Workspace setup
Configuration here should support operational trust, not distract from the core loops.
Default tenant/site
Currently sourced from runtime config for demo wiring.
Role controls
Later phases should align permission boundaries with real field workflows.