Implement server-authoritative roles and Shift+Z admin flows

docs/runtime-flow.md

@@ -9,6 +9,7 @@
    - includes `authPolicy` limits for username/password.
 5. Client sends `auth_login`, `auth_register`, or `auth_resume`.
 6. Server sends `auth_result`.
+   - includes role + permissions for authenticated session.
 7. Server sends `welcome` with users/items snapshot.
 8. Client:
    - applies `welcome.worldConfig.gridSize` for authoritative grid bounds/rendering
@@ -44,6 +45,10 @@ Core incoming message effects:
 - `signal`: WebRTC negotiation and ICE exchange.
 - `auth_required`: prompt client to authenticate before gameplay messages.
 - `auth_result`: auth success/failure with optional session token + account metadata + `authPolicy`.
+- `auth_permissions`: live permission refresh (role + permission set) after role/permission admin changes.
+- `admin_roles_list`: role metadata + user counts + permission keys for role management UI.
+- `admin_users_list`: user metadata list for role/ban admin flows.
+- `admin_action_result`: success/error for role/user admin mutations.
 - `update_position`: update peer position; may play movement/teleport world sound.
 - `teleport_complete`: play peer teleport landing sound at final tile.
 - `update_nickname`: update peer display name.
@@ -67,6 +72,12 @@ Core incoming message effects:
 - If reconnect lands on a different `welcome.serverInfo.instanceId`, client announces server restart.
 - Connect/reconnect status message is emitted from `welcome` and includes server version.
 
+## Authorization Runtime
+
+- Server enforces item/chat/nickname/voice/admin permissions for each packet.
+- Role and permission changes apply live to connected users without reconnect.
+- `voice.send` revocation is pushed immediately via `auth_permissions`; client mutes outbound voice track.
+
 ## Disconnect/Cleanup
 
 On disconnect: