KayvanShah1
diff --git a/‎CHANGELOG.md‎
Lines changed: 80 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 80 additions & 0 deletions
diff --git a/‎backend/README.md‎
Lines changed: 47 additions & 18 deletions b/‎backend/README.md‎
Lines changed: 47 additions & 18 deletions
diff --git a/‎backend/app/api/v1/login.py‎
Lines changed: 38 additions & 3 deletions b/‎backend/app/api/v1/login.py‎
Lines changed: 38 additions & 3 deletions
@@ -0,0 +1,80 @@
+# Changelog
+
+All notable changes to this project are documented here. The format follows Keep a Changelog principles.
+
+## [Unreleased]
+### Planned
+- Team collaboration features (shared tasks and roles).
+- Notification and reminder channels (email/Slack).
+- Rich text task descriptions and attachment support.
+- Vector search for semantic task discovery.
+- Enhanced observability with metrics and structured logs.
+
+## [2025-09-29] Backend reliability & lifecycle polish
+### Added
+- Added complete user CRUD surface in the service layer and API, including secure self-delete endpoint helpers.
+- Added pytest utilities and scenarios that exercise nested task flows, user deletion, and authentication bootstrapping.
+- Added linting/formatting config to keep the backend style consistent.
+
+### Changed
+- Reworked task CRUD to eagerly load full trees, offer shallow vs tree responses, and refresh cascades after updates.
+- Updated access token model to embed user IDs and refactored verification helpers to rely on IDs instead of usernames.
+- Hardened SQLAlchemy session pragmas and cascade handling for consistent SQLite/Postgres behaviour and developer hot reloads.
+- Opened up CORS defaults to support external dashboard clients during development.
+
+### Fixed
+- Removed trailing slash mismatches from task endpoints and corrected `get_current_user` to validate by id.
+- Ensured orphaned subtasks are purged by enabling foreign key enforcement in tests and double-checking cascaded deletes.
+
+### Documentation
+- Expanded FastAPI docstrings and README coverage for authentication, task endpoints, and local dev workflows.
+- Polished OpenAPI metadata and backend README feature lists.
+
+## [2025-09-27] Authenticated dashboard & UI system
+### Added
+- Bootstrapped a Next.js App Router frontend with marketing landing, dashboard segment, and route groups for `home`, `tasks`, `agent`, and `settings`.
+- Implemented dedicated sign-in/sign-up pages powered by shared `AuthShell`, `PasswordField`, and `OAuthButtons` components plus validation hooks.
+- Integrated shadcn/ui primitives, thin-scrollbar utilities, and a marketing logo cloud block for consistent theming.
+- Added dashboard middleware, JWT client helpers, and API proxy route handlers to forward auth headers to the backend.
+- Authored an `AGENTS.md` integration guide describing how to wire the AskBar to backend MCP endpoints.
+
+### Infrastructure
+- Added `vercel.json`, Dockerfiles for dev/prod, and `.env.local` scaffolding to support local/hosted frontend deployments.
+- Updated metadata, navigation config, and marketing assets (icons, logos) for the new UI.
+
+## [2025-09-02] CI/CD & deployment pipeline
+### Added
+- Introduced Render deployment blueprint updates and GitHub Actions jobs to build, cache, and push backend Docker images before deployment.
+- Added Docker build caching and tag management to speed up container publishing.
+- Added `.dockerignore` / `.docker` tweaks and context fixes so backend and frontend images build from the correct paths.
+- Registered Vercel deployment configuration and telemetry settings for the Next.js app.
+
+### Documentation
+- Added frontend configuration docs and expanded README badges for deployment/test workflows.
+
+## [2025-08-31] Database & ops enhancements
+### Added
+- Added Postgres service to `docker-compose.yml` with health checks plus `asyncpg` support in the backend.
+- Added a global `.gitignore`, dev requirements fixes, and instructions for running GitHub Actions tests.
+- Documented project structure and agent setup guidance for contributors.
+
+### Changed
+- Refined database engine initialization, path configuration, and README disclaimers to clarify setup steps.
+- Updated workflow configuration to ensure backend paths trigger CI from the new `backend/` root.
+
+## [2025-07-31] Testing & tooling expansion
+### Added
+- Added comprehensive pytest coverage spanning auth failures, nested task lifecycle, and integration flows.
+- Added Postman collection, curl quickstart examples, and Docker instructions for running the API locally.
+- Added architecture diagrams and metadata updates to aid onboarding.
+
+### Fixed
+- Ignored local SQLite data and other generated artefacts to keep repos clean.
+
+## [2025-07-30] Initial API scaffold
+### Added
+- Bootstrapped the FastAPI application with configuration modules, routing skeleton, and OpenAPI metadata.
+- Added SQLAlchemy models for users and tasks with status/priority/category enums and relationships.
+- Implemented authentication utilities for password hashing, token creation/verification, and API key enforcement.
+- Delivered initial user signup/login endpoints and task create/list routes backed by async database sessions.
+- Added Docker configuration, environment files, and packaging metadata to support containerized development.
@@ -7,12 +7,13 @@ Taskaza is a secure, async API built with FastAPI. It supports user sign-up/logi
 
 ## 📦 Features
 
-* User registration (`/signup`) and login (`/token`, OAuth2 password flow)
+* User registration (`/signup`), profile management (`/users/me`), and login (`/token`, OAuth2 password flow)
 * JWT authentication + secure password hashing
 * API key header (`X-API-Key: 123456`) on protected routes
-* Task CRUD (create, list, get, update status/full, delete)
-* Async SQLAlchemy + SQLite, Pydantic v2 validation
-* Thorough tests (unit + full-flow)
+* Hierarchical tasks with nested subtasks, priorities, categories, tags, and computed progress
+* Rich task querying (status filters, search, pagination, sorting, include/exclude subtasks) plus bulk create/status updates
+* Async SQLAlchemy + SQLite (extensible via `TSKZ_DATABASE_URL`), Pydantic v2 validation
+* Thorough async tests (unit + integration/auth flows)
 
 [📊 View architecture diagram](docs/ARCHITECTURE.md)
 
@@ -32,23 +33,39 @@ X-API-Key: 123456
 
 ## 📚 API Endpoints
 
-### Users
+### Auth
 
-| Method | Endpoint  | Description             |
-| ------ | --------- | ----------------------- |
-| POST   | `/signup` | Register a new user     |
-| POST   | `/token`  | Login and get JWT token |
+| Method | Endpoint    | Description                        |
+| ------ | ----------- | ---------------------------------- |
+| POST   | `/signup`   | Register a new user                |
+| POST   | `/token`    | Exchange username/password for JWT |
+
+### Users (Protected)
+
+| Method | Endpoint          | Description                          |
+| ------ | ----------------- | ------------------------------------ |
+| GET    | `/users/me`       | Get the authenticated user's profile |
+| PUT    | `/users/me`       | Replace the authenticated user's profile |
+| PATCH  | `/users/me`       | Partially update your profile        |
+| DELETE | `/users/{user_id}` | Delete your own account              |
 
 ### Tasks (Protected)
 
-| Method | Endpoint      | Description            |
-| ------ | ------------- | ---------------------- |
-| POST   | `/tasks/`     | Create a task          |
-| GET    | `/tasks/`     | List your tasks        |
-| GET    | `/tasks/{id}` | Get a task by ID       |
-| PATCH  | `/tasks/{id}` | Update **status** only |
-| PUT    | `/tasks/{id}` | Update **entire** task |
-| DELETE | `/tasks/{id}` | Delete a task          |
+| Method | Endpoint             | Description                                       |
+| ------ | -------------------- | ------------------------------------------------- |
+| POST   | `/tasks`             | Create a task, optionally with nested subtasks    |
+| GET    | `/tasks`             | List tasks with filtering, search, and pagination |
+| GET    | `/tasks/{task_id}`   | Retrieve a task (optionally include the subtree)  |
+| PUT    | `/tasks/{task_id}`   | Update task fields (partial)                      |
+| PATCH  | `/tasks/{task_id}`   | Update only the task status                       |
+| DELETE | `/tasks/{task_id}`   | Delete a task                                     |
+| POST   | `/tasks/bulk`        | Bulk create tasks and/or change statuses          |
+
+**Extras**
+
+- All `/tasks/*` and `/users/*` endpoints require both `Authorization: Bearer <token>` and `X-API-Key: 123456`.
+- `GET /tasks` supports `status`, `q`, `page`, `limit`, `sort`, `include_tree`, and `roots_only` query params.
+- `POST /tasks` accepts the `create_subtree` query flag (defaults to `true`) to cascade nested subtasks when provided.
 
 ---
 
@@ -99,12 +116,22 @@ openssl rand -base64 32
 
 ### 4) Run locally
 
-**Development:**
+**Development (auto-reload; tests excluded by default):**
 
 ```bash
 uv run fastapi dev app/main.py
 ```
 
+FastAPI already excludes the `tests/` directory from reloads via `pyproject.toml`. To be explicit or customise the ignore pattern:
+
+```bash
+# macOS/Linux shells
+uv run fastapi dev app/main.py --reload-exclude 'tests/*'
+
+# Windows PowerShell
+uv run fastapi dev app/main.py --reload-exclude "tests/*"
+```
+
 **Production:**
 
 ```bash
@@ -119,6 +146,8 @@ docker compose up --build
 
 App: [http://localhost:8000/](http://localhost:8000/)
 
+Local SQLite data lives in `data/taskaza.db`. Delete the file to reset your environment or set `TSKZ_DATABASE_URL` to point at another database.
+
 ---
 
 ## 🔁 Export pip-style requirements (for CI/Render)
 
@@ -10,11 +10,46 @@
 router = APIRouter(tags=["Login"])
 
 
-@router.post("/token", response_model=Token)
-async def login(form_data: OAuth2PasswordRequestForm = Depends(), db: AsyncSession = Depends(get_db)):
+@router.post(
+    "/token",
+    response_model=Token,
+    summary="Login with username and password",
+    description="""
+Obtain a **JWT access token** using the OAuth2 password flow.
+
+### Authentication
+- Requires valid username and password.
+
+### Usage
+- Use the returned `access_token` in the `Authorization` header for all protected endpoints:
+    `Authorization: Bearer <access_token>`
+
+### Notes
+- This endpoint does **not** require API Key.
+- Token expiration and lifetime are configured in `create_access_token`.
+  """,
+)
+async def login_with_access_token(form_data: OAuth2PasswordRequestForm = Depends(), db: AsyncSession = Depends(get_db)):
+    """
+    **Login with Access Token**
+
+    **Request Body (form-data)**
+    - `username` (str): Registered username
+    - `password` (str): Corresponding password
+
+    **Responses**
+    - `200`: Returns a `Token` object
+      ```json
+      {
+        "access_token": "jwt.token.here",
+        "token_type": "bearer"
+      }
+      ```
+    - `401`: Incorrect username or password
+    """
     user = await authenticate_user(db, form_data.username, form_data.password)
     if not user:
         raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Incorrect username or password")
     authd_user = UserOut.model_validate(user)
-    token = create_access_token(data={"sub": authd_user.username})
+    token = create_access_token(data={"sub": str(authd_user.id)})
     return {"access_token": token, "token_type": "bearer"}