feat: implement 8 OpenSpec proposals for security, reliability, and UX improvements

## Security Enhancements (P0) - Add input validation with max_length and numeric range constraints - Implement WebSocket token authentication via first message - Add path traversal prevention in file storage service ## Permission Enhancements (P0) - Add project member management for cross-department access - Implement is_department_manager flag for workload visibility ## Cycle Detection (P0) - Add DFS-based cycle detection for task dependencies - Add formula field circular reference detection - Display user-friendly cycle path visualization ## Concurrency & Reliability (P1) - Implement optimistic locking with version field (409 Conflict on mismatch) - Add trigger retry mechanism with exponential backoff (1s, 2s, 4s) - Implement cascade restore for soft-deleted tasks ## Rate Limiting (P1) - Add tiered rate limits: standard (60/min), sensitive (20/min), heavy (5/min) - Apply rate limits to tasks, reports, attachments, and comments ## Frontend Improvements (P1) - Add responsive sidebar with hamburger menu for mobile - Improve touch-friendly UI with proper tap target sizes - Complete i18n translations for all components ## Backend Reliability (P2) - Configure database connection pool (size=10, overflow=20) - Add Redis fallback mechanism with message queue - Add blocker check before task deletion ## API Enhancements (P3) - Add standardized response wrapper utility - Add /health/ready and /health/live endpoints - Implement project templates with status/field copying ## Tests Added - test_input_validation.py - Schema and path traversal tests - test_concurrency_reliability.py - Optimistic locking and retry tests - test_backend_reliability.py - Connection pool and Redis tests - test_api_enhancements.py - Health check and template tests Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-10 22:13:43 +08:00
parent 96210c7ad4
commit 3bdc6ff1c9
106 changed files with 9704 additions and 429 deletions
--- a/backend/app/api/custom_fields/router.py
+++ b/backend/app/api/custom_fields/router.py
@@ -91,13 +91,17 @@ async def create_custom_field(
                detail="Formula is required for formula fields",
            )

-        is_valid, error_msg = FormulaService.validate_formula(
+        is_valid, error_msg, cycle_path = FormulaService.validate_formula_with_details(
            field_data.formula, project_id, db
        )
        if not is_valid:
+            detail = {"message": error_msg}
+            if cycle_path:
+                detail["cycle_path"] = cycle_path
+                detail["cycle_description"] = " -> ".join(cycle_path)
            raise HTTPException(
                status_code=status.HTTP_400_BAD_REQUEST,
-                detail=error_msg,
+                detail=detail,
            )

    # Get next position
@@ -229,13 +233,17 @@ async def update_custom_field(

    # Validate formula if updating formula field
    if field.field_type == "formula" and field_data.formula is not None:
-        is_valid, error_msg = FormulaService.validate_formula(
+        is_valid, error_msg, cycle_path = FormulaService.validate_formula_with_details(
            field_data.formula, field.project_id, db, field_id
        )
        if not is_valid:
+            detail = {"message": error_msg}
+            if cycle_path:
+                detail["cycle_path"] = cycle_path
+                detail["cycle_description"] = " -> ".join(cycle_path)
            raise HTTPException(
                status_code=status.HTTP_400_BAD_REQUEST,
-                detail=error_msg,
+                detail=detail,
            )

    # Validate options if updating dropdown field