chore(semantic): checkpoint remediation progress

backend/src/api/routes/admin.py

@@ -4,8 +4,8 @@
 # @SEMANTICS: api, admin, users, roles, permissions
 # @PURPOSE:   Admin API endpoints for user and role management.
 # @LAYER:     API
-# @RELATION:  USES -> backend.src.core.auth.repository.AuthRepository
-# @RELATION:  USES -> backend.src.dependencies.has_permission
+# @RELATION:  [USES] ->[backend.src.core.auth.repository.AuthRepository]
+# @RELATION:  [USES] ->[backend.src.dependencies.has_permission]
 #
 # @INVARIANT: All endpoints in this module require 'Admin' role or 'admin' scope.
 
@@ -36,6 +36,7 @@ router = APIRouter(prefix="/api/admin", tags=["admin"])
 # [/DEF:router:Variable]
 
 # [DEF:list_users:Function]
+# @TIER: STANDARD
 # @PURPOSE: Lists all registered users.
 # @PRE:     Current user has 'Admin' role.
 # @POST:    Returns a list of UserSchema objects.
@@ -52,6 +53,7 @@ async def list_users(
 # [/DEF:list_users:Function]
 
 # [DEF:create_user:Function]
+# @TIER: STANDARD
 # @PURPOSE: Creates a new local user.
 # @PRE:     Current user has 'Admin' role.
 # @POST:    New user is created in the database.
@@ -89,6 +91,7 @@ async def create_user(
 # [/DEF:create_user:Function]
 
 # [DEF:update_user:Function]
+# @TIER: STANDARD
 # @PURPOSE: Updates an existing user.
 @router.put("/users/{user_id}", response_model=UserSchema)
 async def update_user(
@@ -123,6 +126,7 @@ async def update_user(
 # [/DEF:update_user:Function]
 
 # [DEF:delete_user:Function]
+# @TIER: STANDARD
 # @PURPOSE: Deletes a user.
 @router.delete("/users/{user_id}", status_code=status.HTTP_204_NO_CONTENT)
 async def delete_user(
@@ -146,6 +150,7 @@ async def delete_user(
 # [/DEF:delete_user:Function]
 
 # [DEF:list_roles:Function]
+# @TIER: STANDARD
 # @PURPOSE: Lists all available roles.
 # @RETURN:  List[RoleSchema] - List of roles.
 # @RELATION: CALLS -> backend.src.models.auth.Role
@@ -159,6 +164,7 @@ async def list_roles(
 # [/DEF:list_roles:Function]
 
 # [DEF:create_role:Function]
+# @TIER: STANDARD
 # @PURPOSE: Creates a new system role with associated permissions.
 # @PRE:     Role name must be unique.
 # @POST:    New Role record is created in auth.db.
@@ -196,6 +202,7 @@ async def create_role(
 # [/DEF:create_role:Function]
 
 # [DEF:update_role:Function]
+# @TIER: STANDARD
 # @PURPOSE: Updates an existing role's metadata and permissions.
 # @PRE:     role_id must be a valid existing role UUID.
 # @POST:    Role record is updated in auth.db.
@@ -240,6 +247,7 @@ async def update_role(
 # [/DEF:update_role:Function]
 
 # [DEF:delete_role:Function]
+# @TIER: STANDARD
 # @PURPOSE: Removes a role from the system.
 # @PRE:     role_id must be a valid existing role UUID.
 # @POST:    Role record is removed from auth.db.
@@ -266,6 +274,7 @@ async def delete_role(
 # [/DEF:delete_role:Function]
 
 # [DEF:list_permissions:Function]
+# @TIER: STANDARD
 # @PURPOSE: Lists all available system permissions for assignment.
 # @POST:    Returns a list of all PermissionSchema objects.
 # @PARAM:   db (Session) - Auth database session.
@@ -291,6 +300,7 @@ async def list_permissions(
 # [/DEF:list_permissions:Function]
 
 # [DEF:list_ad_mappings:Function]
+# @TIER: STANDARD
 # @PURPOSE: Lists all AD Group to Role mappings.
 @router.get("/ad-mappings", response_model=List[ADGroupMappingSchema])
 async def list_ad_mappings(
@@ -302,6 +312,7 @@ async def list_ad_mappings(
 # [/DEF:list_ad_mappings:Function]
 
 # [DEF:create_ad_mapping:Function]
+# @TIER: STANDARD
 # @PURPOSE: Creates a new AD Group mapping.
 @router.post("/ad-mappings", response_model=ADGroupMappingSchema)
 async def create_ad_mapping(