Update testing frameworks and backend port configuration

README.md

@@ -25,7 +25,7 @@ A modern, full-stack task management application for organizing projects, tasks,
 - **Database**: PostgreSQL with Prisma ORM
 - **Authentication**: JWT (JSON Web Tokens)
 - **Security**: Helmet, CORS, Rate Limiting, bcrypt for password hashing
-- **Testing**: Playwright for end-to-end testing
+- **Testing**: Jest (unit and integration tests)
 
 ### Frontend
 - **Framework**: React 18 with Vite
@@ -35,7 +35,7 @@ A modern, full-stack task management application for organizing projects, tasks,
 - **Styling**: Tailwind CSS
 - **Drag & Drop**: dnd-kit
 - **Routing**: React Router v6
-- **Testing**: Playwright for end-to-end testing
+- **Testing**: Vitest (unit tests)
 
 ## Installation
 
@@ -83,7 +83,7 @@ A modern, full-stack task management application for organizing projects, tasks,
    npm run dev
    ```
 
-The backend will be available at `http://localhost:3000`.
+The backend will be available at `http://localhost:4000`.
 
 ### Frontend Setup
 
@@ -104,7 +104,7 @@ The backend will be available at `http://localhost:3000`.
 
 4. Update `.env` with your API endpoint:
    ```
-   VITE_API_URL="http://localhost:3000"
+   VITE_API_URL="http://localhost:4000"
    ```
 
 5. Start the development server:
@@ -159,7 +159,7 @@ docker-compose up --build
 ```
 
 This starts:
-- Backend API on port 3000
+- Backend API on port 4000
 - Frontend on port 5173
 - PostgreSQL database on port 5432
 

docs/ACTION_ITEMS.md

@@ -0,0 +1,73 @@
+# TaskMan — Concise Action Report
+
+**Date**: 2026-02-17
+**Assessed by**: Claude Sonnet 4.5
+
+---
+
+## Completed (this session)
+
+| # | Area | Action | Status |
+|---|---|---|---|
+| 1 | README | Fixed backend port: `3000` → `4000` in setup instructions, env example, and Docker section | ✅ Done |
+| 2 | README | Fixed tech stack testing entries: replaced "Playwright" with correct frameworks (`Jest` / `Vitest`) | ✅ Done |
+| 3 | Backend security | `npm audit fix` in `backend/` — patched `qs` moderate advisory → **0 vulnerabilities** | ✅ Done |
+
+---
+
+## High Priority
+
+### Fix the README ✅ (completed)
+The README is the front door. It had two errors that actively mislead contributors and alpha testers:
+- Backend port listed as `3000` — server runs on `4000`
+- Both backend and frontend tech stacks listed "Playwright for end-to-end testing" — backend uses Jest, frontend uses Vitest
+
+Both corrected in commit `45dea69`.
+
+### Patch the backend `qs` vulnerability ✅ (completed)
+`npm audit fix` resolved the one moderate advisory with no breaking changes.
+Result: `found 0 vulnerabilities`. A clean audit report is a basic credibility signal for any project accepting external users or contributors.
+
+---
+
+## Medium Priority
+
+### Stabilize CI/CD pipeline
+Recent commits show active work on pipeline failures. The test suite requires a live PostgreSQL instance (`taskapp_test` database), which causes flaky CI runs if not provisioned correctly. Recommended steps:
+- Ensure CI environment provisions the test database before running `npm test`
+- Confirm the backend TypeScript build step (`tsc`) passes on every PR (fixed in commit `fb2d195` but worth verifying)
+- Consider a health check before test execution
+
+### Update CLAUDE.md model count
+`CLAUDE.md` states "18 models" but the schema has grown to 21+ through gamification migrations (`Achievement`, `UserAchievement`, `UserQuest`, `UserSkill`, `XPLog`, `StreakProtectionLog`). One-line fix, keeps developer docs accurate.
+
+---
+
+## Low Priority / Future Work
+
+### Gamification phases 2–5
+Phase 1 (XP, levels, celebrations) is complete. The full design is in `docs/GAMIFICATION_DESIGN.md`:
+- **Phase 2**: Achievements (32+ across 8 categories)
+- **Phase 3**: Skill tree unlocks
+- **Phase 4**: Daily/weekly/challenge quests
+- **Phase 5**: Streaks and prestige system
+
+### Mobile authentication
+Cross-origin cookie issues (ITP/SameSite) on mobile caused login loops. Fixed in commit `e95fb1c` via Bearer token fallback. Worth regression testing on iOS Safari and Chrome for Android.
+
+### Deprecated packages (warnings, not vulnerabilities)
+`npm audit fix` surfaced deprecation warnings for `lodash.isequal`, `lodash.get`, `inflight`, and `glob@7.x`. Not security risks, but worth addressing in a dependency cleanup pass.
+
+---
+
+## Summary Table
+
+| Area | Status | Notes |
+|---|---|---|
+| README accuracy | ✅ Fixed | Port and testing framework corrected |
+| Backend security | ✅ Fixed | 0 vulnerabilities after audit fix |
+| CI/CD stability | 🔶 In progress | Active work, needs test DB provisioning confirmed |
+| CLAUDE.md accuracy | 🔵 Minor | Model count stale (18 → 21+) |
+| Gamification phases 2–5 | 🔵 Planned | Design complete, implementation pending |
+| Mobile auth | 🔵 Monitor | Fix shipped, needs regression testing |
+| Deprecated packages | 🔵 Low | Warnings only, no vulnerabilities |