# Yumi SSO — Runbook (Google · Apple · Microsoft)

> **Status: scaffold + plan.** The actual provider **app registrations must be created by Ben**
> in each provider's console — an agent cannot create them (they require Ben's identity and
> interactive console access, like the Entra TAP work). This file is the runbook for that work
> and the integration points once the registrations exist.

## Current state

Cowork surfaces today authenticate via the **MMD Entra** application registration (the live
tenant). Yumi needs its **own** identity-provider registrations so it is not coupled to the MMD
tenant, and so Google and Apple sign-in are supported alongside Microsoft.

## What to create (Ben, in each console)

### 1. Microsoft (Azure / Entra)
- New App Registration in the Yumi tenant.
- Redirect URIs: web/PWA origin, desktop redirect, mobile deep link (collect exact URIs from the
  surface configs first). Entra matches registered redirect URIs exactly, so register each one
  verbatim rather than relying on a wildcard.
- Desktop and mobile are public clients: use the authorization-code flow with PKCE for them and
  do not ship a client secret in those binaries; the secret is for the confidential web/server
  path only.
- Expose an API / scopes as needed; grant the Graph scopes the Cowork connectors use
  (Mail, Calendar, Teams, OneDrive/Files, Directory/User.Read — match the existing MMD set).
- Record: `Client ID`, `Tenant ID`, `Client Secret` → env/secret store.

### 2. Google (Google Cloud Console)
- OAuth 2.0 client IDs: a Web application client, plus Desktop / iOS / Android client types if
  those surfaces use native flows (the non-web client types are public clients and use PKCE).
- Same redirect URI set as the Microsoft registration.
- Scopes: `openid email profile` for sign-in itself, then Gmail, Calendar, Drive, and
  Directory (People) — the Google analogues of the Graph scopes above.
- Record: `Client ID`, `Client Secret` → env/secret store.

### 3. Apple (Apple Developer)
- **Sign in with Apple**: create a Services ID and a Sign-in-with-Apple key (the downloadable
  `.p8` private key), and configure the return URLs.
- Apple issues no static client secret: the `client_secret` is a JWT the server mints itself,
  signed with the `.p8` key (ES256), with `iss` = Team ID, `sub` = Services ID and an expiry of at
  most six months, so the secret store must hold the key, not a secret string.
- Apple returns the user's email only on the first sign-in, so persist the `sub` claim as the
  stable identifier from the first response onward.
- For native iOS later: an App ID + associated capability.
- Record: `Services ID`, `Team ID`, `Key ID`, private key → env/secret store.

## Integration points (code wiring — P1)

The shared auth helpers live in `services/mmd-cowork-core` (auth helpers referenced by the
architecture doc) and the connector credential references live in `services/mmd-cowork-config`.
P1 work: add a multi-provider SSO layer (Google + Apple alongside the existing Microsoft/Entra
path) that resolves the signed-in user to a Yumi identity and a Hindsight bank, then feed the
provider tokens into the MCP connectors. **Audit the current auth code in `@mmd/cowork-core`
before designing this** — do not assume env-var names; read the implementation.
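As an added example (not code from the Yumi/Cowork repos, and written without having audited `@mmd/cowork-core`), the two pieces above that are easiest to get wrong: minting the Sign in with Apple client secret from the Services ID / Team ID / Key ID / private key recorded in step 3, and resolving a provider ID token to a Yumi identity. It uses only `node:crypto`. The key pair (generated locally in place of Apple's `.p8` download), the issuer and client-ID values in `PROVIDERS`, and the `provider:sub` identity key format are assumptions; `resolveIdentity` expects claims whose signature has already been checked against the provider's published JWKS, which this offline example does not fetch.

```typescript
// Added example, not project code: Sign in with Apple client-secret minting plus
// provider ID-token claim checks, using only node:crypto. Key material, issuer and
// client-ID values, and the "provider:sub" Yumi identity key are all assumptions.
import * as crypto from "node:crypto";

const b64url = (data: string | Buffer): string =>
  (Buffer.isBuffer(data) ? data : Buffer.from(data, "utf8")).toString("base64url");
const fromB64url = (s: string): Buffer => Buffer.from(s, "base64url");

// Sign a compact JWS with ES256 (ECDSA P-256 over SHA-256, raw r||s signature encoding).
export function signEs256(header: object, payload: object, privateKeyPem: string): string {
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}`;
  const sig = crypto.sign("sha256", Buffer.from(input, "utf8"),
    { key: privateKeyPem, dsaEncoding: "ieee-p1363" });
  return `${input}.${b64url(sig)}`;
}

// Verify an ES256 compact JWS; returns the decoded claims or null. The alg is pinned,
// so a token whose header claims "none" or HS256 is rejected before any key is used.
export function verifyEs256(jwt: string, publicKeyPem: string): Record<string, unknown> | null {
  const parts = jwt.split(".");
  if (parts.length !== 3) return null;
  const header = JSON.parse(fromB64url(parts[0]).toString("utf8"));
  if (header.alg !== "ES256") return null;
  const ok = crypto.verify("sha256", Buffer.from(`${parts[0]}.${parts[1]}`, "utf8"),
    { key: publicKeyPem, dsaEncoding: "ieee-p1363" }, fromB64url(parts[2]));
  return ok ? JSON.parse(fromB64url(parts[1]).toString("utf8")) : null;
}

// Apple issues no static secret: the client_secret is a JWT you mint with the .p8 key.
// iss = Team ID, sub = Services ID, aud = Apple, exp at most six months out (Apple's
// documented cap is 15777000 s). Mint short-lived secrets rather than six-month ones.
export const APPLE_AUD = "https://appleid.apple.com";
export const APPLE_MAX_TTL = 15777000;
export function appleClientSecret(p: {
  teamId: string; servicesId: string; keyId: string; privateKeyPem: string;
  nowSec: number; ttlSec?: number;
}): string {
  const ttl = Math.min(p.ttlSec ?? 86400, APPLE_MAX_TTL);
  return signEs256(
    { alg: "ES256", kid: p.keyId },
    { iss: p.teamId, sub: p.servicesId, aud: APPLE_AUD, iat: p.nowSec, exp: p.nowSec + ttl },
    p.privateKeyPem,
  );
}

// Constructed P-256 key pair standing in for Apple's .p8 download; production code
// loads the .p8 from the secret store and never generates a key itself.
export function makeTestKeyPair(): { privateKey: string; publicKey: string } {
  return crypto.generateKeyPairSync("ec", {
    namedCurve: "prime256v1",
    publicKeyEncoding: { type: "spki", format: "pem" },
    privateKeyEncoding: { type: "pkcs8", format: "pem" },
  });
}

export type Provider = "microsoft" | "google" | "apple";
export interface ProviderConfig { issuers: string[]; clientId: string }
// Assumed values: the Microsoft issuer embeds the Yumi tenant ID, Google legitimately
// uses either issuer spelling, and Apple's client_id is the Services ID.
export const PROVIDERS: Record<Provider, ProviderConfig> = {
  microsoft: { issuers: ["https://login.microsoftonline.com/YUMI-TENANT-ID/v2.0"], clientId: "YUMI-ENTRA-CLIENT-ID" },
  google: { issuers: ["https://accounts.google.com", "accounts.google.com"], clientId: "YUMI-GOOGLE-CLIENT-ID" },
  apple: { issuers: ["https://appleid.apple.com"], clientId: "com.example.yumi.signin" },
};

// Map signature-verified ID-token claims to a stable Yumi identity key. Key on
// issuer+sub, never on email: Apple returns the email only on first sign-in (and may
// hand out a relay address), and Google/Microsoft account emails can change.
export function resolveIdentity(
  claims: Record<string, unknown>, expectedNonce: string, nowSec: number,
  cfg: Record<Provider, ProviderConfig> = PROVIDERS,
): { provider: Provider; yumiKey: string } | null {
  const { iss, sub, exp, nonce } = claims;
  if (typeof iss !== "string" || typeof sub !== "string" || typeof exp !== "number") return null;
  const hit = (Object.entries(cfg) as [Provider, ProviderConfig][])
    .find(([, c]) => c.issuers.includes(iss));
  if (!hit) return null;                               // issuer is not one of ours
  const [provider, c] = hit;
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(c.clientId)) return null;          // minted for another app (token mix-up)
  if (exp <= nowSec) return null;                      // expired
  if (nonce !== expectedNonce) return null;            // replay: nonce is bound to this login
  return { provider, yumiKey: `${provider}:${sub}` };
}
```

The `yumiKey` is what the P1 layer would look up (or create) to find the Yumi identity and its Hindsight bank; the provider access/refresh tokens for the MCP connectors are a separate concern and never belong in that key. Clock-skew tolerance on `exp` and the Microsoft `tid`/`azp` checks are left out here and belong in the real implementation.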

## Verification rule

Per Ben's global server-only rule: any live SSO verification uses the **real public provider
redirect path**, not localhost, bypassed auth, injected headers, or stale tokens. If a proper
public check is blocked, report `blocked` — do not substitute local evidence.

## Open

- Decide the Yumi domain(s) the redirect URIs will use (the stack currently lives on
  `*.baobab-ts.com` / `*.flow-master.ai`).
- Decide whether Yumi runs in its own Entra tenant or a new one.
