refactor: complete bootstrap of ARNES agent harness framework
- Add complete agent harness structure with 8 roles (leader, triager, architect, implementer, reviewer, security, qa, documenter) - Implement strict workflow with 9 stages and mandatory gates - Add comprehensive verification script and runtime status tracking - Create artifact-based evidence system with contracts and schemas - Add agent policy matrix with permissions and anti-cheat rules - Include test suite (44 tests passing) and CI-ready structure - Add documentation: README, HOWTO, CHECKPOINTS, templates - Configure model routing policies and token-aware task assignment - Add BDD/SDD specification guides and feature templates - Include starter pack for quick project onboarding All verification checks pass. Framework ready for production use.
This commit is contained in:
58
spec/bdd/features/auth/logout.feature
Normal file
58
spec/bdd/features/auth/logout.feature
Normal file
@@ -0,0 +1,58 @@
|
||||
@F-004 @auth @logout
|
||||
Feature: User Logout
|
||||
|
||||
Background:
|
||||
Given the user "alice@example.com" exists with password "SecurePass123!"
|
||||
And I am authenticated as "alice@example.com"
|
||||
|
||||
@positive
|
||||
Scenario: Successful logout invalidates current session
|
||||
Given my current access token is valid
|
||||
When I logout
|
||||
Then I should receive confirmation
|
||||
And my session should be marked as revoked
|
||||
And my access token should no longer be valid
|
||||
|
||||
@positive
|
||||
Scenario: Logout with refresh token also invalidates access
|
||||
Given I have a valid refresh token
|
||||
When I logout
|
||||
Then both access and refresh tokens should be invalid
|
||||
And I should not be able to get new access token with refresh
|
||||
|
||||
@positive
|
||||
Scenario: Logout all sessions for user
|
||||
Given I am logged in from device "desktop"
|
||||
And I am logged in from device "mobile"
|
||||
When I logout from all devices
|
||||
Then all my sessions should be invalidated
|
||||
And I should not be able to use any previous token
|
||||
|
||||
@negative
|
||||
Scenario: Using token after logout returns unauthorized
|
||||
Given I previously logged in successfully
|
||||
And I have logged out
|
||||
When I try to use my old access token
|
||||
Then I should receive 401 Unauthorized
|
||||
And I should not have access to protected resources
|
||||
|
||||
@negative
|
||||
Scenario: Logout with invalid token does nothing
|
||||
Given I have an invalid/expired token
|
||||
When I attempt to logout
|
||||
Then logout should not fail
|
||||
But no session should be affected
|
||||
|
||||
@security
|
||||
Scenario: Concurrent logout requests are handled correctly
|
||||
Given my session is valid
|
||||
When I send multiple logout requests simultaneously
|
||||
Then only one logout operation should occur
|
||||
And token should be invalidated only once
|
||||
|
||||
@smoke
|
||||
Scenario: Logout endpoint returns 200 on success
|
||||
Given I am authenticated as "alice@example.com"
|
||||
When I send POST request to "/api/v1/auth/logout"
|
||||
Then response should be 200 OK
|
||||
And response should indicate success
|
||||
Reference in New Issue
Block a user