Why: Ship the feature dark behind config so it is reversible by env flag (per the reversible-risky-changes rule), and document how to enable + canary.
Done when:
- Add
@ConfigurationProperties SsoSessionProperties + application*.yml keys app.auth.sso-session.enabled: false, app.auth.sso-session.max-age: PT8H. Update SSO_APP_LAUNCHER_DESIGN.md ('Phase 1: done') + the api CLAUDE.md operator note (how to enable + canary plan).
./mvnw -T 2C test green.
Security acceptance (must hold before any canary): flag OFF = byte-for-byte today's behavior; forged/expired cookie never mints; step-up tenants never silently bypassed; minted tokens keep pairwise sub + real tenant_id; every silent mint audited; prompt=none with no session → login_required. Rollout: dark → staging → canary one tenant (Marmara) → broad.
source: docs/SSO_APP_LAUNCHER_PHASE1_PLAN.md:89
Migrated from docs/SSO_APP_LAUNCHER_PHASE1_PLAN.md (git history retains the original).
Why: Ship the feature dark behind config so it is reversible by env flag (per the reversible-risky-changes rule), and document how to enable + canary.
Done when:
@ConfigurationPropertiesSsoSessionProperties +application*.ymlkeysapp.auth.sso-session.enabled: false,app.auth.sso-session.max-age: PT8H. Update SSO_APP_LAUNCHER_DESIGN.md ('Phase 1: done') + the api CLAUDE.md operator note (how to enable + canary plan)../mvnw -T 2C testgreen.Security acceptance (must hold before any canary): flag OFF = byte-for-byte today's behavior; forged/expired cookie never mints; step-up tenants never silently bypassed; minted tokens keep pairwise sub + real tenant_id; every silent mint audited; prompt=none with no session → login_required. Rollout: dark → staging → canary one tenant (Marmara) → broad.
source: docs/SSO_APP_LAUNCHER_PHASE1_PLAN.md:89
Migrated from
docs/SSO_APP_LAUNCHER_PHASE1_PLAN.md(git history retains the original).