fix: notifications endpoints use current user auth instead of required user_id query

- /notifications and /notifications/count no longer require user_id param
- return both count and unread fields for compatibility
- /notifications/read-all marks current user notifications
- /notifications/{id}/read enforces ownership (or admin)
zhi
2026-03-11 10:46:48 +00:00
parent 7fe0a72549
commit 7218aabc59


@@ -12,6 +12,7 @@ from sqlalchemy import func as sqlfunc
from pydantic import BaseModel
from app.core.config import get_db
from app.api.deps import get_current_user_or_apikey
from app.models import models
from app.models.apikey import APIKey
from app.models.activity import ActivityLog
@@ -184,8 +185,8 @@ class NotificationResponse(BaseModel):
@router.get("/notifications", response_model=List[NotificationResponse], tags=["Notifications"])
def list_notifications(user_id: int, unread_only: bool = False, limit: int = 50, db: Session = Depends(get_db)):
query = db.query(NotificationModel).filter(NotificationModel.user_id == user_id)
def list_notifications(unread_only: bool = False, limit: int = 50, db: Session = Depends(get_db), current_user: models.User = Depends(get_current_user_or_apikey)):
query = db.query(NotificationModel).filter(NotificationModel.user_id == current_user.id)
if unread_only:
query = query.filter(NotificationModel.is_read == False)
return query.order_by(NotificationModel.created_at.desc()).limit(limit).all()
@@ -200,7 +201,7 @@ def notification_count(user_id: int, db: Session = Depends(get_db)):
@router.post("/notifications/{notification_id}/read", tags=["Notifications"])
def mark_read(notification_id: int, db: Session = Depends(get_db)):
def mark_read(notification_id: int, db: Session = Depends(get_db), current_user: models.User = Depends(get_current_user_or_apikey)):
n = db.query(NotificationModel).filter(NotificationModel.id == notification_id).first()
if not n:
raise HTTPException(status_code=404, detail="Notification not found")
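Review bot: `limit` in the rewritten `list_notifications` signature is still an unvalidated client-supplied integer passed straight to `.limit(limit)`, so a caller can request an arbitrarily large page, and zero or negative values reach the database unchanged. Since the signature is being touched anyway, bound it there, for example `limit: int = Query(50, ge=1, le=200)`; the cap of 200 is only a suggested value, and `Query` needs importing from fastapi if the file does not already do so. In the `mark_read` hunk the visible lines still load the row by id alone, and the function body continues outside the hunk. It is worth confirming that the ownership check named in the description runs before the row is modified.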