Commit Graph

13892 Commits

Author SHA1 Message Date
kolaente a0116749d1 feat(mcp): add resource registry and dispatcher
Define the Op bitmask, the Resource struct, the package-level Register
function, and the Dispatch entry point that future tasks will use to
expose CRUD resources over MCP. No resources are registered yet.

Op carries the CRUD-op identity, knows its api-token permission string
(matching apiTokenRoutes exactly), and knows its tool-name suffix.
Resource.Inputs maps each enabled op to a pointer-to-zero of the wrapper
type the dispatcher will allocate and unmarshal into. Register validates
the resource shape and populates a tool-name lookup table so the
dispatcher never has to string-parse names like task_comments_read_all.

Dispatch threads the user from ctx, allocates a fresh wrapper, unmarshals
arguments, asks the wrapper to copy itself onto a fresh model via the
inputAdapter seam (which Task 4 will populate with real implementations),
and forwards to the corresponding handler.Do* function. The Do* calls go
through a swappable crudFuncs struct so the unit tests can verify
dispatch routing without standing up the database.
2026-05-26 23:20:04 +02:00
kolaente 3ec2d89543 feat(mcp): add streamable-http endpoint skeleton
Mount /api/v1/mcp (and /api/v1/mcp/*) inside the authenticated route
group. Reject JWT-authed requests with 401 (token-only policy), reject
API tokens without the mcp:access scope with 403, and propagate the
authed *user.User + *models.APIToken to r.Context() via typed keys so
downstream tool handlers can pull them out without depending on Echo.

The MCP protocol — JSON-RPC framing, Mcp-Session-Id management, SSE
streaming — is delegated to github.com/modelcontextprotocol/go-sdk
v1.6.1. tools/list returns {"tools": []} since no tools are registered
yet.
2026-05-26 23:08:45 +02:00
kolaente 49934adaaf feat(mcp): register mcp:access api token scope
Adds the mcp scope group with a single access permission so it shows up
in GET /api/v1/routes (and therefore in the frontend token form).
Adds APIToken.HasMCPAccess() mirroring the caldav/feeds helpers.

The MCP endpoint will use POST, GET, and DELETE on the same path for the
streamable-HTTP transport, which CanDoAPIRoute's exact (method, path)
match cannot gate. The token middleware therefore skips the route check
for /api/v1/mcp and any sub-path; the actual authorization is delegated
to an inline HasMCPAccess() call in the MCP handler (added in the next
task).

Fixtures gain two MCP tokens for user 1: one mcp-only and one with
mcp:access plus projects read scopes for the per-tool scope filter tests.
2026-05-26 22:58:53 +02:00
Frederick [Bot] c761ab9761 chore(i18n): update translations via Crowdin 2026-05-19 02:26:35 +00:00
Tink bot a79517a79a fix(frontend): prevent avatar layout shift while loading
The .avatar img in User.vue relied solely on the width/height HTML
attributes for sizing. Those are presentational hints with zero CSS
specificity, so Bulma's global reset (img { height: auto; max-width: 100% })
overrode them. While avatarSrc was still resolving (initial src=""),
the browser had no intrinsic dimensions to compute the auto height from
and fell back to the broken-image box (~96px in Chrome), then snapped
to the real size once the blob URL loaded.

Set inline-size/block-size explicitly via a CSS custom property bound
to the avatarSize prop so the rendered size is locked regardless of
load state or the Bulma reset.
2026-05-18 19:13:36 +00:00
Tink bot fee2d2ea58 fix(notifications): skip logo attachment for conversational mails
The conversational mail template does not reference cid:logo.png, but
RenderMail still attached the embedded logo to every outgoing mail.
That left an orphan inline part that some clients render as a stray
attachment. Only embed logo.png when the formal template is in use.
2026-05-18 19:06:49 +00:00
renovate[bot] faeeebe661 chore(deps): update dev-dependencies to v8.59.4 2026-05-18 19:01:32 +00:00
renovate[bot] ad457488fd chore(deps): update dependency vue-tsc to v3.3.0 2026-05-18 18:13:13 +00:00
dependabot[bot] f349b6360e chore(deps): bump brace-expansion from 5.0.5 to 5.0.6 in /frontend
Bumps [brace-expansion](https://github.com/juliangruber/brace-expansion) from 5.0.5 to 5.0.6.
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](https://github.com/juliangruber/brace-expansion/compare/v5.0.5...v5.0.6)

---
updated-dependencies:
- dependency-name: brace-expansion
  dependency-version: 5.0.6
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-05-18 18:12:58 +00:00
Tink bot 941f6bb1be fix(tooltip): show tooltips in top layer when inside modal dialog
Tooltips on relative dates (and other content) were invisible when a task
was opened in the modal. The modal uses <dialog> opened via showModal(),
which places it in the browser's top layer. floating-vue teleports
tooltips to <body> by default, so they were rendered *below* the dialog
backdrop and hidden behind it.

Wrap the v-tooltip directive to detect the nearest <dialog> ancestor of
the target and use it as the tooltip's container, keeping the tooltip in
the same top-layer context as the modal it belongs to. Tooltips outside
any dialog still teleport to <body> as before.
2026-05-18 18:09:38 +00:00
Tink bot 52f3dd6806 fix(ci): commit newly added Crowdin translation files
The Crowdin sync workflow used `git diff --quiet` and `git commit -am`,
both of which only consider tracked files. New language files downloaded
by Crowdin (e.g. el-GR, th-TH) were therefore left untracked and silently
dropped on each run.

Switch the change check to `git status --porcelain` scoped to the
translation directories and stage them explicitly before committing so
new locales are included.
2026-05-18 17:57:21 +00:00
kolaente dbccbd64ef
fix(relations): correctly position quick add magic hint (#2766) 2026-05-18 13:23:43 +02:00
bradmartin333 4a16df8af1 fix(frontend): ensure text color inherits in filter autocomplete component 2026-05-17 15:03:50 +00:00
renovate[bot] d4e186a024 chore(deps): update dependency caniuse-lite to v1.0.30001793 2026-05-17 14:51:39 +00:00
kolaente b9e3bb95fa
feat(frontend): add Atom feed settings page and notifications discovery (#2760) 2026-05-15 19:28:29 +02:00
Tink bot 6b14307896 test(trello): drop redundant BackgroundImage assignment in getTestBoard 2026-05-15 15:16:11 +00:00
Tink bot fc373ae963 test(trello): serve testimage from local server instead of vikunja.io
Mirrors the Todoist migration test setup so TestConvertTrelloToVikunja
no longer depends on https://vikunja.io/testimage.jpg being reachable.
2026-05-15 15:16:11 +00:00
kolaente 70393f38d2
feat: add Atom feed for user notifications with API token auth (#2758) 2026-05-15 17:25:09 +02:00
renovate[bot] c371ca7196 chore(deps): update dev-dependencies 2026-05-15 13:57:32 +00:00
Brett Randall bc7e41c2b0 chore(deps): group node and pnpm updates across mise and version files
Add packageRules to keep mise.toml in sync with the files it mirrors
when Renovate raises version-bump PRs:

- node: groups mise.toml and frontend/.nvmrc (nvm manager) into one PR
- pnpm: groups mise.toml and frontend/package.json#packageManager
  (npm manager) into one PR

Without these rules Renovate would open separate PRs for each file,
allowing them to drift out of sync.
2026-05-15 10:56:52 +00:00
Brett Randall 2b38c2a196 chore: add mise.toml to pin tool versions
Consolidates tool versions already declared across the project into a
single mise.toml so that `mise install` / `mise exec` activates the
correct runtime in one step.

Without an explicit project-level pin, mise falls back to the global
user config, silently using the wrong version even when .nvmrc is
present (legacy files rank below all mise config files).

Versions mirror existing project pins:
- node 24.13.0  (frontend/.nvmrc)
- pnpm 10.28.1  (frontend/package.json#packageManager)
- go 1.25.7     (go.mod)
2026-05-15 10:56:52 +00:00
renovate[bot] 7caaa9a16a chore(deps): update dev-dependencies 2026-05-15 10:28:16 +00:00
Tink bot 2ad7efb669 fix(kanban): prevent task taps from leaking through the sticky add-task footer on touch devices
The sticky bucket footer had no z-index, so the absolutely positioned
`.handle` overlays on each task (z-index: 1, used to capture taps on
touch devices) stacked above the Add Task button. Tapping the button
where a task scrolled behind it would open that task instead of opening
the new-task input.
2026-05-15 10:27:38 +00:00
renovate[bot] 57a0b8fee4 chore(deps): update dev-dependencies to v4.3.0 2026-05-11 21:21:39 +00:00
Tink bot f495a792b2 feat(frontend): apply quick add magic when creating related tasks
Route the create flow through taskStore.createNewTask so titles typed
into the related-task input get parsed for labels, priority, assignees,
due dates and cross-project targets - matching the main add-task input.
Also surface the quick-add-magic hint next to the field.
2026-05-11 21:21:11 +00:00
renovate[bot] 572edd431d chore(deps): update dev-dependencies 2026-05-11 06:05:06 +00:00
Frederick [Bot] c19b310b22 chore(i18n): update translations via Crowdin 2026-05-08 02:05:11 +00:00
Tink bot aa1956e1aa fix(oauth2server): accept all loopback redirect forms
Hardcoding the three exact strings localhost / 127.0.0.1 / ::1 rejected
legitimate loopback redirects like 127.0.0.2:1234 (anywhere in 127.0.0.0/8)
or [0:0:0:0:0:0:0:1]:1234 (expanded IPv6 loopback). Use net.IP.IsLoopback()
to cover the full loopback ranges, and match "localhost" case-insensitively.
0.0.0.0 stays rejected as it is not a loopback address.

https://claude.ai/code/session_01LsTDrCJ7trE6WQ4FYf78UB
2026-05-07 22:03:49 +00:00
Tink bot c6bda7a2dd feat(oauth2server): accept loopback redirect URIs
Previously the OAuth server rejected every redirect_uri that did not start
with a vikunja- custom scheme. Native apps that cannot register a custom
scheme (e.g. CLIs, desktop tools) need loopback redirects per RFC 8252, so
also allow http://localhost, http://127.0.0.1 and http://[::1] (any port).
Non-loopback http:// and https:// targets remain rejected.

https://claude.ai/code/session_01LsTDrCJ7trE6WQ4FYf78UB
2026-05-07 22:03:49 +00:00
renovate[bot] 812fa11b9b chore(deps): update dependency vite to v7.3.3 2026-05-07 07:38:48 +00:00
MidoriKurage beaf4e9e65 fix(static): Correct the API_URL value to replace in index.html 2026-05-06 16:31:48 +00:00
kolaente 7800102f93
fix(models): allow user-delete cascade to complete for disabled creators
TaskAttachment.ReadOne now swallows ErrAccountDisabled/ErrAccountLocked
from the creator lookup, matching the existing ErrUserDoesNotExist
swallow. Without this, deleting a disabled user that owned a project
with task attachments would fail when the cascade re-loaded the
attachment to delete it.
2026-05-06 16:08:16 +02:00
dependabot[bot] fc9a9a6c71 chore(deps): bump axios from 1.15.0 to 1.15.2 in /frontend
Bumps [axios](https://github.com/axios/axios) from 1.15.0 to 1.15.2.
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](https://github.com/axios/axios/compare/v1.15.0...v1.15.2)

---
updated-dependencies:
- dependency-name: axios
  dependency-version: 1.15.2
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2026-05-06 12:37:48 +00:00
renovate[bot] 4754230ef0 chore(deps): update dev-dependencies 2026-05-06 12:37:26 +00:00
kolaente 3d594db725 fix(frontend): scope checkbox hit-area pseudo to the task row
The pseudo-element that extends the checkbox hit target also covered
label text content, which broke Playwright actionability checks for
clicks on text inside wider FancyCheckbox labels (e.g. the "Show
Archived" toggle on the projects list page).

Move the rule out of BaseCheckbox and into SingleTaskInProject's deep
override, where the label slot is already hidden via display: none, so
no neighboring content can be intercepted.
2026-05-05 15:42:10 +00:00
kolaente 9bea92bb6f fix(frontend): skip task detail on label and checkbox clicks
Defense in depth for the list-view row click handler: a click that
lands on a label or checkbox input no longer bubbles up to open the
task detail.
2026-05-05 15:42:10 +00:00
kolaente 1ea5675e1b fix(frontend): extend checkbox hit target to 44x44
A pseudo-element on the label provides a 44x44 minimum hit area
centered on the visible icon. Visible size and surrounding layout
are unchanged. Addresses misclicks on the task list view checkbox
where ~50% of taps would open the task detail instead of toggling
done.
2026-05-05 15:42:10 +00:00
kolaente 469ee8f364 fix(frontend): respect user's 12h/24h time format in date pickers
The flatpickr time inputs hardcoded `time_24hr: true`, so users who
selected the 12-hour format in their settings still got a 24-hour
picker — even though the displayed dates respected the preference.

Bind `time_24hr` to the existing `useTimeFormat` composable in:
- DatepickerInline (start/end/due dates and absolute reminders)
- DeferTask (defer due date)
- ApiTokenForm (API token expiry)

Reported at https://community.vikunja.io/t/4492.
2026-05-05 14:47:24 +00:00
kolaente 926e163089 chore(deps): bump workbox-precaching to 7.4.1 to match workbox-cli 2026-05-05 08:31:42 +00:00
renovate[bot] 7ed0e3ecd6 chore(deps): update dev-dependencies 2026-05-05 08:31:42 +00:00
Frederick [Bot] 65a6fc7b4b chore(i18n): update translations via Crowdin 2026-05-05 01:57:03 +00:00
kolaente 459dbe71ca
Improve modal responsive sizing with inline-size constraints (#2716) 2026-05-04 15:33:59 +02:00
Frederick [Bot] 6a604dd949 [skip ci] Updated swagger docs 2026-05-04 11:19:21 +00:00
renovate[bot] 55e96018f3 chore(deps): update dev-dependencies 2026-05-04 10:55:46 +00:00
Claude d9a5958bb8 feat: always enable bot users
Removes the `service.enablebotusers` config flag, the matching
`bot_users_enabled` field on /info, and the now-unused
`ErrBotUsersDisabled` error. Bot user routes and the frontend
settings tab are now always available.

https://claude.ai/code/session_01VhAR6xnoCdG1fpX52bzaCC
2026-05-04 10:38:53 +00:00
renovate[bot] 0f1bf6fab2 chore(deps): update dev-dependencies 2026-05-04 10:21:25 +00:00
Frederick [Bot] 935c950942 chore(i18n): update translations via Crowdin 2026-05-04 01:56:28 +00:00
Frederick [Bot] 0adf85dc2d [skip ci] Updated swagger docs 2026-05-01 15:01:51 +00:00
kolaente 22d82e292b feat(user): always include own bots in user search
User search previously filtered bots only when they happened to match the
search string. That produced two bad behaviours:

1. Bots owned by other users could surface on an exact-username match,
   leaking them into assignee pickers and similar UI.
2. A user could not reliably find their own bots by typing a partial
   name, so bots became awkward to assign to tasks.

Change ListUsers to treat bot ownership explicitly: the existing match
branch excludes rows owned by someone else, and a second branch always
returns bots owned by the calling user. The own-bots branch also
respects any AdditionalCond passed in so project-scoped listings don't
start leaking bots from outside the project.
2026-05-01 14:44:10 +00:00
kolaente 999e28435e feat(avatar): use distinct marble palette for bot users
Bot users now render with a cool-toned (blue/cyan/violet/teal/indigo)
marble variant so they're visually distinguishable from human users.
Marble's rendering logic is parameterized with a palette; the route
forces the bot palette whenever the resolved user is a bot, overriding
whatever avatar provider they'd otherwise inherit.
2026-05-01 14:44:10 +00:00