- Add complete agent harness structure with 8 roles (leader, triager, architect, implementer, reviewer, security, qa, documenter) - Implement strict workflow with 9 stages and mandatory gates - Add comprehensive verification script and runtime status tracking - Create artifact-based evidence system with contracts and schemas - Add agent policy matrix with permissions and anti-cheat rules - Include test suite (44 tests passing) and CI-ready structure - Add documentation: README, HOWTO, CHECKPOINTS, templates - Configure model routing policies and token-aware task assignment - Add BDD/SDD specification guides and feature templates - Include starter pack for quick project onboarding All verification checks pass. Framework ready for production use.
58 lines
1.9 KiB
Gherkin
58 lines
1.9 KiB
Gherkin
@F-004 @auth @logout
|
|
Feature: User Logout
|
|
|
|
Background:
|
|
Given the user "alice@example.com" exists with password "SecurePass123!"
|
|
And I am authenticated as "alice@example.com"
|
|
|
|
@positive
|
|
Scenario: Successful logout invalidates current session
|
|
Given my current access token is valid
|
|
When I logout
|
|
Then I should receive confirmation
|
|
And my session should be marked as revoked
|
|
And my access token should no longer be valid
|
|
|
|
@positive
|
|
Scenario: Logout with refresh token also invalidates access
|
|
Given I have a valid refresh token
|
|
When I logout
|
|
Then both access and refresh tokens should be invalid
|
|
And I should not be able to get new access token with refresh
|
|
|
|
@positive
|
|
Scenario: Logout all sessions for user
|
|
Given I am logged in from device "desktop"
|
|
And I am logged in from device "mobile"
|
|
When I logout from all devices
|
|
Then all my sessions should be invalidated
|
|
And I should not be able to use any previous token
|
|
|
|
@negative
|
|
Scenario: Using token after logout returns unauthorized
|
|
Given I previously logged in successfully
|
|
And I have logged out
|
|
When I try to use my old access token
|
|
Then I should receive 401 Unauthorized
|
|
And I should not have access to protected resources
|
|
|
|
@negative
|
|
Scenario: Logout with invalid token does nothing
|
|
Given I have an invalid/expired token
|
|
When I attempt to logout
|
|
Then logout should not fail
|
|
But no session should be affected
|
|
|
|
@security
|
|
Scenario: Concurrent logout requests are handled correctly
|
|
Given my session is valid
|
|
When I send multiple logout requests simultaneously
|
|
Then only one logout operation should occur
|
|
And token should be invalidated only once
|
|
|
|
@smoke
|
|
Scenario: Logout endpoint returns 200 on success
|
|
Given I am authenticated as "alice@example.com"
|
|
When I send POST request to "/api/v1/auth/logout"
|
|
Then response should be 200 OK
|
|
And response should indicate success |