OSIT-AE-App-Svelte/documentation/TODO__Agents.md

Frontend Agent Task List

Use this file to track steps for complex features or bug fixes. Status: 🔴 Sev-1 Security Incident Recovery / Stabilized.

📋 Active Task: Post-Incident Security Recovery

• Step 1: Conduct full audit of PUBLIC_AE_API_SECRET_KEY usage. Determine if it can be moved to server-side only.
• Step 2: Replace simulation tests (tests/verify_jwt_logic.js) with real Playwright integration tests hitting the local dev API.
• Step 3: Implement formal error boundaries for 403/401 API responses to provide user-friendly "Session Expired" or "Access Denied" UI.

🚧 Upcoming High Priority

• CRUD v2 Refactor: Finalize retirement of Element_ae_crud_v2.svelte in favor of V3 Editor.
• Temp Cleanup: Auto-removal of native .tmp files older than 24h.
• window.print() for badge print button: Wire the existing handle_print_badge() to trigger window.print(). Browser print works well across Chrome/Chromium/Firefox — no Electron needed.
• Input Field Audit: Several input fields are missing name/id attributes or data-testid. Known examples: badge override fields in ae_comp__badge_obj_view.svelte; template name input in ae_comp__badge_template_form.svelte. Matters for: accessibility, autofill, label associations, and test targeting. (For tests, use getByLabel() rather than input[value*=...] which only checks the HTML attribute, not the Svelte-bound DOM property.)

✅ Completed Recently

• [API] V3 Lookup System Integration: Implemented standardized /v3/lookup/ endpoints for Countries, Subdivisions, and Time Zones. Added support for only_priority filtering in IDAA editors.
• [UI] Events Launcher Location Fix: Resolved room select list issues by ensuring all enabled/hidden locations are proactively loaded and synced.
• [API] Event File V3 Mapping: Implemented inc_hosted_file support and mapped prefixed backend fields (hosted_file_hash_sha256, etc.) to flat properties.
• [UI] Badge Rendering Fix: Refactored badge_template lookup to use V3 Triple ID pattern.
• [API] event_session Search Fix: Resolved 400 error (Unauthorized search field 'account_id') via backend update.
• [Security] Purged redundant x-aether-api-token from frontend and notified backend.
• [Security] Fixed misplaced Access-Control-Allow-Origin request headers.
• [Security] Implemented "Account ID Scavenging" to fix hydration race conditions.
• [API] Unified all CRUD helpers to standard V3 /v3/crud/... paths.
• [Framework] Implemented AE_Obj_Field_Editor_V3 with Svelte 5 Runes.
• [IDAA] Verify Bulletin Board and Recovery Meetings functionality.
• [Badges] Multi-word fulltext search fix: Split query on whitespace, apply AND logic per word. "scott idem" now matches records containing both words. (dc0f3066)
• [Badges] Print button implemented: handle_print_badge() increments print_count, records print_first_datetime/print_last_datetime. Button has loading/done/error states. (d1ded2d4)
• [Badges] data-testid attributes added to badge view interactive elements (badge-edit-btn, badge-save-btn, badge-cancel-btn, badge-print-btn, badge-professional-title-input) for reliable test targeting.
• [Tests] Attendee badge workflow test passing: event_badge_attendee_workflow.test.ts — navigate → edit professional title → save (verify PATCH body) → print (verify count/timestamps) → return to search. (d1ded2d4)
• [Tests] All badge data integrity tests fixed: All 6 tests in event_badge_data_integrity.test.ts now pass. Root causes: (1) search mock used nested URL instead of flat /v3/crud/event_badge/search, (2) template list mock used nested URL instead of flat with for_obj_id, (3) missing _random ID fields in mock badge objects, (4) CSS input[value*=...] selector doesn’t work for Svelte-bound inputs — fixed to getByLabel(). (f5e98b8c)