fix(beads): Fix TypeScript type errors and improve type safety

[0xtsotsi]

Summary

• Fixed TypeScript type errors in Beads Kanban board components
• Corrected property name mismatches in hook parameters
• Updated drag event type compatibility for @dnd-kit/core
• Added validation, rate limiting, and JSON parsing middleware
• Added comprehensive unit tests

Test plan

• TypeScript compilation passes
• ESLint checks pass
• Prettier formatting applied
• Unit tests added for new utilities and services

🤖 Generated with Claude Code

Summary by CodeRabbit

• Security

  • Added API rate limiting and strengthened authentication initialization for production.

• New Features

  • Request validation with detailed error responses.
  • New endpoints: issue search, blocked-issue listing, and stale-issue retrieval.
  • UI: improved Kanban drag-and-drop performance and more reliable column placement.

• Bug Fixes

  • Safer JSON parsing and more robust service error handling.

• Documentation

  • Added a comprehensive audit report.

• Tests

  • New unit tests for validation, JSON parsing, and service behavior.

• Chores

  • Local version bump and formatting ignore updates.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

📝 Walkthrough

Walkthrough

Adds server auth initialization and per-route rate limiting, integrates Zod validation and validation middleware for Beads endpoints, introduces safe JSON parsing and rate-limit middlewares, strengthens BeadsService typing and APIs, centralizes UI column/blocker logic, refactors UI hooks, adds tests and an audit report, and updates types and minor client imports.

Changes

Cohort / File(s)	Summary
Server: bootstrap & routing apps/server/src/index.ts	Initialize auth at startup; validate CORS origin; mount and apply exported rate limiters (healthLimiter, apiLimiter, beadsLimiter, strictLimiter) to health and API routes; logging updates.
Server: auth apps/server/src/lib/auth.ts	New initializeAuth() enforcing AUTOMAKER_API_KEY in production; getAuthStatus() extended with productionMode flag; middleware unchanged.
Server: rate limiting apps/server/src/lib/rate-limiter.ts	New exported Express rate-limiter middlewares: apiLimiter, healthLimiter, strictLimiter, beadsLimiter.
Server: validation & middleware apps/server/src/lib/beads-validation.ts, apps/server/src/lib/validation-middleware.ts, apps/server/package.json	Add Zod dependency; extensive Beads schemas and inferred TS types; validation middleware (validateBody/query/params + combined validate) and Zod error formatter.
Server: handlers using validation apps/server/src/routes/beads/routes/create.ts, apps/server/src/routes/beads/routes/list.ts, apps/server/src/routes/beads/routes/update.ts	Integrate Zod safeParse checks; return 400 with structured details on validation failure; pass validated inputs to beadsService.
Server: JSON utils apps/server/src/lib/json-parser.ts	New safeJsonParse<T>(json, context) and safeJsonParseOrDefault<T>(json, defaultValue) helpers with contextual errors/defaulting.
Server: service typing & features apps/server/src/services/beads-service.ts	Strengthen method signatures to use new types; replace JSON.parse with safeJsonParse; add/search/getBlocked/getStale methods; improved init/error handling and defaults.
UI: column & blocker utilities apps/ui/src/components/views/beads-view/lib/column-utils.ts	New getIssueColumn(issue, allIssues) and hasOpenBlockers(issue, allIssues) to centralize column/blocker logic.
UI: view & board apps/ui/src/components/views/beads-view.tsx, apps/ui/src/components/views/beads-view/beads-kanban-board.tsx	Align create handler types to CreateBeadsIssueInput; update imports; change drag handler event types to DragStartEvent/DragEndEvent; memoize blocking counts.
UI: hooks refactor apps/ui/src/components/views/beads-view/hooks/*	Remove loadIssues / currentProject where noted; delegate column resolution to column-utils; simplify project-switch logic across use-beads-actions, use-beads-column-issues, use-beads-drag-drop, use-beads-issues.
Types & client cleanup libs/types/src/beads.ts, apps/ui/src/lib/electron.ts, apps/ui/src/lib/http-api-client.ts	Make create/update filter priorities numeric/optional; relax CreateBeadsIssueInput fields to optional; remove unused type imports from client modules.
Tests & audit apps/server/tests/unit/lib/beads-validation.test.ts, apps/server/tests/unit/lib/json-parser.test.ts, apps/server/tests/unit/services/beads-service.test.ts, BEADS_AUDIT_REPORT.md	Add unit tests for validation and json parser and service helpers; add BEADS_AUDIT_REPORT.md documenting findings, patches, and roadmap.
Config & misc .beads/.local_version, .prettierignore, apps/ui/src/components/views/beads-view/beads-header.tsx	Bump local version 0.34.0→0.35.0; add routeTree.gen.ts to .prettierignore; remove unused React imports in header.

Sequence Diagram(s)

sequenceDiagram
    autonumber
    participant Client
    participant RateLimiter as Rate Limiter
    participant Server as Express Server
    participant Auth as Auth Init
    participant Validator as Zod Validator
    participant Service as BeadsService
    participant DB as Database

    Note over Server,Auth: Startup
    Server->>Auth: initializeAuth()
    Auth-->>Server: auth ready

    Note over Client,RateLimiter: Client request /api/beads
    Client->>RateLimiter: POST /api/beads
    alt rate limit exceeded
        RateLimiter-->>Client: 429 Too Many Requests
    else pass
        RateLimiter->>Server: forward request
        Server->>Validator: validate req.body (safeParse)
        alt validation fails
            Validator-->>Client: 400 Bad Request { details: [path,message] }
        else valid
            Validator-->>Server: validated data
            Server->>Service: createIssue(projectPath, input)
            Service->>DB: write issue
            DB-->>Service: created issue
            Service-->>Server: BeadsIssue
            Server-->>Client: 200 OK { issue }
        end
    end

Loading

Estimated Code Review Effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• feat(Beads): implement full Kanban board UI for issue tracking #5: Overlaps changes to Beads server route handlers (create/list/update) — related to handler validation wiring.
• feat(Beads): Implement full Kanban board UI for issue tracking #10: Broad Beads feature changes (types, service, UI) that this PR extends with validation, typing, and service/API updates.

Poem

🐰 I hopped through routes and checked each bead,

I counted blockers, made the inputs heed,
Rate limits hum, parsers guard the gate,
Tests and notes keep systems running straight,
I nibble code and leave the Beads in neat.

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title accurately reflects the main focus: fixing TypeScript type errors and improving type safety across the Beads Kanban implementation, which is evident from widespread type updates, validation schemas, and improved type annotations throughout the changeset.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/beads-kanban-improvements

---

📜 Recent review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between bc08e6c and 98dfccc.

📒 Files selected for processing (1)

• apps/server/tests/unit/services/beads-service.test.ts

🚧 Files skipped from review as they are similar to previous changes (1)

• apps/server/tests/unit/services/beads-service.test.ts

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Summary of Changes

Hello @0xtsotsi, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the quality, security, and maintainability of the Beads Kanban board by addressing critical issues identified in a comprehensive audit. It introduces robust type safety, implements essential API security measures like rate limiting and input validation, and refactors core logic for better organization and reliability. The changes aim to make the Beads implementation more production-ready and easier to develop against.

Highlights

• Enhanced Type Safety: Extensive TypeScript type errors have been fixed across Beads Kanban board components, including correcting property name mismatches in hook parameters and updating drag event type compatibility for @dnd-kit/core.
• API Security & Robustness: New middleware has been introduced for input validation (using Zod), rate limiting (using express-rate-limit), and safe JSON parsing, significantly improving the API's security and resilience against malformed input or abuse.
• Comprehensive Audit Report: A detailed BEADS_AUDIT_REPORT.md has been added, outlining over 60 identified issues (17 Critical, 18 High, 15 Medium, 12 Low) in the Beads Kanban board implementation, along with a phased plan for addressing them.
• Refactored Logic & New Utilities: Common logic for categorizing issues into Kanban columns has been centralized into new utility functions, and the BeadsService now includes new methods for searching, getting blocked, and stale issues, all with improved type definitions.
• New Unit Tests: Comprehensive unit tests have been added for the newly introduced Zod validation schemas and JSON parsing utilities, contributing to better code reliability and maintainability.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request is a significant step forward in improving the quality and security of the beads feature. It successfully addresses many of the critical issues highlighted in the audit report, such as adding type safety with Zod, implementing rate limiting and CORS validation, and fixing bugs in the UI. The refactoring of shared UI logic into utility functions is also a great improvement for maintainability.

I have a few suggestions to further enhance the code quality:

• Fix a bug in a validation regular expression.
• Consistently use the new validation middleware to simplify route handlers.
• Expand the unit tests for the BeadsService to cover its core functionality.
• Clean up some unused props in the UI hooks.

Overall, this is a very solid contribution that greatly improves the robustness of the application.

[gemini-code-assist]

The regex for validating the title in updateBeadsIssueSchema appears to have a typo. It's ^[^<>{}$], which only checks the first character of the string. This is inconsistent with the regex in createBeadsIssueSchema (^[^<>{}$]*$) and likely not the intended behavior, as it would allow invalid characters after the first one.

Suggested change

	.regex(/^[^<>{}$]/, 'Title contains invalid characters')
	.regex(/^[^<>{}$]*$/, 'Title contains invalid characters')

[gemini-code-assist]

The request body validation is being done manually within the handler. While this works, the PR also introduces a new validation middleware (lib/validation-middleware.ts) which is a great pattern for handling this. Using the middleware would make the route handlers cleaner, more consistent, and would better separate validation concerns from business logic.

This same feedback applies to apps/server/src/routes/beads/routes/list.ts and apps/server/src/routes/beads/routes/update.ts.

I'd suggest creating a single Zod schema for the entire request body and using the validateBody middleware in the router setup. For example, for this create route, you could define a schema like this and then use it with the middleware:

const createRouteBodySchema = z.object({
  projectPath: z.string().min(1, 'projectPath is required'),
  issue: createBeadsIssueSchema,
});

This would simplify the handler to just focus on the business logic, assuming the body is already validated.

[gemini-code-assist]

It's great to see new unit tests being added! However, the tests for BeadsService are quite minimal, only covering two helper methods. The PR description mentions "comprehensive unit tests", but the core functionality of this service (methods that execute the bd CLI command like listIssues, createIssue, etc.) is not covered.

To make these tests more comprehensive, I recommend mocking child_process.execFile (or execFileAsync) to test how the service methods build arguments and handle different outputs (success, errors, empty results) from the CLI. This would provide much stronger guarantees about the service's behavior.

[gemini-code-assist]

The props _currentProject (passed to useBeadsColumnIssues) and _loadIssues (passed to useBeadsActions) are not used within their respective hooks. It seems they might be leftovers from a previous refactoring, and the underscore was added to suppress a linting error.

To improve code clarity and remove unnecessary prop drilling, it would be best to remove these props from both the hook calls here and their definitions in use-beads-column-issues.ts and use-beads-actions.ts.

    searchQuery,
  });
  const { handleCreateIssue, handleUpdateIssue, handleDeleteIssue, handleStatusChange } =
    useBeadsActions({
      currentProject,
    });

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Fix update title validation to reject invalid chars

The update schema’s title regex only checks the first character (/^[^<>{}$]/), so titles like Ok<script> or A{bad} will pass validation as long as the first character is allowed. This bypasses the sanitization you intended (and is stricter on create), which means the update endpoint can accept characters you explicitly disallow elsewhere. Use the same full-string pattern as create (e.g., ^[^<>{}$]*$) to avoid inconsistent validation and accidental injection of forbidden characters.

Useful? React with 👍 / 👎.

[chatgpt-codex-connector]

Restore permissive CORS default for unset env

When CORS_ORIGIN is unset, the server now defaults to http://localhost:3008, which only allows same-origin browser requests. Any client running from a different origin (e.g., local web UI at :3000/:5173 or Electron file:// origin) will fail CORS unless the env var is explicitly set, which is a regression from the prior * default. If you want to avoid breaking out‑of‑box dev setups, consider keeping the permissive default or supporting a list of local dev origins.

Useful? React with 👍 / 👎.

[0xtsotsi]

@gemini review

[0xtsotsi]

@codex @claude review and make changes if needed

[chatgpt-codex-connector]

Summary

• Restored permissive CORS fallback when CORS_ORIGIN is unset to avoid dev regressions.
• Aligned update title validation with the full-string regex used on create.

Testing

• ⚠️ npm run typecheck --workspace=apps/ui (missing script: "typecheck")
• ✅ npm run lint --workspace=apps/ui

Notes

• bd CLI was not available in this environment (bd: command not found), so I couldn’t create or update Beads issues or sync the Beads database.

View task →

[coderabbitai]

Actionable comments posted: 5

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

apps/server/src/services/beads-service.ts (1)

163-186: Add support for parentIssueId parameter when creating subtasks.

The createIssue method doesn't handle the parentIssueId field from CreateBeadsIssueInput, but the bd create command supports the --parent flag for creating subtasks (as documented in AGENTS.md). The parentIssueId should be passed as --parent when present. The dependencies field is intentionally excluded from the validation schema since dependencies are added separately via bd dep add after issue creation.

🧹 Nitpick comments (9)

apps/server/tests/unit/services/beads-service.test.ts (1)

10-16: Unused type imports.

BeadsIssue, BeadsStats, CreateBeadsIssueInput, UpdateBeadsIssueInput, and ListBeadsIssuesFilters are imported but not used in the current tests. Consider removing them until tests that use these types are added.

apps/ui/src/components/views/beads-view/beads-kanban-board.tsx (1)

68-84: Consider memoizing getBlockingCounts to avoid O(n²) complexity.

getBlockingCounts is called for every issue during each render (line 106), resulting in O(n²) complexity. For boards with many issues, this could impact performance.

🔎 Suggested optimization

const blockingCountsMap = useMemo(() => {
  const map = new Map<string, { blockingCount: number; blockedCount: number }>();
  issues.forEach((issue) => {
    const blockingCount = issues.filter((otherIssue) =>
      otherIssue.dependencies?.some((dep) => dep.issueId === issue.id && dep.type === 'blocks')
    ).length;
    const blockedCount =
      issue.dependencies?.filter((dep) => {
        const depIssue = issues.find((i) => i.id === dep.issueId);
        return dep.type === 'blocks' && depIssue && 
          (depIssue.status === 'open' || depIssue.status === 'in_progress');
      }).length || 0;
    map.set(issue.id, { blockingCount, blockedCount });
  });
  return map;
}, [issues]);

// Then in the render:
const { blockingCount, blockedCount } = blockingCountsMap.get(issue.id) ?? { blockingCount: 0, blockedCount: 0 };

This is already noted in the audit report (Issue #8) and can be addressed in a follow-up.

Also applies to: 105-106

apps/ui/src/components/views/beads-view/hooks/use-beads-actions.ts (1)

14-14: Parameter _loadIssues is unused within the hook.

The _loadIssues parameter is destructured but never used in the function body. The underscore prefix suggests this is intentional, but the JSDoc (Line 21) mentions "may be used by consumers of the hook," which is misleading since parameters are internal to the function, not exposed to consumers.

Consider either:

1. Removing the parameter entirely if it's not needed
2. Using it if there's a valid use case (e.g., calling it after successful operations)
3. Updating the JSDoc to clarify why it's present but unused

🔎 Option to remove unused parameter

 interface UseBeadsActionsProps {
   currentProject: { path: string } | null;
-  _loadIssues: () => Promise<void>;
 }

 /**
  * Provide handlers to create, update, delete, and change the status of Beads issues for the current project.
  *
  * @param currentProject - The currently selected project (object with `path`) or `null` if none is selected
- * @param loadIssues - Function to trigger reloading of issues; may be used by consumers of the hook
  * @returns An object exposing four handlers:
  * - `handleCreateIssue`: creates an issue and returns the created `BeadsIssue` if successful, or `null` on failure.
  * - `handleUpdateIssue`: updates an issue and returns `true` on success, or `false` on failure.
  * - `handleDeleteIssue`: deletes an issue and returns `true` on success, or `false` on failure.
  * - `handleStatusChange`: updates only the issue status and returns `true` on success, or `false` on failure.
  */
-export function useBeadsActions({ currentProject, _loadIssues }: UseBeadsActionsProps) {
+export function useBeadsActions({ currentProject }: UseBeadsActionsProps) {

Also applies to: 28-28

apps/server/src/lib/json-parser.ts (2)

1-27: Misleading "type-safe" claim in documentation.

The module documentation and JSDoc for safeJsonParse claim to provide "type-safe JSON parsing," but the implementation uses type assertions (as T) without runtime validation. This means if the parsed JSON doesn't match the expected type T, TypeScript won't catch it at runtime.

The functions are useful for providing better error messages, but they don't actually guarantee type safety. Consider:

1. Updating the documentation to accurately reflect that these provide "convenient" or "error-context-enhanced" parsing rather than "type-safe" parsing
2. For true type safety, runtime validation with Zod schemas would be needed

📝 Suggested documentation update

 /**
- * Safe JSON parsing utilities
+ * JSON parsing utilities with enhanced error messages
  *
- * Provides type-safe JSON parsing with descriptive error messages.
+ * Provides JSON parsing with descriptive error messages and type casting.
+ * Note: Type parameter T is used for TypeScript type casting only - 
+ * no runtime validation is performed.
  */

 /**
- * Safely parse JSON with type checking and descriptive error messages
+ * Parse JSON with descriptive error messages and type casting
  *
  * @param json - The JSON string to parse
  * @param context - Context description for error messages (e.g., "listIssues")
- * @returns The parsed value as type T
+ * @returns The parsed value cast as type T (no runtime validation)
  * @throws {Error} With descriptive message if parsing fails

---

41-47: Consider documenting the lack of runtime type validation.

Similar to safeJsonParse, this function casts the parsed result without runtime validation. The documentation should clarify this behavior.

apps/server/src/index.ts (1)

181-207: Consider applying strictLimiter to sensitive endpoints.

The rate limiting is well-applied, but sensitive operations like /api/setup (line 195) and /api/settings (line 203) may benefit from the strictLimiter (5 req/min) instead of relying only on the general authMiddleware. The strictLimiter is defined in rate-limiter.ts but not used here.

🔎 Suggested rate limiter additions

 app.use('/api/git', createGitRoutes());
-app.use('/api/setup', createSetupRoutes());
+app.use('/api/setup', strictLimiter, createSetupRoutes());
 app.use('/api/suggestions', createSuggestionsRoutes(events));

 app.use('/api/terminal', createTerminalRoutes());
-app.use('/api/settings', createSettingsRoutes(settingsService));
+app.use('/api/settings', strictLimiter, createSettingsRoutes(settingsService));
 app.use('/api/claude', createClaudeRoutes(claudeUsageService));

apps/server/src/lib/rate-limiter.ts (1)

19-91: LGTM with a consideration for future enhancement.

The rate limiting configuration is well-designed with appropriate limits for each endpoint type:

• Health endpoint: restrictive enough to prevent abuse while allowing monitoring
• General API: balanced limits for typical usage
• Strict limiter: appropriately restrictive for sensitive operations
• Beads: higher limits for frequent operations

All limiters use consistent configuration (standardHeaders, legacyHeaders).

Consideration: Current rate limiting is IP-based only. In production with authenticated users on shared networks (corporate, educational), consider adding per-user rate limiting in addition to per-IP limits. The express-rate-limit library supports custom key generators for this purpose.

apps/ui/src/components/views/beads-view/hooks/use-beads-column-issues.ts (1)

6-10: Consider removing unused parameter.

The _currentProject parameter (lines 9, 31) is declared but never used in the function body. The underscore prefix correctly indicates it's intentionally unused, but if it's not needed for the hook's functionality, consider removing it entirely from the interface to simplify the API.

🔎 Suggested parameter removal

 interface UseBeadsColumnIssuesProps {
   issues: BeadsIssue[];
   searchQuery: string;
-  _currentProject: { path: string } | null;
 }

 export function useBeadsColumnIssues({
   issues,
   searchQuery,
-  _currentProject: currentProject,
 }: UseBeadsColumnIssuesProps) {

Don't forget to update the call site in beads-view.tsx as well.

Also applies to: 31-31

apps/server/src/lib/beads-validation.ts (1)

123-134: Consider validating priorityMin <= priorityMax with a refinement.

The schema allows priorityMin to exceed priorityMax, which would return no results or cause confusion. A .refine() could enforce logical consistency.

🔎 Suggested refinement

 export const listBeadsIssuesFiltersSchema = z
   .object({
     status: z.array(beadsIssueStatusSchema).optional(),
     type: z.array(beadsIssueTypeSchema).optional(),
     labels: z.array(z.string()).optional(),
     priorityMin: beadsIssuePrioritySchema.optional(),
     priorityMax: beadsIssuePrioritySchema.optional(),
     titleContains: z.string().max(200).optional(),
     descContains: z.string().max(200).optional(),
     ids: z.array(beadsIssueIdSchema).optional(),
   })
-  .strict();
+  .strict()
+  .refine(
+    (data) => {
+      if (data.priorityMin !== undefined && data.priorityMax !== undefined) {
+        return data.priorityMin <= data.priorityMax;
+      }
+      return true;
+    },
+    { message: 'priorityMin must be less than or equal to priorityMax' }
+  );

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 836ffb3 and 98d286c.

⛔ Files ignored due to path filters (3)

• .beads/beads.db is excluded by !**/*.db
• .beads/daemon.lock is excluded by !**/*.lock
• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (28)

• .beads/.local_version
• .prettierignore
• BEADS_AUDIT_REPORT.md
• apps/server/package.json
• apps/server/src/index.ts
• apps/server/src/lib/auth.ts
• apps/server/src/lib/beads-validation.ts
• apps/server/src/lib/json-parser.ts
• apps/server/src/lib/rate-limiter.ts
• apps/server/src/lib/validation-middleware.ts
• apps/server/src/routes/beads/routes/create.ts
• apps/server/src/routes/beads/routes/list.ts
• apps/server/src/routes/beads/routes/update.ts
• apps/server/src/services/beads-service.ts
• apps/server/tests/unit/lib/beads-validation.test.ts
• apps/server/tests/unit/lib/json-parser.test.ts
• apps/server/tests/unit/services/beads-service.test.ts
• apps/ui/src/components/views/beads-view.tsx
• apps/ui/src/components/views/beads-view/beads-header.tsx
• apps/ui/src/components/views/beads-view/beads-kanban-board.tsx
• apps/ui/src/components/views/beads-view/hooks/use-beads-actions.ts
• apps/ui/src/components/views/beads-view/hooks/use-beads-column-issues.ts
• apps/ui/src/components/views/beads-view/hooks/use-beads-drag-drop.ts
• apps/ui/src/components/views/beads-view/hooks/use-beads-issues.ts
• apps/ui/src/components/views/beads-view/lib/column-utils.ts
• apps/ui/src/lib/electron.ts
• apps/ui/src/lib/http-api-client.ts
• libs/types/src/beads.ts

💤 Files with no reviewable changes (2)

• apps/ui/src/lib/http-api-client.ts
• apps/ui/src/lib/electron.ts

🧰 Additional context used

📓 Path-based instructions (4)

**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (AGENTS.md)

**/*.{ts,tsx,js,jsx}: Run type checking with npm run typecheck before syncing the Beads database as part of quality gates
Run linting with npm run lint before syncing the Beads database as part of quality gates

Files:

• apps/server/src/lib/json-parser.ts
• apps/ui/src/components/views/beads-view/lib/column-utils.ts
• apps/ui/src/components/views/beads-view/hooks/use-beads-drag-drop.ts
• apps/server/src/lib/auth.ts
• apps/server/src/routes/beads/routes/update.ts
• apps/server/src/routes/beads/routes/create.ts
• apps/ui/src/components/views/beads-view/hooks/use-beads-actions.ts
• apps/server/tests/unit/lib/json-parser.test.ts
• apps/server/src/lib/rate-limiter.ts
• apps/server/src/routes/beads/routes/list.ts
• libs/types/src/beads.ts
• apps/server/tests/unit/lib/beads-validation.test.ts
• apps/ui/src/components/views/beads-view/beads-header.tsx
• apps/server/tests/unit/services/beads-service.test.ts
• apps/ui/src/components/views/beads-view/hooks/use-beads-column-issues.ts
• apps/ui/src/components/views/beads-view/beads-kanban-board.tsx
• apps/server/src/lib/beads-validation.ts
• apps/server/src/services/beads-service.ts
• apps/server/src/lib/validation-middleware.ts
• apps/ui/src/components/views/beads-view/hooks/use-beads-issues.ts
• apps/server/src/index.ts
• apps/ui/src/components/views/beads-view.tsx

apps/ui/src/components/**

📄 CodeRabbit inference engine (CLAUDE.md)

React components should be placed in apps/ui/src/components/, grouped by feature

Files:

• apps/ui/src/components/views/beads-view/lib/column-utils.ts
• apps/ui/src/components/views/beads-view/hooks/use-beads-drag-drop.ts
• apps/ui/src/components/views/beads-view/hooks/use-beads-actions.ts
• apps/ui/src/components/views/beads-view/beads-header.tsx
• apps/ui/src/components/views/beads-view/hooks/use-beads-column-issues.ts
• apps/ui/src/components/views/beads-view/beads-kanban-board.tsx
• apps/ui/src/components/views/beads-view/hooks/use-beads-issues.ts
• apps/ui/src/components/views/beads-view.tsx

apps/server/src/routes/**

📄 CodeRabbit inference engine (CLAUDE.md)

API routes should be placed in apps/server/src/routes/, with one file per route/resource

Files:

• apps/server/src/routes/beads/routes/update.ts
• apps/server/src/routes/beads/routes/create.ts
• apps/server/src/routes/beads/routes/list.ts

apps/server/src/services/**

📄 CodeRabbit inference engine (CLAUDE.md)

Services should be placed in apps/server/src/services/, with one service per file

Files:

• apps/server/src/services/beads-service.ts

🧠 Learnings (5)

📓 Common learnings

Learnt from: CR
Repo: 0xtsotsi/DevFlow PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-24T19:32:07.586Z
Learning: Applies to **/*.{ts,tsx,js,jsx} : Run type checking with `npm run typecheck` before syncing the Beads database as part of quality gates

📚 Learning: 2025-12-24T19:32:07.586Z

Learnt from: CR
Repo: 0xtsotsi/DevFlow PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-24T19:32:07.586Z
Learning: Create Beads issues for all substantive work (features, bugs, chores) using the `bd create` command

Applied to files:

• apps/server/src/routes/beads/routes/create.ts
• apps/server/src/services/beads-service.ts

📚 Learning: 2025-12-24T19:32:07.586Z

Learnt from: CR
Repo: 0xtsotsi/DevFlow PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-24T19:32:07.586Z
Learning: Applies to **/*.{ts,tsx,js,jsx} : Run type checking with `npm run typecheck` before syncing the Beads database as part of quality gates

Applied to files:

• apps/server/tests/unit/lib/beads-validation.test.ts
• apps/server/src/lib/beads-validation.ts
• apps/server/src/services/beads-service.ts
• apps/ui/src/components/views/beads-view/hooks/use-beads-issues.ts

📚 Learning: 2025-12-24T19:32:07.586Z

Learnt from: CR
Repo: 0xtsotsi/DevFlow PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-24T19:32:07.586Z
Learning: Check `bd ready` before starting new work to ensure you're working on unblocked tasks

Applied to files:

• apps/server/src/services/beads-service.ts

📚 Learning: 2025-12-24T19:31:56.698Z

Learnt from: CR
Repo: 0xtsotsi/DevFlow PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-24T19:31:56.698Z
Learning: Applies to apps/server/src/routes/** : API routes should be placed in `apps/server/src/routes/`, with one file per route/resource

Applied to files:

• apps/server/src/index.ts

🧬 Code graph analysis (9)

apps/ui/src/components/views/beads-view/hooks/use-beads-drag-drop.ts (1)

apps/ui/src/components/views/beads-view/lib/column-utils.ts (1)

• getIssueColumn (14-32)

apps/server/src/routes/beads/routes/update.ts (1)

apps/server/src/lib/beads-validation.ts (2)

• beadsIssueIdSchema (16-18)
• updateBeadsIssueSchema (77-93)

apps/server/src/routes/beads/routes/create.ts (1)

apps/server/src/lib/beads-validation.ts (1)

• createBeadsIssueSchema (62-72)

apps/server/tests/unit/lib/json-parser.test.ts (1)

apps/server/src/lib/json-parser.ts (2)

• safeJsonParse (20-27)
• safeJsonParseOrDefault (41-47)

apps/server/src/routes/beads/routes/list.ts (2)

apps/server/src/services/beads-service.ts (1)

• BeadsService (24-446)

apps/server/src/lib/beads-validation.ts (1)

• listBeadsIssuesFiltersSchema (123-134)

libs/types/src/beads.ts (1)

libs/types/src/index.ts (1)

• BeadsIssueType (89-89)

apps/server/tests/unit/lib/beads-validation.test.ts (1)

apps/server/src/lib/beads-validation.ts (12)

• beadsIssueIdSchema (16-18)
• beadsIssueStatusSchema (23-23)
• beadsIssueTypeSchema (28-28)
• beadsIssuePrioritySchema (33-35)
• beadsLabelsSchema (40-43)
• createBeadsIssueSchema (62-72)
• updateBeadsIssueSchema (77-93)
• deleteBeadsIssueSchema (98-101)
• addDependencySchema (106-110)
• listBeadsIssuesFiltersSchema (123-134)
• searchBeadsIssuesSchema (139-143)
• getStaleIssuesSchema (148-150)

apps/ui/src/components/views/beads-view/hooks/use-beads-column-issues.ts (2)

libs/types/src/beads.ts (1)

• BeadsIssue (36-65)

apps/ui/src/components/views/beads-view/lib/column-utils.ts (1)

• getIssueColumn (14-32)

apps/server/src/services/beads-service.ts (4)

libs/types/src/beads.ts (5)

• ListBeadsIssuesFilters (118-134)
• BeadsIssue (36-65)
• CreateBeadsIssueInput (80-95)
• UpdateBeadsIssueInput (100-113)
• BeadsStats (153-166)

libs/types/src/index.ts (5)

• ListBeadsIssuesFilters (95-95)
• BeadsIssue (87-87)
• CreateBeadsIssueInput (93-93)
• UpdateBeadsIssueInput (94-94)
• BeadsStats (97-97)

apps/server/src/lib/json-parser.ts (1)

• safeJsonParse (20-27)

apps/ui/src/components/views/beads-view/hooks/use-beads-column-issues.ts (1)

• BeadsStats (12-18)

🪛 LanguageTool

BEADS_AUDIT_REPORT.md

[grammar] ~161-~161: Use a hyphen to join words.
Context: ...timated Effort:** 0.5 days --- ## High Priority Issues ### 5. Incomplete Error...

(QB_NEW_EN_HYPHEN)

---

[uncategorized] ~281-~281: If this is a compound adjective that modifies the following noun, use a hyphen.
Context: ...Estimated Effort: 0.5 days --- ## Medium Priority Issues ### 9. No Loading State for Dra...

(EN_COMPOUND_ADJECTIVE_INTERNAL)

---

[style] ~333-~333: Consider using “inaccessible” to avoid wordiness.
Context: ...essibility Issues Impact: MEDIUM - Not accessible to keyboard/screen reader users **Files...

(NOT_ABLE_PREMIUM)

---

[grammar] ~382-~382: Use a hyphen to join words.
Context: ...stimated Effort:** 0.5 days --- ## Low Priority Issues ### 13. Missing CLI Ope...

(QB_NEW_EN_HYPHEN)

---

[grammar] ~478-~478: Use a hyphen to join words.
Context: ... UI Improvements (2-3 days) 6. Fix drag and drop column detection (0.5 days) 7. ...

(QB_NEW_EN_HYPHEN)

---

[grammar] ~478-~478: Use a hyphen to join words.
Context: ...Improvements (2-3 days) 6. Fix drag and drop column detection (0.5 days) 7. Fix ...

(QB_NEW_EN_HYPHEN)

---

[style] ~510-~510: Consider a different adjective to strengthen your wording.
Context: ...s-ignore markers - Explore agents - Deep code analysis with 4 parallel agents - ...

(DEEP_PROFOUND)

🪛 markdownlint-cli2 (0.18.1)

BEADS_AUDIT_REPORT.md

527-527: Emphasis used instead of a heading

(MD036, no-emphasis-as-heading)

🔇 Additional comments (39)

.prettierignore (1)

26-26: LGTM!

Adding the generated route tree file to .prettierignore is appropriate and consistent with the existing patterns for generated files.

.beads/.local_version (1)

1-1: LGTM!

Version bump to 0.35.0 aligns with the changes in this PR.

BEADS_AUDIT_REPORT.md (2)

28-38: Audit report may be inconsistent with this PR's changes.

The report states "Zero Test Coverage" and "Unit tests for BeadsService (0 tests)", but this PR adds unit tests in apps/server/tests/unit/services/beads-service.test.ts. Consider updating this section to reflect the tests being added, or add a note indicating this report was generated before the fixes were applied.

---

1-7: Comprehensive audit report — useful for tracking improvements.

The structured breakdown of issues by severity with estimated effort and implementation phases provides good visibility into technical debt. This aligns well with the PR's goal of improving type safety and validation.

apps/ui/src/components/views/beads-view/hooks/use-beads-issues.ts (1)

19-79: LGTM — simplified load flow looks correct.

The removal of project-switch detection simplifies the logic while preserving the essential behavior: tracking the current project path and managing loading states appropriately. The isInitialLoadRef still ensures the loading spinner only shows on initial load.

apps/ui/src/components/views/beads-view/beads-kanban-board.tsx (1)

2-10: Good type safety improvement for drag event handlers.

Replacing any with DragStartEvent and DragEndEvent from @dnd-kit/core properly types the drag handlers and aligns with the PR's objective of improving type safety.

Also applies to: 23-24

apps/server/src/lib/validation-middleware.ts (3)

1-32: Well-structured validation middleware with proper Zod 4 error handling.

The formatValidationError function correctly uses Zod 4's error.issues array to produce structured validation error responses. Good separation of concerns.

---

49-67: LGTM — validateBody correctly validates and replaces request body.

The middleware properly:

1. Validates using schema.parse()
2. Replaces req.body with validated data (important for stripping unknown fields)
3. Returns 400 with detailed errors on validation failure
4. Passes unexpected errors to Express error handler

---

153-185: Combined validate middleware is well-designed.

The ability to validate body, query, and params in a single middleware call reduces boilerplate. The sequential validation ensures all parts are validated before proceeding.

One minor note: if validation fails on body, the query and params won't be validated. This is typically fine (fail-fast), but if you need all validation errors at once, you'd need a different approach.

apps/server/package.json (1)

34-38: New dependencies for rate limiting and validation look appropriate.

The additions of express-rate-limit and zod support the security and validation improvements in this PR.

apps/ui/src/components/views/beads-view/beads-header.tsx (1)

1-1: LGTM! Clean removal of unused imports.

The removal of unused React hooks and utilities improves code cleanliness and aligns with linting best practices.

apps/server/src/lib/auth.ts (2)

12-31: Excellent security enhancement with production mode enforcement.

The initializeAuth() function ensures that AUTOMAKER_API_KEY is mandatory in production, preventing insecure deployments. The warning for development mode is helpful for developers.

---

78-83: LGTM! Useful addition of production mode indicator.

Adding productionMode to the auth status response provides useful context for health checks and monitoring.

apps/server/tests/unit/lib/json-parser.test.ts (1)

1-103: LGTM! Comprehensive test coverage.

The test suite thoroughly covers both happy paths and error cases for the JSON parsing utilities, including edge cases like empty strings and whitespace. The tests verify that error messages include the provided context, which is essential for debugging.

apps/ui/src/components/views/beads-view/hooks/use-beads-drag-drop.ts (1)

69-73: LGTM! Good refactoring to use shared column utility.

Delegating column determination to getIssueColumn centralizes the logic and ensures consistency with how columns are calculated elsewhere in the UI. This reduces duplication and makes the codebase more maintainable.

apps/server/src/routes/beads/routes/create.ts (1)

23-46: LGTM! Excellent addition of Zod-based validation.

The addition of schema validation with createBeadsIssueSchema significantly improves security and type safety. The structured error response with detailed validation failures (path and message) provides clear feedback for clients.

This is a solid implementation of input validation best practices.

apps/server/src/routes/beads/routes/update.ts (1)

26-55: LGTM! Robust dual validation for update endpoint.

The addition of both beadsIssueIdSchema and updateBeadsIssueSchema validation ensures:

1. Issue IDs conform to the expected format (bd-xxxxx)
2. Update payloads contain at least one valid field
3. Detailed validation errors are returned to clients

This is a well-implemented security enhancement that follows validation best practices.

apps/server/src/index.ts (2)

18-19: LGTM!

The security initialization imports and setup flow are well-structured. Calling initializeAuth() after initAllowedPaths() establishes proper security initialization ordering.

Also applies to: 86-90

---

101-126: LGTM!

The CORS validation logic is well-implemented with appropriate defaults, warnings for unsafe configurations, and fail-fast behavior for invalid URLs. The function correctly throws on invalid CORS_ORIGIN to prevent the server from starting with misconfiguration.

apps/server/src/routes/beads/routes/list.ts (1)

24-47: LGTM with a minor note on type coupling.

The filter validation logic is well-implemented with proper error handling and detailed error responses. Using Parameters<BeadsService['listIssues']>[1] for type inference ensures type safety, though it creates tight coupling to the service signature.

Note: If the BeadsService.listIssues signature changes, this will automatically adapt, which is good. However, if you need to decouple in the future, consider importing the type directly from @automaker/types.

apps/ui/src/components/views/beads-view/lib/column-utils.ts (2)

14-32: LGTM!

The column categorization logic is well-structured and handles all current BeadsIssueStatus values ('open', 'in_progress', 'closed'). The fallback to 'backlog' (line 30) provides defensive programming for future status additions.

---

41-56: LGTM!

The blocker detection logic is correct and handles edge cases well:

• Safely handles missing dependencies (line 42)
• Only considers 'blocks' type dependencies (line 47)
• Validates blocking issue existence before status check (line 50)
• Efficiently returns early when a blocker is found

apps/ui/src/components/views/beads-view/hooks/use-beads-column-issues.ts (1)

56-60: LGTM!

The refactoring to use the shared getIssueColumn utility is well-executed. It correctly passes both the issue and the full issues array needed for blocker detection, maintaining the same functionality while improving code reuse.

apps/server/tests/unit/lib/beads-validation.test.ts (3)

24-123: LGTM!

The basic schema tests provide excellent coverage:

• Valid and invalid inputs for all basic types
• Edge cases like uppercase, special characters, boundary values
• Constraint validation (label length, label count, priority range)
• Proper use of safeParse pattern throughout

---

125-250: LGTM with a note on missing test coverage.

The composite schema tests are comprehensive and well-structured, covering:

• Required and optional fields
• Security validation (invalid characters in titles)
• Constraint validation (length limits, invalid types)
• Empty update rejection

Note: removeDependencySchema is imported (line 17) but has no corresponding test suite. Consider adding tests for completeness.

---

252-339: LGTM!

The filter and utility schema tests provide solid coverage:

• Optional filter fields work correctly
• Strict mode properly rejects unknown properties (lines 280-285)
• Range constraints validated (priority range, limit range, days range)
• Empty/default cases handled

apps/ui/src/components/views/beads-view.tsx (2)

18-18: LGTM!

The type improvements are well-executed:

• Removed unused BeadsDependency import
• Properly typed handleCreateFromDialog parameter with CreateBeadsIssueInput (line 163) instead of using any

This improves type safety in the component.

Also applies to: 163-163

---

95-106: LGTM!

The dependency array update is correct. The handleConfirmDelete callback doesn't use getBlockingCounts internally (the count is pre-calculated and passed to the dialog), so removing it from the dependency array (line 106) is appropriate and eliminates an unnecessary dependency.

apps/server/src/lib/beads-validation.ts (4)

16-18: LGTM!

The issue ID regex correctly validates the expected format bd-xxxxx with optional .N suffix for child issues.

---

23-28: LGTM!

Status and type enums are well-defined with clear value sets.

---

62-72: LGTM!

The createBeadsIssueSchema has solid validation including character restrictions to prevent injection patterns (<>{}$).

---

175-182: LGTM!

Type exports correctly derive from their corresponding schemas using z.infer, ensuring type-schema alignment.

apps/server/src/services/beads-service.ts (7)

13-20: LGTM!

Type imports from @automaker/types and the new safeJsonParse helper consolidate type safety across the service.

---

103-135: LGTM!

The listIssues method properly applies typed filters to CLI arguments and uses safeJsonParse for robust JSON handling.

---

293-311: LGTM!

The getStats method returns properly typed BeadsStats with sensible defaults when Beads is not initialized. The default object correctly includes all required fields: readyIssues and blockedIssues.

---

324-353: LGTM!

The new searchIssues method follows the established pattern with proper error handling for uninitialized databases.

---

355-392: LGTM!

Both getBlockedIssues and getStaleIssues methods correctly implement the pattern of returning empty arrays when Beads is not initialized.

---

400-433: Good improvement: callback errors are now caught and logged.

The try-catch around the callback (lines 412-417) prevents watcher crashes from unhandled exceptions, and failed watch initialization now logs the error (line 430) instead of failing silently.

---

438-445: LGTM!

The isNotInitializedError method now robustly handles both Error instances and other thrown values.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Regex in updateBeadsIssueSchema is missing the * quantifier.

The title regex on line 83 uses /^[^<>{}$]/ which only checks the first character, while createBeadsIssueSchema uses /^[^<>{}$]*$/ which validates the entire string. This inconsistency allows invalid characters after the first position in updates.

🔎 Proposed fix

     title: z
       .string()
       .min(1, 'Title is required')
       .max(200, 'Title must be 200 characters or less')
-      .regex(/^[^<>{}$]/, 'Title contains invalid characters')
+      .regex(/^[^<>{}$]*$/, 'Title contains invalid characters')
       .optional(),

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	export const updateBeadsIssueSchema = z
	.object({
	title: z
	.string()
	.min(1, 'Title is required')
	.max(200, 'Title must be 200 characters or less')
	.regex(/^[^<>{}$]/, 'Title contains invalid characters')
	.optional(),
	description: z.string().max(10000, 'Description must be 10000 characters or less').optional(),
	status: beadsIssueStatusSchema.optional(),
	type: beadsIssueTypeSchema.optional(),
	priority: beadsIssuePrioritySchema.optional(),
	labels: beadsLabelsSchema,
	})
	.refine((data) => Object.keys(data).length > 0, {
	message: 'At least one field must be specified for update',
	});
	export const updateBeadsIssueSchema = z
	.object({
	title: z
	.string()
	.min(1, 'Title is required')
	.max(200, 'Title must be 200 characters or less')
	.regex(/^[^<>{}$]*$/, 'Title contains invalid characters')
	.optional(),
	description: z.string().max(10000, 'Description must be 10000 characters or less').optional(),
	status: beadsIssueStatusSchema.optional(),
	type: beadsIssueTypeSchema.optional(),
	priority: beadsIssuePrioritySchema.optional(),
	labels: beadsLabelsSchema,
	})
	.refine((data) => Object.keys(data).length > 0, {
	message: 'At least one field must be specified for update',
	});

🤖 Prompt for AI Agents

In apps/server/src/lib/beads-validation.ts around lines 77 to 93, the title
regex in updateBeadsIssueSchema only validates the first character (/^[^<>{}$]/)
so invalid characters can appear later; replace it with the full-string pattern
used in createBeadsIssueSchema (i.e. add the * quantifier and end anchor) so the
regex validates the entire title, and keep the existing error message unchanged.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

cat -n libs/types/src/beads.ts | head -100

Repository: 0xtsotsi/DevFlow

Length of output: 3331

---

🏁 Script executed:

# Search for BeadsIssuePriority definition
rg -n "BeadsIssuePriority" libs/types/src/

Repository: 0xtsotsi/DevFlow

Length of output: 246

---

🏁 Script executed:

# Check if beads-validation.ts exists and examine it
fd -t f "beads-validation" libs/types/src/

Repository: 0xtsotsi/DevFlow

Length of output: 42

---

🏁 Script executed:

# Search for CreateBeadsIssueInput usages
rg -n "CreateBeadsIssueInput" -A 3 -B 1

Repository: 0xtsotsi/DevFlow

Length of output: 7634

---

🏁 Script executed:

cat -n apps/server/src/lib/beads-validation.ts | grep -A 20 "createBeadsIssueSchema"

Repository: 0xtsotsi/DevFlow

Length of output: 1527

---

🏁 Script executed:

# Also check the specific schema definition
rg -n "createBeadsIssueSchema" -A 15 apps/server/src/lib/beads-validation.ts

Repository: 0xtsotsi/DevFlow

Length of output: 1272

---

🏁 Script executed:

# Run type checking as per coding guidelines
cd /repo && npm run typecheck 2>&1 | head -100

Repository: 0xtsotsi/DevFlow

Length of output: 115

---

🏁 Script executed:

rg -n "beadsIssuePrioritySchema" apps/server/src/lib/beads-validation.ts -B 2 -A 5

Repository: 0xtsotsi/DevFlow

Length of output: 1368

---

🏁 Script executed:

# Check the repository structure
pwd && ls -la

Repository: 0xtsotsi/DevFlow

Length of output: 2579

---

🏁 Script executed:

# Try typecheck with correct path
npm run typecheck 2>&1 | grep -i "priority\|createbeads" | head -20

Repository: 0xtsotsi/DevFlow

Length of output: 42

---

Restore strict type for priority field to maintain compile-time safety.

Changing priority from BeadsIssuePriority (0|1|2|3|4) to number (line 88) removes compile-time validation. While beadsIssuePrioritySchema enforces the 0-4 range at runtime on the server, UI and other client-side components importing from the types library have no TypeScript protection against invalid values like 10 or -1.

 export interface CreateBeadsIssueInput {
   /** Issue title */
   title: string;
   /** Detailed description */
   description?: string;
   /** Issue type */
   type?: BeadsIssueType;
   /** Priority (0=highest, 4=lowest) */
-  priority?: number;
+  priority?: BeadsIssuePriority;
 }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	description?: string;
	/** Issue type */
	type: BeadsIssueType;
	type?: BeadsIssueType;
	/** Priority (0=highest, 4=lowest) */
	priority: BeadsIssuePriority;
	priority?: number;
	export interface CreateBeadsIssueInput {
	/** Issue title */
	title: string;
	/** Detailed description */
	description?: string;
	/** Issue type */
	type?: BeadsIssueType;
	/** Priority (0=highest, 4=lowest) */
	priority?: BeadsIssuePriority;
	}

🤖 Prompt for AI Agents

In libs/types/src/beads.ts around lines 84 to 88, the priority field was widened
from the strict BeadsIssuePriority union to number, removing compile-time
validation; revert the priority type back to BeadsIssuePriority (the 0|1|2|3|4
union or enum already defined in this file) so TypeScript enforces allowed
values at compile time, ensuring client-side code cannot assign invalid numbers;
update any imports or references if needed to use the BeadsIssuePriority type.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Type safety weakened for priority fields.

Similar to CreateBeadsIssueInput, changing priority fields from BeadsIssuePriority to number in UpdateBeadsIssueInput (line 110) and ListBeadsIssuesFilters (lines 126-127) removes compile-time validation. This allows invalid values to pass TypeScript checking.

🔎 Suggested type restoration

   /** Updated type */
   type?: BeadsIssueType;
   /** Updated priority (0=highest, 4=lowest) */
-  priority?: number;
+  priority?: BeadsIssuePriority;
   /** Updated labels */
   labels?: string[];

   /** Filter by labels (AND) */
   labels?: string[];
   /** Filter by priority range (0-4, where 0 is highest) */
-  priorityMin?: number;
-  priorityMax?: number;
+  priorityMin?: BeadsIssuePriority;
+  priorityMax?: BeadsIssuePriority;
   /** Search in title */
   titleContains?: string;

Also applies to: 125-127

🤖 Prompt for AI Agents

In libs/types/src/beads.ts around lines 109-110 (and also affecting lines
125-127), the optional priority fields were changed from the enum type
BeadsIssuePriority to plain number, weakening type safety; revert these fields
to use BeadsIssuePriority (e.g., priority?: BeadsIssuePriority) for
UpdateBeadsIssueInput and ListBeadsIssuesFilters, and add or adjust the
import/definition reference for BeadsIssuePriority if required so TypeScript
enforces valid priority values at compile time.

[coderabbitai]

Actionable comments posted: 0

♻️ Duplicate comments (4)

apps/server/tests/unit/services/beads-service.test.ts (2)

33-36: Duplicate test case — both tests use the same input.

The test named "should handle paths without trailing slash" uses the same input ('/my/project') as the previous test. To properly test trailing slash handling, this test should use an input with a trailing slash.

🔎 Proposed fix

     it('should handle paths without trailing slash', () => {
-      const path = beadsService.getDatabasePath('/my/project');
-      expect(path).toBe('/my/project/.beads/beads.db');
+      const path = beadsService.getDatabasePath('/my/project/');
+      expect(path).toBe('/my/project/.beads/beads.db');
     });

---

1-50: Test coverage is minimal for a service with extensive CLI functionality.

While it's positive to see unit tests added, the current coverage only validates two helper methods (getDatabasePath and isNotInitializedError). The core functionality of this service—methods that execute the bd CLI command like listIssues, createIssue, updateIssue, getStats, etc.—remains untested.

To make these tests more comprehensive, consider mocking execFileAsync to verify how service methods build CLI arguments and handle different outputs (success, errors, empty results).

apps/server/src/lib/beads-validation.ts (1)

84-84: Regex validation incomplete — allows invalid characters after first position.

The title regex in updateBeadsIssueSchema uses /^[^<>{}$]/ which only validates the first character, while createBeadsIssueSchema (line 67) uses /^[^<>{}$]*$/ which validates the entire string. This inconsistency allows titles like "Ok<script>" or "A{bad}" to pass validation in updates.

🔎 Proposed fix

       .regex(/^[^<>{}$]/, 'Title contains invalid characters')
+      .regex(/^[^<>{}$]*$/, 'Title contains invalid characters')

apps/server/src/index.ts (1)

101-123: Restrictive CORS default may break development setups.

As noted in the previous review, defaulting to http://localhost:3008 when CORS_ORIGIN is unset will prevent clients running on different origins (e.g., :3000, :5173, or Electron file:// origins) from connecting. This is a regression from a more permissive default.

Additionally, throwing an error for an invalid CORS_ORIGIN (line 121) will crash the server on startup. Consider logging the error and either falling back to a safe default or exiting gracefully with a clear error message.

🧹 Nitpick comments (1)

BEADS_AUDIT_REPORT.md (1)

163-163: Fix minor grammar issues flagged by static analysis.

Static analysis identified several hyphenation issues where compound adjectives or phrases should use hyphens for clarity:

• Line 163: "High Priority Issues" → "High-Priority Issues" (if modifying a noun compound)
• Line 283: "Medium Priority Issues" → "Medium-Priority Issues"
• Line 384: "Low Priority Issues" → "Low-Priority Issues"
• Lines 480 & 480: "drag and drop column detection" → "drag-and-drop column detection"

Additionally, line 335 suggests replacing "Not accessible" with "Inaccessible" for conciseness.

🔎 Proposed grammar fixes

- ## High Priority Issues
+ ## High-Priority Issues

- ## Medium Priority Issues
+ ## Medium-Priority Issues

- ## Low Priority Issues
+ ## Low-Priority Issues

- 6. Fix drag and drop column detection (0.5 days)
+ 6. Fix drag-and-drop column detection (0.5 days)

- **Impact:** MEDIUM - Not accessible to keyboard/screen reader users
+ **Impact:** MEDIUM - Inaccessible to keyboard and screen reader users

Also applies to: 283-283, 384-384, 480-480

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 98d286c and bc08e6c.

📒 Files selected for processing (10)

• BEADS_AUDIT_REPORT.md
• apps/server/src/index.ts
• apps/server/src/lib/beads-validation.ts
• apps/server/src/lib/json-parser.ts
• apps/server/src/services/beads-service.ts
• apps/server/tests/unit/services/beads-service.test.ts
• apps/ui/src/components/views/beads-view.tsx
• apps/ui/src/components/views/beads-view/beads-kanban-board.tsx
• apps/ui/src/components/views/beads-view/hooks/use-beads-actions.ts
• apps/ui/src/components/views/beads-view/hooks/use-beads-column-issues.ts

🚧 Files skipped from review as they are similar to previous changes (3)

• apps/server/src/lib/json-parser.ts
• apps/ui/src/components/views/beads-view/hooks/use-beads-actions.ts
• apps/ui/src/components/views/beads-view.tsx

🧰 Additional context used

📓 Path-based instructions (3)

apps/ui/src/components/**

📄 CodeRabbit inference engine (CLAUDE.md)

React components should be placed in apps/ui/src/components/, grouped by feature

Files:

• apps/ui/src/components/views/beads-view/beads-kanban-board.tsx
• apps/ui/src/components/views/beads-view/hooks/use-beads-column-issues.ts

**/*.{ts,tsx,js,jsx}

📄 CodeRabbit inference engine (AGENTS.md)

**/*.{ts,tsx,js,jsx}: Run type checking with npm run typecheck before syncing the Beads database as part of quality gates
Run linting with npm run lint before syncing the Beads database as part of quality gates

Files:

• apps/ui/src/components/views/beads-view/beads-kanban-board.tsx
• apps/server/src/index.ts
• apps/server/tests/unit/services/beads-service.test.ts
• apps/ui/src/components/views/beads-view/hooks/use-beads-column-issues.ts
• apps/server/src/services/beads-service.ts
• apps/server/src/lib/beads-validation.ts

apps/server/src/services/**

📄 CodeRabbit inference engine (CLAUDE.md)

Services should be placed in apps/server/src/services/, with one service per file

Files:

• apps/server/src/services/beads-service.ts

🧠 Learnings (6)

📓 Common learnings

Learnt from: CR
Repo: 0xtsotsi/DevFlow PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-24T19:32:07.586Z
Learning: Applies to **/*.{ts,tsx,js,jsx} : Run type checking with `npm run typecheck` before syncing the Beads database as part of quality gates

📚 Learning: 2025-12-24T19:32:07.586Z

Learnt from: CR
Repo: 0xtsotsi/DevFlow PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-24T19:32:07.586Z
Learning: Use `bd dep add <issue-id> blocks <issue-id>` to mark hard blocking dependencies where one issue must complete before another

Applied to files:

• apps/ui/src/components/views/beads-view/beads-kanban-board.tsx

📚 Learning: 2025-12-24T19:31:56.698Z

Learnt from: CR
Repo: 0xtsotsi/DevFlow PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-24T19:31:56.698Z
Learning: Applies to apps/server/src/routes/** : API routes should be placed in `apps/server/src/routes/`, with one file per route/resource

Applied to files:

• apps/server/src/index.ts

📚 Learning: 2025-12-24T19:32:07.586Z

Learnt from: CR
Repo: 0xtsotsi/DevFlow PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-24T19:32:07.586Z
Learning: Applies to **/*.{ts,tsx,js,jsx} : Run type checking with `npm run typecheck` before syncing the Beads database as part of quality gates

Applied to files:

• apps/server/tests/unit/services/beads-service.test.ts
• apps/server/src/services/beads-service.ts
• apps/server/src/lib/beads-validation.ts

📚 Learning: 2025-12-24T19:32:07.586Z

Learnt from: CR
Repo: 0xtsotsi/DevFlow PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-24T19:32:07.586Z
Learning: Create Beads issues for all substantive work (features, bugs, chores) using the `bd create` command

Applied to files:

• apps/server/src/services/beads-service.ts

📚 Learning: 2025-12-24T19:32:07.586Z

Learnt from: CR
Repo: 0xtsotsi/DevFlow PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-24T19:32:07.586Z
Learning: Check `bd ready` before starting new work to ensure you're working on unblocked tasks

Applied to files:

• apps/server/src/services/beads-service.ts

🧬 Code graph analysis (3)

apps/ui/src/components/views/beads-view/hooks/use-beads-column-issues.ts (1)

apps/ui/src/components/views/beads-view/lib/column-utils.ts (1)

• getIssueColumn (14-32)

apps/server/src/services/beads-service.ts (2)

libs/types/src/beads.ts (5)

• ListBeadsIssuesFilters (118-134)
• BeadsIssue (36-65)
• CreateBeadsIssueInput (80-95)
• UpdateBeadsIssueInput (100-113)
• BeadsStats (153-166)

apps/server/src/lib/json-parser.ts (1)

• safeJsonParse (22-29)

apps/server/src/lib/beads-validation.ts (1)

libs/types/src/beads.ts (3)

• CreateBeadsIssueInput (80-95)
• UpdateBeadsIssueInput (100-113)
• ListBeadsIssuesFilters (118-134)

🪛 LanguageTool

BEADS_AUDIT_REPORT.md

[grammar] ~163-~163: Use a hyphen to join words.
Context: ...timated Effort:** 0.5 days --- ## High Priority Issues ### 5. Incomplete Error...

(QB_NEW_EN_HYPHEN)

---

[uncategorized] ~283-~283: If this is a compound adjective that modifies the following noun, use a hyphen.
Context: ...Estimated Effort: 0.5 days --- ## Medium Priority Issues ### 9. No Loading State for Dra...

(EN_COMPOUND_ADJECTIVE_INTERNAL)

---

[style] ~335-~335: Consider using “inaccessible” to avoid wordiness.
Context: ...essibility Issues Impact: MEDIUM - Not accessible to keyboard/screen reader users **Files...

(NOT_ABLE_PREMIUM)

---

[grammar] ~384-~384: Use a hyphen to join words.
Context: ...stimated Effort:** 0.5 days --- ## Low Priority Issues ### 13. Missing CLI Ope...

(QB_NEW_EN_HYPHEN)

---

[grammar] ~480-~480: Use a hyphen to join words.
Context: ... UI Improvements (2-3 days) 6. Fix drag and drop column detection (0.5 days) 7. ...

(QB_NEW_EN_HYPHEN)

---

[grammar] ~480-~480: Use a hyphen to join words.
Context: ...Improvements (2-3 days) 6. Fix drag and drop column detection (0.5 days) 7. Fix ...

(QB_NEW_EN_HYPHEN)

---

[style] ~512-~512: Consider a different adjective to strengthen your wording.
Context: ...s-ignore markers - Explore agents - Deep code analysis with 4 parallel agents - ...

(DEEP_PROFOUND)

🪛 markdownlint-cli2 (0.18.1)

BEADS_AUDIT_REPORT.md

529-529: Emphasis used instead of a heading

(MD036, no-emphasis-as-heading)

🔇 Additional comments (18)

BEADS_AUDIT_REPORT.md (7)

1-22: Clarify the audit status relative to PR #11 changes.

This audit report marks its status as "READY FOR IMPLEMENTATION," but the enriched context indicates PR #11 has already addressed several of the critical issues listed below (rate limiting, Zod validation, JSON parsing utilities, type safety). The report should explicitly acknowledge which items have been fixed versus which remain outstanding.

Can you verify and update the report to reflect the current state after PR #11 (e.g., which security fixes, validation, and type improvements were actually implemented)?

---

28-42: Update test coverage status to reflect PR #11 additions.

Line 34 acknowledges unit test completion for BeadsService, but the context above (lines 28-32) still claims "Zero Test Coverage" as the overall status. The summary should be clearer about what test coverage was added (unit tests only) versus what remains (integration, component, E2E tests).

Confirm the exact scope of tests added in PR #11 and update the table and critical issues list accordingly.

---

45-91: Reconcile API security findings with PR #11 rate-limiting and validation fixes.

The PR summary states that rate limiting was applied (5 req/min to /api/setup and /api/settings) and comprehensive Zod validation schemas were added. However, lines 52–87 list these as outstanding issues without acknowledging the fixes. If the security improvements were indeed implemented, this section should be updated to reflect:

• Which endpoints now have rate limiting
• Which validation schemas are now in place
• Which gaps (if any) remain

Verify which of the issues in section 2 (lines 45–91) were fixed by PR #11 versus which truly remain outstanding.

---

93-131: Update type safety findings to reflect PR #11 fixes.

The PR objectives explicitly state "Fixed TypeScript type errors" and the enriched summary mentions "BeadsService typing and APIs" improvements. Lines 93–131 list any types as outstanding, but if these were actually fixed in PR #11, this section should note what was corrected and highlight any remaining gaps.

Confirm whether the type safety issues (lines 100–106) were fixed in PR #11 and update the report accordingly.

---

134-161: Account for JSON parsing utilities added in PR #11.

The PR summary notes "Added JSON parsing middleware," and the enriched context mentions new json-parser.ts utilities (safeJsonParse, safeJsonParseOrDefault). Section 4 (lines 134–161) lists unsafe JSON parsing as a critical issue, but if these utilities were added, the report should acknowledge the fix and clarify what coverage remains (e.g., whether all call sites now use safe parsing).

Verify whether the JSON parsing utilities from PR #11 are now being used across the codebase and update this section.

---

257-280: Acknowledge the memoization fix for getBlockingCounts.

The PR commit messages explicitly mention memoizing getBlockingCounts in BeadsKanbanBoard with useMemo to avoid O(n²) recalculation. While section 8 (lines 257–280) correctly identifies this issue and proposes a fix, it should note that this performance improvement was already implemented in PR #11.

Confirm that getBlockingCounts memoization is in place and update the report to mark this issue as resolved.

---

465-493: Update implementation priority roadmap to reflect PR #11 progress.

If PR #11 has already addressed Phase 1 and Phase 2 items (tests, security, validation, JSON parsing, type safety), the priority roadmap (lines 465–493) should reflect which phases have begun or completed versus which remain. The total estimated effort (12–17 days) should be recalculated based on work completed.

Provide an updated roadmap accounting for PR #11 work completed and recalculate remaining effort.

apps/ui/src/components/views/beads-view/beads-kanban-board.tsx (2)

1-10: LGTM! Type safety improved for drag events.

The addition of explicit DragStartEvent and DragEndEvent types from @dnd-kit/core improves type safety for the drag-and-drop handlers. This aligns the component with the library's expected event types.

Also applies to: 23-24

---

67-88: LGTM! Excellent performance optimization.

The memoization of blocking counts is a well-implemented optimization that prevents O(n²) recalculation on each render. The use of a Map for efficient lookups and safe defaults when retrieving counts are good practices.

Also applies to: 110-113

apps/ui/src/components/views/beads-view/hooks/use-beads-column-issues.ts (1)

3-4: LGTM! Good refactor to shared utilities.

The refactor to use getIssueColumn and hasOpenBlockers from shared utilities (column-utils.ts) is a positive change that:

• Eliminates code duplication
• Centralizes column determination logic
• Makes the hook more focused on organization and filtering

This aligns well with the DRY principle and improves maintainability.

Also applies to: 27-27, 51-54, 85-85

apps/server/src/services/beads-service.ts (4)

13-20: LGTM! Strong typing improves API surface.

The addition of explicit type imports from @automaker/types and the safeJsonParse utility significantly improves type safety across the service layer. This aligns well with the validation schemas introduced in the PR.

---

103-142: LGTM! Typed filters and safe parsing improve robustness.

The migration to typed ListBeadsIssuesFilters and safeJsonParse enhances both type safety and error handling. The filter logic is correctly preserved while providing clearer error context through the 'listIssues' key.

---

163-189: LGTM! Parent issue support properly integrated.

The addition of parentIssueId support in createIssue is well-implemented and aligns with the validation schema. The typed CreateBeadsIssueInput ensures consistency across the API surface.

---

327-395: LGTM! New methods follow consistent patterns.

The new methods searchIssues, getBlockedIssues, and getStaleIssues are well-implemented with:

• Consistent error handling for uninitialized state
• Proper use of safeJsonParse for type-safe parsing
• Clear parameter handling and return types

apps/server/src/lib/beads-validation.ts (1)

136-143: LGTM! Priority range validation is well-implemented.

The refinement check ensuring priorityMin <= priorityMax is a good validation that prevents invalid filter configurations. The error message clearly communicates the constraint.

apps/server/src/index.ts (3)

62-90: Security initialization is well-structured.

The security setup flow is logical: checking environment variables, initializing allowed paths, and then setting up authentication. The section comments improve code organization.

---

18-19: All imported modules and exports verified. The authentication middleware, initialization function, and rate limiter instances are properly exported from their respective modules.

---

181-207: Rate limiting strategy and configurations are well-designed.

The tiered rate limiting approach is sound with appropriate values:

• Health endpoint: 10 req/min (lighter limits for monitoring)
• General API routes: 100 req/15 min
• Sensitive operations (setup/settings): 5 req/min (strictest)
• Beads routes: 200 req/15 min (justified by frequent operations)

The middleware ordering is correct: rate limiting before authentication, health endpoint excluded from auth, and global auth middleware applied to all /api routes. All limiters use consistent standardHeaders configuration.