Admin operations

Admin mode is available at /admin for platform operators. The surface is intentionally separate from normal org navigation and requires admin-only access to protect tenant-level controls.

What you manage in admin

• Identity and ownership — orgs, users, workspaces, and org-scoped role boundaries.
• Usage and spend control — billing health, usage exports, and operational spend review.
• Connector governance — connector catalog health, connection state, and runtime webhook delivery.
• Platform quality signals — feedback triage, notification queues, admin notifications.
• Model and commerce health — model catalog and shopping store/product/order snapshots.
• Trust and safety — security events, runtime health checks, sandbox status, and audit trails.

Admin feedback and triage

/admin/feedback provides two operational modes:

1. Feedback mode — review user reports and security probes captured by the product.
2. Notifications mode — monitor platform-level alerts (schedule completion/failures, message events, usage events).

Feedback mode also exposes:

• security view and classification groups (script, command, SQL, template, path, fuzz)
• signal quality categories (product_signal, short_actionable, actionable, security_probe)
• burst/duplicate group hints so repeated probes are triaged once.

You can update workflow state from open to triaged, in_progress, done, then archive once resolved.

Wallets and financial operations

Admin operators can inspect agent wallet operations through dedicated screens and /api/v1/admin/agent-wallet. The page surfaces:

• Stripe issuing cards and card status
• spend requests and spend approvals
• authorization outcomes and transactions

These views help operators investigate card disputes and onboarding/usage anomalies.

Connector event operations

Connector event delivery, event IDs, and verification posture are visible from the admin pages. If an upstream webhook drops retries or a worker stalls, operators use the admin connector-events tools and sandbox/job status views to keep the route healthy.

Destructive super-admin actions

Cross-tenant destructive mutations (refunds, broadcasts, BYOK revoke, connector-event replay, session cancel, newsletter export, CMS publish mutations, skill deletes, and similar) require super_admin plus fresh step-up via requireFreshSuperAdmin. Read-only admin routes accept admin or super_admin without step-up.

Site CMS (marketing pages)

/admin/site/pages edits the public marketing site (site_pages + version history). Reads require admin; create, update, archive, publish, and revert require fresh super-admin step-up and write admin_audit_logs rows (site.created, site.updated, site.published, site.archived, …).

Publishing snapshots the current row into site_page_versions, sets status=published, and revalidates the page path plus /sitemap.xml via lib/site-cms/revalidate.ts. Public rendering only serves published slugs when the global feature flag site.cms_enabled is on.

Deployment targets

/admin/deployments lists deployment_targets and custom domains: routing mode, isolation mode, health, migration version, DNS verification state, and default hosts. Enterprise tenant hosts (*.enterprise.alumia.com or customer aliases) map through this registry — see the Enterprise guide.

AI loop runtime

/admin/runtime exposes resolved rolloutControls for shared agent-loop flags (ai.loop.*). Toggle kill-switch or pruning flags here before changing loop code in production.

Recommended admin checks

Admin console UI strings are localized through navigation message keys. Enterprise prospects use the public Enterprise guide and POST /api/v1/enterprise-inquiry.

For every major rollout:

• confirm /admin/models and /admin/usage remain responsive
• run a quick pass on recent /admin/connector-events delivery failures
• review new open feedback with highest severity and mark actionable handoffs quickly
• clear queue spikes in /admin/runtime or sandbox views before changing connector/webhook configurations
• verify enterprise deployment targets show healthy before DNS cutover