veza/VEZA_MVP_VALIDATION_TODOLIST.json


{
"meta": {
"title": "Veza MVP Validation & Final Audit",
"description": "Complete validation of 15 MVP fixes + final audit to reach stable state",
"created_at": "2025-01-28T00:00:00Z",
"previous_phase": "MVP Stability Fixes (15/15 completed)",
"current_phase": "Validation & Final Audit",
"target": "Confirmed stable MVP with no regressions",
"estimated_effort": "3-5 hours"
},
"phases": [
{
"id": "PHASE-V1",
"name": "Technical Validation",
"description": "Verify all 15 MVP fixes compile and pass tests",
"priority": "CRITICAL",
"estimated_effort": "30 min",
"tasks": [
{
"id": "VAL-001",
"title": "TypeScript Compilation Check",
"type": "automated",
"status": "todo",
"command": "cd apps/web && npx tsc --noEmit",
"expected_result": "Exit code 0, no errors",
"failure_action": "List all errors, categorize by MVP fix that may have caused them",
"related_mvp_fixes": ["MVP-003", "MVP-004", "MVP-010", "MVP-011", "MVP-015"]
},
{
"id": "VAL-002",
"title": "Go Compilation Check",
"type": "automated",
"status": "todo",
"command": "cd veza-backend-api && go build ./...",
"expected_result": "Exit code 0, no errors",
"failure_action": "List all errors, identify which MVP fix caused them",
"related_mvp_fixes": ["MVP-001", "MVP-005", "MVP-009", "MVP-014"]
},
{
"id": "VAL-003",
"title": "Frontend Unit Tests",
"type": "automated",
"status": "todo",
"command": "cd apps/web && npm test -- --passWithNoTests --watchAll=false",
"expected_result": "All tests pass",
"failure_action": "List failing tests, identify regression source",
"related_mvp_fixes": ["MVP-002", "MVP-003", "MVP-004", "MVP-015"]
},
{
"id": "VAL-004",
"title": "Backend Unit Tests",
"type": "automated",
"status": "todo",
"command": "cd veza-backend-api && go test ./... -v",
"expected_result": "All tests pass",
"failure_action": "List failing tests, identify regression source",
"related_mvp_fixes": ["MVP-001", "MVP-009", "MVP-014"]
},
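{
"id": "VAL-005",
"title": "CORS Production Validation",
"type": "automated",
"status": "todo",
"command": "cd veza-backend-api && APP_ENV=production CORS_ALLOWED_ORIGINS='' timeout 5 go run ./cmd/api || echo 'Expected failure'",
"expected_result": "Server fails to start with clear CORS error message (it must exit by itself: 'Expected failure' is also printed when timeout kills a server that did start, so confirm the CORS error appears in the output)",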
"failure_action": "MVP-001 fix incomplete - server should not start without CORS in prod",
"related_mvp_fixes": ["MVP-001"]
},
{
"id": "VAL-006",
"title": "Legacy Code Removal - ApiService",
"type": "automated",
"status": "todo",
"command": "grep -r 'ApiService' apps/web/src/ || echo 'PASS: No ApiService found'",
"expected_result": "0 results (no ApiService references)",
"failure_action": "MVP-004 incomplete - remove remaining ApiService references",
"related_mvp_fixes": ["MVP-004"]
},
{
"id": "VAL-007",
"title": "Legacy Code Removal - Token Storage Fragmentation",
"type": "automated",
"status": "todo",
"command": "grep -r 'auth-storage' apps/web/src/services/ || echo 'PASS: No auth-storage in services'",
"expected_result": "0 results in services directory",
"failure_action": "MVP-002 incomplete - remove Zustand token storage fallback",
"related_mvp_fixes": ["MVP-002"]
},
{
"id": "VAL-008",
"title": "Environment Variable Consistency",
"type": "automated",
"status": "todo",
"command": "grep -r 'VITE_API_BASE_URL' apps/web/ || echo 'PASS: No VITE_API_BASE_URL found'",
"expected_result": "0 results (only VITE_API_URL should be used)",
"failure_action": "MVP-006 incomplete - standardize env var names",
"related_mvp_fixes": ["MVP-006"]
},
{
"id": "VAL-009",
"title": "User.id Type Consistency",
"type": "automated",
"status": "todo",
"command": "grep -rn 'id:\\s*number' apps/web/src/types/ apps/web/src/features/auth/types/ 2>/dev/null || echo 'PASS: No number id types'",
"expected_result": "0 results for User-related id: number",
"failure_action": "MVP-003 incomplete - fix remaining number types",
"related_mvp_fixes": ["MVP-003"]
},
{
"id": "VAL-010",
"title": "Remember Me Field Consistency",
"type": "automated",
"status": "todo",
"command": "grep -rn 'rememberMe' apps/web/src/ --include='*.ts' --include='*.tsx' | grep -v node_modules || echo 'PASS: No camelCase rememberMe'",
"expected_result": "0 results (should be remember_me everywhere)",
"failure_action": "MVP-015 incomplete - standardize to snake_case",
"related_mvp_fixes": ["MVP-015"]
}
]
},
{
"id": "PHASE-V2",
"name": "Functional E2E Validation",
"description": "Manual testing of critical user flows",
"priority": "HIGH",
"estimated_effort": "1 hour",
"tasks": [
{
"id": "E2E-001",
"title": "Authentication Flow - Registration",
"type": "manual",
"status": "todo",
"steps": [
"Navigate to /register",
"Fill form with valid data (email, username, password)",
"Submit form",
"Verify redirect to dashboard or confirmation page",
"Verify user data in localStorage (TokenStorage)",
"Verify no 'auth-storage' key in localStorage"
],
"expected_result": "User registered, tokens stored via TokenStorage only",
"failure_indicators": [
"Registration form error",
"API 4xx/5xx response",
"Tokens not stored",
"Multiple storage mechanisms detected"
],
"related_mvp_fixes": ["MVP-002", "MVP-003"]
},
{
"id": "E2E-002",
"title": "Authentication Flow - Login",
"type": "manual",
"status": "todo",
"steps": [
"Logout if logged in",
"Navigate to /login",
"Enter valid credentials",
"Check 'Remember me' checkbox",
"Submit form",
"Verify login success",
"Check localStorage for veza_access_token and veza_refresh_token",
"Verify remember_me was sent correctly (check Network tab)"
],
"expected_result": "Login succeeds, tokens stored, remember_me sent as snake_case",
"failure_indicators": [
"Login rejected",
"Token not stored",
"rememberMe sent instead of remember_me"
],
"related_mvp_fixes": ["MVP-002", "MVP-015"]
},
{
"id": "E2E-003",
"title": "Authentication Flow - Persistence",
"type": "manual",
"status": "todo",
"steps": [
"Ensure logged in",
"Hard refresh the page (Ctrl+Shift+R / Cmd+Shift+R)",
"Verify still logged in",
"Open new tab, navigate to app",
"Verify logged in in new tab",
"Close all tabs, reopen app",
"Verify still logged in (if remember_me was checked)"
],
"expected_result": "Session persists across refresh, tabs, and browser restart",
"failure_indicators": [
"Logged out after refresh",
"Different auth state across tabs",
"Token lost"
],
"related_mvp_fixes": ["MVP-002", "MVP-011"]
},
{
"id": "E2E-004",
"title": "Authentication Flow - Token Refresh",
"type": "manual",
"status": "todo",
"steps": [
"Login with short-lived token (or manually expire token in localStorage)",
"Make API request (e.g., load profile)",
"Check Network tab for refresh token request",
"Verify new tokens stored",
"Verify original request succeeded after refresh"
],
"expected_result": "Token auto-refreshes, request succeeds transparently",
"failure_indicators": [
"401 error shown to user",
"Logged out unexpectedly",
"Multiple refresh requests (race condition)"
],
"related_mvp_fixes": ["MVP-002", "MVP-011"]
},
{
"id": "E2E-005",
"title": "Authentication Flow - Logout",
"type": "manual",
"status": "todo",
"steps": [
"Ensure logged in",
"Click logout",
"Verify redirect to login page",
"Check localStorage - tokens should be cleared",
"Try to access protected route",
"Verify redirected to login"
],
"expected_result": "Clean logout, all tokens cleared, protected routes inaccessible",
"failure_indicators": [
"Tokens remain in localStorage",
"Can still access protected routes",
"Partial state remains"
],
"related_mvp_fixes": ["MVP-002"]
},
{
"id": "E2E-006",
"title": "Profile - View and Edit",
"type": "manual",
"status": "todo",
"steps": [
"Navigate to profile page",
"Verify all user fields displayed (id, email, username, avatar, etc.)",
"Edit a field (e.g., username)",
"Save changes",
"Refresh page",
"Verify changes persisted"
],
"expected_result": "Profile loads with full user data, edits persist",
"failure_indicators": [
"Missing fields (only id, email, role)",
"404 on profile endpoint",
"Edits not saved"
],
"related_mvp_fixes": ["MVP-007", "MVP-009"]
},
{
"id": "E2E-007",
"title": "API Error Handling - Request ID Correlation",
"type": "manual",
"status": "todo",
"steps": [
"Open browser DevTools Console",
"Trigger an API error (e.g., invalid request, 404)",
"Check console for error log",
"Verify request_id is included in log",
"Check Network tab for same request_id in response"
],
"expected_result": "Error logs include request_id matching backend response",
"failure_indicators": [
"No request_id in console",
"request_id mismatch",
"Error not logged"
],
"related_mvp_fixes": ["MVP-013"]
},
{
"id": "E2E-008",
"title": "API Error Handling - Retry Logic",
"type": "manual",
"status": "todo",
"steps": [
"If possible: Stop backend temporarily",
"Or: Use browser DevTools to throttle/block requests",
"Trigger API request",
"Check Network tab for retry attempts",
"Verify exponential backoff timing (1s, 2s, 4s)",
"Restart backend / remove throttle",
"Verify request eventually succeeds or fails gracefully after max retries"
],
"expected_result": "Transient errors (502/503) are retried with backoff",
"failure_indicators": [
"No retry attempts",
"Immediate failure on first error",
"No backoff between retries"
],
"related_mvp_fixes": ["MVP-012"]
},
{
"id": "E2E-009",
"title": "CORS - Cross-Origin Request",
"type": "manual",
"status": "todo",
"steps": [
"Run frontend on localhost:3000",
"Run backend on localhost:8080",
"Make API request from frontend",
"Check Network tab for CORS headers",
"Verify Access-Control-Allow-Origin matches frontend origin",
"Verify Access-Control-Allow-Credentials: true"
],
"expected_result": "CORS headers present and correct, requests succeed",
"failure_indicators": [
"CORS error in console",
"Missing Access-Control headers",
"Preflight (OPTIONS) fails"
],
"related_mvp_fixes": ["MVP-001", "MVP-014"]
},
{
"id": "E2E-010",
"title": "Console Error Check",
"type": "manual",
"status": "todo",
"steps": [
"Open DevTools Console",
"Clear console",
"Navigate through: Login → Dashboard → Profile → Tracks → Playlists → Logout",
"Note any errors or warnings",
"Specifically check for: 404 errors, CORS errors, TypeScript runtime errors"
],
"expected_result": "No unexpected errors in console during normal navigation",
"failure_indicators": [
"404 errors (missing endpoints)",
"CORS errors",
"Uncaught exceptions",
"Type errors"
],
"related_mvp_fixes": ["MVP-008"]
}
]
},
{
"id": "PHASE-V3",
"name": "Remaining Issues Audit",
"description": "Review issues INT-000016 to INT-000030 from original audit",
"priority": "MEDIUM",
"estimated_effort": "1 hour",
"tasks": [
{
"id": "AUDIT-001",
"title": "Review P2 Issues (INT-000016 to INT-000023)",
"type": "audit",
"status": "todo",
"issues_to_review": [
{
"id": "INT-000016",
"title": "Field Name Mismatch: cover_art_path vs cover_art_url",
"severity": "P2",
"check": "Verify if cover_art naming is consistent",
"action_if_found": "Add to next sprint backlog"
},
{
"id": "INT-000017",
"title": "Inconsistent Pagination Response Format",
"severity": "P2",
"check": "Verify pagination format across list endpoints",
"action_if_found": "Document and add to backlog"
},
{
"id": "INT-000018",
"title": "Missing Rate Limit Feedback to User",
"severity": "P2",
"check": "Verify 429 responses show user-friendly message",
"action_if_found": "Add to backlog"
},
{
"id": "INT-000019",
"title": "WebSocket Connection Error Handling",
"severity": "P2",
"check": "Verify chat/real-time features handle disconnects",
"action_if_found": "Add to backlog"
},
{
"id": "INT-000020",
"title": "File Upload Progress Accuracy",
"severity": "P2",
"check": "Verify upload progress is accurate",
"action_if_found": "Add to backlog"
},
{
"id": "INT-000021",
"title": "Search Debounce Missing",
"severity": "P2",
"check": "Verify search inputs have debounce",
"action_if_found": "Add to backlog"
},
{
"id": "INT-000022",
"title": "Optimistic UI Updates Not Rolled Back on Error",
"severity": "P2",
"check": "Verify failed mutations roll back UI state",
"action_if_found": "Add to backlog"
},
{
"id": "INT-000023",
"title": "Date/Time Timezone Handling",
"severity": "P2",
"check": "Verify dates display in user's timezone",
"action_if_found": "Add to backlog"
}
],
"output": "List of P2 issues still present with severity assessment"
},
{
"id": "AUDIT-002",
"title": "Review P3 Issues (INT-000024 to INT-000030)",
"type": "audit",
"status": "todo",
"issues_to_review": [
{
"id": "INT-000024",
"title": "No API Versioning Strategy",
"severity": "P3",
"check": "Verify /api/v1 is used consistently",
"action_if_found": "Document for future"
},
{
"id": "INT-000025",
"title": "Missing OpenAPI/Swagger Documentation",
"severity": "P3",
"check": "Check if API docs exist",
"action_if_found": "Add to tech debt backlog"
},
{
"id": "INT-000026",
"title": "Inconsistent Error Message Formatting",
"severity": "P3",
"check": "Spot check error responses for consistency",
"action_if_found": "Add to tech debt"
},
{
"id": "INT-000027",
"title": "No Rate Limit Headers in Responses",
"severity": "P3",
"check": "Check for X-RateLimit-* headers",
"action_if_found": "Add to tech debt"
},
{
"id": "INT-000028",
"title": "Missing API Documentation Updates",
"severity": "P3",
"check": "Verify FRONTEND_INTEGRATION.md is current",
"action_if_found": "Update docs"
},
{
"id": "INT-000029",
"title": "No Vite Proxy Configuration for Development",
"severity": "P3",
"check": "Verify dev setup works without proxy",
"action_if_found": "Optional improvement"
},
{
"id": "INT-000030",
"title": "Missing HLS Endpoints",
"severity": "P3",
"check": "Verify HLS features are disabled or stubbed",
"action_if_found": "Already handled in MVP-008"
}
],
"output": "List of P3 issues with tech debt assessment"
},
{
"id": "AUDIT-003",
"title": "Regression Detection Scan",
"type": "audit",
"status": "todo",
"checks": [
{
"name": "New TypeScript Errors",
"command": "cd apps/web && npx tsc --noEmit 2>&1 | head -50",
"check": "Any errors introduced by MVP fixes?"
},
{
"name": "New Console Warnings",
"command": "Manual: Check browser console during app usage",
"check": "Any new React warnings, deprecation notices?"
},
{
"name": "New Go Lint Issues",
"command": "cd veza-backend-api && golangci-lint run 2>&1 | head -50",
"check": "Any new lint issues from MVP fixes?"
},
{
"name": "Dead Code Detection",
"command": "grep -r 'TODO.*MVP\\|FIXME.*MVP' apps/web/src/ veza-backend-api/",
"check": "Any incomplete TODOs from MVP work?"
},
{
"name": "Duplicate Code",
"command": "Manual: Review for copy-paste code in MVP fixes",
"check": "Any obvious duplication introduced?"
}
],
"output": "List of regressions or new issues introduced"
},
{
"id": "AUDIT-004",
"title": "Security Quick Scan",
"type": "audit",
"status": "todo",
"checks": [
{
"name": "CSRF Token Implementation",
"check": "Does the CSRF protection actually reject state-changing requests that lack a valid token? (was deferred in MVP-005)",
"status": "Review if MVP-005 was fully implemented or stubbed"
},
{
"name": "Token Storage Security",
"check": "Tokens in localStorage are readable by any script running on the page, so an XSS flaw exposes them",
"status": "Accepted risk for MVP, document for future httpOnly cookie migration"
},
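{
"name": "CORS Wildcard Check",
"check": "No wildcards in production CORS origins (the grep only finds a literal '*' next to AllowOrigins in source; the value supplied through CORS_ALLOWED_ORIGINS must be checked in the deployed configuration as well)",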
"command": "grep -r 'AllowOrigins.*\\*' veza-backend-api/"
},
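{
"name": "Sensitive Data in Logs",
"check": "Tokens/passwords not logged (the command for this check covers frontend console.log calls only; backend logging needs a separate review)",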
"command": "grep -rn 'console.log.*token\\|console.log.*password' apps/web/src/"
}
],
"output": "Security assessment with accepted risks documented"
}
]
},
{
"id": "PHASE-V4",
"name": "Final Report Generation",
"description": "Generate comprehensive integration health report",
"priority": "HIGH",
"estimated_effort": "30 min",
"tasks": [
{
"id": "REPORT-001",
"title": "Calculate New Health Score",
"type": "analysis",
"status": "todo",
"scoring_criteria": {
"compilation": {
"weight": 20,
"checks": ["TypeScript compiles", "Go compiles"],
"score_if_pass": 20,
"score_if_fail": 0
},
"tests": {
"weight": 15,
"checks": ["Frontend tests pass", "Backend tests pass"],
"score_if_pass": 15,
"score_if_fail": 0
},
"auth_flow": {
"weight": 20,
"checks": ["Login", "Logout", "Token refresh", "Persistence"],
"score_if_pass": 20,
"score_if_fail": 5
},
"api_contract": {
"weight": 15,
"checks": ["No 404s", "Consistent response format", "Type safety"],
"score_if_pass": 15,
"score_if_fail": 5
},
"error_handling": {
"weight": 10,
"checks": ["Retry logic", "Error correlation", "User feedback"],
"score_if_pass": 10,
"score_if_fail": 3
},
"security": {
"weight": 10,
"checks": ["CORS configured", "No wildcards in prod", "CSRF exists"],
"score_if_pass": 10,
"score_if_fail": 2
},
"code_quality": {
"weight": 10,
"checks": ["No legacy code", "Consistent naming", "No dead code"],
"score_if_pass": 10,
"score_if_fail": 5
}
},
"output": "Health score out of 100, also converted to a score out of 10"
},
{
"id": "REPORT-002",
"title": "Generate Final Integration Report",
"type": "documentation",
"status": "todo",
"sections": [
"Executive Summary",
"Health Score Breakdown",
"MVP Fixes Verification (15/15)",
"E2E Test Results",
"Remaining Issues (P2/P3)",
"Security Assessment",
"Regressions Detected",
"Recommendations for Next Phase",
"Deployment Readiness Checklist"
],
"output_file": "VEZA_INTEGRATION_FINAL_REPORT.md"
},
{
"id": "REPORT-003",
"title": "Generate Next Phase Todolist (if needed)",
"type": "planning",
"status": "todo",
"condition": "If health score < 8/10 or critical issues found",
"output_file": "VEZA_POST_MVP_TODOLIST.json"
}
]
}
],
"summary": {
"total_tasks": 27,
"by_phase": {
"PHASE-V1 (Technical)": 10,
"PHASE-V2 (E2E)": 10,
"PHASE-V3 (Audit)": 4,
"PHASE-V4 (Report)": 3
},
"by_type": {
"automated": 10,
"manual": 10,
"audit": 4,
"analysis": 1,
"documentation": 1,
"planning": 1
},
"estimated_total_hours": "3-5 hours"
},
"progress_tracking": {
"completed": 0,
"in_progress": 0,
"todo": 27,
"failed": 0,
"last_updated": null,
"completion_percentage": 0
},
"validation_results": {
"technical": {
"typescript_compiles": null,
"go_compiles": null,
"frontend_tests_pass": null,
"backend_tests_pass": null,
"legacy_code_removed": null
},
"functional": {
"auth_flow_works": null,
"profile_works": null,
"error_handling_works": null,
"cors_works": null
},
"audit": {
"p2_issues_remaining": null,
"p3_issues_remaining": null,
"regressions_found": null,
"security_issues": null
},
"final_health_score": null,
"mvp_stable": null
}
}