remove incorrectly dated file (replaced by 2026-02-28)

2026-03-02 00:02:10 +00:00 · 2026-03-02 00:02:10 +00:00 · cce6007679
commit cce6007679
parent d06aceaab2
1 changed files with 0 additions and 154 deletions
--- a/SESSION_LOG/2026-02-23-modrinth-install-integration.md
+++ b/SESSION_LOG/2026-02-23-modrinth-install-integration.md
@ -1,154 +0,0 @@
 # 2026-02-23 — Modrinth Install + Full Mod Lifecycle
 **Type:** Foundational Architecture + Implementation
 **Status:** Full mod lifecycle complete, file browser next
 ---
 ## Completed
 ### API
 Implemented full mod lifecycle routes:
 ```
 GET    /api/game/mods/search?q=&vmid=
 GET    /api/game/servers/:id/mods
 POST   /api/game/servers/:id/mods/install
 PATCH  /api/game/servers/:id/mods/:modId
 DELETE /api/game/servers/:id/mods/:modId
 ```
 All routes:
 - `requireAuth`
 - Enforce container ownership
 - Enforce `ctype === "game"`
 - Forward to agent with timeout + `502`/`504` mapping
 ### Resolver
 - Loader normalization fixed (`neoforge` / `fabric` / `forge` / `quilt`)
 - `.jar`-only enforcement
 - Host allowlist: `cdn.modrinth.com`
 - Publish-date safe sorting
 - SHA512 preferred (fallback to SHA1)
 ### Agent
 Mod install flow:
 - Accepts direct Modrinth artifact URL
 - Validates:
  - HTTPS only
  - Allowed host (`cdn.modrinth.com`, `artifacts.zerolaghub.com`)
  - Max size 200MB
  - SHA256 hash
 - Writes to `<serverRoot>/mods`
 - Enables via filename convention
 - Soft delete moves to `<serverRoot>/mods-removed`
 - Enable/disable via rename: `.jar` ↔ `.jar.disabled`
 ### Frontend
 - Mod search drawer implemented
 - Installed mods panel implemented
 - Installed flag merged into search results (heuristic matching)
 - Install button functional
 - Enable / disable functional
 - Delete functional
 - Toast notifications added
 ---
 ## Current System Behavior
 Filesystem is source of truth.
 No database persistence for:
 - Mod install history
 - Modrinth project ID mapping
 Installed matching is heuristic based on:
 - Slug
 - Filename
 - Name
 Soft delete retains file permanently in `/mods-removed`. No retention policy implemented (intentional).
 ---
 ## Known Architectural Tradeoffs
 - No deterministic Modrinth project ID persistence yet
 - Installed detection is best-effort heuristic
 - No install queue
 - No auto-update logic
 ---
 ## Security Controls In Place
 **Agent level:**
 - HTTPS-only downloads
 - Host allowlist enforcement
 - Redirect limit (max 3)
 - 200MB hard cap
 - SHA256 verification
 - Filename sanitization (`[a-zA-Z0-9._+-]` — `+` added for Modrinth filenames)
 - Duplicate prevention
 - Ownership enforcement (`minecraft:minecraft`)
 - Temp file cleanup on failure
 - Controlled mod directory write path
 - Cache invalidation after every mutation
 **API level:**
 - Auth + ownership enforcement
 - VMID validation
 - Timeout protection with `AbortController`
 - Resolver filtering (loader + version + stability)
 - Correct payload contract to agent
 ---
 ## Payload Contract (API → Agent)
 ```json
 {
  "source": "modrinth",
  "download_url": "...",
  "filename": "...",
  "sha512": "..."
 }
 ```
 Engine metadata format (corrected this session):
 ```
 engineType    = "neoforge"   (not "minecraft")
 engineVersion = "1.21.4"     (not "neoforge-1.21.4")
 ```
 ---
 ## Remaining Issues
 ### Response Corruption (Needs Verification)
 One early `curl` output appeared corrupted. Reproduce before wiring portal:
 ```bash
 curl -sS -D headers.txt -o body.txt ...
 ```
 ### API Error Mapping Refinement
 - `"mod already exists"` should return `409` (currently `502`)
 ---
 ## Next Steps
 1. Reproduce and resolve response corruption issue
 2. Tighten API error mapping (`409` for duplicate)
 3. Wire install endpoint to portal UI
 4. Begin file browser (see `OPEN_THREADS.md`)