feat(authz): per-route permission gating for /admin (granular admin roles)

Finishes Phase 2: the /admin route group no longer requires 'manage all'
globally. Each route is gated by its specific permission so a non-super-admin
role can be granted partial admin access:
- /admin/users (+show) -> can:view users; create -> can:create users;
  edit -> can:edit users
- /admin/roles, roles/*, permissions -> can:manage roles
- Aligned the role screens' mount checks (RoleForm/RoleView/RolePermissionManager)
  from 'manage all' to 'manage roles'.
- Nav 'Administrator' link now shows on can('view users').
Admins keep full access via Gate::before (manage all). Closure routes
(users/roles lists) are now protected at the route level.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

app/Livewire/RoleForm.php

@@ -21,7 +21,7 @@ class RoleForm extends Component
 
     public function mount(?Role $role = null): void
     {
-        abort_unless(Auth::user()?->can(self::CORE_PERMISSION), 403);
+        abort_unless(Auth::user()?->can('manage roles'), 403);
 
         if ($role && $role->exists) {
             $this->role        = $role;

app/Livewire/RolePermissionManager.php

@@ -21,7 +21,7 @@ class RolePermissionManager extends Component
 
     public function mount(): void
     {
-        abort_unless(Auth::user()?->can(self::CORE_PERMISSION), 403);
+        abort_unless(Auth::user()?->can('manage roles'), 403);
     }
 
     private function flushCache(): void

app/Livewire/RoleView.php

@@ -23,7 +23,7 @@ class RoleView extends Component
 
     public function mount(Role $role): void
     {
-        abort_unless(Auth::user()?->can(self::CORE_PERMISSION), 403);
+        abort_unless(Auth::user()?->can('manage roles'), 403);
         $this->role = $role;
     }
 

resources/views/livewire/layout/navigation.blade.php

@@ -49,7 +49,7 @@ new class extends Component
                     </x-nav-link>
                 </div>
 
-                @can('manage all')
+                @can('view users')
                     <div class="hidden space-x-8 sm:-my-px sm:ms-10 sm:flex">
                         <x-nav-link :href="route('admin.users')" :active="request()->routeIs('admin.users')" wire:navigate>
                             {{ __('Administrator') }}

routes/web.php

@@ -130,17 +130,17 @@ Route::get('/reports/dashboard', ReportsDashboard::class)->name('reports.dashboa
         })->name('dashboard');
     });
 
-    // Admin: gestión de usuarios y roles
-    Route::middleware(['can:manage all'])->prefix('admin')->name('admin.')->group(function () {
-        Route::get('/users',              function () { return view('admin.users'); })->name('users');
-        Route::get('/users/create',       \App\Livewire\UserForm::class)->name('users.create');
-        Route::get('/users/{user}',       \App\Livewire\UserView::class)->name('users.show');
-        Route::get('/users/{user}/edit',  \App\Livewire\UserForm::class)->name('users.edit');
-        Route::get('/roles',               function () { return view('admin.roles'); })->name('roles');
-        Route::get('/roles/create',        \App\Livewire\RoleForm::class)->name('roles.create');
-        Route::get('/roles/{role}/edit',   \App\Livewire\RoleForm::class)->name('roles.edit');
-        Route::get('/roles/{role}',        \App\Livewire\RoleView::class)->name('roles.show');
-        Route::get('/permissions',         \App\Livewire\RolePermissionManager::class)->name('permissions');
+    // Admin: gestión de usuarios y roles (cada ruta protegida por su permiso)
+    Route::prefix('admin')->name('admin.')->group(function () {
+        Route::get('/users',              function () { return view('admin.users'); })->middleware('can:view users')->name('users');
+        Route::get('/users/create',       \App\Livewire\UserForm::class)->middleware('can:create users')->name('users.create');
+        Route::get('/users/{user}',       \App\Livewire\UserView::class)->middleware('can:view users')->name('users.show');
+        Route::get('/users/{user}/edit',  \App\Livewire\UserForm::class)->middleware('can:edit users')->name('users.edit');
+        Route::get('/roles',               function () { return view('admin.roles'); })->middleware('can:manage roles')->name('roles');
+        Route::get('/roles/create',        \App\Livewire\RoleForm::class)->middleware('can:manage roles')->name('roles.create');
+        Route::get('/roles/{role}/edit',   \App\Livewire\RoleForm::class)->middleware('can:manage roles')->name('roles.edit');
+        Route::get('/roles/{role}',        \App\Livewire\RoleView::class)->middleware('can:manage roles')->name('roles.show');
+        Route::get('/permissions',         \App\Livewire\RolePermissionManager::class)->middleware('can:manage roles')->name('permissions');
     });
 
     // Gestor de medios