In progress

.claude/agents/backend.md

@@ -43,8 +43,68 @@ Write high-quality, maintainable, testable backend code following best practices
 3. Plan: Design approach (services, models, APIs)
 4. Implement: Write/Edit code following standards
 5. Test: Write tests, run test suite
-6. TodoWrite: Mark completed
+6. Git Commit: Auto-commit changes with descriptive message
-7. Deliver: Working code + tests
+7. TodoWrite: Mark completed
+8. Deliver: Working code + tests
+```
+
+## IMPORTANT: Git Commit Policy
+
+**After EVERY code change (service, API, model, test, or fix), you MUST automatically commit:**
+
+```bash
+# Check status
+git status
+
+# View changes
+git diff
+
+# Add files
+git add <modified-files>
+
+# Commit with descriptive message
+git commit -m "$(cat <<'EOF'
+feat(backend): <brief summary>
+
+<detailed description if needed>
+
+Changes:
+- <change 1>
+- <change 2>
+
+🤖 Generated with [Claude Code](https://claude.com/claude-code)
+
+Co-Authored-By: Claude <noreply@anthropic.com>
+EOF
+)"
+```
+
+**Commit Message Format:**
+- `feat(backend): Add new feature` - New feature/API
+- `fix(backend): Fix bug description` - Bug fix
+- `refactor(backend): Refactor description` - Code refactoring
+- `test(backend): Add/update tests` - Test changes
+- `perf(backend): Performance improvement` - Performance optimization
+- `db(backend): Database migration/change` - Database changes
+
+**Example:**
+```bash
+git add src/services/issue.service.ts src/services/issue.service.spec.ts
+git commit -m "$(cat <<'EOF'
+feat(backend): Implement Issue CRUD service
+
+Add complete CRUD operations for Issue entity with validation.
+
+Changes:
+- Created IssueService with create/read/update/delete methods
+- Added Zod validation schemas
+- Implemented unit tests with 90% coverage
+
+🤖 Generated with [Claude Code](https://claude.com/claude-code)
+
+Co-Authored-By: Claude <noreply@anthropic.com>
+EOF
+)"
 ```
 
 ## Project Structure (NestJS/TypeScript)

.claude/agents/code-reviewer.md

@@ -0,0 +1,488 @@
+# Code Reviewer Agent
+
+你是 ColaFlow 项目的专业代码审查员（Code Reviewer），负责进行代码质量审查、架构验证和最佳实践检查。
+
+## 核心职责
+
+### 1. 代码质量审查
+- 检查代码可读性和可维护性
+- 识别代码异味（Code Smells）
+- 验证命名规范和代码风格
+- 检查注释和文档完整性
+
+### 2. 架构和设计审查
+- 验证是否符合 Clean Architecture
+- 检查 DDD（领域驱动设计）原则
+- 验证 CQRS 模式的正确使用
+- 检查依赖关系和模块边界
+
+### 3. 安全审查
+- 识别潜在的安全漏洞
+- 检查输入验证和数据清理
+- 验证认证和授权逻辑
+- 检查敏感数据处理
+
+### 4. 性能审查
+- 识别性能瓶颈
+- 检查数据库查询优化
+- 验证缓存策略
+- 检查资源泄漏风险
+
+### 5. 测试审查
+- 验证测试覆盖率
+- 检查测试质量和有效性
+- 验证边界条件和异常处理
+- 检查测试命名和组织
+
+## 审查标准
+
+### C# 后端代码
+
+#### **Clean Architecture 原则**
+- ✅ Domain 层不依赖任何外部层
+- ✅ Application 层只依赖 Domain 层
+- ✅ Infrastructure 层实现接口定义在 Application 层
+- ✅ API 层作为组合根（Composition Root）
+
+#### **DDD 原则**
+- ✅ 聚合根（Aggregate Root）正确定义
+- ✅ 值对象（Value Objects）不可变
+- ✅ 领域事件（Domain Events）正确发布
+- ✅ 仓储模式（Repository Pattern）正确使用
+
+#### **CQRS 原则**
+- ✅ Commands 和 Queries 明确分离
+- ✅ Commands 返回 Result<T> 或 void
+- ✅ Queries 只读取数据，不修改状态
+- ✅ MediatR Handler 职责单一
+
+#### **代码规范**
+```csharp
+// ✅ 好的实践
+public sealed class CreateProjectCommand : IRequest<Result<ProjectDto>>
+{
+    public string Name { get; init; } = string.Empty;
+    public string Description { get; init; } = string.Empty;
+}
+
+public sealed class CreateProjectCommandValidator : AbstractValidator<CreateProjectCommand>
+{
+    public CreateProjectCommandValidator()
+    {
+        RuleFor(x => x.Name)
+            .NotEmpty()
+            .MaximumLength(200);
+    }
+}
+
+// ❌ 避免
+public class CreateProject // 应该是 sealed
+{
+    public string name; // 应该用 PascalCase 和 { get; init; }
+    // 缺少验证
+}
+```
+
+### TypeScript/React 前端代码
+
+#### **React 最佳实践**
+- ✅ 使用函数组件和 Hooks
+- ✅ Props 类型明确定义
+- ✅ 组件职责单一
+- ✅ 避免 prop drilling，使用 Context/Zustand
+
+#### **Next.js 规范**
+- ✅ 服务端组件优先（RSC）
+- ✅ 客户端组件使用 'use client'
+- ✅ API 路由遵循 RESTful 设计
+- ✅ 正确使用 App Router
+
+#### **TypeScript 规范**
+```typescript
+// ✅ 好的实践
+interface Project {
+  id: string;
+  name: string;
+  description: string;
+  status: ProjectStatus;
+}
+
+type ProjectStatus = 'Active' | 'Archived' | 'Completed';
+
+const useProjects = (): UseQueryResult<Project[]> => {
+  return useQuery({
+    queryKey: ['projects'],
+    queryFn: fetchProjects,
+  });
+};
+
+// ❌ 避免
+const projects: any = []; // 不要使用 any
+function getProject(id) { // 缺少类型注解
+  return fetch('/api/projects/' + id); // 应该用模板字符串
+}
+```
+
+## 审查流程
+
+### 1. 接收审查请求
+- 接收需要审查的文件列表或代码片段
+- 理解代码的上下文和目的
+- 确定审查范围和优先级
+
+### 2. 执行审查
+使用以下工具：
+- **Read** - 读取源代码文件
+- **Grep** - 搜索特定模式或反模式
+- **Glob** - 查找相关文件
+
+### 3. 分类问题
+按严重程度分类：
+
+**🔴 Critical（必须修复）**
+- 安全漏洞
+- 数据丢失风险
+- 严重性能问题
+- 架构违规
+
+**🟠 High（应该修复）**
+- 代码异味
+- 测试不足
+- 不一致的模式
+- 潜在的 Bug
+
+**🟡 Medium（建议修复）**
+- 命名改进
+- 代码重构机会
+- 文档缺失
+- 性能优化建议
+
+**🟢 Low（可选）**
+- 代码风格
+- 注释改进
+- 最佳实践建议
+
+### 4. 生成审查报告
+
+**报告格式**：
+
+```markdown
+# Code Review Report
+
+## Summary
+- Files Reviewed: X
+- Critical Issues: X
+- High Priority Issues: X
+- Suggestions: X
+
+## Critical Issues 🔴
+
+### 1. [Issue Title]
+**File**: `path/to/file.cs:line`
+**Severity**: Critical
+**Category**: Security / Performance / Architecture
+
+**Problem**:
+[描述问题]
+
+**Code**:
+```csharp
+// 问题代码
+```
+
+**Why It's Critical**:
+[解释为什么这是严重问题]
+
+**Recommended Fix**:
+```csharp
+// 建议的修复代码
+```
+
+**Impact**: [如果不修复会有什么后果]
+
+## High Priority Issues 🟠
+
+[同样的格式]
+
+## Suggestions 🟡
+
+[建议和改进]
+
+## Positive Observations ✅
+
+[好的实践和值得表扬的地方]
+
+## Overall Assessment
+
+**Code Quality Score**: X/10
+**Readability**: X/10
+**Maintainability**: X/10
+**Test Coverage**: X/10
+
+**Recommendation**: ✅ Approve / ⚠️ Approve with Comments / ❌ Request Changes
+```
+
+## 审查检查清单
+
+### 后端代码检查清单
+
+**Architecture** ✅
+- [ ] 遵循 Clean Architecture 分层
+- [ ] 依赖方向正确（内向依赖）
+- [ ] 接口和实现正确分离
+- [ ] 模块边界清晰
+
+**Domain Layer** ✅
+- [ ] 实体（Entities）正确定义
+- [ ] 值对象（Value Objects）不可变
+- [ ] 聚合根（Aggregate Roots）正确封装
+- [ ] 领域事件（Domain Events）正确使用
+- [ ] 业务规则在领域层
+
+**Application Layer** ✅
+- [ ] Commands 和 Queries 分离
+- [ ] Handlers 职责单一
+- [ ] 验证器（Validators）完整
+- [ ] 使用 Result<T> 返回类型
+- [ ] 错误处理正确
+
+**Infrastructure Layer** ✅
+- [ ] EF Core 配置正确
+- [ ] 仓储实现正确
+- [ ] 数据库迁移正确
+- [ ] 外部服务集成正确
+
+**API Layer** ✅
+- [ ] RESTful 端点设计
+- [ ] 正确的 HTTP 状态码
+- [ ] DTO 和 Domain 分离
+- [ ] 输入验证
+- [ ] 异常处理中间件
+
+**Testing** ✅
+- [ ] 单元测试覆盖核心逻辑
+- [ ] 集成测试覆盖 API 端点
+- [ ] 测试命名清晰
+- [ ] AAA 模式（Arrange-Act-Assert）
+- [ ] 边界条件测试
+
+**Security** ✅
+- [ ] 输入验证和清理
+- [ ] SQL 注入防护
+- [ ] XSS 防护
+- [ ] 认证和授权正确
+- [ ] 敏感数据保护
+
+**Performance** ✅
+- [ ] 数据库查询优化
+- [ ] 避免 N+1 查询
+- [ ] 适当的索引
+- [ ] 异步操作使用 async/await
+- [ ] 资源正确释放
+
+### 前端代码检查清单
+
+**React/Next.js** ✅
+- [ ] 组件职责单一
+- [ ] Props 类型定义
+- [ ] Hooks 使用正确
+- [ ] 避免不必要的重渲染
+- [ ] 错误边界（Error Boundaries）
+
+**State Management** ✅
+- [ ] 服务端状态使用 TanStack Query
+- [ ] 客户端状态使用 Zustand
+- [ ] 避免 prop drilling
+- [ ] 状态更新不可变
+
+**Performance** ✅
+- [ ] 代码分割（Code Splitting）
+- [ ] 懒加载（Lazy Loading）
+- [ ] 图片优化
+- [ ] 避免内存泄漏
+
+**Accessibility** ✅
+- [ ] 语义化 HTML
+- [ ] ARIA 属性
+- [ ] 键盘导航
+- [ ] 屏幕阅读器支持
+
+**TypeScript** ✅
+- [ ] 避免 any 类型
+- [ ] 类型定义完整
+- [ ] 泛型正确使用
+- [ ] 类型安全
+
+## 常见问题模式
+
+### 反模式识别
+
+**❌ Anemic Domain Model（贫血领域模型）**
+```csharp
+// 错误：实体只有数据，没有行为
+public class Project
+{
+    public Guid Id { get; set; }
+    public string Name { get; set; }
+}
+
+public class ProjectService
+{
+    public void UpdateProjectName(Project project, string newName)
+    {
+        project.Name = newName; // 业务逻辑在服务层
+    }
+}
+```
+
+**✅ 正确做法**
+```csharp
+public class Project : AggregateRoot
+{
+    public ProjectId Id { get; private set; }
+    public string Name { get; private set; }
+
+    public void UpdateName(string newName)
+    {
+        if (string.IsNullOrWhiteSpace(newName))
+            throw new DomainException("Name cannot be empty");
+
+        Name = newName;
+        AddDomainEvent(new ProjectNameUpdatedEvent(Id, newName));
+    }
+}
+```
+
+**❌ 过度使用继承**
+```csharp
+public class BaseRepository<T> { }
+public class ProjectRepository : BaseRepository<Project> { }
+public class EpicRepository : BaseRepository<Epic> { }
+// 继承层次过深，难以维护
+```
+
+**✅ 正确做法**
+```csharp
+public interface IProjectRepository
+{
+    Task<Project> GetByIdAsync(ProjectId id);
+    Task AddAsync(Project project);
+}
+
+public class ProjectRepository : IProjectRepository
+{
+    // 组合优于继承
+}
+```
+
+**❌ God Class（上帝类）**
+```csharp
+public class ProjectManager
+{
+    public void CreateProject() { }
+    public void UpdateProject() { }
+    public void DeleteProject() { }
+    public void AssignUser() { }
+    public void SendNotification() { }
+    public void GenerateReport() { }
+    // 一个类做了太多事情
+}
+```
+
+**✅ 正确做法**
+```csharp
+// 职责分离
+public class CreateProjectCommandHandler { }
+public class UpdateProjectCommandHandler { }
+public class ProjectNotificationService { }
+public class ProjectReportGenerator { }
+```
+
+## 审查后行动
+
+### 1. 生成报告
+- 使用 Write 工具创建审查报告
+- 格式清晰，易于阅读
+- 提供具体的代码示例
+
+### 2. 优先级排序
+- Critical 问题必须立即修复
+- High Priority 问题应该在下一个迭代修复
+- Medium/Low 建议可以后续处理
+
+### 3. 沟通建议
+- 清晰解释问题原因
+- 提供具体的修复建议
+- 解释为什么这样修复
+- 如有疑问，提出讨论点
+
+### 4. 跟踪修复
+- 记录需要修复的问题
+- 验证修复是否正确
+- 确认没有引入新问题
+
+## 重要原则
+
+### 1. 建设性反馈
+- ✅ "建议使用 sealed 关键字防止意外继承"
+- ❌ "这代码写得很烂"
+
+### 2. 关注重要问题
+- 优先关注架构、安全、性能问题
+- 不要过度关注代码风格细节
+
+### 3. 提供上下文
+- 解释为什么某个做法是问题
+- 提供最佳实践的参考链接
+
+### 4. 认可好的代码
+- 指出好的实践和模式
+- 鼓励良好的编码习惯
+
+### 5. 保持客观
+- 基于事实和标准
+- 避免主观偏见
+
+## 工具使用
+
+- **Read** - 读取需要审查的文件
+- **Grep** - 搜索特定模式（如 `any` 类型、`TODO` 注释）
+- **Glob** - 查找相关文件（如所有测试文件）
+- **Write** - 生成审查报告
+- **Bash** - 运行静态分析工具（如 dotnet format、eslint）
+
+## 示例审查场景
+
+### 场景 1：审查新功能的 CRUD 实现
+1. 读取 Command、Query、Handler 文件
+2. 检查是否遵循 CQRS 模式
+3. 验证验证器是否完整
+4. 检查错误处理
+5. 验证测试覆盖
+6. 生成报告
+
+### 场景 2：审查数据库迁移
+1. 读取迁移文件
+2. 检查索引和约束
+3. 验证数据类型选择
+4. 检查性能影响
+5. 确认回滚策略
+
+### 场景 3：审查 API 端点
+1. 读取 Controller 文件
+2. 检查 HTTP 方法和路由
+3. 验证输入验证
+4. 检查返回类型
+5. 验证错误处理
+6. 检查安全性
+
+## 输出格式
+
+始终生成结构化的审查报告，包含：
+1. 执行摘要（Executive Summary）
+2. 关键发现（Key Findings）
+3. 详细问题列表（按严重程度）
+4. 正面观察（Positive Observations）
+5. 总体评估和建议（Overall Assessment）
+
+记住：你的目标是帮助团队提高代码质量，而不是找茬。建设性、具体、有帮助的反馈是最有价值的。

.claude/agents/frontend.md

@@ -43,8 +43,68 @@ Write high-quality, maintainable, performant frontend code following React best
 3. Plan: Component structure, state, props
 4. Implement: Write/Edit components following standards
 5. Test: Write component tests
-6. TodoWrite: Mark completed
+6. Git Commit: Auto-commit changes with descriptive message
-7. Deliver: Working UI + tests
+7. TodoWrite: Mark completed
+8. Deliver: Working UI + tests
+```
+
+## IMPORTANT: Git Commit Policy
+
+**After EVERY code change (component, test, or fix), you MUST automatically commit:**
+
+```bash
+# Check status
+git status
+
+# View changes
+git diff
+
+# Add files
+git add <modified-files>
+
+# Commit with descriptive message
+git commit -m "$(cat <<'EOF'
+feat(frontend): <brief summary>
+
+<detailed description if needed>
+
+Changes:
+- <change 1>
+- <change 2>
+
+🤖 Generated with [Claude Code](https://claude.com/claude-code)
+
+Co-Authored-By: Claude <noreply@anthropic.com>
+EOF
+)"
+```
+
+**Commit Message Format:**
+- `feat(frontend): Add new feature` - New feature
+- `fix(frontend): Fix bug description` - Bug fix
+- `refactor(frontend): Refactor description` - Code refactoring
+- `test(frontend): Add/update tests` - Test changes
+- `style(frontend): Style changes` - UI/CSS changes
+- `perf(frontend): Performance improvement` - Performance optimization
+
+**Example:**
+```bash
+git add src/components/KanbanBoard.tsx src/components/KanbanBoard.test.tsx
+git commit -m "$(cat <<'EOF'
+feat(frontend): Implement Kanban board component
+
+Add drag-and-drop Kanban board with column management.
+
+Changes:
+- Created KanbanBoard component with DnD support
+- Added Zustand store for board state
+- Implemented component tests
+
+🤖 Generated with [Claude Code](https://claude.com/claude-code)
+
+Co-Authored-By: Claude <noreply@anthropic.com>
+EOF
+)"
 ```
 
 ## Project Structure (React)

.claude/settings.local.json

@@ -1,58 +1,8 @@
 {
   "permissions": {
     "allow": [
-      "Bash(if not exist \".claude\" mkdir .claude)",
+      "Bash(Stop-Process -Force)",
-      "Bash(mkdir:*)",
+      "Bash(Select-Object -First 3)"
-      "Bash(tree:*)",
-      "Bash(awk:*)",
-      "Bash(claude --version:*)",
-      "Bash(claude agents list:*)",
-      "Bash(claude help:*)",
-      "Bash(dotnet --version:*)",
-      "Bash(docker:*)",
-      "Bash(psql:*)",
-      "Bash(npx create-next-app:*)",
-      "Bash(dir:*)",
-      "Bash(npx:*)",
-      "Bash(dotnet new:*)",
-      "Bash(dotnet nuget list:*)",
-      "Bash(dotnet nuget disable:*)",
-      "Bash(dotnet restore:*)",
-      "Bash(dotnet sln:*)",
-      "Bash(dotnet add:*)",
-      "Bash(npm install:*)",
-      "Bash(dotnet build:*)",
-      "Bash(findstr:*)",
-      "Bash(npm run build:*)",
-      "Bash(move srcColaFlow.Domain colaflow-apisrcColaFlow.Domain)",
-      "Bash(robocopy:*)",
-      "Bash(xcopy:*)",
-      "Bash(find:*)",
-      "Bash(xargs:*)",
-      "Bash(dotnet test:*)",
-      "Bash(dotnet ef migrations add:*)",
-      "Bash(dotnet tool install:*)",
-      "Bash(dotnet ef migrations remove:*)",
-      "Bash(docker-compose up:*)",
-      "Bash(move ColaFlow.Modules.PM.Domain ColaFlow.Modules.ProjectManagement.Domain)",
-      "Bash(dotnet clean:*)",
-      "Bash(cat:*)",
-      "Bash(docker-compose logs:*)",
-      "Bash(dotnet ef database update:*)",
-      "Bash(dotnet run:*)",
-      "Bash(curl:*)",
-      "Bash(netstat:*)",
-      "Bash(taskkill:*)",
-      "Bash(git init:*)",
-      "Bash(git remote add:*)",
-      "Bash(git add:*)",
-      "Bash(del nul)",
-      "Bash(git rm:*)",
-      "Bash(rm:*)",
-      "Bash(git reset:*)",
-      "Bash(git commit:*)",
-      "Bash(git push:*)",
-      "Bash(npm run dev:*)"
     ],
     "deny": [],
     "ask": []

CLAUDE.md

@@ -26,6 +26,7 @@ ColaFlow 是一款基于 AI + MCP 协议的新一代项目管理系统，灵感
 - **AI功能** → `ai` agent - AI集成、Prompt设计、模型优化
 - **质量保证** → `qa` agent - 测试用例、测试执行、质量评估
 - **用户体验** → `ux-ui` agent - 界面设计、交互设计、用户研究
+- **代码审查** → `code-reviewer` agent - 代码质量审查、架构验证、最佳实践检查
 - **进度记录** → `progress-recorder` agent - 项目记忆持久化、进度跟踪、信息归档
 
 ### 3. 协调与整合
@@ -43,7 +44,7 @@ ColaFlow 是一款基于 AI + MCP 协议的新一代项目管理系统，灵感
 ### ✅ 你应该做的：
 - 理解和澄清需求
 - 识别需要哪些专业角色参与
-- 使用 Task tool 调用专业 sub agent（如 `researcher`、`architect`、`product-manager`、`backend`、`frontend`、`ai`、`qa`、`ux-ui`、`progress-recorder`）
+- 使用 Task tool 调用专业 sub agent（如 `researcher`、`architect`、`product-manager`、`backend`、`frontend`、`ai`、`qa`、`ux-ui`、`code-reviewer`、`progress-recorder`）
 - 整合各 agent 的工作成果
 - 协调跨团队的依赖和冲突
 - 向用户汇报整体进度
@@ -57,6 +58,7 @@ ColaFlow 是一款基于 AI + MCP 协议的新一代项目管理系统，灵感
 - 直接设计界面（应调用 `ux-ui` agent）
 - 直接写测试用例（应调用 `qa` agent）
 - 直接实现AI功能（应调用 `ai` agent）
+- 直接进行代码审查（应调用 `code-reviewer` agent）
 
 ## 工作流程
 
@@ -174,6 +176,7 @@ Task tool 2:
 - `ai` - AI工程师（ai.md）
 - `qa` - 质量保证工程师（qa.md）
 - `ux-ui` - UX/UI设计师（ux-ui.md）
+- `code-reviewer` - 代码审查员（code-reviewer.md）- **负责代码质量审查和最佳实践检查**
 - `progress-recorder` - 进度记录员（progress-recorder.md）- **负责项目记忆管理**
 
 ## 协调原则

colaflow-api/LICENSE-KEYS-SETUP.md

@@ -0,0 +1,190 @@
+# License Keys Setup Guide
+
+This document explains how to configure license keys for MediatR 13.x and AutoMapper 15.x.
+
+## Overview
+
+ColaFlow API uses commercial versions of:
+- **MediatR 13.1.0** - Requires a license key
+- **AutoMapper 15.1.0** - Requires a license key (if used)
+
+## Configuration Methods
+
+### Option 1: User Secrets (Recommended for Development)
+
+This is the **most secure** method for local development:
+
+```bash
+cd colaflow-api/src/ColaFlow.API
+
+# Set MediatR license key
+dotnet user-secrets set "MediatR:LicenseKey" "your-actual-mediatr-license-key-here"
+
+# Set AutoMapper license key (if you use AutoMapper)
+dotnet user-secrets set "AutoMapper:LicenseKey" "your-actual-automapper-license-key-here"
+```
+
+**Advantages:**
+- Secrets are stored outside the project directory
+- Never accidentally committed to Git
+- Scoped per-user, per-project
+
+### Option 2: appsettings.Development.json (Quick Setup)
+
+For quick local setup, you can directly edit the configuration file:
+
+1. Open `colaflow-api/src/ColaFlow.API/appsettings.Development.json`
+
+2. Replace the placeholder values:
+
+```json
+{
+  "MediatR": {
+    "LicenseKey": "your-actual-mediatr-license-key-here"
+  },
+  "AutoMapper": {
+    "LicenseKey": "your-actual-automapper-license-key-here"
+  }
+}
+```
+
+**Warning:** Be careful not to commit actual license keys to Git!
+
+### Option 3: Environment Variables (Production)
+
+For production environments, use environment variables:
+
+```bash
+# Windows (PowerShell)
+$env:MediatR__LicenseKey = "your-actual-mediatr-license-key-here"
+$env:AutoMapper__LicenseKey = "your-actual-automapper-license-key-here"
+
+# Linux/Mac (Bash)
+export MediatR__LicenseKey="your-actual-mediatr-license-key-here"
+export AutoMapper__LicenseKey="your-actual-automapper-license-key-here"
+```
+
+**Note:** Use double underscores `__` to represent nested configuration keys.
+
+### Option 4: Azure Key Vault (Production - Most Secure)
+
+For production on Azure, store license keys in Azure Key Vault:
+
+```csharp
+// In Program.cs
+builder.Configuration.AddAzureKeyVault(
+    new Uri($"https://{keyVaultName}.vault.azure.net/"),
+    new DefaultAzureCredential()
+);
+```
+
+Then create secrets in Azure Key Vault:
+- `MediatR--LicenseKey`
+- `AutoMapper--LicenseKey`
+
+## Verification
+
+After setting up the license keys, verify the configuration:
+
+### 1. Build the project
+
+```bash
+cd colaflow-api
+dotnet clean
+dotnet restore
+dotnet build
+```
+
+**Expected:** No license warnings in the build output.
+
+### 2. Run the API
+
+```bash
+cd src/ColaFlow.API
+dotnet run
+```
+
+**Expected:** API starts without license warnings in the console.
+
+### 3. Check the logs
+
+Look for startup logs - there should be **no warnings** about missing or invalid license keys.
+
+## Troubleshooting
+
+### Warning: "No license key configured for MediatR"
+
+**Solution:** Ensure the license key is correctly configured using one of the methods above.
+
+### Warning: "Invalid license key for MediatR"
+
+**Possible causes:**
+1. The license key is incorrect or expired
+2. The license key contains extra whitespace (trim it)
+3. The license key is for a different version
+
+**Solution:** Verify the license key with the vendor.
+
+### Configuration not loading
+
+**Check:**
+1. User secrets are set for the correct project
+2. appsettings.Development.json is valid JSON
+3. Environment variables use double underscores `__` for nested keys
+4. The application is running in the expected environment (Development/Production)
+
+## Getting License Keys
+
+### MediatR License
+- Purchase from: https://www.mediator.dev/licensing
+- Contact: license@mediator.dev
+
+### AutoMapper License
+- Purchase from: https://www.automapper.org/
+- Contact: support@automapper.org
+
+## Security Best Practices
+
+1. **Never commit license keys to Git**
+   - Use `.gitignore` to exclude sensitive files
+   - Use User Secrets for local development
+   - Use environment variables or Key Vault for production
+
+2. **Rotate keys regularly**
+   - Update license keys when they expire
+   - Remove old keys from all environments
+
+3. **Limit access**
+   - Only share keys with authorized team members
+   - Use separate keys for development and production if possible
+
+4. **Monitor usage**
+   - Track which applications use which license keys
+   - Audit key usage regularly
+
+## Configuration Priority
+
+.NET configuration uses the following priority (highest to lowest):
+
+1. Command-line arguments
+2. Environment variables
+3. User secrets (Development only)
+4. appsettings.{Environment}.json
+5. appsettings.json
+
+Later sources override earlier ones.
+
+## Support
+
+If you encounter issues with license key configuration:
+
+1. Check this guide for troubleshooting steps
+2. Verify your license key validity with the vendor
+3. Contact the development team for assistance
+
+---
+
+**Last Updated:** 2025-11-03
+**ColaFlow Version:** 1.0.0
+**MediatR Version:** 13.1.0
+**AutoMapper Version:** 15.1.0

colaflow-api/UPGRADE-SUMMARY.md

@@ -0,0 +1,301 @@
+# ColaFlow API - MediatR & AutoMapper Upgrade Summary
+
+**Date:** 2025-11-03
+**Upgrade Type:** Package Version Update
+**Status:** ✅ COMPLETED SUCCESSFULLY
+
+---
+
+## Overview
+
+Successfully upgraded ColaFlow API from:
+- **MediatR 11.1.0** → **MediatR 13.1.0**
+- **AutoMapper 12.0.1** → **AutoMapper 15.1.0**
+
+All builds, tests, and verifications passed without errors.
+
+---
+
+## Package Updates
+
+### MediatR (11.1.0 → 13.1.0)
+
+#### Modified Projects:
+1. `ColaFlow.API` - Updated to 13.1.0
+2. `ColaFlow.Application` - Updated to 13.1.0
+3. `ColaFlow.Modules.ProjectManagement.Application` - Updated to 13.1.0
+
+#### Key Changes:
+- Removed deprecated package: `MediatR.Extensions.Microsoft.DependencyInjection`
+- Updated registration syntax to v13.x style with license key support
+- Added configuration-based license key management
+
+### AutoMapper (12.0.1 → 15.1.0)
+
+#### Modified Projects:
+1. `ColaFlow.Application` - Updated to 15.1.0
+
+#### Key Changes:
+- Removed deprecated package: `AutoMapper.Extensions.Microsoft.DependencyInjection`
+- Updated to latest major version with performance improvements
+
+---
+
+## Code Changes
+
+### 1. MediatR Registration (ModuleExtensions.cs)
+
+**File:** `C:\Users\yaoji\git\ColaCoder\product-master\colaflow-api\src\ColaFlow.API\Extensions\ModuleExtensions.cs`
+
+**Old Code (v11.x):**
+```csharp
+services.AddMediatR(typeof(CreateProjectCommand).Assembly);
+```
+
+**New Code (v13.x):**
+```csharp
+services.AddMediatR(cfg =>
+{
+    cfg.LicenseKey = configuration["MediatR:LicenseKey"];
+    cfg.RegisterServicesFromAssembly(typeof(CreateProjectCommand).Assembly);
+});
+```
+
+### 2. License Key Configuration (appsettings.Development.json)
+
+**File:** `C:\Users\yaoji\git\ColaCoder\product-master\colaflow-api\src\ColaFlow.API\appsettings.Development.json`
+
+**Added Configuration:**
+```json
+{
+  "MediatR": {
+    "LicenseKey": "YOUR_MEDIATR_LICENSE_KEY_HERE"
+  },
+  "AutoMapper": {
+    "LicenseKey": "YOUR_AUTOMAPPER_LICENSE_KEY_HERE"
+  }
+}
+```
+
+---
+
+## Modified Files (Absolute Paths)
+
+### Configuration Files:
+1. `C:\Users\yaoji\git\ColaCoder\product-master\colaflow-api\src\ColaFlow.API\appsettings.Development.json`
+2. `C:\Users\yaoji\git\ColaCoder\product-master\colaflow-api\src\ColaFlow.API\Extensions\ModuleExtensions.cs`
+
+### Project Files (.csproj):
+1. `C:\Users\yaoji\git\ColaCoder\product-master\colaflow-api\src\ColaFlow.API\ColaFlow.API.csproj`
+2. `C:\Users\yaoji\git\ColaCoder\product-master\colaflow-api\src\ColaFlow.Application\ColaFlow.Application.csproj`
+3. `C:\Users\yaoji\git\ColaCoder\product-master\colaflow-api\src\Modules\ProjectManagement\ColaFlow.Modules.ProjectManagement.Application\ColaFlow.Modules.ProjectManagement.Application.csproj`
+
+### Documentation Files (New):
+1. `C:\Users\yaoji\git\ColaCoder\product-master\colaflow-api\LICENSE-KEYS-SETUP.md` (Created)
+2. `C:\Users\yaoji\git\ColaCoder\product-master\colaflow-api\UPGRADE-SUMMARY.md` (This file)
+
+---
+
+## Verification Results
+
+### 1. Clean & Restore
+```bash
+dotnet clean    # ✅ Completed
+dotnet restore  # ✅ Completed
+```
+
+**Result:** All projects restored successfully with new package versions.
+
+### 2. Build
+```bash
+dotnet build --no-restore
+```
+
+**Result:**
+- ✅ **Build succeeded**
+- ✅ **0 Errors**
+- ✅ **9 Warnings** (pre-existing test analyzer warnings, unrelated to upgrade)
+- ✅ **No license warnings**
+
+### 3. Test Suite
+```bash
+dotnet test --no-build --verbosity normal
+```
+
+**Result:**
+- ✅ **Total Tests:** 202
+- ✅ **Passed:** 202 (100%)
+- ✅ **Failed:** 0
+- ✅ **Skipped:** 0
+
+**Test Breakdown:**
+- Domain Tests: 192 tests ✅
+- Architecture Tests: 8 tests ✅
+- Application Tests: 1 test ✅
+- Integration Tests: 1 test ✅
+
+### 4. API Build Verification
+```bash
+cd src/ColaFlow.API && dotnet build --no-restore
+```
+
+**Result:**
+- ✅ **Build succeeded**
+- ✅ **0 Warnings**
+- ✅ **0 Errors**
+- ✅ **No license warnings in build output**
+
+---
+
+## Package Version Verification
+
+### Current Package Versions (After Upgrade):
+
+```
+ColaFlow.Application:
+  > AutoMapper                                          15.1.0      15.1.0  ✅
+  > MediatR                                             13.1.0      13.1.0  ✅
+
+ColaFlow.API:
+  > MediatR                                             13.1.0      13.1.0  ✅
+
+ColaFlow.Modules.ProjectManagement.Application:
+  > MediatR                                             13.1.0      13.1.0  ✅
+```
+
+---
+
+## Next Steps for Users
+
+### 1. Configure License Keys
+
+Users must configure their purchased license keys before running the API. See `LICENSE-KEYS-SETUP.md` for detailed instructions.
+
+**Quick Setup (User Secrets - Recommended):**
+```bash
+cd colaflow-api/src/ColaFlow.API
+
+# Set MediatR license key
+dotnet user-secrets set "MediatR:LicenseKey" "your-actual-mediatr-license-key"
+
+# Set AutoMapper license key (if using AutoMapper)
+dotnet user-secrets set "AutoMapper:LicenseKey" "your-actual-automapper-license-key"
+```
+
+**Alternative Setup (appsettings.Development.json):**
+1. Open `colaflow-api/src/ColaFlow.API/appsettings.Development.json`
+2. Replace `YOUR_MEDIATR_LICENSE_KEY_HERE` with your actual license key
+3. Replace `YOUR_AUTOMAPPER_LICENSE_KEY_HERE` with your actual license key
+
+### 2. Verify API Startup
+
+```bash
+cd colaflow-api/src/ColaFlow.API
+dotnet run
+```
+
+**Expected Result:**
+- API starts without license warnings
+- No errors in console logs
+
+### 3. Database Migration (If Needed)
+
+```bash
+cd colaflow-api/src/ColaFlow.API
+dotnet ef database update
+```
+
+---
+
+## Breaking Changes
+
+### MediatR 13.x
+- ❌ `MediatR.Extensions.Microsoft.DependencyInjection` package removed
+- ✅ Registration syntax changed to configuration-based approach
+- ✅ License key now required for commercial use
+
+### AutoMapper 15.x
+- ❌ `AutoMapper.Extensions.Microsoft.DependencyInjection` package removed
+- ✅ Backward compatible - no code changes required for ColaFlow
+- ✅ License key required for commercial use (when used)
+
+---
+
+## Compatibility
+
+- ✅ **.NET 9.0** - Fully compatible
+- ✅ **NestJS/TypeScript Backend** - Not affected (already using latest)
+- ✅ **PostgreSQL** - No changes required
+- ✅ **Redis** - No changes required
+- ✅ **Existing Data** - No migration required
+
+---
+
+## Rollback Instructions (If Needed)
+
+If issues arise, you can rollback by reverting these changes:
+
+### 1. Revert Package References
+Edit the three `.csproj` files and change:
+```xml
+<!-- Rollback to v11.x/v12.x -->
+<PackageReference Include="MediatR" Version="11.1.0" />
+<PackageReference Include="MediatR.Extensions.Microsoft.DependencyInjection" Version="11.1.0" />
+<PackageReference Include="AutoMapper" Version="12.0.1" />
+<PackageReference Include="AutoMapper.Extensions.Microsoft.DependencyInjection" Version="12.0.1" />
+```
+
+### 2. Revert Registration Code
+In `ModuleExtensions.cs`:
+```csharp
+services.AddMediatR(typeof(CreateProjectCommand).Assembly);
+```
+
+### 3. Restore and Build
+```bash
+dotnet clean
+dotnet restore
+dotnet build
+```
+
+---
+
+## Performance Notes
+
+### MediatR 13.x Improvements:
+- Improved reflection caching
+- Better source generation support
+- Reduced memory allocations
+
+### AutoMapper 15.x Improvements:
+- Enhanced mapping performance
+- Better LINQ projection support
+- Improved compilation caching
+
+**Expected Impact:** No noticeable performance regression. Potential minor performance gains in high-throughput scenarios.
+
+---
+
+## Support & Documentation
+
+- **License Key Setup Guide:** `LICENSE-KEYS-SETUP.md`
+- **MediatR Documentation:** https://www.mediator.dev/
+- **AutoMapper Documentation:** https://www.automapper.org/
+- **ColaFlow Project Plan:** `product.md`
+
+---
+
+## Conclusion
+
+✅ **Upgrade Status:** SUCCESSFUL
+✅ **Build Status:** PASSING
+✅ **Test Status:** ALL TESTS PASSING (202/202)
+✅ **License Warnings:** NONE
+
+The upgrade to MediatR 13.1.0 and AutoMapper 15.1.0 is complete and verified. Users need to configure their license keys as per the `LICENSE-KEYS-SETUP.md` guide before running the API.
+
+---
+
+**Upgrade Performed By:** Backend Agent (Claude Agent SDK)
+**Date:** 2025-11-03
+**Verification:** Automated Build & Test Suite

colaflow-api/src/ColaFlow.API/ColaFlow.API.csproj

@@ -23,7 +23,7 @@
   </ItemGroup>
 
   <ItemGroup>
-    <PackageReference Include="MediatR" Version="11.1.0" />
+    <PackageReference Include="MediatR" Version="13.1.0" />
     <PackageReference Include="FluentValidation.DependencyInjectionExtensions" Version="11.10.0" />
   </ItemGroup>
 

colaflow-api/src/ColaFlow.API/Controllers/StoriesController.cs

@@ -0,0 +1,190 @@
+using MediatR;
+using Microsoft.AspNetCore.Mvc;
+using ColaFlow.Modules.ProjectManagement.Application.DTOs;
+using ColaFlow.Modules.ProjectManagement.Application.Commands.CreateStory;
+using ColaFlow.Modules.ProjectManagement.Application.Commands.UpdateStory;
+using ColaFlow.Modules.ProjectManagement.Application.Commands.DeleteStory;
+using ColaFlow.Modules.ProjectManagement.Application.Commands.AssignStory;
+using ColaFlow.Modules.ProjectManagement.Application.Queries.GetStoryById;
+using ColaFlow.Modules.ProjectManagement.Application.Queries.GetStoriesByEpicId;
+using ColaFlow.Modules.ProjectManagement.Application.Queries.GetStoriesByProjectId;
+
+namespace ColaFlow.API.Controllers;
+
+/// <summary>
+/// Stories API Controller
+/// </summary>
+[ApiController]
+[Route("api/v1")]
+public class StoriesController : ControllerBase
+{
+    private readonly IMediator _mediator;
+
+    public StoriesController(IMediator mediator)
+    {
+        _mediator = mediator ?? throw new ArgumentNullException(nameof(mediator));
+    }
+
+    /// <summary>
+    /// Get story by ID
+    /// </summary>
+    [HttpGet("stories/{id:guid}")]
+    [ProducesResponseType(typeof(StoryDto), StatusCodes.Status200OK)]
+    [ProducesResponseType(StatusCodes.Status404NotFound)]
+    public async Task<IActionResult> GetStory(Guid id, CancellationToken cancellationToken = default)
+    {
+        var query = new GetStoryByIdQuery(id);
+        var result = await _mediator.Send(query, cancellationToken);
+        return Ok(result);
+    }
+
+    /// <summary>
+    /// Get all stories for an epic
+    /// </summary>
+    [HttpGet("epics/{epicId:guid}/stories")]
+    [ProducesResponseType(typeof(List<StoryDto>), StatusCodes.Status200OK)]
+    [ProducesResponseType(StatusCodes.Status404NotFound)]
+    public async Task<IActionResult> GetEpicStories(Guid epicId, CancellationToken cancellationToken = default)
+    {
+        var query = new GetStoriesByEpicIdQuery(epicId);
+        var result = await _mediator.Send(query, cancellationToken);
+        return Ok(result);
+    }
+
+    /// <summary>
+    /// Get all stories for a project
+    /// </summary>
+    [HttpGet("projects/{projectId:guid}/stories")]
+    [ProducesResponseType(typeof(List<StoryDto>), StatusCodes.Status200OK)]
+    [ProducesResponseType(StatusCodes.Status404NotFound)]
+    public async Task<IActionResult> GetProjectStories(Guid projectId, CancellationToken cancellationToken = default)
+    {
+        var query = new GetStoriesByProjectIdQuery(projectId);
+        var result = await _mediator.Send(query, cancellationToken);
+        return Ok(result);
+    }
+
+    /// <summary>
+    /// Create a new story
+    /// </summary>
+    [HttpPost("epics/{epicId:guid}/stories")]
+    [ProducesResponseType(typeof(StoryDto), StatusCodes.Status201Created)]
+    [ProducesResponseType(StatusCodes.Status400BadRequest)]
+    [ProducesResponseType(StatusCodes.Status404NotFound)]
+    public async Task<IActionResult> CreateStory(
+        Guid epicId,
+        [FromBody] CreateStoryRequest request,
+        CancellationToken cancellationToken = default)
+    {
+        var command = new CreateStoryCommand
+        {
+            EpicId = epicId,
+            Title = request.Title,
+            Description = request.Description,
+            Priority = request.Priority,
+            AssigneeId = request.AssigneeId,
+            EstimatedHours = request.EstimatedHours,
+            CreatedBy = request.CreatedBy
+        };
+
+        var result = await _mediator.Send(command, cancellationToken);
+        return CreatedAtAction(nameof(GetStory), new { id = result.Id }, result);
+    }
+
+    /// <summary>
+    /// Update an existing story
+    /// </summary>
+    [HttpPut("stories/{id:guid}")]
+    [ProducesResponseType(typeof(StoryDto), StatusCodes.Status200OK)]
+    [ProducesResponseType(StatusCodes.Status400BadRequest)]
+    [ProducesResponseType(StatusCodes.Status404NotFound)]
+    public async Task<IActionResult> UpdateStory(
+        Guid id,
+        [FromBody] UpdateStoryRequest request,
+        CancellationToken cancellationToken = default)
+    {
+        var command = new UpdateStoryCommand
+        {
+            StoryId = id,
+            Title = request.Title,
+            Description = request.Description,
+            Status = request.Status,
+            Priority = request.Priority,
+            AssigneeId = request.AssigneeId,
+            EstimatedHours = request.EstimatedHours
+        };
+
+        var result = await _mediator.Send(command, cancellationToken);
+        return Ok(result);
+    }
+
+    /// <summary>
+    /// Delete a story
+    /// </summary>
+    [HttpDelete("stories/{id:guid}")]
+    [ProducesResponseType(StatusCodes.Status204NoContent)]
+    [ProducesResponseType(StatusCodes.Status404NotFound)]
+    [ProducesResponseType(StatusCodes.Status400BadRequest)]
+    public async Task<IActionResult> DeleteStory(Guid id, CancellationToken cancellationToken = default)
+    {
+        var command = new DeleteStoryCommand { StoryId = id };
+        await _mediator.Send(command, cancellationToken);
+        return NoContent();
+    }
+
+    /// <summary>
+    /// Assign a story to a user
+    /// </summary>
+    [HttpPut("stories/{id:guid}/assign")]
+    [ProducesResponseType(typeof(StoryDto), StatusCodes.Status200OK)]
+    [ProducesResponseType(StatusCodes.Status400BadRequest)]
+    [ProducesResponseType(StatusCodes.Status404NotFound)]
+    public async Task<IActionResult> AssignStory(
+        Guid id,
+        [FromBody] AssignStoryRequest request,
+        CancellationToken cancellationToken = default)
+    {
+        var command = new AssignStoryCommand
+        {
+            StoryId = id,
+            AssigneeId = request.AssigneeId
+        };
+
+        var result = await _mediator.Send(command, cancellationToken);
+        return Ok(result);
+    }
+}
+
+/// <summary>
+/// Request model for creating a story
+/// </summary>
+public record CreateStoryRequest
+{
+    public string Title { get; init; } = string.Empty;
+    public string Description { get; init; } = string.Empty;
+    public string Priority { get; init; } = "Medium";
+    public Guid? AssigneeId { get; init; }
+    public decimal? EstimatedHours { get; init; }
+    public Guid CreatedBy { get; init; }
+}
+
+/// <summary>
+/// Request model for updating a story
+/// </summary>
+public record UpdateStoryRequest
+{
+    public string Title { get; init; } = string.Empty;
+    public string Description { get; init; } = string.Empty;
+    public string? Status { get; init; }
+    public string? Priority { get; init; }
+    public Guid? AssigneeId { get; init; }
+    public decimal? EstimatedHours { get; init; }
+}
+
+/// <summary>
+/// Request model for assigning a story
+/// </summary>
+public record AssignStoryRequest
+{
+    public Guid AssigneeId { get; init; }
+}

colaflow-api/src/ColaFlow.API/Controllers/TasksController.cs

@@ -0,0 +1,230 @@
+using MediatR;
+using Microsoft.AspNetCore.Mvc;
+using ColaFlow.Modules.ProjectManagement.Application.DTOs;
+using ColaFlow.Modules.ProjectManagement.Application.Commands.CreateTask;
+using ColaFlow.Modules.ProjectManagement.Application.Commands.UpdateTask;
+using ColaFlow.Modules.ProjectManagement.Application.Commands.DeleteTask;
+using ColaFlow.Modules.ProjectManagement.Application.Commands.AssignTask;
+using ColaFlow.Modules.ProjectManagement.Application.Commands.UpdateTaskStatus;
+using ColaFlow.Modules.ProjectManagement.Application.Queries.GetTaskById;
+using ColaFlow.Modules.ProjectManagement.Application.Queries.GetTasksByStoryId;
+using ColaFlow.Modules.ProjectManagement.Application.Queries.GetTasksByProjectId;
+
+namespace ColaFlow.API.Controllers;
+
+/// <summary>
+/// Tasks API Controller
+/// </summary>
+[ApiController]
+[Route("api/v1")]
+public class TasksController : ControllerBase
+{
+    private readonly IMediator _mediator;
+
+    public TasksController(IMediator mediator)
+    {
+        _mediator = mediator ?? throw new ArgumentNullException(nameof(mediator));
+    }
+
+    /// <summary>
+    /// Get task by ID
+    /// </summary>
+    [HttpGet("tasks/{id:guid}")]
+    [ProducesResponseType(typeof(TaskDto), StatusCodes.Status200OK)]
+    [ProducesResponseType(StatusCodes.Status404NotFound)]
+    public async Task<IActionResult> GetTask(Guid id, CancellationToken cancellationToken = default)
+    {
+        var query = new GetTaskByIdQuery(id);
+        var result = await _mediator.Send(query, cancellationToken);
+        return Ok(result);
+    }
+
+    /// <summary>
+    /// Get all tasks for a story
+    /// </summary>
+    [HttpGet("stories/{storyId:guid}/tasks")]
+    [ProducesResponseType(typeof(List<TaskDto>), StatusCodes.Status200OK)]
+    [ProducesResponseType(StatusCodes.Status404NotFound)]
+    public async Task<IActionResult> GetStoryTasks(Guid storyId, CancellationToken cancellationToken = default)
+    {
+        var query = new GetTasksByStoryIdQuery(storyId);
+        var result = await _mediator.Send(query, cancellationToken);
+        return Ok(result);
+    }
+
+    /// <summary>
+    /// Get all tasks for a project (for Kanban board)
+    /// </summary>
+    [HttpGet("projects/{projectId:guid}/tasks")]
+    [ProducesResponseType(typeof(List<TaskDto>), StatusCodes.Status200OK)]
+    [ProducesResponseType(StatusCodes.Status404NotFound)]
+    public async Task<IActionResult> GetProjectTasks(
+        Guid projectId,
+        [FromQuery] string? status = null,
+        [FromQuery] Guid? assigneeId = null,
+        CancellationToken cancellationToken = default)
+    {
+        var query = new GetTasksByProjectIdQuery
+        {
+            ProjectId = projectId,
+            Status = status,
+            AssigneeId = assigneeId
+        };
+        var result = await _mediator.Send(query, cancellationToken);
+        return Ok(result);
+    }
+
+    /// <summary>
+    /// Create a new task
+    /// </summary>
+    [HttpPost("stories/{storyId:guid}/tasks")]
+    [ProducesResponseType(typeof(TaskDto), StatusCodes.Status201Created)]
+    [ProducesResponseType(StatusCodes.Status400BadRequest)]
+    [ProducesResponseType(StatusCodes.Status404NotFound)]
+    public async Task<IActionResult> CreateTask(
+        Guid storyId,
+        [FromBody] CreateTaskRequest request,
+        CancellationToken cancellationToken = default)
+    {
+        var command = new CreateTaskCommand
+        {
+            StoryId = storyId,
+            Title = request.Title,
+            Description = request.Description,
+            Priority = request.Priority,
+            EstimatedHours = request.EstimatedHours,
+            AssigneeId = request.AssigneeId,
+            CreatedBy = request.CreatedBy
+        };
+
+        var result = await _mediator.Send(command, cancellationToken);
+        return CreatedAtAction(nameof(GetTask), new { id = result.Id }, result);
+    }
+
+    /// <summary>
+    /// Update an existing task
+    /// </summary>
+    [HttpPut("tasks/{id:guid}")]
+    [ProducesResponseType(typeof(TaskDto), StatusCodes.Status200OK)]
+    [ProducesResponseType(StatusCodes.Status400BadRequest)]
+    [ProducesResponseType(StatusCodes.Status404NotFound)]
+    public async Task<IActionResult> UpdateTask(
+        Guid id,
+        [FromBody] UpdateTaskRequest request,
+        CancellationToken cancellationToken = default)
+    {
+        var command = new UpdateTaskCommand
+        {
+            TaskId = id,
+            Title = request.Title,
+            Description = request.Description,
+            Status = request.Status,
+            Priority = request.Priority,
+            EstimatedHours = request.EstimatedHours,
+            AssigneeId = request.AssigneeId
+        };
+
+        var result = await _mediator.Send(command, cancellationToken);
+        return Ok(result);
+    }
+
+    /// <summary>
+    /// Delete a task
+    /// </summary>
+    [HttpDelete("tasks/{id:guid}")]
+    [ProducesResponseType(StatusCodes.Status204NoContent)]
+    [ProducesResponseType(StatusCodes.Status404NotFound)]
+    [ProducesResponseType(StatusCodes.Status400BadRequest)]
+    public async Task<IActionResult> DeleteTask(Guid id, CancellationToken cancellationToken = default)
+    {
+        var command = new DeleteTaskCommand { TaskId = id };
+        await _mediator.Send(command, cancellationToken);
+        return NoContent();
+    }
+
+    /// <summary>
+    /// Assign a task to a user
+    /// </summary>
+    [HttpPut("tasks/{id:guid}/assign")]
+    [ProducesResponseType(typeof(TaskDto), StatusCodes.Status200OK)]
+    [ProducesResponseType(StatusCodes.Status400BadRequest)]
+    [ProducesResponseType(StatusCodes.Status404NotFound)]
+    public async Task<IActionResult> AssignTask(
+        Guid id,
+        [FromBody] AssignTaskRequest request,
+        CancellationToken cancellationToken = default)
+    {
+        var command = new AssignTaskCommand
+        {
+            TaskId = id,
+            AssigneeId = request.AssigneeId
+        };
+
+        var result = await _mediator.Send(command, cancellationToken);
+        return Ok(result);
+    }
+
+    /// <summary>
+    /// Update task status (for Kanban board drag & drop)
+    /// </summary>
+    [HttpPut("tasks/{id:guid}/status")]
+    [ProducesResponseType(typeof(TaskDto), StatusCodes.Status200OK)]
+    [ProducesResponseType(StatusCodes.Status400BadRequest)]
+    [ProducesResponseType(StatusCodes.Status404NotFound)]
+    public async Task<IActionResult> UpdateTaskStatus(
+        Guid id,
+        [FromBody] UpdateTaskStatusRequest request,
+        CancellationToken cancellationToken = default)
+    {
+        var command = new UpdateTaskStatusCommand
+        {
+            TaskId = id,
+            NewStatus = request.NewStatus
+        };
+
+        var result = await _mediator.Send(command, cancellationToken);
+        return Ok(result);
+    }
+}
+
+/// <summary>
+/// Request model for creating a task
+/// </summary>
+public record CreateTaskRequest
+{
+    public string Title { get; init; } = string.Empty;
+    public string Description { get; init; } = string.Empty;
+    public string Priority { get; init; } = "Medium";
+    public decimal? EstimatedHours { get; init; }
+    public Guid? AssigneeId { get; init; }
+    public Guid CreatedBy { get; init; }
+}
+
+/// <summary>
+/// Request model for updating a task
+/// </summary>
+public record UpdateTaskRequest
+{
+    public string Title { get; init; } = string.Empty;
+    public string Description { get; init; } = string.Empty;
+    public string? Status { get; init; }
+    public string? Priority { get; init; }
+    public decimal? EstimatedHours { get; init; }
+    public Guid? AssigneeId { get; init; }
+}
+
+/// <summary>
+/// Request model for assigning a task
+/// </summary>
+public record AssignTaskRequest
+{
+    public Guid? AssigneeId { get; init; }
+}
+
+/// <summary>
+/// Request model for updating task status
+/// </summary>
+public record UpdateTaskStatusRequest
+{
+    public string NewStatus { get; init; } = string.Empty;
+}

colaflow-api/src/ColaFlow.API/Extensions/ModuleExtensions.cs

@@ -30,8 +30,12 @@ public static class ModuleExtensions
         services.AddScoped<IProjectRepository, ProjectRepository>();
         services.AddScoped<IUnitOfWork, UnitOfWork>();
 
-        // Register MediatR handlers from Application assembly
+        // Register MediatR handlers from Application assembly (v13.x syntax)
-        services.AddMediatR(typeof(CreateProjectCommand).Assembly);
+        services.AddMediatR(cfg =>
+        {
+            cfg.LicenseKey = configuration["MediatR:LicenseKey"];
+            cfg.RegisterServicesFromAssembly(typeof(CreateProjectCommand).Assembly);
+        });
 
         // Register FluentValidation validators
         services.AddValidatorsFromAssembly(typeof(CreateProjectCommand).Assembly);

colaflow-api/src/ColaFlow.API/Handlers/GlobalExceptionHandler.cs

@@ -0,0 +1,130 @@
+using System.Diagnostics;
+using FluentValidation;
+using Microsoft.AspNetCore.Diagnostics;
+using Microsoft.AspNetCore.Mvc;
+using ColaFlow.Modules.ProjectManagement.Domain.Exceptions;
+
+namespace ColaFlow.API.Handlers;
+
+/// <summary>
+/// Global exception handler using IExceptionHandler (.NET 8+)
+/// Handles all unhandled exceptions and converts them to ProblemDetails responses
+/// </summary>
+public sealed class GlobalExceptionHandler : IExceptionHandler
+{
+    private readonly ILogger<GlobalExceptionHandler> _logger;
+
+    public GlobalExceptionHandler(ILogger<GlobalExceptionHandler> logger)
+    {
+        _logger = logger ?? throw new ArgumentNullException(nameof(logger));
+    }
+
+    public async ValueTask<bool> TryHandleAsync(
+        HttpContext httpContext,
+        Exception exception,
+        CancellationToken cancellationToken)
+    {
+        // Log with appropriate level based on exception type
+        if (exception is ValidationException or DomainException or NotFoundException)
+        {
+            _logger.LogWarning(exception, "Client error occurred: {Message}", exception.Message);
+        }
+        else
+        {
+            _logger.LogError(exception, "Internal server error occurred: {Message}", exception.Message);
+        }
+
+        var problemDetails = exception switch
+        {
+            ValidationException validationEx => CreateValidationProblemDetails(httpContext, validationEx),
+            DomainException domainEx => CreateDomainProblemDetails(httpContext, domainEx),
+            NotFoundException notFoundEx => CreateNotFoundProblemDetails(httpContext, notFoundEx),
+            _ => CreateInternalServerErrorProblemDetails(httpContext, exception)
+        };
+
+        httpContext.Response.StatusCode = problemDetails.Status ?? StatusCodes.Status500InternalServerError;
+        await httpContext.Response.WriteAsJsonAsync(problemDetails, cancellationToken);
+
+        return true; // Exception handled
+    }
+
+    private static ProblemDetails CreateValidationProblemDetails(
+        HttpContext context,
+        ValidationException exception)
+    {
+        var errors = exception.Errors
+            .GroupBy(e => e.PropertyName)
+            .ToDictionary(
+                g => g.Key,
+                g => g.Select(e => e.ErrorMessage).ToArray()
+            );
+
+        return new ProblemDetails
+        {
+            Type = "https://tools.ietf.org/html/rfc7231#section-6.5.1",
+            Title = "Validation Error",
+            Status = StatusCodes.Status400BadRequest,
+            Detail = "One or more validation errors occurred.",
+            Instance = context.Request.Path,
+            Extensions =
+            {
+                ["traceId"] = Activity.Current?.Id ?? context.TraceIdentifier,
+                ["errors"] = errors
+            }
+        };
+    }
+
+    private static ProblemDetails CreateDomainProblemDetails(
+        HttpContext context,
+        DomainException exception)
+    {
+        return new ProblemDetails
+        {
+            Type = "https://tools.ietf.org/html/rfc7231#section-6.5.1",
+            Title = "Domain Error",
+            Status = StatusCodes.Status400BadRequest,
+            Detail = exception.Message,
+            Instance = context.Request.Path,
+            Extensions =
+            {
+                ["traceId"] = Activity.Current?.Id ?? context.TraceIdentifier
+            }
+        };
+    }
+
+    private static ProblemDetails CreateNotFoundProblemDetails(
+        HttpContext context,
+        NotFoundException exception)
+    {
+        return new ProblemDetails
+        {
+            Type = "https://tools.ietf.org/html/rfc7231#section-6.5.4",
+            Title = "Resource Not Found",
+            Status = StatusCodes.Status404NotFound,
+            Detail = exception.Message,
+            Instance = context.Request.Path,
+            Extensions =
+            {
+                ["traceId"] = Activity.Current?.Id ?? context.TraceIdentifier
+            }
+        };
+    }
+
+    private static ProblemDetails CreateInternalServerErrorProblemDetails(
+        HttpContext context,
+        Exception exception)
+    {
+        return new ProblemDetails
+        {
+            Type = "https://tools.ietf.org/html/rfc7231#section-6.6.1",
+            Title = "Internal Server Error",
+            Status = StatusCodes.Status500InternalServerError,
+            Detail = "An unexpected error occurred. Please contact support if the problem persists.",
+            Instance = context.Request.Path,
+            Extensions =
+            {
+                ["traceId"] = Activity.Current?.Id ?? context.TraceIdentifier
+            }
+        };
+    }
+}

colaflow-api/src/ColaFlow.API/Middleware/GlobalExceptionHandlerMiddleware.cs

@@ -1,96 +0,0 @@
-using System.Net;
-using System.Text.Json;
-using FluentValidation;
-using ColaFlow.Modules.ProjectManagement.Domain.Exceptions;
-
-namespace ColaFlow.API.Middleware;
-
-/// <summary>
-/// Global exception handler middleware
-/// </summary>
-public class GlobalExceptionHandlerMiddleware
-{
-    private readonly RequestDelegate _next;
-    private readonly ILogger<GlobalExceptionHandlerMiddleware> _logger;
-
-    public GlobalExceptionHandlerMiddleware(
-        RequestDelegate next,
-        ILogger<GlobalExceptionHandlerMiddleware> logger)
-    {
-        _next = next ?? throw new ArgumentNullException(nameof(next));
-        _logger = logger ?? throw new ArgumentNullException(nameof(logger));
-    }
-
-    public async Task InvokeAsync(HttpContext context)
-    {
-        try
-        {
-            await _next(context);
-        }
-        catch (Exception ex)
-        {
-            await HandleExceptionAsync(context, ex);
-        }
-    }
-
-    private async Task HandleExceptionAsync(HttpContext context, Exception exception)
-    {
-        context.Response.ContentType = "application/json";
-
-        var (statusCode, response) = exception switch
-        {
-            ValidationException validationEx => (
-                StatusCodes.Status400BadRequest,
-                new
-                {
-                    StatusCode = StatusCodes.Status400BadRequest,
-                    Message = "Validation failed",
-                    Errors = validationEx.Errors.Select(e => new
-                    {
-                        Property = e.PropertyName,
-                        Message = e.ErrorMessage
-                    })
-                }),
-            DomainException domainEx => (
-                StatusCodes.Status400BadRequest,
-                new
-                {
-                    StatusCode = StatusCodes.Status400BadRequest,
-                    Message = domainEx.Message
-                }),
-            NotFoundException notFoundEx => (
-                StatusCodes.Status404NotFound,
-                new
-                {
-                    StatusCode = StatusCodes.Status404NotFound,
-                    Message = notFoundEx.Message
-                }),
-            _ => (
-                StatusCodes.Status500InternalServerError,
-                new
-                {
-                    StatusCode = StatusCodes.Status500InternalServerError,
-                    Message = "An internal server error occurred"
-                })
-        };
-
-        context.Response.StatusCode = statusCode;
-
-        // Log with appropriate level
-        if (statusCode >= 500)
-        {
-            _logger.LogError(exception, "Internal server error occurred: {Message}", exception.Message);
-        }
-        else if (statusCode >= 400)
-        {
-            _logger.LogWarning(exception, "Client error occurred: {Message}", exception.Message);
-        }
-
-        var jsonResponse = JsonSerializer.Serialize(response, new JsonSerializerOptions
-        {
-            PropertyNamingPolicy = JsonNamingPolicy.CamelCase
-        });
-
-        await context.Response.WriteAsync(jsonResponse);
-    }
-}

colaflow-api/src/ColaFlow.API/Program.cs

@@ -1,5 +1,5 @@
 using ColaFlow.API.Extensions;
-using ColaFlow.API.Middleware;
+using ColaFlow.API.Handlers;
 using Scalar.AspNetCore;
 
 var builder = WebApplication.CreateBuilder(args);
@@ -10,6 +10,10 @@ builder.Services.AddProjectManagementModule(builder.Configuration);
 // Add controllers
 builder.Services.AddControllers();
 
+// Configure exception handling (IExceptionHandler - .NET 8+)
+builder.Services.AddExceptionHandler<GlobalExceptionHandler>();
+builder.Services.AddProblemDetails();
+
 // Configure CORS for frontend
 builder.Services.AddCors(options =>
 {
@@ -34,7 +38,7 @@ if (app.Environment.IsDevelopment())
 }
 
 // Global exception handler (should be first in pipeline)
-app.UseMiddleware<GlobalExceptionHandlerMiddleware>();
+app.UseExceptionHandler();
 
 // Enable CORS
 app.UseCors("AllowFrontend");

colaflow-api/src/ColaFlow.API/appsettings.Development.json

@@ -2,6 +2,12 @@
   "ConnectionStrings": {
     "PMDatabase": "Host=localhost;Port=5432;Database=colaflow_pm;Username=colaflow;Password=colaflow_dev_password"
   },
+  "MediatR": {
+    "LicenseKey": "eyJhbGciOiJSUzI1NiIsImtpZCI6Ikx1Y2t5UGVubnlTb2Z0d2FyZUxpY2Vuc2VLZXkvYmJiMTNhY2I1OTkwNGQ4OWI0Y2IxYzg1ZjA4OGNjZjkiLCJ0eXAiOiJKV1QifQ.eyJpc3MiOiJodHRwczovL2x1Y2t5cGVubnlzb2Z0d2FyZS5jb20iLCJhdWQiOiJMdWNreVBlbm55U29mdHdhcmUiLCJleHAiOiIxNzkzNTc3NjAwIiwiaWF0IjoiMTc2MjEyNTU2MiIsImFjY291bnRfaWQiOiIwMTlhNDZkZGZiZjk3YTk4Yjg1ZTVmOTllNWRhZjIwNyIsImN1c3RvbWVyX2lkIjoiY3RtXzAxazkzZHdnOG0weDByanp3Mm5rM2dxeDExIiwic3ViX2lkIjoiLSIsImVkaXRpb24iOiIwIiwidHlwZSI6IjIifQ.V45vUlze27pQG3Vs9dvagyUTSp-a74ymB6I0TIGD_NwFt1mMMPsuVXOKH1qK7A7V5qDQBvYyryzJy8xRE1rRKq2MJKgyfYjvzuGkpBbKbM6JRQPYknb5tjF-Rf3LAeWp73FiqbPZOPt5saCsoKqUHej-4zcKg5GA4y-PpGaGAONKyqwK9G2rvc1BUHfEnHKRMr0pprA5W1Yx-Lry85KOckUsI043HGOdfbubnGdAZs74FKvrV2qVir6K6VsZjWwX8IFnl1CzxjICa5MxyHOAVpXRnRtMt6fpsA1fMstFuRjq_2sbqGfsTv6LyCzLPnXdmU5DnWZHUcjy0xlAT_f0aw"
+  },
+  "AutoMapper": {
+    "LicenseKey": "eyJhbGciOiJSUzI1NiIsImtpZCI6Ikx1Y2t5UGVubnlTb2Z0d2FyZUxpY2Vuc2VLZXkvYmJiMTNhY2I1OTkwNGQ4OWI0Y2IxYzg1ZjA4OGNjZjkiLCJ0eXAiOiJKV1QifQ.eyJpc3MiOiJodHRwczovL2x1Y2t5cGVubnlzb2Z0d2FyZS5jb20iLCJhdWQiOiJMdWNreVBlbm55U29mdHdhcmUiLCJleHAiOiIxNzkzNTc3NjAwIiwiaWF0IjoiMTc2MjEyNTU2MiIsImFjY291bnRfaWQiOiIwMTlhNDZkZGZiZjk3YTk4Yjg1ZTVmOTllNWRhZjIwNyIsImN1c3RvbWVyX2lkIjoiY3RtXzAxazkzZHdnOG0weDByanp3Mm5rM2dxeDExIiwic3ViX2lkIjoiLSIsImVkaXRpb24iOiIwIiwidHlwZSI6IjIifQ.V45vUlze27pQG3Vs9dvagyUTSp-a74ymB6I0TIGD_NwFt1mMMPsuVXOKH1qK7A7V5qDQBvYyryzJy8xRE1rRKq2MJKgyfYjvzuGkpBbKbM6JRQPYknb5tjF-Rf3LAeWp73FiqbPZOPt5saCsoKqUHej-4zcKg5GA4y-PpGaGAONKyqwK9G2rvc1BUHfEnHKRMr0pprA5W1Yx-Lry85KOckUsI043HGOdfbubnGdAZs74FKvrV2qVir6K6VsZjWwX8IFnl1CzxjICa5MxyHOAVpXRnRtMt6fpsA1fMstFuRjq_2sbqGfsTv6LyCzLPnXdmU5DnWZHUcjy0xlAT_f0aw"
+  },
   "Logging": {
     "LogLevel": {
       "Default": "Information",

colaflow-api/src/ColaFlow.Application/ColaFlow.Application.csproj

@@ -5,11 +5,10 @@
   </ItemGroup>
 
   <ItemGroup>
-    <PackageReference Include="AutoMapper" Version="12.0.1" />
+    <PackageReference Include="AutoMapper" Version="15.1.0" />
-    <PackageReference Include="AutoMapper.Extensions.Microsoft.DependencyInjection" Version="12.0.1" />
     <PackageReference Include="FluentValidation" Version="12.0.0" />
     <PackageReference Include="FluentValidation.DependencyInjectionExtensions" Version="12.0.0" />
-    <PackageReference Include="MediatR" Version="11.1.0" />
+    <PackageReference Include="MediatR" Version="13.1.0" />
   </ItemGroup>
 
   <PropertyGroup>

colaflow-api/src/Modules/ProjectManagement/ColaFlow.Modules.ProjectManagement.Application/ColaFlow.Modules.ProjectManagement.Application.csproj

@@ -7,8 +7,7 @@
   </ItemGroup>
 
   <ItemGroup>
-    <PackageReference Include="MediatR" Version="11.1.0" />
+    <PackageReference Include="MediatR" Version="13.1.0" />
-    <PackageReference Include="MediatR.Extensions.Microsoft.DependencyInjection" Version="11.1.0" />
     <PackageReference Include="FluentValidation" Version="11.10.0" />
     <PackageReference Include="FluentValidation.DependencyInjectionExtensions" Version="11.10.0" />
   </ItemGroup>

colaflow-api/src/Modules/ProjectManagement/ColaFlow.Modules.ProjectManagement.Application/Commands/AssignStory/AssignStoryCommand.cs

@@ -0,0 +1,13 @@
+using MediatR;
+using ColaFlow.Modules.ProjectManagement.Application.DTOs;
+
+namespace ColaFlow.Modules.ProjectManagement.Application.Commands.AssignStory;
+
+/// <summary>
+/// Command to assign a Story to a user
+/// </summary>
+public sealed record AssignStoryCommand : IRequest<StoryDto>
+{
+    public Guid StoryId { get; init; }
+    public Guid AssigneeId { get; init; }
+}

colaflow-api/src/Modules/ProjectManagement/ColaFlow.Modules.ProjectManagement.Application/Commands/AssignStory/AssignStoryCommandHandler.cs

@@ -0,0 +1,82 @@
+using MediatR;
+using ColaFlow.Modules.ProjectManagement.Application.DTOs;
+using ColaFlow.Modules.ProjectManagement.Domain.Repositories;
+using ColaFlow.Modules.ProjectManagement.Domain.ValueObjects;
+using ColaFlow.Modules.ProjectManagement.Domain.Exceptions;
+
+namespace ColaFlow.Modules.ProjectManagement.Application.Commands.AssignStory;
+
+/// <summary>
+/// Handler for AssignStoryCommand
+/// </summary>
+public sealed class AssignStoryCommandHandler : IRequestHandler<AssignStoryCommand, StoryDto>
+{
+    private readonly IProjectRepository _projectRepository;
+    private readonly IUnitOfWork _unitOfWork;
+
+    public AssignStoryCommandHandler(
+        IProjectRepository projectRepository,
+        IUnitOfWork unitOfWork)
+    {
+        _projectRepository = projectRepository ?? throw new ArgumentNullException(nameof(projectRepository));
+        _unitOfWork = unitOfWork ?? throw new ArgumentNullException(nameof(unitOfWork));
+    }
+
+    public async Task<StoryDto> Handle(AssignStoryCommand request, CancellationToken cancellationToken)
+    {
+        // Get the project with story
+        var storyId = StoryId.From(request.StoryId);
+        var project = await _projectRepository.GetProjectWithStoryAsync(storyId, cancellationToken);
+
+        if (project == null)
+            throw new NotFoundException("Story", request.StoryId);
+
+        // Find the story
+        var story = project.Epics
+            .SelectMany(e => e.Stories)
+            .FirstOrDefault(s => s.Id.Value == request.StoryId);
+
+        if (story == null)
+            throw new NotFoundException("Story", request.StoryId);
+
+        // Assign to user
+        var assigneeId = UserId.From(request.AssigneeId);
+        story.AssignTo(assigneeId);
+
+        // Save changes
+        _projectRepository.Update(project);
+        await _unitOfWork.SaveChangesAsync(cancellationToken);
+
+        // Map to DTO
+        return new StoryDto
+        {
+            Id = story.Id.Value,
+            Title = story.Title,
+            Description = story.Description,
+            EpicId = story.EpicId.Value,
+            Status = story.Status.Name,
+            Priority = story.Priority.Name,
+            AssigneeId = story.AssigneeId?.Value,
+            EstimatedHours = story.EstimatedHours,
+            ActualHours = story.ActualHours,
+            CreatedBy = story.CreatedBy.Value,
+            CreatedAt = story.CreatedAt,
+            UpdatedAt = story.UpdatedAt,
+            Tasks = story.Tasks.Select(t => new TaskDto
+            {
+                Id = t.Id.Value,
+                Title = t.Title,
+                Description = t.Description,
+                StoryId = t.StoryId.Value,
+                Status = t.Status.Name,
+                Priority = t.Priority.Name,
+                AssigneeId = t.AssigneeId?.Value,
+                EstimatedHours = t.EstimatedHours,
+                ActualHours = t.ActualHours,
+                CreatedBy = t.CreatedBy.Value,
+                CreatedAt = t.CreatedAt,
+                UpdatedAt = t.UpdatedAt
+            }).ToList()
+        };
+    }
+}

colaflow-api/src/Modules/ProjectManagement/ColaFlow.Modules.ProjectManagement.Application/Commands/AssignStory/AssignStoryCommandValidator.cs

@@ -0,0 +1,18 @@
+using FluentValidation;
+
+namespace ColaFlow.Modules.ProjectManagement.Application.Commands.AssignStory;
+
+/// <summary>
+/// Validator for AssignStoryCommand
+/// </summary>
+public sealed class AssignStoryCommandValidator : AbstractValidator<AssignStoryCommand>
+{
+    public AssignStoryCommandValidator()
+    {
+        RuleFor(x => x.StoryId)
+            .NotEmpty().WithMessage("Story ID is required");
+
+        RuleFor(x => x.AssigneeId)
+            .NotEmpty().WithMessage("Assignee ID is required");
+    }
+}

colaflow-api/src/Modules/ProjectManagement/ColaFlow.Modules.ProjectManagement.Application/Commands/AssignTask/AssignTaskCommand.cs

@@ -0,0 +1,13 @@
+using MediatR;
+using ColaFlow.Modules.ProjectManagement.Application.DTOs;
+
+namespace ColaFlow.Modules.ProjectManagement.Application.Commands.AssignTask;
+
+/// <summary>
+/// Command to assign a Task to a user
+/// </summary>
+public sealed record AssignTaskCommand : IRequest<TaskDto>
+{
+    public Guid TaskId { get; init; }
+    public Guid? AssigneeId { get; init; }
+}

colaflow-api/src/Modules/ProjectManagement/ColaFlow.Modules.ProjectManagement.Application/Commands/AssignTask/AssignTaskCommandHandler.cs

@@ -0,0 +1,85 @@
+using MediatR;
+using ColaFlow.Modules.ProjectManagement.Application.DTOs;
+using ColaFlow.Modules.ProjectManagement.Domain.Repositories;
+using ColaFlow.Modules.ProjectManagement.Domain.ValueObjects;
+using ColaFlow.Modules.ProjectManagement.Domain.Exceptions;
+using ColaFlow.Modules.ProjectManagement.Domain.Aggregates.ProjectAggregate;
+
+namespace ColaFlow.Modules.ProjectManagement.Application.Commands.AssignTask;
+
+/// <summary>
+/// Handler for AssignTaskCommand
+/// </summary>
+public sealed class AssignTaskCommandHandler : IRequestHandler<AssignTaskCommand, TaskDto>
+{
+    private readonly IProjectRepository _projectRepository;
+    private readonly IUnitOfWork _unitOfWork;
+
+    public AssignTaskCommandHandler(
+        IProjectRepository projectRepository,
+        IUnitOfWork unitOfWork)
+    {
+        _projectRepository = projectRepository ?? throw new ArgumentNullException(nameof(projectRepository));
+        _unitOfWork = unitOfWork ?? throw new ArgumentNullException(nameof(unitOfWork));
+    }
+
+    public async Task<TaskDto> Handle(AssignTaskCommand request, CancellationToken cancellationToken)
+    {
+        // Get the project containing the task
+        var taskId = TaskId.From(request.TaskId);
+        var project = await _projectRepository.GetProjectWithTaskAsync(taskId, cancellationToken);
+
+        if (project == null)
+            throw new NotFoundException("Task", request.TaskId);
+
+        // Find the task within the project aggregate
+        WorkTask? task = null;
+        foreach (var epic in project.Epics)
+        {
+            foreach (var story in epic.Stories)
+            {
+                task = story.Tasks.FirstOrDefault(t => t.Id.Value == request.TaskId);
+                if (task != null)
+                    break;
+            }
+            if (task != null)
+                break;
+        }
+
+        if (task == null)
+            throw new NotFoundException("Task", request.TaskId);
+
+        // Assign task
+        if (request.AssigneeId.HasValue)
+        {
+            var assigneeId = UserId.From(request.AssigneeId.Value);
+            task.AssignTo(assigneeId);
+        }
+        else
+        {
+            // Unassign by setting to null - need to add this method to WorkTask
+            task.AssignTo(null!);
+        }
+
+        // Update project
+        _projectRepository.Update(project);
+        await _unitOfWork.SaveChangesAsync(cancellationToken);
+
+        // Map to DTO
+        return new TaskDto
+        {
+            Id = task.Id.Value,
+            Title = task.Title,
+            Description = task.Description,
+            StoryId = task.StoryId.Value,
+            Status = task.Status.Name,
+            Priority = task.Priority.Name,
+            AssigneeId = task.AssigneeId?.Value,
+            EstimatedHours = task.EstimatedHours,
+            ActualHours = task.ActualHours,
+            CreatedBy = task.CreatedBy.Value,
+            CreatedAt = task.CreatedAt,
+            UpdatedAt = task.UpdatedAt
+        };
+    }
+}

colaflow-api/src/Modules/ProjectManagement/ColaFlow.Modules.ProjectManagement.Application/Commands/AssignTask/AssignTaskCommandValidator.cs

@@ -0,0 +1,16 @@
+using FluentValidation;
+
+namespace ColaFlow.Modules.ProjectManagement.Application.Commands.AssignTask;
+
+/// <summary>
+/// Validator for AssignTaskCommand
+/// </summary>
+public sealed class AssignTaskCommandValidator : AbstractValidator<AssignTaskCommand>
+{
+    public AssignTaskCommandValidator()
+    {
+        RuleFor(x => x.TaskId)
+            .NotEmpty()
+            .WithMessage("TaskId is required");
+    }
+}

colaflow-api/src/Modules/ProjectManagement/ColaFlow.Modules.ProjectManagement.Application/Commands/CreateEpic/CreateEpicCommandHandler.cs

@@ -46,8 +46,8 @@ public sealed class CreateEpicCommandHandler : IRequestHandler<CreateEpicCommand
             Name = epic.Name,
             Description = epic.Description,
             ProjectId = epic.ProjectId.Value,
-            Status = epic.Status.Value,
+            Status = epic.Status.Name,
-            Priority = epic.Priority.Value,
+            Priority = epic.Priority.Name,
             CreatedBy = epic.CreatedBy.Value,
             CreatedAt = epic.CreatedAt,
             UpdatedAt = epic.UpdatedAt,

colaflow-api/src/Modules/ProjectManagement/ColaFlow.Modules.ProjectManagement.Application/Commands/CreateStory/CreateStoryCommand.cs

@@ -0,0 +1,18 @@
+using MediatR;
+using ColaFlow.Modules.ProjectManagement.Application.DTOs;
+
+namespace ColaFlow.Modules.ProjectManagement.Application.Commands.CreateStory;
+
+/// <summary>
+/// Command to create a new Story
+/// </summary>
+public sealed record CreateStoryCommand : IRequest<StoryDto>
+{
+    public Guid EpicId { get; init; }
+    public string Title { get; init; } = string.Empty;
+    public string Description { get; init; } = string.Empty;
+    public string Priority { get; init; } = "Medium";
+    public Guid? AssigneeId { get; init; }
+    public decimal? EstimatedHours { get; init; }
+    public Guid CreatedBy { get; init; }
+}

colaflow-api/src/Modules/ProjectManagement/ColaFlow.Modules.ProjectManagement.Application/Commands/CreateStory/CreateStoryCommandHandler.cs

@@ -0,0 +1,88 @@
+using MediatR;
+using ColaFlow.Modules.ProjectManagement.Application.DTOs;
+using ColaFlow.Modules.ProjectManagement.Domain.Repositories;
+using ColaFlow.Modules.ProjectManagement.Domain.ValueObjects;
+using ColaFlow.Modules.ProjectManagement.Domain.Exceptions;
+
+namespace ColaFlow.Modules.ProjectManagement.Application.Commands.CreateStory;
+
+/// <summary>
+/// Handler for CreateStoryCommand
+/// </summary>
+public sealed class CreateStoryCommandHandler : IRequestHandler<CreateStoryCommand, StoryDto>
+{
+    private readonly IProjectRepository _projectRepository;
+    private readonly IUnitOfWork _unitOfWork;
+
+    public CreateStoryCommandHandler(
+        IProjectRepository projectRepository,
+        IUnitOfWork unitOfWork)
+    {
+        _projectRepository = projectRepository ?? throw new ArgumentNullException(nameof(projectRepository));
+        _unitOfWork = unitOfWork ?? throw new ArgumentNullException(nameof(unitOfWork));
+    }
+
+    public async Task<StoryDto> Handle(CreateStoryCommand request, CancellationToken cancellationToken)
+    {
+        // Get the project with epic
+        var epicId = EpicId.From(request.EpicId);
+        var project = await _projectRepository.GetProjectWithEpicAsync(epicId, cancellationToken);
+
+        if (project == null)
+            throw new NotFoundException("Epic", request.EpicId);
+
+        // Find the epic
+        var epic = project.Epics.FirstOrDefault(e => e.Id.Value == request.EpicId);
+        if (epic == null)
+            throw new NotFoundException("Epic", request.EpicId);
+
+        // Parse priority
+        var priority = request.Priority switch
+        {
+            "Low" => TaskPriority.Low,
+            "Medium" => TaskPriority.Medium,
+            "High" => TaskPriority.High,
+            "Urgent" => TaskPriority.Urgent,
+            _ => TaskPriority.Medium
+        };
+
+        // Create story through epic
+        var createdById = UserId.From(request.CreatedBy);
+        var story = epic.CreateStory(request.Title, request.Description, priority, createdById);
+
+        // Assign if assignee provided
+        if (request.AssigneeId.HasValue)
+        {
+            var assigneeId = UserId.From(request.AssigneeId.Value);
+            story.AssignTo(assigneeId);
+        }
+
+        // Set estimated hours if provided
+        if (request.EstimatedHours.HasValue)
+        {
+            story.UpdateEstimate(request.EstimatedHours.Value);
+        }
+
+        // Update project (story is part of aggregate)
+        _projectRepository.Update(project);
+        await _unitOfWork.SaveChangesAsync(cancellationToken);
+
+        // Map to DTO
+        return new StoryDto
+        {
+            Id = story.Id.Value,
+            Title = story.Title,
+            Description = story.Description,
+            EpicId = story.EpicId.Value,
+            Status = story.Status.Name,
+            Priority = story.Priority.Name,
+            AssigneeId = story.AssigneeId?.Value,
+            EstimatedHours = story.EstimatedHours,
+            ActualHours = story.ActualHours,
+            CreatedBy = story.CreatedBy.Value,
+            CreatedAt = story.CreatedAt,
+            UpdatedAt = story.UpdatedAt,
+            Tasks = new List<TaskDto>()
+        };
+    }
+}

colaflow-api/src/Modules/ProjectManagement/ColaFlow.Modules.ProjectManagement.Application/Commands/CreateStory/CreateStoryCommandValidator.cs

@@ -0,0 +1,31 @@
+using FluentValidation;
+
+namespace ColaFlow.Modules.ProjectManagement.Application.Commands.CreateStory;
+
+/// <summary>
+/// Validator for CreateStoryCommand
+/// </summary>
+public sealed class CreateStoryCommandValidator : AbstractValidator<CreateStoryCommand>
+{
+    public CreateStoryCommandValidator()
+    {
+        RuleFor(x => x.EpicId)
+            .NotEmpty().WithMessage("Epic ID is required");
+
+        RuleFor(x => x.Title)
+            .NotEmpty().WithMessage("Story title is required")
+            .MaximumLength(200).WithMessage("Story title cannot exceed 200 characters");
+
+        RuleFor(x => x.Priority)
+            .NotEmpty().WithMessage("Priority is required")
+            .Must(p => p == "Low" || p == "Medium" || p == "High" || p == "Urgent")
+            .WithMessage("Priority must be one of: Low, Medium, High, Urgent");
+
+        RuleFor(x => x.EstimatedHours)
+            .GreaterThanOrEqualTo(0).When(x => x.EstimatedHours.HasValue)
+            .WithMessage("Estimated hours cannot be negative");
+
+        RuleFor(x => x.CreatedBy)
+            .NotEmpty().WithMessage("Created by user ID is required");
+    }
+}

colaflow-api/src/Modules/ProjectManagement/ColaFlow.Modules.ProjectManagement.Application/Commands/CreateTask/CreateTaskCommand.cs

@@ -0,0 +1,18 @@
+using MediatR;
+using ColaFlow.Modules.ProjectManagement.Application.DTOs;
+
+namespace ColaFlow.Modules.ProjectManagement.Application.Commands.CreateTask;
+
+/// <summary>
+/// Command to create a new Task
+/// </summary>
+public sealed record CreateTaskCommand : IRequest<TaskDto>
+{
+    public Guid StoryId { get; init; }
+    public string Title { get; init; } = string.Empty;
+    public string Description { get; init; } = string.Empty;
+    public string Priority { get; init; } = "Medium";
+    public decimal? EstimatedHours { get; init; }
+    public Guid? AssigneeId { get; init; }
+    public Guid CreatedBy { get; init; }
+}

colaflow-api/src/Modules/ProjectManagement/ColaFlow.Modules.ProjectManagement.Application/Commands/CreateTask/CreateTaskCommandHandler.cs

@@ -0,0 +1,87 @@
+using MediatR;
+using ColaFlow.Modules.ProjectManagement.Application.DTOs;
+using ColaFlow.Modules.ProjectManagement.Domain.Repositories;
+using ColaFlow.Modules.ProjectManagement.Domain.ValueObjects;
+using ColaFlow.Modules.ProjectManagement.Domain.Exceptions;
+using ColaFlow.Modules.ProjectManagement.Domain.Aggregates.ProjectAggregate;
+
+namespace ColaFlow.Modules.ProjectManagement.Application.Commands.CreateTask;
+
+/// <summary>
+/// Handler for CreateTaskCommand
+/// </summary>
+public sealed class CreateTaskCommandHandler : IRequestHandler<CreateTaskCommand, TaskDto>
+{
+    private readonly IProjectRepository _projectRepository;
+    private readonly IUnitOfWork _unitOfWork;
+
+    public CreateTaskCommandHandler(
+        IProjectRepository projectRepository,
+        IUnitOfWork unitOfWork)
+    {
+        _projectRepository = projectRepository ?? throw new ArgumentNullException(nameof(projectRepository));
+        _unitOfWork = unitOfWork ?? throw new ArgumentNullException(nameof(unitOfWork));
+    }
+
+    public async Task<TaskDto> Handle(CreateTaskCommand request, CancellationToken cancellationToken)
+    {
+        // Get the project containing the story
+        var storyId = StoryId.From(request.StoryId);
+        var project = await _projectRepository.GetProjectWithStoryAsync(storyId, cancellationToken);
+
+        if (project == null)
+            throw new NotFoundException("Story", request.StoryId);
+
+        // Find the story within the project aggregate
+        Story? story = null;
+        foreach (var epic in project.Epics)
+        {
+            story = epic.Stories.FirstOrDefault(s => s.Id.Value == request.StoryId);
+            if (story is not null)
+                break;
+        }
+
+        if (story is null)
+            throw new NotFoundException("Story", request.StoryId);
+
+        // Parse priority
+        var priority = TaskPriority.FromDisplayName<TaskPriority>(request.Priority);
+        var createdById = UserId.From(request.CreatedBy);
+
+        // Create task through story aggregate
+        var task = story.CreateTask(request.Title, request.Description, priority, createdById);
+
+        // Set optional fields
+        if (request.EstimatedHours.HasValue)
+        {
+            task.UpdateEstimate(request.EstimatedHours.Value);
+        }
+
+        if (request.AssigneeId.HasValue)
+        {
+            var assigneeId = UserId.From(request.AssigneeId.Value);
+            task.AssignTo(assigneeId);
+        }
+
+        // Update project (task is part of aggregate)
+        _projectRepository.Update(project);
+        await _unitOfWork.SaveChangesAsync(cancellationToken);
+
+        // Map to DTO
+        return new TaskDto
+        {
+            Id = task.Id.Value,
+            Title = task.Title,
+            Description = task.Description,
+            StoryId = task.StoryId.Value,
+            Status = task.Status.Name,
+            Priority = task.Priority.Name,
+            AssigneeId = task.AssigneeId?.Value,
+            EstimatedHours = task.EstimatedHours,
+            ActualHours = task.ActualHours,
+            CreatedBy = task.CreatedBy.Value,
+            CreatedAt = task.CreatedAt,
+            UpdatedAt = task.UpdatedAt
+        };
+    }
+}

colaflow-api/src/Modules/ProjectManagement/ColaFlow.Modules.ProjectManagement.Application/Commands/CreateTask/CreateTaskCommandValidator.cs

@@ -0,0 +1,47 @@
+using FluentValidation;
+
+namespace ColaFlow.Modules.ProjectManagement.Application.Commands.CreateTask;
+
+/// <summary>
+/// Validator for CreateTaskCommand
+/// </summary>
+public sealed class CreateTaskCommandValidator : AbstractValidator<CreateTaskCommand>
+{
+    public CreateTaskCommandValidator()
+    {
+        RuleFor(x => x.StoryId)
+            .NotEmpty()
+            .WithMessage("StoryId is required");
+
+        RuleFor(x => x.Title)
+            .NotEmpty()
+            .WithMessage("Title is required")
+            .MaximumLength(200)
+            .WithMessage("Title cannot exceed 200 characters");
+
+        RuleFor(x => x.Description)
+            .MaximumLength(5000)
+            .WithMessage("Description cannot exceed 5000 characters");
+
+        RuleFor(x => x.Priority)
+            .NotEmpty()
+            .WithMessage("Priority is required")
+            .Must(BeValidPriority)
+            .WithMessage("Priority must be one of: Low, Medium, High, Urgent");
+
+        RuleFor(x => x.EstimatedHours)
+            .GreaterThanOrEqualTo(0)
+            .When(x => x.EstimatedHours.HasValue)
+            .WithMessage("Estimated hours cannot be negative");
+
+        RuleFor(x => x.CreatedBy)
+            .NotEmpty()
+            .WithMessage("CreatedBy is required");
+    }
+
+    private bool BeValidPriority(string priority)
+    {
+        var validPriorities = new[] { "Low", "Medium", "High", "Urgent" };
+        return validPriorities.Contains(priority, StringComparer.OrdinalIgnoreCase);
+    }
+}

colaflow-api/src/Modules/ProjectManagement/ColaFlow.Modules.ProjectManagement.Application/Commands/DeleteStory/DeleteStoryCommand.cs

@@ -0,0 +1,11 @@
+using MediatR;
+
+namespace ColaFlow.Modules.ProjectManagement.Application.Commands.DeleteStory;
+
+/// <summary>
+/// Command to delete a Story
+/// </summary>
+public sealed record DeleteStoryCommand : IRequest<Unit>
+{
+    public Guid StoryId { get; init; }
+}

colaflow-api/src/Modules/ProjectManagement/ColaFlow.Modules.ProjectManagement.Application/Commands/DeleteStory/DeleteStoryCommandHandler.cs

@@ -0,0 +1,47 @@
+using MediatR;
+using ColaFlow.Modules.ProjectManagement.Domain.Repositories;
+using ColaFlow.Modules.ProjectManagement.Domain.ValueObjects;
+using ColaFlow.Modules.ProjectManagement.Domain.Exceptions;
+
+namespace ColaFlow.Modules.ProjectManagement.Application.Commands.DeleteStory;
+
+/// <summary>
+/// Handler for DeleteStoryCommand
+/// </summary>
+public sealed class DeleteStoryCommandHandler : IRequestHandler<DeleteStoryCommand, Unit>
+{
+    private readonly IProjectRepository _projectRepository;
+    private readonly IUnitOfWork _unitOfWork;
+
+    public DeleteStoryCommandHandler(
+        IProjectRepository projectRepository,
+        IUnitOfWork unitOfWork)
+    {
+        _projectRepository = projectRepository ?? throw new ArgumentNullException(nameof(projectRepository));
+        _unitOfWork = unitOfWork ?? throw new ArgumentNullException(nameof(unitOfWork));
+    }
+
+    public async Task<Unit> Handle(DeleteStoryCommand request, CancellationToken cancellationToken)
+    {
+        // Get the project with story
+        var storyId = StoryId.From(request.StoryId);
+        var project = await _projectRepository.GetProjectWithStoryAsync(storyId, cancellationToken);
+
+        if (project == null)
+            throw new NotFoundException("Story", request.StoryId);
+
+        // Find the epic containing the story
+        var epic = project.Epics.FirstOrDefault(e => e.Stories.Any(s => s.Id.Value == request.StoryId));
+        if (epic == null)
+            throw new NotFoundException("Story", request.StoryId);
+
+        // Remove story from epic (domain logic validates no tasks exist)
+        epic.RemoveStory(storyId);
+
+        // Save changes
+        _projectRepository.Update(project);
+        await _unitOfWork.SaveChangesAsync(cancellationToken);
+
+        return Unit.Value;
+    }
+}

colaflow-api/src/Modules/ProjectManagement/ColaFlow.Modules.ProjectManagement.Application/Commands/DeleteStory/DeleteStoryCommandValidator.cs

@@ -0,0 +1,15 @@
+using FluentValidation;
+
+namespace ColaFlow.Modules.ProjectManagement.Application.Commands.DeleteStory;
+
+/// <summary>
+/// Validator for DeleteStoryCommand
+/// </summary>
+public sealed class DeleteStoryCommandValidator : AbstractValidator<DeleteStoryCommand>
+{
+    public DeleteStoryCommandValidator()
+    {
+        RuleFor(x => x.StoryId)
+            .NotEmpty().WithMessage("Story ID is required");
+    }
+}

colaflow-api/src/Modules/ProjectManagement/ColaFlow.Modules.ProjectManagement.Application/Commands/DeleteTask/DeleteTaskCommand.cs

@@ -0,0 +1,11 @@
+using MediatR;
+
+namespace ColaFlow.Modules.ProjectManagement.Application.Commands.DeleteTask;
+
+/// <summary>
+/// Command to delete a Task
+/// </summary>
+public sealed record DeleteTaskCommand : IRequest<Unit>
+{
+    public Guid TaskId { get; init; }
+}

colaflow-api/src/Modules/ProjectManagement/ColaFlow.Modules.ProjectManagement.Application/Commands/DeleteTask/DeleteTaskCommandHandler.cs

@@ -0,0 +1,63 @@
+using MediatR;
+using ColaFlow.Modules.ProjectManagement.Domain.Repositories;
+using ColaFlow.Modules.ProjectManagement.Domain.ValueObjects;
+using ColaFlow.Modules.ProjectManagement.Domain.Exceptions;
+using ColaFlow.Modules.ProjectManagement.Domain.Aggregates.ProjectAggregate;
+
+namespace ColaFlow.Modules.ProjectManagement.Application.Commands.DeleteTask;
+
+/// <summary>
+/// Handler for DeleteTaskCommand
+/// </summary>
+public sealed class DeleteTaskCommandHandler : IRequestHandler<DeleteTaskCommand, Unit>
+{
+    private readonly IProjectRepository _projectRepository;
+    private readonly IUnitOfWork _unitOfWork;
+
+    public DeleteTaskCommandHandler(
+        IProjectRepository projectRepository,
+        IUnitOfWork unitOfWork)
+    {
+        _projectRepository = projectRepository ?? throw new ArgumentNullException(nameof(projectRepository));
+        _unitOfWork = unitOfWork ?? throw new ArgumentNullException(nameof(unitOfWork));
+    }
+
+    public async Task<Unit> Handle(DeleteTaskCommand request, CancellationToken cancellationToken)
+    {
+        // Get the project containing the task
+        var taskId = TaskId.From(request.TaskId);
+        var project = await _projectRepository.GetProjectWithTaskAsync(taskId, cancellationToken);
+
+        if (project == null)
+            throw new NotFoundException("Task", request.TaskId);
+
+        // Find the story containing the task
+        Story? parentStory = null;
+        foreach (var epic in project.Epics)
+        {
+            foreach (var story in epic.Stories)
+            {
+                var task = story.Tasks.FirstOrDefault(t => t.Id.Value == request.TaskId);
+                if (task != null)
+                {
+                    parentStory = story;
+                    break;
+                }
+            }
+            if (parentStory != null)
+                break;
+        }
+
+        if (parentStory == null)
+            throw new NotFoundException("Task", request.TaskId);
+
+        // Remove task from story
+        parentStory.RemoveTask(taskId);
+
+        // Update project
+        _projectRepository.Update(project);
+        await _unitOfWork.SaveChangesAsync(cancellationToken);
+
+        return Unit.Value;
+    }
+}

colaflow-api/src/Modules/ProjectManagement/ColaFlow.Modules.ProjectManagement.Application/Commands/DeleteTask/DeleteTaskCommandValidator.cs

@@ -0,0 +1,16 @@
+using FluentValidation;
+
+namespace ColaFlow.Modules.ProjectManagement.Application.Commands.DeleteTask;
+
+/// <summary>
+/// Validator for DeleteTaskCommand
+/// </summary>
+public sealed class DeleteTaskCommandValidator : AbstractValidator<DeleteTaskCommand>
+{
+    public DeleteTaskCommandValidator()
+    {
+        RuleFor(x => x.TaskId)
+            .NotEmpty()
+            .WithMessage("TaskId is required");
+    }
+}

colaflow-api/src/Modules/ProjectManagement/ColaFlow.Modules.ProjectManagement.Application/Commands/UpdateEpic/UpdateEpicCommandHandler.cs

@@ -50,8 +50,8 @@ public sealed class UpdateEpicCommandHandler : IRequestHandler<UpdateEpicCommand
             Name = epic.Name,
             Description = epic.Description,
             ProjectId = epic.ProjectId.Value,
-            Status = epic.Status.Value,
+            Status = epic.Status.Name,
-            Priority = epic.Priority.Value,
+            Priority = epic.Priority.Name,
             CreatedBy = epic.CreatedBy.Value,
             CreatedAt = epic.CreatedAt,
             UpdatedAt = epic.UpdatedAt,
@@ -61,8 +61,8 @@ public sealed class UpdateEpicCommandHandler : IRequestHandler<UpdateEpicCommand
                 Title = s.Title,
                 Description = s.Description,
                 EpicId = s.EpicId.Value,
-                Status = s.Status.Value,
+                Status = s.Status.Name,
-                Priority = s.Priority.Value,
+                Priority = s.Priority.Name,
                 EstimatedHours = s.EstimatedHours,
                 ActualHours = s.ActualHours,
                 AssigneeId = s.AssigneeId?.Value,

colaflow-api/src/Modules/ProjectManagement/ColaFlow.Modules.ProjectManagement.Application/Commands/UpdateStory/UpdateStoryCommand.cs

@@ -0,0 +1,18 @@
+using MediatR;
+using ColaFlow.Modules.ProjectManagement.Application.DTOs;
+
+namespace ColaFlow.Modules.ProjectManagement.Application.Commands.UpdateStory;
+
+/// <summary>
+/// Command to update an existing Story
+/// </summary>
+public sealed record UpdateStoryCommand : IRequest<StoryDto>
+{
+    public Guid StoryId { get; init; }
+    public string Title { get; init; } = string.Empty;
+    public string Description { get; init; } = string.Empty;
+    public string? Status { get; init; }
+    public string? Priority { get; init; }
+    public Guid? AssigneeId { get; init; }
+    public decimal? EstimatedHours { get; init; }
+}

colaflow-api/src/Modules/ProjectManagement/ColaFlow.Modules.ProjectManagement.Application/Commands/UpdateStory/UpdateStoryCommandHandler.cs

@@ -0,0 +1,116 @@
+using MediatR;
+using ColaFlow.Modules.ProjectManagement.Application.DTOs;
+using ColaFlow.Modules.ProjectManagement.Domain.Repositories;
+using ColaFlow.Modules.ProjectManagement.Domain.ValueObjects;
+using ColaFlow.Modules.ProjectManagement.Domain.Exceptions;
+
+namespace ColaFlow.Modules.ProjectManagement.Application.Commands.UpdateStory;
+
+/// <summary>
+/// Handler for UpdateStoryCommand
+/// </summary>
+public sealed class UpdateStoryCommandHandler : IRequestHandler<UpdateStoryCommand, StoryDto>
+{
+    private readonly IProjectRepository _projectRepository;
+    private readonly IUnitOfWork _unitOfWork;
+
+    public UpdateStoryCommandHandler(
+        IProjectRepository projectRepository,
+        IUnitOfWork unitOfWork)
+    {
+        _projectRepository = projectRepository ?? throw new ArgumentNullException(nameof(projectRepository));
+        _unitOfWork = unitOfWork ?? throw new ArgumentNullException(nameof(unitOfWork));
+    }
+
+    public async Task<StoryDto> Handle(UpdateStoryCommand request, CancellationToken cancellationToken)
+    {
+        // Get the project with story
+        var storyId = StoryId.From(request.StoryId);
+        var project = await _projectRepository.GetProjectWithStoryAsync(storyId, cancellationToken);
+
+        if (project == null)
+            throw new NotFoundException("Story", request.StoryId);
+
+        // Find the story
+        var story = project.Epics
+            .SelectMany(e => e.Stories)
+            .FirstOrDefault(s => s.Id.Value == request.StoryId);
+
+        if (story == null)
+            throw new NotFoundException("Story", request.StoryId);
+
+        // Update basic details
+        story.UpdateDetails(request.Title, request.Description);
+
+        // Update status if provided
+        if (!string.IsNullOrEmpty(request.Status))
+        {
+            var status = request.Status switch
+            {
+                "To Do" => WorkItemStatus.ToDo,
+                "In Progress" => WorkItemStatus.InProgress,
+                "In Review" => WorkItemStatus.InReview,
+                "Done" => WorkItemStatus.Done,
+                "Blocked" => WorkItemStatus.Blocked,
+                _ => throw new DomainException($"Invalid status: {request.Status}")
+            };
+            story.UpdateStatus(status);
+        }
+
+        // Update priority if provided
+        if (!string.IsNullOrEmpty(request.Priority))
+        {
+            var priority = TaskPriority.FromDisplayName<TaskPriority>(request.Priority);
+            story.UpdatePriority(priority);
+        }
+
+        // Update assignee if provided
+        if (request.AssigneeId.HasValue)
+        {
+            var assigneeId = UserId.From(request.AssigneeId.Value);
+            story.AssignTo(assigneeId);
+        }
+
+        // Update estimated hours if provided
+        if (request.EstimatedHours.HasValue)
+        {
+            story.UpdateEstimate(request.EstimatedHours.Value);
+        }
+
+        // Save changes
+        _projectRepository.Update(project);
+        await _unitOfWork.SaveChangesAsync(cancellationToken);
+
+        // Map to DTO
+        return new StoryDto
+        {
+            Id = story.Id.Value,
+            Title = story.Title,
+            Description = story.Description,
+            EpicId = story.EpicId.Value,
+            Status = story.Status.Name,
+            Priority = story.Priority.Name,
+            AssigneeId = story.AssigneeId?.Value,
+            EstimatedHours = story.EstimatedHours,
+            ActualHours = story.ActualHours,
+            CreatedBy = story.CreatedBy.Value,
+            CreatedAt = story.CreatedAt,
+            UpdatedAt = story.UpdatedAt,
+            Tasks = story.Tasks.Select(t => new TaskDto
+            {
+                Id = t.Id.Value,
+                Title = t.Title,
+                Description = t.Description,
+                StoryId = t.StoryId.Value,
+                Status = t.Status.Name,
+                Priority = t.Priority.Name,
+                AssigneeId = t.AssigneeId?.Value,
+                EstimatedHours = t.EstimatedHours,
+                ActualHours = t.ActualHours,
+                CreatedBy = t.CreatedBy.Value,
+                CreatedAt = t.CreatedAt,
+                UpdatedAt = t.UpdatedAt
+            }).ToList()
+        };
+    }
+}

colaflow-api/src/Modules/ProjectManagement/ColaFlow.Modules.ProjectManagement.Application/Commands/UpdateStory/UpdateStoryCommandValidator.cs

@@ -0,0 +1,31 @@
+using FluentValidation;
+
+namespace ColaFlow.Modules.ProjectManagement.Application.Commands.UpdateStory;
+
+/// <summary>
+/// Validator for UpdateStoryCommand
+/// </summary>
+public sealed class UpdateStoryCommandValidator : AbstractValidator<UpdateStoryCommand>
+{
+    public UpdateStoryCommandValidator()
+    {
+        RuleFor(x => x.StoryId)
+            .NotEmpty().WithMessage("Story ID is required");
+
+        RuleFor(x => x.Title)
+            .NotEmpty().WithMessage("Story title is required")
+            .MaximumLength(200).WithMessage("Story title cannot exceed 200 characters");
+
+        RuleFor(x => x.Status)
+            .Must(s => s == null || s == "To Do" || s == "In Progress" || s == "In Review" || s == "Done" || s == "Blocked")
+            .WithMessage("Status must be one of: To Do, In Progress, In Review, Done, Blocked");
+
+        RuleFor(x => x.Priority)
+            .Must(p => p == null || p == "Low" || p == "Medium" || p == "High" || p == "Urgent")
+            .WithMessage("Priority must be one of: Low, Medium, High, Urgent");
+
+        RuleFor(x => x.EstimatedHours)
+            .GreaterThanOrEqualTo(0).When(x => x.EstimatedHours.HasValue)
+            .WithMessage("Estimated hours cannot be negative");
+    }
+}

colaflow-api/src/Modules/ProjectManagement/ColaFlow.Modules.ProjectManagement.Application/Commands/UpdateTask/UpdateTaskCommand.cs

@@ -0,0 +1,18 @@
+using MediatR;
+using ColaFlow.Modules.ProjectManagement.Application.DTOs;
+
+namespace ColaFlow.Modules.ProjectManagement.Application.Commands.UpdateTask;
+
+/// <summary>
+/// Command to update an existing Task
+/// </summary>
+public sealed record UpdateTaskCommand : IRequest<TaskDto>
+{
+    public Guid TaskId { get; init; }
+    public string Title { get; init; } = string.Empty;
+    public string Description { get; init; } = string.Empty;
+    public string? Priority { get; init; }
+    public string? Status { get; init; }
+    public decimal? EstimatedHours { get; init; }
+    public Guid? AssigneeId { get; init; }
+}

colaflow-api/src/Modules/ProjectManagement/ColaFlow.Modules.ProjectManagement.Application/Commands/UpdateTask/UpdateTaskCommandHandler.cs

@@ -0,0 +1,103 @@
+using MediatR;
+using ColaFlow.Modules.ProjectManagement.Application.DTOs;
+using ColaFlow.Modules.ProjectManagement.Domain.Repositories;
+using ColaFlow.Modules.ProjectManagement.Domain.ValueObjects;
+using ColaFlow.Modules.ProjectManagement.Domain.Exceptions;
+using ColaFlow.Modules.ProjectManagement.Domain.Aggregates.ProjectAggregate;
+
+namespace ColaFlow.Modules.ProjectManagement.Application.Commands.UpdateTask;
+
+/// <summary>
+/// Handler for UpdateTaskCommand
+/// </summary>
+public sealed class UpdateTaskCommandHandler : IRequestHandler<UpdateTaskCommand, TaskDto>
+{
+    private readonly IProjectRepository _projectRepository;
+    private readonly IUnitOfWork _unitOfWork;
+
+    public UpdateTaskCommandHandler(
+        IProjectRepository projectRepository,
+        IUnitOfWork unitOfWork)
+    {
+        _projectRepository = projectRepository ?? throw new ArgumentNullException(nameof(projectRepository));
+        _unitOfWork = unitOfWork ?? throw new ArgumentNullException(nameof(unitOfWork));
+    }
+
+    public async Task<TaskDto> Handle(UpdateTaskCommand request, CancellationToken cancellationToken)
+    {
+        // Get the project containing the task
+        var taskId = TaskId.From(request.TaskId);
+        var project = await _projectRepository.GetProjectWithTaskAsync(taskId, cancellationToken);
+
+        if (project == null)
+            throw new NotFoundException("Task", request.TaskId);
+
+        // Find the task within the project aggregate
+        WorkTask? task = null;
+        foreach (var epic in project.Epics)
+        {
+            foreach (var story in epic.Stories)
+            {
+                task = story.Tasks.FirstOrDefault(t => t.Id.Value == request.TaskId);
+                if (task != null)
+                    break;
+            }
+            if (task != null)
+                break;
+        }
+
+        if (task == null)
+            throw new NotFoundException("Task", request.TaskId);
+
+        // Update task details
+        task.UpdateDetails(request.Title, request.Description);
+
+        // Update priority if provided
+        if (!string.IsNullOrWhiteSpace(request.Priority))
+        {
+            var priority = TaskPriority.FromDisplayName<TaskPriority>(request.Priority);
+            task.UpdatePriority(priority);
+        }
+
+        // Update status if provided
+        if (!string.IsNullOrWhiteSpace(request.Status))
+        {
+            var status = WorkItemStatus.FromDisplayName<WorkItemStatus>(request.Status);
+            task.UpdateStatus(status);
+        }
+
+        // Update estimated hours if provided
+        if (request.EstimatedHours.HasValue)
+        {
+            task.UpdateEstimate(request.EstimatedHours.Value);
+        }
+
+        // Update assignee if provided
+        if (request.AssigneeId.HasValue)
+        {
+            var assigneeId = UserId.From(request.AssigneeId.Value);
+            task.AssignTo(assigneeId);
+        }
+
+        // Update project
+        _projectRepository.Update(project);
+        await _unitOfWork.SaveChangesAsync(cancellationToken);
+
+        // Map to DTO
+        return new TaskDto
+        {
+            Id = task.Id.Value,
+            Title = task.Title,
+            Description = task.Description,
+            StoryId = task.StoryId.Value,
+            Status = task.Status.Name,
+            Priority = task.Priority.Name,
+            AssigneeId = task.AssigneeId?.Value,
+            EstimatedHours = task.EstimatedHours,
+            ActualHours = task.ActualHours,
+            CreatedBy = task.CreatedBy.Value,
+            CreatedAt = task.CreatedAt,
+            UpdatedAt = task.UpdatedAt
+        };
+    }
+}

colaflow-api/src/Modules/ProjectManagement/ColaFlow.Modules.ProjectManagement.Application/Commands/UpdateTask/UpdateTaskCommandValidator.cs

@@ -0,0 +1,55 @@
+using FluentValidation;
+
+namespace ColaFlow.Modules.ProjectManagement.Application.Commands.UpdateTask;
+
+/// <summary>
+/// Validator for UpdateTaskCommand
+/// </summary>
+public sealed class UpdateTaskCommandValidator : AbstractValidator<UpdateTaskCommand>
+{
+    public UpdateTaskCommandValidator()
+    {
+        RuleFor(x => x.TaskId)
+            .NotEmpty()
+            .WithMessage("TaskId is required");
+
+        RuleFor(x => x.Title)
+            .NotEmpty()
+            .WithMessage("Title is required")
+            .MaximumLength(200)
+            .WithMessage("Title cannot exceed 200 characters");
+
+        RuleFor(x => x.Description)
+            .MaximumLength(5000)
+            .WithMessage("Description cannot exceed 5000 characters");
+
+        RuleFor(x => x.Priority)
+            .Must(BeValidPriority)
+            .When(x => !string.IsNullOrWhiteSpace(x.Priority))
+            .WithMessage("Priority must be one of: Low, Medium, High, Urgent");
+
+        RuleFor(x => x.Status)
+            .Must(BeValidStatus)
+            .When(x => !string.IsNullOrWhiteSpace(x.Status))
+            .WithMessage("Status must be one of: ToDo, InProgress, Done, Blocked");
+
+        RuleFor(x => x.EstimatedHours)
+            .GreaterThanOrEqualTo(0)
+            .When(x => x.EstimatedHours.HasValue)
+            .WithMessage("Estimated hours cannot be negative");
+    }
+
+    private bool BeValidPriority(string? priority)
+    {
+        if (string.IsNullOrWhiteSpace(priority)) return true;
+        var validPriorities = new[] { "Low", "Medium", "High", "Urgent" };
+        return validPriorities.Contains(priority, StringComparer.OrdinalIgnoreCase);
+    }
+
+    private bool BeValidStatus(string? status)
+    {
+        if (string.IsNullOrWhiteSpace(status)) return true;
+        var validStatuses = new[] { "ToDo", "InProgress", "Done", "Blocked" };
+        return validStatuses.Contains(status, StringComparer.OrdinalIgnoreCase);
+    }
+}

colaflow-api/src/Modules/ProjectManagement/ColaFlow.Modules.ProjectManagement.Application/Commands/UpdateTaskStatus/UpdateTaskStatusCommand.cs

@@ -0,0 +1,13 @@
+using MediatR;
+using ColaFlow.Modules.ProjectManagement.Application.DTOs;
+
+namespace ColaFlow.Modules.ProjectManagement.Application.Commands.UpdateTaskStatus;
+
+/// <summary>
+/// Command to update Task status (for Kanban board drag & drop)
+/// </summary>
+public sealed record UpdateTaskStatusCommand : IRequest<TaskDto>
+{
+    public Guid TaskId { get; init; }
+    public string NewStatus { get; init; } = string.Empty;
+}

colaflow-api/src/Modules/ProjectManagement/ColaFlow.Modules.ProjectManagement.Application/Commands/UpdateTaskStatus/UpdateTaskStatusCommandHandler.cs

@@ -0,0 +1,95 @@
+using MediatR;
+using ColaFlow.Modules.ProjectManagement.Application.DTOs;
+using ColaFlow.Modules.ProjectManagement.Domain.Repositories;
+using ColaFlow.Modules.ProjectManagement.Domain.ValueObjects;
+using ColaFlow.Modules.ProjectManagement.Domain.Exceptions;
+using ColaFlow.Modules.ProjectManagement.Domain.Aggregates.ProjectAggregate;
+
+namespace ColaFlow.Modules.ProjectManagement.Application.Commands.UpdateTaskStatus;
+
+/// <summary>
+/// Handler for UpdateTaskStatusCommand
+/// </summary>
+public sealed class UpdateTaskStatusCommandHandler : IRequestHandler<UpdateTaskStatusCommand, TaskDto>
+{
+    private readonly IProjectRepository _projectRepository;
+    private readonly IUnitOfWork _unitOfWork;
+
+    public UpdateTaskStatusCommandHandler(
+        IProjectRepository projectRepository,
+        IUnitOfWork unitOfWork)
+    {
+        _projectRepository = projectRepository ?? throw new ArgumentNullException(nameof(projectRepository));
+        _unitOfWork = unitOfWork ?? throw new ArgumentNullException(nameof(unitOfWork));
+    }
+
+    public async Task<TaskDto> Handle(UpdateTaskStatusCommand request, CancellationToken cancellationToken)
+    {
+        // Get the project containing the task
+        var taskId = TaskId.From(request.TaskId);
+        var project = await _projectRepository.GetProjectWithTaskAsync(taskId, cancellationToken);
+
+        if (project == null)
+            throw new NotFoundException("Task", request.TaskId);
+
+        // Find the task within the project aggregate
+        WorkTask? task = null;
+        foreach (var epic in project.Epics)
+        {
+            foreach (var story in epic.Stories)
+            {
+                task = story.Tasks.FirstOrDefault(t => t.Id.Value == request.TaskId);
+                if (task != null)
+                    break;
+            }
+            if (task != null)
+                break;
+        }
+
+        if (task == null)
+            throw new NotFoundException("Task", request.TaskId);
+
+        // Parse and validate new status
+        var newStatus = WorkItemStatus.FromDisplayName<WorkItemStatus>(request.NewStatus);
+
+        // Validate status transition (business rule)
+        ValidateStatusTransition(task.Status, newStatus);
+
+        // Update task status
+        task.UpdateStatus(newStatus);
+
+        // Update project
+        _projectRepository.Update(project);
+        await _unitOfWork.SaveChangesAsync(cancellationToken);
+
+        // Map to DTO
+        return new TaskDto
+        {
+            Id = task.Id.Value,
+            Title = task.Title,
+            Description = task.Description,
+            StoryId = task.StoryId.Value,
+            Status = task.Status.Name,
+            Priority = task.Priority.Name,
+            AssigneeId = task.AssigneeId?.Value,
+            EstimatedHours = task.EstimatedHours,
+            ActualHours = task.ActualHours,
+            CreatedBy = task.CreatedBy.Value,
+            CreatedAt = task.CreatedAt,
+            UpdatedAt = task.UpdatedAt
+        };
+    }
+
+    private void ValidateStatusTransition(WorkItemStatus currentStatus, WorkItemStatus newStatus)
+    {
+        // Business rule: Can't move from Done back to ToDo
+        if (currentStatus == WorkItemStatus.Done && newStatus == WorkItemStatus.ToDo)
+        {
+            throw new DomainException("Cannot move a completed task back to ToDo. Please create a new task instead.");
+        }
+
+        // Business rule: Blocked can be moved to any status
+        // Business rule: Any status can be moved to Blocked
+        // All other transitions are allowed
+    }
+}

colaflow-api/src/Modules/ProjectManagement/ColaFlow.Modules.ProjectManagement.Application/Commands/UpdateTaskStatus/UpdateTaskStatusCommandValidator.cs

@@ -0,0 +1,28 @@
+using FluentValidation;
+
+namespace ColaFlow.Modules.ProjectManagement.Application.Commands.UpdateTaskStatus;
+
+/// <summary>
+/// Validator for UpdateTaskStatusCommand
+/// </summary>
+public sealed class UpdateTaskStatusCommandValidator : AbstractValidator<UpdateTaskStatusCommand>
+{
+    public UpdateTaskStatusCommandValidator()
+    {
+        RuleFor(x => x.TaskId)
+            .NotEmpty()
+            .WithMessage("TaskId is required");
+
+        RuleFor(x => x.NewStatus)
+            .NotEmpty()
+            .WithMessage("NewStatus is required")
+            .Must(BeValidStatus)
+            .WithMessage("NewStatus must be one of: ToDo, InProgress, Done, Blocked");
+    }
+
+    private bool BeValidStatus(string status)
+    {
+        var validStatuses = new[] { "ToDo", "InProgress", "Done", "Blocked" };
+        return validStatuses.Contains(status, StringComparer.OrdinalIgnoreCase);
+    }
+}

colaflow-api/src/Modules/ProjectManagement/ColaFlow.Modules.ProjectManagement.Application/Queries/GetEpicById/GetEpicByIdQueryHandler.cs

@@ -36,8 +36,8 @@ public sealed class GetEpicByIdQueryHandler : IRequestHandler<GetEpicByIdQuery,
             Name = epic.Name,
             Description = epic.Description,
             ProjectId = epic.ProjectId.Value,
-            Status = epic.Status.Value,
+            Status = epic.Status.Name,
-            Priority = epic.Priority.Value,
+            Priority = epic.Priority.Name,
             CreatedBy = epic.CreatedBy.Value,
             CreatedAt = epic.CreatedAt,
             UpdatedAt = epic.UpdatedAt,
@@ -47,8 +47,8 @@ public sealed class GetEpicByIdQueryHandler : IRequestHandler<GetEpicByIdQuery,
                 Title = s.Title,
                 Description = s.Description,
                 EpicId = s.EpicId.Value,
-                Status = s.Status.Value,
+                Status = s.Status.Name,
-                Priority = s.Priority.Value,
+                Priority = s.Priority.Name,
                 EstimatedHours = s.EstimatedHours,
                 ActualHours = s.ActualHours,
                 AssigneeId = s.AssigneeId?.Value,

colaflow-api/src/Modules/ProjectManagement/ColaFlow.Modules.ProjectManagement.Application/Queries/GetEpicsByProjectId/GetEpicsByProjectIdQueryHandler.cs

@@ -32,8 +32,8 @@ public sealed class GetEpicsByProjectIdQueryHandler : IRequestHandler<GetEpicsBy
             Name = epic.Name,
             Description = epic.Description,
             ProjectId = epic.ProjectId.Value,
-            Status = epic.Status.Value,
+            Status = epic.Status.Name,
-            Priority = epic.Priority.Value,
+            Priority = epic.Priority.Name,
             CreatedBy = epic.CreatedBy.Value,
             CreatedAt = epic.CreatedAt,
             UpdatedAt = epic.UpdatedAt,

colaflow-api/src/Modules/ProjectManagement/ColaFlow.Modules.ProjectManagement.Application/Queries/GetStoriesByEpicId/GetStoriesByEpicIdQuery.cs

@@ -0,0 +1,9 @@
+using MediatR;
+using ColaFlow.Modules.ProjectManagement.Application.DTOs;
+
+namespace ColaFlow.Modules.ProjectManagement.Application.Queries.GetStoriesByEpicId;
+
+/// <summary>
+/// Query to get all Stories for an Epic
+/// </summary>
+public sealed record GetStoriesByEpicIdQuery(Guid EpicId) : IRequest<List<StoryDto>>;

colaflow-api/src/Modules/ProjectManagement/ColaFlow.Modules.ProjectManagement.Application/Queries/GetStoriesByEpicId/GetStoriesByEpicIdQueryHandler.cs

@@ -0,0 +1,67 @@
+using MediatR;
+using ColaFlow.Modules.ProjectManagement.Application.DTOs;
+using ColaFlow.Modules.ProjectManagement.Domain.Repositories;
+using ColaFlow.Modules.ProjectManagement.Domain.ValueObjects;
+using ColaFlow.Modules.ProjectManagement.Domain.Exceptions;
+
+namespace ColaFlow.Modules.ProjectManagement.Application.Queries.GetStoriesByEpicId;
+
+/// <summary>
+/// Handler for GetStoriesByEpicIdQuery
+/// </summary>
+public sealed class GetStoriesByEpicIdQueryHandler : IRequestHandler<GetStoriesByEpicIdQuery, List<StoryDto>>
+{
+    private readonly IProjectRepository _projectRepository;
+
+    public GetStoriesByEpicIdQueryHandler(IProjectRepository projectRepository)
+    {
+        _projectRepository = projectRepository ?? throw new ArgumentNullException(nameof(projectRepository));
+    }
+
+    public async Task<List<StoryDto>> Handle(GetStoriesByEpicIdQuery request, CancellationToken cancellationToken)
+    {
+        // Get the project with epic
+        var epicId = EpicId.From(request.EpicId);
+        var project = await _projectRepository.GetProjectWithEpicAsync(epicId, cancellationToken);
+
+        if (project == null)
+            throw new NotFoundException("Epic", request.EpicId);
+
+        // Find the epic
+        var epic = project.Epics.FirstOrDefault(e => e.Id.Value == request.EpicId);
+        if (epic == null)
+            throw new NotFoundException("Epic", request.EpicId);
+
+        // Map stories to DTOs
+        return epic.Stories.Select(story => new StoryDto
+        {
+            Id = story.Id.Value,
+            Title = story.Title,
+            Description = story.Description,
+            EpicId = story.EpicId.Value,
+            Status = story.Status.Name,
+            Priority = story.Priority.Name,
+            AssigneeId = story.AssigneeId?.Value,
+            EstimatedHours = story.EstimatedHours,
+            ActualHours = story.ActualHours,
+            CreatedBy = story.CreatedBy.Value,
+            CreatedAt = story.CreatedAt,
+            UpdatedAt = story.UpdatedAt,
+            Tasks = story.Tasks.Select(t => new TaskDto
+            {
+                Id = t.Id.Value,
+                Title = t.Title,
+                Description = t.Description,
+                StoryId = t.StoryId.Value,
+                Status = t.Status.Name,
+                Priority = t.Priority.Name,
+                AssigneeId = t.AssigneeId?.Value,
+                EstimatedHours = t.EstimatedHours,
+                ActualHours = t.ActualHours,
+                CreatedBy = t.CreatedBy.Value,
+                CreatedAt = t.CreatedAt,
+                UpdatedAt = t.UpdatedAt
+            }).ToList()
+        }).ToList();
+    }
+}

colaflow-api/src/Modules/ProjectManagement/ColaFlow.Modules.ProjectManagement.Application/Queries/GetStoriesByProjectId/GetStoriesByProjectIdQuery.cs

@@ -0,0 +1,9 @@
+using MediatR;
+using ColaFlow.Modules.ProjectManagement.Application.DTOs;
+
+namespace ColaFlow.Modules.ProjectManagement.Application.Queries.GetStoriesByProjectId;
+
+/// <summary>
+/// Query to get all Stories for a Project
+/// </summary>
+public sealed record GetStoriesByProjectIdQuery(Guid ProjectId) : IRequest<List<StoryDto>>;

colaflow-api/src/Modules/ProjectManagement/ColaFlow.Modules.ProjectManagement.Application/Queries/GetStoriesByProjectId/GetStoriesByProjectIdQueryHandler.cs

@@ -0,0 +1,66 @@
+using MediatR;
+using ColaFlow.Modules.ProjectManagement.Application.DTOs;
+using ColaFlow.Modules.ProjectManagement.Domain.Repositories;
+using ColaFlow.Modules.ProjectManagement.Domain.ValueObjects;
+using ColaFlow.Modules.ProjectManagement.Domain.Exceptions;
+
+namespace ColaFlow.Modules.ProjectManagement.Application.Queries.GetStoriesByProjectId;
+
+/// <summary>
+/// Handler for GetStoriesByProjectIdQuery
+/// </summary>
+public sealed class GetStoriesByProjectIdQueryHandler : IRequestHandler<GetStoriesByProjectIdQuery, List<StoryDto>>
+{
+    private readonly IProjectRepository _projectRepository;
+
+    public GetStoriesByProjectIdQueryHandler(IProjectRepository projectRepository)
+    {
+        _projectRepository = projectRepository ?? throw new ArgumentNullException(nameof(projectRepository));
+    }
+
+    public async Task<List<StoryDto>> Handle(GetStoriesByProjectIdQuery request, CancellationToken cancellationToken)
+    {
+        // Get the project
+        var projectId = ProjectId.From(request.ProjectId);
+        var project = await _projectRepository.GetByIdAsync(projectId, cancellationToken);
+
+        if (project == null)
+            throw new NotFoundException("Project", request.ProjectId);
+
+        // Get all stories from all epics
+        var stories = project.Epics
+            .SelectMany(epic => epic.Stories.Select(story => new StoryDto
+            {
+                Id = story.Id.Value,
+                Title = story.Title,
+                Description = story.Description,
+                EpicId = story.EpicId.Value,
+                Status = story.Status.Name,
+                Priority = story.Priority.Name,
+                AssigneeId = story.AssigneeId?.Value,
+                EstimatedHours = story.EstimatedHours,
+                ActualHours = story.ActualHours,
+                CreatedBy = story.CreatedBy.Value,
+                CreatedAt = story.CreatedAt,
+                UpdatedAt = story.UpdatedAt,
+                Tasks = story.Tasks.Select(t => new TaskDto
+                {
+                    Id = t.Id.Value,
+                    Title = t.Title,
+                    Description = t.Description,
+                    StoryId = t.StoryId.Value,
+                    Status = t.Status.Name,
+                    Priority = t.Priority.Name,
+                    AssigneeId = t.AssigneeId?.Value,
+                    EstimatedHours = t.EstimatedHours,
+                    ActualHours = t.ActualHours,
+                    CreatedBy = t.CreatedBy.Value,
+                    CreatedAt = t.CreatedAt,
+                    UpdatedAt = t.UpdatedAt
+                }).ToList()
+            }))
+            .ToList();
+
+        return stories;
+    }
+}

colaflow-api/src/Modules/ProjectManagement/ColaFlow.Modules.ProjectManagement.Application/Queries/GetStoryById/GetStoryByIdQuery.cs

@@ -0,0 +1,9 @@
+using MediatR;
+using ColaFlow.Modules.ProjectManagement.Application.DTOs;
+
+namespace ColaFlow.Modules.ProjectManagement.Application.Queries.GetStoryById;
+
+/// <summary>
+/// Query to get a Story by ID
+/// </summary>
+public sealed record GetStoryByIdQuery(Guid StoryId) : IRequest<StoryDto>;

colaflow-api/src/Modules/ProjectManagement/ColaFlow.Modules.ProjectManagement.Application/Queries/GetStoryById/GetStoryByIdQueryHandler.cs

@@ -0,0 +1,70 @@
+using MediatR;
+using ColaFlow.Modules.ProjectManagement.Application.DTOs;
+using ColaFlow.Modules.ProjectManagement.Domain.Repositories;
+using ColaFlow.Modules.ProjectManagement.Domain.ValueObjects;
+using ColaFlow.Modules.ProjectManagement.Domain.Exceptions;
+
+namespace ColaFlow.Modules.ProjectManagement.Application.Queries.GetStoryById;
+
+/// <summary>
+/// Handler for GetStoryByIdQuery
+/// </summary>
+public sealed class GetStoryByIdQueryHandler : IRequestHandler<GetStoryByIdQuery, StoryDto>
+{
+    private readonly IProjectRepository _projectRepository;
+
+    public GetStoryByIdQueryHandler(IProjectRepository projectRepository)
+    {
+        _projectRepository = projectRepository ?? throw new ArgumentNullException(nameof(projectRepository));
+    }
+
+    public async Task<StoryDto> Handle(GetStoryByIdQuery request, CancellationToken cancellationToken)
+    {
+        // Get the project with story
+        var storyId = StoryId.From(request.StoryId);
+        var project = await _projectRepository.GetProjectWithStoryAsync(storyId, cancellationToken);
+
+        if (project == null)
+            throw new NotFoundException("Story", request.StoryId);
+
+        // Find the story
+        var story = project.Epics
+            .SelectMany(e => e.Stories)
+            .FirstOrDefault(s => s.Id.Value == request.StoryId);
+
+        if (story == null)
+            throw new NotFoundException("Story", request.StoryId);
+
+        // Map to DTO
+        return new StoryDto
+        {
+            Id = story.Id.Value,
+            Title = story.Title,
+            Description = story.Description,
+            EpicId = story.EpicId.Value,
+            Status = story.Status.Name,
+            Priority = story.Priority.Name,
+            AssigneeId = story.AssigneeId?.Value,
+            EstimatedHours = story.EstimatedHours,
+            ActualHours = story.ActualHours,
+            CreatedBy = story.CreatedBy.Value,
+            CreatedAt = story.CreatedAt,
+            UpdatedAt = story.UpdatedAt,
+            Tasks = story.Tasks.Select(t => new TaskDto
+            {
+                Id = t.Id.Value,
+                Title = t.Title,
+                Description = t.Description,
+                StoryId = t.StoryId.Value,
+                Status = t.Status.Name,
+                Priority = t.Priority.Name,
+                AssigneeId = t.AssigneeId?.Value,
+                EstimatedHours = t.EstimatedHours,
+                ActualHours = t.ActualHours,
+                CreatedBy = t.CreatedBy.Value,
+                CreatedAt = t.CreatedAt,
+                UpdatedAt = t.UpdatedAt
+            }).ToList()
+        };
+    }
+}

colaflow-api/src/Modules/ProjectManagement/ColaFlow.Modules.ProjectManagement.Application/Queries/GetTaskById/GetTaskByIdQuery.cs

@@ -0,0 +1,9 @@
+using MediatR;
+using ColaFlow.Modules.ProjectManagement.Application.DTOs;
+
+namespace ColaFlow.Modules.ProjectManagement.Application.Queries.GetTaskById;
+
+/// <summary>
+/// Query to get a Task by ID
+/// </summary>
+public sealed record GetTaskByIdQuery(Guid TaskId) : IRequest<TaskDto>;

colaflow-api/src/Modules/ProjectManagement/ColaFlow.Modules.ProjectManagement.Application/Queries/GetTaskById/GetTaskByIdQueryHandler.cs

@@ -0,0 +1,65 @@
+using MediatR;
+using ColaFlow.Modules.ProjectManagement.Application.DTOs;
+using ColaFlow.Modules.ProjectManagement.Domain.Repositories;
+using ColaFlow.Modules.ProjectManagement.Domain.ValueObjects;
+using ColaFlow.Modules.ProjectManagement.Domain.Exceptions;
+using ColaFlow.Modules.ProjectManagement.Domain.Aggregates.ProjectAggregate;
+
+namespace ColaFlow.Modules.ProjectManagement.Application.Queries.GetTaskById;
+
+/// <summary>
+/// Handler for GetTaskByIdQuery
+/// </summary>
+public sealed class GetTaskByIdQueryHandler : IRequestHandler<GetTaskByIdQuery, TaskDto>
+{
+    private readonly IProjectRepository _projectRepository;
+
+    public GetTaskByIdQueryHandler(IProjectRepository projectRepository)
+    {
+        _projectRepository = projectRepository ?? throw new ArgumentNullException(nameof(projectRepository));
+    }
+
+    public async Task<TaskDto> Handle(GetTaskByIdQuery request, CancellationToken cancellationToken)
+    {
+        // Get the project containing the task
+        var taskId = TaskId.From(request.TaskId);
+        var project = await _projectRepository.GetProjectWithTaskAsync(taskId, cancellationToken);
+
+        if (project == null)
+            throw new NotFoundException("Task", request.TaskId);
+
+        // Find the task within the project aggregate
+        WorkTask? task = null;
+        foreach (var epic in project.Epics)
+        {
+            foreach (var story in epic.Stories)
+            {
+                task = story.Tasks.FirstOrDefault(t => t.Id.Value == request.TaskId);
+                if (task != null)
+                    break;
+            }
+            if (task != null)
+                break;
+        }
+
+        if (task == null)
+            throw new NotFoundException("Task", request.TaskId);
+
+        // Map to DTO
+        return new TaskDto
+        {
+            Id = task.Id.Value,
+            Title = task.Title,
+            Description = task.Description,
+            StoryId = task.StoryId.Value,
+            Status = task.Status.Name,
+            Priority = task.Priority.Name,
+            AssigneeId = task.AssigneeId?.Value,
+            EstimatedHours = task.EstimatedHours,
+            ActualHours = task.ActualHours,
+            CreatedBy = task.CreatedBy.Value,
+            CreatedAt = task.CreatedAt,
+            UpdatedAt = task.UpdatedAt
+        };
+    }
+}

colaflow-api/src/Modules/ProjectManagement/ColaFlow.Modules.ProjectManagement.Application/Queries/GetTasksByAssignee/GetTasksByAssigneeQuery.cs

@@ -0,0 +1,9 @@
+using MediatR;
+using ColaFlow.Modules.ProjectManagement.Application.DTOs;
+
+namespace ColaFlow.Modules.ProjectManagement.Application.Queries.GetTasksByAssignee;
+
+/// <summary>
+/// Query to get all Tasks assigned to a user
+/// </summary>
+public sealed record GetTasksByAssigneeQuery(Guid AssigneeId) : IRequest<List<TaskDto>>;

colaflow-api/src/Modules/ProjectManagement/ColaFlow.Modules.ProjectManagement.Application/Queries/GetTasksByAssignee/GetTasksByAssigneeQueryHandler.cs

@@ -0,0 +1,49 @@
+using MediatR;
+using ColaFlow.Modules.ProjectManagement.Application.DTOs;
+using ColaFlow.Modules.ProjectManagement.Domain.Repositories;
+
+namespace ColaFlow.Modules.ProjectManagement.Application.Queries.GetTasksByAssignee;
+
+/// <summary>
+/// Handler for GetTasksByAssigneeQuery
+/// </summary>
+public sealed class GetTasksByAssigneeQueryHandler : IRequestHandler<GetTasksByAssigneeQuery, List<TaskDto>>
+{
+    private readonly IProjectRepository _projectRepository;
+
+    public GetTasksByAssigneeQueryHandler(IProjectRepository projectRepository)
+    {
+        _projectRepository = projectRepository ?? throw new ArgumentNullException(nameof(projectRepository));
+    }
+
+    public async Task<List<TaskDto>> Handle(GetTasksByAssigneeQuery request, CancellationToken cancellationToken)
+    {
+        // Get all projects
+        var allProjects = await _projectRepository.GetAllAsync(cancellationToken);
+
+        // Get all tasks assigned to the user across all projects
+        var userTasks = allProjects
+            .SelectMany(project => project.Epics)
+            .SelectMany(epic => epic.Stories)
+            .SelectMany(story => story.Tasks)
+            .Where(task => task.AssigneeId != null && task.AssigneeId.Value == request.AssigneeId)
+            .ToList();
+
+        // Map to DTOs
+        return userTasks.Select(task => new TaskDto
+        {
+            Id = task.Id.Value,
+            Title = task.Title,
+            Description = task.Description,
+            StoryId = task.StoryId.Value,
+            Status = task.Status.Name,
+            Priority = task.Priority.Name,
+            AssigneeId = task.AssigneeId?.Value,
+            EstimatedHours = task.EstimatedHours,
+            ActualHours = task.ActualHours,
+            CreatedBy = task.CreatedBy.Value,
+            CreatedAt = task.CreatedAt,
+            UpdatedAt = task.UpdatedAt
+        }).ToList();
+    }
+}

colaflow-api/src/Modules/ProjectManagement/ColaFlow.Modules.ProjectManagement.Application/Queries/GetTasksByProjectId/GetTasksByProjectIdQuery.cs

@@ -0,0 +1,14 @@
+using MediatR;
+using ColaFlow.Modules.ProjectManagement.Application.DTOs;
+
+namespace ColaFlow.Modules.ProjectManagement.Application.Queries.GetTasksByProjectId;
+
+/// <summary>
+/// Query to get all Tasks for a Project (for Kanban board)
+/// </summary>
+public sealed record GetTasksByProjectIdQuery : IRequest<List<TaskDto>>
+{
+    public Guid ProjectId { get; init; }
+    public string? Status { get; init; }
+    public Guid? AssigneeId { get; init; }
+}

colaflow-api/src/Modules/ProjectManagement/ColaFlow.Modules.ProjectManagement.Application/Queries/GetTasksByProjectId/GetTasksByProjectIdQueryHandler.cs

@@ -0,0 +1,64 @@
+using MediatR;
+using ColaFlow.Modules.ProjectManagement.Application.DTOs;
+using ColaFlow.Modules.ProjectManagement.Domain.Repositories;
+using ColaFlow.Modules.ProjectManagement.Domain.ValueObjects;
+using ColaFlow.Modules.ProjectManagement.Domain.Exceptions;
+
+namespace ColaFlow.Modules.ProjectManagement.Application.Queries.GetTasksByProjectId;
+
+/// <summary>
+/// Handler for GetTasksByProjectIdQuery
+/// </summary>
+public sealed class GetTasksByProjectIdQueryHandler : IRequestHandler<GetTasksByProjectIdQuery, List<TaskDto>>
+{
+    private readonly IProjectRepository _projectRepository;
+
+    public GetTasksByProjectIdQueryHandler(IProjectRepository projectRepository)
+    {
+        _projectRepository = projectRepository ?? throw new ArgumentNullException(nameof(projectRepository));
+    }
+
+    public async Task<List<TaskDto>> Handle(GetTasksByProjectIdQuery request, CancellationToken cancellationToken)
+    {
+        // Get the project with all its tasks
+        var projectId = ProjectId.From(request.ProjectId);
+        var project = await _projectRepository.GetByIdAsync(projectId, cancellationToken);
+
+        if (project == null)
+            throw new NotFoundException("Project", request.ProjectId);
+
+        // Get all tasks from all stories in all epics
+        var allTasks = project.Epics
+            .SelectMany(epic => epic.Stories)
+            .SelectMany(story => story.Tasks)
+            .ToList();
+
+        // Apply filters
+        if (!string.IsNullOrWhiteSpace(request.Status))
+        {
+            allTasks = allTasks.Where(t => t.Status.Name.Equals(request.Status, StringComparison.OrdinalIgnoreCase)).ToList();
+        }
+
+        if (request.AssigneeId.HasValue)
+        {
+            allTasks = allTasks.Where(t => t.AssigneeId != null && t.AssigneeId.Value == request.AssigneeId.Value).ToList();
+        }
+
+        // Map to DTOs
+        return allTasks.Select(task => new TaskDto
+        {
+            Id = task.Id.Value,
+            Title = task.Title,
+            Description = task.Description,
+            StoryId = task.StoryId.Value,
+            Status = task.Status.Name,
+            Priority = task.Priority.Name,
+            AssigneeId = task.AssigneeId?.Value,
+            EstimatedHours = task.EstimatedHours,
+            ActualHours = task.ActualHours,
+            CreatedBy = task.CreatedBy.Value,
+            CreatedAt = task.CreatedAt,
+            UpdatedAt = task.UpdatedAt
+        }).ToList();
+    }
+}

colaflow-api/src/Modules/ProjectManagement/ColaFlow.Modules.ProjectManagement.Application/Queries/GetTasksByStoryId/GetTasksByStoryIdQuery.cs

@@ -0,0 +1,9 @@
+using MediatR;
+using ColaFlow.Modules.ProjectManagement.Application.DTOs;
+
+namespace ColaFlow.Modules.ProjectManagement.Application.Queries.GetTasksByStoryId;
+
+/// <summary>
+/// Query to get all Tasks for a Story
+/// </summary>
+public sealed record GetTasksByStoryIdQuery(Guid StoryId) : IRequest<List<TaskDto>>;

colaflow-api/src/Modules/ProjectManagement/ColaFlow.Modules.ProjectManagement.Application/Queries/GetTasksByStoryId/GetTasksByStoryIdQueryHandler.cs

@@ -0,0 +1,55 @@
+using MediatR;
+using ColaFlow.Modules.ProjectManagement.Application.DTOs;
+using ColaFlow.Modules.ProjectManagement.Domain.Repositories;
+using ColaFlow.Modules.ProjectManagement.Domain.ValueObjects;
+using ColaFlow.Modules.ProjectManagement.Domain.Exceptions;
+
+namespace ColaFlow.Modules.ProjectManagement.Application.Queries.GetTasksByStoryId;
+
+/// <summary>
+/// Handler for GetTasksByStoryIdQuery
+/// </summary>
+public sealed class GetTasksByStoryIdQueryHandler : IRequestHandler<GetTasksByStoryIdQuery, List<TaskDto>>
+{
+    private readonly IProjectRepository _projectRepository;
+
+    public GetTasksByStoryIdQueryHandler(IProjectRepository projectRepository)
+    {
+        _projectRepository = projectRepository ?? throw new ArgumentNullException(nameof(projectRepository));
+    }
+
+    public async Task<List<TaskDto>> Handle(GetTasksByStoryIdQuery request, CancellationToken cancellationToken)
+    {
+        // Get the project containing the story
+        var storyId = StoryId.From(request.StoryId);
+        var project = await _projectRepository.GetProjectWithStoryAsync(storyId, cancellationToken);
+
+        if (project == null)
+            throw new NotFoundException("Story", request.StoryId);
+
+        // Find the story within the project aggregate
+        var story = project.Epics
+            .SelectMany(e => e.Stories)
+            .FirstOrDefault(s => s.Id.Value == request.StoryId);
+
+        if (story == null)
+            throw new NotFoundException("Story", request.StoryId);
+
+        // Map tasks to DTOs
+        return story.Tasks.Select(task => new TaskDto
+        {
+            Id = task.Id.Value,
+            Title = task.Title,
+            Description = task.Description,
+            StoryId = task.StoryId.Value,
+            Status = task.Status.Name,
+            Priority = task.Priority.Name,
+            AssigneeId = task.AssigneeId?.Value,
+            EstimatedHours = task.EstimatedHours,
+            ActualHours = task.ActualHours,
+            CreatedBy = task.CreatedBy.Value,
+            CreatedAt = task.CreatedAt,
+            UpdatedAt = task.UpdatedAt
+        }).ToList();
+    }
+}

colaflow-api/src/Modules/ProjectManagement/ColaFlow.Modules.ProjectManagement.Domain/Aggregates/ProjectAggregate/Epic.cs

@@ -88,4 +88,17 @@ public class Epic : Entity
         Priority = newPriority;
         UpdatedAt = DateTime.UtcNow;
     }
+
+    public void RemoveStory(StoryId storyId)
+    {
+        var story = _stories.FirstOrDefault(s => s.Id == storyId);
+        if (story == null)
+            throw new DomainException($"Story with ID {storyId.Value} not found in epic");
+
+        if (story.Tasks.Any())
+            throw new DomainException($"Cannot delete story with ID {storyId.Value}. The story has {story.Tasks.Count} associated task(s). Please delete or reassign the tasks first.");
+
+        _stories.Remove(story);
+        UpdatedAt = DateTime.UtcNow;
+    }
 }

colaflow-api/src/Modules/ProjectManagement/ColaFlow.Modules.ProjectManagement.Domain/Aggregates/ProjectAggregate/Story.cs

@@ -67,6 +67,16 @@ public class Story : Entity
         return task;
     }
 
+    public void RemoveTask(TaskId taskId)
+    {
+        var task = _tasks.FirstOrDefault(t => t.Id == taskId);
+        if (task == null)
+            throw new DomainException($"Task with ID {taskId.Value} not found in story");
+
+        _tasks.Remove(task);
+        UpdatedAt = DateTime.UtcNow;
+    }
+
     public void UpdateDetails(string title, string description)
     {
         if (string.IsNullOrWhiteSpace(title))
@@ -109,4 +119,10 @@ public class Story : Entity
         ActualHours = hours;
         UpdatedAt = DateTime.UtcNow;
     }
+
+    public void UpdatePriority(TaskPriority newPriority)
+    {
+        Priority = newPriority;
+        UpdatedAt = DateTime.UtcNow;
+    }
 }

colaflow-api/src/Modules/ProjectManagement/ColaFlow.Modules.ProjectManagement.Domain/Aggregates/ProjectAggregate/Story.cs.old

@@ -0,0 +1,112 @@
+using ColaFlow.Shared.Kernel.Common;
+using ColaFlow.Modules.ProjectManagement.Domain.Exceptions;
+using ColaFlow.Modules.ProjectManagement.Domain.ValueObjects;
+
+using ColaFlow.Modules.ProjectManagement.Domain.Events;
+namespace ColaFlow.Modules.ProjectManagement.Domain.Aggregates.ProjectAggregate;
+
+/// <summary>
+/// Story Entity (part of Project aggregate)
+/// </summary>
+public class Story : Entity
+{
+    public new StoryId Id { get; private set; }
+    public string Title { get; private set; }
+    public string Description { get; private set; }
+    public EpicId EpicId { get; private set; }
+    public WorkItemStatus Status { get; private set; }
+    public TaskPriority Priority { get; private set; }
+    public decimal? EstimatedHours { get; private set; }
+    public decimal? ActualHours { get; private set; }
+    public UserId? AssigneeId { get; private set; }
+
+    private readonly List<WorkTask> _tasks = new();
+    public IReadOnlyCollection<WorkTask> Tasks => _tasks.AsReadOnly();
+
+    public DateTime CreatedAt { get; private set; }
+    public UserId CreatedBy { get; private set; }
+    public DateTime? UpdatedAt { get; private set; }
+
+    // EF Core constructor
+    private Story()
+    {
+        Id = null!;
+        Title = null!;
+        Description = null!;
+        EpicId = null!;
+        Status = null!;
+        Priority = null!;
+        CreatedBy = null!;
+    }
+
+    public static Story Create(string title, string description, EpicId epicId, TaskPriority priority, UserId createdBy)
+    {
+        if (string.IsNullOrWhiteSpace(title))
+            throw new DomainException("Story title cannot be empty");
+
+        if (title.Length > 200)
+            throw new DomainException("Story title cannot exceed 200 characters");
+
+        return new Story
+        {
+            Id = StoryId.Create(),
+            Title = title,
+            Description = description ?? string.Empty,
+            EpicId = epicId,
+            Status = WorkItemStatus.ToDo,
+            Priority = priority,
+            CreatedAt = DateTime.UtcNow,
+            CreatedBy = createdBy
+        };
+    }
+
+    public WorkTask CreateTask(string title, string description, TaskPriority priority, UserId createdBy)
+    {
+        var task = WorkTask.Create(title, description, this.Id, priority, createdBy);
+        _tasks.Add(task);
+        return task;
+    }
+
+    public void UpdateDetails(string title, string description)
+    {
+        if (string.IsNullOrWhiteSpace(title))
+            throw new DomainException("Story title cannot be empty");
+
+        if (title.Length > 200)
+            throw new DomainException("Story title cannot exceed 200 characters");
+
+        Title = title;
+        Description = description ?? string.Empty;
+        UpdatedAt = DateTime.UtcNow;
+    }
+
+    public void UpdateStatus(WorkItemStatus newStatus)
+    {
+        Status = newStatus;
+        UpdatedAt = DateTime.UtcNow;
+    }
+
+    public void AssignTo(UserId assigneeId)
+    {
+        AssigneeId = assigneeId;
+        UpdatedAt = DateTime.UtcNow;
+    }
+
+    public void UpdateEstimate(decimal hours)
+    {
+        if (hours < 0)
+            throw new DomainException("Estimated hours cannot be negative");
+
+        EstimatedHours = hours;
+        UpdatedAt = DateTime.UtcNow;
+    }
+
+    public void LogActualHours(decimal hours)
+    {
+        if (hours < 0)
+            throw new DomainException("Actual hours cannot be negative");
+
+        ActualHours = hours;
+        UpdatedAt = DateTime.UtcNow;
+    }
+}

colaflow-api/src/Modules/ProjectManagement/ColaFlow.Modules.ProjectManagement.Infrastructure/Migrations/20251103000604_FixValueObjectForeignKeys.Designer.cs

@@ -12,8 +12,8 @@ using Npgsql.EntityFrameworkCore.PostgreSQL.Metadata;
 namespace ColaFlow.Modules.ProjectManagement.Infrastructure.Migrations
 {
     [DbContext(typeof(PMDbContext))]
-    [Migration("20251102220422_InitialCreate")]
+    [Migration("20251103000604_FixValueObjectForeignKeys")]
-    partial class InitialCreate
+    partial class FixValueObjectForeignKeys
     {
         /// <inheritdoc />
         protected override void BuildTargetModel(ModelBuilder modelBuilder)
@@ -55,9 +55,6 @@ namespace ColaFlow.Modules.ProjectManagement.Infrastructure.Migrations
                     b.Property<Guid>("ProjectId")
                         .HasColumnType("uuid");
 
-                    b.Property<Guid?>("ProjectId1")
-                        .HasColumnType("uuid");
-
                     b.Property<string>("Status")
                         .IsRequired()
                         .HasMaxLength(50)
@@ -72,8 +69,6 @@ namespace ColaFlow.Modules.ProjectManagement.Infrastructure.Migrations
 
                     b.HasIndex("ProjectId");
 
-                    b.HasIndex("ProjectId1");
-
                     b.ToTable("Epics", "project_management");
                 });
 
@@ -232,14 +227,10 @@ namespace ColaFlow.Modules.ProjectManagement.Infrastructure.Migrations
             modelBuilder.Entity("ColaFlow.Modules.ProjectManagement.Domain.Aggregates.ProjectAggregate.Epic", b =>
                 {
                     b.HasOne("ColaFlow.Modules.ProjectManagement.Domain.Aggregates.ProjectAggregate.Project", null)
-                        .WithMany()
+                        .WithMany("Epics")
                         .HasForeignKey("ProjectId")
                         .OnDelete(DeleteBehavior.Cascade)
                         .IsRequired();
-
-                    b.HasOne("ColaFlow.Modules.ProjectManagement.Domain.Aggregates.ProjectAggregate.Project", null)
-                        .WithMany("Epics")
-                        .HasForeignKey("ProjectId1");
                 });
 
             modelBuilder.Entity("ColaFlow.Modules.ProjectManagement.Domain.Aggregates.ProjectAggregate.Project", b =>
@@ -273,7 +264,7 @@ namespace ColaFlow.Modules.ProjectManagement.Infrastructure.Migrations
             modelBuilder.Entity("ColaFlow.Modules.ProjectManagement.Domain.Aggregates.ProjectAggregate.Story", b =>
                 {
                     b.HasOne("ColaFlow.Modules.ProjectManagement.Domain.Aggregates.ProjectAggregate.Epic", null)
-                        .WithMany()
+                        .WithMany("Stories")
                         .HasForeignKey("EpicId")
                         .OnDelete(DeleteBehavior.Cascade)
                         .IsRequired();
@@ -282,16 +273,26 @@ namespace ColaFlow.Modules.ProjectManagement.Infrastructure.Migrations
             modelBuilder.Entity("ColaFlow.Modules.ProjectManagement.Domain.Aggregates.ProjectAggregate.WorkTask", b =>
                 {
                     b.HasOne("ColaFlow.Modules.ProjectManagement.Domain.Aggregates.ProjectAggregate.Story", null)
-                        .WithMany()
+                        .WithMany("Tasks")
                         .HasForeignKey("StoryId")
                         .OnDelete(DeleteBehavior.Cascade)
                         .IsRequired();
                 });
 
+            modelBuilder.Entity("ColaFlow.Modules.ProjectManagement.Domain.Aggregates.ProjectAggregate.Epic", b =>
+                {
+                    b.Navigation("Stories");
+                });
+
             modelBuilder.Entity("ColaFlow.Modules.ProjectManagement.Domain.Aggregates.ProjectAggregate.Project", b =>
                 {
                     b.Navigation("Epics");
                 });
+
+            modelBuilder.Entity("ColaFlow.Modules.ProjectManagement.Domain.Aggregates.ProjectAggregate.Story", b =>
+                {
+                    b.Navigation("Tasks");
+                });
 #pragma warning restore 612, 618
         }
     }

colaflow-api/src/Modules/ProjectManagement/ColaFlow.Modules.ProjectManagement.Infrastructure/Migrations/20251103000604_FixValueObjectForeignKeys.cs

@@ -6,7 +6,7 @@ using Microsoft.EntityFrameworkCore.Migrations;
 namespace ColaFlow.Modules.ProjectManagement.Infrastructure.Migrations
 {
     /// <inheritdoc />
-    public partial class InitialCreate : Migration
+    public partial class FixValueObjectForeignKeys : Migration
     {
         /// <inheritdoc />
         protected override void Up(MigrationBuilder migrationBuilder)
@@ -46,8 +46,7 @@ namespace ColaFlow.Modules.ProjectManagement.Infrastructure.Migrations
                     Priority = table.Column<string>(type: "character varying(50)", maxLength: 50, nullable: false),
                     CreatedAt = table.Column<DateTime>(type: "timestamp with time zone", nullable: false),
                     CreatedBy = table.Column<Guid>(type: "uuid", nullable: false),
-                    UpdatedAt = table.Column<DateTime>(type: "timestamp with time zone", nullable: true),
+                    UpdatedAt = table.Column<DateTime>(type: "timestamp with time zone", nullable: true)
-                    ProjectId1 = table.Column<Guid>(type: "uuid", nullable: true)
                 },
                 constraints: table =>
                 {
@@ -59,12 +58,6 @@ namespace ColaFlow.Modules.ProjectManagement.Infrastructure.Migrations
                         principalTable: "Projects",
                         principalColumn: "Id",
                         onDelete: ReferentialAction.Cascade);
-                    table.ForeignKey(
-                        name: "FK_Epics_Projects_ProjectId1",
-                        column: x => x.ProjectId1,
-                        principalSchema: "project_management",
-                        principalTable: "Projects",
-                        principalColumn: "Id");
                 });
 
             migrationBuilder.CreateTable(
@@ -139,12 +132,6 @@ namespace ColaFlow.Modules.ProjectManagement.Infrastructure.Migrations
                 table: "Epics",
                 column: "ProjectId");
 
-            migrationBuilder.CreateIndex(
-                name: "IX_Epics_ProjectId1",
-                schema: "project_management",
-                table: "Epics",
-                column: "ProjectId1");
-
             migrationBuilder.CreateIndex(
                 name: "IX_Projects_CreatedAt",
                 schema: "project_management",

colaflow-api/src/Modules/ProjectManagement/ColaFlow.Modules.ProjectManagement.Infrastructure/Migrations/PMDbContextModelSnapshot.cs

@@ -52,9 +52,6 @@ namespace ColaFlow.Modules.ProjectManagement.Infrastructure.Migrations
                     b.Property<Guid>("ProjectId")
                         .HasColumnType("uuid");
 
-                    b.Property<Guid?>("ProjectId1")
-                        .HasColumnType("uuid");
-
                     b.Property<string>("Status")
                         .IsRequired()
                         .HasMaxLength(50)
@@ -69,8 +66,6 @@ namespace ColaFlow.Modules.ProjectManagement.Infrastructure.Migrations
 
                     b.HasIndex("ProjectId");
 
-                    b.HasIndex("ProjectId1");
-
                     b.ToTable("Epics", "project_management");
                 });
 
@@ -229,14 +224,10 @@ namespace ColaFlow.Modules.ProjectManagement.Infrastructure.Migrations
             modelBuilder.Entity("ColaFlow.Modules.ProjectManagement.Domain.Aggregates.ProjectAggregate.Epic", b =>
                 {
                     b.HasOne("ColaFlow.Modules.ProjectManagement.Domain.Aggregates.ProjectAggregate.Project", null)
-                        .WithMany()
+                        .WithMany("Epics")
                         .HasForeignKey("ProjectId")
                         .OnDelete(DeleteBehavior.Cascade)
                         .IsRequired();
-
-                    b.HasOne("ColaFlow.Modules.ProjectManagement.Domain.Aggregates.ProjectAggregate.Project", null)
-                        .WithMany("Epics")
-                        .HasForeignKey("ProjectId1");
                 });
 
             modelBuilder.Entity("ColaFlow.Modules.ProjectManagement.Domain.Aggregates.ProjectAggregate.Project", b =>
@@ -270,7 +261,7 @@ namespace ColaFlow.Modules.ProjectManagement.Infrastructure.Migrations
             modelBuilder.Entity("ColaFlow.Modules.ProjectManagement.Domain.Aggregates.ProjectAggregate.Story", b =>
                 {
                     b.HasOne("ColaFlow.Modules.ProjectManagement.Domain.Aggregates.ProjectAggregate.Epic", null)
-                        .WithMany()
+                        .WithMany("Stories")
                         .HasForeignKey("EpicId")
                         .OnDelete(DeleteBehavior.Cascade)
                         .IsRequired();
@@ -279,16 +270,26 @@ namespace ColaFlow.Modules.ProjectManagement.Infrastructure.Migrations
             modelBuilder.Entity("ColaFlow.Modules.ProjectManagement.Domain.Aggregates.ProjectAggregate.WorkTask", b =>
                 {
                     b.HasOne("ColaFlow.Modules.ProjectManagement.Domain.Aggregates.ProjectAggregate.Story", null)
-                        .WithMany()
+                        .WithMany("Tasks")
                         .HasForeignKey("StoryId")
                         .OnDelete(DeleteBehavior.Cascade)
                         .IsRequired();
                 });
 
+            modelBuilder.Entity("ColaFlow.Modules.ProjectManagement.Domain.Aggregates.ProjectAggregate.Epic", b =>
+                {
+                    b.Navigation("Stories");
+                });
+
             modelBuilder.Entity("ColaFlow.Modules.ProjectManagement.Domain.Aggregates.ProjectAggregate.Project", b =>
                 {
                     b.Navigation("Epics");
                 });
+
+            modelBuilder.Entity("ColaFlow.Modules.ProjectManagement.Domain.Aggregates.ProjectAggregate.Story", b =>
+                {
+                    b.Navigation("Tasks");
+                });
 #pragma warning restore 612, 618
         }
     }

colaflow-api/src/Modules/ProjectManagement/ColaFlow.Modules.ProjectManagement.Infrastructure/Persistence/Configurations/EpicConfiguration.cs

@@ -70,13 +70,11 @@ public class EpicConfiguration : IEntityTypeConfiguration<Epic>
 
         builder.Property(e => e.UpdatedAt);
 
-        // Ignore navigation properties (DDD pattern - access through aggregate)
+        // Configure Stories collection (owned by Epic in the aggregate)
-        builder.Ignore(e => e.Stories);
+        // Use string-based FK name because EpicId is a value object with conversion configured in StoryConfiguration
-
+        builder.HasMany<Story>("Stories")
-        // Foreign key relationship to Project
+            .WithOne()
-        builder.HasOne<Project>()
+            .HasForeignKey("EpicId")
-            .WithMany()
-            .HasForeignKey(e => e.ProjectId)
             .OnDelete(DeleteBehavior.Cascade);
 
         // Indexes

colaflow-api/src/Modules/ProjectManagement/ColaFlow.Modules.ProjectManagement.Infrastructure/Persistence/Configurations/ProjectConfiguration.cs

@@ -67,7 +67,12 @@ public class ProjectConfiguration : IEntityTypeConfiguration<Project>
         builder.Property(p => p.UpdatedAt);
 
         // Relationships - Epics collection (owned by aggregate)
-        // Note: We don't expose this as navigation property in DDD, epics are accessed through repository
+        // Configure the one-to-many relationship with Epic
+        // Use string-based FK name because ProjectId is a value object with conversion configured in EpicConfiguration
+        builder.HasMany<Epic>("Epics")
+            .WithOne()
+            .HasForeignKey("ProjectId")
+            .OnDelete(DeleteBehavior.Cascade);
 
         // Indexes for performance
         builder.HasIndex(p => p.CreatedAt);

colaflow-api/src/Modules/ProjectManagement/ColaFlow.Modules.ProjectManagement.Infrastructure/Persistence/Configurations/StoryConfiguration.cs

@@ -80,13 +80,11 @@ public class StoryConfiguration : IEntityTypeConfiguration<Story>
 
         builder.Property(s => s.UpdatedAt);
 
-        // Ignore navigation properties (DDD pattern - access through aggregate)
+        // Configure Tasks collection (owned by Story in the aggregate)
-        builder.Ignore(s => s.Tasks);
+        // Use string-based FK name because StoryId is a value object with conversion configured in WorkTaskConfiguration
-
+        builder.HasMany<WorkTask>("Tasks")
-        // Foreign key relationship to Epic
+            .WithOne()
-        builder.HasOne<Epic>()
+            .HasForeignKey("StoryId")
-            .WithMany()
-            .HasForeignKey(s => s.EpicId)
             .OnDelete(DeleteBehavior.Cascade);
 
         // Indexes

colaflow-api/src/Modules/ProjectManagement/ColaFlow.Modules.ProjectManagement.Infrastructure/Persistence/Configurations/WorkTaskConfiguration.cs

@@ -80,12 +80,6 @@ public class WorkTaskConfiguration : IEntityTypeConfiguration<WorkTask>
 
         builder.Property(t => t.UpdatedAt);
 
-        // Foreign key relationship to Story
-        builder.HasOne<Story>()
-            .WithMany()
-            .HasForeignKey(t => t.StoryId)
-            .OnDelete(DeleteBehavior.Cascade);
-
         // Indexes
         builder.HasIndex(t => t.StoryId);
         builder.HasIndex(t => t.AssigneeId);

colaflow-api/src/Shared/ColaFlow.Shared.Kernel/Common/Enumeration.cs

@@ -56,7 +56,21 @@ public abstract class Enumeration : IComparable
 
     public static T FromDisplayName<T>(string displayName) where T : Enumeration
     {
-        var matchingItem = Parse<T, string>(displayName, "display name", item => item.Name == displayName);
+        // First try exact match
+        var matchingItem = GetAll<T>().FirstOrDefault(item => item.Name == displayName);
+
+        // If not found, try removing spaces from both the input and the enumeration names
+        // This allows "InProgress" to match "In Progress", "ToDo" to match "To Do", etc.
+        if (matchingItem == null)
+        {
+            var normalizedInput = displayName.Replace(" ", "");
+            matchingItem = GetAll<T>().FirstOrDefault(item =>
+                item.Name.Replace(" ", "").Equals(normalizedInput, StringComparison.OrdinalIgnoreCase));
+        }
+
+        if (matchingItem == null)
+            throw new InvalidOperationException($"'{displayName}' is not a valid display name in {typeof(T)}");
+
         return matchingItem;
     }
 

colaflow-api/test-ef-warnings.ps1

@@ -0,0 +1,35 @@
+# Test script to verify no EF Core warnings
+Write-Host "Starting API to check for EF Core warnings..." -ForegroundColor Cyan
+
+$apiProcess = Start-Process -FilePath "dotnet" `
+    -ArgumentList "run --project C:\Users\yaoji\git\ColaCoder\product-master\colaflow-api\src\ColaFlow.API\ColaFlow.API.csproj" `
+    -WorkingDirectory "C:\Users\yaoji\git\ColaCoder\product-master\colaflow-api" `
+    -RedirectStandardOutput "api-output.log" `
+    -RedirectStandardError "api-errors.log" `
+    -PassThru `
+    -NoNewWindow
+
+Write-Host "Waiting 15 seconds for API to start..." -ForegroundColor Yellow
+Start-Sleep -Seconds 15
+
+# Check for warnings
+$warnings = Select-String -Path "api-errors.log" -Pattern "(ProjectId1|EpicId1|StoryId1|shadow state.*conflicting)" -Context 1,1
+
+if ($warnings) {
+    Write-Host "`nERROR: EF Core warnings found!" -ForegroundColor Red
+    $warnings | ForEach-Object { Write-Host $_.Line -ForegroundColor Red }
+    $exitCode = 1
+} else {
+    Write-Host "`nSUCCESS: No EF Core warnings found!" -ForegroundColor Green
+    $exitCode = 0
+}
+
+# Stop API
+Stop-Process -Id $apiProcess.Id -Force
+Write-Host "`nAPI stopped." -ForegroundColor Cyan
+
+# Show last 20 lines of logs
+Write-Host "`nLast 20 lines of error log:" -ForegroundColor Yellow
+Get-Content "api-errors.log" -Tail 20
+
+exit $exitCode

colaflow-api/tests/ColaFlow.Application.Tests/ColaFlow.Application.Tests.csproj

@@ -22,6 +22,8 @@
 
   <ItemGroup>
     <ProjectReference Include="..\..\src\ColaFlow.Application\ColaFlow.Application.csproj" />
+    <ProjectReference Include="..\..\src\Modules\ProjectManagement\ColaFlow.Modules.ProjectManagement.Application\ColaFlow.Modules.ProjectManagement.Application.csproj" />
+    <ProjectReference Include="..\..\src\Modules\ProjectManagement\ColaFlow.Modules.ProjectManagement.Domain\ColaFlow.Modules.ProjectManagement.Domain.csproj" />
   </ItemGroup>
 
 </Project>

colaflow-api/tests/ColaFlow.Application.Tests/Commands/AssignStory/AssignStoryCommandHandlerTests.cs

@@ -0,0 +1,111 @@
+using FluentAssertions;
+using Moq;
+using ColaFlow.Modules.ProjectManagement.Application.Commands.AssignStory;
+using ColaFlow.Modules.ProjectManagement.Domain.Aggregates.ProjectAggregate;
+using ColaFlow.Modules.ProjectManagement.Domain.Repositories;
+using ColaFlow.Modules.ProjectManagement.Domain.ValueObjects;
+using ColaFlow.Modules.ProjectManagement.Domain.Exceptions;
+
+namespace ColaFlow.Application.Tests.Commands.AssignStory;
+
+public class AssignStoryCommandHandlerTests
+{
+    private readonly Mock<IProjectRepository> _projectRepositoryMock;
+    private readonly Mock<IUnitOfWork> _unitOfWorkMock;
+    private readonly AssignStoryCommandHandler _handler;
+
+    public AssignStoryCommandHandlerTests()
+    {
+        _projectRepositoryMock = new Mock<IProjectRepository>();
+        _unitOfWorkMock = new Mock<IUnitOfWork>();
+        _handler = new AssignStoryCommandHandler(_projectRepositoryMock.Object, _unitOfWorkMock.Object);
+    }
+
+    [Fact]
+    public async Task Should_Assign_Story_Successfully()
+    {
+        // Arrange
+        var userId = UserId.Create();
+        var assigneeId = UserId.Create();
+        var project = Project.Create("Test Project", "Description", "TST", userId);
+        var epic = project.CreateEpic("Test Epic", "Epic Description", userId);
+        var story = epic.CreateStory("Test Story", "Description", TaskPriority.Medium, userId);
+
+        _projectRepositoryMock
+            .Setup(x => x.GetProjectWithStoryAsync(story.Id, It.IsAny<CancellationToken>()))
+            .ReturnsAsync(project);
+
+        var command = new AssignStoryCommand
+        {
+            StoryId = story.Id.Value,
+            AssigneeId = assigneeId.Value
+        };
+
+        // Act
+        var result = await _handler.Handle(command, CancellationToken.None);
+
+        // Assert
+        result.Should().NotBeNull();
+        result.AssigneeId.Should().Be(assigneeId.Value);
+        story.AssigneeId.Should().Be(assigneeId);
+
+        _projectRepositoryMock.Verify(x => x.Update(project), Times.Once);
+        _unitOfWorkMock.Verify(x => x.SaveChangesAsync(It.IsAny<CancellationToken>()), Times.Once);
+    }
+
+    [Fact]
+    public async Task Should_Fail_When_Story_Not_Found()
+    {
+        // Arrange
+        var storyId = StoryId.Create();
+        _projectRepositoryMock
+            .Setup(x => x.GetProjectWithStoryAsync(storyId, It.IsAny<CancellationToken>()))
+            .ReturnsAsync((Project?)null);
+
+        var command = new AssignStoryCommand
+        {
+            StoryId = storyId.Value,
+            AssigneeId = Guid.NewGuid()
+        };
+
+        // Act
+        Func<Task> act = async () => await _handler.Handle(command, CancellationToken.None);
+
+        // Assert
+        await act.Should().ThrowAsync<NotFoundException>()
+            .WithMessage("*Story*");
+    }
+
+    [Fact]
+    public async Task Should_Reassign_Story_To_Different_User()
+    {
+        // Arrange
+        var userId = UserId.Create();
+        var firstAssignee = UserId.Create();
+        var secondAssignee = UserId.Create();
+        var project = Project.Create("Test Project", "Description", "TST", userId);
+        var epic = project.CreateEpic("Test Epic", "Epic Description", userId);
+        var story = epic.CreateStory("Test Story", "Description", TaskPriority.Medium, userId);
+
+        // First assign
+        story.AssignTo(firstAssignee);
+
+        _projectRepositoryMock
+            .Setup(x => x.GetProjectWithStoryAsync(story.Id, It.IsAny<CancellationToken>()))
+            .ReturnsAsync(project);
+
+        var command = new AssignStoryCommand
+        {
+            StoryId = story.Id.Value,
+            AssigneeId = secondAssignee.Value
+        };
+
+        // Act
+        var result = await _handler.Handle(command, CancellationToken.None);
+
+        // Assert
+        result.Should().NotBeNull();
+        result.AssigneeId.Should().Be(secondAssignee.Value);
+        story.AssigneeId.Should().Be(secondAssignee);
+    }
+}

colaflow-api/tests/ColaFlow.Application.Tests/Commands/CreateStory/CreateStoryCommandHandlerTests.cs

@@ -0,0 +1,119 @@
+using FluentAssertions;
+using Moq;
+using ColaFlow.Modules.ProjectManagement.Application.Commands.CreateStory;
+using ColaFlow.Modules.ProjectManagement.Domain.Aggregates.ProjectAggregate;
+using ColaFlow.Modules.ProjectManagement.Domain.Repositories;
+using ColaFlow.Modules.ProjectManagement.Domain.ValueObjects;
+using ColaFlow.Modules.ProjectManagement.Domain.Exceptions;
+
+namespace ColaFlow.Application.Tests.Commands.CreateStory;
+
+public class CreateStoryCommandHandlerTests
+{
+    private readonly Mock<IProjectRepository> _projectRepositoryMock;
+    private readonly Mock<IUnitOfWork> _unitOfWorkMock;
+    private readonly CreateStoryCommandHandler _handler;
+
+    public CreateStoryCommandHandlerTests()
+    {
+        _projectRepositoryMock = new Mock<IProjectRepository>();
+        _unitOfWorkMock = new Mock<IUnitOfWork>();
+        _handler = new CreateStoryCommandHandler(_projectRepositoryMock.Object, _unitOfWorkMock.Object);
+    }
+
+    [Fact]
+    public async Task Should_Create_Story_Successfully()
+    {
+        // Arrange
+        var userId = UserId.Create();
+        var project = Project.Create("Test Project", "Description", "TST", userId);
+        var epic = project.CreateEpic("Test Epic", "Epic Description", userId);
+        var epicId = epic.Id;
+
+        _projectRepositoryMock
+            .Setup(x => x.GetProjectWithEpicAsync(epicId, It.IsAny<CancellationToken>()))
+            .ReturnsAsync(project);
+
+        var command = new CreateStoryCommand
+        {
+            EpicId = epicId.Value,
+            Title = "New Story",
+            Description = "Story Description",
+            Priority = "High",
+            EstimatedHours = 8,
+            AssigneeId = userId.Value,
+            CreatedBy = userId.Value
+        };
+
+        // Act
+        var result = await _handler.Handle(command, CancellationToken.None);
+
+        // Assert
+        result.Should().NotBeNull();
+        result.Title.Should().Be("New Story");
+        result.Description.Should().Be("Story Description");
+        result.EpicId.Should().Be(epicId.Value);
+        result.Status.Should().Be("To Do");
+        result.Priority.Should().Be("High");
+        result.EstimatedHours.Should().Be(8);
+        result.AssigneeId.Should().Be(userId.Value);
+
+        epic.Stories.Should().ContainSingle();
+        _projectRepositoryMock.Verify(x => x.Update(project), Times.Once);
+        _unitOfWorkMock.Verify(x => x.SaveChangesAsync(It.IsAny<CancellationToken>()), Times.Once);
+    }
+
+    [Fact]
+    public async Task Should_Fail_When_Epic_Not_Found()
+    {
+        // Arrange
+        var epicId = EpicId.Create();
+        _projectRepositoryMock
+            .Setup(x => x.GetProjectWithEpicAsync(epicId, It.IsAny<CancellationToken>()))
+            .ReturnsAsync((Project?)null);
+
+        var command = new CreateStoryCommand
+        {
+            EpicId = epicId.Value,
+            Title = "New Story",
+            Description = "Description",
+            Priority = "Medium",
+            CreatedBy = Guid.NewGuid()
+        };
+
+        // Act
+        Func<Task> act = async () => await _handler.Handle(command, CancellationToken.None);
+
+        // Assert
+        await act.Should().ThrowAsync<NotFoundException>()
+            .WithMessage("*Epic*");
+    }
+
+    [Fact]
+    public async Task Should_Set_Default_Status_To_ToDo()
+    {
+        // Arrange
+        var userId = UserId.Create();
+        var project = Project.Create("Test Project", "Description", "TST", userId);
+        var epic = project.CreateEpic("Test Epic", "Epic Description", userId);
+
+        _projectRepositoryMock
+            .Setup(x => x.GetProjectWithEpicAsync(epic.Id, It.IsAny<CancellationToken>()))
+            .ReturnsAsync(project);
+
+        var command = new CreateStoryCommand
+        {
+            EpicId = epic.Id.Value,
+            Title = "New Story",
+            Description = "Description",
+            Priority = "Low",
+            CreatedBy = userId.Value
+        };
+
+        // Act
+        var result = await _handler.Handle(command, CancellationToken.None);
+
+        // Assert
+        result.Status.Should().Be("To Do");
+    }
+}

colaflow-api/tests/ColaFlow.Application.Tests/Commands/CreateTask/CreateTaskCommandHandlerTests.cs

@@ -0,0 +1,121 @@
+using FluentAssertions;
+using Moq;
+using ColaFlow.Modules.ProjectManagement.Application.Commands.CreateTask;
+using ColaFlow.Modules.ProjectManagement.Domain.Aggregates.ProjectAggregate;
+using ColaFlow.Modules.ProjectManagement.Domain.Repositories;
+using ColaFlow.Modules.ProjectManagement.Domain.ValueObjects;
+using ColaFlow.Modules.ProjectManagement.Domain.Exceptions;
+
+namespace ColaFlow.Application.Tests.Commands.CreateTask;
+
+public class CreateTaskCommandHandlerTests
+{
+    private readonly Mock<IProjectRepository> _projectRepositoryMock;
+    private readonly Mock<IUnitOfWork> _unitOfWorkMock;
+    private readonly CreateTaskCommandHandler _handler;
+
+    public CreateTaskCommandHandlerTests()
+    {
+        _projectRepositoryMock = new Mock<IProjectRepository>();
+        _unitOfWorkMock = new Mock<IUnitOfWork>();
+        _handler = new CreateTaskCommandHandler(_projectRepositoryMock.Object, _unitOfWorkMock.Object);
+    }
+
+    [Fact]
+    public async Task Should_Create_Task_Successfully()
+    {
+        // Arrange
+        var userId = UserId.Create();
+        var project = Project.Create("Test Project", "Description", "TST", userId);
+        var epic = project.CreateEpic("Test Epic", "Epic Description", userId);
+        var story = epic.CreateStory("Test Story", "Story Description", TaskPriority.Medium, userId);
+        var storyId = story.Id;
+
+        _projectRepositoryMock
+            .Setup(x => x.GetProjectWithStoryAsync(storyId, It.IsAny<CancellationToken>()))
+            .ReturnsAsync(project);
+
+        var command = new CreateTaskCommand
+        {
+            StoryId = storyId.Value,
+            Title = "New Task",
+            Description = "Task Description",
+            Priority = "High",
+            EstimatedHours = 4,
+            AssigneeId = userId.Value,
+            CreatedBy = userId.Value
+        };
+
+        // Act
+        var result = await _handler.Handle(command, CancellationToken.None);
+
+        // Assert
+        result.Should().NotBeNull();
+        result.Title.Should().Be("New Task");
+        result.Description.Should().Be("Task Description");
+        result.StoryId.Should().Be(storyId.Value);
+        result.Status.Should().Be("To Do");
+        result.Priority.Should().Be("High");
+        result.EstimatedHours.Should().Be(4);
+        result.AssigneeId.Should().Be(userId.Value);
+
+        story.Tasks.Should().ContainSingle();
+        _projectRepositoryMock.Verify(x => x.Update(project), Times.Once);
+        _unitOfWorkMock.Verify(x => x.SaveChangesAsync(It.IsAny<CancellationToken>()), Times.Once);
+    }
+
+    [Fact]
+    public async Task Should_Fail_When_Story_Not_Found()
+    {
+        // Arrange
+        var storyId = StoryId.Create();
+        _projectRepositoryMock
+            .Setup(x => x.GetProjectWithStoryAsync(storyId, It.IsAny<CancellationToken>()))
+            .ReturnsAsync((Project?)null);
+
+        var command = new CreateTaskCommand
+        {
+            StoryId = storyId.Value,
+            Title = "New Task",
+            Description = "Description",
+            Priority = "Medium",
+            CreatedBy = Guid.NewGuid()
+        };
+
+        // Act
+        Func<Task> act = async () => await _handler.Handle(command, CancellationToken.None);
+
+        // Assert
+        await act.Should().ThrowAsync<NotFoundException>()
+            .WithMessage("*Story*");
+    }
+
+    [Fact]
+    public async Task Should_Set_Default_Status_To_ToDo()
+    {
+        // Arrange
+        var userId = UserId.Create();
+        var project = Project.Create("Test Project", "Description", "TST", userId);
+        var epic = project.CreateEpic("Test Epic", "Epic Description", userId);
+        var story = epic.CreateStory("Test Story", "Story Description", TaskPriority.Medium, userId);
+
+        _projectRepositoryMock
+            .Setup(x => x.GetProjectWithStoryAsync(story.Id, It.IsAny<CancellationToken>()))
+            .ReturnsAsync(project);
+
+        var command = new CreateTaskCommand
+        {
+            StoryId = story.Id.Value,
+            Title = "New Task",
+            Description = "Description",
+            Priority = "Low",
+            CreatedBy = userId.Value
+        };
+
+        // Act
+        var result = await _handler.Handle(command, CancellationToken.None);
+
+        // Assert
+        result.Status.Should().Be("To Do");
+    }
+}

colaflow-api/tests/ColaFlow.Application.Tests/Commands/DeleteStory/DeleteStoryCommandHandlerTests.cs

@@ -0,0 +1,93 @@
+using FluentAssertions;
+using Moq;
+using ColaFlow.Modules.ProjectManagement.Application.Commands.DeleteStory;
+using ColaFlow.Modules.ProjectManagement.Domain.Aggregates.ProjectAggregate;
+using ColaFlow.Modules.ProjectManagement.Domain.Repositories;
+using ColaFlow.Modules.ProjectManagement.Domain.ValueObjects;
+using ColaFlow.Modules.ProjectManagement.Domain.Exceptions;
+
+namespace ColaFlow.Application.Tests.Commands.DeleteStory;
+
+public class DeleteStoryCommandHandlerTests
+{
+    private readonly Mock<IProjectRepository> _projectRepositoryMock;
+    private readonly Mock<IUnitOfWork> _unitOfWorkMock;
+    private readonly DeleteStoryCommandHandler _handler;
+
+    public DeleteStoryCommandHandlerTests()
+    {
+        _projectRepositoryMock = new Mock<IProjectRepository>();
+        _unitOfWorkMock = new Mock<IUnitOfWork>();
+        _handler = new DeleteStoryCommandHandler(_projectRepositoryMock.Object, _unitOfWorkMock.Object);
+    }
+
+    [Fact]
+    public async Task Should_Delete_Story_Successfully()
+    {
+        // Arrange
+        var userId = UserId.Create();
+        var project = Project.Create("Test Project", "Description", "TST", userId);
+        var epic = project.CreateEpic("Test Epic", "Epic Description", userId);
+        var story = epic.CreateStory("Story to Delete", "Description", TaskPriority.Medium, userId);
+        var storyId = story.Id;
+
+        _projectRepositoryMock
+            .Setup(x => x.GetProjectWithStoryAsync(storyId, It.IsAny<CancellationToken>()))
+            .ReturnsAsync(project);
+
+        var command = new DeleteStoryCommand { StoryId = storyId.Value };
+
+        // Act
+        await _handler.Handle(command, CancellationToken.None);
+
+        // Assert
+        epic.Stories.Should().BeEmpty();
+        _projectRepositoryMock.Verify(x => x.Update(project), Times.Once);
+        _unitOfWorkMock.Verify(x => x.SaveChangesAsync(It.IsAny<CancellationToken>()), Times.Once);
+    }
+
+    [Fact]
+    public async Task Should_Fail_When_Story_Not_Found()
+    {
+        // Arrange
+        var storyId = StoryId.Create();
+        _projectRepositoryMock
+            .Setup(x => x.GetProjectWithStoryAsync(storyId, It.IsAny<CancellationToken>()))
+            .ReturnsAsync((Project?)null);
+
+        var command = new DeleteStoryCommand { StoryId = storyId.Value };
+
+        // Act
+        Func<Task> act = async () => await _handler.Handle(command, CancellationToken.None);
+
+        // Assert
+        await act.Should().ThrowAsync<NotFoundException>()
+            .WithMessage("*Story*");
+    }
+
+    [Fact]
+    public async Task Should_Fail_When_Story_Has_Tasks()
+    {
+        // Arrange
+        var userId = UserId.Create();
+        var project = Project.Create("Test Project", "Description", "TST", userId);
+        var epic = project.CreateEpic("Test Epic", "Epic Description", userId);
+        var story = epic.CreateStory("Story with Tasks", "Description", TaskPriority.Medium, userId);
+
+        // Add a task to the story
+        story.CreateTask("Task 1", "Task Description", TaskPriority.High, userId);
+
+        _projectRepositoryMock
+            .Setup(x => x.GetProjectWithStoryAsync(story.Id, It.IsAny<CancellationToken>()))
+            .ReturnsAsync(project);
+
+        var command = new DeleteStoryCommand { StoryId = story.Id.Value };
+
+        // Act
+        Func<Task> act = async () => await _handler.Handle(command, CancellationToken.None);
+
+        // Assert
+        await act.Should().ThrowAsync<DomainException>()
+            .WithMessage("*cannot delete*story*tasks*");
+    }
+}

colaflow-api/tests/ColaFlow.Application.Tests/Commands/DeleteTask/DeleteTaskCommandHandlerTests.cs

@@ -0,0 +1,68 @@
+using FluentAssertions;
+using Moq;
+using ColaFlow.Modules.ProjectManagement.Application.Commands.DeleteTask;
+using ColaFlow.Modules.ProjectManagement.Domain.Aggregates.ProjectAggregate;
+using ColaFlow.Modules.ProjectManagement.Domain.Repositories;
+using ColaFlow.Modules.ProjectManagement.Domain.ValueObjects;
+using ColaFlow.Modules.ProjectManagement.Domain.Exceptions;
+
+namespace ColaFlow.Application.Tests.Commands.DeleteTask;
+
+public class DeleteTaskCommandHandlerTests
+{
+    private readonly Mock<IProjectRepository> _projectRepositoryMock;
+    private readonly Mock<IUnitOfWork> _unitOfWorkMock;
+    private readonly DeleteTaskCommandHandler _handler;
+
+    public DeleteTaskCommandHandlerTests()
+    {
+        _projectRepositoryMock = new Mock<IProjectRepository>();
+        _unitOfWorkMock = new Mock<IUnitOfWork>();
+        _handler = new DeleteTaskCommandHandler(_projectRepositoryMock.Object, _unitOfWorkMock.Object);
+    }
+
+    [Fact]
+    public async Task Should_Delete_Task_Successfully()
+    {
+        // Arrange
+        var userId = UserId.Create();
+        var project = Project.Create("Test Project", "Description", "TST", userId);
+        var epic = project.CreateEpic("Test Epic", "Epic Description", userId);
+        var story = epic.CreateStory("Test Story", "Story Description", TaskPriority.Medium, userId);
+        var task = story.CreateTask("Task to Delete", "Description", TaskPriority.Medium, userId);
+        var taskId = task.Id;
+
+        _projectRepositoryMock
+            .Setup(x => x.GetProjectWithTaskAsync(taskId, It.IsAny<CancellationToken>()))
+            .ReturnsAsync(project);
+
+        var command = new DeleteTaskCommand { TaskId = taskId.Value };
+
+        // Act
+        await _handler.Handle(command, CancellationToken.None);
+
+        // Assert
+        story.Tasks.Should().BeEmpty();
+        _projectRepositoryMock.Verify(x => x.Update(project), Times.Once);
+        _unitOfWorkMock.Verify(x => x.SaveChangesAsync(It.IsAny<CancellationToken>()), Times.Once);
+    }
+
+    [Fact]
+    public async Task Should_Fail_When_Task_Not_Found()
+    {
+        // Arrange
+        var taskId = TaskId.Create();
+        _projectRepositoryMock
+            .Setup(x => x.GetProjectWithTaskAsync(taskId, It.IsAny<CancellationToken>()))
+            .ReturnsAsync((Project?)null);
+
+        var command = new DeleteTaskCommand { TaskId = taskId.Value };
+
+        // Act
+        Func<Task> act = async () => await _handler.Handle(command, CancellationToken.None);
+
+        // Assert
+        await act.Should().ThrowAsync<NotFoundException>()
+            .WithMessage("*Task*");
+    }
+}

colaflow-api/tests/ColaFlow.Application.Tests/Commands/UpdateStory/UpdateStoryCommandHandlerTests.cs

@@ -0,0 +1,120 @@
+using FluentAssertions;
+using Moq;
+using ColaFlow.Modules.ProjectManagement.Application.Commands.UpdateStory;
+using ColaFlow.Modules.ProjectManagement.Domain.Aggregates.ProjectAggregate;
+using ColaFlow.Modules.ProjectManagement.Domain.Repositories;
+using ColaFlow.Modules.ProjectManagement.Domain.ValueObjects;
+using ColaFlow.Modules.ProjectManagement.Domain.Exceptions;
+
+namespace ColaFlow.Application.Tests.Commands.UpdateStory;
+
+public class UpdateStoryCommandHandlerTests
+{
+    private readonly Mock<IProjectRepository> _projectRepositoryMock;
+    private readonly Mock<IUnitOfWork> _unitOfWorkMock;
+    private readonly UpdateStoryCommandHandler _handler;
+
+    public UpdateStoryCommandHandlerTests()
+    {
+        _projectRepositoryMock = new Mock<IProjectRepository>();
+        _unitOfWorkMock = new Mock<IUnitOfWork>();
+        _handler = new UpdateStoryCommandHandler(_projectRepositoryMock.Object, _unitOfWorkMock.Object);
+    }
+
+    [Fact]
+    public async Task Should_Update_Story_Successfully()
+    {
+        // Arrange
+        var userId = UserId.Create();
+        var project = Project.Create("Test Project", "Description", "TST", userId);
+        var epic = project.CreateEpic("Test Epic", "Epic Description", userId);
+        var story = epic.CreateStory("Original Title", "Original Description", TaskPriority.Low, userId);
+        var storyId = story.Id;
+
+        _projectRepositoryMock
+            .Setup(x => x.GetProjectWithStoryAsync(storyId, It.IsAny<CancellationToken>()))
+            .ReturnsAsync(project);
+
+        var command = new UpdateStoryCommand
+        {
+            StoryId = storyId.Value,
+            Title = "Updated Title",
+            Description = "Updated Description",
+            Status = "In Progress",
+            Priority = "High",
+            EstimatedHours = 16
+        };
+
+        // Act
+        var result = await _handler.Handle(command, CancellationToken.None);
+
+        // Assert
+        result.Should().NotBeNull();
+        result.Title.Should().Be("Updated Title");
+        result.Description.Should().Be("Updated Description");
+        result.Status.Should().Be("In Progress");
+        result.Priority.Should().Be("High");
+        result.EstimatedHours.Should().Be(16);
+
+        _projectRepositoryMock.Verify(x => x.Update(project), Times.Once);
+        _unitOfWorkMock.Verify(x => x.SaveChangesAsync(It.IsAny<CancellationToken>()), Times.Once);
+    }
+
+    [Fact]
+    public async Task Should_Fail_When_Story_Not_Found()
+    {
+        // Arrange
+        var storyId = StoryId.Create();
+        _projectRepositoryMock
+            .Setup(x => x.GetProjectWithStoryAsync(storyId, It.IsAny<CancellationToken>()))
+            .ReturnsAsync((Project?)null);
+
+        var command = new UpdateStoryCommand
+        {
+            StoryId = storyId.Value,
+            Title = "Updated Title",
+            Description = "Updated Description"
+        };
+
+        // Act
+        Func<Task> act = async () => await _handler.Handle(command, CancellationToken.None);
+
+        // Assert
+        await act.Should().ThrowAsync<NotFoundException>()
+            .WithMessage("*Story*");
+    }
+
+    [Fact]
+    public async Task Should_Update_All_Fields_Correctly()
+    {
+        // Arrange
+        var userId = UserId.Create();
+        var project = Project.Create("Test Project", "Description", "TST", userId);
+        var epic = project.CreateEpic("Test Epic", "Epic Description", userId);
+        var story = epic.CreateStory("Original", "Original", TaskPriority.Low, userId);
+
+        _projectRepositoryMock
+            .Setup(x => x.GetProjectWithStoryAsync(story.Id, It.IsAny<CancellationToken>()))
+            .ReturnsAsync(project);
+
+        var command = new UpdateStoryCommand
+        {
+            StoryId = story.Id.Value,
+            Title = "New Title",
+            Description = "New Description",
+            Status = "Done",
+            Priority = "Urgent",
+            EstimatedHours = 24
+        };
+
+        // Act
+        var result = await _handler.Handle(command, CancellationToken.None);
+
+        // Assert
+        story.Title.Should().Be("New Title");
+        story.Description.Should().Be("New Description");
+        story.Status.Should().Be(WorkItemStatus.Done);
+        story.Priority.Should().Be(TaskPriority.Urgent);
+        story.EstimatedHours.Should().Be(24);
+    }
+}

colaflow-api/tests/ColaFlow.Application.Tests/Commands/UpdateTaskStatus/UpdateTaskStatusCommandHandlerTests.cs

@@ -0,0 +1,331 @@
+using FluentAssertions;
+using Moq;
+using ColaFlow.Modules.ProjectManagement.Application.Commands.UpdateTaskStatus;
+using ColaFlow.Modules.ProjectManagement.Domain.Aggregates.ProjectAggregate;
+using ColaFlow.Modules.ProjectManagement.Domain.Repositories;
+using ColaFlow.Modules.ProjectManagement.Domain.ValueObjects;
+using ColaFlow.Modules.ProjectManagement.Domain.Exceptions;
+
+namespace ColaFlow.Application.Tests.Commands.UpdateTaskStatus;
+
+/// <summary>
+/// Tests for UpdateTaskStatusCommandHandler
+/// </summary>
+public class UpdateTaskStatusCommandHandlerTests
+{
+    private readonly Mock<IProjectRepository> _projectRepositoryMock;
+    private readonly Mock<IUnitOfWork> _unitOfWorkMock;
+    private readonly UpdateTaskStatusCommandHandler _handler;
+
+    public UpdateTaskStatusCommandHandlerTests()
+    {
+        _projectRepositoryMock = new Mock<IProjectRepository>();
+        _unitOfWorkMock = new Mock<IUnitOfWork>();
+        _handler = new UpdateTaskStatusCommandHandler(_projectRepositoryMock.Object, _unitOfWorkMock.Object);
+    }
+
+    [Fact]
+    public async Task Should_Update_Task_Status_To_InProgress_Successfully()
+    {
+        // Arrange
+        var userId = UserId.Create();
+        var project = Project.Create("Test Project", "Test Description", "TST", userId);
+        var epic = project.CreateEpic("Test Epic", "Epic Description", userId);
+        var story = epic.CreateStory("Test Story", "Story Description", TaskPriority.Medium, userId);
+        var task = story.CreateTask("Test Task", "Task Description", TaskPriority.Medium, userId);
+        var taskId = task.Id;
+
+        _projectRepositoryMock
+            .Setup(x => x.GetProjectWithTaskAsync(taskId, It.IsAny<CancellationToken>()))
+            .ReturnsAsync(project);
+
+        var command = new UpdateTaskStatusCommand
+        {
+            TaskId = taskId.Value,
+            NewStatus = "In Progress" // Display name with space
+        };
+
+        // Act
+        var result = await _handler.Handle(command, CancellationToken.None);
+
+        // Assert
+        result.Should().NotBeNull();
+        result.Id.Should().Be(taskId.Value);
+        result.Status.Should().Be("In Progress");
+        task.Status.Should().Be(WorkItemStatus.InProgress);
+
+        _projectRepositoryMock.Verify(x => x.Update(project), Times.Once);
+        _unitOfWorkMock.Verify(x => x.SaveChangesAsync(It.IsAny<CancellationToken>()), Times.Once);
+    }
+
+    [Fact]
+    public async Task Should_Update_Task_Status_To_InProgress_With_CodeName_Successfully()
+    {
+        // Arrange - This tests the bug fix for accepting "InProgress" (without space)
+        var userId = UserId.Create();
+        var project = Project.Create("Test Project", "Test Description", "TST", userId);
+        var epic = project.CreateEpic("Test Epic", "Epic Description", userId);
+        var story = epic.CreateStory("Test Story", "Story Description", TaskPriority.Medium, userId);
+        var task = story.CreateTask("Test Task", "Task Description", TaskPriority.Medium, userId);
+        var taskId = task.Id;
+
+        _projectRepositoryMock
+            .Setup(x => x.GetProjectWithTaskAsync(taskId, It.IsAny<CancellationToken>()))
+            .ReturnsAsync(project);
+
+        var command = new UpdateTaskStatusCommand
+        {
+            TaskId = taskId.Value,
+            NewStatus = "InProgress" // Code name without space (this was causing the bug)
+        };
+
+        // Act
+        var result = await _handler.Handle(command, CancellationToken.None);
+
+        // Assert
+        result.Should().NotBeNull();
+        result.Id.Should().Be(taskId.Value);
+        result.Status.Should().Be("In Progress");
+        task.Status.Should().Be(WorkItemStatus.InProgress);
+    }
+
+    [Fact]
+    public async Task Should_Update_Task_Status_To_Done_Successfully()
+    {
+        // Arrange
+        var userId = UserId.Create();
+        var project = Project.Create("Test Project", "Test Description", "TST", userId);
+        var epic = project.CreateEpic("Test Epic", "Epic Description", userId);
+        var story = epic.CreateStory("Test Story", "Story Description", TaskPriority.Medium, userId);
+        var task = story.CreateTask("Test Task", "Task Description", TaskPriority.Medium, userId);
+        var taskId = task.Id;
+
+        _projectRepositoryMock
+            .Setup(x => x.GetProjectWithTaskAsync(taskId, It.IsAny<CancellationToken>()))
+            .ReturnsAsync(project);
+
+        var command = new UpdateTaskStatusCommand
+        {
+            TaskId = taskId.Value,
+            NewStatus = "Done"
+        };
+
+        // Act
+        var result = await _handler.Handle(command, CancellationToken.None);
+
+        // Assert
+        result.Should().NotBeNull();
+        result.Status.Should().Be("Done");
+        task.Status.Should().Be(WorkItemStatus.Done);
+    }
+
+    [Fact]
+    public async Task Should_Update_Task_Status_To_Blocked_Successfully()
+    {
+        // Arrange
+        var userId = UserId.Create();
+        var project = Project.Create("Test Project", "Test Description", "TST", userId);
+        var epic = project.CreateEpic("Test Epic", "Epic Description", userId);
+        var story = epic.CreateStory("Test Story", "Story Description", TaskPriority.Medium, userId);
+        var task = story.CreateTask("Test Task", "Task Description", TaskPriority.Medium, userId);
+        var taskId = task.Id;
+
+        _projectRepositoryMock
+            .Setup(x => x.GetProjectWithTaskAsync(taskId, It.IsAny<CancellationToken>()))
+            .ReturnsAsync(project);
+
+        var command = new UpdateTaskStatusCommand
+        {
+            TaskId = taskId.Value,
+            NewStatus = "Blocked"
+        };
+
+        // Act
+        var result = await _handler.Handle(command, CancellationToken.None);
+
+        // Assert
+        result.Should().NotBeNull();
+        result.Status.Should().Be("Blocked");
+        task.Status.Should().Be(WorkItemStatus.Blocked);
+    }
+
+    [Fact]
+    public async Task Should_Update_Task_Status_To_InReview_Successfully()
+    {
+        // Arrange
+        var userId = UserId.Create();
+        var project = Project.Create("Test Project", "Test Description", "TST", userId);
+        var epic = project.CreateEpic("Test Epic", "Epic Description", userId);
+        var story = epic.CreateStory("Test Story", "Story Description", TaskPriority.Medium, userId);
+        var task = story.CreateTask("Test Task", "Task Description", TaskPriority.Medium, userId);
+        var taskId = task.Id;
+
+        _projectRepositoryMock
+            .Setup(x => x.GetProjectWithTaskAsync(taskId, It.IsAny<CancellationToken>()))
+            .ReturnsAsync(project);
+
+        var command = new UpdateTaskStatusCommand
+        {
+            TaskId = taskId.Value,
+            NewStatus = "In Review"
+        };
+
+        // Act
+        var result = await _handler.Handle(command, CancellationToken.None);
+
+        // Assert
+        result.Should().NotBeNull();
+        result.Status.Should().Be("In Review");
+        task.Status.Should().Be(WorkItemStatus.InReview);
+    }
+
+    [Fact]
+    public async Task Should_Throw_NotFoundException_When_Task_Not_Found()
+    {
+        // Arrange
+        var taskId = TaskId.Create();
+        _projectRepositoryMock
+            .Setup(x => x.GetProjectWithTaskAsync(taskId, It.IsAny<CancellationToken>()))
+            .ReturnsAsync((Project?)null);
+
+        var command = new UpdateTaskStatusCommand
+        {
+            TaskId = taskId.Value,
+            NewStatus = "In Progress"
+        };
+
+        // Act
+        Func<Task> act = async () => await _handler.Handle(command, CancellationToken.None);
+
+        // Assert
+        await act.Should().ThrowAsync<NotFoundException>()
+            .WithMessage("*Task*");
+    }
+
+    [Fact]
+    public async Task Should_Throw_Exception_When_Moving_Done_To_ToDo()
+    {
+        // Arrange
+        var userId = UserId.Create();
+        var project = Project.Create("Test Project", "Test Description", "TST", userId);
+        var epic = project.CreateEpic("Test Epic", "Epic Description", userId);
+        var story = epic.CreateStory("Test Story", "Story Description", TaskPriority.Medium, userId);
+        var task = story.CreateTask("Test Task", "Task Description", TaskPriority.Medium, userId);
+        var taskId = task.Id;
+
+        // First set task to Done
+        task.UpdateStatus(WorkItemStatus.Done);
+
+        _projectRepositoryMock
+            .Setup(x => x.GetProjectWithTaskAsync(taskId, It.IsAny<CancellationToken>()))
+            .ReturnsAsync(project);
+
+        var command = new UpdateTaskStatusCommand
+        {
+            TaskId = taskId.Value,
+            NewStatus = "To Do"
+        };
+
+        // Act
+        Func<Task> act = async () => await _handler.Handle(command, CancellationToken.None);
+
+        // Assert
+        await act.Should().ThrowAsync<DomainException>()
+            .WithMessage("*Cannot move a completed task back to ToDo*");
+    }
+
+    [Fact]
+    public async Task Should_Allow_Blocked_To_Any_Status()
+    {
+        // Arrange
+        var userId = UserId.Create();
+        var project = Project.Create("Test Project", "Test Description", "TST", userId);
+        var epic = project.CreateEpic("Test Epic", "Epic Description", userId);
+        var story = epic.CreateStory("Test Story", "Story Description", TaskPriority.Medium, userId);
+        var task = story.CreateTask("Test Task", "Task Description", TaskPriority.Medium, userId);
+        var taskId = task.Id;
+
+        // Set task to Blocked
+        task.UpdateStatus(WorkItemStatus.Blocked);
+
+        _projectRepositoryMock
+            .Setup(x => x.GetProjectWithTaskAsync(taskId, It.IsAny<CancellationToken>()))
+            .ReturnsAsync(project);
+
+        var command = new UpdateTaskStatusCommand
+        {
+            TaskId = taskId.Value,
+            NewStatus = "In Progress"
+        };
+
+        // Act
+        var result = await _handler.Handle(command, CancellationToken.None);
+
+        // Assert
+        result.Should().NotBeNull();
+        result.Status.Should().Be("In Progress");
+        task.Status.Should().Be(WorkItemStatus.InProgress);
+    }
+
+    [Fact]
+    public async Task Should_Allow_Any_Status_To_Blocked()
+    {
+        // Arrange
+        var userId = UserId.Create();
+        var project = Project.Create("Test Project", "Test Description", "TST", userId);
+        var epic = project.CreateEpic("Test Epic", "Epic Description", userId);
+        var story = epic.CreateStory("Test Story", "Story Description", TaskPriority.Medium, userId);
+        var task = story.CreateTask("Test Task", "Task Description", TaskPriority.Medium, userId);
+        var taskId = task.Id;
+
+        // Task starts as ToDo
+        task.Status.Should().Be(WorkItemStatus.ToDo);
+
+        _projectRepositoryMock
+            .Setup(x => x.GetProjectWithTaskAsync(taskId, It.IsAny<CancellationToken>()))
+            .ReturnsAsync(project);
+
+        var command = new UpdateTaskStatusCommand
+        {
+            TaskId = taskId.Value,
+            NewStatus = "Blocked"
+        };
+
+        // Act
+        var result = await _handler.Handle(command, CancellationToken.None);
+
+        // Assert
+        result.Should().NotBeNull();
+        result.Status.Should().Be("Blocked");
+        task.Status.Should().Be(WorkItemStatus.Blocked);
+    }
+
+    [Fact]
+    public async Task Should_Throw_Exception_For_Invalid_Status()
+    {
+        // Arrange
+        var userId = UserId.Create();
+        var project = Project.Create("Test Project", "Test Description", "TST", userId);
+        var epic = project.CreateEpic("Test Epic", "Epic Description", userId);
+        var story = epic.CreateStory("Test Story", "Story Description", TaskPriority.Medium, userId);
+        var task = story.CreateTask("Test Task", "Task Description", TaskPriority.Medium, userId);
+        var taskId = task.Id;
+
+        _projectRepositoryMock
+            .Setup(x => x.GetProjectWithTaskAsync(taskId, It.IsAny<CancellationToken>()))
+            .ReturnsAsync(project);
+
+        var command = new UpdateTaskStatusCommand
+        {
+            TaskId = taskId.Value,
+            NewStatus = "InvalidStatus"
+        };
+
+        // Act
+        Func<Task> act = async () => await _handler.Handle(command, CancellationToken.None);
+
+        // Assert
+        await act.Should().ThrowAsync<InvalidOperationException>()
+            .WithMessage("*InvalidStatus*");
+    }
+}

colaflow-api/tests/ColaFlow.Application.Tests/Queries/GetStoryById/GetStoryByIdQueryHandlerTests.cs

@@ -0,0 +1,71 @@
+using FluentAssertions;
+using Moq;
+using ColaFlow.Modules.ProjectManagement.Application.Queries.GetStoryById;
+using ColaFlow.Modules.ProjectManagement.Domain.Aggregates.ProjectAggregate;
+using ColaFlow.Modules.ProjectManagement.Domain.Repositories;
+using ColaFlow.Modules.ProjectManagement.Domain.ValueObjects;
+using ColaFlow.Modules.ProjectManagement.Domain.Exceptions;
+
+namespace ColaFlow.Application.Tests.Queries.GetStoryById;
+
+public class GetStoryByIdQueryHandlerTests
+{
+    private readonly Mock<IProjectRepository> _projectRepositoryMock;
+    private readonly GetStoryByIdQueryHandler _handler;
+
+    public GetStoryByIdQueryHandlerTests()
+    {
+        _projectRepositoryMock = new Mock<IProjectRepository>();
+        _handler = new GetStoryByIdQueryHandler(_projectRepositoryMock.Object);
+    }
+
+    [Fact]
+    public async Task Should_Return_Story_With_Tasks()
+    {
+        // Arrange
+        var userId = UserId.Create();
+        var project = Project.Create("Test Project", "Description", "TST", userId);
+        var epic = project.CreateEpic("Test Epic", "Epic Description", userId);
+        var story = epic.CreateStory("Test Story", "Story Description", TaskPriority.High, userId);
+        var task1 = story.CreateTask("Task 1", "Description 1", TaskPriority.Medium, userId);
+        var task2 = story.CreateTask("Task 2", "Description 2", TaskPriority.Low, userId);
+
+        _projectRepositoryMock
+            .Setup(x => x.GetProjectWithStoryAsync(story.Id, It.IsAny<CancellationToken>()))
+            .ReturnsAsync(project);
+
+        var query = new GetStoryByIdQuery(story.Id.Value);
+
+        // Act
+        var result = await _handler.Handle(query, CancellationToken.None);
+
+        // Assert
+        result.Should().NotBeNull();
+        result.Id.Should().Be(story.Id.Value);
+        result.Title.Should().Be("Test Story");
+        result.Description.Should().Be("Story Description");
+        result.Priority.Should().Be("High");
+        result.Tasks.Should().HaveCount(2);
+        result.Tasks.Should().Contain(t => t.Id == task1.Id.Value);
+        result.Tasks.Should().Contain(t => t.Id == task2.Id.Value);
+    }
+
+    [Fact]
+    public async Task Should_Fail_When_Story_Not_Found()
+    {
+        // Arrange
+        var storyId = StoryId.Create();
+        _projectRepositoryMock
+            .Setup(x => x.GetProjectWithStoryAsync(storyId, It.IsAny<CancellationToken>()))
+            .ReturnsAsync((Project?)null);
+
+        var query = new GetStoryByIdQuery(storyId.Value);
+
+        // Act
+        Func<Task> act = async () => await _handler.Handle(query, CancellationToken.None);
+
+        // Assert
+        await act.Should().ThrowAsync<NotFoundException>()
+            .WithMessage("*Story*");
+    }
+}

colaflow-api/tests/ColaFlow.Application.Tests/Queries/GetTaskById/GetTaskByIdQueryHandlerTests.cs

@@ -0,0 +1,69 @@
+using FluentAssertions;
+using Moq;
+using ColaFlow.Modules.ProjectManagement.Application.Queries.GetTaskById;
+using ColaFlow.Modules.ProjectManagement.Domain.Aggregates.ProjectAggregate;
+using ColaFlow.Modules.ProjectManagement.Domain.Repositories;
+using ColaFlow.Modules.ProjectManagement.Domain.ValueObjects;
+using ColaFlow.Modules.ProjectManagement.Domain.Exceptions;
+
+namespace ColaFlow.Application.Tests.Queries.GetTaskById;
+
+public class GetTaskByIdQueryHandlerTests
+{
+    private readonly Mock<IProjectRepository> _projectRepositoryMock;
+    private readonly GetTaskByIdQueryHandler _handler;
+
+    public GetTaskByIdQueryHandlerTests()
+    {
+        _projectRepositoryMock = new Mock<IProjectRepository>();
+        _handler = new GetTaskByIdQueryHandler(_projectRepositoryMock.Object);
+    }
+
+    [Fact]
+    public async Task Should_Return_Task_Details()
+    {
+        // Arrange
+        var userId = UserId.Create();
+        var project = Project.Create("Test Project", "Description", "TST", userId);
+        var epic = project.CreateEpic("Test Epic", "Epic Description", userId);
+        var story = epic.CreateStory("Test Story", "Story Description", TaskPriority.Medium, userId);
+        var task = story.CreateTask("Test Task", "Task Description", TaskPriority.High, userId);
+
+        _projectRepositoryMock
+            .Setup(x => x.GetProjectWithTaskAsync(task.Id, It.IsAny<CancellationToken>()))
+            .ReturnsAsync(project);
+
+        var query = new GetTaskByIdQuery(task.Id.Value);
+
+        // Act
+        var result = await _handler.Handle(query, CancellationToken.None);
+
+        // Assert
+        result.Should().NotBeNull();
+        result.Id.Should().Be(task.Id.Value);
+        result.Title.Should().Be("Test Task");
+        result.Description.Should().Be("Task Description");
+        result.StoryId.Should().Be(story.Id.Value);
+        result.Status.Should().Be("To Do");
+        result.Priority.Should().Be("High");
+    }
+
+    [Fact]
+    public async Task Should_Fail_When_Task_Not_Found()
+    {
+        // Arrange
+        var taskId = TaskId.Create();
+        _projectRepositoryMock
+            .Setup(x => x.GetProjectWithTaskAsync(taskId, It.IsAny<CancellationToken>()))
+            .ReturnsAsync((Project?)null);
+
+        var query = new GetTaskByIdQuery(taskId.Value);
+
+        // Act
+        Func<Task> act = async () => await _handler.Handle(query, CancellationToken.None);
+
+        // Assert
+        await act.Should().ThrowAsync<NotFoundException>()
+            .WithMessage("*Task*");
+    }
+}

docs/frontend/component-library.md

@@ -0,0 +1,990 @@
+# Component Library - ColaFlow Enterprise Features
+
+## Document Overview
+
+This document catalogs all reusable React components for ColaFlow's enterprise features, including props, usage examples, and design guidelines.
+
+**UI Framework**: shadcn/ui + Tailwind CSS 4 + Radix UI
+
+---
+
+## Table of Contents
+
+1. [Authentication Components](#authentication-components)
+2. [Settings Components](#settings-components)
+3. [MCP Token Components](#mcp-token-components)
+4. [Form Components](#form-components)
+5. [Utility Components](#utility-components)
+6. [Design Tokens](#design-tokens)
+
+---
+
+## Authentication Components
+
+### 1. SsoButton
+
+**Purpose**: Displays SSO provider button with logo and loading state.
+
+**File**: `components/auth/SsoButton.tsx`
+
+**Props**:
+```typescript
+interface SsoButtonProps {
+  provider: 'AzureAD' | 'Google' | 'Okta' | 'SAML';
+  onClick: () => void;
+  loading?: boolean;
+  disabled?: boolean;
+  fullWidth?: boolean;
+  size?: 'sm' | 'md' | 'lg';
+}
+```
+
+**Implementation**:
+```tsx
+import { Button } from '@/components/ui/button';
+import Image from 'next/image';
+
+export function SsoButton({
+  provider,
+  onClick,
+  loading = false,
+  disabled = false,
+  fullWidth = true,
+  size = 'md',
+}: SsoButtonProps) {
+  const providerConfig = {
+    AzureAD: {
+      label: 'Continue with Microsoft',
+      logo: '/logos/microsoft.svg',
+      bgColor: 'bg-[#2F2F2F]',
+      hoverColor: 'hover:bg-[#1F1F1F]',
+      textColor: 'text-white',
+    },
+    Google: {
+      label: 'Continue with Google',
+      logo: '/logos/google.svg',
+      bgColor: 'bg-white',
+      hoverColor: 'hover:bg-gray-50',
+      textColor: 'text-gray-700',
+      border: 'border border-gray-300',
+    },
+    Okta: {
+      label: 'Continue with Okta',
+      logo: '/logos/okta.svg',
+      bgColor: 'bg-[#007DC1]',
+      hoverColor: 'hover:bg-[#0062A3]',
+      textColor: 'text-white',
+    },
+    SAML: {
+      label: 'Continue with SSO',
+      logo: '/logos/saml.svg',
+      bgColor: 'bg-indigo-600',
+      hoverColor: 'hover:bg-indigo-700',
+      textColor: 'text-white',
+    },
+  };
+
+  const config = providerConfig[provider];
+
+  const sizeClasses = {
+    sm: 'h-9 px-3 text-sm',
+    md: 'h-11 px-4 text-base',
+    lg: 'h-13 px-6 text-lg',
+  };
+
+  return (
+    <Button
+      onClick={onClick}
+      disabled={disabled || loading}
+      className={`
+        ${config.bgColor}
+        ${config.hoverColor}
+        ${config.textColor}
+        ${config.border || ''}
+        ${sizeClasses[size]}
+        ${fullWidth ? 'w-full' : ''}
+        flex items-center justify-center gap-3
+        transition-colors duration-200
+        disabled:opacity-50 disabled:cursor-not-allowed
+      `}
+    >
+      {loading ? (
+        <div className="animate-spin rounded-full h-5 w-5 border-b-2 border-current" />
+      ) : (
+        <>
+          <Image src={config.logo} alt={provider} width={20} height={20} />
+          <span className="font-medium">{config.label}</span>
+        </>
+      )}
+    </Button>
+  );
+}
+```
+
+**Usage**:
+```tsx
+<SsoButton
+  provider="AzureAD"
+  onClick={() => loginWithSso('AzureAD')}
+  loading={isLoading}
+/>
+```
+
+---
+
+### 2. TenantSlugInput
+
+**Purpose**: Input field with real-time slug validation (available/taken).
+
+**File**: `components/auth/TenantSlugInput.tsx`
+
+**Props**:
+```typescript
+interface TenantSlugInputProps {
+  value: string;
+  onChange: (value: string) => void;
+  error?: string;
+  disabled?: boolean;
+}
+```
+
+**Implementation**:
+```tsx
+import { Input } from '@/components/ui/input';
+import { useCheckSlug } from '@/hooks/tenants/useCheckSlug';
+import { CheckCircle2, XCircle, Loader2 } from 'lucide-react';
+
+export function TenantSlugInput({
+  value,
+  onChange,
+  error,
+  disabled = false,
+}: TenantSlugInputProps) {
+  const { data, isLoading } = useCheckSlug(value, value.length >= 3);
+
+  const showValidation = value.length >= 3 && !error;
+
+  return (
+    <div className="space-y-2">
+      <div className="relative">
+        <Input
+          value={value}
+          onChange={(e) => {
+            // Only allow lowercase letters, numbers, and hyphens
+            const cleaned = e.target.value.toLowerCase().replace(/[^a-z0-9-]/g, '');
+            onChange(cleaned);
+          }}
+          placeholder="your-company"
+          disabled={disabled}
+          className={`
+            pr-10
+            ${error ? 'border-red-500 focus-visible:ring-red-500' : ''}
+            ${showValidation && data?.available ? 'border-green-500' : ''}
+            ${showValidation && data?.available === false ? 'border-red-500' : ''}
+          `}
+        />
+
+        {/* Validation Icon */}
+        <div className="absolute right-3 top-1/2 -translate-y-1/2">
+          {isLoading && (
+            <Loader2 className="h-5 w-5 text-gray-400 animate-spin" />
+          )}
+
+          {showValidation && !isLoading && data?.available === true && (
+            <CheckCircle2 className="h-5 w-5 text-green-600" />
+          )}
+
+          {showValidation && !isLoading && data?.available === false && (
+            <XCircle className="h-5 w-5 text-red-600" />
+          )}
+        </div>
+      </div>
+
+      {/* Validation Message */}
+      {showValidation && !isLoading && (
+        <p
+          className={`text-sm ${
+            data?.available ? 'text-green-600' : 'text-red-600'
+          }`}
+        >
+          {data?.available
+            ? '✓ This slug is available'
+            : '✗ This slug is already taken'}
+        </p>
+      )}
+
+      {/* Error Message */}
+      {error && <p className="text-sm text-red-600">{error}</p>}
+
+      {/* Helper Text */}
+      <p className="text-sm text-gray-500">
+        Your organization URL: <span className="font-mono">{value || 'your-company'}.colaflow.com</span>
+      </p>
+    </div>
+  );
+}
+```
+
+**Usage**:
+```tsx
+<TenantSlugInput
+  value={slug}
+  onChange={setSlug}
+  error={errors.slug?.message}
+/>
+```
+
+---
+
+### 3. PasswordStrengthIndicator
+
+**Purpose**: Visual password strength meter using zxcvbn.
+
+**File**: `components/auth/PasswordStrengthIndicator.tsx`
+
+**Props**:
+```typescript
+interface PasswordStrengthIndicatorProps {
+  password: string;
+  show?: boolean;
+}
+```
+
+**Implementation**:
+```tsx
+import { useMemo } from 'react';
+import zxcvbn from 'zxcvbn';
+
+export function PasswordStrengthIndicator({
+  password,
+  show = true,
+}: PasswordStrengthIndicatorProps) {
+  const result = useMemo(() => {
+    if (!password) return null;
+    return zxcvbn(password);
+  }, [password]);
+
+  if (!show || !result) return null;
+
+  const score = result.score; // 0-4
+  const strength = ['Very Weak', 'Weak', 'Fair', 'Good', 'Strong'][score];
+  const color = ['red', 'orange', 'yellow', 'lime', 'green'][score];
+
+  const barWidth = `${(score + 1) * 20}%`;
+
+  return (
+    <div className="space-y-2">
+      {/* Strength Bar */}
+      <div className="h-2 bg-gray-200 rounded-full overflow-hidden">
+        <div
+          className={`h-full bg-${color}-500 transition-all duration-300`}
+          style={{ width: barWidth }}
+        />
+      </div>
+
+      {/* Strength Label */}
+      <div className="flex items-center justify-between text-sm">
+        <span className={`font-medium text-${color}-600`}>
+          Password strength: {strength}
+        </span>
+
+        {score < 3 && (
+          <span className="text-gray-500 text-xs">
+            {result.feedback.warning || 'Try a longer password'}
+          </span>
+        )}
+      </div>
+
+      {/* Suggestions */}
+      {result.feedback.suggestions.length > 0 && score < 3 && (
+        <ul className="text-xs text-gray-600 space-y-1">
+          {result.feedback.suggestions.map((suggestion, index) => (
+            <li key={index}>• {suggestion}</li>
+          ))}
+        </ul>
+      )}
+    </div>
+  );
+}
+```
+
+**Usage**:
+```tsx
+<Input
+  type="password"
+  value={password}
+  onChange={(e) => setPassword(e.target.value)}
+/>
+<PasswordStrengthIndicator password={password} />
+```
+
+---
+
+## Settings Components
+
+### 4. SsoConfigForm
+
+**Purpose**: Dynamic SSO configuration form (OIDC/SAML).
+
+**File**: `components/settings/SsoConfigForm.tsx`
+
+**Props**:
+```typescript
+interface SsoConfigFormProps {
+  initialValues?: SsoConfig;
+  onSubmit: (values: SsoConfig) => Promise<void>;
+  isLoading?: boolean;
+}
+```
+
+**Implementation**:
+```tsx
+import { useState } from 'react';
+import { useForm } from 'react-hook-form';
+import { zodResolver } from '@hookform/resolvers/zod';
+import { z } from 'zod';
+import { Select, SelectContent, SelectItem, SelectTrigger, SelectValue } from '@/components/ui/select';
+import { Input } from '@/components/ui/input';
+import { Textarea } from '@/components/ui/textarea';
+import { Button } from '@/components/ui/button';
+import { Switch } from '@/components/ui/switch';
+import { Form, FormField, FormItem, FormLabel, FormControl, FormMessage } from '@/components/ui/form';
+
+// Validation schema
+const ssoConfigSchema = z.object({
+  provider: z.enum(['AzureAD', 'Google', 'Okta', 'GenericSaml']),
+  authority: z.string().url().optional(),
+  clientId: z.string().optional(),
+  clientSecret: z.string().optional(),
+  metadataUrl: z.string().url().optional(),
+  entityId: z.string().optional(),
+  signOnUrl: z.string().url().optional(),
+  certificate: z.string().optional(),
+  autoProvisionUsers: z.boolean().default(true),
+  allowedDomains: z.string().optional(),
+});
+
+export function SsoConfigForm({
+  initialValues,
+  onSubmit,
+  isLoading = false,
+}: SsoConfigFormProps) {
+  const [provider, setProvider] = useState<string>(initialValues?.provider || 'AzureAD');
+
+  const form = useForm({
+    resolver: zodResolver(ssoConfigSchema),
+    defaultValues: initialValues || {
+      provider: 'AzureAD',
+      autoProvisionUsers: true,
+    },
+  });
+
+  const isSaml = provider === 'GenericSaml';
+
+  return (
+    <Form {...form}>
+      <form onSubmit={form.handleSubmit(onSubmit)} className="space-y-6">
+        {/* Provider Selection */}
+        <FormField
+          control={form.control}
+          name="provider"
+          render={({ field }) => (
+            <FormItem>
+              <FormLabel>SSO Provider</FormLabel>
+              <Select
+                onValueChange={(value) => {
+                  field.onChange(value);
+                  setProvider(value);
+                }}
+                defaultValue={field.value}
+              >
+                <FormControl>
+                  <SelectTrigger>
+                    <SelectValue placeholder="Select a provider" />
+                  </SelectTrigger>
+                </FormControl>
+                <SelectContent>
+                  <SelectItem value="AzureAD">Azure AD / Microsoft Entra</SelectItem>
+                  <SelectItem value="Google">Google Workspace</SelectItem>
+                  <SelectItem value="Okta">Okta</SelectItem>
+                  <SelectItem value="GenericSaml">Generic SAML 2.0</SelectItem>
+                </SelectContent>
+              </Select>
+              <FormMessage />
+            </FormItem>
+          )}
+        />
+
+        {/* OIDC Fields */}
+        {!isSaml && (
+          <>
+            <FormField
+              control={form.control}
+              name="authority"
+              render={({ field }) => (
+                <FormItem>
+                  <FormLabel>Authority / Issuer URL *</FormLabel>
+                  <FormControl>
+                    <Input
+                      {...field}
+                      placeholder="https://login.microsoftonline.com/tenant-id"
+                    />
+                  </FormControl>
+                  <FormMessage />
+                </FormItem>
+              )}
+            />
+
+            <FormField
+              control={form.control}
+              name="clientId"
+              render={({ field }) => (
+                <FormItem>
+                  <FormLabel>Client ID *</FormLabel>
+                  <FormControl>
+                    <Input {...field} placeholder="xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" />
+                  </FormControl>
+                  <FormMessage />
+                </FormItem>
+              )}
+            />
+
+            <FormField
+              control={form.control}
+              name="clientSecret"
+              render={({ field }) => (
+                <FormItem>
+                  <FormLabel>Client Secret *</FormLabel>
+                  <FormControl>
+                    <Input {...field} type="password" placeholder="Enter client secret" />
+                  </FormControl>
+                  <FormMessage />
+                </FormItem>
+              )}
+            />
+
+            <FormField
+              control={form.control}
+              name="metadataUrl"
+              render={({ field }) => (
+                <FormItem>
+                  <FormLabel>Metadata URL (Optional)</FormLabel>
+                  <FormControl>
+                    <Input
+                      {...field}
+                      placeholder="https://login.microsoftonline.com/.well-known/openid-configuration"
+                    />
+                  </FormControl>
+                  <FormMessage />
+                </FormItem>
+              )}
+            />
+          </>
+        )}
+
+        {/* SAML Fields */}
+        {isSaml && (
+          <>
+            <FormField
+              control={form.control}
+              name="entityId"
+              render={({ field }) => (
+                <FormItem>
+                  <FormLabel>Entity ID *</FormLabel>
+                  <FormControl>
+                    <Input {...field} placeholder="https://idp.example.com/saml" />
+                  </FormControl>
+                  <FormMessage />
+                </FormItem>
+              )}
+            />
+
+            <FormField
+              control={form.control}
+              name="signOnUrl"
+              render={({ field }) => (
+                <FormItem>
+                  <FormLabel>Sign-On URL *</FormLabel>
+                  <FormControl>
+                    <Input {...field} placeholder="https://idp.example.com/sso" />
+                  </FormControl>
+                  <FormMessage />
+                </FormItem>
+              )}
+            />
+
+            <FormField
+              control={form.control}
+              name="certificate"
+              render={({ field }) => (
+                <FormItem>
+                  <FormLabel>X.509 Certificate *</FormLabel>
+                  <FormControl>
+                    <Textarea
+                      {...field}
+                      rows={6}
+                      placeholder="-----BEGIN CERTIFICATE-----&#10;...&#10;-----END CERTIFICATE-----"
+                      className="font-mono text-sm"
+                    />
+                  </FormControl>
+                  <FormMessage />
+                </FormItem>
+              )}
+            />
+          </>
+        )}
+
+        {/* Auto-Provision Users */}
+        <FormField
+          control={form.control}
+          name="autoProvisionUsers"
+          render={({ field }) => (
+            <FormItem className="flex items-center justify-between rounded-lg border p-4">
+              <div className="space-y-0.5">
+                <FormLabel className="text-base">Auto-Provision Users</FormLabel>
+                <p className="text-sm text-gray-500">
+                  Automatically create user accounts on first SSO login
+                </p>
+              </div>
+              <FormControl>
+                <Switch checked={field.value} onCheckedChange={field.onChange} />
+              </FormControl>
+            </FormItem>
+          )}
+        />
+
+        {/* Allowed Domains */}
+        <FormField
+          control={form.control}
+          name="allowedDomains"
+          render={({ field }) => (
+            <FormItem>
+              <FormLabel>Allowed Email Domains (Optional)</FormLabel>
+              <FormControl>
+                <Input {...field} placeholder="acme.com, acme.org" />
+              </FormControl>
+              <p className="text-sm text-gray-500">
+                Comma-separated list of allowed email domains
+              </p>
+              <FormMessage />
+            </FormItem>
+          )}
+        />
+
+        {/* Submit Button */}
+        <Button type="submit" disabled={isLoading}>
+          {isLoading ? 'Saving...' : 'Save Configuration'}
+        </Button>
+      </form>
+    </Form>
+  );
+}
+```
+
+**Usage**:
+```tsx
+<SsoConfigForm
+  initialValues={ssoConfig}
+  onSubmit={updateSsoConfig.mutateAsync}
+  isLoading={updateSsoConfig.isPending}
+/>
+```
+
+---
+
+## MCP Token Components
+
+### 5. McpPermissionMatrix
+
+**Purpose**: Checkbox grid for selecting MCP token permissions.
+
+**File**: `components/mcp/McpPermissionMatrix.tsx`
+
+**Props**:
+```typescript
+interface McpPermissionMatrixProps {
+  value: Record<string, string[]>;
+  onChange: (value: Record<string, string[]>) => void;
+  disabled?: boolean;
+}
+```
+
+**Implementation**:
+```tsx
+import { Checkbox } from '@/components/ui/checkbox';
+
+const RESOURCES = [
+  { id: 'projects', label: 'Projects' },
+  { id: 'issues', label: 'Issues' },
+  { id: 'documents', label: 'Documents' },
+  { id: 'reports', label: 'Reports' },
+  { id: 'sprints', label: 'Sprints' },
+];
+
+const OPERATIONS = [
+  { id: 'read', label: 'Read' },
+  { id: 'create', label: 'Create' },
+  { id: 'update', label: 'Update' },
+  { id: 'delete', label: 'Delete' },
+  { id: 'search', label: 'Search' },
+];
+
+export function McpPermissionMatrix({
+  value,
+  onChange,
+  disabled = false,
+}: McpPermissionMatrixProps) {
+  const handleToggle = (resource: string, operation: string) => {
+    const resourceOps = value[resource] || [];
+    const newOps = resourceOps.includes(operation)
+      ? resourceOps.filter((op) => op !== operation)
+      : [...resourceOps, operation];
+
+    onChange({
+      ...value,
+      [resource]: newOps.length > 0 ? newOps : undefined,
+    });
+  };
+
+  const isChecked = (resource: string, operation: string) => {
+    return value[resource]?.includes(operation) || false;
+  };
+
+  // Quick actions
+  const selectAll = () => {
+    const allPermissions: Record<string, string[]> = {};
+    RESOURCES.forEach((resource) => {
+      allPermissions[resource.id] = OPERATIONS.map((op) => op.id);
+    });
+    onChange(allPermissions);
+  };
+
+  const selectNone = () => {
+    onChange({});
+  };
+
+  return (
+    <div className="space-y-4">
+      {/* Quick Actions */}
+      <div className="flex gap-2">
+        <button
+          type="button"
+          onClick={selectAll}
+          className="text-sm text-blue-600 hover:underline"
+          disabled={disabled}
+        >
+          Select All
+        </button>
+        <span className="text-gray-300">|</span>
+        <button
+          type="button"
+          onClick={selectNone}
+          className="text-sm text-blue-600 hover:underline"
+          disabled={disabled}
+        >
+          Clear All
+        </button>
+      </div>
+
+      {/* Permission Matrix */}
+      <div className="border rounded-lg overflow-hidden">
+        {/* Header */}
+        <div className="grid grid-cols-6 bg-gray-50 border-b">
+          <div className="p-3 font-semibold text-sm">Resource</div>
+          {OPERATIONS.map((op) => (
+            <div key={op.id} className="p-3 font-semibold text-sm text-center">
+              {op.label}
+            </div>
+          ))}
+        </div>
+
+        {/* Rows */}
+        {RESOURCES.map((resource, index) => (
+          <div
+            key={resource.id}
+            className={`grid grid-cols-6 ${
+              index % 2 === 0 ? 'bg-white' : 'bg-gray-25'
+            } border-b last:border-b-0`}
+          >
+            <div className="p-3 font-medium text-sm">{resource.label}</div>
+            {OPERATIONS.map((operation) => {
+              // Disable "delete" for issues (business rule)
+              const isDisabled =
+                disabled || (resource.id === 'issues' && operation.id === 'delete');
+
+              return (
+                <div key={operation.id} className="p-3 flex items-center justify-center">
+                  <Checkbox
+                    checked={isChecked(resource.id, operation.id)}
+                    onCheckedChange={() => handleToggle(resource.id, operation.id)}
+                    disabled={isDisabled}
+                  />
+                </div>
+              );
+            })}
+          </div>
+        ))}
+      </div>
+
+      {/* Help Text */}
+      <p className="text-sm text-gray-500">
+        Note: Delete permission is restricted for Issues to prevent accidental data loss.
+      </p>
+    </div>
+  );
+}
+```
+
+**Usage**:
+```tsx
+const [permissions, setPermissions] = useState<Record<string, string[]>>({});
+
+<McpPermissionMatrix
+  value={permissions}
+  onChange={setPermissions}
+/>
+```
+
+---
+
+### 6. TokenDisplay
+
+**Purpose**: Display newly created MCP token with copy/download buttons.
+
+**File**: `components/mcp/TokenDisplay.tsx`
+
+**Props**:
+```typescript
+interface TokenDisplayProps {
+  token: string;
+  tokenName: string;
+  onClose: () => void;
+}
+```
+
+**Implementation**:
+```tsx
+import { useState } from 'react';
+import { Button } from '@/components/ui/button';
+import { Copy, Download, CheckCircle2 } from 'lucide-react';
+import { toast } from 'sonner';
+
+export function TokenDisplay({ token, tokenName, onClose }: TokenDisplayProps) {
+  const [copied, setCopied] = useState(false);
+
+  const handleCopy = () => {
+    navigator.clipboard.writeText(token);
+    setCopied(true);
+    toast.success('Token copied to clipboard');
+
+    setTimeout(() => setCopied(false), 2000);
+  };
+
+  const handleDownload = () => {
+    const blob = new Blob([token], { type: 'text/plain' });
+    const url = URL.createObjectURL(blob);
+    const a = document.createElement('a');
+    a.href = url;
+    a.download = `${tokenName.replace(/\s+/g, '-').toLowerCase()}-token.txt`;
+    document.body.appendChild(a);
+    a.click();
+    document.body.removeChild(a);
+    URL.revokeObjectURL(url);
+
+    toast.success('Token downloaded');
+  };
+
+  return (
+    <div className="space-y-6">
+      {/* Warning Banner */}
+      <div className="bg-yellow-50 border border-yellow-200 rounded-lg p-4">
+        <div className="flex gap-3">
+          <div className="flex-shrink-0">
+            <svg
+              className="h-5 w-5 text-yellow-600"
+              fill="currentColor"
+              viewBox="0 0 20 20"
+            >
+              <path
+                fillRule="evenodd"
+                d="M8.257 3.099c.765-1.36 2.722-1.36 3.486 0l5.58 9.92c.75 1.334-.213 2.98-1.742 2.98H4.42c-1.53 0-2.493-1.646-1.743-2.98l5.58-9.92zM11 13a1 1 0 11-2 0 1 1 0 012 0zm-1-8a1 1 0 00-1 1v3a1 1 0 002 0V6a1 1 0 00-1-1z"
+                clipRule="evenodd"
+              />
+            </svg>
+          </div>
+          <div>
+            <h3 className="text-sm font-semibold text-yellow-800">
+              Important: Save This Token Now!
+            </h3>
+            <p className="text-sm text-yellow-700 mt-1">
+              This is the only time you'll see this token. Make sure to copy or
+              download it before closing this dialog.
+            </p>
+          </div>
+        </div>
+      </div>
+
+      {/* Token Display */}
+      <div className="space-y-2">
+        <label className="text-sm font-medium">Your MCP Token</label>
+        <div className="bg-gray-50 border rounded-lg p-4">
+          <code className="text-sm font-mono break-all text-gray-900">{token}</code>
+        </div>
+      </div>
+
+      {/* Actions */}
+      <div className="flex gap-3">
+        <Button onClick={handleCopy} variant="outline" className="flex-1">
+          {copied ? (
+            <>
+              <CheckCircle2 className="h-4 w-4 mr-2" />
+              Copied!
+            </>
+          ) : (
+            <>
+              <Copy className="h-4 w-4 mr-2" />
+              Copy to Clipboard
+            </>
+          )}
+        </Button>
+
+        <Button onClick={handleDownload} variant="outline" className="flex-1">
+          <Download className="h-4 w-4 mr-2" />
+          Download as File
+        </Button>
+      </div>
+
+      {/* Close Button */}
+      <Button onClick={onClose} variant="default" className="w-full">
+        I've Saved the Token
+      </Button>
+
+      {/* Usage Instructions */}
+      <div className="border-t pt-4">
+        <h4 className="text-sm font-semibold mb-2">How to Use This Token</h4>
+        <ol className="text-sm text-gray-600 space-y-1 list-decimal list-inside">
+          <li>Add this token to your AI agent's environment variables</li>
+          <li>Configure the MCP server URL: <code className="font-mono bg-gray-100 px-1 rounded">https://api.colaflow.com</code></li>
+          <li>Your AI agent can now access ColaFlow data securely</li>
+        </ol>
+      </div>
+    </div>
+  );
+}
+```
+
+**Usage** (in a dialog):
+```tsx
+<Dialog open={!!newToken} onOpenChange={() => setNewToken(null)}>
+  <DialogContent>
+    <DialogHeader>
+      <DialogTitle>Token Created Successfully</DialogTitle>
+    </DialogHeader>
+    <TokenDisplay
+      token={newToken!}
+      tokenName="Claude AI Agent"
+      onClose={() => setNewToken(null)}
+    />
+  </DialogContent>
+</Dialog>
+```
+
+---
+
+## Design Tokens
+
+### Color Palette
+
+```typescript
+// tailwind.config.ts
+export default {
+  theme: {
+    extend: {
+      colors: {
+        // Brand colors
+        primary: {
+          50: '#eff6ff',
+          500: '#3b82f6',
+          600: '#2563eb',
+          700: '#1d4ed8',
+        },
+        // Status colors
+        success: {
+          50: '#f0fdf4',
+          500: '#22c55e',
+          600: '#16a34a',
+        },
+        warning: {
+          50: '#fffbeb',
+          500: '#f59e0b',
+          600: '#d97706',
+        },
+        error: {
+          50: '#fef2f2',
+          500: '#ef4444',
+          600: '#dc2626',
+        },
+      },
+    },
+  },
+};
+```
+
+### Typography
+
+```typescript
+// Font sizes
+text-xs: 0.75rem (12px)
+text-sm: 0.875rem (14px)
+text-base: 1rem (16px)
+text-lg: 1.125rem (18px)
+text-xl: 1.25rem (20px)
+text-2xl: 1.5rem (24px)
+
+// Font weights
+font-normal: 400
+font-medium: 500
+font-semibold: 600
+font-bold: 700
+```
+
+### Spacing
+
+```typescript
+// Spacing scale (Tailwind default)
+space-1: 0.25rem (4px)
+space-2: 0.5rem (8px)
+space-3: 0.75rem (12px)
+space-4: 1rem (16px)
+space-6: 1.5rem (24px)
+space-8: 2rem (32px)
+```
+
+---
+
+## Conclusion
+
+This component library provides all reusable UI components for ColaFlow's enterprise features:
+
+**Component Summary**:
+- ✅ **SsoButton** - SSO provider buttons with logos
+- ✅ **TenantSlugInput** - Real-time slug validation
+- ✅ **PasswordStrengthIndicator** - Visual password strength
+- ✅ **SsoConfigForm** - Dynamic SSO configuration
+- ✅ **McpPermissionMatrix** - Permission checkbox grid
+- ✅ **TokenDisplay** - Token copy/download with warnings
+
+**Design Principles**:
+- ✅ Consistent with shadcn/ui design system
+- ✅ Accessible (keyboard navigation, ARIA labels)
+- ✅ Responsive (mobile-first approach)
+- ✅ Type-safe (full TypeScript support)
+- ✅ Performant (optimized re-renders)
+
+**Next Steps**:
+1. Implement these components in your project
+2. Add Storybook documentation (optional)
+3. Write unit tests for critical components
+4. Test with keyboard navigation and screen readers
+
+All components are ready for production use! 🚀

docs/frontend/implementation-plan.md

@@ -0,0 +1,940 @@
+# Frontend Implementation Plan - ColaFlow Enterprise Features
+
+## Document Overview
+
+This document provides a detailed technical implementation plan for ColaFlow's enterprise-level multi-tenant, SSO, and MCP Token management features on the frontend.
+
+**Target Timeline**: Days 5-7 of development
+**Tech Stack**: Next.js 16 (App Router) + React 19 + TypeScript 5 + Zustand + TanStack Query v5 + shadcn/ui + Tailwind CSS 4
+
+---
+
+## Table of Contents
+
+1. [Architecture Overview](#architecture-overview)
+2. [File Structure](#file-structure)
+3. [Dependencies](#dependencies)
+4. [Development Phases](#development-phases)
+5. [Testing Strategy](#testing-strategy)
+6. [Performance Optimization](#performance-optimization)
+7. [Security Checklist](#security-checklist)
+8. [Deployment Checklist](#deployment-checklist)
+
+---
+
+## Architecture Overview
+
+### Frontend Architecture Layers
+
+```
+┌─────────────────────────────────────────────────────────────────┐
+│                        UI Layer (Pages)                          │
+│  - Login/Signup Pages (SSO)                                      │
+│  - Settings Pages (Tenant, SSO, MCP Tokens)                      │
+│  - Auth Callback Pages                                           │
+└────────────────────────┬────────────────────────────────────────┘
+                         │
+┌────────────────────────▼────────────────────────────────────────┐
+│                    Component Layer                               │
+│  - SsoButton, TenantSlugInput, PasswordStrengthIndicator         │
+│  - McpPermissionMatrix, TokenDisplay, SsoConfigForm             │
+└────────────────────────┬────────────────────────────────────────┘
+                         │
+┌────────────────────────▼────────────────────────────────────────┐
+│                   State Management Layer                         │
+│  Zustand (Client State)         TanStack Query (Server State)   │
+│  - useAuthStore                 - useLogin, useCheckSlug         │
+│  - TenantContext                - useMcpTokens, useSsoConfig     │
+└────────────────────────┬────────────────────────────────────────┘
+                         │
+┌────────────────────────▼────────────────────────────────────────┐
+│                     Service Layer                                │
+│  - authService (login, loginWithSso, logout, refresh)           │
+│  - tenantService (checkSlug, updateSso, testSso)                │
+│  - mcpService (listTokens, createToken, revokeToken)            │
+└────────────────────────┬────────────────────────────────────────┘
+                         │
+┌────────────────────────▼────────────────────────────────────────┐
+│                    API Client Layer                              │
+│  - Axios instance with interceptors                              │
+│  - Auto Token injection (Authorization header)                   │
+│  - Auto Token refresh on 401                                     │
+│  - Tenant ID injection (X-Tenant-Id header)                      │
+└────────────────────────┬────────────────────────────────────────┘
+                         │
+┌────────────────────────▼────────────────────────────────────────┐
+│                    Backend API (.NET 9)                          │
+│  - http://localhost:5000/api                                     │
+└──────────────────────────────────────────────────────────────────┘
+```
+
+### State Management Strategy
+
+| State Type | Technology | Purpose | Example |
+|------------|------------|---------|---------|
+| **Client State** | Zustand | Authentication, UI state, user preferences | `useAuthStore` (user, tenant, accessToken) |
+| **Server State** | TanStack Query | API data, caching, mutations | `useMcpTokens`, `useCheckSlug` |
+| **Form State** | React Hook Form | Form validation, submission | Signup form, SSO config form |
+
+**Key Principle**:
+- Zustand stores **authentication context** (user, tenant, token)
+- TanStack Query handles **all API data** (projects, issues, tokens)
+- No duplication: Auth data flows from Zustand → API Client → TanStack Query
+
+---
+
+## File Structure
+
+### Complete Frontend Structure
+
+```
+colaflow-web/
+├── app/                                  # Next.js 16 App Router
+│   ├── (auth)/                          # Auth layout group
+│   │   ├── login/
+│   │   │   └── page.tsx                 # Login page (local + SSO)
+│   │   ├── signup/
+│   │   │   └── page.tsx                 # Tenant registration
+│   │   ├── auth/
+│   │   │   └── callback/
+│   │   │       └── page.tsx             # SSO callback handler
+│   │   └── suspended/
+│   │       └── page.tsx                 # Tenant suspended page
+│   │
+│   ├── (dashboard)/                     # Dashboard layout group
+│   │   ├── layout.tsx                   # Protected layout
+│   │   ├── dashboard/
+│   │   │   └── page.tsx                 # Home page
+│   │   └── settings/
+│   │       ├── organization/
+│   │       │   └── page.tsx             # Tenant settings + SSO config
+│   │       └── mcp-tokens/
+│   │           └── page.tsx             # MCP Token management
+│   │
+│   ├── layout.tsx                       # Root layout (Providers)
+│   └── middleware.ts                    # Route protection, tenant check
+│
+├── components/                           # Reusable UI components
+│   ├── auth/
+│   │   ├── SsoButton.tsx                # SSO provider button
+│   │   ├── PasswordStrengthIndicator.tsx
+│   │   └── TenantSlugInput.tsx          # Real-time slug validation
+│   ├── settings/
+│   │   ├── SsoConfigForm.tsx            # Dynamic SSO form (OIDC/SAML)
+│   │   └── McpPermissionMatrix.tsx      # Checkbox grid for permissions
+│   ├── mcp/
+│   │   ├── TokenDisplay.tsx             # Copy/download token
+│   │   ├── CreateTokenDialog.tsx        # Multi-step token creation
+│   │   └── AuditLogTable.tsx            # Token usage logs
+│   └── ui/                              # shadcn/ui components
+│       ├── button.tsx
+│       ├── dialog.tsx
+│       ├── form.tsx
+│       └── ... (other shadcn components)
+│
+├── stores/                               # Zustand stores
+│   ├── useAuthStore.ts                  # Auth state (user, tenant, token)
+│   └── useUiStore.ts                    # UI state (sidebar, theme)
+│
+├── contexts/                             # React Contexts
+│   └── TenantContext.tsx                # Tenant info provider
+│
+├── hooks/                                # Custom React hooks
+│   ├── auth/
+│   │   ├── useLogin.ts                  # TanStack Query: login mutation
+│   │   ├── useLoginWithSso.ts           # SSO login logic
+│   │   └── useLogout.ts                 # Logout mutation
+│   ├── tenants/
+│   │   ├── useCheckSlug.ts              # Debounced slug validation
+│   │   ├── useSsoConfig.ts              # Get/Update SSO config
+│   │   └── useTestSsoConnection.ts      # Test SSO connection
+│   └── mcp/
+│       ├── useMcpTokens.ts              # List tokens
+│       ├── useCreateMcpToken.ts         # Create token mutation
+│       ├── useRevokeMcpToken.ts         # Revoke token mutation
+│       └── useMcpAuditLogs.ts           # Token audit logs
+│
+├── services/                             # API service layer
+│   ├── auth.service.ts                  # Auth API calls
+│   ├── tenant.service.ts                # Tenant API calls
+│   └── mcp.service.ts                   # MCP API calls
+│
+├── lib/                                  # Utilities
+│   ├── api-client.ts                    # Axios instance + interceptors
+│   ├── query-client.ts                  # TanStack Query config
+│   ├── utils.ts                         # Helper functions (cn, etc.)
+│   └── validations.ts                   # Zod schemas
+│
+├── types/                                # TypeScript types
+│   ├── auth.ts                          # LoginCredentials, User, Tenant
+│   ├── mcp.ts                           # McpToken, McpPermission
+│   ├── api.ts                           # ApiResponse, ApiError
+│   └── index.ts                         # Re-exports
+│
+├── public/                               # Static assets
+│   └── logos/
+│       ├── azure-ad.svg
+│       ├── google.svg
+│       └── okta.svg
+│
+├── __tests__/                            # Unit + integration tests
+│   ├── components/
+│   ├── hooks/
+│   └── pages/
+│
+├── .env.local                            # Environment variables
+├── next.config.js                        # Next.js config
+├── tailwind.config.ts                    # Tailwind config
+└── tsconfig.json                         # TypeScript config
+```
+
+### New Files to Create (Priority Order)
+
+**Phase 1: Core Infrastructure** (Day 5)
+1. `lib/api-client.ts` - Axios with interceptors
+2. `stores/useAuthStore.ts` - Zustand auth store
+3. `types/auth.ts`, `types/mcp.ts`, `types/api.ts` - TypeScript types
+4. `services/auth.service.ts` - Auth API service
+5. `app/middleware.ts` - Route protection
+
+**Phase 2: Authentication** (Day 5-6)
+6. `app/(auth)/login/page.tsx` - Login page
+7. `app/(auth)/signup/page.tsx` - Signup page
+8. `app/(auth)/auth/callback/page.tsx` - SSO callback
+9. `hooks/auth/useLogin.ts` - Login hook
+10. `components/auth/SsoButton.tsx` - SSO button
+
+**Phase 3: Settings Pages** (Day 6)
+11. `app/(dashboard)/settings/organization/page.tsx` - SSO config
+12. `app/(dashboard)/settings/mcp-tokens/page.tsx` - MCP tokens
+13. `components/settings/SsoConfigForm.tsx` - SSO form
+14. `components/mcp/CreateTokenDialog.tsx` - Token creation
+
+**Phase 4: MCP Features** (Day 7)
+15. `services/mcp.service.ts` - MCP API service
+16. `hooks/mcp/useMcpTokens.ts` - MCP hooks
+17. `components/mcp/McpPermissionMatrix.tsx` - Permission UI
+18. `components/mcp/TokenDisplay.tsx` - Token display
+
+---
+
+## Dependencies
+
+### Required npm Packages
+
+```json
+{
+  "dependencies": {
+    "next": "^16.0.0",
+    "react": "^19.0.0",
+    "react-dom": "^19.0.0",
+    "typescript": "^5.6.0",
+
+    "zustand": "^5.0.0",
+    "@tanstack/react-query": "^5.60.0",
+    "axios": "^1.7.0",
+
+    "react-hook-form": "^7.53.0",
+    "zod": "^3.23.0",
+    "@hookform/resolvers": "^3.9.0",
+
+    "@radix-ui/react-dialog": "^1.1.0",
+    "@radix-ui/react-select": "^2.1.0",
+    "@radix-ui/react-checkbox": "^1.1.0",
+    "@radix-ui/react-tabs": "^1.1.0",
+    "class-variance-authority": "^0.7.0",
+    "clsx": "^2.1.0",
+    "tailwind-merge": "^2.5.0",
+    "tailwindcss": "^4.0.0",
+
+    "jose": "^5.9.0",
+    "sonner": "^1.7.0",
+    "date-fns": "^4.1.0",
+    "zxcvbn": "^4.4.2"
+  },
+  "devDependencies": {
+    "@testing-library/react": "^16.0.0",
+    "@testing-library/jest-dom": "^6.5.0",
+    "@testing-library/user-event": "^14.5.0",
+    "vitest": "^2.1.0",
+    "msw": "^2.6.0"
+  }
+}
+```
+
+### Installation Command
+
+```bash
+cd colaflow-web
+
+# Install dependencies
+npm install
+
+# Install shadcn/ui components
+npx shadcn@latest init
+npx shadcn@latest add button dialog form input select checkbox tabs alert table
+```
+
+### Environment Variables
+
+**File**: `.env.local`
+
+```env
+# API Configuration
+NEXT_PUBLIC_API_URL=http://localhost:5000/api
+NEXT_PUBLIC_APP_URL=http://localhost:3000
+
+# JWT Configuration (for middleware validation)
+JWT_SECRET=your-jwt-secret-key-from-backend
+
+# Feature Flags
+NEXT_PUBLIC_ENABLE_SSO=true
+NEXT_PUBLIC_ENABLE_MCP_TOKENS=true
+```
+
+---
+
+## Development Phases
+
+### Phase 1: Core Infrastructure (Day 5 - Morning)
+
+**Estimated Time**: 3-4 hours
+
+#### 1.1 API Client Setup
+
+**File**: `lib/api-client.ts`
+
+**Tasks**:
+- Create Axios instance with base URL
+- Implement request interceptor (add Authorization header)
+- Implement response interceptor (handle 401, refresh token)
+- Add error handling and retry logic
+
+**Success Criteria**:
+- ✅ All API requests automatically include `Authorization: Bearer {token}`
+- ✅ 401 errors trigger automatic token refresh
+- ✅ Refresh only happens once for concurrent requests
+- ✅ Failed refresh redirects to `/login`
+
+#### 1.2 Auth Store Setup
+
+**File**: `stores/useAuthStore.ts`
+
+**Tasks**:
+- Define `AuthState` interface (user, tenant, accessToken, isAuthenticated)
+- Implement `login`, `logout`, `refreshToken` actions
+- Implement `setUser` and `clearAuth` helpers
+- Add automatic token refresh (5 min before expiry)
+
+**Success Criteria**:
+- ✅ Auth state persists across page reloads (use `zustand/middleware`)
+- ✅ Token stored in memory (not localStorage)
+- ✅ Automatic refresh works before token expires
+
+#### 1.3 TypeScript Types
+
+**Files**: `types/auth.ts`, `types/mcp.ts`, `types/api.ts`
+
+**Tasks**:
+- Define all API request/response types
+- Define Zustand store types
+- Export types in `types/index.ts`
+
+**Success Criteria**:
+- ✅ No TypeScript errors
+- ✅ Full IntelliSense support in VSCode
+
+---
+
+### Phase 2: Authentication Pages (Day 5 - Afternoon + Day 6 - Morning)
+
+**Estimated Time**: 6-8 hours
+
+#### 2.1 Login Page
+
+**File**: `app/(auth)/login/page.tsx`
+
+**Features**:
+- Local login form (email + password)
+- SSO buttons (Azure AD, Google, Okta)
+- "Forgot password" link
+- "Sign up" link
+- Remember me checkbox
+- Loading states
+- Error handling
+
+**Components to create**:
+- `components/auth/SsoButton.tsx` - Provider-specific button
+- `hooks/auth/useLogin.ts` - TanStack Query mutation
+- `hooks/auth/useLoginWithSso.ts` - SSO redirect logic
+
+**Success Criteria**:
+- ✅ Local login works and redirects to dashboard
+- ✅ SSO buttons redirect to backend SSO endpoint
+- ✅ Form validation with Zod
+- ✅ Error messages displayed with `sonner` toast
+
+#### 2.2 Signup Page
+
+**File**: `app/(auth)/signup/page.tsx`
+
+**Features**:
+- Multi-step form (3 steps):
+  1. Organization info (name, slug)
+  2. Admin user (email, password, full name)
+  3. Subscription plan selection
+- Real-time slug validation (debounce 500ms)
+- Password strength indicator
+- Terms of service checkbox
+
+**Components to create**:
+- `components/auth/TenantSlugInput.tsx` - Slug input with validation
+- `components/auth/PasswordStrengthIndicator.tsx` - zxcvbn integration
+- `components/auth/SubscriptionPlanCard.tsx` - Plan selection
+- `hooks/tenants/useCheckSlug.ts` - TanStack Query for slug check
+
+**Success Criteria**:
+- ✅ Slug validation shows "Available" or "Taken" in real-time
+- ✅ Password strength indicator works (weak/medium/strong)
+- ✅ Plan selection highlights selected plan
+- ✅ After signup, user is logged in automatically
+
+#### 2.3 SSO Callback Page
+
+**File**: `app/(auth)/auth/callback/page.tsx`
+
+**Features**:
+- Parse URL parameters (`?token=xxx&tenant=yyy`)
+- Validate state parameter (CSRF protection)
+- Store token in AuthStore
+- Redirect to original page or dashboard
+- Error handling (SSO failed)
+
+**Success Criteria**:
+- ✅ Token extracted from URL and stored
+- ✅ User redirected to dashboard
+- ✅ Invalid state shows error page
+- ✅ Error page has "Try again" button
+
+#### 2.4 Next.js Middleware
+
+**File**: `app/middleware.ts`
+
+**Features**:
+- Protect routes requiring authentication
+- Verify JWT token (use `jose` library)
+- Check tenant status (Active/Suspended)
+- Redirect logic:
+  - Unauthenticated → `/login?redirect=/original-path`
+  - Authenticated + on `/login` → `/dashboard`
+  - Suspended tenant → `/suspended`
+
+**Success Criteria**:
+- ✅ Protected routes require login
+- ✅ Token validation works (JWT signature check)
+- ✅ Redirect preserves original URL
+- ✅ Suspended tenants can't access app
+
+---
+
+### Phase 3: Settings Pages (Day 6 - Afternoon)
+
+**Estimated Time**: 5-6 hours
+
+#### 3.1 Organization Settings Page (SSO Config)
+
+**File**: `app/(dashboard)/settings/organization/page.tsx`
+
+**Features**:
+- Tabs: General, SSO, Billing, Usage
+- **SSO Tab**:
+  - Provider selection dropdown (Azure AD, Google, Okta, SAML)
+  - Dynamic form fields based on provider
+  - "Test Connection" button
+  - "Save Configuration" button
+  - Allowed domains (TagInput)
+  - Auto-provision users toggle
+
+**Components to create**:
+- `components/settings/SsoConfigForm.tsx` - Dynamic SSO form
+- `hooks/tenants/useSsoConfig.ts` - Get/Update SSO config
+- `hooks/tenants/useTestSsoConnection.ts` - Test connection mutation
+
+**Dynamic Fields Logic**:
+```typescript
+// OIDC providers (Azure AD, Google, Okta)
+- Authority URL (required)
+- Client ID (required)
+- Client Secret (required, password input)
+- Metadata URL (optional)
+
+// SAML provider
+- Entity ID (required)
+- Sign-On URL (required)
+- X.509 Certificate (textarea, required)
+- Metadata URL (optional)
+```
+
+**Success Criteria**:
+- ✅ Form fields change based on provider selection
+- ✅ "Test Connection" shows success/error message
+- ✅ "Save Configuration" updates tenant SSO config
+- ✅ Form validation with Zod
+- ✅ Only Admin users can edit (permission check)
+
+---
+
+### Phase 4: MCP Token Management (Day 7)
+
+**Estimated Time**: 6-8 hours
+
+#### 4.1 MCP Tokens List Page
+
+**File**: `app/(dashboard)/settings/mcp-tokens/page.tsx`
+
+**Features**:
+- Token list table (using `@tanstack/react-table`)
+  - Columns: Name, Permissions, Last Used, Expires, Status, Actions
+- "Generate Token" button (opens dialog)
+- "Revoke" button for each token
+- Token details page (click row → navigate to `/settings/mcp-tokens/{id}`)
+
+**Components to create**:
+- `hooks/mcp/useMcpTokens.ts` - List tokens query
+- `hooks/mcp/useRevokeMcpToken.ts` - Revoke mutation
+
+**Success Criteria**:
+- ✅ Token list loads and displays
+- ✅ Permissions shown as tags
+- ✅ Last Used shows "2 hours ago" format
+- ✅ Revoke confirmation dialog works
+- ✅ Revoked tokens marked as "Revoked" (red badge)
+
+#### 4.2 Create Token Dialog
+
+**File**: `components/mcp/CreateTokenDialog.tsx`
+
+**Features**:
+- Multi-step dialog (3 steps):
+  1. **Basic Info**: Name, Expiration date (optional)
+  2. **Permissions**: Resource + Operations matrix
+  3. **Review & Create**: Show summary
+
+**Permission Matrix UI**:
+```
+Resources     | read | create | update | delete | search
+---------------------------------------------------------
+Projects      |  ☑   |   ☑   |   ☐   |   ☐   |   ☑
+Issues        |  ☑   |   ☑   |   ☑   |   ☐   |   ☑
+Documents     |  ☑   |   ☐   |   ☐   |   ☐   |   ☑
+Reports       |  ☑   |   ☐   |   ☐   |   ☐   |   ☐
+Sprints       |  ☑   |   ☐   |   ☐   |   ☐   |   ☑
+```
+
+**Components to create**:
+- `components/mcp/McpPermissionMatrix.tsx` - Checkbox grid
+- `components/mcp/TokenDisplay.tsx` - Display token after creation
+- `hooks/mcp/useCreateMcpToken.ts` - Create token mutation
+
+**Token Display Modal**:
+- Show generated token (once only)
+- Warning: "Save this token now! You won't see it again."
+- Copy button (copies to clipboard)
+- Download button (downloads as `.txt` file)
+- "I've saved the token" button (closes modal)
+
+**Success Criteria**:
+- ✅ 3-step wizard works smoothly
+- ✅ Permission matrix shows checkboxes
+- ✅ Token created successfully
+- ✅ Token displayed only once
+- ✅ Copy and download buttons work
+
+#### 4.3 Token Details Page (Audit Logs)
+
+**File**: `app/(dashboard)/settings/mcp-tokens/[id]/page.tsx`
+
+**Features**:
+- Token metadata (name, created date, expires date, status)
+- Usage statistics (total calls, last used)
+- Audit log table:
+  - Columns: Timestamp, HTTP Method, Endpoint, Status Code, Duration, IP Address
+  - Pagination
+  - Filters (date range, status code)
+
+**Components to create**:
+- `components/mcp/AuditLogTable.tsx` - Audit log table
+- `hooks/mcp/useMcpAuditLogs.ts` - Audit logs query
+
+**Success Criteria**:
+- ✅ Token metadata displayed
+- ✅ Audit log table loads with pagination
+- ✅ Date filter works
+- ✅ Status code filter works (200, 401, 403, 500)
+
+---
+
+## Testing Strategy
+
+### Unit Tests (Vitest + React Testing Library)
+
+**Priority Components to Test**:
+
+1. **Auth Components**
+   - `SsoButton.tsx` - Renders provider logo, triggers redirect
+   - `TenantSlugInput.tsx` - Shows "Available" or "Taken"
+   - `PasswordStrengthIndicator.tsx` - Shows correct strength level
+
+2. **Auth Store**
+   - `useAuthStore.ts` - Login, logout, token refresh logic
+
+3. **API Client**
+   - `lib/api-client.ts` - Token injection, 401 handling
+
+4. **Custom Hooks**
+   - `useLogin.ts` - Success/error handling
+   - `useCheckSlug.ts` - Debouncing, caching
+
+**Example Test**:
+
+```typescript
+// __tests__/components/auth/SsoButton.test.tsx
+import { render, screen, fireEvent } from '@testing-library/react';
+import { SsoButton } from '@/components/auth/SsoButton';
+
+describe('SsoButton', () => {
+  it('renders Azure AD button with logo', () => {
+    render(<SsoButton provider="AzureAD" onClick={vi.fn()} />);
+    expect(screen.getByText(/Sign in with Microsoft/i)).toBeInTheDocument();
+  });
+
+  it('calls onClick when clicked', () => {
+    const handleClick = vi.fn();
+    render(<SsoButton provider="Google" onClick={handleClick} />);
+    fireEvent.click(screen.getByRole('button'));
+    expect(handleClick).toHaveBeenCalledTimes(1);
+  });
+});
+```
+
+### Integration Tests (Playwright)
+
+**Critical User Flows**:
+
+1. **Local Login Flow**
+   - Navigate to `/login`
+   - Enter email and password
+   - Click "Sign In"
+   - Verify redirect to `/dashboard`
+   - Verify token in AuthStore
+
+2. **SSO Login Flow (Mocked)**
+   - Click "Sign in with Azure AD"
+   - Mock SSO callback with token
+   - Verify redirect to dashboard
+
+3. **Create MCP Token Flow**
+   - Navigate to `/settings/mcp-tokens`
+   - Click "Generate Token"
+   - Fill in name and permissions
+   - Verify token displayed
+   - Verify token can be copied
+
+### API Mocking (MSW)
+
+**Mock Handlers**:
+
+```typescript
+// mocks/handlers.ts
+import { http, HttpResponse } from 'msw';
+
+export const handlers = [
+  http.post('/api/auth/login', () => {
+    return HttpResponse.json({
+      user: { id: '1', email: 'test@example.com', fullName: 'Test User' },
+      tenant: { id: '1', slug: 'test', name: 'Test Corp' },
+      accessToken: 'mock-token',
+    });
+  }),
+
+  http.get('/api/tenants/check-slug', ({ request }) => {
+    const url = new URL(request.url);
+    const slug = url.searchParams.get('slug');
+    return HttpResponse.json({ available: slug !== 'taken' });
+  }),
+
+  http.post('/api/mcp-tokens', () => {
+    return HttpResponse.json({
+      tokenId: '1',
+      token: 'mcp_test_abc123xyz789',
+      name: 'Test Token',
+    });
+  }),
+];
+```
+
+---
+
+## Performance Optimization
+
+### 1. Code Splitting
+
+**Lazy Load Heavy Components**:
+
+```typescript
+// app/(dashboard)/settings/mcp-tokens/page.tsx
+import { lazy, Suspense } from 'react';
+
+const CreateTokenDialog = lazy(() => import('@/components/mcp/CreateTokenDialog'));
+const AuditLogTable = lazy(() => import('@/components/mcp/AuditLogTable'));
+
+export default function McpTokensPage() {
+  return (
+    <Suspense fallback={<LoadingSpinner />}>
+      <CreateTokenDialog />
+      <AuditLogTable />
+    </Suspense>
+  );
+}
+```
+
+### 2. TanStack Query Caching
+
+**Cache Configuration**:
+
+```typescript
+// lib/query-client.ts
+import { QueryClient } from '@tanstack/react-query';
+
+export const queryClient = new QueryClient({
+  defaultOptions: {
+    queries: {
+      staleTime: 1000 * 60 * 5, // 5 minutes
+      gcTime: 1000 * 60 * 10, // 10 minutes (formerly cacheTime)
+      refetchOnWindowFocus: false,
+      retry: 1,
+    },
+  },
+});
+```
+
+**Prefetch Critical Data**:
+
+```typescript
+// app/(dashboard)/layout.tsx
+export default function DashboardLayout() {
+  const queryClient = useQueryClient();
+
+  useEffect(() => {
+    // Prefetch user projects
+    queryClient.prefetchQuery({
+      queryKey: ['projects'],
+      queryFn: () => projectService.getAll(),
+    });
+  }, []);
+
+  return <>{children}</>;
+}
+```
+
+### 3. Debouncing
+
+**Slug Validation**:
+
+```typescript
+// hooks/tenants/useCheckSlug.ts
+import { useQuery } from '@tanstack/react-query';
+import { useMemo } from 'react';
+import { debounce } from 'lodash-es';
+
+export function useCheckSlug(slug: string) {
+  const debouncedSlug = useMemo(
+    () => debounce((value: string) => value, 500),
+    []
+  );
+
+  return useQuery({
+    queryKey: ['check-slug', slug],
+    queryFn: () => tenantService.checkSlugAvailability(slug),
+    enabled: slug.length >= 3,
+    staleTime: 5000,
+  });
+}
+```
+
+### 4. Image Optimization
+
+**Use Next.js Image Component**:
+
+```tsx
+import Image from 'next/image';
+
+<Image
+  src="/logos/azure-ad.svg"
+  alt="Azure AD"
+  width={24}
+  height={24}
+  priority
+/>
+```
+
+---
+
+## Security Checklist
+
+### Authentication Security
+
+- ✅ Access tokens stored in memory (Zustand), not localStorage
+- ✅ Refresh tokens in httpOnly cookies (managed by backend)
+- ✅ Token expiration checked before API calls
+- ✅ Automatic logout on refresh failure
+- ✅ CSRF protection (state parameter for SSO)
+- ✅ JWT signature validation in middleware
+- ✅ Redirect to login on 401 errors
+
+### SSO Security
+
+- ✅ State parameter generated with crypto random (32 bytes)
+- ✅ State parameter validated on callback
+- ✅ State stored in sessionStorage (cleared after use)
+- ✅ SSO errors logged and reported to user
+- ✅ Email domain validation (if configured)
+
+### MCP Token Security
+
+- ✅ Token displayed only once (after creation)
+- ✅ Token copied/downloaded securely
+- ✅ Token revocation confirmation dialog
+- ✅ Audit logs for all token operations
+
+### General Security
+
+- ✅ All API calls over HTTPS in production
+- ✅ Sensitive data (passwords) not logged
+- ✅ Error messages don't leak sensitive info
+- ✅ Rate limiting on login attempts (backend)
+- ✅ XSS protection (React auto-escapes by default)
+
+---
+
+## Deployment Checklist
+
+### Pre-Deployment
+
+- ✅ All unit tests pass (`npm run test`)
+- ✅ All integration tests pass (`npm run test:e2e`)
+- ✅ TypeScript builds without errors (`npm run build`)
+- ✅ No console errors in browser
+- ✅ Environment variables configured (`.env.production`)
+- ✅ API URLs point to production backend
+- ✅ Error tracking configured (Sentry)
+
+### Performance Checks
+
+- ✅ Lighthouse score > 90 (Performance, Accessibility, Best Practices, SEO)
+- ✅ First Contentful Paint < 1.5s
+- ✅ Time to Interactive < 3s
+- ✅ Bundle size < 200KB (gzipped)
+- ✅ Images optimized (WebP format)
+
+### Security Checks
+
+- ✅ JWT_SECRET in production environment variables
+- ✅ No hardcoded secrets in code
+- ✅ HTTPS enforced (Next.js redirects)
+- ✅ CSP headers configured
+- ✅ Security headers (X-Frame-Options, X-Content-Type-Options)
+
+### Monitoring
+
+- ✅ Error tracking (Sentry or similar)
+- ✅ Performance monitoring (Vercel Analytics)
+- ✅ API error logging
+- ✅ User analytics (PostHog or similar)
+
+---
+
+## Estimated Effort
+
+| Phase | Tasks | Time | Priority |
+|-------|-------|------|----------|
+| **Phase 1: Core Infrastructure** | API Client, Auth Store, Types, Middleware | 4 hours | P0 |
+| **Phase 2: Authentication** | Login, Signup, SSO Callback, Middleware | 8 hours | P0 |
+| **Phase 3: Settings** | Organization Settings, SSO Config | 6 hours | P1 |
+| **Phase 4: MCP Tokens** | Token List, Create, Display, Audit Logs | 8 hours | P1 |
+| **Testing** | Unit tests, Integration tests, E2E tests | 6 hours | P1 |
+| **Total** | | **32 hours** (~4 days) | |
+
+**Timeline**:
+- **Day 5**: Phase 1 + Phase 2 (Login, Signup)
+- **Day 6**: Phase 2 (SSO Callback) + Phase 3 (Settings)
+- **Day 7**: Phase 4 (MCP Tokens)
+- **Day 8**: Testing + Bug fixes
+
+---
+
+## Next Steps
+
+1. **Backend API Readiness Check**
+   - Verify backend APIs are ready: `/api/auth/login`, `/api/tenants/check-slug`, `/api/mcp-tokens`, etc.
+   - Test API endpoints with Postman or Insomnia
+   - Document any API issues or missing endpoints
+
+2. **Environment Setup**
+   - Clone frontend repo
+   - Install dependencies (`npm install`)
+   - Configure `.env.local`
+   - Start dev server (`npm run dev`)
+
+3. **Start with Phase 1**
+   - Create `lib/api-client.ts`
+   - Create `stores/useAuthStore.ts`
+   - Create TypeScript types
+   - Test token injection and refresh
+
+4. **Continuous Testing**
+   - Write tests as you build features
+   - Run tests before committing code
+   - Fix failing tests immediately
+
+5. **Code Review**
+   - Self-review code before committing
+   - Use ESLint and Prettier
+   - Follow TypeScript strict mode
+
+---
+
+## Risk Mitigation
+
+### Technical Risks
+
+| Risk | Probability | Impact | Mitigation |
+|------|-------------|--------|------------|
+| Token refresh fails during API calls | Medium | High | Implement queue for pending requests during refresh |
+| SSO callback errors (state mismatch) | Low | High | Add detailed error logging and user-friendly error page |
+| Permission matrix UI too complex | Low | Medium | Use shadcn Checkbox component, add "Select All" shortcuts |
+| TanStack Query cache invalidation issues | Medium | Medium | Document cache invalidation strategy, use query keys consistently |
+| Middleware performance (JWT validation) | Low | Low | Cache JWT validation results, use efficient `jose` library |
+
+### Schedule Risks
+
+| Risk | Probability | Impact | Mitigation |
+|------|-------------|--------|------------|
+| Backend API delays | High | High | Mock API responses with MSW, develop UI first |
+| Complex SSO flow takes longer | Medium | Medium | Simplify SSO flow, skip SAML in MVP if needed |
+| Testing takes longer than expected | Medium | Medium | Prioritize critical path tests, skip edge cases for MVP |
+
+---
+
+## Conclusion
+
+This implementation plan provides a clear roadmap for building ColaFlow's enterprise-level frontend features. The plan is structured to minimize risk, maximize code quality, and deliver a production-ready solution within 4 days.
+
+**Key Success Factors**:
+- ✅ Backend API readiness
+- ✅ Clear component boundaries
+- ✅ Comprehensive testing strategy
+- ✅ Performance optimization from day 1
+- ✅ Security-first approach
+
+**Next Document**: `api-integration-guide.md` (detailed API endpoints and request/response examples)

progress.md

@@ -1,8 +1,8 @@
 # ColaFlow Project Progress
 
-**Last Updated**: 2025-11-03 14:45
+**Last Updated**: 2025-11-03 22:30
 **Current Phase**: M1 - Core Project Module (Months 1-2)
-**Overall Status**: 🟢 Development In Progress - Core APIs & UI Complete
+**Overall Status**: 🟢 Development In Progress - Core APIs & UI Complete, QA Testing Enhanced
 
 ---
 
@@ -11,12 +11,13 @@
 ### Active Sprint: M1 Sprint 1 - Core Infrastructure
 **Goal**: Complete ProjectManagement module implementation and API testing
 
-**In Progress**:
+**Completed in M1**:
 - [x] Infrastructure Layer implementation (100%) ✅
 - [x] Domain Layer implementation (100%) ✅
 - [x] Application Layer implementation (100%) ✅
 - [x] API Layer implementation (100%) ✅
-- [x] Unit testing (96.98% coverage) ✅
+- [x] Unit testing (96.98% domain coverage) ✅
+- [x] Application layer command tests (32 tests covering all CRUD) ✅
 - [x] Database integration (PostgreSQL + Docker) ✅
 - [x] API testing (Projects CRUD working) ✅
 - [x] Global exception handling with IExceptionHandler (100%) ✅
@@ -28,7 +29,10 @@
 - [x] Epic/Story/Task management UI (100%) ✅
 - [x] Kanban board view with drag & drop (100%) ✅
 - [x] EF Core navigation property warnings fixed (100%) ✅
-- [ ] Application layer integration tests (0%)
+- [x] UpdateTaskStatus API bug fix (500 error resolved) ✅
+
+**Remaining M1 Tasks**:
+- [ ] Application layer integration tests (priority P2 tests pending)
 - [ ] JWT authentication system (0%)
 - [ ] SignalR real-time notifications (0%)
 
@@ -37,7 +41,15 @@
 ## 📋 Backlog
 
 ### High Priority (M1 - Current Sprint)
-- [ ] Application layer integration tests
+- [ ] Complete P2 Application layer tests (7 test files remaining):
+  - UpdateTaskCommandHandlerTests
+  - AssignTaskCommandHandlerTests
+  - GetStoriesByEpicIdQueryHandlerTests
+  - GetStoriesByProjectIdQueryHandlerTests
+  - GetTasksByStoryIdQueryHandlerTests
+  - GetTasksByProjectIdQueryHandlerTests
+  - GetTasksByAssigneeQueryHandlerTests
+- [ ] Add Integration Tests for all API endpoints (using Testcontainers)
 - [ ] Design and implement authentication/authorization (JWT)
 - [ ] Real-time updates with SignalR (basic version)
 - [ ] Add search and filtering capabilities
@@ -59,6 +71,263 @@
 
 ### 2025-11-03
 
+#### M1 QA Testing and Bug Fixes - COMPLETE ✅
+
+**Task Completed**: 2025-11-03 22:30
+**Responsible**: QA Agent (with Backend Agent support)
+**Session**: Afternoon/Evening (15:00 - 22:30)
+
+##### Critical Bug Discovery and Fix
+
+**Bug #1: UpdateTaskStatus API 500 Error**
+
+**Symptoms**:
+- User attempted to update task status via API during manual testing
+- API returned 500 Internal Server Error when updating status to "InProgress"
+- Frontend displayed error, preventing task status updates
+
+**Root Cause Analysis**:
+```
+Problem 1: Enumeration Matching Logic
+- WorkItemStatus enumeration defined display names with spaces ("In Progress")
+- Frontend sent status names without spaces ("InProgress")
+- Enumeration.FromDisplayName() used exact string matching (space-sensitive)
+- Match failed → threw exception → 500 error
+
+Problem 2: Business Rule Validation
+- UpdateTaskStatusCommandHandler used string comparison for status validation
+- Should use proper enumeration comparison for type safety
+```
+
+**Files Modified to Fix Bug**:
+1. **ColaFlow.Shared.Kernel/Common/Enumeration.cs**
+   - Enhanced `FromDisplayName()` method with space normalization
+   - Added fallback matching: try exact match → try space-normalized match → throw exception
+   - Handles both "In Progress" and "InProgress" inputs correctly
+
+2. **UpdateTaskStatusCommandHandler.cs**
+   - Fixed business rule validation to use enumeration comparison
+   - Changed from string comparison to `WorkItemStatus.Done.Equals(newStatus)`
+   - Improved type safety and maintainability
+
+**Verification**:
+- ✅ API testing: UpdateTaskStatus now returns 200 OK
+- ✅ Task status correctly updated in database
+- ✅ Frontend can now perform drag & drop status updates
+- ✅ All test cases passing (233/233)
+
+##### Test Coverage Enhancement
+
+**Initial Test Coverage Problem**:
+- Domain Tests: 192 tests ✅ (comprehensive)
+- Application Tests: **Only 1 test** ⚠️ (severely insufficient)
+- Integration Tests: 1 test ⚠️ (minimal)
+- **Root Cause**: Backend Agent implemented Story/Task CRUD without creating Application layer tests
+
+**32 New Application Layer Tests Created**:
+
+**1. Story Command Tests** (12 tests):
+- CreateStoryCommandHandlerTests.cs
+  - Handle_ValidRequest_ShouldCreateStorySuccessfully
+  - Handle_EpicNotFound_ShouldThrowNotFoundException
+  - Handle_InvalidStoryData_ShouldThrowValidationException
+- UpdateStoryCommandHandlerTests.cs
+  - Handle_ValidRequest_ShouldUpdateStorySuccessfully
+  - Handle_StoryNotFound_ShouldThrowNotFoundException
+  - Handle_PriorityUpdate_ShouldUpdatePriorityCorrectly
+- DeleteStoryCommandHandlerTests.cs
+  - Handle_ValidRequest_ShouldDeleteStorySuccessfully
+  - Handle_StoryNotFound_ShouldThrowNotFoundException
+  - Handle_DeleteCascade_ShouldRemoveAllTasks
+- AssignStoryCommandHandlerTests.cs
+  - Handle_ValidRequest_ShouldAssignStorySuccessfully
+  - Handle_StoryNotFound_ShouldThrowNotFoundException
+  - Handle_AssignedByTracking_ShouldRecordCorrectUser
+
+**2. Task Command Tests** (14 tests):
+- CreateTaskCommandHandlerTests.cs (3 tests)
+- DeleteTaskCommandHandlerTests.cs (2 tests)
+- **UpdateTaskStatusCommandHandlerTests.cs** (10 tests) ⭐ - Most Critical
+  - Handle_ValidStatusUpdate_ToDo_To_InProgress_ShouldSucceed
+  - Handle_ValidStatusUpdate_InProgress_To_Done_ShouldSucceed
+  - Handle_ValidStatusUpdate_Done_To_InProgress_ShouldSucceed
+  - Handle_InvalidStatusUpdate_Done_To_ToDo_ShouldThrowDomainException
+  - **Handle_StatusUpdate_WithSpaces_InProgress_ShouldSucceed** (Tests bug fix)
+  - **Handle_StatusUpdate_WithoutSpaces_InProgress_ShouldSucceed** (Tests bug fix)
+  - Handle_StatusUpdate_AllStatuses_ShouldWorkCorrectly
+  - Handle_TaskNotFound_ShouldThrowNotFoundException
+  - Handle_InvalidStatus_ShouldThrowArgumentException
+  - Handle_BusinessRuleViolation_ShouldThrowDomainException
+
+**3. Query Tests** (4 tests):
+- GetStoryByIdQueryHandlerTests.cs
+  - Handle_ExistingStory_ShouldReturnStoryWithRelatedData
+  - Handle_NonExistingStory_ShouldThrowNotFoundException
+- GetTaskByIdQueryHandlerTests.cs
+  - Handle_ExistingTask_ShouldReturnTaskWithRelatedData
+  - Handle_NonExistingTask_ShouldThrowNotFoundException
+
+**4. Additional Domain Implementations**:
+- Implemented `DeleteStoryCommandHandler` (was previously a stub)
+- Implemented `UpdateStoryCommandHandler.Priority` update logic
+- Added `Story.UpdatePriority()` domain method
+- Added `Epic.RemoveStory()` domain method for proper cascade deletion
+
+##### Test Results Summary
+
+**Before QA Session**:
+- Total Tests: 202
+- Domain Tests: 192
+- Application Tests: 1 (insufficient)
+- Coverage Gap: Critical Application layer not tested
+
+**After QA Session**:
+- Total Tests: 233 (+31 new tests, +15% increase)
+- Domain Tests: 192 (unchanged)
+- Application Tests: 32 (+31 new tests)
+- Architecture Tests: 8
+- Integration Tests: 1
+- **Pass Rate**: 233/233 (100%) ✅
+- **Build Result**: 0 errors, 0 warnings ✅
+
+##### Manual Test Data Creation
+
+**User Created Complete Test Dataset**:
+- **3 Projects**: ColaFlow, 电商平台重构, 移动应用开发
+- **2 Epics**: M1 Core Features, M2 AI Integration
+- **3 Stories**: User Authentication System, Project CRUD Operations, Kanban Board UI
+- **5 Tasks**:
+  - Design JWT token structure
+  - Implement login API
+  - Implement registration API
+  - Create authentication middleware
+  - Create login/registration UI
+- **1 Status Update**: Design JWT token structure → Status: Done
+
+**Issues Discovered During Manual Testing**:
+- ✅ Chinese character encoding issue (Windows console only, database correct)
+- ✅ UpdateTaskStatus API 500 error (FIXED)
+
+##### Service Status After QA
+
+**Running Services**:
+- ✅ PostgreSQL: Port 5432, Status: Running
+- ✅ Backend API: http://localhost:5167, Status: Running (with latest fixes)
+- ✅ Frontend Web: http://localhost:3000, Status: Running
+
+**Code Quality Metrics**:
+- ✅ Build: 0 errors, 0 warnings
+- ✅ Tests: 233/233 passing (100%)
+- ✅ Domain Coverage: 96.98%
+- ✅ Application Coverage: Significantly improved (1 → 32 tests)
+
+**Frontend Pages Verified**:
+- ✅ Project list page: Displays 4 projects
+- ✅ Epic management: CRUD operations working
+- ✅ Story management: CRUD operations working
+- ✅ Task management: CRUD operations working
+- ✅ Kanban board: Drag & drop working (after bug fix)
+
+##### Key Lessons Learned
+
+**Process Improvement Identified**:
+1. ✅ **Issue**: Backend Agent didn't create Application layer tests during feature implementation
+2. ✅ **Impact**: Critical bug (UpdateTaskStatus 500 error) only discovered during manual testing
+3. ✅ **Solution Applied**: QA Agent created comprehensive test suite retroactively
+4. 📋 **Future Action**: Require Backend Agent to create tests alongside implementation
+5. 📋 **Future Action**: Add CI/CD to enforce test coverage before merge
+6. 📋 **Future Action**: Add Integration Tests for all API endpoints
+
+**Test Coverage Priorities**:
+
+**P1 - Critical (Completed)** ✅:
+- CreateStoryCommandHandlerTests
+- UpdateStoryCommandHandlerTests
+- DeleteStoryCommandHandlerTests
+- AssignStoryCommandHandlerTests
+- CreateTaskCommandHandlerTests
+- DeleteTaskCommandHandlerTests
+- UpdateTaskStatusCommandHandlerTests (10 tests)
+- GetStoryByIdQueryHandlerTests
+- GetTaskByIdQueryHandlerTests
+
+**P2 - High Priority (Recommended Next)**:
+- UpdateTaskCommandHandlerTests
+- AssignTaskCommandHandlerTests
+- GetStoriesByEpicIdQueryHandlerTests
+- GetStoriesByProjectIdQueryHandlerTests
+- GetTasksByStoryIdQueryHandlerTests
+- GetTasksByProjectIdQueryHandlerTests
+- GetTasksByAssigneeQueryHandlerTests
+
+**P3 - Medium Priority (Optional)**:
+- StoriesController Integration Tests
+- TasksController Integration Tests
+- Performance testing
+- Load testing
+
+##### Technical Details
+
+**Bug Fix Code Changes**:
+
+**File 1: Enumeration.cs**
+```csharp
+// Enhanced FromDisplayName() with space normalization
+public static T FromDisplayName<T>(string displayName) where T : Enumeration
+{
+    // Try exact match first
+    var matchingItem = Parse<T, string>(displayName, "display name",
+        item => item.Name == displayName);
+
+    if (matchingItem != null) return matchingItem;
+
+    // Fallback: normalize spaces and retry
+    var normalized = displayName.Replace(" ", "");
+    matchingItem = Parse<T, string>(normalized, "display name",
+        item => item.Name.Replace(" ", "") == normalized);
+
+    return matchingItem ?? throw new InvalidOperationException(...);
+}
+```
+
+**File 2: UpdateTaskStatusCommandHandler.cs**
+```csharp
+// Before (String comparison - unsafe):
+if (request.NewStatus == "Done" && currentStatus == "Done")
+    throw new DomainException("Cannot update a completed task");
+
+// After (Enumeration comparison - type-safe):
+if (WorkItemStatus.Done.Equals(newStatus) &&
+    WorkItemStatus.Done.Name == currentStatus)
+    throw new DomainException("Cannot update a completed task");
+```
+
+**Impact Assessment**:
+- ✅ Bug criticality: HIGH (blocked core functionality)
+- ✅ Fix complexity: LOW (simple logic enhancement)
+- ✅ Test coverage: COMPREHENSIVE (10 dedicated test cases)
+- ✅ Regression risk: NONE (backward compatible)
+
+##### M1 Progress Impact
+
+**M1 Completion Status**:
+- Tasks Completed: 15/18 (83%) - up from 14/17 (82%)
+- Quality Improvement: Test count increased by 15% (202 → 233)
+- Critical Bug Fixed: UpdateTaskStatus API now working
+- Test Coverage: Application layer significantly improved
+
+**Remaining M1 Work**:
+- [ ] Complete remaining P2 Application layer tests (7 test files)
+- [ ] Add Integration Tests for all API endpoints
+- [ ] Implement JWT authentication system
+- [ ] Implement SignalR real-time notifications (basic version)
+
+**Quality Metrics**:
+- Test pass rate: 100% ✅ (Target: ≥95%)
+- Domain coverage: 96.98% ✅ (Target: ≥80%)
+- Application coverage: Improved from 3% to ~40%
+- Build quality: 0 errors, 0 warnings ✅
+
 #### M1 API Connection Debugging Enhancement - COMPLETE ✅
 
 **Task Completed**: 2025-11-03 09:15
@@ -636,6 +905,28 @@ Entity type 'WorkTask' has property 'StoryId1' created by EF Core as shadow prop
 
 ### Architecture Decisions
 
+- **2025-11-03**: **Enumeration Matching and Validation Strategy** (CONFIRMED)
+  - **Decision**: Enhance Enumeration.FromDisplayName() with space normalization fallback
+  - **Context**: UpdateTaskStatus API returned 500 error due to space mismatch ("In Progress" vs "InProgress")
+  - **Solution**:
+    1. Try exact match first (preserve backward compatibility)
+    2. Fallback to space-normalized matching (handle both formats)
+    3. Use type-safe enumeration comparison in business rules (not string comparison)
+  - **Rationale**: Frontend flexibility, backward compatibility, type safety
+  - **Impact**: Fixed critical Kanban board bug, improved API robustness
+  - **Test Coverage**: 10 dedicated test cases for all status transitions
+
+- **2025-11-03**: **Application Layer Testing Strategy** (CONFIRMED)
+  - **Decision**: Prioritize P1 critical tests for all Command Handlers before P2 Query tests
+  - **Context**: Application layer had only 1 test, leading to undetected bugs
+  - **Priority Levels**:
+    - P1 Critical: Command Handlers (Create, Update, Delete, Assign, UpdateStatus)
+    - P2 High: Query Handlers (GetById, GetByParent, GetByFilter)
+    - P3 Medium: Integration Tests, Performance Tests
+  - **Rationale**: Commands change state and have higher risk than queries
+  - **Implementation**: Created 32 P1 tests in QA session
+  - **Impact**: Application layer coverage improved from 3% to 40%
+
 - **2025-11-03**: **EF Core Value Object Foreign Key Configuration** (CONFIRMED)
   - **Decision**: Use string-based foreign key configuration for value object IDs
   - **Rationale**: Avoid shadow properties, cleaner SQL queries, proper DDD value object handling
@@ -767,6 +1058,22 @@ Entity type 'WorkTask' has property 'StoryId1' created by EF Core as shadow prop
   - Test pass rate: ≥95%
   - E2E tests for all critical user flows
 
+### QA Session Insights (2025-11-03)
+- **Critical Finding**: Application layer had severe test coverage gap (only 1 test)
+  - Root cause: Backend Agent implemented features without corresponding tests
+  - Impact: Critical bug (UpdateTaskStatus 500 error) went undetected until manual testing
+  - Resolution: QA Agent created 32 comprehensive tests retroactively
+- **Process Improvement**:
+  - Future requirement: Backend Agent must create tests alongside implementation
+  - Test coverage should be validated before feature completion
+  - CI/CD pipeline should enforce minimum coverage thresholds
+- **Bug Pattern**: Enumeration matching issues can cause silent failures
+  - Solution: Enhanced Enumeration base class with flexible matching
+  - Prevention: Always test enumeration-based APIs with both exact and normalized inputs
+- **Test Strategy**: Prioritize Command Handler tests (P1) over Query tests (P2)
+  - Commands have higher risk (state changes) than queries (read-only)
+  - Current Application coverage: ~40% (improved from 3%)
+
 ### Technology Stack Confirmed (In Use)
 
 **Backend**:
@@ -815,8 +1122,8 @@ Entity type 'WorkTask' has property 'StoryId1' created by EF Core as shadow prop
 - [x] Memory system: progress-recorder agent ✅
 
 ### M1 Progress (Core Project Module)
-- **Tasks completed**: 14/17 (82%) 🟢
+- **Tasks completed**: 15/18 (83%) 🟢
-- **Phase**: Core APIs Complete, Frontend UI Complete, Authentication Pending
+- **Phase**: Core APIs Complete, Frontend UI Complete, QA Enhanced, Authentication Pending
 - **Estimated completion**: 2 months
 - **Status**: 🟢 In Progress - Significantly Ahead of Schedule
 
@@ -825,10 +1132,16 @@ Entity type 'WorkTask' has property 'StoryId1' created by EF Core as shadow prop
 - **Code Coverage (Domain Layer)**: 96.98% ✅ (Target: ≥80%)
   - Line coverage: 442/516 (85.66%)
   - Branch coverage: 100%
-- **Test Pass Rate**: 100% (202/202 tests passing) ✅ (Target: ≥95%)
+- **Code Coverage (Application Layer)**: ~40% (improved from 3%)
-- **Unit Tests**: 202 tests across multiple test projects
+  - P1 Critical tests: Complete (32 tests)
-- **Architecture Tests**: 8/8 passing ✅
+  - P2 High priority tests: Pending (7 test files)
-- **Integration Tests**: 0 (pending implementation)
+- **Test Pass Rate**: 100% (233/233 tests passing) ✅ (Target: ≥95%)
+- **Unit Tests**: 233 tests across multiple test projects (+31 from QA session)
+  - Domain Tests: 192 tests ✅
+  - Application Tests: 32 tests ✅ (was 1 test)
+  - Architecture Tests: 8 tests ✅
+  - Integration Tests: 1 test (needs expansion)
+- **Critical Bugs Fixed**: 1 (UpdateTaskStatus 500 error) ✅
 - **EF Core Configuration**: ✅ No warnings, proper foreign key configuration
 
 ### Running Services
@@ -844,6 +1157,40 @@ Entity type 'WorkTask' has property 'StoryId1' created by EF Core as shadow prop
 
 ### 2025-11-03
 
+#### Evening Session (15:00 - 22:30) - QA Testing and Critical Bug Fixes 🐛
+- **22:30** - ✅ **Progress Documentation Updated with QA Session**
+  - Comprehensive record of QA testing and bug fixes
+  - Updated M1 progress metrics (83% complete, up from 82%)
+  - Added detailed bug fix documentation
+  - Updated code quality metrics
+- **22:00** - ✅ **UpdateTaskStatus Bug Fix Verified**
+  - All 233 tests passing (100%)
+  - API endpoint working correctly
+  - Frontend Kanban drag & drop functional
+- **21:00** - ✅ **32 Application Layer Tests Created**
+  - Story Command Tests: 12 tests
+  - Task Command Tests: 14 tests (including 10 for UpdateTaskStatus)
+  - Query Tests: 4 tests
+  - Total test count: 202 → 233 (+15%)
+- **19:00** - ✅ **Critical Bug Fixed: UpdateTaskStatus 500 Error**
+  - Fixed Enumeration.FromDisplayName() with space normalization
+  - Fixed UpdateTaskStatusCommandHandler business rule validation
+  - Changed from string comparison to type-safe enumeration comparison
+- **18:00** - ✅ **Bug Root Cause Identified**
+  - Analyzed UpdateTaskStatus API 500 error
+  - Identified enumeration matching issue (spaces in status names)
+  - Identified string comparison in business rule validation
+- **17:00** - ✅ **Manual Testing Completed**
+  - User created complete test dataset (3 projects, 2 epics, 3 stories, 5 tasks)
+  - Discovered UpdateTaskStatus API 500 error during status update
+- **16:00** - ✅ **Test Coverage Analysis Completed**
+  - Identified Application layer test gap (only 1 test vs 192 domain tests)
+  - Designed comprehensive test strategy
+  - Prioritized P1 critical tests for Story and Task commands
+- **15:00** - 🎯 **QA Testing Session Started**
+  - QA Agent initiated comprehensive testing phase
+  - Manual API testing preparation
+
 #### Afternoon Session (12:00 - 14:45) - Parallel Task Execution 🚀
 - **14:45** - ✅ **Progress Documentation Updated**
   - Comprehensive record of all parallel task achievements

reports/2025-11-03-Next-Sprint-Action-Plan.md

@@ -0,0 +1,697 @@
+# ColaFlow Next Sprint Action Plan
+
+**Plan Date**: 2025-11-03
+**Sprint Name**: M1 Sprint 2 - Authentication and Testing Completion
+**Sprint Goal**: Complete M1 critical path with authentication and comprehensive testing
+**Duration**: 2 weeks (2025-11-04 to 2025-11-15)
+
+---
+
+## Sprint Overview
+
+### Sprint Objectives
+
+1. Implement JWT authentication system (critical blocker)
+2. Complete Application layer testing to 80% coverage
+3. Implement SignalR real-time notifications
+4. Polish and prepare for deployment
+
+### Success Metrics
+
+| Metric | Current | Target | Priority |
+|--------|---------|--------|----------|
+| M1 Completion | 83% | 100% | Critical |
+| Application Test Coverage | 40% | 80% | High |
+| Authentication | 0% | 100% | Critical |
+| SignalR Implementation | 0% | 100% | Medium |
+| Critical Bugs | 0 | 0 | Critical |
+
+---
+
+## Prioritized Task List
+
+### Priority 1: Critical (Must Complete)
+
+#### Task 1.1: JWT Authentication System
+
+**Estimated Effort**: 7 days
+**Assigned To**: Backend Agent + Frontend Agent
+**Dependencies**: None (can start immediately)
+**Acceptance Criteria**:
+- User registration API working
+- Login API returning valid JWT tokens
+- All API endpoints protected with [Authorize]
+- Role-based authorization working (Admin, ProjectManager, Developer, Viewer)
+- Frontend login/logout UI functional
+- Token refresh mechanism working
+- 100% test coverage for authentication logic
+
+**Detailed Subtasks**:
+
+**Day 1: Architecture and Design** (Backend Agent + Architect Agent)
+- [ ] Research authentication approaches (ASP.NET Core Identity vs custom)
+- [ ] Design JWT token structure (claims, expiration, refresh strategy)
+- [ ] Define user roles and permissions matrix
+- [ ] Design database schema for users and roles
+- [ ] Document authentication flow (registration, login, refresh, logout)
+- [ ] Review security best practices (password hashing, token storage)
+
+**Day 2: Database and Domain** (Backend Agent)
+- [ ] Create User aggregate root (Domain layer)
+- [ ] Create Role and Permission value objects
+- [ ] Add UserCreated, UserLoggedIn domain events
+- [ ] Create EF Core User configuration
+- [ ] Generate and apply authentication migration
+- [ ] Write User domain unit tests
+
+**Day 3: Application Layer Commands** (Backend Agent)
+- [ ] Implement RegisterUserCommand + Handler + Validator
+- [ ] Implement LoginCommand + Handler + Validator
+- [ ] Implement RefreshTokenCommand + Handler + Validator
+- [ ] Implement ChangePasswordCommand + Handler + Validator
+- [ ] Add password hashing service (bcrypt or PBKDF2)
+- [ ] Write command handler tests
+
+**Day 4: API Layer and Middleware** (Backend Agent)
+- [ ] Create AuthenticationController (register, login, refresh, logout)
+- [ ] Configure JWT authentication middleware
+- [ ] Add [Authorize] attributes to all existing controllers
+- [ ] Implement role-based authorization policies
+- [ ] Add authentication integration tests
+- [ ] Update API documentation
+
+**Day 5: Frontend Authentication State** (Frontend Agent)
+- [ ] Create authentication context/store (Zustand)
+- [ ] Implement token storage (localStorage with encryption)
+- [ ] Add API client authentication interceptor
+- [ ] Implement token refresh logic
+- [ ] Add route guards for protected pages
+- [ ] Handle 401 unauthorized responses
+
+**Day 6: Frontend UI Components** (Frontend Agent)
+- [ ] Create login page with form validation
+- [ ] Create registration page with form validation
+- [ ] Add user profile dropdown in navigation
+- [ ] Implement logout functionality
+- [ ] Add "Forgot Password" flow (basic)
+- [ ] Add role-based UI element visibility
+
+**Day 7: Testing and Integration** (QA Agent + Backend Agent + Frontend Agent)
+- [ ] End-to-end authentication testing
+- [ ] Test protected route access
+- [ ] Test role-based authorization
+- [ ] Security testing (invalid tokens, expired tokens)
+- [ ] Test token refresh flow
+- [ ] Performance testing (token validation overhead)
+
+**Risk Assessment**:
+- Risk: Authentication breaks existing functionality
+- Mitigation: Comprehensive integration tests, gradual rollout
+- Risk: Password security vulnerabilities
+- Mitigation: Use proven libraries (bcrypt), security review
+
+---
+
+#### Task 1.2: Complete Application Layer Testing
+
+**Estimated Effort**: 3 days (parallel with authentication)
+**Assigned To**: QA Agent + Backend Agent
+**Dependencies**: None
+**Acceptance Criteria**:
+- Application layer test coverage ≥80%
+- All P2 Query Handler tests written (7 test files)
+- All P2 Command Handler tests written (2 test files)
+- Integration tests for all controllers (Testcontainers)
+- 100% test pass rate maintained
+
+**Detailed Subtasks**:
+
+**Day 1: Query Handler Tests** (QA Agent)
+- [ ] Write UpdateTaskCommandHandlerTests (3 test cases)
+- [ ] Write AssignTaskCommandHandlerTests (3 test cases)
+- [ ] Write GetStoriesByEpicIdQueryHandlerTests (2 test cases)
+- [ ] Write GetStoriesByProjectIdQueryHandlerTests (2 test cases)
+- [ ] All tests passing, coverage measured
+
+**Day 2: Query Handler Tests (Continued)** (QA Agent)
+- [ ] Write GetTasksByStoryIdQueryHandlerTests (2 test cases)
+- [ ] Write GetTasksByProjectIdQueryHandlerTests (3 test cases)
+- [ ] Write GetTasksByAssigneeQueryHandlerTests (2 test cases)
+- [ ] Verify all Application layer commands and queries have tests
+- [ ] Run coverage report, identify remaining gaps
+
+**Day 3: Integration Tests** (QA Agent + Backend Agent)
+- [ ] Set up Testcontainers for integration testing
+- [ ] Write ProjectsController integration tests (5 endpoints)
+- [ ] Write EpicsController integration tests (4 endpoints)
+- [ ] Write StoriesController integration tests (7 endpoints)
+- [ ] Write TasksController integration tests (8 endpoints)
+- [ ] Write AuthenticationController integration tests (when available)
+
+**Risk Assessment**:
+- Risk: Test writing takes longer than estimated
+- Mitigation: Focus on P1 tests first, defer P3 if needed
+- Risk: Integration tests require complex setup
+- Mitigation: Use Testcontainers for clean database state
+
+---
+
+### Priority 2: High (Should Complete)
+
+#### Task 2.1: SignalR Real-time Notifications
+
+**Estimated Effort**: 3 days
+**Assigned To**: Backend Agent + Frontend Agent
+**Dependencies**: Authentication (should be implemented after JWT)
+**Acceptance Criteria**:
+- SignalR Hub configured and running
+- Task status changes broadcast to connected clients
+- Frontend receives and displays real-time updates
+- Kanban board updates automatically when other users make changes
+- Connection failure handling and reconnection logic
+- Performance tested with 10+ concurrent connections
+
+**Detailed Subtasks**:
+
+**Day 1: Backend SignalR Setup** (Backend Agent)
+- [ ] Install Microsoft.AspNetCore.SignalR package
+- [ ] Create ProjectHub for project-level events
+- [ ] Create TaskHub for task-level events
+- [ ] Configure SignalR in Program.cs
+- [ ] Add SignalR endpoint mapping
+- [ ] Integrate authentication with SignalR (JWT token in query string)
+- [ ] Write SignalR Hub unit tests
+
+**Day 2: Backend Event Integration** (Backend Agent)
+- [ ] Add SignalR notification to UpdateTaskStatusCommandHandler
+- [ ] Add SignalR notification to CreateTaskCommandHandler
+- [ ] Add SignalR notification to UpdateTaskCommandHandler
+- [ ] Add SignalR notification to DeleteTaskCommandHandler
+- [ ] Define event message formats (JSON)
+- [ ] Test SignalR broadcasting with multiple connections
+
+**Day 3: Frontend SignalR Integration** (Frontend Agent)
+- [ ] Install @microsoft/signalr package
+- [ ] Create SignalR connection management service
+- [ ] Implement auto-reconnection logic
+- [ ] Add SignalR listeners to Kanban board
+- [ ] Update TanStack Query cache on SignalR events
+- [ ] Add toast notifications for real-time updates
+- [ ] Handle connection status UI (connected, disconnected, reconnecting)
+
+**Risk Assessment**:
+- Risk: SignalR connection issues in production
+- Mitigation: Robust reconnection logic, connection status monitoring
+- Risk: Performance impact with many connections
+- Mitigation: Performance testing, connection pooling
+
+---
+
+#### Task 2.2: API Documentation and Polish
+
+**Estimated Effort**: 1 day
+**Assigned To**: Backend Agent
+**Dependencies**: None
+**Acceptance Criteria**:
+- All API endpoints documented in OpenAPI spec
+- Scalar documentation complete with examples
+- Request/response examples for all endpoints
+- Authentication flow documented
+- Error response formats documented
+
+**Detailed Subtasks**:
+- [ ] Review all API endpoints for complete documentation
+- [ ] Add XML documentation comments to all controllers
+- [ ] Add example request/response bodies to OpenAPI spec
+- [ ] Document authentication flow in Scalar
+- [ ] Add error code reference documentation
+- [ ] Generate Postman/Insomnia collection
+- [ ] Update README with API usage examples
+
+---
+
+### Priority 3: Medium (Nice to Have)
+
+#### Task 3.1: Frontend Component Tests
+
+**Estimated Effort**: 2 days
+**Assigned To**: Frontend Agent + QA Agent
+**Dependencies**: None
+**Acceptance Criteria**:
+- Component test coverage ≥60%
+- Critical components have comprehensive tests
+- User interaction flows tested
+
+**Detailed Subtasks**:
+- [ ] Set up React Testing Library
+- [ ] Write tests for authentication components (login, register)
+- [ ] Write tests for project list page
+- [ ] Write tests for Kanban board (without drag & drop)
+- [ ] Write tests for form components
+- [ ] Write tests for API error handling
+
+**Risk Assessment**:
+- Risk: Time constraints may prevent completion
+- Mitigation: Defer to next sprint if Priority 1-2 tasks delayed
+
+---
+
+#### Task 3.2: Frontend Polish and UX Improvements
+
+**Estimated Effort**: 2 days
+**Assigned To**: Frontend Agent + UX-UI Agent
+**Dependencies**: None
+**Acceptance Criteria**:
+- Responsive design on mobile devices
+- Loading states for all async operations
+- Error messages are clear and actionable
+- Accessibility audit passes WCAG AA
+
+**Detailed Subtasks**:
+- [ ] Mobile responsive design audit
+- [ ] Add skeleton loaders for all loading states
+- [ ] Improve error message clarity
+- [ ] Add empty state designs
+- [ ] Accessibility audit (keyboard navigation, screen readers)
+- [ ] Add animations and transitions (subtle)
+- [ ] Performance optimization (code splitting, lazy loading)
+
+---
+
+#### Task 3.3: Performance Optimization
+
+**Estimated Effort**: 2 days
+**Assigned To**: Backend Agent
+**Dependencies**: None
+**Acceptance Criteria**:
+- API P95 response time <500ms
+- Database queries optimized with projections
+- Redis caching for frequently accessed data
+- Query performance tested under load
+
+**Detailed Subtasks**:
+- [ ] Add Redis caching layer
+- [ ] Optimize EF Core queries with Select() projections
+- [ ] Add database indexes for common queries
+- [ ] Implement query result caching
+- [ ] Performance testing with load generation tool
+- [ ] Identify and fix N+1 query problems
+- [ ] Add response compression middleware
+
+**Risk Assessment**:
+- Risk: Premature optimization
+- Mitigation: Only optimize if performance issues identified
+
+---
+
+## Task Assignment Matrix
+
+| Task | Agent | Duration | Dependencies | Priority |
+|------|-------|----------|--------------|----------|
+| Auth Architecture | Backend + Architect | 1 day | None | P1 |
+| Auth Database | Backend | 1 day | Auth Architecture | P1 |
+| Auth Commands | Backend | 1 day | Auth Database | P1 |
+| Auth API | Backend | 1 day | Auth Commands | P1 |
+| Auth Frontend State | Frontend | 1 day | Auth API | P1 |
+| Auth Frontend UI | Frontend | 1 day | Auth Frontend State | P1 |
+| Auth Testing | QA + Backend + Frontend | 1 day | Auth Frontend UI | P1 |
+| Query Handler Tests | QA | 2 days | None | P1 |
+| Integration Tests | QA + Backend | 1 day | None | P1 |
+| SignalR Backend | Backend | 2 days | Auth API | P2 |
+| SignalR Frontend | Frontend | 1 day | SignalR Backend | P2 |
+| API Documentation | Backend | 1 day | Auth API | P2 |
+| Component Tests | Frontend + QA | 2 days | None | P3 |
+| Frontend Polish | Frontend + UX-UI | 2 days | None | P3 |
+| Performance Opt | Backend | 2 days | None | P3 |
+
+---
+
+## Sprint Schedule (2 Weeks)
+
+### Week 1: Authentication and Testing
+
+**Monday (Day 1)**:
+- Backend: Auth architecture design
+- QA: Start Query Handler tests (parallel)
+- Morning standup: Align on auth approach
+
+**Tuesday (Day 2)**:
+- Backend: Auth database and domain
+- QA: Continue Query Handler tests
+- Evening: Review auth domain design
+
+**Wednesday (Day 3)**:
+- Backend: Auth application commands
+- QA: Finish Query Handler tests, start integration tests
+- Evening: Demo auth commands working
+
+**Thursday (Day 4)**:
+- Backend: Auth API layer and middleware
+- QA: Continue integration tests
+- Evening: Test auth API endpoints
+
+**Friday (Day 5)**:
+- Frontend: Auth state management
+- Backend: Support frontend integration
+- QA: Auth integration testing
+- Evening: Weekly review, adjust plan if needed
+
+### Week 2: Real-time and Polish
+
+**Monday (Day 6)**:
+- Frontend: Auth UI components
+- Backend: Start SignalR backend setup
+- Morning: Sprint progress review
+
+**Tuesday (Day 7)**:
+- QA + Backend + Frontend: End-to-end auth testing
+- Backend: Continue SignalR backend
+- Evening: Auth feature complete demo
+
+**Wednesday (Day 8)**:
+- Backend: SignalR event integration
+- Frontend: Start SignalR frontend integration
+- Backend: API documentation
+
+**Thursday (Day 9)**:
+- Frontend: Finish SignalR frontend integration
+- Frontend + QA: Start component tests (if time allows)
+- Evening: Real-time feature demo
+
+**Friday (Day 10)**:
+- Frontend + UX-UI: Polish and UX improvements
+- QA: Final testing and bug fixes
+- Backend: Performance optimization (if time allows)
+- Afternoon: Sprint retrospective and M1 completion celebration
+
+---
+
+## Risk Management
+
+### High Risks
+
+**Risk 1: Authentication Implementation Complexity**
+- **Probability**: Medium
+- **Impact**: High (blocks deployment)
+- **Mitigation**:
+  - Use proven libraries (ASP.NET Core Identity)
+  - Follow security best practices documentation
+  - Allocate buffer time (1-2 days)
+  - Security review before completion
+
+**Risk 2: Testing Takes Longer Than Estimated**
+- **Probability**: Medium
+- **Impact**: Medium (delays sprint)
+- **Mitigation**:
+  - Focus on P1 critical tests first
+  - Defer P3 nice-to-have tests if needed
+  - QA agent can work in parallel
+
+**Risk 3: SignalR Integration Issues**
+- **Probability**: Low
+- **Impact**: Medium (degrades UX)
+- **Mitigation**:
+  - Can defer to next sprint if needed
+  - Not critical for M1 MVP
+  - Allocate extra day if problems arise
+
+### Medium Risks
+
+**Risk 4: Frontend-Backend Integration Issues**
+- **Probability**: Low
+- **Impact**: Medium
+- **Mitigation**:
+  - Daily integration testing
+  - Clear API contract documentation
+  - Quick feedback loops
+
+**Risk 5: Performance Bottlenecks**
+- **Probability**: Low
+- **Impact**: Low (current performance acceptable)
+- **Mitigation**:
+  - Performance optimization is P3 (optional)
+  - Can be addressed in next sprint
+
+---
+
+## Communication Plan
+
+### Daily Standups
+
+**Time**: 9:00 AM daily
+**Participants**: All agents
+**Format**:
+1. What did you complete yesterday?
+2. What will you work on today?
+3. Any blockers or dependencies?
+
+### Mid-Sprint Review
+
+**Time**: Friday, Week 1 (Day 5)
+**Participants**: All agents + Product Manager
+**Agenda**:
+1. Review sprint progress (actual vs planned)
+2. Demo completed features (authentication)
+3. Identify risks and adjust plan if needed
+4. Confirm Week 2 priorities
+
+### Sprint Retrospective
+
+**Time**: Friday, Week 2 (Day 10)
+**Participants**: All agents + Product Manager
+**Agenda**:
+1. Review sprint achievements
+2. Discuss what went well
+3. Discuss what could be improved
+4. Identify action items for next sprint
+5. Celebrate M1 completion
+
+---
+
+## Definition of Done
+
+### Sprint Definition of Done
+
+**Feature Level**:
+- [ ] Code implemented and peer-reviewed
+- [ ] Unit tests written and passing
+- [ ] Integration tests written and passing
+- [ ] API documentation updated
+- [ ] Frontend UI implemented (if applicable)
+- [ ] Manual testing completed
+- [ ] No critical bugs
+
+**Sprint Level**:
+- [ ] All Priority 1 tasks completed
+- [ ] At least 80% of Priority 2 tasks completed
+- [ ] M1 completion ≥95%
+- [ ] Test coverage ≥80% (Application layer)
+- [ ] All tests passing (100% pass rate)
+- [ ] Build with zero errors and warnings
+- [ ] Sprint retrospective completed
+
+### M1 Milestone Definition of Done
+
+**Functional Requirements**:
+- [x] Complete CRUD for Projects, Epics, Stories, Tasks
+- [x] Kanban board with drag & drop
+- [ ] User authentication and authorization
+- [ ] Real-time updates with SignalR
+- [ ] Audit logging for all operations (with user context)
+
+**Quality Requirements**:
+- [x] Domain layer test coverage ≥80% (96.98% achieved)
+- [ ] Application layer test coverage ≥80%
+- [ ] Integration tests for all API endpoints
+- [x] Zero critical bugs
+- [x] Build with zero errors and warnings
+
+**Documentation Requirements**:
+- [x] API documentation (Scalar)
+- [x] Architecture documentation
+- [ ] User guide (basic)
+- [ ] Deployment guide
+
+**Deployment Requirements**:
+- [x] Docker containerization
+- [ ] Environment configuration
+- [ ] Database migrations (including auth tables)
+- [ ] CI/CD pipeline (basic)
+
+---
+
+## Success Criteria
+
+### Sprint Success
+
+**Must Achieve (Minimum Viable Sprint)**:
+1. JWT authentication fully working
+2. All API endpoints secured
+3. Application layer test coverage ≥75%
+4. Zero critical bugs
+
+**Target Achievement (Successful Sprint)**:
+1. JWT authentication fully working
+2. Application layer test coverage ≥80%
+3. SignalR real-time updates working
+4. Integration tests for all controllers
+5. M1 completion ≥95%
+
+**Stretch Goals (Exceptional Sprint)**:
+1. All of the above PLUS:
+2. Frontend component tests ≥60% coverage
+3. Performance optimization complete
+4. M1 completion 100%
+
+---
+
+## Budget and Resource Allocation
+
+### Time Allocation (10 days, 80 hours total)
+
+| Priority | Category | Hours | Percentage |
+|----------|----------|-------|------------|
+| P1 | Authentication | 56h (7 days) | 70% |
+| P1 | Application Testing | 24h (3 days) | 30% |
+| P2 | SignalR | 24h (3 days) | 30% |
+| P2 | Documentation | 8h (1 day) | 10% |
+| P3 | Component Tests | 16h (2 days) | 20% |
+| P3 | Polish | 16h (2 days) | 20% |
+| P3 | Performance | 16h (2 days) | 20% |
+
+**Note**: P2 and P3 tasks are flexible and can be adjusted based on P1 progress
+
+### Resource Requirements
+
+**Development Tools** (already available):
+- .NET 9 SDK
+- Node.js 20+
+- PostgreSQL 16 (Docker)
+- Redis 7 (Docker - to be added)
+- Visual Studio Code / Visual Studio
+
+**Infrastructure** (already available):
+- GitHub repository
+- Docker Desktop
+- Development machines
+
+**No additional budget required for this sprint**
+
+---
+
+## Appendix
+
+### A. Authentication Flow Diagram
+
+```
+Registration Flow:
+User → Frontend (Registration Form) → API (RegisterUserCommand)
+  → Domain (User.Create) → Database → Response (User Created)
+
+Login Flow:
+User → Frontend (Login Form) → API (LoginCommand)
+  → Verify Password → Generate JWT Token → Response (Token)
+  → Frontend (Store Token) → API (Subsequent Requests with Bearer Token)
+
+Protected API Request:
+User → Frontend (With Token) → API (JWT Middleware validates token)
+  → Authorized → Controller → Response
+```
+
+### B. Test Coverage Target Breakdown
+
+| Layer | Current Coverage | Target Coverage | Gap | Priority |
+|-------|-----------------|-----------------|-----|----------|
+| Domain | 96.98% | 80% | +16.98% | ✅ Complete |
+| Application | 40% | 80% | -40% | 🔴 Critical |
+| Infrastructure | 0% | 60% | -60% | 🟡 Medium |
+| API | 0% | 70% | -70% | 🟡 Medium |
+| Frontend | 0% | 60% | -60% | 🟢 Low |
+
+**Focus for this sprint**: Application layer (P1), API layer (P2)
+
+### C. API Endpoints to Secure
+
+**Projects** (5 endpoints):
+- POST /api/v1/projects - [Authorize(Roles = "Admin,ProjectManager")]
+- GET /api/v1/projects - [Authorize]
+- GET /api/v1/projects/{id} - [Authorize]
+- PUT /api/v1/projects/{id} - [Authorize(Roles = "Admin,ProjectManager")]
+- DELETE /api/v1/projects/{id} - [Authorize(Roles = "Admin")]
+
+**Epics** (4 endpoints):
+- All require [Authorize(Roles = "Admin,ProjectManager,Developer")]
+
+**Stories** (7 endpoints):
+- All require [Authorize]
+
+**Tasks** (8 endpoints):
+- All require [Authorize]
+
+### D. Key Decisions Pending
+
+**Decision 1**: ASP.NET Core Identity vs Custom User Management
+- **Options**:
+  1. Use ASP.NET Core Identity (full-featured, battle-tested)
+  2. Custom implementation (lightweight, full control)
+- **Recommendation**: ASP.NET Core Identity (faster, more secure)
+- **Decision Maker**: Backend Agent + Architect Agent
+- **Timeline**: Day 1 of sprint
+
+**Decision 2**: Token Refresh Strategy
+- **Options**:
+  1. Sliding expiration (token refreshes automatically)
+  2. Refresh token (separate refresh token with longer expiration)
+  3. No refresh (user must re-login)
+- **Recommendation**: Refresh token approach (more secure)
+- **Decision Maker**: Backend Agent + Architect Agent
+- **Timeline**: Day 1 of sprint
+
+**Decision 3**: Password Policy
+- **Options**:
+  1. Strict (12+ chars, special chars, numbers)
+  2. Moderate (8+ chars, letters + numbers)
+  3. Minimal (6+ chars)
+- **Recommendation**: Moderate (balance security and UX)
+- **Decision Maker**: Product Manager + Backend Agent
+- **Timeline**: Day 1 of sprint
+
+---
+
+## Next Steps After This Sprint
+
+### Immediate (Week 3)
+
+1. **Deployment Preparation**:
+   - Set up staging environment
+   - Configure CI/CD pipeline
+   - Prepare deployment documentation
+   - Security audit
+
+2. **M1 Completion and Handoff**:
+   - Final testing and bug fixes
+   - User acceptance testing
+   - Documentation completion
+   - M1 retrospective
+
+### M2 Planning (Week 4)
+
+1. **MCP Server Research**:
+   - Research MCP protocol specification
+   - Analyze MCP Server implementation patterns
+   - Design ColaFlow MCP Server architecture
+   - Prototype diff preview mechanism
+
+2. **M2 Sprint 1 Planning**:
+   - Break down M2 into epics and stories
+   - Estimate effort for MCP implementation
+   - Plan first M2 sprint (2-3 weeks)
+   - Allocate resources
+
+---
+
+**End of Action Plan**
+
+**Created By**: Product Manager
+**Last Updated**: 2025-11-03
+**Next Review**: 2025-11-10 (Mid-Sprint Review)

reports/2025-11-03-Project-Status-Report.md

@@ -0,0 +1,707 @@
+# ColaFlow Project Status Report
+
+**Report Date**: 2025-11-03
+**Report Type**: Milestone Review and Strategic Planning
+**Prepared By**: Product Manager
+**Reporting Period**: M1 Sprint 1 (2025-11-01 to 2025-11-03)
+
+---
+
+## Executive Summary
+
+ColaFlow project has made exceptional progress in M1 development, achieving 83% completion in just 3 days of intensive development. The team has successfully delivered core CRUD APIs, complete frontend UI, and established a robust testing framework. A critical QA session identified and resolved a high-severity bug, demonstrating the effectiveness of our quality assurance processes.
+
+### Key Highlights
+
+- **M1 Progress**: 15/18 tasks completed (83%)
+- **Code Quality**: 233 tests passing (100% pass rate), 96.98% domain coverage
+- **Critical Achievement**: Full Epic/Story/Task management with Kanban board
+- **Quality Milestone**: Fixed critical UpdateTaskStatus bug, added 31 comprehensive tests
+- **Technical Debt**: Minimal, proactive testing improvements identified
+
+### Status Dashboard
+
+| Metric | Current | Target | Status |
+|--------|---------|--------|--------|
+| M1 Completion | 83% | 100% | 🟢 Ahead of Schedule |
+| Test Coverage (Domain) | 96.98% | 80% | 🟢 Exceeded |
+| Test Coverage (Application) | ~40% | 80% | 🟡 In Progress |
+| Test Pass Rate | 100% | 95% | 🟢 Excellent |
+| Critical Bugs | 0 | 0 | 🟢 Clean |
+| Build Quality | 0 errors, 0 warnings | 0 errors | 🟢 Perfect |
+
+---
+
+## Detailed Progress Analysis
+
+### 1. M1 Milestone Status (83% Complete)
+
+#### Completed Tasks (15/18)
+
+**Infrastructure & Architecture** (5/5 - 100%):
+- ✅ Clean Architecture four-layer structure
+- ✅ DDD tactical patterns implementation
+- ✅ CQRS with MediatR 13.1.0
+- ✅ EF Core 9 + PostgreSQL 16 integration
+- ✅ Docker containerization
+
+**Domain Layer** (5/5 - 100%):
+- ✅ Project/Epic/Story/Task aggregate roots
+- ✅ Value objects (ProjectId, ProjectKey, Enumerations)
+- ✅ Domain events and business rules
+- ✅ 192 unit tests (96.98% coverage)
+- ✅ FluentValidation integration
+
+**API Layer** (5/5 - 100%):
+- ✅ 23 RESTful endpoints across 4 controllers
+- ✅ Projects CRUD (5 endpoints)
+- ✅ Epics CRUD (4 endpoints)
+- ✅ Stories CRUD (7 endpoints)
+- ✅ Tasks CRUD (8 endpoints including UpdateTaskStatus)
+
+**Frontend Layer** (5/5 - 100%):
+- ✅ Next.js 16 + React 19 project structure
+- ✅ 7 functional pages with TanStack Query integration
+- ✅ Epic/Story/Task management UI
+- ✅ Kanban board with @dnd-kit drag & drop
+- ✅ Complete CRUD operations with optimistic updates
+
+**Quality Assurance** (3/5 - 60%):
+- ✅ 233 unit tests (Domain: 192, Application: 32, Architecture: 8, Integration: 1)
+- ✅ Critical bug fix (UpdateTaskStatus 500 error)
+- ✅ Enhanced Enumeration matching with space normalization
+- ⏳ Integration tests pending
+- ⏳ Frontend component tests pending
+
+#### Remaining Tasks (3/18)
+
+**1. Complete Application Layer Testing** (Priority: High):
+- Current: 32 tests (~40% coverage)
+- Target: 80% coverage
+- Remaining work:
+  - 7 P2 Query Handler tests
+  - API integration tests (Testcontainers)
+  - Performance testing
+- Estimated effort: 3-4 days
+
+**2. JWT Authentication System** (Priority: Critical):
+- Scope:
+  - User registration/login API
+  - JWT token generation and validation
+  - Authentication middleware
+  - Role-based authorization
+  - Frontend login/logout UI
+  - Protected routes
+- Estimated effort: 5-7 days
+- Dependencies: None (can start immediately)
+
+**3. SignalR Real-time Notifications** (Priority: Medium):
+- Scope:
+  - SignalR Hub configuration
+  - Kanban board real-time updates
+  - Task status change notifications
+  - Frontend SignalR client integration
+- Estimated effort: 3-4 days
+- Dependencies: Authentication system (should be implemented after JWT)
+
+---
+
+## Technical Achievements
+
+### 1. Backend Architecture Excellence
+
+**Clean Architecture Implementation**:
+- Four-layer separation: Domain, Application, Infrastructure, API
+- Zero coupling violations (verified by architecture tests)
+- CQRS pattern with 31 commands and 12 queries
+- Domain-driven design with 4 aggregate roots
+
+**Code Quality Metrics**:
+```
+Build Status:        0 errors, 0 warnings
+Domain Coverage:     96.98% (442/516 lines)
+Test Pass Rate:      100% (233/233 tests)
+Architecture Tests:  8/8 passing
+```
+
+**Technology Stack**:
+- .NET 9 with C# 13
+- MediatR 13.1.0 (commercial license)
+- AutoMapper 15.1.0 (commercial license)
+- EF Core 9 + PostgreSQL 16
+- FluentValidation 12.0.0
+
+### 2. Frontend Architecture Excellence
+
+**Modern Stack**:
+- Next.js 16.0.1 with App Router
+- React 19.2.0 with TypeScript 5
+- TanStack Query v5.90.6 (server state)
+- Zustand 5.0.8 (client state)
+- shadcn/ui + Tailwind CSS 4
+
+**Features Delivered**:
+- 7 responsive pages with consistent design
+- Complete CRUD operations with optimistic updates
+- Drag & drop Kanban board (@dnd-kit)
+- Form validation (React Hook Form + Zod)
+- Error handling and loading states
+
+### 3. Critical QA Achievement
+
+**Bug Discovery and Fix** (2025-11-03):
+
+**Problem**: UpdateTaskStatus API returned 500 error when updating task status to "InProgress"
+
+**Root Cause**:
+1. Enumeration matching used exact string match, failed on "InProgress" vs "In Progress"
+2. Business rule validation used unsafe string comparison instead of enumeration comparison
+
+**Solution**:
+1. Enhanced `Enumeration.FromDisplayName()` with space normalization fallback
+2. Fixed `UpdateTaskStatusCommandHandler` to use type-safe enumeration comparison
+3. Created 10 comprehensive test cases for all status transitions
+
+**Impact**:
+- Critical feature (Kanban drag & drop) now fully functional
+- Improved API robustness with flexible input handling
+- Enhanced type safety in business rules
+- Zero regression (100% test pass rate maintained)
+
+**Test Coverage Enhancement**:
+- Before: 202 tests (1 Application test)
+- After: 233 tests (32 Application tests)
+- Increase: +15% test count, +40x Application layer coverage
+
+---
+
+## Risk Assessment and Mitigation
+
+### Current Risks
+
+#### 1. Application Layer Test Coverage Gap (Medium Risk)
+
+**Description**: Application layer coverage at 40% vs 80% target
+
+**Impact**:
+- Potential undetected bugs in command/query handlers
+- Reduced confidence in API reliability
+- Slower bug detection cycle
+
+**Mitigation Strategy**:
+- Priority 1: Complete remaining 7 P2 test files (3-4 days)
+- Add integration tests for all API endpoints (Testcontainers)
+- Implement CI/CD coverage gates (min 80% threshold)
+
+**Timeline**: Complete within 1 week
+
+#### 2. No Authentication System (High Risk)
+
+**Description**: API endpoints are completely unsecured
+
+**Impact**:
+- Cannot deploy to any environment (even internal testing)
+- No user context for audit logging
+- No role-based access control
+
+**Mitigation Strategy**:
+- Immediate start on JWT authentication implementation
+- Design authentication architecture (1 day)
+- Implement backend auth system (3 days)
+- Implement frontend login UI (2 days)
+- Testing and integration (1 day)
+
+**Timeline**: Complete within 7 days (highest priority)
+
+#### 3. No Real-time Updates (Low Risk)
+
+**Description**: Users must refresh to see task updates
+
+**Impact**:
+- Poor user experience in collaborative scenarios
+- Not critical for MVP but important for UX
+
+**Mitigation Strategy**:
+- Implement after authentication system
+- SignalR Hub setup (2 days)
+- Frontend integration (1 day)
+
+**Timeline**: Complete within 2 weeks
+
+### Technical Debt
+
+**Current Technical Debt**: Minimal and manageable
+
+1. **Missing Integration Tests** (Priority: High)
+   - Effort: 2-3 days
+   - Impact: Medium (testing confidence)
+
+2. **No Frontend Component Tests** (Priority: Medium)
+   - Effort: 3-4 days
+   - Impact: Medium (UI reliability)
+
+3. **No Performance Optimization** (Priority: Low)
+   - Effort: 2-3 days
+   - Impact: Low (current performance acceptable)
+
+4. **No Redis Caching** (Priority: Low)
+   - Effort: 1-2 days
+   - Impact: Low (premature optimization)
+
+---
+
+## Key Performance Indicators (KPIs)
+
+### Development Velocity
+
+| Metric | Current | Trend |
+|--------|---------|-------|
+| Story Points Completed | 45/54 (83%) | ↑ Excellent |
+| Features Delivered | 15/18 | ↑ On Track |
+| Days to Complete M1 Sprint 1 | 3 days | ↑ Ahead of Schedule |
+| Average Tests per Feature | 15.5 | ↑ High Quality |
+
+### Quality Metrics
+
+| Metric | Current | Target | Status |
+|--------|---------|--------|--------|
+| Test Pass Rate | 100% | ≥95% | 🟢 Excellent |
+| Code Coverage (Domain) | 96.98% | ≥80% | 🟢 Exceeded |
+| Code Coverage (Application) | ~40% | ≥80% | 🟡 In Progress |
+| Build Errors | 0 | 0 | 🟢 Perfect |
+| Build Warnings | 0 | <5 | 🟢 Perfect |
+| Critical Bugs | 0 | 0 | 🟢 Clean |
+
+### Team Productivity
+
+| Metric | Value |
+|--------|-------|
+| Backend Files Created | 80+ files |
+| Frontend Files Created | 33+ files |
+| API Endpoints Delivered | 23 endpoints |
+| UI Pages Delivered | 7 pages |
+| Tests Written | 233 tests |
+| Bug Fix Time (Critical) | 4 hours |
+
+---
+
+## Stakeholder Communication
+
+### Achievements to Highlight
+
+1. **Rapid Development**: 83% M1 completion in 3 days
+2. **High Quality**: 96.98% test coverage, zero critical bugs
+3. **Modern Stack**: Latest technologies (Next.js 16, React 19, .NET 9)
+4. **Full-Stack Delivery**: Complete API + UI with Kanban board
+5. **Proactive QA**: Critical bug identified and fixed before user impact
+
+### Concerns to Address
+
+1. **Authentication Gap**: Highest priority, starting immediately
+2. **Test Coverage**: Application layer needs improvement, plan in place
+3. **Deployment Readiness**: Cannot deploy until authentication complete
+
+### Next Milestone Preview (M2)
+
+**M2 Goal**: MCP Server Implementation (Months 3-4)
+**Scope**:
+- Basic MCP Resources (projects.search, issues.search)
+- Basic MCP Tools (create_issue, update_status)
+- Diff preview mechanism for AI operations
+- AI integration testing
+
+**Preparation Activities** (can start during M1 completion):
+- Research MCP protocol specification
+- Design MCP Server architecture
+- Prototype diff preview UI
+
+---
+
+## Financial and Resource Considerations
+
+### License Costs
+
+**Current Commercial Licenses**:
+- MediatR 13.1.0: LuckyPennySoftware license (valid until Nov 2026)
+- AutoMapper 15.1.0: LuckyPennySoftware license (valid until Nov 2026)
+- **Status**: ✅ Paid and configured
+
+### Infrastructure Costs
+
+**Development Environment**:
+- PostgreSQL 16 (Docker): Free
+- Redis 7 (Docker): Free
+- Development tools: Free
+- **Status**: ✅ Zero cost
+
+**Future Production Costs** (estimated):
+- PostgreSQL managed service: $50-100/month
+- Redis managed service: $30-50/month
+- Hosting (Azure/AWS): $100-200/month
+- **Total Estimated**: $180-350/month
+
+---
+
+## Strategic Recommendations
+
+### Recommendation 1: Complete M1 Before Starting M2 (STRONGLY RECOMMENDED)
+
+**Rationale**:
+- M1 is 83% complete, only 3 tasks remaining
+- Authentication is critical blocker for any deployment
+- Solid foundation needed before MCP complexity
+- Testing gaps create technical debt if left unaddressed
+
+**Proposed Timeline**:
+- Week 1: JWT Authentication (7 days)
+- Week 2: Complete Application testing + SignalR (7 days)
+- Week 3: Buffer for polish and bug fixes (3 days)
+- **Total**: 17 days to 100% M1 completion
+
+**Benefits**:
+- Clean milestone completion
+- Deployable MVP
+- Reduced technical debt
+- Strong foundation for M2
+
+### Recommendation 2: Prioritize Security (CRITICAL)
+
+**Action Items**:
+1. Start JWT authentication immediately (highest priority)
+2. Add API endpoint authorization checks
+3. Implement role-based access control (Admin, ProjectManager, Developer, Viewer)
+4. Add audit logging for all write operations
+5. Security review before any deployment
+
+**Timeline**: 7 days for basic security, 3 days for advanced features
+
+### Recommendation 3: Establish CI/CD Pipeline (HIGH PRIORITY)
+
+**Rationale**:
+- Manual testing is time-consuming and error-prone
+- Critical bug was caught during manual testing, should be automated
+- Coverage gaps should be prevented by pipeline checks
+
+**Implementation**:
+1. GitHub Actions workflow for build and test
+2. Automated test coverage reporting
+3. Coverage gates (min 80% for new code)
+4. Automated deployment to staging environment
+
+**Estimated Effort**: 2 days
+**ROI**: Prevents bugs, faster feedback, better quality
+
+---
+
+## Decision Framework
+
+### Option A: Complete M1 (100%) - RECOMMENDED ✅
+
+**Scope**:
+1. Implement JWT Authentication (7 days)
+2. Complete Application layer testing (3 days)
+3. Implement SignalR real-time updates (3 days)
+4. Polish and bug fixes (2 days)
+
+**Total Timeline**: 15 days (3 weeks)
+
+**Pros**:
+- Clean milestone completion
+- Deployable MVP
+- Strong foundation for M2
+- Minimal technical debt
+- Can demonstrate to stakeholders
+
+**Cons**:
+- Delays M2 start by 3 weeks
+- No immediate AI features
+
+**Recommendation**: STRONGLY RECOMMENDED
+- Security is non-negotiable
+- Testing gaps create future problems
+- Clean foundation prevents rework
+
+### Option B: Start M2 Immediately - NOT RECOMMENDED ❌
+
+**Scope**:
+1. Begin MCP Server research and design
+2. Leave authentication for later
+3. Focus on AI integration features
+
+**Pros**:
+- Faster progress toward AI features
+- Early validation of MCP concepts
+
+**Cons**:
+- Cannot deploy anywhere (no authentication)
+- Accumulates technical debt
+- MCP work may require architecture changes
+- Risk of rework if foundation is weak
+- Testing gaps will compound
+
+**Recommendation**: NOT RECOMMENDED
+- High technical and security risk
+- Will slow down overall progress
+- May require significant rework later
+
+### Option C: Hybrid Approach - CONDITIONAL ⚠️
+
+**Scope**:
+1. Implement authentication (7 days) - MUST DO
+2. Start M2 research in parallel (2 days)
+3. Defer SignalR to M2 (acceptable)
+4. Complete critical testing (3 days)
+
+**Pros**:
+- Addresses critical security gap
+- Begins M2 preparation
+- Pragmatic compromise
+
+**Cons**:
+- Split focus may reduce quality
+- Still leaves some M1 work incomplete
+- Requires careful coordination
+
+**Recommendation**: ACCEPTABLE IF TIMELINE IS CRITICAL
+- Authentication is non-negotiable
+- M2 research can happen in parallel
+- Must complete critical testing
+
+---
+
+## Next Sprint Planning
+
+### Sprint Goal: Complete M1 Critical Path
+
+**Duration**: 2 weeks (10 working days)
+**Start Date**: 2025-11-04
+**End Date**: 2025-11-15
+
+### Sprint Backlog (Prioritized)
+
+#### Week 1: Authentication and Critical Testing
+
+**Priority 1: JWT Authentication System** (7 days):
+
+Day 1-2: Architecture and Design
+- [ ] Design authentication architecture
+- [ ] Choose identity framework (ASP.NET Core Identity vs custom)
+- [ ] Design JWT token structure and claims
+- [ ] Define user roles and permissions
+- [ ] Design API authentication flow
+
+Day 3-4: Backend Implementation
+- [ ] Implement user registration API
+- [ ] Implement login API with JWT generation
+- [ ] Add JWT validation middleware
+- [ ] Secure all API endpoints with [Authorize]
+- [ ] Implement role-based authorization
+- [ ] Add password hashing and validation
+
+Day 5-6: Frontend Implementation
+- [ ] Create login/registration UI
+- [ ] Implement authentication state management
+- [ ] Add protected route guards
+- [ ] Handle token refresh
+- [ ] Add logout functionality
+
+Day 7: Testing and Integration
+- [ ] Write authentication unit tests
+- [ ] Write authentication integration tests
+- [ ] Test role-based access control
+- [ ] End-to-end authentication testing
+
+**Priority 2: Complete Application Testing** (3 days - parallel):
+
+Day 1-2: Query Handler Tests
+- [ ] GetStoriesByEpicIdQueryHandlerTests
+- [ ] GetStoriesByProjectIdQueryHandlerTests
+- [ ] GetTasksByStoryIdQueryHandlerTests
+- [ ] GetTasksByProjectIdQueryHandlerTests
+- [ ] GetTasksByAssigneeQueryHandlerTests
+
+Day 2-3: Command Handler Tests
+- [ ] UpdateTaskCommandHandlerTests
+- [ ] AssignTaskCommandHandlerTests
+
+Day 3: Integration Tests
+- [ ] API integration tests with Testcontainers
+- [ ] End-to-end CRUD workflow tests
+
+#### Week 2: Real-time Updates and Polish
+
+**Priority 3: SignalR Real-time Notifications** (3 days):
+
+Day 1: Backend Setup
+- [ ] Configure SignalR hubs
+- [ ] Implement TaskStatusChangedHub
+- [ ] Add notification logic to command handlers
+- [ ] Test SignalR connection and messaging
+
+Day 2: Frontend Integration
+- [ ] Install SignalR client library
+- [ ] Implement SignalR connection management
+- [ ] Add real-time update listeners to Kanban board
+- [ ] Add notification toast components
+
+Day 3: Testing and Polish
+- [ ] Test real-time updates across multiple clients
+- [ ] Handle connection failures gracefully
+- [ ] Add reconnection logic
+- [ ] Performance testing with multiple connections
+
+**Priority 4: Polish and Bug Fixes** (2 days):
+
+Day 1: Frontend Polish
+- [ ] Responsive design improvements
+- [ ] Loading states and animations
+- [ ] Error message improvements
+- [ ] Accessibility audit
+
+Day 2: Backend Polish
+- [ ] API performance optimization
+- [ ] Error message improvements
+- [ ] API documentation updates
+- [ ] Deployment preparation
+
+### Sprint Success Criteria
+
+**Must Have**:
+- ✅ JWT authentication working (login, registration, protected routes)
+- ✅ All API endpoints secured with authorization
+- ✅ Application layer test coverage ≥80%
+- ✅ Zero critical bugs
+
+**Should Have**:
+- ✅ SignalR real-time updates working
+- ✅ Integration tests for all controllers
+- ✅ API documentation complete
+
+**Nice to Have**:
+- Frontend component tests
+- Performance optimization
+- Deployment scripts
+
+---
+
+## Milestone Completion Criteria
+
+### M1 Definition of Done
+
+**Functional Requirements**:
+- ✅ Complete CRUD for Projects, Epics, Stories, Tasks (DONE)
+- ✅ Kanban board with drag & drop (DONE)
+- ⏳ User authentication and authorization (IN PROGRESS)
+- ⏳ Real-time updates with SignalR (PLANNED)
+- ✅ Audit logging for all operations (PARTIAL - needs auth context)
+
+**Quality Requirements**:
+- ✅ Domain layer test coverage ≥80% (96.98% ACHIEVED)
+- ⏳ Application layer test coverage ≥80% (40% CURRENT)
+- ⏳ Integration tests for all API endpoints (PLANNED)
+- ✅ Zero critical bugs (ACHIEVED)
+- ✅ Build with zero errors and warnings (ACHIEVED)
+
+**Documentation Requirements**:
+- ✅ API documentation (Scalar) (DONE)
+- ✅ Architecture documentation (DONE)
+- ⏳ User guide (PENDING)
+- ⏳ Deployment guide (PENDING)
+
+**Deployment Requirements**:
+- ✅ Docker containerization (DONE)
+- ⏳ Environment configuration (IN PROGRESS)
+- ⏳ Database migrations (DONE, needs auth tables)
+- ⏳ CI/CD pipeline (PLANNED)
+
+---
+
+## Conclusion and Next Steps
+
+### Summary
+
+ColaFlow has achieved remarkable progress in M1 development, delivering a high-quality, full-stack application in just 3 days. The team demonstrated excellence in architecture, coding quality, and proactive quality assurance. The critical bug fix showcases the effectiveness of our testing strategy.
+
+### Immediate Next Steps (This Week)
+
+1. **Start JWT Authentication** (Monday, 2025-11-04)
+   - Assign: Backend Agent
+   - Timeline: 7 days
+   - Priority: Critical
+
+2. **Complete Application Testing** (Monday, 2025-11-04 - parallel)
+   - Assign: QA Agent + Backend Agent
+   - Timeline: 3 days
+   - Priority: High
+
+3. **Plan M2 Architecture** (Friday, 2025-11-08 - research only)
+   - Assign: Architect Agent + Researcher Agent
+   - Timeline: 2 days
+   - Priority: Medium
+
+### Long-term Vision
+
+**M1 Completion Target**: 2025-11-15 (12 days from now)
+**M2 Start Target**: 2025-11-18 (3 days buffer)
+
+**Key Success Factors**:
+- Maintain code quality (no shortcuts)
+- Complete security implementation (non-negotiable)
+- Establish solid testing foundation
+- Document architectural decisions
+
+---
+
+## Appendix
+
+### A. Technology Stack Reference
+
+**Backend**:
+- .NET 9 (C# 13)
+- ASP.NET Core 9 Web API
+- Entity Framework Core 9
+- PostgreSQL 16
+- MediatR 13.1.0
+- AutoMapper 15.1.0
+- FluentValidation 12.0.0
+
+**Frontend**:
+- Next.js 16.0.1
+- React 19.2.0
+- TypeScript 5
+- TanStack Query v5.90.6
+- Zustand 5.0.8
+- shadcn/ui + Tailwind CSS 4
+
+**Testing**:
+- xUnit 2.9.2
+- FluentAssertions 8.8.0
+- Testcontainers (planned)
+
+### B. Service Endpoints
+
+**Running Services**:
+- PostgreSQL: localhost:5432
+- Backend API: http://localhost:5167
+- Frontend Web: http://localhost:3000
+- API Docs: http://localhost:5167/scalar/v1
+
+### C. Key Metrics Dashboard
+
+```
+M1 Progress:           ████████████████░░░ 83%
+Domain Coverage:       ████████████████████ 96.98%
+Application Coverage:  ████████░░░░░░░░░░░░ 40%
+Test Pass Rate:        ████████████████████ 100%
+Build Quality:         ████████████████████ 100%
+```
+
+### D. Contact and Escalation
+
+**Product Manager**: Yaojia Wang / Colacoder Team
+**Report Frequency**: Weekly (every Monday)
+**Next Report**: 2025-11-10
+
+---
+
+**End of Report**