docs: Add complete project documentation, user stories, and task breakdowns

[mentally-gamez-soft]

📋 Summary
This PR establishes the complete documentation foundation for the IPFS Gateway SaaS project, including project specifications, user stories for all layers (backend, frontend, infrastructure), and granular task breakdowns.

📁 What's Included
Documentation (documentation)

project-specifications.md - Overall project requirements and architecture
backend-specs.md - Backend technical specifications (Flask, PostgreSQL, Celery)
frontend-specs.md - Frontend technical specifications (Next.js, TypeScript)
dockerization-tools-specs.md - Container and deployment specifications
user-stories-summary.md - Overview of all user stories
User Stories (user-stories)

Backend (13 stories): US-001 to US-013 covering project setup, database models, authentication, file upload/retrieval, task queue, pinning, security, logging, and testing
Frontend (10 stories): US-101 to US-110 covering project setup, pages, file management UI, and testing
Infrastructure (5 stories): US-201 to US-205 covering Docker, deployment, CI/CD, monitoring, and pre-commit hooks
Task Breakdowns (tasks)

Backend tasks: Flask factory, dependencies, user model, Filebase service
Frontend tasks: Next.js initialization, API client
README

Comprehensive project overview with architecture diagrams (Mermaid)
Data model documentation (ERD)
Full API reference with examples
Tech stack details
🎯 Purpose
Provides the complete roadmap and specifications needed to begin implementation of the IPFS Gateway SaaS platform.

Summary by CodeRabbit

• Documentation
  • Added comprehensive project specifications and technical architecture documentation.
  • Created detailed user stories and acceptance criteria for backend, frontend, and infrastructure features.
  • Established project setup and implementation guidance documentation.
  • Added expanded README with system architecture, data models, API specifications, and workflow diagrams.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

📝 Walkthrough

Walkthrough

This pull request adds comprehensive specification, planning, and task definition documentation for an IPFS Gateway SaaS project. It introduces architectural specs, project-wide requirements, detailed user stories across backend/frontend/infrastructure domains, and implementation task guides covering the full technology stack and development lifecycle.

Changes

Cohort / File(s)	Summary
Project Specifications & Planning documentation/project-specifications.md, documentation/backend-specs.md, documentation/frontend-specs.md, documentation/dockerization-tools-specs.md, documentation/user-stories-summary.md	Comprehensive specification documents covering project overview, technical stack (Flask, Next.js, PostgreSQL, SQLModel, Celery, Redis, Docker), architecture patterns, data models, security requirements, testing strategies, and deployment infrastructure. Includes dependency graphs and risk assessments.
Planning Prompts prompts/initial-prompt.md, prompts/readme-prompt.md	Planning and prompt templates requesting comprehensive project planning and README generation for the IPFS gateway project, outlining guidelines and deliverables.
Project README readme.md	Expanded with full project documentation including project metadata, objectives, feature table, system architecture (Mermaid diagrams), data models (ER diagram), API specifications with endpoints and examples, error responses, user stories, work tickets, and quick-start Docker setup instructions.
Backend Implementation Tasks tasks/backend/TASK-US-001-01-create-directory-structure.md, tasks/backend/TASK-US-001-02-configure-dependencies.md, tasks/backend/TASK-US-001-03-implement-flask-factory.md, tasks/backend/TASK-US-002-01-create-user-model.md, tasks/backend/TASK-US-005-02-implement-filebase-service.md	Detailed task specifications for backend setup including directory scaffolding, Python dependency configuration via pyproject.toml, Flask application factory pattern implementation, SQLModel User model definition with authentication, and Filebase/IPFS service integration with circuit breaker and retry logic.
Frontend Implementation Tasks tasks/frontend/TASK-US-101-01-init-nextjs-project.md, tasks/frontend/TASK-US-101-04-create-api-client.md	Step-by-step frontend initialization and API client setup including Next.js 14+ project creation, TypeScript configuration, Tailwind CSS, centralized Axios API client with interceptors, React Query integration, and custom hooks for file operations.
Backend User Stories user-stories/backend/US-001-project-setup-configuration.md, user-stories/backend/US-002-database-models-migrations.md, user-stories/backend/US-003-user-registration-authentication.md, user-stories/backend/US-004-api-key-management.md, user-stories/backend/US-005-file-upload-ipfs.md, user-stories/backend/US-006-file-retrieval-ipfs.md, user-stories/backend/US-007-celery-task-queue.md, user-stories/backend/US-008-content-pinning-management.md, user-stories/backend/US-009-rate-limiting-security.md, user-stories/backend/US-010-audit-logging.md, user-stories/backend/US-011-error-handling-responses.md, user-stories/backend/US-012-api-documentation.md, user-stories/backend/US-013-backend-testing.md	User story definitions across backend domains: project foundation, database/ORM setup, user registration/auth with bcrypt and API key generation, API key lifecycle management, file upload to IPFS via Filebase, file retrieval with caching, Celery async task queue, content pinning/unpinning, rate limiting via Flask-Limiter, audit logging, standardized error responses, Swagger API documentation, and comprehensive testing strategy with pytest.
Frontend User Stories user-stories/frontend/US-101-frontend-project-setup.md, user-stories/frontend/US-102-home-page-navigation.md, user-stories/frontend/US-103-user-registration.md, user-stories/frontend/US-104-login-dashboard.md, user-stories/frontend/US-105-file-upload-interface.md, user-stories/frontend/US-106-file-retrieval-interface.md, user-stories/frontend/US-107-files-management.md, user-stories/frontend/US-108-documentation-pages.md, user-stories/frontend/US-109-error-handling-feedback.md, user-stories/frontend/US-110-frontend-testing.md	User story definitions for frontend features: Next.js project setup with TypeScript/Tailwind, responsive home page with navigation, registration form with validation, login and user dashboard, drag-and-drop file upload with progress tracking, CID-based file retrieval with preview support, file management with list/grid views and sorting, documentation pages with MDX, error boundaries and toast notifications, and end-to-end testing with Playwright/Jest.
Infrastructure User Stories user-stories/infrastructure/US-201-docker-configuration.md, user-stories/infrastructure/US-202-deployment-scripts.md, user-stories/infrastructure/US-203-cicd-pipeline.md, user-stories/infrastructure/US-204-monitoring-logging.md, user-stories/infrastructure/US-205-precommit-hooks.md	Infrastructure and DevOps user stories: multi-stage Docker builds for backend/frontend with supporting services (PostgreSQL, Redis, Nginx), interactive CLI deployment scripts (Bash/PowerShell), GitHub Actions CI/CD pipeline with matrix strategies, Prometheus/Grafana monitoring and ELK-based logging stack, and pre-commit hooks for code quality.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~30 minutes

Poem

🐰 A warren of specs, now neatly arranged,
User stories, tasks, and plans so well-changed!
From backend to frontend, each rabbit hops through,
With Docker, with APIs, fresh paths to pursue.
This blueprint so thorough—what joy to behold,
A project well-planned is a project worth gold! 📚✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main addition: comprehensive project documentation, user stories, and task breakdowns for the IPFS Gateway project.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

Tip

🧪 Unit Test Generation v2 is now available!

We have significantly improved our unit test generation capabilities.

To enable: Add this to your .coderabbit.yaml configuration:

reviews:
  finishing_touches:
    unit_tests:
      enabled: true

Try it out by using the @coderabbitai generate unit tests command on your code files or under ✨ Finishing Touches on the walkthrough!

Have feedback? Share your thoughts on our Discord thread!

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 13

Note

Due to the large number of review comments, Critical, Major severity comments were prioritized as inline comments.

🤖 Fix all issues with AI agents

In `@documentation/backend-specs.md`:
- Line 12: The /renew endpoint currently allows API key regeneration with only
an email, enabling unauthorized renewals; change the flow for the /renew route
to require strong verification: require the current API key (authenticate the
caller) via the existing auth middleware before allowing renewal, or implement a
secure email verification flow that sends a time-limited, single-use renewal
token/link to the email and only renews when that token is presented; add rate
limiting for the /renew route (e.g., 1 per 24h per email) and consider branching
for high-value accounts to require additional verification; update any handler
or controller for the "/renew" route to enforce these checks and log audit
events for renewals.
- Around line 23-27: Update the "API Security" section by adding a new "Rate
Limiting Strategy" subsection that specifies concrete limits per endpoint (e.g.,
uploads, retrievals, registrations), explicit windows for each limit (per
minute/hour/day), whether limits apply per-user (API key) or per-IP (or both)
for each endpoint, the exact rate-limit response format (HTTP status code,
headers like X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset and
JSON body fields), and the behavior on violation (429 response, retry-after
header, optional backoff or temporary blocking); ensure this subsection sits
alongside the existing "Rate Limiting" bullet under the "API Security" heading
so implementers can copy these rules directly.

In `@tasks/backend/TASK-US-002-01-create-user-model.md`:
- Line 39: The api_key Field is declared with max_length=64 but the generated
key uses the prefix "ipfs_gw_" + secrets.token_hex(32) (72 chars); update the
api_key Field's max_length to at least 72 (I recommend 80 for headroom) and
update any other occurrences of this constraint (the referenced lines 72-79) so
they match; after changing the api_key Field, create and run the corresponding
DB migration to alter the column length so inserts won't fail.

In `@tasks/backend/TASK-US-005-02-implement-filebase-service.md`:
- Around line 286-294: The config currently defaults FILEBASE_ENDPOINT_URL,
FILEBASE_IPFS_API_KEY, FILEBASE_IPFS_API_SECRET, and FILEBASE_BUCKET_NAME to
empty strings which pushes errors to runtime; add startup validation that checks
these variables (FILEBASE_ENDPOINT_URL, FILEBASE_IPFS_API_KEY,
FILEBASE_IPFS_API_SECRET, FILEBASE_BUCKET_NAME) and raise a clear exception
(e.g., ValueError/ConfigError) if any required value is missing or empty, so the
application fails fast with a descriptive message; perform this validation in
the module that defines these constants or in the application initialization
path that imports them (e.g., config loader or init function).
- Around line 120-179: The upload_file method currently uses the raw filename as
the S3 key; sanitize and normalize the key before upload by removing path
separators and disallowed characters, enforcing a safe character whitelist
(alphanumerics, dashes, underscores, dots), and limiting length; prepend a UUID
(or secure random prefix) to the sanitized filename to avoid collisions and
overwrites, and use this sanitized_key when calling self.client.upload_fileobj
and when returning UploadResult(key=...). Ensure all references to filename in
head_object and logging use sanitized_key and that FILEBASE_BUCKET_NAME remains
unchanged.
- Around line 120-179: The upload_file implementation assumes the incoming
BinaryIO is seekable and calls file.seek() which will raise on non-seekable
streams; change upload_file to detect non-seekable streams (using
file.seekable()) and if not seekable, wrap the stream into a seekable buffer
(e.g., tempfile.SpooledTemporaryFile()) and copy the incoming data into it so
you can determine size and rewind before upload (use the buffered object's
seek/tell), or alternatively set size = None and update UploadResult to accept
Optional[int] and downstream callers to handle None; update references in
upload_file (file, filename, size, UploadResult) accordingly and ensure
metadata/ExtraArgs logic and head_object/CID handling remain the same when using
the buffered file.

In `@tasks/frontend/TASK-US-101-04-create-api-client.md`:
- Line 39: The code is reading the API key from localStorage via
localStorage.getItem("api_key") which exposes it to XSS; replace this
client-side storage with a secure approach: have the backend set the API token
in an httpOnly, Secure, SameSite cookie and change the client code that uses
apiKey to stop reading localStorage and instead make requests with fetch/axios
using credentials: 'include' (or withCredentials) so the server-side cookie is
sent automatically; alternatively implement a short-lived access token + refresh
token flow where only the refresh token is httpOnly and the frontend holds no
long-lived secret—update all references to apiKey/localStorage.getItem to use
the new mechanism and remove any code that persists credentials in localStorage.
- Line 58: Replace the direct window.location.href assignment in the interceptor
with a Next-friendly navigation signal: either dispatch a CustomEvent like
"auth:unauthorized" from the interceptor (so a top-level component/layout using
useRouter can listen for that event and call router.push('/login')), or reject
the request with a distinct error (e.g., Error('UNAUTHORIZED')) after clearing
localStorage so calling components (React Query onError handlers or hooks) can
detect that error and call router.push('/login'); update the interceptor code
path that currently does window.location.href = "/login" to implement one of
these two patterns.
- Around line 37-46: The request interceptor registered on
apiClient.interceptors.request.use reads localStorage directly which will throw
during SSR; update the interceptor (the function passed to
apiClient.interceptors.request.use) to first check for a browser environment
(e.g., typeof window !== "undefined" and window.localStorage) before calling
localStorage.getItem("api_key"), and only set config.headers["X-API-Key"] when
the check passes; keep the existing error handler and return config as before.

In `@user-stories/backend/US-002-database-models-migrations.md`:
- Around line 26-29: The ERD and docs currently show integer primary keys (e.g.,
"int id") while the technical notes require UUIDs; update the diagram and all
related field references (e.g., user_id, id columns, and foreign key labels) to
UUID, and align model/migration definitions to use UUID primary keys and UUID
foreign keys (ensure defaults like uuid_generate_v4() or the framework's UUID
generator are specified). Also update any prose in the markdown that mentions
"int id" to "UUID" so the documentation, ERD, and model/migration names (e.g.,
user_id, <entity>_id) are consistent. Ensure foreign key constraints and sample
queries in the doc reflect UUID types.

In `@user-stories/backend/US-004-api-key-management.md`:
- Around line 19-24: The renew flow currently trusts only an email; change the
API key renewal endpoint (e.g., renew / renewApiKey handler) to require a secure
verification: either an authenticated session, a time-limited one-time token
(OTP) sent to the user’s email and verified by the renew handler, or a signed
verification link containing a nonce validated server-side before issuing a new
key; ensure the old key is invalidated, the action is recorded in AuditLog (use
the same AuditLog entry creation used by createApiKey/revokeApiKey), and trigger
the email notification path after successful renewal; update any renew-related
validation logic to reject requests that lack the OTP/session/signed nonce.

In `@user-stories/backend/US-010-audit-logging.md`:
- Line 16: Update the audit logging spec to address IP privacy: in the "Details
field" add a clear data retention policy (e.g., IP_RETENTION_DAYS = 90) and a
legal-basis statement (e.g., "legitimate interest for security"); add an option
to anonymize/hash IPs for non-critical logs (e.g., ANONYMIZE_IPS flag and
describe hashing algorithm/entropy), require an admin workflow and API support
to honor user deletion requests for IP data, and add a note to
registration/terms that IP logging is performed; ensure the spec indicates
whether raw IPs are stored (retain_raw_ips boolean) and how/when raw→hashed
migration or deletion occurs.

In `@user-stories/frontend/US-104-login-dashboard.md`:
- Line 32: The doc suggests "Store API key in secure HTTP-only context or
encrypted localStorage", which is insecure; update the guidance to recommend
using HTTP-only, Secure, SameSite cookies for session tokens (backend validates
API key once and issues short-lived session token) as the primary option, and
add two alternatives: (a) keep API keys only in memory (React state/context) for
per-session use requiring re-entry after refresh, and (b) implement
OAuth2/token-based auth with refresh tokens stored in HTTP-only cookies; replace
the phrase "encrypted localStorage" and explicitly list these three options
(HTTP-only cookie flow, in-memory per-session storage, OAuth2) with brief
implementation notes for backend validation and token lifetimes.

🟡 Minor comments (30)

user-stories/infrastructure/US-205-precommit-hooks.md-28-42 (1)

28-42: ⚠️ Potential issue | 🟡 Minor

Fix markdown table formatting for lint compliance.

markdownlint flags missing blank lines around the table and compact pipe spacing. Add surrounding blank lines and consistent spacing to avoid MD058/MD060.

✅ Proposed fix

-## Pre-commit Hooks
-| Hook | Purpose | Language |
-|------|---------|----------|
-| black | Code formatting | Python |
-| isort | Import sorting | Python |
-| flake8 | Linting | Python |
-| mypy | Type checking | Python |
-| bandit | Security | Python |
-| eslint | Linting | JavaScript |
-| prettier | Formatting | JavaScript |
-| detect-secrets | Security | All |
-| trailing-whitespace | Cleanup | All |
-| check-yaml | Validation | YAML |
-| check-json | Validation | JSON |
+## Pre-commit Hooks
+
+| Hook              | Purpose         | Language   |
+| ----------------- | --------------- | ---------- |
+| black             | Code formatting | Python     |
+| isort             | Import sorting  | Python     |
+| flake8            | Linting         | Python     |
+| mypy              | Type checking   | Python     |
+| bandit            | Security        | Python     |
+| eslint            | Linting         | JavaScript |
+| prettier          | Formatting      | JavaScript |
+| detect-secrets    | Security        | All        |
+| trailing-whitespace | Cleanup       | All        |
+| check-yaml        | Validation      | YAML       |
+| check-json        | Validation      | JSON       |
+

tasks/frontend/TASK-US-101-04-create-api-client.md-229-229 (1)

229-229: ⚠️ Potential issue | 🟡 Minor

Document the react-hot-toast dependency.

The code imports toast from react-hot-toast, but this package is not mentioned in the task's acceptance criteria or installation steps. Ensure this dependency is documented and added to package.json.

prompts/readme-prompt.md-4-4 (1)

4-4: ⚠️ Potential issue | 🟡 Minor

Fix spelling error: "arquitecture" → "architecture"

The word "arquitecture" is misspelled.

📝 Proposed fix

-the tech stack arquitecture + a mermaid diagram to show it
+the tech stack architecture + a mermaid diagram to show it

tasks/backend/TASK-US-001-02-configure-dependencies.md-26-73 (1)

26-73: ⚠️ Potential issue | 🟡 Minor

Update dependency version constraints to accommodate current stable releases.

Version constraints are overly restrictive and exclude current stable releases as of January 2025:

• Line 31: gunicorn>=21.0.0,<23.0.0 excludes gunicorn 23.0.0 (latest stable)
• Line 87: black>=23.12.0,<24.0.0 excludes black 25.1.0 (latest stable, released Jan 29, 2025)

Relax the upper bounds to permit these stable versions:

• gunicorn: change <23.0.0 to <24.0.0
• black: change <24.0.0 to <26.0.0

user-stories/backend/US-004-api-key-management.md-28-98 (1)

28-98: ⚠️ Potential issue | 🟡 Minor

Add language identifiers to fenced code blocks for linting and readability.
Use json for request/response payloads and mermaid for diagrams.

📝 Suggested fix

-```
+```http
 POST /status
 X-API-Key: ipfs_gw_xxxxxxxxxxxxx
@@
-```
+```http
 POST /renew
 Content-Type: application/json
@@
-```
+```http
 POST /revoke
 X-API-Key: admin_api_key
@@
-```
+```http
 POST /reactivate
 X-API-Key: admin_api_key
@@
-```mermaid
+```mermaid
 flowchart TD
@@
-```
+```

-Response (200 OK):
-{
+Response (200 OK):
+```json
+{
     "status": 200,
@@
-}
-```
+}
+```

Also applies to: 117-141

user-stories/infrastructure/US-204-monitoring-logging.md-59-68 (1)

59-68: ⚠️ Potential issue | 🟡 Minor

Add blank lines and spacing around the table.
This resolves MD058/MD060 and improves readability.

📝 Suggested fix

-## Key Metrics
-| Metric | Type | Description |
-|--------|------|-------------|
-| http_requests_total | Counter | Total HTTP requests |
-| http_request_duration | Histogram | Request latency |
-| upload_size_bytes | Histogram | Upload file sizes |
-| active_users | Gauge | Current active users |
-| celery_tasks_total | Counter | Celery task count |
-| error_rate | Gauge | Error percentage |
+## Key Metrics
+
+| Metric               | Type      | Description          |
+|----------------------|-----------|----------------------|
+| http_requests_total  | Counter   | Total HTTP requests  |
+| http_request_duration| Histogram | Request latency      |
+| upload_size_bytes    | Histogram | Upload file sizes    |
+| active_users         | Gauge     | Current active users |
+| celery_tasks_total   | Counter   | Celery task count    |
+| error_rate           | Gauge     | Error percentage     |

user-stories/backend/US-011-error-handling-responses.md-52-68 (1)

52-68: ⚠️ Potential issue | 🟡 Minor

Add blank lines and spacing around the table.
This resolves MD058/MD060.

📝 Suggested fix

-## HTTP Status Codes
-| Code | Usage |
-|------|-------|
-| 200 | Success |
-| 201 | Resource created |
-| 202 | Accepted (async) |
-| 400 | Bad request |
-| 401 | Unauthorized |
-| 403 | Forbidden |
-| 404 | Not found |
-| 409 | Conflict |
-| 413 | Payload too large |
-| 422 | Validation error |
-| 429 | Rate limit exceeded |
-| 500 | Internal error |
-| 503 | Service unavailable |
+## HTTP Status Codes
+
+| Code | Usage              |
+|------|--------------------|
+| 200  | Success            |
+| 201  | Resource created   |
+| 202  | Accepted (async)   |
+| 400  | Bad request        |
+| 401  | Unauthorized       |
+| 403  | Forbidden          |
+| 404  | Not found          |
+| 409  | Conflict           |
+| 413  | Payload too large  |
+| 422  | Validation error   |
+| 429  | Rate limit exceeded|
+| 500  | Internal error     |
+| 503  | Service unavailable|

user-stories/frontend/US-110-frontend-testing.md-24-31 (1)

24-31: ⚠️ Potential issue | 🟡 Minor

Add blank lines and spacing around the table.
This resolves MD058/MD060 and improves readability.

📝 Suggested fix

-## Test Categories
-| Category | Tool | Target |
-|----------|------|--------|
-| Unit Tests | Jest | 80% |
-| Component Tests | RTL | 75% |
-| E2E Tests | Playwright | Critical paths |
-| A11y Tests | axe-core | All pages |
+## Test Categories
+
+| Category         | Tool       | Target         |
+|------------------|------------|----------------|
+| Unit Tests       | Jest       | 80%            |
+| Component Tests  | RTL        | 75%            |
+| E2E Tests        | Playwright | Critical paths |
+| A11y Tests       | axe-core   | All pages      |

user-stories/backend/US-011-error-handling-responses.md-23-50 (1)

23-50: ⚠️ Potential issue | 🟡 Minor

Add a language identifier to the response block.
Use json to satisfy MD040 and improve readability.

📝 Suggested fix

-```python
+```json
 # Success Response
 {
@@
-```
+```

user-stories/frontend/US-110-frontend-testing.md-32-50 (1)

32-50: ⚠️ Potential issue | 🟡 Minor

Add a language identifier to the test-structure block.
Use text (or bash) to satisfy MD040.

📝 Suggested fix

-```
+```text
 frontend/tests/
 ├── unit/
@@
-```
+```

user-stories/frontend/US-109-error-handling-feedback.md-25-31 (1)

25-31: ⚠️ Potential issue | 🟡 Minor

Fix table spacing and add blank lines around it.

markdownlint flags MD058/MD060.

✅ Suggested formatting

 ## Error Pages
-| Page | Trigger | Content |
-|------|---------|---------|
-| 404 | Unknown route | "Page not found" + navigation |
-| 403 | Unauthorized access | "Access denied" + login link |
-| 500 | Server error | "Something went wrong" + retry |
-| Offline | Network loss | "You're offline" + cached data |
+
+| Page    | Trigger             | Content                               |
+| ------- | ------------------- | ------------------------------------- |
+| 404     | Unknown route       | "Page not found" + navigation         |
+| 403     | Unauthorized access | "Access denied" + login link          |
+| 500     | Server error        | "Something went wrong" + retry        |
+| Offline | Network loss        | "You're offline" + cached data        |
+

user-stories/frontend/US-105-file-upload-interface.md-25-30 (1)

25-30: ⚠️ Potential issue | 🟡 Minor

Add blank lines and consistent pipe spacing around the table.

markdownlint flags table formatting (MD058/MD060). Please add a blank line before/after the table and use consistent spacing around pipes.

✅ Suggested formatting

-## Upload Constraints
-| Constraint | Value |
-|------------|-------|
-| Max file size | 100 MB |
-| Allowed types | All (with optional filtering) |
-| Max concurrent | 3 files |
+## Upload Constraints
+
+| Constraint      | Value                      |
+| --------------- | -------------------------- |
+| Max file size   | 100 MB                     |
+| Allowed types   | All (with optional filtering) |
+| Max concurrent  | 3 files                    |
+

user-stories/frontend/US-103-user-registration.md-24-29 (1)

24-29: ⚠️ Potential issue | 🟡 Minor

Fix table spacing and add blank lines around it.

markdownlint flags MD058/MD060.

✅ Suggested formatting

 ## Form Fields
-| Field | Type | Validation |
-|-------|------|------------|
-| Email | email | Required, valid format, max 255 chars |
-| Password | password | Required, min 8 chars, 1 uppercase, 1 number |
-| Confirm Password | password | Must match password |
+
+| Field            | Type     | Validation                               |
+| ---------------- | -------- | ---------------------------------------- |
+| Email            | email    | Required, valid format, max 255 chars    |
+| Password         | password | Required, min 8 chars, 1 uppercase, 1 number |
+| Confirm Password | password | Must match password                      |
+

user-stories/frontend/US-103-user-registration.md-50-112 (1)

50-112: ⚠️ Potential issue | 🟡 Minor

Label fenced blocks with languages.

markdownlint flags missing identifiers (MD040) for the workflow diagram and wireframes.

✅ Suggested formatting

-```mermaid
+```mermaid
 flowchart TD
@@
-```
+```

-```
+```text
 +--------------------------------------------------+
@@
-```
+```

-```
+```text
 +--------------------------------------------------+
@@
-```
+```

user-stories/frontend/US-109-error-handling-feedback.md-55-95 (1)

55-95: ⚠️ Potential issue | 🟡 Minor

Label fenced blocks with languages.

markdownlint flags missing identifiers (MD040) for mermaid and wireframe blocks.

✅ Suggested formatting

-```mermaid
+```mermaid
 flowchart TD
@@
-```
+```

-```
+```text
 +--------------------------------------------------+
@@
-```
+```

-```
+```text
 +--------------------------------------------------+
@@
-```
+```

documentation/dockerization-tools-specs.md-1-58 (1)

1-58: ⚠️ Potential issue | 🟡 Minor

Fix spelling/casing and list lettering for clarity.

There are multiple typos and inconsistent list lettering (e.g., a, c, d...). This reduces readability.

✅ Suggested edits (excerpt)

-You are a senior devOps engineer tasked with creating Dockerization and deployment specifications for a python and js projects.
+You are a senior DevOps engineer tasked with creating Dockerization and deployment specifications for Python and JS projects.

-  c. postgresql for database management and user data storage
+  c. PostgreSQL for database management and user data storage

-    1. choose an environement [production, development, staging]
+    1. choose an environment [production, development, staging]

-All creeated files should be in a `deployment/` directory at the root of the project.
+All created files should be in a `deployment/` directory at the root of the project.

user-stories/frontend/US-105-file-upload-interface.md-51-97 (1)

51-97: ⚠️ Potential issue | 🟡 Minor

Specify fenced block languages for mermaid and wireframe.

markdownlint flags missing language identifiers (MD040). Please label the mermaid block and the wireframe block.

✅ Suggested formatting

-```mermaid
+```mermaid
 flowchart TD
@@
-```
+```

-```
+```text
 +--------------------------------------------------+
@@
-```
+```

user-stories/backend/US-005-file-upload-ipfs.md-26-57 (1)

26-57: ⚠️ Potential issue | 🟡 Minor

Add a language identifier to the API spec block.

markdownlint flags the fenced block without a language (MD040).

✅ Suggested formatting

-```
+```http
 POST /upload
 X-API-Key: ipfs_gw_xxxxxxxxxxxxx
 Content-Type: multipart/form-data
@@
-```
+```

user-stories/backend/US-007-celery-task-queue.md-37-66 (1)

37-66: ⚠️ Potential issue | 🟡 Minor

Add a language identifier to the API spec block.

Helps markdownlint/formatters and improves readability.

✅ Suggested formatting

-```
+```http
 GET /tasks/<task_id>/status
 X-API-Key: ipfs_gw_xxxxxxxxxxxxx
@@
-```
+```

user-stories/frontend/US-102-home-page-navigation.md-68-89 (1)

68-89: ⚠️ Potential issue | 🟡 Minor

Add a language identifier to the wireframe block.

Improves readability and consistent markdown formatting.

✅ Suggested formatting

-```
+```text
 +--------------------------------------------------+
@@
-```
+```

user-stories/frontend/US-106-file-retrieval-interface.md-24-31 (1)

24-31: ⚠️ Potential issue | 🟡 Minor

Fix markdownlint table spacing and code-fence language.
Add blank lines around the table and use consistent pipe spacing; tag the wireframe block as text.

✅ Suggested update

 ## Supported Preview Types
-| Type | Preview |
-|------|---------|
-| Images (png, jpg, gif, webp) | Inline image |
-| Text (txt, md, json, xml) | Formatted text |
-| PDF | Embedded viewer |
-| Others | Download only |
+
+| Type | Preview |
+| --- | --- |
+| Images (png, jpg, gif, webp) | Inline image |
+| Text (txt, md, json, xml) | Formatted text |
+| PDF | Embedded viewer |
+| Others | Download only |
+
 ...
-```
+```text
 +--------------------------------------------------+
 |  Retrieve File                                   |
 ...
 +--------------------------------------------------+
-```
+```

Also applies to: 72-105

user-stories/backend/US-013-backend-testing.md-32-53 (1)

32-53: ⚠️ Potential issue | 🟡 Minor

Add a language identifier to the test-structure block.
Use text to satisfy MD040.

✅ Suggested update

-```
+```text
 backend/tests/
 ├── __init__.py
 ...
 └── test_models.py
-```
+```

user-stories/frontend/US-108-documentation-pages.md-86-112 (1)

86-112: ⚠️ Potential issue | 🟡 Minor

Specify a language for the wireframe block.
Markdownlint flags this fence. Use text (or md) to satisfy MD040.

✅ Suggested update

-```
+```text
 +--------------------------------------------------+
 |  Documentation                      [Search 🔍]  |
 ...
 +--------------------------------------------------+
-```
+```

user-stories/backend/US-006-file-retrieval-ipfs.md-27-50 (1)

27-50: ⚠️ Potential issue | 🟡 Minor

Add language identifiers to fenced blocks.
These examples should be tagged (http for request/headers, json for error bodies).

✅ Suggested update

-```
+```http
 GET /retrieve/QmXxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 X-API-Key: ipfs_gw_xxxxxxxxxxxxx
 ...
-Error Response (404 Not Found):
+```
+```json
+Error Response (404 Not Found):
 {
     "status": 404,
     "message": "File not found"
 }
 ...
-Error Response (403 Forbidden):
+```
+```json
+Error Response (403 Forbidden):
 {
     "status": 403,
     "message": "Access denied to this file"
 }
-```
+```

user-stories/backend/US-008-content-pinning-management.md-27-88 (1)

27-88: ⚠️ Potential issue | 🟡 Minor

Add language identifiers to fenced blocks.
Markdownlint flags these code fences without a language. Consider http for request/response examples and json for bodies.

✅ Suggested update

-```
+```http
 POST /pin/QmXxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 X-API-Key: ipfs_gw_xxxxxxxxxxxxx
 ...
-Response (200 OK):
+Response (200 OK):
+```
+```json
 {
     "status": 200,
     "message": "Content pinned successfully",
     "data": {
         "cid": "QmXxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
         "pinned": true,
         "pinned_at": "2026-01-29T10:30:00Z"
     }
 }
-Response (202 Accepted - Async):
+```
+```json
+Response (202 Accepted - Async):
 {
     "status": 202,
     "message": "Pinning request queued",
     "data": {
         "task_id": "uuid-task-id"
     }
 }
-```
+```

user-stories/backend/US-010-audit-logging.md-61-61 (1)

61-61: ⚠️ Potential issue | 🟡 Minor

Inconsistency: "login" action type without corresponding endpoint.

The action types table includes "login" (line 61), but the backend specifications don't define a login endpoint—authentication is API key-based. This creates confusion about the authentication model.

Recommendation: Either:

1. Remove "login" from action types if API keys are the only authentication method, OR
2. Clarify if there's a planned session-based login flow that uses API keys for initial authentication

user-stories/backend/US-003-user-registration-authentication.md-13-15 (1)

13-15: ⚠️ Potential issue | 🟡 Minor

Consistency issue: Backend specs don't mention password requirement.

This user story correctly specifies that /register accepts both email and password (lines 13, 30-33), but documentation/backend-specs.md line 8 only mentions email: "Register a new user (identified by its email)".

Recommendation: Update backend-specs.md to clarify that registration requires both email and password for authentication, ensuring consistency across all specification documents.

Also applies to: 30-33

documentation/user-stories-summary.md-164-201 (1)

164-201: ⚠️ Potential issue | 🟡 Minor

Sprint plan checkboxes should not be pre-checked.

All sprint items are marked as completed (✅) in the recommended sprint plan, but this PR is adding documentation, not completing the implementation. These checkboxes create confusion about the actual project status.

Recommendation: Change all - ✅ to - [ ] in the sprint plan sections (lines 164-201) to accurately reflect that these are planned, not completed, tasks.

📋 Proposed fix

 ### Sprint 1 (Week 1-2): Foundation
-- ✅ US-001: Backend Project Setup
-- ✅ US-002: Database Models
-- ✅ US-011: Error Handling
-- ✅ US-101: Frontend Project Setup
-- ✅ US-205: Pre-commit Hooks
+- [ ] US-001: Backend Project Setup
+- [ ] US-002: Database Models
+- [ ] US-011: Error Handling
+- [ ] US-101: Frontend Project Setup
+- [ ] US-205: Pre-commit Hooks

(Apply similar changes to all sprint sections)

documentation/project-specifications.md-172-172 (1)

172-172: ⚠️ Potential issue | 🟡 Minor

Fix typo: "environement" should be "environment".

📝 Proposed fix

-    The access credentials and configuration details are already stored securely using environment variables under the environment file .env. The environement variable is named FILEBASE_IPFS_API_KEY.
+    The access credentials and configuration details are already stored securely using environment variables under the environment file .env. The environment variable is named FILEBASE_IPFS_API_KEY.

documentation/project-specifications.md-7-7 (1)

7-7: ⚠️ Potential issue | 🟡 Minor

Fix typo: "gaol" should be "goal".

📝 Proposed fix

-    The main gaol of this API is to give access to a CID (Content Identifier) based storage system that is decentralized and secure, allowing users to store and retrieve content without relying on centralized servers.
+    The main goal of this API is to give access to a CID (Content Identifier) based storage system that is decentralized and secure, allowing users to store and retrieve content without relying on centralized servers.

🧹 Nitpick comments (20)

tasks/frontend/TASK-US-101-04-create-api-client.md (1)

238-252: Consider exposing error details for custom handling.

The current implementation uses toast notifications for all upload errors, which limits flexibility. Consider returning the error from the mutation so components can implement custom error handling logic when needed.

💡 Optional enhancement

 export function useUploadFile() {
   const queryClient = useQueryClient();
 
   return useMutation({
     mutationFn: ({ file, onProgress }: { file: File; onProgress?: (p: number) => void }) =>
       api.uploadFile(file, onProgress),
     onSuccess: () => {
       queryClient.invalidateQueries({ queryKey: ["files"] });
       toast.success("File uploaded successfully!");
     },
     onError: (error: Error) => {
       toast.error(`Upload failed: ${error.message}`);
+      // Error is still accessible via mutation.error for custom handling
     },
   });
 }

Components can then choose whether to use the default toast or implement custom error UI:

const mutation = useUploadFile();
// Access mutation.error for custom handling if needed

tasks/backend/TASK-US-005-02-implement-filebase-service.md (1)

191-223: Avoid reading the full object into memory.

response["Body"].read() loads the entire file into RAM; large files will spike memory. Prefer streaming or returning the body stream with an iterator/response passthrough.

💡 Streaming-friendly return

-            content = response["Body"].read()
-            content_type = response.get("ContentType", "application/octet-stream")
-            size = response.get("ContentLength", len(content))
+            body = response["Body"]
+            content_type = response.get("ContentType", "application/octet-stream")
+            size = response.get("ContentLength")
...
-            return RetrieveResult(
-                content=content,
+            return RetrieveResult(
+                content=body,
                 content_type=content_type,
-                size=size,
+                size=size or 0,
                 filename=key,
             )

user-stories/backend/US-009-rate-limiting-security.md (1)

25-33: Rate limits will need tuning based on actual usage patterns.

The specified rate limits (e.g., 100 requests/hour for retrieval, 20/hour for uploads) are reasonable starting points, but production values should be validated through load testing and actual usage metrics to balance user experience with abuse prevention.

user-stories/frontend/US-104-login-dashboard.md (1)

13-22: Consider adding error handling acceptance criteria.

The acceptance criteria cover the happy path well, but consider adding explicit criteria for error scenarios:

• Invalid API key format
• Expired or revoked API key
• Network/backend unavailability
• Session timeout handling

This would align better with US-109 (Error Handling and Feedback UI) mentioned in the related stories.

documentation/frontend-specs.md (2)

26-30: Consider adding a Security section to frontend specifications.

The frontend specs would benefit from explicit security guidelines, such as:

• Content Security Policy (CSP) headers
• XSS prevention strategies
• Secure handling of API keys (complementing US-104)
• HTTPS enforcement
• Input sanitization on the client side

This would provide a more complete foundation for secure frontend development.

---

26-30: Consider adding accessibility requirements.

Adding a section on accessibility would ensure the frontend meets inclusive design standards:

• WCAG 2.1 Level AA compliance target
• Keyboard navigation support
• Screen reader compatibility
• Color contrast requirements
• Semantic HTML usage

This aligns with the "User-Friendly Interface" principle mentioned in line 28.

documentation/user-stories-summary.md (1)

18-22: Time estimate appears optimistic for production-ready implementation.

The estimated 196 hours (~5 weeks with 1 developer) covers the task work itself but doesn't account for:

• Code review cycles and feedback incorporation
• Bug fixes and rework during testing
• Integration debugging between frontend/backend/infrastructure
• Documentation polish and updates
• Unexpected technical challenges (especially with Filebase API integration)

A more realistic estimate would be 250-300 hours (6-8 weeks) for a production-ready system. Consider adding a contingency buffer of 25-30% to the estimates.

prompts/initial-prompt.md (1)

4-5: Minor: Inconsistent capitalization of framework name.

"nextjs" should be capitalized as "Next.js" (the official brand name) for consistency and professionalism in documentation.

-- **Programming Language**: Python for backend, nextjs for frontend
-- **Web Framework**: Flask, nextjs
+- **Programming Language**: Python for backend, Next.js for frontend
+- **Web Framework**: Flask, Next.js

user-stories/frontend/US-101-frontend-project-setup.md (1)

26-57: Add language identifier to fenced code block.

The directory structure code block should specify a language identifier for proper rendering and accessibility.

📝 Proposed fix

-```
+```text
 frontend/
 ├── app/

documentation/project-specifications.md (3)

57-57: Capitalize "GitHub" properly.

The official name of the platform uses a capital "H".

📝 Proposed fix

-  d. CI/CD pipeline for automated testing and deployment with github actions
+  d. CI/CD pipeline for automated testing and deployment with GitHub Actions

---

157-157: Add hyphen to compound modifier.

"Auto-upgrading" should be hyphenated when used as a compound modifier.

📝 Proposed fix

-    Make sure to fix the versions of the packages in the requirements files to ensure consistency across different development environments. No auto upgrading of packages will be allowed without prior approval.
+    Make sure to fix the versions of the packages in the requirements files to ensure consistency across different development environments. No auto-upgrading of packages will be allowed without prior approval.

---

173-173: Add hyphen to compound modifier.

"S3-compatible" should be hyphenated when used as a compound modifier before a noun.

📝 Proposed fix

-    The access to the IPFS network will be used for uploading and retrieving content during development and testing. It will be achieved through the filebase S3 compatible API. For this reason you will use the `boto3` library to interact with the S3 compatible API provided by filebase-ipfs.
+    The access to the IPFS network will be used for uploading and retrieving content during development and testing. It will be achieved through the filebase S3-compatible API. For this reason you will use the `boto3` library to interact with the S3-compatible API provided by filebase-ipfs.

user-stories/frontend/US-107-files-management.md (2)

26-35: Add blank line before table.

Tables should be surrounded by blank lines for proper Markdown rendering.

📝 Proposed fix

 ## Table Columns
+
 | Column | Sortable | Description |

---

76-97: Add language identifier to wireframe code block.

The wireframe should specify a language identifier (e.g., text or plaintext) for proper rendering.

📝 Proposed fix

 ## Wireframe
-```
+```text
 +--------------------------------------------------+

readme.md (3)

220-220: Replace placeholder repository URL.

The git clone command contains a placeholder URL that should be updated to the actual repository URL.

Would you like me to verify the correct repository URL from the PR context and suggest the appropriate replacement?

---

368-371: Add language identifier to fenced code block.

The base URL code block should specify a language identifier for proper syntax highlighting.

📝 Proposed fix

 ### Base URL
-```
+```text
 Production: https://api.ipfs-gateway.com
 Development: http://localhost:5000

</details>

---

`375-377`: **Add language identifier to authentication example.**

The authentication header example should specify a language identifier (e.g., `http` or `text`).



<details>
<summary>📝 Proposed fix</summary>

```diff
 All API requests (except registration) require an API key in the header:
-```
+```http
 X-API-Key: ipfs_gw_your_api_key_here

</details>

</blockquote></details>
<details>
<summary>tasks/backend/TASK-US-002-01-create-user-model.md (3)</summary><blockquote>

`21-21`: **Consider using `datetime.utcnow()` instead of Arrow.**

The Arrow library is imported and used throughout for generating UTC timestamps, but its advanced features (timezone parsing, humanization, relative time) aren't utilized. Using Python's built-in `datetime.utcnow()` would:
- Eliminate an external dependency
- Improve performance (marginally)
- Simplify the code



<details>
<summary>♻️ Proposed refactor</summary>

```diff
 from datetime import datetime
 from typing import Optional
 import secrets
 import uuid
 
 from sqlmodel import Field, SQLModel, Relationship
 from passlib.hash import bcrypt
-import arrow


 class User(SQLModel, table=True):
     """User model for the IPFS Gateway."""
     
     __tablename__ = "users"
     
     id: Optional[int] = Field(default=None, primary_key=True)
     email: str = Field(unique=True, index=True, max_length=255)
     password_hash: str = Field()
     api_key: str = Field(unique=True, index=True, max_length=72)
     is_active: bool = Field(default=True)
     is_admin: bool = Field(default=False)
     is_deleted: bool = Field(default=False)
     usage_count: int = Field(default=0)
-    created_at: datetime = Field(default_factory=lambda: arrow.utcnow().datetime)
-    updated_at: datetime = Field(default_factory=lambda: arrow.utcnow().datetime)
+    created_at: datetime = Field(default_factory=datetime.utcnow)
+    updated_at: datetime = Field(default_factory=datetime.utcnow)
     last_renewed_at: Optional[datetime] = Field(default=None)

Then update all method calls:

-        self.last_renewed_at = arrow.utcnow().datetime
-        self.updated_at = arrow.utcnow().datetime
+        self.last_renewed_at = datetime.utcnow()
+        self.updated_at = datetime.utcnow()

Also applies to: 28-28, 44-46, 88-89, 95-95, 101-101, 106-106, 111-111

---

92-111: Consider automating updated_at timestamp updates.

Every mutation method manually sets self.updated_at = datetime.utcnow(). While explicit, this is repetitive and error-prone if forgotten in future methods. Consider using SQLModel's event hooks or a before-update trigger at the database level.

Example using SQLAlchemy events (SQLModel is built on SQLAlchemy):

from sqlalchemy import event
from sqlalchemy.orm import Session

`@event.listens_for`(User, 'before_update', propagate=True)
def update_timestamp(mapper, connection, target):
    target.updated_at = datetime.utcnow()

Note: This would require careful consideration of when updates should and shouldn't trigger timestamp changes.

---

31-46: Consider adding composite indexes for common query patterns.

The model has individual indexes on email and api_key, but queries filtering by user status will likely use combinations like:

• Active, non-deleted users: WHERE is_active = true AND is_deleted = false
• Admin users who are active: WHERE is_admin = true AND is_active = true

Adding composite indexes would improve query performance:

class User(SQLModel, table=True):
    """User model for the IPFS Gateway."""
    
    __tablename__ = "users"
    __table_args__ = (
        Index('ix_user_active_deleted', 'is_active', 'is_deleted'),
        Index('ix_user_admin_active', 'is_admin', 'is_active'),
    )

Don't forget to add the import:

from sqlalchemy import Index

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Security issue: /renew endpoint design enables unauthorized API key renewal.

The specification states that the /renew endpoint only requires an email address to send a new API key. This design allows anyone who knows a user's email to trigger API key regeneration, potentially:

• Causing denial of service by invalidating the user's current key
• Creating confusion and support burden
• Enabling email enumeration attacks

Recommendations:

• Require the current (possibly compromised) API key for authentication before renewal
• Implement a secure email verification flow (send a time-limited renewal link)
• Add rate limiting specifically for this endpoint (e.g., 1 renewal per 24 hours per email)
• Consider requiring additional verification for high-value accounts

🤖 Prompt for AI Agents

In `@documentation/backend-specs.md` at line 12, The /renew endpoint currently
allows API key regeneration with only an email, enabling unauthorized renewals;
change the flow for the /renew route to require strong verification: require the
current API key (authenticate the caller) via the existing auth middleware
before allowing renewal, or implement a secure email verification flow that
sends a time-limited, single-use renewal token/link to the email and only renews
when that token is presented; add rate limiting for the /renew route (e.g., 1
per 24h per email) and consider branching for high-value accounts to require
additional verification; update any handler or controller for the "/renew" route
to enforce these checks and log audit events for renewals.

[coderabbitai]

🛠️ Refactor suggestion | 🟠 Major

Specify rate limiting details for better implementation guidance.

While rate limiting is mentioned as a requirement, the specification lacks concrete details that would guide implementation:

• Rate limits per endpoint (e.g., uploads, retrievals, registrations)
• Rate limit windows (per minute/hour/day)
• Per-user vs. per-IP rate limiting strategy
• Rate limit response format (remaining quota, reset time)
• Handling of rate limit violations

Consider adding a "Rate Limiting Strategy" subsection with these details to ensure consistent implementation across endpoints.

🤖 Prompt for AI Agents

In `@documentation/backend-specs.md` around lines 23 - 27, Update the "API
Security" section by adding a new "Rate Limiting Strategy" subsection that
specifies concrete limits per endpoint (e.g., uploads, retrievals,
registrations), explicit windows for each limit (per minute/hour/day), whether
limits apply per-user (API key) or per-IP (or both) for each endpoint, the exact
rate-limit response format (HTTP status code, headers like X-RateLimit-Limit,
X-RateLimit-Remaining, X-RateLimit-Reset and JSON body fields), and the behavior
on violation (429 response, retry-after header, optional backoff or temporary
blocking); ensure this subsection sits alongside the existing "Rate Limiting"
bullet under the "API Security" heading so implementers can copy these rules
directly.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Critical: API key length exceeds max_length constraint.

The api_key field is defined with max_length=64, but the generated API key will be 72 characters long:

• Prefix "ipfs_gw_" = 8 characters
• secrets.token_hex(32) = 64 hexadecimal characters
• Total = 72 characters

This will cause database insertion failures or silent truncation.

🔧 Proposed fix

-    api_key: str = Field(unique=True, nullable=False, index=True, max_length=64)
+    api_key: str = Field(unique=True, index=True, max_length=72)

Also applies to: 72-79

🤖 Prompt for AI Agents

In `@tasks/backend/TASK-US-002-01-create-user-model.md` at line 39, The api_key
Field is declared with max_length=64 but the generated key uses the prefix
"ipfs_gw_" + secrets.token_hex(32) (72 chars); update the api_key Field's
max_length to at least 72 (I recommend 80 for headroom) and update any other
occurrences of this constraint (the referenced lines 72-79) so they match; after
changing the api_key Field, create and run the corresponding DB migration to
alter the column length so inserts won't fail.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Validate/sanitize the S3 key derived from filename.

Using raw filename as the object key can allow path-like keys, collisions, or unexpected overwrites. Please add key normalization (e.g., UUID prefix) and validate allowed characters.

🔐 Example hardening

-            # Upload to Filebase
-            self.client.upload_fileobj(
-                file,
-                FILEBASE_BUCKET_NAME,
-                filename,
-                ExtraArgs=extra_args,
-            )
+            key = f"{uuid4().hex}/{secure_filename(filename)}"
+            self.client.upload_fileobj(
+                file,
+                FILEBASE_BUCKET_NAME,
+                key,
+                ExtraArgs=extra_args,
+            )
...
-            return UploadResult(cid=cid, size=size, key=filename)
+            return UploadResult(cid=cid, size=size or 0, key=key)

🤖 Prompt for AI Agents

In `@tasks/backend/TASK-US-005-02-implement-filebase-service.md` around lines 120
- 179, The upload_file method currently uses the raw filename as the S3 key;
sanitize and normalize the key before upload by removing path separators and
disallowed characters, enforcing a safe character whitelist (alphanumerics,
dashes, underscores, dots), and limiting length; prepend a UUID (or secure
random prefix) to the sanitized filename to avoid collisions and overwrites, and
use this sanitized_key when calling self.client.upload_fileobj and when
returning UploadResult(key=...). Ensure all references to filename in
head_object and logging use sanitized_key and that FILEBASE_BUCKET_NAME remains
unchanged.

---

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

find . -name "TASK-US-005-02-implement-filebase-service.md" -type f

Repository: LIDR-academy/AI4Devs-finalproject

Length of output: 137

---

🏁 Script executed:

# Also search for any ipfs_service.py or filebase references
find . -type f -name "*ipfs*service*" -o -name "*filebase*"

Repository: LIDR-academy/AI4Devs-finalproject

Length of output: 137

---

🌐 Web query:

Python file-like object seekable streams BinaryIO seek non-seekable

💡 Result:

Seekability is a runtime property of file-like objects (not guaranteed by BinaryIO)

• In Python’s I/O model, a stream is seekable iff obj.seekable() returns True. If it’s False, then seek(), tell(), and truncate() are expected to raise OSError. [1]
• typing.BinaryIO is a broad type (“types of I/O streams such as returned by open()”), and it is not a protocol with strict guarantees—so a BinaryIO value may still be non-seekable (e.g., sockets / HTTP responses). [2]

Practical pattern: check seekable() and fall back to buffering

from typing import BinaryIO
import io
import tempfile

def ensure_seekable(src: BinaryIO, *, max_mem: int = 8 * 1024 * 1024) -> BinaryIO:
    if getattr(src, "seekable", lambda: False)():
        return src

    # Option A: memory+disk spooling (best general-purpose)
    tmp = tempfile.SpooledTemporaryFile(max_size=max_mem, mode="w+b")  # seekable
    while True:
        chunk = src.read(1024 * 1024)
        if not chunk:
            break
        tmp.write(chunk)
    tmp.seek(0)
    return tmp

    # Option B (if you KNOW it's small): return io.BytesIO(src.read())

Why SpooledTemporaryFile: it keeps data in memory up to max_size, then transparently rolls over to disk, and behaves like a normal seekable file. [3]

“Can I wrap a non-seekable stream to make it seekable?”

Not in a magic way. If the underlying source is inherently sequential (socket/HTTP), you generally must buffer/copy somewhere (memory or a temp file) to support seeking. This is a common issue with HTTP response objects. [4]

Note on io.BufferedReader docs vs reality

Some docs describe io.BufferedReader as giving higher-level access to a readable “non-seekable” raw stream, but in practice it can wrap seekable streams too; its seekable() just reflects the underlying stream. [5]

Sources: [1] io.IOBase.seekable() behavior [1], typing.BinaryIO scope/non-protocol note [2], tempfile.SpooledTemporaryFile behavior [3], non-seekable HTTPResponse / buffering requirement [4], BufferedReader seekability discussion [5].

---

Handle non-seekable upload streams with buffering.

file.seek() will raise OSError on non-seekable streams (HTTP responses, request bodies, sockets) since BinaryIO does not guarantee seekability. The guard with seekable() prevents crashes, but still leaves the stream unhandled. Instead, convert non-seekable streams to seekable ones using tempfile.SpooledTemporaryFile() to buffer in memory/disk, or accept that size cannot be determined and handle None in downstream code.

💡 Recommended approach

+            # Convert non-seekable streams to seekable via buffering
+            if hasattr(file, "seekable") and not file.seekable():
+                import tempfile
+                buffered = tempfile.SpooledTemporaryFile(max_size=8*1024*1024)
+                while True:
+                    chunk = file.read(1024*1024)
+                    if not chunk:
+                        break
+                    buffered.write(chunk)
+                buffered.seek(0)
+                file = buffered
+            
             # Get file size
             file.seek(0, 2)  # Seek to end
             size = file.tell()
             file.seek(0)  # Seek back to start

Alternatively, if seeking is not critical, set size = None for non-seekable streams and update UploadResult to accept optional size.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	def upload_file(
	self,
	file: BinaryIO,
	filename: str,
	content_type: str = "application/octet-stream",
	metadata: Optional[dict] = None,
	) -> UploadResult:
	"""Upload a file to IPFS via Filebase.
	Args:
	file: File-like object to upload.
	filename: Safe filename for the upload.
	content_type: MIME type of the file.
	metadata: Optional metadata to store with the file.
	Returns:
	UploadResult: Contains CID, size, and key.
	Raises:
	UploadError: If upload fails after retries.
	"""
	try:
	# Get file size
	file.seek(0, 2) # Seek to end
	size = file.tell()
	file.seek(0) # Seek back to start
	extra_args = {
	"ContentType": content_type,
	}
	if metadata:
	extra_args["Metadata"] = metadata
	logger.info(f"Uploading file: {filename}, size: {size}")
	# Upload to Filebase
	self.client.upload_fileobj(
	file,
	FILEBASE_BUCKET_NAME,
	filename,
	ExtraArgs=extra_args,
	)
	# Get the CID from response headers
	response = self.client.head_object(
	Bucket=FILEBASE_BUCKET_NAME,
	Key=filename,
	)
	cid = response["Metadata"].get("cid", "")
	if not cid:
	# Fallback: CID might be in different location
	cid = response.get("ResponseMetadata", {}).get(
	"HTTPHeaders", {}
	).get("x-amz-meta-cid", "")
	logger.info(f"Upload successful. CID: {cid}")
	return UploadResult(cid=cid, size=size, key=filename)
	def upload_file(
	self,
	file: BinaryIO,
	filename: str,
	content_type: str = "application/octet-stream",
	metadata: Optional[dict] = None,
	) -> UploadResult:
	"""Upload a file to IPFS via Filebase.
	Args:
	file: File-like object to upload.
	filename: Safe filename for the upload.
	content_type: MIME type of the file.
	metadata: Optional metadata to store with the file.
	Returns:
	UploadResult: Contains CID, size, and key.
	Raises:
	UploadError: If upload fails after retries.
	"""
	try:
	# Convert non-seekable streams to seekable via buffering
	if hasattr(file, "seekable") and not file.seekable():
	import tempfile
	buffered = tempfile.SpooledTemporaryFile(max_size=8*1024*1024)
	while True:
	chunk = file.read(1024*1024)
	if not chunk:
	break
	buffered.write(chunk)
	buffered.seek(0)
	file = buffered
	# Get file size
	file.seek(0, 2) # Seek to end
	size = file.tell()
	file.seek(0) # Seek back to start
	extra_args = {
	"ContentType": content_type,
	}
	if metadata:
	extra_args["Metadata"] = metadata
	logger.info(f"Uploading file: {filename}, size: {size}")
	# Upload to Filebase
	self.client.upload_fileobj(
	file,
	FILEBASE_BUCKET_NAME,
	filename,
	ExtraArgs=extra_args,
	)
	# Get the CID from response headers
	response = self.client.head_object(
	Bucket=FILEBASE_BUCKET_NAME,
	Key=filename,
	)
	cid = response["Metadata"].get("cid", "")
	if not cid:
	# Fallback: CID might be in different location
	cid = response.get("ResponseMetadata", {}).get(
	"HTTPHeaders", {}
	).get("x-amz-meta-cid", "")
	logger.info(f"Upload successful. CID: {cid}")
	return UploadResult(cid=cid, size=size, key=filename)

🤖 Prompt for AI Agents

In `@tasks/backend/TASK-US-005-02-implement-filebase-service.md` around lines 120
- 179, The upload_file implementation assumes the incoming BinaryIO is seekable
and calls file.seek() which will raise on non-seekable streams; change
upload_file to detect non-seekable streams (using file.seekable()) and if not
seekable, wrap the stream into a seekable buffer (e.g.,
tempfile.SpooledTemporaryFile()) and copy the incoming data into it so you can
determine size and rewind before upload (use the buffered object's seek/tell),
or alternatively set size = None and update UploadResult to accept Optional[int]
and downstream callers to handle None; update references in upload_file (file,
filename, size, UploadResult) accordingly and ensure metadata/ExtraArgs logic
and head_object/CID handling remain the same when using the buffered file.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Fail fast when Filebase config is missing.

Defaulting credentials/bucket to empty strings defers failures to runtime with confusing errors. Recommend validating config on startup and raising a clear exception if required values are missing.

🤖 Prompt for AI Agents

In `@tasks/backend/TASK-US-005-02-implement-filebase-service.md` around lines 286
- 294, The config currently defaults FILEBASE_ENDPOINT_URL,
FILEBASE_IPFS_API_KEY, FILEBASE_IPFS_API_SECRET, and FILEBASE_BUCKET_NAME to
empty strings which pushes errors to runtime; add startup validation that checks
these variables (FILEBASE_ENDPOINT_URL, FILEBASE_IPFS_API_KEY,
FILEBASE_IPFS_API_SECRET, FILEBASE_BUCKET_NAME) and raise a clear exception
(e.g., ValueError/ConfigError) if any required value is missing or empty, so the
application fails fast with a descriptive message; perform this validation in
the module that defines these constants or in the application initialization
path that imports them (e.g., config loader or init function).

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Use Next.js router instead of direct window.location manipulation.

Direct assignment to window.location.href bypasses Next.js's client-side routing, causing a full page reload and losing client-side state. Use the Next.js useRouter hook or programmatic navigation instead.

💡 Recommended approach

Since interceptors cannot directly access React hooks, consider one of these patterns:

Option 1: Emit a custom event that a component listens for:

// In interceptor
window.dispatchEvent(new CustomEvent('auth:unauthorized'));

// In a layout component with useRouter
useEffect(() => {
  const handleUnauth = () => router.push('/login');
  window.addEventListener('auth:unauthorized', handleUnauth);
  return () => window.removeEventListener('auth:unauthorized', handleUnauth);
}, [router]);

Option 2: Return a specific error that components handle:

// In interceptor - just reject with a custom error
if (error.response?.status === 401) {
  localStorage.removeItem("api_key");
  localStorage.removeItem("user_email");
  return Promise.reject(new Error('UNAUTHORIZED'));
}

// In components using React Query
onError: (error) => {
  if (error.message === 'UNAUTHORIZED') {
    router.push('/login');
  }
}

🤖 Prompt for AI Agents

In `@tasks/frontend/TASK-US-101-04-create-api-client.md` at line 58, Replace the
direct window.location.href assignment in the interceptor with a Next-friendly
navigation signal: either dispatch a CustomEvent like "auth:unauthorized" from
the interceptor (so a top-level component/layout using useRouter can listen for
that event and call router.push('/login')), or reject the request with a
distinct error (e.g., Error('UNAUTHORIZED')) after clearing localStorage so
calling components (React Query onError handlers or hooks) can detect that error
and call router.push('/login'); update the interceptor code path that currently
does window.location.href = "/login" to implement one of these two patterns.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Resolve UUID vs. integer ID inconsistency.
The technical notes specify UUID primary keys, but the ERD shows int id. Please update the diagram (and any related fields like user_id) to UUID to avoid divergent implementations.

📝 Suggested fix

-    USER {
-        int id PK
+    USER {
+        uuid id PK
@@
-    FILE {
-        int id PK
-        int user_id FK
+    FILE {
+        uuid id PK
+        uuid user_id FK
@@
-    AUDITLOG {
-        int id PK
-        int user_id FK
+    AUDITLOG {
+        uuid id PK
+        uuid user_id FK

Also applies to: 55-86

🤖 Prompt for AI Agents

In `@user-stories/backend/US-002-database-models-migrations.md` around lines 26 -
29, The ERD and docs currently show integer primary keys (e.g., "int id") while
the technical notes require UUIDs; update the diagram and all related field
references (e.g., user_id, id columns, and foreign key labels) to UUID, and
align model/migration definitions to use UUID primary keys and UUID foreign keys
(ensure defaults like uuid_generate_v4() or the framework's UUID generator are
specified). Also update any prose in the markdown that mentions "int id" to
"UUID" so the documentation, ERD, and model/migration names (e.g., user_id,
<entity>_id) are consistent. Ensure foreign key constraints and sample queries
in the doc reflect UUID types.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Require a secure verification step for API key renewal.
Renewal based solely on email enables account takeover (anyone can submit another user’s email). Consider requiring an authenticated session, a one-time token sent to email, or a signed verification link before issuing a new key.

Also applies to: 44-62

🤖 Prompt for AI Agents

In `@user-stories/backend/US-004-api-key-management.md` around lines 19 - 24, The
renew flow currently trusts only an email; change the API key renewal endpoint
(e.g., renew / renewApiKey handler) to require a secure verification: either an
authenticated session, a time-limited one-time token (OTP) sent to the user’s
email and verified by the renew handler, or a signed verification link
containing a nonce validated server-side before issuing a new key; ensure the
old key is invalidated, the action is recorded in AuditLog (use the same
AuditLog entry creation used by createApiKey/revokeApiKey), and trigger the
email notification path after successful renewal; update any renew-related
validation logic to reject requests that lack the OTP/session/signed nonce.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Consider data privacy implications of IP address logging.

The specification requires logging IP addresses (line 16, 43) for security analysis, which has privacy and compliance implications:

GDPR/CCPA Considerations:

• IP addresses are personally identifiable information (PII)
• Requires clear data retention and deletion policies
• Users may need the ability to request IP data deletion

Recommendations:

• Add a data retention policy (e.g., "IP addresses retained for 90 days")
• Document the legal basis for IP logging (legitimate interest for security)
• Consider IP anonymization/hashing for non-critical logs
• Add IP logging disclosure to user registration terms

Also applies to: 43-43

🤖 Prompt for AI Agents

In `@user-stories/backend/US-010-audit-logging.md` at line 16, Update the audit
logging spec to address IP privacy: in the "Details field" add a clear data
retention policy (e.g., IP_RETENTION_DAYS = 90) and a legal-basis statement
(e.g., "legitimate interest for security"); add an option to anonymize/hash IPs
for non-critical logs (e.g., ANONYMIZE_IPS flag and describe hashing
algorithm/entropy), require an admin workflow and API support to honor user
deletion requests for IP data, and add a note to registration/terms that IP
logging is performed; ensure the spec indicates whether raw IPs are stored
(retain_raw_ips boolean) and how/when raw→hashed migration or deletion occurs.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Security concern: Storing API keys in localStorage is a risk.

The technical note suggests storing API keys in "encrypted localStorage", but this approach is vulnerable to XSS attacks. localStorage is accessible to any JavaScript running on the page, making it unsuitable for sensitive credentials like API keys.

Consider these alternatives:

• Option 1 (Recommended): Use HTTP-only, Secure, SameSite cookies for session tokens after initial API key authentication. The backend validates the API key once and issues a short-lived session token.
• Option 2: If direct API key usage is required, prompt users to enter their API key per session and store it only in memory (React state/context), requiring re-entry after page refresh.
• Option 3: Implement OAuth2 or similar token-based authentication with refresh tokens stored in HTTP-only cookies.

🤖 Prompt for AI Agents

In `@user-stories/frontend/US-104-login-dashboard.md` at line 32, The doc suggests
"Store API key in secure HTTP-only context or encrypted localStorage", which is
insecure; update the guidance to recommend using HTTP-only, Secure, SameSite
cookies for session tokens (backend validates API key once and issues
short-lived session token) as the primary option, and add two alternatives: (a)
keep API keys only in memory (React state/context) for per-session use requiring
re-entry after refresh, and (b) implement OAuth2/token-based auth with refresh
tokens stored in HTTP-only cookies; replace the phrase "encrypted localStorage"
and explicitly list these three options (HTTP-only cookie flow, in-memory
per-session storage, OAuth2) with brief implementation notes for backend
validation and token lifetimes.