# API — Open Items

Only keep unfinished API work here.

## Active
- normalize backup response shape: define canonical success bodies for list/create/restore/delete and a stable error envelope that preserves agent details
- simplify and harden `devProxy`: reduce repeated hosted/tunnel logic, confirm cookie/security settings for production, and keep websocket/http behavior consistent
- service discovery migration: audit edge publish/DNS/Cloudflare/Technitium, Prometheus SD, dev IDE wildcard, and post-provision hot paths for direct host assumptions
- provisioning validation follow-up where API behavior is involved

## Cleanup / consolidation priorities
- fold repeated agent-forwarding patterns and shared response shaping where behavior is already the same
- fold repeated ownership/auth/IP-guard patterns into small concrete helpers without hiding route intent
- split oversized route/service files by responsibility without changing route contracts
- keep backup/restore status shaping and async-dispatch logic explicit, but remove duplicated mapping/normalization paths where possible
- keep stream-vs-JSON forwarding rules centralized in one place and avoid route-local reimplementation
- standardize repo-local Node version declaration with the current pinned platform version

## Cleanup rule
- prefer behavior-preserving folding over broad refactors
- merge repeated flows, not concepts
- keep helpers small and concrete
- reduce route-local duplication before introducing new abstractions
- treat Node/runtime/dependency upgrades as separate validation work, not part of cleanup-only changes

## Verify before re-opening
- hosted IDE token + hosted URL flow
- backup forwarding semantics
- readiness polling/cache behavior
- quota enforcement on create flow
- restore async-start contract + status polling semantics
- streamed file edit/revert forwarding through both canonical and compatibility routes

## Not API-owned
- agent-local backup implementation details
- portal-only UX/polish
- PBS / infra backup strategy