From 9433acb78747fb341d4e130b156811d50b18f3cc Mon Sep 17 00:00:00 2001 From: jester Date: Thu, 30 Apr 2026 19:28:09 +0000 Subject: [PATCH] Update Portal open items after repo hardening pass --- Codex/Portal/OPEN_ITEMS.md | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/Codex/Portal/OPEN_ITEMS.md b/Codex/Portal/OPEN_ITEMS.md index cb15865..83b94ef 100644 --- a/Codex/Portal/OPEN_ITEMS.md +++ b/Codex/Portal/OPEN_ITEMS.md 
@@ -3,10 +3,21 @@ Only keep unfinished Portal work here. ## Active +- Verify Portal compatibility after the API control-plane hardening pass: + - login / refresh / `/api/auth/me` + - hosted IDE token and hosted URL entry flow + - server list/status polling + - server create flow + - user-safe server delete flow via `DELETE /api/servers/{id}` + - billing checkout/portal/upgrade/downgrade flows + - backup/restore/file/console flows that depend on owned server access +- Audit Portal API-client exports and usage for admin/internal endpoints after API route classification: + - `listAuditLogs()` must not be reachable from normal user UI unless an admin surface and admin auth model are intentionally implemented. + - `listInstances()` must not be used as a normal customer server-list path if `/api/instances` is now admin/internal-only or otherwise restricted. + - remove or quarantine unused admin/internal helpers rather than carrying accidental public-client affordances. - Verify CPU/network metrics on live DEV and GAME servers after the frontend metrics normalizer change; if values still do not update, investigate API/agent metrics collection or rate calculation. - Portal-owned email notification preferences/status UX once the API contract exists. - checkpoint-specific backup metadata presentation once the API sends the final fields. -- verify Portal compatibility against API-side JWT/auth hardening, especially login refresh and hosted IDE entry flow after token tightening. ## Cleanup / consolidation priorities - fold repeated API-client/status-polling patterns and shared state-mapping logic where behavior is already the same 
@@ -47,6 +58,7 @@ Only keep unfinished Portal work here. - public marketing/auth/dashboard mobile responsiveness pass is no longer a from-zero open item - mobile public nav/menu behavior has been fixed with a working mobile menu and corrected desktop breakpoint - SSH config snippet for power users has been moved to Phase 2 / platform future rather than active launch Portal work +- stray root binary `testdameon` is not present in the current Portal root listing and is no longer tracked as an active Portal cleanup item ## Cleanup rule - prefer behavior-preserving folding over broad refactors @@ -55,15 +67,12 @@ Only keep unfinished Portal work here. - reduce page-local duplication before introducing new abstractions - treat runtime/tooling cleanup as contract-sensitive once it touches auth, API integration, or user-visible route behavior -## Repo cleanup -- confirm whether stray root binary `testdameon` still exists in the Portal repo; remove only if still present. - ## Verify before re-opening - restore accepted -> status polling -> completion UX - backup metadata rendering, including checkpoint-aware presentation - console reconnect/state behavior during restart/restore transitions - server management flows that share action/polling/toast logic -- login/refresh/hosted-IDE flows after API token tightening +- login/refresh/hosted-IDE flows after API token tightening or route-boundary changes - marketing CTA routing and SEO page internal links after public-site refresh - mobile behavior at 375px, 390px, 768px, and desktop widths after future UI changes - live CPU/network metric movement for DEV and GAME servers once API/agent metrics are confirmed healthy 
@@ -71,4 +80,5 @@ Only keep unfinished Portal work here. ## Not Portal-owned - agent-local backup implementation details. - API transport semantics. +- API route authorization enforcement, except for Portal compatibility validation and avoiding admin/internal route usage from browser code. - PBS / infra backup strategy.
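
Review bot: In the first hunk (@@ -3,10 +3,21 @@), the `listInstances()` bullet is conditional ("if `/api/instances` is now admin/internal-only or otherwise restricted"), so the item cannot be closed from this file alone. Record the route's actual classification, or point to where the API route classification is documented, so the audit has a definite pass/fail condition. The verification list above it also names flows without saying what counts as verified; for the ownership-dependent entries (`DELETE /api/servers/{id}` and the backup/restore/file/console flows), state the expected result for a server the caller does not own as well as for one it does.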
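
Review bot: In the second hunk (@@ -47,6 +58,7 @@), `testdameon` is closed out on the basis that it is "not present in the current Portal root listing", which only covers the root of the current tree. For a stray binary, note whether other directories and the git history were checked and whether anyone identified what the file was; if that was not done, keep a short follow-up rather than marking it as no longer tracked.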
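
Review bot: In the third hunk (@@ -55,15 +67,12 @@), "or route-boundary changes" is added only to the login/refresh/hosted-IDE line under "Verify before re-opening", while the new Active item in the first hunk lists server delete, billing, and backup/restore/file/console flows as also depending on the hardening pass. Add the same trigger to "server management flows that share action/polling/toast logic" and to the restore entry, or add one line saying that route-boundary changes re-open every flow in that list.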
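
Review bot: In the last hunk (@@ -71,4 +80,5 @@), the new "Not Portal-owned" bullet carries two Portal-owned exceptions inside it, which blurs the ownership line. Consider splitting it into two sentences: the API is the enforcement point for route authorization, and Portal owns compatibility validation plus keeping admin/internal calls out of browser code, so that removing a client helper is not read as the access control.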