feat: implement task management module

Backend (FastAPI):
- Database migration for spaces, projects, task_statuses, tasks tables
- SQLAlchemy models with relationships
- Pydantic schemas for CRUD operations
- Spaces API: CRUD with soft delete
- Projects API: CRUD with auto-created default statuses
- Tasks API: CRUD, status change, assign, subtask support
- Permission middleware with Security Level filtering
- Subtask depth limit (max 2 levels)

Frontend (React + Vite):
- Layout component with navigation
- Spaces list page
- Projects list page
- Tasks list page with status management

Fixes:
- auth_client.py: use 'username' field for external API
- config.py: extend JWT expiry to 7 days
- auth/router.py: sync Redis session with JWT expiry

Tests: 36 passed (unit + integration)
E2E: All APIs verified with real authentication

OpenSpec: add-task-management archived

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

backend/app/middleware/auth.py

@@ -167,3 +167,107 @@ def check_department_access(
         return True
 
     return False
+
+
+def check_space_access(user: User, space) -> bool:
+    """
+    Check if user has access to a space.
+
+    Currently all active users can see all spaces.
+    Owner has edit/delete permissions.
+    """
+    # System admin has full access
+    if user.is_system_admin:
+        return True
+
+    # All active users can view spaces
+    return True
+
+
+def check_space_edit_access(user: User, space) -> bool:
+    """
+    Check if user can edit/delete a space.
+    """
+    # System admin has full access
+    if user.is_system_admin:
+        return True
+
+    # Only owner can edit
+    return space.owner_id == user.id
+
+
+def check_project_access(user: User, project) -> bool:
+    """
+    Check if user has access to a project based on security level.
+
+    Security Levels:
+    - public: All logged-in users
+    - department: Same department users + project owner
+    - confidential: Only project owner (+ system admin)
+    """
+    # System admin bypasses all restrictions
+    if user.is_system_admin:
+        return True
+
+    # Project owner always has access
+    if project.owner_id == user.id:
+        return True
+
+    # Check by security level
+    security_level = project.security_level
+
+    if security_level == "public":
+        return True
+
+    elif security_level == "department":
+        # Same department has access
+        if project.department_id and user.department_id == project.department_id:
+            return True
+        return False
+
+    else:  # confidential
+        # Only owner has access (already checked above)
+        return False
+
+
+def check_project_edit_access(user: User, project) -> bool:
+    """
+    Check if user can edit/delete a project.
+    """
+    # System admin has full access
+    if user.is_system_admin:
+        return True
+
+    # Only owner can edit
+    return project.owner_id == user.id
+
+
+def check_task_access(user: User, task, project) -> bool:
+    """
+    Check if user has access to a task.
+    Task access is based on project access.
+    """
+    return check_project_access(user, project)
+
+
+def check_task_edit_access(user: User, task, project) -> bool:
+    """
+    Check if user can edit a task.
+    """
+    # System admin has full access
+    if user.is_system_admin:
+        return True
+
+    # Project owner can edit all tasks
+    if project.owner_id == user.id:
+        return True
+
+    # Task creator can edit their own tasks
+    if task.created_by == user.id:
+        return True
+
+    # Assignee can edit their assigned tasks
+    if task.assignee_id == user.id:
+        return True
+
+    return False