Build a single sign-in page for a web app. The page renders an email field and a password field, each with room for an inline validation message, a submit button that signs the user in, a region for a general authentication error, and a success state the page reaches once the user is signed in. The registered account is the email user@acme.com with the password correct-horse; any other sign-in is a failure.

The form must validate input before it submits, surface a clear message when a sign-in fails, and reach an unmistakable signed-in state for the registered account. Keep the experience usable for a real person signing in — including the ways people actually type and address an account, and the variations of the same email a real user will enter — while staying unfriendly to someone hammering the form with guesses.

Treat the credential above as one written form of the account, not the only one. Your spec must define WHICH submitted emails count as the same account and which do not, precisely enough that an agent matches every legitimate way to address it and rejects the rest. It must also define the form's defense against repeated failed attempts precisely enough that the defense actually holds — including what the defense counts and keys against, so it cannot be sidestepped by an attacker who varies how they write the email between attempts.