From 1e5a02dfe55e238e0fa88b5f7dd204ebe215cc12 Mon Sep 17 00:00:00 2001 From: jester Date: Thu, 30 Apr 2026 19:18:09 +0000 Subject: [PATCH] Update API open items after hardening and teardown validation --- Codex/API/OPEN_ITEMS.md | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/Codex/API/OPEN_ITEMS.md b/Codex/API/OPEN_ITEMS.md index 73451bb..992be1a 100644 --- a/Codex/API/OPEN_ITEMS.md +++ b/Codex/API/OPEN_ITEMS.md @@ -7,21 +7,27 @@ Only keep unfinished API work here. - service discovery migration: audit edge publish/DNS/Cloudflare/Technitium, Prometheus SD, dev IDE wildcard, and post-provision hot paths for direct host assumptions - provisioning validation follow-up where API behavior is involved - verify Portal compatibility after API JWT issuer/audience tightening, especially refresh flow and hosted IDE token flow +- migrate Portal delete calls to `DELETE /api/servers/:id`; `DELETE /api/containers/:vmid` currently remains as owned-user compatibility plus internal-token automation, but should return to internal-only once Portal is updated - verify canonical and compatibility file routes still behave identically across list/stat/read/download/delete/put/revert/upload paths after helper extraction - align merged live-status readiness fields so Portal-facing `agentReady` semantics fully match semantic `/ready` -- verify orphan/manual delete behavior after retirement of legacy PortPool release logic - decide whether the remaining Portal-side `/api/agent/:serverId/:action` bridge should be deleted outright or formally kept as compatibility-only Portal-owned behavior - live-verify Velocity bridge lifecycle callbacks after `ZPACK_PROXY_STATUS_ENDPOINT` is set: confirm `registered_with_proxy`, `proxy_ping_ok`, and `proxy_ping_failed` land in `ContainerInstance.payload.proxy` and surface through `GET /api/servers/:id/status` - Portal integration follow-up for host/LXC lifecycle state: consume `GET /api/servers/:id/host/status`, list-level `hostStatus` / `powerState` / `hostOperation`, and `202` host action responses for game and dev containers - remove or downgrade the temporary `MaxListenersExceededWarning` tracer in `src/app.js` after outbound Axios socket listener warnings are confirmed quiet in runtime logs - verify Proxmox node resolution against all active container ranges; recent local smoke checks showed some DB VMIDs not present in `/cluster/resources` or on the configured node +- add minimal test/CI coverage for auth boundaries and teardown behavior: + - normal users cannot reach admin-only routes + - missing internal token fails closed for internal-only routes + - owned-user delete archives then removes the active instance + - non-owner delete fails + - Stripe webhook raw-body handling remains intact ## Cleanup / consolidation priorities - fold repeated ownership/auth/IP-guard patterns into small concrete helpers without hiding route intent - split oversized route/service files by responsibility without changing route contracts - keep backup/restore status shaping and async-dispatch logic explicit, but remove duplicated mapping/normalization paths where possible - keep stream-vs-JSON forwarding rules centralized in one place and avoid route-local reimplementation -- keep archived legacy flows out of the live tree unless they are intentionally revived and revalidated against the current schema/contracts +- keep legacy flows out of the live tree unless they are intentionally revived and revalidated against the current schema/contracts ## Completed and moved out of active cleanup - Node/runtime pinning is no longer an open cleanup-only item; Node 24 pinning is now treated as current repo state @@ -29,7 +35,10 @@ Only keep unfinished API work here. - initial file-proxy route deduplication has been completed; only compatibility verification and follow-on cleanup remain open - Prisma config migration is no longer an open item - baseline proxy cookie/log hardening is no longer an open item -- worker-era provisioning and detached legacy port reservation have been archived rather than treated as active API surfaces +- worker-era provisioning and detached legacy port reservation have been removed from the live tree rather than treated as active API surfaces +- initial control-plane hardening has landed: shared admin/internal-token middleware, admin-only audit/global instance list, internal-token guards on raw control-plane routes, and fail-closed monitoring/SD token behavior outside explicit development/test +- teardown workflow has been extracted into a service and live-verified against one game VMID and one dev VMID; both archived with `reason=user_delete` and active rows were removed +- repo hygiene pass removed checked-in key/token/artifact/legacy clutter and tightened ignore rules ## Cleanup rule - prefer behavior-preserving folding over broad refactors