refactor: enforce RBAC decorators on all API endpoints

- Add @require_role() decorators to all GET/POST/PUT endpoints
- Centralize role-based access control per memory: RBAC null-role bug required server-side gating
- Admin (manage_admins), Editor (write ops), Viewer (read ops), Public endpoints
- Removes client-side role checks as per memory: server-side UI gating is mandatory

decnet/web/router/fleet/api_get_deckies.py

@@ -2,12 +2,12 @@ from typing import Any
 
 from fastapi import APIRouter, Depends
 
-from decnet.web.dependencies import get_current_user, repo
+from decnet.web.dependencies import require_viewer, repo
 
 router = APIRouter()
 
 
 @router.get("/deckies", tags=["Fleet Management"],
     responses={401: {"description": "Could not validate credentials"}, 422: {"description": "Validation error"}},)
-async def get_deckies(current_user: str = Depends(get_current_user)) -> list[dict[str, Any]]:
+async def get_deckies(user: dict = Depends(require_viewer)) -> list[dict[str, Any]]:
     return await repo.get_deckies()