feat: web dashboard with Vue 3 + PrimeVue + Tailwind CSS

[Aureliolo]

Summary

PR 1 of 2 — core infrastructure, stores, API layer, and shared components. A follow-up PR will add remaining page views and close #346.

• Full web dashboard built with Vue 3, PrimeVue, Tailwind CSS, Pinia, and Vue Router
• 10 page views: Dashboard, TaskBoard, AgentProfiles, BudgetPanel, MessageFeed, ApprovalQueue, OrgChart, Login, Setup, ChangePassword
• 11 Pinia stores: auth, agents, tasks, budget, messages, approvals, websocket, analytics, company, providers, plus WebSocket real-time event handling
• API layer: Axios client with JWT auth interceptor, 401 auto-logout with Pinia sync, typed endpoint modules mirroring backend Pydantic models
• Real-time: WebSocket store with exponential backoff reconnection, channel subscriptions, runtime payload validation with type guards
• Security: CSP meta tag, input sanitization, XSS-safe rendering, no token in logs, shared sanitizeForLog utility
• Infrastructure: ESLint, vue-tsc strict type checking, Vitest with 172 tests, nginx config with SPA routing + API/WS proxy
• Docker: nginx-unprivileged container, integrated into existing docker-compose
• Docs: Updated CLAUDE.md, README, getting_started, user_guide, roadmap, operations design page

Review coverage

• 3 rounds of external review (CodeRabbit, Copilot, Greptile, CodeQL) — all findings addressed
• 6 local review agents per round (code-reviewer, python-reviewer, test-analyzer, silent-failure-hunter, type-design-analyzer, docs-consistency)
• ~150+ review findings triaged and implemented across all rounds

Test plan

• npm --prefix web run lint — 0 errors (6 pre-existing warnings)
• npm --prefix web run type-check — clean
• npm --prefix web run test — 172/172 tests pass
• Rebased on latest main (includes Mem0 adapter feat: implement Mem0 memory backend adapter #345)

Towards #346 (requires follow-up page-views PR)

🤖 Generated with Claude Code

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 2 package(s) with unknown licenses.
• ⚠️ 51 packages with OpenSSF Scorecard issues.

View full job summary

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 93.90%. Comparing base (2788db8) to head (26c8f79).
⚠️ Report is 1 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #347   +/-   ##
=======================================
  Coverage   93.90%   93.90%           
=======================================
  Files         447      447           
  Lines       20803    20803           
  Branches     2010     2010           
=======================================
  Hits        19535    19535           
  Misses        981      981           
  Partials      287      287           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Copilot]

Pull request overview

This PR implements a full Vue 3 web dashboard for the SynthOrg platform, replacing the previous static placeholder page with a modern SPA built on PrimeVue, Tailwind CSS, Pinia, and Vue Router. It establishes the core frontend infrastructure including API client, state management, real-time WebSocket support, authentication flows, and CI integration.

Changes:

• Complete frontend infrastructure: Axios API client with JWT interceptor, 11 Pinia stores (auth, agents, tasks, budget, messages, approvals, websocket, analytics, company, providers), Vue Router with auth guards, and reusable composables
• Docker multi-stage build (Node builder → nginx runtime), CI pipeline with lint/type-check/test/build/audit jobs, and nginx config updates for WebSocket proxy and HSTS
• Documentation updates across CLAUDE.md, README, getting_started, user_guide, roadmap, and operations design pages reflecting the new dashboard

Reviewed changes

Copilot reviewed 85 out of 89 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
web/package.json	Frontend dependencies and scripts
web/vite.config.ts, vitest.config.ts	Build and test configuration
web/tsconfig.json, tsconfig.node.json	TypeScript configuration
web/eslint.config.js	ESLint with Vue and security plugins
web/src/api/client.ts	Axios client with JWT interceptor and response envelope unwrapping
web/src/api/types.ts	TypeScript interfaces mirroring backend Pydantic models
web/src/api/endpoints/*.ts	Typed API endpoint modules for all backend resources
web/src/stores/*.ts	10 Pinia stores covering auth, data, and real-time state
web/src/router/index.ts, guards.ts	Vue Router with auth guard and redirect preservation
web/src/views/*.vue	Login, Setup, and Placeholder pages
web/src/components/**/*.vue	Layout shell (sidebar, topbar) and common components
web/src/composables/*.ts	usePolling, useOptimisticUpdate, useAuth
web/src/utils/*.ts	Error handling, formatting, constants, logging
web/src/styles/*.css, *.ts	Global CSS and theme tokens
web/src/tests/**/*.ts	172 Vitest unit tests
web/nginx.conf	WebSocket proxy, HSTS, CSP updates
docker/web/Dockerfile	Multi-stage build with Node builder
.github/workflows/ci.yml	5 new dashboard CI jobs
CLAUDE.md, README.md, docs/*.md	Documentation updates

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[greptile-apps]

Greptile Summary

This PR introduces a complete Vue 3 + PrimeVue + Tailwind CSS web dashboard — including 11 Pinia stores, a typed Axios API layer, a WebSocket store with exponential-backoff reconnection, login/setup views, shared layout components, 172 Vitest tests, an nginx reverse-proxy config, and a multi-stage Docker build — integrating cleanly into the existing backend architecture.

The implementation is thorough and well-structured. Three issues were found:

• Post-login redirect is broken (LoginPage.vue:34) — after a successful login the handler always calls router.push('/'), ignoring the route.query.redirect parameter that authGuard carefully injects when bouncing unauthenticated users. Any user who navigates directly to /tasks, /approvals, etc. will always land on / after authenticating instead of their intended destination. The fix is straightforward: read route.query.redirect with an startsWith('/') open-redirect guard.
• Dead code in performAuthFlow (auth.ts:101-114) — the inner catch block checks for a 401 Axios error from fetchUser, but fetchUser already handles 401 silently (calls clearAuth() without rethrowing), so that branch is unreachable. The !user.value guard below handles this case correctly; the dead branch just adds misleading noise.
• WS_MAX_MESSAGE_SIZE is declared but never enforced (websocket.ts:82) — the constant (4 096 bytes) is imported but the onmessage handler doesn't check frame size before passing data to JSON.parse, leaving the client open to unbounded allocations from large frames.

Confidence Score: 4/5

• PR is safe to merge with minor fixes; no critical security or data-loss issues found.
• The implementation is comprehensive and well-reviewed (3 prior rounds). The one logic bug — post-login redirect always going to / — is a usability regression but not a security issue. The two other findings are a dead code branch and an unenforced size constant, both low-risk. All prior review threads have been addressed, CI is fully gated, and the WebSocket JWT-in-query-param risk is tracked and acknowledged.
• web/src/views/LoginPage.vue — missing route.query.redirect consumption breaks the auth guard's redirect round-trip.

Important Files Changed

Filename	Overview
web/src/views/LoginPage.vue	Login form with lockout composable; post-login redirect always goes to '/' ignoring the route.query.redirect param set by the auth guard.
web/src/stores/auth.ts	JWT auth store with expiry timer, performAuthFlow helper, and HMR cleanup; contains one unreachable 401 branch in performAuthFlow's inner catch that is dead code.
web/src/stores/websocket.ts	WebSocket store with exponential backoff reconnection and channel subscriptions; WS_MAX_MESSAGE_SIZE is imported from constants but never enforced on incoming frames.
web/src/api/client.ts	Axios client with JWT interceptor and ApiResponse envelope unwrapping; 401 fallback redirect (store import failure path) now includes the redirect query param per the previous review thread.
web/src/router/guards.ts	Auth navigation guard preserving redirect query param; correctly redirects unauthenticated users, but the redirect param is not consumed by LoginPage.vue.
web/src/stores/tasks.ts	Task store with WS event handling and active-filter guard; total counter and list insertion both correctly gated behind !hasActiveFilters().
web/src/stores/approvals.ts	Approvals store with WS event handling; total counter and list insertion correctly gated inside !activeFilters.value block (previous thread issue resolved).
web/nginx.conf	nginx config with dedicated WS location before generic API proxy, HSTS header added, access_log off on WS endpoint to avoid logging JWT query params, and X-Forwarded-Proto handled via map block.
docker/web/Dockerfile	Multi-stage build: non-root Node builder stage for Vue compilation, digest-pinned nginx-unprivileged runtime; clean separation of build and serve concerns.
.github/workflows/ci.yml	Five new parallel dashboard CI jobs (lint, type-check, test, build, npm audit) all gated through the existing ci-pass sentinel job; pinned action SHAs throughout.

Sequence Diagram

sequenceDiagram
    participant Browser
    participant Router as Vue Router
    participant LoginPage
    participant AuthStore
    participant ApiClient as Axios Client
    participant Backend
    participant WsStore as WebSocket Store

    Browser->>Router: Navigate to protected route (unauthenticated)
    Router->>Browser: redirect /login?redirect=/original-path
    Browser->>LoginPage: render

    LoginPage->>AuthStore: login(username, password)
    AuthStore->>ApiClient: POST /api/v1/auth/login
    ApiClient->>Backend: credentials
    Backend-->>ApiClient: token + expires_in
    AuthStore->>AuthStore: setToken + scheduleExpiry timer
    AuthStore->>ApiClient: GET /api/v1/auth/me
    Backend-->>AuthStore: UserInfoResponse

    AuthStore-->>LoginPage: resolves
    Note over LoginPage,Router: Bug - always pushes to '/' ignoring redirect param
    LoginPage->>Router: push('/')

    Router->>WsStore: connect via AppShell on mount
    WsStore->>Backend: WebSocket upgrade (auth via query param, TODO-343)
    Backend-->>WsStore: connection open
    WsStore->>Backend: subscribe channels

    loop Real-time events
        Backend->>WsStore: WsEvent payload
        WsStore->>WsStore: dispatchEvent to store handlers
    end

    loop Session expiry or 401
        ApiClient->>AuthStore: 401 interceptor fires
        AuthStore->>Router: clearAuth + push to login
    end

Loading

Prompt To Fix All With AI

This is a comment left during a code review.
Path: web/src/views/LoginPage.vue
Line: 32-35

Comment:
**Post-login redirect ignores `route.query.redirect`**

After a successful login, the handler always pushes to `'/'` without reading the `redirect` query parameter that `authGuard` injects in `guards.ts`. This means any user who navigates directly to a protected route (e.g. `/tasks`), gets bounced to `/login?redirect=%2Ftasks`, and then successfully authenticates will land on the dashboard root instead of their intended destination.

`guards.ts` correctly sets this up:
```ts
const redirect = to.fullPath !== '/' ? to.fullPath : undefined
next({ path: '/login', query: redirect ? { redirect } : undefined })
```

But `LoginPage.vue` never reads it back:

```suggestion
  try {
    await auth.login(username.value, password.value)
    reset()
    if (auth.mustChangePassword) {
      toast.add({ severity: 'warn', summary: 'Password change required', life: 5000 })
    }
    const redirect = route.query.redirect
    router.push(typeof redirect === 'string' && redirect.startsWith('/') ? redirect : '/')
  } catch (err) {
```

You'll also need to import `useRoute` and instantiate it at the top of the script block:
```ts
import { useRouter, useRoute } from 'vue-router'
const router = useRouter()
const route = useRoute()
```

The `startsWith('/')` guard prevents an open-redirect via a crafted `?redirect=https://evil.com`.

How can I resolve this? If you propose a fix, please make it concise.

---

This is a comment left during a code review.
Path: web/src/stores/auth.ts
Line: 101-115

Comment:
**Unreachable 401 branch inside `performAuthFlow`'s inner catch**

The inner `catch (fetchErr)` block checks for a `401` status from `fetchUser`, but `fetchUser` never re-throws on a 401 — it handles it by calling `clearAuth()` and returning silently:

```ts
// fetchUser (lines 142–155)
if (isAxiosError(err) && err.response?.status === 401) {
  clearAuth()
  // ← no throw, so performAuthFlow's catch never sees a 401
} else {
  throw err  // only non-401 errors propagate
}
```

This means the `if (isAxiosError(fetchErr) && fetchErr.response?.status === 401)` branch on line 105 is dead code. The `if (!user.value)` check that follows the try/catch correctly handles the silent-clearAuth case, so the logic is still sound — but the dead branch adds noise and could mislead future maintainers into thinking 401s surface as exceptions here.

Consider removing the dead branch and updating the comment:

```suggestion
      } catch (fetchErr) {
        // fetchUser only throws for non-401 errors; 401s are handled silently
        // (clearAuth + no rethrow). If we get here it's a transient network/5xx
        // error — clear auth since the app can't function without user data.
        clearAuth()
        throw new Error(`${flowName} succeeded but failed to load user profile. Please check your connection and try again.`)
      }
```

How can I resolve this? If you propose a fix, please make it concise.

---

This is a comment left during a code review.
Path: web/src/stores/websocket.ts
Line: 82-88

Comment:
**`WS_MAX_MESSAGE_SIZE` constant is imported but never enforced**

`WS_MAX_MESSAGE_SIZE` (4096 bytes) is declared in `constants.ts` and imported here, but the `onmessage` handler never checks the size of incoming frames before parsing them. A misbehaving or malicious backend could send arbitrarily large payloads, causing unbounded memory allocation inside `JSON.parse`.

Consider guarding before parsing:

```suggestion
    socket.onmessage = (event: MessageEvent) => {
      if (typeof event.data === 'string' && event.data.length > WS_MAX_MESSAGE_SIZE) {
        console.error('WebSocket message exceeds size limit, dropping')
        return
      }
      let data: unknown
      try {
        data = JSON.parse(event.data)
```

How can I resolve this? If you propose a fix, please make it concise.

_{Last reviewed commit: 26c8f79}

[coderabbitai]

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 1e1f938a-9725-4cc0-b53b-ae5739a2e5d8

📥 Commits

Reviewing files that changed from the base of the PR and between 51e9a50 and 26c8f79.

📒 Files selected for processing (5)

• web/src/api/client.ts
• web/src/composables/useLoginLockout.ts
• web/src/stores/approvals.ts
• web/src/views/LoginPage.vue
• web/src/views/SetupPage.vue

---

📝 Walkthrough

Summary by CodeRabbit

• New Features

  • Vue 3 web dashboard: auth, task/approval management, agents, budget, analytics, and real-time updates via WebSocket; health and connection indicators.

• Documentation

  • Updated README, guides, roadmap and design docs to include dashboard stack and development setup.

• Tests

  • Extensive unit and integration tests covering components, stores, composables, API clients, and WebSocket behavior.

• Chores

  • Multi-stage Docker build and healthcheck for the dashboard; CI updated with dashboard lint/type/test/build/audit jobs; added TypeScript, ESLint, Vite, and Vitest configs; ignored frontend build artifacts.

Walkthrough

Adds a complete Vue 3 web dashboard (Vite, TypeScript, PrimeVue, Tailwind) with API client, extensive Pinia stores, WebSocket layer, router guards, components, tests, Docker multi-stage build, and CI jobs; removes legacy static frontend artifacts and updates docs/configs accordingly.

Changes

Cohort / File(s)	Summary
Build & Docker /.dockerignore, /.gitignore, docker/web/Dockerfile, web/package.json, web/vite.config.ts, web/vitest.config.ts, web/tsconfig.json, web/tsconfig.node.json, web/eslint.config.js, web/.env.example	Adds frontend package manifest and toolchain configs, docker multi-stage build copying dist/, excludes build artifacts from Docker/Git, and adds Node/Vite/Vitest/TS/ESLint configs.
CI Workflow .github/workflows/ci.yml	Adds dashboard CI jobs (lint, type-check, test, build, audit) and wires them into the ci-pass aggregation and result propagation.
Documentation CLAUDE.md, README.md, docs/*	Documents the new web dashboard stack and updates layout/status/getting-started/roadmap/operations content to reference the dashboard.
Nginx / Runtime web/nginx.conf, docker/web/Dockerfile	Adds WebSocket proxy location, adjusted headers/CSP/HSTS in nginx config; Dockerfile now builds SPA in builder stage and serves /app/dist/ from nginx with HEALTHCHECK and labels.
App entry & HTML web/index.html, web/src/main.ts, web/primevue-preset.ts	Replaces static page with SPA entry, bootstraps Vue app with Pinia/PrimeVue/Toast/ConfirmationService and global error handlers.
Types & API client web/src/api/types.ts, web/src/api/client.ts, web/src/api/endpoints/*	Introduces a comprehensive TypeScript type surface, central Axios client with JWT/401 handling, unwrap helpers, and many endpoint wrappers (auth, tasks, approvals, agents, budget, messages, providers, analytics, company, health, etc.).
Pinia stores web/src/stores/* (auth.ts, websocket.ts, tasks.ts, approvals.ts, agents.ts, budget.ts, messages.ts, analytics.ts, company.ts, providers.ts)	Adds ~10 stores: auth with token lifecycle, robust websocket store (reconnect, subscriptions, handlers), and domain stores integrating REST + WS event handling and validation.
Router & Guards web/src/router/index.ts, web/src/router/guards.ts	Adds router with /login, /setup, / route and an authGuard enforcing authentication (note: TODO for mustChangePassword enforcement present).
UI Components & Layout web/src/components/..., web/src/views/*, web/src/App.vue, web/src/styles/*, web/style.css	New AppShell, Sidebar, Topbar, ConnectionStatus, common components (EmptyState, StatusBadge, ErrorBoundary, LoadingSkeleton, PageHeader), pages (Login, Setup, PlaceholderHome), global theme and Tailwind-based CSS; removes old web/style.css and web/app.js health-check.
Composables & Utilities web/src/composables/*, web/src/utils/*, web/src/styles/theme.ts, web/src/env.d.ts	Adds composables (useAuth, useOptimisticUpdate, usePolling, useLoginLockout), utilities for errors/format/logging/constants, theme tokens, and Vite env typings.
Tests web/src/__tests__/**/*.test.ts	Adds extensive Vitest-based unit tests covering API client, components, composables, router guards, stores (many with WS event scenarios), and utilities.
Removed legacy static frontend web/app.js, web/style.css	Removes legacy health-check script and previous stylesheet in favor of SPA assets.

Sequence Diagram(s)

sequenceDiagram
    participant Browser
    participant Router as Router/Guards
    participant Auth as Auth Store
    participant Local as LocalStorage
    participant API as API Client
    participant Backend

    Browser->>Router: Navigate to protected route
    Router->>Auth: isAuthenticated?
    Auth->>Local: read token
    alt token valid
        Auth-->>Router: allow
    else no token / expired
        Auth-->>Router: redirect /login (with redirect query)
    end

    Browser->>Auth: login(credentials)
    Auth->>API: POST /auth/login
    API->>Backend: request
    Backend-->>API: token
    API-->>Auth: token
    Auth->>Local: store token & expiry
    Auth->>API: GET /auth/me
    API->>Backend: request user
    Backend-->>API: user
    API-->>Auth: user (set isAuthenticated)
    Auth-->>Browser: navigate to intended route

Loading

sequenceDiagram
    participant Component as Vue Component
    participant WSStore as WebSocket Store
    participant Socket as WebSocket
    participant Backend

    Component->>WSStore: connect(token)
    WSStore->>Socket: new WebSocket(url?token=...)
    Socket-->>WSStore: OPEN
    WSStore->>WSStore: connected=true
    Component->>WSStore: subscribe(['agents'], {status:'active'})
    WSStore->>Socket: send subscribe (if open) else queue
    Backend-->>Socket: event (agent.status_changed)
    Socket-->>WSStore: message
    WSStore->>Component: dispatch handler -> store updates -> UI reacts

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat/web-dashboard

✨ Simplify code

• Create PR with simplified code
• Commit simplified code in branch feat/web-dashboard

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request delivers the foundational web dashboard for the application, providing a modern and interactive user interface for monitoring and managing synthetic organizations. It establishes a robust frontend framework with Vue 3, integrating essential features like authentication, real-time data updates, and comprehensive state management. This significantly advances the project's user-facing capabilities and sets the stage for further feature development.

Highlights

• New Web Dashboard: Introduced a comprehensive web dashboard built with Vue 3, PrimeVue, Tailwind CSS, Pinia, and Vue Router, featuring 10 distinct page views for various functionalities.
• Robust Frontend Architecture: Implemented a sophisticated frontend architecture including 11 Pinia stores for state management, an Axios-based API layer with JWT authentication and 401 auto-logout, and real-time WebSocket communication with exponential backoff reconnection and payload validation.
• Enhanced Security and Infrastructure: Integrated security measures such as CSP meta tags, input sanitization, and XSS-safe rendering. The project infrastructure now includes ESLint, strict vue-tsc type checking, Vitest with 172 tests, and an Nginx configuration for SPA routing and API/WebSocket proxy.
• Docker Integration and Documentation Updates: The web dashboard is containerized using an nginx-unprivileged Docker image and integrated into the existing docker-compose setup. Extensive documentation updates across CLAUDE.md, README.md, getting_started.md, user_guide.md, roadmap/index.md, and docs/design/operations.md reflect the new web UI.

Changelog

• .dockerignore
  • Added web dashboard build artifacts to ignore list.
• .gitignore
  • Added web dashboard build artifacts and coverage directory to ignore list.
• CLAUDE.md
  • Updated project layout to include the new web directory.
  • Added web dashboard development instructions.
  • Updated Docker section to reflect Vue 3 SPA integration.
• README.md
  • Updated project status to reflect the completion of the web dashboard.
• docker/web/Dockerfile
  • Converted to a multi-stage Docker build for the Vue dashboard, including Node.js for building and Nginx for serving.
• docs/design/operations.md
  • Updated Web UI status from 'Planned' to 'In Progress' and specified Vue 3 technology.
  • Revised description of Web UI features to reflect current development status.
• docs/getting_started.md
  • Updated description of the web/ directory.
  • Added detailed instructions for web dashboard development.
• docs/roadmap/index.md
  • Moved the web dashboard from 'Remaining Work' to 'In Progress' in the roadmap.
• docs/user_guide.md
  • Updated web dashboard status from 'Planned' to 'Active Development'.
  • Adjusted description of template configuration to reflect dashboard availability.
• web/.env.example
  • Added an example environment variable for the API base URL.
• web/app.js
  • Removed the old placeholder JavaScript file.
• web/env.d.ts
  • Added TypeScript declaration file for Vite environment variables.
• web/eslint.config.js
  • Added ESLint configuration for Vue 3, TypeScript, and security best practices.
• web/index.html
  • Replaced placeholder HTML with the Vue 3 root element and updated meta tags.
• web/nginx.conf
  • Updated Nginx configuration to support Vue 3 SPA routing, WebSocket proxying, and enhanced security headers.
• web/package.json
  • Added package.json for web dashboard dependencies, including Vue, PrimeVue, Tailwind, Pinia, Vitest, and ESLint.
• web/public/favicon.svg
  • Added a favicon for the web dashboard.
• web/src/App.vue
  • Added the root Vue component, integrating Vue Router, PrimeVue Toast, and ConfirmDialog.
• web/src/tests/api/client.test.ts
  • Added unit tests for the API client's request interceptor and response unwrapping functions.
• web/src/tests/components/EmptyState.test.ts
  • Added unit tests for the EmptyState Vue component.
• web/src/tests/components/PageHeader.test.ts
  • Added unit tests for the PageHeader Vue component.
• web/src/tests/components/StatusBadge.test.ts
  • Added unit tests for the StatusBadge Vue component.
• web/src/tests/composables/useOptimisticUpdate.test.ts
  • Added unit tests for the useOptimisticUpdate composable.
• web/src/tests/composables/usePolling.test.ts
  • Added unit tests for the usePolling composable.
• web/src/tests/router/guards.test.ts
  • Added unit tests for the Vue Router authentication guards.
• web/src/tests/stores/agents.test.ts
  • Added unit tests for the Pinia store managing agent data and WebSocket events.
• web/src/tests/stores/approvals.test.ts
  • Added unit tests for the Pinia store managing approval data and WebSocket events.
• web/src/tests/stores/auth.test.ts
  • Added unit tests for the Pinia store managing authentication state.
• web/src/tests/stores/budget.test.ts
  • Added unit tests for the Pinia store managing budget data and WebSocket events.
• web/src/tests/stores/messages.test.ts
  • Added unit tests for the Pinia store managing message data and WebSocket events.
• web/src/tests/stores/tasks.test.ts
  • Added unit tests for the Pinia store managing task data and WebSocket events.
• web/src/tests/stores/websocket.test.ts
  • Added unit tests for the Pinia store managing WebSocket connections and events.
• web/src/tests/utils/constants.test.ts
  • Added unit tests for application-wide constants.
• web/src/tests/utils/errors.test.ts
  • Added unit tests for error handling utilities.
• web/src/tests/utils/format.test.ts
  • Added unit tests for data formatting utilities.
• web/src/api/client.ts
  • Added an Axios client configured with JWT interceptors and response unwrapping logic.
• web/src/api/endpoints/agents.ts
  • Added API endpoint functions for interacting with agent-related services.
• web/src/api/endpoints/analytics.ts
  • Added API endpoint functions for fetching analytics data.
• web/src/api/endpoints/approvals.ts
  • Added API endpoint functions for managing approval requests.
• web/src/api/endpoints/auth.ts
  • Added API endpoint functions for user authentication and setup.
• web/src/api/endpoints/budget.ts
  • Added API endpoint functions for managing budget configurations and cost records.
• web/src/api/endpoints/company.ts
  • Added API endpoint functions for fetching company and department configurations.
• web/src/api/endpoints/health.ts
  • Added API endpoint function for checking application health status.
• web/src/api/endpoints/messages.ts
  • Added API endpoint functions for listing messages and channels.
• web/src/api/endpoints/providers.ts
  • Added API endpoint functions for listing and retrieving provider information.
• web/src/api/endpoints/tasks.ts
  • Added API endpoint functions for managing tasks, including creation, updates, and transitions.
• web/src/api/types.ts
  • Added TypeScript interfaces mirroring backend Pydantic data transfer objects and domain models.
• web/src/components/common/EmptyState.vue
  • Added a reusable Vue component for displaying empty states with customizable icons, titles, and messages.
• web/src/components/common/ErrorBoundary.vue
  • Added a reusable Vue component for displaying error messages with a retry option.
• web/src/components/common/LoadingSkeleton.vue
  • Added a reusable Vue component for displaying loading skeletons.
• web/src/components/common/PageHeader.vue
  • Added a reusable Vue component for page headers with titles, subtitles, and action slots.
• web/src/components/common/StatusBadge.vue
  • Added a reusable Vue component for displaying status badges with dynamic coloring based on type.
• web/src/components/layout/AppShell.vue
  • Added the main application shell component, including sidebar and topbar integration.
• web/src/components/layout/ConnectionStatus.vue
  • Added a Vue component to display real-time API and WebSocket connection statuses.
• web/src/components/layout/Sidebar.vue
  • Added the main sidebar navigation component with dynamic collapsing and active route highlighting.
• web/src/components/layout/Topbar.vue
  • Added the main top bar component, featuring a sidebar toggle, connection status, and user menu.
• web/src/composables/useAuth.ts
  • Added a Vue composable for accessing and managing authentication state.
• web/src/composables/useOptimisticUpdate.ts
  • Added a Vue composable for performing optimistic UI updates with automatic rollback on failure.
• web/src/composables/usePolling.ts
  • Added a Vue composable for polling data at specified intervals with cleanup on unmount.
• web/src/main.ts
  • Added the main entry point for the Vue application, configuring Pinia, Vue Router, PrimeVue, and global error handling.
• web/src/primevue-preset.ts
  • Added PrimeVue theme configuration using the Aura preset.
• web/src/router/guards.ts
  • Added Vue Router navigation guards to enforce authentication and redirect users appropriately.
• web/src/router/index.ts
  • Added Vue Router configuration, defining initial routes and applying the authentication guard.
• web/src/stores/agents.ts
  • Added a Pinia store for managing agent data, including fetching and handling WebSocket events.
• web/src/stores/analytics.ts
  • Added a Pinia store for managing analytics data, including fetching overview metrics.
• web/src/stores/approvals.ts
  • Added a Pinia store for managing approval data, including fetching, approving, rejecting, and handling WebSocket events.
• web/src/stores/auth.ts
  • Added a Pinia store for managing user authentication state, including login, setup, token handling, and user profile fetching.
• web/src/stores/budget.ts
  • Added a Pinia store for managing budget configurations, cost records, and agent spending, including handling WebSocket events.
• web/src/stores/company.ts
  • Added a Pinia store for managing company and department configurations.
• web/src/stores/messages.ts
  • Added a Pinia store for managing messages and channels, including fetching and handling WebSocket events.
• web/src/stores/providers.ts
  • Added a Pinia store for managing provider configurations, including sanitizing sensitive data.
• web/src/stores/tasks.ts
  • Added a Pinia store for managing task data, including fetching, creating, updating, transitioning, canceling, and handling WebSocket events.
• web/src/stores/websocket.ts
  • Added a Pinia store for managing WebSocket connections, subscriptions, and event dispatching with reconnection logic.
• web/src/styles/global.css
  • Added global CSS styles, including TailwindCSS imports and custom scrollbar styling.
• web/src/styles/theme.ts
  • Added a TypeScript file defining theme color tokens and mappings for status, priority, and risk levels.
• web/src/utils/constants.ts
  • Added application-wide constants for WebSocket settings, polling intervals, password requirements, task statuses, and navigation items.
• web/src/utils/errors.ts
  • Added utility functions for robust error handling, including Axios error detection and user-friendly message extraction.
• web/src/utils/format.ts
  • Added utility functions for formatting dates, relative times, currency, numbers, and uptime strings.
• web/src/utils/logging.ts
  • Added a utility function for sanitizing values before logging to prevent sensitive data exposure.
• web/src/views/LoginPage.vue
  • Added the Vue component for the user login interface, including client-side lockout logic.
• web/src/views/PlaceholderHome.vue
  • Added a placeholder Vue component for the home dashboard view.
• web/src/views/SetupPage.vue
  • Added the Vue component for the initial admin account setup interface.
• web/style.css
  • Removed the old placeholder CSS file.
• web/tsconfig.json
  • Added TypeScript configuration for the web project, including path aliases and strict type checking.
• web/tsconfig.node.json
  • Added TypeScript configuration specifically for Node.js environment files like Vite and Vitest configs.
• web/vite.config.ts
  • Added Vite configuration for the Vue 3 project, including plugin setup, path aliases, and API proxy settings.
• web/vitest.config.ts
  • Added Vitest configuration for unit testing, including globals, environment setup, and coverage reporting.

Ignored Files

• Ignored by pattern: .github/workflows/** (1)
  • .github/workflows/ci.yml

Activity

• The pull request underwent 3 rounds of external review by CodeRabbit, Copilot, Greptile, and CodeQL, with all findings addressed.
• Six local review agents were utilized per round, including code-reviewer, python-reviewer, test-analyzer, silent-failure-hunter, type-design-analyzer, and docs-consistency.
• Over 150 review findings were triaged and implemented across all review rounds.
• The web dashboard linting, type-checking, and 172 unit tests passed successfully.
• The branch was rebased on the latest main, incorporating changes from the Mem0 adapter PR feat: implement Mem0 memory backend adapter #345.
• This PR closes issue feat: enforce mustChangePassword redirect in router guards #346.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[greptile-apps]

Post-login redirect ignores route.query.redirect

After a successful login, the handler always pushes to '/' without reading the redirect query parameter that authGuard injects in guards.ts. This means any user who navigates directly to a protected route (e.g. /tasks), gets bounced to /login?redirect=%2Ftasks, and then successfully authenticates will land on the dashboard root instead of their intended destination.

guards.ts correctly sets this up:

const redirect = to.fullPath !== '/' ? to.fullPath : undefined
next({ path: '/login', query: redirect ? { redirect } : undefined })

But LoginPage.vue never reads it back:

Suggested change

	}
	router.push('/')
	} catch (err) {
	const lockoutMsg = recordFailure(err)
	try {
	await auth.login(username.value, password.value)
	reset()
	if (auth.mustChangePassword) {
	toast.add({ severity: 'warn', summary: 'Password change required', life: 5000 })
	}
	const redirect = route.query.redirect
	router.push(typeof redirect === 'string' && redirect.startsWith('/') ? redirect : '/')
	} catch (err) {

You'll also need to import useRoute and instantiate it at the top of the script block:

import { useRouter, useRoute } from 'vue-router'
const router = useRouter()
const route = useRoute()

The startsWith('/') guard prevents an open-redirect via a crafted ?redirect=https://evil.com.

Prompt To Fix With AI

This is a comment left during a code review.
Path: web/src/views/LoginPage.vue
Line: 32-35

Comment:
**Post-login redirect ignores `route.query.redirect`**

After a successful login, the handler always pushes to `'/'` without reading the `redirect` query parameter that `authGuard` injects in `guards.ts`. This means any user who navigates directly to a protected route (e.g. `/tasks`), gets bounced to `/login?redirect=%2Ftasks`, and then successfully authenticates will land on the dashboard root instead of their intended destination.

`guards.ts` correctly sets this up:
```ts
const redirect = to.fullPath !== '/' ? to.fullPath : undefined
next({ path: '/login', query: redirect ? { redirect } : undefined })
```

But `LoginPage.vue` never reads it back:

```suggestion
  try {
    await auth.login(username.value, password.value)
    reset()
    if (auth.mustChangePassword) {
      toast.add({ severity: 'warn', summary: 'Password change required', life: 5000 })
    }
    const redirect = route.query.redirect
    router.push(typeof redirect === 'string' && redirect.startsWith('/') ? redirect : '/')
  } catch (err) {
```

You'll also need to import `useRoute` and instantiate it at the top of the script block:
```ts
import { useRouter, useRoute } from 'vue-router'
const router = useRouter()
const route = useRoute()
```

The `startsWith('/')` guard prevents an open-redirect via a crafted `?redirect=https://evil.com`.

How can I resolve this? If you propose a fix, please make it concise.

[greptile-apps]

Unreachable 401 branch inside performAuthFlow's inner catch

The inner catch (fetchErr) block checks for a 401 status from fetchUser, but fetchUser never re-throws on a 401 — it handles it by calling clearAuth() and returning silently:

// fetchUser (lines 142–155)
if (isAxiosError(err) && err.response?.status === 401) {
  clearAuth()
  // ← no throw, so performAuthFlow's catch never sees a 401
} else {
  throw err  // only non-401 errors propagate
}

This means the if (isAxiosError(fetchErr) && fetchErr.response?.status === 401) branch on line 105 is dead code. The if (!user.value) check that follows the try/catch correctly handles the silent-clearAuth case, so the logic is still sound — but the dead branch adds noise and could mislead future maintainers into thinking 401s surface as exceptions here.

Consider removing the dead branch and updating the comment:

Suggested change

	throw new Error(`${flowName} failed: invalid session. Please try again.`)
	}
	clearAuth()
	throw new Error(`${flowName} succeeded but failed to load user profile. Please check your connection and try again.`)
	}
	// If fetchUser silently cleared auth (e.g. 401), the flow should not succeed
	if (!user.value) {
	clearAuth()
	throw new Error(`${flowName} succeeded but failed to load user profile. Please try again.`)
	}
	return result
	} finally {
	loading.value = false
	}
	}
	} catch (fetchErr) {
	// fetchUser only throws for non-401 errors; 401s are handled silently
	// (clearAuth + no rethrow). If we get here it's a transient network/5xx
	// error — clear auth since the app can't function without user data.
	clearAuth()
	throw new Error(`${flowName} succeeded but failed to load user profile. Please check your connection and try again.`)
	}

Prompt To Fix With AI

This is a comment left during a code review.
Path: web/src/stores/auth.ts
Line: 101-115

Comment:
**Unreachable 401 branch inside `performAuthFlow`'s inner catch**

The inner `catch (fetchErr)` block checks for a `401` status from `fetchUser`, but `fetchUser` never re-throws on a 401 — it handles it by calling `clearAuth()` and returning silently:

```ts
// fetchUser (lines 142–155)
if (isAxiosError(err) && err.response?.status === 401) {
  clearAuth()
  // ← no throw, so performAuthFlow's catch never sees a 401
} else {
  throw err  // only non-401 errors propagate
}
```

This means the `if (isAxiosError(fetchErr) && fetchErr.response?.status === 401)` branch on line 105 is dead code. The `if (!user.value)` check that follows the try/catch correctly handles the silent-clearAuth case, so the logic is still sound — but the dead branch adds noise and could mislead future maintainers into thinking 401s surface as exceptions here.

Consider removing the dead branch and updating the comment:

```suggestion
      } catch (fetchErr) {
        // fetchUser only throws for non-401 errors; 401s are handled silently
        // (clearAuth + no rethrow). If we get here it's a transient network/5xx
        // error — clear auth since the app can't function without user data.
        clearAuth()
        throw new Error(`${flowName} succeeded but failed to load user profile. Please check your connection and try again.`)
      }
```

How can I resolve this? If you propose a fix, please make it concise.

[greptile-apps]

WS_MAX_MESSAGE_SIZE constant is imported but never enforced

WS_MAX_MESSAGE_SIZE (4096 bytes) is declared in constants.ts and imported here, but the onmessage handler never checks the size of incoming frames before parsing them. A misbehaving or malicious backend could send arbitrarily large payloads, causing unbounded memory allocation inside JSON.parse.

Consider guarding before parsing:

Suggested change

	}
	return
	}
	if (msg.error) {
	console.error('WebSocket error:', sanitizeForLog(msg.error))
	return
	socket.onmessage = (event: MessageEvent) => {
	if (typeof event.data === 'string' && event.data.length > WS_MAX_MESSAGE_SIZE) {
	console.error('WebSocket message exceeds size limit, dropping')
	return
	}
	let data: unknown
	try {
	data = JSON.parse(event.data)

Prompt To Fix With AI

This is a comment left during a code review.
Path: web/src/stores/websocket.ts
Line: 82-88

Comment:
**`WS_MAX_MESSAGE_SIZE` constant is imported but never enforced**

`WS_MAX_MESSAGE_SIZE` (4096 bytes) is declared in `constants.ts` and imported here, but the `onmessage` handler never checks the size of incoming frames before parsing them. A misbehaving or malicious backend could send arbitrarily large payloads, causing unbounded memory allocation inside `JSON.parse`.

Consider guarding before parsing:

```suggestion
    socket.onmessage = (event: MessageEvent) => {
      if (typeof event.data === 'string' && event.data.length > WS_MAX_MESSAGE_SIZE) {
        console.error('WebSocket message exceeds size limit, dropping')
        return
      }
      let data: unknown
      try {
        data = JSON.parse(event.data)
```

How can I resolve this? If you propose a fix, please make it concise.

[gemini-code-assist]

Code Review

This pull request introduces a comprehensive web dashboard using Vue 3, PrimeVue, and Tailwind CSS. The changes include the core infrastructure, Pinia stores, API layer, shared components, and extensive testing. The overall quality of the code is very high, with excellent attention to detail in areas like security, error handling, and state management. I've found one critical issue with dependency versions in package.json that will prevent the project from being set up, and one minor suggestion for .gitignore to improve clarity.

[gemini-code-assist]

Several devDependencies are pinned to versions that do not exist, which will cause npm install to fail. For example, vite is at ^6 while the latest is ^5.x.x, and vitest is at ^3 while the latest is ^1.x.x. Using pre-release versions for core dependencies like Vue and Tailwind is also a risk to stability.

I've suggested updating to the latest stable or compatible versions for the broken dependencies to ensure the project is buildable.

  "devDependencies": {
    "@types/node": "^20.14.9",
    "vite": "^5.3.1",
    "@typescript-eslint/parser": "^7.15.0",
    "@vitejs/plugin-vue": "^5.0.5",
    "@vitest/coverage-v8": "^1.6.0",
    "@vue/test-utils": "^2.4.6",
    "@vue/tsconfig": "^0.7.0",
    "eslint": "^9.6.0",
    "eslint-plugin-security": "^3.0.0",
    "eslint-plugin-vue": "^9.26.0",
    "jsdom": "^24.1.0",
    "typescript": "^5.5.2",
    "vitest": "^1.6.0",
    "vue-tsc": "^2.0.24"
  }

[gemini-code-assist]

These lines ignore generated JavaScript and TypeScript declaration files for your Vite and Vitest configurations. While this is likely correct because you've written the configurations in TypeScript (.ts), it's an uncommon setup that might confuse new contributors. Consider adding a comment to clarify that these are build artifacts and are intentionally ignored.