Saving notes

documentation/AGENT_TODO.md

@@ -4,15 +4,16 @@
 
 ## 📋 Active Task: Post-Incident Security Recovery
 - [ ] **Step 1:** Conduct full audit of `PUBLIC_AE_API_SECRET_KEY` usage. Determine if it can be moved to server-side only.
-- [ ] **Step 2:** Replace simulation tests (`tests/verify_jwt_logic.js`) with real Playwright integration tests hitting the local dev API.
+- [x] **Step 2:** Replace simulation tests (`tests/verify_jwt_logic.js`) with real Playwright integration tests hitting the local dev API.
 - [ ] **Step 3:** Implement formal error boundaries for 403/401 API responses to provide user-friendly "Session Expired" or "Access Denied" UI.
 
 ## 🚧 Upcoming High Priority
-- **Events Launcher:** Investigate why not all Event Locations are showing in the select options list. Modify event loading to include the full location list.
 - **CRUD v2 Refactor:** Finalize retirement of `Element_ae_crud_v2.svelte` in favor of V3 Editor.
 - **Temp Cleanup:** Auto-removal of native `.tmp` files older than 24h.
 
 ## ✅ Completed Recently
+- [x] **[API]** **V3 Lookup System Integration:** Implemented standardized `/v3/lookup/` endpoints for Countries, Subdivisions, and Time Zones. Added support for `only_priority` filtering in IDAA editors.
+- [x] **[UI]** **Events Launcher Location Fix:** Resolved room select list issues by ensuring all enabled/hidden locations are proactively loaded and synced.
 - [x] **[API]** **Event File V3 Mapping:** Implemented `inc_hosted_file` support and mapped prefixed backend fields (`hosted_file_hash_sha256`, etc.) to flat properties.
 - [x] **[UI]** **Badge Rendering Fix:** Refactored `badge_template` lookup to use V3 Triple ID pattern.
 - [x] **[API]** **event_session Search Fix:** Resolved 400 error (`Unauthorized search field 'account_id'`) via backend update.