9e595503b7
The auth-merge that landed on 2026-06-23 (14 commits, a25504b..39ae988) adds real auth: User/Session models, bcrypt, matrix_gate, AUTH_DISABLED, a login router, RBAC on every existing endpoint, and a RequireAuth guard on the React shell. But CLAUDE.md, docs/REQUIREMENTS.md, and docs/ARCHITECTURE.md (all added/updated on the css-reduction branch) still describe the pre-auth "no auth, local-only, single operator, single host" posture. The doc/code divergence is real and would confuse anyone reading the docs. This is the spec for SP24 — the alignment. It is intentionally a docs/skills-only SP: no schema, no role, no gate changes. The plan section enumerates the doc lines to update; the implementation step sweeps the markdown for residual "no auth" claims. Draft, awaiting user sign-off per the SP-N spec flow.