feat(PBI-76): user-settings DB-store infrastructure (Phase 0) (#185)

* docs(PBI-76): plan for user-settings DB-store

Persists view/filter prefs in User.settings (Json) instead of
localStorage. SSR-correct hydration, cross-tab sync via
LISTEN/NOTIFY + SSE, cross-device persistence.

Phased: 0=infra, 1=migrate flicker sources, 2=cookie consolidation.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(PBI-76): User.settings json column + migration

Adds JSONB column to users table for persistent user prefs.
Idempotent SQL — safe on databases where column already exists.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(PBI-76): user-settings types and merge helpers

Zod schema for User.settings shape (views/devTools), deep-merge
helper that replaces arrays and merges nested objects, and a
safe parser that returns defaults on invalid input.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(PBI-76): updateUserSettingsAction with notify

Validates patch via Zod, deep-merges with current settings in
a transaction, persists to DB, and emits pg_notify on
scrum4me_changes for cross-tab/cross-device sync. Demo accounts
get 403, unauthenticated 401, invalid input 422.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(PBI-76): user-settings zustand store with optimistic flow

Hydrate from prop (SSR-correct), setPref via path with optimistic
update + rollback on server error, applyServerPatch for SSE-driven
cross-tab updates. Demo accounts skip server-write entirely.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(PBI-76): SSE route for user-settings

User-scoped /api/realtime/user-settings stream that filters
scrum4me_changes notifications on kind=user_settings and matching
userId. Forwards the patch as a data: event so other tabs can
applyServerPatch without re-fetching settings.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(PBI-76): user-settings bridge mounted in app layout

Hydrates the zustand store with the user's persisted settings via
prop (SSR-correct, no flicker). Opens an EventSource to
/api/realtime/user-settings so changes from other tabs/devices
flow into the same store. Demo accounts skip the SSE subscription.

Layout now selects user.settings alongside the other user fields,
no extra DB roundtrip.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* test(PBI-76): user-settings lib/action/store coverage

22 vitest cases covering merge semantics (no mutation, array
replace, nested merge), Zod schema strictness, server action
auth/demo/validation paths, and the optimistic store flow
including rollback and demo-mode skip.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* chore(PBI-76): sync package-lock to v1.3.3

Lockfile drifted after @prisma/client reinstall during the
schema regenerate. No dependency changes — just the version
field tracking package.json bumped in #184.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

__tests__/actions/user-settings.test.ts

@@ -0,0 +1,82 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest'
+
+vi.mock('next/headers', () => ({ cookies: vi.fn().mockResolvedValue({}) }))
+vi.mock('iron-session', () => ({
+  getIronSession: vi.fn().mockResolvedValue({ userId: 'user-1', isDemo: false }),
+}))
+vi.mock('@/lib/session', () => ({
+  sessionOptions: { cookieName: 'test', password: 'test' },
+}))
+vi.mock('@/lib/prisma', () => ({
+  prisma: {
+    user: { findUnique: vi.fn() },
+    $transaction: vi.fn(async (fn: (tx: unknown) => Promise<unknown>) => {
+      return fn({
+        user: {
+          findUnique: vi.fn().mockResolvedValue({ settings: {} }),
+          update: vi.fn().mockResolvedValue({}),
+        },
+      })
+    }),
+    $executeRaw: vi.fn().mockResolvedValue(1),
+  },
+}))
+
+import { prisma } from '@/lib/prisma'
+import { getIronSession } from 'iron-session'
+import { updateUserSettingsAction } from '@/actions/user-settings'
+
+const mockPrisma = prisma as unknown as {
+  user: { findUnique: ReturnType<typeof vi.fn> }
+  $transaction: ReturnType<typeof vi.fn>
+  $executeRaw: ReturnType<typeof vi.fn>
+}
+const mockGetIronSession = getIronSession as ReturnType<typeof vi.fn>
+
+beforeEach(() => {
+  vi.clearAllMocks()
+  mockGetIronSession.mockResolvedValue({ userId: 'user-1', isDemo: false })
+  mockPrisma.$executeRaw.mockResolvedValue(1)
+})
+
+describe('updateUserSettingsAction', () => {
+  it('returns 401 when not logged in', async () => {
+    mockGetIronSession.mockResolvedValue({ userId: undefined, isDemo: false })
+    const result = await updateUserSettingsAction({})
+    expect(result).toEqual({ error: 'Niet ingelogd', code: 401 })
+  })
+
+  it('returns 403 for demo accounts', async () => {
+    mockGetIronSession.mockResolvedValue({ userId: 'user-1', isDemo: true })
+    const result = await updateUserSettingsAction({})
+    expect('error' in result && result.code).toBe(403)
+  })
+
+  it('returns 422 when patch is invalid', async () => {
+    const result = await updateUserSettingsAction({
+      views: { sprintBacklog: { filterStatus: 'NONSENSE' } },
+    } as never)
+    expect('error' in result && result.code).toBe(422)
+  })
+
+  it('merges with current settings and emits notify on success', async () => {
+    const existingFindUnique = vi.fn().mockResolvedValue({
+      settings: { views: { sprintBacklog: { sort: 'code' } } },
+    })
+    const update = vi.fn().mockResolvedValue({})
+    mockPrisma.$transaction.mockImplementationOnce(async (fn: (tx: unknown) => Promise<unknown>) => {
+      return fn({ user: { findUnique: existingFindUnique, update } })
+    })
+
+    const result = await updateUserSettingsAction({
+      views: { sprintBacklog: { sortDir: 'desc' } },
+    })
+
+    expect('success' in result && result.success).toBe(true)
+    expect(update).toHaveBeenCalledWith({
+      where: { id: 'user-1' },
+      data: { settings: { views: { sprintBacklog: { sort: 'code', sortDir: 'desc' } } } },
+    })
+    expect(mockPrisma.$executeRaw).toHaveBeenCalled()
+  })
+})