diff --git a/.planning/phases/06-backend-authentication/06-CONTEXT.md b/.planning/phases/06-backend-authentication/06-CONTEXT.md
new file mode 100644
index 0000000..9869638
--- /dev/null
+++ b/.planning/phases/06-backend-authentication/06-CONTEXT.md
@@ -0,0 +1,67 @@
+# Phase 6: Backend Authentication - Context
+
+**Gathered:** 2026-02-04
+**Status:** Ready for planning
+
+
+## Phase Boundary
+
+Secure admin backend with user accounts and role-based access. Admin users can log in, manage sessions, reset passwords, and access is controlled through roles with plugin-registered permissions. Frontend user authentication is a separate phase (Core Plugins).
+
+
+
+
+## Implementation Decisions
+
+### Login Experience
+- Email/password authentication with optional TOTP 2FA
+- Generic error messages only ("Invalid email or password") - no hints about which field is wrong
+- Progressive lockout: 10 minutes after N failed attempts, 20 minutes after N*2, etc.
+- "Remember me" checkbox extends session duration significantly (weeks/months)
+
+### Session Behavior
+- Default session duration: 24 hours (without "Remember me")
+- No idle timeout - sessions only expire at their set duration
+- Unlimited concurrent sessions allowed per user
+- Users can view list of all active sessions and revoke any individually
+
+### Password Reset Flow
+- Password reset email includes context (IP address, location, request time)
+- After successful reset, redirect to login page (no auto-login)
+- All existing sessions terminated when password changes
+- Link expiry duration: Claude's discretion (based on security best practices)
+
+### Permission Model
+- WinterCMS-style plugin-registered permissions (e.g., `acme.plugin.model.update`, `acme.plugin.model.custom_action`)
+- Flat role structure - no inheritance between roles
+- Single role per user (not additive)
+- Default role: Super Admin only (additional roles created manually)
+
+### Claude's Discretion
+- Password reset link expiry duration
+- Exact lockout timing thresholds (what counts as N attempts)
+- 2FA implementation details (TOTP specifics, backup codes)
+- Session management UI design
+- Email template styling
+
+
+
+
+## Specific Ideas
+
+- Permission system should work like WinterCMS - plugins register their own permissions that are easy to use through the system
+- 2FA should be optional, not mandatory
+
+
+
+
+## Deferred Ideas
+
+None - discussion stayed within phase scope
+
+
+
+---
+
+*Phase: 06-backend-authentication*
+*Context gathered: 2026-02-04*
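Review bot: The "Progressive lockout" decision under "Login Experience" does not say what the failure counter is keyed on, and that choice decides whether the control is a denial-of-service vector. A counter keyed only on the account lets anyone who knows an admin email lock that admin out; a counter keyed only on the source IP does not cover attempts spread across many sources. Suggest stating the key explicitly (for example, a per-account counter combined with a per-IP counter, with the per-account limit being the larger of the two) and stating that the same counter covers failed TOTP verifications, since the "optional TOTP 2FA" line otherwise leaves the second factor outside the lockout. Two smaller gaps in the same hunk: the "Password Reset Flow" section should record that a reset link is single-use and is invalidated when a newer link is issued, not only that it expires (the expiry itself is already listed under "Claude's Discretion"); and "All existing sessions terminated when password changes" should say whether that includes "Remember me" tokens, since those are described as living for weeks or months and would otherwise outlast the password they were issued under.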