User Journey

An owner opens the console, finds a staff user, and cycles their role or suspends them. The change updates the user record, emits user.scope_changed on the shared bus, and appends to the audit log. Reviewing the role→permission matrix shows exactly what each role can do; reviewing active sessions shows who is currently in.

Because this console administers the foundation's existing session table and the shared access model, a role or scope change here is the access every other app honours — the same owner/viewer gate, the same per-credential scope, the same DOM-absent rule for unauthorized sessions. #44 is the one place that edits the rules everyone else enforces.