feat: add configurable permissions system with admin panel

Adds a full permissions management feature allowing admins to control
who can perform actions across the app (trip CRUD, files, places,
budget, packing, reservations, collab, members, share links).

- New server/src/services/permissions.ts: 16 configurable actions,
  in-memory cache, checkPermission() helper, backwards-compatible
  defaults matching upstream behaviour
- GET/PUT /admin/permissions endpoints; permissions loaded into
  app-config response so clients have them on startup
- checkPermission() applied to all mutating route handlers across
  10 server route files; getTripOwnerId() helper eliminates repeated
  inline DB queries; trips.ts and files.ts now reuse canAccessTrip()
  result to avoid redundant DB round-trips
- New client/src/store/permissionsStore.ts: Zustand store +
  useCanDo() hook; TripOwnerContext type accepts both Trip and
  DashboardTrip shapes without casting at call sites
- New client/src/components/Admin/PermissionsPanel.tsx: categorised
  UI with per-action dropdowns, customised badge, save/reset
- AdminPage, DashboardPage, FileManager, PlacesSidebar,
  TripMembersModal gated via useCanDo(); no prop drilling
- 46 perm.* translation keys added to all 12 language files

server/src/routes/share.ts

@@ -1,7 +1,8 @@
 import express, { Request, Response } from 'express';
 import crypto from 'crypto';
-import { db, canAccessTrip } from '../db/database';
+import { db, canAccessTrip, getTripOwnerId } from '../db/database';
 import { authenticate } from '../middleware/auth';
+import { checkPermission } from '../services/permissions';
 import { AuthRequest } from '../types';
 import { loadTagsByPlaceIds } from '../services/queryHelpers';
 
@@ -12,6 +13,10 @@ router.post('/trips/:tripId/share-link', authenticate, (req: Request, res: Respo
   const authReq = req as AuthRequest;
   const { tripId } = req.params;
   if (!canAccessTrip(tripId, authReq.user.id)) return res.status(404).json({ error: 'Trip not found' });
+  const tripOwnerId = getTripOwnerId(tripId);
+  if (!tripOwnerId) return res.status(404).json({ error: 'Trip not found' });
+  if (!checkPermission('share_manage', authReq.user.role, tripOwnerId, authReq.user.id, tripOwnerId !== authReq.user.id))
+    return res.status(403).json({ error: 'No permission' });
 
   const { share_map = true, share_bookings = true, share_packing = false, share_budget = false, share_collab = false } = req.body || {};
 
@@ -45,6 +50,10 @@ router.delete('/trips/:tripId/share-link', authenticate, (req: Request, res: Res
   const authReq = req as AuthRequest;
   const { tripId } = req.params;
   if (!canAccessTrip(tripId, authReq.user.id)) return res.status(404).json({ error: 'Trip not found' });
+  const tripOwnerId = getTripOwnerId(tripId);
+  if (!tripOwnerId) return res.status(404).json({ error: 'Trip not found' });
+  if (!checkPermission('share_manage', authReq.user.role, tripOwnerId, authReq.user.id, tripOwnerId !== authReq.user.id))
+    return res.status(403).json({ error: 'No permission' });
 
   db.prepare('DELETE FROM share_tokens WHERE trip_id = ?').run(tripId);
   res.json({ success: true });