feat: implement 8 OpenSpec proposals for security, reliability, and UX improvements

## Security Enhancements (P0) - Add input validation with max_length and numeric range constraints - Implement WebSocket token authentication via first message - Add path traversal prevention in file storage service ## Permission Enhancements (P0) - Add project member management for cross-department access - Implement is_department_manager flag for workload visibility ## Cycle Detection (P0) - Add DFS-based cycle detection for task dependencies - Add formula field circular reference detection - Display user-friendly cycle path visualization ## Concurrency & Reliability (P1) - Implement optimistic locking with version field (409 Conflict on mismatch) - Add trigger retry mechanism with exponential backoff (1s, 2s, 4s) - Implement cascade restore for soft-deleted tasks ## Rate Limiting (P1) - Add tiered rate limits: standard (60/min), sensitive (20/min), heavy (5/min) - Apply rate limits to tasks, reports, attachments, and comments ## Frontend Improvements (P1) - Add responsive sidebar with hamburger menu for mobile - Improve touch-friendly UI with proper tap target sizes - Complete i18n translations for all components ## Backend Reliability (P2) - Configure database connection pool (size=10, overflow=20) - Add Redis fallback mechanism with message queue - Add blocker check before task deletion ## API Enhancements (P3) - Add standardized response wrapper utility - Add /health/ready and /health/live endpoints - Implement project templates with status/field copying ## Tests Added - test_input_validation.py - Schema and path traversal tests - test_concurrency_reliability.py - Optimistic locking and retry tests - test_backend_reliability.py - Connection pool and Redis tests - test_api_enhancements.py - Health check and template tests Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-10 22:13:43 +08:00
parent 96210c7ad4
commit 3bdc6ff1c9
106 changed files with 9704 additions and 429 deletions
--- a/backend/app/schemas/auth.py
+++ b/backend/app/schemas/auth.py
@@ -1,10 +1,10 @@
-from pydantic import BaseModel
+from pydantic import BaseModel, Field
 from typing import Optional


 class LoginRequest(BaseModel):
-    email: str
-    password: str
+    email: str = Field(..., max_length=255)
+    password: str = Field(..., min_length=1, max_length=128)


 class LoginResponse(BaseModel):
--- a/backend/app/schemas/department.py
+++ b/backend/app/schemas/department.py
@@ -1,10 +1,10 @@
-from pydantic import BaseModel
+from pydantic import BaseModel, Field
 from typing import Optional
 from datetime import datetime


 class DepartmentBase(BaseModel):
-    name: str
+    name: str = Field(..., min_length=1, max_length=200)
    parent_id: Optional[str] = None


@@ -13,7 +13,7 @@ class DepartmentCreate(DepartmentBase):


 class DepartmentUpdate(BaseModel):
-    name: Optional[str] = None
+    name: Optional[str] = Field(None, min_length=1, max_length=200)
    parent_id: Optional[str] = None


--- a/backend/app/schemas/project.py
+++ b/backend/app/schemas/project.py
@@ -1,4 +1,4 @@
-from pydantic import BaseModel
+from pydantic import BaseModel, Field
 from typing import Optional
 from datetime import datetime, date
 from decimal import Decimal
@@ -12,9 +12,9 @@ class SecurityLevel(str, Enum):


 class ProjectBase(BaseModel):
-    title: str
-    description: Optional[str] = None
-    budget: Optional[Decimal] = None
+    title: str = Field(..., min_length=1, max_length=500)
+    description: Optional[str] = Field(None, max_length=10000)
+    budget: Optional[Decimal] = Field(None, ge=0, le=99999999999)
    start_date: Optional[date] = None
    end_date: Optional[date] = None
    security_level: SecurityLevel = SecurityLevel.DEPARTMENT
@@ -25,13 +25,13 @@ class ProjectCreate(ProjectBase):


 class ProjectUpdate(BaseModel):
-    title: Optional[str] = None
-    description: Optional[str] = None
-    budget: Optional[Decimal] = None
+    title: Optional[str] = Field(None, min_length=1, max_length=500)
+    description: Optional[str] = Field(None, max_length=10000)
+    budget: Optional[Decimal] = Field(None, ge=0, le=99999999999)
    start_date: Optional[date] = None
    end_date: Optional[date] = None
    security_level: Optional[SecurityLevel] = None
-    status: Optional[str] = None
+    status: Optional[str] = Field(None, max_length=50)
    department_id: Optional[str] = None


--- a/backend/app/schemas/project_member.py
+++ b/backend/app/schemas/project_member.py
@@ -0,0 +1,56 @@
+"""Project member schemas for cross-department collaboration."""
+from pydantic import BaseModel, Field
+from typing import Optional, List
+from datetime import datetime
+from enum import Enum
+
+
+class ProjectMemberRole(str, Enum):
+    """Roles that can be assigned to project members."""
+    MEMBER = "member"
+    ADMIN = "admin"
+
+
+class ProjectMemberBase(BaseModel):
+    """Base schema for project member."""
+    user_id: str = Field(..., description="ID of the user to add as project member")
+    role: ProjectMemberRole = Field(
+        default=ProjectMemberRole.MEMBER,
+        description="Role of the member: 'member' (view/edit tasks) or 'admin' (manage project)"
+    )
+
+
+class ProjectMemberCreate(ProjectMemberBase):
+    """Schema for creating a project member."""
+    pass
+
+
+class ProjectMemberUpdate(BaseModel):
+    """Schema for updating a project member."""
+    role: ProjectMemberRole = Field(..., description="New role for the member")
+
+
+class ProjectMemberResponse(ProjectMemberBase):
+    """Schema for project member response."""
+    id: str
+    project_id: str
+    added_by: str
+    created_at: datetime
+
+    class Config:
+        from_attributes = True
+
+
+class ProjectMemberWithDetails(ProjectMemberResponse):
+    """Schema for project member with user details."""
+    user_name: Optional[str] = None
+    user_email: Optional[str] = None
+    user_department_id: Optional[str] = None
+    user_department_name: Optional[str] = None
+    added_by_name: Optional[str] = None
+
+
+class ProjectMemberListResponse(BaseModel):
+    """Schema for listing project members."""
+    members: List[ProjectMemberWithDetails]
+    total: int
--- a/backend/app/schemas/project_template.py
+++ b/backend/app/schemas/project_template.py
@@ -0,0 +1,95 @@
+"""Schemas for project template API endpoints."""
+from typing import Optional, List, Any
+from datetime import datetime
+from pydantic import BaseModel, Field
+
+
+class TaskStatusDefinition(BaseModel):
+    """Task status definition for templates."""
+    name: str = Field(..., min_length=1, max_length=50)
+    color: str = Field(default="#808080", pattern=r"^#[0-9A-Fa-f]{6}$")
+    position: int = Field(default=0, ge=0)
+    is_done: bool = Field(default=False)
+
+
+class CustomFieldDefinition(BaseModel):
+    """Custom field definition for templates."""
+    name: str = Field(..., min_length=1, max_length=100)
+    field_type: str = Field(..., pattern=r"^(text|number|dropdown|date|person|formula)$")
+    options: Optional[List[str]] = None
+    formula: Optional[str] = None
+    is_required: bool = Field(default=False)
+    position: int = Field(default=0, ge=0)
+
+
+class ProjectTemplateBase(BaseModel):
+    """Base schema for project template."""
+    name: str = Field(..., min_length=1, max_length=200)
+    description: Optional[str] = None
+    is_public: bool = Field(default=False)
+    task_statuses: Optional[List[TaskStatusDefinition]] = None
+    custom_fields: Optional[List[CustomFieldDefinition]] = None
+    default_security_level: Optional[str] = Field(
+        default="department",
+        pattern=r"^(public|department|confidential)$"
+    )
+
+
+class ProjectTemplateCreate(ProjectTemplateBase):
+    """Schema for creating a project template."""
+    pass
+
+
+class ProjectTemplateUpdate(BaseModel):
+    """Schema for updating a project template."""
+    name: Optional[str] = Field(None, min_length=1, max_length=200)
+    description: Optional[str] = None
+    is_public: Optional[bool] = None
+    task_statuses: Optional[List[TaskStatusDefinition]] = None
+    custom_fields: Optional[List[CustomFieldDefinition]] = None
+    default_security_level: Optional[str] = Field(
+        None,
+        pattern=r"^(public|department|confidential)$"
+    )
+
+
+class ProjectTemplateResponse(ProjectTemplateBase):
+    """Schema for project template response."""
+    id: str
+    owner_id: str
+    is_active: bool
+    created_at: datetime
+    updated_at: datetime
+
+    class Config:
+        from_attributes = True
+
+
+class ProjectTemplateWithOwner(ProjectTemplateResponse):
+    """Project template response with owner details."""
+    owner_name: Optional[str] = None
+
+
+class ProjectTemplateListResponse(BaseModel):
+    """Response schema for listing project templates."""
+    templates: List[ProjectTemplateWithOwner]
+    total: int
+
+
+class CreateProjectFromTemplateRequest(BaseModel):
+    """Request schema for creating a project from a template."""
+    template_id: str
+    title: str = Field(..., min_length=1, max_length=500)
+    description: Optional[str] = Field(None, max_length=10000)
+    space_id: str
+    department_id: Optional[str] = None
+
+
+class CreateProjectFromTemplateResponse(BaseModel):
+    """Response schema for project created from template."""
+    id: str
+    title: str
+    template_id: str
+    template_name: str
+    task_statuses_created: int
+    custom_fields_created: int
--- a/backend/app/schemas/space.py
+++ b/backend/app/schemas/space.py
@@ -1,11 +1,11 @@
-from pydantic import BaseModel
+from pydantic import BaseModel, Field
 from typing import Optional
 from datetime import datetime


 class SpaceBase(BaseModel):
-    name: str
-    description: Optional[str] = None
+    name: str = Field(..., min_length=1, max_length=200)
+    description: Optional[str] = Field(None, max_length=2000)


 class SpaceCreate(SpaceBase):
@@ -13,8 +13,8 @@ class SpaceCreate(SpaceBase):


 class SpaceUpdate(BaseModel):
-    name: Optional[str] = None
-    description: Optional[str] = None
+    name: Optional[str] = Field(None, min_length=1, max_length=200)
+    description: Optional[str] = Field(None, max_length=2000)


 class SpaceResponse(SpaceBase):
--- a/backend/app/schemas/task.py
+++ b/backend/app/schemas/task.py
@@ -1,4 +1,4 @@
-from pydantic import BaseModel, computed_field
+from pydantic import BaseModel, computed_field, Field, field_validator
 from typing import Optional, List, Any, Dict
 from datetime import datetime
 from decimal import Decimal
@@ -28,10 +28,10 @@ class CustomValueResponse(BaseModel):


 class TaskBase(BaseModel):
-    title: str
-    description: Optional[str] = None
+    title: str = Field(..., min_length=1, max_length=500)
+    description: Optional[str] = Field(None, max_length=10000)
    priority: Priority = Priority.MEDIUM
-    original_estimate: Optional[Decimal] = None
+    original_estimate: Optional[Decimal] = Field(None, ge=0, le=99999)
    start_date: Optional[datetime] = None
    due_date: Optional[datetime] = None

@@ -44,17 +44,18 @@ class TaskCreate(TaskBase):


 class TaskUpdate(BaseModel):
-    title: Optional[str] = None
-    description: Optional[str] = None
+    title: Optional[str] = Field(None, min_length=1, max_length=500)
+    description: Optional[str] = Field(None, max_length=10000)
    priority: Optional[Priority] = None
    status_id: Optional[str] = None
    assignee_id: Optional[str] = None
-    original_estimate: Optional[Decimal] = None
-    time_spent: Optional[Decimal] = None
+    original_estimate: Optional[Decimal] = Field(None, ge=0, le=99999)
+    time_spent: Optional[Decimal] = Field(None, ge=0, le=99999)
    start_date: Optional[datetime] = None
    due_date: Optional[datetime] = None
-    position: Optional[int] = None
+    position: Optional[int] = Field(None, ge=0)
    custom_values: Optional[List[CustomValueInput]] = None
+    version: Optional[int] = Field(None, ge=1, description="Version for optimistic locking")


 class TaskStatusUpdate(BaseModel):
@@ -77,6 +78,7 @@ class TaskResponse(TaskBase):
    created_by: str
    created_at: datetime
    updated_at: datetime
+    version: int = 1  # Optimistic locking version

    class Config:
        from_attributes = True
@@ -100,3 +102,32 @@ class TaskWithDetails(TaskResponse):
 class TaskListResponse(BaseModel):
    tasks: List[TaskWithDetails]
    total: int
+
+
+class TaskRestoreRequest(BaseModel):
+    """Request body for restoring a soft-deleted task."""
+    cascade: bool = Field(
+        default=True,
+        description="If True, also restore child tasks deleted at the same time. If False, restore only the parent task."
+    )
+
+
+class TaskRestoreResponse(BaseModel):
+    """Response for task restore operation."""
+    restored_task: TaskResponse
+    restored_children_count: int = 0
+    restored_children_ids: List[str] = []
+
+
+class TaskDeleteWarningResponse(BaseModel):
+    """Response when task has unresolved blockers and force_delete is False."""
+    warning: str
+    blocker_count: int
+    message: str = "Task has unresolved blockers. Use force_delete=true to delete anyway."
+
+
+class TaskDeleteResponse(BaseModel):
+    """Response for task delete operation."""
+    task: TaskResponse
+    blockers_resolved: int = 0
+    force_deleted: bool = False
--- a/backend/app/schemas/task_dependency.py
+++ b/backend/app/schemas/task_dependency.py
@@ -76,3 +76,46 @@ class DependencyValidationError(BaseModel):
    error_type: str  # 'circular', 'self_reference', 'duplicate', 'cross_project'
    message: str
    details: Optional[dict] = None
+
+
+class BulkDependencyItem(BaseModel):
+    """Single dependency item for bulk operations."""
+    predecessor_id: str
+    successor_id: str
+    dependency_type: DependencyType = DependencyType.FS
+    lag_days: int = 0
+
+    @field_validator('lag_days')
+    @classmethod
+    def validate_lag_days(cls, v):
+        if v < -365 or v > 365:
+            raise ValueError('lag_days must be between -365 and 365')
+        return v
+
+
+class BulkDependencyCreate(BaseModel):
+    """Schema for creating multiple dependencies at once."""
+    dependencies: List[BulkDependencyItem]
+
+    @field_validator('dependencies')
+    @classmethod
+    def validate_dependencies(cls, v):
+        if not v:
+            raise ValueError('At least one dependency is required')
+        if len(v) > 50:
+            raise ValueError('Cannot create more than 50 dependencies at once')
+        return v
+
+
+class BulkDependencyValidationResult(BaseModel):
+    """Result of bulk dependency validation."""
+    valid: bool
+    errors: List[dict] = []
+
+
+class BulkDependencyCreateResponse(BaseModel):
+    """Response for bulk dependency creation."""
+    created: List[TaskDependencyResponse]
+    failed: List[dict] = []
+    total_created: int
+    total_failed: int
--- a/backend/app/schemas/task_status.py
+++ b/backend/app/schemas/task_status.py
@@ -1,12 +1,12 @@
-from pydantic import BaseModel
+from pydantic import BaseModel, Field
 from typing import Optional
 from datetime import datetime


 class TaskStatusBase(BaseModel):
-    name: str
-    color: str = "#808080"
-    position: int = 0
+    name: str = Field(..., min_length=1, max_length=100)
+    color: str = Field("#808080", max_length=20)
+    position: int = Field(0, ge=0)
    is_done: bool = False


@@ -15,9 +15,9 @@ class TaskStatusCreate(TaskStatusBase):


 class TaskStatusUpdate(BaseModel):
-    name: Optional[str] = None
-    color: Optional[str] = None
-    position: Optional[int] = None
+    name: Optional[str] = Field(None, min_length=1, max_length=100)
+    color: Optional[str] = Field(None, max_length=20)
+    position: Optional[int] = Field(None, ge=0)
    is_done: Optional[bool] = None


--- a/backend/app/schemas/user.py
+++ b/backend/app/schemas/user.py
@@ -1,16 +1,16 @@
-from pydantic import BaseModel, field_validator
+from pydantic import BaseModel, Field, field_validator
 from typing import Optional, List
 from datetime import datetime
 from decimal import Decimal


 class UserBase(BaseModel):
-    email: str
-    name: str
+    email: str = Field(..., max_length=255)
+    name: str = Field(..., min_length=1, max_length=200)
    department_id: Optional[str] = None
    role_id: Optional[str] = None
    skills: Optional[List[str]] = None
-    capacity: Optional[Decimal] = Decimal("40.00")
+    capacity: Optional[Decimal] = Field(Decimal("40.00"), ge=0, le=168)


 class UserCreate(UserBase):
@@ -18,11 +18,11 @@ class UserCreate(UserBase):


 class UserUpdate(BaseModel):
-    name: Optional[str] = None
+    name: Optional[str] = Field(None, min_length=1, max_length=200)
    department_id: Optional[str] = None
    role_id: Optional[str] = None
    skills: Optional[List[str]] = None
-    capacity: Optional[Decimal] = None
+    capacity: Optional[Decimal] = Field(None, ge=0, le=168)
    is_active: Optional[bool] = None