Domain deep dive — Platform & admin

Purpose

Single D1 narrative for engineers working on portal identity, Singpass, website/tenant admin, or AI integration settings stored as DocTypes. It ties together:

• Generated Platform & admin DocType reference
• Singpass — integration patterns
• Security checklist — guest APIs and tokens
• API inventory — user registration, FAQs, company search, etc.

“Platform” vs “Lee Kim business” DocTypes

platform-admin in the generator groups cross-cutting DocTypes (tokens, portal users, website helpers, logs). They are not a single runtime “platform service” — treat this category as a documentation bucket.

Domain boundary

In scope	Out of scope (link instead)
Singpass Token, UserLKA, Applicant, verification codes	Full Singpass legal/compliance sign-off — vendor docs
OpenAI Settings, Google reCAPTCHA	Model selection product strategy
Tenants Table, Features Group List	Multi-tenant billing — Finance & AR
Log Data / prompt logs	Application business PDFs — Incorporation

DocType cluster (generated)

Sub-theme	Examples
Identity / portal	userlka, applicant, singpass_token, verifycodelka, resetkeylka
AI / safety	openai_settings, google_recaptcha, prompt_log
Website / tenancy	tenants_table, features_group_list, addons_list
Ops logs	log_data, log_data_list

Confirm exact membership in platform-admin — categorization rules live in generate-doctype-reference.mjs.

Code map

Layer	Primary locations
APIs	leekimerp/api/user.py, api/website_faqs.py, api/company_search.py, Singpass-related packages — API inventory
DocType controllers	lee_kim_alliance_erp/doctype/<name>/ per generated page
Hooks	Grep hooks.py for portal DocTypes when adding doc_events

Overlay priority (for overlays.json)

Priority	DocType keys	Rationale
P1 — Overlays present	singpass_token, userlka, openai_settings (see overlays.json)	Auth/session, extended user, AI keys
P2	google_recaptcha, applicant, verifycodelka	Bot defense and onboarding
P3	tenants_table, log_data, prompt_log	Multi-tenant metadata and observability

Failure modes (where to look)

Symptom	First checks
Singpass login fails	Singpass Token freshness, redirect URIs, Singpass
AI features down	OpenAI Settings keys, rate limits, provider status
Spam signups	Google reCAPTCHA keys, server-side verification

Logs: Error Log, Log Data DocTypes if used for app-level tracing; never log raw tokens.

Related

• Engineering deliverables — governance policies (orthogonal to this domain narrative)
• Singpass
• Security checklist
• Domain documentation strategy
• Documentation upgrade roadmap