flaskpaste/TODO.md

# TODO

Unstructured intake buffer for ideas, issues, and observations. Items here are raw and unrefined. Actionable items should be promoted to TASKLIST.md.

---

## Ideas

- Rate limit headers in responses (X-RateLimit-*)
- Paste compression for large text content
- ETag support for conditional requests
- Paste listing for authenticated users (their own pastes only)
- Neovim/Vim plugin for editor integration
- Webhook notifications for paste events
- Certificate renewal reminder in CLI
- Admin endpoint for CA key rotation

## Observations

- PKI uses AES-256-GCM for CA private key encryption (PBKDF2 key derivation)
- SHA1 fingerprints are X.509 standard, not security-relevant (usedforsecurity=False)
- Revoked certificates are soft-deleted (status tracked, not removed)
- CI pipeline: lint runs parallel with security, tests wait for lint
- Ruff replaces flake8/isort/pyupgrade with single fast tool
- Bandit configured for medium+ severity only (-ll flag)

## Questions

- Certificate renewal: reissue with same CN or require new request?
- Should revoked certs be purged after grace period?

## Resolved

- Expired paste cleanup runs in-process via before_request hook (no cron needed)

## Debt

- Mypy has pre-existing type errors (runs with --ignore-missing-imports)
- No integration tests for container deployment
- Missing test for concurrent paste creation
- Could add more deployment examples (Kubernetes, systemd)

## External Dependencies

- Consider adding `python-magic` for better MIME detection (currently magic bytes only)
- cryptography package required for PKI features (optional otherwise)

---

*Review weekly. Promote actionable items to TASKLIST.md. Archive or delete stale items.*