docs(l4d2-web): update auth contract

docs/superpowers/plans/2026-04-23-l4d2-web-app-v1.md

@@ -13,7 +13,7 @@
 ## Scope and Constraints
 
 - In scope:
-  - public signup/login
+  - local username/password login; public signup removed by the 2026-05-06 auth-pages follow-up
   - one-time CLI admin promotion
   - admin-managed overlay catalog
   - user-private blueprints with ordered overlays
@@ -277,9 +277,9 @@ git commit -m "feat(l4d2-web): add sqlite schema including blueprints and job lo
 - [ ] **Step 1: Write failing auth tests**
 
 ```python
-def test_public_signup(client):
+def test_signup_routes_are_gone(client):
-    r = client.post("/signup", data={"username": "alice", "password": "secret"})
+    assert client.get("/signup").status_code == 404
-    assert r.status_code == 302
+    assert client.post("/signup", data={"username": "alice", "password": "secret"}).status_code == 404
 
 
 def test_login_sets_session(client, seed_user):
@@ -329,7 +329,7 @@ Expected: PASS.
 
 ```bash
 git add l4d2web/{auth.py,cli.py,app.py} l4d2web/routes/auth_routes.py l4d2web/tests/test_auth.py
-git commit -m "feat(l4d2-web): add public auth and admin bootstrap command"
+git commit -m "feat(l4d2-web): add local auth and admin bootstrap command"
 ```
 
 ### Task 4: Implement admin overlay catalog CRUD with path safety

l4d2web/README.md

@@ -4,7 +4,7 @@ Flask web app for managing L4D2 servers through user-private blueprints.
 
 ## Key v1 behaviors
 
-- Public signup/login with local username/password
+- Local username/password login; no public signup
 - Admin-managed overlay catalog
 - Private blueprints per user
 - Server creation from blueprints (live-linked; no per-server blueprint overrides)
@@ -17,7 +17,7 @@ Flask web app for managing L4D2 servers through user-private blueprints.
 - Server-rendered templates (Jinja)
 - Vendored HTMX (`static/vendor/htmx.min.js`)
 - Custom CSS only
-- Consistent link color: `#0F766E`
+- Tokenized, consistent link and accent colors
 
 ## Development