RBAC policy (v0.1)

Roles: - system_admin: SaaS operator. Can manage tenants and users across tenants. - admin: Tenant admin. Can manage resources within own tenant. - operator: Tenant operator. Can view and run (future) workflows within tenant.

Rules (implemented now): - POST /api/tenants: system_admin only - GET /api/tenants: system_admin only - POST /api/tenants/{tenantId}/users: - system_admin: any tenant - admin: only if {tenantId} == JWT tenant_id - GET /api/tenants/{tenantId}/users: - system_admin: any tenant - admin: only if {tenantId} == JWT tenant_id

Notes: - In v0.1 bootstrap, the default admin@local user is created as system_admin. - Over time we can separate bootstrap/system admin from tenant admin accounts.