# Frontend Agent Task List

> Use this file to track steps for complex features or bug fixes.
> **Status:** 🔴 Sev-1 Security Incident Recovery / Stabilized.

## 📋 Active Task: Post-Incident Security Recovery

- [ ] **Step 1:** Conduct full audit of `PUBLIC_AE_API_SECRET_KEY` usage. Determine if it can be moved to server-side only.
- [ ] **Step 2:** Replace simulation tests (`tests/verify_jwt_logic.js`) with real Playwright integration tests hitting the local dev API.
- [ ] **Step 3:** Implement formal error boundaries for 403/401 API responses to provide user-friendly "Session Expired" or "Access Denied" UI.

## 🚧 Upcoming High Priority

- **event_session Search Fix:** Investigate 400 error (`Unauthorized search field 'account_id'`) on `event_session/search`.
- **Badge Rendering Fix:** Refactor `badge_template` lookup to use V3 Triple ID pattern.
- **CRUD v2 Refactor:** Finalize retirement of `Element_ae_crud_v2.svelte` in favor of V3 Editor.
- **Temp Cleanup:** Auto-removal of native `.tmp` files older than 24h.

## ✅ Completed Recently

- [x] **[Security]** Purged redundant `x-aether-api-token` from frontend and notified backend.
- [x] **[Security]** Fixed misplaced `Access-Control-Allow-Origin` request headers.
- [x] **[Security]** Implemented "Account ID Scavenging" to fix hydration race conditions.
- [x] **[API]** Unified all CRUD helpers to standard V3 `/v3/crud/...` paths.
- [x] **[Framework]** Implemented `AE_Obj_Field_Editor_V3` with Svelte 5 Runes.
- [x] **[IDAA]** Verify Bulletin Board and Recovery Meetings functionality.