KLKLine FrontendDashboard · Preview · Embed shell

F050

Object Tree server persistence gate

Combines backend source-map evidence and frontend JSON-safe contracts. Real server writes stay blocked until tenant ownership, audit, revision/conflict and read-after-write are all available.

Server writes

Blocked

F050 write gate.

Blocked checks

4

must be zero before persistence.

Mode

source-map-and-contract

source map + contracts only.

Required backend capabilities

Gate 1
admin auth/session owned by the app, not pasted into the UI
Gate 2
tenant ownership guard for widget/layout/object scope
Gate 3
server revision or etag conflict policy
Gate 4
idempotency key replay handling
Gate 5
audit-log write that can be inspected without sensitive values
Gate 6
read-after-write verification endpoint
Gate 7
runtime-token protected restore endpoint for customer iframe runtime

Overlay/drawing registry contract

PASS

/api/admin/widget-types/klinecharts-runtime/overlays/contract

Backend exposes a backend-only overlay/drawing registry contract. Object Tree overlay rows must stay sourced from this registry plus runtime getOverlays snapshots.

  • src/control-plane/widget-type-registry/widget-type-registry.controller.ts -> @Controller("admin/widget-types") + @Get("klinecharts-runtime/overlays/contract")

Overlay interaction / object-tree contract

PASS

/api/admin/widget-types/klinecharts-runtime/overlays/interaction/contract

Backend documents drawing mode, overlay events, object-tree sync and trusted plugin policy without exposing executable custom code.

  • src/control-plane/widget-type-registry/klinecharts-overlay-interaction.contract.ts -> object_tree_get_overlays
  • Runtime bootstrap handoff mentions object-tree sync and trusted registerOverlay policy

Built-in overlay restore test contract

PASS

/api/admin/widget-types/klinecharts-runtime/overlays/built-in-tests/part-1/contract

Backend has a built-in overlay test/restore handoff. Server persistence must honor restore-after-refresh and symbol-switch semantics before live writes are enabled.

  • src/control-plane/widget-type-registry/widget-type-registry.controller.ts -> @Get("klinecharts-runtime/overlays/built-in-tests/part-1/contract")

Indicator registry contract

PASS

/api/admin/widget-types/klinecharts-runtime/indicators/contract

Backend exposes indicator lifecycle/registry contract. Object Tree indicator rows must remain registry-driven and JSON-safe.

  • src/control-plane/widget-type-registry/widget-type-registry.controller.ts -> @Get("klinecharts-runtime/indicators/contract")

Chart instance Object Tree snapshot contract

PASS

/api/admin/widget-types/klinecharts-runtime/chart-instance-api/part1/contract

Backend handoff says getIndicators/getOverlays are safe redacted snapshots for Object Tree/Admin Preview; raw chart instance must stay inside chart-runtime.

  • src/control-plane/widget-type-registry/klinecharts-chart-instance-api-part1.contract.ts -> getIndicators/getOverlays productDecision

Chart instance pixel/pane helper contract

PASS

/api/admin/widget-types/klinecharts-runtime/chart-instance-api/part2/contract

Backend handoff covers getSize, convertToPixel and convertFromPixel for safe pane/object-tree selection without exposing DOM or chart instance to backend.

  • src/control-plane/widget-type-registry/klinecharts-chart-instance-api-part2.contract.ts -> getDom/getSize/convertToPixel/convertFromPixel handoff

Admin overlay registry endpoint

WARNING

/api/admin/kline/overlay-registry

Backend exposes an admin overlay registry endpoint, but it is admin-token protected. Frontend QA must not require manual admin token input or render token values.

  • src/control-plane/admin-api/admin-api.controller.ts -> @ApiBearerAuth() + @Get("kline/overlay-registry")

Admin indicator registry endpoint

WARNING

/api/admin/kline/indicator-registry

Backend exposes an admin indicator registry endpoint, but it is admin-token protected. Dashboard must use controlled admin flows and never expose token evidence.

  • src/control-plane/admin-api/admin-api.controller.ts -> @ApiBearerAuth() + @Get("kline/indicator-registry")

Planned Object Tree preflight endpoint

BLOCKED

/api/admin/chart-runtime-config/object-tree-drafts/preflight

No matching backend controller was found in the uploaded backend ZIP. F026 preflight remains a frontend contract until backend implements this route with tenant/auth/audit/revision enforcement.

  • No @Post("object-tree-drafts/preflight") or runtime object-tree draft controller found in backend source scan

Planned Object Tree persist endpoint

BLOCKED

/api/admin/chart-runtime-config/object-tree-drafts

Server-side Object Tree writes are still blocked. Persist must not be enabled until backend has idempotency replay, optimistic revision locking and audit-log enforcement.

  • Backend currently has registry/config contracts, not tenant-owned Object Tree draft persistence

Planned runtime Object Tree restore endpoint

BLOCKED

/api/v1/widget/object-tree

No runtime restore endpoint was found. Iframe runtime must keep using local/contract restore paths until backend adds a runtime-token protected restore API.

  • Runtime widget controller exposes /api/v1/widget/bootstrap and /api/v1/widget/bootstrap/contract only; no /api/v1/widget/object-tree route found

F050 server persistence write gate

BLOCKED

/api/admin/chart-runtime-config/object-tree-drafts

Server-side Object Tree writes remain disabled until preflight, persist, audit, tenant ownership, revision/conflict and read-after-write contracts are all present.

  • frontend can construct JSON-safe requests
  • frontend must not enable POST/PATCH persistence from dashboard yet

F050 restore modes

PASS

chart-runtime intent service

Runtime restore stays limited to validate-only, replace-local and merge-local modes until backend runtime restore exists.

  • validate-only
  • replace-local
  • merge-local

F050 JSON-safe payload boundary

PASS

packages/contracts + packages/api-client

Object Tree drafts, mutations and restore requests are JSON-safe and do not carry chart instances, DOM nodes, functions or sensitive credentials.

  • scope: widgetId + symbol + interval + layoutKey
  • idempotency key: client-generated string only