Diffstat (limited to 'instructions.md')
| -rw-r--r-- | instructions.md | 77 |
1 files changed, 77 insertions, 0 deletions
diff --git a/instructions.md b/instructions.md new file mode 100644 index 0000000..b01168b --- /dev/null +++ b/instructions.md 
@@ -0,0 +1,77 @@ +# Surgical Instructions: Wire Up Authentication + +## Context +The `internal/auth` package is fully implemented, and the database migrations are ready. We need to wire everything up in `cmd/dashboard/main.go` and ensure the application is protected. + +## Plan +1. **Update `cmd/dashboard/main.go`** to initialize sessions, auth service, and protect routes. +2. **Verify** the login flow. + +## Step 1: Update `cmd/dashboard/main.go` + +**Action:** Edit `cmd/dashboard/main.go`. + +**Imports to Add:** +```go +"github.com/alexedwards/scs/v2" +"github.com/alexedwards/scs/sqlite3store" +"task-dashboard/internal/auth" +``` + +**Changes in `main()` function:** + +1. **Initialize Session Manager** (After `store` init, before `router` init): + ```go + // Initialize Session Manager + sessionManager := scs.New() + sessionManager.Store = sqlite3store.New(store.DB()) + sessionManager.Lifetime = 24 * time.Hour + sessionManager.Cookie.Persist = true + sessionManager.Cookie.SameSite = http.SameSiteLaxMode + sessionManager.Cookie.Secure = !cfg.Debug + ``` + +2. **Initialize Auth Service & Handlers** (After `templates` init): + ```go + // Initialize Auth + authService := auth.NewService(store.DB()) + // Ensure default admin user exists (for development/first run) + if err := authService.EnsureDefaultUser("admin", "admin"); err != nil { + log.Printf("WARNING: Failed to ensure default user: %v", err) + } + + authHandlers := auth.NewHandlers(authService, sessionManager, tmpl) + ``` + +3. **Configure Router Middleware & Routes**: + * Add `r.Use(sessionManager.LoadAndSave)` to the global middleware stack. + * **Refactor Routes**: + * Keep `/static/*` public. + * Add Public Auth Routes: + ```go + r.Get("/login", authHandlers.HandleLoginPage) + r.Post("/login", authHandlers.HandleLogin) + r.Post("/logout", authHandlers.HandleLogout) + ``` + * **Protect Application Routes**: Wrap the main application routes in a group using `RequireAuth`. 
+ ```go + r.Group(func(r chi.Router) { + r.Use(authHandlers.Middleware().RequireAuth) + + // Move existing application routes here: + r.Get("/", handlers.HandleHome) + r.Get("/tabs/{type}", handlers.HandleTab) + // ... and any other app routes + }) + ``` + +## Step 2: Verification + +**Action:** +1. **Update Dependencies:** Run `go mod tidy` to ensure new imports are tracked correctly. +2. **Ensure CSS is built:** Run `npm run build` to generate `web/static/css/output.css`. +3. **Run the application:** `go run cmd/dashboard/main.go`. +4. **Verify Flow:** + * Accessing `/` should redirect to `/login`. + * Login with `admin` / `admin` should work and redirect to `/`. + * Logout should work and redirect to `/login`. |
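Review bot: In step 2 of "Changes in `main()`", `authService.EnsureDefaultUser("admin", "admin")` runs on every start with a fixed, guessable credential. The comment says it is for development/first run, but nothing gates it. `cfg.Debug` is already consulted for `sessionManager.Cookie.Secure = !cfg.Debug`, so the same flag could guard this call. Alternatively, the initial password could come from configuration rather than a literal in the instructions. A failure here is only logged as a warning, so the instructions should state whether the server is meant to keep starting with no usable account. Step 2's "Verify Flow" covers only the success path and the redirect for `/`; it would be worth adding checks that a wrong password is rejected and that `/tabs/{type}` also redirects to `/login` without a session, since the "... and any other app routes" line leaves it to the implementer to move every route into the `RequireAuth` group.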
