Merged
12 changes: 12 additions & 0 deletions docs/IMPLEMENTATION_MASTERPLAN.md
Expand Up @@ -597,6 +597,18 @@ Delivered in the latest cycle:
- board metrics accuracy verification tests (`#718`/`#749`): 61 tests (51 service + 10 controller) for throughput, cycle time, WIP, blocked cards, done-column heuristic
- notification delivery integration tests (`#719`/`#746`): 36 tests covering all 5 notification types, deduplication, preference filtering, cross-user isolation, batch operations
- wave progress: 15 of 22 `#721` issues now delivered (~886 new tests total); 7 issues remain open
128. Post-adversarial-review hardening and test expansion (PRs `#741`–`#756`, 2026-04-04):
- 9 issues from `#721` tracker plus product telemetry taxonomy, two bug fixes, and six frontend regression test additions
- product telemetry taxonomy delivered (`#341`/`#741`): `docs/product/TELEMETRY_TAXONOMY.md` with 35+ named events, privacy-first bucketing, and R1/R2/R3 launch gate anchors; opt-in, not yet implemented
- board header presence label bug fixed (`#683`/`#744`): username/email flip resolved with `normalizePresenceMembers()` in `BoardView.vue`; adversarial review confirmed no edge cases; 3 new tests
- manual card provenance empty state fixed (`#680`/`#754`): 3 bugs caught and fixed by adversarial review (overly broad 404 swallow, global Axios log regression, empty-state flash); `CardModal.vue` now shows "No capture provenance available." correctly; 4 new tests
- WIP-limit toast dedup regression tests (`#686`/`#745`): 7 tests in `boardStore.wipLimit.spec.ts` for `createCard` and `moveCard`
- auth-flow toast lifecycle tests (`#685`/`#742`): 20 tests in `sessionStore.authToast.spec.ts`; adversarial review fixed timer leak, mock isolation, inverted assertion
- router auth guard + workspace stability tests (`#687`/`#748`): `authGuard.spec.ts` and `workspaceRouteStability.spec.ts` with 16-case exhaustive guard table; pre-existing `AuthControllerEdgeCaseTests.cs` compile error fixed
- inbox triage action visibility tests (`#688`/`#743`): 21 new tests in `InboxView.spec.ts` for single-item triage and bulk action bar visibility
- webhook HMAC verification tests (`#726`/`#750`): 11 tests in `OutboundWebhookHmacDeliveryTests.cs` for header format, round-trip, wrong-key, secret rotation, timing-safe comparison
- webhook delivery reliability + SSRF boundary tests (`#710`/`#756`): 78 total webhook tests across 9 files; SSRF coverage via `OutboundWebhookEndpointGuardTests` for private IP ranges; retry/backoff/dead-letter reliability; `HttpClient` resource leak fixed in tests
- TST-32–TST-57 wave progress updated: 17 of 25 issues now delivered; remaining open: `#705`, `#711`, `#712`, `#716`, `#717`, `#720`, `#723`, `#725`; frontend suite at 1592 passing (up from 1496)

## Current Planning Pivot (2026-03-07)

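Review bot: The first bullet under item 128 ("9 issues from `#721` tracker plus product telemetry taxonomy, two bug fixes, and six frontend regression test additions") reads as nine issues plus nine further deliverables, yet exactly nine bullets follow and the taxonomy and both bug fixes are among them. Reword it so the count and the list agree, for example by saying the nine issues consist of those items. The closing bullet also reports "17 of 25" for TST-32–TST-57 while the unchanged line above reports "15 of 22" with 7 open; if both refer to the same tracker, say why the denominator changed, and note that TST-32 through TST-57 spans 26 identifiers, not 25.
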
50 changes: 50 additions & 0 deletions docs/MANUAL_TEST_CHECKLIST.md
Expand Up @@ -105,6 +105,16 @@ Manual-only checks (non-automatable in generic local script):
9. Logout from top bar.
- Expected: token/session cleared, redirected to `/login`.

**Auth-flow toast regression (PR #742):**
- Attempt login with wrong password.
- Expected: error toast appears with the server-provided reason (e.g. "Invalid credentials").
- Attempt registration with a duplicate email.
- Expected: error toast appears with guidance about the duplicate account.
- Login successfully after a failed attempt.
- Expected: error toast from the failed attempt does not persist; success toast "Logged in successfully" appears.
- Sign in with GitHub OAuth (if configured).
- Expected: success toast "Signed in with GitHub" appears; error toast appears on OAuth failure.

## B. Boards, Columns, Cards, Labels

1. Create board from workspace boards page.
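Review bot: The duplicate-email step expects an "error toast appears with guidance about the duplicate account", which has the registration form confirm to an unauthenticated visitor that an address is already registered. If that disclosure is an accepted trade-off, say so next to the step so a tester does not file it as a finding; if it is not, the expected text should be a neutral message. The wrong-password step has the same gap: "server-provided reason" does not say whether an unknown email and a wrong password must produce the same toast, so add that as an explicit expectation.
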
Expand All @@ -130,10 +140,25 @@ Manual-only checks (non-automatable in generic local script):
- Expected: operation blocked with visible error feedback.
- WIP limit enforcement bug (`#517`) has been resolved; verify regression.

**WIP-limit toast deduplication regression (PR #745):**
- Set a WIP limit of 1 on a column, add a card, then try to add a second card.
- Expected: exactly ONE error toast appears. No duplicate toasts.
- Try to move a card into the same WIP-limit-reached column.
- Expected: exactly ONE error toast. No duplicate toasts.

9. Create card inline.
- Expected: card appears in target column.
10. Open card modal (`Enter` on selected card or click).
- Expected: modal opens with current values.

**Manual card provenance empty state (PR #754):**
- Open a card that was created manually (not via capture/inbox).
- Expected: card detail shows "No capture provenance available." in the provenance area. No error shown. No blank/broken provenance section.
- Open a card created via the capture/inbox flow.
- Expected: card detail shows full capture provenance (source, timestamp, original capture text). The "No capture provenance available." message does NOT appear for captured cards.
- For captured cards, verify the provenance empty state does not flash during the initial load of the captured card's modal.
- Expected: empty state is only shown after load completes and provenance is confirmed absent.

11. Edit title/description, set due date, block with reason, assign labels.
- Expected: updates persist and render in lane.
12. Move card to another column via drag/drop using the `Drag Card` handle.
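Review bot: In the provenance block, the last step is about captured cards, but its expected result ("empty state is only shown after load completes and provenance is confirmed absent") describes the manual-card case. For a captured card the expectation should be that "No capture provenance available." never appears, including while the request is in flight. The step also gives no way to observe a flash by hand; suggest noting that the tester should throttle the network so the load window is visible. Separately, both bold blocks are unnumbered and sit between items 8 and 9 and between items 10 and 11, which can restart list numbering when the Markdown is rendered; making them sub-bullets of the preceding item keeps the sequence intact.
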
Expand All @@ -147,6 +172,12 @@ Manual-only checks (non-automatable in generic local script):
- Expected: label manager modal uses dark workspace theme (design tokens) — no jarring light-theme styling.
- Bug fixed (`#684`/`#692`): modal migrated from hardcoded light-theme classes to design-token-driven dark theme.

**Board header presence label format (PR #744):**
- Open a board with at least one other presence member (or open the same board in two browser tabs with the same user).
- Expected: the current user's presence indicator shows their **username** (e.g. "alice"), NOT their email (e.g. "alice@example.com").
- Expected: when you open a card for editing, the presence label stays as username — it does not switch to email.
- Expected: presence indicators for OTHER users show whatever name the server provides (unaffected by the fix).

## C. Filters and Keyboard Workflow

1. Toggle filter panel with `f`.
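Review bot: The third expectation ("presence indicators for OTHER users show whatever name the server provides (unaffected by the fix)") accepts any server value, including an email address, being shown to other board members. The checklist should state which value peers are meant to see, so that an email appearing there is recorded as a failure or as a tracked follow-up, not as a pass. The setup line also allows "two browser tabs with the same user", which cannot exercise that third expectation; require a second account for it.
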
Expand Down Expand Up @@ -202,6 +233,25 @@ Manual-only checks (non-automatable in generic local script):
- Expected: proposals that expire while the page is open transition to expired state reactively (60-second clock).
- Bug fixed (`#678`+`#690`/`#696`): expired proposals no longer appear actionable; dismiss action now available.

## D2. Router Auth Guard and Workspace State (PR #748)

1. Workspace routes require authentication.
- Navigate to `/workspace/boards` while logged out.
- Expected: redirected to `/login?redirect=%2Fworkspace%2Fboards`.
- Log in. Expected: redirected back to `/workspace/boards`.

2. Expired token cleanup.
- Manually set an expired JWT in localStorage (`taskdeck_token` key with an `exp` in the past), then navigate to any `/workspace/` route.
- Expected: token is cleared from localStorage, user redirected to `/login`.

3. Workspace mode persistence across navigation.
- Switch workspace mode (if applicable) on Home, then navigate to Inbox, then back.
- Expected: workspace mode is unchanged after navigation within the workspace.

4. Logout clears workspace state.
- Log in, navigate into a board, then logout from the top bar.
- Expected: after logging back in, workspace state is fresh (no stale board context from previous session).

## E. Inbox and Notifications Continuity

1. Open `/workspace/inbox?boardId={boardId}` after creating a board-scoped capture.
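Review bot: Step 1 of section D2 checks only that a same-origin path round-trips through `redirect`, and nothing in the section checks what happens when the parameter is not an in-app path. Add a step that opens `/login` with a `redirect` value pointing off-site and expects a fallback to the default workspace route after login. Step 2 covers only a well-formed token with a past `exp`; add a malformed value under `taskdeck_token` with the same expected cleanup, and state that an API call with the expired token is rejected by the server, so the check does not rest on the client-side guard alone.
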
12 changes: 11 additions & 1 deletion docs/STATUS.md
@@ -1,6 +1,6 @@
# Taskdeck Status (Source of Truth)

Last Updated: 2026-04-04 (wave 2)
Last Updated: 2026-04-04
<br>
Status Owner: Repository maintainers
Authoritative Scope: Current implementation, verified test execution, and active phase progress
Expand Down Expand Up @@ -78,6 +78,16 @@ Current constraints are mostly hardening and consistency:
- **Proposal lifecycle edge cases** (`#708`/`#736`): 74 tests (42 domain + 25 application + 7 api) covering expiry timing boundaries, double-apply prevention, comprehensive state machine violations, dismissal edge cases, operation mutation guards, batch expiry, worker-vs-manual race conditions; adversarial review fixed clock-resolution flakiness and added 5 new edge case tests
- **OAuth/auth edge case tests** (`#707`/`#737`): 44 tests covering login/registration edge cases, token validation (malformed/expired/wrong-key/missing-claims), OAuth code exchange, open redirect prevention, middleware enforcement; **found and fixed production bug**: `ExternalLoginAsync` `Substring(0, 50)` overflow for short usernames
- **MCP full resource and tool inventory** (`#653`/`#739`): 9 resources under `taskdeck://` URI scheme + 11 tools (2 read + 6 write + 3 proposal management); all write tools produce proposals per GP-06; `approve_proposal` intentionally excluded; 42 MCP-specific tests; **adversarial review found and fixed user-scoping gap** on proposal resources/tools
- Post-adversarial-review hardening and test expansion wave (2026-04-04, PRs `#741`–`#756`, 9 issues):
- **Product telemetry taxonomy** (`#341`/`#741`): `docs/product/TELEMETRY_TAXONOMY.md` defines 35+ named events across 7 categories (Capture, Proposal/Review, Board, Auth, Navigation, Agent, Error) with `noun.verb` naming convention, universal envelope, privacy guardrails (bucketed counts, no PII), and R1/R2/R3 launch gate anchors; telemetry is opt-in and not yet implemented
- **Board header presence label fixed** (`#683`/`#744`): `normalizePresenceMembers()` in `BoardView.vue` now replaces current user's SignalR `displayName` with locally-known username, eliminating email/username flip on card open; 3 new tests
- **Manual card provenance empty state** (`#680`/`#754`): `cardsApi.getCardProvenance()` now returns null only for "Capture provenance not found" 404s (not all 404s); CardModal shows "No capture provenance available." with `loadedCaptureProvenanceCardId` guard against flash; 4 new tests; adversarial review caught and fixed 3 bugs (overly broad 404 catch, global Axios log-level regression, empty-state flash)
- **WIP-limit duplicate toast regression** (`#686`/`#745`): 7 regression tests in `boardStore.wipLimit.spec.ts` guard against future double-toast on WIP limit violations for createCard and moveCard
- **Auth-flow toast regression coverage** (`#685`/`#742`): 20 tests in `sessionStore.authToast.spec.ts` covering login/register/OAuth failure and success toast lifecycle, isolation, and auto-removal; adversarial review fixed timer leak, mock isolation, and inverted assertion
- **Route and workspace-state stability** (`#687`/`#748`): `authGuard.spec.ts` (auth guard decision table) and `workspaceRouteStability.spec.ts` (mode persistence, hydration drift, resetForLogout) with 16-case exhaustive guard table; also fixed pre-existing `AuthControllerEdgeCaseTests.cs` compile error
- **Inbox triage action visibility** (`#688`/`#743`): 21 new tests in `InboxView.spec.ts` covering single-item triage action states and bulk action bar visibility with DOM-level assertions
- **Webhook HMAC signature verification** (`#726`/`#750`): 11 tests in `OutboundWebhookHmacDeliveryTests.cs` covering header format, HMAC round-trip, wrong-key rejection, secret rotation, large payload, and timing-safe comparison; adversarial review fixed rotation test and replaced BCL-testing stubs with real domain property tests
- **Webhook delivery reliability and SSRF boundary** (`#710`/`#756`): 78 webhook tests across 9 files (endpoint guard, service, signature, delivery worker, HMAC delivery, API, repository, domain delivery, domain subscription); SSRF coverage via `OutboundWebhookEndpointGuardTests` includes private IPv4/IPv6 ranges; delivery reliability covers retry/backoff, dead-letter, concurrent delivery, HMAC at worker boundary; `HttpClient` resource leak fixed in tests

Target experience metrics for the capture direction:
- capture action to saved artifact should feel under 10 seconds in normal use
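Review bot: The webhook delivery bullet states SSRF coverage as "includes private IPv4/IPv6 ranges", which leaves a reader unable to tell what `OutboundWebhookEndpointGuardTests` does not cover. Since this file is the source of truth, list the boundary explicitly: whether loopback, link-local, IPv4-mapped IPv6, hostnames that resolve to internal addresses, and HTTP redirects followed during delivery are tested, and mark any that are not as open. The HMAC bullet has a similar gap: "timing-safe comparison" is listed as covered by tests, so say what the test asserts (for example that a constant-time comparison routine is used), since a unit test cannot demonstrate timing behaviour directly.
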