Update Portal open items after repo hardening pass

Codex/Portal/OPEN_ITEMS.md

@@ -3,10 +3,21 @@
 Only keep unfinished Portal work here.
 
 ## Active
+- Verify Portal compatibility after the API control-plane hardening pass:
+  - login / refresh / `/api/auth/me`
+  - hosted IDE token and hosted URL entry flow
+  - server list/status polling
+  - server create flow
+  - user-safe server delete flow via `DELETE /api/servers/{id}`
+  - billing checkout/portal/upgrade/downgrade flows
+  - backup/restore/file/console flows that depend on owned server access
+- Audit Portal API-client exports and usage for admin/internal endpoints after API route classification:
+  - `listAuditLogs()` must not be reachable from normal user UI unless an admin surface and admin auth model are intentionally implemented.
+  - `listInstances()` must not be used as a normal customer server-list path if `/api/instances` is now admin/internal-only or otherwise restricted.
+  - remove or quarantine unused admin/internal helpers rather than carrying accidental public-client affordances.
 - Verify CPU/network metrics on live DEV and GAME servers after the frontend metrics normalizer change; if values still do not update, investigate API/agent metrics collection or rate calculation.
 - Portal-owned email notification preferences/status UX once the API contract exists.
 - checkpoint-specific backup metadata presentation once the API sends the final fields.
-- verify Portal compatibility against API-side JWT/auth hardening, especially login refresh and hosted IDE entry flow after token tightening.
 
 ## Cleanup / consolidation priorities
 - fold repeated API-client/status-polling patterns and shared state-mapping logic where behavior is already the same
@@ -47,6 +58,7 @@ Only keep unfinished Portal work here.
 - public marketing/auth/dashboard mobile responsiveness pass is no longer a from-zero open item
 - mobile public nav/menu behavior has been fixed with a working mobile menu and corrected desktop breakpoint
 - SSH config snippet for power users has been moved to Phase 2 / platform future rather than active launch Portal work
+- stray root binary `testdameon` is not present in the current Portal root listing and is no longer tracked as an active Portal cleanup item
 
 ## Cleanup rule
 - prefer behavior-preserving folding over broad refactors
@@ -55,15 +67,12 @@ Only keep unfinished Portal work here.
 - reduce page-local duplication before introducing new abstractions
 - treat runtime/tooling cleanup as contract-sensitive once it touches auth, API integration, or user-visible route behavior
 
-## Repo cleanup
-- confirm whether stray root binary `testdameon` still exists in the Portal repo; remove only if still present.
-
 ## Verify before re-opening
 - restore accepted -> status polling -> completion UX
 - backup metadata rendering, including checkpoint-aware presentation
 - console reconnect/state behavior during restart/restore transitions
 - server management flows that share action/polling/toast logic
-- login/refresh/hosted-IDE flows after API token tightening
+- login/refresh/hosted-IDE flows after API token tightening or route-boundary changes
 - marketing CTA routing and SEO page internal links after public-site refresh
 - mobile behavior at 375px, 390px, 768px, and desktop widths after future UI changes
 - live CPU/network metric movement for DEV and GAME servers once API/agent metrics are confirmed healthy
@@ -71,4 +80,5 @@ Only keep unfinished Portal work here.
 ## Not Portal-owned
 - agent-local backup implementation details.
 - API transport semantics.
+- API route authorization enforcement, except for Portal compatibility validation and avoiding admin/internal route usage from browser code.
 - PBS / infra backup strategy.