# Session State

## Active Task
None - Authentication implementation complete.

## Recent Changes
*   **Task 002:** Implemented session-based authentication.
    *   Added `scs` session manager with SQLite store.
    *   Added `bcrypt` password hashing via `golang.org/x/crypto`.
    *   Created `internal/auth` package with `Service`, `Middleware`, and `Handlers`.
    *   Created migration `004_add_auth.sql` (users + sessions tables).
    *   Created `login.html` template.
    *   Added logout button to dashboard header.
    *   Protected all routes except `/login`, `/logout`, and `/static/*`.
    *   Default user: `admin` / `changeme` (configurable via `DEFAULT_USER`/`DEFAULT_PASS` env vars).
*   **Task 001:** Removed Obsidian functionality.

## Next Steps
1.  **Commit** the authentication changes.
2.  **Test manually** by running the server and logging in.
3.  **Optional:** Add auth tests to `internal/auth`.
4.  **Optional:** Add password change functionality.