
Add RBAC enforcement for contribution moderation actions #1039

@willgriffin

Summary

Contribution moderation and promotion actions in @happyvertical/smrt-content are currently exposed through generated custom action routes without a package-local RBAC enforcement layer.

Context

PR #1037 adds generated endpoints/actions such as:

  • approveAction
  • promoteAction
  • rejectAction
  • requestChangesAction
  • withdrawAction

The business logic enforces content-state invariants, but there is not yet a standard per-action permission pattern wired through these generated routes. A quick fix would be risky because permissions currently live in @happyvertical/smrt-users session/service infrastructure rather than as an existing decorator/interceptor pattern in smrt-content.

Why defer

This looks like framework-level work, not a narrow PR fix. We should decide whether the correct solution is:

  • generated-route permission metadata on SMRT actions
  • a SvelteKit hook/interceptor pattern for generated API routes
  • a package-level moderation service that integrates with event.locals.permissions

Acceptance criteria

  • Moderation/promotion actions require explicit permissions.
  • Permission checks are enforced consistently for generated custom action routes.
  • The pattern is reusable across packages, not hard-coded only for content contributions.
  • Add tests covering allowed and denied moderation actions.

Related
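
One way to meet the acceptance criteria above, using the package-level option that reads `event.locals.permissions` (an added example, not code from smrt-content, smrt-users or PR #1037). The permission strings, the `string[]` shape assumed for `permissions`, and the names `guardAction`, `guardAll` and `purgeAction` are assumptions made for illustration.

```typescript
// Added example. Every name and permission string below is hypothetical.
type ActionEvent = { locals: { permissions?: string[] }; params: { id: string } };
type ActionResult = { status: number; body: unknown };
type ActionHandler = (event: ActionEvent) => ActionResult;
type PermissionMap = Record<string, string>;

// Per-action permission metadata a package declares next to its actions.
const CONTRIBUTION_PERMISSIONS: PermissionMap = {
  approveAction: 'contribution:approve',
  promoteAction: 'contribution:promote',
  rejectAction: 'contribution:reject',
  requestChangesAction: 'contribution:request-changes',
  withdrawAction: 'contribution:withdraw',
};

// Wrap one handler so the permission check runs before any business logic.
function guardAction(name: string, handler: ActionHandler, required: PermissionMap): ActionHandler {
  const declared = Object.prototype.hasOwnProperty.call(required, name);
  const needed: string | undefined = declared ? required[name] : undefined;
  return (event) => {
    // Fail closed: an action with no declared permission is never callable.
    if (needed === undefined) {
      return { status: 403, body: { error: `no permission declared for ${name}` } };
    }
    const granted = event.locals.permissions;
    if (!Array.isArray(granted)) return { status: 401, body: { error: 'not authenticated' } };
    if (granted.indexOf(needed) === -1) return { status: 403, body: { error: `missing ${needed}` } };
    return handler(event);
  };
}

// Wrap every handler of a route module at once, so a new action cannot skip the guard.
function guardAll(handlers: Record<string, ActionHandler>, required: PermissionMap): Record<string, ActionHandler> {
  const guarded: Record<string, ActionHandler> = {};
  Object.keys(handlers).forEach((name) => {
    const handler = handlers[name];
    if (handler) guarded[name] = guardAction(name, handler, required);
  });
  return guarded;
}

// Constructed stand-ins for the generated handlers; purgeAction has no declared permission.
const routes = guardAll({
  approveAction: (e) => ({ status: 200, body: { id: e.params.id, state: 'approved' } }),
  purgeAction: (e) => ({ status: 200, body: { id: e.params.id, state: 'purged' } }),
}, CONTRIBUTION_PERMISSIONS);
```

The permission map is passed in rather than imported, so another package can reuse the same wrapper with its own action names.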
