
fix(auth): prevent USER_ADMIN from downgrading SUPER_ADMIN users #564

Open
kjken23 wants to merge 1 commit into iflytek:main from kjken23:fix/prevent-super-admin-demotion

Conversation

@kjken23 kjken23 commented Jun 26, 2026


Summary

  • Tighten admin user role mutation authorization so only SUPER_ADMIN can change role state involving SUPER_ADMIN.
  • Prevent USER_ADMIN from downgrading or replacing an existing SUPER_ADMIN account with USER or another platform role.
  • Add regression coverage to ensure rejected role mutations do not delete or rewrite existing role bindings.

This is needed because the previous backend check only blocked non-SUPER_ADMIN actors from assigning SUPER_ADMIN; it did not protect target users who already had SUPER_ADMIN.

Closes #562

Validation

  • Backend tests passed
  • Frontend typecheck/build passed
  • OpenAPI SDK regenerated or checked when API contracts changed
  • Smoke test run when relevant

Commands run:

make test-backend-app

Result:

Tests run: 574, Failures: 0, Errors: 0, Skipped: 0
BUILD SUCCESS

OpenAPI impact:

No API contract changes. No SDK regeneration required.

Frontend impact:

Backend-only authorization behavior change. Frontend typecheck/build not run.

Smoke test:

Not run. This change is covered by backend service regression tests and does not change deployment wiring.

Risk

  • User-facing impact: USER_ADMIN can still manage ordinary users, but attempts to mutate an existing SUPER_ADMIN now return a forbidden error unless the actor is also SUPER_ADMIN.
  • Deployment or migration impact: none. No schema, API contract, generated SDK, or configuration changes.
  • Rollback approach: revert the role mutation guard, localized message keys, and regression test.

Notes
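The two guards the description contrasts, as an added illustration that is not code from this PR or the iflytek repository: the original-style check that inspects only the requested role, beside the tightened check that also inspects the target's existing role and rejects before any write. The Role, Account and Forbidden names and the sample accounts are constructed; the project's real classes are not shown on this page.

```python
from dataclasses import dataclass
from enum import Enum


class Role(Enum):
    USER = "USER"
    USER_ADMIN = "USER_ADMIN"
    SUPER_ADMIN = "SUPER_ADMIN"


class Forbidden(Exception):
    """Raised when the actor is not allowed to perform the role mutation."""


@dataclass
class Account:  # constructed stand-in for the project's user entity
    username: str
    role: Role


def change_role_before(actor: Account, target: Account, new_role: Role) -> Account:
    # Flawed guard: only the *requested* role is inspected, so a USER_ADMIN
    # can still rewrite an existing SUPER_ADMIN binding down to USER.
    if new_role is Role.SUPER_ADMIN and actor.role is not Role.SUPER_ADMIN:
        raise Forbidden("only SUPER_ADMIN may grant SUPER_ADMIN")
    target.role = new_role
    return target


def change_role_after(actor: Account, target: Account, new_role: Role) -> Account:
    # Hardened guard: the check covers the target's current role as well as the
    # requested one, and runs before the write so a rejected call leaves the
    # existing binding untouched.
    involves_super_admin = Role.SUPER_ADMIN in (target.role, new_role)
    if involves_super_admin and actor.role is not Role.SUPER_ADMIN:
        raise Forbidden("only SUPER_ADMIN may change a role involving SUPER_ADMIN")
    target.role = new_role
    return target


def attempt(guard, actor_role: Role, target_role: Role, new_role: Role):
    """Run one mutation through `guard`; return (allowed, target's role afterwards)."""
    actor = Account("actor", actor_role)      # constructed sample accounts
    target = Account("target", target_role)
    try:
        guard(actor, target, new_role)
        return True, target.role
    except Forbidden:
        return False, target.role
```

The second tuple element is what the regression coverage in the description checks: a rejected mutation must leave the target's binding exactly as it was.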

@CLAassistant


CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.



Development

Successfully merging this pull request may close these issues.

[Bug] Prevent USER_ADMIN from downgrading existing SUPER_ADMIN accounts
