frankbria
diff --git a/‎CLAUDE.md‎
Lines changed: 4 additions & 2 deletions b/‎CLAUDE.md‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎codeframe/core/github_issues_service.py‎
Lines changed: 218 additions & 0 deletions b/‎codeframe/core/github_issues_service.py‎
Lines changed: 218 additions & 0 deletions
@@ -36,9 +36,11 @@ If you are an agent working in this repo: **do not improvise architecture**. Fol
 
 ### Current Focus: Phase 4A
 
-**Phase 5.5 is in progress** — GitHub Issues import. Repo connection via PAT (#563) is **complete**: Settings → **Integrations** tab connects a GitHub repo with a Personal Access Token. Backend `POST/DELETE/GET /api/v2/integrations/github/{connect,disconnect,status}` (`ui/routers/github_integrations_v2.py`). Validation is headless in `core/github_connect_service.py` (httpx; verifies token, repo visibility, and issues-read access; typed errors → 401/404/403). The PAT is stored machine-wide via `CredentialManager` (`CredentialProvider.GIT_GITHUB`, the #555 pattern) and **never returned in any response**; non-secret repo metadata persists per-workspace in `.codeframe/github_integration.json` (`core/github_integration_config.py`). Frontend: `GitHubIntegrationCard` + `integrationsApi`.
+**Phase 5.5 is complete** — GitHub Issues import. Repo connection via PAT (#563) is **complete**: Settings → **Integrations** tab connects a GitHub repo with a Personal Access Token. Backend `POST/DELETE/GET /api/v2/integrations/github/{connect,disconnect,status}` (`ui/routers/github_integrations_v2.py`). Validation is headless in `core/github_connect_service.py` (httpx; verifies token, repo visibility, and issues-read access; typed errors → 401/404/403). The PAT is stored machine-wide via `CredentialManager` (`CredentialProvider.GIT_GITHUB`, the #555 pattern) and **never returned in any response**; non-secret repo metadata persists per-workspace in `.codeframe/github_integration.json` (`core/github_integration_config.py`). Frontend: `GitHubIntegrationCard` + `integrationsApi`.
 
-Issue **browse** (#564) is **complete**: `GET /api/v2/integrations/github/issues?page&per_page&search&label` on the same router lists the connected repo's **open** issues (PRs filtered out) — repo from `.codeframe/github_integration.json`, PAT from `CredentialManager`, **409** when not connected. Headless fetch in `core/github_issues_service.py` (`list_issues`): plain `/repos/{o}/{r}/issues` by default, routes to `/search/issues` for free-text search, `labels=` filter, `Link`-header pagination, 60s in-process TTL cache, typed errors → 401/403/502. Frontend: `GitHubIssueImportModal` (paginated list, debounced search, label filter, multi-select that persists across pages, select-all-on-page, Import-Selected gated on ≥1) + `integrationsApi.getIssues`; an **Import from GitHub** button on `/tasks` (`TaskBoardView`) shown only when connected. The import action itself is the remaining 5.5 work (#565).
+Issue **browse** (#564) is **complete**: `GET /api/v2/integrations/github/issues?page&per_page&search&label` on the same router lists the connected repo's **open** issues (PRs filtered out) — repo from `.codeframe/github_integration.json`, PAT from `CredentialManager`, **409** when not connected. Headless fetch in `core/github_issues_service.py` (`list_issues`): plain `/repos/{o}/{r}/issues` by default, routes to `/search/issues` for free-text search, `labels=` filter, `Link`-header pagination, 60s in-process TTL cache, typed errors → 401/403/502. Frontend: `GitHubIssueImportModal` (paginated list, debounced search, label filter, multi-select that persists across pages, select-all-on-page, Import-Selected gated on ≥1) + `integrationsApi.getIssues`; an **Import from GitHub** button on `/tasks` (`TaskBoardView`) shown only when connected.
+
+Issue **import + traceability** (#565) is **complete**: `POST /api/v2/integrations/github/import` (same router) turns selected issues into tasks — title verbatim, body as description (+ a best-effort `**Labels:**` footer), linked via `github_issue_number` + `external_url`; PRs are rejected (`NotAnIssueError`→422), missing issues 404, fetch failures 502, malformed saved repo 409. Import is two-phase (fetch+dedupe all, then create) with rollback on a mid-create DB error; dedup is keyed on the full issue URL and backed by a `UNIQUE(workspace_id, external_url)` index (atomic across concurrent imports). Issue ops live in `core/github_issues_service.py` (`get_issue`, `close_issue`). **Auto-close**: marking an opted-in imported task DONE closes the linked issue — fired from core `tasks.update_status` so the web UI, CLI, and agent/batch paths all trigger it; the close targets the task's *source* repo parsed from `external_url` (not the live connection) and runs off the caller's path (event loop in the server, non-daemon thread in CLI). `TaskResponse` exposes the three traceability fields; `PATCH /api/v2/tasks/{id}` accepts `auto_close_github_issue` (persist-first + rollback-on-rejected-transition, with late opt-in on already-DONE tasks). Frontend: `GitHubIssueBadge`, import wiring in `TaskBoardView` (progress, in-modal error, summary banner), badge + auto-close checkbox in `TaskDetailModal`, `integrationsApi.importIssues` + `tasksApi.updateGitHubSettings`. **Known limitation**: auto-close uses the single machine-wide GIT_GITHUB PAT, so closing an older imported repo's issue after reconnecting to a different repo may fail if that PAT lacks access.
 
 **Phase 5.4 is complete** — PRD stress-test web UI: trigger + streaming (#561). Backend: `GET /api/v2/prd/stress-test` SSE endpoint streams `goals_extracted`, `goal_analyzed`, `complete`, and `error` events from `core/prd_stress_test.py:stress_test_prd_stream()`, resolving the LLM provider via the standard chain and applying the standard rate limit. Frontend: `useStressTestStream` hook manages the SSE connection and event accumulation; `StressTestModal` renders the streaming progress and is opened via a "Stress Test" button on the `/prd` page (enabled only when a PRD exists). Results rendering + refinement (#562) is **complete**: the `complete` SSE event now carries structured, severity-tagged `ambiguities` (`Ambiguity.severity` is `"blocking"`/`"warning"`); `StressTestModal` shows a results view of `AmbiguityCard`s (question text, severity badge, answer textarea) with an "X of Y answered" progress indicator and a **[Refine PRD]** button (disabled until every blocking ambiguity is answered). Refine posts to `POST /api/v2/prd/stress-test/refine`, which folds the answers into a new PRD version via `resolve_ambiguities_into_prd` (offloaded with `asyncio.to_thread`) and `prd.create_new_version`, then `mutatePrd` reflects it in the editor.
 
 
@@ -37,6 +37,23 @@
 
 _TIMEOUT = 15.0
 
+
+class NotAnIssueError(Exception):
+    """The requested number refers to a pull request, not an issue (#565).
+
+    Intentionally NOT a ``GitHubConnectError`` subclass: callers map it to a
+    client error (the caller sent a PR number), not a GitHub upstream failure.
+    """
+
+
+class IssueNotFoundError(Exception):
+    """The requested issue number does not exist in the repo (404) (#565).
+
+    Intentionally NOT a ``GitHubConnectError`` subclass: a missing/stale issue
+    number is a client error (bad payload), not a GitHub upstream failure, so
+    callers map it to a 4xx rather than a 502.
+    """
+
 # Parse the ``page=N`` query param out of a Link header's rel="last" URL.
 _LAST_PAGE_RE = re.compile(r'[?&]page=(\d+)[^>]*>;\s*rel="last"')
 
@@ -190,6 +207,207 @@ async def _list_issues(
     return issues, total
 
 
+class GitHubIssueDetail(TypedDict):
+    number: int
+    title: str
+    body: str
+    labels: list[str]
+    html_url: str
+
+
+async def get_issue(
+    pat: str,
+    repo: str,
+    number: int,
+    *,
+    client: Optional[httpx.AsyncClient] = None,
+) -> GitHubIssueDetail:
+    """Fetch a single issue's details for import (issue #565).
+
+    Unlike the list endpoint, this returns the issue ``body`` so the importer
+    can populate the task description.
+
+    Args:
+        pat: GitHub Personal Access Token.
+        repo: Repository in ``owner/repo`` format.
+        number: Issue number to fetch.
+        client: Optional httpx client (injected by tests). When ``None`` a
+            short-lived client is created and closed internally.
+
+    Returns:
+        ``{number, title, body, labels, html_url}`` — ``body`` is normalized to
+        ``""`` when GitHub returns null.
+
+    Raises:
+        ValueError: if ``repo`` is not a valid ``owner/repo`` string.
+        InvalidTokenError: GitHub returned 401.
+        InsufficientScopeError: the token cannot read issues (403).
+        GitHubConnectError: any other non-success response or network error.
+    """
+    owner, name = parse_repo(repo)
+
+    own_client = client is None
+    if own_client:
+        client = httpx.AsyncClient(timeout=_TIMEOUT)
+    try:
+        try:
+            resp = await client.get(
+                f"{GITHUB_API_BASE}/repos/{owner}/{name}/issues/{number}",
+                headers=_headers(pat),
+            )
+        except httpx.HTTPError as exc:
+            logger.warning("GitHub get issue failed: %s", type(exc).__name__)
+            raise GitHubConnectError("Could not reach GitHub. Try again later.")
+
+        # A 404 on /issues/{n} is ambiguous: the issue may genuinely not exist,
+        # OR the repo/token became inaccessible (renamed/deleted repo, rotated
+        # token). Probe the repo to tell a client typo (-> IssueNotFoundError,
+        # 404) apart from a broken integration (-> connect/auth error) so callers
+        # get the right recovery path. The probe only runs on the 404 path.
+        if resp.status_code == 404:
+            try:
+                repo_resp = await client.get(
+                    f"{GITHUB_API_BASE}/repos/{owner}/{name}", headers=_headers(pat)
+                )
+            except httpx.HTTPError as exc:
+                logger.warning("GitHub repo probe failed: %s", type(exc).__name__)
+                raise GitHubConnectError("Could not reach GitHub. Try again later.")
+            if repo_resp.status_code == 401:
+                raise InvalidTokenError("Invalid GitHub token.")
+            if repo_resp.status_code == 403:
+                raise InsufficientScopeError(
+                    "Token lacks access to this repository."
+                )
+            if repo_resp.status_code == 404:
+                raise GitHubConnectError(
+                    f"Repository '{repo}' is no longer accessible."
+                )
+            if repo_resp.status_code >= 400:
+                # Rate limit / 5xx / other failure on the probe — a real upstream
+                # problem, NOT a missing issue. Surface it as such so the caller
+                # retries rather than blaming the issue number.
+                raise GitHubConnectError(
+                    f"GitHub repo check returned status {repo_resp.status_code}."
+                )
+            # Repo probe succeeded (2xx) → the issue itself genuinely does not
+            # exist. (A 3xx would also land here, but GitHub answers repo lookups
+            # with 2xx/4xx, not redirects, for this endpoint.)
+            if repo_resp.status_code >= 300:
+                raise GitHubConnectError(
+                    f"GitHub repo check returned status {repo_resp.status_code}."
+                )
+            raise IssueNotFoundError(f"Issue #{number} was not found in '{repo}'.")
+        _raise_for_status(resp.status_code, context="get issue")
+
+        raw = resp.json()
+        if not isinstance(raw, dict):
+            raw = {}
+        # The issues endpoint also returns pull requests (a PR is an issue with a
+        # ``pull_request`` member). Reject them so the import stays consistent
+        # with ``list_issues`` (which excludes PRs) and never links a PR as an
+        # issue.
+        if "pull_request" in raw:
+            raise NotAnIssueError(f"#{number} is a pull request, not an issue.")
+        labels_raw = raw.get("labels") or []
+        labels = [
+            (lbl.get("name") if isinstance(lbl, dict) else str(lbl))
+            for lbl in labels_raw
+        ]
+        labels = [n for n in labels if n]
+        return {
+            "number": int(raw.get("number", number)),
+            "title": str(raw.get("title") or ""),
+            "body": str(raw.get("body") or ""),
+            "labels": labels,
+            "html_url": str(raw.get("html_url") or ""),
+        }
+    finally:
+        if own_client:
+            await client.aclose()
+
+
+async def close_issue(
+    pat: str,
+    repo: str,
+    number: int,
+    *,
+    comment: Optional[str] = None,
+    timeout: float = _TIMEOUT,
+    client: Optional[httpx.AsyncClient] = None,
+) -> bool:
+    """Close a GitHub issue, optionally posting a comment first (issue #565).
+
+    Args:
+        pat: GitHub Personal Access Token.
+        repo: Repository in ``owner/repo`` format.
+        number: Issue number to close.
+        comment: Optional comment body to post before closing.
+        timeout: HTTP timeout in seconds for the (self-created) client. Auto-close
+            passes a short value so a hung close never stalls a caller for long.
+        client: Optional httpx client (injected by tests). When ``None`` a
+            short-lived client is created and closed internally.
+
+    Returns:
+        ``True`` when the issue was closed.
+
+    Raises:
+        ValueError: if ``repo`` is not a valid ``owner/repo`` string.
+        InvalidTokenError: GitHub returned 401.
+        InsufficientScopeError: the token cannot write issues (403).
+        GitHubConnectError: any other non-success response or network error.
+    """
+    owner, name = parse_repo(repo)
+
+    own_client = client is None
+    if own_client:
+        client = httpx.AsyncClient(timeout=timeout)
+    try:
+        headers = _headers(pat)
+        base = f"{GITHUB_API_BASE}/repos/{owner}/{name}/issues/{number}"
+
+        if comment:
+            # Best-effort: the comment is cosmetic. A failure to post it (locked
+            # issue, repo with commenting disabled, transient error) must NOT
+            # prevent the close itself, which is the operation that matters.
+            try:
+                cresp = await client.post(
+                    f"{base}/comments", json={"body": comment}, headers=headers
+                )
+                if cresp.status_code >= 400:
+                    logger.warning(
+                        "GitHub issue comment returned %s; closing anyway.",
+                        cresp.status_code,
+                    )
+            except httpx.HTTPError as exc:
+                logger.warning(
+                    "GitHub issue comment failed (%s); closing anyway.",
+                    type(exc).__name__,
+                )
+
+        try:
+            resp = await client.patch(
+                base, json={"state": "closed"}, headers=headers
+            )
+        except httpx.HTTPError as exc:
+            logger.warning("GitHub close issue failed: %s", type(exc).__name__)
+            raise GitHubConnectError("Could not reach GitHub. Try again later.")
+
+        _raise_for_status(resp.status_code, context="close issue")
+        # A redirect (3xx) — e.g. a moved/renamed/transferred repo — means the
+        # PATCH was NOT applied (httpx does not follow redirects by default), so
+        # the issue is still open. Treat it as a failure rather than reporting a
+        # silent success.
+        if resp.status_code >= 300:
+            raise GitHubConnectError(
+                f"GitHub close returned status {resp.status_code}; "
+                "issue was not closed (repository may have moved)."
+            )
+        return True
+    finally:
+        if own_client:
+            await client.aclose()
+
+
 async def _search_issues(
     client: httpx.AsyncClient,
     headers: dict[str, str],