AUTH-002 recommended auth-system
Auth system is documented
Auth flow documented in README, docs/, or inline; matches actual implementation
Question to ask
"Does the auth documentation match what the code actually does?"
Verification guide
Severity: Recommended
Check automatically:
Search for auth documentation:
```bash
# Check README for auth section
grep -i "auth\|authentication\|login\|session" README.md 2>/dev/null

# Check for dedicated auth docs (-exec keeps file names with spaces intact)
find . -type f \( -name "*.md" -o -name "*.txt" \) -path "*/docs/*" -exec grep -li "auth" {} + 2>/dev/null

# Check for inline documentation in auth files
find . -type f \( -name "*auth*" \) -not -path "*/node_modules/*" 2>/dev/null | head -5
```
Check for API documentation covering auth endpoints:
```bash
# OpenAPI/Swagger
find . -type f \( -name "openapi*.yaml" -o -name "openapi*.json" -o -name "swagger*.yaml" -o -name "swagger*.json" \) 2>/dev/null
```
Read any found documentation and auth files to verify:
- Documentation exists
- Documentation matches actual implementation (cross-reference AUTH-001 findings)
Cross-reference with:
- AUTH-001: Documentation should match the auth flow you traced
Pass criteria:
- Auth flow documented somewhere (README, docs/, or inline comments)
- Documentation matches actual implementation
- A new developer could understand auth from docs alone
Fail criteria:
- No auth documentation anywhere
- Documentation exists but contradicts implementation
- Documentation is outdated (references removed mechanisms)
If no docs found, ask user: "No auth documentation found. Is the auth system documented elsewhere (Notion, Confluence, etc.)? If not, this should be added."
Evidence to capture:
- Location of auth documentation (file path or external URL)
- Whether documentation matches AUTH-001 traced flow
- Any gaps between docs and implementation
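One way to collect the "gaps between docs and implementation" evidence and to spot the "references removed mechanisms" fail case, as an added example that is not part of the original checklist: the mechanism names, grep patterns, function names and the sample repository are all assumptions constructed for illustration, and a hit is only a pointer for manual review against the AUTH-001 trace.

```shell
#!/usr/bin/env bash
# Heuristic doc/code drift check. Mechanism names and patterns are assumptions.
MECHANISMS='jwt=jwt|jsonwebtoken
oauth=oauth
session=session
api-key=api[-_ ]?key
basic-auth=basic auth|authorization: basic'

# mentions KIND ROOT PATTERN: succeeds if any docs (or code) file matches PATTERN.
mentions() {
  kind=$1; root=$2; pattern=$3
  if [ "$kind" = docs ]; then
    find "$root" -type f \( -name '*.md' -o -name '*.txt' \) \
      ! -path '*/node_modules/*' -exec grep -Eli -- "$pattern" {} + 2>/dev/null
  else
    find "$root" -type f ! -name '*.md' ! -name '*.txt' \
      ! -path '*/node_modules/*' ! -path '*/.git/*' \
      -exec grep -Eli -- "$pattern" {} + 2>/dev/null
  fi | grep -q .
}

# auth_doc_drift ROOT: prints "documented-only: X" when docs mention X but code
# does not (possibly outdated docs), "undocumented: X" for the reverse.
auth_doc_drift() {
  drift_root=$1
  printf '%s\n' "$MECHANISMS" | while IFS='=' read -r name pattern; do
    in_docs=no; in_code=no
    if mentions docs "$drift_root" "$pattern"; then in_docs=yes; fi
    if mentions code "$drift_root" "$pattern"; then in_code=yes; fi
    case "$in_docs/$in_code" in
      yes/no) echo "documented-only: $name" ;;
      no/yes) echo "undocumented: $name" ;;
    esac
  done
}

# make_fixture: builds a constructed sample repo and prints its path.
make_fixture() {
  dir=$(mktemp -d) && mkdir -p "$dir/docs" "$dir/src" || return 1
  echo 'Login uses OAuth 2.0 and keeps a server-side session.' > "$dir/docs/auth.md"
  echo 'const jwt = require("jsonwebtoken"); // verify token, load session' > "$dir/src/auth.js"
  echo "$dir"
}

# Constructed fixture: docs describe OAuth, code actually verifies JWTs.
fixture=$(make_fixture)
auth_doc_drift "$fixture"
rm -rf "$fixture"
```

Run it against a real checkout with `auth_doc_drift .` and record each reported line alongside the documentation location.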