feat(users): switch account management to single-role model

- add users.role_id for one global role per account
- seed protected account-manager role with account.create permission
- default new accounts to guest role
- block admin role assignment through user management
- allow account-manager permission to create accounts

app/init_wizard.py

@@ -123,6 +123,7 @@ DEFAULT_PERMISSIONS = [
     ("propose.reopen", "Reopen a rejected propose", "propose"),
     # Role/Permission management
     ("role.manage", "Manage roles and permissions", "admin"),
+    ("account.create", "Create HarborForge accounts", "account"),
     # User management
     ("user.manage", "Manage users", "admin"),
     # Monitor
@@ -175,9 +176,14 @@ _DEV_PERMISSIONS = {
     "monitor.read",
 }
 
+_ACCOUNT_MANAGER_PERMISSIONS = {
+    "account.create",
+}
+
 # Role definitions: (name, description, permission_set)
 _DEFAULT_ROLES = [
     ("admin", "Administrator - full access to all features", None),       # None ⇒ all perms
+    ("account-manager", "Account manager - can only create accounts", _ACCOUNT_MANAGER_PERMISSIONS),
     ("mgr",   "Manager - project & milestone management",    _MGR_PERMISSIONS),
     ("dev",   "Developer - task execution & daily work",     _DEV_PERMISSIONS),
     ("guest", "Guest - read-only access",                    None),       # special: *.read only