# Task Management — Accessible Video Processing Platform

## Task Tracking

Tasks are tracked in conversation context and in the plan file at `~/.claude/plans/`. No external task tracker (Linear, Jira) is configured for this project.

---

## Task Conventions

| Convention | Rule |
|-----------|------|
| Status | `pending` → `in_progress` → `completed` |
| Naming | Imperative verb phrase: "Fix login rate-limit bypass" |
| Owner | Assigned agent or person |
| Blocking | Security/data-loss tasks block all others |

---

## Active Work (as of 2026-04-29)

### Immediate Priority (Security Blockers)

| # | Task | File | Effort |
|---|------|------|--------|
| S-01 | Remove login endpoint from rate-limit bypass | `rate_limiting.py:165` | S |
| S-02 | Add refresh token type check in `get_current_user` | `dependencies.py:23` | S |
| S-03 | Generic exception message in refresh endpoint | `routes_auth.py:319` | S |
| S-04 | Replace `requests` with `httpx.AsyncClient` in Microsoft SSO | `microsoft_auth.py:59,91` | M |
| S-04b | Remove default admin password fallback | `seed.py:37` | S |

### Quality / Tech Debt

| # | Task | File | Effort |
|---|------|------|--------|
| Q-01 | Extract `broadcast_status_update()` to `tasks/utils.py` | `ingest_and_ai.py`, `translate_and_synthesize.py` | S |
| Q-02 | Fix `cache_key` scope bug in `authz.py:71` | `authz.py` | S |
| Q-03 | Replace all `print()` with `logger.debug()` in auth routes | `routes_auth.py` | S |
| Q-04 | Replace `asyncio.get_event_loop()` with `asyncio.get_running_loop()` in `gcs.py` | `services/gcs.py` | S |
| Q-05 | Fix MongoDB connection-per-login in auth routes | `routes_auth.py:44` | M |

### Test Coverage (Priority ≥15)

| # | Task | Target | Effort |
|---|------|--------|--------|
| T-01 | Create `backend/tests/conftest.py` with shared fixtures | All backend tests | M |
| T-02 | Write RBAC unit tests for `authz.py` | `core/authz.py` | M |
| T-03 | Write job state machine unit + integration tests | `tasks/ingest_and_ai.py` | L |
| T-04 | Write audit logger unit tests | `services/audit_logger.py` | M |
| T-05 | Write glossary hybrid retrieval unit tests | `services/glossary_service.py` | M |
| T-06 | Implement Playwright auth fixture, un-skip E2E tests | `tests/helpers/auth.ts` | L |

---

## Backlog (Deferred)

| # | Task | Priority | Notes |
|---|------|---------|-------|
| B-01 | Add `pip-audit` + `npm audit` to CI | LOW | CI exists, no security scan step |
| B-02 | Fix 53 B904 exception chain warnings (ruff) | LOW | `raise X from err` pattern |
| B-03 | Fix 33 ESLint errors (mostly `no-explicit-any`) | LOW | No security impact |
| B-04 | Fix B023 loop closure bug in translate_and_synthesize | MEDIUM | Safe in practice but violates best practices |
| B-05 | Add nonce validation in Microsoft SSO | INFO | Replay protection |
| B-06 | Validate `X-Forwarded-For` against trusted proxy list | MEDIUM | Rate limit bypass risk |
| B-07 | Enable mypy in CI (run in Docker) | MEDIUM | Currently not in CI pipeline |
| B-08 | VTT version control E2E tests | MEDIUM | Playwright spec needed |
| B-09 | WebSocket reconnect unit tests | MEDIUM | `useJobStatusWebSocket.ts` stale closure |

---

## Maintenance

**Update triggers:** Task completed, new task identified, priority changed.

**Verification:** Security blockers (S-01 through S-04b) are resolved before next production deploy.