Grant Or Revoke Staff
A5 — grant a staff_role (body.staff_role set) or revoke (null).
staff:admin only (this endpoint’s own dependency, on top of the router- level “any staff” floor). Audited via write_audit against the ACTING admin’s own workspace_id — audit_log.workspace_id is NOT NULL and there is no workspace-agnostic anchor for a staff-global action; this is a deliberate, documented choice (see E1 report), not an oversight.
Grants require an existing user_id: PG’s staff_profiles.user_id has a FK to users(id), so granting to an unknown user_id would otherwise 500 with a raw FK violation on Postgres while the memory store happily created a dangling row — checked here so both backends return the same clean 404.