Credentials are verified by the standalone Rust backend (authN). Sessions are not yet wired — see ADR-0007.