# Quickstart: Auth Structure

This guide provides the essential steps for a developer to set up and test the `064-auth-structure` feature locally.

## Prerequisites

-   Ensure you are on the `064-auth-structure` feature branch.
-   A working local development environment (Laravel Sail is preferred).
-   Entra ID application credentials must be configured in your `.env` file to test the `/admin` panel.

## 1. Apply Database Changes

Run the new migration to create the `platform_users` table and seed it with an initial administrator account.

```bash
# Using Laravel Sail
./vendor/bin/sail artisan migrate
./vendor/bin/sail artisan db:seed --class=PlatformUserSeeder
```

The default seeded platform user will be:
-   **Email**: `operator@tenantpilot.io`
-   **Password**: `password`

## 2. Configure Environment Variables

Add the following variables to your local `.env` file to control the new features.

```dotenv
# .env

# Enables the "break-glass" feature in the System Panel.
# Default: false
BREAK_GLASS_ENABLED=true

# Sets the duration (in minutes) for a break-glass session before it auto-expires.
# Default: 60
BREAK_GLASS_TTL_MINUTES=60
```

## 3. Verification Steps

Follow these steps to confirm the feature is working correctly.

### a. Test System Panel Access

1.  Navigate to `http://localhost/system/login`.
2.  Log in using the seeded platform operator credentials:
    -   Email: `operator@tenantpilot.io`
    -   Password: `password`
3.  You should be successfully redirected to the System Panel dashboard.
4.  If `BREAK_GLASS_ENABLED` is `true`, find and activate the "Enter break-glass mode" feature. A persistent banner should appear at the top of the page.

### b. Test Admin Panel Access

1.  Navigate to `http://localhost/admin/login`.
2.  Log in using a valid Microsoft Entra ID test user associated with a tenant.
3.  You should be successfully redirected to that tenant's dashboard.

### c. Test Isolation (Cross-Scope Access)

1.  **While logged into the System Panel** (`/system`), attempt to navigate directly to a tenant-scoped admin URL (e.g., `http://localhost/admin/t/1/dashboard`).
    -   **Expected Result**: You should receive a **404 Not Found** error page.

2.  **While logged into the Admin Panel** (`/admin`), attempt to navigate directly to a system panel URL (e.g., `http://localhost/system/dashboard`).
    -   **Expected Result**: You should receive a **404 Not Found** error page.

If all the above steps are successful, the local setup is complete and correct.