feat(phase-39): role-based access control overhaul + forced password change

- Add must_change_password field to User model with migration b023

- Add POST /auth/change-password endpoint with password policy validation

- Add require_password_changed dependency to block requests until password is changed

- Add ChangePasswordModal with live password policy checklist (forced on first login)

- Show password policy in CreateUserModal and EditUserModal

- Fix backend permissions: tests, campaigns, templates, reports, evidence, worklogs

- red_tech/blue_tech: execute only, cannot create tests/campaigns/templates

- red_lead/blue_lead: create/edit tests/campaigns/templates, generate reports, no system access

- viewer: read-only everywhere, can generate reports

- Fix frontend role checks across TestDetailPage, TestDetailHeader, TeamTabs, TestsPage, CampaignsPage, CampaignDetailPage, Sidebar

backend/app/routers/evidence.py

@@ -98,11 +98,10 @@ def _validate_upload_permission(
         return
 
     if team == TeamSide.red:
-        # Only red_tech can upload red evidence
-        if user.role != "red_tech":
+        if user.role not in ("red_tech", "red_lead"):
             raise HTTPException(
                 status_code=status.HTTP_403_FORBIDDEN,
-                detail="Only red_tech or admin can upload red evidence",
+                detail="Only red_tech, red_lead or admin can upload red evidence",
             )
         if test.state not in _RED_EDITABLE_STATES:
             raise HTTPException(
@@ -111,11 +110,10 @@ def _validate_upload_permission(
                        f"(allowed in: draft, red_executing)",
             )
     elif team == TeamSide.blue:
-        # Only blue_tech can upload blue evidence
-        if user.role != "blue_tech":
+        if user.role not in ("blue_tech", "blue_lead"):
             raise HTTPException(
                 status_code=status.HTTP_403_FORBIDDEN,
-                detail="Only blue_tech or admin can upload blue evidence",
+                detail="Only blue_tech, blue_lead or admin can upload blue evidence",
             )
         if test.state not in _BLUE_EDITABLE_STATES:
             raise HTTPException(
@@ -150,7 +148,7 @@ def _validate_delete_permission(
                 status_code=status.HTTP_403_FORBIDDEN,
                 detail="Cannot delete red evidence outside draft/red_executing",
             )
-        if user.role != "red_tech" and evidence.uploaded_by != user.id:
+        if user.role not in ("red_tech", "red_lead") and evidence.uploaded_by != user.id:
             raise HTTPException(
                 status_code=status.HTTP_403_FORBIDDEN,
                 detail="Not enough permissions to delete this evidence",
@@ -161,7 +159,7 @@ def _validate_delete_permission(
                 status_code=status.HTTP_403_FORBIDDEN,
                 detail="Cannot delete blue evidence outside blue_evaluating",
             )
-        if user.role != "blue_tech" and evidence.uploaded_by != user.id:
+        if user.role not in ("blue_tech", "blue_lead") and evidence.uploaded_by != user.id:
             raise HTTPException(
                 status_code=status.HTTP_403_FORBIDDEN,
                 detail="Not enough permissions to delete this evidence",