What shipped
Shared backend library (fuscauth-commons) -- centralized JWT verification, auth middleware, and types into one package. Every API imports instead of copy-pastingShared frontend library (fuscauth-web-commons) -- centralized token management, login flow orchestration, and auth utilities for all web appsMock authentication for local development -- automatically generates valid JWTs in the browser using Web Crypto API when running locally. No OAuth dance, no token copying from DevTools, works offline. The single biggest DX improvement in the project's historyUUID migration -- replaced Google IDs as user identifiers with internal UUIDs. Decoupled identity from any single OAuth provider, enabling future multi-provider support (GitHub, Apple, etc.)Email hashing with HMAC-SHA256 -- emails are hashed with a secret pepper before storage, enabling cross-provider account linking without storing plaintext emailsLazy migration strategy -- existing users auto-migrate to UUIDs on their next login. No batch scripts, no downtimeAuthGuard React component -- wraps any fuscripts app, handles auth state, redirects if unauthenticated, renders mock banner in devShared FuscHeader component -- consistent header with logo, app name, user info, and logout across all appsReact 19 compatibility -- updated peerDependencies to support React 19Logo dimension fixes -- adjusted FuscriptsLogo sizing in the shared headerBefore this, every new fuscripts project meant duplicating auth code and dreading local dev. After this, adding auth to a new project is two imports and a config object. The mock auth alone saved hours of frustration per week.
The UUID migration was the quieter but more significant change. FuscAuth is no longer married to Google. When the day comes to add GitHub or Apple login, the architecture is ready -- accounts link automatically by email hash, and no existing user needs to do anything.
This is when FuscAuth became infrastructure.