video-accessibility/docs/tasks/README.md

# Task Management — Accessible Video Processing Platform

<!-- SCOPE: tasks | owner: ln-130 | generated: 2026-04-29 -->

## Task Tracking

Tasks are tracked in conversation context and in the plan file at `~/.claude/plans/`. No external task tracker (Linear, Jira) is configured for this project.

---

## Task Conventions

| Convention | Rule |
|-----------|------|
| Status | `pending` → `in_progress` → `completed` |
| Naming | Imperative verb phrase: "Fix login rate-limit bypass" |
| Owner | Assigned agent or person |
| Blocking | Security/data-loss tasks block all others |

---

## Active Work (as of 2026-04-29)

### Immediate Priority (Security Blockers)

| # | Task | File | Effort |
|---|------|------|--------|
| S-01 | Remove login endpoint from rate-limit bypass | `rate_limiting.py:165` | S |
| S-02 | Add refresh token type check in `get_current_user` | `dependencies.py:23` | S |
| S-03 | Generic exception message in refresh endpoint | `routes_auth.py:319` | S |
| S-04 | Replace `requests` with `httpx.AsyncClient` in Microsoft SSO | `microsoft_auth.py:59,91` | M |
| S-04b | Remove default admin password fallback | `seed.py:37` | S |

### Quality / Tech Debt

| # | Task | File | Effort |
|---|------|------|--------|
| Q-01 | Extract `broadcast_status_update()` to `tasks/utils.py` | `ingest_and_ai.py`, `translate_and_synthesize.py` | S |
| Q-02 | Fix `cache_key` scope bug in `authz.py:71` | `authz.py` | S |
| Q-03 | Replace all `print()` with `logger.debug()` in auth routes | `routes_auth.py` | S |
| Q-04 | Replace `asyncio.get_event_loop()` with `asyncio.get_running_loop()` in `gcs.py` | `services/gcs.py` | S |
| Q-05 | Fix MongoDB connection-per-login in auth routes | `routes_auth.py:44` | M |

### Test Coverage (Priority ≥15)

| # | Task | Target | Effort |
|---|------|--------|--------|
| T-01 | Create `backend/tests/conftest.py` with shared fixtures | All backend tests | M |
| T-02 | Write RBAC unit tests for `authz.py` | `core/authz.py` | M |
| T-03 | Write job state machine unit + integration tests | `tasks/ingest_and_ai.py` | L |
| T-04 | Write audit logger unit tests | `services/audit_logger.py` | M |
| T-05 | Write glossary hybrid retrieval unit tests | `services/glossary_service.py` | M |
| T-06 | Implement Playwright auth fixture, un-skip E2E tests | `tests/helpers/auth.ts` | L |

---

## Backlog (Deferred)

| # | Task | Priority | Notes |
|---|------|---------|-------|
| B-01 | Add `pip-audit` + `npm audit` to CI | LOW | CI exists, no security scan step |
| B-02 | Fix 53 B904 exception chain warnings (ruff) | LOW | `raise X from err` pattern |
| B-03 | Fix 33 ESLint errors (mostly `no-explicit-any`) | LOW | No security impact |
| B-04 | Fix B023 loop closure bug in translate_and_synthesize | MEDIUM | Safe in practice but violates best practices |
| B-05 | Add nonce validation in Microsoft SSO | INFO | Replay protection |
| B-06 | Validate `X-Forwarded-For` against trusted proxy list | MEDIUM | Rate limit bypass risk |
| B-07 | Enable mypy in CI (run in Docker) | MEDIUM | Currently not in CI pipeline |
| B-08 | VTT version control E2E tests | MEDIUM | Playwright spec needed |
| B-09 | WebSocket reconnect unit tests | MEDIUM | `useJobStatusWebSocket.ts` stale closure |

---

## Maintenance

**Update triggers:** Task completed, new task identified, priority changed.
**Verification:** Security blockers (S-01 through S-04b) are resolved before next production deploy.

<!-- END SCOPE: tasks -->