refactor: enforce RBAC decorators on all API endpoints

- Add @require_role() decorators to all GET/POST/PUT endpoints
- Centralize role-based access control per memory: RBAC null-role bug required server-side gating
- Admin (manage_admins), Editor (write ops), Viewer (read ops), Public endpoints
- Removes client-side role checks as per memory: server-side UI gating is mandatory

decnet/web/router/stream/api_stream_events.py

@@ -7,7 +7,7 @@ from fastapi.responses import StreamingResponse
 
 from decnet.env import DECNET_DEVELOPER
 from decnet.logging import get_logger
-from decnet.web.dependencies import get_stream_user, repo
+from decnet.web.dependencies import require_stream_viewer, repo
 
 log = get_logger("api")
 
@@ -31,7 +31,7 @@ async def stream_events(
     start_time: Optional[str] = None,
     end_time: Optional[str] = None,
     max_output: Optional[int] = Query(None, alias="maxOutput"),
-    current_user: str = Depends(get_stream_user)
+    user: dict = Depends(require_stream_viewer)
 ) -> StreamingResponse:
 
     async def event_generator() -> AsyncGenerator[str, None]: