Step 1 of 6
Diagnose what is fake
Map exactly which parts of auth are theater before rebuilding.
Audit the current auth implementation and report precisely what is real vs fake: Does signup write a user record (show where)? Does login verify a password against a stored hash or accept anything? Where does auth state live and does it survive refresh? Are routes guarded before render? Do backend endpoints check the session? Output a table: component -> current behavior -> required behavior.
Expected after this step
An honest diagnosis table of the entire auth surface.
Should not happen
- ✕Login that accepts any credentials
- ✕Auth state in memory only, gone on refresh
- ✕Protected pages reachable by URL
- ✕APIs serving private data without any session check
Verify before continuing
Do not move on until every check is true. The complete button stays locked until then.
Do not continue if…
- !Login that accepts any credentials
- !Auth state in memory only, gone on refresh
- !Protected pages reachable by URL
- !APIs serving private data without any session check
If the AI messes this up
Use this when the AI fakes progress or breaks the feature. It forces a real fix.
The diagnosis is optimistic guesswork. Trace the actual code paths: run a signup, query the user store, attempt a wrong-password login, and hit a private API logged-out. Report what actually happened.