API and Route Overview

All route handlers are in app/server.py. State-changing routes require CSRF validation.

Public Routes

• /login, /forgot-password, /reset-password
• /healthz
• /website/ and /website/wiki/

Core JSON APIs

• /api/tasks, /api/tasks/create, /api/tasks/save
• /api/projects/save
• /api/comments, /api/comments/add
• /api/lookups, /api/activity
• /api/interface/log for UI/audit telemetry

Operational Rules

• Tasks are expected to map to projects (with fallback operations project behavior).
• Delete workflow uses status gates, soft-delete queue, and admin purge controls.
• Comments support @mentions and watcher notifications (respecting user email prefs).