OSIT-AE-API-FastAPI/documentation/TODO__Agents.md
2026-03-11 16:01:16 -04:00

# Backend Agent Task List
> Use this file to track steps for complex features or bug fixes.
> **Status:** 🔵 DEPLOYMENT READY - Unified Docker Orchestration Complete.
## 🚀 Recent Infrastructure Wins
- [x] **Self-Contained Build:** `Dockerfile` and `requirements.txt` moved to project root.
- [x] **Dependency Pruning:** Removed 6 redundant/unused Python packages.
- [x] **Unified Orchestration:** API now builds as part of the `aether_container_env` stack.
## 📋 Operational Hardening (Next Steps)
- [x] **Healthcheck:** Implement `/health` route to verify DB/Redis status for Docker orchestration.
- [x] **Config Refactor:** Switch `app/config.py` to `pydantic-settings` to use direct Env Vars (Stop mounting config files).
- [x] **Locking:** Generate a `requirements.lock` (fully pinned, hash-checked dependency set) for reproducible builds.
## 📋 Feature Tasks
- [x] **Core Isolation:** Harden `apply_forced_account_filter` to Fail-Closed.
- [x] **IDAA Baseline:** Remove `public_read` from Event, CMS, and Archive objects.
- [x] **Detailed Feedback:** Implement descriptive 403 Forbidden reasons.
- [x] **Polymorphic For_ID Patterns:** Add ID Vision to Address, Contact, and DataStore objects.
- [x] **Event File Hash_SHA256 Fix:** Populate hosted_file_hash_sha256 correctly.
- [ ] **Step 1: ID Vision Parity Audit**
- [x] Audit Core Event Models (Badge, Session, Presentation).
- [x] Audit File/Exhibit Models (File, Template, Tracking).
- [x] Whitelist `account_id` in all Event search definitions.
- [x] Audit Relational "Low-Priority" Models (Address, Contact, DataStore).
- [x] **V3 Uniform Lookup System:** Phase 1 & 2 Complete.
- [ ] Verify SQL Views join in all required `_random` IDs for performance.
- [ ] **Step 2:** Coordination (Verify Frontend uses `x-account-id` instead of token).
- [ ] **Step 3:** Frontend V3 WebSocket integration test — queued after IDAA-specific work. Backend is ready (auth wired, heartbeat presence refresh confirmed, unit tests passing). Frontend guide updated at `GUIDE__AE_API_V3_for_Frontend_websockets.md`.
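The "Core Isolation" and "Detailed Feedback" items above describe a fail-closed account filter that returns a descriptive 403. The block below is an added illustration, not the project's `apply_forced_account_filter`: the real function operates on a SQLAlchemy query, whereas here rows are plain dicts so it runs stand-alone, and the `Forbidden` class, the `x-account-id` header lookup and the `SEARCH_WHITELIST` set are assumed names. It contrasts the fail-open shape (missing tenant returns every row) with the fail-closed one (missing tenant raises), and shows the forced account overriding any caller-supplied `account_id` even though that field is whitelisted for search.

```python
"""Added example (not the project's code): a fail-closed forced account filter.

Assumptions: rows are plain dicts instead of a SQLAlchemy query; `Forbidden`,
`resolve_account_id` and `SEARCH_WHITELIST` are illustrative names.
"""
from typing import Dict, Iterable, List, Mapping, Optional


class Forbidden(Exception):
    """Carries the descriptive reason that becomes the 403 response body."""

    def __init__(self, reason: str):
        super().__init__(reason)
        self.reason = reason


# Constructed sample data: two accounts sharing one table.
EVENTS: List[Dict[str, object]] = [
    {"id": 1, "account_id": "acct-a", "title": "Kickoff"},
    {"id": 2, "account_id": "acct-b", "title": "Board meeting"},
    {"id": 3, "account_id": "acct-a", "title": "Retro"},
]

# Fields a caller may search on. `account_id` is whitelisted so it can appear
# in search definitions, but its value is always forced, never trusted.
SEARCH_WHITELIST = {"id", "title", "account_id"}


def resolve_account_id(headers: Mapping[str, str]) -> Optional[str]:
    """Assumed: the tenant comes from the `x-account-id` header (lowercase keys here)."""
    value = headers.get("x-account-id", "").strip()
    return value or None


def apply_forced_account_filter_open(rows: Iterable[dict], account_id: Optional[str]) -> list:
    """The fail-OPEN shape to avoid: an unresolved tenant returns every row."""
    if account_id is None:
        return list(rows)
    return [r for r in rows if r["account_id"] == account_id]


def apply_forced_account_filter(rows: Iterable[dict], account_id: Optional[str],
                                search: Optional[Mapping[str, object]] = None) -> list:
    """Fail-CLOSED: no tenant -> Forbidden with a reason, never an unfiltered set."""
    if not account_id:
        raise Forbidden("account scope could not be determined (missing x-account-id)")
    search = dict(search or {})
    unknown = set(search) - SEARCH_WHITELIST
    if unknown:
        raise Forbidden(f"search field(s) not permitted: {sorted(unknown)}")
    # The forced tenant always wins over a caller-supplied account_id.
    search["account_id"] = account_id
    return [r for r in rows if all(r.get(k) == v for k, v in search.items())]


def search_events(headers: Mapping[str, str], search: Optional[Mapping[str, object]] = None) -> list:
    """Entry point: header -> forced filter -> rows, or Forbidden."""
    return apply_forced_account_filter(EVENTS, resolve_account_id(headers), search)
```

In a FastAPI router the `Forbidden` exception would be mapped to `HTTPException(status_code=403, detail=exc.reason)`; the point of the fail-closed branch is that a bug in tenant resolution degrades to a 403, not to a cross-account data leak.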
## 🛡️ Security & Privacy Baseline (IDAA)
- **Status:** **ENFORCED**.
- **Maintenance:** Run `tests/e2e/test_e2e_v3_security_audit.py` after ANY router or registry change.
## 🚧 Strategic Goals (V3.5+)
- [ ] **Pydantic V2 / SQLAlchemy 2.0:** Major framework upgrade for performance and type safety.
- SQLAlchemy 2.0 is likely the easier migration (additive, legacy mode available).
- Pydantic v2 touches every model definition — do this second.
- Current pins: `pydantic==1.*`, `SQLAlchemy==1.4.52` — intentional, do not remove until migration is done.
- [~] **Novi-Mailman Bridge:** Synchronization between Novi AMS and Mailman 3.
- Files: `app/methods/e_novi_mailman_methods.py`, `app/routers/api_v3_actions_e_novi_mailman.py`
- Registered at `/v3/action/e_novi_mailman/`
- **Confirmed from IDAA Jitsi code:**
- Auth: `Authorization: Basic {api_key}` (Base64-encoded key stored in `data_store`)
- Novi member fields are PascalCase: `Email`, `FirstName`, `LastName`, `Name`
- Individual member lookup: `GET /customers/{uuid}`
- Group member list: `GET /groups/{guid}/members?pageSize=200` (returns `Results` or `Members` key)
- Emails may contain spaces instead of `+` (a literal `+` in a URL query string decodes to a space); sanitize with `.replace(' ', '+')`
- **Still needs confirmation:**
- Bulk member list endpoint (likely `/members` or `/customers`) — hit `/novi/members` route after creds are set to inspect
- `MembershipStatus` field name in bulk response (may be `Status`)
- Webhook `EventType` values and payload shape (check Novi webhook docs)
- **data_store setup required (two records):**
- `novi_api_config` → `{"api_key": "<base64-key>", "base_url": "https://www.idaa.org/api", "mailman_list_id": "members@yourdomain.org"}`
- `mailman_api_config` → `{"base_url": "http://<host>:8001", "username": "restadmin", "password": "<password>"}` (plain HTTP with Basic auth; keep the Mailman REST port reachable only on the internal Docker network)
- **Outstanding TODO in code:** Webhook HMAC signature verification once Novi webhook secret is known.
- [ ] **Lookup System Batch 2:** Migration of `post_topic`, `user_status`, `file_purpose`.
- [ ] **Zoom Events Integration:** Implement cron synchronization for OAuth2 ticket retrieval.
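For the outstanding Novi webhook HMAC TODO, the block below is an added example of the verification shape, not code from the project or from Novi. Nothing about Novi's scheme is confirmed by the page, so the header name `X-Novi-Signature`, the use of lowercase hex HMAC-SHA256 over the raw request body, and the idea that the secret sits in `data_store` are all assumptions to be replaced once the Novi webhook docs have been checked. The verifier fails closed (no configured secret or no header means reject) and uses a constant-time comparison.

```python
"""Added example (not the project's or Novi's code): fail-closed HMAC
verification for an inbound webhook.

Assumed, not confirmed: header `X-Novi-Signature`, lowercase hex
HMAC-SHA256 over the raw body, secret loaded from data_store.
"""
import hashlib
import hmac
import json
from typing import Mapping, Optional, Tuple

SIGNATURE_HEADER = "x-novi-signature"  # assumed header name, lowercase keys here


def sign_body(secret: bytes, body: bytes) -> str:
    """Sender-side computation of the same scheme; used to build test inputs."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(secret: Optional[bytes], headers: Mapping[str, str], body: bytes) -> bool:
    """True only when a signature is present and matches the raw body.

    Fail closed: a missing secret or missing header rejects the request
    rather than skipping the check.
    """
    if not secret:
        return False
    provided = headers.get(SIGNATURE_HEADER, "").strip().lower()
    if not provided:
        return False
    expected = sign_body(secret, body)
    # Constant-time comparison so a byte-by-byte mismatch does not leak timing.
    return hmac.compare_digest(expected, provided)


def handle_webhook(secret: Optional[bytes], headers: Mapping[str, str], body: bytes) -> Tuple[int, object]:
    """Hypothetical handler: verify first, parse second. Returns (status, detail)."""
    if not verify_webhook(secret, headers, body):
        return 401, "invalid or missing webhook signature"
    try:
        payload = json.loads(body)
    except ValueError:
        return 400, "body is not JSON"
    # `EventType` is the field name the TODO above expects; its values are unconfirmed.
    return 200, payload.get("EventType", "unknown")
```

In the FastAPI router this must run against `await request.body()`, the raw bytes as received, not a re-serialized Pydantic model: any change in whitespace or key order produces a different digest and every genuine webhook would be rejected. Starlette's `request.headers` is already case-insensitive, so the lowercase key used here is only for the plain-dict inputs.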
## 📝 Session Notes (March 11, 2026)
- **Media Methods Hardened:** `clip_video_method` and `convert_file_method` in `app/methods/lib_media.py` updated with improved error logging, PDF validation, and guaranteed temp-file cleanup.
- **V3 Action Migration:** `clip_video` endpoint promoted from legacy `hosted_file` router to V3 action (`/v3/action/hosted_file/{id}/clip_video`). Legacy route now issues a `307` redirect for backward compatibility.
- **Background Scheduling:** `clip_video` V3 action supports `?background=true` (returns `202 Accepted`), enabling async clipping for large files.
- **Robust Deletion:** `delete_file_action` unlink wrapped in `try/except OSError` — filesystem errors are now logged and non-fatal.
- **Unit Tests Added:** `tests/unit/test_unit_media_methods.py` covers `clip_video_method` and `convert_file_method` with full async mocking.
- **Docs Renamed & Updated:** `GUIDE__V3_FRONTEND_API.md` → `GUIDE__AE_API_V3_for_Frontend.md`; `GUIDE__V3_FRONTEND_WEBSOCKETS.md` → `GUIDE__AE_API_V3_for_Frontend_websockets.md`. Frontend guide updated with V3 action paths, background scheduling notes, and correct example URLs.
## 📝 Session Notes (March 10, 2026)
- **Unified Stack:** Merged API orchestration into the master environment.
- **Root Assets:** Docker assets are now part of this git repo again.
- **Pruning:** Successfully reduced dependency bloat in `requirements.txt`.
- **Operational Hardening complete:** Healthcheck, config refactor (pydantic-settings), requirements.lock all done.
- **BuildKit pip cache:** Dockerfile now uses `--mount=type=cache` — rebuild with `docker compose up -d --build ae_api`.
- **Novi-Mailman Bridge scaffolded:** Auth pattern and field names confirmed from existing IDAA Jitsi frontend code.