# Program Portal Admin/Auth Architecture

ProgramPortal is intentionally independent from Chem-Titan and AxiomFlo. It should deploy as its own Cloudflare Pages project and link to product demos through configurable URLs in `public/portal-config.js`.

## Isolation rule

- Do not copy Chem-Titan or AxiomFlo bundles into `ProgramPortal/dist`.
- Do not iframe product apps into the portal for the public marketing experience.
- Treat product demos as outbound links or separately deployed Cloudflare Pages projects.
- If Chem-Titan or AxiomFlo is down, the marketing site should still load and collect leads.

## Recommended production services

1. **Supabase Auth**
   - Create platform-level admin users.
   - Store roles in a `platform_admin_profiles` table.
   - Require role checks before exposing any account or lead records.

2. **QR-code 2FA / TOTP**
   - Use Supabase MFA enrollment for TOTP factors.
   - Admin login flow should be: password/OAuth → enrolled factor check → challenge verification → admin dashboard.
   - Never bypass MFA for the primary owner admin account.

3. **Demo request logging**
   - Point `demoLeadEndpoint` in `portal-config.js` at a Cloudflare Function, Worker, or Supabase Edge Function.
   - Store records in a platform-level table such as `platform_demo_leads`.
   - Include `source`, `product`, `organization`, `created_at`, IP/user-agent metadata, and follow-up status.

4. **Resend automation**
   - Keep the Resend API key server-side only.
   - Send confirmation emails from `admin@chem-titan.com` or a future platform domain sender.
   - Log email delivery status back to the lead record.

5. **Admin board**
   - The static `admin.html` page is only an entry point.
   - The real board should load after auth and MFA, then query server-side APIs for leads, account creation logs, access grants, and product status.
   - Link out to product-specific dashboards when needed rather than making one product own all admin control.
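
The admin login flow in items 1 and 2 above, as an added example that is not ProgramPortal's own code: a JavaScript function that runs password sign-in, refuses any account without a verified TOTP factor, performs the challenge/verify step, confirms the session reached `aal2`, and only then checks the role in `platform_admin_profiles`. It takes a supabase-js v2 style client as a parameter; the `makeFakeClient` stand-in, the `user_id`/`role` column names, and the `owner`/`admin` role values are assumptions so the flow runs offline.

```javascript
// Added example (not ProgramPortal code). `client` is expected to expose the
// supabase-js v2 auth/mfa/from surface; the fake at the bottom is a constructed
// stand-in so the flow can be exercised without a Supabase project.
const ADMIN_ROLES = new Set(['owner', 'admin']); // assumed role values

async function adminSignIn(client, { email, password, totpCode }) {
  const deny = (reason) => ({ ok: false, reason });

  // Step 1: primary factor (password or OAuth in production).
  const { data: signIn, error: signInError } =
    await client.auth.signInWithPassword({ email, password });
  if (signInError || !signIn?.user) return deny('invalid_credentials');

  // Step 2: a *verified* TOTP factor must exist. No factor means no admin
  // session, and there is no exception for the primary owner account.
  const { data: factors, error: factorsError } = await client.auth.mfa.listFactors();
  if (factorsError) return deny('mfa_lookup_failed');
  const factor = (factors?.totp ?? []).find((f) => f.status === 'verified');
  if (!factor) { await client.auth.signOut(); return deny('mfa_not_enrolled'); }

  // Step 3: challenge, then verify the one-time code against that factor.
  const { data: challenge, error: challengeError } =
    await client.auth.mfa.challenge({ factorId: factor.id });
  if (challengeError || !challenge?.id) return deny('mfa_challenge_failed');
  const { error: verifyError } = await client.auth.mfa.verify({
    factorId: factor.id, challengeId: challenge.id, code: totpCode,
  });
  if (verifyError) { await client.auth.signOut(); return deny('mfa_code_rejected'); }

  // Step 4: do not trust the session until the server reports aal2.
  const { data: aal } = await client.auth.mfa.getAuthenticatorAssuranceLevel();
  if (aal?.currentLevel !== 'aal2') { await client.auth.signOut(); return deny('aal2_required'); }

  // Step 5: role check before the dashboard loads anything (assumed columns user_id, role).
  const { data: profile, error: profileError } = await client
    .from('platform_admin_profiles').select('role').eq('user_id', signIn.user.id).maybeSingle();
  if (profileError || !profile || !ADMIN_ROLES.has(profile.role)) {
    await client.auth.signOut();
    return deny('not_platform_admin');
  }
  return { ok: true, userId: signIn.user.id, role: profile.role };
}

// Constructed fake client: password 'correct-horse', TOTP code '123456',
// optional verified factor and optional platform_admin_profiles row.
function makeFakeClient({ enrolled, role }) {
  let signedIn = false;
  let verified = false;
  return {
    auth: {
      async signInWithPassword({ email, password }) {
        if (password !== 'correct-horse') return { data: null, error: { message: 'bad credentials' } };
        signedIn = true;
        return { data: { user: { id: 'user-1', email } }, error: null };
      },
      async signOut() { signedIn = false; verified = false; return { error: null }; },
      mfa: {
        async listFactors() {
          return { data: { totp: enrolled ? [{ id: 'factor-1', status: 'verified' }] : [] }, error: null };
        },
        async challenge() { return { data: { id: 'challenge-1' }, error: null }; },
        async verify({ code }) {
          verified = code === '123456';
          return verified ? { data: {}, error: null } : { data: null, error: { message: 'invalid code' } };
        },
        async getAuthenticatorAssuranceLevel() {
          return { data: { currentLevel: signedIn && verified ? 'aal2' : 'aal1' }, error: null };
        },
      },
    },
    from() {
      const q = { select: () => q, eq: () => q,
        maybeSingle: async () => ({ data: role ? { role } : null, error: null }) };
      return q;
    },
  };
}
```

In the portal this would live in an ES module behind `admin.html` and be exported; the point to keep is that every failure path signs the user out and returns a reason code, so the page never renders the board on a partially authenticated session.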

## Suggested tables

- `platform_admin_profiles`
- `platform_demo_leads`
- `platform_account_events`
- `platform_email_events`
- `platform_product_links`
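
The server side of `demoLeadEndpoint` from the "Demo request logging" item, writing rows shaped for `platform_demo_leads`, as an added example that is not ProgramPortal's own code. It is written as a Cloudflare Worker style `fetch` handler: the form body is validated and reduced to a fixed field list, while `source`, IP and user-agent metadata come from the request itself rather than from the body. The `env.leads.insert` store, the `ALLOWED_ORIGIN` binding and the product slugs are assumptions; a real deployment would insert with a server-side Supabase client.

```javascript
// Added example (not ProgramPortal code). Storage is abstracted as
// env.leads.insert(record) -> { id } (assumed); ALLOWED_ORIGIN is an assumed
// Worker environment variable holding the portal's origin.
const PRODUCTS = new Set(['chem-titan', 'axiomflo']); // assumed product slugs
const MAX_FIELD = 200;

// Pure validation: only the listed fields survive, so a caller cannot smuggle
// `ip`, `status` or `created_at` into the stored row.
function validateLead(body) {
  const errors = [];
  const str = (v) => (typeof v === 'string' ? v.trim() : '');
  const lead = {
    product: str(body?.product).toLowerCase(),
    organization: str(body?.organization),
    email: str(body?.email),
    source: str(body?.source) || 'portal',
    message: str(body?.message).slice(0, 2000),
  };
  if (!PRODUCTS.has(lead.product)) errors.push('product');
  if (!lead.organization || lead.organization.length > MAX_FIELD) errors.push('organization');
  if (lead.email.length > MAX_FIELD || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(lead.email)) errors.push('email');
  if (lead.source.length > 50) errors.push('source');
  return { ok: errors.length === 0, errors, lead };
}

// Build the platform_demo_leads row: cleaned fields plus metadata captured
// server-side. `headers` is a Headers-like object with a get(name) method.
function buildLeadRecord(lead, headers, now = new Date()) {
  return {
    ...lead,
    ip: headers.get('cf-connecting-ip') ?? 'unknown', // set by Cloudflare, not the browser
    user_agent: (headers.get('user-agent') ?? '').slice(0, 512),
    created_at: now.toISOString(),
    status: 'new', // follow-up status the admin board updates later
  };
}

async function handleDemoLead(request, env) {
  const json = (status, payload) => new Response(JSON.stringify(payload), {
    status, headers: { 'content-type': 'application/json' },
  });
  if (request.method !== 'POST') return json(405, { error: 'method_not_allowed' });
  // Only the portal's own origin may post leads here.
  if (env.ALLOWED_ORIGIN && request.headers.get('origin') !== env.ALLOWED_ORIGIN) {
    return json(403, { error: 'forbidden_origin' });
  }
  let body;
  try { body = await request.json(); } catch { return json(400, { error: 'invalid_json' }); }
  const { ok, errors, lead } = validateLead(body);
  if (!ok) return json(422, { error: 'validation_failed', fields: errors });
  const record = buildLeadRecord(lead, request.headers);
  const { id } = await env.leads.insert(record);
  return json(201, { id }); // never echo ip/user_agent back to the browser
}
```

Keeping `validateLead` and `buildLeadRecord` free of I/O makes them easy to unit test and keeps the trust boundary obvious: everything from the body goes through the allow-list, everything about the request (IP, user agent, timestamp, status) is filled in by the server.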

## Suggested links

- Chem-Titan demo: configured as `chemTitanHref`.
- Chem-Titan global dashboard: configured as `chemTitanAdminHref`.
- AxiomFlo Beta: configured as `axiomFloHref` when ready.

## Current implementation status

- Public portal: implemented as static HTML/CSS/ES module JavaScript.
- Demo request form: posts to `demoLeadEndpoint` when configured; otherwise opens a safe email fallback.
- Admin page: implemented as a secure entry placeholder, not a fake admin backend.
- Portal dashboard: now supports shared Supabase teacher/admin sign-in against the same `teacher_profiles` access model used by Chem-Titan.
- Portal dashboard data: currently reads live access/profile fields such as role, access term, granted date, and expiration date directly from Supabase.
- Admin parity note: full website-side admin parity with the Chem-Titan dashboard still needs a dedicated server-side summary/function endpoint for richer rollups beyond the profile row.
- Product apps: not copied, bundled, embedded, or required at runtime.
