
Add Playwright permission boundary tests (role-based access) #10

@dnplkndll

Description

Context

The demo user previously only had MembershipApi Domain Admin, which caused all "Mobile Settings" Playwright tests to fail (ContentApi Content Edit was missing). Fixed in fix/demo-role-permissions branch (PR #9).

We should add tests that verify lower-privilege roles cannot access features beyond their granted permissions.

Implementation

  1. Add a second demo user in demo.sql (e.g. viewer@b1.church) with read-only permissions (MembershipApi People View only)
  2. Add Playwright tests that log in as the viewer and verify:
    • "Mobile Apps" tab is NOT visible in Settings secondary menu
    • "Edit Settings" button is NOT visible (requires MembershipApi Settings Edit)
    • Direct navigation to /settings/mobile redirects to / (permission gate)
    • People list is visible (has People View)
    • Saving a person edit returns 401 (no People Edit)
    • Attendance, Giving, and Content sections are not accessible
  3. Consider a third user (staff@b1.church) with edit-but-not-admin permissions for mid-tier testing
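As an added example (not code from this project), a TypeScript model of the permission matrix the planned Playwright tests assert on; `checkAccess` here is an assumed stand-in for `UserHelper.checkAccess()`, the staff role's permissions and the Attendance/Giving/Content permission names are assumptions, and the viewer and admin permissions follow the issue text.

```typescript
// Added example: a model of the permission boundaries the planned
// Playwright tests assert. checkAccess() is an ASSUMED stand-in for
// @churchapps/apphelper UserHelper.checkAccess(), not the project's code.
type Perm = { api: string; contentType: string; action: string };

const P = (api: string, contentType: string, action: string): Perm =>
  ({ api, contentType, action });

// Assumed rule: "Domain Admin" grants every action, but only within its own
// API (the issue notes MembershipApi Domain Admin did not cover ContentApi).
function checkAccess(granted: Perm[], required: Perm): boolean {
  return granted.some(g =>
    g.api === required.api &&
    ((g.contentType === "Domain" && g.action === "Admin") ||
      (g.contentType === required.contentType && g.action === required.action)));
}

// Guarded features named in the issue and the permission each one requires.
// Attendance/Giving/Content permission names are placeholders (assumed).
const gates: Record<string, Perm> = {
  mobileAppsTab: P("ContentApi", "Content", "Edit"),
  editSettingsButton: P("MembershipApi", "Settings", "Edit"),
  peopleList: P("MembershipApi", "People", "View"),
  savePerson: P("MembershipApi", "People", "Edit"),
  attendance: P("AttendanceApi", "Attendance", "View"),
  giving: P("GivingApi", "Donations", "View"),
  content: P("ContentApi", "Content", "View"),
};

// Demo roles: viewer and admin follow the issue text; staff is an assumption.
const roles: Record<string, Perm[]> = {
  viewer: [P("MembershipApi", "People", "View")],
  staff: [P("MembershipApi", "People", "View"), P("MembershipApi", "People", "Edit"),
          P("AttendanceApi", "Attendance", "View")],
  admin: [P("MembershipApi", "Domain", "Admin"), P("ContentApi", "Content", "Edit")],
};

// Expected outcome per feature; each Playwright test asserts one of these,
// so a gate that drifts from this table shows up as a failing spec.
function expectedAccess(role: string): Record<string, boolean> {
  const out: Record<string, boolean> = {};
  for (const [feature, need] of Object.entries(gates))
    out[feature] = checkAccess(roles[role], need);
  return out;
}
```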

Files to touch

  • services/Api/tools/dbScripts/membership/demo.sql — add viewer user + role + permissions
  • services/B1Admin/tests/permissions.spec.ts — new test file
  • services/B1Admin/playwright.config.ts — add permissions project

References

  • Permission definitions: services/Api/src/shared/helpers/Permissions.ts
  • checkAccess logic: @churchapps/apphelper UserHelper.checkAccess()
  • Menu permission gates: services/B1Admin/src/helpers/SecondaryMenuHelper.ts
  • Mobile page gate: services/B1Admin/src/settings/MobileAppSettingsPage.tsx (redirects to / without permission)
