feat: Implement user validation and ownership checks for image, reward, and task APIs
All checks were successful
Gitea Actions Demo / build-and-push (push) Successful in 36s

- Added `get_validated_user_id` utility function to validate user authentication across multiple APIs.
- Updated image upload, request, and listing endpoints to ensure user ownership and proper error handling.
- Enhanced reward management endpoints to include user validation and ownership checks.
- Modified task management endpoints to enforce user authentication and ownership verification.
- Updated models to include `user_id` for images, rewards, tasks, and children to track ownership.
- Implemented frontend changes to ensure UI reflects the ownership of tasks and rewards.
- Added a new feature specification to prevent deletion of system tasks and rewards.
2026-01-31 19:48:51 -05:00
parent 6f5b61de7f
commit f14de28daa
18 changed files with 361 additions and 121 deletions


@@ -13,22 +13,16 @@
- **Frontend Styling**: Use only `:root` CSS variables from `global.css` for all colors, spacing, and tokens. Example: `--btn-primary`, `--list-item-bg-good`.
- **Scoped Styles**: All `.vue` files must use `<style scoped>`. Reference global variables for theme consistency.
- **Rewards UI**: If `points >= cost`, apply `--item-card-ready-shadow` and `--item-card-ready-border`.
- **API Error Handling**: Backend returns JSON with `error` and `code` (see `backend/api/error_codes.py`). Frontend extracts `{ msg, code }` using `parseErrorResponse(res)` from `api.ts`.
- **Validation**: Use `isEmailValid` and `isPasswordStrong` (min 8 chars, 1 letter, 1 number) from `api.ts` for all user input. Use `sanitize_email()` for directory names and unique IDs (see `backend/api/utils.py`).
- **JWT Auth**: Tokens are stored in HttpOnly, Secure, SameSite=Strict cookies.
## 🚦 Frontend Logic & Event Bus
- **SSE Event Management**: Register listeners in `onMounted`, clean up in `onUnmounted`. Listen for events like `child_task_triggered`, `child_reward_request`, `task_modified`, etc. See `frontend/vue-app/src/common/backendEvents.ts` and `components/BackendEventsListener.vue`.
- **UI Guardrails**:
- Before triggering a task, check for pending rewards. If found, prompt for cancellation before proceeding.
- On `EDIT`, always refetch the full object from the API to ensure state integrity.
- **Layout Hierarchy**: Use `ParentLayout` for admin/management, `ChildLayout` for dashboard/focus views.
## ⚖️ Business Logic & Safeguards
- **Points**: Always enforce `child.points = max(child.points, 0)` after any mutation.
- **Token Expiry**: Verification tokens expire in 4 hours; password reset tokens in 10 minutes.
- **Image Assets**: Models use `image_id` for storage; frontend resolves to `image_url` for rendering.
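Review bot: the conventions this hunk documents (error codes, JWT cookie storage, points clamping) say nothing about the per-user ownership rule this commit introduces, so anyone working from these instructions would not know that image, reward and task endpoints must resolve the caller with `get_validated_user_id` and compare the resource's `user_id` with it before reading, modifying or deleting the resource. Suggest adding a bullet under "Business Logic & Safeguards" such as `- **Ownership**: Every image/reward/task endpoint calls get_validated_user_id and rejects requests whose resource user_id does not match the caller`, and stating which code from `backend/api/error_codes.py` is returned on a mismatch so the frontend's `parseErrorResponse(res)` path stays consistent. The new guard against deleting system tasks and rewards mentioned in the commit message belongs in the same section, since it is a safeguard in the same sense as the points clamp.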
@@ -36,7 +30,7 @@
- **Backend**: Run Flask with `python -m flask run --host=0.0.0.0 --port=5000` from the `backend/` directory. Main entry: `backend/main.py`.
- **Frontend**: From `frontend/vue-app/`, run `npm install` then `npm run dev`.
- **Tests**: Run backend tests with `pytest` in `backend/`. Frontend tests: `npm run test` in `frontend/vue-app/`.
- **Tests**: Run backend tests with `pytest` in `backend/tests/`. Frontend component tests: `npm run test` in `frontend/vue-app/components/__tests__/`.
- **Debugging**: Use VS Code launch configs or run Flask/Vue dev servers directly. For SSE, use browser dev tools to inspect event streams.
## 📁 Key Files & Directories
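Review bot: the new frontend test path `frontend/vue-app/components/__tests__/` does not match the layout documented later in this same file, where components live under `frontend/vue-app/src/components/`; unless a second components directory exists outside `src/`, this should read `frontend/vue-app/src/components/__tests__/`. Separately, changing the pytest working directory from `backend/` to `backend/tests/` changes pytest's rootdir and therefore how the `backend` modules are imported; confirm that a `conftest.py` or a `pythonpath` setting makes `pytest` run from `backend/tests/` resolve the application package, or keep `backend/` as the working directory and pass `tests/` as the target instead.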
@@ -48,7 +42,7 @@
- `frontend/vue-app/` — Vue 3 frontend (see `src/common/`, `src/components/`, `src/layout/`)
- `frontend/vue-app/src/common/models.ts` — TypeScript interfaces (mirror Python models)
- `frontend/vue-app/src/common/api.ts` — API helpers, error parsing, validation
- `web/vue-app/src/common/backendEvents.ts` — SSE event types and handlers
- `frontend/vue-app/src/common/backendEvents.ts` — SSE event types and handlers
## 🧠 Integration & Cross-Component Patterns
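Review bot: the `web/vue-app` to `frontend/vue-app` path correction is the right fix, but the Key Files list still gives no home for the `get_validated_user_id` helper that this commit makes every image, reward and task endpoint depend on; add its module alongside the `backend/api/error_codes.py` and `backend/api/utils.py` paths cited in the conventions section so the ownership check is discoverable, and while here grep the rest of the file for any other stale `web/` prefixes, since this one survived until now.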