Serious notes about security updates.
@@ -31,6 +31,8 @@ You must follow the safety, testing, and coordination standards defined in:
- **Safe Handover (Native):** Rename `.tmp` to `.file` ONLY after SHA-256 verification in Electron.
- **Envelopes:** API helpers automatically handle the `{data: ...}` envelope returned by the backend.
- **Bootstrap Paradox:** Use unauthenticated bypass (`x-no-account-id: "Nothing to See Here"`) for initial site/domain lookups.
- **Sev-1 Incident Recovery (2026-02-13):** Purged redundant/misplaced headers (`x-aether-api-token`, `Access-Control-Allow-Origin`). Unified all CRUD helpers to standard `/v3/crud/...` paths.
- **Account ID Scavenging:** Core fetch helpers now proactively read `account_id` from `localStorage` (`ae_loc`) if missing from config. This is the mandatory fix for Svelte 5 hydration race conditions where `onMount` triggers API calls before global stores are synced.

## 🤝 Coordination & Continuity

- **Handshake:** Use the `message` tool to notify the Backend Agent of UI/Data requirements.

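Review bot: the **Bootstrap Paradox** entry tells developers to send a fixed header value, `x-no-account-id: "Nothing to See Here"`, as an "unauthenticated bypass" for site/domain lookups; a constant string in a request header is something any client can send, so if those lookups are meant to be public the guide should say they are public endpoints that return nothing account-scoped, and if they are not, a documented bypass header is the wrong mechanism and the backend side of it needs a second look. In the same hunk, **Account ID Scavenging** reads `account_id` from `localStorage` (`ae_loc`), which is a client-controlled value; using it to populate a request is fine, but the entry should state that the backend derives the effective account from the session credential and never trusts a caller-supplied `account_id` for authorization, otherwise "mandatory fix" reads as if the client were the source of truth.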
@@ -1,18 +1,21 @@
# Frontend Agent Task List
> Use this file to track steps for complex features or bug fixes.
> **Status:** 🔵 Active - Launcher Stabilization complete.
> **Status:** 🔴 Sev-1 Security Incident Recovery / Stabilized.

## 📋 Active Task: Badge Rendering Fix
- [x] **Step 1:** Investigate `event_badge_template` table for corrupted numeric IDs. (Confirmed Fine / Database Integrity OK)
- [ ] **Step 2:** Refactor `badge_template` lookup in `+page.svelte` to use V3 Triple ID pattern (`id_random` or `event_badge_template_id_random`).
- [ ] **Step 3:** Implement inline field editing using `Element_ae_crud_v2.svelte` for badge fields (Admin tool pattern).
- [ ] **Step 4:** Finalize & Commit.
## 📋 Active Task: Post-Incident Security Recovery
- [ ] **Step 1:** Conduct full audit of `PUBLIC_AE_API_SECRET_KEY` usage. Determine if it can be moved to server-side only.
- [ ] **Step 2:** Replace simulation tests (`tests/verify_jwt_logic.js`) with real Playwright integration tests hitting the local dev API.
- [ ] **Step 3:** Implement formal error boundaries for 403/401 API responses to provide user-friendly "Session Expired" or "Access Denied" UI.

## 🚧 Upcoming High Priority
- **CRUD v2 Refactor:** Implement V3 API alignment for `Element_ae_crud_v2.svelte`.
- **Badge Rendering Fix:** Refactor `badge_template` lookup to use V3 Triple ID pattern.
- **CRUD v2 Refactor:** Finalize retirement of `Element_ae_crud_v2.svelte` in favor of V3 Editor.
- **Temp Cleanup:** Auto-removal of native `.tmp` files older than 24h.

## ✅ Completed Recently
- [x] **[IDAA]** Verify Bulletin Board functionality.
- [x] **[IDAA]** Verify Recovery Meetings functionality.
- [x] **[Journals]** Fix buttons missing `type="button"`.
- [x] **[Security]** Purged redundant `x-aether-api-token` from frontend and notified backend.
- [x] **[Security]** Fixed misplaced `Access-Control-Allow-Origin` request headers.
- [x] **[Security]** Implemented "Account ID Scavenging" to fix hydration race conditions.
- [x] **[API]** Unified all CRUD helpers to standard V3 `/v3/crud/...` paths.
- [x] **[Framework]** Implemented `AE_Obj_Field_Editor_V3` with Svelte 5 Runes.
- [x] **[IDAA]** Verify Bulletin Board and Recovery Meetings functionality.

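Review bot: Step 1 of **Post-Incident Security Recovery** only schedules an audit of `PUBLIC_AE_API_SECRET_KEY`, but in a SvelteKit project (this file references `+page.svelte`) a `PUBLIC_`-prefixed environment variable is compiled into the client bundle, so a value named as a secret under that prefix should be treated as already disclosed; add a step to rotate it on the backend now and let the audit decide what, if anything, replaces it server-side rather than "determine if it can be moved". Smaller points in the same hunk: the last **Completed Recently** item, `**[IDAA]** Verify Bulletin Board and Recovery Meetings functionality.`, duplicates the two separate IDAA items at the top of that list, and **CRUD v2 Refactor** appears twice under **Upcoming High Priority** with conflicting goals (V3 alignment of `Element_ae_crud_v2.svelte` versus its retirement), while Step 3 of the badge task still proposes building on that same component; pick one direction and collapse the duplicates.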
@@ -1,6 +1,6 @@
# Project Plan: Aether AE Obj Field Editor v3 (Consolidated)

> **Status:** Active / Planning Refinement
> **Status:** 🔵 Active / Testing & Stabilization
> **Date:** February 13, 2026
> **Target Component:** `src/lib/elements/element_ae_obj_field_editor_v3.svelte`
> **Replaces:** `element_ae_crud.svelte` and `element_ae_crud_v2.svelte`
@@ -18,28 +18,33 @@ Consolidate the legacy CRUD components into a single, high-performance "Aether O

## 3. Implementation Phases

### Phase 1: Foundation & Reactivity
- [ ] Create the new `v3` component shell.
- [ ] Implement strict TypeScript interface for Props.
- [ ] Use `$state` for local "draft" values to prevent reactivity loops with the global store.
- [ ] Implement the `handle_patch` logic using the central `api.patch` helper.
### Phase 1: Foundation & Reactivity (COMPLETED)
- [x] Create the new `v3` component shell.
- [x] Implement strict TypeScript interface for Props.
- [x] Use `$state` for local "draft" values to prevent reactivity loops with the global store.
- [x] Implement the `handle_patch` logic using the central `api.patch` helper.

### Phase 2: UI & UX Refinement
- [ ] Standardize Tailwind classes (using Tailwind 4 patterns).
- [ ] Implement "Edit Mode" awareness (syncing with `$ae_loc.edit_mode`).
- [ ] Add a "Save" loading state with Lucide's `LoaderCircle` spinner.
- [ ] Implement a clear "Cancel" path that restores the original value.
### Phase 2: UI & UX Refinement (COMPLETED)
- [x] Standardize Tailwind classes (using Tailwind 4 patterns).
- [x] Implement "Edit Mode" awareness (syncing with `$ae_loc.edit_mode`).
- [x] Add a "Save" loading state with Lucide's `LoaderCircle` spinner.
- [x] Implement a clear "Cancel" path that restores the original value.

### Phase 3: Field Type Parity
- [ ] Support `text`, `textarea`, `select`, `tiptap`, and `checkbox`.
### Phase 3: Field Type Parity (IN PROGRESS)
- [x] Support `text`, `textarea`, `select`, `tiptap`, and `checkbox`.
- [ ] Add `datetime` support using native browser pickers.
- [ ] Implement searchable dropdowns for the `select` type.

### Phase 4: Migration & Cleanup
- [ ] Create a playground route for V3 verification.
- [x] Create a playground route for V3 verification (`/testing/ae_obj_field_editor_v3`).
- [ ] Deprecate and eventually remove `v1` and `v2` files.
- [ ] Update `GUIDE__DEVELOPMENT.md` with the new usage patterns.

## ⚠️ Security & Reliability Stabilization (NEW)
- [x] **Account Context:** Fixed 403 errors by unifying API helpers to the `/v3/crud/` standard.
- [x] **Race Conditions:** Implemented `localStorage` scavenging for Account IDs to fix Svelte 5 hydration lags.
- [x] **Protocol Hygiene:** Purged redundant/misplaced headers (`x-aether-api-token`, `Access-Control-Allow-Origin`).

## 4. Maintenance & Standards
- Component must respect `$ae_loc.trusted_access` for visibility of edit triggers.
- Always use `type="button"` for internal actions to prevent form collisions.

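Review bot: under **4. Maintenance & Standards**, `Component must respect $ae_loc.trusted_access for visibility of edit triggers` is a UI gate on a client-side store (the same `ae_loc` that, per the scavenging item above, appears to be mirrored in `localStorage`), so a user can flip the flag and reveal the triggers; hiding them is fine for UX, but the standard should state that `handle_patch` via `api.patch` depends on the backend authorizing the PATCH and that the component makes no security decision itself. Also, **Account Context** in the stabilization block says the 403s were "fixed" by unifying helper paths while **Race Conditions** right below it fills in a missing `account_id` from `localStorage`; together these could mask a 403 the API was raising correctly for a request without account context, so it is worth recording which helpers were hitting wrong paths versus which were simply missing the ID.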