From fbc6a379595bf4420eafc8599c459a17d2776e2d Mon Sep 17 00:00:00 2001
From: kelvin calcano <kelvin@vmi2907809.contaboserver.net>
Date: Thu, 12 Feb 2026 18:42:23 +0100
Subject: [PATCH 01/28] feat: add task comments

- Add comments UI in task modal\n- Add comments API endpoints + types\n- Add SQL migration for task_comments + RLS policies\n- Add Playwright E2E + component tests\n- Update DB schema docs
---
 backend/src/controllers/taskController.js | 100 ++++++++++++++-
 backend/src/routes/tasks.js               |  57 ++++++++-
 docs/DATABASE_SCHEMA.md                   |  53 ++++++++
 e2e/page-objects/auth.page.ts             |  14 ++-
 e2e/task-comments.spec.ts                 |  83 +++++++++++++
 migrations/001_create_task_comments.sql   |  45 +++++++
 src/components/TaskComments.tsx           | 142 ++++++++++++++++++++++
 src/components/TaskDetailModal.tsx        |   7 ++
 src/locales/en.json                       |   5 +-
 src/locales/es.json                       |   5 +-
 src/services/taskService.ts               |  66 +++++++++-
 src/test/components/TaskComments.test.tsx | 101 +++++++++++++++
 src/test/setup.ts                         |   4 +
 src/types/Task.ts                         |  10 ++
 14 files changed, 685 insertions(+), 7 deletions(-)
 create mode 100644 e2e/task-comments.spec.ts
 create mode 100644 migrations/001_create_task_comments.sql
 create mode 100644 src/components/TaskComments.tsx
 create mode 100644 src/test/components/TaskComments.test.tsx

diff --git a/backend/src/controllers/taskController.js b/backend/src/controllers/taskController.js
index 1426298..2031235 100644
--- a/backend/src/controllers/taskController.js
+++ b/backend/src/controllers/taskController.js
@@ -377,10 +377,108 @@ const deleteTask = async (req, res) => {
   }
 };
 
+/**
+ * Get all comments for a specific task
+ */
+const getComments = async (req, res) => {
+  try {
+    const { id: task_id } = req.params;
+    const user_id = req.user.id;
+
+    const db = req.supabase || supabaseClient.supabase;
+
+    // Verify task belongs to user
+    const { data: task, error: taskErr } = await db
+      .from('tasks')
+      .select('id')
+      .eq('id', task_id)
+      .eq('user_id', user_id)
+      .single();
+
+    if (taskErr || !task) {
+      return res.status(404).json({ error: 'Task not found' });
+    }
+
+    const { data: comments, error } = await db
+      .from('task_comments')
+      .select('*')
+      .eq('task_id', task_id)
+      .order('created_at', { ascending: true });
+
+    if (error) throw error;
+
+    res.status(200).json({ comments });
+  } catch (error) {
+    console.error('Get comments error:', error);
+    res.status(500).json({ error: 'Internal server error' });
+  }
+};
+
+/**
+ * Add a new comment to a task
+ */
+const addComment = async (req, res) => {
+  try {
+    const { id: task_id } = req.params;
+    const { content } = req.body;
+    const user_id = req.user.id;
+
+    if (!content || !content.trim()) {
+      return res.status(400).json({ error: 'Content is required' });
+    }
+
+    const db = req.supabase || supabaseClient.supabase;
+
+    // Verify task belongs to user
+    const { data: task, error: taskErr } = await db
+      .from('tasks')
+      .select('id')
+      .eq('id', task_id)
+      .eq('user_id', user_id)
+      .single();
+
+    if (taskErr || !task) {
+      return res.status(404).json({ error: 'Task not found' });
+    }
+
+    // Get user profile for author info
+    const { data: profile } = await db
+      .from('profiles')
+      .select('username, display_name, avatar_url')
+      .eq('id', user_id)
+      .single();
+
+    const author_name = profile?.display_name || profile?.username || req.user.email;
+    const author_avatar = profile?.avatar_url || null;
+
+    const { data: comment, error } = await db
+      .from('task_comments')
+      .insert([{
+        task_id,
+        user_id,
+        author_name,
+        author_avatar,
+        content: content.trim()
+      }])
+      .select()
+      .single();
+
+    if (error) throw error;
+
+    res.status(201).json({ comment });
+  } catch (error) {
+    console.error('Add comment error:', error);
+    res.status(500).json({ error: 'Internal server error' });
+  }
+};
+
+
 module.exports = {
   createTask,
   getTasks,
   getTaskById,
   updateTask,
-  deleteTask
+  deleteTask,
+  getComments,
+  addComment
 };
diff --git a/backend/src/routes/tasks.js b/backend/src/routes/tasks.js
index d79954a..d05f405 100644
--- a/backend/src/routes/tasks.js
+++ b/backend/src/routes/tasks.js
@@ -6,7 +6,9 @@ const {
   getTasks,
   getTaskById,
   updateTask,
-  deleteTask
+  deleteTask,
+  getComments,
+  addComment
 } = require('../controllers/taskController');
 
 // Apply authentication middleware to all task routes
@@ -151,4 +153,57 @@ router.put('/:id', updateTask);
  */
 router.delete('/:id', deleteTask);
 
+/**
+ * @swagger
+ * /tasks/{id}/comments:
+ *   get:
+ *     summary: Get all comments for a task
+ *     tags: [Tasks]
+ *     security:
+ *       - bearerAuth: []
+ *     parameters:
+ *       - in: path
+ *         name: id
+ *         required: true
+ *         schema:
+ *           type: string
+ *         description: Task ID
+ *     responses:
+ *       200:
+ *         description: List of comments
+ */
+router.get('/:id/comments', getComments);
+
+/**
+ * @swagger
+ * /tasks/{id}/comments:
+ *   post:
+ *     summary: Add a comment to a task
+ *     tags: [Tasks]
+ *     security:
+ *       - bearerAuth: []
+ *     parameters:
+ *       - in: path
+ *         name: id
+ *         required: true
+ *         schema:
+ *           type: string
+ *         description: Task ID
+ *     requestBody:
+ *       required: true
+ *       content:
+ *         application/json:
+ *           schema:
+ *             type: object
+ *             required:
+ *               - content
+ *             properties:
+ *               content:
+ *                 type: string
+ *     responses:
+ *       201:
+ *         description: Comment created
+ */
+router.post('/:id/comments', addComment);
+
 module.exports = router;
diff --git a/docs/DATABASE_SCHEMA.md b/docs/DATABASE_SCHEMA.md
index f4d2575..6da57bb 100644
--- a/docs/DATABASE_SCHEMA.md
+++ b/docs/DATABASE_SCHEMA.md
@@ -62,6 +62,20 @@ Stores the tasks for each user. Each task is linked to a user and supports hiera
 | `created_at`      | `timestamptz` | Not Null, Default `now()`                          |
 | `updated_at`      | `timestamptz` | Not Null, Default `now()`                          |
 
+### `public.task_comments`
+
+Stores comments on tasks. Each comment belongs to a task and is authored by a user.
+
+| Column          | Type          | Constraints |
+|-----------------|---------------|------------|
+| `id`            | `uuid`        | Primary Key, Default `gen_random_uuid()` |
+| `task_id`       | `bigint`      | Not Null, Foreign Key to `public.tasks(id)`, On Delete CASCADE |
+| `user_id`       | `uuid`        | Not Null, Foreign Key to `auth.users(id)` |
+| `author_name`   | `text`        | Not Null |
+| `author_avatar` | `text`        | Nullable |
+| `content`       | `text`        | Not Null |
+| `created_at`    | `timestamptz` | Not Null, Default `now()` |
+
 ### `public.feature_requests`
 
 Stores user feedback, bug reports, and feature requests.
@@ -149,6 +163,45 @@ CREATE POLICY "Users can delete own tasks"
 
 **Note:** Backend API implements additional user isolation at the application level through JWT validation.
 
+### `task_comments` Table Policies
+
+Users can view and create comments **only on their own tasks**. Users can delete their own comments.
+
+```sql
+-- Enable RLS
+ALTER TABLE public.task_comments ENABLE ROW LEVEL SECURITY;
+
+-- Select: user can see comments where the parent task belongs to them
+CREATE POLICY "Users can view comments on their own tasks"
+  ON public.task_comments
+  FOR SELECT
+  USING (
+    EXISTS (
+      SELECT 1 FROM public.tasks
+      WHERE public.tasks.id = public.task_comments.task_id
+      AND public.tasks.user_id = auth.uid()
+    )
+  );
+
+-- Insert: user can add comments where the parent task belongs to them
+CREATE POLICY "Users can create comments on their own tasks"
+  ON public.task_comments
+  FOR INSERT
+  WITH CHECK (
+    EXISTS (
+      SELECT 1 FROM public.tasks
+      WHERE public.tasks.id = public.task_comments.task_id
+      AND public.tasks.user_id = auth.uid()
+    )
+  );
+
+-- Delete: user can delete their own comments
+CREATE POLICY "Users can delete their own comments"
+  ON public.task_comments
+  FOR DELETE
+  USING (auth.uid() = user_id);
+```
+
 ### `time_entries` Table Policies
 
 Users can only see and manage their own time entries. Policies assume `time_entries.user_id` is set on insert/update by the backend.
diff --git a/e2e/page-objects/auth.page.ts b/e2e/page-objects/auth.page.ts
index 3b0ed1d..d032455 100644
--- a/e2e/page-objects/auth.page.ts
+++ b/e2e/page-objects/auth.page.ts
@@ -20,8 +20,18 @@ export class AuthPage {
 
   // Login actions
   async login(email: string, password: string, expectSuccess: boolean = true) {
-    await this.page.locator('[data-testid="email-input"]').fill(email);
-    await this.page.locator('[data-testid="password-input"]').fill(password);
+    const emailInput = this.page.locator('[data-testid="email-input"]');
+    const passwordInput = this.page.locator('[data-testid="password-input"]');
+    
+    // Use fill instead of type for reliability with browser autofill
+    await emailInput.click();
+    await emailInput.fill(email);
+    await expect(emailInput).toHaveValue(email);
+    
+    await passwordInput.click();
+    await passwordInput.fill(password);
+    await expect(passwordInput).toHaveValue(password);
+    
     await this.page.locator('[data-testid="login-button"]').click();
 
     if (expectSuccess) {
diff --git a/e2e/task-comments.spec.ts b/e2e/task-comments.spec.ts
new file mode 100644
index 0000000..f519c2f
--- /dev/null
+++ b/e2e/task-comments.spec.ts
@@ -0,0 +1,83 @@
+import { test, expect } from '@playwright/test';
+import { AppPage } from './page-objects/app.page';
+import { TaskPage } from './page-objects/task.page';
+import { AuthPage } from './page-objects/auth.page';
+
+const generateUniqueTitle = (base: string) => `${base} - ${Date.now()}-${Math.floor(Math.random() * 1000)}`;
+
+test.describe('Task Comments', () => {
+  let appPage: AppPage;
+  let taskPage: TaskPage;
+  let authPage: AuthPage;
+
+  test.beforeEach(async ({ page }) => {
+    appPage = new AppPage(page);
+    taskPage = new TaskPage(page);
+    authPage = new AuthPage(page);
+
+    await appPage.goto();
+    // Clear state
+    await page.evaluate(() => localStorage.clear());
+    await page.reload();
+
+    await authPage.goToLogin();
+    
+    // Slow down typing to avoid race conditions
+    const email = process.env.E2E_USER_TASK_EMAIL || 'automation-kolium-task@yopmail.com';
+    const password = process.env.E2E_USER_TASK_PASSWORD || 'Automation123';
+    
+    await authPage.login(email, password);
+    
+    // Wait for the app to be fully loaded
+    await appPage.waitForLoadingComplete();
+  });
+
+  test('should add and view comments on a task', async ({ page }) => {
+    test.setTimeout(60000); // Increase timeout for this test
+    const taskTitle = generateUniqueTitle('Comment Task');
+    
+    await appPage.openAddTaskModal();
+    await taskPage.createTask({ title: taskTitle, description: 'Task for comments' });
+    
+    // Search for the task to ensure it's visible
+    await appPage.searchTasks(taskTitle);
+    const taskCard = page.getByText(taskTitle).first();
+    await expect(taskCard).toBeVisible({ timeout: 10000 });
+
+    // Open task detail
+    await taskCard.click();
+    
+    // Check comments section - wait for it to be visible
+    const commentsHeader = page.locator('h3').filter({ hasText: 'Comments' });
+    await expect(commentsHeader).toBeVisible({ timeout: 10000 });
+    
+    // Wait for loading to finish or empty message
+    const emptyMsg = page.getByText('No comments yet.').first();
+    const loadingMsg = page.getByText('Loading...').first();
+    
+    await expect(loadingMsg.or(emptyMsg)).toBeVisible();
+
+    // Add comment
+    const commentContent = 'This is a test comment from E2E - ' + Date.now();
+    const textarea = page.getByTestId('comment-input');
+    await textarea.click();
+    await textarea.fill(commentContent);
+    
+    // Check if button is enabled
+    const sendButton = page.getByTestId('add-comment-button');
+    await expect(sendButton).toBeEnabled();
+    
+    await sendButton.click();
+
+    // Verify comment
+    await expect(page.getByText(commentContent)).toBeVisible({ timeout: 15000 });
+    await expect(page.getByText('No comments yet.')).not.toBeVisible();
+
+    // persistence check
+    await page.locator('button[aria-label="Close modal"]').click();
+    await appPage.clearSearch();
+    await appPage.searchTasks(taskTitle);
+    await page.getByText(taskTitle).first().click();
+    await expect(page.getByText(commentContent)).toBeVisible({ timeout: 10000 });
+  });
+});
diff --git a/migrations/001_create_task_comments.sql b/migrations/001_create_task_comments.sql
new file mode 100644
index 0000000..6caddc7
--- /dev/null
+++ b/migrations/001_create_task_comments.sql
@@ -0,0 +1,45 @@
+-- Migration: Create task_comments table
+-- Run this in Supabase SQL Editor
+
+CREATE TABLE IF NOT EXISTS public.task_comments (
+  id uuid DEFAULT gen_random_uuid() PRIMARY KEY,
+  task_id bigint NOT NULL REFERENCES public.tasks(id) ON DELETE CASCADE,
+  user_id uuid NOT NULL REFERENCES auth.users(id),
+  author_name text NOT NULL,
+  author_avatar text,
+  content text NOT NULL,
+  created_at timestamp with time zone DEFAULT TIMEZONE('utc'::text, NOW()) NOT NULL
+);
+
+-- Enable Row Level Security
+ALTER TABLE public.task_comments ENABLE ROW LEVEL SECURITY;
+
+-- Policies
+CREATE POLICY "Users can view comments on their own tasks"
+  ON public.task_comments
+  FOR SELECT
+  USING (
+    EXISTS (
+      SELECT 1 FROM public.tasks
+      WHERE public.tasks.id = public.task_comments.task_id
+      AND public.tasks.user_id = auth.uid()
+    )
+  );
+
+CREATE POLICY "Users can create comments on their own tasks"
+  ON public.task_comments
+  FOR INSERT
+  WITH CHECK (
+    EXISTS (
+      SELECT 1 FROM public.tasks
+      WHERE public.tasks.id = public.task_comments.task_id
+      AND public.tasks.user_id = auth.uid()
+    )
+  );
+
+CREATE POLICY "Users can delete their own comments"
+  ON public.task_comments
+  FOR DELETE
+  USING (
+    auth.uid() = user_id
+  );
diff --git a/src/components/TaskComments.tsx b/src/components/TaskComments.tsx
new file mode 100644
index 0000000..9bd7932
--- /dev/null
+++ b/src/components/TaskComments.tsx
@@ -0,0 +1,142 @@
+import React, { useState, useEffect } from 'react';
+import { useTranslation } from 'react-i18next';
+import { TaskComment } from '../types/Task';
+import { taskService } from '../services/taskService';
+import { useTheme } from '../contexts/ThemeContext';
+import { MessageSquare, Send, User } from 'lucide-react';
+import { formatDate } from '../utils/taskUtils';
+
+interface TaskCommentsProps {
+  taskId: string;
+}
+
+export const TaskComments: React.FC<TaskCommentsProps> = ({ taskId }) => {
+  const { t } = useTranslation();
+  const { theme } = useTheme();
+  const [comments, setComments] = useState<TaskComment[]>([]);
+  const [newComment, setNewComment] = useState('');
+  const [isLoading, setIsLoading] = useState(true);
+  const [isSubmitting, setIsSubmitting] = useState(false);
+
+  const fetchComments = async () => {
+    setIsLoading(true);
+    try {
+      const response = await taskService.getComments(taskId);
+      if (response.data) {
+        setComments(response.data);
+      }
+    } catch (error) {
+      console.error('Error fetching comments:', error);
+    } finally {
+      setIsLoading(false);
+    }
+  };
+
+  useEffect(() => {
+    fetchComments();
+  }, [taskId]);
+
+  const handleSubmit = async (e: React.FormEvent) => {
+    e.preventDefault();
+    if (!newComment.trim() || isSubmitting) return;
+
+    setIsSubmitting(true);
+    try {
+      const response = await taskService.addComment(taskId, newComment);
+      if (response.data) {
+        setComments((prev) => [...prev, response.data!]);
+        setNewComment('');
+      }
+    } catch (error) {
+      console.error('Error adding comment:', error);
+    } finally {
+      setIsSubmitting(false);
+    }
+  };
+
+  return (
+    <div className="space-y-4">
+      <div className="flex items-center gap-2">
+        <MessageSquare size={18} className="text-indigo-500" />
+        <h3 className={`text-sm font-semibold uppercase tracking-wider ${
+          theme === 'dark' ? 'text-gray-400' : 'text-gray-500'
+        }`}>
+          {t('tasks.comments', 'Comments')}
+        </h3>
+      </div>
+
+      {/* Comment List */}
+      <div className="space-y-3 max-h-60 overflow-y-auto pr-2 custom-scrollbar">
+        {isLoading ? (
+          <p className="text-sm text-gray-500 italic">{t('common.loading')}</p>
+        ) : comments.length === 0 ? (
+          <p className="text-sm text-gray-500 italic">{t('tasks.no_comments', 'No comments yet.')}</p>
+        ) : (
+          comments.map((comment) => (
+            <div
+              key={comment.id}
+              className={`p-3 rounded-lg border ${
+                theme === 'dark' ? 'bg-gray-700/30 border-gray-600' : 'bg-gray-50 border-gray-100'
+              }`}
+            >
+              <div className="flex items-start justify-between gap-2 mb-1">
+                <div className="flex items-center gap-2">
+                  <div className={`p-1 rounded-full ${
+                    theme === 'dark' ? 'bg-gray-600' : 'bg-gray-200'
+                  }`}>
+                    {comment.authorAvatar ? (
+                      <img src={comment.authorAvatar} alt={comment.authorName} className="w-5 h-5 rounded-full" />
+                    ) : (
+                      <User size={12} className="text-gray-500" />
+                    )}
+                  </div>
+                  <span className={`text-xs font-bold ${
+                    theme === 'dark' ? 'text-gray-200' : 'text-gray-700'
+                  }`}>
+                    {comment.authorName}
+                  </span>
+                </div>
+                <span className="text-[10px] text-gray-400">
+                  {formatDate(comment.createdAt)}
+                </span>
+              </div>
+              <p className={`text-sm whitespace-pre-wrap ${
+                theme === 'dark' ? 'text-gray-300' : 'text-gray-600'
+              }`}>
+                {comment.content}
+              </p>
+            </div>
+          ))
+        )}
+      </div>
+
+      {/* New Comment Form */}
+      <form onSubmit={handleSubmit} className="relative" data-testid="add-comment-form">
+        <textarea
+          value={newComment}
+          onChange={(e) => setNewComment(e.target.value)}
+          placeholder={t('tasks.add_comment_placeholder', 'Add a comment...')}
+          rows={2}
+          data-testid="comment-input"
+          className={`w-full p-3 pr-12 text-sm rounded-lg border focus:outline-none focus:ring-2 focus:ring-indigo-500 transition-all ${
+            theme === 'dark'
+              ? 'bg-gray-900 border-gray-700 text-gray-100'
+              : 'bg-white border-gray-200 text-gray-900'
+          }`}
+        />
+        <button
+          type="submit"
+          data-testid="add-comment-button"
+          disabled={!newComment.trim() || isSubmitting}
+          className={`absolute right-2 bottom-2 p-2 rounded-lg transition-colors ${
+            !newComment.trim() || isSubmitting
+              ? 'text-gray-400'
+              : 'text-indigo-500 hover:bg-indigo-50'
+          }`}
+        >
+          <Send size={18} />
+        </button>
+      </form>
+    </div>
+  );
+};
diff --git a/src/components/TaskDetailModal.tsx b/src/components/TaskDetailModal.tsx
index 1129430..5a5b3db 100644
--- a/src/components/TaskDetailModal.tsx
+++ b/src/components/TaskDetailModal.tsx
@@ -8,6 +8,8 @@ import { formatDate, getStatusColor, formatTime } from '../utils/taskUtils';
 import { X, Calendar, Clock, Edit2, AlertCircle, CheckCircle, Calculator, User } from 'lucide-react';
 import { extractAttachments } from '../utils/attachmentUtils';
 import { AttachmentList } from './AttachmentList';
+import { TaskComments } from './TaskComments';
+
 
 interface TaskDetailModalProps {
   task: Task | null;
@@ -182,6 +184,11 @@ export const TaskDetailModal: React.FC<TaskDetailModalProps> = ({
                 </div>
               </div>
 
+              <hr className={`${theme === 'dark' ? 'border-gray-700' : 'border-gray-200'}`} />
+
+              {/* Comments Section */}
+              <TaskComments taskId={task.id} />
+
               {/* Stats / Metadata */}
               <div className={`grid grid-cols-1 sm:grid-cols-2 gap-4 p-4 rounded-lg ${theme === 'dark' ? 'bg-gray-700/50' : 'bg-gray-50'
                 }`}>
diff --git a/src/locales/en.json b/src/locales/en.json
index 2e9c04c..cb3c25d 100644
--- a/src/locales/en.json
+++ b/src/locales/en.json
@@ -113,7 +113,10 @@
         "add_subtask": "Add Subtask",
         "cannot_complete_subtasks": "Cannot complete a task that has incomplete subtasks",
         "subtask_of": "Subtask of",
-        "parents": "Parents"
+        "parents": "Parents",
+        "comments": "Comments",
+        "no_comments": "No comments yet.",
+        "add_comment_placeholder": "Add a comment..."
     },
     "nav": {
         "dashboard": "Dashboard",
diff --git a/src/locales/es.json b/src/locales/es.json
index 6379505..9f3cc57 100644
--- a/src/locales/es.json
+++ b/src/locales/es.json
@@ -113,7 +113,10 @@
         "add_subtask": "Añadir Subtarea",
         "cannot_complete_subtasks": "No se puede completar una tarea que tiene subtareas incompletas",
         "subtask_of": "Subtarea de",
-        "parents": "Padres"
+        "parents": "Padres",
+        "comments": "Comentarios",
+        "no_comments": "Aún no hay comentarios.",
+        "add_comment_placeholder": "Añadir un comentario..."
     },
     "nav": {
         "dashboard": "Tablero",
diff --git a/src/services/taskService.ts b/src/services/taskService.ts
index 8eb74e8..4cd1f83 100644
--- a/src/services/taskService.ts
+++ b/src/services/taskService.ts
@@ -1,5 +1,5 @@
 import supabase, { supabaseUrl } from '../lib/supabaseClient';
-import { Task, TaskStatus } from '../types/Task';
+import { Task, TaskStatus, TaskComment } from '../types/Task';
 import { API_BASE_URL } from '../utils/apiConfig';
 
 export interface UploadResult {
@@ -44,6 +44,16 @@ interface BackendTask {
   responsible?: string | null;
 }
 
+interface BackendComment {
+  id: string;
+  task_id: number;
+  user_id: string;
+  author_name: string;
+  author_avatar: string | null;
+  content: string;
+  created_at: string;
+}
+
 // No mapping needed; backend and frontend share the same status values
 
 /**
@@ -390,6 +400,60 @@ export class TaskService {
     return { data: { id: (response.data as any).entry.id } } as any;
   }
 
+  /**
+   * Convert backend comment to frontend TaskComment format
+   */
+  private convertBackendCommentToFrontend(bc: BackendComment): TaskComment {
+    return {
+      id: bc.id,
+      taskId: String(bc.task_id),
+      userId: bc.user_id,
+      authorName: bc.author_name,
+      authorAvatar: bc.author_avatar || undefined,
+      content: bc.content,
+      createdAt: new Date(bc.created_at),
+    };
+  }
+
+  /**
+   * Get all comments for a specific task
+   */
+  async getComments(taskId: string): Promise<ApiResponse<TaskComment[]>> {
+    const response = await this.makeRequest<{ comments: BackendComment[] }>(`/api/tasks/${taskId}/comments`);
+
+    if (response.error) {
+      return { error: response.error };
+    }
+
+    if (response.data?.comments) {
+      const comments = response.data.comments.map((bc) => this.convertBackendCommentToFrontend(bc));
+      return { data: comments };
+    }
+
+    return { error: 'Invalid response from server' };
+  }
+
+  /**
+   * Add a new comment to a task
+   */
+  async addComment(taskId: string, content: string): Promise<ApiResponse<TaskComment>> {
+    const response = await this.makeRequest<{ comment: BackendComment }>(`/api/tasks/${taskId}/comments`, {
+      method: 'POST',
+      body: JSON.stringify({ content }),
+    });
+
+    if (response.error) {
+      return { error: response.error };
+    }
+
+    if (response.data?.comment) {
+      const newComment = this.convertBackendCommentToFrontend(response.data.comment);
+      return { data: newComment };
+    }
+
+    return { error: 'Failed to add comment' };
+  }
+
   /**
    * Check if user is authenticated
    */
diff --git a/src/test/components/TaskComments.test.tsx b/src/test/components/TaskComments.test.tsx
new file mode 100644
index 0000000..cdb4474
--- /dev/null
+++ b/src/test/components/TaskComments.test.tsx
@@ -0,0 +1,101 @@
+import { render, screen, fireEvent, waitFor } from '@testing-library/react';
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+import { TaskComments } from '../../components/TaskComments';
+import { ThemeProvider } from '../../contexts/ThemeContext';
+import { taskService } from '../../services/taskService';
+
+vi.mock('../../services/taskService', () => ({
+  taskService: {
+    getComments: vi.fn(),
+    addComment: vi.fn(),
+  },
+}));
+
+const mockComments = [
+  {
+    id: 'c1',
+    taskId: '1',
+    userId: 'u1',
+    authorName: 'User One',
+    content: 'First comment',
+    createdAt: new Date('2024-01-01T10:00:00Z'),
+  },
+  {
+    id: 'c2',
+    taskId: '1',
+    userId: 'u2',
+    authorName: 'Bot One',
+    content: 'Second comment',
+    createdAt: new Date('2024-01-01T11:00:00Z'),
+  },
+];
+
+const renderWithTheme = (component: React.ReactNode) => {
+  return render(
+    <ThemeProvider>
+      {component}
+    </ThemeProvider>
+  );
+};
+
+describe('TaskComments', () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  it('should render comments and handle loading state', async () => {
+    vi.mocked(taskService.getComments).mockResolvedValue({ data: mockComments });
+
+    renderWithTheme(<TaskComments taskId="1" />);
+
+    expect(screen.getByText('Loading...')).toBeInTheDocument();
+
+    await waitFor(() => {
+      expect(screen.getByText('User One')).toBeInTheDocument();
+      expect(screen.getByText('First comment')).toBeInTheDocument();
+      expect(screen.getByText('Bot One')).toBeInTheDocument();
+      expect(screen.getByText('Second comment')).toBeInTheDocument();
+    });
+  });
+
+  it('should show empty message when no comments', async () => {
+    vi.mocked(taskService.getComments).mockResolvedValue({ data: [] });
+
+    renderWithTheme(<TaskComments taskId="1" />);
+
+    await waitFor(() => {
+      expect(screen.getByText('No comments yet.')).toBeInTheDocument();
+    });
+  });
+
+  it('should add a new comment', async () => {
+    vi.mocked(taskService.getComments).mockResolvedValue({ data: [] });
+    const newComment = {
+      id: 'c3',
+      taskId: '1',
+      userId: 'u1',
+      authorName: 'User One',
+      content: 'New test comment',
+      createdAt: new Date(),
+    };
+    vi.mocked(taskService.addComment).mockResolvedValue({ data: newComment });
+
+    renderWithTheme(<TaskComments taskId="1" />);
+
+    await waitFor(() => {
+      expect(screen.getByPlaceholderText('Add a comment...')).toBeInTheDocument();
+    });
+
+    const textarea = screen.getByPlaceholderText('Add a comment...');
+    fireEvent.change(textarea, { target: { value: 'New test comment' } });
+
+    // The Send button has a Send icon but it's a button
+    const submitButton = screen.getByRole('button');
+    fireEvent.click(submitButton);
+
+    await waitFor(() => {
+      expect(taskService.addComment).toHaveBeenCalledWith('1', 'New test comment');
+      expect(screen.getByText('New test comment')).toBeInTheDocument();
+    });
+  });
+});
diff --git a/src/test/setup.ts b/src/test/setup.ts
index 3a14a10..e341cd4 100644
--- a/src/test/setup.ts
+++ b/src/test/setup.ts
@@ -105,6 +105,10 @@ vi.mock('react-i18next', () => ({
         'pricing.use_crypto': 'Use crypto',
         'pricing.custom_amount': 'Custom',
         'pricing.price_amount': '${{amount}}',
+        'tasks.comments': 'Comments',
+        'tasks.no_comments': 'No comments yet.',
+        'tasks.add_comment_placeholder': 'Add a comment...',
+        'common.loading': 'Loading...',
         // Add more mapping as needed by tests
       };
       return translations[key] || key;
diff --git a/src/types/Task.ts b/src/types/Task.ts
index 2dba8e3..659e8e0 100644
--- a/src/types/Task.ts
+++ b/src/types/Task.ts
@@ -61,3 +61,13 @@ export interface TaskTimeStats {
   startDate: number;  // timestamp
   endDate: number;    // timestamp
 }
+
+export interface TaskComment {
+  id: string;
+  taskId: string;
+  userId: string;
+  authorName: string;
+  authorAvatar?: string;
+  content: string;
+  createdAt: Date;
+}

From ff2c7e98d2a385513f28776ec30c0becde9fee04 Mon Sep 17 00:00:00 2001
From: kelvin calcano <kelvin@vmi2907809.contaboserver.net>
Date: Thu, 12 Feb 2026 18:59:50 +0100
Subject: [PATCH 02/28] fix: tighten comment insert rls + validate content

- Enforce auth.uid() = user_id in INSERT policy
- Validate comment content type before trimming
---
 backend/src/controllers/taskController.js | 9 +++++++--
 migrations/001_create_task_comments.sql   | 3 ++-
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/backend/src/controllers/taskController.js b/backend/src/controllers/taskController.js
index 2031235..05263b4 100644
--- a/backend/src/controllers/taskController.js
+++ b/backend/src/controllers/taskController.js
@@ -423,7 +423,12 @@ const addComment = async (req, res) => {
     const { content } = req.body;
     const user_id = req.user.id;
 
-    if (!content || !content.trim()) {
+    if (typeof content !== 'string') {
+      return res.status(400).json({ error: 'Content must be a string' });
+    }
+
+    const trimmed = content.trim();
+    if (!trimmed) {
       return res.status(400).json({ error: 'Content is required' });
     }
 
@@ -458,7 +463,7 @@ const addComment = async (req, res) => {
         user_id,
         author_name,
         author_avatar,
-        content: content.trim()
+        content: trimmed
       }])
       .select()
       .single();
diff --git a/migrations/001_create_task_comments.sql b/migrations/001_create_task_comments.sql
index 6caddc7..0542da5 100644
--- a/migrations/001_create_task_comments.sql
+++ b/migrations/001_create_task_comments.sql
@@ -30,7 +30,8 @@ CREATE POLICY "Users can create comments on their own tasks"
   ON public.task_comments
   FOR INSERT
   WITH CHECK (
-    EXISTS (
+    auth.uid() = user_id
+    AND EXISTS (
       SELECT 1 FROM public.tasks
       WHERE public.tasks.id = public.task_comments.task_id
       AND public.tasks.user_id = auth.uid()

From c7080291e03d2c9273123ca1b399c74034ccfc72 Mon Sep 17 00:00:00 2001
From: kelvin calcano <kelvin@vmi2907809.contaboserver.net>
Date: Thu, 12 Feb 2026 19:21:22 +0100
Subject: [PATCH 03/28] fix: show comment submission errors

- Surface API errors from addComment via toast
- Add unit test for failed comment submission path
---
 src/components/TaskComments.tsx           |  7 ++++++
 src/test/components/TaskComments.test.tsx | 29 +++++++++++++++++++++++
 2 files changed, 36 insertions(+)

diff --git a/src/components/TaskComments.tsx b/src/components/TaskComments.tsx
index 9bd7932..d885aa0 100644
--- a/src/components/TaskComments.tsx
+++ b/src/components/TaskComments.tsx
@@ -4,6 +4,7 @@ import { TaskComment } from '../types/Task';
 import { taskService } from '../services/taskService';
 import { useTheme } from '../contexts/ThemeContext';
 import { MessageSquare, Send, User } from 'lucide-react';
+import { toast } from 'sonner';
 import { formatDate } from '../utils/taskUtils';
 
 interface TaskCommentsProps {
@@ -43,12 +44,18 @@ export const TaskComments: React.FC<TaskCommentsProps> = ({ taskId }) => {
     setIsSubmitting(true);
     try {
       const response = await taskService.addComment(taskId, newComment);
+      if (response.error) {
+        toast.error(response.error);
+        return;
+      }
+
       if (response.data) {
         setComments((prev) => [...prev, response.data!]);
         setNewComment('');
       }
     } catch (error) {
       console.error('Error adding comment:', error);
+      toast.error(t('common.error', 'Something went wrong'));
     } finally {
       setIsSubmitting(false);
     }
diff --git a/src/test/components/TaskComments.test.tsx b/src/test/components/TaskComments.test.tsx
index cdb4474..67a1c4d 100644
--- a/src/test/components/TaskComments.test.tsx
+++ b/src/test/components/TaskComments.test.tsx
@@ -3,6 +3,7 @@ import { describe, it, expect, vi, beforeEach } from 'vitest';
 import { TaskComments } from '../../components/TaskComments';
 import { ThemeProvider } from '../../contexts/ThemeContext';
 import { taskService } from '../../services/taskService';
+import { toast } from 'sonner';
 
 vi.mock('../../services/taskService', () => ({
   taskService: {
@@ -11,6 +12,12 @@ vi.mock('../../services/taskService', () => ({
   },
 }));
 
+vi.mock('sonner', () => ({
+  toast: {
+    error: vi.fn(),
+  },
+}));
+
 const mockComments = [
   {
     id: 'c1',
@@ -98,4 +105,26 @@ describe('TaskComments', () => {
       expect(screen.getByText('New test comment')).toBeInTheDocument();
     });
   });
+
+  it('should surface error when comment submission fails', async () => {
+    vi.mocked(taskService.getComments).mockResolvedValue({ data: [] });
+    vi.mocked(taskService.addComment).mockResolvedValue({ error: 'Not authenticated. Please log in.' });
+
+    renderWithTheme(<TaskComments taskId="1" />);
+
+    await waitFor(() => {
+      expect(screen.getByPlaceholderText('Add a comment...')).toBeInTheDocument();
+    });
+
+    const textarea = screen.getByPlaceholderText('Add a comment...');
+    fireEvent.change(textarea, { target: { value: 'Comment that should fail' } });
+
+    const submitButton = screen.getByRole('button');
+    fireEvent.click(submitButton);
+
+    await waitFor(() => {
+      expect(taskService.addComment).toHaveBeenCalledWith('1', 'Comment that should fail');
+      expect(toast.error).toHaveBeenCalledWith('Not authenticated. Please log in.');
+    });
+  });
 });

From 0751fad0c76c5920d4d95c676bba56edc067c37d Mon Sep 17 00:00:00 2001
From: kelvin calcano <kelvin@vmi2907809.contaboserver.net>
Date: Thu, 12 Feb 2026 19:37:44 +0100
Subject: [PATCH 04/28] fix: clear stale comments on fetch failures

- Reset comments state when loading a different task
- Surface getComments API errors with toast
- Add unit test for stale comment regression path
---
 src/components/TaskComments.tsx           |  7 +++++++
 src/test/components/TaskComments.test.tsx | 24 +++++++++++++++++++++++
 2 files changed, 31 insertions(+)

diff --git a/src/components/TaskComments.tsx b/src/components/TaskComments.tsx
index d885aa0..746a1fd 100644
--- a/src/components/TaskComments.tsx
+++ b/src/components/TaskComments.tsx
@@ -21,13 +21,20 @@ export const TaskComments: React.FC<TaskCommentsProps> = ({ taskId }) => {
 
   const fetchComments = async () => {
     setIsLoading(true);
+    setComments([]);
     try {
       const response = await taskService.getComments(taskId);
+      if (response.error) {
+        toast.error(response.error);
+        return;
+      }
+
       if (response.data) {
         setComments(response.data);
       }
     } catch (error) {
       console.error('Error fetching comments:', error);
+      toast.error(t('common.error', 'Something went wrong'));
     } finally {
       setIsLoading(false);
     }
diff --git a/src/test/components/TaskComments.test.tsx b/src/test/components/TaskComments.test.tsx
index 67a1c4d..f91437f 100644
--- a/src/test/components/TaskComments.test.tsx
+++ b/src/test/components/TaskComments.test.tsx
@@ -75,6 +75,30 @@ describe('TaskComments', () => {
     });
   });
 
+  it('should clear stale comments and surface error when fetch fails', async () => {
+    vi.mocked(taskService.getComments)
+      .mockResolvedValueOnce({ data: mockComments })
+      .mockResolvedValueOnce({ error: 'Not authenticated. Please log in.' });
+
+    const { rerender } = renderWithTheme(<TaskComments taskId="1" />);
+
+    await waitFor(() => {
+      expect(screen.getByText('First comment')).toBeInTheDocument();
+    });
+
+    rerender(
+      <ThemeProvider>
+        <TaskComments taskId="2" />
+      </ThemeProvider>
+    );
+
+    await waitFor(() => {
+      expect(toast.error).toHaveBeenCalledWith('Not authenticated. Please log in.');
+      expect(screen.queryByText('First comment')).not.toBeInTheDocument();
+      expect(screen.getByText('No comments yet.')).toBeInTheDocument();
+    });
+  });
+
   it('should add a new comment', async () => {
     vi.mocked(taskService.getComments).mockResolvedValue({ data: [] });
     const newComment = {

From d89ae00d92ffb0e3b7d2ef6809d83ee1d815bb30 Mon Sep 17 00:00:00 2001
From: kelvin calcano <kelvin@vmi2907809.contaboserver.net>
Date: Thu, 12 Feb 2026 19:53:22 +0100
Subject: [PATCH 05/28] fix: prevent stale comment fetch race

- Guard comment state updates with request sequence IDs
- Ignore out-of-order responses and stale loading transitions
---
 src/components/TaskComments.tsx | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/src/components/TaskComments.tsx b/src/components/TaskComments.tsx
index 746a1fd..5dfc18a 100644
--- a/src/components/TaskComments.tsx
+++ b/src/components/TaskComments.tsx
@@ -1,4 +1,4 @@
-import React, { useState, useEffect } from 'react';
+import React, { useState, useEffect, useRef } from 'react';
 import { useTranslation } from 'react-i18next';
 import { TaskComment } from '../types/Task';
 import { taskService } from '../services/taskService';
@@ -18,12 +18,17 @@ export const TaskComments: React.FC<TaskCommentsProps> = ({ taskId }) => {
   const [newComment, setNewComment] = useState('');
   const [isLoading, setIsLoading] = useState(true);
   const [isSubmitting, setIsSubmitting] = useState(false);
+  const requestSeqRef = useRef(0);
 
   const fetchComments = async () => {
+    const requestId = ++requestSeqRef.current;
+
     setIsLoading(true);
     setComments([]);
     try {
       const response = await taskService.getComments(taskId);
+      if (requestId !== requestSeqRef.current) return;
+
       if (response.error) {
         toast.error(response.error);
         return;
@@ -33,15 +38,22 @@ export const TaskComments: React.FC<TaskCommentsProps> = ({ taskId }) => {
         setComments(response.data);
       }
     } catch (error) {
+      if (requestId !== requestSeqRef.current) return;
       console.error('Error fetching comments:', error);
       toast.error(t('common.error', 'Something went wrong'));
     } finally {
-      setIsLoading(false);
+      if (requestId === requestSeqRef.current) {
+        setIsLoading(false);
+      }
     }
   };
 
   useEffect(() => {
     fetchComments();
+
+    return () => {
+      requestSeqRef.current += 1;
+    };
   }, [taskId]);
 
   const handleSubmit = async (e: React.FormEvent) => {

From a2e2802bf4862cdf75799c63103df5bc150152ff Mon Sep 17 00:00:00 2001
From: kelvin calcano <kelvin@vmi2907809.contaboserver.net>
Date: Thu, 12 Feb 2026 20:17:22 +0100
Subject: [PATCH 06/28] chore: trigger kimi co-review hook


From 53e480d179491f0ff33e3a9d893a20ffe849f1fe Mon Sep 17 00:00:00 2001
From: kelvin calcano <kelvin@vmi2907809.contaboserver.net>
Date: Thu, 12 Feb 2026 20:19:06 +0100
Subject: [PATCH 07/28] chore: verify kimi hook dedupe


From 9f6f62430c22f4c56524a868d200cd5990736261 Mon Sep 17 00:00:00 2001
From: kelvin calcano <kelvin@vmi2907809.contaboserver.net>
Date: Thu, 12 Feb 2026 20:28:05 +0100
Subject: [PATCH 08/28] fix: harden comments API and UX limits

- Add backend comment length guard + lightweight cooldown\n- Add comments pagination and explicit column selection\n- Use maybeSingle for optional profile lookup\n- Add task_comments(task_id) index in migration\n- Add textarea maxLength + live character counter
---
 backend/src/controllers/taskController.js | 27 ++++++++++++++++++++---
 migrations/001_create_task_comments.sql   |  3 +++
 src/components/TaskComments.tsx           | 10 +++++++--
 src/services/taskService.ts               |  5 +++--
 4 files changed, 38 insertions(+), 7 deletions(-)

diff --git a/backend/src/controllers/taskController.js b/backend/src/controllers/taskController.js
index 05263b4..caea7ab 100644
--- a/backend/src/controllers/taskController.js
+++ b/backend/src/controllers/taskController.js
@@ -384,6 +384,10 @@ const getComments = async (req, res) => {
   try {
     const { id: task_id } = req.params;
     const user_id = req.user.id;
+    const rawLimit = Number.parseInt(String(req.query.limit ?? '50'), 10);
+    const rawOffset = Number.parseInt(String(req.query.offset ?? '0'), 10);
+    const limit = Number.isFinite(rawLimit) ? Math.min(Math.max(rawLimit, 1), 200) : 50;
+    const offset = Number.isFinite(rawOffset) ? Math.max(rawOffset, 0) : 0;
 
     const db = req.supabase || supabaseClient.supabase;
 
@@ -401,9 +405,10 @@ const getComments = async (req, res) => {
 
     const { data: comments, error } = await db
       .from('task_comments')
-      .select('*')
+      .select('id, task_id, user_id, author_name, author_avatar, content, created_at')
       .eq('task_id', task_id)
-      .order('created_at', { ascending: true });
+      .order('created_at', { ascending: true })
+      .range(offset, offset + limit - 1);
 
     if (error) throw error;
 
@@ -414,6 +419,10 @@ const getComments = async (req, res) => {
   }
 };
 
+const MAX_COMMENT_LENGTH = 2000;
+const COMMENT_COOLDOWN_MS = 1500;
+const lastCommentAtByUser = new Map();
+
 /**
  * Add a new comment to a task
  */
@@ -432,6 +441,16 @@ const addComment = async (req, res) => {
       return res.status(400).json({ error: 'Content is required' });
     }
 
+    if (trimmed.length > MAX_COMMENT_LENGTH) {
+      return res.status(400).json({ error: `Content exceeds max length (${MAX_COMMENT_LENGTH})` });
+    }
+
+    const now = Date.now();
+    const lastAt = lastCommentAtByUser.get(user_id) || 0;
+    if (now - lastAt < COMMENT_COOLDOWN_MS) {
+      return res.status(429).json({ error: 'Too many comments. Please wait a moment.' });
+    }
+
     const db = req.supabase || supabaseClient.supabase;
 
     // Verify task belongs to user
@@ -451,7 +470,7 @@ const addComment = async (req, res) => {
       .from('profiles')
       .select('username, display_name, avatar_url')
       .eq('id', user_id)
-      .single();
+      .maybeSingle();
 
     const author_name = profile?.display_name || profile?.username || req.user.email;
     const author_avatar = profile?.avatar_url || null;
@@ -470,6 +489,8 @@ const addComment = async (req, res) => {
 
     if (error) throw error;
 
+    lastCommentAtByUser.set(user_id, now);
+
     res.status(201).json({ comment });
   } catch (error) {
     console.error('Add comment error:', error);
diff --git a/migrations/001_create_task_comments.sql b/migrations/001_create_task_comments.sql
index 0542da5..b5f7f84 100644
--- a/migrations/001_create_task_comments.sql
+++ b/migrations/001_create_task_comments.sql
@@ -11,6 +11,9 @@ CREATE TABLE IF NOT EXISTS public.task_comments (
   created_at timestamp with time zone DEFAULT TIMEZONE('utc'::text, NOW()) NOT NULL
 );
 
+CREATE INDEX IF NOT EXISTS idx_task_comments_task_id
+  ON public.task_comments(task_id);
+
 -- Enable Row Level Security
 ALTER TABLE public.task_comments ENABLE ROW LEVEL SECURITY;
 
diff --git a/src/components/TaskComments.tsx b/src/components/TaskComments.tsx
index 5dfc18a..743a4c0 100644
--- a/src/components/TaskComments.tsx
+++ b/src/components/TaskComments.tsx
@@ -19,6 +19,7 @@ export const TaskComments: React.FC<TaskCommentsProps> = ({ taskId }) => {
   const [isLoading, setIsLoading] = useState(true);
   const [isSubmitting, setIsSubmitting] = useState(false);
   const requestSeqRef = useRef(0);
+  const MAX_COMMENT_LENGTH = 2000;
 
   const fetchComments = async () => {
     const requestId = ++requestSeqRef.current;
@@ -58,11 +59,12 @@ export const TaskComments: React.FC<TaskCommentsProps> = ({ taskId }) => {
 
   const handleSubmit = async (e: React.FormEvent) => {
     e.preventDefault();
-    if (!newComment.trim() || isSubmitting) return;
+    const trimmed = newComment.trim();
+    if (!trimmed || isSubmitting) return;
 
     setIsSubmitting(true);
     try {
-      const response = await taskService.addComment(taskId, newComment);
+      const response = await taskService.addComment(taskId, trimmed);
       if (response.error) {
         toast.error(response.error);
         return;
@@ -143,6 +145,7 @@ export const TaskComments: React.FC<TaskCommentsProps> = ({ taskId }) => {
           onChange={(e) => setNewComment(e.target.value)}
           placeholder={t('tasks.add_comment_placeholder', 'Add a comment...')}
           rows={2}
+          maxLength={MAX_COMMENT_LENGTH}
           data-testid="comment-input"
           className={`w-full p-3 pr-12 text-sm rounded-lg border focus:outline-none focus:ring-2 focus:ring-indigo-500 transition-all ${
             theme === 'dark'
@@ -162,6 +165,9 @@ export const TaskComments: React.FC<TaskCommentsProps> = ({ taskId }) => {
         >
           <Send size={18} />
         </button>
+        <div className={`mt-1 text-[11px] text-right ${theme === 'dark' ? 'text-gray-500' : 'text-gray-400'}`}>
+          {newComment.length}/{MAX_COMMENT_LENGTH}
+        </div>
       </form>
     </div>
   );
diff --git a/src/services/taskService.ts b/src/services/taskService.ts
index 4cd1f83..28b4343 100644
--- a/src/services/taskService.ts
+++ b/src/services/taskService.ts
@@ -418,8 +418,9 @@ export class TaskService {
   /**
    * Get all comments for a specific task
    */
-  async getComments(taskId: string): Promise<ApiResponse<TaskComment[]>> {
-    const response = await this.makeRequest<{ comments: BackendComment[] }>(`/api/tasks/${taskId}/comments`);
+  async getComments(taskId: string, limit = 50, offset = 0): Promise<ApiResponse<TaskComment[]>> {
+    const qs = new URLSearchParams({ limit: String(limit), offset: String(offset) });
+    const response = await this.makeRequest<{ comments: BackendComment[] }>(`/api/tasks/${taskId}/comments?${qs.toString()}`);
 
     if (response.error) {
       return { error: response.error };

From 8a56608c23ba0765ba9ab982bb4debbbeaf9819d Mon Sep 17 00:00:00 2001
From: kelvin calcano <kelvin@vmi2907809.contaboserver.net>
Date: Thu, 12 Feb 2026 20:46:25 +0100
Subject: [PATCH 09/28] chore: test auto kimi trigger logging


From 009135e125edd80f1cfe6236060694fd73c2cba2 Mon Sep 17 00:00:00 2001
From: kelvin calcano <kelvin@vmi2907809.contaboserver.net>
Date: Thu, 12 Feb 2026 20:47:08 +0100
Subject: [PATCH 10/28] chore: test pre-push kimi auto trigger


From 8b984460e12d8aced68af31a0ce3c8f373b474f6 Mon Sep 17 00:00:00 2001
From: kelvin calcano <kelvin@vmi2907809.contaboserver.net>
Date: Thu, 12 Feb 2026 20:48:35 +0100
Subject: [PATCH 11/28] chore: verify pre-push kimi trigger v2


From fe7ed98134013081a672b42441d3b3d6c7be5f88 Mon Sep 17 00:00:00 2001
From: kelvin calcano <kelvin@vmi2907809.contaboserver.net>
Date: Thu, 12 Feb 2026 20:49:40 +0100
Subject: [PATCH 12/28] chore: verify auto kimi trigger v3


From 987d4acf2f91d791a00fe51b81a4622b4640f7b4 Mon Sep 17 00:00:00 2001
From: kelvin calcano <kelvin@vmi2907809.contaboserver.net>
Date: Thu, 12 Feb 2026 21:32:56 +0100
Subject: [PATCH 13/28] ci: add Kimi co-review GitHub Action for PR pushes

---
 .github/workflows/kimi-co-review.yml | 153 +++++++++++++++++++++++++++
 1 file changed, 153 insertions(+)
 create mode 100644 .github/workflows/kimi-co-review.yml

diff --git a/.github/workflows/kimi-co-review.yml b/.github/workflows/kimi-co-review.yml
new file mode 100644
index 0000000..5323fa2
--- /dev/null
+++ b/.github/workflows/kimi-co-review.yml
@@ -0,0 +1,153 @@
+name: Kimi PR Co-Review
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened, ready_for_review]
+
+permissions:
+  contents: read
+  pull-requests: write
+
+concurrency:
+  group: kimi-co-review-pr-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+
+jobs:
+  kimi-review:
+    if: ${{ !github.event.pull_request.draft }}
+    runs-on: ubuntu-latest
+    env:
+      MOONSHOT_API_KEY: ${{ secrets.MOONSHOT_API_KEY }}
+      PR_NUMBER: ${{ github.event.pull_request.number }}
+      REPO: ${{ github.repository }}
+      BASE_SHA: ${{ github.event.pull_request.base.sha }}
+      HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+      BASE_REF: ${{ github.event.pull_request.base.ref }}
+      HEAD_REF: ${{ github.event.pull_request.head.ref }}
+    steps:
+      - name: Validate secret
+        run: |
+          if [ -z "${MOONSHOT_API_KEY:-}" ]; then
+            echo "Missing MOONSHOT_API_KEY secret"
+            exit 1
+          fi
+
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Build PR diff
+        id: diff
+        shell: bash
+        run: |
+          set -euo pipefail
+          git fetch origin "$BASE_REF" --quiet || true
+          DIFF_CONTENT="$(git diff --unified=2 "$BASE_SHA...$HEAD_SHA" || true)"
+
+          if [ -z "$DIFF_CONTENT" ]; then
+            echo "has_diff=false" >> "$GITHUB_OUTPUT"
+            exit 0
+          fi
+
+          MAX_CHARS=120000
+          if (( ${#DIFF_CONTENT} > MAX_CHARS )); then
+            DIFF_CONTENT="${DIFF_CONTENT:0:MAX_CHARS}\n\n[diff truncated]"
+          fi
+
+          {
+            echo 'DIFF_EOF<<EOF'
+            printf '%s\n' "$DIFF_CONTENT"
+            echo 'EOF'
+          } >> "$GITHUB_ENV"
+
+          echo "has_diff=true" >> "$GITHUB_OUTPUT"
+
+      - name: Skip if already commented for this SHA
+        if: steps.diff.outputs.has_diff == 'true'
+        id: dedupe
+        env:
+          GH_TOKEN: ${{ github.token }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          MARKER="<!-- kimi-action-review:pr=${PR_NUMBER} sha=${HEAD_SHA} -->"
+          if gh api "repos/${REPO}/issues/${PR_NUMBER}/comments" --paginate --jq '.[].body' | grep -Fq "$MARKER"; then
+            echo "already_done=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "already_done=false" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Request Kimi review
+        if: steps.diff.outputs.has_diff == 'true' && steps.dedupe.outputs.already_done != 'true'
+        id: kimi
+        shell: bash
+        run: |
+          set -euo pipefail
+
+          PROMPT="$(cat <<EOF
+Este es un Code Review hecho por Kimi k2.5
+PR #${PR_NUMBER} | base: ${BASE_REF} | head: ${HEAD_REF}
+
+Revisa este diff con enfoque en: correctness, regresiones, seguridad y UX edge-cases.
+Responde en markdown breve con:
+- Findings (P1/P2/P3) con archivo y recomendación, o
+- Approved si no hay issues.
+
+DIFF:
+${DIFF_EOF}
+EOF
+)"
+
+          PAYLOAD="$(jq -nc --arg content "$PROMPT" '{model:"kimi-k2.5",temperature:1,messages:[{role:"user",content:$content}]}')"
+
+          RESPONSE="$(curl -sS -X POST https://api.moonshot.ai/v1/chat/completions \
+            -H "Authorization: Bearer ${MOONSHOT_API_KEY}" \
+            -H "Content-Type: application/json" \
+            -d "$PAYLOAD")"
+
+          CONTENT="$(printf '%s' "$RESPONSE" | jq -r '.choices[0].message.content // empty')"
+          ERR_MSG="$(printf '%s' "$RESPONSE" | jq -r '.error.message // empty')"
+
+          if [ -z "$CONTENT" ] && [ -n "$ERR_MSG" ]; then
+            CONTENT="Kimi review failed: ${ERR_MSG}"
+          fi
+
+          if [ -z "$CONTENT" ]; then
+            CONTENT="Kimi review: no output (empty response)."
+          fi
+
+          CONTENT_LC="$(printf '%s' "$CONTENT" | tr '[:upper:]' '[:lower:]')"
+          if [[ "$CONTENT" != Kimi\ review\ failed:* ]] && [[ "$CONTENT" != *"no output (empty response)"* ]]; then
+            if echo "$CONTENT_LC" | grep -Eq 'approved|no issues|sin hallazgos|sin findings|looks good|lgtm'; then
+              if ! echo "$CONTENT" | grep -Eq '(^|[^A-Z])(P1|P2|P3)([^A-Z]|$)|Findings|Issue:'; then
+                CONTENT="Approved"
+              fi
+            fi
+          fi
+
+          {
+            echo 'body<<EOF'
+            printf '%s\n' "$CONTENT"
+            echo 'EOF'
+          } >> "$GITHUB_OUTPUT"
+
+      - name: Post PR comment
+        if: steps.diff.outputs.has_diff == 'true' && steps.dedupe.outputs.already_done != 'true'
+        env:
+          GH_TOKEN: ${{ github.token }}
+        shell: bash
+        run: |
+          set -euo pipefail
+          MARKER="<!-- kimi-action-review:pr=${PR_NUMBER} sha=${HEAD_SHA} -->"
+
+          COMMENT_FILE="$(mktemp)"
+          {
+            echo "$MARKER"
+            echo
+            echo "### Kimi K2.5 Co-Review"
+            echo
+            printf '%s\n' "${{ steps.kimi.outputs.body }}"
+          } > "$COMMENT_FILE"
+
+          gh pr comment "$PR_NUMBER" --repo "$REPO" --body-file "$COMMENT_FILE"

From 24896bb7c15d1f82857e2af8732c07dce0311d8f Mon Sep 17 00:00:00 2001
From: kelvin calcano <kelvin@vmi2907809.contaboserver.net>
Date: Thu, 12 Feb 2026 22:12:02 +0100
Subject: [PATCH 14/28] chore: validate Kimi GitHub Action


From 773f49bf5e98fdc93c226a96514f6f14610de001 Mon Sep 17 00:00:00 2001
From: kelvin calcano <kelvin@vmi2907809.contaboserver.net>
Date: Thu, 12 Feb 2026 22:13:25 +0100
Subject: [PATCH 15/28] fix: repair Kimi action workflow syntax

---
 .github/workflows/kimi-co-review.yml | 15 ++-------------
 1 file changed, 2 insertions(+), 13 deletions(-)

diff --git a/.github/workflows/kimi-co-review.yml b/.github/workflows/kimi-co-review.yml
index 5323fa2..28052db 100644
--- a/.github/workflows/kimi-co-review.yml
+++ b/.github/workflows/kimi-co-review.yml
@@ -85,19 +85,8 @@ jobs:
         run: |
           set -euo pipefail
 
-          PROMPT="$(cat <<EOF
-Este es un Code Review hecho por Kimi k2.5
-PR #${PR_NUMBER} | base: ${BASE_REF} | head: ${HEAD_REF}
-
-Revisa este diff con enfoque en: correctness, regresiones, seguridad y UX edge-cases.
-Responde en markdown breve con:
-- Findings (P1/P2/P3) con archivo y recomendación, o
-- Approved si no hay issues.
-
-DIFF:
-${DIFF_EOF}
-EOF
-)"
+          PROMPT_HEADER="Este es un Code Review hecho por Kimi k2.5\nPR #${PR_NUMBER} | base: ${BASE_REF} | head: ${HEAD_REF}\n\nRevisa este diff con enfoque en: correctness, regresiones, seguridad y UX edge-cases.\nResponde en markdown breve con:\n- Findings (P1/P2/P3) con archivo y recomendación, o\n- Approved si no hay issues.\n\nDIFF:\n"
+          PROMPT="${PROMPT_HEADER}${DIFF_EOF}"
 
           PAYLOAD="$(jq -nc --arg content "$PROMPT" '{model:"kimi-k2.5",temperature:1,messages:[{role:"user",content:$content}]}')"
 

From af1401b49290dcf1d8f79a58b8ad6d5d62202c12 Mon Sep 17 00:00:00 2001
From: kelvin calcano <kelvin@vmi2907809.contaboserver.net>
Date: Thu, 12 Feb 2026 22:34:58 +0100
Subject: [PATCH 16/28] ci: switch to reusable Kimi review workflow

---
 .github/workflows/kimi-co-review.yml | 131 +--------------------------
 1 file changed, 5 insertions(+), 126 deletions(-)

diff --git a/.github/workflows/kimi-co-review.yml b/.github/workflows/kimi-co-review.yml
index 28052db..5fc4c54 100644
--- a/.github/workflows/kimi-co-review.yml
+++ b/.github/workflows/kimi-co-review.yml
@@ -13,130 +13,9 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
-  kimi-review:
-    if: ${{ !github.event.pull_request.draft }}
-    runs-on: ubuntu-latest
-    env:
+  kimi:
+    uses: kelvinCB/github-automation/.github/workflows/kimi-review-reusable.yml@main
+    with:
+      marker_prefix: kimi-action-review
+    secrets:
       MOONSHOT_API_KEY: ${{ secrets.MOONSHOT_API_KEY }}
-      PR_NUMBER: ${{ github.event.pull_request.number }}
-      REPO: ${{ github.repository }}
-      BASE_SHA: ${{ github.event.pull_request.base.sha }}
-      HEAD_SHA: ${{ github.event.pull_request.head.sha }}
-      BASE_REF: ${{ github.event.pull_request.base.ref }}
-      HEAD_REF: ${{ github.event.pull_request.head.ref }}
-    steps:
-      - name: Validate secret
-        run: |
-          if [ -z "${MOONSHOT_API_KEY:-}" ]; then
-            echo "Missing MOONSHOT_API_KEY secret"
-            exit 1
-          fi
-
-      - name: Checkout
-        uses: actions/checkout@v4
-        with:
-          fetch-depth: 0
-
-      - name: Build PR diff
-        id: diff
-        shell: bash
-        run: |
-          set -euo pipefail
-          git fetch origin "$BASE_REF" --quiet || true
-          DIFF_CONTENT="$(git diff --unified=2 "$BASE_SHA...$HEAD_SHA" || true)"
-
-          if [ -z "$DIFF_CONTENT" ]; then
-            echo "has_diff=false" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-
-          MAX_CHARS=120000
-          if (( ${#DIFF_CONTENT} > MAX_CHARS )); then
-            DIFF_CONTENT="${DIFF_CONTENT:0:MAX_CHARS}\n\n[diff truncated]"
-          fi
-
-          {
-            echo 'DIFF_EOF<<EOF'
-            printf '%s\n' "$DIFF_CONTENT"
-            echo 'EOF'
-          } >> "$GITHUB_ENV"
-
-          echo "has_diff=true" >> "$GITHUB_OUTPUT"
-
-      - name: Skip if already commented for this SHA
-        if: steps.diff.outputs.has_diff == 'true'
-        id: dedupe
-        env:
-          GH_TOKEN: ${{ github.token }}
-        shell: bash
-        run: |
-          set -euo pipefail
-          MARKER="<!-- kimi-action-review:pr=${PR_NUMBER} sha=${HEAD_SHA} -->"
-          if gh api "repos/${REPO}/issues/${PR_NUMBER}/comments" --paginate --jq '.[].body' | grep -Fq "$MARKER"; then
-            echo "already_done=true" >> "$GITHUB_OUTPUT"
-          else
-            echo "already_done=false" >> "$GITHUB_OUTPUT"
-          fi
-
-      - name: Request Kimi review
-        if: steps.diff.outputs.has_diff == 'true' && steps.dedupe.outputs.already_done != 'true'
-        id: kimi
-        shell: bash
-        run: |
-          set -euo pipefail
-
-          PROMPT_HEADER="Este es un Code Review hecho por Kimi k2.5\nPR #${PR_NUMBER} | base: ${BASE_REF} | head: ${HEAD_REF}\n\nRevisa este diff con enfoque en: correctness, regresiones, seguridad y UX edge-cases.\nResponde en markdown breve con:\n- Findings (P1/P2/P3) con archivo y recomendación, o\n- Approved si no hay issues.\n\nDIFF:\n"
-          PROMPT="${PROMPT_HEADER}${DIFF_EOF}"
-
-          PAYLOAD="$(jq -nc --arg content "$PROMPT" '{model:"kimi-k2.5",temperature:1,messages:[{role:"user",content:$content}]}')"
-
-          RESPONSE="$(curl -sS -X POST https://api.moonshot.ai/v1/chat/completions \
-            -H "Authorization: Bearer ${MOONSHOT_API_KEY}" \
-            -H "Content-Type: application/json" \
-            -d "$PAYLOAD")"
-
-          CONTENT="$(printf '%s' "$RESPONSE" | jq -r '.choices[0].message.content // empty')"
-          ERR_MSG="$(printf '%s' "$RESPONSE" | jq -r '.error.message // empty')"
-
-          if [ -z "$CONTENT" ] && [ -n "$ERR_MSG" ]; then
-            CONTENT="Kimi review failed: ${ERR_MSG}"
-          fi
-
-          if [ -z "$CONTENT" ]; then
-            CONTENT="Kimi review: no output (empty response)."
-          fi
-
-          CONTENT_LC="$(printf '%s' "$CONTENT" | tr '[:upper:]' '[:lower:]')"
-          if [[ "$CONTENT" != Kimi\ review\ failed:* ]] && [[ "$CONTENT" != *"no output (empty response)"* ]]; then
-            if echo "$CONTENT_LC" | grep -Eq 'approved|no issues|sin hallazgos|sin findings|looks good|lgtm'; then
-              if ! echo "$CONTENT" | grep -Eq '(^|[^A-Z])(P1|P2|P3)([^A-Z]|$)|Findings|Issue:'; then
-                CONTENT="Approved"
-              fi
-            fi
-          fi
-
-          {
-            echo 'body<<EOF'
-            printf '%s\n' "$CONTENT"
-            echo 'EOF'
-          } >> "$GITHUB_OUTPUT"
-
-      - name: Post PR comment
-        if: steps.diff.outputs.has_diff == 'true' && steps.dedupe.outputs.already_done != 'true'
-        env:
-          GH_TOKEN: ${{ github.token }}
-        shell: bash
-        run: |
-          set -euo pipefail
-          MARKER="<!-- kimi-action-review:pr=${PR_NUMBER} sha=${HEAD_SHA} -->"
-
-          COMMENT_FILE="$(mktemp)"
-          {
-            echo "$MARKER"
-            echo
-            echo "### Kimi K2.5 Co-Review"
-            echo
-            printf '%s\n' "${{ steps.kimi.outputs.body }}"
-          } > "$COMMENT_FILE"
-
-          gh pr comment "$PR_NUMBER" --repo "$REPO" --body-file "$COMMENT_FILE"

From b37b504b9afd3938c4dfc1e6260bce946b1fdcbe Mon Sep 17 00:00:00 2001
From: kelvin calcano <kelvin@vmi2907809.contaboserver.net>
Date: Thu, 12 Feb 2026 22:36:39 +0100
Subject: [PATCH 17/28] chore: re-run Kimi reusable action


From aa5f4cee7f5e44d49a58ed8a2a6c4dca60011d55 Mon Sep 17 00:00:00 2001
From: kelvin calcano <kelvin@vmi2907809.contaboserver.net>
Date: Fri, 13 Feb 2026 09:48:26 +0100
Subject: [PATCH 18/28] feat: add comment update/delete endpoints

---
 backend/src/controllers/taskController.js | 121 +++++++++++++++++++---
 backend/src/routes/tasks.js               |   6 +-
 2 files changed, 109 insertions(+), 18 deletions(-)

diff --git a/backend/src/controllers/taskController.js b/backend/src/controllers/taskController.js
index caea7ab..eaa1b8f 100644
--- a/backend/src/controllers/taskController.js
+++ b/backend/src/controllers/taskController.js
@@ -389,6 +389,10 @@ const getComments = async (req, res) => {
     const limit = Number.isFinite(rawLimit) ? Math.min(Math.max(rawLimit, 1), 200) : 50;
     const offset = Number.isFinite(rawOffset) ? Math.max(rawOffset, 0) : 0;
 
+    if (!Number.isSafeInteger(offset + limit - 1)) {
+      return res.status(400).json({ error: 'Invalid pagination range' });
+    }
+
     const db = req.supabase || supabaseClient.supabase;
 
     // Verify task belongs to user
@@ -405,7 +409,7 @@ const getComments = async (req, res) => {
 
     const { data: comments, error } = await db
       .from('task_comments')
-      .select('id, task_id, user_id, author_name, author_avatar, content, created_at')
+      .select('id, task_id, user_id, author_name, author_avatar, content, created_at, updated_at')
       .eq('task_id', task_id)
       .order('created_at', { ascending: true })
       .range(offset, offset + limit - 1);
@@ -421,7 +425,13 @@ const getComments = async (req, res) => {
 
 const MAX_COMMENT_LENGTH = 2000;
 const COMMENT_COOLDOWN_MS = 1500;
-const lastCommentAtByUser = new Map();
+
+const sanitizeCommentContent = (value = '') => {
+  return value
+    .replace(/<[^>]*>/g, '')
+    .replace(/\s+/g, ' ')
+    .trim();
+};
 
 /**
  * Add a new comment to a task
@@ -436,21 +446,15 @@ const addComment = async (req, res) => {
       return res.status(400).json({ error: 'Content must be a string' });
     }
 
-    const trimmed = content.trim();
-    if (!trimmed) {
+    const sanitized = sanitizeCommentContent(content);
+    if (!sanitized) {
       return res.status(400).json({ error: 'Content is required' });
     }
 
-    if (trimmed.length > MAX_COMMENT_LENGTH) {
+    if (sanitized.length > MAX_COMMENT_LENGTH) {
       return res.status(400).json({ error: `Content exceeds max length (${MAX_COMMENT_LENGTH})` });
     }
 
-    const now = Date.now();
-    const lastAt = lastCommentAtByUser.get(user_id) || 0;
-    if (now - lastAt < COMMENT_COOLDOWN_MS) {
-      return res.status(429).json({ error: 'Too many comments. Please wait a moment.' });
-    }
-
     const db = req.supabase || supabaseClient.supabase;
 
     // Verify task belongs to user
@@ -465,6 +469,26 @@ const addComment = async (req, res) => {
       return res.status(404).json({ error: 'Task not found' });
     }
 
+    // DB-backed cooldown (multi-instance safe)
+    const cooldownSince = new Date(Date.now() - COMMENT_COOLDOWN_MS).toISOString();
+    const { data: latestOwnComment } = await db
+      .from('task_comments')
+      .select('created_at')
+      .eq('user_id', user_id)
+      .order('created_at', { ascending: false })
+      .limit(1)
+      .maybeSingle();
+
+    if (latestOwnComment?.created_at && latestOwnComment.created_at > cooldownSince) {
+      const elapsedMs = Date.now() - new Date(latestOwnComment.created_at).getTime();
+      const retryAfterSeconds = Math.max(1, Math.ceil((COMMENT_COOLDOWN_MS - elapsedMs) / 1000));
+      res.set('Retry-After', String(retryAfterSeconds));
+      return res.status(429).json({
+        error: `Please wait ${retryAfterSeconds}s before posting another comment.`,
+        retry_after_seconds: retryAfterSeconds,
+      });
+    }
+
     // Get user profile for author info
     const { data: profile } = await db
       .from('profiles')
@@ -472,7 +496,7 @@ const addComment = async (req, res) => {
       .eq('id', user_id)
       .maybeSingle();
 
-    const author_name = profile?.display_name || profile?.username || req.user.email;
+    const author_name = profile?.display_name || profile?.username || 'User';
     const author_avatar = profile?.avatar_url || null;
 
     const { data: comment, error } = await db
@@ -482,15 +506,13 @@ const addComment = async (req, res) => {
         user_id,
         author_name,
         author_avatar,
-        content: trimmed
+        content: sanitized
       }])
-      .select()
+      .select('id, task_id, user_id, author_name, author_avatar, content, created_at, updated_at')
       .single();
 
     if (error) throw error;
 
-    lastCommentAtByUser.set(user_id, now);
-
     res.status(201).json({ comment });
   } catch (error) {
     console.error('Add comment error:', error);
@@ -498,6 +520,69 @@ const addComment = async (req, res) => {
   }
 };
 
+const updateComment = async (req, res) => {
+  try {
+    const { id: task_id, commentId } = req.params;
+    const { content } = req.body;
+    const user_id = req.user.id;
+
+    if (typeof content !== 'string') {
+      return res.status(400).json({ error: 'Content must be a string' });
+    }
+
+    const sanitized = sanitizeCommentContent(content);
+    if (!sanitized) return res.status(400).json({ error: 'Content is required' });
+    if (sanitized.length > MAX_COMMENT_LENGTH) {
+      return res.status(400).json({ error: `Content exceeds max length (${MAX_COMMENT_LENGTH})` });
+    }
+
+    const db = req.supabase || supabaseClient.supabase;
+
+    const { data: updated, error } = await db
+      .from('task_comments')
+      .update({ content: sanitized, updated_at: new Date().toISOString() })
+      .eq('id', commentId)
+      .eq('task_id', task_id)
+      .eq('user_id', user_id)
+      .select('id, task_id, user_id, author_name, author_avatar, content, created_at, updated_at')
+      .single();
+
+    if (error || !updated) {
+      return res.status(404).json({ error: 'Comment not found or not allowed' });
+    }
+
+    res.status(200).json({ comment: updated });
+  } catch (error) {
+    console.error('Update comment error:', error);
+    res.status(500).json({ error: 'Internal server error' });
+  }
+};
+
+const deleteComment = async (req, res) => {
+  try {
+    const { id: task_id, commentId } = req.params;
+    const user_id = req.user.id;
+    const db = req.supabase || supabaseClient.supabase;
+
+    const { data: deleted, error } = await db
+      .from('task_comments')
+      .delete()
+      .eq('id', commentId)
+      .eq('task_id', task_id)
+      .eq('user_id', user_id)
+      .select('id')
+      .maybeSingle();
+
+    if (error || !deleted) {
+      return res.status(404).json({ error: 'Comment not found or not allowed' });
+    }
+
+    res.status(200).json({ message: 'Comment deleted' });
+  } catch (error) {
+    console.error('Delete comment error:', error);
+    res.status(500).json({ error: 'Internal server error' });
+  }
+};
 
 module.exports = {
   createTask,
@@ -506,5 +591,7 @@ module.exports = {
   updateTask,
   deleteTask,
   getComments,
-  addComment
+  addComment,
+  updateComment,
+  deleteComment
 };
diff --git a/backend/src/routes/tasks.js b/backend/src/routes/tasks.js
index d05f405..abcd751 100644
--- a/backend/src/routes/tasks.js
+++ b/backend/src/routes/tasks.js
@@ -8,7 +8,9 @@ const {
   updateTask,
   deleteTask,
   getComments,
-  addComment
+  addComment,
+  updateComment,
+  deleteComment
 } = require('../controllers/taskController');
 
 // Apply authentication middleware to all task routes
@@ -205,5 +207,7 @@ router.get('/:id/comments', getComments);
  *         description: Comment created
  */
 router.post('/:id/comments', addComment);
+router.patch('/:id/comments/:commentId', updateComment);
+router.delete('/:id/comments/:commentId', deleteComment);
 
 module.exports = router;

From b93c21728fb89ba9f8168974182bfa3bdc6bbdc2 Mon Sep 17 00:00:00 2001
From: kelvin calcano <kelvin@vmi2907809.contaboserver.net>
Date: Fri, 13 Feb 2026 09:48:29 +0100
Subject: [PATCH 19/28] chore: add comment updated_at and user index

---
 migrations/001_create_task_comments.sql | 25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)

diff --git a/migrations/001_create_task_comments.sql b/migrations/001_create_task_comments.sql
index b5f7f84..e18c0e6 100644
--- a/migrations/001_create_task_comments.sql
+++ b/migrations/001_create_task_comments.sql
@@ -8,12 +8,19 @@ CREATE TABLE IF NOT EXISTS public.task_comments (
   author_name text NOT NULL,
   author_avatar text,
   content text NOT NULL,
-  created_at timestamp with time zone DEFAULT TIMEZONE('utc'::text, NOW()) NOT NULL
+  created_at timestamp with time zone DEFAULT TIMEZONE('utc'::text, NOW()) NOT NULL,
+  updated_at timestamp with time zone DEFAULT TIMEZONE('utc'::text, NOW()) NOT NULL
 );
 
+ALTER TABLE public.task_comments
+  ADD COLUMN IF NOT EXISTS updated_at timestamp with time zone DEFAULT TIMEZONE('utc'::text, NOW()) NOT NULL;
+
 CREATE INDEX IF NOT EXISTS idx_task_comments_task_id
   ON public.task_comments(task_id);
 
+CREATE INDEX IF NOT EXISTS idx_task_comments_user_id
+  ON public.task_comments(user_id);
+
 -- Enable Row Level Security
 ALTER TABLE public.task_comments ENABLE ROW LEVEL SECURITY;
 
@@ -47,3 +54,19 @@ CREATE POLICY "Users can delete their own comments"
   USING (
     auth.uid() = user_id
   );
+
+CREATE OR REPLACE FUNCTION public.set_task_comments_updated_at()
+RETURNS trigger
+LANGUAGE plpgsql
+AS $$
+BEGIN
+  NEW.updated_at = TIMEZONE('utc'::text, NOW());
+  RETURN NEW;
+END;
+$$;
+
+DROP TRIGGER IF EXISTS trg_task_comments_updated_at ON public.task_comments;
+CREATE TRIGGER trg_task_comments_updated_at
+BEFORE UPDATE ON public.task_comments
+FOR EACH ROW
+EXECUTE FUNCTION public.set_task_comments_updated_at();

From 8f2056485dd528d96522dc730c74156f000ab9cf Mon Sep 17 00:00:00 2001
From: kelvin calcano <kelvin@vmi2907809.contaboserver.net>
Date: Fri, 13 Feb 2026 09:48:34 +0100
Subject: [PATCH 20/28] feat: handle 429 and add comment service actions

---
 src/services/taskService.ts | 32 ++++++++++++++++++++++++++++++++
 src/types/Task.ts           |  1 +
 2 files changed, 33 insertions(+)

diff --git a/src/services/taskService.ts b/src/services/taskService.ts
index 28b4343..0241b3b 100644
--- a/src/services/taskService.ts
+++ b/src/services/taskService.ts
@@ -52,6 +52,7 @@ interface BackendComment {
   author_avatar: string | null;
   content: string;
   created_at: string;
+  updated_at?: string | null;
 }
 
 // No mapping needed; backend and frontend share the same status values
@@ -137,6 +138,14 @@ export class TaskService {
       const data = (await response.json().catch(() => ({}))) as unknown as T & { error?: string; message?: string };
 
       if (!response.ok) {
+        if (response.status === 429) {
+          const retryAfter = (data as any)?.retry_after_seconds || response.headers.get('Retry-After');
+          const waitText = retryAfter ? ` Please wait ${retryAfter}s before posting another comment.` : ' Please wait before posting another comment.';
+          return {
+            error: (data as any)?.error || `Too many requests.${waitText}`,
+          };
+        }
+
         return {
           error: data && (data as any).error || (data as any).message || `Request failed with status ${response.status}`,
         };
@@ -412,6 +421,7 @@ export class TaskService {
       authorAvatar: bc.author_avatar || undefined,
       content: bc.content,
       createdAt: new Date(bc.created_at),
+      updatedAt: bc.updated_at ? new Date(bc.updated_at) : undefined,
     };
   }
 
@@ -455,6 +465,28 @@ export class TaskService {
     return { error: 'Failed to add comment' };
   }
 
+  async updateComment(taskId: string, commentId: string, content: string): Promise<ApiResponse<TaskComment>> {
+    const response = await this.makeRequest<{ comment: BackendComment }>(`/api/tasks/${taskId}/comments/${commentId}`, {
+      method: 'PATCH',
+      body: JSON.stringify({ content }),
+    });
+
+    if (response.error) return { error: response.error };
+    if (response.data?.comment) {
+      return { data: this.convertBackendCommentToFrontend(response.data.comment) };
+    }
+
+    return { error: 'Failed to update comment' };
+  }
+
+  async deleteComment(taskId: string, commentId: string): Promise<ApiResponse<{ message: string }>> {
+    const response = await this.makeRequest<{ message: string }>(`/api/tasks/${taskId}/comments/${commentId}`, {
+      method: 'DELETE',
+    });
+
+    return response;
+  }
+
   /**
    * Check if user is authenticated
    */
diff --git a/src/types/Task.ts b/src/types/Task.ts
index 659e8e0..eb87b19 100644
--- a/src/types/Task.ts
+++ b/src/types/Task.ts
@@ -70,4 +70,5 @@ export interface TaskComment {
   authorAvatar?: string;
   content: string;
   createdAt: Date;
+  updatedAt?: Date;
 }

From 88ab5944edfd9de282b2f57284949aa01f8f643b Mon Sep 17 00:00:00 2001
From: kelvin calcano <kelvin@vmi2907809.contaboserver.net>
Date: Fri, 13 Feb 2026 09:48:37 +0100
Subject: [PATCH 21/28] feat: add edit/delete actions for task comments UI

---
 src/components/TaskComments.tsx | 94 ++++++++++++++++++++++++++++++---
 1 file changed, 86 insertions(+), 8 deletions(-)

diff --git a/src/components/TaskComments.tsx b/src/components/TaskComments.tsx
index 743a4c0..36f092a 100644
--- a/src/components/TaskComments.tsx
+++ b/src/components/TaskComments.tsx
@@ -6,6 +6,7 @@ import { useTheme } from '../contexts/ThemeContext';
 import { MessageSquare, Send, User } from 'lucide-react';
 import { toast } from 'sonner';
 import { formatDate } from '../utils/taskUtils';
+import supabase from '../lib/supabaseClient';
 
 interface TaskCommentsProps {
   taskId: string;
@@ -18,6 +19,9 @@ export const TaskComments: React.FC<TaskCommentsProps> = ({ taskId }) => {
   const [newComment, setNewComment] = useState('');
   const [isLoading, setIsLoading] = useState(true);
   const [isSubmitting, setIsSubmitting] = useState(false);
+  const [currentUserId, setCurrentUserId] = useState<string | null>(null);
+  const [editingId, setEditingId] = useState<string | null>(null);
+  const [editingContent, setEditingContent] = useState('');
   const requestSeqRef = useRef(0);
   const MAX_COMMENT_LENGTH = 2000;
 
@@ -52,6 +56,10 @@ export const TaskComments: React.FC<TaskCommentsProps> = ({ taskId }) => {
   useEffect(() => {
     fetchComments();
 
+    supabase.auth.getUser().then(({ data }) => {
+      setCurrentUserId(data.user?.id || null);
+    });
+
     return () => {
       requestSeqRef.current += 1;
     };
@@ -82,6 +90,45 @@ export const TaskComments: React.FC<TaskCommentsProps> = ({ taskId }) => {
     }
   };
 
+  const beginEdit = (comment: TaskComment) => {
+    setEditingId(comment.id);
+    setEditingContent(comment.content);
+  };
+
+  const cancelEdit = () => {
+    setEditingId(null);
+    setEditingContent('');
+  };
+
+  const saveEdit = async () => {
+    if (!editingId) return;
+    const trimmed = editingContent.trim();
+    if (!trimmed) return;
+
+    const response = await taskService.updateComment(taskId, editingId, trimmed);
+    if (response.error) {
+      toast.error(response.error);
+      return;
+    }
+
+    if (response.data) {
+      setComments((prev) => prev.map((c) => (c.id === editingId ? response.data! : c)));
+      cancelEdit();
+    }
+  };
+
+  const removeComment = async (commentId: string) => {
+    if (!window.confirm(t('tasks.confirm_delete_comment', 'Delete this comment?'))) return;
+
+    const response = await taskService.deleteComment(taskId, commentId);
+    if (response.error) {
+      toast.error(response.error);
+      return;
+    }
+
+    setComments((prev) => prev.filter((c) => c.id !== commentId));
+  };
+
   return (
     <div className="space-y-4">
       <div className="flex items-center gap-2">
@@ -124,15 +171,45 @@ export const TaskComments: React.FC<TaskCommentsProps> = ({ taskId }) => {
                     {comment.authorName}
                   </span>
                 </div>
-                <span className="text-[10px] text-gray-400">
-                  {formatDate(comment.createdAt)}
-                </span>
+                <div className="text-right">
+                  <span className="text-[10px] text-gray-400 block">
+                    {formatDate(comment.updatedAt || comment.createdAt)}
+                  </span>
+                  {comment.userId === currentUserId && (
+                    <div className="flex gap-2 justify-end mt-1">
+                      <button type="button" className="text-[10px] text-indigo-500" onClick={() => beginEdit(comment)}>
+                        {t('common.edit', 'Edit')}
+                      </button>
+                      <button type="button" className="text-[10px] text-red-500" onClick={() => removeComment(comment.id)}>
+                        {t('common.delete', 'Delete')}
+                      </button>
+                    </div>
+                  )}
+                </div>
               </div>
-              <p className={`text-sm whitespace-pre-wrap ${
-                theme === 'dark' ? 'text-gray-300' : 'text-gray-600'
-              }`}>
-                {comment.content}
-              </p>
+              {editingId === comment.id ? (
+                <div className="space-y-2">
+                  <textarea
+                    value={editingContent}
+                    onChange={(e) => setEditingContent(e.target.value)}
+                    rows={2}
+                    maxLength={MAX_COMMENT_LENGTH}
+                    className={`w-full p-2 text-sm rounded border ${
+                      theme === 'dark' ? 'bg-gray-900 border-gray-700 text-gray-100' : 'bg-white border-gray-200 text-gray-900'
+                    }`}
+                  />
+                  <div className="flex gap-2 justify-end">
+                    <button type="button" className="text-xs text-gray-500" onClick={cancelEdit}>{t('common.cancel', 'Cancel')}</button>
+                    <button type="button" className="text-xs text-indigo-500" onClick={saveEdit}>{t('common.save', 'Save')}</button>
+                  </div>
+                </div>
+              ) : (
+                <p className={`text-sm whitespace-pre-wrap ${
+                  theme === 'dark' ? 'text-gray-300' : 'text-gray-600'
+                }`}>
+                  {comment.content}
+                </p>
+              )}
             </div>
           ))
         )}
@@ -155,6 +232,7 @@ export const TaskComments: React.FC<TaskCommentsProps> = ({ taskId }) => {
         />
         <button
           type="submit"
+          aria-label={t('tasks.send_comment', 'Send comment')}
           data-testid="add-comment-button"
           disabled={!newComment.trim() || isSubmitting}
           className={`absolute right-2 bottom-2 p-2 rounded-lg transition-colors ${

From 49bb79d199b7db687ec77bc2197f895e4d3eede0 Mon Sep 17 00:00:00 2001
From: kelvin calcano <kelvin@vmi2907809.contaboserver.net>
Date: Fri, 13 Feb 2026 09:58:57 +0100
Subject: [PATCH 22/28] fix: add UPDATE RLS policy for task comments

---
 docs/DATABASE_SCHEMA.md                 |  9 ++++++++-
 migrations/001_create_task_comments.sql | 10 ++++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/docs/DATABASE_SCHEMA.md b/docs/DATABASE_SCHEMA.md
index 6da57bb..fc411b8 100644
--- a/docs/DATABASE_SCHEMA.md
+++ b/docs/DATABASE_SCHEMA.md
@@ -165,7 +165,7 @@ CREATE POLICY "Users can delete own tasks"
 
 ### `task_comments` Table Policies
 
-Users can view and create comments **only on their own tasks**. Users can delete their own comments.
+Users can view and create comments **only on their own tasks**. Users can update/delete their own comments.
 
 ```sql
 -- Enable RLS
@@ -195,6 +195,13 @@ CREATE POLICY "Users can create comments on their own tasks"
     )
   );
 
+-- Update: user can update their own comments
+CREATE POLICY "Users can update their own comments"
+  ON public.task_comments
+  FOR UPDATE
+  USING (auth.uid() = user_id)
+  WITH CHECK (auth.uid() = user_id);
+
 -- Delete: user can delete their own comments
 CREATE POLICY "Users can delete their own comments"
   ON public.task_comments
diff --git a/migrations/001_create_task_comments.sql b/migrations/001_create_task_comments.sql
index e18c0e6..0a22e42 100644
--- a/migrations/001_create_task_comments.sql
+++ b/migrations/001_create_task_comments.sql
@@ -48,6 +48,16 @@ CREATE POLICY "Users can create comments on their own tasks"
     )
   );
 
+CREATE POLICY "Users can update their own comments"
+  ON public.task_comments
+  FOR UPDATE
+  USING (
+    auth.uid() = user_id
+  )
+  WITH CHECK (
+    auth.uid() = user_id
+  );
+
 CREATE POLICY "Users can delete their own comments"
   ON public.task_comments
   FOR DELETE

From 1014998d5c811f046a9205520320f4860af0b151 Mon Sep 17 00:00:00 2001
From: kelvin calcano <kelvin@vmi2907809.contaboserver.net>
Date: Fri, 13 Feb 2026 09:59:02 +0100
Subject: [PATCH 23/28] feat: add visual cooldown UX for comment 429

---
 src/components/TaskComments.tsx | 37 +++++++++++++++++++++++++++++++--
 src/locales/en.json             |  3 ++-
 src/locales/es.json             |  3 ++-
 src/test/setup.ts               |  1 +
 4 files changed, 40 insertions(+), 4 deletions(-)

diff --git a/src/components/TaskComments.tsx b/src/components/TaskComments.tsx
index 36f092a..b676dae 100644
--- a/src/components/TaskComments.tsx
+++ b/src/components/TaskComments.tsx
@@ -19,6 +19,8 @@ export const TaskComments: React.FC<TaskCommentsProps> = ({ taskId }) => {
   const [newComment, setNewComment] = useState('');
   const [isLoading, setIsLoading] = useState(true);
   const [isSubmitting, setIsSubmitting] = useState(false);
+  const [cooldownUntil, setCooldownUntil] = useState<number | null>(null);
+  const [cooldownSeconds, setCooldownSeconds] = useState(0);
   const [currentUserId, setCurrentUserId] = useState<string | null>(null);
   const [editingId, setEditingId] = useState<string | null>(null);
   const [editingContent, setEditingContent] = useState('');
@@ -65,6 +67,27 @@ export const TaskComments: React.FC<TaskCommentsProps> = ({ taskId }) => {
     };
   }, [taskId]);
 
+  useEffect(() => {
+    if (!cooldownUntil) {
+      setCooldownSeconds(0);
+      return;
+    }
+
+    const tick = () => {
+      const remainingMs = cooldownUntil - Date.now();
+      if (remainingMs <= 0) {
+        setCooldownUntil(null);
+        setCooldownSeconds(0);
+        return;
+      }
+      setCooldownSeconds(Math.ceil(remainingMs / 1000));
+    };
+
+    tick();
+    const timer = window.setInterval(tick, 250);
+    return () => window.clearInterval(timer);
+  }, [cooldownUntil]);
+
   const handleSubmit = async (e: React.FormEvent) => {
     e.preventDefault();
     const trimmed = newComment.trim();
@@ -74,6 +97,11 @@ export const TaskComments: React.FC<TaskCommentsProps> = ({ taskId }) => {
     try {
       const response = await taskService.addComment(taskId, trimmed);
       if (response.error) {
+        const retryMatch = response.error.match(/wait\s+(\d+)s/i);
+        if (retryMatch) {
+          const seconds = Math.max(1, Number(retryMatch[1]));
+          setCooldownUntil(Date.now() + seconds * 1000);
+        }
         toast.error(response.error);
         return;
       }
@@ -234,9 +262,9 @@ export const TaskComments: React.FC<TaskCommentsProps> = ({ taskId }) => {
           type="submit"
           aria-label={t('tasks.send_comment', 'Send comment')}
           data-testid="add-comment-button"
-          disabled={!newComment.trim() || isSubmitting}
+          disabled={!newComment.trim() || isSubmitting || cooldownSeconds > 0}
           className={`absolute right-2 bottom-2 p-2 rounded-lg transition-colors ${
-            !newComment.trim() || isSubmitting
+            !newComment.trim() || isSubmitting || cooldownSeconds > 0
               ? 'text-gray-400'
               : 'text-indigo-500 hover:bg-indigo-50'
           }`}
@@ -246,6 +274,11 @@ export const TaskComments: React.FC<TaskCommentsProps> = ({ taskId }) => {
         <div className={`mt-1 text-[11px] text-right ${theme === 'dark' ? 'text-gray-500' : 'text-gray-400'}`}>
           {newComment.length}/{MAX_COMMENT_LENGTH}
         </div>
+        {cooldownSeconds > 0 && (
+          <div className={`text-[11px] mt-1 ${theme === 'dark' ? 'text-amber-400' : 'text-amber-600'}`}>
+            {t('tasks.comment_cooldown_wait', 'Please wait {{seconds}}s before posting another comment.', { seconds: cooldownSeconds })}
+          </div>
+        )}
       </form>
     </div>
   );
diff --git a/src/locales/en.json b/src/locales/en.json
index cb3c25d..edeb40e 100644
--- a/src/locales/en.json
+++ b/src/locales/en.json
@@ -116,7 +116,8 @@
         "parents": "Parents",
         "comments": "Comments",
         "no_comments": "No comments yet.",
-        "add_comment_placeholder": "Add a comment..."
+        "add_comment_placeholder": "Add a comment...",
+        "comment_cooldown_wait": "Please wait {{seconds}}s before posting another comment."
     },
     "nav": {
         "dashboard": "Dashboard",
diff --git a/src/locales/es.json b/src/locales/es.json
index 9f3cc57..7bfbfee 100644
--- a/src/locales/es.json
+++ b/src/locales/es.json
@@ -116,7 +116,8 @@
         "parents": "Padres",
         "comments": "Comentarios",
         "no_comments": "Aún no hay comentarios.",
-        "add_comment_placeholder": "Añadir un comentario..."
+        "add_comment_placeholder": "Añadir un comentario...",
+        "comment_cooldown_wait": "Espera {{seconds}}s antes de enviar otro comentario."
     },
     "nav": {
         "dashboard": "Tablero",
diff --git a/src/test/setup.ts b/src/test/setup.ts
index e341cd4..2bccea7 100644
--- a/src/test/setup.ts
+++ b/src/test/setup.ts
@@ -108,6 +108,7 @@ vi.mock('react-i18next', () => ({
         'tasks.comments': 'Comments',
         'tasks.no_comments': 'No comments yet.',
         'tasks.add_comment_placeholder': 'Add a comment...',
+        'tasks.comment_cooldown_wait': 'Please wait {{seconds}}s before posting another comment.',
         'common.loading': 'Loading...',
         // Add more mapping as needed by tests
       };

From 4ff8119154be7418189b589683ba9c65c600e809 Mon Sep 17 00:00:00 2001
From: kelvin calcano <kelvin@vmi2907809.contaboserver.net>
Date: Fri, 13 Feb 2026 09:59:05 +0100
Subject: [PATCH 24/28] docs: update key endpoints for task comments API

---
 docs/BACKEND_GUIDE.md | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/docs/BACKEND_GUIDE.md b/docs/BACKEND_GUIDE.md
index a947cda..f6ddf8b 100644
--- a/docs/BACKEND_GUIDE.md
+++ b/docs/BACKEND_GUIDE.md
@@ -107,6 +107,10 @@ backend/
 | GET | `/api/tasks/:id` | Get specific task by ID |
 | PUT | `/api/tasks/:id` | Update an existing task |
 | DELETE | `/api/tasks/:id` | Delete a task |
+| GET | `/api/tasks/:id/comments` | Get comments for a task (supports `limit` + `offset`) |
+| POST | `/api/tasks/:id/comments` | Create comment (cooldown/429 supported) |
+| PATCH | `/api/tasks/:id/comments/:commentId` | Edit own comment |
+| DELETE | `/api/tasks/:id/comments/:commentId` | Delete own comment |
 | **Time Entries** | | |
 | POST | `/api/time-entries/start` | Start task timer |
 | POST | `/api/time-entries/stop` | Stop task timer |
@@ -227,6 +231,11 @@ Manages task CRUD operations with:
   - `getTaskById`: Get single task (validates ownership)
   - `updateTask`: Update task fields (validates ownership)
   - `deleteTask`: Remove task (validates ownership)
+- **Comment Operations**:
+  - `getComments`: Paginated task comments (`limit`/`offset`)
+  - `addComment`: Sanitized create + backend cooldown (returns 429 + `Retry-After`)
+  - `updateComment`: Edit own comment
+  - `deleteComment`: Delete own comment
 - **Security**: Prevents cross-user data access
 - **Validation**: Status enum, UUID format, circular reference prevention
 

From e3bba4688ddd2869a35528a89e4a2647be42f2f9 Mon Sep 17 00:00:00 2001
From: kelvin calcano <kelvin@vmi2907809.contaboserver.net>
Date: Fri, 13 Feb 2026 10:06:24 +0100
Subject: [PATCH 25/28] fix: harden comment sanitization and delete error
 handling

---
 backend/src/controllers/taskController.js | 21 ++++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)

diff --git a/backend/src/controllers/taskController.js b/backend/src/controllers/taskController.js
index eaa1b8f..8d9d13c 100644
--- a/backend/src/controllers/taskController.js
+++ b/backend/src/controllers/taskController.js
@@ -427,10 +427,16 @@ const MAX_COMMENT_LENGTH = 2000;
 const COMMENT_COOLDOWN_MS = 1500;
 
 const sanitizeCommentContent = (value = '') => {
-  return value
-    .replace(/<[^>]*>/g, '')
-    .replace(/\s+/g, ' ')
-    .trim();
+  const escaped = String(value)
+    .replace(/&/g, '&amp;')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;')
+    .replace(/"/g, '&quot;')
+    .replace(/'/g, '&#39;')
+    .replace(/`/g, '&#96;')
+    .replace(/\u0000/g, '');
+
+  return escaped.replace(/\s+/g, ' ').trim();
 };
 
 /**
@@ -573,7 +579,12 @@ const deleteComment = async (req, res) => {
       .select('id')
       .maybeSingle();
 
-    if (error || !deleted) {
+    if (error) {
+      console.error('Delete comment DB error:', error);
+      return res.status(500).json({ error: 'Failed to delete comment' });
+    }
+
+    if (!deleted) {
       return res.status(404).json({ error: 'Comment not found or not allowed' });
     }
 

From 572edfee4d2e1a79615166b6641837086ab7e8e8 Mon Sep 17 00:00:00 2001
From: kelvin calcano <kelvin@vmi2907809.contaboserver.net>
Date: Fri, 13 Feb 2026 10:06:28 +0100
Subject: [PATCH 26/28] fix: keep comments on fetch error and use structured
 cooldown

---
 src/components/TaskComments.tsx           | 6 ++----
 src/services/taskService.ts               | 5 ++++-
 src/test/components/TaskComments.test.tsx | 5 ++---
 3 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/src/components/TaskComments.tsx b/src/components/TaskComments.tsx
index b676dae..f0d31a7 100644
--- a/src/components/TaskComments.tsx
+++ b/src/components/TaskComments.tsx
@@ -31,7 +31,6 @@ export const TaskComments: React.FC<TaskCommentsProps> = ({ taskId }) => {
     const requestId = ++requestSeqRef.current;
 
     setIsLoading(true);
-    setComments([]);
     try {
       const response = await taskService.getComments(taskId);
       if (requestId !== requestSeqRef.current) return;
@@ -97,9 +96,8 @@ export const TaskComments: React.FC<TaskCommentsProps> = ({ taskId }) => {
     try {
       const response = await taskService.addComment(taskId, trimmed);
       if (response.error) {
-        const retryMatch = response.error.match(/wait\s+(\d+)s/i);
-        if (retryMatch) {
-          const seconds = Math.max(1, Number(retryMatch[1]));
+        if (response.retryAfterSeconds) {
+          const seconds = Math.max(1, Number(response.retryAfterSeconds));
           setCooldownUntil(Date.now() + seconds * 1000);
         }
         toast.error(response.error);
diff --git a/src/services/taskService.ts b/src/services/taskService.ts
index 0241b3b..767aede 100644
--- a/src/services/taskService.ts
+++ b/src/services/taskService.ts
@@ -21,6 +21,7 @@ interface ApiResponse<T> {
   data?: T;
   error?: string;
   message?: string;
+  retryAfterSeconds?: number;
 }
 
 /**
@@ -139,10 +140,12 @@ export class TaskService {
 
       if (!response.ok) {
         if (response.status === 429) {
-          const retryAfter = (data as any)?.retry_after_seconds || response.headers.get('Retry-After');
+          const retryAfterRaw = (data as any)?.retry_after_seconds || response.headers.get('Retry-After');
+          const retryAfter = retryAfterRaw ? Number(retryAfterRaw) : undefined;
           const waitText = retryAfter ? ` Please wait ${retryAfter}s before posting another comment.` : ' Please wait before posting another comment.';
           return {
             error: (data as any)?.error || `Too many requests.${waitText}`,
+            retryAfterSeconds: Number.isFinite(retryAfter) ? retryAfter : undefined,
           };
         }
 
diff --git a/src/test/components/TaskComments.test.tsx b/src/test/components/TaskComments.test.tsx
index f91437f..6490806 100644
--- a/src/test/components/TaskComments.test.tsx
+++ b/src/test/components/TaskComments.test.tsx
@@ -75,7 +75,7 @@ describe('TaskComments', () => {
     });
   });
 
-  it('should clear stale comments and surface error when fetch fails', async () => {
+  it('should keep previous comments and surface error when fetch fails', async () => {
     vi.mocked(taskService.getComments)
       .mockResolvedValueOnce({ data: mockComments })
       .mockResolvedValueOnce({ error: 'Not authenticated. Please log in.' });
@@ -94,8 +94,7 @@ describe('TaskComments', () => {
 
     await waitFor(() => {
       expect(toast.error).toHaveBeenCalledWith('Not authenticated. Please log in.');
-      expect(screen.queryByText('First comment')).not.toBeInTheDocument();
-      expect(screen.getByText('No comments yet.')).toBeInTheDocument();
+      expect(screen.getByText('First comment')).toBeInTheDocument();
     });
   });
 

From b28a8a4a4e81262280066f53a6971e5b4c9956c6 Mon Sep 17 00:00:00 2001
From: kelvin calcano <kelvin@vmi2907809.contaboserver.net>
Date: Fri, 13 Feb 2026 10:06:33 +0100
Subject: [PATCH 27/28] docs: sync guides for comments API, cooldown, and RLS

---
 docs/BACKEND_GUIDE.md  |  6 +++---
 docs/FRONTEND_GUIDE.md |  7 +++++++
 docs/PRD_GUIDE.md      | 11 +++++++++--
 docs/TESTING_GUIDE.md  |  1 +
 4 files changed, 20 insertions(+), 5 deletions(-)

diff --git a/docs/BACKEND_GUIDE.md b/docs/BACKEND_GUIDE.md
index f6ddf8b..850d579 100644
--- a/docs/BACKEND_GUIDE.md
+++ b/docs/BACKEND_GUIDE.md
@@ -232,10 +232,10 @@ Manages task CRUD operations with:
   - `updateTask`: Update task fields (validates ownership)
   - `deleteTask`: Remove task (validates ownership)
 - **Comment Operations**:
-  - `getComments`: Paginated task comments (`limit`/`offset`)
-  - `addComment`: Sanitized create + backend cooldown (returns 429 + `Retry-After`)
+  - `getComments`: Paginated task comments (`limit`/`offset`) with safe-range guard
+  - `addComment`: Sanitized create + backend cooldown (returns 429 + `Retry-After` + `retry_after_seconds`)
   - `updateComment`: Edit own comment
-  - `deleteComment`: Delete own comment
+  - `deleteComment`: Delete own comment with explicit `404` (not found) vs `500` (DB error)
 - **Security**: Prevents cross-user data access
 - **Validation**: Status enum, UUID format, circular reference prevention
 
diff --git a/docs/FRONTEND_GUIDE.md b/docs/FRONTEND_GUIDE.md
index 6d83fad..1939de4 100644
--- a/docs/FRONTEND_GUIDE.md
+++ b/docs/FRONTEND_GUIDE.md
@@ -66,6 +66,7 @@ src/
 │   ├── TaskForm.tsx     # Task creation/editing form
 │   ├── TaskItem.tsx     # Individual task component
 │   ├── TaskTimer.tsx    # Time tracking component
+│   ├── TaskComments.tsx # Task comments (create/edit/delete + cooldown UX)
 │   ├── TaskStats.tsx    # Statistics component
 │   ├── TimeStatsView.tsx # Time analytics view
 │   ├── ProgressIcon.tsx # Custom progress icon
@@ -955,6 +956,12 @@ const useApiCall = <T>(apiFunction: () => Promise<T>) => {
 };
 ```
 
+### Task Comments Error/Cooldown Handling
+
+- `TaskComments` keeps previously loaded comments when a fetch error occurs (avoids flicker/context loss on transient errors).
+- Cooldown UX is driven by structured backend metadata (`retry_after_seconds` / `Retry-After`) instead of parsing localized text.
+- While cooldown is active, the submit button is disabled and a countdown message is shown.
+
 ### User-Friendly Error Messages
 
 #### Error Display Components
diff --git a/docs/PRD_GUIDE.md b/docs/PRD_GUIDE.md
index 7313ceb..0a4464e 100644
--- a/docs/PRD_GUIDE.md
+++ b/docs/PRD_GUIDE.md
@@ -25,6 +25,13 @@ Create an intuitive, powerful task management tool that combines hierarchical or
 
 ### 🆕 Recent Updates
 
+**Feature TM-066: Task Comments End-to-End** (✅ Completed)
+- Backend endpoints for comments: list/create/update/delete
+- RLS policies now include `SELECT`, `INSERT`, `UPDATE`, `DELETE`
+- DB-backed cooldown with `429` + `Retry-After` header
+- Frontend cooldown UX: disabled send button + countdown message
+- Added pagination support (`limit`/`offset`) and improved error handling
+
 **Feature TM-065: UX - Close Detail View with Escape** (✅ Completed)
 - Implemented global `Escape` key listener in `TaskDetailModal` for instant closure
 - Enhanced navigation to ensure return to Board or Tree view upon closing
@@ -142,12 +149,12 @@ Create an intuitive, powerful task management tool that combines hierarchical or
 | **Password Reset** | ✅ Complete | 100% | Forgot password functionality |
 | **Account Settings** | ❌ Pending | 0% | User preferences and settings |
 
-### 📱 Enhanced UI Features (Not Started - 25%)
+### 📱 Enhanced UI Features (In Progress - 40%)
 
 | Feature | Status | Completion | Description |
 |---------|--------|------------|-------------|
 | **Task Detail View** | ✅ Complete | 100% | Detailed task view modal |
-| **Task Comments** | ❌ Pending | 0% | Add comments to tasks |
+| **Task Comments** | ✅ Complete | 100% | Create/edit/delete comments, backend cooldown (429), Retry-After UX countdown, and RLS-backed ownership controls |
 | **Task Attachments** | ✅ Complete | 100% | Attach files to tasks |
 | **Task Labels/Tags** | ❌ Pending | 0% | Categorize tasks with labels |
 | **Task Priority** | ❌ Pending | 0% | Set task priorities |
diff --git a/docs/TESTING_GUIDE.md b/docs/TESTING_GUIDE.md
index 21ae1f8..15aa32e 100644
--- a/docs/TESTING_GUIDE.md
+++ b/docs/TESTING_GUIDE.md
@@ -79,6 +79,7 @@ src/test/
   - ResetPasswordPage (7 tests)
 - **PasswordInput**: Componente de contraseña con toggle de visibilidad (8 tests)
 - **TaskForm**: Creación, edición, validación, IA, campos de Estimación y Responsable (22 tests)
+- **TaskComments**: carga, estado vacío, submit, manejo de error, y prevención de stale state/race conditions (5 tests)
 - **TaskTimer**: Cronometraje, notificaciones (6 tests)
 - **useTasks**: Lógica de tareas y tiempo (10 tests)
 - **openaiService**: Integración IA (16 tests)

From 3ddaff682cc14dfc713802b0710a4fd7d25f2f09 Mon Sep 17 00:00:00 2001
From: kelvin calcano <kelvin@vmi2907809.contaboserver.net>
Date: Fri, 13 Feb 2026 10:12:50 +0100
Subject: [PATCH 28/28] fix: prevent duplicate edit requests in task comments

---
 src/components/TaskComments.tsx | 28 +++++++++++++++++-----------
 1 file changed, 17 insertions(+), 11 deletions(-)

diff --git a/src/components/TaskComments.tsx b/src/components/TaskComments.tsx
index f0d31a7..2d0cae0 100644
--- a/src/components/TaskComments.tsx
+++ b/src/components/TaskComments.tsx
@@ -24,6 +24,7 @@ export const TaskComments: React.FC<TaskCommentsProps> = ({ taskId }) => {
   const [currentUserId, setCurrentUserId] = useState<string | null>(null);
   const [editingId, setEditingId] = useState<string | null>(null);
   const [editingContent, setEditingContent] = useState('');
+  const [isSavingEdit, setIsSavingEdit] = useState(false);
   const requestSeqRef = useRef(0);
   const MAX_COMMENT_LENGTH = 2000;
 
@@ -127,19 +128,24 @@ export const TaskComments: React.FC<TaskCommentsProps> = ({ taskId }) => {
   };
 
   const saveEdit = async () => {
-    if (!editingId) return;
+    if (!editingId || isSavingEdit) return;
     const trimmed = editingContent.trim();
     if (!trimmed) return;
 
-    const response = await taskService.updateComment(taskId, editingId, trimmed);
-    if (response.error) {
-      toast.error(response.error);
-      return;
-    }
+    setIsSavingEdit(true);
+    try {
+      const response = await taskService.updateComment(taskId, editingId, trimmed);
+      if (response.error) {
+        toast.error(response.error);
+        return;
+      }
 
-    if (response.data) {
-      setComments((prev) => prev.map((c) => (c.id === editingId ? response.data! : c)));
-      cancelEdit();
+      if (response.data) {
+        setComments((prev) => prev.map((c) => (c.id === editingId ? response.data! : c)));
+        cancelEdit();
+      }
+    } finally {
+      setIsSavingEdit(false);
     }
   };
 
@@ -225,8 +231,8 @@ export const TaskComments: React.FC<TaskCommentsProps> = ({ taskId }) => {
                     }`}
                   />
                   <div className="flex gap-2 justify-end">
-                    <button type="button" className="text-xs text-gray-500" onClick={cancelEdit}>{t('common.cancel', 'Cancel')}</button>
-                    <button type="button" className="text-xs text-indigo-500" onClick={saveEdit}>{t('common.save', 'Save')}</button>
+                    <button type="button" className="text-xs text-gray-500 disabled:opacity-50" onClick={cancelEdit} disabled={isSavingEdit}>{t('common.cancel', 'Cancel')}</button>
+                    <button type="button" className="text-xs text-indigo-500 disabled:opacity-50" onClick={saveEdit} disabled={isSavingEdit}>{isSavingEdit ? t('common.loading', 'Loading...') : t('common.save', 'Save')}</button>
                   </div>
                 </div>
               ) : (