chore(webapp): add server-changes note for RBAC route permission enforcement

Author: matt-aitken

.server-changes/rbac-route-permission-enforcement.md

@@ -0,0 +1,18 @@
+---
+area: webapp
+type: feature
+---
+
+Enforce role-based permissions on the dashboard routes for cancelling and
+replaying runs (single and bulk), creating/promoting prompt versions, inviting
+and managing organization members, and managing billing. Each route now
+declares its required permission through the RBAC route builders'
+`authorization` option, and the matching UI controls are disabled with an
+explanatory tooltip (rather than hidden) when the current role lacks the
+permission. Behaviour is unchanged in the default configuration, where
+permissions are permissive and every control stays enabled.
+
+Adds reusable building blocks for this: a `checkPermissions` helper that turns
+a set of permission checks into a boolean map for a loader to pass to the
+client, and `PermissionButton` / `PermissionLink` wrappers that disable and
+add a tooltip when a permission is missing.