Critical security improvements:
- Add requireAuth middleware to /api/upload/project-image endpoint (prevents unauthenticated file uploads)
- Fix SQL injection vulnerability in tasks.js DELETE route by whitelisting table names
- Add missing resource existence check in shares.js POST endpoint (prevents permissions on non-existent resources)
Code quality improvements:
- Replace all console.error with logError across all route files for consistent logging
- Import logError service in all route modules
All tests passing (597 passed).
- Add admin-only users API: list/create/delete (prevent self-delete and last-admin deletion).
- Include is_admin in auth responses.
- Frontend: /admin/users page with table, selection, remove, Add User modal.
- Show “Manage users” in user menu for admins and optional sidebar link.
- Add i18n strings for admin UI.
- Enhance create user script to grant admin via optional third arg.
- Minor: set dev bootstrap user as admin in start script.
