# TODO

Unstructured intake buffer for ideas, issues, and observations. Items here are raw and unrefined. Actionable items should be promoted to TASKLIST.md.

---

## Ideas

- Rate limit headers in responses (X-RateLimit-*)
- Paste compression for large text content
- ETag support for conditional requests
- Neovim/Vim plugin for editor integration
- Webhook notifications for paste events
- Certificate renewal reminder in CLI
- Admin endpoint for CA key rotation
- Shell completions (bash, zsh, fish)
- Clipboard integration (pbcopy/xclip)

## Observations

- PKI uses AES-256-GCM for CA private key encryption, with the key derived from the passphrase via PBKDF2 (salt, iteration count and nonce have to be stored next to the ciphertext; the nonce must never repeat under the same derived key, and the iteration count should be recorded so old files can be re-wrapped when the default goes up)
- SHA-1 certificate fingerprints are the conventional X.509 display identifier, not a security control, so the hashlib calls pass usedforsecurity=False (Bandit's hashlib check and FIPS-mode builds honour it); anything that pins or trusts a certificate by fingerprint should use SHA-256 instead
- Revoked certificates are soft-deleted (status tracked, not removed), which a CRL requires: a revoked certificate has to stay listed until it expires
- CI pipeline: lint runs in parallel with security, tests wait for lint
- Ruff replaces flake8/isort/pyupgrade with a single fast tool
- Bandit configured for medium+ severity only (-ll flag)
- PKI audit events now logged: CERT_ISSUED, CERT_REVOKED, AUTH_FAILURE
- Request duration metrics recorded via Prometheus histogram
- Memory leak tests use tracemalloc to detect leaks (CI job)

## Questions

- Certificate renewal: reissue with same CN or require a new request?
- Should revoked certs be purged after a grace period? (Not before the cert's own expiry, or the CRL can no longer report it.)

## Resolved

- Expired paste cleanup runs in-process via a before_request hook (no cron needed; it runs on every request, so the sweep has to be cheap or throttled)

## Debt

- Mypy has pre-existing type errors (runs with --ignore-missing-imports)
- Could add more deployment examples (Kubernetes, systemd)

## External Dependencies

- Consider adding `python-magic` for better MIME detection (currently magic bytes only)
- cryptography package required for PKI features (optional otherwise)

---

*Review weekly. Promote actionable items to TASKLIST.md. Archive or delete stale items.*
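Worked example of the CA key wrapping scheme noted under Observations (PBKDF2 key derivation feeding AES-256-GCM). This is added editor code, not the project's PKI module: the envelope layout (magic marker, salt, iteration count, nonce, ciphertext with tag), the `CAKEY1` marker and the function names `wrap_private_key`, `unwrap_private_key` and `envelope_iterations` are assumptions made for the example. It uses hashlib for PBKDF2 and the `cryptography` package that the notes list as the PKI dependency.

```python
"""Passphrase wrapping of a CA private key: PBKDF2-HMAC-SHA256 -> AES-256-GCM.

Added illustration, not the project's PKI code. The envelope layout and the
function names are assumptions made for this example.

Envelope: MAGIC || salt(16) || iterations(4, big-endian) || nonce(12) || AES-GCM ciphertext+tag
"""
import os
import struct
from hashlib import pbkdf2_hmac

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

MAGIC = b"CAKEY1"             # hypothetical, versioned format marker
SALT_LEN = 16
NONCE_LEN = 12                # 96-bit nonce, the size GCM is specified for
TAG_LEN = 16
KEY_LEN = 32                  # AES-256
DEFAULT_ITERATIONS = 600_000  # OWASP's current floor for PBKDF2-HMAC-SHA256
HEADER_LEN = len(MAGIC) + SALT_LEN + 4 + NONCE_LEN


def derive_key(passphrase: bytes, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 -> 32-byte AES key. The salt must be unique per wrapped key."""
    return pbkdf2_hmac("sha256", passphrase, salt, iterations, dklen=KEY_LEN)


def wrap_private_key(key_pem: bytes, passphrase: bytes,
                     iterations: int = DEFAULT_ITERATIONS) -> bytes:
    """Encrypt a PEM private key under a passphrase.

    Fresh random salt and nonce on every call: a repeated nonce under the same
    derived key breaks GCM completely, so neither value may be a constant.
    """
    salt = os.urandom(SALT_LEN)
    nonce = os.urandom(NONCE_LEN)
    header = MAGIC + salt + struct.pack(">I", iterations) + nonce
    key = derive_key(passphrase, salt, iterations)
    # The header goes in as associated data, so edits to the stored salt,
    # iteration count or nonce fail the GCM tag just like edits to the ciphertext.
    ciphertext = AESGCM(key).encrypt(nonce, key_pem, header)
    return header + ciphertext


def _parse_header(blob: bytes) -> tuple:
    """Split a wrapped key into (header, salt, iterations, nonce), rejecting junk early."""
    if len(blob) < HEADER_LEN + TAG_LEN or not blob.startswith(MAGIC):
        raise ValueError("not a wrapped CA key")
    header = blob[:HEADER_LEN]
    off = len(MAGIC)
    salt = header[off:off + SALT_LEN]
    off += SALT_LEN
    (iterations,) = struct.unpack(">I", header[off:off + 4])
    off += 4
    nonce = header[off:off + NONCE_LEN]
    return header, salt, iterations, nonce


def envelope_iterations(blob: bytes) -> int:
    """Iteration count recorded in a wrapped key: lets a maintenance job find
    files wrapped under an older, weaker default and re-wrap them."""
    return _parse_header(blob)[2]


def unwrap_private_key(blob: bytes, passphrase: bytes) -> bytes:
    """Decrypt. A wrong passphrase and a modified file both surface as a bad tag."""
    header, salt, iterations, nonce = _parse_header(blob)
    key = derive_key(passphrase, salt, iterations)
    try:
        return AESGCM(key).decrypt(nonce, blob[HEADER_LEN:], header)
    except InvalidTag:
        # Don't distinguish the two cases to the caller; both mean "cannot use this key".
        raise ValueError("wrong passphrase or tampered key file") from None


if __name__ == "__main__":
    # Constructed placeholder, not a real key.
    pem = b"-----BEGIN PRIVATE KEY-----\nCONSTRUCTED PLACEHOLDER\n-----END PRIVATE KEY-----\n"
    wrapped = wrap_private_key(pem, b"correct horse battery staple")
    assert unwrap_private_key(wrapped, b"correct horse battery staple") == pem
    print("iterations recorded:", envelope_iterations(wrapped))
```

Two design points worth keeping when this is compared against the real module: the iteration count lives inside the authenticated header, so an attacker cannot quietly downgrade it to speed up an offline guess, and decryption reports one generic failure for both a wrong passphrase and a corrupted file, which is what an operator-facing CLI should print.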
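Shape of the tracemalloc leak test mentioned under Observations, as an added example and not the project's CI job. `leaky_handle` and `bounded_handle` are constructed stand-ins for a request handler: one retains every payload it sees, the other keeps a bounded window. `measure_growth`, `is_leaking` and `top_allocations` are names chosen for this example.

```python
"""Leak detection with tracemalloc: warm up, snapshot, run the workload, snapshot, compare.

Added example of the technique; the two handlers are constructed stand-ins,
not the project's code.
"""
import gc
import tracemalloc
from collections import deque

_RETAINED_FOREVER = []        # the defect: grows with every call
_RECENT = deque(maxlen=8)     # bounded: at most 8 entries alive at once


def leaky_handle(payload: bytes) -> None:
    """Stand-in for a handler that accidentally keeps a reference per request."""
    _RETAINED_FOREVER.append(payload * 4)


def bounded_handle(payload: bytes) -> None:
    """Stand-in for a handler whose retained state is capped."""
    _RECENT.append(payload * 4)


def _growth_stats(fn, payload: bytes, warmup: int, iterations: int):
    """Per-line allocation deltas between a snapshot before and after `iterations` calls.

    Warm-up runs first so that caches, interned strings and allocator arenas
    settle; a steady-state workload is what we want to measure. gc.collect()
    before each snapshot drops garbage that merely hasn't been collected yet,
    so only objects still reachable count as growth.
    """
    for _ in range(warmup):
        fn(payload)
    tracemalloc.start()
    try:
        gc.collect()
        before = tracemalloc.take_snapshot()
        for _ in range(iterations):
            fn(payload)
        gc.collect()
        after = tracemalloc.take_snapshot()
    finally:
        tracemalloc.stop()
    # Ignore tracemalloc's own bookkeeping and frames without a source file.
    filters = (tracemalloc.Filter(False, tracemalloc.__file__),
               tracemalloc.Filter(False, "<unknown>"))
    before = before.filter_traces(filters)
    after = after.filter_traces(filters)
    return after.compare_to(before, "lineno")   # sorted by size_diff, largest first


def measure_growth(fn, payload: bytes, warmup: int = 20, iterations: int = 300) -> int:
    """Bytes of still-reachable heap gained across `iterations` calls of fn."""
    return sum(stat.size_diff for stat in _growth_stats(fn, payload, warmup, iterations))


def is_leaking(fn, payload: bytes = b"x" * 1024, threshold: int = 128 * 1024) -> bool:
    """True when steady-state growth exceeds the threshold. Per-run noise is a
    few KB; 300 retained 4 KB payloads from a real leak are over a megabyte."""
    return measure_growth(fn, payload) > threshold


def top_allocations(fn, payload: bytes = b"x" * 1024, limit: int = 3) -> list:
    """The source lines responsible for the growth, for the CI log on failure."""
    stats = _growth_stats(fn, payload, warmup=20, iterations=300)
    return [str(stat) for stat in stats[:limit]]


if __name__ == "__main__":
    for handler in (bounded_handle, leaky_handle):
        print(handler.__name__, "leaking:", is_leaking(handler))
    print("\n".join(top_allocations(leaky_handle)))
```

The threshold is the part that needs tuning per test: set it from a clean baseline run with some headroom rather than at zero, since a stable process still shows small positive deltas from interning and pool growth, and pin the iteration count high enough that a genuine per-request leak clears the threshold by an order of magnitude.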