{
  "version": "2026-06-06",
  "owner": "FamilyCase.AI Security and Engineering",
  "auth_source_of_truth": "Approved production identity provider",
  "website_ownership_rule": "The website may link to the login and sign-up entry points, but authentication, authorization, tenant membership, MFA, billing, and provisioning logic must be owned by approved platform services; the static site must not implement or emulate any of these itself.",
  "entry_points": [
    {
      "name": "Login",
      "path": "/login/",
      "production_requirement": "Connect to the approved authentication provider before production launch; the page must not accept or process credentials on its own."
    },
    {
      "name": "Sign up",
      "path": "/signup/",
      "production_requirement": "Connect to the approved platform, CRM, authentication, provisioning, and billing workflows before production launch."
    }
  ],
  "required_controls": [
    "MFA",
    "RBAC",
    "tenant isolation",
    "session controls",
    "audit logging",
    "default deny authorization",
    "rate limiting",
    "bot protection",
    "email verification",
    "secure passwordless or SSO support",
    "admin approval workflow",
    "rollback and account disablement"
  ],
  "forbidden_behavior": [
    "Do not create accounts from the static website without approved authorization controls.",
    "Do not store credentials or long-lived tokens in browser storage (localStorage, sessionStorage, script-readable cookies) or in page source.",
    "Do not hardcode auth tokens, API keys, secrets, or provider credentials.",
    "Do not grant tenant access without verified tenant membership.",
    "Do not bypass or weaken MFA for privileged users.",
    "Do not provision access to case materials from a marketing-only form."
  ],
  "required_events": [
    "Trial Started",
    "Demo Booked"
  ]
}
