Add Auth & Portal Drift Guardrails - forbidden APIv1/Pterodactyl/CSRF/cookie patterns, enforce Portal→JWT→APIv2 flow

2025-12-28 22:28:40 +00:00 · 2025-12-28 22:28:40 +00:00 · b4f88d2c47
commit b4f88d2c47
parent bd067ba801
1 changed files with 14 additions and 1 deletions
--- a/ANTI_DRIFT.md
+++ b/ANTI_DRIFT.md
@ -43,3 +43,16 @@ If drift is detected:
 1. Revert the change
 2. Document why it was tempting
 3. Re-apply only what serves usability
+
+## Auth & Portal Drift Guardrails
+
+The following are explicitly disallowed:
+
+- Reintroducing APIv1 endpoints
+- Reintroducing Pterodactyl-based auth
+- CSRF token logic
+- Cookie-based authentication
+- Server-side portal sessions
+
+All auth must flow:
+Portal → JWT → APIv2