kanban-lite 1.2.3 → 1.2.4

package/src/sdk/types.d.ts

@@ -468,29 +468,11 @@ export declare class CardStateError extends Error {
     constructor(code: CardStateErrorCode, message: string);
 }
 /**
- * Minimal SDK webhook facade supplied to CLI plugins via {@link CliPluginContext}.
- *
- * Structural subset of `KanbanSDK`; plugins should use this surface instead of
- * importing `KanbanSDK` directly so they remain decoupled from core internals.
+ * @deprecated Use {@link KanbanSDK}. CLI plugin hosts now advertise the full
+ * public SDK surface, including `getConfigSnapshot()`, instead of a narrowed
+ * webhook-only facade.
  */
-export interface CliPluginSdk {
-    /**
-     * Returns the SDK extension bag contributed by the plugin with the given id,
-     * when the host is backed by a full `KanbanSDK` instance.
-     *
-     * CLI plugins should prefer this extension path when available and fall back
-     * to compatibility methods only when running against older or mocked SDK facades.
-     */
-    getExtension?<T extends Record<string, unknown> = Record<string, unknown>>(id: string): T | undefined;
-    listWebhooks(): Webhook[];
-    createWebhook(input: {
-        url: string;
-        events: string[];
-        secret?: string;
-    }): Promise<Webhook>;
-    updateWebhook(id: string, updates: Partial<Pick<Webhook, 'url' | 'events' | 'secret' | 'active'>>): Promise<Webhook | null>;
-    deleteWebhook(id: string): Promise<boolean>;
-}
+export type CliPluginSdk = KanbanSDK;
 /**
  * Runtime context supplied to a {@link KanbanCliPlugin} when it is invoked by
  * the `kl` CLI.
@@ -503,10 +485,12 @@ export interface CliPluginContext {
      *
      * Present when the plugin is invoked through the core `kl` CLI.
      * Absent in isolated unit tests or standalone invocations.
-     * Plugins should prefer this over constructing their own SDK so that
-     * SDK-level auth policy is honoured.
+    * Plugins may use the full public {@link KanbanSDK} contract here, including
+    * extension lookup and `getConfigSnapshot()`, instead of relying on older
+    * helper-only SDK facades. Plugins should prefer this over constructing their
+    * own SDK so that SDK-level auth policy is honoured.
      */
-    sdk?: CliPluginSdk;
+    sdk?: KanbanSDK;
     /**
      * Core-owned CLI auth helper.
      *

package/src/sdk/types.ts

@@ -1,5 +1,6 @@
 import type { Card, CardFormAttachment, CardFormDataMap, Priority, ResolvedFormDescriptor } from '../shared/types'
 import type { CapabilitySelections, Webhook } from '../shared/config'
+import type { KanbanSDK } from './KanbanSDK'
 import type { StorageEngine, StorageEngineType } from './plugins/types'
 import type { CardStateCursor } from './plugins'
 
@@ -615,28 +616,11 @@ export class CardStateError extends Error {
 }
 
 /**
- * Minimal SDK webhook facade supplied to CLI plugins via {@link CliPluginContext}.
- *
- * Structural subset of `KanbanSDK`; plugins should use this surface instead of
- * importing `KanbanSDK` directly so they remain decoupled from core internals.
+ * @deprecated Use {@link KanbanSDK}. CLI plugin hosts now advertise the full
+ * public SDK surface, including `getConfigSnapshot()`, instead of a narrowed
+ * webhook-only facade.
  */
-export interface CliPluginSdk {
-  /**
-   * Returns the SDK extension bag contributed by the plugin with the given id,
-   * when the host is backed by a full `KanbanSDK` instance.
-   *
-   * CLI plugins should prefer this extension path when available and fall back
-   * to compatibility methods only when running against older or mocked SDK facades.
-   */
-  getExtension?<T extends Record<string, unknown> = Record<string, unknown>>(id: string): T | undefined
-  listWebhooks(): Webhook[]
-  createWebhook(input: { url: string; events: string[]; secret?: string }): Promise<Webhook>
-  updateWebhook(
-    id: string,
-    updates: Partial<Pick<Webhook, 'url' | 'events' | 'secret' | 'active'>>,
-  ): Promise<Webhook | null>
-  deleteWebhook(id: string): Promise<boolean>
-}
+export type CliPluginSdk = KanbanSDK
 
 /**
  * Runtime context supplied to a {@link KanbanCliPlugin} when it is invoked by
@@ -650,10 +634,12 @@ export interface CliPluginContext {
    *
    * Present when the plugin is invoked through the core `kl` CLI.
    * Absent in isolated unit tests or standalone invocations.
-   * Plugins should prefer this over constructing their own SDK so that
-   * SDK-level auth policy is honoured.
+   * Plugins may use the full public {@link KanbanSDK} contract here, including
+   * extension lookup and `getConfigSnapshot()`, instead of relying on older
+   * helper-only SDK facades. Plugins should prefer this over constructing their
+   * own SDK so that SDK-level auth policy is honoured.
    */
-  sdk?: CliPluginSdk
+  sdk?: KanbanSDK
   /**
    * Core-owned CLI auth helper.
    *

package/src/shared/config.ts

@@ -482,6 +482,12 @@ function loadDotEnv(dir: string): void {
  * @returns The processed node (same reference for objects/arrays; new primitive for strings).
  */
 function resolveConfigEnvVars(node: unknown, configFileName: string, nodePath = ''): unknown {
+  const isFormDefaultDataPath = /^\.forms\.(?:[^.]+|"[^"]+")\.data(?:$|[.\[])/.test(nodePath)
+
+  if (isFormDefaultDataPath) {
+    return node
+  }
+
   if (typeof node === 'string') {
     return node.replace(/\$\{([^}]+)\}/g, (_match, varName: string) => {
       const envValue = process.env[varName]

package/src/standalone/__tests__/server.integration.test.ts

@@ -350,6 +350,86 @@ describe('Standalone Server Integration', () => {
       }
     })
 
+    it('passes the resolved public SDK to standalone plugin registration and request contexts', async () => {
+      const cleanup = installTempPackage(
+        'standalone-sdk-context-test-plugin',
+        `module.exports = {
+  authIdentityPlugin: {
+    manifest: { id: 'standalone-sdk-context-test-plugin', provides: ['auth.identity'] },
+    async resolveIdentity() {
+      return { subject: 'standalone-sdk-context-test-plugin' }
+    },
+  },
+  standaloneHttpPlugin: {
+    manifest: { id: 'standalone-sdk-context-test-plugin', provides: ['standalone.http'] },
+    registerMiddleware() {
+      return [async (request) => {
+        if (!request.route('GET', '/api/plugin-sdk-context')) return false
+        request.mergeAuthContext({ actorHint: 'middleware-auth-context' })
+        return false
+      }]
+    },
+    registerRoutes(options) {
+      return [async (request) => {
+        if (!request.route('GET', '/api/plugin-sdk-context')) return false
+        const registrationSnapshot = options.sdk ? options.sdk.getConfigSnapshot() : null
+        const requestSnapshot = request.sdk.getConfigSnapshot()
+        const registrationBoard = options.sdk ? options.sdk.getBoard('default') : null
+        const requestBoard = request.sdk.getBoard('default')
+        request.res.statusCode = 200
+        request.res.setHeader('Content-Type', 'application/json')
+        request.res.end(JSON.stringify({
+          ok: true,
+          registrationSdkAvailable: !!options.sdk,
+          registrationPort: registrationSnapshot ? registrationSnapshot.port ?? null : null,
+          registrationBoardName: registrationBoard ? registrationBoard.name : null,
+          requestPort: requestSnapshot.port ?? null,
+          requestBoardName: requestBoard.name,
+          workspaceRootMatches: options.workspaceRoot === request.workspaceRoot,
+          kanbanDirMatches: options.kanbanDir === request.kanbanDir,
+          actorHint: request.getAuthContext().actorHint ?? null,
+        }))
+        return true
+      }]
+    },
+  },
+}
+`,
+      )
+
+      const workspaceRoot = path.dirname(tempDir)
+      const resolvedConfigPath = writeWorkspaceConfig(workspaceRoot, {
+        port,
+        auth: {
+          'auth.identity': { provider: 'standalone-sdk-context-test-plugin' },
+          'auth.policy': { provider: 'noop' },
+        },
+      })
+
+      const localPort = await getPort()
+      const localServer = startServer(tempDir, localPort, webviewDir, resolvedConfigPath)
+      await sleep(200)
+
+      try {
+        const res = await httpGet(`http://localhost:${localPort}/api/plugin-sdk-context`)
+        expect(res.status).toBe(200)
+        expect(JSON.parse(res.body)).toEqual({
+          ok: true,
+          registrationSdkAvailable: true,
+          registrationPort: port,
+          registrationBoardName: 'Default',
+          requestPort: port,
+          requestBoardName: 'Default',
+          workspaceRootMatches: true,
+          kanbanDirMatches: true,
+          actorHint: 'middleware-auth-context',
+        })
+      } finally {
+        cleanup()
+        await new Promise<void>((resolve) => localServer.close(() => resolve()))
+      }
+    })
+
     it('starts even when the Swagger UI package logo file is unavailable', async () => {
       vi.resetModules()
 
@@ -2561,7 +2641,7 @@ describe('Standalone Server Integration', () => {
       const kanbanJson = path.join(path.dirname(tempDir), '.kanban.json')
       fs.writeFileSync(kanbanJson, JSON.stringify({
         version: 2,
-        boards: { default: { name: 'Default', columns: [], nextCardId: 1, defaultStatus: 'backlog', defaultPriority: 'medium' } },
+        boards: { default: { name: 'Default', columns: [{ id: 'backlog', name: 'Backlog' }], nextCardId: 1, defaultStatus: 'backlog', defaultPriority: 'medium' } },
         defaultBoard: 'default',
         kanbanDirectory: '.kanban',
         forms: {
@@ -2585,7 +2665,6 @@ describe('Standalone Server Integration', () => {
         }
       }, null, 2), 'utf-8')
 
-
       const createRes = await httpRequest('POST', `http://localhost:${port}/api/tasks`, {
         content: '# Interpolation Regression Card',
         status: 'backlog',

package/src/standalone/internal/websocket.ts

@@ -1,11 +1,21 @@
+import * as http from 'http'
 import { extractAuthContext, getAuthErrorLike } from '../authUtils'
+import type { AuthContext } from '../../sdk/types'
 import type { StandaloneContext } from '../context'
 import { clearClientEditingCard, setClientEditingCard } from '../broadcastService'
 import { handleMessage } from '../messageHandlers'
 
-export function attachWebSocketHandlers(ctx: StandaloneContext): void {
-  ctx.wss.on('connection', (ws, req) => {
-    const authContext = extractAuthContext(req)
+export function attachWebSocketHandlers(
+  ctx: StandaloneContext,
+  resolveAuthContext?: (req: http.IncomingMessage) => Promise<AuthContext>,
+): void {
+  ctx.wss.on('connection', async (ws, req) => {
+    let authContext: AuthContext
+    try {
+      authContext = resolveAuthContext ? await resolveAuthContext(req) : extractAuthContext(req)
+    } catch {
+      authContext = extractAuthContext(req)
+    }
     setClientEditingCard(ctx, ws, null)
     ws.on('message', (data) => {
       let message: unknown

package/src/standalone/server.ts

@@ -13,7 +13,7 @@ import { createStandaloneRuntime, getIndexHtml } from './internal/runtime'
 import { handleBoardRoutes } from './internal/routes/boards'
 import { handleSystemRoutes } from './internal/routes/system'
 import { handleTaskRoutes } from './internal/routes/tasks'
-import { getRequestAuthContext, mergeRequestAuthContext, setRequestAuthContext } from './authUtils'
+import { extractAuthContext, getRequestAuthContext, mergeRequestAuthContext, setRequestAuthContext } from './authUtils'
 import { attachWebSocketHandlers } from './internal/websocket'
 import { matchRoute, type IncomingMessageWithRawBody } from './httpUtils'
 
@@ -176,6 +176,7 @@ function collectStandaloneHttpHandlers(
 ): StandaloneHttpHandler[] {
   const plugins = ctx.sdk.capabilities?.standaloneHttpPlugins ?? []
   const registrationOptions = {
+    sdk: ctx.sdk,
     workspaceRoot: ctx.workspaceRoot,
     kanbanDir: ctx.absoluteKanbanDir,
     capabilities: ctx.sdk.capabilities?.providers ?? {
@@ -338,7 +339,50 @@ export function startServer(kanbanDir: string, port: number, webviewDir?: string
     reply.hijack()
   })
 
-  attachWebSocketHandlers(ctx)
+  // Resolve auth context for WebSocket upgrade requests by running the middleware
+  // pipeline so session cookies set by auth plugins (e.g. kl-auth-plugin) are honoured.
+  const resolveWsAuthContext = async (req: http.IncomingMessage) => {
+    const silentRes = (() => {
+      const r: Record<string, unknown> = {
+        writableEnded: false,
+        writeHead() { return r },
+        setHeader() { return r },
+        removeHeader() { /* no-op */ },
+        getHeader() { return undefined },
+        getHeaders() { return {} },
+        end(..._args: unknown[]) { (r as { writableEnded: boolean }).writableEnded = true; return r },
+        write() { return false },
+      }
+      return r as unknown as import('http').ServerResponse
+    })()
+    const reqWithBody = req as IncomingMessageWithRawBody
+    const wsUrl = new URL(req.url || '/', `http://${req.headers.host || 'localhost'}`)
+    const requestContext: StandaloneRequestContext = {
+      ctx,
+      sdk: ctx.sdk,
+      workspaceRoot: ctx.workspaceRoot,
+      kanbanDir: ctx.absoluteKanbanDir,
+      req: reqWithBody,
+      res: silentRes,
+      url: wsUrl,
+      pathname: wsUrl.pathname,
+      method: 'GET',
+      resolvedWebviewDir,
+      indexHtml: resolvedIndexHtml,
+      route: createRouteMatcher('GET', wsUrl.pathname, matchRoute),
+      isApiRequest: false,
+      isPageRequest: false,
+      getAuthContext: () => getRequestAuthContext(req),
+      setAuthContext: (auth) => setRequestAuthContext(req, auth),
+      mergeAuthContext: (auth) => mergeRequestAuthContext(req, auth),
+    }
+    for (const handler of middlewareHandlers) {
+      if (await handler(requestContext)) break
+    }
+    return extractAuthContext(req)
+  }
+
+  attachWebSocketHandlers(ctx, resolveWsAuthContext)
   setupStandaloneLifecycle(ctx, fastify.server)
 
   const effectiveConfigPath = resolvedConfigPath ?? configPath(path.dirname(ctx.absoluteKanbanDir))

package/tmp/screenshots-workspace/.kanban/.active-card.json

@@ -0,0 +1,5 @@
+{
+  "cardId": "1",
+  "boardId": "default",
+  "updatedAt": "2026-03-26T00:54:58.370Z"
+}

package/tmp/screenshots-workspace/.kanban/boards/default/deleted/1-dddd.md

@@ -0,0 +1,17 @@
+---
+version: 1
+id: "1"
+status: "deleted"
+priority: "medium"
+assignee: null
+dueDate: null
+created: "2026-03-26T00:54:50.866Z"
+modified: "2026-03-26T00:55:04.504Z"
+completedAt: null
+labels: []
+attachments:
+  - "1.log"
+order: "a0"
+---
+
+# dddd

package/tmp/screenshots-workspace/.kanban/boards/default/deleted/attachments/1.log

@@ -0,0 +1 @@
+2026-03-26T00:55:04.503Z [system] Status changed: `in-progress` → `deleted` {"previousStatus":"in-progress","status":"deleted","activity":{"type":"card.status.changed","qualifiesForUnread":true}}

package/tmp/screenshots-workspace/.kanban.json

@@ -0,0 +1,59 @@
+{
+  "version": 2,
+  "boards": {
+    "default": {
+      "name": "Default",
+      "columns": [
+        {
+          "id": "backlog",
+          "name": "Backlog",
+          "color": "#6b7280"
+        },
+        {
+          "id": "todo",
+          "name": "To Do",
+          "color": "#3b82f6"
+        },
+        {
+          "id": "in-progress",
+          "name": "In Progress",
+          "color": "#f59e0b"
+        },
+        {
+          "id": "review",
+          "name": "Review",
+          "color": "#8b5cf6"
+        },
+        {
+          "id": "done",
+          "name": "Done",
+          "color": "#22c55e"
+        }
+      ],
+      "nextCardId": 1,
+      "defaultStatus": "backlog",
+      "defaultPriority": "medium"
+    }
+  },
+  "defaultBoard": "default",
+  "kanbanDirectory": ".kanban",
+  "aiAgent": "claude",
+  "defaultPriority": "medium",
+  "defaultStatus": "backlog",
+  "nextCardId": 2,
+  "showPriorityBadges": true,
+  "showAssignee": true,
+  "showDueDate": true,
+  "showLabels": true,
+  "showBuildWithAI": true,
+  "showFileName": false,
+  "compactMode": false,
+  "markdownEditorMode": false,
+  "showDeletedColumn": false,
+  "boardZoom": 100,
+  "cardZoom": 100,
+  "boardBackgroundMode": "fancy",
+  "boardBackgroundPreset": "aurora",
+  "port": 2954,
+  "labels": {}
+}