# Domain Glossary

## Core Terms

### Owner

Highest-privilege admin role. Exactly one canonical owner must exist at all times.

### Support User

Hidden technical support account used for break-glass access and operational recovery.

### Admin Registration Policy

Runtime policy controlling whether `/register` can create additional admin users after owner bootstrap.

### Protected Account

Account that cannot be deleted/demoted through self-service flows (support + canonical owner).

### CRUD Service

Shared `@cms/crud` service abstraction combining schema validation, repository orchestration, and audit hooks.

### Permission Scope

RBAC access scope granularity: `own`, `team`, `global`.

### Roadmap Source Of Truth

`TODO.md` in repository root. Rendered in admin via `/todo`.

### Header Banner

Public-site announcement strip configured through `system_setting` key `public.header_banner`.