diff --git a/src/core/auth/auth-options.ts b/src/core/auth/auth-options.ts
index 0a35617..fe2b9b5 100644
--- a/src/core/auth/auth-options.ts
+++ b/src/core/auth/auth-options.ts
@@ -1,5 +1,6 @@
 import type { NextAuthOptions } from "next-auth";
 import AuthentikProvider from "next-auth/providers/authentik";
+import { useGisAcFlag } from "@/core/feature-flags/use-gis-ac";
 export const authOptions: NextAuthOptions = {
 providers: [
@@ -55,6 +56,10 @@ export const authOptions: NextAuthOptions = {
 (session.user as any).company = token.company || "group";
 }
 (session as any).accessToken = token.accessToken;
+ // Faza C cutover flag — exposed on session so client components can
+ // branch the same way server routes do (env-driven, evaluated per
+ // request so flag flip + container restart picks up without rebuild).
+ (session as any).useGisAc = useGisAcFlag(session.user?.email);
 return session;
 },
 },
diff --git a/src/core/feature-flags/use-gis-ac.ts b/src/core/feature-flags/use-gis-ac.ts
new file mode 100644
index 0000000..b517835
--- /dev/null
+++ b/src/core/feature-flags/use-gis-ac.ts
@@ -0,0 +1,20 @@
+// Server-side feature flag for the api.gis.ac cutover (Plan 003, Faza C).
+//
+// Off by default → all parcel/eterra/geoportal call sites keep using the
+// legacy local-DB code path. Flip via Infisical /architools:
+// USE_GIS_AC=1 → global enable
+// GIS_AC_PILOT_USERS=a@x,b@y → per-email override for staged rollout
+//
+// After redeploy, call sites read useGisAcFlag(session.user.email) and
+// branch between the legacy path and the gis-api thin client (Faza D).
+
+const PILOT_USERS = (process.env.GIS_AC_PILOT_USERS || "")
+ .split(",")
+ .map((s) => s.trim().toLowerCase())
+ .filter(Boolean);
+
+export function useGisAcFlag(userEmail?: string | null): boolean {
+ if (process.env.USE_GIS_AC === "1") return true;
+ if (!userEmail) return false;
+ return PILOT_USERS.includes(userEmail.toLowerCase());
+}
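Review bot: In the `session` callback of `src/core/auth/auth-options.ts`, the new `useGisAc` value is sent to the browser with the session, so it can only be a UI hint; server routes should call `useGisAcFlag` on the server-side session email and never trust a flag the client sends back. The pilot decision is keyed on `session.user?.email`, so it is only as reliable as the e-mail claim from the identity provider; whether that claim is verified or user-editable is not visible here, and a stable subject id may be the safer key. The `(session as any)` cast hides the new field from the type checker; a `next-auth` module augmentation declaring `useGisAc: boolean` on `Session` would let client code read it without further casts. The callback body starts and ends outside the hunk.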
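Review bot: In the new `src/core/feature-flags/use-gis-ac.ts`, the name `useGisAcFlag` reads as a React hook although the function is a server-side env lookup. `react-hooks/rules-of-hooks` will treat it as a hook, and a client component that imports it directly would presumably always get `false`, since neither variable is exposed to the browser bundle. A name such as `isGisAcEnabled`, plus a header line like `// Server-only: reads process.env; client code must use session.useGisAc.`, would make the boundary explicit. Separately, list entries are trimmed and lowercased but `userEmail` is only lowercased; `PILOT_USERS.includes(userEmail.trim().toLowerCase())` keeps both sides normalised the same way. `PILOT_USERS` is built once at import while `USE_GIS_AC` is read on every call, which is worth stating in the header comment.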