Add TickTick integration, MCP server, and dev project tracking

New integration with TickTick API for project/task management:
- OAuth 2.0 auth flow (mcp-servers/ticktick/ticktick_auth.py)
- MCP server with 9 tools for Claude Code (ticktick_mcp.py)
- FastAPI service with SOPS vault credentials (api/services/ticktick_service.py)
- JWT-protected REST router at /api/ticktick/ (api/routers/ticktick.py)
- Credentials stored in SOPS vault (services/ticktick.sops.yaml)

Dev project tracking (hybrid TickTick + DB):
- New dev_projects table migration (14 columns, status index)
- TickTick "Dev Projects" list for mobile visibility
- First project seeded: TickTick Integration (linked both sides)

Security: .tokens.json gitignored, token file permissions restricted,
HTML-escaped OAuth callback, SOPS vault (not env vars) for secrets.

Also: Installed Tailscale on ACG-5070 for office network access.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

.claude/memory/MEMORY.md

@@ -9,10 +9,12 @@
 - [ACG-5070 Workstation](reference_workstation_setup.md) - Windows 11, replaced CachyOS. SOPS vault, Ollama, all dev tools.
 - [Matomo Analytics](reference_matomo_analytics.md) - Self-hosted analytics at analytics.azcomputerguru.com, site IDs, tracking for all 3 sites
 - [Dataforth Contact - AJ](reference_dataforth_contact.md) - AJ at Dataforth, dataforthgit@ email forwarding to him
+- [TickTick Integration](reference_ticktick_integration.md) - OAuth API integration, MCP server, SOPS vault creds, project/task CRUD
 
 ## Feedback
 - [D2TESTNAS SSH Access](feedback_d2testnas_ssh.md) - Use root@192.168.0.9 with Paper123!@#, not sysadmin
 - [Bypass Permissions Setting](feedback_bypass_permissions_setting.md) - Set permissions.defaultMode to bypassPermissions in settings.json on all machines
+- [365 Remediation Tool](feedback_365_remediation_tool.md) - Always means Graph API app fabb3421, not CIPP
 
 ## Machine
 - [ACG-5070 Workstation Setup](reference_workstation_setup.md) - Windows 11 Pro clean install 2026-03-30, replaced CachyOS. All tools installed.

.claude/memory/reference_ticktick_integration.md

@@ -0,0 +1,33 @@
+---
+name: TickTick Integration
+description: TickTick API integration for project/task management - OAuth credentials in SOPS vault, MCP server, API service
+type: reference
+---
+
+## TickTick Integration (Built 2026-03-31)
+
+**App Name:** ClaudeTools (registered at developer.ticktick.com)
+
+### Credentials
+- SOPS vault: `services/ticktick.sops.yaml`
+- Fields: `credentials.client_id`, `credentials.client_secret`, `credentials.oauth_redirect_url`
+- OAuth tokens: `mcp-servers/ticktick/.tokens.json` (gitignored, auto-refreshed)
+
+### Components
+- **MCP Server:** `mcp-servers/ticktick/ticktick_mcp.py` - 9 tools for Claude Code (registered in `.mcp.json`)
+- **OAuth Auth:** `mcp-servers/ticktick/ticktick_auth.py` - One-time browser auth flow (localhost:9876 callback)
+- **API Service:** `api/services/ticktick_service.py` - Async service, SOPS vault credentials, auto token refresh
+- **API Router:** `api/routers/ticktick.py` - REST at `/api/ticktick/`, JWT-protected
+
+### TickTick API
+- Base URL: `https://api.ticktick.com/open/v1`
+- Auth: OAuth 2.0 Bearer tokens, scopes: `tasks:read tasks:write`
+- No webhooks (must poll), no search endpoint (filter client-side)
+- Priority values: 0=none, 1=low, 3=medium, 5=high (non-sequential)
+- Token endpoint requires `application/x-www-form-urlencoded` (not JSON)
+
+### MCP Tools
+`ticktick_list_projects`, `ticktick_get_project`, `ticktick_create_project`, `ticktick_update_project`, `ticktick_delete_project`, `ticktick_create_task`, `ticktick_update_task`, `ticktick_complete_task`, `ticktick_delete_task`
+
+### Re-auth
+If tokens expire completely, run: `python mcp-servers/ticktick/ticktick_auth.py` from bash (not PowerShell - needs vault access via bash).