DSM Cortex Platform: Multi-Portal Monorepo, Unified Sign-In, and New Admin & Vendor Portals (QA)

PR #748 · heytulsiprasad · Jan 18, 2026 · 16:35 UTC
QA: Jan 1, 2026
Production: Jan 18, 2026

Executive summary

This release promotes a large foundational rebuild of the DSM Cortex web platform to the QA environment for testing. The frontend was reorganized into a single multi-application workspace (Mail, a new standalone Vendor portal, and a brand-new Admin portal), all unified behind a shared single sign-on experience with optional Okta login and a Google-Workspace-style app switcher for moving between portals.

Why this was needed

The product was growing from a single Mail application into a suite of portals (Mail, Vendor, Admin) that need to share branding, theming, authentication, and UI components. The previous setup duplicated logic and relied on browser-stored tokens (NextAuth/JWT in localStorage). To support enterprise customers and a cohesive multi-portal experience, the team consolidated everything into one shared codebase and moved to more secure HttpOnly cookie sessions shared across subdomains.

Client / user impact

  • Users can move between Mail, Vendor, and Admin portals via a unified 9-dot app switcher with a single sign-on session.
  • Enterprise customers can sign in with Okta SSO alongside the existing login.
  • A new self-service Admin portal exposes management of entities, users, roles, permissions, folders, document types, upload centers, rules, notification templates/policies, identity-provider mappings, and system settings (including health checks and cache controls).
  • The Vendor portal is now a dedicated app with a redesigned upload experience (quick Mail/Batch uploads, a floating upload-progress panel, a View Files modal with search/date filters, and a live "Files Today" counter).
  • Consistent theming (Original, Horizon, Lumina, Midnight presets), typography, and density across all portals.

Technical scope

Large change set (100+ files reported, ~47k additions). The following is grounded in the commit history and file list:

  • Monorepo: Migrated to a Turborepo + pnpm workspace; split into apps/auth, apps/mail, apps/vendor, apps/admin and shared packages (types, config, http-client, auth-client, ui, personalization).
  • Authentication: Replaced NextAuth/JWT/localStorage with HttpOnly cookie sessions (dms_session) validated via /api/v1/auth/me; added shared CSRF-token handling, cross-origin detection, and withCredentials. Middleware now gates routes on cookie presence (PR #742).
  • Okta SSO: Added Okta login/logout buttons and flows in auth, mail, and vendor apps; new OktaTarget/OktaSSOOptions types.
  • Admin portal (apps/admin, 95 files): Next.js 15 app with TanStack Query (40+ queries, 30+ mutations), adminService CRUD over 100+ endpoints, DataTable, and full set of entity pages plus form dialogs. Includes permission-response parsing ({items:[...]}) and rule/notification schema realignment (string IDs, delivery/title fields, match-mode badges).
  • Vendor portal: Extracted to standalone app on its own route set; corrected FileStack upload payload (handles/policy/signature), fixed field mismatches (files_uploaded_today, tasks/count), and added a WebSocket provider with polling fallback for cross-origin.
  • App switcher & branding: Cortex-gradient icons, favicons, AccessDenied + portal permission guards.
  • Build/infra: Docker setup (Dockerfile, DOCKER.md, .dockerignore), ECR workflow update, dynamic Vercel-preview URL resolution, and Next.js 15 Suspense fixes for useSearchParams.

Risk & mitigation

High-surface-area release: a monorepo migration plus an authentication overhaul (cookie + CSRF + Okta) touches every portal's login, redirects, and session handling, so regressions in sign-in, logout, or cross-subdomain sessions are the main risk. Commit notes flag a known backend logout issue ("No active sessions found" 400) and a reliance on cross-origin cookie/CSRF behavior. Mitigation: this is a QA promotion (not production), the new Admin/Vendor portals are gated behind portal-access permissions, and a polling fallback exists where WebSockets fail. A full authentication regression pass on QA is recommended before any production promotion.

QA validation focus

  • Auth: Email/password and Okta SSO login on each portal; logout (watch the known backend 400); session persistence across mail/vendor/admin subdomains; CSRF on POST/PUT/PATCH/DELETE; behavior after browser back/forward (bfcache).
  • App switcher: Visibility and permission gating (Mail open to all; Vendor/Admin require portal:access_*); keyboard navigation; AccessDenied for unauthorized portals.
  • Admin portal: Each page loads (entities, users, roles, permissions, folders, document-types, upload-centers, rules, notification templates/policies, IDP mappings, settings); create/edit/delete via form dialogs; user activate/deactivate; settings health checks and cache clear/confirm dialogs.
  • Vendor portal: Quick Mail/Batch uploads, upload-progress panel, View Files modal (search + date filter + status badges), live Files Today counter, task completion UI refresh.
  • Theming: All four theme presets, typography, and density render consistently across portals.
  • Cross-env: Verify auth redirects on Vercel preview URLs and confirm Docker builds for each app.