---
description: Identity, authorization, and auditability
alwaysApply: true
---

Auth, permissions, and audit requirements.

## Identity and access

- Authentication is passwordless-first.
- Prefer support for:
  - magic links
  - OIDC
  - passkeys
- Roles and permissions are core architecture concerns and must not be deferred casually.

## Authorization

- Never assume all authenticated users have broad access.
- Design authorization around role-aware and context-aware access rules.
- Support evolving permission models without hard-coding simplistic assumptions.

## Auditability

- Important actions must be auditable.
- This includes at minimum:
  - deletions
  - updates to sensitive records
  - role/permission changes
  - financial changes
  - document-related changes where relevant
- Preserve historical traceability wherever practical.
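One way to realise the Authorization and Auditability rules above in code, as an added example that is not part of these rules or of any project they apply to: a deny-by-default check that combines role grants with resource context, wrapped so that the audited actions are recorded with before/after state. Role names, permission strings and the in-memory log are assumptions made for the example.

```python
from datetime import datetime, timezone
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Optional

# Role -> permissions. Names are assumptions for this example, not part of the rules.
ROLE_PERMISSIONS = {
    "viewer": {"record:read"},
    "editor": {"record:read", "record:update", "record:delete"},
    "admin": {"record:read", "record:update", "record:delete", "role:assign"},
}

@dataclass(frozen=True)
class Principal:
    user_id: str            # who authenticated (magic link, OIDC, passkey ...)
    roles: FrozenSet[str]   # what they may do is decided here, not by logging in

@dataclass(frozen=True)
class Resource:
    resource_id: str
    owner_id: str
    sensitive: bool = False

# Context rules refine a role grant with resource state; no grant means denied.
CONTEXT_RULES: Dict[str, Callable[[Principal, Resource], bool]] = {
    "record:update": lambda p, r: p.user_id == r.owner_id or "admin" in p.roles,
    "record:delete": lambda p, r: not r.sensitive or "admin" in p.roles,
}

def is_allowed(principal: Principal, action: str, resource: Resource) -> bool:
    """Deny by default: being authenticated grants nothing by itself."""
    granted = any(action in ROLE_PERMISSIONS.get(r, set()) for r in principal.roles)
    if not granted:
        return False
    rule = CONTEXT_RULES.get(action)
    return rule(principal, resource) if rule else True

AUDIT_LOG: List[dict] = []  # append-only stand-in for a real audit store

def audited(principal: Principal, action: str, resource: Resource,
            before: Optional[dict] = None, after: Optional[dict] = None) -> bool:
    """Authorize, then record the attempt (allowed or denied) with the
    before/after state so the change stays historically traceable."""
    allowed = is_allowed(principal, action, resource)
    AUDIT_LOG.append({
        "at": datetime.now(timezone.utc).isoformat(),
        "actor": principal.user_id, "action": action,
        "resource": resource.resource_id, "allowed": allowed,
        "before": before, "after": after if allowed else None,
    })
    return allowed
```

Denied attempts are logged as well, since a refused deletion of a sensitive record is itself a signal worth keeping.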