azure-ad-sso-deferred-local-auth-is-v1
Azure AD SSO is deferred from R-Same v1 because Runwal’s Active Directory infrastructure work is incomplete. v1 uses local auth: argon2id (time=3, mem=64MB, par=4 per OWASP 2024), TOTP MFA mandatory via pyotp, JWT 15min access + 7d opaque refresh in HttpOnly cookies, admin-only user provisioning. Migration path when AD is ready: dual-mode → per-user email-match → deprecate local. Stub interfaces are present in v1.