Add workflow documentation for auth implementation

Include surgical instructions and code review feedback
from authentication feature development.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

2 files changed, 106 insertions, 0 deletions

diff --git a/instructions.md b/instructions.md
new file mode 100644
index 0000000..b01168b
--- /dev/null
+++ b/instructions.md
@@ -0,0 +1,77 @@
+# Surgical Instructions: Wire Up Authentication
+
+## Context
+The `internal/auth` package is fully implemented, and the database migrations are ready. We need to wire everything up in `cmd/dashboard/main.go` and ensure the application is protected.
+
+## Plan
+1.  **Update `cmd/dashboard/main.go`** to initialize sessions, auth service, and protect routes.
+2.  **Verify** the login flow.
+
+## Step 1: Update `cmd/dashboard/main.go`
+
+**Action:** Edit `cmd/dashboard/main.go`.
+
+**Imports to Add:**
+```go
+"github.com/alexedwards/scs/v2"
+"github.com/alexedwards/scs/sqlite3store"
+"task-dashboard/internal/auth"
+```
+
+**Changes in `main()` function:**
+
+1.  **Initialize Session Manager** (After `store` init, before `router` init):
+    ```go
+    // Initialize Session Manager
+    sessionManager := scs.New()
+    sessionManager.Store = sqlite3store.New(store.DB())
+    sessionManager.Lifetime = 24 * time.Hour
+    sessionManager.Cookie.Persist = true
+    sessionManager.Cookie.SameSite = http.SameSiteLaxMode
+    sessionManager.Cookie.Secure = !cfg.Debug
+    ```
+
+2.  **Initialize Auth Service & Handlers** (After `templates` init):
+    ```go
+    // Initialize Auth
+    authService := auth.NewService(store.DB())
+    // Ensure default admin user exists (for development/first run)
+    if err := authService.EnsureDefaultUser("admin", "admin"); err != nil {
+        log.Printf("WARNING: Failed to ensure default user: %v", err)
+    }
+
+    authHandlers := auth.NewHandlers(authService, sessionManager, tmpl)
+    ```
+
+3.  **Configure Router Middleware & Routes**:
+    *   Add `r.Use(sessionManager.LoadAndSave)` to the global middleware stack.
+    *   **Refactor Routes**:
+        *   Keep `/static/*` public.
+        *   Add Public Auth Routes:
+            ```go
+            r.Get("/login", authHandlers.HandleLoginPage)
+            r.Post("/login", authHandlers.HandleLogin)
+            r.Post("/logout", authHandlers.HandleLogout)
+            ```
+        *   **Protect Application Routes**: Wrap the main application routes in a group using `RequireAuth`.
+            ```go
+            r.Group(func(r chi.Router) {
+                r.Use(authHandlers.Middleware().RequireAuth)
+                
+                // Move existing application routes here:
+                r.Get("/", handlers.HandleHome)
+                r.Get("/tabs/{type}", handlers.HandleTab)
+                // ... and any other app routes
+            })
+            ```
+
+## Step 2: Verification
+
+**Action:**
+1.  **Update Dependencies:** Run `go mod tidy` to ensure new imports are tracked correctly.
+2.  **Ensure CSS is built:** Run `npm run build` to generate `web/static/css/output.css`.
+3.  **Run the application:** `go run cmd/dashboard/main.go`.
+4.  **Verify Flow:**
+    *   Accessing `/` should redirect to `/login`.
+    *   Login with `admin` / `admin` should work and redirect to `/`.
+    *   Logout should work and redirect to `/login`.
diff --git a/review_feedback.md b/review_feedback.md
new file mode 100644
index 0000000..7ac8a0d
--- /dev/null
+++ b/review_feedback.md
@@ -0,0 +1,29 @@
+# Review Cycle 2025-05-20
+
+## Status: [NEEDS_FIX]
+
+## Critical Issues (Blocking)
+
+1.  **Missing Tests for Auth Package:**
+    *   The `internal/auth` package has no unit tests.
+    *   **Action:** Create `internal/auth/auth_test.go` and `internal/auth/handlers_test.go` to verify logic (hashing, session management, etc.).
+
+2.  **Missing CSRF Protection:**
+    *   The login form uses POST but lacks a CSRF token. While `SameSite=Lax` helps, it is not a complete defense.
+    *   **Action:** Integrate a CSRF middleware (e.g., `justinas/nosurf` or similar) or manually implement CSRF token verification for state-changing requests.
+
+3.  **Acceptance Tests Outdated:**
+    *   `test/acceptance_test.go` sets up the server manually and bypasses the new authentication middleware.
+    *   **Action:** Update `setupTestServer` in `test/acceptance_test.go` to include the auth middleware and mock the session/auth flow so tests can pass with the new security layer.
+
+## Clean Code Suggestions (Non-Blocking)
+
+1.  **File Renaming:**
+    *   `cmd/dashboard_main.go` was correctly identified as needing a rename. I have performed this rename to `cmd/dashboard/main.go`.
+    *   **Action:** Ensure future edits target `cmd/dashboard/main.go`.
+
+## Praise
+
+*   **Solid Auth Implementation:** The `internal/auth` package is well-structured and easy to read.
+*   **Secure Defaults:** Good use of `bcrypt` for hashing and `scs` for session management with `RenewToken` to prevent session fixation.
+*   **Clean Architecture:** The separation of concerns between Service, Handlers, and Middleware is excellent.