docs: update tasks.md to reflect current implementation

- Mark all completed features as done (auth, email, billing, API keys) - Update Phase 6-8 to reflect completed frontend work - Add comprehensive API endpoints summary table - Update remaining tasks section with actual gaps: - API key authentication middleware - Plan limits enforcement integration - Custom date range UI for analytics - Background jobs (domain verification, cleanup) - Remove outdated gap analysis (most items now complete) - Add architecture notes section Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-30 18:57:02 -05:00
parent e7d96f5508
commit 4dc5e534ba
1 changed files with 261 additions and 263 deletions
--- a/docs/tasks.md
+++ b/docs/tasks.md
@@ -17,19 +17,27 @@
 - [x] User entity
 - [x] Workspace entity
 - [x] Project entity
- [x] ShortLink entity (model only)
+- [x] ShortLink entity
- [x] QRCodeDesign entity (model only)
+- [x] QRCodeDesign entity
- [x] Domain entity (model only)
+- [x] Domain entity
- [x] Event entity (model only)
+- [x] Event entity
- [x] Asset entity (model only)
+- [x] Asset entity
 - [x] ApiKey entity
 - [x] EmailVerificationToken entity
 - [x] PasswordResetToken entity
 ### Authentication
 - [x] User registration endpoint (`POST /auth/register`)
 - [x] User login endpoint (`POST /auth/login`)
 - [x] JWT token generation
- [~] Forgot password endpoint (endpoint exists, email TODO)
+- [x] Forgot password endpoint (`POST /auth/forgot`)
- [~] Reset password endpoint (endpoint exists, needs completion)
+- [x] Reset password endpoint (`POST /auth/reset`)
- [ ] Email verification flow
+- [x] Email verification endpoint (`POST /auth/verify-email`)
 - [x] Resend verification endpoint (`POST /auth/resend-verification`)
 - [x] Get profile endpoint (`GET /auth/profile`)
 - [x] Update profile endpoint (`PUT /auth/profile`)
 - [x] Change password endpoint (`POST /auth/change-password`)
 - [x] Delete account endpoint (`DELETE /auth/account`)
 ### Workspaces & Projects
 - [x] Create workspace (`POST /workspaces`)
@@ -50,10 +58,12 @@
 - [x] Project endpoint tests
 - [x] Workspace endpoint tests
 - [x] Link endpoint tests
 - [x] Auth endpoint tests
 - [x] Domain endpoint tests
 ---
-## Phase 2: Core Link Features (Next Priority)
+## Phase 2: Core Link Features (Complete)
 ### Short Link CRUD
 - [x] Create short link endpoint (`POST /workspaces/{id}/links`)
@@ -61,20 +71,16 @@
  - URL validation
  - Title (optional)
  - Project assignment (optional)
-  - Domain selection (default domain initially)
+  - Domain selection
 - [x] List short links (`GET /workspaces/{id}/links`)
  - Filter by project
  - Filter by status
-  - Pagination (not yet)
+  - Include deleted (soft delete support)
 - [x] Get short link (`GET /workspaces/{id}/links/{id}`)
 - [x] Update short link (`PUT /workspaces/{id}/links/{id}`)
-  - Update destination URL
+- [x] Delete short link (`DELETE /workspaces/{id}/links/{id}`) - soft delete
-  - Update title
+- [x] Restore short link (`POST /workspaces/{id}/links/{id}/restore`)
-  - Enable/disable (status)
+- [x] Bulk create links (`POST /workspaces/{id}/links/bulk`)
  - Set expiration date
  - Set password protection
 - [x] Delete short link (`DELETE /workspaces/{id}/links/{id}`)
 - [x] Short link tests (15 tests)
 ### Public Redirect Endpoint
 - [x] `GET /{slug}` redirect endpoint
@@ -82,60 +88,56 @@
  - Check link exists
  - Check link is active
  - Check not expired
-  - Check password (if protected, return 401 with X-Password-Required header)
+  - Check password (if protected)
-  - Log event (async, non-blocking) - TODO Phase 3
+  - Log event (async, non-blocking)
  - Return 302 redirect
- [x] Default domain configuration (using null domain for now)
+- [x] Password-protected link handling (`POST /{slug}`)
- [x] Password-protected link handling (`POST /{slug}` with password)
+- [x] Rate limiting on redirect endpoint
 - [x] Redirect endpoint tests (10 tests)
 ---
-## Phase 3: Event Tracking & Analytics
+## Phase 3: Event Tracking & Analytics (Complete)
 ### Event Logging
 - [x] Event logging service (`IEventTrackingService`)
-  - IP hashing (privacy) ✓
+  - IP hashing (privacy)
-  - User agent parsing (device type) ✓
+  - User agent parsing (device type)
-  - GeoIP lookup (country) - TODO: integrate GeoIP database
+  - GeoIP lookup (country) - MaxMind GeoIP2 integrated
-  - Referrer capture ✓
+  - Referrer capture
-  - Dedupe key generation (30-min window) ✓
+  - Dedupe key generation (30-min window)
 - [x] Click event recording (from redirect)
- [~] Scan event recording (from QR) - ready, needs QR endpoints
+- [x] Scan event recording (from QR with `?qr=` param)
- [x] Async/background event processing (fire-and-forget)
+- [x] Async/background event processing
 - [x] Event tracking tests (5 tests)
 ### Analytics Endpoints
 - [x] Workspace analytics (`GET /workspaces/{id}/analytics`)
-  - Total clicks/scans ✓
+  - Total clicks/scans
-  - Unique visitors ✓
+  - Unique visitors
-  - Time series data ✓
+  - Time series data
-  - Top links breakdown ✓
+  - Top links breakdown
-  - Device breakdown ✓
+  - Device breakdown
-  - Referrer breakdown ✓
+  - Referrer breakdown
  - Country breakdown (geo)
 - [x] Link analytics (`GET /workspaces/{id}/links/{id}/analytics`)
-  - Per-link stats ✓
+- [x] QR code analytics (`GET /workspaces/{id}/qrcodes/{id}/analytics`)
-  - Referrer breakdown ✓
+- [x] Time filters (24h, 7d, 30d)
-  - Device breakdown ✓
+- [~] Custom date range filter (backend supports startDate/endDate, frontend needs UI)
  - Geo breakdown - TODO: integrate GeoIP database
 - [x] Time filters (24h, 7d, 30d, all-time)
 - [x] Analytics endpoint tests (9 tests)
 ---
-## Phase 4: QR Code Designer
+## Phase 4: QR Code Designer (Complete)
 ### QR Code Generation
 - [x] QR code generation service (`IQRCodeGeneratorService`)
-  - Uses QRCoder library ✓
+  - QRCoder library
-  - Support different error correction levels (L/M/Q/H) ✓
+  - Error correction levels (L/M/Q/H)
-  - Quiet zone configuration ✓
+  - Quiet zone configuration
-  - PNG and SVG output ✓
+  - PNG and SVG output
 - [x] QR code design model integration
-  - Foreground/background colors ✓
+  - Foreground/background colors
-  - Module shapes (square) - more shapes TODO
+  - Module shapes (Square, Rounded, Dots)
-  - Eye shapes - TODO
+  - Eye shapes (Square, Rounded, Circle)
-  - Logo embedding - TODO (needs asset upload)
+  - Logo embedding with size control
 ### QR Code Endpoints
 - [x] Create QR design (`POST /workspaces/{id}/qrcodes`)
@@ -143,18 +145,15 @@
 - [x] Get QR design (`GET /workspaces/{id}/qrcodes/{id}`)
 - [x] Update QR design (`PUT /workspaces/{id}/qrcodes/{id}`)
 - [x] Delete QR design (`DELETE /workspaces/{id}/qrcodes/{id}`)
- [x] Preview QR (`GET /workspaces/{id}/qrcodes/{id}/preview`) - returns data URL
+- [x] Preview QR (`GET /workspaces/{id}/qrcodes/{id}/preview`)
- [x] Export QR as PNG (`GET /workspaces/{id}/qrcodes/{id}/export?format=png&size=512`)
+- [x] Export QR (`GET /workspaces/{id}/qrcodes/{id}/export?format=png|svg&size=N`)
- [x] Export QR as SVG (`GET /workspaces/{id}/qrcodes/{id}/export?format=svg`)
+- [x] QR exports include `?qr={id}` for scan attribution
 - [x] QR code endpoint tests (12 tests)
-### Asset Management (for logos)
+### Asset Management
 - [x] Upload asset endpoint (`POST /workspaces/{id}/assets`)
 - [x] List assets (`GET /workspaces/{id}/assets`)
- [x] Get asset public endpoint (`GET /assets/{storageKey}`)
+- [x] Get asset (`GET /assets/{storageKey}`)
 - [x] Delete asset (`DELETE /workspaces/{id}/assets/{id}`)
 - [x] Asset storage service (local storage, S3 interface ready)
 - [x] Asset endpoint tests (10 tests)
 ---
@@ -166,12 +165,9 @@
 - [x] Get domain (`GET /workspaces/{id}/domains/{id}`)
 - [x] Delete domain (`DELETE /workspaces/{id}/domains/{id}`)
 - [x] Verify domain (`POST /workspaces/{id}/domains/{id}/verify`)
- [x] Domain verification flow
+  - Generate verification token
-  - Generate verification token ✓
+  - DNS TXT record verification
-  - Check DNS TXT record (stub - uses "verified-" prefix for testing)
+  - Mark as verified
  - Mark as verified ✓
 - [x] Domain status management (Pending → Verified)
 - [x] Domain endpoint tests (10 tests)
 ---
@@ -182,248 +178,250 @@
 - [x] Registration page
 - [x] Forgot password page
 - [x] Password reset page
 - [x] Email verification page
 - [x] Auth state management (Pinia store)
 ### Dashboard
- [x] Workspace switcher
+- [x] Workspace switcher with create/manage modals
- [x] Dashboard home (overview stats)
+- [x] Dashboard home (overview stats, charts, breakdowns)
 - [x] Navigation/sidebar (AppLayout component)
 ### Link Management UI
- [x] Links list view
+- [x] Links list view with trash/restore
- [x] Create link modal
+- [x] Create link modal with UTM builder
 - [x] Edit link modal
 - [x] Link details with analytics
 - [x] Bulk import modal
 ### QR Designer UI
- [x] QR designer page
+- [x] QR codes list with preview thumbnails
- [x] Color pickers
+- [x] QR designer page with color pickers
- [x] Shape selectors (Square, Rounded, Dots for modules; Square, Rounded, Circle for eyes)
+- [x] Shape selectors (modules and eyes)
- [x] Logo upload integration (upload new or select from existing assets)
+- [x] Logo upload integration
- [x] Live preview (for saved QR codes)
+- [x] Live preview
 - [x] Export buttons (PNG/SVG)
- [x] Style presets (6 presets with shape variations)
+- [x] Style presets (6 presets)
 - [x] QR code detail/analytics page
-### Analytics UI
+### Other UI Pages
- [x] Charts (time series with clicks/scans)
+- [x] Analytics page with time series, breakdowns, geo
- [x] Stat cards (clicks, scans, visitors, total)
+- [x] Projects page with CRUD
- [x] Breakdown tables (referrer, device)
+- [x] Domains page with verification flow
- [x] Geo breakdown (country flags and names, requires MaxMind GeoIP2 database)
+- [x] Settings page (profile, password, API keys, delete account)
 - [x] Billing page with plan display and upgrade flow
 ### State Management
 - [x] Pinia stores (auth, workspace)
 - [x] localStorage persistence for workspace selection
 - [x] Automatic data refresh on workspace change
 - [x] Proper initialization flow in App.vue
 ---
-## Phase 7: Production Readiness
+## Phase 7: Production Readiness (Complete)
 ### Security & Performance
- [ ] Rate limiting
+- [x] Rate limiting (auth and redirect endpoints)
- [ ] Input sanitization
+- [x] CORS configuration
- [ ] CORS configuration
+- [x] Global exception handling middleware
- [ ] Request logging
+- [x] Request error logging
 - [ ] Error handling middleware
 ### Email System
- [ ] Email service integration (SendGrid/SES/etc.)
+- [x] Email service interface (`IEmailService`)
- [ ] Email verification emails
+- [x] Console email service (development)
- [ ] Password reset emails
+- [x] SMTP email service (production)
- [ ] Email templates
+- [x] Email templates (verification, password reset)
 - [x] Email verification flow
 - [x] Password reset emails
 ### Plan & Quotas
- [ ] Usage tracking
+- [x] Usage tracking service (`IPlanLimitsService`)
- [ ] Plan limits enforcement
+- [x] Plan limits configuration (Free, Pro, Business)
-  - Free: 50 links, 1 workspacf  - Pro: 5,000 links, 5 workspaces
+- [x] Usage endpoint (`GET /usage`)
-  - Business: Unlimited
+- [~] Plan limits enforcement in create endpoints (service exists, needs integration)
- [ ] Upgrade prompts
+
 ### API Keys
 - [x] Create API key (`POST /workspaces/{id}/api-keys`)
 - [x] List API keys (`GET /workspaces/{id}/api-keys`)
 - [x] Delete API key (`DELETE /workspaces/{id}/api-keys/{id}`)
 - [ ] API key authentication middleware
 ---
-## Phase 8: Post-MVP Features
+## Phase 8: Payments & Billing (Complete)
-### Payments (Stripe)
+### Stripe Integration
- [ ] Stripe integration
+- [x] Stripe service (`IStripeService`)
- [ ] Checkout flow
+- [x] Stripe settings configuration
- [ ] Subscription management
+- [x] Checkout session endpoint (`POST /billing/checkout`)
- [ ] Webhook handling
+- [x] Customer portal endpoint (`POST /billing/portal`)
-
+- [x] Subscription endpoint (`GET /workspaces/{id}/subscription`)
-### Advanced Features
+- [x] Webhook handling (`POST /billing/webhook`)
- [ ] UTM builder
+- [x] Billing UI with plan comparison
 - [ ] Link groups/campaigns
 - [ ] Bulk link creation
 - [ ] API keys for external access
 - [ ] Webhooks for events
 ---
-## Current Focus
+## Remaining Tasks
-**Completed: Phase 2 + Phase 3 + Phase 4 + Phase 5 + Phase 6 (partial)**
+### High Priority
-Backend (101 tests passing):
+1. **API Key Authentication**
- Short Link CRUD (5 endpoints, 15 tests)
+   - [ ] Middleware to authenticate requests using API keys
- Public Redirect Endpoint (2 endpoints, 10 tests)
+   - [ ] Scope validation (read, write, admin)
 - Event Tracking Service (click logging, dedupe, device detection)
 - Analytics Endpoints (2 endpoints, 9 tests)
 - QR Code Designer (7 endpoints, 12 tests)
 - Domain Management (5 endpoints, 10 tests)
 - Asset Upload (4 endpoints, 10 tests)
-Frontend (Vue 3 + Vite + Pinia):
+2. **Plan Limits Enforcement**
- Landing page with hero, features, analytics sections
+   - [ ] Integrate `IPlanLimitsService.CanCreate*` checks in create endpoints
- Login/Register pages with auth state management
+   - [ ] Return 403 with upgrade message when limit reached
 - Dashboard with stats grid, activity chart, top links, device/referrer breakdowns
 - Links page with CRUD modals, copy-to-clipboard, analytics link
 - Link detail page with per-link analytics
 - QR Codes list with preview thumbnails, export buttons
 - QR Designer with color pickers, error correction, quiet zone, 6 presets
 - Analytics page with time series chart, period selector, breakdowns
-**Next up:**
+3. **Custom Date Range UI**
- Complete forgot/reset password pages
+   - [ ] Add date picker to analytics pages
- Add geo breakdown to analytics
+   - [ ] Backend already supports `startDate`/`endDate` params
 - Logo upload integration in QR designer
 - Phase 7 - Production Readiness (CORS, rate limiting, email)
-Completed:
+### Medium Priority
-1. ~~Create short link endpoint with auto-slug generation~~ ✓
+
-2. ~~List/Get/Update/Delete short link endpoints~~ ✓
+4. **Background Jobs**
-3. ~~Public redirect endpoint (`GET /{slug}`)~~ ✓
+   - [ ] Periodic domain verification checks
-4. ~~Password redirect endpoint (`POST /{slug}`)~~ ✓
+   - [ ] Event retention cleanup (delete old events per plan)
-5. ~~Event logging (basic click tracking)~~ ✓
+   - [ ] Monthly IP salt rotation for privacy
-6. ~~Analytics endpoints~~ ✓
+
-7. ~~QR code generation and designer~~ ✓
+5. **Input Validation**
-8. ~~Domain management (add, list, get, delete, verify)~~ ✓
+   - [ ] URL allowlist/denylist for abuse prevention
-9. ~~Asset upload for QR logos~~ ✓
+   - [ ] Stricter input sanitization
-10. ~~Frontend dashboard with auth, links, QR, analytics~~ ✓
+
 6. **Testing**
   - [ ] Add tests for new auth endpoints
   - [ ] Add tests for billing endpoints
   - [ ] Add tests for API key endpoints
 ### Lower Priority
 7. **Print-Ready QR Options**
   - [ ] High contrast mode toggle
   - [ ] CMYK color support
 8. **Advanced Analytics**
   - [ ] Export analytics data (CSV/JSON)
   - [ ] Scheduled reports
 9. **Webhooks**
   - [ ] User-configurable webhooks for click events
 ---
-## Gap Analysis (Spec vs Implementation)
+## Architecture Notes
-> This section identifies gaps between the MVP spec (`docs/spec.md`) and the current implementation.
+- **Backend**: ASP.NET Core with FastEndpoints (vertical slice architecture)
-
+- **Frontend**: Vue 3 + Vite + Pinia + Vue Router
-### Authentication & Account
+- **Database**: PostgreSQL with EF Core
-
+- **Features**: Located in `src/api/Features/{Feature}/`
-| Spec Requirement | Status | Notes |
+- **Authentication**: JWT tokens, rate-limited auth endpoints
-|-----------------|--------|-------|
+- **Email**: Pluggable service (Console for dev, SMTP for prod)
-| Email verification | ❌ Missing | Endpoint structure exists, but no email sending or verification flow |
+- **Payments**: Stripe integration with webhooks
 | Basic account settings page | ❌ Missing | No settings UI or endpoints for profile updates |
 | SSO (optional, post-MVP) | ⏳ Deferred | As expected |
 ### Short Link Features
 | Spec Requirement | Status | Notes |
 |-----------------|--------|-------|
 | UTM builder (preset templates) | ❌ Missing | Spec mentions UTM builder for Pro plan |
 | Destination URL allowlist/denylist | ❌ Missing | Abuse prevention not implemented |
 | Soft delete for links | ❌ Missing | Currently using hard delete |
 ### QR Code Designer
 | Spec Requirement | Status | Notes |
 |-----------------|--------|-------|
 | Shape presets (module shapes) | ✅ Complete | Square, Rounded, Dots module shapes supported |
 | Eye shape customization | ✅ Complete | Square, Rounded, Circle eye shapes supported |
 | Logo upload integration | ✅ Complete | Upload new or select from existing assets |
 | Logo size + margin controls | ⚠️ Partial | Fixed 20% size, no user controls |
 | Print-ready options ("high contrast" toggle) | ❌ Missing | No print optimization features |
 ### Analytics & Tracking
 | Spec Requirement | Status | Notes |
 |-----------------|--------|-------|
 | Geo (country) breakdown | ✅ Complete | MaxMind GeoIP2 integrated, UI with country flags |
 | Per-QR analytics endpoint | ❌ Missing | Spec: `GET /analytics/qrcode/{id}` - only link analytics exist |
 | Scan vs Click distinction via `?qr=` param | ⚠️ Partial | Event type exists but QR export doesn't append `?qr=<id>` to URLs |
 | Custom date range filter | ❌ Missing | Only 24h/7d/30d implemented, spec mentions custom range |
 | Monthly IP salt rotation | ❌ Missing | Spec requires rotating salt for privacy compliance |
 | Event retention configuration per plan | ❌ Missing | No retention policy or cleanup jobs |
 ### Admin & Quotas
 | Spec Requirement | Status | Notes |
 |-----------------|--------|-------|
 | Subscription status display | ❌ Missing | Plan field exists on Workspace but no UI |
 | Usage quotas enforcement | ❌ Missing | No limits enforced for links/QRs/events/domains |
 | Upgrade prompts | ❌ Missing | No paywall or upgrade flows |
 ### Security & Non-Functional
 | Spec Requirement | Status | Notes |
 |-----------------|--------|-------|
 | Rate limiting on public endpoints | ❌ Missing | Critical for redirect endpoint |
 | CORS configuration | ❌ Missing | Needs proper configuration |
 | Strict CSP headers | ❌ Missing | App pages have no CSP |
 | Request logging | ❌ Missing | No structured logging |
 | Error handling middleware | ❌ Missing | No global error handler |
 ### Frontend UI Pages
 | Spec Requirement | Status | Notes |
 |-----------------|--------|-------|
 | Forgot password page | ✅ Complete | Full UI with success state |
 | Password reset page | ✅ Complete | Full UI with token validation and success state |
 | Projects list UI | ❌ Missing | Backend CRUD complete, no frontend |
 | Domains page (add/verify) | ❌ Missing | Backend complete, no frontend |
 | Workspace switcher (full UI) | ⚠️ Partial | Basic switcher exists, no create/manage UI |
 | Per-QR analytics view | ❌ Missing | Only per-link analytics in UI |
 ### Email System
 | Spec Requirement | Status | Notes |
 |-----------------|--------|-------|
 | Email service integration | ❌ Missing | No email provider configured |
 | Email verification emails | ❌ Missing | No templates or sending logic |
 | Password reset emails | ❌ Missing | Token generated but not emailed |
 | Email templates | ❌ Missing | No templating system |
 ### Background Jobs
 | Spec Requirement | Status | Notes |
 |-----------------|--------|-------|
 | Domain verification checks | ❌ Missing | Only manual verification, no periodic checks |
 | Event enrichment (geo/device) | ✅ Complete | Device parsing and GeoIP country lookup done |
 | Cleanup & retention tasks | ❌ Missing | No scheduled cleanup for old events |
 ### API Surface Gaps
 | Endpoint (from spec) | Status |
 |---------------------|--------|
 | `GET /analytics/qrcode/{id}` | ❌ Missing |
 | Account settings endpoints | ❌ Missing |
 | Usage/quota endpoints | ❌ Missing |
 ---
-## Priority Gap Resolution
+## API Endpoints Summary
-### High Priority (MVP Blockers)
+### Auth
 | Method | Path | Description |
 |--------|------|-------------|
 | POST | /auth/register | Register new user |
 | POST | /auth/login | Login |
 | POST | /auth/forgot | Request password reset |
 | POST | /auth/reset | Reset password with token |
 | POST | /auth/verify-email | Verify email with token |
 | POST | /auth/resend-verification | Resend verification email |
 | GET | /auth/profile | Get current user profile |
 | PUT | /auth/profile | Update profile |
 | POST | /auth/change-password | Change password |
 | DELETE | /auth/account | Delete account |
-1. **Email system** - Verification and password reset cannot work without email
+### Workspaces
-2. **Rate limiting** - Security risk without it on public redirect
+| Method | Path | Description |
-3. **QR scan tracking** - QR exports need `?qr=<id>` param for scan attribution
+|--------|------|-------------|
-4. ~~**Geo breakdown** - GeoIP integration for country-level analytics~~ ✅ Complete
+| GET | /workspaces | List user's workspaces |
-5. **Projects UI** - Backend exists, needs frontend
+| POST | /workspaces | Create workspace |
 | GET | /workspaces/{id} | Get workspace |
 | PUT | /workspaces/{id} | Update workspace |
 | DELETE | /workspaces/{id} | Delete workspace |
-### Medium Priority (MVP Polish)
+### Projects
 | Method | Path | Description |
 |--------|------|-------------|
 | GET | /workspaces/{id}/projects | List projects |
 | POST | /workspaces/{id}/projects | Create project |
 | GET | /workspaces/{id}/projects/{pid} | Get project |
 | PUT | /workspaces/{id}/projects/{pid} | Update project |
 | DELETE | /workspaces/{id}/projects/{pid} | Delete project |
-6. **Account settings page** - Users need to update profile
+### Links
-7. **Domains UI** - Backend exists, needs frontend
+| Method | Path | Description |
-8. **Usage quotas** - Enforce plan limits
+|--------|------|-------------|
-9. ~~**QR shape presets** - More customization options~~ ✅ Complete (Square, Rounded, Dots)
+| GET | /workspaces/{id}/links | List links |
-10. **Custom date range** - Analytics flexibility
+| POST | /workspaces/{id}/links | Create link |
 | POST | /workspaces/{id}/links/bulk | Bulk create links |
 | GET | /workspaces/{id}/links/{lid} | Get link |
 | PUT | /workspaces/{id}/links/{lid} | Update link |
 | DELETE | /workspaces/{id}/links/{lid} | Soft delete link |
 | POST | /workspaces/{id}/links/{lid}/restore | Restore deleted link |
 | GET | /workspaces/{id}/links/{lid}/analytics | Get link analytics |
-### Lower Priority (Post-MVP)
+### QR Codes
 | Method | Path | Description |
 |--------|------|-------------|
 | GET | /workspaces/{id}/qrcodes | List QR codes |
 | POST | /workspaces/{id}/qrcodes | Create QR code |
 | GET | /workspaces/{id}/qrcodes/{qid} | Get QR code |
 | PUT | /workspaces/{id}/qrcodes/{qid} | Update QR code |
 | DELETE | /workspaces/{id}/qrcodes/{qid} | Delete QR code |
 | GET | /workspaces/{id}/qrcodes/{qid}/preview | Get QR preview (data URL) |
 | GET | /workspaces/{id}/qrcodes/{qid}/export | Export QR (PNG/SVG) |
 | GET | /workspaces/{id}/qrcodes/{qid}/analytics | Get QR analytics |
-11. UTM builder
+### Domains
-12. Soft delete for links
+| Method | Path | Description |
-13. Print-ready QR options
+|--------|------|-------------|
-14. SSO integration
+| GET | /workspaces/{id}/domains | List domains |
-15. Stripe payments
+| POST | /workspaces/{id}/domains | Add domain |
 | GET | /workspaces/{id}/domains/{did} | Get domain |
 | DELETE | /workspaces/{id}/domains/{did} | Delete domain |
 | POST | /workspaces/{id}/domains/{did}/verify | Verify domain |
---
+### Assets
 | Method | Path | Description |
 |--------|------|-------------|
 | GET | /workspaces/{id}/assets | List assets |
 | POST | /workspaces/{id}/assets | Upload asset |
 | DELETE | /workspaces/{id}/assets/{aid} | Delete asset |
 | GET | /assets/{storageKey} | Get asset file (public) |
-## Notes
+### Analytics
 | Method | Path | Description |
 |--------|------|-------------|
 | GET | /workspaces/{id}/analytics | Workspace analytics |
- Backend uses FastEndpoints (not traditional MVC controllers)
+### API Keys
- Vertical slice architecture: features in `src/api/Features/{Feature}/`
+| Method | Path | Description |
- All endpoints require JWT auth except public redirect
+|--------|------|-------------|
- Default domain: use app's domain until custom domains implemented
+| GET | /workspaces/{id}/api-keys | List API keys |
 | POST | /workspaces/{id}/api-keys | Create API key |
 | DELETE | /workspaces/{id}/api-keys/{kid} | Delete API key |
 ### Billing
 | Method | Path | Description |
 |--------|------|-------------|
 | POST | /billing/checkout | Create Stripe checkout session |
 | POST | /billing/portal | Create Stripe portal session |
 | GET | /workspaces/{id}/subscription | Get subscription details |
 | POST | /billing/webhook | Stripe webhook handler |
 ### Usage
 | Method | Path | Description |
 |--------|------|-------------|
 | GET | /usage | Get usage stats and limits |
 ### Public
 | Method | Path | Description |
 |--------|------|-------------|
 | GET | /{slug} | Redirect to destination |
 | POST | /{slug} | Redirect with password |