# UnifiedFiler v1.9.9 Notes

v1.9.9 focuses on Backend API contract stabilization, security policy hardening, and regression-test documentation before the v2.0 API freeze.

## Highlights

- Added `BackendApiContractService` with a stable Backend API v1.0 contract descriptor.
- Extended `BackendApiAdapter` with fixed endpoint mapping, enriched Host context, metadata, thumbnail, and backend-spec APIs.
- Added `SecurityPolicyService` for file name, path, upload, MIME/extension, and package-preview safety policy.
- Integrated `SecurityPolicyService` into `FileService` for write, upload, rename, create-folder, list, and search paths.
- Added backend metadata support to `MemoryApiBackendService` for Demo and regression testing.
- Extended `ApiClientService` context headers for workspace and owner object linking.
- Added regression test checklist documentation for FileExplorer, Picker/Saver, Google Drive, Backend API, and Security.

## Backend API contract

The canonical contract version is `1.0`. Backend implementations should support the following logical operations:

- `list`
- `search`
- `read`
- `upload`
- `createFolder`
- `rename`
- `remove`
- `copy`
- `move`
- `metadata`
- `thumbnail`
- `exportFile`

Context fields are available both as request payload/query values and conventional HTTP headers:

- `tenantId`
- `appId`
- `userId`
- `workspaceId`
- `ownerObjectType`
- `ownerObjectId`
- `permissionScope`
- `requestId`
- `contractVersion`

## Security policy

`SecurityPolicyService` is enabled by default in Demo `FileService`. It blocks path traversal, invalid names, and common executable upload extensions while keeping development-friendly web file types such as `.html`, `.css`, and `.js` usable.

Hosts can override policy:

```javascript
var securityPolicy = new SecurityPolicyService({
    maxUploadFileSize: 512 * 1024 * 1024,
    blockedExtensions: ['.exe', '.bat', '.cmd', '.msi'],
    allowedExtensions: null
});

var fileService = new FileService({
    registry: storageRegistry,
    securityPolicy: securityPolicy
});
```

## Compatibility

- Existing jQuery plugin APIs are preserved.
- Existing adapter APIs remain compatible.
- Backend API additions are additive and do not break the in-browser Memory backend.
