Authentication
Signup, login, password recovery, onboarding, and protected routes.
Signup
/signup creates an auth user with email and password. Users must verify their email before they can sign in — auto-confirm is not enabled. Marketing email opt-in is a separate, off-by-default checkbox.
Login
/login (and the alias /signin) signs the user in and redirects to /app. Already-signed-in users are redirected away from auth pages.
Forgot password
/forgot-password sends a password reset email. The page confirms the request without leaking whether an account exists.
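One way to keep the /forgot-password response identical for known and unknown addresses, shown as an added example that is not the application's own code. The handler and helper names are hypothetical, and the user store and mail queue are constructed in memory.

```javascript
// Added example: createForgotPasswordHandler, findUserByEmail and
// enqueueResetEmail are hypothetical names, not the app's real API.
const GENERIC_RESPONSE = Object.freeze({
  status: 200,
  message: "If an account exists for that address, a reset link has been sent.",
});

function normalizeEmail(input) {
  return String(input ?? "").trim().toLowerCase();
}

function createForgotPasswordHandler({ findUserByEmail, enqueueResetEmail }) {
  return function handleForgotPassword(rawEmail) {
    const email = normalizeEmail(rawEmail);
    // A syntax error says nothing about stored accounts, so a 400 is safe here.
    if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
      return { status: 400, message: "Enter a valid email address." };
    }
    try {
      const user = findUserByEmail(email);
      // Queue the mail instead of sending inline, so response time does not
      // depend on whether a message is actually delivered.
      if (user) enqueueResetEmail(user);
    } catch (err) {
      // Lookup or queue failures are logged server-side only; surfacing them
      // would produce a different response for some addresses.
      console.error("password reset request failed:", err.message);
    }
    return GENERIC_RESPONSE; // same status and body on every path past validation
  };
}

// Constructed sample data for the demonstration.
const users = new Map([["alice@example.com", { id: 1, email: "alice@example.com" }]]);
const queue = [];
const handleForgotPassword = createForgotPasswordHandler({
  findUserByEmail: (email) => users.get(email) ?? null,
  enqueueResetEmail: (user) => queue.push(user.email),
});

function demo() {
  const known = handleForgotPassword(" Alice@Example.com ");
  const unknown = handleForgotPassword("nobody@example.com");
  return { known, unknown, queued: [...queue] };
}
```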
Reset password
/reset-password handles the recovery link. Invalid or expired links surface a clear error and link back to forgot-password.
Protected app routes
Routes under /app/* are gated by RequireAuth. Unauthenticated visitors are redirected to /login.
Onboarding, profile and organization
On first sign-in, ensureUserWorkspace creates the user's profiles row, default organization, organization_members row, and notification_settings. /app/onboarding finalises the profile and sets onboarding_completed = true.