feat: implement 8 OpenSpec proposals for security, reliability, and UX improvements

## Security Enhancements (P0)
- Add input validation with max_length and numeric range constraints
- Implement WebSocket token authentication via first message
- Add path traversal prevention in file storage service

## Permission Enhancements (P0)
- Add project member management for cross-department access
- Implement is_department_manager flag for workload visibility

## Cycle Detection (P0)
- Add DFS-based cycle detection for task dependencies
- Add formula field circular reference detection
- Display user-friendly cycle path visualization

## Concurrency & Reliability (P1)
- Implement optimistic locking with version field (409 Conflict on mismatch)
- Add trigger retry mechanism with exponential backoff (1s, 2s, 4s)
- Implement cascade restore for soft-deleted tasks

## Rate Limiting (P1)
- Add tiered rate limits: standard (60/min), sensitive (20/min), heavy (5/min)
- Apply rate limits to tasks, reports, attachments, and comments

## Frontend Improvements (P1)
- Add responsive sidebar with hamburger menu for mobile
- Improve touch-friendly UI with proper tap target sizes
- Complete i18n translations for all components

## Backend Reliability (P2)
- Configure database connection pool (size=10, overflow=20)
- Add Redis fallback mechanism with message queue
- Add blocker check before task deletion

## API Enhancements (P3)
- Add standardized response wrapper utility
- Add /health/ready and /health/live endpoints
- Implement project templates with status/field copying

## Tests Added
- test_input_validation.py - Schema and path traversal tests
- test_concurrency_reliability.py - Optimistic locking and retry tests
- test_backend_reliability.py - Connection pool and Redis tests
- test_api_enhancements.py - Health check and template tests

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

backend/app/api/reports/router.py

@@ -1,8 +1,10 @@
-from fastapi import APIRouter, Depends, HTTPException, status, Query
+from fastapi import APIRouter, Depends, HTTPException, status, Query, Request
 from sqlalchemy.orm import Session
 from typing import Optional
 
 from app.core.database import get_db
+from app.core.rate_limiter import limiter
+from app.core.config import settings
 from app.models import User, ReportHistory, ScheduledReport
 from app.schemas.report import (
     WeeklyReportContent, ReportHistoryListResponse, ReportHistoryItem,
@@ -35,12 +37,16 @@ async def preview_weekly_report(
 
 
 @router.post("/api/reports/weekly/generate", response_model=GenerateReportResponse)
+@limiter.limit(settings.RATE_LIMIT_HEAVY)
 async def generate_weekly_report(
+    request: Request,
     db: Session = Depends(get_db),
     current_user: User = Depends(get_current_user),
 ):
     """
     Manually trigger weekly report generation for the current user.
+
+    Rate limited: 5 requests per minute (heavy tier).
     """
     # Generate report
     report_history = ReportService.generate_weekly_report(db, current_user.id)
@@ -112,13 +118,17 @@ async def list_report_history(
 
 
 @router.get("/api/reports/history/{report_id}")
+@limiter.limit(settings.RATE_LIMIT_SENSITIVE)
 async def get_report_detail(
+    request: Request,
     report_id: str,
     db: Session = Depends(get_db),
     current_user: User = Depends(get_current_user),
 ):
     """
     Get detailed content of a specific report.
+
+    Rate limited: 20 requests per minute (sensitive tier).
     """
     report = db.query(ReportHistory).filter(ReportHistory.id == report_id).first()