Admin & Access Console · Documentation
Architecture
Admin & Access Console's pipeline, its owned data, the events it emits/consumes, and what is out of scope.
Surface + gate
An owner-only console (the shared ConsoleShell in owner-only mode): OPERATE (users + sessions) · CONFIGURE (roles + SSO) · Audit. For a non-owner the shell renders a gate and the privileged content is never sent to the browser — the gated-content invariant the whole platform shares.
Owned data + administered core
Owns the user and role config it manages here (demo_eco_c8_user_account, demo_eco_c8_role) and administers the foundation's existing session table rather than duplicating auth (a recorded decision). The data invariant holds in the strongest form: the entire app is owner-only — viewers and guests get no rows and no DOM — and all writes are canonical and setWhere-guarded.
Events, no metering
Emits user.scope_changed on a role change. There is no metered model stage and no cost ledger row — the console is deterministic and $0. SSO is simulated and labelled (universal owner credential, no 2FA; real SAML/OIDC in Stage-2).
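An added example, not the console's own code: a minimal in-memory model of the invariants described above (server-side gate, guarded write, user.scope_changed emitted on a role change). The function names (renderConsole, updateWhere, changeRole), the sample rows and the event payload fields are hypothetical, and the conditional update is an assumed reading of "setWhere-guarded".

```javascript
// Added example: in-memory model of the owner-only invariant. All names
// (renderConsole, updateWhere, changeRole, the rows) are hypothetical.
// `actor` is assumed to come from the server-side session, never the client.
const users = [ // constructed sample data
  { id: "u1", name: "Synthetic Owner", role: "owner" },
  { id: "u2", name: "Synthetic Viewer", role: "viewer" },
];
const events = [];

// Server-side gate: the response body is built per caller, so a
// non-owner payload contains the gate only, never hidden rows.
function renderConsole(actor) {
  if (!actor || actor.role !== "owner") {
    return { view: "gate", rows: [] };
  }
  return { view: "console", rows: users.map((u) => ({ ...u })) };
}

// Guarded write: only rows matching the predicate are updated, and the
// caller learns how many rows changed. Zero means nothing was written.
function updateWhere(predicate, patch) {
  let changed = 0;
  for (const row of users) {
    if (predicate(row)) { Object.assign(row, patch); changed++; }
  }
  return changed;
}

function changeRole(actor, targetId, newRole) {
  // Authorization is re-checked on the write path, not inferred from the UI.
  if (!actor || actor.role !== "owner") return { ok: false, reason: "forbidden" };
  const before = users.find((u) => u.id === targetId);
  if (!before) return { ok: false, reason: "not_found" };
  const oldRole = before.role;
  if (oldRole === newRole) return { ok: true, changed: 0 };
  // The predicate pins both the id and the role that was read, so a
  // concurrent change turns this write into a no-op, not an overwrite.
  const changed = updateWhere((u) => u.id === targetId && u.role === oldRole, { role: newRole });
  if (changed === 1) {
    events.push({ type: "user.scope_changed", userId: targetId, from: oldRole, to: newRole, by: actor.id });
  }
  return { ok: changed === 1, changed };
}
```

The check worth carrying into a real test suite is the one on the serialized non-owner response: it should contain no privileged field at all, which is a stronger property than the UI not displaying it.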
Out of scope (simulated + labelled)
Users, sessions and the IdP are synthetic and labelled; there is no real authentication provider, no real PII, and no real device telemetry. In Stage-2 the same method surface maps to the real session repository and a real IdP connection with no UI change.