HttpOnly cookie session with CSRF protection for mutating browser requests.
Refresh tokens are stored hashed and can be revoked without touching purchase history.
Sensitive operator/admin flows require step-up authentication (a fresh, stronger proof of identity) before privileged access is granted.
Actor context and permission boundaries are checked server-side on every request.
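The session and CSRF posture described above, written out as an added example that is not the page's or the product's own code: the session id lives only in an HttpOnly, Secure cookie, a separate per-session CSRF token is handed to the page, and every mutating method (POST, PUT, PATCH, DELETE) must echo that token in a header. The in-memory session table, the cookie name "sid" and the header name "X-CSRF-Token" are assumptions of this example.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed in-memory session table (session id -> Session). The store, the
# cookie name "sid" and the "X-CSRF-Token" header are assumptions for this example.
SESSIONS: dict = {}

# Methods that change server state and therefore need the CSRF token.
MUTATING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class Session:
    member_id: str
    csrf_token: str


@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def create_session(member_id: str) -> tuple:
    """Start a browser session and return (Set-Cookie value, CSRF token).

    The session id travels only in an HttpOnly, Secure cookie, so page script
    cannot read it. The CSRF token is handed to the page separately and must
    be echoed back in a header on every mutating request; a cross-site form
    post carries the cookie automatically but cannot produce that header.
    """
    sid = secrets.token_urlsafe(32)
    csrf = secrets.token_urlsafe(32)
    SESSIONS[sid] = Session(member_id=member_id, csrf_token=csrf)
    cookie = f"sid={sid}; HttpOnly; Secure; SameSite=Lax; Path=/"
    return cookie, csrf


def authenticate(req: Request) -> Optional[Session]:
    """Resolve the session from the cookie alone, never from a header or body."""
    sid = req.cookies.get("sid")
    return SESSIONS.get(sid) if sid else None


def check_csrf(req: Request, session: Session) -> bool:
    """Safe methods pass; mutating methods need a header token matching the session.

    compare_digest keeps the comparison constant-time, so timing differences
    do not leak how many leading bytes of a guessed token were right.
    """
    if req.method not in MUTATING_METHODS:
        return True
    presented = req.headers.get("X-CSRF-Token", "")
    return hmac.compare_digest(presented.encode(), session.csrf_token.encode())


def handle(req: Request) -> tuple:
    """Minimal dispatcher: 401 without a session, 403 on a CSRF failure, else 200."""
    session = authenticate(req)
    if session is None:
        return 401, "no session"
    if not check_csrf(req, session):
        return 403, "csrf check failed"
    return 200, f"ok for {session.member_id}"


def session_id_from_cookie(set_cookie: str) -> str:
    """Pull the sid out of a Set-Cookie value (what the browser would store)."""
    return set_cookie.split(";", 1)[0].split("=", 1)[1]
```

The check that matters is the second POST case: a forged cross-site form submission arrives with the cookie (the browser attaches it) but without the header, so it is refused even though the session itself is valid.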
Review browser sessions, refresh-token posture, password protection, step-up readiness, and actor boundaries without exposing raw secrets.
Password material is never shown and reset flows remain audit-aware.
Agent API keys are not account passwords and are managed in the Operator control plane.
The browser cannot become an operator, admin, or agent by sending client-side role claims.
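How the two boundaries above fit together on the server (the step-up requirement for sensitive and operator/admin flows, and the rule that a client-side role claim can never promote the browser), as an added example rather than the product's own code. The actor's role is read from the server-side session record that was populated at login; the request body is never consulted for it. The route table, the 300-second step-up freshness window and the session/request shapes are assumptions of this example.

```python
import time
from dataclasses import dataclass
from typing import Optional

# Assumed freshness window: a step-up proof older than this must be repeated.
STEP_UP_WINDOW_SECONDS = 300


@dataclass
class ServerSession:
    member_id: str
    role: str                           # copied from the account record at login
    step_up_at: Optional[float] = None  # time of the last completed stronger proof, or None


@dataclass
class Request:
    session_id: Optional[str]
    body: dict  # whatever the browser sent, including any "role" it tries to claim


@dataclass
class Decision:
    status: int
    reason: str


# Assumed route table: path -> (roles allowed, step-up required). Everything
# under /admin is an operator/admin flow; sensitive account changes by any
# role also demand fresh step-up before they continue.
ROUTES = {
    "/account/profile": ({"member", "operator", "admin"}, False),
    "/account/email":   ({"member", "operator", "admin"}, True),
    "/admin/refunds":   ({"operator", "admin"}, True),
    "/admin/members":   ({"admin"}, True),
}


def actor_context(sessions: dict, req: Request) -> Optional[ServerSession]:
    """The actor is whoever the server-side session says it is. req.body is
    deliberately never consulted, so a client-supplied role claim is inert."""
    if req.session_id is None:
        return None
    return sessions.get(req.session_id)


def step_up_fresh(session: ServerSession, now: float) -> bool:
    return session.step_up_at is not None and now - session.step_up_at <= STEP_UP_WINDOW_SECONDS


def authorize(sessions: dict, req: Request, path: str, now: Optional[float] = None) -> Decision:
    now = time.time() if now is None else now
    actor = actor_context(sessions, req)
    if actor is None:
        return Decision(401, "no session")
    route = ROUTES.get(path)
    if route is None:
        return Decision(404, "unknown route")
    allowed_roles, needs_step_up = route
    if actor.role not in allowed_roles:
        return Decision(403, "role boundary")
    if needs_step_up and not step_up_fresh(actor, now):
        return Decision(403, "step_up_required")
    return Decision(200, f"{actor.role} {actor.member_id}")


def record_step_up(session: ServerSession, now: float) -> None:
    """Called only after the stronger proof (re-auth, second factor) succeeded."""
    session.step_up_at = now


def mark_step_up_required(session: ServerSession) -> None:
    """Invalidate any earlier proof so the next sensitive change must re-prove."""
    session.step_up_at = None
```

Two outcomes are worth noting: a member session that sends {"role": "admin"} in the body still gets "role boundary" on an admin route, and an operator whose step-up proof has aged past the window is sent back for a fresh proof rather than being granted on the stale one.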
Keeps this browser signed in while invalidating every other refresh-token chain on the account.
Marks sensitive account changes as step-up required before they continue.
Exports a member-safe security record without raw tokens or secrets.
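The refresh-token posture described on this page (hashed storage, one chain per signed-in device, "keep this browser, revoke the others", and an export that carries no raw tokens), as an added example that is not the product's own code. Only a SHA-256 digest of each token is stored, so a copy of the table yields nothing a client could present; rotation drops the old digest so a rotated token cannot be replayed; the store holds only session state, so revoking chains leaves purchase history untouched. The in-memory store, chain ids and device labels are assumptions of this example.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional


def fingerprint(token: str) -> str:
    """Only this digest is persisted; a database leak yields no usable token."""
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class Chain:
    chain_id: str        # one chain per signed-in browser/device
    member_id: str
    device_label: str
    current_hash: str    # digest of the only refresh token this chain will accept
    revoked: bool = False


class RefreshStore:
    """Constructed in-memory store; a real one would be a database table."""

    def __init__(self) -> None:
        self.chains = {}   # chain_id -> Chain
        self.by_hash = {}  # current_hash -> chain_id

    def issue(self, member_id: str, device_label: str) -> tuple:
        """Start a new chain at login; return (chain_id, raw token) to the client."""
        token = secrets.token_urlsafe(32)
        chain = Chain(secrets.token_urlsafe(8), member_id, device_label, fingerprint(token))
        self.chains[chain.chain_id] = chain
        self.by_hash[chain.current_hash] = chain.chain_id
        return chain.chain_id, token

    def rotate(self, presented: str) -> Optional[tuple]:
        """Exchange a live refresh token for a new one on the same chain.

        The presented token is looked up by digest; the old digest is dropped
        so the token cannot be replayed after rotation.
        """
        chain_id = self.by_hash.pop(fingerprint(presented), None)
        if chain_id is None:
            return None
        chain = self.chains[chain_id]
        if chain.revoked:
            return None
        token = secrets.token_urlsafe(32)
        chain.current_hash = fingerprint(token)
        self.by_hash[chain.current_hash] = chain_id
        return chain_id, token

    def revoke_other_chains(self, member_id: str, keep_chain_id: str) -> int:
        """Sign out every other device while this browser stays signed in."""
        count = 0
        for chain in self.chains.values():
            if chain.member_id == member_id and chain.chain_id != keep_chain_id and not chain.revoked:
                chain.revoked = True
                self.by_hash.pop(chain.current_hash, None)
                count += 1
        return count

    def security_record(self, member_id: str) -> list:
        """Member-safe export: chain ids and device labels, never hashes or tokens."""
        return [
            {"chain_id": c.chain_id, "device": c.device_label, "revoked": c.revoked}
            for c in self.chains.values()
            if c.member_id == member_id
        ]
```

The raw token exists only in the return value of issue and rotate; nothing in the store's state contains it, which is what "stored hashed" buys you. The export deliberately omits even the digests, since a digest identifies which row a leaked token belongs to and the member gains nothing from seeing it.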