Login surfaces still diverge at the identifier step: dashboard LoginPage calls /auth/login/begin (opens an MFA session, touches lockout) while hosted LoginMfaFlow calls /auth/login/preflight for the lone-password engine-ON case (no session, no lockout). Recommendation: canonicalize on /auth/login/preflight at the identifier step, creating the session at the first real factor submit. Session/lockout semantics decision — owner sign-off needed. (Source: docs/archive/LOGIN_PARITY_2026-06-01.md — only remaining 'STILL DIVERGENT' row; confirmed on HEAD in AuthRepository.ts:116/153 + LoginMfaFlow.tsx.)
Login surfaces still diverge at the identifier step: dashboard
LoginPagecalls/auth/login/begin(opens an MFA session, touches lockout) while hostedLoginMfaFlowcalls/auth/login/preflightfor the lone-password engine-ON case (no session, no lockout). Recommendation: canonicalize on/auth/login/preflightat the identifier step, creating the session at the first real factor submit. Session/lockout semantics decision — owner sign-off needed. (Source: docs/archive/LOGIN_PARITY_2026-06-01.md — only remaining 'STILL DIVERGENT' row; confirmed on HEAD in AuthRepository.ts:116/153 + LoginMfaFlow.tsx.)