OSIT-AE-App-Svelte/documentation/AGENT_TODO.md

Frontend Agent Task List

Use this file to track steps for complex features or bug fixes. Status: 🔴 Sev-1 Security Incident Recovery / Stabilized.

📋 Active Task: Post-Incident Security Recovery

• Step 1: Conduct full audit of PUBLIC_AE_API_SECRET_KEY usage. Determine if it can be moved to server-side only.
• Step 2: Replace simulation tests (tests/verify_jwt_logic.js) with real Playwright integration tests hitting the local dev API.
• Step 3: Implement formal error boundaries for 403/401 API responses to provide user-friendly "Session Expired" or "Access Denied" UI.

🚧 Upcoming High Priority

• CRUD v2 Refactor: Finalize retirement of Element_ae_crud_v2.svelte in favor of V3 Editor.
• Temp Cleanup: Auto-removal of native .tmp files older than 24h.

✅ Completed Recently

• [API] V3 Lookup System Integration: Implemented standardized /v3/lookup/ endpoints for Countries, Subdivisions, and Time Zones. Added support for only_priority filtering in IDAA editors.
• [UI] Events Launcher Location Fix: Resolved room select list issues by ensuring all enabled/hidden locations are proactively loaded and synced.
• [API] Event File V3 Mapping: Implemented inc_hosted_file support and mapped prefixed backend fields (hosted_file_hash_sha256, etc.) to flat properties.
• [UI] Badge Rendering Fix: Refactored badge_template lookup to use V3 Triple ID pattern.
• [API] event_session Search Fix: Resolved 400 error (Unauthorized search field 'account_id') via backend update.
• [Security] Purged redundant x-aether-api-token from frontend and notified backend.
• [Security] Fixed misplaced Access-Control-Allow-Origin request headers.
• [Security] Implemented "Account ID Scavenging" to fix hydration race conditions.
• [API] Unified all CRUD helpers to standard V3 /v3/crud/... paths.
• [Framework] Implemented AE_Obj_Field_Editor_V3 with Svelte 5 Runes.
• [IDAA] Verify Bulletin Board and Recovery Meetings functionality.