Identity & Access
The guard shouldn't lock out the builder.
1 Principles
The owner can't get in.
- Auth succeeds but authorization fails — two different systems, two different failure modes
- PostgreSQL 22P02: query passes Clerk userId where UUID expected
- The bug is in the query, not the data — even with correct roles, the query crashes
- Default-deny is right, but only after roles exist to assign
| Problem | Question | Decision |
|---|---|---|
| Owner locked out of own app | Fix the guard or fix the query? | Fix the query — 22P02 uses wrong ID type |
Platform owner staring at a locked dashboard — the guard meant to protect strangers is blocking the builder
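The 22P02 failure and its Tier 0 fix, as an added TypeScript example that is not the platform's own code: an in-memory stand-in for the users and user_roles tables, where the table and column names, the owner-bootstrap rule and the sample ids are assumptions. The buggy guard compares the uuid column to the Clerk id and gets 22P02 (invalid_text_representation); the fixed guard resolves the Clerk id to the internal UUID first, and seeds an Admin role for the org owner so default-deny only applies once roles exist.

```typescript
// Added example (assumed schema): users(id uuid, clerk_id text),
// user_roles(user_id uuid, org_id text, role text). Not the platform's code.
type User = { id: string; clerkId: string };
type UserRole = { userId: string; orgId: string; role: "admin" | "member" };

const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Stand-in for a uuid column comparison: PostgreSQL raises 22P02
// (invalid_text_representation) when text like "user_2abc" reaches a uuid column.
function assertUuid(value: string, column: string): void {
  if (!UUID_RE.test(value)) {
    throw new Error(`22P02: invalid input syntax for type uuid in ${column}: "${value}"`);
  }
}

// Simulated tables (constructed, in-memory).
const db = {
  users: [] as User[],
  userRoles: [] as UserRole[],
  orgOwners: new Map<string, string>(), // orgId -> internal user uuid of the creator
};

// The bug: user_roles.user_id is uuid, but the guard passed the Clerk id straight through,
// so the query crashes for every user regardless of which roles are stored.
function rolesBuggy(clerkUserId: string, orgId: string): string[] {
  assertUuid(clerkUserId, "user_roles.user_id"); // throws 22P02 for "user_2..."
  return db.userRoles.filter(r => r.userId === clerkUserId && r.orgId === orgId).map(r => r.role);
}

// The fix: resolve the Clerk id to the internal uuid via users.clerk_id (text), then query roles.
function rolesFixed(clerkUserId: string, orgId: string): string[] {
  const user = db.users.find(u => u.clerkId === clerkUserId);
  if (!user) return [];
  assertUuid(user.id, "user_roles.user_id"); // always a real uuid now
  return db.userRoles.filter(r => r.userId === user.id && r.orgId === orgId).map(r => r.role);
}

// Guard: default-deny, but first seed an Admin role for the org owner when the org has
// no roles at all (the "seed roles" / auto-bootstrap step), so the builder is not locked out.
function guard(clerkUserId: string, orgId: string): "allow" | "deny" {
  const orgHasRoles = db.userRoles.some(r => r.orgId === orgId);
  const user = db.users.find(u => u.clerkId === clerkUserId);
  if (user && !orgHasRoles && db.orgOwners.get(orgId) === user.id) {
    db.userRoles.push({ userId: user.id, orgId, role: "admin" });
  }
  return rolesFixed(clerkUserId, orgId).length > 0 ? "allow" : "deny";
}
```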
2 Performance
789 errors, zero revenue.
| Metric | Target | Now |
|---|---|---|
| Owner access | Zero redirect loops | BLOCKED |
| Admin auto-bootstrap | 100% of new orgs | 0% |
| Checklist passing | 80%+ | 22% |
| Cross-tenant leakage | Zero | Untested |
| Problem | Question | Decision |
|---|---|---|
| Auth regression blocks all revenue PRDs | Which tier first? | Tier 0: fix query + break redirect loop |
Vercel logs showing 789 errors in 30 minutes — a redirect loop burning server resources while blocking all revenue
3 Platform
80% built, 0% working.
| Layer | Built | Wired | Working |
|---|---|---|---|
| Authentication | Yes | Yes | Yes |
| Identity | Yes | Yes | Yes |
| Multi-tenancy schema | Yes | Yes | Yes |
| Authorization | Yes | No | No |
| Billing | Partial | No | No |
| Problem | Question | Decision |
|---|---|---|
| Schema exists, guards deployed, no wiring | What blocks what? | User-Role query passes Clerk ID where UUID expected |
Architecture diagram showing solid authentication pipeline on the left, broken authorization pipeline on the right — schema exists, guards deployed, no wiring
4 Protocols
Every venture waits on this.
| Tier | What | Effort | Unblocks |
|---|---|---|---|
| T0 | Fix query + redirect + seed roles | 1 day | Owner access, CRM |
| T1 | Auto-bootstrap Admin | 1 day | Future deploys |
| T2 | RBAC enforced | 3 days | Customer onboarding |
| T3 | Invites + org switching | 3 days | Multi-user orgs |
| Problem | Question | Decision |
|---|---|---|
| Kill date 27 days away, can't onboard customers | Can Tier 0 ship today? | Yes — two bugs, both have known fixes |
Dependency diagram: Identity & Access at the root, with Sales CRM, Sales Dev Agent, Content Amplifier, and Agent Platform all blocked downstream
5 Players
Builder locked from own house.
| Job | Struggling Moment | Hidden Objection |
|---|---|---|
| Let me in | Can't access own dashboard | "Don't weaken security to fix onboarding" |
| Control access | Everyone sees everything or nothing | "RBAC will take weeks" |
| Isolate data | No enforcement beyond FK | "RLS is hard to debug" |
| Invite members | No self-serve invite flow | "What if I invite by mistake?" |
| Manage org | No billing, settings, analytics | "Customers don't pay for plumbing" |
| Problem | Question | Decision |
|---|---|---|
| Platform owner can't use platform | Who fixes, who commissions? | Engineering fixes, dream team commissions via browser |
Split screen: engineering team fixing the query on the left, dream team commissioning via browser on the right — the builder never validates their own work
Five Questions
- Can the owner get in without touching the database?
- How many errors are we generating before revenue?
- What percentage of infrastructure is wired, not just built?
- Which ventures are waiting on this to ship?
- Who fixes, who commissions, who's locked out?