updated MD files

AGENTS.md

@@ -11,7 +11,7 @@ Tech constraints:
 - ASP.NET Core Minimal API
 - Static HTML/CSS/JS (no Razor Pages, no Blazor, no HTMX)
 - SQLite via EF Core
-- Cookie-based anonymous identity (no accounts)
+- Username+Password identity (account stored in database)
 - Single active “session” (one room) unless extended later
 - Runs on IIS (Windows Server)
 
@@ -30,10 +30,6 @@ Also see the other related files: API.md, IIS.md, SPEC.md
   - Results phase: only aggregated totals are shown.
 - **Minimal moving parts**: prefer `Program.cs` + a few small files over frameworks.
 
-### “Ridiculously fast” bias
-- Prefer “ship a working MVP” over architecture purity.
-- Avoid introducing new dependencies unless they remove complexity.
-
 ---
 
 ## Repo Layout Target
@@ -53,21 +49,6 @@ Do not introduce MVC controllers, Razor Pages, Blazor, or SPA frameworks.
 
 ---
 
-## Implementation Checklist (Codex should follow this order)
-
-1. App boots and serves static files
-2. Cookie-based anonymous identity
-3. Phase gating (server-side)
-4. Suggest phase (blind input)
-5. Reveal phase (read-only)
-6. Vote phase (blind scoring)
-7. Results phase (aggregated leaderboard)
-8. Admin controls (phase switch, reset)
-9. Factory reset (clear all data including players) for fresh testing/deploy
-10. Suggest delete (players can delete their own suggestions during Suggest phase)
-
----
-
 ## Security Notes
 
 - Cookie must be HttpOnly and SameSite=Strict
@@ -81,5 +62,6 @@ Do not introduce MVC controllers, Razor Pages, Blazor, or SPA frameworks.
 - Implement API first, UI second
 - Keep changes small and testable
 - Prefer clarity over abstraction
+- Avoid introducing new dependencies unless they remove complexity.
 - After every iteration, do a git commit with a brief summary of the changes as a commit message.
 - Keep endpoint logic in `Endpoints/` and shared helpers/DTOs in their folders to avoid Program.cs bloat.

TASKS.md

@@ -1,10 +0,0 @@
-# CoopGameChooser Task List
-
-## Auth overhaul — username/password instead of random cookie
-- [x] Data model: add username + password hash/salt to `Player`, enforce unique username, update `AppDbContext` config and create an EF migration; ensure factory reset seeds stay valid.
-- [x] Cookie pipeline: refactor `UsePlayerIdentity` into a reader that only trusts existing `player` cookies; add helper to issue/clear the cookie after login/register while keeping HttpOnly/SameSite/Secure semantics.
-- [x] Auth endpoints: add `/api/auth/register`, `/api/auth/login`, `/api/auth/logout`; registration creates the player, sets the `player` cookie, and stores display name; login validates password and reissues cookie; logout clears cookie.
-- [x] Endpoint auth guard: replace `GetOrCreatePlayer` with a `GetAuthenticatedPlayer` helper that returns 401 when unauthenticated; update all suggest/vote/state endpoints to depend on an authenticated player without creating one implicitly.
-- [x] Frontend UX: add login/register screen shown when `/api/me` returns 401; on success hide auth pane, preload name, then refresh phase data; include a logout control to clear local state.
-- [x] Docs: update `API.md` (and `SPEC.md`) to document new auth flows, required auth for existing endpoints, and cookie token behavior.
-- [x] Ops/migration notes: generate/apply migration, legacy players auto-assigned `legacy-xxxxxxxx` usernames with blank hashes; expect fresh registration or factory reset; IIS/base-path unaffected.