// kova/auth.jsx — authentication surfaces // ---------------------------------------------------------------- // PRODUCT NOTE — architecture v7 §4.1 says: "KOVA does not build password login." // The canonical path is Cloudflare Access in front of every tenant with SSO via // Microsoft Entra ID / Google Workspace / Google OAuth. Password login below is // added at product owner's explicit request. If this contradiction needs to be // resolved, see strategy decision D-LOGIN (to be added) before shipping. // // All other surfaces (/session bootstrap, /access-pending, /access-denied) are // drawn from architecture §4.3 verbatim. // ---------------------------------------------------------------- const { useState, useEffect } = React; const { Btn, Input, Field, Chip, Kbd, Icon, Spinner } = window.K; /* ============================================================ PROVIDER BUTTON ============================================================ */ const ProviderBtn = ({ kind, label, meta, onClick, disabled }) => { const monogram = { google: 'G', microsoft: '◰', sso: 'S', email: '✉' }[kind] || '•'; return ( ); }; /* ============================================================ LOGIN PAGE — primary entry ============================================================ */ const LoginPage = ({ tenant = 'Acme Jewels', tenantId = 'acme', onAuthStart, onForgotPassword }) => { const [mode, setMode] = useState('chooser'); // 'chooser' | 'email' | 'submitting' | 'error' const [email, setEmail] = useState(`rohan@${tenantId}.com`); const [password, setPassword] = useState(''); const [errorMsg, setErrorMsg] = useState(''); const goSSO = (provider) => onAuthStart?.({ method: provider, tenant, tenantId }); const submitEmail = (e) => { e?.preventDefault(); if (!password) { setErrorMsg('Password is required.'); setMode('error'); return; } if (password.length < 4) { setErrorMsg('Incorrect email or password.'); setMode('error'); return; } setErrorMsg(''); setMode('submitting'); onAuthStart?.({ method: 'password', tenant, email }); }; return (

KOVA

Sign in to your workspace

Use your work account, or sign in with email and password.

Workspace · {tenantId}.kova.app {tenant}

{mode === 'chooser' && ( <>

goSSO('google')} /> goSSO('microsoft')} />

setMode('email')} style={{ width: '100%', justifyContent: 'center', height: 40 }}> Sign in with email )} {(mode === 'email' || mode === 'error' || mode === 'submitting') && ( )}

Protected by SSO · Cloudflare Access · audited on every action

); }; /* ============================================================ SESSION BOOTSTRAP — architecture §4.3 states checking_access → creating_user → creating_workspaces → loading_modules → ready ============================================================ */ const BOOTSTRAP_STEPS = [ ['checking_access', 'Checking your access…', 'Validating session with identity provider.'], ['creating_user', 'Creating your user record…', 'First-time sign-in · provisioning.'], ['creating_workspaces', 'Setting up your workspaces…', 'Designer · Inventory · or CEO workspaces per role.'], ['loading_modules', 'Loading your modules…', 'Role-filtered surfaces being mounted.'], ['ready', 'Welcome.', 'Opening home.'], ]; const SessionBootstrap = ({ method, tenant, onReady, onError }) => { const [stepIdx, setStepIdx] = useState(0); useEffect(() => { if (stepIdx >= BOOTSTRAP_STEPS.length - 1) { const t = setTimeout(() => onReady?.(), 700); return () => clearTimeout(t); } const t = setTimeout(() => setStepIdx(i => i + 1), [800, 600, 700, 600, 0][stepIdx] || 600); return () => clearTimeout(t); }, [stepIdx, onReady]); const providerLabel = { google: 'Signed in via Google Workspace', microsoft: 'Signed in via Microsoft Entra ID', password: 'Signed in via email and password', sso: 'Signed in via SSO', }[method] || 'Signed in'; const current = BOOTSTRAP_STEPS[stepIdx]; return (

{providerLabel}

{current[1]}

{current[2]}

{BOOTSTRAP_STEPS.map(([key, label], i) => { const state = i < stepIdx ? 'done' : i === stepIdx ? 'now' : 'pending'; return (

{label.replace(/…$/, '')}

); })}

); }; /* ============================================================ ACCESS PENDING — admin needs to assign role ============================================================ */ const AccessPending = ({ email, tenant, onSignOut, onContactAdmin }) => (

Access pending admin approval

Your identity is verified, but you haven’t been assigned a role in {tenant} yet. An administrator must complete provisioning before you can enter the workspace.

Identity verified · {email}

Awaiting admin role assignment

Workspaces created and modules loaded

Contact admin Sign out

); /* ============================================================ ACCESS DENIED — RBAC denial ============================================================ */ const AccessDenied = ({ email, tenant, reason, onSignOut, onRetry }) => (

Access denied

{reason || `Your account does not have access to ${tenant}. If this is unexpected, contact an administrator.`}

Identity verified · {email || 'unknown'}

Tenant denied access

Try a different account Sign out

); /* ============================================================ IDP ERROR — provider returned an error ============================================================ */ const IdpError = ({ provider, errorCode, onRetry, onSignOut }) => (

Identity provider error

We couldn’t verify your session with {provider || 'the identity provider'}. Your data is unchanged. Try again or sign out and start over.

{errorCode && (

err.idp · {errorCode}

)}

Retry Sign out

); /* ============================================================ DEV LOGIN — role switcher (architecture §4.3 /dev-login) Local-only · disabled in production. ============================================================ */ const ROLES = [ { id: 'ceo', name: 'CEO', mod: 'home', modules: 'HOME · ORBIT · VAULT · PRICE · KRAFT · APPROVALS · MONITOR (read) · ADMIN (read) · WIKI', persona: 'Rohan Patel', focus: 'Cross-company dashboards · approvals · trust layer' }, { id: 'hom', name: 'Head of Merchandising', mod: 'orbit', modules: 'HOME · ORBIT · VAULT (edit) · KRAFT (edit) · WIKI', persona: 'Priya Shah', focus: 'Trend review · brief drafting · KRAFT brief intake · signal triage' }, { id: 'designer', name: 'Designer', mod: 'kraft', modules: 'HOME · KRAFT · WIKI', persona: 'Vikram Sharma', focus: 'Private KRAFT workspace · brief-to-CAD lineage' }, { id: 'inventory', name: 'Inventory Manager', mod: 'vault', modules: 'HOME · VAULT · APPROVALS · WIKI', persona: 'Asha Iyer', focus: 'Deadstock queue · co-sign on transfers and reprices' }, { id: 'pricing', name: 'Pricing Lead', mod: 'price', modules: 'HOME · PRICE · APPROVALS · WIKI', persona: 'Karan Mehta', focus: 'Quotes · margin · rate updates · ceiling approvals' }, { id: 'admin', name: 'Platform Admin', mod: 'admin', modules: 'HOME · ADMIN · CONNECT · MONITOR · WIKI', persona: 'Neha Bose', focus: 'SSO · users · roles · audit · feature flags' }, { id: 'implementation',name: 'Implementation Eng', mod: 'monitor', modules: 'HOME · MONITOR · CONNECT · ADMIN (edit)', persona: 'Sami Khan', focus: 'Connectors · run telemetry · curator queue · heartbeats' }, ]; const DevLoginPage = ({ tenant = 'Acme Jewels', onPickRole }) => (

KOVA

Pick a persona

Dev login bypasses SSO and signs you in as the selected role. The rail, available modules, and approval power all change per role. Local only · disabled in production.

tenant · {tenant.toLowerCase().replace(/\s/g, '')}.kova.app

! This route should be off in production. Architecture v7 §4.3.

{ROLES.map(r => ( ))}

); /* ============================================================ SIGNED OUT — explicit post-logout page (architecture §4.3 /sign-out) ============================================================ */ const SignedOutPage = ({ user = 'Rohan', tenant = 'Acme Jewels', method, onSignInAgain }) => { const providerLabel = { google: 'Google Workspace', microsoft: 'Microsoft Entra ID', password: 'email & password', sso: 'SSO', }[method] || 'SSO'; return (

KOVA

✓

You’ve been signed out.

Your session for {tenant} has ended and your access token has been revoked. Any in-flight workflow remains queued in CONNECT and is unaffected.

Identity verified · {user.toLowerCase()}@acme.com

Signed in via {providerLabel}

Session ended · cookies cleared

Sign-out is audited · architecture v7 §11 admin telemetry

); }; /* ============================================================ AUTH SHELL — wraps any auth view with the same surrounding chrome ============================================================ */ const AuthShell = ({ children, hint }) => (

{children}

); /* ============================================================ EXPORT ============================================================ */ Object.assign(window.K, { ProviderBtn, LoginPage, SessionBootstrap, AccessPending, AccessDenied, IdpError, SignedOutPage, AuthShell, DevLoginPage, ROLES, });