- AGENTS.md: canonical project entry point (Quick Nav, pipeline, constraints)
- docs/: complete docs tree — architecture, API spec, DB schema, infra, runbook, requirements, tech stack, principles, reference ADRs, guides, tasks backlog, testing strategy
- tests/README.md: test commands, structure, known gaps
- README.md / CLAUDE.md / DEPLOYMENT.md: updated with canonical doc links
- .archive/: backup of pre-documentation-pipeline originals
- backend/uv.lock: uv dependency lockfile
- Delete committed __pycache__ .pyc files (should have been gitignored)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Task Management — Accessible Video Processing Platform
Task Tracking
Tasks are tracked in conversation context and in the plan file at ~/.claude/plans/. No external task tracker (Linear, Jira) is configured for this project.
Task Conventions
| Convention | Rule |
|---|---|
| Status | pending → in_progress → completed |
| Naming | Imperative verb phrase: "Fix login rate-limit bypass" |
| Owner | Assigned agent or person |
| Blocking | Security/data-loss tasks block all others |
Active Work (as of 2026-04-29)
Immediate Priority (Security Blockers)
| # | Task | File | Effort |
|---|---|---|---|
| S-01 | Remove login endpoint from rate-limit bypass | rate_limiting.py:165 | S |
| S-02 | Add refresh token type check in get_current_user | dependencies.py:23 | S |
| S-03 | Generic exception message in refresh endpoint | routes_auth.py:319 | S |
| S-04 | Replace requests with httpx.AsyncClient in Microsoft SSO | microsoft_auth.py:59,91 | M |
| S-04b | Remove default admin password fallback | seed.py:37 | S |
Quality / Tech Debt
| # | Task | File | Effort |
|---|---|---|---|
| Q-01 | Extract broadcast_status_update() to tasks/utils.py | ingest_and_ai.py, translate_and_synthesize.py | S |
| Q-02 | Fix cache_key scope bug in authz.py:71 | authz.py | S |
| Q-03 | Replace all print() with logger.debug() in auth routes | routes_auth.py | S |
| Q-04 | Replace asyncio.get_event_loop() with asyncio.get_running_loop() in gcs.py | services/gcs.py | S |
| Q-05 | Fix MongoDB connection-per-login in auth routes | routes_auth.py:44 | M |
Test Coverage (Priority ≥15)
| # | Task | Target | Effort |
|---|---|---|---|
| T-01 | Create backend/tests/conftest.py with shared fixtures | All backend tests | M |
| T-02 | Write RBAC unit tests for authz.py | core/authz.py | M |
| T-03 | Write job state machine unit + integration tests | tasks/ingest_and_ai.py | L |
| T-04 | Write audit logger unit tests | services/audit_logger.py | M |
| T-05 | Write glossary hybrid retrieval unit tests | services/glossary_service.py | M |
| T-06 | Implement Playwright auth fixture, un-skip E2E tests | tests/helpers/auth.ts | L |
Backlog (Deferred)
| # | Task | Priority | Notes |
|---|---|---|---|
| B-01 | Add pip-audit + npm audit to CI | LOW | CI exists, no security scan step |
| B-02 | Fix 53 B904 exception chain warnings (ruff) | LOW | raise X from err pattern |
| B-03 | Fix 33 ESLint errors (mostly no-explicit-any) | LOW | No security impact |
| B-04 | Fix B023 loop closure bug in translate_and_synthesize | MEDIUM | Safe in practice but violates best practices |
| B-05 | Add nonce validation in Microsoft SSO | INFO | Replay protection |
| B-06 | Validate X-Forwarded-For against trusted proxy list | MEDIUM | Rate limit bypass risk |
| B-07 | Enable mypy in CI (run in Docker) | MEDIUM | Currently not in CI pipeline |
| B-08 | VTT version control E2E tests | MEDIUM | Playwright spec needed |
| B-09 | WebSocket reconnect unit tests | MEDIUM | useJobStatusWebSocket.ts stale closure |
Maintenance
Update triggers: Task completed, new task identified, priority changed.
Verification: Security blockers (S-01 through S-04b) are resolved before next production deploy.