---
plan_version: "1.7"
source_findings:
  - 763d174e6c519fafbadcba5d1706708479e36e61
  - d2d0e27875ae9ef0d818cb08bb6f14e6d33c4232
  - 7861519c326c207aabf17072db51c469bebc217b
---

# Remediation Plan: JWT auth review findings

> Generated by trekplan v3.2.0 on 2026-05-01 — `plan_version: 1.7`.
>
> Synthetic fixture — Handover 6 SC3(b) structural test only.

## Context

This synthetic plan is consumed by `tests/lib/source-findings.test.mjs` to verify the structural contract of Handover 6: a plan generated from a `type: trekreview` brief carries a `source_findings:` block-style YAML list of 40-char hex IDs in its frontmatter. The IDs trace back to the consumed findings in `review.md`.

This is NOT a runnable plan. It exists only to exercise the parser.

## Implementation Plan

### Step 1: Fix `UNIMPLEMENTED_CRITERION` in `lib/handlers/login.mjs:23`

- **Files:** `lib/handlers/login.mjs`
- **Changes:** Return 401 with WWW-Authenticate header when password mismatch occurs.
- **Verify:** `node --test tests/handlers/login.test.mjs` → expected: pass.
- **Checkpoint:** `git commit -m "fix(auth): login returns 401 on invalid credentials"`
- **Manifest:**
  ```yaml
  manifest:
    expected_paths:
      - lib/handlers/login.mjs
    min_file_count: 1
    commit_message_pattern: "^fix\\(auth\\): login returns 401"
    bash_syntax_check: []
    forbidden_paths: []
    must_contain:
      - path: lib/handlers/login.mjs
        pattern: "401"
  ```
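The structural contract described under Context (a block-style `source_findings:` list of 40-char hex IDs in the frontmatter) can be checked with a small validator like the one below. This is an added example, not trekplan's parser or the code under `tests/lib/`; the function names, the lowercase-only hex rule, and the rejection of duplicate or empty lists are assumptions, and the sample IDs are constructed.

```javascript
// Added example: minimal validator for the `source_findings:` contract.
// Helper names are hypothetical; this is not trekplan's own parser.
const HEX40 = /^[0-9a-f]{40}$/; // assumption: lowercase hex, as in the plan above

function extractFrontmatter(markdown) {
  // Frontmatter must open on the first line and close with a second `---` line.
  const lines = markdown.split(/\r?\n/);
  if (lines[0] !== '---') return null;
  const end = lines.indexOf('---', 1);
  return end === -1 ? null : lines.slice(1, end);
}

function parseSourceFindings(markdown) {
  const fm = extractFrontmatter(markdown);
  if (fm === null) return { ids: [], errors: ['no frontmatter'] };
  const start = fm.findIndex((l) => /^source_findings:/.test(l));
  if (start === -1) return { ids: [], errors: ['source_findings missing'] };
  // Block style means nothing follows the key on its own line.
  if (fm[start].trim() !== 'source_findings:') {
    return { ids: [], errors: ['source_findings must be a block-style list'] };
  }
  const ids = [];
  const errors = [];
  for (const line of fm.slice(start + 1)) {
    const m = /^\s*-\s+(.*)$/.exec(line);
    if (!m) break; // first non-item line ends the list
    const id = m[1].trim().replace(/^["']|["']$/g, '');
    if (!HEX40.test(id)) errors.push(`not a 40-char hex ID: ${id}`);
    else if (ids.includes(id)) errors.push(`duplicate ID: ${id}`); // assumed policy
    else ids.push(id);
  }
  if (ids.length === 0 && errors.length === 0) errors.push('source_findings is empty');
  return { ids, errors };
}

// Constructed sample inputs (IDs are made up for this example).
const SAMPLE_OK = ['---', 'plan_version: "1.7"', 'source_findings:',
  '  - ' + 'a1'.repeat(20), '  - ' + 'b2'.repeat(20), '---', '# Plan'].join('\n');
const SAMPLE_BAD = ['---', 'source_findings:',
  '  - ' + 'a1'.repeat(20), '  - ' + 'a1'.repeat(20), '  - deadbeef', '---'].join('\n');
const SAMPLE_FLOW = ['---', 'source_findings: [' + 'a1'.repeat(20) + ']', '---'].join('\n');

console.log(parseSourceFindings(SAMPLE_OK));
console.log(parseSourceFindings(SAMPLE_BAD));
console.log(parseSourceFindings(SAMPLE_FLOW));
```

Rejecting malformed or duplicated IDs at parse time keeps a plan from claiming to remediate a finding that `review.md` never contained.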