2 changes: 1 addition & 1 deletion ANTI_FEATURES.md
Expand Up @@ -10,7 +10,7 @@ Default reference relay is a convenience. Self-host with `wire relay-server`. Wo

Your **identity** is an Ed25519 keypair you generate locally — never an OAuth token, never an IdP account, never a vendor handle. The DID is the key; no login mints it. Won't change.

The one nuance (so this doc doesn't lie about shipped code): an org **may optionally** stand up an OIDC/SSO channel to *mediate the `ORG_VERIFIED` tier* — a faster path to org-membership attestation than the DNS-TXT floor or a hand-built roster. It is **opt-in, org-scoped, additive, and outside the 1.0 frozen-surface guarantee** (RFC-001 SSO amendment §H). It attests *org membership*, never *identity*, and never substitutes for the bilateral `wire dial` + accept gesture that earns `VERIFIED` (anti-feature #3). Turn it off and nothing about wire identity changes.
The one nuance (so this doc doesn't lie about shipped code): an org **may optionally** stand up an OIDC/SSO channel to *mediate the `ORG_VERIFIED` tier* — a faster path to org-membership attestation than the DNS-TXT floor or a hand-built roster, and the enterprise day-one hook. It is **opt-in, org-scoped, and a supported 1.0 feature** (RFC-001 SSO amendment §H): the wire-side contract (`ORG_VERIFIED` tier + `org_attestation.via` provenance) is frozen, while the IdP-integration config evolves only under the deprecation policy. It attests *org membership*, never *identity*, and never substitutes for the bilateral `wire dial` + accept gesture that earns `VERIFIED` (anti-feature #3). Turn it off and nothing about wire identity changes.

## 3. No central trust authority

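Review bot: the frozen "wire-side contract" named in the new paragraph (`ORG_VERIFIED` tier + `org_attestation.via` provenance) omits the DNS-TXT floor, while the same contract in `ROAD_TO_1.0.md`, `docs/DEPRECATION_POLICY.md` and RFC-001 §H of this PR lists three items (`ORG_VERIFIED` tier + `org_attestation.via` + DNS-TXT floor). Since this is the document a sceptical reader checks against shipped code, the lists should match; suggest "(`ORG_VERIFIED` tier + `org_attestation.via` provenance + the DNS-TXT floor)". Also worth keeping the sentence that the channel attests org membership and never identity as the first thing after "may optionally", since the added "enterprise day-one hook" clause now sits between the capability and its limit.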
10 changes: 6 additions & 4 deletions ROAD_TO_1.0.md
Expand Up @@ -179,10 +179,12 @@ deprecation policy, **without breaking the promise.**
DM-confidentiality posture explicitly (default-on, downgrade-bounded,
operator-visible; group/FS/metadata out); `ANTI_FEATURES.md` #2 reconciled
with the shipped opt-in org-SSO.
4. ✅ **SSO kill criterion decided** (#325) — the 90-day auto-revert timer is
*disarmed*: the OIDC channel is scoped OUTSIDE the 1.0 frozen-surface
guarantee (experimental/post-1.0, deprecation-policy-gated), the DNS-TXT floor
+ `ORG_VERIFIED` tier are in 1.0. No armed timer crosses the freeze.
4. ✅ **SSO kill criterion decided** (#325, revised #330) — the 90-day
auto-revert timer is *disarmed* and SSO is **promoted to a supported 1.0
feature** (the enterprise day-one hook). Wire-side contract (`ORG_VERIFIED`
tier + `org_attestation.via` + DNS-TXT floor) is frozen; the IdP-integration
config evolves only under the deprecation window. No armed timer crosses the
freeze; no experimental asterisk on the enterprise hook.
5. ✅ **Freeze the surface** (#326) — `docs/DEPRECATION_POLICY.md` published;
`mcp_catalog_schema_is_frozen` golden-locks all 27 MCP tools' shape.
*Stretch:* golden-locking every `--json` builder (beyond `delivery_json`) is
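Review bot: item 4 says the IdP-integration config "evolves only under the deprecation window" but, unlike item 5, does not point at `docs/DEPRECATION_POLICY.md`, which is where that window is defined; suggest linking it here too ("evolves only under the deprecation window in `docs/DEPRECATION_POLICY.md`") so the promise is traceable from the roadmap. Minor: the item cites "#325, revised #330" while the §H text in RFC-001 in this same PR cites only the 2026-06-16 pass; cross-reference #330 there as well so both records agree on where the revision was decided.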
11 changes: 8 additions & 3 deletions docs/DEPRECATION_POLICY.md
Expand Up @@ -59,15 +59,20 @@ work until they choose to move to `2.0`.
These may change in a MINOR without a deprecation window, because 1.0 never
promised them — they are documented as out-of-scope/experimental:

- The **OIDC/SSO channel** (RFC-001 amendment §B–§E) — experimental/post-1.0,
evidence-gated (RFC-001 SSO amendment §H). The DNS-TXT floor + `ORG_VERIFIED`
tier ARE frozen; the OIDC mediation channel is not.
- Anything in `BACKLOG.md` marked deferred (MLS group confidentiality, forward
secrecy, multi-relay redundancy, file-share, registry).
- Internal-only output behind a documented `--unstable`/experimental flag.
- Human-facing prose: `--help` wording, log lines, stderr phrasing (the *machine*
surface — `--json`, exit codes — is frozen; the prose around it is not).

**Note — org-SSO is supported, not windowless.** The OIDC/SSO channel
(RFC-001 amendment §B–§E) is a supported 1.0 feature, *not* an exception above:
its wire-side contract (`ORG_VERIFIED` tier + `org_attestation.via` provenance +
the DNS-TXT floor) is **frozen**, and its IdP-integration *config* (JWKS, claims
mapping, tenant/issuer shape) changes only **through the deprecation window** —
the external-dependency churn is real, so the config is iterable, but never
silently.

## Enforcement

- The MCP tool catalog (names + input-schema props + required) is golden-locked
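Review bot: the new note declares the `ORG_VERIFIED` tier and `org_attestation.via` provenance frozen, but the Enforcement section directly below only golden-locks the MCP tool catalog, so the freeze on the org-attestation shape is asserted here without a test behind it; suggest adding a golden-lock for the `org_attestation` card subfield alongside `mcp_catalog_schema_is_frozen`, or a bullet in Enforcement naming which test guards it. Separately, the note places "JWKS" handling under "changes only through the deprecation window"; a change that tightens verification (for example rejecting a key or algorithm the IdP stops supporting) is a security fix rather than a shape change, and the policy should say whether such tightening may land without the ≥90-day window so the wording does not block a fix.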
13 changes: 7 additions & 6 deletions docs/rfc/0001-identity-layer.amendment-sso.md
@@ -1,7 +1,7 @@
# RFC-001 Amendment: SSO-attestation channel (organization tier)

**Amends:** [RFC-001 v2](./0001-identity-layer.md) (merged as PR #76, squash `a6b4163`)
**Status:** Accepted — ratified by @laulpogan 2026-05-28 (direction blessed; AC-SSO1–5). **2026-06-16 (push-to-1.0):** the 90-day kill-criterion timer is **disarmed** — the OIDC channel (§B–§E) is scoped *outside* the 1.0 frozen-surface guarantee (experimental/post-1.0, evidence-gated under the deprecation policy); the DNS-TXT floor (§A) + `ORG_VERIFIED` tier are in 1.0. See §H. <!-- Draft | Discussion | Accepted | Rejected | Implemented | Superseded -->
**Status:** Accepted — ratified by @laulpogan 2026-05-28 (direction blessed; AC-SSO1–5). **2026-06-16 (push-to-1.0):** the 90-day kill-criterion timer is **disarmed** and SSO is promoted to a **supported 1.0 feature** (it's the enterprise day-one hook). The wire-side contract — `ORG_VERIFIED` tier, `org_attestation.via` provenance, DNS-TXT floor (§A) — is **frozen**; the IdP-integration *config* (JWKS handling, OIDC claims→org mapping, tenant config) carries the normal deprecation window since it has external-dependency churn. See §H. <!-- Draft | Discussion | Accepted | Rejected | Implemented | Superseded -->
**Tracking:** [#73](https://github.com/SlanchaAi/wire/issues/73)
**Author:** swift-harbor (Copilot CLI agent, paired w/ @dthoma1)
**Date:** 2026-05-28
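Review bot: the **Status** line still reads "Accepted" while `ANTI_FEATURES.md` in this PR describes the channel as "shipped code" and `ROAD_TO_1.0.md` as "the shipped opt-in org-SSO"; the legend in the trailing comment offers "Implemented", which appears to be the accurate state now. The 2026-06-16 history paragraph has also grown to the point that the Status field is a full paragraph; suggest reducing it to "Implemented (2026-06-16: kill-criterion timer disarmed, SSO promoted to supported 1.0 feature; see §H)" and keeping the stability split in §H, where it is already stated.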
Expand Down Expand Up @@ -199,14 +199,15 @@ Three questions for slate-lotus's owning side of #73 (filtering surface + projec
2. **T21 alarm-window policy hook location:** global config, per-org config, or per-filter-rule. Affects where the §C grace-window + §E alarm-debounce timers are configured.
3. **Filter-expression shape for "fan-out project:X to same-tenant ORG_VERIFIED":** the filter DSL needs to express both project-tag selectors and org-attestation predicates; the §C JWKS hard-refresh + grace-window mechanics produce cache-invalidation events that the filter compiler should subscribe to. Need slate's preferred event shape so §C degrade announcements are emitted as compatible cache-invalidations.

## §H. Kill criterion
## §H. Kill criterion → superseded: SSO is a supported 1.0 feature

**Disarmed for 1.0 (2026-06-16, "push to 1.0" pass).** The original criterion auto-reverted the OIDC channel in v0.15 if it produced zero `ORG_VERIFIED` mediations within 90 days of v0.14. `ROAD_TO_1.0.md` §5 is explicit that you cannot freeze a 1.0 surface with a version-pinned self-destruct timer armed against it — so the timer is removed, **not** by force-cutting SSO (the code is written, tested, and additive) but by **scoping the OIDC channel OUT of the 1.0 frozen-surface guarantee**:
**Resolved for 1.0 (2026-06-16, "push to 1.0" pass).** The original criterion auto-reverted the OIDC channel in v0.15 if it produced zero `ORG_VERIFIED` mediations within 90 days of v0.14. That armed version-pinned self-destruct can't cross a 1.0 freeze (`ROAD_TO_1.0.md` §5) — but the *fix is not to scope SSO out*. Org-verification is the **enterprise day-one hook** (it leads the enterprise pitch); enterprises must be able to build on a stable contract, so SSO is **promoted into the supported 1.0 surface**, split by stability:

- The **DNS-TXT floor (§A)** and the **`ORG_VERIFIED` tier + `org_attestation.via` provenance** are in 1.0 and frozen (harmless, additive on the v3.2 card).
- The **OIDC channel (§B–§E)** is **experimental / post-1.0**: it is not covered by the 1.0 compatibility promise and may be evolved or removed after 1.0 under the normal **deprecation policy** (a deprecation window, not a silent break), on the same zero-usage evidence — just without a hard `v0.15` revert date.
- **Frozen in 1.0 (no-break guarantee):** the DNS-TXT floor (§A), the **`ORG_VERIFIED` tier**, and the **`org_attestation.via` provenance** subfield. A consumer can program against these.
- **Supported, but evolves under the deprecation policy:** the **IdP-integration config** — JWKS endpoint handling, OIDC claims→`org` mapping, tenant/issuer config shape (§B–§E). This carries external-dependency churn (IdP quirks, claim conventions), so its *shape* may change across 1.x **through a deprecation window** (announce → warn → ≥1 MINOR & ≥90 days), never a silent break. The *capability* (SSO-mediated `ORG_VERIFIED`) is a 1.0 feature, not experimental.
- **Removed:** the 90-day auto-revert timer. Keep/cut is now an ordinary evidence-gated deprecation decision, not a one-shot armed version gate.

Net effect: 1.0 ships with no armed timer, SSO stays available for the orgs piloting it, and a future removal (if usage stays zero) is a deprecation, not a surprise. The keep-or-cut decision is now evidence-gated and continuous, not a one-shot version gate.
Net effect: 1.0 ships SSO as a real, supported feature with a frozen wire-side contract; only the inherently-churny IdP plumbing is iterable, and even that only via the documented deprecation window. No surprise revert, no experimental asterisk on the enterprise hook.

## References

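Review bot: the new "Removed" bullet turns keep/cut into "an ordinary evidence-gated deprecation decision" but drops the evidence the old text named ("on the same zero-usage evidence"), so §H no longer says what observation would start a deprecation. Suggest stating it explicitly, for example that a deprecation proposal is gated on the count of `ORG_VERIFIED` attestations carrying `org_attestation.via` = OIDC over the window, since that provenance subfield is what makes the decision auditable. The §H bullet is also now the only place the window is quantified ("announce → warn → ≥1 MINOR & ≥90 days"); `docs/DEPRECATION_POLICY.md` in this PR says only "through the deprecation window", so one of the two should be the source and the other should cite it.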