Initial commit: Beads issue tracker with security fixes

Core features: - Dependency-aware issue tracking with SQLite backend - Ready work detection (issues with no open blockers) - Dependency tree visualization - Cycle detection and prevention - Full audit trail - CLI with colored output Security and correctness fixes applied: - Fixed SQL injection vulnerability in UpdateIssue (whitelisted fields) - Fixed race condition in ID generation (added mutex) - Fixed cycle detection to return full paths (not just issue IDs) - Added cycle prevention in AddDependency (validates before commit) - Added comprehensive input validation (priority, status, types, etc.) - Fixed N+1 query in GetBlockedIssues (using GROUP_CONCAT) - Improved query building in GetReadyWork (proper string joining) - Fixed P0 priority filter bug (using Changed() instead of value check) All critical and major issues from code review have been addressed. 🤖 Generated with Claude Code
2025-10-11 20:07:36 -07:00
commit 704515125d
19 changed files with 3976 additions and 0 deletions
--- a/internal/storage/sqlite/schema.go
+++ b/internal/storage/sqlite/schema.go
@@ -0,0 +1,93 @@
+package sqlite
+
+const schema = `
+-- Issues table
+CREATE TABLE IF NOT EXISTS issues (
+    id TEXT PRIMARY KEY,
+    title TEXT NOT NULL CHECK(length(title) <= 500),
+    description TEXT NOT NULL DEFAULT '',
+    design TEXT NOT NULL DEFAULT '',
+    acceptance_criteria TEXT NOT NULL DEFAULT '',
+    notes TEXT NOT NULL DEFAULT '',
+    status TEXT NOT NULL DEFAULT 'open',
+    priority INTEGER NOT NULL DEFAULT 2 CHECK(priority >= 0 AND priority <= 4),
+    issue_type TEXT NOT NULL DEFAULT 'task',
+    assignee TEXT,
+    estimated_minutes INTEGER,
+    created_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    updated_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    closed_at DATETIME
+);
+
+CREATE INDEX IF NOT EXISTS idx_issues_status ON issues(status);
+CREATE INDEX IF NOT EXISTS idx_issues_priority ON issues(priority);
+CREATE INDEX IF NOT EXISTS idx_issues_assignee ON issues(assignee);
+CREATE INDEX IF NOT EXISTS idx_issues_created_at ON issues(created_at);
+
+-- Dependencies table
+CREATE TABLE IF NOT EXISTS dependencies (
+    issue_id TEXT NOT NULL,
+    depends_on_id TEXT NOT NULL,
+    type TEXT NOT NULL DEFAULT 'blocks',
+    created_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    created_by TEXT NOT NULL,
+    PRIMARY KEY (issue_id, depends_on_id),
+    FOREIGN KEY (issue_id) REFERENCES issues(id) ON DELETE CASCADE,
+    FOREIGN KEY (depends_on_id) REFERENCES issues(id) ON DELETE CASCADE
+);
+
+CREATE INDEX IF NOT EXISTS idx_dependencies_issue ON dependencies(issue_id);
+CREATE INDEX IF NOT EXISTS idx_dependencies_depends_on ON dependencies(depends_on_id);
+
+-- Labels table
+CREATE TABLE IF NOT EXISTS labels (
+    issue_id TEXT NOT NULL,
+    label TEXT NOT NULL,
+    PRIMARY KEY (issue_id, label),
+    FOREIGN KEY (issue_id) REFERENCES issues(id) ON DELETE CASCADE
+);
+
+CREATE INDEX IF NOT EXISTS idx_labels_label ON labels(label);
+
+-- Events table (audit trail)
+CREATE TABLE IF NOT EXISTS events (
+    id INTEGER PRIMARY KEY AUTOINCREMENT,
+    issue_id TEXT NOT NULL,
+    event_type TEXT NOT NULL,
+    actor TEXT NOT NULL,
+    old_value TEXT,
+    new_value TEXT,
+    comment TEXT,
+    created_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    FOREIGN KEY (issue_id) REFERENCES issues(id) ON DELETE CASCADE
+);
+
+CREATE INDEX IF NOT EXISTS idx_events_issue ON events(issue_id);
+CREATE INDEX IF NOT EXISTS idx_events_created_at ON events(created_at);
+
+-- Ready work view
+CREATE VIEW IF NOT EXISTS ready_issues AS
+SELECT i.*
+FROM issues i
+WHERE i.status = 'open'
+  AND NOT EXISTS (
+    SELECT 1 FROM dependencies d
+    JOIN issues blocked ON d.depends_on_id = blocked.id
+    WHERE d.issue_id = i.id
+      AND d.type = 'blocks'
+      AND blocked.status IN ('open', 'in_progress', 'blocked')
+  );
+
+-- Blocked issues view
+CREATE VIEW IF NOT EXISTS blocked_issues AS
+SELECT
+    i.*,
+    COUNT(d.depends_on_id) as blocked_by_count
+FROM issues i
+JOIN dependencies d ON i.id = d.issue_id
+JOIN issues blocker ON d.depends_on_id = blocker.id
+WHERE i.status IN ('open', 'in_progress', 'blocked')
+  AND d.type = 'blocks'
+  AND blocker.status IN ('open', 'in_progress', 'blocked')
+GROUP BY i.id;
+`