draft-board 0.1.0-beta.0

package/app/backend/.env.example

@@ -0,0 +1,9 @@
+# Backend environment variables
+APP_ENV=development
+DATABASE_URL=sqlite:///./kanban.db
+FRONTEND_URL=http://localhost:5173
+
+# LLM API keys (at least one needed for ticket generation / planner)
+# ANTHROPIC_API_KEY=sk-ant-...
+# OPENAI_API_KEY=sk-...
+# AWS credentials auto-detected for Bedrock

package/app/backend/.smartkanban/evidence/8b383839-cbec-45af-86ee-c7708d075cbe/bddf2ed5-2e21-4d46-a62b-10b87f1642a6_patch.txt

@@ -0,0 +1,195 @@
+diff --git a/package.json b/package.json
+index 1a2b3c4..5d6e7f8 100644
+--- a/package.json
++++ b/package.json
+@@ -10,7 +10,9 @@
+   "dependencies": {
+     "express": "^4.18.2",
+     "better-sqlite3": "^9.4.3",
+-    "cors": "^2.8.5"
++    "cors": "^2.8.5",
++    "jsonwebtoken": "^9.0.2",
++    "bcryptjs": "^2.4.3"
+   },
+   "devDependencies": {
+     "jest": "^29.7.0",
+diff --git a/src/models/db.js b/src/models/db.js
+index 2b3c4d5..8e9f0a1 100644
+--- a/src/models/db.js
++++ b/src/models/db.js
+@@ -8,6 +8,16 @@ db.exec(`
+   )
+ `);
+
++db.exec(`
++  CREATE TABLE IF NOT EXISTS users (
++    id INTEGER PRIMARY KEY AUTOINCREMENT,
++    username TEXT UNIQUE NOT NULL,
++    password TEXT NOT NULL,
++    email TEXT,
++    created_at DATETIME DEFAULT CURRENT_TIMESTAMP
++  )
++`);
++
+ module.exports = db;
+diff --git a/src/middleware/auth.js b/src/middleware/auth.js
+new file mode 100644
+index 0000000..3f4a5b6
+--- /dev/null
++++ b/src/middleware/auth.js
+@@ -0,0 +1,45 @@
++const jwt = require("jsonwebtoken");
++
++const JWT_SECRET = process.env.JWT_SECRET || "dev-secret-key";
++
++function authenticateToken(req, res, next) {
++  const authHeader = req.headers["authorization"];
++  const token = authHeader && authHeader.split(" ")[1];
++
++  if (!token) {
++    return res.status(401).json({ error: "Access token required" });
++  }
++
++  try {
++    const decoded = jwt.verify(token, JWT_SECRET);
++    req.user = decoded;
++    next();
++  } catch (err) {
++    return res.status(401).json({ error: "Invalid or expired token" });
++  }
++}
++
++function generateToken(user) {
++  return jwt.sign(
++    { id: user.id, username: user.username },
++    JWT_SECRET,
++    { expiresIn: "24h" }
++  );
++}
++
++function hashPassword(password) {
++  const bcrypt = require("bcryptjs");
++  return bcrypt.hashSync(password, 10);
++}
++
++function comparePassword(password, hash) {
++  const bcrypt = require("bcryptjs");
++  return bcrypt.compareSync(password, hash);
++}
++
++module.exports = {
++  authenticateToken,
++  generateToken,
++  hashPassword,
++  comparePassword,
++  JWT_SECRET
++};
+diff --git a/src/routes/auth.js b/src/routes/auth.js
+new file mode 100644
+index 0000000..7c8d9e0
+--- /dev/null
++++ b/src/routes/auth.js
+@@ -0,0 +1,78 @@
++const express = require("express");
++const router = express.Router();
++const db = require("../models/db");
++const { generateToken, hashPassword, comparePassword } = require("../middleware/auth");
++
++// POST /api/auth/register
++router.post("/register", (req, res) => {
++  const { username, password, email } = req.body;
++
++  if (!username || !password) {
++    return res.status(400).json({ error: "Username and password are required" });
++  }
++
++  if (password.length < 6) {
++    return res.status(400).json({ error: "Password must be at least 6 characters" });
++  }
++
++  try {
++    const existing = db.prepare("SELECT id FROM users WHERE username = ?").get(username);
++    if (existing) {
++      return res.status(409).json({ error: "Username already exists" });
++    }
++
++    const hashedPassword = hashPassword(password);
++    const result = db.prepare(
++      "INSERT INTO users (username, password, email) VALUES (?, ?, ?)"
++    ).run(username, hashedPassword, email || null);
++
++    const user = { id: result.lastInsertRowid, username };
++    const token = generateToken(user);
++
++    res.status(201).json({ user: { id: user.id, username }, token });
++  } catch (err) {
++    res.status(500).json({ error: "Registration failed" });
++  }
++});
++
++// POST /api/auth/login
++router.post("/login", (req, res) => {
++  const { username, password } = req.body;
++
++  if (!username || !password) {
++    return res.status(400).json({ error: "Username and password are required" });
++  }
++
++  try {
++    const user = db.prepare("SELECT * FROM users WHERE username = ?").get(username);
++
++    if (!user) {
++      return res.status(401).json({ error: "Invalid credentials" });
++    }
++
++    if (!comparePassword(password, user.password)) {
++      return res.status(401).json({ error: "Invalid credentials" });
++    }
++
++    const token = generateToken({ id: user.id, username: user.username });
++    res.json({ user: { id: user.id, username: user.username }, token });
++  } catch (err) {
++    res.status(500).json({ error: "Login failed" });
++  }
++});
++
++// GET /api/auth/me - Get current user
++router.get("/me", (req, res) => {
++  if (!req.user) {
++    return res.status(401).json({ error: "Not authenticated" });
++  }
++
++  const user = db.prepare("SELECT id, username, email, created_at FROM users WHERE id = ?").get(req.user.id);
++  if (!user) {
++    return res.status(404).json({ error: "User not found" });
++  }
++
++  res.json({ user });
++});
++
++module.exports = router;
+diff --git a/src/index.js b/src/index.js
+index 4d5e6f7..9a0b1c2 100644
+--- a/src/index.js
++++ b/src/index.js
+@@ -2,6 +2,8 @@ const express = require("express");
+ const cors = require("cors");
+ const taskRoutes = require("./routes/tasks");
+ const projectRoutes = require("./routes/projects");
++const authRoutes = require("./routes/auth");
++const { authenticateToken } = require("./middleware/auth");
+ const { errorHandler } = require("./middleware/errorHandler");
+
+ const app = express();
+@@ -12,8 +14,10 @@ app.use(express.json());
+
+ app.get("/health", (req, res) => res.json({ status: "ok" }));
+
+-app.use("/api/tasks", taskRoutes);
+-app.use("/api/projects", projectRoutes);
++app.use("/api/auth", authRoutes);
++
++app.use("/api/tasks", authenticateToken, taskRoutes);
++app.use("/api/projects", authenticateToken, projectRoutes);
+
+ app.use(errorHandler);

package/app/backend/.smartkanban/evidence/8b383839-cbec-45af-86ee-c7708d075cbe/bddf2ed5-2e21-4d46-a62b-10b87f1642a6_stat.txt

@@ -0,0 +1,6 @@
+ src/middleware/auth.js | 45 +++++++++++++++++++++++++++++++++++++++++++++
+ src/routes/auth.js    | 78 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ src/models/db.js      | 12 ++++++++++--
+ src/index.js          |  8 ++++++--
+ package.json          |  4 +++-
+ 5 files changed, 142 insertions(+), 5 deletions(-)

package/app/backend/CURL_EXAMPLES.md

@@ -0,0 +1,335 @@
+# Draft API - Example curl Commands
+
+This document provides example curl commands to interact with the Draft API.
+
+## Prerequisites
+
+Start the backend server:
+
+```bash
+cd backend
+source venv/bin/activate
+uvicorn app.main:app --reload
+```
+
+The API will be available at `http://localhost:8000`.
+
+## Health Check
+
+```bash
+curl http://localhost:8000/health
+```
+
+Expected response:
+```json
+{"status": "ok"}
+```
+
+## Goals
+
+### Create a Goal
+
+```bash
+curl -X POST http://localhost:8000/goals \
+  -H "Content-Type: application/json" \
+  -d '{
+    "title": "Implement User Authentication",
+    "description": "Add login, registration, and session management to the application"
+  }'
+```
+
+Expected response:
+```json
+{
+  "id": "550e8400-e29b-41d4-a716-446655440000",
+  "title": "Implement User Authentication",
+  "description": "Add login, registration, and session management to the application",
+  "created_at": "2026-01-05T10:00:00",
+  "updated_at": "2026-01-05T10:00:00"
+}
+```
+
+### List All Goals
+
+```bash
+curl http://localhost:8000/goals
+```
+
+Expected response:
+```json
+{
+  "goals": [
+    {
+      "id": "550e8400-e29b-41d4-a716-446655440000",
+      "title": "Implement User Authentication",
+      "description": "Add login, registration, and session management to the application",
+      "created_at": "2026-01-05T10:00:00",
+      "updated_at": "2026-01-05T10:00:00"
+    }
+  ],
+  "total": 1
+}
+```
+
+### Get a Single Goal
+
+```bash
+curl http://localhost:8000/goals/{goal_id}
+```
+
+Replace `{goal_id}` with the actual goal UUID.
+
+## Tickets
+
+### Create a Ticket
+
+```bash
+curl -X POST http://localhost:8000/tickets \
+  -H "Content-Type: application/json" \
+  -d '{
+    "goal_id": "550e8400-e29b-41d4-a716-446655440000",
+    "title": "Design login form UI",
+    "description": "Create a responsive login form with email and password fields",
+    "priority": 80,
+    "actor_type": "human",
+    "actor_id": "user-123"
+  }'
+```
+
+Expected response:
+```json
+{
+  "id": "660e8400-e29b-41d4-a716-446655440001",
+  "goal_id": "550e8400-e29b-41d4-a716-446655440000",
+  "title": "Design login form UI",
+  "description": "Create a responsive login form with email and password fields",
+  "state": "proposed",
+  "priority": 80,
+  "created_at": "2026-01-05T10:05:00",
+  "updated_at": "2026-01-05T10:05:00"
+}
+```
+
+### Get a Ticket
+
+```bash
+curl http://localhost:8000/tickets/{ticket_id}
+```
+
+Replace `{ticket_id}` with the actual ticket UUID.
+
+### Transition a Ticket (Valid)
+
+Move from `proposed` to `planned`:
+
+```bash
+curl -X POST http://localhost:8000/tickets/{ticket_id}/transition \
+  -H "Content-Type: application/json" \
+  -d '{
+    "to_state": "planned",
+    "actor_type": "planner",
+    "actor_id": "ai-planner-1",
+    "reason": "Task has been reviewed and broken down"
+  }'
+```
+
+Expected response (ticket with updated state):
+```json
+{
+  "id": "660e8400-e29b-41d4-a716-446655440001",
+  "goal_id": "550e8400-e29b-41d4-a716-446655440000",
+  "title": "Design login form UI",
+  "description": "Create a responsive login form with email and password fields",
+  "state": "planned",
+  "priority": 80,
+  "created_at": "2026-01-05T10:05:00",
+  "updated_at": "2026-01-05T10:10:00"
+}
+```
+
+### Complete Workflow: proposed → planned → executing → verifying → done
+
+```bash
+# Start executing (planned → executing)
+curl -X POST http://localhost:8000/tickets/{ticket_id}/transition \
+  -H "Content-Type: application/json" \
+  -d '{
+    "to_state": "executing",
+    "actor_type": "executor",
+    "actor_id": "ai-executor-1",
+    "reason": "Starting implementation"
+  }'
+
+# Submit for verification (executing → verifying)
+curl -X POST http://localhost:8000/tickets/{ticket_id}/transition \
+  -H "Content-Type: application/json" \
+  -d '{
+    "to_state": "verifying",
+    "actor_type": "executor",
+    "actor_id": "ai-executor-1",
+    "reason": "Implementation complete, ready for review"
+  }'
+
+# Mark as done (verifying → done)
+curl -X POST http://localhost:8000/tickets/{ticket_id}/transition \
+  -H "Content-Type: application/json" \
+  -d '{
+    "to_state": "done",
+    "actor_type": "human",
+    "actor_id": "user-123",
+    "reason": "Verified and approved"
+  }'
+```
+
+### Transition a Ticket (Invalid - Should Fail)
+
+Try to go directly from `proposed` to `done`:
+
+```bash
+curl -X POST http://localhost:8000/tickets/{ticket_id}/transition \
+  -H "Content-Type: application/json" \
+  -d '{
+    "to_state": "done",
+    "actor_type": "human",
+    "actor_id": "user-123",
+    "reason": "Trying to skip states"
+  }'
+```
+
+Expected error response (HTTP 400):
+```json
+{
+  "detail": "Invalid transition from 'proposed' to 'done'",
+  "error_type": "invalid_state_transition",
+  "from_state": "proposed",
+  "to_state": "done"
+}
+```
+
+### Get Ticket Events (Audit Log)
+
+```bash
+curl http://localhost:8000/tickets/{ticket_id}/events
+```
+
+Expected response:
+```json
+{
+  "events": [
+    {
+      "id": "770e8400-e29b-41d4-a716-446655440001",
+      "ticket_id": "660e8400-e29b-41d4-a716-446655440001",
+      "event_type": "created",
+      "from_state": null,
+      "to_state": "proposed",
+      "actor_type": "human",
+      "actor_id": "user-123",
+      "reason": "Ticket created",
+      "payload": {
+        "title": "Design login form UI",
+        "description": "Create a responsive login form with email and password fields",
+        "goal_id": "550e8400-e29b-41d4-a716-446655440000",
+        "priority": 80
+      },
+      "created_at": "2026-01-05T10:05:00"
+    },
+    {
+      "id": "770e8400-e29b-41d4-a716-446655440002",
+      "ticket_id": "660e8400-e29b-41d4-a716-446655440001",
+      "event_type": "transitioned",
+      "from_state": "proposed",
+      "to_state": "planned",
+      "actor_type": "planner",
+      "actor_id": "ai-planner-1",
+      "reason": "Task has been reviewed and broken down",
+      "payload": null,
+      "created_at": "2026-01-05T10:10:00"
+    }
+  ],
+  "total": 2
+}
+```
+
+## Board View
+
+### Get Board (All Tickets Grouped by State)
+
+```bash
+curl http://localhost:8000/board
+```
+
+Expected response:
+```json
+{
+  "columns": [
+    {
+      "state": "proposed",
+      "tickets": []
+    },
+    {
+      "state": "planned",
+      "tickets": [
+        {
+          "id": "660e8400-e29b-41d4-a716-446655440001",
+          "goal_id": "550e8400-e29b-41d4-a716-446655440000",
+          "title": "Design login form UI",
+          "description": "Create a responsive login form",
+          "state": "planned",
+          "priority": 80,
+          "created_at": "2026-01-05T10:05:00",
+          "updated_at": "2026-01-05T10:10:00"
+        }
+      ]
+    },
+    {
+      "state": "executing",
+      "tickets": []
+    },
+    {
+      "state": "verifying",
+      "tickets": []
+    },
+    {
+      "state": "needs_human",
+      "tickets": []
+    },
+    {
+      "state": "blocked",
+      "tickets": []
+    },
+    {
+      "state": "done",
+      "tickets": []
+    },
+    {
+      "state": "abandoned",
+      "tickets": []
+    }
+  ],
+  "total_tickets": 1
+}
+```
+
+## State Machine Reference
+
+### Valid State Transitions
+
+| From State    | Valid Next States                        |
+|---------------|------------------------------------------|
+| proposed      | planned, abandoned                       |
+| planned       | executing, blocked, abandoned            |
+| executing     | verifying, needs_human, blocked          |
+| verifying     | done, executing, needs_human             |
+| needs_human   | executing, planned, abandoned            |
+| blocked       | planned, abandoned                       |
+| done          | (terminal state - no transitions)        |
+| abandoned     | (terminal state - no transitions)        |
+
+### Actor Types
+
+- `human` - Human user action
+- `planner` - AI planner agent
+- `executor` - AI executor agent
+- `system` - Automated system action
+
+

package/app/backend/ENV_SETUP.md

@@ -0,0 +1,65 @@
+# Environment Variables Setup
+
+## AWS Bedrock Configuration
+
+To use AWS Bedrock models with the Draft planner, add these variables to your `.env` file in the `backend/` directory:
+
+```bash
+# Required AWS Credentials
+AWS_ACCESS_KEY_ID=your-access-key-id-here
+AWS_SECRET_ACCESS_KEY=your-secret-access-key-here
+AWS_REGION_NAME=us-east-1
+```
+
+### Notes:
+
+1. **Model Configuration**: The model is configured in `draft.yaml`:
+   ```yaml
+   planner_config:
+     model: "bedrock/anthropic.claude-sonnet-4-5-20250929-v1:0"
+   ```
+
+2. **AWS Region**: Make sure your `AWS_REGION_NAME` matches where your Bedrock model is available. Common regions:
+   - `us-east-1` (N. Virginia)
+   - `us-west-2` (Oregon)
+   - Check AWS Bedrock documentation for model availability by region
+
+3. **Bedrock Access**: Ensure your AWS account has:
+   - AWS Bedrock enabled
+   - Model access requested and approved for Claude Sonnet 4.5
+   - IAM permissions for `bedrock:InvokeModel`
+
+4. **Alternative: AWS Profile**: Instead of access keys, you can use an AWS CLI profile:
+   ```bash
+   AWS_PROFILE=your-profile-name
+   AWS_REGION_NAME=us-east-1
+   ```
+
+## Other Environment Variables
+
+```bash
+# Frontend URL for CORS (optional, defaults to http://localhost:5173)
+FRONTEND_URL=http://localhost:5173
+
+# Git repository path (optional, defaults to current directory)
+GIT_REPO_PATH=/path/to/your/repo
+
+# Database URL (optional, defaults to sqlite:///kanban.db)
+DATABASE_URL=sqlite:///kanban.db
+```
+
+## Testing the Configuration
+
+1. Make sure your `.env` file is in the `backend/` directory
+2. Restart the backend server to load the new environment variables
+3. Trigger a planner action (like proposing follow-ups for a blocked ticket) to test the LLM connection
+4. Check the logs for any AWS authentication or model access errors
+
+## Troubleshooting
+
+- **Authentication errors**: Verify your AWS credentials are correct
+- **Model not found**: Check if the model ID is correct and available in your region
+- **Access denied**: Ensure your IAM user/role has Bedrock permissions
+- **Region mismatch**: Verify the model is available in your configured region
+
+

package/app/backend/alembic/env.py

@@ -0,0 +1,71 @@
+"""Alembic environment configuration for Draft."""
+
+from logging.config import fileConfig
+
+from sqlalchemy import engine_from_config, pool
+
+from alembic import context
+
+# Import models to ensure they are registered with SQLAlchemy
+from app.models import Base  # noqa: F401
+
+# this is the Alembic Config object, which provides
+# access to the values within the .ini file in use.
+config = context.config
+
+# Interpret the config file for Python logging.
+# This line sets up loggers basically.
+if config.config_file_name is not None:
+    fileConfig(config.config_file_name)
+
+# add your model's MetaData object here
+# for 'autogenerate' support
+target_metadata = Base.metadata
+
+
+def run_migrations_offline() -> None:
+    """Run migrations in 'offline' mode.
+
+    This configures the context with just a URL
+    and not an Engine, though an Engine is acceptable
+    here as well.  By skipping the Engine creation
+    we don't even need a DBAPI to be available.
+
+    Calls to context.execute() here emit the given string to the
+    script output.
+    """
+    url = config.get_main_option("sqlalchemy.url")
+    context.configure(
+        url=url,
+        target_metadata=target_metadata,
+        literal_binds=True,
+        dialect_opts={"paramstyle": "named"},
+    )
+
+    with context.begin_transaction():
+        context.run_migrations()
+
+
+def run_migrations_online() -> None:
+    """Run migrations in 'online' mode.
+
+    In this scenario we need to create an Engine
+    and associate a connection with the context.
+    """
+    connectable = engine_from_config(
+        config.get_section(config.config_ini_section, {}),
+        prefix="sqlalchemy.",
+        poolclass=pool.NullPool,
+    )
+
+    with connectable.connect() as connection:
+        context.configure(connection=connection, target_metadata=target_metadata)
+
+        with context.begin_transaction():
+            context.run_migrations()
+
+
+if context.is_offline_mode():
+    run_migrations_offline()
+else:
+    run_migrations_online()