feat(auth): restrict system role config reads to admins

packages/api/src/router/system-role-config.ts

@@ -1,10 +1,10 @@
 import { z } from "zod";
-import { adminProcedure, createTRPCRouter, invalidateRoleDefaultsCache, protectedProcedure } from "../trpc.js";
+import { adminProcedure, createTRPCRouter, invalidateRoleDefaultsCache } from "../trpc.js";
 import { createAuditEntry } from "../lib/audit.js";
 
 export const systemRoleConfigRouter = createTRPCRouter({
   /** List all role configs (sorted by sortOrder) */
-  list: protectedProcedure.query(async ({ ctx }) => {
+  list: adminProcedure.query(async ({ ctx }) => {
     return ctx.db.systemRoleConfig.findMany({
       orderBy: { sortOrder: "asc" },
     });