February - May 2025. The sheriff got a face, a front door, and better manners.
What shipped
- Project restructure -- moved existing backend code into an api/ folder, establishing the standard fuscripts project layout
- SvelteKit frontend -- built the login page from scratch. The Fusheriff finally had a home. Users could see where they were logging in and why
- API-frontend integration -- wired the backend OAuth flow to work with the new frontend callback handling
- PII minimization -- reduced the data requested from Google and stored in DynamoDB to the bare minimum. If we don't need it, we don't ask for it
- IAM tightening -- replaced the general AWS role with specific IAM permissions in serverless.yml. Principle of least privilege
- Login integration testing -- end-to-end verification that the full flow worked with client apps
- Token expiration set to 7 days -- landed on the sweet spot between convenience (not re-logging daily) and security (not staying valid forever)
- Dev script and documentation -- added local dev tooling and wrote a README with actually useful information

This was the leap from "it works in Postman" to "a real person can use this." The SvelteKit frontend gave FuscAuth its identity — the Fusheriff, the wild west theming, the personality that would define the entire fuscripts ecosystem.
Security posture improved significantly with PII minimization and proper IAM scoping. And with a 7-day token expiration, the balance between UX and security was set.
After this round, FuscAuth wasn't a proof of concept anymore. It was open for business.