From edd1d45a1aa358486c54e041bdc83d68228524e4 Mon Sep 17 00:00:00 2001
From: hsiegeln <37154749+hsiegeln@users.noreply.github.com>
Date: Mon, 6 Apr 2026 10:24:52 +0200
Subject: [PATCH] docs: Logto admin credentials + branding design spec

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 ...6-04-06-logto-admin-and-branding-design.md | 66 +++++++++++++++++++
 1 file changed, 66 insertions(+)
 create mode 100644 docs/superpowers/specs/2026-04-06-logto-admin-and-branding-design.md

diff --git a/docs/superpowers/specs/2026-04-06-logto-admin-and-branding-design.md b/docs/superpowers/specs/2026-04-06-logto-admin-and-branding-design.md
new file mode 100644
index 0000000..3761892
--- /dev/null
+++ b/docs/superpowers/specs/2026-04-06-logto-admin-and-branding-design.md
@@ -0,0 +1,66 @@
+# Logto Admin Credentials + Sign-In Branding
+
+## Problem
+
+1. Logto admin console and SaaS platform have separate credentials — unnecessary complexity for operators
+2. Logto's sign-in page uses default Logto branding, not Cameleer's theme
+
+## Solution
+
+### Admin Credentials
+
+Reuse the SaaS admin user for Logto console access. The bootstrap assigns the Logto admin tenant management role to the SaaS admin user, so `SAAS_ADMIN_USER`/`SAAS_ADMIN_PASS` works for both the platform and the Logto console.
+
+**Bootstrap change:** After creating the SaaS admin user, assign them to Logto's `admin` tenant with the management role:
+```sh
+# Assign admin tenant management role to SaaS owner
+ADMIN_MGMT_ROLE_ID=$(api_get "/api/roles" | jq -r '.[] | select(.name == "admin:admin") | .id')
+if [ -n "$ADMIN_MGMT_ROLE_ID" ]; then
+  api_post "/api/users/$ADMIN_USER_ID/roles" "{\"roleIds\": [\"$ADMIN_MGMT_ROLE_ID\"]}"
+  log "SaaS admin granted Logto console access."
+fi
+```
+
+### Sign-In Branding
+
+Configure Logto's sign-in experience via `PATCH /api/sign-in-exp` during bootstrap.
+
+**Colors** (from `@cameleer/design-system`):
+- Primary: `#C6820E` (amber)
+- Dark primary: `#D4941E`
+- Dark mode enabled
+
+**Logo**: Served from SaaS app at `/platform/logo.svg` and `/platform/logo-dark.svg`. Files live in `ui/public/`.
+
+**Custom CSS**: Override fonts and button styles to match Cameleer theme.
+
+**Bootstrap API call:**
+```sh
+api_patch "/api/sign-in-exp" "{
+  \"color\": {
+    \"primaryColor\": \"#C6820E\",
+    \"isDarkModeEnabled\": true,
+    \"darkPrimaryColor\": \"#D4941E\"
+  },
+  \"branding\": {
+    \"logoUrl\": \"${PROTO}://${HOST}/platform/logo.svg\",
+    \"darkLogoUrl\": \"${PROTO}://${HOST}/platform/logo-dark.svg\"
+  }
+}"
+```
+
+## Files to Modify
+
+- `docker/logto-bootstrap.sh`:
+  - Add `api_patch` helper function (PATCH method, like `api_put` but with PATCH)
+  - New phase: assign admin tenant role to SaaS admin user
+  - New phase: configure sign-in experience branding
+- `ui/public/logo.svg` — NEW, Cameleer logo for light mode
+- `ui/public/logo-dark.svg` — NEW, Cameleer logo for dark mode
+
+## Customer Experience
+
+Customer sets `SAAS_ADMIN_USER` and `SAAS_ADMIN_PASS` in `.env`. After `docker compose up`:
+- Login to SaaS platform at `/platform/` with those credentials
+- Login to Logto console at port 3002 with the same credentials
+- Sign-in page shows Cameleer branding automatically