GateKeeper / Layer 2 / Wave 2

Governance decides first. Identity follows second.

This scaffold proves the thesis before live provider work begins: if the system is going to block the action, it blocks it before requesting credentials.

Auth Shell

No application session is active yet. Sign in through the SDK route to reach the protected dashboard.

/auth/login

Current posture

FULL_AUTO

google_calendar_read

provider google / domain documentation_comments

SUPERVISED

github_issue_create

provider github / domain new_file_creation

HARD_STOP

pricing_rule_change

provider internal / domain pricing_quote_logic

Active governance profile

conservative

Conservative is pinned for Wave 1 so the yellow and red lanes remain honest before any live auth or policy backend is introduced.