openapi: 3.1.0
info:
  title: Platform Relocation Runtime Smoke Contract
  version: 0.1.0
  description: |
    Relocation smoke contract for the preserved HTTP surfaces after moving the Laravel app to apps/platform.
    The intent is not to define new APIs, but to formalize which entry surfaces must remain reachable
    and what broad response classes are acceptable during smoke validation.
servers:
  - url: http://localhost
paths:
  /up:
    get:
      summary: Laravel health endpoint remains reachable
      responses:
        '200':
          description: Health endpoint resolves successfully after relocation.
  /:
    get:
      summary: Public web entry remains reachable
      responses:
        '200':
          description: Public entry loads successfully.
  /admin:
    get:
      summary: Admin shell route remains reachable
      responses:
        '200':
          description: Authenticated admin shell is reachable.
        '302':
          description: Unauthenticated access redirects to the expected auth entry without a runtime failure.
  /admin/choose-workspace:
    get:
      summary: Workspace chooser remains reachable
      responses:
        '200':
          description: Authenticated workspace chooser loads successfully.
        '302':
          description: Unauthenticated access redirects to the correct auth entry.
  /admin/t/{tenant}/backup-sets:
    get:
      summary: Tenant-scoped Filament route remains reachable with existing auth semantics
      parameters:
        - in: path
          name: tenant
          required: true
          schema:
            type: string
            format: uuid
      responses:
        '200':
          description: Entitled actor can load the tenant-scoped route.
        '302':
          description: Unauthenticated actor is redirected to login.
        '403':
          description: Member without required capability remains forbidden.
        '404':
          description: Non-member or wrong-scope access remains deny-as-not-found.
  /system:
    get:
      summary: System-plane shell route remains reachable
      responses:
        '200':
          description: Authenticated and authorized system shell is reachable.
        '302':
          description: Unauthenticated access redirects to the expected auth entry.
        '403':
          description: Authenticated system-plane actor without required capability remains forbidden.
        '404':
          description: Wrong-plane or non-member access remains deny-as-not-found.