Users & roles

Invite team members and assign roles: owner, finance, account_manager, production, admin. Role changes take effect for trusted-plane authorization — not session-based (Arch §6). Every change is audited.

Full implementation deferred to the auth + provisioning phase.