Soft-delete a KYC user (sets is_active=False).

Does not touch kyc_status or the Sumsub applicant. Deactivated users are hidden from the default GET /lists response unless the caller passes include_inactive=true. Idempotent: re-deactivating an already-inactive user is a no-op success.

require_client_permissions enforces allowed_roles only for client_user actors; the explicit role guard below also rejects client_api callers whose credential role is not Owner.