feat(backend): add USER_MANAGE permission + delta migration (D-015)
Adds `Permission.USER_MANAGE = "user.manage"` to the F11 matrix. rt_lead already holds ALL_PERMISSIONS so GROUP_PERMISSIONS is unchanged — rt_lead gets the new permission automatically, rt_operator and soc_analyst get 403.

Alembic migration `202605230001_add_user_manage_permission`:
- inserts the `user.manage` row into `permission`,
- inserts the `(rt_lead, user.manage)` link into `group_permission`,
- exposes `_DELTA_PERMISSIONS` / `_DELTA_GROUP_PERMISSIONS` for parity tests.

The previous `test_frozen_*_matches_runtime` invariant (MA3) is generalised to "runtime = initial frozen ∪ deltas of every migration in `_DELTAS`". New migrations register themselves there without editing the historical one.

Verbatim wording from spec-analyst is recorded as D-015 in `tasks/spec-decisions.md` (separate commit).
@@ -54,6 +54,9 @@ class Permission(enum.StrEnum):
|
||||
# Audit
|
||||
AUDIT_READ = "audit.read"
|
||||
|
||||
# User management (D-015): gates all /api/v1/users CRUD. rt_lead only.
|
||||
USER_MANAGE = "user.manage"
|
||||
|
||||
|
||||
ALL_PERMISSIONS: tuple[Permission, ...] = tuple(Permission)
|
||||
|
||||
|
||||
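Review bot: The comment on `USER_MANAGE` says "rt_lead only", but nothing at that line enforces it: the grant is implicit through `ALL_PERMISSIONS = tuple(Permission)` in the trailing context, so any group assigned `ALL_PERMISSIONS` picks up `user.manage` with no further change. Consider rewording the comment to say the grant flows through `ALL_PERMISSIONS`, and, if one is not already part of this commit, adding a test that asserts `rt_operator` and `soc_analyst` do not hold `Permission.USER_MANAGE`, so the 403 described in the commit message is pinned by a check and not only by the current contents of `GROUP_PERMISSIONS`.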