feat(api): capability enforcement on writes

Add lib/api/cap.js: requireWrite(entity_type) maps HTTP method to
action, runs canAct, and tags req.capTier as allow|suggest|deny→403.
Mutating routes (pages, projects, tasks, refs, resources, source_docs)
now check req.capTier and either run the repo (allow) or divert to
pending_changes returning 202 (suggest). Owner and worker actors stay
on the allow path. requireOwner helper added for Task 11.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

lib/api/routes/resources.js

@@ -5,6 +5,7 @@ import * as sourceDocs from '../../db/repos/source_docs.js';
 import * as audit from '../../db/repos/audit.js';
 import { validate } from '../validate.js';
 import { NotFoundError, ValidationError, ConflictError, asyncWrap } from '../errors.js';
+import { requireWrite, divertToPending } from '../cap.js';
 
 const RUNTIME = ['lxc', 'vm', 'docker', 'bare-metal'];
 const STATUSES = ['running', 'stopped', 'down', 'unknown'];
@@ -45,10 +46,15 @@ spacesScopedRouter.get('/',
 );
 
 spacesScopedRouter.post('/',
+  requireWrite('resource'),
   validate({ params: spaceParams, body: createSchema }),
   asyncWrap(async (req, res) => {
+    const payload = { ...req.body, space_id: req.params.space_id };
+    if (req.capTier === 'suggest') {
+      return divertToPending(req, res, { entity_type: 'resource', action: 'create', payload });
+    }
     try {
-      const row = await repo.create({ ...req.body, space_id: req.params.space_id }, req.actor);
+      const row = await repo.create(payload, req.actor);
       res.status(201).json(row);
     } catch (e) {
       if (e.code === '23503') throw new ValidationError('invalid space', { space_id: req.params.space_id });
@@ -67,30 +73,48 @@ router.get('/:id',
 );
 
 router.patch('/:id',
+  requireWrite('resource'),
   validate({ params: idParams, body: patchSchema }),
   asyncWrap(async (req, res) => {
     const existing = await repo.getById(req.params.id);
     if (!existing) throw new NotFoundError('resource not found');
+    if (req.capTier === 'suggest') {
+      return divertToPending(req, res, {
+        entity_type: 'resource', entity_id: req.params.id, action: 'update', payload: req.body
+      });
+    }
     res.json(await repo.update(req.params.id, req.body, req.actor));
   })
 );
 
 router.delete('/:id',
+  requireWrite('resource'),
   validate({ params: idParams }),
   asyncWrap(async (req, res) => {
     const existing = await repo.getById(req.params.id);
     if (!existing) throw new NotFoundError('resource not found');
+    if (req.capTier === 'suggest') {
+      return divertToPending(req, res, {
+        entity_type: 'resource', entity_id: req.params.id, action: 'delete', payload: {}
+      });
+    }
     await repo.del(req.params.id, req.actor);
     res.status(204).end();
   })
 );
 
 router.post('/:id/dependencies',
+  requireWrite('resource'),
   validate({ params: idParams, body: depBody }),
   asyncWrap(async (req, res) => {
     if (req.params.id === req.body.depends_on) {
       throw new ValidationError('resource cannot depend on itself');
     }
+    if (req.capTier === 'suggest') {
+      return divertToPending(req, res, {
+        entity_type: 'resource', entity_id: req.params.id, action: 'add_dependency', payload: req.body
+      });
+    }
     try {
       await repo.addDependency(req.params.id, req.body.depends_on, req.body.kind);
       res.status(201).json({ resource_id: req.params.id, depends_on: req.body.depends_on });
@@ -111,8 +135,15 @@ router.get('/:id/dependencies',
 );
 
 router.delete('/:id/dependencies/:dep_id',
+  requireWrite('resource'),
   validate({ params: depParams }),
   asyncWrap(async (req, res) => {
+    if (req.capTier === 'suggest') {
+      return divertToPending(req, res, {
+        entity_type: 'resource', entity_id: req.params.id, action: 'remove_dependency',
+        payload: { depends_on: req.params.dep_id }
+      });
+    }
     await repo.removeDependency(req.params.id, req.params.dep_id);
     res.status(204).end();
   })