Labels: stage-4, security, backend, architecture
Depends on: none
Acceptance Criteria:
- [ ] ADR document is merged with chosen auth flow and session strategy.
- [ ] Password hashing algorithm is explicitly defined.
- [ ] Session expiry and refresh behavior are defined.
- [ ] CSRF approach is defined for authenticated write endpoints.
- [ ] Threats and mitigations are listed for brute force, token theft, and replay.