Add task artifacts and file reveal support

[afurm]

Summary

• Problem: The task detail inspector exposed the output panel as Files even though task runs can produce links, evidence, generated files, and other useful outputs.
• Why it matters: Users need one place to reopen run evidence without rereading the assistant transcript or losing local files behind non-clickable file:// links.
• What changed: Renamed the inspector tab to Artifacts, added artifact extraction/deduping for links, file refs, MEDIA directives, and local tool outputs, and added a backend endpoint to reveal local file artifacts from the task artifact list.
• What did not change: Existing task execution flow and task data shape remain compatible; web artifacts still open as normal external links.

Change Type

• Bug fix
• Feature
• Security hardening
• Documentation
• Chore / infrastructure

Security Impact

• New permissions or capabilities? Yes
• Secrets or token handling changed? No
• New or changed network calls? No
• Local storage or memory scope changed? Yes
• If any answer is Yes, explain the risk and mitigation: The new open endpoint can reveal only artifacts already associated with the requested task execution; it accepts an artifact id, resolves file:// or absolute-path file artifacts, rejects unresolvable paths, and is covered by route tests with an injected opener. Captured execution artifacts are stored with existing task execution data so useful links and generated files persist with the run.

Verification

• npm audit
• npm run typecheck
• npm test
• npm run build
• npm pack --dry-run
• UI screenshot or recording attached, if UI changed

Notes

• Linked issue: Closes [Feature]: Rename Files to Artifacts and capture useful clickable task artifacts #25
• Platform tested: macOS local development; browser QA on localhost verified a file artifact click returned 200 from the artifact open endpoint and did not navigate to file://.
• Known limitations: Artifact detection is heuristic, so it favors useful URLs, local file paths, and explicit MEDIA directives while avoiding arbitrary noisy shell output as file artifacts.

[chatgpt-codex-connector]

💡 Codex Review

draftmora/src/server/task-artifacts.ts

Line 133 in 08d488b

return artifact.url?.toLowerCase() ?? `${artifact.type}:${artifact.title}:${artifact.content}`;

Stop lowercasing artifact URLs during deduplication

Deduplicating on artifact.url?.toLowerCase() can collapse distinct artifacts that differ only by URL casing (for example /Report vs /report), even though many HTTP servers and file paths are case-sensitive. In those cases one artifact is silently dropped from persisted execution results, so users lose access to a real output/link from the run.

---

draftmora/src/server/artifact-file-opener.ts

Line 39 in 08d488b

return { command: "xdg-open", args: [path.dirname(filePath)] };

Reveal Linux directory artifacts instead of parent folder

The Linux branch always executes xdg-open on path.dirname(filePath), which is correct for files but wrong for directory artifacts: revealing /tmp/results opens /tmp instead of the requested artifact. Because revealArtifactFile explicitly accepts directories, this causes successful API responses to open the wrong location for directory artifacts on Linux.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".