14 — Control Plane Web Specification

Surface: Web app — super-admin / chain operator portal
URL: https://admin.melmastoon.com (platform staff) / https://chain.melmastoon.com (chain operators)
Phase: P2 / R2 outline; full implementation R3
Shell: Operator shell (high-density; super-admin variant)
Competitive reference: Linear admin, Stripe Dashboard, Notion Workspace settings


1. Overview

The control plane web is the platform's super-admin interface. Two personas:

  • Platform staff (Ghasi team): Full access — tenant management, billing, feature flags, impersonation, support tools, audit logs.
  • Chain operators: Multi-property dashboard for hotel groups — aggregate reports, cross-property search, chain-level configuration, billing overview.

2. Route tree

/admin                  (platform staff)
  /tenants
    /[tenant_id]        ← Tenant detail (profile, config, billing, status)
  /billing              ← Platform-level revenue, subscription management
  /feature-flags        ← Global feature flag console
  /audit-log            ← Cross-tenant audit log viewer
  /support              ← Support tools (impersonation, ticket lookup)
  /ai-policy            ← AI model policy console (model versions, guardrails)
  /theme-review         ← Theme publish queue (review pending tenant themes)

/chain                  (chain operators)
  /properties           ← Multi-property dashboard
    /[property_id]      ← Individual property drill-down
  /reports              ← Aggregate reports (RevPAR, occupancy, revenue)
  /guests               ← Cross-property guest search
  /configuration        ← Chain-level defaults (branding, policies)
  /billing              ← Chain billing summary

3. Key screens

3.1 Tenant management (platform staff)

  • Searchable tenant list (filter by status, plan, country, feature flags)
  • Tenant detail: profile, active subscriptions, onboarding status, open support tickets
  • Tenant onboarding wizard: Step-by-step guided flow (property profile → rooms → rates → theme → go-live checklist)
  • Actions: Suspend, Reinstate, Delete, Impersonate

3.2 Feature flag console

  • List of all feature flags with current value per environment
  • Per-tenant override: set flag value for a specific tenant
  • Staged rollout: % of tenants, cohort targeting
  • Kill switch: one-click disable any flag globally

3.3 Theme review queue

  • Pending tenant theme publishes (changes from theme-config-service)
  • Preview tenant theme in a sandboxed iframe
  • Approve (auto-publishes) or Reject (returns to tenant with notes)
  • Used for white-label tenants on premium plan who require review before publish

3.4 AI policy console

  • Model version selector per AI surface (concierge, copilot, insight assistant)
  • Guardrail configuration (blocked topics per tenant, max response length)
  • HITL threshold settings (when AI must escalate to human)
  • Model performance metrics (avg latency, error rate, HITL rate)

3.5 Audit log viewer (platform staff)

  • Searchable event stream: tenant_id, operator_id, action_type, timestamp, resource
  • Filters: date range, actor, action type, resource type
  • Export: CSV/JSON
  • Compliance: 7-year retention (immutable)

3.6 Multi-property dashboard (chain operators)

Chain Overview: Kabul Hotels Group (4 properties)
────────────────────────────────────────────────────
            Hotel A  Hotel B  Hotel C  Hotel D  Total
Occupancy   82%      74%      91%      60%      77%
RevPAR      $85      $62      $110     $44      $75
ADR         $104     $84      $121     $73      $97
Arrivals    12       8        15       5        40
────────────────────────────────────────────────────
[View property →] per row

4. Impersonation (platform support)

Platform staff can impersonate any operator to troubleshoot:

  1. Search for tenant + operator
  2. "Impersonate" button → requires reason entry (logged in audit)
  3. New browser tab opens with operator's session; amber banner "Impersonating [name]" always visible
  4. Impersonation auto-expires after 2 hours or on tab close
  5. All actions during impersonation logged with impersonated_by: platform_staff_id
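
The flow above sketched in Python, as an added example that is not part of this specification or the platform's code: a signed impersonation token that refuses an empty reason, expires after 2 hours, can be ended early, and stamps every audited action with impersonated_by. The signing key, the in-memory AUDIT_LOG and REVOKED stores, and all function names are assumptions for illustration.

```python
import base64, hashlib, hmac, json, time

TTL_SECONDS = 2 * 60 * 60        # spec: auto-expire after 2 hours
KEY = b"constructed-demo-key"    # assumption: real key lives in a secret manager
AUDIT_LOG = []                   # stand-in for the immutable audit store
REVOKED = set()                  # tokens ended early (e.g. on tab close)

def _sign(body: bytes) -> bytes:
    return hmac.new(KEY, body, hashlib.sha256).hexdigest().encode()

def start_impersonation(staff_id, tenant_id, operator_id, reason, now=None):
    """Issue a signed token; the mandatory reason goes into the audit log."""
    now = int(time.time() if now is None else now)
    if not reason or not reason.strip():
        raise ValueError("impersonation requires a reason")
    claims = {"sub": operator_id, "tenant_id": tenant_id,
              "impersonated_by": staff_id, "iat": now, "exp": now + TTL_SECONDS}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
    AUDIT_LOG.append({"action_type": "impersonation.start", "tenant_id": tenant_id,
                      "operator_id": operator_id, "impersonated_by": staff_id,
                      "reason": reason.strip(), "timestamp": now})
    return (body + b"." + _sign(body)).decode()

def end_impersonation(token):
    REVOKED.add(token)

def verify(token, now=None):
    """Return the claims, or raise PermissionError if tampered, ended or expired."""
    now = int(time.time() if now is None else now)
    body, _, sig = token.encode().rpartition(b".")
    if not hmac.compare_digest(sig, _sign(body)):   # constant-time comparison
        raise PermissionError("bad signature")
    if token in REVOKED:
        raise PermissionError("impersonation session ended")
    claims = json.loads(base64.urlsafe_b64decode(body))
    if now >= claims["exp"]:
        raise PermissionError("impersonation session expired")
    return claims

def record_action(token, action_type, resource, now=None):
    """Audit one action taken in the session, stamped with impersonated_by."""
    now = int(time.time() if now is None else now)
    claims = verify(token, now)
    event = {"action_type": action_type, "resource": resource,
             "tenant_id": claims["tenant_id"], "operator_id": claims["sub"],
             "impersonated_by": claims["impersonated_by"], "timestamp": now}
    AUDIT_LOG.append(event)
    return event
```

Because the expiry lives inside the signed claims, the 2-hour limit is enforced server-side on every request rather than relying on the browser tab to close.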

5. Security requirements

  • Separate authentication from tenant-operator flow (platform staff use Ghasi SSO + hardware MFA)
  • Chain operators: standard Melmastoon auth + email OTP or TOTP
  • IP allowlisting for platform staff access (optional; configurable)
  • All actions logged (audit trail; immutable)
  • No PII of individual guests visible to chain operators (aggregated only)
  • Platform staff PII access is logged and requires justification

6. Performance

Metric                        Target
Dashboard load                ≤ 3 s
Audit log query (1M events)   ≤ 5 s (paginated)
Feature flag toggle effect    ≤ 30 s (Pub/Sub propagation)