docs: post-merge sweep for 10 PRs (2026-04-22)#925
Conversation
Add delivery wave entry for PRs #914--#924 covering CI/hardening (SAST, migration validation, performance regression gate, circuit breaker), frontend decomposition (ReviewView, InboxView, AutomationChatView), ops (alerting rules), docs (data model ERD), and UX (session timeout warning). Mark resolved items in AUDIT.md: oversized views, session timeout, SAST, alerting rules, data model reference, performance regression tests.
Add delivery wave 27 for PRs #914--#924 covering CI/hardening (SAST, migration validation, performance regression gate, circuit breaker), frontend decomposition (ReviewView, InboxView, AutomationChatView), ops (alerting rules), docs (data model ERD), and session timeout warning. Note ADR-0031 and ADR-0032. Update wave 26 to cross-reference view decomposition resolution.
Add migration-validation job to ci-required, SAST scanning and performance regression gate to ci-extended, and both to ci-nightly. Update test counts for circuit breaker (23 backend) and session timeout (19 frontend) tests.
Reflect view decomposition pattern (thin shells + extracted composables/components) and add examples of view-specific composables and component directories.
Mark view decomposition (ReviewView, InboxView, AutomationChatView) and monitoring/alerting setup as resolved in both roadmap files.
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 1e838de216
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| 6. ~~`#859`~~ FE-18 decompose AutomationChatView (**delivered** PR `#920`) | ||
| 7. ~~`#858`~~ FE-17 decompose InboxView (**delivered** PR `#921`) |
There was a problem hiding this comment.
Stage 7 reuses #859 and #858 for FE-18/FE-17, but the same file already maps those issue IDs to PERF-12 and OPS-27 in Stage 6 (#859 at line 399, #858 at line 398). Because issue numbers are unique and used for delivery tracking/project automation, this introduces ambiguous links from issue IDs to unrelated work items.
Useful? React with 👍 / 👎.
| - `migration-validation` | ||
| - EF Core migration chain validation via `scripts/ci/validate-migrations.sh` (TST-61, `#869`/`#916`) | ||
| - Runs in parallel with other required jobs |
There was a problem hiding this comment.
This section states that ci-required.yml now runs a required migration-validation gate, but in this commit .github/workflows/ci-required.yml contains no migration-validation job and no call to a migration-validation reusable workflow. Documenting a non-existent required gate creates false confidence that migration chain checks are enforced on every PR.
Useful? React with 👍 / 👎.
| | [0031](ADR-0031-sast-scanning-semgrep.md) | SAST Scanning with Semgrep (Advisory Mode) | Accepted | 2026-04-22 | | ||
| | [0032](ADR-0032-circuit-breaker-polly.md) | Circuit Breaker for External API Calls (Polly) | Accepted | 2026-04-22 | |
There was a problem hiding this comment.
These new index rows link to ADR-0031-sast-scanning-semgrep.md and ADR-0032-circuit-breaker-polly.md, but those files are not present under docs/decisions/ in this commit tree. That leaves broken links in the canonical ADR index and prevents readers from reviewing the decisions cited elsewhere in the docs.
Useful? React with 👍 / 👎.
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request provides a comprehensive documentation update following the completion of 'Wave 27,' covering CI hardening, frontend view decomposition, and operational enhancements. Key changes include updating the status of resolved audit items, documenting significant line-count reductions in decomposed views, and updating verified test totals to approximately 7,110 passing tests. Feedback indicates a recurring issue number conflict where IDs #859 and #858 were incorrectly reused for FE-18 and FE-17, conflicting with their previous assignments to PERF-12 and OPS-27.
| 25. **Post-validation documentation sweep (2026-04-16)**: Wave index and delivery annotations sweep (`#844`, merged) updated `#107` wave execution index with 126/129 completed items checked and added "(delivered)" annotations to ~100+ items across Stages 2--5 in `ISSUE_EXECUTION_GUIDE.md`. Remaining PRs in the post-validation wave (`#822`, `#841`, `#877`--`#880`, `#882`) remain open and pending merge; their delivery notes will be added upon merge. | ||
| 26. **Production hardening wave from AUDIT.md findings (2026-04-22, PRs `#902`–`#913`)**: 12 PRs closing 10 tracked audit issues plus 2 CI stabilisation fixes. Delivered: SEC-26 SSRF protection (`#850`/`#905`), SEC-27 dev JWT secret removal + unconditional bootstrap (`#851`/`#911`), SEC-30 file import content validation (`#860`/`#910`), PERF-11 WorkspaceService sync-over-async removal (`#847`/`#904`), PERF-12 board list pagination (`#859`/`#909`), PERF-13 SQL-level AuditLog filtering (`#849`/`#903`), OPS-27 startup configuration validation (`#858`/`#908`), OPS-28 EF migration bootstrap verification (`#864`/`#907`), CI-02 Gitleaks secrets detection (`#871`/`#902`), TST-58 CLI test discovery + shared harness (`#853`/`#906`). CI stabilisation: ActivityView Windows timestamp flake (`#912`), FirstRunBootstrapper cross-process write serialisation (`#913`). All 5 Tier 1 and 4 of 5 Tier 2 audit priorities from `docs/AUDIT.md` are now resolved; response compression (Tier 1) and view decomposition + error boundary (Tier 2) remain open. | ||
| 26. **Production hardening wave from AUDIT.md findings (2026-04-22, PRs `#902`–`#913`)**: 12 PRs closing 10 tracked audit issues plus 2 CI stabilisation fixes. Delivered: SEC-26 SSRF protection (`#850`/`#905`), SEC-27 dev JWT secret removal + unconditional bootstrap (`#851`/`#911`), SEC-30 file import content validation (`#860`/`#910`), PERF-11 WorkspaceService sync-over-async removal (`#847`/`#904`), PERF-12 board list pagination (`#859`/`#909`), PERF-13 SQL-level AuditLog filtering (`#849`/`#903`), OPS-27 startup configuration validation (`#858`/`#908`), OPS-28 EF migration bootstrap verification (`#864`/`#907`), CI-02 Gitleaks secrets detection (`#871`/`#902`), TST-58 CLI test discovery + shared harness (`#853`/`#906`). CI stabilisation: ActivityView Windows timestamp flake (`#912`), FirstRunBootstrapper cross-process write serialisation (`#913`). All 5 Tier 1 and 4 of 5 Tier 2 audit priorities from `docs/AUDIT.md` are now resolved; response compression (Tier 1) and ~~view decomposition~~ + error boundary (Tier 2) remain open. View decomposition now resolved in wave 27 below. | ||
| 27. **CI/hardening, frontend decomposition, ops, and documentation wave (2026-04-22, PRs `#914`–`#924`)**: 10 issues across 10 PRs. **CI/Hardening**: CI-01 SAST scanning with Semgrep (`#870`/`#915`, ADR-0031), TST-61 database migration validation in CI (`#869`/`#916`), CI-03 performance regression gate (`#872`/`#918`), HARD-01 circuit breaker for external API calls with Polly (`#876`/`#924`, ADR-0032). **Frontend**: FE-20 session timeout warning (`#861`/`#919`, 19 tests), FE-18 decompose AutomationChatView (`#859`/`#920`, 1523 lines to 235-line shell + 7 components + 1 composable), FE-17 decompose InboxView (`#858`/`#921`, 1527 lines to 222-line shell + 2 panels + 1 composable + utils), FE-16 decompose ReviewView (`#856`/`#923`, 1659 lines to 148-line shell + 6 components + 2 composables, all 45 existing tests pass). **Ops/Docs**: OPS-30 monitoring and alerting rules (`#868`/`#914`, 10 alert rules with P1/P2 severity tiers), DOC-08 data model reference with ERD (`#875`/`#917`, 855 lines, 37 entities, Mermaid ERD). All 3 oversized views from `docs/AUDIT.md` Tier 2 are now decomposed. 2 new ADRs (ADR-0031, ADR-0032). |
There was a problem hiding this comment.
There is an issue number conflict for FE-18 and FE-17. This masterplan entry uses #859 for FE-18 and #858 for FE-17, but Stage 6 (Wave 26) already uses these numbers for PERF-12 and OPS-27 respectively. Please verify and update these to the correct unique issue numbers.
| 6. ~~`#859`~~ FE-18 decompose AutomationChatView (**delivered** PR `#920`) | ||
| 7. ~~`#858`~~ FE-17 decompose InboxView (**delivered** PR `#921`) |
There was a problem hiding this comment.
The issue numbers #859 and #858 are duplicated in this file. They are used here for FE-18 and FE-17, but were previously assigned to PERF-12 and OPS-27 in Stage 6 (lines 398-399). This conflict should be resolved to maintain accurate issue tracking.
| - **FE-18 decompose AutomationChatView** (`#859`/`#920`): 1,523 lines reduced to 235-line shell + 7 components (`ChatHeroHeader`, `LlmHealthStatusBar`, `ChatSessionSidebar`, `ChatMessageList`, `ChatParseHintCard`, `ChatToolCallDetails`, `ChatComposeBar`) + `useAutomationChat` composable (394 lines); all components under 400 lines | ||
| - **FE-17 decompose InboxView** (`#858`/`#921`): 1,527 lines reduced to 222-line shell + `InboxListPanel`, `InboxDetailPanel`, `useInboxOrchestrator` composable, and `inboxUtils`; all existing tests pass without modification |
There was a problem hiding this comment.
The issue numbers #859 (assigned to FE-18) and #858 (assigned to FE-17) conflict with the issue numbers used for PERF-12 and OPS-27 in the previous delivery wave (see docs/AUDIT.md lines 302-303). Please update these references to the correct issue IDs.
The governance regex requires the line to end after the date (YYYY-MM-DD) with only optional whitespace. Move the parenthetical sweep note to its own line.
OPS-27 (config validation) is GitHub issue #863, not #858. PERF-12 (board list pagination) is GitHub issue #848, not #859. The wrong numbers (#858/#859) belong to FE-17 and FE-18 respectively. Fixes references in STATUS.md, IMPLEMENTATION_MASTERPLAN.md, ISSUE_EXECUTION_GUIDE.md, AUDIT.md, HARDENING_AND_PERFORMANCE.md, TESTING_GUIDE.md, and CONFIGURATION_REFERENCE.md.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: f4bf32ab56
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
|
|
||
| - CI/hardening, frontend decomposition, ops, and documentation wave (2026-04-22, PRs `#914`--`#924`, 10 issues): | ||
| - **OPS-30 monitoring and alerting rules** (`#868`/`#914`): `docs/ops/ALERTING_RULES.md` (356 lines, 10 alert rules) with severity-tiered thresholds — P1: 5xx rate >1%, worker heartbeat >5min, DB connectivity loss, health endpoint failure; P2: p95 latency >2s, disk >80%, memory >85%, queue backlog >100, CPU >80%, SignalR/Redis degradation; integration paths for Grafana, CloudWatch, and PagerDuty documented; `docs/ops/README.md` and `docs/ops/OBSERVABILITY_BASELINE.md` updated with cross-links | ||
| - **CI-01 SAST scanning with Semgrep** (`#870`/`#915`): `.semgrep/taskdeck-csharp.yml` (5 custom C# rules) and `.semgrep/taskdeck-typescript.yml` (5 custom TypeScript rules); `scripts/ci/summarize-sast-findings.mjs` for human-readable finding summaries; `.github/workflows/reusable-sast-scanning.yml` wired into `ci-extended` (label: `security`) and `ci-nightly`; advisory mode by default with enforceable option; ADR-0031 documents the SAST scanning decision |
There was a problem hiding this comment.
docs/STATUS.md is the repo’s source-of-truth status document, but this new entry marks CI-01 as delivered while referencing artifacts that are not in this commit tree (.semgrep/taskdeck-csharp.yml, .semgrep/taskdeck-typescript.yml, scripts/ci/summarize-sast-findings.mjs, and .github/workflows/reusable-sast-scanning.yml). Recording an undelivered security gate as complete can cause planning/project tracking to skip required implementation and leave CI coverage gaps unnoticed.
Useful? React with 👍 / 👎.
| - `sast-scanning` | ||
| - Semgrep SAST with custom C# and TypeScript rules via `reusable-sast-scanning.yml` (CI-01, `#870`/`#915`) | ||
| - opt-in on PRs labeled `security` or manual `workflow_dispatch` | ||
| - advisory mode by default; enforceable via workflow input | ||
| - `scripts/ci/summarize-sast-findings.mjs` produces human-readable summary |
There was a problem hiding this comment.
This section documents a sast-scanning lane (and the adjacent performance lane) as part of ci-extended, but .github/workflows/ci-extended.yml and .github/workflows/ci-nightly.yml in this repo snapshot do not define those jobs, and the referenced reusable workflow/scripts are absent. The guide therefore gives false assurance that these checks are automated in CI when they are not.
Useful? React with 👍 / 👎.
| - **api/**: HTTP client modules for backend communication | ||
| - **composables/**: Shared Vue composition functions | ||
| - **components/**: Reusable UI components | ||
| - **composables/**: Shared Vue composition functions (including view-specific orchestrators like useReviewProposals, useInboxOrchestrator, useAutomationChat, useBoardDragDrop, useSessionTimeout, etc.) |
There was a problem hiding this comment.
The added composables list includes useReviewProposals, useInboxOrchestrator, useAutomationChat, and useSessionTimeout, but those modules are not present under frontend/taskdeck-web/src/composables in this commit. This makes the architecture guide inaccurate and misleads contributors about what frontend decomposition/session-timeout code is actually available.
Useful? React with 👍 / 👎.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: fd28072d55
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| - **FE-18 decompose AutomationChatView** (`#859`/`#920`): 1,523 lines reduced to 235-line shell + 7 components (`ChatHeroHeader`, `LlmHealthStatusBar`, `ChatSessionSidebar`, `ChatMessageList`, `ChatParseHintCard`, `ChatToolCallDetails`, `ChatComposeBar`) + `useAutomationChat` composable (394 lines); all components under 400 lines | ||
| - **FE-17 decompose InboxView** (`#858`/`#921`): 1,527 lines reduced to 222-line shell + `InboxListPanel`, `InboxDetailPanel`, `useInboxOrchestrator` composable, and `inboxUtils`; all existing tests pass without modification | ||
| - **FE-16 decompose ReviewView** (`#856`/`#923`): 1,659 lines reduced to 148-line shell + 6 components (`ReviewHeader`, `ReviewSummaryCards`, `ReviewEmptyState`, `ReviewProposalCard`, `ReviewProposalActions`, `ReviewProposalDetails`) + 2 composables (`useReviewProposals`, `useReviewActions`); all 45 existing ReviewView tests pass without modification | ||
| - **HARD-01 circuit breaker for external API calls** (`#876`/`#924`): Polly circuit breakers on OpenAI, Gemini HTTP clients, and OAuth backchannel; `CircuitBreakerStateTracker` singleton and `CircuitBreakerSettings` config class; health endpoint reports circuit breaker state as degraded (not 503); 23 tests; ADR-0032 documents the circuit breaker decision |
There was a problem hiding this comment.
Fresh evidence in this commit: it newly adds multiple references to ADR-0032 (including this HARD-01 status entry), but the commit tree has no docs/decisions/ADR-0032-*.md file (only ADR-0031 exists). That leaves the documented circuit-breaker decision unverifiable and creates a broken canonical reference path for contributors who follow status and implementation docs. Please add the ADR-0032 document or remove/update the ADR-0032 references until the file is present.
Useful? React with 👍 / 👎.
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 7f8973e70c
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| - **FE-18 decompose AutomationChatView** (`#859`/`#920`): 1,523 lines reduced to 235-line shell + 7 components (`ChatHeroHeader`, `LlmHealthStatusBar`, `ChatSessionSidebar`, `ChatMessageList`, `ChatParseHintCard`, `ChatToolCallDetails`, `ChatComposeBar`) + `useAutomationChat` composable (394 lines); all components under 400 lines | ||
| - **FE-17 decompose InboxView** (`#858`/`#921`): 1,527 lines reduced to 222-line shell + `InboxListPanel`, `InboxDetailPanel`, `useInboxOrchestrator` composable, and `inboxUtils`; all existing tests pass without modification | ||
| - **FE-16 decompose ReviewView** (`#856`/`#923`): 1,659 lines reduced to 148-line shell + 6 components (`ReviewHeader`, `ReviewSummaryCards`, `ReviewEmptyState`, `ReviewProposalCard`, `ReviewProposalActions`, `ReviewProposalDetails`) + 2 composables (`useReviewProposals`, `useReviewActions`); all 45 existing ReviewView tests pass without modification | ||
| - **HARD-01 circuit breaker for external API calls** (`#876`/`#924`): Polly circuit breakers on OpenAI, Gemini HTTP clients, and OAuth backchannel; `CircuitBreakerStateTracker` singleton and `CircuitBreakerSettings` config class; health endpoint reports circuit breaker state as degraded (not 503); 23 tests; ADR-0032 documents the circuit breaker decision |
There was a problem hiding this comment.
This line marks HARD-01 as delivered with Polly circuit breakers and 23 tests, but in this commit tree there is no corresponding backend implementation or test coverage (repo search for CircuitBreaker/Polly in backend/src and backend/tests returns no matches). Because docs/STATUS.md is the source-of-truth tracker, this creates a false “done” signal that can cause the resilience work to be skipped in planning and release readiness.
Useful? React with 👍 / 👎.
1 participant
Summary
PRs accounted for
#914 (OPS-30), #915 (CI-01), #916 (TST-61), #917 (DOC-08), #918 (CI-03), #919 (FE-20), #920 (FE-18), #921 (FE-17), #923 (FE-16), #924 (HARD-01)
Test plan