{
  "contract_id": "FAMILYCASE-AUTH-PROVIDER-ROUTING-001",
  "version": "2026-06-06",
  "owner": "FamilyCase.AI Security, Engineering, Product, Platform, Support, and DevOps",
  "status": "pending_auth_cutover",
  "objective": "Define login, sign-up, authentication-provider routing, access-control, session, audit, provisioning, and production approval requirements for FamilyCase.AI public website launch.",
  "required_auth_destinations": [
    "approved login route or identity provider URL",
    "approved sign-up route or trial workflow URL",
    "approved logout route",
    "approved passwordless or SSO workflow",
    "approved MFA enrollment workflow",
    "approved tenant provisioning workflow",
    "approved support escalation path",
    "approved rollback or account-disablement workflow"
  ],
  "provider_route_inventory": [
    {
      "name": "login",
      "marketing_path": "/login/",
      "approved_provider_route_env": "VITE_AUTH_PROVIDER_URL",
      "required_scheme": "https",
      "approval_owner": "Security and Engineering",
      "production_status": "blocked_pending_approved_provider_route"
    },
    {
      "name": "signup",
      "marketing_path": "/signup/",
      "approved_provider_route_env": "VITE_SIGNUP_PROVIDER_URL",
      "required_scheme": "https",
      "approval_owner": "Security, Platform, and Engineering",
      "production_status": "blocked_pending_approved_provider_route"
    },
    {
      "name": "logout",
      "marketing_path": "/logout/",
      "approved_provider_route_env": "VITE_AUTH_LOGOUT_URL",
      "required_scheme": "https",
      "approval_owner": "Security and Engineering",
      "production_status": "blocked_pending_approved_provider_route"
    },
    {
      "name": "support_escalation",
      "marketing_path": "/support-incident-readiness/",
      "approved_provider_route_env": "VITE_AUTH_SUPPORT_ESCALATION_URL",
      "required_scheme": "https",
      "approval_owner": "Support, Security, and Engineering",
      "production_status": "blocked_pending_approved_support_route"
    }
  ],
  "callback_allowlist_requirements": [
    "familycase.ai production callback URL approved by Security and Engineering",
    "www.familycase.ai callback behavior approved or explicitly disabled",
    "app.familycase.ai application callback URL approved by Security and Engineering",
    "localhost callback URLs disabled in production identity-provider configuration",
    "wildcard callbacks prohibited unless Security grants a documented exception"
  ],
  "cutover_smoke_commands": [
    "AUTH_PROVIDER_BASE_URL=<approved-provider-url> npm run auth:readiness && npm run verify:auth-readiness",
    "LIVE_SMOKE_BASE_URL=https://familycase.ai npm run smoke:live && npm run verify:live-smoke",
    "npm run verify:secrets && npm run verify:preview-boundaries"
  ],
  "access_control_requirements": [
    "Default-deny authorization is enforced by the platform service.",
    "MFA is required according to the approved security policy.",
    "RBAC is enforced before any matter or tenant access.",
    "Tenant isolation is verified before any case material access.",
    "Session duration, idle timeout, and revocation controls are approved.",
    "Admin approval workflow is required for privileged access.",
    "Email verification or approved identity verification is required before account activation.",
    "Audit logging records authentication, authorization, provisioning, and privileged access events."
  ],
  "website_routing_requirements": [
    "Marketing website may link to login and sign-up entry points only.",
    "Marketing website must not create accounts directly.",
    "Marketing website must not store credentials, auth tokens, API keys, or provider secrets.",
    "Login and sign-up routes must resolve or redirect to the approved auth provider before production launch.",
    "A Trial Started event may be recorded, provided it contains no sensitive credentials or case facts.",
    "Auth provider errors must route users to approved support or retry paths.",
    "Preview mode may use static login and sign-up explanation pages without provisioning side effects."
  ],
  "public_surface_readiness": [
    "Header exposes Sign In and Start Free Trial as distinct routes.",
    "Login and sign-up routes remain static readiness pages until approved auth provider cutover.",
    "Marketing code does not collect passwords, tokens, MFA codes, or account recovery secrets.",
    "Public copy identifies MFA, RBAC, tenant isolation, session controls, audit logging, and support escalation as production requirements.",
    "Production launch remains blocked until login route, sign-up route, MFA policy, RBAC, tenant isolation, session controls, and audit logging evidence are attached."
  ],
  "provisioning_requirements": [
    "Trial or customer provisioning is owned by approved platform services.",
    "Tenant membership is verified before access is granted.",
    "Billing or order-form state is verified where required.",
    "Support can disable or roll back account access.",
    "Provisioning failures are logged with correlation IDs and without secrets.",
    "No user can access case materials from a marketing-only sign-up form."
  ],
  "monitoring_requirements": [
    "Monitor login route availability.",
    "Monitor sign-up route availability.",
    "Monitor auth provider error rate.",
    "Monitor failed MFA and account activation flows.",
    "Monitor privileged access approval events.",
    "Monitor tenant provisioning failures.",
    "Alert Security, Engineering, Support, and DevOps on auth-route, MFA, RBAC, tenant, or provisioning failures."
  ],
  "production_launch_blockers": [
    "auth provider ownership evidence pending Security, Engineering, Product, and DevOps review",
    "login route evidence pending Security, Engineering, Product, and Support review",
    "sign-up route evidence pending Security, Engineering, Product, Platform, and Support review",
    "MFA policy evidence pending Security and Engineering review",
    "RBAC enforcement evidence pending Security and Engineering review",
    "tenant isolation evidence pending Security and Engineering review",
    "session controls evidence pending Security, Engineering, and Support review",
    "audit logging evidence pending Security, Engineering, DevOps, and Support review",
    "privileged approval workflow evidence pending Security, Engineering, and Support review",
    "support escalation path evidence pending Support, Security, and Engineering review",
    "marketing site found to create accounts directly",
    "evidence that no auth secrets are exposed to the browser pending Security, Engineering, Product, Platform, Support, and DevOps approval"
  ],
  "required_evidence": [
    "auth-provider-routing-contract.json reviewed",
    "auth-contract.json reviewed",
    "integration-readiness-contract.json reviewed",
    "security-contract.json reviewed",
    "data-processing-contract.json reviewed",
    "login route smoke test completed",
    "sign-up route smoke test completed",
    "MFA, RBAC, and tenant isolation smoke evidence attached",
    "post-deploy smoke checklist includes auth provider routing",
    "npm run validate passes"
  ]
}
