Legal AI

Tenant-aware legal operations, routed through one controlled edge.

This scaffold proves the auth handoff, protected shell, and navigation model for the Next.js app while keeping the browser on the BFF origin.

Ingress rule

Every browser request terminates at the BFF. Internal routing stays hidden behind that boundary.

Session state

Tenant, user, role, and JWT are stored together so route guards and future API calls operate from the same session object.

Authenticate through the BFF

This temporary dev login still uses the scaffolded `/token` endpoint. OIDC replacement can drop in later without changing the route guard or shell layout.

Dev access note: the `/token` flow now requires the current operator-managed password. The default email, tenant, and role fields remain scaffold defaults for the AWS dev proof surface until IdP-backed auth replaces this path.