## 1. Dependencies & Configuration

- [ ] 1.1 `[haiku]` Install npm dependencies: `next-auth@5`, `bcryptjs`, `@types/bcryptjs`
- [ ] 1.2 `[haiku]` Add environment variables to `.env.example`: `AUTH_SECRET`, `AUTH_GOOGLE_ID`, `AUTH_GOOGLE_SECRET`, `AUTH_TRUST_HOST`, `DEFAULT_ADMIN_EMAIL`, `DEFAULT_ADMIN_PASSWORD`
- [ ] 1.3 `[haiku]` Update `docker-compose.yml` to pass new auth env vars to the candle-annotator service

## 2. Database Schema & Migration

- [ ] 2.1 `[sonnet]` Add `users` table to Drizzle schema (`src/lib/db/schema.ts`) with UUID PK, email, password_hash, name, image, provider, provider_account_id, email_verified, created_at, updated_at
- [ ] 2.2 `[sonnet]` Add `user_id` (uuid, FK to users.id) column to `charts`, `annotations`, `annotation_types`, `span_annotations`, `span_label_types` in schema
- [ ] 2.3 `[sonnet]` Replace unique constraints: `charts.name` → `(user_id, name)`, `annotation_types.name` → `(user_id, name)`, `span_label_types.name` → `(user_id, name)`
- [ ] 2.4 `[haiku]` Generate Drizzle migration with `drizzle-kit generate`
- [ ] 2.5 `[opus]` Create data migration script (`scripts/migrate-users.ts`): create default admin user, backfill `user_id` on all existing rows, alter columns to NOT NULL

## 3. Auth.js Configuration

- [ ] 3.1 `[sonnet]` Create `src/auth.ts` with Auth.js v5 config: JWT strategy, Credentials provider (email/password with bcryptjs verify), Google OAuth provider
- [ ] 3.2 `[sonnet]` Add JWT callback to embed `user.id` in token and session callback to expose `session.user.id`
- [ ] 3.3 `[sonnet]` Handle Google OAuth sign-in callback: create user on first sign-in, find existing user on returning sign-in
- [ ] 3.4 `[haiku]` Create `src/app/api/auth/[...nextauth]/route.ts` exporting GET/POST handlers

## 4. Registration API

- [ ] 4.1 `[sonnet]` Create `POST /api/auth/register` endpoint: validate input (email required, password 8+ chars), check email uniqueness, hash password with bcryptjs, insert user, return 201
- [ ] 4.2 `[sonnet]` Add default data seeding function: on new user creation, insert default annotation_types (break_up, break_down, line) and default span_label_types for the new user

## 5. Auth Middleware & Helpers

- [ ] 5.1 `[sonnet]` Create `proxy.ts` at project root: protect `/app/*` routes (redirect to `/login`), protect `/api/*` except `/api/auth/*` and `/api/health` (return 401), redirect authenticated users from `/login` and `/register` to `/app`
- [ ] 5.2 `[haiku]` Create `src/lib/auth.ts` with `getAuthUser()` helper that extracts user from Auth.js session

## 6. User Settings API

- [ ] 6.1 `[haiku]` Create `PUT /api/auth/profile` endpoint: update user display name
- [ ] 6.2 `[sonnet]` Create `PUT /api/auth/password` endpoint: verify current password, hash new password, update; reject for OAuth users
- [ ] 6.3 `[sonnet]` Create `DELETE /api/auth/account` endpoint: delete all user data (cascade) and user record

## 7. Update Existing API Routes

- [ ] 7.1 `[sonnet]` Add `getAuthUser()` check to all data API routes: `/api/upload`, `/api/candles`, `/api/charts`, `/api/annotations`, `/api/annotation-types`, `/api/span-annotations`, `/api/span-label-types`, `/api/export`
- [ ] 7.2 `[opus]` Update all Drizzle queries to filter by `user_id` from authenticated session (SELECT, INSERT, DELETE)
- [ ] 7.3 `[sonnet]` Add `getAuthUser()` check to all proxy API routes: `/api/predict`, `/api/predict/batch`, `/api/model/info`, `/api/model/load`, `/api/patterns/detect`, `/api/patterns/available`, `/api/training/start`, `/api/training/runs`
- [ ] 7.4 `[haiku]` Add `X-User-ID` header to all fetch calls from proxy routes to the FastAPI ML service

## 8. Frontend Routing Restructure

- [ ] 8.1 `[haiku]` Create `src/app/(public)/layout.tsx` — minimal layout for public pages (shared fonts/theme, no sidebar)
- [ ] 8.2 `[haiku]` Move current `src/app/page.tsx` to `src/app/app/page.tsx` (workspace at `/app`)
- [ ] 8.3 `[sonnet]` Create `src/app/app/layout.tsx` — protected layout with `SessionProvider`, user menu nav bar, sidebar with settings link
- [ ] 8.4 `[haiku]` Update any hardcoded `/` links in existing components to `/app`

## 9. Landing Page

- [ ] 9.1 `[sonnet]` Create `src/app/(public)/page.tsx` — landing page matching Lovable design: navbar with login/register links, hero section, features grid (6 cards), stats bar, footer CTA
- [ ] 9.2 `[haiku]` Add auth-aware navbar: show "Log in"/"Get Started" when unauthenticated, "Go to App" when authenticated

## 10. Login Page

- [ ] 10.1 `[sonnet]` Create `src/app/(public)/login/page.tsx` — login form matching Lovable design: email/password inputs, "Sign In" button calling `signIn("credentials")`, "Continue with Google" button calling `signIn("google")`
- [ ] 10.2 `[haiku]` Add error state display for invalid credentials
- [ ] 10.3 `[haiku]` Add "Forgot password?" link (shows toast: "Not yet available"), "Sign up" link to `/register`

## 11. Register Page

- [ ] 11.1 `[sonnet]` Create `src/app/(public)/register/page.tsx` — register form matching Lovable design: name/email/password inputs, "Create Account" button posting to `/api/auth/register` then auto-signing in
- [ ] 11.2 `[haiku]` Add error state display for duplicate email, short password
- [ ] 11.3 `[haiku]` Add "Continue with Google" button, "Sign in" link to `/login`

## 12. Settings Page

- [ ] 12.1 `[sonnet]` Create `src/app/app/settings/page.tsx` — Profile section: display name input with save, read-only email
- [ ] 12.2 `[sonnet]` Add Security section: change password form (current/new/confirm) for credentials users, "Signed in via Google" for OAuth users
- [ ] 12.3 `[sonnet]` Add Danger Zone section: delete account button with confirmation dialog (type "DELETE" to confirm)
- [ ] 12.4 `[haiku]` Add back navigation link to `/app`

## 13. App Layout & User Menu

- [ ] 13.1 `[sonnet]` Create user menu component: avatar/initial, dropdown with "Settings" and "Sign Out" links
- [ ] 13.2 `[haiku]` Add settings gear icon to sidebar (near theme toggle)
- [ ] 13.3 `[haiku]` Wire `signOut()` in user menu to destroy session and redirect to `/login`

## 14. ML Service User Scoping

- [ ] 14.1 `[haiku]` Update FastAPI service to read `X-User-ID` header from incoming requests
- [ ] 14.2 `[haiku]` Scope MLflow experiment names to include user ID (e.g., `user_{uuid}_training`)
- [ ] 14.3 `[sonnet]` Scope training run queries in FastAPI to filter by user ID

## 15. Documentation & Deployment

- [ ] 15.1 `[haiku]` Update `DEPLOYMENT.md` with new env vars, migration steps, Google OAuth setup instructions
- [ ] 15.2 `[haiku]` Update `README.md` with user accounts feature description
- [ ] 15.3 `[haiku]` Update `CLAUDE_DESCRIPTION.md` with new routing, auth system, and schema changes
- [ ] 15.4 `[haiku]` Update `.env.example` with all new environment variables and comments