#199 Apps: Add RBAC permissions for app management
## Parent Epic: #195
## Description
Add new RBAC permissions and update roles for app management.
## Location
engine/security/rbac_roles.py
## New Permissions (11 total)
### App Registry Management
- register_apps: Register new apps (publishers)
- update_apps: Update app metadata/versions
- delete_apps: Deregister apps (soft delete)
- publish_apps: Publish app versions (draft -> published)
### App Installation (Tenant)
- install_apps: Install apps to tenant
- uninstall_apps: Remove apps from tenant
- configure_apps: Update app configuration
- manage_app_secrets: Manage app secrets in Vault
### App Usage
- use_apps: Use apps in workflows
- view_apps: View available apps
- view_app_logs: View app execution logs
## Role Updates
### tenant_admin
All 11 permissions
### workflow_author
- use_apps, view_apps
### workflow_operator
- use_apps, view_apps, view_app_logs
### developer
- register_apps, update_apps, publish_apps
- install_apps, configure_apps
- use_apps, view_apps, view_app_logs
## Implementation
1. Add APP_PERMISSIONS list
2. Add ROLE_APP_PERMISSIONS mapping
3. Update PREDEFINED_ROLES to include app permissions
4. Update initialize_tenant_roles() to create app permissions
## Migration Considerations
- Existing tenants need app permissions added
- Create migration helper function
## Testing
- Verify permissions work via API
- Test role-permission inheritance
- Test permission checks in app endpoints
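
The Implementation steps and the migration helper above, as an added example (not the project's own code from `engine/security/rbac_roles.py`). `APP_PERMISSIONS` and `ROLE_APP_PERMISSIONS` are named in the issue; their shapes, the three helper functions, and the tenant storage shape (role name mapped to a set of permission names) are assumptions.

```python
# APP_PERMISSIONS / ROLE_APP_PERMISSIONS are named in the issue; shapes and helpers are assumed.
APP_PERMISSIONS = [
    "register_apps", "update_apps", "delete_apps", "publish_apps",              # registry
    "install_apps", "uninstall_apps", "configure_apps", "manage_app_secrets",   # tenant install
    "use_apps", "view_apps", "view_app_logs",                                   # usage
]

ROLE_APP_PERMISSIONS = {
    "tenant_admin": frozenset(APP_PERMISSIONS),
    "workflow_author": frozenset({"use_apps", "view_apps"}),
    "workflow_operator": frozenset({"use_apps", "view_apps", "view_app_logs"}),
    "developer": frozenset({
        "register_apps", "update_apps", "publish_apps",
        "install_apps", "configure_apps",
        "use_apps", "view_apps", "view_app_logs",
    }),
}


def validate_role_app_permissions():
    """Raise if any role grants a permission that APP_PERMISSIONS does not define."""
    for role, perms in ROLE_APP_PERMISSIONS.items():
        unknown = perms - set(APP_PERMISSIONS)
        if unknown:
            raise ValueError(f"{role} grants unknown permissions: {sorted(unknown)}")


def has_app_permission(role_names, permission):
    """Deny by default: unknown roles and unknown permissions grant nothing."""
    if permission not in APP_PERMISSIONS:
        return False
    return any(permission in ROLE_APP_PERMISSIONS.get(r, ()) for r in role_names)


def add_app_permissions_to_tenant(tenant_roles):
    """Idempotent migration for an existing tenant; returns what was newly granted."""
    # tenant_roles: dict of role name -> set of permission names (assumed shape).
    added = {}
    for role, perms in ROLE_APP_PERMISSIONS.items():
        if role in tenant_roles:  # custom roles are left untouched
            new = perms - tenant_roles[role]
            if new:
                tenant_roles[role] |= new
                added[role] = sorted(new)
    return added
```

Running the migration a second time returns an empty dict, which makes it safe to re-run across tenants and gives a per-role record of grants to write to the audit log.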