feat: implement RBAC permissions system

Add role-based access control with hierarchy: super_admin > team_admin >
engineer > viewer. Adds is_super_admin boolean to User model (migration 010),
centralized backend permissions module, frontend usePermissions hook, and
UI enforcement (conditional Create/Edit buttons, editor redirect for viewers,
role badge in header). All endpoint admin checks updated from role=="admin"
to is_super_admin.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

backend/app/api/deps.py

@@ -75,11 +75,11 @@ async def get_current_active_user(
 async def require_admin(
     current_user: Annotated[User, Depends(get_current_active_user)]
 ) -> User:
-    """Require admin role."""
-    if current_user.role != "admin":
+    """Require super admin access."""
+    if not current_user.is_super_admin:
         raise HTTPException(
             status_code=status.HTTP_403_FORBIDDEN,
-            detail="Admin access required"
+            detail="Super admin access required"
         )
     return current_user
 
@@ -87,8 +87,10 @@ async def require_admin(
 async def require_engineer_or_admin(
     current_user: Annotated[User, Depends(get_current_active_user)]
 ) -> User:
-    """Require engineer or admin role."""
-    if current_user.role not in ("admin", "engineer"):
+    """Require engineer, team admin, or super admin role (blocks viewers)."""
+    if current_user.is_super_admin:
+        return current_user
+    if current_user.role not in ("engineer",):
         raise HTTPException(
             status_code=status.HTTP_403_FORBIDDEN,
             detail="Engineer or admin access required"