feat: Migrate to MySQL and add unified environment configuration

## Database Migration (SQLite → MySQL)
- Add Alembic migration framework
- Add 'tr_' prefix to all tables to avoid conflicts in shared database
- Remove SQLite support, use MySQL exclusively
- Add pymysql driver dependency
- Change ad_token column to Text type for long JWT tokens

## Unified Environment Configuration
- Centralize all hardcoded settings to environment variables
- Backend: Extend Settings class in app/core/config.py
- Frontend: Use Vite environment variables (import.meta.env)
- Docker: Move credentials to environment variables
- Update .env.example files with comprehensive documentation

## Test Organization
- Move root-level test files to tests/ directory:
  - test_chat_room.py → tests/test_chat_room.py
  - test_websocket.py → tests/test_websocket.py
  - test_realtime_implementation.py → tests/test_realtime_implementation.py
- Fix path references in test_realtime_implementation.py

Breaking Changes:
- CORS now requires explicit origins (no more wildcard)
- All database tables renamed with 'tr_' prefix
- SQLite no longer supported

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

alembic/README

@@ -0,0 +1 @@
+Generic single-database configuration.

alembic/env.py

@@ -0,0 +1,122 @@
+"""Alembic migrations environment configuration
+
+This configures Alembic to use the application's database settings
+and SQLAlchemy models for migration autogeneration.
+
+All tables use 'tr_' prefix to avoid conflicts in shared database.
+"""
+from logging.config import fileConfig
+import os
+import sys
+
+from sqlalchemy import engine_from_config
+from sqlalchemy import pool
+
+from alembic import context
+
+# Add parent directory to path so we can import app modules
+sys.path.insert(0, os.path.dirname(os.path.dirname(os.path.abspath(__file__))))
+
+# Import settings and models
+from app.core.config import get_settings
+from app.core.database import Base
+
+# Import all models to register them with Base.metadata
+from app.modules.auth.models import UserSession, User
+from app.modules.chat_room.models import IncidentRoom, RoomMember, RoomTemplate
+from app.modules.realtime.models import Message, MessageReaction, MessageEditHistory
+from app.modules.file_storage.models import RoomFile
+from app.modules.report_generation.models import GeneratedReport
+
+# this is the Alembic Config object, which provides
+# access to the values within the .ini file in use.
+config = context.config
+
+# Load database URL from settings
+settings = get_settings()
+config.set_main_option("sqlalchemy.url", settings.DATABASE_URL)
+
+# Custom version table name with tr_ prefix to avoid conflicts
+VERSION_TABLE = "tr_alembic_version"
+
+# Interpret the config file for Python logging.
+# This line sets up loggers basically.
+if config.config_file_name is not None:
+    fileConfig(config.config_file_name)
+
+# add your model's MetaData object here
+# for 'autogenerate' support
+target_metadata = Base.metadata
+
+# other values from the config, defined by the needs of env.py,
+# can be acquired:
+# my_important_option = config.get_main_option("my_important_option")
+# ... etc.
+
+
+def include_object(object, name, type_, reflected, compare_to):
+    """Filter to only include tables with 'tr_' prefix
+
+    This ensures migrations only affect Task Reporter tables
+    in the shared database.
+    """
+    if type_ == "table":
+        return name.startswith("tr_")
+    return True
+
+
+def run_migrations_offline() -> None:
+    """Run migrations in 'offline' mode.
+
+    This configures the context with just a URL
+    and not an Engine, though an Engine is acceptable
+    here as well.  By skipping the Engine creation
+    we don't even need a DBAPI to be available.
+
+    Calls to context.execute() here emit the given string to the
+    script output.
+
+    """
+    url = config.get_main_option("sqlalchemy.url")
+    context.configure(
+        url=url,
+        target_metadata=target_metadata,
+        literal_binds=True,
+        dialect_opts={"paramstyle": "named"},
+        include_object=include_object,
+        version_table=VERSION_TABLE,
+    )
+
+    with context.begin_transaction():
+        context.run_migrations()
+
+
+def run_migrations_online() -> None:
+    """Run migrations in 'online' mode.
+
+    In this scenario we need to create an Engine
+    and associate a connection with the context.
+
+    """
+    connectable = engine_from_config(
+        config.get_section(config.config_ini_section, {}),
+        prefix="sqlalchemy.",
+        poolclass=pool.NullPool,
+    )
+
+    with connectable.connect() as connection:
+        context.configure(
+            connection=connection,
+            target_metadata=target_metadata,
+            include_object=include_object,
+            version_table=VERSION_TABLE,
+        )
+
+        with context.begin_transaction():
+            context.run_migrations()
+
+
+if context.is_offline_mode():
+    run_migrations_offline()
+else:
+    run_migrations_online()

alembic/script.py.mako

@@ -0,0 +1,26 @@
+"""${message}
+
+Revision ID: ${up_revision}
+Revises: ${down_revision | comma,n}
+Create Date: ${create_date}
+
+"""
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+${imports if imports else ""}
+
+# revision identifiers, used by Alembic.
+revision: str = ${repr(up_revision)}
+down_revision: Union[str, None] = ${repr(down_revision)}
+branch_labels: Union[str, Sequence[str], None] = ${repr(branch_labels)}
+depends_on: Union[str, Sequence[str], None] = ${repr(depends_on)}
+
+
+def upgrade() -> None:
+    ${upgrades if upgrades else "pass"}
+
+
+def downgrade() -> None:
+    ${downgrades if downgrades else "pass"}

alembic/versions/d80670b4abcb_initial_migration_create_tr__prefixed_.py

@@ -0,0 +1,200 @@
+"""Initial migration - create tr_ prefixed tables
+
+Revision ID: d80670b4abcb
+Revises: 
+Create Date: 2025-12-07 13:51:52.658701
+
+"""
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+
+
+# revision identifiers, used by Alembic.
+revision: str = 'd80670b4abcb'
+down_revision: Union[str, None] = None
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.create_table('tr_incident_rooms',
+    sa.Column('room_id', sa.String(length=36), nullable=False),
+    sa.Column('title', sa.String(length=255), nullable=False),
+    sa.Column('incident_type', sa.Enum('EQUIPMENT_FAILURE', 'MATERIAL_SHORTAGE', 'QUALITY_ISSUE', 'OTHER', name='incidenttype'), nullable=False),
+    sa.Column('severity', sa.Enum('LOW', 'MEDIUM', 'HIGH', 'CRITICAL', name='severitylevel'), nullable=False),
+    sa.Column('status', sa.Enum('ACTIVE', 'RESOLVED', 'ARCHIVED', name='roomstatus'), nullable=False),
+    sa.Column('location', sa.String(length=255), nullable=True),
+    sa.Column('description', sa.Text(), nullable=True),
+    sa.Column('resolution_notes', sa.Text(), nullable=True),
+    sa.Column('created_by', sa.String(length=255), nullable=False),
+    sa.Column('created_at', sa.DateTime(), nullable=False),
+    sa.Column('resolved_at', sa.DateTime(), nullable=True),
+    sa.Column('archived_at', sa.DateTime(), nullable=True),
+    sa.Column('last_activity_at', sa.DateTime(), nullable=False),
+    sa.Column('last_updated_at', sa.DateTime(), nullable=False),
+    sa.Column('ownership_transferred_at', sa.DateTime(), nullable=True),
+    sa.Column('ownership_transferred_by', sa.String(length=255), nullable=True),
+    sa.Column('member_count', sa.Integer(), nullable=False),
+    sa.PrimaryKeyConstraint('room_id')
+    )
+    op.create_index('ix_tr_incident_rooms_created_by', 'tr_incident_rooms', ['created_by'], unique=False)
+    op.create_index('ix_tr_incident_rooms_status_created', 'tr_incident_rooms', ['status', 'created_at'], unique=False)
+    op.create_table('tr_room_templates',
+    sa.Column('template_id', sa.Integer(), autoincrement=True, nullable=False),
+    sa.Column('name', sa.String(length=100), nullable=False),
+    sa.Column('description', sa.Text(), nullable=True),
+    sa.Column('incident_type', sa.Enum('EQUIPMENT_FAILURE', 'MATERIAL_SHORTAGE', 'QUALITY_ISSUE', 'OTHER', name='incidenttype'), nullable=False),
+    sa.Column('default_severity', sa.Enum('LOW', 'MEDIUM', 'HIGH', 'CRITICAL', name='severitylevel'), nullable=False),
+    sa.Column('default_members', sa.Text(), nullable=True),
+    sa.Column('metadata_fields', sa.Text(), nullable=True),
+    sa.PrimaryKeyConstraint('template_id'),
+    sa.UniqueConstraint('name')
+    )
+    op.create_table('tr_user_sessions',
+    sa.Column('id', sa.Integer(), nullable=False),
+    sa.Column('username', sa.String(length=255), nullable=False, comment='User email from AD'),
+    sa.Column('display_name', sa.String(length=255), nullable=False, comment='Display name for chat'),
+    sa.Column('internal_token', sa.String(length=255), nullable=False, comment='Internal session token (UUID)'),
+    sa.Column('ad_token', sa.String(length=500), nullable=False, comment='AD API token'),
+    sa.Column('encrypted_password', sa.String(length=500), nullable=False, comment='AES-256 encrypted password'),
+    sa.Column('ad_token_expires_at', sa.DateTime(), nullable=False, comment='AD token expiry time'),
+    sa.Column('refresh_attempt_count', sa.Integer(), nullable=False, comment='Failed refresh attempts counter'),
+    sa.Column('last_activity', sa.DateTime(), nullable=False, comment='Last API request time'),
+    sa.Column('created_at', sa.DateTime(), nullable=False),
+    sa.PrimaryKeyConstraint('id')
+    )
+    op.create_index(op.f('ix_tr_user_sessions_id'), 'tr_user_sessions', ['id'], unique=False)
+    op.create_index(op.f('ix_tr_user_sessions_internal_token'), 'tr_user_sessions', ['internal_token'], unique=True)
+    op.create_table('tr_users',
+    sa.Column('user_id', sa.String(length=255), nullable=False, comment='User email address (e.g., ymirliu@panjit.com.tw)'),
+    sa.Column('display_name', sa.String(length=255), nullable=False, comment="Display name from AD (e.g., 'ymirliu 劉念蓉')"),
+    sa.Column('office_location', sa.String(length=100), nullable=True, comment="Office location from AD (e.g., '高雄')"),
+    sa.Column('job_title', sa.String(length=100), nullable=True, comment='Job title from AD'),
+    sa.Column('last_login_at', sa.DateTime(), nullable=True, comment='Last login timestamp'),
+    sa.Column('created_at', sa.DateTime(), nullable=False, comment='First login timestamp'),
+    sa.PrimaryKeyConstraint('user_id')
+    )
+    op.create_index('ix_tr_users_display_name', 'tr_users', ['display_name'], unique=False)
+    op.create_table('tr_generated_reports',
+    sa.Column('report_id', sa.String(length=36), nullable=False, comment='Unique report identifier (UUID)'),
+    sa.Column('room_id', sa.String(length=36), nullable=False, comment='Reference to incident room'),
+    sa.Column('generated_by', sa.String(length=255), nullable=False, comment='User email who triggered report generation'),
+    sa.Column('generated_at', sa.DateTime(), nullable=False, comment='Report generation timestamp'),
+    sa.Column('status', sa.String(length=30), nullable=False, comment='Current generation status'),
+    sa.Column('error_message', sa.Text(), nullable=True, comment='User-friendly error message if generation failed'),
+    sa.Column('dify_message_id', sa.String(length=100), nullable=True, comment='DIFY API message ID for tracking'),
+    sa.Column('dify_conversation_id', sa.String(length=100), nullable=True, comment='DIFY conversation ID'),
+    sa.Column('prompt_tokens', sa.Integer(), nullable=True, comment='Number of prompt tokens used'),
+    sa.Column('completion_tokens', sa.Integer(), nullable=True, comment='Number of completion tokens used'),
+    sa.Column('report_title', sa.String(length=255), nullable=True, comment='Generated report title'),
+    sa.Column('report_json', sa.JSON(), nullable=True, comment='Parsed AI output as JSON'),
+    sa.Column('docx_storage_path', sa.String(length=500), nullable=True, comment='Path to generated .docx file in MinIO or local storage'),
+    sa.ForeignKeyConstraint(['room_id'], ['tr_incident_rooms.room_id'], ondelete='CASCADE'),
+    sa.PrimaryKeyConstraint('report_id')
+    )
+    op.create_index('ix_tr_generated_reports_room_date', 'tr_generated_reports', ['room_id', 'generated_at'], unique=False)
+    op.create_index('ix_tr_generated_reports_status', 'tr_generated_reports', ['status'], unique=False)
+    op.create_table('tr_messages',
+    sa.Column('message_id', sa.String(length=36), nullable=False),
+    sa.Column('room_id', sa.String(length=36), nullable=False),
+    sa.Column('sender_id', sa.String(length=255), nullable=False),
+    sa.Column('content', sa.Text(), nullable=False),
+    sa.Column('message_type', sa.Enum('TEXT', 'IMAGE_REF', 'FILE_REF', 'SYSTEM', 'INCIDENT_DATA', name='messagetype'), nullable=False),
+    sa.Column('message_metadata', sa.JSON(), nullable=True),
+    sa.Column('created_at', sa.DateTime(), nullable=False),
+    sa.Column('edited_at', sa.DateTime(), nullable=True),
+    sa.Column('deleted_at', sa.DateTime(), nullable=True),
+    sa.Column('sequence_number', sa.BigInteger(), nullable=False),
+    sa.ForeignKeyConstraint(['room_id'], ['tr_incident_rooms.room_id'], ondelete='CASCADE'),
+    sa.PrimaryKeyConstraint('message_id')
+    )
+    op.create_index('ix_tr_messages_room_created', 'tr_messages', ['room_id', 'created_at'], unique=False)
+    op.create_index('ix_tr_messages_room_sequence', 'tr_messages', ['room_id', 'sequence_number'], unique=False)
+    op.create_index('ix_tr_messages_sender', 'tr_messages', ['sender_id'], unique=False)
+    op.create_table('tr_room_files',
+    sa.Column('file_id', sa.String(length=36), nullable=False),
+    sa.Column('room_id', sa.String(length=36), nullable=False),
+    sa.Column('uploader_id', sa.String(length=255), nullable=False),
+    sa.Column('filename', sa.String(length=255), nullable=False),
+    sa.Column('file_type', sa.String(length=20), nullable=False),
+    sa.Column('mime_type', sa.String(length=100), nullable=False),
+    sa.Column('file_size', sa.BigInteger(), nullable=False),
+    sa.Column('minio_bucket', sa.String(length=100), nullable=False),
+    sa.Column('minio_object_path', sa.String(length=500), nullable=False),
+    sa.Column('uploaded_at', sa.DateTime(), nullable=False),
+    sa.Column('deleted_at', sa.DateTime(), nullable=True),
+    sa.ForeignKeyConstraint(['room_id'], ['tr_incident_rooms.room_id'], ondelete='CASCADE'),
+    sa.PrimaryKeyConstraint('file_id')
+    )
+    op.create_index('ix_tr_room_files_room_uploaded', 'tr_room_files', ['room_id', 'uploaded_at'], unique=False)
+    op.create_index('ix_tr_room_files_uploader', 'tr_room_files', ['uploader_id'], unique=False)
+    op.create_table('tr_room_members',
+    sa.Column('id', sa.Integer(), autoincrement=True, nullable=False),
+    sa.Column('room_id', sa.String(length=36), nullable=False),
+    sa.Column('user_id', sa.String(length=255), nullable=False),
+    sa.Column('role', sa.Enum('OWNER', 'EDITOR', 'VIEWER', name='memberrole'), nullable=False),
+    sa.Column('added_by', sa.String(length=255), nullable=False),
+    sa.Column('added_at', sa.DateTime(), nullable=False),
+    sa.Column('removed_at', sa.DateTime(), nullable=True),
+    sa.ForeignKeyConstraint(['room_id'], ['tr_incident_rooms.room_id'], ondelete='CASCADE'),
+    sa.PrimaryKeyConstraint('id'),
+    sa.UniqueConstraint('room_id', 'user_id', 'removed_at', name='uq_tr_room_member_active')
+    )
+    op.create_index('ix_tr_room_members_room_user', 'tr_room_members', ['room_id', 'user_id'], unique=False)
+    op.create_index('ix_tr_room_members_user', 'tr_room_members', ['user_id'], unique=False)
+    op.create_table('tr_message_edit_history',
+    sa.Column('edit_id', sa.Integer(), autoincrement=True, nullable=False),
+    sa.Column('message_id', sa.String(length=36), nullable=False),
+    sa.Column('original_content', sa.Text(), nullable=False),
+    sa.Column('edited_by', sa.String(length=255), nullable=False),
+    sa.Column('edited_at', sa.DateTime(), nullable=False),
+    sa.ForeignKeyConstraint(['message_id'], ['tr_messages.message_id'], ondelete='CASCADE'),
+    sa.PrimaryKeyConstraint('edit_id')
+    )
+    op.create_index('ix_tr_message_edit_history_message', 'tr_message_edit_history', ['message_id', 'edited_at'], unique=False)
+    op.create_table('tr_message_reactions',
+    sa.Column('reaction_id', sa.Integer(), autoincrement=True, nullable=False),
+    sa.Column('message_id', sa.String(length=36), nullable=False),
+    sa.Column('user_id', sa.String(length=255), nullable=False),
+    sa.Column('emoji', sa.String(length=10), nullable=False),
+    sa.Column('created_at', sa.DateTime(), nullable=False),
+    sa.ForeignKeyConstraint(['message_id'], ['tr_messages.message_id'], ondelete='CASCADE'),
+    sa.PrimaryKeyConstraint('reaction_id'),
+    sa.UniqueConstraint('message_id', 'user_id', 'emoji', name='uq_tr_message_reaction')
+    )
+    op.create_index('ix_tr_message_reactions_message', 'tr_message_reactions', ['message_id'], unique=False)
+    # ### end Alembic commands ###
+
+
+def downgrade() -> None:
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.drop_index('ix_tr_message_reactions_message', table_name='tr_message_reactions')
+    op.drop_table('tr_message_reactions')
+    op.drop_index('ix_tr_message_edit_history_message', table_name='tr_message_edit_history')
+    op.drop_table('tr_message_edit_history')
+    op.drop_index('ix_tr_room_members_user', table_name='tr_room_members')
+    op.drop_index('ix_tr_room_members_room_user', table_name='tr_room_members')
+    op.drop_table('tr_room_members')
+    op.drop_index('ix_tr_room_files_uploader', table_name='tr_room_files')
+    op.drop_index('ix_tr_room_files_room_uploaded', table_name='tr_room_files')
+    op.drop_table('tr_room_files')
+    op.drop_index('ix_tr_messages_sender', table_name='tr_messages')
+    op.drop_index('ix_tr_messages_room_sequence', table_name='tr_messages')
+    op.drop_index('ix_tr_messages_room_created', table_name='tr_messages')
+    op.drop_table('tr_messages')
+    op.drop_index('ix_tr_generated_reports_status', table_name='tr_generated_reports')
+    op.drop_index('ix_tr_generated_reports_room_date', table_name='tr_generated_reports')
+    op.drop_table('tr_generated_reports')
+    op.drop_index('ix_tr_users_display_name', table_name='tr_users')
+    op.drop_table('tr_users')
+    op.drop_index(op.f('ix_tr_user_sessions_internal_token'), table_name='tr_user_sessions')
+    op.drop_index(op.f('ix_tr_user_sessions_id'), table_name='tr_user_sessions')
+    op.drop_table('tr_user_sessions')
+    op.drop_table('tr_room_templates')
+    op.drop_index('ix_tr_incident_rooms_status_created', table_name='tr_incident_rooms')
+    op.drop_index('ix_tr_incident_rooms_created_by', table_name='tr_incident_rooms')
+    op.drop_table('tr_incident_rooms')
+    # ### end Alembic commands ###

alembic/versions/ea3798f776f4_change_ad_token_to_text_type.py

@@ -0,0 +1,40 @@
+"""change ad_token to text type
+
+Revision ID: ea3798f776f4
+Revises: d80670b4abcb
+Create Date: 2025-12-07 14:13:47.469856
+
+"""
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+from sqlalchemy.dialects import mysql
+
+# revision identifiers, used by Alembic.
+revision: str = 'ea3798f776f4'
+down_revision: Union[str, None] = 'd80670b4abcb'
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.alter_column('tr_user_sessions', 'ad_token',
+               existing_type=mysql.VARCHAR(length=500),
+               type_=sa.Text(),
+               comment='AD API token (JWT)',
+               existing_comment='AD API token',
+               existing_nullable=False)
+    # ### end Alembic commands ###
+
+
+def downgrade() -> None:
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.alter_column('tr_user_sessions', 'ad_token',
+               existing_type=sa.Text(),
+               type_=mysql.VARCHAR(length=500),
+               comment='AD API token',
+               existing_comment='AD API token (JWT)',
+               existing_nullable=False)
+    # ### end Alembic commands ###