refactor(authz): Phase 2 — replace hasRole('Admin') with permission checks

Permissions now actually govern access instead of the hard-coded Admin role:
- Super-admin bypass (see all projects / full access) -> can('manage all')
  in Project::scopeAccessibleBy, ProjectMap, ProjectDashboard, PhaseGantt,
  LayerManager, ProjectReportController.
- Redundant '|| hasRole(Admin)' fallbacks dropped (Gate::before already lets
  manage-all through can()): LayerManager (upload/delete layers), MediaManager
  (upload), ProjectMap (update progress), ProjectUsers/ProjectCompanies
  (assign users).
- Admin-only screens now gated by the matching permission: AdminUsers/UserView
  -> can('view users'), UserForm -> can('create users')|can('edit users'),
  CompanyView -> can('view companies').
- MediaManager delete: can('delete media') OR owner.
- Kept UserForm's domain guard (can't remove your own Admin role).

Note: the /admin route group still has middleware can:manage all, so admin
screens stay super-admin-only until that group is relaxed per-route.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

app/Livewire/UserForm.php

@@ -45,7 +45,7 @@ class UserForm extends Component
 
     public function mount(?User $user = null): void
     {
-        if (!Auth::user()->hasRole('Admin')) abort(403);
+        abort_unless(Auth::user()->can('create users') || Auth::user()->can('edit users'), 403);
 
         $this->roles     = Role::orderBy('name')->get();
         $this->companies = Company::where('estado', 'activo')->orderBy('name')->get();