test: expand test suite to 87.3% backend coverage

Add new integration test files covering previously untested routes:
- categories.test.ts — GET /api/categories
- oidc.test.ts — full OIDC login flow (callback, state, errors)
- settings.test.ts — GET/PUT /api/settings, bulk save
- tags.test.ts — CRUD for trip tags
- todo.test.ts — todo items CRUD and reorder

Add new unit test files covering service-layer logic:
- adminService.test.ts — user/invite management, packing templates, OIDC settings
- atlasService.test.ts — atlas search and place enrichment
- authServiceDb.test.ts — DB-backed auth helpers (login, register, MFA)
- backupService.test.ts — export/import/restore logic
- categoryService.test.ts — category CRUD
- dayService.test.ts — day management and accommodation helpers
- mapsService.test.ts — route/directions helpers
- oidcService.test.ts — OIDC state, auth code, role resolution, user upsert
- packingService.test.ts — packing item/bag/template operations
- placeService.test.ts — place CRUD and tag attachment
- settingsService.test.ts — settings get/set/bulk
- tagService.test.ts — tag CRUD
- todoService.test.ts — todo CRUD and reorder
- tripService.test.ts — trip CRUD, member management, archiving
- vacayService.test.ts — vacay integration helpers
- tripAccess.test.ts (middleware) — requireTripAccess middleware

Expand existing integration and unit test files with additional cases
across admin, atlas, auth, backup, collab, days, files, maps, memories
(Immich/Synology), notifications, places, reservations, share, vacay,
weather, auth middleware, ephemeral tokens, notification preferences,
permissions, SSRF guard, and WebSocket connection tests.

Update test helpers (factories.ts, test-db.ts) with new factory
functions and seed data required by the expanded suite.

Fix minor issues in server/src/routes/reservations.ts and
server/src/services/atlasService.ts surfaced by new test coverage.

Update sonar-project.properties to reflect new coverage thresholds.

server/tests/integration/notifications.test.ts

@@ -40,6 +40,14 @@ vi.mock('../../src/config', () => ({
   updateJwtSecret: () => {},
 }));
 vi.mock('../../src/websocket', () => ({ broadcastToUser: vi.fn() }));
+vi.mock('../../src/services/notifications', async (importOriginal) => {
+  const actual = await importOriginal<typeof import('../../src/services/notifications')>();
+  return {
+    ...actual,
+    testSmtp: vi.fn().mockResolvedValue({ success: true }),
+    testWebhook: vi.fn().mockResolvedValue({ success: true }),
+  };
+});
 
 import { createApp } from '../../src/app';
 import { createTables } from '../../src/db/schema';
@@ -316,6 +324,30 @@ describe('Notification test endpoints', () => {
       .send({ url: 'not-a-url' });
     expect(res.status).toBe(400);
   });
+
+  it('NOTIF-005b — admin can call test-smtp and gets a result', async () => {
+    const { user } = createAdmin(testDb);
+
+    const res = await request(app)
+      .post('/api/notifications/test-smtp')
+      .set('Cookie', authCookie(user.id))
+      .send({ email: 'test@example.com' });
+
+    expect(res.status).toBe(200);
+    expect(res.body).toHaveProperty('success');
+  });
+
+  it('NOTIF-006c — POST /api/notifications/test-webhook with valid URL calls testWebhook', async () => {
+    const { user } = createUser(testDb);
+
+    const res = await request(app)
+      .post('/api/notifications/test-webhook')
+      .set('Cookie', authCookie(user.id))
+      .send({ url: 'https://webhook.site/test-endpoint' });
+
+    expect(res.status).toBe(200);
+    expect(res.body).toHaveProperty('success');
+  });
 });
 
 // ─────────────────────────────────────────────────────────────────────────────