Scott.Idem/OSIT-AE-API-FastAPI
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
17a627a9816ca442fabbadeaa6e5d010b53a011f
OSIT-AE-API-FastAPI/documentation/AGENT_TODO.md
Scott Idem 17a627a981 feat: Implement Event File Hosted Data Fix and API Guide Update 
Address critical data visibility issues for Event Files and enhance frontend documentation.

This commit resolves the persistent problem where top-level hosted file convenience fields
(e.g., , , ) were
returning as  in V3 Event File API responses, even when .

Key changes include:
- Refactored  Pydantic model:
    - Removed redundant  definitions from top-level hosted file convenience fields,
      allowing direct mapping from SQL view columns.
    - Simplified  to focus solely on conditionally loading the nested
       object, as top-level fields are now populated directly by Pydantic
      from the  view.
    - Added comprehensive comments to clarify data flow, Pydantic's behavior, and the
      expected origin of these convenience fields from SQL views.
- Updated :
    - Introduced a new section detailing how to retrieve Event File data, including the
      use of  to get both top-level convenience fields and a nested
       object.
    - Clarified all ID references as random string IDs.
    - Renumbered the troubleshooting section.
- Copied updated guide to .
- Continued ID Vision compliance audit, ensuring consistent handling of random string IDs
  across various core and event models (Account, Address, Contact, DataStore, Event Badge Template).
- Consolidated ID Vision E2E tests and updated related documentation.
- Minor updates to  and
  to support Event File data retrieval with .
2026-02-19 15:22:17 -05:00

2.3 KiB
Raw Blame History

Backend Agent Task List

Use this file to track steps for complex features or bug fixes. Status: 🟢 STABLE - Security Hardening Complete.

📋 Active Tasks

  • Core Isolation: Harden apply_forced_account_filter to Fail-Closed.
  • IDAA Baseline: Remove public_read from Event, CMS, and Archive objects.
  • Detailed Feedback: Implement descriptive 403 Forbidden reasons.
  • Audit Suite: Establish test_e2e_v3_security_audit.py as a permanent safeguard.
  • Polymorphic For_ID Patterns: Add ID Vision to Address, Contact, and DataStore objects.
  • Event File Hash_SHA256 Fix: Populate hosted_file_hash_sha256 correctly.
  • Step 1: ID Vision Parity Audit
    • Audit Core Event Models (Badge, Session, Presentation).
    • Audit File/Exhibit Models (File, Template, Tracking).
    • Whitelist account_id in all Event search definitions.
    • Audit Relational "Low-Priority" Models (Address, Contact, DataStore).
    • Audit Lookup Fields (Exclude all lu_*_id integers from public output).
    • Verify SQL Views join in all required _random IDs for performance.
  • Step 2: Coordination (Verify Frontend uses x-account-id instead of token).

🛡️ Security & Privacy Baseline (IDAA)

  • Status: ENFORCED.
  • Principle: Every object requires an Account Context except site_domain.
  • Maintenance: Run tests/e2e/test_e2e_v3_security_audit.py after ANY router or registry change.

🚧 Upcoming Strategic Goals

  • Zoom Events Integration: Implement cron synchronization for OAuth2 ticket retrieval.
  • Aether V4 Architecture: Migration to V4 core standards (Lifecycle fields).

📝 Session Notes (Feb 19, 2026)

  • Resolved: Fixed integer ID leakage in Event_Badge_Template_Base and Event_File_Base.
  • Hardened: Whitelisted account_id searching for all Event Objects (Presentation, General, Registration).
  • Verified: SQL Views v_event_session and v_event_session_w_file_count confirmed to have account_id_random.
  • Resolved: Implemented polymorphic for_id resolution for DataStore, Address, and Contact models.
  • Resolved: Fixed hash_sha256 for Event Files being null on the frontend.
  • Status: Core and Demo Vision parity suites verified at 100% pass rate.
Reference in New Issue View Git Blame Copy Permalink