## 33) Trusted proxy configuration is hardcoded in auth router - Where found: - [backend/app/routers/auth.py](backend/app/routers/auth.py#L46) - [backend/app/utils/client_ip.py](backend/app/utils/client_ip.py) - Why this is needed: - Incorrect client IP extraction can break per-IP rate limiting behind proxies. - Goal: - Move trusted proxies to validated runtime config. - What to do: - Add settings for trusted proxy IPs/CIDRs. - Validate and use these in client IP extraction. - Possible traps and issues: - Over-trusting headers can enable spoofing. - Docs changes needed: - Add reverse-proxy deployment configuration section. - Doc references: - [Docs/Instructions.md](Docs/Instructions.md) --- ## 34) Setup redirect allowlist uses broad prefix matching - Where found: - [backend/app/main.py](backend/app/main.py#L434) - Why this is needed: - Prefix-based allow rules are fragile for future route additions. - Goal: - Use exact path or route-level allow policy. - What to do: - Replace startswith matching with explicit allowlist checks. - Possible traps and issues: - API docs and setup flow paths must remain reachable. - Docs changes needed: - Add setup guard route policy documentation. - Doc references: - [backend/app/main.py](backend/app/main.py) --- ## 35) API client sends JSON and CSRF header for every request method - Where found: - [frontend/src/api/client.ts](frontend/src/api/client.ts) - Why this is needed: - Extra headers on GET increase unnecessary CORS preflights and noise. - Goal: - Apply headers by method/body requirements. - What to do: - Only set Content-Type for requests with JSON body. - Send CSRF header for mutating cookie-authenticated requests only. - Possible traps and issues: - CSRF protection assumptions must still hold for all mutating paths. - Docs changes needed: - Update frontend API client contract and CSRF notes. - Doc references: - [backend/app/middleware/csrf.py](backend/app/middleware/csrf.py) --- ## 36) Polling continues when tab is not visible - Where found: - [frontend/src/hooks/usePolledData.ts](frontend/src/hooks/usePolledData.ts#L90) - [frontend/src/hooks/useBlocklistStatus.ts](frontend/src/hooks/useBlocklistStatus.ts) - Why this is needed: - Unnecessary backend load and client resource usage in background tabs. - Goal: - Pause/reduce polling when page is hidden. - What to do: - Add visibility-aware polling strategy and optional backoff. - Possible traps and issues: - Data may appear stale immediately after tab restore if refresh is delayed. - Docs changes needed: - Add frontend polling lifecycle policy. - Doc references: - [Docs/Web-Development.md](Docs/Web-Development.md) --- ## 37) Multi-worker safety check depends on one environment variable - Where found: - [backend/app/startup.py](backend/app/startup.py#L61) - Why this is needed: - Other process managers can still launch multiple workers without this variable. - Goal: - Enforce scheduler single-executor safety regardless of launcher. - What to do: - Add robust single-run lock/leader mechanism for scheduler ownership. - Possible traps and issues: - Locking strategy must be reliable in container orchestration. - Docs changes needed: - Expand deployment constraints and supported run modes. - Doc references: - [Docs/Architekture.md](Docs/Architekture.md) --- ## 38) History archive query paths may need explicit indexing plan - Where found: - [backend/app/db.py](backend/app/db.py) - [backend/app/repositories/history_archive_repo.py](backend/app/repositories/history_archive_repo.py) - Why this is needed: - Large archive datasets can degrade filter/sort performance. - Goal: - Add indexes aligned with real query patterns. - What to do: - Benchmark common history queries. - Add migration with targeted indexes. - Possible traps and issues: - Extra indexes increase write cost and DB size. - Docs changes needed: - Add DB performance/indexing section for history. - Doc references: - [Docs/Backend-Development.md](Docs/Backend-Development.md) - https://www.sqlite.org/queryplanner.html --- ## 39) No explicit DI container strategy for backend service graph - Where found: - [backend/app/dependencies.py](backend/app/dependencies.py) - [backend/app/services](backend/app/services) - Why this is needed: - Dependency construction and lifecycle are partly implicit. - Goal: - Define a clear dependency wiring pattern for services and repositories. - What to do: - Create service composition root pattern and document usage. - Possible traps and issues: - Over-engineering if container abstraction is too heavy for current size. - Docs changes needed: - Add dependency wiring chapter. - Doc references: - [Docs/Architekture.md](Docs/Architekture.md) --- ## 40) Frontend and backend observability are not aligned - Where found: - [backend/app/main.py](backend/app/main.py) - [frontend/src](frontend/src) - Why this is needed: - Backend uses structured logging while frontend error telemetry is mostly local and ad-hoc. - Goal: - Define unified error telemetry and correlation approach. - What to do: - Introduce frontend error reporting pipeline and request correlation IDs. - Possible traps and issues: - PII/sensitive payload leakage risk in client-side telemetry. - Docs changes needed: - Add observability and privacy-safe logging guidelines. - Doc references: - [Docs/Architekture.md](Docs/Architekture.md) - [Docs/Web-Development.md](Docs/Web-Development.md)