docs: create roadmap (5 phases)

.planning/REQUIREMENTS.md

@@ -113,8 +113,61 @@ _Last updated: 2026-05-21_
 
 ## Traceability
 
-_Filled by roadmapper._
+_Filled by roadmapper — 2026-05-21._
 
 | REQ-ID | Phase | Notes |
 |---|---|---|
-| (pending) | | |
+| STORE-01 | 1 | Dual-write migration script; schema and Alembic wiring |
+| STORE-02 | 1 | Object key schema enforced in model layer |
+| STORE-07 | 1 | Stateless backend; no per-instance file locks |
+| AUTH-01 | 2 | Registration with Argon2 + HaveIBeenPwned check |
+| AUTH-02 | 2 | JWT session; httpOnly refresh cookie; Pinia memory access token |
+| AUTH-03 | 2 | TOTP enrollment with backup code acknowledgement flow |
+| AUTH-04 | 2 | Login via TOTP code or single-use backup code |
+| AUTH-05 | 2 | Password reset email; routes back to TOTP gate |
+| AUTH-06 | 2 | Sign out all devices; revokes all refresh tokens |
+| AUTH-07 | 2 | Refresh token family revocation on reuse; security alert |
+| AUTH-08 | 2 | TOTP single-use enforcement within validity window |
+| SEC-01 | 2 | CSRF protection on all state-changing endpoints |
+| SEC-02 | 2 | Rate limiting on auth endpoints (per-IP and per-account) |
+| SEC-03 | 2 | Parameterized queries / ORM enforced from first migration |
+| SEC-05 | 2 | Security response headers on all responses |
+| SEC-06 | 2 | Constant-time comparison for token/code verification |
+| SEC-07 | 2 | Admin role dependency; admin blocked from document content |
+| ADMIN-01 | 2 | Admin creates user with temporary password |
+| ADMIN-02 | 2 | Admin deactivates user account |
+| ADMIN-03 | 2 | Admin initiates password reset for user |
+| ADMIN-04 | 2 | Admin views and adjusts user storage quotas |
+| ADMIN-05 | 2 | Admin assigns AI provider and model per user |
+| ADMIN-07 | 2 | Explicit architectural exclusion of admin impersonation |
+| STORE-03 | 3 | Atomic quota enforcement at upload |
+| STORE-04 | 3 | Quota usage bar with 80%/95% warnings |
+| STORE-05 | 3 | Upload rejection at quota limit with detailed error |
+| STORE-06 | 3 | Atomic quota decrement on document delete |
+| STORE-08 | 3 | BackgroundTasks replaced with Celery+Redis or pgqueuer |
+| SEC-04 | 3 | DB-lookup-only file access; no key reconstruction from params |
+| DOC-03 | 3 | AI provider/model from DB per user; not user-supplied |
+| DOC-04 | 3 | System default topics + per-user topic overrides preserved |
+| DOC-05 | 3 | Classification uses user's assigned provider and model |
+| FOLD-01 | 4 | Folder CRUD with content-count confirmation on delete |
+| FOLD-02 | 4 | Document move between folders |
+| FOLD-03 | 4 | Breadcrumb navigation with clickable path segments |
+| FOLD-04 | 4 | Document list sort by name, date, and file size |
+| FOLD-05 | 4 | Full-text search via PostgreSQL tsvector index |
+| SHARE-01 | 4 | Share document by user handle |
+| SHARE-02 | 4 | "Shared with me" virtual folder; no quota charged to recipient |
+| SHARE-03 | 4 | View-only default sharing; owner controls permission level |
+| SHARE-04 | 4 | Immediate share revocation |
+| SHARE-05 | 4 | Shared indicator on documents in owner's list view |
+| SEC-08 | 4 | credentials_enc excluded from all serializers |
+| SEC-09 | 4 | Account deletion triggers delete_user_files() per cloud connection |
+| ADMIN-06 | 4 | Admin audit log viewer filtered by date, user, action |
+| DOC-01 | 4 | View document metadata and extracted text |
+| DOC-02 | 4 | In-browser PDF preview via PDF.js; bytes proxied through app |
+| CLOUD-01 | 5 | Connect OneDrive, Google Drive, Nextcloud, WebDAV |
+| CLOUD-02 | 5 | HKDF per-user key derivation for credential encryption |
+| CLOUD-03 | 5 | Local and cloud storage coexist; user selects default |
+| CLOUD-04 | 5 | Connection status display: ACTIVE / REQUIRES_REAUTH / ERROR |
+| CLOUD-05 | 5 | invalid_grant transitions to REQUIRES_REAUTH; surfaced to user |
+| CLOUD-06 | 5 | Disconnect cloud backend; credentials permanently deleted |
+| CLOUD-07 | 5 | StorageBackend ABC + factory in storage/ module |