# Halo Bestie — Control Center

React + Vite SPA for internal platform management. **Internal use only.**

> See root `CLAUDE.md` for full project context and architectural decisions.

## Stack

- **Framework:** React + Vite
- **Auth:** Self-managed (see root `CLAUDE.md` — Phase 3.4). Email + bcrypt password via `POST /internal/auth/login`. Access token lives in memory (React `AuthContext`); refresh token in an `httpOnly` Secure cookie (`cc_refresh_token`). All API calls must send `credentials: 'include'`. Admin-only provisioning — no public signup, no password-reset flow.
- **API:** Calls internal Fastify listener only (`/internal/` routes on port 3001)
- **Access:** Internal network / VPN only — never exposed to public internet

## Security

- This app and its backend routes must NEVER be accessible from the public internet
- Protected at network level: Nginx `allow 10.0.0.0/8; deny all;`
- Additional role check on every API call (`role: admin`)
- Do not add any public-facing routes or features here

## Key Responsibilities

- Manage and approve mitra accounts
- Configure platform settings
- Monitor sessions and payments
- Manage communication between mitra and client (escalation, disputes)
- Manage trial period configuration
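
The Auth notes under Stack, sketched as a fetch wrapper (an added example, not the project's own code): the access token stays in a closure, every call sends `credentials: 'include'`, and a 401 triggers one shared refresh before a single retry. The refresh route, the `accessToken` response field and the Bearer header scheme are assumptions; only the login route and the cookie name come from this README.

```javascript
// ASSUMPTIONS (hypothetical, not from the project): REFRESH_PATH, the
// `accessToken` field in the refresh response, and the Bearer scheme.
const REFRESH_PATH = '/internal/auth/refresh';

function createApiClient(fetchImpl = globalThis.fetch) {
  let accessToken = null;      // memory only: never localStorage/sessionStorage
  let refreshInFlight = null;  // shared promise so parallel 401s refresh once

  async function refresh() {
    // The browser attaches the httpOnly cc_refresh_token cookie itself;
    // JavaScript never reads it.
    const res = await fetchImpl(REFRESH_PATH, { method: 'POST', credentials: 'include' });
    if (!res.ok) { accessToken = null; throw new Error('session expired'); }
    accessToken = (await res.json()).accessToken;
  }

  function refreshOnce() {
    if (!refreshInFlight) {
      refreshInFlight = refresh().finally(() => { refreshInFlight = null; });
    }
    return refreshInFlight;
  }

  async function request(path, init = {}) {
    // Keep the SPA pinned to the internal listener's route prefix.
    if (!path.startsWith('/internal/')) {
      throw new Error('Control Center may only call /internal/ routes');
    }
    const send = () => fetchImpl(path, {
      ...init,
      credentials: 'include',
      headers: {
        ...init.headers,
        ...(accessToken ? { Authorization: `Bearer ${accessToken}` } : {}),
      },
    });
    let res = await send();
    if (res.status === 401) {  // token missing or expired: refresh, retry once
      await refreshOnce();
      res = await send();
    }
    return res;
  }

  // setAccessToken is called with the token returned by the login request.
  return { request, setAccessToken: (t) => { accessToken = t; } };
}
```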