feat(users): switch account management to single-role model

- add users.role_id for one global role per account
- seed protected account-manager role with account.create permission
- default new accounts to guest role
- block admin role assignment through user management
- allow account-manager permission to create accounts

app/schemas/schemas.py

@@ -161,14 +161,14 @@ class UserBase(BaseModel):
 
 class UserCreate(UserBase):
     password: Optional[str] = None
-    is_admin: bool = False
+    role_id: Optional[int] = None
 
 
 class UserUpdate(BaseModel):
     full_name: Optional[str] = None
     email: Optional[str] = None
     password: Optional[str] = None
-    is_admin: Optional[bool] = None
+    role_id: Optional[int] = None
     is_active: Optional[bool] = None
 
 
@@ -176,6 +176,8 @@ class UserResponse(UserBase):
     id: int
     is_active: bool
     is_admin: bool
+    role_id: Optional[int] = None
+    role_name: Optional[str] = None
     created_at: datetime
     
     class Config: