The Errors section of specs/api/auth.md lists `oauth_state_mismatch` and `oauth_session_invalid` as `401 unauthenticated` responses, while `github_unreachable` and `email_unverified` are documented as `502`/`403` with explicit redirect to `/login?error=`.
The github-oauth plan adopts the redirect strategy uniformly: every failure mode in the browser OAuth callback redirects to `/login?error=`. That matches specs/screens/login.md which expects `?error=` rendering, and is what makes sense for a callback the browser hits directly.
Should the spec be updated to:
- list every OAuth error as 'redirect with `?error=`' (the actual user experience), and
- reserve the bare-status-code shape for non-browser callers (e.g., if the API ever exposes the same flow to a CLI client)?
Filed in the github-oauth closeout — non-blocking for that plan, but worth a small spec edit.
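
Added example, not part of the original issue or the project's code: one way the proposed split could look, with browser callers always redirected to `/login?error=` and non-browser callers given the bare status code from the Errors section. Assumptions: the query value is the error code itself, the redirect is a `302`, callers are told apart by the `Accept` header, and `callback_failure` and the `oauth_failed` fallback are hypothetical names.

```python
from urllib.parse import urlencode

# Status codes the spec's Errors section assigns to each OAuth failure,
# as quoted in the issue text above.
OAUTH_ERRORS = {
    "oauth_state_mismatch": 401,
    "oauth_session_invalid": 401,
    "github_unreachable": 502,
    "email_unverified": 403,
}
FALLBACK_ERROR = "oauth_failed"  # hypothetical catch-all code, not in the spec


def callback_failure(error, accept="text/html"):
    """Return (status, headers, body) for a failed OAuth callback.

    Browser callers are redirected to /login?error=<code>; callers that ask
    only for JSON get the bare status code. Only known codes are reflected
    into the redirect, so the query string never carries caller-chosen text.
    """
    code = error if error in OAUTH_ERRORS else FALLBACK_ERROR
    wants_json = "application/json" in accept and "text/html" not in accept
    if wants_json:
        # 500 for the fallback code is an assumption of this example.
        status = OAUTH_ERRORS.get(code, 500)
        return status, {"Content-Type": "application/json"}, {"error": code}
    location = "/login?" + urlencode({"error": code})
    # 302 is an assumption; the issue does not name the redirect status.
    return 302, {"Location": location, "Cache-Control": "no-store"}, None
```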