docs(04): add research and validation strategy

.planning/phases/04-rbac/04-VALIDATION.md

@@ -0,0 +1,82 @@
+---
+phase: 4
+slug: rbac
+status: draft
+nyquist_compliant: false
+wave_0_complete: false
+created: 2026-03-24
+---
+
+# Phase 4 — Validation Strategy
+
+> Per-phase validation contract for feedback sampling during execution.
+
+---
+
+## Test Infrastructure
+
+| Property | Value |
+|----------|-------|
+| **Framework** | pytest 8.x + pytest-asyncio (existing) |
+| **Config file** | `pyproject.toml` (existing) |
+| **Quick run command** | `pytest tests/unit -x -q` |
+| **Full suite command** | `pytest tests/ -x` |
+| **Estimated runtime** | ~30 seconds |
+
+---
+
+## Sampling Rate
+
+- **After every task commit:** Run `pytest tests/unit -x -q`
+- **After every plan wave:** Run `pytest tests/ -x`
+- **Before `/gsd:verify-work`:** Full suite must be green
+- **Max feedback latency:** 30 seconds
+
+---
+
+## Per-Task Verification Map
+
+| Task ID | Plan | Wave | Requirement | Test Type | Automated Command | File Exists | Status |
+|---------|------|------|-------------|-----------|-------------------|-------------|--------|
+| 04-xx | 01 | 1 | RBAC-01,02,03 | unit | `pytest tests/unit/test_rbac_guards.py -x` | ❌ W0 | ⬜ pending |
+| 04-xx | 01 | 1 | RBAC-04 | unit | `pytest tests/unit/test_invitations.py -x` | ❌ W0 | ⬜ pending |
+| 04-xx | 01 | 1 | RBAC-05 | unit | `pytest tests/unit/test_portal_auth.py -x` | ❌ W0 | ⬜ pending |
+| 04-xx | 01 | 1 | RBAC-06 | integration | `pytest tests/integration/test_portal_rbac.py -x` | ❌ W0 | ⬜ pending |
+| 04-xx | 02 | 2 | RBAC-04 | integration | `pytest tests/integration/test_invite_flow.py -x` | ❌ W0 | ⬜ pending |
+| 04-xx | 02 | 2 | RBAC-05 | unit | `cd packages/portal && npx next build` | ✅ | ⬜ pending |
+
+*Status: ⬜ pending · ✅ green · ❌ red · ⚠️ flaky*
+
+---
+
+## Wave 0 Requirements
+
+- [ ] `tests/unit/test_rbac_guards.py` — RBAC-01,02,03: FastAPI require_* dependency tests
+- [ ] `tests/unit/test_invitations.py` — RBAC-04: HMAC token generation, expiry, tampering detection
+- [ ] `tests/unit/test_portal_auth.py` — RBAC-05: JWT contains role + tenant_ids
+- [ ] `tests/integration/test_invite_flow.py` — RBAC-04: end-to-end invite → accept → login
+- [ ] `tests/integration/test_portal_rbac.py` — RBAC-06: all endpoints tested with correct/incorrect roles
+
+---
+
+## Manual-Only Verifications
+
+| Behavior | Requirement | Why Manual | Test Instructions |
+|----------|-------------|------------|-------------------|
+| Role-specific landing pages render correctly | RBAC-05 | UI visual layout | Login as each role, verify correct dashboard renders |
+| Tenant switcher dropdown works | RBAC-05 | UI interaction | Login as multi-tenant user, switch tenants, verify context changes |
+| Impersonation banner visible and exit works | RBAC-01 | UI interaction | Platform admin clicks "view as", verify banner shows, click exit |
+| Invite email arrives and link works | RBAC-04 | Requires live SMTP | Send invite, check inbox, click link, complete activation |
+
+---
+
+## Validation Sign-Off
+
+- [ ] All tasks have `<automated>` verify or Wave 0 dependencies
+- [ ] Sampling continuity: no 3 consecutive tasks without automated verify
+- [ ] Wave 0 covers all MISSING references
+- [ ] No watch-mode flags
+- [ ] Feedback latency < 30s
+- [ ] `nyquist_compliant: true` set in frontmatter
+
+**Approval:** pending