Severity: low
Category: Functional
The /setup page renders its full form even when an account already exists (needsSetup: false). The redirect in +layout.svelte only guards authenticated users on public routes, not unauthenticated users on /setup when setup is complete.
Fix: Add a client-side check: if !auth.needsSetup && page.url.pathname === '/setup', redirect to /login.
Part of #73
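The redirect decision described in the fix, written as a pure function so it can be tested outside the layout. This is an added example, not the project's code: `auth.isAuthenticated`, the `PUBLIC_ROUTES` list and the `HOME` path are assumptions, and only `auth.needsSetup`, `/setup` and `/login` come from the issue.

```javascript
// Added example. Only auth.needsSetup, '/setup' and '/login' come from the
// issue; everything else is an assumption made for illustration.
const PUBLIC_ROUTES = ['/login', '/setup']; // assumed list of public routes
const HOME = '/';                           // assumed post-login landing page

// Tolerate a trailing slash in case the router does not normalise it,
// so '/setup/' is treated the same as '/setup'.
function normalizePath(pathname) {
  const trimmed = pathname.replace(/\/+$/, '');
  return trimmed === '' ? '/' : trimmed;
}

// Returns the path to redirect to, or null when the current page may render.
function resolveRedirect(auth, pathname) {
  const path = normalizePath(pathname);

  // Existing guard: authenticated users do not belong on public routes.
  // It runs first so an authenticated visitor to /setup is sent straight
  // to HOME instead of bouncing through /login.
  if (auth.isAuthenticated && PUBLIC_ROUTES.includes(path)) {
    return HOME;
  }

  // Guard from the issue: setup is complete, so /setup must not render
  // its form for an unauthenticated visitor.
  if (!auth.needsSetup && path === '/setup') {
    return '/login';
  }

  return null;
}
```

In `+layout.svelte` a non-null result would be passed to the navigation call. This only controls what the client renders; whether the setup endpoint itself rejects requests once an account exists is a separate server-side check.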