[M2] G4: Implement multi-user RBAC (owner/admin/agent)

[DevCalebR]

Gap ID: G4

Introduce role-based membership and authorization across app flows, with strict tenant boundaries and test-backed permission checks.

Reference: docs/PRODUCTION_READINESS_GAPS.md