From cb788def43ce0719cb3d0728101a5e5c53d2488d Mon Sep 17 00:00:00 2001 From: hsiegeln <37154749+hsiegeln@users.noreply.github.com> Date: Wed, 11 Mar 2026 19:45:58 +0100 Subject: [PATCH] docs(phase-04): add research and validation strategy Co-Authored-By: Claude Opus 4.6 --- .planning/phases/04-security/04-VALIDATION.md | 86 +++++++++++++++++++ 1 file changed, 86 insertions(+) create mode 100644 .planning/phases/04-security/04-VALIDATION.md diff --git a/.planning/phases/04-security/04-VALIDATION.md b/.planning/phases/04-security/04-VALIDATION.md new file mode 100644 index 00000000..737cd617 --- /dev/null +++ b/.planning/phases/04-security/04-VALIDATION.md @@ -0,0 +1,86 @@ +--- +phase: 4 +slug: security +status: draft +nyquist_compliant: false +wave_0_complete: false +created: 2026-03-11 +--- + +# Phase 4 — Validation Strategy + +> Per-phase validation contract for feedback sampling during execution. + +--- + +## Test Infrastructure + +| Property | Value | +|----------|-------| +| **Framework** | JUnit 5 + Spring Boot Test + Spring Security Test | +| **Config file** | cameleer3-server-app/src/test/resources/application-test.yml | +| **Quick run command** | `mvn test -pl cameleer3-server-app -Dtest="Security*,Jwt*,Bootstrap*,Ed25519*" -Dsurefire.reuseForks=false` | +| **Full suite command** | `mvn clean verify` | +| **Estimated runtime** | ~60 seconds | + +--- + +## Sampling Rate + +- **After every task commit:** Run `mvn test -pl cameleer3-server-app -Dsurefire.reuseForks=false` +- **After every plan wave:** Run `mvn clean verify` +- **Before `/gsd:verify-work`:** Full suite must be green +- **Max feedback latency:** 60 seconds + +--- + +## Per-Task Verification Map + +| Task ID | Plan | Wave | Requirement | Test Type | Automated Command | File Exists | Status | +|---------|------|------|-------------|-----------|-------------------|-------------|--------| +| 04-01-01 | 01 | 1 | SECU-03 | unit | `mvn test -pl cameleer3-server-app -Dtest=Ed25519SigningServiceTest -Dsurefire.reuseForks=false` | ❌ W0 | ⬜ pending | +| 04-01-02 | 01 | 1 | SECU-01 | unit | `mvn test -pl cameleer3-server-app -Dtest=JwtServiceTest -Dsurefire.reuseForks=false` | ❌ W0 | ⬜ pending | +| 04-01-03 | 01 | 1 | SECU-05 | integration | `mvn test -pl cameleer3-server-app -Dtest=BootstrapTokenIT -Dsurefire.reuseForks=false` | ❌ W0 | ⬜ pending | +| 04-01-04 | 01 | 1 | SECU-01 | integration | `mvn test -pl cameleer3-server-app -Dtest=SecurityFilterIT -Dsurefire.reuseForks=false` | ❌ W0 | ⬜ pending | +| 04-01-05 | 01 | 1 | SECU-02 | integration | `mvn test -pl cameleer3-server-app -Dtest=JwtRefreshIT -Dsurefire.reuseForks=false` | ❌ W0 | ⬜ pending | +| 04-01-06 | 01 | 1 | SECU-04 | integration | `mvn test -pl cameleer3-server-app -Dtest=SseSigningIT -Dsurefire.reuseForks=false` | ❌ W0 | ⬜ pending | +| 04-01-07 | 01 | 1 | N/A | integration | `mvn test -pl cameleer3-server-app -Dtest=RegistrationSecurityIT -Dsurefire.reuseForks=false` | ❌ W0 | ⬜ pending | + +*Status: ⬜ pending · ✅ green · ❌ red · ⚠️ flaky* + +--- + +## Wave 0 Requirements + +- [ ] `Ed25519SigningServiceTest.java` — unit test stubs for Ed25519 signing roundtrip (SECU-03) +- [ ] `JwtServiceTest.java` — unit test stubs for JWT creation/validation/expiry (SECU-01, SECU-02) +- [ ] `BootstrapTokenIT.java` — integration test stubs for bootstrap token validation (SECU-05) +- [ ] `SecurityFilterIT.java` — integration test stubs for protected/public endpoint access (SECU-01) +- [ ] `JwtRefreshIT.java` — integration test stubs for refresh flow (SECU-02) +- [ ] `SseSigningIT.java` — integration test stubs for Ed25519 SSE signing (SECU-04) +- [ ] `RegistrationSecurityIT.java` — integration test stubs for registration with bootstrap + public key (SECU-03, SECU-05) +- [ ] Update `application-test.yml` with `CAMELEER_AUTH_TOKEN: test-token` +- [ ] Update ALL existing ITs to include JWT auth headers (21 test files affected) + +*Existing infrastructure covers test framework and Testcontainers setup.* + +--- + +## Manual-Only Verifications + +| Behavior | Requirement | Why Manual | Test Instructions | +|----------|-------------|------------|-------------------| +| JWT token leakage in SSE query param logs | SECU-01 | Requires production log inspection | Check access logs don't log query parameters containing JWT tokens | + +--- + +## Validation Sign-Off + +- [ ] All tasks have `` verify or Wave 0 dependencies +- [ ] Sampling continuity: no 3 consecutive tasks without automated verify +- [ ] Wave 0 covers all MISSING references +- [ ] No watch-mode flags +- [ ] Feedback latency < 60s +- [ ] `nyquist_compliant: true` set in frontmatter + +**Approval:** pending