chore: sync submodule state (parent ref update)

Made-with: Cursor

docs/admin-console-frontend-plan.md

@@ -1097,6 +1097,36 @@
 
 ---
 
+#### Task 4.8: Org-Level Security and Audit Panel (Phase 4/6)
+**Purpose:** Single place to see "who has what role across all projects" and to view central audit log (who asked what agent/tool to do what, when, outcome). Aligns with [MASTER_PLAN](../../../docs/00-meta/MASTER_PLAN.md) §2.4 and central audit API (dbis_core `/api/admin/central/audit`).
+
+**Subtasks:**
+- **Global identity list:**
+  - Table: Identity (email/ID), Roles (badges), Projects/Services (list), Last active
+  - Search by identity or role
+  - Filter by project, service
+  - Link to role matrix
+- **Role matrix:**
+  - Rows: roles (e.g. DBIS Admin, SCB Admin, Portal Admin)
+  - Columns: resources/permissions (e.g. gru:write, corridor:read, audit:export)
+  - Cell: granted (check) or —
+  - Read-only for viewers; editable for super-admin (when backend supports)
+- **Central audit viewer:**
+  - Consume GET `/api/admin/central/audit` (dbis_core) with query params: project, service, actorId, action, from, to, limit
+  - Table columns: Timestamp, Actor (ID/email), Action, Resource type, Resource ID, Project, Service, Outcome
+  - Filters: project, service, user, action, date range
+  - Export (CSV/JSON) using backend export when available
+  - Permission: only users with `admin:audit:read` or equivalent
+
+**Deliverables:**
+- Security & Identity nav item (route /dbis/security) shows global identity list and role matrix
+- Audit & Governance nav item (route /dbis/audit) shows central audit viewer
+- Backend: use existing central audit API; add permission check for audit read
+
+**Estimated Time:** 1 week (when DBIS console is built)
+
+---
+
 ### Phase 5: SCB Admin Console Screens (3 Tasks)
 
 #### Task 5.1: SCB Overview Dashboard