{
  "$schema": "https://workweaver.ai/agent-knowledge/auth-contract.json",
  "contract_id": "workweaver.auth.identity.v1",
  "issue": "https://github.com/bitfoundry-ai/workweaver/issues/1322",
  "summary": "Frozen identity stance for managed SaaS and product-facing agents: SMS/mobile OTP is not a first-class login or MFA factor.",
  "sms_mobile_otp": {
    "status": "not_supported",
    "scope": ["login", "mfa"],
    "meaning": "Provider SMS-based MFA challenges are rejected at the API; telephony and messaging channels do not imply SMS-based account authentication.",
    "user_visible_behavior": "Users must use email verification plus authenticator-app TOTP for MFA when enabled.",
    "non_goals": [
      "Using caller-ID or inbound SMS thread presence as proof of account ownership for login.",
      "Claiming parity between 'has a phone number' and 'phone is an auth factor'."
    ],
    "future_work": "Implementing SMS OTP as first-class would require a dedicated product contract, threat model, metering, and identity-provider configuration review — tracked as follow-on work, not implied by channel work."
  },
  "supported_first_class_factors": [
    {
      "id": "email_verification",
      "description": "Email ownership verification during signup and account flows."
    },
    {
      "id": "totp_authenticator",
      "description": "Time-based one-time passwords via authenticator apps."
    },
    {
      "id": "oauth_providers",
      "description": "OAuth sign-in and linking where configured (Google, Microsoft, Zoho, etc.)."
    }
  ],
  "api_enforcement": {
    "rejected_provider_challenges": ["SMS_MFA"],
    "supported_login_challenges": ["MFA_SETUP", "SOFTWARE_TOKEN_MFA"]
  },
  "canonical_doc": "docs/PRODUCT.md#identity-verification-contract"
}