ADR-016: Tenant-Facing Chat App
Status: Accepted
Owner: @bilal @deen
Date: 2026-02-12
Context
Tenants currently interact via WhatsApp and Voice webhooks. We need a web-based chat interface where tenants can log in, chat with the AI assistant, view history, and upload files — without needing WhatsApp.
Key Requirements
- Tenants authenticate via phone/email OTP (no passwords)
- Reuses existing tenant-engine and RAG pipeline
- Must not interfere with landlord dashboard
- Should be extractable to standalone app later
- Dev mode: impersonate any tenant (skip OTP)
Decision
Co-located Route Group
Chat app lives inside envo-dashboard as app/(chat)/, sharing Supabase, Prisma, and the tenant-engine. Clear import boundaries ensure extractability:
- Chat imports from: lib/, components/ui/, components/chat/
- Chat never imports from: dashboard pages, GraphQL layer, org/user contexts
Authentication
- Production: Supabase Phone/Email OTP → 6-digit code → TenantProvider matches auth to tenant record
- Development: Cookie-based tenant impersonation
API Design
REST endpoints under /api/chat/ (not GraphQL — simpler for focused chat):
| Endpoint | Method | Purpose |
|---|---|---|
| /api/chat/me | GET | Authenticated tenant profile |
| /api/chat/send | POST | Send message (calls processInboundMessage) |
| /api/chat/conversations | GET | Tenant's conversation list |
| /api/chat/conversations/[id] | GET | Single conversation with messages |
| /api/chat/upload | POST | File upload to Supabase Storage |
| /api/chat/dev/tenants | GET | List all tenants (dev only) |
| /api/chat/dev/impersonate | POST/DELETE | Set/clear dev cookie |
AI Integration
Reuses processInboundMessage() with channel: 'CHAT', provider: 'generic'. No new AI logic needed.
Middleware
Chat routes redirect unauthenticated users to /chat/login (not /login). Dashboard routes are unchanged. /api/chat/* endpoints handle their own auth.
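The sketch below shows one way the per-endpoint auth described under Authentication and Middleware can keep the impersonation cookie dev-only. It is an added example, not code from envo-dashboard. The cookie name, the type and function names, the sample tenants, and the choice to answer 404 on /api/chat/dev/* outside development are all assumptions.

```typescript
// Added example; every name here is hypothetical, not taken from the code base.
type Tenant = { id: string; phone?: string; email?: string };
type AuthUser = { phone?: string; email?: string }; // identity from a verified OTP session
type AuthInput = {
  nodeEnv: string; // value of NODE_ENV, passed in so the logic is testable
  cookies: Record<string, string | undefined>; // parsed request cookies
  user: AuthUser | null; // null when there is no valid session
};
type AuthResult =
  | { ok: true; tenant: Tenant; via: "otp" | "dev-cookie" }
  | { ok: false; status: 401 | 403 };

const DEV_COOKIE = "dev_tenant_id"; // assumed cookie name

// Fail closed: only the exact value "development" enables dev features,
// so an unset or misspelled NODE_ENV behaves like production.
function devModeEnabled(nodeEnv: string): boolean {
  return nodeEnv === "development";
}

// Guard for /api/chat/dev/*: outside development the routes answer 404 (assumed).
function guardDevRoute(nodeEnv: string): { ok: true } | { ok: false; status: 404 } {
  return devModeEnabled(nodeEnv) ? { ok: true } : { ok: false, status: 404 };
}

// Tenant resolution shared by /api/chat/* handlers.
function resolveTenant(input: AuthInput, tenants: Tenant[]): AuthResult {
  const devId = input.cookies[DEV_COOKIE];
  if (devId !== undefined && devModeEnabled(input.nodeEnv)) {
    const t = tenants.find((x) => x.id === devId);
    return t ? { ok: true, tenant: t, via: "dev-cookie" } : { ok: false, status: 403 };
  }
  // Outside development the dev cookie is never consulted, even if present.
  const u = input.user;
  if (u === null) return { ok: false, status: 401 };
  const t = tenants.find(
    (x) =>
      (u.phone !== undefined && x.phone === u.phone) ||
      (u.email !== undefined && x.email === u.email),
  );
  return t ? { ok: true, tenant: t, via: "otp" } : { ok: false, status: 403 };
}

// Constructed sample tenants for the checks.
const SAMPLE_TENANTS: Tenant[] = [
  { id: "t1", phone: "+15550100" },
  { id: "t2", email: "tenant2@example.test" },
];
```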
Consequences
Positive
- Direct web channel without WhatsApp dependency
- Full AI pipeline reuse — no duplication
- Route group isolation keeps chat and dashboard independent
- Dev impersonation enables fast iteration
Negative
- Shared deployment (chat and dashboard scale together)
- Two auth flows in one app
- Cookie-based dev auth is dev-only (intentionally)
Risks
- OTP requires Supabase phone/email provider configuration
- Rate limiting is in-memory (resets on deploy — acceptable for MVP)