Merged
76 changes: 5 additions & 71 deletions .claude/inventories/acceptance-criteria.md
@@ -1,74 +1,8 @@
# Acceptance Criteria Status
# Acceptance Criteria

Generated: 2026-01-15 | Refresh: `/refresh-inventories`
Generated: 2026-05-06 17:45 UTC | Source: `features/*/*/spec.md`

## Overview
## Features with AC (0 scenarios across 0 features)

| Category | Features | AC Defined | Wireframes | Implementation |
| ------------- | -------- | ---------- | ---------- | -------------- |
| Foundation | 7 | 7/7 | 18 SVGs | Not started |
| Core Features | 6 | 6/6 | 10 SVGs | Not started |
| Auth/OAuth | 4 | 4/4 | 5 SVGs | Not started |
| Enhancements | 5 | 5/5 | 0 SVGs | Not started |
| Integrations | 5 | 5/5 | 2 SVGs | Not started |
| Polish | 4 | 4/4 | 0 SVGs | Not started |
| Testing | 7 | 7/7 | 0 SVGs | Not started |
| Payments | 6 | 6/6 | 0 SVGs | Not started |
| Code Quality | 2 | 2/2 | 0 SVGs | Not started |

**Total**: 46 features, all with acceptance criteria defined

## Priority P0 Features (Must Ship)

| Feature | AC Count | Status |
| ------------ | --------- | --------------- |
| 000-RLS | 3 stories | Wireframes done |
| 003-Auth | 5 stories | Wireframes done |
| 005-Security | 4 stories | Wireframes done |
| 007-E2E | 3 stories | Wireframes done |
| 019-Consent | 3 stories | Wireframes done |

## Acceptance Criteria Format

Each feature spec contains:

- **User Stories** with priority (P0, P1, P2)
- **Acceptance Scenarios** in Given/When/Then format
- **Independent Test** description for each story

Example from 003-Auth:

```
Given I am a new user
When I click "Sign Up" and enter valid email/password
Then my account is created and I receive verification email
```

## Verification Workflow

1. **Pre-Implementation**: AC defined in spec.md
2. **Wireframes**: Visual representation of AC
3. **Implementation**: Code matches AC
4. **Testing**: E2E tests verify AC scenarios
5. **QA Review**: Manual verification of AC

## Quick Commands

```bash
# Count acceptance scenarios per feature
grep -c "Given.*When.*Then" features/*/*/spec.md

# Find features missing AC
grep -L "Acceptance Scenarios" features/*/*/spec.md

# Extract P0 stories
grep -B5 "Priority: P0" features/*/*/spec.md
```

## QA Lead Checklist

- [ ] All P0 features have AC defined
- [ ] AC scenarios are testable (Given/When/Then)
- [ ] Wireframes match AC requirements
- [ ] E2E tests cover P0 scenarios
- [ ] Manual test cases for edge cases
| Feature | Priority | Scenarios |
| ------- | -------- | --------- |
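Review bot: the regenerated acceptance-criteria.md reports `## Features with AC (0 scenarios across 0 features)` and an empty `| Feature | Priority | Scenarios |` table, which looks like the scan of `features/*/*/spec.md` matched nothing rather than a real state of the repo (the removed lines count 46 features with AC and five P0 stories, and the screen inventory in this same change lists 25 feature directories). A refresh that finds zero specs should fail or leave the previous inventory in place instead of committing an empty table, and the glob should be checked against the actual directory layout before this lands. Also worth deciding whether the hand-written sections dropped here (P0 list, AC format example, verification workflow, QA checklist) were meant to be generated content; if not, keep them outside the regenerated region.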
53 changes: 4 additions & 49 deletions .claude/inventories/dependency-graph.md
@@ -1,53 +1,8 @@
# Dependency Graph

Generated: 2026-01-15 | Source: `features/IMPLEMENTATION_ORDER.md` | Refresh: `/refresh-inventories`
Generated: 2026-05-06 17:45 UTC | Source: `features/IMPLEMENTATION_ORDER.md`

## Tier Overview
## Features (0)

| Tier | Focus | Features |
| ---- | ------------------ | ------------------------------------------- |
| 1 | Foundation | 000, 003, 007, 006, 002, 001 |
| 2 | Consent & Security | 005, 019 |
| 3 | Core Messaging | 009, 011, 012, 013, 016, 014, 015, 043, 026 |
| 4 | Payments | 024, 042, 038, 039, 040, 041 |
| 5 | Content & Blog | 010, 025, 029, 022, 023 |
| 6 | Enhancements | 017, 018, 020, 021, 028, 030 |
| 7 | Polish | 027, 008 |
| 8 | Testing | 031-037 |
| 9 | Third-Party | 044, 045 |

## Key Blockers

```
000-RLS ──────> 003-Auth ──────> ALL authenticated features
019-Consent ──> 044-Sentry, 045-Disqus
024-Payment ──> 038-Dashboard, 039-Offline, 040-Retry, 041-PayPal
007-E2E ──────> 031-037 (all tests)
009-Messaging ─> 011-Groups ──> 012-Welcome ──> 014-Gate
```

## Feature Dependencies (Quick Reference)

| Feature | Depends On | Blocks |
| ------------- | ---------- | ------------------------------------- |
| 000-RLS | None | 003, 024, 042 |
| 003-Auth | 000 | 005, 009, 013-016, 024, 030, 032, 036 |
| 007-E2E | None | 031-037 |
| 019-Consent | None | 044, 045 |
| 024-Payment | 000, 003 | 038-041 |
| 009-Messaging | 003 | 011, 026, 043 |
| 010-Blog | 002 | 025, 029, 034 |
| 001-WCAG | None | 017, 018, 037 |

## Wave-Based Parallel Implementation

| Wave | Features | Can Start After |
| ------ | --------------------------------- | --------------------- |
| Wave 1 | 000, 003, 007, 006, 002, 001 | Immediately |
| Wave 2 | 005, 019, 020 | Wave 1 |
| Wave 3 | 009, 011, 012, 016, 013, 014, 015 | Wave 2 |
| Wave 4 | 024, 042, 038, 039, 040, 041 | Wave 2 |
| Wave 5 | 010, 025, 029, 017, 018, 022, 023 | Wave 1 |
| Wave 6 | 021, 028, 026, 027, 030, 008, 043 | Wave 3 |
| Wave 7 | 031-037 | Wave 1 (007 complete) |
| Wave 8 | 044, 045 | Wave 2 (019 complete) |
| Tier | Features |
| ---- | -------- |
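Review bot: same problem as acceptance-criteria.md: `## Features (0)` with an empty Tier table means `features/IMPLEMENTATION_ORDER.md` was not parsed, and with it the ordering constraints that matter for security are gone: `000-RLS ──────> 003-Auth ──────> ALL authenticated features` and `019-Consent ──> 044-Sentry, 045-Disqus` encoded that RLS policies must exist before auth ships and that consent must be in place before error-reporting integrations run. Have the generator treat zero parsed features as an error and confirm the source file still exists at that path; if the blocker and wave tables are supposed to be maintained by hand, move them out of the regenerated region so a refresh cannot erase them.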
24 changes: 12 additions & 12 deletions .claude/inventories/screen-inventory.md
@@ -1,31 +1,31 @@
# Screen Inventory

Generated: 2026-04-22 16:48 UTC | Source: `features/*/*/wireframes/`
Generated: 2026-05-06 17:45 UTC | Source: `features/*/*/wireframes/`

## Wireframes (52 SVGs across 25 features)
## Wireframes (61 SVGs across 25 features)

| Feature | SVG Count |
| ---------------------------------------------- | --------- |
| auth-oauth/013-oauth-messaging-password | 2 |
| auth-oauth/014-admin-welcome-email-gate | 2 |
| auth-oauth/014-admin-welcome-email-gate | 4 |
| auth-oauth/015-oauth-display-name | 1 |
| auth-oauth/016-messaging-critical-fixes | 4 |
| core-features/007-e2e-testing-framework | 2 |
| core-features/008-on-the-account | 1 |
| core-features/009-user-messaging-system | 2 |
| core-features/010-unified-blog-content | 2 |
| core-features/011-group-chats | 2 |
| core-features/008-on-the-account | 2 |
| core-features/009-user-messaging-system | 3 |
| core-features/010-unified-blog-content | 5 |
| core-features/011-group-chats | 1 |
| core-features/012-welcome-message-architecture | 1 |
| enhancements/017-colorblind-mode | 2 |
| enhancements/018-font-switcher | 3 |
| enhancements/018-font-switcher | 2 |
| enhancements/019-google-analytics | 2 |
| enhancements/021-geolocation-map | 2 |
| enhancements/021-geolocation-map | 1 |
| foundation/000-brand-identity | 1 |
| foundation/000-landing-page | 1 |
| foundation/000-landing-page | 2 |
| foundation/000-rls-implementation | 1 |
| foundation/001-wcag-aa-compliance | 3 |
| foundation/002-cookie-consent | 3 |
| foundation/003-user-authentication | 3 |
| foundation/002-cookie-consent | 4 |
| foundation/003-user-authentication | 6 |
| foundation/004-mobile-first-design | 2 |
| foundation/005-security-hardening | 3 |
| foundation/006-template-fork-experience | 2 |
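Review bot: several per-feature counts go down under the same 25-feature total (`core-features/011-group-chats` 2 to 1, `enhancements/018-font-switcher` 3 to 2, `enhancements/021-geolocation-map` 2 to 1) while the header total rises from 52 to 61 SVGs; a refresh should not normally lose wireframes, so please confirm those files were intentionally removed rather than renamed outside the `features/*/*/wireframes/` glob. The rest of the table is collapsed in this view, so the 61 total cannot be checked against the rows shown here.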
155 changes: 53 additions & 102 deletions .claude/inventories/security-touchpoints.md
@@ -1,102 +1,53 @@
# Security Touchpoints Inventory

Generated: 2026-01-15 | Refresh: `/refresh-inventories`

## Discovery Method

This inventory is **dynamically generated** by scanning all feature specs for security-related keywords:
`auth`, `security`, `privacy`, `RLS`, `OWASP`, `consent`, `password`, `session`, `token`, `encryption`

After forking, run `/refresh-inventories` to discover your project's security features.

## Discovered Security Features

| Feature | Focus | Priority |
| ---------------- | -------------------------------------------- | --------------- |
| **000-RLS** | Row-Level Security policies for all tables | Foundation |
| **002-Cookie** | Cookie consent system | Privacy |
| **003-Auth** | Email/password, OAuth, session management | Foundation |
| **005-Security** | Data isolation, CSRF, brute force prevention | Foundation |
| **013-OAuth** | OAuth messaging password | Auth |
| **014-Admin** | Admin welcome email gate | Auth |
| **019-Consent** | Analytics consent, GDPR compliance | Pre-integration |

## Security Touchpoints by Category

### Data Isolation (RLS)

- `000`: User data isolation - profiles, preferences, activity
- `000`: Service role operations for backend functions
- `005`: Payment data isolation between users
- `042`: Payment-specific RLS policies

### Authentication

- `003`: Email/password registration with verification
- `003`: Session management (7-day default, 30-day remember me)
- `003`: Password reset flow
- `013`: OAuth messaging password
- `015`: OAuth display name handling

### Authorization

- `003`: Role-based access (user, admin)
- `005`: OAuth callback verification (CSRF prevention)
- `014`: Admin welcome email gate

### Attack Prevention

- `005`: Brute force prevention (server-side rate limiting)
- `005`: OAuth state parameter verification
- `005`: Authorization code replay prevention
- `003`: Account lockout after 5 failed attempts (15 min)

### Privacy & Consent

- `019`: Analytics consent before any tracking
- `002`: Cookie consent modal
- `002`: Preference management UI
- Constitution: Privacy First principle

### Audit & Logging

- `005`: Security event audit logging
- `044`: Error handler integrations (Sentry/LogRocket) - requires consent

## OWASP Top 10 Coverage

| OWASP Risk | Feature Coverage |
| ----------------------------- | ----------------------- |
| A01 Broken Access Control | 000-RLS, 003-Auth |
| A02 Cryptographic Failures | 003-Auth (hashing) |
| A03 Injection | Supabase RLS policies |
| A04 Insecure Design | Constitution principles |
| A05 Security Misconfiguration | 005-Security |
| A06 Vulnerable Components | DevOps scanning |
| A07 Auth Failures | 003-Auth, 005-Security |
| A08 Software Integrity | CI/CD validation |
| A09 Logging Failures | 005-Audit, 044-Error |
| A10 SSRF | Supabase Edge Functions |

## Secrets Management

| Location | Type |
| -------------- | ------------------------- |
| Supabase Vault | API keys, OAuth secrets |
| GitHub Secrets | CI/CD tokens |
| `.env.local` | Dev-only, never committed |

**Rule**: Never store secrets in client code. Use `NEXT_PUBLIC_*` only for non-sensitive config.

## Quick Security Checks

```bash
# Find potential secrets in code
grep -r "sk_\|api_key\|secret" --include="*.ts" --include="*.tsx"

# Check RLS policies
supabase db diff --schema public

# Review auth flows
grep -r "supabase.auth" --include="*.ts"
```
# Security Touchpoints

Generated: 2026-05-06 17:45 UTC | Refresh: `/refresh-inventories security`

## Features with Security Impact (45)

| Feature | Keywords |
| ------------- | ------------------------------------------------------ |
| core-features | auth, authentication, privacy, RLS, session |
| core-features | auth, authentication, security |
| core-features | auth, authentication, security, secure, GDPR |
| core-features | auth, RLS, session, hash |
| core-features | auth, authentication, security, secure, RLS |
| core-features | auth, authentication, secure, password, credential |
| core-features | auth, authentication, session |
| code-quality | privacy, consent, session |
| code-quality | auth, authentication, privacy, GDPR, consent |
| enhancements | session |
| enhancements | session |
| enhancements | privacy, GDPR, consent, session |
| enhancements | privacy, consent, session |
| enhancements | session |
| testing | auth, authentication, password, credential, session |
| testing | auth, authentication, GDPR, password, credential |
| testing | RLS |
| testing | security, GDPR, encryption, hash |
| testing | token |
| testing | auth, authentication, security, password, credential |
| polish | hash |
| polish | auth, privacy, GDPR, consent, session |
| polish | auth |
| polish | privacy, consent, session |
| foundation | auth, authentication, security, secure, GDPR |
| foundation | privacy, GDPR, consent, session |
| foundation | auth, authentication, authorization, security, secure |
| foundation | auth, session |
| foundation | session |
| foundation | auth, authentication, authorization, security, secure |
| foundation | auth, authentication, credential, session |
| payments | auth, authentication, session |
| payments | auth, authentication, security, secure, privacy |
| payments | auth, authentication, secure, RLS |
| payments | auth, authentication, security, secure, session |
| payments | auth, authentication, security, privacy, GDPR |
| auth-oauth | auth, authentication, security, password, credential |
| auth-oauth | auth, authentication, password, credential, encryption |
| auth-oauth | auth, authentication, secure, password, credential |
| auth-oauth | auth, authentication, password |
| integrations | credential |
| integrations | auth, authentication, RLS |
| integrations | auth, authentication, security, secure, privacy |
| integrations | consent, credential |
| integrations | auth, authentication, privacy, consent, RLS |
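Review bot: the new `| Feature | Keywords |` table loses the feature identity: every value in the `Feature` column is a category name (`core-features`, `foundation`, `enhancements`), so the five `enhancements` rows are indistinguishable and a reader cannot tell which spec matched `password, credential` or `encryption, hash`; emit the feature directory name (the `foundation/003-user-authentication` form screen-inventory.md already uses) instead. The header count of 45 does match the 45 rows, and that also shows the spec scan works here while acceptance-criteria.md and dependency-graph.md in the same change report 0 features, which points at those two generators rather than the repo layout. This hunk also deletes hand-curated content the keyword table does not replace: the OWASP Top 10 coverage mapping, the Secrets Management table with the rule `Never store secrets in client code. Use NEXT_PUBLIC_* only for non-sensitive config.`, and the Quick Security Checks commands. If those are meant to survive refreshes, keep them in a non-generated section; if they are being retired on purpose, say so in the PR description.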