Select WorkOS as the identity provider for sv0-platform. Provides AuthKit (hosted login), enterprise SSO with self-serve Admin Portal, Directory Sync, and magic-link passwordless — free at evaluation scale, per-connection pricing at enterprise scale.
Lock the Azure compute landing zone for sv0-platform: westeurope, IaaS primitives only, Cloudflare Tunnel ingress (no public IPs / no Azure LB), HA prod fleet across two zones, ephemeral per-PR VMs, OIDC-federated TF auth, and a cloud-portability rule set that keeps the design migratable to AWS/GCP.
Operationalises ADR-022 §3 (Phase 3f) for the dev tier: the stable demo VM at dev-azure.securityv0.com deploys on every main CI success via Azure Run Command using a new tightly-scoped Entra app + OIDC federation from GitHub Actions. No SSH key in the deploy path. Hetzner stays warm as fallback during cutover (no behavior change on the Hetzner side). PR-preview ephemeral VMs are explicitly out of scope; the design for that surface is banked in [docs/infrastructure/azure-ephemeral-pr-previews-design.md](../../infrastructure/azure-ephemeral-pr-previews-design.md) for re-activation when triggered.
Four-PR plan to delete the personal-agent bridge, collapse three super-admin allowlists to one, and clean up the legacy authMiddleware + OIDC + redirect/cookie env duplications. Reduction-only — no new features. The plan is itself a simplification of an earlier six-step draft that mirrored the accretion pattern it was trying to fix.
Comprehensive catalog of all AWS non-human identity types, their authentication mechanisms, SecurityV0 entity mappings, ownership decay scenarios, and discovery APIs.
Deferred design for ephemeral Azure PR-preview VMs with a cap-of-3 hard-fail policy, deployment-stacks lifecycle, drift sweeper, and composite RBAC. NOT active infrastructure — the implementation work was cut from ADR-024 (2026-05-14) on the grounds that (a) Hetzner already runs PR previews and (b) no concrete trigger demands the move. This document preserves the design so it can be lifted into an active ADR when a trigger materialises (Hetzner OOM pattern, partner with concurrent-review load, regulatory data-residency requirement, etc.). Lives in docs/infrastructure/ alongside operational infra docs but is distinguishable by the `-design` filename suffix and `status: deferred` frontmatter.
Implementation plan for ADR-022: current Hetzner inventory, target Azure topology, five-phase migration sequencing, secrets delivery via Key Vault + Managed Identity, and the executable break-glass procedure for the case where TFC is unreachable.