Finance access

Runtime auth and role enforcement status for Finance OS. Mutating server actions require admin or finance_operator access; read-only users can inspect evidence without changing Finance Supabase state.

Current request

Local development fallback grants admin access.

allowed

local.finance-os@trygravity.ai

Role

Admin

Auth mode

local

Identity source

local_development

Action permissions

Server actions enforce these capabilities again before writing.

View Finance OS

Allowed

Run source sync probes

Allowed

Approve inputs

Allowed

Prepare close checkpoints

Allowed

Lock close periods

Allowed

Deployment auth checklist

These settings move Phase 0 auth/deploy verification from implicit to explicit.

Check	Status	Detail
Auth mode	attention	Local mode allows a development admin fallback when no trusted identity header is present.
Trusted identity headers	ready	x-gravity-user-email, x-auth-request-email, cf-access-authenticated-user-email, x-forwarded-email, x-user-email
Email allowlist	ready	At least one allowed email or domain is configured.
Role assignments	ready	At least one role-specific email list is configured.

Role model

Original Phase 0 roles and capability intent.

Role	Capabilities
Admin	Manage settings, Approve policy changes, Lock close periods, Review all exceptions
Finance operator	Run syncs, Review aliases, Approve contract terms, Prepare close packages
Reviewer	Review reports, Approve assigned exceptions, Comment on close readiness
Read only	View dashboards, Download approved reports, Inspect source traces