cve-dashboard/.kiro/specs/jira-api-compliance-cleanup/tasks.md

Tasks

Task 1: Remove the POST /api/jira/search route

  • 1.1 Delete the router.post('/search', ...) handler from backend/routes/jiraTickets.js (the entire block from the JSDoc comment through the closing });)
  • 1.2 Verify no other code in the routes file references the removed handler
  • 1.3 Verify the server starts without errors after the route removal

Task 2: Widen the JQL time window to 72 hours

  • 2.1 In backend/helpers/jiraApi.js, change the searchIssuesByKeys() JQL string from updated >= -24h to updated >= -72h
  • 2.2 Update the JSDoc comment on searchIssuesByKeys() if it references the 24-hour window

Task 3: Update the API use-cases documentation

  • 3.1 In docs/api/jira-api-use-cases.md, update the bulk sync use case (Use Case 8) to reflect the -72h JQL window and remove any reference to arbitrary JQL or POST /rest/api/2/search
  • 3.2 Update the Compliance Summary Table to reflect that JQL queries use predefined scoped patterns (no arbitrary JQL passthrough) and the -72h window
  • 3.3 Update the Estimated Daily API Usage table to remove the arbitrary JQL search row and recalculate the total
  • 3.4 Add POST /rest/api/2/search to the Blocked Endpoints section with an explanation that arbitrary JQL search via POST is not used

Task 4: Write property-based test for JQL window invariant

  • 4.1 Create a property-based test that verifies searchIssuesByKeys() always generates JQL containing both the updated >= -72h window clause and a project = scope clause, for any non-empty array of issue keys
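The window invariant from Tasks 2 and 4, worked as an added example rather than code taken from cve-dashboard. It models the scoped query builder that searchIssuesByKeys() is described as using, under assumed names and shapes: a buildSearchJql(projectKey, issueKeys) function, a PROJ-123 issue-key format enforced by a regex, and a seeded mulberry32 generator standing in for a property-testing library so the check runs with no dependencies. The point worth seeing is that the invariant is cheap to state only because the builder never accepts caller-supplied JQL: keys are validated, deduplicated and interpolated into a fixed pattern, so a key carrying JQL operators is rejected instead of being passed through.

```javascript
// Added example for the JQL window invariant; not the project's own code.
// Assumed: searchIssuesByKeys() delegates to a builder shaped like
// buildSearchJql(projectKey, issueKeys), and Jira issue keys look like PROJ-123.
'use strict';

const JQL_WINDOW = '-72h'; // widened window from Task 2 (was -24h)

// Issue keys are validated before interpolation, so a key such as
// "CVE-1) OR project = X" can never change the shape of the query.
const ISSUE_KEY_RE = /^[A-Z][A-Z0-9_]*-\d+$/;
const PROJECT_KEY_RE = /^[A-Z][A-Z0-9_]*$/;

// Predefined scoped pattern: project scope, explicit key list, fixed window.
function buildSearchJql(projectKey, issueKeys) {
  if (typeof projectKey !== 'string' || !PROJECT_KEY_RE.test(projectKey)) {
    throw new Error(`invalid project key: ${String(projectKey)}`);
  }
  if (!Array.isArray(issueKeys) || issueKeys.length === 0) {
    throw new Error('issueKeys must be a non-empty array');
  }
  for (const key of issueKeys) {
    if (typeof key !== 'string' || !ISSUE_KEY_RE.test(key)) {
      throw new Error(`invalid issue key: ${String(key)}`);
    }
  }
  const unique = [...new Set(issueKeys)];
  return `project = ${projectKey} AND key in (${unique.join(', ')}) AND updated >= ${JQL_WINDOW}`;
}

// mulberry32: small seeded PRNG so a failing iteration can be replayed from its seed.
function mulberry32(seed) {
  let a = seed >>> 0;
  return function next() {
    a = (a + 0x6d2b79f5) >>> 0;
    let t = a;
    t = Math.imul(t ^ (t >>> 15), t | 1);
    t ^= t + Math.imul(t ^ (t >>> 7), t | 61);
    return ((t ^ (t >>> 14)) >>> 0) / 4294967296;
  };
}

// Generator: a non-empty array (1..50 entries, duplicates allowed) of valid keys.
function randomIssueKeys(rand, projectKey) {
  const count = 1 + Math.floor(rand() * 50);
  const keys = [];
  for (let i = 0; i < count; i++) {
    keys.push(`${projectKey}-${1 + Math.floor(rand() * 100000)}`);
  }
  return keys;
}

// Property: for every generated input the JQL is project-scoped, carries exactly
// one "updated" clause, that clause is the -72h window, and every key appears.
// Returns { ok, iteration, jql } so a failure reports the counterexample.
function checkJqlWindowProperty(iterations = 500, seed = 42) {
  const rand = mulberry32(seed);
  const projects = ['CVE', 'SEC', 'OPS_1']; // constructed sample project keys
  for (let i = 0; i < iterations; i++) {
    const project = projects[Math.floor(rand() * projects.length)];
    const keys = randomIssueKeys(rand, project);
    const jql = buildSearchJql(project, keys);
    const fail = () => ({ ok: false, iteration: i, jql });
    if (!jql.startsWith(`project = ${project} AND `)) return fail();
    if (!jql.endsWith('updated >= -72h')) return fail();
    if (jql.includes('-24h')) return fail();
    if ((jql.match(/\bupdated\b/g) || []).length !== 1) return fail();
    for (const key of new Set(keys)) {
      if (!jql.includes(key)) return fail();
    }
  }
  return { ok: true, iteration: iterations, jql: null };
}

// Negative case: hostile or malformed input is rejected, never interpolated.
function isRejected(projectKey, issueKeys) {
  try {
    buildSearchJql(projectKey, issueKeys);
    return false;
  } catch (err) {
    return true;
  }
}

console.log(buildSearchJql('CVE', ['CVE-101', 'CVE-102', 'CVE-101']));
console.log(checkJqlWindowProperty());
console.log(isRejected('CVE', ['CVE-1) OR project = SECRET AND key in (X-1']));
```

The example-based checks in isRejected() are what turn the property into a compliance argument: the property shows the window is always present for valid input, and the rejection cases show there is no input path by which the window, or the project scope, can be replaced. If the real builder accepts a different key format (for example lowercase project prefixes), adjust ISSUE_KEY_RE to match Jira's actual rules rather than loosening the check to a bare string.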

Task 5: Write example-based tests for route removal and remaining routes

  • 5.1 Write a test that sends POST /api/jira/search and asserts HTTP 404
  • 5.2 Write tests that verify the remaining Jira routes (GET /lookup/:issueKey, POST /sync-all, POST /:id/sync, POST /create-in-jira) still respond with non-404 status codes