Admin connect + Provision tenant + Repair DB security (Option A: clinic_<code>_<module>).
No shared app user. PWA must connect using u_<clinicCode> + role tenant:<clinicCode>.
Pages are filtered by mode + required modules. Disabled pages are hidden in the public app and blocked on direct URL.
Admin Username
Admin Password
Not saved
Provision a Tenant (Clinic Code)
Creates the u_<clinicCode> user with role tenant:<clinicCode>, creates the DBs as clinic_<clinicCode>_<module>, and sets each DB's security to:
admins.roles=["_admin"] and members.roles=["tenant:<clinicCode>"].
Important: it also keeps members.names=[], so no stray users (like the old pwa_app) remain in DB permissions.
Seeds the clinic_settings doc in clinic_<code>_settings.
clinicCode (lowercase)
Tenant username
Tenant password (generated)
Share these creds with the client (Public App → Connect).
Preset
Pack (stored in clinic_settings)
Modules (DBs to create)
Live Log
Clinic Settings (Canonical · single source of truth)
This edits clinic_settings in clinic_<code>_settings.
It keeps old fields for compatibility, but enforces the canonical fields required by the public app: status, pack, features, sync.couchUrl, sync.dbPrefix, branding.theme.
Important: no custom keys starting with _ (CouchDB validation).
Status
Pack
Clinic Name
Theme (branding.theme)
Logo URL
Banner URL
Banner Fit
Banner Height
Offline boot allowed
Features (public app gating)
Raw clinic_settings (latest loaded)
Why this exists
The public app should NOT contain admin/kite pages. This control app is the only place for tenant provisioning, branding changes, health checks and suspend enforcement.
Option A rule: every tenant DB is private and accessible only via tenant:<clinicCode>.