test: apply suite review improvements (01–11)

- Fix SEC-005: rewrite path traversal test to upload a real file, inject
  traversal filename into DB, and assert the download does not succeed
- Fix SEC-007: rename misleading test description to reflect it tests
  rejection of an invalid token, not acceptance of a valid one
- Delete health.test.ts: all 3 tests were exact duplicates of auth.test.ts
  and misc.test.ts
- Remove duplicate describe blocks from misc.test.ts: Categories endpoint
  (duplicate of categories.test.ts) and App config (duplicate of auth.test.ts)
- Remove TRIP-016 from trips.test.ts: weaker duplicate of TRIP-007 (no body
  assertion)
- Remove API Keys describe block from profile.test.ts: canonical copy lives
  in security.test.ts where it belongs
- Remove avatarUrl describe block from budgetService.test.ts: identical tests
  already exist in authService.test.ts; drop now-unused import
- Add DB verification to ASSIGN-007 and PACK-006 reorder tests: query
  day_assignments / packing_items after PUT reorder to confirm order changed
- Strengthen BUDGET-007/008/009: add member/payer setup and assert concrete
  values (total_paid, per-user balance, flow direction and amount)
- Remove 6 pointless Map-semantics tests from inAppNotificationActions.test.ts;
  keep only the two built-in registration checks
- Remove 5 passthrough tests from queryHelpers.test.ts; keep the 4 tests that
  cover actual flat-to-nested transformation logic

server/tests/integration/assignments.test.ts

@@ -41,7 +41,7 @@ import { createApp } from '../../src/app';
 import { createTables } from '../../src/db/schema';
 import { runMigrations } from '../../src/db/migrations';
 import { resetTestDb } from '../helpers/test-db';
-import { createUser, createTrip, createDay, createPlace, addTripMember } from '../helpers/factories';
+import { createUser, createTrip, createDay, createPlace, addTripMember, createTag } from '../helpers/factories';
 import { authCookie } from '../helpers/auth';
 import { loginAttempts, mfaAttempts } from '../../src/routes/auth';
 
@@ -261,6 +261,12 @@ describe('Reorder assignments', () => {
       .send({ orderedIds: [a2.body.assignment.id, a1.body.assignment.id] });
     expect(reorder.status).toBe(200);
     expect(reorder.body.success).toBe(true);
+
+    const rows = testDb
+      .prepare('SELECT id, order_index FROM day_assignments WHERE day_id = ? ORDER BY order_index')
+      .all(day.id) as Array<{ id: number; order_index: number }>;
+    expect(rows[0].id).toBe(a2.body.assignment.id);
+    expect(rows[1].id).toBe(a1.body.assignment.id);
   });
 });
 
@@ -321,6 +327,41 @@ describe('Assignment participants', () => {
     expect(getParticipants.body.participants).toHaveLength(2);
   });
 
+  it('ASSIGN-010 — GET /assignments includes tags and participants when present', async () => {
+    const { user } = createUser(testDb);
+    const { user: member } = createUser(testDb);
+    const { trip, day, place } = setupAssignmentFixtures(user.id);
+    addTripMember(testDb, trip.id, member.id);
+
+    // Attach a tag to the place
+    const tag = createTag(testDb, user.id, { name: 'Must See' });
+    testDb.prepare('INSERT INTO place_tags (place_id, tag_id) VALUES (?, ?)').run(place.id, tag.id);
+
+    // Create the assignment via API
+    const create = await request(app)
+      .post(`/api/trips/${trip.id}/days/${day.id}/assignments`)
+      .set('Cookie', authCookie(user.id))
+      .send({ place_id: place.id });
+    expect(create.status).toBe(201);
+    const assignmentId = create.body.assignment.id;
+
+    // Add participants to the assignment
+    await request(app)
+      .put(`/api/trips/${trip.id}/assignments/${assignmentId}/participants`)
+      .set('Cookie', authCookie(user.id))
+      .send({ user_ids: [user.id, member.id] });
+
+    // List assignments — should include tags (compact) and participants
+    const res = await request(app)
+      .get(`/api/trips/${trip.id}/days/${day.id}/assignments`)
+      .set('Cookie', authCookie(user.id));
+    expect(res.status).toBe(200);
+    const found = (res.body.assignments as any[]).find((a: any) => a.id === assignmentId);
+    expect(found).toBeDefined();
+    expect(found.place.tags).toHaveLength(1);
+    expect(found.participants).toHaveLength(2);
+  });
+
   it('ASSIGN-009 — PUT /time updates assignment time fields', async () => {
     const { user } = createUser(testDb);
     const { trip, day, place } = setupAssignmentFixtures(user.id);