# Frontend Agent Task List
> **Doc Owner:** Active frontend implementation team (human + agent)
> **Review Trigger:** Update when work starts, completes, changes priority, or moves to an archive.
> Use this file to track steps for complex features or bug fixes.
> **Status:** Stable — ongoing development.
> **Scope:** Active/open work only. Completed detail lives in archive files.

## 🔴 LCI October — Pres Mgmt Restoration (in progress 2026-06-12)

These features regressed over the last 6 months and must be working before the LCI conference.
Reference commit for original working implementation: `bb993a102`.

**2026-06-16:** Pres Mgmt's config sync architecture was overhauled the same day this list's
LCI event data was used for live testing — `lock_config` removed (was causing "sometimes
works" reports tied to save history, not current settings), POC/Location list-table column
bugs fixed (admin setting was being silently ignored), QR display fixed to match the intended
global-default-with-trusted-override design, and the Config page got a documentation pass
(title tooltips, POC settings split into its own section). None of this touches the open
items below, but anyone picking those up should know the sync layer underneath them is in a
meaningfully different (and better-understood) state now. Full incident log:
`PROJECT__AE_Events_PressMgmt_Config_Cleanup.md`.

### Session POC (Champion/Moderator) — `session_view.svelte`

**Root cause of visible bugs:** The POC section is placed *below* the session hero card as a
separate disconnected block. In the original it was part of a structured `<ul>` with the session
name, code, datetime, location, and description all together. The current layout looks and feels
wrong to users.

- [x] **[Pres Mgmt] POC section — move inside session hero card** (2026-06-12)
  Restructured hero card as a `<ul>` with datetime, room, and POC as rows inside the card.
  Session name and code are now always visible (not just in edit_mode — that was a bug).

- [x] **[Pres Mgmt] POC assignment — "Select Person" flow broken** (2026-06-12)
  Gated the select editor on `person_options_loaded` (`Object.keys($slct.person_obj_kv).length > 0`).
  "Select Person" button renders as "Reload Person" after list is loaded.

- [x] **[Pres Mgmt] Email Session POC sign-in link — UI missing** (2026-06-12)
  Restored email button in POC row with `sending/sent/error` state feedback.
  Shown when `require__session_agree && show__email_access_link && poc_person_primary_email`.

- [x] **[Pres Mgmt] Copy Session POC access link — UI missing from session view** (2026-06-12)
  Restored inline `MyClipboard` copy button in POC row for trusted staff.
  Shown when `show__copy_access_link && trusted_access && poc_sign_in_url`.

### Presenter Sign-In

- [x] **[Pres Mgmt] Presenter email sign-in link routes to wrong page** (fixed 2026-06-12,
  commit `e05602b87`; verified 2026-06-16) `email_sign_in__event_presenter()` now builds a URL
  to `/session/[session_id]?...&presenter_id=...&presentation_id=...` instead of `/presenter/[id]`
  — confirmed in `ae_events__event_presenter.ts`. Verified `sign_in_out.svelte` (mounted on the
  session page) reads `presenter_id`/`presentation_id` from the URL and grants presenter-level
  auth via `auth__kv.presenter`/`auth__kv.presentation`, not just session read access.

- [ ] **[Pres Mgmt] Presenter agreement not enforced before file upload** (verified still open,
  2026-06-16) `presenter_is_authed` in `presenter/[presenter_id]/+page.svelte` — the gate used
  everywhere the upload UI is shown (`Comp_event_files_upload`, `Element_manage_event_file_li_wrap`)
  — only checks sign-in state (`auth__kv.presenter`/`auth__kv.session`/person match). It has no
  dependency on `.agree` at all. `require__presenter_agree` (`pres_mgmt_loc.current`) is read in
  exactly one place (`presenter_page_menu.svelte`) to decide whether to *show* the Agreed/Not
  Agreed button — it never blocks anything. A presenter who signs in but has not agreed can still
  see and use the upload section when this setting is on. Confirmed `ae_comp__event_files_upload.svelte`
  has no internal agreement check either — there is no enforcement anywhere in the chain.
  Fix: gate the upload sections (and ideally `allow_basic`/`allow_moderator` on the file list too)
  on `!pres_mgmt_loc.current.require__presenter_agree || $lq__auth__event_presenter_obj?.agree`
  in addition to `presenter_is_authed`.

### Session POC Sign-In

- [x] **[Pres Mgmt] `session_page_menu.svelte` sign-in prop** (verified correct, 2026-06-16)
  `event_session_id={$lq__event_session_obj?.event_session_id}` — confirmed this is the real
  session ID from the loaded session object, not the raw URL param. The sign-in component's
  separate `url_session_id` (parsed from a `session_id` query param) is intentionally a different
  thing — it's only used for the POC/Champion sign-in link shape, not the presenter flow, which
  relies on the route's own `[session_id]` path param via this prop. No bug found.

---



- [ ] **[Launcher/Electron] Wallpaper reliability (post-CMSC)**
  - [ ] Use timestamp/randomized temp filename so macOS always sees a new path.
  - [ ] Add resilient reconciliation loop or event-driven reapply on display topology changes.

---

## 🔴 Axonius DC — June 9 (Badge Printing)
**Setup/Registration:** June 8 | **Show:** June 9

- [x] **[Badges] Epson C3500 fanfold badge layout** — `badge_4x6_fanfold` layout CSS created,
  wired, and documented. First live use: Axonius Adapt DC, June 9, 2026. (2026-05-15)

### Badges follow-ups

- [ ] **[Badges] Implement review-link email delivery** — current Email Link actions only show
  placeholder alerts. Send to `event_badge.email`, never the attendee-editable `email_override`.
- [ ] **[Badges] Unify review and kiosk edit permissions** — remote review reads
  `event.mod_badges_json.edit_permissions`; print controls read template `cfg_json.controls_cfg`.
  Define precedence or consolidate them so both flows enforce one documented policy.
- [ ] **[Badges] Use template badge types in search filter** — replace the hardcoded badge-type
  list in `ae_comp__badge_search.svelte` with the active template's `badge_type_list`.

---

## 🚧 V3 CRUD Migration (Surgical Cleanup)
Finalizing the 100% adoption of V3 Standard endpoints and retirement of legacy wrappers.

- [ ] **[Core] Legacy Utility Helpers** — Refactor `ae_core_functions.ts` to use V3 helpers.
- [ ] **[Cleanup] Delete Legacy Wrappers** — Once all callsites are migrated, remove
  `src/lib/ae_api/api_get__crud_obj_id.ts` and the legacy exports from `api.ts`.

---

## 🚧 High Priority Workstreams

### [Security] Site Passcode JWT Migration

- [ ] **[Security] Verify `/authenticate_passcode` deployment** — confirm explicit role priority,
  complete role flags, `auth_type: 'passcode'`, per-role TTLs, and minimum length validation.
- [ ] **[Security] Replace local passcode comparison** — migrate
  `e_app_access_type.svelte` to server verification, JWT storage, and pending/error UI.
- [ ] **[Security] Remove client-side passcode delivery/storage** — stop caching
  `access_code_kv_json`, remove `site_access_code_kv` from auth state, and remove passcode logging.
- [ ] **[Security] Enforce passcode JWT expiry on restore** — expired passcode sessions must
  return to anonymous without affecting user-login JWT handling.

Reference: `documentation/PROJECT__AE_Site_Passcode_Security.md`.

### [Stores] Svelte 4 → Svelte 5 State Migration
The app uses `svelte-persisted-store` (coarse reactivity). Migration target: replace with Svelte 5
`PersistedState` (from `runed`) for fine-grained updates. See `PROJECT__Stores_Svelte5_Migration.md`.

- [x] **Events module — COMPLETE (2026-06-11):** `events_loc` fully retired. All 5 sub-stores
  (`badges_loc`, `leads_loc`, `pres_mgmt_loc`, `launcher_loc`, `events_auth_loc`) are on
  `PersistedState`. Unused fields also pruned from `ae_stores.ts` and `ae_idaa_stores.ts`.
- [ ] **`idaa_loc` → PersistedState** — Highest remaining priority. Root cause of the IDAA
  "Access Denied" corruption bug (`ae_loc` bootstrap writes stomp on `authenticated_access`).
  Promote `novi_*` identity fields and `archives/bb/recovery_meetings` sub-objects.
- [ ] **`ae_loc` → PersistedState** — Largest scope. Extract `auth_loc` sub-store first
  (the identity/permission fields are what get corrupted). Defer full migration until after `idaa_loc`.
- [ ] **Non-persisted writables** (`ae_sess`, `slct`, etc.) — Low priority; no coarse-reactivity problem.

### [Data Layer] IDB sorting + content version rollout
Sorting baseline is now `build_tmp_sort` (ASC chain, no `.reverse()` on tmp-sort lists).

**⚠️ Exception:** `ae_events__event.ts` and `ae_events__event_session.ts` use **legacy encoding**
(`priority ? 1 : 0`, priority=true→`'1'`). Their sort comparators must remain **descending**
until the modules are migrated to `build_tmp_sort`. `ae_events__event_presentation.ts` already
uses `build_tmp_sort` (overrides generic encoding in its `specific_processor`). See
`CLIENT__IDAA_and_customized_mods.md` → "Sort Encoding" for full table.

- [ ] **[IDB Sort] Migrate `ae_events__event.ts` to `build_tmp_sort`** — requires bumping
  `IDB_CONTENT_VERSIONS.events.event` (currently v3) and switching all event sort comparators
  to ascending. Check all pages that sort events before doing this.
- [ ] **[IDB Sort] Roll out to `ae_events__event_session`** after sort behavior review.
- [ ] **[IDB Sort] Roll out to `ae_events__event_presenter`** after sort behavior review.
- [ ] **[IDB Sort] Roll out to `ae_events__event_location`** after sort behavior review.
- [ ] **[IDB Sort] Roll out to `ae_core__person` + `ae_core__account`** after sort behavior review.
- [ ] **[IDB Version] Roll out to `db_events.ts`** (session, presenter, badge, etc.).
- [ ] **[IDB Version] Roll out to `db_core.ts`** (site_domain, person, user).

### [Journals] Journal Entry Config follow-ups
- [ ] **[Journals] Entry passcode secondary auth** — implement `passcode_hash` comparison.
- [ ] **[Journals] Quick Add/import encryption behavior** — both creation paths currently
  create plaintext entries; define the intended privacy UX and add encryption support before
  claiming that these paths honor entry E2EE.
- [ ] **[Journals] Remove decrypted-content console preview** —
  `ae_journals_decryption.ts` logs the first 30 plaintext characters after successful decryption.
  Never log private journal content.
- [ ] **[Journals] Confirm outbound email-sharing requirement** — the archived UI project listed
  this as unfinished, but no implementation exists. Confirm product/security requirements before
  creating an email workflow for private journal content.

---

## 🧪 Testing & Optimization

- [ ] **[IDAA] IDB fast-path contact search** — parse `contact_li_json` in `search__event()`.
- [ ] **[IDAA] Optimize Recovery Meetings SQL VIEW and indexes.**
- [ ] **[IDAA / Events] Audit `default_qry_str` coverage** in all other event search pages.
- [ ] **[Launcher/VLC] Linux playback investigation** — fullscreen + pause-on-end flags.

---

## ⚙️ DevOps & Backend

- [ ] **[Cleanup] Remove unused legacy API wrappers** — `create_ae_obj_crud()`,
  `get_ae_obj_id_crud()`, and `update_ae_obj_id_crud()` are still exported from `api.ts` but
  no longer called anywhere in production code. V3 migration is 100% complete. Safe to delete:
  definitions in `api.ts` (lines 109-260), `src/lib/ae_api/api_get__crud_obj_id.ts`, unused
  wrapper in `ae_core_functions.ts` (`get_site_domain_obj_from_fqdn`, `update_ae_obj_id_crud`).
- [ ] **[Backend] `event_file` — add `cfg_json` column (post-CMSC)** — The per-file display
  override currently uses a localStorage workaround (`launcher_loc.current.file_display_overrides`)
  because `event_file` has no JSON blob column. Proper fix: add `cfg_json` to the `event_file` DB
  table, expose it through the FastAPI model, then migrate the frontend back to reading/writing the
  backend field (restoring global/cross-device persistence). Frontend code is in
  `launcher_file_cont.svelte` — search for `file_display_overrides`.
- [ ] **[Backend] Re-add `Access-Control-Allow-Private-Network: true` CORS header.**
- [x] **[DevOps] Service worker `skipWaiting` + `clients.claim`** — Root cause of "users see
  old code / can't reproduce in dev testing": the SW sat in waiting state until all tabs closed.
  IDAA members leave idaa.org open all day. Fixed 2026-06-03: both calls added to
  `src/service-worker.js`. See mistake #16 in `BOOTSTRAP__AI_Agent_Quickstart.md`.
- [ ] **[DevOps] Nginx proxy buffer tuning** — Buffer settings copied from PHP guide; not
  optimal for Node.js. `proxy_busy_buffers_size` technically exceeds safe limit. Re-examine
  when enabling compression (now re-enabled) stabilizes.
- [ ] **[DevOps] Simplify Dockerfile env file selection** — Use plain `.env` instead of `BUILD_MODE`.

---

## ✅ Completed (archived)
See the full completed history in:
[documentation/archive/TODO__Agents__ARCHIVE_2026-03.md](documentation/archive/TODO__Agents__ARCHIVE_2026-03.md)
[documentation/archive/TODO__Agents__ARCHIVE_2026-04.md](documentation/archive/TODO__Agents__ARCHIVE_2026-04.md)
[documentation/archive/TODO__Agents__ARCHIVE_2026-05.md](documentation/archive/TODO__Agents__ARCHIVE_2026-05.md)
[documentation/archive/TODO__Agents__ARCHIVE_2026-06.md](documentation/archive/TODO__Agents__ARCHIVE_2026-06.md)