--- phase: 4 slug: rbac status: draft nyquist_compliant: false wave_0_complete: false created: 2026-03-24 --- # Phase 4 — Validation Strategy > Per-phase validation contract for feedback sampling during execution. --- ## Test Infrastructure | Property | Value | |----------|-------| | **Framework** | pytest 8.x + pytest-asyncio (existing) | | **Config file** | `pyproject.toml` (existing) | | **Quick run command** | `pytest tests/unit -x -q` | | **Full suite command** | `pytest tests/ -x` | | **Estimated runtime** | ~30 seconds | --- ## Sampling Rate - **After every task commit:** Run `pytest tests/unit -x -q` - **After every plan wave:** Run `pytest tests/ -x` - **Before `/gsd:verify-work`:** Full suite must be green - **Max feedback latency:** 30 seconds --- ## Per-Task Verification Map | Task ID | Plan | Wave | Requirement | Test Type | Automated Command | File Exists | Status | |---------|------|------|-------------|-----------|-------------------|-------------|--------| | 04-xx | 01 | 1 | RBAC-01,02,03 | unit | `pytest tests/unit/test_rbac_guards.py -x` | ❌ W0 | ⬜ pending | | 04-xx | 01 | 1 | RBAC-04 | unit | `pytest tests/unit/test_invitations.py -x` | ❌ W0 | ⬜ pending | | 04-xx | 01 | 1 | RBAC-05 | unit | `pytest tests/unit/test_portal_auth.py -x` | ❌ W0 | ⬜ pending | | 04-xx | 01 | 1 | RBAC-06 | integration | `pytest tests/integration/test_portal_rbac.py -x` | ❌ W0 | ⬜ pending | | 04-xx | 02 | 2 | RBAC-04 | integration | `pytest tests/integration/test_invite_flow.py -x` | ❌ W0 | ⬜ pending | | 04-xx | 02 | 2 | RBAC-05 | unit | `cd packages/portal && npx next build` | ✅ | ⬜ pending | *Status: ⬜ pending · ✅ green · ❌ red · ⚠️ flaky* --- ## Wave 0 Requirements - [ ] `tests/unit/test_rbac_guards.py` — RBAC-01,02,03: FastAPI require_* dependency tests - [ ] `tests/unit/test_invitations.py` — RBAC-04: HMAC token generation, expiry, tampering detection - [ ] `tests/unit/test_portal_auth.py` — RBAC-05: JWT contains role + tenant_ids - [ ] `tests/integration/test_invite_flow.py` — RBAC-04: end-to-end invite → accept → login - [ ] `tests/integration/test_portal_rbac.py` — RBAC-06: all endpoints tested with correct/incorrect roles --- ## Manual-Only Verifications | Behavior | Requirement | Why Manual | Test Instructions | |----------|-------------|------------|-------------------| | Role-specific landing pages render correctly | RBAC-05 | UI visual layout | Login as each role, verify correct dashboard renders | | Tenant switcher dropdown works | RBAC-05 | UI interaction | Login as multi-tenant user, switch tenants, verify context changes | | Impersonation banner visible and exit works | RBAC-01 | UI interaction | Platform admin clicks "view as", verify banner shows, click exit | | Invite email arrives and link works | RBAC-04 | Requires live SMTP | Send invite, check inbox, click link, complete activation | --- ## Validation Sign-Off - [ ] All tasks have `` verify or Wave 0 dependencies - [ ] Sampling continuity: no 3 consecutive tasks without automated verify - [ ] Wave 0 covers all MISSING references - [ ] No watch-mode flags - [ ] Feedback latency < 30s - [ ] `nyquist_compliant: true` set in frontmatter **Approval:** pending