diff --git a/.planning/phases/08-social-sign-in/08-UAT.md b/.planning/phases/08-social-sign-in/08-UAT.md
new file mode 100644
index 0000000..2802258
--- /dev/null
+++ b/.planning/phases/08-social-sign-in/08-UAT.md
@@ -0,0 +1,59 @@
+---
+status: complete
+phase: 08-social-sign-in
+source:
+  - 08-01-SUMMARY.md
+  - 08-02-SUMMARY.md
+  - 08-03-SUMMARY.md
+  - 08-04-SUMMARY.md
+  - 08-05-SUMMARY.md
+started: 2026-05-15T19:29:29Z
+updated: 2026-05-15T19:46:05Z
+---
+
+## Current Test
+
+[testing complete]
+
+## Tests
+
+### 1. Cold Start Smoke Test
+expected: Kill any running backend process. From `backend/`, start the app with `just dev`. Postgres and MinIO start, generation completes, migrations apply, and the web server comes up on `http://localhost:8080` without startup errors. Loading the login page returns the Xtablo auth UI.
+result: pass
+
+### 2. Auth Pages Show Provider Controls
+expected: Visiting `/login` and `/signup` shows the Google provider control above the email/password form, followed by an `or` separator. When Google env vars are missing, the Google control is visible but disabled and non-clickable. When Google env vars are configured, the control links to `/auth/google/start`. Apple sign-in controls are not shown.
+result: pass
+
+### 3. Google Sign-in Flow
+expected: With Google OAuth env vars configured, clicking `Continue with Google` starts Google sign-in. After completing the provider flow, Xtablo creates or links the local account, issues the normal server-managed session cookie, and redirects to `/` as a signed-in user.
+result: pass
+
+### 4. Apple Sign-in Disabled
+expected: Apple sign-in is not shown on `/login` or `/signup`. There is no `Continue with Apple` button, no Apple disabled-state copy, and no link to `/auth/apple/start`. Direct requests to `/auth/apple/start` and `/auth/apple/callback` return 404.
+result: pass
+
+### 5. Existing Email/Password Auth Still Works
+expected: Email/password signup, login, logout, CSRF validation, and rate-limited invalid login behavior still work as before. Social sign-in controls do not submit or break the email/password form.
+result: pass
+
+### 6. Social-only Account Guardrails
+expected: For an email that already belongs to a social-only user, password signup shows `An account already exists for this email. Sign in with your provider.` Password login does not reveal provider details and fails with the normal invalid-credentials behavior.
+result: pass
+
+### 7. Linked Providers View
+expected: `/account/providers` requires authentication. When signed in, it shows `Linked providers` with a Google row. The row shows `Connected` with the stored provider email when linked, or `Not connected` when no Google identity is linked. No Apple row, unlink action, or add-password action is shown.
+result: pass
+
+## Summary
+
+total: 7
+passed: 7
+issues: 0
+pending: 0
+skipped: 0
+blocked: 0
+
+## Gaps
+
+[none yet]