Milestone 1

Sign in to the governed workspace shell.

This flow is intentionally narrow for the first milestone: known users sign in, receive a signed session token, and then the app renders protected workspace data directly from the API.

Authentication

Session token entrypoint

The web app proxies login through Next route handlers, then uses the resulting cookie for server-rendered protected reads.