Stage 1 contract review

The portal BFF boundary is explicit now.

The admin portal is being built as a Cloudflare Pages and Workers SvelteKit Backend for Frontend. It keeps session handling and browser UX in the portal, while all authoritative state lives behind the Go server API.

Stage 2 now follows the canonical POST /auth/token route with aud="portal". Everything else remains contract-driven, with the mock client still available for local development.

Mock-backed

No database driver is present in the portal repo.
The mock server client still mirrors the current portal integration contracts for local work.
The login flow uses the canonical portal-auth contract shape, with the live client enabled in production.

Session JWT

SESSION_JWT_SECRET

Signs the portal session cookie.

Go server

GO_SERVER_BASE_URL

The only backend origin the portal talks to.

Service token

GO_SERVICE_TOKEN

Used only from SvelteKit server routes.