Access control
V1 access control is metadata only — enforced at build time by src/content/config.ts. V2 enforcement comes from the deployment hub or a hosting layer (Google IAP, IAM, repo permissions).
Pages
- Access control overview — current assumptions, what is and isn’t enforced.
- RBAC plan — 5-role model + per-role permission matrix.
- Approval workflow — draft → reviewed → approved lifecycle.