Establish a role-scoped session for the SEEDED demo user of role (looks it up in env.PREVIEW_DB).
This is the only code that touches a session; it must bind to a seeded throwaway row, never a real user.
OptionalredirectWhere to land after login (default "/").
The roles a preview may assume — derive from the contract (cockpit previewRoles), NEVER a hardcoded list. A requested role MUST be a member; "anonymous" is handled by the launcher (it opens the app with no login).