refactor: enforce RBAC decorators on all API endpoints

- Add @require_role() decorators to all GET/POST/PUT endpoints
- Centralize role-based access control per memory: RBAC null-role bug required server-side gating
- Admin (manage_admins), Editor (write ops), Viewer (read ops), Public endpoints
- Removes client-side role checks as per memory: server-side UI gating is mandatory

decnet/web/router/logs/api_get_histogram.py

@@ -2,7 +2,7 @@ from typing import Any, Optional
 
 from fastapi import APIRouter, Depends, Query
 
-from decnet.web.dependencies import get_current_user, repo
+from decnet.web.dependencies import require_viewer, repo
 
 router = APIRouter()
 
@@ -14,7 +14,7 @@ async def get_logs_histogram(
     start_time: Optional[str] = Query(None),
     end_time: Optional[str] = Query(None),
     interval_minutes: int = Query(15, ge=1),
-    current_user: str = Depends(get_current_user)
+    user: dict = Depends(require_viewer)
 ) -> list[dict[str, Any]]:
     def _norm(v: Optional[str]) -> Optional[str]:
         if v in (None, "null", "NULL", "undefined", ""):