# Auth, Teams & RBAC OS - Agent Guide

Secure team accounts, memberships, roles, permissions, invites, audit logs, and tenant isolation around an existing auth provider.

## Agent instruction

Do not scrape the human UI. Use this agent guide, the package manifest, and raw Buildprint files.

1. Fetch package manifest: `/buildprints/auth-teams-rbac-os/package.json`
2. Read order: `BUILDPRINT.md`.
3. Do not scrape human cards. Use this manifest, agent.md, and raw files. BUILDPRINT.md is the canonical start file and owns the required read order, phase gates, and acceptance gates. Structured control files are machine-readable mirrors only.
4. Follow the Buildprint's alignment/question rules before implementation.
5. Run required validation and write requested validation evidence plus the final chat handover.

## Metadata

- slug: `auth-teams-rbac-os`
- category: `Feature / Extension`
- tier: `agent-grade`
- status: `publishable-draft`
- runtime: Existing app auth
- stack: Auth, Teams, RBAC, Multi-tenant SaaS, Audit logs

## Entrypoints

- Human page: /buildprints/auth-teams-rbac-os/
- Manifest JSON: /buildprints/auth-teams-rbac-os/package.json
- Prompt: /buildprints/auth-teams-rbac-os/prompt.txt
- GitHub: https://github.com/DomEscobar/agent-buildprint/tree/main/buildprints/auth-teams-rbac-os
- Raw base: https://agent-buildprint.com/buildprints/auth-teams-rbac-os/files

## Files

- `API_ROUTES.md` - Buildprint package file (required)
- `BUILDPRINT.md` - compatibility bootstrap or package contract (required)
- `checks/acceptance.md` - acceptance checklist (required)
- `conformance/examples/adapter.stub.ts` - target-app conformance artifact (required)
- `conformance/package.json` - target-app conformance artifact (required)
- `conformance/README.md` - target-app conformance artifact (required)
- `conformance/src/adapter-contract.ts` - target-app conformance artifact (required)
- `conformance/src/load-adapter.ts` - target-app conformance artifact (required)
- `conformance/test/auth-rbac.conformance.test.ts` - target-app conformance artifact (required)
- `conformance/test/node-builtins.d.ts` - target-app conformance artifact (required)
- `conformance/tsconfig.json` - target-app conformance artifact (required)
- `CONTRACTS.md` - legacy interface/data contracts, when present (required)
- `MIGRATION_GUIDE.md` - Buildprint package file (required)
- `PLAN.md` - legacy execution index, when present (required)
- `plans/00-auth-forensics-tenant-research.md` - phase rail (required)
- `plans/01-data-model-tenant-boundary.md` - phase rail (required)
- `plans/02-permission-model-engine.md` - phase rail (required)
- `plans/03-server-guards-context.md` - phase rail (required)
- `plans/04-invite-membership-lifecycle.md` - phase rail (required)
- `plans/05-role-management-owner-safety.md` - phase rail (required)
- `plans/06-ui-flows.md` - phase rail (required)
- `plans/07-audit-log.md` - phase rail (required)
- `plans/08-billing-admin-boundary.md` - phase rail (required)
- `plans/09-full-security-product-validation.md` - phase rail (required)
- `plans/10-migration-rollout.md` - phase rail (required)
- `proof/package.json` - offline proof artifact (required)
- `proof/src/index.ts` - offline proof artifact (required)
- `proof/test/node-builtins.d.ts` - offline proof artifact (required)
- `proof/test/rbac.test.ts` - offline proof artifact (required)
- `proof/tsconfig.json` - offline proof artifact (required)
- `publication.json` - machine-readable mirror (required)
- `questions.md` - configuration interview (required)
- `RBAC_MATRIX.md` - Buildprint package file (required)
- `README.md` - human overview, non-authoritative (required)
- `schemas/buildprint.meta.json` - schema artifact (optional)
- `SECURITY_POLICY.md` - Buildprint package file (required)
- `SPEC.md` - legacy behavior requirements, when present (required)
- `TEST_MATRIX.md` - legacy risk-to-test alignment, when present (required)
- `UI_FLOWS.md` - Buildprint package file (required)
- `VALIDATION_TEMPLATE.md` - legacy completion report template, when present (required)

## Copyable implementation prompt

```txt
Use the Auth, Teams & RBAC OS Buildprint. First bootstrap exact snapshots: agb start https://agent-buildprint.com/buildprints/auth-teams-rbac-os/package.json . If agb is not installed, clone https://github.com/DomEscobar/agent-buildprint and run node agent-buildprint/bin/agb.js start https://agent-buildprint.com/buildprints/auth-teams-rbac-os/package.json . Then read .buildprint/next-agent.md and continue. Do not write Buildprint snapshots manually. Do Phase 00 auth forensics before coding. Reuse existing auth by default; do not claim done without server-side authorization tests on team-scoped routes.
```