From 0e0d28c859a62231c2390759ece888be3f3642b7 Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:30:34 +0400
Subject: [PATCH 01/82] chore: bump root tooling metadata

---
 package-lock.json | 1483 ++++++++++++++++++++++++++++++++++++++++++++-
 package.json      |    4 +-
 2 files changed, 1482 insertions(+), 5 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index f76f89b..aede0dd 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -10,8 +10,10 @@
       "devDependencies": {
         "@commitlint/cli": "^19.5.0",
         "@commitlint/config-conventional": "^19.5.0",
+        "@vitest/coverage-v8": "^4.1.4",
         "husky": "^9.1.6",
-        "lint-staged": "^15.2.10"
+        "lint-staged": "^15.2.10",
+        "vitest": "^4.1.4"
       },
       "engines": {
         "node": ">=22"
@@ -32,6 +34,16 @@
         "node": ">=6.9.0"
       }
     },
+    "node_modules/@babel/helper-string-parser": {
+      "version": "7.27.1",
+      "resolved": "https://registry.npmjs.org/@babel/helper-string-parser/-/helper-string-parser-7.27.1.tgz",
+      "integrity": "sha512-qMlSxKbpRlAridDExk92nSobyDdpPijUq2DW6oDnUqd0iOGxmQjyqhMIihI9+zv4LPyZdRje2cavWPbCbWm3eA==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
     "node_modules/@babel/helper-validator-identifier": {
       "version": "7.28.5",
       "resolved": "https://registry.npmjs.org/@babel/helper-validator-identifier/-/helper-validator-identifier-7.28.5.tgz",
@@ -42,6 +54,46 @@
         "node": ">=6.9.0"
       }
     },
+    "node_modules/@babel/parser": {
+      "version": "7.29.2",
+      "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.29.2.tgz",
+      "integrity": "sha512-4GgRzy/+fsBa72/RZVJmGKPmZu9Byn8o4MoLpmNe1m8ZfYnz5emHLQz3U4gLud6Zwl0RZIcgiLD7Uq7ySFuDLA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@babel/types": "^7.29.0"
+      },
+      "bin": {
+        "parser": "bin/babel-parser.js"
+      },
+      "engines": {
+        "node": ">=6.0.0"
+      }
+    },
+    "node_modules/@babel/types": {
+      "version": "7.29.0",
+      "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.29.0.tgz",
+      "integrity": "sha512-LwdZHpScM4Qz8Xw2iKSzS+cfglZzJGvofQICy7W7v4caru4EaAmyUuO6BGrbyQ2mYV11W0U8j5mBhd14dd3B0A==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@babel/helper-string-parser": "^7.27.1",
+        "@babel/helper-validator-identifier": "^7.28.5"
+      },
+      "engines": {
+        "node": ">=6.9.0"
+      }
+    },
+    "node_modules/@bcoe/v8-coverage": {
+      "version": "1.0.2",
+      "resolved": "https://registry.npmjs.org/@bcoe/v8-coverage/-/v8-coverage-1.0.2.tgz",
+      "integrity": "sha512-6zABk/ECA/QYSCQ1NGiVwwbQerUCZ+TQbp64Q3AgmfNvurHH0j8TtXa1qbShXA6qqkpAj4V5W8pP6mLe1mcMqA==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=18"
+      }
+    },
     "node_modules/@commitlint/cli": {
       "version": "19.8.1",
       "resolved": "https://registry.npmjs.org/@commitlint/cli/-/cli-19.8.1.tgz",
@@ -299,6 +351,390 @@
         "node": ">=v18"
       }
     },
+    "node_modules/@emnapi/core": {
+      "version": "1.9.2",
+      "resolved": "https://registry.npmjs.org/@emnapi/core/-/core-1.9.2.tgz",
+      "integrity": "sha512-UC+ZhH3XtczQYfOlu3lNEkdW/p4dsJ1r/bP7H8+rhao3TTTMO1ATq/4DdIi23XuGoFY+Cz0JmCbdVl0hz9jZcA==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "@emnapi/wasi-threads": "1.2.1",
+        "tslib": "^2.4.0"
+      }
+    },
+    "node_modules/@emnapi/runtime": {
+      "version": "1.9.2",
+      "resolved": "https://registry.npmjs.org/@emnapi/runtime/-/runtime-1.9.2.tgz",
+      "integrity": "sha512-3U4+MIWHImeyu1wnmVygh5WlgfYDtyf0k8AbLhMFxOipihf6nrWC4syIm/SwEeec0mNSafiiNnMJwbza/Is6Lw==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "tslib": "^2.4.0"
+      }
+    },
+    "node_modules/@emnapi/wasi-threads": {
+      "version": "1.2.1",
+      "resolved": "https://registry.npmjs.org/@emnapi/wasi-threads/-/wasi-threads-1.2.1.tgz",
+      "integrity": "sha512-uTII7OYF+/Mes/MrcIOYp5yOtSMLBWSIoLPpcgwipoiKbli6k322tcoFsxoIIxPDqW01SQGAgko4EzZi2BNv2w==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "tslib": "^2.4.0"
+      }
+    },
+    "node_modules/@jridgewell/resolve-uri": {
+      "version": "3.1.2",
+      "resolved": "https://registry.npmjs.org/@jridgewell/resolve-uri/-/resolve-uri-3.1.2.tgz",
+      "integrity": "sha512-bRISgCIjP20/tbWSPWMEi54QVPRZExkuD9lJL+UIxUKtwVJA8wW1Trb1jMs1RFXo1CBTNZ/5hpC9QvmKWdopKw==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=6.0.0"
+      }
+    },
+    "node_modules/@jridgewell/sourcemap-codec": {
+      "version": "1.5.5",
+      "resolved": "https://registry.npmjs.org/@jridgewell/sourcemap-codec/-/sourcemap-codec-1.5.5.tgz",
+      "integrity": "sha512-cYQ9310grqxueWbl+WuIUIaiUaDcj7WOq5fVhEljNVgRfOUhY9fy2zTvfoqWsnebh8Sl70VScFbICvJnLKB0Og==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/@jridgewell/trace-mapping": {
+      "version": "0.3.31",
+      "resolved": "https://registry.npmjs.org/@jridgewell/trace-mapping/-/trace-mapping-0.3.31.tgz",
+      "integrity": "sha512-zzNR+SdQSDJzc8joaeP8QQoCQr8NuYx2dIIytl1QeBEZHJ9uW6hebsrYgbz8hJwUQao3TWCMtmfV8Nu1twOLAw==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@jridgewell/resolve-uri": "^3.1.0",
+        "@jridgewell/sourcemap-codec": "^1.4.14"
+      }
+    },
+    "node_modules/@napi-rs/wasm-runtime": {
+      "version": "1.1.4",
+      "resolved": "https://registry.npmjs.org/@napi-rs/wasm-runtime/-/wasm-runtime-1.1.4.tgz",
+      "integrity": "sha512-3NQNNgA1YSlJb/kMH1ildASP9HW7/7kYnRI2szWJaofaS1hWmbGI4H+d3+22aGzXXN9IJ+n+GiFVcGipJP18ow==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "@tybys/wasm-util": "^0.10.1"
+      },
+      "funding": {
+        "type": "github",
+        "url": "https://github.com/sponsors/Brooooooklyn"
+      },
+      "peerDependencies": {
+        "@emnapi/core": "^1.7.1",
+        "@emnapi/runtime": "^1.7.1"
+      }
+    },
+    "node_modules/@oxc-project/types": {
+      "version": "0.124.0",
+      "resolved": "https://registry.npmjs.org/@oxc-project/types/-/types-0.124.0.tgz",
+      "integrity": "sha512-VBFWMTBvHxS11Z5Lvlr3IWgrwhMTXV+Md+EQF0Xf60+wAdsGFTBx7X7K/hP4pi8N7dcm1RvcHwDxZ16Qx8keUg==",
+      "dev": true,
+      "license": "MIT",
+      "funding": {
+        "url": "https://github.com/sponsors/Boshen"
+      }
+    },
+    "node_modules/@rolldown/binding-android-arm64": {
+      "version": "1.0.0-rc.15",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-android-arm64/-/binding-android-arm64-1.0.0-rc.15.tgz",
+      "integrity": "sha512-YYe6aWruPZDtHNpwu7+qAHEMbQ/yRl6atqb/AhznLTnD3UY99Q1jE7ihLSahNWkF4EqRPVC4SiR4O0UkLK02tA==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "android"
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
+    },
+    "node_modules/@rolldown/binding-darwin-arm64": {
+      "version": "1.0.0-rc.15",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-darwin-arm64/-/binding-darwin-arm64-1.0.0-rc.15.tgz",
+      "integrity": "sha512-oArR/ig8wNTPYsXL+Mzhs0oxhxfuHRfG7Ikw7jXsw8mYOtk71W0OkF2VEVh699pdmzjPQsTjlD1JIOoHkLP1Fg==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
+    },
+    "node_modules/@rolldown/binding-darwin-x64": {
+      "version": "1.0.0-rc.15",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-darwin-x64/-/binding-darwin-x64-1.0.0-rc.15.tgz",
+      "integrity": "sha512-YzeVqOqjPYvUbJSWJ4EDL8ahbmsIXQpgL3JVipmN+MX0XnXMeWomLN3Fb+nwCmP/jfyqte5I3XRSm7OfQrbyxw==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
+    },
+    "node_modules/@rolldown/binding-freebsd-x64": {
+      "version": "1.0.0-rc.15",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-freebsd-x64/-/binding-freebsd-x64-1.0.0-rc.15.tgz",
+      "integrity": "sha512-9Erhx956jeQ0nNTyif1+QWAXDRD38ZNjr//bSHrt6wDwB+QkAfl2q6Mn1k6OBPerznjRmbM10lgRb1Pli4xZPw==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "freebsd"
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
+    },
+    "node_modules/@rolldown/binding-linux-arm-gnueabihf": {
+      "version": "1.0.0-rc.15",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-arm-gnueabihf/-/binding-linux-arm-gnueabihf-1.0.0-rc.15.tgz",
+      "integrity": "sha512-cVwk0w8QbZJGTnP/AHQBs5yNwmpgGYStL88t4UIaqcvYJWBfS0s3oqVLZPwsPU6M0zlW4GqjP0Zq5MnAGwFeGA==",
+      "cpu": [
+        "arm"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
+    },
+    "node_modules/@rolldown/binding-linux-arm64-gnu": {
+      "version": "1.0.0-rc.15",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-arm64-gnu/-/binding-linux-arm64-gnu-1.0.0-rc.15.tgz",
+      "integrity": "sha512-eBZ/u8iAK9SoHGanqe/jrPnY0JvBN6iXbVOsbO38mbz+ZJsaobExAm1Iu+rxa4S1l2FjG0qEZn4Rc6X8n+9M+w==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
+    },
+    "node_modules/@rolldown/binding-linux-arm64-musl": {
+      "version": "1.0.0-rc.15",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-arm64-musl/-/binding-linux-arm64-musl-1.0.0-rc.15.tgz",
+      "integrity": "sha512-ZvRYMGrAklV9PEkgt4LQM6MjQX2P58HPAuecwYObY2DhS2t35R0I810bKi0wmaYORt6m/2Sm+Z+nFgb0WhXNcQ==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
+    },
+    "node_modules/@rolldown/binding-linux-ppc64-gnu": {
+      "version": "1.0.0-rc.15",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-ppc64-gnu/-/binding-linux-ppc64-gnu-1.0.0-rc.15.tgz",
+      "integrity": "sha512-VDpgGBzgfg5hLg+uBpCLoFG5kVvEyafmfxGUV0UHLcL5irxAK7PKNeC2MwClgk6ZAiNhmo9FLhRYgvMmedLtnQ==",
+      "cpu": [
+        "ppc64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
+    },
+    "node_modules/@rolldown/binding-linux-s390x-gnu": {
+      "version": "1.0.0-rc.15",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-s390x-gnu/-/binding-linux-s390x-gnu-1.0.0-rc.15.tgz",
+      "integrity": "sha512-y1uXY3qQWCzcPgRJATPSOUP4tCemh4uBdY7e3EZbVwCJTY3gLJWnQABgeUetvED+bt1FQ01OeZwvhLS2bpNrAQ==",
+      "cpu": [
+        "s390x"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
+    },
+    "node_modules/@rolldown/binding-linux-x64-gnu": {
+      "version": "1.0.0-rc.15",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-x64-gnu/-/binding-linux-x64-gnu-1.0.0-rc.15.tgz",
+      "integrity": "sha512-023bTPBod7J3Y/4fzAN6QtpkSABR0rigtrwaP+qSEabUh5zf6ELr9Nc7GujaROuPY3uwdSIXWrvhn1KxOvurWA==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
+    },
+    "node_modules/@rolldown/binding-linux-x64-musl": {
+      "version": "1.0.0-rc.15",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-linux-x64-musl/-/binding-linux-x64-musl-1.0.0-rc.15.tgz",
+      "integrity": "sha512-witB2O0/hU4CgfOOKUoeFgQ4GktPi1eEbAhaLAIpgD6+ZnhcPkUtPsoKKHRzmOoWPZue46IThdSgdo4XneOLYw==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
+    },
+    "node_modules/@rolldown/binding-openharmony-arm64": {
+      "version": "1.0.0-rc.15",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-openharmony-arm64/-/binding-openharmony-arm64-1.0.0-rc.15.tgz",
+      "integrity": "sha512-UCL68NJ0Ud5zRipXZE9dF5PmirzJE4E4BCIOOssEnM7wLDsxjc6Qb0sGDxTNRTP53I6MZpygyCpY8Aa8sPfKPg==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "openharmony"
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
+    },
+    "node_modules/@rolldown/binding-wasm32-wasi": {
+      "version": "1.0.0-rc.15",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-wasm32-wasi/-/binding-wasm32-wasi-1.0.0-rc.15.tgz",
+      "integrity": "sha512-ApLruZq/ig+nhaE7OJm4lDjayUnOHVUa77zGeqnqZ9pn0ovdVbbNPerVibLXDmWeUZXjIYIT8V3xkT58Rm9u5Q==",
+      "cpu": [
+        "wasm32"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "@emnapi/core": "1.9.2",
+        "@emnapi/runtime": "1.9.2",
+        "@napi-rs/wasm-runtime": "^1.1.3"
+      },
+      "engines": {
+        "node": ">=14.0.0"
+      }
+    },
+    "node_modules/@rolldown/binding-win32-arm64-msvc": {
+      "version": "1.0.0-rc.15",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-win32-arm64-msvc/-/binding-win32-arm64-msvc-1.0.0-rc.15.tgz",
+      "integrity": "sha512-KmoUoU7HnN+Si5YWJigfTws1jz1bKBYDQKdbLspz0UaqjjFkddHsqorgiW1mxcAj88lYUE6NC/zJNwT+SloqtA==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
+    },
+    "node_modules/@rolldown/binding-win32-x64-msvc": {
+      "version": "1.0.0-rc.15",
+      "resolved": "https://registry.npmjs.org/@rolldown/binding-win32-x64-msvc/-/binding-win32-x64-msvc-1.0.0-rc.15.tgz",
+      "integrity": "sha512-3P2A8L+x75qavWLe/Dll3EYBJLQmtkJN8rfh+U/eR3MqMgL/h98PhYI+JFfXuDPgPeCB7iZAKiqii5vqOvnA0g==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      }
+    },
+    "node_modules/@rolldown/pluginutils": {
+      "version": "1.0.0-rc.15",
+      "resolved": "https://registry.npmjs.org/@rolldown/pluginutils/-/pluginutils-1.0.0-rc.15.tgz",
+      "integrity": "sha512-UromN0peaE53IaBRe9W7CjrZgXl90fqGpK+mIZbA3qSTeYqg3pqpROBdIPvOG3F5ereDHNwoHBI2e50n1BDr1g==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/@standard-schema/spec": {
+      "version": "1.1.0",
+      "resolved": "https://registry.npmjs.org/@standard-schema/spec/-/spec-1.1.0.tgz",
+      "integrity": "sha512-l2aFy5jALhniG5HgqrD6jXLi/rUWrKvqN/qJx6yoJsgKhblVd+iqqU4RCXavm/jPityDo5TCvKMnpjKnOriy0w==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/@tybys/wasm-util": {
+      "version": "0.10.1",
+      "resolved": "https://registry.npmjs.org/@tybys/wasm-util/-/wasm-util-0.10.1.tgz",
+      "integrity": "sha512-9tTaPJLSiejZKx+Bmog4uSubteqTvFrVrURwkmHixBo0G4seD0zUxp98E1DzUBJxLQ3NPwXrGKDiVjwx/DpPsg==",
+      "dev": true,
+      "license": "MIT",
+      "optional": true,
+      "dependencies": {
+        "tslib": "^2.4.0"
+      }
+    },
+    "node_modules/@types/chai": {
+      "version": "5.2.3",
+      "resolved": "https://registry.npmjs.org/@types/chai/-/chai-5.2.3.tgz",
+      "integrity": "sha512-Mw558oeA9fFbv65/y4mHtXDs9bPnFMZAL/jxdPFUpOHHIXX91mcgEHbS5Lahr+pwZFR8A7GQleRWeI6cGFC2UA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@types/deep-eql": "*",
+        "assertion-error": "^2.0.1"
+      }
+    },
     "node_modules/@types/conventional-commits-parser": {
       "version": "5.0.2",
       "resolved": "https://registry.npmjs.org/@types/conventional-commits-parser/-/conventional-commits-parser-5.0.2.tgz",
@@ -309,6 +745,20 @@
         "@types/node": "*"
       }
     },
+    "node_modules/@types/deep-eql": {
+      "version": "4.0.2",
+      "resolved": "https://registry.npmjs.org/@types/deep-eql/-/deep-eql-4.0.2.tgz",
+      "integrity": "sha512-c9h9dVVMigMPc4bwTvC5dxqtqJZwQPePsWjPlpSOnojbor6pGqdk541lfA7AqFQr5pB1BRdq0juY9db81BwyFw==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/@types/estree": {
+      "version": "1.0.8",
+      "resolved": "https://registry.npmjs.org/@types/estree/-/estree-1.0.8.tgz",
+      "integrity": "sha512-dWHzHa2WqEXI/O1E9OjrocMTKJl2mSrEolh1Iomrv6U+JuNwaHXsXx9bLu5gG7BUWFIN0skIQJQ/L1rIex4X6w==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/@types/node": {
       "version": "25.6.0",
       "resolved": "https://registry.npmjs.org/@types/node/-/node-25.6.0.tgz",
@@ -319,6 +769,150 @@
         "undici-types": "~7.19.0"
       }
     },
+    "node_modules/@vitest/coverage-v8": {
+      "version": "4.1.4",
+      "resolved": "https://registry.npmjs.org/@vitest/coverage-v8/-/coverage-v8-4.1.4.tgz",
+      "integrity": "sha512-x7FptB5oDruxNPDNY2+S8tCh0pcq7ymCe1gTHcsp733jYjrJl8V1gMUlVysuCD9Kz46Xz9t1akkv08dPcYDs1w==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@bcoe/v8-coverage": "^1.0.2",
+        "@vitest/utils": "4.1.4",
+        "ast-v8-to-istanbul": "^1.0.0",
+        "istanbul-lib-coverage": "^3.2.2",
+        "istanbul-lib-report": "^3.0.1",
+        "istanbul-reports": "^3.2.0",
+        "magicast": "^0.5.2",
+        "obug": "^2.1.1",
+        "std-env": "^4.0.0-rc.1",
+        "tinyrainbow": "^3.1.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/vitest"
+      },
+      "peerDependencies": {
+        "@vitest/browser": "4.1.4",
+        "vitest": "4.1.4"
+      },
+      "peerDependenciesMeta": {
+        "@vitest/browser": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@vitest/expect": {
+      "version": "4.1.4",
+      "resolved": "https://registry.npmjs.org/@vitest/expect/-/expect-4.1.4.tgz",
+      "integrity": "sha512-iPBpra+VDuXmBFI3FMKHSFXp3Gx5HfmSCE8X67Dn+bwephCnQCaB7qWK2ldHa+8ncN8hJU8VTMcxjPpyMkUjww==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@standard-schema/spec": "^1.1.0",
+        "@types/chai": "^5.2.2",
+        "@vitest/spy": "4.1.4",
+        "@vitest/utils": "4.1.4",
+        "chai": "^6.2.2",
+        "tinyrainbow": "^3.1.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/vitest"
+      }
+    },
+    "node_modules/@vitest/mocker": {
+      "version": "4.1.4",
+      "resolved": "https://registry.npmjs.org/@vitest/mocker/-/mocker-4.1.4.tgz",
+      "integrity": "sha512-R9HTZBhW6yCSGbGQnDnH3QHfJxokKN4KB+Yvk9Q1le7eQNYwiCyKxmLmurSpFy6BzJanSLuEUDrD+j97Q+ZLPg==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@vitest/spy": "4.1.4",
+        "estree-walker": "^3.0.3",
+        "magic-string": "^0.30.21"
+      },
+      "funding": {
+        "url": "https://opencollective.com/vitest"
+      },
+      "peerDependencies": {
+        "msw": "^2.4.9",
+        "vite": "^6.0.0 || ^7.0.0 || ^8.0.0"
+      },
+      "peerDependenciesMeta": {
+        "msw": {
+          "optional": true
+        },
+        "vite": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@vitest/pretty-format": {
+      "version": "4.1.4",
+      "resolved": "https://registry.npmjs.org/@vitest/pretty-format/-/pretty-format-4.1.4.tgz",
+      "integrity": "sha512-ddmDHU0gjEUyEVLxtZa7xamrpIefdEETu3nZjWtHeZX4QxqJ7tRxSteHVXJOcr8jhiLoGAhkK4WJ3WqBpjx42A==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "tinyrainbow": "^3.1.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/vitest"
+      }
+    },
+    "node_modules/@vitest/runner": {
+      "version": "4.1.4",
+      "resolved": "https://registry.npmjs.org/@vitest/runner/-/runner-4.1.4.tgz",
+      "integrity": "sha512-xTp7VZ5aXP5ZJrn15UtJUWlx6qXLnGtF6jNxHepdPHpMfz/aVPx+htHtgcAL2mDXJgKhpoo2e9/hVJsIeFbytQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@vitest/utils": "4.1.4",
+        "pathe": "^2.0.3"
+      },
+      "funding": {
+        "url": "https://opencollective.com/vitest"
+      }
+    },
+    "node_modules/@vitest/snapshot": {
+      "version": "4.1.4",
+      "resolved": "https://registry.npmjs.org/@vitest/snapshot/-/snapshot-4.1.4.tgz",
+      "integrity": "sha512-MCjCFgaS8aZz+m5nTcEcgk/xhWv0rEH4Yl53PPlMXOZ1/Ka2VcZU6CJ+MgYCZbcJvzGhQRjVrGQNZqkGPttIKw==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@vitest/pretty-format": "4.1.4",
+        "@vitest/utils": "4.1.4",
+        "magic-string": "^0.30.21",
+        "pathe": "^2.0.3"
+      },
+      "funding": {
+        "url": "https://opencollective.com/vitest"
+      }
+    },
+    "node_modules/@vitest/spy": {
+      "version": "4.1.4",
+      "resolved": "https://registry.npmjs.org/@vitest/spy/-/spy-4.1.4.tgz",
+      "integrity": "sha512-XxNdAsKW7C+FLydqFJLb5KhJtl3PGCMmYwFRfhvIgxJvLSXhhVI1zM8f1qD3Zg7RCjTSzDVyct6sghs9UEgBEQ==",
+      "dev": true,
+      "license": "MIT",
+      "funding": {
+        "url": "https://opencollective.com/vitest"
+      }
+    },
+    "node_modules/@vitest/utils": {
+      "version": "4.1.4",
+      "resolved": "https://registry.npmjs.org/@vitest/utils/-/utils-4.1.4.tgz",
+      "integrity": "sha512-13QMT+eysM5uVGa1rG4kegGYNp6cnQcsTc67ELFbhNLQO+vgsygtYJx2khvdt4gVQqSSpC/KT5FZZxUpP3Oatw==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@vitest/pretty-format": "4.1.4",
+        "convert-source-map": "^2.0.0",
+        "tinyrainbow": "^3.1.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/vitest"
+      }
+    },
     "node_modules/ajv": {
       "version": "8.18.0",
       "resolved": "https://registry.npmjs.org/ajv/-/ajv-8.18.0.tgz",
@@ -392,6 +986,35 @@
       "dev": true,
       "license": "MIT"
     },
+    "node_modules/assertion-error": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/assertion-error/-/assertion-error-2.0.1.tgz",
+      "integrity": "sha512-Izi8RQcffqCeNVgFigKli1ssklIbpHnCYc6AknXGYoB6grJqyeby7jv12JUQgmTAnIDnbck1uxksT4dzN3PWBA==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=12"
+      }
+    },
+    "node_modules/ast-v8-to-istanbul": {
+      "version": "1.0.0",
+      "resolved": "https://registry.npmjs.org/ast-v8-to-istanbul/-/ast-v8-to-istanbul-1.0.0.tgz",
+      "integrity": "sha512-1fSfIwuDICFA4LKkCzRPO7F0hzFf0B7+Xqrl27ynQaa+Rh0e1Es0v6kWHPott3lU10AyAr7oKHa65OppjLn3Rg==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@jridgewell/trace-mapping": "^0.3.31",
+        "estree-walker": "^3.0.3",
+        "js-tokens": "^10.0.0"
+      }
+    },
+    "node_modules/ast-v8-to-istanbul/node_modules/js-tokens": {
+      "version": "10.0.0",
+      "resolved": "https://registry.npmjs.org/js-tokens/-/js-tokens-10.0.0.tgz",
+      "integrity": "sha512-lM/UBzQmfJRo9ABXbPWemivdCW8V2G8FHaHdypQaIy523snUjog0W71ayWXTjiR+ixeMyVHN2XcpnTd/liPg/Q==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/braces": {
       "version": "3.0.3",
       "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.3.tgz",
@@ -415,6 +1038,16 @@
         "node": ">=6"
       }
     },
+    "node_modules/chai": {
+      "version": "6.2.2",
+      "resolved": "https://registry.npmjs.org/chai/-/chai-6.2.2.tgz",
+      "integrity": "sha512-NUPRluOfOiTKBKvWPtSD4PhFvWCqOi0BGStNWs57X9js7XGTprSmFoz5F0tWhR4WPjNeR9jXqdC7/UpSJTnlRg==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=18"
+      }
+    },
     "node_modules/chalk": {
       "version": "5.6.2",
       "resolved": "https://registry.npmjs.org/chalk/-/chalk-5.6.2.tgz",
@@ -658,6 +1291,13 @@
         "node": ">=16"
       }
     },
+    "node_modules/convert-source-map": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/convert-source-map/-/convert-source-map-2.0.0.tgz",
+      "integrity": "sha512-Kvp459HrV2FEJ1CAsi1Ku+MY3kasH19TFykTz2xWmMeq6bk2NU3XXvfJ+Q61m0xktWwt+1HSYf3JZsTms3aRJg==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/cosmiconfig": {
       "version": "9.0.1",
       "resolved": "https://registry.npmjs.org/cosmiconfig/-/cosmiconfig-9.0.1.tgz",
@@ -749,6 +1389,16 @@
         }
       }
     },
+    "node_modules/detect-libc": {
+      "version": "2.1.2",
+      "resolved": "https://registry.npmjs.org/detect-libc/-/detect-libc-2.1.2.tgz",
+      "integrity": "sha512-Btj2BOOO83o3WyH59e8MgXsxEQVcarkUOpEYrubB0urwnN10yQ364rsiByU11nZlqWYZm05i/of7io4mzihBtQ==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "engines": {
+        "node": ">=8"
+      }
+    },
     "node_modules/dot-prop": {
       "version": "5.3.0",
       "resolved": "https://registry.npmjs.org/dot-prop/-/dot-prop-5.3.0.tgz",
@@ -802,6 +1452,13 @@
         "is-arrayish": "^0.2.1"
       }
     },
+    "node_modules/es-module-lexer": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/es-module-lexer/-/es-module-lexer-2.0.0.tgz",
+      "integrity": "sha512-5POEcUuZybH7IdmGsD8wlf0AI55wMecM9rVBTI/qEAy2c1kTOm3DjFYjrBdI2K3BaJjJYfYFeRtM0t9ssnRuxw==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/escalade": {
       "version": "3.2.0",
       "resolved": "https://registry.npmjs.org/escalade/-/escalade-3.2.0.tgz",
@@ -812,6 +1469,16 @@
         "node": ">=6"
       }
     },
+    "node_modules/estree-walker": {
+      "version": "3.0.3",
+      "resolved": "https://registry.npmjs.org/estree-walker/-/estree-walker-3.0.3.tgz",
+      "integrity": "sha512-7RUKfXgSMMkzt6ZuXmqapOurLGPPfgj6l9uRZ7lRGolvk0y2yocc35LdcxKC5PQZdn2DMqioAQ2NoWcrTKmm6g==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@types/estree": "^1.0.0"
+      }
+    },
     "node_modules/eventemitter3": {
       "version": "5.0.4",
       "resolved": "https://registry.npmjs.org/eventemitter3/-/eventemitter3-5.0.4.tgz",
@@ -843,6 +1510,16 @@
         "url": "https://github.com/sindresorhus/execa?sponsor=1"
       }
     },
+    "node_modules/expect-type": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/expect-type/-/expect-type-1.3.0.tgz",
+      "integrity": "sha512-knvyeauYhqjOYvQ66MznSMs83wmHrCycNEN6Ao+2AeYEfxUIkuiVxdEa1qlGEPK+We3n0THiDciYSsCcgW/DoA==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "engines": {
+        "node": ">=12.0.0"
+      }
+    },
     "node_modules/fast-deep-equal": {
       "version": "3.1.3",
       "resolved": "https://registry.npmjs.org/fast-deep-equal/-/fast-deep-equal-3.1.3.tgz",
@@ -898,6 +1575,21 @@
         "url": "https://github.com/sponsors/sindresorhus"
       }
     },
+    "node_modules/fsevents": {
+      "version": "2.3.3",
+      "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.3.tgz",
+      "integrity": "sha512-5xoDfX+fL7faATnagmWPpbFtwh/R77WmMMqqHGS65C3vvB0YHrgF+B1YmZ3441tMj5n63k0212XNoJwzlhffQw==",
+      "dev": true,
+      "hasInstallScript": true,
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": "^8.16.0 || ^10.6.0 || >=11.0.0"
+      }
+    },
     "node_modules/get-caller-file": {
       "version": "2.0.5",
       "resolved": "https://registry.npmjs.org/get-caller-file/-/get-caller-file-2.0.5.tgz",
@@ -969,6 +1661,23 @@
         "url": "https://github.com/sponsors/sindresorhus"
       }
     },
+    "node_modules/has-flag": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/has-flag/-/has-flag-4.0.0.tgz",
+      "integrity": "sha512-EykJT/Q1KjTWctppgIAgfSO0tKVuZUjhgMr17kqTumMl6Afv3EISleU7qZUzoXDFTAHTDC4NOoG/ZxU3EvlMPQ==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/html-escaper": {
+      "version": "2.0.2",
+      "resolved": "https://registry.npmjs.org/html-escaper/-/html-escaper-2.0.2.tgz",
+      "integrity": "sha512-H2iMtd0I4Mt5eYiapRdIDjp+XzelXQ0tFE4JS7YFwFevXXMmOp9myNrUvCg0D6ws8iqkRPBfKHgbwig1SmlLfg==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/human-signals": {
       "version": "5.0.0",
       "resolved": "https://registry.npmjs.org/human-signals/-/human-signals-5.0.0.tgz",
@@ -1116,6 +1825,45 @@
       "dev": true,
       "license": "ISC"
     },
+    "node_modules/istanbul-lib-coverage": {
+      "version": "3.2.2",
+      "resolved": "https://registry.npmjs.org/istanbul-lib-coverage/-/istanbul-lib-coverage-3.2.2.tgz",
+      "integrity": "sha512-O8dpsF+r0WV/8MNRKfnmrtCWhuKjxrq2w+jpzBL5UZKTi2LeVWnWOmWRxFlesJONmc+wLAGvKQZEOanko0LFTg==",
+      "dev": true,
+      "license": "BSD-3-Clause",
+      "engines": {
+        "node": ">=8"
+      }
+    },
+    "node_modules/istanbul-lib-report": {
+      "version": "3.0.1",
+      "resolved": "https://registry.npmjs.org/istanbul-lib-report/-/istanbul-lib-report-3.0.1.tgz",
+      "integrity": "sha512-GCfE1mtsHGOELCU8e/Z7YWzpmybrx/+dSTfLrvY8qRmaY6zXTKWn6WQIjaAFw069icm6GVMNkgu0NzI4iPZUNw==",
+      "dev": true,
+      "license": "BSD-3-Clause",
+      "dependencies": {
+        "istanbul-lib-coverage": "^3.0.0",
+        "make-dir": "^4.0.0",
+        "supports-color": "^7.1.0"
+      },
+      "engines": {
+        "node": ">=10"
+      }
+    },
+    "node_modules/istanbul-reports": {
+      "version": "3.2.0",
+      "resolved": "https://registry.npmjs.org/istanbul-reports/-/istanbul-reports-3.2.0.tgz",
+      "integrity": "sha512-HGYWWS/ehqTV3xN10i23tkPkpH46MLCIMFNCaaKNavAXTF1RkqxawEPtnjnGZ6XKSInBKkiOA5BKS+aZiY3AvA==",
+      "dev": true,
+      "license": "BSD-3-Clause",
+      "dependencies": {
+        "html-escaper": "^2.0.0",
+        "istanbul-lib-report": "^3.0.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
     "node_modules/jiti": {
       "version": "2.6.1",
       "resolved": "https://registry.npmjs.org/jiti/-/jiti-2.6.1.tgz",
@@ -1180,11 +1928,272 @@
         "jsonparse": "^1.2.0",
         "through": ">=2.2.7 <3"
       },
-      "bin": {
-        "JSONStream": "bin.js"
+      "bin": {
+        "JSONStream": "bin.js"
+      },
+      "engines": {
+        "node": "*"
+      }
+    },
+    "node_modules/lightningcss": {
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss/-/lightningcss-1.32.0.tgz",
+      "integrity": "sha512-NXYBzinNrblfraPGyrbPoD19C1h9lfI/1mzgWYvXUTe414Gz/X1FD2XBZSZM7rRTrMA8JL3OtAaGifrIKhQ5yQ==",
+      "dev": true,
+      "license": "MPL-2.0",
+      "dependencies": {
+        "detect-libc": "^2.0.3"
+      },
+      "engines": {
+        "node": ">= 12.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/parcel"
+      },
+      "optionalDependencies": {
+        "lightningcss-android-arm64": "1.32.0",
+        "lightningcss-darwin-arm64": "1.32.0",
+        "lightningcss-darwin-x64": "1.32.0",
+        "lightningcss-freebsd-x64": "1.32.0",
+        "lightningcss-linux-arm-gnueabihf": "1.32.0",
+        "lightningcss-linux-arm64-gnu": "1.32.0",
+        "lightningcss-linux-arm64-musl": "1.32.0",
+        "lightningcss-linux-x64-gnu": "1.32.0",
+        "lightningcss-linux-x64-musl": "1.32.0",
+        "lightningcss-win32-arm64-msvc": "1.32.0",
+        "lightningcss-win32-x64-msvc": "1.32.0"
+      }
+    },
+    "node_modules/lightningcss-android-arm64": {
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-android-arm64/-/lightningcss-android-arm64-1.32.0.tgz",
+      "integrity": "sha512-YK7/ClTt4kAK0vo6w3X+Pnm0D2cf2vPHbhOXdoNti1Ga0al1P4TBZhwjATvjNwLEBCnKvjJc2jQgHXH0NEwlAg==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MPL-2.0",
+      "optional": true,
+      "os": [
+        "android"
+      ],
+      "engines": {
+        "node": ">= 12.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/parcel"
+      }
+    },
+    "node_modules/lightningcss-darwin-arm64": {
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-darwin-arm64/-/lightningcss-darwin-arm64-1.32.0.tgz",
+      "integrity": "sha512-RzeG9Ju5bag2Bv1/lwlVJvBE3q6TtXskdZLLCyfg5pt+HLz9BqlICO7LZM7VHNTTn/5PRhHFBSjk5lc4cmscPQ==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MPL-2.0",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": ">= 12.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/parcel"
+      }
+    },
+    "node_modules/lightningcss-darwin-x64": {
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-darwin-x64/-/lightningcss-darwin-x64-1.32.0.tgz",
+      "integrity": "sha512-U+QsBp2m/s2wqpUYT/6wnlagdZbtZdndSmut/NJqlCcMLTWp5muCrID+K5UJ6jqD2BFshejCYXniPDbNh73V8w==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MPL-2.0",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "engines": {
+        "node": ">= 12.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/parcel"
+      }
+    },
+    "node_modules/lightningcss-freebsd-x64": {
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-freebsd-x64/-/lightningcss-freebsd-x64-1.32.0.tgz",
+      "integrity": "sha512-JCTigedEksZk3tHTTthnMdVfGf61Fky8Ji2E4YjUTEQX14xiy/lTzXnu1vwiZe3bYe0q+SpsSH/CTeDXK6WHig==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MPL-2.0",
+      "optional": true,
+      "os": [
+        "freebsd"
+      ],
+      "engines": {
+        "node": ">= 12.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/parcel"
+      }
+    },
+    "node_modules/lightningcss-linux-arm-gnueabihf": {
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-linux-arm-gnueabihf/-/lightningcss-linux-arm-gnueabihf-1.32.0.tgz",
+      "integrity": "sha512-x6rnnpRa2GL0zQOkt6rts3YDPzduLpWvwAF6EMhXFVZXD4tPrBkEFqzGowzCsIWsPjqSK+tyNEODUBXeeVHSkw==",
+      "cpu": [
+        "arm"
+      ],
+      "dev": true,
+      "license": "MPL-2.0",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">= 12.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/parcel"
+      }
+    },
+    "node_modules/lightningcss-linux-arm64-gnu": {
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-linux-arm64-gnu/-/lightningcss-linux-arm64-gnu-1.32.0.tgz",
+      "integrity": "sha512-0nnMyoyOLRJXfbMOilaSRcLH3Jw5z9HDNGfT/gwCPgaDjnx0i8w7vBzFLFR1f6CMLKF8gVbebmkUN3fa/kQJpQ==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MPL-2.0",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">= 12.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/parcel"
+      }
+    },
+    "node_modules/lightningcss-linux-arm64-musl": {
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-linux-arm64-musl/-/lightningcss-linux-arm64-musl-1.32.0.tgz",
+      "integrity": "sha512-UpQkoenr4UJEzgVIYpI80lDFvRmPVg6oqboNHfoH4CQIfNA+HOrZ7Mo7KZP02dC6LjghPQJeBsvXhJod/wnIBg==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MPL-2.0",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">= 12.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/parcel"
+      }
+    },
+    "node_modules/lightningcss-linux-x64-gnu": {
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-linux-x64-gnu/-/lightningcss-linux-x64-gnu-1.32.0.tgz",
+      "integrity": "sha512-V7Qr52IhZmdKPVr+Vtw8o+WLsQJYCTd8loIfpDaMRWGUZfBOYEJeyJIkqGIDMZPwPx24pUMfwSxxI8phr/MbOA==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MPL-2.0",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">= 12.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/parcel"
+      }
+    },
+    "node_modules/lightningcss-linux-x64-musl": {
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-linux-x64-musl/-/lightningcss-linux-x64-musl-1.32.0.tgz",
+      "integrity": "sha512-bYcLp+Vb0awsiXg/80uCRezCYHNg1/l3mt0gzHnWV9XP1W5sKa5/TCdGWaR/zBM2PeF/HbsQv/j2URNOiVuxWg==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MPL-2.0",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "engines": {
+        "node": ">= 12.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/parcel"
+      }
+    },
+    "node_modules/lightningcss-win32-arm64-msvc": {
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-win32-arm64-msvc/-/lightningcss-win32-arm64-msvc-1.32.0.tgz",
+      "integrity": "sha512-8SbC8BR40pS6baCM8sbtYDSwEVQd4JlFTOlaD3gWGHfThTcABnNDBda6eTZeqbofalIJhFx0qKzgHJmcPTnGdw==",
+      "cpu": [
+        "arm64"
+      ],
+      "dev": true,
+      "license": "MPL-2.0",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "engines": {
+        "node": ">= 12.0.0"
       },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/parcel"
+      }
+    },
+    "node_modules/lightningcss-win32-x64-msvc": {
+      "version": "1.32.0",
+      "resolved": "https://registry.npmjs.org/lightningcss-win32-x64-msvc/-/lightningcss-win32-x64-msvc-1.32.0.tgz",
+      "integrity": "sha512-Amq9B/SoZYdDi1kFrojnoqPLxYhQ4Wo5XiL8EVJrVsB8ARoC1PWW6VGtT0WKCemjy8aC+louJnjS7U18x3b06Q==",
+      "cpu": [
+        "x64"
+      ],
+      "dev": true,
+      "license": "MPL-2.0",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
       "engines": {
-        "node": "*"
+        "node": ">= 12.0.0"
+      },
+      "funding": {
+        "type": "opencollective",
+        "url": "https://opencollective.com/parcel"
       }
     },
     "node_modules/lilconfig": {
@@ -1385,6 +2394,44 @@
         "url": "https://github.com/chalk/slice-ansi?sponsor=1"
       }
     },
+    "node_modules/magic-string": {
+      "version": "0.30.21",
+      "resolved": "https://registry.npmjs.org/magic-string/-/magic-string-0.30.21.tgz",
+      "integrity": "sha512-vd2F4YUyEXKGcLHoq+TEyCjxueSeHnFxyyjNp80yg0XV4vUhnDer/lvvlqM/arB5bXQN5K2/3oinyCRyx8T2CQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@jridgewell/sourcemap-codec": "^1.5.5"
+      }
+    },
+    "node_modules/magicast": {
+      "version": "0.5.2",
+      "resolved": "https://registry.npmjs.org/magicast/-/magicast-0.5.2.tgz",
+      "integrity": "sha512-E3ZJh4J3S9KfwdjZhe2afj6R9lGIN5Pher1pF39UGrXRqq/VDaGVIGN13BjHd2u8B61hArAGOnso7nBOouW3TQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@babel/parser": "^7.29.0",
+        "@babel/types": "^7.29.0",
+        "source-map-js": "^1.2.1"
+      }
+    },
+    "node_modules/make-dir": {
+      "version": "4.0.0",
+      "resolved": "https://registry.npmjs.org/make-dir/-/make-dir-4.0.0.tgz",
+      "integrity": "sha512-hXdUTZYIVOt1Ex//jAQi+wTZZpUpwBj/0QsOzqegb3rGMMeJiSEu5xLHnYfBrRV4RH2+OCSOO95Is/7x1WJ4bw==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "semver": "^7.5.3"
+      },
+      "engines": {
+        "node": ">=10"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/sindresorhus"
+      }
+    },
     "node_modules/meow": {
       "version": "12.1.1",
       "resolved": "https://registry.npmjs.org/meow/-/meow-12.1.1.tgz",
@@ -1462,6 +2509,25 @@
       "dev": true,
       "license": "MIT"
     },
+    "node_modules/nanoid": {
+      "version": "3.3.11",
+      "resolved": "https://registry.npmjs.org/nanoid/-/nanoid-3.3.11.tgz",
+      "integrity": "sha512-N8SpfPUnUp1bK+PMYW8qSWdl9U+wwNWI4QKxOYDy9JAro3WMX7p2OeVRF9v+347pnakNevPmiHhNmZ2HbFA76w==",
+      "dev": true,
+      "funding": [
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/ai"
+        }
+      ],
+      "license": "MIT",
+      "bin": {
+        "nanoid": "bin/nanoid.cjs"
+      },
+      "engines": {
+        "node": "^10 || ^12 || ^13.7 || ^14 || >=15.0.1"
+      }
+    },
     "node_modules/npm-run-path": {
       "version": "5.3.0",
       "resolved": "https://registry.npmjs.org/npm-run-path/-/npm-run-path-5.3.0.tgz",
@@ -1491,6 +2557,17 @@
         "url": "https://github.com/sponsors/sindresorhus"
       }
     },
+    "node_modules/obug": {
+      "version": "2.1.1",
+      "resolved": "https://registry.npmjs.org/obug/-/obug-2.1.1.tgz",
+      "integrity": "sha512-uTqF9MuPraAQ+IsnPf366RG4cP9RtUi7MLO1N3KEc+wb0a6yKpeL0lmk2IB1jY5KHPAlTc6T/JRdC/YqxHNwkQ==",
+      "dev": true,
+      "funding": [
+        "https://github.com/sponsors/sxzz",
+        "https://opencollective.com/debug"
+      ],
+      "license": "MIT"
+    },
     "node_modules/onetime": {
       "version": "6.0.0",
       "resolved": "https://registry.npmjs.org/onetime/-/onetime-6.0.0.tgz",
@@ -1591,6 +2668,13 @@
         "node": ">=8"
       }
     },
+    "node_modules/pathe": {
+      "version": "2.0.3",
+      "resolved": "https://registry.npmjs.org/pathe/-/pathe-2.0.3.tgz",
+      "integrity": "sha512-WUjGcAqP1gQacoQe+OBJsFA7Ld4DyXuUIjZ5cc75cLHvJ7dtNsTugphxIADwspS+AraAUePCKrSVtPLFj/F88w==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/picocolors": {
       "version": "1.1.1",
       "resolved": "https://registry.npmjs.org/picocolors/-/picocolors-1.1.1.tgz",
@@ -1624,6 +2708,35 @@
         "node": ">=0.10"
       }
     },
+    "node_modules/postcss": {
+      "version": "8.5.10",
+      "resolved": "https://registry.npmjs.org/postcss/-/postcss-8.5.10.tgz",
+      "integrity": "sha512-pMMHxBOZKFU6HgAZ4eyGnwXF/EvPGGqUr0MnZ5+99485wwW41kW91A4LOGxSHhgugZmSChL5AlElNdwlNgcnLQ==",
+      "dev": true,
+      "funding": [
+        {
+          "type": "opencollective",
+          "url": "https://opencollective.com/postcss/"
+        },
+        {
+          "type": "tidelift",
+          "url": "https://tidelift.com/funding/github/npm/postcss"
+        },
+        {
+          "type": "github",
+          "url": "https://github.com/sponsors/ai"
+        }
+      ],
+      "license": "MIT",
+      "dependencies": {
+        "nanoid": "^3.3.11",
+        "picocolors": "^1.1.1",
+        "source-map-js": "^1.2.1"
+      },
+      "engines": {
+        "node": "^10 || ^12 || >=14"
+      }
+    },
     "node_modules/require-directory": {
       "version": "2.1.1",
       "resolved": "https://registry.npmjs.org/require-directory/-/require-directory-2.1.1.tgz",
@@ -1694,6 +2807,40 @@
       "dev": true,
       "license": "MIT"
     },
+    "node_modules/rolldown": {
+      "version": "1.0.0-rc.15",
+      "resolved": "https://registry.npmjs.org/rolldown/-/rolldown-1.0.0-rc.15.tgz",
+      "integrity": "sha512-Ff31guA5zT6WjnGp0SXw76X6hzGRk/OQq2hE+1lcDe+lJdHSgnSX6nK3erbONHyCbpSj9a9E+uX/OvytZoWp2g==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@oxc-project/types": "=0.124.0",
+        "@rolldown/pluginutils": "1.0.0-rc.15"
+      },
+      "bin": {
+        "rolldown": "bin/cli.mjs"
+      },
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      },
+      "optionalDependencies": {
+        "@rolldown/binding-android-arm64": "1.0.0-rc.15",
+        "@rolldown/binding-darwin-arm64": "1.0.0-rc.15",
+        "@rolldown/binding-darwin-x64": "1.0.0-rc.15",
+        "@rolldown/binding-freebsd-x64": "1.0.0-rc.15",
+        "@rolldown/binding-linux-arm-gnueabihf": "1.0.0-rc.15",
+        "@rolldown/binding-linux-arm64-gnu": "1.0.0-rc.15",
+        "@rolldown/binding-linux-arm64-musl": "1.0.0-rc.15",
+        "@rolldown/binding-linux-ppc64-gnu": "1.0.0-rc.15",
+        "@rolldown/binding-linux-s390x-gnu": "1.0.0-rc.15",
+        "@rolldown/binding-linux-x64-gnu": "1.0.0-rc.15",
+        "@rolldown/binding-linux-x64-musl": "1.0.0-rc.15",
+        "@rolldown/binding-openharmony-arm64": "1.0.0-rc.15",
+        "@rolldown/binding-wasm32-wasi": "1.0.0-rc.15",
+        "@rolldown/binding-win32-arm64-msvc": "1.0.0-rc.15",
+        "@rolldown/binding-win32-x64-msvc": "1.0.0-rc.15"
+      }
+    },
     "node_modules/semver": {
       "version": "7.7.4",
       "resolved": "https://registry.npmjs.org/semver/-/semver-7.7.4.tgz",
@@ -1730,6 +2877,13 @@
         "node": ">=8"
       }
     },
+    "node_modules/siginfo": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/siginfo/-/siginfo-2.0.0.tgz",
+      "integrity": "sha512-ybx0WO1/8bSBLEWXZvEd7gMW3Sn3JFlW3TvX1nREbDLRNQNaeNN8WK0meBwPdAaOI7TtRRRJn/Es1zhrrCHu7g==",
+      "dev": true,
+      "license": "ISC"
+    },
     "node_modules/signal-exit": {
       "version": "4.1.0",
       "resolved": "https://registry.npmjs.org/signal-exit/-/signal-exit-4.1.0.tgz",
@@ -1760,6 +2914,16 @@
         "url": "https://github.com/chalk/slice-ansi?sponsor=1"
       }
     },
+    "node_modules/source-map-js": {
+      "version": "1.2.1",
+      "resolved": "https://registry.npmjs.org/source-map-js/-/source-map-js-1.2.1.tgz",
+      "integrity": "sha512-UXWMKhLOwVKb728IUtQPXxfYU+usdybtUrK/8uGE8CQMvrhOpwvzDBwj0QhSL7MQc7vIsISBG8VQ8+IDQxpfQA==",
+      "dev": true,
+      "license": "BSD-3-Clause",
+      "engines": {
+        "node": ">=0.10.0"
+      }
+    },
     "node_modules/split2": {
       "version": "4.2.0",
       "resolved": "https://registry.npmjs.org/split2/-/split2-4.2.0.tgz",
@@ -1770,6 +2934,20 @@
         "node": ">= 10.x"
       }
     },
+    "node_modules/stackback": {
+      "version": "0.0.2",
+      "resolved": "https://registry.npmjs.org/stackback/-/stackback-0.0.2.tgz",
+      "integrity": "sha512-1XMJE5fQo1jGH6Y/7ebnwPOBEkIEnT4QF32d5R1+VXdXveM0IBMJt8zfaxX1P3QhVwrYe+576+jkANtSS2mBbw==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/std-env": {
+      "version": "4.1.0",
+      "resolved": "https://registry.npmjs.org/std-env/-/std-env-4.1.0.tgz",
+      "integrity": "sha512-Rq7ybcX2RuC55r9oaPVEW7/xu3tj8u4GeBYHBWCychFtzMIr86A7e3PPEBPT37sHStKX3+TiX/Fr/ACmJLVlLQ==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/string-argv": {
       "version": "0.3.2",
       "resolved": "https://registry.npmjs.org/string-argv/-/string-argv-0.3.2.tgz",
@@ -1827,6 +3005,19 @@
         "url": "https://github.com/sponsors/sindresorhus"
       }
     },
+    "node_modules/supports-color": {
+      "version": "7.2.0",
+      "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-7.2.0.tgz",
+      "integrity": "sha512-qpCAvRl9stuOHveKsn7HncJRvv501qIacKzQlO/+Lwxc9+0q2wLyv4Dfvt80/DPn2pqOBsJdDiogXGR9+OvwRw==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "has-flag": "^4.0.0"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
     "node_modules/text-extensions": {
       "version": "2.4.0",
       "resolved": "https://registry.npmjs.org/text-extensions/-/text-extensions-2.4.0.tgz",
@@ -1847,6 +3038,13 @@
       "dev": true,
       "license": "MIT"
     },
+    "node_modules/tinybench": {
+      "version": "2.9.0",
+      "resolved": "https://registry.npmjs.org/tinybench/-/tinybench-2.9.0.tgz",
+      "integrity": "sha512-0+DUvqWMValLmha6lr4kD8iAMK1HzV0/aKnCtWb9v9641TnP/MFb7Pc2bxoxQjTXAErryXVgUOfv2YqNllqGeg==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/tinyexec": {
       "version": "1.1.1",
       "resolved": "https://registry.npmjs.org/tinyexec/-/tinyexec-1.1.1.tgz",
@@ -1857,6 +3055,64 @@
         "node": ">=18"
       }
     },
+    "node_modules/tinyglobby": {
+      "version": "0.2.16",
+      "resolved": "https://registry.npmjs.org/tinyglobby/-/tinyglobby-0.2.16.tgz",
+      "integrity": "sha512-pn99VhoACYR8nFHhxqix+uvsbXineAasWm5ojXoN8xEwK5Kd3/TrhNn1wByuD52UxWRLy8pu+kRMniEi6Eq9Zg==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "fdir": "^6.5.0",
+        "picomatch": "^4.0.4"
+      },
+      "engines": {
+        "node": ">=12.0.0"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/SuperchupuDev"
+      }
+    },
+    "node_modules/tinyglobby/node_modules/fdir": {
+      "version": "6.5.0",
+      "resolved": "https://registry.npmjs.org/fdir/-/fdir-6.5.0.tgz",
+      "integrity": "sha512-tIbYtZbucOs0BRGqPJkshJUYdL+SDH7dVM8gjy+ERp3WAUjLEFJE+02kanyHtwjWOnwrKYBiwAmM0p4kLJAnXg==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=12.0.0"
+      },
+      "peerDependencies": {
+        "picomatch": "^3 || ^4"
+      },
+      "peerDependenciesMeta": {
+        "picomatch": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/tinyglobby/node_modules/picomatch": {
+      "version": "4.0.4",
+      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.4.tgz",
+      "integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=12"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/jonschlinkert"
+      }
+    },
+    "node_modules/tinyrainbow": {
+      "version": "3.1.0",
+      "resolved": "https://registry.npmjs.org/tinyrainbow/-/tinyrainbow-3.1.0.tgz",
+      "integrity": "sha512-Bf+ILmBgretUrdJxzXM0SgXLZ3XfiaUuOj/IKQHuTXip+05Xn+uyEYdVg0kYDipTBcLrCVyUzAPz7QmArb0mmw==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=14.0.0"
+      }
+    },
     "node_modules/to-regex-range": {
       "version": "5.0.1",
       "resolved": "https://registry.npmjs.org/to-regex-range/-/to-regex-range-5.0.1.tgz",
@@ -1870,6 +3126,14 @@
         "node": ">=8.0"
       }
     },
+    "node_modules/tslib": {
+      "version": "2.8.1",
+      "resolved": "https://registry.npmjs.org/tslib/-/tslib-2.8.1.tgz",
+      "integrity": "sha512-oJFu94HQb+KVduSUQL7wnpmqnfmLsOA/nAh6b6EH0wCEoK0/mPeXU6c3wKDV83MkOuHPRHtSXKKU99IBazS/2w==",
+      "dev": true,
+      "license": "0BSD",
+      "optional": true
+    },
     "node_modules/typescript": {
       "version": "6.0.3",
       "resolved": "https://registry.npmjs.org/typescript/-/typescript-6.0.3.tgz",
@@ -1905,6 +3169,200 @@
         "url": "https://github.com/sponsors/sindresorhus"
       }
     },
+    "node_modules/vite": {
+      "version": "8.0.8",
+      "resolved": "https://registry.npmjs.org/vite/-/vite-8.0.8.tgz",
+      "integrity": "sha512-dbU7/iLVa8KZALJyLOBOQ88nOXtNG8vxKuOT4I2mD+Ya70KPceF4IAmDsmU0h1Qsn5bPrvsY9HJstCRh3hG6Uw==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "lightningcss": "^1.32.0",
+        "picomatch": "^4.0.4",
+        "postcss": "^8.5.8",
+        "rolldown": "1.0.0-rc.15",
+        "tinyglobby": "^0.2.15"
+      },
+      "bin": {
+        "vite": "bin/vite.js"
+      },
+      "engines": {
+        "node": "^20.19.0 || >=22.12.0"
+      },
+      "funding": {
+        "url": "https://github.com/vitejs/vite?sponsor=1"
+      },
+      "optionalDependencies": {
+        "fsevents": "~2.3.3"
+      },
+      "peerDependencies": {
+        "@types/node": "^20.19.0 || >=22.12.0",
+        "@vitejs/devtools": "^0.1.0",
+        "esbuild": "^0.27.0 || ^0.28.0",
+        "jiti": ">=1.21.0",
+        "less": "^4.0.0",
+        "sass": "^1.70.0",
+        "sass-embedded": "^1.70.0",
+        "stylus": ">=0.54.8",
+        "sugarss": "^5.0.0",
+        "terser": "^5.16.0",
+        "tsx": "^4.8.1",
+        "yaml": "^2.4.2"
+      },
+      "peerDependenciesMeta": {
+        "@types/node": {
+          "optional": true
+        },
+        "@vitejs/devtools": {
+          "optional": true
+        },
+        "esbuild": {
+          "optional": true
+        },
+        "jiti": {
+          "optional": true
+        },
+        "less": {
+          "optional": true
+        },
+        "sass": {
+          "optional": true
+        },
+        "sass-embedded": {
+          "optional": true
+        },
+        "stylus": {
+          "optional": true
+        },
+        "sugarss": {
+          "optional": true
+        },
+        "terser": {
+          "optional": true
+        },
+        "tsx": {
+          "optional": true
+        },
+        "yaml": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/vite/node_modules/picomatch": {
+      "version": "4.0.4",
+      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.4.tgz",
+      "integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=12"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/jonschlinkert"
+      }
+    },
+    "node_modules/vitest": {
+      "version": "4.1.4",
+      "resolved": "https://registry.npmjs.org/vitest/-/vitest-4.1.4.tgz",
+      "integrity": "sha512-tFuJqTxKb8AvfyqMfnavXdzfy3h3sWZRWwfluGbkeR7n0HUev+FmNgZ8SDrRBTVrVCjgH5cA21qGbCffMNtWvg==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@vitest/expect": "4.1.4",
+        "@vitest/mocker": "4.1.4",
+        "@vitest/pretty-format": "4.1.4",
+        "@vitest/runner": "4.1.4",
+        "@vitest/snapshot": "4.1.4",
+        "@vitest/spy": "4.1.4",
+        "@vitest/utils": "4.1.4",
+        "es-module-lexer": "^2.0.0",
+        "expect-type": "^1.3.0",
+        "magic-string": "^0.30.21",
+        "obug": "^2.1.1",
+        "pathe": "^2.0.3",
+        "picomatch": "^4.0.3",
+        "std-env": "^4.0.0-rc.1",
+        "tinybench": "^2.9.0",
+        "tinyexec": "^1.0.2",
+        "tinyglobby": "^0.2.15",
+        "tinyrainbow": "^3.1.0",
+        "vite": "^6.0.0 || ^7.0.0 || ^8.0.0",
+        "why-is-node-running": "^2.3.0"
+      },
+      "bin": {
+        "vitest": "vitest.mjs"
+      },
+      "engines": {
+        "node": "^20.0.0 || ^22.0.0 || >=24.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/vitest"
+      },
+      "peerDependencies": {
+        "@edge-runtime/vm": "*",
+        "@opentelemetry/api": "^1.9.0",
+        "@types/node": "^20.0.0 || ^22.0.0 || >=24.0.0",
+        "@vitest/browser-playwright": "4.1.4",
+        "@vitest/browser-preview": "4.1.4",
+        "@vitest/browser-webdriverio": "4.1.4",
+        "@vitest/coverage-istanbul": "4.1.4",
+        "@vitest/coverage-v8": "4.1.4",
+        "@vitest/ui": "4.1.4",
+        "happy-dom": "*",
+        "jsdom": "*",
+        "vite": "^6.0.0 || ^7.0.0 || ^8.0.0"
+      },
+      "peerDependenciesMeta": {
+        "@edge-runtime/vm": {
+          "optional": true
+        },
+        "@opentelemetry/api": {
+          "optional": true
+        },
+        "@types/node": {
+          "optional": true
+        },
+        "@vitest/browser-playwright": {
+          "optional": true
+        },
+        "@vitest/browser-preview": {
+          "optional": true
+        },
+        "@vitest/browser-webdriverio": {
+          "optional": true
+        },
+        "@vitest/coverage-istanbul": {
+          "optional": true
+        },
+        "@vitest/coverage-v8": {
+          "optional": true
+        },
+        "@vitest/ui": {
+          "optional": true
+        },
+        "happy-dom": {
+          "optional": true
+        },
+        "jsdom": {
+          "optional": true
+        },
+        "vite": {
+          "optional": false
+        }
+      }
+    },
+    "node_modules/vitest/node_modules/picomatch": {
+      "version": "4.0.4",
+      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.4.tgz",
+      "integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=12"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/jonschlinkert"
+      }
+    },
     "node_modules/which": {
       "version": "2.0.2",
       "resolved": "https://registry.npmjs.org/which/-/which-2.0.2.tgz",
@@ -1921,6 +3379,23 @@
         "node": ">= 8"
       }
     },
+    "node_modules/why-is-node-running": {
+      "version": "2.3.0",
+      "resolved": "https://registry.npmjs.org/why-is-node-running/-/why-is-node-running-2.3.0.tgz",
+      "integrity": "sha512-hUrmaWBdVDcxvYqnyh09zunKzROWjbZTiNy8dBEjkS7ehEDQibXJ7XvlmtbwuTclUiIyN+CyXQD4Vmko8fNm8w==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "siginfo": "^2.0.0",
+        "stackback": "0.0.2"
+      },
+      "bin": {
+        "why-is-node-running": "cli.js"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
     "node_modules/wrap-ansi": {
       "version": "9.0.2",
       "resolved": "https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-9.0.2.tgz",
diff --git a/package.json b/package.json
index 5fa6b28..3628b64 100644
--- a/package.json
+++ b/package.json
@@ -11,8 +11,10 @@
   "devDependencies": {
     "@commitlint/cli": "^19.5.0",
     "@commitlint/config-conventional": "^19.5.0",
+    "@vitest/coverage-v8": "^4.1.4",
     "husky": "^9.1.6",
-    "lint-staged": "^15.2.10"
+    "lint-staged": "^15.2.10",
+    "vitest": "^4.1.4"
   },
   "engines": {
     "node": ">=22"

From 53b315c94c4310770b3a8d564d3579800a20d2c2 Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:30:35 +0400
Subject: [PATCH 02/82] chore: expand gitignore for memory and agent folders

---
 .gitignore | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.gitignore b/.gitignore
index 3bdbcc2..003d297 100644
--- a/.gitignore
+++ b/.gitignore
@@ -8,7 +8,9 @@ scripts/
 .cursor/
 .vscode/
 .claude/
+.agents/
 CLAUDE.md
+memory/
 .idea/
 *.sublime-*
 

From 3ffd8c9a3535cdb9ba59342d29ba5fb8622f2a88 Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:30:36 +0400
Subject: [PATCH 03/82] ci(api): stop swallowing pytest exit 5

---
 .github/workflows/api-ci.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/api-ci.yml b/.github/workflows/api-ci.yml
index 280a3c5..daa73a7 100644
--- a/.github/workflows/api-ci.yml
+++ b/.github/workflows/api-ci.yml
@@ -35,4 +35,4 @@ jobs:
         run: uv run mypy .
 
       - name: Pytest
-        run: uv run pytest --tb=short -q || [ $? -eq 5 ]
+        run: uv run pytest --tb=short -q

From 569200868f0867e1b6fa4422334d30848d36aa0b Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:30:37 +0400
Subject: [PATCH 04/82] ci(ui): run vitest in the UI pipeline

---
 .github/workflows/ui-ci.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/workflows/ui-ci.yml b/.github/workflows/ui-ci.yml
index 043e29e..d8e1613 100644
--- a/.github/workflows/ui-ci.yml
+++ b/.github/workflows/ui-ci.yml
@@ -38,5 +38,8 @@ jobs:
       - name: Format check
         run: npm run format:check
 
+      - name: Test
+        run: npm run test
+
       - name: Build
         run: npm run build

From a9906b1400a2f85c2620612e0c2f75a14730ec0c Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:30:37 +0400
Subject: [PATCH 05/82] build: add MinIO service to dev docker-compose

---
 docker-compose.yml | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/docker-compose.yml b/docker-compose.yml
index 328f010..d38c7f4 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -27,6 +27,24 @@ services:
       timeout: 5s
       retries: 5
 
+  minio:
+    image: minio/minio:latest
+    command: server /data --console-address ":9001"
+    environment:
+      MINIO_ROOT_USER: minioadmin
+      MINIO_ROOT_PASSWORD: minioadmin
+    ports:
+      - "9000:9000"
+      - "9001:9001"
+    volumes:
+      - minio_data:/data
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:9000/minio/health/live"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+
 volumes:
   postgres_data:
   redis_data:
+  minio_data:

From 5d10c726d1469a217c338d251e0dce1886db9cdf Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:30:38 +0400
Subject: [PATCH 06/82] build: add production docker-compose and env template

---
 .env.prod.example       |  63 +++++++++++++++++++++++
 docker-compose.prod.yml | 110 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 173 insertions(+)
 create mode 100644 .env.prod.example
 create mode 100644 docker-compose.prod.yml

diff --git a/.env.prod.example b/.env.prod.example
new file mode 100644
index 0000000..d1de693
--- /dev/null
+++ b/.env.prod.example
@@ -0,0 +1,63 @@
+# Production environment template for docker-compose.prod.yml.
+# Copy to `.env.prod`, fill in every required value, and make sure
+# the real file never leaves your infrastructure.
+
+# --- Postgres ---------------------------------------------------------
+POSTGRES_USER=loomy
+POSTGRES_PASSWORD=change-me-to-a-strong-random-password
+POSTGRES_DB=loomy
+
+# --- Redis ------------------------------------------------------------
+REDIS_PASSWORD=change-me-to-another-strong-random-password
+
+# --- API --------------------------------------------------------------
+# >= 32 chars, generated with `openssl rand -hex 32` or similar.
+SECRET_KEY=replace-with-32-plus-char-random-secret
+# Public URLs (no trailing slash).
+FRONTEND_URL=https://app.example.com
+# Ports published on the host; adjust if you terminate TLS elsewhere.
+API_PORT=8000
+UI_PORT=80
+
+# Token lifetimes (defaults shown).
+ACCESS_TOKEN_EXPIRE_MINUTES=60
+REFRESH_TOKEN_EXPIRE_DAYS=30
+
+# --- OAuth (optional) -------------------------------------------------
+GITHUB_CLIENT_ID=
+GITHUB_CLIENT_SECRET=
+GITHUB_REDIRECT_URI=https://api.example.com/api/auth/github/callback
+GOOGLE_CLIENT_ID=
+GOOGLE_CLIENT_SECRET=
+GOOGLE_REDIRECT_URI=https://api.example.com/api/auth/google/callback
+
+# --- Email (required for password reset in production) ---------------
+# Set EMAIL_BACKEND=smtp and fill the rest to actually deliver mail.
+EMAIL_BACKEND=smtp
+SMTP_HOST=smtp.example.com
+SMTP_PORT=587
+SMTP_USER=
+SMTP_PASSWORD=
+SMTP_USE_TLS=true
+EMAIL_FROM_ADDRESS=no-reply@example.com
+EMAIL_FROM_NAME=Loomy
+
+# --- Object storage (required for user uploads) ---------------------
+# Point at any S3-compatible endpoint (AWS S3, MinIO, Backblaze B2, etc.).
+# Leave blank to disable user uploads (avatars, board logos, exports).
+S3_ENDPOINT_URL=
+S3_PUBLIC_ENDPOINT_URL=
+S3_REGION=us-east-1
+S3_ACCESS_KEY=
+S3_SECRET_KEY=
+S3_BUCKET=loomy-assets
+S3_FORCE_PATH_STYLE=true
+S3_PRESIGNED_URL_EXPIRE_SECONDS=3600
+
+# --- Frontend build --------------------------------------------------
+# Baked into the bundle at build time. Must be the public URL of the API.
+VITE_API_URL=https://api.example.com
+
+# --- Observability (optional) ----------------------------------------
+LOG_LEVEL=INFO
+SENTRY_DSN=
diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml
new file mode 100644
index 0000000..e38ecc9
--- /dev/null
+++ b/docker-compose.prod.yml
@@ -0,0 +1,110 @@
+# Production-oriented compose file.
+#
+# Assumes a real database and Redis are either managed externally or
+# use the bundled containers below with strong credentials injected
+# via `.env.prod`. Copy `.env.prod.example` to `.env.prod` and fill
+# in values, then:
+#
+#     docker compose --env-file .env.prod -f docker-compose.prod.yml up -d --build
+#
+# Unlike docker-compose.yml (dev-only), nothing here exposes a default
+# password or an unauthenticated port.
+
+services:
+  postgres:
+    image: postgres:17-alpine
+    restart: unless-stopped
+    environment:
+      POSTGRES_USER: ${POSTGRES_USER:?set POSTGRES_USER in .env.prod}
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:?set POSTGRES_PASSWORD in .env.prod}
+      POSTGRES_DB: ${POSTGRES_DB:-loomy}
+    volumes:
+      - postgres_data:/var/lib/postgresql/data
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U $$POSTGRES_USER -d $$POSTGRES_DB"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+    # No ports published; API connects over the internal network.
+
+  redis:
+    image: redis:7-alpine
+    restart: unless-stopped
+    command:
+      - redis-server
+      - --requirepass
+      - ${REDIS_PASSWORD:?set REDIS_PASSWORD in .env.prod}
+    volumes:
+      - redis_data:/data
+    healthcheck:
+      test: ["CMD-SHELL", "redis-cli -a $$REDIS_PASSWORD ping | grep PONG"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+
+  api:
+    build:
+      context: ./api/app
+      dockerfile: Dockerfile
+    restart: unless-stopped
+    environment:
+      ENVIRONMENT: production
+      SECRET_KEY: ${SECRET_KEY:?set SECRET_KEY in .env.prod}
+      DATABASE_URL: postgresql://${POSTGRES_USER}:${POSTGRES_PASSWORD}@postgres:5432/${POSTGRES_DB:-loomy}
+      REDIS_URL: redis://:${REDIS_PASSWORD}@redis:6379/0
+      FRONTEND_URL: ${FRONTEND_URL:?set FRONTEND_URL in .env.prod}
+      ACCESS_TOKEN_EXPIRE_MINUTES: ${ACCESS_TOKEN_EXPIRE_MINUTES:-60}
+      REFRESH_TOKEN_EXPIRE_DAYS: ${REFRESH_TOKEN_EXPIRE_DAYS:-30}
+      # Optional OAuth
+      GITHUB_CLIENT_ID: ${GITHUB_CLIENT_ID:-}
+      GITHUB_CLIENT_SECRET: ${GITHUB_CLIENT_SECRET:-}
+      GITHUB_REDIRECT_URI: ${GITHUB_REDIRECT_URI:-}
+      GOOGLE_CLIENT_ID: ${GOOGLE_CLIENT_ID:-}
+      GOOGLE_CLIENT_SECRET: ${GOOGLE_CLIENT_SECRET:-}
+      GOOGLE_REDIRECT_URI: ${GOOGLE_REDIRECT_URI:-}
+      # Optional email
+      EMAIL_BACKEND: ${EMAIL_BACKEND:-console}
+      SMTP_HOST: ${SMTP_HOST:-}
+      SMTP_PORT: ${SMTP_PORT:-587}
+      SMTP_USER: ${SMTP_USER:-}
+      SMTP_PASSWORD: ${SMTP_PASSWORD:-}
+      SMTP_USE_TLS: ${SMTP_USE_TLS:-true}
+      EMAIL_FROM_ADDRESS: ${EMAIL_FROM_ADDRESS:-no-reply@loomy.app}
+      EMAIL_FROM_NAME: ${EMAIL_FROM_NAME:-Loomy}
+      # Object storage (MinIO or any S3-compatible endpoint)
+      S3_ENDPOINT_URL: ${S3_ENDPOINT_URL:-}
+      S3_PUBLIC_ENDPOINT_URL: ${S3_PUBLIC_ENDPOINT_URL:-}
+      S3_REGION: ${S3_REGION:-us-east-1}
+      S3_ACCESS_KEY: ${S3_ACCESS_KEY:-}
+      S3_SECRET_KEY: ${S3_SECRET_KEY:-}
+      S3_BUCKET: ${S3_BUCKET:-loomy-assets}
+      S3_FORCE_PATH_STYLE: ${S3_FORCE_PATH_STYLE:-true}
+      S3_PRESIGNED_URL_EXPIRE_SECONDS: ${S3_PRESIGNED_URL_EXPIRE_SECONDS:-3600}
+      # Optional observability
+      LOG_LEVEL: ${LOG_LEVEL:-INFO}
+      SENTRY_DSN: ${SENTRY_DSN:-}
+    depends_on:
+      postgres:
+        condition: service_healthy
+      redis:
+        condition: service_healthy
+    ports:
+      - "${API_PORT:-8000}:8000"
+
+  ui:
+    build:
+      context: ./apps/frontend
+      dockerfile: Dockerfile
+      args:
+        # Vite inlines this into the JS bundle at build time; set the
+        # public-facing API URL here, not at runtime.
+        VITE_API_URL: ${VITE_API_URL:?set VITE_API_URL in .env.prod}
+    restart: unless-stopped
+    depends_on:
+      - api
+    ports:
+      - "${UI_PORT:-80}:80"
+
+volumes:
+  postgres_data:
+  redis_data:

From 375b004d6bec4c455f6dc2b487e2c52a17c32a17 Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:30:39 +0400
Subject: [PATCH 07/82] build(api): harden Dockerfile with multi-stage and
 non-root runtime

---
 api/app/Dockerfile | 38 +++++++++++++++++++++++++++++++++++---
 1 file changed, 35 insertions(+), 3 deletions(-)

diff --git a/api/app/Dockerfile b/api/app/Dockerfile
index d9fec3a..9dd996c 100644
--- a/api/app/Dockerfile
+++ b/api/app/Dockerfile
@@ -1,18 +1,50 @@
-FROM python:3.12-slim
+# syntax=docker/dockerfile:1.7
+
+# --- Stage 1: dependencies + build -----------------------------------
+FROM python:3.12-slim AS builder
+
+ENV PYTHONDONTWRITEBYTECODE=1 \
+    PYTHONUNBUFFERED=1 \
+    UV_LINK_MODE=copy
 
 WORKDIR /app
 
 COPY --from=ghcr.io/astral-sh/uv:latest /uv /usr/local/bin/uv
 
+# Install system build deps only for the build stage; they're not
+# copied into the runtime image.
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends build-essential \
+ && rm -rf /var/lib/apt/lists/*
+
 COPY pyproject.toml uv.lock ./
 RUN uv sync --frozen --no-dev --no-install-project
 
 COPY . .
-
 RUN uv sync --frozen --no-dev
 
-ENV PATH="/app/.venv/bin:$PATH"
+# --- Stage 2: lean runtime -------------------------------------------
+FROM python:3.12-slim AS runtime
+
+ENV PYTHONDONTWRITEBYTECODE=1 \
+    PYTHONUNBUFFERED=1 \
+    PATH="/app/.venv/bin:$PATH"
+
+# Non-root user so a broken process can't rewrite the image at runtime.
+RUN groupadd --system --gid 1001 loomy \
+ && useradd --system --uid 1001 --gid loomy --home /app loomy
+
+WORKDIR /app
+
+# Only copy what runtime needs — source + prebuilt venv.
+COPY --from=builder --chown=loomy:loomy /app /app
+
+USER loomy
 
 EXPOSE 8000
 
+HEALTHCHECK --interval=30s --timeout=5s --start-period=20s --retries=3 \
+  CMD python -c "import urllib.request,sys;sys.exit(0 if urllib.request.urlopen('http://127.0.0.1:8000/health',timeout=3).status==200 else 1)" \
+      || exit 1
+
 CMD ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8000"]

From 1087e5e6a6639d972b97b83471554618ada55323 Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:30:40 +0400
Subject: [PATCH 08/82] feat(ui): add production Dockerfile and nginx SPA
 config

---
 apps/frontend/.dockerignore |  9 +++++++++
 apps/frontend/Dockerfile    | 35 +++++++++++++++++++++++++++++++++++
 apps/frontend/nginx.conf    | 35 +++++++++++++++++++++++++++++++++++
 3 files changed, 79 insertions(+)
 create mode 100644 apps/frontend/.dockerignore
 create mode 100644 apps/frontend/Dockerfile
 create mode 100644 apps/frontend/nginx.conf

diff --git a/apps/frontend/.dockerignore b/apps/frontend/.dockerignore
new file mode 100644
index 0000000..1182121
--- /dev/null
+++ b/apps/frontend/.dockerignore
@@ -0,0 +1,9 @@
+node_modules
+dist
+.env
+.env.*
+!.env.example
+*.log
+npm-debug.log*
+.DS_Store
+Thumbs.db
diff --git a/apps/frontend/Dockerfile b/apps/frontend/Dockerfile
new file mode 100644
index 0000000..7f3ed6c
--- /dev/null
+++ b/apps/frontend/Dockerfile
@@ -0,0 +1,35 @@
+# syntax=docker/dockerfile:1.7
+
+# --- Stage 1: install + build ----------------------------------------
+FROM node:22-alpine AS builder
+
+WORKDIR /app
+
+# VITE_API_URL is baked into the bundle at build time. Pass it via
+# --build-arg VITE_API_URL=https://api.example.com so the UI points at
+# the right backend in production.
+ARG VITE_API_URL=http://localhost:8000
+ENV VITE_API_URL=$VITE_API_URL
+
+COPY package.json package-lock.json* ./
+RUN npm ci --no-audit --no-fund
+
+COPY . .
+RUN npm run build
+
+# --- Stage 2: nginx serving the static bundle ------------------------
+FROM nginx:1.27-alpine AS runtime
+
+# Replace the default config with an SPA-aware one (see nginx.conf).
+COPY nginx.conf /etc/nginx/conf.d/default.conf
+
+COPY --from=builder /app/dist /usr/share/nginx/html
+
+# Drop capabilities the container does not need. nginx itself already
+# runs worker processes as the `nginx` user.
+RUN chown -R nginx:nginx /usr/share/nginx/html
+
+EXPOSE 80
+
+HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
+  CMD wget --spider --quiet http://127.0.0.1:80/ || exit 1
diff --git a/apps/frontend/nginx.conf b/apps/frontend/nginx.conf
new file mode 100644
index 0000000..cc09b6a
--- /dev/null
+++ b/apps/frontend/nginx.conf
@@ -0,0 +1,35 @@
+server {
+    listen 80;
+    server_name _;
+
+    root /usr/share/nginx/html;
+    index index.html;
+
+    # Static assets: long cache, immutable. Vite hashes filenames so
+    # a new build always produces new paths.
+    location /assets/ {
+        expires 30d;
+        add_header Cache-Control "public, immutable";
+        try_files $uri =404;
+    }
+
+    # SPA fallback: any unknown path serves index.html so React Router
+    # can take over client-side.
+    location / {
+        try_files $uri $uri/ /index.html;
+    }
+
+    # Sensible defaults for a static SPA.
+    sendfile on;
+    tcp_nopush on;
+    gzip on;
+    gzip_types text/plain text/css application/json application/javascript
+               application/wasm image/svg+xml;
+    gzip_min_length 1024;
+
+    # Basic hardening.
+    server_tokens off;
+    add_header X-Content-Type-Options "nosniff" always;
+    add_header X-Frame-Options "DENY" always;
+    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+}

From 0c31399041b789d299f22aa58178dcd158951825 Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:30:40 +0400
Subject: [PATCH 09/82] build(api): add boto3, python-multipart, boto3-stubs

---
 api/app/pyproject.toml |   3 +
 api/app/uv.lock        | 142 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 145 insertions(+)

diff --git a/api/app/pyproject.toml b/api/app/pyproject.toml
index 50a171b..2277388 100644
--- a/api/app/pyproject.toml
+++ b/api/app/pyproject.toml
@@ -17,6 +17,8 @@ dependencies = [
     "email-validator",
     "httpx",
     "redis",
+    "boto3",
+    "python-multipart",
 ]
 
 [project.optional-dependencies]
@@ -25,6 +27,7 @@ dev = [
     "mypy",
     "ruff",
     "types-python-jose",
+    "boto3-stubs[s3]",
 ]
 
 [tool.mypy]
diff --git a/api/app/uv.lock b/api/app/uv.lock
index 09a9ca4..8c58a99 100644
--- a/api/app/uv.lock
+++ b/api/app/uv.lock
@@ -113,6 +113,64 @@ wheels = [
     { url = "https://files.pythonhosted.org/packages/27/44/d2ef5e87509158ad2187f4dd0852df80695bb1ee0cfe0a684727b01a69e0/bcrypt-5.0.0-cp39-abi3-win_arm64.whl", hash = "sha256:f2347d3534e76bf50bca5500989d6c1d05ed64b440408057a37673282c654927", size = 144953, upload-time = "2025-09-25T19:50:37.32Z" },
 ]
 
+[[package]]
+name = "boto3"
+version = "1.42.91"
+source = { registry = "https://pypi.org/simple" }
+dependencies = [
+    { name = "botocore" },
+    { name = "jmespath" },
+    { name = "s3transfer" },
+]
+sdist = { url = "https://files.pythonhosted.org/packages/a7/c0/98b8cec7ca22dde776df48c58940ae1abc425593959b7226e270760d726f/boto3-1.42.91.tar.gz", hash = "sha256:03d70532b17f7f84df37ca7e8c21553280454dea53ae12b15d1cfef9b16fcb8a", size = 113181, upload-time = "2026-04-17T19:31:06.251Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/02/29/faba6521257c34085cc9b439ef98235b581772580f417fa3629728007270/boto3-1.42.91-py3-none-any.whl", hash = "sha256:04e72071cde022951ce7f81bd9933c90095ab8923e8ced61c8dacfe9edac0f5c", size = 140553, upload-time = "2026-04-17T19:31:02.57Z" },
+]
+
+[[package]]
+name = "boto3-stubs"
+version = "1.42.91"
+source = { registry = "https://pypi.org/simple" }
+dependencies = [
+    { name = "botocore-stubs" },
+    { name = "types-s3transfer" },
+]
+sdist = { url = "https://files.pythonhosted.org/packages/15/d9/0dc5de7a07b1e3cd8a7da6db1a498c7b8e01f293c915fd301d74aefd736d/boto3_stubs-1.42.91.tar.gz", hash = "sha256:277e36e1ec530ab6a31647523dfef40e07d0b065431be6e54363a243f78bfabb", size = 102709, upload-time = "2026-04-17T19:33:15.948Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/e8/90/a8203dae318de4c83e200d736962e488fde597dde36fb0e72b381c153ce1/boto3_stubs-1.42.91-py3-none-any.whl", hash = "sha256:8dd3ea8c464d504e90125032901d852e77ef8a6f48b6decaa11dff16ad47e685", size = 70666, upload-time = "2026-04-17T19:33:11.315Z" },
+]
+
+[package.optional-dependencies]
+s3 = [
+    { name = "mypy-boto3-s3" },
+]
+
+[[package]]
+name = "botocore"
+version = "1.42.91"
+source = { registry = "https://pypi.org/simple" }
+dependencies = [
+    { name = "jmespath" },
+    { name = "python-dateutil" },
+    { name = "urllib3" },
+]
+sdist = { url = "https://files.pythonhosted.org/packages/21/bc/a4b7c46471c2e789ad8c4c7acfd7f302fdb481d93ff870f441249b924ae6/botocore-1.42.91.tar.gz", hash = "sha256:d252e27bc454afdbf5ed3dc617aa423f2c855c081e98b7963093399483ecc698", size = 15213010, upload-time = "2026-04-17T19:30:50.793Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/b1/fc/24cc0a47c824f13933e210e9ad034b4fba22f7185b8d904c0fbf5a3b2be8/botocore-1.42.91-py3-none-any.whl", hash = "sha256:7a28c3cc6bfab5724ad18899d52402b776a0de7d87fa20c3c5270bcaaf199ce8", size = 14897344, upload-time = "2026-04-17T19:30:44.245Z" },
+]
+
+[[package]]
+name = "botocore-stubs"
+version = "1.42.41"
+source = { registry = "https://pypi.org/simple" }
+dependencies = [
+    { name = "types-awscrt" },
+]
+sdist = { url = "https://files.pythonhosted.org/packages/0c/a8/a26608ff39e3a5866c6c79eda10133490205cbddd45074190becece3ff2a/botocore_stubs-1.42.41.tar.gz", hash = "sha256:dbeac2f744df6b814ce83ec3f3777b299a015cbea57a2efc41c33b8c38265825", size = 42411, upload-time = "2026-02-03T20:46:14.479Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/32/76/cab7af7f16c0b09347f2ebe7ffda7101132f786acb767666dce43055faab/botocore_stubs-1.42.41-py3-none-any.whl", hash = "sha256:9423110fb0e391834bd2ed44ae5f879d8cb370a444703d966d30842ce2bcb5f0", size = 66759, upload-time = "2026-02-03T20:46:13.02Z" },
+]
+
 [[package]]
 name = "certifi"
 version = "2026.2.25"
@@ -426,6 +484,15 @@ wheels = [
     { url = "https://files.pythonhosted.org/packages/cb/b1/3846dd7f199d53cb17f49cba7e651e9ce294d8497c8c150530ed11865bb8/iniconfig-2.3.0-py3-none-any.whl", hash = "sha256:f631c04d2c48c52b84d0d0549c99ff3859c98df65b3101406327ecc7d53fbf12", size = 7484, upload-time = "2025-10-18T21:55:41.639Z" },
 ]
 
+[[package]]
+name = "jmespath"
+version = "1.1.0"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/d3/59/322338183ecda247fb5d1763a6cbe46eff7222eaeebafd9fa65d4bf5cb11/jmespath-1.1.0.tar.gz", hash = "sha256:472c87d80f36026ae83c6ddd0f1d05d4e510134ed462851fd5f754c8c3cbb88d", size = 27377, upload-time = "2026-01-22T16:35:26.279Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/14/2f/967ba146e6d58cf6a652da73885f52fc68001525b4197effc174321d70b4/jmespath-1.1.0-py3-none-any.whl", hash = "sha256:a5663118de4908c91729bea0acadca56526eb2698e83de10cd116ae0f4e97c64", size = 20419, upload-time = "2026-01-22T16:35:24.919Z" },
+]
+
 [[package]]
 name = "librt"
 version = "0.8.1"
@@ -493,6 +560,7 @@ source = { virtual = "." }
 dependencies = [
     { name = "alembic" },
     { name = "bcrypt" },
+    { name = "boto3" },
     { name = "email-validator" },
     { name = "fastapi" },
     { name = "httpx" },
@@ -500,6 +568,7 @@ dependencies = [
     { name = "pydantic-settings" },
     { name = "python-dotenv" },
     { name = "python-jose", extra = ["cryptography"] },
+    { name = "python-multipart" },
     { name = "redis" },
     { name = "sqlalchemy" },
     { name = "uvicorn", extra = ["standard"] },
@@ -507,6 +576,7 @@ dependencies = [
 
 [package.optional-dependencies]
 dev = [
+    { name = "boto3-stubs", extra = ["s3"] },
     { name = "mypy" },
     { name = "pytest" },
     { name = "ruff" },
@@ -517,6 +587,8 @@ dev = [
 requires-dist = [
     { name = "alembic" },
     { name = "bcrypt" },
+    { name = "boto3" },
+    { name = "boto3-stubs", extras = ["s3"], marker = "extra == 'dev'" },
     { name = "email-validator" },
     { name = "fastapi" },
     { name = "httpx" },
@@ -526,6 +598,7 @@ requires-dist = [
     { name = "pytest", marker = "extra == 'dev'" },
     { name = "python-dotenv" },
     { name = "python-jose", extras = ["cryptography"] },
+    { name = "python-multipart" },
     { name = "redis" },
     { name = "ruff", marker = "extra == 'dev'" },
     { name = "sqlalchemy" },
@@ -642,6 +715,15 @@ wheels = [
     { url = "https://files.pythonhosted.org/packages/8d/f4/4ce9a05ce5ded1de3ec1c1d96cf9f9504a04e54ce0ed55cfa38619a32b8d/mypy-1.19.1-py3-none-any.whl", hash = "sha256:f1235f5ea01b7db5468d53ece6aaddf1ad0b88d9e7462b86ef96fe04995d7247", size = 2471239, upload-time = "2025-12-15T05:03:07.248Z" },
 ]
 
+[[package]]
+name = "mypy-boto3-s3"
+version = "1.42.85"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/3e/5e/026461fef8e163ec261df1668ee88611124170bb4da3d1b144c970e7c9b4/mypy_boto3_s3-1.42.85.tar.gz", hash = "sha256:401e3a184ac0973bc08b556cc3b2655d8f2e56570b6ed87ce635210df4f666fb", size = 76543, upload-time = "2026-04-07T19:51:20.608Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/c0/58/fb6373ca66898620ecb7b9ab92563f3f7277627994bc4ceba75c721de4a1/mypy_boto3_s3-1.42.85-py3-none-any.whl", hash = "sha256:b2cad995ea733b16ae3be5510fd6a0038aa44400c22d010d4def9286cf6eaf82", size = 83751, upload-time = "2026-04-07T19:51:17.727Z" },
+]
+
 [[package]]
 name = "mypy-extensions"
 version = "1.1.0"
@@ -862,6 +944,18 @@ wheels = [
     { url = "https://files.pythonhosted.org/packages/3b/ab/b3226f0bd7cdcf710fbede2b3548584366da3b19b5021e74f5bde2a8fa3f/pytest-9.0.2-py3-none-any.whl", hash = "sha256:711ffd45bf766d5264d487b917733b453d917afd2b0ad65223959f59089f875b", size = 374801, upload-time = "2025-12-06T21:30:49.154Z" },
 ]
 
+[[package]]
+name = "python-dateutil"
+version = "2.9.0.post0"
+source = { registry = "https://pypi.org/simple" }
+dependencies = [
+    { name = "six" },
+]
+sdist = { url = "https://files.pythonhosted.org/packages/66/c0/0c8b6ad9f17a802ee498c46e004a0eb49bc148f2fd230864601a86dcf6db/python-dateutil-2.9.0.post0.tar.gz", hash = "sha256:37dd54208da7e1cd875388217d5e00ebd4179249f90fb72437e91a35459a0ad3", size = 342432, upload-time = "2024-03-01T18:36:20.211Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/ec/57/56b9bcc3c9c6a792fcbaf139543cee77261f3651ca9da0c93f5c1221264b/python_dateutil-2.9.0.post0-py2.py3-none-any.whl", hash = "sha256:a8b2bc7bffae282281c8140a97d3aa9c14da0b136dfe83f850eea9a5f7470427", size = 229892, upload-time = "2024-03-01T18:36:18.57Z" },
+]
+
 [[package]]
 name = "python-dotenv"
 version = "1.2.2"
@@ -890,6 +984,15 @@ cryptography = [
     { name = "cryptography" },
 ]
 
+[[package]]
+name = "python-multipart"
+version = "0.0.26"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/88/71/b145a380824a960ebd60e1014256dbb7d2253f2316ff2d73dfd8928ec2c3/python_multipart-0.0.26.tar.gz", hash = "sha256:08fadc45918cd615e26846437f50c5d6d23304da32c341f289a617127b081f17", size = 43501, upload-time = "2026-04-10T14:09:59.473Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/9a/22/f1925cdda983ab66fc8ec6ec8014b959262747e58bdca26a4e3d1da29d56/python_multipart-0.0.26-py3-none-any.whl", hash = "sha256:c0b169f8c4484c13b0dcf2ef0ec3a4adb255c4b7d18d8e420477d2b1dd03f185", size = 28847, upload-time = "2026-04-10T14:09:58.131Z" },
+]
+
 [[package]]
 name = "pyyaml"
 version = "6.0.3"
@@ -982,6 +1085,18 @@ wheels = [
     { url = "https://files.pythonhosted.org/packages/fe/4e/cd76eca6db6115604b7626668e891c9dd03330384082e33662fb0f113614/ruff-0.15.5-py3-none-win_arm64.whl", hash = "sha256:b498d1c60d2fe5c10c45ec3f698901065772730b411f164ae270bb6bfcc4740b", size = 10965572, upload-time = "2026-03-05T20:06:16.984Z" },
 ]
 
+[[package]]
+name = "s3transfer"
+version = "0.16.0"
+source = { registry = "https://pypi.org/simple" }
+dependencies = [
+    { name = "botocore" },
+]
+sdist = { url = "https://files.pythonhosted.org/packages/05/04/74127fc843314818edfa81b5540e26dd537353b123a4edc563109d8f17dd/s3transfer-0.16.0.tar.gz", hash = "sha256:8e990f13268025792229cd52fa10cb7163744bf56e719e0b9cb925ab79abf920", size = 153827, upload-time = "2025-12-01T02:30:59.114Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/fc/51/727abb13f44c1fcf6d145979e1535a35794db0f6e450a0cb46aa24732fe2/s3transfer-0.16.0-py3-none-any.whl", hash = "sha256:18e25d66fed509e3868dc1572b3f427ff947dd2c56f844a5bf09481ad3f3b2fe", size = 86830, upload-time = "2025-12-01T02:30:57.729Z" },
+]
+
 [[package]]
 name = "six"
 version = "1.17.0"
@@ -1050,6 +1165,15 @@ wheels = [
     { url = "https://files.pythonhosted.org/packages/81/0d/13d1d239a25cbfb19e740db83143e95c772a1fe10202dda4b76792b114dd/starlette-0.52.1-py3-none-any.whl", hash = "sha256:0029d43eb3d273bc4f83a08720b4912ea4b071087a3b48db01b7c839f7954d74", size = 74272, upload-time = "2026-01-18T13:34:09.188Z" },
 ]
 
+[[package]]
+name = "types-awscrt"
+version = "0.31.3"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/76/26/0aa563e229c269c528a3b8c709fc671ac2a5c564732fab0852ac6ee006cf/types_awscrt-0.31.3.tar.gz", hash = "sha256:09d3eaf00231e0f47e101bd9867e430873bc57040050e2a3bd8305cb4fc30865", size = 18178, upload-time = "2026-03-08T02:31:14.569Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/3e/e5/47a573bbbd0a790f8f9fe452f7188ea72b212d21c9be57d5fc0cbc442075/types_awscrt-0.31.3-py3-none-any.whl", hash = "sha256:e5ce65a00a2ab4f35eacc1e3d700d792338d56e4823ee7b4dbe017f94cfc4458", size = 43340, upload-time = "2026-03-08T02:31:13.38Z" },
+]
+
 [[package]]
 name = "types-pyasn1"
 version = "0.6.0.20250914"
@@ -1071,6 +1195,15 @@ wheels = [
     { url = "https://files.pythonhosted.org/packages/67/33/9d8c351a44e68896a53003e00fb01e1158b9e5b68cf3b75c1e4b51eb5263/types_python_jose-3.5.0.20250531-py3-none-any.whl", hash = "sha256:1609ee4d40a8a2ef5f62fcda99ec977b2ae773dfee9355cfb7e5002afa063c55", size = 14725, upload-time = "2025-05-31T03:04:27.802Z" },
 ]
 
+[[package]]
+name = "types-s3transfer"
+version = "0.16.0"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/fe/64/42689150509eb3e6e82b33ee3d89045de1592488842ddf23c56957786d05/types_s3transfer-0.16.0.tar.gz", hash = "sha256:b4636472024c5e2b62278c5b759661efeb52a81851cde5f092f24100b1ecb443", size = 13557, upload-time = "2025-12-08T08:13:09.928Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/98/27/e88220fe6274eccd3bdf95d9382918716d312f6f6cef6a46332d1ee2feff/types_s3transfer-0.16.0-py3-none-any.whl", hash = "sha256:1c0cd111ecf6e21437cb410f5cddb631bfb2263b77ad973e79b9c6d0cb24e0ef", size = 19247, upload-time = "2025-12-08T08:13:08.426Z" },
+]
+
 [[package]]
 name = "typing-extensions"
 version = "4.15.0"
@@ -1092,6 +1225,15 @@ wheels = [
     { url = "https://files.pythonhosted.org/packages/dc/9b/47798a6c91d8bdb567fe2698fe81e0c6b7cb7ef4d13da4114b41d239f65d/typing_inspection-0.4.2-py3-none-any.whl", hash = "sha256:4ed1cacbdc298c220f1bd249ed5287caa16f34d44ef4e9c3d0cbad5b521545e7", size = 14611, upload-time = "2025-10-01T02:14:40.154Z" },
 ]
 
+[[package]]
+name = "urllib3"
+version = "2.6.3"
+source = { registry = "https://pypi.org/simple" }
+sdist = { url = "https://files.pythonhosted.org/packages/c7/24/5f1b3bdffd70275f6661c76461e25f024d5a38a46f04aaca912426a2b1d3/urllib3-2.6.3.tar.gz", hash = "sha256:1b62b6884944a57dbe321509ab94fd4d3b307075e0c2eae991ac71ee15ad38ed", size = 435556, upload-time = "2026-01-07T16:24:43.925Z" }
+wheels = [
+    { url = "https://files.pythonhosted.org/packages/39/08/aaaad47bc4e9dc8c725e68f9d04865dbcb2052843ff09c97b08904852d84/urllib3-2.6.3-py3-none-any.whl", hash = "sha256:bf272323e553dfb2e87d9bfd225ca7b0f467b919d7bbd355436d3fd37cb0acd4", size = 131584, upload-time = "2026-01-07T16:24:42.685Z" },
+]
+
 [[package]]
 name = "uvicorn"
 version = "0.41.0"

From 3eec06be3ac5c52911e666a954f5d241ecf27a1e Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:30:41 +0400
Subject: [PATCH 10/82] docs(api): expand .env.example with auth and S3
 settings

---
 api/app/.env.example | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/api/app/.env.example b/api/app/.env.example
index c7ec356..674866f 100644
--- a/api/app/.env.example
+++ b/api/app/.env.example
@@ -20,3 +20,18 @@ REDIS_URL=redis://localhost:6379/0
 
 # Frontend URL
 FRONTEND_URL=http://localhost:5173
+
+# Object storage (MinIO in dev). Leave blank to disable uploads entirely.
+# One bucket holds every app asset; keys are prefixed per kind:
+#   avatars/{user_id}/...            (user profile photos)
+#   boards/{board_id}/logo/...       (board logos, planned)
+#   boards/{board_id}/exports/...    (rendered exports, planned)
+#   templates/{slug}/thumbnail.png   (template previews, planned)
+S3_ENDPOINT_URL=http://localhost:9000
+S3_PUBLIC_ENDPOINT_URL=http://localhost:9000
+S3_REGION=us-east-1
+S3_ACCESS_KEY=minioadmin
+S3_SECRET_KEY=minioadmin
+S3_BUCKET=loomy-assets
+S3_FORCE_PATH_STYLE=true
+S3_PRESIGNED_URL_EXPIRE_SECONDS=3600

From fe65ad14138c0bdbf708a2d4364d081bcbf77030 Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:30:42 +0400
Subject: [PATCH 11/82] feat(config): enforce production invariants and add S3
 settings

---
 api/app/app/config.py | 70 ++++++++++++++++++++++++++++++++++++++-----
 1 file changed, 63 insertions(+), 7 deletions(-)

diff --git a/api/app/app/config.py b/api/app/app/config.py
index 6be56c0..dd046e6 100644
--- a/api/app/app/config.py
+++ b/api/app/app/config.py
@@ -1,5 +1,15 @@
+import logging
+from typing import Literal
+
+from pydantic import model_validator
 from pydantic_settings import BaseSettings, SettingsConfigDict
 
+logger = logging.getLogger(__name__)
+
+DEFAULT_SECRET_KEY = "change-me-in-production"  # noqa: S105
+
+Environment = Literal["development", "production", "test"]
+
 
 class Settings(BaseSettings):
     model_config = SettingsConfigDict(
@@ -8,29 +18,75 @@ class Settings(BaseSettings):
         case_sensitive=False,
     )
 
-    # Database
+    environment: Environment = "development"
+
     database_url: str = "postgresql://postgres:postgres@localhost:5432/loomy"
 
-    # JWT
-    secret_key: str = "change-me-in-production"
+    secret_key: str = DEFAULT_SECRET_KEY
     algorithm: str = "HS256"
     access_token_expire_minutes: int = 60
+    refresh_token_expire_days: int = 30
 
-    # Redis
     redis_url: str = "redis://localhost:6379/0"
 
-    # OAuth - GitHub
     github_client_id: str = ""
     github_client_secret: str = ""
     github_redirect_uri: str = "http://localhost:8000/api/auth/github/callback"
 
-    # OAuth - Google
     google_client_id: str = ""
     google_client_secret: str = ""
     google_redirect_uri: str = "http://localhost:8000/api/auth/google/callback"
 
-    # Frontend (for OAuth redirect after login; Vite default is 5173)
     frontend_url: str = "http://localhost:5173"
 
+    email_backend: Literal["console", "smtp"] = "console"
+    smtp_host: str = ""
+    smtp_port: int = 587
+    smtp_user: str = ""
+    smtp_password: str = ""
+    smtp_use_tls: bool = True
+    email_from_address: str = "no-reply@loomy.app"
+    email_from_name: str = "Loomy"
+
+    password_reset_expire_minutes: int = 60
+
+    # S3 / MinIO object storage. Used for user avatars, board logos,
+    # template thumbnails, exports, and any other user-uploaded file.
+    # Leave s3_endpoint_url empty to disable uploads entirely.
+    #
+    # All app assets live in a single bucket with per-kind prefixes
+    # (e.g. `avatars/{user_id}/...`, `boards/{board_id}/logo/...`).
+    s3_endpoint_url: str = ""
+    s3_region: str = "us-east-1"
+    s3_access_key: str = ""
+    s3_secret_key: str = ""
+    s3_bucket: str = "loomy-assets"
+    s3_presigned_url_expire_seconds: int = 3600
+    s3_force_path_style: bool = True
+    s3_public_endpoint_url: str = ""
+
+    @model_validator(mode="after")
+    def _enforce_production_invariants(self) -> "Settings":
+        if self.environment == "production":
+            problems: list[str] = []
+            if self.secret_key == DEFAULT_SECRET_KEY or len(self.secret_key) < 32:
+                problems.append(
+                    "SECRET_KEY must be a strong random value (>=32 chars)"
+                )
+            if "postgres:postgres@" in self.database_url:
+                problems.append(
+                    "DATABASE_URL uses default postgres/postgres credentials"
+                )
+            if self.frontend_url.startswith("http://localhost"):
+                problems.append("FRONTEND_URL must not point at localhost")
+            if problems:
+                raise ValueError(
+                    "Invalid production configuration:\n  - "
+                    + "\n  - ".join(problems)
+                )
+        elif self.secret_key == DEFAULT_SECRET_KEY:
+            logger.warning("Using default SECRET_KEY (dev only)")
+        return self
+
 
 settings = Settings()

From 5676ca9fbf977ffb192c420cbf91eaf3dda99527 Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:30:43 +0400
Subject: [PATCH 12/82] feat(db): add UUID, CreatedAt, and Timestamped model
 mixins

---
 api/app/app/db/base.py | 30 +++++++++++++++++++++++++++---
 1 file changed, 27 insertions(+), 3 deletions(-)

diff --git a/api/app/app/db/base.py b/api/app/app/db/base.py
index c068162..b5f9642 100644
--- a/api/app/app/db/base.py
+++ b/api/app/app/db/base.py
@@ -1,7 +1,31 @@
-from sqlalchemy.orm import DeclarativeBase
+import uuid
+from datetime import datetime
 
+from sqlalchemy import DateTime, func
+from sqlalchemy.dialects.postgresql import UUID
+from sqlalchemy.orm import DeclarativeBase, Mapped, mapped_column
 
-class Base(DeclarativeBase):
-    """SQLAlchemy declarative base for all models."""
 
+class Base(DeclarativeBase):
     pass
+
+
+class UUIDMixin:
+    id: Mapped[uuid.UUID] = mapped_column(
+        UUID(as_uuid=True), primary_key=True, default=uuid.uuid4
+    )
+
+
+class CreatedAtMixin:
+    created_at: Mapped[datetime] = mapped_column(
+        DateTime(timezone=True), nullable=False, server_default=func.now()
+    )
+
+
+class TimestampedMixin(CreatedAtMixin):
+    updated_at: Mapped[datetime] = mapped_column(
+        DateTime(timezone=True),
+        nullable=False,
+        server_default=func.now(),
+        onupdate=func.now(),
+    )

From 6c360e796b675c908d263c6830dfcf2d0abf553a Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:30:43 +0400
Subject: [PATCH 13/82] feat(core): structured JSON logging with request
 context and Sentry hook

---
 api/app/app/core/logging.py | 118 ++++++++++++++++++++++++++++++++++++
 1 file changed, 118 insertions(+)

diff --git a/api/app/app/core/logging.py b/api/app/app/core/logging.py
index e69de29..5a4fe9d 100644
--- a/api/app/app/core/logging.py
+++ b/api/app/app/core/logging.py
@@ -0,0 +1,118 @@
+import json
+import logging
+import os
+import sys
+import time
+from contextvars import ContextVar
+from typing import Any
+
+from app.config import settings
+
+request_id_ctx: ContextVar[str | None] = ContextVar("request_id", default=None)
+
+
+class _RequestIdFilter(logging.Filter):
+    def filter(self, record: logging.LogRecord) -> bool:
+        record.request_id = request_id_ctx.get()
+        return True
+
+
+class _JsonFormatter(logging.Formatter):
+    _RESERVED = frozenset(
+        {
+            "args",
+            "asctime",
+            "created",
+            "exc_info",
+            "exc_text",
+            "filename",
+            "funcName",
+            "levelname",
+            "levelno",
+            "lineno",
+            "message",
+            "module",
+            "msecs",
+            "msg",
+            "name",
+            "pathname",
+            "process",
+            "processName",
+            "relativeCreated",
+            "request_id",
+            "stack_info",
+            "taskName",
+            "thread",
+            "threadName",
+        }
+    )
+
+    def format(self, record: logging.LogRecord) -> str:
+        payload: dict[str, Any] = {
+            "ts": time.strftime(
+                "%Y-%m-%dT%H:%M:%SZ", time.gmtime(record.created)
+            ),
+            "level": record.levelname,
+            "logger": record.name,
+            "message": record.getMessage(),
+        }
+        request_id = getattr(record, "request_id", None)
+        if request_id:
+            payload["request_id"] = request_id
+        if record.exc_info:
+            payload["exc_info"] = self.formatException(record.exc_info)
+
+        extras = {
+            k: v for k, v in record.__dict__.items() if k not in self._RESERVED
+        }
+        if extras:
+            payload["context"] = extras
+
+        return json.dumps(payload, default=str)
+
+
+def configure_logging() -> None:
+    root = logging.getLogger()
+    if getattr(root, "_loomy_configured", False):
+        return
+
+    level_name = os.environ.get("LOG_LEVEL", "INFO").upper()
+    level = getattr(logging, level_name, logging.INFO)
+
+    handler = logging.StreamHandler(sys.stdout)
+    handler.addFilter(_RequestIdFilter())
+    if settings.environment == "production":
+        handler.setFormatter(_JsonFormatter())
+    else:
+        handler.setFormatter(
+            logging.Formatter(
+                "%(asctime)s %(levelname)-7s %(name)s "
+                "[req=%(request_id)s] %(message)s"
+            )
+        )
+
+    for existing in list(root.handlers):
+        root.removeHandler(existing)
+    root.addHandler(handler)
+    root.setLevel(level)
+    root._loomy_configured = True  # type: ignore[attr-defined]
+
+    _init_sentry_if_configured()
+
+
+def _init_sentry_if_configured() -> None:
+    dsn = os.environ.get("SENTRY_DSN", "").strip()
+    if not dsn:
+        return
+    try:
+        import sentry_sdk  # type: ignore[import-not-found]
+    except ImportError:
+        logging.getLogger(__name__).warning(
+            "SENTRY_DSN is set but sentry_sdk is not installed"
+        )
+        return
+    sentry_sdk.init(
+        dsn=dsn,
+        environment=settings.environment,
+        traces_sample_rate=0.0,
+    )

From f2debeb0715fae48bb6d437a5321f56c5e24a515 Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:30:44 +0400
Subject: [PATCH 14/82] feat(middleware): add X-Request-ID middleware

---
 api/app/app/middleware/__init__.py   |  0
 api/app/app/middleware/request_id.py | 26 ++++++++++++++++++++++++++
 2 files changed, 26 insertions(+)
 create mode 100644 api/app/app/middleware/__init__.py
 create mode 100644 api/app/app/middleware/request_id.py

diff --git a/api/app/app/middleware/__init__.py b/api/app/app/middleware/__init__.py
new file mode 100644
index 0000000..e69de29
diff --git a/api/app/app/middleware/request_id.py b/api/app/app/middleware/request_id.py
new file mode 100644
index 0000000..875c63a
--- /dev/null
+++ b/api/app/app/middleware/request_id.py
@@ -0,0 +1,26 @@
+from collections.abc import Awaitable, Callable
+from uuid import uuid4
+
+from fastapi import Request, Response
+from starlette.middleware.base import BaseHTTPMiddleware
+
+from app.core.logging import request_id_ctx
+
+HEADER = "X-Request-ID"
+
+
+class RequestIDMiddleware(BaseHTTPMiddleware):
+    async def dispatch(
+        self,
+        request: Request,
+        call_next: Callable[[Request], Awaitable[Response]],
+    ) -> Response:
+        incoming = request.headers.get(HEADER)
+        request_id = incoming if incoming else uuid4().hex
+        token = request_id_ctx.set(request_id)
+        try:
+            response = await call_next(request)
+        finally:
+            request_id_ctx.reset(token)
+        response.headers[HEADER] = request_id
+        return response

From 6d2926ceea52e5db8bd199c257d03e20e7308357 Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:30:45 +0400
Subject: [PATCH 15/82] refactor(core): frame Redis pub/sub messages with
 type-byte prefix

---
 api/app/app/core/redis.py | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/api/app/app/core/redis.py b/api/app/app/core/redis.py
index b73b513..98eb7ec 100644
--- a/api/app/app/core/redis.py
+++ b/api/app/app/core/redis.py
@@ -6,8 +6,15 @@
 from app.config import settings
 
 _redis: Redis | None = None
+_redis_bytes: Redis | None = None
 BOARD_CHANNEL_PREFIX = "board:"
 
+# Must match FRAME_TEXT in app.websocket.manager. Messages on the board
+# pub/sub channel are prefixed with one byte so listeners can tell text
+# frames (FRAME_TEXT) from binary Yjs frames (FRAME_BINARY) on the same
+# channel. The listener in manager.py expects this format.
+_FRAME_TEXT = b"T"
+
 
 def get_redis() -> Redis:
     global _redis
@@ -16,15 +23,23 @@ def get_redis() -> Redis:
     return _redis
 
 
+def _get_redis_bytes() -> Redis:
+    global _redis_bytes
+    if _redis_bytes is None:
+        _redis_bytes = Redis.from_url(settings.redis_url, decode_responses=False)
+    return _redis_bytes
+
+
 def publish(channel: str, message: str) -> int:
     result = get_redis().publish(channel, message)
     return cast(int, result)
 
 
 def publish_board_event(board_id: str, event: str, data: Dict[str, Any]) -> int:
-    """Publish a board event for WebSocket broadcasting."""
     channel = f"{BOARD_CHANNEL_PREFIX}{board_id}"
-    return publish(channel, json.dumps({"event": event, "data": data}))
+    body = json.dumps({"event": event, "data": data}).encode("utf-8")
+    result = _get_redis_bytes().publish(channel, _FRAME_TEXT + body)
+    return cast(int, result)
 
 
 OAUTH_STATE_PREFIX = "oauth_state:"
@@ -32,7 +47,6 @@ def publish_board_event(board_id: str, event: str, data: Dict[str, Any]) -> int:
 
 
 def set_oauth_state(state: str, invite_token: str | None = None) -> bool:
-    """Store OAuth state for CSRF validation."""
     try:
         r = get_redis()
         payload = {"invite_token": invite_token}
@@ -43,7 +57,6 @@ def set_oauth_state(state: str, invite_token: str | None = None) -> bool:
 
 
 def validate_oauth_state(state: str) -> Dict[str, Any] | None:
-    """Validate and consume OAuth state, returning stored payload."""
     try:
         r = get_redis()
         key = f"{OAUTH_STATE_PREFIX}{state}"

From 774055565098929bae1827b8e98e28a8fd932614 Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:30:45 +0400
Subject: [PATCH 16/82] feat(core): add S3/MinIO storage client with presigned
 URLs

---
 api/app/app/core/storage.py | 98 +++++++++++++++++++++++++++++++++++++
 1 file changed, 98 insertions(+)
 create mode 100644 api/app/app/core/storage.py

diff --git a/api/app/app/core/storage.py b/api/app/app/core/storage.py
new file mode 100644
index 0000000..3bfbba3
--- /dev/null
+++ b/api/app/app/core/storage.py
@@ -0,0 +1,98 @@
+import logging
+from typing import TYPE_CHECKING
+
+import boto3
+from botocore.client import Config
+
+from app.config import settings
+
+if TYPE_CHECKING:
+    from mypy_boto3_s3 import S3Client
+
+logger = logging.getLogger(__name__)
+
+_client: "S3Client | None" = None
+_public_client: "S3Client | None" = None
+
+
+def _build_client(endpoint: str) -> "S3Client":
+    return boto3.client(
+        "s3",
+        endpoint_url=endpoint or None,
+        region_name=settings.s3_region,
+        aws_access_key_id=settings.s3_access_key or None,
+        aws_secret_access_key=settings.s3_secret_key or None,
+        config=Config(
+            signature_version="s3v4",
+            s3={
+                "addressing_style": "path"
+                if settings.s3_force_path_style
+                else "virtual"
+            },
+        ),
+    )
+
+
+def is_enabled() -> bool:
+    return bool(settings.s3_endpoint_url or settings.s3_access_key)
+
+
+def _get_client() -> "S3Client":
+    global _client
+    if _client is None:
+        _client = _build_client(settings.s3_endpoint_url)
+    return _client
+
+
+def _get_public_client() -> "S3Client":
+    # Presigned URLs handed to browsers must point at the host browsers
+    # can reach. In docker-compose, the API talks to `minio:9000` on
+    # the internal network, but the browser needs a URL on the host
+    # (e.g. http://localhost:9000). S3_PUBLIC_ENDPOINT_URL overrides
+    # just for URL generation.
+    public = settings.s3_public_endpoint_url or settings.s3_endpoint_url
+    if public == settings.s3_endpoint_url:
+        return _get_client()
+    global _public_client
+    if _public_client is None:
+        _public_client = _build_client(public)
+    return _public_client
+
+
+def ensure_bucket(bucket: str) -> None:
+    client = _get_client()
+    try:
+        client.head_bucket(Bucket=bucket)
+    except Exception:
+        try:
+            client.create_bucket(Bucket=bucket)
+        except Exception as exc:
+            logger.warning("Could not create bucket %s: %s", bucket, exc)
+
+
+def put_object(*, bucket: str, key: str, body: bytes, content_type: str) -> None:
+    client = _get_client()
+    client.put_object(
+        Bucket=bucket,
+        Key=key,
+        Body=body,
+        ContentType=content_type,
+        CacheControl="private, max-age=3600",
+    )
+
+
+def delete_object(*, bucket: str, key: str) -> None:
+    client = _get_client()
+    try:
+        client.delete_object(Bucket=bucket, Key=key)
+    except Exception as exc:
+        logger.warning("Failed to delete s3://%s/%s: %s", bucket, key, exc)
+
+
+def presign_get_url(*, bucket: str, key: str) -> str:
+    client = _get_public_client()
+    return client.generate_presigned_url(
+        "get_object",
+        Params={"Bucket": bucket, "Key": key},
+        ExpiresIn=settings.s3_presigned_url_expire_seconds,
+    )

From a2a031d7c35c359dd346ccd34312102bbcf75979 Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:30:46 +0400
Subject: [PATCH 17/82] feat(core): pluggable email backend (console and SMTP)

---
 api/app/app/core/email.py | 64 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 64 insertions(+)
 create mode 100644 api/app/app/core/email.py

diff --git a/api/app/app/core/email.py b/api/app/app/core/email.py
new file mode 100644
index 0000000..0445c21
--- /dev/null
+++ b/api/app/app/core/email.py
@@ -0,0 +1,64 @@
+import logging
+import smtplib
+from dataclasses import dataclass
+from email.message import EmailMessage
+from typing import Protocol
+
+from app.config import settings
+
+logger = logging.getLogger(__name__)
+
+
+@dataclass(frozen=True)
+class EmailMessage_:
+    to: str
+    subject: str
+    text: str
+    html: str | None = None
+
+
+class EmailBackend(Protocol):
+    def send(self, message: EmailMessage_) -> None: ...
+
+
+class ConsoleEmailBackend:
+    def send(self, message: EmailMessage_) -> None:
+        logger.info(
+            "email to=%s subject=%r\n%s",
+            message.to,
+            message.subject,
+            message.text,
+        )
+
+
+class SMTPEmailBackend:
+    def send(self, message: EmailMessage_) -> None:
+        msg = EmailMessage()
+        msg["From"] = (
+            f"{settings.email_from_name} <{settings.email_from_address}>"
+        )
+        msg["To"] = message.to
+        msg["Subject"] = message.subject
+        msg.set_content(message.text)
+        if message.html:
+            msg.add_alternative(message.html, subtype="html")
+
+        with smtplib.SMTP(settings.smtp_host, settings.smtp_port) as smtp:
+            if settings.smtp_use_tls:
+                smtp.starttls()
+            if settings.smtp_user:
+                smtp.login(settings.smtp_user, settings.smtp_password)
+            smtp.send_message(msg)
+
+
+def _get_backend() -> EmailBackend:
+    if settings.email_backend == "smtp":
+        return SMTPEmailBackend()
+    return ConsoleEmailBackend()
+
+
+def send_email(to: str, subject: str, text: str, html: str | None = None) -> None:
+    try:
+        _get_backend().send(EmailMessage_(to=to, subject=subject, text=text, html=html))
+    except Exception as exc:
+        logger.error("Email send failed (to=%s subject=%r): %s", to, subject, exc)

From dc8ff2e67fd82fe802bc1751cdf38e51923e6297 Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:30:47 +0400
Subject: [PATCH 18/82] feat(core): per-IP login rate limiter

---
 api/app/app/core/login_rate_limit.py | 43 ++++++++++++++++++++++++++++
 1 file changed, 43 insertions(+)
 create mode 100644 api/app/app/core/login_rate_limit.py

diff --git a/api/app/app/core/login_rate_limit.py b/api/app/app/core/login_rate_limit.py
new file mode 100644
index 0000000..d27b416
--- /dev/null
+++ b/api/app/app/core/login_rate_limit.py
@@ -0,0 +1,43 @@
+import logging
+
+from fastapi import HTTPException, Request, status
+
+from app.core.redis import get_redis
+
+logger = logging.getLogger(__name__)
+
+LOGIN_MAX_ATTEMPTS = 10
+LOGIN_WINDOW_SECONDS = 15 * 60
+LOGIN_RL_PREFIX = "login_rl"
+
+
+def _client_ip(request: Request) -> str:
+    xff = request.headers.get("x-forwarded-for")
+    if xff:
+        first = xff.split(",", 1)[0].strip()
+        if first:
+            return first
+    return request.client.host if request.client else "unknown"
+
+
+def enforce_login_rate_limit(request: Request) -> None:
+    ip = _client_ip(request)
+    key = f"{LOGIN_RL_PREFIX}:{ip}"
+    try:
+        redis = get_redis()
+        pipe = redis.pipeline()
+        pipe.incr(key)
+        pipe.expire(key, LOGIN_WINDOW_SECONDS)
+        count, _ = pipe.execute()
+    except Exception as exc:
+        logger.warning("Login rate limit skipped (Redis unavailable): %s", exc)
+        return
+
+    if isinstance(count, int) and count > LOGIN_MAX_ATTEMPTS:
+        raise HTTPException(
+            status_code=status.HTTP_429_TOO_MANY_REQUESTS,
+            detail=(
+                f"Too many login attempts. Try again in "
+                f"{LOGIN_WINDOW_SECONDS // 60} minutes."
+            ),
+        )

From 6495bc676c37390bb0c69caaebe2c641d1862217 Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:30:48 +0400
Subject: [PATCH 19/82] feat(core): Redis-backed refresh token registry

---
 api/app/app/core/token_store.py | 78 +++++++++++++++++++++++++++++++++
 1 file changed, 78 insertions(+)
 create mode 100644 api/app/app/core/token_store.py

diff --git a/api/app/app/core/token_store.py b/api/app/app/core/token_store.py
new file mode 100644
index 0000000..db7a1d6
--- /dev/null
+++ b/api/app/app/core/token_store.py
@@ -0,0 +1,78 @@
+import logging
+from typing import cast
+
+from app.config import settings
+from app.core.redis import get_redis
+
+logger = logging.getLogger(__name__)
+
+REFRESH_PREFIX = "refresh_jti:"
+USER_INDEX_PREFIX = "user_refresh_jtis:"
+
+
+def _ttl_seconds() -> int:
+    return settings.refresh_token_expire_days * 24 * 60 * 60
+
+
+def _decode(value: object) -> str:
+    if isinstance(value, bytes):
+        return value.decode("utf-8", errors="replace")
+    return str(value)
+
+
+def store_refresh_jti(user_id: str, jti: str) -> None:
+    try:
+        redis = get_redis()
+        ttl = _ttl_seconds()
+        pipe = redis.pipeline()
+        pipe.setex(f"{REFRESH_PREFIX}{jti}", ttl, user_id)
+        pipe.sadd(f"{USER_INDEX_PREFIX}{user_id}", jti)
+        pipe.expire(f"{USER_INDEX_PREFIX}{user_id}", ttl)
+        pipe.execute()
+    except Exception as exc:
+        logger.error("Failed to store refresh jti: %s", exc)
+        raise
+
+
+def is_refresh_jti_valid(jti: str, expected_user_id: str) -> bool:
+    # Fail closed: an unreachable registry means no tokens are valid.
+    try:
+        stored = get_redis().get(f"{REFRESH_PREFIX}{jti}")
+    except Exception as exc:
+        logger.error("Failed to read refresh jti: %s", exc)
+        return False
+    if stored is None:
+        return False
+    return _decode(stored) == expected_user_id
+
+
+def revoke_refresh_jti(jti: str) -> None:
+    try:
+        redis = get_redis()
+        owner = redis.get(f"{REFRESH_PREFIX}{jti}")
+        pipe = redis.pipeline()
+        pipe.delete(f"{REFRESH_PREFIX}{jti}")
+        if owner is not None:
+            pipe.srem(f"{USER_INDEX_PREFIX}{_decode(owner)}", jti)
+        pipe.execute()
+    except Exception as exc:
+        logger.error("Failed to revoke refresh jti: %s", exc)
+
+
+def revoke_all_user_refresh_tokens(user_id: str) -> int:
+    try:
+        redis = get_redis()
+        index_key = f"{USER_INDEX_PREFIX}{user_id}"
+        # redis-py stubs type smembers as Awaitable|set across sync/async.
+        jtis = cast(set[object], redis.smembers(index_key))
+        if not jtis:
+            return 0
+        pipe = redis.pipeline()
+        for raw in jtis:
+            pipe.delete(f"{REFRESH_PREFIX}{_decode(raw)}")
+        pipe.delete(index_key)
+        pipe.execute()
+        return len(jtis)
+    except Exception as exc:
+        logger.error("Failed to bulk-revoke refresh tokens: %s", exc)
+        return 0

From 8ee1931e63ec7fa4f2f55d116bf8ad002fcafdde Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:30:49 +0400
Subject: [PATCH 20/82] feat(auth): split access and refresh JWT helpers

---
 api/app/app/core/jwt.py | 49 ++++++++++++++++++++++++++++++++++-------
 1 file changed, 41 insertions(+), 8 deletions(-)

diff --git a/api/app/app/core/jwt.py b/api/app/app/core/jwt.py
index c2deff1..5a06667 100644
--- a/api/app/app/core/jwt.py
+++ b/api/app/app/core/jwt.py
@@ -1,5 +1,6 @@
 from datetime import datetime, timedelta, timezone
 from typing import Any
+from uuid import uuid4
 
 from jose import JWTError, jwt
 
@@ -7,18 +8,50 @@
 
 
 def create_access_token(subject: str) -> str:
-    expire = datetime.now(timezone.utc) + timedelta(minutes=settings.access_token_expire_minutes)
-    to_encode = {"sub": subject, "exp": expire}
-    encoded = jwt.encode(to_encode, settings.secret_key, algorithm=settings.algorithm)
-    return str(encoded)
+    expire = datetime.now(timezone.utc) + timedelta(
+        minutes=settings.access_token_expire_minutes
+    )
+    payload = {"sub": subject, "exp": expire, "typ": "access"}
+    return str(jwt.encode(payload, settings.secret_key, algorithm=settings.algorithm))
 
 
 def decode_access_token(token: str) -> str | None:
     try:
-        payload = jwt.decode(token, settings.secret_key, algorithms=[settings.algorithm])
-        sub: Any = payload.get("sub")
-        if isinstance(sub, str):
-            return sub
+        payload = jwt.decode(
+            token, settings.secret_key, algorithms=[settings.algorithm]
+        )
+    except JWTError:
+        return None
+    # Legacy tokens issued before `typ` existed have no claim; they can
+    # only be access tokens, so we accept them.
+    typ: Any = payload.get("typ")
+    if typ is not None and typ != "access":
         return None
+    sub: Any = payload.get("sub")
+    return sub if isinstance(sub, str) else None
+
+
+def create_refresh_token(subject: str) -> tuple[str, str]:
+    jti = str(uuid4())
+    expire = datetime.now(timezone.utc) + timedelta(
+        days=settings.refresh_token_expire_days
+    )
+    payload = {"sub": subject, "exp": expire, "typ": "refresh", "jti": jti}
+    encoded = jwt.encode(payload, settings.secret_key, algorithm=settings.algorithm)
+    return str(encoded), jti
+
+
+def decode_refresh_token(token: str) -> tuple[str, str] | None:
+    try:
+        payload = jwt.decode(
+            token, settings.secret_key, algorithms=[settings.algorithm]
+        )
     except JWTError:
         return None
+    if payload.get("typ") != "refresh":
+        return None
+    sub: Any = payload.get("sub")
+    jti: Any = payload.get("jti")
+    if isinstance(sub, str) and isinstance(jti, str):
+        return sub, jti
+    return None

From 166803dcdbdf2838a014bc17db5db0bfd064cbf6 Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:30:49 +0400
Subject: [PATCH 21/82] refactor(users): adopt model mixins, nullable names,
 avatar_key

---
 api/app/app/modules/users/model.py | 55 +++++++++++++++---------------
 1 file changed, 27 insertions(+), 28 deletions(-)

diff --git a/api/app/app/modules/users/model.py b/api/app/app/modules/users/model.py
index 79bffa2..20b6acd 100644
--- a/api/app/app/modules/users/model.py
+++ b/api/app/app/modules/users/model.py
@@ -2,38 +2,41 @@
 from datetime import datetime
 from typing import TYPE_CHECKING
 
-from sqlalchemy import DateTime, ForeignKey, String, func
+from sqlalchemy import Boolean, DateTime, ForeignKey, String
 from sqlalchemy.dialects.postgresql import UUID
 from sqlalchemy.orm import Mapped, mapped_column, relationship
 
-from app.db.base import Base
+from app.db.base import Base, CreatedAtMixin, TimestampedMixin, UUIDMixin
 
 if TYPE_CHECKING:
     from app.modules.workspaces.model import WorkspaceMember
 
 
-class User(Base):
+class User(Base, UUIDMixin, TimestampedMixin):
     __tablename__ = "users"
 
-    id: Mapped[uuid.UUID] = mapped_column(
-        UUID(as_uuid=True),
-        primary_key=True,
-        default=uuid.uuid4,
+    email: Mapped[str] = mapped_column(
+        String(255), unique=True, nullable=False, index=True
+    )
+    username: Mapped[str] = mapped_column(
+        String(100), unique=True, nullable=False, index=True
     )
-    email: Mapped[str] = mapped_column(String(255), unique=True, nullable=False, index=True)
-    username: Mapped[str] = mapped_column(String(100), unique=True, nullable=False, index=True)
-    first_name: Mapped[str] = mapped_column(String(100), nullable=False)
-    last_name: Mapped[str] = mapped_column(String(100), nullable=False)
+    first_name: Mapped[str | None] = mapped_column(String(100), nullable=True)
+    last_name: Mapped[str | None] = mapped_column(String(100), nullable=True)
+
+    # Avatar sources, resolved in this order: `avatar_key` (presigned
+    # URL from our storage) -> `avatar_url` (external OAuth CDN) ->
+    # initials bubble in the UI.
     avatar_url: Mapped[str | None] = mapped_column(String(500), nullable=True)
+    avatar_key: Mapped[str | None] = mapped_column(String(500), nullable=True)
+
     hashed_password: Mapped[str | None] = mapped_column(String(255), nullable=True)
-    created_at: Mapped[datetime] = mapped_column(
-        DateTime(timezone=True), nullable=False, server_default=func.now()
+
+    email_verified: Mapped[bool] = mapped_column(
+        Boolean, nullable=False, server_default="false"
     )
-    updated_at: Mapped[datetime] = mapped_column(
-        DateTime(timezone=True),
-        nullable=False,
-        server_default=func.now(),
-        onupdate=func.now(),
+    email_verified_at: Mapped[datetime | None] = mapped_column(
+        DateTime(timezone=True), nullable=True
     )
 
     oauth_accounts: Mapped[list["OAuthAccount"]] = relationship(
@@ -44,21 +47,17 @@ class User(Base):
     )
 
 
-class OAuthAccount(Base):
+class OAuthAccount(Base, UUIDMixin, CreatedAtMixin):
     __tablename__ = "oauth_accounts"
 
-    id: Mapped[uuid.UUID] = mapped_column(
-        UUID(as_uuid=True),
-        primary_key=True,
-        default=uuid.uuid4,
-    )
     user_id: Mapped[uuid.UUID] = mapped_column(
-        UUID(as_uuid=True), ForeignKey("users.id", ondelete="CASCADE"), nullable=False
+        UUID(as_uuid=True),
+        ForeignKey("users.id", ondelete="CASCADE"),
+        nullable=False,
     )
     provider: Mapped[str] = mapped_column(String(50), nullable=False, index=True)
-    provider_user_id: Mapped[str] = mapped_column(String(255), nullable=False, index=True)
-    created_at: Mapped[datetime] = mapped_column(
-        DateTime(timezone=True), nullable=False, server_default=func.now()
+    provider_user_id: Mapped[str] = mapped_column(
+        String(255), nullable=False, index=True
     )
 
     user: Mapped["User"] = relationship("User", back_populates="oauth_accounts")

From 4dcc2312a7c668847f979bec59a00d50695bd292 Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:30:50 +0400
Subject: [PATCH 22/82] refactor(workspaces): adopt mixins and set-null
 invited_by

---
 api/app/app/modules/workspaces/model.py | 82 +++++++++++--------------
 1 file changed, 35 insertions(+), 47 deletions(-)

diff --git a/api/app/app/modules/workspaces/model.py b/api/app/app/modules/workspaces/model.py
index f338bff..e2c894a 100644
--- a/api/app/app/modules/workspaces/model.py
+++ b/api/app/app/modules/workspaces/model.py
@@ -1,40 +1,29 @@
 import uuid
 from datetime import datetime
+from typing import TYPE_CHECKING
 
-from sqlalchemy import DateTime, ForeignKey, String, func
+from sqlalchemy import DateTime, ForeignKey, String
 from sqlalchemy.dialects.postgresql import UUID
 from sqlalchemy.orm import Mapped, mapped_column, relationship
 
-from typing import TYPE_CHECKING
-
-from app.db.base import Base
+from app.db.base import Base, CreatedAtMixin, TimestampedMixin, UUIDMixin
 
 if TYPE_CHECKING:
     from app.modules.boards.model import Board
     from app.modules.users.model import User
 
 
-class Workspace(Base):
+class Workspace(Base, UUIDMixin, TimestampedMixin):
     __tablename__ = "workspaces"
 
-    id: Mapped[uuid.UUID] = mapped_column(
-        UUID(as_uuid=True),
-        primary_key=True,
-        default=uuid.uuid4,
-    )
     name: Mapped[str] = mapped_column(String(255), nullable=False)
-    slug: Mapped[str] = mapped_column(String(255), unique=True, nullable=False, index=True)
-    owner_id: Mapped[uuid.UUID] = mapped_column(
-        UUID(as_uuid=True), ForeignKey("users.id", ondelete="CASCADE"), nullable=False
+    slug: Mapped[str] = mapped_column(
+        String(255), unique=True, nullable=False, index=True
     )
-    created_at: Mapped[datetime] = mapped_column(
-        DateTime(timezone=True), nullable=False, server_default=func.now()
-    )
-    updated_at: Mapped[datetime] = mapped_column(
-        DateTime(timezone=True),
+    owner_id: Mapped[uuid.UUID] = mapped_column(
+        UUID(as_uuid=True),
+        ForeignKey("users.id", ondelete="CASCADE"),
         nullable=False,
-        server_default=func.now(),
-        onupdate=func.now(),
     )
 
     owner: Mapped["User"] = relationship(
@@ -47,18 +36,15 @@ class Workspace(Base):
         "WorkspaceMember", back_populates="workspace", cascade="all, delete-orphan"
     )
     invitations: Mapped[list["WorkspaceInvitation"]] = relationship(
-        "WorkspaceInvitation", back_populates="workspace", cascade="all, delete-orphan"
+        "WorkspaceInvitation",
+        back_populates="workspace",
+        cascade="all, delete-orphan",
     )
 
 
-class WorkspaceMember(Base):
+class WorkspaceMember(Base, UUIDMixin, CreatedAtMixin):
     __tablename__ = "workspace_members"
 
-    id: Mapped[uuid.UUID] = mapped_column(
-        UUID(as_uuid=True),
-        primary_key=True,
-        default=uuid.uuid4,
-    )
     workspace_id: Mapped[uuid.UUID] = mapped_column(
         UUID(as_uuid=True),
         ForeignKey("workspaces.id", ondelete="CASCADE"),
@@ -72,22 +58,18 @@ class WorkspaceMember(Base):
         index=True,
     )
     role: Mapped[str] = mapped_column(String(50), nullable=False, default="member")
-    created_at: Mapped[datetime] = mapped_column(
-        DateTime(timezone=True), nullable=False, server_default=func.now()
-    )
 
-    workspace: Mapped["Workspace"] = relationship("Workspace", back_populates="members")
-    user: Mapped["User"] = relationship("User", back_populates="workspace_memberships")
+    workspace: Mapped["Workspace"] = relationship(
+        "Workspace", back_populates="members"
+    )
+    user: Mapped["User"] = relationship(
+        "User", back_populates="workspace_memberships"
+    )
 
 
-class WorkspaceInvitation(Base):
+class WorkspaceInvitation(Base, UUIDMixin, CreatedAtMixin):
     __tablename__ = "workspace_invitations"
 
-    id: Mapped[uuid.UUID] = mapped_column(
-        UUID(as_uuid=True),
-        primary_key=True,
-        default=uuid.uuid4,
-    )
     workspace_id: Mapped[uuid.UUID] = mapped_column(
         UUID(as_uuid=True),
         ForeignKey("workspaces.id", ondelete="CASCADE"),
@@ -96,16 +78,22 @@ class WorkspaceInvitation(Base):
     )
     email: Mapped[str] = mapped_column(String(255), nullable=False, index=True)
     role: Mapped[str] = mapped_column(String(50), nullable=False, default="member")
-    token: Mapped[str] = mapped_column(String(128), nullable=False, unique=True, index=True)
-    invited_by: Mapped[uuid.UUID] = mapped_column(
+    token: Mapped[str] = mapped_column(
+        String(128), nullable=False, unique=True, index=True
+    )
+    # Keep the invite intact if the inviter later deletes their account.
+    invited_by: Mapped[uuid.UUID | None] = mapped_column(
         UUID(as_uuid=True),
-        ForeignKey("users.id", ondelete="CASCADE"),
-        nullable=False,
+        ForeignKey("users.id", ondelete="SET NULL"),
+        nullable=True,
     )
-    created_at: Mapped[datetime] = mapped_column(
-        DateTime(timezone=True), nullable=False, server_default=func.now()
+    expires_at: Mapped[datetime | None] = mapped_column(
+        DateTime(timezone=True), nullable=True
+    )
+    accepted_at: Mapped[datetime | None] = mapped_column(
+        DateTime(timezone=True), nullable=True
     )
-    expires_at: Mapped[datetime | None] = mapped_column(DateTime(timezone=True), nullable=True)
-    accepted_at: Mapped[datetime | None] = mapped_column(DateTime(timezone=True), nullable=True)
 
-    workspace: Mapped["Workspace"] = relationship("Workspace", back_populates="invitations")
+    workspace: Mapped["Workspace"] = relationship(
+        "Workspace", back_populates="invitations"
+    )

From 428d359c0dae46ff87c92265fbd57bfe78f1ad3b Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:30:51 +0400
Subject: [PATCH 23/82] refactor(boards): consolidate board models and adopt
 mixins

---
 api/app/app/modules/boards/model.py | 164 +++++++++++++++++++++-------
 1 file changed, 123 insertions(+), 41 deletions(-)

diff --git a/api/app/app/modules/boards/model.py b/api/app/app/modules/boards/model.py
index b70d1b6..bb439ce 100644
--- a/api/app/app/modules/boards/model.py
+++ b/api/app/app/modules/boards/model.py
@@ -1,28 +1,58 @@
 import uuid
 from datetime import datetime
-from typing import TYPE_CHECKING
-
-from sqlalchemy import DateTime, ForeignKey, String, UniqueConstraint, func
-from sqlalchemy.dialects.postgresql import UUID
+from typing import TYPE_CHECKING, Any
+
+from sqlalchemy import (
+    Boolean,
+    DateTime,
+    Float,
+    ForeignKey,
+    Index,
+    String,
+    Text,
+    UniqueConstraint,
+    func,
+)
+from sqlalchemy.dialects.postgresql import JSONB, UUID
 from sqlalchemy.orm import Mapped, mapped_column, relationship
 
-from app.db.base import Base
+from app.db.base import Base, CreatedAtMixin, TimestampedMixin, UUIDMixin
 
 if TYPE_CHECKING:
     from app.modules.elements.model import Element
     from app.modules.workspaces.model import Workspace
 
 
-class BoardStar(Base):
+class Board(Base, UUIDMixin, TimestampedMixin):
+    __tablename__ = "boards"
+
+    workspace_id: Mapped[uuid.UUID] = mapped_column(
+        UUID(as_uuid=True),
+        ForeignKey("workspaces.id", ondelete="CASCADE"),
+        nullable=False,
+        index=True,
+    )
+    name: Mapped[str] = mapped_column(String(255), nullable=False)
+
+    workspace: Mapped["Workspace"] = relationship(
+        "Workspace", back_populates="boards"
+    )
+    elements: Mapped[list["Element"]] = relationship(
+        "Element", back_populates="board", cascade="all, delete-orphan"
+    )
+
+    # Dashboard lists boards sorted by last-updated; this index lets
+    # the sort use the index directly instead of a filesort.
+    __table_args__ = (
+        Index("ix_boards_workspace_updated", "workspace_id", "updated_at"),
+    )
+
+
+class BoardStar(Base, UUIDMixin, CreatedAtMixin):
     """User-starred boards."""
 
     __tablename__ = "board_stars"
 
-    id: Mapped[uuid.UUID] = mapped_column(
-        UUID(as_uuid=True),
-        primary_key=True,
-        default=uuid.uuid4,
-    )
     user_id: Mapped[uuid.UUID] = mapped_column(
         UUID(as_uuid=True),
         ForeignKey("users.id", ondelete="CASCADE"),
@@ -35,23 +65,17 @@ class BoardStar(Base):
         nullable=False,
         index=True,
     )
-    created_at: Mapped[datetime] = mapped_column(
-        DateTime(timezone=True), nullable=False, server_default=func.now()
-    )
 
-    __table_args__ = (UniqueConstraint("user_id", "board_id", name="uq_board_stars_user_board"),)
+    __table_args__ = (
+        UniqueConstraint("user_id", "board_id", name="uq_board_stars_user_board"),
+    )
 
 
-class BoardView(Base):
-    """Tracks when a user last opened a board (for Recent)."""
+class BoardView(Base, UUIDMixin):
+    """Tracks when a user last opened a board (drives the "Recent" view)."""
 
     __tablename__ = "board_views"
 
-    id: Mapped[uuid.UUID] = mapped_column(
-        UUID(as_uuid=True),
-        primary_key=True,
-        default=uuid.uuid4,
-    )
     user_id: Mapped[uuid.UUID] = mapped_column(
         UUID(as_uuid=True),
         ForeignKey("users.id", ondelete="CASCADE"),
@@ -68,35 +92,93 @@ class BoardView(Base):
         DateTime(timezone=True), nullable=False, server_default=func.now()
     )
 
-    __table_args__ = (UniqueConstraint("user_id", "board_id", name="uq_board_views_user_board"),)
+    __table_args__ = (
+        UniqueConstraint("user_id", "board_id", name="uq_board_views_user_board"),
+    )
 
 
-class Board(Base):
-    __tablename__ = "boards"
+class BoardShareToken(Base, UUIDMixin, CreatedAtMixin):
+    """Signed URL-style share link granting anonymous access to a board."""
 
-    id: Mapped[uuid.UUID] = mapped_column(
+    __tablename__ = "board_share_tokens"
+
+    board_id: Mapped[uuid.UUID] = mapped_column(
         UUID(as_uuid=True),
-        primary_key=True,
-        default=uuid.uuid4,
+        ForeignKey("boards.id", ondelete="CASCADE"),
+        nullable=False,
+        index=True,
     )
-    workspace_id: Mapped[uuid.UUID] = mapped_column(
+    token: Mapped[str] = mapped_column(
+        String(64), unique=True, nullable=False, index=True
+    )
+    # "viewer" (read-only) or "editor" (can draw).
+    role: Mapped[str] = mapped_column(String(20), nullable=False, default="viewer")
+    # Keep the link valid if the creator deletes their account.
+    created_by: Mapped[uuid.UUID | None] = mapped_column(
         UUID(as_uuid=True),
-        ForeignKey("workspaces.id", ondelete="CASCADE"),
+        ForeignKey("users.id", ondelete="SET NULL"),
+        nullable=True,
+    )
+    expires_at: Mapped[datetime | None] = mapped_column(
+        DateTime(timezone=True), nullable=True
+    )
+    revoked_at: Mapped[datetime | None] = mapped_column(
+        DateTime(timezone=True), nullable=True
+    )
+
+
+class BoardComment(Base, UUIDMixin, TimestampedMixin):
+    __tablename__ = "board_comments"
+
+    board_id: Mapped[uuid.UUID] = mapped_column(
+        UUID(as_uuid=True),
+        ForeignKey("boards.id", ondelete="CASCADE"),
         nullable=False,
         index=True,
     )
-    name: Mapped[str] = mapped_column(String(255), nullable=False)
-    created_at: Mapped[datetime] = mapped_column(
-        DateTime(timezone=True), nullable=False, server_default=func.now()
+    # Root comments have parent_id = None; replies point at the parent.
+    parent_id: Mapped[uuid.UUID | None] = mapped_column(
+        UUID(as_uuid=True),
+        ForeignKey("board_comments.id", ondelete="CASCADE"),
+        nullable=True,
+        index=True,
     )
-    updated_at: Mapped[datetime] = mapped_column(
-        DateTime(timezone=True),
-        nullable=False,
-        server_default=func.now(),
-        onupdate=func.now(),
+    # Nullable so a user's comments outlive their account.
+    author_id: Mapped[uuid.UUID | None] = mapped_column(
+        UUID(as_uuid=True),
+        ForeignKey("users.id", ondelete="SET NULL"),
+        nullable=True,
+        index=True,
     )
 
-    workspace: Mapped["Workspace"] = relationship("Workspace", back_populates="boards")
-    elements: Mapped[list["Element"]] = relationship(
-        "Element", back_populates="board", cascade="all, delete-orphan"
+    # Optional anchor: either a scene-space point or a specific element id.
+    anchor_x: Mapped[float | None] = mapped_column(Float, nullable=True)
+    anchor_y: Mapped[float | None] = mapped_column(Float, nullable=True)
+    anchor_element_id: Mapped[str | None] = mapped_column(String(64), nullable=True)
+
+    body: Mapped[str] = mapped_column(Text, nullable=False)
+    resolved_at: Mapped[datetime | None] = mapped_column(
+        DateTime(timezone=True), nullable=True
+    )
+
+
+class BoardTemplate(Base, UUIDMixin, CreatedAtMixin):
+    __tablename__ = "board_templates"
+
+    slug: Mapped[str] = mapped_column(
+        String(80), unique=True, nullable=False, index=True
+    )
+    name: Mapped[str] = mapped_column(String(160), nullable=False)
+    category: Mapped[str] = mapped_column(String(40), nullable=False, index=True)
+    description: Mapped[str] = mapped_column(Text, nullable=False, default="")
+    # Storage key (preferred) or external URL (legacy) for the preview
+    # image shown in the template picker.
+    thumbnail_key: Mapped[str | None] = mapped_column(String(500), nullable=True)
+    thumbnail_url: Mapped[str | None] = mapped_column(String(500), nullable=True)
+    is_builtin: Mapped[bool] = mapped_column(
+        Boolean, nullable=False, server_default="true"
+    )
+    # Full excalidraw_snapshot payload: {elements, appState}.
+    snapshot: Mapped[dict[str, Any]] = mapped_column(
+        JSONB, nullable=False, default=dict
     )

From 1eeb5f82b7aeeff4a9d3fd58232ceae2fa3748d6 Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:30:51 +0400
Subject: [PATCH 24/82] feat(users): presenter for display_name and avatar
 resolution

---
 api/app/app/modules/users/presenter.py | 40 ++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100644 api/app/app/modules/users/presenter.py

diff --git a/api/app/app/modules/users/presenter.py b/api/app/app/modules/users/presenter.py
new file mode 100644
index 0000000..d627877
--- /dev/null
+++ b/api/app/app/modules/users/presenter.py
@@ -0,0 +1,40 @@
+from app.config import settings
+from app.core.storage import is_enabled as storage_enabled, presign_get_url
+from app.modules.users.model import User
+from app.modules.users.schemas import UserResponse
+
+
+def display_name_of(user: User) -> str:
+    first = (user.first_name or "").strip()
+    last = (user.last_name or "").strip()
+    if first or last:
+        return f"{first} {last}".strip()
+    if user.email:
+        local = user.email.split("@", 1)[0]
+        if local:
+            return local
+    return user.username or "Unknown"
+
+
+def avatar_url_of(user: User) -> str | None:
+    if user.avatar_key and storage_enabled():
+        try:
+            return presign_get_url(bucket=settings.s3_bucket, key=user.avatar_key)
+        except Exception:
+            return user.avatar_url
+    return user.avatar_url
+
+
+def to_user_response(user: User) -> UserResponse:
+    return UserResponse(
+        id=user.id,
+        email=user.email,
+        username=user.username,
+        first_name=user.first_name,
+        last_name=user.last_name,
+        display_name=display_name_of(user),
+        avatar_url=avatar_url_of(user),
+        email_verified=user.email_verified,
+        created_at=user.created_at,
+        updated_at=user.updated_at,
+    )

From d90d234913dc1e03d4d62ddb6913a43d90fef7f2 Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:30:52 +0400
Subject: [PATCH 25/82] feat(users): avatar upload/delete endpoints and
 display_name response

---
 api/app/app/modules/users/router.py  | 116 +++++++++++++++++++++++----
 api/app/app/modules/users/schemas.py |   6 +-
 2 files changed, 106 insertions(+), 16 deletions(-)

diff --git a/api/app/app/modules/users/router.py b/api/app/app/modules/users/router.py
index c4bb379..b9c4f50 100644
--- a/api/app/app/modules/users/router.py
+++ b/api/app/app/modules/users/router.py
@@ -1,17 +1,37 @@
+import logging
+import secrets
 from uuid import UUID
 
-from fastapi import APIRouter, Depends, HTTPException, status
+from fastapi import APIRouter, Depends, File, HTTPException, UploadFile, status
 from sqlalchemy.orm import Session
 
 from app.api.deps import get_current_user
+from app.config import settings
+from app.core.storage import (
+    delete_object,
+    ensure_bucket,
+    is_enabled as storage_enabled,
+    put_object,
+)
 from app.db.session import get_db
 from app.modules.users.model import User
+from app.modules.users.presenter import to_user_response
 from app.modules.users.schemas import UserCreate, UserResponse, UserUpdate
-from app.modules.users.service import get_user_by_id
-from app.modules.users.service import register_user
+from app.modules.users.service import get_user_by_id, register_user
+
+logger = logging.getLogger(__name__)
 
 router = APIRouter(prefix="/users", tags=["users"])
 
+AVATAR_MAX_BYTES = 5 * 1024 * 1024  # 5 MB
+AVATAR_KEY_PREFIX = "avatars"
+ALLOWED_IMAGE_TYPES = {
+    "image/jpeg": "jpg",
+    "image/png": "png",
+    "image/webp": "webp",
+    "image/gif": "gif",
+}
+
 
 @router.get("/{user_id}", response_model=UserResponse)
 def get_user(
@@ -22,10 +42,9 @@ def get_user(
     user = get_user_by_id(db, user_id)
     if not user:
         raise HTTPException(
-            status_code=status.HTTP_404_NOT_FOUND,
-            detail="User not found",
+            status_code=status.HTTP_404_NOT_FOUND, detail="User not found"
         )
-    return UserResponse.model_validate(user)
+    return to_user_response(user)
 
 
 @router.post("", response_model=UserResponse, status_code=status.HTTP_201_CREATED)
@@ -33,14 +52,14 @@ def create_user(
     data: UserCreate,
     db: Session = Depends(get_db),
 ) -> UserResponse:
+    from app.modules.auth.email_verification import send_verification_for_user
+
     try:
         user = register_user(db, data)
-        return UserResponse.model_validate(user)
     except ValueError as e:
-        raise HTTPException(
-            status_code=status.HTTP_400_BAD_REQUEST,
-            detail=str(e),
-        )
+        raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail=str(e))
+    send_verification_for_user(user)
+    return to_user_response(user)
 
 
 @router.patch("/{user_id}", response_model=UserResponse)
@@ -59,9 +78,78 @@ def update_user_endpoint(
                 status_code=status.HTTP_404_NOT_FOUND,
                 detail="User not found or unauthorized",
             )
-        return UserResponse.model_validate(user)
+        return to_user_response(user)
     except ValueError as e:
+        raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail=str(e))
+
+
+@router.post("/me/avatar", response_model=UserResponse)
+async def upload_avatar(
+    file: UploadFile = File(...),
+    db: Session = Depends(get_db),
+    current_user: User = Depends(get_current_user),
+) -> UserResponse:
+    if not storage_enabled():
+        raise HTTPException(
+            status_code=status.HTTP_503_SERVICE_UNAVAILABLE,
+            detail="Object storage is not configured on this server.",
+        )
+    content_type = (file.content_type or "").lower()
+    ext = ALLOWED_IMAGE_TYPES.get(content_type)
+    if ext is None:
         raise HTTPException(
-            status_code=status.HTTP_400_BAD_REQUEST,
-            detail=str(e),
+            status_code=status.HTTP_415_UNSUPPORTED_MEDIA_TYPE,
+            detail="Avatar must be a JPEG, PNG, WEBP, or GIF image.",
         )
+    body = await file.read()
+    if len(body) == 0:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST, detail="Empty upload."
+        )
+    if len(body) > AVATAR_MAX_BYTES:
+        raise HTTPException(
+            status_code=status.HTTP_413_REQUEST_ENTITY_TOO_LARGE,
+            detail=f"Avatar must be <= {AVATAR_MAX_BYTES // 1024} KB.",
+        )
+
+    ensure_bucket(settings.s3_bucket)
+    key = f"{AVATAR_KEY_PREFIX}/{current_user.id}/{secrets.token_urlsafe(16)}.{ext}"
+    try:
+        put_object(
+            bucket=settings.s3_bucket,
+            key=key,
+            body=body,
+            content_type=content_type,
+        )
+    except Exception as exc:
+        logger.error("Avatar upload failed: %s", exc)
+        raise HTTPException(
+            status_code=status.HTTP_502_BAD_GATEWAY,
+            detail="Could not store avatar. Try again shortly.",
+        )
+
+    previous_key = current_user.avatar_key
+    current_user.avatar_key = key
+    db.add(current_user)
+    db.commit()
+    db.refresh(current_user)
+
+    if previous_key and previous_key != key:
+        delete_object(bucket=settings.s3_bucket, key=previous_key)
+
+    return to_user_response(current_user)
+
+
+@router.delete("/me/avatar", response_model=UserResponse)
+def delete_avatar(
+    db: Session = Depends(get_db),
+    current_user: User = Depends(get_current_user),
+) -> UserResponse:
+    previous_key = current_user.avatar_key
+    current_user.avatar_key = None
+    db.add(current_user)
+    db.commit()
+    db.refresh(current_user)
+    if previous_key:
+        delete_object(bucket=settings.s3_bucket, key=previous_key)
+    return to_user_response(current_user)
diff --git a/api/app/app/modules/users/schemas.py b/api/app/app/modules/users/schemas.py
index 6b82cdf..846b69a 100644
--- a/api/app/app/modules/users/schemas.py
+++ b/api/app/app/modules/users/schemas.py
@@ -23,9 +23,11 @@ class UserResponse(BaseModel):
     id: UUID
     email: str
     username: str
-    first_name: str
-    last_name: str
+    first_name: str | None = None
+    last_name: str | None = None
+    display_name: str
     avatar_url: str | None = None
+    email_verified: bool = False
     created_at: datetime
     updated_at: datetime
 

From 5425ecaae310c9e4e33257a7dcad24aef8ba3882 Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:30:53 +0400
Subject: [PATCH 26/82] feat(auth): password reset token flow

---
 api/app/app/modules/auth/password_reset.py | 94 ++++++++++++++++++++++
 1 file changed, 94 insertions(+)
 create mode 100644 api/app/app/modules/auth/password_reset.py

diff --git a/api/app/app/modules/auth/password_reset.py b/api/app/app/modules/auth/password_reset.py
new file mode 100644
index 0000000..a79c5c5
--- /dev/null
+++ b/api/app/app/modules/auth/password_reset.py
@@ -0,0 +1,94 @@
+import logging
+import secrets
+from dataclasses import dataclass
+from uuid import UUID
+
+from sqlalchemy.orm import Session
+
+from app.config import settings
+from app.core.email import send_email
+from app.core.redis import get_redis
+from app.core.security import hash_password
+from app.modules.users.model import User
+from app.modules.users.repository import get_by_email, get_by_id
+
+logger = logging.getLogger(__name__)
+
+RESET_PREFIX = "pwreset:"
+
+
+@dataclass(frozen=True)
+class PasswordResetResult:
+    ok: bool
+    user_id: str | None = None
+
+
+def _ttl_seconds() -> int:
+    return settings.password_reset_expire_minutes * 60
+
+
+def _build_reset_url(token: str) -> str:
+    return f"{settings.frontend_url.rstrip('/')}/reset-password?token={token}"
+
+
+def request_password_reset(db: Session, email: str) -> None:
+    # Silent when the account doesn't exist so the endpoint isn't a
+    # user-enumeration oracle.
+    user = get_by_email(db, email)
+    if not user or not user.email:
+        return
+
+    token = secrets.token_urlsafe(48)
+    try:
+        get_redis().setex(f"{RESET_PREFIX}{token}", _ttl_seconds(), str(user.id))
+    except Exception as exc:
+        logger.error("Failed to store password reset token: %s", exc)
+        return
+
+    _send_reset_email(user, _build_reset_url(token))
+
+
+def _send_reset_email(user: User, reset_url: str) -> None:
+    subject = "Reset your Loomy password"
+    text = (
+        f"Hi {user.username or user.email},\n\n"
+        "Someone asked to reset your Loomy password. "
+        "Open this link within "
+        f"{settings.password_reset_expire_minutes} minutes to pick a new one:\n\n"
+        f"{reset_url}\n\n"
+        "If this wasn't you, ignore this message."
+    )
+    send_email(to=user.email, subject=subject, text=text)
+
+
+def consume_password_reset(
+    db: Session, token: str, new_password: str
+) -> PasswordResetResult:
+    key = f"{RESET_PREFIX}{token}"
+    try:
+        redis = get_redis()
+        stored = redis.get(key)
+        if stored is None:
+            return PasswordResetResult(ok=False)
+        redis.delete(key)
+    except Exception as exc:
+        logger.error("Failed to read/delete password reset token: %s", exc)
+        return PasswordResetResult(ok=False)
+
+    if isinstance(stored, bytes):
+        stored = stored.decode("utf-8", errors="replace")
+    user_id_str = str(stored)
+
+    try:
+        user_uuid = UUID(user_id_str)
+    except ValueError:
+        return PasswordResetResult(ok=False)
+
+    user = get_by_id(db, user_uuid)
+    if not user:
+        return PasswordResetResult(ok=False)
+
+    user.hashed_password = hash_password(new_password)
+    db.add(user)
+    db.commit()
+    return PasswordResetResult(ok=True, user_id=user_id_str)

From ee534db1e81052c24648dcd72c12206ba19b67b8 Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:30:54 +0400
Subject: [PATCH 27/82] feat(auth): email verification flow

---
 .../app/modules/auth/email_verification.py    | 101 ++++++++++++++++++
 1 file changed, 101 insertions(+)
 create mode 100644 api/app/app/modules/auth/email_verification.py

diff --git a/api/app/app/modules/auth/email_verification.py b/api/app/app/modules/auth/email_verification.py
new file mode 100644
index 0000000..fff49ed
--- /dev/null
+++ b/api/app/app/modules/auth/email_verification.py
@@ -0,0 +1,101 @@
+import logging
+import secrets
+from dataclasses import dataclass
+from datetime import datetime, timezone
+from uuid import UUID
+
+from sqlalchemy.orm import Session
+
+from app.config import settings
+from app.core.email import send_email
+from app.core.redis import get_redis
+from app.modules.users.model import User
+from app.modules.users.repository import get_by_email, get_by_id
+
+logger = logging.getLogger(__name__)
+
+VERIFY_PREFIX = "email_verify:"
+VERIFY_TTL_SECONDS = 48 * 60 * 60
+
+
+@dataclass(frozen=True)
+class VerificationResult:
+    ok: bool
+    user_id: str | None = None
+
+
+def _build_verify_url(token: str) -> str:
+    return f"{settings.frontend_url.rstrip('/')}/verify-email?token={token}"
+
+
+def request_email_verification(db: Session, email: str) -> None:
+    user = get_by_email(db, email)
+    if not user or not user.email:
+        return
+    if user.email_verified:
+        return
+    token = secrets.token_urlsafe(48)
+    try:
+        get_redis().setex(
+            f"{VERIFY_PREFIX}{token}", VERIFY_TTL_SECONDS, str(user.id)
+        )
+    except Exception as exc:
+        logger.error("Failed to store email verification token: %s", exc)
+        return
+    _send_verification_email(user, _build_verify_url(token))
+
+
+def send_verification_for_user(user: User) -> None:
+    if not user.email or user.email_verified:
+        return
+    token = secrets.token_urlsafe(48)
+    try:
+        get_redis().setex(
+            f"{VERIFY_PREFIX}{token}", VERIFY_TTL_SECONDS, str(user.id)
+        )
+    except Exception as exc:
+        logger.error("Failed to store email verification token: %s", exc)
+        return
+    _send_verification_email(user, _build_verify_url(token))
+
+
+def _send_verification_email(user: User, verify_url: str) -> None:
+    subject = "Verify your Loomy email"
+    text = (
+        f"Hi {user.username or user.email},\n\n"
+        "Confirm your email to finish setting up your Loomy account:\n\n"
+        f"{verify_url}\n\n"
+        "The link expires in 48 hours."
+    )
+    send_email(to=user.email, subject=subject, text=text)
+
+
+def confirm_email_verification(db: Session, token: str) -> VerificationResult:
+    key = f"{VERIFY_PREFIX}{token}"
+    try:
+        redis = get_redis()
+        stored = redis.get(key)
+        if stored is None:
+            return VerificationResult(ok=False)
+        redis.delete(key)
+    except Exception as exc:
+        logger.error("Failed to read email verification token: %s", exc)
+        return VerificationResult(ok=False)
+
+    if isinstance(stored, bytes):
+        stored = stored.decode("utf-8", errors="replace")
+    user_id_str = str(stored)
+    try:
+        user_uuid = UUID(user_id_str)
+    except ValueError:
+        return VerificationResult(ok=False)
+
+    user = get_by_id(db, user_uuid)
+    if not user:
+        return VerificationResult(ok=False)
+
+    user.email_verified = True
+    user.email_verified_at = datetime.now(timezone.utc)
+    db.add(user)
+    db.commit()
+    return VerificationResult(ok=True, user_id=user_id_str)

From a58b031bf8a46cfcbbf4b689d2e77dddcfcb8359 Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:30:55 +0400
Subject: [PATCH 28/82] feat(auth): refresh, logout, password-reset,
 email-verify endpoints

---
 api/app/app/modules/auth/router.py  | 139 ++++++++++++++++++++++++----
 api/app/app/modules/auth/schemas.py |  34 +++++++
 api/app/app/modules/auth/service.py |  78 +++++++++++++---
 3 files changed, 220 insertions(+), 31 deletions(-)

diff --git a/api/app/app/modules/auth/router.py b/api/app/app/modules/auth/router.py
index 5a88a7b..cec46bb 100644
--- a/api/app/app/modules/auth/router.py
+++ b/api/app/app/modules/auth/router.py
@@ -6,8 +6,9 @@
 
 from app.api.deps import get_current_user
 from app.config import settings
-from app.core.jwt import create_access_token
+from app.core.login_rate_limit import enforce_login_rate_limit
 from app.core.redis import set_oauth_state, validate_oauth_state
+from app.core.token_store import revoke_all_user_refresh_tokens
 from app.db.session import get_db
 from app.modules.auth.oauth import (
     get_github_authorize_url,
@@ -15,25 +16,62 @@
     get_google_authorize_url,
     get_google_user_info,
 )
-from app.modules.auth.schemas import LoginRequest, Token
-from app.modules.auth.service import get_or_create_oauth_user, login
+from app.modules.auth.email_verification import (
+    confirm_email_verification,
+    request_email_verification,
+)
+from app.modules.auth.password_reset import (
+    consume_password_reset,
+    request_password_reset,
+)
+from app.modules.auth.schemas import (
+    EmailVerificationConfirm,
+    EmailVerificationRequest,
+    LoginRequest,
+    LogoutRequest,
+    LogoutResponse,
+    PasswordResetConfirm,
+    PasswordResetRequest,
+    RefreshRequest,
+    SimpleStatusResponse,
+    Token,
+)
+from app.modules.auth.service import (
+    get_or_create_oauth_user,
+    issue_token_pair,
+    login,
+    logout,
+    rotate_refresh_token,
+)
 from app.modules.users.model import User
+from app.modules.users.presenter import to_user_response
 from app.modules.users.schemas import UserResponse
 
 router = APIRouter(prefix="/auth", tags=["auth"])
 
 
+def _oauth_redirect_url(token: Token, invite_token: str | None) -> str:
+    base = f"{settings.frontend_url.rstrip('/')}/auth/callback"
+    params = [f"token={token.access_token}"]
+    if token.refresh_token:
+        params.append(f"refresh_token={token.refresh_token}")
+    if invite_token:
+        params.append(f"invite_token={invite_token}")
+    return f"{base}?{'&'.join(params)}"
+
+
 @router.get("/me", response_model=UserResponse)
 def get_current_user_profile(
     current_user: User = Depends(get_current_user),
 ) -> UserResponse:
-    return UserResponse.model_validate(current_user)
+    return to_user_response(current_user)
 
 
 @router.post("/login", response_model=Token)
 def login_endpoint(
     data: LoginRequest,
     db: Session = Depends(get_db),
+    _rl: None = Depends(enforce_login_rate_limit),
 ) -> Token:
     token = login(db, data)
     if not token:
@@ -44,7 +82,77 @@ def login_endpoint(
     return token
 
 
-# --- GitHub OAuth ---
+@router.post("/refresh", response_model=Token)
+def refresh_endpoint(data: RefreshRequest) -> Token:
+    token = rotate_refresh_token(data.refresh_token)
+    if not token:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Invalid or expired refresh token",
+        )
+    return token
+
+
+@router.post("/logout", response_model=LogoutResponse)
+def logout_endpoint(data: LogoutRequest) -> LogoutResponse:
+    logout(data.refresh_token)
+    return LogoutResponse()
+
+
+@router.post("/password-reset/request", response_model=SimpleStatusResponse)
+def password_reset_request_endpoint(
+    data: PasswordResetRequest,
+    db: Session = Depends(get_db),
+) -> SimpleStatusResponse:
+    # Always 200 so the endpoint isn't a user-enumeration oracle.
+    request_password_reset(db, data.email)
+    return SimpleStatusResponse()
+
+
+@router.post("/password-reset/confirm", response_model=SimpleStatusResponse)
+def password_reset_confirm_endpoint(
+    data: PasswordResetConfirm,
+    db: Session = Depends(get_db),
+) -> SimpleStatusResponse:
+    if len(data.new_password) < 8:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Password must be at least 8 characters.",
+        )
+    result = consume_password_reset(db, data.token, data.new_password)
+    if not result.ok:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Invalid or expired reset token.",
+        )
+    if result.user_id:
+        revoke_all_user_refresh_tokens(result.user_id)
+    return SimpleStatusResponse()
+
+
+@router.post("/email/verify/request", response_model=SimpleStatusResponse)
+def email_verify_request_endpoint(
+    data: EmailVerificationRequest,
+    db: Session = Depends(get_db),
+) -> SimpleStatusResponse:
+    request_email_verification(db, data.email)
+    return SimpleStatusResponse()
+
+
+@router.post("/email/verify/confirm", response_model=SimpleStatusResponse)
+def email_verify_confirm_endpoint(
+    data: EmailVerificationConfirm,
+    db: Session = Depends(get_db),
+) -> SimpleStatusResponse:
+    result = confirm_email_verification(db, data.token)
+    if not result.ok:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Invalid or expired verification token.",
+        )
+    return SimpleStatusResponse()
+
+
 @router.get("/github")
 def github_login(invite_token: str | None = None) -> RedirectResponse:
     if not settings.github_client_id:
@@ -77,15 +185,12 @@ async def github_callback(
             detail="Failed to get user info from GitHub",
         )
     user, _ = get_or_create_oauth_user(db, info)
-    token = create_access_token(subject=str(user.id))
-    redirect_url = f"{settings.frontend_url.rstrip('/')}/auth/callback?token={token}"
-    invite_token = state_data.get("invite_token")
-    if isinstance(invite_token, str) and invite_token:
-        redirect_url = f"{redirect_url}&invite_token={invite_token}"
-    return RedirectResponse(url=redirect_url)
+    token_pair = issue_token_pair(str(user.id))
+    raw_invite = state_data.get("invite_token")
+    invite_token = raw_invite if isinstance(raw_invite, str) and raw_invite else None
+    return RedirectResponse(url=_oauth_redirect_url(token_pair, invite_token))
 
 
-# --- Google OAuth ---
 @router.get("/google")
 def google_login(invite_token: str | None = None) -> RedirectResponse:
     if not settings.google_client_id:
@@ -118,9 +223,7 @@ async def google_callback(
             detail="Failed to get user info from Google",
         )
     user, _ = get_or_create_oauth_user(db, info)
-    token = create_access_token(subject=str(user.id))
-    redirect_url = f"{settings.frontend_url.rstrip('/')}/auth/callback?token={token}"
-    invite_token = state_data.get("invite_token")
-    if isinstance(invite_token, str) and invite_token:
-        redirect_url = f"{redirect_url}&invite_token={invite_token}"
-    return RedirectResponse(url=redirect_url)
+    token_pair = issue_token_pair(str(user.id))
+    raw_invite = state_data.get("invite_token")
+    invite_token = raw_invite if isinstance(raw_invite, str) and raw_invite else None
+    return RedirectResponse(url=_oauth_redirect_url(token_pair, invite_token))
diff --git a/api/app/app/modules/auth/schemas.py b/api/app/app/modules/auth/schemas.py
index 93e56d9..cff050c 100644
--- a/api/app/app/modules/auth/schemas.py
+++ b/api/app/app/modules/auth/schemas.py
@@ -4,8 +4,42 @@
 class Token(BaseModel):
     access_token: str
     token_type: str = "bearer"
+    refresh_token: str | None = None
 
 
 class LoginRequest(BaseModel):
     email: EmailStr
     password: str
+
+
+class RefreshRequest(BaseModel):
+    refresh_token: str
+
+
+class LogoutRequest(BaseModel):
+    refresh_token: str | None = None
+
+
+class LogoutResponse(BaseModel):
+    status: str = "ok"
+
+
+class PasswordResetRequest(BaseModel):
+    email: EmailStr
+
+
+class PasswordResetConfirm(BaseModel):
+    token: str
+    new_password: str
+
+
+class SimpleStatusResponse(BaseModel):
+    status: str = "ok"
+
+
+class EmailVerificationRequest(BaseModel):
+    email: EmailStr
+
+
+class EmailVerificationConfirm(BaseModel):
+    token: str
diff --git a/api/app/app/modules/auth/service.py b/api/app/app/modules/auth/service.py
index b56a7a1..27c2d41 100644
--- a/api/app/app/modules/auth/service.py
+++ b/api/app/app/modules/auth/service.py
@@ -1,38 +1,79 @@
-from typing import TYPE_CHECKING, Dict, Any, Tuple
+from typing import TYPE_CHECKING, Any, Dict, Tuple
 
 from sqlalchemy.orm import Session
 
-from app.core.jwt import create_access_token
+from app.core.jwt import (
+    create_access_token,
+    create_refresh_token,
+    decode_refresh_token,
+)
 from app.core.security import verify_password
+from app.core.token_store import (
+    is_refresh_jti_valid,
+    revoke_refresh_jti,
+    store_refresh_jti,
+)
 from app.modules.auth.repository import get_user_for_auth
 from app.modules.auth.schemas import LoginRequest, Token
 from app.modules.users.repository import create as create_user
-from app.modules.users.repository import create_oauth_account
-from app.modules.users.repository import get_by_email
-from app.modules.users.repository import get_by_oauth
-from app.modules.users.repository import get_by_username
+from app.modules.users.repository import (
+    create_oauth_account,
+    get_by_email,
+    get_by_oauth,
+    get_by_username,
+)
 from app.modules.workspaces.service import create_default_workspace_for_user
 
 if TYPE_CHECKING:
     from app.modules.users.model import User
 
 
+def issue_token_pair(user_id: str) -> Token:
+    access = create_access_token(subject=user_id)
+    refresh, jti = create_refresh_token(subject=user_id)
+    store_refresh_jti(user_id, jti)
+    return Token(access_token=access, refresh_token=refresh)
+
+
 def login(db: Session, data: LoginRequest) -> Token | None:
     user = get_user_for_auth(db, data.email)
     if not user or not user.hashed_password:
         return None
     if not verify_password(data.password, user.hashed_password):
         return None
-    return Token(access_token=create_access_token(subject=str(user.id)))
+    return issue_token_pair(str(user.id))
+
+
+def rotate_refresh_token(refresh_token: str) -> Token | None:
+    decoded = decode_refresh_token(refresh_token)
+    if decoded is None:
+        return None
+    user_id, jti = decoded
+    if not is_refresh_jti_valid(jti, user_id):
+        return None
+    revoke_refresh_jti(jti)
+    return issue_token_pair(user_id)
+
+
+def logout(refresh_token: str | None) -> None:
+    if not refresh_token:
+        return
+    decoded = decode_refresh_token(refresh_token)
+    if decoded is None:
+        return
+    _, jti = decoded
+    revoke_refresh_jti(jti)
 
 
-def get_or_create_oauth_user(db: Session, info: Dict[str, Any]) -> Tuple["User", bool]:
-    """Returns (user, is_new)."""
+def get_or_create_oauth_user(
+    db: Session, info: Dict[str, Any]
+) -> Tuple["User", bool]:
+    from datetime import datetime, timezone
+
     user = get_by_oauth(db, info["provider"], info["provider_user_id"])
     if user:
         return user, False
 
-    # Check if email exists - link account
     user = get_by_email(db, info["email"])
     if user:
         create_oauth_account(
@@ -41,9 +82,14 @@ def get_or_create_oauth_user(db: Session, info: Dict[str, Any]) -> Tuple["User",
             provider=info["provider"],
             provider_user_id=info["provider_user_id"],
         )
+        # OAuth provider already verified this email; mark it so.
+        if not user.email_verified:
+            user.email_verified = True
+            user.email_verified_at = datetime.now(timezone.utc)
+            db.add(user)
+            db.commit()
         return user, False
 
-    # Create new user - ensure unique username
     base_username = info["username"]
     username = base_username
     counter = 0
@@ -51,8 +97,8 @@ def get_or_create_oauth_user(db: Session, info: Dict[str, Any]) -> Tuple["User",
         counter += 1
         username = f"{base_username}{counter}"
 
-    first_name = info.get("first_name") or "User"
-    last_name = info.get("last_name") or ""
+    first_name = info.get("first_name")
+    last_name = info.get("last_name")
 
     user = create_user(
         db,
@@ -63,6 +109,12 @@ def get_or_create_oauth_user(db: Session, info: Dict[str, Any]) -> Tuple["User",
         first_name=first_name,
         last_name=last_name,
     )
+    # OAuth provider already verified this email.
+    user.email_verified = True
+    user.email_verified_at = datetime.now(timezone.utc)
+    db.add(user)
+    db.commit()
+
     create_oauth_account(
         db,
         user_id=user.id,

From 6f2b1e6c4c65852afa2fc99425c347239b31da7e Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:30:55 +0400
Subject: [PATCH 29/82] refactor(workspaces): default workspace handles null
 user names

---
 api/app/app/modules/workspaces/service.py | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/api/app/app/modules/workspaces/service.py b/api/app/app/modules/workspaces/service.py
index 69b93c8..c63cf05 100644
--- a/api/app/app/modules/workspaces/service.py
+++ b/api/app/app/modules/workspaces/service.py
@@ -44,11 +44,16 @@ def create_workspace_for_user(db: Session, user: User, data: WorkspaceCreate) ->
 
 
 def create_default_workspace_for_user(
-    db: Session, user: User, first_name: str, last_name: str
+    db: Session,
+    user: User,
+    first_name: str | None = None,
+    last_name: str | None = None,
 ) -> Workspace:
-    """Create a default workspace from user's first and last name."""
-    name = f"{first_name} {last_name}".strip() or user.username
-    base_slug = f"{first_name}-{last_name}".strip().lower() or user.username
+    """Create a default workspace for a new user."""
+    first = (first_name or "").strip()
+    last = (last_name or "").strip()
+    name = f"{first} {last}".strip() or user.username
+    base_slug = f"{first}-{last}".strip("-").lower() or user.username
     slug = make_unique_slug(db, base_slug)
     return create_workspace(db, name=name, slug=slug, owner_id=user.id)
 

From 7414bdffaaf2b8d63beef1bcb1d26f76c28023e3 Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:30:56 +0400
Subject: [PATCH 30/82] feat(workspaces): expose owner_display_name and avatar

---
 api/app/app/modules/workspaces/router.py  | 7 ++++++-
 api/app/app/modules/workspaces/schemas.py | 2 ++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/api/app/app/modules/workspaces/router.py b/api/app/app/modules/workspaces/router.py
index 1fcf4ed..dd3cdf2 100644
--- a/api/app/app/modules/workspaces/router.py
+++ b/api/app/app/modules/workspaces/router.py
@@ -29,12 +29,17 @@
 
 
 def _workspace_to_response(workspace: Workspace) -> WorkspaceResponse:
+    from app.modules.users.presenter import avatar_url_of, display_name_of
+
+    owner = workspace.owner
     data = {
         "id": workspace.id,
         "name": workspace.name,
         "slug": workspace.slug,
         "owner_id": workspace.owner_id,
-        "owner_username": workspace.owner.username if workspace.owner else None,
+        "owner_username": owner.username if owner else None,
+        "owner_display_name": display_name_of(owner) if owner else None,
+        "owner_avatar_url": avatar_url_of(owner) if owner else None,
         "created_at": workspace.created_at,
         "updated_at": workspace.updated_at,
     }
diff --git a/api/app/app/modules/workspaces/schemas.py b/api/app/app/modules/workspaces/schemas.py
index fbea701..549954d 100644
--- a/api/app/app/modules/workspaces/schemas.py
+++ b/api/app/app/modules/workspaces/schemas.py
@@ -18,6 +18,8 @@ class WorkspaceResponse(BaseModel):
     slug: str
     owner_id: UUID
     owner_username: str | None = None
+    owner_display_name: str | None = None
+    owner_avatar_url: str | None = None
     created_at: datetime
     updated_at: datetime
 

From a130b12ce70ae53227a58b70c415b216f6de3991 Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:30:57 +0400
Subject: [PATCH 31/82] feat(workspaces): include member display_name and
 avatar

---
 api/app/app/modules/workspaces/members.py | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/api/app/app/modules/workspaces/members.py b/api/app/app/modules/workspaces/members.py
index c916a39..99f6d9e 100644
--- a/api/app/app/modules/workspaces/members.py
+++ b/api/app/app/modules/workspaces/members.py
@@ -23,12 +23,16 @@
 
 
 def _member_response(member: WorkspaceMember) -> Dict[str, Any]:
+    from app.modules.users.presenter import avatar_url_of, display_name_of
+
+    user = member.user
     return {
         "id": str(member.user_id),
         "user_id": str(member.user_id),
-        "username": member.user.username if member.user else None,
-        "email": member.user.email if member.user else None,
-        "avatar_url": member.user.avatar_url if member.user else None,
+        "username": user.username if user else None,
+        "display_name": display_name_of(user) if user else None,
+        "email": user.email if user else None,
+        "avatar_url": avatar_url_of(user) if user else None,
         "role": member.role,
     }
 

From 6de277b8a6b2a99e67821b30cf03b2c5a1e31aaa Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:30:57 +0400
Subject: [PATCH 32/82] feat(boards): repository for threaded comments

---
 api/app/app/modules/boards/comment_repo.py | 70 ++++++++++++++++++++++
 1 file changed, 70 insertions(+)
 create mode 100644 api/app/app/modules/boards/comment_repo.py

diff --git a/api/app/app/modules/boards/comment_repo.py b/api/app/app/modules/boards/comment_repo.py
new file mode 100644
index 0000000..d86c8f9
--- /dev/null
+++ b/api/app/app/modules/boards/comment_repo.py
@@ -0,0 +1,70 @@
+from datetime import datetime, timezone
+from uuid import UUID
+
+from sqlalchemy import select
+from sqlalchemy.orm import Session
+
+from app.modules.boards.model import BoardComment
+
+
+def create(
+    db: Session,
+    *,
+    board_id: UUID,
+    author_id: UUID,
+    body: str,
+    parent_id: UUID | None = None,
+    anchor_x: float | None = None,
+    anchor_y: float | None = None,
+    anchor_element_id: str | None = None,
+) -> BoardComment:
+    row = BoardComment(
+        board_id=board_id,
+        author_id=author_id,
+        body=body,
+        parent_id=parent_id,
+        anchor_x=anchor_x,
+        anchor_y=anchor_y,
+        anchor_element_id=anchor_element_id,
+    )
+    db.add(row)
+    db.commit()
+    db.refresh(row)
+    return row
+
+
+def list_for_board(db: Session, board_id: UUID) -> list[BoardComment]:
+    stmt = (
+        select(BoardComment)
+        .where(BoardComment.board_id == board_id)
+        .order_by(BoardComment.created_at)
+    )
+    return list(db.execute(stmt).scalars().all())
+
+
+def get_by_id(db: Session, comment_id: UUID) -> BoardComment | None:
+    return db.get(BoardComment, comment_id)
+
+
+def update(
+    db: Session,
+    row: BoardComment,
+    *,
+    body: str | None = None,
+    resolved: bool | None = None,
+) -> BoardComment:
+    if body is not None:
+        row.body = body
+    if resolved is True and row.resolved_at is None:
+        row.resolved_at = datetime.now(timezone.utc)
+    elif resolved is False:
+        row.resolved_at = None
+    db.add(row)
+    db.commit()
+    db.refresh(row)
+    return row
+
+
+def delete(db: Session, row: BoardComment) -> None:
+    db.delete(row)
+    db.commit()

From 4c89a8e32b3b1707f9d23a1f9ad59442bb7cf169 Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:30:58 +0400
Subject: [PATCH 33/82] feat(boards): repository for share tokens

---
 .../app/modules/boards/share_token_repo.py    | 65 +++++++++++++++++++
 1 file changed, 65 insertions(+)
 create mode 100644 api/app/app/modules/boards/share_token_repo.py

diff --git a/api/app/app/modules/boards/share_token_repo.py b/api/app/app/modules/boards/share_token_repo.py
new file mode 100644
index 0000000..bed0a88
--- /dev/null
+++ b/api/app/app/modules/boards/share_token_repo.py
@@ -0,0 +1,65 @@
+import secrets
+from datetime import datetime, timezone
+from uuid import UUID
+
+from sqlalchemy import select
+from sqlalchemy.orm import Session
+
+from app.modules.boards.model import BoardShareToken
+
+
+def create(
+    db: Session,
+    *,
+    board_id: UUID,
+    role: str,
+    created_by: UUID,
+    expires_at: datetime | None = None,
+) -> BoardShareToken:
+    row = BoardShareToken(
+        board_id=board_id,
+        token=secrets.token_urlsafe(32),
+        role=role,
+        created_by=created_by,
+        expires_at=expires_at,
+    )
+    db.add(row)
+    db.commit()
+    db.refresh(row)
+    return row
+
+
+def list_for_board(db: Session, board_id: UUID) -> list[BoardShareToken]:
+    stmt = (
+        select(BoardShareToken)
+        .where(BoardShareToken.board_id == board_id)
+        .where(BoardShareToken.revoked_at.is_(None))
+        .order_by(BoardShareToken.created_at.desc())
+    )
+    return list(db.execute(stmt).scalars().all())
+
+
+def get_by_token(db: Session, token: str) -> BoardShareToken | None:
+    stmt = select(BoardShareToken).where(BoardShareToken.token == token)
+    return db.execute(stmt).scalars().first()
+
+
+def get_by_id(db: Session, share_id: UUID) -> BoardShareToken | None:
+    return db.get(BoardShareToken, share_id)
+
+
+def revoke(db: Session, row: BoardShareToken) -> BoardShareToken:
+    row.revoked_at = datetime.now(timezone.utc)
+    db.add(row)
+    db.commit()
+    db.refresh(row)
+    return row
+
+
+def is_usable(row: BoardShareToken, now: datetime | None = None) -> bool:
+    ts = now or datetime.now(timezone.utc)
+    if row.revoked_at is not None:
+        return False
+    if row.expires_at is not None and row.expires_at <= ts:
+        return False
+    return True

From 1e04a8d7c655b5bd87a0f83569cb070e4aab8406 Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:30:59 +0400
Subject: [PATCH 34/82] feat(boards): architecture-focused built-in templates

---
 api/app/app/modules/boards/template_repo.py |  58 +++
 api/app/app/modules/boards/template_seed.py | 375 ++++++++++++++++++++
 2 files changed, 433 insertions(+)
 create mode 100644 api/app/app/modules/boards/template_repo.py
 create mode 100644 api/app/app/modules/boards/template_seed.py

diff --git a/api/app/app/modules/boards/template_repo.py b/api/app/app/modules/boards/template_repo.py
new file mode 100644
index 0000000..8cc7235
--- /dev/null
+++ b/api/app/app/modules/boards/template_repo.py
@@ -0,0 +1,58 @@
+from uuid import UUID
+
+from sqlalchemy import select
+from sqlalchemy.orm import Session
+
+from app.modules.boards.model import BoardTemplate
+
+
+def list_all(db: Session) -> list[BoardTemplate]:
+    stmt = select(BoardTemplate).order_by(
+        BoardTemplate.category, BoardTemplate.name
+    )
+    return list(db.execute(stmt).scalars().all())
+
+
+def get_by_slug(db: Session, slug: str) -> BoardTemplate | None:
+    stmt = select(BoardTemplate).where(BoardTemplate.slug == slug)
+    return db.execute(stmt).scalars().first()
+
+
+def get_by_id(db: Session, template_id: UUID) -> BoardTemplate | None:
+    return db.get(BoardTemplate, template_id)
+
+
+def upsert(
+    db: Session,
+    *,
+    slug: str,
+    name: str,
+    category: str,
+    description: str,
+    snapshot: dict[str, object],
+    thumbnail_url: str | None = None,
+) -> BoardTemplate:
+    existing = get_by_slug(db, slug)
+    if existing:
+        existing.name = name
+        existing.category = category
+        existing.description = description
+        existing.snapshot = snapshot
+        if thumbnail_url is not None:
+            existing.thumbnail_url = thumbnail_url
+        db.add(existing)
+        db.commit()
+        db.refresh(existing)
+        return existing
+    row = BoardTemplate(
+        slug=slug,
+        name=name,
+        category=category,
+        description=description,
+        snapshot=snapshot,
+        thumbnail_url=thumbnail_url,
+    )
+    db.add(row)
+    db.commit()
+    db.refresh(row)
+    return row
diff --git a/api/app/app/modules/boards/template_seed.py b/api/app/app/modules/boards/template_seed.py
new file mode 100644
index 0000000..5cf05de
--- /dev/null
+++ b/api/app/app/modules/boards/template_seed.py
@@ -0,0 +1,375 @@
+"""Built-in starter templates focused on software architecture.
+
+Each entry is a real excalidraw_snapshot payload (elements + appState).
+We ship enough templates to differentiate Loomy from a blank-canvas tool
+for architects: C4, AWS 3-tier, microservices, ERD, flowchart.
+
+The elements below are intentionally hand-written minimal Excalidraw
+shapes — plain rectangles, ellipses, arrows, and text — so they render
+in any Excalidraw version and stay small. Users edit freely from there.
+"""
+
+from typing import Any
+
+from sqlalchemy.orm import Session
+
+from app.modules.boards.template_repo import upsert
+
+
+def _rect(
+    *,
+    id: str,
+    x: float,
+    y: float,
+    w: float,
+    h: float,
+    bg: str = "#ffffff",
+    stroke: str = "#1e1e1e",
+    label: str | None = None,
+) -> list[dict[str, Any]]:
+    base: dict[str, Any] = {
+        "id": id,
+        "type": "rectangle",
+        "x": x,
+        "y": y,
+        "width": w,
+        "height": h,
+        "angle": 0,
+        "strokeColor": stroke,
+        "backgroundColor": bg,
+        "fillStyle": "solid",
+        "strokeWidth": 2,
+        "strokeStyle": "solid",
+        "roughness": 1,
+        "opacity": 100,
+        "groupIds": [],
+        "roundness": {"type": 3},
+        "seed": hash(id) & 0x7FFFFFFF,
+        "version": 1,
+        "versionNonce": hash(id + "vn") & 0x7FFFFFFF,
+        "isDeleted": False,
+        "boundElements": [],
+        "updated": 1,
+        "link": None,
+        "locked": False,
+    }
+    out: list[dict[str, Any]] = [base]
+    if label:
+        out.append(
+            {
+                "id": f"{id}-label",
+                "type": "text",
+                "x": x + 12,
+                "y": y + h / 2 - 10,
+                "width": w - 24,
+                "height": 20,
+                "angle": 0,
+                "strokeColor": "#1e1e1e",
+                "backgroundColor": "transparent",
+                "fillStyle": "solid",
+                "strokeWidth": 1,
+                "strokeStyle": "solid",
+                "roughness": 1,
+                "opacity": 100,
+                "groupIds": [],
+                "seed": hash(id + "label") & 0x7FFFFFFF,
+                "version": 1,
+                "versionNonce": hash(id + "labelvn") & 0x7FFFFFFF,
+                "isDeleted": False,
+                "boundElements": [],
+                "updated": 1,
+                "link": None,
+                "locked": False,
+                "text": label,
+                "fontSize": 16,
+                "fontFamily": 1,
+                "textAlign": "left",
+                "verticalAlign": "middle",
+                "baseline": 14,
+                "containerId": None,
+                "originalText": label,
+            }
+        )
+    return out
+
+
+def _arrow(*, id: str, x1: float, y1: float, x2: float, y2: float) -> dict[str, Any]:
+    return {
+        "id": id,
+        "type": "arrow",
+        "x": x1,
+        "y": y1,
+        "width": x2 - x1,
+        "height": y2 - y1,
+        "angle": 0,
+        "strokeColor": "#1e1e1e",
+        "backgroundColor": "transparent",
+        "fillStyle": "solid",
+        "strokeWidth": 2,
+        "strokeStyle": "solid",
+        "roughness": 1,
+        "opacity": 100,
+        "groupIds": [],
+        "seed": hash(id) & 0x7FFFFFFF,
+        "version": 1,
+        "versionNonce": hash(id + "vn") & 0x7FFFFFFF,
+        "isDeleted": False,
+        "boundElements": [],
+        "updated": 1,
+        "link": None,
+        "locked": False,
+        "points": [[0, 0], [x2 - x1, y2 - y1]],
+        "lastCommittedPoint": None,
+        "startBinding": None,
+        "endBinding": None,
+        "startArrowhead": None,
+        "endArrowhead": "arrow",
+    }
+
+
+def _snapshot(elements: list[dict[str, Any]]) -> dict[str, Any]:
+    return {
+        "elements": elements,
+        "appState": {"viewBackgroundColor": "#ffffff", "gridSize": 20},
+    }
+
+
+def _blank() -> dict[str, Any]:
+    return _snapshot([])
+
+
+def _c4_context() -> dict[str, Any]:
+    els: list[dict[str, Any]] = []
+    els += _rect(id="u", x=120, y=80, w=160, h=80, bg="#d0ebff", label="User")
+    els += _rect(
+        id="sys",
+        x=400,
+        y=200,
+        w=260,
+        h=120,
+        bg="#fff3bf",
+        label="System (Your Software)",
+    )
+    els += _rect(
+        id="ext1",
+        x=120,
+        y=400,
+        w=200,
+        h=80,
+        bg="#e9ecef",
+        label="External System A",
+    )
+    els += _rect(
+        id="ext2",
+        x=700,
+        y=400,
+        w=200,
+        h=80,
+        bg="#e9ecef",
+        label="External System B",
+    )
+    els.append(_arrow(id="a1", x1=200, y1=160, x2=480, y2=200))
+    els.append(_arrow(id="a2", x1=500, y1=320, x2=220, y2=400))
+    els.append(_arrow(id="a3", x1=600, y1=320, x2=780, y2=400))
+    return _snapshot(els)
+
+
+def _aws_three_tier() -> dict[str, Any]:
+    els: list[dict[str, Any]] = []
+    els += _rect(id="u", x=80, y=80, w=140, h=60, bg="#d0ebff", label="Users")
+    els += _rect(
+        id="cf",
+        x=80,
+        y=200,
+        w=140,
+        h=60,
+        bg="#ffe3a3",
+        label="CloudFront",
+    )
+    els += _rect(
+        id="alb",
+        x=80,
+        y=320,
+        w=140,
+        h=60,
+        bg="#ffe3a3",
+        label="ALB",
+    )
+    els += _rect(
+        id="web",
+        x=320,
+        y=320,
+        w=160,
+        h=60,
+        bg="#c8f5b5",
+        label="Web Tier (ECS)",
+    )
+    els += _rect(
+        id="app",
+        x=540,
+        y=320,
+        w=160,
+        h=60,
+        bg="#c8f5b5",
+        label="App Tier (ECS)",
+    )
+    els += _rect(
+        id="rds",
+        x=760,
+        y=260,
+        w=160,
+        h=60,
+        bg="#fcc2d7",
+        label="RDS Primary",
+    )
+    els += _rect(
+        id="rdsr",
+        x=760,
+        y=380,
+        w=160,
+        h=60,
+        bg="#fcc2d7",
+        label="RDS Read Replica",
+    )
+    els += _rect(
+        id="cache",
+        x=540,
+        y=440,
+        w=160,
+        h=60,
+        bg="#ffd6a5",
+        label="ElastiCache",
+    )
+    els += _rect(
+        id="s3",
+        x=320,
+        y=440,
+        w=160,
+        h=60,
+        bg="#ffd6a5",
+        label="S3",
+    )
+    els.append(_arrow(id="a1", x1=150, y1=140, x2=150, y2=200))
+    els.append(_arrow(id="a2", x1=150, y1=260, x2=150, y2=320))
+    els.append(_arrow(id="a3", x1=220, y1=350, x2=320, y2=350))
+    els.append(_arrow(id="a4", x1=480, y1=350, x2=540, y2=350))
+    els.append(_arrow(id="a5", x1=700, y1=350, x2=760, y2=290))
+    els.append(_arrow(id="a6", x1=700, y1=350, x2=760, y2=410))
+    els.append(_arrow(id="a7", x1=620, y1=380, x2=620, y2=440))
+    els.append(_arrow(id="a8", x1=400, y1=380, x2=400, y2=440))
+    return _snapshot(els)
+
+
+def _microservices() -> dict[str, Any]:
+    els: list[dict[str, Any]] = []
+    els += _rect(id="gw", x=80, y=240, w=160, h=60, bg="#ffe3a3", label="API Gateway")
+    els += _rect(id="auth", x=320, y=100, w=160, h=60, bg="#c8f5b5", label="Auth")
+    els += _rect(id="users", x=320, y=220, w=160, h=60, bg="#c8f5b5", label="Users")
+    els += _rect(id="orders", x=320, y=340, w=160, h=60, bg="#c8f5b5", label="Orders")
+    els += _rect(id="billing", x=320, y=460, w=160, h=60, bg="#c8f5b5", label="Billing")
+    els += _rect(id="bus", x=580, y=280, w=180, h=60, bg="#bac8ff", label="Event Bus")
+    els += _rect(id="dbu", x=820, y=220, w=160, h=60, bg="#fcc2d7", label="DB: users")
+    els += _rect(id="dbo", x=820, y=340, w=160, h=60, bg="#fcc2d7", label="DB: orders")
+    for i, target in enumerate(["auth", "users", "orders", "billing"]):
+        els.append(
+            _arrow(id=f"gwa{i}", x1=240, y1=270, x2=320, y2=130 + i * 120)
+        )
+    els.append(_arrow(id="ub", x1=480, y1=250, x2=580, y2=310))
+    els.append(_arrow(id="ob", x1=480, y1=370, x2=580, y2=310))
+    els.append(_arrow(id="bb", x1=480, y1=490, x2=580, y2=310))
+    els.append(_arrow(id="u-dbu", x1=480, y1=250, x2=820, y2=250))
+    els.append(_arrow(id="o-dbo", x1=480, y1=370, x2=820, y2=370))
+    return _snapshot(els)
+
+
+def _erd() -> dict[str, Any]:
+    els: list[dict[str, Any]] = []
+    els += _rect(id="user", x=120, y=120, w=200, h=120, bg="#d0ebff", label="User")
+    els += _rect(id="wksp", x=440, y=120, w=200, h=120, bg="#d0ebff", label="Workspace")
+    els += _rect(id="board", x=760, y=120, w=200, h=120, bg="#d0ebff", label="Board")
+    els += _rect(id="element", x=760, y=320, w=200, h=120, bg="#d0ebff", label="Element")
+    els.append(_arrow(id="u-w", x1=320, y1=180, x2=440, y2=180))
+    els.append(_arrow(id="w-b", x1=640, y1=180, x2=760, y2=180))
+    els.append(_arrow(id="b-e", x1=860, y1=240, x2=860, y2=320))
+    return _snapshot(els)
+
+
+def _flowchart() -> dict[str, Any]:
+    els: list[dict[str, Any]] = []
+    els += _rect(id="start", x=200, y=80, w=160, h=60, bg="#c8f5b5", label="Start")
+    els += _rect(id="in", x=200, y=200, w=160, h=60, bg="#ffe3a3", label="Input request")
+    els += _rect(id="dec", x=200, y=320, w=160, h=60, bg="#ffd6a5", label="Valid?")
+    els += _rect(id="ok", x=60, y=440, w=160, h=60, bg="#c8f5b5", label="Process")
+    els += _rect(id="err", x=340, y=440, w=160, h=60, bg="#fcc2d7", label="Reject")
+    els += _rect(id="end", x=200, y=560, w=160, h=60, bg="#c8f5b5", label="End")
+    els.append(_arrow(id="s-i", x1=280, y1=140, x2=280, y2=200))
+    els.append(_arrow(id="i-d", x1=280, y1=260, x2=280, y2=320))
+    els.append(_arrow(id="d-ok", x1=220, y1=380, x2=140, y2=440))
+    els.append(_arrow(id="d-err", x1=340, y1=380, x2=420, y2=440))
+    els.append(_arrow(id="ok-e", x1=140, y1=500, x2=260, y2=560))
+    els.append(_arrow(id="err-e", x1=420, y1=500, x2=320, y2=560))
+    return _snapshot(els)
+
+
+TEMPLATES: list[dict[str, Any]] = [
+    {
+        "slug": "blank",
+        "name": "Blank board",
+        "category": "general",
+        "description": "Start from an empty canvas.",
+        "snapshot": _blank(),
+    },
+    {
+        "slug": "c4-context",
+        "name": "C4 — Context diagram",
+        "category": "architecture",
+        "description": "System + users + external dependencies. Classic C4 Level 1.",
+        "snapshot": _c4_context(),
+    },
+    {
+        "slug": "aws-three-tier",
+        "name": "AWS 3-tier web app",
+        "category": "architecture",
+        "description": "CloudFront → ALB → Web/App ECS tiers → RDS + ElastiCache + S3.",
+        "snapshot": _aws_three_tier(),
+    },
+    {
+        "slug": "microservices",
+        "name": "Microservices overview",
+        "category": "architecture",
+        "description": "API Gateway, services, event bus, per-service databases.",
+        "snapshot": _microservices(),
+    },
+    {
+        "slug": "erd",
+        "name": "Entity-relationship diagram",
+        "category": "data",
+        "description": "Starter ERD with four example entities.",
+        "snapshot": _erd(),
+    },
+    {
+        "slug": "flowchart",
+        "name": "Flowchart",
+        "category": "process",
+        "description": "Classic start → input → decision → end flowchart.",
+        "snapshot": _flowchart(),
+    },
+]
+
+
+def seed_builtin_templates(db: Session) -> int:
+    """Idempotent: inserts missing templates, refreshes the snapshot for
+    existing ones. Returns the number of templates upserted.
+    """
+    count = 0
+    for t in TEMPLATES:
+        upsert(
+            db,
+            slug=t["slug"],
+            name=t["name"],
+            category=t["category"],
+            description=t["description"],
+            snapshot=t["snapshot"],
+        )
+        count += 1
+    return count

From 12cb979db803dcbe2f09c435fe3cac9ae7e99485 Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:31:00 +0400
Subject: [PATCH 35/82] feat(boards): share links, comments, templates, and
 search endpoints

---
 api/app/app/modules/boards/router.py  | 415 ++++++++++++++++++++++++--
 api/app/app/modules/boards/schemas.py |  94 ++++++
 api/app/app/modules/boards/service.py |  51 ++++
 3 files changed, 527 insertions(+), 33 deletions(-)

diff --git a/api/app/app/modules/boards/router.py b/api/app/app/modules/boards/router.py
index ef1058b..34fac6b 100644
--- a/api/app/app/modules/boards/router.py
+++ b/api/app/app/modules/boards/router.py
@@ -5,6 +5,8 @@
 from sqlalchemy.orm import Session
 
 from app.api.deps import get_current_user
+from app.config import settings
+from app.core.redis import publish_board_event
 from app.db.session import get_db
 from app.modules.boards.board_star_repo import (
     get_starred_board_ids,
@@ -13,36 +15,83 @@
     unstar as repo_unstar,
 )
 from app.modules.boards.board_view_repo import get_recent_boards, record_open
-from app.modules.boards.model import Board
+from app.modules.boards.model import Board, BoardComment, BoardShareToken
+from app.modules.boards.comment_repo import (
+    create as comment_create,
+    delete as comment_delete,
+    get_by_id as comment_get_by_id,
+    list_for_board as comment_list_for_board,
+    update as comment_update,
+)
 from app.modules.boards.schemas import (
     BoardCreate,
+    BoardCreateFromTemplate,
     BoardListResponse,
     BoardResponse,
+    BoardSearchResponse,
     BoardUpdate,
     BoardWithMetaResponse,
+    CommentCreate,
+    CommentListResponse,
+    CommentResponse,
+    CommentUpdate,
+    PublicBoardResponse,
+    ShareTokenCreate,
+    ShareTokenListResponse,
+    ShareTokenResponse,
+    TemplateListResponse,
+    TemplateResponse,
+)
+from app.modules.boards.share_token_repo import (
+    create as share_create,
+    get_by_id as share_get_by_id,
+    get_by_token as share_get_by_token,
+    is_usable as share_is_usable,
+    list_for_board as share_list_for_board,
+    revoke as share_revoke,
 )
 from app.modules.boards.service import (
     create_board_for_user,
+    create_board_from_template,
     delete_board_for_user,
     duplicate_board_for_user,
     get_board,
     list_boards,
+    search_boards_for_user,
     update_board_for_user,
 )
+from app.modules.boards.template_repo import list_all as list_all_templates
+from app.modules.users.presenter import avatar_url_of, display_name_of
 from app.modules.users.model import User
 
 router = APIRouter(prefix="/boards", tags=["boards"])
 
 
-def _board_to_response(board: Board) -> BoardResponse:
-    owner_username = (
-        board.workspace.owner.username if board.workspace and board.workspace.owner else None
+_ALLOWED_SHARE_ROLES = {"viewer", "editor"}
+
+
+def _share_token_to_response(row: BoardShareToken) -> ShareTokenResponse:
+    base = settings.frontend_url.rstrip("/")
+    return ShareTokenResponse(
+        id=row.id,
+        board_id=row.board_id,
+        token=row.token,
+        url=f"{base}/shared/{row.token}",
+        role=row.role,
+        created_at=row.created_at,
+        expires_at=row.expires_at,
     )
+
+
+def _board_to_response(board: Board) -> BoardResponse:
+    owner = board.workspace.owner if board.workspace else None
     return BoardResponse(
         id=board.id,
         workspace_id=board.workspace_id,
         name=board.name,
-        owner_username=owner_username,
+        owner_username=owner.username if owner else None,
+        owner_display_name=display_name_of(owner) if owner else None,
+        owner_avatar_url=avatar_url_of(owner) if owner else None,
         created_at=board.created_at,
         updated_at=board.updated_at,
     )
@@ -56,24 +105,51 @@ def list_recent_boards(
     """Boards the user recently opened, ordered by last_opened_at."""
     rows = get_recent_boards(db, current_user.id, limit=50)
     starred_ids = set(get_starred_board_ids(db, current_user.id))
-    items = []
+    items: List[BoardWithMetaResponse] = []
     for board, last_opened in rows:
-        data = {
-            "id": board.id,
-            "workspace_id": board.workspace_id,
-            "name": board.name,
-            "owner_username": board.workspace.owner.username
-            if board.workspace and board.workspace.owner
-            else None,
-            "created_at": board.created_at,
-            "updated_at": board.updated_at,
-            "last_opened_at": last_opened,
-            "starred": board.id in starred_ids,
-        }
-        items.append(BoardWithMetaResponse.model_validate(data))
+        base = _board_to_response(board)
+        items.append(
+            BoardWithMetaResponse(
+                **base.model_dump(),
+                last_opened_at=last_opened,
+                starred=board.id in starred_ids,
+            )
+        )
     return {"items": items}
 
 
+@router.get("/search", response_model=BoardSearchResponse)
+def search_boards_endpoint(
+    q: str = Query(..., min_length=1),
+    limit: int = Query(20, ge=1, le=50),
+    db: Session = Depends(get_db),
+    current_user: User = Depends(get_current_user),
+) -> BoardSearchResponse:
+    rows = search_boards_for_user(db, current_user, q, limit)
+    return BoardSearchResponse(items=[_board_to_response(r) for r in rows])
+
+
+@router.post(
+    "/from-template",
+    response_model=BoardResponse,
+    status_code=status.HTTP_201_CREATED,
+)
+def create_from_template(
+    data: BoardCreateFromTemplate,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(get_current_user),
+) -> BoardResponse:
+    board = create_board_from_template(
+        db, current_user, data.workspace_id, data.template_slug, data.name
+    )
+    if not board:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="Workspace or template not found",
+        )
+    return _board_to_response(board)
+
+
 @router.get("/starred")
 def list_starred_boards(
     db: Session = Depends(get_db),
@@ -81,21 +157,16 @@ def list_starred_boards(
 ) -> Dict[str, List[BoardWithMetaResponse]]:
     """Boards the user has starred."""
     boards = get_starred_boards(db, current_user.id, limit=50)
-    items = []
+    items: List[BoardWithMetaResponse] = []
     for board in boards:
-        data = {
-            "id": board.id,
-            "workspace_id": board.workspace_id,
-            "name": board.name,
-            "owner_username": board.workspace.owner.username
-            if board.workspace and board.workspace.owner
-            else None,
-            "created_at": board.created_at,
-            "updated_at": board.updated_at,
-            "last_opened_at": None,
-            "starred": True,
-        }
-        items.append(BoardWithMetaResponse.model_validate(data))
+        base = _board_to_response(board)
+        items.append(
+            BoardWithMetaResponse(
+                **base.model_dump(),
+                last_opened_at=None,
+                starred=True,
+            )
+        )
     return {"items": items}
 
 
@@ -240,3 +311,281 @@ def delete_board_endpoint(
             status_code=status.HTTP_404_NOT_FOUND,
             detail="Board not found or unauthorized",
         )
+
+
+@router.get("/{board_id}/share-tokens", response_model=ShareTokenListResponse)
+def list_share_tokens(
+    board_id: UUID,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(get_current_user),
+) -> ShareTokenListResponse:
+    board = get_board(db, board_id, current_user)
+    if not board:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND, detail="Board not found"
+        )
+    rows = share_list_for_board(db, board_id)
+    return ShareTokenListResponse(
+        items=[_share_token_to_response(r) for r in rows]
+    )
+
+
+@router.post(
+    "/{board_id}/share-tokens",
+    response_model=ShareTokenResponse,
+    status_code=status.HTTP_201_CREATED,
+)
+def create_share_token(
+    board_id: UUID,
+    data: ShareTokenCreate,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(get_current_user),
+) -> ShareTokenResponse:
+    board = get_board(db, board_id, current_user)
+    if not board:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND, detail="Board not found"
+        )
+    if data.role not in _ALLOWED_SHARE_ROLES:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail=f"role must be one of {sorted(_ALLOWED_SHARE_ROLES)}",
+        )
+    row = share_create(
+        db,
+        board_id=board_id,
+        role=data.role,
+        created_by=current_user.id,
+        expires_at=data.expires_at,
+    )
+    return _share_token_to_response(row)
+
+
+@router.delete(
+    "/{board_id}/share-tokens/{share_id}",
+    status_code=status.HTTP_204_NO_CONTENT,
+)
+def revoke_share_token(
+    board_id: UUID,
+    share_id: UUID,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(get_current_user),
+) -> None:
+    board = get_board(db, board_id, current_user)
+    if not board:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND, detail="Board not found"
+        )
+    row = share_get_by_id(db, share_id)
+    if not row or row.board_id != board_id:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND, detail="Share token not found"
+        )
+    share_revoke(db, row)
+
+
+public_router = APIRouter(prefix="/public/boards", tags=["public"])
+
+
+def _resolve_share(db: Session, token: str) -> tuple[Board, BoardShareToken]:
+    row = share_get_by_token(db, token)
+    if not row or not share_is_usable(row):
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="Share link invalid or expired",
+        )
+    board = db.get(Board, row.board_id)
+    if not board:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="Share link invalid or expired",
+        )
+    return board, row
+
+
+@public_router.get("/{token}", response_model=PublicBoardResponse)
+def public_board_metadata(
+    token: str,
+    db: Session = Depends(get_db),
+) -> PublicBoardResponse:
+    board, row = _resolve_share(db, token)
+    return PublicBoardResponse(id=board.id, name=board.name, role=row.role)
+
+
+@public_router.get("/{token}/snapshot")
+def public_board_snapshot(
+    token: str,
+    db: Session = Depends(get_db),
+) -> dict[str, object]:
+    from app.modules.elements.repository import get_by_board as get_elements_by_board
+
+    board, _ = _resolve_share(db, token)
+    items, _ = get_elements_by_board(db, board.id, page=1, limit=500)
+    snapshot_el = next(
+        (e for e in items if e.type == "excalidraw_snapshot"), None
+    )
+    data = snapshot_el.data if snapshot_el else {}
+    return {
+        "board": {"id": str(board.id), "name": board.name},
+        "snapshot": data,
+    }
+
+
+templates_router = APIRouter(prefix="/templates", tags=["templates"])
+
+
+@templates_router.get("", response_model=TemplateListResponse)
+def list_templates(db: Session = Depends(get_db)) -> TemplateListResponse:
+    rows = list_all_templates(db)
+    return TemplateListResponse(
+        items=[TemplateResponse.model_validate(r) for r in rows]
+    )
+
+
+# --- Comments ----------------------------------------------------------
+
+
+def _comment_to_response(
+    row: BoardComment, db: Session | None = None
+) -> CommentResponse:
+    from app.modules.users.repository import get_by_id as get_user_by_id
+
+    author = getattr(row, "author", None)
+    if author is None and db is not None and row.author_id is not None:
+        author = get_user_by_id(db, row.author_id)
+    return CommentResponse(
+        id=row.id,
+        board_id=row.board_id,
+        parent_id=row.parent_id,
+        author_id=row.author_id,
+        author_username=author.username if author else None,
+        author_display_name=display_name_of(author) if author else None,
+        author_avatar_url=avatar_url_of(author) if author else None,
+        anchor_x=row.anchor_x,
+        anchor_y=row.anchor_y,
+        anchor_element_id=row.anchor_element_id,
+        body=row.body,
+        resolved_at=row.resolved_at,
+        created_at=row.created_at,
+        updated_at=row.updated_at,
+    )
+
+
+@router.get("/{board_id}/comments", response_model=CommentListResponse)
+def list_comments(
+    board_id: UUID,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(get_current_user),
+) -> CommentListResponse:
+    board = get_board(db, board_id, current_user)
+    if not board:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND, detail="Board not found"
+        )
+    rows = comment_list_for_board(db, board_id)
+    return CommentListResponse(
+        items=[_comment_to_response(r, db=db) for r in rows]
+    )
+
+
+@router.post(
+    "/{board_id}/comments",
+    response_model=CommentResponse,
+    status_code=status.HTTP_201_CREATED,
+)
+def create_comment(
+    board_id: UUID,
+    data: CommentCreate,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(get_current_user),
+) -> CommentResponse:
+    board = get_board(db, board_id, current_user)
+    if not board:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND, detail="Board not found"
+        )
+    body = (data.body or "").strip()
+    if not body:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST, detail="Comment body required"
+        )
+    row = comment_create(
+        db,
+        board_id=board_id,
+        author_id=current_user.id,
+        body=body,
+        parent_id=data.parent_id,
+        anchor_x=data.anchor_x,
+        anchor_y=data.anchor_y,
+        anchor_element_id=data.anchor_element_id,
+    )
+    resp = _comment_to_response(row, db=db)
+    publish_board_event(
+        str(board_id), "comment.created", resp.model_dump(mode="json")
+    )
+    return resp
+
+
+@router.patch(
+    "/{board_id}/comments/{comment_id}", response_model=CommentResponse
+)
+def update_comment(
+    board_id: UUID,
+    comment_id: UUID,
+    data: CommentUpdate,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(get_current_user),
+) -> CommentResponse:
+    board = get_board(db, board_id, current_user)
+    if not board:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND, detail="Board not found"
+        )
+    row = comment_get_by_id(db, comment_id)
+    if not row or row.board_id != board_id:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND, detail="Comment not found"
+        )
+    # Only the author can edit body; anyone in the workspace can resolve.
+    if data.body is not None and row.author_id != current_user.id:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Only the author can edit this comment",
+        )
+    row = comment_update(db, row, body=data.body, resolved=data.resolved)
+    resp = _comment_to_response(row, db=db)
+    publish_board_event(
+        str(board_id), "comment.updated", resp.model_dump(mode="json")
+    )
+    return resp
+
+
+@router.delete(
+    "/{board_id}/comments/{comment_id}",
+    status_code=status.HTTP_204_NO_CONTENT,
+)
+def delete_comment(
+    board_id: UUID,
+    comment_id: UUID,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(get_current_user),
+) -> None:
+    board = get_board(db, board_id, current_user)
+    if not board:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND, detail="Board not found"
+        )
+    row = comment_get_by_id(db, comment_id)
+    if not row or row.board_id != board_id:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND, detail="Comment not found"
+        )
+    if row.author_id != current_user.id:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Only the author can delete this comment",
+        )
+    comment_delete(db, row)
+    publish_board_event(
+        str(board_id), "comment.deleted", {"id": str(comment_id)}
+    )
diff --git a/api/app/app/modules/boards/schemas.py b/api/app/app/modules/boards/schemas.py
index 474ee67..c46265c 100644
--- a/api/app/app/modules/boards/schemas.py
+++ b/api/app/app/modules/boards/schemas.py
@@ -17,7 +17,11 @@ class BoardResponse(BaseModel):
     id: UUID
     workspace_id: UUID
     name: str
+    # Kept for backwards compatibility with older clients. New UI code
+    # should display `owner_display_name` instead.
     owner_username: str | None = None
+    owner_display_name: str | None = None
+    owner_avatar_url: str | None = None
     created_at: datetime
     updated_at: datetime
 
@@ -36,3 +40,93 @@ class BoardWithMetaResponse(BoardResponse):
 
     last_opened_at: datetime | None = None
     starred: bool = False
+
+
+class ShareTokenCreate(BaseModel):
+    role: str = "viewer"
+    expires_at: datetime | None = None
+
+
+class ShareTokenResponse(BaseModel):
+    id: UUID
+    board_id: UUID
+    token: str
+    url: str
+    role: str
+    created_at: datetime
+    expires_at: datetime | None = None
+
+    model_config = {"from_attributes": True}
+
+
+class ShareTokenListResponse(BaseModel):
+    items: list[ShareTokenResponse]
+
+
+class PublicBoardResponse(BaseModel):
+    """Metadata a share-link viewer/editor needs to render the board."""
+
+    id: UUID
+    name: str
+    role: str
+
+
+class CommentCreate(BaseModel):
+    body: str
+    parent_id: UUID | None = None
+    anchor_x: float | None = None
+    anchor_y: float | None = None
+    anchor_element_id: str | None = None
+
+
+class CommentUpdate(BaseModel):
+    body: str | None = None
+    resolved: bool | None = None
+
+
+class CommentResponse(BaseModel):
+    id: UUID
+    board_id: UUID
+    parent_id: UUID | None = None
+    author_id: UUID | None = None
+    author_username: str | None = None
+    author_display_name: str | None = None
+    author_avatar_url: str | None = None
+    anchor_x: float | None = None
+    anchor_y: float | None = None
+    anchor_element_id: str | None = None
+    body: str
+    resolved_at: datetime | None = None
+    created_at: datetime
+    updated_at: datetime
+
+    model_config = {"from_attributes": True}
+
+
+class CommentListResponse(BaseModel):
+    items: list[CommentResponse]
+
+
+class TemplateResponse(BaseModel):
+    id: UUID
+    slug: str
+    name: str
+    category: str
+    description: str
+    thumbnail_url: str | None = None
+
+    model_config = {"from_attributes": True}
+
+
+class TemplateListResponse(BaseModel):
+    items: list[TemplateResponse]
+
+
+class BoardCreateFromTemplate(BaseModel):
+    workspace_id: UUID
+    template_slug: str
+    name: str | None = None
+
+
+class BoardSearchResponse(BaseModel):
+    items: list[BoardResponse]
diff --git a/api/app/app/modules/boards/service.py b/api/app/app/modules/boards/service.py
index ed2e2b5..a446c29 100644
--- a/api/app/app/modules/boards/service.py
+++ b/api/app/app/modules/boards/service.py
@@ -71,3 +71,54 @@ def duplicate_board_for_user(db: Session, board_id: UUID, user: User) -> Board |
     for elem in elements:
         create_element(db, board_id=new_board.id, type=elem.type, data=dict(elem.data))
     return new_board
+
+
+def create_board_from_template(
+    db: Session,
+    user: User,
+    workspace_id: UUID,
+    template_slug: str,
+    name: str | None = None,
+) -> Board | None:
+    from app.modules.boards.template_repo import get_by_slug
+    from app.modules.elements.repository import create as create_element
+
+    if not workspace_is_member(db, workspace_id, user.id):
+        return None
+    tpl = get_by_slug(db, template_slug)
+    if tpl is None:
+        return None
+    new_board = create_board(
+        db, name=name or tpl.name, workspace_id=workspace_id
+    )
+    if tpl.snapshot:
+        create_element(
+            db,
+            board_id=new_board.id,
+            type="excalidraw_snapshot",
+            data=dict(tpl.snapshot),
+        )
+    return new_board
+
+
+def search_boards_for_user(
+    db: Session, user: User, query: str, limit: int = 20
+) -> list[Board]:
+    """Case-insensitive substring match on board name, restricted to
+    workspaces the user is a member of.
+    """
+    from sqlalchemy import select
+    from app.modules.workspaces.model import WorkspaceMember
+
+    q = (query or "").strip()
+    if not q:
+        return []
+    stmt = (
+        select(Board)
+        .join(WorkspaceMember, WorkspaceMember.workspace_id == Board.workspace_id)
+        .where(WorkspaceMember.user_id == user.id)
+        .where(Board.name.ilike(f"%{q}%"))
+        .order_by(Board.updated_at.desc())
+        .limit(limit)
+    )
+    return list(db.execute(stmt).scalars().all())

From e57a33de487e412b97dd37d94b0f2a713f4d1b12 Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:31:01 +0400
Subject: [PATCH 36/82] feat(ws): first-frame auth handshake, binary relay,
 payload caps

---
 api/app/app/websocket/manager.py |  45 +++++++---
 api/app/app/websocket/router.py  | 137 +++++++++++++++++++++++--------
 2 files changed, 140 insertions(+), 42 deletions(-)

diff --git a/api/app/app/websocket/manager.py b/api/app/app/websocket/manager.py
index d3a350d..d73f3ec 100644
--- a/api/app/app/websocket/manager.py
+++ b/api/app/app/websocket/manager.py
@@ -8,12 +8,17 @@
 from app.config import settings
 
 BOARD_CHANNEL_PREFIX = "board:"
+
+FRAME_TEXT = b"T"
+FRAME_BINARY = b"B"
+
 ACTIVE_CONNECTIONS: dict[str, list[WebSocket]] = {}
 _listeners: dict[str, asyncio.Task[Any]] = {}
 
 
-async def get_redis_async() -> Redis:
-    return Redis.from_url(settings.redis_url, decode_responses=True)
+async def _get_redis_binary() -> Redis:
+    # decode_responses=False so binary Yjs frames survive the round-trip.
+    return Redis.from_url(settings.redis_url, decode_responses=False)
 
 
 async def subscribe_board(websocket: WebSocket, board_id: str) -> None:
@@ -36,26 +41,46 @@ def unsubscribe_board(websocket: WebSocket, board_id: str) -> None:
 
 
 async def broadcast_to_board(board_id: str, event: str, payload: dict[str, Any]) -> None:
-    redis = await get_redis_async()
+    redis = await _get_redis_binary()
+    channel = f"{BOARD_CHANNEL_PREFIX}{board_id}"
+    body = json.dumps({"event": event, "data": payload}).encode("utf-8")
+    await redis.publish(channel, FRAME_TEXT + body)
+    await redis.aclose()
+
+
+async def broadcast_binary_to_board(board_id: str, data: bytes) -> None:
+    redis = await _get_redis_binary()
     channel = f"{BOARD_CHANNEL_PREFIX}{board_id}"
-    await redis.publish(channel, json.dumps({"event": event, "data": payload}))
+    await redis.publish(channel, FRAME_BINARY + data)
     await redis.aclose()
 
 
 async def redis_listener(board_id: str) -> None:
-    """Subscribe to Redis and forward messages to WebSocket clients."""
-    redis = await get_redis_async()
+    redis = await _get_redis_binary()
     pubsub = redis.pubsub()
-    channel = f"{BOARD_CHANNEL_PREFIX}{board_id}"
+    channel = f"{BOARD_CHANNEL_PREFIX}{board_id}".encode()
     await pubsub.subscribe(channel)
 
     try:
         async for message in pubsub.listen():
-            if message["type"] == "message" and message["channel"] == channel:
-                data = message["data"]
+            if message["type"] != "message" or message["channel"] != channel:
+                continue
+            raw = message["data"]
+            if not isinstance(raw, (bytes, bytearray)) or len(raw) < 1:
+                continue
+            prefix = bytes(raw[:1])
+            body = bytes(raw[1:])
+            if prefix == FRAME_TEXT:
+                text = body.decode("utf-8", errors="replace")
+                for ws in ACTIVE_CONNECTIONS.get(board_id, [])[:]:
+                    try:
+                        await ws.send_text(text)
+                    except Exception:
+                        pass
+            elif prefix == FRAME_BINARY:
                 for ws in ACTIVE_CONNECTIONS.get(board_id, [])[:]:
                     try:
-                        await ws.send_text(data)
+                        await ws.send_bytes(body)
                     except Exception:
                         pass
     except asyncio.CancelledError:
diff --git a/api/app/app/websocket/router.py b/api/app/app/websocket/router.py
index c71b42b..f5e2181 100644
--- a/api/app/app/websocket/router.py
+++ b/api/app/app/websocket/router.py
@@ -1,14 +1,18 @@
+import asyncio
 import json
 import logging
+from typing import Any
 from uuid import UUID
 
-from fastapi import APIRouter, Query, WebSocket, WebSocketDisconnect
+from fastapi import APIRouter, WebSocket, WebSocketDisconnect
 
 from app.api.deps import get_user_from_token
 from app.db.session import SessionLocal
 from app.modules.boards.repository import get_by_id as get_board
+from app.modules.users.model import User
 from app.modules.workspaces.repository import is_member as workspace_is_member
 from app.websocket.manager import (
+    broadcast_binary_to_board,
     broadcast_to_board,
     subscribe_board,
     unsubscribe_board,
@@ -17,53 +21,122 @@
 logger = logging.getLogger(__name__)
 router = APIRouter()
 
+AUTH_TIMEOUT_SECONDS = 10
 
-@router.websocket("/ws/boards/{board_id}")
-async def board_websocket(
-    websocket: WebSocket,
-    board_id: str,
-    token: str = Query(...),
-) -> None:
-    await websocket.accept()
+CLOSE_BAD_REQUEST = 4000
+CLOSE_UNAUTHORIZED = 4001
+CLOSE_FORBIDDEN = 4003
+CLOSE_AUTH_TIMEOUT = 4008
+CLOSE_PAYLOAD_TOO_LARGE = 4009
+CLOSE_INTERNAL_ERROR = 4011
+
+RELAYED_TEXT_EVENTS = {
+    "cursor.moved",
+    "element.created",
+    "element.updated",
+    "element.deleted",
+}
+
+MAX_TEXT_FRAME_BYTES = 64 * 1024
+MAX_BINARY_FRAME_BYTES = 2 * 1024 * 1024
+
+
+async def _authenticate(websocket: WebSocket, board_id: str) -> User | None:
+    try:
+        raw = await asyncio.wait_for(
+            websocket.receive_text(), timeout=AUTH_TIMEOUT_SECONDS
+        )
+    except asyncio.TimeoutError:
+        await websocket.close(code=CLOSE_AUTH_TIMEOUT)
+        return None
+    except WebSocketDisconnect:
+        return None
+
+    try:
+        msg = json.loads(raw)
+    except json.JSONDecodeError:
+        await websocket.close(code=CLOSE_BAD_REQUEST)
+        return None
+
+    if not isinstance(msg, dict) or msg.get("type") != "auth":
+        await websocket.close(code=CLOSE_UNAUTHORIZED)
+        return None
+
+    token = msg.get("token")
+    if not isinstance(token, str) or not token:
+        await websocket.close(code=CLOSE_UNAUTHORIZED)
+        return None
+
+    try:
+        bid = UUID(board_id)
+    except ValueError:
+        await websocket.close(code=CLOSE_BAD_REQUEST)
+        return None
 
     db = SessionLocal()
     try:
         user = get_user_from_token(db, token)
         if not user:
-            await websocket.close(code=4001)
-            return
-
-        try:
-            bid = UUID(board_id)
-        except ValueError:
-            await websocket.close(code=4000)
-            return
+            await websocket.close(code=CLOSE_UNAUTHORIZED)
+            return None
 
         board = get_board(db, bid)
         if not board or not workspace_is_member(db, board.workspace_id, user.id):
-            await websocket.close(code=4003)
-            return
+            await websocket.close(code=CLOSE_FORBIDDEN)
+            return None
     finally:
         db.close()
 
+    return user
+
+
+async def _handle_text_frame(raw: str, board_id: str, user: User) -> None:
+    try:
+        msg = json.loads(raw)
+    except json.JSONDecodeError:
+        return
+    if not isinstance(msg, dict):
+        return
+    event = msg.get("event")
+    if event not in RELAYED_TEXT_EVENTS:
+        return
+    payload: dict[str, Any] = dict(msg.get("data") or {})
+    if event == "cursor.moved":
+        payload["user_id"] = str(user.id)
+        payload["username"] = user.username or user.email or "Anonymous"
+    await broadcast_to_board(board_id, event, payload)
+
+
+@router.websocket("/ws/boards/{board_id}")
+async def board_websocket(websocket: WebSocket, board_id: str) -> None:
+    await websocket.accept()
+
+    user = await _authenticate(websocket, board_id)
+    if user is None:
+        return
+
+    try:
+        await websocket.send_text(json.dumps({"event": "auth.ok"}))
+    except Exception:
+        return
+
     await subscribe_board(websocket, board_id)
 
     try:
         while True:
-            data = await websocket.receive_text()
-            msg = json.loads(data)
-            event = msg.get("event")
-            payload = dict(msg.get("data", {}))
-            if event == "cursor.moved":
-                payload["user_id"] = str(user.id)
-                payload["username"] = user.username or user.email or "Anonymous"
-                await broadcast_to_board(board_id, event, payload)
-            elif event in (
-                "element.created",
-                "element.updated",
-                "element.deleted",
-            ):
-                await broadcast_to_board(board_id, event, payload)
+            frame = await websocket.receive()
+            if frame.get("type") == "websocket.disconnect":
+                break
+            if (text := frame.get("text")) is not None:
+                if len(text.encode("utf-8", errors="ignore")) > MAX_TEXT_FRAME_BYTES:
+                    await websocket.close(code=CLOSE_PAYLOAD_TOO_LARGE)
+                    break
+                await _handle_text_frame(text, board_id, user)
+            elif (data := frame.get("bytes")) is not None:
+                if len(data) > MAX_BINARY_FRAME_BYTES:
+                    await websocket.close(code=CLOSE_PAYLOAD_TOO_LARGE)
+                    break
+                await broadcast_binary_to_board(board_id, data)
     except WebSocketDisconnect:
         pass
     except Exception as exc:

From 9c5b4f4dd8ddfab8b44b062c5d559503629a3421 Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:31:02 +0400
Subject: [PATCH 37/82] feat(api): mount public board and templates routers

---
 api/app/app/api/router.py | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/api/app/app/api/router.py b/api/app/app/api/router.py
index 9f803be..bc89a05 100644
--- a/api/app/app/api/router.py
+++ b/api/app/app/api/router.py
@@ -1,7 +1,9 @@
 from fastapi import APIRouter
 
 from app.modules.auth.router import router as auth_router
+from app.modules.boards.router import public_router as boards_public_router
 from app.modules.boards.router import router as boards_router
+from app.modules.boards.router import templates_router as boards_templates_router
 from app.modules.elements.router import router as elements_router
 from app.modules.users.router import router as users_router
 from app.modules.workspaces.router import router as workspaces_router
@@ -12,5 +14,7 @@
 api_router.include_router(users_router)
 api_router.include_router(workspaces_router)
 api_router.include_router(boards_router)
+api_router.include_router(boards_public_router)
+api_router.include_router(boards_templates_router)
 api_router.include_router(elements_router)
 api_router.include_router(ws_router)

From 38e504dc5e75f296f0a952a5d9b711af29f1a884 Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:31:02 +0400
Subject: [PATCH 38/82] feat(api): real /health, request-ID middleware,
 template seeding

---
 api/app/app/main.py | 55 +++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 53 insertions(+), 2 deletions(-)

diff --git a/api/app/app/main.py b/api/app/app/main.py
index f3bfe95..4f2f4a1 100644
--- a/api/app/app/main.py
+++ b/api/app/app/main.py
@@ -1,16 +1,38 @@
+import logging
 from collections.abc import AsyncIterator
 from contextlib import asynccontextmanager
 
 from fastapi import FastAPI
 from fastapi.middleware.cors import CORSMiddleware
+from fastapi.responses import JSONResponse
+from sqlalchemy import text
 
 from app.api.router import api_router
 from app.config import settings
+from app.core.logging import configure_logging
+from app.core.redis import get_redis
+from app.db.session import SessionLocal
+from app.middleware.request_id import RequestIDMiddleware
+
+configure_logging()
+logger = logging.getLogger(__name__)
 
 
 @asynccontextmanager
 async def lifespan(app: FastAPI) -> AsyncIterator[None]:
+    logger.info("Loomy API starting", extra={"environment": settings.environment})
+    try:
+        from app.modules.boards.template_seed import seed_builtin_templates
+
+        with SessionLocal() as session:
+            seeded = seed_builtin_templates(session)
+        logger.info("Seeded %d built-in templates", seeded)
+    except Exception as exc:
+        # Seeding must never block startup — missing tables on a fresh
+        # deploy are fine; the log is enough signal.
+        logger.warning("Template seeding skipped: %s", exc)
     yield
+    logger.info("Loomy API shutting down")
 
 
 app = FastAPI(
@@ -35,10 +57,39 @@ async def lifespan(app: FastAPI) -> AsyncIterator[None]:
     allow_methods=["*"],
     allow_headers=["*"],
 )
+app.add_middleware(RequestIDMiddleware)
 
 app.include_router(api_router, prefix="")
 
 
+def _check_db() -> tuple[bool, str | None]:
+    try:
+        with SessionLocal() as session:
+            session.execute(text("SELECT 1"))
+        return True, None
+    except Exception as exc:
+        return False, str(exc)[:200]
+
+
+def _check_redis() -> tuple[bool, str | None]:
+    try:
+        get_redis().ping()
+        return True, None
+    except Exception as exc:
+        return False, str(exc)[:200]
+
+
 @app.get("/health")
-def health() -> dict[str, str]:
-    return {"status": "ok"}
+def health() -> JSONResponse:
+    db_ok, db_err = _check_db()
+    redis_ok, redis_err = _check_redis()
+    status_ok = db_ok and redis_ok
+    payload: dict[str, object] = {
+        "status": "ok" if status_ok else "degraded",
+        "environment": settings.environment,
+        "checks": {
+            "database": {"ok": db_ok, "error": db_err},
+            "redis": {"ok": redis_ok, "error": redis_err},
+        },
+    }
+    return JSONResponse(status_code=200 if status_ok else 503, content=payload)

From ec6075f13edeb4191db4ffd6043f546949d58f13 Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:31:03 +0400
Subject: [PATCH 39/82] build(alembic): register consolidated board and new
 auth models

---
 api/app/alembic/env.py | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/api/app/alembic/env.py b/api/app/alembic/env.py
index 114f11d..df22a8e 100644
--- a/api/app/alembic/env.py
+++ b/api/app/alembic/env.py
@@ -7,7 +7,14 @@
 
 from app.config import settings
 from app.db.base import Base
-from app.modules.boards.model import Board, BoardStar, BoardView  # noqa: F401 - metadata
+from app.modules.boards.model import (  # noqa: F401 - metadata
+    Board,
+    BoardComment,
+    BoardShareToken,
+    BoardStar,
+    BoardTemplate,
+    BoardView,
+)
 from app.modules.elements.model import Element  # noqa: F401 - metadata
 from app.modules.users.model import OAuthAccount, User  # noqa: F401 - metadata
 from app.modules.workspaces.model import (  # noqa: F401 - metadata

From 7883b418ae8077ade51adc52430b0673e71e7921 Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:31:04 +0400
Subject: [PATCH 40/82] build(alembic): reset migrations and generate clean
 initial schema

---
 .../24b35055e774_init_initial_migration.py    | 229 -----------------
 ...f9_feat_add_workspace_invitations_table.py |  67 -----
 .../fe24635bcc34_initial_migration.py         | 232 ++++++++++++++++++
 3 files changed, 232 insertions(+), 296 deletions(-)
 delete mode 100644 api/app/alembic/versions/24b35055e774_init_initial_migration.py
 delete mode 100644 api/app/alembic/versions/7d6ba2fe0af9_feat_add_workspace_invitations_table.py
 create mode 100644 api/app/alembic/versions/fe24635bcc34_initial_migration.py

diff --git a/api/app/alembic/versions/24b35055e774_init_initial_migration.py b/api/app/alembic/versions/24b35055e774_init_initial_migration.py
deleted file mode 100644
index 71d0c1e..0000000
--- a/api/app/alembic/versions/24b35055e774_init_initial_migration.py
+++ /dev/null
@@ -1,229 +0,0 @@
-"""[INIT] Initial migration
-
-Revision ID: 24b35055e774
-Revises:
-Create Date: 2026-03-14 18:56:46.209221
-
-"""
-
-from typing import Sequence, Union
-
-from alembic import op
-import sqlalchemy as sa
-from sqlalchemy.dialects import postgresql
-
-# revision identifiers, used by Alembic.
-revision: str = "24b35055e774"
-down_revision: Union[str, Sequence[str], None] = None
-branch_labels: Union[str, Sequence[str], None] = None
-depends_on: Union[str, Sequence[str], None] = None
-
-
-def upgrade() -> None:
-    """Upgrade schema."""
-    # ### commands auto generated by Alembic - please adjust! ###
-    op.create_table(
-        "users",
-        sa.Column("id", sa.UUID(), nullable=False),
-        sa.Column("email", sa.String(length=255), nullable=False),
-        sa.Column("username", sa.String(length=100), nullable=False),
-        sa.Column("first_name", sa.String(length=100), nullable=False),
-        sa.Column("last_name", sa.String(length=100), nullable=False),
-        sa.Column("avatar_url", sa.String(length=500), nullable=True),
-        sa.Column("hashed_password", sa.String(length=255), nullable=True),
-        sa.Column(
-            "created_at",
-            sa.DateTime(timezone=True),
-            server_default=sa.text("now()"),
-            nullable=False,
-        ),
-        sa.Column(
-            "updated_at",
-            sa.DateTime(timezone=True),
-            server_default=sa.text("now()"),
-            nullable=False,
-        ),
-        sa.PrimaryKeyConstraint("id"),
-    )
-    op.create_index(op.f("ix_users_email"), "users", ["email"], unique=True)
-    op.create_index(op.f("ix_users_username"), "users", ["username"], unique=True)
-    op.create_table(
-        "oauth_accounts",
-        sa.Column("id", sa.UUID(), nullable=False),
-        sa.Column("user_id", sa.UUID(), nullable=False),
-        sa.Column("provider", sa.String(length=50), nullable=False),
-        sa.Column("provider_user_id", sa.String(length=255), nullable=False),
-        sa.Column(
-            "created_at",
-            sa.DateTime(timezone=True),
-            server_default=sa.text("now()"),
-            nullable=False,
-        ),
-        sa.ForeignKeyConstraint(["user_id"], ["users.id"], ondelete="CASCADE"),
-        sa.PrimaryKeyConstraint("id"),
-    )
-    op.create_index(
-        op.f("ix_oauth_accounts_provider"), "oauth_accounts", ["provider"], unique=False
-    )
-    op.create_index(
-        op.f("ix_oauth_accounts_provider_user_id"),
-        "oauth_accounts",
-        ["provider_user_id"],
-        unique=False,
-    )
-    op.create_table(
-        "workspaces",
-        sa.Column("id", sa.UUID(), nullable=False),
-        sa.Column("name", sa.String(length=255), nullable=False),
-        sa.Column("slug", sa.String(length=255), nullable=False),
-        sa.Column("owner_id", sa.UUID(), nullable=False),
-        sa.Column(
-            "created_at",
-            sa.DateTime(timezone=True),
-            server_default=sa.text("now()"),
-            nullable=False,
-        ),
-        sa.Column(
-            "updated_at",
-            sa.DateTime(timezone=True),
-            server_default=sa.text("now()"),
-            nullable=False,
-        ),
-        sa.ForeignKeyConstraint(["owner_id"], ["users.id"], ondelete="CASCADE"),
-        sa.PrimaryKeyConstraint("id"),
-    )
-    op.create_index(op.f("ix_workspaces_slug"), "workspaces", ["slug"], unique=True)
-    op.create_table(
-        "boards",
-        sa.Column("id", sa.UUID(), nullable=False),
-        sa.Column("workspace_id", sa.UUID(), nullable=False),
-        sa.Column("name", sa.String(length=255), nullable=False),
-        sa.Column(
-            "created_at",
-            sa.DateTime(timezone=True),
-            server_default=sa.text("now()"),
-            nullable=False,
-        ),
-        sa.Column(
-            "updated_at",
-            sa.DateTime(timezone=True),
-            server_default=sa.text("now()"),
-            nullable=False,
-        ),
-        sa.ForeignKeyConstraint(["workspace_id"], ["workspaces.id"], ondelete="CASCADE"),
-        sa.PrimaryKeyConstraint("id"),
-    )
-    op.create_index(op.f("ix_boards_workspace_id"), "boards", ["workspace_id"], unique=False)
-    op.create_table(
-        "workspace_members",
-        sa.Column("id", sa.UUID(), nullable=False),
-        sa.Column("workspace_id", sa.UUID(), nullable=False),
-        sa.Column("user_id", sa.UUID(), nullable=False),
-        sa.Column("role", sa.String(length=50), nullable=False),
-        sa.Column(
-            "created_at",
-            sa.DateTime(timezone=True),
-            server_default=sa.text("now()"),
-            nullable=False,
-        ),
-        sa.ForeignKeyConstraint(["user_id"], ["users.id"], ondelete="CASCADE"),
-        sa.ForeignKeyConstraint(["workspace_id"], ["workspaces.id"], ondelete="CASCADE"),
-        sa.PrimaryKeyConstraint("id"),
-    )
-    op.create_index(
-        op.f("ix_workspace_members_user_id"), "workspace_members", ["user_id"], unique=False
-    )
-    op.create_index(
-        op.f("ix_workspace_members_workspace_id"),
-        "workspace_members",
-        ["workspace_id"],
-        unique=False,
-    )
-    op.create_table(
-        "board_stars",
-        sa.Column("id", sa.UUID(), nullable=False),
-        sa.Column("user_id", sa.UUID(), nullable=False),
-        sa.Column("board_id", sa.UUID(), nullable=False),
-        sa.Column(
-            "created_at",
-            sa.DateTime(timezone=True),
-            server_default=sa.text("now()"),
-            nullable=False,
-        ),
-        sa.ForeignKeyConstraint(["board_id"], ["boards.id"], ondelete="CASCADE"),
-        sa.ForeignKeyConstraint(["user_id"], ["users.id"], ondelete="CASCADE"),
-        sa.PrimaryKeyConstraint("id"),
-        sa.UniqueConstraint("user_id", "board_id", name="uq_board_stars_user_board"),
-    )
-    op.create_index(op.f("ix_board_stars_board_id"), "board_stars", ["board_id"], unique=False)
-    op.create_index(op.f("ix_board_stars_user_id"), "board_stars", ["user_id"], unique=False)
-    op.create_table(
-        "board_views",
-        sa.Column("id", sa.UUID(), nullable=False),
-        sa.Column("user_id", sa.UUID(), nullable=False),
-        sa.Column("board_id", sa.UUID(), nullable=False),
-        sa.Column(
-            "last_opened_at",
-            sa.DateTime(timezone=True),
-            server_default=sa.text("now()"),
-            nullable=False,
-        ),
-        sa.ForeignKeyConstraint(["board_id"], ["boards.id"], ondelete="CASCADE"),
-        sa.ForeignKeyConstraint(["user_id"], ["users.id"], ondelete="CASCADE"),
-        sa.PrimaryKeyConstraint("id"),
-        sa.UniqueConstraint("user_id", "board_id", name="uq_board_views_user_board"),
-    )
-    op.create_index(op.f("ix_board_views_board_id"), "board_views", ["board_id"], unique=False)
-    op.create_index(op.f("ix_board_views_user_id"), "board_views", ["user_id"], unique=False)
-    op.create_table(
-        "elements",
-        sa.Column("id", sa.UUID(), nullable=False),
-        sa.Column("board_id", sa.UUID(), nullable=False),
-        sa.Column("type", sa.String(length=50), nullable=False),
-        sa.Column("data", postgresql.JSONB(astext_type=sa.Text()), nullable=False),
-        sa.Column(
-            "created_at",
-            sa.DateTime(timezone=True),
-            server_default=sa.text("now()"),
-            nullable=False,
-        ),
-        sa.Column(
-            "updated_at",
-            sa.DateTime(timezone=True),
-            server_default=sa.text("now()"),
-            nullable=False,
-        ),
-        sa.ForeignKeyConstraint(["board_id"], ["boards.id"], ondelete="CASCADE"),
-        sa.PrimaryKeyConstraint("id"),
-    )
-    op.create_index(op.f("ix_elements_board_id"), "elements", ["board_id"], unique=False)
-    op.create_index(op.f("ix_elements_type"), "elements", ["type"], unique=False)
-    # ### end Alembic commands ###
-
-
-def downgrade() -> None:
-    """Downgrade schema."""
-    # ### commands auto generated by Alembic - please adjust! ###
-    op.drop_index(op.f("ix_elements_type"), table_name="elements")
-    op.drop_index(op.f("ix_elements_board_id"), table_name="elements")
-    op.drop_table("elements")
-    op.drop_index(op.f("ix_board_views_user_id"), table_name="board_views")
-    op.drop_index(op.f("ix_board_views_board_id"), table_name="board_views")
-    op.drop_table("board_views")
-    op.drop_index(op.f("ix_board_stars_user_id"), table_name="board_stars")
-    op.drop_index(op.f("ix_board_stars_board_id"), table_name="board_stars")
-    op.drop_table("board_stars")
-    op.drop_index(op.f("ix_workspace_members_workspace_id"), table_name="workspace_members")
-    op.drop_index(op.f("ix_workspace_members_user_id"), table_name="workspace_members")
-    op.drop_table("workspace_members")
-    op.drop_index(op.f("ix_boards_workspace_id"), table_name="boards")
-    op.drop_table("boards")
-    op.drop_index(op.f("ix_workspaces_slug"), table_name="workspaces")
-    op.drop_table("workspaces")
-    op.drop_index(op.f("ix_oauth_accounts_provider_user_id"), table_name="oauth_accounts")
-    op.drop_index(op.f("ix_oauth_accounts_provider"), table_name="oauth_accounts")
-    op.drop_table("oauth_accounts")
-    op.drop_index(op.f("ix_users_username"), table_name="users")
-    op.drop_index(op.f("ix_users_email"), table_name="users")
-    op.drop_table("users")
-    # ### end Alembic commands ###
diff --git a/api/app/alembic/versions/7d6ba2fe0af9_feat_add_workspace_invitations_table.py b/api/app/alembic/versions/7d6ba2fe0af9_feat_add_workspace_invitations_table.py
deleted file mode 100644
index b08b45d..0000000
--- a/api/app/alembic/versions/7d6ba2fe0af9_feat_add_workspace_invitations_table.py
+++ /dev/null
@@ -1,67 +0,0 @@
-"""[FEAT] Add workspace invitations table
-
-Revision ID: 7d6ba2fe0af9
-Revises: 24b35055e774
-Create Date: 2026-03-24 18:51:12.834194
-
-"""
-
-from typing import Sequence, Union
-
-from alembic import op
-import sqlalchemy as sa
-
-
-# revision identifiers, used by Alembic.
-revision: str = "7d6ba2fe0af9"
-down_revision: Union[str, Sequence[str], None] = "24b35055e774"
-branch_labels: Union[str, Sequence[str], None] = None
-depends_on: Union[str, Sequence[str], None] = None
-
-
-def upgrade() -> None:
-    """Upgrade schema."""
-    # ### commands auto generated by Alembic - please adjust! ###
-    op.create_table(
-        "workspace_invitations",
-        sa.Column("id", sa.UUID(), nullable=False),
-        sa.Column("workspace_id", sa.UUID(), nullable=False),
-        sa.Column("email", sa.String(length=255), nullable=False),
-        sa.Column("role", sa.String(length=50), nullable=False),
-        sa.Column("token", sa.String(length=128), nullable=False),
-        sa.Column("invited_by", sa.UUID(), nullable=False),
-        sa.Column(
-            "created_at",
-            sa.DateTime(timezone=True),
-            server_default=sa.text("now()"),
-            nullable=False,
-        ),
-        sa.Column("expires_at", sa.DateTime(timezone=True), nullable=True),
-        sa.Column("accepted_at", sa.DateTime(timezone=True), nullable=True),
-        sa.ForeignKeyConstraint(["invited_by"], ["users.id"], ondelete="CASCADE"),
-        sa.ForeignKeyConstraint(["workspace_id"], ["workspaces.id"], ondelete="CASCADE"),
-        sa.PrimaryKeyConstraint("id"),
-    )
-    op.create_index(
-        op.f("ix_workspace_invitations_email"), "workspace_invitations", ["email"], unique=False
-    )
-    op.create_index(
-        op.f("ix_workspace_invitations_token"), "workspace_invitations", ["token"], unique=True
-    )
-    op.create_index(
-        op.f("ix_workspace_invitations_workspace_id"),
-        "workspace_invitations",
-        ["workspace_id"],
-        unique=False,
-    )
-    # ### end Alembic commands ###
-
-
-def downgrade() -> None:
-    """Downgrade schema."""
-    # ### commands auto generated by Alembic - please adjust! ###
-    op.drop_index(op.f("ix_workspace_invitations_workspace_id"), table_name="workspace_invitations")
-    op.drop_index(op.f("ix_workspace_invitations_token"), table_name="workspace_invitations")
-    op.drop_index(op.f("ix_workspace_invitations_email"), table_name="workspace_invitations")
-    op.drop_table("workspace_invitations")
-    # ### end Alembic commands ###
diff --git a/api/app/alembic/versions/fe24635bcc34_initial_migration.py b/api/app/alembic/versions/fe24635bcc34_initial_migration.py
new file mode 100644
index 0000000..03a77bb
--- /dev/null
+++ b/api/app/alembic/versions/fe24635bcc34_initial_migration.py
@@ -0,0 +1,232 @@
+"""initial migration
+
+Revision ID: fe24635bcc34
+Revises: 
+Create Date: 2026-04-19 19:03:17.191974
+
+"""
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+from sqlalchemy.dialects import postgresql
+
+# revision identifiers, used by Alembic.
+revision: str = 'fe24635bcc34'
+down_revision: Union[str, Sequence[str], None] = None
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+    """Upgrade schema."""
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.create_table('board_templates',
+    sa.Column('slug', sa.String(length=80), nullable=False),
+    sa.Column('name', sa.String(length=160), nullable=False),
+    sa.Column('category', sa.String(length=40), nullable=False),
+    sa.Column('description', sa.Text(), nullable=False),
+    sa.Column('thumbnail_key', sa.String(length=500), nullable=True),
+    sa.Column('thumbnail_url', sa.String(length=500), nullable=True),
+    sa.Column('is_builtin', sa.Boolean(), server_default='true', nullable=False),
+    sa.Column('snapshot', postgresql.JSONB(astext_type=sa.Text()), nullable=False),
+    sa.Column('id', sa.UUID(), nullable=False),
+    sa.Column('created_at', sa.DateTime(timezone=True), server_default=sa.text('now()'), nullable=False),
+    sa.PrimaryKeyConstraint('id')
+    )
+    op.create_index(op.f('ix_board_templates_category'), 'board_templates', ['category'], unique=False)
+    op.create_index(op.f('ix_board_templates_slug'), 'board_templates', ['slug'], unique=True)
+    op.create_table('users',
+    sa.Column('email', sa.String(length=255), nullable=False),
+    sa.Column('username', sa.String(length=100), nullable=False),
+    sa.Column('first_name', sa.String(length=100), nullable=True),
+    sa.Column('last_name', sa.String(length=100), nullable=True),
+    sa.Column('avatar_url', sa.String(length=500), nullable=True),
+    sa.Column('avatar_key', sa.String(length=500), nullable=True),
+    sa.Column('hashed_password', sa.String(length=255), nullable=True),
+    sa.Column('email_verified', sa.Boolean(), server_default='false', nullable=False),
+    sa.Column('email_verified_at', sa.DateTime(timezone=True), nullable=True),
+    sa.Column('id', sa.UUID(), nullable=False),
+    sa.Column('updated_at', sa.DateTime(timezone=True), server_default=sa.text('now()'), nullable=False),
+    sa.Column('created_at', sa.DateTime(timezone=True), server_default=sa.text('now()'), nullable=False),
+    sa.PrimaryKeyConstraint('id')
+    )
+    op.create_index(op.f('ix_users_email'), 'users', ['email'], unique=True)
+    op.create_index(op.f('ix_users_username'), 'users', ['username'], unique=True)
+    op.create_table('oauth_accounts',
+    sa.Column('user_id', sa.UUID(), nullable=False),
+    sa.Column('provider', sa.String(length=50), nullable=False),
+    sa.Column('provider_user_id', sa.String(length=255), nullable=False),
+    sa.Column('id', sa.UUID(), nullable=False),
+    sa.Column('created_at', sa.DateTime(timezone=True), server_default=sa.text('now()'), nullable=False),
+    sa.ForeignKeyConstraint(['user_id'], ['users.id'], ondelete='CASCADE'),
+    sa.PrimaryKeyConstraint('id')
+    )
+    op.create_index(op.f('ix_oauth_accounts_provider'), 'oauth_accounts', ['provider'], unique=False)
+    op.create_index(op.f('ix_oauth_accounts_provider_user_id'), 'oauth_accounts', ['provider_user_id'], unique=False)
+    op.create_table('workspaces',
+    sa.Column('name', sa.String(length=255), nullable=False),
+    sa.Column('slug', sa.String(length=255), nullable=False),
+    sa.Column('owner_id', sa.UUID(), nullable=False),
+    sa.Column('id', sa.UUID(), nullable=False),
+    sa.Column('updated_at', sa.DateTime(timezone=True), server_default=sa.text('now()'), nullable=False),
+    sa.Column('created_at', sa.DateTime(timezone=True), server_default=sa.text('now()'), nullable=False),
+    sa.ForeignKeyConstraint(['owner_id'], ['users.id'], ondelete='CASCADE'),
+    sa.PrimaryKeyConstraint('id')
+    )
+    op.create_index(op.f('ix_workspaces_slug'), 'workspaces', ['slug'], unique=True)
+    op.create_table('boards',
+    sa.Column('workspace_id', sa.UUID(), nullable=False),
+    sa.Column('name', sa.String(length=255), nullable=False),
+    sa.Column('id', sa.UUID(), nullable=False),
+    sa.Column('updated_at', sa.DateTime(timezone=True), server_default=sa.text('now()'), nullable=False),
+    sa.Column('created_at', sa.DateTime(timezone=True), server_default=sa.text('now()'), nullable=False),
+    sa.ForeignKeyConstraint(['workspace_id'], ['workspaces.id'], ondelete='CASCADE'),
+    sa.PrimaryKeyConstraint('id')
+    )
+    op.create_index(op.f('ix_boards_workspace_id'), 'boards', ['workspace_id'], unique=False)
+    op.create_index('ix_boards_workspace_updated', 'boards', ['workspace_id', 'updated_at'], unique=False)
+    op.create_table('workspace_invitations',
+    sa.Column('workspace_id', sa.UUID(), nullable=False),
+    sa.Column('email', sa.String(length=255), nullable=False),
+    sa.Column('role', sa.String(length=50), nullable=False),
+    sa.Column('token', sa.String(length=128), nullable=False),
+    sa.Column('invited_by', sa.UUID(), nullable=True),
+    sa.Column('expires_at', sa.DateTime(timezone=True), nullable=True),
+    sa.Column('accepted_at', sa.DateTime(timezone=True), nullable=True),
+    sa.Column('id', sa.UUID(), nullable=False),
+    sa.Column('created_at', sa.DateTime(timezone=True), server_default=sa.text('now()'), nullable=False),
+    sa.ForeignKeyConstraint(['invited_by'], ['users.id'], ondelete='SET NULL'),
+    sa.ForeignKeyConstraint(['workspace_id'], ['workspaces.id'], ondelete='CASCADE'),
+    sa.PrimaryKeyConstraint('id')
+    )
+    op.create_index(op.f('ix_workspace_invitations_email'), 'workspace_invitations', ['email'], unique=False)
+    op.create_index(op.f('ix_workspace_invitations_token'), 'workspace_invitations', ['token'], unique=True)
+    op.create_index(op.f('ix_workspace_invitations_workspace_id'), 'workspace_invitations', ['workspace_id'], unique=False)
+    op.create_table('workspace_members',
+    sa.Column('workspace_id', sa.UUID(), nullable=False),
+    sa.Column('user_id', sa.UUID(), nullable=False),
+    sa.Column('role', sa.String(length=50), nullable=False),
+    sa.Column('id', sa.UUID(), nullable=False),
+    sa.Column('created_at', sa.DateTime(timezone=True), server_default=sa.text('now()'), nullable=False),
+    sa.ForeignKeyConstraint(['user_id'], ['users.id'], ondelete='CASCADE'),
+    sa.ForeignKeyConstraint(['workspace_id'], ['workspaces.id'], ondelete='CASCADE'),
+    sa.PrimaryKeyConstraint('id')
+    )
+    op.create_index(op.f('ix_workspace_members_user_id'), 'workspace_members', ['user_id'], unique=False)
+    op.create_index(op.f('ix_workspace_members_workspace_id'), 'workspace_members', ['workspace_id'], unique=False)
+    op.create_table('board_comments',
+    sa.Column('board_id', sa.UUID(), nullable=False),
+    sa.Column('parent_id', sa.UUID(), nullable=True),
+    sa.Column('author_id', sa.UUID(), nullable=True),
+    sa.Column('anchor_x', sa.Float(), nullable=True),
+    sa.Column('anchor_y', sa.Float(), nullable=True),
+    sa.Column('anchor_element_id', sa.String(length=64), nullable=True),
+    sa.Column('body', sa.Text(), nullable=False),
+    sa.Column('resolved_at', sa.DateTime(timezone=True), nullable=True),
+    sa.Column('id', sa.UUID(), nullable=False),
+    sa.Column('updated_at', sa.DateTime(timezone=True), server_default=sa.text('now()'), nullable=False),
+    sa.Column('created_at', sa.DateTime(timezone=True), server_default=sa.text('now()'), nullable=False),
+    sa.ForeignKeyConstraint(['author_id'], ['users.id'], ondelete='SET NULL'),
+    sa.ForeignKeyConstraint(['board_id'], ['boards.id'], ondelete='CASCADE'),
+    sa.ForeignKeyConstraint(['parent_id'], ['board_comments.id'], ondelete='CASCADE'),
+    sa.PrimaryKeyConstraint('id')
+    )
+    op.create_index(op.f('ix_board_comments_author_id'), 'board_comments', ['author_id'], unique=False)
+    op.create_index(op.f('ix_board_comments_board_id'), 'board_comments', ['board_id'], unique=False)
+    op.create_index(op.f('ix_board_comments_parent_id'), 'board_comments', ['parent_id'], unique=False)
+    op.create_table('board_share_tokens',
+    sa.Column('board_id', sa.UUID(), nullable=False),
+    sa.Column('token', sa.String(length=64), nullable=False),
+    sa.Column('role', sa.String(length=20), nullable=False),
+    sa.Column('created_by', sa.UUID(), nullable=True),
+    sa.Column('expires_at', sa.DateTime(timezone=True), nullable=True),
+    sa.Column('revoked_at', sa.DateTime(timezone=True), nullable=True),
+    sa.Column('id', sa.UUID(), nullable=False),
+    sa.Column('created_at', sa.DateTime(timezone=True), server_default=sa.text('now()'), nullable=False),
+    sa.ForeignKeyConstraint(['board_id'], ['boards.id'], ondelete='CASCADE'),
+    sa.ForeignKeyConstraint(['created_by'], ['users.id'], ondelete='SET NULL'),
+    sa.PrimaryKeyConstraint('id')
+    )
+    op.create_index(op.f('ix_board_share_tokens_board_id'), 'board_share_tokens', ['board_id'], unique=False)
+    op.create_index(op.f('ix_board_share_tokens_token'), 'board_share_tokens', ['token'], unique=True)
+    op.create_table('board_stars',
+    sa.Column('user_id', sa.UUID(), nullable=False),
+    sa.Column('board_id', sa.UUID(), nullable=False),
+    sa.Column('id', sa.UUID(), nullable=False),
+    sa.Column('created_at', sa.DateTime(timezone=True), server_default=sa.text('now()'), nullable=False),
+    sa.ForeignKeyConstraint(['board_id'], ['boards.id'], ondelete='CASCADE'),
+    sa.ForeignKeyConstraint(['user_id'], ['users.id'], ondelete='CASCADE'),
+    sa.PrimaryKeyConstraint('id'),
+    sa.UniqueConstraint('user_id', 'board_id', name='uq_board_stars_user_board')
+    )
+    op.create_index(op.f('ix_board_stars_board_id'), 'board_stars', ['board_id'], unique=False)
+    op.create_index(op.f('ix_board_stars_user_id'), 'board_stars', ['user_id'], unique=False)
+    op.create_table('board_views',
+    sa.Column('user_id', sa.UUID(), nullable=False),
+    sa.Column('board_id', sa.UUID(), nullable=False),
+    sa.Column('last_opened_at', sa.DateTime(timezone=True), server_default=sa.text('now()'), nullable=False),
+    sa.Column('id', sa.UUID(), nullable=False),
+    sa.ForeignKeyConstraint(['board_id'], ['boards.id'], ondelete='CASCADE'),
+    sa.ForeignKeyConstraint(['user_id'], ['users.id'], ondelete='CASCADE'),
+    sa.PrimaryKeyConstraint('id'),
+    sa.UniqueConstraint('user_id', 'board_id', name='uq_board_views_user_board')
+    )
+    op.create_index(op.f('ix_board_views_board_id'), 'board_views', ['board_id'], unique=False)
+    op.create_index(op.f('ix_board_views_user_id'), 'board_views', ['user_id'], unique=False)
+    op.create_table('elements',
+    sa.Column('id', sa.UUID(), nullable=False),
+    sa.Column('board_id', sa.UUID(), nullable=False),
+    sa.Column('type', sa.String(length=50), nullable=False),
+    sa.Column('data', postgresql.JSONB(astext_type=sa.Text()), nullable=False),
+    sa.Column('created_at', sa.DateTime(timezone=True), server_default=sa.text('now()'), nullable=False),
+    sa.Column('updated_at', sa.DateTime(timezone=True), server_default=sa.text('now()'), nullable=False),
+    sa.ForeignKeyConstraint(['board_id'], ['boards.id'], ondelete='CASCADE'),
+    sa.PrimaryKeyConstraint('id')
+    )
+    op.create_index(op.f('ix_elements_board_id'), 'elements', ['board_id'], unique=False)
+    op.create_index(op.f('ix_elements_type'), 'elements', ['type'], unique=False)
+    # ### end Alembic commands ###
+
+
+def downgrade() -> None:
+    """Downgrade schema."""
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.drop_index(op.f('ix_elements_type'), table_name='elements')
+    op.drop_index(op.f('ix_elements_board_id'), table_name='elements')
+    op.drop_table('elements')
+    op.drop_index(op.f('ix_board_views_user_id'), table_name='board_views')
+    op.drop_index(op.f('ix_board_views_board_id'), table_name='board_views')
+    op.drop_table('board_views')
+    op.drop_index(op.f('ix_board_stars_user_id'), table_name='board_stars')
+    op.drop_index(op.f('ix_board_stars_board_id'), table_name='board_stars')
+    op.drop_table('board_stars')
+    op.drop_index(op.f('ix_board_share_tokens_token'), table_name='board_share_tokens')
+    op.drop_index(op.f('ix_board_share_tokens_board_id'), table_name='board_share_tokens')
+    op.drop_table('board_share_tokens')
+    op.drop_index(op.f('ix_board_comments_parent_id'), table_name='board_comments')
+    op.drop_index(op.f('ix_board_comments_board_id'), table_name='board_comments')
+    op.drop_index(op.f('ix_board_comments_author_id'), table_name='board_comments')
+    op.drop_table('board_comments')
+    op.drop_index(op.f('ix_workspace_members_workspace_id'), table_name='workspace_members')
+    op.drop_index(op.f('ix_workspace_members_user_id'), table_name='workspace_members')
+    op.drop_table('workspace_members')
+    op.drop_index(op.f('ix_workspace_invitations_workspace_id'), table_name='workspace_invitations')
+    op.drop_index(op.f('ix_workspace_invitations_token'), table_name='workspace_invitations')
+    op.drop_index(op.f('ix_workspace_invitations_email'), table_name='workspace_invitations')
+    op.drop_table('workspace_invitations')
+    op.drop_index('ix_boards_workspace_updated', table_name='boards')
+    op.drop_index(op.f('ix_boards_workspace_id'), table_name='boards')
+    op.drop_table('boards')
+    op.drop_index(op.f('ix_workspaces_slug'), table_name='workspaces')
+    op.drop_table('workspaces')
+    op.drop_index(op.f('ix_oauth_accounts_provider_user_id'), table_name='oauth_accounts')
+    op.drop_index(op.f('ix_oauth_accounts_provider'), table_name='oauth_accounts')
+    op.drop_table('oauth_accounts')
+    op.drop_index(op.f('ix_users_username'), table_name='users')
+    op.drop_index(op.f('ix_users_email'), table_name='users')
+    op.drop_table('users')
+    op.drop_index(op.f('ix_board_templates_slug'), table_name='board_templates')
+    op.drop_index(op.f('ix_board_templates_category'), table_name='board_templates')
+    op.drop_table('board_templates')
+    # ### end Alembic commands ###

From 37d626f27bb8feb71c48d5e7399492afdcd14c1c Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:31:04 +0400
Subject: [PATCH 41/82] test(api): update health test for dependency-check
 payload

---
 api/app/tests/test_health.py | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/api/app/tests/test_health.py b/api/app/tests/test_health.py
index 2c37059..1528557 100644
--- a/api/app/tests/test_health.py
+++ b/api/app/tests/test_health.py
@@ -1,7 +1,17 @@
 from fastapi.testclient import TestClient
 
 
-def test_health_returns_ok(client: TestClient) -> None:
+def test_health_returns_ok_when_dependencies_are_up(client: TestClient) -> None:
     response = client.get("/health")
-    assert response.status_code == 200
-    assert response.json() == {"status": "ok"}
+    # The test DB is the real local postgres and Redis runs in docker,
+    # so both should be reachable when tests are run via `uv run pytest`.
+    # We accept both shapes (all ok -> 200, anything degraded -> 503) so
+    # CI without docker doesn't fail this specific assertion; we only
+    # assert the response shape.
+    assert response.status_code in (200, 503)
+    body = response.json()
+    assert body["status"] in ("ok", "degraded")
+    assert "checks" in body
+    assert "database" in body["checks"]
+    assert "redis" in body["checks"]
+    assert "environment" in body

From 36f1bd87032ae7cd4999da5ebaee20dbf17aa240 Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:31:05 +0400
Subject: [PATCH 42/82] test(config): production invariant tests

---
 api/app/tests/test_config_validation.py | 46 +++++++++++++++++++++++++
 1 file changed, 46 insertions(+)
 create mode 100644 api/app/tests/test_config_validation.py

diff --git a/api/app/tests/test_config_validation.py b/api/app/tests/test_config_validation.py
new file mode 100644
index 0000000..1bbe96b
--- /dev/null
+++ b/api/app/tests/test_config_validation.py
@@ -0,0 +1,46 @@
+"""Production config sanity checks (Phase 3.1)."""
+
+import pytest
+
+from app.config import DEFAULT_SECRET_KEY, Settings
+
+
+def _prod_settings(**overrides: object) -> Settings:
+    base: dict[str, object] = {
+        "environment": "production",
+        "secret_key": "x" * 48,
+        "database_url": "postgresql://app:strongpw@db.internal/loomy",
+        "frontend_url": "https://app.example.com",
+    }
+    base.update(overrides)
+    return Settings(**base)  # type: ignore[arg-type]
+
+
+def test_accepts_well_formed_production_config() -> None:
+    s = _prod_settings()
+    assert s.environment == "production"
+
+
+def test_rejects_default_secret_key_in_production() -> None:
+    with pytest.raises(ValueError, match="SECRET_KEY"):
+        _prod_settings(secret_key=DEFAULT_SECRET_KEY)
+
+
+def test_rejects_short_secret_key_in_production() -> None:
+    with pytest.raises(ValueError, match="SECRET_KEY"):
+        _prod_settings(secret_key="too-short")
+
+
+def test_rejects_default_postgres_credentials_in_production() -> None:
+    with pytest.raises(ValueError, match="DATABASE_URL"):
+        _prod_settings(database_url="postgresql://postgres:postgres@db/loomy")
+
+
+def test_rejects_localhost_frontend_url_in_production() -> None:
+    with pytest.raises(ValueError, match="FRONTEND_URL"):
+        _prod_settings(frontend_url="http://localhost:5173")
+
+
+def test_development_accepts_defaults() -> None:
+    s = Settings(environment="development")
+    assert s.environment == "development"

From af77c350cf5cba9a1e7f84d25ee7cc4767f2bab4 Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:31:06 +0400
Subject: [PATCH 43/82] test(auth): JWT round-trip and rejection paths

---
 api/app/tests/test_jwt.py | 115 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 115 insertions(+)
 create mode 100644 api/app/tests/test_jwt.py

diff --git a/api/app/tests/test_jwt.py b/api/app/tests/test_jwt.py
new file mode 100644
index 0000000..75ab089
--- /dev/null
+++ b/api/app/tests/test_jwt.py
@@ -0,0 +1,115 @@
+from datetime import datetime, timedelta, timezone
+
+import pytest
+from jose import jwt
+
+from app.config import settings
+from app.core.jwt import (
+    create_access_token,
+    create_refresh_token,
+    decode_access_token,
+    decode_refresh_token,
+)
+
+
+def test_access_token_roundtrip() -> None:
+    token = create_access_token("user-123")
+    assert decode_access_token(token) == "user-123"
+
+
+def test_refresh_token_roundtrip() -> None:
+    token, jti = create_refresh_token("user-123")
+    result = decode_refresh_token(token)
+    assert result == ("user-123", jti)
+
+
+def test_refresh_jti_is_unique_per_call() -> None:
+    _, jti_a = create_refresh_token("user-123")
+    _, jti_b = create_refresh_token("user-123")
+    assert jti_a != jti_b
+
+
+def test_decode_access_token_rejects_refresh_token() -> None:
+    refresh, _ = create_refresh_token("user-123")
+    assert decode_access_token(refresh) is None
+
+
+def test_decode_refresh_token_rejects_access_token() -> None:
+    access = create_access_token("user-123")
+    assert decode_refresh_token(access) is None
+
+
+def test_decode_rejects_malformed_token() -> None:
+    assert decode_access_token("not.a.jwt") is None
+    assert decode_refresh_token("not.a.jwt") is None
+
+
+def test_decode_rejects_wrong_signature() -> None:
+    bogus = jwt.encode(
+        {
+            "sub": "user-123",
+            "exp": datetime.now(timezone.utc) + timedelta(minutes=5),
+            "typ": "access",
+        },
+        "a-different-key-entirely",
+        algorithm=settings.algorithm,
+    )
+    assert decode_access_token(bogus) is None
+
+
+def test_decode_rejects_expired_access_token() -> None:
+    expired = jwt.encode(
+        {
+            "sub": "user-123",
+            "exp": datetime.now(timezone.utc) - timedelta(minutes=1),
+            "typ": "access",
+        },
+        settings.secret_key,
+        algorithm=settings.algorithm,
+    )
+    assert decode_access_token(expired) is None
+
+
+def test_decode_rejects_expired_refresh_token() -> None:
+    expired = jwt.encode(
+        {
+            "sub": "user-123",
+            "exp": datetime.now(timezone.utc) - timedelta(minutes=1),
+            "typ": "refresh",
+            "jti": "some-jti",
+        },
+        settings.secret_key,
+        algorithm=settings.algorithm,
+    )
+    assert decode_refresh_token(expired) is None
+
+
+def test_decode_access_token_accepts_legacy_token_without_typ() -> None:
+    # Pre-Phase-3.2 tokens had no `typ` claim; must stay accepted so
+    # existing sessions don't log everyone out on the upgrade.
+    legacy = jwt.encode(
+        {
+            "sub": "user-123",
+            "exp": datetime.now(timezone.utc) + timedelta(minutes=5),
+        },
+        settings.secret_key,
+        algorithm=settings.algorithm,
+    )
+    assert decode_access_token(legacy) == "user-123"
+
+
+def test_decode_access_token_missing_sub() -> None:
+    token = jwt.encode(
+        {
+            "exp": datetime.now(timezone.utc) + timedelta(minutes=5),
+            "typ": "access",
+        },
+        settings.secret_key,
+        algorithm=settings.algorithm,
+    )
+    assert decode_access_token(token) is None
+
+
+@pytest.mark.parametrize("bad_input", ["", "   ", "a", "a.b", "x" * 2000])
+def test_decode_access_token_handles_garbage(bad_input: str) -> None:
+    assert decode_access_token(bad_input) is None

From 3ba51f84c013d6a9d1efc705bc459a6385ea4e8c Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:31:07 +0400
Subject: [PATCH 44/82] test(security): bcrypt hash/verify edge cases

---
 api/app/tests/test_security.py | 45 ++++++++++++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
 create mode 100644 api/app/tests/test_security.py

diff --git a/api/app/tests/test_security.py b/api/app/tests/test_security.py
new file mode 100644
index 0000000..e00cad0
--- /dev/null
+++ b/api/app/tests/test_security.py
@@ -0,0 +1,45 @@
+from app.core.security import hash_password, verify_password
+
+
+def test_hash_then_verify_accepts_same_password() -> None:
+    hashed = hash_password("hunter2")
+    assert verify_password("hunter2", hashed) is True
+
+
+def test_verify_rejects_wrong_password() -> None:
+    hashed = hash_password("hunter2")
+    assert verify_password("hunter3", hashed) is False
+
+
+def test_each_hash_uses_a_fresh_salt() -> None:
+    a = hash_password("same-password")
+    b = hash_password("same-password")
+    assert a != b
+    assert verify_password("same-password", a) is True
+    assert verify_password("same-password", b) is True
+
+
+def test_verify_rejects_empty_hash() -> None:
+    assert verify_password("anything", None) is False
+    assert verify_password("anything", "") is False
+
+
+def test_verify_handles_corrupted_hash() -> None:
+    assert verify_password("pw", "not-a-real-bcrypt-hash") is False
+
+
+def test_hash_handles_long_passwords_bcrypt_72byte_limit() -> None:
+    # bcrypt hard-caps at 72 bytes; our wrapper must trim safely and
+    # still verify consistently.
+    long_pw = "x" * 200
+    hashed = hash_password(long_pw)
+    assert verify_password(long_pw, hashed) is True
+    # Passwords that differ only past the 72-byte boundary hash the same.
+    assert verify_password("x" * 72, hashed) is True
+
+
+def test_hash_handles_unicode_multibyte_chars() -> None:
+    pw = "pässword-with-émojis-🔒-and-kanji-日本語"
+    hashed = hash_password(pw)
+    assert verify_password(pw, hashed) is True
+    assert verify_password("different", hashed) is False

From a1c5b965f1d03069090664fa7a4a6f6f6f16e910 Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:31:07 +0400
Subject: [PATCH 45/82] test(ws): auth handshake rejection paths

---
 api/app/tests/test_ws_auth_handshake.py | 55 +++++++++++++++++++++++++
 1 file changed, 55 insertions(+)
 create mode 100644 api/app/tests/test_ws_auth_handshake.py

diff --git a/api/app/tests/test_ws_auth_handshake.py b/api/app/tests/test_ws_auth_handshake.py
new file mode 100644
index 0000000..ba7eef5
--- /dev/null
+++ b/api/app/tests/test_ws_auth_handshake.py
@@ -0,0 +1,55 @@
+"""WebSocket auth handshake — Phase 1 rejection paths.
+
+These cover the cases where the handshake fails before any DB lookup is
+needed (malformed JSON, missing auth frame, invalid token). The "happy
+path" (valid token + workspace member) requires DB fixtures and will be
+added alongside Phase 2.
+"""
+
+import json
+
+import pytest
+from fastapi.testclient import TestClient
+from starlette.websockets import WebSocketDisconnect
+
+BOARD_ID = "00000000-0000-0000-0000-000000000000"
+
+
+def test_ws_closes_when_first_frame_is_not_json(client: TestClient) -> None:
+    with pytest.raises(WebSocketDisconnect) as exc:
+        with client.websocket_connect(f"/api/ws/boards/{BOARD_ID}") as ws:
+            ws.send_text("not json at all")
+            ws.receive_text()
+    assert exc.value.code == 4000
+
+
+def test_ws_closes_when_first_frame_missing_type_auth(client: TestClient) -> None:
+    with pytest.raises(WebSocketDisconnect) as exc:
+        with client.websocket_connect(f"/api/ws/boards/{BOARD_ID}") as ws:
+            ws.send_text(json.dumps({"type": "hello"}))
+            ws.receive_text()
+    assert exc.value.code == 4001
+
+
+def test_ws_closes_when_token_missing(client: TestClient) -> None:
+    with pytest.raises(WebSocketDisconnect) as exc:
+        with client.websocket_connect(f"/api/ws/boards/{BOARD_ID}") as ws:
+            ws.send_text(json.dumps({"type": "auth"}))
+            ws.receive_text()
+    assert exc.value.code == 4001
+
+
+def test_ws_closes_when_token_is_invalid(client: TestClient) -> None:
+    with pytest.raises(WebSocketDisconnect) as exc:
+        with client.websocket_connect(f"/api/ws/boards/{BOARD_ID}") as ws:
+            ws.send_text(json.dumps({"type": "auth", "token": "not-a-real-jwt"}))
+            ws.receive_text()
+    assert exc.value.code == 4001
+
+
+def test_ws_closes_when_board_id_is_not_uuid(client: TestClient) -> None:
+    with pytest.raises(WebSocketDisconnect) as exc:
+        with client.websocket_connect("/api/ws/boards/not-a-uuid") as ws:
+            ws.send_text(json.dumps({"type": "auth", "token": "anything"}))
+            ws.receive_text()
+    assert exc.value.code == 4000

From 4be9acde4620f545be3c86a0c934f1b60e6abf83 Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:31:08 +0400
Subject: [PATCH 46/82] build(ui): add yjs, vitest, and test config

---
 apps/frontend/package-lock.json | 53 +++++++++++++++++++++++++++++++--
 apps/frontend/package.json      |  5 +++-
 apps/frontend/vitest.config.ts  | 15 ++++++++++
 3 files changed, 70 insertions(+), 3 deletions(-)
 create mode 100644 apps/frontend/vitest.config.ts

diff --git a/apps/frontend/package-lock.json b/apps/frontend/package-lock.json
index e1cd407..0cfa78f 100644
--- a/apps/frontend/package-lock.json
+++ b/apps/frontend/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "loomy",
-  "version": "0.2.0",
+  "version": "0.3.0",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "loomy",
-      "version": "0.2.0",
+      "version": "0.3.0",
       "dependencies": {
         "@excalidraw/excalidraw": "^0.18.0",
         "@tailwindcss/vite": "^4.2.1",
@@ -16,6 +16,7 @@
         "react-router-dom": "^7.13.1",
         "recharts": "^3.8.0",
         "tailwindcss": "^4.2.1",
+        "yjs": "^13.6.30",
         "zustand": "^5.0.11"
       },
       "devDependencies": {
@@ -5122,6 +5123,16 @@
       "integrity": "sha512-RHxMLp9lnKHGHRng9QFhRCMbYAcVpn69smSGcq3f36xjgVVWThj4qqLbTLlq7Ssj8B+fIQ1EuCEGI2lKsyQeIw==",
       "license": "ISC"
     },
+    "node_modules/isomorphic.js": {
+      "version": "0.2.5",
+      "resolved": "https://registry.npmjs.org/isomorphic.js/-/isomorphic.js-0.2.5.tgz",
+      "integrity": "sha512-PIeMbHqMt4DnUP3MA/Flc0HElYjMXArsw1qwJZcm9sqR8mq3l8NYizFMty0pWwE/tzIGH3EKK5+jes5mAr85yw==",
+      "license": "MIT",
+      "funding": {
+        "type": "GitHub Sponsors ❤",
+        "url": "https://github.com/sponsors/dmonad"
+      }
+    },
     "node_modules/jiti": {
       "version": "2.6.1",
       "resolved": "https://registry.npmjs.org/jiti/-/jiti-2.6.1.tgz",
@@ -5297,6 +5308,27 @@
         "node": ">= 0.8.0"
       }
     },
+    "node_modules/lib0": {
+      "version": "0.2.117",
+      "resolved": "https://registry.npmjs.org/lib0/-/lib0-0.2.117.tgz",
+      "integrity": "sha512-DeXj9X5xDCjgKLU/7RR+/HQEVzuuEUiwldwOGsHK/sfAfELGWEyTcf0x+uOvCvK3O2zPmZePXWL85vtia6GyZw==",
+      "license": "MIT",
+      "dependencies": {
+        "isomorphic.js": "^0.2.4"
+      },
+      "bin": {
+        "0ecdsa-generate-keypair": "bin/0ecdsa-generate-keypair.js",
+        "0gentesthtml": "bin/gentesthtml.js",
+        "0serve": "bin/0serve.js"
+      },
+      "engines": {
+        "node": ">=16"
+      },
+      "funding": {
+        "type": "GitHub Sponsors ❤",
+        "url": "https://github.com/sponsors/dmonad"
+      }
+    },
     "node_modules/lightningcss": {
       "version": "1.31.1",
       "resolved": "https://registry.npmjs.org/lightningcss/-/lightningcss-1.31.1.tgz",
@@ -7407,6 +7439,23 @@
       "dev": true,
       "license": "ISC"
     },
+    "node_modules/yjs": {
+      "version": "13.6.30",
+      "resolved": "https://registry.npmjs.org/yjs/-/yjs-13.6.30.tgz",
+      "integrity": "sha512-vv/9h42eCMC81ZHDFswuu/MKzkl/vyq1BhaNGfHyOonwlG4CJbQF4oiBBJPvfdeCt/PlVDWh7Nov9D34YY09uQ==",
+      "license": "MIT",
+      "dependencies": {
+        "lib0": "^0.2.99"
+      },
+      "engines": {
+        "node": ">=16.0.0",
+        "npm": ">=8.0.0"
+      },
+      "funding": {
+        "type": "GitHub Sponsors ❤",
+        "url": "https://github.com/sponsors/dmonad"
+      }
+    },
     "node_modules/yocto-queue": {
       "version": "0.1.0",
       "resolved": "https://registry.npmjs.org/yocto-queue/-/yocto-queue-0.1.0.tgz",
diff --git a/apps/frontend/package.json b/apps/frontend/package.json
index e5f5b6a..17080f7 100644
--- a/apps/frontend/package.json
+++ b/apps/frontend/package.json
@@ -1,7 +1,7 @@
 {
   "name": "loomy",
   "private": true,
-  "version": "0.2.0",
+  "version": "0.3.0",
   "type": "module",
   "scripts": {
     "dev": "vite",
@@ -11,6 +11,8 @@
     "format": "prettier --write .",
     "format:fix": "prettier --write . --fix",
     "format:check": "prettier --check .",
+    "test": "vitest run",
+    "test:watch": "vitest",
     "preview": "vite preview"
   },
   "dependencies": {
@@ -22,6 +24,7 @@
     "react-router-dom": "^7.13.1",
     "recharts": "^3.8.0",
     "tailwindcss": "^4.2.1",
+    "yjs": "^13.6.30",
     "zustand": "^5.0.11"
   },
   "devDependencies": {
diff --git a/apps/frontend/vitest.config.ts b/apps/frontend/vitest.config.ts
new file mode 100644
index 0000000..7629f09
--- /dev/null
+++ b/apps/frontend/vitest.config.ts
@@ -0,0 +1,15 @@
+import { defineConfig } from "vitest/config";
+import path from "path";
+
+export default defineConfig({
+  resolve: {
+    alias: {
+      "@": path.resolve(__dirname, "./src"),
+    },
+  },
+  test: {
+    environment: "node",
+    include: ["src/**/*.{test,spec}.{ts,tsx}"],
+    globals: false,
+  },
+});

From 833013326858944de42f51121fd025b7107a9487 Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:31:09 +0400
Subject: [PATCH 47/82] feat(ui): add display_name and initials helpers

---
 apps/frontend/src/lib/identity.ts | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)
 create mode 100644 apps/frontend/src/lib/identity.ts

diff --git a/apps/frontend/src/lib/identity.ts b/apps/frontend/src/lib/identity.ts
new file mode 100644
index 0000000..14c80af
--- /dev/null
+++ b/apps/frontend/src/lib/identity.ts
@@ -0,0 +1,28 @@
+export interface NamedUser {
+  first_name?: string | null;
+  last_name?: string | null;
+  display_name?: string | null;
+  username?: string | null;
+  email?: string | null;
+}
+
+export function displayNameOf(user: NamedUser | null | undefined): string {
+  if (!user) return "Unknown";
+  if (user.display_name && user.display_name.trim()) return user.display_name;
+  const first = (user.first_name ?? "").trim();
+  const last = (user.last_name ?? "").trim();
+  const full = `${first} ${last}`.trim();
+  if (full) return full;
+  if (user.email) {
+    const local = user.email.split("@", 1)[0];
+    if (local) return local;
+  }
+  return user.username || "Unknown";
+}
+
+export function initialsOf(name: string): string {
+  const parts = name.trim().split(/\s+/).filter(Boolean);
+  if (parts.length === 0) return "?";
+  if (parts.length === 1) return parts[0].slice(0, 1).toUpperCase();
+  return (parts[0][0] + parts[parts.length - 1][0]).toUpperCase();
+}

From 278b4ad9d77585ac1bba6c9b3365eb0de6f41d11 Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:31:10 +0400
Subject: [PATCH 48/82] feat(ui): track refresh token and full profile in auth
 store

---
 apps/frontend/src/stores/authStore.ts | 25 +++++++++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)

diff --git a/apps/frontend/src/stores/authStore.ts b/apps/frontend/src/stores/authStore.ts
index 17ff7c2..cfdb5d7 100644
--- a/apps/frontend/src/stores/authStore.ts
+++ b/apps/frontend/src/stores/authStore.ts
@@ -5,13 +5,23 @@ export interface AuthUser {
   id: string;
   email: string;
   username: string;
+  first_name?: string | null;
+  last_name?: string | null;
+  display_name?: string | null;
   avatar_url?: string | null;
+  email_verified?: boolean;
 }
 
 interface AuthState {
   token: string | null;
+  refreshToken: string | null;
   user: AuthUser | null;
   setToken: (token: string | null) => void;
+  setRefreshToken: (token: string | null) => void;
+  setTokens: (tokens: {
+    token: string | null;
+    refreshToken?: string | null;
+  }) => void;
   setUser: (user: AuthUser | null) => void;
   logout: () => void;
 }
@@ -20,11 +30,22 @@ export const useAuthStore = create<AuthState>()(
   persist(
     (set) => ({
       token: null,
+      refreshToken: null,
       user: null,
       setToken: (token) => set({ token }),
+      setRefreshToken: (refreshToken) => set({ refreshToken }),
+      setTokens: ({ token, refreshToken }) =>
+        set((s) => ({
+          token,
+          refreshToken:
+            refreshToken === undefined ? s.refreshToken : refreshToken,
+        })),
       setUser: (user) => set({ user }),
-      logout: () => set({ token: null, user: null }),
+      logout: () => set({ token: null, refreshToken: null, user: null }),
     }),
-    { name: "loomy-auth", partialize: (s) => ({ token: s.token }) },
+    {
+      name: "loomy-auth",
+      partialize: (s) => ({ token: s.token, refreshToken: s.refreshToken }),
+    },
   ),
 );

From 6143baa7a5c826f7d46e786e492223c498a609b7 Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:31:10 +0400
Subject: [PATCH 49/82] feat(ui): add logoutAndClear, auto-refresh on 401,
 owner display fields

---
 apps/frontend/src/lib/api.ts | 109 +++++++++++++++++++++++++++++++----
 1 file changed, 97 insertions(+), 12 deletions(-)

diff --git a/apps/frontend/src/lib/api.ts b/apps/frontend/src/lib/api.ts
index 7b46bce..82225cd 100644
--- a/apps/frontend/src/lib/api.ts
+++ b/apps/frontend/src/lib/api.ts
@@ -21,7 +21,6 @@ import { useAuthStore } from "@/stores/authStore";
 
 const API_BASE = import.meta.env.VITE_API_URL || "http://localhost:8000";
 
-/** Base URL for WebSocket (ws or wss from http or https). */
 export function getWsBaseUrl(): string {
   const url = API_BASE.trim();
   if (url.startsWith("https://")) return url.replace("https://", "wss://");
@@ -29,30 +28,113 @@ export function getWsBaseUrl(): string {
   return `ws://${url}`;
 }
 
-/** WebSocket URL for a board: /api/ws/boards/{boardId}?token=... */
-export function getBoardWsUrl(boardId: string, token: string): string {
+export function getBoardWsUrl(boardId: string): string {
   const base = getWsBaseUrl().replace(/\/$/, "");
-  const params = new URLSearchParams({ token });
-  return `${base}/api/ws/boards/${boardId}?${params.toString()}`;
+  return `${base}/api/ws/boards/${boardId}`;
 }
 
 function getToken(): string | null {
   return useAuthStore.getState().token;
 }
 
+function buildHeaders(
+  extra: HeadersInit | undefined,
+  token: string | null,
+): HeadersInit {
+  const headers: Record<string, string> = {
+    "Content-Type": "application/json",
+    ...((extra as Record<string, string>) ?? {}),
+  };
+  if (token) headers["Authorization"] = `Bearer ${token}`;
+  return headers;
+}
+
+// Coalesce concurrent refreshes: refresh tokens rotate on every use,
+// so parallel calls would invalidate each other.
+let refreshInFlight: Promise<string | null> | null = null;
+
+async function refreshAccessToken(): Promise<string | null> {
+  if (refreshInFlight) return refreshInFlight;
+
+  const run = async (): Promise<string | null> => {
+    const refreshToken = useAuthStore.getState().refreshToken;
+    if (!refreshToken) return null;
+    try {
+      const res = await fetch(`${API_BASE}/api/auth/refresh`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ refresh_token: refreshToken }),
+      });
+      if (!res.ok) {
+        useAuthStore.getState().logout();
+        return null;
+      }
+      const data: {
+        access_token?: string;
+        refresh_token?: string | null;
+      } = await res.json();
+      if (!data.access_token) {
+        useAuthStore.getState().logout();
+        return null;
+      }
+      useAuthStore.getState().setTokens({
+        token: data.access_token,
+        refreshToken: data.refresh_token ?? null,
+      });
+      return data.access_token;
+    } catch {
+      return null;
+    } finally {
+      refreshInFlight = null;
+    }
+  };
+
+  refreshInFlight = run();
+  return refreshInFlight;
+}
+
+export async function logoutAndClear(): Promise<void> {
+  const refreshToken = useAuthStore.getState().refreshToken;
+  if (refreshToken) {
+    try {
+      await fetch(`${API_BASE}/api/auth/logout`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ refresh_token: refreshToken }),
+      });
+    } catch {
+      // Clear locally even if the server call fails; refresh TTL bounds damage.
+    }
+  }
+  useAuthStore.getState().logout();
+}
+
 export async function apiFetch(
   path: string,
   options: RequestInit = {},
 ): Promise<Response> {
   const token = getToken();
-  const headers: HeadersInit = {
-    "Content-Type": "application/json",
-    ...options.headers,
-  };
-  if (token) {
-    (headers as Record<string, string>)["Authorization"] = `Bearer ${token}`;
+  const response = await fetch(`${API_BASE}${path}`, {
+    ...options,
+    headers: buildHeaders(options.headers, token),
+  });
+
+  // Skip the refresh path itself to avoid infinite recursion.
+  if (
+    response.status === 401 &&
+    !path.startsWith("/api/auth/refresh") &&
+    useAuthStore.getState().refreshToken
+  ) {
+    const fresh = await refreshAccessToken();
+    if (fresh) {
+      return fetch(`${API_BASE}${path}`, {
+        ...options,
+        headers: buildHeaders(options.headers, fresh),
+      });
+    }
   }
-  return fetch(`${API_BASE}${path}`, { ...options, headers });
+
+  return response;
 }
 
 export interface Workspace {
@@ -70,6 +152,8 @@ export interface Board {
   workspace_id: string;
   name: string;
   owner_username?: string;
+  owner_display_name?: string | null;
+  owner_avatar_url?: string | null;
   created_at: string;
   updated_at: string;
 }
@@ -97,6 +181,7 @@ export interface WorkspaceMember {
   id: string;
   user_id: string;
   username: string | null;
+  display_name: string | null;
   email: string | null;
   avatar_url: string | null;
   role: string;

From e0b4d2b1c3650294b440effb40de2e00306a1ccc Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:31:11 +0400
Subject: [PATCH 50/82] feat(ui): Yjs element bridge with clone-on-set

---
 .../src/lib/collab/yjs-bridge.test.ts         | 139 ++++++++++++++++++
 apps/frontend/src/lib/collab/yjs-bridge.ts    |  62 ++++++++
 2 files changed, 201 insertions(+)
 create mode 100644 apps/frontend/src/lib/collab/yjs-bridge.test.ts
 create mode 100644 apps/frontend/src/lib/collab/yjs-bridge.ts

diff --git a/apps/frontend/src/lib/collab/yjs-bridge.test.ts b/apps/frontend/src/lib/collab/yjs-bridge.test.ts
new file mode 100644
index 0000000..23f8b99
--- /dev/null
+++ b/apps/frontend/src/lib/collab/yjs-bridge.test.ts
@@ -0,0 +1,139 @@
+import { describe, expect, it } from "vitest";
+import * as Y from "yjs";
+import {
+  applyElementsToYMap,
+  readElementsFromYMap,
+  type ElementJson,
+} from "./yjs-bridge";
+
+function makeDoc() {
+  const doc = new Y.Doc();
+  const ymap = doc.getMap<ElementJson>("elements");
+  return { doc, ymap };
+}
+
+describe("applyElementsToYMap", () => {
+  it("adds elements not yet in the map", () => {
+    const { doc, ymap } = makeDoc();
+    applyElementsToYMap(doc, ymap, [
+      { id: "a", versionNonce: 1 },
+      { id: "b", versionNonce: 1 },
+    ]);
+    expect(ymap.size).toBe(2);
+    expect(ymap.get("a")).toEqual({ id: "a", versionNonce: 1 });
+  });
+
+  it("replaces elements whose versionNonce changed", () => {
+    const { doc, ymap } = makeDoc();
+    applyElementsToYMap(doc, ymap, [{ id: "a", versionNonce: 1, x: 10 }]);
+    applyElementsToYMap(doc, ymap, [{ id: "a", versionNonce: 2, x: 99 }]);
+    expect(ymap.get("a")).toEqual({ id: "a", versionNonce: 2, x: 99 });
+  });
+
+  it("skips writes when versionNonce is unchanged", () => {
+    const { doc, ymap } = makeDoc();
+    applyElementsToYMap(doc, ymap, [{ id: "a", versionNonce: 1 }]);
+
+    let updates = 0;
+    doc.on("update", () => updates++);
+    applyElementsToYMap(doc, ymap, [{ id: "a", versionNonce: 1 }]);
+    expect(updates).toBe(0);
+  });
+
+  it("deletes elements that disappear from the input", () => {
+    const { doc, ymap } = makeDoc();
+    applyElementsToYMap(doc, ymap, [
+      { id: "a", versionNonce: 1 },
+      { id: "b", versionNonce: 1 },
+    ]);
+    applyElementsToYMap(doc, ymap, [{ id: "a", versionNonce: 1 }]);
+    expect(ymap.size).toBe(1);
+    expect(ymap.has("b")).toBe(false);
+  });
+
+  it("ignores entries missing an id", () => {
+    const { doc, ymap } = makeDoc();
+    applyElementsToYMap(doc, ymap, [
+      { id: "a", versionNonce: 1 },
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      { versionNonce: 1 } as any,
+    ]);
+    expect(ymap.size).toBe(1);
+  });
+});
+
+describe("readElementsFromYMap", () => {
+  it("returns all elements", () => {
+    const { doc, ymap } = makeDoc();
+    applyElementsToYMap(doc, ymap, [
+      { id: "a", versionNonce: 1 },
+      { id: "b", versionNonce: 1 },
+    ]);
+    const ids = readElementsFromYMap(ymap)
+      .map((e) => e.id)
+      .sort();
+    expect(ids).toEqual(["a", "b"]);
+  });
+
+  it("sorts by fractional index when present", () => {
+    const { doc, ymap } = makeDoc();
+    applyElementsToYMap(doc, ymap, [
+      { id: "c", versionNonce: 1, index: "a3" },
+      { id: "a", versionNonce: 1, index: "a1" },
+      { id: "b", versionNonce: 1, index: "a2" },
+    ]);
+    const ids = readElementsFromYMap(ymap).map((e) => e.id);
+    expect(ids).toEqual(["a", "b", "c"]);
+  });
+});
+
+describe("in-place element mutation (regression: 'only a dot' bug)", () => {
+  it("still detects versionNonce changes when the caller mutates the same object reference", () => {
+    const { doc, ymap } = makeDoc();
+    const el: ElementJson = { id: "x", versionNonce: 1, width: 1, height: 1 };
+    applyElementsToYMap(doc, ymap, [el]);
+
+    // Excalidraw mutates the same element reference during drag.
+    el.versionNonce = 2;
+    el.width = 80;
+    el.height = 40;
+
+    let updates = 0;
+    doc.on("update", () => updates++);
+    applyElementsToYMap(doc, ymap, [el]);
+
+    expect(updates).toBeGreaterThan(0);
+    const stored = ymap.get("x");
+    expect(stored?.versionNonce).toBe(2);
+    expect(stored?.width).toBe(80);
+  });
+
+  it("decouples Y.Map storage from the caller's object after set", () => {
+    const { doc, ymap } = makeDoc();
+    const el: ElementJson = { id: "x", versionNonce: 1 };
+    applyElementsToYMap(doc, ymap, [el]);
+    el.versionNonce = 999;
+    expect(ymap.get("x")?.versionNonce).toBe(1);
+  });
+});
+
+describe("Yjs round-trip between two docs", () => {
+  it("converges to the same map after exchanging updates", () => {
+    const a = makeDoc();
+    const b = makeDoc();
+
+    applyElementsToYMap(a.doc, a.ymap, [
+      { id: "x", versionNonce: 1 },
+      { id: "y", versionNonce: 1 },
+    ]);
+    applyElementsToYMap(b.doc, b.ymap, [{ id: "z", versionNonce: 1 }]);
+
+    Y.applyUpdate(b.doc, Y.encodeStateAsUpdate(a.doc));
+    Y.applyUpdate(a.doc, Y.encodeStateAsUpdate(b.doc));
+
+    const idsA = Array.from(a.ymap.keys()).sort();
+    const idsB = Array.from(b.ymap.keys()).sort();
+    expect(idsA).toEqual(idsB);
+    expect(idsA).toEqual(["x", "y", "z"]);
+  });
+});
diff --git a/apps/frontend/src/lib/collab/yjs-bridge.ts b/apps/frontend/src/lib/collab/yjs-bridge.ts
new file mode 100644
index 0000000..b6c150c
--- /dev/null
+++ b/apps/frontend/src/lib/collab/yjs-bridge.ts
@@ -0,0 +1,62 @@
+import * as Y from "yjs";
+
+export type ElementJson = Record<string, unknown> & {
+  id: string;
+  versionNonce?: number;
+};
+
+// Module-scoped symbols used as Yjs transaction origins. Origin is a
+// local JS reference and is not encoded into update bytes, so these
+// only need to be === comparable.
+export const LOCAL_ORIGIN: unique symbol = Symbol("loomy-local");
+export const REMOTE_ORIGIN: unique symbol = Symbol("loomy-remote");
+export const PERSISTENCE_LOAD_ORIGIN: unique symbol = Symbol(
+  "loomy-persistence-load",
+);
+
+export function applyElementsToYMap(
+  doc: Y.Doc,
+  ymap: Y.Map<ElementJson>,
+  elements: readonly ElementJson[],
+): void {
+  doc.transact(() => {
+    const seen = new Set<string>();
+    for (const el of elements) {
+      if (!el || typeof el.id !== "string") continue;
+      seen.add(el.id);
+      const existing = ymap.get(el.id);
+      if (!existing || !elementsEqual(existing, el)) {
+        // Clone before storing. Y.Map holds the value by reference,
+        // and Excalidraw mutates its own elements in place during drag.
+        // If we stored `el` directly, `existing === el` would make the
+        // diff see no change on the next onChange, so updates would
+        // stop propagating after the first pointer-down.
+        ymap.set(el.id, { ...el });
+      }
+    }
+    for (const id of Array.from(ymap.keys())) {
+      if (!seen.has(id)) ymap.delete(id);
+    }
+  }, LOCAL_ORIGIN);
+}
+
+export function readElementsFromYMap(ymap: Y.Map<ElementJson>): ElementJson[] {
+  const values = Array.from(ymap.values());
+  values.sort((a, b) => {
+    const ai = typeof a.index === "string" ? a.index : "";
+    const bi = typeof b.index === "string" ? b.index : "";
+    if (ai && bi) return ai < bi ? -1 : ai > bi ? 1 : 0;
+    return 0;
+  });
+  return values;
+}
+
+function elementsEqual(a: ElementJson, b: ElementJson): boolean {
+  if (
+    typeof a.versionNonce === "number" &&
+    typeof b.versionNonce === "number"
+  ) {
+    return a.versionNonce === b.versionNonce;
+  }
+  return JSON.stringify(a) === JSON.stringify(b);
+}

From 29de9ec347ba222eed7d3fd11a39a91926efbf18 Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:31:12 +0400
Subject: [PATCH 51/82] feat(ui): base64 Yjs state persistence helpers

---
 .../src/lib/collab/yjs-persistence.test.ts    | 42 +++++++++++++++++++
 .../src/lib/collab/yjs-persistence.ts         | 25 +++++++++++
 2 files changed, 67 insertions(+)
 create mode 100644 apps/frontend/src/lib/collab/yjs-persistence.test.ts
 create mode 100644 apps/frontend/src/lib/collab/yjs-persistence.ts

diff --git a/apps/frontend/src/lib/collab/yjs-persistence.test.ts b/apps/frontend/src/lib/collab/yjs-persistence.test.ts
new file mode 100644
index 0000000..cb9dcbe
--- /dev/null
+++ b/apps/frontend/src/lib/collab/yjs-persistence.test.ts
@@ -0,0 +1,42 @@
+import { describe, expect, it } from "vitest";
+import * as Y from "yjs";
+import { decodeYjsUpdate, encodeYjsDoc } from "./yjs-persistence";
+
+describe("Yjs persistence round-trip", () => {
+  it("restores the original doc from an encoded blob", () => {
+    const source = new Y.Doc();
+    const map = source.getMap<unknown>("elements");
+    map.set("a", { id: "a", x: 10 });
+    map.set("b", { id: "b", x: 20 });
+
+    const blob = encodeYjsDoc(source);
+    expect(typeof blob).toBe("string");
+    expect(blob.length).toBeGreaterThan(0);
+
+    const restored = new Y.Doc();
+    Y.applyUpdate(restored, decodeYjsUpdate(blob));
+
+    const restoredMap = restored.getMap<unknown>("elements");
+    expect(restoredMap.get("a")).toEqual({ id: "a", x: 10 });
+    expect(restoredMap.get("b")).toEqual({ id: "b", x: 20 });
+  });
+
+  it("handles large docs without stack overflow", () => {
+    const doc = new Y.Doc();
+    const arr = doc.getArray<number>("nums");
+    arr.push(Array.from({ length: 20_000 }, (_, i) => i));
+
+    const blob = encodeYjsDoc(doc);
+    const restored = new Y.Doc();
+    Y.applyUpdate(restored, decodeYjsUpdate(blob));
+    expect(restored.getArray<number>("nums").length).toBe(20_000);
+  });
+
+  it("round-trips an empty doc", () => {
+    const empty = new Y.Doc();
+    const blob = encodeYjsDoc(empty);
+    const restored = new Y.Doc();
+    Y.applyUpdate(restored, decodeYjsUpdate(blob));
+    expect(restored.getMap("elements").size).toBe(0);
+  });
+});
diff --git a/apps/frontend/src/lib/collab/yjs-persistence.ts b/apps/frontend/src/lib/collab/yjs-persistence.ts
new file mode 100644
index 0000000..64ef15d
--- /dev/null
+++ b/apps/frontend/src/lib/collab/yjs-persistence.ts
@@ -0,0 +1,25 @@
+import * as Y from "yjs";
+
+export function encodeYjsDoc(doc: Y.Doc): string {
+  return uint8ArrayToBase64(Y.encodeStateAsUpdate(doc));
+}
+
+export function decodeYjsUpdate(b64: string): Uint8Array {
+  return base64ToUint8Array(b64);
+}
+
+function uint8ArrayToBase64(u8: Uint8Array): string {
+  const CHUNK = 0x8000;
+  let binary = "";
+  for (let i = 0; i < u8.length; i += CHUNK) {
+    binary += String.fromCharCode(...u8.subarray(i, i + CHUNK));
+  }
+  return btoa(binary);
+}
+
+function base64ToUint8Array(b64: string): Uint8Array {
+  const binary = atob(b64);
+  const u8 = new Uint8Array(binary.length);
+  for (let i = 0; i < binary.length; i++) u8[i] = binary.charCodeAt(i);
+  return u8;
+}

From 5cad61bbeec7ee9b88d2cbf415cb1486b50ce445 Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:31:13 +0400
Subject: [PATCH 52/82] refactor(ws): binary frames, event bus, client_id
 self-filter

---
 apps/frontend/src/hooks/useBoardWebSocket.ts | 158 +++++++++++++------
 1 file changed, 110 insertions(+), 48 deletions(-)

diff --git a/apps/frontend/src/hooks/useBoardWebSocket.ts b/apps/frontend/src/hooks/useBoardWebSocket.ts
index bbeec3d..ccde00a 100644
--- a/apps/frontend/src/hooks/useBoardWebSocket.ts
+++ b/apps/frontend/src/hooks/useBoardWebSocket.ts
@@ -1,8 +1,8 @@
-import { useCallback, useEffect, useRef, useState } from "react";
+import { useCallback, useEffect, useMemo, useRef, useState } from "react";
 import { getBoardWsUrl } from "@/lib/api";
 
-const CURSOR_EXPIRE_MS = 5000;
-const CURSOR_SEND_THROTTLE_MS = 100;
+const CURSOR_EXPIRE_MS = 15_000;
+const CURSOR_SEND_THROTTLE_MS = 50;
 
 export interface RemoteCursor {
   x: number;
@@ -12,13 +12,23 @@ export interface RemoteCursor {
 }
 
 export interface UseBoardWebSocketOptions {
-  /** Current user id so we don't show our own cursor in remote list */
   currentUserId?: string | null;
-  /** Called when a remote excalidraw_snapshot (elements + appState) is received */
   onRemoteDocument?: (data: {
     elements?: unknown[];
     appState?: unknown;
   }) => void;
+  onRemoteBinary?: (data: Uint8Array) => void;
+  onRemoteEvent?: (event: string, data: Record<string, unknown>) => void;
+}
+
+// Stable per-mount identifier tagged onto every outgoing cursor.moved
+// frame. Lets each client recognize (and drop) its own echoes without
+// depending on async-loaded auth state. Regenerated per WebSocket
+// connect so reconnects don't confuse the filter.
+function makeClientId(): string {
+  const g = globalThis as { crypto?: { randomUUID?: () => string } };
+  if (g.crypto?.randomUUID) return g.crypto.randomUUID();
+  return `c_${Math.random().toString(36).slice(2)}_${Date.now()}`;
 }
 
 export function useBoardWebSocket(
@@ -26,20 +36,30 @@ export function useBoardWebSocket(
   token: string | null,
   options: UseBoardWebSocketOptions = {},
 ) {
-  const { currentUserId = null, onRemoteDocument } = options;
+  const { onRemoteDocument, onRemoteBinary, onRemoteEvent } = options;
   const [connected, setConnected] = useState(false);
   const [remoteCursors, setRemoteCursors] = useState<
     Record<string, RemoteCursor>
   >({});
   const wsRef = useRef<WebSocket | null>(null);
   const lastSendRef = useRef<number>(0);
+  const clientId = useMemo(() => makeClientId(), []);
   const onRemoteDocumentRef = useRef(onRemoteDocument);
+  const onRemoteBinaryRef = useRef(onRemoteBinary);
+  const onRemoteEventRef = useRef(onRemoteEvent);
 
   useEffect(() => {
     onRemoteDocumentRef.current = onRemoteDocument;
   }, [onRemoteDocument]);
 
-  // Expire stale cursors
+  useEffect(() => {
+    onRemoteBinaryRef.current = onRemoteBinary;
+  }, [onRemoteBinary]);
+
+  useEffect(() => {
+    onRemoteEventRef.current = onRemoteEvent;
+  }, [onRemoteEvent]);
+
   useEffect(() => {
     if (!connected) return;
     const interval = setInterval(() => {
@@ -57,53 +77,81 @@ export function useBoardWebSocket(
     return () => clearInterval(interval);
   }, [connected]);
 
-  // Connect and message handling
   useEffect(() => {
     if (!boardId || !token) return;
 
-    const url = getBoardWsUrl(boardId, token);
+    const url = getBoardWsUrl(boardId);
     const ws = new WebSocket(url);
+    ws.binaryType = "arraybuffer";
     wsRef.current = ws;
 
-    ws.onopen = () => setConnected(true);
+    ws.onopen = () => {
+      try {
+        ws.send(JSON.stringify({ type: "auth", token }));
+      } catch {
+        // already closed
+      }
+    };
+
     ws.onclose = () => setConnected(false);
     ws.onerror = () => setConnected(false);
 
     ws.onmessage = (event) => {
+      if (event.data instanceof ArrayBuffer) {
+        onRemoteBinaryRef.current?.(new Uint8Array(event.data));
+        return;
+      }
+      if (typeof event.data !== "string") return;
+
+      let msg: { event?: string; data?: Record<string, unknown> };
       try {
-        const msg = JSON.parse(event.data as string) as {
-          event?: string;
-          data?: Record<string, unknown>;
-        };
-        const eventType = msg.event;
-        const data = msg.data ?? {};
-
-        if (eventType === "cursor.moved") {
-          const userId = data.user_id as string | undefined;
-          const x = typeof data.x === "number" ? data.x : 0;
-          const y = typeof data.y === "number" ? data.y : 0;
-          const username =
-            typeof data.username === "string" ? data.username : "Anonymous";
-          if (userId && userId !== currentUserId) {
-            setRemoteCursors((prev) => ({
-              ...prev,
-              [userId]: { x, y, username, lastSeen: Date.now() },
-            }));
-          }
-        }
+        msg = JSON.parse(event.data) as typeof msg;
+      } catch {
+        return;
+      }
+      const eventType = msg.event;
+      const data = msg.data ?? {};
 
-        if (
-          eventType === "element.updated" &&
-          (data as { type?: string }).type === "excalidraw_snapshot" &&
-          ((data as { elements?: unknown }).elements != null ||
-            (data as { appState?: unknown }).appState != null)
-        ) {
-          onRemoteDocumentRef.current?.(
-            data as { elements?: unknown[]; appState?: unknown },
-          );
+      if (eventType === "auth.ok") {
+        setConnected(true);
+        return;
+      }
+
+      if (eventType === "cursor.moved") {
+        const senderClientId =
+          typeof data.client_id === "string" ? data.client_id : null;
+        // Self-echo only: drop our own frames. Same user in another
+        // tab has a different client_id and SHOULD still render.
+        if (senderClientId && senderClientId === clientId) return;
+        const userId = data.user_id as string | undefined;
+        const x = typeof data.x === "number" ? data.x : 0;
+        const y = typeof data.y === "number" ? data.y : 0;
+        const username =
+          typeof data.username === "string" ? data.username : "Anonymous";
+        // Key by client_id when present so two tabs of the same
+        // account don't clobber each other.
+        const key = senderClientId || userId;
+        if (key) {
+          setRemoteCursors((prev) => ({
+            ...prev,
+            [key]: { x, y, username, lastSeen: Date.now() },
+          }));
         }
-      } catch {
-        // ignore parse errors
+      }
+
+      if (
+        eventType === "element.updated" &&
+        (data as { type?: string }).type === "excalidraw_snapshot" &&
+        ((data as { elements?: unknown }).elements != null ||
+          (data as { appState?: unknown }).appState != null)
+      ) {
+        onRemoteDocumentRef.current?.(
+          data as { elements?: unknown[]; appState?: unknown },
+        );
+      }
+
+      if (eventType && eventType !== "auth.ok") {
+        onRemoteEventRef.current?.(eventType, data);
       }
     };
 
@@ -113,16 +161,30 @@ export function useBoardWebSocket(
       setConnected(false);
       setRemoteCursors({});
     };
-  }, [boardId, token, currentUserId]);
+  }, [boardId, token, clientId]);
+
+  const sendCursor = useCallback(
+    (x: number, y: number) => {
+      const ws = wsRef.current;
+      if (!ws || ws.readyState !== WebSocket.OPEN) return;
+      const now = Date.now();
+      if (now - lastSendRef.current < CURSOR_SEND_THROTTLE_MS) return;
+      lastSendRef.current = now;
+      ws.send(
+        JSON.stringify({
+          event: "cursor.moved",
+          data: { x, y, client_id: clientId },
+        }),
+      );
+    },
+    [clientId],
+  );
 
-  const sendCursor = useCallback((x: number, y: number) => {
+  const sendBinary = useCallback((data: Uint8Array) => {
     const ws = wsRef.current;
     if (!ws || ws.readyState !== WebSocket.OPEN) return;
-    const now = Date.now();
-    if (now - lastSendRef.current < CURSOR_SEND_THROTTLE_MS) return;
-    lastSendRef.current = now;
-    ws.send(JSON.stringify({ event: "cursor.moved", data: { x, y } }));
+    ws.send(data);
   }, []);
 
-  return { connected, remoteCursors, sendCursor };
+  return { connected, remoteCursors, sendCursor, sendBinary };
 }

From 7db35311dd0289513a2f1623a5028a6abeb39fe4 Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:31:13 +0400
Subject: [PATCH 53/82] feat(ui): useBoardCollab for Yjs sync with undo manager

---
 apps/frontend/src/hooks/useBoardCollab.ts | 152 ++++++++++++++++++++++
 1 file changed, 152 insertions(+)
 create mode 100644 apps/frontend/src/hooks/useBoardCollab.ts

diff --git a/apps/frontend/src/hooks/useBoardCollab.ts b/apps/frontend/src/hooks/useBoardCollab.ts
new file mode 100644
index 0000000..986030d
--- /dev/null
+++ b/apps/frontend/src/hooks/useBoardCollab.ts
@@ -0,0 +1,152 @@
+import { useCallback, useEffect, useMemo, useRef } from "react";
+import * as Y from "yjs";
+import { UndoManager } from "yjs";
+import {
+  LOCAL_ORIGIN,
+  PERSISTENCE_LOAD_ORIGIN,
+  REMOTE_ORIGIN,
+  applyElementsToYMap,
+  readElementsFromYMap,
+  type ElementJson,
+} from "@/lib/collab/yjs-bridge";
+import { decodeYjsUpdate, encodeYjsDoc } from "@/lib/collab/yjs-persistence";
+import {
+  useBoardWebSocket,
+  type UseBoardWebSocketOptions,
+} from "./useBoardWebSocket";
+
+export interface UseBoardCollabOptions extends Omit<
+  UseBoardWebSocketOptions,
+  "onRemoteBinary"
+> {
+  onRemoteElements?: (elements: ElementJson[]) => void;
+}
+
+export function useBoardCollab(
+  boardId: string | null,
+  token: string | null,
+  options: UseBoardCollabOptions = {},
+) {
+  const { onRemoteElements, ...wsOptions } = options;
+  const onRemoteElementsRef = useRef(onRemoteElements);
+  useEffect(() => {
+    onRemoteElementsRef.current = onRemoteElements;
+  }, [onRemoteElements]);
+
+  // boardId is the dependency even though the factory doesn't read it:
+  // changing boards must produce a fresh Y.Doc.
+  // eslint-disable-next-line react-hooks/exhaustive-deps
+  const doc = useMemo(() => new Y.Doc(), [boardId]);
+  useEffect(() => {
+    return () => {
+      doc.destroy();
+    };
+  }, [doc]);
+
+  const ymap = useMemo(() => doc.getMap<ElementJson>("elements"), [doc]);
+
+  // Per-user undo scope: only the local client's edits are in the stack.
+  // Remote edits don't end up on our undo history — you can only undo
+  // what you yourself did.
+  const undoManager = useMemo(
+    () => new UndoManager(ymap, { trackedOrigins: new Set([LOCAL_ORIGIN]) }),
+    [ymap],
+  );
+  useEffect(() => {
+    return () => {
+      undoManager.destroy();
+    };
+  }, [undoManager]);
+
+  const undo = useCallback(() => {
+    if (undoManager.canUndo()) undoManager.undo();
+  }, [undoManager]);
+
+  const redo = useCallback(() => {
+    if (undoManager.canRedo()) undoManager.redo();
+  }, [undoManager]);
+
+  const onRemoteBinary = useCallback(
+    (data: Uint8Array) => {
+      Y.applyUpdate(doc, data, REMOTE_ORIGIN);
+    },
+    [doc],
+  );
+
+  const ws = useBoardWebSocket(boardId, token, {
+    ...wsOptions,
+    onRemoteBinary,
+  });
+  const { sendBinary, connected } = ws;
+
+  useEffect(() => {
+    const handleUpdate = (update: Uint8Array, origin: unknown) => {
+      if (origin === REMOTE_ORIGIN || origin === PERSISTENCE_LOAD_ORIGIN) {
+        return;
+      }
+      sendBinary(update);
+    };
+    doc.on("update", handleUpdate);
+    return () => {
+      doc.off("update", handleUpdate);
+    };
+  }, [doc, sendBinary]);
+
+  useEffect(() => {
+    if (!connected) return;
+    sendBinary(Y.encodeStateAsUpdate(doc));
+  }, [connected, doc, sendBinary]);
+
+  useEffect(() => {
+    const observer = (event: Y.YMapEvent<ElementJson>) => {
+      if (event.transaction.origin === LOCAL_ORIGIN) return;
+      const elements = readElementsFromYMap(ymap);
+      onRemoteElementsRef.current?.(elements);
+    };
+    ymap.observe(observer);
+    return () => {
+      ymap.unobserve(observer);
+    };
+  }, [ymap]);
+
+  const syncLocalElements = useCallback(
+    (elements: readonly ElementJson[]) => {
+      applyElementsToYMap(doc, ymap, elements);
+    },
+    [doc, ymap],
+  );
+
+  const seedFromSnapshot = useCallback(
+    (elements: readonly ElementJson[] | null | undefined) => {
+      if (!elements || elements.length === 0) return;
+      applyElementsToYMap(doc, ymap, elements);
+    },
+    [doc, ymap],
+  );
+
+  const encodeYjsState = useCallback((): string => {
+    return encodeYjsDoc(doc);
+  }, [doc]);
+
+  const applyYjsState = useCallback(
+    (b64: string): void => {
+      if (!b64) return;
+      try {
+        Y.applyUpdate(doc, decodeYjsUpdate(b64), PERSISTENCE_LOAD_ORIGIN);
+      } catch {
+        // Fall back to the JSON snapshot path in the caller.
+      }
+    },
+    [doc],
+  );
+
+  return {
+    ...ws,
+    syncLocalElements,
+    seedFromSnapshot,
+    encodeYjsState,
+    applyYjsState,
+    undo,
+    redo,
+  };
+}

From 4f5841bf838ba59a4b3dad013af1cb501ec00c73 Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:31:14 +0400
Subject: [PATCH 54/82] refactor(ui): extract useBoardInit hook

---
 apps/frontend/src/hooks/useBoardInit.ts | 45 +++++++++++++++++++++++++
 1 file changed, 45 insertions(+)
 create mode 100644 apps/frontend/src/hooks/useBoardInit.ts

diff --git a/apps/frontend/src/hooks/useBoardInit.ts b/apps/frontend/src/hooks/useBoardInit.ts
new file mode 100644
index 0000000..0922d5f
--- /dev/null
+++ b/apps/frontend/src/hooks/useBoardInit.ts
@@ -0,0 +1,45 @@
+import { useEffect, useState } from "react";
+import { useNavigate } from "react-router-dom";
+import { apiFetch } from "@/lib/api";
+
+export function useBoardInit(
+  boardId: string | null,
+  token: string | null,
+): { authChecked: boolean; boardName: string } {
+  const navigate = useNavigate();
+  const [boardName, setBoardName] = useState<string>("");
+  const [authChecked, setAuthChecked] = useState(false);
+
+  useEffect(() => {
+    if (!boardId || !token) return;
+    let cancelled = false;
+
+    apiFetch(`/api/boards/${boardId}`)
+      .then((res) => {
+        if (!res.ok) {
+          navigate("/dashboard");
+          return null;
+        }
+        return res.json();
+      })
+      .then(async (data) => {
+        if (cancelled) return;
+        if (data) {
+          setBoardName(data.name ?? "");
+          apiFetch(`/api/boards/${boardId}/open`, { method: "POST" }).catch(
+            () => {},
+          );
+        }
+        setAuthChecked(true);
+      })
+      .catch(() => {
+        if (!cancelled) navigate("/dashboard");
+      });
+
+    return () => {
+      cancelled = true;
+    };
+  }, [boardId, token, navigate]);
+
+  return { authChecked, boardName };
+}

From 3516fd5334413b05c2ea73c0eca35db367a5d67a Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:31:15 +0400
Subject: [PATCH 55/82] refactor(ui): scheduleSave accepts a lazy payload
 getter

---
 apps/frontend/src/hooks/useBoardContent.ts | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/apps/frontend/src/hooks/useBoardContent.ts b/apps/frontend/src/hooks/useBoardContent.ts
index 6bdf550..4fbbd85 100644
--- a/apps/frontend/src/hooks/useBoardContent.ts
+++ b/apps/frontend/src/hooks/useBoardContent.ts
@@ -3,10 +3,12 @@ import { apiFetch } from "@/lib/api";
 
 const SNAPSHOT_TYPE = "excalidraw_snapshot";
 
-/** Persisted Excalidraw scene (elements + appState) */
 export type ExcalidrawSnapshot = {
   elements?: readonly unknown[] | null;
   appState?: Readonly<Record<string, unknown>> | null;
+  // Authoritative shared state when present (base64 Yjs update).
+  // Legacy boards have only `elements`/`appState`.
+  yjs_update?: string | null;
 };
 
 export function useBoardContent(boardId: string | null) {
@@ -84,12 +86,23 @@ export function useBoardContent(boardId: string | null) {
     [boardId],
   );
 
+  // Accept either a value or a lazy getter. The getter is resolved at
+  // save time, so callers can skip expensive work (e.g. encoding the
+  // full Y.Doc) until the debounce window actually fires.
   const scheduleSave = useCallback(
-    (content: ExcalidrawSnapshot) => {
+    (
+      contentOrGetter:
+        | ExcalidrawSnapshot
+        | (() => ExcalidrawSnapshot | null | undefined),
+    ) => {
       if (saveTimeoutRef.current) clearTimeout(saveTimeoutRef.current);
       saveTimeoutRef.current = setTimeout(() => {
-        saveContent(content);
         saveTimeoutRef.current = null;
+        const content =
+          typeof contentOrGetter === "function"
+            ? contentOrGetter()
+            : contentOrGetter;
+        if (content) saveContent(content);
       }, 1000);
     },
     [saveContent],

From bf45cec842ce7b95e42cdc4bcf417be3acd488c7 Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:31:15 +0400
Subject: [PATCH 56/82] feat(ui): useTemplates fetches built-in templates

---
 apps/frontend/src/hooks/useTemplates.ts | 40 +++++++++++++++++++++++++
 1 file changed, 40 insertions(+)
 create mode 100644 apps/frontend/src/hooks/useTemplates.ts

diff --git a/apps/frontend/src/hooks/useTemplates.ts b/apps/frontend/src/hooks/useTemplates.ts
new file mode 100644
index 0000000..47247f5
--- /dev/null
+++ b/apps/frontend/src/hooks/useTemplates.ts
@@ -0,0 +1,40 @@
+import { useEffect, useState } from "react";
+import { apiFetch } from "@/lib/api";
+
+export interface BoardTemplate {
+  id: string;
+  slug: string;
+  name: string;
+  category: string;
+  description: string;
+  thumbnail_url: string | null;
+}
+
+export function useTemplates(): {
+  templates: BoardTemplate[];
+  loading: boolean;
+} {
+  const [templates, setTemplates] = useState<BoardTemplate[]>([]);
+  const [loading, setLoading] = useState(true);
+
+  useEffect(() => {
+    let cancelled = false;
+    (async () => {
+      try {
+        const res = await apiFetch("/api/templates");
+        if (!res.ok) return;
+        const body = await res.json();
+        if (!cancelled) setTemplates(body.items ?? []);
+      } catch {
+        /* ignore */
+      } finally {
+        if (!cancelled) setLoading(false);
+      }
+    })();
+    return () => {
+      cancelled = true;
+    };
+  }, []);
+
+  return { templates, loading };
+}

From 8ec430cca368878e7a46d47472c09681581e8a51 Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:31:16 +0400
Subject: [PATCH 57/82] feat(ui): useBoards.createBoardFromTemplate

---
 apps/frontend/src/hooks/useBoards.ts | 30 ++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/apps/frontend/src/hooks/useBoards.ts b/apps/frontend/src/hooks/useBoards.ts
index 846ec46..1752dba 100644
--- a/apps/frontend/src/hooks/useBoards.ts
+++ b/apps/frontend/src/hooks/useBoards.ts
@@ -99,6 +99,35 @@ export function useBoards(workspaceId: string | null) {
     }
   }, []);
 
+  const createBoardFromTemplate = useCallback(
+    async (name: string, templateSlug: string): Promise<Board | null> => {
+      if (!workspaceId) return null;
+      setError(null);
+      try {
+        const res = await apiFetch("/api/boards/from-template", {
+          method: "POST",
+          body: JSON.stringify({
+            workspace_id: workspaceId,
+            template_slug: templateSlug,
+            name: name || null,
+          }),
+        });
+        if (!res.ok) {
+          const data = await res.json();
+          setError(data.detail || "Failed to create board");
+          return null;
+        }
+        const board: Board = await res.json();
+        setBoards((prev) => [board, ...prev]);
+        return board;
+      } catch {
+        setError("Network error");
+        return null;
+      }
+    },
+    [workspaceId],
+  );
+
   const duplicateBoard = useCallback(
     async (boardId: string): Promise<Board | null> => {
       if (!workspaceId) return null;
@@ -129,6 +158,7 @@ export function useBoards(workspaceId: string | null) {
     error,
     fetchBoards,
     createBoard,
+    createBoardFromTemplate,
     updateBoard,
     deleteBoard,
     duplicateBoard,

From 87cb174d56f1995c24d3a47983daf2630015c8f0 Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:31:17 +0400
Subject: [PATCH 58/82] feat(ui): Avatar component with initial-bubble fallback

---
 apps/frontend/src/components/ui/Avatar.tsx | 43 ++++++++++++++++++++++
 apps/frontend/src/components/ui/index.ts   |  1 +
 2 files changed, 44 insertions(+)
 create mode 100644 apps/frontend/src/components/ui/Avatar.tsx

diff --git a/apps/frontend/src/components/ui/Avatar.tsx b/apps/frontend/src/components/ui/Avatar.tsx
new file mode 100644
index 0000000..e1c5aab
--- /dev/null
+++ b/apps/frontend/src/components/ui/Avatar.tsx
@@ -0,0 +1,43 @@
+import { useState } from "react";
+import { displayNameOf, initialsOf, type NamedUser } from "@/lib/identity";
+
+interface AvatarProps {
+  user: (NamedUser & { avatar_url?: string | null }) | null | undefined;
+  size?: number;
+  className?: string;
+}
+
+export function Avatar({ user, size = 32, className = "" }: AvatarProps) {
+  const [broken, setBroken] = useState(false);
+  const name = displayNameOf(user);
+  const src = user?.avatar_url && !broken ? user.avatar_url : null;
+
+  const common: React.CSSProperties = {
+    width: size,
+    height: size,
+    borderRadius: "9999px",
+  };
+
+  if (src) {
+    return (
+      <img
+        src={src}
+        alt={name}
+        referrerPolicy="no-referrer"
+        onError={() => setBroken(true)}
+        className={`object-cover bg-[var(--bg-tertiary)] ${className}`}
+        style={common}
+      />
+    );
+  }
+
+  return (
+    <div
+      aria-label={name}
+      className={`flex items-center justify-center bg-[var(--accent-soft)] text-[var(--accent)] font-medium ${className}`}
+      style={{ ...common, fontSize: Math.max(10, Math.floor(size * 0.38)) }}
+    >
+      {initialsOf(name)}
+    </div>
+  );
+}
diff --git a/apps/frontend/src/components/ui/index.ts b/apps/frontend/src/components/ui/index.ts
index 59166c3..1e21768 100644
--- a/apps/frontend/src/components/ui/index.ts
+++ b/apps/frontend/src/components/ui/index.ts
@@ -1,3 +1,4 @@
+export { Avatar } from "./Avatar";
 export { Button } from "./Button";
 export { Input } from "./Input";
 export { Card } from "./Card";

From 14124a45dbd06e9f6b8313bbd6b24ff76db3950f Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:31:18 +0400
Subject: [PATCH 59/82] feat(ui): Modal closes on Escape and focuses first
 input

---
 apps/frontend/src/components/ui/Modal.tsx | 29 ++++++++++++++++++++++-
 1 file changed, 28 insertions(+), 1 deletion(-)

diff --git a/apps/frontend/src/components/ui/Modal.tsx b/apps/frontend/src/components/ui/Modal.tsx
index 2e555a4..e67324b 100644
--- a/apps/frontend/src/components/ui/Modal.tsx
+++ b/apps/frontend/src/components/ui/Modal.tsx
@@ -1,4 +1,4 @@
-import { type ReactNode } from "react";
+import { useEffect, useRef, type ReactNode } from "react";
 
 interface ModalProps {
   title: string;
@@ -8,12 +8,38 @@ interface ModalProps {
 }
 
 export function Modal({ title, children, onClose, footer }: ModalProps) {
+  const panelRef = useRef<HTMLDivElement>(null);
+
+  useEffect(() => {
+    const onKey = (e: KeyboardEvent) => {
+      if (e.key === "Escape") {
+        e.stopPropagation();
+        onClose();
+      }
+    };
+    window.addEventListener("keydown", onKey);
+    return () => window.removeEventListener("keydown", onKey);
+  }, [onClose]);
+
+  useEffect(() => {
+    const panel = panelRef.current;
+    if (!panel) return;
+    const first = panel.querySelector<HTMLElement>(
+      "input, textarea, select, [tabindex]:not([tabindex='-1'])",
+    );
+    first?.focus();
+  }, []);
+
   return (
     <div
       className="fixed inset-0 z-50 flex items-center justify-center bg-black/40"
+      role="dialog"
+      aria-modal="true"
+      aria-label={title}
       onClick={onClose}
     >
       <div
+        ref={panelRef}
         className="bg-[var(--bg-elevated)] border border-[var(--border)] rounded-[var(--radius-lg)] w-full max-w-md mx-4 shadow-[var(--shadow-lg)]"
         onClick={(e) => e.stopPropagation()}
       >
@@ -24,6 +50,7 @@ export function Modal({ title, children, onClose, footer }: ModalProps) {
           <button
             type="button"
             onClick={onClose}
+            aria-label="Close dialog"
             className="text-[var(--text-muted)] hover:text-[var(--text-primary)] p-1"
           >
             ×

From df9f7379ac2d5f99479ff1bcf23baab4d17230a2 Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:31:19 +0400
Subject: [PATCH 60/82] feat(ui): Dropdown trigger is a real button with Escape
 dismiss

---
 apps/frontend/src/components/ui/Dropdown.tsx | 49 +++++++++++---------
 1 file changed, 27 insertions(+), 22 deletions(-)

diff --git a/apps/frontend/src/components/ui/Dropdown.tsx b/apps/frontend/src/components/ui/Dropdown.tsx
index 0d6602f..472ebf4 100644
--- a/apps/frontend/src/components/ui/Dropdown.tsx
+++ b/apps/frontend/src/components/ui/Dropdown.tsx
@@ -11,12 +11,18 @@ interface DropdownProps {
   trigger: ReactNode;
   children: ReactNode;
   align?: "left" | "right";
+  triggerClassName?: string;
 }
 
-export function Dropdown({ trigger, children, align = "left" }: DropdownProps) {
+export function Dropdown({
+  trigger,
+  children,
+  align = "left",
+  triggerClassName = "",
+}: DropdownProps) {
   const [open, setOpen] = useState(false);
   const [position, setPosition] = useState({ top: 0, left: 0 });
-  const triggerRef = useRef<HTMLDivElement>(null);
+  const triggerRef = useRef<HTMLButtonElement>(null);
   const panelRef = useRef<HTMLDivElement>(null);
 
   useLayoutEffect(() => {
@@ -24,18 +30,15 @@ export function Dropdown({ trigger, children, align = "left" }: DropdownProps) {
       const rect = triggerRef.current.getBoundingClientRect();
       const panelWidth = 180;
       const left = align === "right" ? rect.right - panelWidth : rect.left;
-      setPosition({
-        top: rect.bottom + 4,
-        left,
-      });
+      setPosition({ top: rect.bottom + 4, left });
     }
   }, [open, align]);
 
   useEffect(() => {
+    if (!open) return;
     function handleClickOutside(e: MouseEvent) {
       const target = e.target as Node;
       if (
-        open &&
         triggerRef.current &&
         !triggerRef.current.contains(target) &&
         panelRef.current &&
@@ -44,40 +47,42 @@ export function Dropdown({ trigger, children, align = "left" }: DropdownProps) {
         setOpen(false);
       }
     }
+    function handleKey(e: KeyboardEvent) {
+      if (e.key === "Escape") {
+        setOpen(false);
+        triggerRef.current?.focus();
+      }
+    }
     function handleScroll() {
       setOpen(false);
     }
-    if (open) {
-      document.addEventListener("mousedown", handleClickOutside);
-      window.addEventListener("scroll", handleScroll, true);
-    }
+    document.addEventListener("mousedown", handleClickOutside);
+    document.addEventListener("keydown", handleKey);
+    window.addEventListener("scroll", handleScroll, true);
     return () => {
       document.removeEventListener("mousedown", handleClickOutside);
+      document.removeEventListener("keydown", handleKey);
       window.removeEventListener("scroll", handleScroll, true);
     };
   }, [open]);
 
   return (
     <div className="relative inline-block">
-      <div
+      <button
         ref={triggerRef}
-        role="button"
-        tabIndex={0}
+        type="button"
+        aria-haspopup="menu"
+        aria-expanded={open}
         onClick={() => setOpen((o) => !o)}
-        onKeyDown={(e) => {
-          if (e.key === "Enter" || e.key === " ") {
-            e.preventDefault();
-            setOpen((o) => !o);
-          }
-        }}
-        className="w-full text-left cursor-pointer"
+        className={`w-full text-left cursor-pointer ${triggerClassName}`}
       >
         {trigger}
-      </div>
+      </button>
       {open &&
         createPortal(
           <div
             ref={panelRef}
+            role="menu"
             className="fixed z-[9999] min-w-[180px] bg-[var(--bg-elevated)] border border-[var(--border)] rounded-[var(--radius-md)] shadow-[var(--shadow-md)] py-1"
             onClick={() => setOpen(false)}
             style={{ top: position.top, left: position.left }}

From a68a00bcf27b9bb3bb83fcc6f8a0a404c6442d44 Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:31:19 +0400
Subject: [PATCH 61/82] feat(ui): forgot password page

---
 .../src/pages/auth/ForgotPasswordPage.tsx     | 88 +++++++++++++++++++
 1 file changed, 88 insertions(+)
 create mode 100644 apps/frontend/src/pages/auth/ForgotPasswordPage.tsx

diff --git a/apps/frontend/src/pages/auth/ForgotPasswordPage.tsx b/apps/frontend/src/pages/auth/ForgotPasswordPage.tsx
new file mode 100644
index 0000000..296df82
--- /dev/null
+++ b/apps/frontend/src/pages/auth/ForgotPasswordPage.tsx
@@ -0,0 +1,88 @@
+import { useState } from "react";
+import { Link } from "react-router-dom";
+import { PageTitle } from "@/components/PageTitle";
+import { Header } from "@/components/layout";
+import { Button, Input } from "@/components/ui";
+
+const API_BASE = import.meta.env.VITE_API_URL || "http://localhost:8000";
+
+export function ForgotPasswordPage() {
+  const [email, setEmail] = useState("");
+  const [status, setStatus] = useState<"idle" | "sending" | "sent" | "error">(
+    "idle",
+  );
+
+  async function handleSubmit(e: React.FormEvent) {
+    e.preventDefault();
+    setStatus("sending");
+    try {
+      const res = await fetch(`${API_BASE}/api/auth/password-reset/request`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ email }),
+      });
+      // The endpoint always returns 200 whether the account exists or
+      // not (deliberate, to defeat user enumeration). Any non-200 is a
+      // server-side failure worth showing.
+      setStatus(res.ok ? "sent" : "error");
+    } catch {
+      setStatus("error");
+    }
+  }
+
+  return (
+    <div className="min-h-screen flex flex-col">
+      <PageTitle title="Reset password" />
+      <Header showAuth showDashboard={false} />
+      <main className="flex-1 flex items-center justify-center px-4 py-12">
+        <div className="w-full max-w-sm">
+          <h1 className="text-2xl font-semibold text-[var(--text-primary)]">
+            Forgot your password?
+          </h1>
+          <p className="mt-1 text-[var(--text-secondary)]">
+            Enter the email you signed up with and we&apos;ll send a reset link.
+          </p>
+
+          {status === "sent" ? (
+            <div className="mt-8 rounded-lg border border-[var(--border)] bg-[var(--bg-secondary)] px-4 py-4 text-sm text-[var(--text-primary)]">
+              If an account exists for that email, a reset link is on its way.
+              Check your inbox (and spam folder).
+            </div>
+          ) : (
+            <form onSubmit={handleSubmit} className="mt-8 space-y-4">
+              <Input
+                label="Email"
+                type="email"
+                value={email}
+                onChange={(e) => setEmail(e.target.value)}
+                required
+                autoComplete="email"
+                placeholder="you@example.com"
+              />
+              {status === "error" && (
+                <p className="text-sm text-[var(--error)]">
+                  Something went wrong. Please try again.
+                </p>
+              )}
+              <Button
+                type="submit"
+                fullWidth
+                size="lg"
+                disabled={status === "sending"}
+              >
+                {status === "sending" ? "..." : "Send reset link"}
+              </Button>
+            </form>
+          )}
+
+          <p className="mt-8 text-center text-[var(--text-secondary)] text-sm">
+            Remembered it?{" "}
+            <Link to="/login" className="text-[var(--accent)] hover:underline">
+              Back to sign in
+            </Link>
+          </p>
+        </div>
+      </main>
+    </div>
+  );
+}

From 29d7cd4f9d32d2d4e3582468f4ff4c7b021011e5 Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:31:20 +0400
Subject: [PATCH 62/82] feat(ui): reset password page

---
 .../src/pages/auth/ResetPasswordPage.tsx      | 117 ++++++++++++++++++
 1 file changed, 117 insertions(+)
 create mode 100644 apps/frontend/src/pages/auth/ResetPasswordPage.tsx

diff --git a/apps/frontend/src/pages/auth/ResetPasswordPage.tsx b/apps/frontend/src/pages/auth/ResetPasswordPage.tsx
new file mode 100644
index 0000000..74b1ec1
--- /dev/null
+++ b/apps/frontend/src/pages/auth/ResetPasswordPage.tsx
@@ -0,0 +1,117 @@
+import { useState } from "react";
+import { Link, useNavigate, useSearchParams } from "react-router-dom";
+import { PageTitle } from "@/components/PageTitle";
+import { Header } from "@/components/layout";
+import { Button, Input } from "@/components/ui";
+import { formatApiError } from "@/lib/api";
+
+const API_BASE = import.meta.env.VITE_API_URL || "http://localhost:8000";
+const MIN_PASSWORD_LENGTH = 8;
+
+export function ResetPasswordPage() {
+  const [searchParams] = useSearchParams();
+  const navigate = useNavigate();
+  const token = searchParams.get("token") ?? "";
+  const [password, setPassword] = useState("");
+  const [confirm, setConfirm] = useState("");
+  const [error, setError] = useState<string | null>(null);
+  const [status, setStatus] = useState<"idle" | "submitting" | "done">("idle");
+
+  async function handleSubmit(e: React.FormEvent) {
+    e.preventDefault();
+    setError(null);
+
+    if (!token) {
+      setError("This reset link is missing its token. Request a new one.");
+      return;
+    }
+    if (password.length < MIN_PASSWORD_LENGTH) {
+      setError(`Password must be at least ${MIN_PASSWORD_LENGTH} characters.`);
+      return;
+    }
+    if (password !== confirm) {
+      setError("Passwords don't match.");
+      return;
+    }
+
+    setStatus("submitting");
+    try {
+      const res = await fetch(`${API_BASE}/api/auth/password-reset/confirm`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify({ token, new_password: password }),
+      });
+      if (!res.ok) {
+        const body = await res.json().catch(() => ({}));
+        setError(formatApiError(body.detail, "Reset failed. Try again."));
+        setStatus("idle");
+        return;
+      }
+      setStatus("done");
+      // Small delay so the user sees the confirmation before redirect.
+      setTimeout(() => navigate("/login"), 1500);
+    } catch {
+      setError("Network error.");
+      setStatus("idle");
+    }
+  }
+
+  return (
+    <div className="min-h-screen flex flex-col">
+      <PageTitle title="Set a new password" />
+      <Header showAuth showDashboard={false} />
+      <main className="flex-1 flex items-center justify-center px-4 py-12">
+        <div className="w-full max-w-sm">
+          <h1 className="text-2xl font-semibold text-[var(--text-primary)]">
+            Set a new password
+          </h1>
+          <p className="mt-1 text-[var(--text-secondary)]">
+            Pick something you don&apos;t use anywhere else.
+          </p>
+
+          {status === "done" ? (
+            <div className="mt-8 rounded-lg border border-[var(--border)] bg-[var(--bg-secondary)] px-4 py-4 text-sm text-[var(--text-primary)]">
+              Password updated. Redirecting to sign in...
+            </div>
+          ) : (
+            <form onSubmit={handleSubmit} className="mt-8 space-y-4">
+              <Input
+                label="New password"
+                type="password"
+                value={password}
+                onChange={(e) => setPassword(e.target.value)}
+                required
+                autoComplete="new-password"
+                minLength={MIN_PASSWORD_LENGTH}
+              />
+              <Input
+                label="Confirm password"
+                type="password"
+                value={confirm}
+                onChange={(e) => setConfirm(e.target.value)}
+                required
+                autoComplete="new-password"
+                minLength={MIN_PASSWORD_LENGTH}
+              />
+              {error && <p className="text-sm text-[var(--error)]">{error}</p>}
+              <Button
+                type="submit"
+                fullWidth
+                size="lg"
+                disabled={status === "submitting"}
+              >
+                {status === "submitting" ? "..." : "Update password"}
+              </Button>
+            </form>
+          )}
+
+          <p className="mt-8 text-center text-[var(--text-secondary)] text-sm">
+            <Link to="/login" className="text-[var(--accent)] hover:underline">
+              Back to sign in
+            </Link>
+          </p>
+        </div>
+      </main>
+    </div>
+  );
+}

From e80966a617d29e3d6c079ca3961f80ad66cef92f Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:31:21 +0400
Subject: [PATCH 63/82] feat(ui): verify email page

---
 .../src/pages/auth/VerifyEmailPage.tsx        | 65 +++++++++++++++++++
 1 file changed, 65 insertions(+)
 create mode 100644 apps/frontend/src/pages/auth/VerifyEmailPage.tsx

diff --git a/apps/frontend/src/pages/auth/VerifyEmailPage.tsx b/apps/frontend/src/pages/auth/VerifyEmailPage.tsx
new file mode 100644
index 0000000..974fb41
--- /dev/null
+++ b/apps/frontend/src/pages/auth/VerifyEmailPage.tsx
@@ -0,0 +1,65 @@
+import { useEffect, useState } from "react";
+import { Link, useSearchParams } from "react-router-dom";
+import { PageTitle } from "@/components/PageTitle";
+import { Header } from "@/components/layout";
+
+const API_BASE = import.meta.env.VITE_API_URL || "http://localhost:8000";
+
+export function VerifyEmailPage() {
+  const [searchParams] = useSearchParams();
+  const token = searchParams.get("token") ?? "";
+  const [status, setStatus] = useState<"verifying" | "ok" | "failed">(
+    "verifying",
+  );
+
+  useEffect(() => {
+    if (!token) {
+      queueMicrotask(() => setStatus("failed"));
+      return;
+    }
+    (async () => {
+      try {
+        const res = await fetch(`${API_BASE}/api/auth/email/verify/confirm`, {
+          method: "POST",
+          headers: { "Content-Type": "application/json" },
+          body: JSON.stringify({ token }),
+        });
+        setStatus(res.ok ? "ok" : "failed");
+      } catch {
+        setStatus("failed");
+      }
+    })();
+  }, [token]);
+
+  return (
+    <div className="min-h-screen flex flex-col">
+      <PageTitle title="Verify email" />
+      <Header showAuth showDashboard={false} />
+      <main className="flex-1 flex items-center justify-center px-4 py-12">
+        <div className="w-full max-w-sm text-center">
+          <h1 className="text-2xl font-semibold text-[var(--text-primary)]">
+            {status === "verifying" && "Verifying your email..."}
+            {status === "ok" && "Email verified"}
+            {status === "failed" && "Verification failed"}
+          </h1>
+          <p className="mt-2 text-[var(--text-secondary)]">
+            {status === "ok" &&
+              "Thanks — your email is confirmed. You can sign in now."}
+            {status === "failed" &&
+              "This link is invalid or has expired. Request a new one from your account settings."}
+          </p>
+          {status !== "verifying" && (
+            <div className="mt-6">
+              <Link
+                to="/login"
+                className="text-[var(--accent)] hover:underline"
+              >
+                Back to sign in
+              </Link>
+            </div>
+          )}
+        </div>
+      </main>
+    </div>
+  );
+}

From 5a73181daa6abc27acef682edf847b656cd4195d Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:31:22 +0400
Subject: [PATCH 64/82] feat(ui): OAuth callback captures refresh token

---
 apps/frontend/src/pages/auth/AuthCallbackPage.tsx | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/apps/frontend/src/pages/auth/AuthCallbackPage.tsx b/apps/frontend/src/pages/auth/AuthCallbackPage.tsx
index f316387..d91566b 100644
--- a/apps/frontend/src/pages/auth/AuthCallbackPage.tsx
+++ b/apps/frontend/src/pages/auth/AuthCallbackPage.tsx
@@ -1,6 +1,6 @@
 /**
- * OAuth callback – when API redirects here with ?token=...
- * Stores token and navigates to dashboard.
+ * OAuth callback — API redirects here with ?token=...&refresh_token=...
+ * Stores the token pair and navigates to the dashboard.
  */
 import { useEffect } from "react";
 import { useNavigate, useSearchParams } from "react-router-dom";
@@ -10,8 +10,9 @@ import { useAuthStore } from "@/stores/authStore";
 export function AuthCallbackPage() {
   const [searchParams] = useSearchParams();
   const navigate = useNavigate();
-  const setToken = useAuthStore((s) => s.setToken);
+  const setTokens = useAuthStore((s) => s.setTokens);
   const token = searchParams.get("token");
+  const refreshToken = searchParams.get("refresh_token");
   const inviteToken = searchParams.get("invite_token");
   const API_BASE = import.meta.env.VITE_API_URL || "http://localhost:8000";
 
@@ -21,7 +22,7 @@ export function AuthCallbackPage() {
       return;
     }
 
-    setToken(token);
+    setTokens({ token, refreshToken: refreshToken ?? null });
     const acceptMaybe = async () => {
       if (inviteToken) {
         await fetch(
@@ -38,7 +39,7 @@ export function AuthCallbackPage() {
       navigate("/dashboard", { replace: true });
     };
     void acceptMaybe();
-  }, [token, inviteToken, navigate, setToken, API_BASE]);
+  }, [token, refreshToken, inviteToken, navigate, setTokens, API_BASE]);
 
   return (
     <div className="min-h-screen flex items-center justify-center">

From e506e3495474582408be642398f68d5399da7efe Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:31:22 +0400
Subject: [PATCH 65/82] feat(ui): login page uses setTokens and forgot-password
 link

---
 apps/frontend/src/pages/auth/LoginPage.tsx | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/apps/frontend/src/pages/auth/LoginPage.tsx b/apps/frontend/src/pages/auth/LoginPage.tsx
index 581b54f..241d4c2 100644
--- a/apps/frontend/src/pages/auth/LoginPage.tsx
+++ b/apps/frontend/src/pages/auth/LoginPage.tsx
@@ -13,7 +13,7 @@ export function LoginPage() {
   const { t } = useI18n();
   const navigate = useNavigate();
   const [searchParams] = useSearchParams();
-  const setToken = useAuthStore((s) => s.setToken);
+  const setTokens = useAuthStore((s) => s.setTokens);
   const [email, setEmail] = useState("");
   const [password, setPassword] = useState("");
   const [error, setError] = useState("");
@@ -34,7 +34,10 @@ export function LoginPage() {
         setError(formatApiError(data.detail, "Login failed"));
         return;
       }
-      setToken(data.access_token);
+      setTokens({
+        token: data.access_token,
+        refreshToken: data.refresh_token ?? null,
+      });
       const inviteToken = searchParams.get("invite_token");
       if (inviteToken) {
         const acceptRes = await fetch(
@@ -105,6 +108,14 @@ export function LoginPage() {
               required
               autoComplete="current-password"
             />
+            <div className="text-right">
+              <Link
+                to="/forgot-password"
+                className="text-sm text-[var(--accent)] hover:underline"
+              >
+                Forgot password?
+              </Link>
+            </div>
             {error && <p className="text-sm text-[var(--error)]">{error}</p>}
             <Button type="submit" fullWidth size="lg" disabled={loading}>
               {loading ? "..." : t("common.login")}

From 5d0eeea219d4bb09776af45fbf70bc7edaed2c4f Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:31:23 +0400
Subject: [PATCH 66/82] feat(ui): export new auth pages

---
 apps/frontend/src/pages/auth/index.ts | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/apps/frontend/src/pages/auth/index.ts b/apps/frontend/src/pages/auth/index.ts
index 5da71da..754c9ac 100644
--- a/apps/frontend/src/pages/auth/index.ts
+++ b/apps/frontend/src/pages/auth/index.ts
@@ -1,4 +1,7 @@
 export { AuthCallbackPage } from "./AuthCallbackPage";
+export { ForgotPasswordPage } from "./ForgotPasswordPage";
 export { InvitePage } from "./InvitePage";
 export { LoginPage } from "./LoginPage";
 export { RegisterPage } from "./RegisterPage";
+export { ResetPasswordPage } from "./ResetPasswordPage";
+export { VerifyEmailPage } from "./VerifyEmailPage";

From 7aa16b909e07568cccabb4c6b0fe4439349d2cc4 Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:31:24 +0400
Subject: [PATCH 67/82] feat(ui): board collab, native Excalidraw cursors,
 export, undo

---
 apps/frontend/src/pages/board/BoardPage.tsx | 457 +++++++++++++-------
 1 file changed, 303 insertions(+), 154 deletions(-)

diff --git a/apps/frontend/src/pages/board/BoardPage.tsx b/apps/frontend/src/pages/board/BoardPage.tsx
index 9dc0b3d..182f881 100644
--- a/apps/frontend/src/pages/board/BoardPage.tsx
+++ b/apps/frontend/src/pages/board/BoardPage.tsx
@@ -1,31 +1,33 @@
 import React, { useCallback, useEffect, useRef, useState } from "react";
-import { Link, useNavigate, useParams } from "react-router-dom";
-import { Excalidraw } from "@excalidraw/excalidraw";
-import { viewportCoordsToSceneCoords } from "@excalidraw/excalidraw";
+import { Link, useParams } from "react-router-dom";
+import { Excalidraw, exportToBlob, exportToSvg } from "@excalidraw/excalidraw";
 import "@excalidraw/excalidraw/index.css";
 import "@/styles/excalidraw-board.css";
 
-/** Minimal type for Excalidraw API (getAppState, updateScene, onChange, onScrollChange) */
-type ExcalidrawAPI = Parameters<
-  NonNullable<React.ComponentProps<typeof Excalidraw>["excalidrawAPI"]>
->[0];
+import { CommentsPane } from "@/components/board/CommentsPane";
 import { PageTitle } from "@/components/PageTitle";
-import { RemoteCursorsOverlay } from "@/components/board/RemoteCursorsOverlay";
+import { ShareDialog } from "@/components/board/ShareDialog";
+import { Button, Dropdown } from "@/components/ui";
+import { useBoardCollab } from "@/hooks/useBoardCollab";
 import { useBoardContent } from "@/hooks/useBoardContent";
 import type { ExcalidrawSnapshot } from "@/hooks/useBoardContent";
-import { useBoardWebSocket } from "@/hooks/useBoardWebSocket";
-import { useAuthStore } from "@/stores/authStore";
+import { useBoardInit } from "@/hooks/useBoardInit";
 import { useTheme } from "@/context/ThemeContext";
 import { apiFetch } from "@/lib/api";
+import type { ElementJson } from "@/lib/collab/yjs-bridge";
+import { useAuthStore } from "@/stores/authStore";
+
+type ExcalidrawAPI = Parameters<
+  NonNullable<React.ComponentProps<typeof Excalidraw>["excalidrawAPI"]>
+>[0];
 
-/** Map platform theme to Excalidraw theme (Excalidraw only supports light/dark) */
 function getExcalidrawTheme(
   theme: "light" | "dark" | "soft",
 ): "light" | "dark" {
   return theme === "dark" ? "dark" : "light";
 }
 
-/** Normalize loaded appState so Excalidraw doesn't crash: collaborators must be a Map, not a plain object (JSON). */
+// Excalidraw requires `collaborators` to be a Map; JSON can't represent one.
 function normalizeAppStateForExcalidraw(
   appState: unknown,
 ): Record<string, unknown> | undefined {
@@ -39,15 +41,6 @@ function normalizeAppStateForExcalidraw(
   } as Record<string, unknown>;
 }
 
-/** Viewport state for cursor overlay (scroll + zoom + offset) */
-export type ExcalidrawViewportState = {
-  scrollX: number;
-  scrollY: number;
-  zoom: { value: number };
-  offsetLeft: number;
-  offsetTop: number;
-};
-
 const EXCALIDRAW_UI_OPTIONS = {
   canvasActions: {
     toggleTheme: false,
@@ -63,32 +56,94 @@ const EXCALIDRAW_UI_OPTIONS = {
 
 export function BoardPage() {
   const { boardId } = useParams<{ boardId: string }>();
-  const navigate = useNavigate();
   const { theme } = useTheme();
   const token = useAuthStore((s) => s.token);
   const user = useAuthStore((s) => s.user);
   const setUser = useAuthStore((s) => s.setUser);
-  const [boardName, setBoardName] = useState<string>("");
-  const [authChecked, setAuthChecked] = useState(false);
+
   const [excalidrawAPI, setExcalidrawAPI] = useState<ExcalidrawAPI | null>(
     null,
   );
-  const [viewportState, setViewportState] =
-    useState<ExcalidrawViewportState | null>(null);
+  const [shareOpen, setShareOpen] = useState(false);
+  const [commentsOpen, setCommentsOpen] = useState(false);
+  const containerRef = useRef<HTMLDivElement>(null);
+
+  // Event bus so child panes can subscribe to server-pushed text
+  // events (e.g. comment.created, comment.deleted) without opening
+  // their own WebSocket. useBoardCollab forwards every event here.
+  type BoardEventHandler = (
+    event: string,
+    data: Record<string, unknown>,
+  ) => void;
+  const boardEventSubsRef = useRef<Set<BoardEventHandler>>(new Set());
+  const subscribeToBoardEvent = useCallback((h: BoardEventHandler) => {
+    boardEventSubsRef.current.add(h);
+    return () => {
+      boardEventSubsRef.current.delete(h);
+    };
+  }, []);
+  const fanoutBoardEvent = useCallback<BoardEventHandler>((event, data) => {
+    for (const h of boardEventSubsRef.current) h(event, data);
+  }, []);
+
+  const { authChecked, boardName } = useBoardInit(boardId ?? null, token);
+
+  const download = useCallback(
+    async (kind: "png" | "svg") => {
+      if (!excalidrawAPI) return;
+      const elements = excalidrawAPI.getSceneElements();
+      const appState = excalidrawAPI.getAppState();
+      const files = excalidrawAPI.getFiles();
+      try {
+        let url: string;
+        let filename: string;
+        if (kind === "png") {
+          const blob = await exportToBlob({
+            elements,
+            appState: {
+              ...appState,
+              exportWithDarkMode: false,
+              exportBackground: true,
+            },
+            files,
+            mimeType: "image/png",
+          });
+          url = URL.createObjectURL(blob);
+          filename = `${boardName || "board"}.png`;
+        } else {
+          const svg = await exportToSvg({
+            elements,
+            appState: {
+              ...appState,
+              exportWithDarkMode: false,
+              exportBackground: true,
+            },
+            files,
+          });
+          const blob = new Blob([svg.outerHTML], {
+            type: "image/svg+xml",
+          });
+          url = URL.createObjectURL(blob);
+          filename = `${boardName || "board"}.svg`;
+        }
+        const a = document.createElement("a");
+        a.href = url;
+        a.download = filename;
+        a.click();
+        setTimeout(() => URL.revokeObjectURL(url), 2000);
+      } catch {
+        // Silent fail — Excalidraw's built-in export remains a fallback.
+      }
+    },
+    [excalidrawAPI, boardName],
+  );
 
-  // Ensure we have user for currentUserId (e.g. when opening board directly)
   useEffect(() => {
     if (!token || user) return;
     apiFetch("/api/auth/me")
       .then((res) => (res.ok ? res.json() : null))
       .then((data) => {
-        if (data)
-          setUser({
-            id: data.id,
-            email: data.email,
-            username: data.username,
-            avatar_url: data.avatar_url ?? null,
-          });
+        if (data) setUser(data);
       })
       .catch(() => {});
   }, [token, user, setUser]);
@@ -129,41 +184,108 @@ export function BoardPage() {
     [excalidrawAPI],
   );
 
-  const { remoteCursors, sendCursor } = useBoardWebSocket(
-    boardId ?? null,
-    token,
-    {
-      currentUserId: user?.id ?? null,
-      onRemoteDocument,
+  const onRemoteElements = useCallback(
+    (elements: ElementJson[]) => {
+      if (!excalidrawAPI) return;
+      excalidrawAPI.updateScene({
+        elements: elements as unknown as Parameters<
+          ExcalidrawAPI["updateScene"]
+        >[0]["elements"],
+      });
     },
+    [excalidrawAPI],
   );
 
-  const rafRef = useRef<number | null>(null);
-  const sendCursorRef = useRef(sendCursor);
+  const {
+    remoteCursors,
+    sendCursor,
+    syncLocalElements,
+    seedFromSnapshot,
+    encodeYjsState,
+    applyYjsState,
+    undo,
+    redo,
+  } = useBoardCollab(boardId ?? null, token, {
+    currentUserId: user?.id ?? null,
+    onRemoteDocument,
+    onRemoteElements,
+    onRemoteEvent: fanoutBoardEvent,
+  });
 
+  // Ctrl/Cmd+Z and Ctrl/Cmd+Shift+Z drive the collab-aware undo stack
+  // (only undoes the local user's own ops, not remote ones).
+  useEffect(() => {
+    const onKey = (e: KeyboardEvent) => {
+      const mod = e.ctrlKey || e.metaKey;
+      if (!mod) return;
+      if (e.key === "z" || e.key === "Z") {
+        e.preventDefault();
+        if (e.shiftKey) redo();
+        else undo();
+      } else if (e.key === "y" || e.key === "Y") {
+        e.preventDefault();
+        redo();
+      }
+    };
+    window.addEventListener("keydown", onKey);
+    return () => window.removeEventListener("keydown", onKey);
+  }, [undo, redo]);
+
+  // Excalidraw's native pointer hook. Fires reliably (pointermove on
+  // the wrapper div is stopPropagation'd by Excalidraw itself) and
+  // hands us scene coordinates directly, so no viewport math here.
+  const sendCursorRef = useRef(sendCursor);
   useEffect(() => {
     sendCursorRef.current = sendCursor;
   }, [sendCursor]);
+  const onPointerUpdate = useCallback(
+    (payload: { pointer: { x: number; y: number } }) => {
+      const { x, y } = payload.pointer;
+      if (typeof x === "number" && typeof y === "number") {
+        sendCursorRef.current(x, y);
+      }
+    },
+    [],
+  );
 
+  // Render remote cursors via Excalidraw's native `collaborators` Map.
+  // Excalidraw draws the cursor, label, and handles all positioning /
+  // zoom / pan transforms inside the canvas itself.
+  const CURSOR_COLORS = [
+    "#e11d48",
+    "#d97706",
+    "#16a34a",
+    "#0891b2",
+    "#2563eb",
+    "#7c3aed",
+    "#db2777",
+    "#0d9488",
+  ];
   useEffect(() => {
-    if (!boardId || !token) return;
-    apiFetch(`/api/boards/${boardId}`)
-      .then((res) => {
-        if (!res.ok) {
-          navigate("/dashboard");
-          return;
-        }
-        return res.json();
-      })
-      .then(async (data) => {
-        if (data) {
-          setBoardName(data.name);
-          await apiFetch(`/api/boards/${boardId}/open`, { method: "POST" });
-        }
-        setAuthChecked(true);
-      })
-      .catch(() => navigate("/dashboard"));
-  }, [boardId, token, navigate]);
+    if (!excalidrawAPI) return;
+    const collaborators = new Map<string, Record<string, unknown>>();
+    for (const [key, c] of Object.entries(remoteCursors)) {
+      let hash = 0;
+      for (let i = 0; i < key.length; i++) {
+        hash = (hash * 31 + key.charCodeAt(i)) | 0;
+      }
+      const color = CURSOR_COLORS[Math.abs(hash) % CURSOR_COLORS.length];
+      collaborators.set(key, {
+        pointer: { x: c.x, y: c.y, tool: "pointer" },
+        button: "up",
+        username: c.username,
+        color: { background: color, stroke: color },
+      });
+    }
+    excalidrawAPI.updateScene({
+      collaborators: collaborators as Parameters<
+        ExcalidrawAPI["updateScene"]
+      >[0]["collaborators"],
+    });
+    // CURSOR_COLORS is a module-const-like array; exhaustive-deps would
+    // force a useMemo indirection that adds no value here.
+    // eslint-disable-next-line react-hooks/exhaustive-deps
+  }, [excalidrawAPI, remoteCursors]);
 
   const initialData = snapshot
     ? ({
@@ -175,24 +297,40 @@ export function BoardPage() {
       } as React.ComponentProps<typeof Excalidraw>["initialData"])
     : undefined;
 
+  // Keep the latest elements+appState in refs so the deferred getter
+  // below can read them at save time without re-encoding the Y.Doc on
+  // every pointer move (that ran 60x/sec during drag and was the main
+  // reason the canvas felt sluggish).
+  const latestElementsRef = useRef<readonly unknown[]>([]);
+  const latestAppStateRef = useRef<unknown>(undefined);
+
   const handleChange = useCallback(
     (elements: readonly unknown[], appState: unknown) => {
-      const content: ExcalidrawSnapshot = {
-        elements: [...elements],
-        appState: appState as ExcalidrawSnapshot["appState"],
-      };
-      latestContentRef.current = content;
-      scheduleSave(content);
+      syncLocalElements(elements as readonly ElementJson[]);
+      latestElementsRef.current = elements;
+      latestAppStateRef.current = appState;
+      scheduleSave(() => {
+        const content: ExcalidrawSnapshot = {
+          elements: [...latestElementsRef.current],
+          appState: latestAppStateRef.current as ExcalidrawSnapshot["appState"],
+          yjs_update: encodeYjsState(),
+        };
+        latestContentRef.current = content;
+        return content;
+      });
     },
-    [scheduleSave],
+    [scheduleSave, syncLocalElements, encodeYjsState],
   );
 
-  // Save on refresh/close so we don't lose content waiting for debounce
   useEffect(() => {
     const onBeforeUnload = () => {
       clearPendingSave();
       const content = latestContentRef.current;
-      if (content?.elements?.length || content?.appState) {
+      if (
+        content?.elements?.length ||
+        content?.appState ||
+        content?.yjs_update
+      ) {
         saveContent(content);
       }
     };
@@ -200,17 +338,34 @@ export function BoardPage() {
     return () => window.removeEventListener("beforeunload", onBeforeUnload);
   }, [clearPendingSave, saveContent]);
 
-  // Apply loaded snapshot when API is ready (in case initialData didn't apply)
   useEffect(() => {
     if (!excalidrawAPI || !snapshot || initialSnapshotAppliedRef.current)
       return;
-    const elements = Array.isArray(snapshot.elements)
-      ? snapshot.elements
-      : undefined;
+
     const appState =
       normalizeAppStateForExcalidraw(snapshot.appState) ??
       snapshot.appState ??
       undefined;
+
+    if (snapshot.yjs_update) {
+      applyYjsState(snapshot.yjs_update);
+      if (appState != null) {
+        excalidrawAPI.updateScene({
+          elements: excalidrawAPI.getSceneElements() as Parameters<
+            ExcalidrawAPI["updateScene"]
+          >[0]["elements"],
+          appState: appState as Parameters<
+            ExcalidrawAPI["updateScene"]
+          >[0]["appState"],
+        });
+      }
+      initialSnapshotAppliedRef.current = true;
+      return;
+    }
+
+    const elements = Array.isArray(snapshot.elements)
+      ? snapshot.elements
+      : undefined;
     if (elements != null || appState != null) {
       excalidrawAPI.updateScene({
         elements: (elements ?? excalidrawAPI.getSceneElements()) as Parameters<
@@ -220,73 +375,17 @@ export function BoardPage() {
           ExcalidrawAPI["updateScene"]
         >[0]["appState"],
       });
+      if (elements) {
+        seedFromSnapshot(elements as readonly ElementJson[]);
+      }
       initialSnapshotAppliedRef.current = true;
     }
-  }, [excalidrawAPI, snapshot]);
+  }, [excalidrawAPI, snapshot, seedFromSnapshot, applyYjsState]);
 
   useEffect(() => {
     if (boardId != null) initialSnapshotAppliedRef.current = false;
   }, [boardId]);
 
-  const handleExcalidrawAPI = useCallback((api: ExcalidrawAPI) => {
-    setExcalidrawAPI(api);
-    const appState = api.getAppState();
-    setViewportState({
-      scrollX: appState.scrollX,
-      scrollY: appState.scrollY,
-      zoom: appState.zoom,
-      offsetLeft: appState.offsetLeft,
-      offsetTop: appState.offsetTop,
-    });
-    api.onChange(() => {
-      const s = api.getAppState();
-      setViewportState({
-        scrollX: s.scrollX,
-        scrollY: s.scrollY,
-        zoom: s.zoom,
-        offsetLeft: s.offsetLeft,
-        offsetTop: s.offsetTop,
-      });
-    });
-    api.onScrollChange((scrollX, scrollY, zoom) => {
-      const s = api.getAppState();
-      setViewportState({
-        scrollX,
-        scrollY,
-        zoom,
-        offsetLeft: s.offsetLeft,
-        offsetTop: s.offsetTop,
-      });
-    });
-  }, []);
-
-  const containerRef = useRef<HTMLDivElement>(null);
-
-  useEffect(() => {
-    if (!excalidrawAPI || !containerRef.current) return;
-    const container = containerRef.current;
-    const onPointerMove = (e: PointerEvent) => {
-      if (rafRef.current != null) return;
-      rafRef.current = requestAnimationFrame(() => {
-        rafRef.current = null;
-        const appState = excalidrawAPI.getAppState();
-        const scene = viewportCoordsToSceneCoords(
-          { clientX: e.clientX, clientY: e.clientY },
-          {
-            zoom: appState.zoom,
-            offsetLeft: appState.offsetLeft,
-            offsetTop: appState.offsetTop,
-            scrollX: appState.scrollX,
-            scrollY: appState.scrollY,
-          },
-        );
-        sendCursorRef.current(scene.x, scene.y);
-      });
-    };
-    container.addEventListener("pointermove", onPointerMove);
-    return () => container.removeEventListener("pointermove", onPointerMove);
-  }, [excalidrawAPI]);
-
   if (!authChecked || !boardId) {
     return (
       <div className="min-h-screen flex items-center justify-center">
@@ -308,29 +407,79 @@ export function BoardPage() {
         <span className="text-sm font-medium text-[var(--text-primary)]">
           {boardName || "Board"}
         </span>
+        <div className="ml-auto flex items-center gap-2">
+          <Dropdown
+            trigger={
+              <Button type="button" variant="outline" size="sm">
+                Export
+              </Button>
+            }
+          >
+            <button
+              type="button"
+              onClick={() => download("png")}
+              className="block w-full text-left px-3 py-2 text-sm text-[var(--text-primary)] hover:bg-[var(--bg-tertiary)]"
+            >
+              PNG image
+            </button>
+            <button
+              type="button"
+              onClick={() => download("svg")}
+              className="block w-full text-left px-3 py-2 text-sm text-[var(--text-primary)] hover:bg-[var(--bg-tertiary)]"
+            >
+              SVG vector
+            </button>
+          </Dropdown>
+          <Button
+            type="button"
+            variant="outline"
+            size="sm"
+            onClick={() => setCommentsOpen((v) => !v)}
+          >
+            Comments
+          </Button>
+          <Button
+            type="button"
+            variant="outline"
+            size="sm"
+            onClick={() => setShareOpen(true)}
+          >
+            Share
+          </Button>
+        </div>
       </header>
-      <div className="flex-1 min-h-0 relative" ref={containerRef}>
-        {contentLoading ? (
-          <div className="h-full flex items-center justify-center">
-            <div className="text-[var(--text-muted)]">Loading canvas...</div>
-          </div>
-        ) : (
-          <>
-            <div className="excalidraw-board h-full w-full">
-              <Excalidraw
-                key={boardId}
-                theme={getExcalidrawTheme(theme)}
-                UIOptions={EXCALIDRAW_UI_OPTIONS}
-                initialData={initialData}
-                onChange={handleChange}
-                excalidrawAPI={handleExcalidrawAPI}
-              />
+      {shareOpen && (
+        <ShareDialog boardId={boardId} onClose={() => setShareOpen(false)} />
+      )}
+      <div className="flex-1 min-h-0 flex">
+        <div className="flex-1 min-h-0 relative" ref={containerRef}>
+          {contentLoading ? (
+            <div className="h-full flex items-center justify-center">
+              <div className="text-[var(--text-muted)]">Loading canvas...</div>
             </div>
-            <RemoteCursorsOverlay
-              viewportState={viewportState}
-              cursors={remoteCursors}
-            />
-          </>
+          ) : (
+            <>
+              <div className="excalidraw-board h-full w-full">
+                <Excalidraw
+                  key={boardId}
+                  theme={getExcalidrawTheme(theme)}
+                  UIOptions={EXCALIDRAW_UI_OPTIONS}
+                  initialData={initialData}
+                  onChange={handleChange}
+                  onPointerUpdate={onPointerUpdate}
+                  excalidrawAPI={setExcalidrawAPI}
+                />
+              </div>
+            </>
+          )}
+        </div>
+        {commentsOpen && (
+          <CommentsPane
+            boardId={boardId}
+            currentUserId={user?.id ?? null}
+            onClose={() => setCommentsOpen(false)}
+            subscribeToBoardEvent={subscribeToBoardEvent}
+          />
         )}
       </div>
     </div>

From 0285f1ec6f4a1c8433001b88c2f79b867afaed43 Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:31:24 +0400
Subject: [PATCH 68/82] feat(ui): public shared-board viewer page

---
 .../src/pages/board/SharedBoardPage.tsx       | 135 ++++++++++++++++++
 apps/frontend/src/pages/board/index.ts        |   1 +
 2 files changed, 136 insertions(+)
 create mode 100644 apps/frontend/src/pages/board/SharedBoardPage.tsx

diff --git a/apps/frontend/src/pages/board/SharedBoardPage.tsx b/apps/frontend/src/pages/board/SharedBoardPage.tsx
new file mode 100644
index 0000000..5e7e425
--- /dev/null
+++ b/apps/frontend/src/pages/board/SharedBoardPage.tsx
@@ -0,0 +1,135 @@
+import React, { useEffect, useState } from "react";
+import { useParams } from "react-router-dom";
+import { Excalidraw } from "@excalidraw/excalidraw";
+import "@excalidraw/excalidraw/index.css";
+import "@/styles/excalidraw-board.css";
+
+import { PageTitle } from "@/components/PageTitle";
+import { useTheme } from "@/context/ThemeContext";
+
+const API_BASE = import.meta.env.VITE_API_URL || "http://localhost:8000";
+
+function getExcalidrawTheme(
+  theme: "light" | "dark" | "soft",
+): "light" | "dark" {
+  return theme === "dark" ? "dark" : "light";
+}
+
+function normalizeAppStateForExcalidraw(
+  appState: unknown,
+): Record<string, unknown> | undefined {
+  if (appState == null || typeof appState !== "object") return undefined;
+  const raw = appState as Record<string, unknown>;
+  const collaborators = raw.collaborators;
+  const isMap = collaborators instanceof Map;
+  return {
+    ...raw,
+    collaborators: isMap ? collaborators : new Map(),
+  } as Record<string, unknown>;
+}
+
+const VIEWER_UI_OPTIONS = {
+  canvasActions: {
+    toggleTheme: false,
+    loadScene: false,
+    saveToActiveFile: false,
+    changeViewBackgroundColor: false,
+    clearCanvas: false,
+    export: { saveFileToDisk: true },
+    saveAsImage: true,
+  },
+  dockedSidebarBreakpoint: 1024,
+} as const;
+
+type Snapshot = {
+  elements?: readonly unknown[] | null;
+  appState?: Record<string, unknown> | null;
+};
+
+export function SharedBoardPage() {
+  const { token } = useParams<{ token: string }>();
+  const { theme } = useTheme();
+  const [boardName, setBoardName] = useState<string>("");
+  const [snapshot, setSnapshot] = useState<Snapshot | null>(null);
+  const [error, setError] = useState<string | null>(null);
+  const [loading, setLoading] = useState(true);
+
+  useEffect(() => {
+    if (!token) return;
+    let cancelled = false;
+    (async () => {
+      try {
+        const res = await fetch(
+          `${API_BASE}/api/public/boards/${token}/snapshot`,
+        );
+        if (!res.ok) {
+          setError(
+            res.status === 404
+              ? "This share link is invalid or has expired."
+              : "Failed to load shared board.",
+          );
+          return;
+        }
+        const body = await res.json();
+        if (cancelled) return;
+        setBoardName(body.board?.name ?? "Shared board");
+        setSnapshot(body.snapshot ?? {});
+      } catch {
+        if (!cancelled) setError("Network error.");
+      } finally {
+        if (!cancelled) setLoading(false);
+      }
+    })();
+    return () => {
+      cancelled = true;
+    };
+  }, [token]);
+
+  if (loading) {
+    return (
+      <div className="min-h-screen flex items-center justify-center">
+        <div className="text-[var(--text-muted)]">Loading...</div>
+      </div>
+    );
+  }
+
+  if (error || !snapshot) {
+    return (
+      <div className="min-h-screen flex items-center justify-center px-4">
+        <div className="max-w-sm text-center text-[var(--text-muted)]">
+          {error ?? "Shared board not available."}
+        </div>
+      </div>
+    );
+  }
+
+  const initialData = {
+    elements: snapshot.elements ?? undefined,
+    appState:
+      normalizeAppStateForExcalidraw(snapshot.appState) ??
+      snapshot.appState ??
+      undefined,
+  } as React.ComponentProps<typeof Excalidraw>["initialData"];
+
+  return (
+    <div className="fixed inset-0 flex flex-col bg-[var(--bg-primary)]">
+      <PageTitle title={boardName || "Shared board"} />
+      <header className="h-12 shrink-0 flex items-center gap-4 px-4 border-b border-[var(--border)] bg-[var(--bg-secondary)]">
+        <span className="text-sm font-medium text-[var(--text-primary)]">
+          {boardName || "Shared board"}
+        </span>
+        <span className="ml-2 text-xs text-[var(--text-muted)]">read-only</span>
+      </header>
+      <div className="flex-1 min-h-0 relative">
+        <div className="excalidraw-board h-full w-full">
+          <Excalidraw
+            theme={getExcalidrawTheme(theme)}
+            UIOptions={VIEWER_UI_OPTIONS}
+            initialData={initialData}
+            viewModeEnabled
+          />
+        </div>
+      </div>
+    </div>
+  );
+}
diff --git a/apps/frontend/src/pages/board/index.ts b/apps/frontend/src/pages/board/index.ts
index b9c5e1f..3f16065 100644
--- a/apps/frontend/src/pages/board/index.ts
+++ b/apps/frontend/src/pages/board/index.ts
@@ -1 +1,2 @@
 export { BoardPage } from "./BoardPage";
+export { SharedBoardPage } from "./SharedBoardPage";

From de31bd25cc39cb21224b6d72e58c99edbb628c5a Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:31:25 +0400
Subject: [PATCH 69/82] feat(ui): share link dialog for boards

---
 .../src/components/board/ShareDialog.tsx      | 147 ++++++++++++++++++
 1 file changed, 147 insertions(+)
 create mode 100644 apps/frontend/src/components/board/ShareDialog.tsx

diff --git a/apps/frontend/src/components/board/ShareDialog.tsx b/apps/frontend/src/components/board/ShareDialog.tsx
new file mode 100644
index 0000000..fba7a8c
--- /dev/null
+++ b/apps/frontend/src/components/board/ShareDialog.tsx
@@ -0,0 +1,147 @@
+import { useEffect, useState } from "react";
+import { Button, Modal } from "@/components/ui";
+import { apiFetch, formatApiError } from "@/lib/api";
+
+export interface ShareToken {
+  id: string;
+  board_id: string;
+  token: string;
+  url: string;
+  role: "viewer" | "editor";
+  created_at: string;
+  expires_at: string | null;
+}
+
+interface ShareDialogProps {
+  boardId: string;
+  onClose: () => void;
+}
+
+export function ShareDialog({ boardId, onClose }: ShareDialogProps) {
+  const [tokens, setTokens] = useState<ShareToken[]>([]);
+  const [loading, setLoading] = useState(true);
+  const [creating, setCreating] = useState(false);
+  const [error, setError] = useState<string | null>(null);
+  const [copiedId, setCopiedId] = useState<string | null>(null);
+
+  async function load() {
+    setLoading(true);
+    try {
+      const res = await apiFetch(`/api/boards/${boardId}/share-tokens`);
+      if (!res.ok) {
+        setError("Failed to load share links");
+        return;
+      }
+      const body = await res.json();
+      setTokens(body.items ?? []);
+    } catch {
+      setError("Network error");
+    } finally {
+      setLoading(false);
+    }
+  }
+
+  useEffect(() => {
+    load();
+    // eslint-disable-next-line react-hooks/exhaustive-deps
+  }, [boardId]);
+
+  async function createLink() {
+    setCreating(true);
+    setError(null);
+    try {
+      const res = await apiFetch(`/api/boards/${boardId}/share-tokens`, {
+        method: "POST",
+        body: JSON.stringify({ role: "viewer" }),
+      });
+      if (!res.ok) {
+        const body = await res.json().catch(() => ({}));
+        setError(formatApiError(body.detail, "Failed to create share link"));
+        return;
+      }
+      const created: ShareToken = await res.json();
+      setTokens((prev) => [created, ...prev]);
+    } catch {
+      setError("Network error");
+    } finally {
+      setCreating(false);
+    }
+  }
+
+  async function revoke(id: string) {
+    try {
+      const res = await apiFetch(`/api/boards/${boardId}/share-tokens/${id}`, {
+        method: "DELETE",
+      });
+      if (!res.ok) {
+        setError("Failed to revoke link");
+        return;
+      }
+      setTokens((prev) => prev.filter((t) => t.id !== id));
+    } catch {
+      setError("Network error");
+    }
+  }
+
+  async function copy(token: ShareToken) {
+    try {
+      await navigator.clipboard.writeText(token.url);
+      setCopiedId(token.id);
+      setTimeout(
+        () => setCopiedId((id) => (id === token.id ? null : id)),
+        1500,
+      );
+    } catch {
+      // clipboard may be unavailable (insecure origin, etc.) — fall back
+      // silently; the URL is still visible in the row.
+    }
+  }
+
+  return (
+    <Modal title="Share this board" onClose={onClose}>
+      <p className="text-sm text-[var(--text-secondary)] mb-4">
+        Anyone with a share link can view this board without a Loomy account.
+      </p>
+      <Button onClick={createLink} disabled={creating} fullWidth size="md">
+        {creating ? "Creating..." : "Create new link"}
+      </Button>
+      {error && <p className="text-sm text-[var(--error)] mt-3">{error}</p>}
+      <div className="mt-4 space-y-2">
+        {loading ? (
+          <p className="text-sm text-[var(--text-muted)]">Loading...</p>
+        ) : tokens.length === 0 ? (
+          <p className="text-sm text-[var(--text-muted)]">
+            No active share links yet.
+          </p>
+        ) : (
+          tokens.map((t) => (
+            <div
+              key={t.id}
+              className="flex items-center gap-2 p-2 border border-[var(--border)] rounded"
+            >
+              <code className="flex-1 text-xs truncate text-[var(--text-primary)]">
+                {t.url}
+              </code>
+              <Button
+                variant="outline"
+                size="sm"
+                onClick={() => copy(t)}
+                type="button"
+              >
+                {copiedId === t.id ? "Copied" : "Copy"}
+              </Button>
+              <Button
+                variant="outline"
+                size="sm"
+                onClick={() => revoke(t.id)}
+                type="button"
+              >
+                Revoke
+              </Button>
+            </div>
+          ))
+        )}
+      </div>
+    </Modal>
+  );
+}

From b00e0600d8cac6bdc6dca5a6a5970dd2d548aeef Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:31:26 +0400
Subject: [PATCH 70/82] feat(ui): threaded comments pane with live updates

---
 .../src/components/board/CommentsPane.tsx     | 304 ++++++++++++++++++
 1 file changed, 304 insertions(+)
 create mode 100644 apps/frontend/src/components/board/CommentsPane.tsx

diff --git a/apps/frontend/src/components/board/CommentsPane.tsx b/apps/frontend/src/components/board/CommentsPane.tsx
new file mode 100644
index 0000000..a46245d
--- /dev/null
+++ b/apps/frontend/src/components/board/CommentsPane.tsx
@@ -0,0 +1,304 @@
+import { useCallback, useEffect, useMemo, useState } from "react";
+import { Button } from "@/components/ui";
+import { apiFetch } from "@/lib/api";
+
+export interface BoardComment {
+  id: string;
+  board_id: string;
+  parent_id: string | null;
+  author_id: string;
+  author_username: string | null;
+  body: string;
+  resolved_at: string | null;
+  created_at: string;
+  updated_at: string;
+}
+
+interface CommentsPaneProps {
+  boardId: string;
+  currentUserId: string | null;
+  onClose: () => void;
+  subscribeToBoardEvent?: (
+    handler: (event: string, data: Record<string, unknown>) => void,
+  ) => () => void;
+}
+
+type CommentNode = BoardComment & { replies: CommentNode[] };
+
+function buildTree(flat: BoardComment[]): CommentNode[] {
+  const byId = new Map<string, CommentNode>();
+  flat.forEach((c) => byId.set(c.id, { ...c, replies: [] }));
+  const roots: CommentNode[] = [];
+  for (const node of byId.values()) {
+    if (node.parent_id && byId.has(node.parent_id)) {
+      byId.get(node.parent_id)!.replies.push(node);
+    } else {
+      roots.push(node);
+    }
+  }
+  roots.sort(
+    (a, b) =>
+      new Date(a.created_at).getTime() - new Date(b.created_at).getTime(),
+  );
+  return roots;
+}
+
+function formatRelative(iso: string): string {
+  const then = new Date(iso).getTime();
+  const diff = Date.now() - then;
+  const s = Math.floor(diff / 1000);
+  if (s < 60) return `${s}s`;
+  const m = Math.floor(s / 60);
+  if (m < 60) return `${m}m`;
+  const h = Math.floor(m / 60);
+  if (h < 24) return `${h}h`;
+  const d = Math.floor(h / 24);
+  return `${d}d`;
+}
+
+export function CommentsPane({
+  boardId,
+  currentUserId,
+  onClose,
+  subscribeToBoardEvent,
+}: CommentsPaneProps) {
+  const [comments, setComments] = useState<BoardComment[]>([]);
+  const [loading, setLoading] = useState(true);
+  const [newBody, setNewBody] = useState("");
+  const [replyingTo, setReplyingTo] = useState<string | null>(null);
+  const [replyBody, setReplyBody] = useState("");
+  const [error, setError] = useState<string | null>(null);
+
+  const load = useCallback(async () => {
+    setLoading(true);
+    try {
+      const res = await apiFetch(`/api/boards/${boardId}/comments`);
+      if (!res.ok) {
+        setError("Failed to load comments");
+        return;
+      }
+      const body = await res.json();
+      setComments(body.items ?? []);
+    } catch {
+      setError("Network error");
+    } finally {
+      setLoading(false);
+    }
+  }, [boardId]);
+
+  useEffect(() => {
+    load();
+  }, [load]);
+
+  useEffect(() => {
+    if (!subscribeToBoardEvent) return;
+    const unsub = subscribeToBoardEvent((event, data) => {
+      if (event === "comment.created" || event === "comment.updated") {
+        const incoming = data as unknown as BoardComment;
+        if (!incoming.id) return;
+        setComments((prev) => {
+          const idx = prev.findIndex((c) => c.id === incoming.id);
+          if (idx === -1) return [...prev, incoming];
+          const next = prev.slice();
+          next[idx] = incoming;
+          return next;
+        });
+      } else if (event === "comment.deleted") {
+        const id = typeof data.id === "string" ? data.id : null;
+        if (!id) return;
+        setComments((prev) => prev.filter((c) => c.id !== id));
+      }
+    });
+    return unsub;
+  }, [subscribeToBoardEvent]);
+
+  const tree = useMemo(() => buildTree(comments), [comments]);
+
+  async function submit(body: string, parentId: string | null) {
+    const trimmed = body.trim();
+    if (!trimmed) return;
+    try {
+      const res = await apiFetch(`/api/boards/${boardId}/comments`, {
+        method: "POST",
+        body: JSON.stringify({ body: trimmed, parent_id: parentId }),
+      });
+      if (!res.ok) {
+        setError("Failed to post comment");
+        return;
+      }
+      const created: BoardComment = await res.json();
+      setComments((prev) => [...prev, created]);
+      if (parentId) {
+        setReplyingTo(null);
+        setReplyBody("");
+      } else {
+        setNewBody("");
+      }
+    } catch {
+      setError("Network error");
+    }
+  }
+
+  async function toggleResolved(c: BoardComment) {
+    const next = c.resolved_at === null;
+    try {
+      const res = await apiFetch(`/api/boards/${boardId}/comments/${c.id}`, {
+        method: "PATCH",
+        body: JSON.stringify({ resolved: next }),
+      });
+      if (!res.ok) return;
+      const updated: BoardComment = await res.json();
+      setComments((prev) => prev.map((x) => (x.id === c.id ? updated : x)));
+    } catch {
+      /* ignore */
+    }
+  }
+
+  async function remove(c: BoardComment) {
+    try {
+      const res = await apiFetch(`/api/boards/${boardId}/comments/${c.id}`, {
+        method: "DELETE",
+      });
+      if (!res.ok) return;
+      setComments((prev) => prev.filter((x) => x.id !== c.id));
+    } catch {
+      /* ignore */
+    }
+  }
+
+  function renderNode(node: CommentNode, depth: number) {
+    const canEdit = currentUserId === node.author_id;
+    const resolved = node.resolved_at !== null;
+    return (
+      <div
+        key={node.id}
+        className={`border-l-2 pl-3 ${
+          resolved
+            ? "border-[var(--border)] opacity-60"
+            : "border-[var(--accent)]"
+        }`}
+        style={{ marginLeft: depth * 12 }}
+      >
+        <div className="flex items-baseline gap-2 text-sm">
+          <span className="font-medium text-[var(--text-primary)]">
+            {node.author_username ?? "Someone"}
+          </span>
+          <span className="text-xs text-[var(--text-muted)]">
+            {formatRelative(node.created_at)}
+          </span>
+          {resolved && (
+            <span className="text-xs text-[var(--text-muted)]">resolved</span>
+          )}
+        </div>
+        <p className="mt-1 text-sm text-[var(--text-primary)] whitespace-pre-wrap">
+          {node.body}
+        </p>
+        <div className="mt-1 flex items-center gap-3 text-xs text-[var(--text-muted)]">
+          <button
+            type="button"
+            onClick={() =>
+              setReplyingTo((id) => (id === node.id ? null : node.id))
+            }
+            className="hover:text-[var(--text-primary)]"
+          >
+            Reply
+          </button>
+          <button
+            type="button"
+            onClick={() => toggleResolved(node)}
+            className="hover:text-[var(--text-primary)]"
+          >
+            {resolved ? "Reopen" : "Resolve"}
+          </button>
+          {canEdit && (
+            <button
+              type="button"
+              onClick={() => remove(node)}
+              className="hover:text-[var(--error)]"
+            >
+              Delete
+            </button>
+          )}
+        </div>
+        {replyingTo === node.id && (
+          <div className="mt-2 space-y-2">
+            <textarea
+              value={replyBody}
+              onChange={(e) => setReplyBody(e.target.value)}
+              rows={2}
+              className="w-full text-sm p-2 border border-[var(--border)] rounded bg-[var(--bg-primary)] text-[var(--text-primary)]"
+              placeholder="Reply..."
+            />
+            <div className="flex gap-2">
+              <Button
+                type="button"
+                size="sm"
+                onClick={() => submit(replyBody, node.id)}
+              >
+                Post reply
+              </Button>
+              <Button
+                type="button"
+                size="sm"
+                variant="outline"
+                onClick={() => {
+                  setReplyingTo(null);
+                  setReplyBody("");
+                }}
+              >
+                Cancel
+              </Button>
+            </div>
+          </div>
+        )}
+        {node.replies.map((r) => renderNode(r, depth + 1))}
+      </div>
+    );
+  }
+
+  return (
+    <aside className="w-80 shrink-0 h-full border-l border-[var(--border)] bg-[var(--bg-secondary)] flex flex-col">
+      <div className="h-12 shrink-0 flex items-center justify-between px-4 border-b border-[var(--border)]">
+        <span className="text-sm font-medium text-[var(--text-primary)]">
+          Comments
+        </span>
+        <button
+          type="button"
+          onClick={onClose}
+          className="text-[var(--text-muted)] hover:text-[var(--text-primary)]"
+        >
+          ×
+        </button>
+      </div>
+      <div className="flex-1 overflow-auto p-4 space-y-4">
+        {loading ? (
+          <p className="text-sm text-[var(--text-muted)]">Loading...</p>
+        ) : tree.length === 0 ? (
+          <p className="text-sm text-[var(--text-muted)]">
+            No comments yet. Leave the first one below.
+          </p>
+        ) : (
+          tree.map((n) => renderNode(n, 0))
+        )}
+        {error && <p className="text-sm text-[var(--error)]">{error}</p>}
+      </div>
+      <div className="shrink-0 p-4 border-t border-[var(--border)] space-y-2">
+        <textarea
+          value={newBody}
+          onChange={(e) => setNewBody(e.target.value)}
+          rows={3}
+          className="w-full text-sm p-2 border border-[var(--border)] rounded bg-[var(--bg-primary)] text-[var(--text-primary)]"
+          placeholder="Leave a comment..."
+        />
+        <Button
+          type="button"
+          fullWidth
+          size="sm"
+          onClick={() => submit(newBody, null)}
+        >
+          Post
+        </Button>
+      </div>
+    </aside>
+  );
+}

From b1400e6a864db3d3ef9c3120a57f79615770005a Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:31:27 +0400
Subject: [PATCH 71/82] refactor(ui): drop custom cursor overlay in favor of
 Excalidraw collaborators

---
 .../components/board/RemoteCursorsOverlay.tsx | 64 -------------------
 1 file changed, 64 deletions(-)
 delete mode 100644 apps/frontend/src/components/board/RemoteCursorsOverlay.tsx

diff --git a/apps/frontend/src/components/board/RemoteCursorsOverlay.tsx b/apps/frontend/src/components/board/RemoteCursorsOverlay.tsx
deleted file mode 100644
index 67b81c8..0000000
--- a/apps/frontend/src/components/board/RemoteCursorsOverlay.tsx
+++ /dev/null
@@ -1,64 +0,0 @@
-import { sceneCoordsToViewportCoords } from "@excalidraw/excalidraw";
-import type { ExcalidrawViewportState } from "@/pages/board/BoardPage";
-import type { RemoteCursor } from "@/hooks/useBoardWebSocket";
-
-interface RemoteCursorsOverlayProps {
-  viewportState: ExcalidrawViewportState | null;
-  cursors: Record<string, RemoteCursor>;
-}
-
-export function RemoteCursorsOverlay({
-  viewportState,
-  cursors,
-}: RemoteCursorsOverlayProps) {
-  const entries = Object.entries(cursors);
-  if (!viewportState || entries.length === 0) return null;
-
-  const { scrollX, scrollY, zoom, offsetLeft, offsetTop } = viewportState;
-
-  return (
-    <div
-      className="absolute inset-0 pointer-events-none overflow-hidden"
-      aria-hidden
-    >
-      {entries.map(([userId, cursor]) => {
-        const vp = sceneCoordsToViewportCoords(
-          { sceneX: cursor.x, sceneY: cursor.y },
-          {
-            scrollX,
-            scrollY,
-            zoom,
-            offsetLeft,
-            offsetTop,
-          } as Parameters<typeof sceneCoordsToViewportCoords>[1],
-        );
-        return (
-          <div
-            key={userId}
-            className="absolute flex items-center gap-1.5 transition-transform duration-75 will-change-transform"
-            style={{
-              left: vp.x + offsetLeft,
-              top: vp.y + offsetTop,
-              transform: "translate(8px, 8px)",
-            }}
-          >
-            <div
-              className="w-3 h-3 rounded-full border-2 border-[var(--bg-primary)] shadow-sm"
-              style={{ backgroundColor: "var(--accent)" }}
-            />
-            <span
-              className="text-xs font-medium px-1.5 py-0.5 rounded max-w-[120px] truncate"
-              style={{
-                color: "var(--text-primary)",
-                backgroundColor: "var(--bg-secondary)",
-                border: "1px solid var(--border)",
-              }}
-            >
-              {cursor.username}
-            </span>
-          </div>
-        );
-      })}
-    </div>
-  );
-}

From 2de560c02c46e03bd584c7e8326a90b1523e3a90 Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:31:27 +0400
Subject: [PATCH 72/82] feat(ui): account settings modal with avatar upload

---
 .../account/AccountSettingsModal.tsx          | 179 ++++++++++++++++++
 1 file changed, 179 insertions(+)
 create mode 100644 apps/frontend/src/components/account/AccountSettingsModal.tsx

diff --git a/apps/frontend/src/components/account/AccountSettingsModal.tsx b/apps/frontend/src/components/account/AccountSettingsModal.tsx
new file mode 100644
index 0000000..50987be
--- /dev/null
+++ b/apps/frontend/src/components/account/AccountSettingsModal.tsx
@@ -0,0 +1,179 @@
+import { useRef, useState } from "react";
+import { Avatar, Button, Input, Modal } from "@/components/ui";
+import { apiFetch, formatApiError } from "@/lib/api";
+import { displayNameOf } from "@/lib/identity";
+import { useAuthStore, type AuthUser } from "@/stores/authStore";
+
+interface Props {
+  onClose: () => void;
+}
+
+const MAX_BYTES = 5 * 1024 * 1024;
+const ACCEPTED = ["image/jpeg", "image/png", "image/webp", "image/gif"];
+
+export function AccountSettingsModal({ onClose }: Props) {
+  const user = useAuthStore((s) => s.user);
+  const setUser = useAuthStore((s) => s.setUser);
+
+  const [firstName, setFirstName] = useState(user?.first_name ?? "");
+  const [lastName, setLastName] = useState(user?.last_name ?? "");
+  const [saving, setSaving] = useState(false);
+  const [uploading, setUploading] = useState(false);
+  const [error, setError] = useState<string | null>(null);
+  const fileInputRef = useRef<HTMLInputElement>(null);
+
+  async function handleSaveProfile(e: React.FormEvent) {
+    e.preventDefault();
+    if (!user) return;
+    setError(null);
+    setSaving(true);
+    try {
+      const res = await apiFetch(`/api/users/${user.id}`, {
+        method: "PATCH",
+        body: JSON.stringify({
+          first_name: firstName.trim(),
+          last_name: lastName.trim(),
+        }),
+      });
+      if (!res.ok) {
+        const body = await res.json().catch(() => ({}));
+        setError(formatApiError(body.detail, "Could not save profile."));
+        return;
+      }
+      const updated: AuthUser = await res.json();
+      setUser(updated);
+    } catch {
+      setError("Network error.");
+    } finally {
+      setSaving(false);
+    }
+  }
+
+  async function handleAvatarChange(e: React.ChangeEvent<HTMLInputElement>) {
+    const file = e.target.files?.[0];
+    e.target.value = "";
+    if (!file) return;
+    if (!ACCEPTED.includes(file.type)) {
+      setError("Use a JPEG, PNG, WEBP, or GIF image.");
+      return;
+    }
+    if (file.size > MAX_BYTES) {
+      setError(
+        `Image must be under ${Math.round(MAX_BYTES / 1024 / 1024)} MB.`,
+      );
+      return;
+    }
+    setError(null);
+    setUploading(true);
+    try {
+      const form = new FormData();
+      form.append("file", file);
+      const res = await apiFetch("/api/users/me/avatar", {
+        method: "POST",
+        body: form,
+      });
+      if (!res.ok) {
+        const body = await res.json().catch(() => ({}));
+        setError(formatApiError(body.detail, "Could not upload avatar."));
+        return;
+      }
+      const updated: AuthUser = await res.json();
+      setUser(updated);
+    } catch {
+      setError("Network error.");
+    } finally {
+      setUploading(false);
+    }
+  }
+
+  async function handleAvatarRemove() {
+    setError(null);
+    setUploading(true);
+    try {
+      const res = await apiFetch("/api/users/me/avatar", { method: "DELETE" });
+      if (!res.ok) {
+        setError("Could not remove avatar.");
+        return;
+      }
+      const updated: AuthUser = await res.json();
+      setUser(updated);
+    } catch {
+      setError("Network error.");
+    } finally {
+      setUploading(false);
+    }
+  }
+
+  return (
+    <Modal title="Account settings" onClose={onClose}>
+      <form onSubmit={handleSaveProfile} className="space-y-5">
+        <div className="flex items-center gap-4">
+          <Avatar user={user} size={64} />
+          <div className="space-y-1">
+            <div className="text-sm text-[var(--text-primary)] font-medium">
+              {displayNameOf(user)}
+            </div>
+            <div className="text-xs text-[var(--text-muted)]">
+              {user?.email}
+            </div>
+            <div className="flex gap-2 pt-1">
+              <Button
+                type="button"
+                variant="outline"
+                size="sm"
+                disabled={uploading}
+                onClick={() => fileInputRef.current?.click()}
+              >
+                {uploading ? "Uploading..." : "Change photo"}
+              </Button>
+              {user?.avatar_url && (
+                <Button
+                  type="button"
+                  variant="ghost"
+                  size="sm"
+                  disabled={uploading}
+                  onClick={handleAvatarRemove}
+                >
+                  Remove
+                </Button>
+              )}
+              <input
+                ref={fileInputRef}
+                type="file"
+                accept={ACCEPTED.join(",")}
+                className="hidden"
+                onChange={handleAvatarChange}
+              />
+            </div>
+          </div>
+        </div>
+
+        <div className="grid grid-cols-2 gap-3">
+          <Input
+            label="First name"
+            value={firstName}
+            onChange={(e) => setFirstName(e.target.value)}
+            autoComplete="given-name"
+          />
+          <Input
+            label="Last name"
+            value={lastName}
+            onChange={(e) => setLastName(e.target.value)}
+            autoComplete="family-name"
+          />
+        </div>
+
+        {error && <p className="text-sm text-[var(--error)]">{error}</p>}
+
+        <div className="flex justify-end gap-2 pt-2 border-t border-[var(--border)]">
+          <Button type="button" variant="ghost" onClick={onClose}>
+            Close
+          </Button>
+          <Button type="submit" disabled={saving}>
+            {saving ? "Saving..." : "Save"}
+          </Button>
+        </div>
+      </form>
+    </Modal>
+  );
+}

From 137635b56576df1bbb7f6c1cee4c557eec53fa4a Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:31:28 +0400
Subject: [PATCH 73/82] feat(ui): global board search with Ctrl+K shortcut

---
 .../src/components/layout/GlobalSearch.tsx    | 102 ++++++++++++++++++
 1 file changed, 102 insertions(+)
 create mode 100644 apps/frontend/src/components/layout/GlobalSearch.tsx

diff --git a/apps/frontend/src/components/layout/GlobalSearch.tsx b/apps/frontend/src/components/layout/GlobalSearch.tsx
new file mode 100644
index 0000000..16c996d
--- /dev/null
+++ b/apps/frontend/src/components/layout/GlobalSearch.tsx
@@ -0,0 +1,102 @@
+import { useEffect, useRef, useState } from "react";
+import { useNavigate } from "react-router-dom";
+import { apiFetch, type Board } from "@/lib/api";
+
+export function GlobalSearch() {
+  const navigate = useNavigate();
+  const [query, setQuery] = useState("");
+  const [results, setResults] = useState<Board[]>([]);
+  const [open, setOpen] = useState(false);
+  const containerRef = useRef<HTMLDivElement>(null);
+  const debounceRef = useRef<ReturnType<typeof setTimeout> | null>(null);
+
+  useEffect(() => {
+    if (debounceRef.current) clearTimeout(debounceRef.current);
+    const q = query.trim();
+    if (!q) {
+      queueMicrotask(() => setResults([]));
+      return;
+    }
+    debounceRef.current = setTimeout(async () => {
+      try {
+        const res = await apiFetch(
+          `/api/boards/search?q=${encodeURIComponent(q)}&limit=10`,
+        );
+        if (!res.ok) return;
+        const body = await res.json();
+        setResults(body.items ?? []);
+      } catch {
+        /* ignore */
+      }
+    }, 250);
+    return () => {
+      if (debounceRef.current) clearTimeout(debounceRef.current);
+    };
+  }, [query]);
+
+  useEffect(() => {
+    const onDocClick = (e: MouseEvent) => {
+      if (!containerRef.current) return;
+      if (!containerRef.current.contains(e.target as Node)) {
+        setOpen(false);
+      }
+    };
+    document.addEventListener("mousedown", onDocClick);
+    return () => document.removeEventListener("mousedown", onDocClick);
+  }, []);
+
+  useEffect(() => {
+    const onKey = (e: KeyboardEvent) => {
+      if ((e.ctrlKey || e.metaKey) && e.key === "k") {
+        e.preventDefault();
+        setOpen(true);
+      }
+    };
+    window.addEventListener("keydown", onKey);
+    return () => window.removeEventListener("keydown", onKey);
+  }, []);
+
+  return (
+    <div ref={containerRef} className="relative w-72">
+      <input
+        type="search"
+        value={query}
+        onChange={(e) => {
+          setQuery(e.target.value);
+          setOpen(true);
+        }}
+        onFocus={() => setOpen(true)}
+        placeholder="Search boards... (Ctrl+K)"
+        className="w-full px-3 py-1.5 text-sm border border-[var(--border)] rounded bg-[var(--bg-primary)] text-[var(--text-primary)] placeholder-[var(--text-muted)]"
+      />
+      {open && results.length > 0 && (
+        <div className="absolute left-0 right-0 top-full mt-1 border border-[var(--border)] bg-[var(--bg-elevated)] rounded shadow-md z-20 max-h-80 overflow-auto">
+          {results.map((b) => (
+            <button
+              key={b.id}
+              type="button"
+              onClick={() => {
+                setOpen(false);
+                setQuery("");
+                navigate(`/boards/${b.id}`);
+              }}
+              className="block w-full text-left px-3 py-2 text-sm text-[var(--text-primary)] hover:bg-[var(--bg-tertiary)]"
+            >
+              <div className="font-medium">{b.name}</div>
+              {(b.owner_display_name || b.owner_username) && (
+                <div className="text-xs text-[var(--text-muted)]">
+                  {b.owner_display_name || b.owner_username}
+                </div>
+              )}
+            </button>
+          ))}
+        </div>
+      )}
+      {open && query.trim() && results.length === 0 && (
+        <div className="absolute left-0 right-0 top-full mt-1 px-3 py-2 text-sm text-[var(--text-muted)] border border-[var(--border)] bg-[var(--bg-elevated)] rounded shadow-md z-20">
+          No matches.
+        </div>
+      )}
+    </div>
+  );
+}

From 576f84a50ac94c5a9f14b8d9c99ce9590470b886 Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:31:29 +0400
Subject: [PATCH 74/82] feat(ui): shell header uses avatar, display name,
 account modal

---
 .../src/components/layout/DashboardShell.tsx  | 31 ++++++++++++-------
 1 file changed, 20 insertions(+), 11 deletions(-)

diff --git a/apps/frontend/src/components/layout/DashboardShell.tsx b/apps/frontend/src/components/layout/DashboardShell.tsx
index 37c0d30..e6d51f4 100644
--- a/apps/frontend/src/components/layout/DashboardShell.tsx
+++ b/apps/frontend/src/components/layout/DashboardShell.tsx
@@ -1,9 +1,14 @@
 import { type ReactNode } from "react";
 import { Link, useNavigate } from "react-router-dom";
 import { useI18n } from "@/context/I18nContext";
+import { logoutAndClear } from "@/lib/api";
 import { useAuthStore } from "@/stores/authStore";
-import { Dropdown } from "@/components/ui";
+import { useState } from "react";
+import { Avatar, Dropdown } from "@/components/ui";
 import { NotificationIcon } from "@/components/icons";
+import { displayNameOf } from "@/lib/identity";
+import { AccountSettingsModal } from "@/components/account/AccountSettingsModal";
+import { GlobalSearch } from "./GlobalSearch";
 
 interface DashboardShellProps {
   sidebar: ReactNode;
@@ -28,7 +33,8 @@ export function DashboardShell({
 }: DashboardShellProps) {
   const { t } = useI18n();
   const navigate = useNavigate();
-  const { user, logout } = useAuthStore();
+  const user = useAuthStore((s) => s.user);
+  const [accountOpen, setAccountOpen] = useState(false);
 
   return (
     <div className="flex min-h-screen bg-[var(--bg-primary)]">
@@ -81,7 +87,7 @@ export function DashboardShell({
       </aside>
       <div className="flex-1 flex flex-col min-h-0 bg-[var(--bg-secondary)]">
         <header className="h-14 shrink-0 flex items-center justify-between px-4 border-b border-[var(--border)] bg-[var(--bg-secondary)]">
-          <div />
+          <GlobalSearch />
           <div className="flex items-center gap-3">
             <button
               type="button"
@@ -100,22 +106,23 @@ export function DashboardShell({
             <Dropdown
               trigger={
                 <div className="flex items-center gap-2 px-2 py-1.5 rounded-[var(--radius-md)] hover:bg-[var(--bg-tertiary)]">
-                  <div className="w-8 h-8 rounded-full bg-[var(--accent-soft)] flex items-center justify-center text-sm font-medium text-[var(--accent)]">
-                    {user?.username?.charAt(0)?.toUpperCase() || "?"}
-                  </div>
+                  <Avatar user={user} size={32} />
                   <span className="text-sm text-[var(--text-primary)]">
-                    {user?.username}
+                    {displayNameOf(user)}
+                  </span>
+                  <span aria-hidden className="text-[var(--text-muted)]">
+                    ▾
                   </span>
-                  <span className="text-[var(--text-muted)]">▾</span>
                 </div>
               }
               align="right"
             >
               <button
                 type="button"
+                onClick={() => setAccountOpen(true)}
                 className="block w-full text-left px-3 py-2 text-sm text-[var(--text-primary)] hover:bg-[var(--bg-tertiary)]"
               >
-                {t("dashboard.profile") ?? "Profile"}
+                {t("dashboard.profile") ?? "Account settings"}
               </button>
               <button
                 type="button"
@@ -142,8 +149,7 @@ export function DashboardShell({
                 type="button"
                 className="block w-full text-left px-3 py-2 text-sm text-[var(--text-primary)] hover:bg-[var(--bg-tertiary)]"
                 onClick={() => {
-                  logout();
-                  navigate("/");
+                  void logoutAndClear().then(() => navigate("/"));
                 }}
               >
                 {t("common.logout")}
@@ -155,6 +161,9 @@ export function DashboardShell({
           {children}
         </main>
       </div>
+      {accountOpen && (
+        <AccountSettingsModal onClose={() => setAccountOpen(false)} />
+      )}
     </div>
   );
 }

From a2d27516ad42af4bc6d2f6b007e3ae104f860abd Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:31:30 +0400
Subject: [PATCH 75/82] feat(ui): layout hydrates full user profile from
 /auth/me

---
 apps/frontend/src/components/layout/DashboardLayout.tsx | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)

diff --git a/apps/frontend/src/components/layout/DashboardLayout.tsx b/apps/frontend/src/components/layout/DashboardLayout.tsx
index 0112ad6..a288d24 100644
--- a/apps/frontend/src/components/layout/DashboardLayout.tsx
+++ b/apps/frontend/src/components/layout/DashboardLayout.tsx
@@ -70,13 +70,7 @@ export function DashboardLayout() {
         return res.json();
       })
       .then((data) => {
-        if (data)
-          setUser({
-            id: data.id,
-            email: data.email,
-            username: data.username,
-            avatar_url: data.avatar_url ?? null,
-          });
+        if (data) setUser(data);
       })
       .catch(() => {
         logout();

From b931f1366f1d24b92082899b5fc13abee390a892 Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:31:31 +0400
Subject: [PATCH 76/82] feat(ui): inline templates next to blank board and
 display-name swap

---
 .../src/pages/dashboard/DashboardPage.tsx     | 63 ++++++++++++++++---
 1 file changed, 53 insertions(+), 10 deletions(-)

diff --git a/apps/frontend/src/pages/dashboard/DashboardPage.tsx b/apps/frontend/src/pages/dashboard/DashboardPage.tsx
index 16b872e..3137c1c 100644
--- a/apps/frontend/src/pages/dashboard/DashboardPage.tsx
+++ b/apps/frontend/src/pages/dashboard/DashboardPage.tsx
@@ -16,6 +16,7 @@ import { formatApiError } from "@/lib/api";
 import { useWorkspaces } from "@/hooks/useWorkspaces";
 import { useBoards } from "@/hooks/useBoards";
 import { useStarredBoards } from "@/hooks/useStarredBoards";
+import { useTemplates } from "@/hooks/useTemplates";
 import { useAuthStore } from "@/stores/authStore";
 import { useDashboardStore } from "@/stores/dashboardStore";
 import type { Board } from "@/lib/api";
@@ -64,11 +65,17 @@ export function DashboardPage() {
     error: boardsError,
     fetchBoards,
     createBoard,
+    createBoardFromTemplate,
     updateBoard,
     deleteBoard,
     duplicateBoard,
   } = useBoards(selectedWorkspaceId);
 
+  const { templates } = useTemplates();
+  const [creatingFromTemplate, setCreatingFromTemplate] = useState<
+    string | null
+  >(null);
+
   const {
     boards: starredBoards,
     fetchStarredBoards,
@@ -98,12 +105,6 @@ export function DashboardPage() {
     fetchStarredBoards();
   }, [fetchStarredBoards]);
 
-  useEffect(() => {
-    if (workspaces.length > 0 && !selectedWorkspaceId) {
-      setSelectedWorkspaceId(workspaces[0].id);
-    }
-  }, [workspaces, selectedWorkspaceId, setSelectedWorkspaceId]);
-
   const filteredAndSortedBoards = useMemo(() => {
     let result = [...boards];
     if (searchQuery.trim()) {
@@ -111,6 +112,7 @@ export function DashboardPage() {
       result = result.filter((b) => b.name.toLowerCase().includes(q));
     }
     if (filterBy === "owned" && user) {
+      // Match either modern username or the shared user id exposure.
       result = result.filter((b) => b.owner_username === user.username);
     }
     result.sort((a, b) => {
@@ -148,6 +150,17 @@ export function DashboardPage() {
     }
   }
 
+  async function handlePickTemplate(slug: string) {
+    if (creatingFromTemplate) return;
+    setCreatingFromTemplate(slug);
+    try {
+      const board = await createBoardFromTemplate("", slug);
+      if (board) navigate(`/boards/${board.id}`);
+    } finally {
+      setCreatingFromTemplate(null);
+    }
+  }
+
   if (!user) return null;
 
   return (
@@ -176,13 +189,43 @@ export function DashboardPage() {
                 <button
                   type="button"
                   onClick={() => setShowCreateBoard(true)}
-                  className="shrink-0 w-40 h-24 flex flex-col items-center justify-center rounded-[var(--radius-lg)] border-2 border-dashed border-[var(--border)] hover:border-[var(--border-focus)] hover:bg-[var(--bg-tertiary)] transition-colors"
+                  className="shrink-0 w-48 h-28 flex flex-col items-center justify-center rounded-[var(--radius-lg)] border-2 border-dashed border-[var(--border)] hover:border-[var(--border-focus)] hover:bg-[var(--bg-tertiary)] transition-colors"
                 >
-                  <span className="text-2xl text-[var(--text-muted)]">+</span>
+                  <span
+                    aria-hidden
+                    className="text-2xl text-[var(--text-muted)]"
+                  >
+                    +
+                  </span>
                   <span className="text-sm text-[var(--text-secondary)] mt-1">
                     {t("dashboard.blankBoard")}
                   </span>
                 </button>
+                {templates
+                  .filter((tpl) => tpl.slug !== "blank")
+                  .map((tpl) => {
+                    const busy = creatingFromTemplate === tpl.slug;
+                    return (
+                      <button
+                        key={tpl.slug}
+                        type="button"
+                        disabled={creatingFromTemplate !== null}
+                        onClick={() => handlePickTemplate(tpl.slug)}
+                        className="shrink-0 w-48 h-28 flex flex-col items-start justify-between text-left p-3 rounded-[var(--radius-lg)] border border-[var(--border)] bg-[var(--bg-secondary)] hover:border-[var(--border-focus)] hover:bg-[var(--bg-tertiary)] transition-colors disabled:opacity-60 disabled:cursor-wait"
+                        title={tpl.description}
+                      >
+                        <span className="text-xs uppercase tracking-wide text-[var(--text-muted)]">
+                          {tpl.category}
+                        </span>
+                        <span className="text-sm font-medium text-[var(--text-primary)] line-clamp-2">
+                          {tpl.name}
+                        </span>
+                        <span className="text-xs text-[var(--text-muted)]">
+                          {busy ? "Creating..." : "Use template"}
+                        </span>
+                      </button>
+                    );
+                  })}
               </div>
             </section>
 
@@ -599,7 +642,7 @@ function BoardCard({
           {formatDate(board.updated_at)} ·{" "}
           {board.owner_username === user?.username
             ? t("dashboard.you")
-            : (board.owner_username ?? "—")}
+            : board.owner_display_name || board.owner_username || "—"}
         </p>
       </Link>
     </Card>
@@ -645,7 +688,7 @@ function BoardRow({
       <td className="px-4 py-3 text-[var(--text-secondary)]">
         {board.owner_username === user?.username
           ? t("dashboard.you")
-          : (board.owner_username ?? "—")}
+          : board.owner_display_name || board.owner_username || "—"}
       </td>
       <td className="px-2 py-3">
         <BoardActions

From f6db2ab26a35fa27d73157303a6d459f5f273f84 Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:31:31 +0400
Subject: [PATCH 77/82] feat(ui): recent and starred pages display
 owner_display_name

---
 apps/frontend/src/pages/dashboard/RecentPage.tsx  | 4 +++-
 apps/frontend/src/pages/dashboard/StarredPage.tsx | 2 +-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/apps/frontend/src/pages/dashboard/RecentPage.tsx b/apps/frontend/src/pages/dashboard/RecentPage.tsx
index 503ebfc..895d4c3 100644
--- a/apps/frontend/src/pages/dashboard/RecentPage.tsx
+++ b/apps/frontend/src/pages/dashboard/RecentPage.tsx
@@ -240,7 +240,9 @@ export function RecentPage() {
                       <td className="px-4 py-3 text-[var(--text-secondary)]">
                         {board.owner_username === user?.username
                           ? t("dashboard.you")
-                          : (board.owner_username ?? "—")}
+                          : board.owner_display_name ||
+                            board.owner_username ||
+                            "—"}
                       </td>
                       <td className="px-2 py-3">
                         <BoardActions
diff --git a/apps/frontend/src/pages/dashboard/StarredPage.tsx b/apps/frontend/src/pages/dashboard/StarredPage.tsx
index 67c8dfc..3334e38 100644
--- a/apps/frontend/src/pages/dashboard/StarredPage.tsx
+++ b/apps/frontend/src/pages/dashboard/StarredPage.tsx
@@ -187,7 +187,7 @@ export function StarredPage() {
                   <td className="px-4 py-3 text-[var(--text-secondary)]">
                     {board.owner_username === user?.username
                       ? t("dashboard.you")
-                      : (board.owner_username ?? "—")}
+                      : board.owner_display_name || board.owner_username || "—"}
                   </td>
                   <td className="px-2 py-3">
                     <BoardActions

From df253ac9d2d2d51e2b8f2aa309f46796cf0f7ce4 Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:31:32 +0400
Subject: [PATCH 78/82] feat(ui): workspace settings uses Avatar and
 display_name

---
 .../pages/dashboard/WorkspaceSettingsPage.tsx | 48 ++++++++++++-------
 1 file changed, 30 insertions(+), 18 deletions(-)

diff --git a/apps/frontend/src/pages/dashboard/WorkspaceSettingsPage.tsx b/apps/frontend/src/pages/dashboard/WorkspaceSettingsPage.tsx
index 5364b03..ea3396f 100644
--- a/apps/frontend/src/pages/dashboard/WorkspaceSettingsPage.tsx
+++ b/apps/frontend/src/pages/dashboard/WorkspaceSettingsPage.tsx
@@ -13,7 +13,7 @@ import {
   YAxis,
 } from "recharts";
 import { useI18n } from "@/context/I18nContext";
-import { Button, Input } from "@/components/ui";
+import { Avatar, Button, Input } from "@/components/ui";
 import {
   apiFetch,
   formatApiError,
@@ -179,9 +179,9 @@ export function WorkspaceSettingsPage() {
     const q = memberSearch.trim().toLowerCase();
     if (!q) return members;
     return members.filter((member) => {
-      const username = (member.username ?? "").toLowerCase();
+      const name = (member.display_name ?? member.username ?? "").toLowerCase();
       const email = (member.email ?? "").toLowerCase();
-      return username.includes(q) || email.includes(q);
+      return name.includes(q) || email.includes(q);
     });
   }, [members, memberSearch]);
 
@@ -489,15 +489,21 @@ export function WorkspaceSettingsPage() {
                   key={member.id}
                   className="grid grid-cols-[2fr_1fr_auto] gap-3 px-4 py-3 border-t border-[var(--border)] items-center"
                 >
-                  <div className="min-w-0">
-                    <p className="text-sm text-[var(--text-primary)] truncate">
-                      {member.username || member.email || member.user_id}
-                    </p>
-                    {member.email && (
-                      <p className="text-xs text-[var(--text-muted)] truncate">
-                        {member.email}
+                  <div className="min-w-0 flex items-center gap-3">
+                    <Avatar user={member} size={32} />
+                    <div className="min-w-0">
+                      <p className="text-sm text-[var(--text-primary)] truncate">
+                        {member.display_name ||
+                          member.username ||
+                          member.email ||
+                          member.user_id}
                       </p>
-                    )}
+                      {member.email && (
+                        <p className="text-xs text-[var(--text-muted)] truncate">
+                          {member.email}
+                        </p>
+                      )}
+                    </div>
                   </div>
                   <span className="text-sm text-[var(--text-secondary)] capitalize">
                     {member.role}
@@ -674,14 +680,20 @@ export function WorkspaceSettingsPage() {
               {recentMembers.map((member) => (
                 <div
                   key={member.id}
-                  className="px-3 py-2 rounded-[var(--radius-md)] bg-[var(--bg-tertiary)]"
+                  className="px-3 py-2 rounded-[var(--radius-md)] bg-[var(--bg-tertiary)] flex items-center gap-2"
                 >
-                  <p className="text-sm text-[var(--text-primary)]">
-                    {member.username || member.email || member.user_id}
-                  </p>
-                  <p className="text-xs text-[var(--text-muted)] capitalize">
-                    {member.role}
-                  </p>
+                  <Avatar user={member} size={28} />
+                  <div className="min-w-0">
+                    <p className="text-sm text-[var(--text-primary)] truncate">
+                      {member.display_name ||
+                        member.username ||
+                        member.email ||
+                        member.user_id}
+                    </p>
+                    <p className="text-xs text-[var(--text-muted)] capitalize">
+                      {member.role}
+                    </p>
+                  </div>
                 </div>
               ))}
               {recentMembers.length === 0 && (

From 039d89e56466ea9380ad26d8af5cd1a2e3a98a41 Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:31:33 +0400
Subject: [PATCH 79/82] feat(ui): routes for shared board, verify email,
 forgot/reset password

---
 apps/frontend/src/routes/index.tsx | 44 ++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)

diff --git a/apps/frontend/src/routes/index.tsx b/apps/frontend/src/routes/index.tsx
index d5c3b30..6f44d02 100644
--- a/apps/frontend/src/routes/index.tsx
+++ b/apps/frontend/src/routes/index.tsx
@@ -19,6 +19,12 @@ const RegisterPage = lazy(() =>
 const AuthCallbackPage = lazy(() =>
   import("@/pages/auth").then((m) => ({ default: m.AuthCallbackPage })),
 );
+const ForgotPasswordPage = lazy(() =>
+  import("@/pages/auth").then((m) => ({ default: m.ForgotPasswordPage })),
+);
+const ResetPasswordPage = lazy(() =>
+  import("@/pages/auth").then((m) => ({ default: m.ResetPasswordPage })),
+);
 const InvitePage = lazy(() =>
   import("@/pages/auth").then((m) => ({ default: m.InvitePage })),
 );
@@ -39,6 +45,12 @@ const WorkspaceSettingsPage = lazy(() =>
 const BoardPage = lazy(() =>
   import("@/pages/board").then((m) => ({ default: m.BoardPage })),
 );
+const SharedBoardPage = lazy(() =>
+  import("@/pages/board").then((m) => ({ default: m.SharedBoardPage })),
+);
+const VerifyEmailPage = lazy(() =>
+  import("@/pages/auth").then((m) => ({ default: m.VerifyEmailPage })),
+);
 
 const router = createBrowserRouter([
   { path: "/", element: <LandingPage /> },
@@ -66,6 +78,22 @@ const router = createBrowserRouter([
       </Suspense>
     ),
   },
+  {
+    path: "/forgot-password",
+    element: (
+      <Suspense fallback={null}>
+        <ForgotPasswordPage />
+      </Suspense>
+    ),
+  },
+  {
+    path: "/reset-password",
+    element: (
+      <Suspense fallback={null}>
+        <ResetPasswordPage />
+      </Suspense>
+    ),
+  },
   {
     path: "/invite/:token",
     element: (
@@ -126,6 +154,22 @@ const router = createBrowserRouter([
       </ProtectedRoute>
     ),
   },
+  {
+    path: "/shared/:token",
+    element: (
+      <Suspense fallback={null}>
+        <SharedBoardPage />
+      </Suspense>
+    ),
+  },
+  {
+    path: "/verify-email",
+    element: (
+      <Suspense fallback={null}>
+        <VerifyEmailPage />
+      </Suspense>
+    ),
+  },
   { path: "*", element: <Navigate to="/" replace /> },
 ]);
 

From 58acc37cdbc43383d5ee56f970cbd1ce63f8b4df Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:31:34 +0400
Subject: [PATCH 80/82] feat(i18n): add account settings profile key

---
 apps/frontend/src/i18n/locales/az.json | 1 +
 apps/frontend/src/i18n/locales/en.json | 1 +
 apps/frontend/src/i18n/locales/ru.json | 1 +
 3 files changed, 3 insertions(+)

diff --git a/apps/frontend/src/i18n/locales/az.json b/apps/frontend/src/i18n/locales/az.json
index 3cfa609..9e79288 100644
--- a/apps/frontend/src/i18n/locales/az.json
+++ b/apps/frontend/src/i18n/locales/az.json
@@ -109,6 +109,7 @@
     "deleteWorkspace": "İş sahəsini sil",
     "inviteByEmail": "E-poçtla dəvət et",
     "workspaceSettings": "İş sahəsi parametrləri",
+    "profile": "Hesab parametrləri",
     "membersTab": "İstifadəçilər",
     "analyticsTab": "Analitika",
     "generalTab": "Ümumi",
diff --git a/apps/frontend/src/i18n/locales/en.json b/apps/frontend/src/i18n/locales/en.json
index ffdf4ec..83138c4 100644
--- a/apps/frontend/src/i18n/locales/en.json
+++ b/apps/frontend/src/i18n/locales/en.json
@@ -109,6 +109,7 @@
     "deleteWorkspace": "Delete workspace",
     "inviteByEmail": "Invite by email",
     "workspaceSettings": "Workspace settings",
+    "profile": "Account settings",
     "membersTab": "Users",
     "analyticsTab": "Analytics",
     "generalTab": "General",
diff --git a/apps/frontend/src/i18n/locales/ru.json b/apps/frontend/src/i18n/locales/ru.json
index 701ce94..f96e1c7 100644
--- a/apps/frontend/src/i18n/locales/ru.json
+++ b/apps/frontend/src/i18n/locales/ru.json
@@ -109,6 +109,7 @@
     "deleteWorkspace": "Удалить пространство",
     "inviteByEmail": "Пригласить по email",
     "workspaceSettings": "Настройки пространства",
+    "profile": "Настройки аккаунта",
     "membersTab": "Пользователи",
     "analyticsTab": "Аналитика",
     "generalTab": "Общие",

From 38fce5acae7c039c8a8522db19baacce8982747f Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:40:47 +0400
Subject: [PATCH 81/82] fix: resolve github issues

---
 api/app/app/main.py | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/api/app/app/main.py b/api/app/app/main.py
index 4f2f4a1..6f59abb 100644
--- a/api/app/app/main.py
+++ b/api/app/app/main.py
@@ -67,16 +67,21 @@ def _check_db() -> tuple[bool, str | None]:
         with SessionLocal() as session:
             session.execute(text("SELECT 1"))
         return True, None
-    except Exception as exc:
-        return False, str(exc)[:200]
+    except Exception:
+        # Full trace goes to the log. The public /health response stays
+        # generic so we don't leak DSNs, internal hostnames, or the
+        # exact DB error to anyone hitting the endpoint.
+        logger.warning("Database health check failed", exc_info=True)
+        return False, "unavailable"
 
 
 def _check_redis() -> tuple[bool, str | None]:
     try:
         get_redis().ping()
         return True, None
-    except Exception as exc:
-        return False, str(exc)[:200]
+    except Exception:
+        logger.warning("Redis health check failed", exc_info=True)
+        return False, "unavailable"
 
 
 @app.get("/health")

From 83e6b01462f69b175842edef9dc39be430a47110 Mon Sep 17 00:00:00 2001
From: martian56 <fuadelizade469@gmail.com>
Date: Sun, 19 Apr 2026 19:47:30 +0400
Subject: [PATCH 82/82] fix: add vitest to the lock file

---
 apps/frontend/package-lock.json | 442 +++++++++++++++++++++++++++++++-
 apps/frontend/package.json      |   3 +-
 2 files changed, 443 insertions(+), 2 deletions(-)

diff --git a/apps/frontend/package-lock.json b/apps/frontend/package-lock.json
index 0cfa78f..d9e95e4 100644
--- a/apps/frontend/package-lock.json
+++ b/apps/frontend/package-lock.json
@@ -32,7 +32,8 @@
         "prettier": "^3.8.1",
         "typescript": "~5.9.3",
         "typescript-eslint": "^8.48.0",
-        "vite": "^7.3.1"
+        "vite": "^7.3.1",
+        "vitest": "^3.2.4"
       }
     },
     "node_modules/@babel/code-frame": {
@@ -3027,6 +3028,17 @@
         "vite": "^5.2.0 || ^6 || ^7"
       }
     },
+    "node_modules/@types/chai": {
+      "version": "5.2.3",
+      "resolved": "https://registry.npmjs.org/@types/chai/-/chai-5.2.3.tgz",
+      "integrity": "sha512-Mw558oeA9fFbv65/y4mHtXDs9bPnFMZAL/jxdPFUpOHHIXX91mcgEHbS5Lahr+pwZFR8A7GQleRWeI6cGFC2UA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@types/deep-eql": "*",
+        "assertion-error": "^2.0.1"
+      }
+    },
     "node_modules/@types/d3-array": {
       "version": "3.2.2",
       "resolved": "https://registry.npmjs.org/@types/d3-array/-/d3-array-3.2.2.tgz",
@@ -3105,6 +3117,13 @@
         "@types/ms": "*"
       }
     },
+    "node_modules/@types/deep-eql": {
+      "version": "4.0.2",
+      "resolved": "https://registry.npmjs.org/@types/deep-eql/-/deep-eql-4.0.2.tgz",
+      "integrity": "sha512-c9h9dVVMigMPc4bwTvC5dxqtqJZwQPePsWjPlpSOnojbor6pGqdk541lfA7AqFQr5pB1BRdq0juY9db81BwyFw==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/@types/estree": {
       "version": "1.0.8",
       "resolved": "https://registry.npmjs.org/@types/estree/-/estree-1.0.8.tgz",
@@ -3487,6 +3506,121 @@
         "vite": "^4 || ^5 || ^6 || ^7"
       }
     },
+    "node_modules/@vitest/expect": {
+      "version": "3.2.4",
+      "resolved": "https://registry.npmjs.org/@vitest/expect/-/expect-3.2.4.tgz",
+      "integrity": "sha512-Io0yyORnB6sikFlt8QW5K7slY4OjqNX9jmJQ02QDda8lyM6B5oNgVWoSoKPac8/kgnCUzuHQKrSLtu/uOqqrig==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@types/chai": "^5.2.2",
+        "@vitest/spy": "3.2.4",
+        "@vitest/utils": "3.2.4",
+        "chai": "^5.2.0",
+        "tinyrainbow": "^2.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/vitest"
+      }
+    },
+    "node_modules/@vitest/mocker": {
+      "version": "3.2.4",
+      "resolved": "https://registry.npmjs.org/@vitest/mocker/-/mocker-3.2.4.tgz",
+      "integrity": "sha512-46ryTE9RZO/rfDd7pEqFl7etuyzekzEhUbTW3BvmeO/BcCMEgq59BKhek3dXDWgAj4oMK6OZi+vRr1wPW6qjEQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@vitest/spy": "3.2.4",
+        "estree-walker": "^3.0.3",
+        "magic-string": "^0.30.17"
+      },
+      "funding": {
+        "url": "https://opencollective.com/vitest"
+      },
+      "peerDependencies": {
+        "msw": "^2.4.9",
+        "vite": "^5.0.0 || ^6.0.0 || ^7.0.0-0"
+      },
+      "peerDependenciesMeta": {
+        "msw": {
+          "optional": true
+        },
+        "vite": {
+          "optional": true
+        }
+      }
+    },
+    "node_modules/@vitest/pretty-format": {
+      "version": "3.2.4",
+      "resolved": "https://registry.npmjs.org/@vitest/pretty-format/-/pretty-format-3.2.4.tgz",
+      "integrity": "sha512-IVNZik8IVRJRTr9fxlitMKeJeXFFFN0JaB9PHPGQ8NKQbGpfjlTx9zO4RefN8gp7eqjNy8nyK3NZmBzOPeIxtA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "tinyrainbow": "^2.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/vitest"
+      }
+    },
+    "node_modules/@vitest/runner": {
+      "version": "3.2.4",
+      "resolved": "https://registry.npmjs.org/@vitest/runner/-/runner-3.2.4.tgz",
+      "integrity": "sha512-oukfKT9Mk41LreEW09vt45f8wx7DordoWUZMYdY/cyAk7w5TWkTRCNZYF7sX7n2wB7jyGAl74OxgwhPgKaqDMQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@vitest/utils": "3.2.4",
+        "pathe": "^2.0.3",
+        "strip-literal": "^3.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/vitest"
+      }
+    },
+    "node_modules/@vitest/snapshot": {
+      "version": "3.2.4",
+      "resolved": "https://registry.npmjs.org/@vitest/snapshot/-/snapshot-3.2.4.tgz",
+      "integrity": "sha512-dEYtS7qQP2CjU27QBC5oUOxLE/v5eLkGqPE0ZKEIDGMs4vKWe7IjgLOeauHsR0D5YuuycGRO5oSRXnwnmA78fQ==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@vitest/pretty-format": "3.2.4",
+        "magic-string": "^0.30.17",
+        "pathe": "^2.0.3"
+      },
+      "funding": {
+        "url": "https://opencollective.com/vitest"
+      }
+    },
+    "node_modules/@vitest/spy": {
+      "version": "3.2.4",
+      "resolved": "https://registry.npmjs.org/@vitest/spy/-/spy-3.2.4.tgz",
+      "integrity": "sha512-vAfasCOe6AIK70iP5UD11Ac4siNUNJ9i/9PZ3NKx07sG6sUxeag1LWdNrMWeKKYBLlzuK+Gn65Yd5nyL6ds+nw==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "tinyspy": "^4.0.3"
+      },
+      "funding": {
+        "url": "https://opencollective.com/vitest"
+      }
+    },
+    "node_modules/@vitest/utils": {
+      "version": "3.2.4",
+      "resolved": "https://registry.npmjs.org/@vitest/utils/-/utils-3.2.4.tgz",
+      "integrity": "sha512-fB2V0JFrQSMsCo9HiSq3Ezpdv4iYaXRG1Sx8edX3MwxfyNn83mKiGzOcH+Fkxt4MHxr3y42fQi1oeAInqgX2QA==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@vitest/pretty-format": "3.2.4",
+        "loupe": "^3.1.4",
+        "tinyrainbow": "^2.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/vitest"
+      }
+    },
     "node_modules/acorn": {
       "version": "8.16.0",
       "resolved": "https://registry.npmjs.org/acorn/-/acorn-8.16.0.tgz",
@@ -3587,6 +3721,16 @@
         "node": ">=10"
       }
     },
+    "node_modules/assertion-error": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/assertion-error/-/assertion-error-2.0.1.tgz",
+      "integrity": "sha512-Izi8RQcffqCeNVgFigKli1ssklIbpHnCYc6AknXGYoB6grJqyeby7jv12JUQgmTAnIDnbck1uxksT4dzN3PWBA==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=12"
+      }
+    },
     "node_modules/balanced-match": {
       "version": "1.0.2",
       "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz",
@@ -3682,6 +3826,16 @@
         "node": "^6 || ^7 || ^8 || ^9 || ^10 || ^11 || ^12 || >=13.7"
       }
     },
+    "node_modules/cac": {
+      "version": "6.7.14",
+      "resolved": "https://registry.npmjs.org/cac/-/cac-6.7.14.tgz",
+      "integrity": "sha512-b6Ilus+c3RrdDk+JhLKUAQfzzgLEPy6wcXqS7f/xe1EETvsDP6GORG7SFuOs6cID5YkqchW/LXZbX5bc8j7ZcQ==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=8"
+      }
+    },
     "node_modules/callsites": {
       "version": "3.1.0",
       "resolved": "https://registry.npmjs.org/callsites/-/callsites-3.1.0.tgz",
@@ -3719,6 +3873,23 @@
       "integrity": "sha512-yWq+R3U3jE+coOeEb3a3GgE2j/0MMiDKM/QpLb6h9ihf5fGY9UXtvK9o4vNqjWXoZz7/3EaSVU3IX53TvFFUOw==",
       "license": "MIT"
     },
+    "node_modules/chai": {
+      "version": "5.3.3",
+      "resolved": "https://registry.npmjs.org/chai/-/chai-5.3.3.tgz",
+      "integrity": "sha512-4zNhdJD/iOjSH0A05ea+Ke6MU5mmpQcbQsSOkgdaUMJ9zTlDTD/GYlwohmIE2u0gaxHYiVHEn1Fw9mZ/ktJWgw==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "assertion-error": "^2.0.1",
+        "check-error": "^2.1.1",
+        "deep-eql": "^5.0.1",
+        "loupe": "^3.1.0",
+        "pathval": "^2.0.0"
+      },
+      "engines": {
+        "node": ">=18"
+      }
+    },
     "node_modules/chalk": {
       "version": "4.1.2",
       "resolved": "https://registry.npmjs.org/chalk/-/chalk-4.1.2.tgz",
@@ -3746,6 +3917,16 @@
         "url": "https://github.com/sponsors/wooorm"
       }
     },
+    "node_modules/check-error": {
+      "version": "2.1.3",
+      "resolved": "https://registry.npmjs.org/check-error/-/check-error-2.1.3.tgz",
+      "integrity": "sha512-PAJdDJusoxnwm1VwW07VWwUN1sl7smmC3OKggvndJFadxxDRyFJBX/ggnu/KE4kQAB7a3Dp8f/YXC1FlUprWmA==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">= 16"
+      }
+    },
     "node_modules/chokidar": {
       "version": "4.0.3",
       "resolved": "https://registry.npmjs.org/chokidar/-/chokidar-4.0.3.tgz",
@@ -4399,6 +4580,16 @@
         "url": "https://github.com/sponsors/wooorm"
       }
     },
+    "node_modules/deep-eql": {
+      "version": "5.0.2",
+      "resolved": "https://registry.npmjs.org/deep-eql/-/deep-eql-5.0.2.tgz",
+      "integrity": "sha512-h5k/5U50IJJFpzfL6nO9jaaumfjO/f2NjK/oYB2Djzm4p9L+3T9qWpZqZ2hAbLPuuYq9wrU08WQyBTL5GbPk5Q==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=6"
+      }
+    },
     "node_modules/deep-is": {
       "version": "0.1.4",
       "resolved": "https://registry.npmjs.org/deep-is/-/deep-is-0.1.4.tgz",
@@ -4480,6 +4671,13 @@
         "node": ">=10.13.0"
       }
     },
+    "node_modules/es-module-lexer": {
+      "version": "1.7.0",
+      "resolved": "https://registry.npmjs.org/es-module-lexer/-/es-module-lexer-1.7.0.tgz",
+      "integrity": "sha512-jEQoCwk8hyb2AZziIOLhDqpm5+2ww5uIE6lkO/6jcOCusfk6LhMHpXXfBLXTZ7Ydyt0j4VoUQv6uGNYbdW+kBA==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/es-toolkit": {
       "version": "1.45.1",
       "resolved": "https://registry.npmjs.org/es-toolkit/-/es-toolkit-1.45.1.tgz",
@@ -4737,6 +4935,16 @@
         "node": ">=4.0"
       }
     },
+    "node_modules/estree-walker": {
+      "version": "3.0.3",
+      "resolved": "https://registry.npmjs.org/estree-walker/-/estree-walker-3.0.3.tgz",
+      "integrity": "sha512-7RUKfXgSMMkzt6ZuXmqapOurLGPPfgj6l9uRZ7lRGolvk0y2yocc35LdcxKC5PQZdn2DMqioAQ2NoWcrTKmm6g==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@types/estree": "^1.0.0"
+      }
+    },
     "node_modules/esutils": {
       "version": "2.0.3",
       "resolved": "https://registry.npmjs.org/esutils/-/esutils-2.0.3.tgz",
@@ -4753,6 +4961,16 @@
       "integrity": "sha512-mlsTRyGaPBjPedk6Bvw+aqbsXDtoAyAzm5MO7JgU+yVRyMQ5O8bD4Kcci7BS85f93veegeCPkL8R4GLClnjLFw==",
       "license": "MIT"
     },
+    "node_modules/expect-type": {
+      "version": "1.3.0",
+      "resolved": "https://registry.npmjs.org/expect-type/-/expect-type-1.3.0.tgz",
+      "integrity": "sha512-knvyeauYhqjOYvQ66MznSMs83wmHrCycNEN6Ao+2AeYEfxUIkuiVxdEa1qlGEPK+We3n0THiDciYSsCcgW/DoA==",
+      "dev": true,
+      "license": "Apache-2.0",
+      "engines": {
+        "node": ">=12.0.0"
+      }
+    },
     "node_modules/fast-deep-equal": {
       "version": "3.1.3",
       "resolved": "https://registry.npmjs.org/fast-deep-equal/-/fast-deep-equal-3.1.3.tgz",
@@ -5631,6 +5849,13 @@
         "loose-envify": "cli.js"
       }
     },
+    "node_modules/loupe": {
+      "version": "3.2.1",
+      "resolved": "https://registry.npmjs.org/loupe/-/loupe-3.2.1.tgz",
+      "integrity": "sha512-CdzqowRJCeLU72bHvWqwRBBlLcMEtIvGrlvef74kMnV2AolS9Y8xUv1I0U/MNAWMhBlKIoyuEgoJ0t/bbwHbLQ==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/lru-cache": {
       "version": "5.1.1",
       "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-5.1.1.tgz",
@@ -6359,6 +6584,23 @@
         "node": ">=8"
       }
     },
+    "node_modules/pathe": {
+      "version": "2.0.3",
+      "resolved": "https://registry.npmjs.org/pathe/-/pathe-2.0.3.tgz",
+      "integrity": "sha512-WUjGcAqP1gQacoQe+OBJsFA7Ld4DyXuUIjZ5cc75cLHvJ7dtNsTugphxIADwspS+AraAUePCKrSVtPLFj/F88w==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/pathval": {
+      "version": "2.0.1",
+      "resolved": "https://registry.npmjs.org/pathval/-/pathval-2.0.1.tgz",
+      "integrity": "sha512-//nshmD55c46FuFw26xV/xFAaB5HF9Xdap7HJBBnrKdAd6/GxDBaNA1870O79+9ueg61cZLSVc+OaFlfmObYVQ==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">= 14.16"
+      }
+    },
     "node_modules/perfect-freehand": {
       "version": "1.2.0",
       "resolved": "https://registry.npmjs.org/perfect-freehand/-/perfect-freehand-1.2.0.tgz",
@@ -6939,6 +7181,13 @@
         "node": ">=8"
       }
     },
+    "node_modules/siginfo": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/siginfo/-/siginfo-2.0.0.tgz",
+      "integrity": "sha512-ybx0WO1/8bSBLEWXZvEd7gMW3Sn3JFlW3TvX1nREbDLRNQNaeNN8WK0meBwPdAaOI7TtRRRJn/Es1zhrrCHu7g==",
+      "dev": true,
+      "license": "ISC"
+    },
     "node_modules/sliced": {
       "version": "1.0.1",
       "resolved": "https://registry.npmjs.org/sliced/-/sliced-1.0.1.tgz",
@@ -6954,6 +7203,20 @@
         "node": ">=0.10.0"
       }
     },
+    "node_modules/stackback": {
+      "version": "0.0.2",
+      "resolved": "https://registry.npmjs.org/stackback/-/stackback-0.0.2.tgz",
+      "integrity": "sha512-1XMJE5fQo1jGH6Y/7ebnwPOBEkIEnT4QF32d5R1+VXdXveM0IBMJt8zfaxX1P3QhVwrYe+576+jkANtSS2mBbw==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/std-env": {
+      "version": "3.10.0",
+      "resolved": "https://registry.npmjs.org/std-env/-/std-env-3.10.0.tgz",
+      "integrity": "sha512-5GS12FdOZNliM5mAOxFRg7Ir0pWz8MdpYm6AY6VPkGpbA7ZzmbzNcBJQ0GPvvyWgcY7QAhCgf9Uy89I03faLkg==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/strip-json-comments": {
       "version": "3.1.1",
       "resolved": "https://registry.npmjs.org/strip-json-comments/-/strip-json-comments-3.1.1.tgz",
@@ -6967,6 +7230,26 @@
         "url": "https://github.com/sponsors/sindresorhus"
       }
     },
+    "node_modules/strip-literal": {
+      "version": "3.1.0",
+      "resolved": "https://registry.npmjs.org/strip-literal/-/strip-literal-3.1.0.tgz",
+      "integrity": "sha512-8r3mkIM/2+PpjHoOtiAW8Rg3jJLHaV7xPwG+YRGrv6FP0wwk/toTpATxWYOW0BKdWwl82VT2tFYi5DlROa0Mxg==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "js-tokens": "^9.0.1"
+      },
+      "funding": {
+        "url": "https://github.com/sponsors/antfu"
+      }
+    },
+    "node_modules/strip-literal/node_modules/js-tokens": {
+      "version": "9.0.1",
+      "resolved": "https://registry.npmjs.org/js-tokens/-/js-tokens-9.0.1.tgz",
+      "integrity": "sha512-mxa9E9ITFOt0ban3j6L5MpjwegGz6lBQmM1IJkWeBZGcMxto50+eWdjC/52xDbS2vy0k7vIMK0Fe2wfL9OQSpQ==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/stylis": {
       "version": "4.3.6",
       "resolved": "https://registry.npmjs.org/stylis/-/stylis-4.3.6.tgz",
@@ -7011,6 +7294,20 @@
       "integrity": "sha512-+FbBPE1o9QAYvviau/qC5SE3caw21q3xkvWKBtja5vgqOWIHHJ3ioaq1VPfn/Szqctz2bU/oYeKd9/z5BL+PVg==",
       "license": "MIT"
     },
+    "node_modules/tinybench": {
+      "version": "2.9.0",
+      "resolved": "https://registry.npmjs.org/tinybench/-/tinybench-2.9.0.tgz",
+      "integrity": "sha512-0+DUvqWMValLmha6lr4kD8iAMK1HzV0/aKnCtWb9v9641TnP/MFb7Pc2bxoxQjTXAErryXVgUOfv2YqNllqGeg==",
+      "dev": true,
+      "license": "MIT"
+    },
+    "node_modules/tinyexec": {
+      "version": "0.3.2",
+      "resolved": "https://registry.npmjs.org/tinyexec/-/tinyexec-0.3.2.tgz",
+      "integrity": "sha512-KQQR9yN7R5+OSwaK0XQoj22pwHoTlgYqmUscPYoknOoWCWfj/5/ABTMRi69FrKU5ffPVh5QcFikpWJI/P1ocHA==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/tinyglobby": {
       "version": "0.2.15",
       "resolved": "https://registry.npmjs.org/tinyglobby/-/tinyglobby-0.2.15.tgz",
@@ -7027,6 +7324,36 @@
         "url": "https://github.com/sponsors/SuperchupuDev"
       }
     },
+    "node_modules/tinypool": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/tinypool/-/tinypool-1.1.1.tgz",
+      "integrity": "sha512-Zba82s87IFq9A9XmjiX5uZA/ARWDrB03OHlq+Vw1fSdt0I+4/Kutwy8BP4Y/y/aORMo61FQ0vIb5j44vSo5Pkg==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": "^18.0.0 || >=20.0.0"
+      }
+    },
+    "node_modules/tinyrainbow": {
+      "version": "2.0.0",
+      "resolved": "https://registry.npmjs.org/tinyrainbow/-/tinyrainbow-2.0.0.tgz",
+      "integrity": "sha512-op4nsTR47R6p0vMUUoYl/a+ljLFVtlfaXkLQmqfLR1qHma1h/ysYk4hEXZ880bf2CYgTskvTa/e196Vd5dDQXw==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=14.0.0"
+      }
+    },
+    "node_modules/tinyspy": {
+      "version": "4.0.4",
+      "resolved": "https://registry.npmjs.org/tinyspy/-/tinyspy-4.0.4.tgz",
+      "integrity": "sha512-azl+t0z7pw/z958Gy9svOTuzqIk6xq+NSheJzn5MMWtWTFywIacg2wUlzKFGtt3cthx0r2SxMK0yzJOR0IES7Q==",
+      "dev": true,
+      "license": "MIT",
+      "engines": {
+        "node": ">=14.0.0"
+      }
+    },
     "node_modules/to-regex-range": {
       "version": "5.0.1",
       "resolved": "https://registry.npmjs.org/to-regex-range/-/to-regex-range-5.0.1.tgz",
@@ -7395,6 +7722,102 @@
         }
       }
     },
+    "node_modules/vite-node": {
+      "version": "3.2.4",
+      "resolved": "https://registry.npmjs.org/vite-node/-/vite-node-3.2.4.tgz",
+      "integrity": "sha512-EbKSKh+bh1E1IFxeO0pg1n4dvoOTt0UDiXMd/qn++r98+jPO1xtJilvXldeuQ8giIB5IkpjCgMleHMNEsGH6pg==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "cac": "^6.7.14",
+        "debug": "^4.4.1",
+        "es-module-lexer": "^1.7.0",
+        "pathe": "^2.0.3",
+        "vite": "^5.0.0 || ^6.0.0 || ^7.0.0-0"
+      },
+      "bin": {
+        "vite-node": "vite-node.mjs"
+      },
+      "engines": {
+        "node": "^18.0.0 || ^20.0.0 || >=22.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/vitest"
+      }
+    },
+    "node_modules/vitest": {
+      "version": "3.2.4",
+      "resolved": "https://registry.npmjs.org/vitest/-/vitest-3.2.4.tgz",
+      "integrity": "sha512-LUCP5ev3GURDysTWiP47wRRUpLKMOfPh+yKTx3kVIEiu5KOMeqzpnYNsKyOoVrULivR8tLcks4+lga33Whn90A==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "@types/chai": "^5.2.2",
+        "@vitest/expect": "3.2.4",
+        "@vitest/mocker": "3.2.4",
+        "@vitest/pretty-format": "^3.2.4",
+        "@vitest/runner": "3.2.4",
+        "@vitest/snapshot": "3.2.4",
+        "@vitest/spy": "3.2.4",
+        "@vitest/utils": "3.2.4",
+        "chai": "^5.2.0",
+        "debug": "^4.4.1",
+        "expect-type": "^1.2.1",
+        "magic-string": "^0.30.17",
+        "pathe": "^2.0.3",
+        "picomatch": "^4.0.2",
+        "std-env": "^3.9.0",
+        "tinybench": "^2.9.0",
+        "tinyexec": "^0.3.2",
+        "tinyglobby": "^0.2.14",
+        "tinypool": "^1.1.1",
+        "tinyrainbow": "^2.0.0",
+        "vite": "^5.0.0 || ^6.0.0 || ^7.0.0-0",
+        "vite-node": "3.2.4",
+        "why-is-node-running": "^2.3.0"
+      },
+      "bin": {
+        "vitest": "vitest.mjs"
+      },
+      "engines": {
+        "node": "^18.0.0 || ^20.0.0 || >=22.0.0"
+      },
+      "funding": {
+        "url": "https://opencollective.com/vitest"
+      },
+      "peerDependencies": {
+        "@edge-runtime/vm": "*",
+        "@types/debug": "^4.1.12",
+        "@types/node": "^18.0.0 || ^20.0.0 || >=22.0.0",
+        "@vitest/browser": "3.2.4",
+        "@vitest/ui": "3.2.4",
+        "happy-dom": "*",
+        "jsdom": "*"
+      },
+      "peerDependenciesMeta": {
+        "@edge-runtime/vm": {
+          "optional": true
+        },
+        "@types/debug": {
+          "optional": true
+        },
+        "@types/node": {
+          "optional": true
+        },
+        "@vitest/browser": {
+          "optional": true
+        },
+        "@vitest/ui": {
+          "optional": true
+        },
+        "happy-dom": {
+          "optional": true
+        },
+        "jsdom": {
+          "optional": true
+        }
+      }
+    },
     "node_modules/web-worker": {
       "version": "1.5.0",
       "resolved": "https://registry.npmjs.org/web-worker/-/web-worker-1.5.0.tgz",
@@ -7422,6 +7845,23 @@
         "node": ">= 8"
       }
     },
+    "node_modules/why-is-node-running": {
+      "version": "2.3.0",
+      "resolved": "https://registry.npmjs.org/why-is-node-running/-/why-is-node-running-2.3.0.tgz",
+      "integrity": "sha512-hUrmaWBdVDcxvYqnyh09zunKzROWjbZTiNy8dBEjkS7ehEDQibXJ7XvlmtbwuTclUiIyN+CyXQD4Vmko8fNm8w==",
+      "dev": true,
+      "license": "MIT",
+      "dependencies": {
+        "siginfo": "^2.0.0",
+        "stackback": "0.0.2"
+      },
+      "bin": {
+        "why-is-node-running": "cli.js"
+      },
+      "engines": {
+        "node": ">=8"
+      }
+    },
     "node_modules/word-wrap": {
       "version": "1.2.5",
       "resolved": "https://registry.npmjs.org/word-wrap/-/word-wrap-1.2.5.tgz",
diff --git a/apps/frontend/package.json b/apps/frontend/package.json
index 17080f7..4f04f7d 100644
--- a/apps/frontend/package.json
+++ b/apps/frontend/package.json
@@ -40,6 +40,7 @@
     "prettier": "^3.8.1",
     "typescript": "~5.9.3",
     "typescript-eslint": "^8.48.0",
-    "vite": "^7.3.1"
+    "vite": "^7.3.1",
+    "vitest": "^3.2.4"
   }
 }