Align API current state with local code

Codex/API/CURRENT_STATE.md

@@ -26,13 +26,30 @@ This file records what is believed to be implemented now.
   - `POST /api/game/servers/:id/backups`
   - `POST /api/game/servers/:id/backups/restore?id=<backup_id>`
   - `DELETE /api/game/servers/:id/backups/:backupId`
-- API preserves useful agent semantics such as `404`, `409`, and readiness-oriented failures where possible.
+- API forwards agent HTTP status codes for backup responses.
+- Successful backup responses currently pass through the agent body.
+- Non-OK backup responses currently use the shared agent response envelope: `{ error: <fallback>, details: <agent_body> }`.
+- Backup response shape normalization remains open.
 
 ## Agent contract alignment already done
 - `/start`, `/stop`, `/restart` forwarded as POST.
 - `/console/command` forwarded as POST JSON.
 - `/ready` is part of poller/readiness logic.
 
+## Billing / auth lifecycle
+- API issues access tokens and refresh tokens.
+- Password reset tokens are stored hashed and exchanged through API routes.
+- Stripe billing routes cover checkout, upgrade, downgrade, portal, and current billing state.
+- Stripe webhooks are mounted with raw body parsing before normal JSON middleware.
+- Billing scheduler starts in-process and performs limited reminder/reconciliation work.
+- Admin users are billing-exempt in billing flows.
+
+## Hosted IDE proxy
+- `POST /api/dev/:id/ide-token` issues short-lived IDE proxy tokens.
+- IDE proxy supports both tunnel paths under `/__ide/:id` and hosted `dev-<vmid>.<suffix>` hosts.
+- Hosted IDE tokens can be delivered by query parameter and then persisted as the IDE proxy cookie.
+- Hosted URL return is controlled by `DEV_IDE_RETURN_HOSTED_URL`.
+
 ## Still true
 - websocket console proxy wiring remains outside `agentClient.js`
 - raw streaming upload proxy behavior remains outside `agentClient.js`