feat: role-based UI access control

- Hide Admin sidebar section for non-ADMIN users
- Add RequireAdmin route guard — /admin/* redirects to / for non-admin
- Move App Config from admin section to main Config tab (per-app,
  visible when app selected). VIEWER sees read-only, OPERATOR+ can edit
- Hide diagram node toolbar for VIEWER (onNodeAction conditional)
- Add useIsAdmin/useCanControl helpers to centralize role checks
- Remove App Config from admin sidebar tree

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

ui/src/pages/Exchanges/ExchangeHeader.tsx

@@ -5,7 +5,7 @@ import { StatusDot, MonoText, Badge, useGlobalFilters } from '@cameleer/design-s
 import { useCorrelationChain } from '../../api/queries/correlation';
 import { useAgents } from '../../api/queries/agents';
 import { useRouteCatalog } from '../../api/queries/catalog';
-import { useAuthStore } from '../../auth/auth-store';
+import { useCanControl } from '../../auth/auth-store';
 import type { ExecutionDetail } from '../../components/ExecutionDiagram/types';
 import { attributeBadgeColor } from '../../utils/attribute-color';
 import { RouteControlBar } from './RouteControlBar';
@@ -79,8 +79,7 @@ export function ExchangeHeader({ detail, onCorrelatedSelect, onClearSelection }:
     };
   }, [agents, detail.instanceId]);
 
-  const roles = useAuthStore((s) => s.roles);
-  const canControl = roles.some(r => r === 'OPERATOR' || r === 'ADMIN');
+  const canControl = useCanControl();
 
   return (
     <div className={styles.header}>