HR-P1 Standalone Admin

Standalone login, access, seed, and import controls

Production can run before Account/ERP by using standalone HR identity, company memberships, role grants, audited seed batches, and employee imports.

Runtime

Postgres required

Fixture endpoints stay unavailable in production; admin actions operate only through database-backed sessions.
Token gated

Bootstrap

Creates the first standalone HR admin, primary company, membership, assignment, and company-level grant.

Company-level

Company access

Displays grants, memberships, assignment IDs, sensitivity ceiling, export permission, and consolidation rights.

Audited

Baseline seed

Seeds companies, employees, standalone users, role grants, and workflow records from the HR-P1 baseline contract.

Batch tracked

Employee import

Imports employee master rows with row-level errors, checksum, batch record, and production audit event.

API surface

Admin endpoints

Session based
| Method | Path | Guard |
| --- | --- | --- |
| POST | /people/v1/admin/bootstrap | x-people-bootstrap-token |
| GET | /people/v1/admin/company-access | Bearer people session |
| POST | /people/v1/admin/seed/baseline | hr_admin grant |
| POST | /people/v1/admin/import/employees | hr_admin grant + company scope |

Access pattern

Company-level rights

RLS scoped
| Role | Scope | Ceiling | Export | Consolidation |
| --- | --- | --- | --- | --- |
| hr_admin | company | S4 | Allowed | No |
| employee | self | S3 | No | No |
| auditor | cross_company | S2 | Masked | Allowed |
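
The company-level rights table above, evaluated as a deny-by-default check for reads and exports. This is an added example, not HR-P1's own code: the `Session` and `Record` shapes, the `decide` function, the ordering of the S-levels, and the reading of "Masked" as "export with sensitive fields redacted" are all assumptions.

```python
from dataclasses import dataclass

# Rows copied from the "Company-level rights" table; consolidation is not evaluated here.
GRANTS = {
    "hr_admin": {"scope": "company", "ceiling": "S4", "export": "Allowed", "consolidation": False},
    "employee": {"scope": "self", "ceiling": "S3", "export": "No", "consolidation": False},
    "auditor": {"scope": "cross_company", "ceiling": "S2", "export": "Masked", "consolidation": True},
}

@dataclass(frozen=True)
class Session:  # hypothetical shape of a database-backed session
    user_id: str
    role: str
    company_ids: frozenset

@dataclass(frozen=True)
class Record:  # hypothetical metadata of the employee row being accessed
    owner_id: str
    company_id: str
    sensitivity: str

def level(label):
    # Assumption: "S<n>" labels are ordered by n; anything else is unparseable.
    return int(label[1:]) if label[:1] == "S" and label[1:].isdigit() else None

def in_scope(session, grant, record):
    if grant["scope"] == "self":
        return record.owner_id == session.user_id
    if grant["scope"] == "company":
        return record.company_id in session.company_ids
    if grant["scope"] == "cross_company":
        return True
    return False  # unknown scope value: fail closed

def decide(session, record, action):
    """Return 'allow', 'mask' or 'deny' for action 'read' or 'export'."""
    grant = GRANTS.get(session.role)
    if grant is None or action not in ("read", "export"):
        return "deny"  # unknown role or action
    need = level(record.sensitivity)
    if not in_scope(session, grant, record):
        return "deny"
    if need is None or need > level(grant["ceiling"]):
        return "deny"  # above the role's ceiling, or unlabelled data
    if action == "export":
        return {"Allowed": "allow", "Masked": "mask"}.get(grant["export"], "deny")
    return "allow"
```

A check like this belongs in the application layer as a second gate; the RLS policies in Postgres remain the enforcement point if the application check is bypassed.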