# TODO

Concrete follow-up work for Jellomator, prioritized by implementation risk and user impact.

## P0 - Security and Reliability

- [x] Add session expiry and rotation.
  - [x] Add `expires_at` and `last_seen_at` to `sessions`.
  - [x] Reject expired tokens in `current_user`.
  - [x] Rotate session token on login and periodically on use.
- [x] Harden auth endpoints.
  - [x] Add login rate limiting by IP + username pair.
  - [x] Add brute-force lockout window with clear error message.
  - [x] Add optional CSRF protection for cookie-authenticated write routes.
- [x] Fix cookie/security defaults for deployment.
  - [x] Set cookie `secure` from environment (true in production).
  - [x] Make cookie max-age configurable.
  - [x] Keep `httponly` and `samesite=lax`.
- [x] Add input and payload validation.
  - [x] Validate URL scheme for links (`http`/`https` only).
  - [x] Enforce max lengths for `name`, `category`, `description`, and `icon_url`.
  - [x] Validate uploaded icon type and max file size before reading blob.
- [x] Add health/readiness endpoints.
  - [x] `/healthz` returns `200` when process is up.
  - [x] `/readyz` checks DB query + optional write test and returns `503` on failure.

## P1 - Data Model and Backend Quality

- [x] Replace string timestamps with DB-native datetime.
  - [x] Migrate `created_at`/`updated_at` columns from `varchar` to `datetime`.
  - [x] Use UTC consistently for writes and reads.
- [x] Add display ordering support.
  - [x] Add `sort_order` column and stable ordering fallback by `name`.
  - [x] Update read query to order by `enabled desc`, `sort_order`, `name`.
- [x] Remove duplicate connection pattern in create flow.
  - [x] Use one DB transaction/connection per request path where possible.
- [x] Add backup and restore flow in admin API/UI.
  - [x] Download full export.
  - [x] Upload validated import with explicit confirmation.
  - [x] Add dry-run validation mode before apply.
- [x] Add structured logging.
  - [x] Log auth attempts, CRUD actions, and restore events with request IDs.

## P2 - UX and Product Improvements

- Replace browser `alert()` with inline form errors/toasts.
  - Show server errors near submit controls.
  - Add success toasts for create/update/delete.
- Remove forced reload in auth forms.
  - Replace `location.reload()` with state refresh only.
  - Keep SPA navigation predictable on setup/login/logout.
- Add drag-and-drop ordering in admin.
  - Persist `sort_order` updates.
  - Provide keyboard-accessible move controls as fallback.
- Add duplicate/cloning for links.
  - Pre-fill form from an existing link.
  - Save as new record with unique name validation.
- Add public read-only mode toggle.
  - Hide admin entry points and editing affordances for non-admin view.

## P3 - Nice-to-Have

- Add multi-category support with normalization.
- Add audit history timeline in admin.
- Add JSON import/export for services with icons.
- Add keyboard shortcuts for search/quick launch.
- Add Open Graph metadata and richer SEO tags.
- Add CI verification that builds container image for pull requests.