Developer-ready foundation.
API surfaces are organized by domain: `/api/auth/*`, `/api/orgs/*`, `/api/products/*`, `/api/downloads/*`, and `/api/audit/*`. Core authentication and tenant context are shared across the full stack.
Security defaults
Argon2id hashing, strict cookies, CSRF via Auth.js, CSP/HSTS headers, rate limiting.
Launch bridge
Short-lived signed launch token flow prepared for OIDC bridge into product domains.