For CoverGuard staff. The CoverGuard super-admin role is a strict superset of every other persona: you see everything, own the platform `/admin` surface, and can act-as (impersonate) any user.
How you get this role. You don't self-select it. Every validated@coverguard.iostaff email is automatically elevated toCOVERGUARD_ADMIN— just sign in with your company email (email verification required). The platform owner is seeded as super-admin directly. The in-app role-change API refuses to grant or demote admin roles, so elevation is by staff domain or direct DB action only.
What you can see that customers can't
- Observability tab (PlatformPulse) — role-gated to staff, never shown to customers.
- Platform `/admin` surface — stats, users, usage telemetry, agent rules, demo
accounts, API-key approvals, staff→user outreach.
- Act-as any user (except a peer super-admin).
Everything a Buyer/Agent/Lender/Insurance/Admin sees is also visible to you.
Key staff workflows
Users & roles — /admin/users
List, search, and inspect users. Change a user's persona (cannot grant/demote ADMIN/COVERGUARD_ADMIN). Provision a user's AI key on their behalf — refused for admin targets, and every change is audited.
Act-as (impersonation) — "pull up anyone's instance"
It's an overlay, not a session takeover: you keep your own login and the client adds an act-as header to each request. From the /admin/users table, click Act as. A persistent banner shows who you're viewing, with one-click Exit. Start/stop are audited. You can never act-as another super-admin, and act-as sessions always use the managed AI key (never the target's BYOK key). See Platform admin & observability.
Usage telemetry & activation funnel — /admin/usage
Top endpoints, p95/p99 latency, error rates, top error codes, function stats, AI usage by source (BYOK vs managed cost), and the new-user activation funnel by persona.
Observability (PlatformPulse) — /observability
One consolidated dashboard: overview, trends, composed health, the Focus feed (users to flag now from real signals — dunning, error bursts, carrier exits), recent events, and per-user timelines. A synthetic prototype view is at ?view=prototype.
Staff → user AI outreach (ADR-0013)
From the Observability Focus feed, AI-draft a message to a user (managed key, guardrail-screened, never auto-sends), review it, and send. Recipients can opt out (the send path respects it). Draft/send are rate-limited per staffer.
Agent rules — Sys Admin → Feature Flags → Rules
Override the out-of-the-box digital agents' objectives ("rules") from the app instead of editing code. Overrides apply to future installs; already-provisioned agents keep the objective they were created with.
Partner API-key approvals — /admin API keys
Approve or suspend partner API keys (the KEY_NOT_APPROVED gate), independent of billing.
Demo accounts — /toolkit/demo-accounts
List and (re)provision the seeded demo accounts.
Activity history — user × company × property
The activity history (surfaced in admin tooling) is a single, append-only, queryable record of meaningful user + property actions. Filter by user, company/team, property, event type, and time window; it's paginated and requires at least one filter (no unbounded scans). Use it to answer "what did this user / company / property do?" — distinct from usage telemetry, which answers "how is the platform being used / where does it hurt".
Guardrails to remember
- Super-admins always use the managed AI key — never a customer's BYOK key, even under
act-as. Impersonation forces the managed key.
- You cannot act-as a peer super-admin.
- Role grants for admin personas are DB-only — the API won't do it.
- Outreach never auto-sends — a human reviews and sends; opted-out users are protected.
Troubleshooting quick hits
See Admin & staff tools troubleshooting. Quick hits:
- "Observability/admin 403s for me." — Your staff email may not be email-verified yet, or
your role hasn't been elevated. Confirm email_confirmed_at and re-sign-in.
- "Act-as won't start for a user." — The target may be a peer super-admin (not allowed),
or invalid. Check the audit log.
- "AI usage report is empty." — Historic; AI-cost telemetry began accruing from a
fix point forward, so older windows can read empty.
Do this next
Open Observability and work the Focus feed — it surfaces the users worth a human touch right now (dunning, error bursts, carrier exits). Draft outreach, review it, and send.