feat: implement RBAC permissions system

Add role-based access control with hierarchy: super_admin > team_admin >
engineer > viewer. Adds is_super_admin boolean to User model (migration 010),
centralized backend permissions module, frontend usePermissions hook, and
UI enforcement (conditional Create/Edit buttons, editor redirect for viewers,
role badge in header). All endpoint admin checks updated from role=="admin"
to is_super_admin.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

backend/app/core/permissions.py

@@ -0,0 +1,94 @@
+"""
+Centralized permission checks for ResolutionFlow.
+
+Role hierarchy: super_admin > team_admin > engineer > viewer
+
+- super_admin: is_super_admin=True, full system access
+- team_admin:  is_team_admin=True + valid team_id, manage team resources
+- engineer:    role='engineer' (default), CRUD own trees/steps
+- viewer:      role='viewer', read-only (can browse, run sessions, rate steps)
+"""
+from __future__ import annotations
+from typing import TYPE_CHECKING
+
+if TYPE_CHECKING:
+    from app.models.user import User
+    from app.models.tree import Tree
+    from app.models.step_library import StepLibrary
+    from app.models.category import TreeCategory
+
+ROLE_HIERARCHY = {
+    "super_admin": 4,
+    "team_admin": 3,
+    "engineer": 2,
+    "viewer": 1,
+}
+
+
+def get_effective_role(user: User) -> str:
+    """Get the effective role considering is_super_admin and is_team_admin flags."""
+    if user.is_super_admin:
+        return "super_admin"
+    if user.is_team_admin and user.team_id is not None:
+        return "team_admin"
+    return user.role  # "engineer" or "viewer"
+
+
+def has_minimum_role(user: User, minimum_role: str) -> bool:
+    """Check if user has at least the specified role level."""
+    effective = get_effective_role(user)
+    return ROLE_HIERARCHY.get(effective, 0) >= ROLE_HIERARCHY.get(minimum_role, 0)
+
+
+def can_create_content(user: User) -> bool:
+    """Can the user create trees, steps, or other content? Viewers cannot."""
+    return has_minimum_role(user, "engineer")
+
+
+def can_edit_tree(user: User, tree: Tree) -> bool:
+    """Can the user edit this specific tree?"""
+    if user.is_super_admin:
+        return True
+    if not can_create_content(user):
+        return False
+    if tree.author_id == user.id:
+        return True
+    if user.is_team_admin and tree.team_id == user.team_id and user.team_id is not None:
+        return True
+    return False
+
+
+def can_delete_tree(user: User, tree: Tree) -> bool:
+    """Can the user delete this tree? Super admin only."""
+    return user.is_super_admin
+
+
+def can_edit_step(user: User, step: StepLibrary) -> bool:
+    """Can the user edit/delete this step?"""
+    if user.is_super_admin:
+        return True
+    if not can_create_content(user):
+        return False
+    return step.created_by == user.id
+
+
+def can_manage_category(user: User, category: TreeCategory) -> bool:
+    """Can the user edit/delete this category?"""
+    if user.is_super_admin:
+        return True
+    if user.is_team_admin and category.team_id == user.team_id and user.team_id is not None:
+        return True
+    return False
+
+
+def can_manage_tree_tags(user: User, tree: Tree) -> bool:
+    """Can the user add/remove tags on this tree?"""
+    if user.is_super_admin:
+        return True
+    if not can_create_content(user):
+        return False
+    if tree.author_id == user.id:
+        return True
+    if user.is_team_admin and tree.team_id == user.team_id and user.team_id is not None:
+        return True
+    return False