Conversation
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: c632e725bb
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| if (url.pathname === "/api/kanban" && req.method === "POST") { | ||
| try { | ||
| const body = await req.json() as KanbanBoard; | ||
| await writeKanban(body); |
There was a problem hiding this comment.
This new mutating endpoint accepts unauthenticated cross-origin POSTs because it does not call requireCsrf(req) before writing to disk, unlike the other state-changing /api/* routes in this file. In a browser session where the UI is open, any malicious site can trigger a form/fetch POST to /api/kanban and overwrite .claude/claudeclaw/kanban.json, which defeats the CSRF protections documented at the top of this server.
Useful? React with 👍 / 👎.
|
@codex review |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 332d07bb2e
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
|
|
||
| async function saveKanban() { | ||
| try { | ||
| await fetch("/api/kanban", { method: "POST", headers: { "Content-Type": "application/json" }, body: JSON.stringify(kanbanData) }); |
There was a problem hiding this comment.
saveKanban posts directly with fetch instead of the existing mutatingFetch helper, but /api/kanban POST is CSRF-protected in server.ts and returns 403 without X-CSRF-Token. In practice, adding/clearing tasks appears to work in-memory, then the 10-second refresh reloads old data from disk, so Kanban changes are not persisted. Route this call through mutatingFetch (or attach a valid token) so writes actually succeed.
Useful? React with 👍 / 👎.
|
@codex review |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 6483b8e294
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
|
|
||
| async function saveKanban() { | ||
| try { | ||
| await fetch("/api/kanban", { method: "POST", headers: { "Content-Type": "application/json" }, body: JSON.stringify(kanbanData) }); |
There was a problem hiding this comment.
Replace this direct fetch with the existing mutatingFetch helper; POST /api/kanban is CSRF-protected in src/ui/server.ts (the handler calls requireCsrf), so this request is rejected with 403 when no X-CSRF-Token is sent. Because saveKanban() swallows errors, adding tasks or clearing Done appears to work in-memory but does not persist to disk and is lost on reload.
Useful? React with 👍 / 👎.
Three-column board (To Do / In Progress / Done) as a native tab in the ClaudeClaw+ web UI. State persists to .claude/claudeclaw/kanban.json. Auto-refreshes every 10 seconds. Integrates with the existing Dashboard/Chat tab system. Exposes /api/kanban GET+POST endpoints backed by src/ui/services/kanban.ts (readKanban, writeKanban, addCardToColumn, moveCard helpers). The Kanban service is standalone but designed to pair with the agent lifecycle events tab (PR #41) already in ClaudeClaw-Plus for auto-tracking sub-agent activity. Ported from moazbuilds/claudeclaw#42. Co-authored-by: Chetan Nandakumar <chetan-guevara@users.noreply.github.com>
TerrysPOV
force-pushed
the
feat/kanban-board
branch
from
6483b8e to
5c3912b
Compare
1 participant
What
Adds a Kanban board as a native tab in the ClaudeClaw+ web UI — no external server, no iframe, no configuration.
Three columns: To Do → In Progress → Done
+ Add task).claude/claudeclaw/kanban.jsonWhy it lives in Plus (not upstream)
This pairs naturally with the agent lifecycle events tab (already in ClaudeClaw+) —
addCardToColumn/moveCardhelpers are ready for sub-agent auto-tracking. The scope (509 lines across 5 UI files, project-management feature) doesn't fit upstream's lightweight brief.Architecture
New:
src/ui/services/kanban.ts—readKanban,writeKanban,addCardToColumn,moveCardNew endpoints:
GET /api/kanban,POST /api/kanbanCard schema:
Test plan
kanban.jsonAttribution
Originally submitted by @chetan-guevara in moazbuilds/claudeclaw#42. Ported to ClaudeClaw+ and adapted to fit the existing Dashboard/Chat tab structure. Thank you Chetan.