Skip to content

Add REST API layer with HTTP endpoints and WebSocket support #327

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
kvnloo wants to merge 28 commits into
base: develop
Choose a base branch
from
Open

Add REST API layer with HTTP endpoints and WebSocket support #327

kvnloo wants to merge 28 commits into from
+9,349 −61

Conversation

@kvnloo
Copy link
Contributor

@kvnloo kvnloo commented Dec 26, 2025
edited by coderabbitai bot
Loading

Base Branch

  • This PR targets the develop branch (required for all feature/fix PRs)
  • This PR targets main (hotfix only - maintainers)

Description

Implement complete REST API layer exposing existing IPC functionality through HTTP endpoints and WebSocket connections. Add authentication middleware, route handlers for tasks/projects/monitoring, event bridge for IPC integration, and comprehensive test coverage including OpenAPI specification validation.

Related Issue

Closes #

Type of Change

  • 🐛 Bug fix
  • ✨ New feature
  • 📚 Documentation
  • ♻️ Refactor
  • 🧪 Test

Area

  • Frontend
  • Backend
  • Fullstack

Commit Message Format

Follow conventional commits: feat: add HTTP REST API layer with WebSocket support

Types: feat, fix, docs, style, refactor, test, chore

Example: feat: add user authentication system

Checklist

  • I've synced with develop branch
  • I've tested my changes locally
  • I've followed the code principles (SOLID, DRY, KISS)
  • My PR is small and focused (< 400 lines ideally)

CI/Testing Requirements

  • All CI checks pass
  • All existing tests pass
  • New features include test coverage
  • Bug fixes include regression tests

Screenshots

Before After

Feature Toggle

  • Behind localStorage flag: use_feature_name
  • Behind settings toggle
  • Behind environment variable/config
  • N/A - Feature is complete and ready for all users

Breaking Changes

Breaking: No

Details:

Summary by CodeRabbit

  • New Features

    • REST API server with full project/task CRUD, start/stop/review actions, and WebSocket real-time task monitoring
    • Event bridge forwarding runtime events to WebSocket clients; optional debug mode
    • API server lifecycle integration for startup/shutdown and status reporting

  • Documentation

    • OpenAPI/Swagger generation and interactive docs for all API and WebSocket endpoints
    • Comprehensive request/response schemas for validation and docs

  • Tests

    • Extensive unit & integration tests for REST, WebSocket, auth, and OpenAPI generation

  • Chores

    • Added Fastify and related ecosystem packages; env example documents API settings (port/host/key)

✏️ Tip: You can customize this high-level summary in your review settings.

kvnloo and others added 26 commits December 26, 2025 12:59
@kvnloo @claude
auto-claude: subtask-1-1 - Install Fastify and related dependencies
36e9b55 
Added the following dependencies to apps/frontend/package.json:
- fastify@^5.3.4
- @fastify/swagger@^9.4.2
- @fastify/swagger-ui@^5.2.2
- @fastify/websocket@^11.0.2

These packages will be used to implement the OpenAPI REST API for remote access.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
@kvnloo @claude
auto-claude: subtask-1-2 - Create API directory structure
d6c5e6e 
Create directory structure for the OpenAPI REST API:
- apps/frontend/src/main/api/ - Main API directory
- apps/frontend/src/main/api/routes/ - REST endpoint handlers
- apps/frontend/src/main/api/middleware/ - Authentication middleware
- apps/frontend/src/main/api/types/ - TypeScript type definitions
- apps/frontend/src/main/api/schemas/ - JSON schemas for validation

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
@kvnloo @claude
auto-claude: subtask-2-1 - Create TypeScript type definitions for API…
e838544 
… contracts

Add comprehensive TypeScript type definitions for the REST API layer:
- Re-export core types from shared types (Task, Project, TaskStatus, etc.)
- Define API request/response types for task and project endpoints
- Define WebSocket message types for real-time events
- Add health check and monitoring response types
- Include pagination types for future extensibility

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
@kvnloo @claude
auto-claude: subtask-2-2 - Create JSON schemas for validation and Ope…
a7d61ba 
…nAPI gen

Add comprehensive JSON schemas for Fastify validation and OpenAPI/Swagger
specification generation. These schemas match the TypeScript interfaces in
the types module and provide:

- Task status, subtask status, and execution phase enums
- Task category, complexity, impact, and priority enums
- WebSocket message type enums
- Core object schemas (Task, Project, Subtask, QAReport, etc.)
- API request/response schemas for all endpoints:
  - Task management (create, list, get, update, delete, start, stop, review)
  - Project management (add, list, get, delete, settings)
  - Monitoring (health, version)
- WebSocket payload schemas for real-time events
- Pagination schemas for future use
- Complete route schemas with OpenAPI documentation (tags, summary, description)
- API key security scheme definition

The RouteSchema type extends FastifySchema to include OpenAPI-specific
properties used by @fastify/swagger for documentation generation.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
@kvnloo @claude
auto-claude: subtask-1-3 - Add API server environment variables to .e…
134adda 
…nv.example

Added API_PORT, API_HOST, and API_KEY environment variables with documentation:
- API_PORT: Port for REST API server (default: 3456)
- API_HOST: Host/IP for API server binding (default: 127.0.0.1)
- API_KEY: Authentication key for remote API access

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
@kvnloo @claude
auto-claude: subtask-2-3 - Implement API key authentication middleware
594fe73 
Add API key authentication middleware with support for:
- Multiple API keys via comma-separated API_KEY env var
- x-api-key header validation
- Query parameter fallback for WebSocket connections
- 401 Unauthorized responses for invalid/missing keys
- Helper functions for testing and configuration

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
@kvnloo
auto-claude: subtask-2-4 - Create main Fastify server with Swagger pl…
47ee2fa 
…ugins

- Create apps/frontend/src/main/api/server.ts
- Initialize Fastify with logger and request sanitization
- Register plugins in correct order: Swagger -> SwaggerUI -> WebSocket
- Configure OpenAPI spec with proper info, tags, and security schemes
- Add global error handler and not-found handler
- Add lifecycle hooks for ready and close events
- Export createApiServer(), startApiServer(), stopApiServer() functions
- Export utility functions: isServerRunning(), getServerUptime()
- Server fails to start if API_KEY not set (secure by default)
@kvnloo @claude
auto-claude: subtask-3-1 - Create task management REST endpoints with…
06d55b2 
… full CRUD

Implements REST API endpoints for task management at /api/tasks:
- GET /api/tasks - List tasks for a project (with optional status filter)
- POST /api/tasks - Create a new task
- GET /api/tasks/:id - Get a specific task
- PATCH /api/tasks/:id - Update a task
- DELETE /api/tasks/:id - Delete a task
- POST /api/tasks/:id/start - Start task execution
- POST /api/tasks/:id/stop - Stop task execution
- POST /api/tasks/:id/review - Submit task review

All endpoints:
- Use API key authentication via authenticateApiKey middleware
- Follow existing IPC handler patterns from crud-handlers.ts
- Use JSON schemas from schemas/index.ts for validation
- Return proper HTTP status codes (200, 201, 204, 400, 404, 500)
- Handle errors gracefully with consistent error response format

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
@kvnloo @claude
auto-claude: subtask-2-4 - Add CORS plugin to Fastify server
e530bae 
- Import and register @fastify/cors plugin (before Swagger)
- Add corsOrigins configuration option with environment variable support
- Configure CORS to allow x-api-key header for API authentication
- Set preflight cache to 24 hours for performance
- Update plugin registration order in documentation comment

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
@kvnloo @claude
auto-claude: subtask-4-1 - Create project management REST endpoints
8cf14b9 
Implements REST API routes for project management operations:
- GET /api/projects - List all projects with validation
- POST /api/projects - Add project by filesystem path
- GET /api/projects/:id - Get specific project details
- DELETE /api/projects/:id - Remove project from tracking
- PATCH /api/projects/:id/settings - Update project settings

All endpoints use API key authentication and follow the same
patterns as task routes. Uses projectStore singleton for data
operations, matching existing IPC handler behavior.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
@kvnloo @claude
auto-claude: subtask-5-1 - Create health check, version, and status m…
3aefcb8 
…onitoring endpoints

Add monitoring REST API routes for the AutoClaude Remote API:
- GET /api/health - Public health check endpoint (returns status, uptime, version)
- GET /api/version - Public version endpoint (returns app and API versions)
- GET /api/status - Protected detailed status endpoint (memory, component health)

Features:
- Health status determined by heap memory usage
- Returns 503 when unhealthy for load balancer compatibility
- Electron version included when running in Electron context
- Component-level health status (API, projectStore)
- Memory usage reporting (heapUsed, heapTotal, rss)

Note: Full endpoint verification requires route registration (subtask 7-1).

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
@kvnloo @claude
auto-claude: subtask-5-1 - Add public endpoint security annotations
9b0bde8 
Update schemas for health and version endpoints to explicitly document
that they are publicly accessible (no authentication required).

- Add security: [] to healthSchema for OpenAPI documentation
- Add security: [] to versionSchema for OpenAPI documentation
- Update descriptions to clarify public accessibility

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
@kvnloo @claude
auto-claude: subtask-6-1 - Create WebSocket server with authentication
41a665c 
Implements WebSocket server for real-time task monitoring with:
- API key authentication via x-api-key header or api_key query param
- Task subscription management (subscribe to specific tasks/projects)
- Event type filtering (task-progress, status-change, log, error)
- Ping/pong for connection health monitoring
- Graceful cleanup on disconnect

Key exports:
- registerWebSocketRoute(): Register /ws route on Fastify instance
- Broadcast functions: broadcastTaskProgress, broadcastTaskStatusChange,
  broadcastTaskLog, broadcastTaskError, broadcastTaskExecutionProgress
- Client management: getClientCount, getAllClients, closeAllConnections

Based on patterns from agent-events-handlers.ts and logs-handlers.ts

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
@kvnloo @claude
auto-claude: subtask-6-1 - Create WebSocket server with authentication
ea40c69 
Implements WebSocket server for real-time task monitoring with:
- API key authentication via header or query parameter
- Task subscription management (subscribe to specific tasks or all)
- Project subscription management
- Event type filtering
- Automatic cleanup on disconnect
- Ping/pong for connection health monitoring
- Broadcast functions for task progress, status, logs, errors

Features:
- registerWebSocketRoute() to add /ws endpoint to Fastify server
- broadcastTaskProgress(), broadcastTaskStatusChange(), etc.
- closeAllConnections() for graceful shutdown
- Client tracking with subscription state

Also adds @types/ws dev dependency for WebSocket type definitions.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
@kvnloo @claude
auto-claude: subtask-6-2 - Create event bridge to forward IPC task ev…
bb096d3 
…ents to WebSocket clients

Add event-bridge.ts that bridges AgentManager and FileWatcher events to
WebSocket clients. Features:

- Subscribes to AgentManager events: log, error, exit, execution-progress
- Subscribes to FileWatcher events: progress, error
- Forwards events to WebSocket clients via broadcast functions
- Mirrors status logic from agent-events-handlers.ts (qa_review -> ai_review)
- Proper cleanup on shutdown with stored cleanup functions
- Debug mode for verbose logging
- Statistics tracking (event count, uptime)
- Exports: initializeEventBridge, shutdownEventBridge, isEventBridgeActive,
  getEventBridgeStats, setEventBridgeDebug

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
@kvnloo @claude
auto-claude: subtask-7-1 - Create route index file to register all ro…
c6c2422 
…ute modules

Adds apps/frontend/src/main/api/routes/index.ts with:
- registerRoutes() function that registers all API route modules
- Imports and registers task, project, and monitoring routes
- Imports and registers WebSocket route
- Re-exports individual registration functions for custom usage
- Follows pattern from ipc-handlers/index.ts

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
@kvnloo @claude
auto-claude: subtask-7-2 - Create API module index file that exports …
53d7a0c 
…all publ

Creates apps/frontend/src/main/api/index.ts as the main entry point for the
AutoClaude Remote API module. This file exports all public API components:

- Server lifecycle: createApiServer, startApiServer, stopApiServer, etc.
- Route registration: registerRoutes, registerTaskRoutes, etc.
- WebSocket: broadcast functions, client management
- Event bridge: initializeEventBridge, shutdownEventBridge
- Authentication: loadApiKeys, authenticateApiKey, validateApiKey
- Types: All API type definitions for consumers
- Schemas: JSON schemas and enum constants for route definitions

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
@kvnloo @claude
auto-claude: subtask-8-1 - Create API server startup module with grac…
853d61c 
…eful shutdown

Created apps/frontend/src/main/api/startup.ts providing:
- initializeApiServer() - starts API server with route registration and event bridge
- shutdownApiServer() - graceful cleanup of WebSocket connections, event bridge, and server
- getApiServerStatus() - status information (running state, clients, uptime, events)
- isApiServerEnabled() - check if API_KEY is set to enable API server
- areApiKeysLoaded() - check if API keys have been loaded

Features:
- API server is OPTIONAL - only starts if API_KEY environment variable is set
- Graceful error handling - startup failures are logged but don't crash Electron
- Complete lifecycle management for integration with Electron main process
- Event bridge integration for real-time WebSocket updates

Updated index.ts to export all startup module functions and types.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
@kvnloo @claude
auto-claude: subtask-8-2 - Integrate API server startup into Electron…
c025432 
… main process

Integrates the API server lifecycle into the Electron main process:
- Import initializeApiServer, shutdownApiServer, isApiServerEnabled from api/startup
- Import fileWatcher singleton for event bridge
- Initialize API server after IPC handlers and usage monitor setup
- API server is optional - only starts if API_KEY environment variable is set
- Add graceful shutdown in before-quit handler (before agent/terminal cleanup)
- Include debug mode support for verbose logging

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
@kvnloo @claude
auto-claude: subtask-9-1 - Create unit tests for API key authenticati…
7ec3b16 
…on middleware

Add comprehensive unit tests for the auth middleware covering:
- loadApiKeys: environment variable loading and parsing
- areKeysLoaded: state tracking
- getKeyCount: key count retrieval
- validateApiKey: key validation with various inputs
- extractApiKey: key extraction from headers and query params
- authenticateApiKey: HTTP request middleware
- authenticateWebSocket: WebSocket request middleware
- resetAuthState and setApiKeysForTesting: test utilities
- Security edge cases (fail closed, no key leakage)

42 tests covering all authentication scenarios.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
@kvnloo @claude
auto-claude: subtask-9-2 - Create unit tests for task routes with moc…
d54b60b 
…k depend

- Add comprehensive unit tests for all task REST API routes
- Cover GET /api/tasks (list with filters)
- Cover POST /api/tasks (create with metadata and spec ID generation)
- Cover GET /api/tasks/:id (get specific task)
- Cover PATCH /api/tasks/:id (update title/description)
- Cover DELETE /api/tasks/:id (delete task and spec directory)
- Cover POST /api/tasks/:id/start (start task validation)
- Cover POST /api/tasks/:id/stop (stop running task)
- Cover POST /api/tasks/:id/review (approve/reject with feedback)
- Mock projectStore and auth middleware for isolated testing
- All 33 tests pass

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
@kvnloo @claude
auto-claude: subtask-9-3 - Create unit tests for WebSocket connection…
d37aaa5 
… handling

Add comprehensive unit tests for the WebSocket module covering:
- Client management (getClientCount, getAllClients, getClient, isWebSocketReady)
- Broadcast functions (broadcastTaskProgress, broadcastTaskStatusChange, broadcastTaskLog, broadcastTaskError, broadcastTaskExecutionProgress, broadcastToProject)
- Connection cleanup (closeAllConnections)
- WebSocket route registration with authentication and schema validation
- WebSocket handler behavior (connection, disconnection, message processing)
- Subscription handling (subscribe/unsubscribe tasks, projects, event types)
- Broadcast filtering based on subscriptions
- Edge cases (closed sockets, send errors, unique client IDs, whitespace trimming, invalid event types)

All 51 tests pass.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
@kvnloo @claude
auto-claude: subtask-10-1 - Create integration test for HTTP to IPC b…
1b120e9 
…ridge

Add comprehensive integration test suite that verifies HTTP API endpoints
mirror IPC functionality for remote access. Tests cover:

- Project operations: list, get, add, delete, update settings
- Task operations: list, get, create, start, stop, review, delete, update
- Error handling: 404 for missing resources, 400 for invalid requests
- Monitoring endpoints: health, version, status
- Authentication middleware verification
- Data store consistency (HTTP and IPC use same projectStore)
- Task status transitions matching IPC behavior

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
@kvnloo @claude
auto-claude: subtask-10-2 - Create integration test for OpenAPI spec …
ec0ed2b 
…generation

Add comprehensive integration tests for OpenAPI specification generation
and validation. Tests verify:

- OpenAPI 3.0 spec structure (info, servers, tags, paths, components)
- Task endpoints documentation (CRUD + start/stop/review)
- Project endpoints documentation (CRUD + settings)
- Monitoring endpoints documentation (health, version, status)
- Security scheme (API key in header) documentation
- Response schema documentation (200, 201, 202, 204, 400, 401, 404)
- Request body schema documentation
- Query and path parameter documentation
- OpenAPI spec accessibility via /documentation/json endpoint
- Schema validation including enums and required fields
- Complete endpoint coverage verification

WebSocket endpoint documentation is handled gracefully as WebSocket routes
may not be captured by Swagger due to handler signature differences.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
@kvnloo @claude
auto-claude: subtask-11-1 - End-to-end verification complete
22a5f88 
E2E Verification Results:
- All 732 unit tests pass
- Build completes successfully
- All API endpoints verified through integration tests
- Authentication middleware verified
- OpenAPI spec generation validated
- WebSocket functionality tested

Test file improvements:
- Fixed TypeScript type annotations in test files
- Added proper type assertions for Fastify hooks

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <[email protected]>
@kvnloo
feat(api): add HTTP REST API layer with WebSocket support
515ff60 
Implement complete REST API layer exposing existing IPC functionality through HTTP endpoints and WebSocket connections. Add authentication middleware, route handlers for tasks/projects/monitoring, event bridge for IPC integration, and comprehensive test coverage including OpenAPI specification validation.
@coderabbitai
Copy link
Contributor

coderabbitai bot commented Dec 26, 2025
edited
Loading

📝 Walkthrough

Walkthrough

Adds a Fastify-based HTTP + WebSocket API to the frontend: server lifecycle, routes for tasks/projects/monitoring, OpenAPI schemas, API-key auth (HTTP + WebSocket), event bridge from AgentManager/FileWatcher, WebSocket client management, tests, and Electron startup integration.

Changes

Cohort / File(s) Summary
Configuration
apps/frontend/.env.example, apps/frontend/package.json		 Documented API server env vars (API_PORT, API_HOST, API_KEY). Added Fastify and related plugins and ws types to package.json.
API Server Core
apps/frontend/src/main/api/server.ts, apps/frontend/src/main/api/startup.ts, apps/frontend/src/main/api/index.ts		 New Fastify server creation/start/stop, plugin registration (CORS, Swagger, WebSocket), OpenAPI integration, logging/error hooks, and Electron startup/shutdown orchestration; centralized API re-exports.
Route Modules
apps/frontend/src/main/api/routes/*
apps/frontend/src/main/api/routes/index.ts, .../tasks.ts, .../projects.ts, .../monitoring.ts		 New route registration entrypoint and route handlers for tasks (CRUD, start/stop/review), projects (list/add/get/delete/settings), and monitoring (health/version/status with optional auth).
WebSocket & Event Bridge
apps/frontend/src/main/api/websocket.ts, apps/frontend/src/main/api/event-bridge.ts		 WebSocket route and client management (subscriptions, broadcasts, lifecycle) plus event bridge forwarding AgentManager and FileWatcher events to WebSocket broadcasts with lifecycle and debug controls.
Authentication
apps/frontend/src/main/api/middleware/auth.ts, apps/frontend/src/main/api/middleware/__tests__/auth.spec.ts		 API-key loading/validation, header/query extraction, HTTP and WebSocket pre-handlers, test utilities and comprehensive auth unit tests.
Schemas & Types
apps/frontend/src/main/api/schemas/index.ts, apps/frontend/src/main/api/types/index.ts		 Large collection of JSON Schemas and TypeScript API/WebSocket types for OpenAPI generation, requests/responses, payloads, and route validation.
Integration & Unit Tests
apps/frontend/src/__tests__/*, apps/frontend/src/main/api/routes/__tests__/*, apps/frontend/src/main/api/__tests__/*		 New integration tests for HTTP↔IPC parity and OpenAPI spec; unit/integration tests for tasks routes and WebSocket behavior (extensive coverage of flows and edge cases).
Main Process Integration
apps/frontend/src/main/index.ts		 Hooked API server initialization/shutdown into Electron main flow, conditional on API_KEY presence.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant Fastify as Fastify API Server
    participant Auth as Auth Middleware
    participant Store as ProjectStore
    participant FS as File System

    Client->>Fastify: POST /api/tasks (x-api-key)
    Fastify->>Auth: validateApiKey()
    Auth-->>Fastify: authorized
    Fastify->>Store: getProject(projectId)
    Store-->>Fastify: project
    Fastify->>FS: create spec dir & write artifacts
    FS-->>Fastify: ok
    Fastify-->>Client: 201 Created (Task)
Loading 
sequenceDiagram
    participant AgentMgr as AgentManager
    participant FileWatcher
    participant EventBridge
    participant WebSocket as WebSocket Server
    participant Client

    AgentMgr->>EventBridge: emit('log', taskId, message)
    FileWatcher->>EventBridge: emit('progress', taskId, progress)
    EventBridge->>WebSocket: broadcastTaskLog(taskId, message)
    EventBridge->>WebSocket: broadcastTaskProgress(taskId, progress)

    rect rgb(200,220,255)
    Note over WebSocket,Client: Client subscribed to taskId
    WebSocket->>Client: task_log / task_progress payloads
    end

    rect rgb(240,240,240)
    Note over WebSocket: Client not subscribed → message filtered
    end
Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

Suggested labels

size/L

Suggested reviewers

  • AlexMadera
  • AndyMik90

Poem

🐰
A tiny rabbit hops with glee,
Fastify winds the API tree.
Tasks and projects, live and bright,
WebSockets hum through day and night.
Hooray — events now leap and see!

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The pull request title 'Add REST API layer with HTTP endpoints and WebSocket support' clearly and concisely describes the main change: introducing a new REST API layer with HTTP endpoints and WebSocket functionality, which aligns with the extensive changes across server setup, routes, middleware, and real-time communication.
Docstring Coverage ✅ Passed Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
✨ Finishing touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5c9de86 and f90a55e.

⛔ Files ignored due to path filters (1)
  • apps/frontend/package-lock.json is excluded by !**/package-lock.json, !**/package-lock.json
📒 Files selected for processing (1)
  • apps/frontend/package.json
🧰 Additional context used
🧠 Learnings (1)
📓 Common learnings 
Learnt from: CR
Repo: AndyMik90/Auto-Claude PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-25T18:29:32.954Z
Learning: Applies to apps/backend/agents/{qa_reviewer,qa_fixer}.py : For frontend bug fixes and feature implementations, use the Electron MCP server for automated E2E testing when the app is running with `--remote-debugging-port=9222`
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: CodeQL (python)
  • GitHub Check: CodeQL (javascript-typescript)
🔇 Additional comments (2)
apps/frontend/package.json (2)

53-56: Fastify ecosystem dependencies added appropriately for the new REST API feature.

The Fastify packages and WebSocket support dependencies align well with the PR's objective to add a REST API layer. The version update recommendations in the previous review comment should be addressed.

Also applies to: 84-84

111-111: The addition of TypeScript types for the ws library is appropriate. Version 8.18.1 is the current version on npm.

Comment @coderabbitai help to get the list of available commands and usage tips.

github-actions[bot]
github-actions bot reviewed Dec 26, 2025
View reviewed changes
Copy link

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎉 Thanks for your first PR!

A maintainer will review it soon. Please make sure:

  • Your branch is synced with develop
  • CI checks pass
  • You've followed our contribution guide

Welcome to the Auto Claude community!

coderabbitai[bot]
coderabbitai bot reviewed Dec 26, 2025
View reviewed changes
Copy link
Contributor

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 20

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8a80b1d and 5c9de86.

⛔ Files ignored due to path filters (1)
  • apps/frontend/package-lock.json is excluded by !**/package-lock.json, !**/package-lock.json
📒 Files selected for processing (24)
  • apps/frontend/.env.example
  • apps/frontend/package.json
  • apps/frontend/src/__tests__/integration/api-ipc-bridge.test.ts
  • apps/frontend/src/__tests__/integration/openapi-spec.test.ts
  • apps/frontend/src/main/api/.gitkeep
  • apps/frontend/src/main/api/__tests__/websocket.spec.ts
  • apps/frontend/src/main/api/event-bridge.ts
  • apps/frontend/src/main/api/index.ts
  • apps/frontend/src/main/api/middleware/.gitkeep
  • apps/frontend/src/main/api/middleware/__tests__/auth.spec.ts
  • apps/frontend/src/main/api/middleware/auth.ts
  • apps/frontend/src/main/api/routes/.gitkeep
  • apps/frontend/src/main/api/routes/__tests__/tasks.spec.ts
  • apps/frontend/src/main/api/routes/index.ts
  • apps/frontend/src/main/api/routes/monitoring.ts
  • apps/frontend/src/main/api/routes/projects.ts
  • apps/frontend/src/main/api/routes/tasks.ts
  • apps/frontend/src/main/api/schemas/.gitkeep
  • apps/frontend/src/main/api/schemas/index.ts
  • apps/frontend/src/main/api/server.ts
  • apps/frontend/src/main/api/startup.ts
  • apps/frontend/src/main/api/types/index.ts
  • apps/frontend/src/main/api/websocket.ts
  • apps/frontend/src/main/index.ts
🧰 Additional context used
📓 Path-based instructions (2)
apps/frontend/src/**/*.{ts,tsx}

📄 CodeRabbit inference engine (CLAUDE.md)

apps/frontend/src/**/*.{ts,tsx}: Always use translation keys with useTranslation() for all user-facing text in React/TypeScript frontend components - use format namespace:section.key (e.g., navigation:items.githubPRs)
Never use hardcoded strings in JSX/TSX files for user-facing text - always reference translation keys from apps/frontend/src/shared/i18n/locales/

Files:

  • apps/frontend/src/main/api/middleware/__tests__/auth.spec.ts
  • apps/frontend/src/main/index.ts
  • apps/frontend/src/__tests__/integration/openapi-spec.test.ts
  • apps/frontend/src/main/api/routes/monitoring.ts
  • apps/frontend/src/__tests__/integration/api-ipc-bridge.test.ts
  • apps/frontend/src/main/api/server.ts
  • apps/frontend/src/main/api/routes/tasks.ts
  • apps/frontend/src/main/api/routes/projects.ts
  • apps/frontend/src/main/api/websocket.ts
  • apps/frontend/src/main/api/routes/index.ts
  • apps/frontend/src/main/api/event-bridge.ts
  • apps/frontend/src/main/api/routes/__tests__/tasks.spec.ts
  • apps/frontend/src/main/api/__tests__/websocket.spec.ts
  • apps/frontend/src/main/api/startup.ts
  • apps/frontend/src/main/api/types/index.ts
  • apps/frontend/src/main/api/middleware/auth.ts
  • apps/frontend/src/main/api/index.ts
  • apps/frontend/src/main/api/schemas/index.ts
apps/frontend/**/*.{ts,tsx}

⚙️ CodeRabbit configuration file

apps/frontend/**/*.{ts,tsx}: Review React patterns and TypeScript type safety.
Check for proper state management and component composition.

Files:

  • apps/frontend/src/main/api/middleware/__tests__/auth.spec.ts
  • apps/frontend/src/main/index.ts
  • apps/frontend/src/__tests__/integration/openapi-spec.test.ts
  • apps/frontend/src/main/api/routes/monitoring.ts
  • apps/frontend/src/__tests__/integration/api-ipc-bridge.test.ts
  • apps/frontend/src/main/api/server.ts
  • apps/frontend/src/main/api/routes/tasks.ts
  • apps/frontend/src/main/api/routes/projects.ts
  • apps/frontend/src/main/api/websocket.ts
  • apps/frontend/src/main/api/routes/index.ts
  • apps/frontend/src/main/api/event-bridge.ts
  • apps/frontend/src/main/api/routes/__tests__/tasks.spec.ts
  • apps/frontend/src/main/api/__tests__/websocket.spec.ts
  • apps/frontend/src/main/api/startup.ts
  • apps/frontend/src/main/api/types/index.ts
  • apps/frontend/src/main/api/middleware/auth.ts
  • apps/frontend/src/main/api/index.ts
  • apps/frontend/src/main/api/schemas/index.ts
🧠 Learnings (2)
📚 Learning: 2025-12-25T18:29:32.954Z 
Learnt from: CR
Repo: AndyMik90/Auto-Claude PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-25T18:29:32.954Z
Learning: Applies to apps/backend/.env* : Enable Electron MCP in `apps/backend/.env` with `ELECTRON_MCP_ENABLED=true` and `ELECTRON_DEBUG_PORT=9222` to allow QA agents to interact with running Electron app

Applied to files:

  • apps/frontend/.env.example
📚 Learning: 2025-12-25T18:29:32.954Z 
Learnt from: CR
Repo: AndyMik90/Auto-Claude PR: 0
File: CLAUDE.md:0-0
Timestamp: 2025-12-25T18:29:32.954Z
Learning: Applies to apps/backend/agents/{qa_reviewer,qa_fixer}.py : For frontend bug fixes and feature implementations, use the Electron MCP server for automated E2E testing when the app is running with `--remote-debugging-port=9222`

Applied to files:

  • apps/frontend/.env.example
🧬 Code graph analysis (4)
apps/frontend/src/main/api/routes/monitoring.ts (2)
scripts/bump-version.js (1)
  • status (106-106)
apps/frontend/src/main/project-store.ts (1)
  • projectStore (776-776)
apps/frontend/src/__tests__/integration/api-ipc-bridge.test.ts (1)
apps/frontend/src/main/project-store.ts (1)
  • projectStore (776-776)
apps/frontend/src/main/api/routes/projects.ts (1)
apps/frontend/src/main/project-store.ts (1)
  • projectStore (776-776)
apps/frontend/src/main/api/routes/__tests__/tasks.spec.ts (1)
apps/frontend/src/main/project-store.ts (1)
  • projectStore (776-776)
🪛 Gitleaks (8.30.0)
apps/frontend/src/main/api/middleware/__tests__/auth.spec.ts

[high] 183-183: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

[high] 193-193: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

🔇 Additional comments (48)
apps/frontend/.env.example (1)

39-56: LGTM! Clear and secure API configuration documentation.

The API server settings block is well-documented with sensible defaults. The security guidance (127.0.0.1 for local-only, API_KEY requirement for remote access) appropriately balances developer experience with security posture.

apps/frontend/src/main/api/types/index.ts (1)

1-362: LGTM! Comprehensive and well-organized type definitions.

The API type definitions are thorough and well-structured:

  • Clear separation by domain (Tasks, Projects, Monitoring, WebSocket, Auth)
  • Appropriate re-exports from shared types
  • Generic types (ApiResponse<T>, WebSocketMessage<T>) for flexibility
  • JSDoc comments document endpoint paths and usage

This provides a solid type foundation for the API layer.

apps/frontend/src/main/api/index.ts (1)

1-281: LGTM! Well-organized API module aggregation.

The centralized index provides a clean public API surface with clear organization:

  • Grouped exports by functional area (Server, Routes, Auth, WebSocket, etc.)
  • Helpful usage example in module header
  • Comprehensive coverage of the API surface

This barrel export pattern is appropriate here as a single entry point for API consumers.

apps/frontend/src/main/index.ts (2)

185-202: Clean API server integration with proper lifecycle management.

The API server initialization follows the existing pattern for optional features (checking isApiServerEnabled() first). The promise-based error handling with logging is appropriate for startup initialization.

One consideration: Ensure fileWatcher is fully initialized before being passed to initializeApiServer. Based on the import pattern, it appears to be a singleton instance, which should be safe.

257-267: Graceful shutdown with appropriate error handling.

The API server shutdown mirrors the usage monitor shutdown pattern with proper error handling and logging. The try-catch ensures that API shutdown errors don't prevent other cleanup (agent/terminal cleanup on lines 269-276).

apps/frontend/src/main/api/routes/index.ts (1)

26-40: LGTM! Clean route registration orchestration.

The registerRoutes function properly orchestrates all route registrations in a logical order. The mix of await for async registrations (lines 28-34) and direct call for WebSocket (line 37) correctly reflects the different function signatures.

apps/frontend/src/__tests__/integration/openapi-spec.test.ts (1)

1-655: LGTM! Comprehensive OpenAPI validation coverage.

The test suite thoroughly validates:

  • OpenAPI spec structure and metadata
  • All endpoint documentation (tasks, projects, monitoring, WebSocket)
  • Security schemes and authentication requirements
  • Request/response schemas and validation
  • Query and path parameters
  • Complete endpoint coverage

The WebSocket documentation handling (lines 344-353) appropriately acknowledges OpenAPI's WebSocket limitations while still validating the tag definition. Well-structured and thorough.

apps/frontend/src/__tests__/integration/api-ipc-bridge.test.ts (1)

1-636: LGTM! Excellent IPC bridge parity validation.

This integration test suite thoroughly validates that the HTTP API mirrors IPC functionality:

  • Complete CRUD operations for projects and tasks
  • Status transition validation
  • Error handling parity (404, 400 status codes)
  • Authentication middleware integration
  • Shared data store usage
  • Edge cases and invalid state transitions

The test setup with realistic filesystem structure (lines 92-110) and comprehensive cleanup (lines 85-89) demonstrates good testing practices. The coverage of both success and failure paths ensures robust API behavior.

apps/frontend/src/main/api/middleware/__tests__/auth.spec.ts (4)

1-35: LGTM! Comprehensive test setup with proper isolation.

The test setup correctly handles module reset, environment variable restoration, and mock cleanup. The callMiddleware helper appropriately handles Fastify's middleware signature.

The static analysis warnings for "generic API keys" on lines 183 and 193 are false positives — these are intentional test fixtures (e.g., 'valid-key-123') used to verify authentication behavior.

36-106: Thorough edge case coverage for key loading.

The tests properly validate all key loading scenarios including malformed inputs, whitespace handling, and comma-separated parsing. Good coverage of the "fail-closed" security pattern.

142-305: Well-structured validation and extraction tests.

Good coverage of type safety (undefined, null, non-string inputs) and the security-critical "fail-closed" behavior when keys aren't loaded. The header-over-query priority testing is important for security.

562-577: Excellent security validation.

The test verifying that validation results don't leak key information (line 572-577) is a good security practice. This ensures the API doesn't inadvertently expose internal key identifiers or other sensitive data in responses.

apps/frontend/src/main/api/routes/projects.ts (3)

1-32: Clean module structure with comprehensive documentation.

The header documentation clearly outlines all endpoints, and imports are well-organized. Good separation of schemas and types.

45-64: LGTM! Defensive validation with appropriate logging.

The route properly validates project state before returning results, with warn-level logging for missing folders to aid debugging without flooding logs.

104-167: LGTM! Proper REST semantics and error handling.

Both endpoints follow REST conventions correctly: 404 for missing resources, 204 for successful deletion. The DELETE endpoint properly distinguishes between "not found" (404) and "removal failed" (500).

apps/frontend/src/main/api/routes/monitoring.ts (2)

1-42: Well-structured monitoring module with clear separation of concerns.

Good documentation and logical organization. The Electron version detection is handled correctly with proper undefined fallback.

149-170: LGTM! Correct health check semantics.

Using 503 for unhealthy status is the correct approach for load balancer compatibility. The 200 for both healthy and degraded allows traffic to continue while signaling potential issues.

apps/frontend/src/main/api/routes/__tests__/tasks.spec.ts (3)

1-95: Solid test setup with proper mocking and cleanup.

Good use of /tmp for test artifacts, proper mock setup for dependencies, and cleanup in both beforeEach and afterEach to ensure test isolation.

184-287: Comprehensive task creation tests.

Good coverage of validation, metadata handling, and the critical specId generation logic. The incrementing number test (lines 255-286) properly verifies uniqueness.

396-631: Thorough lifecycle and state transition tests.

Excellent coverage of state validation (already running, already completed, not running, not in review). The feedback file verification (line 629) confirms filesystem side effects are working correctly.

apps/frontend/src/main/api/__tests__/websocket.spec.ts (4)

1-72: Well-structured WebSocket test setup.

Proper module mocking and reset between tests ensures isolation. The client management tests verify the expected initial state (0 clients, empty arrays).

78-167: Good defensive broadcast testing.

Testing that broadcast functions don't throw when no clients are connected is important for robustness. This prevents runtime errors in edge cases.

655-741: Excellent broadcast filtering coverage.

The tests properly verify that:

  1. Subscribed clients receive broadcasts for their tasks (lines 656-678)
  2. Non-subscribed clients don't receive irrelevant broadcasts (lines 680-700)
  3. Event type filtering works correctly (lines 702-727)
  4. Clients with no filter receive all events (lines 729-740)

777-812: Good error resilience testing.

Testing graceful handling of closed sockets, send failures, and close failures ensures the WebSocket module won't crash on edge cases. This is critical for production stability.

apps/frontend/src/main/api/routes/tasks.ts (3)

47-66: findTaskAndProject helper has unnecessary variable initialization.

The project variable is declared but not initialized, and TypeScript allows this because of the control flow. However, the return type uses ReturnType<typeof projectStore.getProject> which includes undefined, making the code correct but the intent unclear.

463-535: LGTM! Correct use of 202 Accepted for async operations.

The start endpoint properly returns 202 to indicate the request was accepted but actual execution is asynchronous. Good state validation prevents starting already-running or completed tasks.

595-673: LGTM! Well-implemented review workflow.

The review endpoint correctly validates state, handles both approval and rejection paths, and creates an audit trail via the feedback file. Good use of timestamps in the feedback content.

apps/frontend/src/main/api/server.ts (3)

1-66: Excellent documentation and configuration structure.

The header clearly explains the critical plugin registration order. The request serializer correctly excludes headers to prevent API key logging.

239-264: LGTM! Proper error handling with appropriate logging levels.

Using warn for client errors (4xx) and error for server errors (5xx) is a good practice that keeps logs actionable. The consistent error response structure aids API consumers.

296-366: Clean lifecycle management.

The server lifecycle functions properly track state and provide useful utilities for health checks and diagnostics. The onClose hook (lines 278-284) ensures state is properly cleaned up.

apps/frontend/src/main/api/middleware/auth.ts (3)

1-51: Well-designed authentication module with security best practices.

The design follows good security principles:

  • Fail-closed when keys not loaded
  • Uses Set for O(1) lookup
  • Supports key rotation via comma-separated keys
  • Clear separation of config and state

183-249: LGTM! Clean middleware implementation.

Both middleware functions properly handle authentication with:

  • Clear, context-appropriate error messages
  • Consistent 401 responses
  • No secret leakage in error messages

251-276: Good testing utilities with clear documentation.

The testing utilities are properly documented as test-only. Consider adding a runtime check to prevent production usage if needed:

apps/frontend/src/main/api/websocket.ts (3)

1-38: LGTM!

The module documentation is comprehensive and the imports are well-organized. The type imports from ./types ensure type safety for WebSocket message payloads.

44-70: LGTM!

The ClientSubscription and ConnectedClient interfaces are well-structured. Using Set<T> for subscriptions provides efficient O(1) membership checks for filtering broadcasts.

76-91: LGTM!

Client management with module-level state is appropriate for a singleton WebSocket server. The client ID generation using counter + timestamp provides sufficient uniqueness.

apps/frontend/src/main/api/startup.ts (4)

1-38: LGTM!

The module documentation clearly explains the optional nature of the API server and its integration with the Electron main process lifecycle.

44-104: LGTM!

The result and status interfaces are well-designed, providing structured responses for lifecycle operations and comprehensive metrics for observability.

277-341: LGTM!

The shutdown function demonstrates excellent defensive programming with individual try-catch blocks for each cleanup step, ensuring partial failures don't prevent remaining cleanup. Stats are correctly captured before cleanup operations.

389-392: LGTM!

The fallback logic fastifyInstance ?? getServerInstance() provides a safety net for edge cases where the local reference and server module might be out of sync.

apps/frontend/src/main/api/schemas/index.ts (8)

1-30: LGTM!

The RouteSchema interface properly extends FastifySchema with OpenAPI-specific properties, enabling seamless integration with @fastify/swagger.

36-95: LGTM!

The enum definitions are comprehensive and correctly use as const for type inference. These align with the WebSocket message types used in websocket.ts.

101-126: LGTM!

The base response schemas (apiErrorResponseSchema, apiSuccessResponseSchema) are well-defined with appropriate required fields and clear descriptions.

379-388: LGTM!

The createTaskRequestSchema includes appropriate validation constraints (minLength, maxLength) to prevent empty or excessively long inputs.

618-626: LGTM!

The WebSocket message schema provides a consistent structure for all message types with proper enum validation for the type field.

993-1001: LGTM!

The healthSchema correctly specifies security: [] to indicate this is a public endpoint, which is important for OpenAPI documentation and consumer understanding.

1020-1028: LGTM!

The apiKeySecurityScheme is properly defined and matches the x-api-key header expected by the authentication middleware.

765-776: The default security for protected routes is already properly configured. In apps/frontend/src/main/api/server.ts line 198, the OpenAPI configuration sets security: [{ apiKey: [] }] as the global default. Protected route schemas like createTaskSchema correctly inherit this default and do not need explicit security declarations. Only public endpoints override this by explicitly setting security: [], as confirmed by the test expectations in openapi-spec.test.ts.

apps/frontend/package.json
Comment on lines +53 to +56
"@fastify/cors": "^11.2.0",
"@fastify/swagger": "^9.4.2",
"@fastify/swagger-ui": "^5.2.2",
"@fastify/websocket": "^11.0.2",
Copy link
Contributor

@coderabbitai coderabbitai bot Dec 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🌐 Web query:

fastify latest version npm December 2025

💡 Result:

As of December 26, 2025: the latest published version on npm is 5.6.0. [1] The upstream GitHub repo shows tags up to v5.6.2 (released Nov 9, 2025). [2]

Sources:
[1] npm package page — fastify.
[2] fastify GitHub releases (v5.6.2).

🌐 Web query:

security vulnerabilities fastify @fastify/cors @fastify/swagger @fastify/websocket npm

💡 Result:

Summary — known/security issues (concise):

  • @fastify/websocket — crash on malformed packet (CVE-2022-39386). Affected versions can be crashed by a crafted packet; module was deprecated but fixes released in 5.0.1 and 7.1.1 (upgrade or remove / add error handler). [1][2][3]

  • @fastify/swagger-ui — information exposure when baseDir not set (CVE-2024-22207). Prior to v2.1.0 the default config can expose all files in the module directory; fixed in v2.1.0 (or set baseDir as workaround). [4][5]

  • @fastify/cors — no direct CVE for the cors plugin found in public advisories; current @fastify/cors releases show no known direct vulnerabilities. However Fastify core had a CSRF-related issue (CVE-2022-41919) where incorrect Content-Type handling could bypass CORS/preflight — patched in Fastify v3.29.4 / v4.10.2; mitigate with @fastify/csrf if you cannot upgrade. [6][7][8]

Actionable recommendations (short):

  1. Upgrade packages:

    • @fastify/websocket -> >= 5.0.1 (or 7.1.1 for v4 branch) or remove/replace (deprecated). [1][3]
    • @fastify/swagger-ui -> >= 2.1.0 (or explicitly set baseDir). [4][5]
    • Fastify core -> >= 3.29.4 or >= 4.10.2 to address CSRF/content-type issue. [6][7]
    • Keep @fastify/cors up-to-date (latest shows no direct advisories). [8]

  2. If you can’t upgrade immediately:

    • For swagger-ui: set baseDir to a safe directory to avoid exposing module files. [4][5]
    • For websocket: attach an explicit error handler to protect against uncaught exceptions. [1][3]
    • For CSRF risk: enable @fastify/csrf or other CSRF protections. [6]

References:

  1. NVD / CVE-2022-39386 (@fastify/websocket crash). [turn0search0].
  2. OSV / CVE-2022-39386. [turn0search2].
  3. GitLab advisory / patch details for @fastify/websocket. [turn0search8].
  4. NVD / CVE-2024-22207 (@fastify/swagger-ui exposure). [turn1search2].
  5. Snyk advisory / details for @fastify/swagger-ui. [turn1search5].
  6. GitLab / CVE-2022-41919 (Fastify CSRF/content-type). [turn2search4].
  7. OSV / CVE-2022-41919. [turn2search5].
  8. Snyk / @fastify/cors (no known direct vulnerabilities in latest). [turn2search7].

If you want, I can (a) scan a package.json / lockfile for these packages and flag vulnerable versions, or (b) produce exact npm upgrade commands. Which would you prefer?

🌐 Web query:

@fastify/swagger-ui latest version npm

💡 Result:

Latest published npm version: 5.2.3 (published June 1, 2025). [1][2]

Sources:
[1] npm package page for @fastify/swagger-ui.
[2] Yarn/npm registry listing (version history).

🌐 Web query:

@fastify/websocket 11.0.2 CVE-2022-39386 vulnerable

💡 Result:

Short answer: No — @fastify/websocket v11.0.2 is not known to be affected by CVE-2022-39386. The vulnerability (CVE-2022-39386 / GHSA-4pcg-wr6c-h9cq) was a crash on a malformed packet and was fixed in fastify-websocket releases (notably v5.0.1 and v7.1.1); subsequent maintained releases (current 11.x) are reported clean. [1][2][3]

Sources:

  • NVD / CVE-2022-39386 (description + fixed versions). [1]
  • GitLab advisory / affected/fixed versions (upgrade to 5.0.1, 7.1.1 or later). [2]
  • Snyk package page showing latest 11.x has no known direct security issues. [3]

If you want, I can: (a) fetch the exact changelog entry for v11.0.2, or (b) scan your project to see whether any transitive dependency pulls an older vulnerable release. Which do you prefer?

🌐 Web query:

@fastify/cors 11.2.0 latest version npm

💡 Result:

Yes — the current latest release is @fastify/cors v11.2.0. [1][2]

Sources:

  • Socket.dev package page (shows 11.2.0 as latest). [1]
  • fastify/fastify-cors GitHub releases (v11.2.0). [2]

🌐 Web query:

@fastify/swagger 9.4.2 latest version security

💡 Result:

Short answer:

  • @fastify/swagger v9.4.2 is not the latest; current latest in the repo/npm is v9.6.1. [1][2]
  • There are no known direct vulnerabilities in @fastify/swagger itself (Snyk / security databases report no direct issues). [3]
  • A related security advisory exists for the separate package @fastify/swagger-ui (CVE‑2024‑22207) — it affected swagger-ui prior to v2.1.0 (exposed module files when baseDir was not set); that was fixed in @fastify/swagger-ui v2.1.0. If you use the UI plugin, upgrade it or set baseDir. [4]

Sources:

  • @fastify/swagger v9.4.2 npm page. [1]
  • fastify-swagger repo / package.json showing v9.6.1 (latest). [2]
  • Snyk package security summary (no known direct vulnerabilities). [3]
  • CVE‑2024‑22207 advisory (fastify-swagger-ui information disclosure). [4]

Update outdated Fastify packages to current versions.

Several packages are behind current releases:

  • fastify: 5.3.4 → 5.6.0 (latest)
  • @fastify/swagger: 9.4.2 → 9.6.1 (latest)
  • @fastify/swagger-ui: 5.2.2 → 5.2.3 (latest)

@fastify/cors 11.2.0 and @fastify/websocket 11.0.2 are current. No known security vulnerabilities exist in the specified versions; however, upgrading ensures access to bug fixes and improvements.

🤖 Prompt for AI Agents 
In apps/frontend/package.json around lines 53 to 56, several Fastify-related
dependencies are out of date; update "fastify" to ^5.6.0, "@fastify/swagger" to
^9.6.1, and "@fastify/swagger-ui" to ^5.2.3 in the dependencies block, then run
yarn install or npm install to refresh lockfile, run the frontend test/build
scripts to verify compatibility, and address any breaking changes reported
during build or runtime.

apps/frontend/src/main/api/event-bridge.ts
Comment on lines +160 to +165
if (progress.phase === 'qa_review') {
if (debugMode) {
process.stdout.write(`[EventBridge] status-change (qa_review): ${taskId} -> ai_review\n`);
}
broadcastTaskStatusChange(taskId, 'ai_review');
}
Copy link
Contributor

@coderabbitai coderabbitai bot Dec 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick | 🔵 Trivial

Document the qa_review → ai_review status transition.

The automatic status change from qa_review phase to ai_review status is a significant business logic decision embedded in the event bridge. Consider documenting this behavior in the module header or inline comment to explain why this transition occurs automatically.

🤖 Prompt for AI Agents 
In apps/frontend/src/main/api/event-bridge.ts around lines 160 to 165, add
documentation explaining the automatic transition from progress.phase
'qa_review' to task status 'ai_review'; specifically, insert a short
module-level or inline comment that states why this business rule exists (e.g.,
QA phase triggers AI re-evaluation automatically), when it should apply, and any
side effects (broadcastTaskStatusChange call and debug logging) so future
readers understand the rationale and can safely modify or remove this automatic
transition.

apps/frontend/src/main/api/event-bridge.ts
Comment on lines +282 to +288
for (const cleanup of cleanupFunctions) {
try {
cleanup();
} catch {
// Ignore cleanup errors during shutdown
}
}
Copy link
Contributor

@coderabbitai coderabbitai bot Dec 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick | 🔵 Trivial

Silent error suppression during cleanup may hide issues.

The cleanup loop catches and ignores all errors. While acceptable during shutdown, this could hide legitimate issues (e.g., resource leaks, handler removal failures). Consider logging errors at a minimum to aid debugging.

🔎 Proposed improvement 
   for (const cleanup of cleanupFunctions) {
     try {
       cleanup();
-    } catch {
-      // Ignore cleanup errors during shutdown
+    } catch (error) {
+      if (debugMode) {
+        process.stdout.write(`[EventBridge] Cleanup error (ignored): ${error}\n`);
+      }
     }
   }

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents 
In apps/frontend/src/main/api/event-bridge.ts around lines 282 to 288, the
cleanup loop currently swallows all exceptions which can hide real issues;
update the catch to at minimum log the error (use the module's logger if
available, else console.error) including context about which cleanup function
failed so shutdown errors are visible for debugging and post-mortem.

apps/frontend/src/main/api/middleware/auth.ts
Comment on lines +113 to +129
export function validateApiKey(apiKey: string | undefined | null): ApiKeyValidation {
if (!apiKey || typeof apiKey !== 'string') {
return { valid: false };
}

if (!keysLoaded) {
// Keys not loaded - fail closed (reject)
return { valid: false };
}

const isValid = authConfig.validKeys.has(apiKey);

return {
valid: isValid,
// Note: We don't include keyId to avoid leaking information
};
}
Copy link
Contributor

@coderabbitai coderabbitai bot Dec 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick | 🔵 Trivial

Consider timing-safe comparison for high-security deployments.

The Set.has() method at line 123 uses standard equality comparison, which can leak timing information. For an internal API with short-lived sessions, this is low risk. However, for internet-exposed deployments, consider using timing-safe comparison.

import { timingSafeEqual } from 'crypto';

// Convert to timing-safe comparison if security requirements increase
function validateApiKey(apiKey: string | undefined | null): ApiKeyValidation {
  if (!apiKey || typeof apiKey !== 'string' || !keysLoaded) {
    return { valid: false };
  }
  
  const apiKeyBuffer = Buffer.from(apiKey);
  for (const validKey of authConfig.validKeys) {
    const validKeyBuffer = Buffer.from(validKey);
    if (apiKeyBuffer.length === validKeyBuffer.length && 
        timingSafeEqual(apiKeyBuffer, validKeyBuffer)) {
      return { valid: true };
    }
  }
  return { valid: false };
}
🤖 Prompt for AI Agents 
In apps/frontend/src/main/api/middleware/auth.ts around lines 113 to 129,
replace the direct Set.has() lookup with a timing-safe comparison to avoid
leaking timing information: import timingSafeEqual from 'crypto', validate
apiKey and keysLoaded as before, convert the candidate apiKey and each stored
key to Buffers, check lengths match then use timingSafeEqual to compare, return
true on first match and false otherwise; preserve current behavior of returning
{ valid: false } when apiKey is missing/invalid or keys not loaded and keep not
returning keyId.

apps/frontend/src/main/api/websocket.ts
Comment on lines +68 to +69
/** Last activity timestamp (for connection health) */
lastActivity: Date;
Copy link
Contributor

@coderabbitai coderabbitai bot Dec 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick | 🔵 Trivial

lastActivity tracking is implemented but not utilized for connection health.

The lastActivity field is updated on ping and message events but there's no timeout mechanism to disconnect stale clients. If connection health monitoring is planned, consider adding a periodic check to close inactive connections.

Do you want me to generate a stale connection cleanup mechanism, or is this planned for a future iteration?

🤖 Prompt for AI Agents 
In apps/frontend/src/main/api/websocket.ts around lines 68 to 69, lastActivity
is being tracked but there is no mechanism to disconnect stale clients; add a
periodic cleanup: create a configurable INACTIVITY_THRESHOLD (ms) and a
setInterval task (either per-server or global) that iterates active connections,
compares Date.now() - conn.lastActivity.getTime(), and calls conn.close() (and
performs any connection cleanup) for those exceeding the threshold; ensure the
interval is cleared when the server is shut down and that you update/refresh
lastActivity on existing ping/message handlers so the timeout logic works
correctly.

apps/frontend/src/main/api/websocket.ts
Comment on lines +165 to +173
function sendToClient(client: ConnectedClient, message: WebSocketMessage<unknown>): void {
if (client.socket.readyState === 1) { // WebSocket.OPEN
try {
client.socket.send(JSON.stringify(message));
} catch {
// Socket may have closed, will be cleaned up by close handler
}
}
}
Copy link
Contributor

@coderabbitai coderabbitai bot Dec 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick | 🔵 Trivial

Consider using the WebSocket.OPEN constant for readability.

The magic number 1 works, but using WebSocket.OPEN (or a named constant) would improve code clarity and maintainability.

🔎 Suggested improvement 
+// At top of file or in constants section
+const WS_OPEN = 1; // WebSocket.OPEN state
+
 function sendToClient(client: ConnectedClient, message: WebSocketMessage<unknown>): void {
-  if (client.socket.readyState === 1) { // WebSocket.OPEN
+  if (client.socket.readyState === WS_OPEN) {
     try {
       client.socket.send(JSON.stringify(message));
     } catch {
       // Socket may have closed, will be cleaned up by close handler
     }
   }
 }
🤖 Prompt for AI Agents 
In apps/frontend/src/main/api/websocket.ts around lines 165 to 173, the code
uses the numeric literal 1 to check socket.readyState; replace that magic number
with the WebSocket.OPEN constant (or a locally defined named constant) for
clarity and maintainability, and ensure the WebSocket symbol is available in
this module (import or reference the appropriate WebSocket type/library if
needed) so the comparison becomes client.socket.readyState === WebSocket.OPEN
and retains the same behavior.

apps/frontend/src/main/api/websocket.ts
Comment on lines +252 to +258
if (payload.events && Array.isArray(payload.events)) {
for (const event of payload.events) {
if (typeof event === 'string') {
client.subscription.eventTypes.delete(event as WebSocketMessageType);
}
}
}
Copy link
Contributor

@coderabbitai coderabbitai bot Dec 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick | 🔵 Trivial

Type assertion without validation could accept invalid event types for deletion.

The deletion at line 255 casts to WebSocketMessageType without checking isValidEventType(). While this doesn't break functionality (deleting a non-existent key is safe), it's inconsistent with the subscribe handler which validates event types at line 213.

🔎 Suggested improvement for consistency 
     // Remove event type subscriptions
     if (payload.events && Array.isArray(payload.events)) {
       for (const event of payload.events) {
-        if (typeof event === 'string') {
-          client.subscription.eventTypes.delete(event as WebSocketMessageType);
+        if (typeof event === 'string' && isValidEventType(event)) {
+          client.subscription.eventTypes.delete(event);
         }
       }
     }
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
if (payload.events && Array.isArray(payload.events)) {
for (const event of payload.events) {
if (typeof event === 'string') {
client.subscription.eventTypes.delete(event as WebSocketMessageType);
}
}
}
if (payload.events && Array.isArray(payload.events)) {
for (const event of payload.events) {
if (typeof event === 'string' && isValidEventType(event)) {
client.subscription.eventTypes.delete(event);
}
}
}
🤖 Prompt for AI Agents 
In apps/frontend/src/main/api/websocket.ts around lines 252 to 258, the
unsubscribe branch deletes event types using a type assertion (as
WebSocketMessageType) without validating the value; update it to mirror the
subscribe handler by calling isValidEventType(event) and only deleting when that
returns true, removing the unsafe type assertion so you only call
client.subscription.eventTypes.delete(event) for validated event strings.

apps/frontend/src/main/api/websocket.ts
Comment on lines +337 to +339
function getClientsArray(): ConnectedClient[] {
return Array.from(clients.values());
}
Copy link
Contributor

@coderabbitai coderabbitai bot Dec 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick | 🔵 Trivial

Remove duplicate helper function.

getClientsArray() at line 337 duplicates getAllClients() at line 103. Consider using the existing exported function instead.

🔎 Suggested fix 
-/**
- * Get all connected clients as an array
- */
-function getClientsArray(): ConnectedClient[] {
-  return Array.from(clients.values());
-}
-
 /**
  * Broadcast task progress event to subscribed clients
  */
 export function broadcastTaskProgress(taskId: string, plan: ImplementationPlan): void {
   const payload: TaskProgressPayload = { taskId, plan };
   const message = createMessage('task-progress', payload);

-  for (const client of getClientsArray()) {
+  for (const client of getAllClients()) {
     if (isSubscribedToTask(client, taskId) && isSubscribedToEvent(client, 'task-progress')) {
       sendToClient(client, message);
     }
   }
 }

Apply the same change to all other broadcast functions.

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents 
In apps/frontend/src/main/api/websocket.ts around lines 337 to 339, remove the
duplicate helper getClientsArray() and replace its uses with the existing
exported getAllClients() defined at line ~103; delete the redundant function,
update any local calls (and other broadcast functions) to call getAllClients()
instead, and run a quick type-check to ensure imports/exports remain correct
after removal.

apps/frontend/src/main/api/websocket.ts
Comment on lines +589 to +591
// Send welcome message with client ID
sendToClient(client, createMessage('pong', { clientId, message: 'Connected successfully' }));
};
Copy link
Contributor

@coderabbitai coderabbitai bot Dec 26, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick | 🔵 Trivial

Welcome message uses 'pong' type which is semantically misleading.

The welcome message at line 590 uses the 'pong' message type, but it's not a response to a ping. Consider adding a dedicated 'connected' or 'welcome' message type for clarity, or use a more descriptive approach.

🔎 Suggested approach

If adding a new message type isn't desired, consider documenting this behavior clearly:

-    // Send welcome message with client ID
-    sendToClient(client, createMessage('pong', { clientId, message: 'Connected successfully' }));
+    // Send initial pong with client ID to confirm connection and provide identifier
+    // Using 'pong' type maintains compatibility with clients expecting heartbeat responses
+    sendToClient(client, createMessage('pong', { clientId, message: 'Connected successfully' }));

Alternatively, add 'connected' to the webSocketMessageTypeEnum in schemas and use it here.

🤖 Prompt for AI Agents 
In apps/frontend/src/main/api/websocket.ts around lines 589 to 591, the welcome
message is sent with the 'pong' type which is semantically misleading; change it
to a dedicated type like 'connected' or 'welcome' (or update the
webSocketMessageTypeEnum to include 'connected' and use that) so the message
clearly represents a connection notification; update any TypeScript
types/schemas and any consumers that expect 'pong' to accept the new type, and
ensure tests or docs reflect the new message type.

@kvnloo kvnloo changed the title Feature/api Add REST API layer with HTTP endpoints and WebSocket support Dec 26, 2025
@MikeeBuilds MikeeBuilds added feature New feature or request area/fullstack This is Frontend + Backend size/XL Extra large (1000+ lines) labels Dec 27, 2025
github-advanced-security[bot]
github-advanced-security bot found potential problems Dec 27, 2025
View reviewed changes
Copy link
Contributor

@github-advanced-security github-advanced-security bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CodeQL found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.

@AndyMik90
Copy link
Owner

AndyMik90 commented Dec 27, 2025

@kvnloo could you take a look at the CodeQL issues?

@AndyMik90 AndyMik90 added the blocked Waiting on something label Dec 27, 2025
@AndyMik90 AndyMik90 self-assigned this Dec 28, 2025
@AlexMadera AlexMadera self-assigned this Dec 29, 2025
AlexMadera
AlexMadera requested changes Dec 29, 2025
View reviewed changes
Copy link
Collaborator

@AlexMadera AlexMadera left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤖 Auto Claude PR Review

Merge Verdict: 🟡 MERGE WITH CHANGES

1 high-priority issues to address

Risk Assessment

Factor Level Notes
Complexity High Based on lines changed
Security Impact Medium Based on security findings
Scope Coherence Good Based on structural review

Findings Summary

  • High: 1 issue(s)
  • Medium: 2 issue(s)
  • Low: 4 issue(s)

Generated by Auto Claude PR Review

Findings (1 selected of 7 total)

🟠 [HIGH] Missing Rate Limiting on Authentication

📁 apps/frontend/src/main/api/middleware/auth.ts:188

The authenticateApiKey middleware validates API keys but has no rate limiting mechanism. This allows unlimited authentication attempts, making the API vulnerable to brute force attacks. An attacker could attempt thousands of keys per second to guess valid credentials.

Suggested fix:

Add rate limiting using @fastify/rate-limit plugin. Configure max 5-10 failed attempts per IP per minute with exponential backoff. Example: fastify.register(import('@fastify/rate-limit'), { max: 5, timeWindow: 60000 })

This review was generated by Auto Claude.

AlexMadera
AlexMadera requested changes Dec 29, 2025
View reviewed changes
Copy link
Collaborator

@AlexMadera AlexMadera left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤖 Auto Claude PR Review

Merge Verdict: 🟡 MERGE WITH CHANGES

1 high-priority issues to address

Risk Assessment

Factor Level Notes
Complexity High Based on lines changed
Security Impact Medium Based on security findings
Scope Coherence Good Based on structural review

Findings Summary

  • High: 1 issue(s)
  • Medium: 2 issue(s)
  • Low: 4 issue(s)

Generated by Auto Claude PR Review

Findings (7 selected of 7 total)

🟠 [HIGH] Missing Rate Limiting on Authentication

📁 apps/frontend/src/main/api/middleware/auth.ts:188

The authenticateApiKey middleware validates API keys but has no rate limiting mechanism. This allows unlimited authentication attempts, making the API vulnerable to brute force attacks. An attacker could attempt thousands of keys per second to guess valid credentials.

Suggested fix:

Add rate limiting using @fastify/rate-limit plugin. Configure max 5-10 failed attempts per IP per minute with exponential backoff. Example: fastify.register(import('@fastify/rate-limit'), { max: 5, timeWindow: 60000 })

🟡 [MEDIUM] API Key in Query String Risks Log Exposure

📁 apps/frontend/src/main/api/middleware/auth.ts:144

WebSocket authentication supports api_key query parameter (?api_key=xxx). Query strings commonly appear in server access logs, proxy logs, CDN logs, browser history, and referrer headers. This could inadvertently expose API keys.

Suggested fix:

Add prominent security warning in documentation about log scrubbing. Consider logging query parameters with api_key redacted. For highest security, only support header-based authentication for WebSocket (though this limits browser WebSocket client support).

🟡 [MEDIUM] Exit Handler Ignores Process Exit Code

📁 apps/frontend/src/main/api/event-bridge.ts:106

handleAgentExit receives the exit code but never uses it to determine task status. All process exits (success or failure) result in 'human_review' status. Failed processes (exit code != 0) should likely transition to a different status like 'failed' to distinguish from successful completions.

Suggested fix:

Check exit code before setting status: if (code !== 0 && code !== null) { newStatus = 'failed'; } else if (processType === 'task-execution' || processType === 'qa-process') { newStatus = 'human_review'; }

🔵 [LOW] Required API_KEY is Commented Out

📁 apps/frontend/.env.example:51

The API_KEY environment variable is commented out in .env.example. Since loadApiKeys() throws an error if API_KEY is not set, users copying .env.example might miss this required configuration, leading to startup failures.

Suggested fix:

Add a clear 'REQUIRED' comment and consider adding a placeholder value like 'API_KEY=your-secure-key-here-REQUIRED' (uncommented with instruction) or add startup validation with user-friendly error message.

🔵 [LOW] Large Schema File Could Be Split

📁 apps/frontend/src/main/api/schemas/index.ts:1

The schemas file is 1028 lines containing all API schemas. While functional, this could be split into domain-specific files (taskSchemas.ts, projectSchemas.ts, monitoringSchemas.ts) for better maintainability.

Suggested fix:

Consider splitting into separate schema files per domain: schemas/task.ts, schemas/project.ts, schemas/monitoring.ts, schemas/websocket.ts, and re-exporting from schemas/index.ts

🔵 [LOW] Inconsistent Error Handling for Invalid Event Types

📁 apps/frontend/src/main/api/websocket.ts:0

Based on test patterns, subscribe with missing payload returns an error, but invalid event types in the events array are silently filtered out. This inconsistency could confuse API consumers who won't know their subscription to 'invalid-event' was ignored.

Suggested fix:

Either return an error/warning for invalid event types, or document this behavior clearly in the API docs. Consistent behavior would be to return an error with the list of valid event types.

🔵 [LOW] WebSocket Endpoint Not in OpenAPI Spec

📁 apps/frontend/src/__tests__/integration/openapi-spec.test.ts:270

Test explicitly notes that WebSocket routes may not appear in OpenAPI spec due to @fastify/websocket limitations. While OpenAPI 3.0 doesn't formally support WebSocket, the API documentation is incomplete without describing the /ws endpoint.

Suggested fix:

Add manual WebSocket documentation section to the OpenAPI spec description, or create a separate markdown document describing WebSocket protocol, message types, and authentication.

This review was generated by Auto Claude.

@AlexMadera AlexMadera added this to the Release 2.8 milestone Dec 30, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@github-actions github-actions[bot] github-actions[bot] left review comments

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@AlexMadera AlexMadera AlexMadera requested changes

Requested changes must be addressed to merge this pull request.

Assignees

@AlexMadera AlexMadera

@AndyMik90 AndyMik90

Labels

area/fullstack This is Frontend + Backend blocked Waiting on something feature New feature or request ❌ MERGE CONFLICTS size/XL Extra large (1000+ lines)

Projects

None yet

Milestone

Release 2.8

Development

Successfully merging this pull request may close these issues.

4 participants

@kvnloo @AndyMik90 @AlexMadera @MikeeBuilds