Platform Cross-cutting platform concerns shared by every subsystem — authentication, storage, secrets, networking. Authentication Stateless Bearer JWT — a one-shot cookie-to-JWT exchange, then local JWKS verification on every business route. Three server entry points (h() / requireAuth / raw verifyJwt) cover JSON CRUD, streaming + multipart, and WebSocket; one cookie-only exception remains for top-level browser navigation that triggers OAuth.