# RBAC and User Model

## Roles
- ROOT_SUPERADMIN (seeded, protected)
- SUPERADMIN
- ADMIN (staff)
- AGENT

Users may have multiple roles via `role_user`.

---

## ROOT Superadmin Rules
- Created via seeder
- `is_system = true`
- Must not be deletable via UI
- Has full permissions

---

## Superadmin NRIC Verification Layer
When system detects role SUPERADMIN / ROOT_SUPERADMIN:
- user provides email + password
- system requires NRIC verification
- NRIC is validated by comparing hash (NRIC never stored in plain form)

---

## Agent Pricing Governance
Agents must not key in pricing.
All pricing is handled by Admin-side calculations and stored in sales records.

---

## Recommended Security Hardening (Future)
- lock account after 5 failed attempts
- log failed NRIC attempts
- log successful logins
- optional cooldown after repeated failures