auth.taxipartner.at
Supabase RLS: ready
Google OAuth: pending wire-up
Build: not deployed
Env: not linked
Identity / Access / Audit
Auth shell, built for tenant boundaries. This surface handles the Google entry flow, tenant context, and session bootstrap. It stays separate from the database and keeps fail-closed behavior at the boundary.
Auth model
Google OAuth
Our callback, our session, our tenant rules.
Tenant scope
Fail closed
No active tenant means no access.
Audit surface
Mandatory
Identity, policy, and exception events are recorded.
What is wired next
The shell is ready. Next we connect the auth callback, env vars, and first tenant bootstrap.
Google OAuth boundary
Login lives on auth.taxipartner.at. Admin only trusts our own callback and session layer.
Tenant-first enforcement
Every request carries tenant context. Cross-tenant reads and writes fail closed.
Audit by default
Identity, policy, and exception events are written as first-class records.
Next steps
We only need three moves to turn this from shell into the first live auth surface.
Supabase Postgres
Project is linked and ready for schema, RLS, and storage work.
Vercel hosting
admin.taxipartner.at can point here once the import is deployed.
Auth flow
Google login will be wired after the shell is live and stable.