[MAJOR]: This modal is never imported or rendered anywhere in the app, so none of the email-signup UI you added here is reachable—users still only seeLoginModal, leaving signup-by-email impossible. Please either wire this component into the same places that open the auth dialog (or merge its functionality intoLoginModal, which already acceptsstartInSignupMode) so the new flow can be accessed, otherwise drop the unused file to avoid shipping dead code.

[MAJOR]:SignupModal reimplements the entire OAuth + email signup experience (state, validation, success handling, etc.) that now also exists inLoginModal via the newstartInSignupMode prop. Having two separate components duplicating hundreds of lines of identical form logic guarantees that fixes (e.g., password validation, error copy, refresh behavior) will quickly drift. Please reuse the existing modal (e.g., by toggling signup mode or extracting a shared form hook/component) instead of maintaining a second copy.

[MAJOR]: These handlers build the Google/GitHub auth redirects manually, bypassing the centralizeduseAuth().login.google/github helpers that encapsulate endpoint URLs and error handling. If those endpoints or login side effects change, this modal will silently break while the rest of the app keeps working. Please call the context-provided login helpers here (or plumb them through props) so all OAuth entry points share the same source of truth.

[MAJOR]: This effect now unconditionally flipsloginModalCanClose tofalse whenever the initial auth check resolves unauthenticated, even if the user had manually opened the modal whileauthLoading was still true. In that scenario the dialog suddenly becomes non-dismissible (theonOpenChange guard refuses to close it becauseloginModalCanClose is false and the user isn’t authenticated), effectively trapping them until they hard-refresh. Please only disable closing when the modal was auto-opened (e.g., track anautoOpened flag or checkshowLoginModal before overridingloginModalCanClose) so user-initiated open/close flows still work.

[MAJOR]: The password visibility toggle is removed from the tab order by settingtabIndex={-1}, so keyboard users and screen readers cannot focus or activate it. Because the modal is intended to be accessible, every interactive control must be reachable via keyboard; otherwise users relying on keyboard/assistive tech cannot reveal their password, which breaks the form flow. Please allow the toggle buttons to receive focus (e.g., remove the negative tab index or set it to0) so they remain operable for all users.

[MEDIUM]: The newloginWithEmail/signupWithEmail flows effectively introduce a third auth provider (email), but the sharedUser interface that this service imports (from@/types/api) still hard-codesprovider to'google' | 'github'. As soon as the backend starts returning'email' through/auth-status, the runtime value no longer satisfies the declared type, so any code branching onuser.provider will either break type-checking or be forced to cast away safety. Please expandUser.provider (and any related discriminated unions) to include'email' so thatAuthStatus and every consumer stay type-correct.

[major] This new branch now treatsany failure fromensure_user_in_organizations() as “user already exists” and forces a409. When the helper returnssuccess = False because the graph DB or callback handler failed, we’ll still execute this block, tell the user their email is taken, and hide the real 5xx error. That makes triage impossible and forces users to retry endlessly even though the backend is down. We need to distinguish betweensuccess is False (return a 500/"Registration failed") and the legitsuccess=True/new_identity=False case before emitting this response.

[major] Returning "An account with this email already exists" along with a409 leaks whether a particular email has ever registered. Attackers can now enumerate valid accounts just by hitting/signup/email. The earlier implementation always returned a generic success payload, so this is a new information disclosure. Please respond with a generic error (e.g. “Registration failed”/400) even when the identity already exists, and surface the specific reason only in logs.

[medium] Both password-visibility toggle buttons are rendered withtabIndex={-1}, which removes them from the tab order entirely. Keyboard and assistive-technology users can no longer reach the control, violating WCAG 2.1.2/2.4.3. Please leave the default tab index (and ideally add anaria-label such as “Show password”) so the toggle is operable without a pointer.

[major] Now that the context exposeslogin.email/signup.email,refreshAuth() will eventually populateuser.provider with the literal'email'. Our sharedUser type (imported from@/types/api) still restrictsprovider to'google' | 'github', so this assignment will be rejected by TypeScript (or worse, forced toany) and anything narrowing on provider will never match the email case. Please extend theUser interface to include'email' (and update the client code accordingly) so the new auth path is representable.