feat: implement RBAC permissions system

Add role-based access control with hierarchy: super_admin > team_admin >
engineer > viewer. Adds is_super_admin boolean to User model (migration 010),
centralized backend permissions module, frontend usePermissions hook, and
UI enforcement (conditional Create/Edit buttons, editor redirect for viewers,
role badge in header). All endpoint admin checks updated from role=="admin"
to is_super_admin.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

backend/app/api/endpoints/trees.py

@@ -53,6 +53,7 @@ def build_tree_response(tree: Tree) -> TreeListResponse:
         category_info=category_info,
         tags=tree.tag_names,
         author_id=tree.author_id,
+        team_id=tree.team_id,
         is_active=tree.is_active,
         is_public=tree.is_public,
         is_default=tree.is_default,
@@ -250,7 +251,7 @@ async def get_tree(
         tree.is_public or
         tree.author_id == current_user.id or
         (tree.team_id == current_user.team_id and current_user.team_id is not None) or
-        current_user.role == "admin"
+        current_user.is_super_admin
     )
     if not tree.is_active or not can_access:
         raise HTTPException(
@@ -274,7 +275,7 @@ async def create_tree(
     - tags: List of tag names to assign (creates new tags if needed)
     """
     # Only admins can create default/system trees
-    is_default = tree_data.is_default and current_user.role == "admin"
+    is_default = tree_data.is_default and current_user.is_super_admin
 
     # Verify category exists if provided
     if tree_data.category_id:
@@ -288,7 +289,7 @@ async def create_tree(
                 detail="Category not found"
             )
         # Check category access
-        if category.team_id and category.team_id != current_user.team_id and current_user.role != "admin":
+        if category.team_id and category.team_id != current_user.team_id and not current_user.is_super_admin:
             raise HTTPException(
                 status_code=status.HTTP_403_FORBIDDEN,
                 detail="You don't have access to this category"
@@ -310,7 +311,7 @@ async def create_tree(
 
     # Handle tags
     if tree_data.tags:
-        tree_team_id = new_tree.team_id or (current_user.team_id if current_user.role != "admin" else None)
+        tree_team_id = new_tree.team_id or (current_user.team_id if not current_user.is_super_admin else None)
 
         # Collect tags to add
         tags_to_add = []
@@ -401,7 +402,7 @@ async def update_tree(
     # Check if user can edit: must be author, team admin for team trees, or global admin
     can_edit = (
         tree.author_id == current_user.id or
-        current_user.role == "admin" or
+        current_user.is_super_admin or
         (current_user.is_team_admin and tree.team_id == current_user.team_id)
     )
     if not can_edit:
@@ -425,7 +426,7 @@ async def update_tree(
                 status_code=status.HTTP_404_NOT_FOUND,
                 detail="Category not found"
             )
-        if category.team_id and category.team_id != current_user.team_id and current_user.role != "admin":
+        if category.team_id and category.team_id != current_user.team_id and not current_user.is_super_admin:
             raise HTTPException(
                 status_code=status.HTTP_403_FORBIDDEN,
                 detail="You don't have access to this category"
@@ -455,7 +456,7 @@ async def update_tree(
         )
 
         # Add new tags
-        tree_team_id = tree.team_id or (current_user.team_id if current_user.role != "admin" else None)
+        tree_team_id = tree.team_id or (current_user.team_id if not current_user.is_super_admin else None)
         added_tag_ids = set()
 
         for tag_name in tags_data: