feat(users): switch account management to single-role model

- add users.role_id for one global role per account
- seed protected account-manager role with account.create permission
- default new accounts to guest role
- block admin role assignment through user management
- allow account-manager permission to create accounts

app/models/models.py

@@ -74,12 +74,18 @@ class User(Base):
     full_name = Column(String(100), nullable=True)
     is_active = Column(Boolean, default=True)
     is_admin = Column(Boolean, default=False)
+    role_id = Column(Integer, ForeignKey("roles.id"), nullable=True)
     created_at = Column(DateTime(timezone=True), server_default=func.now())
-    
+
+    role = relationship("Role", foreign_keys=[role_id])
     owned_projects = relationship("Project", back_populates="owner")
     comments = relationship("Comment", back_populates="author")
     project_memberships = relationship("ProjectMember", back_populates="user")
 
+    @property
+    def role_name(self):
+        return self.role.name if self.role else None
+
 
 class ProjectMember(Base):
     __tablename__ = "project_members"