Scott.Idem/OSIT-AE-API-FastAPI
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
48fc97cf46c7749e3bc235aed8a1786a87a5d2a0
OSIT-AE-API-FastAPI/documentation/AGENT_TODO.md

2.3 KiB
Raw Blame History

Backend Agent Task List

Use this file to track steps for complex features or bug fixes. Status: 🟢 STABLE - Security Hardening Complete.

📋 Active Tasks

  • Core Isolation: Harden apply_forced_account_filter to Fail-Closed.
  • IDAA Baseline: Remove public_read from Event, CMS, and Archive objects.
  • Detailed Feedback: Implement descriptive 403 Forbidden reasons.
  • Audit Suite: Establish test_e2e_v3_security_audit.py as a permanent safeguard.
  • Polymorphic For_ID Patterns: Add ID Vision to Address, Contact, and DataStore objects.
  • Event File Hash_SHA256 Fix: Populate hosted_file_hash_sha256 correctly.
  • Step 1: ID Vision Parity Audit
    • Audit Core Event Models (Badge, Session, Presentation).
    • Audit File/Exhibit Models (File, Template, Tracking).
    • Whitelist account_id in all Event search definitions.
    • Audit Relational "Low-Priority" Models (Address, Contact, DataStore).
    • Audit Lookup Fields (Uniform V3 System Phase 1 Complete).
    • Verify SQL Views join in all required _random IDs for performance.
  • Step 2: Coordination (Verify Frontend uses x-account-id instead of token).

🛡️ Security & Privacy Baseline (IDAA)

  • Status: ENFORCED.
  • Principle: Every object requires an Account Context except site_domain.
  • Maintenance: Run tests/e2e/test_e2e_v3_security_audit.py after ANY router or registry change.

🚧 Upcoming Strategic Goals

  • Zoom Events Integration: Implement cron synchronization for OAuth2 ticket retrieval.
  • Aether V4 Architecture: Migration to V4 core standards (Lifecycle fields).

📝 Session Notes (Feb 19, 2026)

  • Resolved: Fixed integer ID leakage in Event_Badge_Template_Base and Event_File_Base.
  • Hardened: Whitelisted account_id searching for all Event Objects (Presentation, General, Registration).
  • Verified: SQL Views v_event_session and v_event_session_w_file_count confirmed to have account_id_random.
  • Resolved: Implemented polymorphic for_id resolution for DataStore, Address, and Contact models.
  • Resolved: Fixed hash_sha256 for Event Files being null on the frontend.
  • Status: Core and Demo Vision parity suites verified at 100% pass rate.
Reference in New Issue View Git Blame Copy Permalink