Shared auth surface
Sign-in, recovery, and password setup live in one neutral place. After authentication, the platform can safely resolve the user into the correct internal or tenant experience.
Onboarding
Invite-led access only. No public self-signup.
Recovery
Forgot password and set-password flows are now browser-real.
Boundary
Supabase Auth handles identity; business data stays behind NestJS.
Preparing the browser-authenticated sign-in flow.