L0product

Admin Portal

Operator creates and manages customer organisations, reference data, and superadmin access without database intervention. The control surface that unlocks customer 2.

Priority Score

Pain × Demand × Edge × Trend × Conversion

Customer Journey

Why should I care?

Five cards that sell the dream

1Why

One org forever blocks customer two.

Can I create a new org without opening the database?

The friction: Every new customer org requires a developer with DB credentials. /org/new returns 404. admin.dreamineering.com returns 403.

The desire: A form at /admin/orgs/new. Submit. Org live in 30 seconds. Customer logs in and sees their dashboard.

The proof: The organisations table exists. The multi-tenancy schema works. The only gap is the control surface.

The outcome map

Picture

A platform operator stares at a terminal showing 404 where /org/new should be. Database client open in another window. Dark room, single monitor glow. Cinematic, 16:9

2Evidence

Superadmin sees all; admin sees one.

Can a superadmin see all orgs from one screen?

Role	Sees	Can do
Superadmin	All orgs	Create, suspend, manage reference data
Org Admin	Own org only	Invite users, manage roles
Member	Own org only	CRM, proposals, plans

The access control stories

Picture

Two dashboards side by side — one shows all orgs, one shows a single org. Same codebase, different middleware path. Dark room, split screen. Cinematic, 16:9

3Platform

Middleware bypass without breaking isolation.

Is the bypass contained — or does it bleed into tenant code?

Layer	Current	Target
Middleware	Passes organisationId to all requests	Adds superadmin bypass path
Server actions	All scope by organisationId	Unchanged — bypass is middleware-only
Auth session	No superadmin claim	role=superadmin on selected users

The dependency map

Picture

A single checkpoint in the request pipeline. Superadmin token bypasses the organisationId filter. All other paths unchanged. Dark, diagrammatic. Cinematic, 16:9

4Loop

Auth claim unlocks the master key.

Does adding a resource type require a developer?

Tier	Ships	Unblocks
T0	Superadmin claim + middleware	Everything else
T1	Org create + list	Customer 2 onboarding
T2	Org picker + reference data UI	Multi-org + no-code resource types
T3	Org suspend/archive	Lifecycle management

The build contract

Picture

A sequential build ladder: auth claim at the foundation, then /admin route, then org creation, then org picker and reference data UI at the top. Dark, crimson highlights. Cinematic, 16:9

5People

Operator manages tenants; tenant manages members.

When customer 2 signs, are we ready?

Job	Who	Struggling moment
Create customer org	Operator	Has to open a database client
See all orgs	Operator	No list view exists
Add resource type	Operator	Has to redeploy the app

Hidden objection: "Should self-serve org signup exist?" Operator-initiated for now — self-serve is a separate PRD.

Who we built this for

Picture

Two-level hierarchy — platform operator at top managing orgs, org admins below managing their own users. Each layer sees only what it controls. Cinematic, 16:9

1 / 5

Same five positions. Different seat.

The customer sees the control surface. The builder sees the security model. The outer game sells operator freedom. The inner game proves isolation holds.

Feature Dev Journey

How does this get built?

Five cards that sell the process

1Job

The job: org lifecycle without SQL.

Can you state the struggling moment in one sentence?

Situation: Platform operator needs to create customer orgs. Currently: /org/new returns 404. All org management requires direct DB access.

Intention: Superadmin creates orgs, manages reference data, and controls access — all from a UI. Zero database access required.

Obstacle: No superadmin role claim. No org creation action. Every server action scopes by organisationId — the bypass must live in one place.

Intent contract

Picture

A terminal cursor blinking on an INSERT INTO organisations statement. Dark room. Cinematic, 16:9

2Stories

Four stories, four test files.

If the THEN does not name a data source and threshold, what are you actually testing?

Story	THEN assertion	Forbidden
S1: Org creation	Org in DB within 30s of submit	Non-superadmin can reach /admin/orgs/new
S2: Org picker	Multi-org user sees picker at login	Single-org user sees picker
S3: Resource type	New type in roles CRUD same session	Requires seed re-run to appear
S4: Access denied	Org admin redirected to /dashboard	403 page reveals admin portal exists

Full story contracts

Picture

A test dashboard — four story IDs, each with a red indicator, thresholds visible. Dark background, terminal aesthetic. Cinematic, 16:9

3Build

70% composition, 30% new code.

What is already built that you have not wired yet?

Exists	Wire	Build
Better Auth	trustedOrigins config	Superadmin claim
organisations table	INSERT action	/admin pages
Next.js middleware	Superadmin bypass	Org picker component
governance_resource_types	UI for CRUD	Reference data admin

Platform state

Picture

Architecture diagram — auth, middleware, DB layers with connection lines showing composition. Crimson highlights on gaps. Cinematic, 16:9

4Sprints

Four sprints to multi-tenant.

Which sprint proves the thesis fastest?

Sprint	Ships	Proves
0 (0.5d)	Superadmin claim + middleware	Non-superadmin cannot reach /admin
1 (1d)	Org list + create	Org created via UI, no DB access
2 (0.5d)	Org picker on login	Multi-org user selects org
3 (1.5d)	Reference data + suspend/archive	Full lifecycle without developer

Build order and commissioning

Picture

A timeline with four sprint blocks — each lighting up as features ship. Dark background, crimson milestones. Cinematic, 16:9

5Validation

Customer 2 onboards or we stop.

What is the smallest experiment that proves multi-tenant works?

Kill signal: If customer 2 is ready to sign and onboarding is still manual, pain jumps to 5. If no second customer prospect by 2026-09-18, move to backburner.

Blocker	Severity	Resolution
403 on admin.dreamineering.com	Critical	Add domain to Better Auth trustedOrigins
/org/new returns 404	Critical	Build Sprint 0 + Sprint 1
No superadmin role	High	Define claim in auth config

Commissioning criteria

Picture

A kill switch on a dark panel — the words 'Customer 2' prominent. Stark, minimal. Cinematic, 16:9

1 / 5

The pitch is the shape. The flow diagrams prove the thinking. The VV stories validate the value.

Flow Diagrams VV Stories

Problem

Situation

Platform operator needs to create customer orgs, manage global reference data, and grant superadmin access. admin.dreamineering.com deployed but returns 403 (Better Auth invalid origin). /org/new returns 404. All org management requires direct DB access. Resource types only editable via seed function.

Intention

Any user with superadmin role can create orgs, see all orgs, manage resource types, and grant superadmin to others — zero database access required. Admin portal at admin.dreamineering.com fully operational.

Obstacle

No superadmin role claim. No org creation server action. No /admin route with middleware guard. Every server action scopes by organisationId — the admin layer needs a controlled bypass inaccessible to org-level admins. Better Auth trustedOrigins missing admin.dreamineering.com.

Hardest Thing

Superadmin queries span all orgs. That requires removing the organisationId filter that protects multi-tenant isolation. The bypass must live in middleware — not scattered across server actions — so there is exactly one place to audit and one place that can break.

Scorecard

Priority (5P)

3/5

Pain

2/5

Demand

2/5

Edge

3/5

Trend

2/5

Convert

Readiness (5R)

Principles2 / 5

Performance1 / 5

Platform2 / 5

Process1 / 5

Players1 / 5

What Exists

Component	State	Gap
Better Auth authentication	Working	trustedOrigins missing admin.dreamineering.com — returns 403.
organisations table	Working	CREATE org action missing.
Multi-tenancy schema	Working	organisationId FK on all tenant tables. No bypass layer.
governance_resource_types table	Partial	Seed only, no UI.
Next.js middleware	Working	No superadmin bypass.
Auth custom claims	Missing	role=superadmin claim not defined.
/admin route	Missing	404.
Org picker	Missing	Login goes straight to dashboard.
admin.dreamineering.com	Deployed	Domain exists but 403 from Better Auth invalid origin.

Relationships

PRD	Contributes
Identity & Access	Parent — this extends org-level user management to the operator layer.
Agent Platform	Peer — Agent Platform manages agent identities within orgs; Admin Portal manages the orgs themselves.
Sales CRM	Downstream — new customer orgs created here are the orgs CRM data lives in.
ETL Data Tool	Downstream — ETL pipelines are per-org; org creation here enables per-org data import.

Kill Signal

If customer 2 is ready to sign and onboarding is still manual, pain jumps to 5 and this becomes top priority. If no second customer prospect emerges by 2026-09-18, move to backburner.

Questions

If org creation is operator-initiated, what is the path for a customer who wants to sign up without contacting the operator?

Is the org picker the right UX, or should users maintain a default org preference that bypasses the picker on most logins?
When a superadmin adds a resource type, should it propagate to all existing orgs automatically, or only appear when an org admin explicitly seeds permissions?
What is the recovery path if a superadmin accidentally suspends the Dreamineering org itself?