Phase 3: Harden backend RBAC and audit log

[gxmzung]

Move role-based access control from frontend assumptions to backend enforcement. Store audit logs and unauthorized access events.