Default-deny access model with admin grant/revoke via new User Access
tab. /api/clients filters by user grants; client-scoped endpoints
enforce access server-side. Admin role and client grants persist in
user_access.json with audit trail in usage logs.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
