feat: complete issue fixes and implement remaining features

## Critical Issues (CRIT-001~003) - All Fixed
- JWT secret key validation with pydantic field_validator
- Login audit logging for success/failure attempts
- Frontend API path prefix removal

## High Priority Issues (HIGH-001~008) - All Fixed
- Project soft delete using is_active flag
- Redis session token bytes handling
- Rate limiting with slowapi (5 req/min for login)
- Attachment API permission checks
- Kanban view with drag-and-drop
- Workload heatmap UI (WorkloadPage, WorkloadHeatmap)
- TaskDetailModal integrating Comments/Attachments
- UserSelect component for task assignment

## Medium Priority Issues (MED-001~012) - All Fixed
- MED-001~005: DB commits, N+1 queries, datetime, error format, blocker flag
- MED-006: Project health dashboard (HealthService, ProjectHealthPage)
- MED-007: Capacity update API (PUT /api/users/{id}/capacity)
- MED-008: Schedule triggers (cron parsing, deadline reminders)
- MED-009: Watermark feature (image/PDF watermarking)
- MED-010~012: useEffect deps, DOM operations, PDF export

## New Files
- backend/app/api/health/ - Project health API
- backend/app/services/health_service.py
- backend/app/services/trigger_scheduler.py
- backend/app/services/watermark_service.py
- backend/app/core/rate_limiter.py
- frontend/src/pages/ProjectHealthPage.tsx
- frontend/src/components/ProjectHealthCard.tsx
- frontend/src/components/KanbanBoard.tsx
- frontend/src/components/WorkloadHeatmap.tsx

## Tests
- 113 new tests passing (health: 32, users: 14, triggers: 35, watermark: 32)

## OpenSpec Archives
- add-project-health-dashboard
- add-capacity-update-api
- add-schedule-triggers
- add-watermark-feature
- add-rate-limiting
- enhance-frontend-ux
- add-resource-management-ui

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

openspec/changes/archive/2026-01-04-add-capacity-update-api/proposal.md

@@ -0,0 +1,15 @@
+# Change: Add Capacity Update API
+
+## Why
+MED-007: The `Capacity Planning` requirement exists but there is no API to update user capacity. The original design had `PUT /api/users/{id}/capacity` but it was replaced with `GET /api/workload/me`. Managers cannot adjust team members' weekly capacity.
+
+## What Changes
+- Add `PUT /api/users/{user_id}/capacity` endpoint
+- Add capacity validation logic
+- Record capacity changes in audit trail
+
+## Impact
+- Affected specs: resource-management
+- Affected code:
+  - `backend/app/api/users/router.py` (modify)
+  - `backend/app/schemas/user.py` (modify)

openspec/changes/archive/2026-01-04-add-capacity-update-api/specs/resource-management/spec.md

@@ -0,0 +1,29 @@
+## MODIFIED Requirements
+
+### Requirement: Capacity Planning
+
+系統 SHALL 支援人員容量規劃，包含預設容量與臨時調整。
+
+#### Scenario: 設定人員預設容量
+- **GIVEN** 管理者需要設定人員的週工時上限
+- **WHEN** 管理者更新使用者的 `capacity` 值
+- **THEN** 系統儲存新的容量設定
+- **AND** 後續負載計算使用新容量值
+
+#### Scenario: 容量為零處理
+- **GIVEN** 使用者的容量設為 0
+- **WHEN** 系統計算該使用者的負載
+- **THEN** `load_percentage` 顯示為 `null`
+- **AND** `load_level` 顯示為 `unavailable`
+
+#### Scenario: 容量更新 API
+- **GIVEN** 管理者需要更新團隊成員的容量
+- **WHEN** 管理者呼叫 `PUT /api/users/{user_id}/capacity` 並提供新容量值
+- **THEN** 系統驗證容量值在有效範圍內 (0-168 小時)
+- **AND** 更新使用者的 capacity 欄位
+- **AND** 記錄變更至稽核日誌
+
+#### Scenario: 容量更新權限控制
+- **GIVEN** 一般使用者嘗試更新他人容量
+- **WHEN** 使用者呼叫 `PUT /api/users/{other_id}/capacity`
+- **THEN** 系統拒絕請求並回傳 403 Forbidden

openspec/changes/archive/2026-01-04-add-capacity-update-api/tasks.md

@@ -0,0 +1,24 @@
+# Tasks: add-capacity-update-api
+
+## Phase 1: Backend - Schema & Validation
+
+- [x] 1.1 Add CapacityUpdate schema to `backend/app/schemas/user.py`
+- [x] 1.2 Add capacity validation (must be >= 0, <= 168 hours/week)
+
+## Phase 2: Backend - API Endpoint
+
+- [x] 2.1 Implement `PUT /api/users/{user_id}/capacity` endpoint
+- [x] 2.2 Add permission check (only admin/manager can update others)
+- [x] 2.3 Record capacity change in audit trail
+- [x] 2.4 Invalidate workload cache after capacity update
+
+## Phase 3: Backend - Testing
+
+- [x] 3.1 Unit tests for capacity update endpoint
+- [x] 3.2 Permission tests (admin vs regular user)
+
+## Validation Criteria
+
+- Only authorized users can update capacity
+- Capacity changes are audit logged
+- Workload calculations reflect new capacity immediately