feat: implement 8 OpenSpec proposals for security, reliability, and UX improvements

## Security Enhancements (P0) - Add input validation with max_length and numeric range constraints - Implement WebSocket token authentication via first message - Add path traversal prevention in file storage service ## Permission Enhancements (P0) - Add project member management for cross-department access - Implement is_department_manager flag for workload visibility ## Cycle Detection (P0) - Add DFS-based cycle detection for task dependencies - Add formula field circular reference detection - Display user-friendly cycle path visualization ## Concurrency & Reliability (P1) - Implement optimistic locking with version field (409 Conflict on mismatch) - Add trigger retry mechanism with exponential backoff (1s, 2s, 4s) - Implement cascade restore for soft-deleted tasks ## Rate Limiting (P1) - Add tiered rate limits: standard (60/min), sensitive (20/min), heavy (5/min) - Apply rate limits to tasks, reports, attachments, and comments ## Frontend Improvements (P1) - Add responsive sidebar with hamburger menu for mobile - Improve touch-friendly UI with proper tap target sizes - Complete i18n translations for all components ## Backend Reliability (P2) - Configure database connection pool (size=10, overflow=20) - Add Redis fallback mechanism with message queue - Add blocker check before task deletion ## API Enhancements (P3) - Add standardized response wrapper utility - Add /health/ready and /health/live endpoints - Implement project templates with status/field copying ## Tests Added - test_input_validation.py - Schema and path traversal tests - test_concurrency_reliability.py - Optimistic locking and retry tests - test_backend_reliability.py - Connection pool and Redis tests - test_api_enhancements.py - Health check and template tests Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-10 22:13:43 +08:00
parent 96210c7ad4
commit 3bdc6ff1c9
106 changed files with 9704 additions and 429 deletions
--- a/openspec/changes/archive/2026-01-10-add-rate-limiting-expansion/proposal.md
+++ b/openspec/changes/archive/2026-01-10-add-rate-limiting-expansion/proposal.md
@@ -0,0 +1,17 @@
+# Change: Expand Rate Limiting to Sensitive API Endpoints
+
+## Why
+Currently only the login endpoint has rate limiting. Other sensitive operations (task creation, report generation, bulk operations) can be abused through excessive requests, potentially causing service degradation or enabling brute-force attacks.
+
+## What Changes
+- Apply rate limiting to task creation/update endpoints
+- Apply rate limiting to report generation endpoints
+- Apply rate limiting to bulk operation endpoints
+- Add configurable rate limit tiers based on endpoint sensitivity
+
+## Impact
+- Affected specs: user-auth
+- Affected code:
+  - `backend/app/api/tasks/router.py` - Task rate limits
+  - `backend/app/api/reports/router.py` - Report rate limits
+  - `backend/app/core/config.py` - Rate limit configuration
--- a/openspec/changes/archive/2026-01-10-add-rate-limiting-expansion/specs/user-auth/spec.md
+++ b/openspec/changes/archive/2026-01-10-add-rate-limiting-expansion/specs/user-auth/spec.md
@@ -0,0 +1,25 @@
+## ADDED Requirements
+
+### Requirement: Comprehensive API Rate Limiting
+The system SHALL enforce rate limits on all sensitive API endpoints to prevent abuse and ensure service availability.
+
+#### Scenario: Task creation rate limit exceeded
+- **WHEN** user exceeds 60 task creation requests per minute
+- **THEN** system returns 429 Too Many Requests
+- **THEN** response includes Retry-After header
+
+#### Scenario: Report generation rate limit exceeded
+- **WHEN** user exceeds 5 report generation requests per minute
+- **THEN** system returns 429 Too Many Requests
+- **THEN** response includes rate limit headers
+
+#### Scenario: Rate limit headers provided
+- **WHEN** user makes any rate-limited API request
+- **THEN** response includes X-RateLimit-Limit header
+- **THEN** response includes X-RateLimit-Remaining header
+- **THEN** response includes X-RateLimit-Reset header
+
+#### Scenario: Rate limit window reset
+- **WHEN** rate limit window expires
+- **THEN** user can make requests again up to the limit
+- **THEN** X-RateLimit-Remaining resets to maximum
--- a/openspec/changes/archive/2026-01-10-add-rate-limiting-expansion/tasks.md
+++ b/openspec/changes/archive/2026-01-10-add-rate-limiting-expansion/tasks.md
@@ -0,0 +1,30 @@
+# Tasks: Expand Rate Limiting
+
+## 1. Configuration
+- [x] 1.1 Define rate limit tiers in config (standard, sensitive, heavy)
+- [x] 1.2 Standard: 60/minute, Sensitive: 20/minute, Heavy: 5/minute
+- [x] 1.3 Add environment variable overrides for rate limits
+
+## 2. Task API Rate Limiting
+- [x] 2.1 Apply "standard" rate limit to POST /api/tasks
+- [x] 2.2 Apply "standard" rate limit to PATCH /api/tasks/{id}
+- [x] 2.3 Apply "heavy" rate limit to bulk task operations
+
+## 3. Report API Rate Limiting
+- [x] 3.1 Apply "heavy" rate limit to POST /api/reports/generate
+- [x] 3.2 Apply "sensitive" rate limit to report export endpoints
+
+## 4. Other Sensitive Endpoints
+- [x] 4.1 Apply "sensitive" rate limit to password change endpoint (N/A - uses external auth)
+- [x] 4.2 Apply "sensitive" rate limit to attachment upload
+- [x] 4.3 Apply "standard" rate limit to comment creation
+
+## 5. Response Headers
+- [x] 5.1 Include X-RateLimit-Limit header in responses
+- [x] 5.2 Include X-RateLimit-Remaining header
+- [x] 5.3 Include X-RateLimit-Reset header
+
+## 6. Testing
+- [x] 6.1 Test rate limit enforcement
+- [x] 6.2 Test rate limit reset after window
+- [x] 6.3 Verify 429 Too Many Requests response