Reference for how authentication, users, tenants, and per-tenant configuration work in sv0-platform. For the operational end-to-end flow, see [Authentication, end-to-end](../runbooks/authentication-end-to-end.md).
Adopt a B2B multi-tenant authentication architecture with an external identity provider as source of truth, URL-scoped tenants, SecurityV0 as its own organization, and cross-tenant super-admins via internal-org membership.
Four-PR plan to delete the personal-agent bridge, collapse three super-admin allowlists to one, and clean up the legacy authMiddleware + OIDC + redirect/cookie env duplications. Reduction-only — no new features. The plan is itself a simplification of an earlier six-step draft that mirrored the accretion pattern it was trying to fix.