azure static web app auth readiness
Generated: 2026-06-29
current state
The live worker hub is still in public preview mode with draft-safe forms.
Do not treat the mock profile password box as real authentication. It is only a front-end preview of the intended profile flow and does not save the password.
intended production auth
Use Microsoft Entra ID / Azure Static Web Apps authentication.
Recommended roles:
- `anonymous` - preview-only access to start/guide/role-fit content before login is enforced
- `authenticated` - signed-in worker baseline
- `worker` - assigned worker access after role approval
- `admin` - Jupiter/admin setup, proof routing, pay review, restricted records, and completion archives
section gates
- `#profile` - authenticated
- `#quests` - authenticated plus assigned role rules inside the app
- `#forms` - authenticated; SharePoint Lists must exist before live submission
- `#proof` - authenticated; no proof = no payout
- `#admin` - admin only
static web apps route plan
After Entra roles are ready, protect:
- `/outputs/*` as `admin`
- `/assets/data/*` as `authenticated`

Keep `/` available to `anonymous` only if you want public preview/landing access. For a fully private worker hub, protect `/` as `authenticated`.
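A check for the route plan above, as an added example (not the project's verify script or its config template). `routes`, `route` and `allowedRoles` are Static Web Apps config keys; the probe paths and both sample configs are constructed, and matching is simplified to exact routes plus a trailing `*`.

```javascript
// Simplified model of Static Web Apps route matching:
// rules are evaluated in array order and the first match wins.
function matchRoute(rule, path) {
  return rule.route.endsWith("*")
    ? path.startsWith(rule.route.slice(0, -1))
    : rule.route === path;
}

// Roles allowed to request `path`; a path with no matching rule,
// or a rule without allowedRoles, is open to anonymous.
function effectiveRoles(config, path) {
  const rule = (config.routes || []).find((r) => matchRoute(r, path));
  return rule && rule.allowedRoles ? rule.allowedRoles : ["anonymous"];
}

// Probe paths are constructed; required roles come from the route plan.
const PLAN = [
  { path: "/outputs/setup-report.html", role: "admin" },
  { path: "/assets/data/workers.json", role: "authenticated" },
];

// One finding per probe whose effective roles differ from the planned role.
function auditGates(config, plan = PLAN) {
  return plan
    .map(({ path, role }) => ({ path, role, got: effectiveRoles(config, path) }))
    .filter(({ role, got }) => got.length !== 1 || got[0] !== role)
    .map(({ path, role, got }) => `${path}: expected [${role}], got [${got}]`);
}

// Constructed configs. In the second, the catch-all comes first and
// shadows the admin rule, so /outputs/* is readable by any signed-in user.
const protectedConfig = { routes: [
  { route: "/outputs/*", allowedRoles: ["admin"] },
  { route: "/assets/data/*", allowedRoles: ["authenticated"] },
  { route: "/*", allowedRoles: ["authenticated"] },
] };
const shadowedConfig = { routes: [
  { route: "/*", allowedRoles: ["authenticated"] },
  { route: "/outputs/*", allowedRoles: ["admin"] },
] };

console.log(auditGates(protectedConfig));
console.log(auditGates(shadowedConfig));
```

Because the first matching rule decides access, specific routes such as `/outputs/*` have to appear before any catch-all.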
Prepared files:
- `launch/staticwebapp.authenticated.config.json` - protected-mode Static Web Apps config template.
- `launch/set-static-web-app-auth-mode.ps1` - safe preview/apply/restore helper for switching auth mode.
Preview the protected-mode config before applying it:
```powershell
powershell -NoProfile -ExecutionPolicy Bypass -File launch\set-static-web-app-auth-mode.ps1 -Mode preview
```
Apply only after Microsoft Entra / Static Web Apps roles are configured:
```powershell
powershell -NoProfile -ExecutionPolicy Bypass -File launch\set-static-web-app-auth-mode.ps1 -Mode apply
powershell -NoProfile -ExecutionPolicy Bypass -File launch\deploy-static-web-app-direct.ps1
```
If you need to return to public preview mode after testing:
```powershell
powershell -NoProfile -ExecutionPolicy Bypass -File launch\set-static-web-app-auth-mode.ps1 -Mode restore-preview
```
go-live checklist
1. Configure Microsoft Entra authentication for Azure Static Web Apps.
2. Assign approved users to authenticated, worker, and admin roles.
3. Replace the mock profile password behavior with Microsoft sign-in status.
4. Protect `/outputs/*` before placing sensitive setup reports there.
5. Confirm SharePoint Lists/forms exist, then run `npm.cmd run verify:sharepoint-forms`.
6. Run `npm.cmd run forms:live` only after form verification passes.
7. Run `npm.cmd run verify`, `npm.cmd run verify:live`, and `npm.cmd run verify:render`.
sensitive info rule
Never store passwords, recovery codes, ID photos, billing/card/bank info, payout settings, private fan/customer records, private creator records, or platform recovery details in the website. Use `owner-only private record required` when sensitive proof exists elsewhere.