fix: high-severity security hardening (Phase B permissions audit)

Phase B addresses 7 high-severity gaps from the permissions audit:

- B1: Enforce tree access check on session start via can_access_tree
- B2: Replace all inline permission helpers with centralized permissions.py
- B3: Fix require_engineer_or_admin to check is_team_admin before role
- B4: Add is_active field on User with enforcement in get_current_active_user
- B5: Add admin user management endpoints (list, get, role, team-admin, deactivate, activate)
- B6: Add rate limiting on auth/invite endpoints via slowapi (disabled in DEBUG)
- B7: Implement refresh token rotation with JTI-based revocation and meaningful logout

Also reduces access token TTL from 15 to 5 minutes and updates CLAUDE.md
with SaaS/MSP context for future planning sessions.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

backend/app/schemas/user.py

@@ -1,5 +1,5 @@
 from datetime import datetime
-from typing import Optional
+from typing import Literal, Optional
 from uuid import UUID
 from pydantic import BaseModel, EmailStr, Field
 
@@ -29,9 +29,18 @@ class UserResponse(UserBase):
     role: str
     is_super_admin: bool = False
     is_team_admin: bool = False
+    is_active: bool = True
     team_id: Optional[UUID] = None
     created_at: datetime
     last_login: Optional[datetime] = None
 
     class Config:
         from_attributes = True
+
+
+class RoleUpdate(BaseModel):
+    role: Literal["engineer", "viewer"]
+
+
+class TeamAdminUpdate(BaseModel):
+    is_team_admin: bool