Add complete FastAPI Todo application with Docker support

- Add FastAPI backend with JWT authentication
- Add task and subtask management APIs
- Add password reset functionality with email support
- Add Docker and docker-compose configuration
- Add Alembic migrations for database schema
- Add comprehensive API documentation
- Configure for Hugging Face Spaces deployment on port 7860

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

.dockerignore

@@ -0,0 +1,72 @@
+# Python
+__pycache__/
+*.py[cod]
+*$py.class
+*.so
+.Python
+env/
+venv/
+ENV/
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+
+# Environment variables
+.env
+.env.local
+
+# Database
+*.db
+*.sqlite
+*.sqlite3
+
+# IDE
+.vscode/
+.idea/
+*.swp
+*.swo
+*~
+
+# Git
+.git/
+.gitignore
+
+# Testing
+.pytest_cache/
+.coverage
+htmlcov/
+.tox/
+
+# Documentation
+*.md
+docs/
+
+# Logs
+*.log
+
+# OS
+.DS_Store
+Thumbs.db
+
+# Alembic
+alembic/versions/*.pyc
+
+# Vercel
+.vercel/
+vercel.json
+
+# Test files
+test_*.py
+*_test.py

.env.example

@@ -0,0 +1,44 @@
+# Backend Environment Variables
+# Copy this file to .env and fill in your values
+
+# Database Configuration
+DATABASE_URL=sqlite:///./todo.db
+# For production, use PostgreSQL:
+# DATABASE_URL=postgresql://user:password@host:5432/database
+
+# JWT Configuration
+JWT_SECRET_KEY=your-super-secret-key-change-this-min-32-characters-long
+JWT_ALGORITHM=HS256
+ACCESS_TOKEN_EXPIRE_MINUTES=30
+
+# CORS Configuration
+CORS_ORIGINS=http://localhost:3000,http://localhost:3001,http://localhost:3002
+# For production, add your frontend URL:
+# CORS_ORIGINS=https://your-frontend-url.com,http://localhost:3000
+
+# Gmail SMTP Configuration (for password reset emails)
+# To get app-specific password:
+# 1. Enable 2-Factor Authentication on your Gmail account
+# 2. Go to Google Account → Security → 2-Step Verification → App passwords
+# 3. Select "Mail" and "Other (Custom name)"
+# 4. Copy the 16-character password
+SMTP_HOST=smtp.gmail.com
+SMTP_PORT=587
+SMTP_USERNAME=your_email@gmail.com
+SMTP_PASSWORD=your_app_specific_password_here
+SMTP_USE_TLS=true
+EMAIL_FROM=your_email@gmail.com
+EMAIL_FROM_NAME=Todo Application
+
+# Frontend URL (for password reset links)
+FRONTEND_URL=http://localhost:3000
+# For production:
+# FRONTEND_URL=https://your-frontend-url.com
+
+# Password Reset Configuration
+PASSWORD_RESET_TOKEN_EXPIRY_MINUTES=15
+PASSWORD_RESET_MAX_REQUESTS_PER_HOUR=3
+
+# Cohere AI API Configuration
+# Get your API key from: https://dashboard.cohere.com/api-keys
+COHERE_API_KEY=your-cohere-api-key-here

.gitignore

@@ -0,0 +1,12 @@
+.vercel
+.env*.local
+
+# Test data and tokens
+*.token.json
+*_token.json
+token.txt
+*_test.json
+*_response.json
+signin_*.json
+signup_*.json
+fresh_token.json

DOCKER_SETUP.md

@@ -0,0 +1,178 @@
+# Docker Setup Guide
+
+## Quick Start
+
+### 1. Build and Run with Docker Compose (Recommended)
+
+```bash
+# Start all services (API + PostgreSQL)
+docker-compose up -d
+
+# View logs
+docker-compose logs -f
+
+# Stop services
+docker-compose down
+
+# Stop and remove volumes (clears database)
+docker-compose down -v
+```
+
+### 2. Build and Run Dockerfile Only
+
+```bash
+# Build the image
+docker build -t todo-api .
+
+# Run the container
+docker run -p 8000:8000 --env-file .env todo-api
+```
+
+## Configuration
+
+### Environment Variables
+
+Create a `.env` file in the project root with your configuration:
+
+```env
+# Required for docker-compose
+JWT_SECRET_KEY=your-super-secret-key-min-32-chars
+SMTP_USERNAME=your_email@gmail.com
+SMTP_PASSWORD=your_app_password
+EMAIL_FROM=your_email@gmail.com
+COHERE_API_KEY=your-cohere-key
+
+# Optional overrides
+FRONTEND_URL=http://localhost:3000
+EMAIL_FROM_NAME=Todo Application
+```
+
+## Accessing the Application
+
+Once running:
+- API: http://localhost:8000
+- API Docs: http://localhost:8000/docs
+- Health Check: http://localhost:8000/health
+- PostgreSQL: localhost:5432
+
+## Database Management
+
+### Run Migrations
+
+```bash
+# Access the API container
+docker-compose exec api bash
+
+# Run migrations (if using Alembic)
+alembic upgrade head
+```
+
+### Access PostgreSQL
+
+```bash
+# Connect to database
+docker-compose exec db psql -U todouser -d tododb
+
+# Backup database
+docker-compose exec db pg_dump -U todouser tododb > backup.sql
+
+# Restore database
+docker-compose exec -T db psql -U todouser tododb < backup.sql
+```
+
+## Development Workflow
+
+### Hot Reload (Development)
+
+The docker-compose.yml mounts `./src` as a volume, so code changes are reflected immediately.
+
+### View Logs
+
+```bash
+# All services
+docker-compose logs -f
+
+# Specific service
+docker-compose logs -f api
+docker-compose logs -f db
+```
+
+### Rebuild After Dependency Changes
+
+```bash
+# Rebuild and restart
+docker-compose up -d --build
+```
+
+## Production Deployment
+
+### Build Production Image
+
+```bash
+docker build -t todo-api:production .
+```
+
+### Security Considerations
+
+1. Change default PostgreSQL credentials in docker-compose.yml
+2. Use strong JWT_SECRET_KEY
+3. Enable HTTPS in production
+4. Use secrets management (Docker Secrets, Kubernetes Secrets)
+5. Regular security updates: `docker-compose pull && docker-compose up -d`
+
+### Deploy to Cloud
+
+**Docker Hub:**
+```bash
+docker tag todo-api:production yourusername/todo-api:latest
+docker push yourusername/todo-api:latest
+```
+
+**AWS ECS, Google Cloud Run, Azure Container Instances:**
+- Use the Dockerfile to build and deploy
+- Set environment variables in the cloud platform
+- Use managed PostgreSQL services (RDS, Cloud SQL, Azure Database)
+
+## Troubleshooting
+
+### Container won't start
+```bash
+# Check logs
+docker-compose logs api
+
+# Check if port is already in use
+netstat -ano | findstr :8000  # Windows
+lsof -i :8000                 # Linux/Mac
+```
+
+### Database connection issues
+```bash
+# Verify database is healthy
+docker-compose ps
+
+# Test connection
+docker-compose exec api python -c "from src.database import engine; print(engine.url)"
+```
+
+### Reset everything
+```bash
+# Stop and remove all containers, networks, and volumes
+docker-compose down -v
+docker-compose up -d --build
+```
+
+## Image Size Optimization
+
+Current Dockerfile uses multi-stage builds for smaller image size:
+- Builder stage: ~1GB (includes build tools)
+- Final stage: ~200-300MB (runtime only)
+
+## Health Checks
+
+The Dockerfile includes a health check that pings `/health` endpoint every 30 seconds.
+
+Check container health:
+```bash
+docker ps
+# Look for "healthy" status
+```

Dockerfile

@@ -0,0 +1,25 @@
+# Use Python 3.11 slim image
+FROM python:3.11-slim
+
+# Set working directory
+WORKDIR /app
+
+# Copy requirements first for better caching
+COPY requirements.txt .
+
+# Install Python dependencies
+RUN pip install --no-cache-dir -r requirements.txt
+
+# Copy application code
+COPY src ./src
+COPY api ./api
+COPY alembic ./alembic
+COPY alembic.ini .
+COPY init_db.py .
+COPY .env.example .env
+
+# Expose port
+EXPOSE 7860
+
+# Run the application
+CMD ["uvicorn", "src.main:app", "--host", "0.0.0.0", "--port", "7860"]

README.md

@@ -1,10 +1,53 @@
 ---
-title: Todo Web
-emoji: 👀
-colorFrom: pink
-colorTo: purple
+title: Todo Web Application
+emoji: ✅
+colorFrom: blue
+colorTo: green
 sdk: docker
 pinned: false
+license: mit
+app_port: 7860
 ---
 
-Check out the configuration reference at https://huggingface.co/docs/hub/spaces-config-reference
+# Todo Web Application
+
+A full-featured Todo application with JWT authentication, task management, and AI-powered features.
+
+## Features
+
+- 🔐 User authentication with JWT
+- ✅ Create, read, update, delete tasks
+- 📝 Subtasks support
+- 🔄 Task status management
+- 🎨 Modern REST API
+- 📧 Password reset functionality
+
+## API Documentation
+
+Once deployed, visit `/docs` for interactive API documentation.
+
+## Tech Stack
+
+- FastAPI
+- SQLModel
+- SQLite
+- JWT Authentication
+- Python 3.11
+
+## Endpoints
+
+- `GET /` - API information
+- `GET /health` - Health check
+- `GET /docs` - API documentation
+- `POST /api/auth/signup` - User registration
+- `POST /api/auth/login` - User login
+- `GET /api/tasks` - Get all tasks
+- `POST /api/tasks` - Create new task
+- And more...
+
+## Local Development
+
+```bash
+pip install -r requirements.txt
+uvicorn src.main:app --reload
+```

alembic.ini

@@ -0,0 +1,114 @@
+# A generic, single database configuration.
+
+[alembic]
+# path to migration scripts
+script_location = alembic
+
+# template used to generate migration file names; The default value is %%(rev)s_%%(slug)s
+# Uncomment the line below if you want the files to be prepended with date and time
+# file_template = %%(year)d_%%(month).2d_%%(day).2d_%%(hour).2d%%(minute).2d-%%(rev)s_%%(slug)s
+
+# sys.path path, will be prepended to sys.path if present.
+# defaults to the current working directory.
+prepend_sys_path = .
+
+# timezone to use when rendering the date within the migration file
+# as well as the filename.
+# If specified, requires the python>=3.9 or backports.zoneinfo library.
+# Any required deps can installed by adding `alembic[tz]` to the pip requirements
+# string value is passed to ZoneInfo()
+# leave blank for localtime
+# timezone =
+
+# max length of characters to apply to the
+# "slug" field
+# truncate_slug_length = 40
+
+# set to 'true' to run the environment during
+# the 'revision' command, regardless of autogenerate
+# revision_environment = false
+
+# set to 'true' to allow .pyc and .pyo files without
+# a source .py file to be detected as revisions in the
+# versions/ directory
+# sourceless = false
+
+# version location specification; This defaults
+# to alembic/versions.  When using multiple version
+# directories, initial revisions must be specified with --version-path.
+# The path separator used here should be the separator specified by "version_path_separator" below.
+# version_locations = %(here)s/bar:%(here)s/bat:alembic/versions
+
+# version path separator; As mentioned above, this is the character used to split
+# version_locations. The default within new alembic.ini files is "os", which uses os.pathsep.
+# If this key is omitted entirely, it falls back to the legacy behavior of splitting on spaces and/or commas.
+# Valid values for version_path_separator are:
+#
+# version_path_separator = :
+# version_path_separator = ;
+# version_path_separator = space
+version_path_separator = os  # Use os.pathsep. Default configuration used for new projects.
+
+# set to 'true' to search source files recursively
+# in each "version_locations" directory
+# new in Alembic version 1.10
+# recursive_version_locations = false
+
+# the output encoding used when revision files
+# are written from script.py.mako
+# output_encoding = utf-8
+
+sqlalchemy.url = postgresql://postgres:postgres@localhost:5432/todo_db
+
+
+[post_write_hooks]
+# post_write_hooks defines scripts or Python functions that are run
+# on newly generated revision scripts.  See the documentation for further
+# detail and examples
+
+# format using "black" - use the console_scripts runner, against the "black" entrypoint
+# hooks = black
+# black.type = console_scripts
+# black.entrypoint = black
+# black.options = -l 79 REVISION_SCRIPT_FILENAME
+
+# lint with attempts to fix using "ruff" - use the exec runner, execute a binary
+# hooks = ruff
+# ruff.type = exec
+# ruff.executable = %(here)s/.venv/bin/ruff
+# ruff.options = --fix REVISION_SCRIPT_FILENAME
+
+# Logging configuration
+[loggers]
+keys = root,sqlalchemy,alembic
+
+[handlers]
+keys = console
+
+[formatters]
+keys = generic
+
+[logger_root]
+level = WARN
+handlers = console
+qualname =
+
+[logger_sqlalchemy]
+level = WARN
+handlers =
+qualname = sqlalchemy.engine
+
+[logger_alembic]
+level = INFO
+handlers =
+qualname = alembic
+
+[handler_console]
+class = StreamHandler
+args = (sys.stderr,)
+level = NOTSET
+formatter = generic
+
+[formatter_generic]
+format = %(levelname)-5.5s [%(name)s] %(message)s
+datefmt = %H:%M:%S

alembic/env.py

@@ -0,0 +1,85 @@
+from logging.config import fileConfig
+
+from sqlalchemy import engine_from_config
+from sqlalchemy import pool
+
+from alembic import context
+
+# Import your models here
+import sys
+import os
+sys.path.insert(0, os.path.dirname(os.path.dirname(__file__)))
+
+from src.models.user import User
+from src.models.task import Task
+from sqlmodel import SQLModel
+
+# this is the Alembic Config object, which provides
+# access to the values within the .ini file in use.
+config = context.config
+
+# Interpret the config file for Python logging.
+# This line sets up loggers basically.
+if config.config_file_name is not None:
+    fileConfig(config.config_file_name)
+
+# add your model's MetaData object here
+# for 'autogenerate' support
+target_metadata = SQLModel.metadata
+
+# other values from the config, defined by the needs of env.py,
+# can be acquired:
+# my_important_option = config.get_main_option("my_important_option")
+# ... etc.
+
+
+def run_migrations_offline() -> None:
+    """Run migrations in 'offline' mode.
+
+    This configures the context with just a URL
+    and not an Engine, though an Engine is acceptable
+    here as well.  By skipping the Engine creation
+    we don't even need a DBAPI to be available.
+
+    Calls to context.execute() here emit the given string to the
+    script output.
+
+    """
+    url = config.get_main_option("sqlalchemy.url")
+    context.configure(
+        url=url,
+        target_metadata=target_metadata,
+        literal_binds=True,
+        dialect_opts={"paramstyle": "named"},
+    )
+
+    with context.begin_transaction():
+        context.run_migrations()
+
+
+def run_migrations_online() -> None:
+    """Run migrations in 'online' mode.
+
+    In this scenario we need to create an Engine
+    and associate a connection with the context.
+
+    """
+    connectable = engine_from_config(
+        config.get_section(config.config_ini_section, {}),
+        prefix="sqlalchemy.",
+        poolclass=pool.NullPool,
+    )
+
+    with connectable.connect() as connection:
+        context.configure(
+            connection=connection, target_metadata=target_metadata
+        )
+
+        with context.begin_transaction():
+            context.run_migrations()
+
+
+if context.is_offline_mode():
+    run_migrations_offline()
+else:
+    run_migrations_online()

alembic/script.py.mako

@@ -0,0 +1,24 @@
+"""${message}
+
+Revision ID: ${up_revision}
+Revises: ${down_revision | comma,n}
+Create Date: ${create_date}
+
+"""
+from alembic import op
+import sqlalchemy as sa
+${imports if imports else ""}
+
+# revision identifiers, used by Alembic.
+revision = ${repr(up_revision)}
+down_revision = ${repr(down_revision)}
+branch_labels = ${repr(branch_labels)}
+depends_on = ${repr(depends_on)}
+
+
+def upgrade() -> None:
+    ${upgrades if upgrades else "pass"}
+
+
+def downgrade() -> None:
+    ${downgrades if downgrades else "pass"}

alembic/versions/001_initial_schema.py

@@ -0,0 +1,52 @@
+"""Initial schema
+
+Revision ID: 001
+Revises:
+Create Date: 2026-02-05
+
+"""
+from alembic import op
+import sqlalchemy as sa
+from sqlalchemy.dialects import postgresql
+
+# revision identifiers, used by Alembic.
+revision = '001'
+down_revision = None
+branch_labels = None
+depends_on = None
+
+
+def upgrade() -> None:
+    # Create users table
+    op.create_table(
+        'users',
+        sa.Column('id', sa.Integer(), nullable=False),
+        sa.Column('email', sa.String(length=255), nullable=False),
+        sa.Column('hashed_password', sa.String(length=255), nullable=False),
+        sa.Column('created_at', sa.DateTime(), nullable=False),
+        sa.Column('updated_at', sa.DateTime(), nullable=False),
+        sa.PrimaryKeyConstraint('id')
+    )
+    op.create_index('idx_users_email', 'users', ['email'], unique=True)
+
+    # Create tasks table
+    op.create_table(
+        'tasks',
+        sa.Column('id', sa.Integer(), nullable=False),
+        sa.Column('user_id', sa.Integer(), nullable=False),
+        sa.Column('title', sa.String(length=500), nullable=False),
+        sa.Column('description', sa.Text(), nullable=True),
+        sa.Column('completed', sa.Boolean(), nullable=False, server_default='false'),
+        sa.Column('created_at', sa.DateTime(), nullable=False),
+        sa.Column('updated_at', sa.DateTime(), nullable=False),
+        sa.PrimaryKeyConstraint('id'),
+        sa.ForeignKeyConstraint(['user_id'], ['users.id'], ondelete='CASCADE')
+    )
+    op.create_index('idx_tasks_user_id', 'tasks', ['user_id'], unique=False)
+
+
+def downgrade() -> None:
+    op.drop_index('idx_tasks_user_id', table_name='tasks')
+    op.drop_table('tasks')
+    op.drop_index('idx_users_email', table_name='users')
+    op.drop_table('users')

alembic/versions/002_add_password_reset_tokens.py

@@ -0,0 +1,40 @@
+"""Add password reset tokens table
+
+Revision ID: 002
+Revises: a6878af5b66f
+Create Date: 2026-02-07
+
+"""
+from alembic import op
+import sqlalchemy as sa
+
+# revision identifiers, used by Alembic.
+revision = '002'
+down_revision = 'a6878af5b66f'
+branch_labels = None
+depends_on = None
+
+
+def upgrade() -> None:
+    # Create password_reset_tokens table
+    op.create_table(
+        'password_reset_tokens',
+        sa.Column('id', sa.Integer(), nullable=False),
+        sa.Column('user_id', sa.Integer(), nullable=False),
+        sa.Column('token', sa.String(length=255), nullable=False),
+        sa.Column('expires_at', sa.DateTime(), nullable=False),
+        sa.Column('used', sa.Boolean(), nullable=False, server_default='false'),
+        sa.Column('created_at', sa.DateTime(), nullable=False),
+        sa.PrimaryKeyConstraint('id'),
+        sa.ForeignKeyConstraint(['user_id'], ['users.id'], ondelete='CASCADE')
+    )
+    op.create_index('idx_password_reset_tokens_user_id', 'password_reset_tokens', ['user_id'], unique=False)
+    op.create_index('idx_password_reset_tokens_token', 'password_reset_tokens', ['token'], unique=True)
+    op.create_index('idx_password_reset_tokens_expires_at', 'password_reset_tokens', ['expires_at'], unique=False)
+
+
+def downgrade() -> None:
+    op.drop_index('idx_password_reset_tokens_expires_at', table_name='password_reset_tokens')
+    op.drop_index('idx_password_reset_tokens_token', table_name='password_reset_tokens')
+    op.drop_index('idx_password_reset_tokens_user_id', table_name='password_reset_tokens')
+    op.drop_table('password_reset_tokens')

alembic/versions/a6878af5b66f_add_category_and_due_date_to_tasks.py

@@ -0,0 +1,30 @@
+"""add_category_and_due_date_to_tasks
+
+Revision ID: a6878af5b66f
+Revises: 001
+Create Date: 2026-02-05 14:23:11.577860
+
+"""
+from alembic import op
+import sqlalchemy as sa
+
+
+# revision identifiers, used by Alembic.
+revision = 'a6878af5b66f'
+down_revision = '001'
+branch_labels = None
+depends_on = None
+
+
+def upgrade() -> None:
+    # Add category column
+    op.add_column('tasks', sa.Column('category', sa.String(length=50), nullable=True))
+
+    # Add due_date column
+    op.add_column('tasks', sa.Column('due_date', sa.DateTime(), nullable=True))
+
+
+def downgrade() -> None:
+    # Remove columns in reverse order
+    op.drop_column('tasks', 'due_date')
+    op.drop_column('tasks', 'category')

api/index.py

@@ -0,0 +1,19 @@
+"""
+Vercel Serverless Function for FastAPI
+Vercel natively supports ASGI apps - just export the app directly
+"""
+import sys
+import os
+
+# Add parent directory to path for imports
+sys.path.insert(0, os.path.dirname(os.path.dirname(os.path.abspath(__file__))))
+
+from src.main import app
+
+# Vercel will automatically detect and handle the ASGI app
+# No need for Mangum or any wrapper
+
+# For local testing
+if __name__ == "__main__":
+    import uvicorn
+    uvicorn.run(app, host="0.0.0.0", port=8000)

api/test.py

@@ -0,0 +1,45 @@
+"""
+Minimal test endpoint for Vercel deployment debugging
+"""
+from fastapi import FastAPI
+from fastapi.middleware.cors import CORSMiddleware
+import os
+
+app = FastAPI(title="Todo API - Minimal Test")
+
+# CORS
+app.add_middleware(
+    CORSMiddleware,
+    allow_origins=["*"],
+    allow_credentials=True,
+    allow_methods=["*"],
+    allow_headers=["*"],
+)
+
+@app.get("/")
+async def root():
+    return {
+        "status": "ok",
+        "message": "Minimal FastAPI working on Vercel",
+        "environment": {
+            "VERCEL": os.getenv("VERCEL", "not set"),
+            "VERCEL_ENV": os.getenv("VERCEL_ENV", "not set"),
+        }
+    }
+
+@app.get("/health")
+async def health():
+    return {"status": "healthy"}
+
+@app.get("/test-db")
+async def test_db():
+    """Test database connection"""
+    try:
+        from src.database import engine
+        from sqlmodel import text
+
+        with engine.connect() as conn:
+            result = conn.execute(text("SELECT 1"))
+            return {"status": "ok", "database": "connected"}
+    except Exception as e:
+        return {"status": "error", "message": str(e)}

docker-compose.yml

@@ -0,0 +1,55 @@
+version: '3.8'
+
+services:
+  # PostgreSQL Database
+  db:
+    image: postgres:15-alpine
+    container_name: todo-db
+    environment:
+      POSTGRES_USER: todouser
+      POSTGRES_PASSWORD: todopassword
+      POSTGRES_DB: tododb
+    volumes:
+      - postgres_data:/var/lib/postgresql/data
+    ports:
+      - "5432:5432"
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U todouser"]
+      interval: 10s
+      timeout: 5s
+      retries: 5
+
+  # FastAPI Backend
+  api:
+    build:
+      context: .
+      dockerfile: Dockerfile
+    container_name: todo-api
+    environment:
+      DATABASE_URL: postgresql://todouser:todopassword@db:5432/tododb
+      JWT_SECRET_KEY: ${JWT_SECRET_KEY:-your-super-secret-key-change-this-min-32-characters-long}
+      JWT_ALGORITHM: HS256
+      ACCESS_TOKEN_EXPIRE_MINUTES: 30
+      CORS_ORIGINS: http://localhost:3000,http://localhost:3001
+      SMTP_HOST: ${SMTP_HOST:-smtp.gmail.com}
+      SMTP_PORT: ${SMTP_PORT:-587}
+      SMTP_USERNAME: ${SMTP_USERNAME}
+      SMTP_PASSWORD: ${SMTP_PASSWORD}
+      SMTP_USE_TLS: ${SMTP_USE_TLS:-true}
+      EMAIL_FROM: ${EMAIL_FROM}
+      EMAIL_FROM_NAME: ${EMAIL_FROM_NAME:-Todo Application}
+      FRONTEND_URL: ${FRONTEND_URL:-http://localhost:3000}
+      PASSWORD_RESET_TOKEN_EXPIRY_MINUTES: 15
+      PASSWORD_RESET_MAX_REQUESTS_PER_HOUR: 3
+      COHERE_API_KEY: ${COHERE_API_KEY}
+    ports:
+      - "8000:8000"
+    depends_on:
+      db:
+        condition: service_healthy
+    volumes:
+      - ./src:/app/src
+    restart: unless-stopped
+
+volumes:
+  postgres_data:

init_db.py

@@ -0,0 +1,9 @@
+"""
+Initialize database tables for the Todo application.
+"""
+from src.database import create_db_and_tables
+
+if __name__ == "__main__":
+    print("Creating database tables...")
+    create_db_and_tables()
+    print("Database tables created successfully!")

migrate_db.py

@@ -0,0 +1,36 @@
+"""
+Simple migration script to add category and due_date columns to tasks table.
+"""
+import sqlite3
+
+# Connect to database
+conn = sqlite3.connect('todo.db')
+cursor = conn.cursor()
+
+try:
+    # Check if columns exist
+    cursor.execute("PRAGMA table_info(tasks)")
+    columns = [col[1] for col in cursor.fetchall()]
+
+    # Add category column if it doesn't exist
+    if 'category' not in columns:
+        cursor.execute("ALTER TABLE tasks ADD COLUMN category VARCHAR(50)")
+        print("Added 'category' column")
+    else:
+        print("'category' column already exists")
+
+    # Add due_date column if it doesn't exist
+    if 'due_date' not in columns:
+        cursor.execute("ALTER TABLE tasks ADD COLUMN due_date DATETIME")
+        print("Added 'due_date' column")
+    else:
+        print("'due_date' column already exists")
+
+    conn.commit()
+    print("\nDatabase migration completed successfully!")
+
+except Exception as e:
+    print(f"Error: {e}")
+    conn.rollback()
+finally:
+    conn.close()

requirements.txt

@@ -0,0 +1,13 @@
+fastapi
+sqlmodel
+python-jose
+passlib
+bcrypt
+python-multipart
+uvicorn
+psycopg2-binary
+pydantic
+pydantic-settings
+python-dotenv
+mangum
+email-validator

src/api/__init__.py

@@ -0,0 +1 @@
+# API module

src/api/ai.py

@@ -0,0 +1,228 @@
+"""
+AI-powered task management endpoints using Cohere.
+
+This module provides REST API endpoints for AI features:
+- Task suggestions
+- Smart auto-completion
+- Task categorization
+- Description enhancement
+- Complexity analysis
+"""
+
+from fastapi import APIRouter, HTTPException, Depends
+from pydantic import BaseModel, Field
+from typing import List, Dict, Optional
+from src.services.cohere_ai import cohere_service
+from src.middleware.jwt_auth import get_current_user
+
+router = APIRouter()
+
+
+# Request/Response Models
+class TaskSuggestionRequest(BaseModel):
+    context: str = Field(..., description="Context to generate suggestions from")
+    count: int = Field(default=5, ge=1, le=10, description="Number of suggestions")
+
+
+class TaskSuggestionResponse(BaseModel):
+    suggestions: List[str]
+
+
+class EnhanceDescriptionRequest(BaseModel):
+    title: str = Field(..., description="Task title")
+    description: str = Field(default="", description="Current description")
+
+
+class EnhanceDescriptionResponse(BaseModel):
+    enhanced_description: str
+
+
+class CategorizeTaskRequest(BaseModel):
+    title: str = Field(..., description="Task title")
+    description: str = Field(default="", description="Task description")
+
+
+class CategorizeTaskResponse(BaseModel):
+    category: str
+    priority: str
+    tags: List[str]
+
+
+class AutoCompleteRequest(BaseModel):
+    partial_title: str = Field(..., description="Partial task title")
+
+
+class AutoCompleteResponse(BaseModel):
+    completions: List[str]
+
+
+class AnalyzeComplexityRequest(BaseModel):
+    title: str = Field(..., description="Task title")
+    description: str = Field(default="", description="Task description")
+
+
+class AnalyzeComplexityResponse(BaseModel):
+    complexity: str
+    estimated_time: str
+    needs_subtasks: bool
+
+
+# Endpoints
+@router.post("/suggestions", response_model=TaskSuggestionResponse)
+async def generate_task_suggestions(
+    request: TaskSuggestionRequest,
+    current_user: dict = Depends(get_current_user)
+):
+    """
+    Generate AI-powered task suggestions based on context.
+
+    Requires authentication.
+    """
+    try:
+        suggestions = cohere_service.generate_task_suggestions(
+            context=request.context,
+            count=request.count
+        )
+
+        if not suggestions:
+            raise HTTPException(
+                status_code=500,
+                detail="Failed to generate suggestions. Please try again."
+            )
+
+        return TaskSuggestionResponse(suggestions=suggestions)
+
+    except Exception as e:
+        raise HTTPException(
+            status_code=500,
+            detail=f"Error generating suggestions: {str(e)}"
+        )
+
+
+@router.post("/enhance-description", response_model=EnhanceDescriptionResponse)
+async def enhance_task_description(
+    request: EnhanceDescriptionRequest,
+    current_user: dict = Depends(get_current_user)
+):
+    """
+    Enhance a task description with AI to make it more clear and actionable.
+
+    Requires authentication.
+    """
+    try:
+        enhanced = cohere_service.enhance_task_description(
+            title=request.title,
+            description=request.description
+        )
+
+        return EnhanceDescriptionResponse(enhanced_description=enhanced)
+
+    except Exception as e:
+        raise HTTPException(
+            status_code=500,
+            detail=f"Error enhancing description: {str(e)}"
+        )
+
+
+@router.post("/categorize", response_model=CategorizeTaskResponse)
+async def categorize_task(
+    request: CategorizeTaskRequest,
+    current_user: dict = Depends(get_current_user)
+):
+    """
+    Categorize a task and suggest priority level using AI.
+
+    Requires authentication.
+    """
+    try:
+        result = cohere_service.categorize_task(
+            title=request.title,
+            description=request.description
+        )
+
+        return CategorizeTaskResponse(**result)
+
+    except Exception as e:
+        raise HTTPException(
+            status_code=500,
+            detail=f"Error categorizing task: {str(e)}"
+        )
+
+
+@router.post("/autocomplete", response_model=AutoCompleteResponse)
+async def autocomplete_task(
+    request: AutoCompleteRequest,
+    current_user: dict = Depends(get_current_user)
+):
+    """
+    Provide smart auto-completion suggestions for task titles.
+
+    Requires authentication.
+    """
+    try:
+        completions = cohere_service.smart_complete_task(
+            partial_title=request.partial_title
+        )
+
+        return AutoCompleteResponse(completions=completions)
+
+    except Exception as e:
+        raise HTTPException(
+            status_code=500,
+            detail=f"Error generating completions: {str(e)}"
+        )
+
+
+@router.post("/analyze-complexity", response_model=AnalyzeComplexityResponse)
+async def analyze_task_complexity(
+    request: AnalyzeComplexityRequest,
+    current_user: dict = Depends(get_current_user)
+):
+    """
+    Analyze task complexity and provide time estimates using AI.
+
+    Requires authentication.
+    """
+    try:
+        result = cohere_service.analyze_task_complexity(
+            title=request.title,
+            description=request.description
+        )
+
+        return AnalyzeComplexityResponse(**result)
+
+    except Exception as e:
+        raise HTTPException(
+            status_code=500,
+            detail=f"Error analyzing complexity: {str(e)}"
+        )
+
+
+@router.get("/health")
+async def ai_health_check():
+    """
+    Check if AI service is properly configured.
+
+    Does not require authentication.
+    """
+    try:
+        import os
+        api_key = os.getenv("COHERE_API_KEY")
+
+        if not api_key:
+            return {
+                "status": "error",
+                "message": "COHERE_API_KEY not configured"
+            }
+
+        return {
+            "status": "healthy",
+            "message": "AI service is configured and ready",
+            "provider": "Cohere"
+        }
+
+    except Exception as e:
+        return {
+            "status": "error",
+            "message": str(e)
+        }

src/api/auth.py

@@ -0,0 +1,155 @@
+"""
+Authentication API endpoints for user signup and signin.
+
+This module provides:
+- POST /api/auth/signup - Create new user account
+- POST /api/auth/signin - Authenticate existing user
+"""
+
+from fastapi import APIRouter, HTTPException, Depends
+from sqlmodel import Session, select
+from pydantic import BaseModel, EmailStr, Field
+
+from ..models.user import User
+from ..services.auth import hash_password, verify_password, create_access_token
+from ..database import get_session
+
+router = APIRouter()
+
+
+# Request/Response Models
+class SignUpRequest(BaseModel):
+    """Request model for user signup."""
+    email: EmailStr = Field(..., description="User email address")
+    password: str = Field(..., min_length=8, description="User password (minimum 8 characters)")
+
+
+class SignInRequest(BaseModel):
+    """Request model for user signin."""
+    email: EmailStr = Field(..., description="User email address")
+    password: str = Field(..., description="User password")
+
+
+class UserResponse(BaseModel):
+    """User data response model."""
+    id: int
+    email: str
+    created_at: str
+    updated_at: str
+
+
+class AuthResponse(BaseModel):
+    """Authentication response with token and user data."""
+    token: str
+    user: UserResponse
+
+
+@router.post("/signup", response_model=AuthResponse, status_code=201)
+async def signup(
+    request: SignUpRequest,
+    session: Session = Depends(get_session)
+) -> AuthResponse:
+    """
+    Create a new user account.
+
+    Args:
+        request: Signup request with email and password
+        session: Database session
+
+    Returns:
+        AuthResponse with JWT token and user data
+
+    Raises:
+        HTTPException 400: If email already exists
+        HTTPException 422: If validation fails
+    """
+    # Check if email already exists
+    statement = select(User).where(User.email == request.email)
+    existing_user = session.exec(statement).first()
+
+    if existing_user:
+        raise HTTPException(
+            status_code=400,
+            detail="Email already registered"
+        )
+
+    # Hash password
+    hashed_password = hash_password(request.password)
+
+    # Create new user
+    new_user = User(
+        email=request.email,
+        hashed_password=hashed_password
+    )
+
+    session.add(new_user)
+    session.commit()
+    session.refresh(new_user)
+
+    # Create JWT token
+    token = create_access_token(
+        data={
+            "user_id": new_user.id,
+            "email": new_user.email
+        }
+    )
+
+    # Return response
+    return AuthResponse(
+        token=token,
+        user=UserResponse(
+            id=new_user.id,
+            email=new_user.email,
+            created_at=new_user.created_at.isoformat(),
+            updated_at=new_user.updated_at.isoformat()
+        )
+    )
+
+
+@router.post("/signin", response_model=AuthResponse)
+async def signin(
+    request: SignInRequest,
+    session: Session = Depends(get_session)
+) -> AuthResponse:
+    """
+    Authenticate an existing user.
+
+    Args:
+        request: Signin request with email and password
+        session: Database session
+
+    Returns:
+        AuthResponse with JWT token and user data
+
+    Raises:
+        HTTPException 401: If credentials are invalid
+    """
+    # Find user by email
+    statement = select(User).where(User.email == request.email)
+    user = session.exec(statement).first()
+
+    # Verify user exists and password is correct
+    if not user or not verify_password(request.password, user.hashed_password):
+        raise HTTPException(
+            status_code=401,
+            detail="Invalid email or password"
+        )
+
+    # Create JWT token
+    token = create_access_token(
+        data={
+            "user_id": user.id,
+            "email": user.email
+        }
+    )
+
+    # Return response
+    return AuthResponse(
+        token=token,
+        user=UserResponse(
+            id=user.id,
+            email=user.email,
+            created_at=user.created_at.isoformat(),
+            updated_at=user.updated_at.isoformat()
+        )
+    )

src/api/password_reset.py

@@ -0,0 +1,233 @@
+"""
+Password Reset API endpoints for secure password recovery.
+
+This module provides:
+- POST /api/auth/forgot-password - Request password reset email
+- GET /api/auth/reset-password/{token} - Verify reset token validity
+- POST /api/auth/reset-password - Reset password with token
+"""
+
+from fastapi import APIRouter, HTTPException, Depends
+from sqlmodel import Session
+from pydantic import BaseModel, EmailStr, Field
+from typing import Optional
+
+from ..models.user import User
+from ..services.auth import hash_password
+from ..services.password_reset import (
+    create_reset_token,
+    validate_reset_token,
+    invalidate_token,
+    check_rate_limit,
+    validate_password_strength,
+    get_user_by_email
+)
+from ..services.email import send_password_reset_email
+from ..database import get_session
+
+router = APIRouter()
+
+
+# Request/Response Models
+class ForgotPasswordRequest(BaseModel):
+    """Request model for forgot password."""
+    email: EmailStr = Field(..., description="User email address")
+
+
+class ForgotPasswordResponse(BaseModel):
+    """Response model for forgot password request."""
+    message: str
+
+
+class TokenValidationResponse(BaseModel):
+    """Response model for token validation."""
+    valid: bool
+    email: Optional[str] = None
+    error: Optional[str] = None
+
+
+class ResetPasswordRequest(BaseModel):
+    """Request model for password reset."""
+    token: str = Field(..., description="Password reset token")
+    new_password: str = Field(..., min_length=8, description="New password (minimum 8 characters)")
+
+
+class ResetPasswordResponse(BaseModel):
+    """Response model for password reset."""
+    message: str
+
+
+@router.post("/forgot-password", response_model=ForgotPasswordResponse)
+async def forgot_password(
+    request: ForgotPasswordRequest,
+    session: Session = Depends(get_session)
+) -> ForgotPasswordResponse:
+    """
+    Request a password reset email.
+
+    Security features:
+    - No user enumeration (same response for existing/non-existing emails)
+    - Rate limiting (3 requests per hour per user)
+    - Cryptographically secure tokens
+    - 15-minute token expiry
+
+    Args:
+        request: Forgot password request with email
+        session: Database session
+
+    Returns:
+        Generic success message (no user enumeration)
+
+    Raises:
+        HTTPException 400: If email format is invalid
+        HTTPException 429: If rate limit exceeded
+    """
+    # Find user by email
+    user = get_user_by_email(session, request.email)
+
+    # Always return same message to prevent user enumeration
+    generic_message = "If an account exists with this email, you will receive a password reset link shortly."
+
+    # If user doesn't exist, return generic message (no enumeration)
+    if not user:
+        return ForgotPasswordResponse(message=generic_message)
+
+    # Check rate limit
+    if not check_rate_limit(session, user.id):
+        raise HTTPException(
+            status_code=429,
+            detail="Too many password reset requests. Please try again later."
+        )
+
+    # Create reset token
+    token = create_reset_token(session, user.id)
+
+    # Send reset email
+    email_sent = send_password_reset_email(user.email, token)
+
+    if not email_sent:
+        # Log error but don't expose to user
+        print(f"Failed to send password reset email to {user.email}")
+
+    # Always return generic message
+    return ForgotPasswordResponse(message=generic_message)
+
+
+@router.get("/reset-password/{token}", response_model=TokenValidationResponse)
+async def verify_reset_token(
+    token: str,
+    session: Session = Depends(get_session)
+) -> TokenValidationResponse:
+    """
+    Verify if a password reset token is valid.
+
+    Checks:
+    - Token exists
+    - Token has not expired (15 minutes)
+    - Token has not been used
+
+    Args:
+        token: Password reset token to verify
+        session: Database session
+
+    Returns:
+        TokenValidationResponse with validity status and user email
+
+    Example:
+        GET /api/auth/reset-password/abc123def456
+    """
+    # Validate token
+    token_record = validate_reset_token(session, token)
+
+    if not token_record:
+        return TokenValidationResponse(
+            valid=False,
+            error="Invalid or expired reset token"
+        )
+
+    # Get user email
+    user = session.get(User, token_record.user_id)
+
+    if not user:
+        return TokenValidationResponse(
+            valid=False,
+            error="User not found"
+        )
+
+    return TokenValidationResponse(
+        valid=True,
+        email=user.email
+    )
+
+
+@router.post("/reset-password", response_model=ResetPasswordResponse)
+async def reset_password(
+    request: ResetPasswordRequest,
+    session: Session = Depends(get_session)
+) -> ResetPasswordResponse:
+    """
+    Reset user password with a valid token.
+
+    Security features:
+    - Token validation (expiry, usage)
+    - Password strength validation
+    - One-time use tokens
+    - Automatic token invalidation
+
+    Args:
+        request: Reset password request with token and new password
+        session: Database session
+
+    Returns:
+        Success message
+
+    Raises:
+        HTTPException 400: If token is invalid or password is weak
+        HTTPException 422: If validation fails
+    """
+    # Validate token
+    token_record = validate_reset_token(session, request.token)
+
+    if not token_record:
+        raise HTTPException(
+            status_code=400,
+            detail="Invalid or expired reset token"
+        )
+
+    # Validate password strength
+    password_validation = validate_password_strength(request.new_password)
+
+    if not password_validation["valid"]:
+        raise HTTPException(
+            status_code=400,
+            detail={
+                "message": "Password does not meet strength requirements",
+                "errors": password_validation["errors"]
+            }
+        )
+
+    # Get user
+    user = session.get(User, token_record.user_id)
+
+    if not user:
+        raise HTTPException(
+            status_code=400,
+            detail="User not found"
+        )
+
+    # Hash new password
+    hashed_password = hash_password(request.new_password)
+
+    # Update user password
+    user.hashed_password = hashed_password
+    session.add(user)
+
+    # Invalidate token (mark as used)
+    invalidate_token(session, request.token)
+
+    # Commit changes
+    session.commit()
+
+    return ResetPasswordResponse(
+        message="Password successfully reset. You can now sign in with your new password."
+    )

src/api/subtasks.py

@@ -0,0 +1,230 @@
+"""
+Subtasks API endpoints for CRUD operations on subtasks.
+
+This module provides:
+- GET /api/tasks/{task_id}/subtasks - List all subtasks for a task
+- POST /api/tasks/{task_id}/subtasks - Create new subtask
+- PUT /api/subtasks/{subtask_id} - Update existing subtask
+- DELETE /api/subtasks/{subtask_id} - Delete subtask
+
+All endpoints require JWT authentication and enforce user isolation.
+"""
+
+from fastapi import APIRouter, HTTPException, Depends, status
+from sqlmodel import Session
+from pydantic import BaseModel, Field
+from typing import Optional, List
+
+from ..models.subtask import Subtask
+from ..services import subtasks as subtask_service
+from ..middleware.jwt_auth import get_current_user_id
+from ..database import get_session
+
+router = APIRouter()
+
+
+# Request/Response Models
+class CreateSubtaskRequest(BaseModel):
+    """Request model for creating a subtask."""
+    title: str = Field(..., min_length=1, max_length=500, description="Subtask title")
+    order: Optional[int] = Field(0, description="Order position")
+
+
+class UpdateSubtaskRequest(BaseModel):
+    """Request model for updating a subtask."""
+    title: Optional[str] = Field(None, min_length=1, max_length=500, description="Subtask title")
+    completed: Optional[bool] = Field(None, description="Subtask completion status")
+    order: Optional[int] = Field(None, description="Order position")
+
+
+class SubtaskResponse(BaseModel):
+    """Subtask data response model."""
+    id: int
+    task_id: int
+    title: str
+    completed: bool
+    order: int
+    created_at: str
+    updated_at: str
+
+
+class SubtaskListResponse(BaseModel):
+    """Response model for subtask list."""
+    subtasks: List[SubtaskResponse]
+
+
+@router.get("/tasks/{task_id}/subtasks", response_model=SubtaskListResponse)
+async def list_subtasks(
+    task_id: int,
+    user_id: int = Depends(get_current_user_id),
+    session: Session = Depends(get_session)
+) -> SubtaskListResponse:
+    """
+    Get all subtasks for a task.
+
+    Args:
+        task_id: Task ID
+        user_id: Current user ID from JWT token
+        session: Database session
+
+    Returns:
+        SubtaskListResponse with array of subtasks
+
+    Raises:
+        HTTPException 401: If JWT token is invalid
+        HTTPException 404: If task not found or doesn't belong to user
+    """
+    # Get subtasks
+    subtasks = subtask_service.get_task_subtasks(session, task_id, user_id)
+
+    # Convert to response format
+    subtask_responses = [
+        SubtaskResponse(
+            id=subtask.id,
+            task_id=subtask.task_id,
+            title=subtask.title,
+            completed=subtask.completed,
+            order=subtask.order,
+            created_at=subtask.created_at.isoformat(),
+            updated_at=subtask.updated_at.isoformat()
+        )
+        for subtask in subtasks
+    ]
+
+    return SubtaskListResponse(subtasks=subtask_responses)
+
+
+@router.post("/tasks/{task_id}/subtasks", response_model=SubtaskResponse, status_code=status.HTTP_201_CREATED)
+async def create_subtask(
+    task_id: int,
+    request: CreateSubtaskRequest,
+    user_id: int = Depends(get_current_user_id),
+    session: Session = Depends(get_session)
+) -> SubtaskResponse:
+    """
+    Create a new subtask for a task.
+
+    Args:
+        task_id: Task ID
+        request: Subtask creation request
+        user_id: Current user ID from JWT token
+        session: Database session
+
+    Returns:
+        SubtaskResponse with created subtask data
+
+    Raises:
+        HTTPException 401: If JWT token is invalid
+        HTTPException 404: If task not found or doesn't belong to user
+    """
+    # Create subtask
+    subtask = subtask_service.create_subtask(
+        session=session,
+        task_id=task_id,
+        user_id=user_id,
+        title=request.title,
+        order=request.order or 0
+    )
+
+    if not subtask:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="Task not found"
+        )
+
+    # Return response
+    return SubtaskResponse(
+        id=subtask.id,
+        task_id=subtask.task_id,
+        title=subtask.title,
+        completed=subtask.completed,
+        order=subtask.order,
+        created_at=subtask.created_at.isoformat(),
+        updated_at=subtask.updated_at.isoformat()
+    )
+
+
+@router.put("/subtasks/{subtask_id}", response_model=SubtaskResponse)
+async def update_subtask(
+    subtask_id: int,
+    request: UpdateSubtaskRequest,
+    user_id: int = Depends(get_current_user_id),
+    session: Session = Depends(get_session)
+) -> SubtaskResponse:
+    """
+    Update an existing subtask.
+
+    Args:
+        subtask_id: ID of the subtask to update
+        request: Subtask update request
+        user_id: Current user ID from JWT token
+        session: Database session
+
+    Returns:
+        SubtaskResponse with updated subtask data
+
+    Raises:
+        HTTPException 401: If JWT token is invalid
+        HTTPException 404: If subtask not found or doesn't belong to user
+    """
+    # Update subtask
+    subtask = subtask_service.update_subtask(
+        session=session,
+        subtask_id=subtask_id,
+        user_id=user_id,
+        title=request.title,
+        completed=request.completed,
+        order=request.order
+    )
+
+    if not subtask:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="Subtask not found"
+        )
+
+    # Return response
+    return SubtaskResponse(
+        id=subtask.id,
+        task_id=subtask.task_id,
+        title=subtask.title,
+        completed=subtask.completed,
+        order=subtask.order,
+        created_at=subtask.created_at.isoformat(),
+        updated_at=subtask.updated_at.isoformat()
+    )
+
+
+@router.delete("/subtasks/{subtask_id}", status_code=status.HTTP_204_NO_CONTENT)
+async def delete_subtask(
+    subtask_id: int,
+    user_id: int = Depends(get_current_user_id),
+    session: Session = Depends(get_session)
+) -> None:
+    """
+    Delete a subtask.
+
+    Args:
+        subtask_id: ID of the subtask to delete
+        user_id: Current user ID from JWT token
+        session: Database session
+
+    Returns:
+        None (204 No Content)
+
+    Raises:
+        HTTPException 401: If JWT token is invalid
+        HTTPException 404: If subtask not found or doesn't belong to user
+    """
+    # Delete subtask
+    success = subtask_service.delete_subtask(
+        session=session,
+        subtask_id=subtask_id,
+        user_id=user_id
+    )
+
+    if not success:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="Subtask not found"
+        )

src/api/tasks.py

@@ -0,0 +1,278 @@
+"""
+Tasks API endpoints for CRUD operations on tasks.
+
+This module provides:
+- GET /api/tasks - List all user tasks
+- POST /api/tasks - Create new task
+- PUT /api/tasks/{id} - Update existing task
+- DELETE /api/tasks/{id} - Delete task
+
+All endpoints require JWT authentication and enforce user isolation.
+"""
+
+from fastapi import APIRouter, HTTPException, Depends, status
+from sqlmodel import Session
+from pydantic import BaseModel, Field
+from typing import Optional, List
+
+from ..models.task import Task
+from ..services import tasks as task_service
+from ..middleware.jwt_auth import get_current_user_id
+from ..database import get_session
+
+router = APIRouter()
+
+
+# Request/Response Models
+class CreateTaskRequest(BaseModel):
+    """Request model for creating a task."""
+    title: str = Field(..., min_length=1, max_length=500, description="Task title")
+    description: Optional[str] = Field(None, description="Optional task description")
+    category: Optional[str] = Field(None, max_length=50, description="Task category/tag")
+    due_date: Optional[str] = Field(None, description="Due date in ISO format")
+    priority: Optional[str] = Field("medium", description="Task priority: low, medium, high")
+    is_recurring: Optional[bool] = Field(False, description="Whether task is recurring")
+    recurrence_type: Optional[str] = Field(None, description="Recurrence type: daily, weekly, monthly, yearly")
+    recurrence_interval: Optional[int] = Field(1, description="Recurrence interval (e.g., every 2 days)")
+    recurrence_end_date: Optional[str] = Field(None, description="Recurrence end date in ISO format")
+
+
+class UpdateTaskRequest(BaseModel):
+    """Request model for updating a task."""
+    title: Optional[str] = Field(None, min_length=1, max_length=500, description="Task title")
+    description: Optional[str] = Field(None, description="Task description")
+    completed: Optional[bool] = Field(None, description="Task completion status")
+    category: Optional[str] = Field(None, max_length=50, description="Task category/tag")
+    due_date: Optional[str] = Field(None, description="Due date in ISO format")
+    priority: Optional[str] = Field(None, description="Task priority: low, medium, high")
+    is_recurring: Optional[bool] = Field(None, description="Whether task is recurring")
+    recurrence_type: Optional[str] = Field(None, description="Recurrence type: daily, weekly, monthly, yearly")
+    recurrence_interval: Optional[int] = Field(None, description="Recurrence interval")
+    recurrence_end_date: Optional[str] = Field(None, description="Recurrence end date in ISO format")
+
+
+class TaskResponse(BaseModel):
+    """Task data response model."""
+    id: int
+    user_id: int
+    title: str
+    description: Optional[str]
+    completed: bool
+    category: Optional[str]
+    due_date: Optional[str]
+    priority: Optional[str]
+    is_recurring: bool
+    recurrence_type: Optional[str]
+    recurrence_interval: Optional[int]
+    recurrence_end_date: Optional[str]
+    parent_task_id: Optional[int]
+    created_at: str
+    updated_at: str
+
+
+class TaskListResponse(BaseModel):
+    """Response model for task list."""
+    tasks: List[TaskResponse]
+
+
+@router.get("", response_model=TaskListResponse)
+async def list_tasks(
+    user_id: int = Depends(get_current_user_id),
+    session: Session = Depends(get_session)
+) -> TaskListResponse:
+    """
+    Get all tasks for the authenticated user.
+
+    Args:
+        user_id: Current user ID from JWT token
+        session: Database session
+
+    Returns:
+        TaskListResponse with array of user's tasks
+
+    Raises:
+        HTTPException 401: If JWT token is invalid
+    """
+    # Get user tasks
+    tasks = task_service.get_user_tasks(session, user_id)
+
+    # Convert to response format
+    task_responses = [
+        TaskResponse(
+            id=task.id,
+            user_id=task.user_id,
+            title=task.title,
+            description=task.description,
+            completed=task.completed,
+            category=task.category,
+            due_date=task.due_date.isoformat() if task.due_date else None,
+            priority=task.priority,
+            is_recurring=task.is_recurring,
+            recurrence_type=task.recurrence_type,
+            recurrence_interval=task.recurrence_interval,
+            recurrence_end_date=task.recurrence_end_date.isoformat() if task.recurrence_end_date else None,
+            parent_task_id=task.parent_task_id,
+            created_at=task.created_at.isoformat(),
+            updated_at=task.updated_at.isoformat()
+        )
+        for task in tasks
+    ]
+
+    return TaskListResponse(tasks=task_responses)
+
+
+@router.post("", response_model=TaskResponse, status_code=status.HTTP_201_CREATED)
+async def create_task(
+    request: CreateTaskRequest,
+    user_id: int = Depends(get_current_user_id),
+    session: Session = Depends(get_session)
+) -> TaskResponse:
+    """
+    Create a new task for the authenticated user.
+
+    Args:
+        request: Task creation request with title and optional description
+        user_id: Current user ID from JWT token
+        session: Database session
+
+    Returns:
+        TaskResponse with created task data
+
+    Raises:
+        HTTPException 401: If JWT token is invalid
+        HTTPException 422: If validation fails
+    """
+    # Create task
+    task = task_service.create_task(
+        session=session,
+        user_id=user_id,
+        title=request.title,
+        description=request.description,
+        category=request.category,
+        due_date=request.due_date,
+        priority=request.priority,
+        is_recurring=request.is_recurring or False,
+        recurrence_type=request.recurrence_type,
+        recurrence_interval=request.recurrence_interval or 1,
+        recurrence_end_date=request.recurrence_end_date
+    )
+
+    # Return response
+    return TaskResponse(
+        id=task.id,
+        user_id=task.user_id,
+        title=task.title,
+        description=task.description,
+        completed=task.completed,
+        category=task.category,
+        due_date=task.due_date.isoformat() if task.due_date else None,
+        priority=task.priority,
+        is_recurring=task.is_recurring,
+        recurrence_type=task.recurrence_type,
+        recurrence_interval=task.recurrence_interval,
+        recurrence_end_date=task.recurrence_end_date.isoformat() if task.recurrence_end_date else None,
+        parent_task_id=task.parent_task_id,
+        created_at=task.created_at.isoformat(),
+        updated_at=task.updated_at.isoformat()
+    )
+
+
+@router.put("/{task_id}", response_model=TaskResponse)
+async def update_task(
+    task_id: int,
+    request: UpdateTaskRequest,
+    user_id: int = Depends(get_current_user_id),
+    session: Session = Depends(get_session)
+) -> TaskResponse:
+    """
+    Update an existing task.
+
+    Args:
+        task_id: ID of the task to update
+        request: Task update request with optional fields
+        user_id: Current user ID from JWT token
+        session: Database session
+
+    Returns:
+        TaskResponse with updated task data
+
+    Raises:
+        HTTPException 401: If JWT token is invalid
+        HTTPException 404: If task not found or doesn't belong to user
+    """
+    # Update task
+    task = task_service.update_task(
+        session=session,
+        task_id=task_id,
+        user_id=user_id,
+        title=request.title,
+        description=request.description,
+        completed=request.completed,
+        category=request.category,
+        due_date=request.due_date,
+        priority=request.priority,
+        is_recurring=request.is_recurring,
+        recurrence_type=request.recurrence_type,
+        recurrence_interval=request.recurrence_interval,
+        recurrence_end_date=request.recurrence_end_date
+    )
+
+    if not task:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="Task not found"
+        )
+
+    # Return response
+    return TaskResponse(
+        id=task.id,
+        user_id=task.user_id,
+        title=task.title,
+        description=task.description,
+        completed=task.completed,
+        category=task.category,
+        due_date=task.due_date.isoformat() if task.due_date else None,
+        priority=task.priority,
+        is_recurring=task.is_recurring,
+        recurrence_type=task.recurrence_type,
+        recurrence_interval=task.recurrence_interval,
+        recurrence_end_date=task.recurrence_end_date.isoformat() if task.recurrence_end_date else None,
+        parent_task_id=task.parent_task_id,
+        created_at=task.created_at.isoformat(),
+        updated_at=task.updated_at.isoformat()
+    )
+
+
+@router.delete("/{task_id}", status_code=status.HTTP_204_NO_CONTENT)
+async def delete_task(
+    task_id: int,
+    user_id: int = Depends(get_current_user_id),
+    session: Session = Depends(get_session)
+) -> None:
+    """
+    Delete a task.
+
+    Args:
+        task_id: ID of the task to delete
+        user_id: Current user ID from JWT token
+        session: Database session
+
+    Returns:
+        None (204 No Content)
+
+    Raises:
+        HTTPException 401: If JWT token is invalid
+        HTTPException 404: If task not found or doesn't belong to user
+    """
+    # Delete task
+    success = task_service.delete_task(
+        session=session,
+        task_id=task_id,
+        user_id=user_id
+    )
+
+    if not success:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="Task not found"
+        )

src/database.py

@@ -0,0 +1,59 @@
+"""
+Database configuration and session management.
+
+This module provides:
+- Database engine creation
+- Session management
+- Dependency injection for FastAPI routes
+"""
+
+import os
+from typing import Generator
+
+from sqlmodel import Session, create_engine, SQLModel
+
+# Get database URL from environment variable
+# For Vercel serverless, use /tmp directory for SQLite
+DATABASE_URL = os.getenv("DATABASE_URL")
+
+if DATABASE_URL is None:
+    # Check if running on Vercel (serverless environment)
+    if os.getenv("VERCEL"):
+        # Use /tmp directory which is writable in Vercel serverless
+        DATABASE_URL = "sqlite:////tmp/todo.db"
+    else:
+        # Local development
+        DATABASE_URL = "sqlite:///./todo.db"
+
+# Create database engine
+# connect_args only needed for SQLite
+connect_args = {"check_same_thread": False} if DATABASE_URL.startswith("sqlite") else {}
+
+engine = create_engine(
+    DATABASE_URL,
+    echo=False,  # Disable SQL query logging for serverless
+    connect_args=connect_args,
+    pool_pre_ping=True,  # Verify connections before using
+)
+
+
+def create_db_and_tables():
+    """Create all database tables."""
+    SQLModel.metadata.create_all(engine)
+
+
+def get_session() -> Generator[Session, None, None]:
+    """
+    Dependency function to provide database session to FastAPI routes.
+
+    Yields:
+        Session: SQLModel database session
+
+    Example:
+        @app.get("/items")
+        def get_items(session: Session = Depends(get_session)):
+            items = session.exec(select(Item)).all()
+            return items
+    """
+    with Session(engine) as session:
+        yield session

src/main.py

@@ -0,0 +1,68 @@
+from fastapi import FastAPI
+from fastapi.middleware.cors import CORSMiddleware
+from dotenv import load_dotenv
+import os
+
+# Load environment variables
+load_dotenv()
+
+# Create FastAPI application
+app = FastAPI(
+    title="Todo Application API",
+    description="Backend API for Todo application with JWT authentication",
+    version="1.0.0",
+)
+
+# CORS Configuration
+CORS_ORIGINS = os.getenv("CORS_ORIGINS", "http://localhost:3000,http://localhost:3001,http://localhost:3002,http://localhost:3003,http://localhost:3004,http://localhost:3005").split(",")
+
+# Configure CORS middleware
+app.add_middleware(
+    CORSMiddleware,
+    allow_origins=CORS_ORIGINS,
+    allow_credentials=True,
+    allow_methods=["GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"],
+    allow_headers=["*"],
+    expose_headers=["*"],
+    max_age=3600,
+)
+
+# Initialize database tables on startup
+from src.database import create_db_and_tables
+
+@app.on_event("startup")
+def on_startup():
+    """Initialize database tables on application startup."""
+    try:
+        create_db_and_tables()
+    except Exception as e:
+        print(f"Warning: Could not initialize database tables: {e}")
+        # Continue anyway - tables might already exist
+
+# Health check endpoint
+@app.get("/health")
+async def health_check():
+    """Health check endpoint to verify API is running."""
+    return {"status": "healthy"}
+
+# Root endpoint
+@app.get("/")
+async def root():
+    """Root endpoint with API information."""
+    return {
+        "message": "Todo Application API",
+        "version": "1.0.0",
+        "docs": "/docs",
+        "health": "/health"
+    }
+
+# Router registration
+from src.api import auth, tasks, subtasks, password_reset
+# AI router temporarily disabled due to Vercel size constraints
+# from src.api import ai
+
+app.include_router(auth.router, prefix="/api/auth", tags=["Authentication"])
+app.include_router(password_reset.router, prefix="/api/auth", tags=["Password Reset"])
+app.include_router(tasks.router, prefix="/api/tasks", tags=["Tasks"])
+app.include_router(subtasks.router, prefix="/api", tags=["Subtasks"])
+# app.include_router(ai.router, prefix="/api/ai", tags=["AI Features"])

src/main_minimal.py

@@ -0,0 +1,21 @@
+from fastapi import FastAPI
+import os
+
+app = FastAPI(title="Todo API - Minimal Test")
+
+@app.get("/")
+def root():
+    return {
+        "status": "ok",
+        "message": "Railway FastAPI is working!",
+        "port": os.getenv("PORT", "not set"),
+        "database": "connected" if os.getenv("DATABASE_URL") else "not configured"
+    }
+
+@app.get("/health")
+def health():
+    return {"status": "healthy", "service": "railway-test"}
+
+@app.get("/api/health")
+def api_health():
+    return {"status": "healthy", "api": "working"}

src/middleware/jwt_auth.py

@@ -0,0 +1,86 @@
+from fastapi import Request, HTTPException, status, Depends
+from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
+from jose import JWTError, jwt
+from typing import Optional
+import os
+
+# JWT Configuration
+SECRET_KEY = os.getenv("JWT_SECRET_KEY", "your-secret-key-here")
+ALGORITHM = os.getenv("JWT_ALGORITHM", "HS256")
+
+security = HTTPBearer()
+
+
+async def verify_jwt_token(credentials: HTTPAuthorizationCredentials) -> dict:
+    """
+    Verify JWT token and return payload.
+
+    Args:
+        credentials: HTTP Authorization credentials with Bearer token
+
+    Returns:
+        dict: JWT payload containing user_id and other claims
+
+    Raises:
+        HTTPException: If token is invalid or expired
+    """
+    try:
+        token = credentials.credentials
+        payload = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM])
+        user_id: Optional[int] = payload.get("user_id")
+
+        if user_id is None:
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail="Invalid authentication credentials",
+                headers={"WWW-Authenticate": "Bearer"},
+            )
+
+        return payload
+
+    except JWTError:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Could not validate credentials",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
+
+
+async def get_current_user_id(credentials: HTTPAuthorizationCredentials = Depends(security)) -> int:
+    """
+    Extract user_id from JWT token.
+
+    This function is used as a dependency in FastAPI routes to get the
+    authenticated user's ID from the JWT token.
+
+    Args:
+        credentials: HTTP Authorization credentials (injected by FastAPI)
+
+    Returns:
+        int: The authenticated user's ID
+
+    Raises:
+        HTTPException: If token is invalid or user_id is missing
+    """
+    payload = await verify_jwt_token(credentials)
+    return payload["user_id"]
+
+
+async def get_current_user(credentials: HTTPAuthorizationCredentials = Depends(security)) -> dict:
+    """
+    Extract full user payload from JWT token.
+
+    This function is used as a dependency in FastAPI routes to get the
+    authenticated user's full information from the JWT token.
+
+    Args:
+        credentials: HTTP Authorization credentials (injected by FastAPI)
+
+    Returns:
+        dict: The JWT payload containing user information
+
+    Raises:
+        HTTPException: If token is invalid
+    """
+    payload = await verify_jwt_token(credentials)
+    return payload

src/models/__init__.py

@@ -0,0 +1,6 @@
+from .user import User
+from .task import Task
+from .subtask import Subtask
+from .password_reset import PasswordResetToken
+
+__all__ = ["User", "Task", "Subtask", "PasswordResetToken"]

src/models/password_reset.py

@@ -0,0 +1,30 @@
+from sqlmodel import SQLModel, Field, Relationship
+from datetime import datetime
+from typing import Optional
+
+class PasswordResetToken(SQLModel, table=True):
+    """Password reset token model for secure password recovery."""
+
+    __tablename__ = "password_reset_tokens"
+
+    id: Optional[int] = Field(default=None, primary_key=True)
+    user_id: int = Field(foreign_key="users.id", index=True)
+    token: str = Field(unique=True, index=True, max_length=255)
+    expires_at: datetime = Field(index=True)
+    used: bool = Field(default=False)
+    created_at: datetime = Field(default_factory=datetime.utcnow)
+
+    # Relationships
+    user: Optional["User"] = Relationship()
+
+    class Config:
+        json_schema_extra = {
+            "example": {
+                "id": 1,
+                "user_id": 1,
+                "token": "abc123def456...",
+                "expires_at": "2026-02-07T12:15:00Z",
+                "used": False,
+                "created_at": "2026-02-07T12:00:00Z"
+            }
+        }

src/models/subtask.py

@@ -0,0 +1,32 @@
+from sqlmodel import SQLModel, Field, Relationship
+from datetime import datetime
+from typing import Optional
+
+class Subtask(SQLModel, table=True):
+    """Subtask model representing a checklist item within a task."""
+
+    __tablename__ = "subtasks"
+
+    id: Optional[int] = Field(default=None, primary_key=True)
+    task_id: int = Field(foreign_key="tasks.id", index=True)
+    title: str = Field(max_length=500)
+    completed: bool = Field(default=False)
+    order: int = Field(default=0)  # For ordering subtasks
+    created_at: datetime = Field(default_factory=datetime.utcnow)
+    updated_at: datetime = Field(default_factory=datetime.utcnow)
+
+    # Relationships
+    task: "Task" = Relationship(back_populates="subtasks")
+
+    class Config:
+        json_schema_extra = {
+            "example": {
+                "id": 1,
+                "task_id": 42,
+                "title": "Review documentation",
+                "completed": False,
+                "order": 0,
+                "created_at": "2026-02-05T10:00:00Z",
+                "updated_at": "2026-02-05T10:00:00Z"
+            }
+        }

src/models/task.py

@@ -0,0 +1,49 @@
+from sqlmodel import SQLModel, Field, Relationship
+from datetime import datetime
+from typing import Optional, List, TYPE_CHECKING
+
+if TYPE_CHECKING:
+    from .subtask import Subtask
+
+class Task(SQLModel, table=True):
+    """Task model representing a work item belonging to a user."""
+
+    __tablename__ = "tasks"
+
+    id: Optional[int] = Field(default=None, primary_key=True)
+    user_id: int = Field(foreign_key="users.id", index=True)
+    title: str = Field(max_length=500)
+    description: Optional[str] = Field(default=None)
+    completed: bool = Field(default=False)
+    category: Optional[str] = Field(default=None, max_length=50)
+    due_date: Optional[datetime] = Field(default=None)
+    priority: Optional[str] = Field(default="medium", max_length=20)  # low, medium, high
+
+    # Recurring task fields
+    is_recurring: bool = Field(default=False)
+    recurrence_type: Optional[str] = Field(default=None, max_length=20)  # daily, weekly, monthly, yearly
+    recurrence_interval: Optional[int] = Field(default=1)  # e.g., every 2 days, every 3 weeks
+    recurrence_end_date: Optional[datetime] = Field(default=None)
+    parent_task_id: Optional[int] = Field(default=None, foreign_key="tasks.id")  # For recurring instances
+
+    created_at: datetime = Field(default_factory=datetime.utcnow)
+    updated_at: datetime = Field(default_factory=datetime.utcnow)
+
+    # Relationships
+    user: "User" = Relationship(back_populates="tasks")
+    subtasks: List["Subtask"] = Relationship(back_populates="task")
+
+    class Config:
+        json_schema_extra = {
+            "example": {
+                "id": 1,
+                "user_id": 42,
+                "title": "Buy groceries",
+                "description": "Milk, eggs, bread",
+                "completed": False,
+                "category": "Personal",
+                "due_date": "2026-02-10T10:00:00Z",
+                "created_at": "2026-02-05T10:00:00Z",
+                "updated_at": "2026-02-05T10:00:00Z"
+            }
+        }

src/models/user.py

@@ -0,0 +1,27 @@
+from sqlmodel import SQLModel, Field, Relationship
+from datetime import datetime
+from typing import Optional, List
+
+class User(SQLModel, table=True):
+    """User model representing an authenticated user of the application."""
+
+    __tablename__ = "users"
+
+    id: Optional[int] = Field(default=None, primary_key=True)
+    email: str = Field(unique=True, index=True, max_length=255)
+    hashed_password: str = Field(max_length=255)
+    created_at: datetime = Field(default_factory=datetime.utcnow)
+    updated_at: datetime = Field(default_factory=datetime.utcnow)
+
+    # Relationships
+    tasks: List["Task"] = Relationship(back_populates="user")
+
+    class Config:
+        json_schema_extra = {
+            "example": {
+                "id": 1,
+                "email": "user@example.com",
+                "created_at": "2026-02-05T10:00:00Z",
+                "updated_at": "2026-02-05T10:00:00Z"
+            }
+        }

src/services/__init__.py

@@ -0,0 +1 @@
+# Services module