Scott.Idem/OSIT-AE-API-FastAPI
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6bfbff309a4846cb2f2e96a04db20bb32afa9e28
OSIT-AE-API-FastAPI/documentation/AGENT_TODO.md

37 lines
2.3 KiB
Markdown
Raw Blame History

# Backend Agent Task List
> Use this file to track steps for complex features or bug fixes.
> **Status:** 🟢 STABLE - Security Hardening Complete.
## 📋 Active Tasks
- [x] **Core Isolation:** Harden `apply_forced_account_filter` to Fail-Closed.
- [x] **IDAA Baseline:** Remove `public_read` from Event, CMS, and Archive objects.
- [x] **Detailed Feedback:** Implement descriptive 403 Forbidden reasons.
- [x] **Audit Suite:** Establish `test_e2e_v3_security_audit.py` as a permanent safeguard.
- [x] **Polymorphic For_ID Patterns:** Add ID Vision to Address, Contact, and DataStore objects.
- [x] **Event File Hash_SHA256 Fix:** Populate hosted_file_hash_sha256 correctly.
- [ ] **Step 1: ID Vision Parity Audit**
- [x] Audit Core Event Models (Badge, Session, Presentation).
- [x] Audit File/Exhibit Models (File, Template, Tracking).
- [x] Whitelist `account_id` in all Event search definitions.
- [x] Audit Relational "Low-Priority" Models (Address, Contact, DataStore).
- [x] Audit Lookup Fields (Uniform V3 System Phase 1 Complete).
- [ ] Verify SQL Views join in all required `_random` IDs for performance.
- [ ] **Step 2:** Coordination (Verify Frontend uses `x-account-id` instead of token).
## 🛡️ Security & Privacy Baseline (IDAA)
- **Status:** **ENFORCED**.
- **Principle:** Every object requires an Account Context except `site_domain`.
- **Maintenance:** Run `tests/e2e/test_e2e_v3_security_audit.py` after ANY router or registry change.
## 🚧 Upcoming Strategic Goals
- **Zoom Events Integration:** Implement cron synchronization for OAuth2 ticket retrieval.
- **Aether V4 Architecture:** Migration to V4 core standards (Lifecycle fields).
## 📝 Session Notes (Feb 19, 2026)
- **Resolved:** Fixed integer ID leakage in `Event_Badge_Template_Base` and `Event_File_Base`.
- **Hardened:** Whitelisted `account_id` searching for all Event Objects (Presentation, General, Registration).
- **Verified:** SQL Views `v_event_session` and `v_event_session_w_file_count` confirmed to have `account_id_random`.
- **Resolved:** Implemented polymorphic `for_id` resolution for DataStore, Address, and Contact models.
- **Resolved:** Fixed `hash_sha256` for Event Files being null on the frontend.
- **Status:** Core and Demo Vision parity suites verified at 100% pass rate.
Reference in New Issue View Git Blame Copy Permalink