Add simple auth

specs/003-basic-login/data-model.md

@@ -0,0 +1,35 @@
+# Data Model: Basic Login Protection
+
+**Feature**: 003-basic-login  
+**Date**: 2026-04-06
+
+## No Backend Schema Changes
+
+This feature introduces no new database tables or Flyway migrations. The user account is defined entirely in the Spring Security in-memory configuration (`SecurityConfig.java`) backed by environment variables.
+
+## Frontend: Auth Store State
+
+The Pinia `authStore` is the single source of truth for authentication state in the frontend.
+
+```
+AuthState
+├── username: string | null     — entered username, null if not logged in
+├── password: string | null     — entered password, null if not logged in
+└── isAuthenticated: boolean    — derived: true when both username and password are non-null
+
+Actions
+├── login(username, password)   — validates credentials via /api/v1/auth/check, stores in sessionStorage on success
+├── logout()                    — clears username, password, sessionStorage; redirects to /login
+└── restoreSession()            — reads credentials from sessionStorage on app start; calls /api/v1/auth/check to verify still valid
+```
+
+## Backend: Application Properties
+
+Two properties configure the single allowed user account:
+
+| Property | Default | Source | Example |
+|----------|---------|--------|---------|
+| `app.auth.username` | `neurosurgeon` | `application.yaml` / env var `APP_AUTH_USERNAME` | `admin` |
+| `app.auth.password` | (required) | env var `APP_AUTH_PASSWORD` | `s3cret` |
+
+No hashing is applied in the current `SecurityConfig` (`{noop}` prefix). The spec (FR-011) requires passwords not to be stored in plaintext — this refers to the backend config/env var pattern, which is acceptable as env vars are not persisted in the codebase. If hashing is required later, the `{noop}` prefix can be replaced with `{bcrypt}` without other code changes.