Authentication & Access Control (medium complexity, extracted; confidence: 100%)
Components: 4 | Shared: 39 | User Stories: 0 | Analyzed: Yes

Description

Role-based access control enforces which screens, API endpoints, and data each authenticated user can reach based on their assigned role within their organization. The four roles - Peer Mentor, Coordinator, Organization Admin, and Global Admin - each have distinct access boundaries. The mobile app mounts only the navigation and screens belonging to the user's role via the Module Registry, while the backend validates role claims on every protected request. Users reaching surfaces outside their role see a dedicated no-access screen with clear redirection guidance.

Analysis

Business Value

RBAC is a prerequisite for every feature that distinguishes between peer mentor and coordinator workflows, making it a critical MVP requirement. Without it, coordinators cannot reach proxy registration or team reporting, and admins cannot access the admin portal. It also enforces the data isolation requirement that Global Admins must not have default access to any organization's operational data - a compliance and trust requirement stated explicitly by all three workshop organizations. Establishing correct role boundaries at MVP avoids a costly security refactor when higher-privilege roles and multi-organization scenarios are introduced in subsequent phases.

Implementation Notes

Role claims are embedded in the JWT access token as a standard array claim. Backend middleware reads and validates the claim on every protected endpoint before the handler executes; no role check is delegated to the application layer. The mobile app decodes the role from the token at session start and passes it to the Module Registry, which mounts only navigation items and screens authorized for that role. Role changes take effect at the next token refresh so promotions apply without a forced logout. The no-access screen is a static Flutter widget with a clear message and a deep link to the admin portal for users with no mobile role.
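The mechanism described above, as an added example that is not code from the project: a stdlib-only HS256 JWT verifier, a middleware decorator that validates the array role claim before the handler executes, an organization-scoped handler that gives a Global Admin no default access to operational data, and a Module Registry stand-in that mounts only the screens a role is entitled to (or the no-access screen). The backend language is not stated on the page, so Python is an assumption; the secret, claim names (`roles`, `org`, `exp`), role strings, screen names and request shape are all constructed for this example.

```python
import base64, hashlib, hmac, json, time
from functools import wraps

SECRET = b"constructed-demo-secret"  # constructed; a real issuer uses a managed signing key

# Constructed claim values for the four roles named in the feature description.
PEER_MENTOR, COORDINATOR, ORG_ADMIN, GLOBAL_ADMIN = (
    "peer_mentor", "coordinator", "org_admin", "global_admin")

# Constructed Module Registry: screens per role. Global Admin has no mobile surface,
# so it is absent here and falls through to the no-access screen.
SCREEN_REGISTRY = {
    PEER_MENTOR: ["home", "my_clients", "messages"],
    COORDINATOR: ["home", "my_clients", "messages", "proxy_registration", "team_report"],
    ORG_ADMIN: ["home", "org_settings", "team_report"],
}

class Unauthorized(Exception): pass  # token missing, malformed, expired or badly signed
class Forbidden(Exception): pass     # token valid, but the role claim does not permit this

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(roles, org_id=None, secret=SECRET, ttl=3600, now=None) -> str:
    """Constructed issuer stand-in so the example runs offline; 'roles' is the array claim."""
    now = int(time.time()) if now is None else now
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = {"roles": list(roles), "exp": now + ttl}
    if org_id is not None:
        payload["org"] = org_id
    body = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def verify_token(token: str, secret=SECRET, now=None) -> dict:
    """Pin the algorithm, check the signature, then expiry, before trusting any claim."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64, or bad JSON
        raise Unauthorized("malformed token")
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise Unauthorized("unexpected alg")  # the token never chooses the algorithm
    expected = hmac.new(secret, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise Unauthorized("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        raise Unauthorized("expired")
    if not isinstance(claims.get("roles"), list):
        raise Unauthorized("roles claim must be an array")
    return claims

def require_roles(*allowed):
    """Middleware: the role check runs here, before the handler, never inside it."""
    def decorator(handler):
        @wraps(handler)
        def wrapper(request, *args, **kwargs):
            auth = request.get("authorization", "")  # constructed request shape
            if not auth.startswith("Bearer "):
                raise Unauthorized("missing bearer token")
            claims = verify_token(auth[len("Bearer "):])
            if not set(claims["roles"]) & set(allowed):
                raise Forbidden(f"requires one of {sorted(allowed)}")
            return handler(request, claims, *args, **kwargs)
        return wrapper
    return decorator

@require_roles(COORDINATOR, ORG_ADMIN)
def team_report(request, claims, org_id):
    """Org-scoped data: the caller's org claim must match; Global Admin gets no default access."""
    if claims.get("org") != org_id:
        raise Forbidden("report belongs to another organization")
    return {"org": org_id, "rows": 3}  # constructed payload

def dispatch(handler, request, *args) -> int:
    """Map the middleware outcome to the HTTP status the client would see."""
    try:
        handler(request, *args)
        return 200
    except Unauthorized:
        return 401
    except Forbidden:
        return 403

def mount_modules(roles) -> list:
    """Mobile side: union of the screens for the user's roles, or the no-access screen."""
    screens = []
    for role in roles:
        for screen in SCREEN_REGISTRY.get(role, []):
            if screen not in screens:
                screens.append(screen)
    return screens or ["no_access"]
```

The algorithm is pinned server-side and the signature is checked before the body is parsed, so a token whose header says `none` or whose payload was edited never reaches the role comparison. Because the check lives in the decorator, a handler cannot forget it, which is what "no role check is delegated to the application layer" buys in practice.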

Components (43)

- User Interface (1)
- Service Layer (2)
- Data Layer (1)

Shared Components

These components are reused across multiple features.

User Stories

No user stories have been generated for this feature yet.