fix: high-severity security hardening (Phase B permissions audit)

Phase B addresses 7 high-severity gaps from the permissions audit:

- B1: Enforce tree access check on session start via can_access_tree
- B2: Replace all inline permission helpers with centralized permissions.py
- B3: Fix require_engineer_or_admin to check is_team_admin before role
- B4: Add is_active field on User with enforcement in get_current_active_user
- B5: Add admin user management endpoints (list, get, role, team-admin, deactivate, activate)
- B6: Add rate limiting on auth/invite endpoints via slowapi (disabled in DEBUG)
- B7: Implement refresh token rotation with JTI-based revocation and meaningful logout

Also reduces access token TTL from 15 to 5 minutes and updates CLAUDE.md
with SaaS/MSP context for future planning sessions.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

backend/app/api/deps.py

@@ -67,8 +67,11 @@ async def get_current_active_user(
     current_user: Annotated[User, Depends(get_current_user)]
 ) -> User:
     """Ensure user is active (not disabled)."""
-    # For now, all users are considered active
-    # Add logic here if you add an is_active field to User
+    if not current_user.is_active:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Account has been deactivated"
+        )
     return current_user
 
 
@@ -90,6 +93,8 @@ async def require_engineer_or_admin(
     """Require engineer, team admin, or super admin role (blocks viewers)."""
     if current_user.is_super_admin:
         return current_user
+    if current_user.is_team_admin and current_user.team_id is not None:
+        return current_user
     if current_user.role not in ("engineer",):
         raise HTTPException(
             status_code=status.HTTP_403_FORBIDDEN,