openapi: 3.0.3
info:
  title: Tenant Operate Hub / Central Monitoring (UI Route Contracts)
  version: 0.1.0
  description: |
    Internal documentation of canonical central Monitoring surfaces.

    These are Filament page routes (not a public API). The contract is used to
    pin down URL shapes and security semantics (404 vs 403) for acceptance.

servers:
  - url: /

paths:
  /admin/operations:
    get:
      summary: Central Monitoring - Operations index
      description: |
        Canonical operations list. Must render without outbound calls.

        Scope semantics:
        - If tenant context is active AND entitled: page is tenant-filtered by default and shows tenant-scoped header/CTAs.
        - If tenant context is absent: page is workspace-wide.
        - If tenant context is active but not entitled: page behaves workspace-wide and must not reveal tenant identity.
      responses:
        '200':
          description: OK
        '302':
          description: Redirect to choose workspace if none selected
        '403':
          description: Authenticated but forbidden (capability denial after membership)
        '404':
          description: Deny-as-not-found when not entitled to workspace scope
  /admin/clear-tenant-context:
    post:
      summary: Exit tenant context (Monitoring)
      description: |
        Clears the active tenant context for the current session.
        Used by “Show all tenants” on central Monitoring pages.
      responses:
        '302':
          description: Redirect back to a canonical Monitoring page
        '404':
          description: Deny-as-not-found when not entitled to workspace scope
  /admin/operations/{run}:
    get:
      summary: Central Monitoring - Run detail
      parameters:
        - in: path
          name: run
          required: true
          schema:
            type: integer
      responses:
        '200':
          description: OK
        '403':
          description: Authenticated but forbidden (policy denies view)
        '404':
          description: Deny-as-not-found when run is outside entitled scope
  /admin/alerts:
    get:
      summary: Central Monitoring - Alerts
      responses:
        '200':
          description: OK
        '404':
          description: Deny-as-not-found when not entitled to workspace scope
  /admin/audit-log:
    get:
      summary: Central Monitoring - Audit log
      responses:
        '200':
          description: OK
        '404':
          description: Deny-as-not-found when not entitled to workspace scope