docs: add shared module map to CLAUDE.md, SECURITY.md, planning artifacts

- CLAUDE.md: add Code Standards section with backend and frontend shared
  module maps, component architecture rules, duplication checklist, and
  no-dead-code enforcement rule
- SECURITY.md: Phase 02 + 03 security audit results (all threats CLOSED)
- .planning: update milestone audit, config, and add plan/UAT files for
  phases 01, 02-06, and 06.2-05

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.planning/phases/01-infrastructure-foundation/01-UAT.md

@@ -0,0 +1,63 @@
+---
+status: testing
+phase: 01-infrastructure-foundation
+source: 01-01-SUMMARY.md, 01-02-SUMMARY.md, 01-03-SUMMARY.md, 01-04-SUMMARY.md, 01-05-SUMMARY.md
+started: 2026-05-31T00:00:00Z
+updated: 2026-05-31T00:00:00Z
+---
+
+## Current Test
+
+<!-- OVERWRITE each test - shows where we are -->
+
+number: 1
+name: Cold Start Smoke Test
+expected: |
+  Kill any running containers. Run `docker compose down -v` to clear all volumes and state.
+  Then run `docker compose up --build -d`. All 5 services (postgres, minio, redis, backend,
+  celery-worker) should come up as `Up (healthy)` with no errors. Hit `GET /health` and get
+  back `{"status":"ok","checks":{"postgres":"ok","minio":"ok"}}` — live data from a fresh start.
+awaiting: user response
+
+## Tests
+
+### 1. Cold Start Smoke Test
+expected: Kill any running containers. Run `docker compose down -v` to clear all volumes and state. Then run `docker compose up --build -d`. All 5 services (postgres, minio, redis, backend, celery-worker) should come up as `Up (healthy)` with no errors. Hit `GET /health` and get back `{"status":"ok","checks":{"postgres":"ok","minio":"ok"}}` — live data from a fresh start.
+result: [pending]
+
+### 2. Database Migration Applies Cleanly
+expected: Run `cd backend && alembic upgrade head`. It should exit 0 with output `Running upgrade -> 0001`. All 11 tables (users, quotas, refresh_tokens, folders, documents, topics, document_topics, shares, audit_log, cloud_connections, groups) should be present in PostgreSQL.
+result: [pending]
+
+### 3. Health Endpoint Reports OK
+expected: `GET /health` (or `curl http://localhost:8000/health`) returns HTTP 200 with `{"status":"ok","checks":{"postgres":"ok","minio":"ok"}}`. Both postgres and minio checks show "ok".
+result: [pending]
+
+### 4. Document Upload Stored in PostgreSQL + MinIO
+expected: Upload any text or PDF file via `POST /documents` (multipart form, field `file`). Response contains a UUID `id` and `original_name` matching the filename. Checking PostgreSQL shows one row in `documents` with `object_key` starting with `null-user/`. Checking the MinIO `docuvault` bucket shows the object is present.
+result: [pending]
+
+### 5. Celery Background Task Processes Upload
+expected: After uploading a document, Celery should automatically pick up the `extract_and_classify` task. Within a few seconds, `docker compose logs celery-worker` shows `Task tasks.document_tasks.extract_and_classify[...] succeeded`. No `FAILED` task entries appear.
+result: [pending]
+
+### 6. Document Delete Removes from Both Stores
+expected: `DELETE /documents/{id}` (using the UUID from the upload) returns `{"success": true}`. The document row is gone from PostgreSQL. The object is gone from the MinIO `docuvault` bucket.
+result: [pending]
+
+### 7. MinIO Object Key Contains No Original Filename
+expected: After uploading a file named something recognizable (e.g. `invoice-q3.pdf`), inspect the object key in MinIO. The key should be in the form `null-user/{uuid}/{uuid}.pdf` — the word "invoice", "q3", or any part of the original filename must NOT appear in the key.
+result: [pending]
+
+## Summary
+
+total: 7
+passed: 0
+issues: 0
+pending: 7
+skipped: 0
+blocked: 0
+
+## Gaps
+
+[none yet]