Account Security
Passwords must contain uppercase, lowercase, and digit characters and meet a minimum length. Sessions use secure cookies with `SameSite=Lax` and optional 30-day remember-me tokens.
This framework includes registration, login, remember me, email verification, password reset, maintenance mode, and role-aware admin controls.
Email verification links expire after 48 hours, password reset tokens expire after 1 hour, and resend/reset attempts are rate limited.
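A sketch of how expiring tokens with the lifetimes above can be issued and redeemed, as an added example that is not the framework's own code. The `TokenStore` class, the purpose names, digest-only storage, single-use redemption, and revocation on reissue are assumptions of this example, not documented framework behavior.

```python
import hashlib
import secrets
import time

# Lifetimes from the text above; the purpose names are hypothetical.
TOKEN_TTL = {"verify_email": 48 * 3600, "reset_password": 1 * 3600}


class TokenStore:
    """In-memory stand-in for a tokens table (hypothetical schema)."""

    def __init__(self):
        # (purpose, sha256(token)) -> (user_id, expires_at)
        self._rows = {}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id, purpose, now=None):
        now = time.time() if now is None else now
        # Assumption: one live token per user and purpose, so a new
        # request revokes any older link of the same kind.
        self._rows = {k: v for k, v in self._rows.items()
                      if not (k[0] == purpose and v[0] == user_id)}
        token = secrets.token_urlsafe(32)  # 32 random bytes from the OS CSPRNG
        # Only the digest is stored, so a leaked table yields no usable links.
        key = (purpose, self._digest(token))
        self._rows[key] = (user_id, now + TOKEN_TTL[purpose])
        return token

    def redeem(self, token, purpose, now=None):
        """Return the user id for a valid token, else None."""
        now = time.time() if now is None else now
        # pop() makes the token single use: a replayed link finds nothing.
        # Keying on purpose stops a verification link resetting a password.
        row = self._rows.pop((purpose, self._digest(token)), None)
        if row is None:
            return None
        user_id, expires_at = row
        if now >= expires_at:
            return None  # expired tokens are consumed, never honoured
        return user_id
```

The `now` parameter exists so expiry can be tested deterministically; production callers would leave it unset.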
Roles include User, Contributor, Admin, and Super Admin, with management boundaries enforced in the shared RBAC helpers.