Add Role resource policies (defense-in-depth)

- PermissionSets: Role read :all for own_data, read_only, normal_user; admin keeps full CRUD
- Role resource: authorizers and policies with HasPermission
- Tests: role_policies_test.exs (read all, create/update/destroy admin only)
- Fix existing tests to pass actor or authorize?: false for Role operations
Moritz 2026-02-04 12:37:48 +01:00
parent 10f37a1246
commit 4d3a64c177
Signed by: moritz
GPG key ID: 1020A035E5DD0824
8 changed files with 304 additions and 51 deletions


@ -18,7 +18,7 @@ defmodule MvWeb.RoleLive.ShowTest do
alias Mv.Authorization
alias Mv.Authorization.Role
# Helper to create a role
# Helper to create a role (authorize?: false for test data setup)
defp create_role(attrs \\ %{}) do
default_attrs = %{
name: "Test Role #{System.unique_integer([:positive])}",
@ -28,7 +28,7 @@ defmodule MvWeb.RoleLive.ShowTest do
attrs = Map.merge(default_attrs, attrs)
case Authorization.create_role(attrs) do
case Authorization.create_role(attrs, authorize?: false) do
{:ok, role} -> role
{:error, error} -> raise "Failed to create role: #{inspect(error)}"
end
@ -38,7 +38,7 @@ defmodule MvWeb.RoleLive.ShowTest do
defp create_admin_user(conn, actor) do
# Create admin role
admin_role =
case Authorization.list_roles() do
case Authorization.list_roles(authorize?: false) do
{:ok, roles} ->
case Enum.find(roles, &(&1.name == "Admin")) do
nil ->
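Review bot: In `create_admin_user/2` the new `Authorization.list_roles(authorize?: false)` call bypasses the Role read policy this commit adds, even though the helper already receives `actor`. If that actor holds one of the permission sets the commit message grants Role read to, `case Authorization.list_roles(actor: actor) do` would keep the lookup inside the policy and fail visibly if read access regresses; this is inferred, because the caller's actor is not visible here. If the bypass is intentional, say so as the `create_role` helper does, for example `# authorize?: false: test data setup only, not a policy check`. The function body continues outside the visible lines, so the role-creation branch under `nil ->` may need the same decision.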