Bootstrap & Login
Invite and magic-link bootstrap flow, per-env TTL matrix, and the preview gate.
The operator console does not allow self-registration. All initial access happens through an admin-issued invite plus a magic-link bootstrap. This matches the Track A design goal of removing shared logins and making every access grant auditable.
Flow
- Admin issues an invite from
/admin/invites. - Recipient receives a one-time link.
- Redeeming the link establishes a Better Auth session and binds the role declared on the invite.
- Every invite issue and redemption is written to the audit log.
Environment-specific TTL matrix
| Environment | Invite TTL | Magic-link TTL | Session TTL |
|---|---|---|---|
| Production | 24 h | 10 min | 12 h |
| Staging | 7 d | 30 min | 24 h |
| Preview | Gated on ALLOW_PREVIEW_BOOTSTRAP | 60 min | 24 h |
Preview gate
Preview environments issue invites only when the ALLOW_PREVIEW_BOOTSTRAP env var is set. This keeps ephemeral PR URLs from becoming an accidental access surface while still letting reviewers exercise the full flow on demand.
Recovery
If a session is lost or compromised, an admin revokes the session from /admin/sessions and re-issues the invite. Recovery never bypasses the audit log; every revoke and re-issue is recorded.