feat: implement automation module

- Event-based triggers (Phase 1):
  - Trigger/TriggerLog models with field_change type
  - TriggerService for condition evaluation and action execution
  - Trigger CRUD API endpoints
  - Task integration (status, assignee, priority changes)
  - Frontend: TriggerList, TriggerForm components

- Weekly reports (Phase 2):
  - ScheduledReport/ReportHistory models
  - ReportService for stats generation
  - APScheduler for Friday 16:00 job
  - Report preview/generate/history API
  - Frontend: WeeklyReportPreview, ReportHistory components

- Tests: 23 new tests (14 triggers + 9 reports)
- OpenSpec: add-automation change archived

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

backend/app/api/reports/__init__.py

@@ -0,0 +1,3 @@
+from app.api.reports.router import router
+
+__all__ = ["router"]

backend/app/api/reports/router.py

@@ -0,0 +1,146 @@
+from fastapi import APIRouter, Depends, HTTPException, status
+from sqlalchemy.orm import Session
+from typing import Optional
+
+from app.core.database import get_db
+from app.models import User, ReportHistory, ScheduledReport
+from app.schemas.report import (
+    WeeklyReportContent, ReportHistoryListResponse, ReportHistoryItem,
+    GenerateReportResponse, ReportSummary
+)
+from app.middleware.auth import get_current_user
+from app.services.report_service import ReportService
+
+router = APIRouter(tags=["reports"])
+
+
+@router.get("/api/reports/weekly/preview", response_model=WeeklyReportContent)
+async def preview_weekly_report(
+    db: Session = Depends(get_db),
+    current_user: User = Depends(get_current_user),
+):
+    """
+    Preview the weekly report for the current user.
+    Shows what would be included in the next weekly report.
+    """
+    content = ReportService.get_weekly_stats(db, current_user.id)
+
+    return WeeklyReportContent(
+        week_start=content["week_start"],
+        week_end=content["week_end"],
+        generated_at=content["generated_at"],
+        projects=content["projects"],
+        summary=ReportSummary(**content["summary"]),
+    )
+
+
+@router.post("/api/reports/weekly/generate", response_model=GenerateReportResponse)
+async def generate_weekly_report(
+    db: Session = Depends(get_db),
+    current_user: User = Depends(get_current_user),
+):
+    """
+    Manually trigger weekly report generation for the current user.
+    """
+    # Generate report
+    report_history = ReportService.generate_weekly_report(db, current_user.id)
+
+    if not report_history:
+        raise HTTPException(
+            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+            detail="Failed to generate report",
+        )
+
+    # Send notification
+    ReportService.send_report_notification(db, current_user.id, report_history.content)
+    db.commit()
+
+    summary = report_history.content.get("summary", {})
+
+    return GenerateReportResponse(
+        message="Weekly report generated successfully",
+        report_id=report_history.id,
+        summary=ReportSummary(
+            completed_count=summary.get("completed_count", 0),
+            in_progress_count=summary.get("in_progress_count", 0),
+            overdue_count=summary.get("overdue_count", 0),
+            total_tasks=summary.get("total_tasks", 0),
+        ),
+    )
+
+
+@router.get("/api/reports/history", response_model=ReportHistoryListResponse)
+async def list_report_history(
+    limit: int = 10,
+    offset: int = 0,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(get_current_user),
+):
+    """
+    List report history for the current user.
+    """
+    # Get scheduled report for this user
+    scheduled_report = db.query(ScheduledReport).filter(
+        ScheduledReport.recipient_id == current_user.id,
+    ).first()
+
+    if not scheduled_report:
+        return ReportHistoryListResponse(reports=[], total=0)
+
+    # Get history
+    total = db.query(ReportHistory).filter(
+        ReportHistory.report_id == scheduled_report.id,
+    ).count()
+
+    history = db.query(ReportHistory).filter(
+        ReportHistory.report_id == scheduled_report.id,
+    ).order_by(ReportHistory.generated_at.desc()).offset(offset).limit(limit).all()
+
+    return ReportHistoryListResponse(
+        reports=[
+            ReportHistoryItem(
+                id=h.id,
+                report_id=h.report_id,
+                generated_at=h.generated_at,
+                content=h.content,
+                status=h.status,
+                error_message=h.error_message,
+            ) for h in history
+        ],
+        total=total,
+    )
+
+
+@router.get("/api/reports/history/{report_id}")
+async def get_report_detail(
+    report_id: str,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(get_current_user),
+):
+    """
+    Get detailed content of a specific report.
+    """
+    report = db.query(ReportHistory).filter(ReportHistory.id == report_id).first()
+
+    if not report:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="Report not found",
+        )
+
+    # Check ownership
+    scheduled_report = report.report
+    if scheduled_report.recipient_id != current_user.id and not current_user.is_system_admin:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Access denied",
+        )
+
+    return ReportHistoryItem(
+        id=report.id,
+        report_id=report.report_id,
+        generated_at=report.generated_at,
+        content=report.content,
+        status=report.status,
+        error_message=report.error_message,
+    )

backend/app/api/tasks/router.py

@@ -14,6 +14,7 @@ from app.middleware.auth import (
 )
 from app.middleware.audit import get_audit_metadata
 from app.services.audit_service import AuditService
+from app.services.trigger_service import TriggerService
 
 router = APIRouter(tags=["tasks"])
 
@@ -271,7 +272,7 @@ async def update_task(
             detail="Permission denied",
         )
 
-    # Capture old values for audit
+    # Capture old values for audit and triggers
     old_values = {
         "title": task.title,
         "description": task.description,
@@ -289,7 +290,7 @@ async def update_task(
         else:
             setattr(task, field, value)
 
-    # Capture new values for audit
+    # Capture new values for audit and triggers
     new_values = {
         "title": task.title,
         "description": task.description,
@@ -313,6 +314,10 @@ async def update_task(
             request_metadata=get_audit_metadata(request),
         )
 
+    # Evaluate triggers for priority changes
+    if "priority" in update_data:
+        TriggerService.evaluate_triggers(db, task, old_values, new_values, current_user)
+
     db.commit()
     db.refresh(task)
 
@@ -397,6 +402,9 @@ async def update_task_status(
             detail="Status not found in this project",
         )
 
+    # Capture old status for triggers
+    old_status_id = task.status_id
+
     task.status_id = status_data.status_id
 
     # Auto-set blocker_flag based on status name
@@ -405,6 +413,15 @@ async def update_task_status(
     else:
         task.blocker_flag = False
 
+    # Evaluate triggers for status changes
+    if old_status_id != status_data.status_id:
+        TriggerService.evaluate_triggers(
+            db, task,
+            {"status_id": old_status_id},
+            {"status_id": status_data.status_id},
+            current_user
+        )
+
     db.commit()
     db.refresh(task)
 
@@ -460,6 +477,15 @@ async def assign_task(
         request_metadata=get_audit_metadata(request),
     )
 
+    # Evaluate triggers for assignee changes
+    if old_assignee_id != assign_data.assignee_id:
+        TriggerService.evaluate_triggers(
+            db, task,
+            {"assignee_id": old_assignee_id},
+            {"assignee_id": assign_data.assignee_id},
+            current_user
+        )
+
     db.commit()
     db.refresh(task)
 

backend/app/api/triggers/__init__.py

@@ -0,0 +1,3 @@
+from app.api.triggers.router import router
+
+__all__ = ["router"]

backend/app/api/triggers/router.py

@@ -0,0 +1,276 @@
+import uuid
+from fastapi import APIRouter, Depends, HTTPException, status
+from sqlalchemy.orm import Session
+from typing import Optional
+
+from app.core.database import get_db
+from app.models import User, Project, Trigger, TriggerLog
+from app.schemas.trigger import (
+    TriggerCreate, TriggerUpdate, TriggerResponse, TriggerListResponse,
+    TriggerLogResponse, TriggerLogListResponse, TriggerUserInfo
+)
+from app.middleware.auth import get_current_user, check_project_access, check_project_edit_access
+
+router = APIRouter(tags=["triggers"])
+
+
+def trigger_to_response(trigger: Trigger) -> TriggerResponse:
+    """Convert Trigger model to TriggerResponse."""
+    return TriggerResponse(
+        id=trigger.id,
+        project_id=trigger.project_id,
+        name=trigger.name,
+        description=trigger.description,
+        trigger_type=trigger.trigger_type,
+        conditions=trigger.conditions,
+        actions=trigger.actions if isinstance(trigger.actions, list) else [trigger.actions],
+        is_active=trigger.is_active,
+        created_by=trigger.created_by,
+        created_at=trigger.created_at,
+        updated_at=trigger.updated_at,
+        creator=TriggerUserInfo(
+            id=trigger.creator.id,
+            name=trigger.creator.name,
+            email=trigger.creator.email,
+        ) if trigger.creator else None,
+    )
+
+
+@router.post("/api/projects/{project_id}/triggers", response_model=TriggerResponse, status_code=status.HTTP_201_CREATED)
+async def create_trigger(
+    project_id: str,
+    trigger_data: TriggerCreate,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(get_current_user),
+):
+    """Create a new trigger for a project."""
+    project = db.query(Project).filter(Project.id == project_id).first()
+
+    if not project:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="Project not found",
+        )
+
+    if not check_project_edit_access(current_user, project):
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Permission denied - only project owner can manage triggers",
+        )
+
+    # Validate trigger type
+    if trigger_data.trigger_type not in ["field_change", "schedule"]:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Invalid trigger type. Must be 'field_change' or 'schedule'",
+        )
+
+    # Validate conditions
+    if trigger_data.conditions.field not in ["status_id", "assignee_id", "priority"]:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Invalid condition field. Must be 'status_id', 'assignee_id', or 'priority'",
+        )
+
+    if trigger_data.conditions.operator not in ["equals", "not_equals", "changed_to", "changed_from"]:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail="Invalid operator. Must be 'equals', 'not_equals', 'changed_to', or 'changed_from'",
+        )
+
+    # Create trigger
+    trigger = Trigger(
+        id=str(uuid.uuid4()),
+        project_id=project_id,
+        name=trigger_data.name,
+        description=trigger_data.description,
+        trigger_type=trigger_data.trigger_type,
+        conditions=trigger_data.conditions.model_dump(),
+        actions=[a.model_dump() for a in trigger_data.actions],
+        is_active=trigger_data.is_active,
+        created_by=current_user.id,
+    )
+    db.add(trigger)
+    db.commit()
+    db.refresh(trigger)
+
+    return trigger_to_response(trigger)
+
+
+@router.get("/api/projects/{project_id}/triggers", response_model=TriggerListResponse)
+async def list_triggers(
+    project_id: str,
+    is_active: Optional[bool] = None,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(get_current_user),
+):
+    """List all triggers for a project."""
+    project = db.query(Project).filter(Project.id == project_id).first()
+
+    if not project:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="Project not found",
+        )
+
+    if not check_project_access(current_user, project):
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Access denied",
+        )
+
+    query = db.query(Trigger).filter(Trigger.project_id == project_id)
+
+    if is_active is not None:
+        query = query.filter(Trigger.is_active == is_active)
+
+    triggers = query.order_by(Trigger.created_at.desc()).all()
+
+    return TriggerListResponse(
+        triggers=[trigger_to_response(t) for t in triggers],
+        total=len(triggers),
+    )
+
+
+@router.get("/api/triggers/{trigger_id}", response_model=TriggerResponse)
+async def get_trigger(
+    trigger_id: str,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(get_current_user),
+):
+    """Get a specific trigger by ID."""
+    trigger = db.query(Trigger).filter(Trigger.id == trigger_id).first()
+
+    if not trigger:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="Trigger not found",
+        )
+
+    project = trigger.project
+    if not check_project_access(current_user, project):
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Access denied",
+        )
+
+    return trigger_to_response(trigger)
+
+
+@router.put("/api/triggers/{trigger_id}", response_model=TriggerResponse)
+async def update_trigger(
+    trigger_id: str,
+    trigger_data: TriggerUpdate,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(get_current_user),
+):
+    """Update a trigger."""
+    trigger = db.query(Trigger).filter(Trigger.id == trigger_id).first()
+
+    if not trigger:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="Trigger not found",
+        )
+
+    project = trigger.project
+    if not check_project_edit_access(current_user, project):
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Permission denied",
+        )
+
+    # Update fields if provided
+    if trigger_data.name is not None:
+        trigger.name = trigger_data.name
+    if trigger_data.description is not None:
+        trigger.description = trigger_data.description
+    if trigger_data.conditions is not None:
+        # Validate conditions
+        if trigger_data.conditions.field not in ["status_id", "assignee_id", "priority"]:
+            raise HTTPException(
+                status_code=status.HTTP_400_BAD_REQUEST,
+                detail="Invalid condition field",
+            )
+        trigger.conditions = trigger_data.conditions.model_dump()
+    if trigger_data.actions is not None:
+        trigger.actions = [a.model_dump() for a in trigger_data.actions]
+    if trigger_data.is_active is not None:
+        trigger.is_active = trigger_data.is_active
+
+    db.commit()
+    db.refresh(trigger)
+
+    return trigger_to_response(trigger)
+
+
+@router.delete("/api/triggers/{trigger_id}", status_code=status.HTTP_204_NO_CONTENT)
+async def delete_trigger(
+    trigger_id: str,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(get_current_user),
+):
+    """Delete a trigger."""
+    trigger = db.query(Trigger).filter(Trigger.id == trigger_id).first()
+
+    if not trigger:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="Trigger not found",
+        )
+
+    project = trigger.project
+    if not check_project_edit_access(current_user, project):
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Permission denied",
+        )
+
+    db.delete(trigger)
+    db.commit()
+
+
+@router.get("/api/triggers/{trigger_id}/logs", response_model=TriggerLogListResponse)
+async def list_trigger_logs(
+    trigger_id: str,
+    limit: int = 50,
+    offset: int = 0,
+    db: Session = Depends(get_db),
+    current_user: User = Depends(get_current_user),
+):
+    """Get execution logs for a trigger."""
+    trigger = db.query(Trigger).filter(Trigger.id == trigger_id).first()
+
+    if not trigger:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail="Trigger not found",
+        )
+
+    project = trigger.project
+    if not check_project_access(current_user, project):
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Access denied",
+        )
+
+    total = db.query(TriggerLog).filter(TriggerLog.trigger_id == trigger_id).count()
+
+    logs = db.query(TriggerLog).filter(
+        TriggerLog.trigger_id == trigger_id,
+    ).order_by(TriggerLog.executed_at.desc()).offset(offset).limit(limit).all()
+
+    return TriggerLogListResponse(
+        logs=[
+            TriggerLogResponse(
+                id=log.id,
+                trigger_id=log.trigger_id,
+                task_id=log.task_id,
+                executed_at=log.executed_at,
+                status=log.status,
+                details=log.details,
+                error_message=log.error_message,
+            ) for log in logs
+        ],
+        total=total,
+    )