API — Decisions

Settled

API is the heartbeat authority by polling agents.
Agent does not push heartbeat/state into API.
Semantic readiness uses /ready, not plain HTTP 200.
Portal should consume API-normalized state, not call agents directly for normal state/actions.
streaming upload proxy behavior should remain separate from generic non-streaming agentClient.js transport.
websocket console proxy behavior should remain separate from generic non-streaming agentClient.js transport.
API is now tracked on a Node 24 baseline with repo-local version pinning.
built-in global fetch is the intended fetch implementation; direct node-fetch dependency is no longer the preferred pattern.
duplicated game file proxy behavior should be folded into shared helper paths while preserving compatibility for both canonical and compatibility routes.
Prisma config should live in dedicated Prisma config, not deprecated package.json#prisma config.
JWT verification hardening is allowed to be contract-sensitive; access, refresh, and IDE proxy tokens may use distinct audience expectations.
hosted IDE proxy cookies should default to hardened behavior appropriate for public HTTPS deployments.
proxy logging should avoid exposing cookies or detailed forwarded-header values in routine logs.

when API work completes, remove it from OPEN_ITEMS.md
if it changes the long-lived architecture, update CURRENT_STATE.md or this file