OSIT-AE-App-Svelte/documentation/TODO__Agents.md

# Frontend Agent Task List
> Use this file to track steps for complex features or bug fixes.
> **Status:** <20> Stable — ongoing development.

## 📋 Open: Security
- [x] **PUBLIC_AE_API_SECRET_KEY Audit:** Completed 2026-03-11. Key is `PUBLIC_*` by design (always in client bundle). Highest-risk anonymous path now uses limited-permission `PUBLIC_AE_BOOTSTRAP_KEY`. Full server-side migration would require a major API proxy refactor — not justified given JWT + account_id auth layers. `manifest.webmanifest/+server.ts` is a minor cleanup candidate (could use bootstrap key instead), but no security urgency. Current state is acceptable.

## 🚧 Upcoming High Priority

### [Stores] Refactor — ae_stores.ts and ae_events_stores.ts cleanup
Both files have grown organically and are messy. Refactor goals:
- Split into focused files per domain (core, user/auth, files, module-specific)
- Remove dead/commented-out code and stale `ver`/`ver_idb` constants from data structs (replaced by `__version` in store_versions.ts)
- Standardize field naming conventions
- Move sponsorships/stripe Stripe button IDs out of session store and into config
- Keep `ae_stores.ts` and `ae_events_stores.ts` as barrel re-exports for backwards compatibility
Related: `src/lib/stores/store_versions.ts` is the new home for version constants.

### [Launcher] Active features (identified 2026-03-06)

- [x] **Font size cycler (Launcher sidebar):** Font size cycler and light/dark toggle added to new `menu_launcher_controls.svelte` component; wired into `launcher_menu.svelte`. Visibility toggles (All Files / All Sessions) moved to same component and restyled to `preset-tonal-tertiary`. (2026-03-11)

- [x] **Minor Svelte warning:** `slct_event_location_id` in `menu_location_list.svelte` — prop already has `$bindable(null)`; stale comment in file updated. (2026-03-11)

### [Svelte] State reference warnings
- **42 `state_referenced_locally` warnings remain** in `recovery_meetings/ae_idaa_comp__event_obj_id_edit.svelte` and `..._v2.svelte`. Same pattern as the 10 fixed on 2026-03-09 — move reactive reads into `onMount`.

### [Badges] Remaining badge work before first live event
- **Badge print controls UX polish:** Scott has improvements in mind — TBD next session.
  File: `ae_comp__badge_print_controls.svelte`.

### [Leads] Exhibitor Lead Scanning — NEXT MAJOR FEATURE
QR code scan at exhibitor booth → capture attendee badge data. Gated by `allow_tracking` on
the badge. Check if `documentation/MODULE__AE_Events_Leads.md` exists for full spec.
Key questions before starting: which routes, does the Electron app scan, what does the
lead record look like in the DB?

### [DevOps] Remaining deployment items
- [x] **Wire AE_APP_REPLICAS:** `docker-compose.yml` line 147 already has `scale: ${AE_APP_REPLICAS:-1}`. (verified 2026-03-11)
- [x] **Archive ae_env_node_app:** Archived as tar.gz under `~/OSIT_dev/backups/`; old history/docs moved to `~/OSIT_dev/for_reference_only/`. (2026-03-11)
- [x] **Build Optimization:** Current state finalized. Local Gitea instance stood up at `git.dgrzone.com` (Docker, home server) — future: migrate repos from Bitbucket, verify Backblaze/restic backups cover Gitea data. (2026-03-11)


### [General]
- [x] **Temp Cleanup:** `cleanup_tmp_files` wired in `launcher_background_sync.svelte`; called at launcher startup. Confirmed working. (2026-03-11)
- **`window.print()` for badge print button:** Wire the existing `handle_print_badge()` to trigger `window.print()`. Browser print works well across Chrome/Chromium/Firefox — no Electron needed.
- **Input Field Audit:** Several input fields are missing `name`/`id` attributes or `data-testid`. Known examples: badge override fields in `ae_comp__badge_obj_view.svelte`; template name input in `ae_comp__badge_template_form.svelte`. Matters for: accessibility, autofill, label associations, and test targeting. (For tests, use `getByLabel()` rather than `input[value*=...]` which only checks the HTML attribute, not the Svelte-bound DOM property.)

### [UX] Session Expired & Access Denied (identified 2026-03-10)

Two related UX gaps to handle together:

**1. Session Expired banner (API 401/403 mid-session):**
- `flag_expired` in root `+layout.svelte` is declared but never set — it was always intended for this
- Add a small writable store or custom event (e.g., `ae_auth_error` in `ae_stores`) that API helpers (`api_get_object.ts`, `api_post_object.ts`, `api_patch_object.ts`) can fire when they get a 401 or 403
- Root layout watches the store and sets `flag_expired = true`
- Render a non-blocking dismissible banner (not full-screen): "Session expired. Please sign in again." with a link to the sign-in control
- Especially relevant for Launcher (event staff on tablets may not notice silent failures)

**2. Standardize Access Denied UI (non-IDAA routes only — IDAA layout is intentionally custom):**
- Currently inconsistent across the app:
  - Root layout: full-screen `flag_denied` (site access key gate — keep this, it's correct)
  - `/core` layout: silent redirect to home — should show a brief message instead
  - `/events/[event_id]/settings`: inline raw text string — should use a consistent banner component
  - `/events/.../badges/.../review`: inline `<h3>Access Denied</h3>` with no context or action
- Create a reusable `element_access_denied.svelte` component (small: icon + message + optional action button)
- Swap the ad-hoc patterns to use it consistently

## ✅ Completed (2026-03)
- [x] **[Build]** Rollup/Vite circular dependency warnings eliminated — `manualChunks` in `vite.config.ts` colocates all `svelte/*` internals into a single `svelte-vendor` chunk, preventing `runtime.js` / `index-client.js` split (~35 warnings gone). (2026-03-11)
- [x] **[Refactor]** `try_cache` audit + sponsorship/event_file/hosted_file SWR alignment — removed vestigial `try_cache` params from `generate_qr_code`, `ae_core_functions` wrappers; added SWR fast/slow path to sponsorship loaders; changed `event_file` and `hosted_file` single-object loader defaults from `false` → `true` for consistency. (2026-03-11)
- [x] **[DevOps]** Frontend + Backend unified into single `aether_container_env` Docker Compose. `ae_app` service live with healthcheck, single exposed port (`AE_APP_NODE_PORT`), internal `ae_api` networking. Deploy scripts in `package.json` both target `../aether_container_env/docker-compose.yml`. (2026-03-10)
- [x] **[DevOps]** `/health` endpoint live at `src/routes/health/+server.ts`. Docker `HEALTHCHECK` uses it. (2026-03-10)
- [x] **[UI]** Dark mode `color-scheme` fix — `html.dark/light { color-scheme }` in `app.css`; all native browser controls now sync to app dark mode. (2026-03-10)
- [x] **[Launcher]** Location select → session auto-load bug fixed via `$derived.by()` liveQuery pattern. (2026-03-10)
- [x] **[Svelte]** `state_referenced_locally` warning fixes — 10 warnings resolved in IDAA archives/BB. (2026-03-09)
- [x] **[TypeScript]** Sign In/Out TS errors fixed — `user_id` / `person_id` typed as `string | null`. (2026-03-09)
- [x] **[Tests]** All badge data integrity and attendee workflow Playwright tests passing. Root causes documented in `tests/README.md`. (2026-03)
- [x] **[Badges]** Badge print controls panel, QR code, duplex wiring, review form, print button, multi-word fulltext search, `data-testid` attributes. (2026-03)
- [x] **[UI]** Firefly Theme + Pres Mgmt Visual Redesign (5 files). (2026-03-06)
- [x] **[Docs]** UI Style Guidelines + Component Patterns docs created. (2026-03-06)
- [x] **[API]** V3 Lookup system integration; Event File V3 mapping; `event_session` search 400-error fix. (2026-02/03)
- [x] **[API]** All CRUD helpers on V3 `/v3/crud/...` paths. (2026-02)
- [x] **[Security]** Purged `x-aether-api-token`; fixed misplaced CORS headers; Account ID Scavenging. (2026-02)
- [x] **[Security]** Playwright integration tests replace `verify_jwt_logic.js` simulation tests. (2026-03)
- [x] **[Framework]** `AE_Obj_Field_Editor_V3` with Svelte 5 Runes. CRUD v2 fully retired. (2026-03-05)
- [x] **[IDAA]** Bulletin Board and Recovery Meetings functionality verified. (2026-02)