This example shows how to document a user flow in your PRODUCT_SPEC.md. Notice how it covers happy paths, sad paths, and constraints—giving the AI everything it needs to implement without guessing.
Happy path:
- User enters email on /login
- System sends magic link email
- User clicks link within 24 hours
- System creates session, redirects to /dashboard

Sad paths:
- Invalid email format → Show inline validation error
- Email send fails → Show error, suggest retry
- Link expired → Redirect to /login?error=expired
- Link already used → Redirect to /login?error=used

Constraints:
- Rate limit: 5 magic links per email per hour
- Rate limit: 10 magic links per IP per hour
- Token storage: SHA256 hash (never store plaintext)
- Session: HTTP-only cookie, 7-day expiry
When you give the AI this level of detail:
- No guessing about expiry times
- No inventing rate limits
- No "should I hash the token?" decisions
The spec is the source of truth. The AI implements; you verify it matches the spec.
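
To show what verifying against the spec can look like, here is an added example (not part of the original page) that implements the token rules above so each one can be checked by a test. The `MagicLinks` class, the in-memory dictionaries, the "invalid" error for unknown tokens, and checking "used" before "expired" are assumptions; the spec does not define them.

```python
import hashlib
import secrets

TOKEN_TTL = 24 * 3600          # spec: link must be clicked within 24 hours
EMAIL_LIMIT, IP_LIMIT = 5, 10  # spec: magic links per email / per IP, per hour
WINDOW = 3600                  # one hour, in seconds


class MagicLinks:
    """In-memory store (assumption); a real service would use a database."""

    def __init__(self):
        self.tokens = {}  # sha256(token) -> {"email", "expires", "used"}
        self.issued = {}  # ("email" | "ip", value) -> list of issue timestamps

    def _allow(self, key, limit, now):
        # Sliding window: keep only timestamps from the last hour.
        recent = [t for t in self.issued.get(key, []) if now - t < WINDOW]
        self.issued[key] = recent
        return len(recent) < limit

    def issue(self, email, ip, now):
        """Return the plaintext token to put in the email, or None if rate limited."""
        ekey, ikey = ("email", email.lower()), ("ip", ip)
        if not (self._allow(ekey, EMAIL_LIMIT, now) and self._allow(ikey, IP_LIMIT, now)):
            return None
        self.issued[ekey].append(now)
        self.issued[ikey].append(now)
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        # Only the hash is stored; the plaintext exists only in the emailed link.
        self.tokens[digest] = {"email": email.lower(), "expires": now + TOKEN_TTL, "used": False}
        return token

    def redeem(self, token, now):
        """Return (email, None) on success, or (None, error) for /login?error=<error>."""
        rec = self.tokens.get(hashlib.sha256(token.encode()).hexdigest())
        if rec is None:
            return None, "invalid"  # assumption: the spec does not name this case
        if rec["used"]:
            return None, "used"
        if now >= rec["expires"]:
            return None, "expired"
        rec["used"] = True  # single use: a second click hits the "used" branch
        return rec["email"], None
```

Passing `now` explicitly lets a test exercise the 24-hour and one-hour boundaries without waiting on a real clock.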