diff --git a/.planning/phases/08-social-sign-in/08-VALIDATION.md b/.planning/phases/08-social-sign-in/08-VALIDATION.md index c03a99f..de2059b 100644 --- a/.planning/phases/08-social-sign-in/08-VALIDATION.md +++ b/.planning/phases/08-social-sign-in/08-VALIDATION.md @@ -1,10 +1,11 @@ --- phase: 8 slug: social-sign-in -status: draft +status: verified nyquist_compliant: true -wave_0_complete: false +wave_0_complete: true created: 2026-05-15 +updated: 2026-05-15 --- # Phase 8 — Validation Strategy @@ -19,16 +20,16 @@ created: 2026-05-15 |----------|-------| | **Framework** | Go test | | **Config file** | `backend/go.mod`, `backend/sqlc.yaml` | -| **Quick run command** | `cd backend && go test ./internal/auth ./internal/web` | -| **Full suite command** | `cd backend && go test ./...` | +| **Quick run command** | `cd backend && go test ./internal/auth ./internal/web -count=1` | +| **Full suite command** | `cd backend && go test ./... -count=1` | | **Estimated runtime** | ~30-90 seconds | --- ## Sampling Rate -- **After every task commit:** Run `cd backend && go test ./internal/auth ./internal/web` -- **After every plan wave:** Run `cd backend && go test ./...` +- **After every task commit:** Run `cd backend && go test ./internal/auth ./internal/web -count=1` +- **After every plan wave:** Run `cd backend && go test ./... -count=1` - **Before `$gsd-verify-work`:** Full suite must be green - **Max feedback latency:** 90 seconds @@ -38,12 +39,12 @@ created: 2026-05-15 | Requirement | Secure Behavior | Test Type | Automated Command | File Exists | Status | |-------------|-----------------|-----------|-------------------|-------------|--------| -| AUTH-08 | Google start route exists and handles missing config without leaking secrets | handler/unit | `cd backend && go test ./internal/web -run 'Test.*Google.*Start'` | ❌ W0 | ⬜ pending | -| AUTH-09 | Google callback validates state and verified ID token before local link/session | integration | `cd backend && go test ./internal/web -run 'Test.*Google.*Callback'` | ❌ W0 | ⬜ pending | -| AUTH-10 | Apple start route exists and handles missing config without leaking secrets | handler/unit | `cd backend && go test ./internal/web -run 'Test.*Apple.*Start'` | ❌ W0 | ⬜ pending | -| AUTH-11 | Apple callback validates state/nonce and verified ID token before local link/session | integration | `cd backend && go test ./internal/web -run 'Test.*Apple.*Callback'` | ❌ W0 | ⬜ pending | -| AUTH-12 | Provider callback creates existing Xtablo session cookie, not provider-token session | integration | `cd backend && go test ./internal/web -run 'Test.*Social.*Session'` | ❌ W0 | ⬜ pending | -| AUTH-13 | Email/password signup/login/logout/CSRF/rate-limit tests continue passing | regression | `cd backend && go test ./internal/auth ./internal/web` | ✅ | ⬜ pending | +| AUTH-08 | Google start route exists, provider controls render correctly, and missing config does not leak secrets | handler/unit | `cd backend && go test ./internal/web -count=1` | ✅ `handlers_social_test.go`, `handlers_auth_test.go` | ✅ green | +| AUTH-09 | Google callback validates state and verified ID token before local link/session | integration | `cd backend && go test ./internal/web -count=1` | ✅ `handlers_social_test.go` | ✅ green | +| AUTH-10 | Apple sign-in is hidden from login/signup while disabled | handler/unit | `cd backend && go test ./internal/web -count=1` | ✅ `handlers_auth_test.go` | ✅ green | +| AUTH-11 | Direct Apple sign-in routes are unavailable while disabled | handler/unit | `cd backend && go test ./internal/web -count=1` | ✅ `handlers_social_test.go` | ✅ green | +| AUTH-12 | Provider callback creates existing Xtablo session cookie, not provider-token session | integration | `cd backend && go test ./internal/web -count=1` | ✅ `handlers_social_test.go` | ✅ green | +| AUTH-13 | Email/password signup/login/logout/CSRF/rate-limit tests continue passing | regression | `cd backend && go test ./internal/auth ./internal/web -count=1` | ✅ auth + web test suites | ✅ green | *Status: ⬜ pending · ✅ green · ❌ red · ⚠️ flaky* @@ -51,29 +52,44 @@ created: 2026-05-15 ## Wave 0 Requirements -- [ ] `backend/migrations/0006_social_identities.sql` — nullable `users.password_hash` plus `user_identities` -- [ ] `backend/internal/db/queries/user_identities.sql` — identity lookup/link/update queries -- [ ] `backend/internal/web/handlers_social_test.go` — RED tests for Google/Apple start and callback flows -- [ ] `backend/internal/auth/oauth_test.go` or equivalent — RED tests for state/nonce/config/client-secret helpers +- [x] `backend/migrations/0006_social_identities.sql` — nullable `users.password_hash` plus `user_identities` +- [x] `backend/internal/db/queries/user_identities.sql` — identity lookup/link/update queries +- [x] `backend/internal/web/handlers_social_test.go` — Google start/callback tests plus Apple-disabled route guard +- [x] `backend/internal/auth/oauth_test.go` — config, cookie, nonce, verifier, and provider helper coverage --- ## Manual-Only Verifications -| Behavior | Requirement | Why Manual | Test Instructions | -|----------|-------------|------------|-------------------| -| Disabled provider buttons render when env vars are missing | AUTH-08, AUTH-10 | Visual/HTML state is fast to inspect manually during first pass | Start web with missing provider env vars; visit `/login` and `/signup`; confirm Google/Apple buttons are visible but disabled | -| Configured provider buttons route to provider start URLs | AUTH-08, AUTH-10 | Local provider credentials may not be available in every dev environment | Set dummy/local test provider config; visit `/login` and `/signup`; click each provider button; confirm start route redirects or returns controlled config/test response | +No manual-only validation gaps remain for Phase 8. Live Google provider dashboard configuration is covered by UAT rather than Nyquist unit coverage. + +--- + +## Validation Audit 2026-05-15 + +| Metric | Count | +|--------|-------| +| Requirements audited | 6 | +| Gaps found | 0 | +| Resolved | 0 | +| Escalated | 0 | + +Commands run: + +- `cd backend && go test ./internal/web -run 'TestGoogleStart|TestSignupProviderButtons|TestLoginProviderButtons' -count=1` +- `cd backend && go test ./internal/web -run 'TestGoogleCallback' -count=1` +- `cd backend && go test ./internal/web -run 'TestAppleRoutesAreDisabled|TestSignupProviderButtons|TestLoginProviderButtons' -count=1` +- `cd backend && go test ./internal/auth ./internal/web -count=1` --- ## Validation Sign-Off -- [ ] All tasks have `` verify or Wave 0 dependencies -- [ ] Sampling continuity: no 3 consecutive tasks without automated verify -- [ ] Wave 0 covers all MISSING references -- [ ] No watch-mode flags -- [ ] Feedback latency < 90s +- [x] All tasks have `` verify or Wave 0 dependencies +- [x] Sampling continuity: no 3 consecutive tasks without automated verify +- [x] Wave 0 covers all MISSING references +- [x] No watch-mode flags +- [x] Feedback latency < 90s - [x] `nyquist_compliant: true` set in frontmatter -**Approval:** pending +**Approval:** verified 2026-05-15