Open question carried by ADR-0022.
The read-only operator console ships with two accepted limitations:
- Shared console password — one bcrypt credential, not per-operator accounts.
- Operator-sees-all — the BFF dials Control as one operator-scoped peer, so a console view is not an audited per-human action (only the mutating CLI/SOAR path carries the NFR-SEC-45 per-actor audit), and the console projects every session with no per-operator scoping.
Lifting these requires per-operator console accounts and per-read attribution: distinct operator credentials at the BFF, an audited per-human read event, and optional per-operator scoping of the session projection.
Out of scope for the v1 read-surface contract; tracked here so the limitation is not later read as a defect.
Open question carried by ADR-0022.
The read-only operator console ships with two accepted limitations:
Lifting these requires per-operator console accounts and per-read attribution: distinct operator credentials at the BFF, an audited per-human read event, and optional per-operator scoping of the session projection.
Out of scope for the v1 read-surface contract; tracked here so the limitation is not later read as a defect.