**Description**

Secure the API with token auth and roles.

**Acceptance Criteria**

- [ ] JWT issuance and verification flows
- [ ] Roles/permissions mapped to endpoints/actions
- [ ] Token rotation/expiry documented
- [ ] Tests for authz/authn paths
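Illustrative sketch, added here and not this project's code, of what the criteria above ask for: HS256 JWT issuance with a `kid` so old keys can be retired during rotation, verification that pins the algorithm and checks `exp`, and a role-to-endpoint policy lookup. The key material, TTL and `POLICY` table are constructed for the example; a real service would load keys from a secret store and derive the policy from its route table.

```python
import base64, hashlib, hmac, json, time

# Constructed example keys: "k1" is a retired signing key kept only for verification
# during rotation; "k2" is the current signing key. Load these from a secret store in practice.
KEYS = {"k1": b"example-retired-key-still-accepted-for-verify", "k2": b"example-current-signing-key"}
CURRENT_KID = "k2"
TOKEN_TTL = 900  # seconds a freshly issued token stays valid

# Constructed policy: which roles may perform which (method, path) action.
POLICY = {("GET", "/reports"): {"viewer", "admin"}, ("POST", "/reports"): {"admin"}}

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue(sub: str, roles: list, now=None, kid: str = CURRENT_KID) -> str:
    """Issue a compact HS256 JWT carrying the subject, its roles and an expiry."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    claims = {"sub": sub, "roles": roles, "iat": now, "exp": now + TOKEN_TTL}
    signing_input = b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(KEYS[kid], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify(token: str, now=None) -> dict:
    """Return the claims if the signature is valid under a known key and the token is unexpired."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, c64, s64 = parts
    header = json.loads(b64url_decode(h64))
    # Pin the algorithm and accept only keys we know: this rejects alg=none and unknown kids.
    if header.get("alg") != "HS256" or not isinstance(header.get("kid"), str) or header["kid"] not in KEYS:
        raise ValueError("unsupported alg or unknown kid")
    expected = hmac.new(KEYS[header["kid"]], (h64 + "." + c64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(c64))
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        raise ValueError("token expired or missing exp")
    return claims

def authorize(token: str, method: str, path: str, now=None) -> bool:
    """Authn then authz: verify the token, then check its roles against the endpoint policy."""
    roles = verify(token, now).get("roles", [])
    return any(role in POLICY.get((method, path), set()) for role in roles)
```

Rotation works by issuing with the current `kid` while `KEYS` still lists the retired key, then dropping the retired entry once every token signed with it has passed `exp`.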