C-01: Initialize config=None before conditional in auth/status to
prevent NameError on fresh instance (setup_required=True path)
C-02: Use generic "Authentication failed" on passkey lockout trigger
instead of leaking lockout state (consistent with F-02 remediation)
W-01: Add nginx rate limit for /api/auth/passkeys/passwordless
endpoints (enable accepts password — brute force protection)
W-02: Call record_successful_login in passkey unlock path to reset
failed_login_count (prevents unexpected lockout accumulation)
W-05: Auto-clear must_change_password on passkey login — user can't
provide old password in forced-change form after passkey auth
S-01: Pin webauthn to >=2.1.0,<3 (prevent major version breakage)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
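
The handler-side fixes listed above (C-01, C-02, W-02 and W-05), shown as an added, self-contained model written for this page rather than the project's own code. The names `Instance`, `User`, `MAX_FAILED_LOGINS` and the two status functions are assumptions; `setup_required`, `record_successful_login`, `failed_login_count` and `must_change_password` come from the commit message, but their bodies here are illustrative. The nginx rate limit (W-01) and the version pin (S-01) are configuration changes and are not modelled.

```python
"""Minimal model of the auth fixes in the commit above (hypothetical code)."""
from dataclasses import dataclass, field
from hmac import compare_digest

MAX_FAILED_LOGINS = 5  # assumed lockout threshold, not stated in the commit
GENERIC_FAILURE = "Authentication failed"  # one message for every failure path


@dataclass
class User:
    username: str
    password: str  # toy model only; a real store keeps a password hash
    failed_login_count: int = 0
    locked_out: bool = False
    must_change_password: bool = False


@dataclass
class Instance:
    """Assumed stand-in for the app instance; configured=False is a fresh install."""
    configured: bool = False
    users: dict[str, User] = field(default_factory=dict)


def auth_status_buggy(inst: Instance) -> dict:
    """Pre-C-01 shape: `config` is bound only when the instance is configured,
    so the fresh-instance path reads an unbound local and raises NameError
    (UnboundLocalError is a NameError subclass)."""
    if inst.configured:
        config = {"instance": "configured"}
    return {"setup_required": config is None}


def auth_status_fixed(inst: Instance) -> dict:
    """C-01: bind config=None before the conditional so every path defines it."""
    config = None
    if inst.configured:
        config = {"instance": "configured"}
    return {"setup_required": config is None}


def record_successful_login(user: User) -> None:
    """Reset the failure counter; W-02 calls this from the passkey path too."""
    user.failed_login_count = 0


def password_login(inst: Instance, username: str, password: str) -> tuple[bool, str]:
    user = inst.users.get(username)
    if user is None or user.locked_out:
        # C-02: locked-out accounts get the same generic message as any other
        # failure, so the response does not reveal lockout state.
        return False, GENERIC_FAILURE
    if not compare_digest(user.password.encode(), password.encode()):
        user.failed_login_count += 1
        if user.failed_login_count >= MAX_FAILED_LOGINS:
            user.locked_out = True
        return False, GENERIC_FAILURE
    record_successful_login(user)
    return True, "ok"


def passkey_login(inst: Instance, username: str, assertion_ok: bool) -> tuple[bool, str]:
    """`assertion_ok` stands in for a verified WebAuthn assertion (assumed)."""
    user = inst.users.get(username)
    if user is None or user.locked_out or not assertion_ok:
        return False, GENERIC_FAILURE
    record_successful_login(user)      # W-02: failures no longer accumulate
    user.must_change_password = False  # W-05: no old password to supply
    return True, "ok"


def run_scenario() -> dict:
    """Exercise each fix on constructed data and return the observations."""
    inst = Instance()
    out = {}
    try:
        auth_status_buggy(inst)
        out["buggy_raises"] = False
    except NameError:
        out["buggy_raises"] = True
    out["fresh_status"] = auth_status_fixed(inst)
    inst.configured = True
    out["configured_status"] = auth_status_fixed(inst)

    alice = User("alice", "correct horse", must_change_password=True)
    inst.users["alice"] = alice
    for _ in range(3):  # below the threshold: counter grows, no lockout
        out["fail_msg"] = password_login(inst, "alice", "wrong")[1]
    out["count_before_passkey"] = alice.failed_login_count
    out["passkey_ok"] = passkey_login(inst, "alice", assertion_ok=True)[0]
    out["count_after_passkey"] = alice.failed_login_count
    out["must_change_after_passkey"] = alice.must_change_password

    bob = User("bob", "hunter2")
    inst.users["bob"] = bob
    for _ in range(MAX_FAILED_LOGINS):
        password_login(inst, "bob", "wrong")
    out["bob_locked"] = bob.locked_out
    # Correct password on a locked account: same text as a wrong password.
    out["locked_msg"] = password_login(inst, "bob", "hunter2")[1]
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Running the module prints each observation; the point to check is that `locked_msg` and `fail_msg` are identical strings, and that the passkey path zeroes `failed_login_count` and clears `must_change_password` without the user ever typing the old password.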