refactor(authz): Phase 2 — replace hasRole('Admin') with permission checks

Permissions now actually govern access instead of the hard-coded Admin role:
- Super-admin bypass (see all projects / full access) -> can('manage all')
  in Project::scopeAccessibleBy, ProjectMap, ProjectDashboard, PhaseGantt,
  LayerManager, ProjectReportController.
- Redundant '|| hasRole(Admin)' fallbacks dropped (Gate::before already lets
  manage-all through can()): LayerManager (upload/delete layers), MediaManager
  (upload), ProjectMap (update progress), ProjectUsers/ProjectCompanies
  (assign users).
- Admin-only screens now gated by the matching permission: AdminUsers/UserView
  -> can('view users'), UserForm -> can('create users')|can('edit users'),
  CompanyView -> can('view companies').
- MediaManager delete: can('delete media') OR owner.
- Kept UserForm's domain guard (can't remove your own Admin role).

Note: the /admin route group still has middleware can:manage all, so admin
screens stay super-admin-only until that group is relaxed per-route.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-17 19:10:23 +02:00
parent efccb67635
commit 8025fa6d05
13 changed files with 20 additions and 20 deletions
+2 -2
@@ -31,7 +31,7 @@ class ProjectCompanies extends Component
public function assignCompany()
{
$user = Auth::user();
if (!$user->can('assign users') && !$user->hasRole('Admin')) {
if (!$user->can('assign users')) {
session()->flash('error', 'No tienes permisos para asignar compañías.');
return;
}
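Review bot: dropping the `hasRole('Admin')` fallback in assignCompany makes super-admin access depend entirely on a `Gate::before` callback that is not visible in this diff; please add a test asserting that a user holding only `manage all` (and not `assign users`) can still call assignCompany, so a later change to the gate hook cannot silently lock super-admins out. Also worth a second look: the method assigns a company but checks the `assign users` permission, so either document that `assign users` intentionally covers company assignment or introduce a dedicated permission, otherwise the permission names will not reflect what they actually grant.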
@@ -53,7 +53,7 @@ class ProjectCompanies extends Component
public function removeCompany($companyId)
{
$user = Auth::user();
if (!$user->can('assign users') && !$user->hasRole('Admin')) {
if (!$user->can('assign users')) {
session()->flash('error', 'Sin permisos.');
return;
}
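Review bot: same reliance on `Gate::before` as in assignCompany, so the super-admin test case should cover removeCompany too; in addition, the denial message here is a terse `'Sin permisos.'` while assignCompany flashes the more descriptive `'No tienes permisos para asignar compañías.'`, so consider using one consistent message (or a shared translation key) for both authorization failures in this component.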