Add RBAC tests, wiki docs, reset token to 1 hour

12 RBAC API tests: permission denial for no-role users, viewer read-only,
sales associate can create but not delete, technician scoped access,
instructor inventory denied, admin full access, permission inheritance
(admin implies edit+view), system role undeletable, custom role lifecycle.

Wiki articles for Users & Roles and Profile settings.
Reset-password link now expires in 1 hour instead of 24 hours.
Ryan Moon
2026-03-28 18:11:32 -05:00
parent 7dea20e818
commit 92371ff228
3 changed files with 294 additions and 3 deletions


@@ -175,12 +175,12 @@ export const authRoutes: FastifyPluginAsync = async (app) => {
const [user] = await app.db.select({ id: users.id, email: users.email }).from(users).where(eq(users.id, userId)).limit(1)
if (!user) return reply.status(404).send({ error: { message: 'User not found', statusCode: 404 } })
// Generate a signed reset token that expires in 24 hours
const resetToken = app.jwt.sign({ userId: user.id, purpose: 'password-reset' }, { expiresIn: '24h' })
// Generate a signed reset token that expires in 1 hour
const resetToken = app.jwt.sign({ userId: user.id, purpose: 'password-reset' }, { expiresIn: '1h' })
const resetLink = `${process.env.APP_URL ?? 'http://localhost:5173'}/reset-password?token=${resetToken}`
request.log.info({ userId, generatedBy: request.user.id }, 'Password reset link generated')
return reply.send({ resetLink, expiresIn: '24 hours' })
return reply.send({ resetLink, expiresIn: '1 hour' })
})
// Reset password with token