diff --git a/backend/tests/test_shares.py b/backend/tests/test_shares.py
index c0f1f38..f33c4d5 100644
--- a/backend/tests/test_shares.py
+++ b/backend/tests/test_shares.py
@@ -343,3 +343,23 @@ async def test_share_indicator_in_owner_list(async_client, auth_user, second_aut
     assert post_match[0]["is_shared"] is True, (
         f"Expected is_shared=True after sharing, got {post_match[0].get('is_shared')!r}"
     )
+
+
+# ---------------------------------------------------------------------------
+# Phase 6.2 Wave 0 xfail stubs — SHARE-03 permission field
+# ---------------------------------------------------------------------------
+
+
+async def test_share_create_with_permission(async_client, auth_user, second_auth_user, db_session):
+    """POST /api/shares respects permission field from request body (SHARE-03, D-08, D-10)"""
+    pytest.xfail("Phase 6.2 — not implemented yet")
+
+
+async def test_share_patch_permission(async_client, auth_user, second_auth_user, db_session):
+    """PATCH /api/shares/{id} changes permission to edit (SHARE-03, D-09)"""
+    pytest.xfail("Phase 6.2 — not implemented yet")
+
+
+async def test_share_patch_idor(async_client, auth_user, second_auth_user, db_session):
+    """PATCH /api/shares/{id} by non-owner returns 404 — IDOR protection (SHARE-03, D-09, T-IDOR)"""
+    pytest.xfail("Phase 6.2 — not implemented yet")