feat(phase4+5): role hierarchy, tenant config, fallback material, dead code removal
Phase 4.1 — Role Hierarchy:
- UserRole enum: add global_admin (platform operator) + tenant_admin
(per-tenant admin); keep legacy 'admin' for backward compat
- Role sets: ADMIN_ROLES, TENANT_ADMIN_ROLES, PM_ROLES, RLS_BYPASS_ROLES
- New auth guards: require_global_admin(), require_tenant_admin_or_above(),
require_pm_or_above(), is_admin(), is_privileged()
- Legacy require_admin / require_admin_or_pm now check both old+new roles
- Migration 049: ADD VALUE global_admin + tenant_admin with AUTOCOMMIT
workaround; backfills admin → global_admin
- Seed: new admin users created with global_admin role
Phase 4.3 — RLS bypass updated for global_admin in get_db + set_tenant_context
Phase 4.4 — Tenant Feature Flags:
- Migration 050: tenant_config JSONB on tenants table
- Tenant model: tenant_config field + get_config() accessor
- Defaults: max_concurrent_renders=3, fallback_material, invoice_prefix etc.
Phase 5.1 — Fallback Material:
- blender_render.py: replace PALETTE_LINEAR/PALETTE_HEX/_assign_palette_material
with _assign_failed_material() → SCHAEFFLER_059999_FailedMaterial (magenta)
- Unmatched parts now logged explicitly before rendering
Phase 5.2 — Remove EEVEE fallback:
- render_blender.py: EEVEE→Cycles silent retry removed; hard failure on EEVEE error
Phase 5.3 — Remove Blender version check:
- render_blender.py: deleted MIN_BLENDER_VERSION = (5, 0, 1) constant
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@@ -34,7 +34,9 @@ async def get_db(request: "Request | None" = None) -> AsyncGenerator[AsyncSessio
|
||||
tenant_id = getattr(request.state, "tenant_id", None)
|
||||
role = getattr(request.state, "role", None)
|
||||
if tenant_id:
|
||||
if role == "admin":
|
||||
# global_admin and legacy admin bypass RLS to see all tenants
|
||||
_bypass_roles = {"global_admin", "admin"}
|
||||
if role in _bypass_roles:
|
||||
await session.execute(text("SET LOCAL app.current_tenant_id = 'bypass'"))
|
||||
else:
|
||||
await session.execute(
|
||||
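Review bot: the `_bypass_roles = {"global_admin", "admin"}` literal in get_db duplicates the RLS_BYPASS_ROLES set that the commit message says this change introduces, and the other two hunks repeat it under a different name (`_bypass`). Import the shared constant here so the list of roles allowed to read across tenants is defined once and cannot drift between the three call sites. Separately, `role` is read from request.state and compared as a plain string, unlike the `role_value` normalisation in get_db_for_tenant; if whatever populates request.state ever stores the enum member rather than its value, the membership test fails and the session silently falls through to the else branch, so normalise it here as well or document the expected type.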
@@ -69,7 +71,8 @@ async def get_db_for_tenant(
|
||||
if user and hasattr(user, "tenant_id") and user.tenant_id:
|
||||
role = getattr(user, "role", None)
|
||||
role_value = role.value if hasattr(role, "value") else str(role) if role else ""
|
||||
if role_value == "admin":
|
||||
_bypass = {"global_admin", "admin"}
|
||||
if role_value in _bypass:
|
||||
await db.execute(text("SET LOCAL app.current_tenant_id = 'bypass'"))
|
||||
else:
|
||||
await db.execute(
|
||||
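Review bot: in get_db_for_tenant the bypass check sits inside `if user and hasattr(user, "tenant_id") and user.tenant_id:`, so a global_admin whose tenant_id is empty never reaches `if role_value in _bypass:`. The commit message describes global_admin as a platform operator, and such accounts may not belong to any tenant. Please confirm which tenant context those sessions end up with (the code after this block is not visible in the hunk) and add a test covering a global_admin with no tenant_id, alongside one asserting that tenant_admin does not get the bypass.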
@@ -120,7 +123,8 @@ async def set_tenant_context(db: AsyncSession, user: Optional[object]) -> None:
|
||||
if user and hasattr(user, "tenant_id") and user.tenant_id:
|
||||
role = getattr(user, "role", None)
|
||||
role_value = role.value if hasattr(role, "value") else str(role) if role else ""
|
||||
if role_value == "admin":
|
||||
_bypass = {"global_admin", "admin"}
|
||||
if role_value in _bypass:
|
||||
await db.execute(text("SET LOCAL app.current_tenant_id = 'bypass'"))
|
||||
else:
|
||||
await db.execute(
|
||||
|
||||
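Review bot: set_tenant_context now carries the same `role_value` / `_bypass` block as get_db_for_tenant, line for line; have get_db_for_tenant call set_tenant_context (or a shared helper) rather than keeping two copies of the logic that decides who bypasses RLS. Since the commit message says migration 049 backfills admin to global_admin, add a comment stating when the legacy "admin" entry can be dropped from the set, so it does not remain a second path to cross-tenant access indefinitely. It would also help to log at the point where `SET LOCAL app.current_tenant_id = 'bypass'` is issued, so that bypass sessions are auditable.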