refactor(authz): Phase 2 — replace hasRole('Admin') with permission checks

Permissions now actually govern access instead of the hard-coded Admin role:
- Super-admin bypass (see all projects / full access) -> can('manage all')
  in Project::scopeAccessibleBy, ProjectMap, ProjectDashboard, PhaseGantt,
  LayerManager, ProjectReportController.
- Redundant '|| hasRole(Admin)' fallbacks dropped (Gate::before already lets
  manage-all through can()): LayerManager (upload/delete layers), MediaManager
  (upload), ProjectMap (update progress), ProjectUsers/ProjectCompanies
  (assign users).
- Admin-only screens now gated by the matching permission: AdminUsers/UserView
  -> can('view users'), UserForm -> can('create users')|can('edit users'),
  CompanyView -> can('view companies').
- MediaManager delete: can('delete media') OR owner.
- Kept UserForm's domain guard (can't remove your own Admin role).

Note: the /admin route group still has middleware can:manage all, so admin
screens stay super-admin-only until that group is relaxed per-route.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

app/Livewire/ProjectMap.php

@@ -96,7 +96,7 @@ class ProjectMap extends Component
     private function authorizeProjectAccess(): void
     {
         $user = Auth::user();
-        if ($user->hasRole('Admin')) return;
+        if ($user->can('manage all')) return;
         if (!$this->project->users()->where('user_id', $user->id)->exists()) abort(403);
     }
 
@@ -184,7 +184,7 @@ class ProjectMap extends Component
     {
         $feature = Feature::with('layer.phase')->findOrFail($featureId);
         $user = Auth::user();
-        if (!$user->can('update progress') && !$user->hasRole('Admin')) {
+        if (!$user->can('update progress')) {
             $this->dispatch('notify', 'Sin permisos');
             return;
         }