RaveFocus auth launch layer
Auth role privacy map
This maps Microsoft sign-in roles to worker profile privacy, quest/form access, admin-only evidence, and launch gates. It is prepared, not enforced, until the Microsoft backend is ready.
Status: prepared; not enforced
4 roles
3 protected routes prepared
0 active now
15 worker forms blocked
4 preflight blockers
Launch guard: do not apply protected auth until worker/admin role assignments, Lists, IDs, flows, and final verification pass.
outputs/auth-go-live-checklist.html · outputs/auth-owner-action-sheet.html · launch/staticwebapp.authenticated.config.json · outputs/worker-launch-switchboard.html · outputs/final-go-live-preflight.html
Account groups
owner/admin
- Role needed: admin
- Can access: admin setup, launch evidence, restricted outputs, form verification, proof routing
- Proof to capture: admin account signs in and can reach admin-only setup pages
- Privacy rule: do not publish passwords, recovery codes, private records, payout settings, IDs, or billing details
- Blocked until: Microsoft Entra role assignment, protected Static Web Apps config, SharePoint Lists, and final preflight are ready
approved worker
- Role needed: authenticated or worker
- Can access: profile, quest board, assigned role tasks, forms, proof submission
- Proof to capture: worker account signs in and cannot reach admin-only outputs
- Privacy rule: worker sees only their own profile/task info and proof-safe task records
- Blocked until: Microsoft Entra role assignment, protected Static Web Apps config, SharePoint Lists, and final preflight are ready
guest/not signed in
- Role needed: anonymous preview only
- Can access: public preview sections only before production lock
- Proof to capture: signed-out visitor cannot reach profile, forms, proof, quest data, or admin evidence after auth is applied
- Privacy rule: no operational manifests or proof links exposed to signed-out visitors
- Blocked until: Microsoft Entra role assignment, protected Static Web Apps config, SharePoint Lists, and final preflight are ready
Roles
preview-only access before worker login is enforced
- Allowed sections: #start, #levels, #role-quiz, #role-guide, #workers, #guides
- Blocked sections: #profile, #quests, #forms, #proof, #admin
- Prepared route access: none
- Mapped worker role keys: none
- Mapped forms: none
- Go-live rule: anonymous users must lose operational access before worker launch
authenticated (prepared)
approved worker baseline after Microsoft sign-in
- Allowed sections: #profile, #quests, #forms, #echo, #systems, #proof
- Blocked sections: #admin
- Prepared route access: /assets/data/*, /api/*
- Mapped worker role keys: archive, echo, fs, hello, hq, iq, lenslab, lineup, meta, of, orbit, popl, pre, pt, rd, sc, shop, signal, spon
- Mapped forms: analytics, booking, client-follow-up, content-schedule, edited-content, proof, shift, task-request
- Go-live rule: signed-in workers still need role-seat approval before taking quests or seeing profile-specific details
assigned worker role; actual quest access still depends on role seat and admin approval
- Allowed sections: #profile, #quests, #forms, #proof
- Blocked sections: #admin
- Prepared route access: none
- Mapped worker role keys: archive, echo, fs, hello, hq, iq, lenslab, lineup, meta, of, orbit, popl, pre, pt, rd, sc, shop, signal, spon
- Mapped forms: analytics, booking, client-follow-up, content-schedule, edited-content, proof, shift, task-request
- Go-live rule: signed-in workers still need role-seat approval before taking quests or seeing profile-specific details
Jupiter/admin operations, review queues, setup guides, proof routing, and sensitive index oversight
- Allowed sections: #admin, #systems, #proof, #forms, #profile, #quests
- Blocked sections: none
- Prepared route access: /outputs/*, /assets/data/*, /api/*
- Mapped worker role keys: archive, compliance, echo, fs, hello, hq, iq, jupiter, lenslab, lineup, meta, of, orbit, popl, pre, pt, rd, sc, shop, signal, spon
- Mapped forms: analytics, approval-request, booking, client-follow-up, content-schedule, edited-content, escalation, proof, shift, task-request
- Go-live rule: admin-only evidence, setup outputs, proof routing, pay review, and restricted records require admin role
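A preflight check for the three prepared routes, as an added example that is not part of the RaveFocus project: it audits a Static Web Apps config against the "Prepared route access" entries above. It assumes the standard `routes` / `allowedRoles` shape of `staticwebapp.config.json` and that the route-to-role mapping is the one read from the role descriptions on this page; both sample configs are constructed, not the contents of `launch/staticwebapp.authenticated.config.json`.

```python
# Expected roles per protected route, taken from "Prepared route access" above.
# Assumption: /outputs/* is admin-only; /assets/data/* and /api/* are open to
# the authenticated baseline and admin; worker and anonymous get no routes.
EXPECTED = {
    "/outputs/*": {"admin"},
    "/assets/data/*": {"authenticated", "admin"},
    "/api/*": {"authenticated", "admin"},
}

def audit_routes(config):
    """Return findings for the protected routes; an empty list means they match."""
    findings = []
    # Exact route-string match only; overlapping wildcard rules are not resolved.
    rules = {r.get("route"): r for r in config.get("routes", [])}
    for route, allowed in EXPECTED.items():
        rule = rules.get(route)
        if rule is None:
            findings.append(f"{route}: no rule, open to signed-out visitors")
            continue
        roles = set(rule.get("allowedRoles") or [])
        # A rule without allowedRoles is reachable anonymously by default.
        if not roles or "anonymous" in roles:
            findings.append(f"{route}: anonymous access allowed")
        extra = roles - allowed - {"anonymous"}
        if extra:
            findings.append(f"{route}: unexpected roles {sorted(extra)}")
    return findings

# Constructed sample: matches the map.
GOOD_CONFIG = {"routes": [
    {"route": "/outputs/*", "allowedRoles": ["admin"]},
    {"route": "/assets/data/*", "allowedRoles": ["authenticated", "admin"]},
    {"route": "/api/*", "allowedRoles": ["authenticated"]},
]}

# Constructed sample: worker can read admin outputs, data route has no rule,
# and the API is still anonymous.
WEAK_CONFIG = {"routes": [
    {"route": "/outputs/*", "allowedRoles": ["admin", "worker"]},
    {"route": "/api/*", "allowedRoles": ["anonymous"]},
]}

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, audit_routes(cfg) or "OK")
```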