PlayRoll Contributor Portal
The contributor portal is the public and invited onboarding surface for Pilot1 contributors. It is a Vite, React, and TypeScript static app backed by Supabase Auth, Supabase Postgres, and row-level security. It deploys to Cloudflare Pages at https://playroll.extrinsiccognition.com.
The portal is intentionally narrow. It handles intake, verified email identity, legal document acknowledgement, data-minimization acknowledgement, receiving-method readiness, and the canonical identity link between a portal contributor and a Playroll app user. It does not execute payments, validate gameplay, generate receipts, operate the recorder, or provide an admin queue.
Source
Repository: C:\EC\playroll-contributor-portal
App entry: src/App.tsx
Flow state: src/features/portal/usePortalFlow.ts
Supabase browser API: src/lib/portalApi.ts
Generated documents: src/lib/generatedDocuments.ts
Supabase migrations: supabase/migrations/
Identity link function: supabase/functions/activate-contributor-app-link/index.ts
Operational docs: docs/
Product Ownership
The portal currently owns:
- public Pilot1 application intake
- Supabase email verification through magic-link or signup confirmation
- invite and referral onboarding links
- contributor profile data needed before recorder access
- generated text documents for incarico, privacy acknowledgement, and fiscal declaration
- document acceptance evidence with package version, document versions, timestamps, verified email, auth user id, and SHA-256 document hashes
- deferred sensitive-data acknowledgement
- own-name SEPA IBAN receiving-method capture with browser and database validation
- email confirmation for SEPA receiving methods
- manual review request when the contributor cannot provide a supported SEPA IBAN
- app identity activation after required agreements and confirmed SEPA IBAN
- minimal verified-contributor projection sync back to the Playroll app Supabase project
The portal does not currently own:
- general backend/service-role operations outside the identity-link Edge Function
- internal admin review pages
- storage buckets for signed PDFs or gameplay captures
- immutable PDF signing
- session validation
- PlayRoll time-credit generation
- milestone unlock execution
- payout request creation
- payment provider execution
- receipt or value-sheet generation
- failed-payment handling
Legal Identity Rules
Use Extrinsic Cognition, Inc. as the legal counterparty, controller, committente, and payor. Use PlayRoll only as the recorder and contributor portal product name.
Avoid language that makes the surface look like employment, payroll, a task marketplace, or an internship platform. Contributor-facing copy must not imply fixed shifts, exclusivity, disciplinary rankings, automatic penalties, or mandatory session acceptance.
Current Implementation
The browser app is a thin mode switcher:
loading -> email-sent -> public -> onboarding -> rewards -> status
src/App.tsx renders one workspace per mode. usePortalFlow owns session boot, Supabase callback parsing, application submission, onboarding submission, payout receiving-method save, payout email confirmation, and optional app identity-link sync when a link_intent or intent_id query parameter is present.
Main UI surfaces:
PublicApplicationPage: email login and initial application formOnboardingWorkspace: profile, document review, acceptance, and read-only document reviewRewardsWorkspace: zero-balance rewards state and receiving-method setupStatusView: returning applicant state
Playroll App Identity Link
The portal activates the app/contributor link only after its own contributor gate is complete. The app can request a signed link intent, but it cannot create an active contributor link by itself.
App identity:
playroll_supa_new.playroll_users.user_id
Portal identity:
playroll_contributor_portal.contributors.id
Portal source table:
playroll_contributor_portal.public.contributor_app_links
App read model:
playroll_supa_new.public.contributor_status_projection
See Playroll App Identity Link for the full flow, activation gate, e2e acceptance checks, and observability.
Production Gates
No contributor should receive recorder access until all pre-recorder gates are complete:
contract_signed = true
privacy_notice_accepted = true
tax_status_valid = true
data_minimization_acknowledged = true
verified_email is present
No contributor should receive money or value until all payment gates are complete:
payout_method_verified = true
session_validated = true
milestone_reward_available = true
rolling_12mo_projected_total <= 4000
receipt_or_payment_statement_generated = true
payment_approved_by_founder = true
Sensitive Data Boundary
Before recorder access, the portal must not collect:
codice fiscale
full residential address
date of birth
identity document
IBAN
payout method
The current onboarding insert stores empty compatibility fields for some legacy columns, but the visible browser flow defers those data classes. The rewards workspace may collect a receiving method only for receiving money or rewards from Extrinsic Cognition, Inc.