docs(04): add validation strategy

.planning/phases/04-tasks-kanban/04-VALIDATION.md

@@ -0,0 +1,81 @@
+---
+phase: 4
+slug: tasks-kanban
+status: draft
+nyquist_compliant: false
+wave_0_complete: false
+created: 2026-05-15
+---
+
+# Phase 4 — Validation Strategy
+
+> Per-phase validation contract for feedback sampling during execution.
+
+---
+
+## Test Infrastructure
+
+| Property | Value |
+|----------|-------|
+| **Framework** | Go `testing` package + `net/http/httptest` |
+| **Config file** | none — standard `go test ./...` |
+| **Quick run command** | `go test ./internal/web/ -run TestTask -v` |
+| **Full suite command** | `go test ./...` |
+| **Estimated runtime** | ~15 seconds |
+
+---
+
+## Sampling Rate
+
+- **After every task commit:** Run `go test ./internal/web/ -run TestTask -v`
+- **After every plan wave:** Run `go test ./...`
+- **Before `/gsd-verify-work`:** Full suite must be green
+- **Max feedback latency:** 15 seconds
+
+---
+
+## Per-Task Verification Map
+
+| Task ID | Plan | Wave | Requirement | Threat Ref | Secure Behavior | Test Type | Automated Command | File Exists | Status |
+|---------|------|------|-------------|------------|-----------------|-----------|-------------------|-------------|--------|
+| 04-xx-01 | 01 | 1 | TASK-01 | T-04-IDOR | 4-column board only visible to tablo owner | integration | `go test ./internal/web/ -run TestTasksKanbanRenders -v` | ❌ W0 | ⬜ pending |
+| 04-xx-02 | 01 | 1 | TASK-02 | T-04-IDOR | POST /tablos/{id}/tasks requires tablo ownership | integration | `go test ./internal/web/ -run TestTaskCreate -v` | ❌ W0 | ⬜ pending |
+| 04-xx-03 | 01 | 2 | TASK-03 | T-04-IDOR | POST /tablos/{id}/tasks/{id} requires tablo ownership | integration | `go test ./internal/web/ -run TestTaskUpdate -v` | ❌ W0 | ⬜ pending |
+| 04-xx-04 | 01 | 2 | TASK-04 | T-04-ENUM | Status ENUM rejects invalid column values at DB layer | integration | `go test ./internal/web/ -run TestTaskReorderCrossColumn -v` | ❌ W0 | ⬜ pending |
+| 04-xx-05 | 01 | 2 | TASK-05 | T-04-MASS | Reorder only updates position/status, not title/desc | integration | `go test ./internal/web/ -run TestTaskReorderSameColumn -v` | ❌ W0 | ⬜ pending |
+| 04-xx-06 | 01 | 3 | TASK-06 | T-04-IDOR | DELETE requires tablo ownership + confirmation | integration | `go test ./internal/web/ -run TestTaskDelete -v` | ❌ W0 | ⬜ pending |
+| 04-xx-07 | 01 | 3 | TASK-07 | — | Positions persist across page reload | integration | `go test ./internal/web/ -run TestTaskOrderPersists -v` | ❌ W0 | ⬜ pending |
+
+*Status: ⬜ pending · ✅ green · ❌ red · ⚠️ flaky*
+
+---
+
+## Wave 0 Requirements
+
+- [ ] `backend/internal/web/handlers_tasks_test.go` — stubs covering TASK-01 through TASK-07
+- [ ] `backend/internal/db/queries/tasks.sql` — required before `sqlc generate` runs
+- [ ] `backend/migrations/0004_tasks.sql` — required before `setupTestDB` applies migrations
+- [ ] Sortable.js download added to `just bootstrap` — required before dev server starts
+
+---
+
+## Manual-Only Verifications
+
+| Behavior | Requirement | Why Manual | Test Instructions |
+|----------|-------------|------------|-------------------|
+| Drag-and-drop within column reorders visually | TASK-05 | Requires browser interaction with Sortable.js | Open /tablos/{id}, drag a task card up/down within a column, release, reload page, confirm order persists |
+| Drag-and-drop cross-column moves task | TASK-04 | Requires browser interaction | Open /tablos/{id}, drag task to a different column, release, reload, confirm task appears in new column |
+| Inline edit expand/collapse works | TASK-03 | Requires browser interaction | Click task card, confirm edit form appears, edit title, save, confirm card shows new title without full reload |
+
+---
+
+## Validation Sign-Off
+
+- [ ] All tasks have `<automated>` verify or Wave 0 dependencies
+- [ ] Sampling continuity: no 3 consecutive tasks without automated verify
+- [ ] Wave 0 covers all MISSING references
+- [ ] No watch-mode flags
+- [ ] Feedback latency < 15s
+- [ ] `nyquist_compliant: true` set in frontmatter
+
+**Approval:** pending