Administrator capabilities & boundaries
ADMINISTRATOR The administrator is the sole owner of fleet structure, user accounts, and the UCS Foundation. Code-level capability gates are defined insrc/role-helpers.js.Allowed
| Capability | Code gate |
|---|---|
| Manage users (create / disable / change role / reset password) | canManageUsers |
| Manage backups (R2 export / restore) | canManageBackups |
| UCS Foundation activate / propose, drawings registry mutation, vessel management | canManageFoundation |
| Approve / reject drafts (also supervisors) | canApproveDrafts |
| Teach Model (also supervisors) | canTeachModel |
| KB rebuild / backfill (also supervisors) | canAccessKB |
| RAG graph (also supervisors) | canAccessRagGraph |
Boundaries — things even the administrator should not do
- Bypass the draft → approve cycle. The cycle exists for audit. Direct DB writes leave no trail.
- Edit live components without a source document. The "doc prevails" rule is the contract — if a doc says X, the field reads X.
- Re-set Worker secrets without reason. Each
wrangler secret putinvalidates running edge workers for ~30 s. - Delete vessels in haste. Delete-ship preserves RAG by design, but the audit footprint of a deletion is heavy.
- Push to
mainwithout a T0 audit. Even with auto-merge, the audit must be clean first.
Internal vs external administrator action
Most admin actions are internal (DB / Foundation). External actions (publishing PRs, rotating secrets, changing DNS, modifying CF Pages) need extra care because they touch shared systems. Confirm before:
- Force-pushing to
main - Rotating
MOONSHOT_API_KEY,CLAUDE_API_KEY,POSTMARK_TOKEN - Changing the Cloudflare Access policy on
help.pmsplanner.com/admin - Deleting an R2 backup or KV namespace