diff --git a/AUDIT-AUTH.md b/AUDIT-AUTH.md new file mode 100644 index 0000000..67b5224 --- /dev/null +++ b/AUDIT-AUTH.md @@ -0,0 +1,33 @@ +# Security Audit: Authentication & Authorization + +## Executive Summary + +The security audit of authentication and authorization mechanisms for the Poindexter repository has been completed. The investigation concludes that the codebase is a Go library providing data structures and algorithms, specifically k-d trees and sorting utilities. It does not contain any user-facing application, authentication flows, authorization logic, or session management. Therefore, the requested audit categories are not applicable. + +## Scope of Review + +The audit was initiated to assess the following areas: +- **Authentication:** Password handling, session management, token security, and multi-factor authentication. +- **Authorization:** Access control models, permission checks, privilege escalation vulnerabilities, and API protection. + +## Findings + +A thorough review of the codebase was conducted, including but not limited to the following files: +- `README.md` +- `poindexter.go` +- `kdtree.go` +- `CLAUDE.md` +- `npm/poindexter-wasm/smoke.mjs` +- `wasm/main.go` +- `go.mod` + +The analysis of these files confirms that the repository contains a library and not a service or application. There are no functions or modules related to: +- User registration or login +- Password hashing or storage +- Session or token generation +- Access control lists (ACLs), role-based access control (RBAC), or other authorization models +- API endpoints requiring protection + +## Conclusion + +The Poindexter library, by its nature, does not handle authentication or authorization. As such, there are no vulnerabilities to report in these areas. The audit is concluded as not applicable.
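Review bot: The "Findings" section says the review covered files "including but not limited to" the seven listed, which leaves the "not applicable" conclusion unverifiable; either enumerate every file inspected or state how coverage was established (for example that the whole tree was walked and searched for login, session, token, password, ACL and RBAC symbols), and record the commit or tag that was audited so the result can be tied to a specific revision. Two of the listed files, `wasm/main.go` and `npm/poindexter-wasm/smoke.mjs`, show that the project is also distributed as a WASM build and an npm package, so the bullet "API endpoints requiring protection" should say explicitly that it means network-facing endpoints and that the exported JS/WASM library API was considered and is in scope of the same conclusion. The "Conclusion" would also benefit from a one-line trigger for re-review, such as the addition of any HTTP handler, CLI login, or credential-handling code, since the finding rests entirely on the repository remaining a pure library.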