Cursor + Claude: stop shipping broken auth flows

I use Cursor + Claude to generate auth code, then I try to break it. I run a tiny Node script to fuzz cookies + headers. I lock session handling into one file. No scattered reads. I add 3 tests that catch 80% of my dumb mistakes. Context I ship small SaaS apps. Usually fast. Usually solo. Auth is where I bleed time. Not because OAuth is hard. Because I miss boring edge cases. Cursor + Claude help me write the first draft. Fast. But the first draft lies. It’ll “work” in the happy path. Then I open a second tab, log out, and something still looks logged in. Spent 4 hours last month on a “random logout” bug. Most of it was wrong. The root cause: I was reading the session in 3 different places, each with slightly different assumptions. So I switched to a workflow: generate → centralize → fuzz → test. Same steps every time. 1) I force all session reads through one function If I read cookies in five files, I’m done. One module. One exported function. Everything else calls that. In Next.js Ap