Auth Pheromones
Auth pheromones are time-limited security escalation markers. When a founder deposits a pheromone, all users must complete TOTP verification to access the site.
Pheromone Record
| Field | Type | Description |
|---|---|---|
| id | TEXT | Unique identifier |
| require_2fa | INTEGER | 1 to enforce TOTP |
| expires_at | TEXT | When the lockdown ends |
| deposited_by | TEXT | Founder who activated |
| deposited_at | TEXT | Activation timestamp |
Behavior
When an active pheromone exists (require_2fa = 1 and expires_at > now):
- All authenticated requests check for a valid TOTP session
- Users without TOTP enrollment are redirected to /totp/enroll?reason=required
- Users with TOTP but no active session are redirected to /totp/verify?reason=pheromone
- The lockdown automatically expires when expires_at passes
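
The checks above written as a request gate, added here as an illustration and not the project's own code. The SQLite table, the ISO 8601 timestamp format, the user fields and every function name are assumptions; expires_at is parsed before comparing because raw TEXT timestamps with different UTC offsets do not sort chronologically.

```python
import sqlite3
from datetime import datetime, timezone

# Assumed schema, built from the Pheromone Record fields.
SCHEMA = """CREATE TABLE pheromones (
    id TEXT PRIMARY KEY, require_2fa INTEGER, expires_at TEXT,
    deposited_by TEXT, deposited_at TEXT)"""


def parse_ts(text):
    # Assumption: timestamps are ISO 8601; naive values are treated as UTC.
    ts = datetime.fromisoformat(text)
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def lockdown_active(conn, now):
    """True if any pheromone has require_2fa = 1 and expires_at > now."""
    rows = conn.execute(
        "SELECT expires_at FROM pheromones WHERE require_2fa = 1")
    # Compare parsed datetimes, not raw TEXT, so mixed offsets order correctly.
    return any(parse_ts(expires_at) > now for (expires_at,) in rows)


def totp_redirect(conn, user, now):
    """Return the redirect path for an authenticated request, or None to allow."""
    if not lockdown_active(conn, now):
        return None  # no active pheromone: normal access
    if not user["totp_enrolled"]:
        return "/totp/enroll?reason=required"
    if not user["totp_session"]:
        return "/totp/verify?reason=pheromone"
    return None  # enrolled and verified


def demo_db():
    # Constructed sample record, not real data.
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.execute(
        "INSERT INTO pheromones VALUES (?, ?, ?, ?, ?)",
        ("ph-1", 1, "2024-01-01T12:00:00+00:00", "founder-a",
         "2024-01-01T11:00:00+00:00"))
    return conn
```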