tasks ready

specs/016-multi-user-auth/checklists/requirements.md

@@ -0,0 +1,34 @@
+# Specification Quality Checklist: Multi-User Authentication and Authorization
+
+**Purpose**: Validate specification completeness and quality before proceeding to planning
+**Created**: 2026-01-26
+**Feature**: [Link to spec.md](../spec.md)
+
+## Content Quality
+
+- [x] No implementation details (languages, frameworks, APIs)
+- [x] Focused on user value and business needs
+- [x] Written for non-technical stakeholders
+- [x] All mandatory sections completed
+
+## Requirement Completeness
+
+- [x] No [NEEDS CLARIFICATION] markers remain
+- [x] Requirements are testable and unambiguous
+- [x] Success criteria are measurable
+- [x] Success criteria are technology-agnostic (no implementation details)
+- [x] All acceptance scenarios are defined
+- [x] Edge cases are identified
+- [x] Scope is clearly bounded
+- [x] Dependencies and assumptions identified
+
+## Feature Readiness
+
+- [x] All functional requirements have clear acceptance criteria
+- [x] User scenarios cover primary flows
+- [x] Feature meets measurable outcomes defined in Success Criteria
+- [x] No implementation details leak into specification
+
+## Notes
+
+- Items marked incomplete require spec updates before `/speckit.clarify` or `/speckit.plan`

specs/016-multi-user-auth/checklists/security.md

@@ -0,0 +1,39 @@
+# Security Requirements Checklist: Multi-User Auth
+
+**Purpose**: Validate completeness and rigor of security requirements for authentication and authorization.
+**Created**: 2026-01-27
+**Feature**: [Link to spec.md](../spec.md)
+
+## Authentication Security
+
+- [x] CHK001 Are password complexity requirements specified for local users? [Completeness, Gap] (Covered by T037)
+- [x] CHK002 Is the exact hashing algorithm (bcrypt) and work factor specified? [Clarity, Spec §Research] (Covered by T006)
+- [x] CHK003 Are account lockout policies defined for failed login attempts? [Coverage, Gap] (Covered by T033)
+- [x] CHK004 Is the behavior for inactive/disabled accounts explicitly defined for both local and ADFS users? [Edge Case, Spec §Edge Cases] (Covered by T044)
+- [x] CHK005 Are requirements defined for session revocation (e.g., logout, admin action)? [Completeness] (Covered by T043)
+
+## ADFS & SSO Security
+
+- [x] CHK006 Are token validation requirements (signature, issuer, audience) specified for ADFS OIDC tokens? [Completeness] (Covered by T007)
+- [x] CHK007 Is the mapping behavior defined when an ADFS user is removed from a mapped AD group? [Edge Case, Gap] (Covered by T028)
+- [x] CHK008 Are requirements defined for handling ADFS token expiration and refresh? [Coverage] (Covered by T046)
+- [x] CHK009 Is the JIT provisioning process secure against privilege escalation (e.g., default role)? [Security, Spec §FR-008] (Covered by T028)
+
+## Authorization & RBAC
+
+- [x] CHK010 Are "default deny" requirements specified for plugin access? [Clarity, Spec §SC-002] (Covered by T020)
+- [x] CHK011 Is the behavior defined when a user has multiple roles with conflicting permissions? [Edge Case, Gap] (Covered by T045)
+- [x] CHK012 Are requirements specified for preventing admins from removing their own admin privileges (lockout prevention)? [Edge Case] (Covered by T022)
+- [x] CHK013 Is the scope of "Execute" vs "Read" permission clearly defined for each plugin? [Clarity] (Covered by T019)
+
+## Data Protection
+
+- [x] CHK014 Are requirements defined for protecting sensitive data (passwords, tokens) in logs? [Completeness, Spec §Constitution] (Covered by T047)
+- [x] CHK015 Are HttpOnly and Secure flags required for session cookies? [Clarity, Spec §Research] (Covered by T032)
+- [x] CHK016 Is the storage mechanism for ADFS client secrets defined securely? [Completeness] (Covered by T002)
+
+## API Security
+
+- [x] CHK017 Are authentication requirements enforced on ALL API endpoints (except login)? [Coverage] (Covered by T021)
+- [x] CHK018 Are rate limiting requirements defined for login endpoints to prevent brute force? [Gap] (Covered by T033)
+- [x] CHK019 Are error messages required to be generic to avoid username enumeration? [Clarity] (Covered by T034)

specs/016-multi-user-auth/checklists/technical.md

@@ -0,0 +1,31 @@
+# Technical Readiness Checklist: Multi-User Auth
+
+**Purpose**: Validate technical specifications, schema, and API contracts.
+**Created**: 2026-01-27
+**Feature**: [Link to spec.md](../spec.md)
+
+## Data Model & Schema
+
+- [x] CHK001 Are all necessary fields defined for the `User` entity (e.g., last_login)? [Completeness, Spec §Data Model] (Covered by T004)
+- [x] CHK002 Are foreign key constraints explicitly defined for `ADGroupMapping`? [Clarity, Spec §Data Model] (Covered by T027)
+- [x] CHK003 Is the uniqueness constraint for `username` and `email` specified? [Consistency] (Covered by T004)
+- [x] CHK004 Are database migration requirements defined for the new `auth.db`? [Completeness, Gap] (Covered by T005)
+
+## API Contracts
+
+- [x] CHK005 Are request/response schemas defined for the `login` endpoint? [Completeness, Spec §Contracts] (Covered by T009)
+- [x] CHK006 Are error response codes (401, 403, 404) standardized across all auth endpoints? [Consistency] (Covered by T012)
+- [x] CHK007 Is the structure of the JWT payload (claims) explicitly defined? [Clarity, Spec §Research] (Covered by T007)
+- [x] CHK008 Are pagination requirements defined for the "List Users" admin endpoint? [Gap] (Covered by T023)
+
+## Dependencies & Integration
+
+- [x] CHK009 Are version requirements specified for `Authlib` and `Passlib`? [Clarity, Spec §Plan] (Covered by T001)
+- [x] CHK010 Is the dependency on the existing `TaskManager` for plugin execution defined? [Integration] (Covered by T021)
+- [x] CHK011 Are requirements defined for the CLI admin creation tool? [Completeness, Spec §FR-009] (Covered by T008)
+
+## Non-Functional Requirements
+
+- [x] CHK012 Is the maximum acceptable latency for auth verification specified? [Clarity, Spec §Plan] (Covered by T013)
+- [x] CHK013 Are concurrency requirements defined for the SQLite `auth.db` (WAL mode)? [Completeness, Spec §Research] (Covered by T003)
+- [x] CHK014 Are logging requirements defined for audit trails (who did what)? [Completeness] (Covered by T047)

specs/016-multi-user-auth/checklists/testing.md

@@ -0,0 +1,26 @@
+# Testing Requirements Checklist: Multi-User Auth
+
+**Purpose**: Validate test scenario coverage and strategy.
+**Created**: 2026-01-27
+**Feature**: [Link to spec.md](../spec.md)
+
+## Functional Coverage
+
+- [x] CHK001 Are positive test scenarios defined for Local Login? [Coverage, Spec §US-1] (Covered by T049)
+- [x] CHK002 Are positive test scenarios defined for ADFS Login (mocked)? [Coverage, Spec §US-3] (Covered by T050)
+- [x] CHK003 Are negative test scenarios defined for invalid passwords? [Coverage] (Covered by T049)
+- [x] CHK004 Are negative test scenarios defined for unauthorized plugin access? [Coverage, Spec §US-2] (Covered by T049)
+- [x] CHK005 Are test scenarios defined for switching between auth methods on the same screen? [Coverage] (Covered by T050)
+
+## Edge Cases
+
+- [x] CHK005 Are test scenarios defined for mixed-case username handling? [Edge Case] (Covered by T049)
+- [x] CHK006 Are test scenarios defined for ADFS JIT provisioning with missing groups? [Edge Case] (Covered by T050)
+- [x] CHK007 Are test scenarios defined for accessing the API with an expired token? [Edge Case] (Covered by T049)
+- [x] CHK008 Are test scenarios defined for concurrent login sessions? [Edge Case] (Covered by T049)
+
+## Integration & System
+
+- [x] CHK009 Is the strategy defined for mocking ADFS during CI/CD tests? [Completeness] (Covered by T041)
+- [x] CHK010 Are end-to-end tests required for the full admin user creation flow? [Coverage] (Covered by T050)
+- [x] CHK011 Are tests required to verify the CLI admin creation tool? [Coverage] (Covered by T049)

specs/016-multi-user-auth/checklists/ux.md

@@ -0,0 +1,31 @@
+# UX Requirements Checklist: Multi-User Auth
+
+**Purpose**: Validate user experience and interface requirements.
+**Created**: 2026-01-27
+**Feature**: [Link to spec.md](../spec.md)
+
+## Login Flow
+
+- [x] CHK001 Are feedback requirements defined for invalid credentials (generic message)? [Clarity, Spec §US-1] (Covered by T016)
+- [x] CHK002 Is the redirect behavior specified after successful login (dashboard vs deep link)? [Clarity, Spec §US-1] (Covered by T016)
+- [x] CHK003 Are loading states required during the ADFS redirection process? [Completeness] (Covered by T030)
+- [x] CHK004 Is the "Session Expired" user flow defined? [Edge Case, Gap] (Covered by T035)
+- [x] CHK005 Are requirements defined for the dual-mode login screen layout (Form + ADFS Button)? [Clarity, Spec §FR-013] (Covered by T030)
+
+## Admin Interface
+
+- [x] CHK005 Are requirements defined for the User Management list view (columns, sorting)? [Completeness] (Covered by T024)
+- [x] CHK006 Is the feedback mechanism defined for successful/failed user creation? [Clarity] (Covered by T024)
+- [x] CHK007 Are confirmation dialogs required for deleting users? [Safety, Gap] (Covered by T040)
+- [x] CHK008 Is the UI behavior defined when assigning roles (dropdown, search)? [Clarity] (Covered by T024)
+
+## Navigation & Visibility
+
+- [x] CHK009 Are requirements defined for hiding menu items the user lacks permission for? [Completeness, Spec §FR-006] (Covered by T025)
+- [x] CHK010 Is the behavior defined if a user tries to access a restricted URL directly? [Edge Case] (Covered by T042)
+- [x] CHK011 Are user profile/logout controls required to be visible on all pages? [Consistency] (Covered by T025)
+
+## Accessibility
+
+- [x] CHK012 Are keyboard navigation requirements defined for the login form? [Coverage] (Covered by T048)
+- [x] CHK013 Are error message accessibility requirements (ARIA alerts) specified? [Coverage] (Covered by T048)