diff --git a/docs/tasks.md b/docs/tasks.md index bb54641..f6a3083 100644 --- a/docs/tasks.md +++ b/docs/tasks.md @@ -222,32 +222,95 @@ ### Phase 6: Error Recovery & Polish (#417) -| id | status | description | issue | repo | branch | depends_on | blocks | agent | started_at | completed_at | estimate | used | -| -------- | ----------- | ------------------------------------------------------------------- | ----- | ---- | ----------------------------- | ----------------------------------- | -------- | ----- | ---------- | ------------ | -------- | ---- | -| AUTH-024 | done | 6.1: Create auth-errors.ts with PDA error parsing and mapping | #417 | web | fix/auth-frontend-remediation | AUTH-V05 | AUTH-025 | w-18 | 2026-02-16T12:10Z | 2026-02-16T12:15Z | 12K | 12K | -| AUTH-025 | done | 6.2: Add retry logic for network errors (3x exponential backoff) | #417 | web | fix/auth-frontend-remediation | AUTH-V05 | | w-20 | 2026-02-16T12:16Z | 2026-02-16T12:22Z | 10K | 15K | -| AUTH-026 | done | 6.3-6.4: AuthProvider session-expiring state + SessionExpiryWarning | #417 | web | fix/auth-frontend-remediation | AUTH-V05,AUTH-019 | | w-19 | 2026-02-16T12:10Z | 2026-02-16T12:15Z | 15K | 20K | -| AUTH-027 | done | 6.5: Update auth-client.ts error messages to PDA-friendly | #417 | web | fix/auth-frontend-remediation | AUTH-024 | | w-21 | 2026-02-16T12:16Z | 2026-02-16T12:18Z | 8K | 10K | -| AUTH-V06 | done | Phase 6 verification: quality gates pass | #417 | all | fix/auth-frontend-remediation | AUTH-024,AUTH-025,AUTH-026,AUTH-027 | | orch | 2026-02-16T12:23Z | 2026-02-16T12:24Z | 5K | 2K | +| id | status | description | issue | repo | branch | depends_on | blocks | agent | started_at | completed_at | estimate | used | +| -------- | ------ | ------------------------------------------------------------------- | ----- | ---- | ----------------------------- | ----------------------------------- | -------- | ----- | ----------------- | ----------------- | -------- | ---- | +| AUTH-024 | done | 6.1: Create auth-errors.ts with PDA error parsing and mapping | #417 | web | fix/auth-frontend-remediation | AUTH-V05 | AUTH-025 | w-18 | 2026-02-16T12:10Z | 2026-02-16T12:15Z | 12K | 12K | +| AUTH-025 | done | 6.2: Add retry logic for network errors (3x exponential backoff) | #417 | web | fix/auth-frontend-remediation | AUTH-V05 | | w-20 | 2026-02-16T12:16Z | 2026-02-16T12:22Z | 10K | 15K | +| AUTH-026 | done | 6.3-6.4: AuthProvider session-expiring state + SessionExpiryWarning | #417 | web | fix/auth-frontend-remediation | AUTH-V05,AUTH-019 | | w-19 | 2026-02-16T12:10Z | 2026-02-16T12:15Z | 15K | 20K | +| AUTH-027 | done | 6.5: Update auth-client.ts error messages to PDA-friendly | #417 | web | fix/auth-frontend-remediation | AUTH-024 | | w-21 | 2026-02-16T12:16Z | 2026-02-16T12:18Z | 8K | 10K | +| AUTH-V06 | done | Phase 6 verification: quality gates pass | #417 | all | fix/auth-frontend-remediation | AUTH-024,AUTH-025,AUTH-026,AUTH-027 | | orch | 2026-02-16T12:23Z | 2026-02-16T12:24Z | 5K | 2K | ### Phase 7: Review Remediation (#411) -| id | status | description | issue | repo | branch | depends_on | blocks | agent | started_at | completed_at | estimate | used | -| -------- | ----------- | ------------------------------------------------------------------------------ | ----- | ---- | ----------------------------- | ---------- | -------- | ----- | ---------- | ------------ | -------- | ---- | -| AUTH-028 | done | 7.1: Frontend fixes — wire fetchWithRetry, dedupe errors, fix OAuth/catch/signout | #411 | web | fix/auth-frontend-remediation | AUTH-V06 | AUTH-030 | w-22 | 2026-02-16T18:29Z | 2026-02-16T18:33Z | 20K | 15K | -| AUTH-029 | done | 7.2: Backend fixes — COOKIE_DOMAIN, TRUSTED_ORIGINS validation, verifySession | #411 | api | fix/auth-frontend-remediation | AUTH-V06 | AUTH-030 | w-23 | 2026-02-16T18:29Z | 2026-02-16T18:31Z | 15K | 12K | -| AUTH-030 | done | 7.3: Missing tests — getAccessToken, isAdmin, null cases, getClientIp | #411 | all | fix/auth-frontend-remediation | AUTH-028,AUTH-029 | AUTH-V07 | w-24 | 2026-02-16T18:34Z | 2026-02-16T18:37Z | 15K | 15K | -| AUTH-V07 | done | Phase 7 verification: 191 web + 106 API tests passing | #411 | all | fix/auth-frontend-remediation | AUTH-030 | | orch | 2026-02-16T18:37Z | 2026-02-16T18:38Z | 5K | 2K | +| id | status | description | issue | repo | branch | depends_on | blocks | agent | started_at | completed_at | estimate | used | +| -------- | ------ | --------------------------------------------------------------------------------- | ----- | ---- | ----------------------------- | ----------------- | -------- | ----- | ----------------- | ----------------- | -------- | ---- | +| AUTH-028 | done | 7.1: Frontend fixes — wire fetchWithRetry, dedupe errors, fix OAuth/catch/signout | #411 | web | fix/auth-frontend-remediation | AUTH-V06 | AUTH-030 | w-22 | 2026-02-16T18:29Z | 2026-02-16T18:33Z | 20K | 15K | +| AUTH-029 | done | 7.2: Backend fixes — COOKIE_DOMAIN, TRUSTED_ORIGINS validation, verifySession | #411 | api | fix/auth-frontend-remediation | AUTH-V06 | AUTH-030 | w-23 | 2026-02-16T18:29Z | 2026-02-16T18:31Z | 15K | 12K | +| AUTH-030 | done | 7.3: Missing tests — getAccessToken, isAdmin, null cases, getClientIp | #411 | all | fix/auth-frontend-remediation | AUTH-028,AUTH-029 | AUTH-V07 | w-24 | 2026-02-16T18:34Z | 2026-02-16T18:37Z | 15K | 15K | +| AUTH-V07 | done | Phase 7 verification: 191 web + 106 API tests passing | #411 | all | fix/auth-frontend-remediation | AUTH-030 | | orch | 2026-02-16T18:37Z | 2026-02-16T18:38Z | 5K | 2K | + +### Phase 8: QA Remediation — Backend Error Handling (#411) + +| id | status | description | issue | repo | branch | depends_on | blocks | agent | started_at | completed_at | estimate | used | +| ------ | ------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------- | ----- | ---- | ----------------------------- | --------------------------- | ------------- | ----- | ----------------- | ----------------- | -------- | ---- | +| QA-001 | done | CRITICAL: AuthGuard — let infrastructure errors propagate instead of wrapping as 401 | #411 | api | fix/auth-frontend-remediation | | QA-V08 | w-25 | 2026-02-16T19:00Z | 2026-02-16T19:10Z | 12K | 9K | +| QA-002 | done | CRITICAL+HIGH: verifySession — invert error classification (allowlist auth errors, re-throw everything else) + typed return type + health check escalation | #411 | api | fix/auth-frontend-remediation | | QA-001,QA-V08 | w-26 | 2026-02-16T19:00Z | 2026-02-16T19:15Z | 25K | 8K | +| QA-003 | done | MEDIUM: auth.config.ts — replace null coalescing with throw in getOidcPlugins + include error details in getTrustedOrigins catch | #411 | api | fix/auth-frontend-remediation | | QA-V08 | w-27 | 2026-02-16T19:16Z | 2026-02-16T19:25Z | 10K | 3K | +| QA-004 | done | MEDIUM: auth.controller.ts — use HttpException(401) instead of raw Error in getSession + PDA-friendly handleAuth error message | #411 | api | fix/auth-frontend-remediation | | QA-V08 | w-28 | 2026-02-16T19:16Z | 2026-02-16T19:22Z | 10K | 7K | +| QA-V08 | done | Phase 8 verification: 128 auth tests pass, 2 pre-existing failures (DB/package), no regressions | #411 | all | fix/auth-frontend-remediation | QA-001,QA-002,QA-003,QA-004 | QA-005 | orch | 2026-02-16T19:26Z | 2026-02-16T19:27Z | 5K | 2K | + +### Phase 9: QA Remediation — Frontend Error Handling (#411) + +| id | status | description | issue | repo | branch | depends_on | blocks | agent | started_at | completed_at | estimate | used | +| ------ | ------ | ------------------------------------------------------------------------------------------------------------------------------------------------------- | ----- | ---- | ----------------------------- | --------------------------- | ------------- | ----- | ----------------- | ----------------- | -------- | ---- | +| QA-005 | done | CRITICAL+HIGH: auth-context.tsx — production logging, replace isBackendError with parseAuthError, fix signOut classification, add session-expired state | #411 | web | fix/auth-frontend-remediation | QA-V08 | QA-007,QA-V09 | w-29 | 2026-02-16T19:28Z | 2026-02-16T19:45Z | 25K | 85K | +| QA-006 | done | MEDIUM: auth-client.ts — log JSON parse error in signInWithCredentials + add logging to getAccessToken/isAdmin silent defaults | #411 | web | fix/auth-frontend-remediation | QA-V08 | QA-V09 | w-30 | 2026-02-16T19:28Z | 2026-02-16T19:50Z | 12K | 15K | +| QA-007 | done | HIGH: login/page.tsx — show explicit error state instead of silent email-only fallback when config fetch fails | #411 | web | fix/auth-frontend-remediation | QA-005 | QA-V09 | w-31 | 2026-02-16T19:51Z | 2026-02-16T19:56Z | 15K | 18K | +| QA-008 | done | LOW: auth-errors.ts — derive KNOWN_CODES from Object.keys(ERROR_MESSAGES) to eliminate duplication | #411 | web | fix/auth-frontend-remediation | QA-V08 | QA-V09 | w-32 | 2026-02-16T19:51Z | 2026-02-16T19:53Z | 3K | 4K | +| QA-V09 | done | Phase 9 verification: 194 auth web tests pass, no regressions | #411 | all | fix/auth-frontend-remediation | QA-005,QA-006,QA-007,QA-008 | QA-009 | orch | 2026-02-16T19:57Z | 2026-02-16T19:58Z | 5K | 2K | + +### Phase 10: QA Remediation — Comment & Documentation Fixes (#411) + +| id | status | description | issue | repo | branch | depends_on | blocks | agent | started_at | completed_at | estimate | used | +| ------ | ------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----- | ------- | ----------------------------- | ------------- | ------ | ----- | ----------------- | ----------------- | -------- | ---- | +| QA-009 | done | CRITICAL: Fix updateAge comment (not idle timeout — it's session refresh throttle), fix .env.example OIDC vars, fix username->email bug in signInWithCredentials | #411 | api,web | fix/auth-frontend-remediation | QA-V09 | QA-V10 | w-33 | 2026-02-16T19:59Z | 2026-02-16T20:05Z | 12K | 12K | +| QA-010 | done | MINOR: Fix JSDoc issues — response.ok is 2xx not "200", remove "Automatic token refresh" claim, remove "Enable for now" comment, fix CSRF comment placement, fix 403 mapping comment | #411 | api,web | fix/auth-frontend-remediation | QA-V09 | QA-V10 | w-34 | 2026-02-16T19:59Z | 2026-02-16T20:03Z | 8K | 8K | +| QA-V10 | done | Phase 10 verification: 71 tests pass, no regressions | #411 | all | fix/auth-frontend-remediation | QA-009,QA-010 | QA-011 | orch | 2026-02-16T20:06Z | 2026-02-16T20:07Z | 5K | 2K | + +### Phase 11: QA Remediation — Type Design Improvements (#411) + +| id | status | description | issue | repo | branch | depends_on | blocks | agent | started_at | completed_at | estimate | used | +| ------ | ------ | ------------------------------------------------------------------------------------------------------------------------------------- | ----- | ---- | ----------------------------- | ------------- | ------ | ----- | ----------------- | ----------------- | -------- | ---- | +| QA-011 | done | HIGH: Unify 4 request-with-user types (RequestWithSession, AuthRequest, BetterAuthRequest, RequestWithUser) into AuthenticatedRequest | #411 | api | fix/auth-frontend-remediation | QA-V10 | QA-V11 | w-35 | 2026-02-16T20:08Z | 2026-02-16T20:16Z | 20K | 15K | +| QA-012 | done | LOW: Add RetryOptions value clamping (maxRetries>=0, baseDelayMs>=100, backoffFactor>=1) | #411 | web | fix/auth-frontend-remediation | QA-V10 | QA-V11 | w-36 | 2026-02-16T20:08Z | 2026-02-16T20:12Z | 5K | 4K | +| QA-V11 | done | Phase 11 verification: 125 tests pass (106 API + 19 web), types compile | #411 | all | fix/auth-frontend-remediation | QA-011,QA-012 | QA-013 | orch | 2026-02-16T20:17Z | 2026-02-16T20:18Z | 5K | 2K | + +### Phase 12: QA Remediation — Test Coverage Gaps (#411) + +| id | status | description | issue | repo | branch | depends_on | blocks | agent | started_at | completed_at | estimate | used | +| ------ | ------ | --------------------------------------------------------------------------------------------------------- | ----- | ---- | ----------------------------- | -------------------- | ------ | ----- | ----------------- | ----------------- | -------- | ---- | +| QA-013 | done | Add signOut failure path test — verify user cleared + authError set to proper type on apiPost rejection | #411 | web | fix/auth-frontend-remediation | QA-V11 | QA-V12 | w-37 | 2026-02-16T20:19Z | 2026-02-16T20:26Z | 10K | 4K | +| QA-014 | done | Add verifySession non-Error thrown value test — verify returns null for string/object throws | #411 | api | fix/auth-frontend-remediation | QA-V11 | QA-V12 | w-38 | 2026-02-16T20:19Z | 2026-02-16T20:23Z | 8K | 4K | +| QA-015 | done | Add handleCredentialsLogin error message fallback test + fix refreshSession test to actually call refresh | #411 | web | fix/auth-frontend-remediation | QA-V11 | QA-V12 | w-39 | 2026-02-16T20:27Z | 2026-02-16T20:30Z | 12K | 7K | +| QA-V12 | done | Phase 12 verification: 309 tests pass (201 web + 108 API) — final quality gate | #411 | all | fix/auth-frontend-remediation | QA-013,QA-014,QA-015 | | orch | 2026-02-16T20:31Z | 2026-02-16T20:32Z | 5K | 2K | + +### Phase 13: QA Round 2 — Backend Hardening (#411) + +| id | status | description | issue | repo | branch | depends_on | blocks | agent | started_at | completed_at | estimate | used | +| ------- | ------ | ----------------------------------------------------------------------------------------------------------------------------------------- | ----- | ---- | ----------------------------- | ----------------------------------------------- | --------------- | ----- | ----------------- | ----------------- | -------- | ---- | +| QA2-001 | done | MEDIUM: Narrow verifySession allowlist — "token expired"/"session expired" instead of bare "expired", exact match "unauthorized" | #411 | api | fix/auth-frontend-remediation | | QA2-003,QA2-V13 | w-40 | 2026-02-16T21:00Z | 2026-02-16T21:02Z | 10K | 4K | +| QA2-002 | done | MEDIUM: Add runtime null checks in auth.controller getSession/getProfile — defense-in-depth for AuthenticatedRequest | #411 | api | fix/auth-frontend-remediation | | QA2-V13 | w-42 | 2026-02-16T21:03Z | 2026-02-16T21:05Z | 8K | 5K | +| QA2-003 | done | MEDIUM: Sanitize Bearer tokens from logged error stacks + add logger.warn for non-Error thrown values in verifySession | #411 | api | fix/auth-frontend-remediation | QA2-001 | QA2-V13 | w-44 | 2026-02-16T21:06Z | 2026-02-16T21:08Z | 8K | 5K | +| QA2-004 | done | MEDIUM: classifyAuthError — map invalid_credentials/session_expired to null instead of "backend" (don't show error banner for normal 401) | #411 | web | fix/auth-frontend-remediation | | QA2-V13 | w-41 | 2026-02-16T21:00Z | 2026-02-16T21:02Z | 10K | 5K | +| QA2-005 | done | MEDIUM: Login page — route BetterAuth result.error.message through parseAuthError for PDA-friendly sanitization | #411 | web | fix/auth-frontend-remediation | | QA2-V13 | w-43 | 2026-02-16T21:03Z | 2026-02-16T21:05Z | 8K | 4K | +| QA2-006 | done | LOW: AuthGuard user validation branch tests — malformed user (missing id/email/name), non-object user, string user | #411 | api | fix/auth-frontend-remediation | | QA2-V13 | w-45 | 2026-02-16T21:06Z | 2026-02-16T21:09Z | 8K | 5K | +| QA2-V13 | done | Phase 13 verification: 272 tests pass (126 web + 146 API), 2 pre-existing failures, no regressions | #411 | all | fix/auth-frontend-remediation | QA2-001,QA2-002,QA2-003,QA2-004,QA2-005,QA2-006 | | orch | 2026-02-16T21:10Z | 2026-02-16T21:12Z | 5K | 2K | ### Summary -| Phase | Issue | Tasks | Total Estimate | -| ----------------------------- | ----- | ------ | -------------- | -| 1 - Critical Backend Fixes | #412 | 6 | 36K | -| 2 - Auth Config Discovery | #413 | 5 | 43K | -| 3 - Backend Hardening | #414 | 5 | 34K | -| 4 - Frontend Foundation | #415 | 7 | 64K | -| 5 - Login Page Integration | #416 | 5 | 54K | -| 6 - Error Recovery & Polish | #417 | 5 | 50K | -| 7 - Review Remediation | #411 | 4 | 55K | -| **Total** | | **37** | **336K** | +| Phase | Issue | Tasks | Total Estimate | +| ------------------------------- | ----- | ------ | -------------- | +| 1 - Critical Backend Fixes | #412 | 6 | 36K | +| 2 - Auth Config Discovery | #413 | 5 | 43K | +| 3 - Backend Hardening | #414 | 5 | 34K | +| 4 - Frontend Foundation | #415 | 7 | 64K | +| 5 - Login Page Integration | #416 | 5 | 54K | +| 6 - Error Recovery & Polish | #417 | 5 | 50K | +| 7 - Review Remediation | #411 | 4 | 55K | +| 8 - QA: Backend Error Handling | #411 | 5 | 62K | +| 9 - QA: Frontend Error Handling | #411 | 5 | 60K | +| 10 - QA: Comment Fixes | #411 | 3 | 25K | +| 11 - QA: Type Design | #411 | 3 | 30K | +| 12 - QA: Test Coverage | #411 | 4 | 35K | +| 13 - QA R2: Hardening + Tests | #411 | 7 | 57K | +| **Total** | | **64** | **605K** |