feat: Task management enhancements (#215)

[rubenvdlinde]

Closes #215

Summary

Implement task management MVP enhancements to Procest: task list filtering and search, task validation utilities, lifecycle transition error feedback, and case reference validation on task creation. All features enable users to manage tasks more effectively with better discoverability and validation.

Spec Reference

• Issue: Implement: Task Management #215
• Spec: openspec/changes/task-management/design.md

Changes

• src/utils/taskValidation.js — Validation utilities for task create/update/transition operations with user-facing error messages
• src/views/tasks/TaskList.vue — Enhanced with filter bar (status, priority, assignee), search functionality, improved overdue highlighting
• src/views/tasks/TaskDetail.vue — Added lifecycle transition error feedback, auto-set completedDate on completion
• src/views/tasks/TaskCreateDialog.vue — Case reference validation (required field)
• openspec/changes/task-management/design.md — Updated spec documentation with implementation status

Test Coverage

• Core task validation logic via taskValidation.js functions (validateTaskCreate, validateTaskUpdate, validateTaskTransition)
• Filter and search logic in TaskList.vue computed properties (filteredObjects)
• Transition validation integration in TaskDetail.vue (transitionTo method)
• Case validation in TaskCreateDialog.vue (submit method)
• Overdue highlighting and visual indicators on list view
• completedDate auto-set on transition to completed status
• Error messages are user-facing and explain required actions

Implementation Notes

• All task transitions validated before save to prevent invalid state moves
• completedDate auto-set to current ISO timestamp on completion transition
• Case field required for all new tasks per specification
• Overdue tasks highlighted with visual indicators on list view
• Error messages are user-facing and explain required actions

[github-actions]

Quality Report — ConductionNL/procest @ 9fc6068

Check	PHP	Vue	Security	License	Tests
lint	✅
phpcs	❌
phpmd	✅
psalm	✅
phpstan	✅
phpmetrics	✅
eslint		❌
stylelint		❌
composer			✅	✅ 100/100
npm			❌	❌
PHPUnit					⏭️
Newman					⏭️
Playwright					⏭️

---

Quality workflow — 2026-04-21 04:53 UTC

Download the full PDF report from the workflow artifacts.

[rubenvdlinde]

Code Review — Juan Claude van Damme

Result: FAIL (0 fixed, 3 unfixed, 3 blocking)

Gate status

Gate	Result	Notes
hydra-gates (manual)	✅ PASS	Skill unavailable; ran all 4 gates manually
spdx-headers	✅ PASS	All 8 changed files carry EUPL-1.2 headers
forbidden-patterns	✅ PASS	No debug calls in changed files
stub-scan	✅ PASS (manual)	No stub markers, empty run() bodies, or hardcoded fetches
composer-audit	✅ PASS	No CVEs
phpmd / phpstan / psalm	✅ PASS	No issues
phpcs	❌ FAIL	Failures in lib/ files (inherited pre-existing — out of scope for this PR's 8 changed files)
eslint	❌ NOT RUN	Binary unavailable in pre-run container; deps installed manually but native permission error blocked execution
stylelint	❌ NOT RUN	Same as eslint
phpunit	⚠️ SKIPPED	No PHP files in this PR

Changed-file findings

[SUGGESTION] src/views/tasks/TaskList.vue:344-349
File has two separate <style scoped> blocks. The second block contains only :deep(.row--overdue) and can be merged into the first. No functional impact. (Carried forward from previous cycle F-01.)

[unfixed: check-not-run — eslint]
eslint binary was not found in the pre-run container. Manual dependency installation hit a native-module permission error (napi-postinstall: Permission denied). Manual code review of all 8 changed JS/Vue files found no obvious lint violations. Formal gate evidence is missing — requires a clean npm ci environment.

[unfixed: check-not-run — stylelint]
Same environment root cause as eslint. Manual review of Vue <style> blocks found no violations.

[unfixed: inherited from base — phpcs]
phpcs reports missing @spec PHPDoc tags in ~90 lib/ files (AppointmentReminderJob.php, ShareMaintenanceJob.php, BerichtenboxReadStatusJob.php, and others). None of these files are in this PR's changed-files list. Volume exceeds bounded-fix scope for a single pass.

Code quality (changed files — all pass)

The 8 changed JS/Vue files are well-implemented:

• taskValidation.js correctly centralises validation; re-used in both TaskCreateDialog and TaskDetail (TASK-TM-01 properly wired)
• taskHelpers.js / taskLifecycle.js — clean utility modules with full JSDoc
• TaskDetail.vue transition error feedback with user-readable messages per lifecycle rules ✓
• TaskCreateDialog.vue case-required validation hooked through the shared utility ✓
• TaskList.vue filter bar + search using reactive computed — correct Vue 2.7 pattern ✓
• All @spec links resolve to valid anchors in openspec/changes/task-management/tasks.md

See inline findings above. Retry with a working npm ci environment to close the two check-not-run gates.

[rubenvdlinde]

[unfixed: suggestion-level, no action required] Rule: OWASP A01:2021 / defence-in-depth — Task status transitions are validated client-side via validateTaskTransition() before saveObject('task', …) is called. If the backend task save/patch handler does not enforce the same CMMN state-machine constraints, an authenticated user could bypass client validation by crafting a direct API call and place a task in an invalid lifecycle state. Recommend confirming that the API layer also rejects illegal status transitions (e.g. available→completed).

[rubenvdlinde]

Security Review — Clyde Barcode

Result: PASS (0 fixed, 1 unfixed SUGGESTION, 0 blocking)

Checks run

Check	Result
Semgrep p/security-audit + p/owasp-top-ten	✅ 0 findings
Semgrep p/secrets	✅ 0 findings
Gitleaks (changed files)	✅ No secrets
composer audit	✅ No packages flagged
npm audit --production	⚠️ Drift signal (see below)
Manual OWASP Top 10 diff review	✅ Clean

Findings

• Total: 1
• CRITICAL: 0
• WARNING: 0
• SUGGESTION: 1 (unfixed, non-blocking)
• False positives: 0

SUGGESTION — OWASP A01:2021 / defence-in-depth

src/views/tasks/TaskDetail.vue:178 — CMMN lifecycle transitions (available→active→completed etc.) are enforced client-side via validateTaskTransition(). If the backend task endpoint does not independently enforce the same state machine, an authenticated user could bypass the check via a direct API call. This PR adds the client-side guard (an improvement); recommend confirming backend-side enforcement exists. See inline comment for detail.

npm audit drift signal

The pre-review quality stage reported npm-audit: PASS. My manual npm audit --production run finds 14 pre-existing vulnerabilities in transitive dependencies (9 low, 4 moderate, 1 high — fast-xml-parser via webdav). None of these are introduced by this PR (no new dependencies added). This drift may reflect a threshold difference between pipeline and manual runs. Recommend investigating the fast-xml-parser HIGH finding (GHSA-8gc5-j5rx-235r) in a separate dependency-update ticket.

Skipped gates

gitleaks (orchestrator-skipped per quality report), phpunit, newman, trivy, publiccode, stub-scan

See inline comment for per-finding detail. No fixes applied; no blocking findings.