test: expand test suite to 87.3% backend coverage

Add new integration test files covering previously untested routes:
- categories.test.ts — GET /api/categories
- oidc.test.ts — full OIDC login flow (callback, state, errors)
- settings.test.ts — GET/PUT /api/settings, bulk save
- tags.test.ts — CRUD for trip tags
- todo.test.ts — todo items CRUD and reorder

Add new unit test files covering service-layer logic:
- adminService.test.ts — user/invite management, packing templates, OIDC settings
- atlasService.test.ts — atlas search and place enrichment
- authServiceDb.test.ts — DB-backed auth helpers (login, register, MFA)
- backupService.test.ts — export/import/restore logic
- categoryService.test.ts — category CRUD
- dayService.test.ts — day management and accommodation helpers
- mapsService.test.ts — route/directions helpers
- oidcService.test.ts — OIDC state, auth code, role resolution, user upsert
- packingService.test.ts — packing item/bag/template operations
- placeService.test.ts — place CRUD and tag attachment
- settingsService.test.ts — settings get/set/bulk
- tagService.test.ts — tag CRUD
- todoService.test.ts — todo CRUD and reorder
- tripService.test.ts — trip CRUD, member management, archiving
- vacayService.test.ts — vacay integration helpers
- tripAccess.test.ts (middleware) — requireTripAccess middleware

Expand existing integration and unit test files with additional cases
across admin, atlas, auth, backup, collab, days, files, maps, memories
(Immich/Synology), notifications, places, reservations, share, vacay,
weather, auth middleware, ephemeral tokens, notification preferences,
permissions, SSRF guard, and WebSocket connection tests.

Update test helpers (factories.ts, test-db.ts) with new factory
functions and seed data required by the expanded suite.

Fix minor issues in server/src/routes/reservations.ts and
server/src/services/atlasService.ts surfaced by new test coverage.

Update sonar-project.properties to reflect new coverage thresholds.

server/tests/integration/share.test.ts

@@ -41,7 +41,7 @@ import { createApp } from '../../src/app';
 import { createTables } from '../../src/db/schema';
 import { runMigrations } from '../../src/db/migrations';
 import { resetTestDb } from '../helpers/test-db';
-import { createUser, createTrip, addTripMember } from '../helpers/factories';
+import { createUser, createTrip, addTripMember, createDay, createPlace, createDayAssignment, createDayNote } from '../helpers/factories';
 import { authCookie } from '../helpers/auth';
 import { loginAttempts, mfaAttempts } from '../../src/routes/auth';
 
@@ -205,3 +205,83 @@ describe('Shared trip access', () => {
     expect(res.status).toBe(404);
   });
 });
+
+describe('Shared trip — day assignments and notes', () => {
+  it('SHARE-010 — shared trip with days and assignments includes place data in assignments', async () => {
+    const { user } = createUser(testDb);
+    const trip = createTrip(testDb, user.id, { title: 'Rome Trip' });
+    const day = createDay(testDb, trip.id, { date: '2025-06-01' });
+    const place = createPlace(testDb, trip.id, { name: 'Colosseum', lat: 41.89, lng: 12.49 });
+    createDayAssignment(testDb, day.id, place.id, { notes: 'Amazing site' });
+
+    const create = await request(app)
+      .post(`/api/trips/${trip.id}/share-link`)
+      .set('Cookie', authCookie(user.id))
+      .send({});
+    const token = create.body.token;
+
+    const res = await request(app).get(`/api/shared/${token}`);
+    expect(res.status).toBe(200);
+    expect(res.body.days).toHaveLength(1);
+    const dayAssignments = res.body.assignments[day.id];
+    expect(Array.isArray(dayAssignments)).toBe(true);
+    expect(dayAssignments).toHaveLength(1);
+    expect(dayAssignments[0].place.name).toBe('Colosseum');
+    expect(dayAssignments[0].place.lat).toBe(41.89);
+  });
+
+  it('SHARE-011 — shared trip with day notes includes notes in response', async () => {
+    const { user } = createUser(testDb);
+    const trip = createTrip(testDb, user.id, { title: 'Notes Trip' });
+    const day = createDay(testDb, trip.id, { date: '2025-07-01' });
+    createDayNote(testDb, day.id, trip.id, { text: 'Meet at the station' });
+
+    const create = await request(app)
+      .post(`/api/trips/${trip.id}/share-link`)
+      .set('Cookie', authCookie(user.id))
+      .send({});
+    const token = create.body.token;
+
+    const res = await request(app).get(`/api/shared/${token}`);
+    expect(res.status).toBe(200);
+    const dayNotes = res.body.dayNotes[day.id];
+    expect(Array.isArray(dayNotes)).toBe(true);
+    expect(dayNotes).toHaveLength(1);
+    expect(dayNotes[0].text).toBe('Meet at the station');
+  });
+
+  it('SHARE-012 — share_collab=true includes collab messages in response', async () => {
+    const { user } = createUser(testDb);
+    const trip = createTrip(testDb, user.id);
+    testDb.prepare('INSERT INTO collab_messages (trip_id, user_id, text, deleted) VALUES (?, ?, ?, 0)').run(trip.id, user.id, 'Hello team!');
+
+    const create = await request(app)
+      .post(`/api/trips/${trip.id}/share-link`)
+      .set('Cookie', authCookie(user.id))
+      .send({ share_collab: true });
+    const token = create.body.token;
+
+    const res = await request(app).get(`/api/shared/${token}`);
+    expect(res.status).toBe(200);
+    expect(Array.isArray(res.body.collab)).toBe(true);
+    expect(res.body.collab).toHaveLength(1);
+    expect(res.body.collab[0].text).toBe('Hello team!');
+  });
+
+  it('SHARE-013 — assignments empty when days have no assignments', async () => {
+    const { user } = createUser(testDb);
+    const trip = createTrip(testDb, user.id);
+    createDay(testDb, trip.id, { date: '2025-08-01' });
+
+    const create = await request(app)
+      .post(`/api/trips/${trip.id}/share-link`)
+      .set('Cookie', authCookie(user.id))
+      .send({});
+    const token = create.body.token;
+
+    const res = await request(app).get(`/api/shared/${token}`);
+    expect(res.status).toBe(200);
+    expect(res.body.days).toHaveLength(1);
+    expect(res.body.assignments).toEqual({});
+  });
+});