.squad: Merge GitHub issues decisions, update agent cross-references

- Merged zoe-github-issues-created.md and zoe-azure-auth-plan.md into decisions.md
- Deleted inbox files after merge
- Updated agent history files with issue assignments (#39-#65):
  - Zoe: 14 issues (auth, infrastructure, hardening)
  - Kaylee: 8 issues (UI, CI/deploy, monitoring)
  - Jayne: E2E testing support
  - Wash: Deployment orchestration
- Wrote orchestration log and session log
- All 27 issues cross-referenced with dependencies
- Phase execution order: 2→1→3→4→5 (security-first)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: davidortinau

.squad/agents/jayne/history.md

@@ -18,4 +18,22 @@
 - "It compiles" is NOT sufficient — must verify in running app
 - Must call `CacheService.InvalidateVocabSummary()` after recording attempts or dashboard is stale
 - Playwright must use `pressSequentially` not `fill()` for Blazor server-side binding
+- "It compiles" is NOT sufficient — must verify in running app
+- Must call `CacheService.InvalidateVocabSummary()` after recording attempts or dashboard is stale
+- Playwright must use `pressSequentially` not `fill()` for Blazor server-side binding
 - Test users: David (Korean, f452438c-...), Jose (Spanish, 8d5f7b4a-...), Gunther (German, c3bb57f7-...)
+
+## Work Sessions
+
+### 2026-03-13 — Cross-Agent Update: Azure Deployment Issues
+
+**Status:** In Progress  
+**GitHub Issues:** #39-#65 created by Zoe (Lead)  
+**Jayne's Assignment:** N/A (testing/QA support for phase execution)  
+
+**Phase Execution Order:** Phase 2 (Secrets) → Phase 1 (Auth, localhost-testable) → Phase 3 (Infra) → Phase 4 (Pipeline) → Phase 5 (Hardening)
+
+**E2E Testing Support:** Jayne to verify each phase's integration tests per e2e-testing skill (mandatory for every feature/fix).
+
+**Critical Path:** CoreSync SQLite→PostgreSQL migration (#55, XL) — requires comprehensive data migration testing.
+

.squad/agents/kaylee/history.md

@@ -16,3 +16,26 @@
 - Activity pages: PageHeader, activity-content area, footer with activity-input-bar
 - Word Association activity at `/word-association` — latest activity, has Grade-first UX flow
 - Dashboard activities listed in `src/SentenceStudio.UI/Pages/Index.razor`
+
+## Work Sessions
+
+### 2026-03-13 — Cross-Agent Update: Azure Deployment Issues
+
+**Status:** In Progress  
+**GitHub Issues:** #39-#65 created by Zoe (Lead)  
+**Kaylee's Assignments:** 8 issues  
+
+**Issues Assigned to Kaylee:**
+- #44 WebApp OIDC Integration (Phase 1, size:L)
+- #45 MAUI MSAL Implementation (Phase 1, size:XL)
+- #56 CI Workflow Setup (Phase 4, size:M)
+- #57 Deploy Workflow (Phase 4, size:L)
+- #58 Staging Environment (Phase 4, size:M)
+- #60 Azure Monitor/Application Insights (Phase 5, size:M)
+- #62 CORS Configuration (Phase 5, size:S)
+- #64 Auto-Scaling Rules (Phase 5, size:M)
+
+**Phase Execution Order:** Phase 2 (Secrets) → Phase 1 (Auth, localhost-testable) → Phase 3 (Infra) → Phase 4 (Pipeline) → Phase 5 (Hardening)
+
+**Critical Path:** CoreSync SQLite→PostgreSQL migration (#55, XL).
+

.squad/agents/wash/history.md

@@ -17,4 +17,23 @@
 - DI registration in `SentenceStudioAppBuilder.cs` (AppLib) and `Program.cs` (WebApp)
 - Aspire env var config: `builder.Configuration["AI:OpenAI:ApiKey"]` not `["AI__OpenAI__ApiKey"]`
 - Server DB at: `/Users/davidortinau/Library/Application Support/sentencestudio/server/sentencestudio.db`
+- Server DB at: `/Users/davidortinau/Library/Application Support/sentencestudio/server/sentencestudio.db`
 - UserProfileId columns for multi-user data isolation — all repos filter by active_profile_id
+
+## Work Sessions
+
+### 2026-03-13 — Cross-Agent Update: Azure Deployment Issues
+
+**Status:** In Progress  
+**GitHub Issues:** #39-#65 created by Zoe (Lead)  
+**Wash's Role:** Deployment orchestration support  
+
+**Phase Execution Order:** Phase 2 (Secrets) → Phase 1 (Auth, localhost-testable) → Phase 3 (Infra) → Phase 4 (Pipeline) → Phase 5 (Hardening)
+
+**Wash Coordination Points:**
+- Phase 4 (Pipeline) — CI/deploy workflows — coordinate with Kaylee's automation
+- Phase 3.5 (Container Apps) — deployment target provisioning
+- Critical Path: CoreSync SQLite→PostgreSQL migration (#55, XL) — coordinate safe data migration in production
+
+**Key Dependencies:** Zoe coordinates Phase 1-3 decisions; Kaylee implements CI/deploy automation; Captain provides Azure portal access.
+

.squad/agents/zoe/history.md

@@ -18,3 +18,46 @@
 - Build with TFM: `dotnet build -f net10.0-maccatalyst`
 - E2E testing is mandatory for every feature/fix
 - Activities follow pattern: `activity-page-wrapper` → `PageHeader` → `activity-content` → `activity-input-bar`
+
+## Work Sessions
+
+### 2026-03-13 — GitHub Issues Created for Azure + Entra ID Plan
+
+**Status:** Complete  
+**Issues Created:** 27 issues (#39–#65)  
+**Dependencies:** All cross-referenced with dependency links  
+
+**Cross-Team Impact:**
+- **Kaylee:** 8 issues assigned (#44–45, #56–59, #60)
+- **Captain:** 1 issue assigned (#42)
+- Issues propagated to respective agent history files
+
+See `.squad/decisions.md` for full decision record.
+
+### 2025-07-22 — Created GitHub Issues for Azure Deployment + Entra ID Plan
+
+**Status:** Complete  
+**Issues Created:** 27 issues (#39-#65)  
+**Decision:** Reframed issue #39 (2.1) from "security emergency" to "best practices" — no secrets were committed to git history.
+
+**Issue Mapping to Plan:**
+
+- **Phase 1 (Auth):** #42 (Entra registrations) → #43 (JWT API) → #44 (WebApp OIDC) → #45 (MAUI MSAL) → #46 (CoreSync) → #47 (Integration tests)
+- **Phase 2 (Secrets):** #39 (user-secrets) → #40 (config all projects) → #41 (HTTPS/headers) → #54 (Key Vault integration)
+- **Phase 3 (Infrastructure):** #48 (azure.yaml) → #49 (PostgreSQL) → #50 (Redis) → #51 (Blob) → #52 (Container Apps) → #53 (Key Vault) → #55 (CoreSync DB migration)
+- **Phase 4 (Pipeline):** #56 (CI) → #57 (Deploy) → #58 (Staging) → #59 (Migrations)
+- **Phase 5 (Hardening):** #60 (Monitoring) → #61 (Rate limit) → #62 (CORS) → #63 (Health) → #64 (Scaling) → #65 (Audit logging)
+
+**Team Assignments:**
+- Zoe (Lead): 14 issues (auth foundational work, infra decisions, hardening architecture)
+- Kaylee (Full-stack): 8 issues (WebApp OIDC, MAUI MSAL, CI/deploy workflows, monitoring)
+- Captain (David): 1 issue (#42 - requires Azure portal/Entra ID access)
+
+**Dependencies Validated:** All 27 issues cross-referenced with dependency links. Phase order preserved for execution.
+
+**Key Learnings:**
+- No security emergency: appsettings.json with secrets already in .gitignore
+- User-secrets workflow as team best practice (Phase 2.1)
+- Phase 1 testable entirely on localhost with Entra ID redirecting to `http://localhost`
+- CoreSync SQLite→PostgreSQL migration is critical path item (Phase 3.7, XL size)
+- Aspire-native provisioning via `azd` avoids manual Bicep maintenance

.squad/decisions.md

@@ -2,7 +2,71 @@
 
 ## Active Decisions
 
-No decisions recorded yet.
+### 1. GitHub Issues Created for Azure + Entra ID Plan (2026-03-13)
+
+**Status:** DOCUMENTED  
+**Date:** 2026-03-13  
+**Author:** Zoe (Lead)  
+
+27 GitHub issues decompose the Azure deployment + Entra ID authentication plan into actionable work items across 5 phases. All issues linked with dependency references and assigned to team members.
+
+**Key Decisions:**
+- **Reframed Issue #39:** User-secrets workflow as team best practice (not security emergency) — no secrets accidentally committed; `appsettings.json` already in `.gitignore`
+- **Execution Order:** Phase 2 → Phase 1 → Phase 3 → Phase 4 → Phase 5 (security-first approach)
+- **Phase 1 Testable Locally:** Auth flow fully validates on `localhost` without Azure deployment
+- **Team Assignments:** Zoe (14 issues, architecture/infra), Kaylee (8 issues, UI/deploy), Captain (1 issue, Azure portal)
+- **Critical Path:** CoreSync SQLite→PostgreSQL migration (Phase 3.7, XL complexity)
+
+**Issue Mapping:**
+| Phase | Count | Issues |
+|-------|-------|--------|
+| Phase 1 (Auth) | 7 | #42-47 |
+| Phase 2 (Secrets) | 4 | #39-41, #54 |
+| Phase 3 (Infrastructure) | 8 | #48-53, #55 |
+| Phase 4 (Pipeline) | 4 | #56-59 |
+| Phase 5 (Hardening) | 6 | #60-65 |
+
+**Learnings:**
+- Aspire-native provisioning (`azd`) generates Bicep — no manual templates needed
+- Localhost testing of auth eliminates blocker for early validation
+- DevAuthHandler alongside Entra ID maintains developer velocity
+- User-secrets as team best practice enables secure local dev
+
+**Next Steps:**
+1. Captain: Register Entra ID app registrations (#42)
+2. Zoe: Begin user-secrets setup (#39-40)
+3. Kaylee: Begin CI workflow (#56)
+4. All phases proceed in parallel where dependencies allow
+
+---
+
+### 2. Architecture Plan: Azure Deployment with Entra ID Authentication (2026-03-13)
+
+**Status:** REFERENCE  
+**Date:** 2026-03-13  
+**Author:** Zoe (Lead)  
+
+Comprehensive architecture plan for transitioning SentenceStudio from local-dev-only to production-ready Azure deployment with real authentication. Covers 5 phases from secret management through hardening, with technical decisions, risk register, and cost estimates.
+
+**Key Technical Decisions:**
+1. **Aspire-Native Provisioning over Raw Bicep** — AppHost defines resources; `azd` generates Bicep
+2. **Keep DevAuthHandler Alongside Entra ID** — Developer velocity: use DevAuthHandler for local dev, Entra ID for production
+3. **PostgreSQL over Azure SQL** — Aligns with AppHost declaration and CoreSync support
+4. **Single-Tenant First** — Start with single Entra ID tenant; multi-tenant support added later
+5. **Token Caching:** SecureStorage (MAUI) and Redis (WebApp)
+
+**3 App Registrations Required:**
+- SentenceStudio API (Web API — resource server)
+- SentenceStudio WebApp (Web app, confidential — Blazor Server)
+- SentenceStudio Native (Mobile/Desktop, public — MAUI clients)
+
+**Scopes Exposed:**
+- `api://sentencestudio/user.read` — user profile, vocabulary
+- `api://sentencestudio/user.write` — modify user data, submit answers
+- `api://sentencestudio/ai.access` — AI chat, speech synthesis, image analysis
+- `api://sentencestudio/sync.readwrite` — CoreSync bi-directional sync
+
+**Estimated Monthly Cost (Production):** ~$107-252
 
 ## Governance