[PIX-3863.2] Training RBAC permissions

[daggerstuff]

Summary

The audit flagged src/lib/auth/roles.ts ships 6 roles × 8 categories but has no training-specific permissions. Add a permission.training category with the granular actions the orchestrator / WS / server endpoints actually need.

Context

• Roles currently cover generic content + account actions but nothing granular enough for training flows.
• Without these perms, every route would have to inline if (user.role === 'admin') checks; centralising them in ROLE_DEFINITIONS is consistent with the rest of the codebase.

Scope

• Add the permission.training category with the 8 actions below.
• Extend ROLE_DEFINITIONS with the requested role grants.
• Export a static matrix snapshot for tests.

Files

• src/lib/auth/roles.ts (extend ROLE_DEFINITIONS and category map)
• src/lib/auth/tests/training-permissions.test.ts (new) — coverage of every granted/revoked combination

New permissions

• manage:fine_tuning — create / cancel / monitor fine-tune jobs
• start:training_jobs — submit jobs for execution
• read:training_jobs — view job status
• cancel:training_jobs — cancel running jobs
• manage:training_sessions — create / update fishbowl sessions
• read:own_training_sessions — view own sessions
• write:training_feedback — submit coaching feedback
• manage:training_data — merge / prepare datasets

Role grants

• admin — full set
• researcher — start:training_jobs, read:training_jobs, manage:training_data
• therapist — read:own_training_sessions, write:training_feedback

Dependencies

• BLOCKED-BY: none.
• BLOCKS:
  • [PIX-3863.2] Hardening: enforce auth on dataset merge & prepare routes #4460 Hardening: enforce auth on dataset merge & prepare routes
  • [PIX-3863.2] WebSocket hardening: persistence, rate-limit, ACL, audit log, origin validation #4464 WebSocket hardening (ACL matrix)

Acceptance checklist

• All 8 new permissions exported from src/lib/auth/roles.ts.
• ROLE_DEFINITIONS updated for admin / researcher / therapist.
• Matrix snapshot test verifies each role's allowed actions.
• No regressions on existing 6 roles (vitest src/lib/auth/...).
• Lint, typecheck, vitest all pass.
• Status update comment posted on this Linear ticket at PR-open and merge.

Related (Linear auto-links bare ticket IDs)

Parent: #4296.

This ticket blocks: #4460 (dataset routes auth) and #4464 (WebSocket hardening). Internal reference: #4463 (UI unification, uses these perms).

Audit anchors

• §5 Auth patterns
• §10 Priority recommendations chore(deps):(deps): bump scipy from 1.15.3 to 1.17.1 #8, chore(deps):(deps): bump pymongo from 4.10.1 to 4.16.0 #10

[linear-code]

PIX-3938