Private Access and SSO

Private routes are served through the same public edge URL as public routes, but the edge requires visitor identity before forwarding.

The current implemented identity path is email-code login through the control plane. Private access admits the owner account and emails added with uplink share or share: in config.

Account-wide SSO/OIDC is product planning for stricter team tiers; it is described in the monetization and management docs, but the current route gate confirmed in code is account/email identity, not a shipped OIDC setup flow in the CLI.