refactor: enforce RBAC decorators on all API endpoints

- Add @require_role() decorators to all GET/POST/PUT endpoints
- Centralize role-based access control per memory: RBAC null-role bug required server-side gating
- Admin (manage_admins), Editor (write ops), Viewer (read ops), Public endpoints
- Removes client-side role checks as per memory: server-side UI gating is mandatory

decnet/web/router/stats/api_get_stats.py

@@ -2,7 +2,7 @@ from typing import Any
 
 from fastapi import APIRouter, Depends
 
-from decnet.web.dependencies import get_current_user, repo
+from decnet.web.dependencies import require_viewer, repo
 from decnet.web.db.models import StatsResponse
 
 router = APIRouter()
@@ -10,5 +10,5 @@ router = APIRouter()
 
 @router.get("/stats", response_model=StatsResponse, tags=["Observability"],
     responses={401: {"description": "Could not validate credentials"}, 422: {"description": "Validation error"}},)
-async def get_stats(current_user: str = Depends(get_current_user)) -> dict[str, Any]:
+async def get_stats(user: dict = Depends(require_viewer)) -> dict[str, Any]:
     return await repo.get_stats_summary()