# TODO Unstructured intake buffer for ideas, issues, and observations. Items here are raw and unrefined. Actionable items should be promoted to TASKLIST.md. --- ## Ideas - Paste compression for large text content - Must mark compression in URL fragment (e.g., `#z:` or `#:z`) - Receiver needs to know content is compressed before decryption - Design: compress-then-encrypt only (not compress-only) - Compressed data has high entropy → bypasses entropy enforcement - Must enforce encryption when compression enabled (CLI-side) - Server rejects plaintext via REQUIRE_BINARY (UTF-8 detection) - ETag support for conditional requests - Neovim/Vim plugin for editor integration - Webhook notifications for paste events - Certificate renewal reminder in CLI - Admin endpoint for CA key rotation - Clipboard integration (pbcopy/xclip) ## Observations - Shell completions already implemented (`fpaste completion --shell bash/zsh/fish`) - Mypy type errors fixed: now enforced in CI (was informational) - CI enhanced: security-tests job, SBOM generation (CycloneDX), memory leak checks - Comprehensive pentest plan completed (PENTEST_PLAN.md) - all remediations implemented - PKI uses AES-256-GCM for CA private key encryption (PBKDF2 key derivation) - SHA1 fingerprints are X.509 standard, not security-relevant (usedforsecurity=False) - Revoked certificates are soft-deleted (status tracked, not removed) - CI pipeline: lint runs parallel with security, tests wait for lint - Ruff replaces flake8/isort/pyupgrade with single fast tool - Bandit configured for medium+ severity only (-ll flag) - PKI audit events now logged: CERT_ISSUED, CERT_REVOKED, AUTH_FAILURE - Request duration metrics recorded via Prometheus histogram - Memory leak tests use tracemalloc to detect leaks (CI job) - Rate limit headers (X-RateLimit-*) on both 201 and 429 responses - systemd service unit with security hardening in examples/ ## Questions - Certificate renewal: reissue with same CN or require new request? - Should revoked certs be purged after grace period? ## Resolved - Expired paste cleanup runs in-process via before_request hook (no cron needed) ## Debt - Create Ansible deployment role (Kubernetes manifests complete) ## External Dependencies - cryptography package required for PKI features (optional otherwise) - For full MIME detection, consider `filetype` library (currently text/binary only) --- *Review weekly. Promote actionable items to TASKLIST.md. Archive or delete stale items.*