Open
Labels
enhancement (New feature or request)
Description
Summary
- Add role-based access control with roles: admin, editor, viewer. Enforce on protected endpoints.

Deliverables
- RBAC middleware/helper to require minimum role for a handler.
- Protect app-management endpoints (create app, add/remove servers) — editor+ to modify, viewer read-only.
- Protect user management endpoints — admin only.
- Ensure current public endpoints remain accessible unless configured otherwise.

References
- internal/api/router.go (wrap routes with RBAC)
- internal/api/handlers (app mgmt when implemented)
- Epic: #23

Acceptance Criteria
- Unauthorized requests yield 403; authenticated users with insufficient role are denied.
- Admin can perform all protected actions.
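
One way the minimum-role helper described in this issue could look, as an added sketch that is not code from this repository. It assumes an authentication layer has already stored the caller's role in the request context; the names `Role`, `RequireRole`, `NewRouter`, `Probe` and the paths `/healthz`, `/apps`, `/users` are hypothetical.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
)

type Role int // ordered, so a minimum-role check is one comparison
const (
	RoleViewer Role = iota + 1 // zero value = no role (unauthenticated or unknown)
	RoleEditor
	RoleAdmin
)
type roleKey struct{} // context key for the caller's role

// RequireRole fails closed: a missing role reads as zero and gets 403.
func RequireRole(need Role, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if role, _ := r.Context().Value(roleKey{}).(Role); role < need {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// NewRouter uses hypothetical paths; /healthz stays public because it is not wrapped.
func NewRouter() http.Handler {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	mux := http.NewServeMux()
	mux.Handle("/healthz", ok)
	mux.Handle("/users", RequireRole(RoleAdmin, ok))
	mux.HandleFunc("/apps", func(w http.ResponseWriter, r *http.Request) {
		need := RoleEditor // any modifying method
		if r.Method == http.MethodGet {
			need = RoleViewer
		}
		RequireRole(need, ok).ServeHTTP(w, r)
	})
	return mux
}

func Probe(caller Role, method, path string) int {
	ctx := context.WithValue(context.Background(), roleKey{}, caller) // stands in for the auth layer (assumed)
	rec := httptest.NewRecorder()
	NewRouter().ServeHTTP(rec, httptest.NewRequest(method, path, nil).WithContext(ctx))
	return rec.Code
}
func main() { fmt.Println(Probe(RoleViewer, "POST", "/apps"), Probe(RoleAdmin, "POST", "/users")) }
```

Because the role comparison treats the zero value as "no role", a route wrapped with `RequireRole` denies any request the authentication layer did not annotate, rather than relying on each handler to check.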