nrpg-workflow

Follow these rules when implementing changes in this repository:

Auth (critical)

• Use NextAuth cookie sessions for web UI flows.
• Do not use localStorage tokens for auth in the UI.
• In API routes, prefer getServerSession(authOptions) and server-side role checks.
• Only allow Authorization: Bearer ... when explicitly required for non-browser clients.

Multi-tenancy & privacy (critical)

• Never expose contractor identities to clients.
• Clients must not be able to browse/search contractors or contact them directly.
• Enforce role-based access for any contractor profile endpoints/pages.

Implementation workflow