February 26, 2026 · v0.1.16 · Jugg.ai

v0.1.16 — fix(auth): resolve MFA enforcement bypass for AMR-unaware providers (Google/GitHub)

Release v0.1.16: Fix MFA Enforcement Bypass for Google and GitHub OAuth

What Changed

  • Fixed critical bug: Google and GitHub OAuth users were incorrectly blocked when MFA_REQUIRED=true because these providers don't emit amr (Authentication Methods Reference) claims in their ID tokens
  • Provider-aware verification: Refactored MFA logic to distinguish between AMR-aware providers (Microsoft Entra ID, Okta) that emit amr claims and AMR-unaware providers (Google, GitHub) that enforce MFA at the provider level
  • New MFA_REQUIRED_PROVIDERS env var: Operators can now restrict OAuth sign-ins to specific providers when MFA is required
  • Clearer audit trail: Four distinct audit actions (auth.mfa_verified, auth.mfa_not_used, auth.mfa_provider_trusted, auth.mfa_claim_absent) replace ambiguous logging

Why It Matters

Google and GitHub users with MFA enabled at their provider level can now sign in when the platform requires MFA. The fix maintains security by trusting provider-level enforcement while preserving the audit trail required for SOC 2 CC6.1 compliance.

Technical Notes

  • New resolveMfaVerified() function and exported provider classification sets (AMR_AWARE_PROVIDERS, AMR_UNAWARE_PROVIDERS) enable comprehensive unit testing
  • Breaking change: MFA status is now determined by provider type rather than token claim alone
  • Operators using MFA_REQUIRED=true with Google or GitHub should verify MFA enforcement is enabled in those platforms' admin consoles
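The following is an added illustration, not code from the Jugg.ai repository or PR #425, of the provider-aware resolution described under "What Changed" and "Technical Notes": AMR-aware providers are judged on their amr claim, AMR-unaware providers are trusted at the provider level, MFA_REQUIRED_PROVIDERS narrows which providers may sign in at all, and every path records one of the four audit actions. The exported names and audit action strings come from the notes above; the function signatures, the provider identifiers ("entra", "okta", "google", "github"), the config shape and the fail-closed handling of unknown providers are assumptions.

```typescript
// Added example (hypothetical model, not the project's own code) of the
// provider-aware MFA resolution described in the v0.1.16 release notes.
// Provider identifiers and signatures are assumptions.

export const AMR_AWARE_PROVIDERS: ReadonlySet<string> = new Set(["entra", "okta"]);
export const AMR_UNAWARE_PROVIDERS: ReadonlySet<string> = new Set(["google", "github"]);

// The four audit actions named in the release notes.
export type MfaAuditAction =
  | "auth.mfa_verified"
  | "auth.mfa_not_used"
  | "auth.mfa_provider_trusted"
  | "auth.mfa_claim_absent";

export interface MfaResolution {
  verified: boolean;
  audit: MfaAuditAction;
}

export interface IdTokenClaims {
  sub: string;
  amr?: unknown; // untrusted until its shape is validated
}

// Return the amr claim as a string array, or undefined if absent or malformed.
function readAmr(claims: IdTokenClaims): string[] | undefined {
  const amr = claims.amr;
  if (!Array.isArray(amr) || !amr.every((v) => typeof v === "string")) return undefined;
  return amr as string[];
}

export function resolveMfaVerified(provider: string, claims: IdTokenClaims): MfaResolution {
  if (AMR_UNAWARE_PROVIDERS.has(provider)) {
    // Provider enforces MFA on its side and never emits amr: trust it, but say so in the audit log.
    return { verified: true, audit: "auth.mfa_provider_trusted" };
  }
  // AMR-aware providers (and, as an assumption, unknown ones) are judged on the claim and fail closed.
  const amr = readAmr(claims);
  if (amr === undefined) return { verified: false, audit: "auth.mfa_claim_absent" };
  // "mfa" is the RFC 8176 value meaning multiple factors were used.
  return amr.includes("mfa")
    ? { verified: true, audit: "auth.mfa_verified" }
    : { verified: false, audit: "auth.mfa_not_used" };
}

export interface MfaConfig {
  mfaRequired: boolean;                    // MFA_REQUIRED
  requiredProviders?: ReadonlySet<string>; // MFA_REQUIRED_PROVIDERS; undefined means any provider
}

// Parse a comma-separated MFA_REQUIRED_PROVIDERS value; empty or unset means no restriction.
export function parseRequiredProviders(raw: string | undefined): ReadonlySet<string> | undefined {
  if (raw === undefined || raw.trim() === "") return undefined;
  return new Set(raw.split(",").map((p) => p.trim().toLowerCase()).filter((p) => p.length > 0));
}

export interface SignInDecision {
  allowed: boolean;
  reason: MfaAuditAction | "provider_not_permitted"; // the latter is an assumed reason, not a page audit action
}

export function evaluateSignIn(provider: string, claims: IdTokenClaims, config: MfaConfig): SignInDecision {
  const resolution = resolveMfaVerified(provider, claims);
  if (!config.mfaRequired) {
    // MFA not enforced: allow, but keep the resolution in the audit trail.
    return { allowed: true, reason: resolution.audit };
  }
  if (config.requiredProviders && !config.requiredProviders.has(provider)) {
    return { allowed: false, reason: "provider_not_permitted" };
  }
  return { allowed: resolution.verified, reason: resolution.audit };
}
```

The case the release fixes is the first one a test should cover: a Google sign-in with no amr claim and MFA_REQUIRED=true is now allowed with auth.mfa_provider_trusted, whereas an Entra or Okta token without amr still fails closed with auth.mfa_claim_absent. Setting MFA_REQUIRED_PROVIDERS to the AMR-aware providers only is the way to keep the stricter claim-based check for every sign-in.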

Release Notes

PR #425 ("fix(auth): resolve MFA enforcement bypass for AMR-unaware providers") was successfully reviewed, CI confirmed passing, and merged into main via squash merge (commit 0075cefc).

However, the GitHub release could NOT be created: tag v0.1.16 already exists in the repository. GitHub returned a validation error ("tag_name already_exists"). Operator action is required — either delete the existing v0.1.16 tag so it can be reused, or confirm using the next version (v0.1.17) instead.