{"sharedAuthService":{"serviceId":"diyaos-auth","runtime":"fastapi","issuer":"https://auth.diyaos.local","openApiPath":"https://auth.diyaos.local/openapi.json","healthPath":"https://auth.diyaos.local/health","oidcMetadataPath":"https://auth.diyaos.local/.well-known/openid-configuration","mcpStatus":"planned","a2aStatus":"planned","compatibility":["SvelteKit apps","standalone domains","OpenAPI clients","MCP agents","A2A agents"]},"apps":[{"id":"diya-os-control-plane","name":"DiyaOS Control Plane","status":"implemented","standaloneDomains":["os.diyaos.com","diyaos.com","admin.diyaos.com","account.diyaos.com","os.diyaos.local"],"integratedEntrypoint":"/apps/os","auth":{"mode":"diyaos-shared-auth","issuer":"https://auth.diyaos.com","audience":"diya-os-control-plane","standaloneDomains":["os.diyaos.com","diyaos.com","admin.diyaos.com","account.diyaos.com","os.diyaos.local"],"allowedRedirectUris":["https://os.diyaos.com/auth/callback","https://admin.diyaos.com/auth/callback","https://account.diyaos.com/auth/callback","https://diyaos.com/auth/callback","https://os.diyaos.local/auth/callback"],"allowedOrigins":["https://os.diyaos.com","https://diyaos.com","https://admin.diyaos.com","https://account.diyaos.com","https://os.diyaos.local"],"requiredScopes":["diyaos.scope"]},"backend":{"runtime":"fastapi","serviceId":"diyaos-auth","openApiPath":"https://auth.diyaos.com/openapi.json","healthPath":"https://auth.diyaos.com/health","mcp":{"status":"planned","serverId":"diyaos-auth-mcp","tools":["check_permission","explain_access","prepare_approval_request","bootstrap_os_admin"],"resources":["policy://auth-rbac","principal://{principal_id}","tenant://{tenant_id}"]},"a2a":{"status":"planned","agentCardPath":"https://auth.diyaos.com/.well-known/agent-card.json","skills":["authz_check","access_explanation","approval_preparation","os_admin_bootstrap"]}},"manifest":{"manifestKind":"app","id":"diya-os-control-plane","name":"DiyaOS Control Plane","version":"0.1.0","purpose":"Identity, tenant, and RBAC administration for DiyaOS.","owner":"platform","standaloneEntrypoint":"/","integratedEntrypoint":"/apps/os","apiBasePath":"/api","standaloneDomains":["os.diyaos.com","diyaos.com","admin.diyaos.com","account.diyaos.com","os.diyaos.local"],"allowedRedirectUris":["https://os.diyaos.com/auth/callback","https://admin.diyaos.com/auth/callback","https://account.diyaos.com/auth/callback","https://diyaos.com/auth/callback","https://os.diyaos.local/auth/callback"],"allowedOrigins":["https://os.diyaos.com","https://diyaos.com","https://admin.diyaos.com","https://account.diyaos.com","https://os.diyaos.local"],"auth":{"mode":"diyaos-shared-auth","issuer":"https://auth.diyaos.com","audience":"diya-os-control-plane","standaloneDomains":["os.diyaos.com","diyaos.com","admin.diyaos.com","account.diyaos.com","os.diyaos.local"],"allowedRedirectUris":["https://os.diyaos.com/auth/callback","https://admin.diyaos.com/auth/callback","https://account.diyaos.com/auth/callback","https://diyaos.com/auth/callback","https://os.diyaos.local/auth/callback"],"allowedOrigins":["https://os.diyaos.com","https://diyaos.com","https://admin.diyaos.com","https://account.diyaos.com","https://os.diyaos.local"],"requiredScopes":["diyaos.scope"]},"backend":{"runtime":"fastapi","serviceId":"diyaos-auth","openApiPath":"https://auth.diyaos.com/openapi.json","healthPath":"https://auth.diyaos.com/health","mcp":{"status":"planned","serverId":"diyaos-auth-mcp","tools":["check_permission","explain_access","prepare_approval_request","bootstrap_os_admin"],"resources":["policy://auth-rbac","principal://{principal_id}","tenant://{tenant_id}"]},"a2a":{"status":"planned","agentCardPath":"https://auth.diyaos.com/.well-known/agent-card.json","skills":["authz_check","access_explanation","approval_preparation","os_admin_bootstrap"]}},"capabilities":["bootstrap_first_os_admin","navigate_diyaos_admin_account_addresses","inspect_identity_principals","inspect_effective_permissions","evaluate_role_assignment_gate","evaluate_registration_workflow_gate","design_company_tenant_workflows","view_platform_and_tenant_scope_map","inspect_passwordless_auth_policy","inspect_user_management_hub","invite_platform_admins","orchestrate_tenant_onboarding_email","inspect_email_send_records","manage_tenant_core_pages","manage_tenant_billing_references"],"intents":["review_access","bootstrap_os_admin","enter_admin_console","manage_account_security","prepare_role_assignment","prepare_platform_admin_registration","prepare_tenant_provisioning","review_company_tenant_setup","prepare_tenant_activation","prepare_tenant_admin_registration","prepare_tenant_user_registration","prepare_onboarding_email","accept_invitation_and_register_passkey","audit_tenant_membership","review_tenant_billing_reference","inspect_scope_policy","navigate_user_management_operations"],"permissions":["identity.principals.read","identity.principals.manage","auth.credentials.read","auth.credentials.manage","auth.otp.issue","rbac.roles.read","rbac.roles.assign","platforms.read","platform.admins.manage","tenants.read","tenants.manage","tenant.admins.manage","tenant.users.read","tenant.users.manage","audit.events.read","apps.access","agents.delegate","email.connections.read","email.sender-identities.read","email.messages.send","email.messages.read-status","email.audit.read"],"eventsEmitted":["identity.os_admin_bootstrap_completed","identity.principal_invited","identity.principal_suspended","auth.webauthn_credential_registered","auth.otp_step_up_requested","rbac.role_assignment_requested","rbac.role_assignment_approved","platform.admin_registration_requested","tenant.created","tenant.admin_registration_requested","tenant.user_registration_requested","tenant.suspended","email.connection_created","email.connection_disabled","email.sender_identity_verified","email.message_send_requested","email.message_blocked","email.message_accepted","email.message_sent","email.message_failed"],"eventsConsumed":["tenant.archived","agent.action_requested"],"agentTools":["check_permission","list_effective_permissions","bootstrap_os_admin","prepare_role_assignment_request","prepare_registration_request","inspect_passwordless_policy","inspect_email_sender_identities","prepare_onboarding_email"],"integrationModes":["standalone","diyaos-integrated"],"protocolRoadmap":["openapi","mcp","a2a","cloudevents"],"tenantExperience":{"modes":["diyaos-hosted-branded","custom-domain-white-label"],"defaultMode":"diyaos-hosted-branded","brandingSource":"tenant-profile","requiresDomainVerification":true,"notes":"By default, the OS can resolve tenant branding while hosted on DiyaOS domains. Approved white-label tenants may use custom domains after domain verification, app-client registration, redirect/origin validation, routing, and certificate setup."},"storage":{"mode":"none","notes":"The OS app is an administrative UI and proxy surface. Durable identity, RBAC, tenant, and audit data belongs to services/auth and future storage-plane grants. Production service proxy secrets are runtime bindings only and must not be committed."},"secrets":[{"id":"tenant-service-proxy-token","purpose":"Shared service-to-service token used by the OS Pages Function proxy when calling the deployed Tenant FastAPI service.","sourceOfTruth":"cloudflare","requiredIn":["production"],"allowedDestinations":["cloudflare-pages:diyaos-os","cloudflare-tunnel-origin:diyaos-tenants-api","cloudflare-worker:diyaos-tenants-api"],"rotationPolicy":"Rotate by updating both Cloudflare runtime secret destinations together; move the source of truth to Infisical when write access is available."}],"serviceDependencies":[{"serviceId":"diyaos-auth","purpose":"Shared passwordless authentication, authorization, RBAC, registration, and audit contract authority.","required":true},{"serviceId":"diyaos-tenants","purpose":"Company tenant lifecycle, setup checklist, app access, invitation, and approval workflow backend.","required":true},{"serviceId":"diyaos-email","purpose":"Provider-neutral email sender identity, dry-run/live send, send-record, and audit boundary for onboarding invitations.","required":true}],"packageDependencies":[{"packageName":"@diyaos/auth","purpose":"Shared principal, scope, passwordless, session, and registration contracts.","required":true},{"packageName":"@diyaos/permissions","purpose":"Shared role catalog, permission catalog, and grant gate decisions.","required":true},{"packageName":"@diyaos/tenant-core","purpose":"Shared company tenant lifecycle and setup workflow contracts.","required":true},{"packageName":"@diyaos/email","purpose":"Shared email provider, sender identity, permission, event, and send request contracts.","required":true}]},"checks":{"sharedAuth":true,"standaloneDomains":true,"redirectUris":true,"openApi":true,"mcp":true,"a2a":true}},{"id":"diya-email-console","name":"Diya Email Console","status":"implemented","standaloneDomains":["email.diyaos.local"],"integratedEntrypoint":"/apps/email","auth":{"mode":"diyaos-shared-auth","issuer":"https://auth.diyaos.local","audience":"diya-email-console","standaloneDomains":["email.diyaos.local"],"allowedRedirectUris":["https://email.diyaos.local/auth/callback"],"allowedOrigins":["https://email.diyaos.local"],"requiredScopes":["diyaos.scope","email.messages.send"]},"backend":{"runtime":"fastapi","serviceId":"diyaos-email","openApiPath":"http://127.0.0.1:8003/openapi.json","healthPath":"http://127.0.0.1:8003/health","mcp":{"status":"planned","serverId":"diyaos-email-mcp","tools":["list_email_providers","list_email_sender_identities","send_email","inspect_email_send_records"],"resources":["email-provider://{provider_id}","email-sender://{sender_identity_id}","email-send://{send_record_id}"]},"a2a":{"status":"planned","agentCardPath":"http://127.0.0.1:8003/.well-known/agent-card.json","skills":["email_send_request","email_provider_readiness","email_delivery_status"]}},"manifest":{"permissions":["email.connections.read","email.sender-identities.read","email.messages.send","email.messages.read-status","email.audit.read"],"agentTools":["list_email_providers","list_email_sender_identities","send_email","inspect_email_send_records"],"protocolRoadmap":["openapi","mcp","a2a","cloudevents"]},"checks":{"sharedAuth":true,"standaloneDomains":true,"redirectUris":true,"openApi":true,"mcp":true,"a2a":true}},{"id":"diya-brand-house","name":"Diya Brand House","status":"implemented","standaloneDomains":["brand.diyaos.local"],"integratedEntrypoint":"/apps/brand","auth":{"mode":"diyaos-shared-auth","issuer":"https://auth.diyaos.local","audience":"diya-brand-house","standaloneDomains":["brand.diyaos.local"],"allowedRedirectUris":["https://brand.diyaos.local/auth/callback"],"allowedOrigins":["https://brand.diyaos.local"],"requiredScopes":["diyaos.scope","brand.workspace"]},"backend":{"runtime":"fastapi","serviceId":"diyaos-brand-api","openApiPath":"/api/brand/openapi","healthPath":"/api/brand/health","mcp":{"status":"planned","serverId":"diya-brand-house-mcp","tools":["search_brand_assets","get_current_brand_guidelines","check_brand_usage"],"resources":["brand://{tenant_id}/{brand_id}","brand-guidelines://{tenant_id}/{brand_id}/current"]},"a2a":{"status":"planned","agentCardPath":"/api/brand/.well-known/agent-card.json","skills":["brand_guideline_retrieval","brand_asset_search","brand_usage_check"]}},"manifest":{"permissions":["brand.guidelines.read","brand.assets.read","brand.requests.create"],"agentTools":["search_brand_assets","get_current_brand_guidelines","check_brand_usage"],"protocolRoadmap":["openapi","mcp","a2a","cloudevents"]},"checks":{"sharedAuth":true,"standaloneDomains":true,"redirectUris":true,"openApi":true,"mcp":true,"a2a":true}},{"id":"diya-vault","name":"Diya Vault","status":"planned","standaloneDomains":["vault.diyaos.local"],"integratedEntrypoint":"/apps/vault","auth":{"mode":"diyaos-shared-auth","issuer":"https://auth.diyaos.local","audience":"diya-vault","standaloneDomains":["vault.diyaos.local"],"allowedRedirectUris":["https://vault.diyaos.local/auth/callback"],"allowedOrigins":["https://vault.diyaos.local"],"requiredScopes":["diyaos.scope","vault.documents"]},"backend":{"runtime":"fastapi","serviceId":"diyaos-vault-api","openApiPath":"/api/vault/openapi","healthPath":"/api/vault/health","mcp":{"status":"planned","serverId":"diya-vault-mcp","tools":["search_documents","get_document_metadata","request_approval"],"resources":["document://{document_id}","project://{project_id}/documents"]},"a2a":{"status":"planned","agentCardPath":"/api/vault/.well-known/agent-card.json","skills":["document_search","latest_approved_version","document_package_preparation"]}},"manifest":{"permissions":["vault.documents.read","vault.documents.upload","vault.documents.approve"],"agentTools":["search_documents","get_document_metadata","request_approval"],"protocolRoadmap":["openapi","mcp","a2a","cloudevents"]},"checks":{"sharedAuth":true,"standaloneDomains":true,"redirectUris":true,"openApi":true,"mcp":true,"a2a":true}}]}