,9 @@ async function autoMarkDueIntakesAsTaken(
 		}
 
 		const medicationTakenBy = parseTakenByJson(med.takenByJson);
+		const medDisplayName = med.name || med.genericName || "";
 		const todaysIntakes = getTodaysIntakes(
-			med.name,
+			medDisplayName,
 			intakes,
 			medicationTakenBy,
 			med.pillWeightMg,
@@ -415,9 +416,10 @@ async function checkAndSendIntakeRemindersForUser(
 		);
 		// Medication-level takenBy (for fallback/display purposes)
 		const medicationTakenBy = parseTakenByJson(med.takenByJson);
+		const medDisplayName = med.name || med.genericName || "";
 
 		logger.debug(
-			`[IntakeReminder] User ${settings.userId}: Processing medication "${med.name}" with ${intakes.length} intakes`
+			`[IntakeReminder] User ${settings.userId}: Processing medication "${medDisplayName}" with ${intakes.length} intakes`
 		);
 
 		// Filter intakes that have reminders enabled (per-intake setting or medication-level)
@@ -438,7 +440,7 @@ async function checkAndSendIntakeRemindersForUser(
 
 			// Always get upcoming intakes (15 min before) for first reminders
 			const upcomingIntakes = getUpcomingIntakes(
-				med.name,
+				medDisplayName,
 				[intake],
 				REMINDER_MINUTES_BEFORE,
 				medicationTakenBy,
@@ -465,7 +467,7 @@ async function checkAndSendIntakeRemindersForUser(
 			// If repeat reminders enabled, also check for missed intakes (past the intake time)
 			if (settings.repeatRemindersEnabled) {
 				const allTodaysIntakes = getTodaysIntakes(
-					med.name,
+					medDisplayName,
 					[intake],
 					medicationTakenBy,
 					med.pillWeightMg,

backend/src/services/reminder-scheduler.ts

@@ -1,4 +1,4 @@
-import { existsSync, readFileSync, writeFileSync } from "node:fs";
+import { closeSync, existsSync, mkdirSync, openSync, readFileSync, statSync, unlinkSync, writeFileSync } from "node:fs";
 import { resolve } from "node:path";
 import { and, eq } from "drizzle-orm";
 import nodemailer from "nodemailer";
@@ -40,6 +40,56 @@ function escapeHtml(text: string): string {
 const REMINDER_HOUR = parseInt(process.env.REMINDER_HOUR ?? "6", 10); // Default 6:00 AM local time
 
 const reminderStateFile = resolve(getDataDir(), "reminder-state.json");
+const reminderLocksDir = resolve(getDataDir(), "scheduler-locks");
+const LOCK_STALE_MS = 15 * 60 * 1000;
+
+function ensureReminderLocksDir(): void {
+	if (!existsSync(reminderLocksDir)) {
+		mkdirSync(reminderLocksDir, { recursive: true });
+	}
+}
+
+function acquireReminderSendLock(lockKey: string): string | null {
+	ensureReminderLocksDir();
+	const lockFilePath = resolve(reminderLocksDir, `${lockKey}.lock`);
+
+	const tryCreateLock = (): boolean => {
+		try {
+			const fd = openSync(lockFilePath, "wx");
+			closeSync(fd);
+			return true;
+		} catch {
+			return false;
+		}
+	};
+
+	if (tryCreateLock()) {
+		return lockFilePath;
+	}
+
+	try {
+		const stats = statSync(lockFilePath);
+		if (Date.now() - stats.mtimeMs > LOCK_STALE_MS) {
+			unlinkSync(lockFilePath);
+			if (tryCreateLock()) {
+				return lockFilePath;
+			}
+		}
+	} catch {
+		// ignore; lock acquisition fails safely
+	}
+
+	return null;
+}
+
+function releaseReminderSendLock(lockFilePath: string | null): void {
+	if (!lockFilePath) return;
+	try {
+		unlinkSync(lockFilePath);
+	} catch {
+		// ignore release errors
+	}
+}
 
 function loadReminderState(): ReminderState {
 	try {
@@ -167,11 +217,12 @@ async function getMedicationsNeedingReminder(
 		}
 		takenDoseIdsByMed.get(medId)!.add(dose.doseId);
 		const rawTakenAt = Number(dose.takenAt);
-		const takenAtMs = Number.isFinite(rawTakenAt)
-			? rawTakenAt < 1_000_000_000_000
-				? rawTakenAt * 1000
-				: rawTakenAt
-			: new Date(dose.takenAt).getTime();
+		let takenAtMs: number;
+		if (Number.isFinite(rawTakenAt)) {
+			takenAtMs = rawTakenAt < 1_000_000_000_000 ? rawTakenAt * 1000 : rawTakenAt;
+		} else {
+			takenAtMs = new Date(dose.takenAt).getTime();
+		}
 		takenDoseTimestamps.set(dose.doseId, takenAtMs);
 	}
 
@@ -216,7 +267,14 @@ async function getMedicationsNeedingReminder(
 				const intake = intakes[blisterIdx];
 				const intakePerson = intake?.takenBy;
 				const fallbackPeople = parseTakenByJson(row.takenByJson);
-				const peopleForThisIntake = intakePerson ? [intakePerson] : fallbackPeople.length > 0 ? fallbackPeople : [null];
+				let peopleForThisIntake: Array<string | null>;
+				if (intakePerson) {
+					peopleForThisIntake = [intakePerson];
+				} else if (fallbackPeople.length > 0) {
+					peopleForThisIntake = fallbackPeople;
+				} else {
+					peopleForThisIntake = [null];
+				}
 
 				let timeBasedConsumed = 0;
 				let lastAutoConsumedDateMs = 0;
@@ -509,6 +567,15 @@ ${getFooterPlain(language)}${isRepeatDaily ? `\n\n${tr.stockReminder.repeatDaily
 }
 
 async function checkAndSendReminder(logger: ServiceLogger): Promise<void> {
+	// Track stock-scheduler daily execution separately from intake updates.
+	// This prevents intake reminders from suppressing stock catch-up after restarts.
+	const state = loadReminderState();
+	const today = getTodayInTimezone();
+	saveReminderState({
+		...state,
+		lastStockSchedulerCheckDate: today,
+	});
+
 	// Get all user settings to iterate over each user
 	const allUserSettings = await getAllUserSettings();
 
@@ -557,166 +624,213 @@ async function checkAndSendReminderForUser(
 
 	if (allLowStock.length > 0 && (stockEmailEnabled || stockPushEnabled)) {
 		if (!state.notifiedMedications.includes(userStockNotifiedKey) || settings.repeatDailyReminders) {
-			logger.info(
-				`[Reminder] User ${settings.userId}: Sending stock reminder for ${allLowStock.length} medications...`
-			);
-
-			let emailSuccess = false;
-			let shoutrrrSuccess = false;
-
-			if (stockEmailEnabled) {
-				const result = await sendReminderEmail(
-					settings.notificationEmail!,
-					allLowStock,
-					language,
-					settings.repeatDailyReminders
-				);
-				emailSuccess = result.success;
-				if (!result.success) {
-					logger.error(`[Reminder] User ${settings.userId}: Failed to send stock email: ${result.error}`);
-				}
-			}
-
-			if (stockPushEnabled) {
-				const emptyMeds = allLowStock.filter((m) => m.medsLeft <= 0);
-				const criticalMeds = allLowStock.filter((m) => m.medsLeft > 0 && m.isCritical);
-				const lowStockMeds = allLowStock.filter((m) => m.medsLeft > 0 && !m.isCritical);
-
-				const titleParts: string[] = [];
-				if (emptyMeds.length > 0) titleParts.push(`🚨 ${emptyMeds.length} ${tr.push.empty}`);
-				if (criticalMeds.length > 0) titleParts.push(`🚨 ${criticalMeds.length} ${tr.push.critical}`);
-				if (lowStockMeds.length > 0) titleParts.push(`⚠️ ${lowStockMeds.length} ${tr.push.lowStock}`);
-				const title = `MedAssist-ng: ${titleParts.join(", ")} - ${tr.push.reorderNow}`;
-
-				const messageParts: string[] = [];
-				if (emptyMeds.length > 0) {
-					messageParts.push(`🚨 ${tr.push.emptySection}:`);
-					emptyMeds.forEach((m) => messageParts.push(`  • ${m.name}`));
-				}
-				if (criticalMeds.length > 0) {
-					if (messageParts.length > 0) messageParts.push("");
-					messageParts.push(`🚨 ${tr.push.criticalSection}:`);
-					criticalMeds.forEach((m) =>
-						messageParts.push(
-							`  • ${m.name}: ${t(tr.push.pillsLeft, { count: m.medsLeft })}, ${t(tr.push.daysLeft, { count: m.daysLeft ?? 0 })}`
-						)
+			const stockSendLock = acquireReminderSendLock(userStockNotifiedKey);
+			if (!stockSendLock) {
+				logger.debug(`[Reminder] User ${settings.userId}: stock reminder lock already held, skipping duplicate send`);
+			} else {
+				try {
+					logger.info(
+						`[Reminder] User ${settings.userId}: Sending stock reminder for ${allLowStock.length} medications...`
 					);
-				}
-				if (lowStockMeds.length > 0) {
-					if (messageParts.length > 0) messageParts.push("");
-					messageParts.push(`⚠️ ${tr.push.lowStockSection}:`);
-					lowStockMeds.forEach((m) =>
-						messageParts.push(
-							`  • ${m.name}: ${t(tr.push.pillsLeft, { count: m.medsLeft })}, ${t(tr.push.daysLeft, { count: m.daysLeft ?? 0 })}`
-						)
-					);
-				}
-				const message = `${messageParts.join("\n")}\n\n---\n${getFooterPlain(language)}`;
-				const result = await sendShoutrrrNotification(settings.shoutrrrUrl!, title, message);
-				shoutrrrSuccess = result.success;
-				if (!result.success) {
-					logger.error(`[Reminder] User ${settings.userId}: Failed to send stock push: ${result.error}`);
-				}
-			}
 
-			if (emailSuccess || shoutrrrSuccess) {
-				const currentState = loadReminderState();
-				const singleChannel = emailSuccess ? "email" : "push";
-				const channel = emailSuccess && shoutrrrSuccess ? "both" : singleChannel;
-				saveReminderState({
-					lastAutoEmailSent: new Date().toISOString(),
-					lastAutoEmailDate: today,
-					notifiedMedications: [...new Set([...currentState.notifiedMedications, userStockNotifiedKey])],
-					nextScheduledCheck: currentState.nextScheduledCheck,
-					lastNotificationType: "stock",
-					lastNotificationChannel: channel,
-				});
+					let emailSuccess = false;
+					let shoutrrrSuccess = false;
 
-				const medNames = allLowStock.map((m) => m.name).join(", ");
-				await updateUserReminderSentTime(settings.userId, "stock", channel, medNames);
+					if (stockEmailEnabled) {
+						const result = await sendReminderEmail(
+							settings.notificationEmail!,
+							allLowStock,
+							language,
+							settings.repeatDailyReminders
+						);
+						emailSuccess = result.success;
+						if (!result.success) {
+							logger.error(`[Reminder] User ${settings.userId}: Failed to send stock email: ${result.error}`);
+						}
+					}
+
+					if (stockPushEnabled) {
+						const emptyMeds = allLowStock.filter((m) => m.medsLeft <= 0);
+						const criticalMeds = allLowStock.filter((m) => m.medsLeft > 0 && m.isCritical);
+						const lowStockMeds = allLowStock.filter((m) => m.medsLeft > 0 && !m.isCritical);
+
+						const titleParts: string[] = [];
+						if (emptyMeds.length > 0) titleParts.push(`🚨 ${emptyMeds.length} ${tr.push.empty}`);
+						if (criticalMeds.length > 0) titleParts.push(`🚨 ${criticalMeds.length} ${tr.push.critical}`);
+						if (lowStockMeds.length > 0) titleParts.push(`⚠️ ${lowStockMeds.length} ${tr.push.lowStock}`);
+						const title = `MedAssist-ng: ${titleParts.join(", ")} - ${tr.push.reorderNow}`;
+
+						const messageParts: string[] = [];
+						if (emptyMeds.length > 0) {
+							messageParts.push(`🚨 ${tr.push.emptySection}:`);
+							emptyMeds.forEach((m) => messageParts.push(`  • ${m.name}`));
+						}
+						if (criticalMeds.length > 0) {
+							if (messageParts.length > 0) messageParts.push("");
+							messageParts.push(`🚨 ${tr.push.criticalSection}:`);
+							criticalMeds.forEach((m) =>
+								messageParts.push(
+									`  • ${m.name}: ${t(tr.push.pillsLeft, { count: m.medsLeft })}, ${t(tr.push.daysLeft, { count: m.daysLeft ?? 0 })}`
+								)
+							);
+						}
+						if (lowStockMeds.length > 0) {
+							if (messageParts.length > 0) messageParts.push("");
+							messageParts.push(`⚠️ ${tr.push.lowStockSection}:`);
+							lowStockMeds.forEach((m) =>
+								messageParts.push(
+									`  • ${m.name}: ${t(tr.push.pillsLeft, { count: m.medsLeft })}, ${t(tr.push.daysLeft, { count: m.daysLeft ?? 0 })}`
+								)
+							);
+						}
+						const message = `${messageParts.join("\n")}\n\n---\n${getFooterPlain(language)}`;
+						const result = await sendShoutrrrNotification(settings.shoutrrrUrl!, title, message);
+						shoutrrrSuccess = result.success;
+						if (!result.success) {
+							logger.error(`[Reminder] User ${settings.userId}: Failed to send stock push: ${result.error}`);
+						}
+					}
+
+					if (emailSuccess || shoutrrrSuccess) {
+						const currentState = loadReminderState();
+						const singleChannel = emailSuccess ? "email" : "push";
+						const channel = emailSuccess && shoutrrrSuccess ? "both" : singleChannel;
+						saveReminderState({
+							lastAutoEmailSent: new Date().toISOString(),
+							lastAutoEmailDate: today,
+							lastStockSchedulerCheckDate: currentState.lastStockSchedulerCheckDate,
+							notifiedMedications: [...new Set([...currentState.notifiedMedications, userStockNotifiedKey])],
+							nextScheduledCheck: currentState.nextScheduledCheck,
+							lastNotificationType: "stock",
+							lastNotificationChannel: channel,
+						});
+
+						const medNames = allLowStock.map((m) => m.name).join(", ");
+						await updateUserReminderSentTime(settings.userId, "stock", channel, medNames);
+					}
+				} finally {
+					releaseReminderSendLock(stockSendLock);
+				}
 			}
 		}
 	}
 
 	if (allPrescriptionLow.length > 0 && (prescriptionEmailEnabled || prescriptionPushEnabled)) {
 		if (!state.notifiedMedications.includes(userPrescriptionNotifiedKey) || settings.repeatDailyReminders) {
-			logger.info(
-				`[Reminder] User ${settings.userId}: Sending prescription reminder for ${allPrescriptionLow.length} medications...`
-			);
+			const prescriptionSendLock = acquireReminderSendLock(userPrescriptionNotifiedKey);
+			if (!prescriptionSendLock) {
+				logger.debug(
+					`[Reminder] User ${settings.userId}: prescription reminder lock already held, skipping duplicate send`
+				);
+			} else {
+				try {
+					// Re-check using fresh state after acquiring lock and pre-mark today as notified.
+					// This blocks duplicate sends when two reminder checks overlap in time.
+					const lockedState = loadReminderState();
+					const alreadyNotified = lockedState.notifiedMedications.includes(userPrescriptionNotifiedKey);
+					const shouldSend = !alreadyNotified || settings.repeatDailyReminders;
+					if (!shouldSend) {
+						logger.debug(
+							`[Reminder] User ${settings.userId}: prescription reminder already marked as sent today, skipping`
+						);
+					}
 
-			const emptyRx = allPrescriptionLow.filter((m) => m.remainingRefills <= 0);
-			const lowRx = allPrescriptionLow.filter((m) => m.remainingRefills > 0);
-			const lines = allPrescriptionLow.map((m) => {
-				const expirySuffix = m.expiryDate ? t(tr.prescriptionReminder.expiresSuffix, { date: m.expiryDate }) : "";
-				if (m.remainingRefills <= 0) {
-					return `- ${t(tr.prescriptionReminder.lineEmpty, {
-						name: m.name,
-						expirySuffix,
-					})}`;
-				}
-				return `- ${t(tr.prescriptionReminder.line, {
-					name: m.name,
-					refills: m.remainingRefills,
-					expirySuffix,
-				})}`;
-			});
+					const preMarkedNotified =
+						!shouldSend || alreadyNotified
+							? lockedState.notifiedMedications
+							: [...new Set([...lockedState.notifiedMedications, userPrescriptionNotifiedKey])];
+					if (shouldSend && !alreadyNotified) {
+						saveReminderState({
+							lastAutoEmailSent: lockedState.lastAutoEmailSent,
+							lastAutoEmailDate: lockedState.lastAutoEmailDate,
+							lastStockSchedulerCheckDate: lockedState.lastStockSchedulerCheckDate,
+							notifiedMedications: preMarkedNotified,
+							nextScheduledCheck: lockedState.nextScheduledCheck,
+							lastNotificationType: lockedState.lastNotificationType,
+							lastNotificationChannel: lockedState.lastNotificationChannel,
+						});
+					}
 
-			let emailSuccess = false;
-			let shoutrrrSuccess = false;
+					if (shouldSend) {
+						logger.info(
+							`[Reminder] User ${settings.userId}: Sending prescription reminder for ${allPrescriptionLow.length} medications...`
+						);
 
-			if (prescriptionEmailEnabled) {
-				const smtpHost = process.env.SMTP_HOST;
-				const smtpUser = process.env.SMTP_USER;
-				const smtpPass = process.env.SMTP_TOKEN || process.env.SMTP_PASS;
-				const smtpPort = parseInt(process.env.SMTP_PORT ?? "587", 10);
-				const smtpSecure = process.env.SMTP_SECURE === "true";
-				const smtpFrom = process.env.SMTP_FROM ?? smtpUser;
-
-				if (smtpHost && smtpUser) {
-					try {
-						const transporter = nodemailer.createTransport({
-							host: smtpHost,
-							port: smtpPort,
-							secure: smtpSecure,
-							auth: { user: smtpUser, pass: smtpPass ?? "" },
+						const emptyRx = allPrescriptionLow.filter((m) => m.remainingRefills <= 0);
+						const lowRx = allPrescriptionLow.filter((m) => m.remainingRefills > 0);
+						const lines = allPrescriptionLow.map((m) => {
+							const expirySuffix = m.expiryDate ? t(tr.prescriptionReminder.expiresSuffix, { date: m.expiryDate }) : "";
+							if (m.remainingRefills <= 0) {
+								return `- ${t(tr.prescriptionReminder.lineEmpty, {
+									name: m.name,
+									expirySuffix,
+								})}`;
+							}
+							return `- ${t(tr.prescriptionReminder.line, {
+								name: m.name,
+								refills: m.remainingRefills,
+								expirySuffix,
+							})}`;
 						});
 
-						const subject =
-							allPrescriptionLow.length === 1
-								? tr.prescriptionReminder.subjectSingle
-								: t(tr.prescriptionReminder.subjectMultiple, { count: allPrescriptionLow.length });
+						let emailSuccess = false;
+						let shoutrrrSuccess = false;
 
-						const bodyText =
-							emptyRx.length > 0 ? tr.prescriptionReminder.descriptionEmpty : tr.prescriptionReminder.descriptionLow;
-						const emptyAlert =
-							emptyRx.length === 1
-								? tr.prescriptionReminder.alertEmptySingle
-								: t(tr.prescriptionReminder.alertEmptyMultiple, { count: emptyRx.length });
-						const lowAlert =
-							lowRx.length === 1
-								? tr.prescriptionReminder.alertLowSingle
-								: t(tr.prescriptionReminder.alertLowMultiple, { count: lowRx.length });
-						const alertText = emptyRx.length > 0 ? emptyAlert : lowAlert;
+						if (prescriptionEmailEnabled) {
+							const smtpHost = process.env.SMTP_HOST;
+							const smtpUser = process.env.SMTP_USER;
+							const smtpPass = process.env.SMTP_TOKEN || process.env.SMTP_PASS;
+							const smtpPort = parseInt(process.env.SMTP_PORT ?? "587", 10);
+							const smtpSecure = process.env.SMTP_SECURE === "true";
+							const smtpFrom = process.env.SMTP_FROM ?? smtpUser;
 
-						const tableRows = allPrescriptionLow
-							.map((item) => {
-								const isEmpty = item.remainingRefills <= 0;
-								const safeName = escapeHtml(item.name);
-								const safeRefills = Number(item.remainingRefills) || 0;
-								const safeThreshold = Number(item.lowThreshold) || 0;
-								const safeExpiry = item.expiryDate ? escapeHtml(String(item.expiryDate)) : "-";
-								const rowBg = isEmpty ? "#fef2f2" : "white";
-								return `
+							if (smtpHost && smtpUser) {
+								try {
+									const transporter = nodemailer.createTransport({
+										host: smtpHost,
+										port: smtpPort,
+										secure: smtpSecure,
+										auth: { user: smtpUser, pass: smtpPass ?? "" },
+									});
+
+									const subject =
+										allPrescriptionLow.length === 1
+											? tr.prescriptionReminder.subjectSingle
+											: t(tr.prescriptionReminder.subjectMultiple, { count: allPrescriptionLow.length });
+
+									const bodyText =
+										emptyRx.length > 0
+											? tr.prescriptionReminder.descriptionEmpty
+											: tr.prescriptionReminder.descriptionLow;
+									const emptyAlert =
+										emptyRx.length === 1
+											? tr.prescriptionReminder.alertEmptySingle
+											: t(tr.prescriptionReminder.alertEmptyMultiple, { count: emptyRx.length });
+									const lowAlert =
+										lowRx.length === 1
+											? tr.prescriptionReminder.alertLowSingle
+											: t(tr.prescriptionReminder.alertLowMultiple, { count: lowRx.length });
+									const alertText = emptyRx.length > 0 ? emptyAlert : lowAlert;
+
+									const tableRows = allPrescriptionLow
+										.map((item) => {
+											const isEmpty = item.remainingRefills <= 0;
+											const safeName = escapeHtml(item.name);
+											const safeRefills = Number(item.remainingRefills) || 0;
+											const safeThreshold = Number(item.lowThreshold) || 0;
+											const safeExpiry = item.expiryDate ? escapeHtml(String(item.expiryDate)) : "-";
+											const rowBg = isEmpty ? "#fef2f2" : "white";
+											return `
       <tr style="background: ${rowBg};">
         <td style="padding: 10px 12px; border-bottom: 1px solid #e5e7eb; white-space: nowrap;">${isEmpty ? "🚨" : "⚠️"} ${safeName}</td>
         <td style="padding: 10px 12px; border-bottom: 1px solid #e5e7eb; text-align: center; white-space: nowrap; ${isEmpty ? "color: #dc2626; font-weight: 600;" : ""}"><strong>${safeRefills}</strong></td>
         <td style="padding: 10px 12px; border-bottom: 1px solid #e5e7eb; text-align: center; white-space: nowrap;">${safeThreshold}</td>
         <td style="padding: 10px 12px; border-bottom: 1px solid #e5e7eb; text-align: center; white-space: nowrap;">${safeExpiry}</td>
       </tr>`;
-							})
-							.join("");
+										})
+										.join("");
 
-						const html = `
+									const html = `
     <div style="font-family: system-ui, -apple-system, sans-serif; max-width: 100%; margin: 0 auto; padding: 12px; background: #f9fafb;">
       <div style="background: white; border-radius: 12px; padding: 16px; box-shadow: 0 1px 3px rgba(0,0,0,0.1);">
         <h2 style="color: #1f2937; margin: 0 0 8px; font-size: 18px;">${emptyRx.length > 0 ? tr.prescriptionReminder.titleEmpty : tr.prescriptionReminder.title}</h2>
@@ -756,80 +870,103 @@ async function checkAndSendReminderForUser(
       </div>
     </div>
   `;
-						const text = `${emptyRx.length > 0 ? tr.prescriptionReminder.titleEmpty : tr.prescriptionReminder.title}\n\n${bodyText}\n\n${lines.join("\n")}\n\n---\n${getFooterPlain(language)}${settings.repeatDailyReminders ? `\n\n${tr.prescriptionReminder.repeatDailyNote}` : ""}`;
+									const text = `${emptyRx.length > 0 ? tr.prescriptionReminder.titleEmpty : tr.prescriptionReminder.title}\n\n${bodyText}\n\n${lines.join("\n")}\n\n---\n${getFooterPlain(language)}${settings.repeatDailyReminders ? `\n\n${tr.prescriptionReminder.repeatDailyNote}` : ""}`;
 
-						await transporter.sendMail({
-							from: smtpFrom,
-							to: settings.notificationEmail!,
-							subject,
-							text,
-							html,
-						});
-						emailSuccess = true;
-					} catch (error) {
-						const errorMessage = error instanceof Error ? error.message : "Unknown error";
-						logger.error(`[Reminder] User ${settings.userId}: Failed to send prescription email: ${errorMessage}`);
+									await transporter.sendMail({
+										from: smtpFrom,
+										to: settings.notificationEmail!,
+										subject,
+										text,
+										html,
+									});
+									emailSuccess = true;
+								} catch (error) {
+									const errorMessage = error instanceof Error ? error.message : "Unknown error";
+									logger.error(
+										`[Reminder] User ${settings.userId}: Failed to send prescription email: ${errorMessage}`
+									);
+								}
+							}
+						}
+
+						if (prescriptionPushEnabled) {
+							const titleParts: string[] = [];
+							if (emptyRx.length > 0)
+								titleParts.push(
+									`🚨 ${emptyRx.length} ${emptyRx.length === 1 ? tr.prescriptionReminder.pushEmptySingle : tr.prescriptionReminder.pushEmpty}`
+								);
+							if (lowRx.length > 0)
+								titleParts.push(
+									`🚨 ${lowRx.length} ${lowRx.length === 1 ? tr.prescriptionReminder.pushLowSingle : tr.prescriptionReminder.pushLow}`
+								);
+							const title = `MedAssist-ng: ${titleParts.join(", ")} - ${tr.prescriptionReminder.pushRenewNow}`;
+
+							const messageParts: string[] = [];
+							if (emptyRx.length > 0) {
+								messageParts.push(`🚨 ${tr.prescriptionReminder.pushEmptySection}:`);
+								for (const m of emptyRx) {
+									messageParts.push(`  • ${m.name}`);
+								}
+							}
+							if (lowRx.length > 0) {
+								if (emptyRx.length > 0) messageParts.push("");
+								messageParts.push(`🚨 ${tr.prescriptionReminder.pushLowSection}:`);
+								for (const m of lowRx) {
+									messageParts.push(
+										`  • ${m.name}: ${t(tr.prescriptionReminder.pushRefillsLeft, { count: m.remainingRefills })}`
+									);
+								}
+							}
+							const message = `${messageParts.join("\n")}\n\n---\n${getFooterPlain(language)}`;
+							const result = await sendShoutrrrNotification(settings.shoutrrrUrl!, title, message);
+							shoutrrrSuccess = result.success;
+							if (!result.success) {
+								logger.error(`[Reminder] User ${settings.userId}: Failed to send prescription push: ${result.error}`);
+							}
+						}
+
+						if (emailSuccess || shoutrrrSuccess) {
+							const currentState = loadReminderState();
+							const singleChannel = emailSuccess ? "email" : "push";
+							const channel = emailSuccess && shoutrrrSuccess ? "both" : singleChannel;
+							saveReminderState({
+								lastAutoEmailSent: new Date().toISOString(),
+								lastAutoEmailDate: today,
+								lastStockSchedulerCheckDate: currentState.lastStockSchedulerCheckDate,
+								notifiedMedications: [...new Set([...currentState.notifiedMedications, userPrescriptionNotifiedKey])],
+								nextScheduledCheck: currentState.nextScheduledCheck,
+								lastNotificationType: "prescription",
+								lastNotificationChannel: channel,
+							});
+
+							const medNames = allPrescriptionLow.map((m) => m.name).join(", ");
+							await updateUserReminderSentTime(settings.userId, "prescription", channel, medNames);
+						} else if (!alreadyNotified) {
+							// Roll back pre-mark when both channels failed so retries remain possible.
+							const currentState = loadReminderState();
+							saveReminderState({
+								lastAutoEmailSent: currentState.lastAutoEmailSent,
+								lastAutoEmailDate: currentState.lastAutoEmailDate,
+								lastStockSchedulerCheckDate: currentState.lastStockSchedulerCheckDate,
+								notifiedMedications: currentState.notifiedMedications.filter(
+									(key) => key !== userPrescriptionNotifiedKey
+								),
+								nextScheduledCheck: currentState.nextScheduledCheck,
+								lastNotificationType: currentState.lastNotificationType,
+								lastNotificationChannel: currentState.lastNotificationChannel,
+							});
+						}
 					}
+				} finally {
+					releaseReminderSendLock(prescriptionSendLock);
 				}
 			}
-
-			if (prescriptionPushEnabled) {
-				const titleParts: string[] = [];
-				if (emptyRx.length > 0)
-					titleParts.push(
-						`🚨 ${emptyRx.length} ${emptyRx.length === 1 ? tr.prescriptionReminder.pushEmptySingle : tr.prescriptionReminder.pushEmpty}`
-					);
-				if (lowRx.length > 0)
-					titleParts.push(
-						`🚨 ${lowRx.length} ${lowRx.length === 1 ? tr.prescriptionReminder.pushLowSingle : tr.prescriptionReminder.pushLow}`
-					);
-				const title = `MedAssist-ng: ${titleParts.join(", ")} - ${tr.prescriptionReminder.pushRenewNow}`;
-
-				const messageParts: string[] = [];
-				if (emptyRx.length > 0) {
-					messageParts.push(`🚨 ${tr.prescriptionReminder.pushEmptySection}:`);
-					for (const m of emptyRx) {
-						messageParts.push(`  • ${m.name}`);
-					}
-				}
-				if (lowRx.length > 0) {
-					if (emptyRx.length > 0) messageParts.push("");
-					messageParts.push(`🚨 ${tr.prescriptionReminder.pushLowSection}:`);
-					for (const m of lowRx) {
-						messageParts.push(
-							`  • ${m.name}: ${t(tr.prescriptionReminder.pushRefillsLeft, { count: m.remainingRefills })}`
-						);
-					}
-				}
-				const message = `${messageParts.join("\n")}\n\n---\n${getFooterPlain(language)}`;
-				const result = await sendShoutrrrNotification(settings.shoutrrrUrl!, title, message);
-				shoutrrrSuccess = result.success;
-				if (!result.success) {
-					logger.error(`[Reminder] User ${settings.userId}: Failed to send prescription push: ${result.error}`);
-				}
-			}
-
-			if (emailSuccess || shoutrrrSuccess) {
-				const currentState = loadReminderState();
-				const singleChannel = emailSuccess ? "email" : "push";
-				const channel = emailSuccess && shoutrrrSuccess ? "both" : singleChannel;
-				saveReminderState({
-					lastAutoEmailSent: new Date().toISOString(),
-					lastAutoEmailDate: today,
-					notifiedMedications: [...new Set([...currentState.notifiedMedications, userPrescriptionNotifiedKey])],
-					nextScheduledCheck: currentState.nextScheduledCheck,
-					lastNotificationType: "prescription",
-					lastNotificationChannel: channel,
-				});
-
-				const medNames = allPrescriptionLow.map((m) => m.name).join(", ");
-				await updateUserReminderSentTime(settings.userId, "prescription", channel, medNames);
-			}
 		}
 	}
 }
 
 let schedulerTimeout: NodeJS.Timeout | null = null;
+let schedulerStarted = false;
 
 function scheduleNextCheck(logger: ServiceLogger): void {
 	const msUntilNext = getMsUntilNextCheck(REMINDER_HOUR);
@@ -854,6 +991,11 @@ function scheduleNextCheck(logger: ServiceLogger): void {
 }
 
 export function startReminderScheduler(logger: ServiceLogger): void {
+	if (schedulerStarted) {
+		logger.info(`[Reminder] Scheduler already started, skipping duplicate start call`);
+		return;
+	}
+	schedulerStarted = true;
 	logger.info(`[Reminder] Starting reminder scheduler (timezone: ${getTimezone()})...`);
 
 	// Check if we need to run immediately (missed today's check)
@@ -861,9 +1003,10 @@ export function startReminderScheduler(logger: ServiceLogger): void {
 	const today = getTodayInTimezone();
 	const currentHour = getCurrentHourInTimezone();
 
-	// If it's past REMINDER_HOUR today in the configured timezone and we haven't checked today, run immediately
-	if (currentHour >= REMINDER_HOUR && state.lastAutoEmailDate !== today) {
-		logger.info("[Reminder] Missed today's check, running now...");
+	// If it's past REMINDER_HOUR today in the configured timezone and we haven't checked today, run one catch-up.
+	// This is intentionally a single current-state snapshot (no replay of missed days).
+	if (currentHour >= REMINDER_HOUR && state.lastStockSchedulerCheckDate !== today) {
+		logger.info("[Reminder] Missed today's check, running one catch-up snapshot (no historical replay)...");
 		checkAndSendReminder(logger).catch((err) => logger.error(`[Reminder] Error: ${err}`));
 	}
 
@@ -873,9 +1016,15 @@ export function startReminderScheduler(logger: ServiceLogger): void {
 	logger.info(`[Reminder] Scheduler started - daily check at ${REMINDER_HOUR}:00 ${getTimezone()}`);
 }
 
+export async function runReminderSchedulerNow(logger: ServiceLogger): Promise<void> {
+	logger.info(`[Reminder] Manual trigger: running reminder check now (${getTimezone()})`);
+	await checkAndSendReminder(logger);
+}
+
 export function stopReminderScheduler(): void {
 	if (schedulerTimeout) {
 		clearTimeout(schedulerTimeout);
 		schedulerTimeout = null;
 	}
+	schedulerStarted = false;
 }

backend/src/test/auth.test.ts

@@ -245,6 +245,57 @@ describe("Auth Routes (AUTH_ENABLED=true)", () => {
 			expect(response.json().code).toBe("VALIDATION_ERROR");
 		});
 
+		it("should register with trimmed username when input has whitespace", async () => {
+			const response = await app.inject({
+				method: "POST",
+				url: "/auth/register",
+				payload: {
+					username: "  trimuser  ",
+					password: "TestPassword123",
+				},
+			});
+
+			expect(response.statusCode).toBe(201);
+			expect(response.json().user.username).toBe("trimuser");
+		});
+
+		it("should reject whitespace-only username on registration", async () => {
+			const response = await app.inject({
+				method: "POST",
+				url: "/auth/register",
+				payload: {
+					username: "   ",
+					password: "TestPassword123",
+				},
+			});
+
+			expect(response.statusCode).toBe(400);
+			expect(response.json().code).toBe("VALIDATION_ERROR");
+		});
+
+		it("should reject duplicate username even with surrounding whitespace", async () => {
+			await app.inject({
+				method: "POST",
+				url: "/auth/register",
+				payload: {
+					username: "spacedupe",
+					password: "TestPassword123",
+				},
+			});
+
+			const response = await app.inject({
+				method: "POST",
+				url: "/auth/register",
+				payload: {
+					username: "  spacedupe  ",
+					password: "AnotherPassword123",
+				},
+			});
+
+			expect(response.statusCode).toBe(409);
+			expect(response.json().code).toBe("USERNAME_EXISTS");
+		});
+
 		it("should reject invalid username characters", async () => {
 			const response = await app.inject({
 				method: "POST",
@@ -341,6 +392,35 @@ describe("Auth Routes (AUTH_ENABLED=true)", () => {
 			expect(response.json().code).toBe("INVALID_CREDENTIALS");
 		});
 
+		it("should login successfully when username has leading/trailing whitespace", async () => {
+			const response = await app.inject({
+				method: "POST",
+				url: "/auth/login",
+				payload: {
+					username: "  loginuser  ",
+					password: "TestPassword123",
+				},
+			});
+
+			expect(response.statusCode).toBe(200);
+			expect(response.json().ok).toBe(true);
+			expect(response.json().user.username).toBe("loginuser");
+		});
+
+		it("should reject whitespace-only username on login", async () => {
+			const response = await app.inject({
+				method: "POST",
+				url: "/auth/login",
+				payload: {
+					username: "   ",
+					password: "TestPassword123",
+				},
+			});
+
+			expect(response.statusCode).toBe(400);
+			expect(response.json().code).toBe("VALIDATION_ERROR");
+		});
+
 		it("should support rememberMe option", async () => {
 			const response = await app.inject({
 				method: "POST",

backend/src/test/export.test.ts

@@ -152,8 +152,8 @@ async function registerExportRoutes(ctx: TestContext) {
 	});
 
 	// POST /import
-	// biome-ignore lint/suspicious/noExplicitAny: test helper with dynamic import data shape
 	app.post("/import", async (request, reply) => {
+		// biome-ignore lint/suspicious/noExplicitAny: test helper with dynamic import data shape
 		const importData = request.body as any;
 
 		// Basic validation

backend/src/test/oidc.test.ts

@@ -1,5 +1,5 @@
 import cookie from "@fastify/cookie";
-import Fastify, { type FastifyInstance } from "fastify";
+import Fastify from "fastify";
 import { afterEach, describe, expect, it, vi } from "vitest";
 
 type OidcMocks = {

backend/src/types/fastify.d.ts

@@ -22,6 +22,7 @@ declare module "fastify" {
 
 	interface FastifyRequest {
 		user?: AuthUser | null;
+		correlationId?: string;
 	}
 }
 

backend/src/utils/image-upload.ts

@@ -0,0 +1,80 @@
+import { existsSync, unlinkSync } from "node:fs";
+import { writeFile } from "node:fs/promises";
+import { extname, resolve } from "node:path";
+import sharp from "sharp";
+
+export const ALLOWED_IMAGE_MIME_TYPES = ["image/jpeg", "image/png", "image/webp", "image/gif"];
+export const MAX_IMAGE_UPLOAD_BYTES = 10 * 1024 * 1024;
+
+export function getThumbFilename(imageFilename: string): string {
+	const ext = extname(imageFilename);
+	const base = ext ? imageFilename.slice(0, -ext.length) : imageFilename;
+	return `${base}-thumb.webp`;
+}
+
+export function removeImageFiles(imagesDir: string, imageFilename: string): void {
+	const fullPath = resolve(imagesDir, imageFilename);
+	if (existsSync(fullPath)) unlinkSync(fullPath);
+
+	const thumbFilename = getThumbFilename(imageFilename);
+	if (thumbFilename !== imageFilename) {
+		const thumbPath = resolve(imagesDir, thumbFilename);
+		if (existsSync(thumbPath)) unlinkSync(thumbPath);
+	}
+}
+
+export async function streamToBuffer(stream: NodeJS.ReadableStream): Promise<Buffer> {
+	const chunks: Buffer[] = [];
+	let totalSize = 0;
+
+	for await (const chunk of stream) {
+		const buffer = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk);
+		totalSize += buffer.length;
+		if (totalSize > MAX_IMAGE_UPLOAD_BYTES) {
+			throw new Error("IMAGE_TOO_LARGE");
+		}
+		chunks.push(buffer);
+	}
+
+	return Buffer.concat(chunks);
+}
+
+export async function writeOptimizedImageSet(
+	imagesDir: string,
+	filePrefix: string,
+	uploadBuffer: Buffer,
+	options?: {
+		maxEdgePx?: number;
+		thumbSizePx?: number;
+		fullQuality?: number;
+		thumbQuality?: number;
+	}
+): Promise<{ filename: string; thumbFilename: string }> {
+	const maxEdgePx = options?.maxEdgePx ?? 1600;
+	const thumbSizePx = options?.thumbSizePx ?? 96;
+	const fullQuality = options?.fullQuality ?? 82;
+	const thumbQuality = options?.thumbQuality ?? 76;
+
+	const filename = `${filePrefix}-${Date.now()}.webp`;
+	const thumbFilename = getThumbFilename(filename);
+
+	const filepath = resolve(imagesDir, filename);
+	const thumbFilepath = resolve(imagesDir, thumbFilename);
+
+	const optimizedBuffer = await sharp(uploadBuffer, { failOn: "error" })
+		.rotate()
+		.resize({ width: maxEdgePx, height: maxEdgePx, fit: "inside", withoutEnlargement: true })
+		.webp({ quality: fullQuality })
+		.toBuffer();
+
+	const thumbBuffer = await sharp(uploadBuffer, { failOn: "error" })
+		.rotate()
+		.resize({ width: thumbSizePx, height: thumbSizePx, fit: "cover", position: "attention" })
+		.webp({ quality: thumbQuality })
+		.toBuffer();
+
+	await writeFile(filepath, optimizedBuffer);
+	await writeFile(thumbFilepath, thumbBuffer);
+
+	return { filename, thumbFilename };
+}

backend/src/utils/scheduler-utils.ts

@@ -122,7 +122,11 @@ export function getNextScheduledTime(reminderHour: number, tz?: string): Date {
 /** Calculate milliseconds until next check at the given reminder hour */
 export function getMsUntilNextCheck(reminderHour: number, tz?: string): number {
 	const next = getNextScheduledTime(reminderHour, tz);
-	return next.getTime() - Date.now();
+	const msUntilNext = next.getTime() - Date.now();
+	if (msUntilNext <= 0) {
+		return msUntilNext + 24 * 60 * 60 * 1000;
+	}
+	return msUntilNext;
 }
 
 // =============================================================================
@@ -483,6 +487,7 @@ export function getUpcomingIntakes(
 export type ReminderState = {
 	lastAutoEmailSent: string | null;
 	lastAutoEmailDate: string | null;
+	lastStockSchedulerCheckDate: string | null;
 	notifiedMedications: string[];
 	nextScheduledCheck: string | null;
 	lastNotificationType: "stock" | "intake" | "prescription" | null;
@@ -505,6 +510,7 @@ export function createDefaultReminderState(): ReminderState {
 	return {
 		lastAutoEmailSent: null,
 		lastAutoEmailDate: null,
+		lastStockSchedulerCheckDate: null,
 		notifiedMedications: [],
 		nextScheduledCheck: null,
 		lastNotificationType: null,
@@ -524,6 +530,7 @@ export function parseReminderState(json: string): ReminderState {
 		return {
 			lastAutoEmailSent: saved.lastAutoEmailSent ?? null,
 			lastAutoEmailDate: saved.lastAutoEmailDate ?? null,
+			lastStockSchedulerCheckDate: saved.lastStockSchedulerCheckDate ?? null,
 			notifiedMedications: saved.notifiedMedications ?? [],
 			nextScheduledCheck: saved.nextScheduledCheck ?? null,
 			lastNotificationType: saved.lastNotificationType ?? null,

docs/PROJECT_SETUP.md

@@ -1,80 +0,0 @@
-# GitHub Project Setup
-
-This repository includes a GitHub Actions workflow that automatically adds new issues to a GitHub Project for tracking feature requests and bugs.
-
-## Setup Steps
-
-### 1. Create a GitHub Project
-
-1. Go to your GitHub profile → **Projects** → **New project**
-2. Choose the **Board** template (recommended for feature tracking)
-3. Name it e.g. **MedAssist-ng Roadmap**
-4. Configure the default columns:
-   - **Triage** – New issues land here
-   - **Backlog** – Accepted but not yet started
-   - **In Progress** – Currently being worked on
-   - **Done** – Completed
-
-### 2. Create a Personal Access Token (PAT)
-
-The workflow needs a token with project permissions. The built-in `GITHUB_TOKEN` does not support GitHub Projects.
-
-1. Go to **Settings** → **Developer settings** → **Personal access tokens** → **Fine-grained tokens**
-2. Click **Generate new token**
-3. Set:
-   - **Token name**: `add-to-project`
-   - **Expiration**: Choose an appropriate duration
-   - **Repository access**: Select **Only select repositories** → `DanielVolz/medassist-ng`
-   - **Permissions**:
-     - Repository permissions: **Issues** → Read
-     - Organization permissions (if applicable): **Projects** → Read and write
-   - For **user-owned projects**, you need a **classic** token with the `project` scope instead
-4. Copy the generated token
-
-### 3. Add Repository Secrets and Variables
-
-1. Go to the repository → **Settings** → **Secrets and variables** → **Actions**
-2. Add a **secret**:
-   - Name: `ADD_TO_PROJECT_PAT`
-   - Value: The PAT from step 2
-3. Add a **variable** (under the **Variables** tab):
-   - Name: `PROJECT_URL`
-   - Value: The full URL of your GitHub Project (e.g. `https://github.com/users/DanielVolz/projects/1`)
-
-### 4. Verify
-
-1. Create a test issue using the **✨ Feature Request** template
-2. Check the **Actions** tab to see the workflow run
-3. Verify the issue appears in your GitHub Project under **Triage**
-
-## How It Works
-
-The workflow (`.github/workflows/add-to-project.yml`) triggers when:
-- A new issue is **opened**
-- A label is **added** to an existing issue
-
-Issues with any of these labels are automatically added to the project:
-- `enhancement` – Feature requests
-- `bug` – Bug reports
-- `triage` – New issues needing review
-
-Both the feature request and bug report issue templates automatically apply the `triage` label, so all new issues from templates are captured.
-
-## Customization
-
-### Adding more labels
-
-Edit `.github/workflows/add-to-project.yml` and add labels to the `labeled` field:
-
-```yaml
-labeled: enhancement, bug, triage, documentation
-```
-
-### Restricting to feature requests only
-
-Change the `labeled` field to only include `enhancement`:
-
-```yaml
-labeled: enhancement
-label-operator: OR
-```

frontend/e2e/auth.setup.ts

@@ -1,7 +1,7 @@
 import * as fs from "node:fs";
 import * as path from "node:path";
 import { expect, test as setup } from "@playwright/test";
-import { TEST_USER } from "./fixtures";
+import { applyVideoSafetyMode, TEST_USER } from "./fixtures";
 
 const authFile = path.join(import.meta.dirname, ".auth", "user.json");
 
@@ -33,6 +33,8 @@ function isTokenValid(token: string): boolean {
  * 4. Log in via the UI.
  */
 setup("authenticate", async ({ page }) => {
+	await applyVideoSafetyMode(page);
+
 	// Create .auth directory if it doesn't exist
 	const authDir = path.dirname(authFile);
 	if (!fs.existsSync(authDir)) {

frontend/e2e/fixtures/index.ts

@@ -60,6 +60,29 @@ async function setupAuthMeMock(page: Page): Promise<void> {
 	}
 }
 
+/**
+ * Reduce visual flashing in recorded videos by forcing a dark first paint and
+ * disabling most animations/transitions in test mode.
+ */
+export async function applyVideoSafetyMode(page: Page): Promise<void> {
+	await page.emulateMedia({ reducedMotion: "reduce", colorScheme: "dark" });
+	await page.addInitScript(() => {
+		const style = document.createElement("style");
+		style.id = "pw-video-safety-style";
+		style.textContent = `
+			html, body {
+				background: #111111 !important;
+				color-scheme: dark !important;
+			}
+			*, *::before, *::after {
+				animation: none !important;
+				transition: none !important;
+			}
+		`;
+		document.documentElement.appendChild(style);
+	});
+}
+
 /**
  * Extended test fixture that automatically mocks /auth/me on every page
  * using user data from the JWT in the stored auth file.
@@ -70,8 +93,9 @@ async function setupAuthMeMock(page: Page): Promise<void> {
  * auth.spec.ts should keep importing from `@playwright/test` directly
  * since it tests the unauthenticated flow.
  */
-export const test = base.extend<{}>({
+export const test = base.extend<object>({
 	page: async ({ page }, use) => {
+		await applyVideoSafetyMode(page);
 		await setupAuthMeMock(page);
 		await use(page);
 	},

frontend/e2e/tooltip-data.spec.ts

@@ -0,0 +1,264 @@
+import {
+	authFile,
+	createMedicationViaAPI,
+	deleteAllMedicationsViaAPI,
+	expect,
+	navigateTo,
+	type TestMedication,
+	test,
+} from "./fixtures";
+
+/**
+ * Tooltip Visibility Regression Tests
+ *
+ * Ensures that tooltip pseudo-elements on MedDetail footer icon buttons
+ * are not clipped by ancestor overflow or hidden behind modal overlays.
+ * This is a regression guard — tooltips have repeatedly broken due to
+ * CSS overflow/z-index changes on modal containers.
+ */
+test.describe("MedDetail footer tooltip visibility", () => {
+	test.use({ storageState: authFile });
+	test.describe.configure({ timeout: 60000 });
+
+	const MED_NAME = "Tooltip Test Med";
+	const createdMeds: TestMedication[] = [];
+
+	test.beforeAll(async () => {
+		await deleteAllMedicationsViaAPI();
+		createdMeds.push(
+			await createMedicationViaAPI({
+				name: MED_NAME,
+				packageType: "blister",
+				packCount: 1,
+				blistersPerPack: 1,
+				pillsPerBlister: 10,
+				looseTablets: 0,
+				intakes: [
+					{
+						usage: 1,
+						every: 1,
+						start: new Date().toISOString().slice(0, 16),
+						intakeRemindersEnabled: false,
+					},
+				],
+			})
+		);
+	});
+
+	test.afterAll(async () => {
+		await deleteAllMedicationsViaAPI();
+	});
+
+	/**
+	 * Open the MedDetail modal by clicking a medication row in the Dashboard overview table.
+	 */
+	async function openMedDetailModal(page: import("@playwright/test").Page) {
+		await navigateTo(page, "/dashboard");
+		const overviewTable = page.locator(".table.table-7");
+		await expect(overviewTable).toBeVisible({ timeout: 10000 });
+
+		const medRow = overviewTable.locator(".table-row").filter({ hasText: MED_NAME }).first();
+		await medRow.click();
+
+		const modal = page.locator(".modal-overlay.med-detail-overlay");
+		await expect(modal).toBeVisible({ timeout: 5000 });
+		return modal;
+	}
+
+	test("no ancestor of footer tooltip buttons has overflow:hidden", async ({ page }) => {
+		const modal = await openMedDetailModal(page);
+
+		const footer = modal.locator(".med-detail-footer");
+		await expect(footer).toBeVisible();
+
+		// Walk up from footer through modal-content to modal-overlay and check overflow
+		const overflowHiddenAncestors = await page.evaluate(() => {
+			const footer = document.querySelector(".med-detail-footer");
+			if (!footer) return ["footer not found"];
+
+			const problems: string[] = [];
+			let el: HTMLElement | null = footer as HTMLElement;
+			while (el && !el.classList.contains("modal-overlay")) {
+				const computed = window.getComputedStyle(el);
+				const overflowX = computed.overflowX;
+				const overflowY = computed.overflowY;
+				if (overflowX === "hidden" || overflowY === "hidden") {
+					const id = el.id ? `#${el.id}` : "";
+					const cls = el.className ? `.${el.className.split(" ").join(".")}` : "";
+					problems.push(`${el.tagName.toLowerCase()}${id}${cls} has overflow: ${overflowX}/${overflowY}`);
+				}
+				el = el.parentElement;
+			}
+			return problems;
+		});
+
+		expect(
+			overflowHiddenAncestors,
+			`Tooltip ancestors must not clip with overflow:hidden: ${overflowHiddenAncestors.join("; ")}`
+		).toHaveLength(0);
+	});
+
+	test("tooltip z-index is above modal overlay", async ({ page }) => {
+		const _modal = await openMedDetailModal(page);
+
+		// Get modal overlay z-index and tooltip pseudo-element z-index from CSS
+		const { modalZIndex, tooltipZIndex, arrowZIndex } = await page.evaluate(() => {
+			const overlay = document.querySelector(".modal-overlay");
+			const overlayZ = overlay ? Number.parseInt(window.getComputedStyle(overlay).zIndex, 10) : 0;
+
+			// Read the tooltip ::after z-index from stylesheets
+			let ttZ = 0;
+			let arrZ = 0;
+			for (const sheet of document.styleSheets) {
+				try {
+					for (const rule of sheet.cssRules) {
+						const cssRule = rule as CSSStyleRule;
+						if (cssRule.selectorText?.includes("tooltip-trigger[data-tooltip]::after")) {
+							const z = Number.parseInt(cssRule.style.zIndex, 10);
+							if (z > ttZ) ttZ = z;
+						}
+						if (cssRule.selectorText?.includes("tooltip-trigger[data-tooltip]::before")) {
+							const z = Number.parseInt(cssRule.style.zIndex, 10);
+							if (z > arrZ) arrZ = z;
+						}
+					}
+				} catch {
+					// cross-origin sheets — skip
+				}
+			}
+			return { modalZIndex: overlayZ, tooltipZIndex: ttZ, arrowZIndex: arrZ };
+		});
+
+		expect(
+			tooltipZIndex,
+			`Tooltip ::after z-index (${tooltipZIndex}) must be > modal overlay z-index (${modalZIndex})`
+		).toBeGreaterThan(modalZIndex);
+		expect(
+			arrowZIndex,
+			`Tooltip ::before z-index (${arrowZIndex}) must be > modal overlay z-index (${modalZIndex})`
+		).toBeGreaterThan(modalZIndex);
+	});
+
+	test("edit button tooltip is visible on hover", async ({ page }) => {
+		const modal = await openMedDetailModal(page);
+
+		const editBtn = modal.locator(".med-detail-footer button.tooltip-trigger.info.icon-only");
+		await expect(editBtn).toBeVisible();
+
+		// Hover to activate tooltip
+		await editBtn.hover();
+		// Small wait for CSS transition
+		await page.waitForTimeout(300);
+
+		// Verify the tooltip pseudo-element is visible and within viewport
+		const isVisible = await page.evaluate(() => {
+			const btn = document.querySelector(".med-detail-footer button.tooltip-trigger.info.icon-only");
+			if (!btn) return { visible: false, reason: "button not found" };
+
+			const style = window.getComputedStyle(btn, "::after");
+			const opacity = Number.parseFloat(style.opacity);
+			const visibility = style.visibility;
+
+			if (opacity < 0.5 || visibility === "hidden") {
+				return {
+					visible: false,
+					reason: `opacity=${opacity}, visibility=${visibility}`,
+				};
+			}
+			return { visible: true, reason: "ok" };
+		});
+
+		expect(isVisible.visible, `Edit tooltip should be visible on hover: ${isVisible.reason}`).toBe(true);
+	});
+
+	test("stock correction button tooltip is visible on hover", async ({ page }) => {
+		const modal = await openMedDetailModal(page);
+
+		const stockBtn = modal.locator(".med-detail-footer button.tooltip-trigger.icon-stock-correction");
+		await expect(stockBtn).toBeVisible();
+
+		await stockBtn.hover();
+		await page.waitForTimeout(300);
+
+		const isVisible = await page.evaluate(() => {
+			const btn = document.querySelector(".med-detail-footer button.tooltip-trigger.icon-stock-correction");
+			if (!btn) return { visible: false, reason: "button not found" };
+
+			const style = window.getComputedStyle(btn, "::after");
+			const opacity = Number.parseFloat(style.opacity);
+			const visibility = style.visibility;
+
+			if (opacity < 0.5 || visibility === "hidden") {
+				return {
+					visible: false,
+					reason: `opacity=${opacity}, visibility=${visibility}`,
+				};
+			}
+			return { visible: true, reason: "ok" };
+		});
+
+		expect(isVisible.visible, `Stock correction tooltip should be visible on hover: ${isVisible.reason}`).toBe(true);
+	});
+
+	test("export button tooltip is visible on hover", async ({ page }) => {
+		const modal = await openMedDetailModal(page);
+
+		const exportBtn = modal.locator(".med-detail-footer button.tooltip-trigger.secondary.icon-only");
+		// Export button only shows when blisters exist — skip if not present
+		if (!(await exportBtn.isVisible().catch(() => false))) {
+			test.skip(true, "Export button not visible (no blisters)");
+			return;
+		}
+
+		await exportBtn.hover();
+		await page.waitForTimeout(300);
+
+		const isVisible = await page.evaluate(() => {
+			const btn = document.querySelector(".med-detail-footer button.tooltip-trigger.secondary.icon-only");
+			if (!btn) return { visible: false, reason: "button not found" };
+
+			const style = window.getComputedStyle(btn, "::after");
+			const opacity = Number.parseFloat(style.opacity);
+			const visibility = style.visibility;
+
+			if (opacity < 0.5 || visibility === "hidden") {
+				return {
+					visible: false,
+					reason: `opacity=${opacity}, visibility=${visibility}`,
+				};
+			}
+			return { visible: true, reason: "ok" };
+		});
+
+		expect(isVisible.visible, `Export tooltip should be visible on hover: ${isVisible.reason}`).toBe(true);
+	});
+
+	test("close button tooltip in header is visible on hover", async ({ page }) => {
+		const modal = await openMedDetailModal(page);
+
+		const closeBtn = modal.locator("button.modal-close.tooltip-trigger");
+		await expect(closeBtn).toBeVisible();
+
+		await closeBtn.hover();
+		await page.waitForTimeout(300);
+
+		const isVisible = await page.evaluate(() => {
+			const btn = document.querySelector(".med-detail-overlay button.modal-close.tooltip-trigger");
+			if (!btn) return { visible: false, reason: "button not found" };
+
+			const style = window.getComputedStyle(btn, "::after");
+			const opacity = Number.parseFloat(style.opacity);
+			const visibility = style.visibility;
+
+			if (opacity < 0.5 || visibility === "hidden") {
+				return {
+					visible: false,
+					reason: `opacity=${opacity}, visibility=${visibility}`,
+				};
+			}
+			return { visible: true, reason: "ok" };
+		});
+
+		expect(isVisible.visible, `Close button tooltip should be visible on hover: ${isVisible.reason}`).toBe(true);
+	});
+});

frontend/index.html

@@ -6,7 +6,6 @@
     <title>MedAssist-ng</title>
     
     <!-- Favicons -->
-    <link rel="icon" type="image/svg+xml" href="/favicon.svg" />
     <link rel="icon" type="image/png" sizes="96x96" href="/favicon-96x96.png" />
     <link rel="icon" type="image/x-icon" href="/favicon.ico" />
     <link rel="apple-touch-icon" sizes="180x180" href="/apple-touch-icon.png" />
@@ -14,7 +13,7 @@
     
     <!-- Theme color -->
     <meta name="theme-color" content="#0f172a" />
-    <meta name="apple-mobile-web-app-capable" content="yes" />
+    <meta name="mobile-web-app-capable" content="yes" />
     <meta name="apple-mobile-web-app-status-bar-style" content="black-translucent" />
   </head>
   <body>

frontend/nginx.conf

@@ -14,6 +14,8 @@ server {
     add_header X-Content-Type-Options "nosniff" always;
     add_header X-XSS-Protection "1; mode=block" always;
     add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+    add_header Content-Security-Policy "default-src 'self'; base-uri 'self'; frame-ancestors 'self'; object-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com data:; img-src 'self' data: blob:; connect-src 'self' https://api.github.com; frame-src 'self'; form-action 'self'; upgrade-insecure-requests" always;
+    add_header Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=(), usb=(), accelerometer=(), gyroscope=(), magnetometer=()" always;
 
     # Allow larger file uploads (for medication images and data import/export)
     client_max_body_size 50M;

frontend/package-lock.json

@@ -1,28 +1,29 @@
 {
   "name": "medassist-ng-frontend",
-  "version": "1.12.0",
+  "version": "1.16.0",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "medassist-ng-frontend",
-      "version": "1.12.0",
+      "version": "1.16.0",
       "dependencies": {
-        "i18next": "^25.8.10",
+        "i18next": "^25.8.13",
         "i18next-browser-languagedetector": "^8.2.1",
-        "lucide-react": "^0.574.0",
+        "lucide-react": "^0.575.0",
         "react": "^18.3.1",
         "react-dom": "^18.3.1",
         "react-i18next": "^15.4.1",
-        "react-router-dom": "^7.13.0",
+        "react-router-dom": "^7.13.1",
         "zod": "^4.3.6"
       },
       "devDependencies": {
-        "@biomejs/biome": "^2.4.1",
+        "@biomejs/biome": "^2.4.4",
         "@playwright/test": "^1.58.2",
         "@testing-library/jest-dom": "^6.9.1",
         "@testing-library/react": "^16.3.2",
         "@testing-library/user-event": "^14.6.1",
+        "@types/node": "^25.3.0",
         "@types/react": "^18.3.4",
         "@types/react-dom": "^18.3.0",
         "@types/react-router-dom": "^5.3.3",
@@ -405,9 +406,9 @@
       }
     },
     "node_modules/@biomejs/biome": {
-      "version": "2.4.1",
-      "resolved": "https://registry.npmjs.org/@biomejs/biome/-/biome-2.4.1.tgz",
-      "integrity": "sha512-8c5DZQl1hfpLRlTZ21W5Ef2R314E4UJUEtkMbo303ElTVe6fYtapwldv7tZlgwm+9YP0Mhk7dUSTkOY8nQ2/2w==",
+      "version": "2.4.4",
+      "resolved": "https://registry.npmjs.org/@biomejs/biome/-/biome-2.4.4.tgz",
+      "integrity": "sha512-tigwWS5KfJf0cABVd52NVaXyAVv4qpUXOWJ1rxFL8xF1RVoeS2q/LK+FHgYoKMclJCuRoCWAPy1IXaN9/mS61Q==",
       "dev": true,
       "license": "MIT OR Apache-2.0",
       "bin": {
@@ -421,20 +422,20 @@
         "url": "https://opencollective.com/biome"
       },
       "optionalDependencies": {
-        "@biomejs/cli-darwin-arm64": "2.4.1",
-        "@biomejs/cli-darwin-x64": "2.4.1",
-        "@biomejs/cli-linux-arm64": "2.4.1",
-        "@biomejs/cli-linux-arm64-musl": "2.4.1",
-        "@biomejs/cli-linux-x64": "2.4.1",
-        "@biomejs/cli-linux-x64-musl": "2.4.1",
-        "@biomejs/cli-win32-arm64": "2.4.1",
-        "@biomejs/cli-win32-x64": "2.4.1"
+        "@biomejs/cli-darwin-arm64": "2.4.4",
+        "@biomejs/cli-darwin-x64": "2.4.4",
+        "@biomejs/cli-linux-arm64": "2.4.4",
+        "@biomejs/cli-linux-arm64-musl": "2.4.4",
+        "@biomejs/cli-linux-x64": "2.4.4",
+        "@biomejs/cli-linux-x64-musl": "2.4.4",
+        "@biomejs/cli-win32-arm64": "2.4.4",
+        "@biomejs/cli-win32-x64": "2.4.4"
       }
     },
     "node_modules/@biomejs/cli-darwin-arm64": {
-      "version": "2.4.1",
-      "resolved": "https://registry.npmjs.org/@biomejs/cli-darwin-arm64/-/cli-darwin-arm64-2.4.1.tgz",
-      "integrity": "sha512-wKiX2znbgFRaivRplSbu53hiREp1ohlGRuWqOL90IPetLi5E32tkiMYu8uSLXVzDgbIVM58WsesPaczIVtJkOQ==",
+      "version": "2.4.4",
+      "resolved": "https://registry.npmjs.org/@biomejs/cli-darwin-arm64/-/cli-darwin-arm64-2.4.4.tgz",
+      "integrity": "sha512-jZ+Xc6qvD6tTH5jM6eKX44dcbyNqJHssfl2nnwT6vma6B1sj7ZLTGIk6N5QwVBs5xGN52r3trk5fgd3sQ9We9A==",
       "cpu": [
         "arm64"
       ],
@@ -449,9 +450,9 @@
       }
     },
     "node_modules/@biomejs/cli-darwin-x64": {
-      "version": "2.4.1",
-      "resolved": "https://registry.npmjs.org/@biomejs/cli-darwin-x64/-/cli-darwin-x64-2.4.1.tgz",
-      "integrity": "sha512-rxLYVg3skeXh9K0om7JdkKcCdvtqrF9ECZ7dsmLuYObboK7DZ1J0z6xc2NGKSXw+cEQo3ie6NQgWBcdGJ16yQg==",
+      "version": "2.4.4",
+      "resolved": "https://registry.npmjs.org/@biomejs/cli-darwin-x64/-/cli-darwin-x64-2.4.4.tgz",
+      "integrity": "sha512-Dh1a/+W+SUCXhEdL7TiX3ArPTFCQKJTI1mGncZNWfO+6suk+gYA4lNyJcBB+pwvF49uw0pEbUS49BgYOY4hzUg==",
       "cpu": [
         "x64"
       ],
@@ -466,9 +467,9 @@
       }
     },
     "node_modules/@biomejs/cli-linux-arm64": {
-      "version": "2.4.1",
-      "resolved": "https://registry.npmjs.org/@biomejs/cli-linux-arm64/-/cli-linux-arm64-2.4.1.tgz",
-      "integrity": "sha512-nlGO5KzoEKhGj2i3QXyyNCeFk8SVwyes0wo0/X9w943darnlAHfi8MYYunPf8lsz5C0JaH6pJYB6D9HnDwUPQA==",
+      "version": "2.4.4",
+      "resolved": "https://registry.npmjs.org/@biomejs/cli-linux-arm64/-/cli-linux-arm64-2.4.4.tgz",
+      "integrity": "sha512-V/NFfbWhsUU6w+m5WYbBenlEAz8eYnSqRMDMAW3K+3v0tYVkNyZn8VU0XPxk/lOqNXLSCCrV7FmV/u3SjCBShg==",
       "cpu": [
         "arm64"
       ],
@@ -483,9 +484,9 @@
       }
     },
     "node_modules/@biomejs/cli-linux-arm64-musl": {
-      "version": "2.4.1",
-      "resolved": "https://registry.npmjs.org/@biomejs/cli-linux-arm64-musl/-/cli-linux-arm64-musl-2.4.1.tgz",
-      "integrity": "sha512-Brwh/QL3wfX5UyZcyEamS1Q+EF8Q7ud+MS5mq/9BWX2ArfxQlgsqlukwK92xrGpXWcspXkSG9U0CoxvCZZkTKQ==",
+      "version": "2.4.4",
+      "resolved": "https://registry.npmjs.org/@biomejs/cli-linux-arm64-musl/-/cli-linux-arm64-musl-2.4.4.tgz",
+      "integrity": "sha512-+sPAXq3bxmFwhVFJnSwkSF5Rw2ZAJMH3MF6C9IveAEOdSpgajPhoQhbbAK12SehN9j2QrHpk4J/cHsa/HqWaYQ==",
       "cpu": [
         "arm64"
       ],
@@ -500,9 +501,9 @@
       }
     },
     "node_modules/@biomejs/cli-linux-x64": {
-      "version": "2.4.1",
-      "resolved": "https://registry.npmjs.org/@biomejs/cli-linux-x64/-/cli-linux-x64-2.4.1.tgz",
-      "integrity": "sha512-Rmhm/mQ/3pejy1WtWLKurV1fN6zvCrqKz/ART2ZzgqY4ozL07uys5R9jA0A+yLjA79JTkcpIe85ygXv0FnSPRg==",
+      "version": "2.4.4",
+      "resolved": "https://registry.npmjs.org/@biomejs/cli-linux-x64/-/cli-linux-x64-2.4.4.tgz",
+      "integrity": "sha512-R4+ZCDtG9kHArasyBO+UBD6jr/FcFCTH8QkNTOCu0pRJzCWyWC4EtZa2AmUZB5h3e0jD7bRV2KvrENcf8rndBg==",
       "cpu": [
         "x64"
       ],
@@ -517,9 +518,9 @@
       }
     },
     "node_modules/@biomejs/cli-linux-x64-musl": {
-      "version": "2.4.1",
-      "resolved": "https://registry.npmjs.org/@biomejs/cli-linux-x64-musl/-/cli-linux-x64-musl-2.4.1.tgz",
-      "integrity": "sha512-kz1QpA+PXouNyWw2VzeoMlzMn99hlyOC/El2uSy+DS8gcb6tOsKEeZ5e2onnFIfZKe9AeKMFbTowDNLXwjwGjw==",
+      "version": "2.4.4",
+      "resolved": "https://registry.npmjs.org/@biomejs/cli-linux-x64-musl/-/cli-linux-x64-musl-2.4.4.tgz",
+      "integrity": "sha512-gGvFTGpOIQDb5CQ2VC0n9Z2UEqlP46c4aNgHmAMytYieTGEcfqhfCFnhs6xjt0S3igE6q5GLuIXtdQt3Izok+g==",
       "cpu": [
         "x64"
       ],
@@ -534,9 +535,9 @@
       }
     },
     "node_modules/@biomejs/cli-win32-arm64": {
-      "version": "2.4.1",
-      "resolved": "https://registry.npmjs.org/@biomejs/cli-win32-arm64/-/cli-win32-arm64-2.4.1.tgz",
-      "integrity": "sha512-e+PrlbQ/tez7W9EAzzCGUH1ovq31kR5r8sfCDzasrmoADLnDafet8pA8LdXnt0GwkeOem5Hz6WHCVZPRmaXiXw==",
+      "version": "2.4.4",
+      "resolved": "https://registry.npmjs.org/@biomejs/cli-win32-arm64/-/cli-win32-arm64-2.4.4.tgz",
+      "integrity": "sha512-trzCqM7x+Gn832zZHgr28JoYagQNX4CZkUZhMUac2YxvvyDRLJDrb5m9IA7CaZLlX6lTQmADVfLEKP1et1Ma4Q==",
       "cpu": [
         "arm64"
       ],
@@ -551,9 +552,9 @@
       }
     },
     "node_modules/@biomejs/cli-win32-x64": {
-      "version": "2.4.1",
-      "resolved": "https://registry.npmjs.org/@biomejs/cli-win32-x64/-/cli-win32-x64-2.4.1.tgz",
-      "integrity": "sha512-kfjOCzvaHC7olg8pmEuSsYzHntxdipkAGzr5nFiaEU2EPDWRE/myqUBaFDl9pHqEc8yEtQFiXF945PlTSkuOTw==",
+      "version": "2.4.4",
+      "resolved": "https://registry.npmjs.org/@biomejs/cli-win32-x64/-/cli-win32-x64-2.4.4.tgz",
+      "integrity": "sha512-gnOHKVPFAAPrpoPt2t+Q6FZ7RPry/FDV3GcpU53P3PtLNnQjBmKyN2Vh/JtqXet+H4pme8CC76rScwdjDcT1/A==",
       "cpu": [
         "x64"
       ],
@@ -1735,6 +1736,16 @@
       "dev": true,
       "license": "MIT"
     },
+    "node_modules/@types/node": {
+      "version": "25.3.0",
+      "resolved": "https://registry.npmjs.org/@types/node/-/node-25.3.0.tgz",
+      "integrity": "sha512-4K3bqJpXpqfg2XKGK9bpDTc6xO/xoUP/RBWS7AtRMug6zZFaRekiLzjVtAoZMquxoAbzBvy5nxQ7veS5eYzf8A==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "undici-types": "~7.18.0"
+      }
+    },
     "node_modules/@types/prop-types": {
       "version": "15.7.15",
       "resolved": "https://registry.npmjs.org/@types/prop-types/-/prop-types-15.7.15.tgz",
@@ -2449,9 +2460,9 @@
       }
     },
     "node_modules/i18next": {
-      "version": "25.8.10",
-      "resolved": "https://registry.npmjs.org/i18next/-/i18next-25.8.10.tgz",
-      "integrity": "sha512-CtPJLMAz1G8sxo+mIzfBjGgLxWs7d6WqIjlmmv9BTsOat4pJIfwZ8cm07n3kFS6bP9c6YwsYutYrwsEeJVBo2g==",
+      "version": "25.8.13",
+      "resolved": "https://registry.npmjs.org/i18next/-/i18next-25.8.13.tgz",
+      "integrity": "sha512-E0vzjBY1yM+nsFrtgkjLhST2NBkirkvOVoQa0MSldhsuZ3jUge7ZNpuwG0Cfc74zwo5ZwRzg3uOgT+McBn32iA==",
       "funding": [
         {
           "type": "individual",
@@ -2640,9 +2651,9 @@
       }
     },
     "node_modules/lucide-react": {
-      "version": "0.574.0",
-      "resolved": "https://registry.npmjs.org/lucide-react/-/lucide-react-0.574.0.tgz",
-      "integrity": "sha512-dJ8xb5juiZVIbdSn3HTyHsjjIwUwZ4FNwV0RtYDScOyySOeie1oXZTymST6YPJ4Qwt3Po8g4quhYl4OxtACiuQ==",
+      "version": "0.575.0",
+      "resolved": "https://registry.npmjs.org/lucide-react/-/lucide-react-0.575.0.tgz",
+      "integrity": "sha512-VuXgKZrk0uiDlWjGGXmKV6MSk9Yy4l10qgVvzGn2AWBx1Ylt0iBexKOAoA6I7JO3m+M9oeovJd3yYENfkUbOeg==",
       "license": "ISC",
       "peerDependencies": {
         "react": "^16.5.1 || ^17.0.0 || ^18.0.0 || ^19.0.0"
@@ -2983,9 +2994,9 @@
       }
     },
     "node_modules/react-router": {
-      "version": "7.13.0",
-      "resolved": "https://registry.npmjs.org/react-router/-/react-router-7.13.0.tgz",
-      "integrity": "sha512-PZgus8ETambRT17BUm/LL8lX3Of+oiLaPuVTRH3l1eLvSPpKO3AvhAEb5N7ihAFZQrYDqkvvWfFh9p0z9VsjLw==",
+      "version": "7.13.1",
+      "resolved": "https://registry.npmjs.org/react-router/-/react-router-7.13.1.tgz",
+      "integrity": "sha512-td+xP4X2/6BJvZoX6xw++A2DdEi++YypA69bJUV5oVvqf6/9/9nNlD70YO1e9d3MyamJEBQFEzk6mbfDYbqrSA==",
       "license": "MIT",
       "dependencies": {
         "cookie": "^1.0.1",
@@ -3005,12 +3016,12 @@
       }
     },
     "node_modules/react-router-dom": {
-      "version": "7.13.0",
-      "resolved": "https://registry.npmjs.org/react-router-dom/-/react-router-dom-7.13.0.tgz",
-      "integrity": "sha512-5CO/l5Yahi2SKC6rGZ+HDEjpjkGaG/ncEP7eWFTvFxbHP8yeeI0PxTDjimtpXYlR3b3i9/WIL4VJttPrESIf2g==",
+      "version": "7.13.1",
+      "resolved": "https://registry.npmjs.org/react-router-dom/-/react-router-dom-7.13.1.tgz",
+      "integrity": "sha512-UJnV3Rxc5TgUPJt2KJpo1Jpy0OKQr0AjgbZzBFjaPJcFOb2Y8jA5H3LT8HUJAiRLlWrEXWHbF1Z4SCZaQjWDHw==",
       "license": "MIT",
       "dependencies": {
-        "react-router": "7.13.0"
+        "react-router": "7.13.1"
       },
       "engines": {
         "node": ">=20.0.0"
@@ -3302,6 +3313,13 @@
         "node": ">=20.18.1"
       }
     },
+    "node_modules/undici-types": {
+      "version": "7.18.2",
+      "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-7.18.2.tgz",
+      "integrity": "sha512-AsuCzffGHJybSaRrmr5eHr81mwJU3kjw6M+uprWvCXiNeN9SOGwQ3Jn8jb8m3Z6izVgknn1R0FTCEAP2QrLY/w==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/update-browserslist-db": {
       "version": "1.2.3",
       "resolved": "https://registry.npmjs.org/update-browserslist-db/-/update-browserslist-db-1.2.3.tgz",

frontend/package.json

@@ -1,7 +1,7 @@
 {
   "name": "medassist-ng-frontend",
   "private": true,
-  "version": "1.14.1",
+  "version": "1.16.1",
   "type": "module",
   "scripts": {
     "dev": "vite",
@@ -16,6 +16,8 @@
     "test:coverage": "vitest run --coverage",
     "test:e2e": "rm -rf test-results && playwright test --config=playwright.stable.config.ts",
     "test:e2e:all": "rm -rf test-results && playwright test --config=playwright.all.config.ts",
+    "test:e2e:local": "PLAYWRIGHT_HTML_OPEN=never PLAYWRIGHT_WORKERS=4 npm run test:e2e",
+    "test:e2e:all:local": "PLAYWRIGHT_HTML_OPEN=never PLAYWRIGHT_WORKERS=4 npm run test:e2e:all",
     "test:e2e:with-video": "npm run test:e2e && npm run test:e2e:video",
     "test:e2e:all:with-video": "npm run test:e2e:all && npm run test:e2e:video",
     "test:e2e:video": "find \"$PWD/test-results\" -name video.webm -not -path '*retry*' -print0 | xargs -0 ls -tr > /tmp/e2e-videos.list && if [ -s /tmp/e2e-videos.list ]; then sed \"s/^/file '/\" /tmp/e2e-videos.list | sed \"s/$/'/\" > /tmp/e2e-videos.txt && ffmpeg -y -f concat -safe 0 -i /tmp/e2e-videos.txt -c copy test-results/all-tests.webm; else echo 'No videos found to merge'; fi",
@@ -25,21 +27,22 @@
     "test:e2e:report": "playwright show-report"
   },
   "dependencies": {
-    "i18next": "^25.8.10",
+    "i18next": "^25.8.13",
     "i18next-browser-languagedetector": "^8.2.1",
-    "lucide-react": "^0.574.0",
+    "lucide-react": "^0.575.0",
     "react": "^18.3.1",
     "react-dom": "^18.3.1",
     "react-i18next": "^15.4.1",
-    "react-router-dom": "^7.13.0",
+    "react-router-dom": "^7.13.1",
     "zod": "^4.3.6"
   },
   "devDependencies": {
-    "@biomejs/biome": "^2.4.1",
+    "@biomejs/biome": "^2.4.4",
     "@playwright/test": "^1.58.2",
     "@testing-library/jest-dom": "^6.9.1",
     "@testing-library/react": "^16.3.2",
     "@testing-library/user-event": "^14.6.1",
+    "@types/node": "^25.3.0",
     "@types/react": "^18.3.4",
     "@types/react-dom": "^18.3.0",
     "@types/react-router-dom": "^5.3.3",

frontend/playwright.base.config.ts

@@ -6,6 +6,8 @@ export function buildPlaywrightConfig(runAllBrowsers: boolean) {
 			? ((globalThis as { process?: { env?: Record<string, string | undefined> } }).process?.env ?? {})
 			: {};
 	const baseURL = env.PLAYWRIGHT_BASE_URL || "http://localhost:5173";
+	const parsedWorkers = Number.parseInt(env.PLAYWRIGHT_WORKERS ?? "", 10);
+	const workers = Number.isFinite(parsedWorkers) && parsedWorkers > 0 ? parsedWorkers : env.CI ? 1 : 4;
 
 	const projects: NonNullable<PlaywrightTestConfig["projects"]> = [
 		{
@@ -64,7 +66,7 @@ export function buildPlaywrightConfig(runAllBrowsers: boolean) {
 		fullyParallel: true,
 		forbidOnly: !!env.CI,
 		retries: env.CI ? 2 : 0,
-		workers: 1,
+		workers,
 		reporter: env.CI
 			? [["html", { outputFolder: "playwright-report" }], ["github"]]
 			: [["html", { outputFolder: "playwright-report" }], ["list"]],

frontend/src/App.tsx

@@ -1,5 +1,5 @@
-import { useEffect, useState } from "react";
-import { Navigate, Route, Routes, useNavigate } from "react-router-dom";
+import { useCallback, useEffect, useRef, useState } from "react";
+import { Navigate, Route, Routes, useLocation, useNavigate } from "react-router-dom";
 import {
 	AboutModal,
 	Lightbox,
@@ -12,6 +12,7 @@ import {
 import { AppHeader } from "./components/AppHeader";
 import { AuthPage, AuthProvider, useAuth } from "./components/Auth";
 import { AppProvider, UnsavedChangesProvider, useAppContext } from "./context";
+import { useScrollLock } from "./hooks/useScrollLock";
 import { DashboardPage, MedicationsPage, PlannerPage, SchedulePage, SettingsPage } from "./pages";
 
 // Vite injects this at build time from package.json
@@ -113,14 +114,13 @@ function AppRouter() {
 
 function AppContent() {
 	const navigate = useNavigate();
+	const location = useLocation();
 	// Get shared state from AppContext
 	const ctx = useAppContext();
 	const {
 		// Medications
 		meds,
 		loadMeds,
-		// Settings
-		settings,
 		// Refill
 		showRefillModal,
 		setShowRefillModal,
@@ -190,59 +190,24 @@ function AppContent() {
 	// Local-only state (not shared across components)
 	const [showProfile, setShowProfile] = useState(false);
 	const [showAbout, setShowAbout] = useState(false);
+	const [routeTransitionMaskActive, setRouteTransitionMaskActive] = useState(false);
+	const routeTransitionMinEndRef = useRef(0);
+	const routeTransitionFallbackTimerRef = useRef<number | null>(null);
+	const closeProfile = useCallback(() => {
+		if (showProfile) {
+			window.history.back();
+		}
+	}, [showProfile]);
+
+	const closeAbout = useCallback(() => {
+		if (showAbout) {
+			window.history.back();
+		}
+	}, [showAbout]);
 
 	// Get centralized stockThresholds from context
 	const { stockThresholds } = ctx;
 
-	// Close modal on Escape key
-	useEffect(() => {
-		const handleEscape = (e: KeyboardEvent) => {
-			if (e.key === "Escape") {
-				// Close modals in order of priority (topmost first)
-				if (scheduleLightboxImage) {
-					closeScheduleLightbox();
-				} else if (showImageLightbox) {
-					closeImageLightbox();
-				} else if (showEditStockModal) {
-					closeEditStockModal();
-				} else if (showRefillModal) {
-					closeRefillModal();
-				} else if (showShareDialog) {
-					closeShareDialog();
-				} else if (showAbout) {
-					closeAbout();
-				} else if (showProfile) {
-					closeProfile();
-				} else if (selectedUser) {
-					closeUserFilter();
-				} else if (selectedMed) {
-					closeMedDetail();
-				}
-			}
-		};
-		document.addEventListener("keydown", handleEscape);
-		return () => document.removeEventListener("keydown", handleEscape);
-	}, [
-		selectedMed,
-		showImageLightbox,
-		scheduleLightboxImage,
-		selectedUser,
-		showProfile,
-		showAbout,
-		showShareDialog,
-		showRefillModal,
-		showEditStockModal,
-		closeAbout,
-		closeEditStockModal,
-		closeImageLightbox,
-		closeMedDetail,
-		closeProfile,
-		closeRefillModal,
-		closeScheduleLightbox,
-		closeShareDialog,
-		closeUserFilter,
-	]);
-
 	// Handle browser back button to close modals (in priority order)
 	useEffect(() => {
 		const handlePopState = () => {
@@ -331,21 +296,86 @@ function AppContent() {
 		};
 	}, []);
 
-	// Prevent background scroll when modal is open
+	// Global Escape handling in priority order.
+	// This keeps behavior consistent even when child modals are mocked in tests.
 	useEffect(() => {
-		const isModalOpen = selectedMed || selectedUser || showProfile || showAbout || showShareDialog;
-		if (isModalOpen) {
-			document.documentElement.classList.add("modal-open");
-			document.body.classList.add("modal-open");
-		} else {
-			document.documentElement.classList.remove("modal-open");
-			document.body.classList.remove("modal-open");
-		}
-		return () => {
-			document.documentElement.classList.remove("modal-open");
-			document.body.classList.remove("modal-open");
+		const handleEscape = (e: KeyboardEvent) => {
+			if (e.key !== "Escape") return;
+
+			if (scheduleLightboxImage) {
+				closeScheduleLightbox();
+				return;
+			}
+			if (showImageLightbox) {
+				closeImageLightbox();
+				return;
+			}
+			if (showEditStockModal) {
+				closeEditStockModal();
+				return;
+			}
+			if (showRefillModal) {
+				closeRefillModal();
+				return;
+			}
+			if (showShareDialog) {
+				closeShareDialog();
+				return;
+			}
+			if (showAbout) {
+				closeAbout();
+				return;
+			}
+			if (showProfile) {
+				closeProfile();
+				return;
+			}
+			if (selectedUser) {
+				closeUserFilter();
+				return;
+			}
+			if (selectedMed) {
+				closeMedDetail();
+			}
 		};
-	}, [selectedMed, selectedUser, showProfile, showAbout, showShareDialog]);
+
+		document.addEventListener("keydown", handleEscape);
+		return () => document.removeEventListener("keydown", handleEscape);
+	}, [
+		showImageLightbox,
+		scheduleLightboxImage,
+		showEditStockModal,
+		showRefillModal,
+		showShareDialog,
+		showAbout,
+		showProfile,
+		selectedUser,
+		selectedMed,
+		closeImageLightbox,
+		closeScheduleLightbox,
+		closeEditStockModal,
+		closeRefillModal,
+		closeShareDialog,
+		closeAbout,
+		closeProfile,
+		closeUserFilter,
+		closeMedDetail,
+	]);
+
+	// Prevent background scroll when any modal is open
+	useScrollLock(
+		!!(
+			selectedMed ||
+			selectedUser ||
+			showProfile ||
+			showAbout ||
+			showShareDialog ||
+			showRefillModal ||
+			showEditStockModal ||
+			showImageLightbox ||
+			scheduleLightboxImage
+		)
+	);
 
 	// Update selectedMed when meds change (e.g., after refill)
 	useEffect(() => {
@@ -374,9 +404,57 @@ function AppContent() {
 		await ctx.submitRefill(medId, null, () => {}, loadMeds, usePrescription);
 	};
 
+	useEffect(() => {
+		if (!routeTransitionMaskActive) return;
+		if (location.pathname !== "/medications") return;
+
+		const hasEditMedIdParam = new URLSearchParams(location.search).has("editMedId");
+		if (hasEditMedIdParam) return;
+
+		const remaining = Math.max(0, routeTransitionMinEndRef.current - performance.now());
+		const timer = window.setTimeout(() => setRouteTransitionMaskActive(false), remaining);
+		return () => window.clearTimeout(timer);
+	}, [location.pathname, location.search, routeTransitionMaskActive]);
+
+	useEffect(() => {
+		const handleEditTransitionReady = () => {
+			if (!routeTransitionMaskActive) return;
+			const remaining = Math.max(0, routeTransitionMinEndRef.current - performance.now());
+			window.setTimeout(() => {
+				setRouteTransitionMaskActive(false);
+				if (routeTransitionFallbackTimerRef.current !== null) {
+					window.clearTimeout(routeTransitionFallbackTimerRef.current);
+					routeTransitionFallbackTimerRef.current = null;
+				}
+			}, remaining);
+		};
+
+		window.addEventListener("medassist:edit-transition-ready", handleEditTransitionReady);
+		return () => {
+			window.removeEventListener("medassist:edit-transition-ready", handleEditTransitionReady);
+		};
+	}, [routeTransitionMaskActive]);
+
+	useEffect(() => {
+		return () => {
+			if (routeTransitionFallbackTimerRef.current !== null) {
+				window.clearTimeout(routeTransitionFallbackTimerRef.current);
+			}
+		};
+	}, []);
+
 	const handleOpenMedicationEdit = () => {
 		if (!selectedMed) return;
 		const medId = selectedMed.id;
+		routeTransitionMinEndRef.current = performance.now() + 80;
+		setRouteTransitionMaskActive(true);
+		if (routeTransitionFallbackTimerRef.current !== null) {
+			window.clearTimeout(routeTransitionFallbackTimerRef.current);
+		}
+		routeTransitionFallbackTimerRef.current = window.setTimeout(() => {
+			setRouteTransitionMaskActive(false);
+			routeTransitionFallbackTimerRef.current = null;
+		}, 700);
 		setShowImageLightbox(false);
 		setShowRefillModal(false);
 		setShowEditStockModal(false);
@@ -389,25 +467,15 @@ function AppContent() {
 		openEditStockModal(selectedMed, coverage);
 	};
 
-	function openProfile() {
+	const openProfile = useCallback(() => {
 		setShowProfile(true);
 		window.history.pushState({ modal: "profile" }, "");
-	}
-	function closeProfile() {
-		if (showProfile) {
-			window.history.back();
-		}
-	}
+	}, []);
 
-	function openAbout() {
+	const openAbout = useCallback(() => {
 		setShowAbout(true);
 		window.history.pushState({ modal: "about" }, "");
-	}
-	function closeAbout() {
-		if (showAbout) {
-			window.history.back();
-		}
-	}
+	}, []);
 
 	return (
 		<main className="page">
@@ -509,6 +577,8 @@ function AppContent() {
 			{scheduleLightboxImage && (
 				<Lightbox src={scheduleLightboxImage} alt="Medication" onClose={closeScheduleLightbox} />
 			)}
+
+			<div className={`route-transition-mask${routeTransitionMaskActive ? " active" : ""}`} aria-hidden="true" />
 		</main>
 	);
 }

frontend/src/components/AboutModal.tsx

@@ -1,6 +1,7 @@
 import { useEffect, useState } from "react";
 import { useTranslation } from "react-i18next";
 import { FRONTEND_VERSION, GITHUB_URL } from "../App";
+import { useEscapeKey } from "../hooks/useEscapeKey";
 
 interface UpdateCheckResult {
 	status: "up-to-date" | "update-available" | "error";
@@ -17,6 +18,8 @@ export default function AboutModal({ isOpen, onClose }: AboutModalProps) {
 	const [isChecking, setIsChecking] = useState(false);
 	const [updateCheckResult, setUpdateCheckResult] = useState<UpdateCheckResult | null>(null);
 
+	useEscapeKey(isOpen, onClose);
+
 	// Reset check result when modal opens so stale results are never shown
 	useEffect(() => {
 		if (isOpen) {
@@ -55,20 +58,22 @@ export default function AboutModal({ isOpen, onClose }: AboutModalProps) {
 			className="modal-overlay"
 			onClick={onClose}
 			onKeyDown={(e) => {
-				if (e.key === "Escape") onClose();
+				if (e.key !== "Escape") e.stopPropagation();
 			}}
 		>
 			<div
 				className="modal-content about-modal"
 				onClick={(e) => e.stopPropagation()}
-				onKeyDown={(e) => e.stopPropagation()}
+				onKeyDown={(e) => {
+					if (e.key !== "Escape") e.stopPropagation();
+				}}
 			>
 				<button className="modal-close" onClick={onClose}>
 					×
 				</button>
 				<div className="about-header">
 					<div className="about-logo">
-						<img src="/favicon.svg" alt="MedAssist-ng" />
+						<img src="/app-logo.png" alt="MedAssist-ng" />
 					</div>
 					<h2>{t("about.appName", "MedAssist-ng")}</h2>
 					<p className="about-tagline">{t("about.description", "Personal medication tracking and reminder app")}</p>

frontend/src/components/AppHeader.tsx

@@ -73,7 +73,7 @@ export function AppHeader({ onOpenProfile, onOpenAbout }: AppHeaderProps) {
 	return (
 		<header className="hero">
 			<div className="hero-title">
-				<img src="/favicon.svg" alt="MedAssist-ng" className="hero-logo" />
+				<img src="/app-logo.png" alt="MedAssist-ng" className="hero-logo" />
 				<div>
 					<p className="eyebrow">{pageInfo.eyebrow}</p>
 					<h1>{pageInfo.title}</h1>

frontend/src/components/Auth.tsx

@@ -1,5 +1,9 @@
+/* biome-ignore-all lint/correctness/useExhaustiveDependencies: auth refresh callbacks intentionally coordinate via refs/guards */
 import { createContext, type ReactNode, useCallback, useContext, useEffect, useRef, useState } from "react";
 import { useTranslation } from "react-i18next";
+import { useEscapeKey } from "../hooks/useEscapeKey";
+import { withCorrelation } from "../utils/correlation";
+import { MAX_IMAGE_UPLOAD_BYTES, resolveImageUploadError } from "../utils/image-upload";
 import { log } from "../utils/logger";
 import { ConfirmModal } from "./ConfirmModal";
 import { PasswordInput } from "./PasswordInput";
@@ -60,7 +64,6 @@ export function AuthProvider({ children }: { children: ReactNode }) {
 	const [authState, setAuthState] = useState<AuthState | null>(null);
 	const [loading, setLoading] = useState(true);
 	const [authError, setAuthError] = useState<string | null>(null);
-
 	// Track if initial fetch has been done to prevent duplicate calls
 	const initialFetchDone = useRef(false);
 
@@ -70,7 +73,7 @@ export function AuthProvider({ children }: { children: ReactNode }) {
 		initialFetchDone.current = true;
 		fetchAuthState();
 		// eslint-disable-next-line react-hooks/exhaustive-deps
-	}, []);
+	}, [fetchAuthState]);
 
 	// Proactively refresh token every 10 minutes to prevent expiration
 	useEffect(() => {
@@ -89,15 +92,18 @@ export function AuthProvider({ children }: { children: ReactNode }) {
 
 		return () => clearInterval(refreshInterval);
 		// eslint-disable-next-line react-hooks/exhaustive-deps
-	}, [user, authState?.authEnabled]);
+	}, [user, authState?.authEnabled, refreshUser, tryRefreshToken]);
 
 	async function fetchAuthState(retryCount = 0) {
 		const maxRetries = 3;
 		const retryDelay = 1000; // 1 second
+		let correlationId: string | null = null;
 
 		try {
 			setAuthError(null);
-			const res = await fetch("/api/auth/state");
+			const correlated = withCorrelation(undefined, "fe-auth-state");
+			correlationId = correlated.correlationId;
+			const res = await fetch("/api/auth/state", correlated.init);
 			if (!res.ok) {
 				throw new Error(`Server error: ${res.status}`);
 			}
@@ -110,7 +116,9 @@ export function AuthProvider({ children }: { children: ReactNode }) {
 			}
 			setLoading(false);
 		} catch (err) {
-			log.error(`Failed to fetch auth state (attempt ${retryCount + 1}/${maxRetries + 1}):`, err);
+			log.error(`Failed to fetch auth state (attempt ${retryCount + 1}/${maxRetries + 1}):`, err, {
+				correlationId,
+			});
 
 			// Retry on connection errors or 5xx errors (server might be restarting)
 			if (retryCount < maxRetries) {
@@ -125,27 +133,38 @@ export function AuthProvider({ children }: { children: ReactNode }) {
 
 	async function refreshUser() {
 		try {
-			const res = await fetch("/api/auth/me", { credentials: "include" });
+			const { correlationId, init } = withCorrelation({ credentials: "include" }, "fe-auth-me");
+			const res = await fetch("/api/auth/me", init);
 			if (res.ok) {
 				const userData = await res.json();
 				setUser(userData);
+				log.debug("[Auth] Session user loaded", { userId: userData.id, correlationId });
 			} else if (res.status === 401) {
 				// Access token expired - try to refresh it
+				log.info("[Auth] Access token invalid, attempting refresh", { correlationId });
 				const refreshed = await tryRefreshToken();
 				if (refreshed) {
 					// Retry /auth/me with new token
-					const retryRes = await fetch("/api/auth/me", { credentials: "include" });
+					const retry = withCorrelation({ credentials: "include" }, "fe-auth-me-retry");
+					const retryRes = await fetch("/api/auth/me", retry.init);
 					if (retryRes.ok) {
 						const userData = await retryRes.json();
 						setUser(userData);
+						log.info("[Auth] Session restored after token refresh", {
+							userId: userData.id,
+							correlationId: retry.correlationId,
+						});
 						return;
 					}
 				}
+				log.warn("[Auth] Session refresh failed, clearing local user state", { correlationId });
 				setUser(null);
 			} else {
+				log.warn("[Auth] Unexpected /auth/me response", { status: res.status, correlationId });
 				setUser(null);
 			}
-		} catch {
+		} catch (error) {
+			log.error("[Auth] Failed to refresh user", { error });
 			setUser(null);
 		}
 	}
@@ -153,31 +172,46 @@ export function AuthProvider({ children }: { children: ReactNode }) {
 	// Try to refresh the access token using the refresh token
 	async function tryRefreshToken(): Promise<boolean> {
 		try {
-			const res = await fetch("/api/auth/refresh", {
-				method: "POST",
-				credentials: "include",
-			});
+			const { correlationId, init } = withCorrelation(
+				{
+					method: "POST",
+					credentials: "include",
+				},
+				"fe-auth-refresh"
+			);
+			const res = await fetch("/api/auth/refresh", init);
+			if (!res.ok) {
+				log.warn("[Auth] Token refresh rejected", { status: res.status, correlationId });
+			}
 			return res.ok;
-		} catch {
+		} catch (error) {
+			log.error("[Auth] Token refresh request failed", { error });
 			return false;
 		}
 	}
 
 	async function login(username: string, password: string, rememberMe: boolean = false) {
-		const res = await fetch("/api/auth/login", {
-			method: "POST",
-			headers: { "Content-Type": "application/json" },
-			credentials: "include",
-			body: JSON.stringify({ username, password, rememberMe }),
-		});
+		const { correlationId, init } = withCorrelation(
+			{
+				method: "POST",
+				headers: { "Content-Type": "application/json" },
+				credentials: "include",
+				body: JSON.stringify({ username, password, rememberMe }),
+			},
+			"fe-auth-login"
+		);
+		log.info("[Auth] Login requested", { username, rememberMe, correlationId });
+		const res = await fetch("/api/auth/login", init);
 
 		if (!res.ok) {
 			const data = await res.json();
+			log.warn("[Auth] Login failed", { username, status: res.status, code: data.code, correlationId });
 			throw new Error(data.error || "Login failed");
 		}
 
 		const data = await res.json();
 		setUser(data.user);
+		log.info("[Auth] Login successful", { userId: data.user?.id, username: data.user?.username, correlationId });
 	}
 
 	async function register(username: string, password: string) {
@@ -201,11 +235,17 @@ export function AuthProvider({ children }: { children: ReactNode }) {
 	}
 
 	async function logout() {
-		await fetch("/api/auth/logout", {
-			method: "POST",
-			credentials: "include",
-		});
+		const { correlationId, init } = withCorrelation(
+			{
+				method: "POST",
+				credentials: "include",
+			},
+			"fe-auth-logout"
+		);
+		log.info("[Auth] Logout requested", { userId: user?.id ?? null, correlationId });
+		await fetch("/api/auth/logout", init);
 		setUser(null);
+		log.info("[Auth] Logout completed", { correlationId });
 	}
 
 	async function updateProfile(data: { currentPassword?: string; newPassword?: string }) {
@@ -236,8 +276,16 @@ export function AuthProvider({ children }: { children: ReactNode }) {
 		});
 
 		if (!res.ok) {
-			const err = await res.json().catch(() => ({ error: "Upload failed" }));
-			throw new Error(err.error || "Upload failed");
+			let code = "UNKNOWN";
+			try {
+				const body = (await res.json()) as { code?: string };
+				if (typeof body?.code === "string" && body.code.trim().length > 0) {
+					code = body.code;
+				}
+			} catch {
+				// No JSON body
+			}
+			throw new Error(code);
 		}
 
 		await refreshUser();
@@ -574,34 +622,32 @@ export function UserProfile({ onClose }: { onClose?: () => void }) {
 	const [confirmPassword, setConfirmPassword] = useState("");
 	const [error, setError] = useState("");
 	const [success, setSuccess] = useState("");
+	const [avatarError, setAvatarError] = useState("");
 	const [loading, setLoading] = useState(false);
 	const [avatarLoading, setAvatarLoading] = useState(false);
 	const [showDeleteConfirm, setShowDeleteConfirm] = useState(false);
 	const [deleteLoading, setDeleteLoading] = useState(false);
 	const fileInputRef = useRef<HTMLInputElement>(null);
 
-	// Close on Escape key
-	useEffect(() => {
-		const handleEscape = (e: KeyboardEvent) => {
-			if (e.key === "Escape" && onClose) {
-				onClose();
-			}
-		};
-		document.addEventListener("keydown", handleEscape);
-		return () => document.removeEventListener("keydown", handleEscape);
-	}, [onClose]);
+	useEscapeKey(!!onClose, onClose ?? (() => {}));
 
 	async function handleAvatarUpload(e: React.ChangeEvent<HTMLInputElement>) {
 		const file = e.target.files?.[0];
 		if (!file) return;
+		if (file.size > MAX_IMAGE_UPLOAD_BYTES) {
+			setAvatarError(t("form.imageUploadErrors.tooLarge"));
+			if (fileInputRef.current) fileInputRef.current.value = "";
+			return;
+		}
 
 		setAvatarLoading(true);
-		setError("");
+		setAvatarError("");
 		try {
 			await uploadAvatar(file);
-			setSuccess(t("auth.avatarUpdated", "Avatar updated"));
+			setAvatarError("");
 		} catch (err) {
-			setError(err instanceof Error ? err.message : "Upload failed");
+			const code = err instanceof Error ? err.message : "UNKNOWN";
+			setAvatarError(resolveImageUploadError(code, t));
 		} finally {
 			setAvatarLoading(false);
 			if (fileInputRef.current) fileInputRef.current.value = "";
@@ -610,12 +656,13 @@ export function UserProfile({ onClose }: { onClose?: () => void }) {
 
 	async function handleAvatarDelete() {
 		setAvatarLoading(true);
-		setError("");
+		setAvatarError("");
 		try {
 			await deleteAvatar();
-			setSuccess(t("auth.avatarRemoved", "Avatar removed"));
+			setAvatarError("");
 		} catch (err) {
-			setError(err instanceof Error ? err.message : "Delete failed");
+			const code = err instanceof Error ? err.message : "UNKNOWN";
+			setAvatarError(resolveImageUploadError(code, t));
 		} finally {
 			setAvatarLoading(false);
 		}
@@ -710,6 +757,7 @@ export function UserProfile({ onClose }: { onClose?: () => void }) {
 					</div>
 				</div>
 				<span className="profile-username">{user.username}</span>
+				{avatarError && <span className="field-error">{avatarError}</span>}
 			</div>
 
 			<form onSubmit={handleUpdate} className="profile-form">

frontend/src/components/ConfirmModal.tsx

@@ -2,7 +2,8 @@
 // ConfirmModal Component - Simple confirmation dialog
 // =============================================================================
 
-import { type ReactNode, useEffect } from "react";
+import type { ReactNode } from "react";
+import { useEscapeKey } from "../hooks/useEscapeKey";
 
 export interface ConfirmModalProps {
 	title: string;
@@ -27,29 +28,22 @@ export function ConfirmModal({
 	confirmVariant = "primary",
 	overlayClassName,
 }: ConfirmModalProps) {
-	// Close on Escape key
-	useEffect(() => {
-		function handleKeyDown(e: KeyboardEvent) {
-			if (e.key === "Escape") {
-				onCancel();
-			}
-		}
-		document.addEventListener("keydown", handleKeyDown);
-		return () => document.removeEventListener("keydown", handleKeyDown);
-	}, [onCancel]);
+	useEscapeKey(true, onCancel);
 
 	return (
 		<div
 			className={`modal-overlay${overlayClassName ? ` ${overlayClassName}` : ""}`}
 			onClick={onCancel}
 			onKeyDown={(e) => {
-				if (e.key === "Escape") onCancel();
+				if (e.key !== "Escape") e.stopPropagation();
 			}}
 		>
 			<div
 				className="modal-content confirm-modal"
 				onClick={(e) => e.stopPropagation()}
-				onKeyDown={(e) => e.stopPropagation()}
+				onKeyDown={(e) => {
+					if (e.key !== "Escape") e.stopPropagation();
+				}}
 				style={{ maxWidth: "450px" }}
 			>
 				<button className="modal-close" onClick={onCancel}>

frontend/src/components/ExportModal.tsx

@@ -1,4 +1,6 @@
 import { useTranslation } from "react-i18next";
+import { useEscapeKey } from "../hooks/useEscapeKey";
+import { useScrollLock } from "../hooks/useScrollLock";
 
 interface ExportModalProps {
 	isOpen: boolean;
@@ -10,6 +12,9 @@ interface ExportModalProps {
 export default function ExportModal({ isOpen, onClose, onExport, exporting }: ExportModalProps) {
 	const { t } = useTranslation();
 
+	useScrollLock(isOpen);
+	useEscapeKey(isOpen, onClose);
+
 	if (!isOpen) return null;
 
 	return (
@@ -17,13 +22,15 @@ export default function ExportModal({ isOpen, onClose, onExport, exporting }: Ex
 			className="modal-overlay"
 			onClick={onClose}
 			onKeyDown={(e) => {
-				if (e.key === "Escape") onClose();
+				if (e.key !== "Escape") e.stopPropagation();
 			}}
 		>
 			<div
 				className="modal-content"
 				onClick={(e) => e.stopPropagation()}
-				onKeyDown={(e) => e.stopPropagation()}
+				onKeyDown={(e) => {
+					if (e.key !== "Escape") e.stopPropagation();
+				}}
 				style={{ maxWidth: "450px" }}
 			>
 				<button className="modal-close" onClick={onClose}>

frontend/src/components/FormNumberStepper.tsx

@@ -0,0 +1,117 @@
+import { Minus, Plus } from "lucide-react";
+
+interface FormNumberStepperProps {
+	value: string;
+	onChange: (nextValue: string) => void;
+	min?: number;
+	max?: number;
+	step?: number;
+	allowDecimal?: boolean;
+	decrementLabel: string;
+	incrementLabel: string;
+	className?: string;
+}
+
+const DECIMAL_ROUNDING_FACTOR = 1000;
+
+function clamp(value: number, min: number, max?: number): number {
+	const clampedMin = Math.max(min, value);
+	if (max == null) return clampedMin;
+	return Math.min(max, clampedMin);
+}
+
+function normalizeDecimal(value: number): number {
+	return Math.round(value * DECIMAL_ROUNDING_FACTOR) / DECIMAL_ROUNDING_FACTOR;
+}
+
+function toDisplayValue(value: number, allowDecimal: boolean): string {
+	if (!allowDecimal) return String(Math.max(0, Math.trunc(value)));
+	const normalized = normalizeDecimal(value);
+	return normalized.toString();
+}
+
+function sanitizeRawInput(raw: string, allowDecimal: boolean): string {
+	const normalizedRaw = raw.replace(",", ".");
+	if (allowDecimal) {
+		const cleaned = normalizedRaw.replace(/[^\d.]/g, "");
+		const [integerPart = "", ...fractionalParts] = cleaned.split(".");
+		if (fractionalParts.length === 0) return integerPart;
+		return `${integerPart}.${fractionalParts.join("")}`;
+	}
+	return normalizedRaw.replace(/\D/g, "");
+}
+
+function parseInputValue(raw: string, allowDecimal: boolean): number | null {
+	if (raw.trim() === "") return null;
+	const parsed = allowDecimal ? Number.parseFloat(raw) : Number.parseInt(raw, 10);
+	if (Number.isNaN(parsed)) return null;
+	return parsed;
+}
+
+export function FormNumberStepper({
+	value,
+	onChange,
+	min = 0,
+	max,
+	step = 1,
+	allowDecimal = false,
+	decrementLabel,
+	incrementLabel,
+	className = "",
+}: FormNumberStepperProps) {
+	const parsed = parseInputValue(value, allowDecimal);
+	const baseValue = parsed ?? min;
+	const canDecrement = baseValue > min;
+	const canIncrement = max == null || baseValue < max;
+
+	const normalizedClassName = ["number-stepper", "form-number-stepper", className].filter(Boolean).join(" ");
+
+	const handleStep = (direction: -1 | 1) => {
+		const nextRaw = clamp(baseValue + direction * step, min, max);
+		onChange(toDisplayValue(nextRaw, allowDecimal));
+	};
+
+	const handleInputChange = (nextRaw: string) => {
+		onChange(sanitizeRawInput(nextRaw, allowDecimal));
+	};
+
+	const handleBlur = () => {
+		const nextParsed = parseInputValue(value, allowDecimal);
+		if (nextParsed == null) return;
+		const clamped = clamp(nextParsed, min, max);
+		onChange(toDisplayValue(clamped, allowDecimal));
+	};
+
+	return (
+		<div className={normalizedClassName}>
+			{/* Input first in DOM so <label> associates with it, not the decrement button.
+			    CSS order restores the visual layout: [−] [input] [+]. */}
+			<input
+				type="text"
+				inputMode={allowDecimal ? "decimal" : "numeric"}
+				pattern={allowDecimal ? "[0-9]*\\.?[0-9]*" : "[0-9]*"}
+				value={value}
+				onChange={(e) => handleInputChange(e.target.value)}
+				onBlur={handleBlur}
+			/>
+			<button
+				type="button"
+				className="stepper-btn decrement"
+				onClick={() => handleStep(-1)}
+				disabled={!canDecrement}
+				aria-label={decrementLabel}
+			>
+				<Minus size={16} aria-hidden="true" />
+			</button>
+			<button
+				type="button"
+				className="stepper-btn increment"
+				onClick={() => handleStep(1)}
+				disabled={!canIncrement}
+				aria-label={incrementLabel}
+			>
+				<Plus size={16} aria-hidden="true" />
+			</button>
+		</div>
+	);
+}

frontend/src/components/Lightbox.tsx

@@ -3,7 +3,7 @@
 // =============================================================================
 
 import type { MouseEvent } from "react";
-import { useEffect } from "react";
+import { useEscapeKey } from "../hooks/useEscapeKey";
 
 export interface LightboxProps {
 	src: string;
@@ -12,16 +12,7 @@ export interface LightboxProps {
 }
 
 export function Lightbox({ src, alt, onClose }: LightboxProps) {
-	useEffect(() => {
-		const handleKeyDown = (event: KeyboardEvent) => {
-			if (event.key === "Escape") {
-				onClose();
-			}
-		};
-
-		document.addEventListener("keydown", handleKeyDown);
-		return () => document.removeEventListener("keydown", handleKeyDown);
-	}, [onClose]);
+	useEscapeKey(true, onClose);
 
 	function handleOverlayClick(e: MouseEvent) {
 		e.stopPropagation();
@@ -31,7 +22,13 @@ export function Lightbox({ src, alt, onClose }: LightboxProps) {
 	}
 
 	return (
-		<div className="lightbox-overlay" onClick={handleOverlayClick}>
+		<div
+			className="lightbox-overlay"
+			onClick={handleOverlayClick}
+			onKeyDown={(e) => {
+				if (e.key !== "Escape") e.stopPropagation();
+			}}
+		>
 			<div className="lightbox-container">
 				<button className="lightbox-close" onClick={onClose}>
 					×
@@ -41,7 +38,9 @@ export function Lightbox({ src, alt, onClose }: LightboxProps) {
 					alt={alt}
 					className="lightbox-image"
 					onClick={(e) => e.stopPropagation()}
-					onKeyDown={(e) => e.stopPropagation()}
+					onKeyDown={(e) => {
+						if (e.key !== "Escape") e.stopPropagation();
+					}}
 				/>
 			</div>
 		</div>

frontend/src/components/MedDetailModal.tsx

@@ -6,13 +6,16 @@
  * 1. Context mode: Uses useAppContext() for all state (when no props provided)
  * 2. Props mode: Accepts all required data as props (for gradual adoption)
  */
+/* biome-ignore-all lint/a11y/noLabelWithoutControl: modal uses label-styled wrappers with custom interactive rows */
+/* biome-ignore-all lint/style/noNestedTernary: stock/preview rendering keeps explicit branch mapping */
 
 import { Bell, Calendar, ClipboardList, FilePenLine, Minus, NotebookPen, Pencil, Plus, X } from "lucide-react";
 import { useEffect, useRef, useState } from "react";
 import { useTranslation } from "react-i18next";
 import { Lightbox, MedicationAvatar } from "../components";
+import { useEscapeKey } from "../hooks";
 import type { Coverage, Medication, RefillEntry, StockThresholds } from "../types";
-import { getMedTotal, getPackageSize } from "../types";
+import { getMedDisplayName, getMedTotal, getPackageSize } from "../types";
 import { formatNumber, generateICS, getExpiryClass, getSystemLocale } from "../utils";
 import { getStockStatus } from "../utils/schedule";
 import { splitCurrentBlisterStock } from "../utils/stock";
@@ -153,21 +156,11 @@ export function MedDetailModal({
 		}
 	}, [showEditStockModal, editStockFullBlisters, editStockPartialBlisterPills, editStockLoosePills]);
 
-	useEffect(() => {
-		if (!showEditStockModal) return;
-		const handleEscape = (event: KeyboardEvent) => {
-			if (event.key === "Escape") {
-				event.stopPropagation();
-				if (typeof event.stopImmediatePropagation === "function") {
-					event.stopImmediatePropagation();
-				}
-				event.preventDefault();
-				onCloseEditStockModal();
-			}
-		};
-		document.addEventListener("keydown", handleEscape, true);
-		return () => document.removeEventListener("keydown", handleEscape, true);
-	}, [showEditStockModal, onCloseEditStockModal]);
+	// Escape key: only one handler is active at a time (sub-modal states are mutually exclusive).
+	// Lightbox has its own useEscapeKey internally.
+	useEscapeKey(!showEditStockModal && !showImageLightbox && !showRefillModal, onClose);
+	useEscapeKey(showEditStockModal, onCloseEditStockModal);
+	useEscapeKey(showRefillModal, onCloseRefillModal);
 
 	useEffect(() => {
 		if (showEditStockModal) return;
@@ -200,7 +193,7 @@ export function MedDetailModal({
 
 	if (!selectedMed) return null;
 
-	const medCoverage = coverage.all.find((c) => c.name === selectedMed.name);
+	const medCoverage = coverage.all.find((c) => c.name === getMedDisplayName(selectedMed));
 	const packageSize = getPackageSize(selectedMed);
 	// Structural max = sealed package capacity only (excludes pre-existing looseTablets).
 	const structuralMax =
@@ -273,6 +266,14 @@ export function MedDetailModal({
 
 		return (
 			<div className="number-stepper refill-number-stepper">
+				<input
+					type="number"
+					min={min}
+					max={max}
+					value={value}
+					onChange={(e) => onChange(e.target.value)}
+					onBlur={onBlur}
+				/>
 				<button
 					type="button"
 					className="stepper-btn decrement"
@@ -282,14 +283,6 @@ export function MedDetailModal({
 				>
 					<Minus size={16} aria-hidden="true" />
 				</button>
-				<input
-					type="number"
-					min={min}
-					max={max}
-					value={value}
-					onChange={(e) => onChange(e.target.value)}
-					onBlur={onBlur}
-				/>
 				<button
 					type="button"
 					className="stepper-btn increment"
@@ -319,16 +312,7 @@ export function MedDetailModal({
 		const canIncrement = clamped < max;
 
 		return (
-			<div className="number-stepper">
-				<button
-					type="button"
-					className="stepper-btn decrement"
-					onClick={() => onChange(Math.max(min, clamped - 1))}
-					disabled={!canDecrement}
-					aria-label={decrementLabel}
-				>
-					<Minus size={16} aria-hidden="true" />
-				</button>
+			<div className="number-stepper refill-number-stepper">
 				<input
 					type="number"
 					min={min}
@@ -339,6 +323,15 @@ export function MedDetailModal({
 						onChange(Number.isNaN(parsed) ? min : Math.min(max, Math.max(min, parsed)));
 					}}
 				/>
+				<button
+					type="button"
+					className="stepper-btn decrement"
+					onClick={() => onChange(Math.max(min, clamped - 1))}
+					disabled={!canDecrement}
+					aria-label={decrementLabel}
+				>
+					<Minus size={16} aria-hidden="true" />
+				</button>
 				<button
 					type="button"
 					className="stepper-btn increment"
@@ -367,21 +360,15 @@ export function MedDetailModal({
 					onCloseEditStockModal();
 				}}
 				onKeyDown={(e) => {
-					e.stopPropagation();
-					if (e.key === "Escape") onCloseEditStockModal();
+					if (e.key !== "Escape") e.stopPropagation();
 				}}
 			>
 				<div
 					className="modal-content edit-stock-modal"
 					onClick={(e) => e.stopPropagation()}
-					onKeyDownCapture={(e) => {
-						if (e.key === "Escape") {
-							e.preventDefault();
-							e.stopPropagation();
-							onCloseEditStockModal();
-						}
+					onKeyDown={(e) => {
+						if (e.key !== "Escape") e.stopPropagation();
 					}}
-					onKeyDown={(e) => e.stopPropagation()}
 				>
 					<button
 						type="button"
@@ -393,7 +380,7 @@ export function MedDetailModal({
 						<X size={18} aria-hidden="true" />
 					</button>
 					<h2>{t("editStock.title")}</h2>
-					<p className="edit-stock-med-name">{selectedMed.name}</p>
+					<p className="edit-stock-med-name">{getMedDisplayName(selectedMed)}</p>
 					<p className="edit-stock-hint">{t("editStock.hint")}</p>
 					{selectedMed.packageType === "blister" && (
 						<p className="edit-stock-cap-info edit-stock-live-breakdown">
@@ -474,7 +461,7 @@ export function MedDetailModal({
 														const rawFull = raw === "" ? 0 : Math.max(0, parseStockInput(raw));
 														const rawPartial = Math.max(0, parseStockInput(editStockPartialInput));
 														const rawLoose = Math.max(0, parseStockInput(editStockLooseInput));
-														const rawTotal = rawFull * selectedMed.pillsPerBlister + rawPartial + rawLoose;
+														const _rawTotal = rawFull * selectedMed.pillsPerBlister + rawPartial + rawLoose;
 														setEditStockFullInput(raw);
 														const normalized = normalizeBlisterStock(rawFull, rawPartial, rawLoose);
 														onEditStockFullBlistersChange(normalized.full);
@@ -503,7 +490,7 @@ export function MedDetailModal({
 														const rawFull = Math.max(0, parseStockInput(editStockFullInput) + delta);
 														const rawPartial = Math.max(0, parseStockInput(editStockPartialInput));
 														const rawLoose = Math.max(0, parseStockInput(editStockLooseInput));
-														const rawTotal = rawFull * selectedMed.pillsPerBlister + rawPartial + rawLoose;
+														const _rawTotal = rawFull * selectedMed.pillsPerBlister + rawPartial + rawLoose;
 														const normalized = normalizeBlisterStock(rawFull, rawPartial, rawLoose);
 														onEditStockFullBlistersChange(normalized.full);
 														onEditStockPartialBlisterPillsChange(normalized.partial);
@@ -560,7 +547,7 @@ export function MedDetailModal({
 														const nextPartial = Math.max(0, parseStockInput(editStockPartialInput) + delta);
 														const nextFull = Math.max(0, parseStockInput(editStockFullInput));
 														const nextLoose = Math.max(0, parseStockInput(editStockLooseInput));
-														const rawTotal = nextFull * selectedMed.pillsPerBlister + nextPartial + nextLoose;
+														const _rawTotal = nextFull * selectedMed.pillsPerBlister + nextPartial + nextLoose;
 														const normalized = normalizeBlisterStock(nextFull, nextPartial, nextLoose);
 														onEditStockFullBlistersChange(normalized.full);
 														onEditStockPartialBlisterPillsChange(normalized.partial);
@@ -646,8 +633,7 @@ export function MedDetailModal({
 			className="modal-overlay med-detail-overlay"
 			onClick={onClose}
 			onKeyDown={(e) => {
-				if (showEditStockModal) return;
-				if (e.key === "Escape") onClose();
+				if (e.key !== "Escape") e.stopPropagation();
 			}}
 		>
 			<div
@@ -655,14 +641,9 @@ export function MedDetailModal({
 				ref={detailModalRef}
 				tabIndex={-1}
 				onClick={(e) => e.stopPropagation()}
-				onKeyDownCapture={(e) => {
-					if (e.key === "Escape") {
-						e.preventDefault();
-						e.stopPropagation();
-						onClose();
-					}
+				onKeyDown={(e) => {
+					if (e.key !== "Escape") e.stopPropagation();
 				}}
-				onKeyDown={(e) => e.stopPropagation()}
 			>
 				<button
 					type="button"
@@ -686,18 +667,20 @@ export function MedDetailModal({
 								}
 							}}
 						>
-							<MedicationAvatar name={selectedMed.name} imageUrl={selectedMed.imageUrl} size="lg" />
+							<MedicationAvatar name={getMedDisplayName(selectedMed)} imageUrl={selectedMed.imageUrl} size="lg" />
 							{selectedMed.imageUrl && <span className="expand-icon">🔍</span>}
 						</div>
 						<div className="med-detail-titles">
-							<h2>{selectedMed.name}</h2>
-							{selectedMed.genericName && <span className="med-generic-name">{selectedMed.genericName}</span>}
+							<h2>{getMedDisplayName(selectedMed)}</h2>
+							{selectedMed.name && selectedMed.genericName && (
+								<span className="med-generic-name">{selectedMed.genericName}</span>
+							)}
 							{selectedMed.takenBy && (selectedMed.takenBy || []).length > 0 && (
 								<span className="med-taken-by">
 									{t("modal.for")}{" "}
 									{selectedMed.takenBy.map((person, index) => (
-										<span key={person}>
-											{index > 0 && ", "}
+										<span key={person} style={{ whiteSpace: "nowrap" }}>
+											{index > 0 && (index === selectedMed.takenBy.length - 1 ? ` ${t("common.and")} ` : ", ")}
 											{person}
 											{selectedMed.intakes?.some(
 												(intake) => intake.takenBy === person && intake.intakeRemindersEnabled
@@ -815,35 +798,49 @@ export function MedDetailModal({
 								)}
 							</h3>
 							<div className="med-detail-schedules">
-								{selectedMed.blisters.map((blister, idx) => {
-									// When using new intakes format with per-intake takenBy,
-									// each intake already represents one person's dose — don't multiply.
-									// For legacy intakes (no per-intake takenBy), multiply by personCount.
-									const intake = selectedMed.intakes?.[idx];
-									const hasPerIntakeTakenBy = !!intake?.takenBy;
-									const personCount = hasPerIntakeTakenBy ? 1 : Math.max(1, selectedMed.takenBy?.length || 1);
-									const totalUsage = blister.usage * personCount;
+								{(selectedMed.intakes && selectedMed.intakes.length > 0
+									? selectedMed.intakes
+									: selectedMed.blisters.map((blister) => ({
+											usage: blister.usage,
+											every: blister.every,
+											start: blister.start,
+											takenBy: null,
+											intakeRemindersEnabled: selectedMed.intakeRemindersEnabled ?? false,
+										}))
+								).map((intake, idx) => {
+									const hasPerIntakeTakenBy = !!intake.takenBy;
+									const personCount = Math.max(1, selectedMed.takenBy?.length ?? 0);
+									const totalUsage = hasPerIntakeTakenBy ? intake.usage : intake.usage * personCount;
+									const showIntakeBell = intake.intakeRemindersEnabled ?? selectedMed.intakeRemindersEnabled ?? false;
+
 									return (
-										<div key={idx} className="med-schedule-item">
+										<div key={`${intake.start}-${intake.usage}-${intake.every}-${idx}`} className="med-schedule-item">
 											<span className="med-schedule-usage">
 												{totalUsage} {totalUsage !== 1 ? t("common.pills") : t("common.pill")}
 												{selectedMed.pillWeightMg &&
 													` (${totalUsage * selectedMed.pillWeightMg} ${selectedMed.doseUnit ?? "mg"})`}
 											</span>
 											<span className="med-schedule-freq">
-												{blister.every === 1 ? t("common.daily") : t("common.everyNDays", { count: blister.every })}
+												{intake.every === 1 ? t("common.daily") : t("common.everyNDays", { count: intake.every })}
 											</span>
-											{hasPerIntakeTakenBy && intake.takenBy && (
-												<span className="med-schedule-person">{intake.takenBy}</span>
+											{hasPerIntakeTakenBy && (
+												<span className="med-schedule-person">
+													{intake.takenBy}
+													{showIntakeBell && (
+														<span className="med-schedule-bell" role="img" aria-label={t("tooltips.intakeReminders")}>
+															<Bell size={13} aria-hidden="true" />
+														</span>
+													)}
+												</span>
 											)}
-											{intake?.intakeRemindersEnabled && (
+											{!hasPerIntakeTakenBy && showIntakeBell && (
 												<span className="med-schedule-bell" role="img" aria-label={t("tooltips.intakeReminders")}>
 													<Bell size={13} aria-hidden="true" />
 												</span>
 											)}
 											<span className="med-schedule-time">
 												{t("modal.at")}{" "}
-												{new Date(blister.start).toLocaleTimeString(getSystemLocale(i18n.language), {
+												{new Date(intake.start).toLocaleTimeString(getSystemLocale(i18n.language), {
 													hour: "2-digit",
 													minute: "2-digit",
 												})}
@@ -1022,7 +1019,11 @@ export function MedDetailModal({
 
 			{/* Image Lightbox */}
 			{showImageLightbox && selectedMed.imageUrl && (
-				<Lightbox src={`/api/images/${selectedMed.imageUrl}`} alt={selectedMed.name} onClose={onCloseImageLightbox} />
+				<Lightbox
+					src={`/api/images/${selectedMed.imageUrl}`}
+					alt={getMedDisplayName(selectedMed)}
+					onClose={onCloseImageLightbox}
+				/>
 			)}
 
 			{/* Refill Modal */}
@@ -1034,14 +1035,15 @@ export function MedDetailModal({
 						onCloseRefillModal();
 					}}
 					onKeyDown={(e) => {
-						e.stopPropagation();
-						if (e.key === "Escape") onCloseRefillModal();
+						if (e.key !== "Escape") e.stopPropagation();
 					}}
 				>
 					<div
 						className="modal-content refill-modal"
 						onClick={(e) => e.stopPropagation()}
-						onKeyDown={(e) => e.stopPropagation()}
+						onKeyDown={(e) => {
+							if (e.key !== "Escape") e.stopPropagation();
+						}}
 					>
 						<button
 							type="button"
@@ -1053,7 +1055,7 @@ export function MedDetailModal({
 							<X size={18} aria-hidden="true" />
 						</button>
 						<h2>{t("refill.title")}</h2>
-						<p className="refill-med-name">{selectedMed.name}</p>
+						<p className="refill-med-name">{getMedDisplayName(selectedMed)}</p>
 
 						<div className="refill-form">
 							{selectedMed.packageType === "blister" ? (

frontend/src/components/MedicationAvatar.tsx

@@ -2,6 +2,8 @@
 // MedicationAvatar Component
 // =============================================================================
 
+import { useEffect, useState } from "react";
+
 export type MedicationAvatarProps = {
 	name: string;
 	imageUrl?: string | null;
@@ -9,6 +11,12 @@ export type MedicationAvatarProps = {
 };
 
 export function MedicationAvatar({ name, imageUrl, size = "sm" }: MedicationAvatarProps) {
+	const [thumbFailed, setThumbFailed] = useState(false);
+
+	useEffect(() => {
+		setThumbFailed(false);
+	}, [imageUrl]);
+
 	const initials =
 		name
 			.split(" ")
@@ -19,7 +27,26 @@ export function MedicationAvatar({ name, imageUrl, size = "sm" }: MedicationAvat
 	const sizeClass = `med-avatar med-avatar-${size}`;
 
 	if (imageUrl) {
-		return <img src={`/api/images/${imageUrl}`} alt={name} className={sizeClass} />;
+		const normalizedImageUrl = imageUrl.toLowerCase();
+		const shouldUseThumbFirst = normalizedImageUrl.endsWith(".webp");
+		const extIndex = imageUrl.lastIndexOf(".");
+		const baseName = extIndex > 0 ? imageUrl.slice(0, extIndex) : imageUrl;
+		const thumbSrc = `/api/images/${baseName}-thumb.webp`;
+		const fullSrc = `/api/images/${imageUrl}`;
+		const resolvedSrc = shouldUseThumbFirst && !thumbFailed ? thumbSrc : fullSrc;
+
+		return (
+			<img
+				src={resolvedSrc}
+				alt={name}
+				className={sizeClass}
+				loading="lazy"
+				decoding="async"
+				onError={() => {
+					if (shouldUseThumbFirst && !thumbFailed) setThumbFailed(true);
+				}}
+			/>
+		);
 	}
 	return <div className={`${sizeClass} med-avatar-initials`}>{initials}</div>;
 }

frontend/src/components/MobileEditModal.tsx

@@ -3,13 +3,17 @@
  * Handles new medication creation and editing existing medications
  */
 
+/* biome-ignore-all lint/a11y/noLabelWithoutControl: modal uses custom DateInput and static value fields */
 import { Bell, Minus, Plus, Trash2 } from "lucide-react";
 import { useEffect, useRef, useState } from "react";
 import { useTranslation } from "react-i18next";
+import { useEscapeKey } from "../hooks/useEscapeKey";
+import { useScrollLock } from "../hooks/useScrollLock";
 import type { DoseUnit, FieldErrors, FormBlister, FormIntake, FormState, Medication } from "../types";
 import { DOSE_UNITS } from "../types";
 import { deriveTotal } from "../utils";
 import { DateInput } from "./DateInput";
+import { FormNumberStepper } from "./FormNumberStepper";
 
 // Field limits for validation
 const FIELD_LIMITS = {
@@ -55,6 +59,7 @@ export interface MobileEditModalProps {
 	meds: Medication[];
 	onUploadMedImage: (medId: number, file: File) => Promise<void>;
 	onDeleteMedImage: (medId: number) => Promise<void>;
+	imageUploadError: string | null;
 	// Actions
 	onClose: () => void;
 	onResetForm: () => void;
@@ -91,9 +96,9 @@ export function MobileEditModal({
 	onAddTakenByPerson,
 	onRemoveTakenByPerson,
 	onTakenByKeyDown,
-	onSetBlisterValue,
-	onAddBlister,
-	onRemoveBlister,
+	_onSetBlisterValue,
+	_onAddBlister,
+	_onRemoveBlister,
 	onSetIntakeValue,
 	onAddIntake,
 	onRemoveIntake,
@@ -101,11 +106,14 @@ export function MobileEditModal({
 	meds,
 	onUploadMedImage,
 	onDeleteMedImage,
+	imageUploadError,
 	onClose,
 	_onResetForm,
 	onSaveMedication,
 }: MobileEditModalProps) {
 	const { t } = useTranslation();
+	const decrementValueLabel = t("editStock.decreaseValue");
+	const incrementValueLabel = t("editStock.increaseValue");
 	const [activeTab, setActiveTab] = useState<MobileTab>("general");
 	const fieldsetRef = useRef<HTMLFieldSetElement | null>(null);
 	const tabStripRef = useRef<HTMLDivElement | null>(null);
@@ -114,74 +122,27 @@ export function MobileEditModal({
 	const swipeAxisRef = useRef<"x" | "y" | null>(null);
 	const [swipeDeltaX, setSwipeDeltaX] = useState(0);
 	const [isHorizontalSwiping, setIsHorizontalSwiping] = useState(false);
+	const [showNameValidation, setShowNameValidation] = useState(false);
 	const activeTabIndexRef = useRef(0);
 
 	// Reset tab when modal opens
 	useEffect(() => {
-		if (show) setActiveTab("general");
+		if (show) {
+			setActiveTab("general");
+			setShowNameValidation(false);
+		}
 	}, [show]);
 
-	// Close on Escape key
 	useEffect(() => {
-		if (!show) return;
-		function handleKeyDown(e: KeyboardEvent) {
-			if (e.key === "Escape") {
-				onClose();
-			}
+		if (show && (hasValidationErrors || !!fieldErrors.name)) {
+			setShowNameValidation(true);
 		}
-		document.addEventListener("keydown", handleKeyDown);
-		return () => document.removeEventListener("keydown", handleKeyDown);
-	}, [show, onClose]);
+	}, [show, hasValidationErrors, fieldErrors.name]);
+
+	useEscapeKey(show, onClose);
 
 	// Lock background scroll while modal is open.
-	useEffect(() => {
-		if (!show) return;
-		const html = document.documentElement;
-		const body = document.body;
-		const scrollY = window.scrollY;
-
-		const hadHtmlModalClass = html.classList.contains("modal-open");
-		const hadBodyModalClass = body.classList.contains("modal-open");
-
-		const previousHtmlOverflow = html.style.overflow;
-		const previousHtmlOverscrollBehavior = html.style.overscrollBehavior;
-		const previousBodyOverflow = body.style.overflow;
-		const previousBodyPosition = body.style.position;
-		const previousBodyTop = body.style.top;
-		const previousBodyLeft = body.style.left;
-		const previousBodyRight = body.style.right;
-		const previousBodyWidth = body.style.width;
-		const previousBodyOverscrollBehavior = body.style.overscrollBehavior;
-
-		html.classList.add("modal-open");
-		body.classList.add("modal-open");
-		html.style.overflow = "hidden";
-		html.style.overscrollBehavior = "none";
-		body.style.overflow = "hidden";
-		body.style.position = "fixed";
-		body.style.top = `-${scrollY}px`;
-		body.style.left = "0";
-		body.style.right = "0";
-		body.style.width = "100%";
-		body.style.overscrollBehavior = "none";
-
-		return () => {
-			if (!hadHtmlModalClass) html.classList.remove("modal-open");
-			if (!hadBodyModalClass) body.classList.remove("modal-open");
-
-			html.style.overflow = previousHtmlOverflow;
-			html.style.overscrollBehavior = previousHtmlOverscrollBehavior;
-			body.style.overflow = previousBodyOverflow;
-			body.style.position = previousBodyPosition;
-			body.style.top = previousBodyTop;
-			body.style.left = previousBodyLeft;
-			body.style.right = previousBodyRight;
-			body.style.width = previousBodyWidth;
-			body.style.overscrollBehavior = previousBodyOverscrollBehavior;
-
-			window.scrollTo(0, scrollY);
-		};
-	}, [show]);
+	useScrollLock(show);
 
 	// Keep activeTabIndex ref in sync for native listeners
 	const activeTabIndex = MOBILE_TAB_ORDER.indexOf(activeTab);
@@ -292,7 +253,10 @@ export function MobileEditModal({
 	const mobileTitle = (() => {
 		if (!editingId) return t("form.newEntry");
 		if (readOnlyMode) return t("form.viewEntry");
-		const medicationName = currentMed?.name?.trim() || form.name.trim();
+		const medicationName =
+			(currentMed ? currentMed.name?.trim() || currentMed.genericName?.trim() : null) ||
+			form.name.trim() ||
+			form.genericName.trim();
 		if (!medicationName) return t("form.editEntry");
 		return t("form.editEntryWithName", { name: medicationName });
 	})();
@@ -302,13 +266,15 @@ export function MobileEditModal({
 			className="modal-overlay mobile-edit-overlay"
 			onClick={onClose}
 			onKeyDown={(e) => {
-				if (e.key === "Escape") onClose();
+				if (e.key !== "Escape") e.stopPropagation();
 			}}
 		>
 			<div
 				className="modal-content edit-modal"
 				onClick={(e) => e.stopPropagation()}
-				onKeyDown={(e) => e.stopPropagation()}
+				onKeyDown={(e) => {
+					if (e.key !== "Escape") e.stopPropagation();
+				}}
 			>
 				<div className="edit-modal-header">
 					<button type="button" className="ghost small btn-nav" onClick={onClose}>
@@ -385,26 +351,41 @@ export function MobileEditModal({
 								<div className={`form-tab-panel${activeTab === "general" ? " active" : ""}`}>
 									<div className="full form-category">
 										<h4 className="form-category-title">{t("form.sections.general")}</h4>
-										<label className={`full ${!readOnlyMode && fieldErrors.name ? "has-error" : ""}`}>
+										<label
+											className={`full ${!readOnlyMode && showNameValidation && fieldErrors.name ? "has-error" : ""}`}
+										>
 											{t("form.commercialName")}
 											<input
 												value={form.name}
-												onChange={(e) => onFormChange({ ...form, name: e.target.value })}
+												onChange={(e) => {
+													setShowNameValidation(true);
+													onFormChange({ ...form, name: e.target.value });
+												}}
+												onBlur={() => setShowNameValidation(true)}
 												placeholder={t("form.placeholders.commercial")}
 												maxLength={FIELD_LIMITS.name.max}
-												required={!readOnlyMode}
 											/>
-											{!readOnlyMode && fieldErrors.name && <span className="field-error">{fieldErrors.name}</span>}
+											{!readOnlyMode && showNameValidation && fieldErrors.name && (
+												<span className="field-error">{fieldErrors.name}</span>
+											)}
 										</label>
-										<label className={`full ${fieldErrors.genericName ? "has-error" : ""}`}>
+										<label
+											className={`full ${!readOnlyMode && showNameValidation && fieldErrors.genericName ? "has-error" : ""}`}
+										>
 											{t("form.genericName")}
 											<input
 												value={form.genericName}
-												onChange={(e) => onFormChange({ ...form, genericName: e.target.value })}
+												onChange={(e) => {
+													setShowNameValidation(true);
+													onFormChange({ ...form, genericName: e.target.value });
+												}}
+												onBlur={() => setShowNameValidation(true)}
 												placeholder={t("form.placeholders.generic")}
 												maxLength={FIELD_LIMITS.genericName.max}
 											/>
-											{fieldErrors.genericName && <span className="field-error">{fieldErrors.genericName}</span>}
+											{!readOnlyMode && showNameValidation && fieldErrors.genericName && (
+												<span className="field-error">{fieldErrors.genericName}</span>
+											)}
 										</label>
 										<label className="full">
 											{t("form.medicationStartDate")}
@@ -485,9 +466,14 @@ export function MobileEditModal({
 												<input
 													type="file"
 													accept="image/*"
-													onChange={(e) => e.target.files?.[0] && onUploadMedImage(editingId, e.target.files[0])}
+													onChange={(e) => {
+														const file = e.target.files?.[0];
+														e.target.value = "";
+														if (file) void onUploadMedImage(editingId, file);
+													}}
 												/>
 											)}
+											{imageUploadError && <span className="field-error">{imageUploadError}</span>}
 										</div>
 									)}
 								</div>
@@ -498,32 +484,32 @@ export function MobileEditModal({
 											<>
 												<label>
 													{t("form.packs")}
-													<input
-														type="text"
-														inputMode="numeric"
-														pattern="[0-9]*"
+													<FormNumberStepper
 														value={form.packCount}
-														onChange={(e) => onHandleValueChange("packCount", e.target.value)}
+														onChange={(nextValue) => onHandleValueChange("packCount", nextValue)}
+														min={0}
+														decrementLabel={decrementValueLabel}
+														incrementLabel={incrementValueLabel}
 													/>
 												</label>
 												<label>
 													{t("form.blistersPerPack")}
-													<input
-														type="text"
-														inputMode="numeric"
-														pattern="[0-9]*"
+													<FormNumberStepper
 														value={form.blistersPerPack}
-														onChange={(e) => onHandleValueChange("blistersPerPack", e.target.value)}
+														onChange={(nextValue) => onHandleValueChange("blistersPerPack", nextValue)}
+														min={1}
+														decrementLabel={decrementValueLabel}
+														incrementLabel={incrementValueLabel}
 													/>
 												</label>
 												<label>
 													{t("form.pillsPerBlister")}
-													<input
-														type="text"
-														inputMode="numeric"
-														pattern="[0-9]*"
+													<FormNumberStepper
 														value={form.pillsPerBlister}
-														onChange={(e) => onHandleValueChange("pillsPerBlister", e.target.value)}
+														onChange={(nextValue) => onHandleValueChange("pillsPerBlister", nextValue)}
+														min={1}
+														decrementLabel={decrementValueLabel}
+														incrementLabel={incrementValueLabel}
 													/>
 												</label>
 												<label>
@@ -535,22 +521,22 @@ export function MobileEditModal({
 											<>
 												<label>
 													{t("form.totalCapacity")}
-													<input
-														type="text"
-														inputMode="numeric"
-														pattern="[0-9]*"
+													<FormNumberStepper
 														value={form.totalPills}
-														onChange={(e) => onHandleValueChange("totalPills", e.target.value)}
+														onChange={(nextValue) => onHandleValueChange("totalPills", nextValue)}
+														min={0}
+														decrementLabel={decrementValueLabel}
+														incrementLabel={incrementValueLabel}
 													/>
 												</label>
 												<label>
 													{t("form.currentPills")}
-													<input
-														type="text"
-														inputMode="numeric"
-														pattern="[0-9]*"
+													<FormNumberStepper
 														value={form.looseTablets}
-														onChange={(e) => onHandleValueChange("looseTablets", e.target.value)}
+														onChange={(nextValue) => onHandleValueChange("looseTablets", nextValue)}
+														min={0}
+														decrementLabel={decrementValueLabel}
+														incrementLabel={incrementValueLabel}
 													/>
 												</label>
 											</>
@@ -639,25 +625,30 @@ export function MobileEditModal({
 											)}
 										</div>
 										{form.intakes.map((intake, idx) => (
-											<div key={idx} className="blister-row">
+											<div
+												key={`${intake.startDate}-${intake.startTime}-${intake.usage}-${intake.every}-${intake.takenBy ?? ""}`}
+												className="blister-row"
+											>
 												<label className="compact">
 													<span>{t("form.blisters.usage")}</span>
-													<input
-														type="text"
-														inputMode="decimal"
-														pattern="[0-9]*\.?[0-9]*"
+													<FormNumberStepper
 														value={intake.usage}
-														onChange={(e) => onSetIntakeValue(idx, "usage", e.target.value)}
+														onChange={(nextValue) => onSetIntakeValue(idx, "usage", nextValue)}
+														min={0.5}
+														step={0.5}
+														allowDecimal={true}
+														decrementLabel={decrementValueLabel}
+														incrementLabel={incrementValueLabel}
 													/>
 												</label>
 												<label className="compact">
 													<span>{t("form.blisters.everyDays")}</span>
-													<input
-														type="text"
-														inputMode="numeric"
-														pattern="[0-9]*"
+													<FormNumberStepper
 														value={intake.every}
-														onChange={(e) => onSetIntakeValue(idx, "every", e.target.value)}
+														onChange={(nextValue) => onSetIntakeValue(idx, "every", nextValue)}
+														min={1}
+														decrementLabel={decrementValueLabel}
+														incrementLabel={incrementValueLabel}
 													/>
 												</label>
 												<label className="compact full-row">
@@ -736,32 +727,32 @@ export function MobileEditModal({
 											<>
 												<label className="prescription-field">
 													{t("prescription.authorizedRefills")}
-													<input
-														type="text"
-														inputMode="numeric"
-														pattern="[0-9]*"
+													<FormNumberStepper
 														value={form.prescriptionAuthorizedRefills}
-														onChange={(e) => onHandleValueChange("prescriptionAuthorizedRefills", e.target.value)}
+														onChange={(nextValue) => onHandleValueChange("prescriptionAuthorizedRefills", nextValue)}
+														min={0}
+														decrementLabel={decrementValueLabel}
+														incrementLabel={incrementValueLabel}
 													/>
 												</label>
 												<label className="prescription-field">
 													{t("prescription.remainingRefills")}
-													<input
-														type="text"
-														inputMode="numeric"
-														pattern="[0-9]*"
+													<FormNumberStepper
 														value={form.prescriptionRemainingRefills}
-														onChange={(e) => onHandleValueChange("prescriptionRemainingRefills", e.target.value)}
+														onChange={(nextValue) => onHandleValueChange("prescriptionRemainingRefills", nextValue)}
+														min={0}
+														decrementLabel={decrementValueLabel}
+														incrementLabel={incrementValueLabel}
 													/>
 												</label>
 												<label className="prescription-field">
 													{t("prescription.lowThreshold")}
-													<input
-														type="text"
-														inputMode="numeric"
-														pattern="[0-9]*"
+													<FormNumberStepper
 														value={form.prescriptionLowRefillThreshold}
-														onChange={(e) => onHandleValueChange("prescriptionLowRefillThreshold", e.target.value)}
+														onChange={(nextValue) => onHandleValueChange("prescriptionLowRefillThreshold", nextValue)}
+														min={0}
+														decrementLabel={decrementValueLabel}
+														incrementLabel={incrementValueLabel}
 													/>
 												</label>
 												<label className="prescription-field">

frontend/src/components/ProfileModal.tsx

@@ -1,3 +1,4 @@
+import { useEscapeKey } from "../hooks/useEscapeKey";
 import { UserProfile } from "./Auth";
 
 interface ProfileModalProps {
@@ -6,6 +7,8 @@ interface ProfileModalProps {
 }
 
 export default function ProfileModal({ isOpen, onClose }: ProfileModalProps) {
+	useEscapeKey(isOpen, onClose);
+
 	if (!isOpen) return null;
 
 	return (
@@ -13,13 +16,15 @@ export default function ProfileModal({ isOpen, onClose }: ProfileModalProps) {
 			className="modal-overlay"
 			onClick={onClose}
 			onKeyDown={(e) => {
-				if (e.key === "Escape") onClose();
+				if (e.key !== "Escape") e.stopPropagation();
 			}}
 		>
 			<div
 				className="modal-content profile-modal"
 				onClick={(e) => e.stopPropagation()}
-				onKeyDown={(e) => e.stopPropagation()}
+				onKeyDown={(e) => {
+					if (e.key !== "Escape") e.stopPropagation();
+				}}
 			>
 				<button className="modal-close" onClick={onClose}>
 					×

frontend/src/components/ReportModal.tsx

@@ -1,7 +1,9 @@
 import { useCallback, useEffect, useMemo, useState } from "react";
 import { useTranslation } from "react-i18next";
+import { useEscapeKey } from "../hooks/useEscapeKey";
+import { useScrollLock } from "../hooks/useScrollLock";
 import type { Medication } from "../types";
-import { getPackageSize } from "../types";
+import { getMedDisplayName, getPackageSize } from "../types";
 import { MedicationAvatar } from "./MedicationAvatar";
 
 type ReportFormat = "txt" | "md" | "pdf";
@@ -31,6 +33,9 @@ export function ReportModal({ isOpen, onClose, medications }: ReportModalProps)
 	const [generating, setGenerating] = useState(false);
 	const [takenByFilter, setTakenByFilter] = useState<Set<string>>(new Set());
 
+	useScrollLock(isOpen);
+	useEscapeKey(isOpen, onClose);
+
 	// Collect all unique "taken by" people across all medications
 	const allPeople = useMemo(() => {
 		const people = new Set<string>();
@@ -138,13 +143,15 @@ export function ReportModal({ isOpen, onClose, medications }: ReportModalProps)
 			className="modal-overlay"
 			onClick={onClose}
 			onKeyDown={(e) => {
-				if (e.key === "Escape") onClose();
+				if (e.key !== "Escape") e.stopPropagation();
 			}}
 		>
 			<div
 				className="modal-content report-modal"
 				onClick={(e) => e.stopPropagation()}
-				onKeyDown={(e) => e.stopPropagation()}
+				onKeyDown={(e) => {
+					if (e.key !== "Escape") e.stopPropagation();
+				}}
 			>
 				<button className="modal-close" onClick={onClose}>
 					×
@@ -193,10 +200,10 @@ export function ReportModal({ isOpen, onClose, medications }: ReportModalProps)
 								{activeMeds.map((med) => (
 									<label key={med.id} className="report-med-item">
 										<input type="checkbox" checked={selectedIds.has(med.id)} onChange={() => toggleMed(med.id)} />
-										<MedicationAvatar name={med.name} imageUrl={med.imageUrl} size="sm" />
+										<MedicationAvatar name={getMedDisplayName(med)} imageUrl={med.imageUrl} size="sm" />
 										<span className="report-med-name">
-											{med.name}
-											{med.genericName && <span className="report-med-generic"> ({med.genericName})</span>}
+											{getMedDisplayName(med)}
+											{med.name && med.genericName && <span className="report-med-generic"> ({med.genericName})</span>}
 										</span>
 									</label>
 								))}
@@ -211,10 +218,10 @@ export function ReportModal({ isOpen, onClose, medications }: ReportModalProps)
 								{obsoleteMeds.map((med) => (
 									<label key={med.id} className="report-med-item">
 										<input type="checkbox" checked={selectedIds.has(med.id)} onChange={() => toggleMed(med.id)} />
-										<MedicationAvatar name={med.name} imageUrl={med.imageUrl} size="sm" />
+										<MedicationAvatar name={getMedDisplayName(med)} imageUrl={med.imageUrl} size="sm" />
 										<span className="report-med-name obsolete-name">
-											{med.name}
-											{med.genericName && <span className="report-med-generic"> ({med.genericName})</span>}
+											{getMedDisplayName(med)}
+											{med.name && med.genericName && <span className="report-med-generic"> ({med.genericName})</span>}
 										</span>
 									</label>
 								))}
@@ -313,13 +320,15 @@ function generateTextReport(
 	for (const med of meds) {
 		lines.push(sep);
 		lines.push("");
-		const title = med.isObsolete ? `${med.name} (${t("report.docStatusObsolete")})` : med.name;
+		const title = med.isObsolete
+			? `${getMedDisplayName(med)} (${t("report.docStatusObsolete")})`
+			: getMedDisplayName(med);
 		lines.push(h2(title));
 		lines.push("");
 
 		// General
 		lines.push(h3(t("report.docGeneral")));
-		lines.push(item(t("report.docCommercialName"), med.name));
+		if (med.name) lines.push(item(t("report.docCommercialName"), med.name));
 		if (med.genericName) lines.push(item(t("report.docGenericName"), med.genericName));
 		if (med.takenBy?.length) lines.push(item(t("report.docTakenBy"), med.takenBy.join(", ")));
 		lines.push(
@@ -482,22 +491,24 @@ function buildPrintHtml(
 	for (const med of meds) {
 		const data = reportData[med.id];
 		const intakes = med.intakes ?? med.blisters;
+		const displayName = getMedDisplayName(med);
 		const title = med.isObsolete
-			? `${escHtml(med.name)} <span class="obsolete-badge">${escHtml(t("report.docStatusObsolete"))}</span>`
-			: escHtml(med.name);
+			? `${escHtml(displayName)} <span class="obsolete-badge">${escHtml(t("report.docStatusObsolete"))}</span>`
+			: escHtml(displayName);
 
 		let s = `<div class="med-section">`;
 		const imgDataUrl = imageMap[med.id];
 
 		// Title with generic name subtitle
 		s += `<h2>${title}</h2>`;
-		if (med.genericName) s += `<p class="generic-subtitle">${escHtml(med.genericName)}</p>`;
+		if (med.name && med.genericName) s += `<p class="generic-subtitle">${escHtml(med.genericName)}</p>`;
 
 		// Build general info table rows
 		const generalRows: string[] = [];
-		generalRows.push(
-			`<tr><td class="label">${escHtml(t("report.docCommercialName"))}</td><td>${escHtml(med.name)}</td></tr>`
-		);
+		if (med.name)
+			generalRows.push(
+				`<tr><td class="label">${escHtml(t("report.docCommercialName"))}</td><td>${escHtml(med.name)}</td></tr>`
+			);
 		if (med.genericName)
 			generalRows.push(
 				`<tr><td class="label">${escHtml(t("report.docGenericName"))}</td><td>${escHtml(med.genericName)}</td></tr>`
@@ -520,7 +531,7 @@ function buildPrintHtml(
 		const generalTable = `<h3>${escHtml(t("report.docGeneral"))}</h3><table><tbody>${generalRows.join("")}</tbody></table>`;
 
 		if (imgDataUrl) {
-			s += `<div class="med-overview"><img class="med-img" src="${imgDataUrl}" alt="${escHtml(med.name)}" /><div class="med-overview-info">${generalTable}</div></div>`;
+			s += `<div class="med-overview"><img class="med-img" src="${imgDataUrl}" alt="${escHtml(displayName)}" /><div class="med-overview-info">${generalTable}</div></div>`;
 		} else {
 			s += generalTable;
 		}

frontend/src/components/ShareDialog.tsx

@@ -5,6 +5,7 @@
 
 import { Check, Copy, Link2, X } from "lucide-react";
 import { useTranslation } from "react-i18next";
+import { useEscapeKey } from "../hooks/useEscapeKey";
 
 export interface ShareDialogProps {
 	show: boolean;
@@ -43,6 +44,8 @@ export function ShareDialog({
 	const closeLabel = t("common.close");
 	const copyLabel = shareCopied ? t("share.copied") : t("share.copyLink");
 
+	useEscapeKey(show, onClose);
+
 	if (!show) return null;
 
 	return (
@@ -50,13 +53,15 @@ export function ShareDialog({
 			className="modal-overlay"
 			onClick={onClose}
 			onKeyDown={(e) => {
-				if (e.key === "Escape") onClose();
+				if (e.key !== "Escape") e.stopPropagation();
 			}}
 		>
 			<div
 				className="modal-content share-dialog-modal"
 				onClick={(e) => e.stopPropagation()}
-				onKeyDown={(e) => e.stopPropagation()}
+				onKeyDown={(e) => {
+					if (e.key !== "Escape") e.stopPropagation();
+				}}
 			>
 				<button
 					type="button"
@@ -124,8 +129,12 @@ export function ShareDialog({
 					return (
 						<div className="share-dialog-form">
 							<div className="form-group">
-								<label>{t("share.selectPerson")}</label>
-								<select value={shareSelectedPerson} onChange={(e) => onShareSelectedPersonChange(e.target.value)}>
+								<label htmlFor="share-person-select">{t("share.selectPerson")}</label>
+								<select
+									id="share-person-select"
+									value={shareSelectedPerson}
+									onChange={(e) => onShareSelectedPersonChange(e.target.value)}
+								>
 									{sharePeople.map((person) => (
 										<option key={person} value={person}>
 											{person}
@@ -135,8 +144,12 @@ export function ShareDialog({
 							</div>
 
 							<div className="form-group">
-								<label>{t("share.selectPeriod")}</label>
-								<select value={shareSelectedDays} onChange={(e) => onShareSelectedDaysChange(Number(e.target.value))}>
+								<label htmlFor="share-period-select">{t("share.selectPeriod")}</label>
+								<select
+									id="share-period-select"
+									value={shareSelectedDays}
+									onChange={(e) => onShareSelectedDaysChange(Number(e.target.value))}
+								>
 									<option value={30}>{t("dashboard.schedules.1month")}</option>
 									<option value={90}>{t("dashboard.schedules.3months")}</option>
 									<option value={180}>{t("dashboard.schedules.6months")}</option>

frontend/src/components/SharedSchedule.tsx

@@ -1,12 +1,15 @@
 // =============================================================================
 // SharedSchedule Component - Public view for shared schedules
 // =============================================================================
+/* biome-ignore-all lint/style/noNestedTernary: rendering branches are intentionally explicit in schedule UI */
+/* biome-ignore-all lint/correctness/useExhaustiveDependencies: modal and helper callbacks are stable at runtime */
 
 import { useEffect, useMemo, useRef, useState } from "react";
 import { useTranslation } from "react-i18next";
 import { useParams } from "react-router-dom";
+import { useEscapeKey } from "../hooks";
 import type { ExpiredLinkData, SharedScheduleData } from "../types";
-import { getMedTotal } from "../types";
+import { getMedDisplayName, getMedTotal } from "../types";
 import { getSystemLocale } from "../utils/formatters";
 import { isDoseDismissed } from "../utils/schedule";
 import { loadCollapsedDaysFromStorage } from "../utils/storage";
@@ -149,15 +152,7 @@ export function SharedSchedule() {
 	}
 
 	// Close lightbox on Escape key
-	useEffect(() => {
-		function handleKeyDown(e: KeyboardEvent) {
-			if (e.key === "Escape" && lightboxImage) {
-				closeLightbox();
-			}
-		}
-		window.addEventListener("keydown", handleKeyDown);
-		return () => window.removeEventListener("keydown", handleKeyDown);
-	}, [lightboxImage, closeLightbox]);
+	useEscapeKey(!!lightboxImage, closeLightbox);
 
 	// Handle browser back button to close lightbox
 	useEffect(() => {
@@ -348,7 +343,7 @@ export function SharedSchedule() {
 					doses.push({
 						id: doseId,
 						when: t,
-						medName: med.name,
+						medName: getMedDisplayName(med),
 						usage: intake.usage,
 						isPast,
 						takenBy: intake.takenBy, // Per-intake takenBy (string | null)
@@ -552,8 +547,8 @@ export function SharedSchedule() {
 			const daysLeft = rawDaysLeft !== null ? Math.max(0, Math.floor(rawDaysLeft)) : null;
 			const depletionMs = daysLeft !== null ? now + daysLeft * MS_PER_DAY : null;
 
-			coverage[med.name] = { daysLeft, medsLeft: Number(medsLeft.toFixed(1)), dailyUsage: dailyRate };
-			depletion[med.name] = depletionMs;
+			coverage[getMedDisplayName(med)] = { daysLeft, medsLeft: Number(medsLeft.toFixed(1)), dailyUsage: dailyRate };
+			depletion[getMedDisplayName(med)] = depletionMs;
 		}
 		return { coverageByMed: coverage, depletionByMed: depletion };
 	}, [data, takenDoses]);
@@ -751,7 +746,7 @@ export function SharedSchedule() {
 
 									// Count missed doses that are NOT dismissed (for warning icon)
 									const missedNotDismissedCount = day.meds.reduce((count, item) => {
-										const med = data.medications.find((m) => m.name === item.medName);
+										const med = data.medications.find((m) => getMedDisplayName(m) === item.medName);
 										const dismissedUntilDate = med?.dismissedUntil ?? undefined;
 										return (
 											count +
@@ -805,7 +800,7 @@ export function SharedSchedule() {
 											</div>
 											{!isCollapsed &&
 												day.meds.map((item) => {
-													const med = data.medications.find((m) => m.name === item.medName);
+													const med = data.medications.find((m) => getMedDisplayName(m) === item.medName);
 													const medCoverage = coverageByMed[item.medName];
 													const isEmpty = showStock && medCoverage ? medCoverage.medsLeft <= 0 : false;
 													const depletionTime = depletionByMed[item.medName];
@@ -830,10 +825,10 @@ export function SharedSchedule() {
 																<div className="med-name">
 																	<div
 																		className={med?.imageUrl ? "med-avatar clickable" : ""}
-																		onClick={() => med?.imageUrl && openLightbox(med.imageUrl, med.name)}
+																		onClick={() => med?.imageUrl && openLightbox(med.imageUrl, getMedDisplayName(med))}
 																		onKeyDown={(e) => {
 																			if (e.key === "Enter" || e.key === " ") {
-																				if (med?.imageUrl) openLightbox(med.imageUrl, med.name);
+																				if (med?.imageUrl) openLightbox(med.imageUrl, getMedDisplayName(med));
 																			}
 																		}}
 																	>
@@ -989,7 +984,7 @@ export function SharedSchedule() {
 											</div>
 											{!isCollapsed &&
 												day.meds.map((item) => {
-													const med = data.medications.find((m) => m.name === item.medName);
+													const med = data.medications.find((m) => getMedDisplayName(m) === item.medName);
 													const medCoverage = coverageByMed[item.medName];
 													const isEmpty = showStock && medCoverage ? medCoverage.medsLeft <= 0 : false;
 													const depletionTime = depletionByMed[item.medName];
@@ -1013,10 +1008,10 @@ export function SharedSchedule() {
 																<div className="med-name">
 																	<div
 																		className={med?.imageUrl ? "med-avatar clickable" : ""}
-																		onClick={() => med?.imageUrl && openLightbox(med.imageUrl, med.name)}
+																		onClick={() => med?.imageUrl && openLightbox(med.imageUrl, getMedDisplayName(med))}
 																		onKeyDown={(e) => {
 																			if (e.key === "Enter" || e.key === " ") {
-																				if (med?.imageUrl) openLightbox(med.imageUrl, med.name);
+																				if (med?.imageUrl) openLightbox(med.imageUrl, getMedDisplayName(med));
 																			}
 																		}}
 																	>
@@ -1166,7 +1161,7 @@ export function SharedSchedule() {
 											</div>
 											{!isCollapsed &&
 												day.meds.map((item) => {
-													const med = data.medications.find((m) => m.name === item.medName);
+													const med = data.medications.find((m) => getMedDisplayName(m) === item.medName);
 													const medCoverage = coverageByMed[item.medName];
 													const depletionTime = depletionByMed[item.medName];
 													const willBeOutOfStock = typeof depletionTime === "number" && item.lastWhen > depletionTime;
@@ -1189,10 +1184,10 @@ export function SharedSchedule() {
 																<div className="med-name">
 																	<div
 																		className={med?.imageUrl ? "med-avatar clickable" : ""}
-																		onClick={() => med?.imageUrl && openLightbox(med.imageUrl, med.name)}
+																		onClick={() => med?.imageUrl && openLightbox(med.imageUrl, getMedDisplayName(med))}
 																		onKeyDown={(e) => {
 																			if (e.key === "Enter" || e.key === " ") {
-																				if (med?.imageUrl) openLightbox(med.imageUrl, med.name);
+																				if (med?.imageUrl) openLightbox(med.imageUrl, getMedDisplayName(med));
 																			}
 																		}}
 																	>
@@ -1281,7 +1276,7 @@ export function SharedSchedule() {
 					className="lightbox-overlay"
 					onClick={closeLightbox}
 					onKeyDown={(e) => {
-						if (e.key === "Escape") closeLightbox();
+						if (e.key !== "Escape") e.stopPropagation();
 					}}
 				>
 					<button className="lightbox-close" onClick={closeLightbox}>
@@ -1292,7 +1287,9 @@ export function SharedSchedule() {
 						alt={lightboxImage.name}
 						className="lightbox-image"
 						onClick={(e) => e.stopPropagation()}
-						onKeyDown={(e) => e.stopPropagation()}
+						onKeyDown={(e) => {
+							if (e.key !== "Escape") e.stopPropagation();
+						}}
 					/>
 				</div>
 			)}

frontend/src/components/UserFilterModal.tsx

@@ -4,8 +4,9 @@
  */
 import { useTranslation } from "react-i18next";
 import { MedicationAvatar } from "../components";
+import { useEscapeKey } from "../hooks/useEscapeKey";
 import type { Coverage, Medication, StockThresholds } from "../types";
-import { getMedTotal, getPackageSize } from "../types";
+import { getMedDisplayName, getMedTotal, getPackageSize } from "../types";
 import { formatNumber } from "../utils";
 import { getSystemLocale } from "../utils/formatters";
 import { getStockStatus } from "../utils/schedule";
@@ -31,6 +32,8 @@ export function UserFilterModal({
 }: UserFilterModalProps) {
 	const { t, i18n } = useTranslation();
 
+	useEscapeKey(!!selectedUser, onClose);
+
 	if (!selectedUser) return null;
 
 	const userMeds = meds.filter((m) => !m.isObsolete && (m.takenBy || []).includes(selectedUser));
@@ -40,13 +43,15 @@ export function UserFilterModal({
 			className="modal-overlay"
 			onClick={onClose}
 			onKeyDown={(e) => {
-				if (e.key === "Escape") onClose();
+				if (e.key !== "Escape") e.stopPropagation();
 			}}
 		>
 			<div
 				className="modal-content user-meds-modal"
 				onClick={(e) => e.stopPropagation()}
-				onKeyDown={(e) => e.stopPropagation()}
+				onKeyDown={(e) => {
+					if (e.key !== "Escape") e.stopPropagation();
+				}}
 			>
 				<button className="modal-close" onClick={onClose}>
 					×
@@ -59,7 +64,7 @@ export function UserFilterModal({
 
 				<div className="user-meds-list">
 					{userMeds.map((med) => {
-						const medCoverage = coverage.all.find((c) => c.name === med.name);
+						const medCoverage = coverage.all.find((c) => c.name === getMedDisplayName(med));
 						// Fallback: if no coverage data (e.g. obsolete med), compute basic status from total pills
 						const status = medCoverage
 							? getStockStatus(medCoverage.daysLeft, medCoverage.medsLeft, settings)
@@ -92,19 +97,20 @@ export function UserFilterModal({
 									}
 								}}
 							>
-								<MedicationAvatar name={med.name} imageUrl={med.imageUrl} size="sm" />
+								<MedicationAvatar name={getMedDisplayName(med)} imageUrl={med.imageUrl} size="sm" />
 								<div className="user-med-info">
-									<span className="user-med-name">{med.name}</span>
-									{med.genericName && <span className="user-med-generic">{med.genericName}</span>}
+									<span className="user-med-name">{getMedDisplayName(med)}</span>
+									{med.name && med.genericName && <span className="user-med-generic">{med.genericName}</span>}
 									{personIntakes.length > 0 && (
 										<div className="user-med-intakes">
-											{personIntakes.map((intake, idx) => {
+											{personIntakes.map((intake) => {
 												const timeStr = new Date(intake.start).toLocaleTimeString(getSystemLocale(i18n.language), {
 													hour: "2-digit",
 													minute: "2-digit",
 												});
+												const intakeKey = `${intake.start}-${intake.usage}-${intake.every}-${intake.takenBy ?? ""}`;
 												return (
-													<span key={idx} className="user-med-intake-item">
+													<span key={intakeKey} className="user-med-intake-item">
 														{intake.usage} {intake.usage !== 1 ? t("common.pills") : t("common.pill")}
 														{med.pillWeightMg != null &&
 															` (${intake.usage * med.pillWeightMg} ${med.doseUnit ?? "mg"})`}{" "}

frontend/src/components/index.ts

@@ -6,6 +6,7 @@ export { ConfirmModal } from "./ConfirmModal";
 export { DateInput } from "./DateInput";
 export { DateTimeInput } from "./DateTimeInput";
 export { default as ExportModal } from "./ExportModal";
+export { FormNumberStepper } from "./FormNumberStepper";
 export type { LightboxProps } from "./Lightbox";
 
 export { Lightbox } from "./Lightbox";

frontend/src/context/AppContext.tsx

@@ -1,5 +1,5 @@
 import type React from "react";
-import { createContext, useCallback, useContext, useEffect, useMemo, useState } from "react";
+import { createContext, useCallback, useContext, useEffect, useMemo, useRef, useState } from "react";
 import { useTranslation } from "react-i18next";
 import { useAuth } from "../components/Auth";
 import { useCollapsedDays, useDoses, useMedications, useRefill, useSettings, useShare } from "../hooks";
@@ -253,9 +253,32 @@ export function AppProvider({ children }: { children: React.ReactNode }) {
 
 	// Modal state
 	const [selectedMed, setSelectedMed] = useState<Medication | null>(null);
+	const selectedMedIdRef = useRef<number | null>(null);
+	const medDetailOpenedAtRef = useRef(0);
+	const medDetailCloseInFlightRef = useRef(false);
+	useEffect(() => {
+		selectedMedIdRef.current = selectedMed?.id ?? null;
+		if (!selectedMed) {
+			medDetailCloseInFlightRef.current = false;
+		}
+	}, [selectedMed]);
 	const [showImageLightbox, setShowImageLightbox] = useState(false);
+	const imageLightboxOpenedAtRef = useRef(0);
+	const imageLightboxCloseInFlightRef = useRef(false);
 	const [scheduleLightboxImage, setScheduleLightboxImage] = useState<string | null>(null);
+	const scheduleLightboxOpenedAtRef = useRef(0);
+	const scheduleLightboxCloseInFlightRef = useRef(false);
 	const [selectedUser, setSelectedUser] = useState<string | null>(null);
+	useEffect(() => {
+		if (!showImageLightbox) {
+			imageLightboxCloseInFlightRef.current = false;
+		}
+	}, [showImageLightbox]);
+	useEffect(() => {
+		if (!scheduleLightboxImage) {
+			scheduleLightboxCloseInFlightRef.current = false;
+		}
+	}, [scheduleLightboxImage]);
 
 	// Export/Import state
 	const [exporting, setExporting] = useState(false);
@@ -467,6 +490,10 @@ export function AppProvider({ children }: { children: React.ReactNode }) {
 	// Modal helpers with browser history support
 	const openMedDetail = useCallback(
 		(med: Medication) => {
+			if (selectedMedIdRef.current === med.id) return;
+			selectedMedIdRef.current = med.id;
+			medDetailOpenedAtRef.current = Date.now();
+			medDetailCloseInFlightRef.current = false;
 			setSelectedMed(med);
 			refill.setRefillHistoryExpanded(false);
 			refill.loadRefillHistory(med.id);
@@ -476,37 +503,78 @@ export function AppProvider({ children }: { children: React.ReactNode }) {
 	);
 
 	const closeMedDetail = useCallback(() => {
-		if (selectedMed) {
-			window.history.back();
+		if (!selectedMed || medDetailCloseInFlightRef.current) return;
+
+		// Ignore ultra-fast close requests caused by rapid double-click races
+		if (Date.now() - medDetailOpenedAtRef.current < 320) return;
+
+		const currentState = window.history.state as { modal?: string } | null;
+		if (currentState?.modal !== "medDetail") {
+			// State already popped by another event: close locally without another back step.
+			selectedMedIdRef.current = null;
+			setSelectedMed(null);
+			return;
 		}
+
+		medDetailCloseInFlightRef.current = true;
+		window.history.back();
 	}, [selectedMed]);
 
 	const openImageLightbox = useCallback(() => {
+		if (showImageLightbox) return;
+		imageLightboxOpenedAtRef.current = Date.now();
+		imageLightboxCloseInFlightRef.current = false;
 		setShowImageLightbox(true);
 		window.history.pushState({ modal: "imageLightbox" }, "");
-	}, []);
-
-	const closeImageLightbox = useCallback(() => {
-		if (showImageLightbox) {
-			window.history.back();
-		}
 	}, [showImageLightbox]);
 
-	const openScheduleLightbox = useCallback((imageUrl: string) => {
-		setScheduleLightboxImage(imageUrl);
-		window.history.pushState({ modal: "scheduleLightbox" }, "");
-	}, []);
+	const closeImageLightbox = useCallback(() => {
+		if (!showImageLightbox || imageLightboxCloseInFlightRef.current) return;
+		if (Date.now() - imageLightboxOpenedAtRef.current < 320) return;
+
+		const currentState = window.history.state as { modal?: string } | null;
+		if (currentState?.modal !== "imageLightbox") {
+			setShowImageLightbox(false);
+			return;
+		}
+
+		imageLightboxCloseInFlightRef.current = true;
+		window.history.back();
+	}, [showImageLightbox]);
+
+	const openScheduleLightbox = useCallback(
+		(imageUrl: string) => {
+			if (scheduleLightboxImage) return;
+			scheduleLightboxOpenedAtRef.current = Date.now();
+			scheduleLightboxCloseInFlightRef.current = false;
+			setScheduleLightboxImage(imageUrl);
+			window.history.pushState({ modal: "scheduleLightbox" }, "");
+		},
+		[scheduleLightboxImage]
+	);
 
 	const closeScheduleLightbox = useCallback(() => {
-		if (scheduleLightboxImage) {
-			window.history.back();
+		if (!scheduleLightboxImage || scheduleLightboxCloseInFlightRef.current) return;
+		if (Date.now() - scheduleLightboxOpenedAtRef.current < 320) return;
+
+		const currentState = window.history.state as { modal?: string } | null;
+		if (currentState?.modal !== "scheduleLightbox") {
+			setScheduleLightboxImage(null);
+			return;
 		}
+
+		scheduleLightboxCloseInFlightRef.current = true;
+		window.history.back();
 	}, [scheduleLightboxImage]);
 
-	const openUserFilter = useCallback((person: string) => {
-		setSelectedUser(person);
-		window.history.pushState({ modal: "userFilter", person }, "");
-	}, []);
+	const openUserFilter = useCallback(
+		(person: string) => {
+			if (selectedUser === person) return;
+			setSelectedUser(person);
+			window.history.pushState({ modal: "userFilter", person }, "");
+		},
+		[selectedUser]
+	);
 
 	const closeUserFilter = useCallback(() => {
 		if (selectedUser) {

frontend/src/hooks/index.ts

@@ -4,6 +4,7 @@ export type { UseCollapsedDaysReturn } from "./useCollapsedDays";
 export { useCollapsedDays } from "./useCollapsedDays";
 export type { UseDosesReturn } from "./useDoses";
 export { useDoses } from "./useDoses";
+export { useEscapeKey } from "./useEscapeKey";
 export type { UseMedicationFormReturn } from "./useMedicationForm";
 export { defaultBlister, defaultForm, useMedicationForm } from "./useMedicationForm";
 export type { UseMedicationsReturn } from "./useMedications";
@@ -11,6 +12,7 @@ export { useMedications } from "./useMedications";
 export { useModalHistory } from "./useModalHistory";
 export type { UseRefillReturn } from "./useRefill";
 export { useRefill } from "./useRefill";
+export { useScrollLock } from "./useScrollLock";
 export type { Settings, UseSettingsReturn } from "./useSettings";
 export { useSettings } from "./useSettings";
 export type { UseShareReturn } from "./useShare";

frontend/src/hooks/useEscapeKey.ts

@@ -0,0 +1,36 @@
+import { useEffect, useRef } from "react";
+
+/**
+ * Close a modal/overlay when the user presses Escape.
+ *
+ * Registers a document-level `keydown` listener so it works regardless
+ * of which element has focus. Every modal **must** use this hook —
+ * relying on `onKeyDown` on overlay divs is unreliable because those
+ * handlers only fire when the overlay itself (or a descendant) has focus.
+ *
+ * @param active  – whether the modal is currently open
+ * @param onClose – callback to close the modal
+ * @param options.capture – use capture phase (default: false).
+ *   Set to `true` for nested sub-modals that must intercept Escape
+ *   before a parent's handler fires.
+ */
+export function useEscapeKey(active: boolean, onClose: () => void, options?: { capture?: boolean }): void {
+	const capture = options?.capture ?? false;
+	const activeRef = useRef(active);
+	const onCloseRef = useRef(onClose);
+
+	// Keep refs in sync without re-registering the listener
+	activeRef.current = active;
+	onCloseRef.current = onClose;
+
+	useEffect(() => {
+		if (!active) return;
+		const handleKeyDown = (e: KeyboardEvent) => {
+			if (e.key === "Escape" && activeRef.current) {
+				onCloseRef.current();
+			}
+		};
+		document.addEventListener("keydown", handleKeyDown, capture);
+		return () => document.removeEventListener("keydown", handleKeyDown, capture);
+	}, [active, capture]);
+}

frontend/src/hooks/useMedicationForm.ts

@@ -115,9 +115,6 @@ export function useMedicationForm(): UseMedicationFormReturn {
 			// Skip validation for takenBy array (individual items validated on add)
 			if (field === "takenBy") return undefined;
 			const strValue = typeof value === "string" ? value : "";
-			if (field === "name" && (!strValue || strValue.trim().length === 0)) {
-				return t("common.validation.required");
-			}
 			if ("max" in limits && strValue.length > limits.max) {
 				return t("common.validation.maxLength", { max: limits.max, current: strValue.length });
 			}
@@ -150,8 +147,16 @@ export function useMedicationForm(): UseMedicationFormReturn {
 			const error = validateField(f, form[f]);
 			if (error) errors[f] = error;
 		});
+		// Cross-field validation: at least one of name or genericName is required
+		const hasName = form.name && form.name.trim().length > 0;
+		const hasGenericName = form.genericName && form.genericName.trim().length > 0;
+		if (!hasName && !hasGenericName) {
+			const msg = t("common.validation.nameOrGenericRequired");
+			errors.name = errors.name || msg;
+			errors.genericName = errors.genericName || msg;
+		}
 		setFieldErrors(errors);
-	}, [form.name, form.genericName, form.notes, validateField]);
+	}, [form.name, form.genericName, form.notes, validateField, form, t]);
 
 	const setBlisterValue = useCallback((idx: number, field: keyof FormBlister, value: string) => {
 		setForm((prev) => {

frontend/src/hooks/useMedications.ts

@@ -50,13 +50,33 @@ export function useMedications(): UseMedicationsReturn {
 					body: formData,
 					credentials: "include",
 				});
-				if (res.ok) {
-					loadMeds();
+				if (!res.ok) {
+					let code = "UNKNOWN";
+					try {
+						const errorBody = (await res.json()) as { code?: string };
+						if (typeof errorBody?.code === "string" && errorBody.code.trim().length > 0) {
+							code = errorBody.code;
+						}
+					} catch {
+						// Keep fallback code when backend response has no JSON body.
+					}
+					throw new Error(code);
 				}
-			} catch {
-				// ignore
+
+				loadMeds();
+			} catch (error) {
+				if (error instanceof Error) {
+					// Network failures (fetch itself throws) produce browser-specific messages.
+					// Normalise to NETWORK_ERROR code so the UI can map to a translated string.
+					if (error.message === "Failed to fetch" || error.message.startsWith("NetworkError")) {
+						throw new Error("NETWORK_ERROR");
+					}
+					throw error;
+				}
+				throw new Error("UNKNOWN");
+			} finally {
+				setUploadingImage(false);
 			}
-			setUploadingImage(false);
 		},
 		[loadMeds]
 	);

frontend/src/hooks/useScrollLock.ts

@@ -0,0 +1,81 @@
+import { useEffect, useRef } from "react";
+
+/**
+ * Lock background scrolling when a modal/overlay is visible.
+ *
+ * Uses the `position: fixed` technique to prevent scroll on iOS Safari
+ * and other browsers where `overflow: hidden` alone is insufficient.
+ * Saves and restores the scroll position on cleanup so users don't
+ * lose their place.
+ *
+ * Supports nesting: a scroll-lock counter prevents premature unlock
+ * when multiple modals stack (e.g. MedDetail → RefillModal).
+ */
+
+let lockCount = 0;
+let savedScrollY = 0;
+
+export function useScrollLock(active: boolean): void {
+	const wasActive = useRef(false);
+
+	useEffect(() => {
+		if (active && !wasActive.current) {
+			wasActive.current = true;
+			const html = document.documentElement;
+			const body = document.body;
+
+			if (lockCount === 0) {
+				savedScrollY = window.scrollY;
+				html.classList.add("modal-open");
+				html.style.overflow = "hidden";
+				html.style.overscrollBehavior = "none";
+				body.classList.add("modal-open");
+				body.style.overflow = "hidden";
+				body.style.position = "fixed";
+				body.style.top = `-${savedScrollY}px`;
+				body.style.left = "0";
+				body.style.right = "0";
+				body.style.width = "100%";
+				body.style.overscrollBehavior = "none";
+			}
+			lockCount++;
+		}
+
+		if (!active && wasActive.current) {
+			wasActive.current = false;
+			lockCount--;
+			if (lockCount <= 0) {
+				lockCount = 0;
+				unlock();
+			}
+		}
+
+		return () => {
+			if (wasActive.current) {
+				wasActive.current = false;
+				lockCount--;
+				if (lockCount <= 0) {
+					lockCount = 0;
+					unlock();
+				}
+			}
+		};
+	}, [active]);
+}
+
+function unlock(): void {
+	const html = document.documentElement;
+	const body = document.body;
+	html.classList.remove("modal-open");
+	html.style.overflow = "";
+	html.style.overscrollBehavior = "";
+	body.classList.remove("modal-open");
+	body.style.overflow = "";
+	body.style.position = "";
+	body.style.top = "";
+	body.style.left = "";
+	body.style.right = "";
+	body.style.width = "";
+	body.style.overscrollBehavior = "";
+	window.scrollTo(0, savedScrollY);
+}

frontend/src/hooks/useShare.ts

@@ -4,6 +4,8 @@
 
 import { useCallback, useState } from "react";
 import type { Medication } from "../types";
+import { withCorrelation } from "../utils/correlation";
+import { log } from "../utils/logger";
 
 export interface UseShareReturn {
 	showShareDialog: boolean;
@@ -45,36 +47,57 @@ export function useShare(): UseShareReturn {
 		const allPeople = meds.flatMap((m) => m.takenBy || []);
 		const uniquePeople = [...new Set(allPeople)].filter(Boolean).sort();
 		setSharePeople(uniquePeople);
+		log.info("[ShareDialog] Opened", { medicationCount: meds.length, personCount: uniquePeople.length });
 		if (uniquePeople.length > 0) {
 			setShareSelectedPerson(uniquePeople[0]);
 		}
 	}, []);
 
 	const generateShareLink = useCallback(async () => {
-		if (!shareSelectedPerson) return;
+		if (!shareSelectedPerson) {
+			log.warn("[ShareDialog] Attempted to generate link without selected person");
+			return;
+		}
 		setShareGenerating(true);
 		setShareCopied(false);
 
 		try {
-			const res = await fetch("/api/share", {
-				method: "POST",
-				headers: { "Content-Type": "application/json" },
-				credentials: "include",
-				body: JSON.stringify({
-					takenBy: shareSelectedPerson,
-					scheduleDays: shareSelectedDays,
-				}),
-			});
+			const { correlationId, init } = withCorrelation(
+				{
+					method: "POST",
+					headers: { "Content-Type": "application/json" },
+					credentials: "include",
+					body: JSON.stringify({
+						takenBy: shareSelectedPerson,
+						scheduleDays: shareSelectedDays,
+					}),
+				},
+				"fe-share"
+			);
+			const res = await fetch("/api/share", init);
 
 			if (res.ok) {
 				const data = await res.json();
 				const fullUrl = `${window.location.origin}/share/${data.token}`;
 				setShareLink(fullUrl);
+				log.info("[ShareDialog] Share link ready", {
+					person: shareSelectedPerson,
+					days: shareSelectedDays,
+					reused: Boolean(data.reused),
+					correlationId,
+				});
 			} else {
 				const err = await res.json();
+				log.error("[ShareDialog] Failed to generate share link", {
+					status: res.status,
+					person: shareSelectedPerson,
+					error: err.error,
+					correlationId,
+				});
 				alert(err.error || "Failed to generate share link");
 			}
-		} catch {
+		} catch (error) {
+			log.error("[ShareDialog] Share link request threw error", { person: shareSelectedPerson, error });
 			alert("Failed to generate share link");
 		} finally {
 			setShareGenerating(false);
@@ -83,20 +106,53 @@ export function useShare(): UseShareReturn {
 
 	const copyShareLink = useCallback(() => {
 		if (shareLink) {
-			navigator.clipboard.writeText(shareLink);
-			setShareCopied(true);
-			setTimeout(() => setShareCopied(false), 2000);
+			if (navigator.clipboard?.writeText) {
+				navigator.clipboard.writeText(shareLink).then(
+					() => {
+						setShareCopied(true);
+						log.debug("[ShareDialog] Share link copied to clipboard");
+						setTimeout(() => setShareCopied(false), 2000);
+					},
+					() => {
+						// Clipboard API blocked (non-secure context / permissions)
+						fallbackCopyToClipboard(shareLink);
+					}
+				);
+			} else {
+				fallbackCopyToClipboard(shareLink);
+			}
+		}
+
+		function fallbackCopyToClipboard(text: string) {
+			const textarea = document.createElement("textarea");
+			textarea.value = text;
+			textarea.style.position = "fixed";
+			textarea.style.opacity = "0";
+			document.body.appendChild(textarea);
+			textarea.select();
+			try {
+				document.execCommand("copy");
+				setShareCopied(true);
+				log.debug("[ShareDialog] Share link copied via fallback");
+				setTimeout(() => setShareCopied(false), 2000);
+			} catch {
+				log.warn("[ShareDialog] Clipboard copy failed — not in secure context");
+			} finally {
+				document.body.removeChild(textarea);
+			}
 		}
 	}, [shareLink]);
 
 	const closeShareDialog = useCallback(() => {
 		if (showShareDialog) {
+			log.debug("[ShareDialog] Closing dialog");
 			window.history.back();
 		}
 	}, [showShareDialog]);
 
 	// Internal function to reset share dialog state (called by popstate handler)
 	const resetShareDialogState = useCallback(() => {
+		log.debug("[ShareDialog] Reset dialog state");
 		setShowShareDialog(false);
 		setShareLink(null);
 		setShareCopied(false);

frontend/src/i18n/de.json

@@ -183,9 +183,16 @@
     "notes": "Notizen",
     "medicationImage": "Medikamentenbild",
     "removeImage": "Bild entfernen",
+    "imageUploadErrors": {
+      "tooLarge": "Das Bild ist zu groß. Die maximale Upload-Größe beträgt 10 MB.",
+      "invalidType": "Ungültiger Dateityp. Erlaubte Formate: JPEG, PNG, WebP, GIF.",
+      "invalidImage": "Ungültige oder nicht unterstützte Bilddatei.",
+      "noFile": "Es wurde keine Datei zum Hochladen ausgewählt.",
+      "generic": "Bild-Upload fehlgeschlagen. Bitte versuche es erneut."
+    },
     "placeholders": {
       "commercial": "z.B. Ozempic",
-      "generic": "z.B. Semaglutid (optional)",
+      "generic": "z.B. Semaglutid",
       "takenBy": "Name eingeben und Enter drücken",
       "addPerson": "Weitere Person hinzufügen...",
       "weight": "z.B. 240",
@@ -353,6 +360,7 @@
     "intakeReminders": "Einnahme-Erinnerungen aktiviert",
     "automaticTaken": "Automatisch eingenommen",
     "hasNotes": "Hat Notizen",
+    "hasPrescription": "Rezeptverfolgung aktiviert",
     "stockExceedsCapacity": "Bestand überschreitet Packungskapazität — Packungsanzahl anpassen",
     "lightMode": "Zum hellen Modus wechseln",
     "darkMode": "Zum dunklen Modus wechseln"
@@ -428,6 +436,7 @@
     },
     "validation": {
       "required": "Dieses Feld ist erforderlich",
+      "nameOrGenericRequired": "Handelsname oder Wirkstoff ist erforderlich",
       "maxLength": "Maximal {{max}} Zeichen ({{current}}/{{max}})",
       "tooLong": "{{current}}/{{max}} Zeichen"
     },
@@ -452,6 +461,7 @@
     "loose": "lose",
     "none": "Kein",
     "daily": "täglich",
+    "and": "und",
     "everyNDays": "alle {{count}} Tage",
     "day": "Tag",
     "days": "Tage",

frontend/src/i18n/en.json

@@ -183,9 +183,16 @@
     "notes": "Notes",
     "medicationImage": "Medication Image",
     "removeImage": "Remove Image",
+    "imageUploadErrors": {
+      "tooLarge": "Image is too large. Maximum upload size is 10 MB.",
+      "invalidType": "Invalid file type. Allowed formats: JPEG, PNG, WebP, GIF.",
+      "invalidImage": "Invalid or unsupported image file.",
+      "noFile": "No file was selected for upload.",
+      "generic": "Image upload failed. Please try again."
+    },
     "placeholders": {
       "commercial": "e.g. Ozempic",
-      "generic": "e.g. Semaglutide (optional)",
+      "generic": "e.g. Semaglutide",
       "takenBy": "Type name and press Enter",
       "addPerson": "Add another person...",
       "weight": "e.g. 240",
@@ -353,6 +360,7 @@
     "intakeReminders": "Intake reminders enabled",
     "automaticTaken": "Automatically taken",
     "hasNotes": "Has notes",
+    "hasPrescription": "Prescription tracking enabled",
     "stockExceedsCapacity": "Stock exceeds package capacity — consider updating pack count",
     "lightMode": "Switch to light mode",
     "darkMode": "Switch to dark mode"
@@ -428,6 +436,7 @@
     },
     "validation": {
       "required": "This field is required",
+      "nameOrGenericRequired": "Either commercial name or generic name is required",
       "maxLength": "Maximum {{max}} characters ({{current}}/{{max}})",
       "tooLong": "{{current}}/{{max}} characters"
     },
@@ -452,6 +461,7 @@
     "loose": "loose",
     "none": "None",
     "daily": "daily",
+    "and": "and",
     "everyNDays": "every {{count}} days",
     "day": "day",
     "days": "days",

frontend/src/pages/DashboardPage.tsx

@@ -1,10 +1,12 @@
-import { Bell, NotebookPen, Share2 } from "lucide-react";
+/* biome-ignore-all lint/style/noNestedTernary: timeline rendering uses explicit UI-state branching */
+import { Bell, ClipboardList, NotebookPen, Share2 } from "lucide-react";
 import { useState } from "react";
 import { useTranslation } from "react-i18next";
 import { ConfirmModal, MedicationAvatar } from "../components";
 import { useAuth } from "../components/Auth";
 import { useAppContext } from "../context";
 import { useModalHistory } from "../hooks";
+import { getMedDisplayName } from "../types";
 import { formatNumber, getExpiryClass, getSystemLocale } from "../utils/formatters";
 import { expandDoseIds, getStockStatus, isDoseDismissed } from "../utils/schedule";
 import {
@@ -117,7 +119,7 @@ export function DashboardPage() {
 		})
 		.map((med) => ({
 			id: med.id,
-			name: med.name,
+			name: getMedDisplayName(med),
 			remainingRefills: med.prescriptionRemainingRefills ?? 0,
 			threshold: med.prescriptionLowRefillThreshold ?? 1,
 		}))
@@ -249,7 +251,7 @@ export function DashboardPage() {
 									<span className="reminder-status-label">{t("dashboard.reminders.needsRefill")}:</span>
 									<span className="reminder-status-value">
 										{reminderData.lowStockMeds.map((med, idx) => {
-											const medication = meds.find((m) => m.name === med.name);
+											const medication = meds.find((m) => getMedDisplayName(m) === med.name);
 											const cov = coverage.all.find((c) => c.name === med.name);
 											const status = cov ? getStockStatus(cov.daysLeft, cov.medsLeft, stockThresholds) : null;
 											const textClass =
@@ -321,7 +323,7 @@ export function DashboardPage() {
 											(() => {
 												const names = reminderData.lastStockSent!.medNames!.split(", ");
 												return names.map((name, idx) => {
-													const medication = meds.find((m) => m.name === name);
+													const medication = meds.find((m) => getMedDisplayName(m) === name);
 													return (
 														<span key={name}>
 															{idx > 0 && ", "}
@@ -352,7 +354,9 @@ export function DashboardPage() {
 									<span className="reminder-status-value">
 										{reminderData.lastIntakeSent.medName &&
 											(() => {
-												const medication = meds.find((m) => m.name === reminderData.lastIntakeSent!.medName);
+												const medication = meds.find(
+													(m) => getMedDisplayName(m) === reminderData.lastIntakeSent!.medName
+												);
 												return medication ? (
 													<span
 														className="med-link clickable"
@@ -427,7 +431,7 @@ export function DashboardPage() {
 								<p>
 									{t("dashboard.reorder.lowWarningPrefix")}{" "}
 									{lowStockMeds.map((c, idx) => {
-										const med = meds.find((m) => m.name === c.name);
+										const med = meds.find((m) => getMedDisplayName(m) === c.name);
 										const status = getStockStatus(c.daysLeft, c.medsLeft, stockThresholds);
 										const textClass =
 											status.className === "danger"
@@ -484,7 +488,7 @@ export function DashboardPage() {
 							</div>
 							{coverage.all.map((row) => {
 								const status = getStockStatus(row.daysLeft, row.medsLeft, stockThresholds);
-								const med = meds.find((m) => m.name === row.name);
+								const med = meds.find((m) => getMedDisplayName(m) === row.name);
 								const expiryClass = getExpiryClass(med?.expiryDate, settings.expiryWarningDays);
 								const textClass =
 									status.className === "danger"
@@ -511,7 +515,21 @@ export function DashboardPage() {
 									>
 										<span data-label={t("table.name")} className="cell-with-avatar">
 											<span className="med-name-line">
-												<MedicationAvatar name={row.name} imageUrl={med?.imageUrl} />
+												<span
+													className={med?.imageUrl ? "med-avatar-clickable" : undefined}
+													onClick={(e) => {
+														e.stopPropagation();
+														if (med?.imageUrl) openScheduleLightbox(`/api/images/${med.imageUrl}`);
+													}}
+													onKeyDown={(e) => {
+														e.stopPropagation();
+														if (e.key === "Enter" || e.key === " ") {
+															if (med?.imageUrl) openScheduleLightbox(`/api/images/${med.imageUrl}`);
+														}
+													}}
+												>
+													<MedicationAvatar name={row.name} imageUrl={med?.imageUrl} />
+												</span>
 												<span className="med-name-block-dash">
 													<span className="med-name-text">
 														{row.name}
@@ -523,6 +541,17 @@ export function DashboardPage() {
 																</span>
 															</>
 														)}
+														{med?.prescriptionEnabled && (
+															<>
+																{" "}
+																<span
+																	className="prescription-icon info-tooltip"
+																	data-tooltip={t("tooltips.hasPrescription")}
+																>
+																	<ClipboardList size={13} aria-hidden="true" />
+																</span>
+															</>
+														)}
 													</span>
 													{med?.takenBy && med.takenBy.length > 0 && (
 														<span className="med-taken-by-line">
@@ -647,7 +676,7 @@ export function DashboardPage() {
 
 									// Count missed doses that are NOT dismissed (for warning icon)
 									const missedNotDismissedCount = day.meds.reduce((count, item) => {
-										const med = meds.find((m) => m.name === item.medName);
+										const med = meds.find((m) => getMedDisplayName(m) === item.medName);
 										const dismissedUntilDate = med?.dismissedUntil ?? undefined;
 										return (
 											count +
@@ -703,7 +732,7 @@ export function DashboardPage() {
 											</div>
 											{!isCollapsed &&
 												day.meds.map((item) => {
-													const med = meds.find((m) => m.name === item.medName);
+													const med = meds.find((m) => getMedDisplayName(m) === item.medName);
 													const medCov = coverageByMed[item.medName];
 													const isEmpty = medCov ? medCov.medsLeft <= 0 : false;
 													const status = medCov
@@ -729,7 +758,15 @@ export function DashboardPage() {
 																	>
 																		<MedicationAvatar name={item.medName} imageUrl={med?.imageUrl} size="sm" />
 																	</div>
-																	<div className="med-name-stack">
+																	<div
+																		className="med-name-stack clickable"
+																		onClick={() => med && openMedDetail(med)}
+																		onKeyDown={(e) => {
+																			if (e.key === "Enter" || e.key === " ") {
+																				if (med) openMedDetail(med);
+																			}
+																		}}
+																	>
 																		<span className="med-name-text">{item.medName}</span>
 																		{med?.genericName && <span className="med-generic-inline">{med.genericName}</span>}
 																	</div>
@@ -952,7 +989,7 @@ export function DashboardPage() {
 											{!isCollapsed &&
 												day.meds.map((item) => {
 													const medCoverage = coverageByMed[item.medName];
-													const med = meds.find((m) => m.name === item.medName);
+													const med = meds.find((m) => getMedDisplayName(m) === item.medName);
 													const depletionTime = depletionByMed[item.medName];
 													const isEmpty = medCoverage ? medCoverage.medsLeft <= 0 : false;
 													const willBeOutOfStock = typeof depletionTime === "number" && item.lastWhen > depletionTime;
@@ -981,7 +1018,15 @@ export function DashboardPage() {
 																	>
 																		<MedicationAvatar name={item.medName} imageUrl={med?.imageUrl} size="sm" />
 																	</div>
-																	<div className="med-name-stack">
+																	<div
+																		className="med-name-stack clickable"
+																		onClick={() => med && openMedDetail(med)}
+																		onKeyDown={(e) => {
+																			if (e.key === "Enter" || e.key === " ") {
+																				if (med) openMedDetail(med);
+																			}
+																		}}
+																	>
 																		<span className="med-name-text">{item.medName}</span>
 																		{med?.genericName && <span className="med-generic-inline">{med.genericName}</span>}
 																	</div>
@@ -1175,7 +1220,7 @@ export function DashboardPage() {
 											{!isCollapsed &&
 												day.meds.map((item) => {
 													const medCoverage = coverageByMed[item.medName];
-													const med = meds.find((m) => m.name === item.medName);
+													const med = meds.find((m) => getMedDisplayName(m) === item.medName);
 													const depletionTime = depletionByMed[item.medName];
 													const _isEmpty = medCoverage ? medCoverage.medsLeft <= 0 : false;
 													const willBeOutOfStock = typeof depletionTime === "number" && item.lastWhen > depletionTime;
@@ -1204,7 +1249,15 @@ export function DashboardPage() {
 																	>
 																		<MedicationAvatar name={item.medName} imageUrl={med?.imageUrl} size="sm" />
 																	</div>
-																	<div className="med-name-stack">
+																	<div
+																		className="med-name-stack clickable"
+																		onClick={() => med && openMedDetail(med)}
+																		onKeyDown={(e) => {
+																			if (e.key === "Enter" || e.key === " ") {
+																				if (med) openMedDetail(med);
+																			}
+																		}}
+																	>
 																		<span className="med-name-text">{item.medName}</span>
 																		{med?.genericName && <span className="med-generic-inline">{med.genericName}</span>}
 																	</div>

frontend/src/pages/MedicationsPage.tsx

@@ -1,14 +1,26 @@
+/* biome-ignore-all lint/a11y/noLabelWithoutControl: form uses custom inputs and display fields wrapped in label-like layout */
+/* biome-ignore-all lint/correctness/useExhaustiveDependencies: modal-history callbacks are intentionally managed outside hook deps */
+/* biome-ignore-all lint/suspicious/noArrayIndexKey: local draft intake rows do not have stable ids before persistence */
 import { Bell, Eye, Minus, Pencil, Plus, Trash2 } from "lucide-react";
 import { useCallback, useEffect, useMemo, useRef, useState } from "react";
 import { useTranslation } from "react-i18next";
 import { useSearchParams } from "react-router-dom";
-import { ConfirmModal, DateInput, Lightbox, MedicationAvatar, MobileEditModal, ReportModal } from "../components";
+import {
+	ConfirmModal,
+	DateInput,
+	FormNumberStepper,
+	Lightbox,
+	MedicationAvatar,
+	MobileEditModal,
+	ReportModal,
+} from "../components";
 import { useAuth } from "../components/Auth";
 import { useAppContext, useUnsavedChanges } from "../context";
 import { useMedicationForm, useModalHistory, useUnsavedChangesWarning } from "../hooks";
 import type { DoseUnit, Medication } from "../types";
-import { DOSE_UNITS, FIELD_LIMITS, getMedTotal, getPackageSize } from "../types";
+import { DOSE_UNITS, FIELD_LIMITS, getMedDisplayName, getPackageSize } from "../types";
 import { combineDateAndTime, formatDate, formatDateTime, formatNumber } from "../utils/formatters";
+import { MAX_IMAGE_UPLOAD_BYTES, resolveImageUploadError } from "../utils/image-upload";
 import { log } from "../utils/logger";
 
 function userStorageKey(userId: number | undefined, key: string): string {
@@ -31,7 +43,6 @@ export function MedicationsPage() {
 		deleteMedImage,
 		uploadingImage,
 		existingPeople,
-		coverage,
 		coverageByMed,
 	} = useAppContext();
 
@@ -41,6 +52,7 @@ export function MedicationsPage() {
 		setForm,
 		setOriginalForm,
 		editingId,
+		setEditingId,
 		formSaved,
 		setFormSaved,
 		formChanged,
@@ -66,12 +78,18 @@ export function MedicationsPage() {
 	useUnsavedChangesWarning(formChanged);
 
 	// View mode: grid (default) or form (edit/new)
-	const [viewMode, setViewMode] = useState<"grid" | "form">("grid");
+	// If navigating in with editMedId, suppress rendering until the edit form is ready
+	const [pendingEditTransition, setPendingEditTransition] = useState(() => searchParams.has("editMedId"));
+	const [viewMode, setViewMode] = useState<"grid" | "form">(pendingEditTransition ? "form" : "grid");
 	const [lightboxImage, setLightboxImage] = useState<{ src: string; alt: string } | null>(null);
 	const [activeTab, setActiveTab] = useState<"general" | "stock" | "prescription" | "schedule">("general");
 
 	// Mobile modal state (declared early because it's used in useEffect below)
-	const [showEditModal, setShowEditModal] = useState(false);
+	const [showEditModal, setShowEditModal] = useState(pendingEditTransition && window.innerWidth <= 768);
+	const showEditModalRef = useRef(false);
+	useEffect(() => {
+		showEditModalRef.current = showEditModal;
+	}, [showEditModal]);
 	const processedEditMedIdRef = useRef<string | null>(null);
 	const hasDesktopFormHistoryState = useRef(false);
 
@@ -122,6 +140,32 @@ export function MedicationsPage() {
 	const [showObsoleteConfirm, setShowObsoleteConfirm] = useState(false);
 	const [obsoleteCandidate, setObsoleteCandidate] = useState<Medication | null>(null);
 	const [allMeds, setAllMeds] = useState<Medication[]>(meds);
+	const [imageUploadError, setImageUploadError] = useState<string | null>(null);
+
+	const handlePendingMedicationImageSelection = useCallback(
+		(event: React.ChangeEvent<HTMLInputElement>) => {
+			const file = event.target.files?.[0];
+			event.target.value = "";
+			if (!file) return;
+			if (file.size > MAX_IMAGE_UPLOAD_BYTES) {
+				setImageUploadError(t("form.imageUploadErrors.tooLarge"));
+				setPendingImage(null);
+				setPendingImagePreview(null);
+				return;
+			}
+
+			setImageUploadError(null);
+			setPendingImage(file);
+			const reader = new FileReader();
+			reader.onload = (ev) => setPendingImagePreview(ev.target?.result as string);
+			reader.readAsDataURL(file);
+		},
+		[t]
+	);
+
+	useEffect(() => {
+		setImageUploadError(null);
+	}, [editingId]);
 	const [showObsolete, setShowObsolete] = useState(true);
 	const [readOnlyView, setReadOnlyView] = useState(false);
 	const [showReportModal, setShowReportModal] = useState(false);
@@ -157,6 +201,42 @@ export function MedicationsPage() {
 		void loadAllMeds();
 	}, [loadAllMeds]);
 
+	const tryUploadMedImage = useCallback(
+		async (medId: number, file: File) => {
+			setImageUploadError(null);
+			if (file.size > MAX_IMAGE_UPLOAD_BYTES) {
+				setImageUploadError(t("form.imageUploadErrors.tooLarge"));
+				return false;
+			}
+			try {
+				await uploadMedImage(medId, file);
+				void loadAllMeds();
+				setImageUploadError(null);
+				return true;
+			} catch (error) {
+				const code = error instanceof Error ? error.message : "UNKNOWN";
+				setImageUploadError(resolveImageUploadError(code, t));
+				return false;
+			}
+		},
+		[t, uploadMedImage, loadAllMeds]
+	);
+
+	const handleUploadMedImage = useCallback(
+		async (medId: number, file: File) => {
+			await tryUploadMedImage(medId, file);
+		},
+		[tryUploadMedImage]
+	);
+
+	const handleDeleteMedImage = useCallback(
+		async (medId: number) => {
+			await deleteMedImage(medId);
+			void loadAllMeds();
+		},
+		[deleteMedImage, loadAllMeds]
+	);
+
 	// Calculate total tablets
 	const totalTablets = useMemo(() => {
 		if (form.packageType === "bottle") {
@@ -169,6 +249,8 @@ export function MedicationsPage() {
 		const pillsPerBlister = Number(form.pillsPerBlister) || 1;
 		return packCount * blistersPerPack * pillsPerBlister;
 	}, [form.packageType, form.packCount, form.blistersPerPack, form.pillsPerBlister, form.looseTablets]);
+	const decrementValueLabel = t("editStock.decreaseValue");
+	const incrementValueLabel = t("editStock.increaseValue");
 
 	const dateConsistencyError = useMemo(() => {
 		const medicationStartDate = form.medicationStartDate;
@@ -197,6 +279,8 @@ export function MedicationsPage() {
 
 	// Open mobile edit modal
 	function openEditModal() {
+		if (showEditModalRef.current) return;
+		showEditModalRef.current = true;
 		setShowEditModal(true);
 		window.history.pushState({ modal: "edit" }, "");
 	}
@@ -447,7 +531,19 @@ export function MedicationsPage() {
 
 			// Upload image if pending (for new medications)
 			if (!editingId && pendingImage && saved.id) {
-				await uploadMedImage(saved.id, pendingImage);
+				const uploaded = await tryUploadMedImage(saved.id, pendingImage);
+				if (!uploaded) {
+					// Keep user in edit mode so upload error stays visible and retry is immediate.
+					setEditingId(saved.id);
+					setFormSaved(true);
+					setOriginalForm(form);
+					setPendingImage(null);
+					setPendingImagePreview(null);
+					loadMeds();
+					void loadAllMeds();
+					setSaving(false);
+					return;
+				}
 				setPendingImage(null);
 				setPendingImagePreview(null);
 			}
@@ -588,6 +684,13 @@ export function MedicationsPage() {
 		return () => document.removeEventListener("keydown", handleEscape);
 	}, [showEditModal, closeEditModal]);
 
+	function scrollToTopForDesktopEdit() {
+		if (window.innerWidth <= 768) return;
+		window.requestAnimationFrame(() => {
+			window.scrollTo({ top: 0, behavior: "smooth" });
+		});
+	}
+
 	function handleEditClick(med: Medication) {
 		if (formChanged) {
 			pendingActionRef.current = () => {
@@ -595,6 +698,7 @@ export function MedicationsPage() {
 				setReadOnlyView(false);
 				startEdit(med, openEditModal);
 				setViewMode("form");
+				scrollToTopForDesktopEdit();
 			};
 			setUnsavedConfirmSource(showEditModal ? "mobile-edit" : "desktop-form");
 			setShowUnsavedConfirm(true);
@@ -605,6 +709,7 @@ export function MedicationsPage() {
 		setActiveTab("general");
 		startEdit(med, openEditModal);
 		setViewMode("form");
+		scrollToTopForDesktopEdit();
 	}
 
 	function handleViewClick(med: Medication) {
@@ -687,6 +792,8 @@ export function MedicationsPage() {
 		setActiveTab("general");
 		startEdit(medicationToEdit, openEditModal);
 		setViewMode("form");
+		setPendingEditTransition(false);
+		window.dispatchEvent(new Event("medassist:edit-transition-ready"));
 
 		const nextParams = new URLSearchParams(searchParams);
 		nextParams.delete("editMedId");
@@ -698,6 +805,11 @@ export function MedicationsPage() {
 		return allMeds.find((med) => med.id === editingId) ?? null;
 	}, [allMeds, editingId]);
 
+	// While navigating from detail modal to edit, render nothing until form is populated
+	if (pendingEditTransition) {
+		return null;
+	}
+
 	return (
 		<section className={`med-grid-wrapper${viewMode === "form" ? " desktop-edit-open" : ""}`}>
 			{/* ── Grid View: always visible medication cards ── */}
@@ -724,19 +836,21 @@ export function MedicationsPage() {
 												<span
 													className={med.imageUrl ? "med-avatar-clickable" : undefined}
 													onClick={() =>
-														med.imageUrl && setLightboxImage({ src: `/api/images/${med.imageUrl}`, alt: med.name })
+														med.imageUrl &&
+														setLightboxImage({ src: `/api/images/${med.imageUrl}`, alt: getMedDisplayName(med) })
 													}
 													onKeyDown={(e) => {
 														if (e.key === "Enter" || e.key === " ") {
-															if (med.imageUrl) setLightboxImage({ src: `/api/images/${med.imageUrl}`, alt: med.name });
+															if (med.imageUrl)
+																setLightboxImage({ src: `/api/images/${med.imageUrl}`, alt: getMedDisplayName(med) });
 														}
 													}}
 												>
-													<MedicationAvatar name={med.name} imageUrl={med.imageUrl} size="lg" />
+													<MedicationAvatar name={getMedDisplayName(med)} imageUrl={med.imageUrl} size="lg" />
 												</span>
 												<div className="med-name-block">
-													<div className="med-name">{med.name}</div>
-													{med.genericName && <div className="med-generic-name">{med.genericName}</div>}
+													<div className="med-name">{getMedDisplayName(med)}</div>
+													{med.name && med.genericName && <div className="med-generic-name">{med.genericName}</div>}
 												</div>
 											</div>
 											<div className="med-actions">
@@ -798,10 +912,12 @@ export function MedicationsPage() {
 											)}
 											<div className="med-total">
 												{t("medications.details.stock")}:{" "}
-												{coverageByMed[med.name] ? Math.round(coverageByMed[med.name].medsLeft) : getPackageSize(med)} /{" "}
-												{getPackageSize(med)} {getPackageSize(med) === 1 ? t("common.pill") : t("common.pills")}
-												{(coverageByMed[med.name]
-													? Math.round(coverageByMed[med.name].medsLeft)
+												{coverageByMed[getMedDisplayName(med)]
+													? Math.round(coverageByMed[getMedDisplayName(med)].medsLeft)
+													: getPackageSize(med)}{" "}
+												/ {getPackageSize(med)} {getPackageSize(med) === 1 ? t("common.pill") : t("common.pills")}
+												{(coverageByMed[getMedDisplayName(med)]
+													? Math.round(coverageByMed[getMedDisplayName(med)].medsLeft)
 													: getPackageSize(med)) > getPackageSize(med) && (
 													<span
 														className="info-tooltip tooltip-align-left warning-text"
@@ -820,8 +936,10 @@ export function MedicationsPage() {
 												{s.usage} {s.usage === 1 ? t("common.pill") : t("common.pills")} ·{" "}
 												{s.every === 1 ? t("common.daily") : t("common.everyNDays", { count: s.every })} ·{" "}
 												{t("form.blisters.from")} {formatDateTime(s.start)}
-												{"takenBy" in s && s.takenBy && <span className="blister-taken-by"> · {s.takenBy}</span>}
-												{"intakeRemindersEnabled" in s && s.intakeRemindersEnabled && (
+												{"takenBy" in s && (s as import("../types").Intake).takenBy && (
+													<span className="blister-taken-by"> · {(s as import("../types").Intake).takenBy}</span>
+												)}
+												{"intakeRemindersEnabled" in s && (s as import("../types").Intake).intakeRemindersEnabled && (
 													<span className="blister-reminder-icon" title={t("form.blisters.remindTooltip")}>
 														{" "}
 														<Bell size={12} aria-hidden="true" />
@@ -856,20 +974,24 @@ export function MedicationsPage() {
 														<span
 															className={med.imageUrl ? "med-avatar-clickable" : undefined}
 															onClick={() =>
-																med.imageUrl && setLightboxImage({ src: `/api/images/${med.imageUrl}`, alt: med.name })
+																med.imageUrl &&
+																setLightboxImage({ src: `/api/images/${med.imageUrl}`, alt: getMedDisplayName(med) })
 															}
 															onKeyDown={(e) => {
 																if (e.key === "Enter" || e.key === " ") {
 																	if (med.imageUrl)
-																		setLightboxImage({ src: `/api/images/${med.imageUrl}`, alt: med.name });
+																		setLightboxImage({
+																			src: `/api/images/${med.imageUrl}`,
+																			alt: getMedDisplayName(med),
+																		});
 																}
 															}}
 														>
-															<MedicationAvatar name={med.name} imageUrl={med.imageUrl} size="lg" />
+															<MedicationAvatar name={getMedDisplayName(med)} imageUrl={med.imageUrl} size="lg" />
 														</span>
 														<div className="med-name-block">
-															<div className="med-name">{med.name}</div>
-															{med.genericName && <div className="med-generic-name">{med.genericName}</div>}
+															<div className="med-name">{getMedDisplayName(med)}</div>
+															{med.name && med.genericName && <div className="med-generic-name">{med.genericName}</div>}
 														</div>
 													</div>
 													<div className="med-actions">
@@ -958,15 +1080,6 @@ export function MedicationsPage() {
 							>
 								{t("form.sections.stock")}
 							</button>
-							<button
-								type="button"
-								role="tab"
-								aria-selected={activeTab === "prescription"}
-								className={`form-tab${activeTab === "prescription" ? " active" : ""}`}
-								onClick={() => setActiveTab("prescription")}
-							>
-								{t("form.sections.prescription")}
-							</button>
 							<button
 								type="button"
 								role="tab"
@@ -976,6 +1089,15 @@ export function MedicationsPage() {
 							>
 								{t("form.sections.schedule")}
 							</button>
+							<button
+								type="button"
+								role="tab"
+								aria-selected={activeTab === "prescription"}
+								className={`form-tab${activeTab === "prescription" ? " active" : ""}`}
+								onClick={() => setActiveTab("prescription")}
+							>
+								{t("form.sections.prescription")}
+							</button>
 						</div>
 						<fieldset className="readonly-fieldset" disabled={readOnlyView}>
 							<div className={`form-tab-panel${activeTab === "general" ? " active" : ""}`}>
@@ -992,21 +1114,26 @@ export function MedicationsPage() {
 											onBlur={() => setShowNameValidation(true)}
 											placeholder={t("form.placeholders.commercial")}
 											maxLength={FIELD_LIMITS.name.max}
-											required={!readOnlyView}
 										/>
 										{!readOnlyView && showNameValidation && fieldErrors.name && (
 											<span className="field-error">{fieldErrors.name}</span>
 										)}
 									</label>
-									<label className={fieldErrors.genericName ? "has-error" : ""}>
+									<label className={!readOnlyView && showNameValidation && fieldErrors.genericName ? "has-error" : ""}>
 										{t("form.genericName")}
 										<input
 											value={form.genericName}
-											onChange={(e) => setForm({ ...form, genericName: e.target.value })}
+											onChange={(e) => {
+												setShowNameValidation(true);
+												setForm({ ...form, genericName: e.target.value });
+											}}
+											onBlur={() => setShowNameValidation(true)}
 											placeholder={t("form.placeholders.generic")}
 											maxLength={FIELD_LIMITS.genericName.max}
 										/>
-										{fieldErrors.genericName && <span className="field-error">{fieldErrors.genericName}</span>}
+										{!readOnlyView && showNameValidation && fieldErrors.genericName && (
+											<span className="field-error">{fieldErrors.genericName}</span>
+										)}
 									</label>
 									<label>
 										{t("form.medicationStartDate")}
@@ -1023,7 +1150,9 @@ export function MedicationsPage() {
 										<select
 											className="package-type-select"
 											value={form.packageType}
-											onChange={(e) => handleValueChange("packageType", e.target.value)}
+											onChange={(e) =>
+												handleValueChange("packageType", e.target.value as import("../types").PackageType)
+											}
 										>
 											<option value="blister">{t("form.packageTypeBlister")}</option>
 											<option value="bottle">{t("form.packageTypeBottle")}</option>
@@ -1085,7 +1214,7 @@ export function MedicationsPage() {
 														<button
 															type="button"
 															className="danger icon-only tooltip-trigger"
-															onClick={() => deleteMedImage(editingId)}
+															onClick={() => handleDeleteMedImage(editingId)}
 															aria-label={t("form.removeImage")}
 															data-tooltip={t("form.removeImage")}
 														>
@@ -1098,7 +1227,11 @@ export function MedicationsPage() {
 												<input
 													type="file"
 													accept="image/jpeg,image/png,image/webp,image/gif"
-													onChange={(e) => e.target.files?.[0] && uploadMedImage(editingId, e.target.files[0])}
+													onChange={(e) => {
+														const file = e.target.files?.[0];
+														e.target.value = "";
+														if (file) void tryUploadMedImage(editingId, file);
+													}}
 													disabled={uploadingImage}
 												/>
 											);
@@ -1126,18 +1259,11 @@ export function MedicationsPage() {
 											<input
 												type="file"
 												accept="image/jpeg,image/png,image/webp,image/gif"
-												onChange={(e) => {
-													const file = e.target.files?.[0];
-													if (file) {
-														setPendingImage(file);
-														const reader = new FileReader();
-														reader.onload = (ev) => setPendingImagePreview(ev.target?.result as string);
-														reader.readAsDataURL(file);
-													}
-												}}
+												onChange={handlePendingMedicationImageSelection}
 											/>
 										);
 									})()}
+									{imageUploadError && <span className="field-error">{imageUploadError}</span>}
 								</div>
 							</div>
 							{/* end general tab */}
@@ -1149,32 +1275,32 @@ export function MedicationsPage() {
 										<>
 											<label>
 												{t("form.packs")}
-												<input
-													type="text"
-													inputMode="numeric"
-													pattern="[0-9]*"
+												<FormNumberStepper
 													value={form.packCount}
-													onChange={(e) => handleValueChange("packCount", e.target.value)}
+													onChange={(nextValue) => handleValueChange("packCount", nextValue)}
+													min={0}
+													decrementLabel={decrementValueLabel}
+													incrementLabel={incrementValueLabel}
 												/>
 											</label>
 											<label>
 												{t("form.blistersPerPack")}
-												<input
-													type="text"
-													inputMode="numeric"
-													pattern="[0-9]*"
+												<FormNumberStepper
 													value={form.blistersPerPack}
-													onChange={(e) => handleValueChange("blistersPerPack", e.target.value)}
+													onChange={(nextValue) => handleValueChange("blistersPerPack", nextValue)}
+													min={1}
+													decrementLabel={decrementValueLabel}
+													incrementLabel={incrementValueLabel}
 												/>
 											</label>
 											<label>
 												{t("form.pillsPerBlister")}
-												<input
-													type="text"
-													inputMode="numeric"
-													pattern="[0-9]*"
+												<FormNumberStepper
 													value={form.pillsPerBlister}
-													onChange={(e) => handleValueChange("pillsPerBlister", e.target.value)}
+													onChange={(nextValue) => handleValueChange("pillsPerBlister", nextValue)}
+													min={1}
+													decrementLabel={decrementValueLabel}
+													incrementLabel={incrementValueLabel}
 												/>
 											</label>
 											<label>
@@ -1186,22 +1312,22 @@ export function MedicationsPage() {
 										<>
 											<label>
 												{t("form.totalCapacity")}
-												<input
-													type="text"
-													inputMode="numeric"
-													pattern="[0-9]*"
+												<FormNumberStepper
 													value={form.totalPills}
-													onChange={(e) => handleValueChange("totalPills", e.target.value)}
+													onChange={(nextValue) => handleValueChange("totalPills", nextValue)}
+													min={0}
+													decrementLabel={decrementValueLabel}
+													incrementLabel={incrementValueLabel}
 												/>
 											</label>
 											<label>
 												{t("form.currentPills")}
-												<input
-													type="text"
-													inputMode="numeric"
-													pattern="[0-9]*"
+												<FormNumberStepper
 													value={form.looseTablets}
-													onChange={(e) => handleValueChange("looseTablets", e.target.value)}
+													onChange={(nextValue) => handleValueChange("looseTablets", nextValue)}
+													min={0}
+													decrementLabel={decrementValueLabel}
+													incrementLabel={incrementValueLabel}
 												/>
 											</label>
 										</>
@@ -1292,32 +1418,32 @@ export function MedicationsPage() {
 										<>
 											<label className="prescription-field">
 												{t("prescription.authorizedRefills")}
-												<input
-													type="text"
-													inputMode="numeric"
-													pattern="[0-9]*"
+												<FormNumberStepper
 													value={form.prescriptionAuthorizedRefills}
-													onChange={(e) => handleValueChange("prescriptionAuthorizedRefills", e.target.value)}
+													onChange={(nextValue) => handleValueChange("prescriptionAuthorizedRefills", nextValue)}
+													min={0}
+													decrementLabel={decrementValueLabel}
+													incrementLabel={incrementValueLabel}
 												/>
 											</label>
 											<label className="prescription-field">
 												{t("prescription.remainingRefills")}
-												<input
-													type="text"
-													inputMode="numeric"
-													pattern="[0-9]*"
+												<FormNumberStepper
 													value={form.prescriptionRemainingRefills}
-													onChange={(e) => handleValueChange("prescriptionRemainingRefills", e.target.value)}
+													onChange={(nextValue) => handleValueChange("prescriptionRemainingRefills", nextValue)}
+													min={0}
+													decrementLabel={decrementValueLabel}
+													incrementLabel={incrementValueLabel}
 												/>
 											</label>
 											<label className="prescription-field">
 												{t("prescription.lowThreshold")}
-												<input
-													type="text"
-													inputMode="numeric"
-													pattern="[0-9]*"
+												<FormNumberStepper
 													value={form.prescriptionLowRefillThreshold}
-													onChange={(e) => handleValueChange("prescriptionLowRefillThreshold", e.target.value)}
+													onChange={(nextValue) => handleValueChange("prescriptionLowRefillThreshold", nextValue)}
+													min={0}
+													decrementLabel={decrementValueLabel}
+													incrementLabel={incrementValueLabel}
 												/>
 											</label>
 											<label className="prescription-field">
@@ -1354,22 +1480,24 @@ export function MedicationsPage() {
 											<div className="blister-inputs">
 												<label>
 													{t("form.blisters.usage")}
-													<input
-														type="text"
-														inputMode="decimal"
-														pattern="[0-9]*\.?[0-9]*"
+													<FormNumberStepper
 														value={intake.usage}
-														onChange={(e) => setIntakeValue(idx, "usage", e.target.value)}
+														onChange={(nextValue) => setIntakeValue(idx, "usage", nextValue)}
+														min={0.5}
+														step={0.5}
+														allowDecimal={true}
+														decrementLabel={decrementValueLabel}
+														incrementLabel={incrementValueLabel}
 													/>
 												</label>
 												<label>
 													{t("form.blisters.everyDays")}
-													<input
-														type="text"
-														inputMode="numeric"
-														pattern="[0-9]*"
+													<FormNumberStepper
 														value={intake.every}
-														onChange={(e) => setIntakeValue(idx, "every", e.target.value)}
+														onChange={(nextValue) => setIntakeValue(idx, "every", nextValue)}
+														min={1}
+														decrementLabel={decrementValueLabel}
+														incrementLabel={incrementValueLabel}
 													/>
 												</label>
 												<label>
@@ -1478,8 +1606,9 @@ export function MedicationsPage() {
 				onRemoveIntake={removeIntake}
 				onHandleValueChange={handleValueChange}
 				meds={allMeds}
-				onUploadMedImage={uploadMedImage}
-				onDeleteMedImage={deleteMedImage}
+				onUploadMedImage={handleUploadMedImage}
+				onDeleteMedImage={handleDeleteMedImage}
+				imageUploadError={imageUploadError}
 				onClose={() => {
 					closeEditModal();
 				}}

frontend/src/pages/PlannerPage.tsx

@@ -1,9 +1,11 @@
+/* biome-ignore-all lint/a11y/noLabelWithoutControl: planner uses custom DateTimeInput control wrappers */
 import { useEffect, useState } from "react";
 import { useTranslation } from "react-i18next";
 import { DateTimeInput, MedicationAvatar } from "../components";
 import { useAuth } from "../components/Auth";
 import { useAppContext } from "../context";
 import type { PlannerRow } from "../types";
+import { getMedDisplayName } from "../types";
 import { toInputValue } from "../utils/formatters";
 
 // Date helpers
@@ -203,7 +205,8 @@ export function PlannerPage() {
 							</div>
 							{plannerRows.map((row) => {
 								const med =
-									meds.find((m) => m.id === row.medicationId) || meds.find((m) => m.name === row.medicationName);
+									meds.find((m) => m.id === row.medicationId) ||
+									meds.find((m) => getMedDisplayName(m) === row.medicationName);
 								const remainingRefills = med?.prescriptionEnabled ? (med.prescriptionRemainingRefills ?? 0) : null;
 								return (
 									<div

frontend/src/pages/SchedulePage.tsx

@@ -1,9 +1,11 @@
+/* biome-ignore-all lint/style/noNestedTernary: schedule timeline branches are intentionally explicit */
 import { Bell } from "lucide-react";
 import { useTranslation } from "react-i18next";
 import { MedicationAvatar } from "../components";
 import { useAuth } from "../components/Auth";
 import { useAppContext } from "../context";
 import type { Coverage } from "../types";
+import { getMedDisplayName } from "../types";
 import { expandDoseIds, isDoseDismissed } from "../utils/schedule";
 
 // Helper for user-specific localStorage keys
@@ -115,7 +117,7 @@ export function SchedulePage() {
 
 							// Count missed doses that are NOT dismissed (for warning icon)
 							const missedNotDismissedCount = day.meds.reduce((count, item) => {
-								const med = meds.find((m) => m.name === item.medName);
+								const med = meds.find((m) => getMedDisplayName(m) === item.medName);
 								const dismissedUntilDate = med?.dismissedUntil ?? undefined;
 								return (
 									count +
@@ -170,7 +172,7 @@ export function SchedulePage() {
 									</div>
 									{!isCollapsed &&
 										day.meds.map((item) => {
-											const med = meds.find((m) => m.name === item.medName);
+											const med = meds.find((m) => getMedDisplayName(m) === item.medName);
 											const medCov = coverageByMed[item.medName];
 											const isEmpty = medCov ? medCov.medsLeft <= 0 : false;
 											const itemDoseIds = expandDoseIds(item.doses);
@@ -332,7 +334,7 @@ export function SchedulePage() {
 								{day.meds.map((item) => {
 									const medCoverage = coverageByMed[item.medName];
 									const isEmpty = medCoverage ? medCoverage.medsLeft <= 0 : false;
-									const med = meds.find((m) => m.name === item.medName);
+									const med = meds.find((m) => getMedDisplayName(m) === item.medName);
 									const depletionTime = depletionByMed[item.medName];
 									// Check if this dose is scheduled after medication runs out
 									const willBeOutOfStock = typeof depletionTime === "number" && item.lastWhen > depletionTime;

frontend/src/pages/SettingsPage.tsx

@@ -1,3 +1,4 @@
+/* biome-ignore-all lint/a11y/noLabelWithoutControl: settings rows use label-styled text with adjacent custom toggle controls */
 import { useTranslation } from "react-i18next";
 import { ConfirmModal, ExportModal } from "../components";
 import { useAppContext } from "../context";

frontend/src/styles.css

@@ -108,6 +108,22 @@ body.modal-open {
 	overflow-x: hidden;
 }
 
+.route-transition-mask {
+	position: fixed;
+	inset: 0;
+	background: var(--bg-primary);
+	opacity: 0;
+	pointer-events: none;
+	transition: opacity 140ms ease-out;
+	z-index: 1500;
+}
+
+.route-transition-mask.active {
+	transition: none;
+	opacity: 1;
+	pointer-events: auto;
+}
+
 .hero {
 	background: linear-gradient(135deg, rgba(67, 106, 255, 0.08), rgba(115, 195, 255, 0.06));
 	border: 1px solid var(--border-primary);
@@ -1127,11 +1143,15 @@ body.modal-open {
 }
 .blister-row .blister-inputs {
 	display: grid;
-	grid-template-columns: 1fr 1fr 1fr 1fr;
+	grid-template-columns: minmax(0, 1.05fr) minmax(0, 1.05fr) minmax(10.75rem, 1fr) minmax(7.25rem, 0.8fr);
 	gap: 0.75rem;
 	align-items: end;
 }
 
+.blister-row .blister-inputs > label {
+	min-width: 0;
+}
+
 .blister-row .blister-inputs label.taken-by-field {
 	grid-column: span 2;
 }
@@ -1154,6 +1174,17 @@ body.modal-open {
 	}
 }
 
+/* Desktop edit sidebar can be narrow; avoid clipping right-side controls. */
+@media (min-width: 769px) {
+	.edit-sidebar .blister-row .blister-inputs {
+		grid-template-columns: 1fr 1fr;
+	}
+
+	.edit-sidebar .blister-row .blister-inputs label.taken-by-field {
+		grid-column: 1 / -1;
+	}
+}
+
 .gap {
 	gap: 0.6rem;
 }
@@ -2212,6 +2243,9 @@ button.has-validation-error {
 .time-main .med-name span.clickable {
 	cursor: pointer;
 }
+.time-main .med-name .med-name-stack.clickable {
+	cursor: pointer;
+}
 .time-main .med-name span.clickable:hover .med-avatar {
 	transform: scale(1.1);
 	box-shadow: 0 4px 12px rgba(0, 0, 0, 0.2);
@@ -3373,7 +3407,7 @@ button.has-validation-error {
 	transition:
 		opacity 0.15s,
 		visibility 0.15s;
-	z-index: 100;
+	z-index: 1100;
 	pointer-events: none;
 }
 
@@ -3391,7 +3425,7 @@ button.has-validation-error {
 	transition:
 		opacity 0.15s,
 		visibility 0.15s;
-	z-index: 101;
+	z-index: 1101;
 }
 
 /* Tooltip aligned to left edge of icon (prevents clipping inside modals) */
@@ -4332,7 +4366,7 @@ button.has-validation-error {
 	overscroll-behavior: contain;
 	display: flex;
 	flex-direction: column;
-	overflow: hidden;
+	overflow: visible;
 }
 
 .med-detail-modal .med-detail-body {
@@ -4379,6 +4413,7 @@ button.has-validation-error {
 	color: white;
 	font-weight: 600;
 	text-shadow: 0 1px 3px rgba(0, 0, 0, 0.3);
+	text-align: center;
 }
 
 .taken-by-badge {
@@ -4531,7 +4566,7 @@ button.has-validation-error {
 }
 
 .med-detail-body {
-	padding: 1.5rem 2rem 0;
+	padding: 1.5rem 2rem 2rem;
 	background: var(--bg-primary);
 }
 
@@ -4605,9 +4640,6 @@ button.has-validation-error {
 	align-items: start;
 }
 
-.prescription-detail-grid .med-detail-value {
-}
-
 .med-detail-item {
 	background: var(--bg-secondary);
 	padding: 0.75rem;
@@ -4650,8 +4682,8 @@ button.has-validation-error {
 .med-schedule-item {
 	display: flex;
 	align-items: center;
-	justify-content: flex-start;
-	gap: 1rem;
+	flex-wrap: wrap;
+	gap: 0.35rem 0.75rem;
 	background: var(--bg-secondary);
 	padding: 0.75rem 1rem;
 	border-radius: 8px;
@@ -4665,22 +4697,26 @@ button.has-validation-error {
 
 .med-schedule-freq {
 	color: var(--text-secondary);
+	white-space: nowrap;
 }
 
 .med-schedule-time {
 	font-weight: 500;
 	margin-left: auto;
+	white-space: nowrap;
 }
 
 .med-schedule-person {
 	color: var(--text-secondary);
 	font-size: 0.85rem;
+	white-space: nowrap;
 }
 
 .med-schedule-bell {
 	color: var(--warning);
 	display: inline-flex;
 	align-items: center;
+	margin-left: 0.35rem;
 }
 
 [data-theme="light"] .med-schedule-bell {
@@ -4697,7 +4733,7 @@ button.has-validation-error {
 	background: var(--bg-primary);
 	border-radius: 0 0 12px 12px;
 	flex-shrink: 0;
-	overflow: hidden;
+	overflow: visible;
 	position: relative;
 	z-index: 1;
 	padding-bottom: calc(1rem + env(safe-area-inset-bottom, 0px));
@@ -4993,7 +5029,8 @@ button.has-validation-error {
 
 /* Reminder icon indicator */
 .reminder-icon.info-tooltip,
-.notes-icon.info-tooltip {
+.notes-icon.info-tooltip,
+.prescription-icon.info-tooltip {
 	width: auto;
 	height: auto;
 	margin: 0 !important;
@@ -5008,6 +5045,10 @@ button.has-validation-error {
 	vertical-align: baseline;
 }
 
+.prescription-icon.info-tooltip {
+	color: var(--success);
+}
+
 .reminder-icon.info-tooltip,
 .blister-reminder-icon {
 	color: var(--warning);
@@ -5022,8 +5063,13 @@ button.has-validation-error {
 	color: #1d4ed8; /* darker blue — strong contrast on light backgrounds */
 }
 
+[data-theme="light"] .prescription-icon.info-tooltip {
+	color: #047857; /* dark emerald — strong contrast on light backgrounds */
+}
+
 .reminder-icon.info-tooltip:hover,
-.notes-icon.info-tooltip:hover {
+.notes-icon.info-tooltip:hover,
+.prescription-icon.info-tooltip:hover {
 	opacity: 1;
 }
 

frontend/src/styles/medication-workflows.css

@@ -446,7 +446,7 @@
 }
 
 .refill-number-stepper input {
-	order: initial;
+	order: 0;
 	text-align: center;
 	padding: 0.75rem 0.5rem;
 }
@@ -460,21 +460,29 @@
 }
 
 .refill-number-stepper .stepper-btn.decrement {
-	order: initial;
+	order: -1;
+	background: color-mix(in srgb, var(--danger) 22%, var(--bg-tertiary));
 	color: var(--danger);
 }
 
 .refill-number-stepper .stepper-btn.increment {
-	order: initial;
+	order: 1;
 	border-right: none;
 	border-left: 1px solid var(--border-primary);
-	background: color-mix(in srgb, var(--bg-tertiary) 85%, transparent);
+	background: color-mix(in srgb, var(--success) 22%, var(--bg-tertiary));
 	color: var(--success);
 }
 
 .refill-number-stepper .stepper-btn:hover:not(:disabled) {
 	filter: none;
-	background: color-mix(in srgb, var(--accent) 14%, var(--bg-tertiary));
+}
+
+.refill-number-stepper .stepper-btn.decrement:hover:not(:disabled) {
+	background: color-mix(in srgb, var(--danger) 36%, var(--bg-tertiary));
+}
+
+.refill-number-stepper .stepper-btn.increment:hover:not(:disabled) {
+	background: color-mix(in srgb, var(--success) 36%, var(--bg-tertiary));
 }
 
 @media (min-width: 641px) {
@@ -488,12 +496,12 @@
 	}
 
 	[data-theme="light"] .refill-number-stepper .stepper-btn.decrement {
-		background: color-mix(in srgb, var(--bg-tertiary) 90%, transparent);
+		background: color-mix(in srgb, #dc2626 18%, white);
 		color: #b91c1c;
 	}
 
 	[data-theme="light"] .refill-number-stepper .stepper-btn.increment {
-		background: color-mix(in srgb, var(--bg-tertiary) 90%, transparent);
+		background: color-mix(in srgb, #0f766e 18%, white);
 		color: #0f766e;
 	}
 }
@@ -504,6 +512,111 @@
 	}
 }
 
+/* Form stepper keeps symmetric - value + layout in all contexts (desktop/mobile). */
+.form-number-stepper {
+	display: grid;
+	grid-template-columns: 2.75rem minmax(0, 1fr) 2.75rem;
+}
+
+.form-number-stepper input {
+	order: 0;
+	text-align: center;
+	padding: 0.75rem 0.5rem;
+	min-width: 0;
+	width: 100%;
+	color: var(--text-primary);
+}
+
+.form-number-stepper .stepper-btn {
+	flex: 0 0 auto;
+	border-right: 1px solid var(--border-primary);
+	border-left: none;
+	background: color-mix(in srgb, var(--bg-tertiary) 85%, transparent);
+	color: var(--text-secondary);
+}
+
+.form-number-stepper .stepper-btn.decrement {
+	order: -1;
+	background: color-mix(in srgb, var(--danger) 22%, var(--bg-tertiary));
+	color: var(--danger);
+}
+
+.form-number-stepper .stepper-btn.increment {
+	order: 1;
+	border-right: none;
+	border-left: 1px solid var(--border-primary);
+	background: color-mix(in srgb, var(--success) 22%, var(--bg-tertiary));
+	color: var(--success);
+}
+
+.form-number-stepper .stepper-btn:hover:not(:disabled) {
+	filter: none;
+}
+
+.form-number-stepper .stepper-btn.decrement:hover:not(:disabled) {
+	background: color-mix(in srgb, var(--danger) 36%, var(--bg-tertiary));
+}
+
+.form-number-stepper .stepper-btn.increment:hover:not(:disabled) {
+	background: color-mix(in srgb, var(--success) 36%, var(--bg-tertiary));
+}
+
+/* Highlight both controls when the center value field is focused (keyboard/click). */
+.form-number-stepper:has(input:focus) .stepper-btn.decrement:not(:disabled),
+.form-number-stepper:has(input:focus-visible) .stepper-btn.decrement:not(:disabled) {
+	background: color-mix(in srgb, var(--danger) 36%, var(--bg-tertiary));
+}
+
+.form-number-stepper:has(input:focus) .stepper-btn.increment:not(:disabled),
+.form-number-stepper:has(input:focus-visible) .stepper-btn.increment:not(:disabled) {
+	background: color-mix(in srgb, var(--success) 36%, var(--bg-tertiary));
+}
+
+/* Dense schedule grids need a compact variant so the middle value stays visible. */
+.blister-inputs .form-number-stepper,
+.mobile-edit-form .blister-row .form-number-stepper {
+	grid-template-columns: 2.35rem minmax(2rem, 1fr) 2.35rem;
+}
+
+.blister-inputs .form-number-stepper input,
+.mobile-edit-form .blister-row .form-number-stepper input {
+	min-height: 2.35rem;
+	padding: 0.5rem 0.35rem;
+}
+
+.blister-inputs .form-number-stepper .stepper-btn,
+.mobile-edit-form .blister-row .form-number-stepper .stepper-btn {
+	min-width: 2.35rem;
+	min-height: 2.35rem;
+}
+
+@media (min-width: 641px) {
+	.form-number-stepper {
+		display: grid;
+		grid-template-columns: 2.75rem minmax(0, 1fr) 2.75rem;
+	}
+
+	.form-number-stepper input {
+		padding-left: 0.5rem;
+	}
+
+	[data-theme="light"] .form-number-stepper .stepper-btn.decrement {
+		background: color-mix(in srgb, #dc2626 18%, white);
+		color: #b91c1c;
+	}
+
+	[data-theme="light"] .form-number-stepper .stepper-btn.increment {
+		background: color-mix(in srgb, #0f766e 18%, white);
+		color: #0f766e;
+	}
+}
+
+@media (max-width: 640px) {
+	.form-number-stepper {
+		grid-template-columns: 2.75rem minmax(0, 1fr) 2.75rem;
+	}
+}
+
 .edit-stock-summary {
 	display: flex;
 	gap: 0.5rem;

frontend/src/test/App.test.tsx

@@ -284,24 +284,6 @@ describe("App", () => {
 		expect(screen.getByText("lightbox-open-med-image.png")).toBeInTheDocument();
 	});
 
-	it("handles Escape key with modal priority", () => {
-		appContextMock.scheduleLightboxImage = "med-image.png";
-		appContextMock.showImageLightbox = true;
-		appContextMock.showShareDialog = true;
-
-		render(
-			<MemoryRouter initialEntries={["/dashboard"]}>
-				<App />
-			</MemoryRouter>
-		);
-
-		document.dispatchEvent(new KeyboardEvent("keydown", { key: "Escape" }));
-
-		expect(appContextMock.closeScheduleLightbox).toHaveBeenCalled();
-		expect(appContextMock.closeImageLightbox).not.toHaveBeenCalled();
-		expect(appContextMock.closeShareDialog).not.toHaveBeenCalled();
-	});
-
 	it("handles popstate by closing selected medication", () => {
 		appContextMock.selectedMed = { id: 1, packCount: 1, looseTablets: 0, updatedAt: null };
 
@@ -344,20 +326,6 @@ describe("App", () => {
 		expect(window.history.pushState).toHaveBeenCalled();
 	});
 
-	it("Escape key closes about modal via history back", () => {
-		render(
-			<MemoryRouter initialEntries={["/dashboard"]}>
-				<App />
-			</MemoryRouter>
-		);
-
-		fireEvent.click(screen.getByRole("button", { name: "open-about" }));
-		expect(screen.getByText("about-modal-open")).toBeInTheDocument();
-
-		document.dispatchEvent(new KeyboardEvent("keydown", { key: "Escape" }));
-		expect(window.history.back).toHaveBeenCalled();
-	});
-
 	it("handles popstate by resetting share dialog state", () => {
 		appContextMock.showShareDialog = true;
 
@@ -381,47 +349,6 @@ describe("App", () => {
 		expect(screen.getByText("dashboard-page")).toBeInTheDocument();
 	});
 
-	it("Escape closes refill modal when it is topmost", () => {
-		appContextMock.showRefillModal = true;
-
-		render(
-			<MemoryRouter initialEntries={["/dashboard"]}>
-				<App />
-			</MemoryRouter>
-		);
-
-		document.dispatchEvent(new KeyboardEvent("keydown", { key: "Escape" }));
-		expect(appContextMock.closeRefillModal).toHaveBeenCalled();
-	});
-
-	it("Escape closes edit stock modal when it is topmost", () => {
-		appContextMock.showEditStockModal = true;
-
-		render(
-			<MemoryRouter initialEntries={["/dashboard"]}>
-				<App />
-			</MemoryRouter>
-		);
-
-		document.dispatchEvent(new KeyboardEvent("keydown", { key: "Escape" }));
-		expect(appContextMock.closeEditStockModal).toHaveBeenCalled();
-	});
-
-	it("Escape closes user filter and medication detail in lower priority", () => {
-		appContextMock.selectedUser = "Max";
-		appContextMock.selectedMed = { id: 1, packCount: 1, looseTablets: 0, updatedAt: null };
-
-		render(
-			<MemoryRouter initialEntries={["/dashboard"]}>
-				<App />
-			</MemoryRouter>
-		);
-
-		document.dispatchEvent(new KeyboardEvent("keydown", { key: "Escape" }));
-		expect(appContextMock.closeUserFilter).toHaveBeenCalled();
-		expect(appContextMock.closeMedDetail).not.toHaveBeenCalled();
-	});
-
 	it("popstate closes image lightbox before other modals", () => {
 		appContextMock.showImageLightbox = true;
 		appContextMock.scheduleLightboxImage = "img.png";
@@ -450,17 +377,4 @@ describe("App", () => {
 		window.dispatchEvent(new PopStateEvent("popstate"));
 		expect(appContextMock.setScheduleLightboxImage).toHaveBeenCalledWith(null);
 	});
-
-	it("Escape closes medication detail when no higher-priority modal is open", () => {
-		appContextMock.selectedMed = { id: 1, packCount: 1, looseTablets: 0, updatedAt: null };
-
-		render(
-			<MemoryRouter initialEntries={["/dashboard"]}>
-				<App />
-			</MemoryRouter>
-		);
-
-		document.dispatchEvent(new KeyboardEvent("keydown", { key: "Escape" }));
-		expect(appContextMock.closeMedDetail).toHaveBeenCalled();
-	});
 });

frontend/src/test/components/AppHeader.test.tsx

@@ -370,10 +370,13 @@ describe("AppHeader", () => {
 		fireEvent.click(userMenuBtn);
 		fireEvent.click(screen.getByText(/auth\.signOut/i));
 		await waitFor(() => {
-			expect(fetch).toHaveBeenCalledWith("/api/auth/logout", {
-				method: "POST",
-				credentials: "include",
-			});
+			expect(fetch).toHaveBeenCalledWith(
+				"/api/auth/logout",
+				expect.objectContaining({
+					method: "POST",
+					credentials: "include",
+				})
+			);
 		});
 	});
 });

frontend/src/test/components/Auth.test.tsx

@@ -39,7 +39,7 @@ describe("AuthProvider", () => {
 		renderHook(() => useAuth(), { wrapper });
 
 		await waitFor(() => {
-			expect(fetch).toHaveBeenCalledWith("/api/auth/state");
+			expect(fetch).toHaveBeenCalledWith("/api/auth/state", expect.anything());
 		});
 	});
 
@@ -55,7 +55,7 @@ describe("AuthProvider", () => {
 
 		// Wait for the initial fetch to complete
 		await waitFor(() => {
-			expect(fetch).toHaveBeenCalledWith("/api/auth/state");
+			expect(fetch).toHaveBeenCalledWith("/api/auth/state", expect.anything());
 		});
 
 		// Wait a bit more to ensure no additional calls happen
@@ -94,18 +94,21 @@ describe("AuthProvider", () => {
 		const response = await result.current.authFetch("/api/medications", { method: "GET" });
 
 		expect(response.ok).toBe(true);
-		expect(fetch).toHaveBeenNthCalledWith(2, "/api/medications", {
-			method: "GET",
-			credentials: "include",
-		});
-		expect(fetch).toHaveBeenNthCalledWith(3, "/api/auth/refresh", {
-			method: "POST",
-			credentials: "include",
-		});
-		expect(fetch).toHaveBeenNthCalledWith(4, "/api/medications", {
-			method: "GET",
-			credentials: "include",
-		});
+		expect(fetch).toHaveBeenNthCalledWith(
+			2,
+			"/api/medications",
+			expect.objectContaining({ method: "GET", credentials: "include" })
+		);
+		expect(fetch).toHaveBeenNthCalledWith(
+			3,
+			"/api/auth/refresh",
+			expect.objectContaining({ method: "POST", credentials: "include" })
+		);
+		expect(fetch).toHaveBeenNthCalledWith(
+			4,
+			"/api/medications",
+			expect.objectContaining({ method: "GET", credentials: "include" })
+		);
 	});
 
 	it("authFetch logs user out when refresh fails", async () => {
@@ -893,7 +896,7 @@ describe("AuthProvider methods", () => {
 		});
 
 		const file = new File(["avatar"], "avatar.png", { type: "image/png" });
-		await expect(result.current.uploadAvatar(file)).rejects.toThrow("Upload failed");
+		await expect(result.current.uploadAvatar(file)).rejects.toThrow("UNKNOWN");
 	});
 
 	it("deleteAvatar succeeds and refreshes user", async () => {

frontend/src/test/components/Lightbox.test.tsx

@@ -48,9 +48,10 @@ describe("Lightbox", () => {
 
 	it("calls onClose when Escape key is pressed", () => {
 		const onClose = vi.fn();
-		render(<Lightbox {...defaultProps} onClose={onClose} />);
+		const { container } = render(<Lightbox {...defaultProps} onClose={onClose} />);
 
-		fireEvent.keyDown(document, { key: "Escape" });
+		const overlay = container.querySelector(".lightbox-overlay");
+		fireEvent.keyDown(overlay!, { key: "Escape" });
 
 		expect(onClose).toHaveBeenCalled();
 	});

frontend/src/test/hooks/useMedicationForm.test.ts

@@ -123,7 +123,7 @@ describe("useMedicationForm", () => {
 		expect(result.current.formChanged).toBe(false);
 
 		await waitFor(() => {
-			expect(result.current.fieldErrors.name).toBe("common.validation.required");
+			expect(result.current.fieldErrors.name).toBe("common.validation.nameOrGenericRequired");
 			expect(result.current.hasValidationErrors).toBe(true);
 		});
 	});
@@ -131,7 +131,8 @@ describe("useMedicationForm", () => {
 	it("validates name required and max length fields", () => {
 		const { result } = renderHook(() => useMedicationForm());
 
-		expect(result.current.validateField("name", "")).toBe("common.validation.required");
+		// Cross-field validation: empty name alone returns no per-field error
+		expect(result.current.validateField("name", "")).toBeUndefined();
 		expect(result.current.validateField("takenBy", ["Alice"])).toBeUndefined();
 
 		const tooLongGeneric = "a".repeat(101);

frontend/src/test/hooks/useMedications.test.ts

@@ -1,6 +1,7 @@
 import { act, renderHook, waitFor } from "@testing-library/react";
 import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
 import { useMedications } from "../../hooks/useMedications";
+import type { Medication } from "../../types";
 
 describe("useMedications", () => {
 	beforeEach(() => {
@@ -169,9 +170,11 @@ describe("useMedications", () => {
 		const { result } = renderHook(() => useMedications());
 		const file = new File(["test"], "test.jpg", { type: "image/jpeg" });
 
-		await act(async () => {
-			await result.current.uploadMedImage(1, file);
-		});
+		await expect(
+			act(async () => {
+				await result.current.uploadMedImage(1, file);
+			})
+		).rejects.toThrow("Upload failed");
 
 		expect(result.current.uploadingImage).toBe(false);
 	});
@@ -193,7 +196,7 @@ describe("useMedications", () => {
 	it("allows setting meds directly", () => {
 		const { result } = renderHook(() => useMedications());
 
-		const newMeds = [{ id: 1, name: "NewMed" }] as any;
+		const newMeds: Array<Pick<Medication, "id" | "name">> = [{ id: 1, name: "NewMed" }];
 
 		act(() => {
 			result.current.setMeds(newMeds);

frontend/src/test/hooks/useShare.test.ts

@@ -14,7 +14,7 @@ describe("useShare", () => {
 		mockAlert = vi.fn();
 		global.alert = mockAlert;
 
-		mockClipboard = { writeText: vi.fn() };
+		mockClipboard = { writeText: vi.fn().mockResolvedValue(undefined) };
 		Object.defineProperty(navigator, "clipboard", {
 			value: mockClipboard,
 			writable: true,
@@ -237,7 +237,7 @@ describe("useShare", () => {
 			result.current.setShareLink("http://localhost:5173/share/test-token");
 		});
 
-		act(() => {
+		await act(async () => {
 			result.current.copyShareLink();
 		});
 

frontend/src/test/types.test.ts

@@ -152,7 +152,7 @@ describe("getPackageSize", () => {
 
 describe("FIELD_LIMITS", () => {
 	it("has correct limits for name field", () => {
-		expect(FIELD_LIMITS.name.min).toBe(1);
+		expect(FIELD_LIMITS.name.min).toBe(0);
 		expect(FIELD_LIMITS.name.max).toBe(100);
 	});
 

frontend/src/types/index.ts

@@ -230,12 +230,17 @@ export type ExpiredLinkData = {
 // Field Validation Limits (must match backend)
 // =============================================================================
 export const FIELD_LIMITS = {
-	name: { min: 1, max: 100 },
+	name: { min: 0, max: 100 },
 	genericName: { max: 100 },
 	takenBy: { max: 100 },
 	notes: { max: 2000 },
 } as const;
 
+/** Returns the best display name for a medication: commercial name, or generic name as fallback */
+export function getMedDisplayName(med: { name: string; genericName?: string | null }): string {
+	return med.name || med.genericName || "";
+}
+
 // =============================================================================
 // Helper Functions for Medication Calculations
 // =============================================================================

frontend/src/utils/correlation.ts

@@ -0,0 +1,20 @@
+export function createCorrelationId(prefix: string = "fe"): string {
+	const randomPart = Math.random().toString(36).slice(2, 10);
+	return `${prefix}-${Date.now().toString(36)}-${randomPart}`;
+}
+
+export function withCorrelation(
+	init?: RequestInit,
+	prefix: string = "fe"
+): { correlationId: string; init: RequestInit } {
+	const correlationId = createCorrelationId(prefix);
+	const headers = new Headers(init?.headers ?? {});
+	headers.set("x-correlation-id", correlationId);
+	return {
+		correlationId,
+		init: {
+			...init,
+			headers,
+		},
+	};
+}

frontend/src/utils/ics.ts

@@ -3,6 +3,7 @@
 // =============================================================================
 
 import type { Medication } from "../types";
+import { getMedDisplayName } from "../types";
 
 /**
  * Format a Date for ICS format (YYYYMMDDTHHMMSSZ)
@@ -18,6 +19,7 @@ function formatICSDate(date: Date): string {
  * Generate and download an ICS calendar file for a medication's schedule
  */
 export function generateICS(med: Medication): void {
+	const displayName = getMedDisplayName(med);
 	const events = med.blisters
 		.map((blister, idx) => {
 			const start = new Date(blister.start);
@@ -25,9 +27,9 @@ export function generateICS(med: Medication): void {
 			const interval = blister.every;
 
 			const pillInfo = `${blister.usage} pill${blister.usage !== 1 ? "s" : ""}${med.pillWeightMg ? ` (${blister.usage * med.pillWeightMg} mg)` : ""}`;
-			const summary = `💊 ${med.name} - ${pillInfo}`;
+			const summary = `💊 ${displayName} - ${pillInfo}`;
 			const description = [
-				`Medication: ${med.name}`,
+				`Medication: ${displayName}`,
 				med.genericName ? `Generic: ${med.genericName}` : "",
 				med.takenBy && med.takenBy.length > 0 ? `For: ${med.takenBy.join(", ")}` : "",
 				`Dosage: ${pillInfo}`,
@@ -48,7 +50,7 @@ DESCRIPTION:${description}
 BEGIN:VALARM
 TRIGGER:-PT5M
 ACTION:DISPLAY
-DESCRIPTION:Time to take ${med.name}
+DESCRIPTION:Time to take ${displayName}
 END:VALARM
 END:VEVENT`;
 		})
@@ -59,7 +61,7 @@ VERSION:2.0
 PRODID:-//MedAssist-ng//Medication Schedule//EN
 CALSCALE:GREGORIAN
 METHOD:PUBLISH
-X-WR-CALNAME:${med.name} Schedule
+X-WR-CALNAME:${displayName} Schedule
 ${events}
 END:VCALENDAR`;
 
@@ -67,7 +69,7 @@ END:VCALENDAR`;
 	const url = URL.createObjectURL(blob);
 	const link = document.createElement("a");
 	link.href = url;
-	link.download = `${med.name.replace(/[^a-zA-Z0-9]/g, "_")}_schedule.ics`;
+	link.download = `${displayName.replace(/[^a-zA-Z0-9]/g, "_")}_schedule.ics`;
 	document.body.appendChild(link);
 	link.click();
 	document.body.removeChild(link);

frontend/src/utils/image-upload.ts

@@ -0,0 +1,30 @@
+import type { TFunction } from "i18next";
+
+export const MAX_IMAGE_UPLOAD_BYTES = 10 * 1024 * 1024;
+
+/** Error codes returned by the backend image upload endpoints. */
+const IMAGE_ERROR_CODE_MAP: Record<string, string> = {
+	IMAGE_TOO_LARGE: "form.imageUploadErrors.tooLarge",
+	INVALID_TYPE: "form.imageUploadErrors.invalidType",
+	INVALID_IMAGE: "form.imageUploadErrors.invalidImage",
+	NO_FILE: "form.imageUploadErrors.noFile",
+	NETWORK_ERROR: "common.networkError",
+};
+
+/**
+ * Maps a backend image-upload error code to a translated user-facing message.
+ * Falls back to a generic error when the code is unknown.
+ */
+export function resolveImageUploadError(code: string, t: TFunction): string {
+	const normalized = normalizeErrorCode(code);
+	const key = IMAGE_ERROR_CODE_MAP[normalized];
+	return key ? t(key) : t("form.imageUploadErrors.generic");
+}
+
+/** Browser network errors are not error codes — normalise them. */
+function normalizeErrorCode(code: string): string {
+	if (code === "Failed to fetch" || code.startsWith("NetworkError")) {
+		return "NETWORK_ERROR";
+	}
+	return code;
+}

frontend/src/utils/schedule.ts

@@ -3,7 +3,7 @@
 // =============================================================================
 
 import type { Blister, Coverage, Intake, Medication, ScheduleEvent, StockStatus, StockThresholds } from "../types";
-import { getMedTotal } from "../types";
+import { getMedDisplayName, getMedTotal } from "../types";
 
 /**
  * Get intakes for a medication, preferring new intakes format over legacy blisters
@@ -63,7 +63,7 @@ export function buildSchedulePreview(
 				const dateOnlyMs = new Date(d.getFullYear(), d.getMonth(), d.getDate()).getTime();
 				events.push({
 					id: `${med.id}-${idx}-${dateOnlyMs}`,
-					medName: med.name,
+					medName: getMedDisplayName(med),
 					takenBy: intake.takenBy, // Per-intake takenBy (string | null)
 					usage: intake.usage,
 					when: whenMs,
@@ -267,10 +267,11 @@ export function calculateCoverage(
 			depletionMs !== null
 				? new Date(depletionMs).toLocaleDateString(locale, { weekday: "short", day: "2-digit", month: "short" })
 				: null;
-		const nextEvent = events.find((e) => e.medName === m.name);
+		const displayName = getMedDisplayName(m);
+		const nextEvent = events.find((e) => e.medName === displayName);
 
 		return {
-			name: m.name,
+			name: displayName,
 			medsLeft: Number(medsLeft.toFixed(1)),
 			daysLeft,
 			depletionDate,

package-lock.json

@@ -6,7 +6,7 @@
     "": {
       "name": "medassist-ng",
       "devDependencies": {
-        "@biomejs/biome": "^2.4.1",
+        "@biomejs/biome": "^2.4.4",
         "husky": "^9.1.0",
         "lint-staged": "^16.2.7"
       }
@@ -76,9 +76,9 @@
       }
     },
     "node_modules/@biomejs/biome": {
-      "version": "2.4.1",
-      "resolved": "https://registry.npmjs.org/@biomejs/biome/-/biome-2.4.1.tgz",
-      "integrity": "sha512-8c5DZQl1hfpLRlTZ21W5Ef2R314E4UJUEtkMbo303ElTVe6fYtapwldv7tZlgwm+9YP0Mhk7dUSTkOY8nQ2/2w==",
+      "version": "2.4.4",
+      "resolved": "https://registry.npmjs.org/@biomejs/biome/-/biome-2.4.4.tgz",
+      "integrity": "sha512-tigwWS5KfJf0cABVd52NVaXyAVv4qpUXOWJ1rxFL8xF1RVoeS2q/LK+FHgYoKMclJCuRoCWAPy1IXaN9/mS61Q==",
       "dev": true,
       "license": "MIT OR Apache-2.0",
       "bin": {
@@ -92,20 +92,20 @@
         "url": "https://opencollective.com/biome"
       },
       "optionalDependencies": {
-        "@biomejs/cli-darwin-arm64": "2.4.1",
-        "@biomejs/cli-darwin-x64": "2.4.1",
-        "@biomejs/cli-linux-arm64": "2.4.1",
-        "@biomejs/cli-linux-arm64-musl": "2.4.1",
-        "@biomejs/cli-linux-x64": "2.4.1",
-        "@biomejs/cli-linux-x64-musl": "2.4.1",
-        "@biomejs/cli-win32-arm64": "2.4.1",
-        "@biomejs/cli-win32-x64": "2.4.1"
+        "@biomejs/cli-darwin-arm64": "2.4.4",
+        "@biomejs/cli-darwin-x64": "2.4.4",
+        "@biomejs/cli-linux-arm64": "2.4.4",
+        "@biomejs/cli-linux-arm64-musl": "2.4.4",
+        "@biomejs/cli-linux-x64": "2.4.4",
+        "@biomejs/cli-linux-x64-musl": "2.4.4",
+        "@biomejs/cli-win32-arm64": "2.4.4",
+        "@biomejs/cli-win32-x64": "2.4.4"
       }
     },
     "node_modules/@biomejs/cli-darwin-arm64": {
-      "version": "2.4.1",
-      "resolved": "https://registry.npmjs.org/@biomejs/cli-darwin-arm64/-/cli-darwin-arm64-2.4.1.tgz",
-      "integrity": "sha512-wKiX2znbgFRaivRplSbu53hiREp1ohlGRuWqOL90IPetLi5E32tkiMYu8uSLXVzDgbIVM58WsesPaczIVtJkOQ==",
+      "version": "2.4.4",
+      "resolved": "https://registry.npmjs.org/@biomejs/cli-darwin-arm64/-/cli-darwin-arm64-2.4.4.tgz",
+      "integrity": "sha512-jZ+Xc6qvD6tTH5jM6eKX44dcbyNqJHssfl2nnwT6vma6B1sj7ZLTGIk6N5QwVBs5xGN52r3trk5fgd3sQ9We9A==",
       "cpu": [
         "arm64"
       ],
@@ -120,9 +120,9 @@
       }
     },
     "node_modules/@biomejs/cli-darwin-x64": {
-      "version": "2.4.1",
-      "resolved": "https://registry.npmjs.org/@biomejs/cli-darwin-x64/-/cli-darwin-x64-2.4.1.tgz",
-      "integrity": "sha512-rxLYVg3skeXh9K0om7JdkKcCdvtqrF9ECZ7dsmLuYObboK7DZ1J0z6xc2NGKSXw+cEQo3ie6NQgWBcdGJ16yQg==",
+      "version": "2.4.4",
+      "resolved": "https://registry.npmjs.org/@biomejs/cli-darwin-x64/-/cli-darwin-x64-2.4.4.tgz",
+      "integrity": "sha512-Dh1a/+W+SUCXhEdL7TiX3ArPTFCQKJTI1mGncZNWfO+6suk+gYA4lNyJcBB+pwvF49uw0pEbUS49BgYOY4hzUg==",
       "cpu": [
         "x64"
       ],
@@ -137,9 +137,9 @@
       }
     },
     "node_modules/@biomejs/cli-linux-arm64": {
-      "version": "2.4.1",
-      "resolved": "https://registry.npmjs.org/@biomejs/cli-linux-arm64/-/cli-linux-arm64-2.4.1.tgz",
-      "integrity": "sha512-nlGO5KzoEKhGj2i3QXyyNCeFk8SVwyes0wo0/X9w943darnlAHfi8MYYunPf8lsz5C0JaH6pJYB6D9HnDwUPQA==",
+      "version": "2.4.4",
+      "resolved": "https://registry.npmjs.org/@biomejs/cli-linux-arm64/-/cli-linux-arm64-2.4.4.tgz",
+      "integrity": "sha512-V/NFfbWhsUU6w+m5WYbBenlEAz8eYnSqRMDMAW3K+3v0tYVkNyZn8VU0XPxk/lOqNXLSCCrV7FmV/u3SjCBShg==",
       "cpu": [
         "arm64"
       ],
@@ -154,9 +154,9 @@
       }
     },
     "node_modules/@biomejs/cli-linux-arm64-musl": {
-      "version": "2.4.1",
-      "resolved": "https://registry.npmjs.org/@biomejs/cli-linux-arm64-musl/-/cli-linux-arm64-musl-2.4.1.tgz",
-      "integrity": "sha512-Brwh/QL3wfX5UyZcyEamS1Q+EF8Q7ud+MS5mq/9BWX2ArfxQlgsqlukwK92xrGpXWcspXkSG9U0CoxvCZZkTKQ==",
+      "version": "2.4.4",
+      "resolved": "https://registry.npmjs.org/@biomejs/cli-linux-arm64-musl/-/cli-linux-arm64-musl-2.4.4.tgz",
+      "integrity": "sha512-+sPAXq3bxmFwhVFJnSwkSF5Rw2ZAJMH3MF6C9IveAEOdSpgajPhoQhbbAK12SehN9j2QrHpk4J/cHsa/HqWaYQ==",
       "cpu": [
         "arm64"
       ],
@@ -171,9 +171,9 @@
       }
     },
     "node_modules/@biomejs/cli-linux-x64": {
-      "version": "2.4.1",
-      "resolved": "https://registry.npmjs.org/@biomejs/cli-linux-x64/-/cli-linux-x64-2.4.1.tgz",
-      "integrity": "sha512-Rmhm/mQ/3pejy1WtWLKurV1fN6zvCrqKz/ART2ZzgqY4ozL07uys5R9jA0A+yLjA79JTkcpIe85ygXv0FnSPRg==",
+      "version": "2.4.4",
+      "resolved": "https://registry.npmjs.org/@biomejs/cli-linux-x64/-/cli-linux-x64-2.4.4.tgz",
+      "integrity": "sha512-R4+ZCDtG9kHArasyBO+UBD6jr/FcFCTH8QkNTOCu0pRJzCWyWC4EtZa2AmUZB5h3e0jD7bRV2KvrENcf8rndBg==",
       "cpu": [
         "x64"
       ],
@@ -188,9 +188,9 @@
       }
     },
     "node_modules/@biomejs/cli-linux-x64-musl": {
-      "version": "2.4.1",
-      "resolved": "https://registry.npmjs.org/@biomejs/cli-linux-x64-musl/-/cli-linux-x64-musl-2.4.1.tgz",
-      "integrity": "sha512-kz1QpA+PXouNyWw2VzeoMlzMn99hlyOC/El2uSy+DS8gcb6tOsKEeZ5e2onnFIfZKe9AeKMFbTowDNLXwjwGjw==",
+      "version": "2.4.4",
+      "resolved": "https://registry.npmjs.org/@biomejs/cli-linux-x64-musl/-/cli-linux-x64-musl-2.4.4.tgz",
+      "integrity": "sha512-gGvFTGpOIQDb5CQ2VC0n9Z2UEqlP46c4aNgHmAMytYieTGEcfqhfCFnhs6xjt0S3igE6q5GLuIXtdQt3Izok+g==",
       "cpu": [
         "x64"
       ],
@@ -205,9 +205,9 @@
       }
     },
     "node_modules/@biomejs/cli-win32-arm64": {
-      "version": "2.4.1",
-      "resolved": "https://registry.npmjs.org/@biomejs/cli-win32-arm64/-/cli-win32-arm64-2.4.1.tgz",
-      "integrity": "sha512-e+PrlbQ/tez7W9EAzzCGUH1ovq31kR5r8sfCDzasrmoADLnDafet8pA8LdXnt0GwkeOem5Hz6WHCVZPRmaXiXw==",
+      "version": "2.4.4",
+      "resolved": "https://registry.npmjs.org/@biomejs/cli-win32-arm64/-/cli-win32-arm64-2.4.4.tgz",
+      "integrity": "sha512-trzCqM7x+Gn832zZHgr28JoYagQNX4CZkUZhMUac2YxvvyDRLJDrb5m9IA7CaZLlX6lTQmADVfLEKP1et1Ma4Q==",
       "cpu": [
         "arm64"
       ],
@@ -222,9 +222,9 @@
       }
     },
     "node_modules/@biomejs/cli-win32-x64": {
-      "version": "2.4.1",
-      "resolved": "https://registry.npmjs.org/@biomejs/cli-win32-x64/-/cli-win32-x64-2.4.1.tgz",
-      "integrity": "sha512-kfjOCzvaHC7olg8pmEuSsYzHntxdipkAGzr5nFiaEU2EPDWRE/myqUBaFDl9pHqEc8yEtQFiXF945PlTSkuOTw==",
+      "version": "2.4.4",
+      "resolved": "https://registry.npmjs.org/@biomejs/cli-win32-x64/-/cli-win32-x64-2.4.4.tgz",
+      "integrity": "sha512-gnOHKVPFAAPrpoPt2t+Q6FZ7RPry/FDV3GcpU53P3PtLNnQjBmKyN2Vh/JtqXet+H4pme8CC76rScwdjDcT1/A==",
       "cpu": [
         "x64"
       ],

package.json

@@ -7,7 +7,7 @@
     "lint:fix": "cd backend && npm run lint:fix && cd ../frontend && npm run lint:fix"
   },
   "devDependencies": {
-    "@biomejs/biome": "^2.4.1",
+    "@biomejs/biome": "^2.4.4",
     "husky": "^9.1.0",
     "lint-staged": "^16.2.7"
   },

scripts/release.sh

@@ -33,16 +33,36 @@ SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 PROJECT_ROOT="$(dirname "$SCRIPT_DIR")"
 cd "$PROJECT_ROOT"
 
-# Detect git remote name (prefer 'origin', fall back to 'github')
+# Detect git remote name for the configured GitHub repository.
+# This avoids accidentally pulling from a non-GitHub origin in multi-remote setups.
 detect_remote() {
-    if git remote | grep -q '^origin$'; then
-        echo "origin"
-    elif git remote | grep -q '^github$'; then
+    local target_repo_lower
+    target_repo_lower=$(echo "${GITHUB_REPO}" | tr '[:upper:]' '[:lower:]')
+
+    local remote
+    while read -r remote; do
+        local url
+        url=$(git remote get-url "$remote" 2>/dev/null || true)
+        local url_lower
+        url_lower=$(echo "$url" | tr '[:upper:]' '[:lower:]')
+
+        if [[ "$url_lower" == *"github.com"* && "$url_lower" == *"${target_repo_lower}.git"* ]]; then
+            echo "$remote"
+            return 0
+        fi
+        if [[ "$url_lower" == *"github.com"* && "$url_lower" == *"${target_repo_lower}" ]]; then
+            echo "$remote"
+            return 0
+        fi
+    done < <(git remote)
+
+    if git remote | grep -q '^github$'; then
         echo "github"
-    else
-        echo -e "${RED}Error: No 'origin' or 'github' remote found.${NC}" >&2
-        exit 1
+        return 0
     fi
+
+    echo -e "${RED}Error: No git remote points to github.com/${GITHUB_REPO}.${NC}" >&2
+    exit 1
 }
 
 GIT_REMOTE=$(detect_remote)
@@ -180,6 +200,8 @@ This PR was created by the release script.")
 echo -e "${GREEN}PR created: ${YELLOW}${PR_URL}${NC}"
 PR_NUMBER=$(echo "$PR_URL" | grep -oE '[0-9]+$')
 
+MERGED_SHA=""
+
 # ─── Wait for CI and merge ────────────────────────────────────────────────────
 
 if ! wait_for_ci "${PR_NUMBER}"; then
@@ -191,9 +213,35 @@ fi
 echo -e "${BLUE}Merging PR #${PR_NUMBER}...${NC}"
 gh pr merge "${PR_NUMBER}" --repo "${GITHUB_REPO}" --squash --delete-branch
 
+MERGED_SHA=$(gh pr view "${PR_NUMBER}" --repo "${GITHUB_REPO}" --json mergeCommit --jq '.mergeCommit.oid')
+if [[ -z "${MERGED_SHA}" || "${MERGED_SHA}" == "null" ]]; then
+    echo -e "${RED}Error: Could not resolve merge commit SHA for PR #${PR_NUMBER}.${NC}"
+    exit 1
+fi
+echo -e "${BLUE}Resolved merge commit: ${YELLOW}${MERGED_SHA}${NC}"
+
 echo -e "${BLUE}Updating main branch...${NC}"
 git checkout main
-git pull "${GIT_REMOTE}" main
+git fetch "${GIT_REMOTE}" main
+git pull --ff-only "${GIT_REMOTE}" main
+
+if ! git cat-file -e "${MERGED_SHA}^{commit}" 2>/dev/null; then
+    echo -e "${BLUE}Fetching merge commit from ${GIT_REMOTE}...${NC}"
+    git fetch "${GIT_REMOTE}" "${MERGED_SHA}"
+fi
+
+HEAD_SHA=$(git rev-parse HEAD)
+if [[ "${HEAD_SHA}" != "${MERGED_SHA}" ]]; then
+    echo -e "${YELLOW}Local main is at ${HEAD_SHA}, expected merge commit ${MERGED_SHA}.${NC}"
+    echo -e "${YELLOW}Tag will be created on the merge commit SHA to avoid stale tags.${NC}"
+fi
+
+MERGED_VERSION=$(git show "${MERGED_SHA}:backend/package.json" | sed -n 's/.*"version": "\([^"]*\)".*/\1/p')
+if [[ "${MERGED_VERSION}" != "${NEW_VERSION}" ]]; then
+    echo -e "${RED}Error: merge commit backend/package.json version is '${MERGED_VERSION}', expected '${NEW_VERSION}'.${NC}"
+    echo -e "${RED}Aborting to prevent creating a tag on the wrong release commit.${NC}"
+    exit 1
+fi
 
 # ─── Create and push signed tag ──────────────────────────────────────────────
 
@@ -208,7 +256,7 @@ if git ls-remote --tags "${GIT_REMOTE}" "v${NEW_VERSION}" 2>/dev/null | grep -q
 fi
 
 echo -e "${BLUE}Creating signed tag v${NEW_VERSION}...${NC}"
-git tag -s "v${NEW_VERSION}" -m "Release v${NEW_VERSION}"
+git tag -s "v${NEW_VERSION}" "${MERGED_SHA}" -m "Release v${NEW_VERSION}"
 
 echo -e "${BLUE}Pushing tag...${NC}"
 git push "${GIT_REMOTE}" "v${NEW_VERSION}"