fix: high-severity security hardening (Phase B permissions audit)

Phase B addresses 7 high-severity gaps from the permissions audit:

- B1: Enforce tree access check on session start via can_access_tree
- B2: Replace all inline permission helpers with centralized permissions.py
- B3: Fix require_engineer_or_admin to check is_team_admin before role
- B4: Add is_active field on User with enforcement in get_current_active_user
- B5: Add admin user management endpoints (list, get, role, team-admin, deactivate, activate)
- B6: Add rate limiting on auth/invite endpoints via slowapi (disabled in DEBUG)
- B7: Implement refresh token rotation with JTI-based revocation and meaningful logout

Also reduces access token TTL from 15 to 5 minutes and updates CLAUDE.md
with SaaS/MSP context for future planning sessions.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

backend/app/core/permissions.py

@@ -9,13 +9,15 @@ Role hierarchy: super_admin > team_admin > engineer > viewer
 - viewer:      role='viewer', read-only (can browse, run sessions, rate steps)
 """
 from __future__ import annotations
-from typing import TYPE_CHECKING
+from typing import Optional, TYPE_CHECKING
+from uuid import UUID
 
 if TYPE_CHECKING:
     from app.models.user import User
     from app.models.tree import Tree
     from app.models.step_library import StepLibrary
     from app.models.category import TreeCategory
+    from app.models.step_category import StepCategory
 
 ROLE_HIERARCHY = {
     "super_admin": 4,
@@ -92,3 +94,78 @@ def can_manage_tree_tags(user: User, tree: Tree) -> bool:
     if user.is_team_admin and tree.team_id == user.team_id and user.team_id is not None:
         return True
     return False
+
+
+def can_access_tree(user: User, tree: Tree) -> bool:
+    """Can the user access (view) this tree?"""
+    if tree.is_default or tree.is_public:
+        return True
+    if tree.author_id == user.id:
+        return True
+    if tree.team_id == user.team_id and user.team_id is not None:
+        return True
+    if user.is_super_admin:
+        return True
+    return False
+
+
+def can_view_step(user: User, step: StepLibrary) -> bool:
+    """Can the user view this step based on its visibility?"""
+    if step.visibility == "public":
+        return True
+    if step.visibility == "private":
+        return step.created_by == user.id
+    if step.visibility == "team":
+        return (step.team_id == user.team_id and user.team_id is not None) or user.is_super_admin
+    return False
+
+
+def can_create_tag(user: User, team_id: Optional[UUID]) -> bool:
+    """Can the user create a tag for the given scope?
+
+    - Super admins can create global tags (team_id=None) or any team's tags
+    - Engineers can create team tags for their own team
+    - Viewers cannot create tags
+    """
+    if user.is_super_admin:
+        return True
+    if not can_create_content(user):
+        return False
+    if team_id is not None and team_id == user.team_id:
+        return True
+    return False
+
+
+def can_create_category(user: User, team_id: Optional[UUID]) -> bool:
+    """Can the user create a category for the given team?
+
+    - Super admins can create global or any team's categories
+    - Team admins can create categories for their own team
+    """
+    if user.is_super_admin:
+        return True
+    if user.is_team_admin and team_id == user.team_id and user.team_id is not None:
+        return True
+    return False
+
+
+def can_manage_step_category(user: User, category: StepCategory) -> bool:
+    """Can the user edit/delete this step category?"""
+    if user.is_super_admin:
+        return True
+    if user.is_team_admin and category.team_id == user.team_id and user.team_id is not None:
+        return True
+    return False
+
+
+def can_create_step_category(user: User, team_id: Optional[UUID]) -> bool:
+    """Can the user create a step category for the given team?
+
+    - Super admins can create global or any team's step categories
+    - Team admins can create step categories for their own team
+    """
+    if user.is_super_admin:
+        return True
+    if user.is_team_admin and team_id == user.team_id and user.team_id is not None:
+        return True
+    return False