Backend:
- Add rate limiting to login (5 attempts / 5 min window)
- Add secure flag to session cookies with helper function
- Add PIN min-length validation via Pydantic field_validator
- Fix naive datetime usage in todos.py (datetime.now() not UTC)
- Disable SQLAlchemy echo in production
- Remove auto-commit from get_db to prevent double commits
- Add lower bound filter to upcoming events query
- Add SECRET_KEY default warning on startup
- Remove create_all from lifespan (Alembic handles migrations)
Frontend:
- Fix ReminderForm remind_at slice for datetime-local input
- Add window.confirm() dialogs on all destructive actions
- Redirect authenticated users away from login screen
- Replace error: any with getErrorMessage helper in LockScreen
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Chain second-level selectinload(ProjectTask.subtasks) on task create, update,
and list endpoints. Pydantic's recursive ProjectTaskResponse schema accesses
.subtasks on each subtask, which triggers lazy loading without eager load.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Backend:
- Add self-referencing parent_task_id FK on project_tasks with CASCADE delete
- Add Alembic migration 002 for parent_task_id column + index
- Update schemas with parent_task_id in create, nested subtasks in response
- Chain selectinload for subtasks on all project queries
- Validate parent must be top-level task (single nesting level only)
Frontend:
- Add parent_task_id and subtasks[] to ProjectTask type
- ProjectDetail: expand/collapse chevrons, subtask progress bars, inline
subtask rendering with accent left border, add/edit/delete subtask buttons
- TaskForm: accept parentTaskId prop, include in create payload, context-aware
dialog title (New Task vs New Subtask)
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Sonner's toaster container has z-index: 999999999 with no pointer-events: none,
creating an invisible overlay that intercepts clicks. Set pointer-events: none on
the container and pointer-events: auto on individual toasts so buttons underneath
remain clickable while toasts stay interactive.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Add logout button to sidebar with destructive hover styling
- Fix case-sensitive todo category filter with .toLowerCase()
- Widen dialog popups from max-w-lg to max-w-xl with mobile margin
- Update CLAUDE.md with commit-and-push instruction
- Update progress.md: all CRUD tests verified, all outstanding items resolved
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
