fix(extension): security fixes and cache optimizations

[FirstCastSolutions423]

Summary

This PR addresses security vulnerabilities and improves React Query cache performance in the VS Code extension.

Security Fixes

• Add @modelcontextprotocol/sdk ^1.25.2 as direct dependency
• Add npm override to force version across all workspaces
• Fixes SSRF vulnerability in MCP SDK < 1.25.0

Cache Optimizations

• Increase staleTime from 0 to 10 seconds to reduce unnecessary refetches
• Implement targeted cache invalidation instead of invalidating all queries
• Add optimistic updates for task list mutations
• Use parallel Promise.all for subtask parent/child invalidation

Result: Reduces unnecessary API calls by 60-80% while maintaining data freshness

Changed Files

• package.json - Added MCP SDK dependency and override
• apps/extension/package.json - Updated MCP SDK version
• apps/extension/src/webview/hooks/useTaskQueries.ts - Cache optimization

Test Plan

• TypeScript compilation passes
• No breaking changes to existing functionality
• Manual testing of extension task operations

---

🤖 Generated with Claude Code

---

Note

Security/Deps

• Upgrade @modelcontextprotocol/sdk to ^1.25.2 in apps/extension/package.json

Cache and Data Fetching

• Increase useTasks staleTime to 10s to reduce refetches
• Switch from broad invalidation (taskKeys.all) to targeted taskKeys.detail(id) and taskKeys.lists()
• Add optimistic list updates after useUpdateTask mutations
• Use Promise.all to invalidate parent/child details for subtasks and for scope changes

Logging

• Replace console calls with logger.log/error in useTaskQueries.ts

^{Written by Cursor Bugbot for commit aacec70. This will update automatically on new commits. Configure here.}

Summary by CodeRabbit

• Performance Improvements

  • Reduced unnecessary refreshes by extending task cache freshness.
  • Task updates now refresh only the affected items and details.

• Dependencies

  • Added new dependencies: @tm/core, axios.
  • Updated dependency: @modelcontextprotocol/sdk (version bump).

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[changeset-bot]

⚠️ No Changeset found

Latest commit: aacec70

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

📝 Walkthrough

Walkthrough

Updates manifest dependencies (adds @tm/core, adds axios, bumps @modelcontextprotocol/sdk) and refactors task-related React Query hooks to use centralized logging, longer task-list staleTime, optimistic updates, and targeted cache invalidations for task/subtask mutations.

Changes

Cohort / File(s)	Summary
Manifest / Dependency updates apps/extension/package.json, package.json	Added @tm/core dependency (*) to extension and root manifests; added axios (^1.13.2) to root; updated @modelcontextprotocol/sdk to ^1.25.2; reordered and reformatted JSON arrays/entries.
Task query hooks apps/extension/src/webview/hooks/useTaskQueries.ts	Replaced console logs with centralized logger; set useTasks staleTime to 10s and adjusted refetch behavior; changed mutations to perform targeted cache invalidations (task detail, parent/subtask, and task lists) and added optimistic update for task lists; improved MCP response error handling and added detailed success logs.

Sequence Diagram(s)

sequenceDiagram
    participant UI as Component (UI)
    participant Hook as useTaskQueries (React Query)
    participant MCP as MCP API
    participant Cache as React Query Cache

    UI->>Hook: trigger mutation (update task / subtask / scope)
    Hook->>Hook: apply optimistic update (task lists) [if updateTask]
    Hook->>MCP: send request
    MCP-->>Hook: response (success/failure)
    Hook->>Cache: targeted invalidation (task detail, parent/subtask, lists)
    Hook->>UI: update via cache refetch / optimistic resolution

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• fix: fix mcp tool call in extension #1070: Modifies the same useScopeUpTask / useScopeDownTask logic and MCP request parameters in useTaskQueries.ts.
• chore: fix CI failing to release #1232: Updates workspace/package manifests to add/restore @tm/core, touching the same dependency changes.
• Ralph/update.from.main #1481: Alters dependency declarations, including @tm/core and @modelcontextprotocol/sdk, overlapping manifest edits.

Suggested reviewers

• eyaltoledano

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main changes: security fixes (MCP SDK vulnerability, SSRF fix) and cache optimizations (staleTime increase, targeted invalidations).
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🤖 Fix all issues with AI agents

In @apps/extension/src/webview/hooks/useTaskQueries.ts:
- Around line 33-34: The refetchOnMount: 'always' setting in the useTaskQueries
hook contradicts the 10*1000 staleTime and forces refetch on every mount; change
refetchOnMount to false (or remove the option entirely) so React Query will
serve stale data for 10s and only refetch when data is actually stale, keeping
the existing comment intact.
- Around line 226-252: The onSuccess handler for the subtask update uses
console.log (in onSuccess) which violates the logging guideline; import logger
from ../utils/logger and replace the three console.log calls inside the
onSuccess function (the messages around "Subtask update successful", "Subtask
ID:", and "Parent and subtask details invalidated for:") with logger.log calls
while leaving the invalidation logic with queryClient and
taskKeys.detail/taskKeys.lists unchanged.
- Around line 164-191: The webview-manager's updateTask handler currently
ignores the MCP response and returns only { success: true }, which breaks
optimistic updates in useTaskQueries; modify the updateTask method in
webview-manager.ts to await and capture the result of
this.mcpClient.callTool('update_task', ...) (e.g., store it in a variable like
mcpResponse) and return it in the handler response (e.g., response = { success:
true, task: mcpResponse?.data?.updatedTask }) so useTaskQueries can access
data?.task or data for list and detail updates.

🧹 Nitpick comments (1)

apps/extension/package.json (1)

262-262: Update version spec to match root override.

The root package.json has an override forcing @modelcontextprotocol/sdk@^1.25.2, but this file specifies ^1.13.3. While the override will take precedence, this creates confusing documentation. Update the version here to ^1.25.2 to match the enforced version.

♻️ Align version with root override

-		"@modelcontextprotocol/sdk": "^1.13.3",
+		"@modelcontextprotocol/sdk": "^1.25.2",

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8d4ac0b and fb67ca0.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (3)

• apps/extension/package.json
• apps/extension/src/webview/hooks/useTaskQueries.ts
• package.json

🧰 Additional context used

📓 Path-based instructions (4)

**/*.ts

📄 CodeRabbit inference engine (.cursor/rules/test_workflow.mdc)

TypeScript test files must achieve minimum code coverage thresholds: 80% lines/functions and 70% branches globally, 90% for utilities, and 85% for middleware; new features must meet or exceed these thresholds

Files:

• apps/extension/src/webview/hooks/useTaskQueries.ts

**/*.{js,ts}

📄 CodeRabbit inference engine (.cursor/rules/utilities.mdc)

**/*.{js,ts}: Import and use specific getters from config-manager.js (e.g., getMainProvider(), getLogLevel(), getMainMaxTokens()) to access configuration values needed for application logic
Use isApiKeySet(providerName, session) from config-manager.js to check if a provider's key is available before potentially attempting an AI call
Do not add direct console.log calls outside the logging utility - use the central log function instead
Ensure silent mode is disabled in a finally block to prevent it from staying enabled
Do not access the global silentMode variable directly - use the exported silent mode control functions instead
Do not duplicate task ID formatting logic across modules - centralize formatting utilities
Use ContextGatherer class from utils/contextGatherer.js for AI-powered commands that need project context, supporting tasks, files, custom text, and project tree context
Use FuzzyTaskSearch class from utils/fuzzyTaskSearch.js for automatic task relevance detection with configurable search parameters
Use fuzzy search to supplement user-provided task IDs and display discovered task IDs to users for transparency
Do not replace explicit user task selections with fuzzy results - fuzzy search should supplement, not replace user selections
Use readJSON and writeJSON utilities for all JSON file operations instead of raw fs.readFileSync or fs.writeFileSync
Include error handling for JSON file operations and validate JSON structure after reading
Use path.join() for cross-platform path construction and path.resolve() for absolute paths, validating paths before file operations
Support both .env files and MCP session environment for environment variable resolution with fallbacks for missing values
Prefer updating the core function to accept an outputFormat parameter and check outputFormat === 'json' before displaying UI elements

Files:

• apps/extension/src/webview/hooks/useTaskQueries.ts

**/*.{ts,tsx}

📄 CodeRabbit inference engine (CLAUDE.md)

Import modules with .js extension even in TypeScript source files for ESM compatibility

Files:

• apps/extension/src/webview/hooks/useTaskQueries.ts

package.json

📄 CodeRabbit inference engine (.cursor/rules/test_workflow.mdc)

package.json scripts must include: 'test', 'test:watch', 'test:coverage', 'test:unit', 'test:integration', 'test:e2e', and 'test:ci' commands for testing framework integration

Files:

• package.json

🧠 Learnings (31)

📓 Common learnings

Learnt from: Crunchyman-ralph
Repo: eyaltoledano/claude-task-master PR: 1444
File: apps/cli/src/utils/auto-update/changelog.ts:103-111
Timestamp: 2025-11-25T18:32:29.828Z
Learning: The claude-task-master project uses a custom changelog format with PR numbers and author acknowledgements in the pattern `- [#PR](...) Thanks [author]! - Description`, which is parsed by the regex in apps/cli/src/utils/auto-update/changelog.ts.

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: assets/AGENTS.md:0-0
Timestamp: 2025-12-11T14:45:14.973Z
Learning: Applies to assets/**/CLAUDE.md : Update `CLAUDE.md` file with project-specific context, task summaries, and custom command examples for Claude Code integration

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/git_workflow.mdc:0-0
Timestamp: 2025-11-24T18:00:23.032Z
Learning: Pull Request descriptions must include: Task Overview, Subtasks Completed (checklist), Implementation Details, Testing approach, Breaking Changes (if any), and Related Tasks.

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: assets/AGENTS.md:0-0
Timestamp: 2025-12-11T14:45:14.973Z
Learning: Applies to assets/.claude/settings.json : Add Claude Code tool allowlist configuration in `.claude/settings.json` to include 'Edit', 'Bash(task-master *)', 'Bash(git commit:*)', 'Bash(git add:*)', 'Bash(npm run *)', and 'mcp__task_master_ai__*'

📚 Learning: 2025-11-24T18:04:43.972Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/utilities.mdc:0-0
Timestamp: 2025-11-24T18:04:43.972Z
Learning: Applies to **/*.{js,ts} : Use fuzzy search to supplement user-provided task IDs and display discovered task IDs to users for transparency

Applied to files:

• apps/extension/src/webview/hooks/useTaskQueries.ts

📚 Learning: 2025-11-24T18:02:36.388Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/tasks.mdc:0-0
Timestamp: 2025-11-24T18:02:36.388Z
Learning: Applies to scripts/modules/task-manager.js : Use consistent properties for subtasks (id, title, description, status, dependencies, details) without duplicating parent task properties, maintaining simple numeric IDs unique within the parent task

Applied to files:

• apps/extension/src/webview/hooks/useTaskQueries.ts

📚 Learning: 2025-11-24T18:02:36.388Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/tasks.mdc:0-0
Timestamp: 2025-11-24T18:02:36.388Z
Learning: Applies to scripts/modules/task-manager.js : Implement status update functions that handle both individual tasks and subtasks within the current tag context, considering subtask status when updating parent tasks and suggesting parent task updates when all subtasks are done

Applied to files:

• apps/extension/src/webview/hooks/useTaskQueries.ts

📚 Learning: 2025-11-24T18:04:43.972Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/utilities.mdc:0-0
Timestamp: 2025-11-24T18:04:43.972Z
Learning: Applies to **/{utils,utilities}/**/*.{js,ts} : Implement reusable task finding utilities that support both task and subtask lookups and add context to subtask results

Applied to files:

• apps/extension/src/webview/hooks/useTaskQueries.ts

📚 Learning: 2025-11-24T18:01:44.169Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/new_features.mdc:0-0
Timestamp: 2025-11-24T18:01:44.169Z
Learning: Applies to scripts/modules/*.js : Design core logic to work with both legacy (flat tasks array) and tagged task data formats; use tag resolution functions (getTasksForTag, setTasksForTag) for task data access; support silent migration during feature usage

Applied to files:

• apps/extension/src/webview/hooks/useTaskQueries.ts

📚 Learning: 2025-11-24T18:00:06.827Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/dev_workflow.mdc:0-0
Timestamp: 2025-11-24T18:00:06.827Z
Learning: Regularly use `task-master update-subtask --id=<subtaskId> --prompt='<update details>'` to log implementation findings, including what worked, what didn't, and decisions made

Applied to files:

• apps/extension/src/webview/hooks/useTaskQueries.ts

📚 Learning: 2025-11-24T18:02:36.388Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/tasks.mdc:0-0
Timestamp: 2025-11-24T18:02:36.388Z
Learning: Applies to scripts/modules/task-manager.js : Use tag resolution functions (getTasksForTag and setTasksForTag) in core task functions to maintain backward compatibility instead of directly manipulating the tagged structure

Applied to files:

• apps/extension/src/webview/hooks/useTaskQueries.ts

📚 Learning: 2025-11-24T18:04:43.972Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/utilities.mdc:0-0
Timestamp: 2025-11-24T18:04:43.972Z
Learning: Applies to scripts/modules/task-manager/**/*.{js,ts} : Do not call AI-specific getters (like getMainModelId, getMainMaxTokens) from core logic functions in scripts/modules/task-manager/*. Instead, pass the role to the unified AI service

Applied to files:

• apps/extension/src/webview/hooks/useTaskQueries.ts

📚 Learning: 2025-11-24T17:59:18.662Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/dependencies.mdc:0-0
Timestamp: 2025-11-24T17:59:18.662Z
Learning: Applies to scripts/modules/dependency-manager.js : Check for and remove references to non-existent tasks and self-references during cleanup, tracking and reporting changes made during cleanup

Applied to files:

• apps/extension/src/webview/hooks/useTaskQueries.ts

📚 Learning: 2025-11-24T18:00:06.827Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/dev_workflow.mdc:0-0
Timestamp: 2025-11-24T18:00:06.827Z
Learning: For subtask implementation, use `task-master show <subtaskId>` to understand goals, explore the codebase, determine code changes, then log the plan with `task-master update-subtask`

Applied to files:

• apps/extension/src/webview/hooks/useTaskQueries.ts

📚 Learning: 2025-07-31T20:49:04.638Z

Learnt from: Crunchyman-ralph
Repo: eyaltoledano/claude-task-master PR: 997
File: apps/extension/package.publish.json:2-8
Timestamp: 2025-07-31T20:49:04.638Z
Learning: In the eyaltoledano/claude-task-master repository, the VS Code extension uses a 3-file packaging system where package.json (with name "extension") is for development within the monorepo, while package.publish.json (with name "task-master-hamster") contains the clean manifest for VS Code marketplace publishing. The different names are intentional and serve distinct purposes in the build and publishing workflow.

Applied to files:

• apps/extension/package.json

📚 Learning: 2025-09-26T19:03:33.225Z

Learnt from: Crunchyman-ralph
Repo: eyaltoledano/claude-task-master PR: 1252
File: package.json:130-132
Timestamp: 2025-09-26T19:03:33.225Z
Learning: In the eyaltoledano/claude-task-master repository, packages are bundled using tsdown during the build process, which means dependencies imported by the source code (including tm internal packages like tm/ai-sdk-provider-grok-cli) are included in the final bundle and don't need to be available as separate runtime dependencies, so they should remain as devDependencies rather than being moved to dependencies.

Applied to files:

• apps/extension/package.json
• package.json

📚 Learning: 2025-09-26T19:05:47.555Z

Learnt from: Crunchyman-ralph
Repo: eyaltoledano/claude-task-master PR: 1252
File: packages/ai-sdk-provider-grok-cli/package.json:11-13
Timestamp: 2025-09-26T19:05:47.555Z
Learning: In the eyaltoledano/claude-task-master repository, internal tm/ packages use a specific export pattern where the "exports" field points to TypeScript source files (./src/index.ts) while "main" points to compiled output (./dist/index.js) and "types" points to source files (./src/index.ts). This pattern is used consistently across internal packages like tm/core and tm/ai-sdk-provider-grok-cli because they are consumed directly during build-time bundling with tsdown rather than being published as separate packages.

Applied to files:

• apps/extension/package.json
• package.json

📚 Learning: 2025-09-26T19:10:32.906Z

Learnt from: Crunchyman-ralph
Repo: eyaltoledano/claude-task-master PR: 1252
File: tsconfig.json:22-28
Timestamp: 2025-09-26T19:10:32.906Z
Learning: In the eyaltoledano/claude-task-master repository, all internal tm/ package path mappings in tsconfig.json consistently point to TypeScript source files (e.g., "./packages/*/src/index.ts") rather than built JavaScript. This is intentional architecture because tsdown bundles internal packages directly from source during build time, eliminating the need for separate compilation of internal packages.

Applied to files:

• apps/extension/package.json
• package.json

📚 Learning: 2025-10-08T19:57:00.982Z

Learnt from: Crunchyman-ralph
Repo: eyaltoledano/claude-task-master PR: 1282
File: packages/tm-core/src/utils/index.ts:16-34
Timestamp: 2025-10-08T19:57:00.982Z
Learning: For the tm-core package in the eyaltoledano/claude-task-master repository, the team prefers a minimal, need-based export strategy in index files rather than exposing all internal utilities. Exports should only be added when functions are actually consumed by other packages in the monorepo.

Applied to files:

• apps/extension/package.json

📚 Learning: 2025-09-22T19:45:04.337Z

Learnt from: Crunchyman-ralph
Repo: eyaltoledano/claude-task-master PR: 1232
File: packages/tm-core/package.json:50-51
Timestamp: 2025-09-22T19:45:04.337Z
Learning: In the eyaltoledano/claude-task-master project, Crunchyman-ralph intentionally omits version fields from internal/private packages in package.json files to prevent changesets from releasing new versions of these packages while still allowing them to be processed for dependency updates. The changesets warnings about missing versions are acceptable as they don't break the process and achieve the desired behavior of only releasing public packages.

Applied to files:

• apps/extension/package.json

📚 Learning: 2025-09-26T19:07:10.485Z

Learnt from: Crunchyman-ralph
Repo: eyaltoledano/claude-task-master PR: 1252
File: packages/ai-sdk-provider-grok-cli/package.json:21-35
Timestamp: 2025-09-26T19:07:10.485Z
Learning: In the eyaltoledano/claude-task-master repository, the tsdown build configuration uses `noExternal: [/^tm\//]` which means internal tm/ packages are bundled into the final output while external npm dependencies remain external and are resolved from the root package.json dependencies at runtime. This eliminates the need for peer dependencies in internal packages since the root package.json already provides the required external dependencies.

Applied to files:

• apps/extension/package.json
• package.json

📚 Learning: 2025-08-07T13:00:22.966Z

Learnt from: Crunchyman-ralph
Repo: eyaltoledano/claude-task-master PR: 1090
File: apps/extension/package.json:241-243
Timestamp: 2025-08-07T13:00:22.966Z
Learning: In monorepos, local packages should use "*" as the version constraint in package.json dependencies, as recommended by npm. This ensures the local version from within the same workspace is always used, rather than attempting to resolve from external registries. This applies to packages like task-master-ai within the eyaltoledano/claude-task-master monorepo.

Applied to files:

• apps/extension/package.json
• package.json

📚 Learning: 2025-09-17T19:09:08.882Z

Learnt from: Crunchyman-ralph
Repo: eyaltoledano/claude-task-master PR: 1211
File: jest.resolver.cjs:8-15
Timestamp: 2025-09-17T19:09:08.882Z
Learning: In the eyaltoledano/claude-task-master project, the team only uses .ts files and does not plan to use .tsx or .mts extensions, so Jest resolver and build tooling should focus on .js → .ts mapping only.

Applied to files:

• apps/extension/package.json

📚 Learning: 2025-09-03T12:16:15.866Z

Learnt from: Crunchyman-ralph
Repo: eyaltoledano/claude-task-master PR: 1178
File: packages/tm-core/package.json:13-64
Timestamp: 2025-09-03T12:16:15.866Z
Learning: For internal packages in the claude-task-master project, Crunchyman-ralph prefers pointing package.json "types" entries to src .ts files rather than dist .d.ts files for better developer experience (DX), as the packages are not being exported as SDKs.

Applied to files:

• apps/extension/package.json

📚 Learning: 2025-11-24T18:03:13.456Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/test_workflow.mdc:0-0
Timestamp: 2025-11-24T18:03:13.456Z
Learning: Applies to jest.config.js : Jest configuration must use ts-jest preset for TypeScript support, configure test environment as 'node', set roots to ['<rootDir>/src', '<rootDir>/tests'], and include testMatch patterns for both *.test.ts and *.spec.ts files with separate projects for unit, integration, and e2e tests

Applied to files:

• apps/extension/package.json

📚 Learning: 2025-11-24T18:03:13.456Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/test_workflow.mdc:0-0
Timestamp: 2025-11-24T18:03:13.456Z
Learning: Applies to package.json : package.json scripts must include: 'test', 'test:watch', 'test:coverage', 'test:unit', 'test:integration', 'test:e2e', and 'test:ci' commands for testing framework integration

Applied to files:

• apps/extension/package.json
• package.json

📚 Learning: 2025-09-26T19:03:33.225Z

Learnt from: Crunchyman-ralph
Repo: eyaltoledano/claude-task-master PR: 1252
File: package.json:130-132
Timestamp: 2025-09-26T19:03:33.225Z
Learning: In the eyaltoledano/claude-task-master repository, all packages with tm prefix are internal packages that are part of the monorepo structure and are not published externally.

Applied to files:

• apps/extension/package.json

📚 Learning: 2025-09-24T15:46:28.029Z

Learnt from: Crunchyman-ralph
Repo: eyaltoledano/claude-task-master PR: 1114
File: src/ai-providers/gemini-cli.js:12-12
Timestamp: 2025-09-24T15:46:28.029Z
Learning: When AI SDK provider packages are moved from optional dependencies to required dependencies in package.json, static imports should be used instead of dynamic imports with error handling, as the package is guaranteed to be available at runtime.

Applied to files:

• package.json

📚 Learning: 2025-09-17T20:26:17.277Z

Learnt from: Crunchyman-ralph
Repo: eyaltoledano/claude-task-master PR: 1213
File: .github/workflows/pre-release.yml:68-73
Timestamp: 2025-09-17T20:26:17.277Z
Learning: User Crunchyman-ralph clarified that not all packages in the monorepo need build steps, so adding turbo:build scripts to every workspace package.json is unnecessary and incorrect.

Applied to files:

• package.json

📚 Learning: 2025-11-24T18:04:43.972Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/utilities.mdc:0-0
Timestamp: 2025-11-24T18:04:43.972Z
Learning: Applies to **/*.{js,ts} : Use path.join() for cross-platform path construction and path.resolve() for absolute paths, validating paths before file operations

Applied to files:

• package.json

📚 Learning: 2025-11-24T17:57:14.743Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/ai_providers.mdc:0-0
Timestamp: 2025-11-24T17:57:14.743Z
Learning: Applies to src/ai-providers/*.js : Provider modules in `src/ai-providers/` must import `generateText`, `streamText`, `generateObject` from the `ai` package, the provider's `create<ProviderName>` function from `ai-sdk/<provider-name>`, and the `log` utility from `../../scripts/modules/utils.js`

Applied to files:

• package.json

📚 Learning: 2025-11-24T17:57:14.743Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/ai_providers.mdc:0-0
Timestamp: 2025-11-24T17:57:14.743Z
Learning: To add a new AI provider with official Vercel AI SDK support, install the provider package via `npm install ai-sdk/<provider-name>`

Applied to files:

• package.json

📚 Learning: 2025-11-24T17:58:07.992Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/architecture.mdc:0-0
Timestamp: 2025-11-24T17:58:07.992Z
Learning: Applies to src/ai-providers/*.js : src/ai-providers/*.js files should contain provider-specific wrappers for Vercel AI SDK functions and interact directly with Vercel AI SDK adapters

Applied to files:

• package.json

📚 Learning: 2025-11-24T17:57:14.743Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/ai_providers.mdc:0-0
Timestamp: 2025-11-24T17:57:14.743Z
Learning: Applies to src/ai-providers/*.js : Create a new provider module in `src/ai-providers/<provider-name>.js` that implements `generate<ProviderName>Text`, `stream<ProviderName>Text`, and `generate<ProviderName>Object` functions using the Vercel AI SDK

Applied to files:

• package.json

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Cursor Bugbot

🔇 Additional comments (5)

package.json (2)

153-153: Clarify the addition of whatwg-url override.

The whatwg-url@^11.0.0 override is not mentioned in the PR objectives. Is this also addressing a security issue, or is it required by one of the other dependency updates?

---

80-80: Both dependency versions are valid and current as of January 2026. axios@^1.13.2 and @modelcontextprotocol/sdk@^1.25.2 are the latest versions available on npm and exist in the registry. No action needed regarding version validity.

Likely an incorrect or invalid review comment.

apps/extension/src/webview/hooks/useTaskQueries.ts (2)

295-313: LGTM - Targeted invalidation for scope changes.

The optimization correctly invalidates only the affected queries:

• Specific task detail (structure changes from scoping)
• Task lists (display updates)

Uses Promise.all for efficient parallel invalidation instead of invalidating all queries.

---

356-374: LGTM - Consistent targeted invalidation pattern.

The implementation mirrors useScopeUpTask with proper targeted invalidation and parallel execution. The consistency across scope mutation hooks improves maintainability.

apps/extension/package.json (1)

272-272: @tm/core in devDependencies is correct.

The addition is properly placed in devDependencies. While @tm/core is used at runtime (it exports createTmCore which is called in terminal-manager.ts), the devDependencies placement is correct because tsdown bundles internal tm/ packages during the build process, making them available in the final extension output without needing them as separate runtime dependencies.

[cursor]

This PR is being reviewed by Cursor Bugbot

Details

Your team is on the Bugbot Free tier. On this plan, Bugbot will review limited PRs each billing cycle for each member of your team.

To receive Bugbot reviews on all of your PRs, visit the Cursor dashboard to activate Pro and start your 14-day free trial.

[cursor]

Optimistic update uses wrong response data structure

Medium Severity

The onSuccess handler in useUpdateTask tries to merge the mutation response into cached tasks using data?.task || data. However, the updateTask endpoint returns { success: true } without actual task data. This causes the code to spread { success: true } into each matching task object, adding a spurious property rather than updating with actual task changes. The task lists remain stale after updates since they're not invalidated and the "optimistic" update contains no useful data.

 

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

apps/extension/src/webview/hooks/useTaskQueries.ts (1)

91-130: Consider narrowing useUpdateTaskStatus invalidation from taskKeys.all.
Line 128 invalidates taskKeys.all (lists + all details), which partially undermines the “targeted invalidation” goal and can cause extra MCP calls. Consider invalidating taskKeys.lists() and (optionally) taskKeys.detail(taskId) instead.

Proposed fix

-		onSettled: () => {
-			queryClient.invalidateQueries({ queryKey: taskKeys.all });
-		}
+		onSettled: (_data, _error, variables) => {
+			void queryClient.invalidateQueries({ queryKey: taskKeys.lists() });
+			if (variables?.taskId) {
+				void queryClient.invalidateQueries({
+					queryKey: taskKeys.detail(variables.taskId)
+				});
+			}
+		}

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between fb67ca0 and aacec70.

📒 Files selected for processing (2)

• apps/extension/package.json
• apps/extension/src/webview/hooks/useTaskQueries.ts

🚧 Files skipped from review as they are similar to previous changes (1)

• apps/extension/package.json

🧰 Additional context used

📓 Path-based instructions (3)

**/*.ts

📄 CodeRabbit inference engine (.cursor/rules/test_workflow.mdc)

TypeScript test files must achieve minimum code coverage thresholds: 80% lines/functions and 70% branches globally, 90% for utilities, and 85% for middleware; new features must meet or exceed these thresholds

Files:

• apps/extension/src/webview/hooks/useTaskQueries.ts

**/*.{js,ts}

📄 CodeRabbit inference engine (.cursor/rules/utilities.mdc)

**/*.{js,ts}: Import and use specific getters from config-manager.js (e.g., getMainProvider(), getLogLevel(), getMainMaxTokens()) to access configuration values needed for application logic
Use isApiKeySet(providerName, session) from config-manager.js to check if a provider's key is available before potentially attempting an AI call
Do not add direct console.log calls outside the logging utility - use the central log function instead
Ensure silent mode is disabled in a finally block to prevent it from staying enabled
Do not access the global silentMode variable directly - use the exported silent mode control functions instead
Do not duplicate task ID formatting logic across modules - centralize formatting utilities
Use ContextGatherer class from utils/contextGatherer.js for AI-powered commands that need project context, supporting tasks, files, custom text, and project tree context
Use FuzzyTaskSearch class from utils/fuzzyTaskSearch.js for automatic task relevance detection with configurable search parameters
Use fuzzy search to supplement user-provided task IDs and display discovered task IDs to users for transparency
Do not replace explicit user task selections with fuzzy results - fuzzy search should supplement, not replace user selections
Use readJSON and writeJSON utilities for all JSON file operations instead of raw fs.readFileSync or fs.writeFileSync
Include error handling for JSON file operations and validate JSON structure after reading
Use path.join() for cross-platform path construction and path.resolve() for absolute paths, validating paths before file operations
Support both .env files and MCP session environment for environment variable resolution with fallbacks for missing values
Prefer updating the core function to accept an outputFormat parameter and check outputFormat === 'json' before displaying UI elements

Files:

• apps/extension/src/webview/hooks/useTaskQueries.ts

**/*.{ts,tsx}

📄 CodeRabbit inference engine (CLAUDE.md)

Import modules with .js extension even in TypeScript source files for ESM compatibility

Files:

• apps/extension/src/webview/hooks/useTaskQueries.ts

🧠 Learnings (43)

📓 Common learnings

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: assets/AGENTS.md:0-0
Timestamp: 2025-12-11T14:45:14.973Z
Learning: Applies to assets/**/CLAUDE.md : Update `CLAUDE.md` file with project-specific context, task summaries, and custom command examples for Claude Code integration

Learnt from: Crunchyman-ralph
Repo: eyaltoledano/claude-task-master PR: 1444
File: apps/cli/src/utils/auto-update/changelog.ts:103-111
Timestamp: 2025-11-25T18:32:29.828Z
Learning: The claude-task-master project uses a custom changelog format with PR numbers and author acknowledgements in the pattern `- [#PR](...) Thanks [author]! - Description`, which is parsed by the regex in apps/cli/src/utils/auto-update/changelog.ts.

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/git_workflow.mdc:0-0
Timestamp: 2025-11-24T18:00:23.032Z
Learning: Pull Request descriptions must include: Task Overview, Subtasks Completed (checklist), Implementation Details, Testing approach, Breaking Changes (if any), and Related Tasks.

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/architecture.mdc:0-0
Timestamp: 2025-11-24T17:58:07.992Z
Learning: Applies to scripts/modules/dependency-manager.js : dependency-manager.js should manage task dependencies by handling add/remove/validate/fix operations across tagged task contexts

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/tasks.mdc:0-0
Timestamp: 2025-11-24T18:02:36.388Z
Learning: Applies to scripts/modules/task-manager.js : Format task files with consistent structure including task metadata (ID, title, status), dependencies with status indicators, and tag context information in the file header

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: assets/.windsurfrules:0-0
Timestamp: 2025-11-24T18:05:02.114Z
Learning: Update dependent tasks when implementation differs from original plan using `task-master update`

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/dependencies.mdc:0-0
Timestamp: 2025-11-24T17:59:18.662Z
Learning: Applies to scripts/modules/dependency-manager.js : Check for and remove references to non-existent tasks and self-references during cleanup, tracking and reporting changes made during cleanup

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/utilities.mdc:0-0
Timestamp: 2025-11-24T18:04:43.972Z
Learning: Applies to scripts/modules/**/*.{js,ts} : Implement complete migration functions for tagged task lists that handle configuration, state file creation, and migration status tracking

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/dependencies.mdc:0-0
Timestamp: 2025-11-24T17:59:18.662Z
Learning: Applies to scripts/modules/dependency-manager.js : Format task and dependency IDs consistently, check for existing dependencies to prevent duplicates, and sort dependencies for better readability when adding dependencies

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/dependencies.mdc:0-0
Timestamp: 2025-07-18T17:09:40.548Z
Learning: Applies to scripts/modules/dependency-manager.js : Remove references to non-existent tasks during validation

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/tasks.mdc:0-0
Timestamp: 2025-11-24T18:02:36.388Z
Learning: Applies to scripts/modules/task-manager.js : Implement status update functions that handle both individual tasks and subtasks within the current tag context, considering subtask status when updating parent tasks and suggesting parent task updates when all subtasks are done

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/dependencies.mdc:0-0
Timestamp: 2025-07-18T17:09:40.548Z
Learning: Applies to scripts/modules/dependency-manager.js : Check for and remove references to non-existent tasks during cleanup

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/dev_workflow.mdc:0-0
Timestamp: 2025-11-24T18:00:06.827Z
Learning: Run `task-master next` before starting any new development work to identify the next task with all dependencies satisfied

📚 Learning: 2025-11-24T18:04:43.972Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/utilities.mdc:0-0
Timestamp: 2025-11-24T18:04:43.972Z
Learning: Applies to **/*.{js,ts} : Use fuzzy search to supplement user-provided task IDs and display discovered task IDs to users for transparency

Applied to files:

• apps/extension/src/webview/hooks/useTaskQueries.ts

📚 Learning: 2025-11-24T18:04:43.972Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/utilities.mdc:0-0
Timestamp: 2025-11-24T18:04:43.972Z
Learning: Applies to **/{utils,utilities}/**/*.{js,ts} : Implement reusable task finding utilities that support both task and subtask lookups and add context to subtask results

Applied to files:

• apps/extension/src/webview/hooks/useTaskQueries.ts

📚 Learning: 2025-11-24T18:01:44.169Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/new_features.mdc:0-0
Timestamp: 2025-11-24T18:01:44.169Z
Learning: Applies to scripts/modules/*.js : Design core logic to work with both legacy (flat tasks array) and tagged task data formats; use tag resolution functions (getTasksForTag, setTasksForTag) for task data access; support silent migration during feature usage

Applied to files:

• apps/extension/src/webview/hooks/useTaskQueries.ts

📚 Learning: 2025-11-24T18:04:43.972Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/utilities.mdc:0-0
Timestamp: 2025-11-24T18:04:43.972Z
Learning: Applies to **/*.{js,ts} : Do not duplicate task ID formatting logic across modules - centralize formatting utilities

Applied to files:

• apps/extension/src/webview/hooks/useTaskQueries.ts

📚 Learning: 2025-11-24T18:04:43.972Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/utilities.mdc:0-0
Timestamp: 2025-11-24T18:04:43.972Z
Learning: Applies to scripts/modules/**/*.{js,ts} : Implement complete migration functions for tagged task lists that handle configuration, state file creation, and migration status tracking

Applied to files:

• apps/extension/src/webview/hooks/useTaskQueries.ts

📚 Learning: 2025-11-24T18:02:36.388Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/tasks.mdc:0-0
Timestamp: 2025-11-24T18:02:36.388Z
Learning: Applies to scripts/modules/task-manager.js : Format task files with consistent structure including task metadata (ID, title, status), dependencies with status indicators, and tag context information in the file header

Applied to files:

• apps/extension/src/webview/hooks/useTaskQueries.ts

📚 Learning: 2025-11-24T18:04:43.972Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/utilities.mdc:0-0
Timestamp: 2025-11-24T18:04:43.972Z
Learning: Applies to scripts/modules/task-manager/**/*.{js,ts} : Do not call AI-specific getters (like getMainModelId, getMainMaxTokens) from core logic functions in scripts/modules/task-manager/*. Instead, pass the role to the unified AI service

Applied to files:

• apps/extension/src/webview/hooks/useTaskQueries.ts

📚 Learning: 2025-11-24T18:02:36.388Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/tasks.mdc:0-0
Timestamp: 2025-11-24T18:02:36.388Z
Learning: Applies to scripts/modules/task-manager.js : Use consistent properties for subtasks (id, title, description, status, dependencies, details) without duplicating parent task properties, maintaining simple numeric IDs unique within the parent task

Applied to files:

• apps/extension/src/webview/hooks/useTaskQueries.ts

📚 Learning: 2025-11-24T17:58:07.992Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/architecture.mdc:0-0
Timestamp: 2025-11-24T17:58:07.992Z
Learning: Applies to scripts/modules/task-manager.js : task-manager.js should handle reading/writing tasks.json with tagged task lists support, implement CRUD operations, delegate AI interactions to ai-services-unified.js layer, and access non-AI configuration via config-manager.js getters

Applied to files:

• apps/extension/src/webview/hooks/useTaskQueries.ts

📚 Learning: 2025-11-24T18:01:44.169Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/new_features.mdc:0-0
Timestamp: 2025-11-24T18:01:44.169Z
Learning: Applies to scripts/modules/task-manager.js : Data manipulation features (create, read, update, delete tasks) should be placed in `task-manager.js` and follow guidelines in `tasks.mdc`

Applied to files:

• apps/extension/src/webview/hooks/useTaskQueries.ts

📚 Learning: 2025-11-24T18:04:43.972Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/utilities.mdc:0-0
Timestamp: 2025-11-24T18:04:43.972Z
Learning: Applies to mcp-server/src/tools/**/*.{js,ts} : Use processMCPResponseData(taskOrData, fieldsToRemove) utility to filter potentially sensitive or large fields (like details, testStrategy) from task objects before sending responses

Applied to files:

• apps/extension/src/webview/hooks/useTaskQueries.ts

📚 Learning: 2025-11-24T18:00:06.827Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/dev_workflow.mdc:0-0
Timestamp: 2025-11-24T18:00:06.827Z
Learning: Regularly use `task-master update-subtask --id=<subtaskId> --prompt='<update details>'` to log implementation findings, including what worked, what didn't, and decisions made

Applied to files:

• apps/extension/src/webview/hooks/useTaskQueries.ts

📚 Learning: 2025-11-24T18:01:44.169Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/new_features.mdc:0-0
Timestamp: 2025-11-24T18:01:44.169Z
Learning: Applies to mcp-server/src/core/task-master-core.js : Update `task-master-core.js` by importing and re-exporting direct functions and adding them to the directFunctions map

Applied to files:

• apps/extension/src/webview/hooks/useTaskQueries.ts

📚 Learning: 2025-11-24T18:01:06.077Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/mcp.mdc:0-0
Timestamp: 2025-11-24T18:01:06.077Z
Learning: Applies to mcp-server/src/tools/*.js : Use the AsyncOperationManager in the MCP tool layer for operations involving multiple steps or long waits beyond a single AI call; simple AI calls handled entirely within the *Direct function may not need it

Applied to files:

• apps/extension/src/webview/hooks/useTaskQueries.ts

📚 Learning: 2025-11-24T18:01:06.077Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/mcp.mdc:0-0
Timestamp: 2025-11-24T18:01:06.077Z
Learning: Applies to mcp-server/src/tools/*.js : Use snake_case for MCP tool names exposed to clients (e.g., list_tasks, set_task_status)

Applied to files:

• apps/extension/src/webview/hooks/useTaskQueries.ts

📚 Learning: 2025-11-24T18:01:44.169Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/new_features.mdc:0-0
Timestamp: 2025-11-24T18:01:44.169Z
Learning: Applies to mcp-server/src/tools/*.js : For long-running operations, use AsyncOperationManager to avoid blocking the client; identify CPU-intensive or >1-2 second operations as candidates; return immediate response with operationId

Applied to files:

• apps/extension/src/webview/hooks/useTaskQueries.ts

📚 Learning: 2025-11-24T18:02:49.782Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/telemetry.mdc:0-0
Timestamp: 2025-11-24T18:02:49.782Z
Learning: Applies to scripts/modules/task-manager/**/*.js : Core logic functions must extract mainResult from aiServiceResponse and return an object that includes aiServiceResponse.telemetryData

Applied to files:

• apps/extension/src/webview/hooks/useTaskQueries.ts

📚 Learning: 2025-11-24T18:02:36.388Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/tasks.mdc:0-0
Timestamp: 2025-11-24T18:02:36.388Z
Learning: Applies to scripts/modules/task-manager.js : Implement status update functions that handle both individual tasks and subtasks within the current tag context, considering subtask status when updating parent tasks and suggesting parent task updates when all subtasks are done

Applied to files:

• apps/extension/src/webview/hooks/useTaskQueries.ts

📚 Learning: 2025-11-24T22:09:45.455Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-11-24T22:09:45.455Z
Learning: Applies to apps/mcp/src/**/*.{ts,tsx} : MCP (tm/mcp) should be a thin presentation layer that calls tm-core methods and returns MCP-formatted responses; handle only MCP-specific concerns like tool schemas, parameter validation, and response formatting

Applied to files:

• apps/extension/src/webview/hooks/useTaskQueries.ts

📚 Learning: 2025-11-24T18:04:43.972Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/utilities.mdc:0-0
Timestamp: 2025-11-24T18:04:43.972Z
Learning: Applies to **/*.{js,ts} : Do not add direct console.log calls outside the logging utility - use the central log function instead

Applied to files:

• apps/extension/src/webview/hooks/useTaskQueries.ts

📚 Learning: 2025-11-24T18:01:44.169Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/new_features.mdc:0-0
Timestamp: 2025-11-24T18:01:44.169Z
Learning: Applies to scripts/modules/*.js : Use consistent file naming conventions: `task_${id.toString().padStart(3, '0')}.txt` for task files; use `path.join()` for composing paths; use appropriate extensions (.txt for tasks, .json for data)

Applied to files:

• apps/extension/src/webview/hooks/useTaskQueries.ts

📚 Learning: 2025-11-24T18:04:43.972Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/utilities.mdc:0-0
Timestamp: 2025-11-24T18:04:43.972Z
Learning: Applies to **/{utils,utilities}/**/*.{js,ts} : Create utilities for consistent task ID handling that support different ID formats (numeric, string, dot notation)

Applied to files:

• apps/extension/src/webview/hooks/useTaskQueries.ts

📚 Learning: 2025-11-24T17:58:07.992Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/architecture.mdc:0-0
Timestamp: 2025-11-24T17:58:07.992Z
Learning: Applies to scripts/modules/utils.js : utils.js should provide core utility functions including logging (log function), file I/O (readJSON, writeJSON), string utilities (truncate), task utilities (findTaskById), dependency utilities (findCycles), API key resolution (resolveEnvVariable), silent mode control (enableSilentMode, disableSilentMode), and tagged task list support (migration system, tag resolution, current tag management)

Applied to files:

• apps/extension/src/webview/hooks/useTaskQueries.ts

📚 Learning: 2025-11-24T18:02:36.388Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/tasks.mdc:0-0
Timestamp: 2025-11-24T18:02:36.388Z
Learning: Applies to scripts/modules/task-manager.js : Extract tasks from PRD documents using AI within the current tag context (defaulting to "master"), providing clear prompts to guide AI task generation and validating/cleaning up AI-generated tasks

Applied to files:

• apps/extension/src/webview/hooks/useTaskQueries.ts

📚 Learning: 2025-11-24T18:04:43.972Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/utilities.mdc:0-0
Timestamp: 2025-11-24T18:04:43.972Z
Learning: Applies to mcp-server/src/tools/**/*.{js,ts} : Use handleApiResult(result, log, errorPrefix, processFunction) to standardize the formatting of responses returned by direct functions into the MCP response format

Applied to files:

• apps/extension/src/webview/hooks/useTaskQueries.ts

📚 Learning: 2025-11-24T18:04:43.972Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/utilities.mdc:0-0
Timestamp: 2025-11-24T18:04:43.972Z
Learning: Applies to mcp-server/src/**/*.{js,ts} : Use createContentResponse(content) and createErrorResponse(errorMessage) helper functions to create basic MCP response structures

Applied to files:

• apps/extension/src/webview/hooks/useTaskQueries.ts

📚 Learning: 2025-11-24T18:01:06.077Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/mcp.mdc:0-0
Timestamp: 2025-11-24T18:01:06.077Z
Learning: Applies to mcp-server/src/tools/*.js : Use createErrorResponse and createContentResponse utilities from tools/utils.js for formatting MCP responses

Applied to files:

• apps/extension/src/webview/hooks/useTaskQueries.ts

📚 Learning: 2025-11-24T18:04:43.972Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/utilities.mdc:0-0
Timestamp: 2025-11-24T18:04:43.972Z
Learning: Applies to mcp-server/src/**/*.{js,ts} : Use the logger wrapper pattern when passing loggers to prevent mcpLog[level] is not a function errors, wrapping FastMCP's log object with standard methods

Applied to files:

• apps/extension/src/webview/hooks/useTaskQueries.ts

📚 Learning: 2025-11-24T18:01:06.077Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/mcp.mdc:0-0
Timestamp: 2025-11-24T18:01:06.077Z
Learning: If an MCP tool fails with unclear errors, run the equivalent task-master CLI command to get more detailed error messages from the core logic

Applied to files:

• apps/extension/src/webview/hooks/useTaskQueries.ts

📚 Learning: 2025-11-24T18:01:06.077Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/mcp.mdc:0-0
Timestamp: 2025-11-24T18:01:06.077Z
Learning: Applies to mcp-server/src/tools/*.js : Call the corresponding *Direct function wrapper from task-master-core.js within the execute method of each MCP tool, passing necessary arguments and the logger

Applied to files:

• apps/extension/src/webview/hooks/useTaskQueries.ts

📚 Learning: 2025-11-24T18:01:06.077Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/mcp.mdc:0-0
Timestamp: 2025-11-24T18:01:06.077Z
Learning: Applies to mcp-server/src/**/*.js : Do not log entire large data structures or sensitive information in direct functions and tools

Applied to files:

• apps/extension/src/webview/hooks/useTaskQueries.ts

📚 Learning: 2025-11-24T18:00:06.827Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/dev_workflow.mdc:0-0
Timestamp: 2025-11-24T18:00:06.827Z
Learning: When implementation differs significantly from planned approach, use `task-master update --from=<futureTaskId> --research` to update multiple future tasks

Applied to files:

• apps/extension/src/webview/hooks/useTaskQueries.ts

📚 Learning: 2025-11-24T18:00:06.827Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/dev_workflow.mdc:0-0
Timestamp: 2025-11-24T18:00:06.827Z
Learning: Update dependent tasks when implementation differs from original plan using `task-master update --from=<id>` or `task-master update-task --id=<id>`

Applied to files:

• apps/extension/src/webview/hooks/useTaskQueries.ts

📚 Learning: 2025-11-24T18:05:02.114Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: assets/.windsurfrules:0-0
Timestamp: 2025-11-24T18:05:02.114Z
Learning: Update dependent tasks when implementation differs from original plan using `task-master update`

Applied to files:

• apps/extension/src/webview/hooks/useTaskQueries.ts

📚 Learning: 2025-07-18T17:08:48.695Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/commands.mdc:0-0
Timestamp: 2025-07-18T17:08:48.695Z
Learning: Applies to scripts/modules/commands.js : Follow the provided structure for adding subtasks, including required options and detailed error handling.

Applied to files:

• apps/extension/src/webview/hooks/useTaskQueries.ts

📚 Learning: 2025-07-12T06:21:41.224Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/dev_workflow.mdc:0-0
Timestamp: 2025-07-12T06:21:41.224Z
Learning: Log detailed implementation plans and progress for each subtask using `update_subtask` / `task-master update-subtask --id=<subtaskId> --prompt='<details>'`, ensuring all findings, code snippets, and decisions are recorded in the subtask's `details` field.

Applied to files:

• apps/extension/src/webview/hooks/useTaskQueries.ts

📚 Learning: 2025-11-24T18:00:06.827Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/dev_workflow.mdc:0-0
Timestamp: 2025-11-24T18:00:06.827Z
Learning: For subtask implementation, use `task-master show <subtaskId>` to understand goals, explore the codebase, determine code changes, then log the plan with `task-master update-subtask`

Applied to files:

• apps/extension/src/webview/hooks/useTaskQueries.ts

📚 Learning: 2025-07-18T17:08:48.695Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/commands.mdc:0-0
Timestamp: 2025-07-18T17:08:48.695Z
Learning: Applies to scripts/modules/commands.js : Follow the provided structure for removing subtasks, including required options, conversion option, and detailed error handling.

Applied to files:

• apps/extension/src/webview/hooks/useTaskQueries.ts

📚 Learning: 2025-11-24T18:02:22.305Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/taskmaster.mdc:0-0
Timestamp: 2025-11-24T18:02:22.305Z
Learning: Use Research + Action Pattern: research for information gathering, update_subtask for committing findings with timestamps, update_task for incorporating research into task details, and add_task with research flag for informed task creation

Applied to files:

• apps/extension/src/webview/hooks/useTaskQueries.ts

📚 Learning: 2025-11-24T17:58:47.030Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/commands.mdc:0-0
Timestamp: 2025-11-24T17:58:47.030Z
Learning: Applies to scripts/modules/commands.js : For context-aware AI commands: use ContextGatherer utility for multi-source context extraction, support task IDs/file paths/custom context, implement fuzzy search for task discovery, and display detailed token breakdown for transparency

Applied to files:

• apps/extension/src/webview/hooks/useTaskQueries.ts

📚 Learning: 2025-07-18T17:08:48.695Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/commands.mdc:0-0
Timestamp: 2025-07-18T17:08:48.695Z
Learning: Applies to scripts/modules/commands.js : For AI-powered commands that benefit from project context, use the ContextGatherer utility for multi-source context extraction, support task IDs, file paths, custom context, and project tree, implement fuzzy search for automatic task discovery, and display detailed token breakdown for transparency.

Applied to files:

• apps/extension/src/webview/hooks/useTaskQueries.ts

📚 Learning: 2025-11-24T17:59:00.056Z

Learnt from: CR
Repo: eyaltoledano/claude-task-master PR: 0
File: .cursor/rules/context_gathering.mdc:0-0
Timestamp: 2025-11-24T17:59:00.056Z
Learning: Applies to scripts/**/*.js : Initialize `ContextGatherer` with project root and tasks path, then call `gather()` method with tasks array, files array, customContext, includeProjectTree, format ('research', 'chat', or 'system-prompt'), and includeTokenCounts options

Applied to files:

• apps/extension/src/webview/hooks/useTaskQueries.ts

🧬 Code graph analysis (1)

apps/extension/src/webview/hooks/useTaskQueries.ts (2)

src/utils/path-utils.js (6)

• logger (66-66)
• logger (139-139)
• logger (216-216)
• logger (301-301)
• logger (350-350)
• logger (404-404)

scripts/modules/task-manager/remove-task.js (1)

• parentTaskId (64-66)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Cursor Bugbot

🔇 Additional comments (4)

apps/extension/src/webview/hooks/useTaskQueries.ts (4)

34-35: staleTime: 10s on task lists is a sensible cache default.
This should reduce refetch churn without making task lists feel stale.

---

54-61: Good: MCP response parse errors go through centralized logger.
Line 60 replaces console.error-style logging with logger.error, matching the “no direct console” guideline.

---

223-246: Targeted invalidation + Promise.all is a solid improvement.
Invalidating parent/subtask details (Lines 231-238) and detail+lists for scope ops (Lines 294-301 / 352-359) is much more cache-friendly than broad purges.

Also applies to: 289-304, 347-362

---

1-5: No issues found. The import import { logger } from '../utils/logger'; is correctly formatted for the extension's module resolution configuration ("moduleResolution": "Node" with esModuleInterop enabled), which does not require explicit .js extensions. This matches the established import pattern throughout the codebase.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

wc -l apps/extension/src/webview/hooks/useTaskQueries.ts

Repository: eyaltoledano/claude-task-master

Length of output: 129

---

🏁 Script executed:

cat -n apps/extension/src/webview/hooks/useTaskQueries.ts

Repository: eyaltoledano/claude-task-master

Length of output: 12291

---

🏁 Script executed:

# Find TaskMasterTask type definition to understand response structure
rg "type TaskMasterTask|interface TaskMasterTask" -A 10

Repository: eyaltoledano/claude-task-master

Length of output: 2788

---

Avoid logging full responses and user-provided content (privacy and performance risk).

Lines 23, 31, 148, 155, 207, 214, 267, 280, 325, and 338 log potentially large payloads and sensitive user content. Specifically:

• Lines 23/148/207/267/325 log user-provided prompt and updates objects directly
• Lines 31/155/214/280/338 log full response objects containing description, details, and testStrategy fields

This exposes sensitive task information in extension logs and creates performance overhead. Log only IDs, counts, and error codes instead:

Examples

-logger.log('Fetching tasks with options:', options);
+logger.log('Fetching tasks', { tag: options?.tag, status: options?.status });

-logger.log('Tasks fetched:', response);
+logger.log('Tasks fetched', { count: Array.isArray(response) ? response.length : undefined });

-logger.log('Updating task:', taskId, updates, options);
+logger.log('Updating task', { taskId, options });

-logger.log('Update task response:', response);
+logger.log('Update task response received', { taskId });

-logger.log('Updating subtask:', taskId, prompt, options);
+logger.log('Updating subtask', { taskId, options });

-logger.log('Update subtask response:', response);
+logger.log('Update subtask response received', { taskId });

-logger.log('Scoping up task:', taskId, strength, prompt, options);
+logger.log('Scoping up task', { taskId, strength, options });

-logger.log('Scope up task response:', response);
+logger.log('Scope up task response received', { taskId });

-logger.log('Scoping down task:', taskId, strength, prompt, options);
+logger.log('Scoping down task', { taskId, strength, options });

-logger.log('Scope down task response:', response);
+logger.log('Scope down task response received', { taskId });

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

find . -type f -name "useTaskQueries.ts" 2>/dev/null | head -5

Repository: eyaltoledano/claude-task-master

Length of output: 127

---

🏁 Script executed:

cat -n ./apps/extension/src/webview/hooks/useTaskQueries.ts | head -250

Repository: eyaltoledano/claude-task-master

Length of output: 8608

---

🏁 Script executed:

cat -n ./apps/extension/src/webview/types.ts | head -100

Repository: eyaltoledano/claude-task-master

Length of output: 144

---

🏁 Script executed:

find ./apps/extension -name "*.ts" -type f | grep -i type | head -10

Repository: eyaltoledano/claude-task-master

Length of output: 176

---

🏁 Script executed:

cat -n ./apps/extension/src/webview/types/index.ts

Repository: eyaltoledano/claude-task-master

Length of output: 4086

---

🏁 Script executed:

find ./apps/extension -name "*.ts" -type f | xargs grep -l "updateTask" | head -10

Repository: eyaltoledano/claude-task-master

Length of output: 277

---

🏁 Script executed:

grep -n "updateTask" ./apps/extension/src/services/webview-manager.ts -B 3 -A 20 | head -100

Repository: eyaltoledano/claude-task-master

Length of output: 1618

---

🏁 Script executed:

grep -n "updateTask\|update_task" ./apps/extension/src/services/webview-manager.ts -A 30 | head -80

Repository: eyaltoledano/claude-task-master

Length of output: 2288

---

🏁 Script executed:

cat -n ./apps/extension/src/services/webview-manager.ts | sed -n '178,210p'

Repository: eyaltoledano/claude-task-master

Length of output: 1312

---

🏁 Script executed:

cat -n ./apps/extension/src/services/webview-manager.ts | sed -n '1,50p'

Repository: eyaltoledano/claude-task-master

Length of output: 1725

---

🏁 Script executed:

grep -rn "update_task" ./mcp-server --include="*.ts" --include="*.js" -A 10 | head -80

Repository: eyaltoledano/claude-task-master

Length of output: 3436

---

🏁 Script executed:

cat -n ./mcp-server/src/tools/update-task.js | head -200

Repository: eyaltoledano/claude-task-master

Length of output: 3929

---

🏁 Script executed:

find ./mcp-server -name "*.js" -o -name "*.ts" | xargs grep -l "handleApiResult" | head -5

Repository: eyaltoledano/claude-task-master

Length of output: 256

---

🏁 Script executed:

grep -rn "export.*handleApiResult\|function handleApiResult" ./mcp-server --include="*.js" --include="*.ts" -A 20 | head -100

Repository: eyaltoledano/claude-task-master

Length of output: 1447

---

🏁 Script executed:

cat -n ./mcp-server/src/tools/utils.js | sed -n '287,330p'

Repository: eyaltoledano/claude-task-master

Length of output: 1554

---

🏁 Script executed:

grep -n "createContentResponse\|createErrorResponse" ./mcp-server/src/tools/utils.js -A 10 | head -80

Repository: eyaltoledano/claude-task-master

Length of output: 2884

---

Extract and validate the patch data before spreading into task objects.

Line 181 spreads data?.task || data, but the response structure from the message handler is { success: true }, which lacks the updated task information. This will incorrectly merge response metadata into cached task objects, corrupting them. Extract a validated patch object from the response before spreading, or fall back to variables.updates if no task data is present.

Proposed fix (safe patch extraction)

 		onSuccess: async (data, variables) => {
@@
-			queryClient.setQueriesData(
-				{ queryKey: taskKeys.lists() },
-				(old: TaskMasterTask[] | undefined) => {
+			const patch =
+				data && typeof data === 'object'
+					? // prefer `data.task` when present, otherwise treat `data` as the patch
+						('task' in (data as any) &&
+						(data as any).task &&
+						typeof (data as any).task === 'object'
+							? (data as any).task
+							: (data as any))
+					: variables.updates;
+
+			queryClient.setQueriesData(
+				{ queryKey: taskKeys.lists() },
+				(old: TaskMasterTask[] | undefined) => {
 					if (!old || !Array.isArray(old)) return old;
 					return old.map((task) =>
 						task.id === variables.taskId
-							? { ...task, ...(data?.task || data) }
+							? { ...task, ...patch }
 							: task
 					);
 				}
 			);

[Crunchyman-ralph]

package-lock is 16000 line changes, please fix that, are you installing with the wrong node version or something like that, also please run npm run format.

I will review once these have been addressed, thanks for the contribution!