From 25d464215eff00774117ab4315952b4cd0cd9b14 Mon Sep 17 00:00:00 2001 From: Codex Agent Date: Thu, 1 Jan 2026 19:53:05 +0100 Subject: [PATCH] Document superadmin control surface --- .beads/issues.jsonl | 2 +- .beads/last-touched | 2 +- docs/ops/operations-manual.md | 30 ++++++++++++++++++++++++++++++ 3 files changed, 32 insertions(+), 2 deletions(-) diff --git a/.beads/issues.jsonl b/.beads/issues.jsonl index 19e50b8..aad032b 100644 --- a/.beads/issues.jsonl +++ b/.beads/issues.jsonl 
@@ -58,7 +58,7 @@ {"id":"fotospiel-app-g74","title":"Paddle migration: automated tests for checkout/webhooks/sync","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-01T15:58:34.795423009+01:00","created_by":"soeren","updated_at":"2026-01-01T15:58:40.467997776+01:00","closed_at":"2026-01-01T15:58:40.467997776+01:00","close_reason":"Completed in codebase (verified)"} {"id":"fotospiel-app-gsv","title":"Localized SEO: validate hreflang via Search Console/Lighthouse","status":"open","priority":2,"issue_type":"task","created_at":"2026-01-01T16:02:36.4821072+01:00","created_by":"soeren","updated_at":"2026-01-01T16:02:36.4821072+01:00"} {"id":"fotospiel-app-hbt","title":"Moderation queue for guest content","description":"Queue for flagged guest content (photos, feedback). Bulk actions to hide/delete/resolve with audit.","notes":"Land the plane: tests run (FilamentPanelNavigationTest, PhotoModerationQueueTest, TenantFeedbackModerationQueueTest, TenantLifecycle*), migrations added for photo + feedback moderation, no follow-up blockers.","status":"closed","priority":1,"issue_type":"feature","created_at":"2026-01-01T14:18:37.777772819+01:00","updated_at":"2026-01-01T18:50:57.274743566+01:00","closed_at":"2026-01-01T18:46:09.677538603+01:00"} -{"id":"fotospiel-app-ihd","title":"Superadmin control surface spec and access matrix","description":"Define the minimal superadmin control surface, permissions, and mapping to tenant/guest responsibilities. 
Document scope and non-goals.","notes":"Spec v1: Superadmin control surface\\n\\nGoals\\n- Practical controls over tenant admin + guest experience (safety, limits, visibility).\\n- Fast response to abuse/outages without deploys.\\n- GDPR-safe: no new PII logging; audit log stores action metadata only.\\n\\nNon-goals\\n- New tracking beyond anonymous guest session_id.\\n- Deep analytics beyond operational KPIs.\\n\\nAccess matrix (high-level)\\n- Guest: upload/like/join per event only, no admin privileges.\\n- Tenant Admin: manage their events/photos/tasks; no cross-tenant access.\\n- Superadmin: global visibility + override controls + audit trail.\\n\\nProposed control areas\\nDaily Ops\\n- Tenant Lifecycle: status (active/suspended/grace), limits (uploads/storage/events), manual overrides.\\n- Moderation Queue: flagged photos/feedback; hide/delete/resolve/bulk actions.\\n- Support: Tenant feedback triage view.\\n\\nWeekly Ops\\n- Guest Policy: feature toggles + rate limits + retention defaults.\\n- Event Access: join token TTL, max uses, invalidate/regenerate.\\n- Commercial: packages/addons/coupons/tenant packages.\\n\\nRare/Admin\\n- Ops Health: queues, failed jobs, storage thresholds.\\n- Compliance: data export requests + retention overrides.\\n- Audit Log: superadmin actions (no PII payloads).\\n- Integrations health: Paddle/RevenueCat/webhooks status.\\n\\nData model considerations\\n- Existing JSON fields: tenants.settings/features; events.settings; tenant_feedback.metadata; photos.security_meta.\\n- Prefer new tables for auditability: moderation_items, super_admin_audit_logs, data_export_requests, retention_overrides, guest_policy_settings.\\n- Tenant lifecycle limits can be a new table (tenant_overrides) or fields on tenants (status, grace_until, limits JSON).\\n\\nSuccess criteria\\n- Each resource renders in superadmin panel without errors.\\n- Actions are logged (audit log).\\n- Policies enforce tenant isolation + superadmin 
override.","status":"in_progress","priority":2,"issue_type":"task","created_at":"2026-01-01T14:18:10.789147344+01:00","updated_at":"2026-01-01T14:32:31.455392845+01:00"} +{"id":"fotospiel-app-ihd","title":"Superadmin control surface spec and access matrix","description":"Define the minimal superadmin control surface, permissions, and mapping to tenant/guest responsibilities. Document scope and non-goals.","notes":"Added superadmin control surface + access matrix to docs/ops/operations-manual.md (Section 1.1), including non-goals and role scope.","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-01T14:18:10.789147344+01:00","updated_at":"2026-01-01T19:52:54.391624328+01:00","closed_at":"2026-01-01T19:52:54.391628452+01:00"} {"id":"fotospiel-app-iyc","title":"Superadmin audit log for admin actions","description":"Audit trail for superadmin actions without PII payloads.","status":"open","priority":2,"issue_type":"feature","created_at":"2026-01-01T14:20:19.043695952+01:00","updated_at":"2026-01-01T14:20:19.043695952+01:00"} {"id":"fotospiel-app-iyh","title":"Security review follow-ups: signed URL TTLs, guest asset throttles, CORS allowlist, logging hygiene","status":"open","priority":2,"issue_type":"task","created_at":"2026-01-01T16:05:42.642109576+01:00","created_by":"soeren","updated_at":"2026-01-01T16:05:42.642109576+01:00"} {"id":"fotospiel-app-jk4","title":"Checkout refactor: CheckoutController + marketing route alignment","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-01T16:06:21.088319132+01:00","created_by":"soeren","updated_at":"2026-01-01T16:06:26.663419594+01:00","closed_at":"2026-01-01T16:06:26.663419594+01:00","close_reason":"Completed in codebase (verified)"} diff --git a/.beads/last-touched b/.beads/last-touched index fa4fd9c..0350cd1 100644 --- a/.beads/last-touched +++ b/.beads/last-touched @@ -1 +1 @@ -fotospiel-app-wde +fotospiel-app-ihd 
diff --git a/docs/ops/operations-manual.md b/docs/ops/operations-manual.md index 8e7de9a..491bc33 100644 --- a/docs/ops/operations-manual.md +++ b/docs/ops/operations-manual.md 
@@ -21,6 +21,36 @@ Ziel ist, dass du von hier aus schnell zu den relevanten Runbooks und Referenzen > TODO: Ergänze ein Architekturdiagramm aus Sicht des Betriebs (z.B. als PNG oder PlantUML) und verlinke es hier. +## 1.1 Superadmin‑Kontrollfläche & Zugriffs‑Matrix + +Die Superadmin‑Konsole ist für operative Kontrolle und Eskalation gedacht – nicht für tägliche Tenant‑Arbeit. Ziel ist eine minimale, aber vollständige Kontrollfläche. + +**Minimaler Control Surface (Superadmin)** +- **Tenant‑Lifecycle & Limits:** Aktivieren/Sperren, Grace‑Periode, Löschung/Anonymisierung, Limits (Fotos/Event, Storage), Audit‑Timeline. +- **Commercial & Billing:** Pakete/Addons, Tenant‑Pakete, Käufe/History, Gutscheine/Coupons. +- **Event‑Oversight:** Events/Fotos global, Moderations‑Queues, Tenant‑Feedback. +- **Plattform & Compliance:** Legal Pages, Datenexporte, Audit‑Log. +- **Infra & Storage:** Storage Targets, Photobooth Settings, Deployments/Logs. + +**Zugriffs‑Matrix (Soll)** + +| Bereich | Superadmin | Tenant‑Admin | Gast | +| --- | --- | --- | --- | +| Tenant‑Lifecycle & Limits | RW | R (own) | – | +| Tenant‑Pakete & Billing | RW | R (own) | – | +| Events/Photos (global) | RW | RW (own) | R/W (event scope) | +| Moderation/Feedback | RW | RW (own) | – | +| Tasks/Emotions/Event‑Types | RW | RW (own) | R (event scope) | +| Users (Platform) | RW | R (own) | – | +| Legal/Content | RW | R | R (public) | +| Storage/Photobooth/Infra | RW | R | – | +| Audit‑Log (Admin‑Aktionen) | R | – | – | + +**Nicht‑Ziele** +- Superadmin ersetzt keine Tenant‑Admins für Tagesgeschäft, nur Eskalation. +- Kein zusätzliches Tracking/PII‑Logging ohne Privacy‑Update. +- Keine Infrastruktur‑Mutation ohne explizite Freigabe. + ## 2. Deployments & Infrastruktur Diese Kapitel erklären, wie die Plattform in Docker/Dokploy betrieben wird.
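Review bot: in the .beads/issues.jsonl hunk, the replacement `notes` on fotospiel-app-ihd drops the entire Spec v1 (goals, the access matrix, the "Data model considerations" naming `super_admin_audit_logs`, `tenant_overrides`, `retention_overrides`, `guest_policy_settings`, and the "Success criteria" such as "Actions are logged (audit log)" and "Policies enforce tenant isolation + superadmin override") and keeps only a pointer to Section 1.1, but the Section 1.1 added in docs/ops/operations-manual.md carries neither the data-model notes nor the success criteria, so those decisions now exist nowhere in the repo. Suggest carrying the "Data model considerations" and "Success criteria" lists into the manual (or a linked design doc) before the issue is closed, or keeping them in `notes` next to the new one-liner. Also, the old spec listed "Guest Policy: feature toggles + rate limits + retention defaults" and "Event Access: join token TTL, max uses, invalidate/regenerate" as control areas; neither appears in the manual's control-surface list or matrix, so either add them or state in the manual that they are out of scope for v1.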
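Review bot: in the docs/ops/operations-manual.md hunk, the matrix grants Superadmin RW on "Storage/Photobooth/Infra" and the control-surface list includes "Deployments/Logs", while the Nicht‑Ziele below state "Keine Infrastruktur‑Mutation ohne explizite Freigabe"; the two are not reconciled, so a reader cannot tell whether infra writes are in scope or gated. Suggest marking that row "RW (nur mit Freigabe)" or adding a footnote that names the approval step. Two smaller points: the matrix mixes "RW", "R/W", "R (own)" and "R (event scope)" without a legend, so add a one-line legend defining R, W, "own" and "event scope" and use "RW" consistently in the Gast cell of the Events/Photos row; and the Audit‑Log row being R for Superadmin and "–" for everyone else is the right append-only shape, but the section should say that the system writes the log on every Superadmin action (and, per the issue spec, stores action metadata only, no PII payloads), so the R-only cell is read as a deliberate control rather than a gap.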