#!/usr/bin/env bash
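set -euo pipefail

# Scenario setup: build a throwaway git repository that contains only a copy of
# requirements-state.sh, so the helper is exercised against fixture data and
# never against the real working tree.
script_dir="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)"
tmp_root="$(mktemp -d)"
# Single quotes defer expansion until the trap fires. `--` stops option parsing
# and `${tmp_root:?}` aborts the cleanup rather than running `rm -rf` on an
# empty path if the variable is ever cleared.
trap 'rm -rf -- "${tmp_root:?}"' EXIT

mkdir -p "$tmp_root/ai/commands" \
  "$tmp_root/ai/requirements/active" \
  "$tmp_root/ai/fixtures/requirements/auth-admin-bootstrap"

cp -- "$script_dir/requirements-state.sh" "$tmp_root/ai/commands/requirements-state.sh"
chmod +x "$tmp_root/ai/commands/requirements-state.sh"

git -C "$tmp_root" init -q
# Identity is set per-repository so the commit works on machines with no global
# git identity; example.invalid is a reserved, non-routable domain.
git -C "$tmp_root" config user.email "requirements-scenarios@example.invalid"
git -C "$tmp_root" config user.name "Requirements Scenarios"
# A developer or CI account may enforce commit signing globally. The baseline
# commit below is disposable, so signing is disabled for this repo only to keep
# the test from failing or prompting for a key.
git -C "$tmp_root" config commit.gpgsign false
git -C "$tmp_root" add ai/commands
git -C "$tmp_root" commit -q -m "baseline requirements helper"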

#######################################
# Fail the scenario unless a captured text includes a fragment.
# Arguments: $1 - text to search
#            $2 - fragment that must appear (compared literally, not as a glob)
# Outputs:   on mismatch, the expectation and the full text go to stderr
# Returns:   0 when the fragment is found; otherwise exits the shell with 1
#######################################
assert_contains() {
  local haystack="$1"
  local needle="$2"
  case "$haystack" in
    *"$needle"*) return 0 ;;
  esac
  printf '%s\n' "Expected output to contain: $needle" "Actual output:" "$haystack" >&2
  exit 1
}

#######################################
# Fail the scenario if a captured text includes a fragment.
# Arguments: $1 - text to search
#            $2 - fragment that must be absent (compared literally, not as a glob)
# Outputs:   on a match, the expectation and the full text go to stderr
# Returns:   0 when the fragment is absent; otherwise exits the shell with 1
#######################################
assert_not_contains() {
  local haystack="$1"
  local forbidden="$2"
  [[ "$haystack" == *"$forbidden"* ]] || return 0
  printf '%s\n' "Expected output not to contain: $forbidden" "Actual output:" "$haystack" >&2
  exit 1
}

# Working files for the scenario, all located under the throwaway repository.
fixture_dir="$tmp_root/ai/fixtures/requirements/auth-admin-bootstrap"
rough_fixture="$fixture_dir/rough-idea.md"
answers_fixture="$fixture_dir/clarification-answers.md"
requirements_file="$tmp_root/ai/requirements/active/requirements-000999-auth-admin-bootstrap.md"

# Intentionally underspecified feature request: it leaves registration,
# first-admin bootstrap, bootstrap shutoff and reset/MFA scope undecided.
# The quoted delimiter keeps the body literal (no expansion).
cat <<'EOF' > "$rough_fixture"
# Rough Idea: Auth/Admin Bootstrap

Need login/logout and some way to create the first admin. Admins should be able
to create users or invite them. The frontend should show admin menu items only
for admins. Make it testable locally. Not sure if public signup is allowed, how
first admin works, whether bootstrap shuts off, or whether password reset/MFA is
in scope.
EOF

# Policy decisions that close each gap left open by the rough idea. The
# backticks are literal Markdown because the delimiter is quoted.
cat <<'EOF' > "$answers_fixture"
# Clarification Answers: Auth/Admin Bootstrap

- Public registration is not allowed.
- The first user can self-bootstrap as admin only when no admin exists.
- Bootstrap is disabled after the first admin exists.
- Admins create users directly for the first implementation; email invites are out of scope.
- Roles are `admin` and `user`.
- Password reset and MFA are out of scope for the first implementation.
- Local/dev/test flows must use deterministic fixture users and cleanup.
- Production credentials and production data must never be required by tests.
EOF

# Stage 1: a requirements document whose Requirements Review section records a
# BLOCKED verdict and lists every undecided auth/bootstrap policy as a blocker.
cat <<'EOF' > "$requirements_file"
---
Status: Active
Owner Role: Requirements Intake
Created: 2026-05-10
Approved:
Depends On:
Validation: ai/commands/requirements-state.sh
---

# Auth/Admin Bootstrap Requirements Simulation

## Raw Idea

Need login/logout and first admin setup. Admins should create or invite users.
Frontend should show admin menu items for admins. Make it locally testable.

## User Perspective

An operator needs a controlled way to create the first admin and manage basic users.

## User Workflows

- First operator reaches bootstrap.
- Admin logs in and sees admin navigation.

## Functional Requirements

- Login and logout are available.
- Admin-only visibility is required.

## Non-Functional Requirements

- Local tests must avoid production credentials.

## Data / Model Requirements

- User role is required.

## Permissions / Auth Requirements

- Admin-only user management is required.

## UI / UX Requirements

- Admin menu visibility depends on role.

## Out Of Scope

- Pending clarification.

## Assumptions

- Pending clarification.

## Open Questions

- Is public registration allowed?
- Can first user self-bootstrap as admin?
- Is bootstrap disabled after first admin exists?
- Are users invited by email or created directly?
- What role model is required?
- Are password reset and MFA in scope?
- What are local/dev/test constraints?

## Acceptance Criteria

- Requirements Review blocks until bootstrap, registration, role, user creation, and test-safety decisions are answered.

## Runtime Smoke Expectations

- Pending clarification.

## Risks

- Bootstrap policy could be insecure if invented during implementation.

## Requirements Intake Notes

- Rough idea is intentionally incomplete.

## Requirements Review

- Verdict: BLOCKED.
- Blockers: public registration decision missing; first-admin bootstrap policy missing; bootstrap shutoff missing; user invite/create behavior missing; role model missing; password reset/MFA scope missing; local/dev/test constraints missing.
- Recommended Next Action: Answer clarification questions before chunk planning.

## Chunk Plan

(none)

## Pass History

### Requirements Intake Pass 1

- Role: Requirements Intake
- Date: 2026-05-10
- Goal: Convert rough idea into reviewable questions.
- Result: Draft created but blocked by missing policy decisions.
- Blockers: Clarification answers required.
- Validation: ai/commands/requirements-state.sh passed with expected BLOCKED verdict.
- Cleanup: Temporary fixture only.
- Recommended Next Action: Simulate clarification answers.
EOF

# With `set -e` active, a non-zero exit from the helper stops the script at this
# assignment, so the checks below only run when the helper exits 0 while
# reporting the BLOCKED verdict.
pre_state="$("$tmp_root/ai/commands/requirements-state.sh" "$requirements_file")"
for expected_fragment in \
  "Requirements Review verdict: BLOCKED." \
  "public registration decision missing" \
  "first-admin bootstrap policy missing" \
  "role model missing"; do
  assert_contains "$pre_state" "$expected_fragment"
done
# The gate must not report a pass while the policy questions are unanswered.
assert_not_contains "$pre_state" "Requirements Review verdict: PASS"

# Confirm the clarification fixture states every policy decision the scenario
# relies on. These checks read a file this script wrote itself, so they guard
# against fixture drift and do not exercise requirements-state.sh.
answers="$(<"$answers_fixture")"
for decision in \
  "Public registration is not allowed" \
  "first user can self-bootstrap as admin only when no admin exists" \
  "Bootstrap is disabled after the first admin exists" \
  "Admins create users directly" \
  'Roles are `admin` and `user`' \
  "Password reset and MFA are out of scope" \
  "Local/dev/test flows must use deterministic fixture users and cleanup"; do
  assert_contains "$answers" "$decision"
done

# Stage 2: overwrite the requirements document with the clarified version. Its
# verdict is PASS for simulation planning only, and it states explicitly that it
# is not approved product requirements.
cat <<'EOF' > "$requirements_file"
---
Status: Active
Owner Role: Requirements Review
Created: 2026-05-10
Approved:
Depends On:
Validation: ai/commands/requirements-state.sh
---

# Auth/Admin Bootstrap Requirements Simulation

## Raw Idea

Source fixture: ai/fixtures/requirements/auth-admin-bootstrap/rough-idea.md.

## User Perspective

An operator needs a local-safe and production-safe way to bootstrap the first
admin, sign in and out, and let admins create basic users.

## User Workflows

- First operator self-bootstraps as admin only when no admin exists.
- Admin logs in, sees admin navigation, and creates a user.
- Normal user logs in and does not see admin navigation.

## Functional Requirements

- Public registration is disabled.
- First-user admin bootstrap is allowed only while no admin exists.
- Bootstrap is disabled after the first admin exists.
- Admins create users directly in the first implementation.
- Login and logout are available for admin and normal users.

## Non-Functional Requirements

- Tests must be deterministic and local/dev safe.
- No production credentials or production data are required.

## Data / Model Requirements

- Users have `admin` or `user` role.
- Scenario users use deterministic prefixes and cleanup.

## Permissions / Auth Requirements

- Admin-only user management requires `admin` role.
- Normal users cannot see or use admin user-management actions.

## UI / UX Requirements

- Admin menu appears only for admins.
- Normal users see only non-admin navigation.

## Out Of Scope

- Email invites.
- Password reset.
- MFA.
- Production bootstrap operations.

## Assumptions

- This is a deterministic simulation fixture, not approved product requirements.
- Human approval is still required before real auth/admin implementation.

## Open Questions

- None for simulation planning readiness.

## Acceptance Criteria

- Requirements Review is BLOCKED before clarification answers.
- Clarification answers resolve registration, bootstrap, role, user creation, and test-safety gaps.
- Post-clarification requirements are planning-ready in simulation only.
- Chunk plan is derived from clarified requirements.

## Runtime Smoke Expectations

- Future product chunks need backend/API scenario tests and frontend/browser smoke.

## Risks

- Human approval is still needed for real production bootstrap policy.

## Requirements Intake Notes

- Derived from rough idea and clarification fixtures.

## Requirements Review

- Verdict: PASS for simulation planning readiness only.
- Blockers: None for deterministic simulation; not approved product requirements.
- Recommended Next Action: Use chunk plan outline for future human-approved requirements work.

## Chunk Plan

### Chunk 1: Finalize Human-Approved Auth/Admin Requirements

- Depends On: deterministic simulation report.
- Validation: requirements-state and human approval.

### Chunk 2: Backend Auth/Admin API Scenario Harness

- Depends On: approved requirements.
- Validation: backend unit/e2e and local scenario cleanup.

### Chunk 3: Frontend Admin Visibility Smoke

- Depends On: backend API behavior or fixtures.
- Validation: component tests and browser smoke when available.

### Chunk 4: Orchestrated Developer/QA Product Implementation

- Depends On: approved requirements and scenario harnesses.
- Validation: full workflow gates plus runtime smoke.

## Pass History

### Requirements Intake Pass 1

- Role: Requirements Intake
- Date: 2026-05-10
- Goal: Convert rough idea into clarified requirements simulation.
- Result: Clarification answers resolved named gaps.
- Blockers: None for simulation.
- Validation: Fixture assertions passed.
- Cleanup: Temporary fixture only.
- Recommended Next Action: Requirements Review simulation.

### Requirements Review Pass 1

- Role: Requirements Review
- Date: 2026-05-10
- Goal: Review clarified requirements for planning readiness.
- Verdict: PASS for simulation planning readiness only.
- Blockers: None for simulation; human approval still required for real product implementation.
- Validation: ai/commands/requirements-state.sh passed.
- Cleanup: Temporary fixture only.
- Recommended Next Action: Simulated chunk planning.
EOF

# Helper run against the explicit file path: the gate should now report the
# qualified PASS verdict, a chunk plan and no blockers.
# NOTE(review): "  - none" is a plain substring match, so it does not prove the
# line sits directly under "Gate blockers:".
post_state="$("$tmp_root/ai/commands/requirements-state.sh" "$requirements_file")"
for expected_fragment in \
  "Requirements Review verdict: PASS FOR SIMULATION PLANNING READINESS ONLY." \
  "Chunk plan: present" \
  "Gate blockers:" \
  "  - none"; do
  assert_contains "$post_state" "$expected_fragment"
done

# Helper run with no argument: it is expected to report the single active
# requirements file by itself.
active_state="$("$tmp_root/ai/commands/requirements-state.sh")"
assert_contains "$active_state" "Active requirements count: 1"
assert_contains "$active_state" "requirements-000999-auth-admin-bootstrap.md"

# The document itself must keep its "simulation only" caveats and name the
# planned chunks, so a PASS here cannot be read as product approval.
requirements_text="$(<"$requirements_file")"
for required_text in \
  "not approved product requirements" \
  "Human approval is still required" \
  "Backend Auth/Admin API Scenario Harness" \
  "Frontend Admin Visibility Smoke"; do
  assert_contains "$requirements_text" "$required_text"
done

printf '%s\n' "requirements lifecycle scenario tests passed"
