Phase 5 focuses on implementing the API layer for GhostPaste, including R2 storage integration, RESTful endpoints, and security middleware. This phase is critical for enabling the core functionality of creating, reading, updating, and deleting encrypted gists.

| GitHub # | Component | Priority | Status | Description |

| -------- | --------------------- | -------- | -------- | ------------------------------------ |

| #103 | R2 Storage Foundation | CRITICAL | 🟡 Ready | R2 client wrapper and configuration |

| #104 | Storage Operations | CRITICAL | 🟡 Ready | Metadata and blob storage operations |

| GitHub # | Component | Priority | Status | Description |

| -------- | ------------------ | -------- | -------- | -------------------------------------------- |

| #105 | Create Gist API | CRITICAL | 🟡 Ready | POST /api/gists endpoint |

| #106 | Read Gist APIs | CRITICAL | 🟡 Ready | GET endpoints for metadata and blobs |

| #107 | Update/Delete APIs | HIGH | 🟡 Ready | PUT and DELETE endpoints with PIN validation |

| GitHub # | Component | Priority | Status | Description |

| -------- | ----------------- | -------- | -------- | ---------------------------------------- |

| #108 | API Middleware | HIGH | 🟡 Ready | Validation, error handling, and security |

| #109 | API Documentation | MEDIUM | 🟡 Ready | OpenAPI docs and integration tests |

**Priority:** CRITICAL

**Estimated Time:** 3-4 days

**Dependencies:** None

**Tasks:**

- [ ] Create R2 client wrapper using Cloudflare Workers R2 bindings

- [ ] Configure R2 bucket binding in wrangler.toml

- [ ] Create type-safe wrapper for R2 operations

- [ ] Handle R2 errors (R2Error, R2ObjectNotFound)

- [ ] Write unit tests for R2 client wrapper

- [ ] Document R2 configuration requirements

**Acceptance Criteria:**

- R2 client can be imported and used in API routes

- Type-safe operations for put, get, delete, list

- Proper error handling with custom error types

- Configuration works in both dev and production

**Priority:** CRITICAL

**Estimated Time:** 2-3 days

**Dependencies:** Issue 1

**Tasks:**

- [ ] Implement metadata upload/download (JSON) using R2 API

- [ ] Implement blob upload/download (binary) using R2 API

- [ ] Implement streaming for large files

- [ ] Add retry logic for transient failures

- [ ] Create storage utility functions

- [ ] Write integration tests with miniflare

**Acceptance Criteria:**

- Can store and retrieve JSON metadata

- Can store and retrieve binary blobs

- Streaming works for files up to 5MB

- Handles network errors gracefully

**Priority:** CRITICAL

**Estimated Time:** 3-4 days

**Dependencies:** Issue 2

**Tasks:**

- [ ] Create POST /api/gists endpoint

- [ ] Implement multipart form data parsing (Workers-compatible)

- [ ] Add request size validation (Workers limit: 100MB)

- [ ] Validate input data structure

- [ ] Store metadata in R2 with proper key structure

- [ ] Store encrypted blob in R2

- [ ] Return gist ID and share URL

**Acceptance Criteria:**

- Endpoint accepts encrypted gist data

- Validates all required fields

- Enforces size limits (500KB/file, 5MB total)

- Returns 201 with gist ID on success

- Handles errors with appropriate status codes

**Priority:** CRITICAL

**Estimated Time:** 2-3 days

**Dependencies:** Issue 2

**Tasks:**

- [ ] Create GET /api/gists/[id] for metadata

- [ ] Create GET /api/blobs/[id] for encrypted data

- [ ] Configure edge runtime for all routes

- [ ] Add caching headers for blobs

- [ ] Handle 404 for missing gists

- [ ] Implement one-time view deletion

**Acceptance Criteria:**

- Can retrieve gist metadata by ID

- Can retrieve encrypted blob by ID

- Returns 404 for non-existent gists

- One-time view gists are deleted after access

- Appropriate cache headers are set

**Priority:** HIGH

**Estimated Time:** 3-4 days

**Dependencies:** Issues 3 & 4

**Tasks:**

- [ ] Create PUT /api/gists/[id] endpoint

- [ ] Create DELETE /api/gists/[id] endpoint

- [ ] Implement PIN validation for both endpoints

- [ ] Ensure atomic operations (metadata + blob)

- [ ] Handle version conflicts

- [ ] Add audit logging

**Acceptance Criteria:**

- Can update gist with correct PIN

- Can delete gist with correct PIN

- Returns 401 for incorrect PIN

- Operations are atomic (all or nothing)

- Proper cleanup of both metadata and blob

**Priority:** HIGH

**Estimated Time:** 3-4 days

**Dependencies:** Can start with Issue 3

**Tasks:**

- [ ] Create input validation middleware

- [ ] Create error handling middleware

- [ ] Implement Cloudflare rate limiting rules

- [ ] Configure CORS for production domain

- [ ] Add request timeout handling (50ms CPU limit)

- [ ] Implement security headers

**Acceptance Criteria:**

- All inputs are validated before processing

- Errors return consistent JSON format

- Rate limiting prevents abuse

- CORS allows only specified origins

- CPU-intensive operations are optimized

**Priority:** MEDIUM

**Estimated Time:** 2-3 days

**Dependencies:** All other issues for completion

**Tasks:**

- [ ] Create OpenAPI/Swagger specification

- [ ] Document all endpoints and schemas

- [ ] Create API integration test suite

- [ ] Add example requests and responses

- [ ] Document R2 setup and configuration

- [ ] Create API client examples

**Acceptance Criteria:**

- Complete OpenAPI specification

- All endpoints have integration tests

- Documentation includes examples

- Setup guide for R2 configuration

- Tests run in CI pipeline

Start with R2 storage foundation as it blocks all other work. These issues can be worked on sequentially by one developer or in parallel if Issue 2 developer starts with interfaces and tests.

Implement the create and read endpoints. These can be developed in parallel by different developers once storage layer is ready.

Round out the API with update/delete operations and security middleware. Issue 6 can start earlier in parallel.

Complete API documentation and ensure comprehensive test coverage.

- **CRITICAL** (4): Issues 1, 2, 3, 4 - Core functionality

- **HIGH** (2): Issues 5, 6 - Security and complete CRUD

- **MEDIUM** (1): Issue 7 - Documentation and testing

- All API endpoints return responses within 50ms

- Zero data loss during storage operations

- 100% test coverage for critical paths

- API documentation is complete and accurate

- Rate limiting effectively prevents abuse

1. **R2 Configuration**: Ensure R2 bucket is created in Cloudflare dashboard before starting

2. **Edge Runtime**: All routes must use `export const runtime = 'edge'`

3. **Security**: PIN validation is critical for edit/delete operations

4. **Performance**: Watch for CPU time limits in Workers environment

5. **Testing**: Use miniflare for local R2 testing

gh issue create --title "feat: implement R2 storage foundation" --body "See PHASE_5_ISSUE_TRACKING.md for details" --label "api,priority: critical" --project "👻 GhostPaste"

gh issue list --label "api" --state open

gh issue edit [number] --add-label "in progress"

Last Updated: 2025-01-07

- [ ] Create R2 client wrapper using Cloudflare Workers R2 bindings - [#103](https://github.com/nullcoder/ghostpaste/issues/103)

- [ ] Configure R2 bucket binding in wrangler.toml - [#103](https://github.com/nullcoder/ghostpaste/issues/103)

- [ ] Implement metadata upload/download (JSON) using R2 API - [#104](https://github.com/nullcoder/ghostpaste/issues/104)

- [ ] Implement blob upload/download (binary) using R2 API - [#104](https://github.com/nullcoder/ghostpaste/issues/104)

- [ ] Handle R2 errors (R2Error, R2ObjectNotFound) - [#103](https://github.com/nullcoder/ghostpaste/issues/103)

- [ ] Create type-safe wrapper for R2 operations - [#103](https://github.com/nullcoder/ghostpaste/issues/103)

- [ ] Implement streaming for large files - [#104](https://github.com/nullcoder/ghostpaste/issues/104)

- [ ] Configure all routes with `export const runtime = 'edge'` - [#105](https://github.com/nullcoder/ghostpaste/issues/105), [#106](https://github.com/nullcoder/ghostpaste/issues/106), [#107](https://github.com/nullcoder/ghostpaste/issues/107)

- [ ] `POST /api/gists` - Create gist endpoint - [#105](https://github.com/nullcoder/ghostpaste/issues/105)

- [ ] `GET /api/gists/[id]` - Get gist metadata - [#106](https://github.com/nullcoder/ghostpaste/issues/106)

- [ ] `GET /api/blobs/[id]` - Get encrypted blob - [#106](https://github.com/nullcoder/ghostpaste/issues/106)

- [ ] `PUT /api/gists/[id]` - Update gist - [#107](https://github.com/nullcoder/ghostpaste/issues/107)

- [ ] `DELETE /api/gists/[id]` - Delete gist - [#107](https://github.com/nullcoder/ghostpaste/issues/107)

- [ ] Implement Cloudflare rate limiting rules - [#108](https://github.com/nullcoder/ghostpaste/issues/108)

- [ ] Add input validation middleware - [#108](https://github.com/nullcoder/ghostpaste/issues/108)

- [ ] Add error handling middleware - [#108](https://github.com/nullcoder/ghostpaste/issues/108)

- [ ] Configure API routes to access R2 bindings - [#103](https://github.com/nullcoder/ghostpaste/issues/103)

- [ ] Implement multipart form data parsing (Workers-compatible) - [#105](https://github.com/nullcoder/ghostpaste/issues/105)

- [ ] Add request size validation (Workers limit: 100MB) - [#105](https://github.com/nullcoder/ghostpaste/issues/105)

- [ ] Create consistent error responses - [#108](https://github.com/nullcoder/ghostpaste/issues/108)

- [ ] Add API documentation - [#109](https://github.com/nullcoder/ghostpaste/issues/109)

- [ ] Implement CORS configuration - [#108](https://github.com/nullcoder/ghostpaste/issues/108)

- [ ] Handle Workers CPU time limits (50ms) - [#108](https://github.com/nullcoder/ghostpaste/issues/108)