diff --git a/docs/tasks.md b/docs/tasks.md index 9b1d00c..a81c28a 100644 --- a/docs/tasks.md +++ b/docs/tasks.md 
@@ -156,3 +156,88 @@ | ----------- | ------ | ----------------------------------------------------------------------- | ----- | ---- | --------------------------- | --------------------------------------- | ----------- | --------- | ----------------- | ----------------- | -------- | ---- | ----------------- | | SP-E2E-001 | done | #405: E2E integration tests for speech services | #405 | api | feature/m13-speech-services | SP-EP-001,SP-EP-002,SP-WS-001,SP-FE-003 | SP-DOCS-001 | worker-17 | 2026-02-15T07:23Z | 2026-02-15T07:32Z | 25K | 35K | 30 tests, d2c7602 | | SP-DOCS-001 | done | #406: Documentation - Speech services architecture, API, and deployment | #406 | docs | feature/m13-speech-services | SP-E2E-001 | | worker-18 | 2026-02-15T07:23Z | 2026-02-15T07:29Z | 15K | 35K | 24065aa | + +--- + +## Auth-Frontend-Remediation (<0.1.0) — Auth & Frontend Remediation + +**Orchestrator:** Claude Code +**Started:** 2026-02-16 +**Branch:** fix/auth-frontend-remediation +**Milestone:** Auth-Frontend-Remediation (<0.1.0) +**Epic:** #411 + +### Phase 1: Critical Backend Fixes (#412) + +| id | status | description | issue | repo | branch | depends_on | blocks | agent | started_at | completed_at | estimate | used | +| -------- | ----------- | ----------------------------------------------------------------- | ----- | ------ | ----------------------------- | -------------------------------------------- | -------- | ----- | ---------- | ------------ | -------- | ---- | +| AUTH-001 | not-started | 1.1: Add OIDC_REDIRECT_URI to validation with URL + path checks | #412 | api | fix/auth-frontend-remediation | | AUTH-002 | | | | 10K | | +| AUTH-002 | not-started | 1.2: Wrap BetterAuth handler in try/catch with error logging | #412 | api | fix/auth-frontend-remediation | AUTH-001 | | | | | 10K | | +| AUTH-003 | not-started | 1.3: Fix docker-compose OIDC_REDIRECT_URI default | #412 | devops | fix/auth-frontend-remediation | | | | | | 3K | | +| AUTH-004 | not-started | 1.4: Enable PKCE in 
genericOAuth config | #412 | api | fix/auth-frontend-remediation | | | | | | 5K | | +| AUTH-005 | not-started | 1.5: Add @SkipCsrf() documentation with BetterAuth CSRF rationale | #412 | api | fix/auth-frontend-remediation | | | | | | 3K | | +| AUTH-V01 | not-started | Phase 1 verification: quality gates pass | #412 | all | fix/auth-frontend-remediation | AUTH-001,AUTH-002,AUTH-003,AUTH-004,AUTH-005 | AUTH-006 | | | | 5K | | + +### Phase 2: Auth Config Discovery (#413) + +| id | status | description | issue | repo | branch | depends_on | blocks | agent | started_at | completed_at | estimate | used | +| -------- | ----------- | -------------------------------------------------------------------- | ----- | ------ | ----------------------------- | ----------------------------------- | -------- | ----- | ---------- | ------------ | -------- | ---- | +| AUTH-006 | not-started | 2.1: Add AuthProvider and AuthConfigResponse types to @mosaic/shared | #413 | shared | fix/auth-frontend-remediation | AUTH-V01 | AUTH-007 | | | | 5K | | +| AUTH-007 | not-started | 2.2-2.3: Implement getAuthConfig() + GET /auth/config endpoint | #413 | api | fix/auth-frontend-remediation | AUTH-006 | AUTH-008 | | | | 15K | | +| AUTH-008 | not-started | 2.4: Add secret-leakage prevention test | #413 | api | fix/auth-frontend-remediation | AUTH-007 | AUTH-009 | | | | 8K | | +| AUTH-009 | not-started | 2.5: Implement isOidcProviderReachable() health check | #413 | api | fix/auth-frontend-remediation | AUTH-007 | | | | | 10K | | +| AUTH-V02 | not-started | Phase 2 verification: quality gates pass | #413 | all | fix/auth-frontend-remediation | AUTH-006,AUTH-007,AUTH-008,AUTH-009 | AUTH-010 | | | | 5K | | + +### Phase 3: Backend Hardening (#414) + +| id | status | description | issue | repo | branch | depends_on | blocks | agent | started_at | completed_at | estimate | used | +| -------- | ----------- | ---------------------------------------------------------------- | ----- | ------ | 
----------------------------- | ----------------------------------- | -------- | ----- | ---------- | ------------ | -------- | ---- | +| AUTH-010 | not-started | 3.1: Extract trustedOrigins to getTrustedOrigins() with env vars | #414 | api | fix/auth-frontend-remediation | AUTH-V02 | AUTH-011 | | | | 10K | | +| AUTH-011 | not-started | 3.2: Align CORS config in main.ts with getTrustedOrigins() | #414 | api | fix/auth-frontend-remediation | AUTH-010 | | | | | 8K | | +| AUTH-012 | not-started | 3.3: Update session config (7d abs, 2h idle, cookie attrs) | #414 | api | fix/auth-frontend-remediation | AUTH-V02 | | | | | 8K | | +| AUTH-013 | not-started | 3.4: Add TRUSTED_ORIGINS, COOKIE_DOMAIN to .env.example | #414 | devops | fix/auth-frontend-remediation | AUTH-010 | | | | | 3K | | +| AUTH-V03 | not-started | Phase 3 verification: quality gates pass | #414 | all | fix/auth-frontend-remediation | AUTH-010,AUTH-011,AUTH-012,AUTH-013 | AUTH-014 | | | | 5K | | + +### Phase 4: Frontend Foundation (#415) + +| id | status | description | issue | repo | branch | depends_on | blocks | agent | started_at | completed_at | estimate | used | +| -------- | ----------- | ---------------------------------------------------------------- | ----- | ---- | ----------------------------- | ----------------------------------------------------- | -------- | ----- | ---------- | ------------ | -------- | ---- | +| AUTH-014 | not-started | 4.1: Fix theme storage key (jarvis-theme -> mosaic-theme) | #415 | web | fix/auth-frontend-remediation | AUTH-V03 | | | | | 5K | | +| AUTH-015 | not-started | 4.2: Create AuthErrorBanner component (PDA-friendly, blue theme) | #415 | web | fix/auth-frontend-remediation | AUTH-V03 | AUTH-020 | | | | 12K | | +| AUTH-016 | not-started | 4.3: Create AuthDivider component | #415 | web | fix/auth-frontend-remediation | AUTH-V03 | AUTH-020 | | | | 5K | | +| AUTH-017 | not-started | 4.4: Create OAuthButton component (replaces LoginButton) | #415 | web | 
fix/auth-frontend-remediation | AUTH-V03 | AUTH-020 | | | | 12K | | +| AUTH-018 | not-started | 4.5: Create LoginForm component with email/password validation | #415 | web | fix/auth-frontend-remediation | AUTH-V03 | AUTH-020 | | | | 15K | | +| AUTH-019 | not-started | 4.6: Create SessionExpiryWarning component | #415 | web | fix/auth-frontend-remediation | AUTH-V03 | AUTH-025 | | | | 10K | | +| AUTH-V04 | not-started | Phase 4 verification: quality gates pass | #415 | all | fix/auth-frontend-remediation | AUTH-014,AUTH-015,AUTH-016,AUTH-017,AUTH-018,AUTH-019 | AUTH-020 | | | | 5K | | + +### Phase 5: Login Page Integration (#416) + +| id | status | description | issue | repo | branch | depends_on | blocks | agent | started_at | completed_at | estimate | used | +| -------- | ----------- | ------------------------------------------------------------ | ----- | ---- | ----------------------------- | ----------------------------------- | -------- | ----- | ---------- | ------------ | -------- | ---- | +| AUTH-020 | not-started | 5.1-5.2: Fetch /auth/config and render providers dynamically | #416 | web | fix/auth-frontend-remediation | AUTH-V04,AUTH-V02 | AUTH-021 | | | | 20K | | +| AUTH-021 | not-started | 5.3-5.4: Error display from query params + loading states | #416 | web | fix/auth-frontend-remediation | AUTH-020 | AUTH-022 | | | | 12K | | +| AUTH-022 | not-started | 5.5: Delete old LoginButton.tsx and update imports | #416 | web | fix/auth-frontend-remediation | AUTH-020 | | | | | 5K | | +| AUTH-023 | not-started | 5.6-5.7: Responsive layout + accessibility audit | #416 | web | fix/auth-frontend-remediation | AUTH-020,AUTH-021 | | | | | 12K | | +| AUTH-V05 | not-started | Phase 5 verification: quality gates pass | #416 | all | fix/auth-frontend-remediation | AUTH-020,AUTH-021,AUTH-022,AUTH-023 | AUTH-024 | | | | 5K | | + +### Phase 6: Error Recovery & Polish (#417) + +| id | status | description | issue | repo | branch | depends_on | blocks | agent | started_at | 
completed_at | estimate | used | +| -------- | ----------- | ------------------------------------------------------------------- | ----- | ---- | ----------------------------- | ----------------------------------- | -------- | ----- | ---------- | ------------ | -------- | ---- | +| AUTH-024 | not-started | 6.1: Create auth-errors.ts with PDA error parsing and mapping | #417 | web | fix/auth-frontend-remediation | AUTH-V05 | AUTH-025 | | | | 12K | | +| AUTH-025 | not-started | 6.2: Add retry logic for network errors (3x exponential backoff) | #417 | web | fix/auth-frontend-remediation | AUTH-V05 | | | | | 10K | | +| AUTH-026 | not-started | 6.3-6.4: AuthProvider session-expiring state + SessionExpiryWarning | #417 | web | fix/auth-frontend-remediation | AUTH-V05,AUTH-019 | | | | | 15K | | +| AUTH-027 | not-started | 6.5: Update auth-client.ts error messages to PDA-friendly | #417 | web | fix/auth-frontend-remediation | AUTH-024 | | | | | 8K | | +| AUTH-V06 | not-started | Phase 6 verification: quality gates pass | #417 | all | fix/auth-frontend-remediation | AUTH-024,AUTH-025,AUTH-026,AUTH-027 | | | | | 5K | | + +### Summary + +| Phase | Issue | Tasks | Total Estimate | +| --------------------------- | ----- | ------ | -------------- | +| 1 - Critical Backend Fixes | #412 | 6 | 36K | +| 2 - Auth Config Discovery | #413 | 5 | 43K | +| 3 - Backend Hardening | #414 | 5 | 34K | +| 4 - Frontend Foundation | #415 | 7 | 64K | +| 5 - Login Page Integration | #416 | 5 | 54K | +| 6 - Error Recovery & Polish | #417 | 5 | 50K | +| **Total** | | **33** | **281K** |
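Review bot: The blocks column disagrees with depends_on in two rows. In Phase 4, AUTH-019 lists blocks AUTH-025, and in Phase 6, AUTH-024 also lists blocks AUTH-025, but AUTH-025 (retry logic) declares only AUTH-V05 in depends_on. The rows that actually depend on them are AUTH-026 (depends_on AUTH-V05,AUTH-019) and AUTH-027 (depends_on AUTH-024). Suggest setting blocks to AUTH-026 on AUTH-019 and to AUTH-027 on AUTH-024, so that a scheduler reading either column derives the same graph. The verification rows are also incomplete in the same column: AUTH-V03 lists blocks AUTH-014 only, although AUTH-015 through AUTH-019 all carry depends_on AUTH-V03, and AUTH-V02 lists AUTH-010 only, although AUTH-012 and AUTH-020 depend on it too. Either fill blocks in fully or document that depends_on is the authoritative column. The Summary task counts and estimates match the per-phase rows (33 tasks, 281K).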