pequenas correções + doc update

apps/admin-web/lib/auth.ts

@@ -3,13 +3,12 @@ import Credentials from 'next-auth/providers/credentials';
 import { prisma } from '@repo/db';
 import { authenticateCredential } from '@repo/api';
 import type { SessionUser } from '@repo/api';
+import { env } from '../env';
 import { authConfig } from './auth.config';
 
-const AUTH_SECRET = process.env['AUTH_SECRET'];
-
 export const { handlers, auth, signIn, signOut } = NextAuth({
   ...authConfig,
-  secret: AUTH_SECRET,
+  secret: env.AUTH_SECRET,
   providers: [
     Credentials({
       name: 'Email + password',

apps/operator-pwa/lib/auth.ts

@@ -2,33 +2,30 @@ import NextAuth from 'next-auth';
 import Credentials from 'next-auth/providers/credentials';
 import { prisma } from '@repo/db';
 import { authenticateCredential } from '@repo/api';
-import type { SessionUser } from '@repo/api';  // eslint-disable-line @typescript-eslint/no-unused-vars
+import type { SessionUser } from '@repo/api';
 import { env } from '../env';
 import { authConfig } from './auth.config';
 
 /**
  * ============================================================================
- *  Auth.js v5 — PLACEHOLDER configuration for the scaffold phase.
+ *  Auth.js v5 — operator authentication (v0.2).
  * ============================================================================
  *
- *  The Credentials provider below accepts ANY email that exists in the User
- *  table (seeded by `pnpm db:seed`). NO PASSWORD CHECK is performed. This is
- *  deliberately minimal — just enough to populate the tRPC context with a real
- *  Auth.js session — and MUST be replaced with real authentication before any
- *  non-dev deployment.
+ *  The Credentials provider below verifies an operator's PIN against the
+ *  scrypt hash in User.passwordHash (via authenticateCredential, which also
+ *  enforces role and account lockout). Only OPERATOR users may sign in here.
  *
  *  Auto sign-in
  *  ------------
  *  See `resolveUser()` below. When AUTH_DEV_AUTOLOGIN=true, server-side code
- *  that has no session falls back to the seeded admin user. This is a back
- *  door and is gated by an explicit env flag whose default in .env.example is
- *  FALSE.
+ *  that has no session falls back to the seeded admin user. This is a dev/CI
+ *  back door, gated TWICE: by an explicit env flag (default FALSE in
+ *  .env.example) AND by NODE_ENV — it is IGNORED when NODE_ENV=production.
  *
  *      !!! NEVER set AUTH_DEV_AUTOLOGIN=true in production. !!!
  *
- *  In production with AUTH_DEV_AUTOLOGIN unset/false, requests without a
- *  signed Auth.js session resolve to user=null, and protectedProcedure throws
- *  401.
+ *  In production (or with the flag off), requests without a signed Auth.js
+ *  session resolve to user=null, and protectedProcedure throws 401.
  * ============================================================================
  */
 

docs/plans/auth-v0.2.md

@@ -1,6 +1,8 @@
 # Plano — Auth real v0.2 (pré-piloto)
 
-> Autor: Opus 4.8 (sessão de design, 2026-05-30). Destinado a implementação pelo Sonnet.
+> **ESTADO: IMPLEMENTADO (2026-05-30).** Os 8 passos foram concluídos e verificados (typecheck limpo, `scripts/auth-smoke.ts` 11/11, E2E do MAI CALL verde). Endurecimentos pré-piloto ainda diferidos (não-bugs): enumeração por timing, rate-limit por IP, prefixo `__Secure-` dos cookies, PINs/segredo de demo, HTTPS em produção. Ver §10 e a memory `project-phase`.
+>
+> Autor: Opus 4.8 (sessão de design, 2026-05-30). Implementado pelo Sonnet.
 > Pré-requisito: MAI CALL v0.1 completo (ver [`mai-call-v0.1.md`](./mai-call-v0.1.md)). Estado do código no momento do design verificado contra o repo.
 
 ## Objetivo numa frase