fix(auth): migrate lint API to authenticated axios and harden E2E tests

[frankbria]

Summary

• Migrate lint API from standalone axios to authFetch to fix 401 errors from LintTrendChart
• Improve error handling in TaskReview component with specific error messages and auth error detection
• Add response interceptor logging for 401 errors in development mode
• Remove obsolete auth-bypass.ts file (no tests were using it)
• Add Project 6 seed data for task breakdown workflow tests (planning phase, PRD complete, no tasks)
• Fix stale discovery state issue by DELETE before INSERT in seed data
• Add data-testid attributes to TaskTreeView for E2E test selectors

Test Results

• Before: 92 passed, 8 skipped
• After: 94 passed, 6 skipped

Files Changed

• web-ui/src/api/lint.ts - Migrated to authFetch
• web-ui/src/components/TaskReview.tsx - Improved error handling
• web-ui/src/lib/api.ts - Added response interceptor for 401 logging
• web-ui/src/components/TaskTreeView.tsx - Added data-testid attributes
• tests/e2e/auth-bypass.ts - Deleted (unused)
• tests/e2e/seed-test-data.py - Added Project 6 for task breakdown tests
• tests/e2e/test_task_breakdown.spec.ts - Updated to use Project 6
• tests/e2e/test_state_reconciliation.spec.ts - Fixed test selectors
• tests/e2e/E2E_TEST_AUDIT.md - Updated documentation
• tests/e2e/README-USER-JOURNEY-TESTS.md - Updated documentation

Test plan

• Run full E2E test suite with ANTHROPIC_API_KEY
• Verify lint API no longer returns 401 errors
• Verify task breakdown tests now pass with Project 6
• Verify TaskTreeView testids work for E2E selectors

Summary by CodeRabbit

• Bug Fixes

  • Improved error handling and clearer messages for task approval; triggers login redirect on expired sessions.
  • Added API-side error logging for unauthorized and other response errors.

• Tests

  • Converted e2e suite to real JWT-based UI authentication; removed bypass utilities.
  • Strengthened tests to validate approval API responses and robustly detect task UI states.
  • Seeded a dedicated project for task breakdown scenarios.

• Documentation

  • Updated e2e docs to reflect real authentication flows.

• Chores

  • Added an e2e script to the ignore list.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

This PR migrates E2E tests from an auth-bypass to real FastAPI Users JWT authentication, removes the bypass utility, updates seeding and tests to use a seeded Project 6 for task breakdown, strengthens API/client error handling and logging, adds testability attributes to UI components, and refactors frontend lint endpoints to use authFetch.

Changes

Cohort / File(s)	Change Summary
Configuration & Gitignore ​.gitignore	Added tests/e2e/run-e2e-full.sh to the Testing ignore list.
E2E Audit & Docs tests/e2e/E2E_TEST_AUDIT.md, tests/e2e/README-USER-JOURNEY-TESTS.md	Overhauled audit to consolidated RESOLVED sections and replaced BetterAuth auth-bypass narrative with FastAPI Users JWT real-login flow and localStorage token handling.
E2E Auth Utility tests/e2e/auth-bypass.ts	Deleted auth-bypass helper (removed setTestUserSession and getTestUserCredentials).
E2E Seed Data tests/e2e/seed-test-data.py	Added seeding for Project 6 (planning phase, PRD complete, no tasks), workspace, memories, and a minimal project-agent assignment; ensures no tasks exist for project 6.
E2E Tests — State & Task Breakdown tests/e2e/test_state_reconciliation.spec.ts, tests/e2e/test_task_breakdown.spec.ts	Broadened UI selectors and visibility checks (task-tree, task-cards, task-items, task-stats), added lazy-expansion logic for late-joiners, introduced TASK_BREAKDOWN_PROJECT_ID = '6' and a new API response validation test that inspects approval responses (2xx/4xx/401/403/500 handling).
Frontend API Client / Lint web-ui/src/api/lint.ts, web-ui/src/lib/api.ts	Replaced axios calls in lint endpoints with authFetch; added Axios response interceptor to log 401 and development-only error details.
Components — Error Handling & Testability web-ui/src/components/TaskReview.tsx, web-ui/src/components/TaskTreeView.tsx	TaskReview: granular error parsing for 401/403/404, sets user-facing messages, triggers login redirect on auth expiry, and propagates an Error to caller. TaskTreeView: added data-testid and data-status attributes to tasks/issues for test selectors.

Sequence Diagram(s)

sequenceDiagram
  actor Browser
  participant Frontend
  participant AuthAPI as FastAPI Auth
  participant AppAPI as FastAPI App
  participant DB

  Browser->>Frontend: Navigate to login & submit credentials
  Frontend->>AuthAPI: POST /auth/login (credentials)
  AuthAPI->>DB: verify user/password
  DB-->>AuthAPI: user record
  AuthAPI-->>Frontend: 200 + JWT
  Frontend-->>Browser: store JWT in localStorage
  Browser->>Frontend: User triggers approve task
  Frontend->>AppAPI: POST /tasks/approve (Authorization: Bearer JWT)
  AppAPI->>DB: validate token & perform action
  DB-->>AppAPI: action result
  AppAPI-->>Frontend: 2xx or 4xx/401/403/500 response
  Frontend->>Browser: show success or specific error (401 -> redirect to login)

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Possibly related issues

• [P2] Add unit tests for FastAPI Users authentication #164 — The PR migrates E2E tests to FastAPI Users JWT and removes the auth-bypass, matching the issue's objective to add unit/tests around the FastAPI Users auth changes.

Possibly related PRs

• feat(planning): Add Generate Task Breakdown button to DiscoveryProgress #213 — Related: adds generateTasks API and Task Breakdown feature exercised by the new seeding and tests.
• Migrate Authentication from BetterAuth to FastAPI Users #163 — Related: implements the same migration from auth-bypass to FastAPI Users JWT across tests and tooling.
• feat: Add inline dependency rendering to TaskTreeView #49 — Related: touches TaskTreeView and aligns with the added data-testid/data-status attributes.

Poem

🐰 I hopped through seeds and fixed the test-bypass,
Now JWTs hum as browsers sing in class.
Task trees wear tags, approvals shout their plea,
Auth errors logged, then bounced politely — whee!
Seeds planted true, the E2E garden grows with glee.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately reflects the main changes: migrating the lint API to use authenticated requests and hardening E2E tests with better selectors and project setup.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/auth-e2e-hardening

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[claude]

Code Review - PR #238: Auth Migration & E2E Test Hardening

This PR successfully addresses critical authentication issues and hardens the E2E test suite. Overall quality is excellent with well-structured changes following best practices. Here's my detailed review:

---

✅ Strengths

1. Authentication Migration (lint.ts)

• Perfect implementation of the migration from standalone axios to authFetch
• Clean removal of direct axios dependency
• Consistent API_BASE pattern with proper environment variable fallback
• All 4 endpoints properly migrated with correct type signatures

2. Comprehensive Error Handling (TaskReview.tsx)

• Excellent error extraction logic (lines 218-259)
• Specific error messages for 401/403/404 status codes
• Smart parsing of API error details from authFetch format
• Proper user redirection to login on auth errors with delay
• Clear debugging via console.error with full context

3. Response Interceptor (api.ts)

• Very helpful 401 debugging context (lines 31-63)
• Development-only detailed logging prevents production noise
• Logs method, URL, and auth header presence for quick debugging
• Helpful checklist for common auth issues

4. Test Data Architecture (seed-test-data.py)

• Critical fix: DELETE before INSERT prevents stale discovery state conflicts (lines 1909-1914)
• Well-documented Project 6 seed data with clear purpose
• Comprehensive PRD content for realistic task breakdown testing
• Proper cleanup ensures test isolation

5. E2E Test Improvements

• Removed obsolete auth-bypass.ts - proper cleanup
• Added data-testid attributes to TaskTreeView for stable selectors
• Updated documentation (E2E_TEST_AUDIT.md, README-USER-JOURNEY-TESTS.md)
• Better test resilience with alternate state verification

---

🔍 Issues & Recommendations

MINOR: Error Message Parsing (TaskReview.tsx:234-245)

Issue: The error parsing logic attempts to JSON.parse error details, but falls back silently on parse failure. This is fine, but could be more explicit.

Current code:

try {
  const detail = JSON.parse(detailMatch[1]);
  errorMessage = detail.detail || detail.message || errorMessage;
} catch {
  // Use the raw message if not JSON
  errorMessage = detailMatch[1] || errorMessage;
}

Recommendation: Consider logging parse failures in development mode:

} catch (parseError) {
  if (process.env.NODE_ENV === 'development') {
    console.warn('[TaskReview] Could not parse error detail as JSON:', detailMatch[1]);
  }
  errorMessage = detailMatch[1] || errorMessage;
}

This would help debug unexpected error formats without affecting production.

---

MINOR: Magic Number (TaskReview.tsx:254)

Issue: Hardcoded 2000ms delay before redirect on auth error.

Current code:

setTimeout(() => {
  router.push('/login');
}, 2000);

Recommendation: Extract to named constant for maintainability:

const AUTH_ERROR_REDIRECT_DELAY_MS = 2000;

// Later...
setTimeout(() => {
  router.push('/login');
}, AUTH_ERROR_REDIRECT_DELAY_MS);

---

MINOR: Type Safety (api.ts:142)

Issue: Empty response returns {} as T, which may not be type-safe if T has required fields.

Current code:

if (\!text) {
  return {} as T;
}

Recommendation: Consider documenting this behavior or returning undefined for empty responses:

// Option 1: Document the behavior
// Handle empty responses (204 No Content, etc.)
// Returns empty object - callers should expect this for 204 responses
if (\!text) {
  return {} as T;
}

// Option 2: Return undefined and adjust return type
if (\!text) {
  return undefined as T;
}

Alternatively, consider throwing an error if the response is unexpectedly empty.

---

OBSERVATION: Seed Data Complexity (seed-test-data.py)

Note: The seed data script is growing quite large (2017 lines). While Project 6 addition is well-documented and necessary, consider:

• Breaking into smaller seed data modules by test scenario
• Using a seed data builder pattern
• Extracting reusable fixtures

This is not blocking for this PR but worth considering for future maintainability.

---

🔒 Security Review

✅ No security concerns identified

• JWT tokens properly stored in localStorage (standard practice for SPAs)
• Auth token included in all authenticated requests
• 401 errors properly handled with re-authentication
• No credentials logged or exposed
• WebSocket auth via query param is acceptable (FastAPI Users pattern)

---

🧪 Test Coverage

✅ Excellent test coverage improvements

• Test suite now uses real authentication (no bypass)
• Strict error filtering (only navigation cancellation allowed)
• Project 6 provides proper test isolation for task breakdown
• Test result improvement: 92→94 passed, 8→6 skipped

Verification needed: Have you run the full E2E suite with ANTHROPIC_API_KEY to verify the lint API fix actually resolves the 401 errors in LintTrendChart?

---

📋 Code Quality Checklist

• ✅ Follows repository conventions (CLAUDE.md)
• ✅ Uses proper TypeScript types
• ✅ Error handling is comprehensive
• ✅ Logging appropriate for development debugging
• ✅ Documentation updated (E2E_TEST_AUDIT.md, README)
• ✅ No hardcoded URLs (uses environment variables)
• ✅ Proper cleanup (auth-bypass.ts deleted)
• ✅ Data testids added for E2E stability

---

🎯 Verdict

APPROVED ✅ (with minor suggestions for future consideration)

This is a high-quality PR that successfully:

1. Fixes the root cause of lint API 401 errors
2. Removes technical debt (auth-bypass)
3. Improves error handling and debugging
4. Hardens E2E test suite with proper authentication
5. Adds proper test isolation with Project 6 seed data

The minor suggestions above are non-blocking and can be addressed in follow-up PRs if desired.

---

📌 Action Items

Before merge:

• Confirm full E2E test suite passes with ANTHROPIC_API_KEY
• Verify lint API no longer returns 401 in LintTrendChart component
• Verify task breakdown tests pass with Project 6

Future improvements (optional):

• Consider extracting magic numbers to named constants
• Add development logging for error parse failures
• Consider seed data refactoring as file grows

---

Great work on this PR! The authentication migration is clean, error handling is thorough, and the test improvements significantly increase confidence in the system. 🚀

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)

tests/e2e/README-USER-JOURNEY-TESTS.md (3)

19-19: Stale reference to BetterAuth API.

Line 19 still mentions "BetterAuth API integration (sign-in endpoint)" but the authentication section (lines 100-135) now describes FastAPI Users JWT. Consider updating this line for consistency.

---

142-143: Inconsistent reference to BetterAuth.

Line 142 mentions "Unified authentication system - BetterAuth aligned with CodeFRAME schema" but the PR migrates to FastAPI Users JWT. This should be updated to reflect the current architecture.

---

229-229: Stale reference to auth bypass.

Line 229 mentions "Auth bypass allows consistent execution" but auth bypass was removed in this PR. The text should reflect that tests now use real authentication.

📝 Suggested fix

-| Tests run in CI without flakiness | ✅ Complete - Auth bypass allows consistent execution |
+| Tests run in CI without flakiness | ✅ Complete - Real JWT authentication with seeded test user |

🤖 Fix all issues with AI agents

In @tests/e2e/test_task_breakdown.spec.ts:
- Around line 416-420: The conditional passed to page.waitForResponse currently
relies on operator precedence and allows any method for URLs matching
'/tasks/approve'; update the predicate used in page.waitForResponse (the inline
response => ... arrow function) to explicitly group conditions so the method()
=== 'POST' is applied to both URL checks — e.g. wrap the URL checks in
parentheses and then && response.request().method() === 'POST' so it becomes
(response.url().includes('/tasks/approve') ||
response.url().includes('/api/projects/')) && response.request().method() ===
'POST'.

🧹 Nitpick comments (4)

tests/e2e/E2E_TEST_AUDIT.md (2)

56-61: Add language specifier to fenced code block.

Static analysis flagged this code block as missing a language specifier. Based on the content (describing a flow diagram), consider using text or plaintext.

📝 Suggested fix

-```
+```text
 loginUser(page) -> /login page -> fill credentials -> submit -> JWT stored in localStorage

---

64-67: Add language specifier to fenced code block.

Same issue—missing language specifier.

📝 Suggested fix

-```
+```text
 setupErrorMonitoring(page) -> captures console errors, network failures, failed requests
 afterEach: checkTestErrors(page, context, [minimal filters]) -> asserts no unexpected errors

tests/e2e/test_task_breakdown.spec.ts (2)

392-395: Consider replacing fixed timeout with element-based wait.

Fixed timeouts (waitForTimeout(500)) can cause flakiness. Consider waiting for a specific element that indicates the tab content has loaded.

Suggested improvement

     if (await tasksTab.count() > 0 && await tasksTab.isVisible()) {
       await tasksTab.click();
-      await page.waitForTimeout(500);
+      await page.waitForLoadState('networkidle');
     }

---

459-462: Variable name is misleading.

The catch block handles all exceptions, not just timeouts. Consider renaming for clarity.

Suggested fix

-    } catch (timeoutError) {
+    } catch {
       // No matching response within timeout
       console.log('ℹ️ No matching API response captured (may use different endpoint)');
     }

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 15efb26 and a34e77f.

📒 Files selected for processing (11)

• .gitignore
• tests/e2e/E2E_TEST_AUDIT.md
• tests/e2e/README-USER-JOURNEY-TESTS.md
• tests/e2e/auth-bypass.ts
• tests/e2e/seed-test-data.py
• tests/e2e/test_state_reconciliation.spec.ts
• tests/e2e/test_task_breakdown.spec.ts
• web-ui/src/api/lint.ts
• web-ui/src/components/TaskReview.tsx
• web-ui/src/components/TaskTreeView.tsx
• web-ui/src/lib/api.ts

💤 Files with no reviewable changes (1)

• tests/e2e/auth-bypass.ts

🧰 Additional context used

📓 Path-based instructions (6)

web-ui/src/**/*.{ts,tsx}

📄 CodeRabbit inference engine (CLAUDE.md)

web-ui/src/**/*.{ts,tsx}: Use TypeScript 5.3+ for frontend development with React 18, Next.js 14, Tailwind CSS, and Hugeicons for icons
Use TypeScript strict mode and ensure 100% type safety with no hardcoded types or any usage in frontend code

Files:

• web-ui/src/lib/api.ts
• web-ui/src/components/TaskReview.tsx
• web-ui/src/components/TaskTreeView.tsx
• web-ui/src/api/lint.ts

web-ui/src/lib/**/*.ts

📄 CodeRabbit inference engine (CLAUDE.md)

Frontend API files must use const API_BASE_URL = process.env.NEXT_PUBLIC_API_URL || 'http://localhost:8080' pattern without hardcoded production URLs or different fallback ports

Files:

• web-ui/src/lib/api.ts

web-ui/src/components/**/*.tsx

📄 CodeRabbit inference engine (CLAUDE.md)

web-ui/src/components/**/*.tsx: Use shadcn/ui Nova template components with semantic color palette (bg-card, text-foreground, etc.) and avoid hardcoded color values
Use cn() utility for conditional Tailwind CSS classes and follow Nova's compact spacing conventions

Files:

• web-ui/src/components/TaskReview.tsx
• web-ui/src/components/TaskTreeView.tsx

web-ui/src/**/*.tsx

📄 CodeRabbit inference engine (CLAUDE.md)

Replace all icon usage with Hugeicons (@hugeicons/react) and do not mix with lucide-react

Files:

• web-ui/src/components/TaskReview.tsx
• web-ui/src/components/TaskTreeView.tsx

tests/e2e/**/*.ts

📄 CodeRabbit inference engine (CLAUDE.md)

Implement E2E tests using Playwright + TestSprite with loginUser() helper from tests/e2e/test-utils.ts for authentication

Files:

• tests/e2e/test_state_reconciliation.spec.ts
• tests/e2e/test_task_breakdown.spec.ts

**/*.md

📄 CodeRabbit inference engine (AGENTS.md)

Documentation files must be sized to fit in a single agent context window (spec.md ~200-400 lines, plan.md ~300-600 lines, tasks.md ~400-800 lines)

Files:

• tests/e2e/README-USER-JOURNEY-TESTS.md
• tests/e2e/E2E_TEST_AUDIT.md

🧠 Learnings (12)

📓 Common learnings

Learnt from: CR
Repo: frankbria/codeframe PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-01-04T06:26:12.870Z
Learning: Applies to tests/e2e/**/*.ts : Implement E2E tests using Playwright + TestSprite with loginUser() helper from tests/e2e/test-utils.ts for authentication

📚 Learning: 2026-01-04T06:26:12.870Z

Learnt from: CR
Repo: frankbria/codeframe PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-01-04T06:26:12.870Z
Learning: Applies to web-ui/src/lib/api-client.ts : Store authentication tokens in localStorage using localStorage.getItem('auth_token') and include in API headers via Authorization: Bearer pattern

Applied to files:

• web-ui/src/lib/api.ts
• web-ui/src/api/lint.ts

📚 Learning: 2026-01-04T06:26:12.870Z

Learnt from: CR
Repo: frankbria/codeframe PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-01-04T06:26:12.870Z
Learning: Applies to web-ui/src/components/AgentStateProvider.tsx : Wrap AgentStateProvider with ErrorBoundary component for graceful error handling in Dashboard

Applied to files:

• web-ui/src/components/TaskReview.tsx

📚 Learning: 2025-11-25T19:08:54.154Z

Learnt from: CR
Repo: frankbria/codeframe PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-25T19:08:54.154Z
Learning: Applies to specs/*/tasks.md : Feature task files (tasks.md) must include phase-by-phase task breakdown with unique task identifiers (T001, T002, etc.), acceptance criteria per task, beads issue references, and estimated effort

Applied to files:

• tests/e2e/test_state_reconciliation.spec.ts
• tests/e2e/test_task_breakdown.spec.ts

📚 Learning: 2026-01-04T06:26:12.870Z

Learnt from: CR
Repo: frankbria/codeframe PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-01-04T06:26:12.870Z
Learning: Applies to tests/e2e/**/*.ts : Implement E2E tests using Playwright + TestSprite with loginUser() helper from tests/e2e/test-utils.ts for authentication

Applied to files:

• tests/e2e/README-USER-JOURNEY-TESTS.md
• tests/e2e/test_task_breakdown.spec.ts
• tests/e2e/E2E_TEST_AUDIT.md

📚 Learning: 2026-01-04T06:26:12.870Z

Learnt from: CR
Repo: frankbria/codeframe PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-01-04T06:26:12.870Z
Learning: Applies to codeframe/auth/**/*.py : For authentication, use FastAPI Users with JWT tokens and mandatory authentication (no bypass mode)

Applied to files:

• tests/e2e/README-USER-JOURNEY-TESTS.md

📚 Learning: 2026-01-04T06:26:12.870Z

Learnt from: CR
Repo: frankbria/codeframe PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-01-04T06:26:12.870Z
Learning: Applies to codeframe/auth/**/*.py : Organize Python backend files with Auth module at codeframe/auth/ containing dependencies.py (get_current_user), manager.py (UserManager), models.py, router.py, and schemas.py

Applied to files:

• tests/e2e/README-USER-JOURNEY-TESTS.md

📚 Learning: 2026-01-04T06:26:12.870Z

Learnt from: CR
Repo: frankbria/codeframe PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-01-04T06:26:12.870Z
Learning: Applies to codeframe/**/*.py : Implement quality gates with multi-stage pre-completion checks (tests → type → coverage → review) and Git + SQLite + context snapshots for project state rollback

Applied to files:

• .gitignore

📚 Learning: 2026-01-04T06:26:12.870Z

Learnt from: CR
Repo: frankbria/codeframe PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-01-04T06:26:12.870Z
Learning: Run tests using 'uv run pytest' for Python tests and 'cd web-ui && npm test' for frontend tests

Applied to files:

• .gitignore

📚 Learning: 2025-11-25T19:08:54.154Z

Learnt from: CR
Repo: frankbria/codeframe PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-25T19:08:54.154Z
Learning: Applies to {README.md,CODEFRAME_SPEC.md,CHANGELOG.md,SPRINTS.md,CLAUDE.md,AGENTS.md,TESTING.md,CONTRIBUTING.md} : Root-level documentation must include: README.md (project intro), CODEFRAME_SPEC.md (architecture, ~800 lines), CHANGELOG.md (user-facing changes), SPRINTS.md (timeline index), CLAUDE.md (coding standards), AGENTS.md (navigation guide), TESTING.md (test standards), and CONTRIBUTING.md (contribution guidelines)

Applied to files:

• .gitignore

📚 Learning: 2026-01-04T06:26:12.870Z

Learnt from: CR
Repo: frankbria/codeframe PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-01-04T06:26:12.870Z
Learning: Applies to web-ui/src/app/page.tsx : Implement automatic project discovery start after project creation with loading state transitions and 'Start Discovery' button for idle projects

Applied to files:

• tests/e2e/test_task_breakdown.spec.ts

📚 Learning: 2026-01-04T06:26:12.870Z

Learnt from: CR
Repo: frankbria/codeframe PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-01-04T06:26:12.870Z
Learning: Applies to web-ui/src/lib/**/*.ts : Frontend API files must use const API_BASE_URL = process.env.NEXT_PUBLIC_API_URL || 'http://localhost:8080' pattern without hardcoded production URLs or different fallback ports

Applied to files:

• tests/e2e/test_task_breakdown.spec.ts

🧬 Code graph analysis (3)

web-ui/src/components/TaskTreeView.tsx (1)

tests/lib/test_quality_gates.py (3)

• task (56-79)
• task (467-488)
• task (901-923)

tests/e2e/test_task_breakdown.spec.ts (1)

tests/e2e/e2e-config.ts (1)

• FRONTEND_URL (14-14)

web-ui/src/api/lint.ts (2)

web-ui/src/lib/api-client.ts (1)

• authFetch (106-146)

web-ui/src/types/lint.ts (2)

• LintTrendEntry (12-17)
• LintConfig (19-25)

🪛 markdownlint-cli2 (0.18.1)

tests/e2e/E2E_TEST_AUDIT.md

56-56: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

---

64-64: Fenced code blocks should have a language specified

(MD040, fenced-code-language)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: Frontend Unit Tests
• GitHub Check: Backend Unit Tests
• GitHub Check: E2E Smoke Tests (Chromium)
• GitHub Check: claude-review

🔇 Additional comments (16)

.gitignore (1)

46-46: LGTM!

The addition of tests/e2e/run-e2e-full.sh to the Testing section is appropriate. This shell script is a test runner artifact and should not be committed to the repository. The specific filename approach is conservative and avoids accidentally ignoring other legitimate shell scripts.

web-ui/src/lib/api.ts (1)

30-64: LGTM! Response interceptor provides useful debugging context.

The interceptor correctly:

• Passes successful responses through unchanged
• Logs 401 errors with contextual debugging info (endpoint, method, auth header presence)
• Provides developer-friendly hints in development mode
• Re-throws errors to preserve existing error handling flows

tests/e2e/seed-test-data.py (1)

1873-2012: Well-structured seed data for task breakdown tests.

The implementation correctly:

• Clears stale discovery/PRD state before inserting (lines 1910-1913), preventing test flakiness from previous runs
• Sets up the exact state needed for "Generate Task Breakdown" button (planning phase + PRD complete + no tasks)
• Uses explicit DELETE for tasks (line 1995) to guarantee the empty-tasks precondition

The comprehensive PRD content provides realistic test data for the task breakdown workflow.

web-ui/src/components/TaskTreeView.tsx (3)

117-117: LGTM! Good testability attribute on root container.

---

123-123: LGTM! Issue-level test identifiers enable targeted E2E selectors.

---

191-192: LGTM! Task-level testability attributes with status exposure.

The data-status attribute is particularly useful—E2E tests can assert on task state directly without parsing CSS classes or inner text.

web-ui/src/api/lint.ts (1)

1-63: LGTM! Migration to authFetch correctly fixes 401 errors.

The migration from standalone axios to authFetch:

• Ensures JWT Bearer tokens are included in all lint API requests
• Maintains type safety with generic type parameters
• Correctly passes POST body for runLint
• Follows the API_BASE_URL pattern per coding guidelines

web-ui/src/components/TaskReview.tsx (1)

217-263: Solid error handling with specific user-facing messages.

Good improvements:

• Categorizes errors by HTTP status for appropriate user messaging
• Auto-redirect to login on auth failures gives clear recovery path
• Defensive JSON parsing with fallback (lines 238-244)

One minor note: the setTimeout redirect (lines 253-256) could trigger after component unmount if the user navigates away quickly. Consider returning a cleanup function from useEffect or tracking mounted state, though this is low-risk since router navigation is safe.

tests/e2e/README-USER-JOURNEY-TESTS.md (1)

100-135: Good update to document FastAPI Users JWT authentication flow.

The authentication section accurately describes:

• Backend using FastAPI Users
• Frontend JWT storage in localStorage
• WebSocket token handling
• Test user credentials and seeding

tests/e2e/test_task_breakdown.spec.ts (4)

29-33: LGTM! Good documentation of seed data expectations.

The module-level constant with clear documentation of the expected seed state (planning phase, PRD complete, no tasks) improves test maintainability and makes the test's prerequisites explicit.

---

38-48: LGTM! Authentication follows project guidelines.

The beforeEach hook correctly uses loginUser() helper from test-utils.ts for authentication, as specified in the coding guidelines for E2E tests.

---

59-109: LGTM! Robust state verification pattern.

The test properly validates the project is in a known alternate state before skipping, preventing silent failures from broken pages.

---

340-375: LGTM! Correctly uses different project for this test case.

This test intentionally uses Project 1 (discovery phase) instead of the task breakdown project, as it validates the button is hidden when PRD is not complete.

tests/e2e/test_state_reconciliation.spec.ts (3)

363-383: LGTM! Resilient task content detection.

The multi-selector approach with Promise.race gracefully handles different UI implementations (TaskList cards vs TaskTreeView items vs stats), making the test robust against UI changes while still asserting that some task-related content exists.

---

573-612: LGTM! Thorough handling of TaskTreeView's collapsed state.

The logic correctly accounts for TaskTreeView's default collapsed state by:

1. First checking if the tree container is visible
2. Then attempting to expand collapsed items to reveal nested tasks
3. Logging results appropriately

The approach ensures the test validates content even when tasks are nested inside collapsed issues.

---

614-620: LGTM! Comprehensive status indicator detection.

The selector now covers multiple UI patterns for indicating completed status (data-testid, CSS class, and data-status attribute), providing good resilience against UI implementation variations.

[claude]

Updated Code Review - PR #238 (Review #2)

I've reviewed the latest changes to this PR. Since I already provided a comprehensive review earlier, I'll focus on new observations and confirming previous feedback has been addressed.

---

🔄 Changes Since Last Review

Looking at the conversation history, the latest changes appear to be documentation updates to:

• tests/e2e/README-USER-JOURNEY-TESTS.md
• tests/e2e/test_task_breakdown.spec.ts

The CodeRabbit bot noted stale references to BetterAuth in the README that should be updated to reflect FastAPI Users JWT.

---

✅ Confirmed: Previous Review Still Valid

My previous review (posted earlier) identified the following items as non-blocking suggestions for future consideration:

1. Magic number in TaskReview.tsx:254 - 2000ms redirect delay could be extracted to a named constant
2. Error message parsing - Could add development logging for JSON parse failures in error handling
3. Type safety in api.ts:142 - Empty response returns {} as T without guarantees about required fields
4. Seed data complexity - Consider refactoring as the file grows (2017+ lines)

These remain valid suggestions but are NOT blockers for merging.

---

🆕 Additional Observation: Documentation Consistency

Issue: The README still contains stale BetterAuth references that conflict with the FastAPI Users JWT migration:

Lines with outdated references:

• Line 19: "BetterAuth API integration" should be "FastAPI Users JWT API integration"
• Line 142-143: "Unified authentication system - BetterAuth aligned with CodeFRAME schema" should reference FastAPI Users
• Line 229: "Auth bypass allows consistent execution" - auth bypass was removed

Impact: Low - documentation inconsistency only, doesn't affect functionality

Recommendation: Update these lines to match the authentication architecture section (lines 100-135) which correctly describes FastAPI Users JWT.

---

🎯 Final Verdict

STILL APPROVED ✅

The core changes in this PR are excellent:

• ✅ Lint API migration to authFetch is clean and correct
• ✅ Error handling in TaskReview is comprehensive
• ✅ Response interceptor provides valuable debugging context
• ✅ Test improvements significantly increase reliability
• ✅ Project 6 seed data properly isolated for task breakdown tests

Before merge:

• Fix documentation references to BetterAuth (low priority, can be done in follow-up)
• Confirm E2E tests pass with ANTHROPIC_API_KEY

Optional future improvements (from previous review):

• Extract magic numbers to constants
• Consider seed data refactoring
• Add development logging for error parse failures

---

📊 Quality Assessment

Aspect	Rating	Notes
Code Quality	⭐⭐⭐⭐⭐	Clean, well-structured changes
Error Handling	⭐⭐⭐⭐⭐	Comprehensive with specific error cases
Test Coverage	⭐⭐⭐⭐⭐	Improved from 92 to 94 passing tests
Documentation	⭐⭐⭐⭐	Good overall, minor stale references
Security	✅	No concerns identified

The minor documentation inconsistencies don't detract from the overall quality of this PR. Great work! 🚀

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

tests/e2e/README-USER-JOURNEY-TESTS.md (1)

160-160: Clarify port configuration inconsistency.

The webServer config on line 160 uses PORT=3001, but the Prerequisites section states the frontend runs on port 3000. This mismatch could cause confusion during setup.

Suggested fix

Update the prerequisites to reflect the actual configured port:

-2. Frontend server running on port 3000 (or production build)
+2. Frontend server running on port 3001 (or production build)

Alternatively, if port 3000 is correct, update the webServer config to use PORT=3000 instead.

Also applies to: 174-175

🧹 Nitpick comments (3)

tests/e2e/test_task_breakdown.spec.ts (3)

377-413: Consider defining a constant for Project 2 or document why Project 6 isn't used.

While the test correctly handles authentication validation, the hardcoded PROJECT_ID = '2' is inconsistent with the migration pattern used elsewhere in this file. The comment mentions Project 2 "has tasks that can be approved," but it's not clear why Project 6 (which has seeded task data) couldn't serve this purpose.

♻️ Proposed refactor

Option 1: Define a constant at the top of the file if Project 2 is intentionally different:

+// Project 2 has tasks in an approvable state for approval flow tests
+const TASK_APPROVAL_PROJECT_ID = '2';
+
 test('should validate task approval API response with proper authentication', async () => {
-  // Use Project 2 which has tasks that can be approved
-  const PROJECT_ID = '2';
+  const PROJECT_ID = TASK_APPROVAL_PROJECT_ID;

Option 2: Document why Project 6 cannot be used for this test:

-  // Use Project 2 which has tasks that can be approved
+  // Use Project 2 (not Project 6) because Project 6 tasks are not yet approved
+  // and this test requires tasks in an approvable state
   const PROJECT_ID = '2';

---

416-419: Consider narrowing the response predicate to avoid false matches.

The current predicate matches any POST request to URLs containing /api/projects/, which is quite broad and could match unrelated API calls (e.g., POST /api/projects/2/discovery, POST /api/projects/2/prd). If multiple API calls occur simultaneously, this could capture an unintended response.

♻️ Proposed fix to narrow the predicate

 const responsePromise = page.waitForResponse(
-  response => (response.url().includes('/tasks/approve') ||
-               response.url().includes('/api/projects/')) && response.request().method() === 'POST',
+  response => {
+    const url = response.url();
+    const method = response.request().method();
+    return method === 'POST' && 
+           (url.includes('/tasks/approve') || 
+            url.match(/\/api\/projects\/\d+\/tasks\/approve$/));
+  },
   { timeout: 15000 }
 );

This ensures only task approval endpoints are matched, not arbitrary project API calls.

---

437-448: Add type guard for response data validation.

The code accesses properties on data without first verifying it's a non-null object. While the checks if (data.success !== undefined) provide some protection, they could still fail if data is null, a primitive, or an array.

♻️ Proposed defensive validation

       if (status >= 200 && status < 300) {
         const data = await response.json();
         console.log(`✅ Task approval succeeded:`, data);
 
         // Response should have expected fields
         expect(data).toBeDefined();
+        
+        // Validate data is an object before accessing properties
+        if (data && typeof data === 'object' && !Array.isArray(data)) {
-        if (data.success !== undefined) {
-          expect(data.success).toBe(true);
-        }
-        if (data.approved_count !== undefined) {
-          expect(data.approved_count).toBeGreaterThanOrEqual(0);
-        }
+          if (data.success !== undefined) {
+            expect(data.success).toBe(true);
+          }
+          if (data.approved_count !== undefined) {
+            expect(data.approved_count).toBeGreaterThanOrEqual(0);
+          }
+        }
       } else if (status === 401) {

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a34e77f and d5ea116.

📒 Files selected for processing (2)

• tests/e2e/README-USER-JOURNEY-TESTS.md
• tests/e2e/test_task_breakdown.spec.ts

🧰 Additional context used

📓 Path-based instructions (2)

tests/e2e/**/*.ts

📄 CodeRabbit inference engine (CLAUDE.md)

Implement E2E tests using Playwright + TestSprite with loginUser() helper from tests/e2e/test-utils.ts for authentication

Files:

• tests/e2e/test_task_breakdown.spec.ts

**/*.md

📄 CodeRabbit inference engine (AGENTS.md)

Documentation files must be sized to fit in a single agent context window (spec.md ~200-400 lines, plan.md ~300-600 lines, tasks.md ~400-800 lines)

Files:

• tests/e2e/README-USER-JOURNEY-TESTS.md

🧠 Learnings (8)

📓 Common learnings

Learnt from: CR
Repo: frankbria/codeframe PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-01-04T06:26:12.870Z
Learning: Applies to codeframe/auth/**/*.py : For authentication, use FastAPI Users with JWT tokens and mandatory authentication (no bypass mode)

Learnt from: CR
Repo: frankbria/codeframe PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-01-04T06:26:12.870Z
Learning: Applies to tests/e2e/**/*.ts : Implement E2E tests using Playwright + TestSprite with loginUser() helper from tests/e2e/test-utils.ts for authentication

📚 Learning: 2025-11-25T19:08:54.154Z

Learnt from: CR
Repo: frankbria/codeframe PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-25T19:08:54.154Z
Learning: Applies to specs/*/tasks.md : Feature task files (tasks.md) must include phase-by-phase task breakdown with unique task identifiers (T001, T002, etc.), acceptance criteria per task, beads issue references, and estimated effort

Applied to files:

• tests/e2e/test_task_breakdown.spec.ts

📚 Learning: 2026-01-04T06:26:12.870Z

Learnt from: CR
Repo: frankbria/codeframe PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-01-04T06:26:12.870Z
Learning: Applies to web-ui/src/app/page.tsx : Implement automatic project discovery start after project creation with loading state transitions and 'Start Discovery' button for idle projects

Applied to files:

• tests/e2e/test_task_breakdown.spec.ts

📚 Learning: 2026-01-04T06:26:12.870Z

Learnt from: CR
Repo: frankbria/codeframe PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-01-04T06:26:12.870Z
Learning: Applies to web-ui/src/lib/**/*.ts : Frontend API files must use const API_BASE_URL = process.env.NEXT_PUBLIC_API_URL || 'http://localhost:8080' pattern without hardcoded production URLs or different fallback ports

Applied to files:

• tests/e2e/test_task_breakdown.spec.ts

📚 Learning: 2026-01-04T06:26:12.870Z

Learnt from: CR
Repo: frankbria/codeframe PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-01-04T06:26:12.870Z
Learning: Applies to tests/e2e/**/*.ts : Implement E2E tests using Playwright + TestSprite with loginUser() helper from tests/e2e/test-utils.ts for authentication

Applied to files:

• tests/e2e/test_task_breakdown.spec.ts
• tests/e2e/README-USER-JOURNEY-TESTS.md

📚 Learning: 2026-01-04T06:26:12.870Z

Learnt from: CR
Repo: frankbria/codeframe PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-01-04T06:26:12.870Z
Learning: Applies to codeframe/auth/**/*.py : For authentication, use FastAPI Users with JWT tokens and mandatory authentication (no bypass mode)

Applied to files:

• tests/e2e/README-USER-JOURNEY-TESTS.md

📚 Learning: 2026-01-04T06:26:12.870Z

Learnt from: CR
Repo: frankbria/codeframe PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-01-04T06:26:12.870Z
Learning: Applies to codeframe/auth/**/*.py : Organize Python backend files with Auth module at codeframe/auth/ containing dependencies.py (get_current_user), manager.py (UserManager), models.py, router.py, and schemas.py

Applied to files:

• tests/e2e/README-USER-JOURNEY-TESTS.md

📚 Learning: 2025-11-25T19:08:37.203Z

Learnt from: CR
Repo: frankbria/codeframe PR: 0
File: docs/CLAUDE.md:0-0
Timestamp: 2025-11-25T19:08:37.203Z
Learning: Applies to docs/web-ui/**/__tests__/**/*.test.{ts,tsx} : Create JavaScript test files colocated or in __tests__/ as *.test.ts

Applied to files:

• tests/e2e/README-USER-JOURNEY-TESTS.md

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: Backend Unit Tests
• GitHub Check: Frontend Unit Tests
• GitHub Check: E2E Smoke Tests (Chromium)

🔇 Additional comments (5)

tests/e2e/README-USER-JOURNEY-TESTS.md (1)

100-130: Excellent authentication architecture documentation.

The new "Authentication System: FastAPI Users JWT Authentication" section clearly explains the backend/frontend architecture, test authentication flow with concrete steps, and helper functions. This aligns well with the migration from auth-bypass to real JWT flows and matches the retrieved learning to use FastAPI Users with JWT tokens for mandatory authentication.

tests/e2e/test_task_breakdown.spec.ts (4)

29-33: LGTM! Good practice to centralize test project ID.

The constant and accompanying comments clearly document the seeded state expectations for Project 6, improving test maintainability and readability.

---

60-64: LGTM! Consistent migration to seeded Project 6.

The updates standardize test project selection across multiple tests and add helpful comments explaining the seeded state, improving test reliability and clarity.

Also applies to: 112-112, 180-180, 234-234, 287-287

---

341-342: LGTM! Correct to use Project 1 for PRD incomplete scenario.

This test intentionally uses a different project to verify the button is hidden when PRD is not complete, which is a different test case from the Project 6 task breakdown flow.

---

377-463: Well-structured test with comprehensive authentication validation.

This test effectively validates that the task approval API includes proper JWT Bearer tokens and catches 401 errors as intended by the PR objectives. The error handling covers success cases (2xx), authentication failures (401 thrown as error), and other status codes with appropriate logging.