feat: implement RBAC permissions system

Add role-based access control with hierarchy: super_admin > team_admin >
engineer > viewer. Adds is_super_admin boolean to User model (migration 010),
centralized backend permissions module, frontend usePermissions hook, and
UI enforcement (conditional Create/Edit buttons, editor redirect for viewers,
role badge in header). All endpoint admin checks updated from role=="admin"
to is_super_admin.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

frontend/src/hooks/usePermissions.ts

@@ -0,0 +1,75 @@
+/**
+ * Centralized permissions hook for ResolutionFlow.
+ *
+ * Role hierarchy: super_admin > team_admin > engineer > viewer
+ *
+ * Mirrors backend logic in backend/app/core/permissions.py
+ */
+import { useAuthStore } from '@/store/authStore'
+import type { User } from '@/types'
+
+export type EffectiveRole = 'super_admin' | 'team_admin' | 'engineer' | 'viewer'
+
+const ROLE_HIERARCHY: Record<EffectiveRole, number> = {
+  super_admin: 4,
+  team_admin: 3,
+  engineer: 2,
+  viewer: 1,
+}
+
+function getEffectiveRole(user: User | null): EffectiveRole {
+  if (!user) return 'viewer'
+  if (user.is_super_admin) return 'super_admin'
+  if (user.is_team_admin && user.team_id) return 'team_admin'
+  return user.role as EffectiveRole
+}
+
+function hasMinimumRole(user: User | null, minimum: EffectiveRole): boolean {
+  const effective = getEffectiveRole(user)
+  return ROLE_HIERARCHY[effective] >= ROLE_HIERARCHY[minimum]
+}
+
+export function usePermissions() {
+  const { user } = useAuthStore()
+
+  const effectiveRole = getEffectiveRole(user)
+
+  return {
+    effectiveRole,
+    isSuperAdmin: effectiveRole === 'super_admin',
+    isTeamAdmin: effectiveRole === 'team_admin' || effectiveRole === 'super_admin',
+    isEngineer: hasMinimumRole(user, 'engineer'),
+    isViewer: effectiveRole === 'viewer',
+
+    // Content creation permissions
+    canCreateTrees: hasMinimumRole(user, 'engineer'),
+    canCreateSteps: hasMinimumRole(user, 'engineer'),
+
+    // Resource-specific checks
+    canEditTree: (tree: { author_id: string | null; team_id?: string | null }) => {
+      if (!user) return false
+      if (user.is_super_admin) return true
+      if (!hasMinimumRole(user, 'engineer')) return false
+      if (tree.author_id && tree.author_id === user.id) return true
+      if (user.is_team_admin && tree.team_id === user.team_id && user.team_id) return true
+      return false
+    },
+
+    canDeleteTree: (_tree: { author_id: string | null }) => {
+      if (!user) return false
+      return user.is_super_admin
+    },
+
+    canEditStep: (step: { created_by: string }) => {
+      if (!user) return false
+      if (user.is_super_admin) return true
+      if (!hasMinimumRole(user, 'engineer')) return false
+      return step.created_by === user.id
+    },
+
+    // Management permissions
+    canManageCategories: hasMinimumRole(user, 'team_admin'),
+    canManageGlobalCategories: effectiveRole === 'super_admin',
+    canManageTeam: effectiveRole === 'super_admin' || (effectiveRole === 'team_admin'),
+  }
+}