feat(phase-39): role-based access control overhaul + forced password change

- Add must_change_password field to User model with migration b023

- Add POST /auth/change-password endpoint with password policy validation

- Add require_password_changed dependency to block requests until password is changed

- Add ChangePasswordModal with live password policy checklist (forced on first login)

- Show password policy in CreateUserModal and EditUserModal

- Fix backend permissions: tests, campaigns, templates, reports, evidence, worklogs

- red_tech/blue_tech: execute only, cannot create tests/campaigns/templates

- red_lead/blue_lead: create/edit tests/campaigns/templates, generate reports, no system access

- viewer: read-only everywhere, can generate reports

- Fix frontend role checks across TestDetailPage, TestDetailHeader, TeamTabs, TestsPage, CampaignsPage, CampaignDetailPage, Sidebar

backend/app/routers/campaigns.py

@@ -198,7 +198,7 @@ def list_campaigns(
 def create_campaign(
     payload: CampaignCreate,
     db: Session = Depends(get_db),
-    current_user: User = Depends(require_any_role("red_tech", "admin")),
+    current_user: User = Depends(require_any_role("red_lead", "blue_lead")),
 ):
     """Create a new campaign."""
     campaign = Campaign(
@@ -254,7 +254,7 @@ def update_campaign(
     campaign_id: str,
     payload: CampaignUpdate,
     db: Session = Depends(get_db),
-    current_user: User = Depends(require_any_role("red_tech", "admin")),
+    current_user: User = Depends(require_any_role("red_lead", "blue_lead")),
 ):
     """Update a campaign. Only allowed in draft or active state."""
     campaign = db.query(Campaign).filter(Campaign.id == campaign_id).first()
@@ -299,7 +299,7 @@ def add_test_to_campaign(
     campaign_id: str,
     payload: AddTestPayload,
     db: Session = Depends(get_db),
-    current_user: User = Depends(require_any_role("red_tech", "admin")),
+    current_user: User = Depends(require_any_role("red_lead", "blue_lead")),
 ):
     """Add a test to a campaign with optional ordering and dependency."""
     campaign = db.query(Campaign).filter(Campaign.id == campaign_id).first()
@@ -370,7 +370,7 @@ def remove_test_from_campaign(
     campaign_id: str,
     campaign_test_id: str,
     db: Session = Depends(get_db),
-    current_user: User = Depends(require_any_role("red_tech", "admin")),
+    current_user: User = Depends(require_any_role("red_lead", "blue_lead")),
 ):
     """Remove a test from a campaign."""
     campaign = db.query(Campaign).filter(Campaign.id == campaign_id).first()
@@ -414,7 +414,7 @@ def remove_test_from_campaign(
 def activate_campaign(
     campaign_id: str,
     db: Session = Depends(get_db),
-    current_user: User = Depends(require_any_role("red_tech", "admin")),
+    current_user: User = Depends(require_any_role("red_lead", "blue_lead")),
 ):
     """Activate a campaign, moving it from draft to active."""
     campaign = db.query(Campaign).filter(Campaign.id == campaign_id).first()
@@ -524,7 +524,7 @@ def get_campaign_progress_endpoint(
 def generate_campaign_from_actor(
     actor_id: str,
     db: Session = Depends(get_db),
-    current_user: User = Depends(require_any_role("red_tech", "admin")),
+    current_user: User = Depends(require_any_role("red_lead", "blue_lead")),
 ):
     """Auto-generate a campaign from a threat actor's uncovered techniques.
 
@@ -558,7 +558,7 @@ def schedule_campaign(
     campaign_id: str,
     payload: SchedulePayload,
     db: Session = Depends(get_db),
-    current_user: User = Depends(require_any_role("admin")),
+    current_user: User = Depends(require_any_role("red_lead", "blue_lead")),
 ):
     """Configure or update the recurrence schedule for a campaign.