Backend Dependencies

Coordination items the backend must confirm before each finding can close. Sourced from 04-backend-dependencies/backend-contract-dependencies.md §7.

Summary: 9 coordination items, 6 FE↔BE seams, 0 capability drift. Source: 04-backend-deps.

Open coordination items. Each must be confirmed by a backend owner before the corresponding finding can close; none of the 9 is confirmed yet.
1. Confirm each routes.ts requiredCapability is enforced on the matching backend endpoint.
   DD-2 / A-RBAC-004. The string-level diff is clean (every frontend capability maps to a backend CAP_* constant), but that only shows the names agree. Whether each backend endpoint actually checks the capability at runtime still requires confirmation.
   Blocks: A-RBAC-004, A-RBAC-001
2. Confirm /api/v1/services/* does NOT require services.read after the 2026-05-19 change.
   AUDIT-003 / A-RBAC-001. The 2026-05-19 routes.ts change set requiredCapability to null for this route group, so the frontend no longer gates it. For that to be safe, one of two things must hold: the backend allows any authenticated user on the /api/v1/services/* endpoints, or the popup deep-link use case never calls a backend route the role lacks. Otherwise the frontend gate and the backend gate disagree.
   Blocks: A-RBAC-001
3. Provide an OpenAPI snapshot (/openapi.json) at SHA 49d4c7d for DD-2 and plan §10.2.
   Required as input for the auto-generated TS client, which replaces the hand-written interfaces in useApi.ts and so removes the type-drift risk between frontend interfaces and backend Pydantic models. Pinning the snapshot to the SHA keeps the generated client reproducible.
   Blocks: A-TS-005
4. Provide staging-backend access plus 2 seeded role accounts (admin and non-trader) for DD-2 / DD-3 end-to-end.
   Phase-0 Q2 dependency. Required for the end-to-end DD re-runs; the non-trader account is the low-privilege role the DD-2 enforcement checks are run as.
   Blocks: A-MONEY-001, A-RBAC-004
5. Confirm WebSocket payload shapes: which fields are guaranteed, and which can be null or missing?
   Feeds the A-TS-001 / 002 / 003 validator design. A validator can only be as strict as the contract; without a guaranteed-field list it must either reject legitimate frames or accept everything.
   Blocks: A-TS-001, A-TS-002, A-TS-003
6. Confirm the SSE event-type vocabulary on /api/v1/session-analytics/{id}/stream.
   Feeds the A-TS-004 validator design: the validator needs the closed set of event names so it can reject or count unknown events instead of casting them.
   Blocks: A-TS-004
7. Confirm whether trading_log_notification is the correct trigger for the WS↔REST high-speed-mode transition.
   Feeds the C-RT-001 fix design.
   Blocks: C-RT-001
8. Confirm whether maker_rebate_rate / taker_fee_rate already exist on the backend AccountConfig Pydantic model or need adding.
   Required to scope the A-TS-005 codegen: a field that is not on the backend model will not appear in the generated client.
   Blocks: A-TS-005
9. Confirm logout endpoint behaviour: does the backend invalidate the WS session token on logout, or does the FE need to close sockets explicitly?
   Feeds the A-AUTH-008 design. Until confirmed, the FE should assume the sockets outlive logout and close them itself.
   Blocks: A-AUTH-008

FE ↔ Backend seam catalog (every place the frontend touches the backend contract)

§1 Capability strings, RBAC sync. Status: clean

30/30 frontend capability constants match a backend CAP_* constant at the pinned SHA; no drift. This is a name-level check only: DD-2 still must verify that each backend route enforces the matching capability (coordination item 1).

Frontend constants
  Detail: 30 keys in CAPABILITIES
  Location: client/src/config/routes.ts:48-80
Backend constants
  Detail: CAP_* constants
  Location: server/src/core/permissions.py
Diff verdict
  Detail: no capability-string drift. The backend has 3 extras (CAP_ALL, admin.manage, audit.write); these are intentional and admin-only.
  Location: phase-0-baseline
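Added example (not project code) of the two checks behind coordination item 1 and §1: the name-level diff that §1 already reports, and the evaluation of runtime probe results that the "enforced on the matching endpoint" question actually needs. The route list, capability lists and probe results are constructed stand-ins for routes.ts, permissions.py and a staging run; the verdict names are mine.

```typescript
// Added example, not the project's code. Constructed routes, capability lists and probe
// results; the real routes.ts and permissions.py are not reproduced here.

type RouteEntry = { path: string; requiredCapability: string | null };
type Probe = { path: string; role: string; roleCaps: string[]; status: number };

// Constructed stand-ins for the CAPABILITIES map and the backend CAP_* constants.
const FRONTEND_CAPABILITIES: Record<string, string> = {
  TRADING_READ: "trading.read",
  ORDERS_WRITE: "orders.write",
  SERVICES_READ: "services.read",
};
const BACKEND_CAPS: string[] = [
  "trading.read", "orders.write", "services.read",
  "CAP_ALL", "admin.manage", "audit.write", // the 3 admin-only extras §1 mentions
];

const ROUTES: RouteEntry[] = [
  { path: "/api/v1/trading/positions", requiredCapability: "trading.read" },
  { path: "/api/v1/orders", requiredCapability: "orders.write" },
  { path: "/api/v1/services/status", requiredCapability: null }, // the post-2026-05-19 shape
];

// (a) Name-level diff: catches typos and renames, nothing else.
function diffCapabilities(fe: Record<string, string>, be: string[]) {
  const feValues = Object.keys(fe).map((k) => fe[k]);
  return {
    missingOnBackend: feValues.filter((c) => !be.includes(c)),
    backendExtras: be.filter((c) => !feValues.includes(c)),
  };
}

type Verdict =
  | "enforced"            // a role lacking the capability was denied
  | "NOT_ENFORCED"        // a role lacking the capability got through
  | "open-to-all-roles"   // requiredCapability null and every probed role got through
  | "fe-be-gate-mismatch" // requiredCapability null but the backend still denied a role
  | "unprobed";           // no probe exercised a role that lacks the capability

// (b) Runtime evaluation: each probe is one request made as a seeded role
// (item 4's admin / non-trader accounts) and the status the backend returned.
function evaluateEnforcement(routes: RouteEntry[], probes: Probe[]): Record<string, Verdict> {
  const out: Record<string, Verdict> = {};
  for (const route of routes) {
    const hits = probes.filter((p) => p.path === route.path);
    const cap = route.requiredCapability;
    if (cap === null) {
      if (hits.length === 0) out[route.path] = "unprobed";
      else if (hits.some((p) => p.status === 401 || p.status === 403)) out[route.path] = "fe-be-gate-mismatch";
      else out[route.path] = "open-to-all-roles";
      continue;
    }
    // Only probes by roles that lack the capability say anything about enforcement.
    const lacking = hits.filter((p) => !p.roleCaps.includes(cap));
    if (lacking.length === 0) out[route.path] = "unprobed";
    else if (lacking.some((p) => p.status < 400)) out[route.path] = "NOT_ENFORCED";
    else out[route.path] = "enforced";
  }
  return out;
}

// Constructed probe results, as if recorded against staging.
const PROBES: Probe[] = [
  { path: "/api/v1/trading/positions", role: "trader", roleCaps: ["trading.read", "orders.write"], status: 200 },
  { path: "/api/v1/trading/positions", role: "non-trader", roleCaps: [], status: 403 },
  { path: "/api/v1/orders", role: "trader", roleCaps: ["trading.read", "orders.write"], status: 200 },
  { path: "/api/v1/orders", role: "viewer", roleCaps: ["trading.read"], status: 200 }, // viewer lacks orders.write
  { path: "/api/v1/services/status", role: "trader", roleCaps: ["trading.read", "orders.write"], status: 200 },
  { path: "/api/v1/services/status", role: "non-trader", roleCaps: [], status: 200 },
];

function report(): Record<string, Verdict> {
  return evaluateEnforcement(ROUTES, PROBES);
}
```

The name diff comes back clean for these inputs, exactly as §1 reports for the real constants, while the probe evaluation flags /api/v1/orders as NOT_ENFORCED: a string match says nothing about whether the backend checks the capability. The null-capability route gets a separate verdict because item 2 is a two-sided question; a 403 there would mean the frontend gate is weaker than the backend's.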

§2 REST endpoints consumed by useApi.ts. Status: partial

useApi.ts is the single API consumer (2,296 LOC, ~250 exports). The live count of HTTP endpoints is maintained in the auto-generated API Reference view rather than here.

REST consumer
  Detail: useApi.ts (2,296 LOC, ~250 exports). See /api-reference for the auto-extracted endpoint list.
  Location: client/src/hooks/useApi.ts
Backend routers
  Detail: per-domain routers under /api/v1
  Location: server/src/api/routers/*
Recommended remediation
  Detail: generate the TS client from /openapi.json. Effort: M (1-3 days). Eliminates drift between FE types and backend Pydantic models.
  Location: Plan §10.2

§3 WebSocket channels. Status: partial

Three WebSocket sites in the frontend: the generic /ws/{channel} hook, a dedicated /ws/trading-logs socket, and a third LogViewer socket that is kept on the window.__logWs global.

/ws/{channel}
  Detail: channels: system, market_data, orders, executions, logs
  Location: client/src/hooks/useWebSocket.ts:25
/ws/trading-logs
  Detail: trading-engine log frames; switches to a throttled notification mode under high load
  Location: client/src/store/tradingLogStore.ts:544
/ws/logs (LogViewer)
  Detail: uses the window.__logWs global (C-RT-007); candidate for A-ARCH-020 unification
  Location: client/src/components/LogViewer.tsx:105,107

§4 SSE streams. Status: open

Single SSE stream for live session analytics. The hydrate path uses an inline fetch() that bypasses the shared 401 refresh handler (C-FE-005a, R1-blocker), so an expired access token produces a hard 401 on hydrate instead of the refresh-and-retry that every other request gets.
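Added example (not project code) of the fix shape for C-FE-005a: one request path that every caller, hydrate included, goes through, so no inline fetch() can skip the 401 handling. The transport, refresh function and hydrate URL are constructed for the example; the real refresh endpoint and hydrate path are not shown on this page.

```typescript
// Added example, not the project's code. Transport, refresh function and hydrate path are
// constructed; the refresh-and-retry policy is the point, not the URLs.

type HttpResponse = { status: number; body: string };
type Transport = (path: string, headers: Record<string, string>) => Promise<HttpResponse>;
type RefreshFn = () => Promise<string | null>; // new access token, or null if the session is gone

class ApiClient {
  private inflightRefresh: Promise<string | null> | null = null;
  private refreshCalls = 0;

  constructor(
    private readonly transport: Transport,
    private readonly refresh: RefreshFn,
    private accessToken: string,
    private readonly onSessionLost: () => void,
  ) {}

  async request(path: string): Promise<HttpResponse> {
    const first = await this.transport(path, this.authHeaders());
    if (first.status !== 401) return first;
    const token = await this.refreshOnce();
    if (token === null) {
      this.onSessionLost(); // fail closed: hand the 401 back, never retry with a dead session
      return first;
    }
    return this.transport(path, this.authHeaders()); // exactly one retry; a second 401 surfaces to the caller
  }

  // Concurrent 401s share a single refresh call instead of racing the refresh endpoint.
  private refreshOnce(): Promise<string | null> {
    if (this.inflightRefresh === null) {
      this.refreshCalls += 1;
      this.inflightRefresh = this.refresh().then(
        (tok) => { if (tok !== null) this.accessToken = tok; this.inflightRefresh = null; return tok; },
        (e) => { this.inflightRefresh = null; throw e; },
      );
    }
    return this.inflightRefresh;
  }

  get refreshCount(): number { return this.refreshCalls; }
  private authHeaders(): Record<string, string> { return { Authorization: `Bearer ${this.accessToken}` }; }
}

// The hydrate call written against the client instead of a bare fetch(). The path is assumed.
async function hydrateSession(client: ApiClient, sessionId: string): Promise<unknown[]> {
  const res = await client.request(`/api/v1/session-analytics/${encodeURIComponent(sessionId)}/hydrate`);
  if (res.status !== 200) throw new Error(`hydrate failed with ${res.status}`);
  const parsed: unknown = JSON.parse(res.body);
  if (!Array.isArray(parsed)) throw new Error("hydrate payload is not an array");
  return parsed;
}

// Constructed transport: a backend that accepts exactly one bearer token and 401s everything else.
function makeTransport(validToken: string): Transport {
  return async (_path, headers) =>
    headers.Authorization === `Bearer ${validToken}`
      ? { status: 200, body: "[]" }
      : { status: 401, body: "" };
}
```

Two properties are worth keeping when porting this: the retry happens at most once per request, so a backend that keeps answering 401 cannot put the client in a refresh loop, and a failed refresh clears the session rather than retrying with the stale token.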

/api/v1/session-analytics/{sessionId}/stream
  Detail: quote frames plus 5 SSE event types, currently typed via unchecked `as` casts. Capacity cap MAX_QUOTES = 10_000 at line 123. Hydrate uses an inline fetch() (C-FE-005a, R1-blocker).
  Location: client/src/hooks/useSessionStream.ts:264

§5 Browser-storage contract. Status: clean

Two storage sites only: sessionStorage for the auth slice, localStorage for the theme. Auth deliberately uses sessionStorage rather than localStorage as a middle ground: the token is still readable by any script running in the origin, but it does not survive the tab being closed and is not shared across tabs.

sessionStorage
  Detail: auth, paperSelection, paperSession (Zustand persist)
  Location: client/src/store/useStore.ts
localStorage
  Detail: STORAGE_KEY = 'theme'; also referenced in index.html:16 for flash-prevention
  Location: client/src/hooks/useTheme.ts:10,25

§6 Type-contract surface. Status: open

~250 hand-written TypeScript interfaces in useApi.ts mirror backend Pydantic models by hand. Drift is HIGH risk because nothing checks the two against each other: a renamed or newly nullable backend field compiles cleanly on the frontend and only fails at runtime, in whichever component reads it.

Hand-written interfaces
  Detail: LoginResponse, UserResponse, TradingConfig, …
  Location: client/src/hooks/useApi.ts
Backend models
  Detail: Pydantic models per router
  Location: server/src/api/schemas/*.py
Mitigation
  Detail: openapi-typescript codegen. One-time effort; future drift is caught at compile time.
  Location: Plan §10.2
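Added example (not project code) for coordination item 3, the §2 remediation and §6: a minimal generator from an OpenAPI components.schemas section to TS interfaces, plus a field-level diff between what the backend declares and what a hand-written interface assumes. The snapshot and the hand-written shape are constructed, not the real /openapi.json at 49d4c7d or the real useApi.ts interfaces; in practice the generation step is openapi-typescript (Plan §10.2), and the diff is what shows the drift that hand mirroring hides.

```typescript
// Added example, not the project's code. The OpenAPI snapshot and the hand-written
// field shape are constructed to show the kind of drift that only surfaces at runtime.

interface SchemaProp { type?: string; nullable?: boolean; items?: SchemaProp; $ref?: string; enum?: string[] }
interface ObjectSchema { type: "object"; properties: Record<string, SchemaProp>; required?: string[] }
interface OpenApiDoc { components: { schemas: Record<string, ObjectSchema> } }

const OPENAPI_SNAPSHOT: OpenApiDoc = {
  components: {
    schemas: {
      AccountConfig: {
        type: "object",
        properties: {
          account_id: { type: "string" },
          taker_fee_rate: { type: "number" },
          maker_rebate_rate: { type: "number", nullable: true }, // item 8 asks whether these two exist
        },
        required: ["account_id", "taker_fee_rate"],
      },
      UserResponse: {
        type: "object",
        properties: {
          id: { type: "integer" },
          roles: { type: "array", items: { type: "string" } },
          config: { $ref: "#/components/schemas/AccountConfig" },
        },
        required: ["id", "roles"],
      },
    },
  },
};

// OpenAPI property -> TS type text. nullable becomes an explicit `| null`, never a silent widening.
function tsType(p: SchemaProp): string {
  let base: string;
  if (p.$ref) base = p.$ref.split("/").pop() || "unknown";
  else if (p.enum) base = p.enum.map((v) => JSON.stringify(v)).join(" | ");
  else if (p.type === "array") base = `${p.items ? tsType(p.items) : "unknown"}[]`;
  else if (p.type === "integer" || p.type === "number") base = "number";
  else if (p.type === "string" || p.type === "boolean") base = p.type;
  else base = "unknown";
  return p.nullable ? `${base} | null` : base;
}

function generateInterface(name: string, schema: ObjectSchema): string {
  const required = schema.required || [];
  const lines = Object.keys(schema.properties).map((field) => {
    const opt = required.includes(field) ? "" : "?"; // not-required becomes optional, not nullable
    return `  ${field}${opt}: ${tsType(schema.properties[field])};`;
  });
  return [`export interface ${name} {`, ...lines, "}"].join("\n");
}

function generateClient(doc: OpenApiDoc): string {
  return Object.keys(doc.components.schemas)
    .map((n) => generateInterface(n, doc.components.schemas[n]))
    .join("\n\n");
}

// Field-level drift: what the backend declares vs. what a hand-written interface assumes.
type FieldShape = Record<string, { type: string; optional: boolean }>;

function shapeFromSchema(schema: ObjectSchema): FieldShape {
  const required = schema.required || [];
  const out: FieldShape = {};
  for (const f of Object.keys(schema.properties)) {
    out[f] = { type: tsType(schema.properties[f]), optional: !required.includes(f) };
  }
  return out;
}

function diffShapes(handWritten: FieldShape, backend: FieldShape): string[] {
  const drift: string[] = [];
  for (const f of Object.keys(backend)) {
    if (!(f in handWritten)) { drift.push(`missing on FE: ${f}`); continue; }
    if (handWritten[f].type !== backend[f].type) drift.push(`type mismatch on ${f}: FE ${handWritten[f].type}, backend ${backend[f].type}`);
    if (handWritten[f].optional !== backend[f].optional) drift.push(`optionality mismatch on ${f}`);
  }
  for (const f of Object.keys(handWritten)) if (!(f in backend)) drift.push(`FE expects ${f}, backend never sends it`);
  return drift;
}

// Constructed hand-written shape for UserResponse: `role: string` where the backend sends
// `roles: string[]`. This compiles on the FE and fails only when a component reads user.role.
const HAND_WRITTEN_USER_RESPONSE: FieldShape = {
  id: { type: "number", optional: false },
  role: { type: "string", optional: false },
  config: { type: "AccountConfig", optional: true },
};
```

Running diffShapes against the generated shape is the compile-time check the page's mitigation row refers to; once the interfaces are generated from the pinned snapshot rather than written by hand, the left-hand side of that diff is always identical to the right.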