{"manifestKind":"app","id":"diya-os-control-plane","name":"DiyaOS Control Plane","version":"0.1.0","purpose":"Identity, tenant, and RBAC administration for DiyaOS.","owner":"platform","standaloneEntrypoint":"/","integratedEntrypoint":"/apps/os","apiBasePath":"/api","standaloneDomains":["os.diyaos.com","diyaos.com","admin.diyaos.com","account.diyaos.com","os.diyaos.local"],"allowedRedirectUris":["https://os.diyaos.com/auth/callback","https://admin.diyaos.com/auth/callback","https://account.diyaos.com/auth/callback","https://diyaos.com/auth/callback","https://os.diyaos.local/auth/callback"],"allowedOrigins":["https://os.diyaos.com","https://diyaos.com","https://admin.diyaos.com","https://account.diyaos.com","https://os.diyaos.local"],"auth":{"mode":"diyaos-shared-auth","issuer":"https://auth.diyaos.com","audience":"diya-os-control-plane","standaloneDomains":["os.diyaos.com","diyaos.com","admin.diyaos.com","account.diyaos.com","os.diyaos.local"],"allowedRedirectUris":["https://os.diyaos.com/auth/callback","https://admin.diyaos.com/auth/callback","https://account.diyaos.com/auth/callback","https://diyaos.com/auth/callback","https://os.diyaos.local/auth/callback"],"allowedOrigins":["https://os.diyaos.com","https://diyaos.com","https://admin.diyaos.com","https://account.diyaos.com","https://os.diyaos.local"],"requiredScopes":["diyaos.scope"]},"backend":{"runtime":"fastapi","serviceId":"diyaos-auth","openApiPath":"https://auth.diyaos.com/openapi.json","healthPath":"https://auth.diyaos.com/health","mcp":{"status":"planned","serverId":"diyaos-auth-mcp","tools":["check_permission","explain_access","prepare_approval_request","bootstrap_os_admin"],"resources":["policy://auth-rbac","principal://{principal_id}","tenant://{tenant_id}"]},"a2a":{"status":"planned","agentCardPath":"https://auth.diyaos.com/.well-known/agent-card.json","skills":["authz_check","access_explanation","approval_preparation","os_admin_bootstrap"]}},"capabilities":["bootstrap_first_os_admin","navigate_diyaos_admin_account_addresses","inspect_identity_principals","inspect_effective_permissions","evaluate_role_assignment_gate","evaluate_registration_workflow_gate","design_company_tenant_workflows","view_platform_and_tenant_scope_map","inspect_passwordless_auth_policy","inspect_user_management_hub","invite_platform_admins","orchestrate_tenant_onboarding_email","inspect_email_send_records","manage_tenant_core_pages","manage_tenant_billing_references"],"intents":["review_access","bootstrap_os_admin","enter_admin_console","manage_account_security","prepare_role_assignment","prepare_platform_admin_registration","prepare_tenant_provisioning","review_company_tenant_setup","prepare_tenant_activation","prepare_tenant_admin_registration","prepare_tenant_user_registration","prepare_onboarding_email","accept_invitation_and_register_passkey","audit_tenant_membership","review_tenant_billing_reference","inspect_scope_policy","navigate_user_management_operations"],"permissions":["identity.principals.read","identity.principals.manage","auth.credentials.read","auth.credentials.manage","auth.otp.issue","rbac.roles.read","rbac.roles.assign","platforms.read","platform.admins.manage","tenants.read","tenants.manage","tenant.admins.manage","tenant.users.read","tenant.users.manage","audit.events.read","apps.access","agents.delegate","email.connections.read","email.sender-identities.read","email.messages.send","email.messages.read-status","email.audit.read"],"eventsEmitted":["identity.os_admin_bootstrap_completed","identity.principal_invited","identity.principal_suspended","auth.webauthn_credential_registered","auth.otp_step_up_requested","rbac.role_assignment_requested","rbac.role_assignment_approved","platform.admin_registration_requested","tenant.created","tenant.admin_registration_requested","tenant.user_registration_requested","tenant.suspended","email.connection_created","email.connection_disabled","email.sender_identity_verified","email.message_send_requested","email.message_blocked","email.message_accepted","email.message_sent","email.message_failed"],"eventsConsumed":["tenant.archived","agent.action_requested"],"agentTools":["check_permission","list_effective_permissions","bootstrap_os_admin","prepare_role_assignment_request","prepare_registration_request","inspect_passwordless_policy","inspect_email_sender_identities","prepare_onboarding_email"],"integrationModes":["standalone","diyaos-integrated"],"protocolRoadmap":["openapi","mcp","a2a","cloudevents"],"tenantExperience":{"modes":["diyaos-hosted-branded","custom-domain-white-label"],"defaultMode":"diyaos-hosted-branded","brandingSource":"tenant-profile","requiresDomainVerification":true,"notes":"By default, the OS can resolve tenant branding while hosted on DiyaOS domains. Approved white-label tenants may use custom domains after domain verification, app-client registration, redirect/origin validation, routing, and certificate setup."},"storage":{"mode":"none","notes":"The OS app is an administrative UI and proxy surface. Durable identity, RBAC, tenant, and audit data belongs to services/auth and future storage-plane grants. Production service proxy secrets are runtime bindings only and must not be committed."},"secrets":[{"id":"tenant-service-proxy-token","purpose":"Shared service-to-service token used by the OS Pages Function proxy when calling the deployed Tenant FastAPI service.","sourceOfTruth":"cloudflare","requiredIn":["production"],"allowedDestinations":["cloudflare-pages:diyaos-os","cloudflare-tunnel-origin:diyaos-tenants-api","cloudflare-worker:diyaos-tenants-api"],"rotationPolicy":"Rotate by updating both Cloudflare runtime secret destinations together; move the source of truth to Infisical when write access is available."}],"serviceDependencies":[{"serviceId":"diyaos-auth","purpose":"Shared passwordless authentication, authorization, RBAC, registration, and audit contract authority.","required":true},{"serviceId":"diyaos-tenants","purpose":"Company tenant lifecycle, setup checklist, app access, invitation, and approval workflow backend.","required":true},{"serviceId":"diyaos-email","purpose":"Provider-neutral email sender identity, dry-run/live send, send-record, and audit boundary for onboarding invitations.","required":true}],"packageDependencies":[{"packageName":"@diyaos/auth","purpose":"Shared principal, scope, passwordless, session, and registration contracts.","required":true},{"packageName":"@diyaos/permissions","purpose":"Shared role catalog, permission catalog, and grant gate decisions.","required":true},{"packageName":"@diyaos/tenant-core","purpose":"Shared company tenant lifecycle and setup workflow contracts.","required":true},{"packageName":"@diyaos/email","purpose":"Shared email provider, sender identity, permission, event, and send request contracts.","required":true}]}