claude-teammate 0.1.307 → 0.1.309

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "claude-teammate",
-  "version": "0.1.307",
+  "version": "0.1.309",
   "description": "CLI bootstrapper for Claude Teammate.",
   "license": "MIT",
   "type": "module",

package/src/claude/prompts.js

@@ -179,6 +179,7 @@ export function buildJiraClarificationUserPrompt(input) {
     referenceRepos: input.referenceRepos,
     repoPaths: input.repoPaths
   });
+  const attachmentsSection = formatIssueAttachments(input.issue.attachments);
 
   return `Clarify this Jira issue.
 
@@ -189,6 +190,7 @@ Status: ${input.issue.status}
 Description:
 ${input.issue.descriptionText || "(none)"}
 
+${attachmentsSection}
 Memory snapshot:
 ${JSON.stringify(input.memory, null, 2)}
 
@@ -202,6 +204,20 @@ ${reopenContext}
 Decide whether the requirements are clear enough to plan implementation and whether the task needs code changes. Read code only if it helps.`;
 }
 
+// List attachments already present on the Jira issue so the agent reads
+// material the user attached instead of asking for it. These are downloadable
+// with jira_download_attachments by filename.
+function formatIssueAttachments(attachments) {
+  const list = (Array.isArray(attachments) ? attachments : []).filter((item) => item && item.filename);
+  if (list.length === 0) {
+    return "";
+  }
+  const lines = list.map((item) => `- ${item.filename}${item.mimeType ? ` (${item.mimeType})` : ""}`).join("\n");
+  return `Issue attachments (download with jira_download_attachments before planning; read every one relevant to the task):
+${lines}
+`;
+}
+
 function formatClarificationRepoScope({ targetRepo, referenceRepos, repoPaths }) {
   const repoPathLines = (Array.isArray(repoPaths) ? repoPaths : []).filter(Boolean);
 

package/src/config.js

@@ -51,6 +51,35 @@ export const REQUIRED_FIELDS = [
     prompt: "GitLab personal access token",
     secret: true,
     required: false
+  },
+  {
+    key: "DASHBOARD_BASE_URL",
+    prompt: "Dashboard public URL (for Google OAuth redirect)",
+    example: "https://bot.ignify.co",
+    required: false
+  },
+  {
+    key: "DASHBOARD_ALLOWED_DOMAIN",
+    prompt: "Email domain allowed to sign in",
+    example: "ignify.co",
+    required: false
+  },
+  {
+    key: "GOOGLE_CLIENT_ID",
+    prompt: "Google OAuth client ID (dashboard login)",
+    required: false
+  },
+  {
+    key: "GOOGLE_CLIENT_SECRET",
+    prompt: "Google OAuth client secret",
+    secret: true,
+    required: false
+  },
+  {
+    key: "DASHBOARD_AUTH_SECRET",
+    prompt: "Random secret for signing dashboard sessions",
+    secret: true,
+    required: false
   }
 ];
 

package/src/dashboard/README.md

@@ -103,6 +103,83 @@ location / {
 
 ---
 
+## Authentication (Google OAuth)
+
+The dashboard can require Google sign-in restricted to one email domain
+(e.g. `@ignify.co`). Auth is **off** until the env vars below are all set, so
+local/dev usage needs no config.
+
+### 1. Create a Google OAuth client
+
+1. Google Cloud Console → **APIs & Services → Credentials**.
+2. Configure the **OAuth consent screen** (Internal if `ignify.co` is a Google
+   Workspace domain; otherwise External). Scopes: `email`, `profile`, `openid`.
+3. **Create Credentials → OAuth client ID → Web application**.
+4. **Authorized redirect URIs**: add `https://bot.ignify.co/auth/callback`
+5. Copy the **Client ID** and **Client secret**.
+
+### 2. Add config to the dashboard `.env` (`~/.tm8/.env`)
+
+```ini
+DASHBOARD_BASE_URL=https://bot.ignify.co
+DASHBOARD_ALLOWED_DOMAIN=ignify.co
+GOOGLE_CLIENT_ID=<client id>
+GOOGLE_CLIENT_SECRET=<client secret>
+DASHBOARD_AUTH_SECRET=<random 32+ byte hex>   # node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"
+```
+
+### 3. nginx must terminate TLS and forward the real protocol
+
+Google rejects non-HTTPS redirect URIs. Run the dashboard as plain http on
+`127.0.0.1:7881` behind nginx with a Let's Encrypt cert:
+
+```nginx
+server {
+    listen 443 ssl;
+    server_name bot.ignify.co;
+
+    ssl_certificate     /etc/letsencrypt/live/bot.ignify.co/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/bot.ignify.co/privkey.pem;
+
+    location / {
+        proxy_pass http://127.0.0.1:7881;
+        proxy_http_version 1.1;
+        proxy_set_header Host              $host;
+        proxy_set_header X-Forwarded-Proto $scheme;   # required for OAuth redirect
+        proxy_set_header X-Forwarded-For   $remote_addr;
+        proxy_set_header Upgrade           $http_upgrade;
+        proxy_set_header Connection        keep-alive;
+    }
+}
+
+server {                          # redirect http → https
+    listen 80;
+    server_name bot.ignify.co;
+    return 301 https://$host$request_uri;
+}
+```
+
+Get the cert with `sudo certbot --nginx -d bot.ignify.co`.
+
+### 4. Rebuild SPA + restart
+
+```bash
+cd src/dashboard/app && npm run generate   # rebuild SPA (logout button / 401 redirect)
+sudo systemctl restart tm8-dashboard       # reload .env (auth config read at startup)
+```
+
+### How it works
+
+- Unauthenticated `/api/*` → `401`; unauthenticated pages → redirect to
+  `/auth/login` → Google → `/auth/callback`.
+- The callback verifies the Google id_token, checks `email_verified` and that the
+  address ends with `@DASHBOARD_ALLOWED_DOMAIN`, then sets a signed
+  (HMAC-SHA256), HttpOnly, Secure, SameSite=Lax session cookie (7-day expiry).
+- No server-side session store — stateless cookie, safe across worker restarts.
+- Changing `.env` requires a dashboard restart (config loaded at startup).
+
+---
+
 ## API notes
 
 - `/api/status` — worker state, polled every 10 s by the UI

package/src/dashboard/app/assets/css/main.css

@@ -272,6 +272,35 @@ body::before {
   letter-spacing: 0.5px;
 }
 
+.user-pill {
+  display: flex;
+  align-items: center;
+  gap: 8px;
+  font-size: 0.78rem;
+}
+
+.user-pill .user-email {
+  color: var(--ink-3);
+  max-width: 180px;
+  overflow: hidden;
+  text-overflow: ellipsis;
+  white-space: nowrap;
+}
+
+.user-pill .logout-link {
+  color: var(--ink-2);
+  text-decoration: none;
+  font-weight: 600;
+  padding: 3px 9px;
+  border: 1px solid var(--border-color);
+  border-radius: 6px;
+}
+
+.user-pill .logout-link:hover {
+  color: var(--ink-1);
+  border-color: var(--ink-3);
+}
+
 /* ── Sidebar ── */
 .sidebar {
   background: var(--bg-card);

package/src/dashboard/app/composables/useApi.ts

@@ -3,9 +3,19 @@
  * All calls go to the same origin the Nuxt app is served from.
  */
 export function useApi() {
+  // Session expired / not logged in → bounce to the OAuth login (full reload, not SPA nav).
+  function handleUnauthorized(status: number) {
+    if (status === 401 && typeof window !== "undefined") {
+      window.location.href = "/auth/login";
+    }
+  }
+
   async function apiFetch<T = unknown>(url: string): Promise<T> {
     const r = await fetch(url);
-    if (!r.ok) throw new Error("HTTP " + r.status);
+    if (!r.ok) {
+      handleUnauthorized(r.status);
+      throw new Error("HTTP " + r.status);
+    }
     return r.json() as Promise<T>;
   }
 
@@ -15,7 +25,10 @@ export function useApi() {
       headers: { "Content-Type": "application/json" },
       body: JSON.stringify(body)
     });
-    if (!r.ok) throw new Error("HTTP " + r.status);
+    if (!r.ok) {
+      handleUnauthorized(r.status);
+      throw new Error("HTTP " + r.status);
+    }
     return r.json() as Promise<T>;
   }
 
@@ -25,7 +38,10 @@ export function useApi() {
       headers: body ? { "Content-Type": "application/json" } : {},
       body: body ? JSON.stringify(body) : undefined
     });
-    if (!r.ok) throw new Error("HTTP " + r.status);
+    if (!r.ok) {
+      handleUnauthorized(r.status);
+      throw new Error("HTTP " + r.status);
+    }
     return r.json() as Promise<T>;
   }
 

package/src/dashboard/app/layouts/default.vue

@@ -24,6 +24,10 @@
           <span>{{ workerText }}</span>
         </div>
         <div class="clock" id="clock">{{ clockText }}</div>
+        <div v-if="userEmail" class="user-pill" :title="userEmail">
+          <span class="user-email">{{ userEmail }}</span>
+          <a href="/auth/logout" class="logout-link" title="Sign out">Sign out</a>
+        </div>
       </div>
     </header>
 
@@ -168,6 +172,19 @@ const { status, startPolling } = useStatus();
 const { skillFixStats, loadSkillFixStats, startPolling: startSkillPolling } = useSkillFixes();
 const sidebarOpen = ref(false);
 const clockText = ref("");
+const userEmail = ref<string | null>(null);
+
+async function loadUser() {
+  try {
+    const r = await fetch("/auth/me");
+    if (r.ok) {
+      const data = await r.json();
+      userEmail.value = data.email || null;
+    }
+  } catch {
+    // auth disabled or offline — leave userEmail null (pill hidden)
+  }
+}
 
 const _skillsCount = computed(() => skillFixStats.value?.totalEvents24h ?? null);
 
@@ -207,6 +224,7 @@ const _awaitingCount = computed(() => {
 });
 
 onMounted(() => {
+  loadUser();
   startPolling();
   startSkillPolling(15000);
   loadSkillFixStats();

package/src/dashboard/auth.js

@@ -0,0 +1,275 @@
+/**
+ * Google OAuth gate for the dashboard.
+ *
+ * Stateless: a signed (HMAC-SHA256) cookie holds the authenticated email + expiry.
+ * No server-side session store, so it stays idempotent across worker restarts.
+ *
+ * Auth is OFF unless GOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET and DASHBOARD_AUTH_SECRET
+ * are all set. That keeps localhost/dev usage working with zero config.
+ */
+import crypto from "node:crypto";
+
+const SESSION_COOKIE = "tm8_sess";
+const STATE_COOKIE = "tm8_oauth_state";
+const SESSION_TTL_MS = 7 * 24 * 60 * 60 * 1000; // 7 days
+const STATE_TTL_MS = 10 * 60 * 1000; // 10 min
+const DEFAULT_ALLOWED_DOMAIN = "ignify.co";
+
+const GOOGLE_AUTH_URL = "https://accounts.google.com/o/oauth2/v2/auth";
+const GOOGLE_TOKEN_URL = "https://oauth2.googleapis.com/token";
+
+export function buildAuthConfig(values) {
+  const clientId = String(values.GOOGLE_CLIENT_ID || "").trim();
+  const clientSecret = String(values.GOOGLE_CLIENT_SECRET || "").trim();
+  const secret = String(values.DASHBOARD_AUTH_SECRET || "").trim();
+  const allowedDomain = String(values.DASHBOARD_ALLOWED_DOMAIN || DEFAULT_ALLOWED_DOMAIN)
+    .trim()
+    .toLowerCase()
+    .replace(/^@/, "");
+  const baseUrl = String(values.DASHBOARD_BASE_URL || "")
+    .trim()
+    .replace(/\/+$/, "");
+
+  const enabled = Boolean(clientId && clientSecret && secret);
+
+  return { enabled, clientId, clientSecret, secret, allowedDomain, baseUrl };
+}
+
+function redirectUri(cfg, req) {
+  if (cfg.baseUrl) return `${cfg.baseUrl}/auth/callback`;
+  // Fallback: derive from request (assumes proxy sets X-Forwarded-Proto)
+  const proto = (req.headers["x-forwarded-proto"] || "http").split(",")[0].trim();
+  return `${proto}://${req.headers.host}/auth/callback`;
+}
+
+// --- cookie helpers -------------------------------------------------------
+
+function parseCookies(req) {
+  const header = req.headers.cookie;
+  const out = {};
+  if (!header) return out;
+  for (const part of header.split(";")) {
+    const idx = part.indexOf("=");
+    if (idx === -1) continue;
+    const k = part.slice(0, idx).trim();
+    const v = part.slice(idx + 1).trim();
+    if (k) out[k] = decodeURIComponent(v);
+  }
+  return out;
+}
+
+function setCookie(res, name, value, { maxAgeMs, httpOnly = true } = {}) {
+  const parts = [`${name}=${encodeURIComponent(value)}`, "Path=/", "SameSite=Lax"];
+  if (httpOnly) parts.push("HttpOnly");
+  parts.push("Secure"); // dashboard is served over https via the reverse proxy
+  if (typeof maxAgeMs === "number") parts.push(`Max-Age=${Math.floor(maxAgeMs / 1000)}`);
+  appendSetCookie(res, parts.join("; "));
+}
+
+function clearCookie(res, name) {
+  appendSetCookie(res, `${name}=; Path=/; SameSite=Lax; HttpOnly; Secure; Max-Age=0`);
+}
+
+function appendSetCookie(res, cookie) {
+  const existing = res.getHeader("Set-Cookie");
+  if (!existing) res.setHeader("Set-Cookie", [cookie]);
+  else res.setHeader("Set-Cookie", Array.isArray(existing) ? [...existing, cookie] : [existing, cookie]);
+}
+
+// --- signing --------------------------------------------------------------
+
+function sign(value, secret) {
+  return crypto.createHmac("sha256", secret).update(value).digest("base64url");
+}
+
+function timingSafeEqual(a, b) {
+  const ab = Buffer.from(a);
+  const bb = Buffer.from(b);
+  if (ab.length !== bb.length) return false;
+  return crypto.timingSafeEqual(ab, bb);
+}
+
+function createSessionToken(email, secret) {
+  const payload = Buffer.from(JSON.stringify({ email, exp: Date.now() + SESSION_TTL_MS })).toString("base64url");
+  return `${payload}.${sign(payload, secret)}`;
+}
+
+function verifySessionToken(token, secret) {
+  if (!token || typeof token !== "string") return null;
+  const dot = token.lastIndexOf(".");
+  if (dot === -1) return null;
+  const payload = token.slice(0, dot);
+  const sig = token.slice(dot + 1);
+  if (!timingSafeEqual(sig, sign(payload, secret))) return null;
+  let data;
+  try {
+    data = JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
+  } catch {
+    return null;
+  }
+  if (!data || typeof data.email !== "string" || typeof data.exp !== "number") return null;
+  if (Date.now() > data.exp) return null;
+  return data.email;
+}
+
+/** Returns the authenticated email, or null. */
+export function getAuthedEmail(req, cfg) {
+  if (!cfg.enabled) return null;
+  const cookies = parseCookies(req);
+  return verifySessionToken(cookies[SESSION_COOKIE], cfg.secret);
+}
+
+// --- route handling -------------------------------------------------------
+
+function sendHtml(res, status, html) {
+  res.writeHead(status, { "Content-Type": "text/html; charset=utf-8" });
+  res.end(html);
+}
+
+function emailAllowed(email, emailVerified, allowedDomain) {
+  if (!email || emailVerified === false) return false;
+  return email.toLowerCase().endsWith(`@${allowedDomain}`);
+}
+
+/**
+ * Handles /auth/* routes. Returns true if the request was handled here.
+ * Safe to call before the auth gate (these routes must be reachable while unauthenticated).
+ */
+export async function handleAuthRoutes(req, res, url, cfg) {
+  const { pathname } = url;
+  if (!pathname.startsWith("/auth/")) return false;
+
+  if (pathname === "/auth/me" && req.method === "GET") {
+    const email = getAuthedEmail(req, cfg);
+    if (!email) {
+      res.writeHead(401, { "Content-Type": "application/json; charset=utf-8" });
+      res.end(JSON.stringify({ error: "Not authenticated" }));
+    } else {
+      res.writeHead(200, { "Content-Type": "application/json; charset=utf-8" });
+      res.end(JSON.stringify({ email, authEnabled: true }));
+    }
+    return true;
+  }
+
+  if (pathname === "/auth/logout") {
+    clearCookie(res, SESSION_COOKIE);
+    res.writeHead(302, { Location: "/auth/login" });
+    res.end();
+    return true;
+  }
+
+  if (pathname === "/auth/login" && req.method === "GET") {
+    const state = crypto.randomBytes(16).toString("hex");
+    setCookie(res, STATE_COOKIE, state, { maxAgeMs: STATE_TTL_MS });
+    const params = new URLSearchParams({
+      client_id: cfg.clientId,
+      redirect_uri: redirectUri(cfg, req),
+      response_type: "code",
+      scope: "openid email profile",
+      state,
+      access_type: "online",
+      prompt: "select_account",
+      hd: cfg.allowedDomain // hint only — verified server-side below
+    });
+    res.writeHead(302, { Location: `${GOOGLE_AUTH_URL}?${params.toString()}` });
+    res.end();
+    return true;
+  }
+
+  if (pathname === "/auth/callback" && req.method === "GET") {
+    const code = url.searchParams.get("code");
+    const state = url.searchParams.get("state");
+    const cookies = parseCookies(req);
+    clearCookie(res, STATE_COOKIE);
+
+    if (!code || !state || !cookies[STATE_COOKIE] || !timingSafeEqual(state, cookies[STATE_COOKIE])) {
+      sendHtml(res, 400, authErrorPage("Invalid OAuth state. Please try logging in again."));
+      return true;
+    }
+
+    let email;
+    let emailVerified;
+    try {
+      const claims = await exchangeCode(code, cfg, redirectUri(cfg, req));
+      email = claims.email;
+      emailVerified = claims.email_verified;
+    } catch (err) {
+      sendHtml(res, 502, authErrorPage(`Could not reach Google: ${escapeHtml(err.message || String(err))}`));
+      return true;
+    }
+
+    if (!emailAllowed(email, emailVerified, cfg.allowedDomain)) {
+      clearCookie(res, SESSION_COOKIE);
+      sendHtml(
+        res,
+        403,
+        authErrorPage(
+          `Access denied for <b>${escapeHtml(email || "unknown")}</b>. Only @${escapeHtml(cfg.allowedDomain)} accounts may sign in.`
+        )
+      );
+      return true;
+    }
+
+    setCookie(res, SESSION_COOKIE, createSessionToken(email, cfg.secret), { maxAgeMs: SESSION_TTL_MS });
+    res.writeHead(302, { Location: "/" });
+    res.end();
+    return true;
+  }
+
+  return false;
+}
+
+async function exchangeCode(code, cfg, redirect) {
+  const body = new URLSearchParams({
+    code,
+    client_id: cfg.clientId,
+    client_secret: cfg.clientSecret,
+    redirect_uri: redirect,
+    grant_type: "authorization_code"
+  });
+
+  const resp = await fetch(GOOGLE_TOKEN_URL, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body
+  });
+
+  if (!resp.ok) {
+    const text = await resp.text().catch(() => "");
+    throw new Error(`token endpoint ${resp.status} ${text.slice(0, 200)}`);
+  }
+
+  const json = await resp.json();
+  const idToken = json.id_token;
+  if (!idToken) throw new Error("no id_token in token response");
+  // id_token came directly from Google's token endpoint over TLS, so we can
+  // trust its payload without re-verifying the signature.
+  return decodeJwtPayload(idToken);
+}
+
+function decodeJwtPayload(jwt) {
+  const parts = jwt.split(".");
+  if (parts.length !== 3) throw new Error("malformed id_token");
+  return JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
+}
+
+function escapeHtml(s) {
+  return String(s).replace(
+    /[&<>"']/g,
+    (c) => ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" })[c]
+  );
+}
+
+function authErrorPage(message) {
+  return `<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><title>TM8 Dashboard — Sign in</title>
+<style>body{font-family:system-ui,sans-serif;background:#0f172a;color:#e2e8f0;display:flex;min-height:100vh;align-items:center;justify-content:center;margin:0}
+.card{background:#1e293b;padding:2rem 2.5rem;border-radius:12px;max-width:420px;text-align:center;box-shadow:0 10px 40px rgba(0,0,0,.4)}
+h1{font-size:1.15rem;margin:0 0 .75rem}p{color:#94a3b8;line-height:1.5}a{display:inline-block;margin-top:1.25rem;background:#3b82f6;color:#fff;text-decoration:none;padding:.6rem 1.25rem;border-radius:8px;font-weight:600}</style>
+</head><body><div class="card"><h1>TM8 Dashboard</h1><p>${message}</p><a href="/auth/login">Sign in with Google</a></div></body></html>`;
+}
+
+/** Minimal page shown to unauthenticated users instead of redirect loops on the SPA shell. */
+export function loginRedirect(res) {
+  res.writeHead(302, { Location: "/auth/login" });
+  res.end();
+}

package/src/dashboard/server.js

@@ -12,6 +12,7 @@ import { getRuntimePaths, isProcessRunning, readPid, readState } from "../runtim
 import { restoreSkillBackup } from "../skills/fixer.js";
 import { SKILL_FIX_COOLDOWN_WINDOW_MS_DEFAULT, SKILL_IMPROVEMENT_COOLDOWN_MS_DEFAULT } from "../skills/index.js";
 import { replaceJiraOperationalLabels } from "../worker/forge-sync.js";
+import { buildAuthConfig, getAuthedEmail, handleAuthRoutes, loginRedirect } from "./auth.js";
 
 const __dirname = path.dirname(fileURLToPath(import.meta.url));
 const NUXT_DIST_CANDIDATES = [
@@ -42,9 +43,17 @@ let _usageCache = null; // { data, expiresAt }
 export async function startDashboardServer({ projectRoot, port = 7880 }) {
   const runtimePaths = getRuntimePaths(projectRoot);
 
+  const { values } = await loadProjectEnv(projectRoot);
+  const authConfig = buildAuthConfig(values);
+  if (authConfig.enabled) {
+    process.stdout.write(`  Auth         : Google OAuth (allowed domain: @${authConfig.allowedDomain})\n`);
+  } else {
+    process.stdout.write("  Auth         : DISABLED (set GOOGLE_CLIENT_ID/SECRET + DASHBOARD_AUTH_SECRET to enable)\n");
+  }
+
   const server = createServer(async (req, res) => {
     try {
-      await handleRequest(req, res, projectRoot, runtimePaths);
+      await handleRequest(req, res, projectRoot, runtimePaths, authConfig);
     } catch (error) {
       sendJson(res, 500, { error: error.message || "Internal server error" });
     }
@@ -59,8 +68,8 @@ export async function startDashboardServer({ projectRoot, port = 7880 }) {
   });
 }
 
-async function handleRequest(req, res, projectRoot, runtimePaths) {
-  setCorsHeaders(res);
+async function handleRequest(req, res, projectRoot, runtimePaths, authConfig) {
+  setCorsHeaders(res, authConfig);
 
   if (req.method === "OPTIONS") {
     res.writeHead(204);
@@ -71,6 +80,21 @@ async function handleRequest(req, res, projectRoot, runtimePaths) {
   const url = new URL(req.url, `http://${req.headers.host}`);
   const pathname = url.pathname;
 
+  // Auth routes (login/callback/logout/me) must be reachable while unauthenticated.
+  if (authConfig?.enabled && (await handleAuthRoutes(req, res, url, authConfig))) {
+    return;
+  }
+
+  // Gate everything else when auth is enabled.
+  if (authConfig?.enabled && !getAuthedEmail(req, authConfig)) {
+    if (pathname.startsWith("/api/")) {
+      sendJson(res, 401, { error: "Not authenticated" });
+    } else {
+      loginRedirect(res);
+    }
+    return;
+  }
+
   if (!pathname.startsWith("/api/")) {
     const served = await tryServeNuxt(res, pathname);
     if (!served) {
@@ -176,7 +200,19 @@ async function handleRequest(req, res, projectRoot, runtimePaths) {
   sendJson(res, 404, { error: "Not found" });
 }
 
-function setCorsHeaders(res) {
+function setCorsHeaders(res, authConfig) {
+  // When auth is on, the SPA is same-origin behind the proxy — wildcard CORS would
+  // let any site drive the API with the user's cookie. Keep it locked down.
+  if (authConfig?.enabled) {
+    if (authConfig.baseUrl) {
+      res.setHeader("Access-Control-Allow-Origin", authConfig.baseUrl);
+      res.setHeader("Access-Control-Allow-Credentials", "true");
+      res.setHeader("Vary", "Origin");
+    }
+    res.setHeader("Access-Control-Allow-Methods", "GET, PUT, POST, OPTIONS");
+    res.setHeader("Access-Control-Allow-Headers", "Content-Type");
+    return;
+  }
   res.setHeader("Access-Control-Allow-Origin", "*");
   res.setHeader("Access-Control-Allow-Methods", "GET, PUT, POST, OPTIONS");
   res.setHeader("Access-Control-Allow-Headers", "Content-Type");

package/src/jira.js

@@ -306,10 +306,28 @@ function mapIssueDetail(issue, baseUrl) {
     ? issue.fields.comment.comments.map(mapComment).sort(compareCommentsByCreated)
     : [];
 
+  // The detail fetch uses fields=*all, so existing attachments are already in
+  // the payload — surface them so the intake/planning step can download and
+  // read documents that users attach to the issue (a frequent "tài liệu đã
+  // đính kèm" complaint where the bot ignored material already on the task).
+  const attachments = Array.isArray(issue.fields?.attachment) ? issue.fields.attachment.map(mapAttachment) : [];
+
   return {
     ...mapIssue(issue, baseUrl),
     descriptionText: adfToText(issue.fields?.description).trim(),
-    comments
+    comments,
+    attachments
+  };
+}
+
+function mapAttachment(attachment) {
+  return {
+    id: attachment?.id ?? null,
+    filename: attachment?.filename ?? "",
+    mimeType: attachment?.mimeType ?? "",
+    size: attachment?.size ?? null,
+    url: attachment?.content ?? null,
+    created: attachment?.created ?? null
   };
 }
 

package/src/memory.js

@@ -263,6 +263,7 @@ function normalizeIssueMemoryData(data) {
   normalized.last_jira_memory_comment_id = String(normalized.last_jira_memory_comment_id ?? "").trim();
   normalized.code_change_verdict = String(normalized.code_change_verdict ?? "").trim();
   normalized.code_change_input_id = String(normalized.code_change_input_id ?? "").trim();
+  normalized.no_code_locked = Boolean(normalized.no_code_locked);
   delete normalized.github_issue_url;
   delete normalized.github_issue_number;
   delete normalized.latest_processed_comment_id;

package/src/worker/jira-helpers.js

@@ -185,11 +185,51 @@ export function shouldDisplayIssueInState(issue) {
   });
 }
 
+// Matches an explicit "no code" declaration in any of: "no code", "no_code",
+// "no-code", "nocode" (case-insensitive). Users add this to tell the bot a task
+// is documentation/estimate only and must NOT create a repo issue or push code.
+const NO_CODE_MARKER = /\bno[\s_-]?code\b/iu;
+
+// Deterministic no-code detection from explicit user signals, so the verdict no
+// longer depends on the LLM guessing (which flipped to "code" and made users
+// repeat "task no code" on every comment). Checks an explicit Jira label, the
+// description, and the latest human comment.
+export function detectNoCodeMarker(detail, botUser, jira) {
+  if (!detail) {
+    return false;
+  }
+
+  const labels = Array.isArray(detail.labels) ? detail.labels : [];
+  if (labels.some((label) => /^no[\s_-]?code$/iu.test(String(label || "").trim()))) {
+    return true;
+  }
+
+  if (NO_CODE_MARKER.test(String(detail.descriptionText || ""))) {
+    return true;
+  }
+
+  const latestHumanComment = [...(Array.isArray(detail.comments) ? detail.comments : [])]
+    .filter((comment) => !String(comment?.bodyText || "").startsWith(PROGRESS_COMMENT_PREFIX))
+    .sort(compareCommentsNewestFirst)
+    .find((comment) => (botUser ? !jira.isBotAuthor(comment.author, botUser) : true));
+
+  return Boolean(latestHumanComment && NO_CODE_MARKER.test(String(latestHumanComment.bodyText || "")));
+}
+
 export function shouldReuseNoCodeDecision({ issueMemory, latestInputId }) {
+  const noGithubIssues = !Array.isArray(issueMemory?.github_issues) || issueMemory.github_issues.length === 0;
+
+  // Once an explicit no-code marker has locked the issue, keep the no-code
+  // verdict sticky across subsequent comments (new input ids) so a follow-up
+  // that does not repeat "no code" is not re-evaluated back into a code task.
+  if (issueMemory?.no_code_locked && noGithubIssues) {
+    return true;
+  }
+
   return (
     issueMemory?.code_change_verdict === "no_code" &&
     issueMemory?.code_change_input_id === latestInputId &&
-    (!Array.isArray(issueMemory?.github_issues) || issueMemory.github_issues.length === 0)
+    noGithubIssues
   );
 }
 

package/src/worker/jira-issue-workflow.js

@@ -22,6 +22,7 @@ import {
   cleanupJiraProgressComments,
   deriveRawTaskRepos,
   deriveTaskRepos,
+  detectNoCodeMarker,
   ensureJiraComment,
   getLatestBlockedTaskRestartComment,
   getLatestClarificationInput,
@@ -632,7 +633,18 @@ export async function processJiraIssue({
       issueMemory,
       latestInputId: latestInput.id
     });
-    if (shouldReusePreservedNoCodeDecision) {
+    if (detectNoCodeMarker(detail, botUser, jira)) {
+      // Explicit user signal ("task no code" / no-code label) overrides the
+      // LLM verdict and locks the issue so later comments stay no-code. This
+      // stops the bot from re-deciding "code" and creating a repo issue, which
+      // forced users to repeat "task no code" on every comment.
+      decisionResult = { verdict: "no_code" };
+      issueMemory.no_code_locked = true;
+      await logger.info("Explicit no-code marker detected; forcing no_code verdict", {
+        issue: detail.key,
+        input: latestInput.id
+      });
+    } else if (shouldReusePreservedNoCodeDecision) {
       decisionResult = { verdict: "no_code" };
       await logger.info("Reusing preserved no-code decision", {
         issue: detail.key,