docs(02-01): execution summary — auth service layer, deps, migration complete

- 02-01-SUMMARY.md: 3 tasks complete, 31 tests passing, all verification checks passed
- STATE.md: Phase 2 plan 1/5 complete, decisions added, open questions resolved
curo1305
2026-05-22 19:27:29 +02:00
parent c4613b6b87
commit 479b72ef9a
2 changed files with 211 additions and 11 deletions
+15 -11
@@ -3,8 +3,8 @@ gsd_state_version: 1.0
milestone: v1.0
milestone_name: milestone
current_phase: 2
status: planned
last_updated: "2026-05-22T18:00:00.000Z"
status: in_progress
last_updated: "2026-05-22T20:00:00.000Z"
progress:
total_phases: 5
completed_phases: 1
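Review bot: The new last_updated value, 2026-05-22T20:00:00.000Z, is later than this commit's own timestamp (19:27:29 +02:00, which is 17:27:29Z), so the field reads like a rounded local time carrying a Z suffix. Write the actual UTC time, or drop the Z if the value is meant to be local.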
@@ -16,7 +16,7 @@ progress:
# Project State
**Project:** DocuVault
**Status:** Phase 2 Planned — Ready to Execute
**Status:** Phase 2 In Progress — Executing
**Current Phase:** 2
**Last Updated:** 2026-05-22
@@ -25,16 +25,16 @@ progress:
| Phase | Name | Status |
|---|---|---|
| 1 | Infrastructure Foundation | ✓ Complete |
| 2 | Users & Authentication | Planned (5 plans, ready to execute) |
| 2 | Users & Authentication | In Progress (1/5 plans complete) |
| 3 | Document Migration & Multi-User Isolation | Not Started |
| 4 | Folders, Sharing, Quotas & Document UX | Not Started |
| 5 | Cloud Storage Backends | Not Started |
## Current Position
**Phase:** 01-infrastructure-foundation — COMPLETE ✓
**Plan:** 5/5 complete
**Progress:** ██░░░░░░░░ 20% (1/5 phases)
**Phase:** 02-users-authentication — In Progress
**Plan:** 1/5 complete (Plan 01: Auth service layer)
**Progress:** ██░░░░░░░░ 24% (1/5 phases + 1/5 Phase 2 plans)
## Performance Metrics
@@ -63,6 +63,10 @@ progress:
| groups stub table Phase 1 | D-02 — groups is a v2 feature; table created now for schema completeness, no rows until Phase 2+ |
| SEQUENCES grants in migration | GRANT USAGE/SELECT on sequences required for audit_log.id autoincrement nextval() by docuvault_app |
| Admin impersonation excluded | Explicit architectural exclusion — no endpoint or UI pathway; violates privacy-first core value |
| user_id as refresh token family proxy | No separate family_id column; user_id serves as family per RFC 9700 — simpler schema |
| pwdlib over passlib | pwdlib actively maintained with clean Argon2Hasher API; passlib unmaintained |
| TOTP replay TTL=90s | valid_window=1 covers ±30s (90s total) — TTL matches window |
| HIBP fail-open | Network errors return False + log warning; auth never blocked by external service |
| Two-DSN PostgreSQL strategy | DATABASE_URL (docuvault_app, DML only) + DATABASE_MIGRATE_URL (docuvault_migrate, DDL only); celery-worker gets only DATABASE_URL |
| MinIO healthcheck via mc ready local | curl removed from MinIO Docker image since Oct 2023; mc is the correct in-container healthcheck tool |
| pydantic-settings v2 SettingsConfigDict | SettingsConfigDict API used (not deprecated class Config form) for env var config |
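Review bot: The "user_id as refresh token family proxy" row leaves out the consequence of the simpler schema: with the user as the family, family-wide revocation on a detected reuse ends every session that user has, and revoking a single device or session cannot be expressed without a family_id column. State that as accepted behaviour in the rationale. In the "HIBP fail-open" row, returning False on a network error gives the caller the same value as a password that was checked and not found; say whether the logged warning is alerted on, or return a distinct result, so a sustained outage of the check does not pass unnoticed.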
@@ -77,8 +81,8 @@ progress:
- Celery + Redis vs pgqueuer for Phase 3 (depends on Redis availability in deployment target)
- Verify cloud SDK minor versions on PyPI before Phase 5 pinning
- Confirm PyOTP `valid_window` default in current docs (recommend `valid_window=1` for ±30s clock drift)
- Audit existing codebase for any bcrypt hashes before removing passlib in Phase 2
- Celery + Redis vs pgqueuer for Phase 3 (depends on Redis availability in deployment target)
- Verify cloud SDK minor versions on PyPI before Phase 5 pinning
### Blockers
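Review bot: The commit message says the open questions are resolved, but the bcrypt item ("Audit existing codebase for any bcrypt hashes before removing passlib") has no recorded outcome: the "pwdlib over passlib" decision row gives only the maintenance rationale. Add whether legacy bcrypt hashes were found and, if they were, how they are verified or rehashed after the switch.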
@@ -90,6 +94,6 @@ _Updated at each phase transition._
| Field | Value |
|---|---|
| Last session | 2026-05-22 — Planned Phase 2 (5 plans, 5 waves; verification passed after 3 iterations) |
| Next action | Run `/gsd:execute-phase 2` to execute Phase 2 (Users & Authentication) |
| Last session | 2026-05-22 — Executed Phase 2 Plan 01 (auth service layer, deps, migration) |
| Next action | Run `/gsd:execute-phase 2` to continue Phase 2 (Plan 02: auth endpoints) |
| Pending decisions | See Open Questions above |