arthur/xtablo-source
1
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions 5

docs(08): verify Nyquist validation coverage

Browse source
This commit is contained in:
Arthur Belleville 2026-05-15 21:52:33 +02:00
parent 4101138f15
commit 981d2a0174
No known key found for this signature in database
1 changed files with 42 additions and 26 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

68
.planning/phases/08-social-sign-in/08-VALIDATION.md
View file

@ -1,10 +1,11 @@
---
phase: 8
slug: social-sign-in
status: draft
status: verified
nyquist_compliant: true
wave_0_complete: false
wave_0_complete: true
created: 2026-05-15
updated: 2026-05-15
---
# Phase 8 — Validation Strategy
@ -19,16 +20,16 @@ created: 2026-05-15
|----------|-------|
| **Framework** | Go test |
| **Config file** | `backend/go.mod`, `backend/sqlc.yaml` |
| **Quick run command** | `cd backend && go test ./internal/auth ./internal/web` |
| **Full suite command** | `cd backend && go test ./...` |
| **Quick run command** | `cd backend && go test ./internal/auth ./internal/web -count=1` |
| **Full suite command** | `cd backend && go test ./... -count=1` |
| **Estimated runtime** | ~30-90 seconds |
---
## Sampling Rate
- **After every task commit:** Run `cd backend && go test ./internal/auth ./internal/web`
- **After every plan wave:** Run `cd backend && go test ./...`
- **After every task commit:** Run `cd backend && go test ./internal/auth ./internal/web -count=1`
- **After every plan wave:** Run `cd backend && go test ./... -count=1`
- **Before `$gsd-verify-work`:** Full suite must be green
- **Max feedback latency:** 90 seconds
@ -38,12 +39,12 @@ created: 2026-05-15
| Requirement | Secure Behavior | Test Type | Automated Command | File Exists | Status |
|-------------|-----------------|-----------|-------------------|-------------|--------|
| AUTH-08 | Google start route exists and handles missing config without leaking secrets | handler/unit | `cd backend && go test ./internal/web -run 'Test.*Google.*Start'` | ❌ W0 | ⬜ pending |
| AUTH-09 | Google callback validates state and verified ID token before local link/session | integration | `cd backend && go test ./internal/web -run 'Test.*Google.*Callback'` | ❌ W0 | ⬜ pending |
| AUTH-10 | Apple start route exists and handles missing config without leaking secrets | handler/unit | `cd backend && go test ./internal/web -run 'Test.*Apple.*Start'` | ❌ W0 | ⬜ pending |
| AUTH-11 | Apple callback validates state/nonce and verified ID token before local link/session | integration | `cd backend && go test ./internal/web -run 'Test.*Apple.*Callback'` | ❌ W0 | ⬜ pending |
| AUTH-12 | Provider callback creates existing Xtablo session cookie, not provider-token session | integration | `cd backend && go test ./internal/web -run 'Test.*Social.*Session'` | ❌ W0 | ⬜ pending |
| AUTH-13 | Email/password signup/login/logout/CSRF/rate-limit tests continue passing | regression | `cd backend && go test ./internal/auth ./internal/web` | ✅ | ⬜ pending |
| AUTH-08 | Google start route exists, provider controls render correctly, and missing config does not leak secrets | handler/unit | `cd backend && go test ./internal/web -count=1` | ✅ `handlers_social_test.go`, `handlers_auth_test.go` | ✅ green |
| AUTH-09 | Google callback validates state and verified ID token before local link/session | integration | `cd backend && go test ./internal/web -count=1` | ✅ `handlers_social_test.go` | ✅ green |
| AUTH-10 | Apple sign-in is hidden from login/signup while disabled | handler/unit | `cd backend && go test ./internal/web -count=1` | ✅ `handlers_auth_test.go` | ✅ green |
| AUTH-11 | Direct Apple sign-in routes are unavailable while disabled | handler/unit | `cd backend && go test ./internal/web -count=1` | ✅ `handlers_social_test.go` | ✅ green |
| AUTH-12 | Provider callback creates existing Xtablo session cookie, not provider-token session | integration | `cd backend && go test ./internal/web -count=1` | ✅ `handlers_social_test.go` | ✅ green |
| AUTH-13 | Email/password signup/login/logout/CSRF/rate-limit tests continue passing | regression | `cd backend && go test ./internal/auth ./internal/web -count=1` | ✅ auth + web test suites | ✅ green |
*Status: ⬜ pending · ✅ green · ❌ red · ⚠️ flaky*
@ -51,29 +52,44 @@ created: 2026-05-15
## Wave 0 Requirements
- [ ] `backend/migrations/0006_social_identities.sql` — nullable `users.password_hash` plus `user_identities`
- [ ] `backend/internal/db/queries/user_identities.sql` — identity lookup/link/update queries
- [ ] `backend/internal/web/handlers_social_test.go` — RED tests for Google/Apple start and callback flows
- [ ] `backend/internal/auth/oauth_test.go` or equivalent — RED tests for state/nonce/config/client-secret helpers
- [x] `backend/migrations/0006_social_identities.sql` — nullable `users.password_hash` plus `user_identities`
- [x] `backend/internal/db/queries/user_identities.sql` — identity lookup/link/update queries
- [x] `backend/internal/web/handlers_social_test.go` — Google start/callback tests plus Apple-disabled route guard
- [x] `backend/internal/auth/oauth_test.go` — config, cookie, nonce, verifier, and provider helper coverage
---
## Manual-Only Verifications
| Behavior | Requirement | Why Manual | Test Instructions |
|----------|-------------|------------|-------------------|
| Disabled provider buttons render when env vars are missing | AUTH-08, AUTH-10 | Visual/HTML state is fast to inspect manually during first pass | Start web with missing provider env vars; visit `/login` and `/signup`; confirm Google/Apple buttons are visible but disabled |
| Configured provider buttons route to provider start URLs | AUTH-08, AUTH-10 | Local provider credentials may not be available in every dev environment | Set dummy/local test provider config; visit `/login` and `/signup`; click each provider button; confirm start route redirects or returns controlled config/test response |
No manual-only validation gaps remain for Phase 8. Live Google provider dashboard configuration is covered by UAT rather than Nyquist unit coverage.
---
## Validation Audit 2026-05-15
| Metric | Count |
|--------|-------|
| Requirements audited | 6 |
| Gaps found | 0 |
| Resolved | 0 |
| Escalated | 0 |
Commands run:
- `cd backend && go test ./internal/web -run 'TestGoogleStart|TestSignupProviderButtons|TestLoginProviderButtons' -count=1`
- `cd backend && go test ./internal/web -run 'TestGoogleCallback' -count=1`
- `cd backend && go test ./internal/web -run 'TestAppleRoutesAreDisabled|TestSignupProviderButtons|TestLoginProviderButtons' -count=1`
- `cd backend && go test ./internal/auth ./internal/web -count=1`
---
## Validation Sign-Off
- [ ] All tasks have `<automated>` verify or Wave 0 dependencies
- [ ] Sampling continuity: no 3 consecutive tasks without automated verify
- [ ] Wave 0 covers all MISSING references
- [ ] No watch-mode flags
- [ ] Feedback latency < 90s
- [x] All tasks have `<automated>` verify or Wave 0 dependencies
- [x] Sampling continuity: no 3 consecutive tasks without automated verify
- [x] Wave 0 covers all MISSING references
- [x] No watch-mode flags
- [x] Feedback latency < 90s
- [x] `nyquist_compliant: true` set in frontmatter
**Approval:** pending
**Approval:** verified 2026-05-15