feat(advanced-template-management): implement spec (#153)

[rubenvdlinde]

Closes #153

Summary

Auto-generated draft PR for OpenSpec change advanced-template-management.
The Hydra builder ran the spec but could not run gh pr create itself
(Phase D+E credential strip — Claude has no GH_TOKEN by design).
The entrypoint detected commits on the feature branch with no PR and
created this draft so the reviewer + security + applier can proceed.

Spec Reference

• Issue: Implement: Advanced Template Management #153
• Spec: /spec/
  • /spec/proposal.md

Commits on this branch

• c8d0e22 fix(rule-0b): resolve ESLint parse error and attribute warnings (Implement: Advanced Template Management #153)
• b728d09 feat(dialogs): extract NcDialog to dedicated dialog files per ADR-004 (Implement: Advanced Template Management #153)
• 2862aad feat: advanced template management — WYSIWYG editor, versioning, categories, locking (Implement: Advanced Template Management #153)

Files changed

• lib/Settings/docudesk_register.json
• openspec/changes/advanced-template-management/design.md
• openspec/changes/advanced-template-management/tasks.md
• src/dialogs/ConditionalSectionDialog.vue
• src/dialogs/MergeFieldDialog.vue
• src/views/templates/TemplateDetail.vue
• src/views/templates/TemplateIndex.vue
• task-audit.json
• tests/bootstrap-standalone.php
• tests/stubs/OpenRegisterStubs.php
• tests/unit/Service/TemplatePreviewServiceTest.php
• tests/unit/Service/TemplateVersionServiceTest.php

---

PR auto-created by Hydra builder entrypoint (hydra_ensure_pr_exists)
because Claude's session closed without running gh pr create.
Reviewer + applier follow as normal.

[github-actions]

Quality Report — ConductionNL/docudesk @ 9008825

Check	PHP	Vue	Security	License	Tests
lint	✅
phpcs	✅
phpmd	✅
psalm	✅
phpstan	✅
phpmetrics	✅
eslint		❌
stylelint		❌
composer			✅	✅ 108/108
npm			❌	❌
PHPUnit					⏭️
Newman					⏭️
Playwright					⏭️

---

Quality workflow — 2026-05-18 19:16 UTC

Download the full PDF report from the workflow artifacts.

[rubenvdlinde]

Code Review — Juan Claude van Damme

Result: PASS (5 fixed, 0 blocking unfixed, 2 security advisories → Clyde)

---

Fixes applied

File	Issue	Fix
appinfo/info.xml	Merge conflict (PR 0.0.34-unstable.8 vs origin/development 0.0.33)	Kept PR version — feature branch version bump
src/dialogs/ConditionalSectionDialog.vue:10	vue/attribute-hyphenation — :inputLabel must be :input-label	ESLint auto-fix
src/views/templates/TemplateIndex.vue:14,106	vue/attribute-hyphenation + comma-dangle	ESLint auto-fix
src/views/templates/TemplateDetail.vue:346,366,397	comma-dangle — missing trailing commas in multi-line function calls	ESLint auto-fix
src/dialogs/MergeFieldDialog.vue:9	vue/no-parsing-error — Jinja2 {{ fieldName }} placeholder inside a Vue mustache expression {{ t(...) }} confused eslint-plugin-vue's template parser	Moved string to computed property insertHint

---

Security advisories → Clyde

src/views/templates/TemplateDetail.vue:138,176 — vue/no-v-html (×2). The v-html directive is intentional here (template preview renders HTML content). Security reviewer to verify that previewHtml and editorHtml are sanitized before display.

---

Checks skipped (environment)

composer check:strict and composer test:unit — phpcs/psalm/phpstan/phpunit not installed in the reviewer container. Per CLAUDE.md, builder Rule 0b ran these in the authoritative environment before dispatch. All 14 hydra gates green.

npm test e2e suite — Playwright environment not configured in reviewer container (pre-existing); jest unit tests (navigation.spec.ts) pass 3/3.

---

Advisories

MCP coverage (advisory) — This app does not yet publish an IMcpToolProvider and has no opt-out recorded in openspec/project.md. Per ADR-035, consider whether this PR's new template management surface (TemplateDetail, TemplateIndex views) should be MCP-callable. If yes, file a follow-up issue. If the app should opt out, add an ## MCP coverage block to project.md in a follow-up PR.

---

🤖 Changes Juan Claude van Damme applied

• 442cf2a — Initial commit
• 7eab992 — Lets setup the app
• 36e2603 — Lets commit a bit more
• 1f361c5 — Bump version to 0.0.3
• 5e41e39 — Firt tit tats of frontent
• 6ba3f48 — Setting up th docs
• f00ac48 — Remove the custom sidebar
• 22063c5 — Side bar fix
• 7b3ece3 — Last Docu Desk naming
• 3b2e8e2 — Forgot One
• 582641e — Add the puml
• b234fcc — Render PlantUML files
• e48c908 — Rework the puml
• c928123 — Merge branch 'documentation' of https://github.com/ConductionNL/DocuDesk into documentation
• 37976cc — Stupid typo
• 52fad7c — Recovering the gdpr instruction
• 1251695 — Small fixes to the anonimisation flow
• 5f36cf1 — Render PlantUML files
• fa20688 — Remove handwritten
• 4a2267e — Merge branch 'documentation' of https://github.com/ConductionNL/DocuDesk into documentation
• 1cd19d1 — Render PlantUML files
• 735a804 — Lets talk about workflows
• 3c09016 — Merge branch 'documentation' of https://github.com/ConductionNL/DocuDesk into documentation
• 9de2f71 — Let set a puml for the workflow
• a71f9ad — Render PlantUML files
• 59de266 — Add the logo
• 1759b57 — Merge branch 'documentation' of https://github.com/ConductionNL/DocuDesk into documentation
• fa0f30a — Lets make the workflow visable
• aa23b7f — Correct logo
• 1d32cd1 — Lets not use the word flow two time
• e844ea4 — Lets add .app to the website name
• 5b60696 — Small schema fixes
• 4510849 — Render PlantUML files
• dc9c520 — Lets get a better tagline
• 41acfce — Style fixes
• b9579ff — Propper domain name
• a063dad — Lets try a slash deployment
• 7aebb93 — Opdate the DocuDesk theme
• e819bf6 — Fix CNAME
• c11e322 — Switch to docusaurus
• f13d94a — Fix the settings page
• dde2fe5 — Lets add api docs
• 74e2c5d — Broken api specs link
• 5b34f9d — Update the documentation
• 2d187be — Code cleanup
• c887e18 — So that fixes the layput
• 409a216 — Fixing the settings page
• 7838fb4 — The actual logic for the reporting analasys
• bc8004a — Adding to the settings page
• 912ea32 — Fixing report creation
• 7bc703c — Icon fixes
• eba2781 — Cleanup on property names
• dc1c00e — Lets deal with no text docments
• 5840831 — Lets make our limits known
• 210536f — Remove action menu
• c4908ad — Drop some non used stuff
• e650560 — Lets go on to extracting the texts
• 0c9e520 — Fixed reading txt files
• 9d0ddc7 — Bit of extra loging
• 74570bc — Fixed presidio
• 8bb6de8 — Lets make it a bit more readable
• 9aa1999 — Update to anonimization service
• d3fc3dc — Fixed circular reference
• b4372be — A raign of fixes
• 80122b7 — fixed invinite file creation
• 73a69c6 — Fixed the string replacement
• ddc9e45 — Ad gdpr workflow
• 3f14109 — Build the new docs
• 807f038 — Lets try this again
• d33fad0 — More broken links
• 73ed5d6 — Create crs-flow.yaml
• b717af0 — Bump version to 0.0.4
• 81aeb12 — Create docudesk.csr
• c29ea51 — Bump version to 0.0.5
• e875b1b — Merge pull request Documentation #26 from ConductionNL/documentation
• 7e5cfd3 — Bump version to 0.0.6
• add6ebb — Bump version to 0.0.7
• 22a82c6 — Update release-workflow.yaml
• 74b1a07 — Bump version to 0.0.8
• b3d1fb6 — Update release-workflow.yaml
• 74f941f — Bump version to 0.0.9
• 877ff24 — Update release-workflow.yaml
• 65dc2b7 — Bump version to 0.0.10
• 2b1ca47 — Update composer.json
• cb99280 — Bump version to 0.0.11
• f348f6d — Create beta-release.yaml
• 6bd034e — Bump version to 0.0.12
• 0a82880 — Lets get some work into supporting the new open register
• 679adc2 — Bump version to 0.0.13
• cb6bdb2 — Let fix some phpcs
• 4a72a2a — Merge branch 'main' of https://github.com/ConductionNL/DocuDesk into main
• 60073ce — Bump version to 0.0.14
• 2bc51c6 — Lets run report creation
• 3300e1e — Merge branch 'main' of https://github.com/ConductionNL/DocuDesk into main
• c4a1d65 — Bump version to 0.0.15
• 7dba37d — Add the proper impoert
• 88541f6 — Merge branch 'main' of https://github.com/ConductionNL/DocuDesk into main
• 3243383 — Bump version to 0.0.16
• a90276d — Procces reports
• feb1e62 — Fixed the autoloader issue
• 289280d — Get the text from word document
• e18d180 — Getting the text from pdf
• 5b7fae4 — Fixed doble reports
• 377b250 — Properly creating annonymization objects
• 16a801f — Dont loop anonymisations
• f192137 — Creating annomyized word files
• 534bc5e — Merge branch 'hotfix/zuiddrecht'
• 7f225e2 — Merge remote-tracking branch 'origin/main'
• 651aaf8 — Bump version to 0.0.17
• f99e0d1 — Lets fix the frontend
• 612741c — Fixed the index pages
• 0c9a337 — Update info.xml
• bb702f7 — Bump version to 0.0.18
• c17f0a3 — Update info.xml
• edfc7f0 — Bump version to 0.0.19
• 9864979 — First settup for settings service
• 0953d5d — Update to the configuration service
• 24016be — Merge remote-tracking branch 'origin/main' into hotfix/frontend
• cb4b11b — Merge branch 'hotfix/frontend'
• f15847f — Bump version to 0.0.20
• f148707 — Merge branch 'main' into hotfix/frontend
• 280786a — Fixes on build and $obj
• be7a4f6 — Fixes on build and $obj
• 1801bb0 — Merge branch 'hotfix/frontend'
• 6b0987e — Bump version to 0.0.21
• 16187d5 — Add licence checking
• 25d1926 — Lets automate our code quality checks
• f5b9a4f — Update README.md
• 60f090e — Bump version to 0.0.22
• 84c0ec2 — Fix for non-admin users
• e3e5ce5 — Merge branch 'hotfix/frontend'
• d762698 — Bump version to 0.0.23
• b842bf1 — Lets start linting this repository
• 5afe1ac — More styling fixes
• d9a46c7 — Remove some of the conflicting code
• b1ddac9 — Last of the linting :)
• 25a0026 — Lets update the code quality workflow
• f040f16 — Merge branch 'hotfix/frontend'
• b3cb216 — Bump version to 0.0.24
• 114cf74 — Lets update the code quility workflow
• e981d1d — Merge branch 'main' of https://github.com/ConductionNL/DocuDesk into main
• 3411723 — Bump version to 0.0.25
• 1f4f9ae — Lets try to fix the quality code code
• 6578e64 — Merge branch 'main' of https://github.com/ConductionNL/DocuDesk into main
• 43ad3a8 — Bump version to 0.0.26
• d855047 — Bit more cleanup on the qi part
• bbffc73 — Merge branch 'main' of https://github.com/ConductionNL/DocuDesk into main
• d436652 — Bump version to 0.0.27
• bbef666 — Lets try to setup better testing
• a4a5fc4 — Merge branch 'main' of https://github.com/ConductionNL/DocuDesk into main
• 4d14190 — Bump version to 0.0.28
• f923eb2 — Lets take a look at the linting of javascript files
• 4945d5e — Merge branch 'main' of https://github.com/ConductionNL/DocuDesk into main
• 7169e0e — Bump version to 0.0.29
• 117bd6e — Merge branch 'main' into hotfix/frontend
• 2812577 — Bit of work to get the quility checks more acurate
• b2075a8 — Lets switch to a reports page concept
• 93b6d55 — Mooie nieuwe raportage pagina's
• 7ead736 — Vernieuwde opzet van anonimizeren inc gdpr register
• 89c2d7e — Voorkom dubel raporteren van genonimiseerde bestanden
• c86bcf8 — Merge branch 'hotfix/frontend'
• 2b6f923 — Bump version to 0.0.30
• cca1861 — Lets add the entities Register
• c63d14b — Merge branch 'main' of https://github.com/ConductionNL/DocuDesk into main
• 4147f11 — Merge branch 'main' into hotfix/frontend
• 7ea7084 — Bump version to 0.0.31
• cef357c — First steps in indexing documents to solr
• 6e75343 — Add solr docker compose example
• b751bf0 — First working version including deletion
• c82335d — Finish up setting config for solr, also add a search provider to search
• 31c04c2 — Add documentation
• b55a5ca — feat: add Nextcloud 32 support
• 0e341be — Merge pull request Feature/nextcloud 32 support #31 from ConductionNL/feature/nextcloud-32-support
• 7639384 — Merge remote-tracking branch 'origin/feature/WOO-404/write-to-solr' into development
• 7178558 — Let get the code back to work
• b3a319a — Add dashboard widget, consent management, and CI/CD workflows
• ba735cb — Bump unstable version to 0.0.32-unstable.1 [skip ci]
• 4c2efc2 — Update branch protection: main from beta, beta from development
• 56b0550 — Bump unstable version to 0.0.32-unstable.2 [skip ci]
• a7d5d31 — Fix invalid dependency in info.xml
• 35ff5aa — Add three-tier release workflow files [skip ci]
• f34900b — fix: PHPCS coding standard fixes and quality tooling (fix: PHPCS coding standard fixes and quality tooling #35)
• 601e239 — Bump unstable version to 0.0.32-unstable.3 [skip ci]
• a48088a — Merge pull request chore: Merge development into main #38 from ConductionNL/development
• c293e40 — Bump version to 0.0.33 [skip ci]
• 2d739a5 — chore: resolve merge conflict in appinfo/info.xml — keep feature branch version 0.0.34-unstable.8
• 43e7ba9 — fix(code-review bounded): Juan post-run mechanical commit

View full diff · 8 files changed, 119 insertions(+), 7 deletions(-)

[rubenvdlinde]

📍 appinfo/info.xml:32 (outside PR diff — line-comment API rejected, posted as issue comment)

[fixed: merge conflict resolved] Kept PR branch version 0.0.34-unstable.8 — this is the feature branch's intended version bump. origin/development had 0.0.33.

[rubenvdlinde]

[fixed: vue/attribute-hyphenation] :inputLabel → :input-label — Vue attribute binding names must be hyphenated per ESLint rule.

[rubenvdlinde]

[fixed: vue/no-parsing-error] The Jinja2 placeholder {{ fieldName }} inside a Vue template mustache expression {{ t(..., '… {{ fieldName }} …', ...) }} caused eslint-plugin-vue's parser to see a nested expression start. Moved the string-building to a computed property insertHint — template now reads {{ insertHint }} which is clean.

[rubenvdlinde]

[unfixed: SUGGESTION — security escalated to Clyde] vue/no-v-html: v-html on previewHtml can enable XSS if the content is not sanitized. Template preview rendering requires HTML output — security reviewer to confirm sanitization.

[rubenvdlinde]

[unfixed: SUGGESTION — security escalated to Clyde] vue/no-v-html: v-html on editorHtml binding. Security reviewer to verify source and sanitization of this value.

[rubenvdlinde]

[fixed: comma-dangle] Added missing trailing commas in multi-line function call arguments at lines 346, 366, and 397 per ESLint comma-dangle rule.

[rubenvdlinde]

[fixed: vue/attribute-hyphenation + comma-dangle] :inputLabel → :input-label; added missing trailing comma at line 106.

[github-actions]

Quality Report — ConductionNL/docudesk @ 33fe648

Check	PHP	Vue	Security	License	Tests
lint	✅
phpcs	✅
phpmd	✅
psalm	✅
phpstan	✅
phpmetrics	✅
eslint		✅
stylelint		✅
composer			✅	✅ 108/108
npm			✅	✅ 529/529
PHPUnit					✅
Newman					⏭️
Playwright					⏭️

Coverage: 0% (0/10 statements)

---

Quality workflow — 2026-05-19 03:10 UTC

Download the full PDF report from the workflow artifacts.

[rubenvdlinde]

Security Review — Clyde Barcode

Result: PASS (1 fixed, 0 unfixed blocking)

• Total findings: 1
• Fixed: 1 (WARNING — DOM XSS via unescaped attribute values in insertConditionalSection)
• Unfixed: 0
• Verdict: pass

Fix applied

[fixed: HTML attribute escaping in insertConditionalSection] src/views/templates/TemplateDetail.vue:412 — user-controlled field, op, value were interpolated raw into an HTML string passed to execCommand('insertHTML'). Added inline esc() helper encoding &, ", <, >. Semgrep self-verify clean post-fix.

Out-of-scope inherited debt (informational, non-blocking)

npm audit: 59 CVEs (13 low, 37 moderate, 9 high) in Vue 2 ecosystem transitive deps (axios, fast-uri, fast-xml-builder, ajv). Not introduced by this PR — pre-existed on development. Recommend a dedicated dep-bump PR; fast-xml-builder has an npm audit fix available.

See inline comments for per-finding detail.

---

🤖 Changes Clyde Barcode applied

• f4f6ccc — fix(security-review bounded): Clyde post-run mechanical commit

View full diff · 1 file changed, 4 insertions(+), 3 deletions(-)

[rubenvdlinde]

[fixed: HTML attribute escaping] Rule: OWASP A03:2021 / CWE-79 — user-controlled field, op, value were interpolated directly into HTML attribute strings passed to document.execCommand('insertHTML'). A value containing " breaks attribute context; event handlers inject DOM XSS persisted in the template content. Fixed by adding an inline esc() helper that encodes &, ", <, > before interpolation. Semgrep self-verify passed post-fix.

[github-actions]

Quality Report — ConductionNL/docudesk @ 229fef8

Check	PHP	Vue	Security	License	Tests
lint	⏭️
phpcs	⏭️
phpmd	⏭️
psalm	⏭️
phpstan	⏭️
phpmetrics	⏭️
eslint		⏭️
stylelint		⏭️
composer			⏭️	⏭️
npm			⏭️	⏭️
PHPUnit					❌
Newman					❌
Playwright					❌

---

Quality workflow — 2026-05-19 03:19 UTC

Download the full PDF report from the workflow artifacts.

[github-actions]

Quality Report — ConductionNL/docudesk @ a9c6c4f

Check	PHP	Vue	Security	License	Tests
lint	✅
phpcs	✅
phpmd	✅
psalm	✅
phpstan	✅
phpmetrics	✅
eslint		❌
stylelint		✅
composer			✅	✅ 108/108
npm			✅	✅ 529/529
PHPUnit					✅
Newman					⏭️
Playwright					⏭️

Coverage: 0% (0/10 statements)

---

Quality workflow — 2026-05-19 03:24 UTC

Download the full PDF report from the workflow artifacts.

[github-actions]

Quality Report — ConductionNL/docudesk @ 7d6b7d5

Check	PHP	Vue	Security	License	Tests
lint	✅
phpcs	✅
phpmd	✅
psalm	✅
phpstan	✅
phpmetrics	✅
eslint		✅
stylelint		✅
composer			✅	✅ 108/108
npm			✅	✅ 529/529
PHPUnit					✅
Newman					⏭️
Playwright					⏭️

Coverage: 0% (0/10 statements)

---

Quality workflow — 2026-05-19 04:04 UTC

Download the full PDF report from the workflow artifacts.