Add unix: and npipe: transports to AZD external authentication#8371

Draft
Copilot wants to merge 13 commits into main from copilot/add-unix-domain-socket-windows-named-pipe-support
Conversation

Contributor

Copilot AI commented May 26, 2026

Extends AZD_AUTH_ENDPOINT with two new URL schemes so IDE hosts can hand tokens to AZD over OS-secured local IPC instead of standing up a loopback HTTPS server with a self-signed cert. The existing https: flow is unchanged. AZD_AUTH_KEY remains required for all schemes.

Behavior

  • https://host:port — unchanged. AZD_AUTH_CERT and AZD_AUTH_KEY are both required; AZD rejects https: when no cert is provided.
  • unix:/abs/path/to/socket (POSIX) — Unix domain socket. Cert MUST NOT be set; AZD_AUTH_KEY is required and forwarded. AZD stat()s the socket and its parent and refuses unless both are owned by the current euid and have group/other bits cleared. The socket path MUST NOT be a symlink — AZD rejects symlinked socket paths outright (no symlink support) so a link into a less-restricted directory cannot bypass the parent-directory permission check.
  • npipe: or npipe:////./pipe/ (Windows) — named pipe via winio.DialPipeContext. Cert MUST NOT be set; AZD_AUTH_KEY is required and forwarded. AZD queries the pipe's DACL after connect and refuses any allow ACE outside the current user / SYSTEM / Administrators.
  • http: / no-scheme — accepted for the local loopback test harness only.
  • Unknown scheme → error listing supported schemes (and noting http/no-scheme are local-test-only).
  • For unix:/npipe:, the request URL is rewritten to http://azd-auth/token?... so RemoteCredential is untouched; the transport pins the actual dial target.

Changes

  • Scheme dispatch — new cli/azd/cmd/auth_transport.go containing buildExternalAuthConfiguration; container.go's MustRegisterScoped factory now defers to it. https: fails fast without a cert; unix:/npipe: fail fast without a key.
  • Platform-split transports — auth_transport_unix.go (//go:build unix) for UDS + permission verification (including symlink rejection); auth_transport_windows.go (//go:build windows) for named pipes + structured DACL inspection; auth_transport_other.go stub for everything else. Each file exports the same newSocketTransport / newPipeTransport signature so container.go stays portable.
  • Dependency — adds github.com/Microsoft/go-winio v0.6.2 as a direct requirement for pipe dialing (compiled in only on Windows).
  • Docs — new "Transport selection via URL scheme" section in docs/external-authentication.md; AZD_AUTH_* rows in cli/azd/docs/environment-variables.md and docs/reference/environment-variables.md updated to mark AZD_AUTH_KEY required for all schemes and document the no-symlink rule; CHANGELOG.md entry under Features Added.
  • Tests — table-driven scheme dispatch in auth_transport_test.go (covers cert-required-for-https and key-required-for-unix/npipe); UDS permission and symlink rejection cases plus a full round trip through httptest.Server bound to a UDS listener in auth_transport_unix_test.go; pipe path normalizer in auth_transport_windows_test.go.
```go
// container.go
container.MustRegisterScoped(func() (auth.ExternalAuthConfiguration, error) {
    // Scheme dispatch lives in auth_transport.go; the factory only reads the env.
    return buildExternalAuthConfiguration(
        os.Getenv("AZD_AUTH_ENDPOINT"),
        os.Getenv("AZD_AUTH_KEY"),
        os.Getenv("AZD_AUTH_CERT"),
    )
})
```

Notes for reviewers

  • Windows DACL enumeration walks ACEs structurally via the golang.org/x/sys/windows library (sd.DACL() + windows.GetAce + windows.EqualSid) rather than regex-parsing the SDDL string representation. Allowed principals are real *windows.SID values: the current process token user (resolved via OpenProcessToken + GetTokenUser) plus WinLocalSystemSid and WinBuiltinAdministratorsSid. Object-style allow ACEs (AD-flavored) are rejected defensively because their SID lives at a different offset than ACCESS_ALLOWED_ACE.SidStart.
  • http:// (no cert) is still accepted by the dispatcher to preserve the existing httptest.NewServer-based functional tests under cli/azd/test/functional/auth_test.go. http:// with a cert is rejected, as before.

Out of scope (separate work)

  • VS Code Azure extension switching to the new schemes — ships once a new AZD release is out.
  • A vsrpc-mode equivalent for InitializeServerOptions.AuthenticationEndpoint in cli/azd/internal/vsrpc/models.go.

Copilot AI and others added 2 commits May 26, 2026 18:09
@bwateratmsft
Contributor

Purpose for context: local HTTP(S) servers are discouraged in favor of pipes/UDS whenever possible. This seeks to add support for that but without breaking any existing behavior.

Comment thread cli/azd/cmd/auth_transport_windows.go
Copilot AI and others added 2 commits May 26, 2026 18:27
Copilot AI requested a review from bwateratmsft May 26, 2026 18:28
bwateratmsft linked an issue Jun 4, 2026 that may be closed by this pull request
…inked sockets

Copilot stopped reviewing on behalf of bwateratmsft due to an error June 4, 2026 18:39
Successfully merging this pull request may close these issues.

Allow external auth server to use IPC