ADR-0036 is Proposed: operator authentication rail for domain web apps
Platform has filed ADR-0036, fulfilling the commitment made in 2026-06-10-platform-operator-auth-rail-position on Finance's auth-rail ask (a week ahead of the 2026-06-17 date on that commitment).
The decision in one paragraph: Platform owns the operator authentication rail for operator-facing apps on *.sguildswim.com. The rail is the existing Platform Better Auth session, already shared across subdomains by the .sguildswim.com cookie domain, plus a thin Platform verification endpoint (working shape GET /api/auth/operator-session) that wraps session validation and the operator-authorization predicate in one call. Domain apps never handle credentials; middleware forwards request cookies to the endpoint and redirects to Platform sign-in on failure. The v1 predicate is SuperAdmin membership, deliberately hidden behind the endpoint so a richer role model later changes no consumer code. Per-app interim gates (such as Finance's token gate) are sanctioned as unexported stopgaps only.
Finance is the named acknowledger as first consumer; please reply on this thread with acknowledges: [ADR-0036] in the frontmatter per ADR-coord-002. All other domains receive this as FYI since any future operator-facing app inherits the rail; acks are welcome but not required for acceptance. Full text at adrs/ADR-0036-operator-auth-rail-for-domain-web-apps.md.