r-same-azure-ad-sso-deferred-local-auth-v1
Azure AD SSO is deferred to v1.5 because Runwal’s Active Directory infrastructure is not ready. v1 uses local auth only: argon2id password hashing, JWT in HttpOnly+Secure+SameSite=Lax cookies (15m access / 7d refresh), mandatory TOTP MFA at registration, slowapi rate limiting (5/min/IP login), 10-fail lockout for 15 minutes, admin-only provisioning (no self-signup). Stub SSO interfaces exist in code for future migration via dual-mode email-match strategy.
Related
- r-dash-azure-ad-deferred-local-auth-v1-stack
- r-dash-auth-amendment-local-auth-v1-azure-ad-sso-deferred
- clawteam-openclaw-multi-agent-swarm-evaluation
- 2026-04-04-oracle-001-self-architecture-analysis
- snowflake
- r-same-local-auth-v1-azure-ad-deferred
- r-same-auth-constant-time-generic-errors-required
- azure-ad-sso-deferred-local-auth-migration-path
- azure-ad-sso-deferred-local-auth-v1-stub-interfaces
- refresh-token-rotation-must-be-atomic-same-transaction
- r-same-local-auth-v1-azure-ad-sso-deferred
- r-same-azure-ad-sso-deferred-v1-local-auth-only
- azure-ad-sso-deferred-local-auth-is-v1