Skip to content

Re-try merge of 0.37.0#1474

Merged
Crunchyman-ralph merged 3 commits intomainfrom
next
Dec 2, 2025
Merged

Re-try merge of 0.37.0#1474
Crunchyman-ralph merged 3 commits intomainfrom
next

Conversation

@Crunchyman-ralph
Copy link
Collaborator

@Crunchyman-ralph Crunchyman-ralph commented Dec 1, 2025
edited by coderabbitai bot
Loading

What type of PR is this?

  • 🐛 Bug fix
  • ✨ Feature
  • 🔌 Integration
  • 📝 Docs
  • 🧹 Refactor
  • Other:

Description

Related Issues

How to Test This

# Example commands or steps

Expected result:

Contributor Checklist

  • Created changeset: npm run changeset
  • Tests pass: npm test
  • Format check passes: npm run format-check (or npm run format to fix)
  • Addressed CodeRabbit comments (if any)
  • Linked related issues (if any)
  • Manually tested the changes

Changelog Entry

For Maintainers

  • PR title follows conventional commits
  • Target branch correct
  • Labels added
  • Milestone assigned (if applicable)

Summary by CodeRabbit

  • New Features

    • Centralized organization selection in the CLI; mandatory org selection during context setup and optional brief selection
    • Automatic context assignment after successful exports; prompt to choose a context when exporting multiple briefs
    • Invitation display now shows an “Already invited (pending)” status

  • Bug Fixes

    • Enhanced MFA handling: distinguishes MFA-required responses and routes to a dedicated verification flow instead of failing

✏️ Tip: You can customize this high-level summary in your review settings.

@changeset-bot
Copy link

changeset-bot bot commented Dec 1, 2025
edited
Loading

⚠️ No Changeset found

Latest commit: edeeef4

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@coderabbitai
Copy link
Contributor

coderabbitai bot commented Dec 1, 2025
edited
Loading

Walkthrough

Adds MFA detection and routed verification into the OAuth and CLI auth flows, expands invitation statuses to include "already_invited" and updates CLI export invite/display flow, and extracts a shared org-selection utility used by multiple CLI commands.

Changes

Cohort / File(s) Summary
MFA & OAuth changes
apps/cli/src/commands/auth.command.ts, packages/tm-core/src/modules/auth/services/oauth-service.ts, packages/tm-core/src/modules/auth/types.ts, packages/tm-core/src/modules/auth/managers/auth-manager.spec.ts		 Detects MFA during OAuth/session reconstruction via a new check (throws MFA errors including MFA challenge or incomplete), updates CLI auth flows to catch MFA errors and delegate to a shared handleMFAVerification() path, adds MFA_REQUIRED_INCOMPLETE error code, and adds singleton helpers to the mocked Supabase client in tests.
Invitation status & export flow
apps/cli/src/commands/export.command.ts, packages/tm-core/src/modules/integration/services/export.service.ts, scripts/modules/commands.js		 Adds 'already_invited' status to invitation result unions, surfaces that status in CLI/script output with a dedicated message, and reorders context-setting early in export flows (and prompts when multiple briefs exported) before invitation logic.
CLI org-selection extraction
apps/cli/src/utils/org-selection.ts, apps/cli/src/commands/briefs.command.ts, apps/cli/src/commands/context.command.ts		 Introduces shared ensureOrgSelected utility and getSelectedOrg; replaces local org-selection logic in briefs and context commands with calls to the shared utility and adjusts interactive context setup flow.
Minor signature/cleanup
apps/cli/src/commands/auth.command.ts		 Removes explicit boolean type annotations from showHeader default params in three methods (keeps defaults) and ensures countdown cleanup in browser auth path.

Sequence Diagram(s)

sequenceDiagram
    participant CLI as CLI Auth Command
    participant OAuth as OAuth Service
    participant Supabase as Supabase Client
    participant MFA as MFA Handler

    CLI->>OAuth: authenticateWithBrowser() / authenticateWithToken(token)
    OAuth->>Supabase: obtain/reconstruct session
    Supabase-->>OAuth: session (may include mfa state)
    OAuth->>OAuth: checkAndThrowIfMFARequired()
    alt MFA required with factor info
        OAuth-->>CLI: throw MFA_REQUIRED (mfaChallenge)
        CLI->>MFA: handleMFAVerification(mfaChallenge)
        MFA->>Supabase: verify factor / complete flow
        Supabase-->>CLI: authenticated session
    else MFA required but incomplete
        OAuth-->>CLI: throw MFA_REQUIRED_INCOMPLETE
        CLI->>CLI: show error / abort MFA flow
    else No MFA
        OAuth-->>CLI: authenticated session
    end
Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

  • Verify MFA detection points in oauth-service and that thrown payloads include valid mfaChallenge/factorId.
  • Inspect auth.command.ts catch branches to ensure correct spinner/countdown handling and correct delegation to handleMFAVerification.
  • Review new MFA_REQUIRED_INCOMPLETE usage and type updates to AuthErrorCode.
  • Confirm invitation status additions are handled consistently in export flows and script output.
  • Check tests using the Supabase mock singleton for proper reset/isolation.

Possibly related PRs

Suggested reviewers

  • eyaltoledano
  • maxtuzz

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)
Check name Status Explanation Resolution
Title check ❓ Inconclusive The title 'Re-try merge of 0.37.0' is vague and does not clearly describe the actual changes in the PR, which include MFA workflow enhancements, org-selection refactoring, invitation status handling, and type signature adjustments across multiple files. Provide a more specific title that describes the main feature or change, such as 'Add MFA verification flow and refactor org selection' or 'Enhance auth MFA handling and centralize org selection logic'.
✅ Passed checks (2 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage ✅ Passed Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
✨ Finishing touches
  • 📝 Generate docstrings
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch next
📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 62d3cd3 and edeeef4.

📒 Files selected for processing (4)
  • apps/cli/src/commands/briefs.command.ts (3 hunks)
  • apps/cli/src/commands/context.command.ts (3 hunks)
  • apps/cli/src/commands/export.command.ts (5 hunks)
  • apps/cli/src/utils/org-selection.ts (1 hunks)
🧰 Additional context used
📓 Path-based instructions (7)
**/*.ts

📄 CodeRabbit inference engine (.cursor/rules/test_workflow.mdc)

TypeScript test files must achieve minimum code coverage thresholds: 80% lines/functions and 70% branches globally, 90% for utilities, and 85% for middleware; new features must meet or exceed these thresholds

Files:

  • apps/cli/src/commands/context.command.ts
  • apps/cli/src/utils/org-selection.ts
  • apps/cli/src/commands/export.command.ts
  • apps/cli/src/commands/briefs.command.ts
**/*.{js,ts}

📄 CodeRabbit inference engine (.cursor/rules/utilities.mdc)

**/*.{js,ts}: Import and use specific getters from config-manager.js (e.g., getMainProvider(), getLogLevel(), getMainMaxTokens()) to access configuration values needed for application logic
Use isApiKeySet(providerName, session) from config-manager.js to check if a provider's key is available before potentially attempting an AI call
Do not add direct console.log calls outside the logging utility - use the central log function instead
Ensure silent mode is disabled in a finally block to prevent it from staying enabled
Do not access the global silentMode variable directly - use the exported silent mode control functions instead
Do not duplicate task ID formatting logic across modules - centralize formatting utilities
Use ContextGatherer class from utils/contextGatherer.js for AI-powered commands that need project context, supporting tasks, files, custom text, and project tree context
Use FuzzyTaskSearch class from utils/fuzzyTaskSearch.js for automatic task relevance detection with configurable search parameters
Use fuzzy search to supplement user-provided task IDs and display discovered task IDs to users for transparency
Do not replace explicit user task selections with fuzzy results - fuzzy search should supplement, not replace user selections
Use readJSON and writeJSON utilities for all JSON file operations instead of raw fs.readFileSync or fs.writeFileSync
Include error handling for JSON file operations and validate JSON structure after reading
Use path.join() for cross-platform path construction and path.resolve() for absolute paths, validating paths before file operations
Support both .env files and MCP session environment for environment variable resolution with fallbacks for missing values
Prefer updating the core function to accept an outputFormat parameter and check outputFormat === 'json' before displaying UI elements

Files:

  • apps/cli/src/commands/context.command.ts
  • apps/cli/src/utils/org-selection.ts
  • apps/cli/src/commands/export.command.ts
  • apps/cli/src/commands/briefs.command.ts
**/*.{ts,tsx}

📄 CodeRabbit inference engine (CLAUDE.md)

Import modules with .js extension even in TypeScript source files for ESM compatibility

Files:

  • apps/cli/src/commands/context.command.ts
  • apps/cli/src/utils/org-selection.ts
  • apps/cli/src/commands/export.command.ts
  • apps/cli/src/commands/briefs.command.ts
apps/cli/src/**/*.{ts,tsx}

📄 CodeRabbit inference engine (CLAUDE.md)

CLI (@tm/cli) should be a thin presentation layer that calls tm-core methods and displays results; handle only CLI-specific concerns like argument parsing, output formatting, and user prompts

Files:

  • apps/cli/src/commands/context.command.ts
  • apps/cli/src/utils/org-selection.ts
  • apps/cli/src/commands/export.command.ts
  • apps/cli/src/commands/briefs.command.ts
**/{utils,utilities,helpers}/**/*.{js,ts}

📄 CodeRabbit inference engine (.cursor/rules/utilities.mdc)

**/{utils,utilities,helpers}/**/*.{js,ts}: Document all parameters and return values in JSDoc format, include descriptions for complex logic, and add examples for non-obvious usage
Support multiple log levels (debug, info, warn, error) with appropriate icons for different log levels and respect the configured log level

Files:

  • apps/cli/src/utils/org-selection.ts
**/{utils,utilities}/*.{js,ts}

📄 CodeRabbit inference engine (.cursor/rules/utilities.mdc)

Implement the silent mode control functions (enableSilentMode, disableSilentMode, isSilentMode) in utility modules and always use isSilentMode() to check current state

Files:

  • apps/cli/src/utils/org-selection.ts
**/{utils,utilities}/**/*.{js,ts}

📄 CodeRabbit inference engine (.cursor/rules/utilities.mdc)

**/{utils,utilities}/**/*.{js,ts}: Use try/catch blocks for all file operations and return null or a default value on failure rather than allowing exceptions to propagate unhandled
Log detailed error information using the log utility in catch blocks for file operations
Create utilities for consistent task ID handling that support different ID formats (numeric, string, dot notation)
Implement reusable task finding utilities that support both task and subtask lookups and add context to subtask results
Implement cycle detection using graph traversal by tracking visited nodes and recursion stack, returning specific information about cycles
Detect circular dependencies using DFS and validate task references before operations
Export all utility functions explicitly in logical groups and include configuration constants from utility modules
Do not use default exports in utility modules - use named exports only
Group related exports together in utility modules and avoid creating circular dependencies
Make the log function respect silent mode by skipping logging when silent mode is enabled

Files:

  • apps/cli/src/utils/org-selection.ts
🧠 Learnings (12)
📓 Common learnings 
Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/git_workflow.mdc:0-0
Timestamp: 2025-11-24T18:00:23.032Z
Learning: Pull Request descriptions must include: Task Overview, Subtasks Completed (checklist), Implementation Details, Testing approach, Breaking Changes (if any), and Related Tasks.

Learnt from: Crunchyman-ralph
Repo: eyaltoledano/claude-task-master PR: 1178
File: packages/tm-core/src/auth/config.ts:5-7
Timestamp: 2025-09-02T21:51:27.921Z
Learning: The user Crunchyman-ralph prefers not to use node: scheme imports (e.g., 'node:os', 'node:path') for Node.js core modules and considers suggestions to change bare imports to node: scheme as too nitpicky.

Learnt from: Crunchyman-ralph
Repo: eyaltoledano/claude-task-master PR: 1069
File: .changeset/fix-tag-complexity-detection.md:0-0
Timestamp: 2025-08-02T15:33:22.656Z
Learning: For changeset files (.changeset/*.md), Crunchyman-ralph prefers to ignore formatting nitpicks about blank lines between frontmatter and descriptions, as he doesn't mind having them and wants to avoid such comments in future reviews.

Learnt from: Crunchyman-ralph
Repo: eyaltoledano/claude-task-master PR: 1132
File: .github/workflows/weekly-metrics-discord.yml:81-93
Timestamp: 2025-08-13T22:10:46.958Z
Learning: Crunchyman-ralph ignores YAML formatting nitpicks about trailing spaces when there's no project-specific YAML formatter configured, preferring to focus on functionality over cosmetic formatting issues.

Learnt from: Crunchyman-ralph
Repo: eyaltoledano/claude-task-master PR: 1132
File: .github/workflows/weekly-metrics-discord.yml:81-93
Timestamp: 2025-08-13T22:10:46.958Z
Learning: Crunchyman-ralph ignores YAML formatting nitpicks about trailing spaces when there's no project-specific YAML formatter configured, preferring to focus on functionality over cosmetic formatting issues.

Learnt from: Crunchyman-ralph
Repo: eyaltoledano/claude-task-master PR: 1105
File: scripts/modules/supported-models.json:242-254
Timestamp: 2025-08-08T11:33:15.297Z
Learning: Preference: In scripts/modules/supported-models.json, the "name" field is optional. For OpenAI entries (e.g., "gpt-5"), Crunchyman-ralph prefers omitting "name" when the id is explicit enough; avoid nitpicks requesting a "name" in such cases.

Learnt from: Crunchyman-ralph
Repo: eyaltoledano/claude-task-master PR: 1200
File: src/ai-providers/custom-sdk/grok-cli/language-model.js:96-100
Timestamp: 2025-09-19T16:06:42.182Z
Learning: The user Crunchyman-ralph prefers to keep environment variable names explicit (like GROK_CLI_API_KEY) rather than supporting multiple aliases, to avoid overlap and ensure clear separation between different CLI implementations.

Learnt from: Crunchyman-ralph
Repo: eyaltoledano/claude-task-master PR: 1178
File: packages/tm-core/src/subpath-exports.test.ts:6-9
Timestamp: 2025-09-03T12:45:30.724Z
Learning: The user Crunchyman-ralph prefers to avoid overly nitpicky or detailed suggestions in code reviews, especially for test coverage of minor import paths. Focus on more substantial issues rather than comprehensive coverage of all possible edge cases.

Learnt from: Crunchyman-ralph
Repo: eyaltoledano/claude-task-master PR: 1217
File: apps/cli/src/index.ts:16-21
Timestamp: 2025-09-18T16:35:35.147Z
Learning: The user Crunchyman-ralph considers suggestions to export types for better ergonomics (like exporting UpdateInfo type alongside related functions) as nitpicky and prefers not to implement such suggestions.
📚 Learning: 2025-11-24T17:58:47.030Z 
Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/commands.mdc:0-0
Timestamp: 2025-11-24T17:58:47.030Z
Learning: Applies to scripts/modules/commands.js : For context-aware AI commands: use ContextGatherer utility for multi-source context extraction, support task IDs/file paths/custom context, implement fuzzy search for task discovery, and display detailed token breakdown for transparency

Applied to files:

  • apps/cli/src/commands/context.command.ts
  • apps/cli/src/commands/export.command.ts
📚 Learning: 2025-07-18T17:08:48.695Z 
Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/commands.mdc:0-0
Timestamp: 2025-07-18T17:08:48.695Z
Learning: Applies to scripts/modules/commands.js : For AI-powered commands that benefit from project context, use the ContextGatherer utility for multi-source context extraction, support task IDs, file paths, custom context, and project tree, implement fuzzy search for automatic task discovery, and display detailed token breakdown for transparency.

Applied to files:

  • apps/cli/src/commands/context.command.ts
  • apps/cli/src/commands/export.command.ts
📚 Learning: 2025-11-24T18:04:01.629Z 
Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/ui.mdc:0-0
Timestamp: 2025-11-24T18:04:01.629Z
Learning: Applies to scripts/modules/ui.js : Keep display logic separate from business logic in UI components; import data processing functions from other modules

Applied to files:

  • apps/cli/src/commands/context.command.ts
  • apps/cli/src/commands/briefs.command.ts
📚 Learning: 2025-11-24T18:01:44.169Z 
Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/new_features.mdc:0-0
Timestamp: 2025-11-24T18:01:44.169Z
Learning: Applies to scripts/modules/ui.js : User interface features (display information) should be placed in `ui.js` and follow guidelines in `ui.mdc`

Applied to files:

  • apps/cli/src/commands/context.command.ts
  • apps/cli/src/commands/briefs.command.ts
📚 Learning: 2025-11-24T17:59:00.056Z 
Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/context_gathering.mdc:0-0
Timestamp: 2025-11-24T17:59:00.056Z
Learning: Applies to scripts/**/*.js : Implement graceful error handling for context gathering: handle missing files with warnings, validate task IDs with helpful messages, continue processing if some context sources fail, and provide fallback behavior

Applied to files:

  • apps/cli/src/commands/context.command.ts
📚 Learning: 2025-11-24T18:01:44.169Z 
Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/new_features.mdc:0-0
Timestamp: 2025-11-24T18:01:44.169Z
Learning: Applies to scripts/modules/*.js : Import context gathering utilities (`ContextGatherer`, `FuzzyTaskSearch`) for AI-powered commands; support multiple context types (tasks, files, custom text, project tree); implement detailed token breakdown display

Applied to files:

  • apps/cli/src/commands/context.command.ts
  • apps/cli/src/commands/export.command.ts
📚 Learning: 2025-11-24T18:04:43.972Z 
Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/utilities.mdc:0-0
Timestamp: 2025-11-24T18:04:43.972Z
Learning: Applies to **/{utils,utilities}/**/*.{js,ts} : Export all utility functions explicitly in logical groups and include configuration constants from utility modules

Applied to files:

  • apps/cli/src/utils/org-selection.ts
📚 Learning: 2025-11-24T22:09:45.455Z 
Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T22:09:45.455Z
Learning: Applies to apps/cli/src/**/*.{ts,tsx} : CLI (tm/cli) should be a thin presentation layer that calls tm-core methods and displays results; handle only CLI-specific concerns like argument parsing, output formatting, and user prompts

Applied to files:

  • apps/cli/src/utils/org-selection.ts
  • apps/cli/src/commands/briefs.command.ts
📚 Learning: 2025-11-24T18:04:43.972Z 
Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/utilities.mdc:0-0
Timestamp: 2025-11-24T18:04:43.972Z
Learning: Applies to **/{utils,utilities}/**/*.{js,ts} : Group related exports together in utility modules and avoid creating circular dependencies

Applied to files:

  • apps/cli/src/utils/org-selection.ts
📚 Learning: 2025-11-26T20:50:40.810Z 
Learnt from: Crunchyman-ralph
Repo: eyaltoledano/claude-task-master PR: 1451
File: apps/cli/src/ui/components/brand-banner.component.ts:42-44
Timestamp: 2025-11-26T20:50:40.810Z
Learning: In apps/cli/**/*.{ts,tsx}: Do not import or use isSilentMode() from the legacy scripts/modules/utils.js. isSilentMode is legacy code that will be removed during migration. The apps/cli package should use environment variables like TM_HIDE_BANNER for controlling output instead of legacy silent mode patterns.

Applied to files:

  • apps/cli/src/utils/org-selection.ts
📚 Learning: 2025-10-08T19:57:00.982Z 
Learnt from: Crunchyman-ralph
Repo: eyaltoledano/claude-task-master PR: 1282
File: packages/tm-core/src/utils/index.ts:16-34
Timestamp: 2025-10-08T19:57:00.982Z
Learning: For the tm-core package in the eyaltoledano/claude-task-master repository, the team prefers a minimal, need-based export strategy in index files rather than exposing all internal utilities. Exports should only be added when functions are actually consumed by other packages in the monorepo.

Applied to files:

  • apps/cli/src/utils/org-selection.ts
🧬 Code graph analysis (3)
apps/cli/src/commands/context.command.ts (2)
apps/cli/src/utils/org-selection.ts (1)
  • ensureOrgSelected (54-151)
apps/cli/src/utils/brief-selection.ts (1)
  • selectBriefInteractive (26-224)
apps/cli/src/commands/export.command.ts (1)
scripts/modules/commands.js (1)
  • result (438-444)
apps/cli/src/commands/briefs.command.ts (1)
apps/cli/src/utils/org-selection.ts (1)
  • ensureOrgSelected (54-151)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: Test
  • GitHub Check: Build
  • GitHub Check: Typecheck
🔇 Additional comments (18)
apps/cli/src/commands/export.command.ts (5)

419-421: LGTM! Context now set before invitations.

Moving context setup before invitation sending is correct since sendInvitationsForBrief requires org context (line 1059 checks for orgSlug). This prevents the "Organization context missing" error.

602-604: Consistent with standard export flow.

Same correct reordering as in executeStandardExport - ensures context is available for invitation API calls.

788-793: Context set before invitations in multi-export flow.

Good change - the first successful brief's context is now established before attempting to send invitations, ensuring orgSlug is available at line 1059.

803-804: Clarified comment for multi-brief context switching.

The comment now accurately reflects that this prompt is for changing from the already-set first brief to a different one.

934-938: New already_invited status handled correctly.

The display logic appropriately distinguishes between already_member (gray, already a team member) and already_invited (yellow, pending invitation). This aligns with the expanded invitation status variants mentioned in the AI summary.

apps/cli/src/commands/context.command.ts (4)

22-22: Import added for shared org-selection utility.

Aligns with the centralized org-selection pattern used across CLI commands.

626-644: Mandatory org selection using shared utility.

The refactored flow correctly:

  1. Uses ensureOrgSelected which handles auto-selection for single-org users
  2. Returns early if org selection fails (line 643)
  3. The orgResult.orgId check at line 641 ensures we have a valid org before proceeding

647-664: Optional brief selection with cleaner prompt flow.

The simplified confirm prompt and conditional brief selection is more user-friendly. The orgResult.orgId passed to selectBriefInteractive is guaranteed non-null due to the guard at line 641.

670-676: Generic error message for context setup failures.

The updated error message is appropriate since failures could now occur at either org or brief selection stage.

apps/cli/src/commands/briefs.command.ts (3)

20-20: Import added for shared org-selection utility.

Consistent with the centralized org-selection pattern across CLI commands.

184-184: Call site updated to use local wrapper.

The executeList method now uses the renamed wrapper that delegates to the shared utility.

252-257: Clean adapter pattern for shared utility.

The ensureOrgSelectedLocal wrapper correctly:

  1. Delegates to the shared ensureOrgSelected utility
  2. Converts the OrgSelectionResult to string | null for minimal impact on existing code
  3. Uses nullish coalescing (result.orgId || null) to handle undefined orgId

The updated JSDoc accurately describes the delegation to the shared utility.

apps/cli/src/utils/org-selection.ts (6)

1-10: Well-structured utility module with proper imports.

The file header clearly describes the purpose. Imports are minimal and appropriate:

  • AuthManager from core for auth operations
  • chalk and inquirer for CLI interactions
  • ui utilities for consistent error/success display

As per coding guidelines, this uses named exports only and groups related functionality together.

11-30: Clear interface definitions with JSDoc documentation.

Both OrgSelectionResult and EnsureOrgOptions are well-typed with optional fields appropriately marked. The JSDoc comments explain the purpose of each option.

32-53: Comprehensive JSDoc with usage example.

The documentation clearly explains the three-step flow (check existing, auto-select single, prompt for multiple) and provides a practical code example. This follows the coding guidelines for documenting utilities.

54-104: Robust org selection logic with auto-select for single org.

The implementation correctly:

  1. Returns existing org context if already selected (lines 64-71)
  2. Fetches organizations and handles empty case with user-friendly error (lines 76-84)
  3. Auto-selects and persists context when only one org exists (lines 86-103)

The silent option properly suppresses the auto-selection log message.

106-151: Interactive selection for multiple orgs with proper error handling.

The multi-org prompt flow:

  1. Shows informational message unless silent (lines 107-109)
  2. Uses inquirer list prompt with custom message option (lines 111-121)
  3. Updates context on successful selection (lines 125-129)
  4. Returns failure if org not found (should be rare edge case, lines 139-142)
  5. Catches and displays errors gracefully (lines 143-150)

The error handling follows the coding guidelines for utilities: catches errors, logs them via ui utilities, and returns a structured failure result rather than throwing.

153-173: Non-interactive org check helper.

The getSelectedOrg function provides a simple synchronous check for when prompting is not appropriate. It correctly returns the structured result with org details or a failure message.

Comment @coderabbitai help to get the list of available commands and usage tips.

coderabbitai[bot]
coderabbitai bot reviewed Dec 1, 2025
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 0

🧹 Nitpick comments (3)
scripts/modules/commands.js (1)

483-499: Align invitation status handling with ExportCommand for consistency

Adding explicit handling for already_invited here is good, but this block now diverges from ExportCommand.displayInvitationResults (different color/text and no error status branch). Consider mirroring that helper’s mapping (including error) so both CLI paths present invitation outcomes consistently.

apps/cli/src/commands/export.command.ts (1)

921-941: New already_invited status handling is correct; consider cross-CLI consistency

The new already_invited branch cleanly covers the expanded invitation status and the “pending” wording is helpful. To avoid confusing users, you may want to align the text/color with the similar handling in scripts/modules/commands.js so both flows describe this status the same way.

packages/tm-core/src/modules/auth/services/oauth-service.ts (1)

129-129: MFA gating is integrated cleanly; verify partial-session semantics are safe

Centralizing MFA checks in checkAndThrowIfMFARequired and invoking it in both the PKCE and direct token paths is a good way to ensure OAuth flows honor MFA requirements and surface structured AuthenticationErrors (with MFA_REQUIRED / MFA_REQUIRED_INCOMPLETE plus MFAChallenge).

One thing to double‑check: in both flows you (a) establish the Supabase session and (b) save basic user context before calling checkAndThrowIfMFARequired. If checkMFARequired() reports MFA is required and you throw, you’ll end up with stored session/identity but an error at the call site. That’s fine as long as the rest of the system consistently treats these MFA errors as “not fully authenticated” and never relies solely on the stored session/context to consider the user logged in. If that guarantee isn’t already enforced elsewhere, consider either:

  • Deferring any durable session/context persistence until after the MFA check passes, or
  • Explicitly clearing/signing out the session and rolling back related context before throwing on MFA_REQUIRED / MFA_REQUIRED_INCOMPLETE.

This would avoid any chance of a “half‑authenticated” state being accidentally treated as fully authenticated.

Also applies to: 285-320, 351-397, 441-478

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 0cda135 and 62d3cd3.

📒 Files selected for processing (7)
  • apps/cli/src/commands/auth.command.ts (5 hunks)
  • apps/cli/src/commands/export.command.ts (1 hunks)
  • packages/tm-core/src/modules/auth/managers/auth-manager.spec.ts (1 hunks)
  • packages/tm-core/src/modules/auth/services/oauth-service.ts (5 hunks)
  • packages/tm-core/src/modules/auth/types.ts (1 hunks)
  • packages/tm-core/src/modules/integration/services/export.service.ts (3 hunks)
  • scripts/modules/commands.js (1 hunks)
🧰 Additional context used
📓 Path-based instructions (14)
scripts/modules/commands.js

📄 CodeRabbit inference engine (.cursor/rules/architecture.mdc)

commands.js should parse command-line arguments and options, invoke appropriate core logic functions from scripts/modules/, handle user input/output for CLI, and implement CLI-specific validation

scripts/modules/commands.js: Follow the basic command template structure when implementing CLI commands: use .command(), .description(), .option(), and .action() in Commander.js with concise action handlers that extract functionality to core modules
Keep command action handlers concise and focused; extract core functionality to appropriate modules like task-manager.js or init.js rather than implementing business logic in handlers
Use kebab-case for command names (e.g., 'analyze-complexity', 'remove-task') and action-oriented descriptions
Use kebab-case for long-form option names (e.g., --output-format) with single-letter shortcuts when appropriate (e.g., -f, --file), and access them in code as camelCase properties (e.g., options.numTasks)
Use positive flags with --skip- prefix for disabling behavior instead of --no- prefix negated flags; use clear variable naming like const generateFiles = !options.skipGenerate to avoid double negatives
Include confirmation prompts by default for destructive operations (delete/remove commands) with a --yes or -y flag to skip confirmation; display what will be deleted in the confirmation message
For file path handling in destructive operations: use path.join() to construct paths, follow naming conventions (e.g., task_001.txt), check file existence before deletion, and handle errors gracefully without string concatenation
Clean up references to deleted items in other parts of the data after destructive operations, handling both direct and indirect references with explanatory console logging
Regenerate task files after destructive operations by explicitly passing all required parameters to generation functions; provide a --skip-generate option if needed
Suggest non-destructive alternatives (like status changes instead of deletion)...

Files:

  • scripts/modules/commands.js
**/*.js

📄 CodeRabbit inference engine (.cursor/rules/architecture.mdc)

**/*.js: Always use isSilentMode() function to check current silent mode status instead of directly accessing the global silentMode variable or global.silentMode
Use try/finally block pattern when wrapping core function calls with enableSilentMode/disableSilentMode to ensure silent mode is always restored, even if errors occur
For functions that need to handle both a passed silentMode parameter and check global state, check both the function parameter and global state: const isSilent = options.silentMode || (typeof options.silentMode === 'undefined' && isSilentMode())
Functions should accept their dependencies as parameters rather than using globals to promote testability and explicit dependency injection
Define callbacks as separate functions for easier testing rather than inline functions

Files:

  • scripts/modules/commands.js
scripts/**/*.js

📄 CodeRabbit inference engine (.cursor/rules/context_gathering.mdc)

scripts/**/*.js: Use the ContextGatherer class from scripts/modules/utils/contextGatherer.js to extract context from multiple sources (tasks, files, custom text, project tree) with token counting using gpt-tokens library
Initialize ContextGatherer with project root and tasks path, then call gather() method with tasks array, files array, customContext, includeProjectTree, format ('research', 'chat', or 'system-prompt'), and includeTokenCounts options
Use the FuzzyTaskSearch class from scripts/modules/utils/fuzzyTaskSearch.js for intelligent task discovery with semantic matching, purpose categorization, and relevance scoring using Fuse.js
Implement a three-step initialization pattern for context-aware commands: (1) validate and parse parameters, (2) initialize context gatherer and find project root, (3) auto-discover relevant tasks using fuzzy search if task IDs not specified
Display token breakdown using boxen library with sections for tasks, files, and prompts, showing formatted token counts and file sizes in a clean bordered box with title
Process AI result responses using cli-highlight library to apply syntax highlighting to code blocks with language detection in the format language\ncode
Set reasonable file size limits (50KB default) and project tree depth limits (3-5 levels) when gathering context to maintain performance
Implement graceful error handling for context gathering: handle missing files with warnings, validate task IDs with helpful messages, continue processing if some context sources fail, and provide fallback behavior

Files:

  • scripts/modules/commands.js
scripts/modules/**/*

📄 CodeRabbit inference engine (.cursor/rules/dev_workflow.mdc)

Restart the MCP server if core logic in scripts/modules or MCP tool definitions change

Files:

  • scripts/modules/commands.js
scripts/modules/*.js

📄 CodeRabbit inference engine (.cursor/rules/mcp.mdc)

When implementing MCP support for a command, ensure the core logic function can suppress console output via an outputFormat parameter or other mechanism

scripts/modules/*.js: Use consistent file naming conventions: task_${id.toString().padStart(3, '0')}.txt for task files; use path.join() for composing paths; use appropriate extensions (.txt for tasks, .json for data)
Export all core functions, helper functions, and utility methods needed by dependent code from their respective modules; explicitly verify module export blocks at the bottom of files
Use structured error objects with code and message properties; include clear error messages; handle both function-specific and file system errors; log errors at appropriate severity levels
Use isSilentMode() function to check global silent mode status; wrap core function calls within direct functions using enableSilentMode() and disableSilentMode() in try/finally blocks if the core function produces console output not reliably controlled by outputFormat parameter
Ensure AI calls correctly handle and propagate telemetryData as described in telemetry.mdc
Import context gathering utilities (ContextGatherer, FuzzyTaskSearch) for AI-powered commands; support multiple context types (tasks, files, custom text, project tree); implement detailed token breakdown display
Prefer generateTextService for calls sending large context (like stringified JSON) where incremental display is not needed; import necessary service functions from ai-services-unified.js and prepare parameters (role, session, systemPrompt, prompt)
Create a clear unidirectional flow of dependencies between modules; separate business logic from UI rendering to avoid circular dependencies
Design functions to accept dependencies as parameters; avoid hard-coded dependencies that are difficult to mock
Keep pure logic separate from I/O operations or UI rendering to allow testing logic without mocking complex dependencies
Design core logic to work wi...

Files:

  • scripts/modules/commands.js
**/*.{js,jsx}

📄 CodeRabbit inference engine (.cursor/rules/test_workflow.mdc)

JavaScript test files using Jest must follow the same testing patterns as TypeScript files, include proper mocking of external dependencies, and achieve the same coverage thresholds

Files:

  • scripts/modules/commands.js
**/*.{js,ts}

📄 CodeRabbit inference engine (.cursor/rules/utilities.mdc)

**/*.{js,ts}: Import and use specific getters from config-manager.js (e.g., getMainProvider(), getLogLevel(), getMainMaxTokens()) to access configuration values needed for application logic
Use isApiKeySet(providerName, session) from config-manager.js to check if a provider's key is available before potentially attempting an AI call
Do not add direct console.log calls outside the logging utility - use the central log function instead
Ensure silent mode is disabled in a finally block to prevent it from staying enabled
Do not access the global silentMode variable directly - use the exported silent mode control functions instead
Do not duplicate task ID formatting logic across modules - centralize formatting utilities
Use ContextGatherer class from utils/contextGatherer.js for AI-powered commands that need project context, supporting tasks, files, custom text, and project tree context
Use FuzzyTaskSearch class from utils/fuzzyTaskSearch.js for automatic task relevance detection with configurable search parameters
Use fuzzy search to supplement user-provided task IDs and display discovered task IDs to users for transparency
Do not replace explicit user task selections with fuzzy results - fuzzy search should supplement, not replace user selections
Use readJSON and writeJSON utilities for all JSON file operations instead of raw fs.readFileSync or fs.writeFileSync
Include error handling for JSON file operations and validate JSON structure after reading
Use path.join() for cross-platform path construction and path.resolve() for absolute paths, validating paths before file operations
Support both .env files and MCP session environment for environment variable resolution with fallbacks for missing values
Prefer updating the core function to accept an outputFormat parameter and check outputFormat === 'json' before displaying UI elements

Files:

  • scripts/modules/commands.js
  • apps/cli/src/commands/export.command.ts
  • packages/tm-core/src/modules/auth/managers/auth-manager.spec.ts
  • packages/tm-core/src/modules/auth/types.ts
  • packages/tm-core/src/modules/integration/services/export.service.ts
  • apps/cli/src/commands/auth.command.ts
  • packages/tm-core/src/modules/auth/services/oauth-service.ts
scripts/modules/**/*.{js,ts}

📄 CodeRabbit inference engine (.cursor/rules/utilities.mdc)

scripts/modules/**/*.{js,ts}: Implement silent migration for tasks.json files that transforms old format to tagged format, marking global flag and performing complete migration
Implement tag resolution functions (getTasksForTag, setTasksForTag, getCurrentTag) that provide backward compatibility with legacy format and default to master tag
Implement complete migration functions for tagged task lists that handle configuration, state file creation, and migration status tracking
When a logger object is passed as a parameter to core functions, ensure the receiving function can call methods like .info, .warn, .error on that object

Files:

  • scripts/modules/commands.js
**/*.ts

📄 CodeRabbit inference engine (.cursor/rules/test_workflow.mdc)

TypeScript test files must achieve minimum code coverage thresholds: 80% lines/functions and 70% branches globally, 90% for utilities, and 85% for middleware; new features must meet or exceed these thresholds

Files:

  • apps/cli/src/commands/export.command.ts
  • packages/tm-core/src/modules/auth/managers/auth-manager.spec.ts
  • packages/tm-core/src/modules/auth/types.ts
  • packages/tm-core/src/modules/integration/services/export.service.ts
  • apps/cli/src/commands/auth.command.ts
  • packages/tm-core/src/modules/auth/services/oauth-service.ts
**/*.{ts,tsx}

📄 CodeRabbit inference engine (CLAUDE.md)

Import modules with .js extension even in TypeScript source files for ESM compatibility

Files:

  • apps/cli/src/commands/export.command.ts
  • packages/tm-core/src/modules/auth/managers/auth-manager.spec.ts
  • packages/tm-core/src/modules/auth/types.ts
  • packages/tm-core/src/modules/integration/services/export.service.ts
  • apps/cli/src/commands/auth.command.ts
  • packages/tm-core/src/modules/auth/services/oauth-service.ts
apps/cli/src/**/*.{ts,tsx}

📄 CodeRabbit inference engine (CLAUDE.md)

CLI (@tm/cli) should be a thin presentation layer that calls tm-core methods and displays results; handle only CLI-specific concerns like argument parsing, output formatting, and user prompts

Files:

  • apps/cli/src/commands/export.command.ts
  • apps/cli/src/commands/auth.command.ts
**/*.spec.ts

📄 CodeRabbit inference engine (CLAUDE.md)

Place package and app test files in packages/<package-name>/src/<module>/<file>.spec.ts or apps/<app-name>/src/<module>/<file>.spec.ts alongside source files

Files:

  • packages/tm-core/src/modules/auth/managers/auth-manager.spec.ts
**/*.{spec,test}.ts

📄 CodeRabbit inference engine (CLAUDE.md)

**/*.{spec,test}.ts: Always use .ts for TypeScript tests, never .js
NEVER use async/await in test functions unless testing actual asynchronous operations; use synchronous top-level imports instead of dynamic await import()

Files:

  • packages/tm-core/src/modules/auth/managers/auth-manager.spec.ts
packages/tm-core/**/*.{spec,test}.ts

📄 CodeRabbit inference engine (CLAUDE.md)

In unit tests for @tm/core, mock only external I/O (Supabase, APIs, filesystem) and use real internal services

Files:

  • packages/tm-core/src/modules/auth/managers/auth-manager.spec.ts
🧠 Learnings (13)
📓 Common learnings 
Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/git_workflow.mdc:0-0
Timestamp: 2025-11-24T18:00:23.032Z
Learning: Pull Request descriptions must include: Task Overview, Subtasks Completed (checklist), Implementation Details, Testing approach, Breaking Changes (if any), and Related Tasks.

Learnt from: Crunchyman-ralph
Repo: eyaltoledano/claude-task-master PR: 1444
File: apps/cli/src/utils/auto-update/changelog.ts:103-111
Timestamp: 2025-11-25T18:32:29.828Z
Learning: The claude-task-master project uses a custom changelog format with PR numbers and author acknowledgements in the pattern `- [#PR](...) Thanks [author]! - Description`, which is parsed by the regex in apps/cli/src/utils/auto-update/changelog.ts.

Learnt from: Crunchyman-ralph
Repo: eyaltoledano/claude-task-master PR: 1178
File: packages/tm-core/src/auth/config.ts:5-7
Timestamp: 2025-09-02T21:51:27.921Z
Learning: The user Crunchyman-ralph prefers not to use node: scheme imports (e.g., 'node:os', 'node:path') for Node.js core modules and considers suggestions to change bare imports to node: scheme as too nitpicky.

Learnt from: Crunchyman-ralph
Repo: eyaltoledano/claude-task-master PR: 1069
File: .changeset/fix-tag-complexity-detection.md:0-0
Timestamp: 2025-08-02T15:33:22.656Z
Learning: For changeset files (.changeset/*.md), Crunchyman-ralph prefers to ignore formatting nitpicks about blank lines between frontmatter and descriptions, as he doesn't mind having them and wants to avoid such comments in future reviews.

Learnt from: Crunchyman-ralph
Repo: eyaltoledano/claude-task-master PR: 1132
File: .github/workflows/weekly-metrics-discord.yml:81-93
Timestamp: 2025-08-13T22:10:46.958Z
Learning: Crunchyman-ralph ignores YAML formatting nitpicks about trailing spaces when there's no project-specific YAML formatter configured, preferring to focus on functionality over cosmetic formatting issues.

Learnt from: Crunchyman-ralph
Repo: eyaltoledano/claude-task-master PR: 1132
File: .github/workflows/weekly-metrics-discord.yml:81-93
Timestamp: 2025-08-13T22:10:46.958Z
Learning: Crunchyman-ralph ignores YAML formatting nitpicks about trailing spaces when there's no project-specific YAML formatter configured, preferring to focus on functionality over cosmetic formatting issues.

Learnt from: Crunchyman-ralph
Repo: eyaltoledano/claude-task-master PR: 1105
File: scripts/modules/supported-models.json:242-254
Timestamp: 2025-08-08T11:33:15.297Z
Learning: Preference: In scripts/modules/supported-models.json, the "name" field is optional. For OpenAI entries (e.g., "gpt-5"), Crunchyman-ralph prefers omitting "name" when the id is explicit enough; avoid nitpicks requesting a "name" in such cases.

Learnt from: Crunchyman-ralph
Repo: eyaltoledano/claude-task-master PR: 1200
File: src/ai-providers/custom-sdk/grok-cli/language-model.js:96-100
Timestamp: 2025-09-19T16:06:42.182Z
Learning: The user Crunchyman-ralph prefers to keep environment variable names explicit (like GROK_CLI_API_KEY) rather than supporting multiple aliases, to avoid overlap and ensure clear separation between different CLI implementations.

Learnt from: Crunchyman-ralph
Repo: eyaltoledano/claude-task-master PR: 1178
File: packages/tm-core/src/subpath-exports.test.ts:6-9
Timestamp: 2025-09-03T12:45:30.724Z
Learning: The user Crunchyman-ralph prefers to avoid overly nitpicky or detailed suggestions in code reviews, especially for test coverage of minor import paths. Focus on more substantial issues rather than comprehensive coverage of all possible edge cases.

Learnt from: Crunchyman-ralph
Repo: eyaltoledano/claude-task-master PR: 1217
File: apps/cli/src/index.ts:16-21
Timestamp: 2025-09-18T16:35:35.147Z
Learning: The user Crunchyman-ralph considers suggestions to export types for better ergonomics (like exporting UpdateInfo type alongside related functions) as nitpicky and prefers not to implement such suggestions.
📚 Learning: 2025-11-24T18:01:44.169Z 
Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/new_features.mdc:0-0
Timestamp: 2025-11-24T18:01:44.169Z
Learning: Applies to scripts/modules/commands.js : All new user-facing commands should be added to `commands.js` following Commander.js patterns for subcommand structure and consistent option naming

Applied to files:

  • scripts/modules/commands.js
📚 Learning: 2025-07-18T17:08:48.695Z 
Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/commands.mdc:0-0
Timestamp: 2025-07-18T17:08:48.695Z
Learning: Applies to scripts/modules/commands.js : Suggest non-destructive alternatives when appropriate, explain the difference between deletion and status changes, and include examples of alternative commands.

Applied to files:

  • scripts/modules/commands.js
📚 Learning: 2025-07-20T01:35:05.831Z 
Learnt from: rtmcrc
Repo: eyaltoledano/claude-task-master PR: 933
File: scripts/modules/task-manager/parse-prd.js:226-226
Timestamp: 2025-07-20T01:35:05.831Z
Learning: The parsePRD function in scripts/modules/task-manager/parse-prd.js has a different parameter structure than other task-manager functions - it uses `options` parameter instead of `context` parameter because it generates tasks from PRD documents rather than operating on existing tasks.

Applied to files:

  • scripts/modules/commands.js
📚 Learning: 2025-11-24T18:03:13.456Z 
Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/test_workflow.mdc:0-0
Timestamp: 2025-11-24T18:03:13.456Z
Learning: Use established mocking patterns from auth.test.ts as templates: mock bcrypt with proper TypeScript typing, mock Prisma client with transaction support, and always clear mocks between tests

Applied to files:

  • packages/tm-core/src/modules/auth/managers/auth-manager.spec.ts
📚 Learning: 2025-11-24T22:09:45.455Z 
Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T22:09:45.455Z
Learning: Applies to packages/tm-core/**/*.{spec,test}.ts : In unit tests for tm/core, mock only external I/O (Supabase, APIs, filesystem) and use real internal services

Applied to files:

  • packages/tm-core/src/modules/auth/managers/auth-manager.spec.ts
📚 Learning: 2025-11-24T18:03:46.713Z 
Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/tests.mdc:0-0
Timestamp: 2025-11-24T18:03:46.713Z
Learning: Applies to **/*.test.js : Do not import or instantiate real AI service clients. Create fully mocked versions that return predictable responses. Mock the entire module with controlled behavior.

Applied to files:

  • packages/tm-core/src/modules/auth/managers/auth-manager.spec.ts
📚 Learning: 2025-11-24T22:09:45.455Z 
Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T22:09:45.455Z
Learning: Applies to **/tests/integration/**/*.{spec,test}.ts : In integration tests, use real tm-core and mock only external boundaries (APIs, DB, filesystem)

Applied to files:

  • packages/tm-core/src/modules/auth/managers/auth-manager.spec.ts
📚 Learning: 2025-11-24T18:03:13.456Z 
Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/test_workflow.mdc:0-0
Timestamp: 2025-11-24T18:03:13.456Z
Learning: Applies to tests/fixtures/**/*.ts : Test fixture files must export reusable test data creators and constants (createTestUser, adminUser, invalidUser, etc.) for use across unit, integration, and e2e tests to ensure consistency

Applied to files:

  • packages/tm-core/src/modules/auth/managers/auth-manager.spec.ts
📚 Learning: 2025-11-24T22:09:45.455Z 
Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T22:09:45.455Z
Learning: Applies to apps/mcp/**/*.{spec,test}.ts : In unit tests for apps/mcp, mock tm-core responses but use real MCP framework to test response formatting

Applied to files:

  • packages/tm-core/src/modules/auth/managers/auth-manager.spec.ts
📚 Learning: 2025-11-12T20:05:10.138Z 
Learnt from: Crunchyman-ralph
Repo: eyaltoledano/claude-task-master PR: 1389
File: packages/tm-core/src/modules/auth/config.ts:55-59
Timestamp: 2025-11-12T20:05:10.138Z
Learning: In packages/tm-core/src/modules/auth/config.ts, the DEFAULT_AUTH_CONFIG Proxy does not require enumeration support (has, ownKeys, getOwnPropertyDescriptor traps). The codebase only uses direct property access on this config object, so the basic get trap is sufficient.

Applied to files:

  • packages/tm-core/src/modules/auth/managers/auth-manager.spec.ts
📚 Learning: 2025-11-24T18:03:46.713Z 
Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/tests.mdc:0-0
Timestamp: 2025-11-24T18:03:46.713Z
Learning: Applies to **/*.test.js : For modules with initialization-dependent functions in tests: create test-specific implementations that initialize all variables correctly; use factory functions in mocks to ensure proper initialization order; be careful with how you mock functions that depend on module state.

Applied to files:

  • packages/tm-core/src/modules/auth/managers/auth-manager.spec.ts
📚 Learning: 2025-10-15T14:43:40.410Z 
Learnt from: Crunchyman-ralph
Repo: eyaltoledano/claude-task-master PR: 1314
File: packages/tm-core/src/auth/credential-store.ts:92-94
Timestamp: 2025-10-15T14:43:40.410Z
Learning: In the claude-task-master codebase, `getCredentials()` in `credential-store.ts` defaults to `allowExpired: true` to enable Supabase refresh flows. The Supabase client automatically handles token refresh when credentials are expired but have a valid refresh token. The `SupabaseSessionStorage` updates the credentials after Supabase performs the refresh. This is an intentional design pattern where the credential store is passive storage and Supabase manages the active token lifecycle.

Applied to files:

  • packages/tm-core/src/modules/auth/services/oauth-service.ts
🧬 Code graph analysis (2)
apps/cli/src/commands/auth.command.ts (1)
packages/tm-core/src/modules/auth/types.ts (1)
  • AuthenticationError (126-143)
packages/tm-core/src/modules/auth/services/oauth-service.ts (1)
packages/tm-core/src/modules/auth/types.ts (3)
  • AuthCredentials (5-14)
  • AuthenticationError (126-143)
  • MFAChallenge (67-72)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Test
  • GitHub Check: Test
🔇 Additional comments (13)
packages/tm-core/src/modules/auth/managers/auth-manager.spec.ts (1)

75-87: SupabaseAuthClient singleton mock matches production pattern

The module-scoped instance plus static getInstance/resetInstance is a clean way to mirror the real singleton behavior in tests without side effects. Looks good and keeps the mock aligned with the implementation.

packages/tm-core/src/modules/auth/types.ts (1)

91-121: MFA_REQUIRED_INCOMPLETE code cleanly extends AuthErrorCode union

Adding MFA_REQUIRED_INCOMPLETE here is consistent with the new OAuth MFA handling and keeps error typing centralized; no issues from a typing or compatibility standpoint.

packages/tm-core/src/modules/auth/services/oauth-service.ts (1)

9-22: Type-only imports for Supabase and auth types are a good refinement

Switching Session, SupabaseAuthClient, ContextStore, and the various Auth* interfaces to import type keeps the runtime module surface minimal without changing behavior, which is a solid TS/ESM hygiene improvement.

packages/tm-core/src/modules/integration/services/export.service.ts (3)

102-106: LGTM! New already_invited status properly added to the base type.

The InvitationResult type is correctly extended to distinguish between users who are already team members (already_member) and users who have a pending invitation (already_invited). This type is reused by GenerateBriefFromPrdResponse, GenerateBriefFromPrdResult, GenerateBriefResponse, and GenerateBriefResult.

236-242: LGTM! Status union consistent with API contract.

The SendTeamInvitationsResponse type correctly includes already_invited for handling pending invitation scenarios in the API response.

247-257: LGTM! Result type aligned with response type.

The SendTeamInvitationsResult status union is now consistent with SendTeamInvitationsResponse, enabling proper propagation of the already_invited status through the service layer.

apps/cli/src/commands/auth.command.ts (7)

155-159: LGTM! Parameter default is appropriate.

The showHeader = true default maintains backward compatibility while allowing callers to suppress the banner when needed.

394-397: LGTM! Signature consistent with executeLogin.

498-502: LGTM! Documentation accurately reflects the MFA capability.

569-600: LGTM! Token auth MFA handling mirrors browser auth pattern.

The MFA handling in authenticateWithToken follows the same defensive pattern as authenticateWithBrowser:

  • Early check for MFA_REQUIRED before showing failure
  • Validation of mfaChallenge.factorId
  • Delegation to shared handleMFAVerification

Using spinner.stop() (no argument) is correct for ora spinners, unlike the countdown timer.

602-620: LGTM! Shared MFA verification handler with proper context binding.

The handleMFAVerification method correctly:

  • Provides defensive validation (useful if called from additional locations in future)
  • Binds verifyMFAWithRetry to authManager to preserve this context
  • Delegates to the shared handleMFAFlow utility from auth-ui.ts

625-629: LGTM! Parameter default consistent across auth methods.

538-563: AuthCountdownTimer.stop('mfa') is valid and well-supported.

The MFA detection and delegation logic is correctly implemented:

  1. Checks for MFA_REQUIRED before generic failure handling
  2. Validates factorId presence defensively
  3. Correctly calls countdownTimer.stop('mfa') — this is an explicitly supported state in the AuthCountdownTimer class with proper handling (stops spinner without success/failure message)
  4. Uses shared handleMFAVerification for consistency with token auth flow
  5. finally block ensures countdownTimer.cleanup() always runs

@eyaltoledano @Crunchyman-ralph
fix(auth): improve org context handling and export invitation flow (#…
edeeef4 
…1472)

Co-authored-by: Ralph Khreish <35776126+Crunchyman-ralph@users.noreply.github.com>
@Crunchyman-ralph Crunchyman-ralph merged commit e5ca6f5 into main Dec 2, 2025
20 of 21 checks passed
sfc-gh-dflippo pushed a commit to sfc-gh-dflippo/task-master-ai that referenced this pull request Dec 4, 2025
@Crunchyman-ralph
Merge pull request eyaltoledano#1474 from eyaltoledano/next
d5e2c9a
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@maxtuzz maxtuzz maxtuzz approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Crunchyman-ralph @maxtuzz @eyaltoledano