feat: per-user museum and channel access control

- PATCH /api/users/:id route to update user permissions
- Auth session stores and returns allowedMuseums/allowedChannels
- User type gains AllowedMuseums/AllowedChannels (JSON string fields)
- parseAllowed() with fail-closed semantics (empty string → null → no data)
- Dashboard/Comparison apply permission base filter before user filters
- Filter dropdowns (museums, channels, years, districts) derived from
  permission-filtered data — restricted users only see their allowed options
- Settings UserRow component with inline checkbox pickers for access config
- Access badges in users table showing current restriction summary

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

src/App.css

@@ -1006,6 +1006,21 @@ table tbody tr:hover {
   gap: 6px;
 }
 
+.access-badge {
+  display: inline-block;
+  font-size: 0.7rem;
+  padding: 2px 7px;
+  border-radius: 10px;
+  background: var(--surface-raised, #f0f0f0);
+  color: var(--text-secondary, #666);
+  margin-right: 4px;
+}
+
+.access-badge--full {
+  background: #d1fae5;
+  color: #065f46;
+}
+
 .btn-small {
   padding: 4px 10px;
   font-size: 0.75rem;