## 1. Implementation
- [x] 1.1 Update WebSocket auth spec and align server handshake/error messaging with the agreed behavior
- [x] 1.2 Update optimistic locking conflict response spec and implement standardized payload
- [x] 1.3 Update workload heatmap defaults (hide_empty, week window) and cache behavior
- [x] 1.4 Update frontend workload views and API handling if required by new defaults
- [x] 1.5 Add/adjust tests for WebSocket auth, conflict responses, and workload heatmap defaults

---

## Implementation Summary

### Changes Made (commit f5f870d)

1. **WebSocket Auth** (`backend/app/api/websocket/router.py`)
   - Standardized error codes: 4001 (invalid token), 4003 (access denied), 4004 (not found)
   - Clear error reasons in WebSocket close messages

2. **Optimistic Locking** (`backend/app/api/tasks/router.py`)
   - 409 Conflict response with standardized payload:
     - `error: "conflict"`
     - `message`, `current_version`, `provided_version`, `your_version`

3. **Workload Heatmap** (`backend/app/api/workload/router.py`, `workload_service.py`)
   - `hide_empty=True` as default
   - Caching only when `hide_empty=True`
   - Week bounds handle Sunday correctly (returns previous Monday)

4. **Frontend** (already aligned)
   - `workload.ts`: `hideEmpty: boolean = true` default
   - TaskDetailModal, GanttChart, CalendarView: Handle 409 conflict with conflict banner UI

5. **Tests** (`backend/tests/test_workload.py`)
   - Week bounds tests including Sunday handling
   - Load level calculation tests