Stage

[evereq]

PR

• Have you followed the contributing guidelines?
• Have you explained what your changes do, and why they add value?

Please note: we will close your PR without comment if you do not check the boxes above and provide ALL requested information.

---

---

Summary by cubic

Enable dual task assignment to both teams and employees, and stabilize MCP Auth deployments and OAuth2 token exchange with proper envs, proxy headers, and error handling. Also added missing runtime dependencies to prevent startup issues.

• New Features

  • Tasks can be assigned to both employees and teams. Updated add-task-dialog and team-task-dialog to include employee multi-select, load existing members/teams, and send both on save.

• Bug Fixes

  • OAuth2 authorization code exchange: added strict parameter validation, detailed security logging, and try/catch with correct error responses.
  • Task mentions: only update mentions when mentionEmployeeIds is provided to avoid runtime errors.
  • MCP/MCP-Auth deployment: set NODE_ENV (demo=development, stage/prod=production), add MCP_AUTH_BASE_URL, and forward proxy headers via NGINX ingress to fix HTTPS/public URL detection; GitHub Actions now pass MCP_AUTH_BASE_URL.
  • Desktop/server: added @gauzy/plugin-integration-activepieces and @as-integrations/express5 to resolve missing runtime dependencies.

^{Written for commit 8654f96. Summary will update automatically on new commits.}

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch develop

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​types/​fs-extra@​5.0.2
	bcryptjs@​3.0.2

View full report

[greptile-apps]

Greptile Overview

Greptile Summary

This PR merges multiple improvements into the stage branch, including infrastructure configuration updates, dependency additions, and a new task dual assignment feature.

Key Changes:

• Infrastructure: Added proper proxy headers and NODE_ENV configuration to K8s manifests for correct HTTPS URL identification behind reverse proxies
• OAuth Server: Enhanced error handling with comprehensive try-catch blocks and detailed security logging throughout the authorization code grant flow
• Task Feature: Implemented dual assignment capability allowing tasks to be assigned to both employees and teams simultaneously (previously mutually exclusive)
• Dependencies: Added @gauzy/plugin-integration-activepieces and @as-integrations/express5 to desktop, server-api, and server packages
• Bug Fix: Fixed mention synchronization to only run when mentionEmployeeIds is explicitly provided, preventing unnecessary operations

PR Template Compliance:
The PR template checkboxes are not checked and no explanation of changes or value is provided, which violates the repository's contribution guidelines (custom instruction 90653f25-bd57-4517-ae57-772fe2013d9c).

Confidence Score: 4/5

• This PR is safe to merge with minor concerns about PR template compliance
• The code changes are well-structured and implement sensible improvements. The OAuth error handling enhancement follows best practices, the task dual assignment feature is properly implemented across both frontend components, and the infrastructure changes correctly address proxy header issues. The only concern is the incomplete PR template, which is a process issue rather than a code quality issue.
• No files require special attention - all changes are straightforward and well-implemented

Important Files Changed

File Analysis

Filename	Score	Overview
.deploy/k8s/k8s-manifest.mcp-auth.prod.yaml	5/5	Added NODE_ENV variable and proxy headers configuration for proper HTTPS URL identification
apps/desktop/src/package.json	5/5	Added @gauzy/plugin-integration-activepieces and @as-integrations/express5 dependencies
packages/auth/src/lib/mcp/server/oauth-authorization-server.ts	5/5	Added comprehensive try-catch error handling and enhanced logging to authorization code grant flow
packages/core/src/lib/tasks/task.service.ts	5/5	Fixed mention synchronization to only run when mentionEmployeeIds is explicitly provided
apps/gauzy/src/app/pages/tasks/components/team-task-dialog/team-task-dialog.component.ts	5/5	Implemented dual assignment feature allowing both team and employee assignment to tasks
packages/ui-core/shared/src/lib/tasks/add-task-dialog/add-task-dialog.component.ts	5/5	Removed radio toggle logic to enable dual assignment of tasks to both employees and teams simultaneously

Sequence Diagram

sequenceDiagram
    participant User
    participant TaskDialog
    participant EmployeeService
    participant TeamService
    participant TaskService
    participant MentionService
    participant OAuth2Server
    participant K8sIngress

    Note over User,TaskDialog: Task Dual Assignment Flow
    User->>TaskDialog: Create/Edit Task
    TaskDialog->>EmployeeService: loadEmployees()
    EmployeeService-->>TaskDialog: Employee List
    TaskDialog->>TeamService: loadTeams()
    TeamService-->>TaskDialog: Team List
    User->>TaskDialog: Select Employees & Teams
    TaskDialog->>TaskDialog: onSave()
    TaskDialog->>TaskService: createTask({members, teams})
    TaskService->>TaskService: Validate mentionEmployeeIds exists
    alt mentionEmployeeIds provided
        TaskService->>MentionService: updateEntityMentions(taskId, mentionIds)
        MentionService-->>TaskService: Success
    else mentionEmployeeIds not provided
        TaskService->>TaskService: Skip mention sync
    end
    TaskService-->>TaskDialog: Task Created/Updated
    TaskDialog-->>User: Success Message

    Note over OAuth2Server,K8sIngress: OAuth Authorization Flow
    User->>K8sIngress: POST /token (authorization_code)
    K8sIngress->>K8sIngress: Set X-Forwarded-Proto headers
    K8sIngress->>OAuth2Server: Forward request with headers
    OAuth2Server->>OAuth2Server: handleAuthorizationCodeGrant()
    OAuth2Server->>OAuth2Server: Validate params & client
    alt Validation Success
        OAuth2Server->>OAuth2Server: exchangeAuthorizationCode()
        OAuth2Server->>OAuth2Server: generateTokenPair()
        OAuth2Server->>OAuth2Server: Log success
        OAuth2Server-->>K8sIngress: Return tokens
    else Validation/Exchange Failure
        OAuth2Server->>OAuth2Server: Log detailed error
        OAuth2Server-->>K8sIngress: Return OAuth error
    end
    K8sIngress-->>User: Response

Loading

[greptile-apps]

_{18 files reviewed, no comments}

_{Edit Code Review Agent Settings | Greptile}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Update lockfile for new Express integration dependency

A new dependency @as-integrations/express5 was added here, but the root yarn.lock still has no entry for it (rg "@as-integrations/express5" yarn.lock returns nothing). Our workflows install with yarn install --frozen-lockfile (e.g., .github/workflows/server-mcp-stage.yml), so the next CI run will fail with a lockfile mismatch as soon as it tries to build this package. Please add the resolved version to yarn.lock to keep frozen installs working.

Useful? React with 👍 / 👎.

[cubic-dev-ai]

1 issue found across 18 files

Prompt for AI agents (all 1 issues)

Check if these issues are valid — if so, understand the root cause of each and fix them.


<file name="apps/server-api/src/package.json">

<violation number="1" location="apps/server-api/src/package.json:214">
`@as-integrations/express5` requires Express 5 as a peer dependency, but this package.json does not install `express@^5`, leading to unmet peer dependencies and runtime import failures.</violation>
</file>

_{Reply to cubic to teach it or ask questions. Re-run a review with @cubic-dev-ai review this PR}

[cubic-dev-ai]

@as-integrations/express5 requires Express 5 as a peer dependency, but this package.json does not install express@^5, leading to unmet peer dependencies and runtime import failures.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At apps/server-api/src/package.json, line 214:

<comment>`@as-integrations/express5` requires Express 5 as a peer dependency, but this package.json does not install `express@^5`, leading to unmet peer dependencies and runtime import failures.</comment>

<file context>
@@ -208,7 +210,8 @@
 		&quot;undici&quot;: &quot;^6.10.2&quot;,
-		&quot;custom-electron-titlebar&quot;: &quot;^4.2.8&quot;
+		&quot;custom-electron-titlebar&quot;: &quot;^4.2.8&quot;,
+		&quot;@as-integrations/express5&quot;: &quot;^1.1.2&quot;
 	},
 	&quot;optionalDependencies&quot;: {
</file context>