docs(1.0): promote org-SSO to a supported 1.0 feature (revises #325 scoping)#330
Merged
Conversation
…coping) Maintainer call (2026-06-16): org-verification is the enterprise day-one hook — it leads the enterprise pitch — so enterprises must be able to build on a stable contract. #325 disarmed the 90-day auto-revert timer (correct, kept) but scoped the whole OIDC channel OUTSIDE the 1.0 guarantee as "experimental/post-1.0." That's the wrong signal for a day-one feature. Reframe with split stability: - **Frozen in 1.0:** the `ORG_VERIFIED` tier, `org_attestation.via` provenance, and the DNS-TXT floor — the wire-side contract a consumer programs against. - **Supported, evolves under the deprecation window:** the IdP-integration config (JWKS handling, OIDC claims→org mapping, tenant/issuer shape). Real external-dependency churn lives here, so its shape is iterable — but only through announce → warn → ≥1 MINOR & ≥90 days, never a silent break. - **Removed:** the armed auto-revert timer (keep/cut is now an ordinary evidence-gated deprecation decision). Updates the SSO amendment §H + status line, ANTI_FEATURES #2, the deprecation policy's "not frozen" list (SSO is no longer a windowless exception — it gets an explicit supported-but-split note), and ROAD_TO_1.0 §9 item 4. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Deploying wireup-landing with
|
| Latest commit: |
dcbe9e2
|
| Status: | ✅ Deploy successful! |
| Preview URL: | https://9dab452f.wireup-landing.pages.dev |
| Branch Preview URL: | https://docs-sso-supported-1-0-featu.wireup-landing.pages.dev |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Revises the #325 SSO scoping. Org-verification is the enterprise day-one hook (it leads the enterprise pitch), so enterprises must build on a stable contract. #325 correctly disarmed the 90-day auto-revert timer but scoped the whole OIDC channel outside the 1.0 guarantee as "experimental/post-1.0" — wrong signal for a day-one feature.
New framing: split stability
ORG_VERIFIEDtier,org_attestation.viaprovenance, DNS-TXT floor — the wire-side contract a consumer programs against.orgmapping, tenant/issuer shape). Real external-dependency churn lives here, so its shape is iterable — but only through announce → warn → ≥1 MINOR & ≥90 days, never silent.Net: SSO is a real, supported 1.0 feature with a frozen wire-side contract; only the inherently-churny IdP plumbing is iterable, and even that only via the documented window. No experimental asterisk on the enterprise hook.
Touches
SSO amendment §H + status line;
ANTI_FEATURES.md#2;DEPRECATION_POLICY.md("not frozen" list — SSO removed from the windowless exceptions, gets an explicit supported-but-split note);ROAD_TO_1.0.md§9 item 4.Docs-only.
🤖 Generated with Claude Code