Test permission resolution order (ADR-082)

[aaronsb]

From ADR-082/083 implementation checklist.

Test that permission resolution follows the correct order:

1. Explicit DENY (highest priority)
2. Instance-scoped permissions
3. Filter-scoped permissions
4. Global permissions
5. Inherited permissions from parent roles

Related: api/api/lib/permissions.py

[aaronsb]

Implemented - permission resolution tested per ADR-082