Summary
Some routes may rely on UI gating instead of server-side auth checks. Audit and ensure server-side enforcement.
Acceptance criteria
- Audit
app/api/** for missing requireAuth.
- Add auth guard to user-specific routes.
- Add tests or a small checklist note in docs.
Summary
Some routes may rely on UI gating instead of server-side auth checks. Audit and ensure server-side enforcement.
Acceptance criteria
app/api/**for missingrequireAuth.