fix(tasks): audit pass — permission checks, tool gaps, hard reload

- PUT/PATCH/DELETE /api/tasks/:id now use get_note_for_user + can_write_note
  so shared project editors can mutate tasks; owners unaffected
- PATCH /api/tasks/:id/status gets same treatment
- All write routes call update_note/delete_note with note.user_id (owner)
  not the accessing user's uid, matching the milestone fix pattern
- create_task tool gains tags (array) and status (enum) parameters;
  handler now passes tags to create_note and respects initial status
- create_task tool response now includes milestone_id and parent_id
- update_note tool gains milestone parameter; handler resolves the
  milestone by title within the note's current (or newly set) project,
  clears milestone_id when project is cleared
- list_tasks tool gains q keyword search parameter; passed through
  to list_notes
- TaskEditorView: replace window.location.reload() with
  router.push('/tasks/:id') after save

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
2026-04-04 13:48:07 -04:00
parent c5191837fb
commit d9bd16633f
3 changed files with 69 additions and 7 deletions
+1 -1
View File
@@ -333,7 +333,7 @@ async function save() {
savedParentId = parentId.value;
dirty.value = false;
toast.show("Task saved");
window.location.reload();
router.push(`/tasks/${taskId.value}`);
} else {
const task = await store.createTask(data);
dirty.value = false;