openapi: 3.0.3
info:
  title: TenantPilot Admin (Workspace v2)
  version: 0.1.0
  description: |
    High-level contract for workspace-scoped admin entry points.

servers:
  - url: /

paths:
  /admin/choose-workspace:
    get:
      summary: Choose workspace page
      description: Render a list of workspaces the current user is a member of.
      responses:
        '200': { description: OK }
        '302': { description: Redirect (auto-select when only one membership) }

  /admin/no-access:
    get:
      summary: No access page
      description: Neutral page for authenticated users with zero workspace memberships.
      responses:
        '200': { description: OK }

  /admin/w/{workspace}/managed-tenants:
    get:
      summary: List managed tenants (workspace-scoped)
      parameters:
        - name: workspace
          in: path
          required: true
          schema: { type: string }
          description: Workspace identifier (slug preferred; id fallback)
      responses:
        '200': { description: OK }
        '404': { description: Not found (non-member) }

  /admin/w/{workspace}/managed-tenants/onboarding:
    get:
      summary: Start onboarding (workspace-scoped)
      parameters:
        - name: workspace
          in: path
          required: true
          schema: { type: string }
      responses:
        '200': { description: OK }
        '403': { description: Forbidden (member missing capability) }
        '404': { description: Not found (non-member) }

components:
  securitySchemes:
    sessionAuth:
      type: apiKey
      in: cookie
      name: tenantpilot_session

security:
  - sessionAuth: []