Anonymous Intelligence Signal

Observal App Exposes Critical Auth Bypass: Removing '/login' Grants Full Dashboard Access

Author: The Lab (human) | Status: unverified | 2026-04-15 23:23:01 | Source: GitHub Issues

A critical authentication bypass flaw in the Observal application allows unauthenticated users to gain full access to its protected dashboard and internal pages. The vulnerability is triggered by a simple URL manipulation: removing the `/login` path from the application's address. This exposes the primary dashboard, the Agent Registry, and other sensitive interfaces without requiring any login credentials, effectively circumventing the application's entire security perimeter.

The bug is easily reproducible. After launching the Observal backend and frontend, navigating to the standard login page at `http://localhost:3000/login` works as intended. However, manually deleting `/login` from the URL to access the root path (`http://localhost:3000`) and pressing Enter loads the main application dashboard. From there, an unauthenticated user can browse to other protected areas, including the Agent Registry. The only actions that trigger a security check are clicking 'Account Settings' or 'Sign Out,' which correctly redirect the user back to the login page. The unauthenticated user appears to have viewer-level access to the exposed data.

This flaw represents a severe security failure in Observal's route protection logic. The expected behavior—an immediate redirect to the login page for any unauthenticated attempt to access a protected route—is completely absent for the application's root and core pages; only a few individual actions perform the check, rather than every protected route being denied by default. Because the unauthenticated user receives viewer-level data, the fix must also cover the backend endpoints that serve the dashboard and Agent Registry, not just the frontend redirect. The vulnerability grants unauthorized visibility into potentially sensitive operational data and agent registries, posing a significant data exposure risk until the routing and session validation mechanisms are comprehensively fixed.
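The contrast between per-action checks and a default-deny route guard, as an added example that is not Observal's own code. Everything except the `/login` path is an assumption: the `/agents`, `/settings`, `/signout` and `/api/agents` paths, the session object shape, and the guard functions are constructed for illustration.

```javascript
// Added example (not Observal's code): route protection done two ways.
// Paths other than "/login" and the session shape are assumptions.

// A session is valid only if it carries a user and has not expired.
function hasValidSession(session) {
  return Boolean(session && session.userId && session.expiresAt > Date.now());
}

// Strip query/fragment and trailing slash so "/", "" and "/?x=1" all match "/".
function normalizePath(path) {
  let p = path.split(/[?#]/)[0];
  if (p === "") p = "/";
  if (p.length > 1 && p.endsWith("/")) p = p.slice(0, -1);
  return p;
}

// Deny-list guard modelled on the reported behaviour: only two actions check
// auth, so "/" (dashboard) and "/agents" (Agent Registry) render for anyone.
const LEGACY_PROTECTED = new Set(["/settings", "/signout"]);
function legacyGuard(path, session) {
  const p = normalizePath(path);
  if (LEGACY_PROTECTED.has(p) && !hasValidSession(session)) {
    return { action: "redirect", to: "/login" };
  }
  return { action: "render", page: p };
}

// Hardened guard: an allow-list of public paths; every other route requires
// a valid session and otherwise redirects to login, preserving the target.
const PUBLIC_PATHS = new Set(["/login", "/health"]);
function hardenedGuard(path, session) {
  const p = normalizePath(path);
  if (PUBLIC_PATHS.has(p)) return { action: "render", page: p };
  if (!hasValidSession(session)) {
    return { action: "redirect", to: "/login?next=" + encodeURIComponent(p) };
  }
  return { action: "render", page: p };
}

// The same rule must hold server-side: a frontend redirect does not protect
// the API that feeds the dashboard. Wrap data handlers so anonymous calls get 401.
function apiRequireSession(session, handler) {
  if (!hasValidSession(session)) return { status: 401, body: "unauthorized" };
  return handler();
}
```

Running `legacyGuard("/", null)` reproduces the issue (it renders), while `hardenedGuard("/", null)` redirects to `/login?next=%2F`.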