Fix issues #6, #7, #11, #12, #13: med reminders, push notifications, auth persistence, scheduling conflicts

- Fix TIME object vs string comparison in scheduler preventing adaptive med
  reminders from ever firing (#12, #6)
- Add frequency filtering to midnight schedule creation for every_n_days meds
- Require start_date and interval_days for every_n_days medications
- Add refresh token support (30-day) to API and bot for persistent sessions (#13)
- Add "trusted device" checkbox to frontend login for long-lived sessions (#7)
- Auto-refresh expired tokens in both bot (apiRequest) and frontend (api.ts)
- Restore bot sessions from cache on restart using refresh tokens
- Duration-aware routine scheduling conflict detection (#11)
- Add conflict check when starting routine sessions against medication times
- Add diagnostic logging to notification delivery channels

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

core/auth.py

@@ -7,6 +7,16 @@ import datetime
 import os
 
 
+REFRESH_TOKEN_SECRET = None
+
+
+def _get_refresh_secret():
+    global REFRESH_TOKEN_SECRET
+    if REFRESH_TOKEN_SECRET is None:
+        REFRESH_TOKEN_SECRET = os.getenv("JWT_SECRET", "") + "_refresh"
+    return REFRESH_TOKEN_SECRET
+
+
 def verifyLoginToken(login_token, username=False, userUUID=False):
     if username:
         userUUID = users.getUserUUID(username)
@@ -49,6 +59,44 @@ def getLoginToken(username, password):
     return False
 
 
+def createRefreshToken(userUUID):
+    """Create a long-lived refresh token (30 days)."""
+    payload = {
+        "sub": str(userUUID),
+        "type": "refresh",
+        "exp": datetime.datetime.utcnow() + datetime.timedelta(days=30),
+    }
+    return jwt.encode(payload, _get_refresh_secret(), algorithm="HS256")
+
+
+def refreshAccessToken(refresh_token):
+    """Validate a refresh token and return a new access token + user_uuid.
+    Returns (access_token, user_uuid) or (None, None)."""
+    try:
+        decoded = jwt.decode(
+            refresh_token, _get_refresh_secret(), algorithms=["HS256"]
+        )
+        if decoded.get("type") != "refresh":
+            return None, None
+        user_uuid = decoded.get("sub")
+        if not user_uuid:
+            return None, None
+        # Verify user still exists
+        user = postgres.select_one("users", {"id": user_uuid})
+        if not user:
+            return None, None
+        # Create new access token
+        payload = {
+            "sub": user_uuid,
+            "name": user.get("first_name", ""),
+            "exp": datetime.datetime.utcnow() + datetime.timedelta(hours=1),
+        }
+        access_token = jwt.encode(payload, os.getenv("JWT_SECRET"), algorithm="HS256")
+        return access_token, user_uuid
+    except (ExpiredSignatureError, InvalidTokenError):
+        return None, None
+
+
 def unregisterUser(userUUID, password):
     pw_hash = getUserpasswordHash(userUUID)
     if not pw_hash: