diff --git a/.gitea/workflows/docker.yml b/.gitea/workflows/docker.yml
index e78ce02..428ce73 100644
--- a/.gitea/workflows/docker.yml
+++ b/.gitea/workflows/docker.yml
@@ -3,6 +3,9 @@ on:
   push:
     branches: [main]
     tags: ['v*']
+    paths-ignore:
+      - '**/*.md'
+      - '**/*.txt'
   workflow_dispatch:
 
 jobs:
diff --git a/TODO.md b/TODO.md
index 665aed1..6d15f97 100644
--- a/TODO.md
+++ b/TODO.md
@@ -1,72 +1,64 @@
 # TODO
 
-Ideas to expand Jellomator without turning it into a heavy app.
+Concrete follow-up work for Jellomator.
 
-## Product
+## P0
+
+- Add a backup and restore flow for `jellomator.sqlite` in the admin UI.
+  - Let an admin download the current database.
+  - Let an admin upload a replacement database after confirmation.
+  - Validate that the uploaded file is SQLite before swapping it in.
+- Add a basic health endpoint for Docker and orchestration.
+  - Return `200` when the app can read and write the database.
+  - Return `503` if startup initialization or DB access fails.
+- Add login rate limiting.
+  - Track failed attempts per session or IP.
+  - Temporarily block repeated failures.
+- Add session expiry controls.
+  - Expire idle admin sessions after a configurable period.
+  - Renew active sessions on successful requests.
+
+## P1
+
+- Add drag-and-drop ordering for service cards.
+  - Persist display order in SQLite.
+  - Support moving a card up, down, or to the top in admin.
+- Add a featured/pinned flag for important links.
+  - Keep pinned links above the normal list.
+  - Let admins toggle pinned status from the edit form.
+- Add multi-category support.
+  - Store categories as a normalized table or join table.
+  - Allow filtering by more than one category in the dashboard.
+- Add duplicate/cloning for existing links.
+  - Pre-fill a new form from an existing service.
+  - Keep the original service unchanged.
+- Add a public read-only mode.
+  - Hide admin-only links from the dashboard.
+  - Keep the same UI but remove edit affordances.
+
+## P2
+
+- Add more presets for common self-hosted apps.
+  - Suggested first set: Paperless-ngx, Immich, Grafana, Home Assistant, Vaultwarden.
+  - Make each preset editable after insertion.
+- Add JSON import/export for services.
+  - Include metadata and icon blobs in the export format.
+  - Support importing a whole dashboard from a single file.
+- Add better icon handling.
+  - Show initials when no icon exists.
+  - Allow cropping or centering uploaded icons.
+- Add audit history for admin changes.
+  - Record create, update, delete, and preset actions.
+  - Show a simple timeline in the admin area.
+- Add a compact dashboard mode.
+  - Reduce card padding and text size.
+  - Make it easier to scan large lists of links.
+
+## P3
 
-- Add drag-and-drop reordering for service cards.
-- Add pinned or featured services to keep key links at the top.
-- Add per-service badges, such as `New`, `Internal`, or `External`.
-- Add an optional note field for each link, shown on hover or in a detail view.
-- Add multi-category support instead of a single category string.
-- Add a compact view toggle for dense dashboards.
 - Add keyboard shortcuts for search and quick launch.
-- Add a public read-only mode that hides admin-only services.
-
-## Admin UX
-
-- Add bulk edit actions for enable/disable, category, and deletion.
-- Add duplicate-link cloning from an existing card.
-- Add inline validation for URL format and icon file size.
-- Add image cropping or center-fit controls for uploaded icons.
-- Add a safer delete flow with a dependency-free confirmation modal.
-- Add a “preview as public” toggle in the admin panel.
-- Add recent changes / audit history for link updates.
-
-## Presets
-
-- Add more service presets for common self-hosted apps, such as Paperless-ngx, Immich, Grafana, Home Assistant, and Vaultwarden.
-- Add preset grouping so Arr*, media, download, and utilities are separated.
-- Add preset templates with configurable base URLs and ports.
-- Add an import flow for JSON presets so users can seed many services at once.
-
-## Authentication and Security
-
-- Add session expiry and idle timeout controls.
-- Add optional TOTP-based 2FA for admin accounts.
-- Add CSRF protection if cookie-authenticated state-changing requests need it.
-- Add a login attempt rate limit with temporary lockout.
-- Add an admin-only password reset flow for recovery.
-
-## Data and Backup
-
-- Add SQLite backup and restore from the admin UI.
-- Add an export/import feature for all services and icons.
-- Add database migration checks on startup.
-- Add soft-delete with restore for accidental removals.
-- Add scheduled automatic backups of the SQLite file.
-
-## API and Integration
-
-- Add a JSON API endpoint for public service listings.
-- Add health and readiness endpoints for container orchestration.
-- Add support for external status checks to mark services offline.
-- Add service response-time badges for launch targets.
-- Add Open Graph metadata for nicer shared links.
-
-## UI Polish
-
-- Add animated empty states for no services and no search results.
-- Add richer icon fallbacks with initials and category colors.
-- Add a subtle background pattern or gradient mesh to the hero section.
-- Add toast notifications for save, delete, and upload actions.
-- Add theme settings for alternate red, amber, or slate accents.
-- Add better mobile navigation for the admin area.
-
-## Operations
-
-- Add a Docker healthcheck.
-- Add automated build verification in CI after the image is published.
-- Add release notes generated from commits.
-- Add a minimal seed-reset command for local development.
-- Add structured logging for auth and CRUD events.
+- Add a toast system for save, delete, and upload actions.
+- Add Open Graph metadata for better link previews.
+- Add structured JSON logging for auth and CRUD events.
+- Add a small command or script to reset seed data for local development.
+- Add a CI verification step that builds the container image after publish.