chore: add MVP planning backlog

backlog/tasks/task-3 - Add-Better-Auth-admin-authentication.md

@@ -0,0 +1,42 @@
+---
+id: TASK-3
+title: Add Better Auth admin authentication
+status: To Do
+assignee: []
+created_date: '2026-06-03 19:12'
+labels:
+  - mvp
+  - auth
+  - security
+dependencies:
+  - TASK-2
+references:
+  - PRD.md
+priority: high
+ordinal: 3000
+---
+
+## Description
+
+<!-- SECTION:DESCRIPTION:BEGIN -->
+Add the MVP authentication layer using Better Auth with Convex integration. The MVP is single-user focused: one admin user protects the dashboard while public audit pages remain accessible without login according to their publication status.
+<!-- SECTION:DESCRIPTION:END -->
+
+## Acceptance Criteria
+<!-- AC:BEGIN -->
+- [ ] #1 Better Auth is integrated with Convex and the Next.js app
+- [ ] #2 Email/password login protects all internal dashboard routes
+- [ ] #3 Public audit routes remain accessible without dashboard authentication
+- [ ] #4 Session handling survives refreshes and rejects unauthenticated dashboard access
+- [ ] #5 Password-change or admin-account maintenance path is available or explicitly documented for MVP operation
+<!-- AC:END -->
+
+## Implementation Plan
+
+<!-- SECTION:PLAN:BEGIN -->
+1. Install and configure Better Auth with Convex integration.
+2. Add login/logout flows using shadcn-compatible UI.
+3. Protect dashboard route groups with server-side/session checks.
+4. Keep public audit pages outside the protected route boundary.
+5. Test authenticated, unauthenticated, and logout flows.
+<!-- SECTION:PLAN:END -->