feat: add image_path to recipe/subtask and user password change API

- Recipe model: add image_path field for recipe-level image
- RecipeSubtask model: add image_path for per-subtask detail images
- Schemas: add image_path to create/update/response for recipe and subtask
- Task router: pass image_path when creating tasks and subtasks
- Recipe service: copy image_path in versioning and update-in-place
- Users router: add PUT /{user_id}/password endpoint (admin only)
- User schema: add UserPasswordChange model

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

server/models/recipe.py

@@ -18,6 +18,7 @@ class Recipe(Base):
     code: Mapped[str] = mapped_column(String(100), unique=True, nullable=False, index=True)
     name: Mapped[str] = mapped_column(String(255), nullable=False)
     description: Mapped[Optional[str]] = mapped_column(Text, nullable=True)
+    image_path: Mapped[Optional[str]] = mapped_column(String(500), nullable=True)
     created_by: Mapped[int] = mapped_column(Integer, ForeignKey("users.id"), nullable=False)
     created_at: Mapped[datetime] = mapped_column(
         DateTime, nullable=False, server_default=func.now()

server/models/task.py

@@ -69,6 +69,7 @@ class RecipeSubtask(Base):
     ltl: Mapped[Optional[float]] = mapped_column(DECIMAL(12, 6), nullable=True)  # Lower Tolerance Limit
 
     unit: Mapped[str] = mapped_column(String(20), nullable=False, default="mm")
+    image_path: Mapped[Optional[str]] = mapped_column(String(500), nullable=True)
 
     # Relationships
     task: Mapped["RecipeTask"] = relationship(back_populates="subtasks")

server/routers/tasks.py

@@ -175,6 +175,7 @@ async def create_task(
         title=data.title,
         directive=data.directive,
         description=data.description,
+        file_path=data.file_path,
         file_type=data.file_type,
         annotations_json=data.annotations_json,
     )
@@ -194,6 +195,7 @@ async def create_task(
             lwl=sub_data.lwl,
             ltl=sub_data.ltl,
             unit=sub_data.unit,
+            image_path=sub_data.image_path,
         )
         db.add(sub)
 
@@ -333,6 +335,7 @@ async def create_subtask(
         lwl=data.lwl,
         ltl=data.ltl,
         unit=data.unit,
+        image_path=data.image_path,
     )
     db.add(subtask)
     await db.flush()

server/routers/users.py

@@ -6,7 +6,7 @@ from sqlalchemy.ext.asyncio import AsyncSession
 from database import get_db
 from middleware.api_key import require_admin_user
 from models.user import User
-from schemas.user import UserCreate, UserResponse, UserUpdate
+from schemas.user import UserCreate, UserPasswordChange, UserResponse, UserUpdate
 from services.auth_service import create_user, hash_password, regenerate_api_key
 
 router = APIRouter(prefix="/api/users", tags=["users"])
@@ -91,6 +91,23 @@ async def update_user(
     return UserResponse.model_validate(user)
 
 
+@router.put("/{user_id}/password", status_code=status.HTTP_200_OK)
+async def change_user_password(
+    user_id: int,
+    data: UserPasswordChange,
+    admin: User = Depends(require_admin_user),
+    db: AsyncSession = Depends(get_db),
+):
+    """Change user password (admin only)."""
+    result = await db.execute(select(User).where(User.id == user_id))
+    user = result.scalar_one_or_none()
+    if user is None:
+        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="User not found")
+    user.password_hash = hash_password(data.password)
+    await db.flush()
+    return {"message": f"Password changed for user {user.username}"}
+
+
 @router.delete("/{user_id}", status_code=status.HTTP_204_NO_CONTENT)
 async def deactivate_user(
     user_id: int,

server/schemas/recipe.py

@@ -13,6 +13,7 @@ class RecipeCreate(BaseModel):
     code: str = Field(..., min_length=1, max_length=100)
     name: str = Field(..., min_length=1, max_length=255)
     description: Optional[str] = None
+    image_path: Optional[str] = Field(None, max_length=500)
     # Optional task-level fields for the initial technical drawing
     file_path: Optional[str] = Field(None, max_length=500)
     file_type: Optional[str] = Field(None, pattern="^(image|pdf)$")
@@ -23,6 +24,7 @@ class RecipeUpdate(BaseModel):
     """Schema for updating a recipe (creates new version)."""
     name: Optional[str] = Field(None, min_length=1, max_length=255)
     description: Optional[str] = None
+    image_path: Optional[str] = Field(None, max_length=500)
     change_notes: Optional[str] = None
     # Task-level fields: saved to the first task of the new version
     file_path: Optional[str] = Field(None, max_length=500)
@@ -52,6 +54,7 @@ class RecipeResponse(BaseModel):
     code: str
     name: str
     description: Optional[str] = None
+    image_path: Optional[str] = None
     created_by: int
     created_at: datetime
     active: bool

server/schemas/task.py

@@ -15,6 +15,7 @@ class SubtaskCreate(BaseModel):
     lwl: Optional[float] = None
     ltl: Optional[float] = None
     unit: str = Field("mm", max_length=20)
+    image_path: Optional[str] = Field(None, max_length=500)
 
 
 class SubtaskUpdate(BaseModel):
@@ -27,6 +28,7 @@ class SubtaskUpdate(BaseModel):
     lwl: Optional[float] = None
     ltl: Optional[float] = None
     unit: Optional[str] = Field(None, max_length=20)
+    image_path: Optional[str] = Field(None, max_length=500)
 
 
 class SubtaskResponse(BaseModel):
@@ -44,6 +46,7 @@ class SubtaskResponse(BaseModel):
     lwl: Optional[float] = None
     ltl: Optional[float] = None
     unit: str
+    image_path: Optional[str] = None
 
 
 class TaskCreate(BaseModel):

server/schemas/user.py

@@ -52,6 +52,11 @@ class UserResponse(BaseModel):
     last_login: Optional[datetime] = None
 
 
+class UserPasswordChange(BaseModel):
+    """Schema for changing user password (admin only)."""
+    password: str = Field(..., min_length=6, max_length=128)
+
+
 class LoginRequest(BaseModel):
     """Schema for login request."""
     username: str

server/services/recipe_service.py

@@ -77,6 +77,7 @@ async def _copy_tasks_to_version(
                 lwl=sub.lwl,
                 ltl=sub.ltl,
                 unit=sub.unit,
+                image_path=sub.image_path,
             )
             db.add(new_sub)
 
@@ -132,6 +133,7 @@ async def create_recipe(
         code=data.code,
         name=data.name,
         description=data.description,
+        image_path=data.image_path,
         created_by=user.id,
     )
     db.add(recipe)
@@ -285,6 +287,8 @@ async def create_new_version(
         update_fields["name"] = data.name
     if data.description is not None:
         update_fields["description"] = data.description
+    if data.image_path is not None:
+        update_fields["image_path"] = data.image_path
     if update_fields:
         await db.execute(
             update(Recipe).where(Recipe.id == recipe_id).values(**update_fields)
@@ -373,12 +377,14 @@ async def update_current_version(
     data: RecipeUpdate,
 ) -> RecipeVersion:
     """Update recipe header in-place on the current version (no copy-on-write)."""
-    # Apply header updates (name, description)
+    # Apply header updates (name, description, image_path)
     update_fields: dict = {}
     if data.name is not None:
         update_fields["name"] = data.name
     if data.description is not None:
         update_fields["description"] = data.description
+    if data.image_path is not None:
+        update_fields["image_path"] = data.image_path
     if update_fields:
         await db.execute(
             update(Recipe).where(Recipe.id == recipe_id).values(**update_fields)