feat: Implement Event File Hosted Data Fix and API Guide Update

Address critical data visibility issues for Event Files and enhance frontend documentation.

This commit resolves the persistent problem where top-level hosted file convenience fields
(e.g., , , ) were
returning as  in V3 Event File API responses, even when .

Key changes include:
- Refactored  Pydantic model:
    - Removed redundant  definitions from top-level hosted file convenience fields,
      allowing direct mapping from SQL view columns.
    - Simplified  to focus solely on conditionally loading the nested
       object, as top-level fields are now populated directly by Pydantic
      from the  view.
    - Added comprehensive comments to clarify data flow, Pydantic's behavior, and the
      expected origin of these convenience fields from SQL views.
- Updated :
    - Introduced a new section detailing how to retrieve Event File data, including the
      use of  to get both top-level convenience fields and a nested
       object.
    - Clarified all ID references as random string IDs.
    - Renumbered the troubleshooting section.
- Copied updated guide to .
- Continued ID Vision compliance audit, ensuring consistent handling of random string IDs
  across various core and event models (Account, Address, Contact, DataStore, Event Badge Template).
- Consolidated ID Vision E2E tests and updated related documentation.
- Minor updates to  and
  to support Event File data retrieval with .
Scott Idem
2026-02-19 15:22:17 -05:00
parent 577d784fb8
commit 17a627a981
17 changed files with 391 additions and 185 deletions


@@ -7,9 +7,16 @@
- [x] **IDAA Baseline:** Remove `public_read` from Event, CMS, and Archive objects.
- [x] **Detailed Feedback:** Implement descriptive 403 Forbidden reasons.
- [x] **Audit Suite:** Establish `test_e2e_v3_security_audit.py` as a permanent safeguard.
- [ ] **Step 1:** Audit low-priority MariaDB models for ID Vision parity.
- [ ] **Step 2:** Refactor `api_crud_v2.py` (Reduce file size < 800 lines).
- [ ] **Step 3:** Coordination (Verify Frontend uses `x-account-id` instead of token).
- [x] **Polymorphic For_ID Patterns:** Add ID Vision to Address, Contact, and DataStore objects.
- [x] **Event File Hash_SHA256 Fix:** Populate hosted_file_hash_sha256 correctly.
- [ ] **Step 1: ID Vision Parity Audit**
- [x] Audit Core Event Models (Badge, Session, Presentation).
- [x] Audit File/Exhibit Models (File, Template, Tracking).
- [x] Whitelist `account_id` in all Event search definitions.
- [x] Audit Relational "Low-Priority" Models (Address, Contact, DataStore).
- [ ] Audit Lookup Fields (Exclude all `lu_*_id` integers from public output).
- [ ] Verify SQL Views join in all required `_random` IDs for performance.
- [ ] **Step 2:** Coordination (Verify Frontend uses `x-account-id` instead of token).
## 🛡️ Security & Privacy Baseline (IDAA)
- **Status:** **ENFORCED**.
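Review bot: the "Coordination (Verify Frontend uses `x-account-id` instead of token)" item (listed both as Step 3 in the old block and Step 2 in the new one) should state that `x-account-id` is only an account *selector* and that the server still binds it to the principal authenticated by `x-aether-api-key`; as written, a reader could take it to mean the client-supplied header replaces the token for authorization, which would reopen the "fail open" class of issue the IDAA baseline closed. Also, the old "Step 1/2/3" lines and the new "Step 1/Step 2" block both appear in this hunk; if the old trio was not actually removed, drop it so the list has one numbering. Finally, "Event File Hash_SHA256 Fix" is ticked while "Verify SQL Views join in all required `_random` IDs" is still open; since the hash fix relies on the view exposing those columns, consider noting which views were verified for this fix.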
@@ -20,8 +27,10 @@
- **Zoom Events Integration:** Implement cron synchronization for OAuth2 ticket retrieval.
- **Aether V4 Architecture:** Migration to V4 core standards (Lifecycle fields).
## 📝 Session Notes (Feb 13, 2026)
- **Resolved:** Critical "Fail Open" search leak where missing context returned all records.
- **Hardened:** Removed `public_read` from Events, Presentations, Posts, and Files.
- **Standardized:** Updated 10+ core models with Vision Transformer pattern.
- **Verification:** Security Audit Suite verified at 100% pass rate.
## 📝 Session Notes (Feb 19, 2026)
- **Resolved:** Fixed integer ID leakage in `Event_Badge_Template_Base` and `Event_File_Base`.
- **Hardened:** Whitelisted `account_id` searching for all Event Objects (Presentation, General, Registration).
- **Verified:** SQL Views `v_event_session` and `v_event_session_w_file_count` confirmed to have `account_id_random`.
- **Resolved:** Implemented polymorphic `for_id` resolution for DataStore, Address, and Contact models.
- **Resolved:** Fixed `hash_sha256` for Event Files being null on the frontend.
- **Status:** Core and Demo Vision parity suites verified at 100% pass rate.
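Review bot: the "Hardened: Whitelisted `account_id` searching" entry should record that the whitelisted `account_id` filter is still intersected with the caller's authorized account scope, otherwise it reads as the inverse of the Feb 13 "Fail Open" fix (a caller naming another `account_id` must get 403 or an empty set, not that account's records). The "Status" line cites only the Core and Demo Vision parity suites; since this session changed `for_id` resolution for DataStore, Address and Contact and removed integer IDs from two `_Base` models, `test_e2e_v3_security_audit.py` should be re-run and its result listed here as well.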


@@ -33,3 +33,4 @@ Before starting work:
1. Read `~/agents_sync/README.md` to understand the fleet status and cross-agent tasks.
2. Check `README.md` in the project root for technical specs.
3. Review your local `documentation/AGENT_TODO.md` for active tasks.
4. You must be able to explain what needs to be done and why before you start coding. This is important, as it demonstrates understanding and ensures alignment with project goals.
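Review bot: item 4 says the same thing twice ("demonstrates understanding and ensures alignment" restates "explain what needs to be done and why"); suggest a single sentence, e.g. "4. Before coding, be able to explain what needs to be done and why; this keeps work aligned with project goals."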


@@ -60,7 +60,26 @@ The primary way to retrieve data.
---
## 4. Troubleshooting 403 Forbidden
## 4. Event File Data Retrieval (Hosted Files)
Event Files (`event_file`) often have associated Hosted Files (`hosted_file`) which contain binary data and metadata like SHA256 hashes, content types, and sizes. To retrieve this additional data:
* **Endpoint:** `GET /v3/crud/event_file/{event_file_id_random}`
* **Query Parameter:** Add `inc_hosted_file=true`
* Example: `/v3/crud/event_file/<event_file_id_random>?inc_hosted_file=true`
**Response Impact:**
1. **Top-Level Convenience Fields:** The response will include top-level fields for commonly needed hosted file data. These are populated directly from the SQL view via JOINs.
* `hosted_file_hash_sha256` (string)
* `hosted_file_subdirectory_path` (string)
* `hosted_file_content_type` (string)
* `hosted_file_size` (string - in bytes)
2. **Nested Hosted File Object:** A full `hosted_file` object will be nested under the `hosted_file` key. This object (`Hosted_File_Base` model) will contain all its standard fields, including `id` (random string ID), `hash_sha256`, `content_type`, `size`, etc.
---
## 5. Troubleshooting 403 Forbidden
If you receive a 403 on a valid ID:
1. Verify `x-aether-api-key` is correct.
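Review bot: the new section 4 is ambiguous about what `inc_hosted_file=true` gates. The commit message says the top-level convenience fields are now populated directly from the SQL view, but the guide introduces the parameter under "To retrieve this additional data" and then lists the top-level fields as "Response Impact", so a reader will assume they are absent without it. State it explicitly, e.g. "The four `hosted_file_*` fields are returned on every `event_file` that has a hosted file; `inc_hosted_file=true` additionally nests the full `hosted_file` object." Two smaller points on the field list: `hosted_file_size` is documented as "string - in bytes" while the nested object's `size` presumably carries the same value, so give the exact type for both (integer bytes is what clients will expect to compare or sum) and note that `hosted_file_hash_sha256` is the hex digest so clients can verify a downloaded file against it; and `hosted_file_subdirectory_path` exposes storage layout, so confirm in the text that it is a path relative to the public file root rather than a server filesystem path, or drop it from the client guide if clients do not need it.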