feat(rbac): enforce admin access checks and document permission model

docs/product-engineering/rbac-permission-model.md

@@ -0,0 +1,62 @@
+# RBAC And Permission Model
+
+This document defines the current role model, permission matrix, and scope semantics used by the admin app.
+
+## Roles
+
+- `admin`: full system access
+- `manager`: broad operational access with selective limitations
+- `editor`: content-focused access with reduced user-management privileges
+
+## Permission Scopes
+
+- `own`: applies to records the user owns
+- `team`: applies to records within the user's team/org unit
+- `global`: applies across all records
+
+Scope hierarchy (higher includes lower):
+
+- `global` -> `team` -> `own`
+
+## Permission Matrix Summary
+
+### Admin
+
+- All permissions at `global` scope
+
+### Manager
+
+- Dashboard and roadmap read: `global`
+- Pages, navigation, media, commissions, banner, news: `global`
+- Users: `read` at `global`, `write` at `team`
+
+### Editor
+
+- Dashboard: `read` at `global`
+- Pages/navigation/media/news: mostly `team`
+- Publish and workflow transitions: mostly `own`
+- Users and commissions: mostly `own`
+- Banner: `read` at `global`
+
+## Enforcement Layers
+
+- Route-level: `apps/admin/src/middleware.ts`
+- Action-level: server component checks in admin pages (`/` and `/todo`)
+- Shared model + checks: `packages/content/src/rbac.ts`
+
+## Dev Role Fallback
+
+For local development only:
+
+- If no role cookie/header is present and environment is not production,
+  role falls back to `CMS_DEV_ROLE` or `admin`.
+
+Use this only as bootstrap behavior until full auth/session integration is finished.
+
+## Related Tasks
+
+See `TODO.md` MVP0 gate items:
+
+- RBAC domain model finalized
+- RBAC route/action enforcement
+- Permission matrix documented and tested