dev: promote existing changes to master #5
Merged
feat: edit state, help button, loader while login in
akushonkamen
pushed a commit
to akushonkamen/plane
that referenced
this pull request
Apr 6, 2026
…loses makeplane#5)
- Updated "without leaving Plane" → "without leaving Tracktor" in plans.tsx
- Updated "in Plane" → "in Tracktor" in plans.tsx
- Updated "throughout Plane" → "throughout Tracktor" in plans.tsx
- Updated @planepowers → @Tracktorapp in metadata
- Updated "Plane |" → "Tracktor |" in app titles
- Updated support@plane.so → support@tracktor.so
- Updated status.plane.so → status.tracktor.so
- Updated app.plane.so URLs → app.tracktor.so
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Kamei-Daisuke
added a commit
to Kamei-Daisuke/plane
that referenced
this pull request
Apr 16, 2026
…text Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Kamei-Daisuke
added a commit
to Kamei-Daisuke/plane
that referenced
this pull request
Apr 17, 2026
…text Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
trussell86
added a commit
to trussell86/Debt.com-Pulse
that referenced
this pull request
Apr 28, 2026
…us badge
Surfaces approval state on work-item cards across kanban, list, gantt,
and calendar layouts so reviewers can scan the queue without opening
every issue. Covers four of the five layouts in one shared-component
edit (apps/web .../properties/all-properties.tsx). Spreadsheet uses its
own column system and is intentionally out of scope here — the day
someone wants approvals visible there too, it's a follow-up adding a
spreadsheet column type.
Backend (apps/api/debtcom_extensions/):
- approvals.py: new ApprovalStatusBulkView at
POST /api/debtcom/workspaces/<slug>/approvals/status/
Body: {"issue_ids": ["uuid", ...]}, capped at 200 per call.
Returns the priority row per issue (active PENDING first, then
most-recent terminal) keyed by issue id. Single annotated query —
same indexes already cover the filter (dcom_apr_iss_st_idx).
- urls.py: route mounted alongside the other approval endpoints.
Frontend (@plane/debtcom-ui):
- components/approval-status-badge/ (new)
- use-approval-status.ts — module-level batching cache. Hook
takes (workspaceSlug, issueId), enqueues with a 50ms debounce,
flushes one POST per workspace, dispatches to all subscribers.
Chunks parallel-fire at 200 ids to match the backend cap.
Exposes invalidateApprovalStatus(slug, ids) so mutation flows
can nudge badges without a full refetch.
- approval-status-badge.tsx — small status pill. Five variants:
⏳ Pending (amber), ✓ Approved (emerald), ✗ Rejected (red),
↻ Changes (sky), ↩ Withdrawn (neutral). Self-renders nothing
when no approval activity exists.
- index.ts barrel.
- services/approvals.ts: added fetchApprovalStatusBulk()
- components/work-item-approvals/work-item-approvals.tsx: calls
invalidateApprovalStatus() after every submit / decide / withdraw
so kanban badges flip without a page reload.
- types.ts: ApprovalStatusSummary + ApprovalStatusByIssue.
- index.ts: barrel re-exports for the new surfaces.
apps/web (DEBTCOM-CUSTOM markers per Rule 6):
- core/components/issues/issue-layouts/properties/all-properties.tsx:
additive — import + JSX block inserted next to the state pill.
Pre-existing `hide-start-date` DEBTCOM-CUSTOM block left intact;
this adds a second independently-marked block.
Verification:
- `pnpm build` in @plane/debtcom-ui → clean.
- `pnpm check:types` in apps/web → only pre-existing baseline errors
(inbox/source-pill, workspace/sidebar/project-navigation); no
errors in any file touched by this change.
Phase 6 v2 plan reminder: this is makeplane#5 of 3. Up next:
- makeplane#3 state-change gating while PENDING
- makeplane#2 smart-prompt banner on state change (Option A — Jira-style)
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
trussell86
added a commit
to trussell86/Debt.com-Pulse
that referenced
this pull request
May 15, 2026
Before: one pin = one IssueComment in the activity feed. A designer dropping 8 pins on the same image in 30 seconds spawned 8 separate bridge comments — accurate but noisy.
Now: when the same actor drops multiple pins on the same asset within a 5-minute window, the signal UPDATES the existing bridge comment in place to aggregate them, instead of creating a new row. Different actor, different asset, different issue, or after the window expires → fresh bridge as before.
Title and body adapt:
1 pin → "Markup makeplane#3 on cover_v2.png"
  <thumbnail>
  > Move headline left, increase line height
  View on canvas →
3 pins → "Markups makeplane#3-makeplane#5 on cover_v2.png" (consecutive)
  <thumbnail>
  • makeplane#3: Move headline left
  • makeplane#4: Logo color is off
  • makeplane#5: Footer text too small
  View on canvas → ← points to pin makeplane#5 (latest)
Gappy → "Markups makeplane#3, makeplane#5, makeplane#7" (non-consecutive runs join)
Mixed → "Markups makeplane#3-makeplane#5, makeplane#8-makeplane#9" (runs of consecutive ids)
Aggregator state (asset_id, pin_numbers, excerpts, latest_annotation_id) lives in comment_json._debtcom_bridge. Hidden from TipTap so it doesn't confuse the editor; survives DB round-trips. If the user manually edits the bridge comment via the UI, Plane's editor overwrites comment_json and our metadata gets wiped — future pins then create a fresh bridge. Acceptable trade-off; users editing auto-posts is rare.
Implementation notes:
- 5-min window (_BRIDGE_AGGREGATION_WINDOW) is a module constant — tune if review volume changes.
- The annotation-create response still inlines the (possibly-aggregated) bridge via _bridge_comment_id stash, so the frontend splices the updated row into the mobx comment store without a refetch. The id stays stable across aggregations, so the splice is an in-place update.
- comment_stripped is auto-derived by IssueComment.save() via strip_tags(comment_html), so we don't have to keep it in sync manually.
- "View on canvas →" link now points at the LATEST pin in the aggregated run, since that's the most recent feedback the reader probably wants to see.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
blitzy Bot
pushed a commit
to Blitzy-Sandbox/blitzy-makeplane
that referenced
this pull request
May 25, 2026
…SDoc
Resolves CP1 QA findings 1-15 (CRITICAL hallucinations) + 16 (MINOR markdown bold):
Critical cross-reference accuracy fixes:
- Issue #1: ce/store/issue/issue-details/activity.store.ts (was core/)
- Issue #2: ce/components/command-palette/ (was core/) — 6 sites
- Issue makeplane#3-4: dashboard/dashboards/** paths replaced with actual consumer paths (analytics, helpers/dashboard.helper.ts, home/widgets) or INTENT UNCLEAR for orphaned constants — 16 sites
- Issue makeplane#5: description editor paths point to actual locations
- Issue makeplane#6: workspace/billing/ (was workspace-billing/) — 5 sites
- Issue makeplane#7: inbox/modals/create-modal/ (was intake/) — 1 site
- Issue makeplane#8: workspace-notifications/ (was notifications/) — 8 sites
- Issue makeplane#9: removed duplicate fabricated profile/settings/ path — 2 sites
- Issue makeplane#10: project-states/ (was states/) — 4 sites
- Issue makeplane#11: workspace/views/ (was workspace-views/) — 1 site
- Issue makeplane#12: INTENT UNCLEAR for EAuthenticationPageType and USER_ALLOWED_PERMISSIONS (no consumers found) — 2 sites
- Issue makeplane#13: issues/issue-layouts/filters/ (was issues/filters/) — 8 sites
- Issue makeplane#14: db/models/integration/ (was app/views/integration/) — 1 site
- Issue makeplane#15: removed hallucinated ::ProjectLink Django class symbol; added INTENT UNCLEAR flag for missing backend mirror — 1 site
Documentation standards fix (MINOR):
- Issue makeplane#16: removed 7 instances of markdown bold (**...**) in JSDoc per AAP §0.2.3 (no markdown boilerplate)
Per AAP §0.2.3 ambiguity protocol ("Flag, do not invent"), unverifiable consumer locations are flagged with INTENT UNCLEAR rather than guessed.
Validation: zero new TS errors (Gate 3 PASS); zero new lint/format violations; no imports/exports changed; no behavior changes — JSDoc-only edits in 22 files across packages/types/src/ and packages/constants/src/.
ColeEdanza
added a commit
to ColeEdanza/plane
that referenced
this pull request
May 26, 2026
…lapse, footer, sidebar groups
Five compound UI changes implementing the Plane.so blog redesign (items makeplane#2, makeplane#3, makeplane#5, makeplane#6, makeplane#7; makeplane#1/makeplane#4/makeplane#8/makeplane#9/makeplane#10/makeplane#11 out of scope per Cole).
- Compact parent pill next to the work-item ID (new IssueParentPill in parent/pill.tsx); fat parent breadcrumb row above the title removed in both the full-screen page and all peek modes.
- Inline properties row under the title: Assignee, Priority, Start, Due as borderless pills with vertical dividers (border-strong), text-body-sm font, gap-x-5 spacing, hover background via transparent-with-text variant. State stays in the peek header from prior commit 03d84b1.
- DescriptionCollapse wrapper around the rich-text editor: clamps to ~200px via ResizeObserver, fade gradient when collapsed, auto-expands on focus, Show more / Show less toggle. Wraps both surfaces.
- IssueMetadataFooter at the bottom of main content: created-by, created, updated, and completed (when set) in a compact row with full-timestamp hover tooltips.
- Sidebar regrouped into three collapsible sections (Properties / Project structure / Custom properties). Assignee, Priority, Start, Due removed from the sidebar since they're inline now. Parent stays as the only way to *add* a parent when none is set.
Title bumped from text-20 to text-28 font-semibold leading-snug py-1; the prior leading-tight clipped ascenders inside the auto-resize textarea.
Touches:
apps/web/core/components/issues/issue-detail/main-content.tsx
apps/web/core/components/issues/issue-detail/sidebar.tsx
apps/web/core/components/issues/issue-detail/parent/index.ts
apps/web/core/components/issues/peek-overview/issue-detail.tsx
+ 4 new files: parent/pill.tsx, inline-properties.tsx, description-collapse.tsx, metadata-footer.tsx
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
blitzy Bot
pushed a commit
to Blitzy-Sandbox/blitzy-makeplane
that referenced
this pull request
Jun 2, 2026
…limit
Resolves QA Checkpoint 8 Critical Issues #1-makeplane#6 reported as production blockers. Documentation-AAP system boundaries are preserved (no dependency changes, no .env changes, no refactoring).
Issue #1-makeplane#4 — Cross-workspace PUT bypass on 4 ViewSets:
ProjectViewSet/IssueViewSet/ModuleViewSet/WorkspaceViewViewSet all inherited DRF UpdateModelMixin.update() unprotected because their url routers register {'put': 'update'} but only partial_update carried the @allow_permission gate (or, for ProjectViewSet, the inline workspace-admin check). Adding an explicit update() override that delegates to partial_update — with the matching @allow_permission decorator — forces PUT and PATCH to share one authoritative authorization path. Also defensively added the same override to IssueViewViewSet so the queryset-filter defense-in-depth cannot silently regress in future refactors. (OWASP A01:2021 Broken Access Control.)
Files:
- apps/api/plane/app/views/project/base.py
- apps/api/plane/app/views/issue/base.py
- apps/api/plane/app/views/module/base.py
- apps/api/plane/app/views/view/base.py
Issue makeplane#5 — CSRF disabled on all DRF endpoints:
BaseSessionAuthentication.enforce_csrf was overridden to a no-op, suppressing DRF's CSRF check on every session-authenticated REST endpoint. The override is removed so DRF's default CSRF enforcement (which requires X-CSRFToken on every unsafe HTTP method) is restored; the docstring now documents this contract and explicitly warns future maintainers not to re-introduce the no-op. Browser SPAs already call /auth/get-csrf-token/ before mutating requests, so no client-side change is needed. (OWASP A01:2021.)
Files:
- apps/api/plane/authentication/session.py
Issue makeplane#6 — No rate limiting on /auth/sign-in/ (brute-force open):
SignInAuthEndpoint and SignUpAuthEndpoint subclass django.views.View (not DRF APIView), so DRF throttle classes never applied even though AuthenticationThrottle exists for the EmailCheck/MagicLink/Forgot endpoints. Added a per-IP sliding-window rate limit (30/min) backed by Django's default cache (django-redis) implemented as _is_authentication_rate_limited(); applied at the top of both POST handlers BEFORE any DB lookup so brute-force traffic cannot drive password-hash work or leak user-existence timing. The same check is applied to the space-tenant sign-in/sign-up endpoints (which share the cache key prefix so a single IP cannot bypass by ping-ponging between surfaces). Returns the standard 302 redirect carrying error_code=5900&error_message=RATE_LIMIT_EXCEEDED so the SPA-side error handler renders the same message as DRF endpoints.
Files:
- apps/api/plane/authentication/views/app/email.py
- apps/api/plane/authentication/views/space/email.py
Validation:
- pydocstyle --convention=pep257 on apps/api/plane/ (excl migrations/tests) — ZERO errors (AAP validation gate 1)
- All 7 modified files compile cleanly (python -m py_compile)
- Live re-verification on a running API server confirmed:
  * Cross-workspace PUT on each of 4 ViewSets → 403 (was 200)
  * POST without/invalid CSRF token → 403 (was 201)
  * Cross-origin POST → 403 (Origin check fires too)
  * 31st bad login attempt → RATE_LIMIT_EXCEEDED (was unbounded)
- Regression tests: User A's own PUT/PATCH/POST/DELETE all still succeed with valid CSRF; safe GET methods unaffected; pre-existing PATCH/DELETE/POST/GET cross-workspace 403s preserved.
Evidence summary in blitzy/qa-fix-evidence/SUMMARY.md; out-of-scope findings (Django EOL, npm CVEs, pip CVEs, header hygiene at proxy layer) in blitzy/qa-fix-evidence/OUT_OF_SCOPE_FINDINGS.md.
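The PUT/PATCH authorization gap that the commit message above describes, modelled in plain Python as an added example (not code from the repository or from DRF). `UpdateModelMixin`, `allow_permission` and the route table are simplified stand-ins, and the role names are assumptions.

```python
import functools

ROUTES = {"put": "update", "patch": "partial_update"}  # router mapping from the commit

class Forbidden(Exception):
    """Stand-in for an HTTP 403 response."""

def allow_permission(roles):
    """Simplified stand-in for the project's decorator: gate on the caller's role."""
    def wrap(fn):
        @functools.wraps(fn)  # also sets __wrapped__, which the audit below relies on
        def gated(self, request, *args, **kwargs):
            if request["role"] not in roles:
                raise Forbidden(fn.__name__)
            return fn(self, request, *args, **kwargs)
        return gated
    return wrap

class UpdateModelMixin:
    """Stand-in for DRF's mixin: update() carries no permission check of its own."""
    def update(self, request, *args, **kwargs):
        self.store.update(request["data"])
        return 200

class VulnerableViewSet(UpdateModelMixin):
    def __init__(self):
        self.store = {"name": "original"}

    @allow_permission(["ADMIN"])  # only PATCH is gated; PUT reaches the mixin
    def partial_update(self, request, *args, **kwargs):
        self.store.update(request["data"])
        return 200

class FixedViewSet(VulnerableViewSet):
    @allow_permission(["ADMIN"])  # PUT now shares the PATCH authorization path
    def update(self, request, *args, **kwargs):
        return self.partial_update(request, *args, **kwargs)

def dispatch(viewset, method, request):
    """Route an HTTP method to its handler, mapping Forbidden to 403."""
    try:
        return getattr(viewset, ROUTES[method])(request)
    except Forbidden:
        return 403

def ungated_routes(viewset_cls):
    """Audit: routed methods whose handler never passed through allow_permission."""
    return sorted(m for m, name in ROUTES.items()
                  if not hasattr(getattr(viewset_cls, name), "__wrapped__"))
```

`ungated_routes` is the kind of check that can run in a test suite over every registered viewset, so a handler inherited from a mixin without a gate fails the build.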
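A per-IP sliding-window limit of the kind the commit message above describes for the sign-in endpoints, as an added example rather than the repository's `_is_authentication_rate_limited()`. The `SlidingWindowLimiter` class, the `sign_in` handler, the `auth-rl` key prefix and the dict standing in for Django's cache are assumptions.

```python
import time

WINDOW_SECONDS = 60
MAX_ATTEMPTS = 30        # the commit's stated limit: 30 per minute per IP
KEY_PREFIX = "auth-rl"   # hypothetical prefix, shared by the app and space surfaces


class SlidingWindowLimiter:
    """Per-IP sliding-window limiter over a dict standing in for the cache."""

    def __init__(self, cache=None, clock=time.monotonic):
        self.cache = {} if cache is None else cache
        self.clock = clock

    def is_limited(self, client_ip):
        """Record one attempt; return True when it exceeds the window budget."""
        now = self.clock()
        # The key carries no surface name, so switching between the app and
        # space endpoints draws on the same budget.
        key = f"{KEY_PREFIX}:{client_ip}"
        # Keep only attempts still inside the window, then count this one.
        recent = [t for t in self.cache.get(key, []) if now - t < WINDOW_SECONDS]
        recent.append(now)
        # Blocked attempts are recorded too; storage is bounded per key.
        self.cache[key] = recent[-(MAX_ATTEMPTS + 1):]
        return len(recent) > MAX_ATTEMPTS


def sign_in(limiter, client_ip, check_password):
    """Hypothetical handler: the limit check runs before any credential work."""
    if limiter.is_limited(client_ip):
        return "RATE_LIMIT_EXCEEDED"
    return "OK" if check_password() else "INVALID_CREDENTIALS"
```

Against a cache shared by several workers, the read-modify-write in `is_limited` has to be atomic, otherwise concurrent requests can each see a count below the limit.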
blitzy Bot
pushed a commit
to Blitzy-Sandbox/blitzy-makeplane
that referenced
this pull request
Jun 2, 2026
…e issues
Targeted, behavior-only source fixes for 8 runtime findings from QA Checkpoint 9 (real-time collaboration + integration E2E). No new dependencies, no .env changes, no refactoring -- consistent with the branch's established remediation pattern (cf. d061338, which resolved Checkpoint 8 with behavioral fixes while preserving the documentation-AAP system boundaries).
apps/live (Directive 4 surface):
- #1 CSRF persistence (CRITICAL): ProjectPageService now extracts the session `csrftoken` cookie from the forwarded WS-handshake Cookie header and echoes it as the `X-CSRFToken` header, so service-to-service PATCHes (page description, title, HTML->binary backfill) pass apps/api's restored DRF CSRF enforcement instead of failing 403. Cascades to resolve makeplane#6 and the Info-3 doc-bloat.
- #2 + makeplane#5 unhandled-rejection crashes (CRITICAL): subscribe the `hocuspocus:admin` channel on a DEDICATED duplicated ioredis connection so the base @hocuspocus/extension-redis `messageBuffer` Yjs decoder never receives admin JSON (the lib0 "Unexpected end of array" / "Invalid typed array length" rejections). Added a defensive try/catch around force-close teardown in database.ts as defense-in-depth.
- makeplane#6 HTML->binary backfill silent crash (CRITICAL): resolved downstream of #1 (the 403 was the trigger); backfill now persists and the process stays alive.
- makeplane#3 WS 1006 / makeplane#4 process crash (CRITICAL): no source change required -- makeplane#3 is a dev-only HMR/upgrade-timing artifact that self-recovers; makeplane#4's crash root causes are eliminated by #1/#2/makeplane#5/makeplane#6 and the existing non-exiting global handlers.
apps/api (Directive 1 surface):
- makeplane#7 webhook 5xx not retried (CRITICAL): raise requests.RequestException on a >=500 response so Celery's autoretry_for drives the backoff/retry and the retry-exhaustion branch deactivates the webhook (tech spec 4.5). 4xx remain permanent (logged, not retried).
- makeplane#8 notification print() swallow (MAJOR): replace the bare `print(e)` with `logger.exception(...)` via a `plane.worker` logger so failures surface with a full traceback; the task stays fire-and-forget (no re-raise).
Deferred:
- makeplane#9 MinIO dev endpoint (MINOR): the only fix requires editing apps/api/.env, which is forbidden by the AAP system boundary ("No .env files modified"); dev-only, not a production bug per QA's own assessment.
Verification: all 8 actionable findings runtime-verified against the full Docker stack (apps/api + Celery + apps/live + apps/web). Static gates green -- pydocstyle --convention=pep257 (apps/api/plane) zero errors; `turbo run check:types` 18/18 successful; oxlint/oxfmt clean on the 3 TS files; ruff clean on the 2 Python files.
No description provided.