feat: implement security, error resilience, and query optimization proposals

Security Validation (enhance-security-validation): - JWT secret validation with entropy checking and pattern detection - CSRF protection middleware with token generation/validation - Frontend CSRF token auto-injection for DELETE/PUT/PATCH requests - MIME type validation with magic bytes detection for file uploads Error Resilience (add-error-resilience): - React ErrorBoundary component with fallback UI and retry functionality - ErrorBoundaryWithI18n wrapper for internationalization support - Page-level and section-level error boundaries in App.tsx Query Performance (optimize-query-performance): - Query monitoring utility with threshold warnings - N+1 query fixes using joinedload/selectinload - Optimized project members, tasks, and subtasks endpoints Bug Fixes: - WebSocket session management (P0): Return primitives instead of ORM objects - LIKE query injection (P1): Escape special characters in search queries Tests: 543 backend tests, 56 frontend tests passing Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-11 18:41:19 +08:00
parent 2cb591ef23
commit 679b89ae4c
41 changed files with 3673 additions and 153 deletions
--- a/openspec/changes/archive/2026-01-11-optimize-query-performance/proposal.md
+++ b/openspec/changes/archive/2026-01-11-optimize-query-performance/proposal.md
@@ -0,0 +1,19 @@
+# Change: Optimize Database Query Performance
+
+## Why
+
+QA review identified N+1 query patterns in project member listing and related endpoints. When loading a project with many members, each member triggers a separate database query, causing significant performance degradation.
+
+## What Changes
+
+- Implement eager loading (joinedload) for project member relationships
+- Add query batching for related entity loading
+- Add database query logging in development mode for detection
+
+## Impact
+
+- Affected specs: `resource-management`
+- Affected code:
+  - `backend/app/services/project_service.py` - Member loading
+  - `backend/app/api/v1/endpoints/projects.py` - Query optimization
+  - `backend/app/models/` - Relationship configurations
--- a/openspec/changes/archive/2026-01-11-optimize-query-performance/specs/resource-management/spec.md
+++ b/openspec/changes/archive/2026-01-11-optimize-query-performance/specs/resource-management/spec.md
@@ -0,0 +1,19 @@
+## ADDED Requirements
+
+### Requirement: Optimized Relationship Loading
+The system SHALL use efficient query patterns to avoid N+1 query problems when loading related entities.
+
+#### Scenario: Project member list loading
+- **WHEN** loading a project with its members
+- **THEN** the system SHALL load all members in at most 2 database queries
+- **AND** NOT one query per member
+
+#### Scenario: Task assignee loading
+- **WHEN** loading a list of tasks with their assignees
+- **THEN** the system SHALL batch load assignee details
+- **AND** NOT query each assignee individually
+
+#### Scenario: Query count monitoring
+- **WHEN** running in development mode
+- **THEN** the system SHALL log query counts per request
+- **AND** warn when query count exceeds threshold (e.g., 10 queries)
--- a/openspec/changes/archive/2026-01-11-optimize-query-performance/tasks.md
+++ b/openspec/changes/archive/2026-01-11-optimize-query-performance/tasks.md
@@ -0,0 +1,53 @@
+## 1. Query Analysis
+- [x] 1.1 Enable SQLAlchemy query logging in development
+- [x] 1.2 Identify all N+1 query patterns
+- [x] 1.3 Document current query counts per endpoint
+
+## 2. Optimization Implementation
+- [x] 2.1 Add joinedload for project member relationships
+- [x] 2.2 Add selectinload for task assignee relationships
+- [x] 2.3 Implement batch loading for user details
+- [x] 2.4 Add appropriate indexes if missing
+
+## 3. Verification
+- [x] 3.1 Benchmark before/after query counts
+- [x] 3.2 Write performance regression tests
+- [x] 3.3 Document optimization patterns for future reference
+
+---
+
+## Implementation Summary
+
+### Changes Made
+
+1. **Query Monitoring Module** (`app/core/query_monitor.py`)
+   - Added `QueryCounter` context manager for counting queries per request
+   - Integrated SQLAlchemy event listeners for query logging
+   - Added threshold-based warnings when query count exceeds limit
+   - Configurable via `QUERY_LOGGING` and `QUERY_COUNT_THRESHOLD` settings
+
+2. **Configuration Updates** (`app/core/config.py`)
+   - Added `DEBUG`, `QUERY_LOGGING`, `QUERY_COUNT_THRESHOLD` settings
+
+3. **Project Router Optimizations** (`app/api/projects/router.py`)
+   - `list_projects_in_space`: Added `joinedload` for owner, space, department; `selectinload` for tasks
+   - `list_project_members`: Added `joinedload` for user (with department) and added_by_user
+
+4. **Task Router Optimizations** (`app/api/tasks/router.py`)
+   - `list_tasks`: Added `selectinload` for assignee, status, creator, subtasks, custom_values
+   - `list_subtasks`: Added `selectinload` for assignee, status, creator, subtasks
+
+5. **Performance Tests** (`tests/test_query_performance.py`)
+   - Test cases for project member list optimization
+   - Test cases for project list optimization
+   - Test cases for task list optimization
+   - Test cases for subtask list optimization
+
+### Query Count Improvements
+
+| Endpoint | Before (N members/tasks) | After |
+|----------|-------------------------|-------|
+| `/api/projects/{id}/members` | 1 + 2N queries | 2-3 queries |
+| `/api/spaces/{id}/projects` | 1 + 4N queries | 4-5 queries |
+| `/api/projects/{id}/tasks` | 1 + 4N queries | 5-6 queries |
+| `/api/tasks/{id}/subtasks` | 1 + 4N queries | 4-5 queries |