# PRP Addendum (2025-09-08): Tenant Admin PWA

This addendum supersedes tenant-facing Filament guidance in `fotospiel_prp.md`. Super Admin remains Filament (web-only). Tenant administration now lives in a separate, store-ready PWA.

## Summary

- Separate React/Vite PWA for tenant admins.
- Distribution: Android via TWA, iOS via Capacitor; PWA install (A2HS) supported.
- API-first backend: `/api/v1/tenant/*` endpoints cover all tenant operations.
- Auth: Authorization Code + PKCE + refresh tokens; access token includes `tenant_id` and roles.
- Tenancy: global scope + policies; host-based resolution remains for guest PWA.
- Billing: Event credits MVP; subscriptions deferred.

## Architecture Changes

- Replace tenant Filament panel with PWA + API.
- Add `BelongsToTenant` trait and composite uniques including `tenant_id`.
- Introduce `apps/admin-pwa` and `packages/mobile` directories; keep `apps/super-admin` for Filament.

## Mobile Packaging

- Android (TWA): bind to `admin.` with `/.well-known/assetlinks.json`.
- iOS (Capacitor): native wrapper, push notifications, secure storage.

## Offline & Sync

- Service Worker caches app shell and essentials.
- Background sync queues mutations; conflicts resolved via ETag/If-Match.

## API Surface (Tenant)

- Auth: `/api/v1/tenant-auth/login`, `/tenant-auth/exchange`, `/tenant-auth/logout`, `/tenant-auth/me`.
- Entities: events, galleries, members, uploads, settings, purchases.
- Conventions: pagination, filtering, 429 rate limits, trace IDs in errors.

## Security

- Token storage in Keychain/Keystore (mobile) and IndexedDB (web) with rotation.
- Audit logs for destructive actions and impersonation.

## Migration Notes

- Treat Filament tenant resources in PRP as deprecated examples. Use them to inform field definitions and validation only.
- Future task: convert `fotospiel_prp.md` to UTF-8 and merge this addendum into the main PRP.
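
An added example for the "Offline & Sync" rule that queued mutations are reconciled via ETag/If-Match; it is not code from this project. It models both sides in memory to show why a replayed queue must chain the ETag returned by its own previous write and must park a `412` instead of retrying unconditionally. The names `makeServer`, `replayQueue` and `demo`, the version-based ETags, the record shape and the `428` response are assumptions.

```javascript
// Added example, constructed data; not the project's API.
// Server side: each record's version is exposed as a strong ETag.
function makeServer(records) {
  const db = new Map(Object.entries(records).map(([id, body]) => [id, { body, version: 1 }]));
  const view = (r) => ({ etag: `"v${r.version}"`, body: { ...r.body } });
  return {
    get(id) { const r = db.get(id); return r ? { status: 200, ...view(r) } : { status: 404 }; },
    patch(id, ifMatch, changes) {
      const r = db.get(id);
      if (!r) return { status: 404 };
      if (!ifMatch) return { status: 428 }; // assumption: unconditional writes are refused
      if (ifMatch !== view(r).etag) return { status: 412, ...view(r) }; // stale precondition
      r.body = { ...r.body, ...changes };
      r.version += 1;
      return { status: 200, ...view(r) };
    },
  };
}

// Client side: replay mutations queued while offline, oldest first.
function replayQueue(server, queue) {
  const applied = [], conflicts = [];
  const chained = new Map(); // id -> ETag returned by our own last successful write
  for (const m of queue) {
    // A second offline edit to the same record carries a stale captured ETag,
    // so prefer the tag our previous write returned.
    const res = server.patch(m.id, chained.get(m.id) ?? m.etag, m.changes);
    if (res.status === 200) {
      chained.set(m.id, res.etag);
      applied.push(m);
    } else {
      // 412 or any other refusal: park it for the user, never resend without If-Match.
      conflicts.push({ mutation: m, status: res.status, server: res });
    }
  }
  return { applied, conflicts };
}

// Constructed scenario: two offline edits to evt-1, one to evt-2, which another
// admin changed in the meantime.
function demo() {
  const server = makeServer({ "evt-1": { name: "Gala" }, "evt-2": { name: "Expo" } });
  const queue = [
    { id: "evt-1", etag: '"v1"', changes: { name: "Gala 2025" } },
    { id: "evt-1", etag: '"v1"', changes: { status: "published" } },
    { id: "evt-2", etag: '"v1"', changes: { name: "Expo (offline)" } },
  ];
  server.patch("evt-2", '"v1"', { name: "Expo Berlin" }); // concurrent write by another admin
  return { server, ...replayQueue(server, queue) };
}
```

In `demo()`, both `evt-1` edits apply and the `evt-2` edit is held as a conflict, leaving the other admin's value in place.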