feat(notifications): add delete functionality for individual and all notifications

feat(guest-join): support access code in guest join URL

server/routes/federation.js

@@ -83,8 +83,11 @@ router.post('/invite', authenticateToken, async (req, res) => {
         }
 
         // Build guest join URL for the remote user
+        // If the room has an access code, embed it so the recipient can join without manual entry
         const baseUrl = process.env.APP_URL || `${req.protocol}://${req.get('host')}`;
-        const joinUrl = `${baseUrl}/join/${room.uid}`;
+        const joinUrl = room.access_code
+            ? `${baseUrl}/join/${room.uid}?ac=${encodeURIComponent(room.access_code)}`
+            : `${baseUrl}/join/${room.uid}`;
 
         // Build invitation payload
         const inviteId = uuidv4();

server/routes/notifications.js

@@ -45,4 +45,30 @@ router.post('/:id/read', authenticateToken, async (req, res) => {
   }
 });
 
+// DELETE /api/notifications/all — Delete all notifications for current user
+// NOTE: Declared before /:id to avoid routing collision
+router.delete('/all', authenticateToken, async (req, res) => {
+  try {
+    const db = getDb();
+    await db.run('DELETE FROM notifications WHERE user_id = ?', [req.user.id]);
+    res.json({ success: true });
+  } catch {
+    res.status(500).json({ error: 'Failed to delete notifications' });
+  }
+});
+
+// DELETE /api/notifications/:id — Delete a single notification
+router.delete('/:id', authenticateToken, async (req, res) => {
+  try {
+    const db = getDb();
+    await db.run(
+      'DELETE FROM notifications WHERE id = ? AND user_id = ?',
+      [req.params.id, req.user.id],
+    );
+    res.json({ success: true });
+  } catch {
+    res.status(500).json({ error: 'Failed to delete notification' });
+  }
+});
+
 export default router;