Additive schema, dual-write #11398

@joebon

Description

Scope. Add the role attribute and backfill from Account.admin_id, set up dual-write on existing ownership-mutation paths, and ship the permission infrastructure in code without yet consuming it.

Acceptance criteria

  • OrganizationRole enum (owner, admin, member) added.
  • role column added to UserOrganization with default member.
  • Backfill: every Account.admin_id user is owner on their membership; everyone else is member.
  • Service-layer dual-write: org creation and the backoffice change_admin flow swap roles (previous owner → admin, new admin → owner) in the same transaction as the Account.admin_id mutation.
  • Service-layer validation rejects writes that would put a non-Account.admin_id user into owner or move that user out of owner.
  • role → permissions and scope → implied_permissions tables landed in code; fine-grained permission strings (organizations:edit_settings, organizations:delete, organizations:manage_payout_account, members:invite, members:remove, members:set_role) defined.
  • Tables are not yet consumed by any policy; authorization still reads Account.admin_id.

References. RFC §Phase 1, parent #6646.
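As an added illustration (not code from this issue or the project), a minimal in-memory Python model of the Phase 1 invariant: the backfill, the change_admin dual-write, and the service-layer check that keeps UserOrganization.role consistent with Account.admin_id while authorization still reads admin_id. Organization, set_role and the snapshot-based rollback are hypothetical stand-ins for the real models and the DB transaction.

```python
from dataclasses import dataclass, field
from enum import Enum

class OrganizationRole(str, Enum):
    OWNER = "owner"
    ADMIN = "admin"
    MEMBER = "member"

@dataclass
class Organization:
    # Hypothetical in-memory stand-in for one Account row plus its UserOrganization rows.
    org_id: int
    admin_id: int                              # Account.admin_id, still the source of truth
    roles: dict = field(default_factory=dict)  # user_id -> UserOrganization.role

def validate_role_write(org, user_id, role):
    """Only the Account.admin_id user may hold 'owner', and that user may not leave it."""
    if role is OrganizationRole.OWNER and user_id != org.admin_id:
        raise ValueError(f"user {user_id} is not Account.admin_id; cannot be owner")
    if role is not OrganizationRole.OWNER and user_id == org.admin_id:
        raise ValueError(f"admin_id user {user_id} cannot be moved out of owner")

def backfill(org):
    """One-off backfill: admin_id user -> owner, every other membership -> member."""
    for uid in org.roles:
        org.roles[uid] = OrganizationRole.OWNER if uid == org.admin_id else OrganizationRole.MEMBER
    return org.roles

def set_role(org, user_id, role):
    """Direct role write (the members:set_role path), gated by the invariant check."""
    validate_role_write(org, user_id, role)
    org.roles[user_id] = role

def change_admin(org, new_admin_id):
    """Dual-write: the admin_id mutation and the role swap commit or roll back together."""
    if new_admin_id not in org.roles:
        raise ValueError(f"user {new_admin_id} is not a member of org {org.org_id}")
    snapshot = (org.admin_id, dict(org.roles))  # stand-in for a DB transaction
    try:
        previous_owner = org.admin_id
        org.admin_id = new_admin_id                        # the Account.admin_id write
        org.roles[previous_owner] = OrganizationRole.ADMIN  # previous owner -> admin
        org.roles[new_admin_id] = OrganizationRole.OWNER    # new admin -> owner
        for uid, role in org.roles.items():                # every row must still pass
            validate_role_write(org, uid, role)
    except Exception:
        org.admin_id, org.roles = snapshot                 # roll back both writes
        raise
    return org.roles
```

The post-swap validation loop is the check that a real dual-write path should run inside the same transaction, so a role row that drifted from admin_id is caught before commit rather than after.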
