# Surgical Instructions: Wire Up Authentication

## Context

The `internal/auth` package is fully implemented, and the database migrations are ready. We need to wire everything up in `cmd/dashboard/main.go` and ensure the application is protected.

## Plan

1. **Update `cmd/dashboard/main.go`** to initialize sessions, auth service, and protect routes.
2. **Verify** the login flow.

## Step 1: Update `cmd/dashboard/main.go`

**Action:** Edit `cmd/dashboard/main.go`.

**Imports to Add:**

```go
"github.com/alexedwards/scs/v2"
"github.com/alexedwards/scs/sqlite3store"
"task-dashboard/internal/auth"
```

**Changes in `main()` function:**

1. **Initialize Session Manager** (After `store` init, before `router` init):

   ```go
   // Initialize Session Manager
   sessionManager := scs.New()
   sessionManager.Store = sqlite3store.New(store.DB())
   sessionManager.Lifetime = 24 * time.Hour
   sessionManager.Cookie.Persist = true
   sessionManager.Cookie.SameSite = http.SameSiteLaxMode
   sessionManager.Cookie.Secure = !cfg.Debug
   ```

2. **Initialize Auth Service & Handlers** (After `templates` init):

   ```go
   // Initialize Auth
   authService := auth.NewService(store.DB())

   // Ensure default admin user exists (for development/first run)
   if err := authService.EnsureDefaultUser("admin", "admin"); err != nil {
       log.Printf("WARNING: Failed to ensure default user: %v", err)
   }

   authHandlers := auth.NewHandlers(authService, sessionManager, tmpl)
   ```

3. **Configure Router Middleware & Routes**:
   * Add `r.Use(sessionManager.LoadAndSave)` to the global middleware stack.
   * **Refactor Routes**:
     * Keep `/static/*` public.
     * Add Public Auth Routes:

       ```go
       r.Get("/login", authHandlers.HandleLoginPage)
       r.Post("/login", authHandlers.HandleLogin)
       r.Post("/logout", authHandlers.HandleLogout)
       ```

     * **Protect Application Routes**: Wrap the main application routes in a group using `RequireAuth`.

       ```go
       r.Group(func(r chi.Router) {
           r.Use(authHandlers.Middleware().RequireAuth)

           // Move existing application routes here:
           r.Get("/", handlers.HandleHome)
           r.Get("/tabs/{type}", handlers.HandleTab)
           // ... and any other app routes
       })
       ```

## Step 2: Verification

**Action:**

1. **Update Dependencies:** Run `go mod tidy` to ensure new imports are tracked correctly.
2. **Ensure CSS is built:** Run `npm run build` to generate `web/static/css/output.css`.
3. **Run the application:** `go run cmd/dashboard/main.go`.
4. **Verify Flow:**
   * Accessing `/` should redirect to `/login`.
   * Login with `admin` / `admin` should work and redirect to `/`.
   * Logout should work and redirect to `/login`.
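
The first check in the Verify Flow list can be automated so that a route left outside the `RequireAuth` group is caught. The following is an added example, not code from these instructions or from the project: `standInApp`, `unprotected`, the `session` cookie name and the `/tabs/tasks` path are hypothetical, and the stand-in router uses only `net/http` in place of chi and scs so the block runs on its own.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// standInApp mimics Step 1's route layout on net/http (assumption: stands in for the chi router).
func standInApp(protect bool) http.Handler {
	requireAuth := func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			if _, err := r.Cookie("session"); err != nil { // stand-in for the scs session lookup
				http.Redirect(w, r, "/login", http.StatusSeeOther)
				return
			}
			next.ServeHTTP(w, r)
		})
	}
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "ok") })
	mux := http.NewServeMux()
	mux.Handle("/login", ok)
	mux.Handle("/static/", ok)
	mux.Handle("/", requireAuth(ok))
	tabs := requireAuth(ok)
	if !protect {
		tabs = ok // simulates a route left outside the RequireAuth group
	}
	mux.Handle("/tabs/", tabs)
	return mux
}

// unprotected lists paths whose anonymous GET is not answered with a redirect to /login.
func unprotected(h http.Handler, paths []string) []string {
	var leaks []string
	for _, p := range paths {
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, p, nil))
		if rec.Code < 300 || rec.Code > 399 || rec.Header().Get("Location") != "/login" {
			leaks = append(leaks, p)
		}
	}
	return leaks
}

func main() {
	fmt.Println("wired:", unprotected(standInApp(true), []string{"/", "/tabs/tasks"}))
	fmt.Println("missed route:", unprotected(standInApp(false), []string{"/", "/tabs/tasks"}))
}
```

In the project, the same `unprotected` probe can be pointed at the real router from a `_test.go` file, with one entry per application route.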