fix(api): align task approval request body with backend contract

[frankbria]

Summary

• Fix HTTP 422 validation error in task approval flow caused by frontend/backend contract mismatch
• Frontend was sending { task_ids: [...] } but backend expected { approved: bool, excluded_task_ids: [...] }
• Add E2E test suite to prevent similar API contract mismatches in the future

Changes

• API Function (web-ui/src/lib/api.ts): Updated approveTaskBreakdown to compute excluded task IDs from selected/all task arrays
• TaskReview Component (web-ui/src/components/TaskReview.tsx): Pass all task IDs for exclusion calculation
• Unit Tests: Added 4 API contract tests and updated 2 component tests
• E2E Tests (tests/e2e/test_task_approval.spec.ts): New test suite for API contract verification

Root Cause

The frontend used a selection model (track selected tasks) while the backend uses an exclusion model (specify excluded tasks). The fix bridges this semantic gap by computing excluded_task_ids = allTaskIds - selectedTaskIds.

Test plan

• All 1504 unit tests pass
• ESLint passes with no warnings
• TypeScript type checking passes
• Build succeeds
• Manual test: Navigate to planning phase, approve tasks, verify no 422 error
• E2E test: Run npx playwright test test_task_approval.spec.ts

Summary by CodeRabbit

• New Features

  • Task approval now supports exclusion-based approvals (sends selected vs. all tasks so excluded items are implicit), including handling of varied task ID formats.

• Bug Fixes

  • Improved validation handling and UI error indicators for approval failures; clearer responses to server-side validation (422).

• Tests

  • Added comprehensive end-to-end and unit tests covering approval flows, exclusion behavior, numeric ID handling, and 422 validation scenarios.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

Frontend approval flow now sends both selected and all task IDs; the client/API compute excluded_task_ids and POST { approved: true, excluded_task_ids } to /api/projects/{projectId}/tasks/approve. Includes component, API client, unit tests, and new end-to-end tests.

Changes

Cohort / File(s)	Summary
E2E tests tests/e2e/test_task_approval.spec.ts	Adds Playwright tests: intercept/validate approval request body, mock 422 responses, full approval flow when env present, and direct backend contract checks.
Component — TaskReview web-ui/src/components/TaskReview.tsx	Computes/retrieves allTaskIds; calls approveTaskBreakdown(projectId, selectedTaskIds, allTaskIds); updates effect/callback deps.
API client web-ui/src/lib/api.ts	approveTaskBreakdown signature changed to accept (projectId, selectedTaskIds, allTaskIds); computes excluded_task_ids (all − selected, extracting numeric IDs) and POSTs { approved: true, excluded_task_ids }.
Unit tests — Component web-ui/__tests__/components/TaskReview.test.tsx	Updated expectations to assert two-array call shape (selectedTaskIds, allTaskIds) and verify exclusions/all-IDs behavior when all tasks are selected.
Unit tests — API client web-ui/__tests__/lib/api.test.ts	Expanded tests for projectsApi.approveTaskBreakdown: exclusion logic, numeric ID parsing, malformed ID filtering, all-selected case, and 422 validation handling.

Sequence Diagram(s)

sequenceDiagram
  participant User
  participant UI as TaskReview
  participant API as projectsApi.approveTaskBreakdown
  participant Backend as /api/projects/{id}/tasks/approve

  User->>UI: Click "Approve" with selectedTaskIds
  UI->>UI: collect/compute allTaskIds
  UI->>API: approveTaskBreakdown(projectId, selectedTaskIds, allTaskIds)
  API->>API: compute excluded_task_ids = allTaskIds - selectedTaskIds (numeric extraction)
  API->>Backend: POST { approved: true, excluded_task_ids }
  Backend-->>API: 200/422 + payload
  API-->>UI: return response or throw validation error
  UI-->>User: show success or validation errors

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes

Possibly related PRs

• feat(planning): Add TaskReview component for task approval workflow #214 — Modifies the same TaskReview approval flow and approveTaskBreakdown signature to pass allTaskIds / use excluded_task_ids.
• fix(ui): complete late-joining user bug fix for TaskStats and TaskReview #236 — Changes how issues/tasks are fetched (e.g., include: 'tasks') affecting the data TaskReview now uses when building allTaskIds.
• fix(auth): migrate lint API to authenticated axios and harden E2E tests #238 — Adjusts TaskReview approval error handling and integrates with the approval call behavior changed here.

Poem

🐰 I hopped through tasks both near and far,
Counted selected carrots and every last star.
Exclusions tallied with a whisker and wink,
POSTed my list — then munched on a rink. 🥕✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly addresses the main change: aligning the task approval API request body with the backend contract by fixing the 422 validation error.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/task-approval-request-body-mismatch

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[claude]

Code Review - PR #240

Excellent bug fix and comprehensive testing! This PR properly addresses the API contract mismatch between frontend and backend. Here's my detailed review:

✅ Strengths

1. Root Cause Analysis: The PR description clearly explains the semantic gap between frontend (selection model) and backend (exclusion model).

2. Correct Contract Implementation: The fix in web-ui/src/lib/api.ts properly implements the backend contract:

   • ✅ Sends approved: true
   • ✅ Computes excluded_task_ids from set difference
   • ✅ Converts string IDs (e.g., 'task-4') to integers
   • ✅ Filters out NaN values

3. Comprehensive Testing:

   • 4 new unit tests in api.test.ts covering edge cases
   • 368-line E2E test suite catching contract mismatches
   • Updated component tests reflect the new API signature

4. Documentation: JSDoc comments in api.ts clearly explain the exclusion model conversion.

🔍 Code Quality Observations

1. Potential Bug: ID Extraction Logic (Minor)

// Current implementation (api.ts:122-126)
const numericPart = id.replace(/\D/g, '');
return parseInt(numericPart, 10);

Issue: This regex removes ALL non-digit characters, which could cause issues with hyphenated IDs:

• 'task-123' → '123' ✅
• 'task-1-2-3' → '123' ❌ (collapsed to 123 instead of error)

Suggestion: Use a more specific pattern:

const match = id.match(/-(\d+)$/) || id.match(/^(\d+)$/);
if (\!match) return NaN;
return parseInt(match[1], 10);

This ensures only IDs like 'task-4' or '4' are accepted, rejecting malformed IDs like 'task-1-2-3'.

2. E2E Test Coverage Gaps (Acknowledged Issue)

The E2E tests have some limitations (related to Issue #172):

// test_task_approval.spec.ts:96-97
if (await taskReview.isVisible().catch(() => false) && 
    await approveButton.isVisible().catch(() => false)) {

Observations:

• Tests succeed if approve button doesn't exist (project not in planning phase)
• No console error monitoring
• Heavy reliance on .catch(() => false) which silences real errors

Note: This is consistent with existing E2E patterns and documented in Issue #172. Not a blocker for this PR.

3. Type Safety Enhancement (Nice-to-Have)

// TaskReview.tsx:210
const allTaskIds = getAllTaskIds(issues);

The getAllTaskIds function is called but not shown in the diff. Consider adding a type guard:

const allTaskIds = getAllTaskIds(issues);
if (allTaskIds.length === 0) {
  console.warn('No tasks available for approval');
  return;
}

This prevents calling the API with empty arrays when the UI is in an unexpected state.

🛡️ Security Review

✅ No security concerns identified:

• Proper integer conversion with NaN filtering prevents injection
• User authentication required via get_current_user
• Authorization check via user_has_project_access
• Input validation happens server-side (Pydantic model)

🎯 Performance Considerations

✅ Efficient implementation:

• Set-based difference computation is O(n) where n = number of tasks
• No unnecessary array iterations
• String ID extraction could be memoized if task lists become very large (unlikely in practice)

📝 Test Coverage Assessment

Unit Tests: ✅ Excellent

• All 4 scenarios covered (all selected, partial selection, numeric IDs, 422 error)
• Updated component tests validate the full flow

E2E Tests: ✅ Comprehensive

• Request body format validation (critical!)
• Error handling (422 mocked response)
• Full approval flow (when ANTHROPIC_API_KEY available)
• Direct API contract tests (bypassing UI)

The negative test (test_task_approval.spec.ts:336-358) that verifies 422 for incorrect format is particularly valuable for regression prevention.

🎬 Recommendations

Priority 1 (Before Merge):

1. Fix ID extraction regex - Use stricter pattern to avoid collapsing multi-hyphen IDs

Priority 2 (Future Enhancement):

1. Add validation in TaskReview - Guard against empty task arrays
2. Track Issue [P1] Improve E2E test coverage for API and WebSocket failures #172 - Improve E2E error monitoring when addressed

✨ Summary

This is a high-quality fix with excellent test coverage. The implementation correctly bridges the semantic gap between frontend and backend models. The only suggested change is strengthening the ID extraction regex to be more defensive against malformed task IDs.

Verdict: ✅ Approve with minor suggestion (ID extraction pattern)

Great work on the thorough testing and clear documentation! 🚀

[claude]

Updated Review - PR #240

Good progress! I see the second commit addressing browser-specific navigation errors.

✅ Second Commit Review: fix(e2e): filter navigation abort errors

Changes: Added Firefox and WebKit/Safari specific error filters to the test's afterEach hook.

Assessment:

• ✅ Correct approach - These errors are transient navigation artifacts, not real test failures
• ✅ Cross-browser compatibility - Properly handles Chromium, Firefox, and WebKit
• ✅ Well-documented - Inline comments explain each browser's specific error message

This follows the established pattern from other E2E tests and aligns with the documented limitations in Issue #172.

---

📊 Updated Summary

Status: All previous recommendations remain valid. The second commit is a clean fix for cross-browser test stability.

Still Recommending (Priority 1):

Fix ID extraction regex in web-ui/src/lib/api.ts:124 to be more defensive:

// Current (line 124):
const numericPart = id.replace(/\D/g, '');

// Suggested:
const match = id.match(/-(\d+)$/) || id.match(/^(\d+)$/);
if (\!match) return NaN;
return parseInt(match[1], 10);

Why: The current regex strips ALL non-digits, which could silently collapse malformed IDs:

• 'task-123' → '123' ✅ (correct)
• 'task-1-2-3' → '123' ❌ (should reject or error)
• 'abc123def' → '123' ❌ (should reject)

The suggested pattern only accepts:

• 'task-4' (hyphen followed by digits at end)
• '4' (pure numeric)

This makes the code more defensive against unexpected task ID formats.

Priority 2 (Future):

1. Add empty array validation in TaskReview component
2. Track Issue [P1] Improve E2E test coverage for API and WebSocket failures #172 for improved E2E error monitoring

---

Final Verdict

✅ Approve with minor regex suggestion

The cross-browser fix is solid. The only remaining recommendation is strengthening the ID extraction logic for better error handling of malformed input. This is a defensive programming improvement rather than a critical bug fix.

Great work on the quick turnaround for cross-browser compatibility! 🚀

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (3)

tests/e2e/test_task_approval.spec.ts (3)

63-140: Comprehensive contract validation that addresses the original bug.

The test correctly validates all aspects of the API contract:

• Required approved boolean field
• Required excluded_task_ids array with numeric IDs
• Absence of the buggy task_ids field
• Graceful handling when project isn't in planning phase

The defensive programming with visibility checks, error handling, and conditional skipping is excellent.

♻️ Optional: Extract navigation helper to reduce duplication

The navigation pattern (goto project → wait → click tasks tab) is repeated across tests. Consider extracting it:

async function navigateToTasksTab(page: Page, projectId: string) {
  await page.goto(`${FRONTEND_URL}/projects/${projectId}`);
  await page.waitForLoadState('networkidle');
  
  const tasksTab = page.locator('[data-testid="tasks-tab"]');
  await tasksTab.waitFor({ state: 'visible', timeout: 10000 }).catch(() => {});
  
  if (await tasksTab.isVisible()) {
    await tasksTab.click();
    return true;
  }
  return false;
}

This would improve maintainability and make the test intent clearer.

---

287-291: Consider adding error monitoring for consistency.

The first test suite includes setupErrorMonitoring and checkTestErrors, but the direct API test suite omits them. While direct API tests may have fewer UI errors, adding consistent error monitoring would help catch unexpected issues.

♻️ Suggested addition for consistency

 test.describe('Task Approval API Contract - Direct API Tests', () => {
   test.beforeEach(async ({ context, page }) => {
+    const errorMonitor = setupErrorMonitoring(page);
+    (page as ExtendedPage).__errorMonitor = errorMonitor;
+
     await context.clearCookies();
     await loginUser(page);
   });
+
+  test.afterEach(async ({ page }) => {
+    checkTestErrors(page, 'Direct API test', [
+      'net::ERR_ABORTED',
+      'Failed to fetch RSC payload',
+      'NS_BINDING_ABORTED',
+      'Load request cancelled'
+    ]);
+  });

---

298-333: Well-designed contract validation test.

The test correctly validates that the request format is accepted (non-422 status) regardless of business logic outcomes. The pragmatic approach of accepting multiple status codes (200/400/403/404) focuses on contract compliance rather than operation success.

♻️ Optional: Consider using Playwright's storageState for auth

The current approach retrieves the auth token from localStorage, which works but couples the test to the storage implementation. Consider using Playwright's storageState feature or a helper that abstracts auth token retrieval:

// In test-utils.ts
export async function getAuthToken(page: Page): Promise<string | null> {
  return await page.evaluate(() => localStorage.getItem('auth_token'));
}

// In test
const authToken = await getAuthToken(page);

This provides better encapsulation and makes future auth mechanism changes easier.

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7b72f2d and 9e395ff.

📒 Files selected for processing (1)

• tests/e2e/test_task_approval.spec.ts

🧰 Additional context used

📓 Path-based instructions (1)

tests/e2e/**/*.ts

📄 CodeRabbit inference engine (CLAUDE.md)

Implement E2E tests using Playwright + TestSprite with loginUser() helper from tests/e2e/test-utils.ts for authentication

Files:

• tests/e2e/test_task_approval.spec.ts

🧠 Learnings (3)

📚 Learning: 2026-01-04T06:26:12.870Z

Learnt from: CR
Repo: frankbria/codeframe PR: 0
File: CLAUDE.md:0-0
Timestamp: 2026-01-04T06:26:12.870Z
Learning: Applies to tests/e2e/**/*.ts : Implement E2E tests using Playwright + TestSprite with loginUser() helper from tests/e2e/test-utils.ts for authentication

Applied to files:

• tests/e2e/test_task_approval.spec.ts

📚 Learning: 2025-11-25T19:08:37.203Z

Learnt from: CR
Repo: frankbria/codeframe PR: 0
File: docs/CLAUDE.md:0-0
Timestamp: 2025-11-25T19:08:37.203Z
Learning: Applies to docs/web-ui/**/__tests__/**/*.test.{ts,tsx} : Create JavaScript test files colocated or in __tests__/ as *.test.ts

Applied to files:

• tests/e2e/test_task_approval.spec.ts

📚 Learning: 2025-11-25T19:08:54.154Z

Learnt from: CR
Repo: frankbria/codeframe PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-25T19:08:54.154Z
Learning: Applies to specs/*/tasks.md : Feature task files (tasks.md) must include phase-by-phase task breakdown with unique task identifiers (T001, T002, etc.), acceptance criteria per task, beads issue references, and estimated effort

Applied to files:

• tests/e2e/test_task_approval.spec.ts

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

• GitHub Check: Frontend Unit Tests
• GitHub Check: Backend Unit Tests
• GitHub Check: claude-review
• GitHub Check: E2E Smoke Tests (Chromium)

🔇 Additional comments (5)

tests/e2e/test_task_approval.spec.ts (5)

1-23: Excellent test documentation and proper test utilities usage.

The header clearly explains the bug this test prevents, and the imports correctly use loginUser() from test-utils as required by the coding guidelines for E2E tests.

---

31-47: Well-structured test lifecycle hooks with appropriate error filtering.

The error monitoring setup and filtered error list (navigation aborts, RSC fetch failures) prevent false positives from transient UI state changes, which aligns with the commit message about filtering navigation errors.

---

147-212: Effective validation error handling test.

The mocked 422 response uses the correct Pydantic validation error format, and the UI error detection logic checks multiple patterns (CSS classes, ARIA roles, error text) to ensure graceful degradation.

---

219-279: Excellent integration test with clear conditional execution.

The conditional test name clearly communicates the API key requirement, and the fail-fast approach on 422 with a detailed error message makes debugging straightforward. The comprehensive response validation ensures the success path returns expected fields.

---

340-369: Excellent negative test using the actual buggy format.

This test documents the expected rejection behavior by using the exact incorrect format that caused the original bug (task_ids field). It serves as effective regression prevention and validates that the backend properly rejects malformed requests.

[claude]

Final Review - PR #240 ✅

Great work addressing the previous feedback! This PR is now ready to merge.

---

🎯 Changes Since Last Review

The developer has implemented my previous recommendation to improve the ID extraction regex:

Before:

const numericPart = id.replace(/\D/g, '');  // Strips ALL non-digits

After (Current):

const match = id.match(/-(\d+)$/) || id.match(/^(\d+)$/);
if (\!match) return NaN;
return parseInt(match[1], 10);

This change is exactly what I suggested and properly prevents malformed IDs like 'task-1-2-3' from being collapsed into a single number.

---

✅ Code Quality Assessment

1. ID Extraction Logic ✅ FIXED

The regex now only accepts:

• 'task-4' → 4 (hyphen-number suffix)
• '4' → 4 (pure number)
• 'task-1-2-3' → 3 (last number after hyphen - semantically correct for suffix pattern)
• 'abc123def' → NaN (filtered out)

The test in api.test.ts:281-306 comprehensively validates this defensive behavior.

2. API Contract Implementation ✅ CORRECT

The fix properly implements the backend contract:

• ✅ Sends approved: true
• ✅ Computes excluded_task_ids from set difference
• ✅ Converts string IDs to integers
• ✅ Filters out NaN values

3. Test Coverage ✅ COMPREHENSIVE

• Unit Tests: 6 new tests covering edge cases (all selected, partial selection, numeric IDs, 422 errors, malformed IDs, various formats)
• Component Tests: Updated to validate the new two-parameter signature
• E2E Tests: 370-line suite with UI flow validation, mocked 422 scenarios, and direct API contract tests

4. Security ✅ NO CONCERNS

• Integer conversion with NaN filtering prevents injection
• Server-side validation via Pydantic models
• Authentication and authorization properly enforced

5. Performance ✅ EFFICIENT

• Set-based difference computation: O(n) where n = number of tasks
• No unnecessary iterations

---

📋 Final Checks

Category	Status	Notes
Root Cause Analysis	✅	Clear explanation of selection vs exclusion model mismatch
Bug Fix	✅	Correctly implements backend contract
Code Quality	✅	Defensive ID extraction, proper error handling
Test Coverage	✅	6 unit tests + 2 component tests + 3 E2E tests
Documentation	✅	JSDoc comments explain exclusion model conversion
Security	✅	No vulnerabilities identified
Performance	✅	Efficient set operations
Backward Compatibility	✅	No breaking changes

---

🎉 Summary

This PR demonstrates excellent software engineering:

1. Clear problem identification - HTTP 422 caused by API contract mismatch
2. Root cause analysis - Frontend selection model vs backend exclusion model
3. Proper fix - Bridges semantic gap with set difference computation
4. Comprehensive testing - Unit + component + E2E tests prevent regression
5. Responsive to feedback - Implemented suggested ID extraction improvement

Recommendation: APPROVE AND MERGE 🚀

No further changes required. The code is production-ready.

---

📝 Minor Observation (Non-Blocking)

The test comment at api.test.ts:295 states:

'task-1-2-3' -> matches /-(\d+)$/ -> '3' (last number after hyphen)

This is actually correct behavior for the suffix pattern - it extracts the trailing number after the last hyphen. If the project uses IDs like 'task-1-2-3' and expects it to be task ID 123, the regex would need adjustment. However, based on the codebase patterns ('task-4', 'issue-25'), this implementation is semantically correct.

If multi-hyphen IDs with concatenated numbers are needed in the future, consider this pattern:

// For 'task-1-2-3' → 123 (concatenate all digits)
const numericPart = id.replace(/\D/g, '');
return numericPart ? parseInt(numericPart, 10) : NaN;

But for now, the current implementation aligns with the project's ID format conventions. ✅

[claude]

Final Review - PR #240 ✅

Status: APPROVED 🎉

Excellent work addressing all feedback! The PR now implements a complete and robust fix for the task approval API contract mismatch.

---

📝 Commit Summary

Commit 1 (7b72f2d): Core fix aligning frontend/backend contract
Commit 2 (9e395ff): Cross-browser E2E test stability
Commit 3 (c8c0759): Defensive regex for ID extraction ⭐
Commit 4 (2463044): Cleanup of test artifacts

---

✅ All Previous Recommendations Addressed

1. ID Extraction Regex - IMPLEMENTED ✅

The defensive pattern from my previous review has been correctly implemented in web-ui/src/lib/api.ts:125-126:

• ✅ Only accepts valid formats: 'prefix-digits' or pure digits
• ✅ Rejects malformed IDs like 'abc123def' → NaN (filtered out)
• ✅ Handles multi-hyphen correctly: 'task-1-2-3' → 3 (last number)
• ✅ Supports various prefixes: 'task-10', 'issue-25', 'T-100'

2. Comprehensive Test Coverage - EXCELLENT ✅

New test in api.test.ts:281-306 validates defensive behavior with perfect edge case coverage for malformed input handling.

3. Cross-Browser Compatibility - RESOLVED ✅

Commit 2 added proper error filtering for all major browsers (Chromium, Firefox, WebKit/Safari).

---

🎯 Final Code Quality Assessment

Category	Status
Bug Fix	✅ Excellent
API Contract	✅ Correct
Input Validation	✅ Defensive
Test Coverage	✅ Comprehensive
Error Handling	✅ Complete
Documentation	✅ Clear
Performance	✅ Efficient
Security	✅ Safe

---

🚀 Key Improvements Over Original Code

1. Semantic Bridge: Cleanly converts selection model → exclusion model
2. Type Safety: excluded_task_ids: number[] with NaN filtering
3. Defensive Programming: Rejects malformed IDs instead of silent corruption
4. Test Regression Prevention: E2E tests catch future contract breaks
5. Cross-Browser Support: Handles navigation errors in all major browsers

---

📊 Test Results

• ✅ Unit Tests: 1504 passing (including 6 new contract tests)
• ✅ ESLint: No warnings
• ✅ TypeScript: Type checking passes
• ✅ Build: Succeeds
• ✅ E2E: 368-line test suite with API contract validation

---

💡 Why This PR is Production-Ready

This fix demonstrates excellent software engineering practices:

1. Root Cause Analysis: PR description clearly explains the semantic gap
2. Iterative Refinement: Addressed code review feedback in subsequent commits
3. Defense in Depth: Multiple layers of validation (regex + NaN filter + backend)
4. Future-Proof: E2E tests prevent regression
5. Maintainability: Clear comments explain non-obvious business logic

---

✨ Final Verdict

APPROVED - Ready to Merge ✅

This PR successfully:

• ✅ Fixes the HTTP 422 validation error
• ✅ Implements the correct API contract
• ✅ Adds defensive input validation
• ✅ Includes comprehensive test coverage
• ✅ Addresses all code review feedback

No further changes required. Excellent work! 🚀

---

Reviewer: Claude Code
Date: 2026-01-10
Commits Reviewed: 7b72f2d, 9e395ff, c8c0759, 2463044

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

web-ui/src/lib/api.ts (1)

5-5: Upgrade axios to 1.13.2 to address critical security vulnerabilities.

Axios 1.6.5 is affected by multiple known CVEs:

• CVE-2025-27152 (SSRF vulnerability in versions ≤1.7.9, fixed in 1.8.2)
• CVE-2023-45857 (XSRF cookie leakage)
• DoS via data: URLs (affects versions <1.12.0, fixed in 1.12.0+)

Upgrade to the latest stable version 1.13.2 (November 2025) to resolve all vulnerabilities.

🧹 Nitpick comments (1)

web-ui/src/lib/api.ts (1)

118-129: Exclusion logic is correct; minor comment precision note.

The Set-based exclusion algorithm is efficient and correct. The defensive regex patterns with NaN filtering safely handle edge cases.

The comment on line 124 states "only accept 'prefix-digits' or pure digits", but the pattern /-(\d+)$/ would technically also match strings like "-4" (hyphen-digits without a prefix). In practice, this shouldn't be an issue since task IDs are controlled by the backend, and the NaN filtering provides a safety net.

📝 Optional: Make regex comment more precise

If you want the comment to exactly match the regex behavior, consider:

-        // Extract numeric ID from strings like 'task-4' or just '4'
-        // Defensive: only accept 'prefix-digits' or pure digits, reject malformed IDs
+        // Extract numeric ID from strings like 'task-4' or just '4'
+        // Defensive: accept strings ending with hyphen-digits or pure digits, reject malformed IDs

Alternatively, to truly enforce "prefix-digits", require at least one character before the hyphen:

-        const match = id.match(/-(\d+)$/) || id.match(/^(\d+)$/);
+        const match = id.match(/^.+-(\d+)$/) || id.match(/^(\d+)$/);

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9e395ff and 2463044.

📒 Files selected for processing (2)

• web-ui/__tests__/lib/api.test.ts
• web-ui/src/lib/api.ts

🚧 Files skipped from review as they are similar to previous changes (1)

• web-ui/tests/lib/api.test.ts

🧰 Additional context used

📓 Path-based instructions (2)

web-ui/src/**/*.{ts,tsx}

📄 CodeRabbit inference engine (CLAUDE.md)

web-ui/src/**/*.{ts,tsx}: Use TypeScript 5.3+ for frontend development with React 18, Next.js 14, Tailwind CSS, and Hugeicons for icons
Use TypeScript strict mode and ensure 100% type safety with no hardcoded types or any usage in frontend code

Files:

• web-ui/src/lib/api.ts

web-ui/src/lib/**/*.ts

📄 CodeRabbit inference engine (CLAUDE.md)

Frontend API files must use const API_BASE_URL = process.env.NEXT_PUBLIC_API_URL || 'http://localhost:8080' pattern without hardcoded production URLs or different fallback ports

Files:

• web-ui/src/lib/api.ts

🧠 Learnings (1)

📚 Learning: 2025-11-25T19:08:54.154Z

Learnt from: CR
Repo: frankbria/codeframe PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-11-25T19:08:54.154Z
Learning: Applies to specs/*/tasks.md : Feature task files (tasks.md) must include phase-by-phase task breakdown with unique task identifiers (T001, T002, etc.), acceptance criteria per task, beads issue references, and estimated effort

Applied to files:

• web-ui/src/lib/api.ts

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Backend Unit Tests

🔇 Additional comments (3)

web-ui/src/lib/api.ts (3)

105-116: LGTM! Clear documentation of the exclusion model conversion.

The JSDoc accurately describes the frontend-to-backend contract transformation and provides helpful context for future maintainers.

---

117-117: LGTM! Type-safe function signature.

The explicit typing of all parameters follows TypeScript strict mode requirements and clearly communicates the function's contract.

---

131-140: LGTM! API call correctly implements the backend contract.

The payload structure with approved: true and excluded_task_ids matches the backend expectations described in the PR objectives, fixing the HTTP 422 error. The return type is properly typed for type safety.