spec: update api consistency

Align optimistic locking conflict payload, update websocket docs, and adjust tests.

openspec/changes/update-api-consistency/specs/resource-management/spec.md

@@ -0,0 +1,35 @@
+## MODIFIED Requirements
+### Requirement: Workload Heatmap UI
+The system SHALL provide a visual workload heatmap interface for managers.
+
+#### Scenario: View workload heatmap
+- **GIVEN** user is logged in as manager or admin
+- **WHEN** user navigates to /workload page without filters
+- **THEN** system displays a heatmap showing all accessible users' workload
+- **AND** users with zero workload are included by default
+- **AND** each user cell is color-coded by load level (green/yellow/red)
+
+#### Scenario: Hide empty workloads
+- **GIVEN** user is viewing the workload page
+- **WHEN** user enables the hide_empty filter
+- **THEN** the heatmap excludes users with zero workload
+
+#### Scenario: Navigate between weeks
+- **GIVEN** user is viewing the workload page
+- **WHEN** user clicks previous/next week buttons
+- **THEN** the heatmap updates to show that week's workload data
+
+#### Scenario: Default week window on Sunday
+- **GIVEN** today is Sunday and user opens workload page without selecting week_start
+- **THEN** the default heatmap window includes tasks due in the upcoming week
+
+#### Scenario: View user workload details
+- **GIVEN** user is viewing the workload heatmap
+- **WHEN** user clicks on a specific user's cell
+- **THEN** a modal/drawer opens showing that user's task breakdown
+- **AND** tasks show title, project, time estimate, and due date
+
+#### Scenario: Filter by department
+- **GIVEN** user is a system admin
+- **WHEN** user selects a department from the filter
+- **THEN** the heatmap shows only users from that department

openspec/changes/update-api-consistency/specs/task-management/spec.md

@@ -0,0 +1,16 @@
+## MODIFIED Requirements
+### Requirement: Optimistic Locking for Task Updates
+The system SHALL use optimistic locking to prevent concurrent update conflicts on tasks.
+
+#### Scenario: Concurrent update detected
+- **WHEN** user A and user B both load task at version 1
+- **WHEN** user A saves changes, incrementing version to 2
+- **WHEN** user B attempts to save with version 1
+- **THEN** system returns 409 Conflict error
+- **AND** response includes a human-readable message instructing refresh and retry
+- **AND** response includes the current and provided version numbers
+
+#### Scenario: Sequential updates succeed
+- **WHEN** user loads task at version N
+- **WHEN** user saves changes with correct version N
+- **THEN** system accepts update and increments version to N+1

openspec/changes/update-api-consistency/specs/user-auth/spec.md

@@ -0,0 +1,18 @@
+## MODIFIED Requirements
+### Requirement: Secure WebSocket Authentication
+The system SHALL authenticate WebSocket connections without exposing tokens in URL query parameters.
+
+#### Scenario: WebSocket connection with token in first message
+- **WHEN** client connects to WebSocket endpoint without a query token
+- **THEN** server waits for authentication message containing JWT token
+- **THEN** server validates token before accepting further messages
+- **THEN** server sends an authentication acknowledgment message
+
+#### Scenario: WebSocket connection with invalid token
+- **WHEN** client sends an invalid or expired token
+- **THEN** server sends an error message indicating invalid or expired token
+- **THEN** server closes the connection with an authentication error code
+
+#### Scenario: WebSocket connection timeout without authentication
+- **WHEN** client connects but does not send authentication within 10 seconds
+- **THEN** server closes the connection with appropriate error code