V0.1.1 release, close to actual release. Bug & security fixes/improvements.

2026-05-24 19:29:41 +02:00
parent a7b44af91a
commit b004e15948
38 changed files with 3145 additions and 137 deletions
--- a/agent1_batch10.md
+++ b/agent1_batch10.md
@@ -0,0 +1,29 @@
+# Batch 10 — API Documentation Update
+
+## File Changed
+- `docs/API.md`
+
+## Exact Changes Made
+
+### 1. Added `POST /api/content/:cxid/report` endpoint
+Inserted a new endpoint section between `GET /api/content/:cxid/file/:file_idx/raw` and `POST /api/content/:cxid/verify-password`.
+
+- **Auth:** None
+- **Body:** `{ "reason": "string" }`
+- **Behavior documented:** Validates cxid, checks content is active, inserts report with `reporter_user_id = 0` (web), forwards notification to all `review_group_ids` via Telegram Bot API
+- **Response:** `204 No Content` on success, `404 Not Found` if content not found/deleted/blacklisted
+- **Rate limiting:** Covered by the general API governor
+
+### 2. Updated `GET /api/content/:cxid/file/:file_idx` view counter note
+Changed the note from:
+> "Range requests and `If-None-Match` (ETag) matches do **not** increment the counter."
+
+To:
+> "Range requests, `If-None-Match` (ETag) matches, and HEAD requests do **not** increment the counter."
+
+### 3. Added "Password Flow" subsection under General Behavior
+Inserted after "Rate Limiting" and before "Fallback / Static Assets" to clarify:
+- The `sc` query parameter is checked on both the metadata endpoint (`GET /api/content/:cxid`) and the file endpoints (`GET /api/content/:cxid/file/:file_idx`, `GET /api/content/:cxid/file/:file_idx/raw`).
+- When valid, the server sets an HMAC-signed `cgcx_pw` cookie on the response.
+- Passwords can also be provided via the `cgcx_pw` cookie.
+- For programmatic verification, use `POST /api/content/:cxid/verify-password`.