• Enforce comment visibility rules for public and unauthenticated users:
  • Restricted comments are no longer exposed in public task views.
  • Users cannot create comments with a visibility level higher than their role.
• Revoke public access tokens for inactive users.
• Use timing-safe comparisons (hash_equals) for API and webhook token validation to mitigate timing attacks.
• Replace raw SQL interpolation with parameterized queries in:
  • Task queries (TaskFinderModel)
  • iCalendar export conditions
• Validate task ownership in bulk operations:
  • Ensure tasks belong to the specified project before applying bulk changes.