feat(app): wire dashboard administration flows

readme.md

@@ -1,8 +1,8 @@
 # @idp.global/idp.global
 
-Identity infrastructure for apps that need accounts, sessions, organizations, invites, admin tooling, and OpenID Connect in one TypeScript codebase.
+Identity infrastructure for apps that need accounts, sessions, organizations, invites, admin tooling, mobile passport approvals, security alerts, and OpenID Connect in one TypeScript codebase.
 
-This repository ships the `idp.global` server, the browser/client SDK, the CLI, shared request/data interfaces, and the web UI used by the hosted service.
+This repository ships the `idp.global` server, browser SDK, CLI, web UI, and tspublish submodules used by the hosted service. Shared public contracts live in the sibling `@idp.global/interfaces` package.
 
 ## Issue Reporting and Security
 
@@ -14,6 +14,7 @@ For reporting bugs, issues, or security vulnerabilities, please visit [community
 - Serves a web app for login, registration, account management, org management, billing flows, and global admin views.
 - Exposes typed realtime APIs over `typedrequest` and `typedsocket`.
 - Implements OIDC/OAuth endpoints including discovery, JWKS, authorization, token, userinfo, and revoke.
+- Supports passport-style mobile device enrollment, signed approval challenges, push registration, security alerts, and NFC/location-backed identity proof flows.
 - Includes a reusable browser client and a terminal CLI for common account and org workflows.
 
 ## Monorepo Modules
@@ -21,10 +22,10 @@ For reporting bugs, issues, or security vulnerabilities, please visit [community
 | Folder | Purpose |
 | --- | --- |
 | `ts/` | Backend service entrypoint and the core `Reception` managers |
-| `ts_interfaces/` | Shared request and data contracts used by server, client, CLI, and UI |
 | `ts_idpclient/` | Browser-focused SDK published as `@idp.global/client` |
 | `ts_idpcli/` | CLI published as `@idp.global/cli` |
 | `ts_web/` | Frontend bundle with login, registration, account, org, billing, and admin views |
+| `../interfaces/` | Shared request and data contracts published as `@idp.global/interfaces` |
 
 ## Core Backend Pieces
 
@@ -41,6 +42,9 @@ For reporting bugs, issues, or security vulnerabilities, please visit [community
 - `BillingPlanManager` for Paddle-backed billing data.
 - `AppManager` and `AppConnectionManager` for app connections and admin app stats.
 - `ActivityLogManager` for audit-style activity entries.
+- `AlertManager` for passport alerts and organization/global alert rules.
+- `AbuseProtectionManager` for rate-limited sensitive flows such as OIDC token exchange.
+- `PassportManager` and `PassportPushManager` for trusted device enrollment, challenge approval, and push notification delivery.
 - `OidcManager` for the OIDC/OAuth provider surface.
 
 ## Quick Start
@@ -67,7 +71,7 @@ export INSTANCE_NAME=idp-dev
 
 Optional:
 
-- `SERVEZONE_PLATFROM_AUTHORIZATION`
+- `SERVEZONE_PLATFORM_AUTHORIZATION`
 - `PADDLE_TOKEN`
 - `PADDLE_PRICE_ID`
 
@@ -85,6 +89,19 @@ pnpm watch
 
 This starts the backend from `ts/` and rebuilds the frontend bundle from `ts_web/`. The service listens on port `2999`.
 
+### Seed Development Data
+
+```bash
+pnpm run seed
+```
+
+The seed command starts an interactive CLI that writes to the configured local database. The default demo workspace creates a global admin, an organization, demo users, and global OAuth app records.
+
+Default development credentials if accepted unchanged:
+
+- Email: `admin@idp.global`
+- Password: `idp.global`
+
 ## Runtime Surface
 
 ### Web Routes
@@ -93,9 +110,10 @@ This starts the backend from `ts/` and rebuilds the frontend bundle from `ts_web
 | --- | --- |
 | `/` | Welcome page |
 | `/login` | Login flow |
+| `/logout` | Logout flow |
 | `/register` | Registration flow |
 | `/finishregistration` | Multi-step registration completion |
-| `/account` | Signed-in account area |
+| `/account` | Signed-in account area and account subroutes |
 
 ### OIDC and OAuth Endpoints
 
@@ -110,6 +128,18 @@ This starts the backend from `ts/` and rebuilds the frontend bundle from `ts_web
 
 Supported scopes in the OIDC manager include `openid`, `profile`, `email`, `organizations`, and `roles`.
 
+## Passport And Mobile Approval Flow
+
+`PassportManager` powers the trusted-device side of idp.global. A web session can create a passport enrollment challenge, the Swift app completes enrollment through a QR/NFC pairing payload, and later sign-in or identity checks can be approved by the paired device with signed challenge responses.
+
+The typed request surface includes:
+
+- `createPassportEnrollmentChallenge` and `completePassportEnrollment` for pairing a trusted device.
+- `getPassportDevices` and `revokePassportDevice` for account-level device management.
+- `createPassportChallenge`, `approvePassportChallenge`, `rejectPassportChallenge`, and `listPendingPassportChallenges` for approval flows.
+- `getPassportDashboard`, `listPassportAlerts`, and `markPassportAlertSeen` for mobile app dashboards and notifications.
+- `registerPassportPushToken` for push delivery setup.
+
 ## SDK Example
 
 The browser SDK lives in `ts_idpclient/` and is published as `@idp.global/client`.
@@ -153,10 +183,10 @@ The CLI stores credentials in `~/.idp-global/credentials.json` and reads `IDP_UR
 
 ## Shared Interfaces
 
-`ts_interfaces/` exports the type contracts shared across the stack:
+The sibling `@idp.global/interfaces` package exports the type contracts shared across the stack:
 
-- `data/*` for users, orgs, roles, JWTs, sessions, devices, billing plans, apps, and OIDC payloads.
-- `request/*` for auth, registration, user, org, invitation, app, admin, billing, and JWT request contracts.
+- `data/*` for users, orgs, roles, JWTs, sessions, devices, billing plans, apps, passport records, alerts, and OIDC payloads.
+- `request/*` for auth, registration, user, org, invitation, app, admin, billing, JWT, passport, alert, and OIDC request contracts.
 - `tags/*` for shared tag exports.
 
 ## Frontend