Persona: Returning User (Any Role) — Guest, Host, Admin, or Support Agent returning to the platform. Single login URL for all roles; role is detected from account record; redirect applied automatically post-authentication. SRS §8.4 FR-65

Google OAuth Primary CTA — "Continue with Google" (Firebase) as the dominant sign-in method. Phase 1: Apple and Facebook shown greyed with "Phase 1" badge. No manual role selector at login — role is inferred from account record. SRS §7.1 FR-1; §4.2 Out-of-Scope

Email + Password Secondary — Collapsible accordion for users without Google accounts or in restricted regions. "Forgot password?" link triggers email reset flow. SRS §7.1 FR-1; §7.1 FR-4

Rate Limiting Lockout UI — After 5 consecutive failed login attempts: form disabled + countdown timer shown. Anti-bot protection on login endpoint (FR-66). Prevents brute-force attacks. Timer re-enables after cooldown period. SRS §8.4 FR-66; §8.4 FR-69

Role-Based Redirect Logic (Annotation) — Post-login role check from FR-80 account record: Guest → SCR-06 Search; Host (KYC Approved) → SCR-15; Host (KYC Pending/Rejected) → SCR-05; Admin → SCR-24; Support Agent → SCR-29. Backend-driven; no visible UI selector. SRS §8.4 FR-65; §6.1; §6.2; §6.3; §6.4

Dual-Role Switcher (Post-Login Header) — If user has both Guest and Host roles (FR-2): nav header across all post-login screens shows a role toggle chip. Initialized on login; not a login-screen element itself. SRS §7.1 FR-2; Architect recommendation OP-13

Remember This Device Checkbox — Persists session on trusted device for 30 days (FR-4). Session management initialized post-login. Active sessions manageable from SCR-35 (Profile Settings). SRS §7.1 FR-4; §8.1 FR-57

Session Timeout Warning Armed (Annotation) — After successful login: SCR-36 (Session Timeout Modal) listener activated. Fires at T-60s and T-30s before 5-minute idle session expiry. Annotation only — no visible UI element at login screen itself. SRS §8.1 FR-57