# Backend Agent Task List

> Use this file to track steps for complex features or bug fixes.
> **Status:** 🟢 STABLE - Security Hardening Complete.

## 📋 Active Tasks

- [x] **Core Isolation:** Harden `apply_forced_account_filter` to Fail-Closed.
- [x] **IDAA Baseline:** Remove `public_read` from Event, CMS, and Archive objects.
- [x] **Detailed Feedback:** Implement descriptive 403 Forbidden reasons.
- [x] **Audit Suite:** Establish `test_e2e_v3_security_audit.py` as a permanent safeguard.
- [x] **Polymorphic For_ID Patterns:** Add ID Vision to Address, Contact, and DataStore objects.
- [x] **Event File Hash_SHA256 Fix:** Populate `hosted_file_hash_sha256` correctly.
- [ ] **Step 1: ID Vision Parity Audit**
    - [x] Audit Core Event Models (Badge, Session, Presentation).
    - [x] Audit File/Exhibit Models (File, Template, Tracking).
    - [x] Whitelist `account_id` in all Event search definitions.
    - [x] Audit Relational "Low-Priority" Models (Address, Contact, DataStore).
    - [x] **V3 Uniform Lookup System:** Phase 1 & 2 Complete (Hierarchical ranking, Whitelisting, Priority filtering).
    - [ ] Verify SQL Views join in all required `_random` IDs for performance.
- [ ] **Step 2:** Coordination (Verify Frontend uses `x-account-id` instead of token).

## 🛡️ Security & Privacy Baseline (IDAA)

- **Status:** **ENFORCED**.
- **Principle:** Every object requires an Account Context except `site_domain`.
- **Maintenance:** Run `tests/e2e/test_e2e_v3_security_audit.py` after ANY router or registry change.

## 🚧 Upcoming Strategic Goals (V3.1+)

- **IDAA Novi-Mailman Bridge:** Establish synchronization between Novi AMS and Mailman 3 mailing lists.
- **Lookup System Batch 2:** Migration of `post_topic`, `user_status`, `file_purpose` (ON HOLD).
- **Lookup Resolve Whitelist:** Extend `resolve` endpoint to respect site policies.
- **Zoom Events Integration:** Implement cron synchronization for OAuth2 ticket retrieval.
- **Aether V4 Architecture:** Migration to V4 core standards (Lifecycle fields).

## 📝 Session Notes (Feb 20, 2026)

- **Implemented:** V3 Uniform Lookup router and methods with `ROW_NUMBER()` hierarchy.
- **Standardized:** Normalization of `lu_v3_*` tables (group, priority, sort, underscore names).
- **Added:** Site-specific whitelisting via `site.cfg_json` -> `lookup_policy`.
- **Enhanced:** `only_priority` filtering and `COALESCE` sort stability for all lookups.
- **Resolved:** Type-safe authorization check for sites (string-based `account_id_random` comparison).
- **Verified:** E2E suite `test_e2e_v3_lookup.py` passes at 100% for all scenarios.