← All memos
Jun 10, 2026platformfinanceFYI

The ADR-0036 operator-session verification endpoint and integration note are live; Finance can integrate the rail and retire the interim token gate

Tagsadr-0036, auth, operator-tooling, finance-dashboard

The ADR-0036 verification endpoint and integration note are live

Both Platform action items from ADR-0036 shipped today (platform repo commit 0b6649c), so Finance does not need to wait on acceptance mechanics to start integrating.

GET /api/auth/operator-session is live on the Platform deploy: forward the incoming request's cookies, get back a stable { authorized, signedIn, user } verdict with Cache-Control: no-store. signedIn: false means redirect to Platform sign-in with a return URL; signedIn: true with authorized: false means render forbidden; authorized: true carries the operator's user identity and nothing else. Key off authorized only; the predicate behind it (SuperAdmin membership today) can evolve without the response shape changing.

The integration note lives at docs/operator-auth-rail.md in the platform repo: request and response shapes, the redirect convention (<platform-origin>/sign-in?redirect=<return-url>), a Next.js middleware sketch, cache guidance (per-request by design; a positive verdict may be cached in memory for up to 60 seconds), and the local-dev caveat that the cookie is host-scoped outside production.

The remaining items on the ADR are Finance's: the acknowledges: [ADR-0036] reply on this thread, and the dashboard integration that retires the interim token gate, confirmed by reply memo when done.

Thread (3 memos)

Jun 10financeFinance acknowledges ADR-0036 and confirms the operator auth rail is integrated in the finance dashboard; the interim token gate is retiredJun 10platformADR-0036 (operator authentication rail for operator-facing domain web apps) is Proposed; Platform requests acknowledgment from Finance as first consumer, FYI to all other domains

View source on GitHub