diff --git a/Codex/Portal/CURRENT_STATE.md b/Codex/Portal/CURRENT_STATE.md index d032b84..7a753ab 100644 --- a/Codex/Portal/CURRENT_STATE.md +++ b/Codex/Portal/CURRENT_STATE.md @@ -1,17 +1,18 @@ # Portal - Current State -Verified against the local Portal repo after the dashboard/nav cleanup pass, fresh API and Agent repo review, server status/host lifecycle/IDE UX pass, public marketing/SEO refresh, mobile responsiveness pass, and server create/delete/status follow-up fixes. +Verified against the current Portal repo after the dashboard/nav cleanup pass, fresh API and Agent repo review, server status/host lifecycle/IDE UX pass, public marketing/SEO refresh, mobile responsiveness pass, server create/delete/status follow-up fixes, and the API control-plane hardening review. This file records what is implemented now. ## Runtime / tooling baseline -- Portal is now aligned to the Node 24 runtime line used by the API repo. -- `.nvmrc`, `package.json` engines, and `package-lock.json` are synchronized on the current Node 24 baseline. +- Portal is aligned to the Node 24 runtime line used by the API repo. +- Current `package.json` pins `engines.node` to `24.14.1`. +- Current `package.json` uses `next@16.2.4`, React 18.2, TypeScript 5, Tailwind 3.4, ESLint 9, and `eslint-config-next@16.2.4`. - Lint no longer relies on removed `next lint`; the repo uses `eslint .` with the Next 16 flat-config path. - The lint configuration has been adjusted so current project patterns lint cleanly without forcing a broad React-compiler-style refactor. -- `npm run lint` passes with only existing React hook dependency warnings. -- `npm run build` reportedly passes on Next 16.2.4 with Turbopack. -- npm audit is reported clean at moderate-or-higher severity. +- `npm run lint` has previously been reported passing with only existing React hook dependency warnings. +- `npm run build` has previously been reported passing on Next 16.2.4 with Turbopack. +- npm audit has previously been reported clean at moderate-or-higher severity. ## Repo cleanup already done - Confirmed-unused HUD wrapper components have been removed. @@ -19,6 +20,7 @@ This file records what is implemented now. - Unused `js-cookie` type shim has been removed. - Unused dependencies and Tailwind plugins have reportedly been pruned from the Portal repo. - The Portal cleanup pass reports net line-count reduction rather than growth. +- Current root listing no longer shows the previously suspected stray root binary `testdameon`. ## Public marketing / SEO site - Public marketing now follows a hybrid SaaS structure: @@ -44,13 +46,13 @@ This file records what is implemented now. - Public feature copy now presents the platform as build/test/run rather than Minecraft-only hosting. - LXC/system-container differentiator is represented carefully as avoiding Docker-style game-server overhead without unsupported benchmark claims. - The fake `zlh build --target server` hero command was removed and replaced with a real/plausible `$ npm run build` line. -- Public SEO/intent pages have been added: +- Public SEO/intent pages exist: - `/minecraft-server-hosting` - `/modded-minecraft-hosting` - `/browser-dev-environment` - Metadata has been added or refreshed for Home, Features, Pricing, FAQ, About, Support, and the three SEO landing pages. - FAQ has been expanded around platform positioning, dev environments, Minecraft, mods, datapacks, local install expectations, backups/restores, and plan limits. -- Build and lint reportedly pass after the marketing/SEO changes with the same existing unrelated warnings. +- Build and lint were previously reported passing after the marketing/SEO changes with the same existing unrelated warnings. ## Current mobile status - A targeted mobile responsiveness pass has been applied across public marketing, SEO landing pages, auth pages, server list, server create, and basic console/file/backup surfaces. @@ -123,7 +125,9 @@ This file records what is implemented now. - server deletion has been migrated from `DELETE /api/containers/{vmid}` to `DELETE /api/servers/{id}` through the normal user JWT API client. - Portal does not add or expose `INTERNAL_API_TOKEN` in browser code. - delete UX maps API responses explicitly: `202` as already in progress, `401` as login required, `404` as not owned/missing, `409` as `Stop host before deleting`, and `500` as teardown failure. -- Project cleanup has reportedly removed dead weight around unused wrappers/dependencies, but API-client/status-polling consolidation is not yet considered fully complete. +- Current browser-side API helpers still include `listAuditLogs()` and `listInstances()`; these must be treated as admin/internal-sensitive surfaces until usage is audited against the API route boundary. +- `src/lib/api/legacy.ts` still contains legacy/Pterodactyl-era helper exports and TODOs; keep them quarantined and remove only after confirming there are no live imports. +- Project cleanup has removed dead weight around unused wrappers/dependencies, but API-client/status-polling consolidation is not yet considered fully complete. ## Dashboard / IA - the dashboard spotlight server card now uses API-backed server data instead of placeholder entries. @@ -136,3 +140,4 @@ This file records what is implemented now. - Portal should track API auth / JWT behavior closely because API-side token hardening can require Portal compatibility verification. - Portal cleanup should remain behavior-preserving; build/lint green status is part of the current baseline. - Mobile responsiveness is no longer a from-zero open item, but it still needs periodic device/browser validation as UI surfaces change. +- Browser-visible code must not gain admin/internal shared secrets; admin/internal routes should stay API/server-side concerns unless a deliberate admin UI is built.