auth
Enables sign-in for the admin UI. Uses OPAQUE: the password never reaches the server, so there is nothing to leak or seed — hence ./cms create-admin, ./cms def-help and invite links instead of default credentials.
| key | default | description |
|---|---|---|
| session_ttl_minutes | 120 | session lifetime, max 43200 (30 days) |
| cookie_name | cms_session | session cookie (HttpOnly) |
| rate_limit | 5 / 10 | sign-in attempts per minute: per_ip_per_minute and per_login_per_minute |
New users are created via invite links (admin → Users; the link is valid 24 hours, single use). Any signed-in user can change their password from the Dashboard.