Admin Guide

Platform admins have a platformAdmin custom claim on their Firebase Auth token. This grants access to designated admin-only UI pages.

Plans are maintained in /plans collection. Orgs reference planId; entitlements resolve at runtime.

• To create a new plan: write directly to /plans/{planId} via Admin SDK or console.
• To override an org plan: set org.planId and optionally populate /orgs/{orgId}/entitlements/snapshot.
• Billing status changes arrive via Stripe webhook → Function → /orgBilling update + /orgs.billing summary update.
• Seat limit violations are enforced at invite time. Existing members are never auto-removed.

The platform writes structured audit logs for all privileged actions. Logs are append-only and stored in /platform/auditLogs/items/{logId}.

{
  actorUid, actorEmail,
  action,          // e.g. "org.suspend", "plan.override"
  orgId,
  targetType, targetId,
  before, after,   // optional diffs
  severity,        // "info" | "warn" | "critical"
  correlationId,
  timestamp
}

Export audit logs via the Admin Console → Audit Logs → Export (CSV/JSON) for compliance evidence.

• Separate Firebase projects — never share Auth or Firestore.
• Separate .env files (not committed) — each environment has distinct API keys.
• Firestore rules and indexes deployed independently per project.
• Worker tokens are environment-scoped and non-transferable.