feat: granular RBAC with resource/operation bindings, users, groups

- Replace admin role with granular roles: view, create, delete, edit, run
- Two binding types: resource bindings (role+resource+optional name) and
  operation bindings (role:run + action like backup, logs, impersonate)
- Name-scoped resource bindings for per-instance access control
- Remove role from project members (all permissions via RBAC)
- Add users, groups, RBAC CRUD endpoints and CLI commands
- describe user/group shows all RBAC access (direct + inherited)
- create rbac supports --subject, --binding, --operation flags
- Backup/restore handles users, groups, RBAC definitions
- mcplocal project-based MCP endpoint discovery
- Full test coverage for all new functionality

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

src/db/tests/helpers.ts

@@ -49,10 +49,15 @@ export async function clearAllTables(client: PrismaClient): Promise<void> {
   // Delete in order respecting foreign keys
   await client.auditLog.deleteMany();
   await client.mcpInstance.deleteMany();
+  await client.projectServer.deleteMany();
+  await client.projectMember.deleteMany();
   await client.secret.deleteMany();
   await client.session.deleteMany();
   await client.project.deleteMany();
   await client.mcpServer.deleteMany();
   await client.mcpTemplate.deleteMany();
+  await client.groupMember.deleteMany();
+  await client.group.deleteMany();
+  await client.rbacDefinition.deleteMany();
   await client.user.deleteMany();
 }