/* Shared styling for the chrome-free pre-authentication screens (sign-in landing
   and access-denied), rendered on AuthLayout. Global (not scoped) so both pages
   share one look. 618-branded (spec 037 T013, design/pages/signin.html): clean
   dark background, crisp card with the gold gradient keyline and the full brand
   lockup — no decorative watermarks. Token-driven so it follows [data-appearance]. */

.auth-shell {
    min-height: 100vh;
    display: flex;
    align-items: center;
    justify-content: center;
    padding: 2rem;
    background: var(--hz-bg);
}

.auth-card {
    position: relative;
    width: 100%;
    max-width: 400px;
    padding: 2.5rem 2.25rem;
    border-radius: var(--hz-radius-card);
    background: var(--hz-card);
    border: 1px solid var(--hz-border);
    box-shadow: var(--hz-shadow-overlay);
    text-align: center;
    color: var(--hz-text);
    overflow: hidden;
}

    /* The gold gradient keyline — the brand gesture on the card's top edge. */
    .auth-card::before {
        content: "";
        position: absolute;
        top: 0;
        left: 0;
        right: 0;
        height: 2px;
        background: var(--hz-brand-gradient);
    }

/* Full 618 lockup (BrandLockup): stacked mark + wide-tracked wordmark. */
.auth-card__brand {
    display: flex;
    justify-content: center;
    margin-bottom: 1.5rem;
}

    .auth-card__brand .hz-lockup {
        display: flex;
        flex-direction: column;
        align-items: center;
        gap: 0.55rem;
    }

    .auth-card__brand .hz-lockup__mark {
        width: 11.5rem;
        height: auto;
    }

    .auth-card__brand .hz-lockup__wordmark {
        font-family: var(--hz-font-display);
        font-weight: 600;
        font-size: 0.8rem;
        letter-spacing: 0.42em;
        text-indent: 0.42em;
        color: var(--hz-text);
    }

.auth-card__title {
    font-family: var(--hz-font-display);
    font-size: 1.25rem;
    margin: 0 0 0.35rem;
    font-weight: 600;
    letter-spacing: 0.01em;
    color: var(--hz-text);
    text-align: left;
}

.auth-card__subtitle {
    color: var(--hz-text-muted);
    margin: 0 0 1.6rem;
    font-size: 0.9rem;
    line-height: 1.5;
    text-align: left;
}

/* Explains an idle-reclaimed session (spec 043, FR-028). Informational, not an error: the user did
   nothing wrong, and the identity provider usually re-authenticates them silently. */
.auth-card__notice {
    margin: 0 0 1.1rem;
    padding: 0.6rem 0.75rem;
    border: 1px solid var(--hz-border);
    border-left: 3px solid var(--hz-brand);
    border-radius: var(--hz-radius-control);
    font-size: 0.85rem;
    line-height: 1.45;
    text-align: left;
}

.auth-card__button {
    display: inline-flex;
    align-items: center;
    justify-content: center;
    gap: 0.6rem;
    width: 100%;
    padding: 0.75rem 1rem;
    border-radius: var(--hz-radius-control);
    background: transparent;
    color: var(--hz-text);
    font-weight: 600;
    text-decoration: none;
    border: 1px solid var(--hz-border-strong);
    transition: background 0.15s ease, border-color 0.15s ease, color 0.15s ease;
}

    .auth-card__button:hover {
        background: var(--hz-brand-soft);
        border-color: var(--hz-brand);
        color: var(--hz-text);
    }

.auth-card__ms {
    flex: 0 0 auto;
}

.auth-card__hint {
    margin: 1.4rem 0 0;
    padding-top: 1.1rem;
    border-top: 1px solid var(--hz-border);
    font-size: 0.78rem;
    font-family: var(--hz-font-mono);
    color: var(--hz-text-muted);
    line-height: 1.5;
    text-align: left;
}
