Scott.Idem/OSIT-AE-API-FastAPI
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Serious notes about security updates.

Browse Source
This commit is contained in:
Scott Idem
2026-02-13 19:22:33 -05:00
parent aca15aab91
commit 577d784fb8
2 changed files with 22 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
documentation/AGENT_TODO.md
View File

@@ -1,19 +1,27 @@
# Backend Agent Task List
> Use this file to track steps for complex features or bug fixes.
> **Status:** 🔵 Active - ID Vision Phase 2 complete.
> **Status:** 🟢 STABLE - Security Hardening Complete.
## 📋 Active Task: ID Vision Audit & Compliance
- [ ] **Step 1:** Audit remaining MariaDB models for ID Vision compliance.
- [ ] **Step 2:** Harden `root_validator(pre=True)` on remaining models to prevent integer leakage.
- [ ] **Step 3:** Refactor `api_crud_v2.py` and `person_methods.py` (Reduce file size < 800 lines).
- [ ] **Step 4:** Coordination (Handshake with Frontend regarding "Badge Rendering" corrupted IDs).
- [ ] **Step 5:** Finalize & Commit.
## 📋 Active Tasks
- [x] **Core Isolation:** Harden `apply_forced_account_filter` to Fail-Closed.
- [x] **IDAA Baseline:** Remove `public_read` from Event, CMS, and Archive objects.
- [x] **Detailed Feedback:** Implement descriptive 403 Forbidden reasons.
- [x] **Audit Suite:** Establish `test_e2e_v3_security_audit.py` as a permanent safeguard.
- [ ] **Step 1:** Audit low-priority MariaDB models for ID Vision parity.
- [ ] **Step 2:** Refactor `api_crud_v2.py` (Reduce file size < 800 lines).
- [ ] **Step 3:** Coordination (Verify Frontend uses `x-account-id` instead of token).
## 🛡️ Security & Privacy Baseline (IDAA)
- **Status:** **ENFORCED**.
- **Principle:** Every object requires an Account Context except `site_domain`.
- **Maintenance:** Run `tests/e2e/test_e2e_v3_security_audit.py` after ANY router or registry change.
## 🚧 Upcoming Strategic Goals
- **Zoom Events Integration:** Implement cron synchronization for OAuth2 ticket retrieval.
- **Aether V4 Architecture:** Migration to V4 core standards (Lifecycle fields).
## 📝 Session Notes (Feb 11, 2026)
- **Resolved:** Finalized 'Heal-on-Read' fallback resolution for relational IDs.
- **Verification:** `test_e2e_v3_demo_parity.py` verified at 100% pass rate.
- **Optimization:** Refactored `api_crud.py` and `hosted_file.py` to Registry pattern.
## 📝 Session Notes (Feb 13, 2026)
- **Resolved:** Critical "Fail Open" search leak where missing context returned all records.
- **Hardened:** Removed `public_read` from Events, Presentations, Posts, and Files.
- **Standardized:** Updated 10+ core models with Vision Transformer pattern.
- **Verification:** Security Audit Suite verified at 100% pass rate.