Merge branch 'feature/survey-api'

# Conflicts:
#	.version
#	api/version.go

Author: ericfitz

.claude/skills/test/SKILL.md

@@ -23,6 +23,7 @@ The test suite runs in the following order, with each stage only running if the
 **Default**: PostgreSQL development environment (`make test-integration`)
 
 **Optional**: Oracle ADB can be used if explicitly requested by the user during skill invocation. In that case:
+
 - Use `make test-integration-oci` instead of `make test-integration`
 - May need to reset database with `make reset-db-oci` if requested
 
@@ -101,7 +102,7 @@ If API tests passed, run CATS security fuzzing:
 make cats-fuzz
 ```
 
-This takes approximately 9 minutes. The output will show progress through various fuzzers.
+This takes approximately 25-30 minutes. The output will show progress through various fuzzers. Check status every 5 minutes until the 20 minute mark, and then every minute until the 25 minute mark, and then every 30 seconds thereafter.
 
 ### Step 5: Parse and Analyze CATS Results
 

.gitignore

@@ -13,10 +13,15 @@
 !oapi-codegen-config.yml
 !.golangci.yml
 !vacuum-ruleset.yaml
+!arazzo-spectral.yaml
+!asyncapi-spectral.yaml
+!oas-spectral.yaml
+!ruleset-all.yaml
 !make-containers-dev*.sh
 !Dockerfile*
 !.dockerignore
 !config-example.yml
+!config-test-integration-pg.yml
 !auth/migrations/*.sql
 !.claude/settings.local.json
 !package.json

.version

@@ -1,5 +1,5 @@
 {
   "major": 1,
-  "minor": 3,
-  "patch": 3
+  "minor": 1,
+  "patch": 0
 }

CLAUDE.md

@@ -147,6 +147,7 @@ OAuth 2.0 testing harness with PKCE (RFC 7636) support for manual and automated
 | `POST /refresh` | Refresh access token |
 
 **Quick JWT Retrieval**:
+
 ```bash
 make start-oauth-stub
 curl -X POST http://localhost:8079/flows/start -H 'Content-Type: application/json' -d '{"userid": "alice"}'
@@ -162,6 +163,7 @@ Standalone Go application for testing WebSocket collaborative features.
 - **Location**: `wstest/` directory
 
 **Usage**:
+
 ```bash
 ./wstest --user alice --host --participants "bob,charlie"  # Host mode
 ./wstest --user bob                                        # Participant mode
@@ -349,6 +351,9 @@ When completing any task involving code changes, follow this checklist:
    - Run `make build-server` and fix any build issues
    - Run `make test-unit` and fix any test failures
 4. Suggest a conventional commit message
+5. If the task is associated with a GitHub issue, the task is NOT complete until:
+   - The commit that resolves the issue references the issue (e.g., `Fixes #123` or `Closes #123` in the commit message body)
+   - The issue is closed as "done"
 
 **Note**: Build and test steps are only required when Go files are modified. For non-Go changes (documentation, scripts, configuration), only linting is required.
 
@@ -357,6 +362,7 @@ When completing any task involving code changes, follow this checklist:
 **ALWAYS use conventional commits**
 
 **Conventional Commit Format**:
+
 - Use the format: `<type>(<scope>): <description>`
 - Types: `feat`, `fix`, `docs`, `style`, `refactor`, `test`, `chore`, `perf`, `ci`, `build`, `revert`
 - Scope: Optional, indicates the area of change (e.g., `api`, `auth`, `websocket`, `docs`)
@@ -428,12 +434,12 @@ JWT Middleware → Auth Context → Resource Middleware → Endpoint Handlers
 
 - Always use a normal oauth login flow with the "tmi" provider when performing any development or testing task that requires authentication
 - The oauth-client-callback-stub can receive callbacks from the TMI oauth provider with the token, and you can retrieve the token from the oauth-client-callback-stub with a REST api call.
-    - start stub: make start-oauth-stub
-    - stop stub: make oauth-stub-stop
-    - get JWT:
-        - start the stub
-        - perform a normal authorization request, using http://localhost:8079 as the callback url and specifying a user name as a login_hint
-        - retrieve the JWT from http://localhost:8079/creds?userid=<username-hint>
+  - start stub: make start-oauth-stub
+  - stop stub: make oauth-stub-stop
+  - get JWT:
+    - start the stub
+    - perform a normal authorization request, using http://localhost:8079 as the callback url and specifying a user name as a login_hint
+    - retrieve the JWT from http://localhost:8079/creds?userid=<username-hint>
 
 ### TMI OAuth Provider login_hints
 
@@ -456,7 +462,7 @@ curl "http://localhost:8080/oauth2/authorize?idp=tmi&login_hint=qa-automation"
 
 # Without login_hint - generates random user like 'testuser-12345678@tmi.local'
 curl "http://localhost:8080/oauth2/authorize?idp=tmi"
-````
+```
 
 **Automation Integration**:
 
@@ -479,6 +485,7 @@ OAuth 2.0 Client Credentials Grant (RFC 6749 Section 4.4) for webhooks, addons,
 | `DELETE /me/client_credentials/{id}` | Delete and revoke credential |
 
 **Token Exchange**:
+
 ```bash
 curl -X POST http://localhost:8080/oauth2/token \
   -d "grant_type=client_credentials" -d "client_id=tmi_cc_..." -d "client_secret=..."
@@ -495,7 +502,7 @@ curl -X POST http://localhost:8080/oauth2/token \
 
 TMI uses staticcheck for Go code quality analysis. The project has intentionally kept some staticcheck warnings:
 
-- **Auto-Generated Code**: `api/api.go` contains 338 ST1005 warnings (capitalized error strings)
+- **Auto-Generated Code**: `api/api.go` contains many ST1005 warnings (capitalized error strings)
   - File is generated by oapi-codegen from OpenAPI specification
   - Manual edits would be overwritten on next OpenAPI regeneration
   - Not worth customizing oapi-codegen templates for style compliance
@@ -515,18 +522,6 @@ TMI uses staticcheck for Go code quality analysis. The project has intentionally
 
 ## Agent Instructions
 
-This project uses **bd** (beads) for issue tracking. Run `bd onboard` to get started.
-
-### Quick Reference
-
-```bash
-bd ready              # Find available work
-bd show <id>          # View issue details
-bd update <id> --status in_progress  # Claim work
-bd close <id>         # Complete work
-bd sync               # Sync with git
-```
-
 ### Landing the Plane (Session Completion)
 
 **When ending a work session**, you MUST complete ALL steps below. Work is NOT complete until `git push` succeeds.
@@ -539,7 +534,6 @@ bd sync               # Sync with git
 4. **PUSH TO REMOTE** - This is MANDATORY:
    ```bash
    git pull --rebase
-   bd sync
    git push
    git status  # MUST show "up to date with origin"
    ```