Initial commit for Hugging Face Space deployment

.gitignore

@@ -0,0 +1,33 @@
+# Dependencies
+node_modules/
+**/node_modules/
+
+# Build outputs
+build/
+dist/
+**/build/
+
+# Environment files
+.env
+**/.env
+!**/.env.example
+
+# PostgreSQL data
+postgres_data/
+
+# Logs
+*.log
+npm-debug.log*
+
+# OS artifacts
+.DS_Store
+Thumbs.db
+
+# IDE
+.vscode/
+.idea/
+*.swp
+*.swo
+
+# Docker volumes
+postgres_data/

DEPLOY.md

@@ -0,0 +1,246 @@
+# Deploying Taskflow to Hugging Face Spaces
+
+This folder contains everything needed to run the full Taskflow app on
+Hugging Face Spaces for free — no local Docker, no paid server.
+
+When you push these files to a HF Space, HF automatically:
+1. Builds the Docker image
+2. Initialises PostgreSQL
+3. Runs migrations and seeds demo data
+4. Starts nginx, the Node API, and the database
+5. Serves your app at `https://your-username-taskflow.hf.space`
+
+---
+
+## What runs inside the container
+
+```
+Port 7860 (public)
+    └── Nginx
+         ├── /api/*  →  Node.js Express (port 5000, internal)
+         └── /*      →  React SPA (static files)
+
+PostgreSQL (port 5432, internal only)
+```
+
+All three services are managed by supervisord so they restart
+automatically if they crash.
+
+---
+
+## Step-by-step deployment
+
+### Step 1 — Create a Hugging Face account
+
+Go to https://huggingface.co and sign up (free).
+
+---
+
+### Step 2 — Create a new Space
+
+1. Click your profile picture → **New Space**
+2. Fill in the form:
+   - **Space name**: `taskflow` (or any name you like)
+   - **License**: MIT
+   - **SDK**: Select **Docker**  ← this is the important one
+   - **Docker template**: Blank
+   - **Hardware**: CPU Basic (free)
+   - **Visibility**: Public or Private
+3. Click **Create Space**
+
+HF will create an empty git repository for your space.
+
+---
+
+### Step 3 — Get the repository URL
+
+After creating the space, you'll see a page with a Git URL like:
+
+```
+https://huggingface.co/spaces/YOUR_USERNAME/taskflow
+```
+
+The git remote URL will be:
+
+```
+https://huggingface.co/YOUR_USERNAME/taskflow
+```
+
+---
+
+### Step 4 — Copy these files into the space repository
+
+You have two options:
+
+#### Option A — Upload via the HF web UI (easiest, no git needed)
+
+1. Open your Space on huggingface.co
+2. Click **Files** tab
+3. Click **+ Add file → Upload files**
+4. Upload all files from this `huggingface/` folder:
+   - `Dockerfile`
+   - `hf.nginx.conf`
+   - `supervisord.conf`
+   - `start.sh`
+   - `README.md`
+5. Also upload the entire `backend/` folder
+6. Also upload the entire `frontend/` folder (without `node_modules`)
+7. Commit the changes
+
+The folder structure in your Space should look like:
+
+```
+your-space/
+├── README.md          ← the one from this folder (has the --- header block)
+├── Dockerfile
+├── hf.nginx.conf
+├── supervisord.conf
+├── start.sh
+├── backend/
+│   ├── package.json
+│   ├── src/
+│   └── ...
+└── frontend/
+    ├── package.json
+    ├── public/
+    ├── src/
+    └── ...
+```
+
+#### Option B — Use Git (if you have Git installed)
+
+```bash
+# Clone your HF space repository
+git clone https://huggingface.co/spaces/YOUR_USERNAME/taskflow
+cd taskflow
+
+# Copy everything from the huggingface/ folder to the root
+cp path/to/taskflow/huggingface/Dockerfile .
+cp path/to/taskflow/huggingface/hf.nginx.conf .
+cp path/to/taskflow/huggingface/supervisord.conf .
+cp path/to/taskflow/huggingface/start.sh .
+cp path/to/taskflow/huggingface/README.md .
+
+# Copy backend and frontend
+cp -r path/to/taskflow/backend ./backend
+cp -r path/to/taskflow/frontend ./frontend
+
+# Remove node_modules if they exist
+rm -rf backend/node_modules frontend/node_modules frontend/build
+
+# Push
+git add .
+git commit -m "Initial deployment"
+git push
+```
+
+---
+
+### Step 5 — Watch the build
+
+After pushing, go to your Space URL and click the **Logs** tab.
+
+You'll see:
+```
+▶ Initialising PostgreSQL data directory...
+▶ Starting PostgreSQL for setup...
+  PostgreSQL is ready.
+▶ Setting up database...
+▶ Running migrations...
+▶ Seeding demo data...
+▶ Starting all services via supervisord...
+```
+
+The build typically takes **3–6 minutes** the first time (npm install + React build).
+After that, rebuilds are faster because HF caches Docker layers.
+
+---
+
+### Step 6 — Open the app
+
+Once the build finishes, click **App** in your Space.
+
+Your app will be live at:
+```
+https://YOUR_USERNAME-taskflow.hf.space
+```
+
+Log in with any demo account:
+
+| Email | Password | Role |
+|---|---|---|
+| alice@acme.com | Password123! | Admin |
+| bob@acme.com | Password123! | Member |
+| carol@globex.com | Password123! | Admin |
+
+---
+
+## Important notes about HF Spaces
+
+### Data persistence
+
+HF Spaces on the **free tier use ephemeral storage** — if the space restarts
+or is rebuilt, the PostgreSQL data is wiped and the seed data is re-applied.
+
+This is fine for demo and internship purposes. For permanent data, you would
+connect to an external PostgreSQL service (Neon, Supabase, Railway, etc.)
+by setting environment variables in the Space settings.
+
+### Environment variables / secrets
+
+You can override any environment variable from the Space settings:
+
+1. Go to your Space → **Settings** → **Variables and Secrets**
+2. Add secrets (they won't appear in logs):
+   - `JWT_SECRET` → set a strong random value for any real use
+   - `DB_PASSWORD` → only needed if using external Postgres
+   - `DB_HOST`, `DB_NAME`, `DB_USER` → for external Postgres
+
+### Waking up from sleep
+
+Free HF Spaces pause after ~30 minutes of inactivity.
+The first request after sleeping takes ~30 seconds to wake up.
+This is normal for the free tier.
+
+### Port
+
+HF Spaces only allows port **7860** to be public. The Dockerfile
+and nginx config are already set up correctly for this.
+
+---
+
+## Connecting to an external PostgreSQL (optional)
+
+For data that survives restarts, use a free external Postgres:
+
+**Neon** (recommended, free tier): https://neon.tech
+1. Create a free project
+2. Copy the connection string
+3. In your HF Space settings → Secrets, add:
+   - `DB_HOST` = your-neon-host.neon.tech
+   - `DB_PORT` = 5432
+   - `DB_NAME` = neondb
+   - `DB_USER` = your-neon-user
+   - `DB_PASSWORD` = your-neon-password
+
+Then update `start.sh` to skip the local postgres setup when `DB_HOST`
+is not `127.0.0.1`.
+
+---
+
+## Troubleshooting
+
+| Problem | Fix |
+|---|---|
+| Build fails with "permission denied" | Check start.sh has Unix line endings (LF not CRLF) |
+| App loads but API returns 502 | Backend didn't start — check Logs for Node.js errors |
+| White screen | React build failed — check Logs for npm build errors |
+| "Cannot connect to database" | PostgreSQL init failed — check Logs for postgres errors |
+| Space shows "Building" for >10 min | Click **Factory rebuild** in Space settings |
+
+If you edited files on Windows, run this to fix line endings before uploading:
+
+```bash
+# PowerShell
+(Get-Content start.sh -Raw).Replace("`r`n","`n") | Set-Content start.sh -NoNewline
+```

Dockerfile

@@ -0,0 +1,93 @@
+# ─────────────────────────────────────────────────────────────────
+# Taskflow — All-in-one Dockerfile for Hugging Face Spaces
+#
+# HF Spaces rules this file must satisfy:
+#   - Expose exactly port 7860
+#   - Run as non-root user (we use "user" uid 1000)
+#   - Single container (no docker-compose)
+#
+# Architecture inside this container:
+#   PostgreSQL 16  →  internal port 5432
+#   Node/Express   →  internal port 5000
+#   Nginx          →  port 7860  (serves React SPA + proxies /api to Express)
+#
+# Process manager: supervisord keeps all three services alive.
+# ─────────────────────────────────────────────────────────────────
+
+FROM ubuntu:22.04
+
+ENV DEBIAN_FRONTEND=noninteractive
+ENV NODE_ENV=production
+ENV PORT=5000
+ENV DB_HOST=127.0.0.1
+ENV DB_PORT=5432
+ENV DB_NAME=taskflow
+ENV DB_USER=taskflow_user
+ENV DB_PASSWORD=taskflow_hf_secret
+ENV JWT_SECRET=taskflow_huggingface_jwt_secret_change_for_production_use
+ENV JWT_EXPIRES_IN=7d
+ENV FRONTEND_URL=http://localhost:7860
+
+# ── System packages ────────────────────────────────────────────────
+RUN apt-get update && apt-get install -y \
+    curl wget gnupg2 lsb-release ca-certificates \
+    nginx supervisor \
+    postgresql-14 postgresql-client-14 \
+    && rm -rf /var/lib/apt/lists/*
+
+# ── Node.js 20 ─────────────────────────────────────────────────────
+RUN curl -fsSL https://deb.nodesource.com/setup_20.x | bash - \
+    && apt-get install -y nodejs \
+    && rm -rf /var/lib/apt/lists/*
+
+# ── Working directories ────────────────────────────────────────────
+WORKDIR /app
+RUN mkdir -p /app/backend /app/frontend /var/log/supervisor \
+             /run/postgresql /var/lib/postgresql/data
+
+# ── Backend ────────────────────────────────────────────────────────
+COPY backend/package*.json /app/backend/
+RUN cd /app/backend && npm ci --only=production
+
+COPY backend/ /app/backend/
+
+# ── Frontend — build React app ─────────────────────────────────────
+COPY frontend/package*.json /app/frontend/
+RUN cd /app/frontend && npm ci
+
+COPY frontend/ /app/frontend/
+# Point the API at the same origin so nginx can proxy it
+RUN echo "REACT_APP_API_URL=/api" > /app/frontend/.env.production
+RUN cd /app/frontend && npm run build
+
+# ── Nginx config ───────────────────────────────────────────────────
+RUN rm -f /etc/nginx/sites-enabled/default
+COPY hf.nginx.conf /etc/nginx/sites-enabled/taskflow.conf
+
+# ── Supervisord config ─────────────────────────────────────────────
+COPY supervisord.conf /etc/supervisor/conf.d/taskflow.conf
+
+# ── Startup script ─────────────────────────────────────────────────
+COPY start.sh /app/start.sh
+RUN chmod +x /app/start.sh
+
+# ── HF Spaces: must run as non-root with uid 1000 ──────────────────
+RUN useradd -m -u 1000 hfuser \
+    && chown -R hfuser:hfuser /app \
+    && chown -R hfuser:hfuser /var/log/nginx \
+    && chown -R hfuser:hfuser /var/lib/nginx \
+    && chown -R hfuser:hfuser /run \
+    && chown -R postgres:postgres /var/lib/postgresql \
+    && chown -R postgres:postgres /run/postgresql \
+    && chmod 777 /var/log/supervisor \
+    && chmod 777 /tmp
+
+# Nginx needs to write to these as non-root
+RUN chown -R hfuser:hfuser /var/log/nginx /var/lib/nginx /run/nginx* 2>/dev/null || true \
+    && touch /run/nginx.pid && chown hfuser:hfuser /run/nginx.pid 2>/dev/null || true
+
+USER hfuser
+
+EXPOSE 7860
+
+CMD ["/app/start.sh"]

README.md

@@ -0,0 +1,24 @@
+---
+title: Taskflow
+emoji: ✅
+colorFrom: yellow
+colorTo: green
+sdk: docker
+pinned: false
+license: mit
+short_description: Multi-tenant task management with RBAC and Kanban board
+---
+
+# Taskflow — Multi-Tenant Task Management
+
+A full-stack task management platform. Multiple organizations, role-based access, Kanban board, task comments, and audit logs.
+
+**Demo accounts (password: `Password123!`)**
+
+| Email | Role | Org |
+|---|---|---|
+| alice@acme.com | Admin | Acme Corp |
+| bob@acme.com | Member | Acme Corp |
+| carol@globex.com | Admin | Globex Inc |
+
+Built with React · Node.js · PostgreSQL · JWT auth.

backend/.env.example

@@ -0,0 +1,21 @@
+PORT=5000
+NODE_ENV=development
+
+# PostgreSQL
+DB_HOST=postgres
+DB_PORT=5432
+DB_NAME=taskflow
+DB_USER=taskflow_user
+DB_PASSWORD=taskflow_secret
+
+# JWT
+JWT_SECRET=your_super_secret_jwt_key_change_in_production_min_32_chars
+JWT_EXPIRES_IN=7d
+
+# Optional: OAuth (Google)
+GOOGLE_CLIENT_ID=
+GOOGLE_CLIENT_SECRET=
+GOOGLE_CALLBACK_URL=http://localhost:5000/api/auth/google/callback
+
+# Frontend URL for CORS
+FRONTEND_URL=http://localhost:3000

backend/Dockerfile

@@ -0,0 +1,15 @@
+FROM node:20-alpine
+
+WORKDIR /app
+
+# Install dependencies first (layer caching)
+COPY package*.json ./
+RUN npm ci --only=production
+
+# Copy source
+COPY . .
+
+EXPOSE 5000
+
+# Run migrations then start server
+CMD ["sh", "-c", "node src/utils/migrate.js && node src/server.js"]

backend/package-lock.json

@@ -0,0 +1,1573 @@
+{
+  "name": "taskflow-backend",
+  "version": "1.0.0",
+  "lockfileVersion": 3,
+  "requires": true,
+  "packages": {
+    "": {
+      "name": "taskflow-backend",
+      "version": "1.0.0",
+      "dependencies": {
+        "bcryptjs": "^2.4.3",
+        "cors": "^2.8.5",
+        "dotenv": "^16.3.1",
+        "express": "^4.18.2",
+        "express-rate-limit": "^7.1.5",
+        "express-validator": "^7.0.1",
+        "helmet": "^7.1.0",
+        "jsonwebtoken": "^9.0.2",
+        "pg": "^8.11.3",
+        "uuid": "^9.0.0"
+      },
+      "devDependencies": {
+        "nodemon": "^3.0.2"
+      }
+    },
+    "node_modules/accepts": {
+      "version": "1.3.8",
+      "resolved": "https://registry.npmjs.org/accepts/-/accepts-1.3.8.tgz",
+      "integrity": "sha512-PYAthTa2m2VKxuvSD3DPC/Gy+U+sOA1LAuT8mkmRuvw+NACSaeXEQ+NHcVF7rONl6qcaxV3Uuemwawk+7+SJLw==",
+      "license": "MIT",
+      "dependencies": {
+        "mime-types": "~2.1.34",
+        "negotiator": "0.6.3"
+      },
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/anymatch": {
+      "version": "3.1.3",
+      "resolved": "https://registry.npmjs.org/anymatch/-/anymatch-3.1.3.tgz",
+      "integrity": "sha512-KMReFUr0B4t+D+OBkjR3KYqvocp2XaSzO55UcB6mgQMd3KbcE+mWTyvVV7D/zsdEbNnV6acZUutkiHQXvTr1Rw==",
+      "dev": true,
+      "license": "ISC",
+      "dependencies": {
+        "normalize-path": "^3.0.0",
+        "picomatch": "^2.0.4"
+      },
+      "engines": {
+        "node": ">= 8"
+      }
+    },
+    "node_modules/array-flatten": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/array-flatten/-/array-flatten-1.1.1.tgz",
+      "integrity": "sha512-PCVAQswWemu6UdxsDFFX/+gVeYqKAod3D3UVm91jHwynguOwAvYPhx8nNlM++NqRcK6CxxpUafjmhIdKiHibqg==",
+      "license": "MIT"
+    },
+    "node_modules/balanced-match": {
+      "version": "4.0.4",
+      "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-4.0.4.tgz",
+      "integrity": "sha512-BLrgEcRTwX2o6gGxGOCNyMvGSp35YofuYzw9h1IMTRmKqttAZZVU67bdb9Pr2vUHA8+j3i2tJfjO6C6+4myGTA==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": "18 || 20 || >=22"
+      }
+    },
+    "node_modules/bcryptjs": {
+      "version": "2.4.3",
+      "resolved": "https://registry.npmjs.org/bcryptjs/-/bcryptjs-2.4.3.tgz",
+      "integrity": "sha512-V/Hy/X9Vt7f3BbPJEi8BdVFMByHi+jNXrYkW3huaybV/kQ0KJg0Y6PkEMbn+zeT+i+SiKZ/HMqJGIIt4LZDqNQ==",
+      "license": "MIT"
+    },
+    "node_modules/binary-extensions": {
+      "version": "2.3.0",
+      "resolved": "https://registry.npmjs.org/binary-extensions/-/binary-extensions-2.3.0.tgz",
+      "integrity": "sha512-Ceh+7ox5qe7LJuLHoY0feh3pHuUDHAcRUeyL2VYghZwfpkNIy/+8Ocg0a3UuSoYzavmylwuLWQOf3hl0jjMMIw==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=8"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/body-parser": {
+      "version": "1.20.4",
+      "resolved": "https://registry.npmjs.org/body-parser/-/body-parser-1.20.4.tgz",
+      "integrity": "sha512-ZTgYYLMOXY9qKU/57FAo8F+HA2dGX7bqGc71txDRC1rS4frdFI5R7NhluHxH6M0YItAP0sHB4uqAOcYKxO6uGA==",
+      "license": "MIT",
+      "dependencies": {
+        "bytes": "~3.1.2",
+        "content-type": "~1.0.5",
+        "debug": "2.6.9",
+        "depd": "2.0.0",
+        "destroy": "~1.2.0",
+        "http-errors": "~2.0.1",
+        "iconv-lite": "~0.4.24",
+        "on-finished": "~2.4.1",
+        "qs": "~6.14.0",
+        "raw-body": "~2.5.3",
+        "type-is": "~1.6.18",
+        "unpipe": "~1.0.0"
+      },
+      "engines": {
+        "node": ">= 0.8",
+        "npm": "1.2.8000 || >= 1.4.16"
+      }
+    },
+    "node_modules/brace-expansion": {
+      "version": "5.0.5",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.5.tgz",
+      "integrity": "sha512-VZznLgtwhn+Mact9tfiwx64fA9erHH/MCXEUfB/0bX/6Fz6ny5EGTXYltMocqg4xFAQZtnO3DHWWXi8RiuN7cQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "balanced-match": "^4.0.2"
+      },
+      "engines": {
+        "node": "18 || 20 || >=22"
+      }
+    },
+    "node_modules/braces": {
+      "version": "3.0.3",
+      "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.3.tgz",
+      "integrity": "sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "fill-range": "^7.1.1"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/buffer-equal-constant-time": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/buffer-equal-constant-time/-/buffer-equal-constant-time-1.0.1.tgz",
+      "integrity": "sha512-zRpUiDwd/xk6ADqPMATG8vc9VPrkck7T07OIx0gnjmJAnHnTVXNQG3vfvWNuiZIkwu9KrKdA1iJKfsfTVxE6NA==",
+      "license": "BSD-3-Clause"
+    },
+    "node_modules/bytes": {
+      "version": "3.1.2",
+      "resolved": "https://registry.npmjs.org/bytes/-/bytes-3.1.2.tgz",
+      "integrity": "sha512-/Nf7TyzTx6S3yRJObOAV7956r8cr2+Oj8AC5dt8wSP3BQAoeX58NoHyCU8P8zGkNXStjTSi6fzO6F0pBdcYbEg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/call-bind-apply-helpers": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/call-bind-apply-helpers/-/call-bind-apply-helpers-1.0.2.tgz",
+      "integrity": "sha512-Sp1ablJ0ivDkSzjcaJdxEunN5/XvksFJ2sMBFfq6x0ryhQV/2b/KwFe21cMpmHtPOSij8K99/wSfoEuTObmuMQ==",
+      "license": "MIT",
+      "dependencies": {
+        "es-errors": "^1.3.0",
+        "function-bind": "^1.1.2"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/call-bound": {
+      "version": "1.0.4",
+      "resolved": "https://registry.npmjs.org/call-bound/-/call-bound-1.0.4.tgz",
+      "integrity": "sha512-+ys997U96po4Kx/ABpBCqhA9EuxJaQWDQg7295H4hBphv3IZg0boBKuwYpt4YXp6MZ5AmZQnU/tyMTlRpaSejg==",
+      "license": "MIT",
+      "dependencies": {
+        "call-bind-apply-helpers": "^1.0.2",
+        "get-intrinsic": "^1.3.0"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/chokidar": {
+      "version": "3.6.0",
+      "resolved": "https://registry.npmjs.org/chokidar/-/chokidar-3.6.0.tgz",
+      "integrity": "sha512-7VT13fmjotKpGipCW9JEQAusEPE+Ei8nl6/g4FBAmIm0GOOLMua9NDDo/DWp0ZAxCr3cPq5ZpBqmPAQgDda2Pw==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "anymatch": "~3.1.2",
+        "braces": "~3.0.2",
+        "glob-parent": "~5.1.2",
+        "is-binary-path": "~2.1.0",
+        "is-glob": "~4.0.1",
+        "normalize-path": "~3.0.0",
+        "readdirp": "~3.6.0"
+      },
+      "engines": {
+        "node": ">= 8.10.0"
+      },
+      "funding": {
+        "url": "https://paulmillr.com/funding/"
+      },
+      "optionalDependencies": {
+        "fsevents": "~2.3.2"
+      }
+    },
+    "node_modules/content-disposition": {
+      "version": "0.5.4",
+      "resolved": "https://registry.npmjs.org/content-disposition/-/content-disposition-0.5.4.tgz",
+      "integrity": "sha512-FveZTNuGw04cxlAiWbzi6zTAL/lhehaWbTtgluJh4/E95DqMwTmha3KZN1aAWA8cFIhHzMZUvLevkw5Rqk+tSQ==",
+      "license": "MIT",
+      "dependencies": {
+        "safe-buffer": "5.2.1"
+      },
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/content-type": {
+      "version": "1.0.5",
+      "resolved": "https://registry.npmjs.org/content-type/-/content-type-1.0.5.tgz",
+      "integrity": "sha512-nTjqfcBFEipKdXCv4YDQWCfmcLZKm81ldF0pAopTvyrFGVbcR6P/VAAd5G7N+0tTr8QqiU0tFadD6FK4NtJwOA==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/cookie": {
+      "version": "0.7.2",
+      "resolved": "https://registry.npmjs.org/cookie/-/cookie-0.7.2.tgz",
+      "integrity": "sha512-yki5XnKuf750l50uGTllt6kKILY4nQ1eNIQatoXEByZ5dWgnKqbnqmTrBE5B4N7lrMJKQ2ytWMiTO2o0v6Ew/w==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/cookie-signature": {
+      "version": "1.0.7",
+      "resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.7.tgz",
+      "integrity": "sha512-NXdYc3dLr47pBkpUCHtKSwIOQXLVn8dZEuywboCOJY/osA0wFSLlSawr3KN8qXJEyX66FcONTH8EIlVuK0yyFA==",
+      "license": "MIT"
+    },
+    "node_modules/cors": {
+      "version": "2.8.6",
+      "resolved": "https://registry.npmjs.org/cors/-/cors-2.8.6.tgz",
+      "integrity": "sha512-tJtZBBHA6vjIAaF6EnIaq6laBBP9aq/Y3ouVJjEfoHbRBcHBAHYcMh/w8LDrk2PvIMMq8gmopa5D4V8RmbrxGw==",
+      "license": "MIT",
+      "dependencies": {
+        "object-assign": "^4",
+        "vary": "^1"
+      },
+      "engines": {
+        "node": ">= 0.10"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/express"
+      }
+    },
+    "node_modules/debug": {
+      "version": "2.6.9",
+      "resolved": "https://registry.npmjs.org/debug/-/debug-2.6.9.tgz",
+      "integrity": "sha512-bC7ElrdJaJnPbAP+1EotYvqZsb3ecl5wi6Bfi6BJTUcNowp6cvspg0jXznRTKDjm/E7AdgFBVeAPVMNcKGsHMA==",
+      "license": "MIT",
+      "dependencies": {
+        "ms": "2.0.0"
+      }
+    },
+    "node_modules/depd": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/depd/-/depd-2.0.0.tgz",
+      "integrity": "sha512-g7nH6P6dyDioJogAAGprGpCtVImJhpPk/roCzdb3fIh61/s/nPsfR6onyMwkCAR/OlC3yBC0lESvUoQEAssIrw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/destroy": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/destroy/-/destroy-1.2.0.tgz",
+      "integrity": "sha512-2sJGJTaXIIaR1w4iJSNoN0hnMY7Gpc/n8D4qSCJw8QqFWXf7cuAgnEHxBpweaVcPevC2l3KpjYCx3NypQQgaJg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.8",
+        "npm": "1.2.8000 || >= 1.4.16"
+      }
+    },
+    "node_modules/dotenv": {
+      "version": "16.6.1",
+      "resolved": "https://registry.npmjs.org/dotenv/-/dotenv-16.6.1.tgz",
+      "integrity": "sha512-uBq4egWHTcTt33a72vpSG0z3HnPuIl6NqYcTrKEg2azoEyl2hpW0zqlxysq2pK9HlDIHyHyakeYaYnSAwd8bow==",
+      "license": "BSD-2-Clause",
+      "engines": {
+        "node": ">=12"
+      },
+      "funding": {
+        "url": "https://dotenvx.com"
+      }
+    },
+    "node_modules/dunder-proto": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/dunder-proto/-/dunder-proto-1.0.1.tgz",
+      "integrity": "sha512-KIN/nDJBQRcXw0MLVhZE9iQHmG68qAVIBg9CqmUYjmQIhgij9U5MFvrqkUL5FbtyyzZuOeOt0zdeRe4UY7ct+A==",
+      "license": "MIT",
+      "dependencies": {
+        "call-bind-apply-helpers": "^1.0.1",
+        "es-errors": "^1.3.0",
+        "gopd": "^1.2.0"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/ecdsa-sig-formatter": {
+      "version": "1.0.11",
+      "resolved": "https://registry.npmjs.org/ecdsa-sig-formatter/-/ecdsa-sig-formatter-1.0.11.tgz",
+      "integrity": "sha512-nagl3RYrbNv6kQkeJIpt6NJZy8twLB/2vtz6yN9Z4vRKHN4/QZJIEbqohALSgwKdnksuY3k5Addp5lg8sVoVcQ==",
+      "license": "Apache-2.0",
+      "dependencies": {
+        "safe-buffer": "^5.0.1"
+      }
+    },
+    "node_modules/ee-first": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/ee-first/-/ee-first-1.1.1.tgz",
+      "integrity": "sha512-WMwm9LhRUo+WUaRN+vRuETqG89IgZphVSNkdFgeb6sS/E4OrDIN7t48CAewSHXc6C8lefD8KKfr5vY61brQlow==",
+      "license": "MIT"
+    },
+    "node_modules/encodeurl": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/encodeurl/-/encodeurl-2.0.0.tgz",
+      "integrity": "sha512-Q0n9HRi4m6JuGIV1eFlmvJB7ZEVxu93IrMyiMsGC0lrMJMWzRgx6WGquyfQgZVb31vhGgXnfmPNNXmxnOkRBrg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/es-define-property": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/es-define-property/-/es-define-property-1.0.1.tgz",
+      "integrity": "sha512-e3nRfgfUZ4rNGL232gUgX06QNyyez04KdjFrF+LTRoOXmrOgFKDg4BCdsjW8EnT69eqdYGmRpJwiPVYNrCaW3g==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/es-errors": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/es-errors/-/es-errors-1.3.0.tgz",
+      "integrity": "sha512-Zf5H2Kxt2xjTvbJvP2ZWLEICxA6j+hAmMzIlypy4xcBg1vKVnx89Wy0GbS+kf5cwCVFFzdCFh2XSCFNULS6csw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/es-object-atoms": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/es-object-atoms/-/es-object-atoms-1.1.1.tgz",
+      "integrity": "sha512-FGgH2h8zKNim9ljj7dankFPcICIK9Cp5bm+c2gQSYePhpaG5+esrLODihIorn+Pe6FGJzWhXQotPv73jTaldXA==",
+      "license": "MIT",
+      "dependencies": {
+        "es-errors": "^1.3.0"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/escape-html": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/escape-html/-/escape-html-1.0.3.tgz",
+      "integrity": "sha512-NiSupZ4OeuGwr68lGIeym/ksIZMJodUGOSCZ/FSnTxcrekbvqrgdUxlJOMpijaKZVjAJrWrGs/6Jy8OMuyj9ow==",
+      "license": "MIT"
+    },
+    "node_modules/etag": {
+      "version": "1.8.1",
+      "resolved": "https://registry.npmjs.org/etag/-/etag-1.8.1.tgz",
+      "integrity": "sha512-aIL5Fx7mawVa300al2BnEE4iNvo1qETxLrPI/o05L7z6go7fCw1J6EQmbK4FmJ2AS7kgVF/KEZWufBfdClMcPg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/express": {
+      "version": "4.22.1",
+      "resolved": "https://registry.npmjs.org/express/-/express-4.22.1.tgz",
+      "integrity": "sha512-F2X8g9P1X7uCPZMA3MVf9wcTqlyNp7IhH5qPCI0izhaOIYXaW9L535tGA3qmjRzpH+bZczqq7hVKxTR4NWnu+g==",
+      "license": "MIT",
+      "dependencies": {
+        "accepts": "~1.3.8",
+        "array-flatten": "1.1.1",
+        "body-parser": "~1.20.3",
+        "content-disposition": "~0.5.4",
+        "content-type": "~1.0.4",
+        "cookie": "~0.7.1",
+        "cookie-signature": "~1.0.6",
+        "debug": "2.6.9",
+        "depd": "2.0.0",
+        "encodeurl": "~2.0.0",
+        "escape-html": "~1.0.3",
+        "etag": "~1.8.1",
+        "finalhandler": "~1.3.1",
+        "fresh": "~0.5.2",
+        "http-errors": "~2.0.0",
+        "merge-descriptors": "1.0.3",
+        "methods": "~1.1.2",
+        "on-finished": "~2.4.1",
+        "parseurl": "~1.3.3",
+        "path-to-regexp": "~0.1.12",
+        "proxy-addr": "~2.0.7",
+        "qs": "~6.14.0",
+        "range-parser": "~1.2.1",
+        "safe-buffer": "5.2.1",
+        "send": "~0.19.0",
+        "serve-static": "~1.16.2",
+        "setprototypeof": "1.2.0",
+        "statuses": "~2.0.1",
+        "type-is": "~1.6.18",
+        "utils-merge": "1.0.1",
+        "vary": "~1.1.2"
+      },
+      "engines": {
+        "node": ">= 0.10.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/express"
+      }
+    },
+    "node_modules/express-rate-limit": {
+      "version": "7.5.1",
+      "resolved": "https://registry.npmjs.org/express-rate-limit/-/express-rate-limit-7.5.1.tgz",
+      "integrity": "sha512-7iN8iPMDzOMHPUYllBEsQdWVB6fPDMPqwjBaFrgr4Jgr/+okjvzAy+UHlYYL/Vs0OsOrMkwS6PJDkFlJwoxUnw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 16"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/express-rate-limit"
+      },
+      "peerDependencies": {
+        "express": ">= 4.11"
+      }
+    },
+    "node_modules/express-validator": {
+      "version": "7.3.2",
+      "resolved": "https://registry.npmjs.org/express-validator/-/express-validator-7.3.2.tgz",
+      "integrity": "sha512-ctLw1Vl6dXVH62dIQMDdTAQkrh480mkFuG6/SGXOaVlwPNukhRAe7EgJIMJ2TSAni8iwHBRp530zAZE5ZPF2IA==",
+      "license": "MIT",
+      "dependencies": {
+        "lodash": "^4.18.1",
+        "validator": "~13.15.23"
+      },
+      "engines": {
+        "node": ">= 8.0.0"
+      }
+    },
+    "node_modules/fill-range": {
+      "version": "7.1.1",
+      "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.1.1.tgz",
+      "integrity": "sha512-YsGpe3WHLK8ZYi4tWDg2Jy3ebRz2rXowDxnld4bkQB00cc/1Zw9AWnC0i9ztDJitivtQvaI9KaLyKrc+hBW0yg==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "to-regex-range": "^5.0.1"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/finalhandler": {
+      "version": "1.3.2",
+      "resolved": "https://registry.npmjs.org/finalhandler/-/finalhandler-1.3.2.tgz",
+      "integrity": "sha512-aA4RyPcd3badbdABGDuTXCMTtOneUCAYH/gxoYRTZlIJdF0YPWuGqiAsIrhNnnqdXGswYk6dGujem4w80UJFhg==",
+      "license": "MIT",
+      "dependencies": {
+        "debug": "2.6.9",
+        "encodeurl": "~2.0.0",
+        "escape-html": "~1.0.3",
+        "on-finished": "~2.4.1",
+        "parseurl": "~1.3.3",
+        "statuses": "~2.0.2",
+        "unpipe": "~1.0.0"
+      },
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/forwarded": {
+      "version": "0.2.0",
+      "resolved": "https://registry.npmjs.org/forwarded/-/forwarded-0.2.0.tgz",
+      "integrity": "sha512-buRG0fpBtRHSTCOASe6hD258tEubFoRLb4ZNA6NxMVHNw2gOcwHo9wyablzMzOA5z9xA9L1KNjk/Nt6MT9aYow==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/fresh": {
+      "version": "0.5.2",
+      "resolved": "https://registry.npmjs.org/fresh/-/fresh-0.5.2.tgz",
+      "integrity": "sha512-zJ2mQYM18rEFOudeV4GShTGIQ7RbzA7ozbU9I/XBpm7kqgMywgmylMwXHxZJmkVoYkna9d2pVXVXPdYTP9ej8Q==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/fsevents": {
+      "version": "2.3.3",
+      "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.3.tgz",
+      "integrity": "sha512-5xoDfX+fL7faATnagmWPpbFtwh/R77WmMMqqHGS65C3vvB0YHrgF+B1YmZ3441tMj5n63k0212XNoJwzlhffQw==",
+      "dev": true,
+      "hasInstallScript": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": "^8.16.0 || ^10.6.0 || >=11.0.0"
+      }
+    },
+    "node_modules/function-bind": {
+      "version": "1.1.2",
+      "resolved": "https://registry.npmjs.org/function-bind/-/function-bind-1.1.2.tgz",
+      "integrity": "sha512-7XHNxH7qX9xG5mIwxkhumTox/MIRNcOgDrxWsMt2pAr23WHp6MrRlN7FBSFpCpr+oVO0F744iUgR82nJMfG2SA==",
+      "license": "MIT",
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/get-intrinsic": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/get-intrinsic/-/get-intrinsic-1.3.0.tgz",
+      "integrity": "sha512-9fSjSaos/fRIVIp+xSJlE6lfwhES7LNtKaCBIamHsjr2na1BiABJPo0mOjjz8GJDURarmCPGqaiVg5mfjb98CQ==",
+      "license": "MIT",
+      "dependencies": {
+        "call-bind-apply-helpers": "^1.0.2",
+        "es-define-property": "^1.0.1",
+        "es-errors": "^1.3.0",
+        "es-object-atoms": "^1.1.1",
+        "function-bind": "^1.1.2",
+        "get-proto": "^1.0.1",
+        "gopd": "^1.2.0",
+        "has-symbols": "^1.1.0",
+        "hasown": "^2.0.2",
+        "math-intrinsics": "^1.1.0"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/get-proto": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/get-proto/-/get-proto-1.0.1.tgz",
+      "integrity": "sha512-sTSfBjoXBp89JvIKIefqw7U2CCebsc74kiY6awiGogKtoSGbgjYE/G/+l9sF3MWFPNc9IcoOC4ODfKHfxFmp0g==",
+      "license": "MIT",
+      "dependencies": {
+        "dunder-proto": "^1.0.1",
+        "es-object-atoms": "^1.0.0"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/glob-parent": {
+      "version": "5.1.2",
+      "resolved": "https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.2.tgz",
+      "integrity": "sha512-AOIgSQCepiJYwP3ARnGx+5VnTu2HBYdzbGP45eLw1vr3zB3vZLeyed1sC9hnbcOc9/SrMyM5RPQrkGz4aS9Zow==",
+      "dev": true,
+      "license": "ISC",
+      "dependencies": {
+        "is-glob": "^4.0.1"
+      },
+      "engines": {
+        "node": ">= 6"
+      }
+    },
+    "node_modules/gopd": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/gopd/-/gopd-1.2.0.tgz",
+      "integrity": "sha512-ZUKRh6/kUFoAiTAtTYPZJ3hw9wNxx+BIBOijnlG9PnrJsCcSjs1wyyD6vJpaYtgnzDrKYRSqf3OO6Rfa93xsRg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/has-flag": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/has-flag/-/has-flag-3.0.0.tgz",
+      "integrity": "sha512-sKJf1+ceQBr4SMkvQnBDNDtf4TXpVhVGateu0t918bl30FnbE2m4vNLX+VWe/dpjlb+HugGYzW7uQXH98HPEYw==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=4"
+      }
+    },
+    "node_modules/has-symbols": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/has-symbols/-/has-symbols-1.1.0.tgz",
+      "integrity": "sha512-1cDNdwJ2Jaohmb3sg4OmKaMBwuC48sYni5HUw2DvsC8LjGTLK9h+eb1X6RyuOHe4hT0ULCW68iomhjUoKUqlPQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/hasown": {
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/hasown/-/hasown-2.0.2.tgz",
+      "integrity": "sha512-0hJU9SCPvmMzIBdZFqNPXWa6dqh7WdH0cII9y+CyS8rG3nL48Bclra9HmKhVVUHyPWNH5Y7xDwAB7bfgSjkUMQ==",
+      "license": "MIT",
+      "dependencies": {
+        "function-bind": "^1.1.2"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/helmet": {
+      "version": "7.2.0",
+      "resolved": "https://registry.npmjs.org/helmet/-/helmet-7.2.0.tgz",
+      "integrity": "sha512-ZRiwvN089JfMXokizgqEPXsl2Guk094yExfoDXR0cBYWxtBbaSww/w+vT4WEJsBW2iTUi1GgZ6swmoug3Oy4Xw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=16.0.0"
+      }
+    },
+    "node_modules/http-errors": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/http-errors/-/http-errors-2.0.1.tgz",
+      "integrity": "sha512-4FbRdAX+bSdmo4AUFuS0WNiPz8NgFt+r8ThgNWmlrjQjt1Q7ZR9+zTlce2859x4KSXrwIsaeTqDoKQmtP8pLmQ==",
+      "license": "MIT",
+      "dependencies": {
+        "depd": "~2.0.0",
+        "inherits": "~2.0.4",
+        "setprototypeof": "~1.2.0",
+        "statuses": "~2.0.2",
+        "toidentifier": "~1.0.1"
+      },
+      "engines": {
+        "node": ">= 0.8"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/express"
+      }
+    },
+    "node_modules/iconv-lite": {
+      "version": "0.4.24",
+      "resolved": "https://registry.npmjs.org/iconv-lite/-/iconv-lite-0.4.24.tgz",
+      "integrity": "sha512-v3MXnZAcvnywkTUEZomIActle7RXXeedOR31wwl7VlyoXO4Qi9arvSenNQWne1TcRwhCL1HwLI21bEqdpj8/rA==",
+      "license": "MIT",
+      "dependencies": {
+        "safer-buffer": ">= 2.1.2 < 3"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/ignore-by-default": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/ignore-by-default/-/ignore-by-default-1.0.1.tgz",
+      "integrity": "sha512-Ius2VYcGNk7T90CppJqcIkS5ooHUZyIQK+ClZfMfMNFEF9VSE73Fq+906u/CWu92x4gzZMWOwfFYckPObzdEbA==",
+      "dev": true,
+      "license": "ISC"
+    },
+    "node_modules/inherits": {
+      "version": "2.0.4",
+      "resolved": "https://registry.npmjs.org/inherits/-/inherits-2.0.4.tgz",
+      "integrity": "sha512-k/vGaX4/Yla3WzyMCvTQOXYeIHvqOKtnqBduzTHpzpQZzAskKMhZ2K+EnBiSM9zGSoIFeMpXKxa4dYeZIQqewQ==",
+      "license": "ISC"
+    },
+    "node_modules/ipaddr.js": {
+      "version": "1.9.1",
+      "resolved": "https://registry.npmjs.org/ipaddr.js/-/ipaddr.js-1.9.1.tgz",
+      "integrity": "sha512-0KI/607xoxSToH7GjN1FfSbLoU0+btTicjsQSWQlh/hZykN8KpmMf7uYwPW3R+akZ6R/w18ZlXSHBYXiYUPO3g==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.10"
+      }
+    },
+    "node_modules/is-binary-path": {
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/is-binary-path/-/is-binary-path-2.1.0.tgz",
+      "integrity": "sha512-ZMERYes6pDydyuGidse7OsHxtbI7WVeUEozgR/g7rd0xUimYNlvZRE/K2MgZTjWy725IfelLeVcEM97mmtRGXw==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "binary-extensions": "^2.0.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/is-extglob": {
+      "version": "2.1.1",
+      "resolved": "https://registry.npmjs.org/is-extglob/-/is-extglob-2.1.1.tgz",
+      "integrity": "sha512-SbKbANkN603Vi4jEZv49LeVJMn4yGwsbzZworEoyEiutsN3nJYdbO36zfhGJ6QEDpOZIFkDtnq5JRxmvl3jsoQ==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/is-glob": {
+      "version": "4.0.3",
+      "resolved": "https://registry.npmjs.org/is-glob/-/is-glob-4.0.3.tgz",
+      "integrity": "sha512-xelSayHH36ZgE7ZWhli7pW34hNbNl8Ojv5KVmkJD4hBdD3th8Tfk9vYasLM+mXWOZhFkgZfxhLSnrwRr4elSSg==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "is-extglob": "^2.1.1"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/is-number": {
+      "version": "7.0.0",
+      "resolved": "https://registry.npmjs.org/is-number/-/is-number-7.0.0.tgz",
+      "integrity": "sha512-41Cifkg6e8TylSpdtTpeLVMqvSBEVzTttHvERD741+pnZ8ANv0004MRL43QKPDlK9cGvNp6NZWZUBlbGXYxxng==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.12.0"
+      }
+    },
+    "node_modules/jsonwebtoken": {
+      "version": "9.0.3",
+      "resolved": "https://registry.npmjs.org/jsonwebtoken/-/jsonwebtoken-9.0.3.tgz",
+      "integrity": "sha512-MT/xP0CrubFRNLNKvxJ2BYfy53Zkm++5bX9dtuPbqAeQpTVe0MQTFhao8+Cp//EmJp244xt6Drw/GVEGCUj40g==",
+      "license": "MIT",
+      "dependencies": {
+        "jws": "^4.0.1",
+        "lodash.includes": "^4.3.0",
+        "lodash.isboolean": "^3.0.3",
+        "lodash.isinteger": "^4.0.4",
+        "lodash.isnumber": "^3.0.3",
+        "lodash.isplainobject": "^4.0.6",
+        "lodash.isstring": "^4.0.1",
+        "lodash.once": "^4.0.0",
+        "ms": "^2.1.1",
+        "semver": "^7.5.4"
+      },
+      "engines": {
+        "node": ">=12",
+        "npm": ">=6"
+      }
+    },
+    "node_modules/jsonwebtoken/node_modules/ms": {
+      "version": "2.1.3",
+      "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz",
+      "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==",
+      "license": "MIT"
+    },
+    "node_modules/jwa": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/jwa/-/jwa-2.0.1.tgz",
+      "integrity": "sha512-hRF04fqJIP8Abbkq5NKGN0Bbr3JxlQ+qhZufXVr0DvujKy93ZCbXZMHDL4EOtodSbCWxOqR8MS1tXA5hwqCXDg==",
+      "license": "MIT",
+      "dependencies": {
+        "buffer-equal-constant-time": "^1.0.1",
+        "ecdsa-sig-formatter": "1.0.11",
+        "safe-buffer": "^5.0.1"
+      }
+    },
+    "node_modules/jws": {
+      "version": "4.0.1",
+      "resolved": "https://registry.npmjs.org/jws/-/jws-4.0.1.tgz",
+      "integrity": "sha512-EKI/M/yqPncGUUh44xz0PxSidXFr/+r0pA70+gIYhjv+et7yxM+s29Y+VGDkovRofQem0fs7Uvf4+YmAdyRduA==",
+      "license": "MIT",
+      "dependencies": {
+        "jwa": "^2.0.1",
+        "safe-buffer": "^5.0.1"
+      }
+    },
+    "node_modules/lodash": {
+      "version": "4.18.1",
+      "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.18.1.tgz",
+      "integrity": "sha512-dMInicTPVE8d1e5otfwmmjlxkZoUpiVLwyeTdUsi/Caj/gfzzblBcCE5sRHV/AsjuCmxWrte2TNGSYuCeCq+0Q==",
+      "license": "MIT"
+    },
+    "node_modules/lodash.includes": {
+      "version": "4.3.0",
+      "resolved": "https://registry.npmjs.org/lodash.includes/-/lodash.includes-4.3.0.tgz",
+      "integrity": "sha512-W3Bx6mdkRTGtlJISOvVD/lbqjTlPPUDTMnlXZFnVwi9NKJ6tiAk6LVdlhZMm17VZisqhKcgzpO5Wz91PCt5b0w==",
+      "license": "MIT"
+    },
+    "node_modules/lodash.isboolean": {
+      "version": "3.0.3",
+      "resolved": "https://registry.npmjs.org/lodash.isboolean/-/lodash.isboolean-3.0.3.tgz",
+      "integrity": "sha512-Bz5mupy2SVbPHURB98VAcw+aHh4vRV5IPNhILUCsOzRmsTmSQ17jIuqopAentWoehktxGd9e/hbIXq980/1QJg==",
+      "license": "MIT"
+    },
+    "node_modules/lodash.isinteger": {
+      "version": "4.0.4",
+      "resolved": "https://registry.npmjs.org/lodash.isinteger/-/lodash.isinteger-4.0.4.tgz",
+      "integrity": "sha512-DBwtEWN2caHQ9/imiNeEA5ys1JoRtRfY3d7V9wkqtbycnAmTvRRmbHKDV4a0EYc678/dia0jrte4tjYwVBaZUA==",
+      "license": "MIT"
+    },
+    "node_modules/lodash.isnumber": {
+      "version": "3.0.3",
+      "resolved": "https://registry.npmjs.org/lodash.isnumber/-/lodash.isnumber-3.0.3.tgz",
+      "integrity": "sha512-QYqzpfwO3/CWf3XP+Z+tkQsfaLL/EnUlXWVkIk5FUPc4sBdTehEqZONuyRt2P67PXAk+NXmTBcc97zw9t1FQrw==",
+      "license": "MIT"
+    },
+    "node_modules/lodash.isplainobject": {
+      "version": "4.0.6",
+      "resolved": "https://registry.npmjs.org/lodash.isplainobject/-/lodash.isplainobject-4.0.6.tgz",
+      "integrity": "sha512-oSXzaWypCMHkPC3NvBEaPHf0KsA5mvPrOPgQWDsbg8n7orZ290M0BmC/jgRZ4vcJ6DTAhjrsSYgdsW/F+MFOBA==",
+      "license": "MIT"
+    },
+    "node_modules/lodash.isstring": {
+      "version": "4.0.1",
+      "resolved": "https://registry.npmjs.org/lodash.isstring/-/lodash.isstring-4.0.1.tgz",
+      "integrity": "sha512-0wJxfxH1wgO3GrbuP+dTTk7op+6L41QCXbGINEmD+ny/G/eCqGzxyCsh7159S+mgDDcoarnBw6PC1PS5+wUGgw==",
+      "license": "MIT"
+    },
+    "node_modules/lodash.once": {
+      "version": "4.1.1",
+      "resolved": "https://registry.npmjs.org/lodash.once/-/lodash.once-4.1.1.tgz",
+      "integrity": "sha512-Sb487aTOCr9drQVL8pIxOzVhafOjZN9UU54hiN8PU3uAiSV7lx1yYNpbNmex2PK6dSJoNTSJUUswT651yww3Mg==",
+      "license": "MIT"
+    },
+    "node_modules/math-intrinsics": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/math-intrinsics/-/math-intrinsics-1.1.0.tgz",
+      "integrity": "sha512-/IXtbwEk5HTPyEwyKX6hGkYXxM9nbj64B+ilVJnC/R6B0pH5G4V3b0pVbL7DBj4tkhBAppbQUlf6F6Xl9LHu1g==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.4"
+      }
+    },
+    "node_modules/media-typer": {
+      "version": "0.3.0",
+      "resolved": "https://registry.npmjs.org/media-typer/-/media-typer-0.3.0.tgz",
+      "integrity": "sha512-dq+qelQ9akHpcOl/gUVRTxVIOkAJ1wR3QAvb4RsVjS8oVoFjDGTc679wJYmUmknUF5HwMLOgb5O+a3KxfWapPQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/merge-descriptors": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/merge-descriptors/-/merge-descriptors-1.0.3.tgz",
+      "integrity": "sha512-gaNvAS7TZ897/rVaZ0nMtAyxNyi/pdbjbAwUpFQpN70GqnVfOiXpeUUMKRBmzXaSQ8DdTX4/0ms62r2K+hE6mQ==",
+      "license": "MIT",
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
+    "node_modules/methods": {
+      "version": "1.1.2",
+      "resolved": "https://registry.npmjs.org/methods/-/methods-1.1.2.tgz",
+      "integrity": "sha512-iclAHeNqNm68zFtnZ0e+1L2yUIdvzNoauKU4WBA3VvH/vPFieF7qfRlwUZU+DA9P9bPXIS90ulxoUoCH23sV2w==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/mime": {
+      "version": "1.6.0",
+      "resolved": "https://registry.npmjs.org/mime/-/mime-1.6.0.tgz",
+      "integrity": "sha512-x0Vn8spI+wuJ1O6S7gnbaQg8Pxh4NNHb7KSINmEWKiPE4RKOplvijn+NkmYmmRgP68mc70j2EbeTFRsrswaQeg==",
+      "license": "MIT",
+      "bin": {
+        "mime": "cli.js"
+      },
+      "engines": {
+        "node": ">=4"
+      }
+    },
+    "node_modules/mime-db": {
+      "version": "1.52.0",
+      "resolved": "https://registry.npmjs.org/mime-db/-/mime-db-1.52.0.tgz",
+      "integrity": "sha512-sPU4uV7dYlvtWJxwwxHD0PuihVNiE7TyAbQ5SWxDCB9mUYvOgroQOwYQQOKPJ8CIbE+1ETVlOoK1UC2nU3gYvg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/mime-types": {
+      "version": "2.1.35",
+      "resolved": "https://registry.npmjs.org/mime-types/-/mime-types-2.1.35.tgz",
+      "integrity": "sha512-ZDY+bPm5zTTF+YpCrAU9nK0UgICYPT0QtT1NZWFv4s++TNkcgVaT0g6+4R2uI4MjQjzysHB1zxuWL50hzaeXiw==",
+      "license": "MIT",
+      "dependencies": {
+        "mime-db": "1.52.0"
+      },
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/minimatch": {
+      "version": "10.2.5",
+      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-10.2.5.tgz",
+      "integrity": "sha512-MULkVLfKGYDFYejP07QOurDLLQpcjk7Fw+7jXS2R2czRQzR56yHRveU5NDJEOviH+hETZKSkIk5c+T23GjFUMg==",
+      "dev": true,
+      "license": "BlueOak-1.0.0",
+      "dependencies": {
+        "brace-expansion": "^5.0.5"
+      },
+      "engines": {
+        "node": "18 || 20 || >=22"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/isaacs"
+      }
+    },
+    "node_modules/ms": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/ms/-/ms-2.0.0.tgz",
+      "integrity": "sha512-Tpp60P6IUJDTuOq/5Z8cdskzJujfwqfOTkrwIwj7IRISpnkJnT6SyJ4PCPnGMoFjC9ddhal5KVIYtAt97ix05A==",
+      "license": "MIT"
+    },
+    "node_modules/negotiator": {
+      "version": "0.6.3",
+      "resolved": "https://registry.npmjs.org/negotiator/-/negotiator-0.6.3.tgz",
+      "integrity": "sha512-+EUsqGPLsM+j/zdChZjsnX51g4XrHFOIXwfnCVPGlQk/k5giakcKsuxCObBRu6DSm9opw/O6slWbJdghQM4bBg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/nodemon": {
+      "version": "3.1.14",
+      "resolved": "https://registry.npmjs.org/nodemon/-/nodemon-3.1.14.tgz",
+      "integrity": "sha512-jakjZi93UtB3jHMWsXL68FXSAosbLfY0In5gtKq3niLSkrWznrVBzXFNOEMJUfc9+Ke7SHWoAZsiMkNP3vq6Jw==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "chokidar": "^3.5.2",
+        "debug": "^4",
+        "ignore-by-default": "^1.0.1",
+        "minimatch": "^10.2.1",
+        "pstree.remy": "^1.1.8",
+        "semver": "^7.5.3",
+        "simple-update-notifier": "^2.0.0",
+        "supports-color": "^5.5.0",
+        "touch": "^3.1.0",
+        "undefsafe": "^2.0.5"
+      },
+      "bin": {
+        "nodemon": "bin/nodemon.js"
+      },
+      "engines": {
+        "node": ">=10"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/nodemon"
+      }
+    },
+    "node_modules/nodemon/node_modules/debug": {
+      "version": "4.4.3",
+      "resolved": "https://registry.npmjs.org/debug/-/debug-4.4.3.tgz",
+      "integrity": "sha512-RGwwWnwQvkVfavKVt22FGLw+xYSdzARwm0ru6DhTVA3umU5hZc28V3kO4stgYryrTlLpuvgI9GiijltAjNbcqA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "ms": "^2.1.3"
+      },
+      "engines": {
+        "node": ">=6.0"
+      },
+      "peerDependenciesMeta": {
+        "supports-color": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/nodemon/node_modules/ms": {
+      "version": "2.1.3",
+      "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz",
+      "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/normalize-path": {
+      "version": "3.0.0",
+      "resolved": "https://registry.npmjs.org/normalize-path/-/normalize-path-3.0.0.tgz",
+      "integrity": "sha512-6eZs5Ls3WtCisHWp9S2GUy8dqkpGi4BVSz3GaqiE6ezub0512ESztXUwUB6C6IKbQkY2Pnb/mD4WYojCRwcwLA==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/object-assign": {
+      "version": "4.1.1",
+      "resolved": "https://registry.npmjs.org/object-assign/-/object-assign-4.1.1.tgz",
+      "integrity": "sha512-rJgTQnkUnH1sFw8yT6VSU3zD3sWmu6sZhIseY8VX+GRu3P6F7Fu+JNDoXfklElbLJSnc3FUQHVe4cU5hj+BcUg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/object-inspect": {
+      "version": "1.13.4",
+      "resolved": "https://registry.npmjs.org/object-inspect/-/object-inspect-1.13.4.tgz",
+      "integrity": "sha512-W67iLl4J2EXEGTbfeHCffrjDfitvLANg0UlX3wFUUSTx92KXRFegMHUVgSqE+wvhAbi4WqjGg9czysTV2Epbew==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/on-finished": {
+      "version": "2.4.1",
+      "resolved": "https://registry.npmjs.org/on-finished/-/on-finished-2.4.1.tgz",
+      "integrity": "sha512-oVlzkg3ENAhCk2zdv7IJwd/QUD4z2RxRwpkcGY8psCVcCYZNq4wYnVWALHM+brtuJjePWiYF/ClmuDr8Ch5+kg==",
+      "license": "MIT",
+      "dependencies": {
+        "ee-first": "1.1.1"
+      },
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/parseurl": {
+      "version": "1.3.3",
+      "resolved": "https://registry.npmjs.org/parseurl/-/parseurl-1.3.3.tgz",
+      "integrity": "sha512-CiyeOxFT/JZyN5m0z9PfXw4SCBJ6Sygz1Dpl0wqjlhDEGGBP1GnsUVEL0p63hoG1fcj3fHynXi9NYO4nWOL+qQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/path-to-regexp": {
+      "version": "0.1.13",
+      "resolved": "https://registry.npmjs.org/path-to-regexp/-/path-to-regexp-0.1.13.tgz",
+      "integrity": "sha512-A/AGNMFN3c8bOlvV9RreMdrv7jsmF9XIfDeCd87+I8RNg6s78BhJxMu69NEMHBSJFxKidViTEdruRwEk/WIKqA==",
+      "license": "MIT"
+    },
+    "node_modules/pg": {
+      "version": "8.20.0",
+      "resolved": "https://registry.npmjs.org/pg/-/pg-8.20.0.tgz",
+      "integrity": "sha512-ldhMxz2r8fl/6QkXnBD3CR9/xg694oT6DZQ2s6c/RI28OjtSOpxnPrUCGOBJ46RCUxcWdx3p6kw/xnDHjKvaRA==",
+      "license": "MIT",
+      "dependencies": {
+        "pg-connection-string": "^2.12.0",
+        "pg-pool": "^3.13.0",
+        "pg-protocol": "^1.13.0",
+        "pg-types": "2.2.0",
+        "pgpass": "1.0.5"
+      },
+      "engines": {
+        "node": ">= 16.0.0"
+      },
+      "optionalDependencies": {
+        "pg-cloudflare": "^1.3.0"
+      },
+      "peerDependencies": {
+        "pg-native": ">=3.0.1"
+      },
+      "peerDependenciesMeta": {
+        "pg-native": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/pg-cloudflare": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/pg-cloudflare/-/pg-cloudflare-1.3.0.tgz",
+      "integrity": "sha512-6lswVVSztmHiRtD6I8hw4qP/nDm1EJbKMRhf3HCYaqud7frGysPv7FYJ5noZQdhQtN2xJnimfMtvQq21pdbzyQ==",
+      "license": "MIT",
+      "optional": true
+    },
+    "node_modules/pg-connection-string": {
+      "version": "2.12.0",
+      "resolved": "https://registry.npmjs.org/pg-connection-string/-/pg-connection-string-2.12.0.tgz",
+      "integrity": "sha512-U7qg+bpswf3Cs5xLzRqbXbQl85ng0mfSV/J0nnA31MCLgvEaAo7CIhmeyrmJpOr7o+zm0rXK+hNnT5l9RHkCkQ==",
+      "license": "MIT"
+    },
+    "node_modules/pg-int8": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/pg-int8/-/pg-int8-1.0.1.tgz",
+      "integrity": "sha512-WCtabS6t3c8SkpDBUlb1kjOs7l66xsGdKpIPZsg4wR+B3+u9UAum2odSsF9tnvxg80h4ZxLWMy4pRjOsFIqQpw==",
+      "license": "ISC",
+      "engines": {
+        "node": ">=4.0.0"
+      }
+    },
+    "node_modules/pg-pool": {
+      "version": "3.13.0",
+      "resolved": "https://registry.npmjs.org/pg-pool/-/pg-pool-3.13.0.tgz",
+      "integrity": "sha512-gB+R+Xud1gLFuRD/QgOIgGOBE2KCQPaPwkzBBGC9oG69pHTkhQeIuejVIk3/cnDyX39av2AxomQiyPT13WKHQA==",
+      "license": "MIT",
+      "peerDependencies": {
+        "pg": ">=8.0"
+      }
+    },
+    "node_modules/pg-protocol": {
+      "version": "1.13.0",
+      "resolved": "https://registry.npmjs.org/pg-protocol/-/pg-protocol-1.13.0.tgz",
+      "integrity": "sha512-zzdvXfS6v89r6v7OcFCHfHlyG/wvry1ALxZo4LqgUoy7W9xhBDMaqOuMiF3qEV45VqsN6rdlcehHrfDtlCPc8w==",
+      "license": "MIT"
+    },
+    "node_modules/pg-types": {
+      "version": "2.2.0",
+      "resolved": "https://registry.npmjs.org/pg-types/-/pg-types-2.2.0.tgz",
+      "integrity": "sha512-qTAAlrEsl8s4OiEQY69wDvcMIdQN6wdz5ojQiOy6YRMuynxenON0O5oCpJI6lshc6scgAY8qvJ2On/p+CXY0GA==",
+      "license": "MIT",
+      "dependencies": {
+        "pg-int8": "1.0.1",
+        "postgres-array": "~2.0.0",
+        "postgres-bytea": "~1.0.0",
+        "postgres-date": "~1.0.4",
+        "postgres-interval": "^1.1.0"
+      },
+      "engines": {
+        "node": ">=4"
+      }
+    },
+    "node_modules/pgpass": {
+      "version": "1.0.5",
+      "resolved": "https://registry.npmjs.org/pgpass/-/pgpass-1.0.5.tgz",
+      "integrity": "sha512-FdW9r/jQZhSeohs1Z3sI1yxFQNFvMcnmfuj4WBMUTxOrAyLMaTcE1aAMBiTlbMNaXvBCQuVi0R7hd8udDSP7ug==",
+      "license": "MIT",
+      "dependencies": {
+        "split2": "^4.1.0"
+      }
+    },
+    "node_modules/picomatch": {
+      "version": "2.3.2",
+      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.2.tgz",
+      "integrity": "sha512-V7+vQEJ06Z+c5tSye8S+nHUfI51xoXIXjHQ99cQtKUkQqqO1kO/KCJUfZXuB47h/YBlDhah2H3hdUGXn8ie0oA==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=8.6"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/jonschlinkert"
+      }
+    },
+    "node_modules/postgres-array": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/postgres-array/-/postgres-array-2.0.0.tgz",
+      "integrity": "sha512-VpZrUqU5A69eQyW2c5CA1jtLecCsN2U/bD6VilrFDWq5+5UIEVO7nazS3TEcHf1zuPYO/sqGvUvW62g86RXZuA==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=4"
+      }
+    },
+    "node_modules/postgres-bytea": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/postgres-bytea/-/postgres-bytea-1.0.1.tgz",
+      "integrity": "sha512-5+5HqXnsZPE65IJZSMkZtURARZelel2oXUEO8rH83VS/hxH5vv1uHquPg5wZs8yMAfdv971IU+kcPUczi7NVBQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/postgres-date": {
+      "version": "1.0.7",
+      "resolved": "https://registry.npmjs.org/postgres-date/-/postgres-date-1.0.7.tgz",
+      "integrity": "sha512-suDmjLVQg78nMK2UZ454hAG+OAW+HQPZ6n++TNDUX+L0+uUlLywnoxJKDou51Zm+zTCjrCl0Nq6J9C5hP9vK/Q==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/postgres-interval": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/postgres-interval/-/postgres-interval-1.2.0.tgz",
+      "integrity": "sha512-9ZhXKM/rw350N1ovuWHbGxnGh/SNJ4cnxHiM0rxE4VN41wsg8P8zWn9hv/buK00RP4WvlOyr/RBDiptyxVbkZQ==",
+      "license": "MIT",
+      "dependencies": {
+        "xtend": "^4.0.0"
+      },
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
+    "node_modules/proxy-addr": {
+      "version": "2.0.7",
+      "resolved": "https://registry.npmjs.org/proxy-addr/-/proxy-addr-2.0.7.tgz",
+      "integrity": "sha512-llQsMLSUDUPT44jdrU/O37qlnifitDP+ZwrmmZcoSKyLKvtZxpyV0n2/bD/N4tBAAZ/gJEdZU7KMraoK1+XYAg==",
+      "license": "MIT",
+      "dependencies": {
+        "forwarded": "0.2.0",
+        "ipaddr.js": "1.9.1"
+      },
+      "engines": {
+        "node": ">= 0.10"
+      }
+    },
+    "node_modules/pstree.remy": {
+      "version": "1.1.8",
+      "resolved": "https://registry.npmjs.org/pstree.remy/-/pstree.remy-1.1.8.tgz",
+      "integrity": "sha512-77DZwxQmxKnu3aR542U+X8FypNzbfJ+C5XQDk3uWjWxn6151aIMGthWYRXTqT1E5oJvg+ljaa2OJi+VfvCOQ8w==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/qs": {
+      "version": "6.14.2",
+      "resolved": "https://registry.npmjs.org/qs/-/qs-6.14.2.tgz",
+      "integrity": "sha512-V/yCWTTF7VJ9hIh18Ugr2zhJMP01MY7c5kh4J870L7imm6/DIzBsNLTXzMwUA3yZ5b/KBqLx8Kp3uRvd7xSe3Q==",
+      "license": "BSD-3-Clause",
+      "dependencies": {
+        "side-channel": "^1.1.0"
+      },
+      "engines": {
+        "node": ">=0.6"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/range-parser": {
+      "version": "1.2.1",
+      "resolved": "https://registry.npmjs.org/range-parser/-/range-parser-1.2.1.tgz",
+      "integrity": "sha512-Hrgsx+orqoygnmhFbKaHE6c296J+HTAQXoxEF6gNupROmmGJRoyzfG3ccAveqCBrwr/2yxQ5BVd/GTl5agOwSg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/raw-body": {
+      "version": "2.5.3",
+      "resolved": "https://registry.npmjs.org/raw-body/-/raw-body-2.5.3.tgz",
+      "integrity": "sha512-s4VSOf6yN0rvbRZGxs8Om5CWj6seneMwK3oDb4lWDH0UPhWcxwOWw5+qk24bxq87szX1ydrwylIOp2uG1ojUpA==",
+      "license": "MIT",
+      "dependencies": {
+        "bytes": "~3.1.2",
+        "http-errors": "~2.0.1",
+        "iconv-lite": "~0.4.24",
+        "unpipe": "~1.0.0"
+      },
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/readdirp": {
+      "version": "3.6.0",
+      "resolved": "https://registry.npmjs.org/readdirp/-/readdirp-3.6.0.tgz",
+      "integrity": "sha512-hOS089on8RduqdbhvQ5Z37A0ESjsqz6qnRcffsMU3495FuTdqSm+7bhJ29JvIOsBDEEnan5DPu9t3To9VRlMzA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "picomatch": "^2.2.1"
+      },
+      "engines": {
+        "node": ">=8.10.0"
+      }
+    },
+    "node_modules/safe-buffer": {
+      "version": "5.2.1",
+      "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.2.1.tgz",
+      "integrity": "sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ==",
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/feross"
+        },
+        {
+          "type": "patreon",
+          "url": "https://www.patreon.com/feross"
+        },
+        {
+          "type": "consulting",
+          "url": "https://feross.org/support"
+        }
+      ],
+      "license": "MIT"
+    },
+    "node_modules/safer-buffer": {
+      "version": "2.1.2",
+      "resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz",
+      "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==",
+      "license": "MIT"
+    },
+    "node_modules/semver": {
+      "version": "7.7.4",
+      "resolved": "https://registry.npmjs.org/semver/-/semver-7.7.4.tgz",
+      "integrity": "sha512-vFKC2IEtQnVhpT78h1Yp8wzwrf8CM+MzKMHGJZfBtzhZNycRFnXsHk6E5TxIkkMsgNS7mdX3AGB7x2QM2di4lA==",
+      "license": "ISC",
+      "bin": {
+        "semver": "bin/semver.js"
+      },
+      "engines": {
+        "node": ">=10"
+      }
+    },
+    "node_modules/send": {
+      "version": "0.19.2",
+      "resolved": "https://registry.npmjs.org/send/-/send-0.19.2.tgz",
+      "integrity": "sha512-VMbMxbDeehAxpOtWJXlcUS5E8iXh6QmN+BkRX1GARS3wRaXEEgzCcB10gTQazO42tpNIya8xIyNx8fll1OFPrg==",
+      "license": "MIT",
+      "dependencies": {
+        "debug": "2.6.9",
+        "depd": "2.0.0",
+        "destroy": "1.2.0",
+        "encodeurl": "~2.0.0",
+        "escape-html": "~1.0.3",
+        "etag": "~1.8.1",
+        "fresh": "~0.5.2",
+        "http-errors": "~2.0.1",
+        "mime": "1.6.0",
+        "ms": "2.1.3",
+        "on-finished": "~2.4.1",
+        "range-parser": "~1.2.1",
+        "statuses": "~2.0.2"
+      },
+      "engines": {
+        "node": ">= 0.8.0"
+      }
+    },
+    "node_modules/send/node_modules/ms": {
+      "version": "2.1.3",
+      "resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz",
+      "integrity": "sha512-6FlzubTLZG3J2a/NVCAleEhjzq5oxgHyaCU9yYXvcLsvoVaHJq/s5xXI6/XXP6tz7R9xAOtHnSO/tXtF3WRTlA==",
+      "license": "MIT"
+    },
+    "node_modules/serve-static": {
+      "version": "1.16.3",
+      "resolved": "https://registry.npmjs.org/serve-static/-/serve-static-1.16.3.tgz",
+      "integrity": "sha512-x0RTqQel6g5SY7Lg6ZreMmsOzncHFU7nhnRWkKgWuMTu5NN0DR5oruckMqRvacAN9d5w6ARnRBXl9xhDCgfMeA==",
+      "license": "MIT",
+      "dependencies": {
+        "encodeurl": "~2.0.0",
+        "escape-html": "~1.0.3",
+        "parseurl": "~1.3.3",
+        "send": "~0.19.1"
+      },
+      "engines": {
+        "node": ">= 0.8.0"
+      }
+    },
+    "node_modules/setprototypeof": {
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/setprototypeof/-/setprototypeof-1.2.0.tgz",
+      "integrity": "sha512-E5LDX7Wrp85Kil5bhZv46j8jOeboKq5JMmYM3gVGdGH8xFpPWXUMsNrlODCrkoxMEeNi/XZIwuRvY4XNwYMJpw==",
+      "license": "ISC"
+    },
+    "node_modules/side-channel": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/side-channel/-/side-channel-1.1.0.tgz",
+      "integrity": "sha512-ZX99e6tRweoUXqR+VBrslhda51Nh5MTQwou5tnUDgbtyM0dBgmhEDtWGP/xbKn6hqfPRHujUNwz5fy/wbbhnpw==",
+      "license": "MIT",
+      "dependencies": {
+        "es-errors": "^1.3.0",
+        "object-inspect": "^1.13.3",
+        "side-channel-list": "^1.0.0",
+        "side-channel-map": "^1.0.1",
+        "side-channel-weakmap": "^1.0.2"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/side-channel-list": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/side-channel-list/-/side-channel-list-1.0.1.tgz",
+      "integrity": "sha512-mjn/0bi/oUURjc5Xl7IaWi/OJJJumuoJFQJfDDyO46+hBWsfaVM65TBHq2eoZBhzl9EchxOijpkbRC8SVBQU0w==",
+      "license": "MIT",
+      "dependencies": {
+        "es-errors": "^1.3.0",
+        "object-inspect": "^1.13.4"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/side-channel-map": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/side-channel-map/-/side-channel-map-1.0.1.tgz",
+      "integrity": "sha512-VCjCNfgMsby3tTdo02nbjtM/ewra6jPHmpThenkTYh8pG9ucZ/1P8So4u4FGBek/BjpOVsDCMoLA/iuBKIFXRA==",
+      "license": "MIT",
+      "dependencies": {
+        "call-bound": "^1.0.2",
+        "es-errors": "^1.3.0",
+        "get-intrinsic": "^1.2.5",
+        "object-inspect": "^1.13.3"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/side-channel-weakmap": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/side-channel-weakmap/-/side-channel-weakmap-1.0.2.tgz",
+      "integrity": "sha512-WPS/HvHQTYnHisLo9McqBHOJk2FkHO/tlpvldyrnem4aeQp4hai3gythswg6p01oSoTl58rcpiFAjF2br2Ak2A==",
+      "license": "MIT",
+      "dependencies": {
+        "call-bound": "^1.0.2",
+        "es-errors": "^1.3.0",
+        "get-intrinsic": "^1.2.5",
+        "object-inspect": "^1.13.3",
+        "side-channel-map": "^1.0.1"
+      },
+      "engines": {
+        "node": ">= 0.4"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/ljharb"
+      }
+    },
+    "node_modules/simple-update-notifier": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/simple-update-notifier/-/simple-update-notifier-2.0.0.tgz",
+      "integrity": "sha512-a2B9Y0KlNXl9u/vsW6sTIu9vGEpfKu2wRV6l1H3XEas/0gUIzGzBoP/IouTcUQbm9JWZLH3COxyn03TYlFax6w==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "semver": "^7.5.3"
+      },
+      "engines": {
+        "node": ">=10"
+      }
+    },
+    "node_modules/split2": {
+      "version": "4.2.0",
+      "resolved": "https://registry.npmjs.org/split2/-/split2-4.2.0.tgz",
+      "integrity": "sha512-UcjcJOWknrNkF6PLX83qcHM6KHgVKNkV62Y8a5uYDVv9ydGQVwAHMKqHdJje1VTWpljG0WYpCDhrCdAOYH4TWg==",
+      "license": "ISC",
+      "engines": {
+        "node": ">= 10.x"
+      }
+    },
+    "node_modules/statuses": {
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/statuses/-/statuses-2.0.2.tgz",
+      "integrity": "sha512-DvEy55V3DB7uknRo+4iOGT5fP1slR8wQohVdknigZPMpMstaKJQWhwiYBACJE3Ul2pTnATihhBYnRhZQHGBiRw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/supports-color": {
+      "version": "5.5.0",
+      "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-5.5.0.tgz",
+      "integrity": "sha512-QjVjwdXIt408MIiAqCX4oUKsgU2EqAGzs2Ppkm4aQYbjm+ZEWEcW4SfFNTr4uMNZma0ey4f5lgLrkB0aX0QMow==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "has-flag": "^3.0.0"
+      },
+      "engines": {
+        "node": ">=4"
+      }
+    },
+    "node_modules/to-regex-range": {
+      "version": "5.0.1",
+      "resolved": "https://registry.npmjs.org/to-regex-range/-/to-regex-range-5.0.1.tgz",
+      "integrity": "sha512-65P7iz6X5yEr1cwcgvQxbbIw7Uk3gOy5dIdtZ4rDveLqhrdJP+Li/Hx6tyK0NEb+2GCyneCMJiGqrADCSNk8sQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "is-number": "^7.0.0"
+      },
+      "engines": {
+        "node": ">=8.0"
+      }
+    },
+    "node_modules/toidentifier": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/toidentifier/-/toidentifier-1.0.1.tgz",
+      "integrity": "sha512-o5sSPKEkg/DIQNmH43V0/uerLrpzVedkUh8tGNvaeXpfpuwjKenlSox/2O/BTlZUtEe+JG7s5YhEz608PlAHRA==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.6"
+      }
+    },
+    "node_modules/touch": {
+      "version": "3.1.1",
+      "resolved": "https://registry.npmjs.org/touch/-/touch-3.1.1.tgz",
+      "integrity": "sha512-r0eojU4bI8MnHr8c5bNo7lJDdI2qXlWWJk6a9EAFG7vbhTjElYhBVS3/miuE0uOuoLdb8Mc/rVfsmm6eo5o9GA==",
+      "dev": true,
+      "license": "ISC",
+      "bin": {
+        "nodetouch": "bin/nodetouch.js"
+      }
+    },
+    "node_modules/type-is": {
+      "version": "1.6.18",
+      "resolved": "https://registry.npmjs.org/type-is/-/type-is-1.6.18.tgz",
+      "integrity": "sha512-TkRKr9sUTxEH8MdfuCSP7VizJyzRNMjj2J2do2Jr3Kym598JVdEksuzPQCnlFPW4ky9Q+iA+ma9BGm06XQBy8g==",
+      "license": "MIT",
+      "dependencies": {
+        "media-typer": "0.3.0",
+        "mime-types": "~2.1.24"
+      },
+      "engines": {
+        "node": ">= 0.6"
+      }
+    },
+    "node_modules/undefsafe": {
+      "version": "2.0.5",
+      "resolved": "https://registry.npmjs.org/undefsafe/-/undefsafe-2.0.5.tgz",
+      "integrity": "sha512-WxONCrssBM8TSPRqN5EmsjVrsv4A8X12J4ArBiiayv3DyyG3ZlIg6yysuuSYdZsVz3TKcTg2fd//Ujd4CHV1iA==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/unpipe": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/unpipe/-/unpipe-1.0.0.tgz",
+      "integrity": "sha512-pjy2bYhSsufwWlKwPc+l3cN7+wuJlK6uz0YdJEOlQDbl6jo/YlPi4mb8agUkVC8BF7V8NuzeyPNqRksA3hztKQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/utils-merge": {
+      "version": "1.0.1",
+      "resolved": "https://registry.npmjs.org/utils-merge/-/utils-merge-1.0.1.tgz",
+      "integrity": "sha512-pMZTvIkT1d+TFGvDOqodOclx0QWkkgi6Tdoa8gC8ffGAAqz9pzPTZWAybbsHHoED/ztMtkv/VoYTYyShUn81hA==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.4.0"
+      }
+    },
+    "node_modules/uuid": {
+      "version": "9.0.1",
+      "resolved": "https://registry.npmjs.org/uuid/-/uuid-9.0.1.tgz",
+      "integrity": "sha512-b+1eJOlsR9K8HJpow9Ok3fiWOWSIcIzXodvv0rQjVoOVNpWMpxf1wZNpt4y9h10odCNrqnYp1OBzRktckBe3sA==",
+      "funding": [
+        "https://github.com/sponsors/broofa",
+        "https://github.com/sponsors/ctavan"
+      ],
+      "license": "MIT",
+      "bin": {
+        "uuid": "dist/bin/uuid"
+      }
+    },
+    "node_modules/validator": {
+      "version": "13.15.35",
+      "resolved": "https://registry.npmjs.org/validator/-/validator-13.15.35.tgz",
+      "integrity": "sha512-TQ5pAGhd5whStmqWvYF4OjQROlmv9SMFVt37qoCBdqRffuuklWYQlCNnEs2ZaIBD1kZRNnikiZOS1eqgkar0iw==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.10"
+      }
+    },
+    "node_modules/vary": {
+      "version": "1.1.2",
+      "resolved": "https://registry.npmjs.org/vary/-/vary-1.1.2.tgz",
+      "integrity": "sha512-BNGbWLfd0eUPabhkXUVm0j8uuvREyTh5ovRa/dyow/BqAbZJyC+5fU+IzQOzmAKzYqYRAISoRhdQr3eIZ/PXqg==",
+      "license": "MIT",
+      "engines": {
+        "node": ">= 0.8"
+      }
+    },
+    "node_modules/xtend": {
+      "version": "4.0.2",
+      "resolved": "https://registry.npmjs.org/xtend/-/xtend-4.0.2.tgz",
+      "integrity": "sha512-LKYU1iAXJXUgAXn9URjiu+MWhyUXHsvfp7mcuYm9dSUKK0/CjtrUwFAxD82/mCWbtLsGjFIad0wIsod4zrTAEQ==",
+      "license": "MIT",
+      "engines": {
+        "node": ">=0.4"
+      }
+    }
+  }
+}

backend/package.json

@@ -0,0 +1,27 @@
+{
+  "name": "taskflow-backend",
+  "version": "1.0.0",
+  "description": "Multi-tenant task management API",
+  "main": "src/server.js",
+  "scripts": {
+    "start": "node src/server.js",
+    "dev": "nodemon src/server.js",
+    "migrate": "node src/utils/migrate.js",
+    "seed": "node src/utils/seed.js"
+  },
+  "dependencies": {
+    "bcryptjs": "^2.4.3",
+    "cors": "^2.8.5",
+    "dotenv": "^16.3.1",
+    "express": "^4.18.2",
+    "express-rate-limit": "^7.1.5",
+    "express-validator": "^7.0.1",
+    "helmet": "^7.1.0",
+    "jsonwebtoken": "^9.0.2",
+    "pg": "^8.11.3",
+    "uuid": "^9.0.0"
+  },
+  "devDependencies": {
+    "nodemon": "^3.0.2"
+  }
+}

backend/src/controllers/adminController.js

@@ -0,0 +1,269 @@
+const { query } = require('../utils/db');
+const { auditLog } = require('../utils/auditLogger');
+const { v4: uuidv4 } = require('uuid');
+const crypto = require('crypto');
+
+/**
+ * GET /api/admin/users
+ * List all users in the admin's organization
+ */
+const listUsers = async (req, res) => {
+  try {
+    const { organization_id: orgId } = req.user;
+
+    const { rows } = await query(
+      `SELECT id, name, email, role, is_active, created_at, updated_at
+       FROM users
+       WHERE organization_id = $1
+       ORDER BY created_at ASC`,
+      [orgId]
+    );
+
+    return res.json(rows);
+  } catch (err) {
+    console.error('List users error:', err);
+    return res.status(500).json({ error: 'Failed to retrieve users.' });
+  }
+};
+
+/**
+ * PATCH /api/admin/users/:id/role
+ * Change a user's role
+ */
+const updateUserRole = async (req, res) => {
+  try {
+    const { organization_id: orgId, id: actorId, name: actorName, email: actorEmail } = req.user;
+    const { id } = req.params;
+    const { role } = req.body;
+
+    if (!['admin', 'member'].includes(role)) {
+      return res.status(400).json({ error: 'Role must be admin or member.' });
+    }
+
+    // Cannot change own role
+    if (id === actorId) {
+      return res.status(400).json({ error: 'You cannot change your own role.' });
+    }
+
+    const { rows } = await query(
+      `UPDATE users SET role = $1, updated_at = NOW()
+       WHERE id = $2 AND organization_id = $3
+       RETURNING id, name, email, role, is_active`,
+      [role, id, orgId]
+    );
+
+    if (!rows.length) {
+      return res.status(404).json({ error: 'User not found in your organization.' });
+    }
+
+    await auditLog({
+      organizationId: orgId,
+      actorId,
+      actorName,
+      actorEmail,
+      action: 'USER_ROLE_CHANGED',
+      entityType: 'user',
+      newValues: { userId: id, newRole: role },
+    });
+
+    return res.json(rows[0]);
+  } catch (err) {
+    console.error('Update role error:', err);
+    return res.status(500).json({ error: 'Failed to update role.' });
+  }
+};
+
+/**
+ * PATCH /api/admin/users/:id/deactivate
+ */
+const deactivateUser = async (req, res) => {
+  try {
+    const { organization_id: orgId, id: actorId, name: actorName, email: actorEmail } = req.user;
+    const { id } = req.params;
+
+    if (id === actorId) {
+      return res.status(400).json({ error: 'You cannot deactivate your own account.' });
+    }
+
+    const { rows } = await query(
+      `UPDATE users SET is_active = false, updated_at = NOW()
+       WHERE id = $1 AND organization_id = $2
+       RETURNING id, name, email, role, is_active`,
+      [id, orgId]
+    );
+
+    if (!rows.length) {
+      return res.status(404).json({ error: 'User not found in your organization.' });
+    }
+
+    await auditLog({
+      organizationId: orgId,
+      actorId,
+      actorName,
+      actorEmail,
+      action: 'USER_DEACTIVATED',
+      entityType: 'user',
+      newValues: { userId: id },
+    });
+
+    return res.json(rows[0]);
+  } catch (err) {
+    console.error('Deactivate user error:', err);
+    return res.status(500).json({ error: 'Failed to deactivate user.' });
+  }
+};
+
+/**
+ * POST /api/admin/invites
+ * Send an invite to join the organization
+ */
+const createInvite = async (req, res) => {
+  try {
+    const { organization_id: orgId, id: actorId, name: actorName, email: actorEmail } = req.user;
+    const { email, role = 'member' } = req.body;
+
+    if (!['admin', 'member'].includes(role)) {
+      return res.status(400).json({ error: 'Role must be admin or member.' });
+    }
+
+    // Check if email already a member
+    const existing = await query(`SELECT id FROM users WHERE email = $1`, [email.toLowerCase()]);
+    if (existing.rows.length) {
+      return res.status(409).json({ error: 'A user with this email already exists.' });
+    }
+
+    const token = crypto.randomBytes(32).toString('hex');
+    const expiresAt = new Date(Date.now() + 7 * 24 * 60 * 60 * 1000); // 7 days
+
+    const { rows } = await query(
+      `INSERT INTO invites (id, organization_id, email, role, token, invited_by, expires_at)
+       VALUES ($1, $2, $3, $4, $5, $6, $7)
+       RETURNING id, email, role, token, expires_at`,
+      [uuidv4(), orgId, email.toLowerCase(), role, token, actorId, expiresAt]
+    );
+
+    await auditLog({
+      organizationId: orgId,
+      actorId,
+      actorName,
+      actorEmail,
+      action: 'USER_INVITED',
+      entityType: 'invite',
+      newValues: { invitedEmail: email, role },
+    });
+
+    return res.status(201).json({
+      ...rows[0],
+      inviteUrl: `${process.env.FRONTEND_URL}/accept-invite?token=${token}`,
+    });
+  } catch (err) {
+    console.error('Create invite error:', err);
+    return res.status(500).json({ error: 'Failed to create invite.' });
+  }
+};
+
+/**
+ * GET /api/admin/invites
+ */
+const listInvites = async (req, res) => {
+  try {
+    const { organization_id: orgId } = req.user;
+
+    const { rows } = await query(
+      `SELECT i.id, i.email, i.role, i.expires_at, i.used_at, i.created_at,
+              u.name AS invited_by_name
+       FROM invites i
+       LEFT JOIN users u ON u.id = i.invited_by
+       WHERE i.organization_id = $1
+       ORDER BY i.created_at DESC`,
+      [orgId]
+    );
+
+    return res.json(rows);
+  } catch (err) {
+    console.error('List invites error:', err);
+    return res.status(500).json({ error: 'Failed to retrieve invites.' });
+  }
+};
+
+/**
+ * GET /api/admin/audit-logs
+ */
+const getAuditLogs = async (req, res) => {
+  try {
+    const { organization_id: orgId } = req.user;
+    const { page = 1, limit = 50, action, task_id } = req.query;
+
+    const pageNum = Math.max(1, parseInt(page));
+    const limitNum = Math.min(200, Math.max(1, parseInt(limit)));
+    const offset = (pageNum - 1) * limitNum;
+
+    const conditions = [`organization_id = $1`];
+    const params = [orgId];
+    let idx = 2;
+
+    if (action) {
+      conditions.push(`action = $${idx++}`);
+      params.push(action);
+    }
+    if (task_id) {
+      conditions.push(`task_id = $${idx++}`);
+      params.push(task_id);
+    }
+
+    const where = `WHERE ${conditions.join(' AND ')}`;
+
+    const countResult = await query(`SELECT COUNT(*) FROM audit_logs ${where}`, params);
+    const total = parseInt(countResult.rows[0].count);
+
+    const { rows } = await query(
+      `SELECT id, task_id, actor_id, actor_name, actor_email, action, entity_type,
+              old_values, new_values, metadata, created_at
+       FROM audit_logs
+       ${where}
+       ORDER BY created_at DESC
+       LIMIT $${idx} OFFSET $${idx + 1}`,
+      [...params, limitNum, offset]
+    );
+
+    return res.json({
+      logs: rows,
+      pagination: { page: pageNum, limit: limitNum, total, totalPages: Math.ceil(total / limitNum) },
+    });
+  } catch (err) {
+    console.error('Audit logs error:', err);
+    return res.status(500).json({ error: 'Failed to retrieve audit logs.' });
+  }
+};
+
+/**
+ * GET /api/admin/org
+ * Get organization info
+ */
+const getOrg = async (req, res) => {
+  try {
+    const { organization_id: orgId } = req.user;
+    const { rows } = await query(`SELECT id, name, slug, created_at FROM organizations WHERE id = $1`, [orgId]);
+    return res.json(rows[0]);
+  } catch (err) {
+    return res.status(500).json({ error: 'Failed to retrieve organization.' });
+  }
+};
+
+/**
+ * GET /api/users - org-scoped user list for dropdowns (any authenticated user)
+ */
+const listOrgUsers = async (req, res) => {
+  try {
+    const { organization_id: orgId } = req.user;
+    const { rows } = await query(
+      `SELECT id, name, email, role FROM users WHERE organization_id = $1 AND is_active = true ORDER BY name`,
+      [orgId]
+    );
+    return res.json(rows);
+  } catch (err) {
+    return res.status(500).json({ error: 'Failed to retrieve users.' });
+  }
+};
+
+module.exports = { listUsers, updateUserRole, deactivateUser, createInvite, listInvites, getAuditLogs, getOrg, listOrgUsers };

backend/src/controllers/authController.js

@@ -0,0 +1,193 @@
+const bcrypt = require('bcryptjs');
+const { v4: uuidv4 } = require('uuid');
+const { query } = require('../utils/db');
+const { generateToken, buildTokenPayload } = require('../utils/jwt');
+const { auditLog } = require('../utils/auditLogger');
+
+/**
+ * POST /api/auth/register
+ * Register a new organization + admin user
+ */
+const register = async (req, res) => {
+  try {
+    const { orgName, name, email, password } = req.body;
+
+    // Check email uniqueness across all orgs (global unique email)
+    const existing = await query(`SELECT id FROM users WHERE email = $1`, [email.toLowerCase()]);
+    if (existing.rows.length) {
+      return res.status(409).json({ error: 'An account with this email already exists.' });
+    }
+
+    // Generate org slug
+    const baseSlug = orgName.toLowerCase().replace(/[^a-z0-9]+/g, '-').replace(/(^-|-$)/g, '');
+    let slug = baseSlug;
+    let suffix = 1;
+    while (true) {
+      const check = await query(`SELECT id FROM organizations WHERE slug = $1`, [slug]);
+      if (!check.rows.length) break;
+      slug = `${baseSlug}-${suffix++}`;
+    }
+
+    const orgId = uuidv4();
+    const userId = uuidv4();
+    const passwordHash = await bcrypt.hash(password, 12);
+
+    await query(`INSERT INTO organizations (id, name, slug) VALUES ($1, $2, $3)`, [orgId, orgName, slug]);
+    await query(
+      `INSERT INTO users (id, organization_id, name, email, password_hash, role) VALUES ($1, $2, $3, $4, $5, 'admin')`,
+      [userId, orgId, name, email.toLowerCase(), passwordHash]
+    );
+
+    const user = { id: userId, name, email: email.toLowerCase(), role: 'admin', organization_id: orgId, org_slug: slug };
+    const token = generateToken(buildTokenPayload(user));
+
+    await auditLog({
+      organizationId: orgId,
+      actorId: userId,
+      actorName: name,
+      actorEmail: email.toLowerCase(),
+      action: 'USER_REGISTERED',
+      entityType: 'user',
+      newValues: { userId, orgId, role: 'admin' },
+    });
+
+    return res.status(201).json({
+      token,
+      user: { id: userId, name, email: email.toLowerCase(), role: 'admin', organizationId: orgId, orgSlug: slug, orgName },
+    });
+  } catch (err) {
+    console.error('Register error:', err);
+    return res.status(500).json({ error: 'Registration failed.' });
+  }
+};
+
+/**
+ * POST /api/auth/login
+ */
+const login = async (req, res) => {
+  try {
+    const { email, password } = req.body;
+
+    const { rows } = await query(
+      `SELECT u.id, u.name, u.email, u.password_hash, u.role, u.organization_id, u.is_active,
+              o.slug as org_slug, o.name as org_name
+       FROM users u
+       JOIN organizations o ON o.id = u.organization_id
+       WHERE u.email = $1`,
+      [email.toLowerCase()]
+    );
+
+    if (!rows.length) {
+      return res.status(401).json({ error: 'Invalid email or password.' });
+    }
+
+    const user = rows[0];
+    if (!user.is_active) {
+      return res.status(403).json({ error: 'Your account has been deactivated.' });
+    }
+
+    if (!user.password_hash) {
+      return res.status(401).json({ error: 'This account uses OAuth login. Please sign in with your provider.' });
+    }
+
+    const valid = await bcrypt.compare(password, user.password_hash);
+    if (!valid) {
+      return res.status(401).json({ error: 'Invalid email or password.' });
+    }
+
+    const token = generateToken(buildTokenPayload(user));
+
+    return res.json({
+      token,
+      user: {
+        id: user.id,
+        name: user.name,
+        email: user.email,
+        role: user.role,
+        organizationId: user.organization_id,
+        orgSlug: user.org_slug,
+        orgName: user.org_name,
+      },
+    });
+  } catch (err) {
+    console.error('Login error:', err);
+    return res.status(500).json({ error: 'Login failed.' });
+  }
+};
+
+/**
+ * GET /api/auth/me
+ */
+const getMe = async (req, res) => {
+  const u = req.user;
+  return res.json({
+    id: u.id,
+    name: u.name,
+    email: u.email,
+    role: u.role,
+    organizationId: u.organization_id,
+    orgSlug: u.org_slug,
+    orgName: u.org_name,
+  });
+};
+
+/**
+ * POST /api/auth/accept-invite
+ */
+const acceptInvite = async (req, res) => {
+  try {
+    const { token, name, password } = req.body;
+
+    const { rows: invites } = await query(
+      `SELECT * FROM invites WHERE token = $1 AND used_at IS NULL AND expires_at > NOW()`,
+      [token]
+    );
+
+    if (!invites.length) {
+      return res.status(400).json({ error: 'Invite link is invalid or has expired.' });
+    }
+
+    const invite = invites[0];
+
+    // Check email not already registered in this org
+    const dup = await query(`SELECT id FROM users WHERE email = $1`, [invite.email.toLowerCase()]);
+    if (dup.rows.length) {
+      return res.status(409).json({ error: 'An account with this email already exists.' });
+    }
+
+    const userId = uuidv4();
+    const passwordHash = await bcrypt.hash(password, 12);
+
+    await query(
+      `INSERT INTO users (id, organization_id, name, email, password_hash, role) VALUES ($1, $2, $3, $4, $5, $6)`,
+      [userId, invite.organization_id, name, invite.email.toLowerCase(), passwordHash, invite.role]
+    );
+    await query(`UPDATE invites SET used_at = NOW() WHERE id = $1`, [invite.id]);
+
+    const { rows: orgs } = await query(`SELECT slug, name FROM organizations WHERE id = $1`, [invite.organization_id]);
+    const org = orgs[0];
+
+    const user = { id: userId, name, email: invite.email, role: invite.role, organization_id: invite.organization_id, org_slug: org.slug };
+    const authToken = generateToken(buildTokenPayload(user));
+
+    await auditLog({
+      organizationId: invite.organization_id,
+      actorId: userId,
+      actorName: name,
+      actorEmail: invite.email.toLowerCase(),
+      action: 'USER_JOINED_VIA_INVITE',
+      entityType: 'user',
+      newValues: { userId, role: invite.role },
+    });
+
+    return res.status(201).json({
+      token: authToken,
+      user: { id: userId, name, email: invite.email, role: invite.role, organizationId: invite.organization_id, orgSlug: org.slug, orgName: org.name },
+    });
+  } catch (err) {
+    console.error('Accept invite error:', err);
+    return res.status(500).json({ error: 'Failed to accept invite.' });
+  }
+};
+
+module.exports = { register, login, getMe, acceptInvite };

backend/src/controllers/commentController.js

@@ -0,0 +1,127 @@
+const { query } = require('../utils/db');
+const { auditLog } = require('../utils/auditLogger');
+const { v4: uuidv4 } = require('uuid');
+
+/**
+ * GET /api/tasks/:id/comments
+ */
+const listComments = async (req, res) => {
+  try {
+    const { organization_id: orgId, id: userId, role } = req.user;
+    const { id: taskId } = req.params;
+
+    // Verify task belongs to org
+    const taskCheck = await query(
+      `SELECT id, creator_id, assignee_id FROM tasks WHERE id = $1 AND organization_id = $2`,
+      [taskId, orgId]
+    );
+    if (!taskCheck.rows.length) return res.status(404).json({ error: 'Task not found.' });
+
+    const task = taskCheck.rows[0];
+    if (role === 'member' && task.creator_id !== userId && task.assignee_id !== userId) {
+      return res.status(403).json({ error: 'Access denied.' });
+    }
+
+    const { rows } = await query(
+      `SELECT c.id, c.body, c.created_at, c.updated_at,
+              c.author_id, u.name AS author_name, u.email AS author_email
+       FROM task_comments c
+       JOIN users u ON u.id = c.author_id
+       WHERE c.task_id = $1 AND c.organization_id = $2
+       ORDER BY c.created_at ASC`,
+      [taskId, orgId]
+    );
+    return res.json(rows);
+  } catch (err) {
+    console.error('List comments error:', err);
+    return res.status(500).json({ error: 'Failed to retrieve comments.' });
+  }
+};
+
+/**
+ * POST /api/tasks/:id/comments
+ */
+const addComment = async (req, res) => {
+  try {
+    const { organization_id: orgId, id: userId, name: userName, email: userEmail, role } = req.user;
+    const { id: taskId } = req.params;
+    const { body } = req.body;
+
+    if (!body || !body.trim()) {
+      return res.status(422).json({ error: 'Comment cannot be empty.' });
+    }
+
+    const taskCheck = await query(
+      `SELECT id, creator_id, assignee_id FROM tasks WHERE id = $1 AND organization_id = $2`,
+      [taskId, orgId]
+    );
+    if (!taskCheck.rows.length) return res.status(404).json({ error: 'Task not found.' });
+
+    const task = taskCheck.rows[0];
+    if (role === 'member' && task.creator_id !== userId && task.assignee_id !== userId) {
+      return res.status(403).json({ error: 'Access denied.' });
+    }
+
+    const { rows } = await query(
+      `INSERT INTO task_comments (id, task_id, organization_id, author_id, body)
+       VALUES ($1, $2, $3, $4, $5)
+       RETURNING id, body, created_at, author_id`,
+      [uuidv4(), taskId, orgId, userId, body.trim()]
+    );
+
+    // Touch task updated_at so it surfaces in recent activity
+    await query(`UPDATE tasks SET updated_at = NOW() WHERE id = $1`, [taskId]);
+
+    await auditLog({
+      organizationId: orgId,
+      taskId,
+      actorId: userId,
+      actorName: userName,
+      actorEmail: userEmail,
+      action: 'COMMENT_ADDED',
+      entityType: 'comment',
+      newValues: { body: body.trim().slice(0, 120) },
+    });
+
+    return res.status(201).json({
+      ...rows[0],
+      author_name: userName,
+      author_email: userEmail,
+    });
+  } catch (err) {
+    console.error('Add comment error:', err);
+    return res.status(500).json({ error: 'Failed to add comment.' });
+  }
+};
+
+/**
+ * DELETE /api/tasks/:id/comments/:commentId
+ */
+const deleteComment = async (req, res) => {
+  try {
+    const { organization_id: orgId, id: userId, role } = req.user;
+    const { id: taskId, commentId } = req.params;
+
+    const { rows } = await query(
+      `SELECT c.id, c.author_id FROM task_comments c
+       JOIN tasks t ON t.id = c.task_id
+       WHERE c.id = $1 AND c.task_id = $2 AND c.organization_id = $3`,
+      [commentId, taskId, orgId]
+    );
+
+    if (!rows.length) return res.status(404).json({ error: 'Comment not found.' });
+
+    const comment = rows[0];
+    if (role !== 'admin' && comment.author_id !== userId) {
+      return res.status(403).json({ error: 'You can only delete your own comments.' });
+    }
+
+    await query(`DELETE FROM task_comments WHERE id = $1`, [commentId]);
+    return res.status(204).send();
+  } catch (err) {
+    console.error('Delete comment error:', err);
+    return res.status(500).json({ error: 'Failed to delete comment.' });
+  }
+};
+
+module.exports = { listComments, addComment, deleteComment };

backend/src/controllers/taskController.js

@@ -0,0 +1,347 @@
+const { query } = require('../utils/db');
+const { auditLog } = require('../utils/auditLogger');
+const { v4: uuidv4 } = require('uuid');
+
+const VALID_STATUSES = ['todo', 'in_progress', 'in_review', 'done', 'cancelled'];
+const VALID_PRIORITIES = ['low', 'medium', 'high', 'critical'];
+
+/**
+ * GET /api/tasks
+ * List tasks scoped to the authenticated user's organization.
+ * Members only see their assigned or created tasks.
+ * Admins see all tasks in the org.
+ */
+const listTasks = async (req, res) => {
+  try {
+    const { organization_id: orgId, id: userId, role } = req.user;
+    const {
+      status, priority, assignee_id, search,
+      sort_by = 'created_at', sort_dir = 'desc',
+      page = 1, limit = 20,
+    } = req.query;
+
+    const pageNum = Math.max(1, parseInt(page));
+    const limitNum = Math.min(100, Math.max(1, parseInt(limit)));
+    const offset = (pageNum - 1) * limitNum;
+
+    const conditions = [`t.organization_id = $1`];
+    const params = [orgId];
+    let idx = 2;
+
+    // Members only see tasks they created or are assigned to
+    if (role === 'member') {
+      conditions.push(`(t.creator_id = $${idx} OR t.assignee_id = $${idx})`);
+      params.push(userId);
+      idx++;
+    }
+
+    if (status && VALID_STATUSES.includes(status)) {
+      conditions.push(`t.status = $${idx++}`);
+      params.push(status);
+    }
+    if (priority && VALID_PRIORITIES.includes(priority)) {
+      conditions.push(`t.priority = $${idx++}`);
+      params.push(priority);
+    }
+    if (assignee_id) {
+      conditions.push(`t.assignee_id = $${idx++}`);
+      params.push(assignee_id);
+    }
+    if (search) {
+      conditions.push(`(t.title ILIKE $${idx} OR t.description ILIKE $${idx})`);
+      params.push(`%${search}%`);
+      idx++;
+    }
+
+    const allowed_sort = ['created_at', 'updated_at', 'due_date', 'priority', 'status', 'title'];
+    const sortCol = allowed_sort.includes(sort_by) ? sort_by : 'created_at';
+    const sortDir = sort_dir === 'asc' ? 'ASC' : 'DESC';
+
+    const whereClause = `WHERE ${conditions.join(' AND ')}`;
+
+    const countResult = await query(
+      `SELECT COUNT(*) FROM tasks t ${whereClause}`,
+      params
+    );
+    const total = parseInt(countResult.rows[0].count);
+
+    const { rows: tasks } = await query(
+      `SELECT t.id, t.title, t.description, t.status, t.priority, t.due_date,
+              t.created_at, t.updated_at,
+              t.creator_id,
+              creator.name AS creator_name, creator.email AS creator_email,
+              t.assignee_id,
+              assignee.name AS assignee_name, assignee.email AS assignee_email
+       FROM tasks t
+       LEFT JOIN users creator ON creator.id = t.creator_id
+       LEFT JOIN users assignee ON assignee.id = t.assignee_id
+       ${whereClause}
+       ORDER BY t.${sortCol} ${sortDir}
+       LIMIT $${idx} OFFSET $${idx + 1}`,
+      [...params, limitNum, offset]
+    );
+
+    return res.json({
+      tasks,
+      pagination: { page: pageNum, limit: limitNum, total, totalPages: Math.ceil(total / limitNum) },
+    });
+  } catch (err) {
+    console.error('List tasks error:', err);
+    return res.status(500).json({ error: 'Failed to retrieve tasks.' });
+  }
+};
+
+/**
+ * GET /api/tasks/:id
+ */
+const getTask = async (req, res) => {
+  try {
+    const { organization_id: orgId, id: userId, role } = req.user;
+    const { id } = req.params;
+
+    const { rows } = await query(
+      `SELECT t.id, t.title, t.description, t.status, t.priority, t.due_date,
+              t.created_at, t.updated_at, t.organization_id,
+              t.creator_id, creator.name AS creator_name, creator.email AS creator_email,
+              t.assignee_id, assignee.name AS assignee_name, assignee.email AS assignee_email
+       FROM tasks t
+       LEFT JOIN users creator ON creator.id = t.creator_id
+       LEFT JOIN users assignee ON assignee.id = t.assignee_id
+       WHERE t.id = $1 AND t.organization_id = $2`,
+      [id, orgId]
+    );
+
+    if (!rows.length) {
+      return res.status(404).json({ error: 'Task not found.' });
+    }
+
+    const task = rows[0];
+
+    // Members can only view tasks they created or are assigned to
+    if (role === 'member' && task.creator_id !== userId && task.assignee_id !== userId) {
+      return res.status(403).json({ error: 'You do not have permission to view this task.' });
+    }
+
+    return res.json(task);
+  } catch (err) {
+    console.error('Get task error:', err);
+    return res.status(500).json({ error: 'Failed to retrieve task.' });
+  }
+};
+
+/**
+ * POST /api/tasks
+ */
+const createTask = async (req, res) => {
+  try {
+    const { organization_id: orgId, id: userId, name: userName, email: userEmail } = req.user;
+    const { title, description, status = 'todo', priority = 'medium', assignee_id, due_date } = req.body;
+
+    // Validate assignee belongs to same org
+    if (assignee_id) {
+      const check = await query(`SELECT id FROM users WHERE id = $1 AND organization_id = $2`, [assignee_id, orgId]);
+      if (!check.rows.length) {
+        return res.status(400).json({ error: 'Assignee must belong to your organization.' });
+      }
+    }
+
+    const taskId = uuidv4();
+    const { rows } = await query(
+      `INSERT INTO tasks (id, organization_id, title, description, status, priority, creator_id, assignee_id, due_date)
+       VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)
+       RETURNING *`,
+      [taskId, orgId, title, description || null, status, priority, userId, assignee_id || null, due_date || null]
+    );
+
+    const task = rows[0];
+
+    await auditLog({
+      organizationId: orgId,
+      taskId: task.id,
+      actorId: userId,
+      actorName: userName,
+      actorEmail: userEmail,
+      action: 'TASK_CREATED',
+      newValues: { title, status, priority, assignee_id: assignee_id || null },
+    });
+
+    return res.status(201).json(task);
+  } catch (err) {
+    console.error('Create task error:', err);
+    return res.status(500).json({ error: 'Failed to create task.' });
+  }
+};
+
+/**
+ * PATCH /api/tasks/:id
+ */
+const updateTask = async (req, res) => {
+  try {
+    const { organization_id: orgId, id: userId, name: userName, email: userEmail, role } = req.user;
+    const { id } = req.params;
+
+    const { rows: existing } = await query(
+      `SELECT * FROM tasks WHERE id = $1 AND organization_id = $2`,
+      [id, orgId]
+    );
+    if (!existing.length) {
+      return res.status(404).json({ error: 'Task not found.' });
+    }
+
+    const task = existing[0];
+
+    // Members can only update tasks they created or are assigned to
+    if (role === 'member' && task.creator_id !== userId && task.assignee_id !== userId) {
+      return res.status(403).json({ error: 'You do not have permission to update this task.' });
+    }
+
+    const { title, description, status, priority, assignee_id, due_date } = req.body;
+    const updates = {};
+
+    if (title !== undefined) updates.title = title;
+    if (description !== undefined) updates.description = description;
+    if (status !== undefined && VALID_STATUSES.includes(status)) updates.status = status;
+    if (priority !== undefined && VALID_PRIORITIES.includes(priority)) updates.priority = priority;
+    if (due_date !== undefined) updates.due_date = due_date || null;
+
+    if (assignee_id !== undefined) {
+      if (assignee_id === null) {
+        updates.assignee_id = null;
+      } else {
+        const check = await query(`SELECT id FROM users WHERE id = $1 AND organization_id = $2`, [assignee_id, orgId]);
+        if (!check.rows.length) {
+          return res.status(400).json({ error: 'Assignee must belong to your organization.' });
+        }
+        updates.assignee_id = assignee_id;
+      }
+    }
+
+    if (!Object.keys(updates).length) {
+      return res.status(400).json({ error: 'No valid fields provided for update.' });
+    }
+
+    const setClauses = Object.keys(updates).map((k, i) => `${k} = $${i + 3}`);
+    const setValues = Object.values(updates);
+
+    const { rows: updated } = await query(
+      `UPDATE tasks SET ${setClauses.join(', ')}, updated_at = NOW()
+       WHERE id = $1 AND organization_id = $2
+       RETURNING *`,
+      [id, orgId, ...setValues]
+    );
+
+    await auditLog({
+      organizationId: orgId,
+      taskId: id,
+      actorId: userId,
+      actorName: userName,
+      actorEmail: userEmail,
+      action: 'TASK_UPDATED',
+      oldValues: { title: task.title, status: task.status, priority: task.priority, assignee_id: task.assignee_id },
+      newValues: updates,
+    });
+
+    return res.json(updated[0]);
+  } catch (err) {
+    console.error('Update task error:', err);
+    return res.status(500).json({ error: 'Failed to update task.' });
+  }
+};
+
+/**
+ * DELETE /api/tasks/:id
+ */
+const deleteTask = async (req, res) => {
+  try {
+    const { organization_id: orgId, id: userId, name: userName, email: userEmail, role } = req.user;
+    const { id } = req.params;
+
+    const { rows: existing } = await query(
+      `SELECT * FROM tasks WHERE id = $1 AND organization_id = $2`,
+      [id, orgId]
+    );
+    if (!existing.length) {
+      return res.status(404).json({ error: 'Task not found.' });
+    }
+
+    const task = existing[0];
+
+    // Members can only delete tasks they created
+    if (role === 'member' && task.creator_id !== userId) {
+      return res.status(403).json({ error: 'You can only delete tasks you created.' });
+    }
+
+    await query(`DELETE FROM tasks WHERE id = $1 AND organization_id = $2`, [id, orgId]);
+
+    await auditLog({
+      organizationId: orgId,
+      taskId: id,
+      actorId: userId,
+      actorName: userName,
+      actorEmail: userEmail,
+      action: 'TASK_DELETED',
+      oldValues: { title: task.title, status: task.status, priority: task.priority },
+    });
+
+    return res.status(204).send();
+  } catch (err) {
+    console.error('Delete task error:', err);
+    return res.status(500).json({ error: 'Failed to delete task.' });
+  }
+};
+
+/**
+ * GET /api/tasks/stats
+ * Dashboard stats for the org
+ */
+const getStats = async (req, res) => {
+  try {
+    const { organization_id: orgId, id: userId, role } = req.user;
+
+    let scopeClause = `organization_id = $1`;
+    const params = [orgId];
+
+    if (role === 'member') {
+      scopeClause += ` AND (creator_id = $2 OR assignee_id = $2)`;
+      params.push(userId);
+    }
+
+    const { rows: statusCounts } = await query(
+      `SELECT status, COUNT(*) as count FROM tasks WHERE ${scopeClause} GROUP BY status`,
+      params
+    );
+
+    const { rows: priorityCounts } = await query(
+      `SELECT priority, COUNT(*) as count FROM tasks WHERE ${scopeClause} GROUP BY priority`,
+      params
+    );
+
+    const { rows: overdue } = await query(
+      `SELECT COUNT(*) as count FROM tasks
+       WHERE ${scopeClause} AND due_date < NOW() AND status NOT IN ('done', 'cancelled')`,
+      params
+    );
+
+    const { rows: recent } = await query(
+      `SELECT t.id, t.title, t.status, t.priority, t.updated_at,
+              assignee.name AS assignee_name
+       FROM tasks t
+       LEFT JOIN users assignee ON assignee.id = t.assignee_id
+       WHERE t.${scopeClause}
+       ORDER BY t.updated_at DESC LIMIT 5`,
+      params
+    );
+
+    return res.json({
+      statusCounts: Object.fromEntries(statusCounts.map(r => [r.status, parseInt(r.count)])),
+      priorityCounts: Object.fromEntries(priorityCounts.map(r => [r.priority, parseInt(r.count)])),
+      overdueCount: parseInt(overdue[0].count),
+      recentTasks: recent,
+    });
+  } catch (err) {
+    console.error('Stats error:', err);
+    return res.status(500).json({ error: 'Failed to retrieve stats.' });
+  }
+};
+
+module.exports = { listTasks, getTask, createTask, updateTask, deleteTask, getStats };

backend/src/middleware/auth.js

@@ -0,0 +1,61 @@
+const { verifyToken } = require('../utils/jwt');
+const { query } = require('../utils/db');
+
+/**
+ * Middleware: Validate JWT and attach user to req.user
+ */
+const authenticate = async (req, res, next) => {
+  try {
+    const authHeader = req.headers.authorization;
+    if (!authHeader || !authHeader.startsWith('Bearer ')) {
+      return res.status(401).json({ error: 'Authentication required.' });
+    }
+
+    const token = authHeader.split(' ')[1];
+    let decoded;
+    try {
+      decoded = verifyToken(token);
+    } catch (err) {
+      if (err.name === 'TokenExpiredError') {
+        return res.status(401).json({ error: 'Token has expired. Please log in again.' });
+      }
+      return res.status(401).json({ error: 'Invalid token.' });
+    }
+
+    // Verify user still exists and is active in the database
+    const { rows } = await query(
+      `SELECT u.id, u.name, u.email, u.role, u.organization_id, u.is_active, o.slug as org_slug, o.name as org_name
+       FROM users u
+       JOIN organizations o ON o.id = u.organization_id
+       WHERE u.id = $1 AND u.organization_id = $2`,
+      [decoded.sub, decoded.org]
+    );
+
+    if (!rows.length || !rows[0].is_active) {
+      return res.status(401).json({ error: 'User account not found or deactivated.' });
+    }
+
+    req.user = rows[0];
+    next();
+  } catch (err) {
+    console.error('Auth middleware error:', err);
+    return res.status(500).json({ error: 'Internal server error.' });
+  }
+};
+
+/**
+ * Middleware factory: Require specific roles
+ */
+const requireRole = (...roles) => {
+  return (req, res, next) => {
+    if (!req.user) {
+      return res.status(401).json({ error: 'Authentication required.' });
+    }
+    if (!roles.includes(req.user.role)) {
+      return res.status(403).json({ error: 'You do not have permission to perform this action.' });
+    }
+    next();
+  };
+};
+
+module.exports = { authenticate, requireRole };

backend/src/middleware/validate.js

@@ -0,0 +1,14 @@
+const { validationResult } = require('express-validator');
+
+const validate = (req, res, next) => {
+  const errors = validationResult(req);
+  if (!errors.isEmpty()) {
+    return res.status(422).json({
+      error: 'Validation failed.',
+      details: errors.array().map(e => ({ field: e.path, message: e.msg })),
+    });
+  }
+  next();
+};
+
+module.exports = { validate };

backend/src/routes/admin.js

@@ -0,0 +1,41 @@
+const express = require('express');
+const router = express.Router();
+const { body } = require('express-validator');
+const { validate } = require('../middleware/validate');
+const { authenticate, requireRole } = require('../middleware/auth');
+const {
+  listUsers, updateUserRole, deactivateUser,
+  createInvite, listInvites, getAuditLogs, getOrg, listOrgUsers
+} = require('../controllers/adminController');
+
+// All admin routes require authentication
+router.use(authenticate);
+
+// Org-scoped user list (available to all authenticated users for assignee dropdowns)
+router.get('/users/org', listOrgUsers);
+
+// Admin-only below
+router.use(requireRole('admin'));
+
+router.get('/org', getOrg);
+
+router.get('/users', listUsers);
+
+router.patch('/users/:id/role', [
+  body('role').isIn(['admin', 'member']).withMessage('Role must be admin or member.'),
+  validate,
+], updateUserRole);
+
+router.patch('/users/:id/deactivate', deactivateUser);
+
+router.get('/invites', listInvites);
+
+router.post('/invites', [
+  body('email').isEmail().normalizeEmail().withMessage('Valid email is required.'),
+  body('role').optional().isIn(['admin', 'member']).withMessage('Role must be admin or member.'),
+  validate,
+], createInvite);
+
+router.get('/audit-logs', getAuditLogs);
+
+module.exports = router;

backend/src/routes/auth.js

@@ -0,0 +1,33 @@
+const express = require('express');
+const router = express.Router();
+const { body } = require('express-validator');
+const { validate } = require('../middleware/validate');
+const { authenticate } = require('../middleware/auth');
+const { register, login, getMe, acceptInvite } = require('../controllers/authController');
+
+router.post('/register', [
+  body('orgName').trim().isLength({ min: 2, max: 100 }).withMessage('Organization name must be 2-100 characters.'),
+  body('name').trim().isLength({ min: 2, max: 100 }).withMessage('Name must be 2-100 characters.'),
+  body('email').isEmail().normalizeEmail().withMessage('Valid email is required.'),
+  body('password').isLength({ min: 8 }).withMessage('Password must be at least 8 characters.')
+    .matches(/[A-Z]/).withMessage('Password must contain at least one uppercase letter.')
+    .matches(/[0-9]/).withMessage('Password must contain at least one number.'),
+  validate,
+], register);
+
+router.post('/login', [
+  body('email').isEmail().normalizeEmail().withMessage('Valid email is required.'),
+  body('password').notEmpty().withMessage('Password is required.'),
+  validate,
+], login);
+
+router.get('/me', authenticate, getMe);
+
+router.post('/accept-invite', [
+  body('token').notEmpty().withMessage('Invite token is required.'),
+  body('name').trim().isLength({ min: 2, max: 100 }).withMessage('Name is required.'),
+  body('password').isLength({ min: 8 }).withMessage('Password must be at least 8 characters.'),
+  validate,
+], acceptInvite);
+
+module.exports = router;

backend/src/routes/comments.js

@@ -0,0 +1,12 @@
+const express = require('express');
+const router = express.Router({ mergeParams: true }); // inherit :id from parent
+const { authenticate } = require('../middleware/auth');
+const { listComments, addComment, deleteComment } = require('../controllers/commentController');
+
+router.use(authenticate);
+
+router.get('/', listComments);
+router.post('/', addComment);
+router.delete('/:commentId', deleteComment);
+
+module.exports = router;

backend/src/routes/tasks.js

@@ -0,0 +1,36 @@
+const express = require('express');
+const router = express.Router();
+const { body } = require('express-validator');
+const { validate } = require('../middleware/validate');
+const { authenticate } = require('../middleware/auth');
+const { listTasks, getTask, createTask, updateTask, deleteTask, getStats } = require('../controllers/taskController');
+
+router.use(authenticate);
+
+router.get('/stats', getStats);
+
+router.get('/', listTasks);
+
+router.get('/:id', getTask);
+
+router.post('/', [
+  body('title').trim().isLength({ min: 1, max: 500 }).withMessage('Title is required (max 500 chars).'),
+  body('description').optional().isLength({ max: 5000 }).withMessage('Description too long.'),
+  body('status').optional().isIn(['todo', 'in_progress', 'in_review', 'done', 'cancelled']).withMessage('Invalid status.'),
+  body('priority').optional().isIn(['low', 'medium', 'high', 'critical']).withMessage('Invalid priority.'),
+  body('due_date').optional({ nullable: true }).isISO8601().withMessage('Due date must be a valid date.'),
+  validate,
+], createTask);
+
+router.patch('/:id', [
+  body('title').optional().trim().isLength({ min: 1, max: 500 }).withMessage('Title must be 1-500 chars.'),
+  body('description').optional().isLength({ max: 5000 }).withMessage('Description too long.'),
+  body('status').optional().isIn(['todo', 'in_progress', 'in_review', 'done', 'cancelled']).withMessage('Invalid status.'),
+  body('priority').optional().isIn(['low', 'medium', 'high', 'critical']).withMessage('Invalid priority.'),
+  body('due_date').optional({ nullable: true }).isISO8601().withMessage('Due date must be a valid date.'),
+  validate,
+], updateTask);
+
+router.delete('/:id', deleteTask);
+
+module.exports = router;

backend/src/server.js

@@ -0,0 +1,62 @@
+require('dotenv').config();
+const express = require('express');
+const cors    = require('cors');
+const helmet  = require('helmet');
+const rateLimit = require('express-rate-limit');
+
+const authRoutes    = require('./routes/auth');
+const taskRoutes    = require('./routes/tasks');
+const adminRoutes   = require('./routes/admin');
+const commentRoutes = require('./routes/comments');
+
+const app = express();
+
+// On HuggingFace, nginx proxies /api/* to this process on 127.0.0.1:5000
+// so requests arrive without an Origin header — CORS is only needed for local dev
+app.use(helmet({ contentSecurityPolicy: false }));
+
+const allowedOrigins = [
+  process.env.FRONTEND_URL || 'http://localhost:3000',
+  'http://localhost:3000',
+  'http://127.0.0.1:3000',
+];
+
+app.use(cors({
+  origin: (origin, cb) => {
+    // Allow requests with no origin (nginx proxy, curl, etc.)
+    if (!origin || allowedOrigins.includes(origin)) return cb(null, true);
+    cb(new Error('CORS blocked'));
+  },
+  credentials: true,
+  methods: ['GET','POST','PATCH','PUT','DELETE','OPTIONS'],
+  allowedHeaders: ['Content-Type','Authorization'],
+}));
+
+const generalLimiter = rateLimit({ windowMs: 15*60*1000, max: 500, standardHeaders: true, legacyHeaders: false });
+const authLimiter    = rateLimit({ windowMs: 15*60*1000, max: 20,  message: { error: 'Too many attempts. Try again later.' } });
+
+app.use(generalLimiter);
+app.use(express.json({ limit: '2mb' }));
+app.use(express.urlencoded({ extended: true }));
+
+app.get('/health', (req, res) =>
+  res.json({ status: 'ok', service: 'taskflow-api', ts: new Date().toISOString() })
+);
+
+app.use('/api/auth',               authLimiter, authRoutes);
+app.use('/api/tasks',              taskRoutes);
+app.use('/api/tasks/:id/comments', commentRoutes);
+app.use('/api/admin',              adminRoutes);
+
+app.use((req, res) => res.status(404).json({ error: 'Endpoint not found.' }));
+app.use((err, req, res, next) => {
+  console.error('Unhandled error:', err.message);
+  res.status(500).json({ error: 'An unexpected error occurred.' });
+});
+
+const PORT = process.env.PORT || 5000;
+app.listen(PORT, '127.0.0.1', () =>
+  console.log(`Taskflow API on port ${PORT} [${process.env.NODE_ENV || 'development'}]`)
+);
+
+module.exports = app;

backend/src/utils/auditLogger.js

@@ -0,0 +1,42 @@
+const { query } = require('./db');
+
+/**
+ * Write an audit log entry (append-only, never updated or deleted).
+ */
+const auditLog = async ({
+  organizationId,
+  taskId = null,
+  actorId,
+  actorName,
+  actorEmail,
+  action,
+  entityType = 'task',
+  oldValues = null,
+  newValues = null,
+  metadata = null,
+}) => {
+  try {
+    await query(
+      `INSERT INTO audit_logs
+         (organization_id, task_id, actor_id, actor_name, actor_email, action, entity_type, old_values, new_values, metadata)
+       VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10)`,
+      [
+        organizationId,
+        taskId,
+        actorId,
+        actorName,
+        actorEmail,
+        action,
+        entityType,
+        oldValues ? JSON.stringify(oldValues) : null,
+        newValues ? JSON.stringify(newValues) : null,
+        metadata ? JSON.stringify(metadata) : null,
+      ]
+    );
+  } catch (err) {
+    // Audit log failures must never crash the main request
+    console.error('[AUDIT LOG ERROR]', err.message);
+  }
+};
+
+module.exports = { auditLog };

backend/src/utils/db.js

@@ -0,0 +1,23 @@
+const { Pool } = require('pg');
+
+const pool = new Pool({
+  host: process.env.DB_HOST || 'localhost',
+  port: parseInt(process.env.DB_PORT) || 5432,
+  database: process.env.DB_NAME || 'taskflow',
+  user: process.env.DB_USER || 'taskflow_user',
+  password: process.env.DB_PASSWORD || 'taskflow_secret',
+  max: 20,
+  idleTimeoutMillis: 30000,
+  connectionTimeoutMillis: 2000,
+});
+
+pool.on('error', (err) => {
+  console.error('Unexpected PostgreSQL error:', err);
+  process.exit(-1);
+});
+
+const query = (text, params) => pool.query(text, params);
+
+const getClient = () => pool.connect();
+
+module.exports = { query, getClient, pool };

backend/src/utils/jwt.js

@@ -0,0 +1,23 @@
+const jwt = require('jsonwebtoken');
+
+const JWT_SECRET = process.env.JWT_SECRET || 'fallback_dev_secret_change_in_prod';
+const JWT_EXPIRES_IN = process.env.JWT_EXPIRES_IN || '7d';
+
+const generateToken = (payload) => {
+  return jwt.sign(payload, JWT_SECRET, { expiresIn: JWT_EXPIRES_IN });
+};
+
+const verifyToken = (token) => {
+  return jwt.verify(token, JWT_SECRET);
+};
+
+const buildTokenPayload = (user) => ({
+  sub: user.id,
+  email: user.email,
+  name: user.name,
+  role: user.role,
+  org: user.organization_id,
+  orgSlug: user.org_slug || null,
+});
+
+module.exports = { generateToken, verifyToken, buildTokenPayload };

backend/src/utils/migrate.js

@@ -0,0 +1,115 @@
+require('dotenv').config();
+const { query } = require('./db');
+
+const migrate = async () => {
+  console.log('Running database migrations...');
+
+  await query(`
+    CREATE TABLE IF NOT EXISTS organizations (
+      id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+      name VARCHAR(255) NOT NULL,
+      slug VARCHAR(100) UNIQUE NOT NULL,
+      created_at TIMESTAMPTZ DEFAULT NOW(),
+      updated_at TIMESTAMPTZ DEFAULT NOW()
+    );
+  `);
+
+  await query(`
+    CREATE TABLE IF NOT EXISTS users (
+      id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+      organization_id UUID NOT NULL REFERENCES organizations(id) ON DELETE CASCADE,
+      name VARCHAR(255) NOT NULL,
+      email VARCHAR(255) NOT NULL,
+      password_hash VARCHAR(255),
+      role VARCHAR(50) NOT NULL DEFAULT 'member' CHECK (role IN ('admin', 'member')),
+      oauth_provider VARCHAR(50),
+      oauth_provider_id VARCHAR(255),
+      is_active BOOLEAN DEFAULT TRUE,
+      created_at TIMESTAMPTZ DEFAULT NOW(),
+      updated_at TIMESTAMPTZ DEFAULT NOW(),
+      UNIQUE(email, organization_id)
+    );
+  `);
+
+  await query(`CREATE INDEX IF NOT EXISTS idx_users_org ON users(organization_id);`);
+  await query(`CREATE INDEX IF NOT EXISTS idx_users_email ON users(email);`);
+
+  await query(`
+    CREATE TABLE IF NOT EXISTS tasks (
+      id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+      organization_id UUID NOT NULL REFERENCES organizations(id) ON DELETE CASCADE,
+      title VARCHAR(500) NOT NULL,
+      description TEXT,
+      status VARCHAR(50) NOT NULL DEFAULT 'todo' CHECK (status IN ('todo', 'in_progress', 'in_review', 'done', 'cancelled')),
+      priority VARCHAR(50) NOT NULL DEFAULT 'medium' CHECK (priority IN ('low', 'medium', 'high', 'critical')),
+      creator_id UUID NOT NULL REFERENCES users(id) ON DELETE SET NULL,
+      assignee_id UUID REFERENCES users(id) ON DELETE SET NULL,
+      due_date TIMESTAMPTZ,
+      created_at TIMESTAMPTZ DEFAULT NOW(),
+      updated_at TIMESTAMPTZ DEFAULT NOW()
+    );
+  `);
+
+  await query(`CREATE INDEX IF NOT EXISTS idx_tasks_org ON tasks(organization_id);`);
+  await query(`CREATE INDEX IF NOT EXISTS idx_tasks_status ON tasks(organization_id, status);`);
+  await query(`CREATE INDEX IF NOT EXISTS idx_tasks_assignee ON tasks(assignee_id);`);
+  await query(`CREATE INDEX IF NOT EXISTS idx_tasks_priority ON tasks(organization_id, priority);`);
+  await query(`CREATE INDEX IF NOT EXISTS idx_tasks_due_date ON tasks(organization_id, due_date);`);
+
+  await query(`
+    CREATE TABLE IF NOT EXISTS task_comments (
+      id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+      task_id UUID NOT NULL REFERENCES tasks(id) ON DELETE CASCADE,
+      organization_id UUID NOT NULL REFERENCES organizations(id) ON DELETE CASCADE,
+      author_id UUID NOT NULL REFERENCES users(id) ON DELETE SET NULL,
+      body TEXT NOT NULL,
+      created_at TIMESTAMPTZ DEFAULT NOW(),
+      updated_at TIMESTAMPTZ DEFAULT NOW()
+    );
+  `);
+  await query(`CREATE INDEX IF NOT EXISTS idx_comments_task ON task_comments(task_id);`);
+
+  await query(`
+    CREATE TABLE IF NOT EXISTS audit_logs (
+      id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+      organization_id UUID NOT NULL REFERENCES organizations(id) ON DELETE CASCADE,
+      task_id UUID REFERENCES tasks(id) ON DELETE SET NULL,
+      actor_id UUID REFERENCES users(id) ON DELETE SET NULL,
+      actor_name VARCHAR(255) NOT NULL,
+      actor_email VARCHAR(255) NOT NULL,
+      action VARCHAR(100) NOT NULL,
+      entity_type VARCHAR(50) NOT NULL DEFAULT 'task',
+      old_values JSONB,
+      new_values JSONB,
+      metadata JSONB,
+      created_at TIMESTAMPTZ DEFAULT NOW()
+    );
+  `);
+  await query(`CREATE INDEX IF NOT EXISTS idx_audit_org ON audit_logs(organization_id);`);
+  await query(`CREATE INDEX IF NOT EXISTS idx_audit_task ON audit_logs(task_id);`);
+  await query(`CREATE INDEX IF NOT EXISTS idx_audit_created ON audit_logs(organization_id, created_at DESC);`);
+
+  await query(`
+    CREATE TABLE IF NOT EXISTS invites (
+      id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+      organization_id UUID NOT NULL REFERENCES organizations(id) ON DELETE CASCADE,
+      email VARCHAR(255) NOT NULL,
+      role VARCHAR(50) NOT NULL DEFAULT 'member',
+      token VARCHAR(255) UNIQUE NOT NULL,
+      invited_by UUID REFERENCES users(id) ON DELETE SET NULL,
+      expires_at TIMESTAMPTZ NOT NULL,
+      used_at TIMESTAMPTZ,
+      created_at TIMESTAMPTZ DEFAULT NOW()
+    );
+  `);
+  await query(`CREATE INDEX IF NOT EXISTS idx_invites_token ON invites(token);`);
+  await query(`CREATE INDEX IF NOT EXISTS idx_invites_org ON invites(organization_id);`);
+
+  console.log('✅ Migrations complete.');
+  process.exit(0);
+};
+
+migrate().catch(err => {
+  console.error('Migration failed:', err);
+  process.exit(1);
+});

backend/src/utils/seed.js

@@ -0,0 +1,87 @@
+require('dotenv').config();
+const bcrypt = require('bcryptjs');
+const { v4: uuidv4 } = require('uuid');
+const { query } = require('./db');
+
+const seed = async () => {
+  console.log('Seeding database...');
+
+  // Create two demo organizations
+  const org1Id = uuidv4();
+  const org2Id = uuidv4();
+
+  await query(`
+    INSERT INTO organizations (id, name, slug) VALUES
+    ($1, 'Acme Corp', 'acme-corp'),
+    ($2, 'Globex Inc', 'globex-inc')
+    ON CONFLICT (slug) DO NOTHING;
+  `, [org1Id, org2Id]);
+
+  // Fetch actual org IDs in case they already existed
+  const { rows: orgs } = await query(`SELECT id, slug FROM organizations WHERE slug IN ('acme-corp', 'globex-inc')`);
+  const acme = orgs.find(o => o.slug === 'acme-corp');
+  const globex = orgs.find(o => o.slug === 'globex-inc');
+
+  const hash = await bcrypt.hash('Password123!', 12);
+
+  // Acme users
+  const admin1Id = uuidv4();
+  const member1Id = uuidv4();
+  await query(`
+    INSERT INTO users (id, organization_id, name, email, password_hash, role) VALUES
+    ($1, $2, 'Alice Admin', 'alice@acme.com', $3, 'admin'),
+    ($4, $2, 'Bob Member', 'bob@acme.com', $3, 'member')
+    ON CONFLICT DO NOTHING;
+  `, [admin1Id, acme.id, hash, member1Id]);
+
+  // Globex users
+  const admin2Id = uuidv4();
+  await query(`
+    INSERT INTO users (id, organization_id, name, email, password_hash, role) VALUES
+    ($1, $2, 'Carol Admin', 'carol@globex.com', $3, 'admin')
+    ON CONFLICT DO NOTHING;
+  `, [admin2Id, globex.id, hash]);
+
+  // Fetch real user IDs
+  const { rows: users } = await query(`SELECT id, email FROM users WHERE email IN ('alice@acme.com', 'bob@acme.com', 'carol@globex.com')`);
+  const alice = users.find(u => u.email === 'alice@acme.com');
+  const bob = users.find(u => u.email === 'bob@acme.com');
+
+  // Seed tasks for Acme
+  const taskStatuses = ['todo', 'in_progress', 'in_review', 'done'];
+  const taskPriorities = ['low', 'medium', 'high', 'critical'];
+  const sampleTasks = [
+    { title: 'Set up CI/CD pipeline', description: 'Configure GitHub Actions for automated testing and deployment', status: 'done', priority: 'high' },
+    { title: 'Design database schema', description: 'Create ERD and finalize relationships for all entities', status: 'done', priority: 'critical' },
+    { title: 'Build authentication module', description: 'Implement JWT-based auth with refresh token support', status: 'in_progress', priority: 'critical' },
+    { title: 'Create task CRUD endpoints', description: 'RESTful API endpoints for task management', status: 'in_progress', priority: 'high' },
+    { title: 'Write unit tests', description: 'Cover all service functions with Jest unit tests', status: 'todo', priority: 'medium' },
+    { title: 'Implement RBAC middleware', description: 'Role-based access control for all protected routes', status: 'in_review', priority: 'high' },
+    { title: 'Set up Docker Compose', description: 'Containerize all services with proper networking', status: 'done', priority: 'medium' },
+    { title: 'Add audit logging', description: 'Track all create, update, delete operations with metadata', status: 'todo', priority: 'medium' },
+  ];
+
+  for (const task of sampleTasks) {
+    const taskId = uuidv4();
+    const assignee = Math.random() > 0.5 ? alice.id : bob.id;
+    await query(`
+      INSERT INTO tasks (id, organization_id, title, description, status, priority, creator_id, assignee_id, due_date)
+      VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)
+      ON CONFLICT DO NOTHING;
+    `, [taskId, acme.id, task.title, task.description, task.status, task.priority, alice.id, assignee,
+        new Date(Date.now() + Math.random() * 14 * 24 * 60 * 60 * 1000)]);
+  }
+
+  console.log('✅ Seed complete.');
+  console.log('');
+  console.log('Demo accounts (password: Password123!):');
+  console.log('  alice@acme.com  — Admin @ Acme Corp');
+  console.log('  bob@acme.com    — Member @ Acme Corp');
+  console.log('  carol@globex.com — Admin @ Globex Inc');
+  process.exit(0);
+};
+
+seed().catch(err => {
+  console.error('Seed failed:', err);
+  process.exit(1);
+});

docker-compose.dev.yml

@@ -0,0 +1,44 @@
+version: '3.9'
+
+# Development override - mounts source code for hot reloading
+# Usage: docker-compose -f docker-compose.yml -f docker-compose.dev.yml up
+
+services:
+  postgres:
+    ports:
+      - "5432:5432"   # expose DB port for local tools (TablePlus, DBeaver, etc.)
+
+  backend:
+    build:
+      context: ./backend
+      dockerfile: Dockerfile
+    command: ["sh", "-c", "node src/utils/migrate.js && npm run dev"]
+    environment:
+      NODE_ENV: development
+      PORT: 5000
+      DB_HOST: postgres
+      DB_PORT: 5432
+      DB_NAME: taskflow
+      DB_USER: taskflow_user
+      DB_PASSWORD: taskflow_secret
+      JWT_SECRET: dev_secret_change_in_production_min_32_chars_long
+      JWT_EXPIRES_IN: 7d
+      FRONTEND_URL: http://localhost:3000
+    volumes:
+      - ./backend:/app
+      - /app/node_modules
+    ports:
+      - "5000:5000"
+
+  frontend:
+    build:
+      context: ./frontend
+      dockerfile: Dockerfile.dev
+    environment:
+      REACT_APP_API_URL: http://localhost:5000/api
+      CHOKIDAR_USEPOLLING: "true"
+    volumes:
+      - ./frontend/src:/app/src
+      - ./frontend/public:/app/public
+    ports:
+      - "3000:3000"

docker-compose.yml

@@ -0,0 +1,90 @@
+version: '3.9'
+
+services:
+  postgres:
+    image: postgres:16-alpine
+    container_name: taskflow_postgres
+    restart: unless-stopped
+    environment:
+      POSTGRES_DB: taskflow
+      POSTGRES_USER: taskflow_user
+      POSTGRES_PASSWORD: taskflow_secret
+    volumes:
+      - postgres_data:/var/lib/postgresql/data
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U taskflow_user -d taskflow"]
+      interval: 5s
+      timeout: 5s
+      retries: 10
+    networks:
+      - taskflow_net
+
+  backend:
+    build:
+      context: ./backend
+      dockerfile: Dockerfile
+    container_name: taskflow_backend
+    restart: unless-stopped
+    depends_on:
+      postgres:
+        condition: service_healthy
+    environment:
+      NODE_ENV: production
+      PORT: 5000
+      DB_HOST: postgres
+      DB_PORT: 5432
+      DB_NAME: taskflow
+      DB_USER: taskflow_user
+      DB_PASSWORD: taskflow_secret
+      JWT_SECRET: change_this_to_a_long_random_secret_min_32_chars_in_production
+      JWT_EXPIRES_IN: 7d
+      FRONTEND_URL: http://localhost:3000
+    networks:
+      - taskflow_net
+    healthcheck:
+      test: ["CMD-SHELL", "wget -qO- http://localhost:5000/health || exit 1"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+
+  seed:
+    build:
+      context: ./backend
+      dockerfile: Dockerfile
+    container_name: taskflow_seed
+    depends_on:
+      backend:
+        condition: service_healthy
+    environment:
+      NODE_ENV: development
+      DB_HOST: postgres
+      DB_PORT: 5432
+      DB_NAME: taskflow
+      DB_USER: taskflow_user
+      DB_PASSWORD: taskflow_secret
+    command: ["node", "src/utils/seed.js"]
+    networks:
+      - taskflow_net
+    profiles:
+      - seed
+
+  frontend:
+    build:
+      context: ./frontend
+      dockerfile: Dockerfile
+    container_name: taskflow_frontend
+    restart: unless-stopped
+    depends_on:
+      backend:
+        condition: service_healthy
+    ports:
+      - "3000:80"
+    networks:
+      - taskflow_net
+
+volumes:
+  postgres_data:
+
+networks:
+  taskflow_net:
+    driver: bridge

frontend/.env.example

@@ -0,0 +1 @@
+REACT_APP_API_URL=http://localhost:5000/api

frontend/Dockerfile

@@ -0,0 +1,14 @@
+# Build stage
+FROM node:20-alpine AS builder
+WORKDIR /app
+COPY package*.json ./
+RUN npm ci
+COPY . .
+RUN npm run build
+
+# Production stage - serve with nginx
+FROM nginx:alpine
+COPY --from=builder /app/build /usr/share/nginx/html
+COPY nginx.conf /etc/nginx/conf.d/default.conf
+EXPOSE 80
+CMD ["nginx", "-g", "daemon off;"]

frontend/Dockerfile.dev

@@ -0,0 +1,7 @@
+FROM node:20-alpine
+WORKDIR /app
+COPY package*.json ./
+RUN npm ci
+COPY . .
+EXPOSE 3000
+CMD ["npm", "start"]

frontend/nginx.conf

@@ -0,0 +1,33 @@
+server {
+    listen 80;
+    server_name _;
+    root /usr/share/nginx/html;
+    index index.html;
+
+    # Gzip compression
+    gzip on;
+    gzip_types text/plain text/css application/json application/javascript text/xml application/xml text/javascript;
+
+    # Proxy API requests to backend
+    location /api/ {
+        proxy_pass http://backend:5000;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection 'upgrade';
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_cache_bypass $http_upgrade;
+    }
+
+    # React SPA - all routes serve index.html
+    location / {
+        try_files $uri $uri/ /index.html;
+    }
+
+    # Cache static assets
+    location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff2?)$ {
+        expires 1y;
+        add_header Cache-Control "public, immutable";
+    }
+}

frontend/package.json

@@ -0,0 +1,28 @@
+{
+  "name": "taskflow-frontend",
+  "version": "1.0.0",
+  "private": true,
+  "dependencies": {
+    "@tanstack/react-query": "^5.17.0",
+    "axios": "^1.6.5",
+    "date-fns": "^3.3.1",
+    "lucide-react": "^0.309.0",
+    "react": "^18.2.0",
+    "react-dom": "^18.2.0",
+    "react-router-dom": "^6.21.3",
+    "react-scripts": "5.0.1",
+    "react-hot-toast": "^2.4.1"
+  },
+  "scripts": {
+    "start": "react-scripts start",
+    "build": "react-scripts build"
+  },
+  "eslintConfig": {
+    "extends": ["react-app"]
+  },
+  "browserslist": {
+    "production": [">0.2%", "not dead", "not op_mini all"],
+    "development": ["last 1 chrome version", "last 1 firefox version"]
+  },
+  "proxy": "http://backend:5000"
+}

frontend/public/index.html

@@ -0,0 +1,14 @@
+<!DOCTYPE html>
+<html lang="en">
+  <head>
+    <meta charset="utf-8" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <meta name="theme-color" content="#0d0f12" />
+    <meta name="description" content="TaskFlow - Multi-tenant task management" />
+    <title>TaskFlow</title>
+  </head>
+  <body>
+    <noscript>You need to enable JavaScript to run this app.</noscript>
+    <div id="root"></div>
+  </body>
+</html>

frontend/src/App.jsx

@@ -0,0 +1,76 @@
+import React from 'react';
+import { BrowserRouter, Routes, Route, Navigate } from 'react-router-dom';
+import { QueryClient, QueryClientProvider } from '@tanstack/react-query';
+import { Toaster } from 'react-hot-toast';
+import { AuthProvider, useAuth } from './context/AuthContext';
+import AppLayout from './components/layout/AppLayout';
+
+import LoginPage       from './pages/LoginPage';
+import RegisterPage    from './pages/RegisterPage';
+import AcceptInvitePage from './pages/AcceptInvitePage';
+import DashboardPage   from './pages/DashboardPage';
+import TasksPage       from './pages/TasksPage';
+import BoardPage       from './pages/BoardPage';
+import TaskDetailPage  from './pages/TaskDetailPage';
+import AdminPage       from './pages/AdminPage';
+import NotFoundPage    from './pages/NotFoundPage';
+
+const queryClient = new QueryClient({
+  defaultOptions: { queries: { retry: 1, staleTime: 30000, refetchOnWindowFocus: false } },
+});
+
+const PrivateRoute = ({ children, adminOnly = false }) => {
+  const { user, isAdmin } = useAuth();
+  if (!user) return <Navigate to="/login" replace />;
+  if (adminOnly && !isAdmin) return <Navigate to="/dashboard" replace />;
+  return children;
+};
+
+const PublicRoute = ({ children }) => {
+  const { user } = useAuth();
+  return user ? <Navigate to="/dashboard" replace /> : children;
+};
+
+const AppRoutes = () => (
+  <Routes>
+    <Route path="/"              element={<Navigate to="/dashboard" replace />} />
+    <Route path="/login"         element={<PublicRoute><LoginPage /></PublicRoute>} />
+    <Route path="/register"      element={<PublicRoute><RegisterPage /></PublicRoute>} />
+    <Route path="/accept-invite" element={<AcceptInvitePage />} />
+
+    <Route element={<PrivateRoute><AppLayout /></PrivateRoute>}>
+      <Route path="/dashboard" element={<DashboardPage />} />
+      <Route path="/tasks"     element={<TasksPage />} />
+      <Route path="/tasks/:id" element={<TaskDetailPage />} />
+      <Route path="/board"     element={<BoardPage />} />
+      <Route path="/admin"     element={<PrivateRoute adminOnly><AdminPage /></PrivateRoute>} />
+    </Route>
+
+    <Route path="*" element={<NotFoundPage />} />
+  </Routes>
+);
+
+export default function App() {
+  return (
+    <QueryClientProvider client={queryClient}>
+      <AuthProvider>
+        <BrowserRouter>
+          <AppRoutes />
+          <Toaster
+            position="top-right"
+            toastOptions={{
+              style: {
+                background: '#faf7f2', color: '#1c1814',
+                border: '1.5px solid #ddd6c8',
+                borderRadius: '8px', fontSize: '13.5px',
+                boxShadow: '0 4px 12px rgba(28,24,20,.1)',
+              },
+              success: { iconTheme: { primary: '#2d5a3d', secondary: '#faf7f2' } },
+              error:   { iconTheme: { primary: '#9b3a3a', secondary: '#faf7f2' } },
+            }}
+          />
+        </BrowserRouter>
+      </AuthProvider>
+    </QueryClientProvider>
+  );
+}

frontend/src/components/layout/AppLayout.jsx

@@ -0,0 +1,73 @@
+import React, { useState } from 'react';
+import { Outlet, NavLink, useNavigate } from 'react-router-dom';
+import { LayoutDashboard, CheckSquare, ShieldCheck, LogOut, Menu, X, Building2, Kanban } from 'lucide-react';
+import { useAuth } from '../../context/AuthContext';
+import styles from './AppLayout.module.css';
+
+export default function AppLayout() {
+  const { user, logout, isAdmin } = useAuth();
+  const [sidebarOpen, setSidebarOpen] = useState(false);
+  const navigate = useNavigate();
+
+  const handleLogout = () => { logout(); navigate('/login'); };
+
+  return (
+    <div className={styles.shell}>
+      {sidebarOpen && <div className={styles.overlay} onClick={() => setSidebarOpen(false)} />}
+
+      <aside className={`${styles.sidebar} ${sidebarOpen ? styles.sidebarOpen : ''}`}>
+        <div className={styles.sidebarHeader}>
+          <div className={styles.logo}>
+            <div className={styles.logoMark}>T</div>
+            <span className={styles.logoText}>Taskflow</span>
+          </div>
+          <button className={styles.closeMobile} onClick={() => setSidebarOpen(false)}><X size={18} /></button>
+        </div>
+
+        <div className={styles.orgBadge}>
+          <Building2 size={12} />
+          <span>{user?.orgName || 'Organization'}</span>
+        </div>
+
+        <nav className={styles.nav}>
+          <span className={styles.navSection}>Workspace</span>
+          {[
+            { to: '/dashboard', icon: LayoutDashboard, label: 'Dashboard' },
+            { to: '/tasks',     icon: CheckSquare,     label: 'Task List'  },
+            { to: '/board',     icon: Kanban,          label: 'Board'      },
+            ...(isAdmin ? [{ to: '/admin', icon: ShieldCheck, label: 'Admin' }] : []),
+          ].map(({ to, icon: Icon, label }) => (
+            <NavLink key={to} to={to}
+              className={({ isActive }) => `${styles.navItem} ${isActive ? styles.navItemActive : ''}`}
+              onClick={() => setSidebarOpen(false)}
+            >
+              <Icon size={16} /><span>{label}</span>
+            </NavLink>
+          ))}
+        </nav>
+
+        <div className={styles.userSection}>
+          <div className={styles.userInfo}>
+            <div className={styles.avatar}>{user?.name?.[0]?.toUpperCase()}</div>
+            <div className={styles.userDetails}>
+              <span className={styles.userName}>{user?.name}</span>
+              <span className={styles.userRole}>{user?.role}</span>
+            </div>
+          </div>
+          <button className={styles.logoutBtn} onClick={handleLogout} title="Logout"><LogOut size={15} /></button>
+        </div>
+      </aside>
+
+      <div className={styles.main}>
+        <header className={styles.header}>
+          <button className={styles.menuBtn} onClick={() => setSidebarOpen(true)}><Menu size={20} /></button>
+          <div className={styles.headerRight}>
+            <span className={styles.headerOrg}>{user?.orgName}</span>
+            <div className={styles.headerAvatar}>{user?.name?.[0]?.toUpperCase()}</div>
+          </div>
+        </header>
+        <main className={styles.content}><Outlet /></main>
+      </div>
+    </div>
+  );
+}

frontend/src/components/layout/AppLayout.module.css

@@ -0,0 +1,71 @@
+.shell { display:flex; height:100vh; overflow:hidden; }
+.overlay { display:none; position:fixed; inset:0; background:rgba(28,24,20,.45); z-index:40; }
+
+.sidebar {
+  width:var(--sidebar-w); background:var(--bg-surface);
+  border-right:1.5px solid var(--border); display:flex;
+  flex-direction:column; flex-shrink:0; z-index:50;
+  transition:transform .25s ease;
+}
+
+.sidebarHeader { display:flex;align-items:center;justify-content:space-between;padding:18px 18px 14px;border-bottom:1px solid var(--border); }
+
+.logo { display:flex;align-items:center;gap:9px; }
+.logoMark { width:30px;height:30px;background:var(--accent);border-radius:7px;display:flex;align-items:center;justify-content:center;color:#fff;font-weight:700;font-size:14px;font-family:'Lora',serif;flex-shrink:0; }
+.logoText { font-family:'Lora',serif;font-weight:700;font-size:17px;color:var(--text-primary);letter-spacing:-.2px; }
+
+.closeMobile { display:none; background:none; border:none; color:var(--text-muted); padding:4px; }
+
+.orgBadge {
+  display:flex;align-items:center;gap:7px;margin:10px 14px;
+  padding:7px 11px;background:var(--bg-base);border-radius:var(--radius);
+  font-size:11.5px;font-weight:600;color:var(--text-muted);border:1px solid var(--border);
+  overflow:hidden;white-space:nowrap;
+}
+.orgBadge span { overflow:hidden;text-overflow:ellipsis; }
+
+.nav { flex:1;padding:6px 10px;display:flex;flex-direction:column;gap:1px; }
+
+.navItem {
+  display:flex;align-items:center;gap:11px;padding:9px 12px;
+  border-radius:var(--radius);color:var(--text-secondary);
+  font-size:13.5px;font-weight:500;transition:all .13s ease;text-decoration:none;
+  border:1px solid transparent;
+}
+.navItem:hover { background:var(--bg-hover);color:var(--text-primary);text-decoration:none; }
+.navItemActive { background:var(--accent-light);color:var(--accent);border-color:var(--accent-border);font-weight:600; }
+.navItemActive:hover { background:var(--accent-light);color:var(--accent);text-decoration:none; }
+
+.navSection { font-size:10.5px;font-weight:700;letter-spacing:.08em;color:var(--text-faint);text-transform:uppercase;padding:10px 12px 4px; }
+
+.userSection { padding:14px;border-top:1px solid var(--border);display:flex;align-items:center;gap:8px; }
+.userInfo { flex:1;display:flex;align-items:center;gap:10px;min-width:0; }
+.avatar {
+  width:32px;height:32px;border-radius:50%;background:var(--accent);
+  color:#fff;font-weight:700;font-size:12.5px;display:flex;align-items:center;
+  justify-content:center;flex-shrink:0;font-family:'Lora',serif;
+}
+.userDetails { display:flex;flex-direction:column;min-width:0; }
+.userName { font-size:13px;font-weight:600;color:var(--text-primary);white-space:nowrap;overflow:hidden;text-overflow:ellipsis; }
+.userRole { font-size:11px;color:var(--text-muted);text-transform:capitalize; }
+
+.logoutBtn { background:none;border:none;color:var(--text-faint);padding:5px;border-radius:var(--radius);display:flex;align-items:center;transition:all .15s; }
+.logoutBtn:hover { background:var(--rose-light);color:var(--rose); }
+
+.main { flex:1;display:flex;flex-direction:column;overflow:hidden; }
+.header { height:var(--header-h);background:var(--bg-surface);border-bottom:1.5px solid var(--border);display:flex;align-items:center;justify-content:space-between;padding:0 24px;flex-shrink:0; }
+.menuBtn { display:none;background:none;border:none;color:var(--text-muted);padding:4px;cursor:pointer; }
+.headerRight { display:flex;align-items:center;gap:10px;margin-left:auto; }
+.headerOrg { font-size:12.5px;color:var(--text-muted);font-weight:500; }
+.headerAvatar { width:30px;height:30px;border-radius:50%;background:var(--accent);color:#fff;font-weight:700;font-size:11.5px;display:flex;align-items:center;justify-content:center;font-family:'Lora',serif; }
+.content { flex:1;overflow-y:auto;padding:26px 30px; }
+
+@media(max-width:768px){
+  .sidebar{position:fixed;top:0;left:0;height:100%;transform:translateX(-100%);}
+  .sidebarOpen{transform:translateX(0);}
+  .overlay{display:block;}
+  .closeMobile{display:flex;}
+  .menuBtn{display:flex;}
+  .headerOrg{display:none;}
+  .content{padding:18px 16px;}
+}

frontend/src/components/tasks/TaskModal.jsx

@@ -0,0 +1,140 @@
+import React, { useState, useEffect } from 'react';
+import { useMutation, useQuery } from '@tanstack/react-query';
+import { X } from 'lucide-react';
+import api from '../../utils/api';
+import toast from 'react-hot-toast';
+import '../../components/ui/components.css';
+import styles from './TaskModal.module.css';
+
+export default function TaskModal({ task, defaultStatus = 'todo', onClose, onSuccess }) {
+  const isEdit = !!task;
+
+  const [form, setForm] = useState({
+    title:       task?.title       || '',
+    description: task?.description || '',
+    status:      task?.status      || defaultStatus,
+    priority:    task?.priority    || 'medium',
+    assignee_id: task?.assignee_id || '',
+    due_date:    task?.due_date    ? task.due_date.slice(0, 10) : '',
+  });
+  const [errors, setErrors] = useState({});
+
+  const { data: orgUsers = [] } = useQuery({
+    queryKey: ['org-users'],
+    queryFn: () => api.get('/admin/users/org').then(r => r.data),
+  });
+
+  const set = k => e => setForm(f => ({ ...f, [k]: e.target.value }));
+
+  const validate = () => {
+    const e = {};
+    if (!form.title.trim()) e.title = 'Title is required.';
+    setErrors(e);
+    return !Object.keys(e).length;
+  };
+
+  const mutation = useMutation({
+    mutationFn: payload =>
+      isEdit
+        ? api.patch(`/tasks/${task.id}`, payload).then(r => r.data)
+        : api.post('/tasks', payload).then(r => r.data),
+    onSuccess: () => { toast.success(isEdit ? 'Task updated.' : 'Task created.'); onSuccess(); },
+    onError: err => {
+      const d = err.response?.data;
+      if (d?.details) {
+        const fe = {};
+        d.details.forEach(({ field, message }) => { fe[field] = message; });
+        setErrors(fe);
+      } else toast.error(d?.error || 'Something went wrong.');
+    },
+  });
+
+  const handleSubmit = ev => {
+    ev.preventDefault();
+    if (!validate()) return;
+    mutation.mutate({ ...form, assignee_id: form.assignee_id || null, due_date: form.due_date || null });
+  };
+
+  useEffect(() => {
+    const h = e => { if (e.key === 'Escape') onClose(); };
+    window.addEventListener('keydown', h);
+    return () => window.removeEventListener('keydown', h);
+  }, [onClose]);
+
+  return (
+    <div className={styles.overlay} onClick={e => { if (e.target === e.currentTarget) onClose(); }}>
+      <div className={styles.modal} role="dialog" aria-modal="true">
+        <div className={styles.header}>
+          <h2 className={styles.title}>{isEdit ? 'Edit Task' : 'New Task'}</h2>
+          <button className={styles.closeBtn} onClick={onClose}><X size={17}/></button>
+        </div>
+
+        <form onSubmit={handleSubmit} className={styles.body} noValidate>
+          <div className="field">
+            <label className="field-label">Title <span style={{color:'var(--rose)'}}>*</span></label>
+            <input
+              className={`field-input ${errors.title ? 'field-input-error' : ''}`}
+              type="text" placeholder="What needs to be done?"
+              value={form.title} onChange={set('title')} autoFocus
+            />
+            {errors.title && <span className="field-error">{errors.title}</span>}
+          </div>
+
+          <div className="field">
+            <label className="field-label">Description</label>
+            <textarea
+              className="field-input" placeholder="Add more detail, context, or acceptance criteria…"
+              value={form.description} onChange={set('description')} rows={3}
+            />
+          </div>
+
+          <div className={styles.row}>
+            <div className="field">
+              <label className="field-label">Status</label>
+              <select className="field-input" value={form.status} onChange={set('status')}>
+                <option value="todo">To Do</option>
+                <option value="in_progress">In Progress</option>
+                <option value="in_review">In Review</option>
+                <option value="done">Done</option>
+                <option value="cancelled">Cancelled</option>
+              </select>
+            </div>
+            <div className="field">
+              <label className="field-label">Priority</label>
+              <select className="field-input" value={form.priority} onChange={set('priority')}>
+                <option value="low">Low</option>
+                <option value="medium">Medium</option>
+                <option value="high">High</option>
+                <option value="critical">Critical</option>
+              </select>
+            </div>
+          </div>
+
+          <div className={styles.row}>
+            <div className="field">
+              <label className="field-label">Assignee</label>
+              <select className="field-input" value={form.assignee_id} onChange={set('assignee_id')}>
+                <option value="">Unassigned</option>
+                {orgUsers.map(u => (
+                  <option key={u.id} value={u.id}>{u.name}</option>
+                ))}
+              </select>
+            </div>
+            <div className="field">
+              <label className="field-label">Due Date</label>
+              <input className="field-input" type="date" value={form.due_date} onChange={set('due_date')}/>
+            </div>
+          </div>
+
+          <div className={styles.footer}>
+            <button type="button" className="btn btn-secondary btn-md" onClick={onClose}>Cancel</button>
+            <button type="submit" className="btn btn-primary btn-md" disabled={mutation.isPending}>
+              {mutation.isPending ? <span className="spinner"/> : null}
+              {mutation.isPending ? 'Saving…' : isEdit ? 'Save Changes' : 'Create Task'}
+            </button>
+          </div>
+        </form>
+      </div>
+    </div>
+  );
+}

frontend/src/components/tasks/TaskModal.module.css

@@ -0,0 +1,42 @@
+.overlay {
+  position: fixed; inset: 0; background: rgba(28,24,20,.5);
+  display: flex; align-items: center; justify-content: center;
+  z-index: 100; padding: 16px;
+  backdrop-filter: blur(3px);
+  animation: fadeIn .15s ease;
+}
+@keyframes fadeIn { from{opacity:0} to{opacity:1} }
+
+.modal {
+  background: var(--bg-elevated); border: 1.5px solid var(--border-strong);
+  border-radius: var(--radius-xl); width: 100%; max-width: 530px;
+  box-shadow: var(--shadow-lg);
+  animation: slideUp .2s ease;
+  max-height: 92vh; overflow-y: auto;
+}
+@keyframes slideUp { from{transform:translateY(18px);opacity:0} to{transform:translateY(0);opacity:1} }
+
+.header {
+  display: flex; align-items: center; justify-content: space-between;
+  padding: 20px 22px 0;
+}
+
+.title { font-family: 'Lora', serif; font-size: 17px; font-weight: 700; color: var(--text-primary); }
+
+.closeBtn {
+  background: none; border: none; color: var(--text-muted); cursor: pointer;
+  padding: 5px; border-radius: var(--radius); display: flex; align-items: center;
+  transition: all .13s;
+}
+.closeBtn:hover { background: var(--bg-hover); color: var(--text-primary); }
+
+.body { padding: 18px 22px; display: flex; flex-direction: column; gap: 14px; }
+
+.row { display: grid; grid-template-columns: 1fr 1fr; gap: 14px; }
+
+.footer {
+  display: flex; justify-content: flex-end; gap: 9px;
+  padding-top: 4px; border-top: 1px solid var(--border); margin-top: 4px;
+}
+
+@media(max-width:480px){ .row{grid-template-columns:1fr;} }

frontend/src/components/ui/components.css

@@ -0,0 +1,94 @@
+/* ── Buttons ── */
+.btn {
+  display:inline-flex; align-items:center; justify-content:center; gap:7px;
+  font-weight:500; border:1px solid transparent; border-radius:var(--radius);
+  cursor:pointer; transition:all .15s ease; white-space:nowrap;
+  font-family:'Inter',sans-serif; letter-spacing:0.01em;
+}
+.btn:disabled { opacity:.5; cursor:not-allowed; }
+
+.btn-primary   { background:var(--accent); color:#fff; border-color:var(--accent); }
+.btn-primary:hover:not(:disabled)   { background:var(--accent-hover); border-color:var(--accent-hover); }
+
+.btn-secondary { background:var(--bg-elevated); color:var(--text-secondary); border-color:var(--border); }
+.btn-secondary:hover:not(:disabled) { background:var(--bg-hover); border-color:var(--border-strong); }
+
+.btn-danger    { background:var(--rose-light); color:var(--rose); border-color:var(--rose-border); }
+.btn-danger:hover:not(:disabled)    { background:#f7e0e0; }
+
+.btn-ghost     { background:transparent; color:var(--text-muted); border-color:transparent; }
+.btn-ghost:hover:not(:disabled)     { background:var(--bg-hover); color:var(--text-secondary); }
+
+.btn-sm  { padding:5px 11px;  font-size:12.5px; }
+.btn-md  { padding:8px 16px;  font-size:13.5px; }
+.btn-lg  { padding:11px 22px; font-size:14.5px; }
+
+/* ── Badges ── */
+.badge {
+  display:inline-flex; align-items:center; padding:2px 9px;
+  border-radius:100px; font-size:11.5px; font-weight:600; white-space:nowrap;
+  border:1px solid transparent; font-family:'Inter',sans-serif;
+}
+.badge-todo       { background:var(--s-todo-bg);     color:var(--s-todo);      border-color:#ddd6c8; }
+.badge-inprogress { background:var(--s-progress-bg); color:var(--s-progress);  border-color:var(--blue-border); }
+.badge-inreview   { background:var(--s-review-bg);   color:var(--s-review);    border-color:var(--violet-border); }
+.badge-done       { background:var(--s-done-bg);     color:var(--s-done);      border-color:var(--accent-border); }
+.badge-cancelled  { background:var(--s-cancelled-bg);color:var(--s-cancelled); border-color:var(--rose-border); }
+
+.badge-low      { background:var(--accent-light); color:var(--p-low);      border-color:var(--accent-border); }
+.badge-medium   { background:var(--amber-light);  color:var(--p-medium);   border-color:var(--amber-border); }
+.badge-high     { background:#fef3ea;             color:var(--p-high);     border-color:#e8b880; }
+.badge-critical { background:var(--rose-light);   color:var(--p-critical); border-color:var(--rose-border); }
+
+/* ── Fields ── */
+.field { display:flex; flex-direction:column; gap:5px; }
+.field-label { font-size:12.5px; font-weight:600; color:var(--text-secondary); letter-spacing:.02em; }
+.field-input {
+  background:var(--bg-elevated); border:1.5px solid var(--border);
+  border-radius:var(--radius); color:var(--text-primary);
+  font-size:13.5px; padding:9px 13px; transition:border-color .15s;
+  width:100%;
+}
+.field-input:focus { outline:none; border-color:var(--accent); box-shadow:0 0 0 3px rgba(45,90,61,0.1); }
+.field-input-error { border-color:var(--rose) !important; }
+.field-error { font-size:11.5px; color:var(--rose); }
+select.field-input { appearance:none; cursor:pointer; }
+textarea.field-input { resize:vertical; min-height:90px; line-height:1.6; }
+
+/* ── Card ── */
+.card {
+  background:var(--bg-elevated); border:1px solid var(--border);
+  border-radius:var(--radius-lg); padding:22px;
+  box-shadow:var(--shadow-sm);
+}
+
+/* ── Empty State ── */
+.empty-state { display:flex;flex-direction:column;align-items:center;justify-content:center;text-align:center;padding:56px 24px;gap:10px; }
+.empty-icon { width:52px;height:52px;border-radius:50%;background:var(--bg-base);border:1.5px solid var(--border);display:flex;align-items:center;justify-content:center;color:var(--text-faint);margin-bottom:4px; }
+.empty-title { font-family:'Lora',serif;font-size:16px;font-weight:600;color:var(--text-secondary); }
+.empty-desc { font-size:13px;color:var(--text-muted);max-width:300px;line-height:1.5; }
+.empty-action { margin-top:10px; }
+
+/* ── Spinner ── */
+@keyframes spin { to { transform:rotate(360deg); } }
+.spinner {
+  width:15px; height:15px;
+  border:2px solid rgba(255,255,255,.35);
+  border-top-color:white; border-radius:50%;
+  animation:spin .7s linear infinite;
+  display:inline-block; flex-shrink:0;
+}
+.spinner-dark {
+  width:18px; height:18px;
+  border:2px solid var(--border); border-top-color:var(--accent);
+  border-radius:50%; animation:spin .7s linear infinite; display:inline-block;
+}
+
+/* ── Page Header ── */
+.page-header { display:flex;align-items:flex-start;justify-content:space-between;gap:14px;margin-bottom:24px;flex-wrap:wrap; }
+.page-title  { font-family:'Lora',serif;font-size:22px;font-weight:700;color:var(--text-primary);letter-spacing:-.2px; }
+.page-subtitle { font-size:13px;color:var(--text-muted);margin-top:3px; }
+.page-action { flex-shrink:0; }
+
+/* ── Divider ── */
+.divider { height:1px; background:var(--border); margin:16px 0; }

frontend/src/components/ui/index.jsx

@@ -0,0 +1,86 @@
+import React from 'react';
+
+export const Button = ({ children, variant='primary', size='md', loading=false, disabled=false, className='', ...props }) => (
+  <button className={`btn btn-${variant} btn-${size} ${className}`} disabled={disabled||loading} {...props}>
+    {loading && <span className="spinner"/>}{children}
+  </button>
+);
+
+export const StatusBadge = ({ status }) => {
+  const map = {
+    todo:        { label:'To Do',       cls:'badge-todo' },
+    in_progress: { label:'In Progress', cls:'badge-inprogress' },
+    in_review:   { label:'In Review',   cls:'badge-inreview' },
+    done:        { label:'Done',        cls:'badge-done' },
+    cancelled:   { label:'Cancelled',   cls:'badge-cancelled' },
+  };
+  const { label, cls } = map[status] || { label: status, cls: '' };
+  return <span className={`badge ${cls}`}>{label}</span>;
+};
+
+export const PriorityBadge = ({ priority }) => {
+  const map = {
+    low:      { label:'Low',      cls:'badge-low' },
+    medium:   { label:'Medium',   cls:'badge-medium' },
+    high:     { label:'High',     cls:'badge-high' },
+    critical: { label:'Critical', cls:'badge-critical' },
+  };
+  const { label, cls } = map[priority] || { label: priority, cls: '' };
+  return <span className={`badge ${cls}`}>{label}</span>;
+};
+
+export const Input = React.forwardRef(({ label, error, ...props }, ref) => (
+  <div className="field">
+    {label && <label className="field-label">{label}</label>}
+    <input ref={ref} className={`field-input ${error ? 'field-input-error' : ''}`} {...props}/>
+    {error && <span className="field-error">{error}</span>}
+  </div>
+));
+
+export const Select = React.forwardRef(({ label, error, children, ...props }, ref) => (
+  <div className="field">
+    {label && <label className="field-label">{label}</label>}
+    <select ref={ref} className={`field-input ${error ? 'field-input-error' : ''}`} {...props}>{children}</select>
+    {error && <span className="field-error">{error}</span>}
+  </div>
+));
+
+export const Textarea = React.forwardRef(({ label, error, ...props }, ref) => (
+  <div className="field">
+    {label && <label className="field-label">{label}</label>}
+    <textarea ref={ref} className={`field-input ${error ? 'field-input-error' : ''}`} {...props}/>
+    {error && <span className="field-error">{error}</span>}
+  </div>
+));
+
+export const Card = ({ children, className='', ...props }) => (
+  <div className={`card ${className}`} {...props}>{children}</div>
+);
+
+export const EmptyState = ({ icon, title, description, action }) => (
+  <div className="empty-state">
+    {icon && <div className="empty-icon">{icon}</div>}
+    <h3 className="empty-title">{title}</h3>
+    {description && <p className="empty-desc">{description}</p>}
+    {action && <div className="empty-action">{action}</div>}
+  </div>
+);
+
+export const Spinner = ({ size=24 }) => (
+  <svg width={size} height={size} viewBox="0 0 24 24" fill="none"
+    style={{animation:'spin .8s linear infinite',flexShrink:0}}>
+    <style>{'@keyframes spin{to{transform:rotate(360deg)}}'}</style>
+    <circle cx="12" cy="12" r="10" stroke="var(--border-strong)" strokeWidth="3"/>
+    <path d="M12 2a10 10 0 0 1 10 10" stroke="var(--accent)" strokeWidth="3" strokeLinecap="round"/>
+  </svg>
+);
+
+export const PageHeader = ({ title, subtitle, action }) => (
+  <div className="page-header">
+    <div>
+      <h1 className="page-title">{title}</h1>
+      {subtitle && <p className="page-subtitle">{subtitle}</p>}
+    </div>
+    {action && <div className="page-action">{action}</div>}
+  </div>
+);

frontend/src/context/AuthContext.jsx

@@ -0,0 +1,49 @@
+import React, { createContext, useContext, useState, useCallback } from 'react';
+import api from '../utils/api';
+
+const AuthContext = createContext(null);
+
+export const AuthProvider = ({ children }) => {
+  const [user, setUser] = useState(() => {
+    try {
+      const stored = localStorage.getItem('tf_user');
+      return stored ? JSON.parse(stored) : null;
+    } catch { return null; }
+  });
+
+  const login = useCallback(async (email, password) => {
+    const { data } = await api.post('/auth/login', { email, password });
+    localStorage.setItem('tf_token', data.token);
+    localStorage.setItem('tf_user', JSON.stringify(data.user));
+    setUser(data.user);
+    return data.user;
+  }, []);
+
+  const register = useCallback(async (payload) => {
+    const { data } = await api.post('/auth/register', payload);
+    localStorage.setItem('tf_token', data.token);
+    localStorage.setItem('tf_user', JSON.stringify(data.user));
+    setUser(data.user);
+    return data.user;
+  }, []);
+
+  const logout = useCallback(() => {
+    localStorage.removeItem('tf_token');
+    localStorage.removeItem('tf_user');
+    setUser(null);
+  }, []);
+
+  const isAdmin = user?.role === 'admin';
+
+  return (
+    <AuthContext.Provider value={{ user, login, register, logout, isAdmin }}>
+      {children}
+    </AuthContext.Provider>
+  );
+};
+
+export const useAuth = () => {
+  const ctx = useContext(AuthContext);
+  if (!ctx) throw new Error('useAuth must be used within AuthProvider');
+  return ctx;
+};

frontend/src/index.css

@@ -0,0 +1,90 @@
+@import url('https://fonts.googleapis.com/css2?family=Lora:ital,wght@0,400;0,500;0,600;0,700;1,400;1,500&family=Inter:wght@300;400;500;600;700&family=JetBrains+Mono:wght@400;500&display=swap');
+
+*, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }
+
+:root {
+  /* Cream / warm parchment palette */
+  --bg-base:       #f5f0e8;
+  --bg-surface:    #faf7f2;
+  --bg-elevated:   #ffffff;
+  --bg-hover:      #ede8de;
+  --bg-active:     #e4ddd0;
+
+  --border:        #ddd6c8;
+  --border-strong: #c9c0b0;
+
+  --text-primary:  #1c1814;
+  --text-secondary:#4a4540;
+  --text-muted:    #8c8278;
+  --text-faint:    #b8b0a4;
+
+  --accent:        #2d5a3d;
+  --accent-hover:  #234a31;
+  --accent-light:  #eef5f0;
+  --accent-border: #a8c8b4;
+
+  --amber:         #c17d11;
+  --amber-light:   #fdf3e0;
+  --amber-border:  #e8c070;
+
+  --rose:          #9b3a3a;
+  --rose-light:    #fdf0f0;
+  --rose-border:   #dba8a8;
+
+  --blue:          #2a5080;
+  --blue-light:    #eef3fa;
+  --blue-border:   #a0bcd8;
+
+  --violet:        #5a3a7a;
+  --violet-light:  #f3eefa;
+  --violet-border: #c0a0d8;
+
+  /* Status */
+  --s-todo:        #6b6258;
+  --s-todo-bg:     #f0ece5;
+  --s-progress:    var(--blue);
+  --s-progress-bg: var(--blue-light);
+  --s-review:      var(--violet);
+  --s-review-bg:   var(--violet-light);
+  --s-done:        var(--accent);
+  --s-done-bg:     var(--accent-light);
+  --s-cancelled:   var(--rose);
+  --s-cancelled-bg:var(--rose-light);
+
+  /* Priority */
+  --p-low:      var(--accent);
+  --p-medium:   var(--amber);
+  --p-high:     #c15a11;
+  --p-critical: var(--rose);
+
+  --sidebar-w:  252px;
+  --header-h:   56px;
+  --radius:     6px;
+  --radius-lg:  10px;
+  --radius-xl:  14px;
+  --shadow-sm:  0 1px 3px rgba(28,24,20,0.08);
+  --shadow-md:  0 4px 12px rgba(28,24,20,0.1);
+  --shadow-lg:  0 8px 32px rgba(28,24,20,0.14);
+}
+
+html, body, #root { height: 100%; }
+body {
+  font-family: 'Inter', system-ui, sans-serif;
+  background: var(--bg-base);
+  color: var(--text-primary);
+  line-height: 1.6;
+  -webkit-font-smoothing: antialiased;
+}
+
+h1,h2,h3,h4 { font-family: 'Lora', serif; line-height: 1.25; }
+a { color: var(--accent); text-decoration: none; }
+a:hover { color: var(--accent-hover); text-decoration: underline; }
+input, textarea, select, button { font-family: inherit; }
+button { cursor: pointer; }
+code, pre { font-family: 'JetBrains Mono', monospace; }
+
+::-webkit-scrollbar { width: 5px; height: 5px; }
+::-webkit-scrollbar-track { background: var(--bg-base); }
+::-webkit-scrollbar-thumb { background: var(--border-strong); border-radius: 3px; }
+
+.sr-only { position:absolute;width:1px;height:1px;padding:0;margin:-1px;overflow:hidden;clip:rect(0,0,0,0);white-space:nowrap;border:0; }

frontend/src/index.jsx

@@ -0,0 +1,11 @@
+import React from 'react';
+import ReactDOM from 'react-dom/client';
+import './index.css';
+import App from './App';
+
+const root = ReactDOM.createRoot(document.getElementById('root'));
+root.render(
+  <React.StrictMode>
+    <App />
+  </React.StrictMode>
+);

frontend/src/pages/AcceptInvitePage.jsx

@@ -0,0 +1,76 @@
+import React, { useState } from 'react';
+import { useNavigate, useSearchParams, Link } from 'react-router-dom';
+import { Eye, EyeOff } from 'lucide-react';
+import api from '../utils/api';
+import toast from 'react-hot-toast';
+import '../components/ui/components.css';
+import styles from './AuthPage.module.css';
+
+export default function AcceptInvitePage() {
+  const [params] = useSearchParams();
+  const token = params.get('token');
+  const [form, setForm] = useState({ name: '', password: '' });
+  const [showPw, setShowPw] = useState(false);
+  const [loading, setLoading] = useState(false);
+  const [errors, setErrors] = useState({});
+
+  if (!token) return (
+    <div style={{minHeight:'100vh',display:'flex',alignItems:'center',justifyContent:'center',background:'var(--bg-base)'}}>
+      <p style={{color:'var(--rose)'}}>Invalid invite link. <Link to="/login">Go to login</Link></p>
+    </div>
+  );
+
+  const handleSubmit = async ev => {
+    ev.preventDefault();
+    const e = {};
+    if (!form.name.trim()) e.name = 'Name is required.';
+    if (form.password.length < 8) e.password = 'Password must be at least 8 characters.';
+    setErrors(e);
+    if (Object.keys(e).length) return;
+    setLoading(true);
+    try {
+      const { data } = await api.post('/auth/accept-invite', { token, ...form });
+      localStorage.setItem('tf_token', data.token);
+      localStorage.setItem('tf_user', JSON.stringify(data.user));
+      window.location.href = '/dashboard';
+    } catch (err) {
+      toast.error(err.response?.data?.error || 'Failed to accept invite.');
+    } finally { setLoading(false); }
+  };
+
+  return (
+    <div className={styles.page}>
+      <div className={styles.card}>
+        <div className={styles.logoArea}>
+          <div className={styles.logoMark}>T</div>
+          <span className={styles.logoName}>Taskflow</span>
+        </div>
+        <h2 className={styles.heading}>You've been invited</h2>
+        <p className={styles.sub}>Set your name and password to join the workspace</p>
+        <form onSubmit={handleSubmit} className={styles.form} noValidate>
+          <div className="field">
+            <label className="field-label">Your full name</label>
+            <input className={`field-input ${errors.name?'field-input-error':''}`} type="text"
+              placeholder="Jane Smith" value={form.name} onChange={e=>setForm(f=>({...f,name:e.target.value}))} autoFocus/>
+            {errors.name && <span className="field-error">{errors.name}</span>}
+          </div>
+          <div className="field">
+            <label className="field-label">Choose a password</label>
+            <div className={styles.pwWrap}>
+              <input className={`field-input ${errors.password?'field-input-error':''}`}
+                type={showPw?'text':'password'} placeholder="Min 8 characters"
+                value={form.password} onChange={e=>setForm(f=>({...f,password:e.target.value}))}/>
+              <button type="button" className={styles.pwToggle} onClick={()=>setShowPw(v=>!v)}>
+                {showPw?<Eye size={15}/>:<Eye size={15}/>}
+              </button>
+            </div>
+            {errors.password && <span className="field-error">{errors.password}</span>}
+          </div>
+          <button type="submit" className="btn btn-primary btn-md" style={{width:'100%'}} disabled={loading}>
+            {loading?<span className="spinner"/>:null}{loading?'Joining…':'Join Workspace'}
+          </button>
+        </form>
+      </div>
+    </div>
+  );
+}

frontend/src/pages/AdminPage.jsx

@@ -0,0 +1,257 @@
+import React, { useState } from 'react';
+import { useQuery, useMutation, useQueryClient } from '@tanstack/react-query';
+import { Users, ClipboardList, Mail, Plus, X } from 'lucide-react';
+import api from '../utils/api';
+import { Spinner, PageHeader } from '../components/ui';
+import toast from 'react-hot-toast';
+import { format, formatDistanceToNow } from 'date-fns';
+import '../components/ui/components.css';
+import styles from './AdminPage.module.css';
+
+const TABS = [
+  { id:'users',  label:'Team',       icon:Users },
+  { id:'invites',label:'Invites',    icon:Mail },
+  { id:'audit',  label:'Audit Log',  icon:ClipboardList },
+];
+
+export default function AdminPage() {
+  const [tab, setTab] = useState('users');
+  return (
+    <div className={styles.page}>
+      <PageHeader title="Admin" subtitle="Manage your organization"/>
+      <div className={styles.tabs}>
+        {TABS.map(({id,label,icon:Icon})=>(
+          <button key={id} className={`${styles.tab} ${tab===id?styles.tabActive:''}`} onClick={()=>setTab(id)}>
+            <Icon size={14}/>{label}
+          </button>
+        ))}
+      </div>
+      {tab==='users'  && <UsersTab/>}
+      {tab==='invites'&& <InvitesTab/>}
+      {tab==='audit'  && <AuditTab/>}
+    </div>
+  );
+}
+
+function UsersTab() {
+  const qc = useQueryClient();
+  const [showInvite, setShowInvite] = useState(false);
+  const [inviteForm, setInviteForm] = useState({email:'',role:'member'});
+  const [inviteLoading, setInviteLoading] = useState(false);
+
+  const { data:users=[], isLoading } = useQuery({
+    queryKey:['admin-users'],
+    queryFn:()=>api.get('/admin/users').then(r=>r.data),
+  });
+
+  const roleMutation = useMutation({
+    mutationFn:({id,role})=>api.patch(`/admin/users/${id}/role`,{role}),
+    onSuccess:()=>{ toast.success('Role updated.'); qc.invalidateQueries(['admin-users']); },
+    onError:err=>toast.error(err.response?.data?.error||'Failed.'),
+  });
+
+  const deactivateMutation = useMutation({
+    mutationFn:id=>api.patch(`/admin/users/${id}/deactivate`),
+    onSuccess:()=>{ toast.success('User deactivated.'); qc.invalidateQueries(['admin-users']); },
+    onError:err=>toast.error(err.response?.data?.error||'Failed.'),
+  });
+
+  const handleInvite = async e => {
+    e.preventDefault();
+    if (!inviteForm.email) return;
+    setInviteLoading(true);
+    try {
+      const { data } = await api.post('/admin/invites', inviteForm);
+      toast.success(`Invite link: ${data.inviteUrl}`, { duration: 8000 });
+      setShowInvite(false);
+      setInviteForm({email:'',role:'member'});
+      qc.invalidateQueries(['admin-invites']);
+    } catch(err) { toast.error(err.response?.data?.error||'Failed.'); }
+    finally { setInviteLoading(false); }
+  };
+
+  if (isLoading) return <div className={styles.loadArea}><span className="spinner-dark"/></div>;
+
+  return (
+    <div>
+      <div className={styles.sectionHead}>
+        <span className={styles.sectionCount}>{users.length} member{users.length!==1?'s':''}</span>
+        <button className="btn btn-primary btn-sm" onClick={()=>setShowInvite(v=>!v)}>
+          <Plus size={13}/> Invite
+        </button>
+      </div>
+
+      {showInvite && (
+        <div className={styles.inviteBox}>
+          <form onSubmit={handleInvite} className={styles.inviteRow}>
+            <input className="field-input" style={{flex:1}} type="email"
+              placeholder="colleague@company.com" value={inviteForm.email}
+              onChange={e=>setInviteForm(f=>({...f,email:e.target.value}))} required/>
+            <select className="field-input" style={{width:'auto'}}
+              value={inviteForm.role} onChange={e=>setInviteForm(f=>({...f,role:e.target.value}))}>
+              <option value="member">Member</option>
+              <option value="admin">Admin</option>
+            </select>
+            <button type="submit" className="btn btn-primary btn-sm" disabled={inviteLoading}>
+              {inviteLoading?<span className="spinner"/>:'Send'}
+            </button>
+            <button type="button" className="btn btn-ghost btn-sm" onClick={()=>setShowInvite(false)}><X size={13}/></button>
+          </form>
+        </div>
+      )}
+
+      <div className={styles.tableWrap}>
+        <table className={styles.table}>
+          <thead><tr><th>Member</th><th>Role</th><th>Status</th><th>Joined</th><th>Actions</th></tr></thead>
+          <tbody>
+            {users.map(u=>(
+              <tr key={u.id}>
+                <td>
+                  <div className={styles.userCell}>
+                    <div className={styles.userAvatar}>{u.name?.[0]?.toUpperCase()}</div>
+                    <div>
+                      <p className={styles.userName}>{u.name}</p>
+                      <p className={styles.userEmail}>{u.email}</p>
+                    </div>
+                  </div>
+                </td>
+                <td>
+                  <span className={`badge ${u.role==='admin'?'badge-inreview':'badge-todo'}`}>{u.role}</span>
+                </td>
+                <td>
+                  <span className={`badge ${u.is_active?'badge-done':'badge-cancelled'}`}>
+                    {u.is_active?'Active':'Inactive'}
+                  </span>
+                </td>
+                <td className={styles.dateCell}>{formatDistanceToNow(new Date(u.created_at),{addSuffix:true})}</td>
+                <td>
+                  <div className={styles.rowActions}>
+                    <select className={styles.roleSelect} value={u.role}
+                      onChange={e=>{ if(window.confirm(`Change ${u.name} to ${e.target.value}?`)) roleMutation.mutate({id:u.id,role:e.target.value}); }}>
+                      <option value="member">Member</option>
+                      <option value="admin">Admin</option>
+                    </select>
+                    {u.is_active && (
+                      <button className="btn btn-danger btn-sm"
+                        onClick={()=>{ if(window.confirm(`Deactivate ${u.name}?`)) deactivateMutation.mutate(u.id); }}>
+                        Deactivate
+                      </button>
+                    )}
+                  </div>
+                </td>
+              </tr>
+            ))}
+          </tbody>
+        </table>
+      </div>
+    </div>
+  );
+}
+
+function InvitesTab() {
+  const { data:invites=[], isLoading } = useQuery({
+    queryKey:['admin-invites'],
+    queryFn:()=>api.get('/admin/invites').then(r=>r.data),
+  });
+  if (isLoading) return <div className={styles.loadArea}><span className="spinner-dark"/></div>;
+  return (
+    <div>
+      <div className={styles.sectionHead}>
+        <span className={styles.sectionCount}>{invites.length} invite{invites.length!==1?'s':''}</span>
+      </div>
+      {invites.length===0
+        ? <p style={{color:'var(--text-muted)',fontSize:13,padding:'16px 0',fontStyle:'italic'}}>No invites sent yet.</p>
+        : (
+          <div className={styles.tableWrap}>
+            <table className={styles.table}>
+              <thead><tr><th>Email</th><th>Role</th><th>Invited By</th><th>Status</th><th>Expires</th></tr></thead>
+              <tbody>
+                {invites.map(inv=>(
+                  <tr key={inv.id}>
+                    <td style={{fontWeight:500}}>{inv.email}</td>
+                    <td><span className={`badge ${inv.role==='admin'?'badge-inreview':'badge-todo'}`}>{inv.role}</span></td>
+                    <td className={styles.dateCell}>{inv.invited_by_name||'—'}</td>
+                    <td>
+                      <span className={`badge ${inv.used_at?'badge-done':new Date(inv.expires_at)<new Date()?'badge-cancelled':'badge-inprogress'}`}>
+                        {inv.used_at?'Accepted':new Date(inv.expires_at)<new Date()?'Expired':'Pending'}
+                      </span>
+                    </td>
+                    <td className={styles.dateCell}>{format(new Date(inv.expires_at),'MMM d, yyyy')}</td>
+                  </tr>
+                ))}
+              </tbody>
+            </table>
+          </div>
+        )
+      }
+    </div>
+  );
+}
+
+function AuditTab() {
+  const [page, setPage] = useState(1);
+  const { data, isLoading } = useQuery({
+    queryKey:['audit-logs',page],
+    queryFn:()=>api.get('/admin/audit-logs',{params:{page,limit:25}}).then(r=>r.data),
+    keepPreviousData:true,
+  });
+
+  const actionColor = a => {
+    if (a.includes('CREATED')||a.includes('JOINED')) return 'badge-done';
+    if (a.includes('DELETED')||a.includes('DEACTIVATED')) return 'badge-cancelled';
+    if (a.includes('UPDATED')||a.includes('CHANGED')) return 'badge-inprogress';
+    if (a.includes('INVITED')) return 'badge-inreview';
+    return 'badge-todo';
+  };
+
+  if (isLoading) return <div className={styles.loadArea}><span className="spinner-dark"/></div>;
+
+  return (
+    <div>
+      <div className={styles.sectionHead}>
+        <span className={styles.sectionCount}>{data?.pagination?.total||0} entries</span>
+      </div>
+      <div className={styles.tableWrap}>
+        <table className={styles.table}>
+          <thead><tr><th>Actor</th><th>Action</th><th>Details</th><th>When</th></tr></thead>
+          <tbody>
+            {data?.logs?.map(log=>(
+              <tr key={log.id}>
+                <td>
+                  <p style={{fontSize:13,fontWeight:500}}>{log.actor_name}</p>
+                  <p style={{fontSize:11.5,color:'var(--text-muted)'}}>{log.actor_email}</p>
+                </td>
+                <td>
+                  <span className={`badge ${actionColor(log.action)}`} style={{fontSize:11}}>
+                    {log.action.replace(/_/g,' ').toLowerCase().replace(/\b\w/g,c=>c.toUpperCase())}
+                  </span>
+                </td>
+                <td>
+                  {log.new_values && (
+                    <div style={{fontSize:12,color:'var(--text-muted)'}}>
+                      {Object.entries(log.new_values).slice(0,2).map(([k,v])=>(
+                        <span key={k} style={{marginRight:8}}>
+                          <b style={{color:'var(--text-secondary)'}}>{k.replace(/_/g,' ')}:</b> {String(v??'—').slice(0,40)}
+                        </span>
+                      ))}
+                    </div>
+                  )}
+                </td>
+                <td className={styles.dateCell} title={format(new Date(log.created_at),'PPpp')}>
+                  {formatDistanceToNow(new Date(log.created_at),{addSuffix:true})}
+                </td>
+              </tr>
+            ))}
+          </tbody>
+        </table>
+      </div>
+      {data?.pagination?.totalPages>1 && (
+        <div className={styles.pagination}>
+          <button className="btn btn-secondary btn-sm" disabled={page<=1} onClick={()=>setPage(p=>p-1)}>← Prev</button>
+          <span style={{fontSize:13,color:'var(--text-muted)'}}>Page {page} of {data.pagination.totalPages}</span>
+          <button className="btn btn-secondary btn-sm" disabled={page>=data.pagination.totalPages} onClick={()=>setPage(p=>p+1)}>Next →</button>
+        </div>
+      )}
+    </div>
+  );
+}

frontend/src/pages/AdminPage.module.css

@@ -0,0 +1,57 @@
+.page { max-width: 1100px; }
+
+.tabs { display:flex;gap:3px;border-bottom:1.5px solid var(--border);margin-bottom:22px; }
+.tab {
+  display:inline-flex;align-items:center;gap:7px;padding:9px 16px;
+  font-size:13.5px;font-weight:500;color:var(--text-muted);
+  background:none;border:none;border-bottom:2px solid transparent;
+  cursor:pointer;transition:all .13s;margin-bottom:-1.5px;
+}
+.tab:hover { color:var(--text-primary); }
+.tabActive { color:var(--accent);border-bottom-color:var(--accent); }
+
+.sectionHead { display:flex;align-items:center;justify-content:space-between;margin-bottom:14px; }
+.sectionCount { font-size:13px;font-weight:500;color:var(--text-muted); }
+
+.inviteBox {
+  background:var(--bg-base);border:1.5px solid var(--border);
+  border-radius:var(--radius-lg);padding:14px;margin-bottom:14px;
+}
+.inviteRow { display:flex;gap:8px;align-items:center;flex-wrap:wrap; }
+
+.tableWrap {
+  background:var(--bg-elevated);border:1.5px solid var(--border);
+  border-radius:var(--radius-lg);overflow:hidden;
+}
+.table { width:100%;border-collapse:collapse;font-size:13.5px; }
+.table thead tr { border-bottom:1.5px solid var(--border);background:var(--bg-surface); }
+.table th { padding:11px 14px;text-align:left;font-size:11px;font-weight:700;color:var(--text-muted);text-transform:uppercase;letter-spacing:.06em; }
+.table td { padding:13px 14px;border-bottom:1px solid var(--border);vertical-align:middle; }
+.table tbody tr:last-child td { border-bottom:none; }
+.table tbody tr:hover td { background:var(--bg-base); }
+
+.userCell { display:flex;align-items:center;gap:10px; }
+.userAvatar {
+  width:34px;height:34px;border-radius:50%;background:var(--accent);color:#fff;
+  font-weight:700;font-size:13px;display:flex;align-items:center;justify-content:center;
+  flex-shrink:0;font-family:'Lora',serif;
+}
+.userName  { font-size:13.5px;font-weight:500;color:var(--text-primary); }
+.userEmail { font-size:12px;color:var(--text-muted);margin-top:1px; }
+
+.dateCell { font-size:12px;color:var(--text-muted);white-space:nowrap; }
+.rowActions { display:flex;align-items:center;gap:7px; }
+.roleSelect {
+  background:var(--bg-base);border:1.5px solid var(--border);
+  border-radius:var(--radius);color:var(--text-secondary);
+  font-size:12.5px;padding:5px 9px;cursor:pointer;appearance:none;
+}
+
+.loadArea { display:flex;align-items:center;justify-content:center;padding:56px; }
+
+.pagination { display:flex;align-items:center;justify-content:center;gap:14px;margin-top:18px; }
+
+@media(max-width:640px){
+  .table th:nth-child(3),.table td:nth-child(3),
+  .table th:nth-child(4),.table td:nth-child(4){ display:none; }
+}

frontend/src/pages/AuthPage.module.css

@@ -0,0 +1,44 @@
+.page {
+  min-height:100vh; display:flex; align-items:center; justify-content:center;
+  background:var(--bg-base); padding:24px; position:relative; overflow:hidden;
+}
+/* Subtle paper texture illusion with radial bg */
+.page::before {
+  content:''; position:absolute; inset:0;
+  background:
+    radial-gradient(ellipse 60% 40% at 20% 20%, rgba(45,90,61,.05) 0%, transparent 60%),
+    radial-gradient(ellipse 50% 50% at 80% 80%, rgba(193,125,17,.04) 0%, transparent 60%);
+  pointer-events:none;
+}
+
+.card {
+  background:var(--bg-elevated); border:1.5px solid var(--border);
+  border-radius:var(--radius-xl); padding:38px 36px;
+  width:100%; max-width:430px; position:relative; z-index:1;
+  box-shadow:var(--shadow-lg);
+}
+
+.logoArea { display:flex;align-items:center;gap:10px;margin-bottom:26px; }
+.logoMark { width:34px;height:34px;background:var(--accent);border-radius:8px;display:flex;align-items:center;justify-content:center;color:#fff;font-weight:700;font-size:16px;font-family:'Lora',serif; }
+.logoName { font-family:'Lora',serif;font-size:20px;font-weight:700;color:var(--text-primary);letter-spacing:-.2px; }
+
+.heading { font-family:'Lora',serif;font-size:19px;font-weight:700;margin-bottom:4px;color:var(--text-primary); }
+.sub { font-size:13px;color:var(--text-muted);margin-bottom:26px; }
+.form { display:flex;flex-direction:column;gap:14px; }
+
+.pwWrap { position:relative; }
+.pwWrap .field-input { padding-right:40px; }
+.pwToggle { position:absolute;right:10px;top:50%;transform:translateY(-50%);background:none;border:none;color:var(--text-muted);cursor:pointer;padding:4px;display:flex;align-items:center;transition:color .15s; }
+.pwToggle:hover { color:var(--text-secondary); }
+
+.demos { margin-top:18px;padding-top:18px;border-top:1px solid var(--border); }
+.demosLabel { font-size:12px;color:var(--text-muted);margin-bottom:9px;font-style:italic; }
+.demoBtns { display:flex;gap:8px;flex-wrap:wrap; }
+
+.switchLink { margin-top:18px;font-size:12.5px;color:var(--text-muted);text-align:center; }
+.row { display:grid;grid-template-columns:1fr 1fr;gap:14px; }
+
+@media(max-width:480px){
+  .card{padding:26px 18px;}
+  .row{grid-template-columns:1fr;}
+}

frontend/src/pages/BoardPage.jsx

@@ -0,0 +1,217 @@
+import React, { useState, useRef } from 'react';
+import { useQuery, useMutation, useQueryClient } from '@tanstack/react-query';
+import { Link } from 'react-router-dom';
+import { Plus, MoreHorizontal, Calendar, User } from 'lucide-react';
+import api from '../utils/api';
+import { PriorityBadge, Spinner, PageHeader } from '../components/ui';
+import TaskModal from '../components/tasks/TaskModal';
+import toast from 'react-hot-toast';
+import { format, isPast } from 'date-fns';
+import '../components/ui/components.css';
+import styles from './BoardPage.module.css';
+
+const COLUMNS = [
+  { id: 'todo',        label: 'To Do',       color: 'var(--s-todo)',     bg: 'var(--s-todo-bg)' },
+  { id: 'in_progress', label: 'In Progress', color: 'var(--s-progress)', bg: 'var(--s-progress-bg)' },
+  { id: 'in_review',   label: 'In Review',   color: 'var(--s-review)',   bg: 'var(--s-review-bg)' },
+  { id: 'done',        label: 'Done',        color: 'var(--s-done)',     bg: 'var(--s-done-bg)' },
+];
+
+export default function BoardPage() {
+  const qc = useQueryClient();
+  const [showModal, setShowModal] = useState(false);
+  const [defaultStatus, setDefaultStatus] = useState('todo');
+  const [dragging, setDragging] = useState(null);      // { taskId, fromStatus }
+  const [dragOver, setDragOver] = useState(null);      // status column id
+  const dragItem = useRef(null);
+
+  const { data, isLoading } = useQuery({
+    queryKey: ['tasks-board'],
+    queryFn: () => api.get('/tasks', { params: { limit: 200 } }).then(r => r.data),
+  });
+
+  const moveMutation = useMutation({
+    mutationFn: ({ id, status }) => api.patch(`/tasks/${id}`, { status }),
+    onMutate: async ({ id, status }) => {
+      // Optimistic update
+      await qc.cancelQueries(['tasks-board']);
+      const prev = qc.getQueryData(['tasks-board']);
+      qc.setQueryData(['tasks-board'], old => ({
+        ...old,
+        tasks: old.tasks.map(t => t.id === id ? { ...t, status } : t),
+      }));
+      return { prev };
+    },
+    onError: (err, _vars, ctx) => {
+      qc.setQueryData(['tasks-board'], ctx.prev);
+      toast.error('Failed to move task.');
+    },
+    onSettled: () => {
+      qc.invalidateQueries(['tasks-board']);
+      qc.invalidateQueries(['task-stats']);
+    },
+  });
+
+  const tasksByStatus = (status) =>
+    (data?.tasks || []).filter(t => t.status === status);
+
+  /* ─── Drag handlers ─── */
+  const onDragStart = (e, task) => {
+    dragItem.current = task;
+    setDragging({ taskId: task.id, fromStatus: task.status });
+    e.dataTransfer.effectAllowed = 'move';
+  };
+
+  const onDragOver = (e, colId) => {
+    e.preventDefault();
+    e.dataTransfer.dropEffect = 'move';
+    setDragOver(colId);
+  };
+
+  const onDrop = (e, colId) => {
+    e.preventDefault();
+    const task = dragItem.current;
+    if (task && task.status !== colId) {
+      moveMutation.mutate({ id: task.id, status: colId });
+    }
+    setDragging(null);
+    setDragOver(null);
+    dragItem.current = null;
+  };
+
+  const onDragEnd = () => {
+    setDragging(null);
+    setDragOver(null);
+  };
+
+  const openCreate = (status) => {
+    setDefaultStatus(status);
+    setShowModal(true);
+  };
+
+  if (isLoading) return (
+    <div style={{ display: 'flex', alignItems: 'center', justifyContent: 'center', height: 300 }}>
+      <span className="spinner-dark" />
+    </div>
+  );
+
+  return (
+    <div className={styles.page}>
+      <PageHeader
+        title="Board"
+        subtitle="Drag tasks between columns to update their status"
+        action={
+          <button className="btn btn-primary btn-md" onClick={() => openCreate('todo')}>
+            <Plus size={15} /> New Task
+          </button>
+        }
+      />
+
+      <div className={styles.board}>
+        {COLUMNS.map(col => {
+          const tasks = tasksByStatus(col.id);
+          const isOver = dragOver === col.id;
+
+          return (
+            <div
+              key={col.id}
+              className={`${styles.column} ${isOver ? styles.columnOver : ''}`}
+              onDragOver={e => onDragOver(e, col.id)}
+              onDrop={e => onDrop(e, col.id)}
+            >
+              {/* Column header */}
+              <div className={styles.colHeader}>
+                <div className={styles.colHeaderLeft}>
+                  <div className={styles.colDot} style={{ background: col.color }} />
+                  <span className={styles.colLabel}>{col.label}</span>
+                  <span className={styles.colCount} style={{ background: col.bg, color: col.color }}>
+                    {tasks.length}
+                  </span>
+                </div>
+                <button
+                  className={styles.addColBtn}
+                  onClick={() => openCreate(col.id)}
+                  title={`Add to ${col.label}`}
+                >
+                  <Plus size={14} />
+                </button>
+              </div>
+
+              {/* Task cards */}
+              <div className={styles.cards}>
+                {tasks.length === 0 && (
+                  <div className={`${styles.emptyCol} ${isOver ? styles.emptyColOver : ''}`}>
+                    <span>Drop tasks here</span>
+                  </div>
+                )}
+
+                {tasks.map(task => {
+                  const overdue = task.due_date && isPast(new Date(task.due_date)) &&
+                    !['done', 'cancelled'].includes(task.status);
+                  const isDraggingThis = dragging?.taskId === task.id;
+
+                  return (
+                    <div
+                      key={task.id}
+                      className={`${styles.card} ${isDraggingThis ? styles.cardDragging : ''}`}
+                      draggable
+                      onDragStart={e => onDragStart(e, task)}
+                      onDragEnd={onDragEnd}
+                    >
+                      <div className={styles.cardTop}>
+                        <PriorityBadge priority={task.priority} />
+                        <Link to={`/tasks/${task.id}`} className={styles.cardMenuBtn} title="Open task">
+                          <MoreHorizontal size={14} />
+                        </Link>
+                      </div>
+
+                      <Link to={`/tasks/${task.id}`} className={styles.cardTitle}>
+                        {task.title}
+                      </Link>
+
+                      {task.description && (
+                        <p className={styles.cardDesc}>
+                          {task.description.slice(0, 80)}{task.description.length > 80 ? '…' : ''}
+                        </p>
+                      )}
+
+                      <div className={styles.cardMeta}>
+                        {task.assignee_name && (
+                          <span className={styles.cardAssignee}>
+                            <span className={styles.miniAvatar}>
+                              {task.assignee_name[0].toUpperCase()}
+                            </span>
+                            {task.assignee_name.split(' ')[0]}
+                          </span>
+                        )}
+                        {task.due_date && (
+                          <span className={`${styles.cardDue} ${overdue ? styles.cardDueOverdue : ''}`}>
+                            <Calendar size={11} />
+                            {format(new Date(task.due_date), 'MMM d')}
+                          </span>
+                        )}
+                      </div>
+                    </div>
+                  );
+                })}
+              </div>
+            </div>
+          );
+        })}
+      </div>
+
+      {showModal && (
+        <TaskModal
+          task={null}
+          defaultStatus={defaultStatus}
+          onClose={() => setShowModal(false)}
+          onSuccess={() => {
+            setShowModal(false);
+            qc.invalidateQueries(['tasks-board']);
+            qc.invalidateQueries(['task-stats']);
+          }}
+        />
+      )}
+    </div>
+  );
+}

frontend/src/pages/BoardPage.module.css

@@ -0,0 +1,214 @@
+.page { max-width: 100%; }
+
+.board {
+  display: grid;
+  grid-template-columns: repeat(4, minmax(230px, 1fr));
+  gap: 16px;
+  align-items: start;
+  overflow-x: auto;
+  padding-bottom: 16px;
+}
+
+.column {
+  background: var(--bg-surface);
+  border: 1.5px solid var(--border);
+  border-radius: var(--radius-lg);
+  padding: 14px;
+  min-height: 300px;
+  transition: border-color .15s, background .15s;
+}
+
+.columnOver {
+  border-color: var(--accent);
+  background: var(--accent-light);
+}
+
+.colHeader {
+  display: flex;
+  align-items: center;
+  justify-content: space-between;
+  margin-bottom: 12px;
+}
+
+.colHeaderLeft {
+  display: flex;
+  align-items: center;
+  gap: 7px;
+}
+
+.colDot {
+  width: 8px;
+  height: 8px;
+  border-radius: 50%;
+  flex-shrink: 0;
+}
+
+.colLabel {
+  font-size: 13px;
+  font-weight: 600;
+  color: var(--text-secondary);
+  font-family: 'Inter', sans-serif;
+}
+
+.colCount {
+  font-size: 11px;
+  font-weight: 700;
+  padding: 1px 7px;
+  border-radius: 100px;
+  font-family: 'Inter', sans-serif;
+}
+
+.addColBtn {
+  background: none;
+  border: 1px solid var(--border);
+  border-radius: var(--radius);
+  color: var(--text-muted);
+  width: 26px;
+  height: 26px;
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  cursor: pointer;
+  transition: all .15s;
+}
+.addColBtn:hover { background: var(--bg-hover); color: var(--text-secondary); border-color: var(--border-strong); }
+
+.cards {
+  display: flex;
+  flex-direction: column;
+  gap: 10px;
+  min-height: 80px;
+}
+
+.emptyCol {
+  border: 1.5px dashed var(--border);
+  border-radius: var(--radius);
+  padding: 20px;
+  text-align: center;
+  font-size: 12px;
+  color: var(--text-faint);
+  transition: all .15s;
+}
+
+.emptyColOver {
+  border-color: var(--accent);
+  color: var(--accent);
+  background: var(--accent-light);
+}
+
+/* Task card */
+.card {
+  background: var(--bg-elevated);
+  border: 1.5px solid var(--border);
+  border-radius: var(--radius);
+  padding: 12px;
+  cursor: grab;
+  transition: all .15s;
+  user-select: none;
+}
+
+.card:hover {
+  border-color: var(--border-strong);
+  box-shadow: var(--shadow-md);
+  transform: translateY(-1px);
+}
+
+.card:active { cursor: grabbing; }
+
+.cardDragging {
+  opacity: 0.45;
+  transform: rotate(1.5deg) scale(0.97);
+}
+
+.cardTop {
+  display: flex;
+  align-items: center;
+  justify-content: space-between;
+  margin-bottom: 8px;
+}
+
+.cardMenuBtn {
+  color: var(--text-faint);
+  display: flex;
+  align-items: center;
+  padding: 2px;
+  border-radius: 4px;
+  transition: all .12s;
+  text-decoration: none;
+}
+.cardMenuBtn:hover { color: var(--text-secondary); background: var(--bg-hover); text-decoration: none; }
+
+.cardTitle {
+  display: block;
+  font-size: 13.5px;
+  font-weight: 500;
+  color: var(--text-primary);
+  line-height: 1.4;
+  margin-bottom: 6px;
+  text-decoration: none;
+  transition: color .12s;
+}
+.cardTitle:hover { color: var(--accent); text-decoration: none; }
+
+.cardDesc {
+  font-size: 12px;
+  color: var(--text-muted);
+  line-height: 1.5;
+  margin-bottom: 10px;
+}
+
+.cardMeta {
+  display: flex;
+  align-items: center;
+  justify-content: space-between;
+  gap: 8px;
+  flex-wrap: wrap;
+}
+
+.cardAssignee {
+  display: flex;
+  align-items: center;
+  gap: 5px;
+  font-size: 11.5px;
+  color: var(--text-muted);
+}
+
+.miniAvatar {
+  width: 18px;
+  height: 18px;
+  border-radius: 50%;
+  background: var(--accent);
+  color: #fff;
+  font-size: 9px;
+  font-weight: 700;
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  flex-shrink: 0;
+}
+
+.cardDue {
+  display: flex;
+  align-items: center;
+  gap: 4px;
+  font-size: 11px;
+  color: var(--text-muted);
+  background: var(--bg-base);
+  padding: 2px 7px;
+  border-radius: 4px;
+  border: 1px solid var(--border);
+}
+
+.cardDueOverdue {
+  color: var(--rose);
+  background: var(--rose-light);
+  border-color: var(--rose-border);
+}
+
+@media (max-width: 960px) {
+  .board { grid-template-columns: repeat(2, 1fr); }
+}
+
+@media (max-width: 560px) {
+  .board { grid-template-columns: 1fr; }
+}

frontend/src/pages/DashboardPage.jsx

@@ -0,0 +1,140 @@
+import React from 'react';
+import { Link } from 'react-router-dom';
+import { useQuery } from '@tanstack/react-query';
+import { CheckCircle2, Clock, Zap, CircleDot, TrendingUp, Plus, AlertTriangle, BarChart2 } from 'lucide-react';
+import api from '../utils/api';
+import { useAuth } from '../context/AuthContext';
+import { StatusBadge, PriorityBadge, Spinner, PageHeader } from '../components/ui';
+import { formatDistanceToNow, format, isPast } from 'date-fns';
+import '../components/ui/components.css';
+import styles from './DashboardPage.module.css';
+
+const STATUS_META = {
+  todo:        { label:'To Do',       icon:CircleDot,    color:'var(--s-todo)',     bg:'var(--s-todo-bg)' },
+  in_progress: { label:'In Progress', icon:TrendingUp,   color:'var(--s-progress)', bg:'var(--s-progress-bg)' },
+  in_review:   { label:'In Review',   icon:Zap,          color:'var(--s-review)',   bg:'var(--s-review-bg)' },
+  done:        { label:'Done',        icon:CheckCircle2, color:'var(--s-done)',      bg:'var(--s-done-bg)' },
+};
+
+export default function DashboardPage() {
+  const { user } = useAuth();
+
+  const { data:stats, isLoading } = useQuery({
+    queryKey:['task-stats'],
+    queryFn:()=>api.get('/tasks/stats').then(r=>r.data),
+  });
+
+  if (isLoading) return <div className={styles.center}><span className="spinner-dark"/></div>;
+
+  const total = Object.values(stats?.statusCounts||{}).reduce((a,b)=>a+b,0);
+
+  return (
+    <div className={styles.page}>
+      <PageHeader
+        title={`Hello, ${user?.name?.split(' ')[0]}`}
+        subtitle={`${user?.orgName} · ${user?.role === 'admin' ? 'Administrator' : 'Team Member'}`}
+        action={
+          <Link to="/tasks" className="btn btn-primary btn-md">
+            <Plus size={15}/> New Task
+          </Link>
+        }
+      />
+
+      {/* KPI cards */}
+      <div className={styles.kpiGrid}>
+        {Object.entries(STATUS_META).map(([key, m]) => {
+          const Icon = m.icon;
+          const count = stats?.statusCounts?.[key] || 0;
+          return (
+            <Link to={`/tasks?status=${key}`} key={key} className={styles.kpiCard}>
+              <div className={styles.kpiIconWrap} style={{background:m.bg,color:m.color}}>
+                <Icon size={18}/>
+              </div>
+              <div className={styles.kpiBody}>
+                <span className={styles.kpiCount}>{count}</span>
+                <span className={styles.kpiLabel}>{m.label}</span>
+              </div>
+              {key==='in_progress' && count>0 && <div className={styles.kpiPulse}/>}
+            </Link>
+          );
+        })}
+
+        <div className={styles.kpiCard} style={{cursor:'default'}}>
+          <div className={styles.kpiIconWrap} style={{background:'var(--rose-light)',color:'var(--rose)'}}>
+            <AlertTriangle size={18}/>
+          </div>
+          <div className={styles.kpiBody}>
+            <span className={styles.kpiCount} style={stats?.overdueCount>0?{color:'var(--rose)'}:{}}>
+              {stats?.overdueCount||0}
+            </span>
+            <span className={styles.kpiLabel}>Overdue</span>
+          </div>
+        </div>
+      </div>
+
+      <div className={styles.grid2}>
+        {/* Recent activity */}
+        <div className="card">
+          <div className={styles.cardHead}>
+            <h3 className={styles.cardTitle}>Recent Activity</h3>
+            <Link to="/tasks" className="btn btn-ghost btn-sm">View all →</Link>
+          </div>
+
+          {stats?.recentTasks?.length > 0 ? (
+            <div className={styles.activityList}>
+              {stats.recentTasks.map(task => (
+                <Link key={task.id} to={`/tasks/${task.id}`} className={styles.activityRow}>
+                  <div className={styles.activityLeft}>
+                    <StatusBadge status={task.status}/>
+                    <div className={styles.activityInfo}>
+                      <span className={styles.activityTitle}>{task.title}</span>
+                      {task.assignee_name && <span className={styles.activityMeta}>→ {task.assignee_name}</span>}
+                    </div>
+                  </div>
+                  <span className={styles.activityTime}>
+                    {formatDistanceToNow(new Date(task.updated_at),{addSuffix:true})}
+                  </span>
+                </Link>
+              ))}
+            </div>
+          ) : (
+            <p className={styles.emptyNote}>No tasks yet. <Link to="/tasks">Create your first task →</Link></p>
+          )}
+        </div>
+
+        {/* Priority breakdown */}
+        <div className="card">
+          <div className={styles.cardHead}>
+            <h3 className={styles.cardTitle}>Priority Breakdown</h3>
+            <span className={styles.totalPill}>{total} total</span>
+          </div>
+
+          <div className={styles.priorityChart}>
+            {[
+              {key:'critical',label:'Critical',color:'var(--p-critical)'},
+              {key:'high',    label:'High',    color:'var(--p-high)'},
+              {key:'medium',  label:'Medium',  color:'var(--p-medium)'},
+              {key:'low',     label:'Low',     color:'var(--p-low)'},
+            ].map(({key,label,color})=>{
+              const count = stats?.priorityCounts?.[key]||0;
+              const pct = total>0?(count/total)*100:0;
+              return (
+                <div key={key} className={styles.pRow}>
+                  <span className={styles.pLabel}>{label}</span>
+                  <div className={styles.pTrack}>
+                    <div className={styles.pFill} style={{width:`${pct}%`,background:color}}/>
+                  </div>
+                  <span className={styles.pCount}>{count}</span>
+                </div>
+              );
+            })}
+          </div>
+
+          <Link to="/board" className={styles.boardLink}>
+            <BarChart2 size={14}/> View Kanban Board →
+          </Link>
+        </div>
+      </div>
+    </div>
+  );
+}