More to do things.

documentation/TODO__Agents.md

@@ -201,6 +201,19 @@ Once the global rule is in place, remove the scoped workaround from the badge co
 
 
 
+### [Backend/DevOps] Re-add `Access-Control-Allow-Private-Network: true` CORS header
+Chrome's Private Network Access (PNA) policy blocks public-origin iframes from fetching
+private-network addresses. Symptom: when `dev-api.oneskyit.com` resolves to a LAN IP
+(testing from home), Chrome blocks the site domain lookup → ghost account → `site_cfg_json`
+never loads → `novi_idaa_api_key` is null → IDAA Novi verifier spins forever → timeout banner.
+Firefox unaffected. Production unaffected (public IPs only).
+
+- [ ] **Re-add PNA header to API CORS config** — `dev-api` Nginx or FastAPI CORS middleware
+  must respond with `Access-Control-Allow-Private-Network: true` when Chrome sends
+  `Access-Control-Request-Private-Network: true` in the preflight. This was fixed ~1 month
+  ago and regressed. Check Nginx site config and FastAPI `CORSMiddleware` settings.
+  Low urgency (dev-only, Firefox workaround available), but blocks home-network iframe testing.
+
 ### [DevOps] Remaining deployment items
 
 - [ ] **Simplify Dockerfile env file selection** — Currently the Dockerfile uses a `BUILD_MODE` arg to