docs(web): archive signed-out shell guards sprint

This commit is contained in:
master
2026-03-08 15:28:20 +02:00
parent 42b761d471
commit cf6ad22ebf

@@ -1,86 +0,0 @@
# Sprint 20260307-014 - FE Signed-Out Shell Bootstrap Auth Guards
## Topic & Scope
- Eliminate signed-out `/welcome` shell requests that currently hit authenticated context and Doctor endpoints before a session exists.
- Start background shell services only when the authenticated shell is active, and stop them when the user leaves that state.
- Add focused Angular tests for the bootstrap gating, then verify `/welcome` with live Playwright to prove the browser stops emitting `401` bootstrap noise.
- Working directory: `src/Web/StellaOps.Web`.
- Expected evidence: focused Angular tests, live Playwright request tracing on `https://stella-ops.local/welcome`, and sprint execution log updates.
## Dependencies & Concurrency
- Depends on the just-landed release-health iteration (`SPRINT_20260307_012` and `SPRINT_20260307_013`) because the new defect was discovered during the topology Playwright sweep that followed those fixes.
- Safe parallelism: stay inside `src/Web/StellaOps.Web` plus sprint updates; do not touch unrelated navigation/settings/sidebar work already in progress from other agents.
- Scope is limited to signed-out shell bootstrap behavior, not broader auth UX or welcome-page visual work.
## Documentation Prerequisites
- `src/Web/StellaOps.Web/AGENTS.md`
- `src/Web/StellaOps.Web/src/app/app.component.ts`
- `src/Web/StellaOps.Web/src/app/core/context/platform-context-url-sync.service.ts`
- `src/Web/StellaOps.Web/src/app/core/doctor/doctor-trend.service.ts`
- `src/Web/StellaOps.Web/src/app/core/doctor/doctor-notification.service.ts`
## Delivery Tracker
### FE-AUTH-001 - Reproduce signed-out shell bootstrap traffic
Status: DONE
Dependency: none
Owners: QA
Task description:
- Replay `/welcome` and a signed-out transition into the app shell with real Playwright.
- Capture the exact unauthorized requests instead of treating console errors as generic flake.
Completion criteria:
- [x] Live Playwright captures the concrete `401` request set.
- [x] Root cause is reduced to specific shell bootstrap call sites.
### FE-AUTH-002 - Gate shell background services behind authenticated shell state
Status: DONE
Dependency: FE-AUTH-001
Owners: Developer
Task description:
- Update app-shell bootstrap behavior so Platform context sync and Doctor background services only start when the authenticated shell is active.
- Ensure background polling stops cleanly when the user leaves authenticated shell state.
Completion criteria:
- [x] Signed-out `/welcome` no longer starts protected Platform context bootstrap.
- [x] Signed-out shell no longer starts Doctor trend/report background polling.
- [x] Authenticated shell still starts the required background services.
### FE-AUTH-003 - Add focused Angular coverage for bootstrap gating
Status: DONE
Dependency: FE-AUTH-002
Owners: Test Automation
Task description:
- Add focused tests around `AppComponent` bootstrap behavior and any touched shell services.
- Verify the tests assert start/stop behavior, not just component creation.
Completion criteria:
- [x] Focused Angular tests fail before the fix and pass after it.
- [x] Tests cover both signed-out suppression and authenticated-shell startup.
### FE-AUTH-004 - Replay `/welcome` with live Playwright
Status: DONE
Dependency: FE-AUTH-003
Owners: QA
Task description:
- Re-run a live Playwright trace on `/welcome` and capture console plus network evidence after the fix.
- Confirm the page remains interactive and the previous unauthorized bootstrap requests are gone.
Completion criteria:
- [x] Live Playwright on `/welcome` shows no `401` bootstrap requests from Platform context or Doctor endpoints.
- [x] The sign-in action remains available and the page stays responsive.
## Execution Log
| Date (UTC) | Update | Owner |
| --- | --- | --- |
| 2026-03-07 | Sprint created after live Playwright on topology/release-health showed repeated signed-out `401` requests on `/welcome` for `/api/v2/context/*` and `/api/v1/doctor/scheduler/trends/categories/*`, traced to unconditional shell bootstrap startup. | QA |
| 2026-03-07 | Gated shell bootstrap startup behind authenticated shell state in `AppComponent`, added stop semantics to the Doctor background services, and guarded `PlatformContextStore` against unauthenticated protected requests. Focused Angular coverage passed via `npx ng test --watch=false --include src/app/app.component.spec.ts --include src/app/core/context/platform-context.store.spec.ts`. | Developer |
| 2026-03-07 | Replayed signed-out `/welcome` with live Playwright on the rebuilt bundle. The page rendered with no console errors, no `401` responses, and the primary sign-in action still navigated to the Authority `/connect/authorize` flow. | QA |
## Decisions & Risks
- Decision: fix the startup sequencing at the shell bootstrap layer instead of swallowing `401` responses, because the browser should not emit protected requests before auth exists.
- Decision: add defense-in-depth guards in both `AppComponent` and the background/context services so signed-out routes remain quiet even if a future caller starts those services too early.
- Risk: the app currently starts long-lived background services from `AppComponent`, so the fix must preserve authenticated behavior while preventing duplicate timers or stale polling after logout.
## Next Checkpoints
- 2026-03-07: continue the Playwright page/action sweep from the signed-out/authenticated shell surfaces outward.
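
Review bot: no archived copy of this sprint is visible next to the `@@ -1,86 +0,0 @@` removal, so as shown the change reads as a plain delete rather than the "archive" the commit message describes. Please confirm that the same commit adds the file at its archive location, or include that addition here. The Decisions & Risks section is the only place in these lines that records why `401` responses are not swallowed and why the guards sit in both `AppComponent` and the background/context services, and it also carries the risk about duplicate timers or stale polling after logout. That rationale should stay reachable from the touched code's documentation. The Next Checkpoints entry ("continue the Playwright page/action sweep ...") is still forward-looking and has no owner, so move it into an active sprint before this file leaves the working set.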