1.6 KiB
1.6 KiB
TODO
Unstructured intake buffer for ideas, issues, and observations. Items here are raw and unrefined. Actionable items should be promoted to TASKLIST.md.
Ideas
- Rate limit headers in responses (X-RateLimit-*)
- Paste compression for large text content
- ETag support for conditional requests
- Paste listing for authenticated users (their own pastes only)
- Neovim/Vim plugin for editor integration
- Webhook notifications for paste events
- Certificate renewal reminder in CLI
- Admin endpoint for CA key rotation
Observations
- PKI uses AES-256-GCM for CA private key encryption (PBKDF2 key derivation)
- SHA1 fingerprints are X.509 standard, not security-relevant (usedforsecurity=False)
- Revoked certificates are soft-deleted (status tracked, not removed)
- CI pipeline: lint runs parallel with security, tests wait for lint
- Ruff replaces flake8/isort/pyupgrade with single fast tool
- Bandit configured for medium+ severity only (-ll flag)
Questions
- Should expired paste cleanup run in-process or via external cron?
- Certificate renewal: reissue with same CN or require new request?
- Should revoked certs be purged after grace period?
Debt
- Mypy has pre-existing type errors (runs with --ignore-missing-imports)
- No integration tests for container deployment
- Missing test for concurrent paste creation
- Could add more deployment examples (Kubernetes, systemd)
External Dependencies
- Consider adding
python-magicfor better MIME detection (currently magic bytes only) - cryptography package required for PKI features (optional otherwise)
Review weekly. Promote actionable items to TASKLIST.md. Archive or delete stale items.