Handbook
Prompt 06 — Authentication, invitation onboarding, and account security
Replace the prototype sign-in and key-management experience with a production-grade, tenant-aware onboarding and account-security flow while preserving actual encryption guarantees.
Updated
Required context
- Approved authentication/encryption ADRs
- Current sign-in, invite, key import, and account screens
- Product shell and shared form components
- Security/privacy rules and threat model
Prompt
Replace the prototype sign-in and key-management experience with a production-grade, tenant-aware onboarding and account-security flow while preserving actual encryption guarantees.
1. Separate production and development access
- Remove bearer-token entry from production UI.
- Keep any local token login behind an explicit development-only environment gate, with tests that it is absent from production builds.
- Do not accept arbitrary tenant slugs from unauthenticated users unless the tenant-discovery design explicitly requires it.
2. Invitation flow
Implement:
- Validate secure invite token and state.
- Show tenant name, inviter/purpose where safe, role/request type, expiry, and privacy notice.
- Authenticate through allowed methods.
- Confirm profile and tenant membership.
- Register device/recovery material according to the approved encryption mode.
- Confirm access and route to the intended task.
Handle expired, revoked, already-used, wrong-account, wrong-domain, tenant-suspended, and network/error states without leaking tenant membership.
3. Authentication options
Implement only approved providers and plan gates. Support a coherent order such as:
- Enterprise SSO/OIDC/SAML when configured
- Microsoft/Google OAuth when allowed
- Passwordless or passkey where approved
- Break-glass account policy for tenant security admins
Do not present unavailable buttons.
4. Key/recovery UX
Translate system behavior into plain language:
- Device access status
- Backup/recovery health
- Add a device
- Restore access
- Rotate security material
- Reauthorize after rotation
If subject-private mode can lead to permanent loss, explain it clearly before completion and provide a verifiable backup check. If tenant recovery exists, show who may initiate it, the approval/audit process, and notification behavior.
Do not display or log key material. Do not upload a key file before identity is validated unless the approved threat model explicitly requires it.
5. Account and security center
Build pages for:
- Profile
- Connected sign-in methods
- MFA/passkeys if supported
- Active sessions and devices
- Recovery/backup status
- Security activity
- Notifications preferences
- Privacy/data export/delete requests according to policy
- Sign out everywhere
Use confirmation and reauthentication for sensitive actions.
6. Enterprise tenant configuration
Provide admin flows for:
- Verified domains
- SSO setup and test mode
- Enforcement policy and staged rollout
- SCIM relationship where available
- Session timeout
- MFA policy
- Break-glass accounts
- Invite expiry and domain restrictions
- Authentication audit events
A failed SSO configuration must not lock out all administrators.
7. Security and tests
- CSRF/session fixation/open-redirect protections appropriate to the stack
- Secure return URL allowlist
- Token expiry, replay, revocation, and one-time semantics
- Rate limiting and abuse controls
- Tenant isolation on invitation resolution
- No secrets in client bundles, logs, analytics, or error messages
- End-to-end tests for invite, SSO fallback/test, recovery, and access denial
- Accessibility tests for all auth states
Acceptance gates
- Production login contains no bearer-token path.
- Invitees land on the intended task with tenant context.
- Lost/recovery behavior matches the approved ADR and docs.
- Sensitive actions require appropriate reauthentication.
- Error states do not reveal hidden tenant or account information.