feat: ST-601-ST-612 M6 polish, beveiliging en launch-ready

- ST-601/602: loading skeletons en error boundary
- ST-603: Sonner toasts op alle CRUD-operaties
- ST-604: DemoTooltip op uitgeschakelde knoppen
- ST-605: KeyboardSensor dnd-kit, Escape sluit modals
- ST-606: min-width banner < 1024px
- ST-607: WCAG AA aria-labels en skip link
- ST-608: rate limiting login (10/min) en registratie (5/uur)
- ST-609: security integratietests cross-user toegang (7 tests)
- ST-610: GitHub Actions CI/CD workflow
- ST-611: README met quickstart, deployment en API-docs
- ST-612: Lars-flow acceptatiechecklist
- fix: settings toont gebruikersnaam i.p.v. interne id
- fix: seed idempotent, testdata altijd gekoppeld aan demo-gebruiker

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

README.md

@@ -1,36 +1,234 @@
-This is a [Next.js](https://nextjs.org) project bootstrapped with [`create-next-app`](https://nextjs.org/docs/app/api-reference/cli/create-next-app).
+# Scrum4Me
 
-## Getting Started
+Lichtgewicht Scrum-planner voor solo developers en kleine teams die meerdere softwareprojecten parallel beheren.
 
-First, run the development server:
+**Functies:**
+- Hiërarchisch werkbeheer: Product → PBI → Story → Taak
+- Gesplitste planningsschermen met drag-and-drop
+- Sprint backlog en planning
+- REST API voor integratie met Claude Code
+- Demo-modus (alleen lezen)
+
+---
+
+## Lokale quickstart
+
+### Vereisten
+- Node.js 20+
+- npm
+
+### Stappen
 
 ```bash
+# 1. Clone de repository
+git clone <repo-url>
+cd scrum4me
+
+# 2. Installeer dependencies
+npm install
+
+# 3. Configureer omgevingsvariabelen
+cp .env.example .env.local
+# Bewerk .env.local en vul SESSION_SECRET in:
+# openssl rand -base64 32
+
+# 4. Database initialiseren (SQLite lokaal)
+npx prisma db push
+
+# 5. Testdata inladen
+npx prisma db seed
+
+# 6. Start de ontwikkelserver
 npm run dev
-# or
-yarn dev
-# or
-pnpm dev
-# or
-bun dev
 ```
 
-Open [http://localhost:3000](http://localhost:3000) with your browser to see the result.
+Open [http://localhost:3000](http://localhost:3000).
 
-You can start editing the page by modifying `app/page.tsx`. The page auto-updates as you edit the file.
+**Demo-account:** gebruikersnaam `demo` / wachtwoord `demo1234` (alleen lezen)
 
-This project uses [`next/font`](https://nextjs.org/docs/app/building-your-application/optimizing/fonts) to automatically optimize and load [Geist](https://vercel.com/font), a new font family for Vercel.
+---
 
-## Learn More
+## Omgevingsvariabelen
 
-To learn more about Next.js, take a look at the following resources:
+| Variabele | Beschrijving |
+|---|---|
+| `DATABASE_URL` | SQLite: `file:./dev.db` · PostgreSQL: zie Neon-sectie |
+| `DIRECT_URL` | Alleen bij PostgreSQL met connection pooling (Neon) |
+| `SESSION_SECRET` | Minimaal 32 tekens — genereer met `openssl rand -base64 32` |
 
-- [Next.js Documentation](https://nextjs.org/docs) - learn about Next.js features and API.
-- [Learn Next.js](https://nextjs.org/learn) - an interactive Next.js tutorial.
+---
 
-You can check out [the Next.js GitHub repository](https://github.com/vercel/next.js) - your feedback and contributions are welcome!
+## Cloud deployment (Vercel + Neon)
 
-## Deploy on Vercel
+### 1. Database aanmaken op Neon
 
-The easiest way to deploy your Next.js app is to use the [Vercel Platform](https://vercel.com/new?utm_medium=default-template&filter=next.js&utm_source=create-next-app&utm_campaign=create-next-app-readme) from the creators of Next.js.
+1. Maak een account op [neon.tech](https://neon.tech)
+2. Maak een nieuw project en database
+3. Kopieer de connection strings:
+   - **DATABASE_URL**: de pooled connection string
+   - **DIRECT_URL**: de directe (niet-gepoolde) connection string
 
-Check out our [Next.js deployment documentation](https://nextjs.org/docs/app/building-your-application/deploying) for more details.
+### 2. Deployen op Vercel
+
+1. Push de code naar GitHub
+2. Importeer het project in [vercel.com](https://vercel.com)
+3. Voeg de volgende environment variables toe in Vercel:
+   - `DATABASE_URL` (Neon pooled URL)
+   - `DIRECT_URL` (Neon direct URL)
+   - `SESSION_SECRET` (random string >= 32 tekens)
+4. Deploy
+
+### 3. Database migraties uitvoeren
+
+```bash
+# Eenmalig na deploy:
+npx prisma migrate deploy
+npx prisma db seed
+```
+
+---
+
+## REST API
+
+Alle endpoints vereisen `Authorization: Bearer <token>`.
+Maak een token aan via **Instellingen -> API Tokens** in de app.
+
+### Endpoints
+
+#### `GET /api/products`
+Haal alle actieve producten op.
+
+```bash
+curl -H "Authorization: Bearer <token>" \
+  https://your-app.vercel.app/api/products
+```
+
+**Response:**
+```json
+[
+  { "id": "clx...", "name": "Mijn Product", "repo_url": "https://github.com/..." }
+]
+```
+
+---
+
+#### `GET /api/products/:id/next-story`
+Haal de hoogst geprioriteerde open story uit de actieve sprint op.
+
+```bash
+curl -H "Authorization: Bearer <token>" \
+  https://your-app.vercel.app/api/products/<product-id>/next-story
+```
+
+**Response:** story-object inclusief taken.
+
+---
+
+#### `GET /api/sprints/:id/tasks?limit=10`
+Haal de eerste N taken uit de sprint op (standaard 10, max 50).
+
+```bash
+curl -H "Authorization: Bearer <token>" \
+  "https://your-app.vercel.app/api/sprints/<sprint-id>/tasks?limit=5"
+```
+
+---
+
+#### `POST /api/stories/:id/log`
+Voeg een logvermelding toe aan een story.
+
+```bash
+# Implementatieplan:
+curl -X POST -H "Authorization: Bearer <token>" \
+  -H "Content-Type: application/json" \
+  -d '{"type":"IMPLEMENTATION_PLAN","content":"Aanpak: ..."}' \
+  https://your-app.vercel.app/api/stories/<story-id>/log
+
+# Testresultaat:
+curl -X POST -H "Authorization: Bearer <token>" \
+  -H "Content-Type: application/json" \
+  -d '{"type":"TEST_RESULT","content":"Alle tests geslaagd","status":"PASSED"}' \
+  https://your-app.vercel.app/api/stories/<story-id>/log
+
+# Commit:
+curl -X POST -H "Authorization: Bearer <token>" \
+  -H "Content-Type: application/json" \
+  -d '{"type":"COMMIT","content":"feat: ST-001","commit_hash":"abc123","commit_message":"feat: ST-001 scaffolding"}' \
+  https://your-app.vercel.app/api/stories/<story-id>/log
+```
+
+---
+
+#### `PATCH /api/stories/:id/tasks/reorder`
+Pas de taakvolgorde aan binnen een story.
+
+```bash
+curl -X PATCH -H "Authorization: Bearer <token>" \
+  -H "Content-Type: application/json" \
+  -d '{"task_ids":["id-1","id-2","id-3"]}' \
+  https://your-app.vercel.app/api/stories/<story-id>/tasks/reorder
+```
+
+---
+
+#### `PATCH /api/tasks/:id`
+Werk de status van een taak bij.
+
+```bash
+curl -X PATCH -H "Authorization: Bearer <token>" \
+  -H "Content-Type: application/json" \
+  -d '{"status":"IN_PROGRESS"}' \
+  https://your-app.vercel.app/api/tasks/<task-id>
+```
+
+**Status waarden:** `TO_DO` - `IN_PROGRESS` - `DONE`
+
+---
+
+#### `POST /api/todos`
+Maak een todo aan.
+
+```bash
+curl -X POST -H "Authorization: Bearer <token>" \
+  -H "Content-Type: application/json" \
+  -d '{"title":"Mijn nieuwe todo"}' \
+  https://your-app.vercel.app/api/todos
+```
+
+---
+
+## Claude Code integratie
+
+Scrum4Me integreert met [Claude Code](https://claude.ai/claude-code) via de REST API.
+
+1. Maak een API token aan via **Instellingen -> API Tokens**
+2. Gebruik de API om implementatieplannen, testresultaten en commits automatisch te loggen in stories
+
+---
+
+## Scripts
+
+| Script | Beschrijving |
+|---|---|
+| `npm run dev` | Lokale ontwikkelserver |
+| `npm run build` | Productie-build |
+| `npm run lint` | ESLint |
+| `npm test` | Beveiligingstests uitvoeren |
+| `npx tsc --noEmit` | TypeScript-check |
+| `npx prisma db push` | Database schema synchroniseren |
+| `npx prisma db seed` | Testdata inladen |
+
+---
+
+## Tech stack
+
+- **Next.js 15** (App Router) + **React 19**
+- **TypeScript** strict
+- **Tailwind CSS** + **shadcn/ui** (Base UI)
+- **Zustand** (client state)
+- **dnd-kit** (drag-and-drop)
+- **Prisma v7** (ORM)
+- **PostgreSQL** (Neon) / **SQLite** (lokaal)
+- **iron-session** (auth)
+- **Sonner** (toasts)
+- **Zod** (validatie)