From 1773bc89b36671956a968d4adcd0f5042815f5c4 Mon Sep 17 00:00:00 2001 From: jester Date: Sun, 19 Apr 2026 21:17:12 +0000 Subject: [PATCH] Record API Codex decisions from Node 24 modernization and hardening pass --- Codex/API/DECISIONS.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/Codex/API/DECISIONS.md b/Codex/API/DECISIONS.md index d08fd55..4c369dd 100644 --- a/Codex/API/DECISIONS.md +++ b/Codex/API/DECISIONS.md @@ -7,6 +7,13 @@ - Portal should consume API-normalized state, not call agents directly for normal state/actions. - streaming upload proxy behavior should remain separate from generic non-streaming `agentClient.js` transport. - websocket console proxy behavior should remain separate from generic non-streaming `agentClient.js` transport. +- API is now tracked on a Node 24 baseline with repo-local version pinning. +- built-in global `fetch` is the intended fetch implementation; direct `node-fetch` dependency is no longer the preferred pattern. +- duplicated game file proxy behavior should be folded into shared helper paths while preserving compatibility for both canonical and compatibility routes. +- Prisma config should live in dedicated Prisma config, not deprecated `package.json#prisma` config. +- JWT verification hardening is allowed to be contract-sensitive; access, refresh, and IDE proxy tokens may use distinct audience expectations. +- hosted IDE proxy cookies should default to hardened behavior appropriate for public HTTPS deployments. +- proxy logging should avoid exposing cookies or detailed forwarded-header values in routine logs. ## Tracking rule - when API work completes, remove it from `OPEN_ITEMS.md`
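Review bot: The added JWT bullet ("access, refresh, and IDE proxy tokens may use distinct audience expectations") records a permission rather than a decision. It does not say whether each verifier must require its own audience and reject the other token types, which is the property that keeps a refresh or IDE proxy token from being accepted where an access token is expected. Suggest wording it as a requirement and pointing to where the expected audience values are defined. The cookie bullet has the same gap: "hardened behavior appropriate for public HTTPS deployments" names no attributes, so listing the intended defaults (for example `Secure`, `HttpOnly` and a `SameSite` value) would make the decision checkable in review. The logging bullet covers cookies and forwarded-header values but leaves "routine logs" undefined and does not say whether the `Authorization` header is in scope. A short clause on both would remove the ambiguity.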