#107 Comprehensive RBAC permission tests for API token scopes

Create integration tests that verify all API endpoints enforce correct permissions. Must: 1) Create tokens with various permission combinations via API, 2) Test each protected endpoint with correct/incorrect scopes, 3) Verify 403 for denied access, 200 for allowed, 4) Bootstrap mechanism for new installations, 5) No code duplication in RBAC logic