feat: implement 8 OpenSpec proposals for security, reliability, and UX improvements

## Security Enhancements (P0)
- Add input validation with max_length and numeric range constraints
- Implement WebSocket token authentication via first message
- Add path traversal prevention in file storage service

## Permission Enhancements (P0)
- Add project member management for cross-department access
- Implement is_department_manager flag for workload visibility

## Cycle Detection (P0)
- Add DFS-based cycle detection for task dependencies
- Add formula field circular reference detection
- Display user-friendly cycle path visualization

## Concurrency & Reliability (P1)
- Implement optimistic locking with version field (409 Conflict on mismatch)
- Add trigger retry mechanism with exponential backoff (1s, 2s, 4s)
- Implement cascade restore for soft-deleted tasks

## Rate Limiting (P1)
- Add tiered rate limits: standard (60/min), sensitive (20/min), heavy (5/min)
- Apply rate limits to tasks, reports, attachments, and comments

## Frontend Improvements (P1)
- Add responsive sidebar with hamburger menu for mobile
- Improve touch-friendly UI with proper tap target sizes
- Complete i18n translations for all components

## Backend Reliability (P2)
- Configure database connection pool (size=10, overflow=20)
- Add Redis fallback mechanism with message queue
- Add blocker check before task deletion

## API Enhancements (P3)
- Add standardized response wrapper utility
- Add /health/ready and /health/live endpoints
- Implement project templates with status/field copying

## Tests Added
- test_input_validation.py - Schema and path traversal tests
- test_concurrency_reliability.py - Optimistic locking and retry tests
- test_backend_reliability.py - Connection pool and Redis tests
- test_api_enhancements.py - Health check and template tests

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

openspec/changes/archive/2026-01-10-add-input-validation-security/specs/user-auth/spec.md

@@ -0,0 +1,37 @@
+## ADDED Requirements
+
+### Requirement: Input Length Validation
+The system SHALL enforce maximum length limits on all user-provided string inputs to prevent DoS attacks and database overflow.
+
+#### Scenario: Task title exceeds maximum length
+- **WHEN** user submits a task with title longer than 500 characters
+- **THEN** system returns 422 Validation Error with descriptive message
+
+#### Scenario: Description field within limits
+- **WHEN** user submits content with description under 10000 characters
+- **THEN** system accepts the input and processes normally
+
+### Requirement: Secure WebSocket Authentication
+The system SHALL authenticate WebSocket connections without exposing tokens in URL query parameters.
+
+#### Scenario: WebSocket connection with token in first message
+- **WHEN** client connects to WebSocket endpoint
+- **THEN** server waits for authentication message containing JWT token
+- **THEN** server validates token before accepting further messages
+
+#### Scenario: WebSocket connection timeout without authentication
+- **WHEN** client connects but does not send authentication within 10 seconds
+- **THEN** server closes the connection with appropriate error code
+
+### Requirement: Path Traversal Protection
+The system SHALL prevent file path traversal attacks by validating all file paths resolve within the designated storage directory.
+
+#### Scenario: Path traversal attempt detected
+- **WHEN** request contains file path with "../" or absolute path outside storage
+- **THEN** system rejects request and logs security warning
+- **THEN** system returns 403 Forbidden error
+
+#### Scenario: Valid file path within storage
+- **WHEN** request contains valid relative file path
+- **THEN** system resolves path and verifies it is within storage directory
+- **THEN** system processes file operation normally