{
  "service": "auth-onamerica",
  "version": "2.1.0",
  "status": "ok",
  "mesh_role": "Fleet Authorization Service for *.onamerica.org",
  "spec": "GET /.well-known/fleet-auth.json for full integration spec",
  "ventures": [
    { "code": "link", "domain": "link.onamerica.org", "customer": "Vets Whole In One" },
    { "code": "weyland", "domain": "weyland.onamerica.org", "customer": null },
    { "code": "mhs", "domain": "helmcorp.cc", "customer": null },
    { "code": "iaas", "domain": "iaas.onamerica.org", "customer": null }
  ],
  "endpoints": [
    "POST /api/auth/magic-link — Send 8-digit consent code to email",
    "GET /api/auth/token-status/:token — Poll for consent confirmation",
    "GET /api/auth/verify-token/:token — One-time code verification (flips 0→1)",
    "POST /api/auth/code — Checkin code login (venture-specific)",
    "GET /api/auth/role/:email — Resolve role for venture context",
    "GET /api/auth/staff — List staff for venture",
    "GET /api/auth/mhs-id/:email — Look up MHS ID",
    "PUT /api/auth/mhs-id/suffix — Self-service MHS ID suffix change",
    "POST /api/auth/logout — Revoke session — invalidate fleet token server-side",
    "GET /api/verify/:id/confirm?by=email — Trust chain: confirm",
    "GET /api/verify/:id/followup?by=email — Trust chain: follow up",
    "GET /api/verify/:id/deny?by=email — Trust chain: deny",
    "GET /api/verifications/pending — List pending verifications",
    "GET /.well-known/fleet-auth.json — This spec (machine-readable)"
  ],
  "consent_model": {
    "principle": "Maximum automation between consent gates. Every gate is explicit human affirmation.",
    "gates": [
      "Gate 0: Email entry (identity declaration)",
      "Gate 1: 8-digit code entry (consent to authenticate — code from email, typed into requesting portal)",
      "Gate 2: Biometric opt-in (consent to provision device — first login per device)",
      "Gate 2': Biometric scan (reauthorization — instant access on provisioned devices)"
    ],
    "token_security": {
      "generation": "crypto.getRandomValues() — 8-digit random per request",
      "storage": "SHA-256 hashed before INSERT. Plaintext code never stored in D1. Separate polling UUID for frontend.",
      "lifecycle": "Single-use. Prior tokens invalidated on new request. Burns after configurable failed attempts (default 5). 60-second cooldown between requests per node per venture.",
      "expiry": "15-minute TTL from creation",
      "transport": "HTTPS only. Code travels via email (MTA relay). User types code into HTTPS page. iOS autocomplete via @domain #code format.",
      "venture_scoped": "Each token is bound to a venture. A GolfLink code cannot be used on Weyland."
    }
  },
  "joining": {
    "description": "How to onboard a new venture into the fleet auth mesh.",
    "steps": [
      "1. Register venture: INSERT INTO onamerica_ventures (id, code, ...) — ID MUST use ven_ prefix (FTB-2026-0406-001). Example: ven_newventure.",
      "2. Build your auth portal: hascom build auth-portal --venture your_code --redirect /your-app/",
      "3. Deploy the generated index.html to your CF Pages project at your venture domain",
      "4. The portal handles: email entry, 8-digit code, polling, biometric enrollment, session storage",
      "5. All auth API calls go to auth-onamerica.ron-helms.workers.dev — your portal is static HTML",
      "6. Build your venture worker with POST /api/auth/fleet-exchange to accept fleet identity",
      "7. Optional: POST /api/auth/invite for team management, POST /api/consent/grant for consent records"
    ],
    "why_venture_local_portals": {
      "reason": "WebAuthn biometric credentials bind to the Relying Party ID, which by default is the domain of the origin where they were registered, and the server checks the signed origin on every ceremony. If the auth portal lives on auth-onamerica.ron-helms.workers.dev, credentials bind to that domain — not your venture domain. Each venture deploys its own static copy so biometric enrollment binds to the correct origin.",
      "build_command": "hascom build auth-portal --venture X --redirect /path/",
      "output": "Static HTML baked with venture constants at build time. Same template, different origins.",
      "update": "hascom build auth-portal --all rebuilds every venture from the latest template + D1 config."
    },
    "venture_worker_contract": {
      "description": "Your venture worker should implement these routes to integrate with fleet auth:",
      "routes": [
        "POST /api/auth/fleet-exchange — accept fleet identity, create/match local node by mhsId, return venture-scoped context",
        "GET /api/node/ventures — return ventures for authenticated node (populates workspace switcher)",
        "GET/POST/DELETE /api/ventures/:id/members — team management"
      ]
    },
    "consent_constraints": {
      "rule": "Every cross-system operation requires consent from both parties. Fleet auth publishes identity. Your service subscribes to it. Neither stores the other's credentials.",
      "token_chain": "Fleet identity → Venture context → API calls. Each hop is a consent boundary.",
      "consent_inline": "Consents travel WITH the identity in the token-status response. No extra call to consent-onamerica needed for enforcement.",
      "guest_access": "Pre-consented view-only tokens bypass fleet auth. Your service issues these directly."
    },
    "compliance": {
      "encryption": "All D1 data encrypted at rest. Tokens SHA-256 hashed. MTA secrets in CF vault. WebAuthn keys never leave device.",
      "soc2": "Auditable consent chain in onamerica_ops_log. Configurable brute-force attempt limits per venture.",
      "gdpr": "GET /api/user/export for data access. DELETE /api/user/erase for erasure cascade. POST /api/consent/withdraw for consent withdrawal. 13 consent types managed via consent-onamerica."
    },
    "migration_system": {
      "description": "Schema changes are tracked via hascom migrate. Numbered SQL files in hascom/migrations/. Each migration gets a chain block.",
      "commands": "hascom migrate --status | --history | --plan | --create NAME"
    }
  }
}