security: enforce RBAC on all entity CRUD handlers#44

Merged
NeuroKoder3 merged 1 commit intomainfrom
security/enforce-rbac-entity-handlers
Mar 27, 2026

Conversation

@NeuroKoder3 (Owner)

Summary

Fixes the Broken Access Control (BAC) vulnerability — the last critical security gap identified in the enterprise production readiness assessment.

Before: The entity CRUD handlers only checked whether a session was active. Any authenticated user — including viewers and regulators — could create, modify, or delete any entity type by calling the IPC channel directly.

After: Every handler now calls enforcePermission before proceeding. This function checks the user role against the RBAC permission matrix defined in accessControl.cjs.

Permission mapping covers all 14 entity types:

| Entity | View | Create | Update | Delete |
|---|---|---|---|---|
| Patient | patient:view | patient:create | patient:update | patient:delete |
| DonorOrgan | donor:view | donor:create | donor:update | donor:delete |
| Match | match:view | match:create | match:update | blocked |
| AuditLog | audit:view | blocked | blocked | blocked |
| User | user:manage | user:manage | user:manage | user:manage |
| NotificationRule | open | settings:manage | settings:manage | settings:manage |
| EHR entities | open | system:configure | system:configure | system:configure |
| ReadinessBarrier | patient:view | patient:update | patient:update | patient:delete |

Test plan

  • Verify viewer role cannot create/update/delete patients
  • Verify coordinator role can create patients but not delete
  • Verify admin role has full access to all entities
  • Verify regulator role has read-only access
  • Verify existing tests still pass

…bility)

The entity:create, entity:get, entity:update, entity:delete, entity:list, and entity:filter IPC handlers previously only checked session validity, allowing any authenticated user (including viewers) to mutate data.

Now every handler calls enforcePermission() which checks the user's role against the RBAC matrix in accessControl.cjs before allowing the operation. Each entity type maps to specific permissions for view/create/update/delete actions.
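The following is an added illustration of the pattern this PR describes, written for this page; it is not the project's accessControl.cjs or its IPC handlers. The entity-to-permission table is taken from the PR description, but the role-to-permission sets (viewer, regulator, coordinator, admin) are an assumption constructed only to satisfy the test plan above, and the names `EHRConnection` (standing in for the "EHR entities" group), `withPermission`, `isAllowed`, `runTestPlan` and `PermissionError` are hypothetical. The point it shows is the deny-by-default shape of the check: unknown entity types, unknown actions, blocked cells and missing sessions all fail closed, and the check runs before the handler body rather than inside it.

```javascript
// Added example, not the project's accessControl.cjs: an RBAC permission
// matrix and an enforcePermission() check of the kind the PR describes.
// The entity -> action -> permission table is copied from the PR; the
// role -> permission sets are an ASSUMPTION constructed to satisfy the
// PR's test plan (viewer read-only, coordinator no delete, admin full,
// regulator read-only), not the project's real configuration.
const BLOCKED = null;   // nobody may perform this action, not even admin
const OPEN = '*';       // any authenticated session may perform it

const ENTITY_PERMISSIONS = {
  Patient:          { view: 'patient:view', create: 'patient:create', update: 'patient:update', delete: 'patient:delete' },
  DonorOrgan:       { view: 'donor:view',   create: 'donor:create',   update: 'donor:update',   delete: 'donor:delete' },
  Match:            { view: 'match:view',   create: 'match:create',   update: 'match:update',   delete: BLOCKED },
  AuditLog:         { view: 'audit:view',   create: BLOCKED,          update: BLOCKED,          delete: BLOCKED },
  User:             { view: 'user:manage',  create: 'user:manage',    update: 'user:manage',    delete: 'user:manage' },
  NotificationRule: { view: OPEN,           create: 'settings:manage', update: 'settings:manage', delete: 'settings:manage' },
  // "EHR entities" in the PR table is a group; one hypothetical member stands in for it here.
  EHRConnection:    { view: OPEN,           create: 'system:configure', update: 'system:configure', delete: 'system:configure' },
  ReadinessBarrier: { view: 'patient:view', create: 'patient:update', update: 'patient:update', delete: 'patient:delete' },
};

// Every non-blocked, non-open permission string in the matrix (granted to admin).
const ALL_PERMISSIONS = [...new Set(
  Object.values(ENTITY_PERMISSIONS)
    .flatMap((actions) => Object.values(actions))
    .filter((p) => p !== BLOCKED && p !== OPEN),
)];

// ASSUMED role -> permission sets, chosen to match the PR's test plan.
const ROLE_PERMISSIONS = {
  viewer:      ['patient:view', 'donor:view', 'match:view'],
  regulator:   ['patient:view', 'donor:view', 'match:view', 'audit:view'],
  coordinator: ['patient:view', 'patient:create', 'patient:update',
                'donor:view', 'donor:create', 'donor:update',
                'match:view', 'match:create', 'match:update'],
  admin:       ALL_PERMISSIONS,
};

class PermissionError extends Error {
  constructor(message) { super(message); this.name = 'PermissionError'; }
}

// Deny-by-default check: throws unless the session's role holds the
// permission the matrix requires for (entityType, action).
function enforcePermission(session, entityType, action) {
  const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);
  const actions = hasOwn(ENTITY_PERMISSIONS, entityType) ? ENTITY_PERMISSIONS[entityType] : undefined;
  if (!actions || !hasOwn(actions, action)) {
    throw new PermissionError(`no permission mapping for ${entityType}.${action}`);
  }
  const required = actions[action];
  if (required === BLOCKED) {
    throw new PermissionError(`${action} on ${entityType} is blocked for every role`);
  }
  const role = session && session.role;
  if (!role) throw new PermissionError('no authenticated session');
  if (required === OPEN) return true;
  const granted = hasOwn(ROLE_PERMISSIONS, role) ? ROLE_PERMISSIONS[role] : [];
  if (!granted.includes(required)) {
    throw new PermissionError(`role ${role} lacks ${required} for ${action} on ${entityType}`);
  }
  return true;
}

// Wraps a handler so the permission check always runs before the body,
// mirroring what the PR does in each entity:* IPC handler.
function withPermission(action, handler) {
  return (session, entityType, payload) => {
    enforcePermission(session, entityType, action);
    return handler(entityType, payload);
  };
}

// Boolean form for tests and UI gating; only PermissionError maps to false.
function isAllowed(role, entityType, action) {
  try {
    enforcePermission({ role }, entityType, action);
    return true;
  } catch (err) {
    if (err instanceof PermissionError) return false;
    throw err;
  }
}

// Walks the PR's test plan and reports each case as a boolean.
function runTestPlan() {
  const mutations = ['create', 'update', 'delete'];
  return {
    viewerCannotMutatePatients: mutations.every((a) => !isAllowed('viewer', 'Patient', a)),
    coordinatorCreatesNotDeletes: isAllowed('coordinator', 'Patient', 'create') && !isAllowed('coordinator', 'Patient', 'delete'),
    adminFullAccess: Object.entries(ENTITY_PERMISSIONS).every(([e, acts]) =>
      Object.entries(acts).every(([a, p]) => (p === BLOCKED ? !isAllowed('admin', e, a) : isAllowed('admin', e, a)))),
    regulatorReadOnly: Object.keys(ENTITY_PERMISSIONS).every((e) => mutations.every((a) => !isAllowed('regulator', e, a))),
  };
}

if (typeof module !== 'undefined') {
  module.exports = { enforcePermission, withPermission, isAllowed, runTestPlan, PermissionError };
}
```

Two design choices worth noting when reviewing a change like this: the matrix is consulted by exact entity and action name, so a typo in a handler's entity type fails closed instead of silently granting access, and "blocked" is a distinct value from "no role holds it", so an admin cannot delete a Match even though admin holds every other permission in the matrix.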
@NeuroKoder3 NeuroKoder3 merged commit f818e13 into main Mar 27, 2026
12 checks passed