
fix(chat): close SSO auth bypass via checkSSOAccess body flag #4408

Merged
waleedlatif1 merged 3 commits into staging from waleedlatif1/security-review
May 2, 2026

Conversation

@waleedlatif1
Collaborator

Summary

  • Remove checkSSOAccess short-circuit in validateChatAuth — SSO branch now always validates via getSession(), body-supplied email is ignored
  • Skip chat_auth cookie issuance and validation for SSO deployments to close the replay window
  • Split the eligibility pre-flight into a dedicated POST /api/chat/[identifier]/sso endpoint that returns { eligible } and never touches the executor
  • Drop .passthrough() and checkSSOAccess from deployedChatAuthBodySchema / deployedChatPostBodySchema
  • Add SSO branch test coverage in chat/utils.test.ts

Type of Change

  • Bug fix (security)

Testing

Tested manually; bun run check:api-validation passes.

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)
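The pattern the first two summary bullets describe, as an added illustration rather than the project's own code: a chat auth check whose SSO branch can be short-circuited by a client-supplied `checkSSOAccess` flag and body `email`, next to the session-backed form where the body is ignored, plus a separate eligibility pre-flight that only reports `{ eligible }`. Every name and shape below (`Deployment`, `Session`, `ChatAuthBody`, the `SESSIONS` map, `getSession`, `emailAllowed`, `validateChatAuthVulnerable`, `validateChatAuthFixed`, `ssoEligibility`) is an assumption made for this example; the real `validateChatAuth` and `getSession` in the repository are not shown here.

```typescript
// Added example, not the project's code. Demonstrates why a body-supplied
// checkSSOAccess flag must not short-circuit session validation.

type Deployment = {
  identifier: string;
  authType: 'public' | 'password' | 'sso';
  allowedEmailDomains: string[]; // assumed SSO access rule for this example
};

type Session = { user: { email: string } } | null;

type ChatAuthBody = {
  email?: string;
  checkSSOAccess?: boolean;
  [key: string]: unknown; // mimics a .passthrough() schema: unknown keys tolerated
};

type AuthResult = { authorized: boolean; reason: string };

// Constructed stand-in for a server-side session store, keyed by a session
// cookie value the client cannot forge. Returns null when nothing matches.
const SESSIONS: Record<string, Session> = {
  'sess-alice': { user: { email: 'alice@example.com' } },
};

function getSession(sessionCookie: string | undefined): Session {
  if (!sessionCookie) return null;
  return SESSIONS[sessionCookie] ?? null;
}

function emailAllowed(email: string, deployment: Deployment): boolean {
  const domain = (email.split('@')[1] ?? '').toLowerCase();
  return deployment.allowedEmailDomains.includes(domain);
}

// BEFORE (the defect class the PR closes): when the body carries
// checkSSOAccess=true, the body-supplied email is accepted as the identity
// and the session is never consulted. Two JSON fields decide the outcome.
function validateChatAuthVulnerable(
  deployment: Deployment,
  body: ChatAuthBody,
  sessionCookie?: string,
): AuthResult {
  if (deployment.authType !== 'sso') return { authorized: true, reason: 'not an sso deployment' };
  if (body.checkSSOAccess === true && typeof body.email === 'string') {
    return emailAllowed(body.email, deployment)
      ? { authorized: true, reason: 'body email accepted without verification' }
      : { authorized: false, reason: 'body email domain not allowed' };
  }
  const session = getSession(sessionCookie);
  if (!session) return { authorized: false, reason: 'no session' };
  return emailAllowed(session.user.email, deployment)
    ? { authorized: true, reason: 'session email allowed' }
    : { authorized: false, reason: 'session email domain not allowed' };
}

// AFTER: the SSO branch always resolves identity from the session. The body
// is accepted as a parameter only to show that it plays no part.
function validateChatAuthFixed(
  deployment: Deployment,
  _body: ChatAuthBody,
  sessionCookie?: string,
): AuthResult {
  if (deployment.authType !== 'sso') return { authorized: true, reason: 'not an sso deployment' };
  const session = getSession(sessionCookie);
  if (!session) return { authorized: false, reason: 'no session' };
  return emailAllowed(session.user.email, deployment)
    ? { authorized: true, reason: 'session email allowed' }
    : { authorized: false, reason: 'session email domain not allowed' };
}

// Eligibility pre-flight kept apart from execution: answers "would this
// session be allowed?" from the session alone and does nothing else.
function ssoEligibility(deployment: Deployment, sessionCookie?: string): { eligible: boolean } {
  return { eligible: validateChatAuthFixed(deployment, {}, sessionCookie).authorized };
}

// Constructed deployment and a forged body with no session cookie at all.
const SSO_DEPLOYMENT: Deployment = {
  identifier: 'demo-chat',
  authType: 'sso',
  allowedEmailDomains: ['example.com'],
};
const FORGED_BODY: ChatAuthBody = { checkSSOAccess: true, email: 'anyone@example.com' };

export { validateChatAuthVulnerable, validateChatAuthFixed, ssoEligibility, SSO_DEPLOYMENT, FORGED_BODY };
```

With no session cookie, the forged body satisfies the vulnerable check and is rejected by the fixed one; with a valid cookie, the fixed check uses the session's email even when the body names a different one. That contrast is the whole reason the `checkSSOAccess` field is removed from the schemas rather than merely validated more carefully.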