
Future staff login required · Production-bound preview namespace
Review only · Staff sign-in required · Money, reward, winner, and distribution actions remain locked

Internal access foundation

Staff Access & Roles

Review current work, spot risk quickly, and keep protected actions locked until approval.

Staff auth required · Review only · No live money movement

Staff records: 4 · Demo access directory

Active owner: 1 · DB-backed production seed documented

Access reviews: 3 · Invited, inactive, or pending

Live writes: Off · Invite sending and role writes blocked

Read-only data source

Guarded Access & Roles read model.

Access & Roles preview data is loaded from the deterministic Staff/Admin model.

preview · deterministic_demo

Action readiness

Future controlled actions stay blocked.

Access & Roles can show operational readiness, but invite sending, role changes, MFA enforcement, access removal, provider admin actions, and expanded audit writes remain disabled until a separate approval window.

All actions blocked

Invite staff admin
Invite sending: blocked (high)
Prepare a controlled staff invite workflow without sending invitations from this screen.
Blocked reason: Live invitation sending is not approved for the guarded Access & Roles route.
Audit requirement: Append-only staff invite audit event with actor, target, role, reason, and result.
Role: platform_owner · Enabled: no

Change staff role
Role changes: blocked (critical)
Show role readiness without changing membership roles or permissions.
Blocked reason: Role write services are not enabled and membership history must not be rewritten.
Audit requirement: Append-only role-change audit event with previous role, requested role, approver, and reason.
Role: platform_owner · Enabled: no

Enforce MFA
MFA enforcement: blocked (high)
Track MFA readiness while enforcement changes remain future-only.
Blocked reason: MFA policy write behavior requires a separate security-reviewed enablement pass.
Audit requirement: Append-only MFA policy audit event with actor, target, old state, new state, and recovery note.
Permission: sensitive_production_action · Enabled: no

Remove staff access
Access removal: blocked (critical)
Represent access removal readiness without disabling memberships.
Blocked reason: Membership disable/revocation writes are not enabled on this read-only route.
Audit requirement: Append-only access-removal audit event with target, reason, effective time, and recovery path.
Role: platform_owner · Enabled: no

Resend invite
Invite resend: blocked (high)
Show pending invite follow-up readiness while delivery remains blocked.
Blocked reason: Invite resends would trigger live email delivery and are not approved.
Audit requirement: Append-only invite resend audit event with invite id, recipient, actor, and result.
Role: platform_owner · Enabled: no

Cancel invite
Invite cancellation: blocked (high)
Show cancellation readiness without mutating invite state.
Blocked reason: Invite cancellation writes require approved membership and invite-state services.
Audit requirement: Append-only invite cancellation audit event with actor, invite, reason, and result.
Role: platform_owner · Enabled: no

Expand audit writes
Audit write expansion: blocked (high)
Plan broader Access & Roles audit coverage without writing new event types here.
Blocked reason: Only previously approved audit write scopes may write; this route adds no new write scope.
Audit requirement: Approved append-only event schema before any expanded write scope is enabled.
Permission: future_write · Enabled: no

Use Supabase admin API
Supabase admin API usage: blocked (critical)
Record that provider-level administration remains outside this UI until separately approved.
Blocked reason: This route must not call provider admin APIs or mutate authentication state.
Audit requirement: Privileged provider action audit event with no secrets and a reviewed reason code.
Role: platform_owner · Enabled: no

Use service role
Service-role usage: blocked (critical)
Keep privileged service credentials out of Access & Roles UI and client-rendered code.
Blocked reason: Service-role credentials are not used by this read-only route or component.
Audit requirement: Privileged server action audit event; no credential values may be logged or displayed.
Role: platform_owner · Enabled: no

Staff/Admin users

Review access, roles, MFA state, and next action.

This is a management foundation only. Invite sending, role changes, membership disables, and dashboard unlocks stay blocked.

Name | Email | Role | Status | MFA | Access state
Chad FanSports | chad@fansportsfundraiser.com | Platform Owner | Active | Required, not verified | Owner-level review across all Staff/Admin sections. Dashboard still blocked.
Operations Admin Preview | ops-admin@example.test | Staff Admin | Access review | Required before access | Campaigns, groups, cards, support, economics review, and reports after approval.
Support Lead Preview | support-lead@example.test | Support Admin | Invited | Required before access | Support queue, card claim review, group setup support, and manual review.
Finance Review Preview | finance-review@example.test | Finance Admin | Inactive | Required if re-enabled | Economics review only after owner reactivation and audit policy approval.

Invite planning

Draft the workflow without sending anything.

Live invite sending blocked

ops-admin@example.test · Staff Admin · Drafted
MFA required before dashboard access · Platform Owner review required
staff_invite_drafted then staff_invite_pending_send after approval

support-lead@example.test · Support Admin · Pending send approval
MFA required before access · Operations Admin review required
Invite payload must be redacted and append-only audited

auditor@example.test · Read Only Admin · Drafted
MFA required unless approved policy says otherwise · Read-only scope review required
No plain token storage; token hash only in future

Current namespace

/platform/demo/staff-admin

The current /platform/demo/staff-admin namespace is the production-bound development and preview namespace. It is not the final production admin URL.

Future namespace

/admin

The /admin route is the protected production Staff/Admin entry. It may render the FS Admin Backend only after requireStaffAdminAccess() passes Supabase Auth, active Staff/Admin membership, role, MFA source, audit payload, and guarded exposure checks.

Policy sections: 14 · Data-only policy matrix. No role enforcement.

Production exposure

Locked

Only the `/admin` access gate is exposed. Staff/Admin dashboard UI remains blocked.

Persistence readiness

Roles, invites, MFA policy, and audit tables are modeled for the secured `/admin` path.

This page is still read-only. It shows the persistence contract that future server-side guards and Access & Roles workflows will use after approval.

Additive schema foundation

public.staff_admin_memberships

Maps app users to Staff/Admin roles, status, and MFA policy intent.

public.staff_admin_invites

Stores future invite workflow state without sending email or storing plain tokens.

public.staff_admin_audit_events

Stores future append-only Staff/Admin access, role, invite, and sensitive-action audit events.

Writes enabled: no

Invite sending: no

MFA enforcement: no

Production migration status

Staff/Admin production migration applied and verified.

Render PostgreSQL `fansports-db` now has the Staff/Admin membership, invite, and audit tables. This page only reads local policy constants and does not connect to production.

staff_admin_memberships: Ready for future guarded reads.
staff_admin_invites: Ready for future guarded reads.
staff_admin_audit_events: Ready for future guarded reads.

Audit event readiness

Payload builder and sanitizer are ready.

Event types: 16

Payload validation: passing

Writes enabled: no

Sanitized metadata keys: reason, safeContext

Future role matrix

Staff role concepts are centralized but not enforced.

Read-only foundation

Platform Owner (platform_owner) · 23 permissions
Future owner-level role for Staff/Admin access, policy, recovery, and high-risk review.
Production admin access readiness · Access & Roles visibility · Membership management view · Future membership management writes · Invite management view · Future invite management writes

Staff Admin (staff_admin) · 20 permissions
Future broad operations role across Staff/Admin review surfaces.
Production admin access readiness · Access & Roles visibility · Membership management view · Invite management view · Audit viewing · Platform Directory view

Support Admin (support_admin) · 9 permissions
Future support, claim, card, and manual-review role.
Production admin access readiness · Platform Directory view · Registration Pipeline view · Support review view · Support review workflow · Card operations view

Finance Admin (finance_admin) · 6 permissions
Future economics review role with no-live-money controls until approved.
Production admin access readiness · Economics review view · Economics review with no-live-money controls · Reporting view · Audit viewing · Platform Directory view

Compliance Admin (compliance_admin) · 7 permissions
Future Campaign Lock, prize eligible, reward, legal, and compliance review role.
Production admin access readiness · Prize & eligibility review view · Prize & eligibility mutation blocked · Card operations view · Route audit view · Audit viewing

Group Success (group_success) · 7 permissions
Future group onboarding, White Glove Setup, and readiness support role.
Production admin access readiness · Campaign and group operations view · Campaign and group operations review · Support review view · Reporting view · Platform Directory view

Read Only Admin (read_only_admin) · 6 permissions
Future inspection-only role for operational review, reports, and route audit.
Production admin access readiness · Access & Roles visibility · Audit viewing · Reporting view · Route audit view · Platform Directory view

Permission groups

Policy separates read, review, future write, and blocked sensitive actions.

23 permissions in total:

View/read: 14 permissions
Review: 3 permissions
Future write: 3 permissions
Sensitive action: 2 permissions
Money/prize/reward/accounting blocked: 1 permission

Policy by section

Route access policy preview.

These rows preview the future server-side access contract. They do not read sessions, inspect users, or enforce permissions.


Every row below is gated by real staff authentication · role-gated access.

Section | Route | Roles
Staff/Admin Dashboard | /platform/demo/staff-admin | Platform Owner, Staff Admin, Read Only Admin
Campaign Management | /platform/demo/staff-admin/campaigns | Platform Owner, Staff Admin, Group Success
Group Management | /platform/demo/staff-admin/groups | Platform Owner, Staff Admin, Group Success, Support Admin
Card Operations | /platform/demo/staff-admin/cards | Platform Owner, Staff Admin, Support Admin, Compliance Admin
Support Queue | /platform/demo/staff-admin/support | Platform Owner, Staff Admin, Support Admin
Prize & Eligibility | /platform/demo/staff-admin/eligibility | Platform Owner, Staff Admin, Compliance Admin
Economics Operations | /platform/demo/staff-admin/economics | Platform Owner, Staff Admin, Finance Admin
Marketing Kits | /platform/demo/staff-admin/marketing-kits | Platform Owner, Staff Admin, Group Success, Support Admin
System | /platform/demo/staff-admin/system | Platform Owner, Staff Admin, Read Only Admin
Reporting | /platform/demo/staff-admin/reports | Platform Owner, Staff Admin, Finance Admin, Group Success
Partner Program | /platform/demo/staff-admin/reports | Platform Owner, Staff Admin, Finance Admin, Group Success, Compliance Admin
Platform Directory | /platform/demo/staff-admin/directory | Platform Owner, Staff Admin, Support Admin, Read Only Admin
Registration Pipeline | /platform/demo/staff-admin/registration-pipeline | Platform Owner, Staff Admin, Group Success, Support Admin
Access & Roles | /platform/demo/staff-admin/access-roles | Platform Owner
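The access contract sketched for the /admin gate and the route matrix above, as an added example that is not the project's own requireStaffAdminAccess(): a pure evaluation over three of the routes that checks session, active membership, permitted role and MFA in order and reports the first failing check, plus a sanitizer that keeps only the reason and safeContext metadata keys. The session and membership field names (userId, status, mfaRequired, mfaVerified) are assumptions; the roles, routes and sanitized keys are the page's.

```javascript
// Added illustration, not the project's guard. Field names userId, status,
// mfaRequired and mfaVerified are assumed; roles and routes come from the page.

// Route -> permitted roles, three rows from the "Policy by section" matrix.
const ROUTE_POLICY = {
  "/platform/demo/staff-admin": ["platform_owner", "staff_admin", "read_only_admin"],
  "/platform/demo/staff-admin/economics": ["platform_owner", "staff_admin", "finance_admin"],
  "/platform/demo/staff-admin/access-roles": ["platform_owner"],
};

// Only these metadata keys may reach an audit event (page: "Sanitized metadata
// keys: reason, safeContext"); anything else, such as a token, is dropped.
const ALLOWED_AUDIT_KEYS = ["reason", "safeContext"];

function sanitizeAuditMetadata(metadata) {
  const clean = {};
  for (const key of ALLOWED_AUDIT_KEYS) {
    if (metadata && typeof metadata[key] === "string") clean[key] = metadata[key];
  }
  return clean;
}

function deny(reason) {
  return { allowed: false, reason };
}

// Checks run in order and stop at the first failure, so an unauthenticated
// caller never learns whether a membership or role exists for the route.
function evaluateStaffAdminAccess(route, session, membership) {
  const permittedRoles = ROUTE_POLICY[route];
  if (!permittedRoles) return deny("route_not_in_policy");
  if (!session || !session.userId) return deny("no_staff_session");
  if (!membership || membership.userId !== session.userId) return deny("no_membership");
  if (membership.status !== "active") return deny("membership_" + membership.status);
  if (!permittedRoles.includes(membership.role)) return deny("role_not_permitted");
  if (membership.mfaRequired && !session.mfaVerified) return deny("mfa_not_verified");
  return { allowed: true, reason: "ok" };
}

// Constructed sample memberships mirroring the directory rows above.
const SAMPLE_MEMBERSHIPS = {
  owner: { userId: "u-owner", role: "platform_owner", status: "active", mfaRequired: true },
  opsAdmin: { userId: "u-ops", role: "staff_admin", status: "invited", mfaRequired: true },
};

// Owner with MFA required but not yet verified: the dashboard stays blocked.
console.log(evaluateStaffAdminAccess("/platform/demo/staff-admin",
  { userId: "u-owner", mfaVerified: false }, SAMPLE_MEMBERSHIPS.owner));
```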