Implement admin users and roles management

- Add user CRUD: list, create (via Better Auth), update role/status, remove from port
- Add role CRUD: create, update permissions, delete with system role protection
- Full permissions matrix UI with accordion groups and per-action checkboxes
- Validators, services, API routes, and UI components following existing patterns

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

src/app/api/v1/admin/roles/route.ts

@@ -1,19 +1,35 @@
 import { NextResponse } from 'next/server';
 
 import { withAuth, withPermission } from '@/lib/api/helpers';
-import { db } from '@/lib/db';
+import { parseBody } from '@/lib/api/route-helpers';
+import { listRoles, createRole } from '@/lib/services/roles.service';
+import { createRoleSchema } from '@/lib/validators/roles';
 import { errorResponse } from '@/lib/errors';
 
 export const GET = withAuth(
-  withPermission('admin', 'manage_users', async (_req, _ctx) => {
+  withPermission('admin', 'manage_users', async () => {
     try {
-      const data = await db.query.roles.findMany({
-        orderBy: (roles, { asc }) => [asc(roles.name)],
-      });
-
+      const data = await listRoles();
       return NextResponse.json({ data });
     } catch (error) {
       return errorResponse(error);
     }
   }),
 );
+
+export const POST = withAuth(
+  withPermission('admin', 'manage_users', async (req, ctx) => {
+    try {
+      const body = await parseBody(req, createRoleSchema);
+      const data = await createRole(body, {
+        userId: ctx.userId,
+        portId: ctx.portId,
+        ipAddress: ctx.ipAddress,
+        userAgent: ctx.userAgent,
+      });
+      return NextResponse.json({ data }, { status: 201 });
+    } catch (error) {
+      return errorResponse(error);
+    }
+  }),
+);