When Turtini staff request access to your account

If a Turtini staff member needs to see your account (debugging an issue you reported, reproducing a bug, helping you set something up), they have to REQUEST your permission first. They cannot just sign in as you.

What you'll see when a request comes in:

A full-screen overlay (we call it the "drape") appears on your screen showing:

• The full name of the Turtini staff member requesting access
• That they're requesting from "Turtini" (no role, no title — just that they're staff)
• An optional reason they typed when they made the request
• Four duration buttons: 15 min / 30 min / 45 min / 60 min
• A Deny button

The drape is modal — you can't dismiss it or navigate away until you grant or deny. Reload doesn't help; the same request reappears.

What grant does:

• Picks a window (15 / 30 / 45 / 60 minutes) — the staff member can act as you ONLY during that window
• At expiry the session ends automatically; if they need more time, they have to make a new request
• You can revoke at any time during the window from the slim top banner that appears once the session is active

What deny does:

• The request is recorded as denied
• The staff member sees "Request denied" and cannot make another request for this account for at least 30 minutes
• You can deny without explaining; no reason is required

What the staff member CAN'T do without your grant:

• Read your data without permission (rules deny them at the Firestore layer outside an active session)
• Sign in as you with credentials (custom tokens are minted only when you've granted, only for the duration you've granted)
• Take an action that doesn't show up in audit (every action during the session is logged with their uid + that they were acting as you)

What audit captures:

• Every grant: who requested, who granted, duration, timestamp, optional reason
• Every action during the session
• Every revoke / extend / expiry

Why we built it this way: the old "platformAdmin can impersonate any user" flow was easy for staff but a poor consent story for users. Consent-gated SuperUser puts you in charge of when and how long staff can see your account — and never lets them see it without you knowing.

Pending requests time out automatically after 30 minutes if you neither grant nor deny.