Configure Microsoft Entra ID as the sole SSO provider with
allowDangerousEmailAccountLinking to link SSO accounts to existing
seeded user records by email match. Add signIn event for automatic
org assignment by domain. Guard DEV_BYPASS_AUTH against production
use. Add branded pending page for authenticated users without org
membership. Remove Google provider for initial rollout simplicity.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Implemented `stage-resolver.ts` to unify old and new pipeline stage definitions.
- Created `org-scope.ts` for organization access verification and scoping queries.
- Added role-based permissions management in `permissions.ts` and `rbac-service.ts`.
- Introduced invitation management in `invitation-service.ts` with validation schemas.
- Developed custom field and notification rule services with respective validators.
- Established pipeline template CRUD operations in `pipeline-template-service.ts`.
- Added Zustand store for managing pipeline builder state in `pipeline-builder-store.ts`.
- Zod validation schemas for create/update project
- Service layer with listProjects, getProject, createProject,
updateProject, deleteProject
- API routes: GET/POST /api/projects, GET/PATCH/DELETE /api/projects/:id
- TanStack Query hooks for all project operations
- Project list page with card grid, status/priority badges
- Project create dialog with form validation
- QueryProvider + API utility helpers
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
