docs(02): create phase 2 plan — Users & Authentication

5 plans across 5 waves covering AUTH-01..08, SEC-01..03/05..07,
ADMIN-01..05/07. Includes security hardening (Origin validation,
per-account rate limiting, TOTP replay prevention, refresh token
family revocation with security alert), TOTP + backup code login,
and admin panel frontend.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.planning/STATE.md

@@ -3,12 +3,12 @@ gsd_state_version: 1.0
 milestone: v1.0
 milestone_name: milestone
 current_phase: 2
-status: completed
-last_updated: "2026-05-22T12:33:25.293Z"
+status: planned
+last_updated: "2026-05-22T18:00:00.000Z"
 progress:
   total_phases: 5
   completed_phases: 1
-  total_plans: 5
+  total_plans: 10
   completed_plans: 5
   percent: 20
 ---
@@ -16,7 +16,7 @@ progress:
 # Project State
 
 **Project:** DocuVault
-**Status:** Phase 1 Complete — Ready for Phase 2
+**Status:** Phase 2 Planned — Ready to Execute
 **Current Phase:** 2
 **Last Updated:** 2026-05-22
 
@@ -25,7 +25,7 @@ progress:
 | Phase | Name | Status |
 |---|---|---|
 | 1 | Infrastructure Foundation | ✓ Complete |
-| 2 | Users & Authentication | Not Started |
+| 2 | Users & Authentication | Planned (5 plans, ready to execute) |
 | 3 | Document Migration & Multi-User Isolation | Not Started |
 | 4 | Folders, Sharing, Quotas & Document UX | Not Started |
 | 5 | Cloud Storage Backends | Not Started |
@@ -90,6 +90,6 @@ _Updated at each phase transition._
 
 | Field | Value |
 |---|---|
-| Last session | 2026-05-22 — Executed Phase 1 (all 5 plans complete); walking-skeleton e2e verified live against Docker stack |
-| Next action | Run `/gsd:discuss-phase 2` to begin Phase 2 (Users & Authentication) |
+| Last session | 2026-05-22 — Planned Phase 2 (5 plans, 5 waves; verification passed after 3 iterations) |
+| Next action | Run `/gsd:execute-phase 2` to execute Phase 2 (Users & Authentication) |
 | Pending decisions | See Open Questions above |