ADR-0010 — OIDC + tenant-scoped RBAC; tokens for programmatic access

Context

BitVault serves browser users (web UI), automation (CLI/API), and enterprises that federate through SSO. It must authenticate humans and machines, authorize both tenant-scoped and resource-scoped actions, and supply the authenticated tenant context that the DB isolation layer (ADR-0007) relies on. Because BitVault is self-hostable, we cannot mandate a specific cloud identity provider.
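As an illustration of the authorization shape the context above asks for, the following is an added example (not BitVault code and not part of this ADR's decision): a principal that has already been authenticated, whether a human via OIDC or an automation client via a token, is checked against per-tenant role assignments and optional per-resource grants, and the check returns the tenant identifier to hand to the DB isolation layer. Everything here is assumed: the role-to-permission table, the `Principal`, `Resource` and `Decision` types, the `"resource:action"` permission strings, and the rule that a token's scopes can only narrow a principal's rights.

```python
"""Illustrative tenant-scoped RBAC check (added example, not BitVault code).

Assumptions (not stated in the ADR): the caller has already verified the
OIDC session or API token; the principal carries per-tenant role
assignments; roles map to "resource:action" permission strings; a token
may carry a scope set that only narrows what the principal may do.
"""
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical role -> permission table.
ROLE_PERMISSIONS: dict[str, frozenset[str]] = {
    "viewer": frozenset({"vault:read"}),
    "editor": frozenset({"vault:read", "vault:write"}),
    "admin": frozenset({"vault:read", "vault:write", "vault:delete", "member:manage"}),
}


@dataclass(frozen=True)
class Principal:
    subject: str                                  # OIDC `sub` or token id
    roles_by_tenant: dict[str, frozenset[str]]    # tenant_id -> roles held there
    scopes: Optional[frozenset[str]] = None       # token scopes; None = interactive session


@dataclass(frozen=True)
class Resource:
    tenant_id: str
    resource_id: str
    # subject -> extra permissions on this one resource (resource-scoped grants)
    grants: dict[str, frozenset[str]] = field(default_factory=dict)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    tenant_id: Optional[str]   # tenant context for the DB isolation layer when allowed
    reason: str


def effective_permissions(p: Principal, tenant_id: str) -> frozenset[str]:
    """Permissions from the principal's roles in `tenant_id`, narrowed by token scopes."""
    perms: set[str] = set()
    for role in p.roles_by_tenant.get(tenant_id, frozenset()):
        perms |= ROLE_PERMISSIONS.get(role, frozenset())
    if p.scopes is not None:
        perms &= p.scopes              # a token can only narrow, never widen
    return frozenset(perms)


def authorize(p: Principal, permission: str, r: Resource) -> Decision:
    """Decide `permission` on `r`; the tenant comes from the resource, never from the request."""
    if r.tenant_id not in p.roles_by_tenant:
        # No membership in the resource's tenant: deny before looking at any grant.
        return Decision(False, None, "no membership in resource tenant")
    if permission in effective_permissions(p, r.tenant_id):
        return Decision(True, r.tenant_id, "role")
    granted = r.grants.get(p.subject, frozenset())
    if p.scopes is not None:
        granted &= p.scopes            # resource grants are narrowed by token scope too
    if permission in granted:
        return Decision(True, r.tenant_id, "resource grant")
    return Decision(False, None, "permission not held")


# Constructed sample data (hypothetical tenants, subjects and vault).
ALICE = Principal("alice", {"t1": frozenset({"editor"})})                       # browser user
CI_BOT = Principal("svc-ci", {"t1": frozenset({"admin"})}, frozenset({"vault:read"}))  # read-only token
MALLORY = Principal("mallory", {"t2": frozenset({"admin"})})                    # admin of another tenant
CAROL = Principal("carol", {"t1": frozenset({"viewer"})})                       # viewer with a per-vault grant
VAULT = Resource("t1", "vault-7", grants={"carol": frozenset({"vault:write"})})

if __name__ == "__main__":
    for who, perm in ((ALICE, "vault:write"), (CI_BOT, "vault:write"),
                      (MALLORY, "vault:read"), (CAROL, "vault:write")):
        print(who.subject, perm, authorize(who, perm, VAULT))
```

The two checks worth carrying into any real implementation are that the tenant is taken from the resource and the authenticated principal, not from a caller-supplied parameter, and that the automation token's scope intersects the role permissions rather than replacing them, so a leaked read-only CI token cannot write even though the account behind it is an admin.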

Decision

Authentication

Authorization

Consequences

Positive

Negative / costs

Alternatives considered