plan(phase1): 1.2/1.4 done across 3 repos (lib 0.1.1); remaining 1.3/1.5-1.7

docs/plans/2026-06-02-auth-audit-normalization-phase1.md

@@ -110,6 +110,19 @@ regardless of `Enabled`, requiring Server/SearchBase/ServiceAccountDn even when
 add an `if (!Enabled) return Success` guard to the shared validator and republish `0.1.1`, re-pinning all
 consumers. (Alternative: each consumer always supplies those fields. The library fix is the principled one.)
 
+## Task 1.2/1.4 — DONE (reviewed + fixed, 2026-06-02)
+
+Library hardened to **`0.1.1`** (`LdapOptionsValidator` skips when `Enabled=false`), republished, re-pinned in all 3 repos.
+Fix commits: OtOpcUa `c4f315e` (startup insecure-transport guard gated on Enabled/DevStub + `Transport: Ldaps`
+declared in the 3 prod overlays + test fidelity), MxGateway `f4dc11b` (group-claim shape documented as
+non-breaking — claim read nowhere in prod; shadow `LdapOptions` kept with a drift-warning doc), ScadaBridge
+`4db8c37` (secret-test repointed to nested key, prod checklist updated, `Scope` cast guarded). All targeted
+suites green. **1.2 (LDAP) + 1.4 (config) complete across all 3 repos.**
+
+Remaining Phase 1: **1.3 ApiKeys** (MxGateway donor cutover — low risk; ScadaBridge full re-architecture —
+largest single item: SQLite store + Bearer format + scopes + key re-issuance), **1.5** claims/cookies,
+**1.6** dev base DN, **1.7** canonical roles.
+
 ## Resolved decisions (2026-06-02)
 
 - **Decision A — ScadaBridge inbound API keys depth → (a) FULL ADOPT.** Re-architect inbound-API auth to the