Session gateway

Auth enters here and routes people to the right protected room.

The sign-in surface is now live. Clients land in the right workspace, while staff and admin accounts move into the operator queue behind RBAC.

After sign-in, we will try to continue to /workspaces. If your role does not belong there, the app will send you to the correct default surface instead.

Boundary discipline

Identity is a threshold, not a scattered feature.

This route now owns the real handoff into protected product space while keeping the marketing story clean and unauthenticated.

Entry

Sign-in, invites, and reset flows stay concentrated here instead of leaking into marketing routes.

Session

Server-side checks move clients into the right workspace and staff into admin without blocking the public site.

Trust

Access stays deliberate, internally provisioned, and role-aware from the first redirect onward.