From 67f0c01540b0247babeae1508422de5486f15101 Mon Sep 17 00:00:00 2001 From: curo1305 Date: Sun, 31 May 2026 11:12:23 +0200 Subject: [PATCH] docs(phase-6.2): add validation strategy --- .../06.2-VALIDATION.md | 94 +++++++++++++++++++ 1 file changed, 94 insertions(+) create mode 100644 .planning/phases/06.2-close-v1-sharing-cloud-delete-csv-export-gaps/06.2-VALIDATION.md diff --git a/.planning/phases/06.2-close-v1-sharing-cloud-delete-csv-export-gaps/06.2-VALIDATION.md b/.planning/phases/06.2-close-v1-sharing-cloud-delete-csv-export-gaps/06.2-VALIDATION.md new file mode 100644 index 0000000..aa6e602 --- /dev/null +++ b/.planning/phases/06.2-close-v1-sharing-cloud-delete-csv-export-gaps/06.2-VALIDATION.md 
@@ -0,0 +1,94 @@ +--- +phase: 6.2 +slug: close-v1-sharing-cloud-delete-csv-export-gaps +status: draft +nyquist_compliant: false +wave_0_complete: false +created: 2026-05-31 +--- + +# Phase 6.2 — Validation Strategy + +> Per-phase validation contract for feedback sampling during execution. + +--- + +## Test Infrastructure + +| Property | Value | +|----------|-------| +| **Framework** | pytest + pytest-asyncio (backend); Vitest (frontend) | +| **Config file** | `backend/pytest.ini` | +| **Quick run command** | `cd backend && pytest tests/test_shares.py tests/test_audit.py tests/test_documents.py -x -q` | +| **Full suite command** | `cd backend && pytest -v` | +| **Estimated runtime** | ~30 seconds | + +--- + +## Sampling Rate + +- **After every task commit:** Run `cd backend && pytest tests/test_shares.py tests/test_audit.py tests/test_documents.py -x -q` +- **After every plan wave:** Run `cd backend && pytest -v` +- **Before `/gsd:verify-work`:** Full suite must be green (excluding pre-existing `test_extractor.py::test_extract_docx` ModuleNotFoundError) +- **Max feedback latency:** 30 seconds + +--- + +## Per-Task Verification Map + +| Task ID | Plan | Wave | Requirement | Threat Ref | Secure Behavior | Test Type | Automated Command | File Exists | Status | +|---------|------|------|-------------|------------|-----------------|-----------|-------------------|-------------|--------| +| SHARE-05-fix | 01 | 1 | SHARE-05 | — | `is_shared` drives badge (not `share_count`) | unit | `pytest tests/test_shares.py::test_share_indicator_in_owner_list -x` | ✅ | ⬜ pending | +| SHARE-03-post | 01 | 1 | SHARE-03 | — | POST /api/shares respects `permission` field | integration | `pytest tests/test_shares.py::test_share_create_with_permission -x` | ❌ W0 | ⬜ pending | +| SHARE-03-patch | 01 | 1 | SHARE-03 | T-IDOR | PATCH /api/shares/{id} changes permission | integration | `pytest tests/test_shares.py::test_share_patch_permission -x` | ❌ W0 | ⬜ pending | +| SHARE-03-idor | 01 | 1 | 
SHARE-03 | T-IDOR | PATCH wrong owner → 404 (not 403) | integration | `pytest tests/test_shares.py::test_share_patch_idor -x` | ❌ W0 | ⬜ pending | +| CLOUD-del-route | 02 | 1 | CLOUD-del | T-quota | delete_document routes to cloud backend for non-minio | integration | `pytest tests/test_documents.py::test_delete_cloud_document_propagates -x` | ❌ W0 | ⬜ pending | +| CLOUD-del-fail | 02 | 1 | CLOUD-del | T-cloud | Cloud delete failure returns structured JSON error | integration | `pytest tests/test_documents.py::test_delete_cloud_document_failure -x` | ❌ W0 | ⬜ pending | +| CLOUD-del-rm | 02 | 1 | CLOUD-del | T-quota | remove_only=true skips cloud, removes DB record only | integration | `pytest tests/test_documents.py::test_delete_cloud_remove_only -x` | ❌ W0 | ⬜ pending | +| AUDIT-handle | 03 | 2 | ADMIN-06 | — | Audit log response includes user_handle and actor_handle | integration | `pytest tests/test_audit.py::test_audit_log_includes_user_handle -x` | ❌ W0 | ⬜ pending | +| AUDIT-filter | 03 | 2 | ADMIN-06 | — | user_handle filter resolves to correct entries | integration | `pytest tests/test_audit.py::test_audit_log_filter_by_handle -x` | ❌ W0 | ⬜ pending | +| AUDIT-filter-empty | 03 | 2 | ADMIN-06 | — | unknown handle filter returns empty (not error) | integration | `pytest tests/test_audit.py::test_audit_log_filter_unknown_handle -x` | ❌ W0 | ⬜ pending | +| DAILY-list | 03 | 2 | ADMIN-06 | — | Daily exports list endpoint returns sorted keys | integration | `pytest tests/test_audit.py::test_daily_exports_list -x` | ❌ W0 | ⬜ pending | +| DAILY-dl | 03 | 2 | ADMIN-06 | T-path | Daily export download returns CSV bytes; date validated against regex | integration | `pytest tests/test_audit.py::test_daily_export_download -x` | ❌ W0 | ⬜ pending | + +*Status: ⬜ pending · ✅ green · ❌ red · ⚠️ flaky* + +--- + +## Wave 0 Requirements + +- [ ] `tests/test_shares.py::test_share_create_with_permission` — stubs for SHARE-03 POST permission field +- [ ] 
`tests/test_shares.py::test_share_patch_permission` — stubs for SHARE-03 PATCH endpoint +- [ ] `tests/test_shares.py::test_share_patch_idor` — stubs for IDOR invariant on PATCH +- [ ] `tests/test_documents.py::test_delete_cloud_document_propagates` — stubs for cloud delete routing +- [ ] `tests/test_documents.py::test_delete_cloud_document_failure` — stubs for D-03 structured error +- [ ] `tests/test_documents.py::test_delete_cloud_remove_only` — stubs for D-02 remove_only path +- [ ] `tests/test_audit.py::test_audit_log_includes_user_handle` — stubs for D-11 handle enrichment +- [ ] `tests/test_audit.py::test_audit_log_filter_by_handle` — stubs for D-12 handle filter +- [ ] `tests/test_audit.py::test_audit_log_filter_unknown_handle` — stubs for D-12 empty result +- [ ] `tests/test_audit.py::test_daily_exports_list` — stubs for D-15 listing endpoint +- [ ] `tests/test_audit.py::test_daily_export_download` — stubs for D-16 streaming endpoint + +--- + +## Manual-Only Verifications + +| Behavior | Requirement | Why Manual | Test Instructions | +|----------|-------------|------------|-------------------| +| CSV export download via fetch+Blob triggers file save in browser | ADMIN-06 | Browser download behavior cannot be automated in pytest | Open admin panel, navigate to Audit Log tab, click "Export CSV", verify browser download dialog/file saved | +| Cloud delete failure warning modal UX | CLOUD-del | Modal interaction requires E2E framework | Delete a cloud document with a simulated provider failure; verify modal appears with "Remove from app" option | +| Daily export date dropdown populates and download triggers | ADMIN-06 | Frontend fetch+Blob download in browser | Open admin panel, verify date dropdown shows available exports, click Download, verify file saved | +| Share permission toggle visible per row in ShareModal | SHARE-03 | Vue component rendering | Open ShareModal for a document with active shares; verify view/edit toggle appears per row | + +--- + +## 
Validation Sign-Off + +- [ ] All tasks have `` verify or Wave 0 dependencies +- [ ] Sampling continuity: no 3 consecutive tasks without automated verify +- [ ] Wave 0 covers all MISSING references +- [ ] No watch-mode flags +- [ ] Feedback latency < 30s +- [ ] `nyquist_compliant: true` set in frontmatter + +**Approval:** pending
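Review bot: In the Per-Task Verification Map, the DAILY-dl row carries threat T-path and promises "date validated against regex", but its only test is `test_daily_export_download`, which by its name covers the successful download. Nothing in the map or the Wave 0 list exercises a rejected date. SHARE-03 gets a dedicated negative test (`test_share_patch_idor`), so T-path should get the same: add a row and a Wave 0 stub that sends a malformed or path-like date, and state the expected response, as the IDOR row does with "404 (not 403)". Two smaller points. The Sampling Rate section requires the full suite to be green excluding `test_extractor.py::test_extract_docx`, yet the full suite command is plain `cd backend && pytest -v`, which will still report that failure. Put a `--deselect` for that test id into the documented command so "green" is something a script can check. In Validation Sign-Off, the first item reads "All tasks have `` verify", an empty code span where a placeholder appears to have been lost. Also, the table gives an estimated runtime of "~30 seconds" without saying which command it measures, while the sign-off demands "Feedback latency < 30s". State which run the estimate applies to.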