- update `updateRole` to allow name changes for system roles while blocking permission updates
- remove edit button restriction for system roles in roles page
- disable name field only was replaced by disabling permissions checkboxes for system roles in edit modal
- update README to reflect new system role update policy
- throw error in updateRole when role is system-protected
- hide edit button in roles table for system roles
- update README to reflect roles cannot be modified (not just renamed)
- add optional `permission` field to route definitions with type validation in `define.js`
- check `hasPermission()` in router after `requireAdmin()` and return 403 if denied
- document `permission` and `skipRateLimit` optional fields in api README
- load user permissions in `AdminPage.server.js` and pass them to client via `user` prop
- use `user.permissions` in `RolesPage` and `UsersPage` to conditionally render actions
- expose permission-gated API routes in `auth/api.js`
hykocx