RaveFocus auth launch layer

Auth role privacy map

This maps Microsoft sign-in roles to worker profile privacy, quest/form access, admin-only evidence, and launch gates. It is prepared, not enforced, until the Microsoft backend is ready.

Status: prepared; not enforced
4 roles
3 protected routes prepared
0 active now
15 worker forms blocked
4 preflight blockers
Launch guard: do not apply protected auth until worker/admin role assignments, Lists, IDs, flows, and final verification pass.

outputs/auth-go-live-checklist.html · outputs/auth-owner-action-sheet.html · launch/staticwebapp.authenticated.config.json · outputs/worker-launch-switchboard.html · outputs/final-go-live-preflight.html

Account groups

owner/admin

Role needed: admin
Can access: admin setup, launch evidence, restricted outputs, form verification, proof routing
Proof to capture: admin account signs in and can reach admin-only setup pages
Privacy rule: do not publish passwords, recovery codes, private records, payout settings, IDs, or billing details
Blocked until: Microsoft Entra role assignment, protected Static Web Apps config, SharePoint Lists, and final preflight are ready

approved worker

Role needed: authenticated or worker
Can access: profile, quest board, assigned role tasks, forms, proof submission
Proof to capture: worker account signs in and cannot reach admin-only outputs
Privacy rule: worker sees only their own profile/task info and proof-safe task records
Blocked until: Microsoft Entra role assignment, protected Static Web Apps config, SharePoint Lists, and final preflight are ready

guest/not signed in

Role needed: anonymous preview only
Can access: public preview sections only before production lock
Proof to capture: signed-out visitor cannot reach profile, forms, proof, quest data, or admin evidence after auth is applied
Privacy rule: no operational manifests or proof links exposed to signed-out visitors
Blocked until: Microsoft Entra role assignment, protected Static Web Apps config, SharePoint Lists, and final preflight are ready

Roles

1
prepared

anonymous

0

preview-only access before worker login is enforced

Allowed sections: #start, #levels, #role-quiz, #role-guide, #workers, #guides
Blocked sections: #profile, #quests, #forms, #proof, #admin
Prepared route access: none
Mapped worker role keys: none
Mapped forms: none
Go-live rule: anonymous users must lose operational access before worker launch

2
prepared

authenticated

1514

approved worker baseline after Microsoft sign-in

Allowed sections: #profile, #quests, #forms, #echo, #systems, #proof
Blocked sections: #admin
Prepared route access: /assets/data/*, /api/*
Mapped worker role keys: archive, echo, fs, hello, hq, iq, lenslab, lineup, meta, of, orbit, popl, pre, pt, rd, sc, shop, signal, spon
Mapped forms: analytics, booking, client-follow-up, content-schedule, edited-content, proof, shift, task-request
Go-live rule: signed-in workers still need role-seat approval before taking quests or seeing profile-specific details

3
prepared

worker

1514

assigned worker role; actual quest access still depends on role seat and admin approval

Allowed sections: #profile, #quests, #forms, #proof
Blocked sections: #admin
Prepared route access: none
Mapped worker role keys: archive, echo, fs, hello, hq, iq, lenslab, lineup, meta, of, orbit, popl, pre, pt, rd, sc, shop, signal, spon
Mapped forms: analytics, booking, client-follow-up, content-schedule, edited-content, proof, shift, task-request
Go-live rule: signed-in workers still need role-seat approval before taking quests or seeing profile-specific details

4
prepared

admin

1700

Jupiter/admin operations, review queues, setup guides, proof routing, and sensitive index oversight

Allowed sections: #admin, #systems, #proof, #forms, #profile, #quests
Blocked sections: none
Prepared route access: /outputs/*, /assets/data/*, /api/*
Mapped worker role keys: archive, compliance, echo, fs, hello, hq, iq, jupiter, lenslab, lineup, meta, of, orbit, popl, pre, pt, rd, sc, shop, signal, spon
Mapped forms: analytics, approval-request, booking, client-follow-up, content-schedule, edited-content, escalation, proof, shift, task-request
Go-live rule: admin-only evidence, setup outputs, proof routing, pay review, and restricted records require admin role
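
An added example, not the project's own code or its launch/staticwebapp.authenticated.config.json: a check that replays the "Proof to capture" items against a route table in the Static Web Apps config shape, using the three prepared routes listed above. The route table contents, the sample file, page and endpoint names, and the simplified matcher (first matching rule wins, trailing * treated as a prefix wildcard) are assumptions.

```python
# Constructed route table in the staticwebapp.config.json shape (an assumption;
# the project's own config file is not shown on the page).
CONFIG = {"routes": [
    {"route": "/outputs/*", "allowedRoles": ["admin"]},
    {"route": "/assets/data/*", "allowedRoles": ["authenticated"]},
    {"route": "/api/*", "allowedRoles": ["authenticated"]},
]}
# Failure mode: a catch-all rule placed first shadows every protected route.
SHADOWED = {"routes": [{"route": "/*", "allowedRoles": ["anonymous"]}] + CONFIG["routes"]}

# Roles held at request time: every visitor holds "anonymous", and every
# signed-in user also holds "authenticated" next to any assigned role.
ACCOUNTS = {
    "guest": {"anonymous"},
    "worker": {"anonymous", "authenticated", "worker"},
    "admin": {"anonymous", "authenticated", "admin"},
}

# Probe path -> accounts that should get through ("Prepared route access" rows).
EXPECTED = {
    "/outputs/final-go-live-preflight.html": {"admin"},
    "/assets/data/roles.json": {"worker", "admin"},  # hypothetical file name
    "/api/profile": {"worker", "admin"},             # hypothetical endpoint
    "/index.html": {"guest", "worker", "admin"},     # hypothetical public page
}

def matches(pattern, path):
    """Simplified matcher: exact path, or prefix match when pattern ends in '*'."""
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return path == pattern

def allowed(config, roles, path):
    """First matching rule wins; a path with no matching rule is open to all."""
    for rule in config.get("routes", []):
        if matches(rule["route"], path):
            permitted = set(rule.get("allowedRoles", ["anonymous"]))
            return bool(permitted & roles)
    return True

def audit(config):
    """Return (path, account, expected, actual) for every access mismatch."""
    failures = []
    for path, who in EXPECTED.items():
        for account, roles in ACCOUNTS.items():
            actual = allowed(config, roles, path)
            if actual != (account in who):
                failures.append((path, account, account in who, actual))
    return failures
```

audit(CONFIG) returns an empty list, while audit(SHADOWED) reports the guest and worker reaching /outputs/* and the guest reaching /assets/data/* and /api/*. Section anchors such as #admin are URL fragments, which browsers do not send to the server, so only the path routes can be checked this way.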