Issue #18 login surface

Dedicated admin sign-in

Phase 1 keeps the login surface intentionally small: the browser talks only to the admin Route Handler, session mint stays server-owned, and recovery remains outside the normal sign-in flow.

Auth route

Dedicated admin sign-in

/api/auth/login

Enter the sole admin identifier and password. Session mint stays blocked until backend verification and MFA complete.

Known states

Login state matrix

initialDedicated admin sign-in
submittingChecking admin credentials
invalid-credentialIdentifier or password did not match
mfa-requiredMFA challenge required
session-expiredSession expired
locked-outSign-in is temporarily locked
backend-not-readyAdmin backend is not ready
generic-failureSign-in could not be completed

Environment

Fail-closed behavior

Live Supabase still does not have internal.admin_principals / internal.admin_sessions / internal.admin_audit_logs applied as of 2026-04-09, so the login surface must keep backend-not-ready visible instead of failing open.

Recovery

Minimal disclosure only

Recovery stays outside the normal login flow. If normal sign-in cannot be recovered, contact the owner who manages the recovery runbook.

Break-glass details stay outside the browser UI.
Operator ownership and runbook execution stay repo-side.
Suspicious or locked states do not reveal secret recovery paths.