fix: update BASE_VERSION to remove release candidate suffix

fix: update login token expiration to 62 days

chore: bump version to 1.0.5RC1

test: add isParentPersistent to LoginButton.spec.ts

refactor: rename Assign Tasks button to Assign Chores in ParentView.vue

refactor: rename Assign Tasks to Assign Chores in TaskAssignView.vue

feat: add stay in parent mode checkbox and badge in LoginButton.vue

test: enhance LoginButton.spec.ts with persistent mode tests

test: add authGuard.spec.ts for logoutParent and enforceParentExpiry

feat: implement parent mode expiry logic in auth.ts

test: add auth.expiry.spec.ts for parent mode expiry tests

chore: create template for feature specs

.env.example

@@ -0,0 +1 @@
+FRONTEND_URL=https://yourdomain.com

.gitea/workflows/build.yaml

@@ -0,0 +1,142 @@
+name: Chore App Build, Test, and Push Docker Images
+run-name: ${{ gitea.actor }} is building Chores [${{ gitea.ref_name }}@${{ gitea.sha }}] 🚀
+on:
+  push:
+    branches:
+      - master
+      - next
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v3
+
+      - name: Determine Image Tag
+        id: vars
+        run: |
+          version=$(python -c "import sys; sys.path.append('./backend'); from config.version import BASE_VERSION; print(BASE_VERSION)")
+          current_date=$(date +%Y%m%d)
+          if [ "${{ gitea.ref }}" == "refs/heads/master" ]; then
+            echo "tag=$version" >> $GITHUB_OUTPUT
+          else
+            echo "tag=next-$version-$current_date" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Set up Python for backend tests
+        uses: actions/setup-python@v4
+        with:
+          python-version: "3.11"
+
+      - name: Install backend dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -r backend/requirements.txt
+
+      - name: Run backend unit tests
+        run: |
+          cd backend
+          pytest -q
+
+      - name: Set up Node.js for frontend tests
+        uses: actions/setup-node@v4
+        with:
+          node-version: "20.19.0"
+          cache: "npm"
+          cache-dependency-path: frontend/vue-app/package-lock.json
+
+      - name: Install frontend dependencies
+        run: npm ci
+        working-directory: frontend/vue-app
+
+      - name: Run frontend unit tests
+        run: npm run test:unit --if-present
+        working-directory: frontend/vue-app
+
+      - name: Build Backend Docker Image
+        run: |
+          docker build -t git.ryankegel.com:3000/kegel/chores/backend:${{ steps.vars.outputs.tag }} ./backend
+
+      - name: Build Frontend Docker Image
+        run: |
+          docker build -t git.ryankegel.com:3000/kegel/chores/frontend:${{ steps.vars.outputs.tag }} ./frontend/vue-app
+
+      - name: Log in to Registry
+        uses: docker/login-action@v2
+        with:
+          registry: git.ryankegel.com:3000
+          username: ${{ secrets.REGISTRY_USER }}
+          password: ${{ secrets.REGISTRY_PASSWORD }}
+
+      - name: Push Backend Image to Gitea Registry
+        run: |
+          for i in {1..3}; do
+            echo "Attempt $i to push backend image..."
+            if docker push git.ryankegel.com:3000/kegel/chores/backend:${{ steps.vars.outputs.tag }}; then
+              echo "Backend push succeeded on attempt $i"
+              break
+            else
+              echo "Backend push failed on attempt $i"
+              if [ $i -lt 3 ]; then
+                sleep 10
+              else
+                exit 1
+              fi
+            fi
+          done
+          if [ "${{ gitea.ref }}" == "refs/heads/master" ]; then
+            docker tag git.ryankegel.com:3000/kegel/chores/backend:${{ steps.vars.outputs.tag }} git.ryankegel.com:3000/kegel/chores/backend:latest
+            docker push git.ryankegel.com:3000/kegel/chores/backend:latest
+          elif [ "${{ gitea.ref }}" == "refs/heads/next" ]; then
+            docker tag git.ryankegel.com:3000/kegel/chores/backend:${{ steps.vars.outputs.tag }} git.ryankegel.com:3000/kegel/chores/backend:next
+            docker push git.ryankegel.com:3000/kegel/chores/backend:next
+          fi
+
+      - name: Push Frontend Image to Gitea Registry
+        run: |
+          for i in {1..3}; do
+            echo "Attempt $i to push frontend image..."
+            if docker push git.ryankegel.com:3000/kegel/chores/frontend:${{ steps.vars.outputs.tag }}; then
+              echo "Frontend push succeeded on attempt $i"
+              break
+            else
+              echo "Frontend push failed on attempt $i"
+              if [ $i -lt 3 ]; then
+                sleep 10
+              else
+                exit 1
+              fi
+            fi
+          done
+          if [ "${{ gitea.ref }}" == "refs/heads/master" ]; then
+            docker tag git.ryankegel.com:3000/kegel/chores/frontend:${{ steps.vars.outputs.tag }} git.ryankegel.com:3000/kegel/chores/frontend:latest
+            docker push git.ryankegel.com:3000/kegel/chores/frontend:latest
+          elif [ "${{ gitea.ref }}" == "refs/heads/next" ]; then
+            docker tag git.ryankegel.com:3000/kegel/chores/frontend:${{ steps.vars.outputs.tag }} git.ryankegel.com:3000/kegel/chores/frontend:next
+            docker push git.ryankegel.com:3000/kegel/chores/frontend:next
+          fi
+
+      - name: Deploy Test Environment
+        if: gitea.ref == 'refs/heads/next'
+        uses: appleboy/ssh-action@v1.0.3 # Or equivalent Gitea action; adjust version if needed
+        with:
+          host: ${{ secrets.DEPLOY_TEST_HOST }}
+          username: ${{ secrets.DEPLOY_TEST_USER }}
+          key: ${{ secrets.SSH_PRIVATE_KEY }}
+          port: 22 # Default SSH port; change if different
+          script: |
+            cd /tmp
+            # Pull the repository to get the latest docker-compose.dev.yml
+            if [ -d "chore" ]; then
+              cd chore
+              git pull origin next || true # Pull latest changes; ignore if it fails (e.g., first run)
+            else
+              git clone --branch next https://git.ryankegel.com/ryan/chore.git
+              cd chore
+            fi
+            echo "Bringing down previous test environment..."
+            docker-compose -f docker-compose.test.yml down --volumes --remove-orphans || true
+            echo "Starting new test environment..."
+            docker-compose -f docker-compose.test.yml pull  # Ensure latest images are pulled
+            docker-compose -f docker-compose.test.yml up -d

.github/alias.txt

@@ -0,0 +1,19 @@
+
+**Powershell
+git config --global alias.save-wip "!f() { git add . ; if (git log -1 --format=%s -eq 'wip') { git commit --amend --no-edit } else { git commit -m 'wip' }; git push origin `$(git branch --show-current):wip-sync --force-with-lease; }; f"
+git config --global alias.load-wip "!f() { if (git diff-index --quiet HEAD --) { git fetch origin wip-sync; git merge origin/wip-sync; if (git log -1 --format=%s -eq 'wip') { git reset --soft HEAD~1; echo 'WIP Loaded and unwrapped.' } else { echo 'No WIP found. Merge complete.' } } else { echo 'Error: Uncommitted changes detected.'; exit 1 }; }; f"
+git config --global alias.abort-wip "git reset --hard HEAD"
+
+**Git Bash
+git config --global alias.save-wip '!f() { git add . ; if [ "$(git log -1 --format=%s)" = "wip" ]; then git commit --amend --no-edit; else git commit -m "wip"; fi; git push origin $(git branch --show-current):wip-sync --force-with-lease; }; f'
+git config --global alias.load-wip '!f() { if ! git diff-index --quiet HEAD --; then echo "Error: Uncommitted changes detected."; exit 1; fi; git fetch origin wip-sync && git merge origin/wip-sync && if [ "$(git log -1 --format=%s)" = "wip" ]; then git reset --soft HEAD~1; echo "WIP Loaded and unwrapped."; else echo "No WIP found. Merge complete."; fi; }; f'
+git config --global alias.abort-wip 'git reset --hard HEAD'
+
+
+**Mac
+git config --global alias.save-wip '!f() { git add . ; if [ "$(git log -1 --format=%s)" = "wip" ]; then git commit --amend --no-edit; else git commit -m "wip"; fi; git push origin $(git branch --show-current):wip-sync --force-with-lease; }; f'
+git config --global alias.load-wip '!f() { if ! git diff-index --quiet HEAD --; then echo "Error: Uncommitted changes detected."; exit 1; fi; git fetch origin wip-sync && git merge origin/wip-sync && if [ "$(git log -1 --format=%s)" = "wip" ]; then git reset --soft HEAD~1; echo "WIP Loaded and unwrapped."; else echo "No WIP found. Merge complete."; fi; }; f'
+git config --global alias.abort-wip 'git reset --hard HEAD'
+
+***Reset wip-sync
+git push origin --delete wip-sync

.github/copilot-instructions.md

@@ -0,0 +1,63 @@
+# Reward Project: AI Coding Agent Instructions
+
+## 🏗️ Architecture & Data Flow
+
+- **Stack**: Flask (Python, backend) + Vue 3 (TypeScript, frontend) + TinyDB (JSON, thread-safe, see `db/`).
+- **API**: RESTful endpoints in `api/`, grouped by entity (child, reward, task, user, image, etc). Each API file maps to a business domain.
+- **Nginx Proxy**: Frontend nginx proxies `/api/*` to backend, stripping the `/api` prefix. Backend endpoints should NOT include `/api` in their route definitions. Example: Backend defines `@app.route('/user')`, frontend calls `/api/user`.
+- **Models**: Maintain strict 1:1 mapping between Python `@dataclass`es (`backend/models/`) and TypeScript interfaces (`frontend/vue-app/src/common/models.ts`).
+- **Database**: Use TinyDB with `from_dict()`/`to_dict()` for serialization. All logic should operate on model instances, not raw dicts.
+- **Events**: Real-time updates via Server-Sent Events (SSE). Every mutation (add/edit/delete/trigger) must call `send_event_for_current_user` (see `backend/events/`).
+- **Changes**: Do not use comments to replace code. All changes must be reflected in both backend and frontend files as needed.
+- **Specs**: If specs have a checklist, all items must be completed and marked done.
+
+## 🧩 Key Patterns & Conventions
+
+- **Frontend Styling**: Use only `:root` CSS variables from `colors.css` for all colors, spacing, and tokens. Example: `--btn-primary`, `--list-item-bg-good`.
+- **Scoped Styles**: All `.vue` files must use `<style scoped>`. Reference global variables for theme consistency.
+- **API Error Handling**: Backend returns JSON with `error` and `code` (see `backend/api/error_codes.py`). Frontend extracts `{ msg, code }` using `parseErrorResponse(res)` from `api.ts`.
+- **JWT Auth**: Tokens are stored in HttpOnly, Secure, SameSite=Strict cookies.
+- **Code Style**:
+  1. Follow PEP 8 for Python, and standard TypeScript conventions.
+  2. Use type annotations everywhere in Python.
+  3. Place all imports at the top of the file.
+  4. Vue files should specifically place `<template>`, `<script>`, then `<style>` in that order. Make sure to put ts code in `<script>` only.
+
+## 🚦 Frontend Logic & Event Bus
+
+- **SSE Event Management**: Register listeners in `onMounted`, clean up in `onUnmounted`. Listen for events like `child_task_triggered`, `child_reward_request`, `task_modified`, etc. See `frontend/vue-app/src/common/backendEvents.ts` and `components/BackendEventsListener.vue`.
+- **Layout Hierarchy**: Use `ParentLayout` for admin/management, `ChildLayout` for dashboard/focus views.
+
+## ⚖️ Business Logic & Safeguards
+
+- **Token Expiry**: Verification tokens expire in 4 hours; password reset tokens in 10 minutes.
+- **Image Assets**: Models use `image_id` for storage; frontend resolves to `image_url` for rendering.
+
+## 🛠️ Developer Workflows
+
+- **Backend**: Run Flask with `python -m flask run --host=0.0.0.0 --port=5000` from the `backend/` directory. Main entry: `backend/main.py`.
+- **Virtual Env**: Python is running from a virtual environment located at `backend/.venv/`.
+- **Frontend**: From `frontend/vue-app/`, run `npm install` then `npm run dev`.
+- **Tests**: Run backend tests with `pytest` in `backend/tests/`. Frontend component tests: `npm run test` in `frontend/vue-app/components/__tests__/`.
+- **Debugging**: Use VS Code launch configs or run Flask/Vue dev servers directly. For SSE, use browser dev tools to inspect event streams.
+
+## 📁 Key Files & Directories
+
+- `backend/api/` — Flask API endpoints (one file per entity)
+- `backend/models/` — Python dataclasses (business logic, serialization)
+- `backend/db/` — TinyDB setup and helpers
+- `backend/events/` — SSE event types, broadcaster, payloads
+- `frontend/vue-app/` — Vue 3 frontend (see `src/common/`, `src/components/`, `src/layout/`) - Where tests are run from
+- `frontend/vue-app/src/common/models.ts` — TypeScript interfaces (mirror Python models)
+- `frontend/vue-app/src/common/api.ts` — API helpers, error parsing, validation
+- `frontend/vue-app/src/common/backendEvents.ts` — SSE event types and handlers
+
+## 🧠 Integration & Cross-Component Patterns
+
+- **Every backend mutation must trigger an SSE event** for the current user.
+- **Frontend state is event-driven**: always listen for and react to SSE events for real-time updates.
+- **Model changes require updating both Python and TypeScript definitions** to maintain parity.
+
+---
+
+For any unclear or missing conventions, review the referenced files or ask for clarification. Keep this document concise and actionable for AI agents.

.github/specs/archive/bug-both-system-and-user-items-shown.md

@@ -0,0 +1,19 @@
+# Bug: When a user task or reward exists with the same name as a system user or task, both are shown in the assign list.
+
+## The Problem
+
+- **Actual:** When the user creates a task/reward from a system task/reward (copy on edit), and then goes to assign the task/reward, both the system and user task/reward are shown and can be assigned.
+- **Expected:** When a user task/reward is created from a system (or even if it has the same name) - show the user item instead in the assign views.
+
+## Investigation Notes
+
+- When a copy on edit happens of a 'good' task and it is changed to 'bad', I can see the 'good' task when assigning tasks and the 'bad' penalty when assigning the penalty
+- The backend will have to change to probably check if the names are the same on tasks/rewards and if so, choose to return the user items instead.
+- In the case of two items having the same name AND having different user_ids that are not null, then we should show both items.
+- The task view and reward view correctly hides the system item. However, the Task Assign View and RewardAssignView are still showing both items.
+
+## The "Red" Tests
+
+ - [x] Create a test that performs a copy on edit and then makes sure only that item shows instead of the system item
+ - [x] Create a test that performs has 2 user items with the same name as a system item. Verify that the user items are shown, but not the system item.
+ - [x] Create a test where if a system and identically named user task exist that the user tasks is the only one shown in the task assign view and reward assign view.

.github/specs/archive/feat-account-delete-scheduler.md

@@ -0,0 +1,318 @@
+# Feature: Account Deletion Scheduler
+
+## Overview
+
+**Goal:** Implement a scheduler in the backend that will delete accounts that are marked for deletion after a period of time.
+
+**User Story:**  
+As an administrator, I want accounts that are marked for deletion to be deleted around X amount of hours after they were marked. I want the time to be adjustable.
+
+---
+
+## Configuration
+
+### Environment Variables
+
+- `ACCOUNT_DELETION_THRESHOLD_HOURS`: Hours to wait before deleting marked accounts (default: 720 hours / 30 days)
+  - **Minimum:** 24 hours (enforced for safety)
+  - **Maximum:** 720 hours (30 days)
+  - Configurable via environment variable with validation on startup
+
+### Scheduler Settings
+
+- **Check Interval:** Every 1 hour
+- **Implementation:** APScheduler (BackgroundScheduler)
+- **Restart Handling:** On app restart, scheduler checks for users with `deletion_in_progress = True` and retries them
+- **Retry Logic:** Maximum 3 attempts per user; tracked via `deletion_attempted_at` timestamp
+
+---
+
+## Data Model Changes
+
+### User Model (`backend/models/user.py`)
+
+Add two new fields to the `User` dataclass:
+
+- `deletion_in_progress: bool` - Default `False`. Set to `True` when deletion is actively running
+- `deletion_attempted_at: datetime | None` - Default `None`. Timestamp of last deletion attempt
+
+**Serialization:**
+
+- Both fields must be included in `to_dict()` and `from_dict()` methods
+
+---
+
+## Deletion Process & Order
+
+When a user is due for deletion (current time >= `marked_for_deletion_at` + threshold), the scheduler performs deletion in this order:
+
+1. **Set Flag:** `deletion_in_progress = True` (prevents concurrent deletion)
+2. **Pending Rewards:** Remove all pending rewards for user's children
+3. **Children:** Remove all children belonging to the user
+4. **Tasks:** Remove all user-created tasks (where `user_id` matches)
+5. **Rewards:** Remove all user-created rewards (where `user_id` matches)
+6. **Images (Database):** Remove user's uploaded images from `image_db`
+7. **Images (Filesystem):** Delete `data/images/[user_id]` directory and all contents
+8. **User Record:** Remove the user from `users_db`
+9. **Clear Flag:** `deletion_in_progress = False` (only if deletion failed; otherwise user is deleted)
+10. **Update Timestamp:** Set `deletion_attempted_at` to current time (if deletion failed)
+
+### Error Handling
+
+- If any step fails, log the error and continue to next step
+- If deletion fails completely, update `deletion_attempted_at` and set `deletion_in_progress = False`
+- If a user has 3 failed attempts, log a critical error but continue processing other users
+- Missing directories or empty tables are not considered errors
+
+---
+
+## Admin API Endpoints
+
+### New Blueprint: `backend/api/admin_api.py`
+
+All endpoints require JWT authentication and admin privileges.
+
+**Note:** Endpoint paths below are as defined in Flask (without `/api` prefix). Frontend accesses them via nginx proxy at `/api/admin/*`.
+
+#### `GET /admin/deletion-queue`
+
+Returns list of users pending deletion.
+
+**Response:** JSON with `count` and `users` array containing user objects with fields: `id`, `email`, `marked_for_deletion_at`, `deletion_due_at`, `deletion_in_progress`, `deletion_attempted_at`
+
+#### `GET /admin/deletion-threshold`
+
+Returns current deletion threshold configuration.
+
+**Response:** JSON with `threshold_hours`, `threshold_min`, and `threshold_max` fields
+
+#### `PUT /admin/deletion-threshold`
+
+Updates deletion threshold (requires admin auth).
+
+**Request:** JSON with `threshold_hours` field
+
+**Response:** JSON with `message` and updated `threshold_hours`
+
+**Validation:**
+
+- Must be between 24 and 720 hours
+- Returns 400 error if out of range
+
+#### `POST /admin/deletion-queue/trigger`
+
+Manually triggers the deletion scheduler (processes entire queue immediately).
+
+**Response:** JSON with `message`, `processed`, `deleted`, and `failed` counts
+
+---
+
+## SSE Event
+
+### New Event Type: `USER_DELETED`
+
+**File:** `backend/events/types/user_deleted.py`
+
+**Payload fields:**
+
+- `user_id: str` - ID of deleted user
+- `email: str` - Email of deleted user
+- `deleted_at: str` - ISO format timestamp of deletion
+
+**Broadcasting:**
+
+- Event is sent only to **admin users** (not broadcast to all users)
+- Triggered immediately after successful user deletion
+- Frontend admin clients can listen to this event to update UI
+
+---
+
+## Implementation Details
+
+### File Structure
+
+- `backend/config/deletion_config.py` - Configuration with env variable
+- `backend/utils/account_deletion_scheduler.py` - Scheduler logic
+- `backend/api/admin_api.py` - New admin endpoints
+- `backend/events/types/user_deleted.py` - New SSE event
+
+### Scheduler Startup
+
+In `backend/main.py`, import and call `start_deletion_scheduler()` after Flask app setup
+
+### Logging Strategy
+
+**Configuration:**
+
+- Use dedicated logger: `account_deletion_scheduler`
+- Log to both stdout (for Docker/dev) and rotating file (for persistence)
+- File: `logs/account_deletion.log`
+- Rotation: 10MB max file size, keep 5 backups
+- Format: `%(asctime)s - %(name)s - %(levelname)s - %(message)s`
+
+**Log Levels:**
+
+- **INFO:** Each deletion step (e.g., "Deleted 5 children for user {user_id}")
+- **INFO:** Summary after each run (e.g., "Deletion scheduler run: 3 users processed, 2 deleted, 1 failed")
+- **ERROR:** Individual step failures (e.g., "Failed to delete images for user {user_id}: {error}")
+- **CRITICAL:** User with 3+ failed attempts (e.g., "User {user_id} has failed deletion 3 times")
+- **WARNING:** Threshold set below 168 hours (7 days)
+
+---
+
+## Acceptance Criteria (Definition of Done)
+
+### Data Model
+
+- [x] Add `deletion_in_progress` field to User model
+- [x] Add `deletion_attempted_at` field to User model
+- [x] Update `to_dict()` and `from_dict()` methods for serialization
+- [x] Update TypeScript User interface in frontend
+
+### Configuration
+
+- [x] Create `backend/config/deletion_config.py` with `ACCOUNT_DELETION_THRESHOLD_HOURS`
+- [x] Add environment variable support with default (720 hours)
+- [x] Enforce minimum threshold of 24 hours
+- [x] Enforce maximum threshold of 720 hours
+- [x] Log warning if threshold is less than 168 hours
+
+### Backend Implementation
+
+- [x] Create `backend/utils/account_deletion_scheduler.py`
+- [x] Implement APScheduler with 1-hour check interval
+- [x] Implement deletion logic in correct order (pending_rewards → children → tasks → rewards → images → directory → user)
+- [x] Add comprehensive error handling (log and continue)
+- [x] Add restart handling (check `deletion_in_progress` flag on startup)
+- [x] Add retry logic (max 3 attempts per user)
+- [x] Integrate scheduler into `backend/main.py` startup
+
+### Admin API
+
+- [x] Create `backend/api/admin_api.py` blueprint
+- [x] Implement `GET /admin/deletion-queue` endpoint
+- [x] Implement `GET /admin/deletion-threshold` endpoint
+- [x] Implement `PUT /admin/deletion-threshold` endpoint
+- [x] Implement `POST /admin/deletion-queue/trigger` endpoint
+- [x] Add JWT authentication checks for all admin endpoints
+- [x] Add admin role validation
+
+### SSE Event
+
+- [x] Create `backend/events/types/user_deleted.py`
+- [x] Add `USER_DELETED` to `event_types.py`
+- [x] Implement admin-only event broadcasting
+- [x] Trigger event after successful deletion
+
+### Backend Unit Tests
+
+#### Configuration Tests
+
+- [x] Test default threshold value (720 hours)
+- [x] Test environment variable override
+- [x] Test minimum threshold enforcement (24 hours)
+- [x] Test maximum threshold enforcement (720 hours)
+- [x] Test invalid threshold values (negative, non-numeric)
+
+#### Scheduler Tests
+
+- [x] Test scheduler identifies users ready for deletion (past threshold)
+- [x] Test scheduler ignores users not yet due for deletion
+- [x] Test scheduler handles empty database
+- [x] Test scheduler runs at correct interval (1 hour)
+- [x] Test scheduler handles restart with `deletion_in_progress = True`
+- [x] Test scheduler respects retry limit (max 3 attempts)
+
+#### Deletion Process Tests
+
+- [x] Test deletion removes pending_rewards for user's children
+- [x] Test deletion removes children for user
+- [x] Test deletion removes user's tasks (not system tasks)
+- [x] Test deletion removes user's rewards (not system rewards)
+- [x] Test deletion removes user's images from database
+- [x] Test deletion removes user directory from filesystem
+- [x] Test deletion removes user record from database
+- [x] Test deletion handles missing directory gracefully
+- [x] Test deletion order is correct (children before user, etc.)
+- [x] Test `deletion_in_progress` flag is set during deletion
+- [x] Test `deletion_attempted_at` is updated on failure
+
+#### Edge Cases
+
+- [x] Test deletion with user who has no children
+- [x] Test deletion with user who has no custom tasks/rewards
+- [x] Test deletion with user who has no uploaded images
+- [x] Test partial deletion failure (continue with other users)
+- [x] Test concurrent deletion attempts (flag prevents double-deletion)
+- [x] Test user with exactly 3 failed attempts (logs critical, no retry)
+
+#### Admin API Tests
+
+- [x] Test `GET /admin/deletion-queue` returns correct users
+- [x] Test `GET /admin/deletion-queue` requires authentication
+- [x] Test `GET /admin/deletion-threshold` returns current threshold
+- [x] Test `PUT /admin/deletion-threshold` updates threshold
+- [x] Test `PUT /admin/deletion-threshold` validates min/max
+- [x] Test `PUT /admin/deletion-threshold` requires admin role
+- [x] Test `POST /admin/deletion-queue/trigger` triggers scheduler
+- [x] Test `POST /admin/deletion-queue/trigger` returns summary
+
+#### Integration Tests
+
+- [x] Test full deletion flow from marking to deletion
+- [x] Test multiple users deleted in same scheduler run
+- [x] Test deletion with restart midway (recovery)
+
+### Logging & Monitoring
+
+- [x] Configure dedicated scheduler logger with rotating file handler
+- [x] Create `logs/` directory for log files
+- [x] Log each deletion step with INFO level
+- [x] Log summary after each scheduler run (users processed, deleted, failed)
+- [x] Log errors with user ID for debugging
+- [x] Log critical error for users with 3+ failed attempts
+- [x] Log warning if threshold is set below 168 hours
+
+### Documentation
+
+- [x] Create `README.md` at project root
+- [x] Document scheduler feature and behavior
+- [x] Document environment variable `ACCOUNT_DELETION_THRESHOLD_HOURS`
+- [x] Document deletion process and order
+- [x] Document admin API endpoints
+- [x] Document restart/retry behavior
+
+---
+
+## Testing Strategy
+
+All tests should use `DB_ENV=test` and operate on test databases in `backend/test_data/`.
+
+### Unit Test Files
+
+- `backend/tests/test_deletion_config.py` - Configuration validation
+- `backend/tests/test_deletion_scheduler.py` - Scheduler logic
+- `backend/tests/test_admin_api.py` - Admin endpoints
+
+### Test Fixtures
+
+- Create users with various `marked_for_deletion_at` timestamps
+- Create users with children, tasks, rewards, images
+- Create users with `deletion_in_progress = True` (for restart tests)
+
+### Assertions
+
+- Database records are removed in correct order
+- Filesystem directories are deleted
+- Flags and timestamps are updated correctly
+- Error handling works (log and continue)
+- Admin API responses match expected format
+
+---
+
+## Future Considerations
+
+- Archive deleted accounts instead of hard deletion
+- Email notification to admin when deletion completes
+- Configurable retry count (currently hardcoded to 3)
+- Soft delete with recovery option (within grace period)

.github/specs/archive/feat-dynamic-points/IMPLEMENTATION_SUMMARY.md

@@ -0,0 +1,149 @@
+# Tracking Feature Implementation Summary
+
+## ✅ Implementation Complete
+
+All acceptance criteria from [feat-tracking.md](.github/specs/active/feat-dynamic-points/feat-tracking.md) have been implemented and tested.
+
+---
+
+## 📦 What Was Delivered
+
+### Backend
+
+1. **Data Model** ([tracking_event.py](backend/models/tracking_event.py))
+   - `TrackingEvent` dataclass with full type safety
+   - Factory method `create_event()` for server-side timestamp generation
+   - Delta invariant validation (`delta == points_after - points_before`)
+
+2. **Database Layer** ([tracking.py](backend/db/tracking.py))
+   - New TinyDB table: `tracking_events.json`
+   - Helper functions: `insert_tracking_event`, `get_tracking_events_by_child`, `get_tracking_events_by_user`, `anonymize_tracking_events_for_user`
+   - Offset-based pagination with sorting by `occurred_at` (desc)
+
+3. **Audit Logging** ([tracking_logger.py](backend/utils/tracking_logger.py))
+   - Per-user rotating file handlers (`logs/tracking_user_<user_id>.log`)
+   - 10MB max file size, 5 backups
+   - Structured log format with all event metadata
+
+4. **API Integration** ([child_api.py](backend/api/child_api.py))
+   - Tracking added to:
+     - `POST /child/<id>/trigger-task` → action: `activated`
+     - `POST /child/<id>/request-reward` → action: `requested`
+     - `POST /child/<id>/trigger-reward` → action: `redeemed`
+     - `POST /child/<id>/cancel-request-reward` → action: `cancelled`
+
+5. **Admin API** ([tracking_api.py](backend/api/tracking_api.py))
+   - `GET /admin/tracking` with filters:
+     - `child_id` (required if no `user_id`)
+     - `user_id` (admin only)
+     - `entity_type` (task|reward|penalty)
+     - `action` (activated|requested|redeemed|cancelled)
+     - `limit` (default 50, max 500)
+     - `offset` (default 0)
+   - Returns total count for future pagination UI
+
+6. **SSE Events** ([event_types.py](backend/events/types/event_types.py), [tracking_event_created.py](backend/events/types/tracking_event_created.py))
+   - New event type: `TRACKING_EVENT_CREATED`
+   - Payload: `tracking_event_id`, `child_id`, `entity_type`, `action`
+   - Emitted on every tracking event creation
+
+---
+
+### Frontend
+
+1. **TypeScript Models** ([models.ts](frontend/vue-app/src/common/models.ts))
+   - `TrackingEvent` interface (1:1 parity with Python)
+   - Type aliases: `EntityType`, `ActionType`
+   - `TrackingEventCreatedPayload` for SSE events
+
+2. **API Helpers** ([api.ts](frontend/vue-app/src/common/api.ts))
+   - `getTrackingEventsForChild()` function with all filter params
+
+3. **SSE Registration**
+   - Event type registered in type union
+   - Ready for future UI components
+
+---
+
+### Tests
+
+**Backend Unit Tests** ([test_tracking.py](backend/tests/test_tracking.py)):
+
+- ✅ Tracking event creation with factory method
+- ✅ Delta invariant validation
+- ✅ Insert and query tracking events
+- ✅ Filtering by `entity_type` and `action`
+- ✅ Offset-based pagination
+- ✅ User anonymization on deletion
+- ✅ Points change correctness (positive/negative/zero delta)
+- ✅ No points change for request/cancel actions
+
+---
+
+## 🔑 Key Design Decisions
+
+1. **Append-only tracking table** - No deletions, only anonymization on user deletion
+2. **Server timestamps** - `occurred_at` always uses server time (UTC) to avoid client clock drift
+3. **Separate logging** - Per-user audit logs independent of database
+4. **Offset pagination** - Simpler than cursors, sufficient for expected scale
+5. **No UI (yet)** - API/models/SSE only; UI deferred to future phase
+
+---
+
+## 🚀 Usage Examples
+
+### Backend: Create a tracking event
+
+```python
+from models.tracking_event import TrackingEvent
+from db.tracking import insert_tracking_event
+from utils.tracking_logger import log_tracking_event
+
+event = TrackingEvent.create_event(
+    user_id='user123',
+    child_id='child456',
+    entity_type='task',
+    entity_id='task789',
+    action='activated',
+    points_before=50,
+    points_after=60,
+    metadata={'task_name': 'Homework'}
+)
+
+insert_tracking_event(event)
+log_tracking_event(event)
+```
+
+### Frontend: Query tracking events
+
+```typescript
+import { getTrackingEventsForChild } from "@/common/api";
+
+const res = await getTrackingEventsForChild({
+  childId: "child456",
+  entityType: "task",
+  limit: 20,
+  offset: 0,
+});
+
+const data = await res.json();
+// { tracking_events: [...], total: 42, count: 20, limit: 20, offset: 0 }
+```
+
+---
+
+## 📋 Migration Notes
+
+1. **New database file**: `backend/data/db/tracking_events.json` will be created automatically on first tracking event.
+2. **New log directory**: `backend/logs/tracking_user_<user_id>.log` files will be created per user.
+3. **No breaking changes** to existing APIs or data models.
+
+---
+
+## 🔮 Future Enhancements (Not in This Phase)
+
+- Admin/parent UI for viewing tracking history
+- Badges and certificates based on tracking data
+- Analytics and reporting dashboards
+- Export tracking data (CSV, JSON)
+- Time-based filters (date range queries)

.github/specs/archive/feat-dynamic-points/feat-dynamic-points.md

@@ -0,0 +1,519 @@
+# Feature: Dynamic Point and Cost Customization
+
+## Overview
+
+**Goal:** Allow parents to customize the point value of tasks/penalties and the cost of rewards on a per-child basis after assignment.
+
+**User Story:**  
+As a parent, I want to assign different point values to the same task for different children, so I can tailor rewards to each child's needs and motivations. For example, "Clean Room" might be worth 10 points for one child but 5 points for another.
+
+**Process:**
+
+1. **Assignment First**: Tasks, penalties, and rewards must be assigned to a child before their points/cost can be customized.
+2. **Edit Button Access**: After the first click on an item in ScrollingList (when it centers), an edit button appears in the corner (34x34px, using `edit.png` icon).
+3. **Modal Customization**: Clicking the edit button opens a modal with a number input field allowing values from **0 to 10000**.
+4. **Default Values**: The field defaults to the last user-set value or the entity's default points/cost if never customized.
+5. **Visual Indicator**: Items with custom values show a ✏️ emoji badge next to the points/cost number.
+6. **Activation Behavior**: The second click on an item activates it (triggers task/reward), not the first click.
+
+**Architecture Decisions:**
+
+- **Storage**: Use a separate `child_overrides.json` table (not embedded in child model) to store per-child customizations.
+- **Lifecycle**: Overrides reset to default when a child is unassigned from a task/reward. Overrides are deleted when the entity or child is deleted (cascade).
+- **Validation**: Allow 0 points/cost (not minimum 1). Disable save button on invalid input (empty, negative, >10000).
+- **UI Flow**: First click centers item and shows edit button. Second click activates entity. Edit button opens modal for customization.
+
+**UI:**
+
+- Before first click: [feat-dynamic-points-before.png](feat-dynamic-points-before.png)
+- After first click: [feat-dynamic-points-after.png](feat-dynamic-points-after.png)
+- Edit button icon: `frontend/vue-app/public/edit.png` (34x34px)
+- Button position: Corner of ScrollingList item, not interfering with text
+- Badge: ✏️ emoji displayed next to points/cost number when override exists
+
+---
+
+## Configuration
+
+**No new configuration required.** Range validation (0-10000) is hardcoded per requirements.
+
+---
+
+## Data Model Changes
+
+### New Model: `ChildOverride`
+
+**Python** (`backend/models/child_override.py`):
+
+Create a dataclass that inherits from `BaseModel` with the following fields:
+
+- `child_id` (str): ID of the child this override applies to
+- `entity_id` (str): ID of the task/penalty/reward being customized
+- `entity_type` (Literal['task', 'reward']): Type of entity
+- `custom_value` (int): Custom points or cost value
+
+Validation requirements:
+
+- `custom_value` must be between 0 and 10000 (inclusive)
+- `entity_type` must be either 'task' or 'reward'
+- Include `__post_init__` method to enforce these validations
+- Include static factory method `create_override()` that accepts the four main fields and returns a new instance
+
+**TypeScript** (`frontend/vue-app/src/common/models.ts`):
+
+Create an interface with 1:1 parity to the Python model:
+
+- Define `EntityType` as a union type: 'task' | 'reward'
+- Include all fields: `id`, `child_id`, `entity_id`, `entity_type`, `custom_value`, `created_at`, `updated_at`
+- All string fields except `custom_value` which is number
+
+### Database Table
+
+**New Table**: `child_overrides.json`
+
+**Indexes**:
+
+- `child_id` (for lookup by child)
+- `entity_id` (for lookup by task/reward)
+- Composite `(child_id, entity_id)` (for uniqueness constraint)
+
+**Database Helper** (`backend/db/child_overrides.py`):
+
+Create database helper functions using TinyDB and the `child_overrides_db` table:
+
+- `insert_override(override)`: Insert or update (upsert) based on composite key (child_id, entity_id). Only one override allowed per child-entity pair.
+- `get_override(child_id, entity_id)`: Return Optional[ChildOverride] for a specific child and entity combination
+- `get_overrides_for_child(child_id)`: Return List[ChildOverride] for all overrides belonging to a child
+- `delete_override(child_id, entity_id)`: Delete specific override, return bool indicating success
+- `delete_overrides_for_child(child_id)`: Delete all overrides for a child, return count deleted
+- `delete_overrides_for_entity(entity_id)`: Delete all overrides for an entity, return count deleted
+
+All functions should use `from_dict()` and `to_dict()` for model serialization.
+
+---
+
+## SSE Events
+
+### 1. `child_override_set`
+
+**Emitted When**: A parent sets or updates a custom value for a task/reward.
+
+**Payload** (`backend/events/types/child_override_set.py`):
+
+Create a dataclass `ChildOverrideSetPayload` that inherits from `EventPayload` with a single field:
+
+- `override` (ChildOverride): The override object that was set
+
+**TypeScript** (`frontend/vue-app/src/common/backendEvents.ts`):
+
+Create an interface `ChildOverrideSetPayload` with:
+
+- `override` (ChildOverride): The override object that was set
+
+### 2. `child_override_deleted`
+
+**Emitted When**: An override is deleted (manual reset, unassignment, or cascade).
+
+**Payload** (`backend/events/types/child_override_deleted.py`):
+
+Create a dataclass `ChildOverrideDeletedPayload` that inherits from `EventPayload` with three fields:
+
+- `child_id` (str): ID of the child
+- `entity_id` (str): ID of the entity
+- `entity_type` (str): Type of entity ('task' or 'reward')
+
+**TypeScript** (`frontend/vue-app/src/common/backendEvents.ts`):
+
+Create an interface `ChildOverrideDeletedPayload` with:
+
+- `child_id` (string): ID of the child
+- `entity_id` (string): ID of the entity
+- `entity_type` (string): Type of entity
+
+---
+
+## API Design
+
+### 1. **PUT** `/child/<child_id>/override`
+
+**Purpose**: Set or update a custom value for a task/reward.
+
+**Auth**: User must own the child.
+
+**Request Body**:
+
+JSON object with three required fields:
+
+- `entity_id` (string): UUID of the task or reward
+- `entity_type` (string): Either "task" or "reward"
+- `custom_value` (number): Integer between 0 and 10000
+
+**Validation**:
+
+- `entity_type` must be "task" or "reward"
+- `custom_value` must be 0-10000
+- Entity must be assigned to child
+- Child must exist and belong to user
+
+**Response**:
+
+JSON object with a single key `override` containing the complete ChildOverride object with all fields (id, child_id, entity_id, entity_type, custom_value, created_at, updated_at in ISO format).
+
+**Errors**:
+
+- 404: Child not found or not owned
+- 404: Entity not assigned to child
+- 400: Invalid entity_type
+- 400: custom_value out of range
+
+**SSE**: Emits `child_override_set` to user.
+
+### 2. **GET** `/child/<child_id>/overrides`
+
+**Purpose**: Get all overrides for a child.
+
+**Auth**: User must own the child.
+
+**Response**:
+
+JSON object with a single key `overrides` containing an array of ChildOverride objects. Each object includes all standard fields (id, child_id, entity_id, entity_type, custom_value, created_at, updated_at).
+
+**Errors**:
+
+- 404: Child not found or not owned
+
+### 3. **DELETE** `/child/<child_id>/override/<entity_id>`
+
+**Purpose**: Delete an override (reset to default).
+
+**Auth**: User must own the child.
+
+**Response**:
+
+JSON object with `message` field set to "Override deleted".
+
+**Errors**:
+
+- 404: Child not found or not owned
+- 404: Override not found
+
+**SSE**: Emits `child_override_deleted` to user.
+
+### Modified Endpoints
+
+Update these existing endpoints to include override information:
+
+1. **GET** `/child/<child_id>/list-tasks` - Include `custom_value` in task objects if override exists
+2. **GET** `/child/<child_id>/list-rewards` - Include `custom_value` in reward objects if override exists
+3. **POST** `/child/<child_id>/trigger-task` - Use `custom_value` if override exists when awarding points
+4. **POST** `/child/<child_id>/trigger-reward` - Use `custom_value` if override exists when deducting points
+5. **PUT** `/child/<child_id>/set-tasks` - Delete overrides for unassigned tasks
+6. **PUT** `/child/<child_id>/set-rewards` - Delete overrides for unassigned rewards
+
+---
+
+## Implementation Details
+
+### File Structure
+
+**Backend**:
+
+- `backend/models/child_override.py` - ChildOverride model
+- `backend/db/child_overrides.py` - Database helpers
+- `backend/api/child_override_api.py` - New API endpoints (PUT, GET, DELETE)
+- `backend/events/types/child_override_set.py` - SSE event payload
+- `backend/events/types/child_override_deleted.py` - SSE event payload
+- `backend/events/types/event_types.py` - Add CHILD_OVERRIDE_SET, CHILD_OVERRIDE_DELETED enums
+- `backend/tests/test_child_override_api.py` - Unit tests
+
+**Frontend**:
+
+- `frontend/vue-app/src/common/models.ts` - Add ChildOverride interface
+- `frontend/vue-app/src/common/api.ts` - Add setChildOverride(), getChildOverrides(), deleteChildOverride()
+- `frontend/vue-app/src/common/backendEvents.ts` - Add event types
+- `frontend/vue-app/src/components/OverrideEditModal.vue` - New modal component
+- `frontend/vue-app/src/components/ScrollingList.vue` - Add edit button and ✏️ badge
+- `frontend/vue-app/components/__tests__/OverrideEditModal.spec.ts` - Component tests
+
+### Logging Strategy
+
+**Backend**: Log override operations to per-user rotating log files (same pattern as tracking).
+
+**Log Messages**:
+
+- `Override set: child={child_id}, entity={entity_id}, type={entity_type}, value={custom_value}`
+- `Override deleted: child={child_id}, entity={entity_id}`
+- `Overrides cascade deleted for child: child_id={child_id}, count={count}`
+- `Overrides cascade deleted for entity: entity_id={entity_id}, count={count}`
+
+**Frontend**: No additional logging beyond standard error handling.
+
+---
+
+## Acceptance Criteria (Definition of Done)
+
+### Data Model
+
+- [x] `ChildOverride` Python dataclass created with validation (0-10000 range, entity_type literal)
+- [x] `ChildOverride` TypeScript interface created (1:1 parity with Python)
+- [x] `child_overrides.json` TinyDB table created in `backend/db/db.py`
+- [x] Database helper functions created (insert, get, delete by child, delete by entity)
+- [x] Composite uniqueness constraint enforced (child_id, entity_id)
+
+### Backend Implementation
+
+- [x] PUT `/child/<child_id>/override` endpoint created with validation
+- [x] GET `/child/<child_id>/overrides` endpoint created
+- [x] DELETE `/child/<child_id>/override/<entity_id>` endpoint created
+- [x] GET `/child/<child_id>/list-tasks` modified to include `custom_value` when override exists
+- [x] GET `/child/<child_id>/list-rewards` modified to include `custom_value` when override exists
+- [x] POST `/child/<child_id>/trigger-task` modified to use override value
+- [x] POST `/child/<child_id>/trigger-reward` modified to use override value
+- [x] PUT `/child/<child_id>/set-tasks` modified to delete overrides for unassigned tasks
+- [x] PUT `/child/<child_id>/set-rewards` modified to delete overrides for unassigned rewards
+- [x] Cascade delete implemented: deleting child removes all its overrides
+- [x] Cascade delete implemented: deleting task/reward removes all its overrides
+- [x] Authorization checks: user must own child to access overrides
+- [x] Validation: entity must be assigned to child before override can be set
+
+### SSE Events
+
+- [x] `child_override_set` event type added to event_types.py
+- [x] `child_override_deleted` event type added to event_types.py
+- [x] `ChildOverrideSetPayload` class created (Python)
+- [x] `ChildOverrideDeletedPayload` class created (Python)
+- [x] PUT endpoint emits `child_override_set` event
+- [x] DELETE endpoint emits `child_override_deleted` event
+- [x] Frontend TypeScript interfaces for event payloads created
+
+### Frontend Implementation
+
+- [x] `OverrideEditModal.vue` component created
+- [x] Modal has number input field with 0-10000 validation
+- [x] Modal disables save button on invalid input (empty, negative, >10000)
+- [x] Modal defaults to current override value or entity default
+- [x] Modal calls PUT `/child/<id>/override` API on save
+- [x] Edit button (34x34px) added to ScrollingList items
+- [x] Edit button only appears after first click (when item is centered)
+- [x] Edit button uses `edit.png` icon from public folder
+- [x] ✏️ emoji badge displayed next to points/cost when override exists
+- [x] Badge only shows for items with active overrides
+- [x] Second click on item activates entity (not first click)
+- [x] SSE listeners registered for `child_override_set` and `child_override_deleted`
+- [x] Real-time UI updates when override events received
+
+### Backend Unit Tests
+
+#### API Tests (`backend/tests/test_child_override_api.py`)
+
+- [x] Test PUT creates new override with valid data
+- [x] Test PUT updates existing override
+- [x] Test PUT returns 400 for custom_value < 0
+- [x] Test PUT returns 400 for custom_value > 10000
+- [x] Test PUT returns 400 for invalid entity_type
+- [ ] Test PUT returns 404 for non-existent child
+- [ ] Test PUT returns 404 for unassigned entity
+- [ ] Test PUT returns 403 for child not owned by user
+- [ ] Test PUT emits child_override_set event
+- [x] Test GET returns all overrides for child
+- [ ] Test GET returns empty array when no overrides
+- [ ] Test GET returns 404 for non-existent child
+- [ ] Test GET returns 403 for child not owned by user
+- [x] Test DELETE removes override
+- [ ] Test DELETE returns 404 when override doesn't exist
+- [ ] Test DELETE returns 404 for non-existent child
+- [ ] Test DELETE returns 403 for child not owned by user
+- [ ] Test DELETE emits child_override_deleted event
+
+#### Integration Tests
+
+- [ ] Test list-tasks includes custom_value for overridden tasks
+- [ ] Test list-tasks shows default points for non-overridden tasks
+- [ ] Test list-rewards includes custom_value for overridden rewards
+- [ ] Test trigger-task uses custom_value when awarding points
+- [ ] Test trigger-task uses default points when no override
+- [ ] Test trigger-reward uses custom_value when deducting points
+- [ ] Test trigger-reward uses default cost when no override
+- [ ] Test set-tasks deletes overrides for unassigned tasks
+- [ ] Test set-tasks preserves overrides for still-assigned tasks
+- [ ] Test set-rewards deletes overrides for unassigned rewards
+- [ ] Test set-rewards preserves overrides for still-assigned rewards
+
+#### Cascade Delete Tests
+
+- [x] Test deleting child removes all its overrides
+- [x] Test deleting task removes all overrides for that task
+- [x] Test deleting reward removes all overrides for that reward
+- [x] Test unassigning task from child deletes override
+- [x] Test reassigning task to child resets override (not preserved)
+
+#### Edge Cases
+
+- [x] Test custom_value = 0 is allowed
+- [x] Test custom_value = 10000 is allowed
+- [ ] Test cannot set override for entity not assigned to child
+- [ ] Test cannot set override for non-existent entity
+- [ ] Test multiple children can have different overrides for same entity
+
+### Frontend Unit Tests
+
+#### Component Tests (`components/__tests__/OverrideEditModal.spec.ts`)
+
+- [x] Test modal renders with default value
+- [x] Test modal renders with existing override value
+- [x] Test save button disabled when input is empty
+- [x] Test save button disabled when value < 0
+- [x] Test save button disabled when value > 10000
+- [x] Test save button enabled when value is 0-10000
+- [x] Test modal calls API with correct parameters on save
+- [x] Test modal emits close event after successful save
+- [x] Test modal shows error message on API failure
+- [x] Test cancel button closes modal without saving
+
+#### Component Tests (`components/__tests__/ScrollingList.spec.ts`)
+
+- [ ] Test edit button hidden before first click
+- [ ] Test edit button appears after first click (when centered)
+- [ ] Test edit button opens OverrideEditModal
+- [ ] Test ✏️ badge displayed when override exists
+- [ ] Test ✏️ badge hidden when no override exists
+- [ ] Test second click activates entity (not first click)
+- [ ] Test edit button positioned correctly (34x34px, corner)
+- [ ] Test edit button doesn't interfere with text
+
+#### Integration Tests
+
+- [ ] Test SSE event updates UI when override is set
+- [ ] Test SSE event updates UI when override is deleted
+- [ ] Test override value displayed in task/reward list
+- [ ] Test points calculation uses override when triggering task
+- [ ] Test cost calculation uses override when triggering reward
+
+#### Edge Cases
+
+- [ ] Test 0 points/cost displays correctly
+- [ ] Test 10000 points/cost displays correctly
+- [ ] Test badge updates immediately after setting override
+- [ ] Test badge disappears immediately after deleting override
+
+### Logging & Monitoring
+
+- [ ] Override set operations logged to per-user log files
+- [ ] Override delete operations logged
+- [ ] Cascade delete operations logged with count
+- [ ] Log messages include child_id, entity_id, entity_type, custom_value
+
+### Documentation
+
+- [ ] API endpoints documented in this spec
+- [ ] Data model documented in this spec
+- [ ] SSE events documented in this spec
+- [ ] UI behavior documented in this spec
+- [ ] Edge cases and validation rules documented
+
+---
+
+## Testing Strategy
+
+### Unit Test Files
+
+**Backend** (`backend/tests/test_child_override_api.py`):
+
+Create six test classes:
+
+1. **TestChildOverrideModel**: Test model validation (6 tests)
+   - Valid override creation
+   - Negative custom_value raises ValueError
+   - custom_value > 10000 raises ValueError
+   - custom_value = 0 is allowed
+   - custom_value = 10000 is allowed
+   - Invalid entity_type raises ValueError
+
+2. **TestChildOverrideDB**: Test database operations (8 tests)
+   - Insert new override
+   - Insert updates existing (upsert behavior)
+   - Get existing override returns object
+   - Get nonexistent override returns None
+   - Get all overrides for a child
+   - Delete specific override
+   - Delete all overrides for a child (returns count)
+   - Delete all overrides for an entity (returns count)
+
+3. **TestChildOverrideAPI**: Test all three API endpoints (18 tests)
+   - PUT creates new override
+   - PUT updates existing override
+   - PUT returns 400 for negative value
+   - PUT returns 400 for value > 10000
+   - PUT returns 400 for invalid entity_type
+   - PUT returns 404 for nonexistent child
+   - PUT returns 404 for unassigned entity
+   - PUT returns 403 for child not owned by user
+   - PUT emits child_override_set event
+   - GET returns all overrides for child
+   - GET returns empty array when no overrides
+   - GET returns 404 for nonexistent child
+   - GET returns 403 for child not owned
+   - DELETE removes override successfully
+   - DELETE returns 404 when override doesn't exist
+   - DELETE returns 404 for nonexistent child
+   - DELETE returns 403 for child not owned
+   - DELETE emits child_override_deleted event
+
+4. **TestIntegration**: Test override integration with existing endpoints (11 tests)
+   - list-tasks includes custom_value for overridden tasks
+   - list-tasks shows default points for non-overridden tasks
+   - list-rewards includes custom_value for overridden rewards
+   - trigger-task uses custom_value when awarding points
+   - trigger-task uses default points when no override
+   - trigger-reward uses custom_value when deducting points
+   - trigger-reward uses default cost when no override
+   - set-tasks deletes overrides for unassigned tasks
+   - set-tasks preserves overrides for still-assigned tasks
+   - set-rewards deletes overrides for unassigned rewards
+   - set-rewards preserves overrides for still-assigned rewards
+
+5. **TestCascadeDelete**: Test cascade deletion behavior (5 tests)
+   - Deleting child removes all its overrides
+   - Deleting task removes all overrides for that task
+   - Deleting reward removes all overrides for that reward
+   - Unassigning task deletes override
+   - Reassigning task resets override (not preserved)
+
+6. **TestEdgeCases**: Test boundary conditions (5 tests)
+   - custom_value = 0 is allowed
+   - custom_value = 10000 is allowed
+   - Cannot set override for unassigned entity
+   - Cannot set override for nonexistent entity
+   - Multiple children can have different overrides for same entity
+
+### Test Fixtures
+
+Create pytest fixtures for common test scenarios:
+
+- `child_with_task`: Uses existing `child` and `task` fixtures, calls set-tasks endpoint to assign task to child, asserts 200 response, returns child dict
+- `child_with_task_override`: Builds on `child_with_task`, calls PUT override endpoint to set custom_value=15 for the task, asserts 200 response, returns child dict
+- Similar fixtures for rewards: `child_with_reward`, `child_with_reward_override`
+- `child_with_overrides`: Child with multiple overrides for testing bulk operations
+
+### Assertions
+
+Test assertions should verify three main areas:
+
+1. **API Response Correctness**: Check status code (200, 400, 403, 404), verify returned override object has correct values for all fields (custom_value, child_id, entity_id, etc.)
+
+2. **SSE Event Emission**: Use mock_sse fixture to assert `send_event_for_current_user` was called exactly once with the correct EventType (CHILD_OVERRIDE_SET or CHILD_OVERRIDE_DELETED)
+
+3. **Points Calculation**: After triggering tasks/rewards, verify the child's points reflect the custom_value (not the default). For example, if default is 10 but override is 15, child.points should increase by 15.
+
+---
+
+## Future Considerations
+
+1. **Bulk Override Management**: Add endpoint to set/get/delete multiple overrides at once for performance.
+2. **Override History**: Track changes to override values over time for analytics.
+3. **Copy Overrides**: Allow copying overrides from one child to another.
+4. **Override Templates**: Save common override patterns as reusable templates.
+5. **Percentage-Based Overrides**: Allow setting overrides as percentage of default (e.g., "150% of default").
+6. **Override Expiration**: Add optional expiration dates for temporary adjustments.
+7. **Undo Override**: Add "Restore Default" button in UI that deletes override with one click.
+8. **Admin Dashboard**: Show overview of all overrides across all children for analysis.

.github/specs/archive/feat-dynamic-points/feat-tracking.md

@@ -0,0 +1,112 @@
+# Feature: Task and Reward Tracking
+
+## Overview
+
+**Goal:** Tasks, Penalties, and Rewards should be recorded when completed (activated), requested, redeemed, and cancelled. A record of the date and time should also be kept for these actions. A log file shall be produced that shows the child's points before and after the action happened.
+
+**User Story:**  
+As an administrator, I want to know what kind and when a task, penalty, or reward was activated.
+As an administrator, I want a log created detailing when a task, penalty, or reward was activated and how points for the affected child has changed.
+As a user (parent), when I activate a task or penalty, I want to record the time and what task or penalty was activated.
+As a user (parent), when I redeem a reward, I want to record the time and what reward was redeeemed.
+As a user (parent/child), when I cancel a reward, I want to record the time and what reward was cancelled.
+As a user (child), when I request a reward, I want to record the time and what reward was requested.
+
+**Questions:**
+
+- Tasks/Penalty, rewards should be tracked per child. Should the tracking be recorded in the child database, or should a new database be used linking the tracking to the child?
+- If using a new database, should tracking also be linking to user in case of account deletion?
+- Does there need to be any frontend changes for now?
+
+**Decisions:**
+
+- Use a **new TinyDB table** (`tracking_events.json`) for tracking records (append-only). Do **not** embed tracking in `child` to avoid large child docs and preserve audit history. Each record includes `child_id` and `user_id`.
+- Track events for: task/penalty activated, reward requested, reward redeemed, reward cancelled.
+- Store timestamps in **UTC ISO 8601** with timezone (e.g. `2026-02-09T18:42:15Z`). Always use **server time** for `occurred_at` to avoid client clock drift.
+- On user deletion: **anonymize** tracking records by setting `user_id` to `null`, preserving child activity history for compliance/audit.
+- Keep an **audit log file per user** (e.g. `tracking_user_<user_id>.log`) with points before/after and event metadata. Use rotating file handler.
+- Use **offset-based pagination** for tracking queries (simpler with TinyDB, sufficient for expected scale).
+- **Frontend changes deferred**: Ship backend API, models, and SSE events only. No UI components in this phase.
+
+---
+
+## Configuration
+
+## Acceptance Criteria (Definition of Done)
+
+### Data Model
+
+- [x] Add `TrackingEvent` model in `backend/models/` with `from_dict()`/`to_dict()` and 1:1 TS interface in [frontend/vue-app/src/common/models.ts](frontend/vue-app/src/common/models.ts)
+- [x] `TrackingEvent` fields include: `id`, `user_id`, `child_id`, `entity_type` (task|reward|penalty), `entity_id`, `action` (activated|requested|redeemed|cancelled), `points_before`, `points_after`, `delta`, `occurred_at`, `created_at`, `metadata` (optional dict)
+- [x] Ensure `delta == points_after - points_before` invariant
+
+### Backend Implementation
+
+- [x] Create TinyDB table (e.g., `tracking_events.json`) with helper functions in `backend/db/`
+- [x] Add tracking write in all mutation endpoints:
+  - task/penalty activation
+  - reward request
+  - reward redeem
+  - reward cancel
+- [x] Build `TrackingEvent` instances from models (no raw dict writes)
+- [x] Add server-side validation for required fields and action/entity enums
+- [x] Add `send_event_for_current_user` calls for tracking mutations
+
+### Frontend Implementation
+
+- [x] Add `TrackingEvent` interface and enums to [frontend/vue-app/src/common/models.ts](frontend/vue-app/src/common/models.ts)
+- [x] Add API helpers for tracking (list per child, optional filters) in [frontend/vue-app/src/common/api.ts](frontend/vue-app/src/common/api.ts)
+- [x] Register SSE event type `tracking_event_created` in [frontend/vue-app/src/common/backendEvents.ts](frontend/vue-app/src/common/backendEvents.ts)
+- [x] **No UI components** — deferred to future phase
+
+### Admin API
+
+- [x] Add admin endpoint to query tracking by `child_id`, date range, and `entity_type` (e.g. `GET /admin/tracking`)
+- [x] Add offset-based pagination parameters (`limit`, `offset`) with sensible defaults (e.g. limit=50, max=500)
+- [x] Return total count for pagination UI (future)
+
+### SSE Event
+
+- [x] Add event type `tracking_event_created` with payload containing `tracking_event_id` and minimal denormalized info
+- [x] Update [backend/events/types/event_types.py](backend/events/types/event_types.py) and [frontend/vue-app/src/common/backendEvents.ts](frontend/vue-app/src/common/backendEvents.ts)
+
+### Backend Unit Tests
+
+- [x] Create tests for tracking creation on each mutation endpoint (task/penalty activated, reward requested/redeemed/cancelled)
+- [x] Validate `points_before/after` and `delta` are correct
+- [x] Ensure tracking write does not block core mutation (failure behavior defined)
+
+### Frontend Unit Tests
+
+- [x] Test API helper functions for tracking queries
+- [x] Test TypeScript interface matches backend model (type safety)
+
+#### Edge Cases
+
+- [x] Reward cancel after redeem should not create duplicate inconsistent entries
+- [x] Multiple activations in rapid sequence must be ordered by `occurred_at` then `created_at`
+- [x] Child deleted: tracking records retained and still queryable by admin (archive mode)
+- [x] User deleted: anonymize tracking by setting `user_id` to `null`, retain all other fields for audit history
+
+#### Integration Tests
+
+- [x] End-to-end: activate task -> tracking created -> SSE event emitted -> audit log written
+- [x] Verify user deletion anonymizes tracking records without breaking queries
+
+### Logging & Monitoring
+
+- [x] Add dedicated tracking logger with **per-user rotating file handler** (e.g. `logs/tracking_user_<user_id>.log`)
+- [x] Log one line per tracking event with `user_id`, `child_id`, `entity_type`, `entity_id`, `action`, `points_before`, `points_after`, `delta`, `occurred_at`
+- [x] Configure max file size and backup count (e.g. 10MB, 5 backups)
+
+### Documentation
+
+- [x] Update README or docs to include tracking endpoints, schema, and sample responses
+- [x] Add migration note for new `tracking_events.json`
+
+---
+
+## Future Considerations
+
+- Reward tracking will be used to determine child ranking (badges and certificates!)
+- is_good vs not is_good in task tracking can be used to show the child their balance in good vs not good

.github/specs/archive/feat-hashed-passwords.md

@@ -0,0 +1,87 @@
+# Feature: Hash passwords in database
+
+## Overview
+
+**Goal:** Currently passwords for users are stored in the database as plain text. They need to be hashed using a secure algorithm to prevent exposure in case of a data breach.
+
+**User Story:**  
+As a user, when I create an account with a password, the password needs to be hashed in the database.  
+As an admin, I would like a script that will convert the current user database passwords into a hash.
+
+---
+
+## Data Model Changes
+
+### Backend Model (`backend/models/user.py`)
+
+No changes required to the `User` dataclass fields. Passwords will remain as strings, but they will now be hashed values instead of plain text.
+
+### Frontend Model (`frontend/vue-app/src/common/models.ts`)
+
+No changes required. The `User` interface does not expose passwords.
+
+---
+
+## Backend Implementation
+
+### Password Hashing
+
+- Use `werkzeug.security.generate_password_hash()` with default settings (PBKDF2 with SHA256, salt, and iterations) for hashing new passwords.
+- Use `werkzeug.security.check_password_hash()` for verification during login and password reset.
+- Update the following endpoints to hash passwords on input and verify hashes on output:
+  - `POST /signup` (hash password before storing; existing length/complexity checks apply).
+  - `POST /login` (verify hash against input).
+  - `POST /reset-password` (hash new password before storing; existing length/complexity checks apply).
+
+### Migration Script (`backend/scripts/hash_passwords.py`)
+
+Create a new script to hash existing plain text passwords in the database:
+
+- Read all users from `users_db`.
+- For each user, check if the password is already hashed (starts with `scrypt:` or `$pbkdf2-sha256$`); if so, skip.
+- For plain text passwords, hash using `generate_password_hash()`.
+- Update the user record in the database.
+- Log the number of users updated.
+- Run this script once after deployment to migrate existing data.
+
+**Usage:** `python backend/scripts/hash_passwords.py`
+
+**Security Notes:**
+
+- The script should only be run in a secure environment (e.g., admin access).
+- After migration, verify a few users can log in.
+- Delete or secure the script post-migration to avoid reuse.
+
+### Error Handling
+
+No new error codes needed. Existing authentication errors (e.g., invalid credentials) remain unchanged.
+
+---
+
+### Backend Tests (`backend/tests/test_auth_api.py`)
+
+- [x] Test signup with password hashing: Verify stored password is hashed (starts with `scrypt:`).
+- [x] Test login with correct password: Succeeds.
+- [x] Test login with incorrect password: Fails with appropriate error.
+- [x] Test password reset: New password is hashed.
+- [x] Test migration script: Hashes existing plain text passwords without data loss; skips already-hashed passwords.
+
+---
+
+## Future Considerations
+
+- Monitor for deprecated hashing algorithms and plan upgrades (e.g., to Argon2 if needed).
+- Implement password strength requirements on signup/reset if not already present.
+- Consider rate limiting on login attempts to prevent brute-force attacks.
+
+---
+
+## Acceptance Criteria (Definition of Done)
+
+### Backend
+
+- [x] Update `/signup` to hash passwords using `werkzeug.security.generate_password_hash()`.
+- [x] Update `/login` to verify passwords using `werkzeug.security.check_password_hash()`.
+- [x] Update `/reset-password` to hash new passwords.
+- [x] Create `backend/scripts/hash_passwords.py` script for migrating existing plain text passwords.
+- [x] All backend tests pass, including new hashing tests.

.github/specs/archive/feat-no-delete-system-tasks-and-rewards.md

@@ -0,0 +1,26 @@
+# Feature: Do Not Allow System Tasks or System Rewards To Be Deleted
+
+## Context:
+
+- **Goal:** In Task List view and Reward List view, do not allow items to be deleted by the user if they are system tasks.
+- **User Story:** As a [user], I want to only be able to press the delete button on a task or reward if that item is not a system task or reward so that shared system tasks are not deleted for other users.
+
+## Technical Requirements
+
+- **File Affected:** ItemList.vue, TaskView.vue, RewardView.vue, task_api.py, reward_api.py
+- **Logic:**
+  1. Starting with ItemList.vue, we should check to see if any item in the list has an "user_id" property and if that property is null.
+  2. If the property is null, that means the item is not owned by a user, so do no display a delete button.
+  3. If the ItemList has it's deletable property as false, don't bother checking each item for user_id as the delete button will not display.
+  4. As a safeguard, on the backend, the DELETE api requests should check to see if the "user_id" property of the requested task or reward is null. This is done by requesting the item from the database. The request provides the item's id. If the item is a system item, return 403. Let the return tell the requestor that the item is a system item and cannot be deleted.
+  5. As a safeguard, make PUT/PATCH operations perform a copy-on-edit of the item. This is already implemented.
+  6. Bulk deletion is not possible, don't make changes for this.
+  7. For any item in the frontend or backend that does not have a "user_id" property, treat that as a system item (user_id=null)
+  8. For both task and reward api create an application level constraint on the database that checks for user_id before mutation logic.
+
+## Acceptance Criteria (The "Definition of Done")
+
+- [x] Logic: Task or Reward does not display the delete button when props.deletable is true and a list item is a system item.
+- [x] UI: Doesn't show delete button for system items.
+- [x] Backend Tests: Unit tests cover a delete API request for a system task or reward and returns a 403.
+- [x] Frontend Tests: Add vitest for this feature in the frontend to make sure the delete button hidden or shown.

.github/specs/archive/feat-parent-mode-expire.md

@@ -0,0 +1,141 @@
+# Feature: Persistent and non-persistent parent mode
+
+## Overview
+
+When a parent is prompted to input the parent PIN, a checkbox should also be available that asks if the parent wants to 'stay' in parent mode. If that is checked, the parent mode remains persistent on the device until child mode is entered or until an expiry time of 2 days.
+When the checkbox is not enabled (default) the parent authentication should expire in 1 minute or the next reload of the site.
+
+**Goal:**
+A parent that has a dedicated device should stay in parent mode for a max of 2 days before having to re-enter the PIN, a device dedicated to the child should not stay in parent mode for more than a minute before reverting back to child mode.
+
+**User Story:**
+As a parent, I want my personal device to be able to stay in parent mode until I enter child mode or 2 days expire.
+As a parent, on my child's device, I want to be able to enter parent mode to make a change or two and not have to worry about exiting parent mode.
+
+**Rules:**
+Use .github/copilot-instructions.md
+
+**Common files:**
+frontend\vue-app\src\components\shared\LoginButton.vue
+frontend\vue-app\src\stores\auth.ts
+frontend\vue-app\src\router\index.ts
+
+---
+
+## Data Model Changes
+
+### Backend Model
+
+No backend changes required. PIN validation is already handled server-side via `POST /user/check-pin`. Parent mode session duration is a purely client-side concern.
+
+### Frontend Model
+
+**`localStorage['parentAuth']`** (written only for persistent mode):
+
+```json
+{ "expiresAt": 1234567890123 }
+```
+
+- Present only when "Stay in parent mode" was checked at PIN entry.
+- Removed when the user clicks "Child Mode", on explicit logout, or when found expired on store init.
+
+**Auth store state additions** (`frontend/vue-app/src/stores/auth.ts`):
+
+- `parentAuthExpiresAt: Ref<number | null>` — epoch ms timestamp; `null` when not authenticated. Memory-only for non-persistent sessions, restored from `localStorage` for persistent ones.
+- `isParentPersistent: Ref<boolean>` — `true` when the current parent session was marked "stay".
+- `isParentAuthenticated: Ref<boolean>` — plain ref set to `true` by `authenticateParent()` and `false` by `logoutParent()`. Expiry is enforced by the 15-second background watcher and the router guard calling `enforceParentExpiry()`.
+
+---
+
+## Backend Implementation
+
+No backend changes required.
+
+---
+
+## Backend Tests
+
+- [x] No new backend tests required.
+
+---
+
+## Frontend Implementation
+
+### 1. Refactor `auth.ts` — expiry-aware state
+
+- Remove the plain `ref<boolean>` `isParentAuthenticated` and the `watch` that wrote `'true'/'false'` to `localStorage['isParentAuthenticated']`.
+- Add `parentAuthExpiresAt: ref<number | null>` (initialized to `null`).
+- Add `isParentPersistent: ref<boolean>` (initialized to `false`).
+- Keep `isParentAuthenticated` as a plain `ref<boolean>` — set explicitly by `authenticateParent()` and `logoutParent()`. A background watcher and router guard enforce expiry by calling `logoutParent()` when `Date.now() >= parentAuthExpiresAt.value`.
+- Update `authenticateParent(persistent: boolean)`:
+  - Non-persistent: set `parentAuthExpiresAt.value = Date.now() + 60_000`, `isParentPersistent.value = false`. Write nothing to `localStorage`. State is lost on page reload naturally.
+  - Persistent: set `parentAuthExpiresAt.value = Date.now() + 172_800_000` (2 days), `isParentPersistent.value = true`. Write `{ expiresAt }` to `localStorage['parentAuth']`.
+  - Both: set `isParentAuthenticated.value = true`, call `startParentExpiryWatcher()`.
+- Update `logoutParent()`: clear all three refs (`null`/`false`/`false`), remove `localStorage['parentAuth']`, call `stopParentExpiryWatcher()`.
+- Update `loginUser()`: call `logoutParent()` internally (already resets parent state on fresh login).
+- On store initialization: read `localStorage['parentAuth']`; if present and `expiresAt > Date.now()`, restore as persistent auth; otherwise remove the stale key.
+
+### 2. Add background expiry watcher to `auth.ts`
+
+- Export `startParentExpiryWatcher()` and `stopParentExpiryWatcher()` that manage a 15-second `setInterval`.
+- The interval checks `Date.now() >= parentAuthExpiresAt.value`; if true, calls `logoutParent()` and navigates to `/child` via `window.location.href`. This enforces expiry even while a parent is mid-page on a `/parent` route.
+
+### 3. Update router navigation guard — `router/index.ts`
+
+- Import `logoutParent` and `enforceParentExpiry` from the auth store.
+- Before checking parent route access, call `enforceParentExpiry()` which evaluates `Date.now() >= parentAuthExpiresAt.value` directly and calls `logoutParent()` if expired.
+- If not authenticated after the check: call `logoutParent()` (cleanup) then redirect to `/child`.
+
+### 4. Update PIN modal in `LoginButton.vue` — checkbox
+
+- Add `stayInParentMode: ref<boolean>` (default `false`).
+- Add a checkbox below the PIN input, labelled **"Stay in parent mode on this device"**.
+- Style checkbox with `:root` CSS variables from `colors.css`.
+- Update `submit()` to call `authenticateParent(stayInParentMode.value)`.
+- Reset `stayInParentMode.value = false` when the modal closes.
+
+### 5. Add lock badge to avatar button — `LoginButton.vue`
+
+- Import `isParentPersistent` from the auth store.
+- Wrap the existing avatar button in a `position: relative` container.
+- When `isParentAuthenticated && isParentPersistent`, render a small `🔒` emoji element absolutely positioned at `bottom: -2px; left: -2px` with a font size of ~10px.
+- This badge disappears automatically when "Child Mode" is clicked (clears `isParentPersistent`).
+
+---
+
+## Frontend Tests
+
+- [x] `auth.ts` — non-persistent: `authenticateParent(false)` sets expiry to `now + 60s`; `isParentAuthenticated` returns `false` after watcher fires past expiry (via fake timers).
+- [x] `auth.ts` — persistent: `authenticateParent(true)` sets `parentAuthExpiresAt` to `now + 2 days`; `isParentAuthenticated` returns `false` after watcher fires past 2-day expiry.
+- [x] `auth.ts` — `logoutParent()` clears refs, stops watcher.
+- [x] `auth.ts` — `loginUser()` calls `logoutParent()` clearing all parent auth state.
+- [x] `LoginButton.vue` — checkbox is unchecked by default; checking it and submitting calls `authenticateParent(true)`.
+- [x] `LoginButton.vue` — submitting without checkbox calls `authenticateParent(false)`.
+- [x] `LoginButton.vue` — lock badge `🔒` is visible only when `isParentAuthenticated && isParentPersistent`.
+
+---
+
+## Future Considerations
+
+- Could offer a configurable expiry duration (e.g. 1 day, 3 days, 7 days) rather than a fixed 2-day cap.
+- Could show a "session expiring soon" warning for the persistent mode (e.g. banner appears 1 hour before the 2-day expiry).
+
+---
+
+## Acceptance Criteria (Definition of Done)
+
+### Backend
+
+- [x] No backend changes required; all work is frontend-only.
+
+### Frontend
+
+- [x] PIN modal includes an unchecked "Stay in parent mode on this device" checkbox.
+- [x] Non-persistent mode: parent auth is memory-only, expires after 1 minute, and is lost on page reload.
+- [x] Persistent mode: `localStorage['parentAuth']` is written with a 2-day `expiresAt` timestamp; auth survives page reload and new tabs.
+- [x] Router guard redirects silently to `/child` if parent mode has expired when navigating to any `/parent` route.
+- [x] Background 15-second interval also enforces expiry while the user is mid-page on a `/parent` route.
+- [x] "Child Mode" button clears both persistent and non-persistent auth state completely.
+- [x] A `🔒` emoji badge appears on the lower-left of the parent avatar button only when persistent mode is active.
+- [x] Opening a new tab while in persistent mode correctly restores parent mode from `localStorage`.
+- [x] All frontend tests listed above pass.

.github/specs/archive/feat-profile-mark-remove-account.md

@@ -0,0 +1,251 @@
+# Feature: Account Deletion (Mark for Removal)
+
+## Overview
+
+**Goal:** Allow users to mark their account for deletion from the Profile page.
+
+**User Story:**  
+As a user, I want to delete my account from the Profile page. When I click "Delete My Account", I want a confirmation dialog that warns me about data loss. After confirming by entering my email, my account will be marked for deletion, I will be signed out, and I will not be able to log in again.
+
+---
+
+## Data Model Changes
+
+### Backend Model (`backend/models/user.py`)
+
+Add the following fields to the `User` class:
+
+```python
+marked_for_deletion: bool = False
+marked_for_deletion_at: datetime | None = None
+```
+
+- Update `to_dict()` and `from_dict()` methods to serialize these fields.
+- Import `datetime` from Python standard library if not already imported.
+
+### Frontend Model (`frontend/vue-app/src/common/models.ts`)
+
+Add matching fields to the `User` interface:
+
+```typescript
+marked_for_deletion: boolean;
+marked_for_deletion_at: string | null;
+```
+
+---
+
+## Backend Implementation
+
+### New Error Codes (`backend/api/error_codes.py`)
+
+Add the following error code:
+
+```python
+ACCOUNT_MARKED_FOR_DELETION = 'ACCOUNT_MARKED_FOR_DELETION'
+ALREADY_MARKED = 'ALREADY_MARKED'
+```
+
+### New API Endpoint (`backend/api/user_api.py`)
+
+**Endpoint:** `POST /api/user/mark-for-deletion`
+
+**Authentication:** Requires valid JWT (authenticated user).
+
+**Request:**
+
+```json
+{}
+```
+
+(Empty body; user is identified from JWT token)
+
+**Response:**
+
+- **Success (200):**
+  ```json
+  { "success": true }
+  ```
+- **Error (400/401/403):**
+  ```json
+  { "error": "Error message", "code": "INVALID_USER" | "ALREADY_MARKED" }
+  ```
+
+**Logic:**
+
+1. Extract current user from JWT token.
+2. Validate user exists in database.
+3. Check if already marked for deletion:
+   - If `marked_for_deletion == True`, return error with code `ALREADY_MARKED` (or make idempotent and return success).
+4. Set `marked_for_deletion = True` and `marked_for_deletion_at = datetime.now(timezone.utc)`.
+5. Save user to database using `users_db.update()`.
+6. Trigger SSE event: `send_event_for_current_user('user_marked_for_deletion', { 'user_id': user.id })`.
+7. Return success response.
+
+### Login Blocking (`backend/api/auth_api.py`)
+
+In the `/api/login` endpoint, after validating credentials:
+
+1. Check if `user.marked_for_deletion == True`.
+2. If yes, return:
+   ```json
+   {
+     "error": "This account has been marked for deletion and cannot be accessed.",
+     "code": "ACCOUNT_MARKED_FOR_DELETION"
+   }
+   ```
+   with HTTP status `403`.
+
+### Password Reset Blocking (`backend/api/user_api.py`)
+
+In the `/api/user/request-reset` endpoint:
+
+1. After finding the user by email, check if `user.marked_for_deletion == True`.
+2. If yes, **silently ignore the request**:
+   - Do not send an email.
+   - Return success response (to avoid leaking account status).
+
+### SSE Event (`backend/events/types/event_types.py`)
+
+Add new event type:
+
+```python
+USER_MARKED_FOR_DELETION = 'user_marked_for_deletion'
+```
+
+---
+
+## Frontend Implementation
+
+### Files Affected
+
+- `frontend/vue-app/src/components/parent/UserProfile.vue`
+- `frontend/vue-app/src/common/models.ts`
+- `frontend/vue-app/src/common/errorCodes.ts`
+
+### Error Codes (`frontend/vue-app/src/common/errorCodes.ts`)
+
+Add:
+
+```typescript
+export const ACCOUNT_MARKED_FOR_DELETION = "ACCOUNT_MARKED_FOR_DELETION";
+export const ALREADY_MARKED = "ALREADY_MARKED";
+```
+
+### UI Components (`UserProfile.vue`)
+
+#### 1. Delete Account Button
+
+- **Label:** "Delete My Account"
+- **Style:** `.btn-danger-link` (use `--danger` color from `colors.css`)
+- **Placement:** Below "Change Password" link, with `24px` margin-top
+- **Behavior:** Opens warning modal on click
+
+#### 2. Warning Modal (uses `ModalDialog.vue`)
+
+- **Title:** "Delete Your Account?"
+- **Body:**  
+  "This will permanently delete your account and all associated data. This action cannot be undone."
+- **Email Confirmation Input:**
+  - Require user to type their email address to confirm.
+  - Display message: "Type your email address to confirm:"
+  - Input field with `v-model` bound to `confirmEmail` ref.
+- **Buttons:**
+  - **"Cancel"** (`.btn-secondary`) — closes modal
+  - **"Delete My Account"** (`.btn-danger`) — disabled until `confirmEmail` matches user email, triggers API call
+
+#### 3. Loading State
+
+- Disable "Delete My Account" button during API call.
+- Show loading spinner or "Deleting..." text.
+
+#### 4. Success Modal
+
+- **Title:** "Account Deleted"
+- **Body:**  
+  "Your account has been marked for deletion. You will now be signed out."
+- **Button:** "OK" (closes modal, triggers `logoutUser()` and redirects to `/auth/login`)
+
+#### 5. Error Modal
+
+- **Title:** "Error"
+- **Body:** Display error message from API using `parseErrorResponse(res).msg`.
+- **Button:** "Close"
+
+### Frontend Logic
+
+1. User clicks "Delete My Account" button.
+2. Warning modal opens with email confirmation input.
+3. User types email and clicks "Delete My Account".
+4. Frontend calls `POST /api/user/mark-for-deletion`.
+5. On success:
+   - Close warning modal.
+   - Show success modal.
+   - On "OK" click: call `logoutUser()` from `stores/auth.ts`, redirect to `/auth/login`.
+6. On error:
+   - Close warning modal.
+   - Show error modal with message from API.
+
+---
+
+## Testing
+
+### Backend Tests (`backend/tests/test_user_api.py`)
+
+- [x] Test marking a valid user account (200, `marked_for_deletion = True`, `marked_for_deletion_at` is set).
+- [x] Test marking an already-marked account (return error with `ALREADY_MARKED` or be idempotent).
+- [x] Test marking with invalid JWT (401).
+- [x] Test marking with missing JWT (401).
+- [x] Test login attempt by marked user (403, `ACCOUNT_MARKED_FOR_DELETION`).
+- [x] Test password reset request by marked user (silently ignored, returns 200 but no email sent).
+- [x] Test SSE event is triggered after marking.
+
+### Frontend Tests (`frontend/vue-app/src/components/__tests__/UserProfile.spec.ts`)
+
+- [x] Test "Delete My Account" button renders.
+- [x] Test warning modal opens on button click.
+- [x] Test "Delete My Account" button in modal is disabled until email matches.
+- [x] Test API call is made when user confirms with correct email.
+- [x] Test success modal shows after successful API response.
+- [x] Test error modal shows on API failure (with error message).
+- [x] Test user is signed out after success (calls `logoutUser()`).
+- [x] Test redirect to login page after sign-out.
+- [x] Test button is disabled during loading.
+
+---
+
+## Future Considerations
+
+- A background scheduler will be implemented to physically delete marked accounts after a grace period (e.g., 30 days).
+- Admin panel to view and manage marked accounts.
+- Email notification to user when account is marked for deletion (with grace period details).
+
+---
+
+## Acceptance Criteria (Definition of Done)
+
+### Data Model
+
+- [x] Add `marked_for_deletion` and `marked_for_deletion_at` fields to `User` model (backend).
+- [x] Add matching fields to `User` interface (frontend).
+- [x] Update `to_dict()` and `from_dict()` methods in `User` model.
+
+### Backend
+
+- [x] Create `POST /api/user/mark-for-deletion` endpoint.
+- [x] Add `ACCOUNT_MARKED_FOR_DELETION` and `ALREADY_MARKED` error codes.
+- [x] Block login for marked users in `/api/login`.
+- [x] Block password reset for marked users in `/api/user/request-reset`.
+- [x] Trigger `user_marked_for_deletion` SSE event after marking.
+- [x] All backend tests pass.
+
+### Frontend
+
+- [x] Add "Delete My Account" button to `UserProfile.vue` below "Change Password".
+- [x] Implement warning modal with email confirmation.
+- [x] Implement success modal.
+- [x] Implement error modal.
+- [x] Implement loading state during API call.
+- [x] Sign out user after successful account marking.
+- [x] Redirect to login page after sign-out.
+- [x] Add `ACCOUNT_MARKED_FOR_DELETION` and `ALREADY_MARKED` to `errorCodes.ts`.
+- [x] All frontend tests pass.

.github/specs/archive/profile-button-menu/feat-profile-icon-button-menu.md

@@ -0,0 +1,65 @@
+# Feature: Replace the text-based "Parent" button with an image icon and modernize the dropdown menu
+
+## Visual Reference:
+
+- **Sample Design:** #mockup.png
+- **Design:**
+  1. Dropdown header colors need to match color theme inside #colors.css
+  2. The icon button shall be circular and use all the space of it's container. It should be centered in it's container.
+  3. The three dropdown items should be "Profile", "Child Mode", and "Sign out"
+  4. Currently, the dropdown shows "Log out" for "Child Mode", that should be changed to "Child Mode"
+
+## Context:
+
+- **Goal:** I want a user image icon to display in place of the current "Parent" button
+- **User Story:** As a [user], I want to see the image assigned in my profile as an icon button at the top right of the screen. When I click the button I want to see a dropdown appear if I'm in 'parent mode.' I to have the options to see/edit my profile, go back to child mode, or sign out. In child mode, I want the button to trigger the parent pin modal if clicked.
+
+## Technical Requirements
+
+- **File Affected:** LoginButton.vue, ParentLayout.vue, ChildLayout.vue, AuthLayout.vue
+- **Backend:** When LoginButton loads, it should query the backend for the current user data (/user/profile) The returned data will provide the image_id and first_name of the user.
+- **Navigation:**
+  1. When the avatar button is focused, pressing Enter or Space opens the dropdown.
+  2. When the dropdown is open:
+  - Up/Down arrow keys move focus between menu items.
+  - Enter or Space activates the focused menu item.
+  - Esc closes the dropdown and returns focus to the avatar button.
+  3. Tabbing away from the dropdown closes it.
+- **ARIA:**
+  1. The avatar button must have aria-haspopup="menu" and aria-expanded reflecting the dropdown state.
+  2. The dropdown menu must use role="menu", and each item must use role="menuitem".
+  3. The currently focused menu item should have aria-selected="true".
+- **Focus Ring:** All interactive elements (avatar button and dropdown menu items) must display a visible focus ring when focused via keyboard navigation. The focus ring color should use a theme variable from colors.css and meet accessibility contrast guidelines.
+- **Mobile & Layout:**
+  1. The avatar icon button must always be positioned at the top right of the screen, regardless of device size.
+  2. The icon must never exceed 44px in width or height.
+  3. On mobile, ensure the button is at least 44x44px for touch accessibility.
+- **Avatar Fallback:** If user.first_name does not exist, display a ? as the fallback initial.
+- **Dropdown Placement and Animation:**
+  1. The dropdown menu must always appear directly below the avatar icon, right-aligned to the screen edge.
+  2. Use a slide down/up animation for showing/hiding the dropdown.
+- **State Requirements:**
+  - Collapsed: Button shows the user.image_id or a fallback icon with the initial of the user.first_name
+  - Expanded: Shows the dropdown with the three menu options shown in the #mockup.png. -**Menu Item Icons:**: For now, use a stub element or placeholder for each menu item icon, to be replaced with real icons later.
+- **Logic:**
+  1. Clicking an item in the dropdown should already be implemented. Do not change this.
+  2. When clicking a menu item or clicking outside the menu, collapse the menu.
+  3. When in 'child mode' (parent not authenticated), show the parent PIN modal or create PIN view (/parent/pin-setup) if user.pin doesn't exist or is empty. (this is already implemented)
+
+## UI Acceptance Criteria (The "Definition of Done")
+
+- [x] UI: Swap the "Parent" button with the user's avatar image.
+- [x] UI: Refactor #LoginButton.vue to use new CSS generated from #mockup.png
+- [x] Logic: Make sure the dropdown does not show when in child mode.
+- [x] Logic: Make sure the parent PIN modal shows when the button is pressed in child mode.
+- [x] Logic: Make sure the parent PIN creation view shows when the button is pressed in child mode if no user.pin doesn't exist or is empty.
+- [x] Frontend Tests: Add vitest for this feature in the frontend to make sure the logic for button clicking in parent mode and child mode act correctly.
+  1. [x] Avatar button renders image, initial, or ? as fallback
+  2. [x] Dropdown opens/closes via click, Enter, Space, Esc, and outside click.
+  3. [x] Dropdown is positioned and animated correctly.
+  4. [x] Keyboard navigation (Up/Down, Enter, Space, Esc) works as specified.
+  5. [x] ARIA attributes and roles are set correctly.
+  6. [x] Focus ring is visible and uses theme color.
+  7. [x] Avatar button meets size and position requirements on all devices.
+  8. [x] Menu logic for parent/child mode is correct.
+  9. [x] Stub icons are rendered for menu items.

.github/specs/template/feat-template.md

@@ -0,0 +1,49 @@
+# Feature:
+
+## Overview
+
+**Goal:**
+
+**User Story:**
+
+**Rules:**
+
+---
+
+## Data Model Changes
+
+### Backend Model
+
+### Frontend Model
+
+---
+
+## Backend Implementation
+
+## Backend Tests
+
+- [ ]
+
+---
+
+## Frontend Implementation
+
+## Frontend Tests
+
+- [ ]
+
+---
+
+## Future Considerations
+
+---
+
+## Acceptance Criteria (Definition of Done)
+
+### Backend
+
+- [ ]
+
+### Frontend
+
+- [ ]

.gitignore

@@ -1,78 +1,9 @@
-# Python
-__pycache__/
-*.py[cod]
-*$py.class
-*.so
-.Python
-build/
-develop-eggs/
-dist/
-downloads/
-eggs/
-.eggs/
-lib/
-lib64/
-parts/
-sdist/
-var/
-wheels/
-*.egg-info/
-.installed.cfg
-*.egg
-PIPFILE.lock
-
-# Virtual Environment
-venv/
-ENV/
-env/
-.venv
-
-# PyCharm
-.idea/
-*.iml
-*.iws
-.idea_modules/
-
-# VS Code
-.vscode/
-
-# Database files
-*.db
-*.sqlite
-*.sqlite3
-data/db/*.json
-
-# Flask
-instance/
-.webassets-cache
-
-# Environment variables
 .env
-.env.local
-.env.*.local
-
-# Node.js / Vue (web directory)
-web/node_modules/
-web/npm-debug.log*
-web/yarn-debug.log*
-web/yarn-error.log*
-web/dist/
-web/.nuxt/
-web/.cache/
-
-# OS files
-.DS_Store
-Thumbs.db
-*.swp
-*.swo
-*~
-
-# Logs
-*.log
-logs/
-
-# Testing
-.pytest_cache/
-.coverage
-htmlcov/
-.tox/
+backend/test_data/db/children.json
+backend/test_data/db/images.json
+backend/test_data/db/pending_rewards.json
+backend/test_data/db/rewards.json
+backend/test_data/db/tasks.json
+backend/test_data/db/users.json
+logs/account_deletion.log
+backend/test_data/db/tracking_events.json

.idea/.gitignore

@@ -0,0 +1,5 @@
+# Default ignored files
+/shelf/
+/workspace.xml
+# Editor-based HTTP Client requests
+/httpRequests/

.idea/Reward.iml

@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<module type="PYTHON_MODULE" version="4">
+  <component name="NewModuleRootManager">
+    <content url="file://$MODULE_DIR$" />
+    <orderEntry type="jdk" jdkName="Python 3.12 (Reward)" jdkType="Python SDK" />
+    <orderEntry type="sourceFolder" forTests="false" />
+  </component>
+  <component name="PyDocumentationSettings">
+    <option name="format" value="PLAIN" />
+    <option name="myDocStringFormat" value="Plain" />
+  </component>
+  <component name="TestRunnerService">
+    <option name="PROJECT_TEST_RUNNER" value="py.test" />
+  </component>
+</module>

.idea/copilot.data.migration.agent.xml

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="AgentMigrationStateService">
+    <option name="migrationStatus" value="COMPLETED" />
+  </component>
+</project>

.idea/copilot.data.migration.ask2agent.xml

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="Ask2AgentMigrationStateService">
+    <option name="migrationStatus" value="COMPLETED" />
+  </component>
+</project>

.idea/copilot.data.migration.edit.xml

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="EditMigrationStateService">
+    <option name="migrationStatus" value="COMPLETED" />
+  </component>
+</project>

.idea/inspectionProfiles/Project_Default.xml

@@ -0,0 +1,10 @@
+<component name="InspectionProjectProfileManager">
+  <profile version="1.0">
+    <option name="myName" value="Project Default" />
+    <inspection_tool class="PyPackageRequirementsInspection" enabled="true" level="WARNING" enabled_by_default="true">
+      <option name="ignoredPackages">
+        <list />
+      </option>
+    </inspection_tool>
+  </profile>
+</component>

.idea/inspectionProfiles/profiles_settings.xml

@@ -0,0 +1,6 @@
+<component name="InspectionProjectProfileManager">
+  <settings>
+    <option name="USE_PROJECT_PROFILE" value="false" />
+    <version value="1.0" />
+  </settings>
+</component>

.idea/misc.xml

@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="ProjectRootManager" version="2" project-jdk-name="Python 3.12 (Reward)" project-jdk-type="Python SDK" />
+</project>

.idea/modules.xml

@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="ProjectModuleManager">
+    <modules>
+      <module fileurl="file://$PROJECT_DIR$/.idea/Reward.iml" filepath="$PROJECT_DIR$/.idea/Reward.iml" />
+    </modules>
+  </component>
+</project>

.idea/vcs.xml

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="VcsDirectoryMappings">
+    <mapping directory="" vcs="Git" />
+  </component>
+</project>

.vscode/extensions.json

@@ -0,0 +1,9 @@
+{
+  "recommendations": [
+    "Vue.volar",
+    "vitest.explorer",
+    "dbaeumer.vscode-eslint",
+    "EditorConfig.EditorConfig",
+    "esbenp.prettier-vscode"
+  ]
+}

.vscode/launch.json

@@ -0,0 +1,88 @@
+{
+  "version": "0.2.0",
+  "configurations": [
+    {
+      "name": "Python: Flask",
+      "type": "python",
+      "request": "launch",
+      "module": "flask",
+      "python": "${command:python.interpreterPath}",
+      "env": {
+        "FLASK_APP": "backend/main.py",
+        "FLASK_DEBUG": "1"
+      },
+      "args": [
+        "run",
+        "--host=0.0.0.0",
+        "--port=5000",
+        "--no-debugger",
+        "--no-reload"
+      ],
+      "cwd": "${workspaceFolder}/backend",
+      "console": "integratedTerminal"
+    },
+    {
+      "name": "Vue: Dev Server",
+      "type": "node",
+      "request": "launch",
+      "runtimeExecutable": "npm",
+      "runtimeArgs": [
+        "run",
+        "dev"
+      ],
+      "cwd": "${workspaceFolder}/frontend/vue-app",
+      "console": "integratedTerminal"
+    },
+    {
+      "name": "Chrome: Launch (Vue App)",
+      "type": "pwa-chrome",
+      "request": "launch",
+      "url": "http://localhost:5173",
+      "webRoot": "${workspaceFolder}/frontend/vue-app"
+    },
+    {
+      "name": "Python: Backend Tests",
+      "type": "python",
+      "request": "launch",
+      "module": "pytest",
+      "args": [
+        "tests/"
+      ],
+      "cwd": "${workspaceFolder}/backend",
+      "console": "integratedTerminal",
+      "env": {
+        "PYTHONPATH": "${workspaceFolder}/backend"
+      }
+    },
+    {
+      "name": "Vue: Frontend Tests",
+      "type": "node",
+      "request": "launch",
+      "runtimeExecutable": "npm",
+      "windows": {
+        "runtimeExecutable": "npm.cmd"
+      },
+      "runtimeArgs": [
+        "run",
+        "test:unit"
+      ],
+      "cwd": "${workspaceFolder}/frontend/vue-app",
+      "console": "integratedTerminal",
+      "osx": {
+        "env": {
+          "PATH": "/opt/homebrew/bin:${env:PATH}"
+        }
+      }
+    }
+  ],
+  "compounds": [
+    {
+      "name": "Full Stack (Backend + Frontend)",
+      "configurations": [
+        "Python: Flask",
+        "Vue: Dev Server",
+        "Chrome: Launch (Vue App)"
+      ]
+    }
+  ]
+}

.vscode/launch.json.bak

@@ -0,0 +1,77 @@
+{
+  "version": "0.2.0",
+  "configurations": [
+    {
+      "name": "Python: Flask",
+      "type": "debugpy",
+      "request": "launch",
+      "module": "flask",
+      "python": "${command:python.interpreterPath}",
+      "env": {
+        "FLASK_APP": "backend/main.py",
+        "FLASK_DEBUG": "1"
+      },
+      "args": [
+        "run",
+        "--host=0.0.0.0",
+        "--port=5000",
+        "--no-debugger",
+        "--no-reload"
+      ]
+    },
+    {
+      "name": "Vue: Dev Server",
+      "type": "node",
+      "request": "launch",
+      "runtimeExecutable": "npm",
+      "runtimeArgs": [
+        "run",
+        "dev"
+      ],
+      "cwd": "${workspaceFolder}/frontend/vue-app",
+      "console": "integratedTerminal"
+    },
+    {
+      "name": "Chrome: Attach to Vue App",
+      "type": "chrome",
+      "request": "launch",
+      "url": "https://localhost:5173", // or your Vite dev server port
+      "webRoot": "${workspaceFolder}/frontend/vue-app"
+    },
+    {
+      "name": "Python: Backend Tests",
+      "type": "python",
+      "request": "launch",
+      "program": "${workspaceFolder}/backend/.venv/Scripts/pytest.exe",
+      "args": [
+        "tests/"
+      ],
+      "cwd": "${workspaceFolder}/backend",
+      "console": "integratedTerminal",
+      "env": {
+        "PYTHONPATH": "${workspaceFolder}/backend"
+      }
+    },
+    {
+      "name": "Vue: Frontend Tests",
+      "type": "node",
+      "request": "launch",
+      "runtimeExecutable": "npx",
+      "runtimeArgs": [
+        "vitest"
+      ],
+      "cwd": "${workspaceFolder}/frontend/vue-app",
+      "console": "integratedTerminal"
+    }
+  ],
+  "compounds": [
+    {
+      "name": "Full Stack (Backend + Frontend)",
+      "configurations": [
+        "Python: Flask",
+        "Vue: Dev Server",
+        "Chrome: Attach to Vue App"
+      ]
+    }
+  ]
+}

.vscode/settings.json

@@ -0,0 +1,23 @@
+{
+    "explorer.fileNesting.enabled": true,
+    "explorer.fileNesting.patterns": {
+        "tsconfig.json": "tsconfig.*.json, env.d.ts",
+        "vite.config.*": "jsconfig*, vitest.config.*, cypress.config.*, playwright.config.*",
+        "package.json": "package-lock.json, pnpm*, .yarnrc*, yarn*, .eslint*, eslint*, .oxlint*, oxlint*, .prettier*, prettier*, .editorconfig"
+    },
+    "editor.formatOnSave": true,
+    "editor.defaultFormatter": "esbenp.prettier-vscode",
+    "[json]": {
+        "editor.tabSize": 2,
+        "editor.insertSpaces": true
+    },
+    "[jsonc]": {
+        "editor.defaultFormatter": "vscode.json-language-features"
+    },
+    "editor.codeActionsOnSave": {
+        "source.fixAll.eslint": "explicit"
+    },
+    "chat.tools.terminal.autoApprove": {
+        "&": true
+    }
+}

.vscode/tasks.json

@@ -0,0 +1,45 @@
+{
+    "version": "2.0.0",
+    "tasks": [
+        {
+            "label": "Git: Save WIP",
+            "type": "shell",
+            "command": "git save-wip",
+            "group": "build",
+            "presentation": {
+                "reveal": "always",
+                "panel": "shared"
+            }
+        },
+        {
+            "label": "Git: Load WIP",
+            "type": "shell",
+            "command": "git load-wip",
+            "group": "build",
+            "presentation": {
+                "reveal": "always",
+                "panel": "shared"
+            }
+        },
+        {
+            "label": "Git: Reset Cloud WIP",
+            "type": "shell",
+            "command": "git push origin --delete wip-sync",
+            "presentation": {
+                "reveal": "always",
+                "panel": "shared"
+            }
+        },
+        {
+            "label": "Git: Abort WIP (Reset Local)",
+            "type": "shell",
+            "command": "git abort-wip",
+            "group": "none",
+            "presentation": {
+                "reveal": "always",
+                "panel": "shared",
+                "echo": true
+            }
+        }
+    ]
+}

README.md

@@ -0,0 +1,173 @@
+# Reward - Chore & Reward Management System
+
+A family-friendly application for managing chores, tasks, and rewards for children.
+
+## 🏗️ Architecture
+
+- **Backend**: Flask (Python) with TinyDB for data persistence
+- **Frontend**: Vue 3 (TypeScript) with real-time SSE updates
+- **Deployment**: Docker with nginx reverse proxy
+
+## 🚀 Getting Started
+
+### Backend
+
+```bash
+cd backend
+python -m venv .venv
+.venv\Scripts\activate  # Windows
+source .venv/bin/activate  # Linux/Mac
+pip install -r requirements.txt
+python -m flask run --host=0.0.0.0 --port=5000
+```
+
+### Frontend
+
+```bash
+cd frontend/vue-app
+npm install
+npm run dev
+```
+
+## 🔧 Configuration
+
+### Environment Variables
+
+| Variable                           | Description                                   | Default       |
+| ---------------------------------- | --------------------------------------------- | ------------- |
+| `ACCOUNT_DELETION_THRESHOLD_HOURS` | Hours to wait before deleting marked accounts | 720 (30 days) |
+| `DB_ENV`                           | Database environment (`prod` or `test`)       | `prod`        |
+| `DATA_ENV`                         | Data directory environment (`prod` or `test`) | `prod`        |
+
+### Account Deletion Scheduler
+
+The application includes an automated account deletion scheduler that removes user accounts marked for deletion after a configurable threshold period.
+
+**Key Features:**
+
+- Runs every hour checking for accounts due for deletion
+- Configurable threshold between 24 hours (minimum) and 720 hours (maximum)
+- Automatic retry on failure (max 3 attempts)
+- Restart-safe: recovers from interruptions during deletion
+
+**Deletion Process:**
+When an account is marked for deletion, the scheduler will automatically:
+
+1. Remove all pending rewards for the user's children
+2. Remove all children belonging to the user
+3. Remove all user-created tasks
+4. Remove all user-created rewards
+5. Remove uploaded images from database
+6. Delete user's image directory from filesystem
+7. Remove the user account
+
+**Configuration:**
+Set the deletion threshold via environment variable:
+
+```bash
+export ACCOUNT_DELETION_THRESHOLD_HOURS=168  # 7 days
+```
+
+**Monitoring:**
+
+- Logs are written to `logs/account_deletion.log` with rotation (10MB max, 5 backups)
+- Check logs for deletion summaries and any errors
+
+## 🔌 API Endpoints
+
+### Admin Endpoints
+
+All admin endpoints require JWT authentication and **admin role**.
+
+**Note:** Admin users must be created manually or via the provided script (`backend/scripts/create_admin.py`). The admin role cannot be assigned through the signup API for security reasons.
+
+**Creating an Admin User:**
+
+```bash
+cd backend
+python scripts/create_admin.py
+```
+
+#### Account Deletion Management
+
+- `GET /api/admin/deletion-queue` - View users pending deletion
+- `GET /api/admin/deletion-threshold` - Get current deletion threshold
+- `PUT /api/admin/deletion-threshold` - Update deletion threshold (24-720 hours)
+- `POST /api/admin/deletion-queue/trigger` - Manually trigger deletion scheduler
+
+### User Endpoints
+
+- `POST /api/user/mark-for-deletion` - Mark current user's account for deletion
+- `GET /api/me` - Get current user info
+- `POST /api/login` - User login
+- `POST /api/logout` - User logout
+
+## 🧪 Testing
+
+### Backend Tests
+
+```bash
+cd backend
+pytest tests/
+```
+
+### Frontend Tests
+
+```bash
+cd frontend/vue-app
+npm run test
+```
+
+## 📝 Features
+
+- ✅ User authentication with JWT tokens
+- ✅ Child profile management
+- ✅ Task assignment and tracking
+- ✅ Reward system
+- ✅ Real-time updates via SSE
+- ✅ Image upload and management
+- ✅ Account deletion with grace period
+- ✅ Automated cleanup scheduler
+
+## 🔒 Security
+
+- JWT tokens stored in HttpOnly, Secure, SameSite=Strict cookies
+- **Role-Based Access Control (RBAC)**: Admin endpoints protected by admin role validation
+- Admin users can only be created via direct database manipulation or provided script
+- Regular users cannot escalate privileges to admin
+- Account deletion requires email confirmation
+- Marked accounts blocked from login immediately
+
+## 📁 Project Structure
+
+```
+.
+├── backend/
+│   ├── api/              # REST API endpoints
+│   ├── config/           # Configuration files
+│   ├── db/               # TinyDB setup
+│   ├── events/           # SSE event system
+│   ├── models/           # Data models
+│   ├── tests/            # Backend tests
+│   └── utils/            # Utilities (scheduler, etc)
+├── frontend/
+│   └── vue-app/
+│       └── src/
+│           ├── common/   # Shared utilities
+│           ├── components/ # Vue components
+│           └── layout/   # Layout components
+└── .github/
+    └── specs/            # Feature specifications
+```
+
+## 🛠️ Development
+
+For detailed development patterns and conventions, see [`.github/copilot-instructions.md`](.github/copilot-instructions.md).
+
+## 📚 References
+
+- Reset flow (token validation, JWT invalidation, cross-tab logout sync): [`docs/reset-password-reference.md`](docs/reset-password-reference.md)
+
+## 📄 License
+
+Private project - All rights reserved.

api/child_api.py

@@ -1,671 +0,0 @@
-from flask import Blueprint, request, jsonify
-from tinydb import Query
-from db.db import child_db, task_db, reward_db, pending_reward_db
-from api.reward_status import RewardStatus
-from api.child_tasks import ChildTask
-from api.child_rewards import ChildReward
-from events.sse import send_event_to_user
-from events.types.child_modified import ChildModified
-from events.types.child_reward_request import ChildRewardRequest
-from events.types.child_reward_triggered import ChildRewardTriggered
-from events.types.child_rewards_set import ChildRewardsSet
-from events.types.child_task_triggered import ChildTaskTriggered
-from events.types.child_tasks_set import ChildTasksSet
-from events.types.event import Event
-from events.types.event_types import EventType
-from api.pending_reward import PendingReward as PendingRewardResponse
-
-from models.child import Child
-from models.pending_reward import PendingReward
-from models.task import Task
-from models.reward import Reward
-
-child_api = Blueprint('child_api', __name__)
-
-@child_api.route('/child/<name>', methods=['GET'])
-@child_api.route('/child/<id>', methods=['GET'])
-def get_child(id):
-    ChildQuery = Query()
-    result = child_db.search(ChildQuery.id == id)
-    if not result:
-        return jsonify({'error': 'Child not found'}), 404
-    return jsonify(Child.from_dict(result[0]).to_dict()), 200
-
-@child_api.route('/child/add', methods=['PUT'])
-def add_child():
-    data = request.get_json()
-    name = data.get('name')
-    age = data.get('age')
-    image = data.get('image_id', None)
-    if not name:
-        return jsonify({'error': 'Name is required'}), 400
-    if not image:
-        image = 'boy01'
-
-    child = Child(name=name, age=age, image_id=image)
-    child_db.insert(child.to_dict())
-    send_event_to_user("user123", Event(EventType.CHILD_MODIFIED.value, ChildModified(child.id, ChildModified.OPERATION_ADD)))
-    return jsonify({'message': f'Child {name} added.'}), 201
-
-@child_api.route('/child/<id>/edit', methods=['PUT'])
-def edit_child(id):
-    data = request.get_json()
-    name = data.get('name', None)
-    age = data.get('age', None)
-    points = data.get('points', None)
-    image = data.get('image_id', None)
-    ChildQuery = Query()
-    result = child_db.search(ChildQuery.id == id)
-    if not result:
-        return jsonify({'error': 'Child not found'}), 404
-    child = Child.from_dict(result[0])
-
-    if name is not None:
-        child.name = name
-    if age is not None:
-        child.age = age
-    if points is not None:
-        child.points = points
-    if image is not None:
-        child.image_id = image
-
-    # Check if points changed and handle pending rewards
-    if points is not None:
-        PendingQuery = Query()
-        pending_rewards = pending_reward_db.search(PendingQuery.child_id == id)
-
-        RewardQuery = Query()
-        for pr in pending_rewards:
-            pending = PendingReward.from_dict(pr)
-            reward_result = reward_db.get(RewardQuery.id == pending.reward_id)
-            if reward_result:
-                reward = Reward.from_dict(reward_result)
-                # If child can no longer afford the reward, remove the pending request
-                if child.points < reward.cost:
-                    pending_reward_db.remove(
-                        (PendingQuery.child_id == id) & (PendingQuery.reward_id == reward.id)
-                    )
-                    send_event_to_user(
-                        "user123",
-                        Event(
-                            EventType.CHILD_REWARD_REQUEST.value,
-                            ChildRewardRequest(id, reward.id, ChildRewardRequest.REQUEST_CANCELLED)
-                        )
-                    )
-
-    child_db.update(child.to_dict(), ChildQuery.id == id)
-    send_event_to_user("user123", Event(EventType.CHILD_MODIFIED.value, ChildModified(id, ChildModified.OPERATION_EDIT)))
-    return jsonify({'message': f'Child {id} updated.'}), 200
-
-@child_api.route('/child/list', methods=['GET'])
-def list_children():
-    children = child_db.all()
-    return jsonify({'children': children}), 200
-
-# Child DELETE
-@child_api.route('/child/<id>', methods=['DELETE'])
-def delete_child(id):
-    ChildQuery = Query()
-    if child_db.remove(ChildQuery.id == id):
-        send_event_to_user("user123",
-                           Event(EventType.CHILD_MODIFIED.value, ChildModified(id, ChildModified.OPERATION_DELETE)))
-        return jsonify({'message': f'Child {id} deleted.'}), 200
-    return jsonify({'error': 'Child not found'}), 404
-
-@child_api.route('/child/<id>/assign-task', methods=['POST'])
-def assign_task_to_child(id):
-    data = request.get_json()
-    task_id = data.get('task_id')
-    if not task_id:
-        return jsonify({'error': 'task_id is required'}), 400
-
-    ChildQuery = Query()
-    result = child_db.search(ChildQuery.id == id)
-    if not result:
-        return jsonify({'error': 'Child not found'}), 404
-
-    child = result[0]
-    if task_id not in child.get('tasks', []):
-        child['tasks'].append(task_id)
-        child_db.update({'tasks': child['tasks']}, ChildQuery.id == id)
-    return jsonify({'message': f'Task {task_id} assigned to {child['name']}.'}), 200
-
-# python
-@child_api.route('/child/<id>/set-tasks', methods=['PUT'])
-def set_child_tasks(id):
-    data = request.get_json() or {}
-    task_ids = data.get('task_ids')
-    if not isinstance(task_ids, list):
-        return jsonify({'error': 'task_ids must be a list'}), 400
-
-    # Deduplicate and drop falsy values
-    new_task_ids = [tid for tid in dict.fromkeys(task_ids) if tid]
-
-    ChildQuery = Query()
-    result = child_db.search(ChildQuery.id == id)
-    if not result:
-        return jsonify({'error': 'Child not found'}), 404
-
-    # Optional: validate task IDs exist in the task DB
-    TaskQuery = Query()
-    valid_task_ids = []
-    for tid in new_task_ids:
-        if task_db.get(TaskQuery.id == tid):
-            valid_task_ids.append(tid)
-    # Replace tasks with validated IDs
-    child_db.update({'tasks': valid_task_ids}, ChildQuery.id == id)
-    send_event_to_user("user123", Event(EventType.CHILD_TASKS_SET.value, ChildTasksSet(id, valid_task_ids)))
-    return jsonify({
-        'message': f'Tasks set for child {id}.',
-        'task_ids': valid_task_ids,
-        'count': len(valid_task_ids)
-    }), 200
-
-
-
-@child_api.route('/child/<id>/remove-task', methods=['POST'])
-def remove_task_from_child(id):
-    data = request.get_json()
-    task_id = data.get('task_id')
-    if not task_id:
-        return jsonify({'error': 'task_id is required'}), 400
-
-    ChildQuery = Query()
-    result = child_db.search(ChildQuery.id == id)
-    if not result:
-        return jsonify({'error': 'Child not found'}), 404
-
-    child = result[0]
-    if task_id in child.get('tasks', []):
-        child['tasks'].remove(task_id)
-        child_db.update({'tasks': child['tasks']}, ChildQuery.id == id)
-        return jsonify({'message': f'Task {task_id} removed from {child["name"]}.'}), 200
-    return jsonify({'error': 'Task not assigned to child'}), 400
-
-@child_api.route('/child/<id>/list-tasks', methods=['GET'])
-def list_child_tasks(id):
-    ChildQuery = Query()
-    result = child_db.search(ChildQuery.id == id)
-    if not result:
-        return jsonify({'error': 'Child not found'}), 404
-
-    child = result[0]
-    task_ids = child.get('tasks', [])
-
-    TaskQuery = Query()
-    child_tasks = []
-    for tid in task_ids:
-        task = task_db.get(TaskQuery.id == tid)
-        if not task:
-            continue
-        ct = ChildTask(task.get('name'), task.get('is_good'), task.get('points'), task.get('image_id'), task.get('id'))
-        child_tasks.append(ct.to_dict())
-
-    return jsonify({'tasks': child_tasks}), 200
-
-@child_api.route('/child/<id>/list-assignable-tasks', methods=['GET'])
-def list_assignable_tasks(id):
-    ChildQuery = Query()
-    result = child_db.search(ChildQuery.id == id)
-    if not result:
-        return jsonify({'error': 'Child not found'}), 404
-
-    child = result[0]
-    assigned_ids = set(child.get('tasks', []))
-
-    # Collect all task ids from the task database
-    all_task_ids = [t.get('id') for t in task_db.all() if t and t.get('id')]
-
-    # Filter out already assigned
-    assignable_ids = [tid for tid in all_task_ids if tid not in assigned_ids]
-
-    # Fetch full task details and wrap in ChildTask
-    TaskQuery = Query()
-    assignable_tasks = []
-    for tid in assignable_ids:
-        task = task_db.get(TaskQuery.id == tid)
-        if not task:
-            continue
-        ct = ChildTask(task.get('name'), task.get('is_good'), task.get('points'), task.get('image_id'), task.get('id'))
-        assignable_tasks.append(ct.to_dict())
-
-    return jsonify({'tasks': assignable_tasks, 'count': len(assignable_tasks)}), 200
-
-
-@child_api.route('/child/<id>/list-all-tasks', methods=['GET'])
-def list_all_tasks(id):
-    ChildQuery = Query()
-    result = child_db.search(ChildQuery.id == id)
-    if not result:
-        return jsonify({'error': 'Child not found'}), 404
-
-    child = result[0]
-    assigned_ids = set(child.get('tasks', []))
-
-    # Get all tasks from database
-    all_tasks = task_db.all()
-
-    assigned_tasks = []
-    assignable_tasks = []
-
-    for task in all_tasks:
-        if not task or not task.get('id'):
-            continue
-
-        ct = ChildTask(
-            task.get('name'),
-            task.get('is_good'),
-            task.get('points'),
-            task.get('image_id'),
-            task.get('id')
-        )
-
-        if task.get('id') in assigned_ids:
-            assigned_tasks.append(ct.to_dict())
-        else:
-            assignable_tasks.append(ct.to_dict())
-
-    return jsonify({
-        'assigned_tasks': assigned_tasks,
-        'assignable_tasks': assignable_tasks,
-        'assigned_count': len(assigned_tasks),
-        'assignable_count': len(assignable_tasks)
-    }), 200
-
-
-@child_api.route('/child/<id>/trigger-task', methods=['POST'])
-def trigger_child_task(id):
-    data = request.get_json()
-    task_id = data.get('task_id')
-    if not task_id:
-        return jsonify({'error': 'task_id is required'}), 400
-
-    ChildQuery = Query()
-    result = child_db.search(ChildQuery.id == id)
-    if not result:
-        return jsonify({'error': 'Child not found'}), 404
-
-    child: Child = Child.from_dict(result[0])
-    if task_id not in child.tasks:
-        return jsonify({'error': f'Task not found assigned to child {child.name}'}), 404
-    # look up  the task and get the details
-    TaskQuery = Query()
-    task_result = task_db.search(TaskQuery.id == task_id)
-    if not task_result:
-        return jsonify({'error': 'Task not found in task database'}), 404
-    task: Task = Task.from_dict(task_result[0])
-    # update the child's points based on task type
-    if task.is_good:
-        child.points += task.points
-    else:
-        child.points -= task.points
-        child.points = max(child.points, 0)
-    # update the child in the database
-    child_db.update({'points': child.points}, ChildQuery.id == id)
-    send_event_to_user("user123", Event(EventType.CHILD_TASK_TRIGGERED.value, ChildTaskTriggered(task.id, child.id,  child.points)))
-
-    return jsonify({'message': f'{task.name} points assigned to {child.name}.', 'points': child.points, 'id': child.id}), 200
-
-@child_api.route('/child/<id>/assign-reward', methods=['POST'])
-def assign_reward_to_child(id):
-    data = request.get_json()
-    reward_id = data.get('reward_id')
-    if not reward_id:
-        return jsonify({'error': 'reward_id is required'}), 400
-
-    ChildQuery = Query()
-    result = child_db.search(ChildQuery.id == id)
-    if not result:
-        return jsonify({'error': 'Child not found'}), 404
-
-    child = result[0]
-    if reward_id not in child.get('rewards', []):
-        child['rewards'].append(reward_id)
-        child_db.update({'rewards': child['rewards']}, ChildQuery.id == id)
-    return jsonify({'message': f'Reward {reward_id} assigned to {child["name"]}.'}), 200
-
-@child_api.route('/child/<id>/list-all-rewards', methods=['GET'])
-def list_all_rewards(id):
-    ChildQuery = Query()
-    result = child_db.search(ChildQuery.id == id)
-    if not result:
-        return jsonify({'error': 'Child not found'}), 404
-
-    child = result[0]
-    assigned_ids = set(child.get('rewards', []))
-
-    # Get all rewards from database
-    all_rewards = reward_db.all()
-
-    assigned_rewards = []
-    assignable_rewards = []
-
-    for reward in all_rewards:
-        if not reward or not reward.get('id'):
-            continue
-
-        cr = ChildReward(
-            reward.get('name'),
-            reward.get('cost'),
-            reward.get('image_id'),
-            reward.get('id')
-        )
-
-        if reward.get('id') in assigned_ids:
-            assigned_rewards.append(cr.to_dict())
-        else:
-            assignable_rewards.append(cr.to_dict())
-
-    return jsonify({
-        'assigned_rewards': assigned_rewards,
-        'assignable_rewards': assignable_rewards,
-        'assigned_count': len(assigned_rewards),
-        'assignable_count': len(assignable_rewards)
-    }), 200
-
-
-@child_api.route('/child/<id>/set-rewards', methods=['PUT'])
-def set_child_rewards(id):
-    data = request.get_json() or {}
-    reward_ids = data.get('reward_ids')
-    if not isinstance(reward_ids, list):
-        return jsonify({'error': 'reward_ids must be a list'}), 400
-
-    # Deduplicate and drop falsy values
-    new_reward_ids = [rid for rid in dict.fromkeys(reward_ids) if rid]
-
-    ChildQuery = Query()
-    result = child_db.search(ChildQuery.id == id)
-    if not result:
-        return jsonify({'error': 'Child not found'}), 404
-
-    # Optional: validate reward IDs exist in the reward DB
-    RewardQuery = Query()
-    valid_reward_ids = []
-    for rid in new_reward_ids:
-        if reward_db.get(RewardQuery.id == rid):
-            valid_reward_ids.append(rid)
-
-    # Replace rewards with validated IDs
-    child_db.update({'rewards': valid_reward_ids}, ChildQuery.id == id)
-    send_event_to_user("user123", Event(EventType.CHILD_REWARDS_SET.value, ChildRewardsSet(id, valid_reward_ids)))
-    return jsonify({
-        'message': f'Rewards set for child {id}.',
-        'reward_ids': valid_reward_ids,
-        'count': len(valid_reward_ids)
-    }), 200
-
-
-@child_api.route('/child/<id>/remove-reward', methods=['POST'])
-def remove_reward_from_child(id):
-    data = request.get_json()
-    reward_id = data.get('reward_id')
-    if not reward_id:
-        return jsonify({'error': 'reward_id is required'}), 400
-
-    ChildQuery = Query()
-    result = child_db.search(ChildQuery.id == id)
-    if not result:
-        return jsonify({'error': 'Child not found'}), 404
-
-    child = result[0]
-    if reward_id in child.get('rewards', []):
-        child['rewards'].remove(reward_id)
-        child_db.update({'rewards': child['rewards']}, ChildQuery.id == id)
-        return jsonify({'message': f'Reward {reward_id} removed from {child["name"]}.'}), 200
-    return jsonify({'error': 'Reward not assigned to child'}), 400
-
-@child_api.route('/child/<id>/list-rewards', methods=['GET'])
-def list_child_rewards(id):
-    ChildQuery = Query()
-    result = child_db.search(ChildQuery.id == id)
-    if not result:
-        return jsonify({'error': 'Child not found'}), 404
-
-    child = result[0]
-    reward_ids = child.get('rewards', [])
-
-    RewardQuery = Query()
-    child_rewards = []
-    for rid in reward_ids:
-        reward = reward_db.get(RewardQuery.id == rid)
-        if not reward:
-            continue
-        cr = ChildReward(reward.get('name'), reward.get('cost'), reward.get('image_id'), reward.get('id'))
-        child_rewards.append(cr.to_dict())
-
-    return jsonify({'rewards': child_rewards}), 200
-
-@child_api.route('/child/<id>/list-assignable-rewards', methods=['GET'])
-def list_assignable_rewards(id):
-    ChildQuery = Query()
-    result = child_db.search(ChildQuery.id == id)
-    if not result:
-        return jsonify({'error': 'Child not found'}), 404
-
-    child = result[0]
-    assigned_ids = set(child.get('rewards', []))
-
-    all_reward_ids = [r.get('id') for r in reward_db.all() if r and r.get('id')]
-    assignable_ids = [rid for rid in all_reward_ids if rid not in assigned_ids]
-
-    RewardQuery = Query()
-    assignable_rewards = []
-    for rid in assignable_ids:
-        reward = reward_db.get(RewardQuery.id == rid)
-        if not reward:
-            continue
-        cr = ChildReward(reward.get('name'), reward.get('cost'), reward.get('image_id'), reward.get('id'))
-        assignable_rewards.append(cr.to_dict())
-
-    return jsonify({'rewards': assignable_rewards, 'count': len(assignable_rewards)}), 200
-
-@child_api.route('/child/<id>/trigger-reward', methods=['POST'])
-def trigger_child_reward(id):
-    data = request.get_json()
-    reward_id = data.get('reward_id')
-    if not reward_id:
-        return jsonify({'error': 'reward_id is required'}), 400
-
-    ChildQuery = Query()
-    result = child_db.search(ChildQuery.id == id)
-    if not result:
-        return jsonify({'error': 'Child not found'}), 404
-
-    child: Child = Child.from_dict(result[0])
-    if reward_id not in child.rewards:
-        return jsonify({'error': f'Reward not found assigned to child {child.name}'}), 404
-    # look up  the task and get the details
-    RewardQuery = Query()
-    reward_result = reward_db.search(RewardQuery.id == reward_id)
-    if not reward_result:
-        return jsonify({'error': 'Reward not found in reward database'}), 404
-    reward: Reward = Reward.from_dict(reward_result[0])
-
-    # Remove matching pending reward requests for this child and reward
-    PendingQuery = Query()
-    removed = pending_reward_db.remove(
-        (PendingQuery.child_id == child.id) & (PendingQuery.reward_id == reward.id)
-    )
-    if removed:
-        send_event_to_user("user123", Event(EventType.CHILD_REWARD_REQUEST.value, ChildRewardRequest(reward.id, child.id, ChildRewardRequest.REQUEST_GRANTED)))
-
-
-    # update the child's points based on reward cost
-    child.points -= reward.cost
-    # update the child in the database
-    child_db.update({'points': child.points}, ChildQuery.id == id)
-    send_event_to_user("user123", Event(EventType.CHILD_REWARD_TRIGGERED.value, ChildRewardTriggered(reward.id, child.id, child.points)))
-
-
-    return jsonify({'message': f'{reward.name} assigned to {child.name}.', 'points': child.points, 'id': child.id}), 200
-
-@child_api.route('/child/<id>/affordable-rewards', methods=['GET'])
-def list_affordable_rewards(id):
-    ChildQuery = Query()
-    result = child_db.search(ChildQuery.id == id)
-    if not result:
-        return jsonify({'error': 'Child not found'}), 404
-
-    child = Child.from_dict(result[0])
-    points = child.points
-    reward_ids = child.rewards
-    RewardQuery = Query()
-    affordable = [
-        Reward.from_dict(reward).to_dict() for reward_id in reward_ids
-        if (reward := reward_db.get(RewardQuery.id == reward_id)) and points >= Reward.from_dict(reward).cost
-    ]
-    return jsonify({'affordable_rewards': affordable}), 200
-
-@child_api.route('/child/<id>/reward-status', methods=['GET'])
-def reward_status(id):
-    ChildQuery = Query()
-    result = child_db.search(ChildQuery.id == id)
-    if not result:
-        return jsonify({'error': 'Child not found'}), 404
-
-    child = Child.from_dict(result[0])
-    points = child.points
-    reward_ids = child.rewards
-
-    RewardQuery = Query()
-    statuses = []
-    for reward_id in reward_ids:
-        reward: Reward = Reward.from_dict(reward_db.get(RewardQuery.id == reward_id))
-        if not reward:
-            continue
-        points_needed = max(0, reward.cost - points)
-        #check to see if this reward id and child id is in the pending rewards db if so set its redeeming flag to true
-        pending_query = Query()
-        pending = pending_reward_db.get((pending_query.child_id == child.id) & (pending_query.reward_id == reward.id))
-        status = RewardStatus(reward.id, reward.name, points_needed, reward.cost, pending is not None, reward.image_id)
-        statuses.append(status.to_dict())
-
-    statuses.sort(key=lambda s: (not s['redeeming'], s['cost']))
-    return jsonify({'reward_status': statuses}), 200
-
-
-@child_api.route('/child/<id>/request-reward', methods=['POST'])
-def request_reward(id):
-    data = request.get_json()
-    reward_id = data.get('reward_id')
-    if not reward_id:
-        return jsonify({'error': 'reward_id is required'}), 400
-
-    ChildQuery = Query()
-    result = child_db.search(ChildQuery.id == id)
-    if not result:
-        return jsonify({'error': 'Child not found'}), 404
-
-    child = Child.from_dict(result[0])
-    if reward_id not in child.rewards:
-        return jsonify({'error': f'Reward not assigned to child {child.name}'}), 404
-
-    RewardQuery = Query()
-    reward_result = reward_db.search(RewardQuery.id == reward_id)
-    if not reward_result:
-        return jsonify({'error': 'Reward not found in reward database'}), 404
-
-    reward = Reward.from_dict(reward_result[0])
-
-    # Check if child has enough points
-    if child.points < reward.cost:
-        points_needed = reward.cost - child.points
-        return jsonify({
-            'error': 'Insufficient points',
-            'points_needed': points_needed,
-            'current_points': child.points,
-            'reward_cost': reward.cost
-        }), 400
-
-    pending = PendingReward(child_id=child.id, reward_id=reward.id)
-    pending_reward_db.insert(pending.to_dict())
-    send_event_to_user("user123", Event(EventType.CHILD_REWARD_REQUEST.value, ChildRewardRequest(child.id, reward.id, ChildRewardRequest.REQUEST_CREATED)))
-
-    return jsonify({
-        'message': f'Reward request for {reward.name} submitted for {child.name}.',
-        'reward_id': reward.id,
-        'reward_name': reward.name,
-        'child_id': child.id,
-        'child_name': child.name,
-        'cost': reward.cost
-    }), 200
-
-@child_api.route('/child/<id>/cancel-request-reward', methods=['POST'])
-def cancel_request_reward(id):
-    data = request.get_json()
-    reward_id = data.get('reward_id')
-    if not reward_id:
-        return jsonify({'error': 'reward_id is required'}), 400
-
-    ChildQuery = Query()
-    result = child_db.search(ChildQuery.id == id)
-    if not result:
-        return jsonify({'error': 'Child not found'}), 404
-
-    child = Child.from_dict(result[0])
-
-    # Remove matching pending reward request
-    PendingQuery = Query()
-    removed = pending_reward_db.remove(
-        (PendingQuery.child_id == child.id) & (PendingQuery.reward_id == reward_id)
-    )
-
-    if not removed:
-        return jsonify({'error': 'No pending request found for this reward'}), 404
-
-    # Notify user that the request was cancelled
-    send_event_to_user(
-        "user123",
-        Event(
-            EventType.CHILD_REWARD_REQUEST.value,
-            ChildRewardRequest(child.id, reward_id, ChildRewardRequest.REQUEST_CANCELLED)
-        )
-    )
-
-    return jsonify({
-        'message': f'Reward request cancelled for {child.name}.',
-        'child_id': child.id,
-        'reward_id': reward_id,
-        'removed_count': len(removed)
-    }), 200
-
-
-
-@child_api.route('/pending-rewards', methods=['GET'])
-def list_pending_rewards():
-    pending_rewards = pending_reward_db.all()
-    reward_responses = []
-
-    RewardQuery = Query()
-    ChildQuery = Query()
-
-    for pr in pending_rewards:
-        pending = PendingReward.from_dict(pr)
-
-        # Look up reward details
-        reward_result = reward_db.get(RewardQuery.id == pending.reward_id)
-        if not reward_result:
-            continue
-        reward = Reward.from_dict(reward_result)
-
-        # Look up child details
-        child_result = child_db.get(ChildQuery.id == pending.child_id)
-        if not child_result:
-            continue
-        child = Child.from_dict(child_result)
-
-        # Create response object
-        response = PendingRewardResponse(
-            _id=pending.id,
-            child_id=child.id,
-            child_name=child.name,
-            child_image_id=child.image_id,
-            reward_id=reward.id,
-            reward_name=reward.name,
-            reward_image_id=reward.image_id
-        )
-        reward_responses.append(response.to_dict())
-
-    return jsonify({'rewards': reward_responses}), 200
-

api/reward_api.py

@@ -1,104 +0,0 @@
-from flask import Blueprint, request, jsonify
-from tinydb import Query
-
-from events.sse import send_event_to_user
-from events.types.event import Event
-from events.types.event_types import EventType
-from events.types.reward_modified import RewardModified
-from models.reward import Reward
-from db.db import reward_db, child_db
-
-reward_api = Blueprint('reward_api', __name__)
-
-# Reward endpoints
-@reward_api.route('/reward/add', methods=['PUT'])
-def add_reward():
-    data = request.get_json()
-    name = data.get('name')
-    description = data.get('description')
-    cost = data.get('cost')
-    image = data.get('image_id', '')
-    if not name or description is None or cost is None:
-        return jsonify({'error': 'Name, description, and cost are required'}), 400
-    reward = Reward(name=name, description=description, cost=cost, image_id=image)
-    reward_db.insert(reward.to_dict())
-    send_event_to_user("user123", Event(EventType.REWARD_MODIFIED.value,
-                                        RewardModified(reward.id, RewardModified.OPERATION_ADD)))
-
-    return jsonify({'message': f'Reward {name} added.'}), 201
-
-
-
-@reward_api.route('/reward/<id>', methods=['GET'])
-def get_reward(id):
-    RewardQuery = Query()
-    result = reward_db.search(RewardQuery.id == id)
-    if not result:
-        return jsonify({'error': 'Reward not found'}), 404
-    return jsonify(result[0]), 200
-
-@reward_api.route('/reward/list', methods=['GET'])
-def list_rewards():
-    rewards = reward_db.all()
-    return jsonify({'rewards': rewards}), 200
-
-@reward_api.route('/reward/<id>', methods=['DELETE'])
-def delete_reward(id):
-    RewardQuery = Query()
-    removed = reward_db.remove(RewardQuery.id == id)
-    if removed:
-        # remove the reward id from any child's reward list
-        ChildQuery = Query()
-        for child in child_db.all():
-            rewards = child.get('rewards', [])
-            if id in rewards:
-                rewards.remove(id)
-                child_db.update({'rewards': rewards}, ChildQuery.id == child.get('id'))
-                send_event_to_user("user123", Event(EventType.REWARD_MODIFIED.value,
-                                                    RewardModified(id, RewardModified.OPERATION_DELETE)))
-
-        return jsonify({'message': f'Reward {id} deleted.'}), 200
-    return jsonify({'error': 'Reward not found'}), 404
-
-@reward_api.route('/reward/<id>/edit', methods=['PUT'])
-def edit_reward(id):
-    RewardQuery = Query()
-    existing = reward_db.get(RewardQuery.id == id)
-    if not existing:
-        return jsonify({'error': 'Reward not found'}), 404
-
-    data = request.get_json(force=True) or {}
-    updates = {}
-
-    if 'name' in data:
-        name = (data.get('name') or '').strip()
-        if not name:
-            return jsonify({'error': 'Name cannot be empty'}), 400
-        updates['name'] = name
-
-    if 'description' in data:
-        desc = (data.get('description') or '').strip()
-        if not desc:
-            return jsonify({'error': 'Description cannot be empty'}), 400
-        updates['description'] = desc
-
-    if 'cost' in data:
-        cost = data.get('cost')
-        if not isinstance(cost, int):
-            return jsonify({'error': 'Cost must be an integer'}), 400
-        if cost <= 0:
-            return jsonify({'error': 'Cost must be a positive integer'}), 400
-        updates['cost'] = cost
-
-    if 'image_id' in data:
-        updates['image_id'] = data.get('image_id', '')
-
-    if not updates:
-        return jsonify({'error': 'No valid fields to update'}), 400
-
-    reward_db.update(updates, RewardQuery.id == id)
-    updated = reward_db.get(RewardQuery.id == id)
-    send_event_to_user("user123", Event(EventType.REWARD_MODIFIED.value,
-                                        RewardModified(id, RewardModified.OPERATION_EDIT)))
-
-    return jsonify(updated), 200

api/task_api.py

@@ -1,100 +0,0 @@
-from flask import Blueprint, request, jsonify
-from tinydb import Query
-
-from events.sse import send_event_to_user
-from events.types.event import Event
-from events.types.event_types import EventType
-from events.types.task_modified import TaskModified
-from models.task import Task
-from db.db import task_db, child_db
-
-task_api = Blueprint('task_api', __name__)
-
-# Task endpoints
-@task_api.route('/task/add', methods=['PUT'])
-def add_task():
-    data = request.get_json()
-    name = data.get('name')
-    points = data.get('points')
-    is_good = data.get('is_good')
-    image = data.get('image_id', '')
-    if not name or points is None or is_good is None:
-        return jsonify({'error': 'Name, points, and is_good are required'}), 400
-    task = Task(name=name, points=points, is_good=is_good, image_id=image)
-    task_db.insert(task.to_dict())
-    send_event_to_user("user123", Event(EventType.TASK_MODIFIED.value,
-                                        TaskModified(task.id, TaskModified.OPERATION_ADD)))
-    return jsonify({'message': f'Task {name} added.'}), 201
-
-@task_api.route('/task/<id>', methods=['GET'])
-def get_task(id):
-    TaskQuery = Query()
-    result = task_db.search(TaskQuery.id == id)
-    if not result:
-        return jsonify({'error': 'Task not found'}), 404
-    return jsonify(result[0]), 200
-
-@task_api.route('/task/list', methods=['GET'])
-def list_tasks():
-    tasks = task_db.all()
-    return jsonify({'tasks': tasks}), 200
-
-@task_api.route('/task/<id>', methods=['DELETE'])
-def delete_task(id):
-    TaskQuery = Query()
-    removed = task_db.remove(TaskQuery.id == id)
-    if removed:
-        # remove the task id from any child's task list
-        ChildQuery = Query()
-        for child in child_db.all():
-            tasks = child.get('tasks', [])
-            if id in tasks:
-                tasks.remove(id)
-                child_db.update({'tasks': tasks}, ChildQuery.id == child.get('id'))
-                send_event_to_user("user123", Event(EventType.TASK_MODIFIED.value,
-                                                    TaskModified(id, TaskModified.OPERATION_DELETE)))
-
-        return jsonify({'message': f'Task {id} deleted.'}), 200
-    return jsonify({'error': 'Task not found'}), 404
-
-@task_api.route('/task/<id>/edit', methods=['PUT'])
-def edit_task(id):
-    TaskQuery = Query()
-    existing = task_db.get(TaskQuery.id == id)
-    if not existing:
-        return jsonify({'error': 'Task not found'}), 404
-
-    data = request.get_json(force=True) or {}
-    updates = {}
-
-    if 'name' in data:
-        name = data.get('name', '').strip()
-        if not name:
-            return jsonify({'error': 'Name cannot be empty'}), 400
-        updates['name'] = name
-
-    if 'points' in data:
-        points = data.get('points')
-        if not isinstance(points, int):
-            return jsonify({'error': 'Points must be an integer'}), 400
-        if points <= 0:
-            return jsonify({'error': 'Points must be a positive integer'}), 400
-        updates['points'] = points
-
-    if 'is_good' in data:
-        is_good = data.get('is_good')
-        if not isinstance(is_good, bool):
-            return jsonify({'error': 'is_good must be a boolean'}), 400
-        updates['is_good'] = is_good
-
-    if 'image_id' in data:
-        updates['image_id'] = data.get('image_id', '')
-
-    if not updates:
-        return jsonify({'error': 'No valid fields to update'}), 400
-
-    task_db.update(updates, TaskQuery.id == id)
-    updated = task_db.get(TaskQuery.id == id)
-    send_event_to_user("user123", Event(EventType.TASK_MODIFIED.value,
-                                        TaskModified(id, TaskModified.OPERATION_EDIT)))
-    return jsonify(updated), 200

backend/.gitignore

@@ -0,0 +1,83 @@
+# Python
+__pycache__/
+*.py[cod]
+*$py.class
+*.so
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+PIPFILE.lock
+
+# Virtual Environment
+venv/
+ENV/
+env/
+.venv
+
+# PyCharm
+.idea/
+*.iml
+*.iws
+.idea_modules/
+
+# VS Code
+.vscode/
+
+# Database files
+*.db
+*.sqlite
+*.sqlite3
+data/db/*.json
+data/images/
+test_data/
+
+# Flask
+instance/
+.webassets-cache
+
+# Environment variables
+.env
+.env.local
+.env.*.local
+
+# Node.js / Vue (web directory)
+web/node_modules/
+web/npm-debug.log*
+web/yarn-debug.log*
+web/yarn-error.log*
+web/dist/
+web/.nuxt/
+web/.cache/
+
+# OS files
+.DS_Store
+Thumbs.db
+*.swp
+*.swo
+*~
+
+# Logs
+*.log
+logs/
+
+# Testing
+.pytest_cache/
+.coverage
+htmlcov/
+.tox/
+
+/chore.bundle
+/tree.json

backend/api/admin_api.py

@@ -0,0 +1,199 @@
+from flask import Blueprint, request, jsonify
+from datetime import datetime, timedelta
+from tinydb import Query
+import jwt
+from functools import wraps
+
+from db.db import users_db
+from models.user import User
+from config.deletion_config import (
+    ACCOUNT_DELETION_THRESHOLD_HOURS,
+    MIN_THRESHOLD_HOURS,
+    MAX_THRESHOLD_HOURS,
+    validate_threshold
+)
+from utils.account_deletion_scheduler import trigger_deletion_manually
+
+admin_api = Blueprint('admin_api', __name__)
+
+def admin_required(f):
+    """
+    Decorator to require admin role for endpoints.
+    """
+    @wraps(f)
+    def decorated_function(*args, **kwargs):
+        # Get JWT token from cookie
+        token = request.cookies.get('token')
+        if not token:
+            return jsonify({'error': 'Authentication required', 'code': 'AUTH_REQUIRED'}), 401
+        
+        try:
+            # Verify JWT token
+            payload = jwt.decode(token, 'supersecretkey', algorithms=['HS256'])
+            user_id = payload.get('user_id')
+            
+            if not user_id:
+                return jsonify({'error': 'Invalid token', 'code': 'INVALID_TOKEN'}), 401
+            
+            # Get user from database
+            Query_ = Query()
+            user_dict = users_db.get(Query_.id == user_id)
+            
+            if not user_dict:
+                return jsonify({'error': 'User not found', 'code': 'USER_NOT_FOUND'}), 404
+            
+            user = User.from_dict(user_dict)
+            
+            # Check if user has admin role
+            if user.role != 'admin':
+                return jsonify({'error': 'Admin access required', 'code': 'ADMIN_REQUIRED'}), 403
+            
+            # Pass user to the endpoint
+            request.current_user = user
+            
+        except jwt.ExpiredSignatureError:
+            return jsonify({'error': 'Token expired', 'code': 'TOKEN_EXPIRED'}), 401
+        except jwt.InvalidTokenError:
+            return jsonify({'error': 'Invalid token', 'code': 'INVALID_TOKEN'}), 401
+        
+        return f(*args, **kwargs)
+    
+    return decorated_function
+
+@admin_api.route('/admin/deletion-queue', methods=['GET'])
+@admin_required
+def get_deletion_queue():
+    """
+    Get list of users pending deletion.
+    Returns users marked for deletion with their deletion due dates.
+    """
+    try:
+        Query_ = Query()
+        marked_users = users_db.search(Query_.marked_for_deletion == True)
+        
+        users_data = []
+        for user_dict in marked_users:
+            user = User.from_dict(user_dict)
+            
+            # Calculate deletion_due_at
+            deletion_due_at = None
+            if user.marked_for_deletion_at:
+                try:
+                    marked_at = datetime.fromisoformat(user.marked_for_deletion_at)
+                    due_at = marked_at + timedelta(hours=ACCOUNT_DELETION_THRESHOLD_HOURS)
+                    deletion_due_at = due_at.isoformat()
+                except (ValueError, TypeError):
+                    pass
+            
+            users_data.append({
+                'id': user.id,
+                'email': user.email,
+                'marked_for_deletion_at': user.marked_for_deletion_at,
+                'deletion_due_at': deletion_due_at,
+                'deletion_in_progress': user.deletion_in_progress,
+                'deletion_attempted_at': user.deletion_attempted_at
+            })
+        
+        return jsonify({
+            'count': len(users_data),
+            'users': users_data
+        }), 200
+        
+    except Exception as e:
+        return jsonify({'error': str(e), 'code': 'SERVER_ERROR'}), 500
+
+@admin_api.route('/admin/deletion-threshold', methods=['GET'])
+@admin_required
+def get_deletion_threshold():
+    """
+    Get current deletion threshold configuration.
+    """
+    return jsonify({
+        'threshold_hours': ACCOUNT_DELETION_THRESHOLD_HOURS,
+        'threshold_min': MIN_THRESHOLD_HOURS,
+        'threshold_max': MAX_THRESHOLD_HOURS
+    }), 200
+
+@admin_api.route('/admin/deletion-threshold', methods=['PUT'])
+@admin_required
+def update_deletion_threshold():
+    """
+    Update deletion threshold.
+    Note: This updates the runtime value but doesn't persist to environment variables.
+    For permanent changes, update the ACCOUNT_DELETION_THRESHOLD_HOURS env variable.
+    """
+    try:
+        data = request.get_json()
+        
+        if not data or 'threshold_hours' not in data:
+            return jsonify({
+                'error': 'threshold_hours is required',
+                'code': 'MISSING_THRESHOLD'
+            }), 400
+        
+        new_threshold = data['threshold_hours']
+        
+        # Validate type
+        if not isinstance(new_threshold, int):
+            return jsonify({
+                'error': 'threshold_hours must be an integer',
+                'code': 'INVALID_TYPE'
+            }), 400
+        
+        # Validate range
+        if new_threshold < MIN_THRESHOLD_HOURS:
+            return jsonify({
+                'error': f'threshold_hours must be at least {MIN_THRESHOLD_HOURS}',
+                'code': 'THRESHOLD_TOO_LOW'
+            }), 400
+        
+        if new_threshold > MAX_THRESHOLD_HOURS:
+            return jsonify({
+                'error': f'threshold_hours must be at most {MAX_THRESHOLD_HOURS}',
+                'code': 'THRESHOLD_TOO_HIGH'
+            }), 400
+        
+        # Update the global config
+        import config.deletion_config as config
+        config.ACCOUNT_DELETION_THRESHOLD_HOURS = new_threshold
+        
+        # Validate and log warning if needed
+        validate_threshold()
+        
+        return jsonify({
+            'message': 'Deletion threshold updated successfully',
+            'threshold_hours': new_threshold
+        }), 200
+        
+    except Exception as e:
+        return jsonify({'error': str(e), 'code': 'SERVER_ERROR'}), 500
+
+@admin_api.route('/admin/deletion-queue/trigger', methods=['POST'])
+@admin_required
+def trigger_deletion_queue():
+    """
+    Manually trigger the deletion scheduler to process the queue immediately.
+    Returns stats about the run.
+    """
+    try:
+        # Trigger the deletion process
+        result = trigger_deletion_manually()
+        
+        # Get updated queue stats
+        Query_ = Query()
+        marked_users = users_db.search(Query_.marked_for_deletion == True)
+        
+        # Count users that were just processed (this is simplified)
+        processed = result.get('queued_users', 0)
+        
+        # In a real implementation, you'd return actual stats from the deletion run
+        # For now, we'll return simplified stats
+        return jsonify({
+            'message': 'Deletion scheduler triggered',
+            'processed': processed,
+            'deleted': 0,  # TODO: Track this in the deletion function
+            'failed': 0   # TODO: Track this in the deletion function
+        }), 200
+        
+    except Exception as e:
+        return jsonify({'error': str(e), 'code': 'SERVER_ERROR'}), 500

backend/api/auth_api.py

@@ -0,0 +1,287 @@
+import logging
+import secrets, jwt
+from datetime import datetime, timedelta, timezone
+from models.user import User
+from flask import Blueprint, request, jsonify, current_app
+from tinydb import Query
+import os
+import utils.email_sender as email_sender
+from werkzeug.security import generate_password_hash, check_password_hash
+
+from api.utils import sanitize_email
+from config.paths import get_user_image_dir
+
+from api.error_codes import MISSING_FIELDS, EMAIL_EXISTS, MISSING_TOKEN, INVALID_TOKEN, TOKEN_TIMESTAMP_MISSING, \
+    TOKEN_EXPIRED, ALREADY_VERIFIED, MISSING_EMAIL, USER_NOT_FOUND, MISSING_EMAIL_OR_PASSWORD, INVALID_CREDENTIALS, \
+    NOT_VERIFIED, ACCOUNT_MARKED_FOR_DELETION
+from db.db import users_db
+from api.utils import normalize_email
+
+logger = logging.getLogger(__name__)
+auth_api = Blueprint('auth_api', __name__)
+UserQuery = Query()
+TOKEN_EXPIRY_MINUTES = 60*4
+RESET_PASSWORD_TOKEN_EXPIRY_MINUTES = 10
+
+
+def send_verification_email(to_email, token):
+    email_sender.send_verification_email(to_email, token)
+
+def send_reset_password_email(to_email, token):
+    email_sender.send_reset_password_email(to_email, token)
+
+@auth_api.route('/signup', methods=['POST'])
+def signup():
+    data = request.get_json()
+    required_fields = ['first_name', 'last_name', 'email', 'password']
+    if not all(field in data for field in required_fields):
+        return jsonify({'error': 'Missing required fields', 'code': MISSING_FIELDS}), 400
+    email = data.get('email', '')
+    norm_email = normalize_email(email)    
+
+    existing = users_db.get(UserQuery.email == norm_email)
+    if existing:
+        user = User.from_dict(existing)
+        if user.marked_for_deletion:
+            return jsonify({'error': 'Account marked for deletion', 'code': ACCOUNT_MARKED_FOR_DELETION}), 403
+        return jsonify({'error': 'Email already exists', 'code': EMAIL_EXISTS}), 400
+
+    token = secrets.token_urlsafe(32)
+    now_iso = datetime.utcnow().isoformat()
+    user = User(
+        first_name=data['first_name'],
+        last_name=data['last_name'],
+        email=norm_email,
+        password=generate_password_hash(data['password']),
+        verified=False,
+        verify_token=token,
+        verify_token_created=now_iso,
+        image_id="boy01"
+    )
+    users_db.insert(user.to_dict())
+    send_verification_email(norm_email, token)
+    return jsonify({'message': 'User created, verification email sent'}), 201
+
+@auth_api.route('/verify', methods=['GET'])
+def verify():
+    token = request.args.get('token')
+    status = 'success'
+    reason = ''
+    code = ''
+    user_dict = None
+    user = None
+
+    if not token:
+        status = 'error'
+        reason = 'Missing token'
+        code = MISSING_TOKEN
+    else:
+        user_dict = users_db.get(Query().verify_token == token)
+        user = User.from_dict(user_dict) if user_dict else None
+        if not user:
+            status = 'error'
+            reason = 'Invalid token'
+            code = INVALID_TOKEN
+        elif user.marked_for_deletion:
+            status = 'error'
+            reason = 'Account marked for deletion'
+            code = ACCOUNT_MARKED_FOR_DELETION
+        else:
+            created_str = user.verify_token_created
+            if not created_str:
+                status = 'error'
+                reason = 'Token timestamp missing'
+                code = TOKEN_TIMESTAMP_MISSING
+            else:
+                created_dt = datetime.fromisoformat(created_str).replace(tzinfo=timezone.utc)
+                if datetime.now(timezone.utc) - created_dt > timedelta(minutes=TOKEN_EXPIRY_MINUTES):
+                    status = 'error'
+                    reason = 'Token expired'
+                    code = TOKEN_EXPIRED
+                else:
+                    user.verified = True
+                    user.verify_token = None
+                    user.verify_token_created = None
+                    users_db.update(user.to_dict(), Query().email == user.email)
+
+    http_status = 200 if status == 'success' else 400
+    if http_status == 200 and user is not None:
+        if not user.email:
+            logger.error("Verified user has no email field.")
+        else:
+            user_image_dir = get_user_image_dir(user.id)
+            os.makedirs(user_image_dir, exist_ok=True)
+
+    return jsonify({'status': status, 'reason': reason, 'code': code}), http_status
+
+@auth_api.route('/resend-verify', methods=['POST'])
+def resend_verify():
+    data = request.get_json()
+    email = data.get('email', '')
+    if not email:
+        return jsonify({'error': 'Missing email', 'code': MISSING_EMAIL}), 400
+    norm_email = normalize_email(email)    
+
+    user_dict = users_db.get(UserQuery.email == norm_email)
+    user = User.from_dict(user_dict) if user_dict else None
+    if not user:
+        return jsonify({'error': 'User not found', 'code': USER_NOT_FOUND}), 404
+
+    if user.verified:
+        return jsonify({'error': 'Account already verified', 'code': ALREADY_VERIFIED}), 400
+
+    token = secrets.token_urlsafe(32)
+    now_iso = datetime.utcnow().isoformat()
+    user.verify_token = token
+    user.verify_token_created = now_iso
+    users_db.update(user.to_dict(), UserQuery.email == norm_email)
+    send_verification_email(norm_email, token)
+    return jsonify({'message': 'Verification email resent'}), 200
+
+@auth_api.route('/login', methods=['POST'])
+def login():
+    data = request.get_json()
+    email = data.get('email', '')
+    password = data.get('password')
+    if not email or not password:
+        return jsonify({'error': 'Missing email or password', 'code': MISSING_EMAIL_OR_PASSWORD}), 400
+    norm_email = normalize_email(email)
+
+    user_dict = users_db.get(UserQuery.email == norm_email)
+    user = User.from_dict(user_dict) if user_dict else None
+    if not user or not check_password_hash(user.password, password):
+        return jsonify({'error': 'Invalid credentials', 'code': INVALID_CREDENTIALS}), 401
+
+    if not user.verified:
+        return jsonify({'error': 'This account has not verified', 'code': NOT_VERIFIED}), 403
+
+    # Block login for marked accounts
+    if user.marked_for_deletion:
+        return jsonify({'error': 'This account has been marked for deletion and cannot be accessed.', 'code': ACCOUNT_MARKED_FOR_DELETION}), 403
+
+    payload = {
+        'email': norm_email,
+        'user_id': user.id,
+        'token_version': user.token_version,
+        'exp': datetime.utcnow() + timedelta(days=62)
+    }
+    token = jwt.encode(payload, current_app.config['SECRET_KEY'], algorithm='HS256')
+
+    resp = jsonify({'message': 'Login successful'})
+    resp.set_cookie('token', token, httponly=True, secure=True, samesite='Strict')
+    return resp, 200
+
+@auth_api.route('/me', methods=['GET'])
+def me():
+    token = request.cookies.get('token')
+    if not token:
+        return jsonify({'error': 'Missing token', 'code': MISSING_TOKEN}), 401
+
+    try:
+        payload = jwt.decode(token, current_app.config['SECRET_KEY'], algorithms=['HS256'])
+        user_id = payload.get('user_id', '')
+        token_version = payload.get('token_version', 0)
+        user_dict = users_db.get(UserQuery.id == user_id)
+        user = User.from_dict(user_dict) if user_dict else None
+        if not user:
+            return jsonify({'error': 'User not found', 'code': USER_NOT_FOUND}), 404
+        if token_version != user.token_version:
+            return jsonify({'error': 'Invalid token', 'code': INVALID_TOKEN}), 401
+        if user.marked_for_deletion:
+            return jsonify({'error': 'Account marked for deletion', 'code': ACCOUNT_MARKED_FOR_DELETION}), 403
+        return jsonify({
+            'email': user.email,
+            'id': user_id,
+            'first_name': user.first_name,
+            'last_name': user.last_name,
+            'verified': user.verified
+        }), 200
+    except jwt.ExpiredSignatureError:
+        return jsonify({'error': 'Token expired', 'code': TOKEN_EXPIRED}), 401
+    except jwt.InvalidTokenError:
+        return jsonify({'error': 'Invalid token', 'code': INVALID_TOKEN}), 401
+
+@auth_api.route('/request-password-reset', methods=['POST'])
+def request_password_reset():
+    data = request.get_json()
+    email = data.get('email', '')
+    norm_email = normalize_email(email)
+
+    success_msg = 'If this email is registered, you will receive a password reset link shortly.'
+
+    if not email:
+        return jsonify({'error': 'Missing email', 'code': MISSING_EMAIL}), 400
+
+    user_dict = users_db.get(UserQuery.email == norm_email)
+    user = User.from_dict(user_dict) if user_dict else None
+    if user:
+        if user.marked_for_deletion:
+            return jsonify({'error': 'Account marked for deletion', 'code': ACCOUNT_MARKED_FOR_DELETION}), 403
+        token = secrets.token_urlsafe(32)
+        now_iso = datetime.utcnow().isoformat()
+        user.reset_token = token
+        user.reset_token_created = now_iso
+        users_db.update(user.to_dict(), UserQuery.email == norm_email)
+        send_reset_password_email(norm_email, token)
+
+    return jsonify({'message': success_msg}), 200
+
+@auth_api.route('/validate-reset-token', methods=['GET'])
+def validate_reset_token():
+    token = request.args.get('token')
+    if not token:
+        return jsonify({'error': 'Missing token', 'code': MISSING_TOKEN}), 400
+
+    user_dict = users_db.get(UserQuery.reset_token == token)
+    user = User.from_dict(user_dict) if user_dict else None
+    if not user:
+        return jsonify({'error': 'Invalid token', 'code': INVALID_TOKEN}), 400
+
+    created_str = user.reset_token_created
+    if not created_str:
+        return jsonify({'error': 'Token timestamp missing', 'code': TOKEN_TIMESTAMP_MISSING}), 400
+
+    created_dt = datetime.fromisoformat(created_str).replace(tzinfo=timezone.utc)
+    if datetime.now(timezone.utc) - created_dt > timedelta(minutes=RESET_PASSWORD_TOKEN_EXPIRY_MINUTES):
+        return jsonify({'error': 'Token expired', 'code': TOKEN_EXPIRED}), 400
+
+    return jsonify({'message': 'Token is valid'}), 200
+
+@auth_api.route('/reset-password', methods=['POST'])
+def reset_password():
+    data = request.get_json()
+    token = data.get('token')
+    new_password = data.get('password')
+
+    if not token or not new_password:
+        return jsonify({'error': 'Missing token or password'}), 400
+
+    user_dict = users_db.get(UserQuery.reset_token == token)
+    user = User.from_dict(user_dict) if user_dict else None
+    if not user:
+        return jsonify({'error': 'Invalid token', 'code': INVALID_TOKEN}), 400
+
+    created_str = user.reset_token_created
+    if not created_str:
+        return jsonify({'error': 'Token timestamp missing', 'code': TOKEN_TIMESTAMP_MISSING}), 400
+
+    created_dt = datetime.fromisoformat(created_str).replace(tzinfo=timezone.utc)
+    if datetime.now(timezone.utc) - created_dt > timedelta(minutes=RESET_PASSWORD_TOKEN_EXPIRY_MINUTES):
+        return jsonify({'error': 'Token expired', 'code': TOKEN_EXPIRED}), 400
+
+    user.password = generate_password_hash(new_password)
+    user.reset_token = None
+    user.reset_token_created = None
+    user.token_version += 1
+    users_db.update(user.to_dict(), UserQuery.email == user.email)
+
+    resp = jsonify({'message': 'Password has been reset'})
+    resp.set_cookie('token', '', expires=0, httponly=True, secure=True, samesite='Strict')
+    return resp, 200
+
+@auth_api.route('/logout', methods=['POST'])
+def logout():
+    resp = jsonify({'message': 'Logged out'})
+    # Remove the token cookie by setting it to empty and expiring it
+    resp.set_cookie('token', '', expires=0, httponly=True, secure=True, samesite='Strict')
+    return resp, 200

backend/api/child_api.py

@@ -0,0 +1,970 @@
+from time import sleep
+
+from flask import Blueprint, request, jsonify
+from tinydb import Query
+
+from api.child_rewards import ChildReward
+from api.child_tasks import ChildTask
+from api.pending_reward import PendingReward as PendingRewardResponse
+from api.reward_status import RewardStatus
+from api.utils import send_event_for_current_user
+from db.db import child_db, task_db, reward_db, pending_reward_db
+from db.tracking import insert_tracking_event
+from db.child_overrides import get_override, delete_override, delete_overrides_for_child
+from events.types.child_modified import ChildModified
+from events.types.child_reward_request import ChildRewardRequest
+from events.types.child_reward_triggered import ChildRewardTriggered
+from events.types.child_rewards_set import ChildRewardsSet
+from events.types.child_task_triggered import ChildTaskTriggered
+from events.types.child_tasks_set import ChildTasksSet
+from events.types.tracking_event_created import TrackingEventCreated
+from events.types.event import Event
+from events.types.event_types import EventType
+from models.child import Child
+from models.pending_reward import PendingReward
+from models.reward import Reward
+from models.task import Task
+from models.tracking_event import TrackingEvent
+from api.utils import get_validated_user_id
+from utils.tracking_logger import log_tracking_event
+from collections import defaultdict
+import logging
+
+child_api = Blueprint('child_api', __name__)
+logger = logging.getLogger(__name__)
+
+@child_api.route('/child/<name>', methods=['GET'])
+@child_api.route('/child/<id>', methods=['GET'])
+def get_child(id):
+    user_id = get_validated_user_id()
+    if not user_id:
+        return jsonify({'error': 'Unauthorized', 'code': 'UNAUTHORIZED'}), 401
+    ChildQuery = Query()
+    result = child_db.search((ChildQuery.id == id) & (ChildQuery.user_id == user_id))
+    if not result:
+        return jsonify({'error': 'Child not found'}), 404
+    return jsonify(Child.from_dict(result[0]).to_dict()), 200
+
+@child_api.route('/child/add', methods=['PUT'])
+def add_child():
+    user_id = get_validated_user_id()
+    if not user_id:
+        return jsonify({'error': 'Unauthorized', 'code': 'UNAUTHORIZED'}), 401
+    data = request.get_json()
+    name = data.get('name')
+    age = data.get('age')
+    image = data.get('image_id', None)
+    if not name:
+        return jsonify({'error': 'Name is required'}), 400
+    if not image:
+        image = 'boy01'
+
+    child = Child(name=name, age=age, image_id=image, user_id=user_id)
+    child_db.insert(child.to_dict())
+    resp = send_event_for_current_user(
+        Event(EventType.CHILD_MODIFIED.value, ChildModified(child.id, ChildModified.OPERATION_ADD)))
+    if resp:
+        return resp
+    return jsonify({'message': f'Child {name} added.'}), 201
+
+@child_api.route('/child/<id>/edit', methods=['PUT'])
+def edit_child(id):
+    user_id = get_validated_user_id()
+    if not user_id:
+        return jsonify({'error': 'Unauthorized', 'code': 'UNAUTHORIZED'}), 401
+    data = request.get_json()
+    name = data.get('name', None)
+    age = data.get('age', None)
+    points = data.get('points', None)
+    image = data.get('image_id', None)
+    ChildQuery = Query()
+    result = child_db.search((ChildQuery.id == id) & (ChildQuery.user_id == user_id))
+    if not result:
+        return jsonify({'error': 'Child not found'}), 404
+    child = Child.from_dict(result[0])
+
+    if name is not None:
+        child.name = name
+    if age is not None:
+        child.age = age
+    if points is not None:
+        child.points = points
+    if image is not None:
+        child.image_id = image
+
+    # Check if points changed and handle pending rewards
+    if points is not None:
+        PendingQuery = Query()
+        pending_rewards = pending_reward_db.search((PendingQuery.child_id == id) & (PendingQuery.user_id == user_id))
+
+        RewardQuery = Query()
+        for pr in pending_rewards:
+            pending = PendingReward.from_dict(pr)
+            reward_result = reward_db.get((RewardQuery.id == pending.reward_id) & ((RewardQuery.user_id == user_id) | (RewardQuery.user_id == None)))
+            if reward_result:
+                reward = Reward.from_dict(reward_result)
+                # If child can no longer afford the reward, remove the pending request
+                if child.points < reward.cost:
+                    pending_reward_db.remove(
+                        (PendingQuery.child_id == id) & (PendingQuery.reward_id == reward.id) & (PendingQuery.user_id == user_id)
+                    )
+                    resp = send_event_for_current_user(
+                        Event(EventType.CHILD_REWARD_REQUEST.value, ChildRewardRequest(id, reward.id, ChildRewardRequest.REQUEST_CANCELLED)))
+                    if resp:
+                        return resp
+    child_db.update(child.to_dict(), ChildQuery.id == id)
+    resp = send_event_for_current_user(Event(EventType.CHILD_MODIFIED.value, ChildModified(id, ChildModified.OPERATION_EDIT)))
+    if resp:
+        return resp
+    return jsonify({'message': f'Child {id} updated.'}), 200
+
+@child_api.route('/child/list', methods=['GET'])
+def list_children():
+    user_id = get_validated_user_id()
+    if not user_id:
+        return jsonify({'error': 'Unauthorized', 'code': 'UNAUTHORIZED'}), 401
+    ChildQuery = Query()
+    children = child_db.search(ChildQuery.user_id == user_id)
+    return jsonify({'children': children}), 200
+
+# Child DELETE
+@child_api.route('/child/<id>', methods=['DELETE'])
+def delete_child(id):
+    user_id = get_validated_user_id()
+    if not user_id:
+        return jsonify({'error': 'Unauthorized', 'code': 'UNAUTHORIZED'}), 401
+    ChildQuery = Query()
+    
+    # Cascade delete overrides for this child
+    deleted_count = delete_overrides_for_child(id)
+    if deleted_count > 0:
+        logger.info(f"Cascade deleted {deleted_count} overrides for child {id}")
+    
+    if child_db.remove((ChildQuery.id == id) & (ChildQuery.user_id == user_id)):
+        resp = send_event_for_current_user(Event(EventType.CHILD_MODIFIED.value, ChildModified(id, ChildModified.OPERATION_DELETE)))
+        if resp:
+            return resp
+        return jsonify({'message': f'Child {id} deleted.'}), 200
+    return jsonify({'error': 'Child not found'}), 404
+
+@child_api.route('/child/<id>/assign-task', methods=['POST'])
+def assign_task_to_child(id):
+    user_id = get_validated_user_id()
+    if not user_id:
+        return jsonify({'error': 'Unauthorized', 'code': 'UNAUTHORIZED'}), 401
+    data = request.get_json()
+    task_id = data.get('task_id')
+    if not task_id:
+        return jsonify({'error': 'task_id is required'}), 400
+
+    ChildQuery = Query()
+    result = child_db.search((ChildQuery.id == id) & (ChildQuery.user_id == user_id))
+    if not result:
+        return jsonify({'error': 'Child not found'}), 404
+
+    child = result[0]
+    if task_id not in child.get('tasks', []):
+        child['tasks'].append(task_id)
+        child_db.update({'tasks': child['tasks']}, ChildQuery.id == id)
+    return jsonify({'message': f"Task {task_id} assigned to {child.get('name')}."}), 200
+
+# python
+@child_api.route('/child/<id>/set-tasks', methods=['PUT'])
+def set_child_tasks(id):
+    user_id = get_validated_user_id()
+    if not user_id:
+        return jsonify({'error': 'Unauthorized', 'code': 'UNAUTHORIZED'}), 401
+    data = request.get_json() or {}
+    task_ids = data.get('task_ids')
+    if 'type' not in data:
+        return jsonify({'error': 'type is required (good or bad)'}), 400
+    task_type = data.get('type', 'good')
+    if task_type not in ['good', 'bad']:
+        return jsonify({'error': 'type must be either good or bad'}), 400
+    is_good = task_type == 'good'
+    if not isinstance(task_ids, list):
+        return jsonify({'error': 'task_ids must be a list'}), 400
+
+    ChildQuery = Query()
+    result = child_db.search((ChildQuery.id == id) & (ChildQuery.user_id == user_id))
+    if not result:
+        return jsonify({'error': 'Child not found'}), 404
+    child = Child.from_dict(result[0])
+    new_task_ids = set(task_ids)
+
+    # Add all existing child tasks of the opposite type
+    for task in task_db.all():
+        if task['id'] in child.tasks and task['is_good'] != is_good:
+            new_task_ids.add(task['id'])
+
+    # Convert back to list if needed
+    new_tasks = list(new_task_ids)
+    
+    # Identify unassigned tasks and delete their overrides
+    old_task_ids = set(child.tasks)
+    unassigned_task_ids = old_task_ids - new_task_ids
+    for task_id in unassigned_task_ids:
+        # Only delete overrides for task entities
+        override = get_override(id, task_id)
+        if override and override.entity_type == 'task':
+            delete_override(id, task_id)
+            logger.info(f"Deleted override for unassigned task: child={id}, task={task_id}")
+    
+    # Replace tasks with validated IDs
+    child_db.update({'tasks': new_tasks}, ChildQuery.id == id)
+    resp = send_event_for_current_user(Event(EventType.CHILD_TASKS_SET.value, ChildTasksSet(id, new_tasks)))
+    if resp:
+        return resp
+    return jsonify({
+        'message': f'Tasks set for child {id}.',
+        'task_ids': new_tasks,
+        'count': len(new_tasks)
+    }), 200
+
+
+
+@child_api.route('/child/<id>/remove-task', methods=['POST'])
+def remove_task_from_child(id):
+    user_id = get_validated_user_id()
+    if not user_id:
+        return jsonify({'error': 'Unauthorized', 'code': 'UNAUTHORIZED'}), 401
+    data = request.get_json()
+    task_id = data.get('task_id')
+    if not task_id:
+        return jsonify({'error': 'task_id is required'}), 400
+
+    ChildQuery = Query()
+    result = child_db.search((ChildQuery.id == id) & (ChildQuery.user_id == user_id))
+    if not result:
+        return jsonify({'error': 'Child not found'}), 404
+
+    child = result[0]
+    if task_id in child.get('tasks', []):
+        child['tasks'].remove(task_id)
+        child_db.update({'tasks': child['tasks']}, ChildQuery.id == id)
+        return jsonify({'message': f'Task {task_id} removed from {child["name"]}.'}), 200
+    return jsonify({'error': 'Task not assigned to child'}), 400
+
+@child_api.route('/child/<id>/list-tasks', methods=['GET'])
+def list_child_tasks(id):
+    user_id = get_validated_user_id()
+    if not user_id:
+        return jsonify({'error': 'Unauthorized', 'code': 'UNAUTHORIZED'}), 401
+    ChildQuery = Query()
+    result = child_db.search((ChildQuery.id == id) & (ChildQuery.user_id == user_id))
+    if not result:
+        return jsonify({'error': 'Child not found'}), 404
+
+    child = result[0]
+    task_ids = child.get('tasks', [])
+
+    TaskQuery = Query()
+    child_tasks = []
+    for tid in task_ids:
+        task = task_db.get((TaskQuery.id == tid) & ((TaskQuery.user_id == user_id) | (TaskQuery.user_id == None)))
+        if not task:
+            continue
+        
+        # Check for override
+        override = get_override(id, tid)
+        custom_value = override.custom_value if override else None
+        
+        ct = ChildTask(task.get('name'), task.get('is_good'), task.get('points'), task.get('image_id'), task.get('id'))
+        ct_dict = ct.to_dict()
+        if custom_value is not None:
+            ct_dict['custom_value'] = custom_value
+        child_tasks.append(ct_dict)
+
+    return jsonify({'tasks': child_tasks}), 200
+
+@child_api.route('/child/<id>/list-assignable-tasks', methods=['GET'])
+def list_assignable_tasks(id):
+    user_id = get_validated_user_id()
+    if not user_id:
+        return jsonify({'error': 'Unauthorized', 'code': 'UNAUTHORIZED'}), 401
+    ChildQuery = Query()
+    result = child_db.search((ChildQuery.id == id) & (ChildQuery.user_id == user_id))
+    if not result:
+        return jsonify({'error': 'Child not found'}), 404
+
+    child = result[0]
+    assigned_ids = set(child.get('tasks', []))
+
+    # Get all assignable tasks (not already assigned)
+    all_tasks = [t for t in task_db.all() if t and t.get('id') and t.get('id') not in assigned_ids]
+
+    # Group by name
+    from collections import defaultdict
+    name_to_tasks = defaultdict(list)
+    for t in all_tasks:
+        name_to_tasks[t.get('name')].append(t)
+
+    filtered_tasks = []
+    for name, tasks in name_to_tasks.items():
+        user_tasks = [t for t in tasks if t.get('user_id') is not None]
+        if len(user_tasks) == 0:
+            # Only system task exists
+            filtered_tasks.append(tasks[0])
+        elif len(user_tasks) == 1:
+            # Only one user task: show it, not system
+            filtered_tasks.append(user_tasks[0])
+        else:
+            # Multiple user tasks: show all user tasks, not system
+            filtered_tasks.extend(user_tasks)
+
+    # Wrap in ChildTask and return
+    assignable_tasks = [ChildTask(t.get('name'), t.get('is_good'), t.get('points'), t.get('image_id'), t.get('id')).to_dict() for t in filtered_tasks]
+    return jsonify({'tasks': assignable_tasks, 'count': len(assignable_tasks)}), 200
+
+
+@child_api.route('/child/<id>/list-all-tasks', methods=['GET'])
+def list_all_tasks(id):
+    user_id = get_validated_user_id()
+    if not user_id:
+        return jsonify({'error': 'Unauthorized', 'code': 'UNAUTHORIZED'}), 401
+    ChildQuery = Query()
+    result = child_db.search((ChildQuery.id == id) & (ChildQuery.user_id == user_id))
+    if not result:
+        return jsonify({'error': 'Child not found'}), 404
+    has_type = "type" in request.args
+    if has_type and request.args.get('type') not in ['good', 'bad']:
+        return jsonify({'error': 'type must be either good or bad'}), 400
+    good = request.args.get('type', False) == 'good'
+
+    child = result[0]
+    assigned_ids = set(child.get('tasks', []))
+    # Get all tasks from database (not filtering out assigned, since this is 'all')
+    ChildTaskQuery = Query()
+    all_tasks = task_db.search((ChildTaskQuery.user_id == user_id) | (ChildTaskQuery.user_id == None))
+
+    name_to_tasks = defaultdict(list)
+    for t in all_tasks:
+        name_to_tasks[t.get('name')].append(t)
+
+    filtered_tasks = []
+    for name, tasks in name_to_tasks.items():
+        user_tasks = [t for t in tasks if t.get('user_id') is not None]
+        if len(user_tasks) == 0:
+            filtered_tasks.append(tasks[0])
+        elif len(user_tasks) == 1:
+            filtered_tasks.append(user_tasks[0])
+        else:
+            filtered_tasks.extend(user_tasks)
+            
+    result_tasks = []
+    for t in filtered_tasks:
+        if has_type and t.get('is_good') != good:
+            continue
+        ct = ChildTask(
+            t.get('name'),
+            t.get('is_good'),
+            t.get('points'),
+            t.get('image_id'),
+            t.get('id')
+        )
+        task_dict = ct.to_dict()
+        task_dict.update({'assigned': t.get('id') in assigned_ids})
+        result_tasks.append(task_dict)            
+        
+    result_tasks.sort(key=lambda t: (not t['assigned'], t['name'].lower()))
+    return jsonify({ 'tasks': result_tasks, 'count': len(result_tasks), 'list_type': 'task' }), 200
+
+
+@child_api.route('/child/<id>/trigger-task', methods=['POST'])
+def trigger_child_task(id):
+    user_id = get_validated_user_id()
+    if not user_id:
+        return jsonify({'error': 'Unauthorized', 'code': 'UNAUTHORIZED'}), 401
+    data = request.get_json()
+    task_id = data.get('task_id')
+    if not task_id:
+        return jsonify({'error': 'task_id is required'}), 400
+
+    ChildQuery = Query()
+    result = child_db.search((ChildQuery.id == id) & (ChildQuery.user_id == user_id))
+    if not result:
+        return jsonify({'error': 'Child not found'}), 404
+
+    child: Child = Child.from_dict(result[0])
+    if task_id not in child.tasks:
+        return jsonify({'error': f'Task not found assigned to child {child.name}'}), 404
+    # look up  the task and get the details
+    TaskQuery = Query()
+    task_result = task_db.search((TaskQuery.id == task_id) & ((TaskQuery.user_id == user_id) | (TaskQuery.user_id == None)))
+    if not task_result:
+        return jsonify({'error': 'Task not found in task database'}), 404
+    task: Task = Task.from_dict(task_result[0])
+    
+    # Capture points before modification
+    points_before = child.points
+    
+    # Check for override
+    override = get_override(id, task_id)
+    points_value = override.custom_value if override else task.points
+    
+    # update the child's points based on task type
+    if task.is_good:
+        child.points += points_value
+    else:
+        child.points -= points_value
+        child.points = max(child.points, 0)
+    
+    # update the child in the database
+    child_db.update({'points': child.points}, ChildQuery.id == id)
+    
+    # Create tracking event
+    entity_type = 'penalty' if not task.is_good else 'task'
+    tracking_metadata = {
+        'task_name': task.name, 
+        'is_good': task.is_good,
+        'default_points': task.points
+    }
+    if override:
+        tracking_metadata['custom_points'] = override.custom_value
+        tracking_metadata['has_override'] = True
+    
+    tracking_event = TrackingEvent.create_event(
+        user_id=user_id,
+        child_id=child.id,
+        entity_type=entity_type,
+        entity_id=task.id,
+        action='activated',
+        points_before=points_before,
+        points_after=child.points,
+        metadata=tracking_metadata
+    )
+    insert_tracking_event(tracking_event)
+    log_tracking_event(tracking_event)
+    
+    # Send tracking event via SSE
+    send_event_for_current_user(Event(EventType.TRACKING_EVENT_CREATED.value, TrackingEventCreated(tracking_event.id, child.id, entity_type, 'activated')))
+    
+    resp = send_event_for_current_user(Event(EventType.CHILD_TASK_TRIGGERED.value, ChildTaskTriggered(task.id, child.id,  child.points)))
+    if resp:
+        return resp
+    return jsonify({'message': f'{task.name} points assigned to {child.name}.', 'points': child.points, 'id': child.id}), 200
+
+@child_api.route('/child/<id>/assign-reward', methods=['POST'])
+def assign_reward_to_child(id):
+    user_id = get_validated_user_id()
+    if not user_id:
+        return jsonify({'error': 'Unauthorized', 'code': 'UNAUTHORIZED'}), 401
+    data = request.get_json()
+    reward_id = data.get('reward_id')
+    if not reward_id:
+        return jsonify({'error': 'reward_id is required'}), 400
+
+    ChildQuery = Query()
+    result = child_db.search((ChildQuery.id == id) & (ChildQuery.user_id == user_id))
+    if not result:
+        return jsonify({'error': 'Child not found'}), 404
+
+    child = result[0]
+    if reward_id not in child.get('rewards', []):
+        child['rewards'].append(reward_id)
+        child_db.update({'rewards': child['rewards']}, ChildQuery.id == id)
+    return jsonify({'message': f'Reward {reward_id} assigned to {child["name"]}.'}), 200
+
+@child_api.route('/child/<id>/list-all-rewards', methods=['GET'])
+def list_all_rewards(id):
+    user_id = get_validated_user_id()
+    if not user_id:
+        return jsonify({'error': 'Unauthorized', 'code': 'UNAUTHORIZED'}), 401
+    ChildQuery = Query()
+    result = child_db.search((ChildQuery.id == id) & (ChildQuery.user_id == user_id))
+    if not result:
+        return jsonify({'error': 'Child not found'}), 404
+
+    child = Child.from_dict(result[0])
+    assigned_ids = set(child.rewards)
+
+    # Get all rewards from database
+    ChildRewardQuery = Query()
+    all_rewards = reward_db.search((ChildRewardQuery.user_id == user_id) | (ChildRewardQuery.user_id == None))
+
+    from collections import defaultdict
+    name_to_rewards = defaultdict(list)
+    for r in all_rewards:
+        name_to_rewards[r.get('name')].append(r)
+
+    filtered_rewards = []
+    for name, rewards in name_to_rewards.items():
+        user_rewards = [r for r in rewards if r.get('user_id') is not None]
+        if len(user_rewards) == 0:
+            filtered_rewards.append(rewards[0])
+        elif len(user_rewards) == 1:
+            filtered_rewards.append(user_rewards[0])
+        else:
+            filtered_rewards.extend(user_rewards)
+
+    result_rewards = []
+    for r in filtered_rewards:
+        cr = ChildReward(
+            r.get('name'),
+            r.get('cost'),
+            r.get('image_id'),
+            r.get('id')
+        )
+        reward_dict = cr.to_dict()
+        reward_dict.update({'assigned': r.get('id') in assigned_ids})
+        result_rewards.append(reward_dict)
+    result_rewards.sort(key=lambda t: (not t['assigned'], t['name'].lower()))
+    return jsonify({
+        'rewards': result_rewards,
+        'rewards_count': len(result_rewards),
+        'list_type': 'reward'
+    }), 200
+
+
+@child_api.route('/child/<id>/set-rewards', methods=['PUT'])
+def set_child_rewards(id):
+    user_id = get_validated_user_id()
+    if not user_id:
+        return jsonify({'error': 'Unauthorized', 'code': 'UNAUTHORIZED'}), 401
+    data = request.get_json() or {}
+    reward_ids = data.get('reward_ids')
+    if not isinstance(reward_ids, list):
+        return jsonify({'error': 'reward_ids must be a list'}), 400
+
+    # Deduplicate and drop falsy values
+    new_reward_ids = [rid for rid in dict.fromkeys(reward_ids) if rid]
+
+    ChildQuery = Query()
+    result = child_db.search((ChildQuery.id == id) & (ChildQuery.user_id == user_id))
+    if not result:
+        return jsonify({'error': 'Child not found'}), 404
+    
+    child = Child.from_dict(result[0])
+    old_reward_ids = set(child.rewards)
+
+    # Optional: validate reward IDs exist in the reward DB
+    RewardQuery = Query()
+    valid_reward_ids = []
+    for rid in new_reward_ids:
+        if reward_db.get((RewardQuery.id == rid) & ((RewardQuery.user_id == user_id) | (RewardQuery.user_id == None))):
+            valid_reward_ids.append(rid)
+    
+    # Identify unassigned rewards and delete their overrides
+    new_reward_ids_set = set(valid_reward_ids)
+    unassigned_reward_ids = old_reward_ids - new_reward_ids_set
+    for reward_id in unassigned_reward_ids:
+        override = get_override(id, reward_id)
+        if override and override.entity_type == 'reward':
+            delete_override(id, reward_id)
+            logger.info(f"Deleted override for unassigned reward: child={id}, reward={reward_id}")
+
+    # Replace rewards with validated IDs
+    child_db.update({'rewards': valid_reward_ids}, ChildQuery.id == id)
+    send_event_for_current_user(Event(EventType.CHILD_REWARDS_SET.value, ChildRewardsSet(id, valid_reward_ids)))
+    return jsonify({
+        'message': f'Rewards set for child {id}.',
+        'reward_ids': valid_reward_ids,
+        'count': len(valid_reward_ids)
+    }), 200
+
+
+@child_api.route('/child/<id>/remove-reward', methods=['POST'])
+def remove_reward_from_child(id):
+    user_id = get_validated_user_id()
+    if not user_id:
+        return jsonify({'error': 'Unauthorized', 'code': 'UNAUTHORIZED'}), 401
+    data = request.get_json()
+    reward_id = data.get('reward_id')
+    if not reward_id:
+        return jsonify({'error': 'reward_id is required'}), 400
+
+    ChildQuery = Query()
+    result = child_db.search((ChildQuery.id == id) & (ChildQuery.user_id == user_id))
+    if not result:
+        return jsonify({'error': 'Child not found'}), 404
+
+    child = result[0]
+    if reward_id in child.get('rewards', []):
+        child['rewards'].remove(reward_id)
+        child_db.update({'rewards': child['rewards']}, ChildQuery.id == id)
+        return jsonify({'message': f'Reward {reward_id} removed from {child["name"]}.'}), 200
+    return jsonify({'error': 'Reward not assigned to child'}), 400
+
+@child_api.route('/child/<id>/list-rewards', methods=['GET'])
+def list_child_rewards(id):
+    user_id = get_validated_user_id()
+    if not user_id:
+        return jsonify({'error': 'Unauthorized', 'code': 'UNAUTHORIZED'}), 401
+    ChildQuery = Query()
+    result = child_db.search((ChildQuery.id == id) & (ChildQuery.user_id == user_id))
+    if not result:
+        return jsonify({'error': 'Child not found'}), 404
+
+    child = result[0]
+    reward_ids = child.get('rewards', [])
+
+    RewardQuery = Query()
+    child_rewards = []
+    for rid in reward_ids:
+        reward = reward_db.get((RewardQuery.id == rid) & ((RewardQuery.user_id == user_id) | (RewardQuery.user_id == None)))
+        if not reward:
+            continue
+        
+        # Check for override
+        override = get_override(id, rid)
+        custom_value = override.custom_value if override else None
+        
+        cr = ChildReward(reward.get('name'), reward.get('cost'), reward.get('image_id'), reward.get('id'))
+        cr_dict = cr.to_dict()
+        if custom_value is not None:
+            cr_dict['custom_value'] = custom_value
+        child_rewards.append(cr_dict)
+
+    return jsonify({'rewards': child_rewards}), 200
+
+@child_api.route('/child/<id>/list-assignable-rewards', methods=['GET'])
+def list_assignable_rewards(id):
+    user_id = get_validated_user_id()
+    if not user_id:
+        return jsonify({'error': 'Unauthorized', 'code': 'UNAUTHORIZED'}), 401
+    ChildQuery = Query()
+    result = child_db.search((ChildQuery.id == id) & (ChildQuery.user_id == user_id))
+    if not result:
+        return jsonify({'error': 'Child not found'}), 404
+
+    child = result[0]
+    assigned_ids = set(child.get('rewards', []))
+
+    # Get all assignable rewards (not already assigned)
+    all_rewards = [r for r in reward_db.all() if r and r.get('id') and r.get('id') not in assigned_ids]
+
+    # Group by name
+    from collections import defaultdict
+    name_to_rewards = defaultdict(list)
+    for r in all_rewards:
+        name_to_rewards[r.get('name')].append(r)
+
+    filtered_rewards = []
+    for name, rewards in name_to_rewards.items():
+        user_rewards = [r for r in rewards if r.get('user_id') is not None]
+        if len(user_rewards) == 0:
+            filtered_rewards.append(rewards[0])
+        elif len(user_rewards) == 1:
+            filtered_rewards.append(user_rewards[0])
+        else:
+            filtered_rewards.extend(user_rewards)
+
+    assignable_rewards = [ChildReward(r.get('name'), r.get('cost'), r.get('image_id'), r.get('id')).to_dict() for r in filtered_rewards]
+    return jsonify({'rewards': assignable_rewards, 'count': len(assignable_rewards)}), 200
+
+@child_api.route('/child/<id>/trigger-reward', methods=['POST'])
+def trigger_child_reward(id):
+    user_id = get_validated_user_id()
+    if not user_id:
+        return jsonify({'error': 'Unauthorized', 'code': 'UNAUTHORIZED'}), 401
+    data = request.get_json()
+    reward_id = data.get('reward_id')
+    if not reward_id:
+        return jsonify({'error': 'reward_id is required'}), 400
+
+    ChildQuery = Query()
+    result = child_db.search((ChildQuery.id == id) & (ChildQuery.user_id == user_id))
+    if not result:
+        return jsonify({'error': 'Child not found'}), 404
+
+    child: Child = Child.from_dict(result[0])
+    if reward_id not in child.rewards:
+        return jsonify({'error': f'Reward not found assigned to child {child.name}'}), 404
+    # look up  the task and get the details
+    RewardQuery = Query()
+    reward_result = reward_db.search((RewardQuery.id == reward_id) & ((RewardQuery.user_id == user_id) | (RewardQuery.user_id == None)))
+    if not reward_result:
+        return jsonify({'error': 'Reward not found in reward database'}), 404
+    reward: Reward = Reward.from_dict(reward_result[0])
+
+    # Check for override
+    override = get_override(id, reward_id)
+    cost_value = override.custom_value if override else reward.cost
+
+    # Check if child has enough points
+    logger.info(f'Child {child.name} has {child.points} points, reward {reward.name} costs {cost_value} points')
+    if child.points < cost_value:
+        points_needed = cost_value - child.points
+        return jsonify({
+            'error': 'Insufficient points',
+            'points_needed': points_needed,
+            'current_points': child.points,
+            'reward_cost': cost_value
+        }), 400
+
+    # Remove matching pending reward requests for this child and reward
+    PendingQuery = Query()
+    removed = pending_reward_db.remove(
+        (PendingQuery.child_id == child.id) & (PendingQuery.reward_id == reward.id)
+    )
+    if removed:
+        send_event_for_current_user(Event(EventType.CHILD_REWARD_REQUEST.value, ChildRewardRequest(reward.id, child.id, ChildRewardRequest.REQUEST_GRANTED)))
+
+    # Capture points before modification
+    points_before = child.points
+    
+    # update the child's points based on reward cost
+    child.points -= cost_value
+    # update the child in the database
+    child_db.update({'points': child.points}, ChildQuery.id == id)
+    
+    # Create tracking event
+    tracking_metadata = {
+        'reward_name': reward.name, 
+        'reward_cost': reward.cost,
+        'default_cost': reward.cost
+    }
+    if override:
+        tracking_metadata['custom_cost'] = override.custom_value
+        tracking_metadata['has_override'] = True
+    
+    tracking_event = TrackingEvent.create_event(
+        user_id=user_id,
+        child_id=child.id,
+        entity_type='reward',
+        entity_id=reward.id,
+        action='redeemed',
+        points_before=points_before,
+        points_after=child.points,
+        metadata=tracking_metadata
+    )
+    insert_tracking_event(tracking_event)
+    log_tracking_event(tracking_event)
+    
+    # Send tracking event via SSE
+    send_event_for_current_user(Event(EventType.TRACKING_EVENT_CREATED.value, TrackingEventCreated(tracking_event.id, child.id, 'reward', 'redeemed')))
+    
+    send_event_for_current_user(Event(EventType.CHILD_REWARD_TRIGGERED.value, ChildRewardTriggered(reward.id, child.id, child.points)))
+    return jsonify({'message': f'{reward.name} assigned to {child.name}.', 'points': child.points, 'id': child.id}), 200
+
+@child_api.route('/child/<id>/affordable-rewards', methods=['GET'])
+def list_affordable_rewards(id):
+    user_id = get_validated_user_id()
+    if not user_id:
+        return jsonify({'error': 'Unauthorized', 'code': 'UNAUTHORIZED'}), 401
+    ChildQuery = Query()
+    result = child_db.search((ChildQuery.id == id) & (ChildQuery.user_id == user_id))
+    if not result:
+        return jsonify({'error': 'Child not found'}), 404
+
+    child = Child.from_dict(result[0])
+    points = child.points
+    reward_ids = child.rewards
+    RewardQuery = Query()
+    affordable = [
+        Reward.from_dict(reward).to_dict() for reward_id in reward_ids
+        if (reward := reward_db.get((RewardQuery.id == reward_id) & ((RewardQuery.user_id == user_id) | (RewardQuery.user_id == None)))) and points >= Reward.from_dict(reward).cost
+    ]
+    return jsonify({'affordable_rewards': affordable}), 200
+
+@child_api.route('/child/<id>/reward-status', methods=['GET'])
+def reward_status(id):
+    user_id = get_validated_user_id()
+    if not user_id:
+        return jsonify({'error': 'Unauthorized', 'code': 'UNAUTHORIZED'}), 401
+    ChildQuery = Query()
+    result = child_db.search((ChildQuery.id == id) & (ChildQuery.user_id == user_id))
+    if not result:
+        return jsonify({'error': 'Child not found'}), 404
+
+    child = Child.from_dict(result[0])
+    points = child.points
+    reward_ids = child.rewards
+
+    RewardQuery = Query()
+    statuses = []
+    for reward_id in reward_ids:
+        reward_dict = reward_db.get((RewardQuery.id == reward_id) & ((RewardQuery.user_id == user_id) | (RewardQuery.user_id == None)))
+        if not reward_dict:
+            continue
+        reward: Reward = Reward.from_dict(reward_dict)
+        
+        # Check for override
+        override = get_override(id, reward_id)
+        cost_value = override.custom_value if override else reward.cost
+        points_needed = max(0, cost_value - points)
+        
+        #check to see if this reward id and child id is in the pending rewards db if so set its redeeming flag to true
+        pending_query = Query()
+        pending = pending_reward_db.get((pending_query.child_id == child.id) & (pending_query.reward_id == reward.id) & (pending_query.user_id == user_id))
+        status = RewardStatus(reward.id, reward.name, points_needed, cost_value, pending is not None, reward.image_id)
+        status_dict = status.to_dict()
+        if override:
+            status_dict['custom_value'] = override.custom_value
+        statuses.append(status_dict)
+
+    statuses.sort(key=lambda s: (not s['redeeming'], s['cost']))
+    return jsonify({'reward_status': statuses}), 200
+
+
+@child_api.route('/child/<id>/request-reward', methods=['POST'])
+def request_reward(id):
+    user_id = get_validated_user_id()
+    if not user_id:
+        return jsonify({'error': 'Unauthorized', 'code': 'UNAUTHORIZED'}), 401
+    data = request.get_json()
+    reward_id = data.get('reward_id')
+    if not reward_id:
+        return jsonify({'error': 'reward_id is required'}), 400
+
+    ChildQuery = Query()
+    result = child_db.search((ChildQuery.id == id) & (ChildQuery.user_id == user_id))
+    if not result:
+        return jsonify({'error': 'Child not found'}), 404
+
+    child = Child.from_dict(result[0])
+    if reward_id not in child.rewards:
+        return jsonify({'error': f'Reward not assigned to child {child.name}'}), 404
+
+    RewardQuery = Query()
+    reward_result = reward_db.search(RewardQuery.id == reward_id)
+    if not reward_result:
+        return jsonify({'error': 'Reward not found in reward database'}), 404
+
+    reward = Reward.from_dict(reward_result[0])
+
+    # Check if child has enough points
+    logger.info(f'Child {child.name} has {child.points} points, reward {reward.name} costs {reward.cost} points')
+    if child.points < reward.cost:
+        points_needed = reward.cost - child.points
+        return jsonify({
+            'error': 'Insufficient points',
+            'points_needed': points_needed,
+            'current_points': child.points,
+            'reward_cost': reward.cost
+        }), 400
+
+    pending = PendingReward(child_id=child.id, reward_id=reward.id, user_id=user_id)
+    pending_reward_db.insert(pending.to_dict())
+    logger.info(f'Pending reward request created for child {child.name} for reward {reward.name}')
+    
+    # Create tracking event (no points change on request)
+    tracking_event = TrackingEvent.create_event(
+        user_id=user_id,
+        child_id=child.id,
+        entity_type='reward',
+        entity_id=reward.id,
+        action='requested',
+        points_before=child.points,
+        points_after=child.points,
+        metadata={'reward_name': reward.name, 'reward_cost': reward.cost}
+    )
+    insert_tracking_event(tracking_event)
+    log_tracking_event(tracking_event)
+    
+    # Send tracking event via SSE
+    send_event_for_current_user(Event(EventType.TRACKING_EVENT_CREATED.value, TrackingEventCreated(tracking_event.id, child.id, 'reward', 'requested')))
+    
+    send_event_for_current_user(Event(EventType.CHILD_REWARD_REQUEST.value, ChildRewardRequest(child.id, reward.id, ChildRewardRequest.REQUEST_CREATED)))
+    return jsonify({
+        'message': f'Reward request for {reward.name} submitted for {child.name}.',
+        'reward_id': reward.id,
+        'reward_name': reward.name,
+        'child_id': child.id,
+        'child_name': child.name,
+        'cost': reward.cost
+    }), 200
+
+@child_api.route('/child/<id>/cancel-request-reward', methods=['POST'])
+def cancel_request_reward(id):
+    user_id = get_validated_user_id()
+    if not user_id:
+        return jsonify({'error': 'Unauthorized', 'code': 'UNAUTHORIZED'}), 401
+    data = request.get_json()
+    reward_id = data.get('reward_id')
+    if not reward_id:
+        return jsonify({'error': 'reward_id is required'}), 400
+
+    ChildQuery = Query()
+    result = child_db.search((ChildQuery.id == id) & (ChildQuery.user_id == user_id))
+    if not result:
+        return jsonify({'error': 'Child not found'}), 404
+
+    child = Child.from_dict(result[0])
+
+    # Fetch reward details for tracking metadata
+    RewardQuery = Query()
+    reward_result = reward_db.get((RewardQuery.id == reward_id) & ((RewardQuery.user_id == user_id) | (RewardQuery.user_id == None)))
+    reward_name = reward_result.get('name') if reward_result else 'Unknown'
+    reward_cost = reward_result.get('cost', 0) if reward_result else 0
+
+    # Remove matching pending reward request
+    PendingQuery = Query()
+    removed = pending_reward_db.remove(
+        (PendingQuery.child_id == child.id) & (PendingQuery.reward_id == reward_id) & (PendingQuery.user_id == user_id)
+    )
+
+    if not removed:
+        return jsonify({'error': 'No pending request found for this reward'}), 404
+
+    # Create tracking event (no points change on cancel)
+    tracking_event = TrackingEvent.create_event(
+        user_id=user_id,
+        child_id=child.id,
+        entity_type='reward',
+        entity_id=reward_id,
+        action='cancelled',
+        points_before=child.points,
+        points_after=child.points,
+        metadata={'reward_name': reward_name, 'reward_cost': reward_cost}
+    )
+    insert_tracking_event(tracking_event)
+    log_tracking_event(tracking_event)
+    
+    # Send tracking event via SSE
+    send_event_for_current_user(Event(EventType.TRACKING_EVENT_CREATED.value, TrackingEventCreated(tracking_event.id, child.id, 'reward', 'cancelled')))
+
+    # Notify user that the request was cancelled
+    resp = send_event_for_current_user(Event(EventType.CHILD_REWARD_REQUEST.value, ChildRewardRequest(child.id, reward_id, ChildRewardRequest.REQUEST_CANCELLED)))
+    if resp:
+        return resp
+    return jsonify({
+        'message': f'Reward request cancelled for {child.name}.',
+        'child_id': child.id,
+        'reward_id': reward_id,
+        'removed_count': len(removed)
+    }), 200
+
+
+
+@child_api.route('/pending-rewards', methods=['GET'])
+def list_pending_rewards():
+    user_id = get_validated_user_id()
+    if not user_id:
+        return jsonify({'error': 'Unauthorized', 'code': 'UNAUTHORIZED'}), 401
+    PendingQuery = Query()
+    pending_rewards = pending_reward_db.search(PendingQuery.user_id == user_id)
+    reward_responses = []
+
+    RewardQuery = Query()
+    ChildQuery = Query()
+
+    for pr in pending_rewards:
+        pending = PendingReward.from_dict(pr)
+
+        # Look up reward details
+        reward_result = reward_db.get((RewardQuery.id == pending.reward_id) & ((RewardQuery.user_id == user_id) | (RewardQuery.user_id == None)))
+        if not reward_result:
+            continue
+        reward = Reward.from_dict(reward_result)
+
+        # Look up child details
+        child_result = child_db.get(ChildQuery.id == pending.child_id)
+        if not child_result:
+            continue
+        child = Child.from_dict(child_result)
+
+        # Create response object
+        response = PendingRewardResponse(
+            _id=pending.id,
+            child_id=child.id,
+            child_name=child.name,
+            child_image_id=child.image_id,
+            reward_id=reward.id,
+            reward_name=reward.name,
+            reward_image_id=reward.image_id
+        )
+        reward_responses.append(response.to_dict())
+
+    return jsonify({'rewards': reward_responses, 'count': len(reward_responses), 'list_type': 'notification'}), 200
+

backend/api/child_override_api.py

@@ -0,0 +1,173 @@
+from flask import Blueprint, request, jsonify
+from tinydb import Query
+from api.utils import get_validated_user_id, send_event_for_current_user
+from api.error_codes import ErrorCodes
+from db.db import child_db, task_db, reward_db
+from db.child_overrides import (
+    insert_override,
+    get_override,
+    get_overrides_for_child,
+    delete_override
+)
+from models.child_override import ChildOverride
+from events.types.event import Event
+from events.types.event_types import EventType
+from events.types.child_override_set import ChildOverrideSetPayload
+from events.types.child_override_deleted import ChildOverrideDeletedPayload
+import logging
+
+child_override_api = Blueprint('child_override_api', __name__)
+logger = logging.getLogger(__name__)
+
+
+@child_override_api.route('/child/<child_id>/override', methods=['PUT'])
+def set_child_override(child_id):
+    """
+    Set or update a custom value for a task/reward for a specific child.
+    """
+    user_id = get_validated_user_id()
+    if not user_id:
+        return jsonify({'error': 'Unauthorized', 'code': ErrorCodes.UNAUTHORIZED}), 401
+    
+    # Validate child exists and belongs to user
+    ChildQuery = Query()
+    child_result = child_db.search((ChildQuery.id == child_id) & (ChildQuery.user_id == user_id))
+    if not child_result:
+        return jsonify({'error': 'Child not found', 'code': ErrorCodes.CHILD_NOT_FOUND}), 404
+    
+    child_dict = child_result[0]
+    
+    # Parse request data
+    data = request.get_json() or {}
+    entity_id = data.get('entity_id')
+    entity_type = data.get('entity_type')
+    custom_value = data.get('custom_value')
+    
+    # Validate required fields
+    if not entity_id:
+        return jsonify({'error': 'entity_id is required', 'code': ErrorCodes.MISSING_FIELD, 'field': 'entity_id'}), 400
+    if not entity_type:
+        return jsonify({'error': 'entity_type is required', 'code': ErrorCodes.MISSING_FIELD, 'field': 'entity_type'}), 400
+    if custom_value is None:
+        return jsonify({'error': 'custom_value is required', 'code': ErrorCodes.MISSING_FIELD, 'field': 'custom_value'}), 400
+    
+    # Validate entity_type
+    if entity_type not in ['task', 'reward']:
+        return jsonify({'error': 'entity_type must be "task" or "reward"', 'code': ErrorCodes.INVALID_VALUE, 'field': 'entity_type'}), 400
+    
+    # Validate custom_value range
+    if not isinstance(custom_value, int) or custom_value < 0 or custom_value > 10000:
+        return jsonify({'error': 'custom_value must be an integer between 0 and 10000', 'code': ErrorCodes.INVALID_VALUE, 'field': 'custom_value'}), 400
+    
+    # Validate entity exists and is assigned to child
+    if entity_type == 'task':
+        EntityQuery = Query()
+        entity_result = task_db.search(
+            (EntityQuery.id == entity_id) &
+            ((EntityQuery.user_id == user_id) | (EntityQuery.user_id == None))
+        )
+        if not entity_result:
+            return jsonify({'error': 'Task not found', 'code': ErrorCodes.TASK_NOT_FOUND}), 404
+        
+        # Check if task is assigned to child
+        assigned_tasks = child_dict.get('tasks', [])
+        if entity_id not in assigned_tasks:
+            return jsonify({'error': 'Task not assigned to child', 'code': ErrorCodes.ENTITY_NOT_ASSIGNED}), 404
+    
+    else:  # reward
+        EntityQuery = Query()
+        entity_result = reward_db.search(
+            (EntityQuery.id == entity_id) &
+            ((EntityQuery.user_id == user_id) | (EntityQuery.user_id == None))
+        )
+        if not entity_result:
+            return jsonify({'error': 'Reward not found', 'code': ErrorCodes.REWARD_NOT_FOUND}), 404
+        
+        # Check if reward is assigned to child
+        assigned_rewards = child_dict.get('rewards', [])
+        if entity_id not in assigned_rewards:
+            return jsonify({'error': 'Reward not assigned to child', 'code': ErrorCodes.ENTITY_NOT_ASSIGNED}), 404
+    
+    # Create and insert override
+    try:
+        override = ChildOverride.create_override(
+            child_id=child_id,
+            entity_id=entity_id,
+            entity_type=entity_type,
+            custom_value=custom_value
+        )
+        insert_override(override)
+        
+        # Send SSE event
+        resp = send_event_for_current_user(
+            Event(EventType.CHILD_OVERRIDE_SET.value, ChildOverrideSetPayload(override))
+        )
+        if resp:
+            return resp
+        
+        return jsonify({'override': override.to_dict()}), 200
+    
+    except ValueError as e:
+        return jsonify({'error': str(e), 'code': ErrorCodes.VALIDATION_ERROR}), 400
+    except Exception as e:
+        logger.error(f"Error setting override: {e}")
+        return jsonify({'error': 'Internal server error', 'code': ErrorCodes.INTERNAL_ERROR}), 500
+
+
+@child_override_api.route('/child/<child_id>/overrides', methods=['GET'])
+def get_child_overrides(child_id):
+    """
+    Get all overrides for a specific child.
+    """
+    user_id = get_validated_user_id()
+    if not user_id:
+        return jsonify({'error': 'Unauthorized', 'code': ErrorCodes.UNAUTHORIZED}), 401
+    
+    # Validate child exists and belongs to user
+    ChildQuery = Query()
+    child_result = child_db.search((ChildQuery.id == child_id) & (ChildQuery.user_id == user_id))
+    if not child_result:
+        return jsonify({'error': 'Child not found', 'code': ErrorCodes.CHILD_NOT_FOUND}), 404
+    
+    # Get all overrides for child
+    overrides = get_overrides_for_child(child_id)
+    
+    return jsonify({'overrides': [o.to_dict() for o in overrides]}), 200
+
+
+@child_override_api.route('/child/<child_id>/override/<entity_id>', methods=['DELETE'])
+def delete_child_override(child_id, entity_id):
+    """
+    Delete an override (reset to default).
+    """
+    user_id = get_validated_user_id()
+    if not user_id:
+        return jsonify({'error': 'Unauthorized', 'code': ErrorCodes.UNAUTHORIZED}), 401
+    
+    # Validate child exists and belongs to user
+    ChildQuery = Query()
+    child_result = child_db.search((ChildQuery.id == child_id) & (ChildQuery.user_id == user_id))
+    if not child_result:
+        return jsonify({'error': 'Child not found', 'code': ErrorCodes.CHILD_NOT_FOUND}), 404
+    
+    # Get override to determine entity_type for event
+    override = get_override(child_id, entity_id)
+    if not override:
+        return jsonify({'error': 'Override not found', 'code': ErrorCodes.OVERRIDE_NOT_FOUND}), 404
+    
+    entity_type = override.entity_type
+    
+    # Delete override
+    deleted = delete_override(child_id, entity_id)
+    if not deleted:
+        return jsonify({'error': 'Override not found', 'code': ErrorCodes.OVERRIDE_NOT_FOUND}), 404
+    
+    # Send SSE event
+    resp = send_event_for_current_user(
+        Event(EventType.CHILD_OVERRIDE_DELETED.value, 
+              ChildOverrideDeletedPayload(child_id, entity_id, entity_type))
+    )
+    if resp:
+        return resp
+    
+    return jsonify({'message': 'Override deleted'}), 200

backend/api/error_codes.py

@@ -0,0 +1,28 @@
+MISSING_FIELDS = "MISSING_FIELDS"
+EMAIL_EXISTS = "EMAIL_EXISTS"
+MISSING_TOKEN = "MISSING_TOKEN"
+INVALID_TOKEN = "INVALID_TOKEN"
+TOKEN_TIMESTAMP_MISSING = "TOKEN_TIMESTAMP_MISSING"
+TOKEN_EXPIRED = "TOKEN_EXPIRED"
+MISSING_EMAIL = "MISSING_EMAIL"
+USER_NOT_FOUND = "USER_NOT_FOUND"
+ALREADY_VERIFIED = "ALREADY_VERIFIED"
+MISSING_EMAIL_OR_PASSWORD = "MISSING_EMAIL_OR_PASSWORD"
+INVALID_CREDENTIALS = "INVALID_CREDENTIALS"
+NOT_VERIFIED = "NOT_VERIFIED"
+ACCOUNT_MARKED_FOR_DELETION = "ACCOUNT_MARKED_FOR_DELETION"
+ALREADY_MARKED = "ALREADY_MARKED"
+
+
+class ErrorCodes:
+    """Centralized error codes for API responses."""
+    UNAUTHORIZED = "UNAUTHORIZED"
+    CHILD_NOT_FOUND = "CHILD_NOT_FOUND"
+    TASK_NOT_FOUND = "TASK_NOT_FOUND"
+    REWARD_NOT_FOUND = "REWARD_NOT_FOUND"
+    ENTITY_NOT_ASSIGNED = "ENTITY_NOT_ASSIGNED"
+    OVERRIDE_NOT_FOUND = "OVERRIDE_NOT_FOUND"
+    MISSING_FIELD = "MISSING_FIELD"
+    INVALID_VALUE = "INVALID_VALUE"
+    VALIDATION_ERROR = "VALIDATION_ERROR"
+    INTERNAL_ERROR = "INTERNAL_ERROR"

backend/api/image_api.py

@@ -1,15 +1,18 @@
 import os
+UPLOAD_FOLDER = os.path.abspath(os.path.join(os.path.dirname(__file__), '../../data/images'))
+import os
 
 from PIL import Image as PILImage, UnidentifiedImageError
 from flask import Blueprint, request, jsonify, send_file
 from tinydb import Query
+
+from api.utils import get_current_user_id, sanitize_email, get_validated_user_id
 from config.paths import get_user_image_dir
 
 from db.db import image_db
 from models.image import Image
 
 image_api = Blueprint('image_api', __name__)
-UPLOAD_FOLDER = get_user_image_dir("user123")
 ALLOWED_EXTENSIONS = {'jpg', 'jpeg', 'png'}
 IMAGE_TYPE_PROFILE = 1
 IMAGE_TYPE_ICON = 2
@@ -20,6 +23,9 @@ def allowed_file(filename):
 
 @image_api.route('/image/upload', methods=['POST'])
 def upload():
+    user_id = get_validated_user_id()
+    if not user_id:
+        return jsonify({'error': 'Unauthorized', 'code': 'UNAUTHORIZED'}), 401
     if 'file' not in request.files:
         return jsonify({'error': 'No file part in the request'}), 400
     file = request.files['file']
@@ -60,13 +66,14 @@ def upload():
 
     format_extension_map = {'JPEG': '.jpg', 'PNG': '.png'}
     extension = format_extension_map.get(original_format, '.png')
-
-    image_record = Image(extension=extension, permanent=perm, type=image_type, user="user123")
+    image_record = Image(extension=extension, permanent=perm, type=image_type, user_id=user_id)
     filename = image_record.id + extension
-    filepath = os.path.abspath(os.path.join(UPLOAD_FOLDER, filename))
+    user_image_dir = get_user_image_dir(user_id)
+    os.makedirs(user_image_dir, exist_ok=True)
+
+    filepath = os.path.abspath(os.path.join(get_user_image_dir(sanitize_email(user_id)), filename))
 
     try:
-        os.makedirs(UPLOAD_FOLDER, exist_ok=True)
         # Save with appropriate format
         save_params = {}
         if pil_image.format == 'JPEG':
@@ -82,25 +89,38 @@ def upload():
 
 @image_api.route('/image/request/<id>', methods=['GET'])
 def request_image(id):
+    user_id = get_validated_user_id()
+    if not user_id:
+        return jsonify({'error': 'Unauthorized', 'code': 'UNAUTHORIZED'}), 401
     ImageQuery = Query()
-    image: Image = Image.from_dict(image_db.get(ImageQuery.id == id))
-    if not image:
+    image_record = image_db.get(ImageQuery.id == id)
+    if not image_record:
         return jsonify({'error': 'Image not found'}), 404
+    image = Image.from_dict(image_record)
+    # Allow if image.user_id is None (public image), or matches user_id
+    if image.user_id is not None and image.user_id != user_id:
+        return jsonify({'error': 'Forbidden: image does not belong to user', 'code': 'FORBIDDEN'}), 403
     filename = f"{image.id}{image.extension}"
-    filepath = os.path.abspath(os.path.join(get_user_image_dir(image.user), filename))
+    if image.user_id is None:
+        filepath = os.path.abspath(os.path.join(get_user_image_dir("default"), filename))
+    else:
+        filepath = os.path.abspath(os.path.join(get_user_image_dir(image.user_id), filename))
     if not os.path.exists(filepath):
         return jsonify({'error': 'File not found'}), 404
     return send_file(filepath)
 
 @image_api.route('/image/list', methods=['GET'])
 def list_images():
+    user_id = get_validated_user_id()
+    if not user_id:
+        return jsonify({'error': 'Unauthorized', 'code': 'UNAUTHORIZED'}), 401
     image_type = request.args.get('type', type=int)
     ImageQuery = Query()
     if image_type is not None:
         if image_type not in [IMAGE_TYPE_PROFILE, IMAGE_TYPE_ICON]:
             return jsonify({'error': 'Invalid image type'}), 400
-        images = image_db.search(ImageQuery.type == image_type)
+        images = image_db.search((ImageQuery.type == image_type) & ((ImageQuery.user_id == user_id) | (ImageQuery.user_id == None)))
     else:
-        images = image_db.all()
+        images = image_db.search((ImageQuery.user_id == user_id) | (ImageQuery.user_id == None))
     image_ids = [img['id'] for img in images]
     return jsonify({'ids': image_ids, 'count': len(image_ids)}), 200

backend/api/reward_api.py

@@ -0,0 +1,163 @@
+from flask import Blueprint, request, jsonify
+from tinydb import Query
+
+from api.utils import send_event_for_current_user, get_validated_user_id
+from events.types.child_rewards_set import ChildRewardsSet
+from db.db import reward_db, child_db
+from db.child_overrides import delete_overrides_for_entity
+from events.types.event import Event
+from events.types.event_types import EventType
+from events.types.reward_modified import RewardModified
+from models.reward import Reward
+
+reward_api = Blueprint('reward_api', __name__)
+
+# Reward endpoints
+@reward_api.route('/reward/add', methods=['PUT'])
+def add_reward():
+    user_id = get_validated_user_id()
+    if not user_id:
+        return jsonify({'error': 'Unauthorized', 'code': 'UNAUTHORIZED'}), 401
+    data = request.get_json()
+    name = data.get('name')
+    description = data.get('description')
+    cost = data.get('cost')
+    image = data.get('image_id', '')
+    if not name or description is None or cost is None:
+        return jsonify({'error': 'Name, description, and cost are required'}), 400
+    reward = Reward(name=name, description=description, cost=cost, image_id=image, user_id=user_id)
+    reward_db.insert(reward.to_dict())
+    send_event_for_current_user(Event(EventType.REWARD_MODIFIED.value, RewardModified(reward.id, RewardModified.OPERATION_ADD)))
+    return jsonify({'message': f'Reward {name} added.'}), 201
+
+
+
+@reward_api.route('/reward/<id>', methods=['GET'])
+def get_reward(id):
+    user_id = get_validated_user_id()
+    if not user_id:
+        return jsonify({'error': 'Unauthorized', 'code': 'UNAUTHORIZED'}), 401
+    RewardQuery = Query()
+    result = reward_db.search((RewardQuery.id == id) & ((RewardQuery.user_id == user_id) | (RewardQuery.user_id == None)))
+    if not result:
+        return jsonify({'error': 'Reward not found'}), 404
+    return jsonify(result[0]), 200
+
+@reward_api.route('/reward/list', methods=['GET'])
+def list_rewards():
+    user_id = get_validated_user_id()
+    if not user_id:
+        return jsonify({'error': 'Unauthorized', 'code': 'UNAUTHORIZED'}), 401
+    ids_param = request.args.get('ids')
+    RewardQuery = Query()
+    rewards = reward_db.search((RewardQuery.user_id == user_id) | (RewardQuery.user_id == None))
+    if ids_param is not None:
+        if ids_param.strip() == '':
+            rewards = []
+        else:
+            ids = set(ids_param.split(','))
+            rewards = [reward for reward in rewards if reward.get('id') in ids]
+
+    # Filter out default rewards if user-specific version exists (case/whitespace-insensitive)
+    user_rewards = {r['name'].strip().lower(): r for r in rewards if r.get('user_id') == user_id}
+    filtered_rewards = []
+    for r in rewards:
+        if r.get('user_id') is None and r['name'].strip().lower() in user_rewards:
+            continue  # Skip default if user version exists
+        filtered_rewards.append(r)
+    
+    # Sort: user-created items first (by name), then default items (by name)
+    user_created = sorted([r for r in filtered_rewards if r.get('user_id') == user_id], key=lambda x: x['name'].lower())
+    default_items = sorted([r for r in filtered_rewards if r.get('user_id') is None], key=lambda x: x['name'].lower())
+    sorted_rewards = user_created + default_items
+    
+    return jsonify({'rewards': sorted_rewards}), 200
+
+@reward_api.route('/reward/<id>', methods=['DELETE'])
+def delete_reward(id):
+    user_id = get_validated_user_id()
+    if not user_id:
+        return jsonify({'error': 'Unauthorized', 'code': 'UNAUTHORIZED'}), 401
+    RewardQuery = Query()
+    reward = reward_db.get(RewardQuery.id == id)
+    if not reward:
+        return jsonify({'error': 'Reward not found'}), 404
+    if reward.get('user_id') is None:
+        import logging
+        logging.warning(f"Forbidden delete attempt on system reward: id={id}, by user_id={user_id}")
+        return jsonify({'error': 'System rewards cannot be deleted.'}), 403
+    removed = reward_db.remove((RewardQuery.id == id) & (RewardQuery.user_id == user_id))
+    if removed:
+        # Cascade delete overrides for this reward
+        deleted_count = delete_overrides_for_entity(id)
+        if deleted_count > 0:
+            import logging
+            logging.info(f"Cascade deleted {deleted_count} overrides for reward {id}")
+        
+        # remove the reward id from any child's reward list
+        ChildQuery = Query()
+        for child in child_db.all():
+            rewards = child.get('rewards', [])
+            if id in rewards:
+                rewards.remove(id)
+                child_db.update({'rewards': rewards}, ChildQuery.id == child.get('id'))
+                send_event_for_current_user(Event(EventType.CHILD_REWARDS_SET.value, ChildRewardsSet(id, rewards)))
+        send_event_for_current_user(Event(EventType.REWARD_MODIFIED.value, RewardModified(id, RewardModified.OPERATION_DELETE)))
+        return jsonify({'message': f'Reward {id} deleted.'}), 200
+    return jsonify({'error': 'Reward not found'}), 404
+
+@reward_api.route('/reward/<id>/edit', methods=['PUT'])
+def edit_reward(id):
+    user_id = get_validated_user_id()
+    if not user_id:
+        return jsonify({'error': 'Unauthorized', 'code': 'UNAUTHORIZED'}), 401
+    RewardQuery = Query()
+    existing = reward_db.get((RewardQuery.id == id) & ((RewardQuery.user_id == user_id) | (RewardQuery.user_id == None)))
+    if not existing:
+        return jsonify({'error': 'Reward not found'}), 404
+
+    reward = Reward.from_dict(existing)
+    is_dirty = False
+
+    data = request.get_json(force=True) or {}
+    if 'name' in data:
+        name = (data.get('name') or '').strip()
+        if not name:
+            return jsonify({'error': 'Name cannot be empty'}), 400
+        reward.name = name
+        is_dirty = True
+
+    if 'description' in data:
+        desc = (data.get('description') or '').strip()
+        if not desc:
+            return jsonify({'error': 'Description cannot be empty'}), 400
+        reward.description = desc
+        is_dirty = True
+
+    if 'cost' in data:
+        cost = data.get('cost')
+        if not isinstance(cost, int):
+            return jsonify({'error': 'Cost must be an integer'}), 400
+        if cost <= 0:
+            return jsonify({'error': 'Cost must be a positive integer'}), 400
+        reward.cost = cost
+        is_dirty = True
+
+    if 'image_id' in data:
+        reward.image_id = data.get('image_id', '')
+        is_dirty = True
+
+    if not is_dirty:
+        return jsonify({'error': 'No valid fields to update'}), 400
+
+    if reward.user_id is None:  # public reward
+        new_reward = Reward(name=reward.name, description=reward.description, cost=reward.cost, image_id=reward.image_id, user_id=user_id)
+        reward_db.insert(new_reward.to_dict())
+        send_event_for_current_user(Event(EventType.REWARD_MODIFIED.value,
+                                        RewardModified(new_reward.id, RewardModified.OPERATION_ADD)))
+        return jsonify(new_reward.to_dict()), 200
+
+    reward_db.update(reward.to_dict(), (RewardQuery.id == id) & ((RewardQuery.user_id == user_id) | (RewardQuery.user_id == None)))
+    send_event_for_current_user(Event(EventType.REWARD_MODIFIED.value,
+                                        RewardModified(id, RewardModified.OPERATION_EDIT)))
+    return jsonify(reward.to_dict()), 200

backend/api/task_api.py

@@ -0,0 +1,178 @@
+from flask import Blueprint, request, jsonify
+from tinydb import Query
+
+from api.utils import send_event_for_current_user, get_validated_user_id
+from events.types.child_tasks_set import ChildTasksSet
+from db.db import task_db, child_db
+from db.child_overrides import delete_overrides_for_entity
+from events.types.event import Event
+from events.types.event_types import EventType
+from events.types.task_modified import TaskModified
+from models.task import Task
+
+task_api = Blueprint('task_api', __name__)
+
+# Task endpoints
+@task_api.route('/task/add', methods=['PUT'])
+def add_task():
+    user_id = get_validated_user_id()
+    if not user_id:
+        return jsonify({'error': 'Unauthorized', 'code': 'UNAUTHORIZED'}), 401
+    data = request.get_json()
+    name = data.get('name')
+    points = data.get('points')
+    is_good = data.get('is_good')
+    image = data.get('image_id', '')
+    if not name or points is None or is_good is None:
+        return jsonify({'error': 'Name, points, and is_good are required'}), 400
+    task = Task(name=name, points=points, is_good=is_good, image_id=image, user_id=user_id)
+    task_db.insert(task.to_dict())
+    send_event_for_current_user(Event(EventType.TASK_MODIFIED.value,
+                                        TaskModified(task.id, TaskModified.OPERATION_ADD)))
+    return jsonify({'message': f'Task {name} added.'}), 201
+
+@task_api.route('/task/<id>', methods=['GET'])
+def get_task(id):
+    user_id = get_validated_user_id()
+    if not user_id:
+        return jsonify({'error': 'Unauthorized', 'code': 'UNAUTHORIZED'}), 401
+    TaskQuery = Query()
+    result = task_db.search((TaskQuery.id == id) & ((TaskQuery.user_id == user_id) | (TaskQuery.user_id == None)))
+    if not result:
+        return jsonify({'error': 'Task not found'}), 404
+    return jsonify(result[0]), 200
+
+@task_api.route('/task/list', methods=['GET'])
+def list_tasks():
+    user_id = get_validated_user_id()
+    if not user_id:
+        return jsonify({'error': 'Unauthorized', 'code': 'UNAUTHORIZED'}), 401
+    ids_param = request.args.get('ids')
+    TaskQuery = Query()
+    tasks = task_db.search((TaskQuery.user_id == user_id) | (TaskQuery.user_id == None))
+    if ids_param is not None:
+        if ids_param.strip() == '':
+            tasks = []
+        else:
+            ids = set(ids_param.split(','))
+            tasks = [task for task in tasks if task.get('id') in ids]
+
+    user_tasks = {t['name'].strip().lower(): t for t in tasks if t.get('user_id') == user_id}
+    filtered_tasks = []
+    for t in tasks:
+        if t.get('user_id') is None and t['name'].strip().lower() in user_tasks:
+            continue  # Skip default if user version exists
+        filtered_tasks.append(t)
+    
+    # Sort order:
+    # 1) good tasks first, then not-good tasks
+    # 2) within each group: user-created items first (by name), then default items (by name)
+    good_tasks = [t for t in filtered_tasks if t.get('is_good') is True]
+    not_good_tasks = [t for t in filtered_tasks if t.get('is_good') is not True]
+
+    def sort_user_then_default(tasks_group):
+        user_created = sorted(
+            [t for t in tasks_group if t.get('user_id') == user_id],
+            key=lambda x: x['name'].lower(),
+        )
+        default_items = sorted(
+            [t for t in tasks_group if t.get('user_id') is None],
+            key=lambda x: x['name'].lower(),
+        )
+        return user_created + default_items
+
+    sorted_tasks = sort_user_then_default(good_tasks) + sort_user_then_default(not_good_tasks)
+    
+    return jsonify({'tasks': sorted_tasks}), 200
+
+@task_api.route('/task/<id>', methods=['DELETE'])
+def delete_task(id):
+    user_id = get_validated_user_id()
+    if not user_id:
+        return jsonify({'error': 'Unauthorized', 'code': 'UNAUTHORIZED'}), 401
+    TaskQuery = Query()
+    task = task_db.get(TaskQuery.id == id)
+    if not task:
+        return jsonify({'error': 'Task not found'}), 404
+    if task.get('user_id') is None:
+        import logging
+        logging.warning(f"Forbidden delete attempt on system task: id={id}, by user_id={user_id}")
+        return jsonify({'error': 'System tasks cannot be deleted.'}), 403
+    removed = task_db.remove((TaskQuery.id == id) & (TaskQuery.user_id == user_id))
+    if removed:
+        # Cascade delete overrides for this task
+        deleted_count = delete_overrides_for_entity(id)
+        if deleted_count > 0:
+            import logging
+            logging.info(f"Cascade deleted {deleted_count} overrides for task {id}")
+        
+        # remove the task id from any child's task list
+        ChildQuery = Query()
+        for child in child_db.all():
+            child_tasks = child.get('tasks', [])
+            if id in child_tasks:
+                child_tasks.remove(id)
+                child_db.update({'tasks': child_tasks}, ChildQuery.id == child.get('id'))
+                send_event_for_current_user(Event(EventType.CHILD_TASKS_SET.value, ChildTasksSet(id, child_tasks)))
+        send_event_for_current_user(Event(EventType.TASK_MODIFIED.value, TaskModified(id, TaskModified.OPERATION_DELETE)))
+        return jsonify({'message': f'Task {id} deleted.'}), 200
+    return jsonify({'error': 'Task not found'}), 404
+
+@task_api.route('/task/<id>/edit', methods=['PUT'])
+def edit_task(id):
+    user_id = get_validated_user_id()
+    if not user_id:
+        return jsonify({'error': 'Unauthorized', 'code': 'UNAUTHORIZED'}), 401
+    TaskQuery = Query()
+    existing = task_db.get((TaskQuery.id == id) & ((TaskQuery.user_id == user_id) | (TaskQuery.user_id == None)))
+    if not existing:
+        return jsonify({'error': 'Task not found'}), 404
+
+    task = Task.from_dict(existing)
+    is_dirty = False
+
+    data = request.get_json(force=True) or {}
+    updates = {}
+
+    if 'name' in data:
+        name = data.get('name', '').strip()
+        if not name:
+            return jsonify({'error': 'Name cannot be empty'}), 400
+        task.name = name
+        is_dirty = True
+
+    if 'points' in data:
+        points = data.get('points')
+        if not isinstance(points, int):
+            return jsonify({'error': 'Points must be an integer'}), 400
+        if points <= 0:
+            return jsonify({'error': 'Points must be a positive integer'}), 400
+        task.points = points
+        is_dirty = True
+
+    if 'is_good' in data:
+        is_good = data.get('is_good')
+        if not isinstance(is_good, bool):
+            return jsonify({'error': 'is_good must be a boolean'}), 400
+        task.is_good = is_good
+        is_dirty = True
+
+    if 'image_id' in data:
+        task.image_id = data.get('image_id', '')
+        is_dirty = True
+
+    if not is_dirty:
+        return jsonify({'error': 'No valid fields to update'}), 400
+    
+    if task.user_id is None: # public task
+        new_task = Task(name=task.name, points=task.points, is_good=task.is_good, image_id=task.image_id, user_id=user_id)
+        task_db.insert(new_task.to_dict())
+        send_event_for_current_user(Event(EventType.TASK_MODIFIED.value,
+                                        TaskModified(new_task.id, TaskModified.OPERATION_ADD)))
+
+        return jsonify(new_task.to_dict()), 200
+
+    task_db.update(task.to_dict(), (TaskQuery.id == id) & ((TaskQuery.user_id == user_id) | (TaskQuery.user_id == None)))
+    send_event_for_current_user(Event(EventType.TASK_MODIFIED.value,
+                                        TaskModified(id, TaskModified.OPERATION_EDIT)))
+    return jsonify(task.to_dict()), 200

backend/api/tracking_api.py

@@ -0,0 +1,122 @@
+from flask import Blueprint, request, jsonify
+from api.utils import get_validated_user_id
+from db.tracking import get_tracking_events_by_child, get_tracking_events_by_user
+from models.tracking_event import TrackingEvent
+from functools import wraps
+import jwt
+from tinydb import Query
+from db.db import users_db
+from models.user import User
+
+
+tracking_api = Blueprint('tracking_api', __name__)
+
+
+def admin_required(f):
+    """
+    Decorator to require admin role for endpoints.
+    """
+    @wraps(f)
+    def decorated_function(*args, **kwargs):
+        # Get JWT token from cookie
+        token = request.cookies.get('token')
+        if not token:
+            return jsonify({'error': 'Authentication required', 'code': 'AUTH_REQUIRED'}), 401
+        
+        try:
+            # Verify JWT token
+            payload = jwt.decode(token, 'supersecretkey', algorithms=['HS256'])
+            user_id = payload.get('user_id')
+            
+            if not user_id:
+                return jsonify({'error': 'Invalid token', 'code': 'INVALID_TOKEN'}), 401
+            
+            # Get user from database
+            Query_ = Query()
+            user_dict = users_db.get(Query_.id == user_id)
+            
+            if not user_dict:
+                return jsonify({'error': 'User not found', 'code': 'USER_NOT_FOUND'}), 404
+            
+            user = User.from_dict(user_dict)
+            
+            # Check if user has admin role
+            if user.role != 'admin':
+                return jsonify({'error': 'Admin access required', 'code': 'ADMIN_REQUIRED'}), 403
+            
+            # Store user_id in request context
+            request.admin_user_id = user_id
+            return f(*args, **kwargs)
+        
+        except jwt.ExpiredSignatureError:
+            return jsonify({'error': 'Token expired', 'code': 'TOKEN_EXPIRED'}), 401
+        except jwt.InvalidTokenError:
+            return jsonify({'error': 'Invalid token', 'code': 'INVALID_TOKEN'}), 401
+    
+    return decorated_function
+
+
+@tracking_api.route('/admin/tracking', methods=['GET'])
+@admin_required
+def get_tracking():
+    """
+    Admin endpoint to query tracking events with filters and pagination.
+    
+    Query params:
+    - child_id: Filter by child ID (optional)
+    - user_id: Filter by user ID (optional, admin only)
+    - entity_type: Filter by entity type (task/reward/penalty) (optional)
+    - action: Filter by action type (activated/requested/redeemed/cancelled) (optional)
+    - limit: Max results (default 50, max 500)
+    - offset: Pagination offset (default 0)
+    """
+    child_id = request.args.get('child_id')
+    filter_user_id = request.args.get('user_id')
+    entity_type = request.args.get('entity_type')
+    action = request.args.get('action')
+    limit = int(request.args.get('limit', 50))
+    offset = int(request.args.get('offset', 0))
+    
+    # Validate limit
+    limit = min(max(limit, 1), 500)
+    offset = max(offset, 0)
+    
+    # Validate filters
+    if entity_type and entity_type not in ['task', 'reward', 'penalty']:
+        return jsonify({'error': 'Invalid entity_type', 'code': 'INVALID_ENTITY_TYPE'}), 400
+    
+    if action and action not in ['activated', 'requested', 'redeemed', 'cancelled']:
+        return jsonify({'error': 'Invalid action', 'code': 'INVALID_ACTION'}), 400
+    
+    # Query tracking events
+    if child_id:
+        events, total = get_tracking_events_by_child(
+            child_id=child_id,
+            limit=limit,
+            offset=offset,
+            entity_type=entity_type,
+            action=action
+        )
+    elif filter_user_id:
+        events, total = get_tracking_events_by_user(
+            user_id=filter_user_id,
+            limit=limit,
+            offset=offset,
+            entity_type=entity_type
+        )
+    else:
+        return jsonify({
+            'error': 'Either child_id or user_id is required',
+            'code': 'MISSING_FILTER'
+        }), 400
+    
+    # Convert to dict
+    events_data = [event.to_dict() for event in events]
+    
+    return jsonify({
+        'tracking_events': events_data,
+        'total': total,
+        'limit': limit,
+        'offset': offset,
+        'count': len(events_data)
+    }), 200

backend/api/user_api.py

@@ -0,0 +1,246 @@
+from flask import Blueprint, request, jsonify, current_app
+from events.types.user_modified import UserModified
+from models.user import User
+from tinydb import Query
+from db.db import users_db
+import jwt
+import random
+import string
+import utils.email_sender as email_sender
+from datetime import datetime, timedelta, timezone
+from api.utils import get_validated_user_id, normalize_email, send_event_for_current_user
+from api.error_codes import ACCOUNT_MARKED_FOR_DELETION, ALREADY_MARKED
+from events.types.event_types import EventType
+from events.types.event import Event
+from events.types.profile_updated import ProfileUpdated
+from utils.tracking_logger import log_tracking_event
+from models.tracking_event import TrackingEvent
+from db.tracking import insert_tracking_event
+
+user_api = Blueprint('user_api', __name__)
+UserQuery = Query()
+
+def get_current_user():
+    token = request.cookies.get('token')
+    if not token:
+        return None
+    try:
+        payload = jwt.decode(token, current_app.config['SECRET_KEY'], algorithms=['HS256'])
+        user_id = payload.get('user_id')
+        user_dict = users_db.get(UserQuery.id == user_id)
+        return User.from_dict(user_dict) if user_dict else None
+    except Exception:
+        return None
+
+@user_api.route('/user/profile', methods=['GET'])
+def get_profile():
+    user_id = get_validated_user_id()
+    if not user_id:
+        return jsonify({'error': 'Unauthorized', 'code': 'UNAUTHORIZED'}), 401
+    user = get_current_user()
+    if not user:
+        return jsonify({'error': 'Unauthorized'}), 401
+    return jsonify({
+        'first_name': user.first_name,
+        'last_name': user.last_name,
+        'email': user.email,
+        'image_id': user.image_id
+    }), 200
+
+@user_api.route('/user/profile', methods=['PUT'])
+def update_profile():
+    user_id = get_validated_user_id()
+    if not user_id:
+        return jsonify({'error': 'Unauthorized', 'code': 'UNAUTHORIZED'}), 401
+    user = get_current_user()
+    if not user:
+        return jsonify({'error': 'Unauthorized'}), 401
+    data = request.get_json()
+    # Only allow first_name, last_name, image_id to be updated
+    first_name = data.get('first_name')
+    last_name = data.get('last_name')
+    image_id = data.get('image_id')
+    if first_name is not None:
+        user.first_name = first_name
+    if last_name is not None:
+        user.last_name = last_name
+    if image_id is not None:
+        user.image_id = image_id
+    users_db.update(user.to_dict(), UserQuery.email == user.email)
+    
+    # Create tracking event
+    metadata = {}
+    if first_name is not None:
+        metadata['first_name_updated'] = True
+    if last_name is not None:
+        metadata['last_name_updated'] = True
+    if image_id is not None:
+        metadata['image_updated'] = True
+    
+    tracking_event = TrackingEvent.create_event(
+        user_id=user_id,
+        child_id=None,  # No child for user profile
+        entity_type='user',
+        entity_id=user.id,
+        action='updated',
+        points_before=0,  # Not relevant
+        points_after=0,
+        metadata=metadata
+    )
+    insert_tracking_event(tracking_event)
+    log_tracking_event(tracking_event)
+    
+    # Send SSE event
+    send_event_for_current_user(Event(EventType.PROFILE_UPDATED.value, ProfileUpdated(user.id)))
+    
+    return jsonify({'message': 'Profile updated'}), 200
+
+@user_api.route('/user/image', methods=['PUT'])
+def update_image():
+    user_id = get_validated_user_id()
+    if not user_id:
+        return jsonify({'error': 'Unauthorized', 'code': 'UNAUTHORIZED'}), 401
+    user = get_current_user()
+    if not user:
+        return jsonify({'error': 'Unauthorized'}), 401
+    data = request.get_json()
+    image_id = data.get('image_id')
+    if not image_id:
+        return jsonify({'error': 'Missing image_id'}), 400
+    user.image_id = image_id
+    users_db.update(user.to_dict(), UserQuery.email == user.email)
+    return jsonify({'message': 'Image updated', 'image_id': image_id}), 200
+
+@user_api.route('/user/check-pin', methods=['POST'])
+def check_pin():
+    user_id = get_validated_user_id()
+    if not user_id:
+        return jsonify({'error': 'Unauthorized', 'code': 'UNAUTHORIZED'}), 401
+    user = get_current_user()
+    if not user:
+        return jsonify({'error': 'Unauthorized'}), 401
+    data = request.get_json()
+    pin = data.get('pin')
+    if not pin:
+        return jsonify({'error': 'Missing pin'}), 400
+    if user.pin and pin == user.pin:
+        return jsonify({'valid': True}), 200
+    return jsonify({'valid': False}), 200
+
+@user_api.route('/user/has-pin', methods=['GET'])
+def has_pin():
+    user_id = get_validated_user_id()
+    if not user_id:
+        return jsonify({'error': 'Unauthorized', 'code': 'UNAUTHORIZED'}), 401
+    user = get_current_user()
+    if not user:
+        return jsonify({'error': 'Unauthorized'}), 401
+    return jsonify({'has_pin': bool(user.pin)}), 200
+
+@user_api.route('/user/request-pin-setup', methods=['POST'])
+def request_pin_setup():
+    user_id = get_validated_user_id()
+    if not user_id:
+        return jsonify({'error': 'Unauthorized', 'code': 'UNAUTHORIZED'}), 401
+    user = get_current_user()
+    if not user or not user.verified:
+        return jsonify({'error': 'Unauthorized'}), 401
+    # Generate 6-digit/character code
+    code = ''.join(random.choices(string.ascii_uppercase + string.digits, k=6))
+    user.pin_setup_code = code
+    user.pin_setup_code_created = datetime.utcnow().isoformat()
+    users_db.update(user.to_dict(), UserQuery.email == user.email)
+    # Send email
+    send_pin_setup_email(user.email, code)
+    return jsonify({'message': 'Verification code sent to your email.'}), 200
+
+def send_pin_setup_email(email, code):
+        # Use the reusable email sender
+        email_sender.send_pin_setup_email(email, code)
+
+@user_api.route('/user/verify-pin-setup', methods=['POST'])
+def verify_pin_setup():
+    user_id = get_validated_user_id()
+    if not user_id:
+        return jsonify({'error': 'Unauthorized', 'code': 'UNAUTHORIZED'}), 401
+    user = get_current_user()
+    if not user or not user.verified:
+        return jsonify({'error': 'Unauthorized'}), 401
+    data = request.get_json()
+    code = data.get('code')
+    if not code:
+        return jsonify({'error': 'Missing code'}), 400
+    if not user.pin_setup_code or not user.pin_setup_code_created:
+        return jsonify({'error': 'No code requested'}), 400
+    # Check expiry (10 min)
+    created = datetime.fromisoformat(user.pin_setup_code_created)
+    if datetime.utcnow() > created + timedelta(minutes=10):
+        return jsonify({'error': 'Code expired'}), 400
+    if code.strip().upper() != user.pin_setup_code.upper():
+        return jsonify({'error': 'Invalid code'}), 400
+    return jsonify({'message': 'Code verified'}), 200
+
+@user_api.route('/user/set-pin', methods=['POST'])
+def set_pin():
+    user_id = get_validated_user_id()
+    if not user_id:
+        return jsonify({'error': 'Unauthorized', 'code': 'UNAUTHORIZED'}), 401
+    user = get_current_user()
+    if not user or not user.verified:
+        return jsonify({'error': 'Unauthorized'}), 401
+    data = request.get_json()
+    pin = data.get('pin')
+    if not pin or not pin.isdigit() or not (4 <= len(pin) <= 6):
+        return jsonify({'error': 'PIN must be 4-6 digits'}), 400
+    # Only allow if code was recently verified
+    if not user.pin_setup_code or not user.pin_setup_code_created:
+        return jsonify({'error': 'No code verified'}), 400
+    created = datetime.fromisoformat(user.pin_setup_code_created)
+    if datetime.utcnow() > created + timedelta(minutes=10):
+        return jsonify({'error': 'Code expired'}), 400
+    # Set pin, clear code
+    user.pin = pin
+    user.pin_setup_code = ''
+    user.pin_setup_code_created = None
+    users_db.update(user.to_dict(), UserQuery.email == user.email)
+    return jsonify({'message': 'Parent PIN set'}), 200
+
+@user_api.route('/user/mark-for-deletion', methods=['POST'])
+def mark_for_deletion():
+    user_id = get_validated_user_id()
+    if not user_id:
+        return jsonify({'error': 'Unauthorized', 'code': 'UNAUTHORIZED'}), 401
+    user = get_current_user()
+    if not user:
+        return jsonify({'error': 'Unauthorized'}), 401
+    
+    # Validate email from request body
+    data = request.get_json()
+    email = data.get('email', '').strip()
+    if not email:
+        return jsonify({'error': 'Email is required', 'code': 'EMAIL_REQUIRED'}), 400
+    
+    # Verify email matches the logged-in user - make sure to normalize the email address first
+    if normalize_email(email) != normalize_email(user.email):
+        return jsonify({'error': 'Email does not match your account', 'code': 'EMAIL_MISMATCH'}), 400
+   
+    # Check if already marked
+    if user.marked_for_deletion:
+        return jsonify({'error': 'Account already marked for deletion', 'code': ALREADY_MARKED}), 400
+    
+    # Mark for deletion
+    user.marked_for_deletion = True
+    user.marked_for_deletion_at = datetime.now(timezone.utc).isoformat()
+
+    # Invalidate any outstanding verification/reset tokens so they cannot be used after marking
+    user.verify_token = None
+    user.verify_token_created = None
+    user.reset_token = None
+    user.reset_token_created = None
+
+    users_db.update(user.to_dict(), UserQuery.id == user.id)
+    
+    # Trigger SSE event
+    send_event_for_current_user(Event(EventType.USER_MARKED_FOR_DELETION.value, UserModified(user.id, UserModified.OPERATION_DELETE)))
+    
+    return jsonify({'success': True}), 200

backend/api/utils.py

@@ -0,0 +1,53 @@
+import jwt
+import re
+from db.db import users_db
+from tinydb import Query
+from flask import request, current_app, jsonify
+
+from events.sse import send_event_to_user
+
+
+def normalize_email(email: str) -> str:
+    """Normalize email for uniqueness checks (Gmail: remove dots and +aliases)."""
+    email = email.strip().lower()
+    if '@' not in email:
+        return email
+    local, domain = email.split('@', 1)
+    if domain in ('gmail.com', 'googlemail.com'):
+        local = local.split('+', 1)[0].replace('.', '')
+    return f"{local}@{domain}"
+
+def sanitize_email(email):
+    return email.replace('@', '_at_').replace('.', '_dot_')
+
+def get_current_user_id():
+    token = request.cookies.get('token')
+    if not token:
+        return None
+    try:
+        payload = jwt.decode(token, current_app.config['SECRET_KEY'], algorithms=['HS256'])
+        user_id = payload.get('user_id')
+        if not user_id:
+            return None
+        token_version = payload.get('token_version', 0)
+        user = users_db.get(Query().id == user_id)
+        if not user:
+            return None
+        if token_version != user.get('token_version', 0):
+            return None
+        return user_id
+    except jwt.InvalidTokenError:
+        return None
+    
+def get_validated_user_id():
+    user_id = get_current_user_id()
+    if not user_id or not users_db.get(Query().id == user_id):
+        return None
+    return user_id    
+
+def send_event_for_current_user(event):
+    user_id = get_current_user_id()
+    if not user_id:
+        return jsonify({'error': 'Unauthorized'}), 401
+    send_event_to_user(user_id, event)
+    return None

backend/config/deletion_config.py

@@ -0,0 +1,61 @@
+import os
+import logging
+
+logger = logging.getLogger(__name__)
+
+# Account deletion threshold in hours
+# Default: 720 hours (30 days)
+# Minimum: 24 hours (1 day)
+# Maximum: 720 hours (30 days)
+
+try:
+    ACCOUNT_DELETION_THRESHOLD_HOURS = int(os.getenv('ACCOUNT_DELETION_THRESHOLD_HOURS', '720'))
+except ValueError as e:
+    raise ValueError(
+        f"ACCOUNT_DELETION_THRESHOLD_HOURS must be a valid integer. "
+        f"Invalid value: {os.getenv('ACCOUNT_DELETION_THRESHOLD_HOURS')}"
+    ) from e
+
+# Validation
+MIN_THRESHOLD_HOURS = 24
+MAX_THRESHOLD_HOURS = 720
+
+def validate_threshold(threshold_hours=None):
+    """
+    Validate the account deletion threshold.
+    
+    Args:
+        threshold_hours: Optional threshold value to validate. If None, validates the module's global value.
+        
+    Returns True if valid, raises ValueError if invalid.
+    """
+    value = threshold_hours if threshold_hours is not None else ACCOUNT_DELETION_THRESHOLD_HOURS
+    
+    if value < MIN_THRESHOLD_HOURS:
+        raise ValueError(
+            f"ACCOUNT_DELETION_THRESHOLD_HOURS must be at least {MIN_THRESHOLD_HOURS} hours. "
+            f"Current value: {value}"
+        )
+    
+    if value > MAX_THRESHOLD_HOURS:
+        raise ValueError(
+            f"ACCOUNT_DELETION_THRESHOLD_HOURS must be at most {MAX_THRESHOLD_HOURS} hours. "
+            f"Current value: {value}"
+        )
+    
+    # Warn if threshold is less than 7 days (168 hours)
+    if value < 168:
+        logger.warning(
+            f"Account deletion threshold is set to {value} hours, "
+            "which is below the recommended minimum of 7 days (168 hours). "
+            "Users will have limited time to recover their accounts."
+        )
+    
+    if threshold_hours is None:
+        # Only log this when validating the module's global value
+        logger.info(f"Account deletion threshold: {ACCOUNT_DELETION_THRESHOLD_HOURS} hours")
+    
+    return True
+
+# Validate on module import
+validate_threshold()

backend/config/paths.py

@@ -9,19 +9,33 @@ TEST_DATA_DIR_NAME = 'test_data'
 # Project root (two levels up from this file)
 PROJECT_ROOT = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
 
+def get_base_data_dir(data_env: str | None = None) -> str:
+    """
+    Return the absolute base data directory path for the given env.
+    data_env: 'prod' uses `data`, anything else uses `test_data`.
+    """
+    env = (data_env or os.environ.get('DATA_ENV', 'prod')).lower()
+    base_name = DATA_DIR_NAME if env == 'prod' else TEST_DATA_DIR_NAME
+    return os.path.join(PROJECT_ROOT, base_name)
+
 def get_database_dir(db_env: str | None = None) -> str:
     """
     Return the absolute base directory path for the given DB env.
     db_env: 'prod' uses `data/db`, anything else uses `test_data/db`.
     """
     env = (db_env or os.environ.get('DB_ENV', 'prod')).lower()
-    base_name = DATA_DIR_NAME if env == 'prod' else TEST_DATA_DIR_NAME
-    return os.path.join(PROJECT_ROOT, base_name, 'db')
+    return os.path.join(PROJECT_ROOT, get_base_data_dir(env), 'db')
 
 def get_user_image_dir(username: str | None) -> str:
     """
     Return the absolute directory path for storing images for a specific user.
     """
     if username:
-        return os.path.join(PROJECT_ROOT, DATA_DIR_NAME, 'images', username)
+        return os.path.join(PROJECT_ROOT, get_base_data_dir(), 'images', username)
     return os.path.join(PROJECT_ROOT, 'resources', 'images')
+
+def get_logs_dir() -> str:
+    """
+    Return the absolute directory path for application logs.
+    """
+    return os.path.join(PROJECT_ROOT, 'logs')

backend/config/version.py

@@ -2,7 +2,7 @@
 # file: config/version.py
 import os
 
-BASE_VERSION = "1.0.3"  # update manually when releasing features
+BASE_VERSION = "1.0.5"  # update manually when releasing features
 
 def get_full_version() -> str:
     """

backend/db/child_overrides.py

@@ -0,0 +1,146 @@
+"""Helper functions for child override database operations."""
+import logging
+from typing import Optional, List
+from tinydb import Query
+from db.db import child_overrides_db
+from models.child_override import ChildOverride
+
+
+logger = logging.getLogger(__name__)
+
+
+def insert_override(override: ChildOverride) -> str:
+    """
+    Insert or update an override. Only one override per (child_id, entity_id).
+    
+    Args:
+        override: ChildOverride instance to insert or update
+        
+    Returns:
+        The override ID
+    """
+    try:
+        OverrideQuery = Query()
+        existing = child_overrides_db.get(
+            (OverrideQuery.child_id == override.child_id) &
+            (OverrideQuery.entity_id == override.entity_id)
+        )
+        
+        if existing:
+            # Update existing override
+            override.touch()  # Update timestamp
+            child_overrides_db.update(override.to_dict(), doc_ids=[existing.doc_id])
+            logger.info(f"Override updated: child={override.child_id}, entity={override.entity_id}, value={override.custom_value}")
+        else:
+            # Insert new override
+            child_overrides_db.insert(override.to_dict())
+            logger.info(f"Override created: child={override.child_id}, entity={override.entity_id}, value={override.custom_value}")
+        
+        return override.id
+    except Exception as e:
+        logger.error(f"Failed to insert override: {e}")
+        raise
+
+
+def get_override(child_id: str, entity_id: str) -> Optional[ChildOverride]:
+    """
+    Get override for a specific child and entity.
+    
+    Args:
+        child_id: Child ID
+        entity_id: Entity ID (task or reward)
+        
+    Returns:
+        ChildOverride instance or None if not found
+    """
+    OverrideQuery = Query()
+    result = child_overrides_db.get(
+        (OverrideQuery.child_id == child_id) &
+        (OverrideQuery.entity_id == entity_id)
+    )
+    return ChildOverride.from_dict(result) if result else None
+
+
+def get_overrides_for_child(child_id: str) -> List[ChildOverride]:
+    """
+    Get all overrides for a specific child.
+    
+    Args:
+        child_id: Child ID
+        
+    Returns:
+        List of ChildOverride instances
+    """
+    OverrideQuery = Query()
+    results = child_overrides_db.search(OverrideQuery.child_id == child_id)
+    return [ChildOverride.from_dict(r) for r in results]
+
+
+def delete_override(child_id: str, entity_id: str) -> bool:
+    """
+    Delete a specific override.
+    
+    Args:
+        child_id: Child ID
+        entity_id: Entity ID
+        
+    Returns:
+        True if deleted, False if not found
+    """
+    try:
+        OverrideQuery = Query()
+        deleted = child_overrides_db.remove(
+            (OverrideQuery.child_id == child_id) &
+            (OverrideQuery.entity_id == entity_id)
+        )
+        if deleted:
+            logger.info(f"Override deleted: child={child_id}, entity={entity_id}")
+            return True
+        return False
+    except Exception as e:
+        logger.error(f"Failed to delete override: {e}")
+        raise
+
+
+def delete_overrides_for_child(child_id: str) -> int:
+    """
+    Delete all overrides for a child.
+    
+    Args:
+        child_id: Child ID
+        
+    Returns:
+        Count of deleted overrides
+    """
+    try:
+        OverrideQuery = Query()
+        deleted = child_overrides_db.remove(OverrideQuery.child_id == child_id)
+        count = len(deleted)
+        if count > 0:
+            logger.info(f"Overrides cascade deleted for child: child_id={child_id}, count={count}")
+        return count
+    except Exception as e:
+        logger.error(f"Failed to delete overrides for child: {e}")
+        raise
+
+
+def delete_overrides_for_entity(entity_id: str) -> int:
+    """
+    Delete all overrides for an entity.
+    
+    Args:
+        entity_id: Entity ID (task or reward)
+        
+    Returns:
+        Count of deleted overrides
+    """
+    try:
+        OverrideQuery = Query()
+        deleted = child_overrides_db.remove(OverrideQuery.entity_id == entity_id)
+        count = len(deleted)
+        if count > 0:
+            logger.info(f"Overrides cascade deleted for entity: entity_id={entity_id}, count={count}")
+        return count
+    except Exception as e:
+        logger.error(f"Failed to delete overrides for entity: {e}")
+        raise

backend/db/db.py

@@ -72,6 +72,9 @@ task_path = os.path.join(base_dir, 'tasks.json')
 reward_path = os.path.join(base_dir, 'rewards.json')
 image_path = os.path.join(base_dir, 'images.json')
 pending_reward_path = os.path.join(base_dir, 'pending_rewards.json')
+users_path = os.path.join(base_dir, 'users.json')
+tracking_events_path = os.path.join(base_dir, 'tracking_events.json')
+child_overrides_path = os.path.join(base_dir, 'child_overrides.json')
 
 # Use separate TinyDB instances/files for each collection
 _child_db = TinyDB(child_path, indent=2)
@@ -79,6 +82,9 @@ _task_db = TinyDB(task_path, indent=2)
 _reward_db = TinyDB(reward_path, indent=2)
 _image_db = TinyDB(image_path, indent=2)
 _pending_rewards_db = TinyDB(pending_reward_path, indent=2)
+_users_db = TinyDB(users_path, indent=2)
+_tracking_events_db = TinyDB(tracking_events_path, indent=2)
+_child_overrides_db = TinyDB(child_overrides_path, indent=2)
 
 # Expose table objects wrapped with locking
 child_db = LockedTable(_child_db)
@@ -86,6 +92,9 @@ task_db = LockedTable(_task_db)
 reward_db = LockedTable(_reward_db)
 image_db = LockedTable(_image_db)
 pending_reward_db = LockedTable(_pending_rewards_db)
+users_db = LockedTable(_users_db)
+tracking_events_db = LockedTable(_tracking_events_db)
+child_overrides_db = LockedTable(_child_overrides_db)
 
 if os.environ.get('DB_ENV', 'prod') == 'test':
     child_db.truncate()
@@ -93,4 +102,7 @@ if os.environ.get('DB_ENV', 'prod') == 'test':
     reward_db.truncate()
     image_db.truncate()
     pending_reward_db.truncate()
+    users_db.truncate()
+    tracking_events_db.truncate()
+    child_overrides_db.truncate()
 

backend/db/default.py

@@ -2,6 +2,8 @@
 # File: db/debug.py
 
 from tinydb import Query
+import os
+import shutil
 
 from api.image_api import IMAGE_TYPE_ICON, IMAGE_TYPE_PROFILE
 from db.db import task_db, reward_db, image_db
@@ -119,7 +121,22 @@ def createDefaultRewards():
             reward_db.insert(reward.to_dict())
 
 def initializeImages():
-    """Initialize the image database with default images if empty."""
+    
+    """Initialize the image database with default images if empty, and copy images to data/images/default."""
+     # Step 1: Create data/images/default directory if it doesn't exist
+    default_img_dir = os.path.join(os.path.dirname(__file__), '../data/images/default')
+    os.makedirs(default_img_dir, exist_ok=True)
+
+    # Step 2: Copy all image files from resources/images/ to data/images/default
+    src_img_dir = os.path.join(os.path.dirname(__file__), '../resources/images')
+    if os.path.exists(src_img_dir):
+        for fname in os.listdir(src_img_dir):
+            src_path = os.path.join(src_img_dir, fname)
+            dst_path = os.path.join(default_img_dir, fname)
+            if os.path.isfile(src_path):
+                shutil.copy2(src_path, dst_path)
+
+    # Original DB initialization logic
     if len(image_db.all()) == 0:
         image_defs = [
             ('boy01', IMAGE_TYPE_PROFILE, '.png', True),

backend/db/tracking.py

@@ -0,0 +1,125 @@
+"""Helper functions for tracking events database operations."""
+import logging
+from typing import Optional, List
+from tinydb import Query
+from db.db import tracking_events_db
+from models.tracking_event import TrackingEvent, EntityType, ActionType
+
+
+logger = logging.getLogger(__name__)
+
+
+def insert_tracking_event(event: TrackingEvent) -> str:
+    """
+    Insert a tracking event into the database.
+    
+    Args:
+        event: TrackingEvent instance to insert
+        
+    Returns:
+        The event ID
+    """
+    try:
+        tracking_events_db.insert(event.to_dict())
+        logger.info(f"Tracking event created: {event.action} {event.entity_type} {event.entity_id} for child {event.child_id}")
+        return event.id
+    except Exception as e:
+        logger.error(f"Failed to insert tracking event: {e}")
+        raise
+
+
+def get_tracking_events_by_child(
+    child_id: str,
+    limit: int = 50,
+    offset: int = 0,
+    entity_type: Optional[EntityType] = None,
+    action: Optional[ActionType] = None
+) -> tuple[List[TrackingEvent], int]:
+    """
+    Query tracking events for a specific child with optional filters.
+    
+    Args:
+        child_id: Child ID to filter by
+        limit: Maximum number of results (default 50, max 500)
+        offset: Number of results to skip
+        entity_type: Optional filter by entity type
+        action: Optional filter by action type
+        
+    Returns:
+        Tuple of (list of TrackingEvent instances, total count)
+    """
+    limit = min(limit, 500)
+    
+    TrackingQuery = Query()
+    query_condition = TrackingQuery.child_id == child_id
+    
+    if entity_type:
+        query_condition &= TrackingQuery.entity_type == entity_type
+    if action:
+        query_condition &= TrackingQuery.action == action
+    
+    all_results = tracking_events_db.search(query_condition)
+    total = len(all_results)
+    
+    # Sort by occurred_at desc, then created_at desc
+    all_results.sort(key=lambda x: (x.get('occurred_at', ''), x.get('created_at', 0)), reverse=True)
+    
+    paginated = all_results[offset:offset + limit]
+    events = [TrackingEvent.from_dict(r) for r in paginated]
+    
+    return events, total
+
+
+def get_tracking_events_by_user(
+    user_id: str,
+    limit: int = 50,
+    offset: int = 0,
+    entity_type: Optional[EntityType] = None
+) -> tuple[List[TrackingEvent], int]:
+    """
+    Query tracking events for a specific user.
+    
+    Args:
+        user_id: User ID to filter by
+        limit: Maximum number of results
+        offset: Number of results to skip
+        entity_type: Optional filter by entity type
+        
+    Returns:
+        Tuple of (list of TrackingEvent instances, total count)
+    """
+    limit = min(limit, 500)
+    
+    TrackingQuery = Query()
+    query_condition = TrackingQuery.user_id == user_id
+    
+    if entity_type:
+        query_condition &= TrackingQuery.entity_type == entity_type
+    
+    all_results = tracking_events_db.search(query_condition)
+    total = len(all_results)
+    
+    all_results.sort(key=lambda x: (x.get('occurred_at', ''), x.get('created_at', 0)), reverse=True)
+    
+    paginated = all_results[offset:offset + limit]
+    events = [TrackingEvent.from_dict(r) for r in paginated]
+    
+    return events, total
+
+
+def anonymize_tracking_events_for_user(user_id: str) -> int:
+    """
+    Anonymize tracking events by setting user_id to None.
+    Called when a user is deleted.
+    
+    Args:
+        user_id: User ID to anonymize
+        
+    Returns:
+        Number of records anonymized
+    """
+    TrackingQuery = Query()
+    result = tracking_events_db.update({'user_id': None}, TrackingQuery.user_id == user_id)
+    count = len(result) if result else 0
+    logger.info(f"Anonymized {count} tracking events for user {user_id}")
+    return count

backend/events/sse.py

@@ -29,6 +29,7 @@ def get_queue(user_id: str, connection_id: str) -> queue.Queue:
 def send_to_user(user_id: str, data: Dict[str, Any]):
     """Send data to all connections for a specific user."""
     logger.info(f"Sending data to {user_id} user quesues are {user_queues.keys()}")
+    logger.info(f"Data: {data}")
     if user_id in user_queues:
         logger.info(f"Queued {user_id}")
         # Format as SSE message once
@@ -37,8 +38,6 @@ def send_to_user(user_id: str, data: Dict[str, Any]):
         # Send to all connections for this user
         for connection_id, q in user_queues[user_id].items():
             try:
-                logger.info(f"Sending message to {connection_id}")
-                q.put(message)
                 q.put(message, block=False)
             except queue.Full:
                 # Skip if queue is full (connection might be dead)
@@ -61,7 +60,6 @@ def sse_response_for_user(user_id: str):
         try:
             while True:
                 # Get message from queue (blocks until available)
-                logger.info(f"blocking on get for {user_id} user")
                 message = user_queue.get()
                 yield message
         except GeneratorExit:

backend/events/types/child_override_deleted.py

@@ -0,0 +1,22 @@
+from events.types.payload import Payload
+
+
+class ChildOverrideDeletedPayload(Payload):
+    def __init__(self, child_id: str, entity_id: str, entity_type: str):
+        super().__init__({
+            'child_id': child_id,
+            'entity_id': entity_id,
+            'entity_type': entity_type
+        })
+
+    @property
+    def child_id(self) -> str:
+        return self.get("child_id")
+
+    @property
+    def entity_id(self) -> str:
+        return self.get("entity_id")
+
+    @property
+    def entity_type(self) -> str:
+        return self.get("entity_type")

backend/events/types/child_override_set.py

@@ -0,0 +1,13 @@
+from events.types.payload import Payload
+from models.child_override import ChildOverride
+
+
+class ChildOverrideSetPayload(Payload):
+    def __init__(self, override: ChildOverride):
+        super().__init__({
+            'override': override.to_dict()
+        })
+
+    @property
+    def override(self) -> dict:
+        return self.get("override")

backend/events/types/event_types.py

@@ -13,3 +13,13 @@ class EventType(Enum):
     CHILD_REWARD_REQUEST = "child_reward_request"
 
     CHILD_MODIFIED = "child_modified"
+
+    USER_MARKED_FOR_DELETION = "user_marked_for_deletion"
+    USER_DELETED = "user_deleted"
+
+    TRACKING_EVENT_CREATED = "tracking_event_created"
+    
+    CHILD_OVERRIDE_SET = "child_override_set"
+    CHILD_OVERRIDE_DELETED = "child_override_deleted"
+
+    PROFILE_UPDATED = "profile_updated"

backend/events/types/profile_updated.py

@@ -0,0 +1,12 @@
+from events.types.payload import Payload
+
+
+class ProfileUpdated(Payload):
+    def __init__(self, user_id: str):
+        super().__init__({
+            'user_id': user_id,
+        })
+
+    @property
+    def user_id(self) -> str:
+        return self.get("user_id")

backend/events/types/tracking_event_created.py

@@ -0,0 +1,27 @@
+from events.types.payload import Payload
+
+
+class TrackingEventCreated(Payload):
+    def __init__(self, tracking_event_id: str, child_id: str, entity_type: str, action: str):
+        super().__init__({
+            'tracking_event_id': tracking_event_id,
+            'child_id': child_id,
+            'entity_type': entity_type,
+            'action': action
+        })
+
+    @property
+    def tracking_event_id(self) -> str:
+        return self.get("tracking_event_id")
+
+    @property
+    def child_id(self) -> str:
+        return self.get("child_id")
+
+    @property
+    def entity_type(self) -> str:
+        return self.get("entity_type")
+
+    @property
+    def action(self) -> str:
+        return self.get("action")

backend/events/types/user_deleted.py

@@ -0,0 +1,26 @@
+from events.types.payload import Payload
+
+
+class UserDeleted(Payload):
+    """
+    Event payload for when a user account is deleted.
+    This event is broadcast only to admin users.
+    """
+    def __init__(self, user_id: str, email: str, deleted_at: str):
+        super().__init__({
+            'user_id': user_id,
+            'email': email,
+            'deleted_at': deleted_at,
+        })
+
+    @property
+    def user_id(self) -> str:
+        return self.get("user_id")
+
+    @property
+    def email(self) -> str:
+        return self.get("email")
+
+    @property
+    def deleted_at(self) -> str:
+        return self.get("deleted_at")

backend/events/types/user_modified.py

@@ -0,0 +1,21 @@
+from events.types.payload import Payload
+
+
+class UserModified(Payload):
+    OPERATION_ADD = "ADD"
+    OPERATION_EDIT = "EDIT"
+    OPERATION_DELETE = "DELETE"
+    def __init__(self, user_id: str, operation: str):
+        super().__init__({
+            'user_id': user_id,
+            'operation': operation,
+        })
+
+    @property
+    def user_id(self) -> str:
+        return self.get("user_id")
+
+    @property
+    def operation(self) -> str:
+        return self.get("operation")
+

backend/main.py

@@ -1,16 +1,25 @@
-import sys, logging, os
-from config.paths import get_user_image_dir
+import logging
+import sys
+import os
+
 from flask import Flask, request, jsonify
 from flask_cors import CORS
 
+from api.admin_api import admin_api
+from api.auth_api import auth_api
 from api.child_api import child_api
+from api.child_override_api import child_override_api
 from api.image_api import image_api
 from api.reward_api import reward_api
 from api.task_api import task_api
+from api.tracking_api import tracking_api
+from api.user_api import user_api
 from config.version import get_full_version
+
+from db.default import initializeImages, createDefaultTasks, createDefaultRewards
 from events.broadcaster import Broadcaster
 from events.sse import sse_response_for_user, send_to_user
-from db.default import initializeImages, createDefaultTasks, createDefaultRewards
+from utils.account_deletion_scheduler import start_deletion_scheduler
 
 # Configure logging once at application startup
 logging.basicConfig(
@@ -24,10 +33,28 @@ logger = logging.getLogger(__name__)
 
 app = Flask(__name__)
 #CORS(app, resources={r"/api/*": {"origins": ["http://localhost:3000", "http://localhost:5173"]}})
+#Todo - add prefix to all these routes instead of in each blueprint
+app.register_blueprint(admin_api)
 app.register_blueprint(child_api)
+app.register_blueprint(child_override_api)
 app.register_blueprint(reward_api)
 app.register_blueprint(task_api)
 app.register_blueprint(image_api)
+app.register_blueprint(auth_api, url_prefix='/auth')
+app.register_blueprint(user_api)
+app.register_blueprint(tracking_api)
+
+app.config.update(
+    MAIL_SERVER='smtp.gmail.com',
+    MAIL_PORT=587,
+    MAIL_USE_TLS=True,
+    MAIL_USERNAME='ryan.kegel@gmail.com',
+    MAIL_PASSWORD='ruyj hxjf nmrz buar',
+    MAIL_DEFAULT_SENDER='ryan.kegel@gmail.com',
+    FRONTEND_URL=os.environ.get('FRONTEND_URL', 'https://localhost:5173'),  # Dynamic via env var, defaults to localhost
+    SECRET_KEY='supersecretkey'  # Replace with a secure key in production
+)
+
 CORS(app)
 
 @app.route("/version")
@@ -61,12 +88,11 @@ def start_background_threads():
     broadcaster.start()
 
 # TODO: implement users
-os.makedirs(get_user_image_dir("user123"), exist_ok=True)
 initializeImages()
 createDefaultTasks()
 createDefaultRewards()
 start_background_threads()
-
+start_deletion_scheduler()
 
 if __name__ == '__main__':
     app.run(debug=False, host='0.0.0.0', port=5000, threaded=True)

backend/models/child.py

@@ -9,6 +9,7 @@ class Child(BaseModel):
     rewards: list[str] = field(default_factory=list)
     points: int = 0
     image_id: str | None = None
+    user_id: str | None = None
 
     @classmethod
     def from_dict(cls, d: dict):
@@ -19,10 +20,10 @@ class Child(BaseModel):
             rewards=d.get('rewards', []),
             points=d.get('points', 0),
             image_id=d.get('image_id'),
+            user_id=d.get('user_id'),
             id=d.get('id'),
             created_at=d.get('created_at'),
             updated_at=d.get('updated_at')
-
         )
 
     def to_dict(self):
@@ -33,6 +34,7 @@ class Child(BaseModel):
             'tasks': self.tasks,
             'rewards': self.rewards,
             'points': self.points,
-            'image_id': self.image_id
+            'image_id': self.image_id,
+            'user_id': self.user_id
         })
         return base

backend/models/child_override.py

@@ -0,0 +1,64 @@
+from dataclasses import dataclass
+from typing import Literal
+from models.base import BaseModel
+
+
+@dataclass
+class ChildOverride(BaseModel):
+    """
+    Stores per-child customized points/cost for tasks, penalties, and rewards.
+    
+    Attributes:
+        child_id: ID of the child this override applies to
+        entity_id: ID of the task/penalty/reward being customized
+        entity_type: Type of entity ('task' or 'reward')
+        custom_value: Custom points (for tasks/penalties) or cost (for rewards)
+    """
+    child_id: str
+    entity_id: str
+    entity_type: Literal['task', 'reward']
+    custom_value: int
+
+    def __post_init__(self):
+        """Validate custom_value range and entity_type."""
+        if self.custom_value < 0 or self.custom_value > 10000:
+            raise ValueError("custom_value must be between 0 and 10000")
+        if self.entity_type not in ['task', 'reward']:
+            raise ValueError("entity_type must be 'task' or 'reward'")
+
+    @classmethod
+    def from_dict(cls, d: dict):
+        return cls(
+            child_id=d.get('child_id'),
+            entity_id=d.get('entity_id'),
+            entity_type=d.get('entity_type'),
+            custom_value=d.get('custom_value'),
+            id=d.get('id'),
+            created_at=d.get('created_at'),
+            updated_at=d.get('updated_at')
+        )
+
+    def to_dict(self):
+        base = super().to_dict()
+        base.update({
+            'child_id': self.child_id,
+            'entity_id': self.entity_id,
+            'entity_type': self.entity_type,
+            'custom_value': self.custom_value
+        })
+        return base
+
+    @staticmethod
+    def create_override(
+        child_id: str,
+        entity_id: str,
+        entity_type: Literal['task', 'reward'],
+        custom_value: int
+    ) -> 'ChildOverride':
+        """Factory method to create a new override."""
+        return ChildOverride(
+            child_id=child_id,
+            entity_id=entity_id,
+            entity_type=entity_type,
+            custom_value=custom_value
+        )

backend/models/image.py

@@ -2,12 +2,14 @@
 from dataclasses import dataclass
 from models.base import BaseModel
 
+
 @dataclass
 class Image(BaseModel):
     type: int
     extension: str
     permanent: bool = False
-    user: str | None = None
+    user_id: str | None = None
+
 
     @classmethod
     def from_dict(cls, d: dict):
@@ -19,7 +21,7 @@ class Image(BaseModel):
             id=d.get('id'),
             created_at=d.get('created_at'),
             updated_at=d.get('updated_at'),
-            user=d.get('user')
+            user_id=d.get('user_id') if 'user_id' in d else d.get('user')
         )
 
     def to_dict(self):
@@ -28,6 +30,6 @@ class Image(BaseModel):
             'type': self.type,
             'permanent': self.permanent,
             'extension': self.extension,
-            'user': self.user
+            'user_id': self.user_id
         })
         return base

backend/models/pending_reward.py

@@ -5,6 +5,7 @@ from models.base import BaseModel
 class PendingReward(BaseModel):
     child_id: str
     reward_id: str
+    user_id: str    
     status: str = "pending"  # pending, approved, rejected
 
     @classmethod
@@ -13,6 +14,7 @@ class PendingReward(BaseModel):
             child_id=d.get('child_id'),
             reward_id=d.get('reward_id'),
             status=d.get('status', 'pending'),
+            user_id=d.get('user_id'),
             id=d.get('id'),
             created_at=d.get('created_at'),
             updated_at=d.get('updated_at')
@@ -23,6 +25,7 @@ class PendingReward(BaseModel):
         base.update({
             'child_id': self.child_id,
             'reward_id': self.reward_id,
-            'status': self.status
+            'status': self.status,
+            'user_id': self.user_id
         })
         return base

backend/models/reward.py

@@ -8,6 +8,7 @@ class Reward(BaseModel):
     description: str
     cost: int
     image_id: str | None = None
+    user_id: str | None = None
 
     @classmethod
     def from_dict(cls, d: dict):
@@ -17,6 +18,7 @@ class Reward(BaseModel):
             description=d.get('description'),
             cost=d.get('cost', 0),
             image_id=d.get('image_id'),
+            user_id=d.get('user_id'),
             id=d.get('id'),
             created_at=d.get('created_at'),
             updated_at=d.get('updated_at')
@@ -28,6 +30,7 @@ class Reward(BaseModel):
             'name': self.name,
             'description': self.description,
             'cost': self.cost,
-            'image_id': self.image_id
+            'image_id': self.image_id,
+            'user_id': self.user_id
         })
         return base

backend/models/task.py

@@ -7,6 +7,7 @@ class Task(BaseModel):
     points: int
     is_good: bool
     image_id: str | None = None
+    user_id: str | None = None
 
     @classmethod
     def from_dict(cls, d: dict):
@@ -15,17 +16,19 @@ class Task(BaseModel):
             points=d.get('points', 0),
             is_good=d.get('is_good', True),
             image_id=d.get('image_id'),
+            user_id=d.get('user_id'),
             id=d.get('id'),
             created_at=d.get('created_at'),
             updated_at=d.get('updated_at')
         )
-
+    
     def to_dict(self):
         base = super().to_dict()
         base.update({
             'name': self.name,
             'points': self.points,
             'is_good': self.is_good,
-            'image_id': self.image_id
+            'image_id': self.image_id,
+            'user_id': self.user_id
         })
         return base

backend/models/tracking_event.py

@@ -0,0 +1,91 @@
+from dataclasses import dataclass
+from datetime import datetime, timezone
+from typing import Literal, Optional
+from models.base import BaseModel
+
+
+EntityType = Literal['task', 'reward', 'penalty']
+ActionType = Literal['activated', 'requested', 'redeemed', 'cancelled']
+
+
+@dataclass
+class TrackingEvent(BaseModel):
+    user_id: Optional[str]
+    child_id: str
+    entity_type: EntityType
+    entity_id: str
+    action: ActionType
+    points_before: int
+    points_after: int
+    delta: int
+    occurred_at: str  # UTC ISO 8601 timestamp
+    metadata: Optional[dict] = None
+
+    def __post_init__(self):
+        """Validate invariants after initialization."""
+        if self.delta != self.points_after - self.points_before:
+            raise ValueError(
+                f"Delta invariant violated: {self.delta} != {self.points_after} - {self.points_before}"
+            )
+
+    @classmethod
+    def from_dict(cls, d: dict):
+        return cls(
+            user_id=d.get('user_id'),
+            child_id=d.get('child_id'),
+            entity_type=d.get('entity_type'),
+            entity_id=d.get('entity_id'),
+            action=d.get('action'),
+            points_before=d.get('points_before'),
+            points_after=d.get('points_after'),
+            delta=d.get('delta'),
+            occurred_at=d.get('occurred_at'),
+            metadata=d.get('metadata'),
+            id=d.get('id'),
+            created_at=d.get('created_at'),
+            updated_at=d.get('updated_at')
+        )
+
+    def to_dict(self):
+        base = super().to_dict()
+        base.update({
+            'user_id': self.user_id,
+            'child_id': self.child_id,
+            'entity_type': self.entity_type,
+            'entity_id': self.entity_id,
+            'action': self.action,
+            'points_before': self.points_before,
+            'points_after': self.points_after,
+            'delta': self.delta,
+            'occurred_at': self.occurred_at,
+            'metadata': self.metadata
+        })
+        return base
+
+    @staticmethod
+    def create_event(
+        user_id: Optional[str],
+        child_id: str,
+        entity_type: EntityType,
+        entity_id: str,
+        action: ActionType,
+        points_before: int,
+        points_after: int,
+        metadata: Optional[dict] = None
+    ) -> 'TrackingEvent':
+        """Factory method to create a tracking event with server timestamp."""
+        delta = points_after - points_before
+        occurred_at = datetime.now(timezone.utc).isoformat()
+        
+        return TrackingEvent(
+            user_id=user_id,
+            child_id=child_id,
+            entity_type=entity_type,
+            entity_id=entity_id,
+            action=action,
+            points_before=points_before,
+            points_after=points_after,
+            delta=delta,
+            occurred_at=occurred_at,
+            metadata=metadata
+        )

backend/models/user.py

@@ -0,0 +1,77 @@
+from dataclasses import dataclass, field
+from models.base import BaseModel
+
+@dataclass
+class User(BaseModel):
+    first_name: str
+    last_name: str
+    email: str
+    password: str  # In production, this should be hashed
+    verified: bool = False
+    verify_token: str | None = None
+    verify_token_created: str | None = None
+    reset_token: str | None = None
+    reset_token_created: str | None = None
+    image_id: str | None = None
+    pin: str = ''
+    pin_setup_code: str = ''
+    pin_setup_code_created: str | None = None
+    marked_for_deletion: bool = False
+    marked_for_deletion_at: str | None = None
+    deletion_in_progress: bool = False
+    deletion_attempted_at: str | None = None
+    role: str = 'user'
+    token_version: int = 0
+
+    @classmethod
+    def from_dict(cls, d: dict):
+        return cls(
+            first_name=d.get('first_name'),
+            last_name=d.get('last_name'),
+            email=d.get('email'),
+            password=d.get('password'),
+            verified=d.get('verified', False),
+            verify_token=d.get('verify_token'),
+            verify_token_created=d.get('verify_token_created'),
+            reset_token=d.get('reset_token'),
+            reset_token_created=d.get('reset_token_created'),
+            image_id=d.get('image_id'),
+            pin=d.get('pin', ''),
+            pin_setup_code=d.get('pin_setup_code', ''),
+            pin_setup_code_created=d.get('pin_setup_code_created'),
+            marked_for_deletion=d.get('marked_for_deletion', False),
+            marked_for_deletion_at=d.get('marked_for_deletion_at'),
+            deletion_in_progress=d.get('deletion_in_progress', False),
+            deletion_attempted_at=d.get('deletion_attempted_at'),
+            role=d.get('role', 'user'),
+            token_version=d.get('token_version', 0),
+            id=d.get('id'),
+            created_at=d.get('created_at'),
+            updated_at=d.get('updated_at')
+
+        )
+
+    def to_dict(self):
+        base = super().to_dict()
+        base.update({
+            'first_name': self.first_name,
+            'last_name': self.last_name,
+            'email': self.email,
+            'password': self.password,
+            'verified': self.verified,
+            'verify_token': self.verify_token,
+            'verify_token_created': self.verify_token_created,
+            'reset_token': self.reset_token,
+            'reset_token_created': self.reset_token_created,
+            'image_id': self.image_id,
+            'pin': self.pin,
+            'pin_setup_code': self.pin_setup_code,
+            'pin_setup_code_created': self.pin_setup_code_created,
+            'marked_for_deletion': self.marked_for_deletion,
+            'marked_for_deletion_at': self.marked_for_deletion_at,
+            'deletion_in_progress': self.deletion_in_progress,
+            'deletion_attempted_at': self.deletion_attempted_at,
+            'role': self.role,
+            'token_version': self.token_version,
+        })
+        return base

backend/package-lock.json

@@ -0,0 +1,6 @@
+{
+  "name": "backend",
+  "lockfileVersion": 3,
+  "requires": true,
+  "packages": {}
+}