refactor: enforce RBAC decorators on all API endpoints

- Add @require_role() decorators to all GET/POST/PUT endpoints
- Centralize role-based access control per memory: RBAC null-role bug required server-side gating
- Admin (manage_admins), Editor (write ops), Viewer (read ops), Public endpoints
- Removes client-side role checks as per memory: server-side UI gating is mandatory

decnet/web/router/fleet/api_mutate_interval.py

@@ -1,7 +1,7 @@
 from fastapi import APIRouter, Depends, HTTPException
 
 from decnet.config import DecnetConfig
-from decnet.web.dependencies import get_current_user, repo
+from decnet.web.dependencies import require_admin, repo
 from decnet.web.db.models import MutateIntervalRequest
 
 router = APIRouter()
@@ -19,11 +19,12 @@ def _parse_duration(s: str) -> int:
     responses={
         400: {"description": "Bad Request (e.g. malformed JSON)"},
         401: {"description": "Could not validate credentials"},
+        403: {"description": "Insufficient permissions"},
         404: {"description": "No active deployment or decky not found"},
         422: {"description": "Validation error"}
     },
 )
-async def api_update_mutate_interval(decky_name: str, req: MutateIntervalRequest, current_user: str = Depends(get_current_user)) -> dict[str, str]:
+async def api_update_mutate_interval(decky_name: str, req: MutateIntervalRequest, admin: dict = Depends(require_admin)) -> dict[str, str]:
     state_dict = await repo.get_state("deployment")
     if not state_dict:
         raise HTTPException(status_code=404, detail="No active deployment")