Auth.js login
Needs inputLogin remains disabled until secrets, provider credentials, B2B DB, staff emails, and private storage are ready.
Next
Prepare AUTH_SECRET, AUTH_URL, login provider credentials, and staff/admin email allowlists.
System Readiness
This page shows whether the B2B live-consultation stack can safely store buyer conversations. The current answer should remain no until external credentials, Lightsail PostgreSQL, room guards, and private storage are ready.
Current recommendation
Keep consultation persistence disabled. Continue polishing demo UX and prepare external Lightsail/Auth credentials separately.
Owner actions
Prepare AUTH_SECRET, AUTH_URL, login provider credentials, and staff/admin email allowlists.
Create a separate Lightsail PostgreSQL database and set B2B_DATABASE_URL only in local/server env.
Choose a private local upload directory or private R2/S3 bucket, then keep the adapter locked until room access and audit logging are ready.
Add Redis-backed rate limiting and Turnstile verification before enabling public sign-in, room creation, uploads, or inquiry persistence.
Add a B2B database-backed audit writer with metadata redaction before enabling real buyer rooms or staff actions.
Owner should review the recommended retention policy before storing real buyer conversations.
These are not required for the current browser-only demo. They become necessary when real login, database persistence, or private file storage is enabled.
Production readiness
This screen keeps real buyer data locked until auth, B2B database, room guards, private storage, and audit logging are ready together.
Login remains disabled until secrets, provider credentials, B2B DB, staff emails, and private storage are ready.
Next
Prepare AUTH_SECRET, AUTH_URL, login provider credentials, and staff/admin email allowlists.
Database connection remains disabled until a separate Lightsail PostgreSQL database is prepared.
Next
Create a separate Lightsail PostgreSQL database and set B2B_DATABASE_URL only in local/server env.
Production room access is denied until Auth.js session checks and B2B DB room membership lookups are real.
Next
Implement repository-backed membership checks after auth and DB are configured.
Room, message, attachment, quote, sample, and handoff persistence remains locked by design.
Next
Keep write APIs locked until auth, database, room guard, private storage, and audit logging are complete.
The consultation repository is currently a no-op adapter. It defines the DB boundary but cannot read or write buyer data.
Next
Replace the no-op adapter with a PostgreSQL adapter only after Auth.js, room guards, private storage, and audit logging are ready.
Buyer image storage is a no-op adapter. Uploaded files are not written to disk, public paths, R2, or S3.
Next
Choose a private local upload directory or private R2/S3 bucket, then keep the adapter locked until room access and audit logging are ready.
Rate limiting and Turnstile are no-op. Demo routes remain usable, but public production traffic is not protected yet.
Next
Add Redis-backed rate limiting and Turnstile verification before enabling public sign-in, room creation, uploads, or inquiry persistence.
Security audit logging is a no-op adapter. No sign-in, room, upload, handoff, rate-limit, or admin security events are recorded yet.
Next
Add a B2B database-backed audit writer with metadata redaction before enabling real buyer rooms or staff actions.
Staff-selected 3D viewer presets sync through memory-only SSE for demo rooms. This is not persistent production realtime.
Next
Move viewer state to B2B DB plus Redis/Socket.IO after room guards exist.
Recommended policy is documented: Lightsail point-in-time backup, manual snapshots before changes, 3-year room retention, 5-year audit retention.
Next
Owner should review the recommended retention policy before storing real buyer conversations.