CRITICAL: Karakos Dashboard Authentication Bypass via Static Session Cookie
A critical security vulnerability in the Karakos dashboard allows complete authentication bypass. The flaw stems from a hardcoded, static session cookie value: the server treats the mere presence of a fixed, publicly known cookie as proof of a successful login. Because the value never changes and is not derived from any server-side secret, anyone can set the cookie themselves and gain full administrative access without ever presenting valid credentials. This exposes the entire dashboard and the sensitive data behind it to unauthenticated actors.
The vulnerability is located in the `dashboard/app/api/auth/route.ts` file. The session cookie is set to a static string: `karakos_session=authenticated`. As demonstrated in the proof-of-concept, a user can simply execute `document.cookie = "karakos_session=authenticated";` in a browser's developer console and then navigate to the dashboard to bypass all login protections. The browser console is only a convenience here: any HTTP client that sends the same `Cookie` header is accepted, so the login endpoint need never be contacted at all. Successful bypass grants access to sensitive household information, device control systems, full system configuration panels, and stored API keys and secrets.
The static cookie represents a fundamental failure in session management, creating a trivial path for unauthorized access. The recommended fix is to replace the hardcoded value with cryptographically signed session tokens, such as JWT or HMAC-based tokens, using a server-side secret. For the fix to actually close the hole, the token must be issued only after a successful credential check, must carry an expiry and a per-session random component so that it cannot be replayed indefinitely, and must be verified with a constant-time comparison of the signature. The signing secret must live outside the repository (environment variable or secret store); a secret committed alongside the code would merely move the static value one step sideways. If JWT is chosen, the accepted algorithm should be pinned on the server so that unsigned or downgraded tokens are rejected. The cookie itself should be set with the `HttpOnly`, `Secure` and `SameSite` attributes. Until this is implemented, the entire Karakos platform remains vulnerable to complete compromise by any user with basic web knowledge.
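The following TypeScript is an added illustration written for this advisory; it is not code from the Karakos repository. It places the static-cookie check described above beside a hardened replacement built on an HMAC-SHA256 signed token with an expiry and random nonce, verified in constant time, and shows the `Set-Cookie` attributes the login route should emit. The function names, the `SessionClaims` shape, the token encoding (`base64url(payload).base64url(signature)`) and the injectable clock are assumptions made for the example; the cookie name `karakos_session` and the static value `authenticated` are the ones reported in the advisory.

```typescript
import { createHmac, randomBytes, timingSafeEqual } from "node:crypto";

const COOKIE_NAME = "karakos_session";

// Minimal Cookie-header parser: "a=1; b=2" -> { a: "1", b: "2" }.
export function parseCookies(header: string | null | undefined): Record<string, string> {
  const out: Record<string, string> = {};
  for (const part of (header ?? "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = part.slice(idx + 1).trim();
  }
  return out;
}

// --- Vulnerable pattern described in the advisory: a fixed, guessable cookie value ---
export const STATIC_VALUE = "authenticated";
export function isAuthenticatedVulnerable(cookieHeader: string | null): boolean {
  // Whoever sends "karakos_session=authenticated" is treated as logged in.
  return parseCookies(cookieHeader)[COOKIE_NAME] === STATIC_VALUE;
}

// --- Hardened pattern (example design, not the project's): signed, expiring session token ---
export interface SessionClaims { sub: string; iat: number; exp: number; nonce: string }

function sign(secret: Buffer, payloadB64: string): string {
  return createHmac("sha256", secret).update(payloadB64).digest("base64url");
}

// Call this only after credentials have been verified (that step is outside this example).
// `nowMs` is injectable so the expiry logic can be tested deterministically.
export function issueSession(secret: Buffer, userId: string, ttlSeconds: number, nowMs = Date.now()): string {
  const iat = Math.floor(nowMs / 1000);
  const claims: SessionClaims = {
    sub: userId,
    iat,
    exp: iat + ttlSeconds,
    nonce: randomBytes(16).toString("base64url"), // every issued token is unique
  };
  const payload = Buffer.from(JSON.stringify(claims)).toString("base64url");
  return `${payload}.${sign(secret, payload)}`;
}

// Returns the claims when the signature matches and the token is unexpired; otherwise null.
export function verifySession(secret: Buffer, token: string | undefined, nowMs = Date.now()): SessionClaims | null {
  if (!token) return null;
  const parts = token.split(".");
  if (parts.length !== 2) return null;
  const [payload, sig] = parts;
  const expected = Buffer.from(sign(secret, payload));
  const given = Buffer.from(sig);
  // Constant-time compare; the length check comes first because timingSafeEqual throws on mismatch.
  if (expected.length !== given.length || !timingSafeEqual(expected, given)) return null;
  let claims: SessionClaims;
  try {
    claims = JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
  } catch (err) {
    return null;
  }
  if (typeof claims.sub !== "string" || typeof claims.exp !== "number") return null;
  if (claims.exp * 1000 <= nowMs) return null; // expired
  return claims;
}

export function isAuthenticatedHardened(secret: Buffer, cookieHeader: string | null, nowMs = Date.now()): boolean {
  return verifySession(secret, parseCookies(cookieHeader)[COOKIE_NAME], nowMs) !== null;
}

// Set-Cookie value the login route should emit: unreadable by page scripts, HTTPS-only, CSRF-resistant.
export function sessionSetCookie(token: string, ttlSeconds: number): string {
  return `${COOKIE_NAME}=${token}; Path=/; HttpOnly; Secure; SameSite=Strict; Max-Age=${ttlSeconds}`;
}
```

With the hardened functions, the proof-of-concept cookie `karakos_session=authenticated` is rejected because it carries no valid signature, a token whose payload is edited after issuance fails the HMAC check, and a genuine token stops working once its `exp` has passed. The secret passed to `issueSession` and `verifySession` is meant to come from the environment or a secret store at runtime, never from a constant in the source tree.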