npm - draft-board - Versions diffs - 0.1.0-beta.0 - Mend

draft-board 0.1.0-beta.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (250) hide show

package/app/backend/.env.example +9 -0
package/app/backend/.smartkanban/evidence/8b383839-cbec-45af-86ee-c7708d075cbe/bddf2ed5-2e21-4d46-a62b-10b87f1642a6_patch.txt +195 -0
package/app/backend/.smartkanban/evidence/8b383839-cbec-45af-86ee-c7708d075cbe/bddf2ed5-2e21-4d46-a62b-10b87f1642a6_stat.txt +6 -0
package/app/backend/CURL_EXAMPLES.md +335 -0
package/app/backend/ENV_SETUP.md +65 -0
package/app/backend/alembic/env.py +71 -0
package/app/backend/alembic/script.py.mako +28 -0
package/app/backend/alembic/versions/001_initial_schema.py +104 -0
package/app/backend/alembic/versions/002_add_jobs_table.py +52 -0
package/app/backend/alembic/versions/003_add_workspace_table.py +48 -0
package/app/backend/alembic/versions/004_add_evidence_table.py +56 -0
package/app/backend/alembic/versions/005_add_verification_commands.py +32 -0
package/app/backend/alembic/versions/006_add_planner_lock_table.py +39 -0
package/app/backend/alembic/versions/007_add_revision_review_tables.py +126 -0
package/app/backend/alembic/versions/008_add_revision_idempotency_and_traceability.py +52 -0
package/app/backend/alembic/versions/009_add_job_health_fields.py +46 -0
package/app/backend/alembic/versions/010_add_review_comment_line_content.py +36 -0
package/app/backend/alembic/versions/011_add_analysis_cache.py +47 -0
package/app/backend/alembic/versions/012_add_boards_table.py +102 -0
package/app/backend/alembic/versions/013_add_ticket_blocking.py +45 -0
package/app/backend/alembic/versions/014_add_agent_sessions.py +220 -0
package/app/backend/alembic/versions/015_add_ticket_sort_order.py +33 -0
package/app/backend/alembic/versions/03220f0b93ae_add_pr_fields_to_ticket.py +49 -0
package/app/backend/alembic/versions/0c2d89fff3b1_seed_board_configs_from_yaml.py +206 -0
package/app/backend/alembic/versions/3348e5cf54c1_add_merge_checklist_table.py +67 -0
package/app/backend/alembic/versions/357c780ee445_add_goal_status.py +34 -0
package/app/backend/alembic/versions/553340b7e26c_add_autonomy_fields_to_goal.py +65 -0
package/app/backend/alembic/versions/774dc335c679_merge_migration_heads.py +23 -0
package/app/backend/alembic/versions/7b307e847cbd_merge_heads.py +23 -0
package/app/backend/alembic/versions/82ecd978cc70_add_missing_indexes.py +48 -0
package/app/backend/alembic/versions/8ef5054dc280_add_normalized_log_entries.py +173 -0
package/app/backend/alembic/versions/8f3e2bd8ea3b_merge_migration_heads.py +23 -0
package/app/backend/alembic/versions/9d17f0698d3b_add_config_column_to_boards_table.py +30 -0
package/app/backend/alembic/versions/add_agent_conversation_history.py +72 -0
package/app/backend/alembic/versions/add_job_variant.py +34 -0
package/app/backend/alembic/versions/add_performance_indexes.py +95 -0
package/app/backend/alembic/versions/add_repos_and_board_repos.py +174 -0
package/app/backend/alembic/versions/add_session_id_to_jobs.py +27 -0
package/app/backend/alembic/versions/add_sqlite_backend_tables.py +104 -0
package/app/backend/alembic/versions/b10fb0b62240_add_diff_content_to_revisions.py +34 -0
package/app/backend/alembic.ini +89 -0
package/app/backend/app/__init__.py +3 -0
package/app/backend/app/data_dir.py +85 -0
package/app/backend/app/database.py +70 -0
package/app/backend/app/database_sync.py +64 -0
package/app/backend/app/dependencies/__init__.py +5 -0
package/app/backend/app/dependencies/auth.py +80 -0
package/app/backend/app/dependencies.py +43 -0
package/app/backend/app/exceptions.py +178 -0
package/app/backend/app/executors/__init__.py +1 -0
package/app/backend/app/executors/adapters/__init__.py +1 -0
package/app/backend/app/executors/adapters/aider.py +152 -0
package/app/backend/app/executors/adapters/amazon_q.py +103 -0
package/app/backend/app/executors/adapters/amp.py +123 -0
package/app/backend/app/executors/adapters/claude.py +177 -0
package/app/backend/app/executors/adapters/cline.py +127 -0
package/app/backend/app/executors/adapters/codex.py +167 -0
package/app/backend/app/executors/adapters/copilot.py +202 -0
package/app/backend/app/executors/adapters/cursor.py +87 -0
package/app/backend/app/executors/adapters/droid.py +123 -0
package/app/backend/app/executors/adapters/gemini.py +132 -0
package/app/backend/app/executors/adapters/goose.py +131 -0
package/app/backend/app/executors/adapters/opencode.py +123 -0
package/app/backend/app/executors/adapters/qwen.py +123 -0
package/app/backend/app/executors/plugins/__init__.py +1 -0
package/app/backend/app/executors/registry.py +202 -0
package/app/backend/app/executors/spec.py +226 -0
package/app/backend/app/main.py +486 -0
package/app/backend/app/middleware/__init__.py +13 -0
package/app/backend/app/middleware/idempotency.py +426 -0
package/app/backend/app/middleware/rate_limit.py +312 -0
package/app/backend/app/middleware/security_headers.py +43 -0
package/app/backend/app/middleware/timeout.py +37 -0
package/app/backend/app/models/__init__.py +56 -0
package/app/backend/app/models/agent_conversation_history.py +56 -0
package/app/backend/app/models/agent_session.py +127 -0
package/app/backend/app/models/analysis_cache.py +49 -0
package/app/backend/app/models/base.py +9 -0
package/app/backend/app/models/board.py +79 -0
package/app/backend/app/models/board_repo.py +68 -0
package/app/backend/app/models/cost_budget.py +42 -0
package/app/backend/app/models/enums.py +40 -0
package/app/backend/app/models/evidence.py +132 -0
package/app/backend/app/models/goal.py +102 -0
package/app/backend/app/models/idempotency_entry.py +30 -0
package/app/backend/app/models/job.py +163 -0
package/app/backend/app/models/job_queue.py +39 -0
package/app/backend/app/models/kv_store.py +28 -0
package/app/backend/app/models/merge_checklist.py +87 -0
package/app/backend/app/models/normalized_log.py +100 -0
package/app/backend/app/models/planner_lock.py +43 -0
package/app/backend/app/models/rate_limit_entry.py +25 -0
package/app/backend/app/models/repo.py +66 -0
package/app/backend/app/models/review_comment.py +91 -0
package/app/backend/app/models/review_summary.py +69 -0
package/app/backend/app/models/revision.py +130 -0
package/app/backend/app/models/ticket.py +223 -0
package/app/backend/app/models/ticket_event.py +83 -0
package/app/backend/app/models/user.py +47 -0
package/app/backend/app/models/workspace.py +71 -0
package/app/backend/app/redis_client.py +119 -0
package/app/backend/app/routers/__init__.py +29 -0
package/app/backend/app/routers/agents.py +296 -0
package/app/backend/app/routers/auth.py +94 -0
package/app/backend/app/routers/board.py +885 -0
package/app/backend/app/routers/dashboard.py +351 -0
package/app/backend/app/routers/debug.py +528 -0
package/app/backend/app/routers/evidence.py +96 -0
package/app/backend/app/routers/executors.py +324 -0
package/app/backend/app/routers/goals.py +574 -0
package/app/backend/app/routers/jobs.py +448 -0
package/app/backend/app/routers/maintenance.py +172 -0
package/app/backend/app/routers/merge.py +360 -0
package/app/backend/app/routers/planner.py +537 -0
package/app/backend/app/routers/pull_requests.py +382 -0
package/app/backend/app/routers/repos.py +263 -0
package/app/backend/app/routers/revisions.py +939 -0
package/app/backend/app/routers/settings.py +267 -0
package/app/backend/app/routers/tickets.py +2003 -0
package/app/backend/app/routers/webhooks.py +143 -0
package/app/backend/app/routers/websocket.py +249 -0
package/app/backend/app/schemas/__init__.py +109 -0
package/app/backend/app/schemas/board.py +87 -0
package/app/backend/app/schemas/common.py +33 -0
package/app/backend/app/schemas/evidence.py +87 -0
package/app/backend/app/schemas/goal.py +90 -0
package/app/backend/app/schemas/job.py +97 -0
package/app/backend/app/schemas/merge.py +139 -0
package/app/backend/app/schemas/planner.py +500 -0
package/app/backend/app/schemas/repo.py +187 -0
package/app/backend/app/schemas/review.py +137 -0
package/app/backend/app/schemas/revision.py +114 -0
package/app/backend/app/schemas/ticket.py +238 -0
package/app/backend/app/schemas/ticket_event.py +72 -0
package/app/backend/app/schemas/workspace.py +19 -0
package/app/backend/app/services/__init__.py +31 -0
package/app/backend/app/services/agent_memory_service.py +223 -0
package/app/backend/app/services/agent_registry.py +346 -0
package/app/backend/app/services/agent_session_manager.py +318 -0
package/app/backend/app/services/agent_session_service.py +219 -0
package/app/backend/app/services/agent_tools.py +379 -0
package/app/backend/app/services/auth_service.py +98 -0
package/app/backend/app/services/autonomy_service.py +380 -0
package/app/backend/app/services/board_repo_service.py +201 -0
package/app/backend/app/services/board_service.py +326 -0
package/app/backend/app/services/cleanup_service.py +1085 -0
package/app/backend/app/services/config_service.py +908 -0
package/app/backend/app/services/context_gatherer.py +557 -0
package/app/backend/app/services/cost_tracking_service.py +293 -0
package/app/backend/app/services/cursor_log_normalizer.py +536 -0
package/app/backend/app/services/delivery_pipeline.py +440 -0
package/app/backend/app/services/executor_service.py +634 -0
package/app/backend/app/services/git_host/__init__.py +11 -0
package/app/backend/app/services/git_host/factory.py +87 -0
package/app/backend/app/services/git_host/github.py +270 -0
package/app/backend/app/services/git_host/gitlab.py +194 -0
package/app/backend/app/services/git_host/protocol.py +75 -0
package/app/backend/app/services/git_merge_simple.py +346 -0
package/app/backend/app/services/git_ops.py +384 -0
package/app/backend/app/services/github_service.py +233 -0
package/app/backend/app/services/goal_service.py +113 -0
package/app/backend/app/services/job_service.py +423 -0
package/app/backend/app/services/job_watchdog_service.py +424 -0
package/app/backend/app/services/langchain_adapter.py +122 -0
package/app/backend/app/services/llm_provider_clients.py +351 -0
package/app/backend/app/services/llm_service.py +285 -0
package/app/backend/app/services/log_normalizer.py +342 -0
package/app/backend/app/services/log_stream_service.py +276 -0
package/app/backend/app/services/merge_checklist_service.py +264 -0
package/app/backend/app/services/merge_service.py +784 -0
package/app/backend/app/services/orchestrator_log.py +84 -0
package/app/backend/app/services/planner_service.py +1662 -0
package/app/backend/app/services/planner_tick_sync.py +1040 -0
package/app/backend/app/services/queued_message_service.py +156 -0
package/app/backend/app/services/reliability_wrapper.py +389 -0
package/app/backend/app/services/repo_discovery_service.py +318 -0
package/app/backend/app/services/review_service.py +334 -0
package/app/backend/app/services/revision_service.py +389 -0
package/app/backend/app/services/safe_autopilot.py +510 -0
package/app/backend/app/services/sqlite_worker.py +372 -0
package/app/backend/app/services/task_dispatch.py +135 -0
package/app/backend/app/services/ticket_generation_service.py +1781 -0
package/app/backend/app/services/ticket_service.py +486 -0
package/app/backend/app/services/udar_planner_service.py +1007 -0
package/app/backend/app/services/webhook_service.py +126 -0
package/app/backend/app/services/workspace_service.py +465 -0
package/app/backend/app/services/worktree_file_service.py +92 -0
package/app/backend/app/services/worktree_validator.py +213 -0
package/app/backend/app/sqlite_kv.py +278 -0
package/app/backend/app/state_machine.py +128 -0
package/app/backend/app/templates/__init__.py +5 -0
package/app/backend/app/templates/registry.py +243 -0
package/app/backend/app/utils/__init__.py +5 -0
package/app/backend/app/utils/artifact_reader.py +87 -0
package/app/backend/app/utils/circuit_breaker.py +229 -0
package/app/backend/app/utils/db_retry.py +136 -0
package/app/backend/app/utils/ignored_fields.py +123 -0
package/app/backend/app/utils/validators.py +54 -0
package/app/backend/app/websocket/__init__.py +5 -0
package/app/backend/app/websocket/manager.py +179 -0
package/app/backend/app/websocket/state_tracker.py +113 -0
package/app/backend/app/worker.py +3190 -0
package/app/backend/calculator_tickets.json +40 -0
package/app/backend/canary_tests.sh +591 -0
package/app/backend/celerybeat-schedule +0 -0
package/app/backend/celerybeat-schedule-shm +0 -0
package/app/backend/celerybeat-schedule-wal +0 -0
package/app/backend/logs/.gitkeep +3 -0
package/app/backend/multiplication_division_implementation_tickets.json +55 -0
package/app/backend/multiplication_division_tickets.json +42 -0
package/app/backend/pyproject.toml +45 -0
package/app/backend/requirements-dev.txt +8 -0
package/app/backend/requirements.txt +20 -0
package/app/backend/run.sh +30 -0
package/app/backend/run_with_logs.sh +10 -0
package/app/backend/scientific_calculator_tickets.json +40 -0
package/app/backend/scripts/extract_openapi.py +21 -0
package/app/backend/scripts/seed_demo.py +187 -0
package/app/backend/setup_demo_review.py +302 -0
package/app/backend/test_actual_parse.py +41 -0
package/app/backend/test_agent_streaming.py +61 -0
package/app/backend/test_parse.py +51 -0
package/app/backend/test_streaming.py +51 -0
package/app/backend/test_subprocess_streaming.py +50 -0
package/app/backend/tests/__init__.py +1 -0
package/app/backend/tests/conftest.py +46 -0
package/app/backend/tests/test_auth.py +341 -0
package/app/backend/tests/test_autonomy_service.py +391 -0
package/app/backend/tests/test_cleanup_service_safety.py +417 -0
package/app/backend/tests/test_middleware.py +279 -0
package/app/backend/tests/test_planner_providers.py +290 -0
package/app/backend/tests/test_planner_unblock.py +183 -0
package/app/backend/tests/test_revision_invariants.py +618 -0
package/app/backend/tests/test_sqlite_kv.py +290 -0
package/app/backend/tests/test_sqlite_worker.py +353 -0
package/app/backend/tests/test_task_dispatch.py +100 -0
package/app/backend/tests/test_ticket_validation.py +304 -0
package/app/backend/tests/test_udar_agent.py +693 -0
package/app/backend/tests/test_webhook_service.py +184 -0
package/app/backend/tickets_output.json +59 -0
package/app/backend/user_management_tickets.json +50 -0
package/app/backend/uvicorn.log +0 -0
package/app/draft.yaml +313 -0
package/app/frontend/dist/assets/index-LcjCczu5.js +155 -0
package/app/frontend/dist/assets/index-_FP_279e.css +1 -0
package/app/frontend/dist/index.html +14 -0
package/app/frontend/dist/vite.svg +1 -0
package/app/frontend/package.json +101 -0
package/bin/cli.js +527 -0
package/package.json +37 -0

package/app/backend/app/services/board_service.py ADDED Viewed

@@ -0,0 +1,326 @@
+"""Service for Board operations and authorization.
+CRITICAL: Board is the primary permission boundary.
+- All goals, tickets, jobs, workspaces belong to a board
+- All filesystem operations use board.repo_root (NEVER global config)
+- All mutating endpoints must validate board_id ownership
+"""
+import uuid
+from pathlib import Path
+from sqlalchemy import select
+from sqlalchemy.ext.asyncio import AsyncSession
+from app.models import Board, Goal, Job, Ticket, Workspace
+from app.schemas.board import BoardCreate, BoardUpdate
+class BoardService:
+    """Service for managing boards and enforcing board boundaries."""
+    def __init__(self, db: AsyncSession):
+        self.db = db
+    @staticmethod
+    def get_default_board_config() -> dict:
+        """Get full default configuration for new boards.
+        Returns a complete DraftConfig as a dict so that the DB
+        is the single source of truth (no YAML needed at runtime).
+        Key defaults:
+        - executor_model: "sonnet-4.5" (fast and cost-effective)
+        - timeout: 300 (5 minutes, reasonable for most tasks)
+        """
+        from app.services.config_service import DraftConfig
+        config = DraftConfig()
+        full = config.to_dict()
+        # Override with our preferred defaults
+        full["execute_config"]["executor_model"] = "sonnet-4.5"
+        full["execute_config"]["timeout"] = 300
+        return full
+    async def create_board(
+        self, data: BoardCreate, owner_id: str | None = None
+    ) -> Board:
+        """Create a new board with sensible default configuration.
+        CRITICAL: repo_root becomes the authoritative path for all
+        filesystem operations on this board.
+        The board is initialized with default config to prevent falling back
+        to YAML config which may have non-optimal defaults (e.g., "auto" model).
+        If template_id is provided, applies template configuration and creates
+        starter goals (unless create_starter_goals=False).
+        """
+        # Validate repo_root exists and is a git repo
+        repo_path = Path(data.repo_root).resolve()
+        if not repo_path.exists():
+            raise ValueError(f"repo_root does not exist: {data.repo_root}")
+        if not repo_path.is_dir():
+            raise ValueError(f"repo_root is not a directory: {data.repo_root}")
+        if not (repo_path / ".git").exists():
+            raise ValueError(f"repo_root is not a git repository: {data.repo_root}")
+        # Apply template config if template_id provided
+        board_config = self.get_default_board_config()
+        if data.template_id:
+            from app.templates import get_template
+            template = get_template(data.template_id)
+            if not template:
+                raise ValueError(f"Invalid template_id: {data.template_id}")
+            # Merge template config with defaults (template takes precedence)
+            if template.get("config"):
+                from app.services.config_service import deep_merge_dicts
+                board_config = deep_merge_dicts(board_config, template["config"])
+        board = Board(
+            id=str(uuid.uuid4()),
+            name=data.name,
+            description=data.description,
+            repo_root=str(repo_path),  # Store resolved absolute path
+            default_branch=data.default_branch,
+            config=board_config,
+            owner_id=owner_id,
+        )
+        self.db.add(board)
+        await self.db.commit()
+        await self.db.refresh(board)
+        # Create starter goals if template provided and requested
+        if data.template_id and data.create_starter_goals:
+            from app.templates import get_template
+            template = get_template(data.template_id)
+            if template and template.get("starter_goals"):
+                for goal_data in template["starter_goals"]:
+                    goal = Goal(
+                        id=str(uuid.uuid4()),
+                        board_id=board.id,
+                        title=goal_data["title"],
+                        description=goal_data["description"],
+                    )
+                    self.db.add(goal)
+                await self.db.commit()
+        return board
+    async def get_board_by_id(self, board_id: str) -> Board:
+        """Get a board by its ID."""
+        result = await self.db.execute(select(Board).where(Board.id == board_id))
+        board = result.scalar_one_or_none()
+        if not board:
+            raise ValueError(f"Board not found: {board_id}")
+        return board
+    async def get_boards(self, owner_id: str | None = None) -> list[Board]:
+        """Get all boards, optionally filtered by owner.
+        When owner_id is provided, returns only boards owned by that user.
+        When owner_id is None, returns all boards (backward compatible).
+        """
+        query = select(Board)
+        if owner_id is not None:
+            query = query.where(Board.owner_id == owner_id)
+        result = await self.db.execute(query)
+        return list(result.scalars().all())
+    async def update_board(self, board_id: str, data: BoardUpdate) -> Board:
+        """Update a board."""
+        board = await self.get_board_by_id(board_id)
+        update_data = data.model_dump(exclude_unset=True)
+        for field, value in update_data.items():
+            setattr(board, field, value)
+        await self.db.commit()
+        await self.db.refresh(board)
+        return board
+    async def delete_board(self, board_id: str) -> None:
+        """Delete a board and all its children (cascades)."""
+        board = await self.get_board_by_id(board_id)
+        await self.db.delete(board)
+        await self.db.commit()
+    async def initialize_board_config(self, board_id: str) -> Board:
+        """Initialize config for a board that has config=null.
+        This is useful for migrating existing boards that were created
+        before auto-initialization was implemented.
+        If board already has config, this is a no-op.
+        """
+        board = await self.get_board_by_id(board_id)
+        if board.config is None:
+            board.config = self.get_default_board_config()
+            await self.db.commit()
+            await self.db.refresh(board)
+        return board
+    async def initialize_all_board_configs(self) -> dict:
+        """Initialize config for all boards that have config=null.
+        Returns a summary of boards that were updated.
+        """
+        boards = await self.get_boards()
+        updated = []
+        skipped = []
+        for board in boards:
+            if board.config is None:
+                board.config = self.get_default_board_config()
+                updated.append(board.id)
+            else:
+                skipped.append(board.id)
+        if updated:
+            await self.db.commit()
+        return {
+            "total": len(boards),
+            "updated": len(updated),
+            "skipped": len(skipped),
+            "updated_board_ids": updated,
+        }
+    async def get_repo_root(self, board_id: str) -> Path:
+        """Get the repo_root path for a board.
+        CRITICAL: This is the ONLY authoritative way to get a repo path.
+        NEVER accept paths from client requests.
+        NEVER use global config repo_root when board_id is available.
+        """
+        board = await self.get_board_by_id(board_id)
+        return Path(board.repo_root).resolve()
+    # =========================================================================
+    # Authorization helpers - use these to enforce board boundaries
+    # =========================================================================
+    async def verify_goal_in_board(self, goal_id: str, board_id: str) -> Goal:
+        """Verify a goal belongs to a board.
+        Raises ValueError if goal doesn't exist or doesn't belong to board.
+        """
+        result = await self.db.execute(select(Goal).where(Goal.id == goal_id))
+        goal = result.scalar_one_or_none()
+        if not goal:
+            raise ValueError(f"Goal not found: {goal_id}")
+        if goal.board_id and goal.board_id != board_id:
+            raise ValueError(
+                f"Goal {goal_id} belongs to board {goal.board_id}, not {board_id}"
+            )
+        return goal
+    async def verify_ticket_in_board(self, ticket_id: str, board_id: str) -> Ticket:
+        """Verify a ticket belongs to a board.
+        Raises ValueError if ticket doesn't exist or doesn't belong to board.
+        """
+        result = await self.db.execute(select(Ticket).where(Ticket.id == ticket_id))
+        ticket = result.scalar_one_or_none()
+        if not ticket:
+            raise ValueError(f"Ticket not found: {ticket_id}")
+        if ticket.board_id and ticket.board_id != board_id:
+            raise ValueError(
+                f"Ticket {ticket_id} belongs to board {ticket.board_id}, not {board_id}"
+            )
+        return ticket
+    async def verify_tickets_in_board(
+        self, ticket_ids: list[str], board_id: str
+    ) -> list[Ticket]:
+        """Verify multiple tickets belong to a board.
+        Raises ValueError if any ticket doesn't exist or doesn't belong.
+        """
+        tickets = []
+        for ticket_id in ticket_ids:
+            ticket = await self.verify_ticket_in_board(ticket_id, board_id)
+            tickets.append(ticket)
+        return tickets
+    async def verify_job_in_board(self, job_id: str, board_id: str) -> Job:
+        """Verify a job belongs to a board."""
+        result = await self.db.execute(select(Job).where(Job.id == job_id))
+        job = result.scalar_one_or_none()
+        if not job:
+            raise ValueError(f"Job not found: {job_id}")
+        if job.board_id and job.board_id != board_id:
+            raise ValueError(
+                f"Job {job_id} belongs to board {job.board_id}, not {board_id}"
+            )
+        return job
+    async def verify_workspace_in_board(
+        self, workspace_id: str, board_id: str
+    ) -> Workspace:
+        """Verify a workspace belongs to a board."""
+        result = await self.db.execute(
+            select(Workspace).where(Workspace.id == workspace_id)
+        )
+        workspace = result.scalar_one_or_none()
+        if not workspace:
+            raise ValueError(f"Workspace not found: {workspace_id}")
+        if workspace.board_id and workspace.board_id != board_id:
+            raise ValueError(
+                f"Workspace {workspace_id} belongs to board {workspace.board_id}, "
+                f"not {board_id}"
+            )
+        return workspace
+    async def verify_path_under_repo_root(
+        self, path: str | Path, board_id: str
+    ) -> Path:
+        """Verify a path is under the board's repo_root.
+        CRITICAL: Use this to validate any filesystem paths before operations.
+        Prevents directory traversal attacks.
+        """
+        repo_root = await self.get_repo_root(board_id)
+        target_path = Path(path).resolve()
+        try:
+            target_path.relative_to(repo_root)
+        except ValueError:
+            raise ValueError(
+                f"Path {target_path} is not under board repo_root {repo_root}"
+            )
+        return target_path
+    async def get_board_for_goal(self, goal_id: str) -> Board | None:
+        """Get the board that owns a goal (if any)."""
+        result = await self.db.execute(select(Goal).where(Goal.id == goal_id))
+        goal = result.scalar_one_or_none()
+        if not goal or not goal.board_id:
+            return None
+        return await self.get_board_by_id(goal.board_id)
+    async def get_board_for_ticket(self, ticket_id: str) -> Board | None:
+        """Get the board that owns a ticket (if any)."""
+        result = await self.db.execute(select(Ticket).where(Ticket.id == ticket_id))
+        ticket = result.scalar_one_or_none()
+        if not ticket or not ticket.board_id:
+            return None
+        return await self.get_board_by_id(ticket.board_id)