Platform admin

Platform-admin subdomains

Three cross-tenant surfaces moved off the per-tenant app onto dedicated subdomains (gh#685):

| Subdomain | Audience | What |
|---|---|---|
| costs.flatsbratislava.com | Superadmins only | Cross-tenant AI + integration spend dashboard. See Cost observability. |
| infra.flatsbratislava.com | Superadmins only | Deep per-env diagnostics — Fly machine list, Redis health, S3 egress, recent deploy commits. |
| status.flatsbratislava.com | Public + logged-in operators | Health board for prod / preprod / sandbox / demo. See Status page. |

Why separate subdomains

Each surface answers questions across all tenants, and a per-tenant app shouldn't host cross-tenant data. With separate subdomains:

  • Tenant admins can't accidentally see cross-tenant spend / infra.
  • Superadmins navigate to the dedicated subdomain without bouncing through a tenant context.
  • Each subdomain's auth + routes scope correctly via the platformProcedure tRPC scope.

How auth works

  • status.flatsbratislava.com — public landing card; logged-in operators see DB ping + recent incidents; superadmins see the deep diagnostic panel.
  • costs.flatsbratislava.com + infra.flatsbratislava.com — superadmin login required (Google OAuth same as the main app + the superadmin role check).

SSO works across all three subdomains: a superadmin signs in once at the main app, then follows a link to costs or infra without logging in again.
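The audience rules above, written as a default-deny lookup keyed on the exact host. This is an added example, not the project's platformProcedure code; the role names, `resolveView`, `normalizeHost` and the session shape are assumptions.

```typescript
// Added example. Any logged-in non-superadmin is modelled as "operator" (assumption).
type Role = "operator" | "superadmin";
type View = "deny" | "public" | "operator" | "superadmin";

// What each platform host serves to an anonymous visitor, an operator, a superadmin.
const SURFACES = new Map<string, Record<"anon" | Role, View>>([
  ["costs.flatsbratislava.com", { anon: "deny", operator: "deny", superadmin: "superadmin" }],
  ["infra.flatsbratislava.com", { anon: "deny", operator: "deny", superadmin: "superadmin" }],
  ["status.flatsbratislava.com", { anon: "public", operator: "operator", superadmin: "superadmin" }],
]);

// Normalize a Host header value: lowercase, drop the port, drop a trailing dot.
function normalizeHost(hostHeader: string): string {
  return hostHeader.trim().toLowerCase().replace(/:\d+$/, "").replace(/\.$/, "");
}

// Decide which view a request gets. Hosts are matched exactly (no suffix or
// substring matching), and anything unrecognised falls through to "deny".
function resolveView(hostHeader: string, session: { role: Role } | null): View {
  const surface = SURFACES.get(normalizeHost(hostHeader));
  if (!surface) return "deny"; // not a platform-admin subdomain
  // A role value outside the known set (stale or malformed session) is denied.
  return surface[session ? session.role : "anon"] ?? "deny";
}
```

The same table can back a regression test, so that a route added later cannot widen the audience of costs or infra without a visible diff.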

What's NOT on these subdomains

The per-tenant flavors of cost + status remain inside the tenant app:

The platform-admin subdomains add the cross-tenant aggregation only.


Implements: gh#685 (move Costs + Infra Status to dedicated subdomains, remove from tenant app, re-scope infraStatus to platformProcedure). Related: gh#533 (status page), gh#523 (cost dashboard), gh#689 (hide Preprod Controls on prod + demo).

Source: the FlatsBratislava operator manual.