auth-rbaclisted

## Overview Gate routes and actions behind roles so only authorised users can perform them. ## Steps 1. Attach a role claim to the session at sign in. 2. Add middleware that checks the required role for protected routes. 3. Return 403 rather than 404 for an authenticated but unauthorised user. ## Verify Run the tests and confirm a user without the required role receives a 403 on a protected route.