- Root-caused the collapsed Developer shell widget still rendering
Signed into the Developer-only identity merge path injs/api.js:/auth/sessionexposes the authenticated identity underpayload.user.email/payload.user.display_name/payload.user.user_code, but the previous Developer merge only read flatsession.email/session.name/session.user_code, so the shell resolver missed the real email and dropped into its generic fallback text. - Updated
js/api.jsto keep the fetched/auth/sessionpayload onme.sessionand to merge the nestedsession.user.*identity fields into the Developermeobject using the same real email/name/user-code source family the Admin dashboard consumes. - Tightened
js/auth.jsso the shell widget and dropdown identity helpers now readme.session.user.emailandme.session.user.display_namebefore any fallback, and replaced the old generic"Signed in"email fallback with the narrower"Email unavailable"fallback that only appears when no real email exists anywhere in the authenticated payload. - Corrected
css/app.cssso.developer-shell-page .ss-sidebar-brand .app-titleis now exactly16px; no other shell heading selectors were changed. - Expanded
tests/developer-access-gating.test.mjsto lock the real nested/auth/sessionuser-field merge path, the removal of the"Signed in"email fallback, and the exact16pxbrand-title rule. - No
StreamSuitesruntime/shared-session change was required. The existing/auth/sessioncontract already exposed the needed real email underuser.email; the rejection was in the Developer consumer path.
- The collapsed Developer user widget now resolves the real account email from the authenticated session instead of falling back to
Signed in. - The StreamSuites sidebar title is now exactly
16px.
- Corrected the Developer shell brand lockup in
css/app.cssto use the Admin-family sidebar header spacing model: restored the full brand block padding, aligned the logo/title/chip group back onto the standard left edge, increased the logo height to the family value, and reduced the title-to-chip gap by removing the extra Developer-only top offset on the subtitle chip. - Reworked the shell-only authenticated widget renderer in
js/auth.jsso the collapsed trigger now matches Admin behavior: primary text is always the display name, secondary text is always the resolved account email, and the old role-tier summary string is no longer used in the collapsed shell state. - Tightened Developer-side identity sourcing in
js/auth.jsso the widget resolves email/name/role from the same broader account/session field family used across the platform surfaces instead of falling back to the oldUnavailableplaceholder when the authenticated email is present on adjacent fields. - Ported the Creator-family tier-pill rendering into the Developer shell dropdown in
js/auth.jsandcss/app.css, so the Tier row now uses the real icon-plus-label chip treatment rather than plain text. - Normalized the Developer dropdown account-type row in
js/auth.jsto use family wording rules (Administrator,Creator,Developer, etc.) instead of the previous improvised role-tier summary formatting. - Replaced the Developer-only
css/status-widget.cssfork with the Admin Dashboard sizing/layout model. The widget logic already matched Admin; the tooltip was oversized because the Developer stylesheet had expanded the panel width, spacing, and placement behavior. - Expanded
tests/developer-access-gating.test.mjswith shell-parity assertions for the tier-pill renderer, the removal of theUnavailableemail fallback, and the restored Admin-style status tooltip structure. - No
StreamSuitesruntime or shared session payload change was required for this correction pass. The existing/api/mecontract already exposes the identity and tier fields needed by the Developer shell.
- The Developer shell brand block now lines up like the rest of the dashboard family and the
StreamSuites™toDeveloper Consolechip spacing is tighter. - The collapsed account widget now shows display name plus email, not role-plus-tier summary text.
- The dropdown now shows the real styled tier chip, and the footer status tooltip is back to the Admin-sized footprint.
- Root-caused the stuck-open account dropdown to the Developer shell CSS branch, not the session logic: the shell menu rendered with the
hiddenattribute butcss/app.cssnever re-applied a shell-scoped[hidden] { display: none; }rule for.ss-user-menu, so the authored flex layout overrode the browser default and left the panel visibly open. - Reworked the authenticated shell branch in
css/app.css,js/auth.js,dashboard/index.html,reports/index.html, andkeys/index.htmlto match the Admin/Creator family more closely: sidebar brand spacing now follows the same narrower shell rhythm, the shell picks up the same1200pxwidth reduction pattern, the top bar mounts the shared loader strip host, the footer now includes the Admin-style inline status-slot host, and mobile navigation now uses the family off-canvas drawer plus scrim pattern instead of stacking the full sidebar into the document flow. - Fixed identity rendering by updating
js/api.jsto merge/auth/sessionidentity fields into/api/mewhen the lighter Developer consumer lacks email/name/user-code data, then updatedjs/auth.jsso the collapsed shell widget shows the real email when present and only falls back to account identity text when email is genuinely unavailable. - Replaced the old hard-coded
tier + developercompact widget badges injs/auth.jswith badge normalization from the runtime-ownedbadgesarray plus role-aware fallback logic, so developer-capable accounts now pick the same admin-vs-developer-vs-tier compact icon treatment used elsewhere in the dashboard family. - Added the missing local shell utility files
js/utils/global-loader.js,js/utils/versioning.js,js/utils/version-stamp.js,js/status-widget.js,css/status-widget.css, and a localruntime/exports/version.jsonmirror so the Developer shell now loads the same class of version/build metadata, animated topbar loader, and inline status widget pattern as the working family surfaces without depending on another repo at runtime. - Tightened the dashboard-home hero rhythm in
css/app.cssby setting the protected-shell hero title to16px, reducing its bottom margin, and shrinking the subtitle gap without changing unrelated page headings. - Expanded
tests/developer-access-gating.test.mjswith shell-parity assertions for the new loader/version/status assets, mobile drawer hooks, hidden dropdown contract, and/auth/sessionidentity merge path. - No
StreamSuitesruntime/shared-state source change was required for this pass. The existing runtime already exposed the needed auth session identity and authoritative version export; the fix was in the Developer consumer and its missing local shell mirrors.
- The Developer shell now follows the Admin/Creator family more closely instead of carrying its own broken sidebar, dropdown, and mobile behavior.
- The account widget now closes properly, shows the real email when available, and uses the right compact role/tier icon for developer-capable accounts.
- Footer version/status and the animated topbar loader are now present in the Developer shell as expected.
- Added focused source coverage in
tests/developer-access-gating.test.mjsso the Developer login surface remains bound to the runtime/auth/turnstile/configenabledstate and still collapses the hidden Turnstile block cleanly when the runtime disables it.
- Developer login still follows the runtime-owned Turnstile switch instead of carrying its own local override.
- Root-caused the too-small
/reports/submitSurface selector to the page itself:reports/submit/index.htmlhard-coded a six-option shortlist, andjs/report-submit.jsmirrored only that tiny set through a small local label map. The backend was not enforcing that shortlist;StreamSuites/auth_api.pyalready accepts the developer report platform context as sanitized text plus structured JSON. - Added
js/report-surface-catalog.mjsas the new report-surface source of truth and expanded the catalog into grouped first-class product surfaces drawn from the actual StreamSuites repo map: Public, FindMeHere, Docs, Creator, Admin, Developer, LiveChat, Desktop Admin, Alerts App, shared platform systems, and runtime/core targets. - Updated
reports/submit/index.htmlso the Surface field now mounts from the shared grouped catalog instead of carrying the old inline shortlist, while preserving the existingcontext_surfacefield name and the conditionalOtherfollow-up input. - Updated
js/report-submit.jsto populate the grouped selector at runtime, reuse the shared label lookup during payload flattening, and preserve the existing submission contract forplatform_detailsandstructured_metadata. - Expanded
tests/developer-access-gating.test.mjswith a direct catalog import check so the repo now asserts the grouped surface inventory, representative cross-product entries, and the preservedOtherbranch. - No shared StreamSuites runtime/auth contract change was required for this pass; the runtime already stores the selected surface as free-form sanitized submission context.
- The developer report form now exposes the real StreamSuites product surface map instead of a tiny hand-picked shortlist.
- Shared platform and runtime/internal targets are now available alongside the web surfaces and desktop apps.
- Report submission behavior stays compatible with the current backend flow, including the existing
Otherpath.
- Root-caused the
/reports/submitshell bleed to the shared page bootstrap injs/auth.js: every route, including standalone routes, still ran the authenticated shell initializer and still received the shell-only signed-in account widget markup. That left shell state and shell-specific UI classes active outside the intended shell boundary even when the standalone HTML itself was separate. - Split the shared bootstrap into explicit
initShellPageandinitStandalonePageexports injs/auth.jsso only/dashboard,/reports, and/keysbind the sidebar/topbar shell behavior, collapse state, and shell-scoped account widget. - Updated the standalone routes and route scripts (
index.html,beta/index.html,login/index.html,login-success/index.html,js/beta-apply.js,js/feedback.js,js/report-submit.js) to use the standalone initializer instead of the shell initializer, and updated the real shell routes (js/dashboard.js,js/reports.js,js/keys.js) to use the shell-only initializer explicitly. - Changed
/reports/submitto identify itself as a standalone route instead of reusing the shellreportsnav key, and cleared any shell collapse classes on standalone boot so shell layout state cannot ride along onto standalone documents. - Restored a standalone-specific signed-in menu render path in
js/auth.jsusing the existing publicuser-widget/user-menustyling instead of injecting shell-onlystreamsuites-auth/ss-user-menumarkup into standalone headers. - Expanded
tests/developer-access-gating.test.mjsso the repo now asserts the shell-vs-standalone bootstrap split and verifies that/feedback,/beta,/beta/apply,/reports/submit,/login, and/login-successstay structurally outside the authenticated shell.
- The Developer shell is now route-bound again instead of leaking shared shell behavior into standalone pages.
/reports/submitand the other standalone pages keep their lighter standalone header treatment./dashboard,/reports, and/keysstill use the authenticated shell.
- Replaced the ad-hoc Developer authenticated shell markup on
dashboard/index.html,reports/index.html, andkeys/index.htmlwith the same Admin Dashboard shell pattern:#appgrid shell,#app-navsidebar,#app-headertopbar, collapse toggle, fixed topbar title slot, and#app-footer. - Ported the Admin-style authenticated account widget treatment into
js/auth.js/css/app.css, including the compact pill trigger, overview card dropdown, collapse-state persistence, topbar refresh action, and direct clickable sidebarli[data-view]items. - Kept
/feedback,/beta,/beta/apply,/reports/submit,/login, and/login-successoutside the authenticated shell; only the protected/dashboard,/reports, and/keysroutes moved onto the Admin-constructed shell. - Rebuilt
reports/submit/index.htmlinto structured sections with explicit required/optional markers, checkbox-driven affected-area selection, conditionalOtherfields, discrete environment inputs, and split platform/account context inputs. - Updated
js/report-submit.jsso the new structured UI is serialized back into the existing flat developer-report contract (affected_area,environment_details,platform_details,account_context) while also emitting richer JSON viastructured_metadata. - No shared StreamSuites runtime/auth contract change was required for this pass; the frontend adapts to the already-shipped
/api/developer/reportspayload shape. - Added targeted node assertions in
tests/developer-access-gating.test.mjsfor Admin-shell markup parity on protected routes and for structured report-field serialization markers.
- The protected Developer Console now uses the same shell construction discipline as Admin instead of the previous oversized custom sidebar.
- The detailed developer report form now asks for explicit technical context instead of loose monolithic environment/account text blobs.
- Report submission stays compatible with the current backend flow while carrying richer structured metadata for triage.
- Reordered
login/index.htmlso the Developer login surface now keeps the password form first, then the alternate-surface links, then the inline Turnstile block near the bottom of the auth stack. - Capped the dedicated Developer Turnstile helper/status text at
9pxincss/app.cssto match the shared emergency auth-surface requirement without shrinking unrelated console copy.
- Developer login still uses the same existing auth flow.
- The security check now sits lower in the form stack and uses the same discreet tiny helper text as the other login surfaces.
- Added the compact Creator-style account overview card pattern to the Developer Console dropdown in
js/auth.js/css/app.cssinstead of redesigning the shell. - The console dropdown now reads the existing runtime
admin_accessandcreator_workspace_accesscontracts alongsidedeveloper_console_access, soAdmin DashboardandCreator Dashboardlinks only render when the current session is actually authorized for those destinations. - No shared StreamSuites contract change was required for this repo pass; the console consumed the already-shipped access-class, display-tier, and capability payloads.
- The Developer dropdown now shows the same compact account-summary card family as Creator.
- Cross-surface links inside the console only appear when the signed-in account can really use them.
- Updated
js/auth.jsandjs/dashboard.jsto consume the new runtimeaccess_classpluseffective_tier.display_tier_labelcontract so protected-console gating keeps relying on runtime-owned developer authorization while the console shell stops reading the old tier shortcut as identity. - The Developer Console menu/account summaries now derive their visible identity string from access class plus backend display tier, collapsing duplicate
Developer · Developeroutput down to one label when the display chip matches the access class. - Added a focused node regression proving the shared auth helper now expects
access_classand display-tier data alongside the existingdeveloper_console_accesspayload.
- Protected Developer routes still honor the runtime developer-access decision, but the console now presents Developer identity from the new account-class model instead of the retired fake plan tier.
- Root-caused the live
/login-success/confirmation loop to the remaining cross-repo surface mismatch, not to missing credentials on the fetch itself:js/auth-success.jswas already callingGET /auth/sessionwithcredentials: "include", but the Developer repo still identified login starts assurface: "creator"while the runtime still treatedconsole.streamsuites.appas creator-origin auth traffic instead of a first-class console surface. - Updated the Developer login entry points to speak the correct surface contract.
js/config.jsnow exports the console auth surface key, andjs/login.jsnow sends both password and OAuth login starts withsurface=consolewhile keeping the existing/loginand/login-successroute model plus nestedreturn_tohandling intact. - Hardened the same-origin Pages auth proxy in
functions/_shared/auth-api-proxy.jsso it forwards every upstreamSet-Cookieheader instead of collapsing auth responses down to a single cookie line. That keeps password and OAuth handoffs honest when the runtime returns multiple cookies during login/callback cleanup. - Added concise browser-side auth diagnostics in
js/auth-success.jsfor the confirmation request target, final status, and rejection reason so future session-bootstrap regressions can be identified from the console without adding noisy debug-only scaffolding.
- The Developer Console now identifies itself as the Developer Console during login instead of pretending to be the creator surface.
- Auth handoffs keep all cookies that the runtime returns, and
/login-success/now records a useful reason when session confirmation still fails.
BUMP_NOTES.mdfunctions/_shared/auth-api-proxy.jsjs/auth-success.jsjs/config.jsjs/login.js
- Root-caused the remaining console login loop to a surface-handoff mismatch rather than a bad credential exchange: the Developer repo preserved
return_to, but it sent OAuth starts directly back to protected console routes and its/login-successpage only used a timed redirect instead of confirming the newly-issued session first. - Reworked the Developer console handoff to match the proven Creator/Public pattern.
js/login.jsnow sends OAuth providers to/login-success/with the original protected console target nested inreturn_to, and password login now lands on the same completion page after the existing short/api/mesettle check. - Replaced the old
js/auth-success.jstimer-only redirect with a real/auth/sessionconfirmation step that retries briefly on expected cookie-settle misses, preserves the requested console route, and only falls back to/login/when the runtime still reports no valid authenticated session. - Added console-local return-target normalization helpers in
js/config.jsso auth pages cannot become their own finalreturn_totarget and accidentally re-enter the login loop.
- Password and OAuth login now complete through a real session-confirmation handoff before the console enters
/dashboard,/reports,/keys, or other protected routes. /login-successis now a real auth completion page rather than a blind timed bounce.
BUMP_NOTES.mdjs/auth-success.jsjs/config.jsjs/login.js
- Root-caused the live
NetworkError when attempting to fetch resource.regression on the Developer/loginpassword submit tojs/login.js: the page still posted toPOST /auth/login/passwordwith a normal fetch, but the auth runtime finalizes successful password login with an HTTP302plus session cookie, so the browser fetch followed the redirect chain instead of treating the response as an auth handoff. - Kept the new access-code gate UI and unlock flow intact while changing the password-login branch to the same safe pattern used by the public auth surface:
redirect: "manual"on the password fetch, explicit handling for401/429/ verification-required responses, and short session polling through/api/mebefore navigating back toreturn_to. - Preserved the existing Developer route structure, same-origin auth proxy usage, OAuth/provider button wiring, and
surface: "creator"payload semantics; only the password-submit success handling changed.
- The access-code control remains on the Developer login page and still unlocks login when auth is gated.
- Password login no longer relies on a fetch-followed redirect that browsers can surface as a network error on success.
BUMP_NOTES.mdjs/login.js
- Root-caused the missing Developer login access-code control to the repo-local auth proxy:
functions/auth/[[path]].jsallowed password and OAuth starts, but it did not allow/auth/access-stateor/auth/debug/unlock, so the page could not load or execute the real public-style auth gate flow after deploy. - Reworked
login/index.htmlandjs/login.jsso the Developer/loginpage now uses the public auth surface's real access-code pattern instead of the earlier custom bypass variant: the control is labeledAccess code, gate state is fetched with cached/auth/access-statereads, unlocks persist in session storage until expiry, and password/OAuth starts are disabled or reopened behind the gate exactly as the public flow does. - Updated the narrow login-specific gate styling in
css/app.cssso the unlocked/open states and disabled OAuth buttons match the Developer surface without changing unrelated shell or layout work.
- The Developer login page now shows the real access-code gate behavior instead of a decorative or disconnected bypass variant.
- Password login, OAuth sign-in, and
return_tohandoff still use the existing routes, but they now wait on the same unlock step the public login uses when auth is gated.
BUMP_NOTES.mdcss/app.cssfunctions/auth/[[path]].jsjs/login.jslogin/index.html
- Replaced the old shared horizontal-nav treatment with two explicit chrome systems in the Developer repo: authenticated console routes now use a real sidebar plus topbar shell on
/dashboard,/reports, and/keys, while/feedback,/beta,/beta/apply,/reports/submit,/login, and/login-successstay on a lighter standalone header. - Refactored
css/app.cssaround wider shared content widths and a reduced heading scale so the console keeps the same visual family without the earlier cramped layout and oversized page titles. - Expanded
js/auth.jsfrom a simple status-chip slot into a reusable session widget with avatar/name metadata, dropdown actions, logout wiring, and active-route handling for both standalone pages and the authenticated shell. - Added a new authenticated
/reportshub page plusjs/reports.js, and moved the actual detailed developer report form to canonical/reports/submit/. - Replaced
report/submit/index.htmlwith a redirect stub and updated_redirectsso legacy/report/submitand/report/submit/both resolve to/reports/submit/cleanly after deploy. - Updated
js/report-submit.jsso submissions now identify themselves withsource_route: "/reports/submit/", keeping route metadata aligned with the new canonical page. - Added login-page auth-gate parity in
login/index.htmlandjs/login.js: the page now consumes/auth/access-state, exposes a bypass-code unlock form backed by/auth/debug/unlock, and renders Google, GitHub, and Discord provider icons while preserving the already-workingreturn_toflow and existing auth starts. - Shortened both legacy browser-facing auth pages under
auth/login/index.htmlandauth/success/index.htmlinto explicit redirect stubs because/loginand/login-successremain the browser-facing routes after the earlier proxy-namespace fix.
- The console now has a real authenticated shell instead of scattered top links.
- Standalone public and intake pages still feel connected to the console, but they stay outside the protected shell.
/reports/submitis now the real report page, and the old/report/submitpath redirects there.- The login page now includes the bypass-code field pattern and provider icons without regressing the working sign-in handoff.
BUMP_NOTES.mdDEPLOYMENT_SETUP.mdREADME.md_headers_redirectsindex.htmlauth/login/index.htmlauth/success/index.htmlbeta/index.htmlbeta/apply/index.htmlcss/app.cssdashboard/index.htmlfeedback/index.htmljs/auth.jsjs/config.jsjs/login.jsjs/report-submit.jsjs/reports.jskeys/index.htmllogin/index.htmllogin-success/index.htmlreport/submit/index.htmlreports/index.htmlreports/submit/index.html
- Root-caused live sign-in failure to a Cloudflare Pages route collision: the browser-facing login and success pages were mounted under
/auth/*, butfunctions/auth/[[path]].jsalso owns that namespace and intercepted/auth/login/with the proxy's404 {"success":false,"error":"Not Found"}response before static HTML could render. - Moved the browser-facing handoff pages to
/login/and/login-success/, which matches the proven Creator pattern of keeping human-facing login pages outside the proxied/auth/*namespace while still sending provider starts to/auth/login/{provider}and password posts to/auth/login/password. - Added exact legacy redirects from
/auth/loginand/auth/success(with and without trailing slash) to the new non-conflicting pages so older links and bookmarks still resolve after deploy.
- Console sign-in no longer relies on a page route that the auth proxy was swallowing.
- The login page now lives at
/login/, while the actual auth API starts stay on the existing proxied/auth/...endpoints.
BUMP_NOTES.mdDEPLOYMENT_SETUP.mdREADME.md_redirectsindex.htmljs/config.jslogin/index.htmllogin-success/index.html
- Scaffolded the existing
StreamSuites-Developerrepo as a Cloudflare Pages-oriented multi-route console surface using static HTML, shared CSS/JS modules, and same-origin Pages Function proxies for authoritative Auth/API access. - Established the first public routes at
/,/feedback,/beta, and/beta/apply, plus authenticated routes at/dashboard,/report/submit,/keys,/auth/login, and/auth/success. - Kept
console.streamsuites.appas the canonical hostname in repo positioning and docs while preserving enough naming flexibility for later alias attachment. - The feedback hub now combines new public intake with the existing approved-request board pattern rather than duplicating or inventing a second request authority.
- The report route is intentionally developer-only and aligns with runtime-owned validation and safe artifact handling instead of local form-only persistence.
- Added deployment/setup notes for the manual GitHub, Cloudflare Pages, custom-domain, environment-variable, and redirect verification steps that still happen outside this code milestone.
- The developer repo now has a real first-pass console scaffold instead of an empty shell.
- Public users can reach feedback and beta routes, while authenticated users can reach the dashboard, developer report route, and the future keys placeholder.
- This repo stays honest about its boundary: it is the console surface, not the runtime authority.
README.mdBUMP_NOTES.md.gitignore.env.example_headers_redirectsDEPLOYMENT_SETUP.mdindex.htmlfeedback/index.htmlbeta/index.htmlbeta/apply/index.htmldashboard/index.htmlreport/submit/index.htmlkeys/index.htmlauth/login/index.htmlauth/success/index.htmlcss/app.cssjs/*.jsfunctions/_shared/auth-api-proxy.jsfunctions/api/[[path]].jsfunctions/auth/[[path]].jsfunctions/oauth/[[path]].js
- Extended the developer-console Turnstile rollout beyond
/loginto the publicfeedbackandbeta/applysubmission forms, using the existing inline panel styling plus a shared explicit-render helper exported fromjs/auth.js. - Both forms now request
/auth/turnstile/config, require a fresh token before submit, and forwardturnstile_tokento the authoritative runtime endpoints/api/public/feedbackand/api/public/beta/apply. - This closes the request-access and public-intake gap that the interrupted rollout left behind.
- The developer console now protects public beta-application and feedback submissions with the same inline Cloudflare Turnstile approach already used on login, without redesigning those forms.
beta/apply/index.htmlfeedback/index.htmljs/auth.jsjs/beta-apply.jsjs/feedback.jsBUMP_NOTES.md
- Public intake abuse is reduced, not eliminated. Cloudflare WAF/rate limiting should still sit in front of the feedback, beta-apply, and auth-start endpoints.
- Reworked the protected Developer Console page bootstrap so
/dashboard,/reports,/reports/submit, and/keysnow opt into explicit developer-required gating instead of only checking for any authenticated session. - Updated
js/auth.jsto consume the runtime-owneddeveloper_console_accesspayload, redirect authenticated non-developer accounts away from protected console routes, and keep the signed-in menu from advertising protected console links to accounts that only have access to the public Developer routes. - Aligned the login page lockout control with the public auth treatment by changing the access-code action to the small key-style button, tightening Turnstile spacing, adding alternate-surface links, and adding a lightweight source-audit regression at
tests/developer-access-gating.test.mjs.
- Cleaned up the developer login vertical rhythm by grouping the existing access notice, Turnstile panel, alternate-surface links, password form, and status line into a dedicated auth stack without changing the auth logic or developer access model.
- Restored the missing access-code button icon by pointing the masked icon treatment at the required
assets/icons/ui/key.svg, and replaced the oldElsewherestrip with a collapsedLogin to other surfacessection using newss-public.svg,ss-creator.svg,ss-admin.svg, andss-developer.svgassets. - Expanded
tests/developer-access-gating.test.mjsto cover the new collapsed alternate-surface wording and the corrected key icon asset path.
- The Developer login page now breathes properly around the existing auth controls instead of feeling stacked too tightly.
- The old flat selector text was removed because it read poorly and made the alternate destinations look like leftover debug links rather than intentional secondary navigation.
- Non-developer accounts no longer get to sit inside the protected Developer Console shell just because they have a valid StreamSuites session.
- The Developer login page now matches the public access-code treatment more closely and exposes the same subtle links to the other login surfaces.
login/index.htmlcss/app.cssjs/auth.jsjs/dashboard.jsjs/reports.jsjs/keys.jstests/developer-access-gating.test.mjsREADME.mdBUMP_NOTES.md
- This pass still relies on the current shared StreamSuites identity model. The later dedicated Developer identity/admin-model task should revisit how protected-console eligibility is granted and presented, but it no longer needs to fix the immediate shell-access leak first.