AUTH-003 recommended auth-system

AI agents can verify auth implementation

Auth source in repo (not compiled), no undocumented external dependencies

Question to ask

"Is auth logic readable in the repo, or buried in a black box?"

Verification guide

Severity: Recommended

Check automatically:

  1. Verify auth code is readable (not obfuscated/minified):

    # Check auth files are source, not bundled
    find . -type f \( -name "*auth*" \) -not -path "*/node_modules/*" -not -path "*/dist/*" -not -path "*/.next/*" 2>/dev/null
    
  2. Check for CLAUDE.md or AGENTS.md with auth context:

    grep -i "auth" CLAUDE.md 2>/dev/null
    grep -i "auth" AGENTS.md 2>/dev/null

  3. Attempt to trace auth as an AI agent would:

    • Read auth files identified in AUTH-001
    • Can you determine: login flow, token/session handling, protected route pattern?
    • Are there magic strings, undocumented env vars, or external dependencies that block understanding?
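
The script below automates checks 1 to 3 in one pass. It is an added example, not part of the original checklist: it assumes a JavaScript/TypeScript repo where environment variables are read as process.env.NAME and where documentation lives in README.md, CLAUDE.md, AGENTS.md or .env.example. It also matches files inside a directory named auth (the checklist's find command matches file names only), treats any file with a line over 500 characters or an average line length over 200 as compiled/minified, and flags require()/import() calls whose argument is not a string literal. The sample repo it builds with --demo is constructed for illustration.

```shell
#!/bin/sh
# Added AUTH-003 pre-check (example, not the checklist's own tooling).
# Assumptions: JS/TS repo, env vars read as process.env.NAME, docs in
# README.md / CLAUDE.md / AGENTS.md / .env.example. Thresholds are heuristics.

# "Compiled/minified" heuristic: any line over 500 chars, or average line length over 200.
is_minified() {
    awk 'length($0) > 500 { long = 1 }
         { total += length($0); n++ }
         END { if (long || (n > 0 && total / n > 200)) exit 0; exit 1 }' "$1"
}

# Auth source candidates: same name search as the checklist, plus files under an auth/ directory.
find_auth_files() {
    find "$1" -type f \( -iname '*auth*' -o -ipath '*/auth/*' \) \
        -not -path '*/node_modules/*' -not -path '*/dist/*' -not -path '*/.next/*' \
        -not -path '*/.git/*'
}

# require()/import() whose argument is not a string literal: an agent cannot resolve it statically.
dynamic_requires() {
    grep -nE "(require|import)\([^\"')]" "$1" || true
}

# Env var names used in FILE that none of the repo's documentation files mention.
undocumented_env_vars() {
    repo=$1; src=$2
    grep -oE 'process\.env\.[A-Za-z_][A-Za-z0-9_]*' "$src" | sed 's/^process\.env\.//' | sort -u |
    while read -r name; do
        grep -qs "$name" "$repo/README.md" "$repo/CLAUDE.md" "$repo/AGENTS.md" "$repo/.env.example" \
            || echo "$name"
    done
}

# Full AUTH-003 pass: exit 0 on pass, 1 on fail. Prints one line per finding.
audit_auth() {
    repo=$1; readable=0; problems=0
    for f in $(find_auth_files "$repo"); do          # assumes no whitespace in paths
        if is_minified "$f"; then
            echo "BUNDLED  $f (not readable source)"
            continue
        fi
        echo "SOURCE   $f"
        readable=$((readable + 1))
        dyn=$(dynamic_requires "$f")
        if [ -n "$dyn" ]; then
            echo "$dyn" | sed 's/^/  dynamic require: /'; problems=$((problems + 1))
        fi
        for v in $(undocumented_env_vars "$repo" "$f"); do
            echo "  undocumented env var: $v"; problems=$((problems + 1))
        done
    done
    if [ "$readable" -eq 0 ]; then
        echo "FAIL: no readable auth source in repo"; return 1
    fi
    grep -qsi auth "$repo/CLAUDE.md" "$repo/AGENTS.md" || echo "WARN: no auth context in CLAUDE.md/AGENTS.md"
    [ "$problems" -eq 0 ] && echo "PASS: auth logic is traceable" || echo "FAIL: $problems blocker(s) for an AI agent"
    [ "$problems" -eq 0 ]
}

# Constructed sample repo: one readable auth file with three blockers, one minified legacy file.
make_sample_repo() {
    mkdir -p "$1/src/auth" "$1/lib"
    cat > "$1/src/auth/session.js" <<'EOF'
// Session handling: signs a JWT and loads the configured identity provider.
const secret = process.env.JWT_SECRET;
const ttl = Number(process.env.SESSION_TTL || 3600);
const provider = require(`./providers/${process.env.AUTH_PROVIDER}`);
module.exports = { secret, ttl, provider };
EOF
    awk 'BEGIN { for (i = 0; i < 40; i++) printf "function a%d(){return %d};", i, i; print "" }' \
        > "$1/lib/legacy-auth.js"
    printf 'JWT_SECRET=change-me\n' > "$1/.env.example"
    printf '# Project notes\nAuth lives in src/auth (JWT sessions).\n' > "$1/CLAUDE.md"
}

# Usage: sh auth003_check.sh <repo-dir>    or    sh auth003_check.sh --demo
case "${1:-}" in
    --demo) tmp=$(mktemp -d); make_sample_repo "$tmp"; audit_auth "$tmp"; rm -rf "$tmp" ;;
    ?*)     audit_auth "$1" ;;
esac
```

On the constructed repo the script reports the minified legacy file as BUNDLED, the dynamic require on one line, and SESSION_TTL and AUTH_PROVIDER as undocumented (JWT_SECRET is covered by .env.example), and exits 1; the findings map directly onto the fail criteria below. A real run will produce false positives on legitimately long lines (embedded data, generated types), so treat the BUNDLED label as a prompt to read the file, not a verdict.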

Cross-reference with:

  • AUTH-001: If you could trace the flow, agents can too
  • AUTH-002: Good docs help agents verify

Pass criteria:

  • Auth source files are in repo (not external/compiled)
  • No critical auth logic hidden in env vars or external services without documentation
  • An AI agent reading the codebase can answer: "How does auth work here?"

Fail criteria:

  • Auth logic in compiled/minified files only
  • Critical auth decisions depend on undocumented external services
  • Auth code uses patterns an AI cannot follow (excessive indirection, dynamic requires)

If auth relies on an external service, ask the user: "Auth appears to use [Clerk/Auth0/etc.]. Is the integration documented? Can an AI agent understand how it connects to your app?"

Evidence to capture:

  • Whether auth source is available in repo
  • External auth dependencies (if any)
  • Gaps that would block AI verification

Section: 03. Authentication & Endpoints