# 06 — Tenant Admin PWA (Store-Ready)

Packaging
- Android: Trusted Web Activity (TWA) bound to `admin.<domain>`; fallback Capacitor if native plugins needed.
- iOS: Capacitor wrapper with push notifications and secure storage.
- Installable PWA (A2HS) with offline and background sync.

Auth & Tenancy
- Sanctum personal access tokens via `/api/v1/tenant-auth/*`, persisted to IndexedDB/Keychain and refreshable through the session→token exchange for Google sign-ins.
- Tokens carry `tenant_id` and roles; backend enforces scoping.

Capabilities
- Manage events, galleries, members, settings, legal pages, purchases.
- Notifications: Web Push (Android TWA) and Capacitor push (iOS).
- Conflict handling: ETag/If-Match; audit changes.
- Dashboard highlights tenant quota status (photo uploads, guest slots, gallery expiry) with traffic-light cards fed by package limit metrics.
- Global toast handler consumes the shared API error schema and surfaces localized error messages for tenant operators.
- Guest broadcast module on the Event detail page: tenant admins can compose short guest-facing notifications (broadcast/support tip/upload alert/feedback) with optional CTA links and expirations. Calls `/api/v1/tenant/events/{slug}/guest-notifications` and stores history (last 5 messages) for quick status checks.
- Event detail includes notification analytics: total sends, broadcast counts, last send time, type distribution, and the latest guest-visible messages so hosts can monitor reach without leaving the toolkit view.

Support Playbook (Limits)
- Wenn Tenant-Admins Upload- oder Gäste-Limits erreichen, zeigt der Header Warn-Badges + Toast mit derselben Fehlermeldung wie im Backend (`code`, `title`, `message`).
- Support-Team kann `php artisan metrics:package-limits` ausführen, um die aggregierten Warn-/Expired-Zähler der letzten Stunden einzusehen und Engpässe zu bestätigen (`--reset` leert die Zähler nach Eskalation).
- Empfehlung an Kunden: Paketupgrade oder Kontakt zu Sales; bei abgelaufener Galerie ggf. Verlängerung via Tenant Package.
- Bei Fehlalarmen zuerst Logs nach `package_limit_metric` durchsuchen und prüfen, ob der Zähler `recovered` die Credits bereits wieder freigibt.

Distribution & CI
- Play: assetlinks.json at `/.well-known/assetlinks.json`.
- App Store: fastlane lanes; privacy manifests.
- Version alignment with backend; feature flags synced on login.

See also: docs/adr/ADR-0006-tenant-admin-pwa.md