Secure staff access is live.
Local auth, sessions, roles, and per-user permission overrides are already active in this build. Admins now complete authenticator verification before they can reach the protected console.
Local auth
Role + permission model
Session-backed access
Admin MFA
Staff sign-in
Seed credentials can still bootstrap access through npm run db:seed, but users flagged for rotation are now forced through an in-app password reset before they can reach the console.