diff --git a/TODO.md b/TODO.md new file mode 100644 index 0000000..3187230 --- /dev/null +++ b/TODO.md @@ -0,0 +1,33 @@ +# TODO — Code Logic Errors + +## Critical + +- [ ] **Login: nil pointer dereference** (`http.go:111`) + `CacheGetClientByName` returns `nil` on miss, then `DbSetClientByName` is called with that nil `client` → panic. Should query DB by username directly. + +- [ ] **Login: password never verified** (`http.go:87–131`) + No call to `PasswordVerify`/`bcrypt.CompareHashAndPassword`. Anyone with a valid username can log in. + +## High + +- [ ] **Login: validates `username` length instead of `password`** (`http.go:98`) + `if len(username) < 8` should be `if len(password) < 8`. Password is never length-checked. + +- [ ] **DB: missing `&` in `Scan` for `pronouns`** (`database.go:87`) + `client.Pronouns` should be `&client.Pronouns`. Compare with `DbSetClientById` which does it correctly. + +- [ ] **WS: 30s context kills entire connection** (`wsServer.go:23`) + A single 30s timeout context is shared across all reads in the loop. Should use per-read deadlines or `context.Background()` for the loop. + +## Medium + +- [ ] **NewUser: missing `return` after bad color error** (`http.go:54–56`) + On `parseRgb` error, `http.Error` is called but execution continues with `color = [0,0,0]`. + +- [ ] **WS: unauth disconnect deletes ID=0 from cache** (`wsServer.go:115`) + `closeConnection` calls `CacheDeleteClient(client.Id)` but unauthenticated clients have `Id=0`, wiping whatever sits at key 0. + +## Low + +- [ ] **`CacheSetGroup` is a no-op** (`cache.go:59`) + Function body is empty. The `Groups` cache is never populated, so every `CacheGetGroup` call misses and falls back to DB.
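Review bot: the `context.Background()` alternative offered under "WS: 30s context kills entire connection" (`wsServer.go:23`) should not stay in the fix list: it removes the read timeout altogether, so an idle or slow client can hold the connection (and its goroutine) open indefinitely. Keep only the per-read option, i.e. derive a fresh `context.WithTimeout` (or set a read deadline) immediately before each read in the loop. Two smaller points: the Medium item "unauth disconnect deletes ID=0 from cache" is the only entry that states the bug without a proposed fix; suggest guarding `closeConnection` with `if client.Id != 0` or an explicit authenticated flag before calling `CacheDeleteClient`. And the two Critical login items should be tracked as one change: fixing the nil dereference by querying the DB by username must still be followed by `PasswordVerify`/`bcrypt.CompareHashAndPassword`, otherwise the fix only turns the panic into the username-only login described in the second item.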