Okta SSO, Cookie-Based Sessions, Reliable "Select All", and Stricter Grid Filtering (QA)
Executive summary
This is a large backend batch promoted to QA. It adds enterprise single sign-on via Okta, introduces secure browser-cookie session handling with CSRF protection, and reworks how grids handle "Select All" and column filtering so bulk actions act on exactly the rows that match the applied filters. Both Okta SSO and cookie-based login ship behind feature flags that are off by default, so existing token-based login is unchanged unless explicitly enabled. The batch also includes vendor-portal file/real-time-update cleanup and operational fixes.
Why this was needed
Enterprise clients increasingly require login through their own identity provider (Okta) rather than separate DSM credentials. Separately, the previous grid filtering allowed "post-filtering" in application memory, which produced incorrect total counts, inconsistent pagination, and unreliable "Select All" results when a filter could not be applied at the database level. Browser sessions also needed a safer, HttpOnly-cookie option with CSRF defenses for portal logins.
Client / user impact
- Okta SSO (when enabled): users can sign in to the admin and vendor portals with their Okta account; group membership can be mapped to DSM entities and roles, with optional auto-provisioning and account linking by email.
- "Select All" that means it: bulk update, delete, archive, and move on Mails, Inbox, Documents, Folders, Rules, and Batches now resolve the full filtered set (with the ability to exclude specific rows), and a preview shows how many items will be affected before acting.
- More trustworthy filtering: filter results, totals, and pagination stay consistent; columns that cannot be filtered at the database level (computed counts, display-name columns) are now clearly marked non-filterable instead of silently returning wrong results.
- Safer sessions (when cookie auth is enabled): HttpOnly session cookies with CSRF protection; logout reliably clears the browser session even if the token already expired.
Technical scope
- Cookie auth: new `CookieAuthService` + `CookieAuthSettings` (HttpOnly access/refresh cookies, SameSite, optional secure/domain); `login`, `refresh`, `logout`, and `/me` now set/clear cookies and emit a CSRF cookie/header; logout made idempotent via a new `get_current_user_optional` dependency. Gated by `ENABLE_COOKIE_AUTH` (default off).
- Okta OIDC SSO: new `okta_oidc_service` (Authorization Code + PKCE, discovery/JWKS caching, id_token verification) and `auth_okta.py` router (`/okta/login`, `/callback`, `/logout`) with redirect-allowlist validation. Gated by `ENABLE_OKTA_SSO` (default off).
- External identity mapping: new Alembic migration adds `UserExternalIdentities`, `ExternalGroupEntityMappings`, `ExternalGroupRoleMappings` tables; `external_idp_mapping_service` resolves/links users and maps IdP groups to entities/roles (union/replace modes); admin CRUD endpoints under `/api/idp/...` plus a seed migration for a default Okta admin group.
- CSRF: new `CsrfMiddleware` (Origin/Referer allowlist with double-submit-token fallback, skipped for Bearer-token requests) and a front-end fetch wrapper that attaches `X-CSRF-Token`.
- Grid filtering refactor: post-filtering deprecated; `BaseColumnFilterAdapter` strict mode raises `UnsupportedFilterError` for non-pushdown keys; migration marks computed/aggregate/display columns (e.g. `mail_count`, `total_documents`, `status_name`, `client_name`, `sharing_details`) as non-filterable. Six per-module column-filter services rewritten.
- Select All / bulk operations: new `BulkSelectionService` reusing the filter orchestrator for grid parity, plus `/api/v1/bulk-operations/preview`; `select_all`, `filters`, and `excluded_ids` added to bulk endpoints for Mails, Documents, Folders, Rules, and Batches. Select-all is rejected when active filters would require post-filtering.
- Vendor portal: `vendor_files.py` WebSocket auth refactored into a shared loop; vendor auth/login/files templates simplified.
- Chores: Makefile compose-override detection and `--remove-orphans` on down/clean; Redis adjustments. Includes design docs and Okta smoke-test scripts.
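The CSRF bullet above describes the decision the middleware has to make on every request: safe methods pass, Bearer-token requests are skipped, Origin/Referer are checked against an allowlist, and a double-submit token is the fallback. The following is an added illustration of that decision as a pure function, not the batch's `CsrfMiddleware`; the cookie name `csrf_token`, the sample allowlist, and the choice to reject (rather than fall back) when a present Origin/Referer is not allowlisted are assumptions of this example. It is framework-free so it runs offline.

```python
import hmac
from typing import Dict, Iterable, Optional, Tuple

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
CSRF_COOKIE = "csrf_token"     # assumed cookie name; the page does not name it
CSRF_HEADER = "x-csrf-token"   # the X-CSRF-Token header the fetch wrapper attaches


def _origin_of(url: str) -> Optional[str]:
    """Reduce a URL (Origin or Referer value) to scheme://host[:port], or None if malformed."""
    from urllib.parse import urlsplit
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None  # covers the literal "null" Origin and relative junk
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def csrf_decision(method: str, headers: Dict[str, str], cookies: Dict[str, str],
                  allowed_origins: Iterable[str]) -> Tuple[bool, str]:
    """Return (allowed, reason) for one request.

    Order of checks mirrors the middleware description: safe method -> Bearer skip ->
    Origin/Referer allowlist -> double-submit token fallback when neither header is present.
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method"

    h = {k.lower(): v for k, v in headers.items()}

    # Bearer-token clients are not cookie-authenticated, so CSRF does not apply to them.
    if h.get("authorization", "").lower().startswith("bearer "):
        return True, "bearer token request, csrf not applicable"

    allowed = {o.lower().rstrip("/") for o in allowed_origins}
    for source in ("origin", "referer"):
        value = h.get(source)
        if value:
            origin = _origin_of(value)
            if origin is not None and origin in allowed:
                return True, f"{source} allowlisted"
            # A present but untrusted/malformed header is rejected outright (assumption).
            return False, f"{source} not allowlisted"

    # Neither header present (some proxies and privacy settings strip them):
    # fall back to the double-submit token, compared in constant time.
    cookie_token = cookies.get(CSRF_COOKIE, "")
    header_token = h.get(CSRF_HEADER, "")
    if cookie_token and header_token and hmac.compare_digest(cookie_token, header_token):
        return True, "double-submit token matched"
    return False, "missing or mismatched csrf token"


if __name__ == "__main__":
    allow = ["https://admin.dsm.example"]  # constructed allowlist
    print(csrf_decision("POST", {"Origin": "https://admin.dsm.example"}, {}, allow))
    print(csrf_decision("POST", {"Origin": "https://evil.example"}, {}, allow))
    print(csrf_decision("POST", {"X-CSRF-Token": "abc"}, {"csrf_token": "abc"}, allow))
```

A useful QA check on top of the flag-gated behaviour: send an unsafe request with no Origin, no Referer and no token, and confirm it is refused only when `ENABLE_COOKIE_AUTH` is on.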
Risk & mitigation
Largest risk is the grid filtering change: marking columns non-filterable and rejecting unsupported filter keys is intentionally stricter, so a previously "working" (but inaccurate) filter or a select-all over such a filter will now be refused rather than returning wrong rows. Mitigation: clients act on items manually in those cases, and counts/pagination are now correct. Auth additions are lower risk because Okta SSO and cookie sessions are both feature-flagged off by default, leaving existing Bearer-token login unchanged; CSRF enforcement only applies when cookie auth is enabled. Three new tables and several data-seeding migrations require a clean Alembic upgrade on QA.
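To make the risk paragraph concrete, here is an added, self-contained sketch of the strict-filter and select-all behaviour it describes; it is not the batch's `BaseColumnFilterAdapter` or `BulkSelectionService` code. The column catalogue, the five sample "Mails" rows, and the equality-only stand-in for the SQL pushdown are constructed for the example. The point it shows is that a non-pushdown key (`client_name`) raises before any rows are read, so a select-all over that filter is refused instead of silently acting on the wrong set.

```python
from typing import Dict, Iterable, List, Optional

class UnsupportedFilterError(ValueError):
    """Raised in strict mode for a filter key that cannot be pushed down to the database."""

# Constructed catalogue for a "Mails" grid (assumption; the real one is set by the migration).
# True = filterable at the database level; False = computed/aggregate/display, non-filterable.
MAIL_COLUMNS: Dict[str, bool] = {
    "id": True, "status_id": True, "client_id": True, "subject": True,
    "mail_count": False, "client_name": False, "status_name": False,
}

# Constructed sample rows standing in for query results.
MAILS = [
    {"id": 1, "status_id": 1, "client_id": 10, "subject": "Invoice 42"},
    {"id": 2, "status_id": 1, "client_id": 10, "subject": "Invoice 43"},
    {"id": 3, "status_id": 2, "client_id": 10, "subject": "Reminder"},
    {"id": 4, "status_id": 1, "client_id": 20, "subject": "Contract"},
    {"id": 5, "status_id": 2, "client_id": 20, "subject": "Invoice 44"},
]


class MailColumnFilterAdapter:
    def __init__(self, columns: Dict[str, bool], strict: bool = True):
        self.columns = columns
        self.strict = strict

    def validate(self, filters: Dict[str, object]) -> List[str]:
        """Return keys that would need in-memory post-filtering; strict mode refuses them."""
        post_filter_keys: List[str] = []
        for key in filters:
            if key not in self.columns:
                raise UnsupportedFilterError(f"unknown filter key: {key}")
            if not self.columns[key]:
                if self.strict:
                    raise UnsupportedFilterError(f"not filterable at the database level: {key}")
                post_filter_keys.append(key)  # deprecated path, kept only to show the old behaviour
        return post_filter_keys


def pushdown_query(rows: Iterable[dict], filters: Dict[str, object]) -> List[dict]:
    """Stand-in for the SQL WHERE clause: equality on pushdown-capable columns only."""
    return [r for r in rows if all(r.get(k) == v for k, v in filters.items())]


class BulkSelectionService:
    def __init__(self, rows: List[dict], adapter: MailColumnFilterAdapter):
        self.rows = rows
        self.adapter = adapter

    def resolve_ids(self, select_all: bool, filters: Optional[Dict[str, object]] = None,
                    ids: Iterable[int] = (), excluded_ids: Iterable[int] = ()) -> List[int]:
        """Resolve the exact id set a bulk action will touch."""
        filters = filters or {}
        excluded = set(excluded_ids)
        if not select_all:
            return sorted(set(ids) - excluded)
        # Validation runs first: one non-pushdown key rejects the whole select-all.
        self.adapter.validate(filters)
        matched = {r["id"] for r in pushdown_query(self.rows, filters)}
        return sorted(matched - excluded)

    def preview(self, select_all: bool, filters: Optional[Dict[str, object]] = None,
                ids: Iterable[int] = (), excluded_ids: Iterable[int] = ()) -> Dict[str, int]:
        """Same resolution as the action itself, so preview count and executed count agree."""
        return {"count": len(self.resolve_ids(select_all, filters, ids, excluded_ids))}


if __name__ == "__main__":
    svc = BulkSelectionService(MAILS, MailColumnFilterAdapter(MAIL_COLUMNS))
    print(svc.preview(True, {"status_id": 1}, excluded_ids=[2]))
    try:
        svc.resolve_ids(True, {"client_name": "Acme"})
    except UnsupportedFilterError as exc:
        print("rejected:", exc)
```

Because `preview` and the action share `resolve_ids`, the "preview count matches executed count" check in the QA list holds by construction rather than by coincidence.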
QA validation focus
- Run Alembic migrations cleanly on QA; confirm the three new IdP tables and the seeded default Okta mapping exist.
- With flags off, verify standard token login, refresh, and logout still work and that grids/bulk actions behave normally.
- Enable Okta SSO on QA: login via admin/vendor "Sign in with Okta", group-to-role/entity mapping, auto-provision/email-linking, and Okta logout; confirm the redirect-allowlist rejects untrusted `next` URLs.
- Enable cookie auth: confirm HttpOnly cookies set on login/refresh, CSRF header required on unsafe methods, and logout clears cookies even with an expired token.
- Bulk "Select All" across Mails, Inbox, Documents, Folders, Rules, Batches: verify preview count matches executed count, `excluded_ids` are honored, and select-all is cleanly rejected when a non-pushdown filter is applied.
- Verify computed/display columns (`mail_count`, `total_documents`, `status_name`, `client_name`, `sharing_details`) no longer offer filtering, and valid ID/status/search filters return correct totals and pagination.
- Smoke-test vendor portal file listing, preview/upload, and real-time updates.
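Two pieces of the Okta login path named above (Authorization Code + PKCE, and redirect-allowlist validation of the `next` URL) are small enough to show in full. The block below is an added example, not the batch's `okta_oidc_service` or `auth_okta.py`; the allowed hosts are constructed, and the rules for what counts as a trusted `next` (same-origin relative path, or an https URL whose host is allowlisted) are this example's assumptions. The inputs in the test are the kinds of values the QA step "redirect-allowlist rejects untrusted `next` URLs" should cover.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Iterable, Optional, Tuple
from urllib.parse import urlsplit

# Constructed allowlist of portal hosts a post-login redirect may target.
ALLOWED_REDIRECT_HOSTS = {"admin.dsm.example", "vendor.dsm.example"}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> Tuple[str, str]:
    """Return (code_verifier, code_challenge) using the S256 method (RFC 7636).

    32 random bytes give a 43-character verifier, inside the 43..128 range the RFC requires.
    """
    verifier = _b64url(secrets.token_bytes(32))
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def verify_pkce(verifier: str, challenge: str) -> bool:
    """What the authorization server does at the token endpoint; shown here for completeness."""
    expected = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return hmac.compare_digest(expected, challenge)


def safe_next_url(candidate: Optional[str], allowed_hosts: Iterable[str], default: str = "/") -> str:
    """Return `candidate` if it is a trusted post-login destination, else `default`.

    Accepts: a relative path with a single leading slash, or an https URL whose host is allowlisted.
    Rejects: protocol-relative (//host), backslash tricks, CR/LF, non-https schemes, unknown hosts.
    """
    if not candidate:
        return default
    if any(ch in candidate for ch in "\\\r\n"):
        return default
    parts = urlsplit(candidate)
    if not parts.scheme and not parts.netloc:
        # Relative path: "//evil.example" has a netloc and never reaches this branch,
        # but "/\\evil" would, which is why backslashes are rejected above.
        return candidate if candidate.startswith("/") and not candidate.startswith("//") else default
    if parts.scheme.lower() == "https" and parts.hostname in set(allowed_hosts):
        return candidate
    return default


if __name__ == "__main__":
    v, c = make_pkce_pair()
    print("verifier ok:", verify_pkce(v, c))
    for n in ["/mails?page=2", "//evil.example/x", "https://admin.dsm.example/inbox",
              "https://admin.dsm.example.evil.example/", "javascript:alert(1)"]:
        print(repr(n), "->", safe_next_url(n, ALLOWED_REDIRECT_HOSTS))
```

The host check uses `parts.hostname` (lowercased, port stripped) rather than a substring match, so `admin.dsm.example.evil.example` does not pass; that lookalike is a good negative case to include in the QA run.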