@polymorphism-tech/morph-spec 4.2.0 → 4.3.1

package/stacks/blazor-azure/.claude/skills/level-2-domains/infrastructure/bicep-architect.md

@@ -1,126 +0,0 @@
-# Bicep Architect
-
-> **Layer:** 2 | **Load:** on-keyword | **Keywords:** bicep, iac, infrastructure as code, provision, azure resource, deploy
-
-Especialista em Infrastructure as Code com Azure Bicep. **Zero Portal** — all infra via code.
-
-## Structure
-
-```
-infra/
-├── main.bicep              # Entry point
-├── main.bicepparam         # Parameters (alt to JSON)
-├── parameters.dev.json
-├── parameters.prod.json
-└── modules/
-    ├── container-app.bicep
-    ├── container-app-env.bicep
-    ├── sql-database.bicep
-    ├── storage.bicep
-    ├── key-vault.bicep
-    ├── app-insights.bicep
-    ├── service-bus.bicep
-    └── redis-cache.bicep
-```
-
-## Main Template Pattern
-
-```bicep
-targetScope = 'resourceGroup'
-
-@allowed(['dev', 'staging', 'prod'])
-param environment string = 'dev'
-param location string = resourceGroup().location
-@minLength(3) @maxLength(20) param appName string
-@secure() param sqlAdminPassword string
-
-var resourcePrefix = '${appName}-${environment}'
-var tags = { environment: environment, application: appName, managedBy: 'bicep' }
-
-resource logAnalytics 'Microsoft.OperationalInsights/workspaces@2022-10-01' = {
-  name: '${resourcePrefix}-logs'
-  location: location
-  tags: tags
-  properties: { sku: { name: 'PerGB2018' }, retentionInDays: 30 }
-}
-
-module appInsights 'modules/app-insights.bicep' = { name: 'appInsights', params: { ... } }
-module containerAppEnv 'modules/container-app-env.bicep' = { name: 'env', params: { ... } }
-module containerApp 'modules/container-app.bicep' = { name: 'app', params: { ... } }
-module sqlDatabase 'modules/sql-database.bicep' = { name: 'sql', params: { ... } }
-module keyVault 'modules/key-vault.bicep' = { name: 'kv', params: { ... } }
-
-output containerAppUrl string = containerApp.outputs.url
-output sqlConnectionString string = sqlDatabase.outputs.connectionString
-```
-
-## SQL Database Module (Free Tier)
-
-```bicep
-// modules/sql-database.bicep
-param serverName string
-param databaseName string
-param location string
-param tags object = {}
-param adminUsername string = 'sqladmin'
-@secure() param adminPassword string
-param useFree bool = true
-
-resource sqlServer 'Microsoft.Sql/servers@2023-05-01-preview' = {
-  name: serverName
-  location: location
-  tags: tags
-  properties: { administratorLogin: adminUsername, administratorLoginPassword: adminPassword,
-    version: '12.0', minimalTlsVersion: '1.2', publicNetworkAccess: 'Enabled' }
-}
-
-resource db 'Microsoft.Sql/servers/databases@2023-05-01-preview' = {
-  parent: sqlServer
-  name: databaseName
-  location: location
-  sku: useFree ? { name: 'Free', tier: 'Free' } : { name: 'Basic', tier: 'Basic' }
-}
-
-resource firewall 'Microsoft.Sql/servers/firewallRules@2023-05-01-preview' = {
-  parent: sqlServer
-  name: 'AllowAllAzureIps'
-  properties: { startIpAddress: '0.0.0.0', endIpAddress: '0.0.0.0' }
-}
-```
-
-> **Container App module:** See `container-specialist.md` for full Container App + ACR Bicep.
-
-## Commands
-
-```bash
-az bicep build --file infra/main.bicep                                    # Validate
-az deployment group what-if -g rg-app-dev -f infra/main.bicep -p @infra/parameters.dev.json  # Preview
-az deployment group create -g rg-app-dev -f infra/main.bicep -p @infra/parameters.dev.json   # Deploy
-```
-
-## Parameters File
-
-```json
-{
-  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
-  "contentVersion": "1.0.0.0",
-  "parameters": {
-    "environment": { "value": "dev" },
-    "appName": { "value": "myapp" },
-    "sqlAdminPassword": { "reference": { "keyVault": { "id": "/subscriptions/.../vaults/{kv}" }, "secretName": "sql-admin-password" } }
-  }
-}
-```
-
-## Checklist
-- [ ] Bicep valid (`az bicep build`)
-- [ ] Modules for reusable resources
-- [ ] Parameters for dev and prod
-- [ ] Secrets referenced from Key Vault
-- [ ] Tags on all resources
-- [ ] What-if executed before deploy
-- [ ] Outputs for important values
-
----
-
-*MORPH-SPEC by Polymorphism Tech*

package/stacks/blazor-azure/.claude/skills/level-2-domains/infrastructure/container-specialist.md

@@ -1,131 +0,0 @@
-# Container Specialist
-
-> **Layer:** 2 | **Load:** on-keyword | **Keywords:** docker, container, containerize, container apps, acr, registry, image
-
-Especialista em containerização com Docker e deploy para Azure Container Apps.
-
-## Dockerfile (.NET Multi-stage)
-
-```dockerfile
-FROM mcr.microsoft.com/dotnet/sdk:10.0-alpine AS build
-WORKDIR /src
-COPY ["src/Web/Web.csproj", "src/Web/"]
-COPY ["src/Application/Application.csproj", "src/Application/"]
-COPY ["src/Domain/Domain.csproj", "src/Domain/"]
-COPY ["src/Infrastructure/Infrastructure.csproj", "src/Infrastructure/"]
-RUN dotnet restore "src/Web/Web.csproj"
-COPY . .
-WORKDIR "/src/src/Web"
-RUN dotnet publish "Web.csproj" -c Release -o /app/publish /p:UseAppHost=false
-
-FROM mcr.microsoft.com/dotnet/aspnet:10.0-alpine AS final
-WORKDIR /app
-RUN addgroup -g 1000 appgroup && adduser -u 1000 -G appgroup -D appuser
-COPY --from=publish /app/publish .
-RUN chown -R appuser:appgroup /app
-USER appuser
-EXPOSE 8080
-HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
-    CMD wget --quiet --tries=1 --spider http://localhost:8080/health || exit 1
-ENTRYPOINT ["dotnet", "Web.dll"]
-```
-
-### Image Sizes
-| Base Image | Size |
-|------------|------|
-| `aspnet:10.0` | ~220MB |
-| `aspnet:10.0-alpine` | ~110MB |
-| `aspnet:10.0-chiseled` | ~80MB (most secure) |
-
-## ACR (Azure Container Registry)
-
-```bash
-az acr create -g rg-myapp -n myappacr --sku Basic
-az acr login -n myappacr
-az acr build --registry myappacr --image myapp:v1 .
-```
-
-## Container App (Bicep)
-
-```bicep
-param name string
-param location string
-param tags object = {}
-param environmentId string
-param containerImage string
-param registryServer string
-param registryUsername string
-@secure() param registryPassword string
-
-resource containerApp 'Microsoft.App/containerApps@2023-05-01' = {
-  name: name
-  location: location
-  tags: tags
-  properties: {
-    managedEnvironmentId: environmentId
-    configuration: {
-      ingress: { external: true, targetPort: 8080, transport: 'http', allowInsecure: false }
-      registries: [{ server: registryServer, username: registryUsername, passwordSecretRef: 'reg-pwd' }]
-      secrets: [{ name: 'reg-pwd', value: registryPassword }]
-    }
-    template: {
-      containers: [{
-        name: name, image: containerImage
-        resources: { cpu: json('0.25'), memory: '0.5Gi' }
-        probes: [
-          { type: 'Liveness', httpGet: { path: '/health', port: 8080 }, initialDelaySeconds: 10 }
-          { type: 'Readiness', httpGet: { path: '/health/ready', port: 8080 }, initialDelaySeconds: 5 }
-        ]
-      }]
-      scale: { minReplicas: 0, maxReplicas: 5
-        rules: [{ name: 'http-scale', http: { metadata: { concurrentRequests: '100' } } }]
-      }
-    }
-  }
-}
-output url string = 'https://${containerApp.properties.configuration.ingress.fqdn}'
-```
-
-## Health Checks (ASP.NET)
-
-```csharp
-builder.Services.AddHealthChecks()
-    .AddSqlServer(connString, name: "database", tags: new[] { "ready" });
-
-app.MapHealthChecks("/health");
-app.MapHealthChecks("/health/ready", new() { Predicate = c => c.Tags.Contains("ready") });
-app.MapHealthChecks("/health/live", new() { Predicate = _ => false }); // Always healthy
-```
-
-## Docker Compose (Dev)
-
-```yaml
-services:
-  web:
-    build: { context: ., dockerfile: Dockerfile }
-    ports: ["8080:8080"]
-    environment:
-      - ConnectionStrings__Default=Server=db;Database=App;User=sa;Password=Pass!;TrustServerCertificate=true
-    depends_on: { db: { condition: service_healthy } }
-  db:
-    image: mcr.microsoft.com/mssql/server:2022-latest
-    environment: [ACCEPT_EULA=Y, SA_PASSWORD=YourStrong!Passw0rd]
-    ports: ["1433:1433"]
-    volumes: [sqldata:/var/opt/mssql]
-volumes:
-  sqldata:
-```
-
-## Checklist
-- [ ] Dockerfile multi-stage with alpine/chiseled
-- [ ] .dockerignore configured
-- [ ] Non-root user in container
-- [ ] Health checks (liveness + readiness)
-- [ ] Docker Compose for dev
-- [ ] ACR created and configured
-- [ ] Container App with scale-to-zero
-- [ ] Probes configured
-
----
-
-*MORPH-SPEC by Polymorphism Tech*

package/stacks/blazor-azure/.claude/skills/level-2-domains/infrastructure/devops-engineer.md

@@ -1,119 +0,0 @@
-# DevOps Engineer
-
-> **Layer:** 2 | **Load:** on-keyword | **Keywords:** pipeline, ci/cd, deploy, release, azure devops, github actions, build, automation
-
-Especialista em CI/CD, pipelines e automação de deploy.
-
-## Azure Pipelines
-
-```yaml
-trigger:
-  branches: { include: [main, develop] }
-  paths: { exclude: ['**/*.md'] }
-
-variables:
-  buildConfiguration: 'Release'
-  dotnetVersion: '10.0.x'
-
-stages:
-  - stage: Build
-    jobs:
-      - job: BuildJob
-        pool: { vmImage: 'ubuntu-latest' }
-        steps:
-          - task: UseDotNet@2
-            inputs: { version: '$(dotnetVersion)' }
-          - task: DotNetCoreCLI@2
-            displayName: 'Restore'
-            inputs: { command: 'restore', projects: '**/*.csproj' }
-          - task: DotNetCoreCLI@2
-            displayName: 'Build'
-            inputs: { command: 'build', arguments: '-c $(buildConfiguration) --no-restore' }
-          - task: DotNetCoreCLI@2
-            displayName: 'Test'
-            inputs: { command: 'test', projects: '**/tests/**/*.csproj', arguments: '--collect:"XPlat Code Coverage"' }
-          - task: DotNetCoreCLI@2
-            displayName: 'Publish'
-            inputs: { command: 'publish', publishWebProjects: true, arguments: '-c $(buildConfiguration) -o $(Build.ArtifactStagingDirectory)' }
-          - task: PublishBuildArtifacts@1
-            inputs: { pathToPublish: '$(Build.ArtifactStagingDirectory)', artifactName: 'drop' }
-
-  - stage: DeployDev
-    dependsOn: Build
-    condition: and(succeeded(), eq(variables['Build.SourceBranch'], 'refs/heads/develop'))
-    jobs:
-      - deployment: Deploy
-        environment: 'development'
-        strategy:
-          runOnce:
-            deploy:
-              steps:
-                - task: AzureCLI@2
-                  inputs:
-                    scriptType: 'bash'
-                    inlineScript: 'az containerapp update --name app-dev -g rg-dev --image $(image)'
-```
-
-## GitHub Actions
-
-```yaml
-name: CI/CD
-on:
-  push: { branches: [main, develop] }
-  pull_request: { branches: [main] }
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-dotnet@v4
-        with: { dotnet-version: '10.0.x' }
-      - run: dotnet restore && dotnet build -c Release --no-restore && dotnet test -c Release --no-build
-      - run: dotnet publish src/Web/Web.csproj -c Release -o ./publish
-
-  docker:
-    needs: build
-    if: github.event_name == 'push'
-    runs-on: ubuntu-latest
-    permissions: { contents: read, packages: write }
-    steps:
-      - uses: actions/checkout@v4
-      - uses: docker/login-action@v3
-        with: { registry: ghcr.io, username: '${{ github.actor }}', password: '${{ secrets.GITHUB_TOKEN }}' }
-      - uses: docker/build-push-action@v5
-        with: { push: true, tags: 'ghcr.io/${{ github.repository }}:${{ github.sha }}' }
-
-  deploy:
-    needs: docker
-    if: github.ref == 'refs/heads/main'
-    runs-on: ubuntu-latest
-    environment: production
-    steps:
-      - uses: azure/login@v2
-        with: { creds: '${{ secrets.AZURE_CREDENTIALS }}' }
-      - uses: azure/container-apps-deploy-action@v1
-        with: { resourceGroup: rg-prod, containerAppName: app-prod, imageToDeploy: 'ghcr.io/${{ github.repository }}:${{ github.sha }}' }
-```
-
-> **Dockerfile:** See `container-specialist.md` for optimized multi-stage Dockerfile.
-
-## Secrets Management
-
-| Platform | Method |
-|----------|--------|
-| Azure DevOps | Variable Groups + Key Vault references |
-| GitHub Actions | Repository/Environment Secrets |
-
-## Checklist
-- [ ] Trigger configured (branches, paths)
-- [ ] Build: restore, build, test, publish
-- [ ] Code coverage published
-- [ ] Deploy to dev automatic (develop branch)
-- [ ] Deploy to prod with approval (main branch)
-- [ ] Secrets in Key Vault or variable groups
-- [ ] Health check after deploy
-
----
-
-*MORPH-SPEC by Polymorphism Tech*

package/stacks/blazor-azure/.claude/skills/level-2-domains/integrations/asaas-financial.md

@@ -1,130 +0,0 @@
-# Asaas Financial
-
-> **Layer:** 2 | **Load:** on-keyword | **Keywords:** asaas, payment, pix, boleto, cobranca, subscription, billing, pagamento
-
-Integração com Asaas para pagamentos no Brasil. API REST, sem SDK .NET oficial. Suporta PIX, Boleto, Cartão.
-
-## Setup
-
-```csharp
-// appsettings.json
-{ "Asaas": { "BaseUrl": "https://sandbox.asaas.com/api/v3", "ApiKey": "${ASAAS_API_KEY}" } }
-
-// Program.cs
-builder.Services.Configure<AsaasOptions>(builder.Configuration.GetSection("Asaas"));
-builder.Services.AddHttpClient<IAsaasClient, AsaasClient>((sp, client) =>
-{
-    var options = sp.GetRequiredService<IOptions<AsaasOptions>>().Value;
-    client.BaseAddress = new Uri(options.BaseUrl);
-    client.DefaultRequestHeaders.Add("access_token", options.ApiKey);
-    client.DefaultRequestHeaders.Add("User-Agent", "MyApp/1.0");
-});
-```
-
-## Client Interface
-
-```csharp
-public interface IAsaasClient
-{
-    Task<AsaasCustomer> CreateCustomerAsync(CreateCustomerRequest request);
-    Task<AsaasPayment> CreatePaymentAsync(CreatePaymentRequest request);
-    Task<AsaasPayment> GetPaymentAsync(string paymentId);
-    Task<AsaasSubscription> CreateSubscriptionAsync(CreateSubscriptionRequest request);
-}
-```
-
-Implementation: standard `HttpClient.PostAsJsonAsync` / `GetAsync` + `ReadFromJsonAsync` pattern. Log errors, throw `AsaasException` on failure.
-
-## DTOs (all use `[JsonPropertyName]`)
-
-```csharp
-public record CreateCustomerRequest
-{
-    [JsonPropertyName("name")] public required string Name { get; init; }
-    [JsonPropertyName("cpfCnpj")] public required string CpfCnpj { get; init; }  // REQUIRED even in sandbox
-    [JsonPropertyName("email")] public string? Email { get; init; }
-}
-
-public record CreatePaymentRequest
-{
-    [JsonPropertyName("customer")] public required string Customer { get; init; }
-    [JsonPropertyName("billingType")] public required string BillingType { get; init; }  // BOLETO, PIX, CREDIT_CARD
-    [JsonPropertyName("value")] public required decimal Value { get; init; }
-    [JsonPropertyName("dueDate")] public required string DueDate { get; init; }  // yyyy-MM-dd
-    [JsonPropertyName("description")] public string? Description { get; init; }
-    [JsonPropertyName("externalReference")] public string? ExternalReference { get; init; }
-}
-
-public record AsaasPayment
-{
-    [JsonPropertyName("id")] public string Id { get; init; } = "";
-    [JsonPropertyName("status")] public string Status { get; init; } = "";  // PENDING, RECEIVED, CONFIRMED, OVERDUE
-    [JsonPropertyName("invoiceUrl")] public string? InvoiceUrl { get; init; }
-    [JsonPropertyName("bankSlipUrl")] public string? BankSlipUrl { get; init; }
-    [JsonPropertyName("pixQrCode")] public AsaasPixQrCode? PixQrCode { get; init; }
-}
-
-public record AsaasPixQrCode
-{
-    [JsonPropertyName("encodedImage")] public string? EncodedImage { get; init; }  // Base64
-    [JsonPropertyName("payload")] public string? Payload { get; init; }  // PIX copia-e-cola
-}
-```
-
-Follow same pattern for `CreateSubscriptionRequest` (add `cycle`: MONTHLY/WEEKLY/YEARLY, `nextDueDate`).
-
-## Webhooks
-
-```csharp
-[ApiController, Route("api/webhooks/asaas")]
-public class AsaasWebhookController(IPaymentService payments, ILogger<AsaasWebhookController> logger) : ControllerBase
-{
-    [HttpPost]
-    public async Task<IActionResult> Handle([FromBody] AsaasWebhookPayload payload)
-    {
-        logger.LogInformation("Asaas webhook: {Event} payment {Id}", payload.Event, payload.Payment?.Id);
-        switch (payload.Event)
-        {
-            case "PAYMENT_CONFIRMED": case "PAYMENT_RECEIVED":
-                await payments.ConfirmPaymentAsync(payload.Payment!.Id); break;
-            case "PAYMENT_OVERDUE":
-                await payments.MarkOverdueAsync(payload.Payment!.Id); break;
-            case "PAYMENT_REFUNDED":
-                await payments.RefundPaymentAsync(payload.Payment!.Id); break;
-        }
-        return Ok();
-    }
-}
-```
-
-## Environments
-
-| Environment | Base URL |
-|-------------|----------|
-| Sandbox | `https://sandbox.asaas.com/api/v3` |
-| Production | `https://www.asaas.com/api/v3` |
-
-## Gotchas
-
-| Issue | Fix |
-|-------|-----|
-| PIX QR Code returns Base64, NOT URL | `$"data:image/png;base64,{response.EncodedImage}"` |
-| CPF required even in sandbox | Always include `cpfCnpj` in CreateCustomer |
-| Missing `User-Agent` header | Add to HttpClient defaults |
-| Date format must be `yyyy-MM-dd` | `DateTime.Today.AddDays(1).ToString("yyyy-MM-dd")` |
-
-## Checklist
-
-- [ ] API Key configured (not hardcoded)
-- [ ] HttpClient with retry policy (Polly)
-- [ ] Headers: `access_token` + `User-Agent`
-- [ ] CPF/CNPJ always included for customers
-- [ ] PIX QR Code → data URI conversion
-- [ ] Dates in `yyyy-MM-dd` format
-- [ ] Webhook endpoint + signature validation
-- [ ] ExternalReference for reconciliation
-- [ ] Tests with sandbox
-
----
-
-*MORPH-SPEC by Polymorphism Tech*

package/stacks/blazor-azure/.claude/skills/level-2-domains/integrations/azure-identity.md

@@ -1,142 +0,0 @@
-# Azure Identity (Microsoft Identity)
-
-> **Layer:** 2 | **Load:** on-keyword | **Keywords:** identity, entra, azure ad, microsoft auth, msal, oauth, oidc, microsoft identity
-
-Microsoft Identity Platform for .NET/Blazor. SDK: `Microsoft.Identity.Web`.
-
-## Setup
-
-```bash
-dotnet add package Microsoft.Identity.Web
-dotnet add package Microsoft.Identity.Web.UI  # For Blazor
-```
-
-```json
-// appsettings.json
-{ "AzureAd": {
-    "Instance": "https://login.microsoftonline.com/",
-    "Domain": "yourdomain.onmicrosoft.com",
-    "TenantId": "your-tenant-id",
-    "ClientId": "your-client-id",
-    "ClientSecret": "${AZURE_AD_CLIENT_SECRET}",
-    "CallbackPath": "/signin-oidc"
-} }
-```
-
-```csharp
-// Program.cs
-builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
-    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"));
-builder.Services.AddControllersWithViews().AddMicrosoftIdentityUI();
-builder.Services.AddAuthorization();
-app.UseAuthentication();
-app.UseAuthorization();
-```
-
-## Blazor Server
-
-```csharp
-// Additional setup
-builder.Services.AddServerSideBlazor().AddMicrosoftIdentityConsentHandler();
-
-// App.razor
-<CascadingAuthenticationState>
-    <Router AppAssembly="@typeof(App).Assembly">
-        <Found Context="routeData">
-            <AuthorizeRouteView RouteData="@routeData" DefaultLayout="@typeof(MainLayout)">
-                <NotAuthorized>
-                    @if (!context.User.Identity?.IsAuthenticated ?? true) { <RedirectToLogin /> }
-                    else { <p>No permission.</p> }
-                </NotAuthorized>
-            </AuthorizeRouteView>
-        </Found>
-    </Router>
-</CascadingAuthenticationState>
-
-// RedirectToLogin.razor
-@inject NavigationManager Nav
-@code {
-    protected override void OnInitialized() =>
-        Nav.NavigateTo($"MicrosoftIdentity/Account/SignIn?redirectUri={Uri.EscapeDataString(Nav.Uri)}", forceLoad: true);
-}
-```
-
-## Protected Pages
-
-```razor
-@page "/secure"
-@attribute [Authorize]
-
-<AuthorizeView>
-    <Authorized>Welcome, @context.User.Identity?.Name!</Authorized>
-</AuthorizeView>
-
-<AuthorizeView Roles="Admin"><Authorized><AdminPanel /></Authorized></AuthorizeView>
-```
-
-## API Protection
-
-```csharp
-// API Program.cs
-builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
-    .AddMicrosoftIdentityWebApi(builder.Configuration.GetSection("AzureAd"));
-
-// Controller
-[ApiController, Route("api/[controller]"), Authorize]
-public class ProfileController : ControllerBase
-{
-    [HttpGet]
-    public IActionResult GetProfile() => Ok(new {
-        UserId = User.FindFirst(ClaimTypes.NameIdentifier)?.Value,
-        Name = User.Identity?.Name
-    });
-
-    [HttpGet("admin"), Authorize(Roles = "Admin")]
-    public IActionResult AdminOnly() => Ok("Admin access");
-}
-```
-
-## Downstream APIs (Microsoft Graph)
-
-```csharp
-builder.Services.AddAuthentication(OpenIdConnectDefaults.AuthenticationScheme)
-    .AddMicrosoftIdentityWebApp(builder.Configuration.GetSection("AzureAd"))
-    .EnableTokenAcquisitionToCallDownstreamApi()
-    .AddMicrosoftGraph(builder.Configuration.GetSection("Graph"))
-    .AddInMemoryTokenCaches();
-```
-
-## Authorization Policies
-
-```csharp
-builder.Services.AddAuthorization(o => {
-    o.AddPolicy("RequireAdmin", p => p.RequireRole("Admin"));
-    o.AddPolicy("RequireManager", p => p.RequireAssertion(c =>
-        c.User.IsInRole("Admin") || c.User.IsInRole("Manager")));
-});
-```
-
-## Multi-tenant & B2C
-
-```json
-// Multi-tenant: TenantId = "common" or "organizations"
-// Then validate allowed tenants in TokenValidationParameters.IssuerValidator
-
-// B2C: Use "AzureAdB2C" section with SignUpSignInPolicyId, ResetPasswordPolicyId
-```
-
-## Checklist
-
-- [ ] App registered in Azure Portal
-- [ ] Client ID + Tenant ID configured
-- [ ] Client Secret in Key Vault
-- [ ] Redirect URIs configured
-- [ ] API permissions defined
-- [ ] Token caching configured
-- [ ] Authorization policies created
-- [ ] Logout flow implemented
-- [ ] Token expiry error handling
-
----
-
-*MORPH-SPEC by Polymorphism Tech*