r-same-azure-ad-sso-deferred-local-auth-v1
Azure AD SSO was deferred from v1 because Runwal’s Active Directory work was incomplete at decision time. v1 uses local auth: argon2id password hashing (time=3, mem=64MB, par=4), mandatory TOTP MFA, 15-minute JWT access tokens plus opaque 7-day refresh tokens stored as SHA-256 hashes in the DB, admin-only provisioning, and no signup. Azure AD stub interfaces exist in the codebase; the migration path is dual-mode → per-user email-match → deprecate local auth once AD is ready.
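The refresh-token handling described above, as an added sketch (not code from this project). The `RefreshTokenStore` class, the in-memory dict standing in for the DB table, and the 32-byte token length are assumptions; the 7-day lifetime and SHA-256-only storage come from the note.

```python
import hashlib
import secrets
import time

REFRESH_TTL_SECONDS = 7 * 24 * 3600  # 7-day refresh lifetime, from the note


class RefreshTokenStore:
    """In-memory stand-in for the DB table (hypothetical schema: digest -> row)."""

    def __init__(self, now=time.time):
        self._rows = {}   # sha256 hex digest -> {"user_id", "expires_at"}
        self._now = now   # injectable clock so expiry can be exercised

    @staticmethod
    def _digest(token: str) -> str:
        # A fast hash is sufficient here: the token is 256 bits of CSPRNG
        # output, so unlike a password it cannot be guessed offline.
        # "replace" keeps malformed input from raising; it can never match
        # an issued token because "?" is outside the urlsafe alphabet.
        return hashlib.sha256(token.encode("utf-8", "replace")).hexdigest()

    def issue(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)  # opaque: carries no claims
        self._rows[self._digest(token)] = {
            "user_id": user_id,
            "expires_at": self._now() + REFRESH_TTL_SECONDS,
        }
        return token  # the plaintext leaves the server exactly once

    def redeem(self, token: str):
        """Return the user_id for a live token, else None."""
        key = self._digest(token)
        row = self._rows.get(key)
        if row is None:
            return None
        if self._now() >= row["expires_at"]:
            del self._rows[key]  # purge the expired row
            return None
        return row["user_id"]

    def revoke(self, token: str) -> bool:
        """Delete the row for this token; True if one existed."""
        return self._rows.pop(self._digest(token), None) is not None

    def stored_values(self):
        """What a DB dump would expose: digests only, never tokens."""
        return list(self._rows)
```

Because only digests are persisted, a leaked table does not yield usable refresh tokens, and revocation is a single row delete.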