Release: dev → main (all features since initial)#5
Conversation
- dev branch is the active development branch - main is release-only, updated via PRs from dev - Dokploy deploys from dev on OneDev - Document daily workflow for all agents
…dated - Add UserAvatar component with /api/avatars/:identity + colored initials fallback - Add avatar upload (POST /api/avatars/:identity) and serve (GET) endpoints - Replace all hardcoded AVATARS maps across swarm, admin, presence, nav - Admin page: hover-to-upload avatar overlay on user cards - Kanban columns now sort tasks by most recently updated first - Mobile swarm view already uses linear list (task was pre-done)
- Don't prepend 'Re: ' if subject already starts with it - Add search input to Swarm page (desktop + mobile) that filters tasks by title/detail
…filters - Add tags, expires_at, review_at columns to notebook_pages (manual SQL) - Add linked_notebook_pages column to swarm_tasks - Notebook API: create/update endpoints accept tags, expiresAt, reviewAt - Swarm API: create/update accept linkedNotebookPages - Tag editor component in page editor (add/remove tags inline) - Expiration banner (red, historical only) and review banner (amber, outdated) - Date pickers for expiration and review dates in page settings - Sticky swarm filters (project + assignee persisted to localStorage) - Schema types updated for both tables
…task-notebook page links - Task bd734e9d: Persist swarm filter selections (assignee, project) to localStorage - Task b7e30a92: Add tags to notebook pages with filter UI, sticky tag filters - Task b46070e2: Add expiration/review dates with banners and date pickers - Task acd37e97: Link notebook pages to swarm tasks via junction table + UI
- Mobile now always renders ListView (grouped by status with collapsible sections) - Removed mobile status tabs (list view already groups by status) - Added show/hide completed toggle to mobile toolbar - Desktop kanban board unchanged
Adds an optional 'follow_up' text column to swarm_tasks so agents can post status updates without overwriting the original task detail. - Schema: new follow_up column - API: exposed in GET, accepted in POST/PATCH - UI: displayed in card, board, and detail views; editable in task editor - Skill doc: documented in swarm skill - Migration: ALTER TABLE (manual, not db:push)
… visibility on linked pages Addresses PR #1 code review findings: - Remove duplicate tags/expiresAt/reviewAt in notebookPages schema - Add composite primary key to swarm_task_notebook_pages (already exists in DB) - Enforce notebook visibility rules on GET /api/swarm/tasks/:id/notebook-pages
…n file - Notebook date pickers now use local time instead of UTC for datetime-local inputs - Avatar upload deletes prior format variants before saving (prevents stale JPEG shadowing PNG/WebP) - Added SQL migration 0002 for notebook tags/dates, task-notebook links, and follow_up column
- Migrate biome.json schema from 2.0.0 to 2.3.15 (organizeImports → assist) - Add file includes to scope linting to src/server/tests/app - Exclude CSS (Tailwind v4 syntax not supported by biome parser) - Downgrade noisy pre-existing rules to warn/off (noExplicitAny, a11y, etc.) - Auto-format all files to biome standards - All lint errors resolved, tests passing
GoZumie
left a comment
GoZumie
left a comment
There was a problem hiding this comment.
Thanks — I can’t approve this as-is.
Key issues:
- Scope mismatch: PR title says ‘README update + docs link fix’, but it contains very large functional changes (164 files, +12k/-1.9k) including API routes, DB schema/migrations (drizzle/0002...), UI components, auth, avatars, notebook/swarm features, and a package-lock change.
- Branching policy concern: AGENTS.md in this PR states main is release-only; merging all these features to main in one shot defeats that policy unless this is intended as a full release.
- Mergeable=CONFLICTING: this PR currently has merge conflicts and can’t be merged cleanly.
- CI coverage: only CodeQL shows up; no unit/integration test workflow results are reported here.
Requested changes (to get to an approval):
- Resolve merge conflicts by rebasing dev onto main (or merging main into dev) and push.
- Either (a) split into smaller PRs (docs-only, migrations/schema, feature batches) OR (b) explicitly treat this as a release PR: update title/description + add a clear changelog/upgrade notes.
- Ensure CI runs for tests/lint/build and are green for this PR.
- For the DB changes: confirm deployment/upgrade path (when/how to apply drizzle/0002) and that the migration is idempotent for existing installs.
Happy to re-review once the above are addressed.
# Conflicts: # README.md
GoDoming
changed the title
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 6e23a99b0b
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
GoZumie
left a comment
GoZumie
left a comment
There was a problem hiding this comment.
Re-reviewed: merge conflicts appear resolved (mergeable), and CI (lint/test/build + CodeQL) is green. Current diff is now docs-only (README.md). Approving.
…ity in SQL - Added linked_notebook_pages column to migration 0002 (was in schema but missing from SQL) - Replaced sql.raw() identity interpolation with parameterized queries in notebook-pages, notebook index, and directory endpoints
- Remove 'value' from MarkdownEditor useEffect deps to prevent editor/WebSocket teardown on parent re-renders (metadata saves were causing the editor to reinitialize and lose content) - Lock now blocks editing for ALL users (not just non-owners) - Source mode button disabled when page is locked - Auto-switch to preview mode when locking a page - Server-side: WS handler rejects updates to locked pages
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 19a05f78eb
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: a646e41746
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
Polls every 10s for content changes when viewing in preview mode, so viewers see updates made by others without switching to source.
- Auto-generated routeTree.gen.ts excluded from lint/format checks - Wrapped fetchAll in useCallback to fix exhaustive deps warning in admin
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 71a7a43108
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
- Delete now sets archived_at timestamp instead of removing the row - Archived pages hidden from list view but still accessible via direct link - Archived pages show a banner and are read-only (no source editing, no title changes) - Delete button relabeled to 'Archive' with updated confirmation text - Added migration 0003 for archived_at column
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: a903094d15
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
- PATCH endpoint returns 403 for archived pages - WebSocket handler rejects updates to archived pages - Both API and WS now check archivedAt before accepting changes
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 77de4f8847
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
- New attachments table (entity_type + entity_id polymorphic) - CRUD endpoints: POST/GET /api/attachments, GET/DELETE /api/attachments/:id - Supports images, PDF, and text-based docs (json, yaml, md, excalidraw) - Max 10MB file size, stored on disk with Docker volume persistence - Creator or admin can delete; any authenticated user can upload/view
- Cache lock/archive state in WS doc entry instead of per-keystroke DB queries
- Send readonly/editable events to WS peers on lock/archive state changes
- Client handles readonly events by switching to preview mode
- Preview polling no longer overwrites in-progress title edits
- Add unarchive support via PATCH {archived: false} (owner/admin only)
- Fix lint issues in new files (attachments, swarm context/tags)
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 94c50d5b46
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
| pages = await db | ||
| .select() | ||
| .from(notebookPages) | ||
| .where(inArray(notebookPages.id, idsByType.notebook_page)); |
There was a problem hiding this comment.
GET /api/swarm/projects/:id/context says it respects visibility, but this block fetches tagged notebook pages (and the next block does the same for directory entries) without applying the per-user visibility checks used elsewhere (server/routes/api/notebook/[id].get.ts and server/routes/api/directory/index.get.ts). If a private page/link is tagged to a project, any authenticated caller who can access this endpoint can receive its content/metadata, which is an authorization bypass.
Useful? React with 👍 / 👎.
| const [attachment] = await db | ||
| .select() | ||
| .from(attachments) | ||
| .where(eq(attachments.id, id)) |
There was a problem hiding this comment.
This download handler authenticates the token but never checks whether the caller can access the attachment’s parent task/notebook page before streaming the file. The same entity-level authorization gap exists in the new attachment list/upload routes, so a user who knows an ID can read or add attachments for notebook pages they cannot open via the notebook ACL path.
Useful? React with 👍 / 👎.
| idsByType.chat_message.map((id) => Number(id)), | ||
| ), |
There was a problem hiding this comment.
contentId is accepted as any string when tags are created, but context building later casts chat-message IDs with Number(id) for a bigint IN clause. If a stored tag has a non-numeric value, this becomes NaN and the query can fail at runtime, turning /api/swarm/projects/:id/context into a 500 for that project until the bad tag is removed.
Useful? React with 👍 / 👎.
4 participants
Release PR — dev → main
This is a full release merge bringing
mainup to date withdev.What's included
Features:
Infrastructure:
0002— additive (new tables/columns, no destructive changes). Applied automatically on deploy.Docs:
Branch fix
Merged
mainintodevto resolve conflicts caused by prior squash-merge divergence. All 3 previous main commits are now ancestors of this branch.CI
CodeQL is the current CI workflow. No test workflow is configured yet (tracked separately).
bun run buildandbun run lintpass locally.DB migration path
drizzle/0002is additive only — new tables and columns. Safe to apply on existing installs. The Docker entrypoint runs migrations automatically.