docs(05-05): complete cloud API endpoints plan — SUMMARY and STATE

- Created 05-05-SUMMARY.md: cloud.py (7 endpoints), main.py (router registration), admin.py (SEC-09 cleanup)
- Updated STATE.md: plan advanced to 5/8, session log updated, decisions recorded
- Updated ROADMAP.md: 05-03, 05-04, 05-05 marked complete
- Updated REQUIREMENTS.md: SEC-09 marked complete (cloud credential purge on account deletion)
curo1305
2026-05-29 07:34:22 +02:00
parent d85a09719e
commit be6ff5a71f
4 changed files with 179 additions and 12 deletions
+12 -8
@@ -4,13 +4,13 @@ milestone: v1.0
milestone_name: milestone
current_phase: 5
status: executing
last_updated: "2026-05-28T19:15:00.000Z"
last_updated: "2026-05-29T09:21:57.000Z"
progress:
total_phases: 5
completed_phases: 4
total_plans: 32
completed_plans: 27
percent: 84
completed_plans: 28
percent: 87
---
# Project State
@@ -28,13 +28,13 @@ progress:
| 2 | Users & Authentication | ✓ Complete (5/5 plans) |
| 3 | Document Migration & Multi-User Isolation | ✓ Complete (5/5 plans, UAT passed, security gate passed) |
| 4 | Folders, Sharing, Quotas & Document UX | ✓ Complete (9/9 plans, UAT 14/15 passed, 1 bug fixed) |
| 5 | Cloud Storage Backends | In Progress (4/8 plans complete) |
| 5 | Cloud Storage Backends | In Progress (5/8 plans complete) |
## Current Position
**Phase:** 05-cloud-storage-backends — In Progress
**Plan:** 4/8
**Progress:** [████████░░] 84%
**Plan:** 5/8
**Progress:** [████████░░] 87%
## Performance Metrics
@@ -131,6 +131,9 @@ progress:
| WebDAVBackend SSRF double guard pattern | validate_cloud_url in __init__ (construct-time) AND before every asyncio.to_thread() call — mirrors D-17 requirement for DNS-rebinding mitigation |
| nextcloud/webdav dispatch to distinct classes | NextcloudBackend for 'nextcloud' provider (has list_folder); WebDAVBackend for 'webdav' — identical constructor signatures |
| webdavclient3 upload_to/download_from confirmed | A1 assumption in RESEARCH.md was correct; verified via runtime dir(Client) inspection before use |
| OAuth callback not authenticated via JWT | OAuth redirect flow cannot carry Bearer header; state token (256 bits, TTL 1800s, single-use) provides equivalent security |
| Cloud cleanup added to admin delete_user only | auth.py has no DELETE /api/users/me; admin-initiated deletion is the only account deletion code path |
| Cloud cleanup runs before MinIO cleanup | credentials still in DB when get_storage_backend_for_document is called; sessions.flush() after conn deletes |
### Open Questions
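Review bot: The added "OAuth callback not authenticated via JWT" row claims the state token gives "equivalent security", but the properties it lists (256 bits, TTL 1800s, single-use) cover only unguessability and replay; nothing in the row says the state is bound to the user who started the flow. Record that the callback resolves the user from the stored state entry and not from a request parameter, so the decision documents what actually replaces the Bearer check. In the "Cloud cleanup runs before MinIO cleanup" row, "sessions.flush() after conn deletes" is ambiguous: name the session object as it appears in admin.py and state whether the flush completes before MinIO cleanup begins.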
@@ -178,6 +181,7 @@ _Updated at each phase transition._
| Last session | 2026-05-28 — Plan 05-02 executed: cloud_utils.py (SSRF+HKDF), cloud_cache.py (TTLCache), storage factory extended; 199 passed / 43 xfailed / 1 pre-existing failure |
| Last session | 2026-05-28 — Plan 05-03 executed: GoogleDriveBackend (Drive v3, cache_discovery=False, asyncio.to_thread) + OneDriveBackend (MSAL, resumable upload, CHUNK_SIZE=10MB); 262 passed / 43 xfailed / 1 pre-existing failure |
| Last session | 2026-05-28 — Plan 05-04 executed: WebDAVBackend + NextcloudBackend (SSRF double-guard, asyncio.to_thread, list_folder); 262 passed / 43 xfailed / 1 pre-existing failure |
| Next action | Execute Plan 05-05: Cloud API Endpoints |
| Last session | 2026-05-29 — Plan 05-05 executed: cloud.py (7 endpoints), main.py (routers registered), admin.py (SEC-09 cloud cleanup); 262 passed / 43 xfailed / 1 pre-existing failure |
| Next action | Execute Plan 05-06: Cloud Document Upload/Download |
| Pending decisions | None |
| Resume file | `.planning/phases/05-cloud-storage-backends/05-05-PLAN.md` |
| Resume file | `.planning/phases/05-cloud-storage-backends/05-06-PLAN.md` |
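Review bot: The added 05-05 "Last session" row reports 262 passed / 43 xfailed / 1 pre-existing failure, the same counts as the 05-03 and 05-04 rows, so the log shows no new passing tests for the 7 endpoints or the SEC-09 cloud cleanup. State which existing tests cover the credential purge on account deletion, or add one before SEC-09 is treated as complete, and track the pre-existing failure by name so it is not carried silently from session to session. The table now has four rows labelled "Last session"; labelling the older ones as history would keep the resume point unambiguous.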