Status History
May 30, 10:35 PM Pending
May 30, 10:38 PM In Progress
Intake Form
Technical Specification
Frontend
None (REST API only)
Backend
Express.js REST API (Node.js)
Database
PostgreSQL via Neon (serverless)
Hosting
Render (Node.js free tier)
Summary

A lightweight REST API task tracker built with Express.js and PostgreSQL that allows users to organize work into projects and manage tasks with due dates and assignees. The API features JWT-based authentication and a two-tier role system (admin/member) to enforce ownership and collaboration boundaries. Its clean, well-structured codebase makes it an ideal foundation for a frontend client or mobile app integration.

File Structure
server.js Entry point: initializes Express app, middleware, and starts HTTP server
config/db.js PostgreSQL connection pool setup using pg and environment variables
config/jwt.js JWT secret config and token generation/verification helpers
middleware/auth.js JWT authentication middleware that validates Bearer tokens on protected routes
middleware/roles.js Role-based access control middleware supporting admin and member roles
middleware/errorHandler.js Global error handling middleware that formats and returns consistent error responses
routes/auth.js Auth routes: POST /register and POST /login returning JWT tokens
routes/projects.js CRUD routes for projects: list, create, get by ID, update, delete
routes/tasks.js CRUD routes for tasks nested under projects: create, list, update, mark complete, delete
routes/users.js Admin-only user management routes: list users, update roles, deactivate accounts
controllers/authController.js Business logic for user registration, password hashing with bcrypt, and login
controllers/projectsController.js Business logic for project CRUD with ownership and membership checks
controllers/tasksController.js Business logic for task CRUD including due date handling and completion toggling
controllers/usersController.js Business logic for admin user management operations
models/userModel.js SQL query functions for user table: findById, findByEmail, create, updateRole
models/projectModel.js SQL query functions for projects table: CRUD and membership lookups
models/taskModel.js SQL query functions for tasks table: CRUD, filter by project, mark complete
db/migrations/001_create_users.sql Creates users table with id, email, password_hash, role, created_at columns
db/migrations/002_create_projects.sql Creates projects table with id, name, description, owner_id, created_at columns
db/migrations/003_create_project_members.sql Creates project_members join table for role-based project membership
db/migrations/004_create_tasks.sql Creates tasks table with id, project_id, title, description, due_date, completed, assignee_id, created_at
db/seed.js Optional seed script to insert demo admin user and sample project/tasks
utils/validate.js Input validation helpers using express-validator for request body sanitization
.env.example Template for required environment variables: DATABASE_URL, JWT_SECRET, PORT
package.json Project dependencies and npm scripts for start, dev, and migrate
README.md API documentation with endpoint list, auth instructions, and setup guide
Features (6)
User Authentication P1
Users can register and log in to receive a JWT token used to authenticate all subsequent API requests.
  • POST /api/auth/register accepts email and password, hashes password with bcrypt, stores user, returns JWT
  • POST /api/auth/login validates credentials and returns a signed JWT with userId and role in payload
  • Passwords must be at least 8 characters; duplicate email registration returns 409 Conflict
  • All protected routes return 401 Unauthorized when no valid token is provided
  • JWT tokens expire after 24 hours
Role-Based Access Control P2
Two roles (admin and member) gate access to sensitive operations such as user management and project deletion.
  • New users are assigned the 'member' role by default on registration
  • Admin role can list all users, change user roles, and delete any project
  • Members can only modify projects they own or are a member of
  • Requests by members to admin-only endpoints return 403 Forbidden
  • Role is embedded in JWT payload and re-validated against DB on sensitive operations
Project Management P3
Authenticated users can create, view, update, and delete projects they own.
  • POST /api/projects creates a project and sets the authenticated user as owner
  • GET /api/projects returns only projects the user owns or is a member of
  • GET /api/projects/:id returns project details including member list
  • PUT /api/projects/:id allows owner or admin to update name and description
  • DELETE /api/projects/:id is restricted to project owner or admin; cascades to delete all tasks
Project Membership P4
Project owners can invite other registered users to collaborate on a project.
  • POST /api/projects/:id/members accepts a userId and adds them as a project member
  • Only the project owner or admin can add or remove members
  • DELETE /api/projects/:id/members/:userId removes a member from the project
  • GET /api/projects/:id includes a members array with userId and email
  • Adding a non-existent userId returns 404 Not Found
Task Management P5
Project members can create, update, and delete tasks within a project, each with an optional due date and assignee.
  • POST /api/projects/:id/tasks creates a task with title, optional description, due_date, and assignee_id
  • GET /api/projects/:id/tasks returns all tasks for the project with optional ?completed=true/false filter
  • PUT /api/projects/:id/tasks/:taskId updates title, description, due_date, or assignee
  • DELETE /api/projects/:id/tasks/:taskId removes the task; restricted to task creator, project owner, or admin
  • due_date must be a valid ISO 8601 date; past dates are accepted but flagged as overdue in response
Mark Task Complete P6
Any project member can toggle a task's completion status.
  • PATCH /api/projects/:id/tasks/:taskId/complete sets completed to true and records completed_at timestamp
  • PATCH /api/projects/:id/tasks/:taskId/reopen sets completed to false and clears completed_at
  • Response returns the full updated task object
  • Only members of the project can toggle completion; non-members receive 403
Build Log
scoping Starting AI-powered tech spec generation
scoping Tech spec generated successfully
start Build orchestration started for project 14
attempt Build attempt 1/3
generate Attempt 1 failed: AI generation failed: Unterminated string in JSON at position 46530 failed
retry Retrying (2/3)...
attempt Build attempt 2/3
generate Attempt 2 failed: AI generation failed: 429 Daily token limit reached (100,000 tokens). Resets at midnight UTC. failed
retry Retrying (3/3)...
attempt Build attempt 3/3
generate Attempt 3 failed: AI generation failed: 429 Daily token limit reached (100,000 tokens). Resets at midnight UTC. failed
complete Build failed after 3 attempts failed
status Project status updated to Build Failed
Deliverables
Deliverables become available once project reaches Review status.