feat: add admin console and app-admin access management

CHANGELOG.md

@@ -12,6 +12,8 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 - Added a first-run admin bootstrap flow with `/api/admin/bootstrap/status` and `/api/admin/bootstrap/claim` so the initial application-admin account can be claimed safely.
 - Added `bootstrap-token` and `bootstrap-enabled` environment/config support, plus setup docs and operational checklist updates for first-run admin provisioning.
 - Added authenticated UI admin-badge visibility by exposing `isAdmin` on shared session/auth payloads.
+- Added a dedicated read-only `Admin Console` page with analytics summary and billing workspace support visibility tools.
+- Added app-admin access management APIs and UI for list/add/reactivate/disable actions, with last-active-admin lockout guardrails and audit events.
 
 ### Changed
 - Replaced env-only billing-admin authorization with application-admin checks backed by database records, while keeping env allowlist fallback support for rollout safety.
@@ -22,6 +24,9 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
 - Updated README and TODO planning docs for phased admin-console rollout and the first-run operational checklist.
 - Hardened pending-downgrade lifecycle handling so Stripe-scheduled downgrades are preserved in billing state and apply automatically when the effective date is reached.
 - Clarified post-downgrade quota messaging in enforcement, account UI, and admin billing detail so over-limit behavior is explicit after scheduled plan changes.
+- Refocused the account page on user self-service while moving admin billing tooling into `Admin Console`, with admin-only navigation.
+- Updated deployment Compose wiring so services can attach to a shared external `locale-all` network.
+- Marked `Admin Console` Phase A and Phase B implementation progress in the pricing TODO tracker.
 
 ## [2026-05-22]