flaskpaste/TODO.md

TODO

Unstructured intake buffer for ideas, issues, and observations. Items here are raw and unrefined. Actionable items should be promoted to TASKLIST.md.

---

Ideas

• Paste compression for large text content
• ETag support for conditional requests
• Neovim/Vim plugin for editor integration
• Webhook notifications for paste events
• Certificate renewal reminder in CLI
• Admin endpoint for CA key rotation
• Shell completions (bash, zsh, fish)
• Clipboard integration (pbcopy/xclip)

Observations

• Comprehensive pentest plan completed (PENTEST_PLAN.md) - all remediations implemented
• PKI uses AES-256-GCM for CA private key encryption (PBKDF2 key derivation)
• SHA1 fingerprints are X.509 standard, not security-relevant (usedforsecurity=False)
• Revoked certificates are soft-deleted (status tracked, not removed)
• CI pipeline: lint runs parallel with security, tests wait for lint
• Ruff replaces flake8/isort/pyupgrade with single fast tool
• Bandit configured for medium+ severity only (-ll flag)
• PKI audit events now logged: CERT_ISSUED, CERT_REVOKED, AUTH_FAILURE
• Request duration metrics recorded via Prometheus histogram
• Memory leak tests use tracemalloc to detect leaks (CI job)
• Rate limit headers (X-RateLimit-*) on both 201 and 429 responses
• systemd service unit with security hardening in examples/

Questions

• Certificate renewal: reissue with same CN or require new request?
• Should revoked certs be purged after grace period?

Resolved

• Expired paste cleanup runs in-process via before_request hook (no cron needed)

Debt

• Mypy has pre-existing type errors (runs with --ignore-missing-imports)
• Could add more deployment examples (Kubernetes, Ansible role)

External Dependencies

• Consider adding python-magic for better MIME detection (currently magic bytes only)
• cryptography package required for PKI features (optional otherwise)

---

Review weekly. Promote actionable items to TASKLIST.md. Archive or delete stale items.