kelvinCB · kelvinCB · Feb 13, 2026 · Feb 12, 2026 · Feb 12, 2026 · Feb 12, 2026
diff --git a/.github/workflows/kimi-co-review.yml b/.github/workflows/kimi-co-review.yml
@@ -0,0 +1,21 @@
+name: Kimi PR Co-Review
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened, ready_for_review]
+
+permissions:
+  contents: read
+  pull-requests: write
+
+concurrency:
+  group: kimi-co-review-pr-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+
+jobs:
+  kimi:
+    uses: kelvinCB/github-automation/.github/workflows/kimi-review-reusable.yml@main
+    with:
+      marker_prefix: kimi-action-review
+    secrets:
+      MOONSHOT_API_KEY: ${{ secrets.MOONSHOT_API_KEY }}
diff --git a/backend/src/controllers/taskController.js b/backend/src/controllers/taskController.js
@@ -377,10 +377,232 @@ const deleteTask = async (req, res) => {
   }
 };
 
+/**
+ * Get all comments for a specific task
+ */
+const getComments = async (req, res) => {
+  try {
+    const { id: task_id } = req.params;
+    const user_id = req.user.id;
+    const rawLimit = Number.parseInt(String(req.query.limit ?? '50'), 10);
+    const rawOffset = Number.parseInt(String(req.query.offset ?? '0'), 10);
+    const limit = Number.isFinite(rawLimit) ? Math.min(Math.max(rawLimit, 1), 200) : 50;
+    const offset = Number.isFinite(rawOffset) ? Math.max(rawOffset, 0) : 0;
+
+    if (!Number.isSafeInteger(offset + limit - 1)) {
+      return res.status(400).json({ error: 'Invalid pagination range' });
+    }
+
+    const db = req.supabase || supabaseClient.supabase;
+
+    // Verify task belongs to user
+    const { data: task, error: taskErr } = await db
+      .from('tasks')
+      .select('id')
+      .eq('id', task_id)
+      .eq('user_id', user_id)
+      .single();
+
+    if (taskErr || !task) {
+      return res.status(404).json({ error: 'Task not found' });
+    }
+
+    const { data: comments, error } = await db
+      .from('task_comments')
+      .select('id, task_id, user_id, author_name, author_avatar, content, created_at, updated_at')
+      .eq('task_id', task_id)
+      .order('created_at', { ascending: true })
+      .range(offset, offset + limit - 1);
+
+    if (error) throw error;
+
+    res.status(200).json({ comments });
+  } catch (error) {
+    console.error('Get comments error:', error);
+    res.status(500).json({ error: 'Internal server error' });
+  }
+};
+
+const MAX_COMMENT_LENGTH = 2000;
+const COMMENT_COOLDOWN_MS = 1500;
+
+const sanitizeCommentContent = (value = '') => {
+  const escaped = String(value)
+    .replace(/&/g, '&amp;')
+    .replace(/</g, '&lt;')
+    .replace(/>/g, '&gt;')
+    .replace(/"/g, '&quot;')
+    .replace(/'/g, '&#39;')
+    .replace(/`/g, '&#96;')
+    .replace(/\u0000/g, '');
+
+  return escaped.replace(/\s+/g, ' ').trim();
+};
+
+/**
+ * Add a new comment to a task
+ */
+const addComment = async (req, res) => {
+  try {
+    const { id: task_id } = req.params;
+    const { content } = req.body;
+    const user_id = req.user.id;
+
+    if (typeof content !== 'string') {
+      return res.status(400).json({ error: 'Content must be a string' });
+    }
+
+    const sanitized = sanitizeCommentContent(content);
+    if (!sanitized) {
+      return res.status(400).json({ error: 'Content is required' });
+    }
+
+    if (sanitized.length > MAX_COMMENT_LENGTH) {
+      return res.status(400).json({ error: `Content exceeds max length (${MAX_COMMENT_LENGTH})` });
+    }
+
+    const db = req.supabase || supabaseClient.supabase;
+
+    // Verify task belongs to user
+    const { data: task, error: taskErr } = await db
+      .from('tasks')
+      .select('id')
+      .eq('id', task_id)
+      .eq('user_id', user_id)
+      .single();
+
+    if (taskErr || !task) {
+      return res.status(404).json({ error: 'Task not found' });
+    }
+
+    // DB-backed cooldown (multi-instance safe)
+    const cooldownSince = new Date(Date.now() - COMMENT_COOLDOWN_MS).toISOString();
+    const { data: latestOwnComment } = await db
+      .from('task_comments')
+      .select('created_at')
+      .eq('user_id', user_id)
+      .order('created_at', { ascending: false })
+      .limit(1)
+      .maybeSingle();
+
+    if (latestOwnComment?.created_at && latestOwnComment.created_at > cooldownSince) {
+      const elapsedMs = Date.now() - new Date(latestOwnComment.created_at).getTime();
+      const retryAfterSeconds = Math.max(1, Math.ceil((COMMENT_COOLDOWN_MS - elapsedMs) / 1000));
+      res.set('Retry-After', String(retryAfterSeconds));
+      return res.status(429).json({
+        error: `Please wait ${retryAfterSeconds}s before posting another comment.`,
+        retry_after_seconds: retryAfterSeconds,
+      });
+    }
+
+    // Get user profile for author info
+    const { data: profile } = await db
+      .from('profiles')
+      .select('username, display_name, avatar_url')
+      .eq('id', user_id)
+      .maybeSingle();
+
+    const author_name = profile?.display_name || profile?.username || 'User';
+    const author_avatar = profile?.avatar_url || null;
+
+    const { data: comment, error } = await db
+      .from('task_comments')
+      .insert([{
+        task_id,
+        user_id,
+        author_name,
+        author_avatar,
+        content: sanitized
+      }])
+      .select('id, task_id, user_id, author_name, author_avatar, content, created_at, updated_at')
+      .single();
+
+    if (error) throw error;
+
+    res.status(201).json({ comment });
+  } catch (error) {
+    console.error('Add comment error:', error);
+    res.status(500).json({ error: 'Internal server error' });
+  }
+};
+
+const updateComment = async (req, res) => {
+  try {
+    const { id: task_id, commentId } = req.params;
+    const { content } = req.body;
+    const user_id = req.user.id;
+
+    if (typeof content !== 'string') {
+      return res.status(400).json({ error: 'Content must be a string' });
+    }
+
+    const sanitized = sanitizeCommentContent(content);
+    if (!sanitized) return res.status(400).json({ error: 'Content is required' });
+    if (sanitized.length > MAX_COMMENT_LENGTH) {
+      return res.status(400).json({ error: `Content exceeds max length (${MAX_COMMENT_LENGTH})` });
+    }
+
+    const db = req.supabase || supabaseClient.supabase;
+
+    const { data: updated, error } = await db
+      .from('task_comments')
+      .update({ content: sanitized, updated_at: new Date().toISOString() })
+      .eq('id', commentId)
+      .eq('task_id', task_id)
+      .eq('user_id', user_id)
+      .select('id, task_id, user_id, author_name, author_avatar, content, created_at, updated_at')
+      .single();
+
+    if (error || !updated) {
+      return res.status(404).json({ error: 'Comment not found or not allowed' });
+    }
+
+    res.status(200).json({ comment: updated });
+  } catch (error) {
+    console.error('Update comment error:', error);
+    res.status(500).json({ error: 'Internal server error' });
+  }
+};
+
+const deleteComment = async (req, res) => {
+  try {
+    const { id: task_id, commentId } = req.params;
+    const user_id = req.user.id;
+    const db = req.supabase || supabaseClient.supabase;
+
+    const { data: deleted, error } = await db
+      .from('task_comments')
+      .delete()
+      .eq('id', commentId)
+      .eq('task_id', task_id)
+      .eq('user_id', user_id)
+      .select('id')
+      .maybeSingle();
+
+    if (error) {
+      console.error('Delete comment DB error:', error);
+      return res.status(500).json({ error: 'Failed to delete comment' });
+    }
+
+    if (!deleted) {
+      return res.status(404).json({ error: 'Comment not found or not allowed' });
+    }
+
+    res.status(200).json({ message: 'Comment deleted' });
+  } catch (error) {
+    console.error('Delete comment error:', error);
+    res.status(500).json({ error: 'Internal server error' });
+  }
+};
+
 module.exports = {
   createTask,
   getTasks,
   getTaskById,
   updateTask,
-  deleteTask
+  deleteTask,
+  getComments,
+  addComment,
+  updateComment,
+  deleteComment
 };
diff --git a/backend/src/routes/tasks.js b/backend/src/routes/tasks.js
@@ -6,7 +6,11 @@ const {
   getTasks,
   getTaskById,
   updateTask,
-  deleteTask
+  deleteTask,
+  getComments,
+  addComment,
+  updateComment,
+  deleteComment
 } = require('../controllers/taskController');
 
 // Apply authentication middleware to all task routes
@@ -151,4 +155,59 @@ router.put('/:id', updateTask);
  */
 router.delete('/:id', deleteTask);
 
+/**
+ * @swagger
+ * /tasks/{id}/comments:
+ *   get:
+ *     summary: Get all comments for a task
+ *     tags: [Tasks]
+ *     security:
+ *       - bearerAuth: []
+ *     parameters:
+ *       - in: path
+ *         name: id
+ *         required: true
+ *         schema:
+ *           type: string
+ *         description: Task ID
+ *     responses:
+ *       200:
+ *         description: List of comments
+ */
+router.get('/:id/comments', getComments);
+
+/**
+ * @swagger
+ * /tasks/{id}/comments:
+ *   post:
+ *     summary: Add a comment to a task
+ *     tags: [Tasks]
+ *     security:
+ *       - bearerAuth: []
+ *     parameters:
+ *       - in: path
+ *         name: id
+ *         required: true
+ *         schema:
+ *           type: string
+ *         description: Task ID
+ *     requestBody:
+ *       required: true
+ *       content:
+ *         application/json:
+ *           schema:
+ *             type: object
+ *             required:
+ *               - content
+ *             properties:
+ *               content:
+ *                 type: string
+ *     responses:
+ *       201:
+ *         description: Comment created
+ */
+router.post('/:id/comments', addComment);
+router.patch('/:id/comments/:commentId', updateComment);
+router.delete('/:id/comments/:commentId', deleteComment);
+
 module.exports = router;
diff --git a/docs/BACKEND_GUIDE.md b/docs/BACKEND_GUIDE.md
@@ -107,6 +107,10 @@ backend/
 | GET | `/api/tasks/:id` | Get specific task by ID |
 | PUT | `/api/tasks/:id` | Update an existing task |
 | DELETE | `/api/tasks/:id` | Delete a task |
+| GET | `/api/tasks/:id/comments` | Get comments for a task (supports `limit` + `offset`) |
+| POST | `/api/tasks/:id/comments` | Create comment (cooldown/429 supported) |
+| PATCH | `/api/tasks/:id/comments/:commentId` | Edit own comment |
+| DELETE | `/api/tasks/:id/comments/:commentId` | Delete own comment |
 | **Time Entries** | | |
 | POST | `/api/time-entries/start` | Start task timer |
 | POST | `/api/time-entries/stop` | Stop task timer |
@@ -227,6 +231,11 @@ Manages task CRUD operations with:
   - `getTaskById`: Get single task (validates ownership)
   - `updateTask`: Update task fields (validates ownership)
   - `deleteTask`: Remove task (validates ownership)
+- **Comment Operations**:
+  - `getComments`: Paginated task comments (`limit`/`offset`) with safe-range guard
+  - `addComment`: Sanitized create + backend cooldown (returns 429 + `Retry-After` + `retry_after_seconds`)
+  - `updateComment`: Edit own comment
+  - `deleteComment`: Delete own comment with explicit `404` (not found) vs `500` (DB error)
 - **Security**: Prevents cross-user data access
 - **Validation**: Status enum, UUID format, circular reference prevention