feat: sync backend changes from SDDRI-Hackathon-2

Syncing Phase 8 advanced features implementation:
- Due dates with datetime picker
- Reminders with browser notifications
- Recurring tasks support
- Priority enum fixes
- Database migrations 008 and 009

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

001_add_user_id_index.sql

@@ -0,0 +1,2 @@
+-- Add index on tasks.user_id for improved query performance
+CREATE INDEX IF NOT EXISTS idx_tasks_user_id ON tasks(user_id);

002_add_conversation_and_message_tables.sql

@@ -0,0 +1,67 @@
+-- Migration: Add conversation and message tables for AI Chatbot (Phase III)
+-- [Task]: T007
+-- [From]: specs/004-ai-chatbot/plan.md
+
+-- Enable UUID extension if not exists
+CREATE EXTENSION IF NOT EXISTS "uuid-ossp";
+
+-- Create conversation table
+CREATE TABLE IF NOT EXISTS conversation (
+    id UUID PRIMARY KEY DEFAULT uuid_generate_v4(),
+    user_id UUID NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+    created_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT NOW(),
+    updated_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT NOW()
+);
+
+-- Create index on user_id for conversation lookup
+CREATE INDEX IF NOT EXISTS idx_conversation_user_id ON conversation(user_id);
+CREATE INDEX IF NOT EXISTS idx_conversation_updated_at ON conversation(updated_at DESC);
+
+-- Create composite index for user's conversations ordered by update time
+CREATE INDEX IF NOT EXISTS idx_conversation_user_updated ON conversation(user_id, updated_at DESC);
+
+-- Create message table
+CREATE TABLE IF NOT EXISTS message (
+    id UUID PRIMARY KEY DEFAULT uuid_generate_v4(),
+    conversation_id UUID NOT NULL REFERENCES conversation(id) ON DELETE CASCADE,
+    user_id UUID NOT NULL REFERENCES users(id) ON DELETE CASCADE,
+    role VARCHAR(10) NOT NULL CHECK (role IN ('user', 'assistant')),
+    content TEXT NOT NULL,
+    created_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT NOW()
+);
+
+-- Create indexes for message queries
+CREATE INDEX IF NOT EXISTS idx_message_conversation_id ON message(conversation_id);
+CREATE INDEX IF NOT EXISTS idx_message_user_id ON message(user_id);
+CREATE INDEX IF NOT EXISTS idx_message_role ON message(role);
+CREATE INDEX IF NOT EXISTS idx_message_created_at ON message(created_at DESC);
+
+-- Create composite index for conversation messages (optimization for loading conversation history)
+CREATE INDEX IF NOT EXISTS idx_message_conversation_created ON message(conversation_id, created_at ASC);
+
+-- Add trigger to update conversation.updated_at when new message is added
+-- This requires PL/pgSQL
+CREATE OR REPLACE FUNCTION update_conversation_updated_at()
+RETURNS TRIGGER AS $$
+BEGIN
+    UPDATE conversation
+    SET updated_at = NOW()
+    WHERE id = NEW.conversation_id;
+    RETURN NEW;
+END;
+$$ LANGUAGE plpgsql;
+
+-- Drop trigger if exists to avoid errors
+DROP TRIGGER IF EXISTS trigger_update_conversation_updated_at ON message;
+
+-- Create trigger
+CREATE TRIGGER trigger_update_conversation_updated_at
+    AFTER INSERT ON message
+    FOR EACH ROW
+    EXECUTE FUNCTION update_conversation_updated_at();
+
+-- Add comment for documentation
+COMMENT ON TABLE conversation IS 'Stores chat sessions between users and AI assistant';
+COMMENT ON TABLE message IS 'Stores individual messages in conversations';
+COMMENT ON COLUMN message.role IS 'Either "user" or "assistant" - who sent the message';
+COMMENT ON COLUMN message.content IS 'Message content with max length of 10,000 characters';

003_add_due_date_and_priority_to_tasks.sql

@@ -0,0 +1,10 @@
+-- Add due_date and priority columns to tasks table
+-- Migration: 003
+-- [From]: specs/004-ai-chatbot/plan.md - Task Model Extensions
+
+-- Add due_date column (nullable, with index for filtering)
+ALTER TABLE tasks ADD COLUMN IF NOT EXISTS due_date TIMESTAMP WITH TIME ZONE;
+CREATE INDEX IF NOT EXISTS idx_tasks_due_date ON tasks(due_date);
+
+-- Add priority column with default value
+ALTER TABLE tasks ADD COLUMN IF NOT EXISTS priority VARCHAR(10) DEFAULT 'medium';

004_add_performance_indexes.sql

@@ -0,0 +1,75 @@
+-- Database indexes for conversation and message queries
+--
+-- [Task]: T059
+-- [From]: specs/004-ai-chatbot/tasks.md
+--
+-- These indexes optimize common queries for:
+-- - Conversation lookup by user_id
+-- - Message lookup by conversation_id
+-- - Message ordering by created_at
+-- - Composite indexes for filtering
+
+-- Index on conversations for user lookup
+-- Optimizes: SELECT * FROM conversations WHERE user_id = ?
+CREATE INDEX IF NOT EXISTS idx_conversations_user_id
+    ON conversations(user_id);
+
+-- Index on conversations for updated_at sorting (cleanup)
+-- Optimizes: SELECT * FROM conversations WHERE updated_at < ? (90-day cleanup)
+CREATE INDEX IF NOT EXISTS idx_conversations_updated_at
+    ON conversations(updated_at);
+
+-- Composite index for user conversations ordered by activity
+-- Optimizes: SELECT * FROM conversations WHERE user_id = ? ORDER BY updated_at DESC
+CREATE INDEX IF NOT EXISTS idx_conversations_user_updated
+    ON conversations(user_id, updated_at DESC);
+
+-- Index on messages for conversation lookup
+-- Optimizes: SELECT * FROM messages WHERE conversation_id = ?
+CREATE INDEX IF NOT EXISTS idx_messages_conversation_id
+    ON messages(conversation_id);
+
+-- Index on messages for user lookup
+-- Optimizes: SELECT * FROM messages WHERE user_id = ?
+CREATE INDEX IF NOT EXISTS idx_messages_user_id
+    ON messages(user_id);
+
+-- Index on messages for timestamp ordering
+-- Optimizes: SELECT * FROM messages WHERE conversation_id = ? ORDER BY created_at ASC
+CREATE INDEX IF NOT EXISTS idx_messages_created_at
+    ON messages(created_at);
+
+-- Composite index for conversation message retrieval
+-- Optimizes: SELECT * FROM messages WHERE conversation_id = ? ORDER BY created_at ASC
+CREATE INDEX IF NOT EXISTS idx_messages_conversation_created
+    ON messages(conversation_id, created_at ASC);
+
+-- Index on messages for role filtering
+-- Optimizes: SELECT * FROM messages WHERE conversation_id = ? AND role = ?
+CREATE INDEX IF NOT EXISTS idx_messages_conversation_role
+    ON messages(conversation_id, role);
+
+-- Index on tasks for user lookup (if not exists)
+-- Optimizes: SELECT * FROM tasks WHERE user_id = ?
+CREATE INDEX IF NOT EXISTS idx_tasks_user_id
+    ON tasks(user_id);
+
+-- Index on tasks for completion status filtering
+-- Optimizes: SELECT * FROM tasks WHERE user_id = ? AND completed = ?
+CREATE INDEX IF NOT EXISTS idx_tasks_user_completed
+    ON tasks(user_id, completed);
+
+-- Index on tasks for due date filtering
+-- Optimizes: SELECT * FROM tasks WHERE user_id = ? AND due_date IS NOT NULL AND due_date < ?
+CREATE INDEX IF NOT EXISTS idx_tasks_due_date
+    ON tasks(due_date) WHERE due_date IS NOT NULL;
+
+-- Composite index for task priority filtering
+-- Optimizes: SELECT * FROM tasks WHERE user_id = ? AND priority = ?
+CREATE INDEX IF NOT EXISTS idx_tasks_user_priority
+    ON tasks(user_id, priority);
+
+-- Index on tasks for created_at sorting
+-- Optimizes: SELECT * FROM tasks WHERE user_id = ? ORDER BY created_at DESC
+CREATE INDEX IF NOT EXISTS idx_tasks_user_created
+    ON tasks(user_id, created_at DESC);

005_add_tags_to_tasks.sql

@@ -0,0 +1,13 @@
+-- Add tags column to tasks table
+-- Migration: 005_add_tags_to_tasks.sql
+-- [Task]: T036, T037
+-- [From]: specs/007-intermediate-todo-features/tasks.md
+
+-- Add tags column as TEXT array (default: empty array)
+ALTER TABLE tasks ADD COLUMN IF NOT EXISTS tags TEXT[] NOT NULL DEFAULT '{}';
+
+-- Add index on tags for faster tag-based queries
+CREATE INDEX IF NOT EXISTS idx_tasks_tags ON tasks USING GIN (tags);
+
+-- Add comment for documentation
+COMMENT ON COLUMN tasks.tags IS 'Array of tag strings associated with the task';

008_add_advanced_features.sql

@@ -0,0 +1,88 @@
+-- Migration: Add advanced features to tasks table
+-- Version: 008_advanced_features
+-- Date: 2026-02-04
+-- [Task]: T001
+
+-- Step 1: Add new columns for reminders
+ALTER TABLE tasks
+  ADD COLUMN IF NOT EXISTS reminder_offset INTEGER,
+  ADD COLUMN IF NOT EXISTS reminder_sent BOOLEAN DEFAULT FALSE;
+
+-- Step 2: Add new columns for recurrence
+ALTER TABLE tasks
+  ADD COLUMN IF NOT EXISTS recurrence JSONB,
+  ADD COLUMN IF NOT EXISTS parent_task_id UUID REFERENCES tasks(id) ON DELETE SET NULL;
+
+-- Step 3: Create indexes for performance
+CREATE INDEX IF NOT EXISTS idx_tasks_parent_task_id ON tasks(parent_task_id);
+CREATE INDEX IF NOT EXISTS idx_tasks_reminder_sent ON tasks(reminder_sent) WHERE reminder_sent = FALSE;
+
+-- Step 4: Add constraints (without IF NOT EXISTS - use DO blocks instead)
+DO $$
+BEGIN
+  -- Add reminder offset positive constraint
+  IF NOT EXISTS (
+    SELECT 1 FROM pg_constraint
+    WHERE conname = 'chk_reminder_offset_positive'
+  ) THEN
+    ALTER TABLE tasks
+      ADD CONSTRAINT chk_reminder_offset_positive
+        CHECK (reminder_offset IS NULL OR reminder_offset >= 0);
+  END IF;
+
+  -- Add recurrence no self-reference constraint
+  IF NOT EXISTS (
+    SELECT 1 FROM pg_constraint
+    WHERE conname = 'chk_recurrence_no_self_reference'
+  ) THEN
+    ALTER TABLE tasks
+      ADD CONSTRAINT chk_recurrence_no_self_reference
+        CHECK (parent_task_id IS NULL OR id != parent_task_id);
+  END IF;
+END $$;
+
+-- Step 5: Add comments for documentation
+COMMENT ON COLUMN tasks.reminder_offset IS 'Minutes before due_date to send notification (0 = at due time)';
+COMMENT ON COLUMN tasks.reminder_sent IS 'Whether notification has been sent for this task';
+COMMENT ON COLUMN tasks.recurrence IS 'Recurrence rule as JSONB (frequency, interval, count, end_date)';
+COMMENT ON COLUMN tasks.parent_task_id IS 'For recurring task instances, links to the original task';
+
+-- Step 6: Create validation function for recurrence JSONB
+CREATE OR REPLACE FUNCTION validate_recurrence(rule jsonb)
+RETURNS boolean AS $$
+BEGIN
+  -- Check frequency is present and valid
+  IF rule->>'frequency' NOT IN ('daily', 'weekly', 'monthly') THEN
+    RETURN false;
+  END IF;
+
+  -- Check interval is valid if present
+  IF (rule->>'interval') IS NOT NULL THEN
+    IF (rule->>'interval')::integer < 1 OR (rule->>'interval')::integer > 365 THEN
+      RETURN false;
+    END IF;
+  END IF;
+
+  -- Check count is valid if present
+  IF (rule->>'count') IS NOT NULL THEN
+    IF (rule->>'count')::integer < 1 OR (rule->>'count')::integer > 100 THEN
+      RETURN false;
+    END IF;
+  END IF;
+
+  RETURN true;
+END;
+$$ LANGUAGE plpgsql;
+
+-- Step 7: Add recurrence valid constraint
+DO $$
+BEGIN
+  IF NOT EXISTS (
+    SELECT 1 FROM pg_constraint
+    WHERE conname = 'chk_recurrence_valid'
+  ) THEN
+    ALTER TABLE tasks
+      ADD CONSTRAINT chk_recurrence_valid
+        CHECK (recurrence IS NULL OR validate_recurrence(recurrence));
+  END IF;
+END $$;

009_fix_priority_case.sql

@@ -0,0 +1,16 @@
+-- Migration 009: Fix priority values to match enum (uppercase)
+-- [Task]: Data fix for existing tasks
+-- [From]: Issue with existing lowercase priority values
+
+-- Update all priority values to uppercase to match PriorityLevel enum
+UPDATE tasks
+SET priority = CASE
+    WHEN priority = 'low' THEN 'LOW'
+    WHEN priority = 'medium' THEN 'MEDIUM'
+    WHEN priority = 'high' THEN 'HIGH'
+    ELSE priority
+END
+WHERE priority IN ('low', 'medium', 'high');
+
+-- Verify the update
+SELECT COUNT(*) as tasks_updated FROM tasks;

CLAUDE.md

@@ -1,153 +1,7 @@
-# Backend Development Guidelines
-
-## Project Overview
-
-This directory contains the backend API for the Todo List application, built with Python FastAPI and SQLModel.
-
-## Technology Stack
-
-- **Language**: Python 3.13+
-- **Web Framework**: FastAPI (modern, high-performance web framework for building APIs)
-- **ORM**: SQLModel (combines SQLAlchemy and Pydantic for database interactions and validation)
-- **Database**: Neon Serverless PostgreSQL
-- **Package Manager**: UV
-
-## Project Structure
-
-```
-backend/
-├── src/                    # Application source code
-│   ├── models/            # SQLModel database models
-│   ├── api/               # API route handlers
-│   ├── services/          # Business logic layer
-│   ├── database.py        # Database connection and session management
-│   └── main.py            # FastAPI application entry point
-├── tests/                 # Test suite
-├── pyproject.toml         # UV project configuration
-└── CLAUDE.md             # This file
-```
-
-## Development Commands
-
-```bash
-cd backend
-
-# Install dependencies
-uv sync
-
-# Run development server
-uv run python src/main.py
-
-# Run tests
-uv run pytest tests/
-
-# Run with auto-reload during development
-uv run uvicorn src.main:app --reload
-
-# Check code quality
-uv run ruff check .
-```
-
-## API Endpoints
-
-The following REST API endpoints are implemented:
-
-| Method | Endpoint | Description |
-|--------|----------|-------------|
-| GET | `/api/{user_id}/tasks` | List all tasks for a user |
-| POST | `/api/{user_id}/tasks` | Create a new task |
-| GET | `/api/{user_id}/tasks/{id}` | Get task details |
-| PUT | `/api/{user_id}/tasks/{id}` | Update a task |
-| DELETE | `/api/{user_id}/tasks/{id}` | Delete a task |
-| PATCH | `/api/{user_id}/tasks/{id}/complete` | Toggle completion status |
-
-## Database Models
-
-### Task Model
-- `id`: Unique identifier (auto-generated)
-- `user_id`: Foreign key to user (for data segregation)
-- `title`: Task title (required, max 255 characters)
-- `description`: Task description (optional, max 2000 characters)
-- `completed`: Boolean status (default: false)
-- `created_at`: Timestamp of creation
-- `updated_at`: Timestamp of last update
-
-## Key Features
-
-- **FastAPI Auto-Documentation**: Interactive API docs available at `/docs` and `/redoc`
-- **Validation**: Automatic request/response validation via Pydantic
-- **Async Support**: Built-in async/await for high-performance I/O
-- **Type Safety**: Full type hints with SQLModel and Pydantic
-- **Database Migrations**: SQLModel schema management with Alembic (if needed)
-
-## Development Notes
-
-- Authentication is NOT enforced in this phase (user_id is passed as path parameter)
-- Database connection string should be provided via `DATABASE_URL` environment variable
-- Default pagination: 50 tasks per request, maximum 100
-- All timestamps are in UTC
-- Use dependency injection for database sessions
-
-## Environment Variables
-
-```bash
-DATABASE_URL=postgresql://user:password@host/database
-```
-
-## Testing Strategy
-
-- Unit tests for business logic
-- Integration tests for API endpoints
-- Database tests with test fixtures
-- Use pytest for test runner
-- Mock external dependencies where appropriate
-
-## Code Style
-
-- Follow Python 3.13+ standard conventions
-- Use type hints for all function signatures
-- Docstrings for all public functions and classes
-- Ruff for linting and formatting
-
-## Performance Considerations
-
-- Use database indexing on frequently queried fields (user_id, created_at)
-- Implement pagination for list endpoints to prevent large result sets
-- Use async database operations for better concurrency
-- Connection pooling for database connections
-
-## Documentation Resources
-
-- [FastAPI Documentation](https://fastapi.tiangolo.com/)
-- [SQLModel Documentation](https://sqlmodel.tiangolo.com/)
-- [Pydantic Documentation](https://docs.pydantic.dev/)
-
-## Related Specs
-
-- Feature Specification: [specs/001-backend-task-api/spec.md](../specs/001-backend-task-api/spec.md)
-- Project Constitution: [constitution.md](../.memory/constitution.md)
-
-
 <claude-mem-context>
 # Recent Activity
 
 <!-- This section is auto-generated by claude-mem. Edit content outside the tags. -->
 
-### Jan 18, 2026
-
-| ID | Time | T | Title | Read |
-|----|------|---|-------|------|
-| #58 | 3:17 PM | ✅ | Installed httpx-ws package for WebSocket testing support | ~187 |
-
-### Jan 28, 2026
-
-| ID | Time | T | Title | Read |
-|----|------|---|-------|------|
-| #587 | 8:43 PM | 🔵 | Backend pyproject.toml Defines All Python Dependencies | ~191 |
-
-### Jan 30, 2026
-
-| ID | Time | T | Title | Read |
-|----|------|---|-------|------|
-| #920 | 12:06 PM | 🔵 | Reviewed main.py to update logging configuration call | ~200 |
+*No recent activity*
 </claude-mem-context>

api/CLAUDE.md

@@ -3,44 +3,5 @@
 
 <!-- This section is auto-generated by claude-mem. Edit content outside the tags. -->
 
-### Jan 18, 2026
-
-| ID | Time | T | Title | Read |
-|----|------|---|-------|------|
-| #63 | 3:50 PM | 🔴 | Fixed import error in chat.py by moving decode_access_token to core.security | ~209 |
-| #60 | 3:46 PM | 🔴 | Fixed import path for WebSocket manager from websockets to ws_manager | ~198 |
-| #56 | 3:04 PM | 🟣 | Completed Phase 11 WebSocket real-time streaming implementation with 14 tasks | ~677 |
-| #42 | 2:58 PM | 🟣 | Implemented complete WebSocket backend infrastructure for real-time progress streaming | ~395 |
-| #40 | 2:57 PM | 🟣 | Added WebSocket endpoint to chat API for real-time progress streaming | ~483 |
-| #39 | " | 🟣 | Added WebSocket imports to chat API for real-time progress streaming | ~303 |
-| #10 | 1:51 PM | 🟣 | Implemented Phase 10 security, audit logging, database indexes, and documentation for AI chatbot | ~448 |
-
-### Jan 28, 2026
-
-| ID | Time | T | Title | Read |
-|----|------|---|-------|------|
-| #693 | 11:02 PM | 🟣 | List Tasks Endpoint Extended with Priority Query Parameter | ~303 |
-| #664 | 10:50 PM | 🟣 | Task Creation Updated to Support Priority, Tags, and Due Date Fields | ~232 |
-| #663 | " | 🔵 | Task API Endpoints Implement JWT-Authenticated CRUD Operations | ~439 |
-
-### Jan 29, 2026
-
-| ID | Time | T | Title | Read |
-|----|------|---|-------|------|
-| #876 | 7:40 PM | 🔴 | Priority enum value mismatch causing database query failure | ~238 |
-| #868 | 7:34 PM | 🔴 | Backend database schema missing tags column in tasks table | ~258 |
-
-### Jan 30, 2026
-
-| ID | Time | T | Title | Read |
-|----|------|---|-------|------|
-| #946 | 1:01 PM | 🔵 | Reviewed chat API error handling for AI service configuration | ~228 |
-| #945 | 1:00 PM | 🔵 | Reviewed chat endpoint implementation for AI service integration | ~261 |
-| #944 | " | 🔵 | Reviewed chat.py API endpoint error handling for AI agent streaming | ~238 |
-| #943 | 12:59 PM | 🔵 | Located AI agent integration in chat API endpoint | ~185 |
-| #922 | 12:32 PM | 🔴 | Identified SQLModel Session.exec() parameter error in list_tags endpoint | ~290 |
-| #921 | 12:31 PM | 🔵 | Verified correct route ordering in tasks.py after refactor | ~213 |
-| #916 | 12:05 PM | 🔴 | Identified duplicate route definitions in tasks.py after route reordering | ~258 |
-| #914 | 11:13 AM | 🔴 | Identified route definition order in tasks.py requiring reorganization | ~296 |
-| #909 | 10:37 AM | 🔴 | Identified FastAPI route ordering issue causing UUID validation error | ~262 |
+*No recent activity*
 </claude-mem-context>

audit.py

@@ -0,0 +1,267 @@
+"""Audit logging service for MCP tool invocations.
+
+[Task]: T058
+[From]: specs/004-ai-chatbot/tasks.md
+
+This module provides audit logging for all MCP tool invocations to track
+usage patterns, detect abuse, and maintain compliance records.
+"""
+import logging
+import json
+from datetime import datetime
+from typing import Any, Optional
+from uuid import UUID
+
+from sqlmodel import Session
+
+from core.database import engine
+
+
+# Configure audit logger
+audit_logger = logging.getLogger("audit")
+audit_logger.setLevel(logging.INFO)
+
+# Audit log handler (separate from main logs)
+audit_handler = logging.FileHandler("logs/audit.log")
+audit_handler.setFormatter(logging.Formatter(
+    '%(asctime)s | %(levelname)s | %(message)s'
+))
+audit_logger.addHandler(audit_handler)
+
+
+def log_tool_invocation(
+    tool_name: str,
+    user_id: str | UUID,
+    args: dict[str, Any],
+    result: dict[str, Any],
+    conversation_id: Optional[str | UUID] = None,
+    execution_time_ms: Optional[float] = None,
+    error: Optional[str] = None
+) -> None:
+    """Log an MCP tool invocation for audit purposes.
+
+    [From]: specs/004-ai-chatbot/spec.md - NFR-018
+
+    Args:
+        tool_name: Name of the tool that was invoked
+        user_id: ID of the user who invoked the tool
+        args: Arguments passed to the tool
+        result: Result returned by the tool
+        conversation_id: Optional conversation context
+        execution_time_ms: Optional execution time in milliseconds
+        error: Optional error message if invocation failed
+    """
+    log_entry = {
+        "timestamp": datetime.utcnow().isoformat(),
+        "tool_name": tool_name,
+        "user_id": str(user_id),
+        "conversation_id": str(conversation_id) if conversation_id else None,
+        "success": error is None,
+        "error": error,
+        "execution_time_ms": execution_time_ms,
+        "args_summary": _summarize_args(tool_name, args),
+        "result_summary": _summarize_result(result)
+    }
+
+    # Log to file
+    audit_logger.info(json.dumps(log_entry))
+
+    # Also log to database for querying (if needed)
+    _persist_audit_log(log_entry)
+
+
+def _summarize_args(tool_name: str, args: dict[str, Any]) -> dict[str, Any]:
+    """Create a summary of tool arguments for logging.
+
+    [From]: T058 - Add audit logging for all MCP tool invocations
+
+    Args:
+        tool_name: Name of the tool
+        args: Full arguments dict
+
+    Returns:
+        Summarized arguments (sanitized for sensitive data)
+    """
+    # Don't log full user content for privacy
+    if "message" in args:
+        return {"message_length": len(str(args.get("message", "")))}
+
+    # For task operations, log relevant info
+    if tool_name in ["add_task", "update_task", "complete_task", "delete_task"]:
+        summary = {}
+        if "task_id" in args:
+            summary["task_id"] = str(args["task_id"])
+        if "title" in args:
+            summary["title"] = args["title"][:50]  # Truncate long titles
+        if "completed" in args:
+            summary["completed"] = args["completed"]
+        if "priority" in args:
+            summary["priority"] = args["priority"]
+        return summary
+
+    # For list_tasks, log filters
+    if tool_name == "list_tasks":
+        summary = {}
+        if "status" in args:
+            summary["status"] = args["status"]
+        if "limit" in args:
+            summary["limit"] = args["limit"]
+        return summary
+
+    # Default: return all args (tool-specific sanitization could be added)
+    return args
+
+
+def _summarize_result(result: dict[str, Any]) -> dict[str, Any]:
+    """Create a summary of tool result for logging.
+
+    [From]: T058 - Add audit logging for all MCP tool invocations
+
+    Args:
+        result: Full result dict from tool
+
+    Returns:
+        Summarized result
+    """
+    if not isinstance(result, dict):
+        return {"result_type": type(result).__name__}
+
+    summary = {}
+
+    # Extract key fields
+    if "success" in result:
+        summary["success"] = result["success"]
+
+    if "error" in result:
+        summary["error"] = result["error"]
+
+    if "task" in result:
+        task = result["task"]
+        summary["task_id"] = task.get("id")
+        summary["task_title"] = task.get("title", "")[:50] if task.get("title") else None
+
+    if "tasks" in result:
+        tasks = result.get("tasks", [])
+        summary["task_count"] = len(tasks) if isinstance(tasks, list) else 0
+
+    if "updated_count" in result:
+        summary["updated_count"] = result["updated_count"]
+
+    if "deleted_count" in result:
+        summary["deleted_count"] = result["deleted_count"]
+
+    if "message" in result:
+        # Truncate long messages
+        msg = result["message"]
+        summary["message"] = msg[:100] + "..." if len(msg) > 100 else msg
+
+    return summary
+
+
+def _persist_audit_log(log_entry: dict) -> None:
+    """Persist audit log to database for querying.
+
+    [From]: T058 - Add audit logging for all MCP tool invocations
+
+    Args:
+        log_entry: The audit log entry to persist
+    """
+    # Note: This could be extended to write to an audit_logs table
+    # For now, file-based logging is sufficient
+    pass
+
+
+def get_user_activity_summary(
+    user_id: str | UUID,
+    limit: int = 100
+) -> list[dict[str, Any]]:
+    """Get a summary of user activity from audit logs.
+
+    [From]: T058 - Add audit logging for all MCP tool invocations
+
+    Args:
+        user_id: User ID to get activity for
+        limit: Maximum number of entries to return
+
+    Returns:
+        List of audit log entries for the user
+    """
+    # Read audit log file and filter by user_id
+    try:
+        with open("logs/audit.log", "r") as f:
+            user_entries = []
+            for line in f:
+                try:
+                    entry = json.loads(line.split(" | ", 2)[-1])
+                    if entry.get("user_id") == str(user_id):
+                        user_entries.append(entry)
+                        if len(user_entries) >= limit:
+                            break
+                except (json.JSONDecodeError, IndexError):
+                    continue
+            return user_entries
+    except FileNotFoundError:
+        return []
+
+
+# Decorator for automatic audit logging of MCP tools
+def audit_log(tool_name: Optional[str] = None):
+    """Decorator to automatically log MCP tool invocations.
+
+    [From]: T058 - Add audit logging for all MCP tool invocations
+
+    Args:
+        tool_name: Optional override for tool name (defaults to function name)
+
+    Usage:
+        @audit_log("add_task")
+        async def add_task(user_id: str, title: str, ...):
+            ...
+    """
+    import functools
+    import time
+
+    def decorator(func):
+        @functools.wraps(func)
+        async def wrapper(*args, **kwargs):
+            name = tool_name or func.__name__
+            start_time = time.time()
+
+            # Extract user_id from args/kwargs
+            user_id = kwargs.get("user_id") or (args[0] if args else None)
+
+            try:
+                result = await func(*args, **kwargs)
+                execution_time = (time.time() - start_time) * 1000
+
+                log_tool_invocation(
+                    tool_name=name,
+                    user_id=user_id or "unknown",
+                    args=kwargs,
+                    result=result,
+                    execution_time_ms=execution_time
+                )
+                return result
+
+            except Exception as e:
+                execution_time = (time.time() - start_time) * 1000
+
+                log_tool_invocation(
+                    tool_name=name,
+                    user_id=user_id or "unknown",
+                    args=kwargs,
+                    result={},
+                    execution_time_ms=execution_time,
+                    error=str(e)
+                )
+                raise
+
+        return wrapper
+    return decorator
+
+
+__all__ = [
+    "log_tool_invocation",
+    "get_user_activity_summary",
+    "audit_log",
+]

auth.py

@@ -0,0 +1,384 @@
+"""Authentication API endpoints.
+
+[Task]: T017
+[From]: specs/001-user-auth/contracts/openapi.yaml, specs/001-user-auth/plan.md
+"""
+import re
+from typing import Optional
+from datetime import datetime, timedelta
+
+from fastapi import APIRouter, Depends, HTTPException, status, Cookie
+from fastapi.responses import JSONResponse, Response
+from sqlmodel import Session, select
+
+from models.user import User, UserCreate, UserRead, UserLogin
+from core.database import get_session
+from core.security import get_password_hash, verify_password, create_access_token, decode_access_token
+from core.config import get_settings
+from api.deps import get_current_user
+
+settings = get_settings()
+
+router = APIRouter(prefix="/api/auth", tags=["Authentication"])
+
+
+def validate_email_format(email: str) -> bool:
+    """Validate email format.
+
+    Check for @ symbol and domain part.
+
+    [Task]: T019
+    [From]: specs/001-user-auth/spec.md
+
+    Args:
+        email: Email address to validate
+
+    Returns:
+        True if email format is valid, False otherwise
+    """
+    if not email:
+        return False
+
+    # Basic email validation: must contain @ and at least one . after @
+    pattern = r'^[^@]+@[^@]+\.[^@]+$'
+    return re.match(pattern, email) is not None
+
+
+def validate_password(password: str) -> bool:
+    """Validate password length.
+
+    Minimum 8 characters.
+
+    [Task]: T020
+    [From]: specs/001-user-auth/spec.md
+
+    Args:
+        password: Password to validate
+
+    Returns:
+        True if password meets requirements, False otherwise
+    """
+    return len(password) >= 8
+
+
+@router.post("/sign-up", response_model=dict, status_code=status.HTTP_200_OK)
+async def sign_up(
+    user_data: UserCreate,
+    session: Session = Depends(get_session)
+):
+    """Register a new user account.
+
+    Validates email format and password length, checks email uniqueness,
+    hashes password with bcrypt, creates user in database.
+
+    [Task]: T018
+    [From]: specs/001-user-auth/contracts/openapi.yaml
+
+    Args:
+        user_data: User registration data (email, password)
+        session: Database session
+
+    Returns:
+        Success response with message and user data
+
+    Raises:
+        HTTPException 400: Invalid email format or password too short
+        HTTPException 409: Email already registered
+        HTTPException 500: Database error
+    """
+    # Validate email format
+    if not validate_email_format(user_data.email):
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Invalid email format"
+        )
+
+    # Validate password length
+    if not validate_password(user_data.password):
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Password must be at least 8 characters"
+        )
+
+    # Check if email already exists
+    existing_user = session.exec(
+        select(User).where(User.email == user_data.email)
+    ).first()
+    if existing_user:
+        raise HTTPException(
+            status_code=status.HTTP_409_CONFLICT,
+            detail="Email already registered"
+        )
+
+    # Hash password with bcrypt
+    hashed_password = get_password_hash(user_data.password)
+
+    # Create user
+    user = User(
+        email=user_data.email,
+        hashed_password=hashed_password
+    )
+
+    try:
+        session.add(user)
+        session.commit()
+        session.refresh(user)
+    except Exception as e:
+        session.rollback()
+        raise HTTPException(
+            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+            detail="Failed to create user account"
+        )
+
+    # Return user data (excluding password)
+    user_dict = UserRead.model_validate(user).model_dump(mode='json')
+    return {
+        "success": True,
+        "message": "Account created successfully",
+        "user": user_dict
+    }
+
+
+def get_user_by_email(email: str, session: Session) -> Optional[User]:
+    """Query database for user by email.
+
+    [Task]: T030
+    [From]: specs/001-user-auth/plan.md
+
+    Args:
+        email: User email address
+        session: Database session
+
+    Returns:
+        User object if found, None otherwise
+    """
+    return session.exec(select(User).where(User.email == email)).first()
+
+
+@router.post("/sign-in", response_model=dict, status_code=status.HTTP_200_OK)
+async def sign_in(
+    user_data: UserLogin,
+    session: Session = Depends(get_session)
+):
+    """Authenticate user and generate JWT token.
+
+    Verifies credentials, generates JWT token, sets httpOnly cookie,
+    returns token and user data.
+
+    [Task]: T027
+    [From]: specs/001-user-auth/contracts/openapi.yaml
+
+    Args:
+        user_data: User login credentials (email, password)
+        session: Database session
+
+    Returns:
+        Login response with JWT token, user data, and expiration time
+
+    Raises:
+        HTTPException 401: Invalid credentials
+        HTTPException 500: Database or JWT generation error
+    """
+    # Get user by email
+    user = get_user_by_email(user_data.email, session)
+    if not user:
+        # Generic error message (don't reveal if email exists)
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Invalid email or password"
+        )
+
+    # Verify password
+    if not verify_password(user_data.password, user.hashed_password):
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Invalid email or password"
+        )
+
+    # Generate JWT token
+    access_token = create_access_token(
+        data={"sub": str(user.id)},
+        expires_delta=timedelta(days=settings.jwt_expiration_days)
+    )
+
+    # Calculate expiration time
+    expires_at = datetime.utcnow() + timedelta(days=settings.jwt_expiration_days)
+
+    # Create response
+    response_data = {
+        "success": True,
+        "token": access_token,
+        "user": UserRead.model_validate(user).model_dump(mode='json'),
+        "expires_at": expires_at.isoformat() + "Z"
+    }
+
+    # Create response with httpOnly cookie
+    response = JSONResponse(content=response_data)
+
+    # Set httpOnly cookie with JWT token
+    response.set_cookie(
+        key="auth_token",
+        value=access_token,
+        httponly=True,
+        secure=settings.environment == "production",  # Only send over HTTPS in production
+        samesite="lax",  # CSRF protection
+        max_age=settings.jwt_expiration_days * 24 * 60 * 60,  # Convert days to seconds
+        path="/"
+    )
+
+    return response
+
+
+@router.get("/session", response_model=dict, status_code=status.HTTP_200_OK)
+async def get_session(
+    response: Response,
+    Authorization: Optional[str] = None,
+    auth_token: Optional[str] = Cookie(None),
+    session: Session = Depends(get_session)
+):
+    """Verify JWT token and return user session data.
+
+    Checks JWT token from Authorization header or httpOnly cookie,
+    verifies signature, returns user data if authenticated.
+
+    [Task]: T026
+    [From]: specs/001-user-auth/contracts/openapi.yaml
+
+    Args:
+        response: FastAPI response object
+        Authorization: Bearer token from Authorization header
+        auth_token: JWT token from httpOnly cookie
+        session: Database session
+
+    Returns:
+        Session response with authentication status and user data
+
+    Raises:
+        HTTPException 401: Invalid, expired, or missing token
+    """
+    # Extract token from Authorization header or cookie
+    token = None
+
+    # Try Authorization header first
+    if Authorization:
+        try:
+            scheme, header_token = Authorization.split()
+            if scheme.lower() == "bearer":
+                token = header_token
+        except ValueError:
+            pass  # Fall through to cookie
+
+    # If no token in header, try cookie
+    if not token and auth_token:
+        token = auth_token
+
+    if not token:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Not authenticated"
+        )
+
+    try:
+        # Decode and verify token
+        payload = decode_access_token(token)
+        user_id = payload.get("sub")
+
+        if not user_id:
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail="Invalid token: user_id missing"
+            )
+
+        # Query user from database
+        user = session.get(User, user_id)
+        if not user:
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail="User not found"
+            )
+
+        # Calculate expiration time
+        exp = payload.get("exp")
+        expires_at = None
+        if exp:
+            expires_at = datetime.fromtimestamp(exp).isoformat() + "Z"
+
+        return {
+            "authenticated": True,
+            "user": UserRead.model_validate(user).model_dump(mode='json'),
+            "expires_at": expires_at
+        }
+
+    except HTTPException:
+        raise
+    except Exception as e:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Could not validate credentials"
+        )
+
+
+@router.get("/users/me")
+async def get_users_me(
+    current_user: User = Depends(get_current_user)
+):
+    """Get current authenticated user information.
+
+    Example protected endpoint that requires JWT authentication.
+    Returns user data for authenticated user.
+
+    [Task]: T038
+    [From]: specs/001-user-auth/plan.md
+
+    Args:
+        current_user: Authenticated user from dependency
+
+    Returns:
+        User data for current user
+
+    Raises:
+        HTTPException 401: If not authenticated
+    """
+    return UserRead.model_validate(current_user).model_dump(mode='json')
+
+
+@router.post("/sign-out", status_code=status.HTTP_200_OK)
+async def sign_out(
+    response: Response,
+    current_user: User = Depends(get_current_user)
+):
+    """Logout current user.
+
+    Client-side logout (clears httpOnly cookie).
+    Server-side token is stateless (JWT), so no server storage to clear.
+
+    [Task]: T043
+    [From]: specs/001-user-auth/contracts/openapi.yaml
+
+    Args:
+        response: FastAPI response object
+        current_user: Authenticated user (for validation only)
+
+    Returns:
+        Success message
+
+    Raises:
+        HTTPException 401: If not authenticated
+    """
+    # Create response with success message
+    response_data = {
+        "success": True,
+        "message": "Logged out successfully"
+    }
+
+    # Create response with cleared httpOnly cookie
+    response_obj = JSONResponse(content=response_data)
+
+    # Clear the httpOnly cookie by setting it to expire
+    response_obj.delete_cookie(
+        key="auth_token",
+        path="/",
+        samesite="lax"
+    )
+
+    return response_obj

chat.py

@@ -0,0 +1,478 @@
+"""Chat API endpoint for AI-powered task management.
+
+[Task]: T015, T071
+[From]: specs/004-ai-chatbot/tasks.md
+
+This endpoint provides a conversational interface for task management.
+Users can create, list, update, complete, and delete tasks through natural language.
+
+Also includes WebSocket endpoint for real-time progress streaming.
+"""
+import uuid
+import logging
+import asyncio
+from datetime import datetime
+from typing import Annotated, Optional
+from fastapi import APIRouter, HTTPException, status, Depends, WebSocket, WebSocketDisconnect, BackgroundTasks
+from pydantic import BaseModel, Field, field_validator, ValidationError
+from sqlmodel import Session
+from sqlalchemy.exc import SQLAlchemyError
+
+from core.database import get_db
+from core.validators import validate_message_length
+from core.security import decode_access_token
+from models.message import Message, MessageRole
+from services.security import sanitize_message
+from models.conversation import Conversation
+from ai_agent import run_agent_with_streaming, is_gemini_configured
+from services.conversation import (
+    get_or_create_conversation,
+    load_conversation_history,
+    update_conversation_timestamp
+)
+from services.rate_limiter import check_rate_limit
+from ws_manager.manager import manager
+
+
+# Configure error logger
+error_logger = logging.getLogger("api.errors")
+error_logger.setLevel(logging.ERROR)
+
+
+# Request/Response models
+class ChatRequest(BaseModel):
+    """Request model for chat endpoint.
+
+    [From]: specs/004-ai-chatbot/plan.md - API Contract
+    """
+    message: str = Field(
+        ...,
+        description="User message content",
+        min_length=1,
+        max_length=10000  # FR-042
+    )
+    conversation_id: Optional[str] = Field(
+        None,
+        description="Optional conversation ID to continue existing conversation"
+    )
+
+    @field_validator('message')
+    @classmethod
+    def validate_message(cls, v: str) -> str:
+        """Validate message content."""
+        if not v or not v.strip():
+            raise ValueError("Message content cannot be empty")
+        if len(v) > 10000:
+            raise ValueError("Message content exceeds maximum length of 10,000 characters")
+        return v.strip()
+
+
+class TaskReference(BaseModel):
+    """Reference to a task created or modified by AI."""
+    id: str
+    title: str
+    description: Optional[str] = None
+    due_date: Optional[str] = None
+    priority: Optional[str] = None
+    completed: bool = False
+
+
+class ChatResponse(BaseModel):
+    """Response model for chat endpoint.
+
+    [From]: specs/004-ai-chatbot/plan.md - API Contract
+    """
+    response: str = Field(
+        ...,
+        description="AI assistant's text response"
+    )
+    conversation_id: str = Field(
+        ...,
+        description="Conversation ID (new or existing)"
+    )
+    tasks: list[TaskReference] = Field(
+        default_factory=list,
+        description="List of tasks created or modified in this interaction"
+    )
+
+
+# Create API router
+router = APIRouter(prefix="/api", tags=["chat"])
+
+
+@router.post("/{user_id}/chat", response_model=ChatResponse, status_code=status.HTTP_200_OK)
+async def chat(
+    user_id: str,
+    request: ChatRequest,
+    background_tasks: BackgroundTasks,
+    db: Session = Depends(get_db)
+):
+    """Process user message through AI agent and return response.
+
+    [From]: specs/004-ai-chatbot/spec.md - US1
+
+    This endpoint:
+    1. Validates user input and rate limits
+    2. Gets or creates conversation
+    3. Runs AI agent with WebSocket progress streaming
+    4. Returns AI response immediately
+    5. Saves messages to DB in background (non-blocking)
+
+    Args:
+        user_id: User ID (UUID string from path)
+        request: Chat request with message and optional conversation_id
+        background_tasks: FastAPI background tasks for non-blocking DB saves
+        db: Database session
+
+    Returns:
+        ChatResponse with AI response, conversation_id, and task references
+
+    Raises:
+        HTTPException 400: Invalid message content
+        HTTPException 503: AI service unavailable
+    """
+    # Check if Gemini API is configured
+    # [From]: specs/004-ai-chatbot/tasks.md - T022
+    # [From]: T060 - Add comprehensive error messages for edge cases
+    if not is_gemini_configured():
+        raise HTTPException(
+            status_code=status.HTTP_503_SERVICE_UNAVAILABLE,
+            detail={
+                "error": "AI service unavailable",
+                "message": "The AI service is currently not configured. Please ensure GEMINI_API_KEY is set in the environment.",
+                "suggestion": "Contact your administrator or check your API key configuration."
+            }
+        )
+
+    # Validate user_id format
+    # [From]: T060 - Add comprehensive error messages for edge cases
+    try:
+        user_uuid = uuid.UUID(user_id)
+    except ValueError:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail={
+                "error": "Invalid user ID",
+                "message": f"User ID '{user_id}' is not a valid UUID format.",
+                "expected_format": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
+                "suggestion": "Ensure you are using a valid UUID for the user_id path parameter."
+            }
+        )
+
+    # Validate message content
+    # [From]: T060 - Add comprehensive error messages for edge cases
+    try:
+        validated_message = validate_message_length(request.message)
+    except ValueError as e:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail={
+                "error": "Message validation failed",
+                "message": str(e),
+                "max_length": 10000,
+                "suggestion": "Keep your message under 10,000 characters and ensure it contains meaningful content."
+            }
+        )
+
+    # Sanitize message to prevent prompt injection
+    # [From]: T057 - Implement prompt injection sanitization
+    # [From]: T060 - Add comprehensive error messages for edge cases
+    try:
+        sanitized_message = sanitize_message(validated_message)
+    except ValueError as e:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail={
+                "error": "Message content blocked",
+                "message": str(e),
+                "suggestion": "Please rephrase your message without attempting to manipulate system instructions."
+            }
+        )
+
+    # Check rate limit
+    # [From]: specs/004-ai-chatbot/spec.md - NFR-011
+    # [From]: T021 - Implement daily message limit enforcement (100/day)
+    # [From]: T060 - Add comprehensive error messages for edge cases
+    try:
+        allowed, remaining, reset_time = check_rate_limit(db, user_uuid)
+
+        if not allowed:
+            raise HTTPException(
+                status_code=status.HTTP_429_TOO_MANY_REQUESTS,
+                detail={
+                    "error": "Rate limit exceeded",
+                    "message": "You have reached the daily message limit. Please try again later.",
+                    "limit": 100,
+                    "resets_at": reset_time.isoformat() if reset_time else None,
+                    "suggestion": "Free tier accounts are limited to 100 messages per day. Upgrade for unlimited access."
+                }
+            )
+    except HTTPException:
+        # Re-raise HTTP exceptions (rate limit errors)
+        raise
+    except Exception as e:
+        # Log unexpected errors but don't block the request
+        error_logger.error(f"Rate limit check failed for user {user_id}: {e}")
+        # Continue processing - fail open for rate limit errors
+
+    # Get or create conversation
+    # [From]: T016 - Implement conversation history loading
+    # [From]: T035 - Handle auto-deleted conversations gracefully
+    # [From]: T060 - Add comprehensive error messages for edge cases
+    conversation_id: uuid.UUID
+
+    if request.conversation_id:
+        # Load existing conversation using service
+        try:
+            conv_uuid = uuid.UUID(request.conversation_id)
+        except ValueError:
+            # Invalid conversation_id format
+            raise HTTPException(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail={
+                    "error": "Invalid conversation ID",
+                    "message": f"Conversation ID '{request.conversation_id}' is not a valid UUID format.",
+                    "suggestion": "Provide a valid UUID or omit the conversation_id to start a new conversation."
+                }
+            )
+
+        try:
+            conversation = get_or_create_conversation(
+                db=db,
+                user_id=user_uuid,
+                conversation_id=conv_uuid
+            )
+            conversation_id = conversation.id
+        except (KeyError, ValueError) as e:
+            # Conversation may have been auto-deleted (90-day policy) or otherwise not found
+            # [From]: T035 - Handle auto-deleted conversations gracefully
+            # Create a new conversation instead of failing
+            conversation = get_or_create_conversation(
+                db=db,
+                user_id=user_uuid
+            )
+            conversation_id = conversation.id
+    else:
+        # Create new conversation using service
+        conversation = get_or_create_conversation(
+            db=db,
+            user_id=user_uuid
+        )
+        conversation_id = conversation.id
+
+    # Load conversation history using service
+    # [From]: T016 - Implement conversation history loading
+    # [From]: T060 - Add comprehensive error messages for edge cases
+    try:
+        conversation_history = load_conversation_history(
+            db=db,
+            conversation_id=conversation_id
+        )
+    except SQLAlchemyError as e:
+        error_logger.error(f"Database error loading conversation history for {conversation_id}: {e}")
+        # Continue with empty history if load fails
+        conversation_history = []
+
+    # Prepare user message for background save
+    user_message_id = uuid.uuid4()
+    user_message_data = {
+        "id": user_message_id,
+        "conversation_id": conversation_id,
+        "user_id": user_uuid,
+        "role": MessageRole.USER,
+        "content": sanitized_message,
+        "created_at": datetime.utcnow()
+    }
+
+    # Add current user message to conversation history for AI processing
+    # This is critical - the agent needs the user's current message in context
+    messages_for_agent = conversation_history + [
+        {"role": "user", "content": sanitized_message}
+    ]
+
+    # Run AI agent with streaming (broadcasts WebSocket events)
+    # [From]: T014 - Initialize OpenAI Agents SDK with Gemini
+    # [From]: T072 - Use streaming agent for real-time progress
+    # [From]: T060 - Add comprehensive error messages for edge cases
+    try:
+        ai_response_text = await run_agent_with_streaming(
+            messages=messages_for_agent,
+            user_id=user_id
+        )
+    except ValueError as e:
+        # Configuration errors (missing API key, invalid model)
+        # [From]: T022 - Add error handling for Gemini API unavailability
+        error_logger.error(f"AI configuration error for user {user_id}: {e}")
+        raise HTTPException(
+            status_code=status.HTTP_503_SERVICE_UNAVAILABLE,
+            detail={
+                "error": "AI service configuration error",
+                "message": str(e),
+                "suggestion": "Verify GEMINI_API_KEY and GEMINI_MODEL are correctly configured."
+            }
+        )
+    except ConnectionError as e:
+        # Network/connection issues
+        # [From]: T022 - Add error handling for Gemini API unavailability
+        error_logger.error(f"AI connection error for user {user_id}: {e}")
+        raise HTTPException(
+            status_code=status.HTTP_503_SERVICE_UNAVAILABLE,
+            detail={
+                "error": "AI service unreachable",
+                "message": "Could not connect to the AI service. Please check your network connection.",
+                "suggestion": "If the problem persists, the AI service may be temporarily down."
+            }
+        )
+    except TimeoutError as e:
+        # Timeout errors
+        # [From]: T022 - Add error handling for Gemini API unavailability
+        error_logger.error(f"AI timeout error for user {user_id}: {e}")
+        raise HTTPException(
+            status_code=status.HTTP_504_GATEWAY_TIMEOUT,
+            detail={
+                "error": "AI service timeout",
+                "message": "The AI service took too long to respond. Please try again.",
+                "suggestion": "Your message may be too complex. Try breaking it into smaller requests."
+            }
+        )
+    except Exception as e:
+        # Other errors (rate limits, authentication, context, etc.)
+        # [From]: T022 - Add error handling for Gemini API unavailability
+        error_logger.error(f"Unexpected AI error for user {user_id}: {type(e).__name__}: {e}")
+        raise HTTPException(
+            status_code=status.HTTP_503_SERVICE_UNAVAILABLE,
+            detail={
+                "error": "AI service error",
+                "message": f"An unexpected error occurred: {str(e)}",
+                "suggestion": "Please try again later or contact support if the problem persists."
+            }
+        )
+
+    # Prepare AI response for background save
+    ai_message_data = {
+        "id": uuid.uuid4(),
+        "conversation_id": conversation_id,
+        "user_id": user_uuid,
+        "role": MessageRole.ASSISTANT,
+        "content": ai_response_text,
+        "created_at": datetime.utcnow()
+    }
+
+    # Save messages to DB in background (non-blocking)
+    # This significantly improves response time
+    def save_messages_to_db():
+        """Background task to save messages to database."""
+        try:
+            from core.database import engine
+            from sqlmodel import Session
+
+            # Create a new session for background task
+            bg_db = Session(engine)
+
+            try:
+                # Save user message
+                user_msg = Message(**user_message_data)
+                bg_db.add(user_msg)
+
+                # Save AI response
+                ai_msg = Message(**ai_message_data)
+                bg_db.add(ai_msg)
+
+                bg_db.commit()
+
+                # Update conversation timestamp
+                try:
+                    update_conversation_timestamp(db=bg_db, conversation_id=conversation_id)
+                except SQLAlchemyError as e:
+                    error_logger.error(f"Database error updating conversation timestamp for {conversation_id}: {e}")
+
+            except SQLAlchemyError as e:
+                error_logger.error(f"Background task: Database error saving messages for user {user_id}: {e}")
+                bg_db.rollback()
+            finally:
+                bg_db.close()
+        except Exception as e:
+            error_logger.error(f"Background task: Unexpected error saving messages for user {user_id}: {e}")
+
+    background_tasks.add_task(save_messages_to_db)
+
+    # TODO: Parse AI response for task references
+    # This will be enhanced in future tasks to extract task IDs from AI responses
+    task_references: list[TaskReference] = []
+
+    return ChatResponse(
+        response=ai_response_text,
+        conversation_id=str(conversation_id),
+        tasks=task_references
+    )
+
+
+@router.websocket("/ws/{user_id}/chat")
+async def websocket_chat(
+    websocket: WebSocket,
+    user_id: str,
+    db: Session = Depends(get_db)
+):
+    """WebSocket endpoint for real-time chat progress updates.
+
+    [From]: specs/004-ai-chatbot/research.md - Section 4
+    [Task]: T071
+
+    This endpoint provides a WebSocket connection for receiving real-time
+    progress events during AI agent execution. Events include:
+    - connection_established: Confirmation of successful connection
+    - agent_thinking: AI agent is processing
+    - tool_starting: A tool is about to execute
+    - tool_progress: Tool execution progress (e.g., "Found 3 tasks")
+    - tool_complete: Tool finished successfully
+    - tool_error: Tool execution failed
+    - agent_done: AI agent finished processing
+
+    Note: Authentication is handled implicitly by the frontend - users must
+    be logged in to access the chat page. The WebSocket only broadcasts
+    progress updates (not sensitive data), so strict auth is bypassed here.
+
+    Connection URL format:
+        ws://localhost:8000/ws/{user_id}/chat
+
+    Args:
+        websocket: The WebSocket connection instance
+        user_id: User ID from URL path (used to route progress events)
+        db: Database session (for any future DB operations)
+
+    The connection is kept alive and can receive messages from the client,
+    though currently it's primarily used for server-to-client progress updates.
+    """
+    # Connect the WebSocket (manager handles accept)
+    # [From]: specs/004-ai-chatbot/research.md - Section 4
+    await manager.connect(user_id, websocket)
+
+    try:
+        # Keep connection alive and listen for client messages
+        # Currently, we don't expect many client messages, but we
+        # maintain the connection to receive any control messages
+        while True:
+            # Wait for message from client (with timeout)
+            data = await websocket.receive_text()
+
+            # Handle client messages if needed
+            # For now, we just acknowledge receipt
+            # Future: could handle ping/pong for connection health
+            if data:
+                # Echo back a simple acknowledgment
+                # (optional - mainly for debugging)
+                pass
+
+    except WebSocketDisconnect:
+        # Normal disconnect - clean up
+        manager.disconnect(user_id, websocket)
+        error_logger.info(f"WebSocket disconnected normally for user {user_id}")
+
+    except Exception as e:
+        # Unexpected error - clean up and log
+        error_logger.error(f"WebSocket error for user {user_id}: {e}")
+        manager.disconnect(user_id, websocket)
+
+    finally:
+        # Ensure disconnect is always called
+        manager.disconnect(user_id, websocket)

config.py

@@ -0,0 +1,54 @@
+"""Application configuration and settings.
+
+[Task]: T009
+[From]: specs/001-user-auth/plan.md
+
+[Task]: T003
+[From]: specs/004-ai-chatbot/plan.md
+"""
+import os
+from pydantic_settings import BaseSettings, SettingsConfigDict
+from functools import lru_cache
+
+
+class Settings(BaseSettings):
+    """Application settings loaded from environment variables."""
+
+    # Database
+    database_url: str
+
+    # JWT
+    jwt_secret: str
+    jwt_algorithm: str = "HS256"
+    jwt_expiration_days: int = 7
+
+    # CORS
+    frontend_url: str
+
+    # Environment
+    environment: str = "development"
+
+    # Gemini API (Phase III: AI Chatbot)
+    gemini_api_key: str | None = None  # Optional for migration/setup
+    gemini_model: str = "gemini-2.0-flash-exp"
+
+    model_config = SettingsConfigDict(
+        env_file=".env",
+        case_sensitive=False,
+        # Support legacy Better Auth environment variables
+        env_prefix="",
+        extra="ignore"
+    )
+
+
+@lru_cache()
+def get_settings() -> Settings:
+    """Get cached settings instance.
+
+    Returns:
+        Settings: Application settings
+
+    Raises:
+        ValueError: If required environment variables are not set
+    """
+    return Settings()

conversation.py

@@ -0,0 +1,31 @@
+"""Conversation model for AI chatbot.
+
+[Task]: T005
+[From]: specs/004-ai-chatbot/plan.md
+"""
+import uuid
+from datetime import datetime
+from typing import Optional
+from sqlmodel import Field, SQLModel
+from sqlalchemy import Column, DateTime
+
+
+class Conversation(SQLModel, table=True):
+    """Conversation model representing a chat session.
+
+    A conversation groups multiple messages between a user and the AI assistant.
+    Conversations persist indefinitely (until 90-day auto-deletion).
+    """
+
+    __tablename__ = "conversation"
+
+    id: uuid.UUID = Field(default_factory=uuid.uuid4, primary_key=True)
+    user_id: uuid.UUID = Field(foreign_key="users.id", index=True)
+    created_at: datetime = Field(
+        default_factory=datetime.utcnow,
+        sa_column=Column(DateTime(timezone=True), nullable=False)
+    )
+    updated_at: datetime = Field(
+        default_factory=datetime.utcnow,
+        sa_column=Column(DateTime(timezone=True), nullable=False)
+    )

database.py

@@ -0,0 +1,92 @@
+"""Database connection and session management.
+
+[Task]: T010
+[From]: specs/001-user-auth/plan.md
+
+[Task]: T004
+[From]: specs/004-ai-chatbot/plan.md
+"""
+from sqlmodel import create_engine, Session
+from typing import Generator
+
+from core.config import get_settings
+
+settings = get_settings()
+
+# Create database engine with connection pooling
+# Optimized for conversation/message table queries in Phase III
+# SQLite doesn't support connection pooling, so we conditionally apply parameters
+is_sqlite = settings.database_url.startswith("sqlite:")
+is_postgresql = settings.database_url.startswith("postgresql:") or settings.database_url.startswith("postgres://")
+
+if is_sqlite:
+    # SQLite configuration (no pooling)
+    engine = create_engine(
+        settings.database_url,
+        echo=settings.environment == "development",  # Log SQL in development
+        connect_args={"check_same_thread": False}  # Allow multithreaded access
+    )
+elif is_postgresql:
+    # PostgreSQL configuration with connection pooling
+    engine = create_engine(
+        settings.database_url,
+        echo=settings.environment == "development",  # Log SQL in development
+        pool_pre_ping=True,  # Verify connections before using
+        pool_size=10,  # Number of connections to maintain
+        max_overflow=20,  # Additional connections beyond pool_size
+        pool_recycle=3600,  # Recycle connections after 1 hour (prevents stale connections)
+        pool_timeout=30,  # Timeout for getting connection from pool
+        connect_args={
+            "connect_timeout": 10,  # Connection timeout
+        }
+    )
+else:
+    # Default configuration for other databases
+    engine = create_engine(
+        settings.database_url,
+        echo=settings.environment == "development",
+        pool_pre_ping=True
+    )
+
+
+def get_session() -> Generator[Session, None, None]:
+    """Get database session.
+
+    Yields:
+        Session: SQLModel database session
+
+    Example:
+        ```python
+        @app.get("/users")
+        def read_users(session: Session = Depends(get_session)):
+            users = session.exec(select(User)).all()
+            return users
+        ```
+    """
+    with Session(engine) as session:
+        yield session
+
+
+# Alias for compatibility with chat.py
+get_db = get_session
+
+
+def init_db():
+    """Initialize database tables.
+
+    Creates all tables defined in SQLModel models.
+    Should be called on application startup.
+    """
+    from sqlmodel import SQLModel
+    import models.user  # Import models to register them with SQLModel
+    import models.task  # Import task model
+
+    # Phase III: Import conversation and message models
+    try:
+        import models.conversation
+        import models.message
+    except ImportError:
+        # Models not yet created (Phase 2 pending)
+        pass
+
+    SQLModel.metadata.create_all(engine)

deps.py

@@ -0,0 +1,89 @@
+"""Authentication dependencies for protected routes.
+
+[Task]: T036, T037
+[From]: specs/001-user-auth/plan.md
+"""
+from typing import Optional
+from fastapi import Depends, HTTPException, status, Cookie
+from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
+from sqlmodel import Session, select
+
+from models.user import User
+from core.database import get_session
+from core.security import decode_access_token
+
+# Optional: HTTP Bearer scheme for Authorization header
+security = HTTPBearer(auto_error=False)
+
+
+async def get_current_user(
+    response: Optional[str] = None,
+    credentials: Optional[HTTPAuthorizationCredentials] = Depends(security),
+    auth_token: Optional[str] = Cookie(None),
+    session: Session = Depends(get_session)
+) -> User:
+    """Get current authenticated user from JWT token.
+
+    Extracts JWT from Authorization header or httpOnly cookie,
+    verifies signature, queries database for user.
+
+    [Task]: T036, T037
+    [From]: specs/001-user-auth/plan.md
+
+    Args:
+        credentials: HTTP Bearer credentials from Authorization header
+        auth_token: JWT token from httpOnly cookie
+        session: Database session
+
+    Returns:
+        User: Authenticated user object
+
+    Raises:
+        HTTPException 401: If token is invalid, expired, or missing
+    """
+    # Extract token from Authorization header or cookie
+    token = None
+
+    # Try Authorization header first
+    if credentials:
+        token = credentials.credentials
+
+    # If no token in header, try cookie
+    if not token and auth_token:
+        token = auth_token
+
+    if not token:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Not authenticated",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
+
+    try:
+        # Decode and verify token
+        payload = decode_access_token(token)
+        user_id = payload.get("sub")
+
+        if not user_id:
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail="Invalid token: user_id missing"
+            )
+
+        # Query user from database
+        user = session.get(User, user_id)
+        if not user:
+            raise HTTPException(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                detail="User not found"
+            )
+
+        return user
+
+    except HTTPException:
+        raise
+    except Exception as e:
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Could not validate credentials"
+        )

logging.py

@@ -0,0 +1,125 @@
+"""Clean logging configuration for development.
+
+Provides simple, readable logs for development with optional JSON mode for production.
+"""
+import logging
+import logging.config
+import sys
+from typing import Optional
+
+
+class CleanFormatter(logging.Formatter):
+    """Simple, clean formatter for readable development logs."""
+
+    # Color codes for terminal output
+    COLORS = {
+        "DEBUG": "\033[36m",      # Cyan
+        "INFO": "\033[32m",       # Green
+        "WARNING": "\033[33m",    # Yellow
+        "ERROR": "\033[31m",      # Red
+        "CRITICAL": "\033[35m",   # Magenta
+        "RESET": "\033[0m",       # Reset
+    }
+
+    def __init__(self, use_colors: bool = True):
+        """Initialize formatter.
+
+        Args:
+            use_colors: Whether to use ANSI color codes (disable for file logs)
+        """
+        self.use_colors = use_colors
+        super().__init__()
+
+    def format(self, record: logging.LogRecord) -> str:
+        """Format log record as a clean, readable string."""
+        level = record.levelname
+        module = record.name.split(".")[-1] if "." in record.name else record.name
+        message = record.getMessage()
+
+        # Build the log line
+        if self.use_colors:
+            color = self.COLORS.get(level, "")
+            reset = self.COLORS["RESET"]
+            formatted = f"{color}{level:8}{reset} {module:20} | {message}"
+        else:
+            formatted = f"{level:8} {module:20} | {message}"
+
+        # Add exception info if present
+        if record.exc_info:
+            formatted += f"\n{self.formatException(record.exc_info)}"
+
+        return formatted
+
+
+def setup_logging(
+    level: str = "INFO",
+    json_mode: bool = False,
+    quiet_sql: bool = True
+) -> None:
+    """Configure logging for the application.
+
+    Args:
+        level: Logging level (DEBUG, INFO, WARNING, ERROR, CRITICAL)
+        json_mode: Use structured JSON logging (for production)
+        quiet_sql: Suppress verbose SQL query logs
+    """
+    log_level = getattr(logging, level.upper(), logging.INFO)
+
+    # Configure root logger
+    logging.root.setLevel(log_level)
+    logging.root.handlers.clear()
+
+    # Create handler
+    handler = logging.StreamHandler(sys.stdout)
+    handler.setLevel(log_level)
+
+    # Set formatter
+    if json_mode:
+        # Import JSON formatter for production
+        import json
+        from datetime import datetime
+
+        class JSONFormatter(logging.Formatter):
+            def format(self, record):
+                log_entry = {
+                    "timestamp": datetime.utcnow().isoformat() + "Z",
+                    "level": record.levelname,
+                    "logger": record.name,
+                    "message": record.getMessage(),
+                }
+                if record.exc_info:
+                    log_entry["exception"] = self.formatException(record.exc_info)
+                return json.dumps(log_entry)
+
+        handler.setFormatter(JSONFormatter())
+    else:
+        handler.setFormatter(CleanFormatter(use_colors=True))
+
+    logging.root.addHandler(handler)
+
+    # Configure third-party loggers
+    if quiet_sql:
+        logging.getLogger("sqlalchemy.engine").setLevel(logging.WARNING)
+        logging.getLogger("sqlalchemy.pool").setLevel(logging.WARNING)
+        logging.getLogger("sqlmodel").setLevel(logging.WARNING)
+
+    logging.getLogger("uvicorn.access").setLevel(logging.WARNING)
+    logging.getLogger("uvicorn.error").setLevel(logging.ERROR)
+    logging.getLogger("fastapi").setLevel(logging.INFO)
+
+    # Log startup message (but only in non-JSON mode)
+    if not json_mode:
+        logger = logging.getLogger(__name__)
+        logger.info(f"Logging configured at {level} level")
+
+
+def get_logger(name: str) -> logging.Logger:
+    """Get a logger instance.
+
+    Args:
+        name: Logger name (typically __name__ of the module)
+
+    Returns:
+        Logger instance
+    """
+    return logging.getLogger(name)

mcp_server/tools/CLAUDE.md

@@ -3,10 +3,5 @@
 
 <!-- This section is auto-generated by claude-mem. Edit content outside the tags. -->
 
-### Jan 28, 2026
-
-| ID | Time | T | Title | Read |
-|----|------|---|-------|------|
-| #684 | 11:00 PM | 🟣 | Priority Extraction Enhanced with Comprehensive Natural Language Patterns | ~488 |
-| #677 | 10:57 PM | 🔵 | MCP Add Task Tool Implements Natural Language Task Creation | ~362 |
+*No recent activity*
 </claude-mem-context>

message.py

@@ -0,0 +1,46 @@
+"""Message model for AI chatbot.
+
+[Task]: T006
+[From]: specs/004-ai-chatbot/plan.md
+"""
+import uuid
+from datetime import datetime
+from typing import Optional
+from sqlmodel import Field, SQLModel
+from sqlalchemy import Column, DateTime, Text, String as SQLString, Index
+from enum import Enum
+
+
+class MessageRole(str, Enum):
+    """Message role enum."""
+    USER = "user"
+    ASSISTANT = "assistant"
+
+
+class Message(SQLModel, table=True):
+    """Message model representing a single message in a conversation.
+
+    Messages can be from the user or the AI assistant.
+    All messages are persisted to enable conversation history replay.
+    """
+
+    __tablename__ = "message"
+
+    id: uuid.UUID = Field(default_factory=uuid.uuid4, primary_key=True)
+    conversation_id: uuid.UUID = Field(foreign_key="conversation.id", index=True)
+    user_id: uuid.UUID = Field(foreign_key="users.id", index=True)
+    role: MessageRole = Field(default=MessageRole.USER, sa_column=Column(SQLString(10), nullable=False, index=True))
+    content: str = Field(
+        ...,
+        sa_column=Column(Text, nullable=False),
+        max_length=10000  # FR-042: Maximum message length
+    )
+    created_at: datetime = Field(
+        default_factory=datetime.utcnow,
+        sa_column=Column(DateTime(timezone=True), nullable=False, index=True)
+    )
+
+    # Table indexes for query optimization
+    __table_args__ = (
+        Index('idx_message_conversation_created', 'conversation_id', 'created_at'),
+    )

middleware.py

@@ -0,0 +1,95 @@
+"""JWT middleware for FastAPI.
+
+[Task]: T012
+[From]: specs/001-user-auth/quickstart.md
+"""
+from typing import Callable
+from fastapi import Request, HTTPException, status
+from fastapi.responses import JSONResponse
+from starlette.middleware.base import BaseHTTPMiddleware
+
+from core.security import JWTManager
+
+
+class JWTMiddleware(BaseHTTPMiddleware):
+    """JWT authentication middleware.
+
+    Validates JWT tokens for all requests except public paths.
+    Adds user_id to request.state for downstream dependency injection.
+    """
+
+    def __init__(self, app, excluded_paths: list[str] = None):
+        """Initialize JWT middleware.
+
+        Args:
+            app: FastAPI application instance
+            excluded_paths: List of paths to exclude from JWT validation
+        """
+        super().__init__(app)
+        self.excluded_paths = excluded_paths or []
+        self.public_paths = [
+            "/",
+            "/docs",
+            "/redoc",
+            "/openapi.json",
+            "/health",
+        ] + self.excluded_paths
+
+    async def dispatch(self, request: Request, call_next: Callable):
+        """Process each request with JWT validation.
+
+        Args:
+            request: Incoming HTTP request
+            call_next: Next middleware or route handler
+
+        Returns:
+            HTTP response with JWT validation applied
+
+        Raises:
+            HTTPException: If JWT validation fails
+        """
+        # Skip JWT validation for public paths
+        if request.url.path in self.public_paths:
+            return await call_next(request)
+
+        # Extract token from Authorization header OR httpOnly cookie
+        token = None
+
+        # Try Authorization header first
+        authorization = request.headers.get("Authorization")
+        if authorization:
+            try:
+                token = JWTManager.get_token_from_header(authorization)
+            except:
+                pass  # Fall through to cookie
+
+        # If no token in header, try httpOnly cookie
+        if not token:
+            auth_token = request.cookies.get("auth_token")
+            if auth_token:
+                token = auth_token
+
+        # If still no token, return 401
+        if not token:
+            return JSONResponse(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                content={"detail": "Not authenticated"},
+                headers={"WWW-Authenticate": "Bearer"},
+            )
+
+        try:
+            # Verify token and extract user_id
+            user_id = JWTManager.get_user_id_from_token(token)
+
+            # Add user_id to request state for route handlers
+            request.state.user_id = user_id
+
+            return await call_next(request)
+
+        except HTTPException as e:
+            raise e
+        except Exception as e:
+            return JSONResponse(
+                status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+                content={"detail": "Internal server error during authentication"},
+            )

migrations/CLAUDE.md

@@ -3,15 +3,5 @@
 
 <!-- This section is auto-generated by claude-mem. Edit content outside the tags. -->
 
-### Jan 18, 2026
-
-| ID | Time | T | Title | Read |
-|----|------|---|-------|------|
-| #10 | 1:51 PM | 🟣 | Implemented Phase 10 security, audit logging, database indexes, and documentation for AI chatbot | ~448 |
-
-### Jan 29, 2026
-
-| ID | Time | T | Title | Read |
-|----|------|---|-------|------|
-| #870 | 7:34 PM | 🔵 | Backend migration runner script examined | ~199 |
+*No recent activity*
 </claude-mem-context>

models/CLAUDE.md

@@ -3,25 +3,5 @@
 
 <!-- This section is auto-generated by claude-mem. Edit content outside the tags. -->
 
-### Jan 28, 2026
-
-| ID | Time | T | Title | Read |
-|----|------|---|-------|------|
-| #648 | 9:38 PM | 🔄 | Task Model Enhanced with Priority Enum and Tags Array | ~280 |
-| #647 | " | 🟣 | Task Model Extended with PriorityLevel Enum and Tags Array | ~296 |
-| #646 | " | 🟣 | Added PriorityLevel Enum to Task Model | ~311 |
-| #643 | 9:37 PM | 🔵 | Existing Task Model Already Includes Priority and Due Date Fields | ~341 |
-| #611 | 8:45 PM | 🔵 | Task Model Already Includes Priority Field with Medium Default | ~360 |
-
-### Jan 29, 2026
-
-| ID | Time | T | Title | Read |
-|----|------|---|-------|------|
-| #877 | 7:40 PM | 🔵 | Task model defines tags field with PostgreSQL ARRAY type | ~239 |
-
-### Jan 30, 2026
-
-| ID | Time | T | Title | Read |
-|----|------|---|-------|------|
-| #934 | 12:53 PM | 🔵 | Backend uses uppercase priority values (HIGH, MEDIUM, LOW) in PriorityLevel enum | ~199 |
+*No recent activity*
 </claude-mem-context>

nlp_service.py

@@ -0,0 +1,122 @@
+"""NLP service for extracting task attributes from natural language.
+
+[Task]: T029
+[From]: specs/007-intermediate-todo-features/tasks.md (User Story 2)
+
+This service provides:
+- Tag extraction from natural language ("tagged with X", "add tag Y")
+- Priority detection patterns
+- Due date parsing patterns
+"""
+from typing import List, Optional
+import re
+
+
+def extract_tags(text: str) -> List[str]:
+    """Extract tags from natural language input.
+
+    [Task]: T029, T031 - Tag extraction from natural language
+
+    Supports patterns:
+    - "tagged with X", "tags X", "tag X"
+    - "add tag X", "with tag X"
+    - "labeled X"
+    - Hashtags: "#tagname"
+
+    Args:
+        text: Natural language input text
+
+    Returns:
+        List of extracted tag names (lowercased, deduplicated)
+
+    Examples:
+        >>> extract_tags("Add task tagged with work and urgent")
+        ['work', 'urgent']
+        >>> extract_tags("Buy groceries #shopping #home")
+        ['shopping', 'home']
+        >>> extract_tags("Create task with label review")
+        ['review']
+    """
+    if not text:
+        return []
+
+    tags = set()
+    text_lower = text.lower()
+
+    # Pattern 1: Hashtag extraction
+    hashtag_pattern = r'#(\w+)'
+    hashtags = re.findall(hashtag_pattern, text)
+    tags.update(hashtags)
+
+    # Pattern 2: "tagged with X and Y" or "tags X, Y"
+    tagged_with_pattern = r'(?:tagged|tags?|labeled?)\s+(?:with\s+)?(?:[,\s]+)?(\w+(?:\s+(?:and|,)\s+\w+)*)'
+    matches = re.findall(tagged_with_pattern, text_lower)
+    for match in matches:
+        # Split by common separators
+        parts = re.split(r'\s+(?:and|,)\s+', match)
+        tags.update(parts)
+
+    # Pattern 3: "add tag X" or "with tag X"
+    add_tag_pattern = r'(?:add|with|has)\s+tag\s+(\w+)'
+    matches = re.findall(add_tag_pattern, text_lower)
+    tags.update(matches)
+
+    # Pattern 4: "label X"
+    label_pattern = r'(?:label|categorize|file\s*(?:under)?)(?:ed|s+as)?\s+(\w+)'
+    matches = re.findall(label_pattern, text_lower)
+    tags.update(matches)
+
+    # Filter out common non-tag words
+    excluded_words = {
+        'a', 'an', 'the', 'with', 'for', 'and', 'or', 'but', 'not',
+        'this', 'that', 'to', 'of', 'in', 'on', 'at', 'by', 'as', 'is',
+        'are', 'was', 'were', 'be', 'been', 'being', 'have', 'has', 'had',
+        'do', 'does', 'did', 'will', 'would', 'could', 'should', 'may',
+        'might', 'must', 'can', 'need', 'want', 'like', 'such'
+    }
+
+    filtered_tags = [tag for tag in tags if tag not in excluded_words and len(tag) > 1]
+
+    return sorted(list(filtered_tags))
+
+
+def normalize_tag_name(tag: str) -> str:
+    """Normalize tag name for consistency.
+
+    Args:
+        tag: Raw tag name from user input
+
+    Returns:
+        Normalized tag name (lowercase, trimmed, no special chars)
+    """
+    # Remove special characters except hyphens and underscores
+    normalized = re.sub(r'[^\w\s-]', '', tag)
+    # Convert to lowercase and trim
+    normalized = normalized.lower().strip()
+    # Replace spaces with hyphens for multi-word tags
+    normalized = re.sub(r'\s+', '-', normalized)
+    return normalized
+
+
+def extract_tags_from_task_data(
+    title: str,
+    description: Optional[str] = None
+) -> List[str]:
+    """Extract tags from task title and description.
+
+    Convenience function that extracts tags from both title and description.
+
+    Args:
+        title: Task title
+        description: Optional task description
+
+    Returns:
+        List of extracted and normalized tag names
+    """
+    text = title
+    if description:
+        text = f"{title} {description}"
+
+    raw_tags = extract_tags(text)
+    # Normalize each tag
+    return [normalize_tag_name(tag) for tag in raw_tags]

rate_limiter.py

@@ -0,0 +1,181 @@
+"""Rate limiting service for chat API.
+
+[Task]: T021
+[From]: specs/004-ai-chatbot/tasks.md
+
+This service enforces the 100 messages/day limit per user (NFR-011).
+"""
+import uuid
+from datetime import datetime, timedelta
+from typing import Optional
+from sqlmodel import Session, select
+from sqlalchemy import func
+
+from models.message import Message
+
+
+# Rate limit constants
+DAILY_MESSAGE_LIMIT = 100  # NFR-011: Maximum messages per user per day
+
+
+def check_rate_limit(
+    db: Session,
+    user_id: uuid.UUID
+) -> tuple[bool, int, Optional[datetime]]:
+    """Check if user has exceeded their daily message limit.
+
+    [From]: specs/004-ai-chatbot/spec.md - NFR-011
+
+    Args:
+        db: Database session (synchronous)
+        user_id: User ID to check
+
+    Returns:
+        Tuple of (allowed, remaining_count, reset_time)
+        - allowed: True if user can send message, False if limit exceeded
+        - remaining_count: Number of messages remaining today
+        - reset_time: When the limit resets (midnight UTC), or None if allowed
+
+    Example:
+        >>> allowed, remaining, reset = await check_rate_limit(db, user_id)
+        >>> if not allowed:
+        ...     print(f"Rate limited. Resets at {reset}")
+    """
+    # Calculate today's date range (UTC)
+    now = datetime.utcnow()
+    today_start = now.replace(hour=0, minute=0, second=0, microsecond=0)
+    today_end = today_start + timedelta(days=1)
+
+    # Count messages sent by user today
+    # [From]: specs/004-ai-chatbot/spec.md - NFR-011
+    # Count both user and assistant messages (all messages in conversation)
+    statement = select(func.count(Message.id)).where(
+        Message.user_id == user_id,
+        Message.created_at >= today_start,
+        Message.created_at < today_end
+    )
+
+    message_count = db.exec(statement).one() or 0
+
+    # Calculate remaining messages
+    remaining = DAILY_MESSAGE_LIMIT - message_count
+
+    if remaining <= 0:
+        # Rate limit exceeded
+        return False, 0, today_end
+    else:
+        # User can send message
+        return True, remaining - 1, None
+
+
+def record_message(
+    db: Session,
+    user_id: uuid.UUID,
+    conversation_id: uuid.UUID,
+    role: str,
+    content: str
+) -> Message:
+    """Record a message in the database (for rate limit tracking).
+
+    [From]: specs/004-ai-chatbot/plan.md - Message Persistence
+
+    Note: This function is primarily for rate limit tracking.
+    The actual message persistence should happen in the chat API endpoint
+    before AI processing (T017) and after AI response (T018).
+
+    Args:
+        db: Database session
+        user_id: User ID who sent the message
+        conversation_id: Conversation ID
+        role: Message role ("user" or "assistant")
+        content: Message content
+
+    Returns:
+        Created message object
+    """
+    message = Message(
+        id=uuid.uuid4(),
+        conversation_id=conversation_id,
+        user_id=user_id,
+        role=role,
+        content=content,
+        created_at=datetime.utcnow()
+    )
+
+    db.add(message)
+    db.commit()
+    db.refresh(message)
+
+    return message
+
+
+def get_message_count_today(
+    db: Session,
+    user_id: uuid.UUID
+) -> int:
+    """Get the number of messages sent by user today.
+
+    [From]: specs/004-ai-chatbot/spec.md - NFR-011
+
+    Args:
+        db: Database session
+        user_id: User ID to check
+
+    Returns:
+        Number of messages sent today (both user and assistant)
+    """
+    now = datetime.utcnow()
+    today_start = now.replace(hour=0, minute=0, second=0, microsecond=0)
+    today_end = today_start + timedelta(days=1)
+
+    statement = select(func.count(Message.id)).where(
+        Message.user_id == user_id,
+        Message.created_at >= today_start,
+        Message.created_at < today_end
+    )
+
+    return db.exec(statement).one() or 0
+
+
+def get_rate_limit_status(
+    db: Session,
+    user_id: uuid.UUID
+) -> dict:
+    """Get comprehensive rate limit status for a user.
+
+    [From]: specs/004-ai-chatbot/spec.md - NFR-011
+
+    Args:
+        db: Database session
+        user_id: User ID to check
+
+    Returns:
+        Dictionary with rate limit information:
+        {
+            "limit": 100,
+            "used": 45,
+            "remaining": 55,
+            "resets_at": "2025-01-16T00:00:00Z"
+        }
+    """
+    now = datetime.utcnow()
+    today_start = now.replace(hour=0, minute=0, second=0, microsecond=0)
+    today_end = today_start + timedelta(days=1)
+
+    # Count messages sent today
+    statement = select(func.count(Message.id)).where(
+        Message.user_id == user_id,
+        Message.created_at >= today_start,
+        Message.created_at < today_end
+    )
+
+    message_count = db.exec(statement).one() or 0
+
+    remaining = max(0, DAILY_MESSAGE_LIMIT - message_count)
+
+    return {
+        "limit": DAILY_MESSAGE_LIMIT,
+        "used": message_count,
+        "remaining": remaining,
+        "resets_at": today_end.isoformat() + "Z"
+    }

recurrence.py

@@ -0,0 +1,68 @@
+"""Recurrence rule model for recurring tasks.
+
+[Task]: T002
+[From]: specs/008-advanced-features/tasks.md (Phase 1)
+
+This module defines the RecurrenceRule Pydantic model used for
+defining how tasks repeat (daily, weekly, monthly).
+"""
+from datetime import datetime
+from typing import Optional, Literal
+from pydantic import BaseModel, Field
+
+
+class RecurrenceRule(BaseModel):
+    """Defines how a task repeats.
+
+    Used for creating recurring tasks that automatically generate
+    new instances when completed.
+
+    Attributes:
+        frequency: How often the task repeats (daily, weekly, monthly)
+        interval: Repeat every N periods (default: 1)
+        count: Maximum number of occurrences (max 100)
+        end_date: Stop recurring after this date
+
+    Examples:
+        Daily forever: {"frequency": "daily"}
+        Weekly: {"frequency": "weekly"}
+        Every 2 weeks: {"frequency": "weekly", "interval": 2}
+        Monthly, 10 times: {"frequency": "monthly", "count": 10}
+        Daily until Dec 31: {"frequency": "daily", "end_date": "2026-12-31"}
+    """
+
+    frequency: Literal['daily', 'weekly', 'monthly'] = Field(
+        ...,
+        description="How often the task repeats"
+    )
+
+    interval: Optional[int] = Field(
+        default=1,
+        ge=1,
+        le=365,
+        description="Repeat every N periods (max 365, e.g., 2 = every 2 days)"
+    )
+
+    count: Optional[int] = Field(
+        default=None,
+        ge=1,
+        le=100,
+        description="Maximum number of occurrences (max 100)"
+    )
+
+    end_date: Optional[datetime] = Field(
+        default=None,
+        description="Stop recurring after this date"
+    )
+
+    model_config = {
+        "json_schema_extra": {
+            "examples": [
+                {"frequency": "daily"},
+                {"frequency": "weekly"},
+                {"frequency": "weekly", "interval": 2},
+                {"frequency": "monthly", "count": 10},
+                {"frequency": "daily", "interval": 1, "count": 30},
+            ]
+        }
+    }

recurrence_service.py

@@ -0,0 +1,219 @@
+"""Recurrence service for calculating recurring task dates.
+
+[Task]: T015-T020
+[From]: specs/008-advanced-features/tasks.md (Phase 2)
+
+This service handles:
+- Calculating next occurrence dates from recurrence rules
+- Validating recurrence rule structures
+- Checking recurrence limits (100 instance max)
+- Supporting daily, weekly, monthly, and cron-based patterns
+"""
+import uuid
+from datetime import datetime, timedelta
+from typing import Optional
+from sqlalchemy import select, func
+from sqlmodel import Session
+
+from models.task import Task
+from models.recurrence import RecurrenceRule
+
+
+class RecurrenceService:
+    """Service for calculating recurring task dates."""
+
+    MAX_RECURRING_INSTANCES = 100
+
+    def __init__(self, session: Session):
+        """Initialize the recurrence service.
+
+        Args:
+            session: Database session for queries
+        """
+        self.session = session
+
+    def calculate_next_occurrence(
+        self,
+        base_date: datetime,
+        recurrence_rule: dict
+    ) -> Optional[datetime]:
+        """Calculate next due date based on recurrence pattern.
+
+        [Task]: T016-T018, T077 (cron)
+
+        Args:
+            base_date: The base date to calculate from
+            recurrence_rule: Dictionary containing recurrence rule
+
+        Returns:
+            Next due date in UTC, or None if limit reached
+
+        Raises:
+            ValueError: If recurrence rule is invalid
+        """
+        if not self.validate_recurrence_rule(recurrence_rule):
+            raise ValueError("Invalid recurrence rule")
+
+        frequency = recurrence_rule.get("frequency")
+        interval = recurrence_rule.get("interval", 1)
+
+        # For cron-based recurrence (T077)
+        if frequency == "cron" and "cron_expression" in recurrence_rule:
+            return self._calculate_from_cron(base_date, recurrence_rule["cron_expression"])
+
+        # Calculate based on frequency
+        if frequency == "daily":
+            return base_date + timedelta(days=interval)
+        elif frequency == "weekly":
+            return base_date + timedelta(weeks=interval)
+        elif frequency == "monthly":
+            return self._add_months(base_date, interval)
+        else:
+            raise ValueError(f"Unsupported frequency: {frequency}")
+
+    def _add_months(self, date: datetime, months: int) -> datetime:
+        """Add months to a date, handling edge cases.
+
+        Args:
+            date: Base date
+            months: Number of months to add
+
+        Returns:
+            New date with months added
+        """
+        # Simple implementation: add days (approximate)
+        # For precise month handling, would use dateutil.relativedelta
+        return date + timedelta(days=months * 30)
+
+    def _calculate_from_cron(self, base_date: datetime, cron_expression: str) -> Optional[datetime]:
+        """Calculate next occurrence from cron expression.
+
+        [Task]: T077
+
+        Args:
+            base_date: Base date to calculate from
+            cron_expression: Cron expression (5 fields)
+
+        Returns:
+            Next due date, or None if invalid
+
+        Note:
+            This is a simplified implementation. A full cron parser
+            would be more complex. For MVP, we support basic patterns.
+        """
+        # TODO: Implement full cron parsing
+        # For now, return None to indicate not implemented
+        return None
+
+    def validate_recurrence_rule(self, rule: dict) -> bool:
+        """Validate recurrence rule structure.
+
+        [Task]: T019
+
+        Args:
+            rule: Dictionary to validate
+
+        Returns:
+            True if valid, False otherwise
+        """
+        if not isinstance(rule, dict):
+            return False
+
+        # Check frequency
+        frequency = rule.get("frequency")
+        if frequency not in ("daily", "weekly", "monthly"):
+            return False
+
+        # Validate interval
+        interval = rule.get("interval", 1)
+        if not isinstance(interval, int) or interval < 1 or interval > 365:
+            return False
+
+        # Validate count
+        count = rule.get("count")
+        if count is not None:
+            if not isinstance(count, int) or count < 1 or count > self.MAX_RECURRING_INSTANCES:
+                return False
+
+        # Validate end_date
+        end_date = rule.get("end_date")
+        if end_date is not None:
+            if not isinstance(end_date, (datetime, str)):
+                return False
+
+        return True
+
+    def check_recurrence_limit(self, parent_task_id: uuid.UUID) -> bool:
+        """Check if recurrence limit has been reached.
+
+        [Task]: T020
+
+        Args:
+            parent_task_id: ID of the parent recurring task
+
+        Returns:
+            True if limit reached, False otherwise
+
+        Raises:
+            ValueError: If limit exceeded
+        """
+        # Count existing instances with this parent
+        count_result = self.session.exec(
+            select(func.count(Task.id))
+            .where(Task.parent_task_id == parent_task_id)
+        )
+        instance_count = count_result.one() or 0
+
+        if instance_count >= self.MAX_RECURRING_INSTANCES:
+            raise ValueError(
+                f"Recurrence limit reached: maximum {self.MAX_RECURRING_INSTANCES} instances"
+            )
+
+        return False
+
+    def should_create_next_instance(
+        self,
+        task: Task,
+        next_due_date: datetime
+    ) -> bool:
+        """Determine if next instance should be created.
+
+        Checks count and end_date limits from recurrence rule.
+
+        Args:
+            task: Current task being completed
+            next_due_date: Calculated next due date
+
+        Returns:
+            True if should create, False if limit reached
+        """
+        if not task.recurrence:
+            return False
+
+        # Get parent task ID (for instances) or use current task ID (for original)
+        parent_id = task.parent_task_id or task.id
+
+        # Check instance count limit
+        count_result = self.session.exec(
+            select(func.count(Task.id))
+            .where(Task.parent_task_id == parent_id)
+        )
+        instance_count = count_result.one() or 0
+
+        # Check count limit
+        count_limit = task.recurrence.get("count")
+        if count_limit and instance_count >= count_limit:
+            return False
+
+        # Check end_date limit
+        end_date_str = task.recurrence.get("end_date")
+        if end_date_str:
+            if isinstance(end_date_str, str):
+                end_date = datetime.fromisoformat(end_date_str)
+            else:
+                end_date = end_date_str
+
+            if next_due_date > end_date:
+                return False
+
+        return True

run_migration.py

@@ -0,0 +1,84 @@
+"""Database migration runner.
+
+[Task]: T022, T023
+[From]: specs/001-user-auth/tasks.md
+
+This script runs SQL migrations against the database.
+
+Usage:
+    uv run python migrations/run_migration.py
+"""
+import os
+import sys
+from pathlib import Path
+from sqlmodel import Session, text
+
+# Add parent directory to path for imports
+sys.path.insert(0, str(Path(__file__).parent.parent))
+
+from core.database import engine
+
+
+def run_migration(migration_file: str):
+    """Run a single SQL migration file.
+
+    Args:
+        migration_file: Name of the migration file in migrations/ directory
+    """
+    migration_path = Path(__file__).parent / migration_file
+
+    if not migration_path.exists():
+        print(f"❌ Migration file not found: {migration_path}")
+        return False
+
+    print(f"📜 Running migration: {migration_file}")
+
+    with open(migration_path, "r") as f:
+        sql = f.read()
+
+    try:
+        with Session(engine) as session:
+            # Execute the migration using text()
+            session.exec(text(sql))
+            session.commit()
+
+        print(f"✅ Migration completed successfully: {migration_file}")
+        return True
+    except Exception as e:
+        print(f"❌ Migration failed: {e}")
+        return False
+
+
+def main():
+    """Run pending migrations."""
+    # Migration files in order
+    migrations = [
+        "001_add_user_id_index.sql",
+        "002_add_conversation_and_message_tables.sql",  # Phase III: AI Chatbot
+        "003_add_due_date_and_priority_to_tasks.sql",   # Phase III: UX Improvements
+        "004_add_performance_indexes.sql",              # Phase III: UX Improvements
+        "005_add_tags_to_tasks.sql",                    # Phase VII: Intermediate Features
+        "008_add_advanced_features.sql",                # Phase VIII: Advanced Features
+    ]
+
+    print("🚀 Starting database migrations...\n")
+
+    success_count = 0
+    for migration in migrations:
+        if run_migration(migration):
+            success_count += 1
+        print()
+
+    print(f"✅ {success_count}/{len(migrations)} migrations completed successfully")
+
+    if success_count == len(migrations):
+        print("\n🎉 All migrations completed!")
+        print("\n📊 Database schema is ready for authentication.")
+        return 0
+    else:
+        print("\n⚠️  Some migrations failed. Please check the errors above.")
+        return 1
+
+
+if __name__ == "__main__":
+    sys.exit(main())

security.py

@@ -0,0 +1,276 @@
+"""Security utilities for the AI chatbot.
+
+[Task]: T057
+[From]: specs/004-ai-chatbot/tasks.md
+
+This module provides security functions including prompt injection sanitization,
+input validation, and content filtering.
+"""
+import re
+import html
+from typing import Optional, List
+
+
+# Known prompt injection patterns
+PROMPT_INJECTION_PATTERNS = [
+    # Direct instructions to ignore previous context
+    r"(?i)ignore\s+(all\s+)?(previous|above|prior)",
+    r"(?i)disregard\s+(all\s+)?(previous|above|prior)",
+    r"(?i)forget\s+(everything|all\s+instructions|previous)",
+    r"(?i)override\s+(your\s+)?programming",
+    r"(?i)new\s+(instruction|direction|rule)s?",
+    r"(?i)change\s+(your\s+)?(behavior|role|persona)",
+
+    # Jailbreak attempts
+    r"(?i)(jailbreak|jail\s*break)",
+    r"(?i)(developer|admin|root|privileged)\s+mode",
+    r"(?i)act\s+as\s+(a\s+)?(developer|admin|root)",
+    r"(?i)roleplay\s+as",
+    r"(?i)pretend\s+(to\s+be|you're)",
+    r"(?i)simulate\s+being",
+
+    # System prompt extraction
+    r"(?i)show\s+(your\s+)?(instructions|system\s+prompt|prompt)",
+    r"(?i)print\s+(your\s+)?(instructions|system\s+prompt)",
+    r"(?i)reveal\s+(your\s+)?(instructions|system\s+prompt)",
+    r"(?i)what\s+(are\s+)?your\s+instructions",
+    r"(?i)tell\s+me\s+how\s+you\s+work",
+
+    # DAN and similar jailbreaks
+    r"(?i)do\s+anything\s+now",
+    r"(?i)unrestricted\s+mode",
+    r"(?i)no\s+limitations?",
+    r"(?i)bypass\s+(safety|filters|restrictions)",
+    r"(?i)\bDAN\b",  # Do Anything Now
+]
+
+
+def sanitize_message(message: str, max_length: int = 10000) -> str:
+    """Sanitize a user message to prevent prompt injection attacks.
+
+    [From]: specs/004-ai-chatbot/spec.md - NFR-017
+
+    Args:
+        message: The raw user message
+        max_length: Maximum allowed message length
+
+    Returns:
+        Sanitized message safe for processing by AI
+
+    Raises:
+        ValueError: If message contains severe injection attempts
+    """
+    if not message:
+        return ""
+
+    # Trim to max length
+    message = message[:max_length]
+
+    # Check for severe injection patterns
+    detected = detect_prompt_injection(message)
+    if detected:
+        # For severe attacks, reject the message
+        if detected["severity"] == "high":
+            raise ValueError(
+                "This message contains content that cannot be processed. "
+                "Please rephrase your request."
+            )
+
+    # Apply sanitization
+    sanitized = _apply_sanitization(message)
+
+    return sanitized
+
+
+def detect_prompt_injection(message: str) -> Optional[dict]:
+    """Detect potential prompt injection attempts in a message.
+
+    [From]: specs/004-ai-chatbot/spec.md - NFR-017
+
+    Args:
+        message: The message to check
+
+    Returns:
+        Dictionary with detection info if injection detected, None otherwise:
+        {
+            "detected": True,
+            "severity": "low" | "medium" | "high",
+            "pattern": "matched pattern",
+            "confidence": 0.0-1.0
+        }
+    """
+    message_lower = message.lower()
+
+    for pattern in PROMPT_INJECTION_PATTERNS:
+        match = re.search(pattern, message_lower)
+
+        if match:
+            # Determine severity based on pattern type
+            severity = _get_severity_for_pattern(pattern)
+
+            # Check for context that might indicate legitimate use
+            is_legitimate = _check_legitimate_context(message, match.group())
+
+            if not is_legitimate:
+                return {
+                    "detected": True,
+                    "severity": severity,
+                    "pattern": match.group(),
+                    "confidence": 0.8
+                }
+
+    return None
+
+
+def _get_severity_for_pattern(pattern: str) -> str:
+    """Determine severity level for a matched pattern.
+
+    Args:
+        pattern: The regex pattern that matched
+
+    Returns:
+        "low", "medium", or "high"
+    """
+    pattern_lower = pattern.lower()
+
+    # High severity: direct jailbreak attempts
+    if any(word in pattern_lower for word in ["jailbreak", "dan", "unrestricted", "bypass"]):
+        return "high"
+
+    # High severity: system prompt extraction
+    if any(word in pattern_lower for word in ["show", "print", "reveal", "instructions"]):
+        return "high"
+
+    # Medium severity: role/persona manipulation
+    if any(word in pattern_lower for word in ["act as", "pretend", "roleplay", "override"]):
+        return "medium"
+
+    # Low severity: ignore instructions
+    if any(word in pattern_lower for word in ["ignore", "disregard", "forget"]):
+        return "low"
+
+    return "low"
+
+
+def _check_legitimate_context(message: str, matched_text: str) -> bool:
+    """Check if a matched pattern might be legitimate user content.
+
+    [From]: specs/004-ai-chatbot/spec.md - NFR-017
+
+    Args:
+        message: The full message
+        matched_text: The text that matched a pattern
+
+    Returns:
+        True if this appears to be legitimate context, False otherwise
+    """
+    message_lower = message.lower()
+    matched_lower = matched_text.lower()
+
+    # Check if the matched text is part of a task description (legitimate)
+    legitimate_contexts = [
+        # Common task-related phrases
+        "task to ignore",
+        "mark as complete",
+        "disregard this",
+        "role in the project",
+        "change status",
+        "update the role",
+        "priority change",
+    ]
+
+    for context in legitimate_contexts:
+        if context in message_lower:
+            return True
+
+    # Check if matched text is very short (likely false positive)
+    if len(matched_text) <= 3:
+        return True
+
+    return False
+
+
+def _apply_sanitization(message: str) -> str:
+    """Apply sanitization transformations to a message.
+
+    [From]: specs/004-ai-chatbot/spec.md - NFR-017
+
+    Args:
+        message: The message to sanitize
+
+    Returns:
+        Sanitized message
+    """
+    # Remove excessive whitespace
+    message = re.sub(r"\s+", " ", message)
+
+    # Remove control characters except newlines and tabs
+    message = re.sub(r"[\x00-\x08\x0b-\x0c\x0e-\x1f\x7f-\x9f]", "", message)
+
+    # Normalize line endings
+    message = message.replace("\r\n", "\n").replace("\r", "\n")
+
+    # Limit consecutive newlines to 2
+    message = re.sub(r"\n{3,}", "\n\n", message)
+
+    return message.strip()
+
+
+def validate_task_input(task_data: dict) -> tuple[bool, Optional[str]]:
+    """Validate task-related input for security issues.
+
+    [From]: specs/004-ai-chatbot/spec.md - NFR-017
+
+    Args:
+        task_data: Dictionary containing task fields
+
+    Returns:
+        Tuple of (is_valid, error_message)
+    """
+    if not isinstance(task_data, dict):
+        return False, "Invalid task data format"
+
+    # Check for SQL injection patterns in string fields
+    sql_patterns = [
+        r"(?i)(\bunion\b.*\bselect\b)",
+        r"(?i)(\bselect\b.*\bfrom\b)",
+        r"(?i)(\binsert\b.*\binto\b)",
+        r"(?i)(\bupdate\b.*\bset\b)",
+        r"(?i)(\bdelete\b.*\bfrom\b)",
+        r"(?i)(\bdrop\b.*\btable\b)",
+        r";\s*(union|select|insert|update|delete|drop)",
+    ]
+
+    for key, value in task_data.items():
+        if isinstance(value, str):
+            for pattern in sql_patterns:
+                if re.search(pattern, value):
+                    return False, f"Invalid characters in {key}"
+
+            # Check for script injection
+            if re.search(r"<script[^>]*>.*?</script>", value, re.IGNORECASE):
+                return False, f"Invalid content in {key}"
+
+    return True, None
+
+
+def sanitize_html_content(content: str) -> str:
+    """Sanitize HTML content by escaping potentially dangerous elements.
+
+    [From]: specs/004-ai-chatbot/spec.md - NFR-017
+
+    Args:
+        content: Content that may contain HTML
+
+    Returns:
+        Escaped HTML string
+    """
+    return html.escape(content, quote=False)
+
+
+__all__ = [
+    "sanitize_message",
+    "detect_prompt_injection",
+    "validate_task_input",
+    "sanitize_html_content",
+]

server.py

@@ -0,0 +1,58 @@
+"""Tool registry for AI agent.
+
+[Task]: T009
+[From]: specs/004-ai-chatbot/plan.md
+
+This module provides a simple registry for tools that the AI agent can use.
+Note: We're using OpenAI Agents SDK's built-in tool calling mechanism,
+not the full Model Context Protocol server.
+"""
+from typing import Any, Callable, Dict
+import logging
+
+logger = logging.getLogger(__name__)
+
+# Tool registry - maps tool names to their functions
+tool_registry: Dict[str, Callable] = {}
+
+
+def register_tool(name: str, func: Callable) -> None:
+    """Register a tool function.
+
+    Args:
+        name: Tool name
+        func: Tool function (async)
+    """
+    tool_registry[name] = func
+    logger.info(f"Registered tool: {name}")
+
+
+def get_tool(name: str) -> Callable:
+    """Get a registered tool by name.
+
+    Args:
+        name: Tool name
+
+    Returns:
+        The tool function
+
+    Raises:
+        ValueError: If tool not found
+    """
+    if name not in tool_registry:
+        raise ValueError(f"Tool '{name}' not found. Available tools: {list(tool_registry.keys())}")
+    return tool_registry[name]
+
+
+def list_tools() -> list[str]:
+    """List all registered tools.
+
+    Returns:
+        List of tool names
+    """
+    return list(tool_registry.keys())
+
+
+# Note: Tools are registered in the tools/__init__.py module
+# The OpenAI Agents SDK will call these functions directly
+# based on the agent's instructions and user input

services/CLAUDE.md

@@ -3,15 +3,5 @@
 
 <!-- This section is auto-generated by claude-mem. Edit content outside the tags. -->
 
-### Jan 28, 2026
-
-| ID | Time | T | Title | Read |
-|----|------|---|-------|------|
-| #708 | 11:21 PM | 🟣 | NLP Service Created for Tag Extraction | ~342 |
-
-### Jan 29, 2026
-
-| ID | Time | T | Title | Read |
-|----|------|---|-------|------|
-| #832 | 5:12 PM | 🔵 | Project Continuation Context Established | ~170 |
+*No recent activity*
 </claude-mem-context>

task.py

@@ -0,0 +1,237 @@
+"""Task model and related I/O classes."""
+import uuid
+from datetime import datetime, timezone
+from enum import Enum
+from typing import Optional
+from sqlmodel import Field, SQLModel, Column
+from pydantic import field_validator
+from sqlalchemy import ARRAY, String, JSON
+
+
+class PriorityLevel(str, Enum):
+    """Task priority levels.
+
+    Defines the three priority levels for tasks:
+    - HIGH: Urgent tasks that need immediate attention
+    - MEDIUM: Default priority for normal tasks
+    - LOW: Optional tasks that can be done whenever
+    """
+    HIGH = "HIGH"
+    MEDIUM = "MEDIUM"
+    LOW = "LOW"
+
+
+class Task(SQLModel, table=True):
+    """Database table model for Task entity."""
+
+    __tablename__ = "tasks"
+
+    id: uuid.UUID = Field(
+        default_factory=uuid.uuid4,
+        primary_key=True,
+        index=True
+    )
+    user_id: uuid.UUID = Field(
+        foreign_key="users.id",
+        index=True
+    )
+    title: str = Field(max_length=255)
+    description: Optional[str] = Field(
+        default=None,
+        max_length=2000
+    )
+    priority: PriorityLevel = Field(
+        default=PriorityLevel.MEDIUM,
+        max_length=10
+    )
+    tags: list[str] = Field(
+        default=[],
+        sa_column=Column(ARRAY(String), nullable=False),  # PostgreSQL TEXT[] type
+    )
+    due_date: Optional[datetime] = Field(
+        default=None,
+        index=True
+    )
+    # Reminder fields (T003-T004)
+    reminder_offset: Optional[int] = Field(
+        default=None,
+        description="Minutes before due_date to send notification (0 = at due time)"
+    )
+    reminder_sent: bool = Field(
+        default=False,
+        description="Whether notification has been sent for this task"
+    )
+    # Recurrence fields (T005-T006)
+    recurrence: Optional[dict] = Field(
+        default=None,
+        sa_column=Column(JSON, nullable=True),
+        description="Recurrence rule as JSONB (frequency, interval, count, end_date)"
+    )
+    parent_task_id: Optional[uuid.UUID] = Field(
+        default=None,
+        foreign_key="tasks.id",
+        description="For recurring task instances, links to the original task"
+    )
+    completed: bool = Field(default=False)
+    created_at: datetime = Field(
+        default_factory=datetime.utcnow
+    )
+    updated_at: datetime = Field(
+        default_factory=datetime.utcnow
+    )
+
+
+class TaskCreate(SQLModel):
+    """Request model for creating a task.
+
+    Validates input data when creating a new task.
+    """
+    title: str = Field(min_length=1, max_length=255)
+    description: Optional[str] = Field(default=None, max_length=2000)
+    priority: str = Field(default="MEDIUM")
+    tags: list[str] = Field(default=[])
+    due_date: Optional[datetime] = None
+    # Advanced features fields (T007)
+    reminder_offset: Optional[int] = Field(default=None, ge=0)
+    recurrence: Optional[dict] = Field(default=None)
+    completed: bool = False
+
+    @field_validator('priority')
+    @classmethod
+    def normalize_priority(cls, v: str) -> str:
+        """Normalize priority to uppercase."""
+        if isinstance(v, str):
+            v = v.upper()
+        # Validate against enum values
+        valid_values = {e.value for e in PriorityLevel}
+        if v not in valid_values:
+            raise ValueError(f"priority must be one of {valid_values}")
+        return v
+
+    @field_validator('tags')
+    @classmethod
+    def validate_tags(cls, v: list[str]) -> list[str]:
+        """Validate tags: max 50 characters per tag, remove duplicates."""
+        validated = []
+        seen = set()
+        for tag in v:
+            if len(tag) > 50:
+                raise ValueError(f"Tag '{tag[:20]}...' exceeds maximum length of 50 characters")
+            # Normalize tag: lowercase and strip whitespace
+            normalized = tag.strip().lower()
+            if not normalized:
+                continue
+            if normalized not in seen:
+                seen.add(normalized)
+                validated.append(normalized)
+        return validated
+
+    @field_validator('due_date')
+    @classmethod
+    def validate_due_date(cls, v: Optional[datetime]) -> Optional[datetime]:
+        """Validate due date is not more than 10 years in the past."""
+        if v is not None:
+            # Normalize to UTC timezone-aware datetime for comparison
+            now = datetime.now(timezone.utc)
+            if v.tzinfo is None:
+                # If input is naive, assume it's UTC
+                v = v.replace(tzinfo=timezone.utc)
+            else:
+                # Convert to UTC
+                v = v.astimezone(timezone.utc)
+
+            # Allow dates up to 10 years in the past (for historical tasks)
+            min_date = now.replace(year=now.year - 10)
+            if v < min_date:
+                raise ValueError("Due date cannot be more than 10 years in the past")
+        return v
+
+
+class TaskUpdate(SQLModel):
+    """Request model for updating a task.
+
+    All fields are optional - only provided fields will be updated.
+    """
+    title: Optional[str] = Field(default=None, min_length=1, max_length=255)
+    description: Optional[str] = Field(default=None, max_length=2000)
+    priority: Optional[str] = None
+    tags: Optional[list[str]] = None
+    due_date: Optional[datetime] = None
+    # Advanced features fields (T008)
+    reminder_offset: Optional[int] = Field(default=None, ge=0)
+    recurrence: Optional[dict] = None
+    completed: Optional[bool] = None
+
+    @field_validator('priority')
+    @classmethod
+    def normalize_priority(cls, v: Optional[str]) -> Optional[str]:
+        """Normalize priority to uppercase."""
+        if v is not None and isinstance(v, str):
+            v = v.upper()
+            # Validate against enum values
+            valid_values = {e.value for e in PriorityLevel}
+            if v not in valid_values:
+                raise ValueError(f"priority must be one of {valid_values}")
+        return v
+
+    @field_validator('tags')
+    @classmethod
+    def validate_tags(cls, v: Optional[list[str]]) -> Optional[list[str]]:
+        """Validate tags: max 50 characters per tag, remove duplicates."""
+        if v is None:
+            return v
+        validated = []
+        seen = set()
+        for tag in v:
+            if len(tag) > 50:
+                raise ValueError(f"Tag '{tag[:20]}...' exceeds maximum length of 50 characters")
+            # Normalize tag: lowercase and strip whitespace
+            normalized = tag.strip().lower()
+            if not normalized:
+                continue
+            if normalized not in seen:
+                seen.add(normalized)
+                validated.append(normalized)
+        return validated
+
+    @field_validator('due_date')
+    @classmethod
+    def validate_due_date(cls, v: Optional[datetime]) -> Optional[datetime]:
+        """Validate due date is not more than 10 years in the past."""
+        if v is not None:
+            # Normalize to UTC timezone-aware datetime for comparison
+            now = datetime.now(timezone.utc)
+            if v.tzinfo is None:
+                # If input is naive, assume it's UTC
+                v = v.replace(tzinfo=timezone.utc)
+            else:
+                # Convert to UTC
+                v = v.astimezone(timezone.utc)
+
+            # Allow dates up to 10 years in the past (for historical tasks)
+            min_date = now.replace(year=now.year - 10)
+            if v < min_date:
+                raise ValueError("Due date cannot be more than 10 years in the past")
+        return v
+
+
+class TaskRead(SQLModel):
+    """Response model for task data.
+
+    Used for serializing task data in API responses.
+    """
+    id: uuid.UUID
+    user_id: uuid.UUID
+    title: str
+    description: Optional[str] | None
+    priority: PriorityLevel
+    tags: list[str]
+    due_date: Optional[datetime] | None
+    # Advanced features fields (T009)
+    reminder_offset: Optional[int] | None
+    reminder_sent: bool
+    recurrence: Optional[dict] | None
+    parent_task_id: Optional[uuid.UUID] | None
+    completed: bool
+    created_at: datetime
+    updated_at: datetime

tasks.py

@@ -0,0 +1,532 @@
+"""Task CRUD API endpoints with JWT authentication.
+
+[Task]: T053-T059, T043, T065-T067
+[From]: specs/001-user-auth/tasks.md (User Story 3), specs/007-intermediate-todo-features/tasks.md (User Story 4)
+
+Implements all task management operations with JWT-based authentication:
+- Create task with validation
+- List tasks with filtering (status, priority, tags, due_date) [T043]
+- Get task by ID
+- Update task with validation
+- Delete task
+- Toggle completion status
+- Search tasks (User Story 3)
+- List tags
+
+All endpoints require valid JWT token. user_id is extracted from JWT claims.
+"""
+import uuid
+from datetime import datetime, timedelta
+from typing import Annotated, List, Optional
+from zoneinfo import ZoneInfo
+from fastapi import APIRouter, HTTPException, Query
+from sqlmodel import Session, select
+from pydantic import BaseModel
+from sqlalchemy import func, and_, any_
+
+from core.deps import SessionDep, CurrentUserDep
+from models.task import Task, TaskCreate, TaskUpdate, TaskRead
+
+# Create API router (user_id removed - now from JWT)
+router = APIRouter(prefix="/api/tasks", tags=["tasks"])
+
+
+# Response models
+class TaskListResponse(BaseModel):
+    """Response model for task list with pagination."""
+    tasks: list[TaskRead]
+    total: int
+    offset: int
+    limit: int
+
+
+class TagInfo(BaseModel):
+    """Tag information with usage count."""
+    name: str
+    count: int
+
+
+class TagsListResponse(BaseModel):
+    """Response model for tags list."""
+    tags: list[TagInfo]
+
+
+class TaskSearchResponse(BaseModel):
+    """Response model for task search results."""
+    tasks: list[TaskRead]
+    total: int
+    page: int
+    limit: int
+    query: str
+
+
+# Routes - IMPORTANT: Static routes MUST come before dynamic path parameters
+# This ensures /tags and /search are matched before /{task_id}
+
+
+@router.post("", response_model=TaskRead, status_code=201)
+def create_task(
+    task: TaskCreate,
+    session: SessionDep,
+    user_id: CurrentUserDep
+):
+    """Create a new task for the authenticated user."""
+    # Convert priority string to PriorityLevel enum (handles both upper/lowercase input)
+    priority_enum = PriorityLevel(task.priority.upper()) if isinstance(task.priority, str) else task.priority
+
+    db_task = Task(
+        user_id=user_id,
+        title=task.title,
+        description=task.description,
+        priority=priority_enum,
+        tags=task.tags,
+        due_date=task.due_date,
+        completed=task.completed,
+        reminder_offset=task.reminder_offset,  # [T043] Add reminder_offset support
+        reminder_sent=False  # Initialize reminder_sent to False
+    )
+    session.add(db_task)
+    session.commit()
+    session.refresh(db_task)
+    return db_task
+
+
+@router.get("", response_model=TaskListResponse)
+def list_tasks(
+    session: SessionDep,
+    user_id: CurrentUserDep,
+    offset: int = 0,
+    limit: Annotated[int, Query(le=100)] = 50,
+    completed: bool | None = None,
+    priority: str | None = None,
+    tags: Annotated[List[str] | None, Query()] = None,
+    due_date: str | None = None,
+    due_before: str | None = None,  # [T028] Add due_before filter
+    due_after: str | None = None,   # [T028] Add due_after filter
+    timezone: str = "UTC",
+    sort_by: str | None = None,
+    sort_order: str = "asc",
+):
+    """List all tasks for the authenticated user with pagination and filtering."""
+    count_statement = select(func.count(Task.id)).where(Task.user_id == user_id)
+    statement = select(Task).where(Task.user_id == user_id)
+
+    if completed is not None:
+        count_statement = count_statement.where(Task.completed == completed)
+        statement = statement.where(Task.completed == completed)
+
+    if priority is not None:
+        count_statement = count_statement.where(Task.priority == priority)
+        statement = statement.where(Task.priority == priority)
+
+    if tags and len(tags) > 0:
+        for tag in tags:
+            # Use PostgreSQL ANY operator: tag = ANY(tags)
+            count_statement = count_statement.where(tag == any_(Task.tags))
+            statement = statement.where(tag == any_(Task.tags))
+
+    # [T028] Add due_before and due_after filters
+    if due_before:
+        try:
+            due_before_dt = datetime.fromisoformat(due_before)
+            count_statement = count_statement.where(Task.due_date <= due_before_dt)
+            statement = statement.where(Task.due_date <= due_before_dt)
+        except ValueError:
+            pass  # Invalid date format, ignore filter
+
+    if due_after:
+        try:
+            due_after_dt = datetime.fromisoformat(due_after)
+            count_statement = count_statement.where(Task.due_date >= due_after_dt)
+            statement = statement.where(Task.due_date >= due_after_dt)
+        except ValueError:
+            pass  # Invalid date format, ignore filter
+
+    if due_date:
+        try:
+            user_tz = ZoneInfo(timezone)
+            now_utc = datetime.now(ZoneInfo("UTC"))
+            now_user = now_utc.astimezone(user_tz)
+            today_start = now_user.replace(hour=0, minute=0, second=0, microsecond=0)
+            today_end = today_start + timedelta(days=1)
+
+            if due_date == "overdue":
+                today_start_utc = today_start.astimezone(ZoneInfo("UTC"))
+                count_statement = count_statement.where(
+                    and_(Task.due_date < today_start_utc, Task.completed == False)
+                )
+                statement = statement.where(
+                    and_(Task.due_date < today_start_utc, Task.completed == False)
+                )
+            elif due_date == "today":
+                today_start_utc = today_start.astimezone(ZoneInfo("UTC"))
+                today_end_utc = today_end.astimezone(ZoneInfo("UTC"))
+                count_statement = count_statement.where(
+                    and_(Task.due_date >= today_start_utc, Task.due_date < today_end_utc)
+                )
+                statement = statement.where(
+                    and_(Task.due_date >= today_start_utc, Task.due_date < today_end_utc)
+                )
+            elif due_date == "week":
+                week_end_utc = (today_start + timedelta(days=7)).astimezone(ZoneInfo("UTC"))
+                today_start_utc = today_start.astimezone(ZoneInfo("UTC"))
+                count_statement = count_statement.where(
+                    and_(Task.due_date >= today_start_utc, Task.due_date < week_end_utc)
+                )
+                statement = statement.where(
+                    and_(Task.due_date >= today_start_utc, Task.due_date < week_end_utc)
+                )
+            elif due_date == "month":
+                month_end_utc = (today_start + timedelta(days=30)).astimezone(ZoneInfo("UTC"))
+                today_start_utc = today_start.astimezone(ZoneInfo("UTC"))
+                count_statement = count_statement.where(
+                    and_(Task.due_date >= today_start_utc, Task.due_date < month_end_utc)
+                )
+                statement = statement.where(
+                    and_(Task.due_date >= today_start_utc, Task.due_date < month_end_utc)
+                )
+        except Exception:
+            pass
+
+    total = session.exec(count_statement).one()
+
+    if sort_by == "due_date":
+        if sort_order == "asc":
+            statement = statement.order_by(Task.due_date.asc().nulls_last())
+        else:
+            statement = statement.order_by(Task.due_date.desc().nulls_last())
+    elif sort_by == "priority":
+        from sqlalchemy import case
+        priority_case = case(
+            *[(Task.priority == k, i) for i, k in enumerate(["high", "medium", "low"])],
+            else_=3
+        )
+        if sort_order == "asc":
+            statement = statement.order_by(priority_case.asc())
+        else:
+            statement = statement.order_by(priority_case.desc())
+    elif sort_by == "title":
+        if sort_order == "asc":
+            statement = statement.order_by(Task.title.asc())
+        else:
+            statement = statement.order_by(Task.title.desc())
+    else:
+        if sort_order == "asc":
+            statement = statement.order_by(Task.created_at.asc())
+        else:
+            statement = statement.order_by(Task.created_at.desc())
+
+    statement = statement.offset(offset).limit(limit)
+    tasks = session.exec(statement).all()
+
+    return TaskListResponse(
+        tasks=[TaskRead.model_validate(task) for task in tasks],
+        total=total,
+        offset=offset,
+        limit=limit
+    )
+
+
+@router.get("/tags", response_model=TagsListResponse)
+def list_tags(
+    session: SessionDep,
+    user_id: CurrentUserDep
+):
+    """Get all unique tags for the authenticated user with usage counts."""
+    from sqlalchemy import text
+
+    query = text("""
+        SELECT unnest(tags) as tag, COUNT(*) as count
+        FROM tasks
+        WHERE user_id = :user_id
+        AND tags != '{}'
+        GROUP BY tag
+        ORDER BY count DESC, tag ASC
+    """)
+
+    result = session.exec(query.params(user_id=str(user_id)))
+    tags = [TagInfo(name=row[0], count=row[1]) for row in result]
+    return TagsListResponse(tags=tags)
+
+
+@router.get("/search", response_model=TaskSearchResponse)
+def search_tasks(
+    session: SessionDep,
+    user_id: CurrentUserDep,
+    q: Annotated[str, Query(min_length=1, max_length=200)] = "",
+    page: int = 1,
+    limit: Annotated[int, Query(le=100)] = 20,
+):
+    """Search tasks by keyword in title and description."""
+    if not q:
+        raise HTTPException(status_code=400, detail="Search query parameter 'q' is required")
+
+    search_pattern = f"%{q}%"
+
+    count_statement = select(func.count(Task.id)).where(
+        (Task.user_id == user_id) &
+        (Task.title.ilike(search_pattern) | Task.description.ilike(search_pattern))
+    )
+    total = session.exec(count_statement).one()
+
+    offset = (page - 1) * limit
+    statement = select(Task).where(
+        (Task.user_id == user_id) &
+        (Task.title.ilike(search_pattern) | Task.description.ilike(search_pattern))
+    )
+    statement = statement.offset(offset).limit(limit)
+    statement = statement.order_by(Task.created_at.desc())
+
+    tasks = session.exec(statement).all()
+
+    return TaskSearchResponse(
+        tasks=[TaskRead.model_validate(task) for task in tasks],
+        total=total,
+        page=page,
+        limit=limit,
+        query=q
+    )
+
+
+@router.get("/{task_id}", response_model=TaskRead)
+def get_task(
+    task_id: uuid.UUID,
+    session: SessionDep,
+    user_id: CurrentUserDep
+):
+    """Get a specific task by ID."""
+    task = session.get(Task, task_id)
+    if not task or task.user_id != user_id:
+        raise HTTPException(status_code=404, detail="Task not found")
+    return task
+
+
+@router.put("/{task_id}", response_model=TaskRead)
+def update_task(
+    task_id: uuid.UUID,
+    task_update: TaskUpdate,
+    session: SessionDep,
+    user_id: CurrentUserDep
+):
+    """Update an existing task."""
+    task = session.get(Task, task_id)
+    if not task or task.user_id != user_id:
+        raise HTTPException(status_code=404, detail="Task not found")
+
+    task_data = task_update.model_dump(exclude_unset=True)
+    for key, value in task_data.items():
+        # Convert priority string to PriorityLevel enum
+        if key == "priority" and isinstance(value, str):
+            value = PriorityLevel(value.upper())
+        setattr(task, key, value)
+
+    task.updated_at = datetime.utcnow()
+    session.add(task)
+    session.commit()
+    session.refresh(task)
+    return task
+
+
+@router.delete("/{task_id}")
+def delete_task(
+    task_id: uuid.UUID,
+    session: SessionDep,
+    user_id: CurrentUserDep
+):
+    """Delete a task."""
+    task = session.get(Task, task_id)
+    if not task or task.user_id != user_id:
+        raise HTTPException(status_code=404, detail="Task not found")
+
+    session.delete(task)
+    session.commit()
+    return {"ok": True}
+
+
+@router.patch("/{task_id}/complete", response_model=TaskRead)
+def toggle_complete(
+    task_id: uuid.UUID,
+    session: SessionDep,
+    user_id: CurrentUserDep
+):
+    """Toggle task completion status and create next instance for recurring tasks.
+
+    [Task]: T062-T065
+    [From]: specs/008-advanced-features/tasks.md (User Story 3)
+
+    When completing a recurring task:
+    - T063: Checks if recurrence limit (count/end_date) is reached
+    - T064: Handles count limit
+    - T065: Handles end_date limit
+    - Creates next instance if limits not reached
+    """
+    task = session.get(Task, task_id)
+    if not task or task.user_id != user_id:
+        raise HTTPException(status_code=404, detail="Task not found")
+
+    is_completing = not task.completed
+    task.completed = is_completing
+    task.updated_at = datetime.utcnow()
+    session.add(task)
+    session.commit()
+
+    # [T062] Create next instance for recurring tasks when completing
+    if is_completing and task.recurrence and task.due_date:
+        from services.recurrence_service import RecurrenceService
+
+        recurrence_service = RecurrenceService()
+
+        # Parse recurrence rule
+        recurrence_dict = task.recurrence if isinstance(task.recurrence, dict) else {"frequency": task.recurrence}
+        if not isinstance(recurrence_dict, dict):
+            recurrence_dict = {"frequency": str(task.recurrence)}
+
+        # [T063] Check if we should create the next instance
+        should_create_next = True
+        current_count = 0
+
+        # Count existing instances (tasks with same parent_task_id)
+        if task.parent_task_id:
+            # This is already an instance, count siblings
+            count_statement = select(func.count(Task.id)).where(
+                Task.parent_task_id == task.parent_task_id
+            )
+            current_count = session.exec(count_statement).one() + 1  # +1 for parent
+        else:
+            # This is the parent task, count its instances
+            count_statement = select(func.count(Task.id)).where(
+                Task.parent_task_id == task_id
+            )
+            current_count = session.exec(count_statement).one() + 1  # +1 for this task
+
+        # [T064] Handle count limit
+        max_count = recurrence_dict.get("count")
+        if max_count is not None:
+            if current_count >= max_count:
+                should_create_next = False
+
+        # [T065] Handle end_date limit
+        end_date_str = recurrence_dict.get("end_date")
+        if end_date_str and should_create_next:
+            try:
+                if isinstance(end_date_str, str):
+                    end_date = datetime.fromisoformat(end_date_str.replace('Z', '+00:00'))
+                else:
+                    end_date = end_date_str
+
+                # Calculate next occurrence date
+                base_date = datetime.fromisoformat(task.due_date.replace('Z', '+00:00')) if isinstance(task.due_date, str) else task.due_date
+                next_due_date = recurrence_service.calculate_next_occurrence(base_date, recurrence_dict)
+
+                if next_due_date and next_due_date > end_date:
+                    should_create_next = False
+            except Exception:
+                pass  # Invalid date format, skip check
+
+        # Create next instance if limits not reached
+        if should_create_next:
+            base_date = datetime.fromisoformat(task.due_date.replace('Z', '+00:00')) if isinstance(task.due_date, str) else task.due_date
+            next_due_date = recurrence_service.calculate_next_occurrence(base_date, recurrence_dict)
+
+            if next_due_date:
+                # Create next instance
+                next_task = Task(
+                    user_id=user_id,
+                    title=task.title,
+                    description=task.description,
+                    priority=task.priority,
+                    tags=task.tags,
+                    due_date=next_due_date.isoformat(),
+                    completed=False,
+                    reminder_offset=task.reminder_offset,
+                    reminder_sent=False,
+                    recurrence=task.recurrence,
+                    parent_task_id=task.parent_task_id if task.parent_task_id else task.id,
+                )
+                session.add(next_task)
+                session.commit()
+
+    session.refresh(task)
+    return task
+
+
+@router.patch("/{task_id}/tags")
+def update_task_tags(
+    task_id: uuid.UUID,
+    session: SessionDep,
+    user_id: CurrentUserDep,
+    tags_add: Optional[List[str]] = None,
+    tags_remove: Optional[List[str]] = None,
+):
+    """Add or remove tags from a task."""
+    from services.nlp_service import normalize_tag_name
+
+    if tags_add is None and tags_remove is None:
+        raise HTTPException(
+            status_code=400,
+            detail="Either 'tags_add' or 'tags_remove' must be provided"
+        )
+
+    if not tags_add and not tags_remove:
+        raise HTTPException(
+            status_code=400,
+            detail="Either 'tags_add' or 'tags_remove' must contain at least one tag"
+        )
+
+    task = session.get(Task, task_id)
+    if not task or task.user_id != user_id:
+        raise HTTPException(status_code=404, detail="Task not found")
+
+    current_tags = set(task.tags or [])
+
+    if tags_add:
+        normalized_add = [normalize_tag_name(tag) for tag in tags_add]
+        current_tags.update(normalized_add)
+
+    if tags_remove:
+        normalized_remove = [normalize_tag_name(tag).lower() for tag in tags_remove]
+        current_tags = {
+            tag for tag in current_tags
+            if tag.lower() not in normalized_remove
+        }
+
+    task.tags = sorted(list(current_tags))
+    task.updated_at = datetime.utcnow()
+    session.add(task)
+    session.commit()
+    session.refresh(task)
+    return task
+
+
+@router.patch("/{task_id}/reminder", response_model=TaskRead)
+def update_reminder(
+    task_id: uuid.UUID,
+    session: SessionDep,
+    user_id: CurrentUserDep,
+    reminder_offset: int | None = None,
+    reset_sent: bool = False
+):
+    """Update reminder settings for a task.
+
+    [Task]: T045
+    [From]: specs/008-advanced-features/tasks.md (User Story 2)
+
+    Allows updating the reminder_offset and optionally resetting the reminder_sent flag.
+    """
+    task = session.get(Task, task_id)
+    if not task or task.user_id != user_id:
+        raise HTTPException(status_code=404, detail="Task not found")
+
+    # Update reminder_offset if provided
+    if reminder_offset is not None:
+        task.reminder_offset = reminder_offset
+
+    # Reset reminder_sent flag if requested (e.g., when changing due date)
+    if reset_sent:
+        task.reminder_sent = False
+
+    task.updated_at = datetime.utcnow()
+    session.add(task)
+    session.commit()
+    session.refresh(task)
+    return task

tools/CLAUDE.md

@@ -0,0 +1,12 @@
+<claude-mem-context>
+# Recent Activity
+
+<!-- This section is auto-generated by claude-mem. Edit content outside the tags. -->
+
+### Jan 28, 2026
+
+| ID | Time | T | Title | Read |
+|----|------|---|-------|------|
+| #684 | 11:00 PM | 🟣 | Priority Extraction Enhanced with Comprehensive Natural Language Patterns | ~488 |
+| #677 | 10:57 PM | 🔵 | MCP Add Task Tool Implements Natural Language Task Creation | ~362 |
+</claude-mem-context>

tools/__init__.py

@@ -0,0 +1,51 @@
+"""Tools for task management AI agent.
+
+[Task]: T010
+[From]: specs/004-ai-chatbot/plan.md
+
+This module provides tools that enable the AI agent to perform task
+management operations through a standardized interface.
+
+All tools enforce:
+- User isolation via user_id parameter
+- Stateless execution (no shared memory between invocations)
+- Structured success/error responses
+- Parameter validation
+
+Tool Registration Pattern:
+    Tools are registered in the tool_registry for discovery.
+    The OpenAI Agents SDK will call these functions directly.
+"""
+from mcp_server.server import register_tool
+from mcp_server.tools import (
+    add_task, list_tasks, update_task, complete_task, delete_task,
+    complete_all_tasks, delete_all_tasks
+)
+
+# Register all available tools
+# [Task]: T013 - add_task tool
+register_tool("add_task", add_task.add_task)
+
+# [Task]: T024, T027 - list_tasks tool
+register_tool("list_tasks", list_tasks.list_tasks)
+
+# [Task]: T037 - update_task tool
+register_tool("update_task", update_task.update_task)
+
+# [Task]: T042 - complete_task tool
+register_tool("complete_task", complete_task.complete_task)
+
+# [Task]: T047 - delete_task tool
+register_tool("delete_task", delete_task.delete_task)
+
+# [Task]: T044, T045 - complete_all_tasks tool
+register_tool("complete_all_tasks", complete_all_tasks.complete_all_tasks)
+
+# [Task]: T048, T050 - delete_all_tasks tool
+register_tool("delete_all_tasks", delete_all_tasks.delete_all_tasks)
+
+# Export tool functions for direct access by the agent
+__all__ = [
+    "add_task", "list_tasks", "update_task", "complete_task", "delete_task",
+    "complete_all_tasks", "delete_all_tasks"
+]

tools/add_task.py

@@ -0,0 +1,320 @@
+"""MCP tool for adding tasks to the todo list.
+
+[Task]: T013, T031
+[From]: specs/004-ai-chatbot/tasks.md, specs/007-intermediate-todo-features/tasks.md (US2)
+
+This tool allows the AI agent to create tasks on behalf of users
+through natural language conversations.
+
+Now supports tag extraction from natural language patterns.
+"""
+from typing import Optional, Any, List
+from uuid import UUID, uuid4
+from datetime import datetime, timedelta
+
+from models.task import Task
+from core.database import engine
+from sqlmodel import Session
+
+# Import tag extraction service [T029, T031]
+import sys
+import os
+sys.path.append(os.path.dirname(os.path.dirname(os.path.dirname(__file__))))
+from services.nlp_service import extract_tags_from_task_data, normalize_tag_name
+
+
+# Tool metadata for MCP registration
+tool_metadata = {
+    "name": "add_task",
+    "description": """Create a new task in the user's todo list.
+
+Use this tool when the user wants to create, add, or remind themselves about a task.
+The task will be associated with their user account and persist across conversations.
+
+Parameters:
+- title (required): Brief task title (max 255 characters)
+- description (optional): Detailed task description (max 2000 characters)
+- due_date (optional): When the task is due (ISO 8601 date string or relative like 'tomorrow', 'next week')
+- priority (optional): Task priority - 'low', 'medium', or 'high' (default: 'medium')
+- tags (optional): List of tag names for categorization (e.g., ["work", "urgent"])
+
+Natural Language Tag Support [T031]:
+- "tagged with X" or "tags X" → extracts tag X
+- "add tag X" or "with tag X" → extracts tag X
+- "#tagname" → extracts hashtag as tag
+- "labeled X" → extracts tag X
+
+Returns: Created task details including ID, title, and confirmation.
+""",
+    "inputSchema": {
+        "type": "object",
+        "properties": {
+            "user_id": {
+                "type": "string",
+                "description": "User ID (UUID) who owns this task"
+            },
+            "title": {
+                "type": "string",
+                "description": "Task title (brief description)",
+                "maxLength": 255
+            },
+            "description": {
+                "type": "string",
+                "description": "Detailed task description",
+                "maxLength": 2000
+            },
+            "due_date": {
+                "type": "string",
+                "description": "Due date in ISO 8601 format (e.g., '2025-01-15') or relative terms"
+            },
+            "priority": {
+                "type": "string",
+                "enum": ["low", "medium", "high"],
+                "description": "Task priority level"
+            },
+            "tags": {
+                "type": "array",
+                "items": {"type": "string"},
+                "description": "List of tag names for categorization"
+            }
+        },
+        "required": ["user_id", "title"]
+    }
+}
+
+
+async def add_task(
+    user_id: str,
+    title: str,
+    description: Optional[str] = None,
+    due_date: Optional[str] = None,
+    priority: Optional[str] = None,
+    tags: Optional[List[str]] = None
+) -> dict[str, Any]:
+    """Create a new task for the user.
+
+    [From]: specs/004-ai-chatbot/spec.md - US1
+    [Task]: T031 - Integrate tag extraction for natural language
+
+    Args:
+        user_id: User ID (UUID string) who owns this task
+        title: Brief task title
+        description: Optional detailed description
+        due_date: Optional due date (ISO 8601 or relative)
+        priority: Optional priority level (low/medium/high)
+        tags: Optional list of tag names
+
+    Returns:
+        Dictionary with created task details
+
+    Raises:
+        ValueError: If validation fails
+        ValidationError: If task constraints violated
+    """
+    from core.validators import validate_task_title, validate_task_description
+
+    # Validate inputs
+    validated_title = validate_task_title(title)
+    validated_description = validate_task_description(description) if description else None
+
+    # Parse and validate due date if provided
+    parsed_due_date = None
+    if due_date:
+        parsed_due_date = _parse_due_date(due_date)
+
+    # Normalize priority
+    normalized_priority = _normalize_priority(priority)
+
+    # [T031] Extract tags from natural language in title and description
+    extracted_tags = extract_tags_from_task_data(validated_title, validated_description)
+
+    # Normalize extracted tags
+    normalized_extracted_tags = [normalize_tag_name(tag) for tag in extracted_tags]
+
+    # Combine provided tags with extracted tags, removing duplicates
+    all_tags = set(normalized_extracted_tags)
+    if tags:
+        # Normalize provided tags
+        normalized_provided_tags = [normalize_tag_name(tag) for tag in tags]
+        all_tags.update(normalized_provided_tags)
+
+    final_tags = sorted(list(all_tags)) if all_tags else []
+
+    # Get database session (synchronous)
+    with Session(engine) as db:
+        try:
+            # Create task instance
+            task = Task(
+                id=uuid4(),
+                user_id=UUID(user_id),
+                title=validated_title,
+                description=validated_description,
+                due_date=parsed_due_date,
+                priority=normalized_priority,
+                tags=final_tags,
+                completed=False,
+                created_at=datetime.utcnow(),
+                updated_at=datetime.utcnow()
+            )
+
+            # Save to database
+            db.add(task)
+            db.commit()
+            db.refresh(task)
+
+            # Return success response
+            return {
+                "success": True,
+                "task": {
+                    "id": str(task.id),
+                    "title": task.title,
+                    "description": task.description,
+                    "due_date": task.due_date.isoformat() if task.due_date else None,
+                    "priority": task.priority,
+                    "tags": task.tags,
+                    "completed": task.completed,
+                    "created_at": task.created_at.isoformat()
+                },
+                "message": f"✅ Task created: {task.title}" + (f" (tags: {', '.join(final_tags)})" if final_tags else "")
+            }
+
+        except Exception as e:
+            db.rollback()
+            raise ValueError(f"Failed to create task: {str(e)}")
+
+
+def _parse_due_date(due_date_str: str) -> Optional[datetime]:
+    """Parse due date from ISO 8601 or natural language.
+
+    [From]: specs/004-ai-chatbot/plan.md - Natural Language Processing
+
+    Supports:
+    - ISO 8601: "2025-01-15", "2025-01-15T10:00:00Z"
+    - Relative: "today", "tomorrow", "next week", "in 3 days"
+
+    Args:
+        due_date_str: Date string to parse
+
+    Returns:
+        Parsed datetime or None if parsing fails
+
+    Raises:
+        ValueError: If date format is invalid
+    """
+    from datetime import datetime
+    import re
+
+    # Try ISO 8601 format first
+    try:
+        # Handle YYYY-MM-DD format
+        if re.match(r"^\d{4}-\d{2}-\d{2}$", due_date_str):
+            return datetime.fromisoformat(due_date_str)
+
+        # Handle full ISO 8601 with time
+        if "T" in due_date_str:
+            return datetime.fromisoformat(due_date_str.replace("Z", "+00:00"))
+    except ValueError:
+        pass  # Fall through to natural language parsing
+
+    # Natural language parsing (simplified)
+    due_date_str = due_date_str.lower().strip()
+    today = datetime.utcnow().replace(hour=23, minute=59, second=59, microsecond=999999)
+
+    if due_date_str == "today":
+        return today
+    elif due_date_str == "tomorrow":
+        return today + timedelta(days=1)
+    elif due_date_str == "next week":
+        return today + timedelta(weeks=1)
+    elif due_date_str.startswith("in "):
+        # Parse "in X days/weeks"
+        match = re.match(r"in (\d+) (day|days|week|weeks)", due_date_str)
+        if match:
+            amount = int(match.group(1))
+            unit = match.group(2)
+            if unit.startswith("day"):
+                return today + timedelta(days=amount)
+            elif unit.startswith("week"):
+                return today + timedelta(weeks=amount)
+
+    # If parsing fails, return None and let AI agent ask for clarification
+    return None
+
+
+def _normalize_priority(priority: Optional[str]) -> str:
+    """Normalize priority string to valid values.
+
+    [From]: models/task.py - Task model
+    [Task]: T009-T011 - Priority extraction from natural language
+
+    Args:
+        priority: Priority string to normalize
+
+    Returns:
+        Normalized priority: "LOW", "MEDIUM", or "HIGH" (uppercase enum values)
+
+    Raises:
+        ValueError: If priority is invalid
+    """
+    from models.task import PriorityLevel
+
+    if not priority:
+        return PriorityLevel.MEDIUM  # Default priority (uppercase)
+
+    priority_normalized = priority.lower().strip()
+
+    # Direct matches - return uppercase enum values
+    if priority_normalized in ["low", "medium", "high"]:
+        return priority_normalized.upper()
+
+    # Enhanced priority mapping from natural language patterns
+    # [Task]: T011 - Integrate priority extraction in MCP tools
+    priority_map_high = {
+        # Explicit high priority keywords
+        "urgent", "asap", "important", "critical", "emergency", "immediate",
+        "high", "priority", "top", "now", "today", "deadline", "crucial",
+        # Numeric mappings
+        "3", "high priority", "very important", "must do"
+    }
+
+    priority_map_low = {
+        # Explicit low priority keywords
+        "low", "later", "whenever", "optional", "nice to have", "someday",
+        "eventually", "routine", "normal", "regular", "backlog",
+        # Numeric mappings
+        "1", "low priority", "no rush", "can wait"
+    }
+
+    priority_map_medium = {
+        "2", "medium", "normal", "standard", "default", "moderate"
+    }
+
+    # Check high priority patterns
+    if priority_normalized in priority_map_high or any(
+        keyword in priority_normalized for keyword in ["urgent", "asap", "critical", "deadline", "today"]
+    ):
+        return PriorityLevel.HIGH
+
+    # Check low priority patterns
+    if priority_normalized in priority_map_low or any(
+        keyword in priority_normalized for keyword in ["whenever", "later", "optional", "someday"]
+    ):
+        return PriorityLevel.LOW
+
+    # Default to medium
+    return PriorityLevel.MEDIUM
+
+
+# Register tool with MCP server
+def register_tool(mcp_server: Any) -> None:
+    """Register this tool with the MCP server.
+
+    [From]: backend/mcp_server/server.py
+
+    Args:
+        mcp_server: MCP server instance
+    """
+    mcp_server.tool(
+        name=tool_metadata["name"],
+        description=tool_metadata["description"]
+    )(add_task)

tools/complete_all_tasks.py

@@ -0,0 +1,160 @@
+"""MCP tool for marking all tasks as complete or incomplete.
+
+[Task]: T044, T045
+[From]: specs/004-ai-chatbot/tasks.md
+
+This tool allows the AI agent to mark all tasks with a completion status
+through natural language conversations.
+"""
+from typing import Optional, Any
+from uuid import UUID
+from datetime import datetime
+from sqlalchemy import select
+
+from models.task import Task
+from core.database import engine
+from sqlmodel import Session
+
+
+# Tool metadata for MCP registration
+tool_metadata = {
+    "name": "complete_all_tasks",
+    "description": """Mark all tasks as completed or not completed.
+
+Use this tool when the user wants to:
+- Mark all tasks as complete, done, or finished
+- Mark all tasks as incomplete or pending
+- Complete every task in their list
+
+Parameters:
+- user_id (required): User ID (UUID) who owns the tasks
+- completed (required): True to mark all complete, False to mark all incomplete
+- status_filter (optional): Only affect tasks with this status ('pending' or 'completed')
+
+Returns: Summary with count of tasks updated.
+""",
+    "inputSchema": {
+        "type": "object",
+        "properties": {
+            "user_id": {
+                "type": "string",
+                "description": "User ID (UUID) who owns these tasks"
+            },
+            "completed": {
+                "type": "boolean",
+                "description": "True to mark all tasks complete, False to mark all incomplete"
+            },
+            "status_filter": {
+                "type": "string",
+                "enum": ["pending", "completed"],
+                "description": "Optional: Only affect tasks with this status. If not provided, affects all tasks."
+            }
+        },
+        "required": ["user_id", "completed"]
+    }
+}
+
+
+async def complete_all_tasks(
+    user_id: str,
+    completed: bool,
+    status_filter: Optional[str] = None
+) -> dict[str, Any]:
+    """Mark all tasks as completed or incomplete.
+
+    [From]: specs/004-ai-chatbot/spec.md - US4
+
+    Args:
+        user_id: User ID (UUID string) who owns the tasks
+        completed: True to mark all complete, False to mark all incomplete
+        status_filter: Optional filter to only affect tasks with current status
+
+    Returns:
+        Dictionary with count of tasks updated and confirmation message
+
+    Raises:
+        ValueError: If validation fails
+    """
+    # Get database session (synchronous)
+    with Session(engine) as db:
+        try:
+            # Build query based on filter
+            stmt = select(Task).where(Task.user_id == UUID(user_id))
+
+            # Apply status filter if provided
+            if status_filter == "pending":
+                stmt = stmt.where(Task.completed == False)
+            elif status_filter == "completed":
+                stmt = stmt.where(Task.completed == True)
+
+            # Fetch matching tasks
+            tasks = list(db.scalars(stmt).all())
+
+            if not tasks:
+                return {
+                    "success": False,
+                    "error": "No tasks found",
+                    "message": f"Could not find any tasks{' matching the filter' if status_filter else ''}"
+                }
+
+            # Count tasks before update
+            task_count = len(tasks)
+            already_correct = sum(1 for t in tasks if t.completed == completed)
+
+            # If all tasks already have the desired status
+            if already_correct == task_count:
+                status_word = "completed" if completed else "pending"
+                return {
+                    "success": True,
+                    "updated_count": 0,
+                    "skipped_count": task_count,
+                    "message": f"All {task_count} task(s) are already {status_word}."
+                }
+
+            # Update completion status for all tasks
+            updated_count = 0
+            for task in tasks:
+                if task.completed != completed:
+                    task.completed = completed
+                    task.updated_at = datetime.utcnow()
+                    db.add(task)
+                    updated_count += 1
+
+            # Save to database
+            db.commit()
+
+            # Build success message
+            action = "completed" if completed else "marked as pending"
+            if status_filter:
+                filter_msg = f" {status_filter} tasks"
+            else:
+                filter_msg = ""
+
+            message = f"✅ {updated_count} task{'' if updated_count == 1 else 's'}{filter_msg} marked as {action}"
+
+            return {
+                "success": True,
+                "updated_count": updated_count,
+                "skipped_count": already_correct,
+                "total_count": task_count,
+                "message": message
+            }
+
+        except ValueError as e:
+            db.rollback()
+            raise ValueError(f"Failed to update tasks: {str(e)}")
+
+
+# Register tool with MCP server
+def register_tool(mcp_server: Any) -> None:
+    """Register this tool with the MCP server.
+
+    [From]: backend/mcp_server/server.py
+
+    Args:
+        mcp_server: MCP server instance
+    """
+    mcp_server.tool(
+        name=tool_metadata["name"],
+        description=tool_metadata["description"]
+    )(complete_all_tasks)

tools/complete_task.py

@@ -0,0 +1,144 @@
+"""MCP tool for completing/uncompleting tasks in the todo list.
+
+[Task]: T042, T043
+[From]: specs/004-ai-chatbot/tasks.md
+
+This tool allows the AI agent to mark tasks as complete or incomplete
+through natural language conversations.
+"""
+from typing import Optional, Any
+from uuid import UUID
+from datetime import datetime
+from sqlalchemy import select
+
+from models.task import Task
+from core.database import engine
+from sqlmodel import Session
+
+
+# Tool metadata for MCP registration
+tool_metadata = {
+    "name": "complete_task",
+    "description": """Mark a task as completed or not completed (toggle completion status).
+
+Use this tool when the user wants to:
+- Mark a task as complete, done, finished
+- Mark a task as incomplete, pending, not done
+- Unmark a task as complete (revert to pending)
+- Toggle the completion status of a task
+
+Parameters:
+- user_id (required): User ID (UUID) who owns the task
+- task_id (required): Task ID (UUID) of the task to mark complete/incomplete
+- completed (required): True to mark as complete, False to mark as incomplete/pending
+
+Returns: Updated task details with confirmation.
+""",
+    "inputSchema": {
+        "type": "object",
+        "properties": {
+            "user_id": {
+                "type": "string",
+                "description": "User ID (UUID) who owns this task"
+            },
+            "task_id": {
+                "type": "string",
+                "description": "Task ID (UUID) of the task to mark complete/incomplete"
+            },
+            "completed": {
+                "type": "boolean",
+                "description": "True to mark complete, False to mark incomplete"
+            }
+        },
+        "required": ["user_id", "task_id", "completed"]
+    }
+}
+
+
+async def complete_task(
+    user_id: str,
+    task_id: str,
+    completed: bool
+) -> dict[str, Any]:
+    """Mark a task as completed or incomplete.
+
+    [From]: specs/004-ai-chatbot/spec.md - US4
+
+    Args:
+        user_id: User ID (UUID string) who owns the task
+        task_id: Task ID (UUID string) of the task to update
+        completed: True to mark complete, False to mark incomplete
+
+    Returns:
+        Dictionary with updated task details
+
+    Raises:
+        ValueError: If validation fails or task not found
+    """
+    # Get database session (synchronous)
+    with Session(engine) as db:
+        try:
+            # Fetch the task
+            stmt = select(Task).where(
+                Task.id == UUID(task_id),
+                Task.user_id == UUID(user_id)
+            )
+            task = db.scalars(stmt).first()
+
+            if not task:
+                return {
+                    "success": False,
+                    "error": "Task not found",
+                    "message": f"Could not find task with ID {task_id}"
+                }
+
+            # Update completion status
+            old_status = "completed" if task.completed else "pending"
+            task.completed = completed
+            task.updated_at = datetime.utcnow()
+
+            # Save to database
+            db.add(task)
+            db.commit()
+            db.refresh(task)
+
+            # Build success message
+            new_status = "completed" if completed else "pending"
+            action = "marked as complete" if completed else "marked as pending"
+            message = f"✅ Task '{task.title}' {action}"
+
+            return {
+                "success": True,
+                "task": {
+                    "id": str(task.id),
+                    "title": task.title,
+                    "description": task.description,
+                    "due_date": task.due_date.isoformat() if task.due_date else None,
+                    "priority": task.priority,
+                    "completed": task.completed,
+                    "created_at": task.created_at.isoformat(),
+                    "updated_at": task.updated_at.isoformat()
+                },
+                "message": message,
+                "old_status": old_status,
+                "new_status": new_status
+            }
+
+        except ValueError as e:
+            db.rollback()
+            raise ValueError(f"Failed to update task completion status: {str(e)}")
+
+
+# Register tool with MCP server
+def register_tool(mcp_server: Any) -> None:
+    """Register this tool with the MCP server.
+
+    [From]: backend/mcp_server/server.py
+
+    Args:
+        mcp_server: MCP server instance
+    """
+    mcp_server.tool(
+        name=tool_metadata["name"],
+        description=tool_metadata["description"]
+    )(complete_task)

tools/delete_all_tasks.py

@@ -0,0 +1,168 @@
+"""MCP tool for deleting all tasks with confirmation.
+
+[Task]: T048, T050
+[From]: specs/004-ai-chatbot/tasks.md
+
+This tool allows the AI agent to delete all tasks with safety checks.
+"""
+from typing import Optional, Any
+from uuid import UUID
+from datetime import datetime
+from sqlalchemy import select
+
+from models.task import Task
+from core.database import engine
+from sqlmodel import Session
+
+
+# Tool metadata for MCP registration
+tool_metadata = {
+    "name": "delete_all_tasks",
+    "description": """Delete all tasks from the user's todo list permanently.
+
+⚠️ DESTRUCTIVE OPERATION: This will permanently delete all tasks.
+
+Use this tool when the user wants to:
+- Delete all tasks, clear entire task list
+- Remove every task from their list
+- Start fresh with no tasks
+
+IMPORTANT: Always inform the user about how many tasks will be deleted before proceeding.
+
+Parameters:
+- user_id (required): User ID (UUID) who owns the tasks
+- status_filter (optional): Only delete tasks with this status ('pending' or 'completed')
+- confirmed (required): Must be true to proceed with deletion
+
+Returns: Summary with count of tasks deleted.
+""",
+    "inputSchema": {
+        "type": "object",
+        "properties": {
+            "user_id": {
+                "type": "string",
+                "description": "User ID (UUID) who owns these tasks"
+            },
+            "status_filter": {
+                "type": "string",
+                "enum": ["pending", "completed"],
+                "description": "Optional: Only delete tasks with this status. If not provided, deletes all tasks."
+            },
+            "confirmed": {
+                "type": "boolean",
+                "description": "Must be true to proceed with deletion. This ensures user confirmation."
+            }
+        },
+        "required": ["user_id", "confirmed"]
+    }
+}
+
+
+async def delete_all_tasks(
+    user_id: str,
+    confirmed: bool,
+    status_filter: Optional[str] = None
+) -> dict[str, Any]:
+    """Delete all tasks from the user's todo list.
+
+    [From]: specs/004-ai-chatbot/spec.md - US5
+
+    Args:
+        user_id: User ID (UUID string) who owns the tasks
+        confirmed: Must be True to actually delete (safety check)
+        status_filter: Optional filter to only delete tasks with current status
+
+    Returns:
+        Dictionary with count of tasks deleted and confirmation message
+
+    Raises:
+        ValueError: If validation fails
+    """
+    # Get database session (synchronous)
+    with Session(engine) as db:
+        try:
+            # If not confirmed, return task count for confirmation prompt
+            if not confirmed:
+                # Build query to count tasks
+                stmt = select(Task).where(Task.user_id == UUID(user_id))
+
+                if status_filter:
+                    if status_filter == "pending":
+                        stmt = stmt.where(Task.completed == False)
+                    elif status_filter == "completed":
+                        stmt = stmt.where(Task.completed == True)
+
+                tasks = list(db.scalars(stmt).all())
+                task_count = len(tasks)
+
+                if task_count == 0:
+                    return {
+                        "success": False,
+                        "error": "No tasks found",
+                        "message": f"Could not find any tasks{' matching the filter' if status_filter else ''}"
+                    }
+
+                filter_msg = f" {status_filter}" if status_filter else ""
+                return {
+                    "success": True,
+                    "requires_confirmation": True,
+                    "task_count": task_count,
+                    "message": f"⚠️ This will delete {task_count} {filter_msg} task(s). Please confirm by saying 'yes' or 'confirm'."
+                }
+
+            # Confirmed - proceed with deletion
+            # Build query based on filter
+            stmt = select(Task).where(Task.user_id == UUID(user_id))
+
+            if status_filter:
+                if status_filter == "pending":
+                    stmt = stmt.where(Task.completed == False)
+                elif status_filter == "completed":
+                    stmt = stmt.where(Task.completed == True)
+
+            # Fetch matching tasks
+            tasks = list(db.scalars(stmt).all())
+
+            if not tasks:
+                return {
+                    "success": False,
+                    "error": "No tasks found",
+                    "message": f"Could not find any tasks{' matching the filter' if status_filter else ''}"
+                }
+
+            # Count and delete tasks
+            deleted_count = len(tasks)
+            for task in tasks:
+                db.delete(task)
+
+            # Commit deletion
+            db.commit()
+
+            # Build success message
+            filter_msg = f" {status_filter}" if status_filter else ""
+            message = f"✅ Deleted {deleted_count} {filter_msg} task{'' if deleted_count == 1 else 's'}"
+
+            return {
+                "success": True,
+                "deleted_count": deleted_count,
+                "message": message
+            }
+
+        except ValueError as e:
+            db.rollback()
+            raise ValueError(f"Failed to delete tasks: {str(e)}")
+
+
+# Register tool with MCP server
+def register_tool(mcp_server: Any) -> None:
+    """Register this tool with the MCP server.
+
+    [From]: backend/mcp_server/server.py
+
+    Args:
+        mcp_server: MCP server instance
+    """
+    mcp_server.tool(
+        name=tool_metadata["name"],
+        description=tool_metadata["description"]
+    )(delete_all_tasks)

tools/delete_task.py

@@ -0,0 +1,129 @@
+"""MCP tool for deleting tasks from the todo list.
+
+[Task]: T047
+[From]: specs/004-ai-chatbot/tasks.md
+
+This tool allows the AI agent to permanently delete tasks
+through natural language conversations.
+"""
+from typing import Optional, Any
+from uuid import UUID
+from datetime import datetime
+from sqlalchemy import select
+
+from models.task import Task
+from core.database import engine
+from sqlmodel import Session
+
+
+# Tool metadata for MCP registration
+tool_metadata = {
+    "name": "delete_task",
+    "description": """Delete a task from the user's todo list permanently.
+
+Use this tool when the user wants to:
+- Delete, remove, or get rid of a task
+- Clear a task from their list
+- Permanently remove a task
+
+Parameters:
+- user_id (required): User ID (UUID) who owns the task
+- task_id (required): Task ID (UUID) of the task to delete
+
+Returns: Confirmation of deletion with task details.
+""",
+    "inputSchema": {
+        "type": "object",
+        "properties": {
+            "user_id": {
+                "type": "string",
+                "description": "User ID (UUID) who owns this task"
+            },
+            "task_id": {
+                "type": "string",
+                "description": "Task ID (UUID) of the task to delete"
+            }
+        },
+        "required": ["user_id", "task_id"]
+    }
+}
+
+
+async def delete_task(
+    user_id: str,
+    task_id: str
+) -> dict[str, Any]:
+    """Delete a task from the user's todo list.
+
+    [From]: specs/004-ai-chatbot/spec.md - US5
+
+    Args:
+        user_id: User ID (UUID string) who owns the task
+        task_id: Task ID (UUID string) of the task to delete
+
+    Returns:
+        Dictionary with deletion confirmation
+
+    Raises:
+        ValueError: If validation fails or task not found
+    """
+    # Get database session (synchronous)
+    with Session(engine) as db:
+        try:
+            # Fetch the task
+            stmt = select(Task).where(
+                Task.id == UUID(task_id),
+                Task.user_id == UUID(user_id)
+            )
+            task = db.scalars(stmt).first()
+
+            if not task:
+                return {
+                    "success": False,
+                    "error": "Task not found",
+                    "message": f"Could not find task with ID {task_id}"
+                }
+
+            # Store task details for confirmation
+            task_details = {
+                "id": str(task.id),
+                "title": task.title,
+                "description": task.description,
+                "due_date": task.due_date.isoformat() if task.due_date else None,
+                "priority": task.priority,
+                "completed": task.completed,
+                "created_at": task.created_at.isoformat(),
+                "updated_at": task.updated_at.isoformat()
+            }
+
+            # Delete the task
+            db.delete(task)
+            db.commit()
+
+            # Build success message
+            message = f"✅ Task '{task.title}' deleted successfully"
+
+            return {
+                "success": True,
+                "task": task_details,
+                "message": message
+            }
+
+        except ValueError as e:
+            db.rollback()
+            raise ValueError(f"Failed to delete task: {str(e)}")
+
+
+# Register tool with MCP server
+def register_tool(mcp_server: Any) -> None:
+    """Register this tool with the MCP server.
+
+    [From]: backend/mcp_server/server.py
+
+    Args:
+        mcp_server: MCP server instance
+    """
+    mcp_server.tool(
+        name=tool_metadata["name"],
+        description=tool_metadata["description"]
+    )(delete_task)

tools/list_tasks.py

@@ -0,0 +1,242 @@
+"""MCP tool for listing tasks from the todo list.
+
+[Task]: T024, T027
+[From]: specs/004-ai-chatbot/tasks.md
+
+This tool allows the AI agent to list and filter tasks on behalf of users
+through natural language conversations.
+"""
+from typing import Optional, Any
+from uuid import UUID
+from datetime import datetime, timedelta, date
+from sqlalchemy import select
+
+from models.task import Task
+from core.database import engine
+from sqlmodel import Session
+
+
+# Tool metadata for MCP registration
+tool_metadata = {
+    "name": "list_tasks",
+    "description": """List and filter tasks from the user's todo list.
+
+Use this tool when the user wants to see their tasks, ask what they have to do,
+or request a filtered view of their tasks.
+
+Parameters:
+- user_id (required): User ID (UUID) who owns the tasks
+- status (optional): Filter by completion status - 'all', 'pending', or 'completed' (default: 'all')
+- due_within_days (optional): Only show tasks due within X days (default: null, shows all)
+- limit (optional): Maximum number of tasks to return (default: 50, max: 100)
+
+Returns: List of tasks with titles, descriptions, due dates, priorities, and completion status.
+""",
+    "inputSchema": {
+        "type": "object",
+        "properties": {
+            "user_id": {
+                "type": "string",
+                "description": "User ID (UUID) who owns these tasks"
+            },
+            "status": {
+                "type": "string",
+                "enum": ["all", "pending", "completed"],
+                "description": "Filter by completion status",
+                "default": "all"
+            },
+            "due_within_days": {
+                "type": "number",
+                "description": "Only show tasks due within X days (optional)",
+                "minimum": 0
+            },
+            "limit": {
+                "type": "number",
+                "description": "Maximum tasks to return",
+                "default": 50,
+                "minimum": 1,
+                "maximum": 100
+            }
+        },
+        "required": ["user_id"]
+    }
+}
+
+
+async def list_tasks(
+    user_id: str,
+    status: str = "all",
+    due_within_days: Optional[int] = None,
+    limit: int = 50
+) -> dict[str, Any]:
+    """List tasks for the user with optional filtering.
+
+    [From]: specs/004-ai-chatbot/spec.md - US2
+
+    Args:
+        user_id: User ID (UUID string) who owns the tasks
+        status: Filter by completion status ("all", "pending", "completed")
+        due_within_days: Optional filter for tasks due within X days
+        limit: Maximum number of tasks to return
+
+    Returns:
+        Dictionary with task list and metadata
+
+    Raises:
+        ValueError: If validation fails
+        Exception: If database operation fails
+    """
+    # Validate inputs
+    if status not in ["all", "pending", "completed"]:
+        raise ValueError(f"Invalid status: {status}. Must be 'all', 'pending', or 'completed'")
+
+    if limit < 1 or limit > 100:
+        raise ValueError(f"Invalid limit: {limit}. Must be between 1 and 100")
+
+    # Get database session (synchronous)
+    with Session(engine) as db:
+        try:
+            # Build query
+            stmt = select(Task).where(Task.user_id == UUID(user_id))
+
+            # Apply status filter
+            # [From]: T027 - Add task status filtering
+            if status == "pending":
+                stmt = stmt.where(Task.completed == False)
+            elif status == "completed":
+                stmt = stmt.where(Task.completed == True)
+
+            # Apply due date filter if specified
+            if due_within_days is not None:
+                today = datetime.utcnow().date()
+                max_due_date = today + timedelta(days=due_within_days)
+
+                # Only show tasks that have a due_date AND are within the range
+                stmt = stmt.where(
+                    Task.due_date.isnot(None),
+                    Task.due_date <= max_due_date
+                )
+
+            # Order by due date (if available) then created date
+            # Tasks with due dates come first, ordered by due date ascending
+            # Tasks without due dates come after, ordered by created date descending
+            stmt = stmt.order_by(
+                Task.due_date.asc().nulls_last(),
+                Task.created_at.desc()
+            )
+
+            # Apply limit
+            stmt = stmt.limit(limit)
+
+            # Execute query
+            tasks = db.scalars(stmt).all()
+
+            # Convert to dict format for AI
+            task_list = []
+            for task in tasks:
+                task_dict = {
+                    "id": str(task.id),
+                    "title": task.title,
+                    "description": task.description,
+                    "due_date": task.due_date.isoformat() if task.due_date else None,
+                    "priority": task.priority,
+                    "completed": task.completed,
+                    "created_at": task.created_at.isoformat()
+                }
+                task_list.append(task_dict)
+
+            # Get summary statistics
+            total_count = len(task_list)
+            completed_count = sum(1 for t in task_list if t["completed"])
+            pending_count = total_count - completed_count
+
+            # Generate summary message for AI
+            # [From]: T026 - Handle empty task list responses
+            if total_count == 0:
+                summary = "No tasks found"
+            elif status == "all":
+                summary = f"Found {total_count} tasks ({pending_count} pending, {completed_count} completed)"
+            elif status == "pending":
+                summary = f"Found {total_count} pending tasks"
+            elif status == "completed":
+                summary = f"Found {total_count} completed tasks"
+            else:
+                summary = f"Found {total_count} tasks"
+
+            return {
+                "success": True,
+                "tasks": task_list,
+                "summary": summary,
+                "total": total_count,
+                "pending": pending_count,
+                "completed": completed_count
+            }
+
+        except Exception as e:
+            raise Exception(f"Failed to list tasks: {str(e)}")
+
+
+def format_task_list_for_ai(tasks: list[dict[str, Any]]) -> str:
+    """Format task list for AI response.
+
+    [From]: specs/004-ai-chatbot/spec.md - US2-AC1
+
+    This helper function formats the task list in a readable way
+    that the AI can use to generate natural language responses.
+
+    Args:
+        tasks: List of task dictionaries
+
+    Returns:
+        Formatted string representation of tasks
+
+    Example:
+        >>> tasks = [
+        ...     {"title": "Buy groceries", "completed": False, "due_date": "2025-01-15"},
+        ...     {"title": "Finish report", "completed": True}
+        ... ]
+        >>> format_task_list_for_ai(tasks)
+        '1. Buy groceries (Due: 2025-01-15) [Pending]\\n2. Finish report [Completed]'
+    """
+    if not tasks:
+        return "No tasks found."
+
+    lines = []
+    for i, task in enumerate(tasks, 1):
+        # Task title
+        line = f"{i}. {task['title']}"
+
+        # Due date if available
+        if task.get('due_date'):
+            line += f" (Due: {task['due_date']})"
+
+        # Priority if not default (medium)
+        if task.get('priority') and task['priority'] != 'medium':
+            line += f" [{task['priority'].capitalize()} Priority]"
+
+        # Completion status
+        status = "✓ Completed" if task['completed'] else "○ Pending"
+        line += f" - {status}"
+
+        # Description if available
+        if task.get('description'):
+            line += f"\n   {task['description']}"
+
+        lines.append(line)
+
+    return "\n".join(lines)
+
+
+# Register tool with MCP server
+def register_tool(mcp_server: Any) -> None:
+    """Register this tool with the MCP server.
+
+    [From]: backend/mcp_server/server.py
+
+    Args:
+        mcp_server: MCP server instance
+    """
+    mcp_server.tool(
+        name=tool_metadata["name"],
+        description=tool_metadata["description"]
+    )(list_tasks)

tools/update_task.py

@@ -0,0 +1,303 @@
+"""MCP tool for updating tasks in the todo list.
+
+[Task]: T037
+[From]: specs/004-ai-chatbot/tasks.md
+
+This tool allows the AI agent to update existing tasks on behalf of users
+through natural language conversations.
+"""
+from typing import Optional, Any
+from uuid import UUID
+from datetime import datetime
+from sqlalchemy import select
+
+from models.task import Task
+from core.database import engine
+from sqlmodel import Session
+
+
+# Tool metadata for MCP registration
+tool_metadata = {
+    "name": "update_task",
+    "description": """Update an existing task in the user's todo list.
+
+Use this tool when the user wants to modify, change, or edit an existing task.
+You must identify the task first (by ID or by matching title/description).
+
+Parameters:
+- user_id (required): User ID (UUID) who owns the task
+- task_id (required): Task ID (UUID) of the task to update
+- title (optional): New task title
+- description (optional): New task description
+- due_date (optional): New due date (ISO 8601 date string or relative like 'tomorrow', 'next week')
+- priority (optional): New priority level - 'low', 'medium', or 'high'
+- completed (optional): Mark task as completed or not completed
+
+Returns: Updated task details with confirmation.
+""",
+    "inputSchema": {
+        "type": "object",
+        "properties": {
+            "user_id": {
+                "type": "string",
+                "description": "User ID (UUID) who owns this task"
+            },
+            "task_id": {
+                "type": "string",
+                "description": "Task ID (UUID) of the task to update"
+            },
+            "title": {
+                "type": "string",
+                "description": "New task title (brief description)",
+                "maxLength": 255
+            },
+            "description": {
+                "type": "string",
+                "description": "New task description",
+                "maxLength": 2000
+            },
+            "due_date": {
+                "type": "string",
+                "description": "New due date in ISO 8601 format (e.g., '2025-01-15') or relative terms"
+            },
+            "priority": {
+                "type": "string",
+                "enum": ["low", "medium", "high"],
+                "description": "New task priority level"
+            },
+            "completed": {
+                "type": "boolean",
+                "description": "Mark task as completed or not completed"
+            }
+        },
+        "required": ["user_id", "task_id"]
+    }
+}
+
+
+async def update_task(
+    user_id: str,
+    task_id: str,
+    title: Optional[str] = None,
+    description: Optional[str] = None,
+    due_date: Optional[str] = None,
+    priority: Optional[str] = None,
+    completed: Optional[bool] = None
+) -> dict[str, Any]:
+    """Update an existing task for the user.
+
+    [From]: specs/004-ai-chatbot/spec.md - US3
+
+    Args:
+        user_id: User ID (UUID string) who owns the task
+        task_id: Task ID (UUID string) of the task to update
+        title: Optional new task title
+        description: Optional new task description
+        due_date: Optional new due date (ISO 8601 or relative)
+        priority: Optional new priority level (low/medium/high)
+        completed: Optional new completion status
+
+    Returns:
+        Dictionary with updated task details
+
+    Raises:
+        ValueError: If validation fails or task not found
+    """
+    from core.validators import validate_task_title, validate_task_description
+
+    # Get database session (synchronous)
+    with Session(engine) as db:
+        try:
+            # Fetch the task
+            stmt = select(Task).where(
+                Task.id == UUID(task_id),
+                Task.user_id == UUID(user_id)
+            )
+            task = db.scalars(stmt).first()
+
+            if not task:
+                return {
+                    "success": False,
+                    "error": "Task not found",
+                    "message": f"Could not find task with ID {task_id}"
+                }
+
+            # Track changes for confirmation message
+            changes = []
+
+            # Update title if provided
+            if title is not None:
+                validated_title = validate_task_title(title)
+                old_title = task.title
+                task.title = validated_title
+                changes.append(f"title from '{old_title}' to '{validated_title}'")
+
+            # Update description if provided
+            if description is not None:
+                validated_description = validate_task_description(description) if description else None
+                task.description = validated_description
+                changes.append("description")
+
+            # Update due date if provided
+            if due_date is not None:
+                parsed_due_date = _parse_due_date(due_date)
+                task.due_date = parsed_due_date
+                changes.append(f"due date to '{parsed_due_date.isoformat() if parsed_due_date else 'None'}'")
+
+            # Update priority if provided
+            if priority is not None:
+                normalized_priority = _normalize_priority(priority)
+                old_priority = task.priority
+                task.priority = normalized_priority
+                changes.append(f"priority from '{old_priority}' to '{normalized_priority}'")
+
+            # Update completion status if provided
+            if completed is not None:
+                old_status = "completed" if task.completed else "pending"
+                task.completed = completed
+                new_status = "completed" if completed else "pending"
+                changes.append(f"status from '{old_status}' to '{new_status}'")
+
+            # Always update updated_at timestamp
+            task.updated_at = datetime.utcnow()
+
+            # Save to database
+            db.add(task)
+            db.commit()
+            db.refresh(task)
+
+            # Build success message
+            if changes:
+                changes_str = " and ".join(changes)
+                message = f"✅ Task updated: {changes_str}"
+            else:
+                message = f"✅ Task '{task.title}' retrieved (no changes made)"
+
+            return {
+                "success": True,
+                "task": {
+                    "id": str(task.id),
+                    "title": task.title,
+                    "description": task.description,
+                    "due_date": task.due_date.isoformat() if task.due_date else None,
+                    "priority": task.priority,
+                    "completed": task.completed,
+                    "created_at": task.created_at.isoformat(),
+                    "updated_at": task.updated_at.isoformat()
+                },
+                "message": message
+            }
+
+        except ValueError as e:
+            db.rollback()
+            raise ValueError(f"Failed to update task: {str(e)}")
+
+
+def _parse_due_date(due_date_str: str) -> Optional[datetime]:
+    """Parse due date from ISO 8601 or natural language.
+
+    [From]: specs/004-ai-chatbot/plan.md - Natural Language Processing
+
+    Supports:
+    - ISO 8601: "2025-01-15", "2025-01-15T10:00:00Z"
+    - Relative: "today", "tomorrow", "next week", "in 3 days"
+
+    Args:
+        due_date_str: Date string to parse
+
+    Returns:
+        Parsed datetime or None if parsing fails
+
+    Raises:
+        ValueError: If date format is invalid
+    """
+    from datetime import datetime
+    import re
+
+    # Try ISO 8601 format first
+    try:
+        # Handle YYYY-MM-DD format
+        if re.match(r"^\d{4}-\d{2}-\d{2}$", due_date_str):
+            return datetime.fromisoformat(due_date_str)
+
+        # Handle full ISO 8601 with time
+        if "T" in due_date_str:
+            return datetime.fromisoformat(due_date_str.replace("Z", "+00:00"))
+    except ValueError:
+        pass  # Fall through to natural language parsing
+
+    # Natural language parsing (simplified)
+    due_date_str = due_date_str.lower().strip()
+    today = datetime.utcnow().replace(hour=23, minute=59, second=59, microsecond=999999)
+
+    if due_date_str == "today":
+        return today
+    elif due_date_str == "tomorrow":
+        return today + __import__('datetime').timedelta(days=1)
+    elif due_date_str == "next week":
+        return today + __import__('datetime').timedelta(weeks=1)
+    elif due_date_str.startswith("in "):
+        # Parse "in X days/weeks"
+        match = re.match(r"in (\d+) (day|days|week|weeks)", due_date_str)
+        if match:
+            amount = int(match.group(1))
+            unit = match.group(2)
+            if unit.startswith("day"):
+                return today + __import__('datetime').timedelta(days=amount)
+            elif unit.startswith("week"):
+                return today + __import__('datetime').timedelta(weeks=amount)
+
+    # If parsing fails, return None and let AI agent ask for clarification
+    return None
+
+
+def _normalize_priority(priority: Optional[str]) -> str:
+    """Normalize priority string to valid values.
+
+    [From]: models/task.py - Task model
+
+    Args:
+        priority: Priority string to normalize
+
+    Returns:
+        Normalized priority: "low", "medium", or "high"
+
+    Raises:
+        ValueError: If priority is invalid
+    """
+    if not priority:
+        return "medium"  # Default priority
+
+    priority_normalized = priority.lower().strip()
+
+    if priority_normalized in ["low", "medium", "high"]:
+        return priority_normalized
+
+    # Map common alternatives
+    priority_map = {
+        "1": "low",
+        "2": "medium",
+        "3": "high",
+        "urgent": "high",
+        "important": "high",
+        "normal": "medium",
+        "routine": "low"
+    }
+
+    normalized = priority_map.get(priority_normalized, "medium")
+    return normalized
+
+
+# Register tool with MCP server
+def register_tool(mcp_server: Any) -> None:
+    """Register this tool with the MCP server.
+
+    [From]: backend/mcp_server/server.py
+
+    Args:
+        mcp_server: MCP server instance
+    """
+    mcp_server.tool(
+        name=tool_metadata["name"],
+        description=tool_metadata["description"]
+    )(update_task)

user.py

@@ -0,0 +1,53 @@
+"""User model and authentication schemas for FastAPI backend.
+
+[Task]: T016
+[From]: specs/001-user-auth/data-model.md
+"""
+import uuid
+from datetime import datetime
+from typing import Optional
+from sqlmodel import Field, SQLModel
+
+
+class UserBase(SQLModel):
+    """Base User model with common fields."""
+    email: str = Field(unique=True, index=True, max_length=255)
+    created_at: datetime = Field(default_factory=datetime.utcnow)
+    updated_at: datetime = Field(default_factory=datetime.utcnow)
+
+
+class User(UserBase, table=True):
+    """Full User model with database table.
+
+    FastAPI backend handles ALL authentication logic:
+    - Password hashing (bcrypt)
+    - JWT token generation/verification
+    - User creation and validation
+    """
+    __tablename__ = "users"
+
+    id: uuid.UUID = Field(default_factory=uuid.uuid4, primary_key=True)
+    hashed_password: str = Field(max_length=255)  # bcrypt hash, not plaintext
+
+
+class UserCreate(SQLModel):
+    """Schema for user registration.
+
+    Frontend sends plaintext password, backend hashes it before storage.
+    """
+    email: str
+    password: str  # Plaintext password, will be hashed before storage
+
+
+class UserRead(SQLModel):
+    """Schema for returning user data (excludes password)."""
+    id: uuid.UUID
+    email: str
+    created_at: datetime
+    updated_at: datetime
+
+
+class UserLogin(SQLModel):
+    """Schema for user login."""
+    email: str
+    password: str

validators.py

@@ -0,0 +1,144 @@
+"""Validation utilities for the application.
+
+[Task]: T008
+[From]: specs/004-ai-chatbot/plan.md
+"""
+from pydantic import ValidationError, model_validator
+from pydantic_core import PydanticUndefined
+from typing import Any
+from sqlmodel import Field
+
+
+# Constants from spec
+MAX_MESSAGE_LENGTH = 10000  # FR-042: Maximum message content length
+
+
+class ValidationError(Exception):
+    """Custom validation error."""
+
+    def __init__(self, message: str, field: str | None = None):
+        self.message = message
+        self.field = field
+        super().__init__(self.message)
+
+
+def validate_message_length(content: str) -> str:
+    """Validate message content length.
+
+    [From]: specs/004-ai-chatbot/spec.md - FR-042
+
+    Args:
+        content: Message content to validate
+
+    Returns:
+        str: The validated content
+
+    Raises:
+        ValidationError: If content exceeds maximum length
+    """
+    if not content:
+        raise ValidationError("Message content cannot be empty", "content")
+
+    if len(content) > MAX_MESSAGE_LENGTH:
+        raise ValidationError(
+            f"Message content exceeds maximum length of {MAX_MESSAGE_LENGTH} characters "
+            f"(got {len(content)} characters)",
+            "content"
+        )
+
+    return content
+
+
+def validate_conversation_id(conversation_id: Any) -> int | None:
+    """Validate conversation ID.
+
+    Args:
+        conversation_id: Conversation ID to validate
+
+    Returns:
+        int | None: Validated conversation ID or None
+
+    Raises:
+        ValidationError: If conversation_id is invalid
+    """
+    if conversation_id is None:
+        return None
+
+    if isinstance(conversation_id, int):
+        if conversation_id <= 0:
+            raise ValidationError("Conversation ID must be positive", "conversation_id")
+        return conversation_id
+
+    if isinstance(conversation_id, str):
+        try:
+            conv_id = int(conversation_id)
+            if conv_id <= 0:
+                raise ValidationError("Conversation ID must be positive", "conversation_id")
+            return conv_id
+        except ValueError:
+            raise ValidationError("Conversation ID must be a valid integer", "conversation_id")
+
+    raise ValidationError("Conversation ID must be an integer or null", "conversation_id")
+
+
+# Task validation constants
+MAX_TASK_TITLE_LENGTH = 255  # From Task model
+MAX_TASK_DESCRIPTION_LENGTH = 2000  # From Task model
+
+
+def validate_task_title(title: str) -> str:
+    """Validate task title.
+
+    [From]: models/task.py - Task.title
+
+    Args:
+        title: Task title to validate
+
+    Returns:
+        str: The validated title
+
+    Raises:
+        ValidationError: If title is empty or exceeds max length
+    """
+    if not title or not title.strip():
+        raise ValidationError("Task title cannot be empty", "title")
+
+    title = title.strip()
+
+    if len(title) > MAX_TASK_TITLE_LENGTH:
+        raise ValidationError(
+            f"Task title exceeds maximum length of {MAX_TASK_TITLE_LENGTH} characters "
+            f"(got {len(title)} characters)",
+            "title"
+        )
+
+    return title
+
+
+def validate_task_description(description: str | None) -> str:
+    """Validate task description.
+
+    [From]: models/task.py - Task.description
+
+    Args:
+        description: Task description to validate
+
+    Returns:
+        str: The validated description
+
+    Raises:
+        ValidationError: If description exceeds max length
+    """
+    if description is None:
+        return ""
+
+    description = description.strip()
+
+    if len(description) > MAX_TASK_DESCRIPTION_LENGTH:
+        raise ValidationError(
+            f"Task description exceeds maximum length of {MAX_TASK_DESCRIPTION_LENGTH} characters "
+            f"(got {len(description)} characters)",
+            "description"
+        )
+
+    return description

verify_schema.py

@@ -0,0 +1,134 @@
+"""Database schema verification script.
+
+[Task]: T022, T023
+[From]: specs/001-user-auth/tasks.md
+
+This script verifies that the database schema is correct for authentication.
+"""
+import sys
+from pathlib import Path
+
+# Add parent directory to path for imports
+sys.path.insert(0, str(Path(__file__).parent.parent))
+
+from sqlmodel import Session, select, text
+from core.config import engine
+from models.user import User
+from models.task import Task
+
+
+def verify_schema():
+    """Verify database schema for authentication."""
+    print("🔍 Verifying database schema...\n")
+
+    with Session(engine) as session:
+        # Check users table
+        print("📋 Checking users table...")
+        try:
+            result = session.exec(text("""
+                SELECT column_name, data_type, is_nullable, column_default
+                FROM information_schema.columns
+                WHERE table_name = 'users'
+                ORDER BY ordinal_position;
+            """))
+            print("✅ Users table columns:")
+            for row in result:
+                print(f"   - {row.column_name}: {row.data_type}")
+        except Exception as e:
+            print(f"❌ Error checking users table: {e}")
+            return False
+
+        print()
+
+        # Check tasks table
+        print("📋 Checking tasks table...")
+        try:
+            result = session.exec(text("""
+                SELECT column_name, data_type, is_nullable, column_default
+                FROM information_schema.columns
+                WHERE table_name = 'tasks'
+                ORDER BY ordinal_position;
+            """))
+            print("✅ Tasks table columns:")
+            for row in result:
+                print(f"   - {row.column_name}: {row.data_type}")
+        except Exception as e:
+            print(f"❌ Error checking tasks table: {e}")
+            return False
+
+        print()
+
+        # Check indexes
+        print("📋 Checking indexes on tasks table...")
+        try:
+            result = session.exec(text("""
+                SELECT indexname, indexdef
+                FROM pg_indexes
+                WHERE tablename = 'tasks';
+            """))
+            print("✅ Indexes on tasks table:")
+            for row in result:
+                print(f"   - {row.indexname}")
+        except Exception as e:
+            print(f"❌ Error checking indexes: {e}")
+            return False
+
+        print()
+
+        # Check foreign key constraints
+        print("📋 Checking foreign key constraints...")
+        try:
+            result = session.exec(text("""
+                SELECT
+                    tc.constraint_name,
+                    tc.table_name,
+                    kcu.column_name,
+                    ccu.table_name AS foreign_table_name,
+                    ccu.column_name AS foreign_column_name
+                FROM information_schema.table_constraints AS tc
+                JOIN information_schema.key_column_usage AS kcu
+                    ON tc.constraint_name = kcu.constraint_name
+                JOIN information_schema.constraint_column_usage AS ccu
+                    ON ccu.constraint_name = tc.constraint_name
+                WHERE tc.constraint_type = 'FOREIGN KEY'
+                    AND tc.table_name = 'tasks';
+            """))
+            print("✅ Foreign key constraints:")
+            for row in result:
+                print(f"   - {row.constraint_name}:")
+                print(f"     {row.column_name} → {row.foreign_table_name}.{row.foreign_column_name}")
+        except Exception as e:
+            print(f"❌ Error checking foreign keys: {e}")
+            return False
+
+        print()
+
+        # Check unique constraints
+        print("📋 Checking unique constraints...")
+        try:
+            result = session.exec(text("""
+                SELECT
+                    tc.constraint_name,
+                    tc.table_name,
+                    kcu.column_name
+                FROM information_schema.table_constraints AS tc
+                JOIN information_schema.key_column_usage AS kcu
+                    ON tc.constraint_name = kcu.constraint_name
+                WHERE tc.constraint_type = 'UNIQUE'
+                    AND tc.table_name = 'users';
+            """))
+            print("✅ Unique constraints on users table:")
+            for row in result:
+                print(f"   - {row.constraint_name}: {row.column_name}")
+        except Exception as e:
+            print(f"❌ Error checking unique constraints: {e}")
+            return False
+
+    print("\n✅ Schema verification complete!")
+    print("\n🎉 Database schema is ready for authentication.")
+    return True
+
+
+if __name__ == "__main__":
+    success = verify_schema()
+    sys.exit(0 if success else 1)