Session gateway

Auth enters here and routes people to the right protected room.

The sign-in surface is now live. Clients land in the right workspace, while staff and admin accounts move into the operator queue behind RBAC.

If you already have access, sign in below. If not, the public marketing routes stay available without any auth wall.

Boundary discipline

Identity is a threshold, not a scattered feature.

This route now owns the real handoff into protected product space while keeping the marketing story clean and unauthenticated.

Entry

Sign-in, invites, and reset flows stay concentrated here instead of leaking into marketing routes.

Session

Server-side checks move clients into the right workspace and staff into admin without blocking the public site.

Trust

Access stays deliberate, internally provisioned, and role-aware from the first redirect onward.