flaskpaste/TODO.md

# TODO

Unstructured intake buffer for ideas, issues, and observations. Items here are raw and unrefined. Actionable items should be promoted to TASKLIST.md.

---

## Ideas

- Prometheus metrics endpoint (`/metrics`) for monitoring integration
- Structured JSON logging for log aggregation compatibility
- Burn-after-read paste option
- Custom expiry header for per-paste TTL
- CLI client tool (fpaste) for easier usage
- Rate limit headers in responses (X-RateLimit-*)
- Paste compression for large text content
- Optional paste encryption with user-provided key
- ETag support for conditional requests
- HEAD method support for metadata without body
- Paste listing for authenticated users (their own pastes only)

## Observations

- Current abuse prevention uses content-hash; IP-based limiting delegated to proxy
- SQLite WAL mode could improve concurrent read performance
- Container image size could be reduced with multi-stage build
- Test coverage could include more edge cases for MIME detection

## Questions

- Should expired paste cleanup run in-process or via external cron?
- Is SQLite sufficient for anticipated load, or plan for PostgreSQL?
- Should burn-after-read pastes show in metadata before burn?
- Password-protected pastes: derive key from password or store hash?

## Debt

- Dedup feature changes pending commit
- Documentation could include more deployment examples
- No integration tests for container deployment
- Missing test for concurrent paste creation

## External Dependencies

- Consider adding `python-magic` for better MIME detection (currently magic bytes only)
- Evaluate `structlog` for structured logging when implemented
- Look into `prometheus-flask-exporter` for metrics

---

*Review weekly. Promote actionable items to TASKLIST.md. Archive or delete stale items.*