We've replaced the blunt "admin / not admin" toggle with a proper role + permission system. Admins can now grant exactly the surfaces a person needs (Moderator, Finance, Support, etc.) without handing them the keys to everything.

The same machinery powers an Operator PIN gate on sensitive actions — bulk money movements, role grants, and account deletions all prompt for a 6-digit PIN even after sign-in. Founders are protected from accidental self-lockout.