Scott.Idem/OSIT-AE-App-Svelte
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

docs: unwrap hard line breaks in TODO__Agents.md

Browse Source 
Pure reformatting, no content change. Each bullet/paragraph is now one
logical line instead of manually wrapped at ~80-100 chars, which looked
ragged with short trailing fragments in narrow/variable-width editor
panels. Editors soft-wrap long lines naturally; manual hard wraps don't
adapt to panel width.

Also gave the orphaned "Wallpaper reliability" item (previously sitting
between two --- dividers with no section header and a stray double
blank line) its own section header for consistency with the rest of
the doc.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Scott Idem
2026-06-16 15:35:54 -04:00
parent fc6eb01137
commit b94301336c
1 changed files with 35 additions and 122 deletions
Download Patch File Download Diff File Expand all files Collapse all files

157
documentation/TODO__Agents.md
View File

@@ -7,76 +7,33 @@
## ✅ LCI October — Pres Mgmt Restoration (complete 2026-06-16)
These features regressed over the last 6 months and must be working before the LCI conference.
Reference commit for original working implementation: `bb993a102`.
These features regressed over the last 6 months and must be working before the LCI conference. Reference commit for original working implementation: `bb993a102`.
**2026-06-16:** Pres Mgmt's config sync architecture was overhauled the same day this list's
LCI event data was used for live testing — `lock_config` removed (was causing "sometimes
works" reports tied to save history, not current settings), POC/Location list-table column
bugs fixed (admin setting was being silently ignored), QR display fixed to match the intended
global-default-with-trusted-override design, and the Config page got a documentation pass
(title tooltips, POC settings split into its own section). None of this touches the open
items below, but anyone picking those up should know the sync layer underneath them is in a
meaningfully different (and better-understood) state now. Full incident log:
`PROJECT__AE_Events_PressMgmt_Config_Cleanup.md`.
**2026-06-16:** Pres Mgmt's config sync architecture was overhauled the same day this list's LCI event data was used for live testing — `lock_config` removed (was causing "sometimes works" reports tied to save history, not current settings), POC/Location list-table column bugs fixed (admin setting was being silently ignored), QR display fixed to match the intended global-default-with-trusted-override design, and the Config page got a documentation pass (title tooltips, POC settings split into its own section). None of this touches the open items below, but anyone picking those up should know the sync layer underneath them is in a meaningfully different (and better-understood) state now. Full incident log: `PROJECT__AE_Events_PressMgmt_Config_Cleanup.md`.
### Session POC (Champion/Moderator) — `session_view.svelte`
**Root cause of visible bugs:** The POC section is placed *below* the session hero card as a
separate disconnected block. In the original it was part of a structured `<ul>` with the session
name, code, datetime, location, and description all together. The current layout looks and feels
wrong to users.
**Root cause of visible bugs:** The POC section is placed *below* the session hero card as a separate disconnected block. In the original it was part of a structured `<ul>` with the session name, code, datetime, location, and description all together. The current layout looks and feels wrong to users.
- [x] **[Pres Mgmt] POC section — move inside session hero card** (2026-06-12)
Restructured hero card as a `<ul>` with datetime, room, and POC as rows inside the card.
Session name and code are now always visible (not just in edit_mode — that was a bug).
- [x] **[Pres Mgmt] POC assignment — "Select Person" flow broken** (2026-06-12)
Gated the select editor on `person_options_loaded` (`Object.keys($slct.person_obj_kv).length > 0`).
"Select Person" button renders as "Reload Person" after list is loaded.
- [x] **[Pres Mgmt] Email Session POC sign-in link — UI missing** (2026-06-12)
Restored email button in POC row with `sending/sent/error` state feedback.
Shown when `require__session_agree && show__email_access_link && poc_person_primary_email`.
- [x] **[Pres Mgmt] Copy Session POC access link — UI missing from session view** (2026-06-12)
Restored inline `MyClipboard` copy button in POC row for trusted staff.
Shown when `show__copy_access_link && trusted_access && poc_sign_in_url`.
- [x] **[Pres Mgmt] POC section — move inside session hero card** (2026-06-12) Restructured hero card as a `<ul>` with datetime, room, and POC as rows inside the card. Session name and code are now always visible (not just in edit_mode — that was a bug).
- [x] **[Pres Mgmt] POC assignment — "Select Person" flow broken** (2026-06-12) Gated the select editor on `person_options_loaded` (`Object.keys($slct.person_obj_kv).length > 0`). "Select Person" button renders as "Reload Person" after list is loaded.
- [x] **[Pres Mgmt] Email Session POC sign-in link — UI missing** (2026-06-12) Restored email button in POC row with `sending/sent/error` state feedback. Shown when `require__session_agree && show__email_access_link && poc_person_primary_email`.
- [x] **[Pres Mgmt] Copy Session POC access link — UI missing from session view** (2026-06-12) Restored inline `MyClipboard` copy button in POC row for trusted staff. Shown when `show__copy_access_link && trusted_access && poc_sign_in_url`.
### Presenter Sign-In
- [x] **[Pres Mgmt] Presenter email sign-in link routes to wrong page** (fixed 2026-06-12,
commit `e05602b87`; verified 2026-06-16) `email_sign_in__event_presenter()` now builds a URL
to `/session/[session_id]?...&presenter_id=...&presentation_id=...` instead of `/presenter/[id]`
— confirmed in `ae_events__event_presenter.ts`. Verified `sign_in_out.svelte` (mounted on the
session page) reads `presenter_id`/`presentation_id` from the URL and grants presenter-level
auth via `auth__kv.presenter`/`auth__kv.presentation`, not just session read access.
- [x] **[Pres Mgmt] Presenter agreement not enforced before file upload** (fixed 2026-06-16)
`presenter_is_authed` only checked sign-in state, never `.agree`, so a presenter could upload
without agreeing whenever `require__presenter_agree` was on. Added a new derived
`presenter_agree_ok` (`trusted_access || !require__presenter_agree || auth__event_presenter_obj.agree`)
and `presenter_can_upload` (`presenter_is_authed && presenter_agree_ok`) in
`presenter/[presenter_id]/+page.svelte`, and swapped it in everywhere the upload UI/file-list
permissions are gated (both the default view and the `manage_files` alt view — the latter's
`public_access` identity bypass is preserved but still requires `presenter_agree_ok`). Also
added an inline warning message in place of the upload section when signed in but pending
agreement, instead of it just silently disappearing.
- [x] **[Pres Mgmt] Presenter email sign-in link routes to wrong page** (fixed 2026-06-12, commit `e05602b87`; verified 2026-06-16) `email_sign_in__event_presenter()` now builds a URL to `/session/[session_id]?...&presenter_id=...&presentation_id=...` instead of `/presenter/[id]` — confirmed in `ae_events__event_presenter.ts`. Verified `sign_in_out.svelte` (mounted on the session page) reads `presenter_id`/`presentation_id` from the URL and grants presenter-level auth via `auth__kv.presenter`/`auth__kv.presentation`, not just session read access.
- [x] **[Pres Mgmt] Presenter agreement not enforced before file upload** (fixed 2026-06-16) `presenter_is_authed` only checked sign-in state, never `.agree`, so a presenter could upload without agreeing whenever `require__presenter_agree` was on. Added a new derived `presenter_agree_ok` (`trusted_access || !require__presenter_agree || auth__event_presenter_obj.agree`) and `presenter_can_upload` (`presenter_is_authed && presenter_agree_ok`) in `presenter/[presenter_id]/+page.svelte`, and swapped it in everywhere the upload UI/file-list permissions are gated (both the default view and the `manage_files` alt view — the latter's `public_access` identity bypass is preserved but still requires `presenter_agree_ok`). Also added an inline warning message in place of the upload section when signed in but pending agreement, instead of it just silently disappearing.
### Session POC Sign-In
- [x] **[Pres Mgmt] `session_page_menu.svelte` sign-in prop** (verified correct, 2026-06-16)
`event_session_id={$lq__event_session_obj?.event_session_id}` — confirmed this is the real
session ID from the loaded session object, not the raw URL param. The sign-in component's
separate `url_session_id` (parsed from a `session_id` query param) is intentionally a different
thing — it's only used for the POC/Champion sign-in link shape, not the presenter flow, which
relies on the route's own `[session_id]` path param via this prop. No bug found.
- [x] **[Pres Mgmt] `session_page_menu.svelte` sign-in prop** (verified correct, 2026-06-16) `event_session_id={$lq__event_session_obj?.event_session_id}` — confirmed this is the real session ID from the loaded session object, not the raw URL param. The sign-in component's separate `url_session_id` (parsed from a `session_id` query param) is intentionally a different thing — it's only used for the POC/Champion sign-in link shape, not the presenter flow, which relies on the route's own `[session_id]` path param via this prop. No bug found.
---
## 🚧 Launcher/Electron — Wallpaper Reliability (post-CMSC)
- [ ] **[Launcher/Electron] Wallpaper reliability (post-CMSC)**
- [ ] **[Launcher/Electron] Wallpaper reliability**
- [ ] Use timestamp/randomized temp filename so macOS always sees a new path.
- [ ] Add resilient reconciliation loop or event-driven reapply on display topology changes.
@@ -84,19 +41,11 @@ wrong to users.
## 🚧 Badges follow-ups (post-Axonius DC, downgraded 2026-06-16)
Axonius DC (June 9) is done — the show happened and the badge layout work that was 🔴 for it
is complete. Downgraded from 🔴 to 🚧; these are normal backlog now, no event deadline attached.
Revisit before the next badge-printing event.
Axonius DC (June 9) is done — the show happened and the badge layout work that was 🔴 for it is complete. Downgraded from 🔴 to 🚧; these are normal backlog now, no event deadline attached. Revisit before the next badge-printing event.
- [ ] **[Badges] Implement review-link email delivery** — current Email Link actions only show
placeholder alerts. Send to `event_badge.email`, never the attendee-editable `email_override`.
- [ ] **[Badges] Unify review and kiosk edit permissions** — remote review reads
`event.mod_badges_json.edit_permissions`; print controls read template `cfg_json.controls_cfg`.
Define precedence or consolidate them so both flows enforce one documented policy.
- [ ] **[Badges] Use template badge types in search filter** — replace the hardcoded badge-type
list in `ae_comp__badge_search.svelte` with the active template's `badge_type_list`. Checked
2026-06-16: confirmed still not done — the list is still hardcoded ("Axonius 2026 badge type
codes") with its own `// TODO: drive this from the event's badge templates` comment above it.
- [ ] **[Badges] Implement review-link email delivery** — current Email Link actions only show placeholder alerts. Send to `event_badge.email`, never the attendee-editable `email_override`.
- [ ] **[Badges] Unify review and kiosk edit permissions** — remote review reads `event.mod_badges_json.edit_permissions`; print controls read template `cfg_json.controls_cfg`. Define precedence or consolidate them so both flows enforce one documented policy.
- [ ] **[Badges] Use template badge types in search filter** — replace the hardcoded badge-type list in `ae_comp__badge_search.svelte` with the active template's `badge_type_list`. Checked 2026-06-16: confirmed still not done — the list is still hardcoded ("Axonius 2026 badge type codes") with its own `// TODO: drive this from the event's badge templates` comment above it.
---
@@ -104,8 +53,7 @@ Revisit before the next badge-printing event.
Finalizing the 100% adoption of V3 Standard endpoints and retirement of legacy wrappers.
- [ ] **[Core] Legacy Utility Helpers** — Refactor `ae_core_functions.ts` to use V3 helpers.
- [ ] **[Cleanup] Delete Legacy Wrappers** — Once all callsites are migrated, remove
`src/lib/ae_api/api_get__crud_obj_id.ts` and the legacy exports from `api.ts`.
- [ ] **[Cleanup] Delete Legacy Wrappers** — Once all callsites are migrated, remove `src/lib/ae_api/api_get__crud_obj_id.ts` and the legacy exports from `api.ts`.
---
@@ -113,43 +61,27 @@ Finalizing the 100% adoption of V3 Standard endpoints and retirement of legacy w
### [Security] Site Passcode JWT Migration
- [ ] **[Security] Verify `/authenticate_passcode` deployment** — confirm explicit role priority,
complete role flags, `auth_type: 'passcode'`, per-role TTLs, and minimum length validation.
- [ ] **[Security] Replace local passcode comparison** — migrate
`e_app_access_type.svelte` to server verification, JWT storage, and pending/error UI.
- [ ] **[Security] Remove client-side passcode delivery/storage** — stop caching
`access_code_kv_json`, remove `site_access_code_kv` from auth state, and remove passcode logging.
- [ ] **[Security] Enforce passcode JWT expiry on restore** — expired passcode sessions must
return to anonymous without affecting user-login JWT handling.
- [ ] **[Security] Verify `/authenticate_passcode` deployment** — confirm explicit role priority, complete role flags, `auth_type: 'passcode'`, per-role TTLs, and minimum length validation.
- [ ] **[Security] Replace local passcode comparison** — migrate `e_app_access_type.svelte` to server verification, JWT storage, and pending/error UI.
- [ ] **[Security] Remove client-side passcode delivery/storage** — stop caching `access_code_kv_json`, remove `site_access_code_kv` from auth state, and remove passcode logging.
- [ ] **[Security] Enforce passcode JWT expiry on restore** — expired passcode sessions must return to anonymous without affecting user-login JWT handling.
Reference: `documentation/PROJECT__AE_Site_Passcode_Security.md`.
### [Stores] Svelte 4 → Svelte 5 State Migration
The app uses `svelte-persisted-store` (coarse reactivity). Migration target: replace with Svelte 5
`PersistedState` (from `runed`) for fine-grained updates. See `PROJECT__Stores_Svelte5_Migration.md`.
The app uses `svelte-persisted-store` (coarse reactivity). Migration target: replace with Svelte 5 `PersistedState` (from `runed`) for fine-grained updates. See `PROJECT__Stores_Svelte5_Migration.md`.
- [x] **Events module — COMPLETE (2026-06-11):** `events_loc` fully retired. All 5 sub-stores
(`badges_loc`, `leads_loc`, `pres_mgmt_loc`, `launcher_loc`, `events_auth_loc`) are on
`PersistedState`. Unused fields also pruned from `ae_stores.ts` and `ae_idaa_stores.ts`.
- [ ] **`idaa_loc` → PersistedState** — Highest remaining priority. Root cause of the IDAA
"Access Denied" corruption bug (`ae_loc` bootstrap writes stomp on `authenticated_access`).
Promote `novi_*` identity fields and `archives/bb/recovery_meetings` sub-objects.
- [ ] **`ae_loc` → PersistedState** — Largest scope. Extract `auth_loc` sub-store first
(the identity/permission fields are what get corrupted). Defer full migration until after `idaa_loc`.
- [x] **Events module — COMPLETE (2026-06-11):** `events_loc` fully retired. All 5 sub-stores (`badges_loc`, `leads_loc`, `pres_mgmt_loc`, `launcher_loc`, `events_auth_loc`) are on `PersistedState`. Unused fields also pruned from `ae_stores.ts` and `ae_idaa_stores.ts`.
- [ ] **`idaa_loc` → PersistedState** — Highest remaining priority. Root cause of the IDAA "Access Denied" corruption bug (`ae_loc` bootstrap writes stomp on `authenticated_access`). Promote `novi_*` identity fields and `archives/bb/recovery_meetings` sub-objects.
- [ ] **`ae_loc` → PersistedState** — Largest scope. Extract `auth_loc` sub-store first (the identity/permission fields are what get corrupted). Defer full migration until after `idaa_loc`.
- [ ] **Non-persisted writables** (`ae_sess`, `slct`, etc.) — Low priority; no coarse-reactivity problem.
### [Data Layer] IDB sorting + content version rollout
Sorting baseline is now `build_tmp_sort` (ASC chain, no `.reverse()` on tmp-sort lists).
**⚠️ Exception:** `ae_events__event.ts` and `ae_events__event_session.ts` use **legacy encoding**
(`priority ? 1 : 0`, priority=true→`'1'`). Their sort comparators must remain **descending**
until the modules are migrated to `build_tmp_sort`. `ae_events__event_presentation.ts` already
uses `build_tmp_sort` (overrides generic encoding in its `specific_processor`). See
`CLIENT__IDAA_and_customized_mods.md` → "Sort Encoding" for full table.
**⚠️ Exception:** `ae_events__event.ts` and `ae_events__event_session.ts` use **legacy encoding** (`priority ? 1 : 0`, priority=true→`'1'`). Their sort comparators must remain **descending** until the modules are migrated to `build_tmp_sort`. `ae_events__event_presentation.ts` already uses `build_tmp_sort` (overrides generic encoding in its `specific_processor`). See `CLIENT__IDAA_and_customized_mods.md` → "Sort Encoding" for full table.
- [ ] **[IDB Sort] Migrate `ae_events__event.ts` to `build_tmp_sort`** — requires bumping
`IDB_CONTENT_VERSIONS.events.event` (currently v3) and switching all event sort comparators
to ascending. Check all pages that sort events before doing this.
- [ ] **[IDB Sort] Migrate `ae_events__event.ts` to `build_tmp_sort`** — requires bumping `IDB_CONTENT_VERSIONS.events.event` (currently v3) and switching all event sort comparators to ascending. Check all pages that sort events before doing this.
- [ ] **[IDB Sort] Roll out to `ae_events__event_session`** after sort behavior review.
- [ ] **[IDB Sort] Roll out to `ae_events__event_presenter`** after sort behavior review.
- [ ] **[IDB Sort] Roll out to `ae_events__event_location`** after sort behavior review.
@@ -158,16 +90,11 @@ uses `build_tmp_sort` (overrides generic encoding in its `specific_processor`).
- [ ] **[IDB Version] Roll out to `db_core.ts`** (site_domain, person, user).
### [Journals] Journal Entry Config follow-ups
- [ ] **[Journals] Entry passcode secondary auth** — implement `passcode_hash` comparison.
- [ ] **[Journals] Quick Add/import encryption behavior** — both creation paths currently
create plaintext entries; define the intended privacy UX and add encryption support before
claiming that these paths honor entry E2EE.
- [ ] **[Journals] Remove decrypted-content console preview** —
`ae_journals_decryption.ts` logs the first 30 plaintext characters after successful decryption.
Never log private journal content.
- [ ] **[Journals] Confirm outbound email-sharing requirement** — the archived UI project listed
this as unfinished, but no implementation exists. Confirm product/security requirements before
creating an email workflow for private journal content.
- [ ] **[Journals] Quick Add/import encryption behavior** — both creation paths currently create plaintext entries; define the intended privacy UX and add encryption support before claiming that these paths honor entry E2EE.
- [ ] **[Journals] Remove decrypted-content console preview** — `ae_journals_decryption.ts` logs the first 30 plaintext characters after successful decryption. Never log private journal content.
- [ ] **[Journals] Confirm outbound email-sharing requirement** — the archived UI project listed this as unfinished, but no implementation exists. Confirm product/security requirements before creating an email workflow for private journal content.
---
@@ -182,25 +109,11 @@ uses `build_tmp_sort` (overrides generic encoding in its `specific_processor`).
## ⚙️ DevOps & Backend
- [ ] **[Cleanup] Remove unused legacy API wrappers** — `create_ae_obj_crud()`,
`get_ae_obj_id_crud()`, and `update_ae_obj_id_crud()` are still exported from `api.ts` but
no longer called anywhere in production code. V3 migration is 100% complete. Safe to delete:
definitions in `api.ts` (lines 109-260), `src/lib/ae_api/api_get__crud_obj_id.ts`, unused
wrapper in `ae_core_functions.ts` (`get_site_domain_obj_from_fqdn`, `update_ae_obj_id_crud`).
- [ ] **[Backend] `event_file` — add `cfg_json` column (post-CMSC)** — The per-file display
override currently uses a localStorage workaround (`launcher_loc.current.file_display_overrides`)
because `event_file` has no JSON blob column. Proper fix: add `cfg_json` to the `event_file` DB
table, expose it through the FastAPI model, then migrate the frontend back to reading/writing the
backend field (restoring global/cross-device persistence). Frontend code is in
`launcher_file_cont.svelte` — search for `file_display_overrides`.
- [ ] **[Cleanup] Remove unused legacy API wrappers** — `create_ae_obj_crud()`, `get_ae_obj_id_crud()`, and `update_ae_obj_id_crud()` are still exported from `api.ts` but no longer called anywhere in production code. V3 migration is 100% complete. Safe to delete: definitions in `api.ts` (lines 109-260), `src/lib/ae_api/api_get__crud_obj_id.ts`, unused wrapper in `ae_core_functions.ts` (`get_site_domain_obj_from_fqdn`, `update_ae_obj_id_crud`).
- [ ] **[Backend] `event_file` — add `cfg_json` column (post-CMSC)** — The per-file display override currently uses a localStorage workaround (`launcher_loc.current.file_display_overrides`) because `event_file` has no JSON blob column. Proper fix: add `cfg_json` to the `event_file` DB table, expose it through the FastAPI model, then migrate the frontend back to reading/writing the backend field (restoring global/cross-device persistence). Frontend code is in `launcher_file_cont.svelte` — search for `file_display_overrides`.
- [ ] **[Backend] Re-add `Access-Control-Allow-Private-Network: true` CORS header.**
- [x] **[DevOps] Service worker `skipWaiting` + `clients.claim`** — Root cause of "users see
old code / can't reproduce in dev testing": the SW sat in waiting state until all tabs closed.
IDAA members leave idaa.org open all day. Fixed 2026-06-03: both calls added to
`src/service-worker.js`. See mistake #16 in `BOOTSTRAP__AI_Agent_Quickstart.md`.
- [ ] **[DevOps] Nginx proxy buffer tuning** — Buffer settings copied from PHP guide; not
optimal for Node.js. `proxy_busy_buffers_size` technically exceeds safe limit. Re-examine
when enabling compression (now re-enabled) stabilizes.
- [x] **[DevOps] Service worker `skipWaiting` + `clients.claim`** — Root cause of "users see old code / can't reproduce in dev testing": the SW sat in waiting state until all tabs closed. IDAA members leave idaa.org open all day. Fixed 2026-06-03: both calls added to `src/service-worker.js`. See mistake #16 in `BOOTSTRAP__AI_Agent_Quickstart.md`.
- [ ] **[DevOps] Nginx proxy buffer tuning** — Buffer settings copied from PHP guide; not optimal for Node.js. `proxy_busy_buffers_size` technically exceeds safe limit. Re-examine when enabling compression (now re-enabled) stabilizes.
- [ ] **[DevOps] Simplify Dockerfile env file selection** — Use plain `.env` instead of `BUILD_MODE`.
---