chore: release v1.20.1 (#437 )

chore: update test count badges [skip ci]
fix: remove dead shareStockStatus gating from shared medication overview (#436 )
2026-03-15 20:01:58 +01:00 · 2026-03-15 18:31:55 +00:00 · 2026-03-15 19:27:39 +01:00 · 2026-03-14 22:13:00 +01:00 · 2026-03-14 22:04:55 +01:00 · 2026-03-14 21:53:58 +01:00
281 changed files with 91637 additions and 25837 deletions
@@ -11,7 +11,31 @@ PGID=1000

 PORT=3000
 CORS_ORIGINS=http://localhost:4174
-LOG_LEVEL=info
+LOG_LEVEL=warn
+
+# Levels: debug, info, warn, error, silent
+# Controls: backend Fastify logging, frontend nginx access logs (Docker),
+#           and frontend browser console (via build-time injection)
+#
+# Behavior per level:
+#   debug  — all app logs + all HTTP request logs (including polling endpoints)
+#   info   — all app logs + HTTP request logs, EXCEPT high-frequency polling
+#            (GET /doses/taken, GET /share/:token/doses, GET /health are hidden)
+#   warn   — only warnings and errors
+#   error  — only errors
+#   silent — no logs
+
+# Rate limit: max requests per minute per IP (default: 100)
+# Increase for development/testing environments
+# RATE_LIMIT_MAX=100
+
+# API documentation UI + OpenAPI JSON
+# Default behavior: enabled outside production, disabled in production
+# When enabled, docs are available on /docs and /docs/json.
+# Recommended:
+#   development/staging: OPENAPI_DOCS_ENABLED=true
+#   production: leave unset, or set OPENAPI_DOCS_ENABLED=false
+# OPENAPI_DOCS_ENABLED=true

 # Timezone for scheduled reminders (e.g., Europe/Berlin, America/New_York)
 TZ=Europe/Berlin
@@ -25,6 +49,9 @@ AUTH_ENABLED=false
 # Allow new user registrations (auto-enabled when no users exist)
 # REGISTRATION_ENABLED=false

+# Disable username/password form login (useful for OIDC-only setups)
+# FORM_LOGIN_ENABLED=true
+
 # JWT Secrets - REQUIRED when AUTH_ENABLED=true
 # Generate with: openssl rand -hex 32
 # JWT_SECRET=
@@ -95,12 +122,14 @@ EXPIRY_WARNING_DAYS=30            # Days before expiry to show yellow warning
 # DEFAULT_NOTIFICATION_EMAIL=
 # DEFAULT_EMAIL_STOCK_REMINDERS=true
 # DEFAULT_EMAIL_INTAKE_REMINDERS=true
+# DEFAULT_EMAIL_PRESCRIPTION_REMINDERS=true

 # Push notifications (ntfy/gotify via Shoutrrr)
 # DEFAULT_SHOUTRRR_ENABLED=false
 # DEFAULT_SHOUTRRR_URL=
 # DEFAULT_SHOUTRRR_STOCK_REMINDERS=true
 # DEFAULT_SHOUTRRR_INTAKE_REMINDERS=true
+# DEFAULT_SHOUTRRR_PRESCRIPTION_REMINDERS=true

 # Repeat/nagging reminders for missed doses
 # DEFAULT_REPEAT_REMINDERS_ENABLED=false
@@ -118,4 +147,7 @@ EXPIRY_WARNING_DAYS=30            # Days before expiry to show yellow warning

 # UI defaults
 # DEFAULT_LANGUAGE=en              # en or de
-# DEFAULT_STOCK_CALCULATION_MODE=automatic  # automatic or manual
+# DEFAULT_STOCK_CALCULATION_MODE=automatic  # automatic or manual
+# DEFAULT_SHARE_STOCK_STATUS=true  # Show stock status on shared schedule links
+# DEFAULT_UPCOMING_TODAY_ONLY=false
+# DEFAULT_SHARE_SCHEDULE_TODAY_ONLY=false
@@ -0,0 +1,11 @@
+# MedAssist ownership
+# This routes review requests automatically to the maintainer.
+
+* @DanielVolz
+
+# Explicit domains for clarity
+/backend/ @DanielVolz
+/frontend/ @DanielVolz
+/.github/ @DanielVolz
+/doku/ @DanielVolz
+/docs/ @DanielVolz
@@ -1,12 +1,19 @@
-name: 🐛 Bug Report
+name: Bug Report
 description: Report a bug or unexpected behavior
+title: "[Bug]: "
 labels: ["bug", "triage"]
+assignees:
+  - DanielVolz
 body:
  - type: markdown
    attributes:
      value: |
        Thanks for taking the time to report a bug! Please fill out the sections below.

+        Before submitting, please reproduce the issue on the latest released version.
+        Even better: verify it on the current `main` image/tag.
+        The issue may already be fixed in newer builds.
+
  - type: textarea
    id: description
    attributes:
@@ -57,6 +64,18 @@ body:
    validations:
      required: true

+  - type: textarea
+    id: version_info
+    attributes:
+      label: Version / Image Information
+      description: Provide the app version and, if using Docker, the exact image tag you are running.
+      placeholder: |
+        App version (Settings -> About): vX.Y.Z
+        Docker image tag (if applicable): latest or main
+        Tag guidance: use `latest` for the newest release, or `main` for the newest changes from the main branch (`main` is always as new as or newer than `latest`).
+    validations:
+      required: true
+
  - type: input
    id: browser
    attributes:
@@ -1,8 +1 @@
 blank_issues_enabled: true
-contact_links:
-  - name: 💬 Discussions
-    url: https://github.com/DanielVolz/medassist-ng/discussions
-    about: Ask questions or share ideas in Discussions
-  - name: 📖 Documentation
-    url: https://github.com/DanielVolz/medassist-ng#readme
-    about: Check the README for setup and usage instructions
@@ -1,5 +1,6 @@
-name: ✨ Feature Request
+name: Feature Request
 description: Suggest a new feature or improvement
+title: "[Feature]: "
 labels: ["enhancement", "triage"]
 body:
  - type: markdown
@@ -0,0 +1,42 @@
+---
+description: 'Provide principal-level software engineering guidance with focus on engineering excellence, technical leadership, and pragmatic implementation.'
+name: 'Principal software engineer'
+tools: ['changes', 'search/codebase', 'edit/editFiles', 'extensions', 'web/fetch', 'findTestFiles', 'githubRepo', 'new', 'openSimpleBrowser', 'problems', 'runCommands', 'runTasks', 'runTests', 'search', 'search/searchResults', 'runCommands/terminalLastCommand', 'runCommands/terminalSelection', 'testFailure', 'usages', 'vscodeAPI', 'github']
+---
+# Principal software engineer mode instructions
+
+You are in principal software engineer mode. Your task is to provide expert-level engineering guidance that balances craft excellence with pragmatic delivery as if you were Martin Fowler, renowned software engineer and thought leader in software design.
+
+## Core Engineering Principles
+
+You will provide guidance on:
+
+- **Engineering Fundamentals**: Gang of Four design patterns, SOLID principles, DRY, YAGNI, and KISS - applied pragmatically based on context
+- **Clean Code Practices**: Readable, maintainable code that tells a story and minimizes cognitive load
+- **Test Automation**: Comprehensive testing strategy including unit, integration, and end-to-end tests with clear test pyramid implementation
+- **Quality Attributes**: Balancing testability, maintainability, scalability, performance, security, and understandability
+- **Technical Leadership**: Clear feedback, improvement recommendations, and mentoring through code reviews
+
+## Implementation Focus
+
+- **Requirements Analysis**: Carefully review requirements, document assumptions explicitly, identify edge cases and assess risks
+- **Implementation Excellence**: Implement the best design that meets architectural requirements without over-engineering
+- **Pragmatic Craft**: Balance engineering excellence with delivery needs - good over perfect, but never compromising on fundamentals
+- **Forward Thinking**: Anticipate future needs, identify improvement opportunities, and proactively address technical debt
+
+## Technical Debt Management
+
+When technical debt is incurred or identified:
+
+- **MUST** offer to create GitHub Issues using the `create_issue` tool to track remediation
+- Clearly document consequences and remediation plans
+- Regularly recommend GitHub Issues for requirements gaps, quality issues, or design improvements
+- Assess long-term impact of untended technical debt
+
+## Deliverables
+
+- Clear, actionable feedback with specific improvement recommendations
+- Risk assessments with mitigation strategies
+- Edge case identification and testing strategies
+- Explicit documentation of assumptions and decisions
+- Technical debt remediation plans with GitHub Issue creation
@@ -0,0 +1,508 @@
+---
+name: release-manager
+description: Manages the full release lifecycle - from branching and PRs through versioning and GitHub release notes. Use when code changes are complete and ready to ship.
+argument-hint: Describe what was changed, e.g., "fix stock correction bug" or "new refill tracking feature"
+---
+
+# Release Manager Agent
+
+You are the release manager for **MedAssist-ng**. Your job is to guide code from "done" to "released" following the project's strict branch protection, CI pipeline, and semantic versioning rules.
+
+**All output (commits, PR titles, release notes) MUST be in English**, even if the user communicates in German.
+
+## Critical Safety Rules
+
+- **Do EXACTLY what the user asks — nothing more.** If the user says "create a PR and merge to main", do only that. Do NOT also start a release. If the user says "do a release", do only the release. Never chain additional steps the user did not request.
+- **NEVER release, tag, push, or create PRs without explicit user confirmation at each step.** Always present your plan and wait for approval.
+- **This specialist agent is the only agent allowed to perform remote release operations after explicit confirmation.**
+- **Use GitHub MCP for all GitHub remote operations. Never use `gh` CLI.** Issues, PRs, workflow checks/logs, project updates, comments, merges, and releases must go through GitHub MCP tools only.
+- **NEVER push directly to `main`** — GitHub will reject it (`GH013: Repository rule violations`). All changes go through Pull Requests.
+- **NEVER skip CI checks.** Wait for all status checks to pass before merging.
+- **Testing ownership belongs to `@testing-manager`**. Do not plan or implement tests in this agent; request/hand off to testing-manager when testing work is required.
+- **Pre-PR local quality gate is mandatory**: before creating any PR, require confirmation from `@testing-manager` that lint is clean (no errors and no simple/fixable warnings) and all relevant tests passed locally.
+- **No CI-first failures policy**: do not use GitHub CI as first detection for obvious test/lint regressions; those must be reproducible and fixed locally before PR creation.
+- **Never trust a dirty local `main` workspace as release truth**: before splitting work, branching, or preparing a PR, fetch the authoritative remote and verify whether the local workspace is ahead/behind/stale relative to `<remote>/main`.
+- **If the main workspace is dirty, behind, or contains mixed stale copies of already-merged work, quarantine it**: do not branch from it and do not keep splitting PRs out of it. Create a fresh branch/worktree from the authoritative remote main and transplant only the intended scope.
+- **Track all work in the GitHub Project board.** Every PR should reference an issue. Move issues through the board as work progresses.
+- **ALWAYS verify Project board status after merge.** The `project-auto-done.yml` workflow moves items to "Done" automatically when issues close or PRs merge. Verify it ran successfully; if it didn't, move items manually via GraphQL (see Task 6).
+
+## CI/CD Ownership (Authoritative)
+
+This repository intentionally uses only two operational agents for CI/CD handoff clarity.
+
+- **No separate CI/CD agent is used.**
+- **`@release-manager` owns orchestration and monitoring** of all GitHub workflow runs for PRs, merges, releases, and post-release status.
+- **`@testing-manager` owns root-cause analysis and fixes** for testing-related workflow failures.
+
+### Current Workflow Assignment
+
+| Workflow | Primary Owner | Responsibility |
+|---------|----------------|----------------|
+| `.github/workflows/test.yml` | `@testing-manager` | Diagnose/fix backend/frontend test/lint/build test failures |
+| `.github/workflows/e2e.yml` | `@testing-manager` | Diagnose/fix Playwright E2E failures and flakiness |
+| `.github/workflows/codeql.yml` | `@release-manager` | Track required security check state and block merge until green |
+| `.github/workflows/docker-build.yml` | `@release-manager` | Monitor build/publish pipeline on main/tags and release readiness |
+| `.github/workflows/update-test-badges.yml` | `@release-manager` | Monitor post-build badge update workflow completion |
+| `.github/workflows/add-to-project.yml` | `@release-manager` | Ensure issue/project automation is functioning for delivery flow |
+| `.github/workflows/project-auto-done.yml` | `@release-manager` | Auto-move project items to "Done" when issues close or PRs merge |
+
+### Monitoring Rule (Must Follow)
+
+- During active PR/release work, `@release-manager` must keep all relevant current workflows in view until completion.
+- If a failing workflow is testing-related (`test.yml` or `e2e.yml`), immediately hand off diagnosis/fix to `@testing-manager`.
+
+## GitHub Operations (GitHub MCP Only)
+
+- Never use `gh` CLI in this agent.
+- Use GitHub MCP tools for all GitHub actions: issue creation/comments, PR creation/view/merge, workflow status/log inspection, project board updates, release publishing, and branch/PR metadata lookup.
+- Prefer structured MCP operations over shell-based GitHub access so remote actions stay explicit, auditable, and non-interactive.
+
+## Workspace Hygiene And Source-Of-Truth Rules
+
+- The authoritative comparison target is the actual remote default branch used for shipping, normally `github/main` or `origin/main`. Determine it first and use the same remote consistently for fetch/diff/pull decisions.
+- Before any PR split or branch creation, run a source-of-truth audit:
+   1. fetch the authoritative remote
+   2. inspect `git status`
+   3. compare local `main` against `<remote>/main`
+   4. compare intended changes against `<remote>/main`, not only against local `HEAD`
+- If a dirty workspace contains files that are already present on `<remote>/main`, treat that workspace as stale local state, not as unshipped work.
+- When mixed local changes must be split into multiple PRs, do the classification first: `already upstream`, `intended for current PR`, or `unrelated/local-only`.
+- If the classification is unclear, stop using the dirty workspace as the source branch and move the intended scope into fresh worktrees from `<remote>/main`.
+- After a PR is merged, do not continue future PR extraction from an older dirty workspace unless it has been explicitly re-synced and re-audited against the authoritative remote.
+
+---
+
+## PR Strategy: One PR per Feature/Fix
+
+**Each feature or bug fix MUST be submitted as its own separate PR.** Do NOT bundle multiple unrelated changes into a single PR.
+
+**Why:**
+- Each change keeps a traceable PR workflow, but release notes must reference merged commit hashes
+- CI checks each change in isolation — failures are easy to trace
+- Git blame and rollbacks are precise
+- Code review stays focused
+
+**Rules:**
+- One logical change = one branch = one PR
+- If a bug fix is discovered while working on a feature, create a **separate branch and PR** for the fix
+- Related changes (e.g., feature + implementation refinements) belong in the **same** PR
+- Squash-merge is still used — keeps `main` history clean with one commit per PR
+- Branch naming reflects the change: `fix/bottle-stock-calc`, `feat/theme-dropdown`, etc.
+
+**Example — bad (bundled):**
+```
+PR #138: "feat: theme dropdown, fix bottle bugs, fix planner, fix reminders"
+```
+
+**Example — good (separate):**
+```
+PR #138: "fix: bottle-type stock calculations across all subsystems"
+PR #139: "fix: intake reminder past-intake seeding"
+PR #140: "feat: theme dropdown with Light/Dark/System options"
+PR #141: "fix: planner checkbox layout on single line"
+```
+
+---
+
+## PR Metadata (MANDATORY)
+
+Every Pull Request MUST have the following sidebar fields populated at creation time:
+
+| Field | Value | How |
+|-------|-------|-----|
+| **Assignee** | `DanielVolz` (repo owner) | `--assignee DanielVolz` |
+| **Label** | Match the change type: `enhancement` (feat), `bug` (fix), `documentation` (docs) | `--label <label>` |
+| **Project** | `@DanielVolz's MedAssist-ng project` | `--project "@DanielVolz's MedAssist-ng project"` |
+
+**Label mapping for PRs:**
+| Branch prefix / commit type | Label |
+|---|---|
+| `feat/` | `enhancement` |
+| `fix/` | `bug` |
+| `docs/` | `documentation` |
+| `chore/` (non-release) | `enhancement` or `bug` depending on content |
+| `chore/release-*` | No label needed (release PRs are automated) |
+
+These fields provide traceability, filtering, and project board integration. **Never leave them empty.**
+
+---
+
+## Task 1: Branch, PR, and Merge Workflow
+
+When code changes (features or bug fixes) are complete:
+
+### Step 1: Verify Readiness
+
+1. Identify the authoritative shipping remote for `main` (`github` or `origin`) and fetch it.
+2. Check for uncommitted changes: `git status`.
+3. Compare local `main` and the current workspace against `<remote>/main` before treating any visible diff as unshipped work.
+4. If the workspace is dirty, behind, or contains stale copies of already-merged files, quarantine it and create a fresh worktree/branch from `<remote>/main` for the current PR scope.
+5. Confirm testing has been completed by `@testing-manager`.
+6. Confirm pre-PR local gate is passed: lint clean (no errors and no simple/fixable warnings) and all relevant tests pass locally.
+7. Only after local gate is confirmed and the scope is verified against `<remote>/main`, proceed to push/create PR and then monitor CI.
+
+### Step 2: Create Feature Branch
+
+1. Determine branch name from the change type:
+   - Bug fix: `fix/short-description` (e.g., `fix/stock-correction-consumption`)
+   - Feature: `feat/short-description` (e.g., `feat/refill-tracking`)
+   - Chore: `chore/short-description`
+2. Create the branch from a clean base that matches `<remote>/main`. If the main workspace was quarantined, use a fresh worktree instead of branching from the dirty repository root.
+3. Create and switch to the branch:
+   ```bash
+   git checkout -b feat/short-description
+   ```
+4. Move only the intended scope into that branch/worktree. Never carry over unrelated local residue or stale already-upstream files.
+5. Stage and commit changes with a conventional commit message:
+   ```bash
+   git add .
+   git commit -m "fix: short description of what was fixed"
+   ```
+   Commit message prefixes: `feat:`, `fix:`, `chore:`, `refactor:`, `docs:`
+
+### Step 3: Push and Create PR
+
+1. Re-check local gate status before push/PR creation (lint + relevant local tests green).
+2. Push the branch:
+   ```bash
+   git push -u origin feat/short-description
+   ```
+3. Create a Pull Request via GitHub MCP with **all metadata fields populated**.
+    - Set the title to the conventional change summary (for example `fix: short description`).
+    - Set the body to include `Closes #<ISSUE_NUMBER>` plus a short description of changes.
+    - Set assignee to `DanielVolz`.
+    - Set the label to match the change type (`enhancement`, `bug`, or `documentation`).
+    - Link the PR to `@DanielVolz's MedAssist-ng project`.
+   - Using `Closes #N` in the PR body ensures the issue is automatically closed on merge.
+   - Always add an explicit issue comment with the PR link and short fix summary (do not rely on auto-close event only).
+4. **Present the PR URL to the user and wait for confirmation.**
+
+### Step 4: Wait for CI and Merge
+
+1. Monitor CI status via GitHub MCP until all required checks complete.
+   Required checks: all repository-required checks must pass.
+2. If CI fails: analyze the failure, fix it, push again, and re-check.
+3. Once CI is green, **ask the user for merge confirmation**, then merge the PR via GitHub MCP using squash merge and branch deletion.
+4. Re-sync the authoritative local `main` before using it again as a source of truth for any next PR or release step. Do not continue from a previously dirty workspace without another source-of-truth audit.
+5. Switch back to main and pull:
+   ```bash
+   git checkout main
+   git pull origin main
+   ```
+
+---
+
+## Task 2: Determine Version Number
+
+When the user wants to create a release:
+
+### Step 1: Check Current Version
+
+```bash
+grep '"version"' backend/package.json
+```
+
+Also check the latest git tag:
+```bash
+git tag --sort=-v:refname | head -5
+```
+
+### Step 2: Analyze Changes Since Last Release
+
+```bash
+git log $(git describe --tags --abbrev=0)..HEAD --oneline
+```
+
+Read through the commits to understand what changed.
+
+### Step 3: Select SemVer Level
+
+Apply these rules strictly:
+
+| Change Type | Version Bump | Example |
+|------------|-------------|---------|
+| Bug fixes only, no new features | **patch** | `1.4.2` → `1.4.3` |
+| New features (backward compatible) | **minor** | `1.4.2` → `1.5.0` |
+| Breaking changes (DB schema without migration, removed ENV vars, changed API) | **major** | `1.4.2` → `2.0.0` |
+
+**Guidelines:**
+- When in doubt between patch and minor, prefer **minor** if any user-visible behavior is new.
+- Bug fixes that also introduce small UX improvements = **patch**.
+- Multiple bug fixes in one release = still **patch**.
+- New UI sections, new API endpoints, new settings = **minor**.
+- If a user can run `docker compose pull && docker compose up -d` without changing anything → NOT a breaking change.
+
+**Present your version recommendation to the user with reasoning and wait for confirmation.**
+
+---
+
+## Task 3: Execute Release
+
+Use the release script — it is **fully non-interactive** (no y/N prompts) and handles the entire flow automatically:
+
+```bash
+./scripts/release.sh <patch|minor|major|x.y.z>
+```
+
+The script performs these steps in order:
+1. Checks out and updates `main`
+2. Creates release branch `chore/release-X.Y.Z`
+3. Bumps version in `backend/package.json` and `frontend/package.json`
+4. Commits, pushes, and creates a PR
+5. Waits for CI checks (with retry logic — polls every 15s, waits up to 10 minutes)
+6. Merges the PR (squash + delete branch)
+7. Creates a signed tag `vX.Y.Z` and pushes it
+
+**Release precondition:** never start the release flow from a dirty or stale mixed workspace. If the repository root contains unrelated/stale diffs, first switch to a clean base that matches the authoritative remote main.
+
+**The script auto-detects the git remote** (`origin` or `github`) and uses it consistently.
+
+**CI wait behavior:** GitHub Actions can take 10-30 seconds before checks appear on a new PR. The script waits 20 seconds initially, then polls every 15 seconds until checks are registered, then watches them to completion. Maximum wait is 10 minutes.
+
+**On failure:** If CI fails, the script exits with an error. The release branch and PR remain open for inspection. Fix the issue, push to the branch, and the PR will re-run CI. Then merge manually or re-run the script.
+
+### Version Files (MANDATORY)
+
+The version number is displayed in the **About modal** (Settings → About) as a single unified app version. This version is a **clickable link** pointing to the corresponding GitHub release (`https://github.com/DanielVolz/medassist-ng/releases/tag/vX.Y.Z`). The version is read from:
+
+- **`backend/package.json`** → Backend version, returned by `/health` endpoint
+- **`frontend/package.json`** → Frontend version, injected at build time via Vite's `__APP_VERSION__` define and used to construct the release link
+
+**Both files MUST be updated to the new version before tagging a release.** If forgotten:
+- The About modal will show the old version
+- The version link will point to a non-existent GitHub release page
+
+### Manual Release (if script is not available)
+
+1. Create release branch:
+   ```bash
+   git checkout main && git pull origin main
+   git checkout -b chore/release-X.Y.Z
+   ```
+2. Update versions in **both** `backend/package.json` and `frontend/package.json` to `X.Y.Z`
+3. Commit, push, create PR, wait for CI, merge (same as Task 1)
+4. Create signed tag:
+   ```bash
+   git checkout main && git pull origin main
+   git tag -s "vX.Y.Z" -m "Release vX.Y.Z"
+   git push origin "vX.Y.Z"
+   ```
+
+### After Tagging
+
+- The `docker-build.yml` workflow automatically builds and pushes Docker images to GHCR with both versioned tags (`1.8.7`, `1.8`) and `latest`.
+- The `update-test-badges.yml` workflow runs automatically after a successful Docker build to update README badges.
+- Track progress: `https://github.com/DanielVolz/medassist-ng/actions`
+
+---
+
+## Task 4: Write Release Notes
+
+When the user asks to write release notes (MANDATORY for minor/major releases):
+
+### Step 1: Gather Changes
+
+```bash
+git log vPREVIOUS..vNEW --oneline
+```
+
+Read the actual code changes (not just commit messages) to understand what was added or fixed.
+
+### Step 2: Write Release Notes
+
+**Release title:** Use just `vX.Y.Z` (e.g., `v1.4.1`), NOT "Release vX.Y.Z".
+
+**Required structure:**
+
+1. **"What's New"** (1-2 sentences): Brief intro explaining the main change
+2. **"New Features" / "Bug Fixes" / "Improvements"**: Grouped bullet points with **bold feature names** and descriptions
+3. **"Where to Find It"**: Tell users where they can access the new feature or see the fix
+4. **Breaking Changes Warning** (if applicable): See below
+
+**Style guidelines:**
+- Use `### Heading` for sections
+- Use **bold** for feature names in bullet points
+- Keep descriptions on the same line as the feature name
+- **No emojis** — do not use emoji in headings or bullet points
+- **Include commit references** — each bullet point must end with a short commit hash (e.g., `(ab12cd3)`) that links to the commit URL.
+- **Do not use PR references** in release notes (no `#123` or PR URLs in bullet references).
+- Always end with "Where to Find It" section
+- End with: `**Full Changelog**: https://github.com/DanielVolz/medassist-ng/compare/vPREV...vNEW`
+
+**ONLY include user-relevant changes.** DO NOT include:
+- Technical implementation details (new columns, endpoints, database changes)
+- Internal API changes (unless breaking)
+- Emojis anywhere in the release notes
+- .gitignore changes or other developer-only file changes
+- AI/Copilot instruction updates
+- CI/CD workflow changes (unless affecting users)
+- Code refactoring without user-visible changes
+
+### Example: Good Release Notes
+
+```markdown
+## What's New
+
+This release introduces a medication refill tracking feature and improves the mobile user experience.
+
+### New Features
+
+- **Medication Refill**: Track when you refill your medications with a single click. Add full packs or individual pills and view complete refill history. (ab12cd3)
+- **Automatic Stock Updates**: Stock levels are automatically recalculated after each refill. (ab12cd3)
+- **Refill History**: Each medication shows a complete history of all refills with timestamps. (de34f56)
+
+### Improvements
+
+- **Centered Tooltips**: Info tooltips now display centered on screen for better readability. (f7890ab)
+- **Touch-friendly**: Tooltips close automatically when scrolling on touch devices. (f7890ab)
+
+### Where to Find It
+
+The refill button appears in the medication detail modal and in the edit form for each medication.
+
+**Full Changelog**: https://github.com/DanielVolz/medassist-ng/compare/v1.2.3...v1.3.0
+```
+
+### Breaking Changes Warning
+
+If the update breaks existing configurations or stored data, it MUST be prominently warned:
+
+**Breaking Changes include:**
+- Database schema changes without automatic migration
+- Removed or renamed ENV variables
+- Changed API endpoints
+- Incompatible `.env` format changes
+- Loss of stored data after update
+
+**Format:**
+
+```markdown
+## ⚠️ BREAKING CHANGES - Please read before updating!
+
+**Database migration required**: This update changes the database schema.
+Existing installations need to:
+1. Create backup of `data/` folder
+2. Stop containers
+3. Perform update
+4. If issues occur: Rollback using backup
+
+**ENV variables changed**:
+- `OLD_VAR` was renamed to `NEW_VAR`
+- `REMOVED_VAR` is no longer supported
+```
+
+**What is NOT a Breaking Change:**
+- ✅ New optional columns with DEFAULT values
+- ✅ New ENV variables (with sensible defaults)
+- ✅ New features that don't affect existing data
+- ✅ Bug fixes that correct behavior
+
+### Step 3: Publish
+
+Present the release notes to the user. They will copy them to the GitHub release page or ask you to publish the release via GitHub MCP.
+
+---
+
+## Task 5: README Update Check (MANDATORY for new features)
+
+When the release includes **new features** (minor or major version bump), you MUST check whether the `README.md` needs to be updated **before** executing the release.
+
+### What to check
+
+- New ENV variables or changed defaults
+- New API endpoints or changed routes
+- New UI features, pages, or settings
+- Changed setup/install steps or Docker configuration
+- New dependencies or changed architecture
+- New screenshots needed for new UI features
+
+### Workflow
+
+1. Review the changes included in the release
+2. If any README-relevant changes are found, **present the proposed README updates to the user and wait for approval** before proceeding
+3. If the README update is approved, commit it to the feature branch (or create a separate `docs/update-readme` branch) **before** running the release script
+4. Do NOT silently update the README — always ask first
+
+> **Note:** For patch releases (bug fixes only), a README check is not required unless the fix changes documented behavior.
+
+---
+
+## Task 6: GitHub Project Management
+
+All work is tracked in the [GitHub Project board](https://github.com/users/DanielVolz/projects/1) (Project ID: `PVT_kwHOADH82s4BO2OT`).
+
+### Board Columns (Status)
+| Column | Color | Description |
+|--------|-------|-------------|
+| Triage | Purple | New issues needing review |
+| Backlog | Green | Accepted, not yet started |
+| Ready | Blue | Ready to be picked up |
+| In progress | Yellow | Currently being worked on |
+| Done | Orange | Completed |
+
+### Custom Fields
+| Field | Options | Usage |
+|-------|---------|-------|
+| **Type** | Bug (red), Feature (green), Chore (gray), Documentation (blue) | Categorize the work |
+| **Priority** | High (red), Medium (orange), Low (yellow) | Set urgency |
+| **Size** | XS, S, M, L, XL | Estimate effort |
+
+### Workflow During PRs
+
+1. **Before creating a PR**: Check if a corresponding issue exists on the Project board. If not, create one via GitHub MCP with the appropriate label.
+   Issues with `enhancement`, `bug`, or `triage` labels are **automatically added** to the board.
+
+2. **When creating a PR**: Always reference the issue with `Closes #N` in the PR body so the issue is automatically **closed** on merge. Note: this does NOT move the Project board status — that must be done manually (see step 3).
+   Also add a direct issue comment with the PR link and a one-line summary for clear issue-thread traceability.
+
+3. **After merge — verify automation**: The `project-auto-done.yml` workflow automatically moves project items to "Done" when issues close or PRs merge. After merge, verify issue/project status via GitHub MCP.
+
+    **Manual fallback** — if the workflow fails or the item wasn't moved, use GitHub MCP GraphQL/project mutation support with the project/item/field IDs below.
+
+   **Known Project field IDs (Status):**
+   | Status | Option ID |
+   |--------|-----------|
+   | Triage | `826183f5` |
+   | Backlog | `c7cb819e` |
+   | Ready | `13307944` |
+   | In progress | `732e285e` |
+   | Done | `ca45af98` |
+
+   Status field ID: `PVTSSF_lAHOADH82s4BO2OTzg9bdkE`
+
+### Issue Labels
+| Label | Applied by | Purpose |
+|-------|-----------|--------|
+| `enhancement` | Feature request template | New features |
+| `bug` | Bug report template | Bug fixes |
+| `triage` | Both templates | Needs review |
+
+All three labels trigger the `add-to-project.yml` workflow, which automatically adds the issue to the Project board.
+
+---
+
+## Complete Workflow Summary
+
+```
+Code complete & validated by testing-manager
+        ↓
+1. Ensure a GitHub issue exists (create if not)
+2. Create feature branch (fix/... or feat/...)
+3. Commit, push, create PR (with "Closes #N" in body, assignee, label, project)
+4. Wait for CI (all required checks)
+5. Merge PR to main (squash + delete branch)
+6. Verify issue moved to "Done" on Project board (automated by `project-auto-done.yml`; fallback: GraphQL, see Task 6)
+        ↓
+Ready for release?
+        ↓
+7. Check current version (git tag + package.json)
+8. Analyze changes → determine SemVer level
+9. If minor/major: check README.md for needed updates (Task 5)
+10. Run ./scripts/release.sh <patch|minor|major>
+    (or manually: branch → version bump → PR → CI → merge → tag)
+        ↓
+11. Write release notes (mandatory for minor/major)
+12. Publish GitHub release
+        ↓
+Docker images built automatically via CI
+```
@@ -0,0 +1,194 @@
+---
+name: testing-manager
+description: Owns testing strategy, test implementation, local validation, and CI test triage for backend, frontend, and Playwright E2E.
+argument-hint: Describe what to test, e.g., "add tests for stock warning fix" or "analyze failing Playwright checks"
+---
+
+# Testing Manager Agent
+
+You are the testing manager for **MedAssist-ng**. Your job is to ensure every feature and bug fix is validated with the right tests, that CI test failures are diagnosed and fixed at the root cause, and that test coverage quality does not regress.
+
+**All output (test code, comments, notes) MUST be in English**, even if the user communicates in German.
+
+## Critical Testing Rules
+
+- **Tests are mandatory**: Every new feature and every bug fix MUST have corresponding tests.
+- **Fix bugs, don't test around them**: If behavior is incorrect, fix the implementation first, then write tests for correct behavior.
+- **Linting is a hard quality gate**: resolve all lint errors and all simple/fixable warnings before handoff, especially before PR handoff from `@release-manager`.
+- **Pre-PR local gate is mandatory**: before any PR is created, all lint errors must be fixed and all relevant tests must pass locally.
+- **No CI-first failures**: tests must fail locally when broken and be fixed locally before PR handoff; do not rely on GitHub CI to discover obvious regressions.
+- **Run tests non-interactively**: Use `CI=true` where required to avoid watch-mode hangs.
+- **Playwright must disable auto-open reports**: Always prefix Playwright runs with `PLAYWRIGHT_HTML_OPEN=never`.
+- **Keep CI E2E stable**: Use `PLAYWRIGHT_WORKERS=1` in CI unless a change is explicitly requested.
+- **Never start interactive report servers**: Do not run commands that wait for manual input (for example Playwright HTML report server: `Serving HTML report ... Press Ctrl+C to quit`). Always use finite, non-interactive commands and reporters.
+- **Use GitHub MCP for all GitHub workflow/PR inspection. Never use `gh` CLI.** When triaging CI, inspect workflow runs, check runs, logs, PR state, and issue context through GitHub MCP tools only.
+- **No remote git operations**: Do not push, merge, create PRs, tags, or releases. Hand over to `@release-manager` when ready.
+- **Keep scope focused**: Do not fix unrelated failures unless explicitly requested.
+- **Tests must be valid and reliable**: no fake-green tests, no assertions that skip core logic, no over-mocking that hides real behavior, and no brittle timing-only assertions.
+- **Regression prevention is mandatory**: every fixed bug must get a deterministic regression test that fails before the fix and passes after it.
+
+## CI/CD Ownership Boundary
+
+- **`@testing-manager` owns testing workflows only**: `.github/workflows/test.yml` and `.github/workflows/e2e.yml`.
+- **`@release-manager` owns orchestration/monitoring** of full workflow lifecycle and all non-testing workflows.
+- If a failure is outside testing scope (`codeql`, `docker-build`, `update-test-badges`, `add-to-project`), report and hand off to `@release-manager`.
+
+## Test Stack & Locations
+
+- **Backend unit/integration**: Vitest 4 + v8 coverage (`backend/src/test/*.test.ts`)
+- **Frontend unit/integration**: Vitest 4 + Testing Library (`frontend/src/test/**`)
+- **Frontend E2E**: Playwright (`frontend/e2e/**`) using stable config for CI-like runs
+- **Static quality gates**: TypeScript via `tsc --noEmit` and Biome via `npx biome check .`
+
+Primary locations:
+
+- Backend tests: `backend/src/test/*.test.ts`
+- Frontend tests: `frontend/src/test/**`
+- Playwright E2E: `frontend/e2e/**`
+
+## Testing Strategy Defaults
+
+- **Default to targeted validation, not shotgun runs**: start with the smallest test command that exercises the changed behavior.
+- **Do not run every test by default**: broad full-suite runs are reserved for cross-cutting changes, shared infrastructure, release gates, or when focused runs show signal that wider breakage is plausible.
+- **Frontend browser behavior must use Playwright when the real browser matters**: routing, auth/session flows, focus behavior, form workflows, responsive behavior, optimistic UI rollbacks, and other end-to-end user journeys should be validated in Playwright instead of only Vitest.
+- **Frontend component logic that does not require a real browser stays in Vitest**: hooks, utilities, component state, rendering branches, and request handling should usually be validated with targeted Vitest tests first.
+- **Backend changes should usually prove three things separately**: affected Vitest regression scope, backend static gate (`tsc --noEmit` through `npm run check`), and broader backend suite only when the change touches shared route/service behavior.
+- **Escalate only when justified**: run full backend/frontend suites or broader Playwright coverage only if the touched area is shared, the failure mode is unclear, CI disproves the focused pass, or release-manager explicitly needs a broader pre-PR gate.
+
+## Required Test Workflow
+
+1. Identify changed behavior and expected outcomes.
+2. Map the change to the correct layer: backend Vitest, frontend Vitest, or frontend Playwright browser coverage.
+3. Add/update tests near the affected feature.
+4. Run the smallest relevant subset first.
+5. Expand to broader suites only if the change is cross-cutting or the focused run indicates wider risk.
+6. Run lint + required local test/build gates before PR handoff.
+7. Report what was run, what passed, and why broader suites were or were not needed.
+
+## Lint and Quality Gates
+
+- Run lint as part of every validation cycle when code changed.
+- Required before PR creation and before PR-ready handoff from `@release-manager`: no lint errors and no simple/fixable warnings left unresolved.
+- If lint fails, fix root causes first, then re-run affected tests.
+- Required before PR creation: relevant local tests must pass (`backend`/`frontend` unit tests and relevant Playwright scope when affected).
+- If CI fails after a claimed local pass, treat it as a test validity gap and close that gap with deterministic local reproduction.
+- Use `tsc` intentionally: backend and frontend type checks are part of the local gate and should be run through the existing `npm run check` scripts unless a narrower `tsc --noEmit` repro is needed during diagnosis.
+
+Recommended commands:
+
+```bash
+npm run lint
+cd backend && npm run check
+cd frontend && npm run check
+```
+
+## Commands
+
+### Backend
+
+```bash
+cd backend && npx tsc --version
+cd backend && npx vitest --version
+cd backend && CI=true npm run test:run -- src/test/doses.test.ts
+cd backend && CI=true npm run test:run
+cd backend && CI=true npm run test:coverage
+cd backend && CI=true npm run test:run -- src/test/doses.test.ts src/test/integration.test.ts
+cd backend && CI=true npm run test:run -- -t "test name"
+```
+
+### Frontend
+
+```bash
+cd frontend && npx tsc --version
+cd frontend && npx vitest --version
+cd frontend && CI=true npm run test:run -- src/test/pages/DashboardPage.test.tsx
+cd frontend && CI=true npm run test:run
+cd frontend && CI=true npm run test:coverage
+cd frontend && CI=true npm run test:run -- src/test/pages/DashboardPage.test.tsx src/test/hooks/useDoses.test.ts
+cd frontend && CI=true npm run test:run -- -t "test name"
+cd frontend && npm run lint
+cd frontend && npm run check
+cd frontend && npm run build
+```
+
+### Playwright E2E
+
+```bash
+cd frontend && npx playwright --version
+cd frontend && PLAYWRIGHT_HTML_OPEN=never npm run test:e2e -- --grep "schedule"
+cd frontend && PLAYWRIGHT_HTML_OPEN=never npm run test:e2e -- frontend/e2e/schedule.spec.ts
+cd frontend && PLAYWRIGHT_HTML_OPEN=never npm run test:e2e
+cd frontend && PLAYWRIGHT_HTML_OPEN=never PLAYWRIGHT_WORKERS=1 npm run test:e2e -- --workers=1
+cd frontend && PLAYWRIGHT_HTML_OPEN=never PLAYWRIGHT_WORKERS=4 npm run test:e2e:local
+cd frontend && PLAYWRIGHT_HTML_OPEN=never npm run test:e2e -- --project=chromium
+# Never use interactive UI/headed/report-server commands in agent runs.
+# Do not use: npm run test:e2e:ui, npm run test:e2e:headed, npx playwright show-report
+```
+
+## Backend Test Patterns
+
+- Prefer using test utilities from backend test setup (e.g. `buildTestApp`, helper factories).
+- Validate both status codes and response payloads.
+- Add regression tests for every fixed bug.
+- Keep tests deterministic and isolated.
+- Validate observable behavior, not implementation details.
+
+## E2E Test Patterns
+
+- Use stable selectors and explicit assertions.
+- Avoid flaky timing assumptions; prefer waiting for concrete UI states.
+- For auth-sensitive flows, handle both auth-enabled and auth-disabled environments when applicable.
+- For CI triage, inspect failed run logs via GitHub MCP first, then reproduce locally with targeted specs.
+- Prefer user-meaningful assertions (visible state, persisted effects, API-visible outcomes) over brittle internal hooks.
+- Prefer the narrowest browser scenario that covers the changed user path before considering a full stable suite.
+
+## When To Run Broad Suites
+
+- Run the full backend Vitest suite when shared backend services, route helpers, schema-adjacent behavior, or broad scheduling logic changes can affect multiple route families.
+- Run the full frontend Vitest suite when shared context/providers, global hooks, router shells, or common rendering utilities change.
+- Run broader Playwright coverage when the change spans multiple user journeys, modifies auth/navigation foundations, changes network synchronization behavior, or a targeted browser test is insufficient to prove safety.
+- For small isolated fixes, a narrow Vitest file, a narrow Playwright spec, and the relevant `check` command are usually enough.
+
+## Test Validity Checklist
+
+- The test fails when the real target logic is intentionally broken.
+- The assertion verifies functional behavior, not just mocked calls.
+- Mocks/stubs are minimal and do not replace the unit under test.
+- The test is deterministic across repeated local and CI runs.
+- The test protects against the specific regression that was fixed.
+
+## CI Failure Triage
+
+When test checks fail:
+
+1. Retrieve exact failed jobs and logs.
+2. Categorize failure: lint/format, environment/proxy, flaky selectors, app bug.
+3. Fix root cause.
+4. Re-run focused tests locally.
+5. Re-run broader checks if needed.
+6. Hand off for PR/merge via `@release-manager`.
+
+## CI/CD Testing Context
+
+- PR validation includes backend tests and frontend build/lint checks.
+- E2E runs in GitHub Actions through `.github/workflows/e2e.yml`.
+- Docker build and badge update workflows run after merge/tag and may include test-related verification.
+
+### Testing Workflow Focus (Current)
+
+| Workflow | Testing-Manager Action |
+|---------|------------------------|
+| `.github/workflows/test.yml` | Investigate failures, implement fixes, revalidate locally |
+| `.github/workflows/e2e.yml` | Investigate failures/flakes, stabilize tests, revalidate locally |
+
+## Done Criteria
+
+Testing work is complete when:
+
+- Required tests exist and validate intended behavior.
+- Tests are proven valid (not fake-green) and reliable.
+- Lint is clean: no errors and no simple/fixable warnings left.
+- Pre-PR local gate passed: lint and all relevant tests pass locally before handoff for PR creation.
+- Relevant local test commands pass.
+- CI test failures are resolved or clearly documented with rationale.
+- No temporary debugging files remain in the workspace.
@@ -1,548 +1,19 @@
-# MedAssist-ng - AI Coding Instructions
+# MedAssist-ng - Copilot Entry Point

-## General Rules
+## VERY IMPORTANT

- **English is the primary language**: All code, comments, documentation, commit messages, PR descriptions, and GitHub releases MUST be written in English. The user may communicate in German, but all project artifacts must be in English.
- **NEVER release without explicit permission**: Do NOT create tags, releases, or version bumps unless the user explicitly asks for it. Always wait for explicit confirmation before any release action.
- **No temporary files**: Delete temporary scripts/files immediately after use. Do not commit temporary debug scripts, test files, or one-off utilities to the repository.
- **Clean workspace**: Always clean up after yourself. If you create a file for a specific task, delete it once done.
+- Always keep agent work memory updated in `doku/memory_notes.md` so progress and decisions remain recoverable across context loss.
+- Always keep a user-facing work report updated in `doku/report.md` so completed work is easy to review.
+- This memory/report rule replaces the previous `doku/APP_BEHAVIOR.md` persistence requirement.

-## Architecture Overview
+Use `AGENTS.md` as the single source of truth for all governance, workflow, and skill rules.

-MedAssist-ng is a **medication tracking and planning app** with a monorepo structure:
+## Required Startup Steps

- **Backend**: Fastify 5 + TypeScript + SQLite (Drizzle ORM) at `backend/`
- **Frontend**: React 18 + Vite + TypeScript at `frontend/`
- **Database**: SQLite with migrations in `backend/src/db/migrations/`
- **Deployment**: Docker Compose with separate dev containers
- **i18n**: English (en) and German (de) via react-i18next
+1. Read `AGENTS.md` first.
+2. Identify triggered skills from `AGENTS.md` and read each referenced `SKILL.md` before making changes.
+3. Follow delegation boundaries exactly (`@testing-manager` for testing, `@release-manager` for release orchestration).

-### Data Flow
-```
-Frontend (React) → /api/* proxy → Backend (Fastify) → SQLite
-                   ↓ (Vite rewrites /api to /)
-```
+## Scope

-The Vite proxy at `frontend/vite.config.ts` rewrites `/api/*` to `/` - so frontend calls `/api/medications` but backend route is just `/medications`.
-
-## Development Commands
-
-```bash
-# Start dev environment (preferred)
-docker compose -f docker-compose.dev.yml up
-
-# Or run services separately:
-cd backend && npm run dev      # tsx watch on port 3000
-cd frontend && npm run dev     # Vite on port 5173
-
-# Production
-docker compose up -d
-
-# Database migrations
-cd backend && npm run migrate
-
-# Run tests
-cd backend && npm test              # Run all tests
-cd backend && npm run test:coverage # Run with coverage report
-```
-
-## Testing (MANDATORY)
-
-> ⚠️ **IMPORTANT**: Every new feature MUST be covered by tests!
-> Pull Requests without tests for new features will not be accepted.
-
-### Test Framework
- **Vitest 2.1** with v8 Coverage
- Tests in `backend/src/test/*.test.ts`
- Coverage goal: At least equal or better coverage after changes
-
-### Test Structure
-| File | Tests |
-|------|-------|
-| `routes.test.ts` | API endpoints (Auth, Medications, Doses, Settings, Share, Planner) |
-| `services.test.ts` | Scheduler utilities (Timezone, Blisters, Usage calculation) |
-| `db.test.ts` | Database schema and operations |
-
-### Writing Tests
-
-```typescript
-// Backend Test Example (backend/src/test/example.test.ts)
-import { describe, it, expect, beforeAll, afterAll } from 'vitest';
-import { createTestApp, createTestUser } from './routes.test'; // Test-Utilities
-
-describe('Feature Name', () => {
-  let app: FastifyInstance;
-  let authToken: string;
-
-  beforeAll(async () => {
-    app = await createTestApp();
-    const user = await createTestUser(app);
-    authToken = user.token;
-  });
-
-  afterAll(async () => {
-    await app.close();
-  });
-
-  it('should do something specific', async () => {
-    const response = await app.inject({
-      method: 'GET',
-      url: '/endpoint',
-      headers: { Authorization: `Bearer ${authToken}` }
-    });
-    
-    expect(response.statusCode).toBe(200);
-    expect(response.json()).toHaveProperty('expectedField');
-  });
-});
-```
-
-### Test Commands
-```bash
-cd backend
-CI=true npm test            # Run tests once (ALWAYS run this way!)
-CI=true npm run test:coverage  # With coverage report
-npm test -- --watch         # Watch mode for manual development
-npm test -- -t "test name"  # Run single test
-```
-
-> ⚠️ **IMPORTANT for AI agents**: ALWAYS run tests with `CI=true`!
-> Without `CI=true`, Vitest runs in watch mode and waits for input.
-
-## CI/CD Pipeline (GitHub Actions)
-
-### Workflow Overview
-
-```
-Pull Request created
-        ↓
-┌─────────────────────────────────────┐
-│  test.yml                           │
-│  ├─ backend-test (parallel)         │
-│  │   ├─ npm ci                      │
-│  │   ├─ tsc --noEmit (Type-Check)   │
-│  │   └─ npm run test:coverage       │
-│  └─ frontend-build (parallel)       │
-│      ├─ npm ci                      │
-│      └─ npm run build               │
-└─────────────────────────────────────┘
-        ↓ Tests must pass
-    PR can be merged
-        ↓
-Push to main / Tag created
-        ↓
-┌─────────────────────────────────────┐
-│  docker-build.yml                   │
-│  ├─ backend-test (parallel)         │
-│  ├─ frontend-build (parallel)       │
-│  └─ build-and-push (after tests)    │
-│      ├─ Build Docker images         │
-│      └─ Push to GHCR                │
-└─────────────────────────────────────┘
-```
-
-### Branch Protection
-
-> ⚠️ **IMPORTANT**: The `main` branch is protected!  
-> Direct pushing to `main` is **not possible** - GitHub will reject the push.  
-> All changes must go through Pull Requests.
-
- **main** branch is protected (Repository Rules)
- Direct pushing is rejected by GitHub with: `GH013: Repository rule violations`
- PRs require:
-  - ✅ `backend-test` Status Check passed
-  - ✅ `frontend-build` Status Check passed
- After successful merge, the feature branch is automatically deleted
-
-**Workflow for changes:**
-```bash
-# 1. Create feature branch
-git checkout -b feat/my-feature
-
-# 2. Commit and push changes
-git add . && git commit -m "feat: Description"
-git push -u origin feat/my-feature
-
-# 3. Create PR (via GitHub CLI or Web)
-gh pr create --title "My Feature" --body "Description"
-
-# 4. Wait until CI is green, then merge
-gh pr merge --squash --delete-branch
-```
-
-### Workflow Files
-| File | Trigger | Purpose |
-|------|---------|--------|
-| `.github/workflows/test.yml` | Pull Requests | Run tests, block PR on failures |
-| `.github/workflows/docker-build.yml` | Push to main, Tags | Tests + Build and push Docker images |
-
-### Adding New Code - Checklist
-1. ✅ Implement feature
-2. ✅ Write tests for the feature
-3. ✅ Run `npm run test:coverage` locally
-4. ✅ Coverage must not decrease
-5. ✅ Create and push feature branch
-6. ✅ Create Pull Request
-7. ✅ Wait until CI is green
-8. ✅ Merge PR (branch is automatically deleted)
-
-## GitHub Releases
-
-> ⚠️ **IMPORTANT**: All GitHub Releases must be written in **English**!
-
-### Creating Release Notes
-
-> ⚠️ **MANDATORY**: GitHub Releases MUST contain a written message!
-> Not just auto-generated commit lists, but a brief descriptive text.
-
-**Keep it informative but concise.** Users want to know what changed and where to find it.
-
-**Required structure of release notes:**
-
-1. **"What's New"** (1-2 sentences): Brief intro explaining the main change
-2. **"New Features" / "Improvements"**: Grouped bullet points with **bold feature names** and descriptions
-3. **"Where to Find It"**: Tell users where they can access the new feature
-4. **Breaking Changes Warning** (if applicable): See below
-
-**Style guidelines:**
- Use `### Heading` for sections (New Features, Improvements, Security, etc.)
- Use **bold** for feature names in bullet points
- Keep descriptions on the same line as the feature name
- Minimal emoji usage (sparingly, not on every line)
- Always end with "Where to Find It" section
-
-**DO NOT include:**
- ❌ Technical implementation details (new columns, endpoints, database changes)
- ❌ Number of tests added
- ❌ Internal API changes (unless breaking)
- ❌ Excessive emoji on every bullet point
-
-**Example of good release notes:**
-
-```markdown
-## What's New
-
-This release introduces a medication refill tracking feature and improves the mobile user experience.
-
-### New Features
-
- **Medication Refill**: Track when you refill your medications with a single click. Add full packs or individual pills and view complete refill history.
- **Automatic Stock Updates**: Stock levels are automatically recalculated after each refill.
- **Refill History**: Each medication shows a complete history of all refills with timestamps.
-
-### Mobile Improvements
-
- **Centered Tooltips**: Info tooltips now display centered on screen for better readability.
- **Touch-friendly**: Tooltips close automatically when scrolling on touch devices.
-
-### Where to Find It
-
-The refill button appears in the medication detail modal and in the edit form for each medication.
-
-**Full Changelog**: https://github.com/DanielVolz/medassist-ng/compare/v1.2.3...v1.3.0
-```
-
-### Breaking Changes Warning (CRITICAL!)
-
-> ⚠️ **MANDATORY**: If an update breaks existing configurations or stored data, it MUST be prominently warned about in the release notes!
-
-**Breaking Changes include:**
- Database schema changes without automatic migration
- Removed or renamed ENV variables
- Changed API endpoints
- Incompatible `.env` format changes
- Loss of stored data after update
-
-**Format for Breaking Changes:**
-
-```markdown
-## ⚠️ BREAKING CHANGES - Please read before updating!
-
-**Database migration required**: This update changes the database schema. 
-Existing installations need to:
-1. Create backup of `data/` folder
-2. Stop containers
-3. Perform update
-4. If issues occur: Rollback using backup
-
-**ENV variables changed**: 
- `OLD_VAR` was renamed to `NEW_VAR`
- `REMOVED_VAR` is no longer supported
-
-**Medication data**: Intake schedules with only one time entry will be automatically 
-migrated. Please verify all times are correct after update.
-```
-
-**What is NOT a Breaking Change:**
- ✅ New optional columns with DEFAULT values
- ✅ New ENV variables (with sensible defaults)
- ✅ New features that don't affect existing data
- ✅ Bug fixes that correct behavior
-
-**Rule of thumb**: If a user can simply run `docker compose pull && docker compose up -d` 
-without adjusting anything → Not a Breaking Change.
-
-## Key Patterns
-
-### Backend Routes (`backend/src/routes/`)
-| Route File | Endpoints |
-|------------|-----------|
-| `auth.ts` | `/auth/login`, `/auth/register`, `/auth/logout`, `/auth/refresh`, `/auth/me` |
-| `medications.ts` | CRUD `/medications`, `/medications/:id/image` |
-| `doses.ts` | `/doses/taken` - track dose intake |
-| `planner.ts` | `/medications/usage` - calculate usage for date range |
-| `settings.ts` | `/settings` - user settings CRUD |
-| `share.ts` | `/share` - create share tokens, `/share/:token` - public access |
-| `health.ts` | `/health` - health check endpoint |
-
-### Backend Services (`backend/src/services/`)
-| Service | Description |
-|---------|-------------|
-| `reminder-scheduler.ts` | Stock reminder emails/push notifications |
-| `intake-reminder-scheduler.ts` | Intake reminder notifications |
-
-### Frontend (`frontend/src/App.tsx`)
- Single-file React app with all components and state
- Uses React Router for navigation
- API calls use `/api/` prefix (proxied by Vite)
- Medication scheduling logic with intake schedules (multiple time entries per medication)
-
-## Frontend Components & Views
-
-### Routes / Pages
-| Route | Description |
-|-------|-------------|
-| `/dashboard` | Main view with Coverage Cards + Upcoming Schedules timeline |
-| `/medications` | Medications list + New/Edit form with all fields |
-| `/planner` | Usage planner - calculate needed pills for date range |
-| `/settings` | App settings: notifications, email, thresholds, language |
-| `/schedule` | Full schedule view (simplified, no coverage cards) |
-| `/share/:token` | Public share link for "taken by" user schedule |
-
-### Key React Components (in App.tsx)
-| Component | Description |
-|-----------|-------------|
-| `App` | Root component with BrowserRouter |
-| `AppRouter` | Handles auth check, renders AppContent or Auth |
-| `AppContent` | Main app shell with navigation, header, all routes |
-| `SharedSchedule` | Public share page for medication schedules by person |
-| `MedicationAvatar` | Round avatar with medication image or colored initial |
-
-### Dashboard Sections
-| Section | Description |
-|---------|-------------|
-| **Coverage Cards** | Stock status cards per medication: days left, blisters, status (Normal/Warning/Critical) |
-| **Upcoming Schedules** | Timeline grouped by day, collapsible days, dose tracking |
-
-### Schedule/Timeline Elements
-| Element | CSS Class | Description |
-|---------|-----------|-------------|
-| Past days toggle | `.past-days-toggle` | Click to show/hide past days |
-| Day container | `.day-block` | Container for one day, collapsible |
-| Today highlight | `.day-block.today` | Blue border/background for current day |
-| Past day | `.day-block.past` | Dashed border, reduced opacity |
-| All taken | `.day-block.all-taken` | Green styling when all doses taken |
-| Day header | `.day-divider` | Date header with collapse toggle arrow |
-| Collapse icon | `.day-collapse-icon` | ▶/▼ arrow for expand/collapse |
-| Day summary | `.day-summary` | Shows "X/Y" doses taken or "✓ All taken" |
-| Medication row | `.time-row` | One medication's doses for that day |
-| Dose item | `.dose-item` | Individual dose with time, amount, take/undo button |
-| Dose taken | `.dose-item.taken` | Green background when dose is marked taken |
-| Dose overdue | `.dose-item.overdue` | Styling for past untaken doses |
-| Dose future | `.dose-item.future` | Disabled button for future days |
-
-### Medication Form (New/Edit)
-| Field | Description |
-|-------|-------------|
-| Commercial Name | Main medication name (required) |
-| Generic Name | Scientific/generic name (optional) |
-| Taken By | Person taking the medication (optional, enables filtering/sharing) |
-| Packs | Number of full packs |
-| Blisters per Pack | Strips/blisters in each pack |
-| Pills per Blister | Tablets per strip |
-| Loose Pills | Extra pills not in blisters |
-| Pill Weight (mg) | Weight per pill for dose calculation display |
-| Expiry Date | Medication expiration |
-| Notes | Free text notes |
-| Image Upload | Medication photo (preview for new, direct upload for edit) |
-| **Intake Schedule** | One or more intake entries defining usage pattern |
-
-### Intake Schedule
-Each blister defines a recurring intake:
- **Usage (Pills)**: How many pills per dose
- **Every (Days)**: Interval (1 = daily, 7 = weekly)
- **Start (Date/Time)**: When the schedule starts (determines past/future doses)
- **Remind checkbox**: Enable intake reminders (🔔)
-
-### Modals
-| Modal | Trigger | Content |
-|-------|---------|---------|
-| Medication Detail | Click on coverage card or medication row | Full medication info, stock, schedule preview, edit/delete/ICS buttons |
-| Image Lightbox | Click medication image | Full-size medication image |
-| Share Dialog | "Share" button on schedules | Generate share link for specific "taken by" person |
-| User Schedule Filter | Click on "taken by" badge | Filter schedule by person |
-
-### Settings Sections
-| Section | Settings |
-|---------|----------|
-| General | Language toggle (EN/DE) |
-| Stock Thresholds | Warning days, critical days, expiry warning days |
-| Email Notifications | Enable, email address, stock/intake toggles |
-| Push Notifications (Shoutrrr) | Enable, URL (ntfy/gotify/etc), stock/intake toggles |
-| Reminder Settings | Days before, repeat daily, skip for taken, repeat/nagging |
-| SMTP | Email config (read-only from .env) |
-
-### Settings ENV Defaults
-All user settings can be pre-configured via ENV variables (see `.env.example`).
-These are only used as **defaults when a new user is created**.
-Once a user saves settings in the app, their saved values take precedence over ENV.
-
-| ENV Variable | Setting | Default |
-|--------------|---------|---------|
-| `DEFAULT_EMAIL_ENABLED` | Email notifications | false |
-| `DEFAULT_SHOUTRRR_ENABLED` | Push notifications | false |
-| `DEFAULT_SHOUTRRR_URL` | ntfy/gotify URL | (empty) |
-| `DEFAULT_REPEAT_REMINDERS_ENABLED` | Nagging reminders | false |
-| `DEFAULT_REMINDER_REPEAT_INTERVAL_MINUTES` | Nag interval | 30 |
-| `DEFAULT_MAX_NAGGING_REMINDERS` | Max nags | 5 |
-| `DEFAULT_LOW_STOCK_DAYS` | Low stock threshold | 30 |
-| `DEFAULT_LANGUAGE` | UI language | en |
-
-## Database Schema (`backend/src/db/schema.ts`)
-
-| Table | Description |
-|-------|-------------|
-| `users` | User accounts with password hash, auth provider, timestamps |
-| `medications` | Per-user medications with inventory, schedules as JSON arrays |
-| `userSettings` | Per-user settings: notifications, thresholds, language |
-| `refreshTokens` | JWT refresh tokens for auth rotation |
-| `shareTokens` | Public share links by takenBy person |
-| `doseTracking` | Tracks when doses are marked as taken |
-
-### Key Medication Fields
-```typescript
-{
-  name, genericName, takenByJson,        // Identity (takenByJson is JSON array)
-  packCount, blistersPerPack, pillsPerBlister, looseTablets,  // Inventory
-  pillWeightMg,                          // For mg display
-  usageJson, everyJson, startJson,       // Intake schedules as JSON arrays
-  imageUrl, expiryDate, notes,           // Optional metadata
-  intakeRemindersEnabled                 // Per-med reminder toggle
-}
-```
-
-### Dose ID Format
-Dose IDs follow the pattern: `{medicationId}-{blisterIndex}-{timestampMs}`
-Example: `5-0-1735344000000` = Medication 5, Blister 0, timestamp
-
-## State Management (AppContent)
-
-### Key State Variables
-| State | Purpose |
-|-------|---------|
-| `meds` | Array of all user's medications |
-| `form` | Current medication form data |
-| `editingId` | ID of medication being edited (null for new) |
-| `pendingImage` / `pendingImagePreview` | Image upload for new medications |
-| `settings` / `savedSettings` | User settings current vs saved |
-| `scheduleDays` | How many days to show (30/90/180) |
-| `showPastDays` | Toggle for past days visibility |
-| `takenDoses` | Set of dose IDs that are marked taken |
-| `manuallyCollapsedDays` / `manuallyExpandedDays` | Day collapse state |
-| `selectedMed` | Medication shown in detail modal |
-| `selectedUser` | Filter schedule by "taken by" person |
-
-### Key Computed Values (useMemo)
-| Value | Purpose |
-|-------|---------|
-| `schedule` | All scheduled events from `buildSchedulePreview()` |
-| `groupedSchedule` | Events grouped by day |
-| `pastDays` / `futureDays` | Split groupedSchedule by today |
-| `coverage` | Stock coverage calculations |
-| `coverageByMed` / `depletionByMed` | Coverage lookups |
-
-## Conventions
-
- **TypeScript**: Strict mode, ESM modules (`"type": "module"`)
- **Styling**: CSS custom properties in `frontend/src/styles.css`, dark/light theme via `data-theme`
- **API responses**: Return objects directly, Fastify serializes to JSON
- **Environment**: Copy `.env.example` → `.env`, secrets must be 10+ chars
- **i18n**: All UI text via `t('key')` function, translations in `frontend/src/i18n/*.json`
-
-## Database Schema Changes (IMPORTANT: Backward Compatibility!)
-
-> ⚠️ **CRITICAL**: The app MUST remain backward compatible with older databases!
-> Users upgrade their Docker containers but keep their existing DB.
-> The app must NOT crash if old columns are missing.
-
-### Schema Management with Drizzle Kit
-
-The database schema uses **Drizzle Kit** for migrations. There is a **single source of truth**:
-
- **`backend/src/db/schema.ts`** - Drizzle ORM schema definitions (TypeScript)
- **`backend/drizzle/`** - Generated SQL migrations (auto-generated from schema.ts)
-
-**DO NOT manually edit migration files!** They are generated from schema.ts.
-
-### Adding New Columns
-
-1. **Add to schema.ts** with DEFAULT value:
-   ```typescript
-   maxNaggingReminders: integer("max_nagging_reminders").notNull().default(5),
-   ```
-
-2. **Generate migration**:
-   ```bash
-   cd backend && npx drizzle-kit generate --name add_column_name
-   ```
-
-3. **Add backward-compatible ALTER migration** in `client.ts` `runAlterMigrations()`:
-   ```typescript
-   `ALTER TABLE user_settings ADD COLUMN max_nagging_reminders integer NOT NULL DEFAULT 5`,
-   ```
-
-4. **NULL-safe reading** in routes:
-   ```typescript
-   maxNaggingReminders: settings.maxNaggingReminders ?? 5,
-   ```
-
-### Rules for New Columns
-
-1. **ALWAYS with DEFAULT value**: New columns must have `NOT NULL DEFAULT <value>`
-2. **NULL-safe in code**: All queries must use `?? defaultValue` or `?? false`
-3. **Generate migration**: Run `npx drizzle-kit generate` after schema changes
-4. **Add ALTER migration**: For backward compatibility with existing DBs
-
-### What is NOT Allowed
-
- ❌ Deleting or renaming columns (breaks old DBs)
- ❌ `NOT NULL` without `DEFAULT` (INSERT fails)
- ❌ Reading columns without fallback in code
- ❌ Manually editing migration SQL files
- ❌ Documenting "delete DB" as a solution
-
-### When Backward Compatibility is NOT Possible
-
-If a breaking change is unavoidable:
-1. **Explicitly communicate**: Document in release notes
-2. **Migration script**: Provide automatic upgrade script
-3. **Version check**: App should check DB version and warn
-
-## File Locations
-
-| Purpose | Location |
-|---------|----------|
-| Backend entry | `backend/src/index.ts` |
-| Database schema | `backend/src/db/schema.ts` |
-| Drizzle migrations | `backend/drizzle/*.sql` |
-| Drizzle config | `backend/drizzle.config.ts` |
-| Backend routes | `backend/src/routes/*.ts` |
-| Backend services | `backend/src/services/*.ts` |
-| Frontend app | `frontend/src/App.tsx` |
-| Frontend auth | `frontend/src/components/Auth.tsx` |
-| Styles | `frontend/src/styles.css` |
-| i18n English | `frontend/src/i18n/en.json` |
-| i18n German | `frontend/src/i18n/de.json` |
-| Docker prod | `docker-compose.yml` |
-| Docker dev | `docker-compose.dev.yml` |
-| Env template | `.env.example` |
+This file intentionally stays minimal to prevent duplicated or conflicting instructions.
@@ -0,0 +1,70 @@
+version: 2
+
+updates:
+  # Backend dependencies
+  - package-ecosystem: "npm"
+    directory: "/backend"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "06:20"
+    open-pull-requests-limit: 10
+    labels:
+      - "dependencies"
+      - "backend"
+    groups:
+      minor-and-patch:
+        update-types:
+          - "minor"
+          - "patch"
+
+  # Frontend dependencies
+  - package-ecosystem: "npm"
+    directory: "/frontend"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "06:10"
+    open-pull-requests-limit: 10
+    labels:
+      - "dependencies"
+      - "frontend"
+    groups:
+      minor-and-patch:
+        update-types:
+          - "minor"
+          - "patch"
+
+  # Root dev dependencies
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "06:00"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"
+      - "root"
+    groups:
+      minor-and-patch:
+        update-types:
+          - "minor"
+          - "patch"
+
+  # GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "06:30"
+    open-pull-requests-limit: 5
+    labels:
+      - "dependencies"
+      - "ci"
+    groups:
+      minor-and-patch:
+        update-types:
+          - "minor"
+          - "patch"
@@ -0,0 +1,28 @@
+# MedAssist Agent Skills
+
+This directory contains project skills for VS Code Copilot.
+
+Each skill lives in its own folder and must include a `SKILL.md` file.
+
+## Global Rule Reminder
+
+When re-implementing a feature or fix path, remove obsolete/unused code immediately.
+Do not leave dead code behind.
+Also follow the canonical global engineering rules in `AGENTS.md`.
+Use one governance source to avoid duplicated or conflicting policy text.
+
+## Skills
+
+- `medassist-karpathy-core` — enforce think-before-coding, simplicity-first changes, surgical diffs, and goal-driven verification.
+- `medassist-architecture-guard` — enforce frontend/backend boundary and `/api/*` data-flow conventions.
+- `medassist-db-compat-check` — enforce backward-compatible SQLite/Drizzle schema changes.
+- `medassist-i18n-enforcer` — enforce translation-key-only UI copy with EN/DE parity.
+- `medassist-ui-consistency` — enforce non-negotiable UI guardrails and component/style reuse.
+- `medassist-frontend-polish` — apply tasteful visual refinement after consistency guardrails are met.
+- `medassist-security-sanity` — apply baseline security checks for backend and input/auth-sensitive changes.
+- `medassist-config-change-guard` — validate env, Docker, proxy, and runtime-config compatibility.
+- `medassist-doc-sync-guard` — ensure docs stay aligned with behavior/setup/config changes.
+- `medassist-observability-guard` — preserve actionable logging, health checks, and failure visibility.
+- `medassist-skill-quality-review` — review skill quality, trigger clarity, and governance alignment.
+- `medassist-testing-handoff` — delegate testing and CI test-failure triage to `@testing-manager`.
+- `medassist-release-handoff` — delegate PR/merge/release actions to `@release-manager`.
@@ -0,0 +1,35 @@
+---
+name: medassist-architecture-guard
+description: Guard MedAssist architectural boundaries and route/data-flow conventions when changing backend or frontend code, including equivalent requests phrased in German.
+---
+
+# Skill Instructions
+
+Use this skill when a task touches API endpoints, frontend API calls, routing, or code placement.
+
+## Goals
+
+- Keep responsibilities in the correct layer.
+- Preserve MedAssist proxy and routing conventions.
+- Prevent architecture drift and cross-layer anti-patterns.
+
+## Required Checks
+
+1. Frontend network calls use `/api/*` paths.
+2. Backend routes are implemented under `backend/src/routes/` with matching service logic in `backend/src/services/` when needed.
+3. No frontend-only logic is moved into backend and no backend-only logic is embedded in UI components.
+4. Type definitions are shared through existing project structure (`types/`, route DTO patterns) without creating duplicate source-of-truth models.
+
+## MedAssist-Specific Guardrails
+
+- Respect Vite proxy behavior: frontend calls `/api/*`, backend exposes `/...` routes.
+- Keep app shell and routing patterns aligned with existing frontend pages/components.
+- Prefer minimal, local changes over broad restructures.
+
+## Response Format
+
+When this skill is used, summarize:
+
+- Which architectural checks were applied
+- Which files are affected
+- Any boundary risks found and how they were resolved
@@ -0,0 +1,43 @@
+---
+name: medassist-config-change-guard
+description: Validate MedAssist configuration changes across env vars, Docker compose, proxy settings, and runtime defaults, including equivalent requests phrased in German.
+---
+
+# Skill Instructions
+
+Use this skill when changes touch `.env`, Docker files, Vite proxy settings, runtime defaults, or app startup behavior.
+
+## Objective
+
+Prevent configuration drift and broken local/CI environments.
+
+## Required Checks
+
+1. New/changed config has safe defaults.
+2. Env changes are backward-compatible where feasible.
+3. Docker/dev runtime changes remain consistent across services.
+4. Frontend/backend URL/proxy conventions remain valid (`/api/*`).
+5. Documentation reflects configuration changes.
+
+## Files to Prioritize
+
+- `.env.example`
+- `docker-compose.yml`
+- `docker-compose.dev.yml`
+- `frontend/vite.config.ts`
+- Relevant package scripts and startup files
+
+## Anti-Patterns
+
+- Hidden required env vars with no defaults.
+- Inconsistent host/port/proxy settings across environments.
+- Config changes without doc updates.
+
+## Response Format
+
+Report:
+
+- Config files reviewed
+- Compatibility impact (none/low/high)
+- Required follow-up updates
+- Final readiness recommendation
@@ -0,0 +1,40 @@
+---
+name: medassist-db-compat-check
+description: Enforce backward-compatible database changes for MedAssist SQLite and Drizzle migrations, including equivalent requests phrased in German.
+---
+
+# Skill Instructions
+
+Use this skill for any feature or fix that adds or reads persisted data.
+
+## Mandatory Sequence
+
+For every new persisted field/column:
+
+1. Add the column in `backend/src/db/schema.ts` with `NOT NULL DEFAULT <value>`.
+2. Generate migration with Drizzle Kit.
+3. Add matching `ALTER TABLE` logic in `backend/src/db/client.ts` inside `runAlterMigrations()`.
+4. Read values null-safe in routes/services (`?? defaultValue`).
+
+## Hard Rules
+
+- Never remove or rename existing columns.
+- Never add non-null columns without defaults.
+- Never read newly added fields without fallback.
+- Never manually edit generated Drizzle SQL migrations.
+
+## Verification Checklist
+
+- Schema update exists.
+- Generated migration exists.
+- Alter migration for existing DBs exists.
+- Runtime reads are fallback-safe.
+
+## Response Format
+
+Report these items explicitly:
+
+- New/changed columns
+- Added alter-migration statements
+- Null-safe read locations
+- Remaining migration risk (if any)
@@ -0,0 +1,39 @@
+---
+name: medassist-doc-sync-guard
+description: Ensure MedAssist documentation stays aligned with behavior changes in APIs, configuration, setup, and operations, including equivalent requests phrased in German.
+---
+
+# Skill Instructions
+
+Use this skill when code changes alter behavior, setup steps, environment variables, user workflows, or operational commands.
+
+## Objective
+
+Keep docs consistent with actual product behavior and avoid stale setup/run guidance.
+
+## Required Checks
+
+1. If API behavior changed, verify relevant docs are updated.
+2. If ENV/config changed, update documented variables/defaults.
+3. If workflow/commands changed, update setup/run instructions.
+4. If user-facing behavior changed, update user-facing description.
+
+## Candidate Documentation Files
+
+- `README.md`
+- `docs/PROJECT_SETUP.md`
+- `docs/TECH_STACK.md`
+
+## Anti-Patterns
+
+- Shipping behavior changes without docs updates.
+- Updating docs with speculative/unverified commands.
+- Duplicating conflicting instructions across files.
+
+## Response Format
+
+Return:
+
+- Doc files that should change
+- Proposed update summary per file
+- Any intentionally skipped docs and reason
@@ -0,0 +1,67 @@
+---
+name: medassist-frontend-polish
+description: Improve frontend visual quality within the existing MedAssist design system, without introducing new themes, font stacks, or disruptive UI patterns, including equivalent requests phrased in German.
+---
+
+# Skill Instructions
+
+Use this skill when the user wants UI improvements, better styling, or a more polished frontend, but the feature must stay consistent with MedAssist product UX.
+
+## Scope
+
+This is the **visual enhancement skill**.
+It refines quality *within* existing product conventions.
+
+Apply `medassist-ui-consistency` rules first, then use this skill for tasteful polish.
+
+## Do Not Use This Skill For
+
+- Replacing base UI patterns/components with new ones.
+- New design-system direction, visual identity, or broad layout language changes.
+- Marketing/brand-experiment pages that intentionally break product conventions.
+
+## Objective
+
+Deliver production-grade visual refinement that feels intentionally designed while remaining fully consistent with existing MedAssist components, spacing, typography, and interaction patterns.
+
+## Strict Constraints
+
+- Reuse existing components and patterns first (`ConfirmModal`, `MedicationAvatar`, existing form/button/layout patterns).
+- Do not introduce new global theme systems, font families, or visual identity changes.
+- Do not invent new UX flows, pages, or interaction models unless explicitly requested.
+- Keep frontend text i18n-safe: use `t("...")` and EN/DE keys.
+- Respect accessibility and readability over decorative effects.
+
+## Allowed Enhancements
+
+- Better spacing rhythm and visual hierarchy.
+- Cleaner grouping, alignment, and density adjustments.
+- Improved states (hover, focus, disabled, loading) using existing style language.
+- Subtle transitions/micro-interactions that do not distract and do not change behavior.
+- Consistent empty/error/success presentation using existing UI conventions.
+
+## Not Allowed
+
+- Random aesthetic overhauls.
+- New color systems or hardcoded ad-hoc colors that break current theme tokens.
+- Heavy animation, parallax, or attention-stealing motion.
+- Typography experiments that diverge from current product style.
+- "Creative" layout changes that reduce usability or consistency.
+
+## Implementation Workflow
+
+1. Confirm `medassist-ui-consistency` guardrails are satisfied.
+2. Identify existing components and CSS patterns to reuse.
+3. Define the smallest visual changes that improve clarity and quality.
+4. Apply refinements in-place without changing core behavior.
+5. Validate consistency across neighboring views/components.
+6. Ensure i18n and accessibility are preserved.
+
+## Response Format
+
+When using this skill, report:
+
+- Reused components and style primitives
+- Specific polish improvements applied
+- Any trade-offs/constraints respected
+- Confirmation that no new design system or disruptive UX pattern was introduced
@@ -0,0 +1,31 @@
+---
+name: medassist-i18n-enforcer
+description: Enforce MedAssist i18n rules so UI copy is always translation-key based for English and German, including equivalent requests phrased in German.
+---
+
+# Skill Instructions
+
+Use this skill when changing frontend UI text, form labels, alerts, dialogs, or page content.
+
+## Rules
+
+- Do not hardcode new user-facing strings in React components.
+- Use translation keys via `t("...")`.
+- Add or update matching keys in:
+  - `frontend/src/i18n/en.json`
+  - `frontend/src/i18n/de.json`
+- Keep semantic key naming consistent with existing namespaces.
+
+## Validation
+
+1. Every new UI string has a key.
+2. English and German entries are both present.
+3. No fallback-to-English hardcoded text remains in JSX.
+
+## Response Format
+
+List:
+
+- New keys added
+- Files where keys were used
+- Any intentionally unchanged text and reason
@@ -0,0 +1,69 @@
+---
+name: medassist-karpathy-core
+description: Apply assumption clarity, simplicity-first implementation, surgical diffs, and goal-driven verification for non-trivial coding tasks.
+---
+
+# Skill Instructions
+
+Use this skill as an execution style layer for implementation tasks where overengineering, broad refactors, or unclear assumptions are likely.
+
+## Use When
+
+- The request is ambiguous and assumptions must be made explicit.
+- The change can easily balloon in scope.
+- A bug fix or feature needs explicit success criteria and verification.
+- You need to keep diffs minimal and directly tied to the request.
+
+## Do Not Use When
+
+- The task is trivial and can be completed safely without extra process overhead.
+- The task is only about ownership routing (use `medassist-testing-handoff` / `medassist-release-handoff`).
+- The task is only about domain guardrails already covered by specialized skills (architecture, DB, i18n, UI, security, config, observability).
+
+## Core Principles
+
+### 1. Think Before Coding
+
+- Do not assume silently.
+- State assumptions explicitly.
+- If multiple interpretations exist, present them instead of picking one invisibly.
+- If uncertain or blocked by ambiguity, stop and ask.
+- If a simpler approach exists, call it out.
+
+### 2. Simplicity First
+
+- Implement the minimum code required to solve the asked problem.
+- Do not add speculative features, abstractions, or configurability.
+- Avoid defensive handling for impossible scenarios.
+- If the solution feels overcomplicated, simplify before finalizing.
+
+### 3. Surgical Changes
+
+- Touch only lines required for the request.
+- Do not refactor unrelated areas.
+- Match existing local style and patterns.
+- Remove only unused code introduced by your own change.
+- If unrelated dead code is discovered, mention it but do not remove it unless requested.
+
+### 4. Goal-Driven Execution
+
+- Translate requests into verifiable outcomes before implementation.
+- For multi-step tasks, define short steps with checks.
+- Verify the requested behavior explicitly before declaring done.
+
+Example execution frame:
+
+```text
+1. [Step] -> verify: [check]
+2. [Step] -> verify: [check]
+3. [Step] -> verify: [check]
+```
+
+## Response Format
+
+When this skill is used, report briefly:
+
+- Assumptions made (or clarifications requested)
+- Why the chosen approach is the simplest viable one
+- What was changed (and what was intentionally not changed)
+- Verification performed and result
@@ -0,0 +1,41 @@
+---
+name: medassist-observability-guard
+description: Ensure MedAssist changes preserve actionable logging, health checks, and clear operational error visibility, including equivalent requests phrased in German.
+---
+
+# Skill Instructions
+
+Use this skill when changes affect backend services, schedulers, integrations, startup flow, or failure handling.
+
+## Objective
+
+Maintain operational visibility so failures are detectable, diagnosable, and actionable.
+
+## Required Checks
+
+1. Critical paths keep clear error reporting.
+2. Health-check behavior remains intact and meaningful.
+3. Logs contain actionable context without leaking secrets.
+4. Errors are surfaced with enough detail for debugging.
+5. Silent failure paths are avoided.
+
+## MedAssist Focus Areas
+
+- `backend/src/index.ts`
+- `backend/src/routes/health.ts`
+- `backend/src/services/*`
+- Scheduler and notification flows
+
+## Anti-Patterns
+
+- Swallowed exceptions.
+- Generic logs with no context.
+- Missing visibility for background failures.
+
+## Response Format
+
+Return:
+
+- Observability touchpoints reviewed
+- Gaps found and suggested fixes
+- Operational risk level
@@ -0,0 +1,30 @@
+---
+name: medassist-release-handoff
+description: Enforce MedAssist release ownership by preventing remote git/release actions by normal agents and delegating to release-manager, including equivalent requests phrased in German.
+---
+
+# Skill Instructions
+
+Use this skill when a request includes branch push, PR creation, merge, tagging, release notes publishing, or release orchestration.
+
+## Ownership Rules
+
+- Remote git/release actions are owned by `@release-manager`.
+- Normal agent/Copilot must not perform:
+  - `git push`
+  - PR creation/merge
+  - tag/release creation
+
+## Required Behavior
+
+1. Perform local code edits only.
+2. Summarize local changes clearly.
+3. Provide handoff instruction to `@release-manager` for shipping steps.
+
+## Response Format
+
+When this skill applies, return:
+
+- "Release handoff required"
+- Delegate target: `@release-manager`
+- Shipping checklist (branch, PR, CI, merge, release)
@@ -0,0 +1,43 @@
+---
+name: medassist-security-sanity
+description: Apply baseline security checks to MedAssist code changes, especially for backend routes, auth flows, and input handling, including equivalent requests phrased in German.
+---
+
+# Skill Instructions
+
+Use this skill when a change touches backend routes, auth/session logic, file handling, imports/exports, or external input.
+
+## Objective
+
+Prevent common security regressions with fast, practical checks during implementation.
+
+## Required Checks
+
+1. Validate and sanitize external input at API boundaries.
+2. Enforce auth/authz server-side for protected actions.
+3. Ensure secrets/tokens are never hardcoded or logged.
+4. Avoid information leakage in error responses.
+5. Keep permission-sensitive operations explicit and auditable.
+
+## MedAssist Focus Areas
+
+- Route handlers in `backend/src/routes/`.
+- Auth-related code in `backend/src/plugins/` and auth routes.
+- Data import/export and sharing endpoints.
+- File/image upload and serving paths.
+
+## Anti-Patterns
+
+- Trusting frontend-only checks.
+- Accepting unchecked query/body/path input.
+- Returning raw internal errors to clients.
+- Weak defaults for sensitive operations.
+
+## Response Format
+
+Report:
+
+- Security-sensitive files reviewed
+- Findings by severity (critical/major/minor)
+- Concrete remediation actions
+- Residual risk (if any)
@@ -0,0 +1,42 @@
+---
+name: medassist-skill-quality-review
+description: Review MedAssist skills for trigger quality, scope boundaries, and conflicts with AGENTS governance, including equivalent requests phrased in German.
+---
+
+# Skill Instructions
+
+Use this skill when creating or modifying any skill under `.github/skills/`.
+
+## Objective
+
+Keep skills discoverable, non-overlapping, and aligned with canonical governance in `AGENTS.md`.
+
+## Required Checks
+
+1. Frontmatter has clear `name` and specific `description` trigger language.
+2. Scope boundaries are explicit (`when to use` / `do not use`).
+3. No conflicts with `AGENTS.md` ownership rules.
+4. No policy duplication that can drift from canonical governance.
+5. References to related skills are explicit where workflows chain.
+
+## Quality Signals
+
+- Trigger phrases are concrete and task-shaped.
+- Instructions are concise, actionable, and deterministic.
+- Response format is clear and useful for downstream handoff.
+
+## Anti-Patterns
+
+- Vague descriptions that match everything.
+- Duplicate skills with overlapping responsibilities.
+- Contradictory ownership guidance.
+- Long policy blocks copied from other files.
+
+## Response Format
+
+Return:
+
+- Scope/trigger issues found
+- Overlap/conflict findings
+- Suggested minimal edits
+- Final pass/fail recommendation
@@ -0,0 +1,31 @@
+---
+name: medassist-testing-handoff
+description: Enforce MedAssist testing ownership by delegating test planning, execution, and CI test failure triage to testing-manager, including equivalent requests phrased in German.
+---
+
+# Skill Instructions
+
+Use this skill whenever a task includes writing tests, running tests, or diagnosing test-related CI failures.
+
+## Ownership Rules
+
+- Test planning, implementation, and execution are owned by `@testing-manager`.
+- CI test-failure triage (`test.yml`, `e2e.yml`) is owned by `@testing-manager`.
+- Normal coding agent should hand off testing tasks instead of executing testing workflows directly.
+
+## Handoff Template
+
+Use this structure for delegation:
+
+1. Scope: feature/fix and affected files
+2. Expected behavior
+3. Suggested test layers (unit/integration/e2e)
+4. CI failure context (if applicable)
+
+## Response Format
+
+When triggered, output:
+
+- "Testing handoff required"
+- Delegate target: `@testing-manager`
+- Minimal handoff brief (scope + expected behavior)
@@ -0,0 +1,52 @@
+---
+name: medassist-ui-consistency
+description: Enforce non-negotiable MedAssist UI guardrails by reusing existing components, styles, and interaction patterns, including equivalent requests phrased in German.
+---
+
+# Skill Instructions
+
+Use this skill when implementing or editing UI flows, modals, buttons, forms, schedule views, or settings screens.
+
+## Scope
+
+This is the **guardrail skill** for UI work.
+Use it to enforce consistency and prevent design drift.
+
+Use `medassist-frontend-polish` only after these guardrails are satisfied.
+
+## Do Not Use This Skill For
+
+- Creative visual redesign requests where no product consistency constraints apply.
+- Marketing-style one-off pages outside MedAssist product UI conventions.
+
+## Rules
+
+- Reuse existing components (for example `ConfirmModal`, `MedicationAvatar`) before creating new primitives.
+- Keep spacing, typography, and button styles aligned with existing patterns.
+- Avoid custom inline modal/button patterns that diverge from project design.
+- Prefer extending existing CSS classes/styles instead of introducing parallel styling systems.
+
+### Modal requirements (non-negotiable)
+
+Every modal/overlay **must** follow these rules:
+
+1. **Escape key**: Call `useEscapeKey(active, onClose)` from `hooks/useEscapeKey`. This registers a document-level `keydown` listener that works regardless of focus. **Never** rely on `onKeyDown` on an overlay div — it only fires when the overlay has focus, which almost never happens.
+2. **Scroll lock**: Call `useScrollLock(active)` from `hooks/useScrollLock` if the modal is **not** already covered by App.tsx's centralized `useScrollLock` call. Page-local modals (e.g. `ReportModal`, `ExportModal`) must call it themselves.
+3. **Click-outside close**: The overlay div gets `onClick={onClose}`, and `.modal-content` gets `onClick={(e) => e.stopPropagation()}`.
+4. **Key event containment**: `.modal-content` gets `onKeyDown={(e) => { if (e.key !== "Escape") e.stopPropagation(); }}` — this prevents non-Escape keys from leaking out while still allowing Escape to propagate to the document-level handler.
+5. **Nested sub-modals** (e.g. edit-stock inside MedDetailModal): Use `useEscapeKey` with `{ capture: true }` so the innermost modal intercepts Escape before the parent's handler fires.
+
+## Decision Heuristics
+
+1. If an equivalent component exists, reuse it.
+2. If small variant is needed, extend existing styles minimally.
+3. If a new component is unavoidable, match existing naming and structure conventions.
+
+## Response Format
+
+Provide:
+
+- Reused components/styles
+- Any new UI element and why reuse was not possible
+- Consistency risks reviewed
+- Confirmation that `medassist-frontend-polish` constraints remain compatible (if polish work is also requested)
@@ -0,0 +1,19 @@
+name: Add to Project
+
+on:
+  issues:
+    types: [opened, labeled]
+
+permissions: {}
+
+jobs:
+  add-to-project:
+    name: Add issue to project
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/add-to-project@v1.0.2
+        with:
+          project-url: ${{ vars.PROJECT_URL }}
+          github-token: ${{ secrets.ADD_TO_PROJECT_PAT }}
+          labeled: enhancement, bug, triage
+          label-operator: OR
@@ -0,0 +1,27 @@
+name: Close inactive issues
+
+on:
+  schedule:
+    - cron: "30 1 * * *"
+  workflow_dispatch:
+
+jobs:
+  close-issues:
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
+    steps:
+      - name: Mark and close stale issues
+        uses: actions/stale@v10
+        with:
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          days-before-issue-stale: 30
+          days-before-issue-close: 14
+          stale-issue-label: stale
+          stale-issue-message: "This issue is stale because it has been open for 30 days with no activity."
+          close-issue-message: "This issue was closed because it has been inactive for 14 days since being marked as stale."
+          days-before-pr-stale: -1
+          days-before-pr-close: -1
+          exempt-issue-labels: pinned,security
+          operations-per-run: 200
@@ -3,8 +3,30 @@ name: "CodeQL"
 on:
  push:
    branches: [main]
+    paths:
+      - '**.js'
+      - '**.ts'
+      - '**.tsx'
+      - '**.jsx'
+      - 'backend/package.json'
+      - 'backend/package-lock.json'
+      - 'frontend/package.json'
+      - 'frontend/package-lock.json'
+      - '.github/codeql/**'
+      - '.github/workflows/codeql.yml'
  pull_request:
    branches: [main]
+    paths:
+      - '**.js'
+      - '**.ts'
+      - '**.tsx'
+      - '**.jsx'
+      - 'backend/package.json'
+      - 'backend/package-lock.json'
+      - 'frontend/package.json'
+      - 'frontend/package-lock.json'
+      - '.github/codeql/**'
+      - '.github/workflows/codeql.yml'
  schedule:
    - cron: "0 6 * * 1" # Weekly on Monday at 6am UTC
  workflow_dispatch: # Allow manual trigger
@@ -25,18 +47,18 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6

      - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@v4
        with:
          languages: ${{ matrix.language }}
          config-file: ./.github/codeql/codeql-config.yml

      - name: Autobuild
-        uses: github/codeql-action/autobuild@v3
+        uses: github/codeql-action/autobuild@v4

      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@v4
        with:
          category: "/language:${{ matrix.language }}"
@@ -0,0 +1,37 @@
+name: Dependabot Automerge
+
+on:
+  pull_request_target:
+    types:
+      - opened
+      - reopened
+      - synchronize
+      - ready_for_review
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  enable-automerge:
+    if: github.actor == 'dependabot[bot]'
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Read Dependabot metadata
+        id: metadata
+        uses: dependabot/fetch-metadata@v2
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Enable auto-merge for safe updates
+        if: >-
+          (steps.metadata.outputs.package-ecosystem == 'npm' ||
+          steps.metadata.outputs.package-ecosystem == 'github_actions') &&
+          (steps.metadata.outputs.update-type == 'version-update:semver-minor' ||
+          steps.metadata.outputs.update-type == 'version-update:semver-patch')
+        uses: peter-evans/enable-pull-request-automerge@v3
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          pull-request-number: ${{ github.event.pull_request.number }}
+          merge-method: squash
@@ -3,18 +3,28 @@ name: Build and Push Docker Images
 on:
  push:
    branches: [main]
+    tags: ['v*']
    paths:
      - 'backend/**'
      - 'frontend/**'
-      - 'docker-compose*.yml'
+      - 'docker-compose.yml'
+      - 'docker-compose.dev.yml'
      - '.github/workflows/docker-build.yml'
-    tags: ['v*']
  workflow_dispatch:
    inputs:
      tag:
-        description: 'Image tag (leave empty for "latest")'
+        description: 'Image/release tag (e.g. v1.19.1 or latest)'
        required: false
        default: ''
+      create_release:
+        description: 'Create GitHub release entry (requires tag starting with v)'
+        required: false
+        default: false
+        type: boolean
+
+concurrency:
+  group: docker-build-${{ github.ref }}
+  cancel-in-progress: true

 # Default minimal permissions
 permissions:
@@ -25,50 +35,16 @@ env:

 jobs:
  # =============================================================================
-  # Run Tests First
-  # =============================================================================
-  backend-test:
-    name: Backend Tests
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    defaults:
-      run:
-        working-directory: backend
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version: '22'
-          cache: 'npm'
-          cache-dependency-path: backend/package-lock.json
-      - run: npm ci
-      - run: npx tsc --noEmit
-      - run: npm run test:run
-
-  frontend-build:
-    name: Frontend Build
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    defaults:
-      run:
-        working-directory: frontend
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version: '22'
-          cache: 'npm'
-          cache-dependency-path: frontend/package-lock.json
-      - run: npm ci
-      - run: npm run build
-
-  # =============================================================================
-  # Build and Push Docker Images (only after tests pass)
+  # Build and Push Docker Images
+  # Triggered on pushes to main (tagged as "main") and version tags (v*).
+  # Tests are NOT run here — branch protection on main requires all PR checks
+  # (backend-test + frontend-build from test.yml) to pass before merge.
+  # Tags are created from main, so code is already tested.
+  #
+  # main push  → "main" tag only (for testing before release)
+  # Tag builds → semver tags (e.g., 1.9.0, 1.9) plus "latest"
  # =============================================================================
  build-and-push:
-    needs: [backend-test, frontend-build]
    runs-on: ubuntu-latest
    permissions:
      contents: read
@@ -84,13 +60,13 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6

      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
+        uses: docker/setup-buildx-action@v4

      - name: Log in to Container Registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@v4
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
@@ -98,7 +74,7 @@ jobs:

      - name: Extract metadata
        id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@v6
        with:
          images: ${{ env.REGISTRY }}/${{ github.repository_owner }}/medassist-ng-${{ matrix.image }}
          tags: |
@@ -106,10 +82,10 @@ jobs:
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=raw,value=${{ github.event.inputs.tag || 'latest' }},enable=${{ github.event_name == 'workflow_dispatch' }}
-            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
+            type=raw,value=latest,enable=${{ startsWith(github.ref, 'refs/tags/v') }}

      - name: Build and push
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v7
        with:
          context: ${{ matrix.context }}
          push: true
@@ -122,42 +98,89 @@ jobs:
          sbom: false

  # =============================================================================
-  # Create GitHub Release (only on tag push)
+  # Create GitHub Release (on tag push or manual dispatch with create_release)
  # =============================================================================
  create-release:
    runs-on: ubuntu-latest
    needs: build-and-push
-    if: startsWith(github.ref, 'refs/tags/v')
+    if: startsWith(github.ref, 'refs/tags/v') || (github.event_name == 'workflow_dispatch' && github.event.inputs.create_release == 'true')
    permissions:
      contents: write
    
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
        with:
          fetch-depth: 0  # Fetch all history for changelog generation

+      - name: Resolve current tag
+        id: current_tag
+        run: |
+          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+            CURRENT_TAG="${{ github.event.inputs.tag }}"
+          else
+            CURRENT_TAG="${GITHUB_REF#refs/tags/}"
+          fi
+
+          if [ -z "$CURRENT_TAG" ]; then
+            echo "Release tag is required. Provide workflow_dispatch input 'tag'."
+            exit 1
+          fi
+
+          if [[ "$CURRENT_TAG" != v* ]]; then
+            echo "Release tag must start with 'v' (example: v1.19.1)."
+            exit 1
+          fi
+
+          echo "value=$CURRENT_TAG" >> "$GITHUB_OUTPUT"
+
+      - name: Check if release exists
+        id: check_release
+        run: |
+          CURRENT_TAG="${{ steps.current_tag.outputs.value }}"
+          if gh release view "$CURRENT_TAG" &>/dev/null; then
+            echo "exists=true" >> $GITHUB_OUTPUT
+            echo "Release $CURRENT_TAG already exists, skipping creation"
+          else
+            echo "exists=false" >> $GITHUB_OUTPUT
+          fi
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
      - name: Get previous tag
+        if: steps.check_release.outputs.exists == 'false'
        id: prev_tag
        run: |
-          PREV_TAG=$(git describe --tags --abbrev=0 HEAD^ 2>/dev/null || echo "")
+          CURRENT_TAG="${{ steps.current_tag.outputs.value }}"
+
+          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
+            PREV_TAG=$(git tag --sort=-v:refname | grep '^v' | grep -vx "$CURRENT_TAG" | head -1 || true)
+          else
+            PREV_TAG=$(git describe --tags --abbrev=0 HEAD^ 2>/dev/null || echo "")
+          fi
+
          echo "tag=${PREV_TAG}" >> $GITHUB_OUTPUT

      - name: Generate changelog
+        if: steps.check_release.outputs.exists == 'false'
        id: changelog
        run: |
-          CURRENT_TAG=${GITHUB_REF#refs/tags/}
+          CURRENT_TAG="${{ steps.current_tag.outputs.value }}"
          PREV_TAG="${{ steps.prev_tag.outputs.tag }}"
          
-          echo "## What's Changed" > changelog.md
+          echo "## What's New" > changelog.md
+          echo "" >> changelog.md
+          echo "This release includes updates and fixes shipped with ${CURRENT_TAG}." >> changelog.md
+          echo "" >> changelog.md
+          echo "### Highlights" >> changelog.md
          echo "" >> changelog.md
          
          if [ -n "$PREV_TAG" ]; then
-            # Get commits between tags
-            git log ${PREV_TAG}..${CURRENT_TAG} --pretty=format:"* %s (%h)" --no-merges >> changelog.md
+            echo "Changes from ${PREV_TAG} to ${CURRENT_TAG}:" >> changelog.md
+            git log ${PREV_TAG}..${CURRENT_TAG} --pretty=format:"- %s (%h)" --no-merges >> changelog.md
          else
-            # First release - get recent commits
-            git log -20 --pretty=format:"* %s (%h)" --no-merges >> changelog.md
+            echo "Recent shipped commits:" >> changelog.md
+            git log -20 --pretty=format:"- %s (%h)" --no-merges >> changelog.md
          fi
          
          echo "" >> changelog.md
@@ -172,8 +195,11 @@ jobs:
          echo "**Full Changelog**: https://github.com/${{ github.repository }}/compare/${PREV_TAG}...${CURRENT_TAG}" >> changelog.md

      - name: Create GitHub Release
+        if: steps.check_release.outputs.exists == 'false'
        uses: softprops/action-gh-release@v2
        with:
+          tag_name: ${{ steps.current_tag.outputs.value }}
+          target_commitish: ${{ github.sha }}
          body_path: changelog.md
          generate_release_notes: false
          draft: false
@@ -0,0 +1,87 @@
+name: E2E Tests
+
+on:
+  pull_request:
+    branches: [main]
+
+# Minimal permissions for security
+permissions:
+  contents: read
+
+jobs:
+  changes:
+    name: Detect E2E relevance
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
+    outputs:
+      e2e_relevant: ${{ steps.filter.outputs.e2e_relevant }}
+    steps:
+      - uses: dorny/paths-filter@v3
+        id: filter
+        with:
+          filters: |
+            e2e_relevant:
+              - 'frontend/**'
+              - 'backend/**'
+
+  e2e:
+    name: Playwright E2E
+    needs: changes
+    if: needs.changes.outputs.e2e_relevant == 'true'
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: '22'
+          cache: 'npm'
+          cache-dependency-path: |
+            backend/package-lock.json
+            frontend/package-lock.json
+
+      - name: Install backend dependencies
+        working-directory: backend
+        run: npm ci
+
+      - name: Install frontend dependencies
+        working-directory: frontend
+        run: npm ci
+
+      - name: Install Playwright browsers
+        working-directory: frontend
+        run: npx playwright install --with-deps chromium
+
+      - name: Run E2E tests (Chromium only)
+        working-directory: frontend
+        run: npx playwright test --project=chromium
+        env:
+          CI: true
+          PLAYWRIGHT_WORKERS: 1
+          PLAYWRIGHT_HTML_OPEN: never
+          JWT_SECRET: e2e-test-secret-that-is-long-enough
+          SESSION_SECRET: e2e-test-session-secret-long-enough
+
+      - name: Upload Playwright report
+        uses: actions/upload-artifact@v7
+        if: always()
+        with:
+          name: playwright-report
+          path: frontend/playwright-report/
+          retention-days: 7
+
+      - name: Upload test results
+        uses: actions/upload-artifact@v7
+        if: always()
+        with:
+          name: playwright-results
+          path: frontend/test-results/
+          retention-days: 7
@@ -0,0 +1,105 @@
+name: Move Done in Project
+
+on:
+  issues:
+    types: [closed]
+  pull_request:
+    types: [closed]
+
+permissions: {}
+
+jobs:
+  move-to-done:
+    name: Move to Done
+    runs-on: ubuntu-latest
+    if: >-
+      (github.event_name == 'issues' && github.event.issue.state_reason == 'completed') ||
+      (github.event_name == 'pull_request' && github.event.pull_request.merged == true)
+    steps:
+      - name: Move project item to Done
+        uses: actions/github-script@v8
+        with:
+          github-token: ${{ secrets.ADD_TO_PROJECT_PAT }}
+          script: |
+            const projectId = 'PVT_kwHOADH82s4BO2OT';
+            const statusFieldId = 'PVTSSF_lAHOADH82s4BO2OTzg9bdkE';
+            const doneOptionId = 'ca45af98';
+
+            // Determine content ID (issue or PR node ID)
+            const nodeId = context.payload.issue?.node_id || context.payload.pull_request?.node_id;
+            const number = context.payload.issue?.number || context.payload.pull_request?.number;
+            const type = context.payload.issue ? 'issue' : 'pull_request';
+
+            console.log(`Processing ${type} #${number} (${nodeId})`);
+
+            // Find the project item by content node ID
+            const result = await github.graphql(`
+              query($nodeId: ID!) {
+                node(id: $nodeId) {
+                  ... on Issue {
+                    projectItems(first: 10) {
+                      nodes {
+                        id
+                        project { id }
+                        fieldValueByName(name: "Status") {
+                          ... on ProjectV2ItemFieldSingleSelectValue {
+                            name
+                            optionId
+                          }
+                        }
+                      }
+                    }
+                  }
+                  ... on PullRequest {
+                    projectItems(first: 10) {
+                      nodes {
+                        id
+                        project { id }
+                        fieldValueByName(name: "Status") {
+                          ... on ProjectV2ItemFieldSingleSelectValue {
+                            name
+                            optionId
+                          }
+                        }
+                      }
+                    }
+                  }
+                }
+              }
+            `, { nodeId });
+
+            const items = result.node?.projectItems?.nodes || [];
+            const projectItem = items.find(item => item.project.id === projectId);
+
+            if (!projectItem) {
+              console.log(`${type} #${number} is not in the project board — skipping.`);
+              return;
+            }
+
+            const currentStatus = projectItem.fieldValueByName?.name || 'unknown';
+            if (currentStatus === 'Done') {
+              console.log(`${type} #${number} is already "Done" — skipping.`);
+              return;
+            }
+
+            console.log(`Moving ${type} #${number} from "${currentStatus}" to "Done"...`);
+
+            await github.graphql(`
+              mutation($projectId: ID!, $itemId: ID!, $fieldId: ID!, $optionId: String!) {
+                updateProjectV2ItemFieldValue(input: {
+                  projectId: $projectId
+                  itemId: $itemId
+                  fieldId: $fieldId
+                  value: { singleSelectOptionId: $optionId }
+                }) {
+                  projectV2Item { id }
+                }
+              }
+            `, {
+              projectId,
+              itemId: projectItem.id,
+              fieldId: statusFieldId,
+              optionId: doneOptionId
+            });
+
+            console.log(`Successfully moved ${type} #${number} to "Done".`);
@@ -1,56 +0,0 @@
-name: Create Release
-
-on:
-  push:
-    tags: ['v*']
-
-permissions:
-  contents: write
-
-jobs:
-  release:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Get previous tag
-        id: prev_tag
-        run: |
-          # Get all tags sorted by version, find the one before current
-          CURRENT_TAG=${GITHUB_REF#refs/tags/}
-          PREV_TAG=$(git tag --sort=-v:refname | grep -A1 "^${CURRENT_TAG}$" | tail -1)
-          
-          # If no previous tag found (first release), use empty
-          if [ "$PREV_TAG" = "$CURRENT_TAG" ]; then
-            PREV_TAG=""
-          fi
-          
-          echo "previous_tag=$PREV_TAG" >> $GITHUB_OUTPUT
-          echo "Current tag: $CURRENT_TAG, Previous tag: $PREV_TAG"
-
-      - name: Generate changelog
-        id: changelog
-        run: |
-          PREV_TAG="${{ steps.prev_tag.outputs.previous_tag }}"
-          
-          if [ -z "$PREV_TAG" ]; then
-            # First release - get all commits
-            CHANGES=$(git log --pretty=format:"- %s" HEAD)
-          else
-            # Get commits since last tag
-            CHANGES=$(git log --pretty=format:"- %s" ${PREV_TAG}..HEAD)
-          fi
-          
-          # Write to file for multiline support
-          echo "$CHANGES" > changelog.txt
-
-      - name: Create Release
-        uses: softprops/action-gh-release@v1
-        with:
-          body_path: changelog.txt
-          generate_release_notes: false
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -0,0 +1,144 @@
+name: Sync Project Fields
+
+on:
+  issues:
+    types: [opened, labeled, unlabeled, reopened]
+
+permissions: {}
+
+jobs:
+  sync-fields:
+    name: Sync Type/Priority fields from labels
+    runs-on: ubuntu-latest
+    steps:
+      - name: Sync fields
+        uses: actions/github-script@v8
+        with:
+          github-token: ${{ secrets.ADD_TO_PROJECT_PAT }}
+          script: |
+            const projectId = 'PVT_kwHOADH82s4BO2OT';
+            const issueNodeId = context.payload.issue.node_id;
+            const issueNumber = context.payload.issue.number;
+            const labels = (context.payload.issue.labels || []).map(l => l.name.toLowerCase());
+
+            const sleep = (ms) => new Promise(resolve => setTimeout(resolve, ms));
+
+            const getProjectItem = async () => {
+              const data = await github.graphql(`
+                query($nodeId: ID!) {
+                  node(id: $nodeId) {
+                    ... on Issue {
+                      projectItems(first: 20) {
+                        nodes {
+                          id
+                          project { id }
+                        }
+                      }
+                    }
+                  }
+                }
+              `, { nodeId: issueNodeId });
+
+              const items = data.node?.projectItems?.nodes || [];
+              return items.find(item => item.project.id === projectId) || null;
+            };
+
+            let projectItem = await getProjectItem();
+
+            // add-to-project may run in parallel; retry briefly before giving up
+            for (let i = 0; !projectItem && i < 6; i++) {
+              console.log(`Issue #${issueNumber} not in project yet. Retry ${i + 1}/6...`);
+              await sleep(10000);
+              projectItem = await getProjectItem();
+            }
+
+            if (!projectItem) {
+              console.log(`Issue #${issueNumber} is not in project board. Skipping field sync.`);
+              return;
+            }
+
+            const fieldsData = await github.graphql(`
+              query($projectId: ID!) {
+                node(id: $projectId) {
+                  ... on ProjectV2 {
+                    fields(first: 50) {
+                      nodes {
+                        ... on ProjectV2SingleSelectField {
+                          id
+                          name
+                          options {
+                            id
+                            name
+                          }
+                        }
+                      }
+                    }
+                  }
+                }
+              }
+            `, { projectId });
+
+            const singleSelectFields = fieldsData.node?.fields?.nodes || [];
+            const byName = new Map(singleSelectFields.map(f => [f.name, f]));
+
+            const typeField = byName.get('Type');
+            const priorityField = byName.get('Priority');
+
+            if (!typeField && !priorityField) {
+              console.log('Neither Type nor Priority field found. Nothing to update.');
+              return;
+            }
+
+            const pickOptionId = (field, optionName) => {
+              if (!field || !optionName) return null;
+              const opt = (field.options || []).find(o => o.name.toLowerCase() === optionName.toLowerCase());
+              return opt?.id || null;
+            };
+
+            let typeName = null;
+            if (labels.includes('bug')) typeName = 'Bug';
+            else if (labels.includes('enhancement')) typeName = 'Feature';
+            else if (labels.includes('documentation')) typeName = 'Documentation';
+
+            let priorityName = null;
+            if (labels.includes('priority/high')) priorityName = 'High';
+            else if (labels.includes('priority/low')) priorityName = 'Low';
+            else if (labels.includes('priority/medium')) priorityName = 'Medium';
+            else if (labels.includes('triage')) priorityName = 'Medium';
+
+            const updates = [];
+            const typeOptionId = pickOptionId(typeField, typeName);
+            if (typeField && typeOptionId) {
+              updates.push({ fieldId: typeField.id, optionId: typeOptionId, fieldName: 'Type', valueName: typeName });
+            }
+
+            const priorityOptionId = pickOptionId(priorityField, priorityName);
+            if (priorityField && priorityOptionId) {
+              updates.push({ fieldId: priorityField.id, optionId: priorityOptionId, fieldName: 'Priority', valueName: priorityName });
+            }
+
+            for (const update of updates) {
+              await github.graphql(`
+                mutation($projectId: ID!, $itemId: ID!, $fieldId: ID!, $optionId: String!) {
+                  updateProjectV2ItemFieldValue(input: {
+                    projectId: $projectId
+                    itemId: $itemId
+                    fieldId: $fieldId
+                    value: { singleSelectOptionId: $optionId }
+                  }) {
+                    projectV2Item { id }
+                  }
+                }
+              `, {
+                projectId,
+                itemId: projectItem.id,
+                fieldId: update.fieldId,
+                optionId: update.optionId
+              });
+
+              console.log(`Issue #${issueNumber}: set ${update.fieldName} = ${update.valueName}`);
+            }
+
+            if (updates.length === 0) {
+              console.log(`Issue #${issueNumber}: no matching field updates for labels [${labels.join(', ')}]`);
+            }
@@ -10,10 +10,38 @@ permissions:

 jobs:
  # =============================================================================
-  # Backend Tests
+  # Detect which paths changed to skip unnecessary jobs
+  # =============================================================================
+  changes:
+    name: Detect Changes
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: read
+    outputs:
+      backend: ${{ steps.filter.outputs.backend }}
+      frontend: ${{ steps.filter.outputs.frontend }}
+    steps:
+      - uses: dorny/paths-filter@v3
+        id: filter
+        with:
+          filters: |
+            backend:
+              - 'backend/**'
+              - 'biome.json'
+              - '.github/workflows/test.yml'
+            frontend:
+              - 'frontend/**'
+              - 'biome.json'
+              - '.github/workflows/test.yml'
+
+  # =============================================================================
+  # Backend Tests (skipped if no backend-related files changed)
  # =============================================================================
  backend-test:
    name: Backend Tests
+    needs: changes
+    if: needs.changes.outputs.backend == 'true'
    runs-on: ubuntu-latest
    permissions:
      contents: read
@@ -23,10 +51,10 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6

      - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
        with:
          node-version: '22'
          cache: 'npm'
@@ -35,6 +63,9 @@ jobs:
      - name: Install dependencies
        run: npm ci

+      - name: Lint
+        run: npm run lint
+
      - name: TypeScript type check
        run: npx tsc --noEmit

@@ -42,7 +73,7 @@ jobs:
        run: npm run test:coverage

      - name: Upload coverage report
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v7
        if: always()
        with:
          name: backend-coverage
@@ -50,10 +81,12 @@ jobs:
          retention-days: 7

  # =============================================================================
-  # Frontend Build Validation
+  # Frontend Tests & Build (skipped if no frontend-related files changed)
  # =============================================================================
  frontend-build:
    name: Frontend Build
+    needs: changes
+    if: needs.changes.outputs.frontend == 'true'
    runs-on: ubuntu-latest
    permissions:
      contents: read
@@ -63,10 +96,10 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6

      - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
        with:
          node-version: '22'
          cache: 'npm'
@@ -75,5 +108,19 @@ jobs:
      - name: Install dependencies
        run: npm ci

+      - name: Lint
+        run: npm run lint
+
+      - name: Run tests with coverage
+        run: npm run test:coverage
+
      - name: TypeScript type check & build
        run: npm run build
+
+      - name: Upload coverage report
+        uses: actions/upload-artifact@v7
+        if: always()
+        with:
+          name: frontend-coverage
+          path: frontend/coverage/
+          retention-days: 7
@@ -0,0 +1,111 @@
+name: Update Test Badges
+
+on:
+  workflow_dispatch:
+  workflow_run:
+    workflows: ["Build and Push Docker Images"]
+    types: [completed]
+    branches: [main]
+
+permissions:
+  contents: write
+
+# Prevent parallel badge workflows from racing each other
+concurrency:
+  group: update-test-badges
+  cancel-in-progress: true
+
+jobs:
+  update-badges:
+    name: Update Test Count Badges
+    runs-on: ubuntu-latest
+    # Only run after successful docker builds, not failed ones
+    if: ${{ github.event_name == 'workflow_dispatch' || github.event.workflow_run.conclusion == 'success' }}
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+        with:
+          token: ${{ secrets.BADGE_TOKEN || secrets.GITHUB_TOKEN }}
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: '22'
+          cache: 'npm'
+          cache-dependency-path: '**/package-lock.json'
+
+      - name: Install backend dependencies
+        working-directory: backend
+        run: npm ci
+
+      - name: Install frontend dependencies
+        working-directory: frontend
+        run: npm ci
+
+      - name: Run backend tests and capture count
+        id: backend-tests
+        working-directory: backend
+        timeout-minutes: 5
+        env:
+          CI: true
+        run: |
+          OUTPUT=$(npm run test:run 2>&1) || true
+          echo "$OUTPUT"
+          # Strip ANSI escape codes, then extract "Tests  X passed" from output
+          CLEAN=$(echo "$OUTPUT" | sed 's/\x1b\[[0-9;]*m//g')
+          PASSED=$(echo "$CLEAN" | grep -oP 'Tests\s+\K\d+(?=\s+passed)' | tail -1)
+          echo "count=$PASSED" >> $GITHUB_OUTPUT
+
+      - name: Run frontend tests and capture count
+        id: frontend-tests
+        working-directory: frontend
+        timeout-minutes: 5
+        env:
+          CI: true
+        run: |
+          OUTPUT=$(npm run test:run 2>&1) || true
+          echo "$OUTPUT"
+          # Strip ANSI escape codes, then extract "Tests  X passed" from output
+          CLEAN=$(echo "$OUTPUT" | sed 's/\x1b\[[0-9;]*m//g')
+          PASSED=$(echo "$CLEAN" | grep -oP 'Tests\s+\K\d+(?=\s+passed)' | tail -1)
+          echo "count=$PASSED" >> $GITHUB_OUTPUT
+
+      - name: Update README badges
+        run: |
+          BACKEND_COUNT="${{ steps.backend-tests.outputs.count }}"
+          FRONTEND_COUNT="${{ steps.frontend-tests.outputs.count }}"
+          
+          echo "Backend tests: $BACKEND_COUNT"
+          echo "Frontend tests: $FRONTEND_COUNT"
+          
+          # Only update if we got valid counts
+          if [[ -n "$BACKEND_COUNT" && -n "$FRONTEND_COUNT" ]]; then
+            # URL encode the slash for shields.io
+            BACKEND_BADGE="https://img.shields.io/badge/Backend_Tests-${BACKEND_COUNT}%2F${BACKEND_COUNT}-brightgreen?logo=vitest"
+            FRONTEND_BADGE="https://img.shields.io/badge/Frontend_Tests-${FRONTEND_COUNT}%2F${FRONTEND_COUNT}-brightgreen?logo=vitest"
+            
+            # Update README using sed
+            sed -i "s|https://img.shields.io/badge/Backend_Tests-[^\"]*|$BACKEND_BADGE|g" README.md
+            sed -i "s|https://img.shields.io/badge/Frontend_Tests-[^\"]*|$FRONTEND_BADGE|g" README.md
+            
+            echo "Updated badges in README.md"
+          else
+            echo "Could not extract test counts, skipping update"
+            exit 0
+          fi
+
+      - name: Commit and push badge updates
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          git add README.md
+          if git diff --cached --quiet; then
+            echo "No badge changes to commit"
+          else
+            git commit -m "chore: update test count badges [skip ci]"
+            # Rebase on latest main to avoid push rejection when concurrent
+            # badge workflows or other [skip ci] commits land between checkout and push
+            git pull --rebase origin main
+            git push
+          fi
@@ -0,0 +1,77 @@
+name: Weekly Triage Report
+
+on:
+  schedule:
+    - cron: '0 7 * * 1'
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  issues: write
+
+jobs:
+  weekly-report:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Build weekly summary
+        id: summary
+        uses: actions/github-script@v8
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const owner = context.repo.owner;
+            const repo = context.repo.repo;
+
+            const since = new Date(Date.now() - 7 * 24 * 60 * 60 * 1000).toISOString().split('T')[0];
+            const weekLabel = new Date().toISOString().split('T')[0];
+
+            const q = async (query) => {
+              const res = await github.rest.search.issuesAndPullRequests({ q: query, per_page: 1 });
+              return res.data.total_count;
+            };
+
+            const openIssues = await q(`repo:${owner}/${repo} is:issue is:open`);
+            const newIssues = await q(`repo:${owner}/${repo} is:issue created:>=${since}`);
+            const bugs = await q(`repo:${owner}/${repo} is:issue is:open label:bug`);
+            const enhancements = await q(`repo:${owner}/${repo} is:issue is:open label:enhancement`);
+            const triage = await q(`repo:${owner}/${repo} is:issue is:open label:triage`);
+            const stale = await q(`repo:${owner}/${repo} is:issue is:open label:stale`);
+            const unassigned = await q(`repo:${owner}/${repo} is:issue is:open no:assignee`);
+
+            const body = [
+              `## Weekly Triage Report (${weekLabel})`,
+              '',
+              `- Open issues: **${openIssues}**`,
+              `- New issues (last 7 days): **${newIssues}**`,
+              `- Open bugs: **${bugs}**`,
+              `- Open enhancements: **${enhancements}**`,
+              `- In triage: **${triage}**`,
+              `- Stale: **${stale}**`,
+              `- Unassigned: **${unassigned}**`,
+              '',
+              '### Quick Links',
+              `- Triage queue: https://github.com/${owner}/${repo}/issues?q=is%3Aissue+is%3Aopen+label%3Atriage`,
+              `- Stale issues: https://github.com/${owner}/${repo}/issues?q=is%3Aissue+is%3Aopen+label%3Astale`,
+              `- Unassigned issues: https://github.com/${owner}/${repo}/issues?q=is%3Aissue+is%3Aopen+no%3Aassignee`,
+            ].join('\n');
+
+            core.setOutput('title', `Weekly Triage Report - ${weekLabel}`);
+            core.setOutput('body', body);
+
+      - name: Publish report issue
+        uses: actions/github-script@v8
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const owner = context.repo.owner;
+            const repo = context.repo.repo;
+            const title = `${{ steps.summary.outputs.title }}`;
+            const body = `${{ steps.summary.outputs.body }}`;
+
+            await github.rest.issues.create({
+              owner,
+              repo,
+              title,
+              body,
+              labels: ['triage']
+            });
@@ -1,33 +1,90 @@
-# Node
+# ===================
+# Dependencies
+# ===================
 node_modules/
+.pnpm-store/
+
+# ===================
+# Build outputs
+# ===================
+dist/
+build/
+.tmp/
+*.tsbuildinfo
+
+# ===================
+# Test & Coverage
+# ===================
+coverage/
+.nyc_output/
+
+# Playwright
+/frontend/playwright-report/
+/frontend/test-results/
+/frontend/e2e/.auth/
+/frontend/blob-report/
+
+# ===================
+# Environment
+# ===================
+.env
+.env.*
+!.env.example
+
+# ===================
+# Database & Data
+# ===================
+*.db
+*.sqlite
+*.sqlite3
+*.db-journal
+*.db-wal
+*.db-shm
+data/
+
+# ===================
+# Logs
+# ===================
+logs/
+*.log
 npm-debug.log*
 yarn-debug.log*
 yarn-error.log*
 pnpm-debug.log*

-# Build outputs
-dist/
-build/
-coverage/
-.tmp/
-
-# Env
-.env
-.env.*
-!.env.example
-
-# SQLite
-*.db
-*.sqlite
-*.sqlite3
-*.db-journal
-backend/data/
-
-# Logs
-logs/
-*.log
-
-# Editor
-.vscode/
-.idea/
+# ===================
+# OS files
+# ===================
 .DS_Store
+Thumbs.db
+*.swp
+*.swo
+*~
+
+# ===================
+# IDE / Editor
+# ===================
+.idea/
+*.sublime-project
+*.sublime-workspace
+
+# Keep shared VS Code settings
+# .vscode/ is NOT ignored - settings.json is useful for the team
+
+# ===================
+# Misc
+# ===================
+*.local
+.cache/
+.turbo/
+.roo/
+.roomodes
+.claude/
+AGENTS.md
+docs/TECH_STACK.md
+doku/
+doku/memory_notes.md
+doku/report.md
+plan/
+.copilot-tracking/
+.playwright-cli/
@@ -0,0 +1 @@
+npx lint-staged
@@ -0,0 +1,8 @@
+{
+  "vitest.root": "backend",
+  "vitest.enable": true,
+  "vitest.commandLine": "npm test --",
+  "chat.tools.terminal.autoApprove": {
+    "test": true
+  }
+}
@@ -0,0 +1,88 @@
+{
+	"version": "2.0.0",
+	"tasks": [
+		{
+			"label": "E2E stable",
+			"type": "shell",
+			"command": "npm",
+			"args": [
+				"run",
+				"test:e2e"
+			],
+			"options": {
+				"cwd": "${workspaceFolder}/frontend"
+			},
+			"group": "test",
+			"problemMatcher": []
+		},
+		{
+			"label": "E2E stable + merged video",
+			"type": "shell",
+			"command": "npm",
+			"args": [
+				"run",
+				"test:e2e:with-video"
+			],
+			"options": {
+				"cwd": "${workspaceFolder}/frontend"
+			},
+			"group": "test",
+			"problemMatcher": []
+		},
+		{
+			"label": "E2E all browsers",
+			"type": "shell",
+			"command": "npm",
+			"args": [
+				"run",
+				"test:e2e:all"
+			],
+			"options": {
+				"cwd": "${workspaceFolder}/frontend"
+			},
+			"group": "test",
+			"problemMatcher": []
+		},
+		{
+			"label": "E2E all browsers + merged video",
+			"type": "shell",
+			"command": "npm",
+			"args": [
+				"run",
+				"test:e2e:all:with-video"
+			],
+			"options": {
+				"cwd": "${workspaceFolder}/frontend"
+			},
+			"group": "test",
+			"problemMatcher": []
+		},
+		{
+			"label": "E2E stable non-interactive",
+			"type": "shell",
+			"command": "cd frontend && PLAYWRIGHT_HTML_OPEN=never PLAYWRIGHT_WORKERS=1 npm run test:e2e -- --workers=1",
+			"isBackground": false,
+			"group": "test"
+		},
+		{
+			"label": "Targeted frontend vitest",
+			"type": "shell",
+			"command": "cd frontend && npm test -- --run src/test/context/AppContext.test.tsx src/test/utils/schedule.test.ts",
+			"isBackground": false,
+			"group": "test"
+		},
+		{
+			"label": "Focused frontend shared schedule test",
+			"type": "shell",
+			"command": "cd frontend && npm run test:run -- --maxWorkers=1 src/test/components/SharedSchedule.test.tsx",
+			"isBackground": false,
+			"group": "test"
+		},
+		{
+			"label": "PR3 targeted validation",
+			"type": "shell",
+			"command": "git --no-pager diff --check -- .github/agents/release-manager.agent.md .github/agents/testing-manager.agent.md .gitignore .vscode/tasks.json && node -e \"JSON.parse(require('fs').readFileSync('.vscode/tasks.json','utf8')); console.log('tasks.json valid')\"",
+			"isBackground": false
+		}
+	]
+}
@@ -10,16 +10,21 @@
 </p>

 <p align="center">
-  <img src="https://img.shields.io/badge/React-18-61DAFB?logo=react" alt="React 18" />
+  <img src="https://img.shields.io/badge/React-19-61DAFB?logo=react" alt="React 19" />
  <img src="https://img.shields.io/badge/TypeScript-5-3178C6?logo=typescript" alt="TypeScript" />
  <img src="https://img.shields.io/badge/Fastify-5-000000?logo=fastify" alt="Fastify" />
  <img src="https://img.shields.io/badge/SQLite-Database-003B57?logo=sqlite" alt="SQLite" />
  <img src="https://img.shields.io/badge/Docker-Ready-2496ED?logo=docker" alt="Docker" />
 </p>

+<p align="center">
+  <img src="https://img.shields.io/badge/Backend_Tests-614%2F614-brightgreen?logo=vitest" alt="Backend Tests 454/454" />
+  <img src="https://img.shields.io/badge/Frontend_Tests-807%2F807-brightgreen?logo=vitest" alt="Frontend Tests 611/611" />
+</p>
+
 ### 🤖 AI-Generated Code

-> This app was 100% coded with Claude Opus 4.5. Use at your own risk.
+> This app was 100% coded with [Claude Opus 4.6](https://www.anthropic.com/claude) and [GPT-5.3 Codex](https://openai.com/index/gpt-5/). Use at your own risk.

 ### ⚠️ Disclaimer

@@ -115,9 +120,10 @@ Share your medication schedule with others via a public link.
 </details>

 ### Smart Inventory
- Track exact stock: packs, blisters, and loose pills
+- Track exact stock with package profiles (blister, bottle, tube, liquid container)
 - Display remaining days of supply
 - Automatic calculation based on intake schedule
+- Manual stock correction supports profile-specific stock semantics (sealed units + loose stock for blister, amount-based stock for bottle/tube/liquid)

 ### Medication Refill
 - One-click refill with pack or loose pill options
@@ -127,6 +133,7 @@ Share your medication schedule with others via a public link.
 ### Flexible Schedules
 - Daily, weekly, or custom intervals per medication
 - Independent schedules for each medication
+- Optional timeline filters for dashboard and shared schedule views

 ### Stock Alerts & Reminders
 - Notifications before stock runs out
@@ -134,12 +141,18 @@ Share your medication schedule with others via a public link.
 - Intake reminders via push notifications

 ### Trip Planner
- Calculate how many pills you need for a trip or date range
+- Calculate medication demand for a trip or date range with package-aware units
 - Plan ahead for vacations, business trips, or hospital stays
+- Send demand reports via email or push notification
+
+### Reports
+- Generate medication reports as PDF, Markdown, or plain text
+- Include intake history, refill history, and prescription details

 ### Multi-Person Support
 - Manage medications for multiple people
 - Share schedules via link. Recipients can mark doses as taken, you see it live
+- Optionally embed the medication overview directly on shared links via a settings toggle

 ### Data Export & Import
 - Export all your data (medications, dose history, settings) as JSON
@@ -165,7 +178,7 @@ The easiest way to deploy MedAssist-ng is with Docker Compose:
 git clone https://github.com/DanielVolz/medassist-ng.git
 cd medassist-ng
 cp .env.example .env
-docker compose up -d
+docker compose -p medassist-ng up -d
 ```

 Open `http://localhost:4174` and start tracking your medications.
@@ -182,9 +195,24 @@ All configuration is done via environment variables in `.env`. Copy `.env.exampl
 | `PGID` | `1000` | Group ID for container file permissions |
 | `PORT` | `3000` | Backend API port |
 | `CORS_ORIGINS` | `http://localhost:4174` | Allowed origins for CORS |
-| `LOG_LEVEL` | `info` | Log verbosity (`debug`, `info`, `warn`, `error`) |
+| `LOG_LEVEL` | `info` | Log verbosity (`debug`, `info`, `warn`, `error`, `silent`). At `info` (default), high-frequency polling endpoints are suppressed. Set `debug` to see all requests. |
+| `OPENAPI_DOCS_ENABLED` | `auto` | Enables API docs in non-production by default. Set explicitly to `true`/`false` to override. |
 | `TZ` | `Europe/Berlin` | Timezone for scheduled reminders |

+Recommended values for API docs by environment:
+
+| Environment | Recommendation |
+|-------------|----------------|
+| Development | `OPENAPI_DOCS_ENABLED=true` |
+| Staging/Test | `OPENAPI_DOCS_ENABLED=true` |
+| Production | leave it unset, or set `OPENAPI_DOCS_ENABLED=false` |
+
+Notes:
+
+- If `OPENAPI_DOCS_ENABLED` is not set, docs are enabled outside production and disabled in production.
+- If `OPENAPI_DOCS_ENABLED=true`, docs are available on `/docs` and `/docs/json`.
+- If `OPENAPI_DOCS_ENABLED=false`, only the docs are disabled. The API still works normally.
+
 ### Authentication

 | Variable | Default | Description |
@@ -199,6 +227,43 @@ All configuration is done via environment variables in `.env`. Copy `.env.exampl

 Generate secrets with: `openssl rand -hex 32`

+### API Keys (Programmatic API Access)
+
+When `AUTH_ENABLED=true`, you can create personal API keys and call protected endpoints with:
+
+```bash
+Authorization: Bearer ma_...
+```
+
+Available scopes:
+
+- `read`: read-only access (`GET`, `HEAD`, `OPTIONS`)
+- `write`: read + write access
+
+Essential notes:
+
+- Create keys in the app when authentication is enabled.
+- The token is shown only once after creation.
+- Creating a new key automatically deactivates previously active keys for the same user.
+- API keys are stored hashed in the database.
+
+Example usage:
+
+```bash
+curl http://localhost:3000/settings \
+  -H "Authorization: Bearer ma_..."
+```
+
+API reference:
+
+- Interactive docs: `/docs`
+- OpenAPI JSON: `/docs/json`
+- With the bundled frontend ingress, these paths work on the normal app URL as well, for example `http://localhost:4174/docs` when docs are enabled.
+- Key management endpoints for authenticated users:
+  - `GET /auth/api-keys`
+  - `POST /auth/api-keys`
+  - `DELETE /auth/api-keys/:id`
+
 ### OIDC / SSO

 | Variable | Default | Description |
@@ -207,7 +272,7 @@ Generate secrets with: `openssl rand -hex 32`
 | `OIDC_ISSUER_URL` | — | OIDC provider URL |
 | `OIDC_CLIENT_ID` | — | Client ID from OIDC provider |
 | `OIDC_CLIENT_SECRET` | — | Client secret from OIDC provider |
-| `OIDC_REDIRECT_URI` | — | Callback URL |
+| `OIDC_REDIRECT_URI` | — | Full callback URL (e.g., `https://your-domain.com/api/auth/oidc/callback`) |
 | `OIDC_SCOPES` | `openid profile email` | Scopes to request |
 | `OIDC_USERNAME_CLAIM` | `preferred_username` | Claim for username |
 | `OIDC_AUTO_CREATE_USERS` | `true` | Auto-create users on first SSO login |
@@ -238,7 +303,9 @@ Generate secrets with: `openssl rand -hex 32`

 MedAssist uses [Shoutrrr](https://containrrr.dev/shoutrrr/) for push notifications, supporting many services with a single URL format.

-**Supported services:** ntfy, Pushover, Gotify, Discord, Telegram, Slack, Matrix, and [many more](https://containrrr.dev/shoutrrr/v0.8/services/overview/).
+**Implemented URL schemes in MedAssist:** `ntfy://`, `discord://`, `pushover://`, `gotify://`, `telegram://`, plus direct `https://` webhooks.
+
+This covers common providers like ntfy, Discord, Pushover, Gotify, Telegram, Slack webhooks, and many others via webhook URLs.

 Configure push notifications in Settings → Push, or set defaults via environment variables:

@@ -249,6 +316,14 @@ Configure push notifications in Settings → Push, or set defaults via environme
 | `DEFAULT_SHOUTRRR_STOCK_REMINDERS` | `true` | Send stock warnings via push |
 | `DEFAULT_SHOUTRRR_INTAKE_REMINDERS` | `true` | Send intake reminders via push |

+### Default User Settings
+
+These defaults are applied when a new user is created. Once a user saves settings in the app, their values take precedence.
+
+Complete list and details:
+
+- [docs/DEFAULT_USER_SETTINGS.md](docs/DEFAULT_USER_SETTINGS.md)
+
 #### URL Examples

 **ntfy** (free, self-hostable):
@@ -268,6 +343,7 @@ Get your keys at [pushover.net](https://pushover.net/):
 **Gotify** (self-hosted):
 ```
 gotify://your-server.com/TOKEN
+gotify://your-server.com:443/path/to/gotify/TOKEN?priority=1
 ```

 **Discord**:
@@ -278,6 +354,7 @@ discord://TOKEN@WEBHOOK_ID
 **Telegram**:
 ```
 telegram://TOKEN@telegram?chats=CHAT_ID
+telegram://TOKEN@telegram?chats=@your_channel,-1001234567890
 ```

 For all services and options, see the [Shoutrrr documentation](https://containrrr.dev/shoutrrr/v0.8/services/overview/).
@@ -285,11 +362,21 @@ For all services and options, see the [Shoutrrr documentation](https://containrr
 # Development

 ```bash
-docker compose -f docker-compose.dev.yml up
+docker compose -p medassist-dev -f docker-compose.dev.yml up
 ```

 - Frontend: `http://localhost:5173` (hot reload)
 - Backend: `http://localhost:3000`
+- API docs UI: `http://localhost:3000/docs` (when docs are enabled)
+- OpenAPI JSON: `http://localhost:3000/docs/json` (when docs are enabled)
+
+Useful local commands:
+
+```bash
+npm run lint
+cd backend && npm run test:run
+cd frontend && npm run test:run
+```

 # Acknowledgements

@@ -0,0 +1,35 @@
+# Dependencies
+node_modules/
+
+# Build outputs
+dist/
+coverage/
+
+# Development files
+*.log
+npm-debug.log*
+
+# Test files
+src/test/
+*.test.ts
+vitest.config.ts
+
+# Local data (mounted as volume in production)
+data/
+
+# IDE
+.vscode/
+.idea/
+
+# OS files
+.DS_Store
+Thumbs.db
+
+# Git
+.git/
+.gitignore
+
+# Docker
+Dockerfile
+.dockerignore
+docker-compose*.yml
@@ -46,6 +46,9 @@ COPY --from=builder /app/node_modules ./node_modules
 COPY --from=builder /app/dist ./dist
 COPY --from=builder /app/package.json ./

+# Copy drizzle migrations folder (required for database setup)
+COPY drizzle ./drizzle
+
 # Create data directory and set ownership to node user (UID 1000)
 RUN mkdir -p /app/data && chown -R node:node /app

@@ -5,6 +5,6 @@ export default defineConfig({
  out: "./drizzle",
  dialect: "sqlite",
  dbCredentials: {
-    url: process.env.DATABASE_URL || "./data/medassist.db",
+    url: process.env.DATABASE_URL || "./data/medassist-ng.db",
  },
 });
@@ -0,0 +1 @@
+ALTER TABLE `medications` ADD `stock_adjustment` integer DEFAULT 0 NOT NULL;
@@ -0,0 +1 @@
+ALTER TABLE `medications` ADD `last_stock_correction_at` integer;
@@ -0,0 +1,3 @@
+ALTER TABLE `medications` ADD `dismissed_until` text;--> statement-breakpoint
+ALTER TABLE `user_settings` ADD `last_reminder_med_name` text;--> statement-breakpoint
+ALTER TABLE `user_settings` ADD `last_reminder_taken_by` text;
@@ -0,0 +1,3 @@
+-- Add package type support (blister vs bottle)
+ALTER TABLE medications ADD COLUMN package_type TEXT DEFAULT 'blister' NOT NULL;
+ALTER TABLE medications ADD COLUMN total_pills INTEGER;
@@ -0,0 +1,3 @@
+-- Add dose_unit column and intakes JSON array for per-intake takenBy support
+ALTER TABLE `medications` ADD `dose_unit` text(20) DEFAULT 'mg';--> statement-breakpoint
+ALTER TABLE `medications` ADD `intakes_json` text DEFAULT '[]' NOT NULL;
@@ -0,0 +1,3 @@
+ALTER TABLE `user_settings` ADD `last_stock_reminder_sent` text;--> statement-breakpoint
+ALTER TABLE `user_settings` ADD `last_stock_reminder_channel` text;--> statement-breakpoint
+ALTER TABLE `user_settings` ADD `last_stock_reminder_med_names` text;
@@ -0,0 +1 @@
+ALTER TABLE `user_settings` ADD `share_stock_status` integer DEFAULT true NOT NULL;
@@ -0,0 +1,2 @@
+ALTER TABLE `medications` ADD `is_obsolete` integer DEFAULT false NOT NULL;
+ALTER TABLE `medications` ADD `obsolete_at` integer;
@@ -0,0 +1,8 @@
+ALTER TABLE `medications` ADD `prescription_enabled` integer NOT NULL DEFAULT 0;
+ALTER TABLE `medications` ADD `prescription_authorized_refills` integer;
+ALTER TABLE `medications` ADD `prescription_remaining_refills` integer;
+ALTER TABLE `medications` ADD `prescription_low_refill_threshold` integer NOT NULL DEFAULT 1;
+ALTER TABLE `medications` ADD `prescription_expiry_date` text;
+
+ALTER TABLE `user_settings` ADD `email_prescription_reminders` integer NOT NULL DEFAULT 1;
+ALTER TABLE `user_settings` ADD `shoutrrr_prescription_reminders` integer NOT NULL DEFAULT 1;
@@ -0,0 +1 @@
+ALTER TABLE `medications` ADD `medication_start_date` text DEFAULT '' NOT NULL;
@@ -0,0 +1 @@
+ALTER TABLE `dose_tracking` ADD `taken_source` text DEFAULT 'manual' NOT NULL;
@@ -0,0 +1,5 @@
+ALTER TABLE `medications` ADD `medication_form` text(20) DEFAULT 'tablet' NOT NULL;--> statement-breakpoint
+ALTER TABLE `medications` ADD `pill_form` text(20);--> statement-breakpoint
+ALTER TABLE `medications` ADD `lifecycle_category` text(30) DEFAULT 'refill_when_empty' NOT NULL;--> statement-breakpoint
+ALTER TABLE `medications` ADD `medication_end_date` text;--> statement-breakpoint
+ALTER TABLE `medications` ADD `auto_mark_obsolete_after_end_date` integer DEFAULT true NOT NULL;
@@ -0,0 +1,18 @@
+CREATE TABLE `api_keys` (
+	`id` integer PRIMARY KEY AUTOINCREMENT NOT NULL,
+	`user_id` integer NOT NULL,
+	`name` text(100) NOT NULL,
+	`key_hash` text(128) NOT NULL,
+	`token_prefix` text(24) DEFAULT '' NOT NULL,
+	`scope` text(10) DEFAULT 'write' NOT NULL,
+	`is_active` integer DEFAULT true NOT NULL,
+	`last_used_at` integer,
+	`expires_at` integer,
+	`created_at` integer DEFAULT CURRENT_TIMESTAMP NOT NULL,
+	`updated_at` integer DEFAULT CURRENT_TIMESTAMP NOT NULL,
+	FOREIGN KEY (`user_id`) REFERENCES `users`(`id`) ON UPDATE no action ON DELETE cascade
+);
+--> statement-breakpoint
+CREATE UNIQUE INDEX `api_keys_key_hash_unique` ON `api_keys` (`key_hash`);--> statement-breakpoint
+ALTER TABLE `medications` ADD `package_amount_value` integer DEFAULT 0 NOT NULL;--> statement-breakpoint
+ALTER TABLE `medications` ADD `package_amount_unit` text(10) DEFAULT 'ml' NOT NULL;
@@ -0,0 +1 @@
+ALTER TABLE `user_settings` ADD `share_medication_overview` integer DEFAULT false NOT NULL;
@@ -0,0 +1,827 @@
+{
+  "version": "6",
+  "dialect": "sqlite",
+  "id": "bcb60728-38c0-4965-adac-829c02240d89",
+  "prevId": "0e7f882c-b6e8-4d7b-a6a8-a076969c3e76",
+  "tables": {
+    "dose_tracking": {
+      "name": "dose_tracking",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "dose_id": {
+          "name": "dose_id",
+          "type": "text(255)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "taken_at": {
+          "name": "taken_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "(strftime('%s','now'))"
+        },
+        "marked_by": {
+          "name": "marked_by",
+          "type": "text(100)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "dismissed": {
+          "name": "dismissed",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "dose_tracking_user_id_users_id_fk": {
+          "name": "dose_tracking_user_id_users_id_fk",
+          "tableFrom": "dose_tracking",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "medications": {
+      "name": "medications",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "name": {
+          "name": "name",
+          "type": "text(100)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "generic_name": {
+          "name": "generic_name",
+          "type": "text(100)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "taken_by_json": {
+          "name": "taken_by_json",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'[]'"
+        },
+        "pack_count": {
+          "name": "pack_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 1
+        },
+        "blisters_per_pack": {
+          "name": "blisters_per_pack",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 1
+        },
+        "pills_per_blister": {
+          "name": "pills_per_blister",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 1
+        },
+        "loose_tablets": {
+          "name": "loose_tablets",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 0
+        },
+        "stock_adjustment": {
+          "name": "stock_adjustment",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 0
+        },
+        "pill_weight_mg": {
+          "name": "pill_weight_mg",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "usage_json": {
+          "name": "usage_json",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'[]'"
+        },
+        "every_json": {
+          "name": "every_json",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'[]'"
+        },
+        "start_json": {
+          "name": "start_json",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'[]'"
+        },
+        "image_url": {
+          "name": "image_url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "expiry_date": {
+          "name": "expiry_date",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "notes": {
+          "name": "notes",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "intake_reminders_enabled": {
+          "name": "intake_reminders_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "medications_user_id_users_id_fk": {
+          "name": "medications_user_id_users_id_fk",
+          "tableFrom": "medications",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "refill_history": {
+      "name": "refill_history",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "medication_id": {
+          "name": "medication_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "packs_added": {
+          "name": "packs_added",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 0
+        },
+        "loose_pills_added": {
+          "name": "loose_pills_added",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 0
+        },
+        "refill_date": {
+          "name": "refill_date",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "(strftime('%s','now'))"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "refill_history_medication_id_medications_id_fk": {
+          "name": "refill_history_medication_id_medications_id_fk",
+          "tableFrom": "refill_history",
+          "tableTo": "medications",
+          "columnsFrom": [
+            "medication_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "refill_history_user_id_users_id_fk": {
+          "name": "refill_history_user_id_users_id_fk",
+          "tableFrom": "refill_history",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "refresh_tokens": {
+      "name": "refresh_tokens",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "token_id": {
+          "name": "token_id",
+          "type": "text(255)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "rotated_at": {
+          "name": "rotated_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "revoked": {
+          "name": "revoked",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "refresh_tokens_token_id_unique": {
+          "name": "refresh_tokens_token_id_unique",
+          "columns": [
+            "token_id"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "refresh_tokens_user_id_users_id_fk": {
+          "name": "refresh_tokens_user_id_users_id_fk",
+          "tableFrom": "refresh_tokens",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "share_tokens": {
+      "name": "share_tokens",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "token": {
+          "name": "token",
+          "type": "text(64)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "taken_by": {
+          "name": "taken_by",
+          "type": "text(100)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "schedule_days": {
+          "name": "schedule_days",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 30
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        }
+      },
+      "indexes": {
+        "share_tokens_token_unique": {
+          "name": "share_tokens_token_unique",
+          "columns": [
+            "token"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "share_tokens_user_id_users_id_fk": {
+          "name": "share_tokens_user_id_users_id_fk",
+          "tableFrom": "share_tokens",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "user_settings": {
+      "name": "user_settings",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "email_enabled": {
+          "name": "email_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "notification_email": {
+          "name": "notification_email",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "email_stock_reminders": {
+          "name": "email_stock_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": true
+        },
+        "email_intake_reminders": {
+          "name": "email_intake_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": true
+        },
+        "shoutrrr_enabled": {
+          "name": "shoutrrr_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "shoutrrr_url": {
+          "name": "shoutrrr_url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "shoutrrr_stock_reminders": {
+          "name": "shoutrrr_stock_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": true
+        },
+        "shoutrrr_intake_reminders": {
+          "name": "shoutrrr_intake_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": true
+        },
+        "reminder_days_before": {
+          "name": "reminder_days_before",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 7
+        },
+        "repeat_daily_reminders": {
+          "name": "repeat_daily_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "skip_reminders_for_taken_doses": {
+          "name": "skip_reminders_for_taken_doses",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "repeat_reminders_enabled": {
+          "name": "repeat_reminders_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "reminder_repeat_interval_minutes": {
+          "name": "reminder_repeat_interval_minutes",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 30
+        },
+        "max_nagging_reminders": {
+          "name": "max_nagging_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 5
+        },
+        "low_stock_days": {
+          "name": "low_stock_days",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 30
+        },
+        "normal_stock_days": {
+          "name": "normal_stock_days",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 90
+        },
+        "high_stock_days": {
+          "name": "high_stock_days",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 180
+        },
+        "expiry_warning_days": {
+          "name": "expiry_warning_days",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 90
+        },
+        "language": {
+          "name": "language",
+          "type": "text(10)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'en'"
+        },
+        "stock_calculation_mode": {
+          "name": "stock_calculation_mode",
+          "type": "text(20)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'automatic'"
+        },
+        "last_auto_email_sent": {
+          "name": "last_auto_email_sent",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_notification_type": {
+          "name": "last_notification_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_notification_channel": {
+          "name": "last_notification_channel",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "user_settings_user_id_unique": {
+          "name": "user_settings_user_id_unique",
+          "columns": [
+            "user_id"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "user_settings_user_id_users_id_fk": {
+          "name": "user_settings_user_id_users_id_fk",
+          "tableFrom": "user_settings",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "users": {
+      "name": "users",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "username": {
+          "name": "username",
+          "type": "text(100)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "password_hash": {
+          "name": "password_hash",
+          "type": "text(255)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "avatar_url": {
+          "name": "avatar_url",
+          "type": "text(255)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "auth_provider": {
+          "name": "auth_provider",
+          "type": "text(50)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'local'"
+        },
+        "oidc_subject": {
+          "name": "oidc_subject",
+          "type": "text(255)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "is_active": {
+          "name": "is_active",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": true
+        },
+        "last_login_at": {
+          "name": "last_login_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "users_username_unique": {
+          "name": "users_username_unique",
+          "columns": [
+            "username"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    }
+  },
+  "views": {},
+  "enums": {},
+  "_meta": {
+    "schemas": {},
+    "tables": {},
+    "columns": {}
+  },
+  "internal": {
+    "indexes": {}
+  }
+}
@@ -0,0 +1,834 @@
+{
+  "version": "6",
+  "dialect": "sqlite",
+  "id": "098ee506-e43d-4ccb-bee5-c387905695ab",
+  "prevId": "bcb60728-38c0-4965-adac-829c02240d89",
+  "tables": {
+    "dose_tracking": {
+      "name": "dose_tracking",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "dose_id": {
+          "name": "dose_id",
+          "type": "text(255)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "taken_at": {
+          "name": "taken_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "(strftime('%s','now'))"
+        },
+        "marked_by": {
+          "name": "marked_by",
+          "type": "text(100)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "dismissed": {
+          "name": "dismissed",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "dose_tracking_user_id_users_id_fk": {
+          "name": "dose_tracking_user_id_users_id_fk",
+          "tableFrom": "dose_tracking",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "medications": {
+      "name": "medications",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "name": {
+          "name": "name",
+          "type": "text(100)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "generic_name": {
+          "name": "generic_name",
+          "type": "text(100)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "taken_by_json": {
+          "name": "taken_by_json",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'[]'"
+        },
+        "pack_count": {
+          "name": "pack_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 1
+        },
+        "blisters_per_pack": {
+          "name": "blisters_per_pack",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 1
+        },
+        "pills_per_blister": {
+          "name": "pills_per_blister",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 1
+        },
+        "loose_tablets": {
+          "name": "loose_tablets",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 0
+        },
+        "stock_adjustment": {
+          "name": "stock_adjustment",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 0
+        },
+        "last_stock_correction_at": {
+          "name": "last_stock_correction_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "pill_weight_mg": {
+          "name": "pill_weight_mg",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "usage_json": {
+          "name": "usage_json",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'[]'"
+        },
+        "every_json": {
+          "name": "every_json",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'[]'"
+        },
+        "start_json": {
+          "name": "start_json",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'[]'"
+        },
+        "image_url": {
+          "name": "image_url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "expiry_date": {
+          "name": "expiry_date",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "notes": {
+          "name": "notes",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "intake_reminders_enabled": {
+          "name": "intake_reminders_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "medications_user_id_users_id_fk": {
+          "name": "medications_user_id_users_id_fk",
+          "tableFrom": "medications",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "refill_history": {
+      "name": "refill_history",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "medication_id": {
+          "name": "medication_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "packs_added": {
+          "name": "packs_added",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 0
+        },
+        "loose_pills_added": {
+          "name": "loose_pills_added",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 0
+        },
+        "refill_date": {
+          "name": "refill_date",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "(strftime('%s','now'))"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "refill_history_medication_id_medications_id_fk": {
+          "name": "refill_history_medication_id_medications_id_fk",
+          "tableFrom": "refill_history",
+          "tableTo": "medications",
+          "columnsFrom": [
+            "medication_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "refill_history_user_id_users_id_fk": {
+          "name": "refill_history_user_id_users_id_fk",
+          "tableFrom": "refill_history",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "refresh_tokens": {
+      "name": "refresh_tokens",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "token_id": {
+          "name": "token_id",
+          "type": "text(255)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "rotated_at": {
+          "name": "rotated_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "revoked": {
+          "name": "revoked",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "refresh_tokens_token_id_unique": {
+          "name": "refresh_tokens_token_id_unique",
+          "columns": [
+            "token_id"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "refresh_tokens_user_id_users_id_fk": {
+          "name": "refresh_tokens_user_id_users_id_fk",
+          "tableFrom": "refresh_tokens",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "share_tokens": {
+      "name": "share_tokens",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "token": {
+          "name": "token",
+          "type": "text(64)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "taken_by": {
+          "name": "taken_by",
+          "type": "text(100)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "schedule_days": {
+          "name": "schedule_days",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 30
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        }
+      },
+      "indexes": {
+        "share_tokens_token_unique": {
+          "name": "share_tokens_token_unique",
+          "columns": [
+            "token"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "share_tokens_user_id_users_id_fk": {
+          "name": "share_tokens_user_id_users_id_fk",
+          "tableFrom": "share_tokens",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "user_settings": {
+      "name": "user_settings",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "email_enabled": {
+          "name": "email_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "notification_email": {
+          "name": "notification_email",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "email_stock_reminders": {
+          "name": "email_stock_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": true
+        },
+        "email_intake_reminders": {
+          "name": "email_intake_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": true
+        },
+        "shoutrrr_enabled": {
+          "name": "shoutrrr_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "shoutrrr_url": {
+          "name": "shoutrrr_url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "shoutrrr_stock_reminders": {
+          "name": "shoutrrr_stock_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": true
+        },
+        "shoutrrr_intake_reminders": {
+          "name": "shoutrrr_intake_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": true
+        },
+        "reminder_days_before": {
+          "name": "reminder_days_before",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 7
+        },
+        "repeat_daily_reminders": {
+          "name": "repeat_daily_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "skip_reminders_for_taken_doses": {
+          "name": "skip_reminders_for_taken_doses",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "repeat_reminders_enabled": {
+          "name": "repeat_reminders_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "reminder_repeat_interval_minutes": {
+          "name": "reminder_repeat_interval_minutes",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 30
+        },
+        "max_nagging_reminders": {
+          "name": "max_nagging_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 5
+        },
+        "low_stock_days": {
+          "name": "low_stock_days",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 30
+        },
+        "normal_stock_days": {
+          "name": "normal_stock_days",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 90
+        },
+        "high_stock_days": {
+          "name": "high_stock_days",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 180
+        },
+        "expiry_warning_days": {
+          "name": "expiry_warning_days",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 90
+        },
+        "language": {
+          "name": "language",
+          "type": "text(10)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'en'"
+        },
+        "stock_calculation_mode": {
+          "name": "stock_calculation_mode",
+          "type": "text(20)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'automatic'"
+        },
+        "last_auto_email_sent": {
+          "name": "last_auto_email_sent",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_notification_type": {
+          "name": "last_notification_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_notification_channel": {
+          "name": "last_notification_channel",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "user_settings_user_id_unique": {
+          "name": "user_settings_user_id_unique",
+          "columns": [
+            "user_id"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "user_settings_user_id_users_id_fk": {
+          "name": "user_settings_user_id_users_id_fk",
+          "tableFrom": "user_settings",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "users": {
+      "name": "users",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "username": {
+          "name": "username",
+          "type": "text(100)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "password_hash": {
+          "name": "password_hash",
+          "type": "text(255)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "avatar_url": {
+          "name": "avatar_url",
+          "type": "text(255)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "auth_provider": {
+          "name": "auth_provider",
+          "type": "text(50)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'local'"
+        },
+        "oidc_subject": {
+          "name": "oidc_subject",
+          "type": "text(255)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "is_active": {
+          "name": "is_active",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": true
+        },
+        "last_login_at": {
+          "name": "last_login_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "users_username_unique": {
+          "name": "users_username_unique",
+          "columns": [
+            "username"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    }
+  },
+  "views": {},
+  "enums": {},
+  "_meta": {
+    "schemas": {},
+    "tables": {},
+    "columns": {}
+  },
+  "internal": {
+    "indexes": {}
+  }
+}
@@ -0,0 +1,855 @@
+{
+  "version": "6",
+  "dialect": "sqlite",
+  "id": "4f1d8273-1e60-4da1-9bfc-bd51c2784836",
+  "prevId": "098ee506-e43d-4ccb-bee5-c387905695ab",
+  "tables": {
+    "dose_tracking": {
+      "name": "dose_tracking",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "dose_id": {
+          "name": "dose_id",
+          "type": "text(255)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "taken_at": {
+          "name": "taken_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "(strftime('%s','now'))"
+        },
+        "marked_by": {
+          "name": "marked_by",
+          "type": "text(100)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "dismissed": {
+          "name": "dismissed",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "dose_tracking_user_id_users_id_fk": {
+          "name": "dose_tracking_user_id_users_id_fk",
+          "tableFrom": "dose_tracking",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "medications": {
+      "name": "medications",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "name": {
+          "name": "name",
+          "type": "text(100)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "generic_name": {
+          "name": "generic_name",
+          "type": "text(100)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "taken_by_json": {
+          "name": "taken_by_json",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'[]'"
+        },
+        "pack_count": {
+          "name": "pack_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 1
+        },
+        "blisters_per_pack": {
+          "name": "blisters_per_pack",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 1
+        },
+        "pills_per_blister": {
+          "name": "pills_per_blister",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 1
+        },
+        "loose_tablets": {
+          "name": "loose_tablets",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 0
+        },
+        "stock_adjustment": {
+          "name": "stock_adjustment",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 0
+        },
+        "last_stock_correction_at": {
+          "name": "last_stock_correction_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "pill_weight_mg": {
+          "name": "pill_weight_mg",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "usage_json": {
+          "name": "usage_json",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'[]'"
+        },
+        "every_json": {
+          "name": "every_json",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'[]'"
+        },
+        "start_json": {
+          "name": "start_json",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'[]'"
+        },
+        "image_url": {
+          "name": "image_url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "expiry_date": {
+          "name": "expiry_date",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "notes": {
+          "name": "notes",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "intake_reminders_enabled": {
+          "name": "intake_reminders_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "dismissed_until": {
+          "name": "dismissed_until",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "medications_user_id_users_id_fk": {
+          "name": "medications_user_id_users_id_fk",
+          "tableFrom": "medications",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "refill_history": {
+      "name": "refill_history",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "medication_id": {
+          "name": "medication_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "packs_added": {
+          "name": "packs_added",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 0
+        },
+        "loose_pills_added": {
+          "name": "loose_pills_added",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 0
+        },
+        "refill_date": {
+          "name": "refill_date",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "(strftime('%s','now'))"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "refill_history_medication_id_medications_id_fk": {
+          "name": "refill_history_medication_id_medications_id_fk",
+          "tableFrom": "refill_history",
+          "tableTo": "medications",
+          "columnsFrom": [
+            "medication_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "refill_history_user_id_users_id_fk": {
+          "name": "refill_history_user_id_users_id_fk",
+          "tableFrom": "refill_history",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "refresh_tokens": {
+      "name": "refresh_tokens",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "token_id": {
+          "name": "token_id",
+          "type": "text(255)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "rotated_at": {
+          "name": "rotated_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "revoked": {
+          "name": "revoked",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "refresh_tokens_token_id_unique": {
+          "name": "refresh_tokens_token_id_unique",
+          "columns": [
+            "token_id"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "refresh_tokens_user_id_users_id_fk": {
+          "name": "refresh_tokens_user_id_users_id_fk",
+          "tableFrom": "refresh_tokens",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "share_tokens": {
+      "name": "share_tokens",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "token": {
+          "name": "token",
+          "type": "text(64)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "taken_by": {
+          "name": "taken_by",
+          "type": "text(100)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "schedule_days": {
+          "name": "schedule_days",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 30
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        }
+      },
+      "indexes": {
+        "share_tokens_token_unique": {
+          "name": "share_tokens_token_unique",
+          "columns": [
+            "token"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "share_tokens_user_id_users_id_fk": {
+          "name": "share_tokens_user_id_users_id_fk",
+          "tableFrom": "share_tokens",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "user_settings": {
+      "name": "user_settings",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "email_enabled": {
+          "name": "email_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "notification_email": {
+          "name": "notification_email",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "email_stock_reminders": {
+          "name": "email_stock_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": true
+        },
+        "email_intake_reminders": {
+          "name": "email_intake_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": true
+        },
+        "shoutrrr_enabled": {
+          "name": "shoutrrr_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "shoutrrr_url": {
+          "name": "shoutrrr_url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "shoutrrr_stock_reminders": {
+          "name": "shoutrrr_stock_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": true
+        },
+        "shoutrrr_intake_reminders": {
+          "name": "shoutrrr_intake_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": true
+        },
+        "reminder_days_before": {
+          "name": "reminder_days_before",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 7
+        },
+        "repeat_daily_reminders": {
+          "name": "repeat_daily_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "skip_reminders_for_taken_doses": {
+          "name": "skip_reminders_for_taken_doses",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "repeat_reminders_enabled": {
+          "name": "repeat_reminders_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "reminder_repeat_interval_minutes": {
+          "name": "reminder_repeat_interval_minutes",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 30
+        },
+        "max_nagging_reminders": {
+          "name": "max_nagging_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 5
+        },
+        "low_stock_days": {
+          "name": "low_stock_days",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 30
+        },
+        "normal_stock_days": {
+          "name": "normal_stock_days",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 90
+        },
+        "high_stock_days": {
+          "name": "high_stock_days",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 180
+        },
+        "expiry_warning_days": {
+          "name": "expiry_warning_days",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 90
+        },
+        "language": {
+          "name": "language",
+          "type": "text(10)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'en'"
+        },
+        "stock_calculation_mode": {
+          "name": "stock_calculation_mode",
+          "type": "text(20)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'automatic'"
+        },
+        "last_auto_email_sent": {
+          "name": "last_auto_email_sent",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_notification_type": {
+          "name": "last_notification_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_notification_channel": {
+          "name": "last_notification_channel",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_reminder_med_name": {
+          "name": "last_reminder_med_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_reminder_taken_by": {
+          "name": "last_reminder_taken_by",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "user_settings_user_id_unique": {
+          "name": "user_settings_user_id_unique",
+          "columns": [
+            "user_id"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "user_settings_user_id_users_id_fk": {
+          "name": "user_settings_user_id_users_id_fk",
+          "tableFrom": "user_settings",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "users": {
+      "name": "users",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "username": {
+          "name": "username",
+          "type": "text(100)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "password_hash": {
+          "name": "password_hash",
+          "type": "text(255)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "avatar_url": {
+          "name": "avatar_url",
+          "type": "text(255)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "auth_provider": {
+          "name": "auth_provider",
+          "type": "text(50)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'local'"
+        },
+        "oidc_subject": {
+          "name": "oidc_subject",
+          "type": "text(255)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "is_active": {
+          "name": "is_active",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": true
+        },
+        "last_login_at": {
+          "name": "last_login_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "users_username_unique": {
+          "name": "users_username_unique",
+          "columns": [
+            "username"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    }
+  },
+  "views": {},
+  "enums": {},
+  "_meta": {
+    "schemas": {},
+    "tables": {},
+    "columns": {}
+  },
+  "internal": {
+    "indexes": {}
+  }
+}
@@ -0,0 +1,886 @@
+{
+  "version": "6",
+  "dialect": "sqlite",
+  "id": "fb61e5fd-152d-4e61-8836-e2fd1d28e3f0",
+  "prevId": "4f1d8273-1e60-4da1-9bfc-bd51c2784836",
+  "tables": {
+    "dose_tracking": {
+      "name": "dose_tracking",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "dose_id": {
+          "name": "dose_id",
+          "type": "text(255)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "taken_at": {
+          "name": "taken_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "(strftime('%s','now'))"
+        },
+        "marked_by": {
+          "name": "marked_by",
+          "type": "text(100)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "dismissed": {
+          "name": "dismissed",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "dose_tracking_user_id_users_id_fk": {
+          "name": "dose_tracking_user_id_users_id_fk",
+          "tableFrom": "dose_tracking",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "medications": {
+      "name": "medications",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "name": {
+          "name": "name",
+          "type": "text(100)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "generic_name": {
+          "name": "generic_name",
+          "type": "text(100)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "taken_by_json": {
+          "name": "taken_by_json",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'[]'"
+        },
+        "package_type": {
+          "name": "package_type",
+          "type": "text(20)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'blister'"
+        },
+        "pack_count": {
+          "name": "pack_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 1
+        },
+        "blisters_per_pack": {
+          "name": "blisters_per_pack",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 1
+        },
+        "pills_per_blister": {
+          "name": "pills_per_blister",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 1
+        },
+        "total_pills": {
+          "name": "total_pills",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "loose_tablets": {
+          "name": "loose_tablets",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 0
+        },
+        "stock_adjustment": {
+          "name": "stock_adjustment",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 0
+        },
+        "last_stock_correction_at": {
+          "name": "last_stock_correction_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "pill_weight_mg": {
+          "name": "pill_weight_mg",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "dose_unit": {
+          "name": "dose_unit",
+          "type": "text(20)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'mg'"
+        },
+        "usage_json": {
+          "name": "usage_json",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'[]'"
+        },
+        "every_json": {
+          "name": "every_json",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'[]'"
+        },
+        "start_json": {
+          "name": "start_json",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'[]'"
+        },
+        "intakes_json": {
+          "name": "intakes_json",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'[]'"
+        },
+        "image_url": {
+          "name": "image_url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "expiry_date": {
+          "name": "expiry_date",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "notes": {
+          "name": "notes",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "intake_reminders_enabled": {
+          "name": "intake_reminders_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "dismissed_until": {
+          "name": "dismissed_until",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "medications_user_id_users_id_fk": {
+          "name": "medications_user_id_users_id_fk",
+          "tableFrom": "medications",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "refill_history": {
+      "name": "refill_history",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "medication_id": {
+          "name": "medication_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "packs_added": {
+          "name": "packs_added",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 0
+        },
+        "loose_pills_added": {
+          "name": "loose_pills_added",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 0
+        },
+        "refill_date": {
+          "name": "refill_date",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "(strftime('%s','now'))"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "refill_history_medication_id_medications_id_fk": {
+          "name": "refill_history_medication_id_medications_id_fk",
+          "tableFrom": "refill_history",
+          "tableTo": "medications",
+          "columnsFrom": [
+            "medication_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "refill_history_user_id_users_id_fk": {
+          "name": "refill_history_user_id_users_id_fk",
+          "tableFrom": "refill_history",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "refresh_tokens": {
+      "name": "refresh_tokens",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "token_id": {
+          "name": "token_id",
+          "type": "text(255)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "rotated_at": {
+          "name": "rotated_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "revoked": {
+          "name": "revoked",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "refresh_tokens_token_id_unique": {
+          "name": "refresh_tokens_token_id_unique",
+          "columns": [
+            "token_id"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "refresh_tokens_user_id_users_id_fk": {
+          "name": "refresh_tokens_user_id_users_id_fk",
+          "tableFrom": "refresh_tokens",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "share_tokens": {
+      "name": "share_tokens",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "token": {
+          "name": "token",
+          "type": "text(64)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "taken_by": {
+          "name": "taken_by",
+          "type": "text(100)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "schedule_days": {
+          "name": "schedule_days",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 30
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        }
+      },
+      "indexes": {
+        "share_tokens_token_unique": {
+          "name": "share_tokens_token_unique",
+          "columns": [
+            "token"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "share_tokens_user_id_users_id_fk": {
+          "name": "share_tokens_user_id_users_id_fk",
+          "tableFrom": "share_tokens",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "user_settings": {
+      "name": "user_settings",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "email_enabled": {
+          "name": "email_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "notification_email": {
+          "name": "notification_email",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "email_stock_reminders": {
+          "name": "email_stock_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": true
+        },
+        "email_intake_reminders": {
+          "name": "email_intake_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": true
+        },
+        "shoutrrr_enabled": {
+          "name": "shoutrrr_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "shoutrrr_url": {
+          "name": "shoutrrr_url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "shoutrrr_stock_reminders": {
+          "name": "shoutrrr_stock_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": true
+        },
+        "shoutrrr_intake_reminders": {
+          "name": "shoutrrr_intake_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": true
+        },
+        "reminder_days_before": {
+          "name": "reminder_days_before",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 7
+        },
+        "repeat_daily_reminders": {
+          "name": "repeat_daily_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "skip_reminders_for_taken_doses": {
+          "name": "skip_reminders_for_taken_doses",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "repeat_reminders_enabled": {
+          "name": "repeat_reminders_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "reminder_repeat_interval_minutes": {
+          "name": "reminder_repeat_interval_minutes",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 30
+        },
+        "max_nagging_reminders": {
+          "name": "max_nagging_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 5
+        },
+        "low_stock_days": {
+          "name": "low_stock_days",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 30
+        },
+        "normal_stock_days": {
+          "name": "normal_stock_days",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 90
+        },
+        "high_stock_days": {
+          "name": "high_stock_days",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 180
+        },
+        "expiry_warning_days": {
+          "name": "expiry_warning_days",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 90
+        },
+        "language": {
+          "name": "language",
+          "type": "text(10)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'en'"
+        },
+        "stock_calculation_mode": {
+          "name": "stock_calculation_mode",
+          "type": "text(20)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'automatic'"
+        },
+        "last_auto_email_sent": {
+          "name": "last_auto_email_sent",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_notification_type": {
+          "name": "last_notification_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_notification_channel": {
+          "name": "last_notification_channel",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_reminder_med_name": {
+          "name": "last_reminder_med_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_reminder_taken_by": {
+          "name": "last_reminder_taken_by",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "user_settings_user_id_unique": {
+          "name": "user_settings_user_id_unique",
+          "columns": [
+            "user_id"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "user_settings_user_id_users_id_fk": {
+          "name": "user_settings_user_id_users_id_fk",
+          "tableFrom": "user_settings",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "users": {
+      "name": "users",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "username": {
+          "name": "username",
+          "type": "text(100)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "password_hash": {
+          "name": "password_hash",
+          "type": "text(255)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "avatar_url": {
+          "name": "avatar_url",
+          "type": "text(255)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "auth_provider": {
+          "name": "auth_provider",
+          "type": "text(50)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'local'"
+        },
+        "oidc_subject": {
+          "name": "oidc_subject",
+          "type": "text(255)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "is_active": {
+          "name": "is_active",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": true
+        },
+        "last_login_at": {
+          "name": "last_login_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "users_username_unique": {
+          "name": "users_username_unique",
+          "columns": [
+            "username"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    }
+  },
+  "views": {},
+  "enums": {},
+  "_meta": {
+    "schemas": {},
+    "tables": {},
+    "columns": {}
+  },
+  "internal": {
+    "indexes": {}
+  }
+}
@@ -0,0 +1,907 @@
+{
+  "version": "6",
+  "dialect": "sqlite",
+  "id": "7cd75e33-b3d8-4930-a60b-2a0a9f644c6d",
+  "prevId": "fb61e5fd-152d-4e61-8836-e2fd1d28e3f0",
+  "tables": {
+    "dose_tracking": {
+      "name": "dose_tracking",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "dose_id": {
+          "name": "dose_id",
+          "type": "text(255)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "taken_at": {
+          "name": "taken_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "(strftime('%s','now'))"
+        },
+        "marked_by": {
+          "name": "marked_by",
+          "type": "text(100)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "dismissed": {
+          "name": "dismissed",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "dose_tracking_user_id_users_id_fk": {
+          "name": "dose_tracking_user_id_users_id_fk",
+          "tableFrom": "dose_tracking",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "medications": {
+      "name": "medications",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "name": {
+          "name": "name",
+          "type": "text(100)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "generic_name": {
+          "name": "generic_name",
+          "type": "text(100)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "taken_by_json": {
+          "name": "taken_by_json",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'[]'"
+        },
+        "package_type": {
+          "name": "package_type",
+          "type": "text(20)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'blister'"
+        },
+        "pack_count": {
+          "name": "pack_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 1
+        },
+        "blisters_per_pack": {
+          "name": "blisters_per_pack",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 1
+        },
+        "pills_per_blister": {
+          "name": "pills_per_blister",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 1
+        },
+        "total_pills": {
+          "name": "total_pills",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "loose_tablets": {
+          "name": "loose_tablets",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 0
+        },
+        "stock_adjustment": {
+          "name": "stock_adjustment",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 0
+        },
+        "last_stock_correction_at": {
+          "name": "last_stock_correction_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "pill_weight_mg": {
+          "name": "pill_weight_mg",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "dose_unit": {
+          "name": "dose_unit",
+          "type": "text(20)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'mg'"
+        },
+        "usage_json": {
+          "name": "usage_json",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'[]'"
+        },
+        "every_json": {
+          "name": "every_json",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'[]'"
+        },
+        "start_json": {
+          "name": "start_json",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'[]'"
+        },
+        "intakes_json": {
+          "name": "intakes_json",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'[]'"
+        },
+        "image_url": {
+          "name": "image_url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "expiry_date": {
+          "name": "expiry_date",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "notes": {
+          "name": "notes",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "intake_reminders_enabled": {
+          "name": "intake_reminders_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "dismissed_until": {
+          "name": "dismissed_until",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "medications_user_id_users_id_fk": {
+          "name": "medications_user_id_users_id_fk",
+          "tableFrom": "medications",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "refill_history": {
+      "name": "refill_history",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "medication_id": {
+          "name": "medication_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "packs_added": {
+          "name": "packs_added",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 0
+        },
+        "loose_pills_added": {
+          "name": "loose_pills_added",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 0
+        },
+        "refill_date": {
+          "name": "refill_date",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "(strftime('%s','now'))"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "refill_history_medication_id_medications_id_fk": {
+          "name": "refill_history_medication_id_medications_id_fk",
+          "tableFrom": "refill_history",
+          "tableTo": "medications",
+          "columnsFrom": [
+            "medication_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "refill_history_user_id_users_id_fk": {
+          "name": "refill_history_user_id_users_id_fk",
+          "tableFrom": "refill_history",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "refresh_tokens": {
+      "name": "refresh_tokens",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "token_id": {
+          "name": "token_id",
+          "type": "text(255)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "rotated_at": {
+          "name": "rotated_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "revoked": {
+          "name": "revoked",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "refresh_tokens_token_id_unique": {
+          "name": "refresh_tokens_token_id_unique",
+          "columns": [
+            "token_id"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "refresh_tokens_user_id_users_id_fk": {
+          "name": "refresh_tokens_user_id_users_id_fk",
+          "tableFrom": "refresh_tokens",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "share_tokens": {
+      "name": "share_tokens",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "token": {
+          "name": "token",
+          "type": "text(64)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "taken_by": {
+          "name": "taken_by",
+          "type": "text(100)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "schedule_days": {
+          "name": "schedule_days",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 30
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        }
+      },
+      "indexes": {
+        "share_tokens_token_unique": {
+          "name": "share_tokens_token_unique",
+          "columns": [
+            "token"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "share_tokens_user_id_users_id_fk": {
+          "name": "share_tokens_user_id_users_id_fk",
+          "tableFrom": "share_tokens",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "user_settings": {
+      "name": "user_settings",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "email_enabled": {
+          "name": "email_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "notification_email": {
+          "name": "notification_email",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "email_stock_reminders": {
+          "name": "email_stock_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": true
+        },
+        "email_intake_reminders": {
+          "name": "email_intake_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": true
+        },
+        "shoutrrr_enabled": {
+          "name": "shoutrrr_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "shoutrrr_url": {
+          "name": "shoutrrr_url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "shoutrrr_stock_reminders": {
+          "name": "shoutrrr_stock_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": true
+        },
+        "shoutrrr_intake_reminders": {
+          "name": "shoutrrr_intake_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": true
+        },
+        "reminder_days_before": {
+          "name": "reminder_days_before",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 7
+        },
+        "repeat_daily_reminders": {
+          "name": "repeat_daily_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "skip_reminders_for_taken_doses": {
+          "name": "skip_reminders_for_taken_doses",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "repeat_reminders_enabled": {
+          "name": "repeat_reminders_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "reminder_repeat_interval_minutes": {
+          "name": "reminder_repeat_interval_minutes",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 30
+        },
+        "max_nagging_reminders": {
+          "name": "max_nagging_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 5
+        },
+        "low_stock_days": {
+          "name": "low_stock_days",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 30
+        },
+        "normal_stock_days": {
+          "name": "normal_stock_days",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 90
+        },
+        "high_stock_days": {
+          "name": "high_stock_days",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 180
+        },
+        "expiry_warning_days": {
+          "name": "expiry_warning_days",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 90
+        },
+        "language": {
+          "name": "language",
+          "type": "text(10)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'en'"
+        },
+        "stock_calculation_mode": {
+          "name": "stock_calculation_mode",
+          "type": "text(20)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'automatic'"
+        },
+        "last_auto_email_sent": {
+          "name": "last_auto_email_sent",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_notification_type": {
+          "name": "last_notification_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_notification_channel": {
+          "name": "last_notification_channel",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_reminder_med_name": {
+          "name": "last_reminder_med_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_reminder_taken_by": {
+          "name": "last_reminder_taken_by",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_stock_reminder_sent": {
+          "name": "last_stock_reminder_sent",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_stock_reminder_channel": {
+          "name": "last_stock_reminder_channel",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_stock_reminder_med_names": {
+          "name": "last_stock_reminder_med_names",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "user_settings_user_id_unique": {
+          "name": "user_settings_user_id_unique",
+          "columns": [
+            "user_id"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "user_settings_user_id_users_id_fk": {
+          "name": "user_settings_user_id_users_id_fk",
+          "tableFrom": "user_settings",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "users": {
+      "name": "users",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "username": {
+          "name": "username",
+          "type": "text(100)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "password_hash": {
+          "name": "password_hash",
+          "type": "text(255)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "avatar_url": {
+          "name": "avatar_url",
+          "type": "text(255)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "auth_provider": {
+          "name": "auth_provider",
+          "type": "text(50)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'local'"
+        },
+        "oidc_subject": {
+          "name": "oidc_subject",
+          "type": "text(255)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "is_active": {
+          "name": "is_active",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": true
+        },
+        "last_login_at": {
+          "name": "last_login_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "users_username_unique": {
+          "name": "users_username_unique",
+          "columns": [
+            "username"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    }
+  },
+  "views": {},
+  "enums": {},
+  "_meta": {
+    "schemas": {},
+    "tables": {},
+    "columns": {}
+  },
+  "internal": {
+    "indexes": {}
+  }
+}
@@ -0,0 +1,915 @@
+{
+  "version": "6",
+  "dialect": "sqlite",
+  "id": "b6f1ee4b-cc31-4060-a4d4-bcd4fdc5bd87",
+  "prevId": "7cd75e33-b3d8-4930-a60b-2a0a9f644c6d",
+  "tables": {
+    "dose_tracking": {
+      "name": "dose_tracking",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "dose_id": {
+          "name": "dose_id",
+          "type": "text(255)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "taken_at": {
+          "name": "taken_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "(strftime('%s','now'))"
+        },
+        "marked_by": {
+          "name": "marked_by",
+          "type": "text(100)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "dismissed": {
+          "name": "dismissed",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "dose_tracking_user_id_users_id_fk": {
+          "name": "dose_tracking_user_id_users_id_fk",
+          "tableFrom": "dose_tracking",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "medications": {
+      "name": "medications",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "name": {
+          "name": "name",
+          "type": "text(100)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "generic_name": {
+          "name": "generic_name",
+          "type": "text(100)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "taken_by_json": {
+          "name": "taken_by_json",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'[]'"
+        },
+        "package_type": {
+          "name": "package_type",
+          "type": "text(20)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'blister'"
+        },
+        "pack_count": {
+          "name": "pack_count",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 1
+        },
+        "blisters_per_pack": {
+          "name": "blisters_per_pack",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 1
+        },
+        "pills_per_blister": {
+          "name": "pills_per_blister",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 1
+        },
+        "total_pills": {
+          "name": "total_pills",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "loose_tablets": {
+          "name": "loose_tablets",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 0
+        },
+        "stock_adjustment": {
+          "name": "stock_adjustment",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 0
+        },
+        "last_stock_correction_at": {
+          "name": "last_stock_correction_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "pill_weight_mg": {
+          "name": "pill_weight_mg",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "dose_unit": {
+          "name": "dose_unit",
+          "type": "text(20)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false,
+          "default": "'mg'"
+        },
+        "usage_json": {
+          "name": "usage_json",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'[]'"
+        },
+        "every_json": {
+          "name": "every_json",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'[]'"
+        },
+        "start_json": {
+          "name": "start_json",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'[]'"
+        },
+        "intakes_json": {
+          "name": "intakes_json",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'[]'"
+        },
+        "image_url": {
+          "name": "image_url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "expiry_date": {
+          "name": "expiry_date",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "notes": {
+          "name": "notes",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "intake_reminders_enabled": {
+          "name": "intake_reminders_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "dismissed_until": {
+          "name": "dismissed_until",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "medications_user_id_users_id_fk": {
+          "name": "medications_user_id_users_id_fk",
+          "tableFrom": "medications",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "refill_history": {
+      "name": "refill_history",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "medication_id": {
+          "name": "medication_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "packs_added": {
+          "name": "packs_added",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 0
+        },
+        "loose_pills_added": {
+          "name": "loose_pills_added",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 0
+        },
+        "refill_date": {
+          "name": "refill_date",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "(strftime('%s','now'))"
+        }
+      },
+      "indexes": {},
+      "foreignKeys": {
+        "refill_history_medication_id_medications_id_fk": {
+          "name": "refill_history_medication_id_medications_id_fk",
+          "tableFrom": "refill_history",
+          "tableTo": "medications",
+          "columnsFrom": [
+            "medication_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        },
+        "refill_history_user_id_users_id_fk": {
+          "name": "refill_history_user_id_users_id_fk",
+          "tableFrom": "refill_history",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "refresh_tokens": {
+      "name": "refresh_tokens",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "token_id": {
+          "name": "token_id",
+          "type": "text(255)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "rotated_at": {
+          "name": "rotated_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "revoked": {
+          "name": "revoked",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "refresh_tokens_token_id_unique": {
+          "name": "refresh_tokens_token_id_unique",
+          "columns": [
+            "token_id"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "refresh_tokens_user_id_users_id_fk": {
+          "name": "refresh_tokens_user_id_users_id_fk",
+          "tableFrom": "refresh_tokens",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "share_tokens": {
+      "name": "share_tokens",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "token": {
+          "name": "token",
+          "type": "text(64)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "taken_by": {
+          "name": "taken_by",
+          "type": "text(100)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "schedule_days": {
+          "name": "schedule_days",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 30
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "expires_at": {
+          "name": "expires_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        }
+      },
+      "indexes": {
+        "share_tokens_token_unique": {
+          "name": "share_tokens_token_unique",
+          "columns": [
+            "token"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "share_tokens_user_id_users_id_fk": {
+          "name": "share_tokens_user_id_users_id_fk",
+          "tableFrom": "share_tokens",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "user_settings": {
+      "name": "user_settings",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "user_id": {
+          "name": "user_id",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "email_enabled": {
+          "name": "email_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "notification_email": {
+          "name": "notification_email",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "email_stock_reminders": {
+          "name": "email_stock_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": true
+        },
+        "email_intake_reminders": {
+          "name": "email_intake_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": true
+        },
+        "shoutrrr_enabled": {
+          "name": "shoutrrr_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "shoutrrr_url": {
+          "name": "shoutrrr_url",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "shoutrrr_stock_reminders": {
+          "name": "shoutrrr_stock_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": true
+        },
+        "shoutrrr_intake_reminders": {
+          "name": "shoutrrr_intake_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": true
+        },
+        "reminder_days_before": {
+          "name": "reminder_days_before",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 7
+        },
+        "repeat_daily_reminders": {
+          "name": "repeat_daily_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "skip_reminders_for_taken_doses": {
+          "name": "skip_reminders_for_taken_doses",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "repeat_reminders_enabled": {
+          "name": "repeat_reminders_enabled",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": false
+        },
+        "reminder_repeat_interval_minutes": {
+          "name": "reminder_repeat_interval_minutes",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 30
+        },
+        "max_nagging_reminders": {
+          "name": "max_nagging_reminders",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 5
+        },
+        "low_stock_days": {
+          "name": "low_stock_days",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 30
+        },
+        "normal_stock_days": {
+          "name": "normal_stock_days",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 90
+        },
+        "high_stock_days": {
+          "name": "high_stock_days",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 180
+        },
+        "expiry_warning_days": {
+          "name": "expiry_warning_days",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": 90
+        },
+        "language": {
+          "name": "language",
+          "type": "text(10)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'en'"
+        },
+        "stock_calculation_mode": {
+          "name": "stock_calculation_mode",
+          "type": "text(20)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'automatic'"
+        },
+        "share_stock_status": {
+          "name": "share_stock_status",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": true
+        },
+        "last_auto_email_sent": {
+          "name": "last_auto_email_sent",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_notification_type": {
+          "name": "last_notification_type",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_notification_channel": {
+          "name": "last_notification_channel",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_reminder_med_name": {
+          "name": "last_reminder_med_name",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_reminder_taken_by": {
+          "name": "last_reminder_taken_by",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_stock_reminder_sent": {
+          "name": "last_stock_reminder_sent",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_stock_reminder_channel": {
+          "name": "last_stock_reminder_channel",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "last_stock_reminder_med_names": {
+          "name": "last_stock_reminder_med_names",
+          "type": "text",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "user_settings_user_id_unique": {
+          "name": "user_settings_user_id_unique",
+          "columns": [
+            "user_id"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {
+        "user_settings_user_id_users_id_fk": {
+          "name": "user_settings_user_id_users_id_fk",
+          "tableFrom": "user_settings",
+          "tableTo": "users",
+          "columnsFrom": [
+            "user_id"
+          ],
+          "columnsTo": [
+            "id"
+          ],
+          "onDelete": "cascade",
+          "onUpdate": "no action"
+        }
+      },
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    },
+    "users": {
+      "name": "users",
+      "columns": {
+        "id": {
+          "name": "id",
+          "type": "integer",
+          "primaryKey": true,
+          "notNull": true,
+          "autoincrement": true
+        },
+        "username": {
+          "name": "username",
+          "type": "text(100)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false
+        },
+        "password_hash": {
+          "name": "password_hash",
+          "type": "text(255)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "avatar_url": {
+          "name": "avatar_url",
+          "type": "text(255)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "auth_provider": {
+          "name": "auth_provider",
+          "type": "text(50)",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "'local'"
+        },
+        "oidc_subject": {
+          "name": "oidc_subject",
+          "type": "text(255)",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "is_active": {
+          "name": "is_active",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": true
+        },
+        "last_login_at": {
+          "name": "last_login_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": false,
+          "autoincrement": false
+        },
+        "created_at": {
+          "name": "created_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        },
+        "updated_at": {
+          "name": "updated_at",
+          "type": "integer",
+          "primaryKey": false,
+          "notNull": true,
+          "autoincrement": false,
+          "default": "CURRENT_TIMESTAMP"
+        }
+      },
+      "indexes": {
+        "users_username_unique": {
+          "name": "users_username_unique",
+          "columns": [
+            "username"
+          ],
+          "isUnique": true
+        }
+      },
+      "foreignKeys": {},
+      "compositePrimaryKeys": {},
+      "uniqueConstraints": {},
+      "checkConstraints": {}
+    }
+  },
+  "views": {},
+  "enums": {},
+  "_meta": {
+    "schemas": {},
+    "tables": {},
+    "columns": {}
+  },
+  "internal": {
+    "indexes": {}
+  }
+}
@@ -8,6 +8,97 @@
      "when": 1768600500759,
      "tag": "0000_init",
      "breakpoints": true
+    },
+    {
+      "idx": 1,
+      "version": "6",
+      "when": 1768734577830,
+      "tag": "0001_add_stock_adjustment",
+      "breakpoints": true
+    },
+    {
+      "idx": 2,
+      "version": "6",
+      "when": 1768736677092,
+      "tag": "0002_add_last_stock_correction_at",
+      "breakpoints": true
+    },
+    {
+      "idx": 3,
+      "version": "6",
+      "when": 1769354512857,
+      "tag": "0003_add_reminder_info_columns",
+      "breakpoints": true
+    },
+    {
+      "idx": 4,
+      "version": "6",
+      "when": 1769886564000,
+      "tag": "0004_add_package_type",
+      "breakpoints": true
+    },
+    {
+      "idx": 5,
+      "version": "6",
+      "when": 1769893708813,
+      "tag": "0005_add_intakes_json",
+      "breakpoints": true
+    },
+    {
+      "idx": 6,
+      "version": "6",
+      "when": 1770626907896,
+      "tag": "0006_add_stock_reminder_tracking",
+      "breakpoints": true
+    },
+    {
+      "idx": 7,
+      "version": "6",
+      "when": 1770659669121,
+      "tag": "0007_add_share_stock_status",
+      "breakpoints": true
+    },
+    {
+      "idx": 8,
+      "version": "6",
+      "when": 1771160400000,
+      "tag": "0008_add_obsolete_medications",
+      "breakpoints": true
+    },
+    {
+      "idx": 9,
+      "version": "6",
+      "when": 1771164000000,
+      "tag": "0009_add_medication_start_date",
+      "breakpoints": true
+    },
+    {
+      "idx": 10,
+      "version": "6",
+      "when": 1771694832866,
+      "tag": "0010_add_dose_tracking_taken_source",
+      "breakpoints": true
+    },
+    {
+      "idx": 11,
+      "version": "6",
+      "when": 1772219947541,
+      "tag": "0011_add_medication_form_lifecycle_columns",
+      "breakpoints": true
+    },
+    {
+      "idx": 12,
+      "version": "6",
+      "when": 1772881208026,
+      "tag": "0012_add_api_keys_and_package_amount_columns",
+      "breakpoints": true
+    },
+    {
+      "idx": 13,
+      "version": "6",
+      "when": 1773348659979,
+      "tag": "0013_add_share_medication_overview",
+      "breakpoints": true
    }
  ]
 }
@@ -1,6 +1,6 @@
 {
  "name": "medassist-ng-backend",
-  "version": "1.1.0",
+  "version": "1.20.1",
  "private": true,
  "type": "module",
  "scripts": {
@@ -10,33 +10,42 @@
    "migrate": "tsx src/db/migrate.ts",
    "test": "vitest",
    "test:run": "vitest run",
-    "test:coverage": "vitest run --coverage"
+    "test:coverage": "vitest run --coverage",
+    "lint": "npx biome check .",
+    "lint:fix": "npx biome check --write .",
+    "format": "npx biome format --write .",
+    "check": "npx biome check . && tsc --noEmit"
  },
  "dependencies": {
-    "@fastify/cookie": "^10.0.1",
-    "@fastify/cors": "^10.0.1",
+    "@fastify/cookie": "^11.0.2",
+    "@fastify/cors": "^11.2.0",
    "@fastify/helmet": "^13.0.2",
    "@fastify/jwt": "^10.0.0",
-    "@fastify/multipart": "^9.3.0",
+    "@fastify/multipart": "^9.4.0",
    "@fastify/rate-limit": "^10.3.0",
    "@fastify/sensible": "^6.0.4",
-    "@fastify/static": "^8.3.0",
-    "@libsql/client": "^0.10.0",
-    "argon2": "^0.40.0",
-    "dotenv": "^16.4.5",
+    "@fastify/static": "^9.0.0",
+    "@fastify/swagger": "^9.7.0",
+    "@fastify/swagger-ui": "^5.2.5",
+    "@libsql/client": "^0.17.0",
+    "argon2": "^0.44.0",
+    "dotenv": "^17.3.1",
    "drizzle-orm": "^0.45.1",
-    "fastify": "^5.0.0",
-    "nodemailer": "^7.0.11",
-    "openid-client": "^6.8.1",
+    "fastify": "^5.8.2",
+    "nodemailer": "^8.0.1",
+    "openid-client": "^6.8.2",
+    "sharp": "^0.34.5",
    "zod": "^3.23.8"
  },
  "devDependencies": {
-    "@types/node": "^22.7.4",
-    "@types/nodemailer": "^6.4.21",
-    "@types/supertest": "^6.0.2",
-    "@vitest/coverage-v8": "^4.0.16",
-    "drizzle-kit": "^0.31.8",
-    "supertest": "^7.0.0",
+    "@biomejs/biome": "^2.4.6",
+    "@types/node": "^25.3.5",
+    "@types/nodemailer": "^7.0.11",
+    "@types/supertest": "^7.2.0",
+    "@vitest/coverage-v8": "^4.0.18",
+    "drizzle-kit": "^0.31.9",
+    "pino-pretty": "^13.1.3",
+    "supertest": "^7.2.2",
    "tsx": "^4.19.0",
    "typescript": "^5.5.4",
    "vitest": "^4.0.16"
@@ -1,114 +1,35 @@
-import { createClient, Client } from "@libsql/client";
-import { drizzle } from "drizzle-orm/libsql";
-import { migrate } from "drizzle-orm/libsql/migrator";
-import { existsSync, mkdirSync, accessSync, constants, statSync, writeFileSync } from "fs";
-import { resolve, dirname } from "path";
-import { fileURLToPath } from "url";
+import { existsSync, statSync } from "node:fs";
+import { type Client, createClient } from "@libsql/client";
 import dotenv from "dotenv";
+import { drizzle } from "drizzle-orm/libsql";
+import { log } from "../utils/logger.js";
+// Import utilities from db-utils (side-effect-free)
+import {
+	ensureDataDirectory,
+	ensureDefaultUser,
+	getDbPaths,
+	repairOrphanedDoseIds,
+	repairTrailingHyphenDoseIds,
+	runAlterMigrations,
+	runDrizzleMigrations,
+} from "./db-utils.js";

-dotenv.config({ path: process.env.DOTENV_PATH || ".env" });
+// Re-export all utilities so existing imports from client.ts keep working
+export {
+	buildDbUrl,
+	ensureDataDirectory,
+	ensureDefaultUser,
+	getDataDir,
+	getDbPaths,
+	repairOrphanedDoseIds,
+	repairTrailingHyphenDoseIds,
+	runAlterMigrations,
+	runDrizzleMigrations,
+} from "./db-utils.js";

-// Get migrations folder path (relative to this file's location)
-const __filename = fileURLToPath(import.meta.url);
-const __dirname = dirname(__filename);
-const migrationsFolder = resolve(__dirname, "../../drizzle");
-
-// =============================================================================
-// Exported utility functions for testing
-// =============================================================================
-
-/** Build the database URL from a path */
-export function buildDbUrl(dbPath: string): string {
-  return `file:${dbPath}`;
-}
-
-/** Get data directory and database path */
-export function getDbPaths(cwd: string = process.cwd()): { dataDir: string; dbPath: string; url: string } {
-  const dataDir = resolve(cwd, "data");
-  const dbPath = resolve(dataDir, "medassist-ng.db");
-  const url = buildDbUrl(dbPath);
-  return { dataDir, dbPath, url };
-}
-
-/** Ensure data directory exists and is writable */
-export function ensureDataDirectory(dataDir: string): { success: boolean; error?: string } {
-  try {
-    if (!existsSync(dataDir)) {
-      mkdirSync(dataDir, { recursive: true });
-    }
-    
-    // Check if directory is writable
-    accessSync(dataDir, constants.W_OK);
-    
-    // Try to create a test file to verify write access
-    const testFile = resolve(dataDir, ".write-test");
-    writeFileSync(testFile, "test");
-    
-    return { success: true };
-  } catch (err: any) {
-    return { success: false, error: err.message };
-  }
-}
-
-/** Run drizzle-kit migrations on the database */
-export async function runDrizzleMigrations(database: ReturnType<typeof drizzle>): Promise<{ success: boolean; error?: string }> {
-  try {
-    await migrate(database, { migrationsFolder });
-    return { success: true };
-  } catch (err: any) {
-    return { success: false, error: err.message };
-  }
-}
-
-/** Run ALTER TABLE migrations for backward compatibility with older databases */
-export async function runAlterMigrations(client: Client): Promise<{ success: boolean; errors: string[] }> {
-  const errors: string[] = [];
-
-  // These add new columns to existing tables (silently fail if column already exists)
-  const alterMigrations = [
-    // Added in v1.x - repeat reminders and nagging settings
-    `ALTER TABLE user_settings ADD COLUMN skip_reminders_for_taken_doses integer NOT NULL DEFAULT 0`,
-    `ALTER TABLE user_settings ADD COLUMN repeat_reminders_enabled integer NOT NULL DEFAULT 0`,
-    `ALTER TABLE user_settings ADD COLUMN reminder_repeat_interval_minutes integer NOT NULL DEFAULT 30`,
-    `ALTER TABLE user_settings ADD COLUMN max_nagging_reminders integer NOT NULL DEFAULT 5`,
-    // Added in v1.2.3 - dismiss missed doses without deducting stock
-    `ALTER TABLE dose_tracking ADD COLUMN dismissed integer NOT NULL DEFAULT 0`,
-  ];
-
-  for (const sql of alterMigrations) {
-    try {
-      await client.execute(sql);
-    } catch (e: any) {
-      // Silently ignore "duplicate column" errors - column already exists
-      if (!e.message?.includes("duplicate column")) {
-        errors.push(e.message);
-      }
-    }
-  }
-
-  return { success: errors.length === 0, errors };
-}
-
-/** Ensure default user exists for auth-disabled mode */
-export async function ensureDefaultUser(client: Client, authEnabled: boolean): Promise<boolean> {
-  if (authEnabled) {
-    return false; // No default user needed
-  }
-
-  try {
-    const result = await client.execute("SELECT id FROM users WHERE id = 1");
-    if (result.rows.length === 0) {
-      await client.execute(
-        "INSERT INTO users (id, username, auth_provider) VALUES (1, 'default', 'local')"
-      );
-      return true; // Created
-    }
-    return false; // Already exists
-  } catch (e: any) {
-    console.error(`[DB] Error creating default user:`, e.message);
-    return false;
-  }
-}
+// Load .env: try cwd first, then parent dir (for local dev running from backend/)
+const envPath = process.env.DOTENV_PATH || (existsSync(".env") ? ".env" : "../.env");
+dotenv.config({ path: envPath });

 // =============================================================================
 // Database initialization (runs on import)
@@ -117,63 +38,79 @@ export async function ensureDefaultUser(client: Client, authEnabled: boolean): P
 // Use absolute path to ensure it works in Docker
 const { dataDir, dbPath, url } = getDbPaths();

-console.log(`[DB] Data directory: ${dataDir}`);
-console.log(`[DB] Database path: ${dbPath}`);
-console.log(`[DB] Database URL: ${url}`);
+log.debug(`[DB] Data directory: ${dataDir}`);
+log.debug(`[DB] Database path: ${dbPath}`);
+log.debug(`[DB] Database URL: ${url}`);

 // Ensure data directory exists and is writable
 const dirResult = ensureDataDirectory(dataDir);
 if (!dirResult.success) {
-  console.error(`[DB] ERROR: Cannot access data directory: ${dirResult.error}`);
-  console.error(`[DB] Please ensure the volume mount has correct permissions.`);
-  console.error(`[DB] Try running on host: sudo chown -R 1000:1000 ${dataDir}`);
-  process.exit(1);
+	log.error(`[DB] ERROR: Cannot access data directory: ${dirResult.error}`);
+	log.error(`[DB] Please ensure the volume mount has correct permissions.`);
+	log.error(`[DB] Try running on host: sudo chown -R 1000:1000 ${dataDir}`);
+	process.exit(1);
 } else {
-  console.log(`[DB] Data directory is writable`);
-  
-  // Log directory stats
-  const stats = statSync(dataDir);
-  console.log(`[DB] Directory permissions: ${stats.mode.toString(8)}`);
-  console.log(`[DB] Directory UID: ${stats.uid}, GID: ${stats.gid}`);
-  console.log(`[DB] Write test successful`);
+	log.debug(`[DB] Data directory is writable`);
+
+	// Log directory stats
+	const stats = statSync(dataDir);
+	log.debug(`[DB] Directory permissions: ${stats.mode.toString(8)}`);
+	log.debug(`[DB] Directory UID: ${stats.uid}, GID: ${stats.gid}`);
+	log.debug(`[DB] Write test successful`);
 }

 let client: Client;
 try {
-  client = createClient({ url });
-  console.log(`[DB] Database client created successfully`);
-} catch (err: any) {
-  console.error(`[DB] ERROR: Failed to create database client: ${err.message}`);
-  console.error(`[DB] Database path: ${dbPath}`);
-  process.exit(1);
+	client = createClient({ url });
+	log.debug(`[DB] Database client created successfully`);
+} catch (err: unknown) {
+	log.error(`[DB] ERROR: Failed to create database client: ${(err as Error).message}`);
+	log.error(`[DB] Database path: ${dbPath}`);
+	process.exit(1);
 }

 export const db = drizzle(client);

 // Auto-run migrations (self-healing database)
 async function runMigrations() {
-  // Run drizzle-kit generated migrations
-  console.log(`[DB] Running drizzle migrations from: ${migrationsFolder}`);
-  const migrateResult = await runDrizzleMigrations(db);
-  if (!migrateResult.success) {
-    console.error(`[DB] Migration error:`, migrateResult.error);
-  } else {
-    console.log(`[DB] Drizzle migrations completed`);
-  }
+	// Run drizzle-kit generated migrations
+	log.info(`[DB] Running migrations...`);
+	const migrateResult = await runDrizzleMigrations(db);
+	if (!migrateResult.success) {
+		log.error(`[DB] Migration error: ${migrateResult.error}`);
+	}

-  // Run ALTER TABLE migrations for backward compatibility
-  const alterResult = await runAlterMigrations(client);
-  if (alterResult.errors.length > 0) {
-    alterResult.errors.forEach(err => console.error(`[DB] ALTER migration error:`, err));
-  }
-  console.log(`[DB] Tables verified/created`);
+	// Run ALTER TABLE migrations for backward compatibility
+	const alterResult = await runAlterMigrations(client);
+	if (alterResult.errors.length > 0) {
+		alterResult.errors.forEach((err) => log.error(`[DB] ALTER migration error: ${err}`));
+	}
+	log.debug(`[DB] Tables verified/created`);

-  // If auth is disabled, ensure a default user exists (ID=1)
-  const authEnabled = process.env.AUTH_ENABLED === "true";
-  const created = await ensureDefaultUser(client, authEnabled);
-  if (created) {
-    console.log(`[DB] Created default user for auth-disabled mode`);
-  }
+	// Repair dose IDs with trailing hyphens (from frontend takenBy bug)
+	const trailingResult = await repairTrailingHyphenDoseIds(client);
+	if (trailingResult.repaired > 0) {
+		log.info(`[DB] Repaired ${trailingResult.repaired} dose IDs with trailing hyphens`);
+	}
+	if (trailingResult.errors.length > 0) {
+		trailingResult.errors.forEach((err) => log.error(`[DB] Trailing-hyphen repair error: ${err}`));
+	}
+
+	// Repair orphaned dose tracking IDs from past schedule changes
+	const repairResult = await repairOrphanedDoseIds(client);
+	if (repairResult.repaired > 0) {
+		log.info(`[DB] Repaired ${repairResult.repaired} orphaned dose tracking IDs`);
+	}
+	if (repairResult.errors.length > 0) {
+		repairResult.errors.forEach((err) => log.error(`[DB] Dose repair error: ${err}`));
+	}
+
+	// If auth is disabled, ensure a default user exists (ID=1)
+	const authEnabled = process.env.AUTH_ENABLED === "true";
+	const created = await ensureDefaultUser(client, authEnabled);
+	if (created) {
+		log.info(`[DB] Created default user for auth-disabled mode`);
+	}
 }

 // Export promise so server can await it before starting
@@ -0,0 +1,425 @@
+/**
+ * Pure utility functions for database operations.
+ * Separated from client.ts to allow importing without triggering
+ * top-level database initialization side effects.
+ */
+
+import { accessSync, constants, existsSync, mkdirSync, writeFileSync } from "node:fs";
+import { dirname, resolve } from "node:path";
+import { fileURLToPath } from "node:url";
+import type { Client } from "@libsql/client";
+import type { drizzle } from "drizzle-orm/libsql";
+import { migrate } from "drizzle-orm/libsql/migrator";
+import { parseIntakesJson, parseLocalDateTime } from "../utils/scheduler-utils.js";
+
+// Get migrations folder path (relative to this file's location)
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);
+const migrationsFolder = resolve(__dirname, "../../drizzle");
+
+// =============================================================================
+// Path & Directory utilities
+// =============================================================================
+
+/**
+ * Get the data directory path.
+ *
+ * Resolution order:
+ * 1. DATA_DIR env var (set by docker-compose for containers)
+ * 2. Monorepo detection: if ../docker-compose.yml exists, we're in backend/
+ *    subdirectory → use ../data (project root's data folder)
+ * 3. Fallback: resolve(cwd, "data") (running from project root or standalone)
+ */
+export function getDataDir(cwd: string = process.cwd()): string {
+	// Docker containers set DATA_DIR explicitly
+	if (process.env.DATA_DIR) return resolve(process.env.DATA_DIR);
+
+	// Local dev: detect if we're in backend/ subdirectory of the monorepo
+	if (existsSync(resolve(cwd, "..", "docker-compose.yml"))) {
+		return resolve(cwd, "..", "data");
+	}
+
+	// Default: data/ relative to cwd (running from project root)
+	return resolve(cwd, "data");
+}
+
+/** Build the database URL from a path */
+export function buildDbUrl(dbPath: string): string {
+	return `file:${dbPath}`;
+}
+
+/** Get data directory and database path */
+export function getDbPaths(cwd: string = process.cwd()): { dataDir: string; dbPath: string; url: string } {
+	const dataDir = getDataDir(cwd);
+	const dbPath = resolve(dataDir, "medassist-ng.db");
+	const url = buildDbUrl(dbPath);
+	return { dataDir, dbPath, url };
+}
+
+/** Ensure data directory exists and is writable */
+export function ensureDataDirectory(dataDir: string): { success: boolean; error?: string } {
+	try {
+		if (!existsSync(dataDir)) {
+			mkdirSync(dataDir, { recursive: true });
+		}
+
+		// Check if directory is writable
+		accessSync(dataDir, constants.W_OK);
+
+		// Try to create a test file to verify write access
+		const testFile = resolve(dataDir, ".write-test");
+		writeFileSync(testFile, "test");
+
+		return { success: true };
+	} catch (err: unknown) {
+		return { success: false, error: (err as Error).message };
+	}
+}
+
+// =============================================================================
+// Migration utilities
+// =============================================================================
+
+/** Run drizzle-kit migrations on the database */
+export async function runDrizzleMigrations(
+	database: ReturnType<typeof drizzle>
+): Promise<{ success: boolean; error?: string; warning?: string }> {
+	try {
+		await migrate(database, { migrationsFolder });
+		return { success: true };
+	} catch (err: unknown) {
+		const msg = (err as Error).message ?? "";
+		// Duplicate column / already exists = DB is already up-to-date (expected for existing DBs)
+		if (msg.includes("duplicate column") || msg.includes("already exists")) {
+			return { success: true };
+		}
+		return { success: false, error: msg };
+	}
+}
+
+/** Run ALTER TABLE migrations for backward compatibility with older databases */
+export async function runAlterMigrations(client: Client): Promise<{ success: boolean; errors: string[] }> {
+	const errors: string[] = [];
+
+	// These add new columns to existing tables (silently fail if column already exists)
+	const alterMigrations = [
+		// Added in v1.x - repeat reminders and nagging settings
+		`ALTER TABLE user_settings ADD COLUMN skip_reminders_for_taken_doses integer NOT NULL DEFAULT 0`,
+		`ALTER TABLE user_settings ADD COLUMN repeat_reminders_enabled integer NOT NULL DEFAULT 0`,
+		`ALTER TABLE user_settings ADD COLUMN reminder_repeat_interval_minutes integer NOT NULL DEFAULT 30`,
+		`ALTER TABLE user_settings ADD COLUMN max_nagging_reminders integer NOT NULL DEFAULT 5`,
+		// Added in v1.2.3 - dismiss missed doses without deducting stock
+		`ALTER TABLE dose_tracking ADD COLUMN dismissed integer NOT NULL DEFAULT 0`,
+		// Added for intake automation auditability (manual vs automatic taken)
+		`ALTER TABLE dose_tracking ADD COLUMN taken_source text NOT NULL DEFAULT 'manual'`,
+		// Added in v1.3.x - stock calculation mode (automatic/manual)
+		`ALTER TABLE user_settings ADD COLUMN stock_calculation_mode text NOT NULL DEFAULT 'automatic'`,
+		// Added for stock correction - hidden offset that doesn't affect looseTablets
+		`ALTER TABLE medications ADD COLUMN stock_adjustment integer NOT NULL DEFAULT 0`,
+		// Added for stock correction - timestamp to ignore consumed doses before correction
+		`ALTER TABLE medications ADD COLUMN last_stock_correction_at integer`,
+		// Added in v1.5.1 - dismiss past doses until date (robust against timestamp changes)
+		`ALTER TABLE medications ADD COLUMN dismissed_until text`,
+		// Added for soft-archiving medications (without deleting history)
+		`ALTER TABLE medications ADD COLUMN is_obsolete integer NOT NULL DEFAULT 0`,
+		`ALTER TABLE medications ADD COLUMN obsolete_at integer`,
+		// Added for explicit medication lifecycle start date
+		`ALTER TABLE medications ADD COLUMN medication_start_date text NOT NULL DEFAULT ''`,
+		// Added for form/lifecycle modeling (V1 medication forms)
+		`ALTER TABLE medications ADD COLUMN medication_form text NOT NULL DEFAULT 'tablet'`,
+		`ALTER TABLE medications ADD COLUMN pill_form text`,
+		`ALTER TABLE medications ADD COLUMN lifecycle_category text NOT NULL DEFAULT 'refill_when_empty'`,
+		`ALTER TABLE medications ADD COLUMN medication_end_date text`,
+		`ALTER TABLE medications ADD COLUMN auto_mark_obsolete_after_end_date integer NOT NULL DEFAULT 1`,
+		`ALTER TABLE medications ADD COLUMN package_amount_value integer NOT NULL DEFAULT 0`,
+		`ALTER TABLE medications ADD COLUMN package_amount_unit text NOT NULL DEFAULT 'ml'`,
+		// Added for more detailed reminder info display
+		`ALTER TABLE user_settings ADD COLUMN last_reminder_med_name text`,
+		`ALTER TABLE user_settings ADD COLUMN last_reminder_taken_by text`,
+		// Added for package type support (blister vs bottle)
+		`ALTER TABLE medications ADD COLUMN package_type text NOT NULL DEFAULT 'blister'`,
+		`ALTER TABLE medications ADD COLUMN total_pills integer`,
+		// Added for dose unit selection (mg, g, mcg, ml, IU, etc.)
+		`ALTER TABLE medications ADD COLUMN dose_unit text DEFAULT 'mg'`,
+		// Added for intake-level takenBy: unified intakes structure
+		`ALTER TABLE medications ADD COLUMN intakes_json text NOT NULL DEFAULT '[]'`,
+		// Added for separate stock reminder tracking
+		`ALTER TABLE user_settings ADD COLUMN last_stock_reminder_sent text`,
+		`ALTER TABLE user_settings ADD COLUMN last_stock_reminder_channel text`,
+		`ALTER TABLE user_settings ADD COLUMN last_stock_reminder_med_names text`,
+		// Added for share stock visibility toggle
+		`ALTER TABLE user_settings ADD COLUMN share_stock_status integer NOT NULL DEFAULT 1`,
+		// Added for integrated share overview visibility on shared links
+		`ALTER TABLE user_settings ADD COLUMN share_medication_overview integer NOT NULL DEFAULT 0`,
+		// Added for timeline visibility toggles (dashboard + shared schedule)
+		`ALTER TABLE user_settings ADD COLUMN upcoming_today_only integer NOT NULL DEFAULT 0`,
+		`ALTER TABLE user_settings ADD COLUMN share_schedule_today_only integer NOT NULL DEFAULT 0`,
+		`ALTER TABLE user_settings ADD COLUMN swap_dashboard_main_sections integer NOT NULL DEFAULT 0`,
+		// Added for prescription refill tracking and reminders
+		`ALTER TABLE medications ADD COLUMN prescription_enabled integer NOT NULL DEFAULT 0`,
+		`ALTER TABLE medications ADD COLUMN prescription_authorized_refills integer`,
+		`ALTER TABLE medications ADD COLUMN prescription_remaining_refills integer`,
+		`ALTER TABLE medications ADD COLUMN prescription_low_refill_threshold integer NOT NULL DEFAULT 1`,
+		`ALTER TABLE medications ADD COLUMN prescription_expiry_date text`,
+		`ALTER TABLE user_settings ADD COLUMN email_prescription_reminders integer NOT NULL DEFAULT 1`,
+		`ALTER TABLE user_settings ADD COLUMN shoutrrr_prescription_reminders integer NOT NULL DEFAULT 1`,
+		`ALTER TABLE user_settings ADD COLUMN last_prescription_reminder_sent text`,
+		`ALTER TABLE user_settings ADD COLUMN last_prescription_reminder_channel text`,
+		`ALTER TABLE user_settings ADD COLUMN last_prescription_reminder_med_names text`,
+		// Added for refill history prescription tracking
+		`ALTER TABLE refill_history ADD COLUMN used_prescription integer NOT NULL DEFAULT 0`,
+	];
+
+	for (const sql of alterMigrations) {
+		try {
+			await client.execute(sql);
+		} catch (e: unknown) {
+			// Silently ignore "duplicate column" errors - column already exists
+			if (!(e as Error).message?.includes("duplicate column")) {
+				errors.push((e as Error).message);
+			}
+		}
+	}
+
+	// Create tables that might be missing (silently fail if already exists)
+	const createTableMigrations = [
+		// Added in v1.3.x - refill history tracking
+		`CREATE TABLE IF NOT EXISTS refill_history (
+      id INTEGER PRIMARY KEY AUTOINCREMENT,
+      medication_id INTEGER NOT NULL REFERENCES medications(id) ON DELETE CASCADE,
+      user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+      packs_added INTEGER NOT NULL DEFAULT 0,
+      loose_pills_added INTEGER NOT NULL DEFAULT 0,
+      refill_date INTEGER NOT NULL DEFAULT (strftime('%s','now'))
+	    )`,
+		// Added in v1.20.x - API key authentication for programmatic access
+		`CREATE TABLE IF NOT EXISTS api_keys (
+			id INTEGER PRIMARY KEY AUTOINCREMENT,
+			user_id INTEGER NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+			name TEXT NOT NULL,
+			key_hash TEXT NOT NULL UNIQUE,
+			token_prefix TEXT NOT NULL DEFAULT '',
+			scope TEXT NOT NULL DEFAULT 'write',
+			is_active INTEGER NOT NULL DEFAULT 1,
+			last_used_at INTEGER,
+			expires_at INTEGER,
+			created_at INTEGER NOT NULL DEFAULT (strftime('%s','now')),
+			updated_at INTEGER NOT NULL DEFAULT (strftime('%s','now'))
+		)`,
+	];
+
+	for (const sql of createTableMigrations) {
+		try {
+			await client.execute(sql);
+		} catch (e: unknown) {
+			// Silently ignore "table already exists" errors
+			if (!(e as Error).message?.includes("already exists")) {
+				errors.push((e as Error).message);
+			}
+		}
+	}
+
+	// Create indexes that might be missing (silently fail if already exists)
+	const createIndexMigrations = [
+		// Added in v1.6.x - case-insensitive unique usernames
+		`CREATE UNIQUE INDEX IF NOT EXISTS users_username_lower_unique ON users(lower(username))`,
+		// Added in v1.20.x - fast API key lookup and ownership filtering
+		`CREATE UNIQUE INDEX IF NOT EXISTS api_keys_key_hash_unique ON api_keys(key_hash)`,
+		`CREATE INDEX IF NOT EXISTS api_keys_user_id_idx ON api_keys(user_id)`,
+	];
+
+	for (const sql of createIndexMigrations) {
+		try {
+			await client.execute(sql);
+		} catch (e: unknown) {
+			// Silently ignore "already exists" errors
+			if (!(e as Error).message?.includes("already exists")) {
+				errors.push((e as Error).message);
+			}
+		}
+	}
+
+	return { success: errors.length === 0, errors };
+}
+
+// =============================================================================
+// User utilities
+// =============================================================================
+
+/** Ensure default user exists for auth-disabled mode */
+export async function ensureDefaultUser(client: Client, authEnabled: boolean): Promise<boolean> {
+	if (authEnabled) {
+		return false; // No default user needed
+	}
+
+	try {
+		const result = await client.execute("SELECT id FROM users WHERE id = 1");
+		if (result.rows.length === 0) {
+			await client.execute("INSERT INTO users (id, username, auth_provider) VALUES (1, 'default', 'local')");
+			return true; // Created
+		}
+		return false; // Already exists
+	} catch (e: unknown) {
+		console.error(`[DB] Error creating default user:`, (e as Error).message);
+		return false;
+	}
+}
+
+// =============================================================================
+// Startup repair: fix orphaned dose tracking IDs from past schedule changes
+// =============================================================================
+
+const MS_PER_DAY = 86_400_000;
+
+/**
+ * Repair dose IDs that have a trailing hyphen caused by a frontend bug where
+ * `[].toString()` produced an empty string, resulting in IDs like "5-0-1729123200000-"
+ * instead of "5-0-1729123200000". This strips trailing hyphens from all dose IDs.
+ *
+ * This function is idempotent - safe to run on every startup.
+ */
+export async function repairTrailingHyphenDoseIds(client: Client): Promise<{ repaired: number; errors: string[] }> {
+	const errors: string[] = [];
+	let repaired = 0;
+
+	try {
+		const result = await client.execute(
+			"UPDATE dose_tracking SET dose_id = RTRIM(dose_id, '-') WHERE dose_id LIKE '%-'"
+		);
+		repaired = result.rowsAffected;
+	} catch (e: unknown) {
+		errors.push(`Trailing-hyphen repair failed: ${(e as Error).message}`);
+	}
+
+	return { repaired, errors };
+}
+
+/**
+ * Repair orphaned dose tracking IDs that no longer match the current intake schedule.
+ * This fixes dose IDs that became invalid when a medication's schedule was changed
+ * BEFORE the on-edit migration (PR #103) was introduced.
+ *
+ * For each medication, generates all valid schedule dateOnlyMs values from each intake's
+ * start date up to today, then checks all dose_tracking entries. Any dose whose timestamp
+ * doesn't match a valid schedule date is remapped to the nearest valid date.
+ *
+ * This function is idempotent - safe to run on every startup.
+ */
+export async function repairOrphanedDoseIds(client: Client): Promise<{ repaired: number; errors: string[] }> {
+	const errors: string[] = [];
+	let repaired = 0;
+
+	try {
+		// Get all medications
+		const medsResult = await client.execute(
+			"SELECT id, intakes_json, usage_json, every_json, start_json, intake_reminders_enabled FROM medications"
+		);
+
+		if (medsResult.rows.length === 0) return { repaired, errors };
+
+		// Get all dose tracking entries
+		const dosesResult = await client.execute("SELECT id, dose_id FROM dose_tracking");
+		if (dosesResult.rows.length === 0) return { repaired, errors };
+
+		// Build a map of medId → dose entries for quick lookup
+		const dosesByMed = new Map<number, Array<{ id: number; doseId: string }>>();
+		for (const row of dosesResult.rows) {
+			const doseId = row.dose_id as string;
+			const parts = doseId.split("-");
+			if (parts.length < 3) continue;
+			const medId = parseInt(parts[0], 10);
+			if (Number.isNaN(medId)) continue;
+			if (!dosesByMed.has(medId)) dosesByMed.set(medId, []);
+			dosesByMed.get(medId)!.push({ id: row.id as number, doseId });
+		}
+
+		const now = new Date();
+		const today = new Date(now.getFullYear(), now.getMonth(), now.getDate());
+
+		for (const med of medsResult.rows) {
+			const medId = med.id as number;
+			const medDoses = dosesByMed.get(medId);
+			if (!medDoses || medDoses.length === 0) continue;
+
+			// Parse intakes
+			const intakes = parseIntakesJson(
+				med.intakes_json as string | null,
+				{
+					usageJson: (med.usage_json as string) || "[]",
+					everyJson: (med.every_json as string) || "[]",
+					startJson: (med.start_json as string) || "[]",
+				},
+				(med.intake_reminders_enabled as number) === 1
+			);
+
+			if (intakes.length === 0) continue;
+
+			// For each intake index, build the set of valid dateOnlyMs values
+			const validDatesByIntake = new Map<number, Set<number>>();
+			for (let idx = 0; idx < intakes.length; idx++) {
+				const intake = intakes[idx];
+				const start = parseLocalDateTime(intake.start);
+				const every = intake.every;
+				if (every <= 0 || Number.isNaN(start.getTime())) continue;
+
+				const validDates = new Set<number>();
+				for (let d = new Date(start); d <= today; d.setDate(d.getDate() + every)) {
+					validDates.add(new Date(d.getFullYear(), d.getMonth(), d.getDate()).getTime());
+				}
+				validDatesByIntake.set(idx, validDates);
+			}
+
+			// Check each dose entry
+			for (const dose of medDoses) {
+				const parts = dose.doseId.split("-");
+				if (parts.length < 3) continue;
+
+				const intakeIdx = parseInt(parts[1], 10);
+				const dateOnlyMs = parseInt(parts[2], 10);
+				if (Number.isNaN(intakeIdx) || Number.isNaN(dateOnlyMs)) continue;
+
+				const validDates = validDatesByIntake.get(intakeIdx);
+				if (!validDates) continue; // Unknown intake index - skip
+
+				// Check if this dose's timestamp is valid
+				if (validDates.has(dateOnlyMs)) continue; // Already valid - nothing to do
+
+				// Orphaned dose - find the nearest valid schedule date
+				const intake = intakes[intakeIdx];
+				if (!intake) continue;
+
+				const halfInterval = (intake.every * MS_PER_DAY) / 2;
+				let bestMatch: number | null = null;
+				let bestDist = Infinity;
+
+				for (const validDate of validDates) {
+					const dist = Math.abs(validDate - dateOnlyMs);
+					if (dist < bestDist && dist <= halfInterval) {
+						bestDist = dist;
+						bestMatch = validDate;
+					}
+				}
+
+				if (bestMatch !== null) {
+					// Rebuild dose ID with new timestamp, preserving person suffix
+					const personSuffix = parts.length > 3 ? `-${parts.slice(3).join("-")}` : "";
+					const newDoseId = `${medId}-${intakeIdx}-${bestMatch}${personSuffix}`;
+
+					try {
+						await client.execute({
+							sql: "UPDATE dose_tracking SET dose_id = ? WHERE id = ?",
+							args: [newDoseId, dose.id],
+						});
+						repaired++;
+					} catch (e: unknown) {
+						errors.push(`Failed to repair dose ${dose.id}: ${(e as Error).message}`);
+					}
+				}
+			}
+		}
+	} catch (e: unknown) {
+		errors.push(`Repair failed: ${(e as Error).message}`);
+	}
+
+	return { repaired, errors };
+}
@@ -1,11 +1,14 @@
-import { createClient, Client } from "@libsql/client";
+import { existsSync } from "node:fs";
+import { dirname, resolve } from "node:path";
+import { fileURLToPath } from "node:url";
+import { type Client, createClient } from "@libsql/client";
+import dotenv from "dotenv";
 import { drizzle } from "drizzle-orm/libsql";
 import { migrate } from "drizzle-orm/libsql/migrator";
-import dotenv from "dotenv";
-import { resolve, dirname } from "path";
-import { fileURLToPath } from "url";

-dotenv.config({ path: process.env.DOTENV_PATH || ".env" });
+// Load .env: try cwd first, then parent dir (for local dev running from backend/)
+const envPath = process.env.DOTENV_PATH || (existsSync(".env") ? ".env" : "../.env");
+dotenv.config({ path: envPath });

 // Get migrations folder path (relative to this file's location)
 const __filename = fileURLToPath(import.meta.url);
@@ -18,37 +21,39 @@ const migrationsFolder = resolve(__dirname, "../../drizzle");

 /** Split SQL string into individual statements (for backwards compatibility with tests) */
 export function splitSQLStatements(sql: string): string[] {
-  return sql.split(';').filter(s => s.trim().length > 0);
+	return sql.split(";").filter((s) => s.trim().length > 0);
 }

 /** Execute drizzle migrations on a database */
-export async function executeMigration(client: Client): Promise<{ success: boolean; executed: number; errors: string[] }> {
-  const errors: string[] = [];
-  const db = drizzle(client);
+export async function executeMigration(
+	client: Client
+): Promise<{ success: boolean; executed: number; errors: string[] }> {
+	const errors: string[] = [];
+	const db = drizzle(client);

-  try {
-    await migrate(db, { migrationsFolder });
-    
-    // Count tables as a proxy for "executed" statements
-    const tables = await client.execute(
-      "SELECT COUNT(*) as count FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%' AND name NOT LIKE '__drizzle%'"
-    );
-    const executed = Number(tables.rows[0].count) || 0;
-    
-    return { success: true, executed, errors };
-  } catch (err: any) {
-    errors.push(err.message);
-    return { success: false, executed: 0, errors };
-  }
+	try {
+		await migrate(db, { migrationsFolder });
+
+		// Count tables as a proxy for "executed" statements
+		const tables = await client.execute(
+			"SELECT COUNT(*) as count FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%' AND name NOT LIKE '__drizzle%'"
+		);
+		const executed = Number(tables.rows[0].count) || 0;
+
+		return { success: true, executed, errors };
+	} catch (err: unknown) {
+		errors.push((err as Error).message);
+		return { success: false, executed: 0, errors };
+	}
 }

 /** Get a preview of statement (first N characters) */
 export function getStatementPreview(stmt: string, maxLength: number = 50): string {
-  const trimmed = stmt.trim();
-  if (trimmed.length <= maxLength) {
-    return trimmed;
-  }
-  return trimmed.substring(0, maxLength) + "...";
+	const trimmed = stmt.trim();
+	if (trimmed.length <= maxLength) {
+		return trimmed;
+	}
+	return `${trimmed.substring(0, maxLength)}...`;
 }

 // =============================================================================
@@ -58,25 +63,25 @@ export function getStatementPreview(stmt: string, maxLength: number = 50): strin
 const url = "file:./data/medassist-ng.db";

 async function main() {
-  console.log("Starting database setup...");
-  console.log("Database URL:", url);
-  console.log("Migrations folder:", migrationsFolder);
-  
-  const client = createClient({ url });
-  const db = drizzle(client);
-  
-  console.log("Running drizzle migrations...");
-  await migrate(db, { migrationsFolder });
+	console.log("[DB] Starting database setup...");
+	console.log("[DB] Database URL:", url);
+	console.log("[DB] Migrations folder:", migrationsFolder);

-  console.log("Database setup complete!");
-  process.exit(0);
+	const client = createClient({ url });
+	const db = drizzle(client);
+
+	console.log("[DB] Running drizzle migrations...");
+	await migrate(db, { migrationsFolder });
+
+	console.log("[DB] Database setup complete!");
+	process.exit(0);
 }

 // Only run main() if this file is executed directly (not imported)
 const isMainModule = import.meta.url === `file://${process.argv[1]}`;
 if (isMainModule) {
-  main().catch((err) => {
-    console.error("Migration failed:", err);
-    process.exit(1);
-  });
+	main().catch((err) => {
+		console.error("Migration failed:", err);
+		process.exit(1);
+	});
 }
@@ -8,8 +8,8 @@
 * Each statement creates a table if it doesn't exist.
 */
 export function getTableCreationSQL(): string[] {
-  return [
-    `CREATE TABLE IF NOT EXISTS users (
+	return [
+		`CREATE TABLE IF NOT EXISTS users (
      id integer PRIMARY KEY AUTOINCREMENT,
      username text NOT NULL UNIQUE,
      password_hash text,
@@ -21,7 +21,7 @@ export function getTableCreationSQL(): string[] {
      created_at integer NOT NULL DEFAULT (strftime('%s','now')),
      updated_at integer NOT NULL DEFAULT (strftime('%s','now'))
    )`,
-    `CREATE TABLE IF NOT EXISTS medications (
+		`CREATE TABLE IF NOT EXISTS medications (
      id integer PRIMARY KEY AUTOINCREMENT,
      user_id integer NOT NULL,
      name text NOT NULL,
@@ -42,7 +42,7 @@ export function getTableCreationSQL(): string[] {
      updated_at integer NOT NULL DEFAULT (strftime('%s','now')),
      FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
    )`,
-    `CREATE TABLE IF NOT EXISTS user_settings (
+		`CREATE TABLE IF NOT EXISTS user_settings (
      id integer PRIMARY KEY AUTOINCREMENT,
      user_id integer NOT NULL UNIQUE,
      email_enabled integer NOT NULL DEFAULT 0,
@@ -65,13 +65,25 @@ export function getTableCreationSQL(): string[] {
      expiry_warning_days integer NOT NULL DEFAULT 90,
      language text NOT NULL DEFAULT 'en',
      stock_calculation_mode text NOT NULL DEFAULT 'automatic',
+      share_stock_status integer NOT NULL DEFAULT 1,
+      upcoming_today_only integer NOT NULL DEFAULT 0,
+      share_schedule_today_only integer NOT NULL DEFAULT 0,
+      swap_dashboard_main_sections integer NOT NULL DEFAULT 0,
      last_auto_email_sent text,
      last_notification_type text,
      last_notification_channel text,
+      last_reminder_med_name text,
+      last_reminder_taken_by text,
+      last_stock_reminder_sent text,
+      last_stock_reminder_channel text,
+      last_stock_reminder_med_names text,
+      last_prescription_reminder_sent text,
+      last_prescription_reminder_channel text,
+      last_prescription_reminder_med_names text,
      updated_at integer NOT NULL DEFAULT (strftime('%s','now')),
      FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
    )`,
-    `CREATE TABLE IF NOT EXISTS refresh_tokens (
+		`CREATE TABLE IF NOT EXISTS refresh_tokens (
      id integer PRIMARY KEY AUTOINCREMENT,
      user_id integer NOT NULL,
      token_id text NOT NULL UNIQUE,
@@ -81,7 +93,7 @@ export function getTableCreationSQL(): string[] {
      created_at integer NOT NULL DEFAULT (strftime('%s','now')),
      FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
    )`,
-    `CREATE TABLE IF NOT EXISTS share_tokens (
+		`CREATE TABLE IF NOT EXISTS share_tokens (
      id integer PRIMARY KEY AUTOINCREMENT,
      user_id integer NOT NULL,
      token text NOT NULL UNIQUE,
@@ -91,7 +103,7 @@ export function getTableCreationSQL(): string[] {
      expires_at integer,
      FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
    )`,
-    `CREATE TABLE IF NOT EXISTS dose_tracking (
+		`CREATE TABLE IF NOT EXISTS dose_tracking (
      id integer PRIMARY KEY AUTOINCREMENT,
      user_id integer NOT NULL,
      dose_id text NOT NULL,
@@ -100,7 +112,7 @@ export function getTableCreationSQL(): string[] {
      dismissed integer NOT NULL DEFAULT 0,
      FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
    )`,
-    `CREATE TABLE IF NOT EXISTS refill_history (
+		`CREATE TABLE IF NOT EXISTS refill_history (
      id integer PRIMARY KEY AUTOINCREMENT,
      medication_id integer NOT NULL,
      user_id integer NOT NULL,
@@ -110,5 +122,5 @@ export function getTableCreationSQL(): string[] {
      FOREIGN KEY (medication_id) REFERENCES medications(id) ON DELETE CASCADE,
      FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
    )`,
-  ];
+	];
 }
@@ -1,132 +1,215 @@
-import { sqliteTable, text, integer } from "drizzle-orm/sqlite-core";
 import { sql } from "drizzle-orm";
+import { integer, sqliteTable, text } from "drizzle-orm/sqlite-core";

 // =============================================================================
 // Users - Simple auth, no roles (every user is equal)
 // =============================================================================
 export const users = sqliteTable("users", {
-  id: integer("id").primaryKey({ autoIncrement: true }),
-  username: text("username", { length: 100 }).notNull().unique(),
-  passwordHash: text("password_hash", { length: 255 }),
-  avatarUrl: text("avatar_url", { length: 255 }),
-  authProvider: text("auth_provider", { length: 50 }).notNull().default("local"),
-  oidcSubject: text("oidc_subject", { length: 255 }),  // OIDC provider's unique user ID (sub claim)
-  isActive: integer("is_active", { mode: "boolean" }).notNull().default(true),
-  lastLoginAt: integer("last_login_at", { mode: "timestamp" }),
-  createdAt: integer("created_at", { mode: "timestamp" }).notNull().default(sql`CURRENT_TIMESTAMP`),
-  updatedAt: integer("updated_at", { mode: "timestamp" }).notNull().default(sql`CURRENT_TIMESTAMP`),
+	id: integer("id").primaryKey({ autoIncrement: true }),
+	username: text("username", { length: 100 }).notNull().unique(),
+	passwordHash: text("password_hash", { length: 255 }),
+	avatarUrl: text("avatar_url", { length: 255 }),
+	authProvider: text("auth_provider", { length: 50 }).notNull().default("local"),
+	oidcSubject: text("oidc_subject", { length: 255 }), // OIDC provider's unique user ID (sub claim)
+	isActive: integer("is_active", { mode: "boolean" }).notNull().default(true),
+	lastLoginAt: integer("last_login_at", { mode: "timestamp" }),
+	createdAt: integer("created_at", { mode: "timestamp" }).notNull().default(sql`CURRENT_TIMESTAMP`),
+	updatedAt: integer("updated_at", { mode: "timestamp" }).notNull().default(sql`CURRENT_TIMESTAMP`),
 });

 // =============================================================================
 // Medications - Per user
 // =============================================================================
 export const medications = sqliteTable("medications", {
-  id: integer("id").primaryKey({ autoIncrement: true }),
-  userId: integer("user_id").notNull().references(() => users.id, { onDelete: "cascade" }),
-  name: text("name", { length: 100 }).notNull(),
-  genericName: text("generic_name", { length: 100 }),
-  takenByJson: text("taken_by_json").notNull().default("[]"), // JSON array of person names
-  packCount: integer("pack_count").notNull().default(1),
-  blistersPerPack: integer("blisters_per_pack").notNull().default(1),
-  pillsPerBlister: integer("pills_per_blister").notNull().default(1),
-  looseTablets: integer("loose_tablets").notNull().default(0),
-  pillWeightMg: integer("pill_weight_mg"),
-  usageJson: text("usage_json").notNull().default("[]"),
-  everyJson: text("every_json").notNull().default("[]"),
-  startJson: text("start_json").notNull().default("[]"),
-  imageUrl: text("image_url"),
-  expiryDate: text("expiry_date"),
-  notes: text("notes"),
-  intakeRemindersEnabled: integer("intake_reminders_enabled", { mode: "boolean" }).notNull().default(false),
-  updatedAt: integer("updated_at", { mode: "timestamp" }).notNull().default(sql`CURRENT_TIMESTAMP`),
+	id: integer("id").primaryKey({ autoIncrement: true }),
+	userId: integer("user_id")
+		.notNull()
+		.references(() => users.id, { onDelete: "cascade" }),
+	name: text("name", { length: 100 }).notNull(),
+	genericName: text("generic_name", { length: 100 }),
+	takenByJson: text("taken_by_json").notNull().default("[]"), // JSON array of person names
+	packageType: text("package_type", { length: 20 }).notNull().default("blister"), // 'blister' or 'bottle'
+	medicationForm: text("medication_form", { length: 20 }).notNull().default("tablet"), // 'capsule' | 'tablet' | 'liquid' | 'topical'
+	pillForm: text("pill_form", { length: 20 }), // Only for blister/bottle with pill-based medications: 'tablet' | 'capsule'
+	lifecycleCategory: text("lifecycle_category", { length: 30 }).notNull().default("refill_when_empty"), // 'refill_when_empty' | 'treatment_period'
+	packageAmountValue: integer("package_amount_value").notNull().default(0), // Informational package quantity (ml/g)
+	packageAmountUnit: text("package_amount_unit", { length: 10 }).notNull().default("ml"), // 'ml' | 'g'
+	packCount: integer("pack_count").notNull().default(1),
+	blistersPerPack: integer("blisters_per_pack").notNull().default(1),
+	pillsPerBlister: integer("pills_per_blister").notNull().default(1),
+	totalPills: integer("total_pills"), // For bottle type: total capacity of the container
+	looseTablets: integer("loose_tablets").notNull().default(0), // For blister: extra loose pills; for bottle: current stock
+	stockAdjustment: integer("stock_adjustment").notNull().default(0), // Hidden offset from stock corrections
+	lastStockCorrectionAt: integer("last_stock_correction_at", { mode: "timestamp" }), // When stock was last corrected - consumed doses before this don't count
+	pillWeightMg: integer("pill_weight_mg"),
+	doseUnit: text("dose_unit", { length: 20 }).default("mg"), // Unit for the dose (mg, g, mcg, ml, IU, etc.)
+	usageJson: text("usage_json").notNull().default("[]"), // DEPRECATED: Use intakesJson instead
+	everyJson: text("every_json").notNull().default("[]"), // DEPRECATED: Use intakesJson instead
+	startJson: text("start_json").notNull().default("[]"), // DEPRECATED: Use intakesJson instead
+	// New unified intakes structure: [{usage, every, start, takenBy, intakeRemindersEnabled}]
+	intakesJson: text("intakes_json").notNull().default("[]"),
+	imageUrl: text("image_url"),
+	expiryDate: text("expiry_date"),
+	notes: text("notes"),
+	intakeRemindersEnabled: integer("intake_reminders_enabled", { mode: "boolean" }).notNull().default(false),
+	medicationStartDate: text("medication_start_date").notNull().default(""),
+	medicationEndDate: text("medication_end_date"),
+	autoMarkObsoleteAfterEndDate: integer("auto_mark_obsolete_after_end_date", { mode: "boolean" })
+		.notNull()
+		.default(true),
+	isObsolete: integer("is_obsolete", { mode: "boolean" }).notNull().default(false),
+	obsoleteAt: integer("obsolete_at", { mode: "timestamp" }),
+	prescriptionEnabled: integer("prescription_enabled", { mode: "boolean" }).notNull().default(false),
+	prescriptionAuthorizedRefills: integer("prescription_authorized_refills"),
+	prescriptionRemainingRefills: integer("prescription_remaining_refills"),
+	prescriptionLowRefillThreshold: integer("prescription_low_refill_threshold").notNull().default(1),
+	prescriptionExpiryDate: text("prescription_expiry_date"),
+	dismissedUntil: text("dismissed_until"), // ISO date string (e.g. "2026-01-23") - all past doses until this date are dismissed
+	updatedAt: integer("updated_at", { mode: "timestamp" }).notNull().default(sql`CURRENT_TIMESTAMP`),
 });

 // =============================================================================
 // User Settings - Per user (email, push, thresholds, language)
 // =============================================================================
 export const userSettings = sqliteTable("user_settings", {
-  id: integer("id").primaryKey({ autoIncrement: true }),
-  userId: integer("user_id").notNull().unique().references(() => users.id, { onDelete: "cascade" }),
-  // Email notifications
-  emailEnabled: integer("email_enabled", { mode: "boolean" }).notNull().default(false),
-  notificationEmail: text("notification_email"),
-  emailStockReminders: integer("email_stock_reminders", { mode: "boolean" }).notNull().default(true),
-  emailIntakeReminders: integer("email_intake_reminders", { mode: "boolean" }).notNull().default(true),
-  // Push notifications (shoutrrr/ntfy)
-  shoutrrrEnabled: integer("shoutrrr_enabled", { mode: "boolean" }).notNull().default(false),
-  shoutrrrUrl: text("shoutrrr_url"),
-  shoutrrrStockReminders: integer("shoutrrr_stock_reminders", { mode: "boolean" }).notNull().default(true),
-  shoutrrrIntakeReminders: integer("shoutrrr_intake_reminders", { mode: "boolean" }).notNull().default(true),
-  // Reminder settings
-  reminderDaysBefore: integer("reminder_days_before").notNull().default(7),
-  repeatDailyReminders: integer("repeat_daily_reminders", { mode: "boolean" }).notNull().default(false),
-  skipRemindersForTakenDoses: integer("skip_reminders_for_taken_doses", { mode: "boolean" }).notNull().default(false),
-  repeatRemindersEnabled: integer("repeat_reminders_enabled", { mode: "boolean" }).notNull().default(false),
-  reminderRepeatIntervalMinutes: integer("reminder_repeat_interval_minutes").notNull().default(30),
-  maxNaggingReminders: integer("max_nagging_reminders").notNull().default(5),
-  // Stock thresholds (days)
-  lowStockDays: integer("low_stock_days").notNull().default(30),
-  normalStockDays: integer("normal_stock_days").notNull().default(90),
-  highStockDays: integer("high_stock_days").notNull().default(180),
-  expiryWarningDays: integer("expiry_warning_days").notNull().default(90),
-  // UI preferences
-  language: text("language", { length: 10 }).notNull().default("en"),
-  // Stock calculation mode: "automatic" (schedule-based) or "manual" (only marked doses)
-  stockCalculationMode: text("stock_calculation_mode", { length: 20 }).notNull().default("automatic"),
-  // Last notification tracking
-  lastAutoEmailSent: text("last_auto_email_sent"),
-  lastNotificationType: text("last_notification_type"),
-  lastNotificationChannel: text("last_notification_channel"),
-  // Timestamps
-  updatedAt: integer("updated_at", { mode: "timestamp" }).notNull().default(sql`CURRENT_TIMESTAMP`),
+	id: integer("id").primaryKey({ autoIncrement: true }),
+	userId: integer("user_id")
+		.notNull()
+		.unique()
+		.references(() => users.id, { onDelete: "cascade" }),
+	// Email notifications
+	emailEnabled: integer("email_enabled", { mode: "boolean" }).notNull().default(false),
+	notificationEmail: text("notification_email"),
+	emailStockReminders: integer("email_stock_reminders", { mode: "boolean" }).notNull().default(true),
+	emailIntakeReminders: integer("email_intake_reminders", { mode: "boolean" }).notNull().default(true),
+	emailPrescriptionReminders: integer("email_prescription_reminders", { mode: "boolean" }).notNull().default(true),
+	// Push notifications (shoutrrr/ntfy)
+	shoutrrrEnabled: integer("shoutrrr_enabled", { mode: "boolean" }).notNull().default(false),
+	shoutrrrUrl: text("shoutrrr_url"),
+	shoutrrrStockReminders: integer("shoutrrr_stock_reminders", { mode: "boolean" }).notNull().default(true),
+	shoutrrrIntakeReminders: integer("shoutrrr_intake_reminders", { mode: "boolean" }).notNull().default(true),
+	shoutrrrPrescriptionReminders: integer("shoutrrr_prescription_reminders", { mode: "boolean" })
+		.notNull()
+		.default(true),
+	// Reminder settings
+	reminderDaysBefore: integer("reminder_days_before").notNull().default(7),
+	repeatDailyReminders: integer("repeat_daily_reminders", { mode: "boolean" }).notNull().default(false),
+	skipRemindersForTakenDoses: integer("skip_reminders_for_taken_doses", { mode: "boolean" }).notNull().default(false),
+	repeatRemindersEnabled: integer("repeat_reminders_enabled", { mode: "boolean" }).notNull().default(false),
+	reminderRepeatIntervalMinutes: integer("reminder_repeat_interval_minutes").notNull().default(30),
+	maxNaggingReminders: integer("max_nagging_reminders").notNull().default(5),
+	// Stock thresholds (days)
+	lowStockDays: integer("low_stock_days").notNull().default(30),
+	normalStockDays: integer("normal_stock_days").notNull().default(90),
+	highStockDays: integer("high_stock_days").notNull().default(180),
+	expiryWarningDays: integer("expiry_warning_days").notNull().default(90),
+	// UI preferences
+	language: text("language", { length: 10 }).notNull().default("en"),
+	// Stock calculation mode: "automatic" (schedule-based) or "manual" (only marked doses)
+	stockCalculationMode: text("stock_calculation_mode", { length: 20 }).notNull().default("automatic"),
+	// Whether shared schedule links show stock status (Critical/Low/Normal) to intake users
+	shareStockStatus: integer("share_stock_status", { mode: "boolean" }).notNull().default(true),
+	// Whether shared schedule links also embed the medication overview section
+	shareMedicationOverview: integer("share_medication_overview", { mode: "boolean" }).notNull().default(false),
+	// UI timeline visibility preferences
+	upcomingTodayOnly: integer("upcoming_today_only", { mode: "boolean" }).notNull().default(false),
+	shareScheduleTodayOnly: integer("share_schedule_today_only", { mode: "boolean" }).notNull().default(false),
+	swapDashboardMainSections: integer("swap_dashboard_main_sections", { mode: "boolean" }).notNull().default(false),
+	// Last notification tracking (intake reminders)
+	lastAutoEmailSent: text("last_auto_email_sent"),
+	lastNotificationType: text("last_notification_type"),
+	lastNotificationChannel: text("last_notification_channel"),
+	lastReminderMedName: text("last_reminder_med_name"),
+	lastReminderTakenBy: text("last_reminder_taken_by"),
+	// Last stock reminder tracking (separate from intake)
+	lastStockReminderSent: text("last_stock_reminder_sent"),
+	lastStockReminderChannel: text("last_stock_reminder_channel"),
+	lastStockReminderMedNames: text("last_stock_reminder_med_names"),
+	// Last prescription reminder tracking (separate from stock/intake)
+	lastPrescriptionReminderSent: text("last_prescription_reminder_sent"),
+	lastPrescriptionReminderChannel: text("last_prescription_reminder_channel"),
+	lastPrescriptionReminderMedNames: text("last_prescription_reminder_med_names"),
+	// Timestamps
+	updatedAt: integer("updated_at", { mode: "timestamp" }).notNull().default(sql`CURRENT_TIMESTAMP`),
 });

 // =============================================================================
 // Refresh Tokens - For JWT rotation
 // =============================================================================
 export const refreshTokens = sqliteTable("refresh_tokens", {
-  id: integer("id").primaryKey({ autoIncrement: true }),
-  userId: integer("user_id").notNull().references(() => users.id, { onDelete: "cascade" }),
-  tokenId: text("token_id", { length: 255 }).notNull().unique(),
-  expiresAt: integer("expires_at", { mode: "timestamp" }).notNull(),
-  rotatedAt: integer("rotated_at", { mode: "timestamp" }),
-  revoked: integer("revoked", { mode: "boolean" }).notNull().default(false),
-  createdAt: integer("created_at", { mode: "timestamp" }).notNull().default(sql`CURRENT_TIMESTAMP`),
+	id: integer("id").primaryKey({ autoIncrement: true }),
+	userId: integer("user_id")
+		.notNull()
+		.references(() => users.id, { onDelete: "cascade" }),
+	tokenId: text("token_id", { length: 255 }).notNull().unique(),
+	expiresAt: integer("expires_at", { mode: "timestamp" }).notNull(),
+	rotatedAt: integer("rotated_at", { mode: "timestamp" }),
+	revoked: integer("revoked", { mode: "boolean" }).notNull().default(false),
+	createdAt: integer("created_at", { mode: "timestamp" }).notNull().default(sql`CURRENT_TIMESTAMP`),
+});
+
+// =============================================================================
+// API Keys - Personal access tokens for programmatic API access
+// =============================================================================
+export const apiKeys = sqliteTable("api_keys", {
+	id: integer("id").primaryKey({ autoIncrement: true }),
+	userId: integer("user_id")
+		.notNull()
+		.references(() => users.id, { onDelete: "cascade" }),
+	name: text("name", { length: 100 }).notNull(),
+	keyHash: text("key_hash", { length: 128 }).notNull().unique(),
+	tokenPrefix: text("token_prefix", { length: 24 }).notNull().default(""),
+	scope: text("scope", { length: 10 }).notNull().default("write"), // 'read' | 'write'
+	isActive: integer("is_active", { mode: "boolean" }).notNull().default(true),
+	lastUsedAt: integer("last_used_at", { mode: "timestamp" }),
+	expiresAt: integer("expires_at", { mode: "timestamp" }),
+	createdAt: integer("created_at", { mode: "timestamp" }).notNull().default(sql`CURRENT_TIMESTAMP`),
+	updatedAt: integer("updated_at", { mode: "timestamp" }).notNull().default(sql`CURRENT_TIMESTAMP`),
 });

 // =============================================================================
 // Share Tokens - For public schedule sharing by takenBy person
 // =============================================================================
 export const shareTokens = sqliteTable("share_tokens", {
-  id: integer("id").primaryKey({ autoIncrement: true }),
-  userId: integer("user_id").notNull().references(() => users.id, { onDelete: "cascade" }),
-  token: text("token", { length: 64 }).notNull().unique(),
-  takenBy: text("taken_by", { length: 100 }).notNull(),
-  scheduleDays: integer("schedule_days").notNull().default(30),
-  createdAt: integer("created_at", { mode: "timestamp" }).notNull().default(sql`CURRENT_TIMESTAMP`),
-  expiresAt: integer("expires_at", { mode: "timestamp" }), // NULL = never expires
+	id: integer("id").primaryKey({ autoIncrement: true }),
+	userId: integer("user_id")
+		.notNull()
+		.references(() => users.id, { onDelete: "cascade" }),
+	token: text("token", { length: 64 }).notNull().unique(),
+	takenBy: text("taken_by", { length: 100 }).notNull(),
+	scheduleDays: integer("schedule_days").notNull().default(30),
+	createdAt: integer("created_at", { mode: "timestamp" }).notNull().default(sql`CURRENT_TIMESTAMP`),
+	expiresAt: integer("expires_at", { mode: "timestamp" }), // NULL = never expires
 });

 // =============================================================================
 // Dose Tracking - Tracks when doses are marked as taken
 // =============================================================================
 export const doseTracking = sqliteTable("dose_tracking", {
-  id: integer("id").primaryKey({ autoIncrement: true }),
-  userId: integer("user_id").notNull().references(() => users.id, { onDelete: "cascade" }),
-  doseId: text("dose_id", { length: 255 }).notNull(), // e.g. "med-5-1-86400000-1735200000000"
-  takenAt: integer("taken_at", { mode: "timestamp" }).notNull().default(sql`(strftime('%s','now'))`),
-  markedBy: text("marked_by", { length: 100 }), // null = user, "Daniel" = via share link
-  dismissed: integer("dismissed", { mode: "boolean" }).notNull().default(false), // true = missed dose acknowledged without taking
+	id: integer("id").primaryKey({ autoIncrement: true }),
+	userId: integer("user_id")
+		.notNull()
+		.references(() => users.id, { onDelete: "cascade" }),
+	doseId: text("dose_id", { length: 255 }).notNull(), // e.g. "med-5-1-86400000-1735200000000"
+	takenAt: integer("taken_at", { mode: "timestamp" }).notNull().default(sql`(strftime('%s','now'))`),
+	markedBy: text("marked_by", { length: 100 }), // null = user, "Daniel" = via share link
+	takenSource: text("taken_source", { length: 20 }).notNull().default("manual"), // manual or automatic
+	dismissed: integer("dismissed", { mode: "boolean" }).notNull().default(false), // true = missed dose acknowledged without taking
 });

 // =============================================================================
 // Refill History - Tracks when medication stock was refilled
 // =============================================================================
 export const refillHistory = sqliteTable("refill_history", {
-  id: integer("id").primaryKey({ autoIncrement: true }),
-  medicationId: integer("medication_id").notNull().references(() => medications.id, { onDelete: "cascade" }),
-  userId: integer("user_id").notNull().references(() => users.id, { onDelete: "cascade" }),
-  packsAdded: integer("packs_added").notNull().default(0),
-  loosePillsAdded: integer("loose_pills_added").notNull().default(0),
-  refillDate: integer("refill_date", { mode: "timestamp" }).notNull().default(sql`(strftime('%s','now'))`),
+	id: integer("id").primaryKey({ autoIncrement: true }),
+	medicationId: integer("medication_id")
+		.notNull()
+		.references(() => medications.id, { onDelete: "cascade" }),
+	userId: integer("user_id")
+		.notNull()
+		.references(() => users.id, { onDelete: "cascade" }),
+	packsAdded: integer("packs_added").notNull().default(0),
+	loosePillsAdded: integer("loose_pills_added").notNull().default(0),
+	usedPrescription: integer("used_prescription", { mode: "boolean" }).notNull().default(false),
+	refillDate: integer("refill_date", { mode: "timestamp" }).notNull().default(sql`(strftime('%s','now'))`),
 });
@@ -1,193 +1,506 @@
 // Backend translations for notifications
 export type Language = "en" | "de";

+/**
+ * Map timezone to region code (ISO 3166-1 alpha-2).
+ * This allows combining app language with regional formatting.
+ */
+const TIMEZONE_TO_REGION: Record<string, string> = {
+	// Europe
+	"Europe/Berlin": "DE",
+	"Europe/Vienna": "AT",
+	"Europe/Zurich": "CH",
+	"Europe/London": "GB",
+	"Europe/Dublin": "IE",
+	"Europe/Paris": "FR",
+	"Europe/Madrid": "ES",
+	"Europe/Rome": "IT",
+	"Europe/Amsterdam": "NL",
+	"Europe/Brussels": "BE",
+	"Europe/Warsaw": "PL",
+	"Europe/Prague": "CZ",
+	"Europe/Stockholm": "SE",
+	"Europe/Oslo": "NO",
+	"Europe/Copenhagen": "DK",
+	"Europe/Helsinki": "FI",
+	"Europe/Athens": "GR",
+	"Europe/Lisbon": "PT",
+	"Europe/Moscow": "RU",
+	"Europe/Kiev": "UA",
+	"Europe/Kyiv": "UA",
+	"Europe/Budapest": "HU",
+	"Europe/Bucharest": "RO",
+	// Americas
+	"America/New_York": "US",
+	"America/Chicago": "US",
+	"America/Denver": "US",
+	"America/Los_Angeles": "US",
+	"America/Phoenix": "US",
+	"America/Toronto": "CA",
+	"America/Vancouver": "CA",
+	"America/Mexico_City": "MX",
+	"America/Sao_Paulo": "BR",
+	"America/Buenos_Aires": "AR",
+	// Asia/Pacific
+	"Asia/Tokyo": "JP",
+	"Asia/Shanghai": "CN",
+	"Asia/Hong_Kong": "HK",
+	"Asia/Singapore": "SG",
+	"Asia/Seoul": "KR",
+	"Asia/Dubai": "AE",
+	"Asia/Kolkata": "IN",
+	"Australia/Sydney": "AU",
+	"Australia/Melbourne": "AU",
+	"Pacific/Auckland": "NZ",
+};
+
+/**
+ * Get region code from TZ environment variable.
+ */
+function getRegionFromTimezone(): string | undefined {
+	const tz = process.env.TZ;
+	if (!tz) return undefined;
+	return TIMEZONE_TO_REGION[tz];
+}
+
 type TranslationKeys = {
-  // Stock reminder email
-  stockReminder: {
-    subject: string;
-    title: string;
-    description: string;
-    alertSingle: string;
-    alertMultiple: string;
-    tableHeaders: {
-      medication: string;
-      pills: string;
-      days: string;
-      runsOut: string;
-    };
-    footer: string;
-    repeatDailyNote: string;
-  };
-  // Intake reminder email
-  intakeReminder: {
-    subject: string;
-    title: string;
-    description: string;
-    alertSingle: string;
-    alertMultiple: string;
-    tableHeaders: {
-      medication: string;
-      dosage: string;
-      time: string;
-    };
-    pills: string;
-    takenBy: string;
-    footer: string;
-  };
-  // Push notifications
-  push: {
-    stockTitle: string;
-    stockTitleMultiple: string;
-    intakeTitle: string;
-    pillsLeft: string;
-    daysLeft: string;
-    pillsAt: string;
-    repeatDailyNote: string;
-    empty: string;
-    low: string;
-    reorderNow: string;
-    emptySection: string;
-    lowSection: string;
-  };
-  // Common
-  common: {
-    pill: string;
-    pills: string;
-    day: string;
-    days: string;
-    soon: string;
-  };
+	// Stock reminder (shared across email + push)
+	stockReminder: {
+		subject: string;
+		title: string;
+		description: string;
+		descriptionEmpty: string;
+		descriptionMixed: string;
+		alertSingle: string;
+		alertMultiple: string;
+		alertEmptySingle: string;
+		alertEmptyMultiple: string;
+		alertLowSingle: string;
+		alertLowMultiple: string;
+		alertLowStockSingle: string;
+		alertLowStockMultiple: string;
+		descriptionLow: string;
+		tableHeaders: {
+			medication: string;
+			pills: string;
+			days: string;
+			runsOut: string;
+		};
+		now: string;
+		repeatDailyNote: string;
+	};
+	// Intake reminder email
+	intakeReminder: {
+		subject: string;
+		title: string;
+		description: string;
+		alertSingle: string;
+		alertMultiple: string;
+		tableHeaders: {
+			medication: string;
+			dosage: string;
+			time: string;
+		};
+		pills: string;
+		takenBy: string;
+	};
+	// Push notifications
+	push: {
+		stockTitle: string;
+		stockTitleMultiple: string;
+		intakeTitle: string;
+		pillsLeft: string;
+		daysLeft: string;
+		pillsAt: string;
+		repeatDailyNote: string;
+		empty: string;
+		low: string;
+		critical: string;
+		lowStock: string;
+		reorderNow: string;
+		emptySection: string;
+		lowSection: string;
+		criticalSection: string;
+		lowStockSection: string;
+	};
+	// Prescription reminder (shared across email + push)
+	prescriptionReminder: {
+		subjectSingle: string;
+		subjectMultiple: string;
+		pushTitleLow: string;
+		pushTitleEmpty: string;
+		pushEmpty: string;
+		pushEmptySingle: string;
+		pushLow: string;
+		pushLowSingle: string;
+		pushRenewNow: string;
+		pushEmptySection: string;
+		pushLowSection: string;
+		pushRefillsLeft: string;
+		title: string;
+		titleEmpty: string;
+		descriptionLow: string;
+		descriptionEmpty: string;
+		alertLowSingle: string;
+		alertLowMultiple: string;
+		alertEmptySingle: string;
+		alertEmptyMultiple: string;
+		line: string;
+		lineEmpty: string;
+		expiresSuffix: string;
+		repeatDailyNote: string;
+		tableHeaders: {
+			medication: string;
+			refillsLeft: string;
+			reminderThreshold: string;
+			prescriptionExpires: string;
+		};
+	};
+	// Demand calculator email
+	demandCalculator: {
+		subject: string;
+		title: string;
+		description: string;
+		summaryOutOfStock: string;
+		summaryAllOk: string;
+		tableHeaders: {
+			medication: string;
+			usage: string;
+			needed: string;
+			prescriptionRefills: string;
+			available: string;
+			status: string;
+		};
+		statusEnough: string;
+		statusEmpty: string;
+		prescriptionNotApplicable: string;
+	};
+	// Common
+	common: {
+		pill: string;
+		pills: string;
+		units: string;
+		ml: string;
+		blister: string;
+		blisters: string;
+		day: string;
+		days: string;
+		soon: string;
+		footer: string;
+	};
 };

 const translations: Record<Language, TranslationKeys> = {
-  en: {
-    stockReminder: {
-      subject: "MedAssist-ng Auto-Reminder: {count} Medication{s} Running Low",
-      title: "⚠️ MedAssist-ng - Automatic Reorder Reminder",
-      description: "The following medications are running low and need to be reordered:",
-      alertSingle: "⚠️ 1 medication running low!",
-      alertMultiple: "⚠️ {count} medications running low!",
-      tableHeaders: {
-        medication: "Medication",
-        pills: "Pills",
-        days: "Days",
-        runsOut: "Runs Out",
-      },
-      footer: "🤖 Automatic reminder from MedAssist-ng",
-      repeatDailyNote: "You are receiving this daily reminder because 'Repeat Daily' is enabled in settings.",
-    },
-    intakeReminder: {
-      subject: "MedAssist-ng: Medication Reminder - {medications}",
-      title: "💊 MedAssist-ng - Intake Reminder",
-      description: "Time to take your medication in {minutes} minutes:",
-      alertSingle: "💊 1 medication scheduled",
-      alertMultiple: "💊 {count} medications scheduled",
-      tableHeaders: {
-        medication: "Medication",
-        dosage: "Dosage",
-        time: "Time",
-      },
-      pills: "pills",
-      takenBy: "for {name}",
-      footer: "🤖 Automatic reminder from MedAssist-ng",
-    },
-    push: {
-      stockTitle: "MedAssist-ng: 1 Medication Running Low",
-      stockTitleMultiple: "MedAssist-ng: {count} Medications Running Low",
-      intakeTitle: "💊 Medication Reminder in {minutes} min",
-      pillsLeft: "{count} pills",
-      daysLeft: "{count} days left",
-      pillsAt: "{count} pills at {time}",
-      repeatDailyNote: "(Daily reminder enabled)",
-      empty: "Empty",
-      low: "Low",
-      reorderNow: "Reorder Now!",
-      emptySection: "EMPTY (reorder immediately)",
-      lowSection: "RUNNING LOW (reorder soon)",
-    },
-    common: {
-      pill: "pill",
-      pills: "pills",
-      day: "day",
-      days: "days",
-      soon: "soon",
-    },
-  },
-  de: {
-    stockReminder: {
-      subject: "MedAssist-ng Auto-Erinnerung: {count} Medikament{e} wird knapp",
-      title: "⚠️ MedAssist-ng - Automatische Nachbestell-Erinnerung",
-      description: "Die folgenden Medikamente gehen zur Neige und sollten nachbestellt werden:",
-      alertSingle: "⚠️ 1 Medikament wird knapp!",
-      alertMultiple: "⚠️ {count} Medikamente werden knapp!",
-      tableHeaders: {
-        medication: "Medikament",
-        pills: "Tabletten",
-        days: "Tage",
-        runsOut: "Aufgebraucht",
-      },
-      footer: "🤖 Automatische Erinnerung von MedAssist-ng",
-      repeatDailyNote: "Sie erhalten diese tägliche Erinnerung, weil 'Täglich wiederholen' in den Einstellungen aktiviert ist.",
-    },
-    intakeReminder: {
-      subject: "MedAssist-ng: Einnahme-Erinnerung - {medications}",
-      title: "💊 MedAssist-ng - Einnahme-Erinnerung",
-      description: "Zeit für Ihre Medikamente in {minutes} Minuten:",
-      alertSingle: "💊 1 Medikament geplant",
-      alertMultiple: "💊 {count} Medikamente geplant",
-      tableHeaders: {
-        medication: "Medikament",
-        dosage: "Dosis",
-        time: "Uhrzeit",
-      },
-      pills: "Tabletten",
-      takenBy: "für {name}",
-      footer: "🤖 Automatische Erinnerung von MedAssist-ng",
-    },
-    push: {
-      stockTitle: "MedAssist-ng: 1 Medikament wird knapp",
-      stockTitleMultiple: "MedAssist-ng: {count} Medikamente werden knapp",
-      intakeTitle: "💊 Einnahme-Erinnerung in {minutes} Min.",
-      pillsLeft: "{count} Tabletten",
-      daysLeft: "{count} Tage übrig",
-      pillsAt: "{count} Tabletten um {time}",
-      repeatDailyNote: "(Tägliche Erinnerung aktiviert)",
-      empty: "Leer",
-      low: "Knapp",
-      reorderNow: "Jetzt nachbestellen!",
-      emptySection: "LEER (sofort nachbestellen)",
-      lowSection: "WIRD KNAPP (bald nachbestellen)",
-    },
-    common: {
-      pill: "Tablette",
-      pills: "Tabletten",
-      day: "Tag",
-      days: "Tage",
-      soon: "bald",
-    },
-  },
+	en: {
+		stockReminder: {
+			subject: "MedAssist-ng: ⚠️ {count} Medication{s} Running Critically Low",
+			title: "⚠️ MedAssist-ng: Automatic Reorder Reminder",
+			description: "The following medications are running critically low and need to be reordered:",
+			descriptionEmpty: "The following medications are empty and need to be reordered immediately:",
+			descriptionMixed: "The following medications need to be reordered:",
+			alertSingle: "⚠️ 1 medication running critically low!",
+			alertMultiple: "⚠️ {count} medications running critically low!",
+			alertEmptySingle: "🚨 1 medication empty - reorder immediately!",
+			alertEmptyMultiple: "🚨 {count} medications empty - reorder immediately!",
+			alertLowSingle: "⚠️ 1 medication running critically low",
+			alertLowMultiple: "⚠️ {count} medications running critically low",
+			alertLowStockSingle: "⚠️ 1 medication running low",
+			alertLowStockMultiple: "⚠️ {count} medications running low",
+			descriptionLow: "The following medications are running low and should be reordered soon:",
+			tableHeaders: {
+				medication: "Medication",
+				pills: "Pills",
+				days: "Days",
+				runsOut: "Runs Out",
+			},
+			now: "NOW",
+			repeatDailyNote: "You are receiving this daily reminder because 'Repeat Daily' is enabled in settings.",
+		},
+		intakeReminder: {
+			subject: "MedAssist-ng: Medication Reminder - {medications}",
+			title: "💊 MedAssist-ng - Intake Reminder",
+			description: "Time to take your medication in {minutes} minutes:",
+			alertSingle: "💊 1 medication scheduled",
+			alertMultiple: "💊 {count} medications scheduled",
+			tableHeaders: {
+				medication: "Medication",
+				dosage: "Dosage",
+				time: "Time",
+			},
+			pills: "pills",
+			takenBy: "for {name}",
+		},
+		push: {
+			stockTitle: "MedAssist-ng: 1 Medication Running Critically Low",
+			stockTitleMultiple: "MedAssist-ng: {count} Medications Running Critically Low",
+			intakeTitle: "💊 Reminder: Medication intake in {minutes} min",
+			pillsLeft: "{count} pills",
+			daysLeft: "{count} days left",
+			pillsAt: "{count} pills at {time}",
+			repeatDailyNote: "(Daily reminder enabled)",
+			empty: "Empty",
+			low: "Critical",
+			critical: "Critical",
+			lowStock: "Low",
+			reorderNow: "Reorder Now!",
+			emptySection: "Empty (reorder immediately)",
+			lowSection: "Running critically low",
+			criticalSection: "Running critically low",
+			lowStockSection: "Running low",
+		},
+		prescriptionReminder: {
+			subjectSingle: "MedAssist-ng: 🚨 Prescription Refill Reminder",
+			subjectMultiple: "MedAssist-ng: 🚨 {count} Prescriptions Need Renewal Soon",
+			pushTitleLow: "💊 MedAssist-ng: {count} prescriptions are running low",
+			pushTitleEmpty: "💊 MedAssist-ng: {count} prescriptions need renewal now",
+			pushEmpty: "prescriptions out of refills",
+			pushEmptySingle: "prescription out of refills",
+			pushLow: "prescriptions low on refills",
+			pushLowSingle: "prescription low on refills",
+			pushRenewNow: "Renew Now!",
+			pushEmptySection: "Prescriptions with no refills left",
+			pushLowSection: "Prescriptions running low on refills",
+			pushRefillsLeft: "{count} refill(s) remaining on this prescription",
+			title: "⚠️ MedAssist-ng - Prescription Reminder",
+			titleEmpty: "🚨 MedAssist-ng - Prescription Reminder",
+			descriptionLow: "Some prescriptions are low on remaining refills.",
+			descriptionEmpty: "Some prescriptions have no refills left. Contact your doctor for renewal.",
+			alertLowSingle: "⚠️ 1 prescription is low on refills",
+			alertLowMultiple: "⚠️ {count} prescriptions are low on refills",
+			alertEmptySingle: "🚨 1 prescription needs renewal now",
+			alertEmptyMultiple: "🚨 {count} prescriptions need renewal now",
+			line: "{name}: {refills} refill(s) remaining on this prescription{expirySuffix}",
+			lineEmpty: "{name}: no refills remaining on this prescription{expirySuffix}",
+			expiresSuffix: ", expires {date}",
+			repeatDailyNote: "You are receiving this daily reminder because 'Repeat Daily' is enabled in settings.",
+			tableHeaders: {
+				medication: "Medication",
+				refillsLeft: "Prescription refills left",
+				reminderThreshold: "Reminder threshold",
+				prescriptionExpires: "Prescription expires",
+			},
+		},
+		demandCalculator: {
+			subject: "MedAssist-ng: Supply Overview ({from} - {until})",
+			title: "MedAssist-ng: Demand Calculator",
+			description: "Supply overview from {from} to {until}",
+			summaryOutOfStock: "⚠️ {count} medication{s} will be out of stock during this period.",
+			summaryAllOk: "✓ All medications have sufficient supply for this period.",
+			tableHeaders: {
+				medication: "Medication",
+				usage: "Usage",
+				needed: "Blisters needed",
+				prescriptionRefills: "Prescription refills",
+				available: "Available",
+				status: "Status",
+			},
+			statusEnough: "✓ Enough",
+			statusEmpty: "✗ Empty",
+			prescriptionNotApplicable: "–",
+		},
+		common: {
+			pill: "pill",
+			pills: "pills",
+			units: "units",
+			ml: "ml",
+			blister: "blister",
+			blisters: "blisters",
+			day: "day",
+			days: "days",
+			soon: "soon",
+			footer: "🤖 Sent from MedAssist-ng",
+		},
+	},
+	de: {
+		stockReminder: {
+			subject: "MedAssist-ng: ⚠️ {count} Medikament{e} kritisch niedrig",
+			title: "⚠️ MedAssist-ng: Automatische Nachbestell-Erinnerung",
+			description: "Die folgenden Medikamente sind kritisch niedrig und sollten nachbestellt werden:",
+			descriptionEmpty: "Die folgenden Medikamente sind leer und müssen sofort nachbestellt werden:",
+			descriptionMixed: "Die folgenden Medikamente müssen nachbestellt werden:",
+			alertSingle: "⚠️ 1 Medikament kritisch niedrig!",
+			alertMultiple: "⚠️ {count} Medikamente kritisch niedrig!",
+			alertEmptySingle: "🚨 1 Medikament leer - sofort nachbestellen!",
+			alertEmptyMultiple: "🚨 {count} Medikamente leer - sofort nachbestellen!",
+			alertLowSingle: "⚠️ 1 Medikament kritisch niedrig",
+			alertLowMultiple: "⚠️ {count} Medikamente kritisch niedrig",
+			alertLowStockSingle: "⚠️ 1 Medikament niedrig",
+			alertLowStockMultiple: "⚠️ {count} Medikamente niedrig",
+			descriptionLow: "Die folgenden Medikamente werden knapp und sollten bald nachbestellt werden:",
+			tableHeaders: {
+				medication: "Medikament",
+				pills: "Tabletten",
+				days: "Tage",
+				runsOut: "Aufgebraucht",
+			},
+			now: "JETZT",
+			repeatDailyNote:
+				"Sie erhalten diese tägliche Erinnerung, weil 'Täglich wiederholen' in den Einstellungen aktiviert ist.",
+		},
+		intakeReminder: {
+			subject: "MedAssist-ng: Einnahme-Erinnerung - {medications}",
+			title: "💊 MedAssist-ng - Einnahme-Erinnerung",
+			description: "Zeit für Ihre Medikamente in {minutes} Minuten:",
+			alertSingle: "💊 1 Medikament geplant",
+			alertMultiple: "💊 {count} Medikamente geplant",
+			tableHeaders: {
+				medication: "Medikament",
+				dosage: "Dosis",
+				time: "Uhrzeit",
+			},
+			pills: "Tabletten",
+			takenBy: "für {name}",
+		},
+		push: {
+			stockTitle: "MedAssist-ng: 1 Medikament kritisch niedrig",
+			stockTitleMultiple: "MedAssist-ng: {count} Medikamente kritisch niedrig",
+			intakeTitle: "💊 Erinnerung: Medikamenteneinnahme in {minutes} Min.",
+			pillsLeft: "{count} Tabletten",
+			daysLeft: "{count} Tage übrig",
+			pillsAt: "{count} Tabletten um {time}",
+			repeatDailyNote: "(Tägliche Erinnerung aktiviert)",
+			empty: "Leer",
+			low: "Kritisch",
+			critical: "Kritisch",
+			lowStock: "Niedrig",
+			reorderNow: "Jetzt nachbestellen!",
+			emptySection: "Leer (sofort nachbestellen)",
+			lowSection: "Kritisch niedrig",
+			criticalSection: "Kritisch niedrig",
+			lowStockSection: "Niedrig",
+		},
+		prescriptionReminder: {
+			subjectSingle: "MedAssist-ng: 🚨 Rezept-Nachfüll-Erinnerung",
+			subjectMultiple: "MedAssist-ng: 🚨 {count} Rezepte müssen bald erneuert werden",
+			pushTitleLow: "💊 MedAssist-ng: {count} Rezept(e) haben nur noch wenige Nachfüllungen",
+			pushTitleEmpty: "💊 MedAssist-ng: {count} Rezept(e) müssen jetzt erneuert werden",
+			pushEmpty: "Rezepte ohne verbleibende Nachfüllung",
+			pushEmptySingle: "Rezept ohne verbleibende Nachfüllung",
+			pushLow: "Rezepte mit wenigen verbleibenden Nachfüllungen",
+			pushLowSingle: "Rezept mit wenigen verbleibenden Nachfüllungen",
+			pushRenewNow: "Jetzt erneuern!",
+			pushEmptySection: "Rezepte ohne Nachfüllungen",
+			pushLowSection: "Rezepte mit bald aufgebrauchten Nachfüllungen",
+			pushRefillsLeft: "{count} Nachfüllung(en) für dieses Rezept übrig",
+			title: "⚠️ MedAssist-ng - Rezept-Erinnerung",
+			titleEmpty: "🚨 MedAssist-ng - Rezept-Erinnerung",
+			descriptionLow: "Einige Rezepte haben nur noch wenige Nachfüllungen.",
+			descriptionEmpty:
+				"Einige Rezepte haben keine Nachfüllungen mehr. Bitte kontaktieren Sie Ihren Arzt für eine Erneuerung.",
+			alertLowSingle: "⚠️ 1 Rezept ist bei den Nachfüllungen niedrig",
+			alertLowMultiple: "⚠️ {count} Rezepte sind bei den Nachfüllungen niedrig",
+			alertEmptySingle: "🚨 1 Rezept muss jetzt erneuert werden",
+			alertEmptyMultiple: "🚨 {count} Rezepte müssen jetzt erneuert werden",
+			line: "{name}: {refills} Nachfüllung(en) für dieses Rezept übrig{expirySuffix}",
+			lineEmpty: "{name}: keine Nachfüllung mehr für dieses Rezept{expirySuffix}",
+			expiresSuffix: ", läuft ab {date}",
+			repeatDailyNote:
+				"Sie erhalten diese tägliche Erinnerung, weil 'Täglich wiederholen' in den Einstellungen aktiviert ist.",
+			tableHeaders: {
+				medication: "Medikament",
+				refillsLeft: "Rezept-Nachfüllungen übrig",
+				reminderThreshold: "Erinnerungsschwelle",
+				prescriptionExpires: "Rezeptablauf",
+			},
+		},
+		demandCalculator: {
+			subject: "MedAssist-ng: Bestandsübersicht ({from} - {until})",
+			title: "MedAssist-ng: Bedarfsrechner",
+			description: "Bestandsübersicht von {from} bis {until}",
+			summaryOutOfStock: "⚠️ {count} Medikament{e} wird im Zeitraum nicht ausreichen.",
+			summaryAllOk: "✓ Alle Medikamente reichen für diesen Zeitraum.",
+			tableHeaders: {
+				medication: "Medikament",
+				usage: "Verbrauch",
+				needed: "Blister benötigt",
+				prescriptionRefills: "Rezept-Nachfüllungen",
+				available: "Verfügbar",
+				status: "Status",
+			},
+			statusEnough: "✓ Ausreichend",
+			statusEmpty: "✗ Leer",
+			prescriptionNotApplicable: "–",
+		},
+		common: {
+			pill: "Tablette",
+			pills: "Tabletten",
+			units: "Einheiten",
+			ml: "ml",
+			blister: "Blister",
+			blisters: "Blister",
+			day: "Tag",
+			days: "Tage",
+			soon: "bald",
+			footer: "🤖 Gesendet von MedAssist-ng",
+		},
+	},
 };

 export function getTranslations(language: Language): TranslationKeys {
-  return translations[language] || translations.en;
+	return translations[language] || translations.en;
 }

 // Helper function to replace placeholders in strings
 export function t(template: string, params: Record<string, string | number> = {}): string {
-  let result = template;
-  for (const [key, value] of Object.entries(params)) {
-    result = result.replace(new RegExp(`\\{${key}\\}`, "g"), String(value));
-  }
-  return result;
+	let result = template;
+	for (const [key, value] of Object.entries(params)) {
+		result = result.replace(new RegExp(`\\{${key}\\}`, "g"), String(value));
+	}
+	return result;
 }

-// Get date locale for toLocaleDateString
+/**
+ * Get locale for formatting based on language and timezone region.
+ * Combines language (en/de) with region from timezone (DE/US/etc.)
+ * Example: lang=en + TZ=Europe/Berlin → en-DE (English text, German format = 24h time)
+ */
 export function getDateLocale(language: Language): string {
-  switch (language) {
-    case "de":
-      return "de-DE";
-    case "en":
-    default:
-      return "en-US";
-  }
+	const region = getRegionFromTimezone();
+
+	if (region) {
+		return `${language}-${region}`;
+	}
+
+	// Fallback: use language default
+	switch (language) {
+		case "de":
+			return "de-DE";
+		default:
+			return "en-US";
+	}
+}
+
+/**
+ * Get the app URL from the first CORS_ORIGINS entry.
+ * Falls back to empty string if not set.
+ */
+export function getAppUrl(): string {
+	const origins = process.env.CORS_ORIGINS || "";
+	return origins.split(",")[0]?.trim() || "";
+}
+
+/**
+ * Get the unified footer as HTML with MedAssist-ng as a link to the instance.
+ * @param variant - 'planner' uses the Medication Planner footer text
+ */
+export function getFooterHtml(language: Language): string {
+	const tr = getTranslations(language);
+	const appUrl = getAppUrl();
+	const appName = appUrl
+		? `<a href="${appUrl}" style="color: #6b7280; text-decoration: underline;">MedAssist-ng</a>`
+		: "MedAssist-ng";
+	return tr.common.footer.replace("MedAssist-ng", appName);
+}
+
+/**
+ * Get the unified footer as plain text.
+ * @param variant - 'planner' uses the Medication Planner footer text
+ */
+export function getFooterPlain(language: Language): string {
+	const tr = getTranslations(language);
+	const appUrl = getAppUrl();
+	if (appUrl) {
+		return `${tr.common.footer} (${appUrl})`;
+	}
+	return tr.common.footer;
 }
@@ -1,168 +1,272 @@
-import Fastify, { FastifyInstance } from "fastify";
-import helmet from "@fastify/helmet";
-import cors from "@fastify/cors";
-import rateLimit from "@fastify/rate-limit";
-import sensible from "@fastify/sensible";
+import { randomUUID } from "node:crypto";
+import { existsSync } from "node:fs";
+import type { IncomingHttpHeaders } from "node:http";
+import { resolve } from "node:path";
 import cookie from "@fastify/cookie";
+import cors from "@fastify/cors";
+import helmet from "@fastify/helmet";
 import jwt from "@fastify/jwt";
 import fastifyMultipart from "@fastify/multipart";
+import rateLimit from "@fastify/rate-limit";
+import sensible from "@fastify/sensible";
 import fastifyStatic from "@fastify/static";
-import { resolve } from "path";
-import { existsSync } from "fs";
-import { env } from "./plugins/env.js";
+import fastifySwagger from "@fastify/swagger";
+import fastifySwaggerUi from "@fastify/swagger-ui";
+import Fastify, { type FastifyInstance } from "fastify";
 import { migrationsReady } from "./db/client.js";
-import { healthRoutes } from "./routes/health.js";
+import { getDataDir } from "./db/db-utils.js";
+import { env } from "./plugins/env.js";
+import { apiKeyRoutes } from "./routes/api-keys.js";
 import { authRoutes } from "./routes/auth.js";
-import { oidcRoutes } from "./routes/oidc.js";
-import { medicationRoutes } from "./routes/medications.js";
-import { settingsRoutes } from "./routes/settings.js";
-import { plannerRoutes } from "./routes/planner.js";
-import { shareRoutes } from "./routes/share.js";
 import { doseRoutes } from "./routes/doses.js";
 import { exportRoutes } from "./routes/export.js";
+import { healthRoutes } from "./routes/health.js";
+import { medicationRoutes } from "./routes/medications.js";
+import { oidcRoutes } from "./routes/oidc.js";
+import { plannerRoutes } from "./routes/planner.js";
 import { refillRoutes } from "./routes/refills.js";
-import { startReminderScheduler } from "./services/reminder-scheduler.js";
+import { reportRoutes } from "./routes/report.js";
+import { settingsRoutes } from "./routes/settings.js";
+import { shareRoutes } from "./routes/share.js";
 import { startIntakeReminderScheduler } from "./services/intake-reminder-scheduler.js";
+import { startReminderScheduler } from "./services/reminder-scheduler.js";
+import { documentationSchemaAjv } from "./utils/documentation-schema-keywords.js";

 // Re-export utilities from server-config for external use
 export {
-  parseCorsOrigins,
-  buildBaseCookieOptions,
-  buildRefreshCookieOptions,
-  buildAppConfig,
-  ensureImagesDirectory,
-  getJwtConfig,
+	buildAppConfig,
+	buildBaseCookieOptions,
+	buildRefreshCookieOptions,
+	ensureImagesDirectory,
+	getJwtConfig,
+	parseCorsOrigins,
 } from "./utils/server-config.js";

 import {
-  parseCorsOrigins,
-  buildBaseCookieOptions,
-  buildRefreshCookieOptions,
-  buildAppConfig,
-  ensureImagesDirectory,
-  getJwtConfig,
+	buildAppConfig,
+	buildBaseCookieOptions,
+	buildRefreshCookieOptions,
+	ensureImagesDirectory,
+	getJwtConfig,
+	parseCorsOrigins,
 } from "./utils/server-config.js";

+function sanitizeCorrelationId(headers: IncomingHttpHeaders): string | null {
+	const rawHeader = headers["x-correlation-id"];
+	if (typeof rawHeader !== "string") return null;
+	const trimmed = rawHeader.trim();
+	if (!trimmed) return null;
+	if (trimmed.length > 128) return null;
+	if (!/^[A-Za-z0-9._:-]+$/.test(trimmed)) return null;
+	return trimmed;
+}
+
+function buildLoggerOptions(level: string) {
+	const runtimeEnv = process.env.NODE_ENV ?? "production";
+	const base = {
+		level,
+		timestamp: () => `,"time":"${new Date().toISOString()}"`,
+	};
+	// Human-readable logs in development, structured JSON in production/test
+	if (runtimeEnv === "development") {
+		return {
+			...base,
+			transport: { target: "pino-pretty", options: { translateTime: "SYS:yyyy-mm-dd HH:MM:ss.l" } },
+		};
+	}
+	return base;
+}
+
+async function registerApiDocs(app: FastifyInstance, enabled: boolean) {
+	if (!enabled) return;
+
+	await app.register(fastifySwagger, {
+		openapi: {
+			openapi: "3.0.3",
+			info: {
+				title: "MedAssist-ng API",
+				description: "MedAssist-ng backend API",
+				version: process.env.npm_package_version ?? "dev",
+			},
+			servers: [{ url: "/", description: "Current server" }],
+			tags: [
+				{ name: "health", description: "Service health endpoints" },
+				{ name: "auth", description: "Authentication and profile endpoints" },
+				{ name: "api-keys", description: "Programmatic API key management" },
+				{ name: "settings", description: "User settings and notification test endpoints" },
+			],
+			components: {
+				securitySchemes: {
+					bearerAuth: {
+						type: "http",
+						scheme: "bearer",
+						bearerFormat: "API key or JWT",
+						description: "Use Authorization: Bearer ma_... (API key) or a JWT token.",
+					},
+					cookieAuth: {
+						type: "apiKey",
+						in: "cookie",
+						name: "access_token",
+						description: "Session cookie set by login.",
+					},
+				},
+			},
+		},
+		hideUntagged: false,
+	});
+
+	await app.register(fastifySwaggerUi, {
+		routePrefix: "/docs",
+		staticCSP: true,
+		transformSpecificationClone: true,
+		uiConfig: {
+			docExpansion: "list",
+			deepLinking: false,
+		},
+	});
+}
+
 /** Create and configure Fastify app (without starting) */
 export async function createApp(options?: {
-  logLevel?: string;
-  corsOrigins?: string[];
-  authEnabled?: boolean;
-  jwtSecret?: string;
-  refreshSecret?: string;
-  cookieSecret?: string;
-  accessTtlMinutes?: number;
-  refreshTtlDays?: number;
-  isProduction?: boolean;
-  imagesDir?: string;
+	logLevel?: string;
+	corsOrigins?: string[];
+	authEnabled?: boolean;
+	jwtSecret?: string;
+	refreshSecret?: string;
+	cookieSecret?: string;
+	accessTtlMinutes?: number;
+	refreshTtlDays?: number;
+	isProduction?: boolean;
+	imagesDir?: string;
+	openApiDocsEnabled?: boolean;
 }): Promise<FastifyInstance> {
-  const opts = {
-    logLevel: options?.logLevel ?? "info",
-    corsOrigins: options?.corsOrigins ?? ["http://localhost:5173"],
-    authEnabled: options?.authEnabled ?? false,
-    jwtSecret: options?.jwtSecret,
-    refreshSecret: options?.refreshSecret,
-    cookieSecret: options?.cookieSecret ?? "dev-cookie-secret",
-    accessTtlMinutes: options?.accessTtlMinutes ?? 15,
-    refreshTtlDays: options?.refreshTtlDays ?? 7,
-    isProduction: options?.isProduction ?? false,
-    imagesDir: options?.imagesDir ?? resolve(process.cwd(), "data/images"),
-  };
+	const opts = {
+		logLevel: options?.logLevel ?? "info",
+		corsOrigins: options?.corsOrigins ?? ["http://localhost:5173"],
+		authEnabled: options?.authEnabled ?? false,
+		jwtSecret: options?.jwtSecret,
+		refreshSecret: options?.refreshSecret,
+		cookieSecret: options?.cookieSecret ?? "dev-cookie-secret",
+		accessTtlMinutes: options?.accessTtlMinutes ?? 15,
+		refreshTtlDays: options?.refreshTtlDays ?? 7,
+		isProduction: options?.isProduction ?? false,
+		imagesDir: options?.imagesDir ?? resolve(getDataDir(), "images"),
+		openApiDocsEnabled: options?.openApiDocsEnabled ?? false,
+	};

-  const app = Fastify({
-    logger: { level: opts.logLevel },
-  });
+	const app = Fastify({
+		logger: buildLoggerOptions(opts.logLevel),
+		genReqId: (request) => sanitizeCorrelationId(request.headers) ?? randomUUID(),
+		ajv: documentationSchemaAjv,
+	});

-  // Build config
-  const appConfig = buildAppConfig({
-    jwtSecret: opts.jwtSecret,
-    refreshSecret: opts.refreshSecret,
-    accessTtlMinutes: opts.accessTtlMinutes,
-    refreshTtlDays: opts.refreshTtlDays,
-    isProduction: opts.isProduction,
-  });
+	app.addHook("onRequest", (request, reply, done) => {
+		request.correlationId = request.id;
+		reply.header("x-correlation-id", request.id);
+		done();
+	});

-  app.decorate("config", appConfig);
+	// Build config
+	const appConfig = buildAppConfig({
+		jwtSecret: opts.jwtSecret,
+		refreshSecret: opts.refreshSecret,
+		accessTtlMinutes: opts.accessTtlMinutes,
+		refreshTtlDays: opts.refreshTtlDays,
+		isProduction: opts.isProduction,
+	});

-  // Register plugins
-  await app.register(sensible);
-  await app.register(helmet);
-  await app.register(cors, { origin: opts.corsOrigins, credentials: true });
-  await app.register(rateLimit, { max: 100, timeWindow: "1 minute" });
-  await app.register(cookie, { secret: opts.cookieSecret });
+	app.decorate("config", appConfig);

-  // JWT plugin
-  const jwtConfig = getJwtConfig(opts.authEnabled, opts.jwtSecret);
-  await app.register(jwt, jwtConfig);
+	// Register plugins
+	await app.register(sensible);
+	await app.register(helmet);
+	await app.register(cors, { origin: opts.corsOrigins, credentials: true });
+	await app.register(rateLimit, { max: 300, timeWindow: "1 minute" });
+	await app.register(cookie, { secret: opts.cookieSecret });

-  await app.register(fastifyMultipart, { limits: { fileSize: 10 * 1024 * 1024 } });
-  
-  // Only register static if directory exists
-  if (existsSync(opts.imagesDir)) {
-    await app.register(fastifyStatic, {
-      root: opts.imagesDir,
-      prefix: "/images/",
-      decorateReply: false,
-    });
-  }
+	// JWT plugin
+	const jwtConfig = getJwtConfig(opts.authEnabled, opts.jwtSecret);
+	await app.register(jwt, jwtConfig);

-  // Register routes
-  await app.register(healthRoutes);
-  await app.register(authRoutes);
-  await app.register(oidcRoutes);
-  await app.register(medicationRoutes);
-  await app.register(settingsRoutes);
-  await app.register(plannerRoutes);
-  await app.register(shareRoutes);
-  await app.register(doseRoutes);
-  await app.register(exportRoutes);
-  await app.register(refillRoutes);
+	await app.register(fastifyMultipart, { limits: { fileSize: 10 * 1024 * 1024 } });
+	await registerApiDocs(app, opts.openApiDocsEnabled);

-  return app;
+	// Only register static if directory exists
+	if (existsSync(opts.imagesDir)) {
+		await app.register(fastifyStatic, {
+			root: opts.imagesDir,
+			prefix: "/images/",
+			decorateReply: false,
+		});
+	}
+
+	// Register routes
+	await app.register(healthRoutes);
+	await app.register(authRoutes);
+	await app.register(apiKeyRoutes);
+	await app.register(oidcRoutes);
+	await app.register(medicationRoutes);
+	await app.register(settingsRoutes);
+	await app.register(plannerRoutes);
+	await app.register(shareRoutes);
+	await app.register(doseRoutes);
+	await app.register(exportRoutes);
+	await app.register(refillRoutes);
+	await app.register(reportRoutes);
+
+	return app;
 }

 // =============================================================================
 // Server initialization (runs on import)
 // =============================================================================

+import { log } from "./utils/logger.js";
+
 // Wait for database migrations before anything else
 await migrationsReady;
-console.log("[DB] Migrations complete, starting server...");
+log.info("[DB] Migrations complete, starting server...");

 // Ensure images directory exists
 const imagesDir = ensureImagesDirectory();

 const app = Fastify({
-  logger: {
-    level: env.LOG_LEVEL,
-  },
+	logger: buildLoggerOptions(env.LOG_LEVEL),
+	genReqId: (request) => sanitizeCorrelationId(request.headers) ?? randomUUID(),
+	ajv: documentationSchemaAjv,
+});
+
+app.addHook("onRequest", (request, reply, done) => {
+	request.correlationId = request.id;
+	reply.header("x-correlation-id", request.id);
+	done();
 });

 const origins = parseCorsOrigins(env.CORS_ORIGINS);

 // Auth token TTLs (hardcoded - no need for user configuration)
-const accessTtlMinutes = env.ACCESS_TOKEN_TTL_MINUTES;  // Access token TTL
-const refreshTtlDays = env.REFRESH_TOKEN_TTL_DAYS;      // Refresh token TTL
+const accessTtlMinutes = env.ACCESS_TOKEN_TTL_MINUTES; // Access token TTL
+const refreshTtlDays = env.REFRESH_TOKEN_TTL_DAYS; // Refresh token TTL

 const baseCookieOptions = buildBaseCookieOptions(accessTtlMinutes, env.NODE_ENV === "production");
 const refreshCookieOptions = buildRefreshCookieOptions(baseCookieOptions, refreshTtlDays);

 // Config decorator - only include secrets if auth is enabled
 app.decorate("config", {
-  accessSecret: env.JWT_SECRET ?? "",
-  refreshSecret: env.REFRESH_SECRET ?? "",
-  accessTtl: accessTtlMinutes,
-  refreshTtl: refreshTtlDays,
-  cookieOptions: baseCookieOptions,
-  refreshCookieOptions,
+	accessSecret: env.JWT_SECRET ?? "",
+	refreshSecret: env.REFRESH_SECRET ?? "",
+	accessTtl: accessTtlMinutes,
+	refreshTtl: refreshTtlDays,
+	cookieOptions: baseCookieOptions,
+	refreshCookieOptions,
 });

 await app.register(sensible);
 await app.register(helmet);
 await app.register(cors, { origin: origins, credentials: true });
 await app.register(rateLimit, {
-  max: 100,
-  timeWindow: "1 minute",
+	max: Number(process.env.RATE_LIMIT_MAX) || 100,
+	timeWindow: "1 minute",
 });
 await app.register(cookie, { secret: env.COOKIE_SECRET ?? "dev-cookie-secret" });

@@ -171,14 +275,16 @@ const jwtConfig = getJwtConfig(env.AUTH_ENABLED, env.JWT_SECRET);
 await app.register(jwt, jwtConfig);

 await app.register(fastifyMultipart, { limits: { fileSize: 10 * 1024 * 1024 } }); // 10MB limit
+await registerApiDocs(app, env.OPENAPI_DOCS_ENABLED);
 await app.register(fastifyStatic, {
-  root: imagesDir,
-  prefix: "/images/",
-  decorateReply: false,
+	root: imagesDir,
+	prefix: "/images/",
+	decorateReply: false,
 });

 await app.register(healthRoutes);
 await app.register(authRoutes);
+await app.register(apiKeyRoutes);
 await app.register(oidcRoutes);
 await app.register(medicationRoutes);
 await app.register(settingsRoutes);
@@ -187,27 +293,30 @@ await app.register(shareRoutes);
 await app.register(doseRoutes);
 await app.register(exportRoutes);
 await app.register(refillRoutes);
+await app.register(reportRoutes);

 const start = async () => {
-  try {
-    await app.listen({ port: env.PORT, host: "0.0.0.0" });
-    app.log.info(`Server running on ${env.PORT}`);
-    
-    // Start the automatic reminder scheduler
-    startReminderScheduler({
-      info: (msg) => app.log.info(msg),
-      error: (msg) => app.log.error(msg),
-    });
-    
-    // Start the intake reminder scheduler (checks every minute)
-    startIntakeReminderScheduler({
-      info: (msg) => app.log.info(msg),
-      error: (msg) => app.log.error(msg),
-    });
-  } catch (err) {
-    app.log.error(err);
-    process.exit(1);
-  }
+	try {
+		await app.listen({ port: env.PORT, host: "0.0.0.0" });
+		app.log.info(`Server running on ${env.PORT}`);
+
+		// Start the automatic reminder scheduler
+		startReminderScheduler({
+			info: (msg) => app.log.info(msg),
+			debug: (msg) => app.log.debug(msg),
+			error: (msg) => app.log.error(msg),
+		});
+
+		// Start the intake reminder scheduler (checks every minute)
+		startIntakeReminderScheduler({
+			info: (msg) => app.log.info(msg),
+			debug: (msg) => app.log.debug(msg),
+			error: (msg) => app.log.error(msg),
+		});
+	} catch (err) {
+		app.log.error(err);
+		process.exit(1);
+	}
 };

 start();
@@ -1,8 +1,9 @@
-import { FastifyInstance, FastifyRequest, FastifyReply } from "fastify";
-import { env } from "./env.js";
+import { pbkdf2Sync } from "node:crypto";
+import { and, count, eq, sql } from "drizzle-orm";
+import type { FastifyInstance, FastifyReply, FastifyRequest } from "fastify";
 import { db } from "../db/client.js";
-import { users } from "../db/schema.js";
-import { sql, count, eq } from "drizzle-orm";
+import { apiKeys, users } from "../db/schema.js";
+import { env } from "./env.js";

 // =============================================================================
 // Anonymous User - Used when AUTH_ENABLED=false
@@ -17,67 +18,147 @@ let anonymousUserVerified = false;
 * Uses a fixed ID (999999999) that will never collide with auto-increment IDs.
 */
 export async function getAnonymousUserId(): Promise<number> {
-  // Return cached if already verified
-  if (anonymousUserVerified) {
-    return ANONYMOUS_USER_ID;
-  }
+	// Return cached if already verified
+	if (anonymousUserVerified) {
+		return ANONYMOUS_USER_ID;
+	}

-  // Check if anonymous user exists
-  const [existing] = await db.select().from(users).where(eq(users.id, ANONYMOUS_USER_ID));
-  
-  if (existing) {
-    anonymousUserVerified = true;
-    return ANONYMOUS_USER_ID;
-  }
+	// Check if anonymous user exists
+	const [existing] = await db.select().from(users).where(eq(users.id, ANONYMOUS_USER_ID));

-  // Create anonymous user with fixed ID (SQLite allows explicit ID)
-  await db.run(sql`
+	if (existing) {
+		anonymousUserVerified = true;
+		return ANONYMOUS_USER_ID;
+	}
+
+	// Create anonymous user with fixed ID (SQLite allows explicit ID)
+	await db.run(sql`
    INSERT INTO users (id, username, password_hash, auth_provider, is_active, created_at, updated_at)
    VALUES (${ANONYMOUS_USER_ID}, ${ANONYMOUS_USERNAME}, NULL, 'anonymous', 1, CURRENT_TIMESTAMP, CURRENT_TIMESTAMP)
  `);

-  anonymousUserVerified = true;
-  console.log(`Created anonymous user with fixed ID ${ANONYMOUS_USER_ID} for no-auth mode`);
-  
-  return ANONYMOUS_USER_ID;
+	anonymousUserVerified = true;
+
+	return ANONYMOUS_USER_ID;
 }

 // =============================================================================
 // Auth State - Computed at runtime
 // =============================================================================
 export interface AuthState {
-  authEnabled: boolean;
-  registrationEnabled: boolean;
-  localAuthEnabled: boolean;
-  oidcEnabled: boolean;
-  oidcProviderName: string;
-  hasUsers: boolean;
-  needsSetup: boolean;
+	authEnabled: boolean;
+	registrationEnabled: boolean;
+	formLoginEnabled: boolean;
+	oidcEnabled: boolean;
+	oidcProviderName: string;
+	hasUsers: boolean;
+	needsSetup: boolean;
 }

 export async function getAuthState(): Promise<AuthState> {
-  // Count only real users (not the anonymous user with fixed ID)
-  const [result] = await db.select({ count: count() }).from(users).where(sql`${users.id} != ${ANONYMOUS_USER_ID}`);
-  const hasUsers = result.count > 0;
-  
-  return {
-    authEnabled: env.AUTH_ENABLED,
-    // Registration: enabled via ENV OR no users exist (first-time setup)
-    registrationEnabled: env.REGISTRATION_ENABLED || !hasUsers,
-    localAuthEnabled: env.AUTH_ENABLED,  // Password auth available when auth is enabled
-    oidcEnabled: env.OIDC_ENABLED,
-    oidcProviderName: env.OIDC_PROVIDER_NAME,
-    hasUsers,
-    needsSetup: env.AUTH_ENABLED && !hasUsers,
-  };
+	// Count only real users (not the anonymous user with fixed ID)
+	const [result] = await db.select({ count: count() }).from(users).where(sql`${users.id} != ${ANONYMOUS_USER_ID}`);
+	const hasUsers = result.count > 0;
+
+	const needsSetup = env.AUTH_ENABLED && !hasUsers;
+
+	return {
+		authEnabled: env.AUTH_ENABLED,
+		// Registration: enabled via ENV OR no users exist (first-time setup)
+		registrationEnabled: env.REGISTRATION_ENABLED || !hasUsers,
+		// Form login: enabled when auth + form login are both on, or forced on for first-user setup
+		formLoginEnabled: needsSetup || (env.AUTH_ENABLED && env.FORM_LOGIN_ENABLED),
+		oidcEnabled: env.OIDC_ENABLED,
+		oidcProviderName: env.OIDC_PROVIDER_NAME,
+		hasUsers,
+		needsSetup,
+	};
 }

 // =============================================================================
 // Request User Type (no roles - all users are equal)
 // =============================================================================
 export interface RequestUser {
-  id: number;
-  username: string;
+	id: number;
+	username: string;
+}
+
+const READ_ONLY_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);
+
+function isMutationMethod(method: string): boolean {
+	return !READ_ONLY_METHODS.has(method.toUpperCase());
+}
+
+function getApiKeyPepper(): string {
+	return env.JWT_SECRET || env.REFRESH_SECRET || "medassist-api-key-pepper";
+}
+
+export function hashApiKeyToken(token: string): string {
+	return pbkdf2Sync(token, getApiKeyPepper(), 120_000, 64, "sha512").toString("hex");
+}
+
+function getBearerToken(request: FastifyRequest): string | null {
+	const authHeader = request.headers.authorization;
+	if (!authHeader) return null;
+
+	const [scheme, value] = authHeader.split(" ");
+	if (!scheme || !value) return null;
+	if (scheme.toLowerCase() !== "bearer") return null;
+
+	const token = value.trim();
+	return token.length > 0 ? token : null;
+}
+
+async function tryApiKeyAuth(request: FastifyRequest, reply: FastifyReply): Promise<boolean> {
+	const bearerToken = getBearerToken(request);
+	if (!bearerToken) return false;
+
+	if (!bearerToken.startsWith("ma_")) {
+		reply.status(401).send({ error: "Invalid API key", code: "INVALID_API_KEY" });
+		throw new Error("INVALID_API_KEY");
+	}
+
+	const keyHash = hashApiKeyToken(bearerToken);
+	const [keyRow] = await db
+		.select()
+		.from(apiKeys)
+		.where(and(eq(apiKeys.keyHash, keyHash), eq(apiKeys.isActive, true)));
+
+	if (!keyRow) {
+		reply.status(401).send({ error: "Invalid API key", code: "INVALID_API_KEY" });
+		throw new Error("INVALID_API_KEY");
+	}
+
+	if (keyRow.expiresAt && keyRow.expiresAt.getTime() <= Date.now()) {
+		reply.status(401).send({ error: "API key expired", code: "API_KEY_EXPIRED" });
+		throw new Error("API_KEY_EXPIRED");
+	}
+
+	const [user] = await db.select().from(users).where(eq(users.id, keyRow.userId));
+	if (!user || !user.isActive) {
+		reply.status(401).send({ error: "User not found", code: "USER_NOT_FOUND" });
+		throw new Error("USER_NOT_FOUND");
+	}
+
+	const scope = keyRow.scope === "read" ? "read" : "write";
+	if (scope === "read" && isMutationMethod(request.method)) {
+		reply.status(403).send({ error: "API key scope does not allow this operation", code: "API_KEY_SCOPE_FORBIDDEN" });
+		throw new Error("API_KEY_SCOPE_FORBIDDEN");
+	}
+
+	request.user = { id: user.id, username: user.username };
+	request.authContext = {
+		method: "api_key",
+		scope,
+		apiKeyId: keyRow.id,
+	};
+
+	await db
+		.update(apiKeys)
+		.set({ lastUsedAt: new Date(), updatedAt: new Date() })
+		.where(and(eq(apiKeys.id, keyRow.id), eq(apiKeys.userId, user.id)));
+
+	return true;
 }

 // =============================================================================
@@ -87,78 +168,120 @@ export interface RequestUser {
 /**
 * Optional auth - verifies JWT if present, but doesn't require it
 */
-export async function optionalAuth(request: FastifyRequest, reply: FastifyReply) {
-  if (!env.AUTH_ENABLED) {
-    return;
-  }
+export async function optionalAuth(request: FastifyRequest, _reply: FastifyReply) {
+	if (!env.AUTH_ENABLED) {
+		return;
+	}

-  const token = request.cookies.access_token;
-  if (!token) {
-    return;
-  }
+	const bearerToken = getBearerToken(request);
+	if (bearerToken?.startsWith("ma_")) {
+		const keyHash = hashApiKeyToken(bearerToken);
+		const [keyRow] = await db
+			.select()
+			.from(apiKeys)
+			.where(and(eq(apiKeys.keyHash, keyHash), eq(apiKeys.isActive, true)));
+		if (!keyRow) return;
+		if (keyRow.expiresAt && keyRow.expiresAt.getTime() <= Date.now()) return;

-  try {
-    const decoded = await request.jwtVerify<{ sub: number; username: string }>();
-    const [user] = await db.select().from(users).where(sql`${users.id} = ${decoded.sub}`);
-    if (user && user.isActive) {
-      request.user = {
-        id: user.id,
-        username: user.username,
-      };
-    }
-  } catch {
-    // Invalid token, continue as anonymous
-  }
+		const [userByKey] = await db.select().from(users).where(eq(users.id, keyRow.userId));
+		if (userByKey?.isActive) {
+			request.user = { id: userByKey.id, username: userByKey.username };
+			request.authContext = {
+				method: "api_key",
+				scope: keyRow.scope === "read" ? "read" : "write",
+				apiKeyId: keyRow.id,
+			};
+		}
+		return;
+	}
+
+	const token = request.cookies.access_token;
+	if (!token) {
+		return;
+	}
+
+	try {
+		const decoded = await request.jwtVerify<{ sub: number; username: string }>();
+		const [user] = await db.select().from(users).where(sql`${users.id} = ${decoded.sub}`);
+		if (user?.isActive) {
+			request.user = {
+				id: user.id,
+				username: user.username,
+			};
+			request.authContext = {
+				method: "session",
+				scope: "write",
+			};
+		}
+	} catch {
+		// Invalid token, continue as anonymous
+	}
 }

 /**
 * Required auth - requires valid JWT when auth is enabled
 */
 export async function requireAuth(request: FastifyRequest, reply: FastifyReply) {
-  if (!env.AUTH_ENABLED) {
-    return;
-  }
+	if (!env.AUTH_ENABLED) {
+		return;
+	}

-  const token = request.cookies.access_token;
-  if (!token) {
-    reply.status(401).send({ error: "Authentication required", code: "AUTH_REQUIRED" });
-    throw new Error("AUTH_REQUIRED");
-  }
+	if (await tryApiKeyAuth(request, reply)) {
+		return;
+	}

-  try {
-    const decoded = await request.jwtVerify<{ sub: number; username: string }>();
-    const [user] = await db.select().from(users).where(sql`${users.id} = ${decoded.sub}`);
-    
-    if (!user) {
-      reply.status(401).send({ error: "User not found", code: "USER_NOT_FOUND" });
-      throw new Error("USER_NOT_FOUND");
-    }
-    
-    if (!user.isActive) {
-      reply.status(401).send({ error: "Account disabled", code: "ACCOUNT_DISABLED" });
-      throw new Error("ACCOUNT_DISABLED");
-    }
+	const token = request.cookies.access_token;
+	if (!token) {
+		reply.status(401).send({ error: "Authentication required", code: "AUTH_REQUIRED" });
+		throw new Error("AUTH_REQUIRED");
+	}

-    request.user = {
-      id: user.id,
-      username: user.username,
-    };
-  } catch (err: any) {
-    // Re-throw our own errors
-    if (err?.message === "AUTH_REQUIRED" || err?.message === "USER_NOT_FOUND" || err?.message === "ACCOUNT_DISABLED") {
-      throw err;
-    }
-    // JWT verification failed
-    reply.status(401).send({ error: "Invalid or expired token", code: "INVALID_TOKEN" });
-    throw new Error("INVALID_TOKEN");
-  }
+	try {
+		const decoded = await request.jwtVerify<{ sub: number; username: string }>();
+		const [user] = await db.select().from(users).where(sql`${users.id} = ${decoded.sub}`);
+
+		if (!user) {
+			reply.status(401).send({ error: "User not found", code: "USER_NOT_FOUND" });
+			throw new Error("USER_NOT_FOUND");
+		}
+
+		if (!user.isActive) {
+			reply.status(401).send({ error: "Account disabled", code: "ACCOUNT_DISABLED" });
+			throw new Error("ACCOUNT_DISABLED");
+		}
+
+		request.user = {
+			id: user.id,
+			username: user.username,
+		};
+		request.authContext = {
+			method: "session",
+			scope: "write",
+		};
+	} catch (err: unknown) {
+		// Re-throw our own errors
+		if (
+			err instanceof Error &&
+			(err.message === "AUTH_REQUIRED" ||
+				err.message === "USER_NOT_FOUND" ||
+				err.message === "ACCOUNT_DISABLED" ||
+				err.message === "INVALID_API_KEY" ||
+				err.message === "API_KEY_EXPIRED" ||
+				err.message === "API_KEY_SCOPE_FORBIDDEN")
+		) {
+			throw err;
+		}
+		// JWT verification failed
+		reply.status(401).send({ error: "Invalid or expired token", code: "INVALID_TOKEN" });
+		throw new Error("INVALID_TOKEN");
+	}
 }

 /**
 * Auth state endpoint plugin
 */
 export async function authPlugin(app: FastifyInstance) {
-  app.get("/auth/state", async () => {
-    return getAuthState();
-  });
+	app.get("/auth/state", async () => {
+		return getAuthState();
+	});
 }
@@ -1,108 +1,168 @@
-import { z } from "zod";
+import { existsSync } from "node:fs";
 import dotenv from "dotenv";
+import { z } from "zod";

-dotenv.config({ path: process.env.DOTENV_PATH || ".env" });
+// Load .env: try cwd first, then parent dir (for local dev running from backend/)
+const envPath = process.env.DOTENV_PATH || (existsSync(".env") ? ".env" : "../.env");
+dotenv.config({ path: envPath });

 const EnvSchema = z.object({
-  NODE_ENV: z.enum(["development", "production", "test"]).default("production"),
-  PORT: z.string().transform((v) => parseInt(v, 10)).default("3000"),
-  CORS_ORIGINS: z.string().default("http://localhost:5173,http://localhost:4173"),
-  LOG_LEVEL: z.string().default("info"),
-  
-  // ==========================================================================
-  // Auth Configuration
-  // ==========================================================================
-  // Master switch: Enable/disable authentication (default: disabled for easy setup)
-  AUTH_ENABLED: z.string().transform((v) => v === "true").default("false"),
-  // Allow new user registrations (auto-enabled if no users exist)
-  REGISTRATION_ENABLED: z.string().transform((v) => v === "true").default("false"),
-  // Disable local auth when using SSO only
+	NODE_ENV: z.enum(["development", "production", "test"]).default("production"),
+	PORT: z
+		.string()
+		.transform((v) => parseInt(v, 10))
+		.default("3000"),
+	CORS_ORIGINS: z.string().default("http://localhost:5173,http://localhost:4173"),
+	LOG_LEVEL: z.string().default("info"),
+	OPENAPI_DOCS_ENABLED: z
+		.string()
+		.transform((v) => v === "true")
+		.optional(),

-  
-  // JWT Secrets - only required when AUTH_ENABLED=true
-  JWT_SECRET: z.string().min(10).optional(),
-  REFRESH_SECRET: z.string().min(10).optional(),
-  COOKIE_SECRET: z.string().min(10).optional(),
-  
-  // Token TTL settings
-  ACCESS_TOKEN_TTL_MINUTES: z.string().transform((v) => parseInt(v, 10)).default("15"),
-  REFRESH_TOKEN_TTL_DAYS: z.string().transform((v) => parseInt(v, 10)).default("7"),
+	// ==========================================================================
+	// Auth Configuration
+	// ==========================================================================
+	// Master switch: Enable/disable authentication (default: disabled for easy setup)
+	AUTH_ENABLED: z
+		.string()
+		.transform((v) => v === "true")
+		.default("false"),
+	// Allow new user registrations (auto-enabled if no users exist)
+	REGISTRATION_ENABLED: z
+		.string()
+		.transform((v) => v === "true")
+		.default("false"),
+	// Disable username/password form login (useful for OIDC-only setups)
+	FORM_LOGIN_ENABLED: z
+		.string()
+		.transform((v) => v === "true")
+		.default("true"),

-  // ==========================================================================
-  // OIDC SSO Configuration (Pocket ID, Authelia, etc.)
-  // ==========================================================================
-  OIDC_ENABLED: z.string().transform((v) => v === "true").default("false"),
-  OIDC_ISSUER_URL: z.string().url().optional(),  // e.g., https://auth.example.com
-  OIDC_CLIENT_ID: z.string().optional(),
-  OIDC_CLIENT_SECRET: z.string().optional(),
-  OIDC_REDIRECT_URI: z.string().url().optional(),  // e.g., https://medassist.example.com/api/auth/oidc/callback
-  OIDC_SCOPES: z.string().default("openid profile email"),
-  OIDC_AUTO_CREATE_USERS: z.string().transform((v) => v === "true").default("true"),
-  OIDC_USERNAME_CLAIM: z.string().default("preferred_username"),  // or 'email', 'sub'
-  OIDC_PROVIDER_NAME: z.string().default("SSO"),  // Display name for UI button
+	// JWT Secrets - only required when AUTH_ENABLED=true
+	JWT_SECRET: z.string().min(10).optional(),
+	REFRESH_SECRET: z.string().min(10).optional(),
+	COOKIE_SECRET: z.string().min(10).optional(),
+
+	// Token TTL settings
+	ACCESS_TOKEN_TTL_MINUTES: z
+		.string()
+		.transform((v) => parseInt(v, 10))
+		.default("15"),
+	REFRESH_TOKEN_TTL_DAYS: z
+		.string()
+		.transform((v) => parseInt(v, 10))
+		.default("7"),
+
+	// ==========================================================================
+	// OIDC SSO Configuration (Pocket ID, Authelia, etc.)
+	// ==========================================================================
+	OIDC_ENABLED: z
+		.string()
+		.transform((v) => v === "true")
+		.default("false"),
+	OIDC_ISSUER_URL: z.string().url().optional(), // e.g., https://auth.example.com
+	OIDC_CLIENT_ID: z.string().optional(),
+	OIDC_CLIENT_SECRET: z.string().optional(),
+	OIDC_REDIRECT_URI: z.string().url().optional(), // e.g., https://medassist.example.com/api/auth/oidc/callback
+	OIDC_SCOPES: z.string().default("openid profile email"),
+	OIDC_AUTO_CREATE_USERS: z
+		.string()
+		.transform((v) => v === "true")
+		.default("true"),
+	OIDC_USERNAME_CLAIM: z.string().default("preferred_username"), // or 'email', 'sub'
+	OIDC_PROVIDER_NAME: z.string().default("SSO"), // Display name for UI button
 });

-export type Env = z.infer<typeof EnvSchema>;
+type ParsedEnv = z.infer<typeof EnvSchema>;
+export type Env = ParsedEnv & {
+	OPENAPI_DOCS_ENABLED: boolean;
+};

 // Parse and validate
-let parsed: z.infer<typeof EnvSchema>;
+let parsed: ParsedEnv;
 try {
-  parsed = EnvSchema.parse(process.env);
+	parsed = EnvSchema.parse(process.env);
 } catch (err) {
-  console.error("=".repeat(60));
-  console.error("ENVIRONMENT CONFIGURATION ERROR");
-  console.error("=".repeat(60));
-  console.error(err);
-  console.error("\nPlease check your .env file or environment variables.");
-  console.error("=".repeat(60));
-  process.exit(1);
+	console.error("=".repeat(60));
+	console.error("ENVIRONMENT CONFIGURATION ERROR");
+	console.error("=".repeat(60));
+	console.error(err);
+	console.error("\nPlease check your .env file or environment variables.");
+	console.error("=".repeat(60));
+	process.exit(1);
 }

 // Validate that secrets are provided when auth is enabled
 if (parsed.AUTH_ENABLED) {
-  const missing: string[] = [];
-  if (!parsed.JWT_SECRET) missing.push("JWT_SECRET");
-  if (!parsed.REFRESH_SECRET) missing.push("REFRESH_SECRET");
-  if (!parsed.COOKIE_SECRET) missing.push("COOKIE_SECRET");
-  
-  if (missing.length > 0) {
-    console.error("=".repeat(60));
-    console.error("AUTHENTICATION CONFIGURATION ERROR");
-    console.error("=".repeat(60));
-    console.error(`AUTH_ENABLED=true but missing required secrets: ${missing.join(", ")}`);
-    console.error("");
-    console.error("To fix this, either:");
-    console.error("  1. Set these environment variables with secure random values:");
-    console.error("     Generate with: openssl rand -hex 32");
-    console.error("");
-    console.error("  2. Or disable authentication by removing AUTH_ENABLED=true");
-    console.error("=".repeat(60));
-    process.exit(1);
-  }
+	const missing: string[] = [];
+	if (!parsed.JWT_SECRET) missing.push("JWT_SECRET");
+	if (!parsed.REFRESH_SECRET) missing.push("REFRESH_SECRET");
+	if (!parsed.COOKIE_SECRET) missing.push("COOKIE_SECRET");
+
+	if (missing.length > 0) {
+		console.error("=".repeat(60));
+		console.error("AUTHENTICATION CONFIGURATION ERROR");
+		console.error("=".repeat(60));
+		console.error(`AUTH_ENABLED=true but missing required secrets: ${missing.join(", ")}`);
+		console.error("");
+		console.error("To fix this, either:");
+		console.error("  1. Set these environment variables with secure random values:");
+		console.error("     Generate with: openssl rand -hex 32");
+		console.error("");
+		console.error("  2. Or disable authentication by removing AUTH_ENABLED=true");
+		console.error("=".repeat(60));
+		process.exit(1);
+	}
 }

 // Validate OIDC configuration when enabled
 if (parsed.OIDC_ENABLED) {
-  const missing: string[] = [];
-  if (!parsed.OIDC_ISSUER_URL) missing.push("OIDC_ISSUER_URL");
-  if (!parsed.OIDC_CLIENT_ID) missing.push("OIDC_CLIENT_ID");
-  if (!parsed.OIDC_CLIENT_SECRET) missing.push("OIDC_CLIENT_SECRET");
-  if (!parsed.OIDC_REDIRECT_URI) missing.push("OIDC_REDIRECT_URI");
-  
-  if (missing.length > 0) {
-    console.error("=".repeat(60));
-    console.error("OIDC CONFIGURATION ERROR");
-    console.error("=".repeat(60));
-    console.error(`OIDC_ENABLED=true but missing required settings: ${missing.join(", ")}`);
-    console.error("");
-    console.error("Required OIDC settings:");
-    console.error("  OIDC_ISSUER_URL=https://your-oidc-provider.com");
-    console.error("  OIDC_CLIENT_ID=your-client-id");
-    console.error("  OIDC_CLIENT_SECRET=your-client-secret");
-    console.error("  OIDC_REDIRECT_URI=https://your-app.com/api/auth/oidc/callback");
-    console.error("=".repeat(60));
-    process.exit(1);
-  }
+	const missing: string[] = [];
+	if (!parsed.OIDC_ISSUER_URL) missing.push("OIDC_ISSUER_URL");
+	if (!parsed.OIDC_CLIENT_ID) missing.push("OIDC_CLIENT_ID");
+	if (!parsed.OIDC_CLIENT_SECRET) missing.push("OIDC_CLIENT_SECRET");
+	if (!parsed.OIDC_REDIRECT_URI) missing.push("OIDC_REDIRECT_URI");
+
+	if (missing.length > 0) {
+		console.error("=".repeat(60));
+		console.error("OIDC CONFIGURATION ERROR");
+		console.error("=".repeat(60));
+		console.error(`OIDC_ENABLED=true but missing required settings: ${missing.join(", ")}`);
+		console.error("");
+		console.error("Required OIDC settings:");
+		console.error("  OIDC_ISSUER_URL=https://your-oidc-provider.com");
+		console.error("  OIDC_CLIENT_ID=your-client-id");
+		console.error("  OIDC_CLIENT_SECRET=your-client-secret");
+		console.error("  OIDC_REDIRECT_URI=https://your-app.com/api/auth/oidc/callback");
+		console.error("=".repeat(60));
+		process.exit(1);
+	}
 }

-export const env = parsed;
+// Validate that at least one login method is available when auth is enabled
+if (parsed.AUTH_ENABLED && !parsed.FORM_LOGIN_ENABLED && !parsed.OIDC_ENABLED) {
+	console.error("=".repeat(60));
+	console.error("AUTHENTICATION CONFIGURATION ERROR");
+	console.error("=".repeat(60));
+	console.error("AUTH_ENABLED=true but no login method is available.");
+	console.error("FORM_LOGIN_ENABLED=false and OIDC_ENABLED=false means users cannot log in.");
+	console.error("");
+	console.error("To fix this, either:");
+	console.error("  1. Set FORM_LOGIN_ENABLED=true to allow username/password login");
+	console.error("  2. Set OIDC_ENABLED=true to allow SSO login");
+	console.error("=".repeat(60));
+	process.exit(1);
+}
+
+// Warn about ineffective registration when form login is disabled
+if (parsed.REGISTRATION_ENABLED && !parsed.FORM_LOGIN_ENABLED) {
+	console.warn(
+		"[config] REGISTRATION_ENABLED=true has no effect when FORM_LOGIN_ENABLED=false (no registration form available)"
+	);
+}
+
+export const env: Env = {
+	...parsed,
+	// Docs UI/spec are enabled in non-production by default.
+	OPENAPI_DOCS_ENABLED: parsed.OPENAPI_DOCS_ENABLED ?? parsed.NODE_ENV !== "production",
+};
@@ -0,0 +1,302 @@
+import { randomBytes } from "node:crypto";
+import { and, desc, eq } from "drizzle-orm";
+import type { FastifyInstance } from "fastify";
+import { z } from "zod";
+import { db } from "../db/client.js";
+import { apiKeys } from "../db/schema.js";
+import { hashApiKeyToken, requireAuth } from "../plugins/auth.js";
+import { env } from "../plugins/env.js";
+import type { AuthUser } from "../types/fastify.js";
+
+const createApiKeySchema = z.object({
+	name: z.string().trim().min(3).max(100),
+	scope: z.enum(["read", "write"]).default("write"),
+	expiresInDays: z.number().int().min(1).max(3650).optional(),
+});
+
+const idParamSchema = z.object({
+	id: z.string().regex(/^\d+$/),
+});
+
+const protectedEndpointSecurity: ReadonlyArray<Record<string, readonly string[]>> = [
+	{ bearerAuth: [] },
+	{ cookieAuth: [] },
+];
+const genericErrorSchema = {
+	type: "object",
+	properties: {
+		error: { type: "string" },
+		code: { type: "string" },
+	},
+};
+
+const apiKeyMetadataSchema = {
+	type: "object",
+	properties: {
+		id: { type: "number" },
+		name: { type: "string" },
+		tokenPrefix: { type: "string" },
+		scope: { type: "string", enum: ["read", "write"] },
+		isActive: { type: "boolean" },
+		lastUsedAt: { type: ["string", "null"], format: "date-time" },
+		expiresAt: { type: ["string", "null"], format: "date-time" },
+		createdAt: { type: ["string", "null"], format: "date-time" },
+		updatedAt: { type: ["string", "null"], format: "date-time" },
+	},
+};
+
+function normalizeDateTime(value: unknown): string | null {
+	if (value == null) {
+		return null;
+	}
+
+	if (value instanceof Date) {
+		return Number.isNaN(value.getTime()) ? null : value.toISOString();
+	}
+
+	if (typeof value === "number") {
+		const timestampMs = value < 1_000_000_000_000 ? value * 1000 : value;
+		const date = new Date(timestampMs);
+		return Number.isNaN(date.getTime()) ? null : date.toISOString();
+	}
+
+	if (typeof value === "string") {
+		const date = new Date(value);
+		return Number.isNaN(date.getTime()) ? null : date.toISOString();
+	}
+
+	return null;
+}
+
+function serializeApiKeyMetadata<
+	T extends {
+		id: number;
+		name: string;
+		tokenPrefix: string;
+		scope: string;
+		isActive: boolean;
+		lastUsedAt: unknown;
+		expiresAt: unknown;
+		createdAt: unknown;
+		updatedAt: unknown;
+	},
+>(key: T) {
+	return {
+		id: key.id,
+		name: key.name,
+		tokenPrefix: key.tokenPrefix,
+		scope: key.scope,
+		isActive: key.isActive,
+		lastUsedAt: normalizeDateTime(key.lastUsedAt),
+		expiresAt: normalizeDateTime(key.expiresAt),
+		createdAt: normalizeDateTime(key.createdAt),
+		updatedAt: normalizeDateTime(key.updatedAt),
+	};
+}
+
+export async function apiKeyRoutes(app: FastifyInstance) {
+	app.addHook("preHandler", requireAuth);
+
+	app.get(
+		"/auth/api-keys",
+		{
+			schema: {
+				tags: ["api-keys"],
+				summary: "List API keys for the current user",
+				description: "Returns API key metadata. Raw API key tokens are never returned.",
+				security: protectedEndpointSecurity,
+				response: {
+					200: {
+						type: "object",
+						properties: {
+							keys: {
+								type: "array",
+								items: apiKeyMetadataSchema,
+							},
+						},
+					},
+					400: genericErrorSchema,
+					401: genericErrorSchema,
+				},
+			},
+		},
+		async (request, reply) => {
+			if (!env.AUTH_ENABLED) {
+				return reply.status(400).send({ error: "API keys are unavailable when auth is disabled" });
+			}
+
+			const authUser = request.user as unknown as AuthUser | null;
+			if (!authUser) {
+				return reply.status(401).send({ error: "User not authenticated", code: "AUTH_REQUIRED" });
+			}
+
+			const keys = await db
+				.select({
+					id: apiKeys.id,
+					name: apiKeys.name,
+					tokenPrefix: apiKeys.tokenPrefix,
+					scope: apiKeys.scope,
+					isActive: apiKeys.isActive,
+					lastUsedAt: apiKeys.lastUsedAt,
+					expiresAt: apiKeys.expiresAt,
+					createdAt: apiKeys.createdAt,
+					updatedAt: apiKeys.updatedAt,
+				})
+				.from(apiKeys)
+				.where(eq(apiKeys.userId, authUser.id))
+				.orderBy(desc(apiKeys.createdAt));
+
+			return { keys: keys.map(serializeApiKeyMetadata) };
+		}
+	);
+
+	app.post<{ Body: z.infer<typeof createApiKeySchema> }>(
+		"/auth/api-keys",
+		{
+			schema: {
+				tags: ["api-keys"],
+				summary: "Create and rotate API key",
+				description:
+					"Creates a new API key and deactivates previously active API keys for the current user. The new token is returned only once.",
+				security: protectedEndpointSecurity,
+				body: {
+					type: "object",
+					required: ["name"],
+					properties: {
+						name: { type: "string", minLength: 3, maxLength: 100 },
+						scope: { type: "string", enum: ["read", "write"], default: "write" },
+						expiresInDays: { type: "number", minimum: 1, maximum: 3650 },
+					},
+					example: {
+						name: "Home Assistant integration",
+						scope: "write",
+						expiresInDays: 365,
+					},
+				},
+				response: {
+					201: {
+						type: "object",
+						properties: {
+							key: apiKeyMetadataSchema,
+							token: { type: "string" },
+							note: { type: "string" },
+						},
+					},
+					400: { anyOf: [genericErrorSchema, { type: "object" }] },
+					401: genericErrorSchema,
+				},
+			},
+		},
+		async (request, reply) => {
+			if (!env.AUTH_ENABLED) {
+				return reply.status(400).send({ error: "API keys are unavailable when auth is disabled" });
+			}
+
+			const parsed = createApiKeySchema.safeParse(request.body);
+			if (!parsed.success) {
+				return reply.status(400).send(parsed.error.format());
+			}
+
+			const authUser = request.user as unknown as AuthUser | null;
+			if (!authUser) {
+				return reply.status(401).send({ error: "User not authenticated", code: "AUTH_REQUIRED" });
+			}
+
+			const { name, scope, expiresInDays } = parsed.data;
+			const rawToken = `ma_${randomBytes(32).toString("hex")}`;
+			const tokenPrefix = `${rawToken.slice(0, 12)}...`;
+			const keyHash = hashApiKeyToken(rawToken);
+			const expiresAt = expiresInDays ? new Date(Date.now() + expiresInDays * 24 * 60 * 60 * 1000) : null;
+
+			// Keep a single active key per user: creating a new key invalidates old ones.
+			await db
+				.update(apiKeys)
+				.set({ isActive: false, updatedAt: new Date() })
+				.where(and(eq(apiKeys.userId, authUser.id), eq(apiKeys.isActive, true)));
+
+			const [created] = await db
+				.insert(apiKeys)
+				.values({
+					userId: authUser.id,
+					name,
+					keyHash,
+					tokenPrefix,
+					scope,
+					expiresAt,
+				})
+				.returning({
+					id: apiKeys.id,
+					name: apiKeys.name,
+					tokenPrefix: apiKeys.tokenPrefix,
+					scope: apiKeys.scope,
+					isActive: apiKeys.isActive,
+					lastUsedAt: apiKeys.lastUsedAt,
+					expiresAt: apiKeys.expiresAt,
+					createdAt: apiKeys.createdAt,
+					updatedAt: apiKeys.updatedAt,
+				});
+
+			return reply.status(201).send({
+				key: serializeApiKeyMetadata(created),
+				token: rawToken,
+				note: "Store this token now. It cannot be retrieved again.",
+			});
+		}
+	);
+
+	app.delete<{ Params: { id: string } }>(
+		"/auth/api-keys/:id",
+		{
+			schema: {
+				tags: ["api-keys"],
+				summary: "Deactivate API key",
+				description: "Deactivates one API key belonging to the current user.",
+				security: protectedEndpointSecurity,
+				params: {
+					type: "object",
+					required: ["id"],
+					properties: {
+						id: { type: "string", pattern: "^\\d+$" },
+					},
+				},
+				response: {
+					204: { type: "null" },
+					400: { anyOf: [genericErrorSchema, { type: "object" }] },
+					401: genericErrorSchema,
+					404: genericErrorSchema,
+				},
+			},
+		},
+		async (request, reply) => {
+			if (!env.AUTH_ENABLED) {
+				return reply.status(400).send({ error: "API keys are unavailable when auth is disabled" });
+			}
+
+			const parsedParams = idParamSchema.safeParse(request.params);
+			if (!parsedParams.success) {
+				return reply.status(400).send(parsedParams.error.format());
+			}
+
+			const authUser = request.user as unknown as AuthUser | null;
+			if (!authUser) {
+				return reply.status(401).send({ error: "User not authenticated", code: "AUTH_REQUIRED" });
+			}
+
+			const keyId = Number(parsedParams.data.id);
+			const [existing] = await db
+				.select({ id: apiKeys.id, userId: apiKeys.userId })
+				.from(apiKeys)
+				.where(and(eq(apiKeys.id, keyId), eq(apiKeys.userId, authUser.id)));
+			if (!existing) {
+				return reply.status(404).send({ error: "API key not found", code: "API_KEY_NOT_FOUND" });
+			}
+
+			await db
+				.update(apiKeys)
+				.set({ isActive: false, updatedAt: new Date() })
+				.where(and(eq(apiKeys.id, keyId), eq(apiKeys.userId, authUser.id)));
+
+			return reply.status(204).send();
+		}
+	);
+}
@@ -1,334 +1,722 @@
-import { FastifyInstance } from "fastify";
+import { and, eq } from "drizzle-orm";
+import type { FastifyInstance, FastifyReply, FastifyRequest } from "fastify";
 import { z } from "zod";
 import { db } from "../db/client.js";
-import { doseTracking, shareTokens } from "../db/schema.js";
-import { eq, and, inArray } from "drizzle-orm";
-import { requireAuth, getAnonymousUserId } from "../plugins/auth.js";
+import { doseTracking, medications, shareTokens, userSettings } from "../db/schema.js";
+import { getAnonymousUserId, requireAuth } from "../plugins/auth.js";
 import { env } from "../plugins/env.js";
+import { computeMedicationCurrentStock } from "../services/current-stock.js";
 import type { AuthUser } from "../types/fastify.js";
+import {
+	applyOpenApiRouteStandards,
+	genericErrorSchema,
+	tokenParamsSchema,
+	validationErrorSchema,
+} from "../utils/openapi-route-standards.js";
+import {
+	parseIntakesJson,
+	parseLocalDateTime,
+	parseTakenByJson,
+	personTakesMedication,
+} from "../utils/scheduler-utils.js";

 // =============================================================================
 // Validation Schemas
 // =============================================================================
 const markDoseSchema = z.object({
-  doseId: z.string().min(1, "doseId is required"),
+	doseId: z.string().min(1, "doseId is required"),
 });

 const shareDoseSchema = z.object({
-  doseId: z.string().min(1, "doseId is required"),
+	doseId: z.string().min(1, "doseId is required"),
 });

 const dismissDosesSchema = z.object({
-  doseIds: z.array(z.string().min(1)).min(1, "At least one doseId is required"),
+	doseIds: z.array(z.string().min(1)).min(1, "At least one doseId is required"),
 });

+const protectedEndpointSecurity: ReadonlyArray<Record<string, readonly string[]>> = [
+	{ bearerAuth: [] },
+	{ cookieAuth: [] },
+];
+
+const doseIdPattern = /^(\d+)-(\d+)-(\d+)(?:-(.+))?$/;
+
+const doseReadResponseSchema = {
+	type: "object",
+	properties: {
+		doses: {
+			type: "array",
+			items: {
+				type: "object",
+				properties: {
+					doseId: { type: "string" },
+					takenAt: { type: "number" },
+					markedBy: { type: ["string", "null"] },
+					takenSource: { type: "string" },
+					dismissed: { type: "boolean" },
+				},
+			},
+		},
+	},
+} as const;
+
+function maskToken(token: string): string {
+	if (token.length <= 8) return token;
+	return `${token.slice(0, 4)}...${token.slice(-4)}`;
+}
+
 // Helper to get user ID from request
 // Returns anonymous user ID when auth is disabled
-async function getUserId(request: any, reply: any): Promise<number> {
-  // If auth is disabled, use the anonymous user
-  if (!env.AUTH_ENABLED) {
-    return getAnonymousUserId();
-  }
-  
-  const authUser = request.user as unknown as AuthUser | null;
-  if (!authUser) {
-    reply.status(401).send({ error: "Not authenticated" });
-    throw new Error("AUTH_REQUIRED");
-  }
-  return authUser.id;
+async function getUserId(request: FastifyRequest, reply: FastifyReply): Promise<number> {
+	// If auth is disabled, use the anonymous user
+	if (!env.AUTH_ENABLED) {
+		return getAnonymousUserId();
+	}
+
+	const authUser = request.user as unknown as AuthUser | null;
+	if (!authUser) {
+		reply.status(401).send({ error: "Not authenticated" });
+		throw new Error("AUTH_REQUIRED");
+	}
+	return authUser.id;
+}
+
+type ParsedDoseId = {
+	medicationId: number;
+	intakeIndex: number;
+	timestampMs: number;
+	personSuffix: string | null;
+};
+
+function parseDoseId(doseId: string): ParsedDoseId | null {
+	const match = doseIdPattern.exec(doseId);
+	if (!match) return null;
+
+	const medicationId = Number.parseInt(match[1], 10);
+	const intakeIndex = Number.parseInt(match[2], 10);
+	const timestampMs = Number.parseInt(match[3], 10);
+	const personSuffix = match[4] ? match[4].trim() : null;
+
+	if (Number.isNaN(medicationId) || Number.isNaN(intakeIndex) || Number.isNaN(timestampMs) || intakeIndex < 0) {
+		return null;
+	}
+
+	return {
+		medicationId,
+		intakeIndex,
+		timestampMs,
+		personSuffix,
+	};
+}
+
+async function getActiveShareToken(token: string): Promise<{
+	share: typeof shareTokens.$inferSelect | null;
+	reason: "not_found" | "expired" | "ok";
+}> {
+	const [share] = await db.select().from(shareTokens).where(eq(shareTokens.token, token));
+	if (!share) return { share: null, reason: "not_found" };
+
+	if (share.expiresAt && share.expiresAt.getTime() < Date.now()) {
+		return { share: null, reason: "expired" };
+	}
+
+	return { share, reason: "ok" };
+}
+
+async function validateShareDoseId(share: typeof shareTokens.$inferSelect, doseId: string): Promise<boolean> {
+	const parsedDose = parseDoseId(doseId);
+	if (!parsedDose) {
+		return false;
+	}
+
+	const [medication] = await db
+		.select()
+		.from(medications)
+		.where(and(eq(medications.id, parsedDose.medicationId), eq(medications.userId, share.userId)));
+
+	if (!medication) {
+		return false;
+	}
+
+	const medTakenBy = parseTakenByJson(medication.takenByJson);
+	const intakes = parseIntakesJson(
+		medication.intakesJson,
+		{ usageJson: medication.usageJson, everyJson: medication.everyJson, startJson: medication.startJson },
+		medication.intakeRemindersEnabled ?? false
+	);
+
+	if (!personTakesMedication(share.takenBy, medTakenBy, intakes)) {
+		return false;
+	}
+
+	const intake = intakes[parsedDose.intakeIndex];
+	if (!intake) {
+		return false;
+	}
+
+	const expectedPersons = intake.takenBy ? [intake.takenBy] : medTakenBy;
+	if (expectedPersons.length === 0) {
+		return parsedDose.personSuffix === null;
+	}
+
+	if (!parsedDose.personSuffix) {
+		return intake.takenBy === null;
+	}
+
+	return expectedPersons.includes(parsedDose.personSuffix);
+}
+
+async function isDoseOutOfStock(options: {
+	userId: number;
+	doseId: string;
+	stockCalculationMode: "automatic" | "manual";
+}): Promise<boolean> {
+	const parsedDose = parseDoseId(options.doseId);
+	if (!parsedDose) {
+		return false;
+	}
+
+	const [medication] = await db
+		.select()
+		.from(medications)
+		.where(and(eq(medications.id, parsedDose.medicationId), eq(medications.userId, options.userId)));
+
+	if (!medication) {
+		return false;
+	}
+
+	const intakes = parseIntakesJson(
+		medication.intakesJson,
+		{ usageJson: medication.usageJson, everyJson: medication.everyJson, startJson: medication.startJson },
+		medication.intakeRemindersEnabled ?? false
+	);
+	const intake = intakes[parsedDose.intakeIndex];
+
+	const scheduledOccurrenceMs = intake
+		? (() => {
+				const doseDate = new Date(parsedDose.timestampMs);
+				const intakeStart = parseLocalDateTime(intake.start);
+				return new Date(
+					doseDate.getFullYear(),
+					doseDate.getMonth(),
+					doseDate.getDate(),
+					intakeStart.getHours(),
+					intakeStart.getMinutes(),
+					intakeStart.getSeconds(),
+					intakeStart.getMilliseconds()
+				).getTime();
+			})()
+		: parsedDose.timestampMs;
+
+	const doses = await db.select().from(doseTracking).where(eq(doseTracking.userId, options.userId));
+	const stockBeforeDoseMs = Math.max(0, scheduledOccurrenceMs - 1);
+	return (
+		computeMedicationCurrentStock({
+			medication,
+			doses,
+			stockCalculationMode: options.stockCalculationMode,
+			nowMs: stockBeforeDoseMs,
+		}) <= 0
+	);
 }

 // =============================================================================
 // Dose Tracking Routes
 // =============================================================================
 export async function doseRoutes(app: FastifyInstance) {
-  // ---------------------------------------------------------------------------
-  // GET /doses/taken - PROTECTED: Get all taken doses for the user
-  // ---------------------------------------------------------------------------
-  app.get(
-    "/doses/taken",
-    { preHandler: requireAuth },
-    async (request, reply) => {
-      const userId = await getUserId(request, reply);
+	applyOpenApiRouteStandards(app, {
+		tag: "doses",
+		protectedByDefault: false,
+		protectedPaths: [/^\/doses\/taken$/, /^\/doses\/taken\/:doseId$/, /^\/doses\/dismiss$/],
+	});

-      // Get all taken doses for this user (no time limit)
-      const doses = await db.select()
-        .from(doseTracking)
-        .where(eq(doseTracking.userId, userId));
+	// ---------------------------------------------------------------------------
+	// GET /doses/taken - PROTECTED: Get all taken doses for the user
+	// Suppress request logs — polled every 5s by frontend
+	// ---------------------------------------------------------------------------
+	app.get(
+		"/doses/taken",
+		{
+			preHandler: requireAuth,
+			logLevel: "warn",
+			schema: {
+				tags: ["doses"],
+				security: protectedEndpointSecurity,
+				response: {
+					200: doseReadResponseSchema,
+					401: genericErrorSchema,
+				},
+			},
+		},
+		async (request, reply) => {
+			const userId = await getUserId(request, reply);

-      return {
-        doses: doses.map((d) => ({
-          doseId: d.doseId,
-          takenAt: d.takenAt?.getTime() ?? Date.now(),
-          markedBy: d.markedBy,
-          dismissed: d.dismissed ?? false,
-        })),
-      };
-    }
-  );
+			// Get all taken doses for this user (no time limit)
+			const doses = await db.select().from(doseTracking).where(eq(doseTracking.userId, userId));

-  // ---------------------------------------------------------------------------
-  // POST /doses/taken - PROTECTED: Mark a dose as taken
-  // ---------------------------------------------------------------------------
-  app.post<{ Body: z.infer<typeof markDoseSchema> }>(
-    "/doses/taken",
-    { preHandler: requireAuth },
-    async (request, reply) => {
-      const userId = await getUserId(request, reply);
+			return {
+				doses: doses.map((d) => ({
+					doseId: d.doseId,
+					takenAt: d.takenAt?.getTime() ?? Date.now(),
+					markedBy: d.markedBy,
+					takenSource: d.takenSource ?? "manual",
+					dismissed: d.dismissed ?? false,
+				})),
+			};
+		}
+	);

-      const parsed = markDoseSchema.safeParse(request.body);
-      if (!parsed.success) {
-        return reply.status(400).send({
-          error: parsed.error.errors[0]?.message ?? "Invalid input",
-        });
-      }
+	// ---------------------------------------------------------------------------
+	// POST /doses/taken - PROTECTED: Mark a dose as taken
+	// ---------------------------------------------------------------------------
+	app.post<{ Body: z.infer<typeof markDoseSchema> }>(
+		"/doses/taken",
+		{
+			preHandler: requireAuth,
+			schema: {
+				tags: ["doses"],
+				security: protectedEndpointSecurity,
+				body: {
+					type: "object",
+					properties: {
+						doseId: { type: "string" },
+					},
+					example: {
+						doseId: "1:2026-03-11T08:00:00.000Z:Daniel",
+					},
+				},
+				response: {
+					200: {
+						type: "object",
+						properties: {
+							success: { type: "boolean" },
+							message: { type: "string" },
+						},
+					},
+					400: { anyOf: [genericErrorSchema, validationErrorSchema] },
+					409: genericErrorSchema,
+					401: genericErrorSchema,
+				},
+			},
+		},
+		async (request, reply) => {
+			const userId = await getUserId(request, reply);

-      const { doseId } = parsed.data;
+			const parsed = markDoseSchema.safeParse(request.body);
+			if (!parsed.success) {
+				return reply.status(400).send({
+					error: parsed.error.errors[0]?.message ?? "Invalid input",
+				});
+			}

-      // Check if already marked
-      const [existing] = await db.select()
-        .from(doseTracking)
-        .where(
-          and(
-            eq(doseTracking.userId, userId),
-            eq(doseTracking.doseId, doseId)
-          )
-        );
+			const { doseId } = parsed.data;

-      if (existing) {
-        return { success: true, message: "Already marked" };
-      }
+			// Check if already marked
+			const [existing] = await db
+				.select()
+				.from(doseTracking)
+				.where(and(eq(doseTracking.userId, userId), eq(doseTracking.doseId, doseId)));

-      // Insert new record
-      await db.insert(doseTracking).values({
-        userId,
-        doseId,
-        markedBy: null, // Marked by the user themselves
-      });
+			if (existing) {
+				return { success: true, message: "Already marked" };
+			}

-      return { success: true };
-    }
-  );
+			const [settings] = await db.select().from(userSettings).where(eq(userSettings.userId, userId));
+			const outOfStock = await isDoseOutOfStock({
+				userId,
+				doseId,
+				stockCalculationMode: (settings?.stockCalculationMode as "automatic" | "manual") ?? "automatic",
+			});
+			if (outOfStock) {
+				return reply.status(409).send({ error: "Medication is out of stock", code: "OUT_OF_STOCK" });
+			}

-  // ---------------------------------------------------------------------------
-  // DELETE /doses/taken/:doseId - PROTECTED: Unmark a dose
-  // ---------------------------------------------------------------------------
-  app.delete<{ Params: { doseId: string } }>(
-    "/doses/taken/:doseId",
-    { preHandler: requireAuth },
-    async (request, reply) => {
-      const userId = await getUserId(request, reply);
+			// Insert new record
+			await db.insert(doseTracking).values({
+				userId,
+				doseId,
+				markedBy: null, // Marked by the user themselves
+				takenSource: "manual",
+			});

-      const { doseId } = request.params;
+			return { success: true };
+		}
+	);

-      await db.delete(doseTracking).where(
-        and(
-          eq(doseTracking.userId, userId),
-          eq(doseTracking.doseId, doseId)
-        )
-      );
+	// ---------------------------------------------------------------------------
+	// DELETE /doses/taken/:doseId - PROTECTED: Unmark a dose
+	// ---------------------------------------------------------------------------
+	app.delete<{ Params: { doseId: string } }>(
+		"/doses/taken/:doseId",
+		{
+			preHandler: requireAuth,
+			schema: {
+				tags: ["doses"],
+				security: protectedEndpointSecurity,
+				params: {
+					type: "object",
+					required: ["doseId"],
+					properties: {
+						doseId: { type: "string", minLength: 1 },
+					},
+				},
+				response: {
+					200: { type: "object", properties: { success: { type: "boolean" } } },
+					401: genericErrorSchema,
+				},
+			},
+		},
+		async (request, reply) => {
+			const userId = await getUserId(request, reply);

-      return { success: true };
-    }
-  );
+			const { doseId } = request.params;

-  // ---------------------------------------------------------------------------
-  // POST /doses/dismiss - PROTECTED: Dismiss missed doses without deducting stock
-  // ---------------------------------------------------------------------------
-  app.post<{ Body: z.infer<typeof dismissDosesSchema> }>(
-    "/doses/dismiss",
-    { preHandler: requireAuth },
-    async (request, reply) => {
-      const userId = await getUserId(request, reply);
+			// Check if this dose was dismissed
+			const [existing] = await db
+				.select()
+				.from(doseTracking)
+				.where(and(eq(doseTracking.userId, userId), eq(doseTracking.doseId, doseId)));

-      const parsed = dismissDosesSchema.safeParse(request.body);
-      if (!parsed.success) {
-        return reply.status(400).send({
-          error: parsed.error.errors[0]?.message ?? "Invalid input",
-        });
-      }
+			if (existing?.dismissed) {
+				// Already dismissed - keep the record as-is
+				// The dose stays dismissed, we just acknowledge the undo request
+			} else {
+				// Not dismissed - delete the record entirely
+				await db.delete(doseTracking).where(and(eq(doseTracking.userId, userId), eq(doseTracking.doseId, doseId)));
+			}

-      const { doseIds } = parsed.data;
+			return { success: true };
+		}
+	);

-      // Insert dismissed records for each dose that doesn't exist yet
-      let dismissedCount = 0;
-      for (const doseId of doseIds) {
-        // Check if already exists (taken or dismissed)
-        const [existing] = await db.select()
-          .from(doseTracking)
-          .where(
-            and(
-              eq(doseTracking.userId, userId),
-              eq(doseTracking.doseId, doseId)
-            )
-          );
+	// ---------------------------------------------------------------------------
+	// POST /doses/dismiss - PROTECTED: Dismiss missed doses without deducting stock
+	// ---------------------------------------------------------------------------
+	app.post<{ Body: z.infer<typeof dismissDosesSchema> }>(
+		"/doses/dismiss",
+		{
+			preHandler: requireAuth,
+			schema: {
+				tags: ["doses"],
+				security: protectedEndpointSecurity,
+				body: {
+					type: "object",
+					properties: {
+						doseIds: { type: "array", items: { type: "string" } },
+					},
+					example: {
+						doseIds: ["1:2026-03-11T08:00:00.000Z:Daniel", "1:2026-03-11T20:00:00.000Z:Daniel"],
+					},
+				},
+				response: {
+					200: {
+						type: "object",
+						properties: {
+							success: { type: "boolean" },
+							dismissedCount: { type: "integer" },
+						},
+					},
+					400: { anyOf: [genericErrorSchema, validationErrorSchema] },
+					401: genericErrorSchema,
+				},
+			},
+		},
+		async (request, reply) => {
+			const userId = await getUserId(request, reply);

-        if (existing) {
-          // Already exists - update to dismissed if not already
-          if (!existing.dismissed) {
-            await db.update(doseTracking)
-              .set({ dismissed: true })
-              .where(
-                and(
-                  eq(doseTracking.userId, userId),
-                  eq(doseTracking.doseId, doseId)
-                )
-              );
-            dismissedCount++;
-          }
-        } else {
-          // Create new dismissed record
-          await db.insert(doseTracking).values({
-            userId,
-            doseId,
-            markedBy: null,
-            dismissed: true,
-          });
-          dismissedCount++;
-        }
-      }
+			const parsed = dismissDosesSchema.safeParse(request.body);
+			if (!parsed.success) {
+				return reply.status(400).send({
+					error: parsed.error.errors[0]?.message ?? "Invalid input",
+				});
+			}

-      return { success: true, dismissedCount };
-    }
-  );
+			const { doseIds } = parsed.data;

-  // ---------------------------------------------------------------------------
-  // DELETE /doses/dismiss - PROTECTED: Clear all dismissed doses (un-dismiss)
-  // ---------------------------------------------------------------------------
-  app.delete(
-    "/doses/dismiss",
-    { preHandler: requireAuth },
-    async (request, reply) => {
-      const userId = await getUserId(request, reply);
+			// Insert dismissed records for each dose that doesn't exist yet
+			let dismissedCount = 0;
+			for (const doseId of doseIds) {
+				// Check if already exists (taken or dismissed)
+				const [existing] = await db
+					.select()
+					.from(doseTracking)
+					.where(and(eq(doseTracking.userId, userId), eq(doseTracking.doseId, doseId)));

-      // Delete all dismissed-only records (not taken ones)
-      // For taken+dismissed, just remove the dismissed flag
-      const dismissed = await db.select()
-        .from(doseTracking)
-        .where(
-          and(
-            eq(doseTracking.userId, userId),
-            eq(doseTracking.dismissed, true)
-          )
-        );
+				if (existing) {
+					// Already exists - update to dismissed if not already
+					if (!existing.dismissed) {
+						await db
+							.update(doseTracking)
+							.set({ dismissed: true })
+							.where(and(eq(doseTracking.userId, userId), eq(doseTracking.doseId, doseId)));
+						dismissedCount++;
+					}
+				} else {
+					// Create new dismissed record
+					await db.insert(doseTracking).values({
+						userId,
+						doseId,
+						markedBy: null,
+						takenAt: new Date(0),
+						dismissed: true,
+					});
+					dismissedCount++;
+				}
+			}

-      for (const d of dismissed) {
-        if (d.markedBy !== null || d.takenAt) {
-          // This was also marked as taken - just remove dismissed flag
-          await db.update(doseTracking)
-            .set({ dismissed: false })
-            .where(eq(doseTracking.id, d.id));
-        } else {
-          // This was only dismissed - delete it
-          await db.delete(doseTracking)
-            .where(eq(doseTracking.id, d.id));
-        }
-      }
+			return { success: true, dismissedCount };
+		}
+	);

-      return { success: true, clearedCount: dismissed.length };
-    }
-  );
+	// ---------------------------------------------------------------------------
+	// DELETE /doses/dismiss - PROTECTED: Clear all dismissed doses (un-dismiss)
+	// ---------------------------------------------------------------------------
+	app.delete(
+		"/doses/dismiss",
+		{
+			preHandler: requireAuth,
+			schema: {
+				tags: ["doses"],
+				security: protectedEndpointSecurity,
+				response: {
+					200: {
+						type: "object",
+						properties: {
+							success: { type: "boolean" },
+							clearedCount: { type: "integer" },
+						},
+					},
+					401: genericErrorSchema,
+				},
+			},
+		},
+		async (request, reply) => {
+			const userId = await getUserId(request, reply);

-  // ---------------------------------------------------------------------------
-  // GET /share/:token/doses - PUBLIC: Get taken doses for a share link
-  // ---------------------------------------------------------------------------
-  app.get<{ Params: { token: string } }>(
-    "/share/:token/doses",
-    async (request, reply) => {
-      const { token } = request.params;
+			// Delete all dismissed-only records (not taken ones)
+			// For taken+dismissed, just remove the dismissed flag
+			const dismissed = await db
+				.select()
+				.from(doseTracking)
+				.where(and(eq(doseTracking.userId, userId), eq(doseTracking.dismissed, true)));

-      // Find share token
-      const [share] = await db.select().from(shareTokens).where(eq(shareTokens.token, token));
-      if (!share) {
-        return reply.notFound("Share link not found");
-      }
+			for (const d of dismissed) {
+				const hasRealTakenTimestamp = d.takenAt instanceof Date ? d.takenAt.getTime() > 0 : Boolean(d.takenAt);

-      // Get all taken doses for this user (no time limit)
-      const doses = await db.select()
-        .from(doseTracking)
-        .where(eq(doseTracking.userId, share.userId));
+				if (d.markedBy !== null || hasRealTakenTimestamp) {
+					// This was also marked as taken - just remove dismissed flag
+					await db.update(doseTracking).set({ dismissed: false }).where(eq(doseTracking.id, d.id));
+				} else {
+					// This was only dismissed - delete it
+					await db.delete(doseTracking).where(eq(doseTracking.id, d.id));
+				}
+			}

-      return {
-        doses: doses.map((d) => ({
-          doseId: d.doseId,
-          takenAt: d.takenAt?.getTime() ?? Date.now(),
-          markedBy: d.markedBy,
-          dismissed: d.dismissed ?? false,
-        })),
-      };
-    }
-  );
+			return { success: true, clearedCount: dismissed.length };
+		}
+	);

-  // ---------------------------------------------------------------------------
-  // POST /share/:token/doses - PUBLIC: Mark a dose as taken via share link
-  // ---------------------------------------------------------------------------
-  app.post<{ Params: { token: string }; Body: z.infer<typeof shareDoseSchema> }>(
-    "/share/:token/doses",
-    async (request, reply) => {
-      const { token } = request.params;
+	// ---------------------------------------------------------------------------
+	// GET /share/:token/doses - PUBLIC: Get taken doses for a share link
+	// Suppress request logs — polled every 5s by SharedSchedule
+	// ---------------------------------------------------------------------------
+	app.get<{ Params: { token: string } }>(
+		"/share/:token/doses",
+		{
+			schema: {
+				params: tokenParamsSchema,
+				response: {
+					200: doseReadResponseSchema,
+					404: genericErrorSchema,
+				},
+			},
+			logLevel: "warn",
+			config: {
+				rateLimit: {
+					max: 60,
+					timeWindow: "1 minute",
+					errorResponseBuilder: () => ({ error: "rate_limited" }),
+				},
+			},
+		},
+		async (request, reply) => {
+			const { token } = request.params;

-      const parsed = shareDoseSchema.safeParse(request.body);
-      if (!parsed.success) {
-        return reply.status(400).send({
-          error: parsed.error.errors[0]?.message ?? "Invalid input",
-        });
-      }
+			const { share, reason } = await getActiveShareToken(token);
+			if (!share) {
+				request.log.warn(`[ShareDose] Rejected read for token ${maskToken(token)} (reason=${reason})`);
+				return reply.notFound("Share link not found");
+			}

-      const { doseId } = parsed.data;
+			// Get all taken doses for this user (no time limit)
+			const doses = await db.select().from(doseTracking).where(eq(doseTracking.userId, share.userId));

-      // Find share token
-      const [share] = await db.select().from(shareTokens).where(eq(shareTokens.token, token));
-      if (!share) {
-        return reply.notFound("Share link not found");
-      }
+			return {
+				doses: doses.map((d) => ({
+					doseId: d.doseId,
+					takenAt: d.takenAt?.getTime() ?? Date.now(),
+					markedBy: d.markedBy,
+					takenSource: d.takenSource ?? "manual",
+					dismissed: d.dismissed ?? false,
+				})),
+			};
+		}
+	);

-      // Check if already marked
-      const [existing] = await db.select()
-        .from(doseTracking)
-        .where(
-          and(
-            eq(doseTracking.userId, share.userId),
-            eq(doseTracking.doseId, doseId)
-          )
-        );
+	// ---------------------------------------------------------------------------
+	// POST /share/:token/doses - PUBLIC: Mark a dose as taken via share link
+	// ---------------------------------------------------------------------------
+	app.post<{ Params: { token: string }; Body: z.infer<typeof shareDoseSchema> }>(
+		"/share/:token/doses",
+		{
+			schema: {
+				params: tokenParamsSchema,
+				body: {
+					type: "object",
+					properties: {
+						doseId: { type: "string" },
+					},
+					example: {
+						doseId: "1:2026-03-11T08:00:00.000Z:Daniel",
+					},
+				},
+				response: {
+					200: { type: "object", properties: { success: { type: "boolean" }, message: { type: "string" } } },
+					400: { anyOf: [genericErrorSchema, validationErrorSchema] },
+					409: genericErrorSchema,
+					404: genericErrorSchema,
+				},
+			},
+		},
+		async (request, reply) => {
+			const { token } = request.params;

-      if (existing) {
-        return { success: true, message: "Already marked" };
-      }
+			const parsed = shareDoseSchema.safeParse(request.body);
+			if (!parsed.success) {
+				return reply.status(400).send({
+					error: parsed.error.errors[0]?.message ?? "Invalid input",
+				});
+			}

-      // Insert new record - marked by the takenBy person
-      await db.insert(doseTracking).values({
-        userId: share.userId,
-        doseId,
-        markedBy: share.takenBy, // e.g. "Daniel"
-      });
+			const { doseId } = parsed.data;

-      return { success: true };
-    }
-  );
+			const { share, reason } = await getActiveShareToken(token);
+			if (!share) {
+				request.log.warn(`[ShareDose] Rejected mark for token ${maskToken(token)} (reason=${reason})`);
+				return reply.notFound("Share link not found");
+			}

-  // ---------------------------------------------------------------------------
-  // DELETE /share/:token/doses/:doseId - PUBLIC: Unmark a dose via share link
-  // ---------------------------------------------------------------------------
-  app.delete<{ Params: { token: string; doseId: string } }>(
-    "/share/:token/doses/:doseId",
-    async (request, reply) => {
-      const { token, doseId } = request.params;
+			const isValidShareDoseId = await validateShareDoseId(share, doseId);
+			if (!isValidShareDoseId) {
+				request.log.warn(
+					`[ShareDose] Rejected invalid doseId in mark request (owner=${share.userId}, takenBy=${share.takenBy}, doseId=${doseId})`
+				);
+				return reply.status(400).send({ error: "Invalid or unauthorized doseId" });
+			}

-      // Find share token
-      const [share] = await db.select().from(shareTokens).where(eq(shareTokens.token, token));
-      if (!share) {
-        return reply.notFound("Share link not found");
-      }
+			// Check if already marked
+			const [existing] = await db
+				.select()
+				.from(doseTracking)
+				.where(and(eq(doseTracking.userId, share.userId), eq(doseTracking.doseId, doseId)));

-      await db.delete(doseTracking).where(
-        and(
-          eq(doseTracking.userId, share.userId),
-          eq(doseTracking.doseId, doseId)
-        )
-      );
+			if (existing) {
+				request.log.debug(`[ShareDose] Duplicate mark ignored (owner=${share.userId}, doseId=${doseId})`);
+				return { success: true, message: "Already marked" };
+			}

-      return { success: true };
-    }
-  );
+			const [settings] = await db.select().from(userSettings).where(eq(userSettings.userId, share.userId));
+			const outOfStock = await isDoseOutOfStock({
+				userId: share.userId,
+				doseId,
+				stockCalculationMode: (settings?.stockCalculationMode as "automatic" | "manual") ?? "automatic",
+			});
+			if (outOfStock) {
+				request.log.info(
+					`[ShareDose] Rejected out-of-stock mark request (owner=${share.userId}, takenBy=${share.takenBy}, doseId=${doseId})`
+				);
+				return reply.status(409).send({ error: "Medication is out of stock", code: "OUT_OF_STOCK" });
+			}
+
+			// Insert new record - marked by the shared person, or the concrete intake person for an "all" link.
+			const parsedShareDose = parseDoseId(doseId);
+			const markedBy = share.takenBy === "all" ? (parsedShareDose?.personSuffix ?? share.takenBy) : share.takenBy;
+
+			await db.insert(doseTracking).values({
+				userId: share.userId,
+				doseId,
+				markedBy,
+				takenSource: "manual",
+			});
+
+			request.log.info(
+				`[ShareDose] Dose marked via share link (owner=${share.userId}, takenBy=${share.takenBy}, doseId=${doseId})`
+			);
+
+			return { success: true };
+		}
+	);
+
+	// ---------------------------------------------------------------------------
+	// DELETE /share/:token/doses/:doseId - PUBLIC: Unmark a dose via share link
+	// ---------------------------------------------------------------------------
+	app.delete<{ Params: { token: string; doseId: string } }>(
+		"/share/:token/doses/:doseId",
+		{
+			schema: {
+				params: {
+					type: "object",
+					required: ["token", "doseId"],
+					properties: {
+						token: tokenParamsSchema.properties.token,
+						doseId: { type: "string", minLength: 1 },
+					},
+				},
+				response: {
+					200: { type: "object", properties: { success: { type: "boolean" } } },
+					400: genericErrorSchema,
+					404: genericErrorSchema,
+				},
+			},
+		},
+		async (request, reply) => {
+			const { token, doseId } = request.params;
+
+			const { share, reason } = await getActiveShareToken(token);
+			if (!share) {
+				request.log.warn(`[ShareDose] Rejected unmark for token ${maskToken(token)} (reason=${reason})`);
+				return reply.notFound("Share link not found");
+			}
+
+			const isValidShareDoseId = await validateShareDoseId(share, doseId);
+			if (!isValidShareDoseId) {
+				request.log.warn(
+					`[ShareDose] Rejected invalid doseId in unmark request (owner=${share.userId}, takenBy=${share.takenBy}, doseId=${doseId})`
+				);
+				return reply.status(400).send({ error: "Invalid or unauthorized doseId" });
+			}
+
+			// Check if this dose was dismissed
+			const [existing] = await db
+				.select()
+				.from(doseTracking)
+				.where(and(eq(doseTracking.userId, share.userId), eq(doseTracking.doseId, doseId)));
+
+			if (existing?.dismissed) {
+				// Already dismissed - keep the record as-is
+				request.log.debug(`[ShareDose] Unmark ignored for dismissed dose (owner=${share.userId}, doseId=${doseId})`);
+			} else {
+				// Not dismissed - delete the record entirely
+				await db
+					.delete(doseTracking)
+					.where(and(eq(doseTracking.userId, share.userId), eq(doseTracking.doseId, doseId)));
+				request.log.info(
+					`[ShareDose] Dose unmarked via share link (owner=${share.userId}, takenBy=${share.takenBy}, doseId=${doseId})`
+				);
+			}
+
+			return { success: true };
+		}
+	);
 }
@@ -1,9 +1,41 @@
-import { FastifyInstance } from "fastify";
+import { readFileSync } from "node:fs";
+import { dirname, resolve } from "node:path";
+import { fileURLToPath } from "node:url";
+import type { FastifyInstance } from "fastify";
+import { applyOpenApiRouteStandards } from "../utils/openapi-route-standards.js";
+
+// Read version from package.json at startup
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const packageJsonPath = resolve(__dirname, "../../package.json");
+const packageJson = JSON.parse(readFileSync(packageJsonPath, "utf-8"));
+const backendVersion = packageJson.version || "unknown";

 export async function healthRoutes(app: FastifyInstance) {
-  app.get("/health", async () => ({
-    status: "ok",
-    smtpConfigured: Boolean(process.env.SMTP_HOST),
-    shoutrrrConfigured: Boolean(process.env.SHOUTRRR_URL),
-  }));
+	applyOpenApiRouteStandards(app, { tag: "health", protectedByDefault: false });
+
+	// Exempt from rate limit + suppress request logs (called every 30s by Docker healthcheck)
+	app.get(
+		"/health",
+		{
+			config: { rateLimit: false },
+			logLevel: "warn",
+			schema: {
+				response: {
+					200: {
+						type: "object",
+						properties: {
+							status: { type: "string", enum: ["ok"] },
+							version: { type: "string" },
+							smtpConfigured: { type: "boolean" },
+						},
+					},
+				},
+			},
+		},
+		async () => ({
+			status: "ok",
+			version: backendVersion,
+			smtpConfigured: Boolean(process.env.SMTP_HOST),
+		})
+	);
 }
@@ -1,10 +1,11 @@
-import { FastifyInstance, FastifyReply, FastifyRequest } from "fastify";
-import * as client from "openid-client";
-import { randomBytes, createHash } from "crypto";
-import { db } from "../db/client.js";
-import { users, refreshTokens } from "../db/schema.js";
+import { createHash, randomBytes } from "node:crypto";
 import { eq, sql } from "drizzle-orm";
+import type { FastifyInstance, FastifyReply } from "fastify";
+import * as client from "openid-client";
+import { db } from "../db/client.js";
+import { refreshTokens, users } from "../db/schema.js";
 import { env } from "../plugins/env.js";
+import { applyOpenApiRouteStandards, genericErrorSchema } from "../utils/openapi-route-standards.js";

 // =============================================================================
 // OIDC Configuration Cache
@@ -12,299 +13,325 @@ import { env } from "../plugins/env.js";
 let oidcConfig: client.Configuration | null = null;

 async function getOIDCConfig(): Promise<client.Configuration> {
-  if (oidcConfig) return oidcConfig;
-  
-  if (!env.OIDC_ISSUER_URL || !env.OIDC_CLIENT_ID || !env.OIDC_CLIENT_SECRET) {
-    throw new Error("OIDC not configured");
-  }
+	if (oidcConfig) return oidcConfig;

-  oidcConfig = await client.discovery(
-    new URL(env.OIDC_ISSUER_URL),
-    env.OIDC_CLIENT_ID,
-    env.OIDC_CLIENT_SECRET
-  );
-  
-  return oidcConfig;
+	if (!env.OIDC_ISSUER_URL || !env.OIDC_CLIENT_ID || !env.OIDC_CLIENT_SECRET) {
+		throw new Error("OIDC not configured");
+	}
+
+	oidcConfig = await client.discovery(new URL(env.OIDC_ISSUER_URL), env.OIDC_CLIENT_ID, env.OIDC_CLIENT_SECRET);
+
+	return oidcConfig;
 }

 // =============================================================================
 // PKCE Helpers
 // =============================================================================
 function generateCodeVerifier(): string {
-  return randomBytes(32).toString("base64url");
+	return randomBytes(32).toString("base64url");
 }

 function generateCodeChallenge(verifier: string): string {
-  return createHash("sha256").update(verifier).digest("base64url");
+	return createHash("sha256").update(verifier).digest("base64url");
 }

 function generateState(): string {
-  return randomBytes(16).toString("hex");
+	return randomBytes(16).toString("hex");
 }

 // =============================================================================
 // Helpers
 // =============================================================================
 function getFrontendUrl(): string {
-  return env.CORS_ORIGINS.split(",")[0] || "http://localhost:5173";
+	return env.CORS_ORIGINS.split(",")[0] || "http://localhost:5173";
 }

 // =============================================================================
 // OIDC Routes
 // =============================================================================
 export async function oidcRoutes(app: FastifyInstance) {
-  if (!env.OIDC_ENABLED) {
-    // Register a disabled route that returns an error
-    app.get("/auth/oidc/login", async (request, reply) => {
-      return reply.status(400).send({ error: "OIDC authentication is not enabled" });
-    });
-    app.get("/auth/oidc/callback", async (request, reply) => {
-      return reply.status(400).send({ error: "OIDC authentication is not enabled" });
-    });
-    return;
-  }
+	applyOpenApiRouteStandards(app, { tag: "auth", protectedByDefault: false });

-  // ---------------------------------------------------------------------------
-  // GET /auth/oidc/login - Initiates OIDC flow
-  // ---------------------------------------------------------------------------
-  app.get("/auth/oidc/login", async (request, reply) => {
-    try {
-      const config = await getOIDCConfig();
-      
-      // Generate PKCE values
-      const codeVerifier = generateCodeVerifier();
-      const codeChallenge = generateCodeChallenge(codeVerifier);
-      const state = generateState();
-      
-      // Store PKCE verifier and state in signed cookies (short-lived)
-      reply.setCookie("oidc_code_verifier", codeVerifier, {
-        httpOnly: true,
-        secure: env.NODE_ENV === "production",
-        sameSite: "lax",
-        path: "/",
-        maxAge: 600, // 10 minutes
-        signed: true,
-      });
-      
-      reply.setCookie("oidc_state", state, {
-        httpOnly: true,
-        secure: env.NODE_ENV === "production",
-        sameSite: "lax",
-        path: "/",
-        maxAge: 600,
-        signed: true,
-      });
-      
-      // Build authorization URL
-      const redirectUri = env.OIDC_REDIRECT_URI!;
-      const scope = env.OIDC_SCOPES;
-      
-      const authUrl = client.buildAuthorizationUrl(config, {
-        redirect_uri: redirectUri,
-        scope,
-        state,
-        code_challenge: codeChallenge,
-        code_challenge_method: "S256",
-      });
-      
-      return reply.redirect(authUrl.href);
-    } catch (err: any) {
-      console.error("[OIDC] Login error:", err);
-      return reply.redirect(`${getFrontendUrl()}/?error=oidc_init_failed`);
-    }
-  });
+	if (!env.OIDC_ENABLED) {
+		// Register a disabled route that returns an error
+		app.get("/auth/oidc/login", { schema: { response: { 400: genericErrorSchema } } }, async (_request, reply) => {
+			return reply.status(400).send({ error: "OIDC authentication is not enabled" });
+		});
+		app.get("/auth/oidc/callback", { schema: { response: { 400: genericErrorSchema } } }, async (_request, reply) => {
+			return reply.status(400).send({ error: "OIDC authentication is not enabled" });
+		});
+		return;
+	}

-  // ---------------------------------------------------------------------------
-  // GET /auth/oidc/callback - Handles callback from OIDC provider
-  // ---------------------------------------------------------------------------
-  app.get<{ Querystring: { code?: string; state?: string; error?: string; error_description?: string } }>(
-    "/auth/oidc/callback",
-    async (request, reply) => {
-      const { code, state, error, error_description } = request.query;
-      
-      // Handle OIDC provider errors
-      if (error) {
-        console.error(`[OIDC] Provider error: ${error} - ${error_description}`);
-        return reply.redirect(`${getFrontendUrl()}/?error=oidc_${error}`);
-      }
-      
-      if (!code || !state) {
-        return reply.redirect(`${getFrontendUrl()}/?error=oidc_missing_params`);
-      }
-      
-      // Verify state
-      const storedState = request.unsignCookie(request.cookies.oidc_state || "");
-      if (!storedState.valid || storedState.value !== state) {
-        console.error("[OIDC] State mismatch");
-        return reply.redirect(`${getFrontendUrl()}/?error=oidc_state_mismatch`);
-      }
-      
-      // Get code verifier
-      const storedVerifier = request.unsignCookie(request.cookies.oidc_code_verifier || "");
-      if (!storedVerifier.valid || !storedVerifier.value) {
-        console.error("[OIDC] Missing code verifier");
-        return reply.redirect(`${getFrontendUrl()}/?error=oidc_missing_verifier`);
-      }
-      
-      try {
-        const config = await getOIDCConfig();
-        const redirectUri = env.OIDC_REDIRECT_URI!;
-        
-        // Exchange code for tokens
-        const tokens = await client.authorizationCodeGrant(config, new URL(request.url, `http://${request.headers.host}`), {
-          pkceCodeVerifier: storedVerifier.value,
-          expectedState: state,
-        });
-        
-        // Get user info
-        const sub = tokens.claims()?.sub;
-        if (!sub) {
-          console.error("[OIDC] Missing sub claim in token");
-          return reply.redirect(`${getFrontendUrl()}/?error=oidc_missing_sub`);
-        }
-        const userInfo = await client.fetchUserInfo(config, tokens.access_token, sub);
-        
-        // Extract username from configured claim
-        const usernameClaim = env.OIDC_USERNAME_CLAIM;
-        let username = (userInfo as any)[usernameClaim] || userInfo.preferred_username || userInfo.email || userInfo.sub;
-        const oidcSubject = userInfo.sub;
-        
-        if (!username || !oidcSubject) {
-          console.error("[OIDC] Missing required user info:", { username, oidcSubject });
-          return reply.redirect(`${getFrontendUrl()}/?error=oidc_missing_user_info`);
-        }
-        
-        // Clean cookies
-        reply.clearCookie("oidc_code_verifier", { path: "/" });
-        reply.clearCookie("oidc_state", { path: "/" });
-        
-        // Find or create user
-        let user = await findOrCreateOIDCUser(username, oidcSubject, reply);
-        
-        if (!user) {
-          return reply.redirect(`${getFrontendUrl()}/?error=oidc_user_creation_failed`);
-        }
-        
-        // Update last login
-        await db.update(users)
-          .set({ lastLoginAt: new Date() })
-          .where(eq(users.id, user.id));
-        
-        // Issue JWT tokens (same as local auth)
-        const accessToken = await generateAccessToken(app, user.id, user.username);
-        const { refreshToken, tokenId, expiresAt } = await generateRefreshToken(app, user.id);
-        
-        // Store refresh token
-        await db.insert(refreshTokens).values({
-          userId: user.id,
-          tokenId,
-          expiresAt,
-        });
-        
-        // Set cookies (use app's centralized cookie options)
-        console.log(`[OIDC] Setting cookies for user ${user.username}, NODE_ENV=${env.NODE_ENV}, secure=${app.config.cookieOptions.secure}`);
-        setAuthCookies(app, reply, accessToken, refreshToken);
-        
-        // Redirect to frontend dashboard
-        // In dev: CORS_ORIGINS contains the frontend URL
-        const frontendUrl = env.CORS_ORIGINS.split(",")[0] || "http://localhost:5173";
-        return reply.redirect(`${frontendUrl}/dashboard`);
-        
-      } catch (err: any) {
-        console.error("[OIDC] Callback error:", err);
-        return reply.redirect(`${getFrontendUrl()}/?error=oidc_callback_failed`);
-      }
-    }
-  );
+	// ---------------------------------------------------------------------------
+	// GET /auth/oidc/login - Initiates OIDC flow
+	// ---------------------------------------------------------------------------
+	app.get(
+		"/auth/oidc/login",
+		{
+			schema: {
+				response: {
+					302: { type: "null", description: "Redirect to OIDC provider" },
+					500: genericErrorSchema,
+				},
+			},
+		},
+		async (request, reply) => {
+			try {
+				const config = await getOIDCConfig();
+
+				// Generate PKCE values
+				const codeVerifier = generateCodeVerifier();
+				const codeChallenge = generateCodeChallenge(codeVerifier);
+				const state = generateState();
+
+				// Store PKCE verifier and state in signed cookies (short-lived)
+				reply.setCookie("oidc_code_verifier", codeVerifier, {
+					httpOnly: true,
+					secure: env.NODE_ENV === "production",
+					sameSite: "lax",
+					path: "/",
+					maxAge: 600, // 10 minutes
+					signed: true,
+				});
+
+				reply.setCookie("oidc_state", state, {
+					httpOnly: true,
+					secure: env.NODE_ENV === "production",
+					sameSite: "lax",
+					path: "/",
+					maxAge: 600,
+					signed: true,
+				});
+
+				// Build authorization URL
+				const redirectUri = env.OIDC_REDIRECT_URI!;
+				const scope = env.OIDC_SCOPES;
+
+				const authUrl = client.buildAuthorizationUrl(config, {
+					redirect_uri: redirectUri,
+					scope,
+					state,
+					code_challenge: codeChallenge,
+					code_challenge_method: "S256",
+				});
+
+				return reply.redirect(authUrl.href);
+			} catch (err: unknown) {
+				request.log.error({ err }, "[OIDC] Login initialization failed");
+				return reply.redirect(`${getFrontendUrl()}/?error=oidc_init_failed`);
+			}
+		}
+	);
+
+	// ---------------------------------------------------------------------------
+	// GET /auth/oidc/callback - Handles callback from OIDC provider
+	// ---------------------------------------------------------------------------
+	app.get<{ Querystring: { code?: string; state?: string; error?: string; error_description?: string } }>(
+		"/auth/oidc/callback",
+		{
+			schema: {
+				querystring: {
+					type: "object",
+					properties: {
+						code: { type: "string" },
+						state: { type: "string" },
+						error: { type: "string" },
+						error_description: { type: "string" },
+					},
+				},
+				response: {
+					302: { type: "null", description: "Redirect back to frontend" },
+				},
+			},
+		},
+		async (request, reply) => {
+			const { code, state, error, error_description } = request.query;
+
+			// Handle OIDC provider errors
+			if (error) {
+				app.log.warn({ error, errorDescription: error_description }, "[OIDC] Provider returned error");
+				return reply.redirect(`${getFrontendUrl()}/?error=oidc_${error}`);
+			}
+
+			if (!code || !state) {
+				return reply.redirect(`${getFrontendUrl()}/?error=oidc_missing_params`);
+			}
+
+			// Verify state
+			const storedState = request.unsignCookie(request.cookies.oidc_state || "");
+			if (!storedState.valid || storedState.value !== state) {
+				request.log.warn("[OIDC] State mismatch during callback validation");
+				return reply.redirect(`${getFrontendUrl()}/?error=oidc_state_mismatch`);
+			}
+
+			// Get code verifier
+			const storedVerifier = request.unsignCookie(request.cookies.oidc_code_verifier || "");
+			if (!storedVerifier.valid || !storedVerifier.value) {
+				request.log.warn("[OIDC] Missing/invalid code verifier cookie");
+				return reply.redirect(`${getFrontendUrl()}/?error=oidc_missing_verifier`);
+			}
+
+			try {
+				const config = await getOIDCConfig();
+				const redirectUri = env.OIDC_REDIRECT_URI!;
+
+				// Exchange code for tokens
+				// Build complete callback URL with query parameters for validation
+				const callbackUrl = new URL(redirectUri);
+				callbackUrl.search = new URLSearchParams(request.query as Record<string, string>).toString();
+
+				const tokens = await client.authorizationCodeGrant(config, callbackUrl, {
+					pkceCodeVerifier: storedVerifier.value,
+					expectedState: state,
+				});
+
+				// Get user info
+				const sub = tokens.claims()?.sub;
+				if (!sub) {
+					request.log.error("[OIDC] Missing sub claim in token response");
+					return reply.redirect(`${getFrontendUrl()}/?error=oidc_missing_sub`);
+				}
+				const userInfo = await client.fetchUserInfo(config, tokens.access_token, sub);
+
+				// Extract username from configured claim
+				const usernameClaim = env.OIDC_USERNAME_CLAIM;
+				const username =
+					(userInfo as Record<string, string>)[usernameClaim] ||
+					userInfo.preferred_username ||
+					userInfo.email ||
+					userInfo.sub;
+				const oidcSubject = userInfo.sub;
+
+				if (!username || !oidcSubject) {
+					request.log.error(
+						{ hasUsername: Boolean(username), hasOidcSubject: Boolean(oidcSubject) },
+						"[OIDC] Missing required user info"
+					);
+					return reply.redirect(`${getFrontendUrl()}/?error=oidc_missing_user_info`);
+				}
+
+				// Clean cookies
+				reply.clearCookie("oidc_code_verifier", { path: "/" });
+				reply.clearCookie("oidc_state", { path: "/" });
+
+				// Find or create user
+				const user = await findOrCreateOIDCUser(username, oidcSubject, reply);
+
+				if (!user) {
+					return reply.redirect(`${getFrontendUrl()}/?error=oidc_user_creation_failed`);
+				}
+
+				// Update last login
+				await db.update(users).set({ lastLoginAt: new Date() }).where(eq(users.id, user.id));
+
+				// Issue JWT tokens (same as local auth)
+				const accessToken = await generateAccessToken(app, user.id, user.username);
+				const { refreshToken, tokenId, expiresAt } = await generateRefreshToken(app, user.id);
+
+				// Store refresh token
+				await db.insert(refreshTokens).values({
+					userId: user.id,
+					tokenId,
+					expiresAt,
+				});
+
+				// Set cookies (use app's centralized cookie options)
+				request.log.debug(
+					`[OIDC] Setting cookies for user ${user.username}, NODE_ENV=${env.NODE_ENV}, secure=${app.config.cookieOptions.secure}`
+				);
+				setAuthCookies(app, reply, accessToken, refreshToken);
+
+				// Redirect to frontend dashboard
+				// In dev: CORS_ORIGINS contains the frontend URL
+				const frontendUrl = env.CORS_ORIGINS.split(",")[0] || "http://localhost:5173";
+				return reply.redirect(`${frontendUrl}/dashboard`);
+			} catch (err: unknown) {
+				request.log.error({ err }, "[OIDC] Callback processing failed");
+				return reply.redirect(`${getFrontendUrl()}/?error=oidc_callback_failed`);
+			}
+		}
+	);
 }

 // =============================================================================
 // User Management
 // =============================================================================
 async function findOrCreateOIDCUser(
-  username: string, 
-  oidcSubject: string,
-  reply: FastifyReply
+	username: string,
+	oidcSubject: string,
+	_reply: FastifyReply
 ): Promise<{ id: number; username: string } | null> {
-  
-  // First, try to find user by OIDC subject (most reliable)
-  const [existingBySubject] = await db.select()
-    .from(users)
-    .where(eq(users.oidcSubject, oidcSubject));
-  
-  if (existingBySubject) {
-    return { id: existingBySubject.id, username: existingBySubject.username };
-  }
-  
-  // Check if username already exists (potential collision)
-  const [existingByUsername] = await db.select()
-    .from(users)
-    .where(eq(users.username, username));
-  
-  if (existingByUsername) {
-    // Username collision! Check if it's a local user without OIDC linked
-    if (existingByUsername.authProvider === "local" && !existingByUsername.oidcSubject) {
-      // Local user exists without SSO - link this OIDC account to existing user
-      await db.update(users)
-        .set({ oidcSubject: oidcSubject })
-        .where(eq(users.id, existingByUsername.id));
-      console.log(`[OIDC] Linked OIDC to existing local user: ${username}`);
-      return { id: existingByUsername.id, username: existingByUsername.username };
-    } else if (existingByUsername.oidcSubject && existingByUsername.oidcSubject !== oidcSubject) {
-      // User already has a DIFFERENT OIDC subject - create new user with suffix
-      username = `${username}_sso`;
-      console.log(`[OIDC] Username collision (different OIDC subject), using: ${username}`);
-    }
-  }
-  
-  // Check if auto-create is enabled
-  if (!env.OIDC_AUTO_CREATE_USERS) {
-    console.error(`[OIDC] User creation disabled and user not found: ${username}`);
-    return null;
-  }
-  
-  // Create new OIDC user
-  const [newUser] = await db.insert(users)
-    .values({
-      username,
-      passwordHash: null,
-      authProvider: "oidc",
-      oidcSubject: oidcSubject,
-      isActive: true,
-    })
-    .returning({ id: users.id, username: users.username });
-  
-  console.log(`[OIDC] Created new user: ${newUser.username} (ID: ${newUser.id})`);
-  return newUser;
+	// First, try to find user by OIDC subject (most reliable)
+	const [existingBySubject] = await db.select().from(users).where(eq(users.oidcSubject, oidcSubject));
+
+	if (existingBySubject) {
+		return { id: existingBySubject.id, username: existingBySubject.username };
+	}
+
+	// Check if username already exists (potential collision)
+	const [existingByUsername] = await db.select().from(users).where(sql`lower(${users.username}) = lower(${username})`);
+
+	if (existingByUsername) {
+		// Username collision! Check if it's a local user without OIDC linked
+		if (existingByUsername.authProvider === "local" && !existingByUsername.oidcSubject) {
+			// Local user exists without SSO - link this OIDC account to existing user
+			await db.update(users).set({ oidcSubject: oidcSubject }).where(eq(users.id, existingByUsername.id));
+			// Linked OIDC to existing local user
+			return { id: existingByUsername.id, username: existingByUsername.username };
+		} else if (existingByUsername.oidcSubject && existingByUsername.oidcSubject !== oidcSubject) {
+			// User already has a DIFFERENT OIDC subject - create new user with suffix
+			username = `${username}_sso`;
+			// Username collision (different OIDC subject), use suffixed name
+		}
+	}
+
+	// Check if auto-create is enabled
+	if (!env.OIDC_AUTO_CREATE_USERS) {
+		// No logger is available in this helper, route-level logs already capture callback failures.
+		return null;
+	}
+
+	// Create new OIDC user
+	const [newUser] = await db
+		.insert(users)
+		.values({
+			username,
+			passwordHash: null,
+			authProvider: "oidc",
+			oidcSubject: oidcSubject,
+			isActive: true,
+		})
+		.returning({ id: users.id, username: users.username });
+
+	// New OIDC user created
+	return newUser;
 }

 // =============================================================================
 // JWT Token Generation (reused from auth.ts logic)
 // =============================================================================
 async function generateAccessToken(app: FastifyInstance, userId: number, username: string): Promise<string> {
-  return app.jwt.sign(
-    { sub: userId, username },
-    { expiresIn: `${env.ACCESS_TOKEN_TTL_MINUTES}m` }
-  );
+	return app.jwt.sign({ sub: userId, username }, { expiresIn: `${env.ACCESS_TOKEN_TTL_MINUTES}m` });
 }

 async function generateRefreshToken(
-  app: FastifyInstance, 
-  userId: number
+	app: FastifyInstance,
+	userId: number
 ): Promise<{ refreshToken: string; tokenId: string; expiresAt: Date }> {
-  const tokenId = randomBytes(32).toString("hex");
-  const expiresAt = new Date(Date.now() + env.REFRESH_TOKEN_TTL_DAYS * 24 * 60 * 60 * 1000);
-  
-  const refreshToken = app.jwt.sign(
-    { sub: userId, jti: tokenId, type: "refresh" },
-    { expiresIn: `${env.REFRESH_TOKEN_TTL_DAYS}d` }
-  );
-  
-  return { refreshToken, tokenId, expiresAt };
+	const tokenId = randomBytes(32).toString("hex");
+	const expiresAt = new Date(Date.now() + env.REFRESH_TOKEN_TTL_DAYS * 24 * 60 * 60 * 1000);
+
+	const refreshToken = app.jwt.sign(
+		{ sub: userId, jti: tokenId, type: "refresh" },
+		{ expiresIn: `${env.REFRESH_TOKEN_TTL_DAYS}d` }
+	);
+
+	return { refreshToken, tokenId, expiresAt };
 }

 function setAuthCookies(app: FastifyInstance, reply: FastifyReply, accessToken: string, refreshToken: string) {
-  // Use the same cookie options as regular auth for consistency
-  reply.setCookie("access_token", accessToken, app.config.cookieOptions);
-  reply.setCookie("refresh_token", refreshToken, app.config.refreshCookieOptions);
+	// Use the same cookie options as regular auth for consistency
+	reply.setCookie("access_token", accessToken, app.config.cookieOptions);
+	reply.setCookie("refresh_token", refreshToken, app.config.refreshCookieOptions);
 }
@@ -1,124 +1,322 @@
-import { FastifyInstance } from "fastify";
+import { and, desc, eq } from "drizzle-orm";
+import type { FastifyInstance, FastifyReply, FastifyRequest } from "fastify";
 import { z } from "zod";
 import { db } from "../db/client.js";
 import { medications, refillHistory } from "../db/schema.js";
-import { eq, and, desc } from "drizzle-orm";
-import { requireAuth, getAnonymousUserId } from "../plugins/auth.js";
+import { getAnonymousUserId, requireAuth } from "../plugins/auth.js";
 import { env } from "../plugins/env.js";
 import type { AuthUser } from "../types/fastify.js";
+import {
+	applyOpenApiRouteStandards,
+	genericErrorSchema,
+	idParamsSchema,
+	validationErrorSchema,
+} from "../utils/openapi-route-standards.js";
+import { isAmountBasedPackageType, normalizePackageType } from "../utils/package-profiles.js";

-const refillSchema = z.object({
-  packsAdded: z.number().int().min(0).default(0),
-  loosePillsAdded: z.number().int().min(0).default(0),
-}).refine(data => data.packsAdded > 0 || data.loosePillsAdded > 0, {
-  message: "Must add at least one pack or some loose pills",
-});
+const refillSchema = z
+	.object({
+		packsAdded: z.number().int().min(0).default(0),
+		loosePillsAdded: z.number().int().min(0).default(0),
+		usePrescription: z.boolean().default(false),
+	})
+	.refine((data) => data.packsAdded > 0 || data.loosePillsAdded > 0, {
+		message: "Must add at least one pack or some loose pills",
+	});
+
+const refillBodyOpenApiSchema = {
+	type: "object",
+	properties: {
+		packsAdded: { type: "integer", minimum: 0, default: 0 },
+		loosePillsAdded: { type: "integer", minimum: 0, default: 0 },
+		usePrescription: { type: "boolean", default: false },
+	},
+	description: "Provide at least one pack or some loose pills.",
+	example: {
+		packsAdded: 1,
+		loosePillsAdded: 4,
+		usePrescription: true,
+	},
+} as const;
+
+const refillResponseSchema = {
+	type: "object",
+	properties: {
+		success: { type: "boolean" },
+		refill: {
+			type: "object",
+			properties: {
+				id: { type: "number" },
+				packsAdded: { type: "integer" },
+				loosePillsAdded: { type: "integer" },
+				totalPillsAdded: { type: "number" },
+				refillDate: { type: "string", format: "date-time" },
+			},
+		},
+		newStock: {
+			type: "object",
+			properties: {
+				packCount: { type: "integer" },
+				looseTablets: { type: "integer" },
+				totalPills: { type: "number" },
+			},
+		},
+		prescription: {
+			type: "object",
+			properties: {
+				used: { type: "boolean" },
+				remainingRefills: { type: "integer" },
+				authorizedRefills: { type: "integer" },
+				lowRefillThreshold: { type: "integer" },
+				enabled: { type: "boolean" },
+			},
+		},
+	},
+} as const;
+
+const refillHistoryItemSchema = {
+	type: "object",
+	properties: {
+		id: { type: "number" },
+		packsAdded: { type: "integer" },
+		loosePillsAdded: { type: "integer" },
+		totalPillsAdded: { type: "number" },
+		usedPrescription: { type: "boolean" },
+		refillDate: { type: "string", format: "date-time" },
+	},
+} as const;

 export async function refillRoutes(app: FastifyInstance) {
-  // All refill routes require auth
-  app.addHook("preHandler", requireAuth);
+	// All refill routes require auth
+	app.addHook("preHandler", requireAuth);
+	applyOpenApiRouteStandards(app, { tag: "refills", protectedByDefault: true });

-  // Helper to get user ID from request
-  async function getUserId(request: any, reply: any): Promise<number> {
-    if (!env.AUTH_ENABLED) {
-      return getAnonymousUserId();
-    }
-    const authUser = request.user as unknown as AuthUser | null;
-    if (!authUser) {
-      reply.status(401).send({ error: "User not authenticated", code: "AUTH_REQUIRED" });
-      throw new Error("AUTH_REQUIRED");
-    }
-    return authUser.id;
-  }
+	// Helper to get user ID from request
+	async function getUserId(request: FastifyRequest, reply: FastifyReply): Promise<number> {
+		if (!env.AUTH_ENABLED) {
+			return getAnonymousUserId();
+		}
+		const authUser = request.user as unknown as AuthUser | null;
+		if (!authUser) {
+			reply.status(401).send({ error: "User not authenticated", code: "AUTH_REQUIRED" });
+			throw new Error("AUTH_REQUIRED");
+		}
+		return authUser.id;
+	}

-  // POST /medications/:id/refill - Add stock to medication
-  app.post<{ Params: { id: string } }>("/medications/:id/refill", async (req, reply) => {
-    const parsed = refillSchema.safeParse(req.body);
-    if (!parsed.success) return reply.status(400).send(parsed.error.format());
+	// POST /medications/:id/refill - Add stock to medication
+	app.post<{ Params: { id: string } }>(
+		"/medications/:id/refill",
+		{
+			schema: {
+				params: idParamsSchema,
+				body: refillBodyOpenApiSchema,
+				response: {
+					200: refillResponseSchema,
+					400: { anyOf: [genericErrorSchema, validationErrorSchema] },
+					401: genericErrorSchema,
+					404: genericErrorSchema,
+					409: genericErrorSchema,
+				},
+			},
+		},
+		async (req, reply) => {
+			const parsed = refillSchema.safeParse(req.body);
+			if (!parsed.success) return reply.status(400).send(parsed.error.format());

-    const medId = Number(req.params.id);
-    if (Number.isNaN(medId)) return reply.badRequest("Invalid medication id");
+			const medId = Number(req.params.id);
+			if (Number.isNaN(medId)) return reply.badRequest("Invalid medication id");

-    const userId = await getUserId(req, reply);
+			const userId = await getUserId(req, reply);

-    // Verify ownership
-    const [med] = await db.select().from(medications).where(
-      and(eq(medications.id, medId), eq(medications.userId, userId))
-    );
-    if (!med) return reply.notFound("Medication not found");
+			// Verify ownership
+			const [med] = await db
+				.select()
+				.from(medications)
+				.where(and(eq(medications.id, medId), eq(medications.userId, userId)));
+			if (!med) return reply.notFound("Medication not found");

-    const { packsAdded, loosePillsAdded } = parsed.data;
+			const { packsAdded, loosePillsAdded, usePrescription } = parsed.data;
+			const packageType = normalizePackageType(med.packageType);
+			const isBottle = packageType === "bottle";
+			const isAmountBased = isAmountBasedPackageType(packageType);
+			const isCountBasedAmountPackage = isAmountBased && !isBottle;

-    // Update medication stock
-    const newPackCount = med.packCount + packsAdded;
-    const newLooseTablets = med.looseTablets + loosePillsAdded;
+			const configuredAmountPerPackage = Number(med.packageAmountValue ?? 0);
+			const fallbackAmountPerPackage = Math.max(
+				1,
+				Math.round((med.totalPills ?? med.looseTablets ?? 0) / Math.max(1, med.packCount || 1))
+			);
+			const amountPerPackage =
+				Number.isFinite(configuredAmountPerPackage) && configuredAmountPerPackage > 0
+					? configuredAmountPerPackage
+					: fallbackAmountPerPackage;

-    await db.update(medications)
-      .set({
-        packCount: newPackCount,
-        looseTablets: newLooseTablets,
-        updatedAt: new Date(),
-      })
-      .where(and(eq(medications.id, medId), eq(medications.userId, userId)));
+			const requestedPackAdds = Math.max(0, packsAdded);
+			const requestedAmountAdds = Math.max(0, loosePillsAdded);
+			const derivedCountFromAmount = Math.max(0, Math.round(requestedAmountAdds / amountPerPackage));

-    // Create refill history entry
-    const [refill] = await db.insert(refillHistory)
-      .values({
-        medicationId: medId,
-        userId,
-        packsAdded,
-        loosePillsAdded,
-      })
-      .returning();
+			let effectivePacksAdded = requestedPackAdds;
+			if (isBottle) {
+				effectivePacksAdded = 0;
+			} else if (isCountBasedAmountPackage) {
+				effectivePacksAdded = Math.max(requestedPackAdds, derivedCountFromAmount);
+			}
+			const effectiveLoosePillsAdded = isCountBasedAmountPackage
+				? effectivePacksAdded * amountPerPackage
+				: requestedAmountAdds;
+			const remainingPrescriptionRefills = med.prescriptionRemainingRefills ?? 0;

-    // Calculate pills added for response
-    const pillsPerPack = med.blistersPerPack * med.pillsPerBlister;
-    const totalPillsAdded = (packsAdded * pillsPerPack) + loosePillsAdded;
+			if (effectivePacksAdded < 1 && effectiveLoosePillsAdded < 1) {
+				return reply.status(400).send({ error: "Must add at least one pack or some loose pills" });
+			}

-    return {
-      success: true,
-      refill: {
-        id: refill.id,
-        packsAdded,
-        loosePillsAdded,
-        totalPillsAdded,
-        refillDate: refill.refillDate,
-      },
-      newStock: {
-        packCount: newPackCount,
-        looseTablets: newLooseTablets,
-        totalPills: newPackCount * pillsPerPack + newLooseTablets,
-      },
-    };
-  });
+			if (usePrescription) {
+				if (!(med.prescriptionEnabled ?? false)) {
+					return reply.status(400).send({ error: "Prescription refill is not enabled for this medication" });
+				}
+				if (remainingPrescriptionRefills <= 0) {
+					return reply.status(409).send({ error: "No remaining prescription refills" });
+				}
+				if (!isBottle && effectivePacksAdded > remainingPrescriptionRefills) {
+					return reply.status(409).send({ error: "Packs to add exceed remaining prescription refills" });
+				}
+			}

-  // GET /medications/:id/refills - Get refill history for a medication
-  app.get<{ Params: { id: string } }>("/medications/:id/refills", async (req, reply) => {
-    const medId = Number(req.params.id);
-    if (Number.isNaN(medId)) return reply.badRequest("Invalid medication id");
+			// Update medication stock
+			const newPackCount = med.packCount + effectivePacksAdded;
+			const newLooseTablets = med.looseTablets + effectiveLoosePillsAdded;
+			const previousAmountBase = med.totalPills ?? med.looseTablets;
+			const newTotalAmount = previousAmountBase + effectiveLoosePillsAdded;

-    const userId = await getUserId(req, reply);
+			let consumedRefills = 0;
+			if (usePrescription) {
+				consumedRefills = isBottle ? 1 : effectivePacksAdded;
+			}
+			const newRemainingRefills = usePrescription
+				? Math.max(0, remainingPrescriptionRefills - consumedRefills)
+				: (med.prescriptionRemainingRefills ?? null);

-    // Verify ownership
-    const [med] = await db.select().from(medications).where(
-      and(eq(medications.id, medId), eq(medications.userId, userId))
-    );
-    if (!med) return reply.notFound("Medication not found");
+			const updatePayload: {
+				packCount: number;
+				looseTablets: number;
+				totalPills?: number;
+				packageAmountValue?: number;
+				prescriptionRemainingRefills: number | null;
+				updatedAt: Date;
+			} = {
+				packCount: newPackCount,
+				looseTablets: newLooseTablets,
+				prescriptionRemainingRefills: newRemainingRefills,
+				updatedAt: new Date(),
+			};

-    // Get refill history, newest first
-    const refills = await db.select()
-      .from(refillHistory)
-      .where(eq(refillHistory.medicationId, medId))
-      .orderBy(desc(refillHistory.refillDate));
+			if (isCountBasedAmountPackage) {
+				updatePayload.totalPills = newTotalAmount;
+				updatePayload.packageAmountValue = amountPerPackage;
+			}

-    const pillsPerPack = med.blistersPerPack * med.pillsPerBlister;
+			await db
+				.update(medications)
+				.set(updatePayload)
+				.where(and(eq(medications.id, medId), eq(medications.userId, userId)));

-    return refills.map(r => ({
-      id: r.id,
-      packsAdded: r.packsAdded,
-      loosePillsAdded: r.loosePillsAdded,
-      totalPillsAdded: (r.packsAdded * pillsPerPack) + r.loosePillsAdded,
-      refillDate: r.refillDate,
-    }));
-  });
+			// Create refill history entry
+			const [refill] = await db
+				.insert(refillHistory)
+				.values({
+					medicationId: medId,
+					userId,
+					packsAdded: effectivePacksAdded,
+					loosePillsAdded: effectiveLoosePillsAdded,
+					usedPrescription: usePrescription,
+				})
+				.returning();
+
+			// Calculate pills added for response (packageType-aware)
+			const pillsPerPack = isBottle ? 0 : med.blistersPerPack * med.pillsPerBlister;
+			const totalPillsAdded = isAmountBased
+				? effectiveLoosePillsAdded
+				: effectivePacksAdded * pillsPerPack + effectiveLoosePillsAdded;
+			let newTotalPills = newPackCount * pillsPerPack + newLooseTablets + (med.stockAdjustment ?? 0);
+			if (isCountBasedAmountPackage) {
+				newTotalPills = (newTotalAmount ?? 0) + (med.stockAdjustment ?? 0);
+			} else if (isBottle) {
+				newTotalPills = newLooseTablets + (med.stockAdjustment ?? 0);
+			}
+
+			return {
+				success: true,
+				refill: {
+					id: refill.id,
+					packsAdded: effectivePacksAdded,
+					loosePillsAdded: effectiveLoosePillsAdded,
+					totalPillsAdded,
+					refillDate: refill.refillDate,
+				},
+				newStock: {
+					packCount: newPackCount,
+					looseTablets: newLooseTablets,
+					totalPills: newTotalPills,
+				},
+				prescription: {
+					used: usePrescription,
+					remainingRefills: newRemainingRefills,
+					authorizedRefills: med.prescriptionAuthorizedRefills ?? null,
+					lowRefillThreshold: med.prescriptionLowRefillThreshold ?? 1,
+					enabled: med.prescriptionEnabled ?? false,
+				},
+			};
+		}
+	);
+
+	// GET /medications/:id/refills - Get refill history for a medication
+	app.get<{ Params: { id: string } }>(
+		"/medications/:id/refills",
+		{
+			schema: {
+				params: idParamsSchema,
+				response: {
+					200: { type: "array", items: refillHistoryItemSchema },
+					400: genericErrorSchema,
+					401: genericErrorSchema,
+					404: genericErrorSchema,
+				},
+			},
+		},
+		async (req, reply) => {
+			const medId = Number(req.params.id);
+			if (Number.isNaN(medId)) return reply.badRequest("Invalid medication id");
+
+			const userId = await getUserId(req, reply);
+
+			// Verify ownership
+			const [med] = await db
+				.select()
+				.from(medications)
+				.where(and(eq(medications.id, medId), eq(medications.userId, userId)));
+			if (!med) return reply.notFound("Medication not found");
+
+			// Get refill history, newest first
+			const refills = await db
+				.select()
+				.from(refillHistory)
+				.where(and(eq(refillHistory.medicationId, medId), eq(refillHistory.userId, userId)))
+				.orderBy(desc(refillHistory.refillDate));
+
+			const packageType = normalizePackageType(med.packageType);
+			const isBottle = packageType === "bottle";
+			const isAmountBased = isAmountBasedPackageType(packageType);
+			const pillsPerPack = isBottle ? 0 : med.blistersPerPack * med.pillsPerBlister;
+
+			return refills.map((r) => ({
+				id: r.id,
+				packsAdded: r.packsAdded,
+				loosePillsAdded: r.loosePillsAdded,
+				totalPillsAdded: isAmountBased ? r.loosePillsAdded : r.packsAdded * pillsPerPack + r.loosePillsAdded,
+				usedPrescription: r.usedPrescription ?? false,
+				refillDate: r.refillDate,
+			}));
+		}
+	);
 }
@@ -0,0 +1,178 @@
+import { and, eq } from "drizzle-orm";
+import type { FastifyInstance, FastifyReply, FastifyRequest } from "fastify";
+import { z } from "zod";
+import { db } from "../db/client.js";
+import { doseTracking, medications, refillHistory } from "../db/schema.js";
+import { getAnonymousUserId, requireAuth } from "../plugins/auth.js";
+import { env } from "../plugins/env.js";
+import type { AuthUser } from "../types/fastify.js";
+import {
+	applyOpenApiRouteStandards,
+	genericErrorSchema,
+	validationErrorSchema,
+} from "../utils/openapi-route-standards.js";
+
+const reportDataSchema = z.object({
+	medicationIds: z.array(z.number().int().positive()).min(1).max(100),
+});
+
+const reportDataBodyOpenApiSchema = {
+	type: "object",
+	required: ["medicationIds"],
+	properties: {
+		medicationIds: {
+			type: "array",
+			minItems: 1,
+			maxItems: 100,
+			items: { type: "integer", minimum: 1 },
+		},
+	},
+	example: {
+		medicationIds: [1, 3, 5],
+	},
+} as const;
+
+const reportDataResponseSchema = {
+	type: "object",
+	additionalProperties: {
+		type: "object",
+		properties: {
+			dosesTaken: { type: "integer" },
+			automaticDosesTaken: { type: "integer" },
+			dosesDismissed: { type: "integer" },
+			firstDoseAt: { type: "string" },
+			lastDoseAt: { type: "string" },
+			refills: {
+				type: "array",
+				items: {
+					type: "object",
+					properties: {
+						packsAdded: { type: "integer" },
+						loosePillsAdded: { type: "integer" },
+						usedPrescription: { type: "boolean" },
+						refillDate: { type: "string", format: "date-time" },
+					},
+				},
+			},
+		},
+	},
+} as const;
+
+export async function reportRoutes(app: FastifyInstance) {
+	app.addHook("preHandler", requireAuth);
+	applyOpenApiRouteStandards(app, { tag: "report", protectedByDefault: true });
+
+	async function getUserId(request: FastifyRequest, reply: FastifyReply): Promise<number> {
+		if (!env.AUTH_ENABLED) {
+			return getAnonymousUserId();
+		}
+		const authUser = request.user as unknown as AuthUser | null;
+		if (!authUser) {
+			reply.status(401).send({ error: "User not authenticated", code: "AUTH_REQUIRED" });
+			throw new Error("AUTH_REQUIRED");
+		}
+		return authUser.id;
+	}
+
+	// POST /medications/report-data - Get aggregated dose/refill data for report generation
+	app.post(
+		"/medications/report-data",
+		{
+			schema: {
+				body: reportDataBodyOpenApiSchema,
+				response: {
+					200: reportDataResponseSchema,
+					400: { anyOf: [genericErrorSchema, validationErrorSchema] },
+					401: genericErrorSchema,
+					403: genericErrorSchema,
+				},
+			},
+		},
+		async (req, reply) => {
+			const parsed = reportDataSchema.safeParse(req.body);
+			if (!parsed.success) return reply.status(400).send(parsed.error.format());
+
+			const userId = await getUserId(req, reply);
+			const { medicationIds } = parsed.data;
+
+			// Verify all medications belong to this user
+			const userMeds = await db.select({ id: medications.id }).from(medications).where(eq(medications.userId, userId));
+			const userMedIds = new Set(userMeds.map((m) => m.id));
+
+			for (const id of medicationIds) {
+				if (!userMedIds.has(id)) {
+					return reply.status(403).send({ error: "Access denied to medication" });
+				}
+			}
+
+			// Fetch dose tracking for all requested medications
+			// doseId format: "{medicationId}-{blisterIndex}-{dateMs}" or "{medicationId}-{blisterIndex}-{dateMs}-{takenBy}"
+			const allDoses = await db
+				.select({
+					doseId: doseTracking.doseId,
+					takenAt: doseTracking.takenAt,
+					dismissed: doseTracking.dismissed,
+					takenSource: doseTracking.takenSource,
+				})
+				.from(doseTracking)
+				.where(eq(doseTracking.userId, userId));
+
+			// Group doses by medication ID
+			const dosesByMed = new Map<number, { takenAt: Date; dismissed: boolean; takenSource: string }[]>();
+			for (const dose of allDoses) {
+				const medId = Number.parseInt(dose.doseId.split("-")[0], 10);
+				if (Number.isNaN(medId) || !medicationIds.includes(medId)) continue;
+				if (!dosesByMed.has(medId)) dosesByMed.set(medId, []);
+				dosesByMed.get(medId)!.push({
+					takenAt: dose.takenAt,
+					dismissed: dose.dismissed,
+					takenSource: dose.takenSource ?? "manual",
+				});
+			}
+
+			// Fetch refill history for requested medications
+			const result: Record<
+				number,
+				{
+					dosesTaken: number;
+					automaticDosesTaken: number;
+					dosesDismissed: number;
+					firstDoseAt: string | null;
+					lastDoseAt: string | null;
+					refills: { packsAdded: number; loosePillsAdded: number; usedPrescription: boolean; refillDate: string }[];
+				}
+			> = {};
+
+			for (const medId of medicationIds) {
+				const doses = dosesByMed.get(medId) ?? [];
+				const takenDoses = doses.filter((d) => !d.dismissed);
+				const automaticTakenDoses = takenDoses.filter((d) => d.takenSource === "automatic");
+				const dismissedDoses = doses.filter((d) => d.dismissed);
+
+				const sortedTaken = takenDoses.map((d) => d.takenAt.getTime()).sort((a, b) => a - b);
+
+				// Get refills for this medication scoped to the authenticated user.
+				const refills = await db
+					.select()
+					.from(refillHistory)
+					.where(and(eq(refillHistory.medicationId, medId), eq(refillHistory.userId, userId)));
+
+				result[medId] = {
+					dosesTaken: takenDoses.length,
+					automaticDosesTaken: automaticTakenDoses.length,
+					dosesDismissed: dismissedDoses.length,
+					firstDoseAt: sortedTaken.length > 0 ? new Date(sortedTaken[0]).toISOString() : null,
+					lastDoseAt: sortedTaken.length > 0 ? new Date(sortedTaken[sortedTaken.length - 1]).toISOString() : null,
+					refills: refills.map((r) => ({
+						packsAdded: r.packsAdded,
+						loosePillsAdded: r.loosePillsAdded,
+						usedPrescription: r.usedPrescription ?? false,
+						refillDate: r.refillDate instanceof Date ? r.refillDate.toISOString() : String(r.refillDate),
+					})),
+				};
+			}
+
+			return result;
+		}
+	);
+}
@@ -1,226 +1,513 @@
-import { FastifyInstance } from "fastify";
+import { randomBytes } from "node:crypto";
+import { and, eq } from "drizzle-orm";
+import type { FastifyInstance, FastifyReply, FastifyRequest } from "fastify";
 import { z } from "zod";
-import { randomBytes } from "crypto";
 import { db } from "../db/client.js";
-import { medications, shareTokens, userSettings, users } from "../db/schema.js";
-import { eq, and, sql } from "drizzle-orm";
-import { requireAuth, optionalAuth, getAnonymousUserId } from "../plugins/auth.js";
+import { doseTracking, medications, shareTokens, userSettings, users } from "../db/schema.js";
+import { getAnonymousUserId, requireAuth } from "../plugins/auth.js";
 import { env } from "../plugins/env.js";
+import { buildSharedMedicationOverview } from "../services/coverage.js";
 import type { AuthUser } from "../types/fastify.js";
-
-// Share token validity: 1 year in milliseconds
-const SHARE_TOKEN_VALIDITY_MS = 365 * 24 * 60 * 60 * 1000;
+import {
+	applyOpenApiRouteStandards,
+	genericErrorSchema,
+	tokenParamsSchema,
+	validationErrorSchema,
+} from "../utils/openapi-route-standards.js";
+import { isAmountBasedPackageType, normalizePackageType } from "../utils/package-profiles.js";
+import {
+	getAllTakenByForMedication,
+	parseIntakesJson,
+	parseTakenByJson,
+	personTakesMedication,
+} from "../utils/scheduler-utils.js";

 // =============================================================================
 // Validation Schemas
 // =============================================================================
 const createShareSchema = z.object({
-  takenBy: z.string().min(1, "takenBy is required"),
-  scheduleDays: z.number().int().min(1).max(365).default(30),
+	takenBy: z.string().min(1, "takenBy is required"),
+	scheduleDays: z.number().int().min(1).max(365).default(30),
 });

+const protectedEndpointSecurity: ReadonlyArray<Record<string, readonly string[]>> = [
+	{ bearerAuth: [] },
+	{ cookieAuth: [] },
+];
+
+const shareTokenPattern = /^[a-f0-9]{16}$/;
+
+const createShareBodyOpenApiSchema = {
+	type: "object",
+	properties: {
+		takenBy: { type: "string" },
+		scheduleDays: { type: "integer", minimum: 1, maximum: 365, default: 30 },
+	},
+	example: {
+		takenBy: "Daniel",
+		scheduleDays: 14,
+	},
+} as const;
+
+const shareReadResponseSchema = {
+	type: "object",
+	properties: {
+		takenBy: { type: "string" },
+		sharedBy: { type: "string" },
+		scheduleDays: { type: "integer" },
+		medications: { type: "array", items: { type: "object", additionalProperties: true } },
+		shareMedicationOverview: { type: "boolean" },
+		medicationOverview: {
+			anyOf: [{ type: "array", items: { type: "object", additionalProperties: true } }, { type: "null" }],
+		},
+		stockThresholds: { type: "object", additionalProperties: { type: "number" } },
+		stockCalculationMode: { type: "string", enum: ["automatic", "manual"] },
+		upcomingTodayOnly: { type: "boolean" },
+		shareScheduleTodayOnly: { type: "boolean" },
+	},
+} as const;
+
+const shareExpiredResponseSchema = {
+	type: "object",
+	properties: {
+		error: { type: "string" },
+		code: { type: "string" },
+		ownerUsername: { type: "string" },
+		takenBy: { type: "string" },
+		expiredAt: { type: "string", format: "date-time" },
+	},
+} as const;
+
+const shareOverviewExpiredResponseSchema = {
+	type: "object",
+	properties: {
+		error: { type: "string" },
+		expiredAt: { type: "string", format: "date-time" },
+	},
+} as const;
+
+const shareOverviewResponseSchema = {
+	type: "object",
+	properties: {
+		takenBy: { type: "string" },
+		sharedBy: { type: "string" },
+		generatedAt: { type: "string", format: "date-time" },
+		medications: { type: "array", items: { type: "object", additionalProperties: true } },
+	},
+} as const;
+
+function maskToken(token: string): string {
+	if (token.length <= 8) return token;
+	return `${token.slice(0, 4)}...${token.slice(-4)}`;
+}
+
 // Helper to get user ID from request
 // Returns anonymous user ID when auth is disabled
-async function getUserId(request: any, reply: any): Promise<number> {
-  // If auth is disabled, use the anonymous user
-  if (!env.AUTH_ENABLED) {
-    return getAnonymousUserId();
-  }
-  
-  const authUser = request.user as unknown as AuthUser | null;
-  if (!authUser) {
-    reply.status(401).send({ error: "Not authenticated" });
-    throw new Error("AUTH_REQUIRED");
-  }
-  return authUser.id;
-}
+async function getUserId(request: FastifyRequest, reply: FastifyReply): Promise<number> {
+	// If auth is disabled, use the anonymous user
+	if (!env.AUTH_ENABLED) {
+		return getAnonymousUserId();
+	}

-// Helper to parse takenByJson
-function parseTakenByJson(takenByJson: string | null | undefined): string[] {
-  if (!takenByJson) return [];
-  try {
-    const parsed = JSON.parse(takenByJson);
-    return Array.isArray(parsed) ? parsed.filter((s: unknown) => typeof s === "string" && s.trim()) : [];
-  } catch {
-    return [];
-  }
+	const authUser = request.user as unknown as AuthUser | null;
+	if (!authUser) {
+		reply.status(401).send({ error: "Not authenticated" });
+		throw new Error("AUTH_REQUIRED");
+	}
+	return authUser.id;
 }

 // =============================================================================
 // Share Routes
 // =============================================================================
 export async function shareRoutes(app: FastifyInstance) {
-  // ---------------------------------------------------------------------------
-  // GET /share/:token - PUBLIC: Get shared schedule by token
-  // ---------------------------------------------------------------------------
-  app.get<{ Params: { token: string } }>("/share/:token", async (request, reply) => {
-    const { token } = request.params;
+	applyOpenApiRouteStandards(app, {
+		tag: "share",
+		protectedByDefault: false,
+		protectedPaths: [/^\/share$/, /^\/share\/people$/],
+	});

-    // Find share token
-    const [share] = await db.select().from(shareTokens).where(eq(shareTokens.token, token));
-    if (!share) {
-      return reply.status(404).send({ 
-        error: "Share link not found",
-        code: "NOT_FOUND"
-      });
-    }
+	// ---------------------------------------------------------------------------
+	// GET /share/:token - PUBLIC: Get shared schedule by token
+	// ---------------------------------------------------------------------------
+	app.get<{ Params: { token: string } }>(
+		"/share/:token",
+		{
+			schema: {
+				params: tokenParamsSchema,
+				response: {
+					200: shareReadResponseSchema,
+					404: genericErrorSchema,
+					410: shareExpiredResponseSchema,
+				},
+			},
+			config: {
+				rateLimit: {
+					max: 60,
+					timeWindow: "1 minute",
+					errorResponseBuilder: () => ({ error: "rate_limited" }),
+				},
+			},
+		},
+		async (request, reply) => {
+			const { token } = request.params;

-    // Check if token has expired
-    if (share.expiresAt && share.expiresAt.getTime() < Date.now()) {
-      // Get the username of the owner to show in the expired message
-      const [owner] = await db.select({ username: users.username }).from(users).where(eq(users.id, share.userId));
-      return reply.status(410).send({
-        error: "Share link has expired",
-        code: "EXPIRED",
-        ownerUsername: owner?.username ?? "the owner",
-        takenBy: share.takenBy,
-        expiredAt: share.expiresAt.toISOString(),
-      });
-    }
+			// Find share token
+			const [share] = await db.select().from(shareTokens).where(eq(shareTokens.token, token));
+			if (!share) {
+				request.log.warn(`[Share] Invalid share token requested: ${maskToken(token)}`);
+				return reply.status(404).send({
+					error: "Share link not found",
+					code: "NOT_FOUND",
+				});
+			}

-    // Get user settings for stock thresholds
-    const [settings] = await db.select().from(userSettings).where(eq(userSettings.userId, share.userId));
+			// Check if token has expired
+			if (share.expiresAt && share.expiresAt.getTime() < Date.now()) {
+				request.log.warn(
+					`[Share] Expired token requested: ${maskToken(token)} (owner=${share.userId}, takenBy=${share.takenBy})`
+				);
+				// Get the username of the owner to show in the expired message
+				const [owner] = await db.select({ username: users.username }).from(users).where(eq(users.id, share.userId));
+				return reply.status(410).send({
+					error: "Share link has expired",
+					code: "EXPIRED",
+					ownerUsername: owner?.username ?? "the owner",
+					takenBy: share.takenBy,
+					expiredAt: share.expiresAt.toISOString(),
+				});
+			}

-    // Get the username of the owner who created this share link
-    const [owner] = await db.select({ username: users.username }).from(users).where(eq(users.id, share.userId));
+			// Get user settings for stock thresholds
+			const [settings] = await db.select().from(userSettings).where(eq(userSettings.userId, share.userId));

-    // Get medications for this user filtered by takenBy (search in JSON array)
-    // Use SQLite JSON function to check if takenBy is in the array
-    const allMeds = await db.select().from(medications).where(eq(medications.userId, share.userId));
-    
-    // Filter medications where takenByJson array contains the share.takenBy value
-    const meds = allMeds.filter((med) => {
-      const takenByArray = parseTakenByJson(med.takenByJson);
-      return takenByArray.includes(share.takenBy);
-    });
+			// Get the username of the owner who created this share link
+			const [owner] = await db.select({ username: users.username }).from(users).where(eq(users.id, share.userId));

-    // Parse blisters and build schedule data
-    const medicationsWithBlisters = meds.map((med) => {
-      let blisters: { usage: number; every: number; start: string }[] = [];
-      try {
-        const usageArr = JSON.parse(med.usageJson || "[]");
-        const everyArr = JSON.parse(med.everyJson || "[]");
-        const startArr = JSON.parse(med.startJson || "[]");
-        blisters = usageArr.map((usage: number, i: number) => ({
-          usage,
-          every: everyArr[i] ?? 1,
-          start: startArr[i] ?? new Date().toISOString(),
-        }));
-      } catch {
-        blisters = [];
-      }
+			// Get medications for this user filtered by takenBy (search in JSON array)
+			// Use SQLite JSON function to check if takenBy is in the array
+			const allMeds = await db.select().from(medications).where(eq(medications.userId, share.userId));

-      // Parse takenBy JSON array
-      const takenByArray = parseTakenByJson(med.takenByJson);
+			// Filter medications where takenBy matches either medication-level OR any intake-level takenBy
+			const meds = allMeds.filter((med) => {
+				const takenByArray = parseTakenByJson(med.takenByJson);
+				const intakes = parseIntakesJson(
+					med.intakesJson,
+					{ usageJson: med.usageJson, everyJson: med.everyJson, startJson: med.startJson },
+					med.intakeRemindersEnabled ?? false
+				);
+				return personTakesMedication(share.takenBy, takenByArray, intakes);
+			});

-      const totalPills = med.packCount * med.blistersPerPack * med.pillsPerBlister + med.looseTablets;
-      return {
-        id: med.id,
-        name: med.name,
-        genericName: med.genericName,
-        pillWeightMg: med.pillWeightMg,
-        imageUrl: med.imageUrl,
-        totalPills,
-        packCount: med.packCount,
-        blistersPerPack: med.blistersPerPack,
-        looseTablets: med.looseTablets,
-        pillsPerBlister: med.pillsPerBlister,
-        takenBy: takenByArray,
-        blisters,
-      };
-    });
+			// Parse blisters and build schedule data
+			const medicationsWithBlisters = meds.map((med) => {
+				// Parse intakes from new format, falling back to legacy
+				const intakes = parseIntakesJson(
+					med.intakesJson,
+					{ usageJson: med.usageJson, everyJson: med.everyJson, startJson: med.startJson },
+					med.intakeRemindersEnabled ?? false
+				);

-    return {
-      takenBy: share.takenBy,
-      sharedBy: owner?.username ?? null,
-      scheduleDays: share.scheduleDays,
-      medications: medicationsWithBlisters,
-      stockThresholds: {
-        lowStockDays: settings?.lowStockDays ?? 30,
-      },
-    };
-  });
+				// Convert to legacy blisters format for backward compat
+				const blisters = intakes.map((i) => ({
+					usage: i.usage,
+					every: i.every,
+					start: i.start,
+				}));

-  // ---------------------------------------------------------------------------
-  // POST /share - PROTECTED: Create a new share link
-  // ---------------------------------------------------------------------------
-  app.post<{ Body: z.infer<typeof createShareSchema> }>(
-    "/share",
-    { preHandler: requireAuth },
-    async (request, reply) => {
-      const userId = await getUserId(request, reply);
+				// Parse takenBy JSON array
+				const takenByArray = parseTakenByJson(med.takenByJson);

-      const parsed = createShareSchema.safeParse(request.body);
-      if (!parsed.success) {
-        return reply.status(400).send({
-          error: parsed.error.errors[0]?.message ?? "Invalid input",
-          code: "VALIDATION_ERROR",
-        });
-      }
+				const totalPills = isAmountBasedPackageType(med.packageType)
+					? med.looseTablets + (med.stockAdjustment ?? 0)
+					: med.packCount * med.blistersPerPack * med.pillsPerBlister + med.looseTablets + (med.stockAdjustment ?? 0);
+				return {
+					id: med.id,
+					name: med.name,
+					genericName: med.genericName,
+					pillWeightMg: med.pillWeightMg,
+					doseUnit: med.doseUnit ?? "mg",
+					imageUrl: med.imageUrl,
+					totalPills,
+					packageType: normalizePackageType(med.packageType),
+					packCount: med.packCount,
+					blistersPerPack: med.blistersPerPack,
+					looseTablets: med.looseTablets,
+					pillsPerBlister: med.pillsPerBlister,
+					takenBy: takenByArray,
+					intakes, // New unified format with per-intake takenBy
+					blisters, // Legacy format for backward compat
+					dismissedUntil: med.dismissedUntil,
+					updatedAt: med.updatedAt, // For filtering out doses from previous schedule configurations
+					lastStockCorrectionAt: med.lastStockCorrectionAt?.getTime() ?? null,
+					stockAdjustment: med.stockAdjustment ?? 0,
+				};
+			});

-      const { takenBy, scheduleDays } = parsed.data;
+			const shareMedicationOverview = settings?.shareMedicationOverview ?? false;
+			const medicationOverview = shareMedicationOverview
+				? buildSharedMedicationOverview({
+						medications: meds,
+						doses: await db.select().from(doseTracking).where(eq(doseTracking.userId, share.userId)),
+						thresholdDays: settings?.lowStockDays ?? 30,
+					})
+				: null;

-      // Check if user has medications for this takenBy (search in JSON array)
-      const allMeds = await db.select().from(medications).where(eq(medications.userId, userId));
-      const medsForPerson = allMeds.filter((med) => {
-        const takenByArray = parseTakenByJson(med.takenByJson);
-        return takenByArray.includes(takenBy);
-      });
+			return {
+				takenBy: share.takenBy,
+				sharedBy: owner?.username ?? null,
+				scheduleDays: share.scheduleDays,
+				medications: medicationsWithBlisters,
+				shareMedicationOverview,
+				medicationOverview,
+				stockThresholds: {
+					lowStockDays: settings?.lowStockDays ?? 30,
+					normalStockDays: settings?.normalStockDays ?? 60,
+					highStockDays: settings?.highStockDays ?? 90,
+					reminderDaysBefore: settings?.reminderDaysBefore ?? 7,
+					expiryWarningDays: settings?.expiryWarningDays ?? 90,
+				},
+				stockCalculationMode: (settings?.stockCalculationMode as "automatic" | "manual") ?? "automatic",
+				upcomingTodayOnly: settings?.upcomingTodayOnly ?? false,
+				shareScheduleTodayOnly: settings?.shareScheduleTodayOnly ?? false,
+			};
+		}
+	);

-      if (medsForPerson.length === 0) {
-        return reply.status(400).send({
-          error: "No medications found for this person",
-          code: "NO_MEDICATIONS",
-        });
-      }
+	// ---------------------------------------------------------------------------
+	// GET /share/:token/overview - PUBLIC: Read-only medication overview by token
+	// ---------------------------------------------------------------------------
+	app.get<{ Params: { token: string } }>(
+		"/share/:token/overview",
+		{
+			schema: {
+				params: tokenParamsSchema,
+				response: {
+					200: shareOverviewResponseSchema,
+					404: genericErrorSchema,
+					410: shareOverviewExpiredResponseSchema,
+				},
+			},
+			config: {
+				rateLimit: {
+					max: 60,
+					timeWindow: "1 minute",
+					errorResponseBuilder: () => ({ error: "rate_limited" }),
+				},
+			},
+		},
+		async (request, reply) => {
+			reply.header("Cache-Control", "no-store");

-      // Generate unique token (8 bytes = 16 hex chars)
-      const token = randomBytes(8).toString("hex");
-      
-      // Set expiration date (1 year from now)
-      const expiresAt = new Date(Date.now() + SHARE_TOKEN_VALIDITY_MS);
+			const { token } = request.params;
+			if (!shareTokenPattern.test(token)) {
+				request.log.warn(`[ShareOverview] Rejected invalid token format: ${maskToken(token)}`);
+				return reply.status(404).send({ error: "not_found" });
+			}

-      // Create share token
-      await db.insert(shareTokens).values({
-        userId: userId,
-        token,
-        takenBy,
-        scheduleDays,
-        expiresAt,
-      });
+			const [share] = await db.select().from(shareTokens).where(eq(shareTokens.token, token));
+			if (!share) {
+				request.log.warn(`[ShareOverview] Unknown token requested: ${maskToken(token)}`);
+				return reply.status(404).send({ error: "not_found" });
+			}

-      return {
-        token,
-        shareUrl: `/share/${token}`,
-        expiresAt: expiresAt.toISOString(),
-      };
-    }
-  );
+			if (share.expiresAt && share.expiresAt.getTime() < Date.now()) {
+				request.log.warn(
+					`[ShareOverview] Expired token requested: ${maskToken(token)} (owner=${share.userId}, takenBy=${share.takenBy})`
+				);
+				return reply.status(410).send({
+					error: "expired",
+					expiredAt: share.expiresAt.toISOString(),
+				});
+			}

-  // ---------------------------------------------------------------------------
-  // GET /share/people - PROTECTED: Get list of unique takenBy values
-  // ---------------------------------------------------------------------------
-  app.get(
-    "/share/people",
-    { preHandler: requireAuth },
-    async (request, reply) => {
-      const userId = await getUserId(request, reply);
+			const [settings] = await db.select().from(userSettings).where(eq(userSettings.userId, share.userId));
+			const [owner] = await db.select({ username: users.username }).from(users).where(eq(users.id, share.userId));

-      // Get all unique takenBy values for this user (from JSON arrays)
-      const meds = await db.select({ takenByJson: medications.takenByJson })
-        .from(medications)
-        .where(eq(medications.userId, userId));
+			const allMeds = await db.select().from(medications).where(eq(medications.userId, share.userId));
+			const meds = allMeds.filter((med) => {
+				const takenByArray = parseTakenByJson(med.takenByJson);
+				const intakes = parseIntakesJson(
+					med.intakesJson,
+					{ usageJson: med.usageJson, everyJson: med.everyJson, startJson: med.startJson },
+					med.intakeRemindersEnabled ?? false
+				);
+				return personTakesMedication(share.takenBy, takenByArray, intakes);
+			});

-      // Collect all unique person names from all takenByJson arrays
-      const allPeople = new Set<string>();
-      for (const med of meds) {
-        const takenByArray = parseTakenByJson(med.takenByJson);
-        for (const person of takenByArray) {
-          if (person) allPeople.add(person);
-        }
-      }
+			const doses = await db.select().from(doseTracking).where(eq(doseTracking.userId, share.userId));

-      return { people: [...allPeople].sort() };
-    }
-  );
+			const overview = buildSharedMedicationOverview({
+				medications: meds,
+				doses,
+				thresholdDays: settings?.lowStockDays ?? 30,
+			});
+
+			return {
+				takenBy: share.takenBy,
+				sharedBy: owner?.username ?? null,
+				generatedAt: new Date().toISOString(),
+				medications: overview,
+			};
+		}
+	);
+
+	// ---------------------------------------------------------------------------
+	// POST /share - PROTECTED: Create a new share link
+	// ---------------------------------------------------------------------------
+	app.post<{ Body: z.infer<typeof createShareSchema> }>(
+		"/share",
+		{
+			preHandler: requireAuth,
+			schema: {
+				tags: ["share"],
+				security: protectedEndpointSecurity,
+				body: createShareBodyOpenApiSchema,
+				response: {
+					200: {
+						type: "object",
+						properties: {
+							reused: { type: "boolean" },
+							token: { type: "string" },
+							shareUrl: { type: "string" },
+							expiresAt: { type: ["string", "null"] },
+						},
+					},
+					400: { anyOf: [genericErrorSchema, validationErrorSchema] },
+					401: genericErrorSchema,
+				},
+			},
+		},
+		async (request, reply) => {
+			const userId = await getUserId(request, reply);
+
+			const parsed = createShareSchema.safeParse(request.body);
+			if (!parsed.success) {
+				return reply.status(400).send({
+					error: parsed.error.errors[0]?.message ?? "Invalid input",
+					code: "VALIDATION_ERROR",
+				});
+			}
+
+			const { takenBy, scheduleDays } = parsed.data;
+
+			// Check if user has medications for this takenBy (search in both medication-level and intake-level)
+			const allMeds = await db.select().from(medications).where(eq(medications.userId, userId));
+			const medsForPerson = allMeds.filter((med) => {
+				const takenByArray = parseTakenByJson(med.takenByJson);
+				const intakes = parseIntakesJson(
+					med.intakesJson,
+					{ usageJson: med.usageJson, everyJson: med.everyJson, startJson: med.startJson },
+					med.intakeRemindersEnabled ?? false
+				);
+				return personTakesMedication(takenBy, takenByArray, intakes);
+			});
+
+			if (medsForPerson.length === 0) {
+				return reply.status(400).send({
+					error: "No medications found for this person",
+					code: "NO_MEDICATIONS",
+				});
+			}
+
+			// Keep exactly one active share link per person/user.
+			// If a link already exists, return the same token and only update settings.
+			const [existingShare] = await db
+				.select()
+				.from(shareTokens)
+				.where(and(eq(shareTokens.userId, userId), eq(shareTokens.takenBy, takenBy)));
+
+			if (existingShare) {
+				await db.update(shareTokens).set({ scheduleDays, expiresAt: null }).where(eq(shareTokens.id, existingShare.id));
+
+				request.log.info(
+					`[Share] Reused existing share token (owner=${userId}, takenBy=${takenBy}, scheduleDays=${scheduleDays})`
+				);
+
+				return {
+					reused: true,
+					token: existingShare.token,
+					shareUrl: `/share/${existingShare.token}`,
+					expiresAt: null,
+				};
+			}
+
+			const token = randomBytes(8).toString("hex");
+
+			await db.insert(shareTokens).values({
+				userId,
+				token,
+				takenBy,
+				scheduleDays,
+				expiresAt: null,
+			});
+
+			request.log.info(
+				`[Share] Created new share token (owner=${userId}, takenBy=${takenBy}, scheduleDays=${scheduleDays})`
+			);
+
+			return {
+				reused: false,
+				token,
+				shareUrl: `/share/${token}`,
+				expiresAt: null,
+			};
+		}
+	);
+
+	// ---------------------------------------------------------------------------
+	// GET /share/people - PROTECTED: Get list of unique takenBy values
+	// ---------------------------------------------------------------------------
+	app.get(
+		"/share/people",
+		{
+			preHandler: requireAuth,
+			schema: {
+				tags: ["share"],
+				security: protectedEndpointSecurity,
+				response: {
+					200: {
+						type: "object",
+						properties: {
+							people: { type: "array", items: { type: "string" } },
+						},
+					},
+					401: genericErrorSchema,
+				},
+			},
+		},
+		async (request, reply) => {
+			const userId = await getUserId(request, reply);
+
+			// Get all unique takenBy values for this user (from both medication-level and intake-level)
+			const meds = await db
+				.select({
+					takenByJson: medications.takenByJson,
+					intakesJson: medications.intakesJson,
+					usageJson: medications.usageJson,
+					everyJson: medications.everyJson,
+					startJson: medications.startJson,
+					intakeRemindersEnabled: medications.intakeRemindersEnabled,
+				})
+				.from(medications)
+				.where(eq(medications.userId, userId));
+
+			// Collect all unique person names from medication-level AND intake-level takenBy
+			const allPeople = new Set<string>();
+			for (const med of meds) {
+				const takenByArray = parseTakenByJson(med.takenByJson);
+				const intakes = parseIntakesJson(
+					med.intakesJson,
+					{ usageJson: med.usageJson, everyJson: med.everyJson, startJson: med.startJson },
+					med.intakeRemindersEnabled ?? false
+				);
+				const allForMed = getAllTakenByForMedication(takenByArray, intakes);
+				for (const person of allForMed) {
+					if (person) allPeople.add(person);
+				}
+			}
+
+			return { people: [...allPeople].sort() };
+		}
+	);
 }
@@ -0,0 +1,213 @@
+import type { doseTracking, medications } from "../db/schema.js";
+import { isAmountBasedPackageType } from "../utils/package-profiles.js";
+import {
+	getTodayInTimezone,
+	type Intake,
+	normalizeIntakeUsageForStock,
+	parseIntakesJson,
+	parseLocalDateTime,
+} from "../utils/scheduler-utils.js";
+
+const MS_PER_DAY = 86_400_000;
+const doseIdPattern = /^(\d+)-(\d+)-(\d+)(?:-(.+))?$/;
+
+type MedicationRow = typeof medications.$inferSelect;
+type DoseRow = typeof doseTracking.$inferSelect;
+
+export type SharedMedicationOverviewItem = {
+	name: string;
+	genericName: string | null;
+	imageUrl: string | null;
+	packageType: string;
+	packCount: number;
+	blistersPerPack: number;
+	pillsPerBlister: number;
+	totalPills: number | null;
+	looseTablets: number;
+	currentStock: number | null;
+	capacity: number | null;
+	daysLeft: number | null;
+	nextIntakeDate: string | null;
+	depletionDate: string | null;
+	priority: "normal" | "high" | "out-of-stock" | null;
+	expiryDate: string | null;
+	medicationStartDate: string | null;
+	prescriptionEnabled: boolean;
+	prescriptionRemainingRefills: number | null;
+};
+
+function toDateOnlyString(date: Date): string {
+	const year = date.getFullYear();
+	const month = String(date.getMonth() + 1).padStart(2, "0");
+	const day = String(date.getDate()).padStart(2, "0");
+	return `${year}-${month}-${day}`;
+}
+
+function parseDateOnly(dateOnly: string): Date {
+	const [year, month, day] = dateOnly.split("-").map((value) => Number.parseInt(value, 10));
+	return new Date(year, month - 1, day, 0, 0, 0, 0);
+}
+
+function computeCapacity(medication: MedicationRow): number {
+	if (isAmountBasedPackageType(medication.packageType)) {
+		return medication.totalPills ?? medication.looseTablets;
+	}
+
+	return medication.packCount * medication.blistersPerPack * medication.pillsPerBlister;
+}
+
+function computeDailyDoseRate(intakes: Intake[], medication: MedicationRow): number {
+	return intakes.reduce((sum, intake) => {
+		if (intake.every <= 0) return sum;
+		const normalizedUsage = normalizeIntakeUsageForStock(intake, medication.medicationForm, medication.packageType);
+		return sum + normalizedUsage / intake.every;
+	}, 0);
+}
+
+function computeNextIntakeDate(intakes: Intake[], todayDateOnly: string): string | null {
+	const today = parseDateOnly(todayDateOnly);
+	let nextDate: Date | null = null;
+
+	for (const intake of intakes) {
+		if (intake.every <= 0) continue;
+
+		const startDate = parseLocalDateTime(intake.start);
+		const startDateOnly = new Date(startDate.getFullYear(), startDate.getMonth(), startDate.getDate(), 0, 0, 0, 0);
+
+		let candidate = startDateOnly;
+		if (candidate.getTime() < today.getTime()) {
+			const elapsedDays = Math.floor((today.getTime() - candidate.getTime()) / MS_PER_DAY);
+			const intervals = Math.ceil(elapsedDays / intake.every);
+			candidate = new Date(candidate.getTime() + intervals * intake.every * MS_PER_DAY);
+		}
+
+		if (!nextDate || candidate.getTime() < nextDate.getTime()) {
+			nextDate = candidate;
+		}
+	}
+
+	return nextDate ? toDateOnlyString(nextDate) : null;
+}
+
+function computeTakenAmount(
+	medication: MedicationRow,
+	intakes: Intake[],
+	dosesByMedication: Map<number, DoseRow[]>
+): number {
+	const doseRows = dosesByMedication.get(medication.id) ?? [];
+	if (doseRows.length === 0) return 0;
+
+	const correctionDateOnlyMs = medication.lastStockCorrectionAt
+		? new Date(
+				medication.lastStockCorrectionAt.getFullYear(),
+				medication.lastStockCorrectionAt.getMonth(),
+				medication.lastStockCorrectionAt.getDate(),
+				0,
+				0,
+				0,
+				0
+			).getTime()
+		: 0;
+
+	let takenAmount = 0;
+	for (const dose of doseRows) {
+		if (dose.dismissed) continue;
+
+		const match = doseIdPattern.exec(dose.doseId);
+		if (!match) continue;
+
+		const intakeIndex = Number.parseInt(match[2], 10);
+		const doseDateOnlyMs = Number.parseInt(match[3], 10);
+		if (Number.isNaN(intakeIndex) || Number.isNaN(doseDateOnlyMs)) continue;
+		if (doseDateOnlyMs < correctionDateOnlyMs) continue;
+
+		const intake = intakes[intakeIndex];
+		if (!intake) continue;
+
+		takenAmount += normalizeIntakeUsageForStock(intake, medication.medicationForm, medication.packageType);
+	}
+
+	return takenAmount;
+}
+
+function toNullableDate(value: string | null): string | null {
+	if (!value) return null;
+	return value.trim() ? value : null;
+}
+
+function computeOverviewPriority(
+	currentStock: number,
+	daysLeft: number | null,
+	thresholdDays: number
+): "normal" | "high" | "out-of-stock" {
+	if (currentStock <= 0 || daysLeft === 0) return "out-of-stock";
+	if (daysLeft !== null && daysLeft <= thresholdDays) return "high";
+	return "normal";
+}
+
+export function buildSharedMedicationOverview(options: {
+	medications: MedicationRow[];
+	doses: DoseRow[];
+	thresholdDays: number;
+}): SharedMedicationOverviewItem[] {
+	const { medications: medicationRows, doses, thresholdDays } = options;
+
+	const dosesByMedication = new Map<number, DoseRow[]>();
+	for (const dose of doses) {
+		const match = doseIdPattern.exec(dose.doseId);
+		if (!match) continue;
+
+		const medicationId = Number.parseInt(match[1], 10);
+		if (Number.isNaN(medicationId)) continue;
+
+		const existing = dosesByMedication.get(medicationId) ?? [];
+		existing.push(dose);
+		dosesByMedication.set(medicationId, existing);
+	}
+
+	const todayDateOnly = getTodayInTimezone();
+	const todayDate = parseDateOnly(todayDateOnly);
+
+	return medicationRows.map((medication) => {
+		const intakes = parseIntakesJson(
+			medication.intakesJson,
+			{
+				usageJson: medication.usageJson,
+				everyJson: medication.everyJson,
+				startJson: medication.startJson,
+			},
+			medication.intakeRemindersEnabled ?? false
+		);
+
+		const capacity = computeCapacity(medication);
+		const dailyDoseRate = computeDailyDoseRate(intakes, medication);
+		const takenAmount = computeTakenAmount(medication, intakes, dosesByMedication);
+		const rawCurrentStock = capacity + (medication.stockAdjustment ?? 0) - takenAmount;
+		const currentStock = Math.max(0, Math.floor(rawCurrentStock));
+		const daysLeft = dailyDoseRate > 0 ? Math.floor(currentStock / dailyDoseRate) : null;
+		const depletionDate =
+			daysLeft === null ? null : toDateOnlyString(new Date(todayDate.getTime() + daysLeft * MS_PER_DAY));
+		const priority = computeOverviewPriority(currentStock, daysLeft, thresholdDays);
+		return {
+			name: medication.name,
+			genericName: medication.genericName,
+			imageUrl: medication.imageUrl,
+			packageType: medication.packageType,
+			packCount: medication.packCount,
+			blistersPerPack: medication.blistersPerPack,
+			pillsPerBlister: medication.pillsPerBlister,
+			totalPills: medication.totalPills,
+			looseTablets: medication.looseTablets,
+			currentStock,
+			capacity,
+			daysLeft,
+			nextIntakeDate: computeNextIntakeDate(intakes, todayDateOnly),
+			depletionDate,
+			priority,
+			expiryDate: toNullableDate(medication.expiryDate),
+			medicationStartDate: toNullableDate(medication.medicationStartDate),
+			prescriptionEnabled: medication.prescriptionEnabled ?? false,
+			prescriptionRemainingRefills: medication.prescriptionRemainingRefills,
+		};
+	});
+}
@@ -0,0 +1,151 @@
+import type { doseTracking, medications } from "../db/schema.js";
+import { isAmountBasedPackageType } from "../utils/package-profiles.js";
+import {
+	normalizeIntakeUsageForStock,
+	parseIntakesJson,
+	parseLocalDateTime,
+	parseTakenByJson,
+} from "../utils/scheduler-utils.js";
+
+type MedicationRow = typeof medications.$inferSelect;
+type DoseRow = typeof doseTracking.$inferSelect;
+
+const MS_PER_DAY = 86_400_000;
+const doseIdPattern = /^(\d+)-(\d+)-(\d+)(?:-(.+))?$/;
+
+function getDoseTakenAtMs(dose: DoseRow): number {
+	const rawTakenAt = Number(dose.takenAt);
+	if (Number.isFinite(rawTakenAt)) {
+		return rawTakenAt < 1_000_000_000_000 ? rawTakenAt * 1000 : rawTakenAt;
+	}
+
+	return new Date(dose.takenAt).getTime();
+}
+
+export function computeMedicationCurrentStock(options: {
+	medication: MedicationRow;
+	doses: DoseRow[];
+	stockCalculationMode: "automatic" | "manual";
+	nowMs?: number;
+}): number {
+	const { medication, doses, stockCalculationMode, nowMs = Date.now() } = options;
+
+	const intakes = parseIntakesJson(
+		medication.intakesJson,
+		{
+			usageJson: medication.usageJson,
+			everyJson: medication.everyJson,
+			startJson: medication.startJson,
+		},
+		medication.intakeRemindersEnabled ?? false
+	);
+
+	const baseStock = isAmountBasedPackageType(medication.packageType)
+		? medication.looseTablets + (medication.stockAdjustment ?? 0)
+		: medication.packCount * medication.blistersPerPack * medication.pillsPerBlister +
+			medication.looseTablets +
+			(medication.stockAdjustment ?? 0);
+
+	const relevantDoses = doses.filter((dose) => !dose.dismissed);
+	const stockCorrectionCutoff = medication.lastStockCorrectionAt
+		? new Date(medication.lastStockCorrectionAt).getTime()
+		: 0;
+	let consumed = 0;
+
+	if (stockCalculationMode === "automatic") {
+		const medicationTakenBy = parseTakenByJson(medication.takenByJson);
+
+		intakes.forEach((intake, intakeIndex) => {
+			const usage = normalizeIntakeUsageForStock(intake, medication.medicationForm, medication.packageType);
+			const intakeStart = parseLocalDateTime(intake.start).getTime();
+			if (Number.isNaN(intakeStart)) return;
+
+			const period = Math.max(1, intake.every) * MS_PER_DAY;
+			let effectiveStart: number;
+			if (stockCorrectionCutoff > 0 && stockCorrectionCutoff >= intakeStart) {
+				const elapsedSinceStart = stockCorrectionCutoff - intakeStart;
+				const periodsElapsed = Math.floor(elapsedSinceStart / period);
+				effectiveStart = intakeStart + (periodsElapsed + 1) * period;
+			} else {
+				effectiveStart = intakeStart;
+			}
+
+			let peopleForThisIntake: Array<string | null>;
+			if (intake.takenBy) {
+				peopleForThisIntake = [intake.takenBy];
+			} else if (medicationTakenBy.length > 0) {
+				peopleForThisIntake = medicationTakenBy;
+			} else {
+				peopleForThisIntake = [null];
+			}
+
+			let lastAutoConsumedDateMs = 0;
+			if (effectiveStart <= nowMs) {
+				const occurrences = Math.floor((nowMs - effectiveStart) / period) + 1;
+				consumed += occurrences * usage * peopleForThisIntake.length;
+
+				const lastDoseTime = new Date(effectiveStart + (occurrences - 1) * period);
+				lastAutoConsumedDateMs = new Date(
+					lastDoseTime.getFullYear(),
+					lastDoseTime.getMonth(),
+					lastDoseTime.getDate()
+				).getTime();
+			}
+
+			const stockCorrectionDateOnly =
+				stockCorrectionCutoff > 0
+					? new Date(
+							new Date(stockCorrectionCutoff).getFullYear(),
+							new Date(stockCorrectionCutoff).getMonth(),
+							new Date(stockCorrectionCutoff).getDate()
+						).getTime()
+					: 0;
+			const earlyCutoff = Math.max(lastAutoConsumedDateMs, stockCorrectionDateOnly);
+
+			for (const dose of relevantDoses) {
+				const match = doseIdPattern.exec(dose.doseId);
+				if (!match) continue;
+
+				const parsedIntakeIndex = Number.parseInt(match[2], 10);
+				const doseDateOnlyMs = Number.parseInt(match[3], 10);
+				if (Number.isNaN(parsedIntakeIndex) || Number.isNaN(doseDateOnlyMs) || parsedIntakeIndex !== intakeIndex) {
+					continue;
+				}
+
+				if (doseDateOnlyMs > earlyCutoff) {
+					consumed += usage;
+				}
+			}
+		});
+	} else {
+		intakes.forEach((intake, intakeIndex) => {
+			const usage = normalizeIntakeUsageForStock(intake, medication.medicationForm, medication.packageType);
+			const intakeStart = parseLocalDateTime(intake.start);
+			const intakeStartDateOnly = new Date(
+				intakeStart.getFullYear(),
+				intakeStart.getMonth(),
+				intakeStart.getDate()
+			).getTime();
+			if (Number.isNaN(intakeStartDateOnly)) return;
+
+			for (const dose of relevantDoses) {
+				const match = doseIdPattern.exec(dose.doseId);
+				if (!match) continue;
+
+				const parsedIntakeIndex = Number.parseInt(match[2], 10);
+				const doseDateOnlyMs = Number.parseInt(match[3], 10);
+				if (Number.isNaN(parsedIntakeIndex) || Number.isNaN(doseDateOnlyMs) || parsedIntakeIndex !== intakeIndex) {
+					continue;
+				}
+
+				const takenAtMs = getDoseTakenAtMs(dose);
+				const afterCorrectionOrNoCorrection = stockCorrectionCutoff === 0 || takenAtMs > stockCorrectionCutoff;
+				if (doseDateOnlyMs >= intakeStartDateOnly && afterCorrectionOrNoCorrection) {
+					consumed += usage;
+				}
+			}
+		});
+	}
+
+	return Math.max(0, Math.floor(baseStock - consumed));
+}
@@ -0,0 +1,486 @@
+import { dirname, resolve } from "node:path";
+import { fileURLToPath } from "node:url";
+import cookie from "@fastify/cookie";
+import jwt from "@fastify/jwt";
+import sensible from "@fastify/sensible";
+import { migrate } from "drizzle-orm/libsql/migrator";
+import Fastify, { type FastifyInstance } from "fastify";
+import { afterAll, beforeAll, beforeEach, describe, expect, it, vi } from "vitest";
+import { runAlterMigrations } from "../db/db-utils.js";
+import { documentationSchemaAjv } from "../utils/documentation-schema-keywords.js";
+
+const { testClient, testDb, mockedEnv } = vi.hoisted(() => {
+	const { createClient } = require("@libsql/client");
+	const { drizzle } = require("drizzle-orm/libsql");
+	const client = createClient({ url: ":memory:" });
+	const db = drizzle(client);
+
+	return {
+		testClient: client,
+		testDb: db,
+		mockedEnv: {
+			AUTH_ENABLED: true,
+			REGISTRATION_ENABLED: true,
+			FORM_LOGIN_ENABLED: true,
+			OIDC_ENABLED: false,
+			OIDC_PROVIDER_NAME: "SSO",
+			NODE_ENV: "test",
+			LOG_LEVEL: "silent",
+			PORT: 3000,
+			CORS_ORIGINS: "*",
+			JWT_SECRET: "test-jwt-secret",
+			REFRESH_SECRET: "test-refresh-secret",
+			COOKIE_SECRET: "test-cookie-secret",
+			ACCESS_TOKEN_TTL_MINUTES: 15,
+			REFRESH_TOKEN_TTL_DAYS: 7,
+			OPENAPI_DOCS_ENABLED: false,
+		},
+	};
+});
+
+vi.mock("../db/client.js", () => ({
+	db: testDb,
+	migrationsReady: Promise.resolve(),
+}));
+
+vi.mock("../plugins/env.js", () => ({ env: mockedEnv }));
+
+const { medicationRoutes } = await import("../routes/medications.js");
+const { doseRoutes } = await import("../routes/doses.js");
+const { refillRoutes } = await import("../routes/refills.js");
+const { shareRoutes } = await import("../routes/share.js");
+const { reportRoutes } = await import("../routes/report.js");
+const { exportRoutes } = await import("../routes/export.js");
+const { hashApiKeyToken } = await import("../plugins/auth.js");
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);
+const migrationsFolder = resolve(__dirname, "../../drizzle");
+
+async function clearTables() {
+	await testClient.execute("DELETE FROM refill_history");
+	await testClient.execute("DELETE FROM dose_tracking");
+	await testClient.execute("DELETE FROM share_tokens");
+	await testClient.execute("DELETE FROM user_settings");
+	await testClient.execute("DELETE FROM medications");
+	await testClient.execute("DELETE FROM api_keys");
+	await testClient.execute("DELETE FROM refresh_tokens");
+	await testClient.execute("DELETE FROM users");
+}
+
+async function createUser(username: string) {
+	const result = await testClient.execute({
+		sql: "INSERT INTO users (username, auth_provider, is_active) VALUES (?, 'local', 1) RETURNING id",
+		args: [username],
+	});
+
+	return Number(result.rows[0].id);
+}
+
+function buildSessionCookie(app: FastifyInstance, userId: number, username: string) {
+	const token = app.jwt.sign({ sub: userId, username });
+	return `access_token=${token}`;
+}
+
+async function insertApiKey(options: {
+	userId: number;
+	token: string;
+	scope?: "read" | "write";
+	isActive?: boolean;
+	expiresAt?: Date | null;
+}) {
+	const expiresAtValue = options.expiresAt ? Math.floor(options.expiresAt.getTime() / 1000) : null;
+
+	await testClient.execute({
+		sql: `INSERT INTO api_keys (user_id, name, key_hash, token_prefix, scope, is_active, expires_at)
+		      VALUES (?, ?, ?, ?, ?, ?, ?)`,
+		args: [
+			options.userId,
+			"Seeded Key",
+			hashApiKeyToken(options.token),
+			`${options.token.slice(0, 12)}...`,
+			options.scope ?? "write",
+			options.isActive === false ? 0 : 1,
+			expiresAtValue,
+		],
+	});
+}
+
+async function seedMedication(options: {
+	userId: number;
+	name: string;
+	takenBy?: string[];
+	packCount?: number;
+	looseTablets?: number;
+	start?: string;
+}) {
+	const start = options.start ?? "2026-01-01T08:00:00.000Z";
+	const takenBy = options.takenBy ?? ["Daniel"];
+	const result = await testClient.execute({
+		sql: `INSERT INTO medications (
+		  user_id, name, generic_name, taken_by_json, medication_form, package_type,
+		  pack_count, blisters_per_pack, pills_per_blister, loose_tablets,
+		  usage_json, every_json, start_json, intakes_json,
+		  stock_adjustment, intake_reminders_enabled
+		) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?) RETURNING id`,
+		args: [
+			options.userId,
+			options.name,
+			`${options.name} Generic`,
+			JSON.stringify(takenBy),
+			"tablet",
+			"blister",
+			options.packCount ?? 1,
+			1,
+			10,
+			options.looseTablets ?? 0,
+			JSON.stringify([1]),
+			JSON.stringify([1]),
+			JSON.stringify([start]),
+			JSON.stringify([
+				{
+					usage: 1,
+					every: 1,
+					start,
+					takenBy: takenBy[0] ?? null,
+					intakeRemindersEnabled: true,
+				},
+			]),
+			0,
+			1,
+		],
+	});
+
+	return Number(result.rows[0].id);
+}
+
+async function seedDose(options: { userId: number; doseId: string; dismissed?: boolean }) {
+	await testClient.execute({
+		sql: "INSERT INTO dose_tracking (user_id, dose_id, dismissed) VALUES (?, ?, ?)",
+		args: [options.userId, options.doseId, options.dismissed ? 1 : 0],
+	});
+}
+
+async function seedRefill(options: {
+	userId: number;
+	medicationId: number;
+	packsAdded?: number;
+	loosePillsAdded?: number;
+}) {
+	await testClient.execute({
+		sql: `INSERT INTO refill_history (medication_id, user_id, packs_added, loose_pills_added, used_prescription)
+		      VALUES (?, ?, ?, ?, 0)`,
+		args: [options.medicationId, options.userId, options.packsAdded ?? 1, options.loosePillsAdded ?? 0],
+	});
+}
+
+function buildMedicationPayload(name: string) {
+	return {
+		name,
+		genericName: `${name} Generic`,
+		takenBy: ["Daniel"],
+		packCount: 1,
+		blistersPerPack: 1,
+		pillsPerBlister: 10,
+		looseTablets: 0,
+		blisters: [{ usage: 1, every: 1, start: "2026-01-01T08:00:00.000Z" }],
+	};
+}
+
+function buildImportPayload() {
+	return {
+		version: "1.3",
+		exportedAt: new Date().toISOString(),
+		includeSensitiveData: false,
+		medications: [],
+		doseHistory: [],
+		refillHistory: [],
+		settings: {
+			emailEnabled: false,
+			emailStockReminders: true,
+			emailIntakeReminders: true,
+			emailPrescriptionReminders: true,
+			shoutrrrStockReminders: true,
+			shoutrrrIntakeReminders: true,
+			shoutrrrPrescriptionReminders: true,
+			reminderDaysBefore: 7,
+			repeatDailyReminders: false,
+			skipRemindersForTakenDoses: false,
+			repeatRemindersEnabled: false,
+			reminderRepeatIntervalMinutes: 30,
+			maxNaggingReminders: 5,
+			lowStockDays: 30,
+			normalStockDays: 90,
+			highStockDays: 180,
+			language: "en",
+			stockCalculationMode: "automatic",
+			shareStockStatus: true,
+		},
+		shareLinks: [],
+	};
+}
+
+describe("Real business route authz contracts", () => {
+	let app: FastifyInstance;
+
+	beforeAll(async () => {
+		await migrate(testDb, { migrationsFolder });
+		await runAlterMigrations(testClient);
+
+		app = Fastify({ logger: false, ajv: documentationSchemaAjv });
+		await app.register(sensible);
+		await app.register(cookie, { secret: "test-cookie-secret" });
+		await app.register(jwt, {
+			secret: "test-jwt-secret",
+			cookie: { cookieName: "access_token", signed: false },
+		});
+		await app.register(medicationRoutes);
+		await app.register(doseRoutes);
+		await app.register(refillRoutes);
+		await app.register(shareRoutes);
+		await app.register(reportRoutes);
+		await app.register(exportRoutes);
+		await app.ready();
+	});
+
+	afterAll(async () => {
+		await app.close();
+		testClient.close();
+	});
+
+	beforeEach(async () => {
+		vi.clearAllMocks();
+		await clearTables();
+	});
+
+	it("rejects protected business endpoints without authentication", async () => {
+		const endpoints: Array<{
+			method: "GET" | "POST";
+			url: string;
+			payload?: Record<string, unknown>;
+		}> = [
+			{ method: "GET", url: "/medications" },
+			{ method: "GET", url: "/doses/taken" },
+			{ method: "POST", url: "/share", payload: { takenBy: "Daniel", scheduleDays: 7 } },
+			{ method: "GET", url: "/export" },
+			{ method: "POST", url: "/medications/report-data", payload: { medicationIds: [1] } },
+			{ method: "POST", url: "/medications/1/refill", payload: { packsAdded: 1, loosePillsAdded: 0 } },
+		];
+
+		for (const endpoint of endpoints) {
+			const response = await app.inject({ method: endpoint.method, url: endpoint.url, payload: endpoint.payload });
+			expect(response.statusCode, `${endpoint.method} ${endpoint.url}`).toBe(401);
+			expect(response.json()).toMatchObject({ code: "AUTH_REQUIRED" });
+		}
+	});
+
+	it("scopes medication listing and export output to the authenticated user", async () => {
+		const ownerId = await createUser("owner-medications");
+		const otherId = await createUser("other-medications");
+		const ownerCookie = buildSessionCookie(app, ownerId, "owner-medications");
+
+		await seedMedication({ userId: ownerId, name: "Owner Only Med" });
+		await seedMedication({ userId: otherId, name: "Other User Med" });
+
+		const listResponse = await app.inject({
+			method: "GET",
+			url: "/medications",
+			headers: { cookie: ownerCookie },
+		});
+
+		expect(listResponse.statusCode).toBe(200);
+		expect(listResponse.body).toContain("Owner Only Med");
+		expect(listResponse.body).not.toContain("Other User Med");
+
+		const exportResponse = await app.inject({
+			method: "GET",
+			url: "/export",
+			headers: { cookie: ownerCookie },
+		});
+
+		expect(exportResponse.statusCode).toBe(200);
+		expect(exportResponse.body).toContain("Owner Only Med");
+		expect(exportResponse.body).not.toContain("Other User Med");
+	});
+
+	it("returns 404 when a user updates or deletes another user's medication", async () => {
+		const ownerId = await createUser("owner-update");
+		const otherId = await createUser("other-update");
+		const otherCookie = buildSessionCookie(app, otherId, "other-update");
+		const medicationId = await seedMedication({ userId: ownerId, name: "Protected Medication" });
+
+		const updateResponse = await app.inject({
+			method: "PUT",
+			url: `/medications/${medicationId}`,
+			headers: { cookie: otherCookie },
+			payload: buildMedicationPayload("Updated By Stranger"),
+		});
+
+		expect(updateResponse.statusCode).toBe(404);
+
+		const deleteResponse = await app.inject({
+			method: "DELETE",
+			url: `/medications/${medicationId}`,
+			headers: { cookie: otherCookie },
+		});
+
+		expect(deleteResponse.statusCode).toBe(404);
+
+		const dbState = await testClient.execute({
+			sql: "SELECT name FROM medications WHERE id = ?",
+			args: [medicationId],
+		});
+		expect(dbState.rows).toEqual([expect.objectContaining({ name: "Protected Medication" })]);
+	});
+
+	it("scopes dose reads and writes to the authenticated user", async () => {
+		const ownerId = await createUser("owner-dose");
+		const otherId = await createUser("other-dose");
+		const ownerCookie = buildSessionCookie(app, ownerId, "owner-dose");
+		const otherCookie = buildSessionCookie(app, otherId, "other-dose");
+
+		await seedDose({ userId: ownerId, doseId: "101-0-1760000000000" });
+		await seedDose({ userId: otherId, doseId: "202-0-1760000000000" });
+
+		const listResponse = await app.inject({
+			method: "GET",
+			url: "/doses/taken",
+			headers: { cookie: ownerCookie },
+		});
+
+		expect(listResponse.statusCode).toBe(200);
+		expect(listResponse.body).toContain("101-0-1760000000000");
+		expect(listResponse.body).not.toContain("202-0-1760000000000");
+
+		const deleteResponse = await app.inject({
+			method: "DELETE",
+			url: "/doses/taken/101-0-1760000000000",
+			headers: { cookie: otherCookie },
+		});
+
+		expect(deleteResponse.statusCode).toBe(200);
+
+		const ownerDose = await testClient.execute({
+			sql: "SELECT COUNT(*) AS count FROM dose_tracking WHERE user_id = ? AND dose_id = ?",
+			args: [ownerId, "101-0-1760000000000"],
+		});
+		expect(Number(ownerDose.rows[0].count)).toBe(1);
+	});
+
+	it("enforces medication ownership on refill history and report generation", async () => {
+		const ownerId = await createUser("owner-refill");
+		const otherId = await createUser("other-refill");
+		const otherCookie = buildSessionCookie(app, otherId, "other-refill");
+		const medicationId = await seedMedication({ userId: ownerId, name: "Owner Refill Med", packCount: 2 });
+		await seedRefill({ userId: ownerId, medicationId });
+
+		const refillListResponse = await app.inject({
+			method: "GET",
+			url: `/medications/${medicationId}/refills`,
+			headers: { cookie: otherCookie },
+		});
+
+		expect(refillListResponse.statusCode).toBe(404);
+
+		const refillMutationResponse = await app.inject({
+			method: "POST",
+			url: `/medications/${medicationId}/refill`,
+			headers: { cookie: otherCookie },
+			payload: { packsAdded: 1, loosePillsAdded: 0 },
+		});
+
+		expect(refillMutationResponse.statusCode).toBe(404);
+
+		const reportResponse = await app.inject({
+			method: "POST",
+			url: "/medications/report-data",
+			headers: { cookie: otherCookie },
+			payload: { medicationIds: [medicationId] },
+		});
+
+		expect(reportResponse.statusCode).toBe(403);
+		expect(reportResponse.json()).toMatchObject({ error: "Access denied to medication" });
+	});
+
+	it("scopes share people to the authenticated user's medications", async () => {
+		const ownerId = await createUser("owner-share");
+		const otherId = await createUser("other-share");
+		const ownerCookie = buildSessionCookie(app, ownerId, "owner-share");
+
+		await seedMedication({ userId: ownerId, name: "Daniel Med", takenBy: ["Daniel"] });
+		await seedMedication({ userId: otherId, name: "Anna Med", takenBy: ["Anna"] });
+
+		const response = await app.inject({
+			method: "GET",
+			url: "/share/people",
+			headers: { cookie: ownerCookie },
+		});
+
+		expect(response.statusCode).toBe(200);
+		expect(response.json()).toEqual({ people: ["Daniel"] });
+	});
+
+	it("rejects mutation routes for read-only API keys across business endpoints", async () => {
+		const userId = await createUser("readonly-business-key");
+		const medicationId = await seedMedication({ userId, name: "Readonly Med" });
+		const apiToken = "ma_readonly_business_routes_123456789";
+		await insertApiKey({ userId, token: apiToken, scope: "read" });
+
+		const responses = await Promise.all([
+			app.inject({
+				method: "POST",
+				url: "/medications",
+				headers: { authorization: `Bearer ${apiToken}` },
+				payload: buildMedicationPayload("Blocked Create"),
+			}),
+			app.inject({
+				method: "POST",
+				url: "/doses/taken",
+				headers: { authorization: `Bearer ${apiToken}` },
+				payload: { doseId: "1-0-1760000000000" },
+			}),
+			app.inject({
+				method: "POST",
+				url: `/medications/${medicationId}/refill`,
+				headers: { authorization: `Bearer ${apiToken}` },
+				payload: { packsAdded: 1, loosePillsAdded: 0 },
+			}),
+			app.inject({
+				method: "POST",
+				url: "/share",
+				headers: { authorization: `Bearer ${apiToken}` },
+				payload: { takenBy: "Daniel", scheduleDays: 7 },
+			}),
+			app.inject({
+				method: "POST",
+				url: "/import",
+				headers: { authorization: `Bearer ${apiToken}` },
+				payload: buildImportPayload(),
+			}),
+		]);
+
+		for (const response of responses) {
+			expect(response.statusCode).toBe(403);
+			expect(response.json()).toMatchObject({ code: "API_KEY_SCOPE_FORBIDDEN" });
+		}
+	});
+
+	it("allows read-only API keys to use read endpoints while keeping data scoped to the key owner", async () => {
+		const userId = await createUser("readonly-export-user");
+		const otherId = await createUser("readonly-export-other");
+		await seedMedication({ userId, name: "Readable Owner Med" });
+		await seedMedication({ userId: otherId, name: "Unreadable Other Med" });
+		const apiToken = "ma_readonly_export_access_123456789";
+		await insertApiKey({ userId, token: apiToken, scope: "read" });
+
+		const response = await app.inject({
+			method: "GET",
+			url: "/export",
+			headers: { authorization: `Bearer ${apiToken}` },
+		});
+
+		expect(response.statusCode).toBe(200);
+		expect(response.body).toContain("Readable Owner Med");
+		expect(response.body).not.toContain("Unreadable Other Med");
+	});
+});
@@ -0,0 +1,125 @@
+import { afterEach, describe, expect, it, vi } from "vitest";
+
+type ClientTestOptions = {
+	dirWritable?: boolean;
+	authEnabled?: boolean;
+};
+
+async function loadDbClientModule(options: ClientTestOptions = {}) {
+	const { dirWritable = true, authEnabled = false } = options;
+
+	vi.resetModules();
+	vi.restoreAllMocks();
+
+	process.env.AUTH_ENABLED = authEnabled ? "true" : "false";
+	process.env.DOTENV_PATH = "/tmp/medassist-nonexistent.env";
+
+	const existsSync = vi.fn().mockReturnValue(false);
+	const statSync = vi.fn().mockReturnValue({ mode: 0o40755, uid: 1000, gid: 1000 });
+	vi.doMock("node:fs", () => ({ existsSync, statSync }));
+
+	const dotenvConfig = vi.fn();
+	vi.doMock("dotenv", () => ({ default: { config: dotenvConfig } }));
+
+	const createClient = vi.fn().mockReturnValue({ execute: vi.fn() });
+	vi.doMock("@libsql/client", () => ({ createClient }));
+
+	const drizzle = vi.fn().mockReturnValue({ __db: true });
+	vi.doMock("drizzle-orm/libsql", () => ({ drizzle }));
+
+	const ensureDataDirectory = vi
+		.fn()
+		.mockReturnValue(dirWritable ? { success: true } : { success: false, error: "permission denied" });
+	const getDbPaths = vi.fn().mockReturnValue({
+		dataDir: "/tmp/medassist-data",
+		dbPath: "/tmp/medassist-data/medassist-ng.db",
+		url: "file:/tmp/medassist-data/medassist-ng.db",
+	});
+	const runDrizzleMigrations = vi.fn().mockResolvedValue({ success: true });
+	const runAlterMigrations = vi.fn().mockResolvedValue({ errors: [] });
+	const repairTrailingHyphenDoseIds = vi.fn().mockResolvedValue({ repaired: 0, errors: [] });
+	const repairOrphanedDoseIds = vi.fn().mockResolvedValue({ repaired: 0, errors: [] });
+	const ensureDefaultUser = vi.fn().mockResolvedValue(false);
+
+	vi.doMock("../db/db-utils.js", () => ({
+		buildDbUrl: vi.fn(),
+		getDataDir: vi.fn(),
+		ensureDataDirectory,
+		getDbPaths,
+		runDrizzleMigrations,
+		runAlterMigrations,
+		repairTrailingHyphenDoseIds,
+		repairOrphanedDoseIds,
+		ensureDefaultUser,
+	}));
+
+	const log = {
+		debug: vi.fn(),
+		info: vi.fn(),
+		warn: vi.fn(),
+		error: vi.fn(),
+	};
+	vi.doMock("../utils/logger.js", () => ({ log }));
+
+	const exitSpy = vi.spyOn(process, "exit").mockImplementation(((code?: number) => {
+		throw new Error(`process.exit:${code ?? 0}`);
+	}) as never);
+
+	const modulePromise = import("../db/client.js");
+
+	return {
+		modulePromise,
+		mocks: {
+			existsSync,
+			statSync,
+			dotenvConfig,
+			createClient,
+			drizzle,
+			ensureDataDirectory,
+			getDbPaths,
+			runDrizzleMigrations,
+			runAlterMigrations,
+			repairTrailingHyphenDoseIds,
+			repairOrphanedDoseIds,
+			ensureDefaultUser,
+			log,
+			exitSpy,
+		},
+	};
+}
+
+afterEach(() => {
+	vi.restoreAllMocks();
+});
+
+describe("db/client bootstrap", () => {
+	it("initializes db and runs migrations when directory is writable", async () => {
+		const { modulePromise, mocks } = await loadDbClientModule({ dirWritable: true, authEnabled: false });
+		const mod = await modulePromise;
+
+		expect(mod.db).toBeTruthy();
+		expect(mod.migrationsReady).toBeInstanceOf(Promise);
+		await mod.migrationsReady;
+
+		expect(mocks.ensureDataDirectory).toHaveBeenCalledWith("/tmp/medassist-data");
+		expect(mocks.createClient).toHaveBeenCalledWith({ url: "file:/tmp/medassist-data/medassist-ng.db" });
+		expect(mocks.runDrizzleMigrations).toHaveBeenCalledTimes(1);
+		expect(mocks.runAlterMigrations).toHaveBeenCalledTimes(1);
+		expect(mocks.repairTrailingHyphenDoseIds).toHaveBeenCalledTimes(1);
+		expect(mocks.repairOrphanedDoseIds).toHaveBeenCalledTimes(1);
+		expect(mocks.ensureDefaultUser).toHaveBeenCalledWith(expect.anything(), false);
+	});
+
+	it("passes auth-enabled flag to ensureDefaultUser", async () => {
+		const { modulePromise, mocks } = await loadDbClientModule({ dirWritable: true, authEnabled: true });
+		const mod = await modulePromise;
+		await mod.migrationsReady;
+
+		expect(mocks.ensureDefaultUser).toHaveBeenCalledWith(expect.anything(), true);
+	});
+
+	it("exits when data directory is not writable", async () => {
+		const { modulePromise } = await loadDbClientModule({ dirWritable: false });
+		await expect(modulePromise).rejects.toThrow("process.exit:1");
+	});
+});
--- a/Show More
+++ b/Show More
				`@@ -0,0 +1 @@`
				ALTER TABLE `medications` ADD `stock_adjustment` integer DEFAULT 0 NOT NULL;
				`@@ -0,0 +1 @@`
				ALTER TABLE `medications` ADD `last_stock_correction_at` integer;
				`@@ -0,0 +1 @@`
				ALTER TABLE `user_settings` ADD `share_stock_status` integer DEFAULT true NOT NULL;
				`@@ -0,0 +1 @@`
				ALTER TABLE `medications` ADD `medication_start_date` text DEFAULT '' NOT NULL;
				`@@ -0,0 +1 @@`
				ALTER TABLE `dose_tracking` ADD `taken_source` text DEFAULT 'manual' NOT NULL;
				`@@ -0,0 +1 @@`
				ALTER TABLE `user_settings` ADD `share_medication_overview` integer DEFAULT false NOT NULL;