feat(phase-39): role-based access control overhaul + forced password change

- Add must_change_password field to User model with migration b023

- Add POST /auth/change-password endpoint with password policy validation

- Add require_password_changed dependency to block requests until password is changed

- Add ChangePasswordModal with live password policy checklist (forced on first login)

- Show password policy in CreateUserModal and EditUserModal

- Fix backend permissions: tests, campaigns, templates, reports, evidence, worklogs

- red_tech/blue_tech: execute only, cannot create tests/campaigns/templates

- red_lead/blue_lead: create/edit tests/campaigns/templates, generate reports, no system access

- viewer: read-only everywhere, can generate reports

- Fix frontend role checks across TestDetailPage, TestDetailHeader, TeamTabs, TestsPage, CampaignsPage, CampaignDetailPage, Sidebar

frontend/src/pages/TestDetailPage.tsx

@@ -344,10 +344,10 @@ export default function TestDetailPage() {
   const role = user?.role ?? "";
   const canSaveRed =
     (test.state === "draft" || test.state === "red_executing") &&
-    (role === "red_tech" || role === "admin");
+    (role === "red_tech" || role === "red_lead" || role === "admin");
   const canSaveBlue =
     test.state === "blue_evaluating" &&
-    (role === "blue_tech" || role === "admin");
+    (role === "blue_tech" || role === "blue_lead" || role === "admin");
 
   // ── Render ─────────────────────────────────────────────────────