From 66310adb222804fe92a382be87f61848547e250a Mon Sep 17 00:00:00 2001
From: Scott Idem <stidem@gmail.com>
Date: Sun, 19 Apr 2026 19:32:43 -0400
Subject: [PATCH] More to do things.

---
 documentation/TODO__Agents.md | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/documentation/TODO__Agents.md b/documentation/TODO__Agents.md
index cf66cfd8..526dd71d 100644
--- a/documentation/TODO__Agents.md
+++ b/documentation/TODO__Agents.md
@@ -201,6 +201,19 @@ Once the global rule is in place, remove the scoped workaround from the badge co
 
 
 
+### [Backend/DevOps] Re-add `Access-Control-Allow-Private-Network: true` CORS header
+Chrome's Private Network Access (PNA) policy blocks public-origin iframes from fetching
+private-network addresses. Symptom: when `dev-api.oneskyit.com` resolves to a LAN IP
+(testing from home), Chrome blocks the site domain lookup → ghost account → `site_cfg_json`
+never loads → `novi_idaa_api_key` is null → IDAA Novi verifier spins forever → timeout banner.
+Firefox unaffected. Production unaffected (public IPs only).
+
+- [ ] **Re-add PNA header to API CORS config** — `dev-api` Nginx or FastAPI CORS middleware
+  must respond with `Access-Control-Allow-Private-Network: true` when Chrome sends
+  `Access-Control-Request-Private-Network: true` in the preflight. This was fixed ~1 month
+  ago and regressed. Check Nginx site config and FastAPI `CORSMiddleware` settings.
+  Low urgency (dev-only, Firefox workaround available), but blocks home-network iframe testing.
+
 ### [DevOps] Remaining deployment items
 
 - [ ] **Simplify Dockerfile env file selection** — Currently the Dockerfile uses a `BUILD_MODE` arg to