---
id: TASK-3
title: Add Better Auth admin authentication
status: To Do
assignee: []
created_date: '2026-06-03 19:12'
labels:
  - mvp
  - auth
  - security
dependencies:
  - TASK-2
references:
  - PRD.md
priority: high
ordinal: 3000
---

## Description

<!-- SECTION:DESCRIPTION:BEGIN -->
Add the MVP authentication layer using Better Auth with Convex integration. The MVP is single-user focused: one admin user protects the dashboard while public audit pages remain accessible without login according to their publication status.
<!-- SECTION:DESCRIPTION:END -->

## Acceptance Criteria
<!-- AC:BEGIN -->
- [ ] #1 Better Auth is integrated with Convex and the Next.js app
- [ ] #2 Email/password login protects all internal dashboard routes
- [ ] #3 Public audit routes remain accessible without dashboard authentication
- [ ] #4 Session handling survives refreshes and rejects unauthenticated dashboard access
- [ ] #5 Password-change or admin-account maintenance path is available or explicitly documented for MVP operation
<!-- AC:END -->

## Implementation Plan

<!-- SECTION:PLAN:BEGIN -->
1. Install and configure Better Auth with Convex integration.
2. Add login/logout flows using shadcn-compatible UI.
3. Protect dashboard route groups with server-side/session checks.
4. Keep public audit pages outside the protected route boundary.
5. Test authenticated, unauthenticated, and logout flows.
<!-- SECTION:PLAN:END -->