## ADDED Requirements

### Requirement: Login page at /login
The system SHALL serve a login page at `/login` (route `src/app/(public)/login/page.tsx`). The page SHALL match the Lovable design mockup from `lovable_design_html/candles_lovable_design_login_page.html`.

#### Scenario: Login page renders
- **WHEN** an unauthenticated user navigates to `/login`
- **THEN** the login page renders with a centered card containing the login form

#### Scenario: Authenticated user redirected
- **WHEN** an authenticated user navigates to `/login`
- **THEN** they are redirected to `/app`

### Requirement: Login page navigation
The login page navbar SHALL display a back arrow and the CandleAnnotator logo/name, linking to `/` (landing page).

#### Scenario: Back to landing
- **WHEN** a user clicks the CandleAnnotator logo in the login page navbar
- **THEN** they are navigated to `/`

### Requirement: Email/password login form
The login card SHALL display a "Welcome back" heading, "Sign in to your workspace" subtitle, and a form with email input, password input, and "Sign In" submit button. The form SHALL use Auth.js `signIn("credentials", ...)` on submit.

#### Scenario: Successful email login
- **WHEN** a user enters valid email and password and clicks "Sign In"
- **THEN** `signIn("credentials", { email, password, redirect: true, callbackUrl: "/app" })` is called
- **AND** on success, the user is redirected to `/app`

#### Scenario: Failed email login
- **WHEN** a user enters invalid credentials and clicks "Sign In"
- **THEN** an error message is displayed: "Invalid email or password"
- **AND** the user remains on the login page

#### Scenario: Form validation
- **WHEN** a user clicks "Sign In" with empty email or password fields
- **THEN** browser-native validation prevents submission (fields are `required`)

### Requirement: Google OAuth login button
The login form SHALL include a "Continue with Google" button below the email/password form. Clicking it SHALL call `signIn("google", { callbackUrl: "/app" })`.

#### Scenario: Google login initiated
- **WHEN** a user clicks "Continue with Google"
- **THEN** they are redirected to Google's OAuth consent screen
- **AND** on successful auth, they are redirected back to `/app`

### Requirement: Forgot password link
The login form SHALL display a "Forgot password?" link next to the password label. Since password reset is deferred, clicking it SHALL show a toast: "Password reset is not yet available. Contact support."

#### Scenario: Forgot password clicked
- **WHEN** a user clicks "Forgot password?"
- **THEN** a toast notification appears with the message about contacting support

### Requirement: Register link
The login page SHALL display "Don't have an account? Sign up" below the form. "Sign up" SHALL link to `/register`.

#### Scenario: Navigate to register
- **WHEN** a user clicks "Sign up"
- **THEN** they are navigated to `/register`