path: root/SESSION_STATE.md
blob: b4dd64df2137b55b545edb807a7088e9eb6304ec (plain)
# Session State

## Current Focus
Agent Context API - Refactored for simplicity and clarity

## Active Feature
**Agent Context API** — `issues/feature_agent_context_api.md`
- Status: [REVIEW_READY] Phase 1 Complete + Browser-Only Agent Endpoints + Refactored
- Phase 2 (Write Operations) and Phase 3 (Create + Management) pending

### Recent Refactoring (agent.go)
- Reused `BuildTimeline()` from timeline_logic.go instead of duplicating fetch logic
- Removed ~60 lines of duplicate timeline building code
- Added section headers for code organization: Constants, Types, Helpers, Auth Handlers, Context Handlers, Middleware, Web Handlers
- Extracted `isSessionExpired()` helper to reduce duplication
- Extracted `renderAgentTemplate()` helper to simplify template rendering
- Moved `AgentRequestPayload` from websocket.go to agent.go (agent-specific type)
- Used `config.Now()` and `config.Today()` for consistent timezone handling

### Phase 1 Completed Items
- [x] Migration `migrations/010_agent_tables.sql` — agents and agent_sessions tables
- [x] Store methods in `internal/store/sqlite.go` — full CRUD for agents/sessions
- [x] Agent handlers in `internal/handlers/agent.go`:
  - POST `/agent/auth/request` — request access (returns request_token)
  - GET `/agent/auth/poll` — poll for approval status
  - POST `/agent/auth/approve` — user approves (browser auth required)
  - POST `/agent/auth/deny` — user denies (browser auth required)
  - GET `/agent/context` — full 7-day context (agent session required)
- [x] WebSocket hub in `internal/handlers/websocket.go`:
  - GET `/ws/notifications` — push agent request alerts to browsers
- [x] Routes registered in `cmd/dashboard/main.go`
- [x] Frontend approval UI in `web/static/js/app.js`:
  - WebSocket connection with auto-reconnect
  - Approval modal with trust indicators
  - Countdown timer for request expiry
- [x] Unit tests in `internal/handlers/agent_test.go`

### Phase 1.5: Browser-Only Agent Endpoints (NEW)
- [x] GET `/agent/web/request?name=X&agent_id=Y` — HTML page with request token
- [x] GET `/agent/web/status?token=TOKEN` — HTML page showing approval status
- [x] GET `/agent/web/context?session=TOKEN` — HTML page with timeline data
- [x] Templates: `agent-request.html`, `agent-status.html`, `agent-context.html`, `agent-error.html`
- [x] All templates include embedded JSON in `<script type="application/json" id="agent-data">` for parsing
- [x] Store method: `GetPendingAgentSessionByAgentID()` — returns existing pending session
- [x] Bug fix: SQLite datetime comparison now uses `datetime('now', 'localtime')` for proper timezone handling
- [x] Tests for all new endpoints

### Key Design Decisions
- Auth: Notification-based approval via WebSocket to browser
- Identity: Name + UUID binding with impersonation detection
- Session: 1 hour TTL, one session per agent, re-auth on expiry
- Scope: 7-day context (timeline from cached tasks, cards, meals)
- Rate limit: 10 requests/minute per IP on auth request endpoint
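
The identity and session rules above, sketched in Go as an added example (not code from this repository). The `registry` type, its methods and the in-memory maps are hypothetical, and the impersonation rule is assumed to mean "a known name presented with a different UUID is rejected".

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

const sessionTTL = time.Hour // "1 hour TTL" from the design decisions
var errImpersonation = errors.New("name already bound to a different agent UUID")

// registry is a hypothetical in-memory stand-in for the agents/agent_sessions tables.
type registry struct {
	idByName map[string]string    // agent name -> UUID it was first approved with
	tokenOf  map[string]string    // agent UUID -> its single live session token
	expires  map[string]time.Time // session token -> expiry time
}

func newRegistry() *registry {
	return &registry{map[string]string{}, map[string]string{}, map[string]time.Time{}}
}

// approve checks the name/UUID binding, revokes the old session, issues a new token.
func (r *registry) approve(name, agentID string, now time.Time) (string, error) {
	if bound, ok := r.idByName[name]; ok && bound != agentID {
		return "", errImpersonation // assumed rule: known name, different UUID
	}
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	token := hex.EncodeToString(buf)
	r.idByName[name] = agentID
	delete(r.expires, r.tokenOf[agentID]) // one session per agent
	r.tokenOf[agentID], r.expires[token] = token, now.Add(sessionTTL)
	return token, nil
}

// valid reports whether token names a live session at time now.
func (r *registry) valid(token string, now time.Time) bool {
	exp, ok := r.expires[token]
	return ok && now.Before(exp)
}

func main() {
	tok, err := newRegistry().approve("planner", "uuid-a", time.Now()) // constructed identity
	fmt.Println(len(tok), err)
}
```

Passing `now` explicitly keeps the expiry check testable and avoids mixing clock sources, which is the class of problem the `datetime('now', 'localtime')` fix addressed.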

### Files Modified
- `migrations/010_agent_tables.sql` (new)
- `internal/models/types.go` (added Agent, AgentSession, AgentAuthRequest, etc.)
- `internal/store/sqlite.go` (added ~250 lines of agent/session CRUD)
- `internal/handlers/agent.go` (new)
- `internal/handlers/websocket.go` (new)
- `internal/handlers/agent_test.go` (new)
- `cmd/dashboard/main.go` (route registration)
- `web/static/js/app.js` (WebSocket + approval modal)
- `go.mod`, `go.sum` (added gorilla/websocket)

## Previous Work (Completed)
- [x] Bug fixes (Trello filter, recurring tasks)
- [x] Scripts: `bugs`, `resolve-bug`

## Remaining Items (Feature Requests)
- #12: Research task durations
- #28: Bugs as first-class atoms
- #30: Consistent background opacity
- #31: PlanToEat ingredients
- #33-38: Shopping/timeline features

## Next Steps
1. **Phase 2**: Implement write operations (complete, uncomplete, update due date)
2. **Phase 3**: Create task/shopping item, agent management UI
3. Test full auth flow manually with a real agent