feat: implement 8 OpenSpec proposals for security, reliability, and UX improvements

## Security Enhancements (P0)
- Add input validation with max_length and numeric range constraints
- Implement WebSocket token authentication via first message
- Add path traversal prevention in file storage service

## Permission Enhancements (P0)
- Add project member management for cross-department access
- Implement is_department_manager flag for workload visibility

## Cycle Detection (P0)
- Add DFS-based cycle detection for task dependencies
- Add formula field circular reference detection
- Display user-friendly cycle path visualization

## Concurrency & Reliability (P1)
- Implement optimistic locking with version field (409 Conflict on mismatch)
- Add trigger retry mechanism with exponential backoff (1s, 2s, 4s)
- Implement cascade restore for soft-deleted tasks

## Rate Limiting (P1)
- Add tiered rate limits: standard (60/min), sensitive (20/min), heavy (5/min)
- Apply rate limits to tasks, reports, attachments, and comments

## Frontend Improvements (P1)
- Add responsive sidebar with hamburger menu for mobile
- Improve touch-friendly UI with proper tap target sizes
- Complete i18n translations for all components

## Backend Reliability (P2)
- Configure database connection pool (size=10, overflow=20)
- Add Redis fallback mechanism with message queue
- Add blocker check before task deletion

## API Enhancements (P3)
- Add standardized response wrapper utility
- Add /health/ready and /health/live endpoints
- Implement project templates with status/field copying

## Tests Added
- test_input_validation.py - Schema and path traversal tests
- test_concurrency_reliability.py - Optimistic locking and retry tests
- test_backend_reliability.py - Connection pool and Redis tests
- test_api_enhancements.py - Health check and template tests

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

openspec/changes/archive/2026-01-10-add-input-validation-security/proposal.md

@@ -0,0 +1,17 @@
+# Change: Add Input Validation and Security Enhancements
+
+## Why
+Current API endpoints lack comprehensive input validation, exposing the system to potential DoS attacks, database overflow errors, and security vulnerabilities. Additionally, WebSocket authentication tokens are exposed in query parameters which may be logged.
+
+## What Changes
+- Add length validation to all Pydantic schema string fields
+- Add numeric range validation for decimal/integer fields
+- Enhance WebSocket token handling to avoid query parameter exposure
+- Strengthen file path traversal protection in file storage service
+
+## Impact
+- Affected specs: user-auth
+- Affected code:
+  - `backend/app/schemas/*.py` - All schema files
+  - `backend/app/api/websocket/router.py` - WebSocket authentication
+  - `backend/app/services/file_storage_service.py` - Path validation

openspec/changes/archive/2026-01-10-add-input-validation-security/specs/user-auth/spec.md

@@ -0,0 +1,37 @@
+## ADDED Requirements
+
+### Requirement: Input Length Validation
+The system SHALL enforce maximum length limits on all user-provided string inputs to prevent DoS attacks and database overflow.
+
+#### Scenario: Task title exceeds maximum length
+- **WHEN** user submits a task with title longer than 500 characters
+- **THEN** system returns 422 Validation Error with descriptive message
+
+#### Scenario: Description field within limits
+- **WHEN** user submits content with description under 10000 characters
+- **THEN** system accepts the input and processes normally
+
+### Requirement: Secure WebSocket Authentication
+The system SHALL authenticate WebSocket connections without exposing tokens in URL query parameters.
+
+#### Scenario: WebSocket connection with token in first message
+- **WHEN** client connects to WebSocket endpoint
+- **THEN** server waits for authentication message containing JWT token
+- **THEN** server validates token before accepting further messages
+
+#### Scenario: WebSocket connection timeout without authentication
+- **WHEN** client connects but does not send authentication within 10 seconds
+- **THEN** server closes the connection with appropriate error code
+
+### Requirement: Path Traversal Protection
+The system SHALL prevent file path traversal attacks by validating all file paths resolve within the designated storage directory.
+
+#### Scenario: Path traversal attempt detected
+- **WHEN** request contains file path with "../" or absolute path outside storage
+- **THEN** system rejects request and logs security warning
+- **THEN** system returns 403 Forbidden error
+
+#### Scenario: Valid file path within storage
+- **WHEN** request contains valid relative file path
+- **THEN** system resolves path and verifies it is within storage directory
+- **THEN** system processes file operation normally

openspec/changes/archive/2026-01-10-add-input-validation-security/tasks.md

@@ -0,0 +1,24 @@
+# Tasks: Add Input Validation and Security Enhancements
+
+## 1. Schema Input Validation
+- [x] 1.1 Add max_length validation to TaskBase schema (title: 500, description: 10000)
+- [x] 1.2 Add max_length validation to ProjectBase schema
+- [x] 1.3 Add max_length validation to SpaceBase schema
+- [x] 1.4 Add max_length validation to CommentBase schema
+- [x] 1.5 Add max_length validation to all other schema string fields
+- [x] 1.6 Add numeric range validation (ge=0, le=max_value) for decimal fields
+
+## 2. WebSocket Token Security
+- [x] 2.1 Implement WebSocket authentication via first message instead of query parameter
+- [x] 2.2 Update frontend WebSocket connection to send token in first message
+- [x] 2.3 Add server log filtering to mask sensitive query parameters as fallback (N/A - token no longer in query params)
+
+## 3. File Path Security
+- [x] 3.1 Add explicit path traversal validation in file_storage_service.py
+- [x] 3.2 Ensure resolved path is within base directory
+- [x] 3.3 Add logging for path traversal attempts
+
+## 4. Testing
+- [x] 4.1 Add unit tests for input validation edge cases
+- [x] 4.2 Add security tests for path traversal attempts
+- [x] 4.3 Test WebSocket authentication flow