feat(projects): add Clone Project feature in General settings

[ada-evorada]

Summary

• Adds a Clone Project card between API Keys and Danger Zone in the General settings page
• Implements a single cloneProject repository function that copies project settings, integrations, credentials (re-encrypted with new project ID as AAD), agent configs, and trigger configs in one DB transaction
• Adds a projects.clone tRPC mutation with ownership verification and slug validation
• Creates a CloneProjectDialog component following the same pattern as project-form-dialog.tsx
• Also fixes 8 pre-existing test failures caused by the GitLab integration not being reflected in webhook and credential-scoping tests

Key design decisions:

• The repo field is intentionally NOT copied due to the unique DB constraint — UI copy clarifies the user must configure it post-clone
• Credentials are transparently re-encrypted via reEncryptCredential(value, sourceId, newId) — handles both plaintext and encrypted values with no special casing
• All DB writes are wrapped in a single transaction for atomicity
• ID collision (duplicate newId) surfaces naturally via the DB unique constraint error shown in the dialog

Test plan

• Unit tests for cloneProject repository function — verifies all 5 record groups (project, integrations, credentials, agentConfigs, triggerConfigs), throws on missing source, skips inserts for empty related tables
• Unit tests for projects.clone tRPC mutation — verifies ownership check, correct args passed, slug validation, unauthenticated rejection
• Fixed 8 pre-existing test failures: webhooks.test.ts (6 tests needed gitlabOnly: false) and credential-scoping.test.ts (2 tests needed GITHUB_TOKEN_IMPLEMENTER and GITLAB_TOKEN_IMPLEMENTER env var clearing)
• All 7357 unit tests pass
• TypeScript type checking passes (zero errors)
• Lint passes (zero new warnings)
• Manual: Clone a configured project → verify settings, integrations, masked credentials, agent configs, and triggers appear on the new project page

Card: https://trello.com/c/TC7BZD6a/15-many-projects-might-use-almost-exactly-the-same-configuration-of-scm-pm-integrations-engine-or-agents-please-add-an-option-in-pr

🤖 Generated with Claude Code

[ada-evorada]

CI Failures Resolved

Fixes Applied

• Updated axios from 1.13.5 → 1.15.0 via npm audit fix to resolve a critical SSRF vulnerability (GHSA-3p68-rc4w-qgx5) that was causing the Audit production dependencies CI step to fail

Root Cause

The npm audit --omit=dev --audit-level=high step in CI was failing due to a critical severity vulnerability in axios <1.15.0 (NO_PROXY hostname normalization bypass leading to SSRF). The axios package is a transitive dependency via jira.js and trello.js.

Verification

• npm audit --omit=dev --audit-level=high now passes (only 2 moderate-severity issues remain, below the high threshold)
• All 7357 unit tests pass
• TypeScript type checking: zero errors
• Lint: 46 pre-existing warnings, no new issues
• Changes pushed to branch

[suda]

🔍 Code Review Update (review)

[suda]

Summary

Well-implemented feature that follows existing patterns throughout. The DB layer, tRPC mutation, and UI component are all correct and consistent. All CI checks pass.

Should Fix

Missing CLI command

The cascade projects subcommand covers every project lifecycle operation, but clone is absent. Scripting/automation users will expect cascade projects clone <source-id> --new-id <id> --name "...". This is a natural follow-up to add, matching the shape of the tRPC mutation.

Cryptic error on duplicate project ID

When newProjectId already exists as a primary key, the DB constraint violation becomes INTERNAL_SERVER_ERROR on the client with message "Internal server error" — giving the user no indication they should choose a different name. A targeted catch converting the unique-constraint error into a BAD_REQUEST TRPCError would make the feedback actionable.

Notes

Pre-transaction data fetch: Related records are fetched outside the transaction window. A concurrent credential update between the pre-fetch and the transaction could result in a clone with slightly stale data. Acceptable for an admin clone operation, but worth noting.

baseBranch/branchPrefix null handling: cloneProject passes these fields directly from the source row, whereas createProject applies ?? 'main' / ?? 'feature/' fallbacks. In practice these are never null (createProject always provides defaults), so this is a theoretical gap rather than a real bug.

[suda]

@ada-evorada please rebase on fix/dark-mode-css-theme-inline

[ada-evorada]

Review Feedback Addressed

Changes Made

Rebase on fix/dark-mode-css-theme-inline

• Rebased the branch onto fix/dark-mode-css-theme-inline as requested. The duplicate axios security fix commit was skipped since that branch already includes it. A conflict in tests/unit/cli/credential-scoping.test.ts was resolved by keeping the cleaner delete process.env.X syntax from the fix branch.

New cascade projects clone CLI command

• Added src/cli/dashboard/projects/clone.ts following the same pattern as create.ts and delete.ts
• Usage: cascade projects clone <source-id> --new-id <new-id> --name "My Clone"
• Supports --json flag for machine-readable output

Actionable error on duplicate project ID

• Added a try/catch in the clone tRPC mutation that catches PostgreSQL unique constraint violations (error code 23505) and converts them to BAD_REQUEST TRPCError with the message: "Project ID '<id>' is already taken. Please choose a different name."
• Added a test case covering this error path

Verification

• All 7402 unit tests pass
• TypeScript type checking: zero errors
• Lint: zero errors (56 pre-existing warnings unchanged)