The login that let everyone in if you left the password blank.

if (user) { grantAccess() }. The agent fetched the user by email. On a blank password it still found the row. user was truthy. Access granted.

The test suite passed because the tests only ever sent valid passwords. The autopsy is not ’the AI was dumb.’ It’s that nobody specified the failure case, so nobody verified it.