Captures the decision to gate login UX on capabilities (no SaaS-mode flag), drop prompt=none from the primary OIDC flow per RFC 9700 §4.4, and keep ?local as the explicit admin-recovery escape hatch.

MFA enrollment / enforcement and password reset for local accounts are explicitly deferred and tracked in issue #154.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>