xtablo-source/.planning/phases/11-individual-planning/11-02-PLAN.md

phase	plan	type	wave	depends_on	files_modified	autonomous	requirements	must_haves
11-individual-planning	02	execute	2	11-01-PLAN.md	backend/internal/web/handlers_planning.go backend/internal/web/handlers_planning_test.go backend/internal/web/router.go backend/templates/planning.templ backend/templates/planning_forms.go	false	PLAN-01 PLAN-02 PLAN-03 PLAN-04	truths artifacts All PLAN-01..04 requirements are covered by automated tests or browser UAT All D-01..D-10 decisions from 11-CONTEXT.md are represented by source behavior, tests, or the browser checkpoint UI-SPEC: the page remains a restrained agenda view inside existing Layout, with no calendar recreation and no JS framework Validation: full generated-code backend verification and browser UAT run before Phase 11 is marked complete path provides backend/internal/web/handlers_planning_test.go final planning regression coverage path provides backend/templates/planning.templ final UI contract adjustments

Vertical slice 2: harden the individual planning page with full generated-code verification, targeted regression fixes, and the required browser UAT approval for the first upcoming-agenda behavior. @/Users/arthur.belleville/Documents/perso/projects/xtablo-source/.planning/phases/11-individual-planning/11-CONTEXT.md @/Users/arthur.belleville/Documents/perso/projects/xtablo-source/.planning/phases/11-individual-planning/11-RESEARCH.md @/Users/arthur.belleville/Documents/perso/projects/xtablo-source/.planning/phases/11-individual-planning/11-UI-SPEC.md @/Users/arthur.belleville/Documents/perso/projects/xtablo-source/.planning/phases/11-individual-planning/11-VALIDATION.md @/Users/arthur.belleville/Documents/perso/projects/xtablo-source/.planning/phases/11-individual-planning/11-01-PLAN.md

<threat_model> T-11-01 Unauthenticated access remains covered by full router tests. T-11-02 Cross-user event leaks remain covered by ListUserEventsRange tests and planning page ownership tests. T-11-03 XSS remains covered by templ escaped rendering and should be spot-checked with HTML-looking event/tablo/location content. T-11-04 Invalid date input remains covered by fallback tests. T-11-05 Source-link drift remains covered by response assertions for /tablos/{id}/events?month=YYYY-MM. T-11-06 Regression risk: extending NewRouter can silently break existing auth, tablos, tasks, etapes, events, and files test helpers if the full suite is not run. </threat_model>

<source_audit> SOURCE | ID | Feature/Requirement | Plan | Status | Notes GOAL | - | Personal planning view aggregates scheduled events across tablos | 11-01,11-02 | COVERED | Route, query, agenda template, UAT REQ | PLAN-01 | Authenticated user can open individual planning page | 11-01,11-02 | COVERED | Protected route test and browser UAT REQ | PLAN-02 | Planning lists user's scheduled events across tablos chronologically | 11-01,11-02 | COVERED | ListUserEventsRange plus response-order tests REQ | PLAN-03 | Planning links each event back to tablo context | 11-01,11-02 | COVERED | /tablos/{id}/events?month=YYYY-MM REQ | PLAN-04 | Functional empty state and date navigation/filtering | 11-01,11-02 | COVERED | 14-day navigation and empty-state tests CONTEXT | D-01..D-05 | Upcoming 14-day agenda, fixed windows, no calendar recreation | 11-01,11-02 | COVERED | Handler date model and UI contract CONTEXT | D-06..D-10 | Continuous rows, row fields, color dot, no descriptions, no-end display | 11-01,11-02 | COVERED | Template and response assertions RESEARCH | Security | Protected route, authenticated user query, escaping, invalid-date fallback | 11-01,11-02 | COVERED | Threat model and tests UI-SPEC | Contract | Header, toolbar, agenda list, empty state, responsive/accessibility basics | 11-01,11-02 | COVERED | Template and browser UAT </source_audit>

Task 1: Run full generated-code backend verification and fix planning regressions - backend/internal/web/handlers_planning.go - backend/internal/web/handlers_planning_test.go - backend/internal/web/router.go - backend/cmd/web/main.go - backend/templates/planning.templ - backend/templates/planning_forms.go - backend/internal/web/handlers_planning.go - backend/internal/web/handlers_planning_test.go - backend/internal/web/router.go - backend/cmd/web/main.go - backend/templates/planning.templ - backend/templates/planning_forms.go - .planning/phases/11-individual-planning/11-VALIDATION.md - .planning/phases/11-individual-planning/11-UI-SPEC.md Run generated-code verification and the full backend suite. Fix any regressions caused by `PlanningDeps`, `NewRouter` signature changes, generated templ output, route ordering, date/link helpers, or planning test fixtures. Keep fixes scoped to Phase 11 files and direct router call-site updates. Do not change Phase 10 event semantics, `ListUserEventsRange`, or existing task/file/etape behavior unless a compile break from the router signature requires call-site updates. cd backend && just generate && TEST_DATABASE_URL='postgres://xtablo:xtablo@localhost:5432/xtablo?sslmode=disable' go test ./... -count=1 - `cd backend && just generate` exits 0. - `cd backend && TEST_DATABASE_URL='postgres://xtablo:xtablo@localhost:5432/xtablo?sslmode=disable' go test ./... -count=1` exits 0. - `git diff --check` exits 0. - Existing auth, tablos, tasks, etapes, events, and files tests still pass after adding `/planning`. Task 2: Browser UAT checkpoint for individual planning - .planning/phases/11-individual-planning/11-UI-SPEC.md - .planning/phases/11-individual-planning/11-VALIDATION.md - backend/templates/planning.templ Start the app with `cd backend && just dev` or an equivalent local server using the same generated assets, sign in, create or use events across multiple tablos, and open `/planning`. Verify: 1. Unauthenticated `/planning` redirects to login. 2. Authenticated `/planning` renders `Planning` inside the normal authenticated layout. 3. The default range is today through 13 days after today. 4. Events from multiple owned tablos appear in one chronological agenda list. 5. Event rows show time, title, tablo title/color dot when present, and location when present. 6. Event rows do not show description snippets, edit/delete controls, grouped day headers, or a calendar grid. 7. Previous 14 days, Today, and Next 14 days controls work through normal links. 8. Empty ranges show `No events in this range` while navigation remains visible. 9. Event links return to `/tablos/{id}/events?month=YYYY-MM`. 10. User approves the first upcoming-agenda behavior from the ROADMAP user-in-loop note. cd backend && go test ./internal/web -run 'TestPlanning' -count=1 Browser confirms PLAN-01..04 and the 11-UI-SPEC interaction contract. - Full backend tests pass before the browser checkpoint. - Browser UAT covers auth, default range, navigation, empty state, event row content, and source tablo links. - User approves today/upcoming 14-day agenda behavior before Phase 11 is marked complete. Run: - `cd backend && just generate` - `cd backend && TEST_DATABASE_URL='postgres://xtablo:xtablo@localhost:5432/xtablo?sslmode=disable' go test ./... -count=1` - `git diff --check` - Browser UAT from Task 2

<success_criteria>

• All PLAN-01..04 requirements are complete.
• All D-01..D-10 context decisions are implemented or verified.
• UI-SPEC is satisfied by the first functional individual planning agenda.
• Security expectations are covered by protected route mounting, owned-only aggregation, escaped rendering, and invalid-date fallback. </success_criteria>