Document superadmin control surface

.beads/issues.jsonl

@@ -58,7 +58,7 @@
 {"id":"fotospiel-app-g74","title":"Paddle migration: automated tests for checkout/webhooks/sync","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-01T15:58:34.795423009+01:00","created_by":"soeren","updated_at":"2026-01-01T15:58:40.467997776+01:00","closed_at":"2026-01-01T15:58:40.467997776+01:00","close_reason":"Completed in codebase (verified)"}
 {"id":"fotospiel-app-gsv","title":"Localized SEO: validate hreflang via Search Console/Lighthouse","status":"open","priority":2,"issue_type":"task","created_at":"2026-01-01T16:02:36.4821072+01:00","created_by":"soeren","updated_at":"2026-01-01T16:02:36.4821072+01:00"}
 {"id":"fotospiel-app-hbt","title":"Moderation queue for guest content","description":"Queue for flagged guest content (photos, feedback). Bulk actions to hide/delete/resolve with audit.","notes":"Land the plane: tests run (FilamentPanelNavigationTest, PhotoModerationQueueTest, TenantFeedbackModerationQueueTest, TenantLifecycle*), migrations added for photo + feedback moderation, no follow-up blockers.","status":"closed","priority":1,"issue_type":"feature","created_at":"2026-01-01T14:18:37.777772819+01:00","updated_at":"2026-01-01T18:50:57.274743566+01:00","closed_at":"2026-01-01T18:46:09.677538603+01:00"}
-{"id":"fotospiel-app-ihd","title":"Superadmin control surface spec and access matrix","description":"Define the minimal superadmin control surface, permissions, and mapping to tenant/guest responsibilities. Document scope and non-goals.","notes":"Spec v1: Superadmin control surface\\n\\nGoals\\n- Practical controls over tenant admin + guest experience (safety, limits, visibility).\\n- Fast response to abuse/outages without deploys.\\n- GDPR-safe: no new PII logging; audit log stores action metadata only.\\n\\nNon-goals\\n- New tracking beyond anonymous guest session_id.\\n- Deep analytics beyond operational KPIs.\\n\\nAccess matrix (high-level)\\n- Guest: upload/like/join per event only, no admin privileges.\\n- Tenant Admin: manage their events/photos/tasks; no cross-tenant access.\\n- Superadmin: global visibility + override controls + audit trail.\\n\\nProposed control areas\\nDaily Ops\\n- Tenant Lifecycle: status (active/suspended/grace), limits (uploads/storage/events), manual overrides.\\n- Moderation Queue: flagged photos/feedback; hide/delete/resolve/bulk actions.\\n- Support: Tenant feedback triage view.\\n\\nWeekly Ops\\n- Guest Policy: feature toggles + rate limits + retention defaults.\\n- Event Access: join token TTL, max uses, invalidate/regenerate.\\n- Commercial: packages/addons/coupons/tenant packages.\\n\\nRare/Admin\\n- Ops Health: queues, failed jobs, storage thresholds.\\n- Compliance: data export requests + retention overrides.\\n- Audit Log: superadmin actions (no PII payloads).\\n- Integrations health: Paddle/RevenueCat/webhooks status.\\n\\nData model considerations\\n- Existing JSON fields: tenants.settings/features; events.settings; tenant_feedback.metadata; photos.security_meta.\\n- Prefer new tables for auditability: moderation_items, super_admin_audit_logs, data_export_requests, retention_overrides, guest_policy_settings.\\n- Tenant lifecycle limits can be a new table (tenant_overrides) or fields on tenants (status, grace_until, limits JSON).\\n\\nSuccess criteria\\n- Each resource renders in superadmin panel without errors.\\n- Actions are logged (audit log).\\n- Policies enforce tenant isolation + superadmin override.","status":"in_progress","priority":2,"issue_type":"task","created_at":"2026-01-01T14:18:10.789147344+01:00","updated_at":"2026-01-01T14:32:31.455392845+01:00"}
+{"id":"fotospiel-app-ihd","title":"Superadmin control surface spec and access matrix","description":"Define the minimal superadmin control surface, permissions, and mapping to tenant/guest responsibilities. Document scope and non-goals.","notes":"Added superadmin control surface + access matrix to docs/ops/operations-manual.md (Section 1.1), including non-goals and role scope.","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-01T14:18:10.789147344+01:00","updated_at":"2026-01-01T19:52:54.391624328+01:00","closed_at":"2026-01-01T19:52:54.391628452+01:00"}
 {"id":"fotospiel-app-iyc","title":"Superadmin audit log for admin actions","description":"Audit trail for superadmin actions without PII payloads.","status":"open","priority":2,"issue_type":"feature","created_at":"2026-01-01T14:20:19.043695952+01:00","updated_at":"2026-01-01T14:20:19.043695952+01:00"}
 {"id":"fotospiel-app-iyh","title":"Security review follow-ups: signed URL TTLs, guest asset throttles, CORS allowlist, logging hygiene","status":"open","priority":2,"issue_type":"task","created_at":"2026-01-01T16:05:42.642109576+01:00","created_by":"soeren","updated_at":"2026-01-01T16:05:42.642109576+01:00"}
 {"id":"fotospiel-app-jk4","title":"Checkout refactor: CheckoutController + marketing route alignment","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-01T16:06:21.088319132+01:00","created_by":"soeren","updated_at":"2026-01-01T16:06:26.663419594+01:00","closed_at":"2026-01-01T16:06:26.663419594+01:00","close_reason":"Completed in codebase (verified)"}

.beads/last-touched

@@ -1 +1 @@
-fotospiel-app-wde
+fotospiel-app-ihd

docs/ops/operations-manual.md

@@ -21,6 +21,36 @@ Ziel ist, dass du von hier aus schnell zu den relevanten Runbooks und Referenzen
 
 > TODO: Ergänze ein Architekturdiagramm aus Sicht des Betriebs (z.B. als PNG oder PlantUML) und verlinke es hier.
 
+## 1.1 Superadmin‑Kontrollfläche & Zugriffs‑Matrix
+
+Die Superadmin‑Konsole ist für operative Kontrolle und Eskalation gedacht – nicht für tägliche Tenant‑Arbeit. Ziel ist eine minimale, aber vollständige Kontrollfläche.
+
+**Minimaler Control Surface (Superadmin)**
+- **Tenant‑Lifecycle & Limits:** Aktivieren/Sperren, Grace‑Periode, Löschung/Anonymisierung, Limits (Fotos/Event, Storage), Audit‑Timeline.
+- **Commercial & Billing:** Pakete/Addons, Tenant‑Pakete, Käufe/History, Gutscheine/Coupons.
+- **Event‑Oversight:** Events/Fotos global, Moderations‑Queues, Tenant‑Feedback.
+- **Plattform & Compliance:** Legal Pages, Datenexporte, Audit‑Log.
+- **Infra & Storage:** Storage Targets, Photobooth Settings, Deployments/Logs.
+
+**Zugriffs‑Matrix (Soll)**
+
+| Bereich | Superadmin | Tenant‑Admin | Gast |
+| --- | --- | --- | --- |
+| Tenant‑Lifecycle & Limits | RW | R (own) | – |
+| Tenant‑Pakete & Billing | RW | R (own) | – |
+| Events/Photos (global) | RW | RW (own) | R/W (event scope) |
+| Moderation/Feedback | RW | RW (own) | – |
+| Tasks/Emotions/Event‑Types | RW | RW (own) | R (event scope) |
+| Users (Platform) | RW | R (own) | – |
+| Legal/Content | RW | R | R (public) |
+| Storage/Photobooth/Infra | RW | R | – |
+| Audit‑Log (Admin‑Aktionen) | R | – | – |
+
+**Nicht‑Ziele**
+- Superadmin ersetzt keine Tenant‑Admins für Tagesgeschäft, nur Eskalation.
+- Kein zusätzliches Tracking/PII‑Logging ohne Privacy‑Update.
+- Keine Infrastruktur‑Mutation ohne explizite Freigabe.
+
 ## 2. Deployments & Infrastruktur
 
 Diese Kapitel erklären, wie die Plattform in Docker/Dokploy betrieben wird.