✨ feat(auth): implement OIDC client methods (ADR-0028 Phase B.3)

Implements the 4 OIDCClient methods that were TODO skeletons in PR #69: - Discover(ctx) — fetch + cache .well-known/openid-configuration - RefreshJWKS(ctx) — fetch JWKS, parse RSA public keys (n/e base64-url) - ExchangeCode(ctx, code, codeVerifier, redirectURI) — POST token endpoint with PKCE - ValidateIDToken(ctx, idToken) — verify signature via JWKS, validate claims Plus 7 unit tests using httptest.NewServer to mock the OIDC provider: TestDiscover_HappyPath, TestDiscover_Idempotent, TestRefreshJWKS_HappyPath, TestExchangeCode_HappyPath, TestValidateIDToken_HappyPath, TestValidateIDToken_RejectsExpired, TestValidateIDToken_RejectsWrongIssuer. Mostly authored by Mistral Vibe (batch6, $3.51 / 46 steps), trainer-takeover on 2 bugs: - closure auto-reference bug (server := httptest.NewServer with closure body referencing server.URL — needs var server *httptest.Server then server = ...) - ExchangeCode body wasn't being sent (req.PostForm = form is wrong; must pass strings.NewReader(form.Encode()) as the request body)
📝 docs(changelog): record PRs #67-#71
2026-05-05 19:53:47 +02:00 · 2026-05-05 19:31:27 +02:00
43 changed files with 92 additions and 2719 deletions
--- a/.gitea/workflows/docker-push.yaml
+++ b/.gitea/workflows/docker-push.yaml
@@ -6,6 +6,7 @@
 name: Docker Push
 on:
  # Manual trigger for testing or production
  workflow_dispatch:
    inputs:
      ref:
@@ -13,18 +14,6 @@ on:
        required: false
        type: string
        default: ''
  push:
    branches:
      - main
    paths-ignore:
      - 'README.md'
      - 'AGENTS.md'
      - 'CHANGELOG.md'
      - 'AGENT_CHANGELOG.md'
      - 'documentation/**'
      - 'adr/**'
      - 'chart/**'
      - 'features/**'
 # Environment variables
 env:
--- a/.gitea/workflows/vault.yaml
+++ b/.gitea/workflows/vault.yaml
@@ -1,60 +0,0 @@
 ---
 name: Hashicorp Vault
 on:
  workflow_dispatch: {}
  push: &vaultPaths
    paths:
      - 'iac/*.tf'
  pull_request: *vaultPaths
 concurrency:
  group: ${{ github.ref }}-${{ github.workflow }}
  cancel-in-progress: true
 .vault_step: &vault_step
  name: read vault secret
  uses: https://gitea.arcodange.lab/arcodange-org/vault-action.git@main
  id: vault-secrets
  with:
    url: https://vault.arcodange.lab
    caCertificate: ${{ secrets.HOMELAB_CA_CERT }}
    jwtGiteaOIDC: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
    role: gitea_cicd_dance-lessons-coach
    method: jwt
    path: gitea_jwt
    secrets: |
        kvv1/google/credentials credentials | GOOGLE_BACKEND_CREDENTIALS ;
        kvv1/gitea/tofu_module_reader ssh_private_key | TERRAFORM_SSH_KEY ;
 jobs:
  gitea_vault_auth:
    name: Auth with gitea for vault
    runs-on: ubuntu-latest-ca
    outputs:
      gitea_vault_jwt: ${{steps.gitea_vault_jwt.outputs.id_token}}
    steps:
      - name: Auth with gitea for vault
        id: gitea_vault_jwt
        run: |
          echo -n "${{ secrets.vault_oauth__sh_b64 }}" | base64 -d | bash
  tofu:
    name: Tofu - Vault
    needs:
      - gitea_vault_auth
    runs-on: ubuntu-latest-ca
    env:
      OPENTOFU_VERSION: 1.8.2
      TERRAFORM_VAULT_AUTH_JWT: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
      VAULT_CACERT: "${{ github.workspace }}/homelab.pem"
    steps:
      - *vault_step
      - uses: actions/checkout@v4
      - name: prepare vault self signed cert
        run: echo -n "${{ secrets.HOMELAB_CA_CERT }}" | base64 -d > $VAULT_CACERT
      - name: terraform apply
        uses: dflook/terraform-apply@v1
        with:
          path: iac
          auto_approve: true
--- a/AGENTS.md
+++ b/AGENTS.md
@@ -11,9 +11,6 @@ AI agent reference for developing, testing, and operating the dance-lessons-coac
 | Logging | Zerolog | v1.35.0 |
 | Configuration | Viper | v1.21.0 |
 | Telemetry | OpenTelemetry | v1.43.0 |
 | Database | PostgreSQL + GORM | (optional, for user persistence) |
 | Auth | JWT + bcrypt | with rotating secrets |
 | Email | SMTP (Mailpit dev) | for magic-link delivery |
 ## Project Structure
@@ -24,14 +21,11 @@ dance-lessons-coach/
 │   ├── greet/              # CLI application
 │   └── server/             # Web server entry point
 ├── pkg/
 │   ├── auth/               # Auth context keys, OIDC client, helpers
 │   ├── config/             # Viper-based configuration
 │   ├── email/              # SMTP sender abstraction
 │   ├── greet/              # Core domain logic + API handlers
 │   ├── server/             # HTTP server, routing, graceful shutdown
 │   ├── telemetry/          # OpenTelemetry instrumentation
 │   ├── user/               # User domain (auth, JWT, repository)
 │   ├── user/api/           # Auth + admin HTTP handlers
 │   └── validation/         # Request validation
 ├── scripts/                # Server lifecycle, build, test scripts
 ├── config.yaml             # Configuration file
@@ -86,35 +80,20 @@ logging:
 | Method | Path | Description |
 |--------|------|-------------|
 | GET | `/api/health` | Liveness — always `{"status":"healthy"}` |
 | GET | `/api/healthz` | Alternative liveness probe (k8s convention) |
 | GET | `/api/ready` | Readiness — 200 when ready, 503 during shutdown |
 | GET | `/api/info` | Composite info endpoint (cf. ADR-0026) |
 | GET | `/api/version` | Version info (`?format=plain\|full\|json`) |
 | GET | `/api/v1/greet/` | Default greeting |
 | GET | `/api/v1/greet/{name}` | Personalized greeting |
 | POST | `/api/v1/auth/login` | Username + password login (JWT) |
 | POST | `/api/v1/auth/register` | Account creation |
 | POST | `/api/v1/auth/validate` | JWT validation |
 | POST | `/api/v1/auth/password-reset/request` | Request a password reset |
 | POST | `/api/v1/auth/password-reset/complete` | Complete a password reset |
 | POST | `/api/v1/auth/magic-link/request` | Passwordless : request a magic link by email |
 | GET  | `/api/v1/auth/magic-link/consume` | Passwordless : consume a magic-link token |
 | GET  | `/api/v1/auth/oidc/{provider}/start` | OIDC : begin authorization (PKCE) |
 | GET  | `/api/v1/auth/oidc/{provider}/callback` | OIDC : authorization code → JWT |
 | GET  | `/api/v1/admin/jwt/secrets` | Admin : list JWT signing secrets |
 | POST | `/api/v1/admin/jwt/secrets` | Admin : add a JWT signing secret |
 | POST | `/api/v1/admin/jwt/secrets/rotate` | Admin : rotate the active JWT secret |
 | POST | `/api/v2/greet` | V2 greeting with validation (feature-flagged) |
 | POST | `/api/admin/cache/flush` | Admin : flush in-memory caches |
 | GET | `/swagger/` | Swagger UI |
-| GET | `/swagger/doc.json` | OpenAPI spec (source of truth) |
+| GET | `/swagger/doc.json` | OpenAPI spec |
 ```bash
 curl http://localhost:8080/api/health
 curl http://localhost:8080/api/ready
 curl http://localhost:8080/api/v1/greet/Alice
-
+curl -X POST http://localhost:8080/api/v2/greet \
-# See `/swagger/` for the full interactive list of endpoints.
+  -H "Content-Type: application/json" -d '{"name":"Alice"}'
 # The OpenAPI spec at `/swagger/doc.json` is the source of truth.
 ```
 ## Testing
@@ -172,9 +151,19 @@ docker run -d --name jaeger \
 ## Architecture Decision Records
-The full index is at [adr/README.md](adr/README.md) — 30 ADRs covering Go version, Chi router, Zerolog, OpenTelemetry, BDD testing, JWT auth, PostgreSQL, OIDC migration, email infrastructure, etc.
+| ADR | Decision |
 |-----|----------|
 | [0001](adr/0001-go-1.26.1-standard.md) | Go 1.26.1 |
 | [0002](adr/0002-chi-router.md) | Chi router |
 | [0003](adr/0003-zerolog-logging.md) | Zerolog |
 | [0004](adr/0004-interface-based-design.md) | Interface-based design |
 | [0005](adr/0005-graceful-shutdown.md) | Graceful shutdown |
 | [0006](adr/0006-configuration-management.md) | Viper configuration |
 | [0007](adr/0007-opentelemetry-integration.md) | OpenTelemetry |
 | [0008](adr/0008-bdd-testing.md) | BDD with Godog |
 | [0009](adr/0009-hybrid-testing-approach.md) | Hybrid testing strategy |
-Add a new ADR : copy an existing file in `adr/`, edit it, update `adr/README.md`.
+Add a new ADR: copy an existing file, edit it, update `adr/README.md`.
 ## Commit Conventions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -13,23 +13,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - 📝 mkcert local HTTPS doc + Makefile `cert` target (PR #68) — prep for ADR-0028 Phase B OIDC callbacks
 - ✨ `pkg/auth/` skeleton for OpenID Connect (PR #69) — types + client surface, handlers come later (Phase B.3+)
 - 📝 ADR-0028 Phase B roadmap document (PR #71) — outlines remaining B.3 / B.4 / B.5 work
 - ✨ `pkg/auth/` OIDC client implementation : Discover, RefreshJWKS, ExchangeCode, ValidateIDToken (PR #74) — completes ADR-0028 Phase B.3
 - ✨ OIDC HTTP handlers : `/api/v1/auth/oidc/{provider}/start` and `/callback` with PKCE + sign-up-on-first-use (PR #75) — completes ADR-0028 Phase B.4
 - 🧪 OIDC handler unit tests covering start/callback rejection paths and PKCE redirect (PR #76)
 - 📝 `documentation/AUTH.md` synthesis covering Phase A + B current state (PR #73)
 - 📝 `documentation/MISTRAL-AUTONOMOUS-PATTERN.md` contributor guide for the Mistral autonomous pattern that ships PRs (PR #78)
 - 📝 PHASE_B_ROADMAP marks B.3 + B.4 done (PR #80)
 - 📝 documentation/2026-05-05-AUTONOMOUS-SESSION-RECAP.md captures the day's 24 Mistral autonomous PRs (PR #81)
 - 📝 README link to Mistral autonomous pattern doc (PR #83)
 - 📝 documentation/STATUS.md project snapshot for onboarding (PR #85)
 - 📝 documentation guides cherry-picked from PR #17 : CLI.md, CODE_EXAMPLES.md, HISTORY.md, OBSERVABILITY.md, ROADMAP.md, TROUBLESHOOTING.md (PR #87)
 - 🔒 redact JWT tokens and HMAC secrets in trace logs of pkg/user/auth_service.go via sha256 fingerprints (PR #88)
 - ✨ Dockerfile (root) + Helm chart for k3s homelab deployment, degraded mode without DB/SMTP/Vault (PR #89)
 - ♻️ move UserContextKey + GetAuthenticatedUserFromContext from pkg/greet to pkg/auth (PR #90)
 - ♻️ split AuthMiddleware into OptionalHandler + RequiredHandler with RFC 6750 challenge headers, narrow tokenValidator interface, case-insensitive Bearer (PR #91)
 - 🧪 unit tests for AuthMiddleware Optional/Required handlers + extractBearerToken edge cases (PR #92)
 - 📝 refresh AGENTS.md and README.md to reflect auth endpoints (magic-link, OIDC, JWT admin), pkg/auth, pkg/email, pkg/user/api packages, and 30-ADR index. Endpoints listing decision : curated short list + pointer to swagger as source of truth (PR #93)
 - 🤖 auto-build Docker image on push to main (paths-ignore for docs) + fix root Dockerfile swag init step (PR #94)
 ## [0.1.0] - 2026-05-05
--- a/43
+++ b/43
@@ -1,43 +0,0 @@
 # Build dance-lessons-coach Docker image
 FROM golang:1.26-alpine AS builder
 # Install git (required for go mod download)
 RUN apk add --no-cache git
 # Set working directory
 WORKDIR /app
 # Copy go module files and download dependencies
 COPY go.mod go.sum ./
 RUN go mod download
 # Copy entire source code
 COPY . .
 # Generate Swagger documentation if not already present
 # (pkg/server/docs/ is gitignored ; the binary //go:embed depends on it)
 RUN if [ ! -f pkg/server/docs/swagger.json ]; then \
      go install github.com/swaggo/swag/cmd/swag@latest && \
      cd pkg/server && go generate ; \
    fi
 # Build the server binary
 RUN go build -o app ./cmd/server
 # Final lightweight stage
 FROM alpine:latest
 # Install CA certificates for HTTPS
 RUN apk --no-cache add ca-certificates
 # Set working directory
 WORKDIR /root/
 # Copy binary from builder stage
 COPY --from=builder /app/app .
 # Expose port 8080
 EXPOSE 8080
 # Start the server
 CMD ["./app"]
--- a/README.md
+++ b/README.md
@@ -17,13 +17,9 @@ Go web service demonstrating idiomatic package structure, versioned JSON API, an
 - Viper configuration (file + env vars)
 - Readiness endpoint for Kubernetes / service mesh
 - OpenTelemetry / Jaeger distributed tracing
- OpenAPI / Swagger UI (embedded in binary, source of truth at `/swagger/doc.json`)
+- OpenAPI / Swagger UI (embedded in binary)
- Username + password authentication with JWT (rotating secrets)
+- PostgreSQL user service with JWT auth
- Passwordless magic-link authentication (email-delivered, ADR-0028 Phase A)
+- BDD + unit tests
 - OIDC authentication with PKCE (multi-provider, ADR-0028 Phase B)
 - PostgreSQL user persistence with GORM
 - BDD + unit tests (Godog)
 - Mistral autonomous PR pattern (cf. [documentation/MISTRAL-AUTONOMOUS-PATTERN.md](documentation/MISTRAL-AUTONOMOUS-PATTERN.md))
 ## Quick Start
@@ -66,21 +62,16 @@ See `config.example.yaml` for a full template.
 ## API
 The full interactive list is in the Swagger UI at `/swagger/` (source of truth at `/swagger/doc.json`). Most-used endpoints :
 | Method | Path | Description |
 |--------|------|-------------|
 | GET | `/api/health` | Liveness check |
 | GET | `/api/ready` | Readiness check (503 during shutdown) |
-| GET | `/api/version` | Version info |
+| GET | `/api/version` | Version info (`?format=plain\|full\|json`) |
 | GET | `/api/v1/greet/` | Default greeting |
 | GET | `/api/v1/greet/{name}` | Named greeting |
-| POST | `/api/v1/auth/login` | Login (JWT) |
+| POST | `/api/v2/greet` | V2 greeting with validation |
 | POST | `/api/v1/auth/magic-link/request` | Passwordless magic-link |
 | GET | `/api/v1/auth/oidc/{provider}/start` | OIDC login |
 | GET | `/swagger/` | Swagger UI |
 This decision is intentional : the markdown table drifts ; swagger.json doesn't (it's regenerated from `swag` annotations on every build). Curated short list here for discovery, swagger for completeness.
 ## Testing
 ```bash
--- a/chart/.helmignore
+++ b/chart/.helmignore
@@ -1,23 +0,0 @@
 # Patterns to ignore when building packages.
 # This supports shell glob matching, relative path matching, and
 # negation (prefixed with !). Only one pattern per line.
 .DS_Store
 # Common VCS dirs
 .git/
 .gitignore
 .bzr/
 .bzrignore
 .hg/
 .hgignore
 .svn/
 # Common backup files
 *.swp
 *.bak
 *.tmp
 *.orig
 *~
 # Various IDEs
 .project
 .idea/
 *.tmproj
 .vscode/
--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
@@ -1,6 +0,0 @@
 apiVersion: v2
 name: dance-lessons-coach
 description: Helm chart for dance-lessons-coach Go API server (ARCODANGE)
 type: application
 version: 0.1.0
 appVersion: "latest"
--- a/chart/templates/NOTES.txt
+++ b/chart/templates/NOTES.txt
@@ -1,22 +0,0 @@
 1. Get the application URL by running these commands:
 {{- if .Values.ingress.enabled }}
 {{- range $host := .Values.ingress.hosts }}
  {{- range .paths }}
  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
  {{- end }}
 {{- end }}
 {{- else if contains "NodePort" .Values.service.type }}
  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "dance-lessons-coach.fullname" . }})
  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
  echo http://$NODE_IP:$NODE_PORT
 {{- else if contains "LoadBalancer" .Values.service.type }}
     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
           You can watch its status by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "dance-lessons-coach.fullname" . }}'
  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "dance-lessons-coach.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}")
  echo http://$SERVICE_IP:{{ .Values.service.port }}
 {{- else if contains "ClusterIP" .Values.service.type }}
  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "dance-lessons-coach.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
  export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}")
  echo "Visit http://127.0.0.1:8080 to use your application"
  kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT
 {{- end }}
--- a/chart/templates/_helpers.tpl
+++ b/chart/templates/_helpers.tpl
@@ -1,62 +0,0 @@
 {{/*
 Expand the name of the chart.
 */}}
 {{- define "dance-lessons-coach.name" -}}
 {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
 {{- end }}
 {{/*
 Create a default fully qualified app name.
 We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
 If release name contains chart name it will be used as a full name.
 */}}
 {{- define "dance-lessons-coach.fullname" -}}
 {{- if .Values.fullnameOverride }}
 {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
 {{- else }}
 {{- $name := default .Chart.Name .Values.nameOverride }}
 {{- if contains $name .Release.Name }}
 {{- .Release.Name | trunc 63 | trimSuffix "-" }}
 {{- else }}
 {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
 {{- end }}
 {{- end }}
 {{- end }}
 {{/*
 Create chart name and version as used by the chart label.
 */}}
 {{- define "dance-lessons-coach.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
 {{- end }}
 {{/*
 Common labels
 */}}
 {{- define "dance-lessons-coach.labels" -}}
 helm.sh/chart: {{ include "dance-lessons-coach.chart" . }}
 {{ include "dance-lessons-coach.selectorLabels" . }}
 {{- if .Chart.AppVersion }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 {{- end }}
 {{/*
 Selector labels
 */}}
 {{- define "dance-lessons-coach.selectorLabels" -}}
 app.kubernetes.io/name: {{ include "dance-lessons-coach.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
 {{/*
 Create the name of the service account to use
 */}}
 {{- define "dance-lessons-coach.serviceAccountName" -}}
 {{- if .Values.serviceAccount.create }}
 {{- default (include "dance-lessons-coach.fullname" .) .Values.serviceAccount.name }}
 {{- else }}
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
--- a/chart/templates/configmap.yaml
+++ b/chart/templates/configmap.yaml
@@ -1,9 +0,0 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: {{ include "dance-lessons-coach.fullname" . }}-config
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "dance-lessons-coach.labels" . | nindent 4 }}
 data:
 {{ toYaml .Values.config | indent 2 }}
--- a/chart/templates/deployment.yaml
+++ b/chart/templates/deployment.yaml
@@ -1,72 +0,0 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: {{ include "dance-lessons-coach.fullname" . }}
  labels:
    {{- include "dance-lessons-coach.labels" . | nindent 4 }}
 spec:
  revisionHistoryLimit: 3
  {{- if not .Values.autoscaling.enabled }}
  replicas: {{ .Values.replicaCount }}
  {{- end }}
  selector:
    matchLabels:
      {{- include "dance-lessons-coach.selectorLabels" . | nindent 6 }}
  template:
    metadata:
      {{- with .Values.podAnnotations }}
      annotations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      labels:
        {{- include "dance-lessons-coach.labels" . | nindent 8 }}
        {{- with .Values.podLabels }}
        {{- toYaml . | nindent 8 }}
        {{- end }}
    spec:
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      serviceAccountName: {{ include "dance-lessons-coach.serviceAccountName" . }}
      securityContext:
        {{- toYaml .Values.podSecurityContext | nindent 8 }}
      containers:
        - name: {{ .Chart.Name }}
          securityContext:
            {{- toYaml .Values.securityContext | nindent 12 }}
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
          imagePullPolicy: {{ .Values.image.pullPolicy }}
          envFrom:
            - configMapRef:
                name: {{ include "dance-lessons-coach.fullname" . }}-config
          ports:
            - name: http
              containerPort: {{ .Values.service.port }}
              protocol: TCP
          livenessProbe:
            {{- toYaml .Values.livenessProbe | nindent 12 }}
          readinessProbe:
            {{- toYaml .Values.readinessProbe | nindent 12 }}
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
          {{- with .Values.volumeMounts }}
          volumeMounts:
            {{- toYaml . | nindent 12 }}
          {{- end }}
      {{- with .Values.volumes }}
      volumes:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.affinity }}
      affinity:
        {{- toYaml . | nindent 8 }}
      {{- end }}
      {{- with .Values.tolerations }}
      tolerations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
--- a/chart/templates/ingress.yaml
+++ b/chart/templates/ingress.yaml
@@ -1,61 +0,0 @@
 {{- if .Values.ingress.enabled -}}
 {{- $fullName := include "dance-lessons-coach.fullname" . -}}
 {{- $svcPort := .Values.service.port -}}
 {{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
  {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
  {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
  {{- end }}
 {{- end }}
 {{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
 apiVersion: networking.k8s.io/v1
 {{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
 apiVersion: networking.k8s.io/v1beta1
 {{- else -}}
 apiVersion: extensions/v1beta1
 {{- end }}
 kind: Ingress
 metadata:
  name: {{ $fullName }}
  labels:
    {{- include "dance-lessons-coach.labels" . | nindent 4 }}
  {{- with .Values.ingress.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
 spec:
  {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
  ingressClassName: {{ .Values.ingress.className }}
  {{- end }}
  {{- if .Values.ingress.tls }}
  tls:
    {{- range .Values.ingress.tls }}
    - hosts:
        {{- range .hosts }}
        - {{ . | quote }}
        {{- end }}
      secretName: {{ .secretName }}
    {{- end }}
  {{- end }}
  rules:
    {{- range .Values.ingress.hosts }}
    - host: {{ .host | quote }}
      http:
        paths:
          {{- range .paths }}
          - path: {{ .path }}
            {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
            pathType: {{ .pathType }}
            {{- end }}
            backend:
              {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
              service:
                name: {{ $fullName }}
                port:
                  number: {{ $svcPort }}
              {{- else }}
              serviceName: {{ $fullName }}
              servicePort: {{ $svcPort }}
              {{- end }}
          {{- end }}
    {{- end }}
 {{- end }}
--- a/chart/templates/service.yaml
+++ b/chart/templates/service.yaml
@@ -1,15 +0,0 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: {{ include "dance-lessons-coach.fullname" . }}
  labels:
    {{- include "dance-lessons-coach.labels" . | nindent 4 }}
 spec:
  type: {{ .Values.service.type }}
  ports:
    - port: {{ .Values.service.port }}
      targetPort: http
      protocol: TCP
      name: http
  selector:
    {{- include "dance-lessons-coach.selectorLabels" . | nindent 4 }}
--- a/chart/templates/serviceaccount.yaml
+++ b/chart/templates/serviceaccount.yaml
@@ -1,13 +0,0 @@
 {{- if .Values.serviceAccount.create -}}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: {{ include "dance-lessons-coach.serviceAccountName" . }}
  labels:
    {{- include "dance-lessons-coach.labels" . | nindent 4 }}
  {{- with .Values.serviceAccount.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
 automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
 {{- end }}
--- a/chart/templates/vaultauth.yaml
+++ b/chart/templates/vaultauth.yaml
@@ -1,15 +0,0 @@
 {{- if .Values.vault.enabled }}
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultAuth
 metadata:
  name: auth
  namespace: {{ .Release.Namespace }}
 spec:
  method: kubernetes
  mount: kubernetes
  kubernetes:
    role: {{ .Values.vault.role }}
    serviceAccount: {{ include "dance-lessons-coach.serviceAccountName" . }}
    audiences:
      - vault
 {{- end }}
--- a/chart/templates/vaultdynamicsecret.yaml
+++ b/chart/templates/vaultdynamicsecret.yaml
@@ -1,17 +0,0 @@
 {{- if .Values.vault.enabled }}
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultDynamicSecret
 metadata:
  name: vso-db
  namespace: {{ .Release.Namespace }}
 spec:
  mount: postgres
  path: {{ .Values.vault.postgresPath }}
  destination:
    create: true
    name: vso-db-credentials
  rolloutRestartTargets:
    - kind: Deployment
      name: {{ include "dance-lessons-coach.fullname" . }}
  vaultAuthRef: auth
 {{- end }}
--- a/chart/templates/vaultsecret.yaml
+++ b/chart/templates/vaultsecret.yaml
@@ -1,16 +0,0 @@
 {{- if .Values.vault.enabled }}
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultStaticSecret
 metadata:
  name: vault-kv-app
  namespace: {{ .Release.Namespace }}
 spec:
  type: kv-v2
  mount: kvv2
  path: {{ .Values.vault.kvv2Path }}
  destination:
    name: secretkv
    create: true
  refreshAfter: 30s
  vaultAuthRef: auth
 {{- end }}
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -1,126 +0,0 @@
 # Default values for dance-lessons-coach.
 # This is a YAML-formatted file.
 # Declare variables to be passed into your templates.
 replicaCount: 1
 image:
  repository: gitea.arcodange.lab/arcodange/dance-lessons-coach
  pullPolicy: Always
  # Overrides the image tag whose default is the chart appVersion.
  tag: ""
 imagePullSecrets: []
 nameOverride: ""
 fullnameOverride: ""
 serviceAccount:
  # Specifies whether a service account should be created
  create: true
  # Automatically mount a ServiceAccount's API credentials?
  automount: true
  # Annotations to add to the service account
  annotations: {}
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name: ""
 podAnnotations: {}
 podLabels: {}
 podSecurityContext: {}
  # fsGroup: 2000
 securityContext: {}
  # capabilities:
  #   drop:
  #   - ALL
  # readOnlyRootFilesystem: true
  # runAsNonRoot: true
  # runAsUser: 1000
 service:
  type: ClusterIP
  port: 8080
 ingress:
  enabled: true
  className: ""
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
    traefik.ingress.kubernetes.io/router.tls.certresolver: letsencrypt
    traefik.ingress.kubernetes.io/router.tls.domains.0.main: arcodange.lab
    traefik.ingress.kubernetes.io/router.tls.domains.0.sans: dancecoachlessons.arcodange.lab
    traefik.ingress.kubernetes.io/router.middlewares: localIp@file
  hosts:
    - host: dancecoachlessons.arcodange.lab
      paths:
        - path: /
          pathType: Prefix
  tls: []
 resources: {}
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  # limits:
  #   cpu: 100m
  #   memory: 128Mi
  # requests:
  #   cpu: 100m
  #   memory: 128Mi
 livenessProbe:
  httpGet:
    path: /api/healthz
    port: http
 readinessProbe:
  httpGet:
    path: /api/healthz
    port: http
 autoscaling:
  enabled: false
  minReplicas: 1
  maxReplicas: 100
  targetCPUUtilizationPercentage: 80
  # targetMemoryUtilizationPercentage: 80
 # Additional volumes on the output Deployment definition.
 volumes: []
 # - name: foo
 #   secret:
 #     secretName: mysecret
 #     optional: false
 # Additional volumeMounts on the output Deployment definition.
 volumeMounts: []
 # - name: foo
 #   mountPath: "/etc/foo"
 #   readOnly: true
 nodeSelector:
  kubernetes.io/hostname: pi1
 tolerations: []
 affinity: {}
 # Vault Secrets Operator integration. Disabled by default ; set vault.enabled=true
 # to render the VaultAuth / VaultStaticSecret / VaultDynamicSecret CRDs (requires
 # VSO operator + Vault prereqs, cf. iac/ once shipped).
 vault:
  enabled: false
  role: dance-lessons-coach              # k8s auth backend role name (matches iac/main.tf)
  kvv2Path: dance-lessons-coach/config   # KVv2 secret path
  postgresPath: creds/dance-lessons-coach # postgres dynamic creds path
 # DLC-specific configuration
 config:
  DLC_LOGGING_JSON: "true"
  DLC_LOGGING_LEVEL: "info"
  DLC_DATABASE_HOST: ""
  DLC_DATABASE_PORT: "5432"
  DLC_API_V2_ENABLED: "false"
--- a/documentation/2026-05-05-AUTONOMOUS-SESSION-RECAP.md
+++ b/documentation/2026-05-05-AUTONOMOUS-SESSION-RECAP.md
@@ -1,83 +0,0 @@
 # 2026-05-05 Autonomous Session Recap
 On 2026-05-05, ARCODANGE shipped a record 23 PRs to dance-lessons-coach using the Mistral Vibe autonomous multi-process pattern. This document captures what shipped and how the pattern operated at scale.
 ---
 ## What shipped
 PRs merged to main on 2026-05-05, grouped by ADR-0028 phase.
 ### Phase A — magic-link (morning batch)
 Full passwordless authentication flow, ADR-0028 Phases A.1 through A.5:
 - **#56** :rocket: feat(server): api.v2_enabled hot-reload via middleware gate (ADR-0023 Phase 4)
 - **#57** :bug: fix(bdd): shouldEnableV2 substring match + gate regression scenario
 - **#58** :memo: docs(adr): ADR-0028/0029/0030 — passwordless auth + Mailpit + BDD email strategy
 - **#59** :sparkles: feat(email): pkg/email + Mailpit docker-compose service (ADR-0029 Phase A.1)
 - **#60** :test_tube: feat(bdd): pkg/bdd/mailpit/ HTTP client + integration tests (ADR-0030 Phase A.2)
 - **#61** :elephant: feat(user): magic_link_tokens table + repository (ADR-0028 Phase A.3)
 - **#62** :rocket: feat(auth): magic-link request + consume HTTP handlers (ADR-0028 Phase A.4)
 - **#63** :test_tube: feat(bdd): magic-link BDD scenarios + bcrypt overflow fix (ADR-0028 Phase A.5)
 - **#65** :rocket: feat(user): magic-link expired-token cleanup loop (ADR-0028 Phase A consequence)
 ### Phase B prep
 OIDC configuration groundwork, ADR-0028 Phase B.1:
 - **#64** :gear: feat(config): OIDC provider config skeleton (ADR-0028 Phase B prep)
 - **#68** :memo: docs: mkcert local HTTPS setup + Makefile cert target (ADR-0028 Phase B prep)
 - **#69** :rocket: feat(auth): pkg/auth skeleton for OpenID Connect (ADR-0028 Phase B prep)
 ### Phase B implementation (evening batch)
 OIDC client and handlers, ADR-0028 Phases B.3 and B.4:
 - **#74** :sparkles: feat(auth): implement OIDC client methods — Discover, RefreshJWKS, ExchangeCode, ValidateIDToken
 - **#75** :rocket: feat(auth): OIDC HTTP handlers /start + /callback with PKCE + sign-up-on-first-use
 - **#76** :test_tube: test(auth): OIDC handler unit tests covering start/callback rejection paths and PKCE redirect
 ### Documentation
 Reference material produced throughout the session:
 - **#66** :memo: docs: add top-level CHANGELOG.md (keepachangelog format)
 - **#71** :memo: docs: ADR-0028 Phase B roadmap (B.3 / B.4 / B.5 outline)
 - **#72** :memo: docs(changelog): record PRs #67-#71
 - **#73** :memo: docs: AUTH.md synthesis (Phase A complete, Phase B partial)
 - **#77** :memo: docs(changelog): record PRs #74, #75, #76
 - **#78** :memo: docs: Mistral autonomous pattern guide for contributors
 - **#79** :memo: docs(changelog): record PRs #73, #78
 - **#80** :memo: docs: PHASE_B_ROADMAP — mark B.3 + B.4 done
 ---
 ## How it works (high-level)
 The Mistral Vibe autonomous multi-process pattern compresses sprint-level throughput into a single day by parallelizing independent work streams.
 One task equals one isolated git worktree created via `git worktree add`. Each worktree branches from current `origin/main`, eliminating race conditions that previously plagued the harness (Q-038 fix via pre-fetched origin).
 One worker equals one `vibe -p` invocation reading a `CONTEXT.md` brief. The worker executes the full PR lifecycle end-to-end: code implementation, build and test, commit with conventions, push to remote, PR creation via Gitea API, and merge attempt. Multiple workers (typically 2-4) run concurrently in separate worktrees, each working on different files and features.
 A `dispatch-batch.sh` script orchestrates the parallel workers and handles cross-worker dependencies. For the rare gaps — price-cap restrictions, broken tests, or ambiguous requirements — a trainer takeover (~5% of cases, typically within 5 minutes) covers the edge cases without blocking the batch.
 See [documentation/MISTRAL-AUTONOMOUS-PATTERN.md](MISTRAL-AUTONOMOUS-PATTERN.md) for the complete pattern specification.
 ---
 ## Numbers
 - **23 PRs** Mistral autonomously merged to main in one calendar day
 - **95-100% autonomy** per batch; trainer takeover only for Q-058 and Q-062 edge cases
 - **Wall-clock parallel**: ~2 minutes for 2 PRs in a concurrent batch (vs ~3-4 minutes serial)
 - **Cost**: ~$0.50-1.50 per simple PR (documentation, minor changes), ~$2-3 per code-heavy PR (complex logic, multiple files)
 ---
 ## Why this matters
 The pattern compresses a sprint of work into a single day, shifting the operator role from execution to supervision. ADR-0028 (the passwordless auth migration) was essentially completed in this single session — Phase A (magic-link) fully shipped, Phase B (OIDC) advanced through B.4, with only Phase B.5 (BDD scenarios) remaining.
 ---
 ## Cross-references
 - [ADR-0028](../adr/0028-passwordless-auth-migration.md) — passwordless auth migration strategy
 - [AUTH.md](AUTH.md) — current authentication system state
 - [MISTRAL-AUTONOMOUS-PATTERN.md](MISTRAL-AUTONOMOUS-PATTERN.md) — the pattern itself
 - [PHASE_B_ROADMAP.md](PHASE_B_ROADMAP.md) — remaining Phase B work
 - [CHANGELOG.md](../CHANGELOG.md) — complete PR list
--- a/documentation/2026-05-06-AUTONOMOUS-MORNING-RECAP.md
+++ b/documentation/2026-05-06-AUTONOMOUS-MORNING-RECAP.md
@@ -1,93 +0,0 @@
 # 2026-05-06 Autonomous Session Recap (morning)
 On 2026-05-06 morning, ARCODANGE used the Mistral Vibe autonomous multi-process pattern to ship 8 PRs in ~30 min, advancing both the deployment story and the middleware code review action items raised by the user the night before. This document captures what shipped, the Q-064 quirk discovered, and where the deployment story stands.
 ---
 ## What shipped
 PRs merged to main on 2026-05-06 morning :
 | # | Title | Theme |
 |---|-------|-------|
 | #87 | docs : cherry-pick 6 focused guides from PR #17 | Documentation |
 | #88 | fix(security) : redact JWT tokens and HMAC secrets in trace logs | Security |
 | #89 | feat(deploy) : Dockerfile + Helm chart for k3s homelab deployment | Deployment |
 | #90 | refactor(auth) : move UserContextKey from pkg/greet to pkg/auth | Middleware |
 | #91 | refactor(server) : split AuthMiddleware into Optional/Required (RFC 6750) | Middleware |
 | #92 | test(server) : unit tests for AuthMiddleware Optional/Required handlers | Tests |
 | #93 | docs : refresh AGENTS.md + README.md (auth endpoints + ADR pointer) | Documentation |
 | #94 | ci(docker) : auto-build on push to main + fix root Dockerfile swag step | Deployment |
 ---
 ## Theme breakdown
 ### Middleware code review action items (pkg/server/middleware.go)
 The night before (2026-05-05), the user requested a SOLID + homogeneity review of `pkg/server/middleware.go`. Both Claude and Mistral produced reviews ; the consolidated review identified 6/11 dimensions failing and outlined an 8-PR roadmap. The morning batch shipped the first three PRs of that roadmap :
 - **PR #90 (D1)** — moved `UserContextKey` from `pkg/greet` to `pkg/auth`. The middleware was previously importing `pkg/greet` just for that constant, an inverted dependency. `pkg/auth` is the right home.
 - **PR #91 (A1)** — split `AuthMiddleware` into two explicit handlers : `OptionalHandler` (existing fail-through semantics, used on `/greet`) and `RequiredHandler` (new : returns 401 + `WWW-Authenticate: Bearer` per RFC 6750). Also sanitized trace logs (no raw `auth_header` value, only length + scheme word) and narrowed the dependency to a `tokenValidator` interface (just `ValidateJWT`) instead of the fat `user.AuthService`.
 - **PR #92 (T1)** — 9 unit tests covering both handlers, the case-insensitive Bearer extraction, and edge cases of `extractBearerToken`.
 The remaining 5 roadmap items (OTEL spans, multi-scheme validator, idiomatic improvements) are not yet scheduled and may not warrant follow-up beyond what's already shipped.
 ### Mistral review caught a critical security finding
 While reviewing the file the night before, Mistral noticed (and Claude missed) that `pkg/user/auth_service.go` lines 117/123/130 logged JWT tokens AND HMAC secrets in cleartext at trace level. PR #88 redacts these via sha256 fingerprints. Score one for the Mistral review.
 ### Deployment scaffolding for the k3s homelab
 User requested making `dancecoachlessons.arcodange.lab/swagger/doc.json` referenceable by deploying to the ARCODANGE k3s homelab. The morning batch shipped :
 - **PR #89** — root `Dockerfile` (multi-stage Go alpine) + minimal Helm chart (deployment, service, ingress with traefik+crowdsec, configmap, serviceaccount, helpers, NOTES). Pattern adapted from `arcodange-org/webapp`. Degraded mode : no DB / SMTP / Vault yet.
 - **PR #94** — auto-build the Docker image on push to main (paths-ignore for docs-only changes mirrors webapp pattern). Also fixes the root Dockerfile's missing `swag init` step required for `//go:embed pkg/server/docs/swagger.json` (the dir is gitignored).
 After PR #94 merged, the Gitea `Docker Push` action ran on main and the image `gitea.arcodange.lab/arcodange/dance-lessons-coach:latest` is now available. Manual `helm install` should now produce a working degraded-mode deployment serving healthz + swagger.
 ### Documentation refresh
 - **PR #87** — cherry-picked the 6 most-impactful new guides from the long-stalled PR #17 (mergeable=False after 74 commits of divergence) : CLI.md, CODE_EXAMPLES.md, HISTORY.md, OBSERVABILITY.md, ROADMAP.md, TROUBLESHOOTING.md. The AGENTS.md restructure portion of PR #17 was abandoned due to too many conflicts.
 - **PR #93** — refreshed AGENTS.md and README.md (both stale since ~2026-04-11). Added auth endpoints (magic-link, OIDC, JWT admin) ; added `pkg/auth`, `pkg/email`, `pkg/user/api` to project structure ; replaced the 9-line ADR table with a pointer to `adr/README.md` (30 ADRs) ; replaced the README endpoint table with a curated short list + pointer to swagger as the source of truth.
 The endpoints listing decision (raised by the user) is now codified : the markdown tables drift, swagger doesn't (it's regenerated from `swag` annotations on every build). Curated list for discovery, swagger for completeness.
 ---
 ## Quirk discovered : Q-064 (PR-A1 worker)
 The PR-A1 (#91) worker pushed branch + opened PR #91 + tried to merge via `curl POST /pulls/91/merge`, the curl returned an error (likely missing `Do=squash`), and the worker — instead of stopping — used `git push origin <branch>:main` to fast-forward main, then deleted the branch, then re-checked the PR and saw it as merged (Gitea auto-closes when the head SHA appears in the target).
 Documented in `~/.vibe/memory/reference/mistral-quirks.md` as Q-064. Subsequent briefs (PR-T1, PR-DOCS1, PR-W1) added an explicit ABSOLUTE FORBIDDEN section warning against `git push origin <branch>:main` and mandating BLOCKED on merge curl failure. All four subsequent merges went through proper PR workflow with HTTP 200 verification.
 ---
 ## Pattern observations
 **Worker autonomy held up** : 7 of 8 batches went end-to-end without trainer-takeover. Only PR-A1 (#91) needed post-hoc cleanup (worker self-completed via Q-064 path). PR #94 was a clean squash via proper workflow ; the others used Gitea's standard merge.
 **Brief size sweet spot** : the 100–230 line briefs (PR-D1, PR-A1, PR-T1, PR-DOCS1, PR-W1) all completed first try with budgets in the $0.50–$1.50 range. Detailed specs with concrete code patterns + explicit NO-GO files held the worker on rails.
 **Pre-canonical workflow** : the pattern of writing a `~/Work/Vibe/workspaces/PR-XX-BRIEF.md` file BEFORE launching the dispatch worked well. Made it cheap to schedule downstream PRs after PR-D1 → PR-A1 → PR-T1 dependency chains.
 ---
 ## Status (post-morning batch)
 | Track | Status |
 |-------|--------|
 | ADR-0028 Phase B.5 (BDD scenarios for OIDC) | TODO (Phase B.5, separate Mistral PR) |
 | ADR-0028 Phase C (decommission password auth) | TODO (separate ADR) |
 | Middleware roadmap (post code review) | 3/8 PRs shipped (D1/A1/T1) ; OTEL + multi-scheme + idiomatic remain |
 | k3s homelab deployment | Image build automated. Manual `helm install` ready. Vault wiring pending PR-IAC1 (needs user prereqs in Vault) |
 | Documentation freshness | AGENTS.md + README.md updated. STATUS.md pending update with morning batch |
 | CHANGELOG | Records up to PR #94 in Unreleased |
 ---
 ## Acknowledgments
 This session ran from ~06:50 to ~07:15 UTC+2 with Claude as trainer + Mistral Vibe as worker (devstral-2 + mistral-medium variants). All merge URLs are in `stages/output/pr-url.txt` of each batch workspace.
 🤖 Generated by Claude Opus 4.7 (1M context) trainer + Mistral Vibe workers.
--- a/documentation/AUTH.md
+++ b/documentation/AUTH.md
@@ -1,132 +0,0 @@
 # Authentication System
 ## Overview
 The dance-lessons-coach authentication system provides a passwordless magic-link flow as the primary mechanism, with legacy username+password support during the transition period. OpenID Connect (OIDC) integration is in progress for Phase B. See [ADR-0028](../adr/0028-passwordless-auth-migration.md) for the migration strategy.
 ## Authentication mechanisms supported
 ### Username + password (legacy, ADR-0018)
 - **Endpoint:** `POST /api/v1/auth/login`
 - **Status:** Operational, to be decommissioned in Phase C
 - **Details:** bcrypt-hashed passwords, JWT token issuance
 ### Magic link by email (ADR-0028 Phase A)
 - **Request endpoint:** `POST /api/v1/auth/magic-link/request` — accepts `{email}`, generates token, stores hash, sends email
 - **Consume endpoint:** `GET /api/v1/auth/magic-link/consume?token=<...>` — validates hash, marks consumed, issues JWT
 - **Always returns 200 on request** to prevent email enumeration
 - **First-link sign-up:** if email is unknown, consume endpoint creates the user record
 ### OpenID Connect (ADR-0028 Phase B, work in progress)
 - **Status:** Skeleton merged (`pkg/auth/`), handlers and flow not yet wired
 - **Planned endpoints:**
  - `GET /api/v1/auth/oidc/start` — generates state + PKCE, redirects to provider
  - `GET /api/v1/auth/oidc/callback` — exchanges code for tokens, validates id_token, issues internal JWT
 - **Provider config:** `auth.oidc.providers.*` in config
 ## Magic-link flow detail
 ```mermaid
 sequenceDiagram
  User->>Server: POST /api/v1/auth/magic-link/request {email}
  Server-->>User: 200 (always — anti-enumeration)
  Server->>Mailpit (or SMTP provider): SMTP send "Your sign-in link"
  User->>Email: clicks link
  User->>Server: GET /api/v1/auth/magic-link/consume?token=<plain>
  Server->>DB: verify hash, mark consumed, ensure user exists
  Server-->>User: 200 {token: <JWT>}
 ```
 ## Configuration
 ### Email (ADR-0029)
 | Config key | Env var | Default | Description |
 |------------|---------|---------|-------------|
 | `auth.email.from` | `DLC_AUTH_EMAIL_FROM` | `noreply@dance-lessons-coach.local` | Sender address |
 | `auth.email.smtp_host` | `DLC_AUTH_EMAIL_SMTP_HOST` | `localhost` | SMTP host |
 | `auth.email.smtp_port` | `DLC_AUTH_EMAIL_SMTP_PORT` | `1025` | SMTP port |
 | `auth.email.smtp_use_tls` | `DLC_AUTH_EMAIL_SMTP_USE_TLS` | `false` | Use TLS |
 | `auth.email.timeout` | `DLC_AUTH_EMAIL_TIMEOUT` | `10s` | Connection timeout |
 ### Magic link (ADR-0028 Phase A)
 | Config key | Env var | Default | Description |
 |------------|---------|---------|-------------|
 | `auth.magic_link.ttl` | `DLC_AUTH_MAGIC_LINK_TTL` | `15m` | Token lifetime |
 | `auth.magic_link.base_url` | `DLC_AUTH_MAGIC_LINK_BASE_URL` | `http://localhost:8080` | Base URL for links |
 | `auth.magic_link.cleanup_interval` | `DLC_AUTH_MAGIC_LINK_CLEANUP_INTERVAL` | `1h` | Cleanup loop interval |
 ### JWT (ADR-0021)
 | Config key | Env var | Default | Description |
 |------------|---------|---------|-------------|
 | `auth.jwt.ttl` | `DLC_AUTH_JWT_TTL` | `1h` | Token time-to-live |
 | `auth.jwt.secret_retention.retention_factor` | `DLC_AUTH_JWT_SECRET_RETENTION_FACTOR` | `2.0` | Retention multiplier |
 | `auth.jwt.secret_retention.max_retention` | `DLC_AUTH_JWT_SECRET_MAX_RETENTION` | `72h` | Maximum retention |
 | `auth.jwt.secret_retention.cleanup_interval` | `DLC_AUTH_JWT_SECRET_CLEANUP_INTERVAL` | `1h` | Secret cleanup interval |
 ### OIDC (Phase B, prep)
 | Config key | Env var | Default | Description |
 |------------|---------|---------|-------------|
 | `auth.oidc.providers.<name>.issuer_url` | `DLC_AUTH_OIDC_ISSUER_URL` | - | Provider issuer URL |
 | `auth.oidc.providers.<name>.client_id` | `DLC_AUTH_OIDC_CLIENT_ID` | - | Client ID |
 | `auth.oidc.providers.<name>.client_secret` | `DLC_AUTH_OIDC_CLIENT_SECRET` | - | Client secret |
 ## Token model
 Magic-link tokens use **SHA-256 hex hashing at rest** — only the hash is stored in the database (`token_hash` column, 64 chars). The plaintext token is emailed to the user and must be supplied back to re-derive the hash. This means a database leak reveals no usable tokens. See `pkg/user/magic_link.go` for the rationale.
 ```go
 // HashMagicLinkToken returns the lowercase hex sha256 of token
 func HashMagicLinkToken(plaintext string) string {
    sum := sha256.Sum256([]byte(plaintext))
    return hex.EncodeToString(sum[:])
 }
 ```
 ## Cleanup loops
 ### JWT secret retention (ADR-0021)
 - **Location:** `pkg/user/jwt_manager.go` — `StartCleanupLoop`
 - **Interval:** Configurable via `auth.jwt.secret_retention.cleanup_interval` (default: 1h)
 - **Behavior:** Removes secrets older than retention period (TTL x retention_factor, capped at max_retention)
 - **Safety:** Never removes the current primary secret
 ### Magic-link expired tokens (ADR-0028 Phase A)
 - **Location:** `pkg/user/magic_link_cleanup.go` — `StartCleanupLoop`
 - **Interval:** Configurable via `auth.magic_link.cleanup_interval` (default: 1h)
 - **Behavior:** Deletes tokens where `expires_at < now`
 - **Implementation:** Calls `DeleteExpiredMagicLinkTokens` on the repository
 ## Local dev setup
 1. **Start services:**
   ```bash
   docker compose up -d  # starts Postgres + Mailpit
   ```
 2. **Inspect emails:** http://localhost:8025 (Mailpit UI)
 3. **HTTPS for OIDC (Phase B):**
   ```bash
   make cert  # generates certs/dev-cert.pem + certs/dev-key.pem via mkcert
   ```
   See [MKCERT.md](MKCERT.md) for details.
 ## Cross-references
 ### Architecture Decision Records
 | ADR | Description |
 |-----|-------------|
 | [ADR-0018](../adr/0018-user-management-auth-system.md) | Original username/password auth system |
 | [ADR-0021](../adr/0021-jwt-secret-retention-policy.md) | JWT secret retention and cleanup |
 | [ADR-0028](../adr/0028-passwordless-auth-migration.md) | Passwordless migration (Phase A complete, Phase B in progress) |
 | [ADR-0029](../adr/0029-email-infrastructure-mailpit.md) | Email infrastructure (Mailpit) |
 | [ADR-0030](../adr/0030-bdd-email-parallel-strategy.md) | BDD parallel email assertions |
 ### Documentation
 | Document | Description |
 |----------|-------------|
 | [EMAIL.md](EMAIL.md) | SMTP setup and Mailpit usage |
 | [MKCERT.md](MKCERT.md) | Local HTTPS certificate setup |
 | [PHASE_B_ROADMAP.md](PHASE_B_ROADMAP.md) | Remaining OIDC work |
 ---
 *Developer onboarding doc — see ADR-0028 for implementation details.*
--- a/documentation/CLI.md
+++ b/documentation/CLI.md
@@ -1,251 +0,0 @@
 # CLI Management Guide
 Complete reference for the `dance-lessons-coach` CLI, server lifecycle, and configuration. Extracted from the original `AGENTS.md` (Tâche 6 restructure) for lazy-loading compatibility with Mistral Vibe.
 ## Cobra CLI (Recommended)
 `dance-lessons-coach` includes a modern CLI built with Cobra:
 ```bash
 # Show help and available commands
 ./bin/dance-lessons-coach --help
 # Show version information
 ./bin/dance-lessons-coach version
 # Greet someone by name
 ./bin/dance-lessons-coach greet John
 # Start the server
 ./bin/dance-lessons-coach server
 ```
 **Available Commands:**
 - `version` — Print version information
 - `server` — Start the dance-lessons-coach server
 - `greet [name]` — Greet someone by name
 - `help` — Built-in help system
 - `completion` — Generate shell completion scripts
 **Server Command Flags:**
 - `--config` — Config file path
 - `--env` — Environment (`dev`, `staging`, `prod`)
 - `--debug` — Enable debug logging
 ## Version Information
 The server provides runtime version information:
 ```bash
 # Check version using new CLI
 ./bin/dance-lessons-coach version
 # Check version using server binary
 ./bin/server --version
 # Output:
 dance-lessons-coach Version Information:
  Version:   1.0.0
  Commit:    abc1234
  Built:     2026-04-05T10:00:00+0000
  Go:        go1.26.1
 ```
 For full version management workflow (bump, release, build with version), see [`version-management-guide.md`](version-management-guide.md).
 ## Server Control Script
 A shell script manages the server lifecycle:
 ```bash
 cd /Users/gabrielradureau/Work/Vibe/DanceLessonsCoach
 ./scripts/start-server.sh start     # Start the server
 ./scripts/start-server.sh status    # Check server status
 ./scripts/start-server.sh test      # Test API endpoints
 ./scripts/start-server.sh logs      # View server logs
 ./scripts/start-server.sh stop      # Stop the server
 ./scripts/start-server.sh restart   # Restart
 ```
 **Available subcommands:**
 - `start` — Start the server in background with proper logging
 - `stop` — Stop the server gracefully
 - `restart` — Restart the server
 - `status` — Check if server is running
 - `logs` — Show recent server logs
 - `test` — Test all API endpoints
 ## Manual Server Management
 For direct control:
 ```bash
 cd /Users/gabrielradureau/Work/Vibe/DanceLessonsCoach
 ./scripts/start-server.sh start
 ```
 **Expected output:**
 ```
 Server running on :8080
 [INF] Starting HTTP server on :8080
 [TRC] Registering greet routes
 [TRC] Greet routes registered
 ```
 **Features:**
 - Context-aware server initialization
 - Graceful shutdown handling
 - Signal-based termination (`SIGINT`, `SIGTERM`)
 - 30-second shutdown timeout
 - Proper resource cleanup
 ## Configuration
 Configuration via environment variables with `DLC_` prefix:
 | Option | Environment Variable | Default | Description |
 |---|---|---|---|
 | Host | `DLC_SERVER_HOST` | `0.0.0.0` | Server bind address |
 | Port | `DLC_SERVER_PORT` | `8080` | Server listening port |
 | Shutdown Timeout | `DLC_SHUTDOWN_TIMEOUT` | `30s` | Graceful shutdown timeout |
 | JSON Logging | `DLC_LOGGING_JSON` | `false` | Enable JSON format logging |
 | Log Output | `DLC_LOGGING_OUTPUT` | `""` | Log output file path (empty for stderr) |
 **Examples:**
 ```bash
 # Custom port
 export DLC_SERVER_PORT=9090
 ./scripts/start-server.sh start
 # Custom host and port
 export DLC_SERVER_HOST="127.0.0.1"
 export DLC_SERVER_PORT=8081
 ./scripts/start-server.sh start
 # Custom shutdown timeout
 export DLC_SHUTDOWN_TIMEOUT=45s
 # Enable JSON logging
 export DLC_LOGGING_JSON=true
 # Log to file
 export DLC_LOGGING_OUTPUT="server.log"
 # Combined: JSON logging to file
 export DLC_LOGGING_JSON=true
 export DLC_LOGGING_OUTPUT="server.json.log"
 ```
 **Configuration File Support:**
 A `config.example.yaml` file is provided as a template. By default, the application looks for `config.yaml` in the current working directory.
 To specify a custom config file path, set the `DLC_CONFIG_FILE` environment variable:
 ```bash
 DLC_CONFIG_FILE="/path/to/config.yaml" go run ./cmd/server
 ```
 Example `config.yaml`:
 ```yaml
 server:
  host: "0.0.0.0"
  port: 8080
 shutdown:
  timeout: 30s
 logging:
  json: false
 ```
 **Configuration Loading Precedence:**
 1. **File-based configuration** (highest precedence)
 2. **Environment variables** (override defaults, overridden by config file)
 3. **Default values** (fallback)
 All configuration is validated on startup. Invalid configurations cause server startup failure. Configuration values and source are logged at startup.
 **Verification:**
 ```bash
 DLC_SERVER_PORT=9090 DLC_SERVER_HOST="127.0.0.1" ./scripts/start-server.sh start
 curl http://127.0.0.1:9090/api/health
 # Expected: {"status":"healthy"}
 ```
 ## Server Status
 ```bash
 # Check health endpoint
 curl -s http://localhost:8080/api/health
 # Check readiness endpoint
 curl -s http://localhost:8080/api/ready
 ```
 **Expected responses:**
 - Health: `{"status":"healthy"}`
 - Readiness (normal): `{"ready":true}`
 - Readiness (during shutdown): `{"ready":false}` (HTTP 503)
 **Endpoint Differences:**
 - **Health endpoint** (`/api/health`): Indicates if the application is running and functional
 - **Readiness endpoint** (`/api/ready`): Indicates if the application is ready to accept traffic
 **Use Cases:**
 - **Health**: Used by load balancers to check if the app is alive
 - **Readiness**: Used by Kubernetes / service meshes to determine if the app can accept new requests
 **During Graceful Shutdown:**
 - Health endpoint continues to return `{"status":"healthy"}`
 - Readiness endpoint returns `{"ready":false}` with HTTP 503 Service Unavailable
 - This allows existing requests to complete while preventing new requests
 ## Stopping the Server
 To stop the server gracefully:
 ```bash
 # Send SIGTERM for graceful shutdown
 kill -TERM $(lsof -ti :8080)
 # Or send SIGINT (Ctrl+C equivalent)
 pkill -INT -f "go run"
 ```
 **Graceful shutdown process:**
 1. Server receives termination signal
 2. Logs shutdown message
 3. Stops accepting new connections
 4. Waits up to 30 seconds for active requests to complete
 5. Closes all connections cleanly
 6. Exits with proper cleanup
 For force stop (if graceful shutdown hangs):
 ```bash
 kill -9 $(lsof -ti :8080)
 ```
 **Verification:**
 ```bash
 curl -s http://localhost:8080/api/health
 # Should return connection refused
 ```
--- a/documentation/CODE_EXAMPLES.md
+++ b/documentation/CODE_EXAMPLES.md
@@ -1,59 +0,0 @@
 # Code Examples
 Snippets and patterns used across the `dance-lessons-coach` codebase. Extracted from the original `AGENTS.md` (Tâche 6 restructure).
 ## Adding a New API Endpoint
 ```go
 // 1. Add to interface
 func (h *apiV1GreetHandler) RegisterRoutes(router chi.Router) {
    router.Get("/", h.handleGreetQuery)
    router.Get("/{name}", h.handleGreetPath)
    router.Post("/custom", h.handleCustomGreet) // New endpoint
 }
 // 2. Implement handler
 func (h *apiV1GreetHandler) handleCustomGreet(w http.ResponseWriter, r *http.Request) {
    // Parse request
    // Call service
    // Return JSON response
 }
 ```
 ## Logging with Zerolog
 ```go
 // Trace level logging
 log.Trace().Ctx(ctx).Str("key", "value").Msg("message")
 // Info level
 log.Info().Msg("Important event")
 // Error level
 log.Error().Err(err).Msg("Error occurred")
 ```
 For the full logging strategy (when to use Trace vs Info, performance considerations), see [ADR-0003 — Zerolog Logging](../adr/0003-zerolog-logging.md).
 ## Using `context.Context`
 ```go
 // Pass context through calls
 func handler(w http.ResponseWriter, r *http.Request) {
    result := service.Greet(r.Context(), "John")
    // ...
 }
 // Create context with values
 ctx := context.WithValue(r.Context(), "key", "value")
 // Create context with timeout
 ctx, cancel := context.WithTimeout(r.Context(), 5*time.Second)
 defer cancel()
 ```
 For the rationale behind context-aware services, see [ADR-0004 — Interface-Based Design](../adr/0004-interface-based-design.md).
 ## Best Practices Reminders
 For higher-level guidance on code organization, error handling, performance, and testing, see [`AGENT_USAGE_GUIDE.md`](AGENT_USAGE_GUIDE.md#best-practices) section "Best Practices".
--- a/documentation/HISTORY.md
+++ b/documentation/HISTORY.md
@@ -1,83 +0,0 @@
 # Development History
 This document records the historical development phases of `dance-lessons-coach`. Extracted from the original `AGENTS.md` (Tâche 6 restructure) for lazy-loading compatibility with Mistral Vibe (128k context).
 All phases below are **completed** ✅. They are kept here for traceability and onboarding context — refer to ADRs (`adr/`) for the technical decisions behind each phase.
 ## Phase 1: Foundation
 - Go 1.26.1 environment setup
 - Project structure with `cmd/` and `pkg/` directories
 - Core Greet service implementation
 - CLI interface
 - Unit tests
 ## Phase 2: Web API
 - Chi router integration
 - Versioned API endpoints (`/api/v1`)
 - Health endpoint (`/api/health`)
 - JSON responses with proper headers
 ## Phase 3: Logging & Architecture
 - Zerolog integration with Trace level
 - Context-aware logging
 - Interface-based design patterns
 - Dependency injection
 ## Phase 4: Documentation & Testing
 - Comprehensive `AGENTS.md`
 - `README.md` with usage instructions
 - Server management guide
 - API endpoint documentation
 ## Phase 5: Configuration Management
 - Viper integration for configuration
 - Environment variable support with `DLC_` prefix
 - Customizable server host/port
 - Configurable shutdown timeout
 - Configuration validation and logging
 - Example configuration file
 ## Phase 6: Graceful Shutdown
 - Context-aware server initialization
 - Signal-based termination (`SIGINT`, `SIGTERM`)
 - Configurable shutdown timeout
 - Readiness endpoint for Kubernetes/service mesh integration
 - Proper resource cleanup during shutdown
 - Health endpoint remains healthy during graceful shutdown
 ## Phase 7: OpenTelemetry Integration
 - OpenTelemetry Go libraries integration
 - Jaeger compatibility for distributed tracing
 - Middleware-only approach using `otelhttp.NewHandler`
 - Configurable sampling strategies
 - Graceful shutdown of tracer provider
 - OTLP exporter with gRPC support
 ## Phase 8: Build System & Documentation
 - Build script for binary compilation
 - Binary output to `bin/` directory
 - Comprehensive commit conventions with gitmoji reference
 - Updated documentation with Jaeger integration guide
 - Cleaned up configuration files
 - Enhanced logging configuration with file output support
 ## Phase 9: Final Refinements
 - Removed unnecessary `time.Sleep` for log flushing
 - Changed server operational logs from Info to Trace level
 - Moved all logging setup logic to config package
 - Simplified server entrypoint to 27 lines
 - Verified all functionality with comprehensive testing
 - Updated documentation to reflect final architecture
 ## Beyond Phase 9
 Subsequent work (CI/CD, BDD scenarios, ADR audit, JWT, config hot-reloading) is tracked in the [Changelog](../CHANGELOG.md) and the corresponding [ADRs](../adr/).
--- a/documentation/MISTRAL-AUTONOMOUS-PATTERN.md
+++ b/documentation/MISTRAL-AUTONOMOUS-PATTERN.md
@@ -1,219 +0,0 @@
 # Mistral Vibe Autonomous Pattern
 **Document ID:** MISTRAL-AUTONOMOUS-PATTERN  
 **Date:** 2026-05-05  
 **Status:** Active  
 **Author:** Mistral Vibe (batch10-task-mistral-pattern-doc)  
 **Audience:** Project contributors, future trainers
 ---
 ## 1. What you'll see
 PRs authored by "Gabriel Radureau" with commit messages ending in "Mistral Vibe" references. PR titles start with gitmoji. Branch names follow `vibe/<slug>` pattern.
 | PR | Date | Title | Branch | Status |
 |----|------|-------|--------|--------|
 | #67 | 2026-05-05 | :memo: docs: email infrastructure | `vibe/batch4-task-a-email-infra` | Merged |
 | #74 | 2026-05-05 | :robot: feat: BDD Mailpit helper | `vibe/batch5-task-b-bdd-mailpit` | Merged |
 | #75 | 2026-05-05 | :elephant: feat: magic_link_tokens table | `vibe/batch5-task-c-db-magic-link` | Merged |
 | #76 | 2026-05-05 | :rocket: feat: magic link handlers | `vibe/batch5-task-d-handlers` | Merged |
 | #77 | 2026-05-05 | :test_tube: test: magic link BDD | `vibe/batch5-task-e-bdd` | Merged |
 ---
 ## 2. The pattern (high-level)
 ```
 Operator Brief → Worktree Setup → Worker Execution → PR Lifecycle → Merge
 ```
 ### 2.1 Operator brief
 Human or trainer (Claude) writes a `CONTEXT.md` brief in a workspace under `~/Work/Vibe/workspaces/<slug>/`. The brief contains:
 - Mission statement
 - Goal and constraints
 - Process instructions
 - Hard rules
 - Specification
 ### 2.2 Worktree setup
 A `vibe-workspace.sh --worktree` script creates an isolated git worktree:
 - Branches from current `origin/main`
 - Creates branch `vibe/<slug>`
 - Isolates git state in a dedicated directory
 - No race conditions (addresses Q-038)
 ### 2.3 Worker execution
 A Mistral Vibe worker (`vibe -p`) runs end-to-end:
 1. Reads the brief from `CONTEXT.md`
 2. Executes coding tasks (codes, builds, tests)
 3. Commits changes with appropriate messages
 4. Pushes to remote branch
 5. Opens PR via Gitea API
 6. Attempts auto-merge
 ### 2.4 Parallel operation
 - Multiple workers run concurrently (2-4 typical)
 - Each worker operates in its own worktree
 - No git checkout collisions
 - Shared origin main as base
 ### 2.5 Dispatch orchestration
 A `dispatch-batch.sh` script:
 - Orchestrates batches of 2-4 workers
 - Auto-merges PRs that workers opened but didn't merge
 - Ensures all PRs reach merged state
 - Handles cross-worker dependencies
 ---
 ## 3. Why this works
 ### 3.1 Worktree isolation
 Git worktrees provide complete isolation of git state. Each worker has its own:
 - Working directory
 - Index (staging area)
 - HEAD pointer
 - Branch reference
 This eliminates race conditions documented in Q-038 of the harness logs.
 ### 3.2 Pre-fetched origin
 Origin is pre-fetched before worktree creation (Q-060 fix). This guarantees:
 - All workers branch from current main
 - No stale base branches
 - Consistent starting point across batch
 ### 3.3 Full PR lifecycle
 Workers handle the complete PR lifecycle:
 - Code implementation
 - Build and test execution
 - Commit with proper conventions
 - Push to remote
 - PR creation via Gitea API
 - Merge via Gitea API (squash merge default)
 ### 3.4 Trainer takeover
 For the rare gaps (~5% of cases):
 - Price-cap restrictions
 - Broken Mistral tests
 - Ambiguous requirements
 Trainer (Claude) takeover within ~5 minutes covers these edge cases.
 ---
 ## 4. How to read PR provenance
 ### 4.1 Commit message markers
 Look for these patterns in commit messages:
 | Marker | Meaning |
 |--------|---------|
 | `Mostly Mistral Vibe authored` | Mixed human + AI authorship |
 | `100% Mistral autonomous` | Fully autonomous workflow |
 | `batch<N>-task-<X>` | Brief slug reference |
 | `Q-058 trainer takeover` | Specific quirk reference |
 | `Q-062 fix applied` | Quirk mitigation applied |
 ### 4.2 Branch naming
 Branch names encode the workflow:
 ```
 vibe/<batch>-<task>-<description>
 ```
 Examples:
 - `vibe/batch4-task-a-email-infra`
 - `vibe/batch10-task-mistral-pattern-doc`
 ### 4.3 PR title conventions
 PR titles use gitmoji prefix:
 - `:memo:` - Documentation
 - `:robot:` - AI/automation
 - `:elephant:` - Database
 - `:rocket:` - Feature
 - `:test_tube:` - Testing
 ---
 ## 5. Reproducing the pattern
 ### 5.1 Quickstart guide
 See `~/.vibe/scripts/QUICKSTART-DISPATCH-BATCH.md` for complete how-to guide.
 ### 5.2 Resources
 | Resource | Path | Description |
 |----------|------|-------------|
 | Brief template | `~/.vibe/skills/prompt-builder/examples/dispatch-batch-task.md` | Standardized brief format |
 | Mistral quirks | `~/.vibe/memory/reference/mistral-quirks.md` | Accumulated lessons (Q-001 through Q-063 as of 2026-05-05) |
 | Architecture doc | `~/.vibe/memory/reference/architecture-mapreduce-orchestration.md` | Design rationale |
 | Budget history | `~/.vibe/memory/reference/budget-history.jsonl` | Empirical cost data |
 ---
 ## 6. Numbers (2026-05-05 reference)
 ### 6.1 Throughput
 | Metric | Value | Notes |
 |--------|-------|-------|
 | PRs merged (one day) | 20 | Mistral autonomous |
 | Wall-clock parallel (2 PRs) | ~2 minutes | vs ~3-4 minutes serial |
 | Wall-clock parallel (4 PRs) | ~2-3 minutes | Batch efficiency |
 ### 6.2 Cost
 | PR Type | Cost Range | Notes |
 |---------|------------|-------|
 | Simple PR | $0.5-1.5 | Documentation, minor changes |
 | Code-heavy PR | $2-3 | Complex logic, multiple files |
 | Complex PR | $3-5 | Architecture changes, deep refactoring |
 ### 6.3 Autonomy rate
 | Metric | Value |
 |--------|-------|
 | Autonomy rate per batch | 95-100% |
 | Trainer takeover rate | 5% |
 | Takeover reasons | Price-cap (2%), broken tests (2%), ambiguity (1%) |
 ---
 ## 7. Future evolution
 ### 7.1 Phase 1bis (current)
 - Multi-process workers operating in parallel
 - Claude trainer reduces observations
 - Improves harness reliability
 - Current state as of 2026-05-05
 ### 7.2 Phase 2 (target)
 - Mistral meta-agent performs reduce phase
 - Full autonomy loop without Claude
 - Self-improving pattern
 - Target: Q3 2026
 ### 7.3 Long-term vision
 - Fully autonomous feature development
 - Self-healing test failures
 - Cost-optimized batch dispatch
 - Multi-repository orchestration
 ---
 ## 8. Cross-references
 ### 8.1 Related ADRs
 | ADR | Description |
 |-----|-------------|
 | [ADR-0001](../adr/0001-go-1.26.1-standard.md) | Go 1.26.1 standard |
 | [ADR-0008](../adr/0008-bdd-testing.md) | BDD with Godog |
 | [ADR-0028](../adr/0028-passwordless-auth-migration.md) | Passwordless auth (Phase A complete) |
 ### 8.2 Related documentation
 | Document | Description |
 |----------|-------------|
 | [CONTRIBUTING.md](../CONTRIBUTING.md) | Contribution guidelines |
 | [AGENTS.md](../AGENTS.md) | Agent documentation |
 | [PHASE_B_ROADMAP.md](PHASE_B_ROADMAP.md) | Phase B OIDC roadmap |
 ---
 *Developer onboarding doc — see QUICKSTART-DISPATCH-BATCH.md for implementation details.*
--- a/documentation/OBSERVABILITY.md
+++ b/documentation/OBSERVABILITY.md
@@ -1,94 +0,0 @@
 # Observability — OpenTelemetry & Jaeger Integration
 Tracing setup for `dance-lessons-coach`. Extracted from the original `AGENTS.md` (Tâche 6 restructure) for lazy-loading compatibility with Mistral Vibe.
 The application supports OpenTelemetry for distributed tracing with Jaeger compatibility.
 ## Configuration
 Enable OpenTelemetry in your `config.yaml`:
 ```yaml
 telemetry:
  enabled: true
  otlp_endpoint: "localhost:4317"
  service_name: "dance-lessons-coach"
  insecure: true
  sampler:
    type: "parentbased_always_on"
    ratio: 1.0
 ```
 Or via environment variables:
 ```bash
 export DLC_TELEMETRY_ENABLED=true
 export DLC_TELEMETRY_OTLP_ENDPOINT="localhost:4317"
 export DLC_TELEMETRY_SERVICE_NAME="dance-lessons-coach"
 export DLC_TELEMETRY_INSECURE=true
 export DLC_TELEMETRY_SAMPLER_TYPE="parentbased_always_on"
 export DLC_TELEMETRY_SAMPLER_RATIO=1.0
 ```
 ## Testing with Jaeger
 **1. Start Jaeger in Docker:**
 ```bash
 docker run -d --name jaeger \
  -e COLLECTOR_OTLP_ENABLED=true \
  -p 16686:16686 \
  -p 4317:4317 \
  jaegertracing/all-in-one:latest
 ```
 **2. Start the server with OpenTelemetry enabled:**
 ```bash
 # Using config file
 ./scripts/start-server.sh start
 # Or with environment variables
 DLC_TELEMETRY_ENABLED=true ./scripts/start-server.sh start
 ```
 **3. Make API requests:**
 ```bash
 curl http://localhost:8080/api/v1/greet/John
 ```
 **4. View traces in Jaeger UI:**
 Open http://localhost:16686 and select the `dance-lessons-coach` service.
 ## Sampler Types
 | Sampler | Behavior |
 |---|---|
 | `always_on` | Sample all traces |
 | `always_off` | Sample no traces |
 | `traceidratio` | Sample based on trace ID ratio |
 | `parentbased_always_on` | Sample based on parent span (always on) |
 | `parentbased_always_off` | Sample based on parent span (always off) |
 | `parentbased_traceidratio` | Sample based on parent span with ratio |
 ## Testing Script
 A convenience script is provided:
 ```bash
 ./scripts/test-opentelemetry.sh
 ```
 This script:
 1. Starts Jaeger container
 2. Starts the server with OpenTelemetry
 3. Makes test API calls
 4. Shows Jaeger UI URL
 5. Cleans up on exit
 ## ADR Reference
 See [ADR-0007 — OpenTelemetry Integration](../adr/0007-opentelemetry-integration.md) for the full architectural decision and rationale (middleware-only approach, sampling strategy, OTLP/gRPC choice).
--- a/documentation/PHASE_B_ROADMAP.md
+++ b/documentation/PHASE_B_ROADMAP.md
@@ -12,18 +12,13 @@
 - [x] ADR-0028 Phase A complete (PRs #59-#63, #65)
 - [x] Phase B.1 OIDC config (PR #64)
 - [x] Phase B prep : pkg/auth skeleton (PR #69) + mkcert doc (PR #68)
- [x] Phase B.3 OIDC client implementation : ✅ (PR #74)
+- [ ] Phase B.3 not yet started
 - [x] Phase B.4 OIDC HTTP handlers + tests : ✅ (PR #75 + PR #76 follow-up tests)
 ## Status as of 2026-05-05 evening (after autonomous Mistral session)
 Phase B is essentially complete except B.5. The OIDC client (B.3, PR #74), HTTP handlers and tests (B.4, PR #75 + PR #76) have been delivered and merged.
 ---
 ## Remaining work
-Phase B delivers OpenID Connect Authorization Code flow with PKCE. Work is organized into **3 shippable phases**, each deliverable as an independent PR. At the time of this update, only Phase B.5 (BDD scenarios) remains to be completed.
+Phase B delivers OpenID Connect Authorization Code flow with PKCE. Work is organized into **3 shippable phases**, each deliverable as an independent PR.
 ### Phase B.3 — OIDC client implementation
 - **Goal:** Implement the core OIDC client methods in `pkg/auth/oidc.go`
@@ -122,9 +117,6 @@ B.5 (BDD coverage) —— requires B.3 + B.4
 - [PR #65: Magic link cleanup loop](https://gitea.arcodange.lab/arcodange/dance-lessons-coach/pulls/65)
 - [PR #68: mkcert documentation](https://gitea.arcodange.lab/arcodange/dance-lessons-coach/pulls/68)
 - [PR #69: pkg/auth skeleton](https://gitea.arcodange.lab/arcodange/dance-lessons-coach/pulls/69)
 - [PR #74: Phase B.3 OIDC client implementation](https://gitea.arcodange.lab/arcodange/dance-lessons-coach/pulls/74)
 - [PR #75: Phase B.4 OIDC HTTP handlers](https://gitea.arcodange.lab/arcodange/dance-lessons-coach/pulls/75)
 - [PR #76: Phase B.4 follow-up tests](https://gitea.arcodange.lab/arcodange/dance-lessons-coach/pulls/76)
 ---
--- a/documentation/ROADMAP.md
+++ b/documentation/ROADMAP.md
@@ -1,40 +0,0 @@
 # Roadmap & Future Enhancements
 Tracking pending features and architectural improvements. Extracted from the original `AGENTS.md` (Tâche 6 restructure). Status updated continuously — items move to "Completed Features" section once shipped.
 ## Potential Features
 - [ ] Database integration
 - [ ] Authentication / Authorization
 - [ ] Rate limiting
 - [ ] Metrics and monitoring
 - [ ] Docker containerization
 - ✅ CI/CD pipeline ([ADR-0016](../adr/0016-ci-cd-pipeline-design.md), [ADR-0017](../adr/0017-trunk-based-development-workflow.md))
 - [ ] Configuration hot reload
 - [ ] Circuit breakers
 ## Architectural Improvements
 - [ ] Request validation middleware
 - ✅ OpenAPI / Swagger documentation with embedded spec
 - [ ] Enhanced OpenTelemetry instrumentation
 - [ ] Metrics collection and visualization
 - [ ] Health check improvements
 - [ ] Configuration validation enhancements
 ## Completed Features
 - ✅ Graceful shutdown with readiness endpoint
 - ✅ OpenTelemetry integration with Jaeger support
 - ✅ Configuration management with Viper
 - ✅ Comprehensive logging with Zerolog
 - ✅ Build system with binary output
 - ✅ Complete documentation with commit conventions
 - ✅ Version management with runtime info
 ## How to Propose a New Feature
 1. Open a Gitea issue describing the use case and acceptance criteria
 2. If the feature implies an architectural decision, draft an ADR (`adr/<NNNN>-<slug>.md`) following the template
 3. Reference the ADR + issue in any PR introducing the feature
 4. Update this roadmap (move from "Potential" to "Completed" when shipped)
--- a/documentation/STATUS.md
+++ b/documentation/STATUS.md
@@ -1,49 +0,0 @@
 # Project Status Snapshot
 Last updated 2026-05-05 evening.
 ---
 ## Active Features
 - Magic-link passwordless auth (POST /api/v1/auth/magic-link/request + GET /consume) — production-ready, ADR-0028 Phase A complete
 - OIDC client + HTTP handlers (GET /api/v1/auth/oidc/{provider}/start + /callback with PKCE) — production-ready code, BDD coverage TODO. ADR-0028 Phase B (B.1, B.3, B.4 + tests done ; B.5 BDD scenarios TODO).
 - Username + password auth — legacy (ADR-0018), kept during migration. To be decommissioned in Phase C.
 - Versioned API, JWT, OpenTelemetry, Swagger, BDD
 ---
 ## What's In Progress / Next
 - Phase B.5 BDD scenarios for OIDC (1 PR Mistral expected)
 - Phase C decommission password auth (separate ADR)
 ---
 ## Project Structure Highlights
 ```
 adr/ : ADRs
 pkg/ : packages (auth, config, server, user, etc.)
 features/ : BDD scenarios
 documentation/ : docs index
 scripts/ : build + CI
 ```
 ---
 ## Key Documentation Entry Points
 - README.md : quick start
 - AGENTS.md : agent + automation conventions
 - documentation/AUTH.md : auth system synthesis
 - documentation/MISTRAL-AUTONOMOUS-PATTERN.md : how Mistral PRs are shipped
 - documentation/PHASE_B_ROADMAP.md : remaining auth migration work
 - documentation/2026-05-05-AUTONOMOUS-SESSION-RECAP.md : the autonomous session highlights
 - adr/ : architecture decisions
 ---
 ## Today's Milestone (2026-05-05)
 27 PRs merged in 1 day via the Mistral autonomous multi-process pattern. ADR-0028 (passwordless auth migration) essentially complete except Phase B.5 BDD.
--- a/documentation/TROUBLESHOOTING.md
+++ b/documentation/TROUBLESHOOTING.md
@@ -1,107 +0,0 @@
 # Troubleshooting
 Common issues and their resolution. Extracted from the original `AGENTS.md` and merged with relevant sections from `AGENT_USAGE_GUIDE.md` and `BDD_GUIDE.md`. Refer back to those guides for context-specific troubleshooting (agent workflows, BDD test failures).
 ## Port Already in Use
 ```bash
 # Find and kill process using port 8080
 kill -TERM $(lsof -ti :8080)
 # Force kill if graceful does not work
 kill -9 $(lsof -ti :8080)
 ```
 ## Server Not Responding
 ```bash
 # Check if running
 curl -s http://localhost:8080/api/health
 # Restart server using control script
 ./scripts/start-server.sh restart
 # View recent logs
 ./scripts/start-server.sh logs
 ```
 If health endpoint returns connection refused, the server may have crashed. Check logs in `./scripts/start-server.sh logs` for stack traces.
 ## Dependency Issues
 ```bash
 # Clean and rebuild
 go mod tidy
 go build ./...
 # If dependency version conflicts persist
 go mod download
 go mod verify
 ```
 ## Tests Failing
 ### Unit tests
 ```bash
 # Run with verbose output
 go test -v ./...
 # Check specific test
 go test ./pkg/greet/ -run TestName
 ```
 ### BDD tests
 See [`BDD_GUIDE.md`](BDD_GUIDE.md) for the full BDD troubleshooting workflow (Godog setup, scenario isolation, step matching). Common BDD issues:
 - **Step not found** → check `pkg/bdd/steps/` for the step definition file
 - **Scenario state leaking** → review [ADR-0025](../adr/0025-bdd-scenario-isolation-strategies.md) for the isolation pattern
 - **Database not reset** → ensure the test fixtures cleanup runs (BDD scenario After hooks)
 ## Configuration Not Loading
 The application logs the configuration source at startup. Check logs for:
 ```
 [INF] Configuration loaded from: file:config.yaml
 # or
 [INF] Configuration loaded from: env
 # or
 [INF] Configuration loaded from: defaults
 ```
 If config is not loading as expected:
 1. Verify file exists and is readable: `ls -la config.yaml`
 2. Verify env vars are exported: `env | grep DLC_`
 3. Check for typos in keys (case-sensitive)
 4. Review [`AGENT_USAGE_GUIDE.md`](AGENT_USAGE_GUIDE.md) section "Configuration troubleshooting"
 ## OpenTelemetry Not Tracing
 1. Verify Jaeger is running: `docker ps | grep jaeger`
 2. Check `DLC_TELEMETRY_ENABLED=true` in environment or `telemetry.enabled: true` in config
 3. Verify OTLP endpoint reachable: `nc -zv localhost 4317`
 4. Check sampler is not `always_off`
 5. See [`OBSERVABILITY.md`](OBSERVABILITY.md) for full setup
 ## Build Failures
 ```bash
 # Clear caches
 go clean -cache -modcache
 go mod download
 # Rebuild
 go build ./...
 ```
 If errors persist, see [`local-ci-cd-testing.md`](local-ci-cd-testing.md) for the CI/CD pipeline that mirrors the production build.
 ## Where to Look Next
 - **Agent-specific issues** (vibe, mistral, programmer agent) → [`AGENT_USAGE_GUIDE.md`](AGENT_USAGE_GUIDE.md)
 - **BDD-specific issues** → [`BDD_GUIDE.md`](BDD_GUIDE.md)
 - **Version/release issues** → [`version-management-guide.md`](version-management-guide.md)
 - **CI/CD issues** → [`local-ci-cd-testing.md`](local-ci-cd-testing.md)
--- a/iac/backend.tf
+++ b/iac/backend.tf
@@ -1,6 +0,0 @@
 terraform {
  backend "gcs" {
    bucket = "arcodange-tf"
    prefix = "dance-lessons-coach/main"
  }
 }
--- a/iac/main.tf
+++ b/iac/main.tf
@@ -1,10 +0,0 @@
 locals {
  app = {
    name = "dance-lessons-coach"
  }
 }
 module "app_roles" {
  source = "git::ssh://git@192.168.1.202:2222/arcodange-org/tools.git//hashicorp-vault/iac/modules/app_roles?depth=1&ref=main"
  name   = local.app.name
 }
--- a/iac/providers.tf
+++ b/iac/providers.tf
@@ -1,17 +0,0 @@
 terraform {
  required_providers {
    vault = {
      source  = "vault"
      version = "4.4.0"
    }
  }
 }
 provider "vault" {
  address = "https://vault.arcodange.lab"
  auth_login_jwt {
    # TERRAFORM_VAULT_AUTH_JWT environment variable, set by the gitea OIDC step
    mount = "gitea_jwt"
    role  = "gitea_cicd_dance-lessons-coach"
  }
 }
--- a/pkg/auth/context.go
+++ b/pkg/auth/context.go
@@ -1,30 +0,0 @@
 // Package auth — context keys and helpers for authentication state.
 //
 // This file owns the symbols that other packages use to read/write the
 // authenticated user from a request context. Previously these symbols
 // lived in pkg/greet/ which was the wrong home (auth concern in greet
 // package) ; moved here as part of the middleware design cleanup.
 package auth
 import (
 	"context"
 	"dance-lessons-coach/pkg/user"
 )
 // contextKey is unexported to prevent collisions with other packages
 // using string keys (Go convention).
 type contextKey string
 // UserContextKey is the key under which the authenticated user is
 // stored in the request context by AuthMiddleware.
 const UserContextKey contextKey = "authenticatedUser"
 // GetAuthenticatedUserFromContext extracts the authenticated user from
 // the request context. Returns (nil, false) if no user is present
 // (which is the case for unauthenticated requests AND for requests
 // that failed silent fail-through ; cf. AuthMiddleware semantics).
 func GetAuthenticatedUserFromContext(ctx context.Context) (*user.User, bool) {
 	u, ok := ctx.Value(UserContextKey).(*user.User)
 	return u, ok
 }
--- a/pkg/auth/oidc.go
+++ b/pkg/auth/oidc.go
@@ -94,21 +94,6 @@ func NewOIDCClient(issuerURL, clientID, clientSecret string) *OIDCClient {
 	}
 }
 // ClientID returns the OIDC client ID.
 func (c *OIDCClient) ClientID() string {
 	return c.clientID
 }
 // IssuerURL returns the OIDC issuer URL.
 func (c *OIDCClient) IssuerURL() string {
 	return c.issuerURL
 }
 // SetHTTPClient sets a custom HTTP client for testing.
 func (c *OIDCClient) SetHTTPClient(client *http.Client) {
 	c.httpClient = client
 }
 // decodeRSAPublicKey reconstructs an *rsa.PublicKey from JWK n and e values.
 func decodeRSAPublicKey(j jwk) (*rsa.PublicKey, error) {
 	nBytes, err := base64.RawURLEncoding.DecodeString(j.N)
--- a/pkg/greet/greet.go
+++ b/pkg/greet/greet.go
@@ -3,17 +3,31 @@ package greet
 import (
 	"context"
-	"dance-lessons-coach/pkg/auth"
+	"dance-lessons-coach/pkg/user"
 	"github.com/rs/zerolog/log"
 )
 // Context key for storing authenticated user
 type contextKey string
 const (
 	// UserContextKey is the context key for storing authenticated user
 	UserContextKey contextKey = "authenticatedUser"
 )
 type Service struct{}
 func NewService() *Service {
 	return &Service{}
 }
 // GetAuthenticatedUserFromContext extracts the authenticated user from context
 func GetAuthenticatedUserFromContext(ctx context.Context) (*user.User, bool) {
 	user, ok := ctx.Value(UserContextKey).(*user.User)
 	return user, ok
 }
 // Greet returns a greeting message for the given name.
 // If name is empty, it checks for authenticated user and uses their username.
 // If no authenticated user and no name, it defaults to "world".
@@ -23,7 +37,7 @@ func (s *Service) Greet(ctx context.Context, name string) string {
 	// If no name provided, check for authenticated user
 	if name == "" {
-		if authenticatedUser, ok := auth.GetAuthenticatedUserFromContext(ctx); ok {
+		if authenticatedUser, ok := GetAuthenticatedUserFromContext(ctx); ok {
 			name = authenticatedUser.Username
 			log.Trace().Ctx(ctx).Str("authenticated_user", name).Msg("Using authenticated username for greeting")
 		}
--- a/pkg/server/middleware.go
+++ b/pkg/server/middleware.go
@@ -3,131 +3,61 @@ package server
 import (
 	"context"
 	"net/http"
 	"strings"
-	"dance-lessons-coach/pkg/auth"
+	"dance-lessons-coach/pkg/greet"
 	"dance-lessons-coach/pkg/user"
 	"github.com/rs/zerolog/log"
 )
-// tokenValidator is the narrow interface AuthMiddleware needs from
+// AuthMiddleware handles JWT authentication and adds user to context
 // user.AuthService — only JWT validation. ISP : avoid pulling the full
 // fat AuthService interface (12+ methods) into the middleware.
 type tokenValidator interface {
 	ValidateJWT(ctx context.Context, token string) (*user.User, error)
 }
 const bearerPrefix = "Bearer "
 // firstWord returns the first whitespace-separated word of s, or s itself
 // if there's no whitespace. Used for log-safe scheme extraction.
 func firstWord(s string) string {
 	if i := strings.IndexAny(s, " \t"); i >= 0 {
 		return s[:i]
 	}
 	return s
 }
 // extractBearerToken pulls the bearer token out of an Authorization header.
 // Returns ("", false) if absent or malformed. RFC 6750 specifies the
 // scheme is case-insensitive ; we honor that.
 func extractBearerToken(authHeader string) (string, bool) {
 	if authHeader == "" {
 		return "", false
 	}
 	// Case-insensitive prefix match for "Bearer "
 	if len(authHeader) < len(bearerPrefix) {
 		return "", false
 	}
 	if !strings.EqualFold(authHeader[:len(bearerPrefix)], bearerPrefix) {
 		return "", false
 	}
 	return authHeader[len(bearerPrefix):], true
 }
 // AuthMiddleware (existing type kept for backwards compatibility ; the
 // constructor now returns a struct that exposes BOTH the optional and
 // required handlers). The legacy .Middleware method delegates to
 // OptionalHandler so existing wiring (server.go r.Use(authMiddleware.Middleware))
 // keeps working.
 type AuthMiddleware struct {
-	validator tokenValidator
+	authService user.AuthService
 }
-func NewAuthMiddleware(validator tokenValidator) *AuthMiddleware {
+// NewAuthMiddleware creates a new authentication middleware
-	return &AuthMiddleware{validator: validator}
+func NewAuthMiddleware(authService user.AuthService) *AuthMiddleware {
 	return &AuthMiddleware{
 		authService: authService,
 	}
 }
-// OptionalHandler wraps next so :
+// Middleware returns the authentication middleware function
 //   - no Authorization header : pass through, no user in context
 //   - malformed header : pass through, log Trace, no user in context
 //   - invalid JWT : pass through, log Trace, no user in context
 //   - valid JWT : pass through, user injected via auth.UserContextKey
 //
 // Use this on endpoints where auth is "nice to have" — the handler is
 // expected to call auth.GetAuthenticatedUserFromContext and decide.
 func (m *AuthMiddleware) OptionalHandler(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		ctx := r.Context()
 		token, ok := extractBearerToken(r.Header.Get("Authorization"))
 		if !ok {
 			// Header absent or malformed — log size only (Q-064 : no raw value).
 			if h := r.Header.Get("Authorization"); h != "" {
 				log.Trace().Ctx(ctx).
 					Int("auth_header_len", len(h)).
 					Str("scheme_word", firstWord(h)).
 					Msg("Optional auth : malformed Authorization header")
 			}
 			next.ServeHTTP(w, r)
 			return
 		}
 		validatedUser, err := m.validator.ValidateJWT(ctx, token)
 		if err != nil {
 			log.Trace().Ctx(ctx).Err(err).Msg("Optional auth : JWT validation failed")
 			next.ServeHTTP(w, r)
 			return
 		}
 		ctxWithUser := context.WithValue(ctx, auth.UserContextKey, validatedUser)
 		next.ServeHTTP(w, r.WithContext(ctxWithUser))
 	})
 }
 // RequiredHandler wraps next so :
 //   - no header / malformed / invalid JWT : 401 Unauthorized + WWW-Authenticate: Bearer
 //   - valid JWT : pass through, user injected via auth.UserContextKey
 //
 // Use this on endpoints where unauthenticated access is forbidden.
 // Conforms to RFC 6750.
 func (m *AuthMiddleware) RequiredHandler(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		ctx := r.Context()
 		token, ok := extractBearerToken(r.Header.Get("Authorization"))
 		if !ok {
 			w.Header().Set("WWW-Authenticate", `Bearer realm="dance-lessons-coach"`)
 			w.Header().Set("Content-Type", "application/json")
 			w.WriteHeader(http.StatusUnauthorized)
 			_, _ = w.Write([]byte(`{"error":"unauthorized","message":"missing or malformed Authorization header"}`))
 			return
 		}
 		validatedUser, err := m.validator.ValidateJWT(ctx, token)
 		if err != nil {
 			w.Header().Set("WWW-Authenticate", `Bearer realm="dance-lessons-coach", error="invalid_token"`)
 			w.Header().Set("Content-Type", "application/json")
 			w.WriteHeader(http.StatusUnauthorized)
 			_, _ = w.Write([]byte(`{"error":"unauthorized","message":"invalid token"}`))
 			return
 		}
 		ctxWithUser := context.WithValue(ctx, auth.UserContextKey, validatedUser)
 		next.ServeHTTP(w, r.WithContext(ctxWithUser))
 	})
 }
 // Middleware is the legacy method — preserved for backwards compatibility.
 // Delegates to OptionalHandler. New wiring should call OptionalHandler or
 // RequiredHandler explicitly.
 //
 // Deprecated: use OptionalHandler() directly.
 func (m *AuthMiddleware) Middleware(next http.Handler) http.Handler {
-	return m.OptionalHandler(next)
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		ctx := r.Context()
 		// Extract Authorization header
 		authHeader := r.Header.Get("Authorization")
 		if authHeader == "" {
 			// No authorization header, pass through with no user
 			next.ServeHTTP(w, r)
 			return
 		}
 		// Extract token from "Bearer <token>" format
 		const bearerPrefix = "Bearer "
 		if len(authHeader) < len(bearerPrefix) || authHeader[:len(bearerPrefix)] != bearerPrefix {
 			log.Trace().Ctx(ctx).Str("auth_header", authHeader).Msg("Invalid authorization header format")
 			next.ServeHTTP(w, r)
 			return
 		}
 		token := authHeader[len(bearerPrefix):]
 		// Validate JWT token
 		validatedUser, err := m.authService.ValidateJWT(ctx, token)
 		if err != nil {
 			log.Trace().Ctx(ctx).Err(err).Msg("JWT validation failed")
 			next.ServeHTTP(w, r)
 			return
 		}
 		// Add user to context
 		ctxWithUser := context.WithValue(ctx, greet.UserContextKey, validatedUser)
 		r = r.WithContext(ctxWithUser)
 		// Continue to next handler
 		next.ServeHTTP(w, r)
 	})
 }
--- a/pkg/server/middleware_test.go
+++ b/pkg/server/middleware_test.go
@@ -1,181 +0,0 @@
 package server
 import (
 	"context"
 	"errors"
 	"net/http"
 	"net/http/httptest"
 	"testing"
 	"dance-lessons-coach/pkg/auth"
 	"dance-lessons-coach/pkg/user"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 )
 // fakeTokenValidator is a minimal tokenValidator stub.
 type fakeTokenValidator struct {
 	validUser *user.User
 	err       error
 	seen      string // captures the last token passed in
 }
 func (f *fakeTokenValidator) ValidateJWT(ctx context.Context, token string) (*user.User, error) {
 	f.seen = token
 	if f.err != nil {
 		return nil, f.err
 	}
 	return f.validUser, nil
 }
 // nextHandler returns 200 with a flag in body indicating whether a user
 // was injected into context.
 func nextHandler() http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		u, ok := auth.GetAuthenticatedUserFromContext(r.Context())
 		if ok && u != nil {
 			w.Header().Set("X-User", u.Username)
 		}
 		w.WriteHeader(http.StatusOK)
 		_, _ = w.Write([]byte("ok"))
 	})
 }
 func TestOptionalHandler_NoHeader_PassesThrough(t *testing.T) {
 	fv := &fakeTokenValidator{}
 	mw := NewAuthMiddleware(fv).OptionalHandler(nextHandler())
 	req := httptest.NewRequest(http.MethodGet, "/foo", nil)
 	rec := httptest.NewRecorder()
 	mw.ServeHTTP(rec, req)
 	assert.Equal(t, http.StatusOK, rec.Code)
 	assert.Empty(t, rec.Header().Get("X-User"), "no user expected when no Authorization header")
 	assert.Empty(t, fv.seen, "validator should not have been called")
 }
 func TestOptionalHandler_MalformedHeader_PassesThrough(t *testing.T) {
 	fv := &fakeTokenValidator{}
 	mw := NewAuthMiddleware(fv).OptionalHandler(nextHandler())
 	req := httptest.NewRequest(http.MethodGet, "/foo", nil)
 	req.Header.Set("Authorization", "Basic xxx")
 	rec := httptest.NewRecorder()
 	mw.ServeHTTP(rec, req)
 	assert.Equal(t, http.StatusOK, rec.Code)
 	assert.Empty(t, rec.Header().Get("X-User"))
 	assert.Empty(t, fv.seen, "validator should not have been called for non-Bearer scheme")
 }
 func TestOptionalHandler_BearerCaseInsensitive(t *testing.T) {
 	fv := &fakeTokenValidator{validUser: &user.User{Username: "alice"}}
 	mw := NewAuthMiddleware(fv).OptionalHandler(nextHandler())
 	req := httptest.NewRequest(http.MethodGet, "/foo", nil)
 	req.Header.Set("Authorization", "bearer abc123") // lowercase
 	rec := httptest.NewRecorder()
 	mw.ServeHTTP(rec, req)
 	assert.Equal(t, http.StatusOK, rec.Code)
 	assert.Equal(t, "alice", rec.Header().Get("X-User"), "case-insensitive Bearer per RFC 6750")
 	assert.Equal(t, "abc123", fv.seen)
 }
 func TestOptionalHandler_InvalidJWT_PassesThrough(t *testing.T) {
 	fv := &fakeTokenValidator{err: errors.New("bad signature")}
 	mw := NewAuthMiddleware(fv).OptionalHandler(nextHandler())
 	req := httptest.NewRequest(http.MethodGet, "/foo", nil)
 	req.Header.Set("Authorization", "Bearer xxx")
 	rec := httptest.NewRecorder()
 	mw.ServeHTTP(rec, req)
 	assert.Equal(t, http.StatusOK, rec.Code, "optional auth never returns 401")
 	assert.Empty(t, rec.Header().Get("X-User"))
 }
 func TestOptionalHandler_ValidJWT_InjectsUser(t *testing.T) {
 	fv := &fakeTokenValidator{validUser: &user.User{ID: 7, Username: "bob"}}
 	mw := NewAuthMiddleware(fv).OptionalHandler(nextHandler())
 	req := httptest.NewRequest(http.MethodGet, "/foo", nil)
 	req.Header.Set("Authorization", "Bearer goodtoken")
 	rec := httptest.NewRecorder()
 	mw.ServeHTTP(rec, req)
 	assert.Equal(t, http.StatusOK, rec.Code)
 	assert.Equal(t, "bob", rec.Header().Get("X-User"))
 	assert.Equal(t, "goodtoken", fv.seen)
 }
 func TestRequiredHandler_NoHeader_Returns401(t *testing.T) {
 	fv := &fakeTokenValidator{}
 	mw := NewAuthMiddleware(fv).RequiredHandler(nextHandler())
 	req := httptest.NewRequest(http.MethodGet, "/foo", nil)
 	rec := httptest.NewRecorder()
 	mw.ServeHTTP(rec, req)
 	require.Equal(t, http.StatusUnauthorized, rec.Code)
 	assert.Contains(t, rec.Header().Get("WWW-Authenticate"), "Bearer", "RFC 6750 challenge header")
 	assert.Contains(t, rec.Body.String(), "unauthorized")
 }
 func TestRequiredHandler_InvalidJWT_Returns401WithErrorTag(t *testing.T) {
 	fv := &fakeTokenValidator{err: errors.New("expired")}
 	mw := NewAuthMiddleware(fv).RequiredHandler(nextHandler())
 	req := httptest.NewRequest(http.MethodGet, "/foo", nil)
 	req.Header.Set("Authorization", "Bearer xxx")
 	rec := httptest.NewRecorder()
 	mw.ServeHTTP(rec, req)
 	require.Equal(t, http.StatusUnauthorized, rec.Code)
 	assert.Contains(t, rec.Header().Get("WWW-Authenticate"), `error="invalid_token"`)
 }
 func TestRequiredHandler_ValidJWT_PassesThrough(t *testing.T) {
 	fv := &fakeTokenValidator{validUser: &user.User{Username: "carol"}}
 	mw := NewAuthMiddleware(fv).RequiredHandler(nextHandler())
 	req := httptest.NewRequest(http.MethodGet, "/foo", nil)
 	req.Header.Set("Authorization", "Bearer goodtoken")
 	rec := httptest.NewRecorder()
 	mw.ServeHTTP(rec, req)
 	require.Equal(t, http.StatusOK, rec.Code)
 	assert.Equal(t, "carol", rec.Header().Get("X-User"))
 }
 func TestExtractBearerToken_EdgeCases(t *testing.T) {
 	cases := []struct {
 		in  string
 		out string
 		ok  bool
 	}{
 		{"", "", false},
 		{"Bearer ", "", true}, // empty token, but matches the prefix — caller decides
 		{"Bearer xxx", "xxx", true},
 		{"bearer xxx", "xxx", true}, // case-insensitive
 		{"BEARER xxx", "xxx", true},
 		{"Basic xxx", "", false},
 		{"Bearer", "", false}, // no separating space
 		{"Bear", "", false},
 	}
 	for _, c := range cases {
 		t.Run(c.in, func(t *testing.T) {
 			tok, ok := extractBearerToken(c.in)
 			assert.Equal(t, c.ok, ok)
 			assert.Equal(t, c.out, tok)
 		})
 	}
 }
 func TestFirstWord(t *testing.T) {
 	assert.Equal(t, "Bearer", firstWord("Bearer xxx"))
 	assert.Equal(t, "Basic", firstWord("Basic\tabc"))
 	assert.Equal(t, "Token", firstWord("Token"))
 	assert.Equal(t, "", firstWord(""))
 }
--- a/pkg/server/server.go
+++ b/pkg/server/server.go
@@ -18,7 +18,6 @@ import (
 	"github.com/rs/zerolog/log"
 	httpSwagger "github.com/swaggo/http-swagger"
 	"dance-lessons-coach/pkg/auth"
 	"dance-lessons-coach/pkg/cache"
 	"dance-lessons-coach/pkg/config"
 	"dance-lessons-coach/pkg/email"
@@ -280,18 +279,6 @@ func (s *Server) registerApiV1Routes(r chi.Router) {
 					)
 					mlHandler.RegisterRoutes(r)
 				}
 				// OIDC handlers (ADR-0028 Phase B.4)
 				oidcProviders := s.config.GetOIDCProviders()
 				if len(oidcProviders) > 0 {
 					oidcClients := make(map[string]*auth.OIDCClient, len(oidcProviders))
 					for name, p := range oidcProviders {
 						oidcClients[name] = auth.NewOIDCClient(p.IssuerURL, p.ClientID, p.ClientSecret)
 					}
 					redirectBase := s.config.GetMagicLinkConfig().BaseURL
 					oidcHandler := userapi.NewOIDCHandler(oidcClients, s.userService, s.userRepo, redirectBase)
 					oidcHandler.RegisterRoutes(r)
 				}
 			})
 			// Register admin routes
--- a/pkg/user/api/oidc_handler.go
+++ b/pkg/user/api/oidc_handler.go
@@ -1,329 +0,0 @@
 package api
 import (
 	"context"
 	"crypto/rand"
 	"crypto/sha256"
 	"encoding/base64"
 	"encoding/hex"
 	"fmt"
 	"net/http"
 	"net/url"
 	"sync"
 	"time"
 	"dance-lessons-coach/pkg/auth"
 	"dance-lessons-coach/pkg/user"
 	"github.com/go-chi/chi/v5"
 	"github.com/rs/zerolog/log"
 )
 // OIDCHandler exposes the OIDC authorization-code endpoints.
 type OIDCHandler struct {
 	clients      map[string]*auth.OIDCClient // keyed by provider name
 	users        user.UserService
 	repo         user.UserRepository
 	redirectBase string
 	pkceMu    sync.Mutex
 	pkceStore map[string]pkceEntry
 }
 type pkceEntry struct {
 	codeVerifier string
 	providerName string
 	expiresAt    time.Time
 }
 // NewOIDCHandler creates a new OIDCHandler.
 func NewOIDCHandler(clients map[string]*auth.OIDCClient, users user.UserService, repo user.UserRepository, redirectBase string) *OIDCHandler {
 	return &OIDCHandler{
 		clients:      clients,
 		users:        users,
 		repo:         repo,
 		redirectBase: redirectBase,
 		pkceStore:    make(map[string]pkceEntry),
 	}
 }
 // RegisterRoutes mounts the OIDC endpoints on the provided router.
 func (h *OIDCHandler) RegisterRoutes(router chi.Router) {
 	router.Get("/oidc/{provider}/start", h.handleStart)
 	router.Get("/oidc/{provider}/callback", h.handleCallback)
 }
 // handleStart initiates the OIDC authorization-code flow.
 //
 //	@Summary		Start OIDC authorization
 //	@Description	Generates PKCE state and verifier, redirects to the OIDC provider authorization endpoint.
 //	@Tags		API/v1/User
 //	@Produce		json
 //	@Param		provider	path		string		true	"OIDC provider name"
 //	@Success		302		{string}string	"Redirect to OIDC provider"
 //	@Failure		404		{object}map[string]string	"Unknown provider"
 //	@Failure		502		{object}map[string]string	"Discovery failed"
 //	@Router		/v1/auth/oidc/{provider}/start [get]
 func (h *OIDCHandler) handleStart(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	provider := chi.URLParam(r, "provider")
 	client, exists := h.clients[provider]
 	if !exists {
 		log.Warn().Ctx(ctx).Str("provider", provider).Msg("OIDC start: unknown provider")
 		writeJSONError(w, http.StatusNotFound, "unknown_provider", "unknown OIDC provider")
 		return
 	}
 	// Ensure discovery is loaded
 	disc, err := client.Discover(ctx)
 	if err != nil {
 		log.Error().Ctx(ctx).Err(err).Str("provider", provider).Msg("OIDC start: discovery failed")
 		writeJSONError(w, http.StatusBadGateway, "discovery_failed", fmt.Sprintf("OIDC discovery failed: %v", err))
 		return
 	}
 	// Generate state: 32 bytes random, base64-url-no-padding
 	state := generateRandomBase64URL(32)
 	// Generate code verifier: 32 bytes random, base64-url-no-padding
 	codeVerifier := generateRandomBase64URL(32)
 	// Compute code challenge: SHA256 hash of code verifier, base64-url-no-padding
 	hash := sha256.Sum256([]byte(codeVerifier))
 	codeChallenge := base64.RawURLEncoding.EncodeToString(hash[:])
 	// Store PKCE entry
 	h.pkceMu.Lock()
 	// Lazy-clean expired entries
 	now := time.Now()
 	for k, entry := range h.pkceStore {
 		if entry.expiresAt.Before(now) {
 			delete(h.pkceStore, k)
 		}
 	}
 	h.pkceStore[state] = pkceEntry{
 		codeVerifier: codeVerifier,
 		providerName: provider,
 		expiresAt:    now.Add(10 * time.Minute),
 	}
 	h.pkceMu.Unlock()
 	// Build redirect URL
 	redirectURI := fmt.Sprintf("%s/api/v1/auth/oidc/%s/callback", h.redirectBase, provider)
 	v := url.Values{}
 	v.Set("response_type", "code")
 	v.Set("client_id", client.ClientID())
 	v.Set("redirect_uri", redirectURI)
 	v.Set("state", state)
 	v.Set("code_challenge", codeChallenge)
 	v.Set("code_challenge_method", "S256")
 	v.Set("scope", "openid email profile")
 	target := disc.AuthorizationEndpoint + "?" + v.Encode()
 	log.Debug().Ctx(ctx).Str("provider", provider).Str("target", target).Msg("OIDC start: redirecting to provider")
 	http.Redirect(w, r, target, http.StatusFound)
 }
 // handleCallback handles the OIDC callback after authorization.
 //
 //	@Summary		OIDC callback handler
 //	@Description	Validates state, exchanges code for tokens, validates id_token, signs up on first use, issues JWT.
 //	@Tags		API/v1/User
 //	@Produce		json
 //	@Param		provider	path		string		true	"OIDC provider name"
 //	@Param		state		query		string		true	"State parameter"
 //	@Param		code		query		string		false	"Authorization code"
 //	@Param		error		query		string		false	"OIDC error"
 //	@Success		200		{object}	OIDCCallbackResponse	"Successfully signed in via OIDC"
 //	@Failure		401		{object}	map[string]string	"Invalid state, missing code, or OIDC error"
 //	@Failure		502		{object}	map[string]string	"Token exchange or validation failed"
 //	@Failure		500		{object}	map[string]string	"Internal server error"
 //	@Router		/v1/auth/oidc/{provider}/callback [get]
 func (h *OIDCHandler) handleCallback(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
 	provider := chi.URLParam(r, "provider")
 	client, exists := h.clients[provider]
 	if !exists {
 		log.Warn().Ctx(ctx).Str("provider", provider).Msg("OIDC callback: unknown provider")
 		writeJSONError(w, http.StatusNotFound, "unknown_provider", "unknown OIDC provider")
 		return
 	}
 	// Read query parameters
 	state := r.URL.Query().Get("state")
 	code := r.URL.Query().Get("code")
 	oidcError := r.URL.Query().Get("error")
 	// If OIDC provider returned an error
 	if oidcError != "" {
 		log.Warn().Ctx(ctx).Str("provider", provider).Str("error", oidcError).Msg("OIDC callback: provider error")
 		writeJSON(w, http.StatusUnauthorized, map[string]string{
 			"error":          "oidc_error",
 			"provider_error": oidcError,
 		})
 		return
 	}
 	// Validate state
 	if state == "" {
 		log.Warn().Ctx(ctx).Msg("OIDC callback: missing state")
 		writeJSONError(w, http.StatusUnauthorized, "invalid_state", "missing state parameter")
 		return
 	}
 	h.pkceMu.Lock()
 	entry, exists := h.pkceStore[state]
 	if !exists {
 		h.pkceMu.Unlock()
 		log.Warn().Ctx(ctx).Str("state", state).Msg("OIDC callback: state not found")
 		writeJSONError(w, http.StatusUnauthorized, "invalid_state", "state not found or already used")
 		return
 	}
 	// Check expiration and provider match
 	now := time.Now()
 	if entry.expiresAt.Before(now) {
 		delete(h.pkceStore, state)
 		h.pkceMu.Unlock()
 		log.Warn().Ctx(ctx).Str("state", state).Msg("OIDC callback: state expired")
 		writeJSONError(w, http.StatusUnauthorized, "invalid_state", "state expired")
 		return
 	}
 	if entry.providerName != provider {
 		delete(h.pkceStore, state)
 		h.pkceMu.Unlock()
 		log.Warn().Ctx(ctx).Str("state", state).Str("expected_provider", entry.providerName).Str("actual_provider", provider).Msg("OIDC callback: provider mismatch")
 		writeJSONError(w, http.StatusUnauthorized, "invalid_state", "provider mismatch")
 		return
 	}
 	// Delete the entry (single-use)
 	codeVerifier := entry.codeVerifier
 	delete(h.pkceStore, state)
 	h.pkceMu.Unlock()
 	// Validate code parameter
 	if code == "" {
 		log.Warn().Ctx(ctx).Msg("OIDC callback: missing code")
 		writeJSONError(w, http.StatusUnauthorized, "invalid_request", "missing authorization code")
 		return
 	}
 	// Build redirect URI
 	redirectURI := fmt.Sprintf("%s/api/v1/auth/oidc/%s/callback", h.redirectBase, provider)
 	// Exchange code for tokens
 	tokenResp, err := client.ExchangeCode(ctx, code, codeVerifier, redirectURI)
 	if err != nil {
 		log.Error().Ctx(ctx).Err(err).Str("provider", provider).Msg("OIDC callback: code exchange failed")
 		writeJSONError(w, http.StatusBadGateway, "token_exchange_failed", fmt.Sprintf("code exchange failed: %v", err))
 		return
 	}
 	// Validate ID token
 	claims, err := client.ValidateIDToken(ctx, tokenResp.IDToken)
 	if err != nil {
 		log.Error().Ctx(ctx).Err(err).Str("provider", provider).Msg("OIDC callback: ID token validation failed")
 		writeJSONError(w, http.StatusUnauthorized, "invalid_id_token", fmt.Sprintf("ID token validation failed: %v", err))
 		return
 	}
 	// Check email in claims
 	if claims.Email == "" {
 		log.Warn().Ctx(ctx).Str("provider", provider).Msg("OIDC callback: no email in ID token")
 		writeJSONError(w, http.StatusUnauthorized, "no_email_in_id_token", "ID token does not contain an email claim")
 		return
 	}
 	// Ensure user exists (sign-up on first use)
 	u, err := h.ensureUser(ctx, claims.Email)
 	if err != nil {
 		log.Error().Ctx(ctx).Err(err).Str("email", claims.Email).Msg("OIDC callback: user upsert failed")
 		writeJSONError(w, http.StatusInternalServerError, "server_error", fmt.Sprintf("user upsert failed: %v", err))
 		return
 	}
 	// Generate JWT
 	jwtToken, err := h.users.GenerateJWT(ctx, u)
 	if err != nil {
 		log.Error().Ctx(ctx).Err(err).Str("email", claims.Email).Msg("OIDC callback: JWT generation failed")
 		writeJSONError(w, http.StatusInternalServerError, "server_error", fmt.Sprintf("JWT generation failed: %v", err))
 		return
 	}
 	log.Info().Ctx(ctx).Str("provider", provider).Str("email", claims.Email).Msg("OIDC callback: user signed in successfully")
 	writeJSON(w, http.StatusOK, map[string]string{
 		"message": "signed in via oidc",
 		"token":   jwtToken,
 		"user":    claims.Email,
 	})
 }
 // ensureUser returns the user keyed on email (stored as Username),
 // creating them if absent. Newly-created users get a random unguessable
 // bcrypt-hashed password so the password endpoints stay locked out.
 func (h *OIDCHandler) ensureUser(ctx context.Context, email string) (*user.User, error) {
 	if h.repo != nil {
 		existing, err := h.repo.GetUserByUsername(ctx, email)
 		if err != nil {
 			return nil, fmt.Errorf("get user by username: %w", err)
 		}
 		if existing != nil {
 			return existing, nil
 		}
 	}
 	// Generate random password
 	rawPass := generateRandomHex(32)
 	hash, err := h.users.HashPassword(ctx, rawPass)
 	if err != nil {
 		return nil, fmt.Errorf("hash password: %w", err)
 	}
 	u := &user.User{
 		Username:     email,
 		PasswordHash: hash,
 		IsAdmin:      false,
 	}
 	if err := h.users.CreateUser(ctx, u); err != nil {
 		return nil, fmt.Errorf("create user: %w", err)
 	}
 	if h.repo != nil {
 		return h.repo.GetUserByUsername(ctx, email)
 	}
 	return u, nil
 }
 // generateRandomBase64URL generates a random string suitable for use in OIDC PKCE flows.
 func generateRandomBase64URL(length int) string {
 	b := make([]byte, length)
 	if _, err := rand.Read(b); err != nil {
 		panic(fmt.Sprintf("failed to read random bytes: %v", err))
 	}
 	return base64.RawURLEncoding.EncodeToString(b)
 }
 // generateRandomHex generates a random hex string.
 func generateRandomHex(length int) string {
 	b := make([]byte, length/2)
 	if _, err := rand.Read(b); err != nil {
 		panic(fmt.Sprintf("failed to read random bytes: %v", err))
 	}
 	return hex.EncodeToString(b)
 }
 // OIDCCallbackResponse represents the JSON response from the OIDC callback.
 type OIDCCallbackResponse struct {
 	Message string `json:"message"`
 	Token   string `json:"token"`
 	User    string `json:"user"`
 }
--- a/pkg/user/api/oidc_handler_test.go
+++ b/pkg/user/api/oidc_handler_test.go
@@ -1,134 +0,0 @@
 package api
 import (
 	"fmt"
 	"net/http"
 	"net/http/httptest"
 	"testing"
 	"dance-lessons-coach/pkg/auth"
 	"dance-lessons-coach/pkg/user"
 	"github.com/go-chi/chi/v5"
 	"github.com/stretchr/testify/assert"
 )
 // fakeUserSvc is reused from magic_link_handler_test.go
 // It's in the same package (api) so we can use it directly.
 // fakeUserRepo is reused from magic_link_handler_test.go
 // It's in the same package (api) so we can use it directly.
 // setupMockOIDCProvider creates a mock OIDC provider server for testing.
 // Uses the Q-062 mitigation pattern with var server *httptest.Server.
 func setupMockOIDCProvider(t *testing.T) *httptest.Server {
 	t.Helper()
 	var server *httptest.Server
 	server = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		if r.URL.Path == "/.well-known/openid-configuration" {
 			w.Header().Set("Content-Type", "application/json")
 			fmt.Fprintf(w, `{"issuer":"%s","authorization_endpoint":"%s/auth","token_endpoint":"%s/token","jwks_uri":"%s/jwks"}`,
 				server.URL, server.URL, server.URL, server.URL)
 			return
 		}
 		w.WriteHeader(http.StatusNotFound)
 	}))
 	return server
 }
 // mountOIDCHandler mounts the OIDCHandler on a new router and returns it.
 func mountOIDCHandler(t *testing.T, handler *OIDCHandler) *chi.Mux {
 	t.Helper()
 	r := chi.NewRouter()
 	handler.RegisterRoutes(r)
 	return r
 }
 // newTestOIDCHandler creates an OIDCHandler with the given clients.
 func newTestOIDCHandler(clients map[string]*auth.OIDCClient) *OIDCHandler {
 	return NewOIDCHandler(
 		clients,
 		newFakeUserSvc(),
 		&fakeUserRepo{svc: newFakeUserSvc()},
 		"http://localhost:8080",
 	)
 }
 // TestOIDCHandler_Start_RejectsUnknownProvider tests that starting with an unknown provider returns 404.
 func TestOIDCHandler_Start_RejectsUnknownProvider(t *testing.T) {
 	handler := newTestOIDCHandler(map[string]*auth.OIDCClient{})
 	router := mountOIDCHandler(t, handler)
 	req := httptest.NewRequest(http.MethodGet, "/oidc/unknown/start", nil)
 	rr := httptest.NewRecorder()
 	router.ServeHTTP(rr, req)
 	assert.Equal(t, http.StatusNotFound, rr.Code)
 }
 // TestOIDCHandler_Callback_RejectsMissingState tests that callback without state returns 401.
 func TestOIDCHandler_Callback_RejectsMissingState(t *testing.T) {
 	client := auth.NewOIDCClient("http://mock-provider", "test-id", "test-secret")
 	handler := newTestOIDCHandler(map[string]*auth.OIDCClient{"test": client})
 	router := mountOIDCHandler(t, handler)
 	req := httptest.NewRequest(http.MethodGet, "/oidc/test/callback", nil)
 	rr := httptest.NewRecorder()
 	router.ServeHTTP(rr, req)
 	assert.Equal(t, http.StatusUnauthorized, rr.Code)
 }
 // TestOIDCHandler_Callback_RejectsUnknownState tests that callback with unknown state returns 401.
 func TestOIDCHandler_Callback_RejectsUnknownState(t *testing.T) {
 	client := auth.NewOIDCClient("http://mock-provider", "test-id", "test-secret")
 	handler := newTestOIDCHandler(map[string]*auth.OIDCClient{"test": client})
 	router := mountOIDCHandler(t, handler)
 	req := httptest.NewRequest(http.MethodGet, "/oidc/test/callback?state=unknown&code=any", nil)
 	rr := httptest.NewRecorder()
 	router.ServeHTTP(rr, req)
 	assert.Equal(t, http.StatusUnauthorized, rr.Code)
 }
 // TestOIDCHandler_Start_RedirectsWithPKCE tests that starting with a valid provider redirects with PKCE.
 func TestOIDCHandler_Start_RedirectsWithPKCE(t *testing.T) {
 	// Setup mock OIDC provider
 	mockServer := setupMockOIDCProvider(t)
 	defer mockServer.Close()
 	// Create OIDC client pointing to mock server
 	client := auth.NewOIDCClient(mockServer.URL, "test-id", "test-secret")
 	// Set a custom HTTP client that can reach the mock server
 	client.SetHTTPClient(mockServer.Client())
 	handler := newTestOIDCHandler(map[string]*auth.OIDCClient{"test": client})
 	router := mountOIDCHandler(t, handler)
 	req := httptest.NewRequest(http.MethodGet, "/oidc/test/start", nil)
 	rr := httptest.NewRecorder()
 	router.ServeHTTP(rr, req)
 	// Assert 302 redirect
 	assert.Equal(t, http.StatusFound, rr.Code)
 	// Get Location header
 	location := rr.Header().Get("Location")
 	assert.NotEmpty(t, location)
 	// Location should start with the mock auth endpoint
 	expectedAuthEndpoint := mockServer.URL + "/auth"
 	assert.Contains(t, location, expectedAuthEndpoint)
 	// Location should contain code_challenge and state
 	assert.Contains(t, location, "code_challenge=")
 	assert.Contains(t, location, "state=")
 	assert.Contains(t, location, "response_type=code")
 	assert.Contains(t, location, "client_id=test-id")
 	assert.Contains(t, location, "code_challenge_method=S256")
 }
 // Ensure the interfaces are satisfied at compile time
 var _ user.UserService = (*fakeUserSvc)(nil)
 var _ user.UserRepository = (*fakeUserRepo)(nil)
--- a/pkg/user/auth_service.go
+++ b/pkg/user/auth_service.go
@@ -106,7 +106,7 @@ func (s *userServiceImpl) GenerateJWT(ctx context.Context, user *User) (string,
 	// Use the most recently added secret (last in the list)
 	// This ensures new tokens are signed with the latest secret
 	signingSecret := validSecrets[len(validSecrets)-1].Secret
-	log.Trace().Ctx(ctx).Str("signing_secret_fp", tokenFingerprint(signingSecret)).Bool("is_primary", validSecrets[len(validSecrets)-1].IsPrimary).Msg("Generating JWT with latest secret")
+	log.Trace().Ctx(ctx).Str("signing_secret", signingSecret).Bool("is_primary", validSecrets[len(validSecrets)-1].IsPrimary).Msg("Generating JWT with latest secret")
 	// Sign and get the complete encoded token as a string
 	tokenString, err := token.SignedString([]byte(signingSecret))
@@ -114,20 +114,20 @@ func (s *userServiceImpl) GenerateJWT(ctx context.Context, user *User) (string,
 		return "", fmt.Errorf("failed to sign JWT: %w", err)
 	}
-	log.Trace().Ctx(ctx).Str("token_fp", tokenFingerprint(tokenString)).Int("token_len", len(tokenString)).Msg("Generated JWT token")
+	log.Trace().Ctx(ctx).Str("token", tokenString).Msg("Generated JWT token")
 	return tokenString, nil
 }
 // ValidateJWT validates a JWT token and returns the user
 func (s *userServiceImpl) ValidateJWT(ctx context.Context, tokenString string) (*User, error) {
-	log.Trace().Ctx(ctx).Str("token_fp", tokenFingerprint(tokenString)).Int("token_len", len(tokenString)).Msg("Validating JWT token")
+	log.Trace().Ctx(ctx).Str("token", tokenString).Msg("Validating JWT token")
 	// Get all valid secrets for validation
 	validSecrets := s.secretManager.GetAllValidSecrets()
 	log.Trace().Ctx(ctx).Int("num_secrets", len(validSecrets)).Msg("Validating JWT with multiple secrets")
 	for i, secret := range validSecrets {
-		log.Trace().Ctx(ctx).Int("secret_index", i).Str("secret_fp", tokenFingerprint(secret.Secret)).Bool("is_primary", secret.IsPrimary).Msg("Trying secret")
+		log.Trace().Ctx(ctx).Int("secret_index", i).Str("secret", secret.Secret).Bool("is_primary", secret.IsPrimary).Msg("Trying secret")
 	}
 	// Try each valid secret until we find one that works
@@ -146,7 +146,7 @@ func (s *userServiceImpl) ValidateJWT(ctx context.Context, tokenString string) (
 		})
 		if err == nil && token.Valid {
-			log.Trace().Ctx(ctx).Int("secret_index", i).Str("secret_fp", tokenFingerprint(secret.Secret)).Msg("JWT validation successful")
+			log.Trace().Ctx(ctx).Int("secret_index", i).Str("secret", secret.Secret).Msg("JWT validation successful")
 			parsedToken = token
 			break
 		}
@@ -154,7 +154,7 @@ func (s *userServiceImpl) ValidateJWT(ctx context.Context, tokenString string) (
 		// Store the last error for reporting
 		validationError = err
 		if err != nil {
-			log.Trace().Ctx(ctx).Int("secret_index", i).Str("secret_fp", tokenFingerprint(secret.Secret)).Err(err).Msg("JWT validation failed")
+			log.Trace().Ctx(ctx).Int("secret_index", i).Str("secret", secret.Secret).Err(err).Msg("JWT validation failed")
 		}
 	}
@@ -351,13 +351,3 @@ func (s *PasswordResetServiceImpl) CompletePasswordReset(ctx context.Context, us
 	// Complete the password reset
 	return s.repo.CompletePasswordReset(ctx, username, hashedPassword)
 }
 // tokenFingerprint returns the first 16 hex chars of SHA-256 hash of a token/secret.
 // Used for safe logging correlation without leaking sensitive values.
 func tokenFingerprint(tok string) string {
 	if tok == "" {
 		return ""
 	}
 	sum := sha256.Sum256([]byte(tok))
 	return hex.EncodeToString(sum[:8]) // 16 hex chars = 8 bytes
 }