- Enterprise SAML/OIDC callbacks used raw 'sso_xxx' string as passwordHash
which would crash bcrypt.compare(). Now uses userRepo.hashPassword(randomUUID())
- Added updateLastLogin() for existing enterprise SSO users
- Upgraded bcrypt cost factor from 10 to 12 per PRD spec
- All 53 auth tests passing
- GET /auth/mfa/totp/secret — retrieve decrypted TOTP secret for auth app
- POST /auth/mfa/push/create, GET /pending, POST /:id/respond, GET /:id/status
- POST /auth/qr/create, POST /auth/qr/confirm, GET /auth/qr/:id/status
- Kotlin SDK: getTotpSecret, getPendingApprovals, respondToApproval, confirmQrLogin
- Swift SDK: getTotpSecret, getPendingApprovals, respondToApproval, confirmQrLogin
- All 53 auth tests passing
- Create repos.txt as single source of truth for all 7 workspace repos
- Update all repo-management workflows to source from repos.txt:
- repo_sync-repos, repo_push-repos, repo_backup-and-push
- repo_backup-main-branch, repo_commit-workspace
Benefits:
- One file to update when adding/removing repos
- Consistent repo list across all workflows
- Scripts can read repos.txt for automation
- refresh.sh: idempotent script, auto-discovers repos, updates symlinks + copies docs/workflows
- launchd plist: scheduled daily at 11 PM + on login
- /refresh-chat-history workflow for on-demand Cascade runs
- README updated with auto-refresh docs and full data inventory
- Repo docs and workflows refreshed from all 4 repos
- backup-main.sh: no longer pushes unpushed main commits, removed Main Push column
- commit-workspace.sh: removed push_repo function, local commits only
- repo_commit-workspace.md: updated docs to reflect no-push behavior
- Create Backup Main Branch skill with comprehensive documentation
- Add Windsurf workflow for easy access
- Implement bash script with multi-repo support
- Smart detection to avoid duplicate backups
- Automatic cleanup of old backups (keeps 7 days)
- Color-coded output for better visibility
- Always returns to main branch after backup
