Add versioned DB migration system with automatic backup

migrations.py
- schema_migrations table tracks applied versions (version, description, applied_at)
- MIGRATIONS list is append-only; each entry is (version, description, sql)
- backup() dumps all user-data tables to a timestamped JSON file in backups/
  before any schema changes so data can be recovered if something goes wrong
- run_migrations() is idempotent: already-applied versions are skipped

Integration
- app.py calls _run_startup_migrations() at module load so every restart
  applies any pending migrations (no-op if schema is current)
- setup_routes.py calls run_migrations() after the initial setup form is
  submitted so all tables exist before the user hits the main page for the
  first time
- notes.py and admin.py: removed all per-request CREATE TABLE DDL; schema is
  now owned entirely by the migration system

Docker
- docker-compose.dev.yml: add backups-data volume so JSON backups survive
  container restarts and rebuilds
- Dockerfile: pre-create /app/backend/logs and /app/backend/backups so the
  directories exist even before volumes are mounted

Adding future schema changes
- Append a new (version, description, sql) tuple to MIGRATIONS in migrations.py
- The next restart will detect it as pending, back up first, then apply it

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/tools/notes.py

@@ -6,35 +6,6 @@ from auth.token import verify_token
 
 notes_blueprint = Blueprint('notes_tool', __name__)
 
-# Module-level flag: DDL runs at most once per process lifetime.
-# Resets automatically on worker restart, which re-triggers the check.
-_table_ready = False
-
-
-def _ensure_table():
-    global _table_ready
-    if _table_ready:
-        return
-    conn = get_connection()
-    try:
-        cursor = conn.cursor()
-        cursor.execute("""
-            CREATE TABLE IF NOT EXISTS notes (
-                id INT AUTO_INCREMENT PRIMARY KEY,
-                user_id INT NOT NULL,
-                title VARCHAR(255) NOT NULL,
-                content TEXT,
-                language VARCHAR(50) DEFAULT 'text',
-                created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
-                updated_at DATETIME DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP
-            )
-        """)
-        conn.commit()
-        cursor.close()
-        _table_ready = True
-    finally:
-        conn.close()
-
 
 @notes_blueprint.route('/api/notes', methods=['GET'])
 def get_notes():
@@ -42,12 +13,12 @@ def get_notes():
     if not user:
         return jsonify({"message": "Nicht autorisiert"}), 401
     try:
-        _ensure_table()
         conn = get_connection()
         try:
             cursor = conn.cursor(dictionary=True)
             cursor.execute(
-                "SELECT id, title, content, language, created_at, updated_at FROM notes WHERE user_id = %s ORDER BY updated_at DESC",
+                "SELECT id, title, content, language, created_at, updated_at "
+                "FROM notes WHERE user_id = %s ORDER BY updated_at DESC",
                 (user['id'],)
             )
             notes = cursor.fetchall()
@@ -71,7 +42,6 @@ def create_note():
     if not user:
         return jsonify({"message": "Nicht autorisiert"}), 401
     try:
-        _ensure_table()
         data = request.get_json(silent=True) or {}
         title = data.get("title", "Neue Notiz").strip() or "Neue Notiz"
         content = data.get("content", "")
@@ -103,7 +73,6 @@ def update_note(note_id):
     if not user:
         return jsonify({"message": "Nicht autorisiert"}), 401
     try:
-        _ensure_table()
         data = request.get_json(silent=True) or {}
         title = data.get("title", "").strip() or "Neue Notiz"
         content = data.get("content", "")
@@ -116,7 +85,8 @@ def update_note(note_id):
         try:
             cursor = conn.cursor()
             cursor.execute(
-                "UPDATE notes SET title=%s, content=%s, language=%s, updated_at=%s WHERE id=%s AND user_id=%s",
+                "UPDATE notes SET title=%s, content=%s, language=%s, updated_at=%s "
+                "WHERE id=%s AND user_id=%s",
                 (title, content, language, now, note_id, user['id'])
             )
             conn.commit()
@@ -139,7 +109,6 @@ def delete_note(note_id):
     if not user:
         return jsonify({"message": "Nicht autorisiert"}), 401
     try:
-        _ensure_table()
         conn = get_connection()
         try:
             cursor = conn.cursor()